Showing results for tags 'zero-day'.
Found 20 results

  1. Microsoft Put Off Fixing Zero Day for 2 Years
A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem. One of the 120 security holes Microsoft fixed on Aug. 11’s Patch Tuesday was CVE-2020-1464, a problem with the way every supported version of Windows validates digital signatures for computer programs. Code signing is the method of using a certificate-based digital signature to sign executable files and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted since it was signed by the author. Microsoft said an attacker could use this “spoofing vulnerability” to bypass security features intended to prevent improperly signed files from being loaded.
Microsoft’s advisory makes no mention of security researchers having told the company about the flaw, which Microsoft acknowledged was actively being exploited. In fact, CVE-2020-1464 was first spotted in attacks used in the wild back in August 2018. And several researchers informed Microsoft about the weakness over the past 18 months.
Bernardo Quintero is the manager at VirusTotal, a service owned by Google that scans any submitted files against dozens of antivirus services and displays the results. On Jan. 15, 2019, Quintero published a blog post outlining how Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer files (those ending in .MSI) signed by any software developer. Quintero said this weakness would be particularly acute if an attacker were to use it to hide a malicious Java file (.jar). And, he said, this exact attack vector was indeed detected in a malware sample sent to VirusTotal. “In short, an attacker can append a malicious JAR to a MSI file signed by a trusted software developer (like Microsoft Corporation, Google Inc. or any other well-known developer), and the resulting file can be renamed with the .jar extension and will have a valid signature according to Microsoft Windows,” Quintero wrote.
But according to Quintero, while Microsoft’s security team validated his findings, the company chose not to address the problem at the time. “Microsoft has decided that it will not be fixing this issue in the current versions of Windows and agreed we are able to blog about this case and our findings publicly,” his blog post concluded.
Tal Be’ery, founder of Zengo, and Peleg Hadar, senior security researcher at SafeBreach Labs, penned a blog post on Sunday that pointed to a file uploaded to VirusTotal in August 2018 that abused the spoofing weakness, which has been dubbed GlueBall. The last time that August 2018 file was scanned at VirusTotal (Aug 14, 2020), it was detected as a malicious Java trojan by 28 of 59 antivirus programs. More recently, others would likewise call attention to malware that abused the security weakness, including this post in June 2020 from the Security-in-bits blog.
Be’ery said the way Microsoft has handled the vulnerability report seems rather strange. “It was very clear to everyone involved, Microsoft included, that GlueBall is indeed a valid vulnerability exploited in the wild,” he wrote. “Therefore, it is not clear why it was only patched now and not two years ago.”
Asked to comment on why it waited two years to patch a flaw that was actively being exploited to compromise the security of Windows computers, Microsoft dodged the question, saying Windows users who have applied the latest security updates are protected from this attack. “A security update was released in August,” Microsoft said in a written statement sent to KrebsOnSecurity. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”
Update, 12:45 a.m. ET: Corrected attribution on the June 2020 blog article about GlueBall exploits in the wild.
Source: Microsoft Put Off Fixing Zero Day for 2 Years
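The GlueBall layout described above (a signed MSI with a JAR glued onto its end) can be recognised structurally even without touching the signature. The following is an added example, not code from the article, VirusTotal or Microsoft: a Python check that flags a file which opens as an OLE compound document (the MSI container) and also closes with a ZIP end-of-central-directory record, which is where a JAR reader starts parsing, and that reports where the appended archive begins. All names, and the constructed FAKE_MSI sample, are this example's own assumptions; it does not verify Authenticode.

```python
"""Detect the MSI/JAR polyglot shape behind GlueBall (CVE-2020-1464).

Added example, not code from the KrebsOnSecurity article or from VirusTotal.
It does not verify Authenticode; it only asks a structural question a
defender can put to any .msi or .jar: does a file that begins as an OLE
compound document (the MSI container) also end with a ZIP end-of-central-
directory (EOCD) record, the place where Java's JAR reader starts parsing?
"""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header (.msi)
EOCD_SIG = b"PK\x05\x06"                          # ZIP end-of-central-directory
EOCD_FMT = "<4sHHHHIIH"                          # fixed 22-byte EOCD layout
EOCD_LEN = struct.calcsize(EOCD_FMT)


def find_eocd(data: bytes):
    """Offset of a valid EOCD record that closes the file, or None.

    ZIP/JAR readers locate the archive by scanning backwards from the end of
    the file for this record, so trailing archive data is honoured no matter
    what precedes it. Mirror that: search only the last 64 KiB + 22 bytes and
    require the record (plus its comment) to end exactly at end-of-file."""
    start = max(0, len(data) - (EOCD_LEN + 0xFFFF))
    idx = data.rfind(EOCD_SIG, start)
    while idx != -1:
        if idx + EOCD_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, idx + 20)[0]
            if idx + EOCD_LEN + comment_len == len(data):
                return idx
        idx = data.rfind(EOCD_SIG, start, idx)
    return None


def appended_archive_start(data: bytes):
    """Offset at which a trailing ZIP archive begins, or None.

    The EOCD records the central directory's size and its offset relative to
    the start of the archive, so: archive_start = (eocd - cd_size) - cd_offset.
    For a clean JAR this is 0; for an MSI with a JAR glued on it is the size of
    the MSI part that the Authenticode signature still covers."""
    eocd = find_eocd(data)
    if eocd is None:
        return None
    _, _, _, _, _, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    archive_start = eocd - cd_size - cd_offset
    return archive_start if 0 <= archive_start <= eocd else None


def is_msi_jar_polyglot(data: bytes) -> bool:
    """True when the file opens as an OLE/MSI container and closes as a ZIP."""
    if not data.startswith(OLE_MAGIC):
        return False
    archive_start = appended_archive_start(data)
    return archive_start is not None and archive_start > 0


# --- constructed sample input (not a real installer, not real malware) ------
FAKE_MSI = OLE_MAGIC + b"\0" * (4 * 512 - len(OLE_MAGIC))  # header + 3 empty sectors


def build_polyglot_sample() -> bytes:
    """FAKE_MSI followed by a tiny JAR-like archive: the GlueBall layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
        jar.writestr("Demo.class", b"\xca\xfe\xba\xbe" + b"\0" * 28)  # placeholder bytes
    return FAKE_MSI + buf.getvalue()


if __name__ == "__main__":
    sample = build_polyglot_sample()
    print("polyglot:", is_msi_jar_polyglot(sample),
          "archive starts at", appended_archive_start(sample))  # True 2048
    print("plain msi:", is_msi_jar_polyglot(FAKE_MSI))          # False
```

The same check applied to a real .jar distinguishes a clean archive (archive start 0, no OLE header) from one carrying a signed installer in front of it.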
  2. Windows 10 zero-day could allow hackers to seize control of your computer
Vulnerability has yet to be patched, with Windows 10 users warned to be on their guard
A security bug has been discovered that affects every version of the Windows operating system, from Windows 7 to Windows 10. The vulnerability can be found within the Windows Kernel Cryptography Driver and enables attackers to gain admin-level control of a victim’s computer. The flaw was discovered by Google’s Project Zero security team, which subsequently notified Microsoft. The Redmond-based firm was given seven days to patch the bug before Google published further details – a task that proved beyond the company. Although the ramifications of the security flaw sound scary, Microsoft is urging caution for the time being. The technology giant has claimed that any threat is limited, with no evidence of widespread exploits taking place. As of yet, there is also no indication that attackers are using the exploit to target the US presidential election.
A patch is coming
One of the reasons why Microsoft can be so calm regarding the vulnerability (tracked as CVE-2020-17087) is that in order to be exploited, it requires another vulnerability, CVE-2020-15999. This earlier bug is browser-based and has already been patched. So, if your browser is up-to-date, you should be protected. Microsoft has not commented on when a patch for the newly-discovered vulnerability is likely to be launched, but it wouldn’t be a surprise if it was packaged within the Patch Tuesday update set to be released on November 10. A Microsoft spokesperson told Forbes that "developing a security update is a balance between timeliness and quality,” which is why the Project Zero deadline was missed. Any zero-day exploit is understandably a cause for concern but perhaps Microsoft is right not to be too panicked over this one. As long as Windows users make sure their browsers are updated, they’ll probably be fine until the patch arrives.
Source: Windows 10 zero-day could allow hackers to seize control of your computer
  3. Google fixes Chrome zero-day actively exploited in the wild
Google has addressed an actively exploited zero-day security vulnerability in the Chrome 88.0.4324.150 version released today, February 4th, 2020, to the Stable desktop channel for Windows, Mac, and Linux users. "Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild," the Google Chrome 88.0.4324.150 announcement reads. This version is rolling out to the entire userbase during the next days/weeks. Windows, Mac, and Linux desktop users can upgrade to Chrome 88 by going to Settings -> Help -> About Google Chrome. The Google Chrome web browser will then automatically check for the new update and install it when available.
V8 vulnerability under active exploitation
The vulnerability rated by Google as high severity is being tracked as CVE-2021-21148 and was reported by Mattias Buelens on January 24th, 2021. The zero-day is described as a heap buffer overflow bug in V8, Google's open-source and C++ based high-performance WebAssembly and JavaScript engine. While buffer overflows generally lead to crashes, they can also be exploited by attackers to execute arbitrary code on systems running vulnerable software. While Google says that it "is aware of reports that an exploit for CVE-2020-16009 exists in the wild," the company did not provide any details regarding the threat actors behind these attacks. "Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google adds. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed." This should provide Chrome users with additional time to install the security update released today and to prevent attackers from creating other exploits targeting this zero-day bug. Last year, Google fixed five Chrome zero-days actively exploited in the wild, all within a single month, between October 20 and November 12.
Source: Google fixes Chrome zero-day actively exploited in the wild
  4. Google patches Chrome zero-day vulnerability currently being exploited
Google has released an update for Chrome that patches three security bugs, one of which is a zero-day vulnerability that is currently being exploited. The vulnerability, under the identifier CVE-2020-6418, was discovered by Clement Lecigne, a member of Google's Threat Analysis Group, on February 18. While it is known that the vulnerability is being exploited in the wild, information on how it is being used is not public yet. The vulnerability has been patched in Chrome version 80.0.3987.122. The update is rolling out to all Windows, Mac, and Linux users. However, it is not known when an update with the patch will make it to the mobile versions of the browser. As for the vulnerability itself, it is described as a ‘type confusion in V8’. V8 is Chrome’s component responsible for processing JavaScript code. Type confusion refers to a logical bug that occurs when a program accesses resources using an incompatible type, leading to logical errors. The vulnerability, when exploited, can allow attackers to run unrestricted code on the affected applications. The search giant patched Chrome’s first zero-day vulnerability back in March 2019 when it disclosed the security risk along with a vulnerability in Windows 7. Since the patch fixes a zero-day that is currently being exploited in the wild, it is best for users to update their browsers to the latest version (80.0.3987.122). You can download the update using the offline installer here, or head to the three-dot menu on Chrome > Help > About Google Chrome, and force the update.
Source: Clement Lecigne (Twitter) via ZDNet
Source: Google patches Chrome zero-day vulnerability currently being exploited (Neowin)
  5. Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack
Some legacy models of QNAP network attached storage devices are vulnerable to remote unauthenticated attacks because of two unpatched vulnerabilities. Two critical zero-day bugs affect legacy QNAP Systems storage hardware, and expose devices to remote unauthenticated attackers. The bugs, tracked as CVE-2020-25099 and CVE-2021-36195, impact QNAP’s model TS-231 network attached storage (NAS) hardware, allowing an attacker to manipulate stored data and hijack the device. The vulnerabilities also impact some non-legacy QNAP NAS gear. However, it is important to note that patches are available for non-legacy QNAP NAS hardware. A patch for the now-retired QNAP model TS-231 NAS device, first released in 2015, is scheduled to be released within weeks, QNAP representatives told Threatpost. Patches for current model QNAP devices need to be downloaded from the QNAP download center and applied manually.
Zero-Day Disclosure
Both bugs were disclosed on Wednesday by SAM Seamless Network researchers, who released limited technical details. The disclosure was ahead of official QNAP public disclosure of the vulnerabilities, and was in line with SAM Seamless Network’s disclosure policy of giving a vendor three months to disclose vulnerability details. Both flaws were found in the Oct. and Nov. 2020 timeframe and made public Wednesday. “We reported both vulnerabilities to QNAP with a four-month grace period to fix them,” researchers wrote. “Due to the seriousness of the vulnerabilities, we decided not to disclose the full details yet, as we believe this could cause major harm to tens of thousands of QNAP devices exposed to the internet.” QNAP would not specifically say how many additional legacy NAS devices may be impacted. The company, in a statement to Threatpost, said: “There are many hardware models of NAS in QNAP. (See: https://www.qnap.com/en/product/eol.php). In the list, you can find the models, the period of hardware repair or replacement, the supported OS and App updates and maintenance and the status of technical support and security updates. Most of the models, the security update could be upgraded to the latest version, i.e. QTS 4.5.2. However, some old hardware models have limits of firmware upgrade. For example, TS-EC1679U-SAS-RP could support only the legacy QTS 4.3.4.”
Breaking Down QNAP Bug One
Tracked as CVE-2020-2509, this remote code execution (RCE) bug is tied to firmware used in both old and new hardware, according to QNAP. Firmware versions prior to QTS (build 20210202) and QTS (build 20201123) are affected. Patches for current (non-legacy) hardware can be downloaded via QTS (ZIP) and QTS (ZIP). The bug (CVE-2020-2509) resides in the NAS web server (default TCP port 8080), according to researchers. “Previous RCE attacks on QNAP NAS models relied on web pages which do not require prior authentication, and run/trigger code in server-side. We’ve therefore inspected some CGI files (which implement such pages) and fuzzed a few of the more relevant ones,” researchers described. They said that during the inspection, they were able to fuzz the web server with customized HTTP requests to different CGI pages, focusing on ones that didn’t require prior authentication. “We’ve been able to generate an interesting scenario, which triggers remote code execution indirectly (i.e., triggers some behavior in other processes),” researchers wrote. A fix for the vulnerability, suggested by researchers, is “adding input sanitizations to some core processes and library APIs, but it has not been fixed as of this writing.”
Breaking Down QNAP Bug Two
The second bug, tracked as CVE-2021-36195, is an unauthenticated RCE and arbitrary file-write flaw. It impacts QNAP TS-231’s latest firmware (version, released in September. The flaw allows two types of attacks. One allows a remote attacker – with access to the web server (default port 8080) – to execute arbitrary shell commands, without prior knowledge of the web credentials. The second attack “allows a remote attacker with access to the DLNA server (default port 8200) to create arbitrary file data on any (non-existing) location, without any prior knowledge or credentials. It can also be elevated to execute arbitrary commands on the remote NAS as well,” according to researchers at SAM Seamless Network. To exploit the bug, researchers created a proof-of-concept attack. “[We used] a python script that we wrote in order to hack into the device. We achieve full takeover of the device by using a simple reverse shell technique. After that, we access a file that’s stored on the QNAP storage. Any file stored can be accessed similarly.” QNAP said a fix for supported hardware can be downloaded from the QNAP App Center and is identified as Multimedia Console 1.3.4.
QNAP Patch Timeline
“Currently, we have released the fix in the latest firmware and related app,” QNAP representatives told Threatpost. “Since the severity level is high, we would like to release the security update for legacy versions. It is expected to be available in a week. In addition, we hope there will be another week for users’ updates.”
Source: Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack
  6. Google Chrome Hit in Another Mysterious Zero-Day Attack
Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks. This is the fourth in-the-wild Chrome zero-day discovered so far in 2021 and the continued absence of IOC data or any meaningful information about the attacks continues to raise eyebrows among security experts. The newest Chrome update -- 90.0.4430.85 -- is available for Windows, Mac and Linux users and is being rolled out via the browser’s automatic update mechanism. According to a Google Chrome advisory, the update patches seven security vulnerabilities but the company only provided one-line documentation and CVE IDs for five bugs. The vulnerability being exploited is identified as CVE-2021-21224 and simply described as a “type confusion” in the V8 Chrome rendering engine. Google credited Jose Martinez (tr0y4) from VerSprite Inc. for reporting the vulnerability. “Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” the company said. The Chrome update also fixes a heap buffer overflow in V8, an integer overflow bug in Mojo, an out-of-bounds memory access issue in V8 and a use-after-free vulnerability in Navigation.
Source: Google Chrome Hit in Another Mysterious Zero-Day Attack
  7. Pulse Secure VPN zero-day used to hack defense firms, govt orgs
Pulse Secure has shared mitigation measures for a zero-day authentication bypass vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance actively exploited in attacks against worldwide organizations and focused on US Defense Industrial Base (DIB) networks. To mitigate the vulnerability tracked as CVE-2021-22893 (with a maximum 10/10 severity score), Pulse Secure advises customers with gateways running PCS 9.0R3 and higher to upgrade the server software to the 9.1R.11.4 release. As a workaround, the vulnerability can be mitigated on some gateways by disabling the Windows File Share Browser and Pulse Secure Collaboration features using instructions available in the security advisory published earlier today. Pulse Secure also released the Pulse Connect Secure Integrity Tool to help customers determine if their systems are impacted. Security updates to solve this issue will be released in early May.
“The Pulse Connect Secure (PCS) team is in contact with a limited number of customers who have experienced evidence of exploit behavior on their PCS appliances. The PCS team has provided remediation guidance to these customers directly. The investigation shows ongoing attempts to exploit four issues: The substantial bulk of these issues involve three vulnerabilities that were patched in 2019 and 2020: Security Advisory SA44101 (CVE-2019-11510), Security Advisory SA44588 (CVE-2020-8243) and Security Advisory SA44601 (CVE-2020-8260). Customers are strongly recommended to review the advisories and follow the guidance, including changing all passwords in the environment if impacted. The new issue, discovered this month, impacted a very limited number of customers. The team worked quickly to provide mitigations directly to the limited number of impacted customers that remediates the risk to their system. PCS will issue a software update in early May. Visit Security Advisory SA44784 (CVE-2021-22893) for more information. Customers are also encouraged to apply and leverage the efficient and easy-to-use Pulse Secure Integrity Checker Tool to identify any unusual activity on their system.” - Pulse Connect Secure
Chinese-backed state hackers likely behind attacks
CVE-2021-22893 was exploited in the wild in conjunction with other Pulse Secure bugs by suspected state-sponsored threat actors to hack the networks of dozens of US and European government, defense, and financial organizations and execute arbitrary code remotely on Pulse Connect Secure gateways. At least two threat actors tracked as UNC2630 and UNC2717 by cybersecurity firm FireEye have been deploying 12 malware strains in these attacks. FireEye also suspects that the UNC2630 threat actor may have ties to APT5, a known APT group that operates on behalf of the Chinese government, based on "strong similarities to historic intrusions dating back to 2014 and 2015" conducted by APT5. "Although we are not able to definitively connect UNC2630 to APT5, or any other existing APT group, a trusted third party has uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor APT5," FireEye said. "While we cannot make the same connections, the third party assessment is consistent with our understanding of APT5 and their historic TTPs and targets."
According to FireEye: UNC2630 targeted U.S. DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021. UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, and PULSEJUMP.
"These actors are highly skilled and have deep technical knowledge of the Pulse Secure product," Charles Carmakal, FireEye Mandiant SVP and CTO, told BleepingComputer. "They developed malware that enabled them to harvest Active Directory credentials and bypass multifactor authentication on Pulse Secure devices to access victim networks. "They modified scripts on the Pulse Secure system which enabled the malware to survive software updates and factory resets. This tradecraft enabled the actors to maintain access to victim environments for several months without being detected." UNC2630's primary goals are to maintain long-term access to networks, collect credentials, and steal proprietary data, according to Carmakal. At the moment, there is no evidence that these threat actors have introduced any backdoors through a supply chain compromise of Pulse Secure's network or software deployment process.
Source: Pulse Secure VPN zero-day used to hack defense firms, govt orgs
  8. Adobe: Windows Users Hit by PDF Reader Zero-Day
Adobe on Tuesday warned that a gaping security hole in one of the most widely deployed software products has been exploited in the wild in “limited attacks targeting Adobe Reader users on Windows.” Adobe’s confirmation of the zero-day attack was buried in a security bulletin that documents at least 11 security vulnerabilities affecting Adobe Acrobat and Reader on both Windows and MacOS platforms. “These updates address multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user,” according to the bulletin. Adobe’s Acrobat Reader is widely used freeware to view, create, fill, print and format files in the Portable Document Format (PDF). The software has long been a rich target for advanced threat actors conducting targeted attacks. The under-attack flaw -- CVE-2021-28550 -- is described as a use-after-free memory corruption issue that was discovered and reported anonymously to Adobe. The company did not provide any additional details on the active exploitation. The mega-patch release from Adobe documents at least 23 flaws in a range of products, including a pair of security holes in the Adobe Experience Manager, a trio of security flaws in Adobe InDesign and five serious bugs in Adobe Illustrator. The company also patched security vulnerabilities in Adobe InCopy and Adobe Genuine Service.
Source: Adobe: Windows Users Hit by PDF Reader Zero-Day
  9. Hackers Exploit 0-Day Gatekeeper Flaw to Attack MacOS Computers
Security is only as strong as the weakest link. As further proof of this, Apple released an update to macOS operating systems to address an actively exploited zero-day vulnerability that could circumvent all security protections, thus permitting unapproved software to run on Macs. The macOS flaw, identified as CVE-2021-30657, was discovered and reported to Apple by security engineer Cedric Owens on March 25, 2021. "An unsigned, unnotarized, script-based proof of concept application [...] could trivially and reliably sidestep all of macOS's relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system," security researcher Patrick Wardle explained in a write-up. "Armed with such a capability macOS malware authors could (and are) returning to their proven methods of targeting and infecting macOS users."
Apple's macOS comes with a feature called Gatekeeper, which allows only trusted apps to be run by ensuring that the software has been signed by the App Store or by a registered developer and has cleared an automated process called "app notarization" that scans the software for malicious content. But the new flaw uncovered by Owens could enable an adversary to craft a rogue application in a manner that would deceive the Gatekeeper service and get executed without triggering any security warning. The trickery involves packaging a malicious shell script as a "double-clickable app" so that the malware could be double-clicked and run like an app. "It's an app in the sense that you can double click it and macOS views it as an app when you right click -> Get Info on the payload," Owens said. "Yet it's also shell script in that shell scripts are not checked by Gatekeeper even if the quarantine attribute is present."
According to macOS security firm Jamf, the threat actor behind Shlayer malware has been abusing this Gatekeeper bypass vulnerability as early as January 9, 2021. Distributed via a technique called search engine poisoning or spamdexing, Shlayer accounts for almost 30% of all detections on the macOS platform, with one in ten systems encountering the adware at least once, according to Kaspersky statistics for 2019. The attack works by manipulating search engine results to surface malicious links that, when clicked, redirect users to a web page that prompts them to download a seemingly benign app update for out-of-date software, which in this campaign is a bash script designed to stealthily retrieve next-stage payloads, including Bundlore adware. Troublingly, this infection scheme could be leveraged to deliver more advanced threats such as surveillanceware and ransomware.
In addition to the aforementioned vulnerability, Monday's updates also address a critical flaw in WebKit Storage (tracked as CVE-2021-30661) that concerns an arbitrary code execution flaw in iOS, macOS, tvOS, and watchOS when processing maliciously crafted web content. "Apple is aware of a report that this issue may have been actively exploited," the company said in a security document, adding it addressed the use-after-free weakness with improved memory management. Aside from these updates, Apple has also released iCloud for Windows 12.3 with patches for four security issues in WebKit and WebRTC, among others, that could allow an attacker to conduct cross-site scripting (XSS) attacks (CVE-2021-1825) and corrupt kernel memory (CVE-2020-7463). Users of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.
Source: Hackers Exploit 0-Day Gatekeeper Flaw to Attack MacOS Computers
  10. New ransomware group uses SonicWall zero-day to breach networks
A financially motivated threat actor exploited a zero-day bug in Sonicwall SMA 100 Series VPN appliances to deploy new ransomware known as FiveHands on the networks of North American and European targets. The group, tracked by Mandiant threat analysts as UNC2447, exploited the CVE-2021-20016 Sonicwall vulnerability to breach networks and deploy FiveHands ransomware payloads before patches were released in late February 2021. Prior to deploying the ransomware payloads, UNC2447 was also observed using Cobalt Strike implants for gaining persistence and installing a SombRAT backdoor variant, a malware first spotted in the CostaRicto campaign coordinated by a group of mercenary hackers. The zero-day was also exploited in attacks targeting SonicWall's internal systems in January and later abused indiscriminately in the wild.
Undercover HelloKitty
The FiveHands ransomware deployed in UNC2447 attacks was first observed in the wild during October 2020. It is also very similar to HelloKitty ransomware, both of them rewrites of DeathRansom ransomware. The former was used to encrypt the systems of video game development studio CD Projekt Red, with the attackers later claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and an unreleased version of Witcher 3. This ransomware operation has also targeted other large companies worldwide, including Brazilian power company CEMIG (Companhia Energética de Minas Gerais). As discovered by Mandiant, HelloKitty activity had slowly dwindled starting in January 2021, when FiveHands usage in attacks began to pick up. "Based on technical and temporal observations of HELLOKITTY and FIVEHANDS deployments, Mandiant suspects that HELLOKITTY may have been used by an overall affiliate program from May 2020 through December 2020, and FIVEHANDS since approximately January 2021," the researchers said. Besides sharing features, functionality, and coding similarities, the two malware strains were also linked by Mandiant earlier this month after observing a FiveHands ransomware Tor chat using a HelloKitty favicon. BleepingComputer reported earlier today on Whistler resort municipality being hit by a new ransomware operation using a very similar Tor site, but it's not clear if there are any links to the FiveHands ransomware operation. FiveHands also has extra functionality since, unlike HelloKitty and DeathRansom, it can also "use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted." It further differs by using different embedded encryption libraries, a memory-only dropper, and asynchronous I/O requests, not present in the two other ransomware strains in its family.
Ragnar Locker ransomware also deployed by UNC2447 affiliates
"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant added in a report published today. "UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics." Mandiant says that UNC2447 affiliates have also been observed deploying Ragnar Locker ransomware in previous attacks. In March, Mandiant analysts discovered three more zero-day vulnerabilities in SonicWall’s on-premises and hosted Email Security (ES) products. These zero-days were also actively exploited by another group tracked as UNC2682 to backdoor systems using BEHINDER web shells to move laterally through the victims' networks and gain access to emails and files.
Source: New ransomware group uses SonicWall zero-day to breach networks
  11. Compsci boffin publishes proof-of-concept code for 54-year-old zero-day in Universal Turing Machine

Patch your devi... oh, hang on a sec

A computer science professor from Sweden has discovered an arbitrary code execution vuln in the Universal Turing Machine, one of the earliest computer designs in history – though he admits it has "no real-world implications".

In a paper published on academic repository ArXiv, Pontus Johnson, a professor at the KTH Royal Institute of Technology in Stockholm, Sweden, cheerfully explained that his findings wouldn't be exploitable in a real-world scenario because they pertain specifically to the 1967 implementation [PDF] of the simulated Universal Turing Machine (UTM) designed by the late Marvin Minsky, who co-founded the academic discipline of artificial intelligence.

Yet what the amusing little caper really brings to the world is a philosophical point: if one of the simplest concepts of a computer is vulnerable to user meddling, where in the design process should we start trying to implement security features?

"The universal Turing machine is generally considered to be the simplest, most abstract model of a computer," wrote Johnson in his paper. Through exploiting the Minsky-spec UTM's lack of input validation, he was able to trick it into running a program he had put together.

The Minsky specification describes a tape-based machine that reads and executes very simple programs from a simulated tape. Instructions on the tape move the simulated tape reader head left or right across the "tape" itself, which is represented as a one-line alphanumeric string. While users can make inputs at the start of the tape, in the UTM model they're not supposed to alter the program that follows.

"Regardless of the historical aspect of it, the fact [is] that the most simple [computer] we can describe seems to have had this propensity for vulnerability," Johnson told The Register.

Security (if you could call it that) for the UTM consists of a single digit that tells the machine "user input ends here, everything after this point is executable with the parameters you've just read." Johnson's exploit was as simple as writing that "input ends here" character in the user input field and then writing his own program after it. The UTM executes that and skips past the intended program.

Parallels with modern vulnerabilities are obvious: scale it up a bit in complexity and this has all the hallmarks of a SQL injection vuln, for example – or any other unsanitised or unescaped user input field.

Johnson told The Register today: "In this case, as in many cases, the vulnerability is based on confusing the machine… in academia, we scientists like to start with the basic principle: demonstrate something for a small system, then maybe it's true for a larger system. It seems to me that for the very smallest system, there is this intrinsic vulnerability, this propensity to be vulnerable."

The compsci prof continued: "Obviously Marvin Minsky didn't have the intention to [create] either a secure or a vulnerable system. Nevertheless, what happened was [it] was vulnerable."

Philosophically, Johnson's vuln (which has been assigned CVE-2021-32471) raises deeper questions for hardware and firmware designers alike to think upon, he told us: "Some people say that security needs to be built in from the start; you can't add it later. But in this case, all the mitigations of this that I could think of, they need to be add-ons, you can't build it into this machine.

"And if this is the mother of all computers, then it seems to me that you cannot build security in from the start."

Professor Alan Woodward of the University of Surrey opined to El Reg: "It's an interesting and provocative thought as to whether or not there is some fundamental cause for the number of specific attacks we see. I don't think we need to panic that there is some fundamental flaw in modern computer architecture, more it's a reminder that complexity brings its own threats."

Looking specifically at Johnson's vuln, he commented: "Interestingly, it seems to point more to issues with interpretations/implementations of the Turing machine. It seems to support the adage that nothing is totally secure once it's actually implemented."

Source: Compsci boffin publishes proof-of-concept code for 54-year-old zero-day in Universal Turing Machine
  12. Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild

Google has addressed yet another actively exploited zero-day in the Chrome browser, marking the second such fix released by the company within a month.

The browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to roll out to all users over the coming days and weeks. While the update contains a total of five security fixes, the most important flaw rectified by Google is a use after free vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193.

Details about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9. As is usually the case with actively exploited flaws, Google issued a terse statement acknowledging that an exploit for CVE-2021-21193 exists but refrained from sharing additional information until a majority of users have installed the fixes, so as to prevent other threat actors from creating exploits targeting this zero-day.

"Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild," Chrome Technical Program Manager Prudhvikumar Bommana noted in a blog post.

With this update, Google has fixed three zero-day flaws in Chrome since the start of the year. Earlier this month, the company issued a fix for an "object lifecycle issue in audio" (CVE-2021-21166) which it said was being actively exploited. Then on February 4, the company resolved another actively exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.

Chrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.

Source: Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild
  13. Google fixes the third actively exploited Chrome 0-Day since January

Google has addressed a new zero-day flaw in its Chrome browser that has been actively exploited in the wild, the second one within a month.

Google has fixed a new actively exploited zero-day in its Chrome browser; this is the second zero-day issue addressed by the IT giant within a month. The flaw, tracked as CVE-2021-21193, is a use after free vulnerability in the Blink rendering engine. Google addressed the issue with the 89.0.4389.90 version for Windows, Mac, and Linux, which will be available in the coming days.

The flaw was reported to Google by an anonymous researcher on March 9. At the time of this writing the company had not revealed details about the vulnerability, to avoid other threat actors exploiting the issue in the wild. Google also addressed four other vulnerabilities.

“This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.” reads the post published by Google.

[$500][1167357] High CVE-2021-21191: Use after free in WebRTC. Reported by raven (@raid_akame) on 2021-01-15
[$TBD][1181387] High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-23
[$TBD][1186287] High CVE-2021-21193: Use after free in Blink. Reported by Anonymous on 2021-03-09

“Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild.”

Chrome Technical Program Manager Prudhvikumar Bommana added that Google has detected some of the bugs using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

CVE-2021-21193 is the third actively exploited zero-day flaw in Chrome that has been addressed since January.

In early February, Google addressed an actively exploited zero-day vulnerability, tracked as CVE-2021-21148, with the release of the Chrome 88.0.4324.150 version. The vulnerability is a heap buffer overflow that resides in V8, which is an open-source high-performance JavaScript and WebAssembly engine, written in C++.

Earlier this month, Google addressed another zero-day issue, tracked as CVE-2021-21166, actively exploited in the wild.

In 2020, Google addressed five Chrome zero-days actively exploited in the wild. In October, the IT giant addressed the following three zero-days:

CVE-2020-15999 – The flaw is a memory corruption bug that resides in the FreeType font rendering library, which is included in standard Chrome releases.
CVE-2020-16009 – is a Heap buffer overflow in Freetype in Google Chrome.
CVE-2020-16010 – affects the browser’s user interface (UI) component in Chrome for Android.

In November, the company addressed two other zero-day vulnerabilities, actively exploited in the wild. Both zero-day flaws, tracked as CVE-2020-16013 and CVE-2020-16017, were reported by anonymous sources.

Source: Google fixes the third actively exploited Chrome 0-Day since January
  14. Microsoft has acknowledged a Windows zero-day vulnerability in MSHTML that allows for remote code execution when exploited. The issue affects all versions from Windows 7 through Windows 10 and the corresponding Windows Server releases.

The company is tracking the vulnerability under CVE-2021-40444 in MSRC and adds that it is aware of “targeted attacks” that are carried out by creating malicious Office documents that exploit the vulnerability. The issue has been given a score of 8.8.

The firm adds in the details that an attacker could create an ActiveX control to be used by Office’s MSHTML browser rendering engine, which when opened by the user could allow for remote code execution. However, those that use the default option to open files from the internet in Protected View or via Application Guard for Office will be able to fend off the attack. Additionally, Microsoft Defender Antivirus and Defender for Endpoint can successfully detect the threat. The Defender for Endpoint alert displayed for this threat is “Suspicious Cpl File Execution”.

Another workaround posted by the firm involves disabling the installation of all ActiveX controls via the registry. The firm notes that the change will not affect controls that were already installed, but that systems will still be protected. You can head to the workarounds section in the MSRC post for the detailed workaround and the resulting impacts.

As for a permanent fix or mitigation, Microsoft says that it will take an “appropriate action” on completion of its investigation. This might come in the form of fixes during next week’s Patch Tuesday updates or via an out-of-band security update before the scheduled monthly patches.

A researcher from one of the cybersecurity organizations that helped uncover this vulnerability, Haifei Li, said in a statement to BleepingComputer that the attack method is “100% reliable”, making it a significant risk. EXPMON researchers could also reproduce the attack on Windows 10 running the latest Office 365 build.

Another Office-related issue reported this week involved a bug in Outlook that allowed suspicious email IDs to seem genuine, opening users to potential phishing attacks. While the firm denied fixing the vulnerability, it reportedly did so in the latest version.

Microsoft acknowledges Windows zero-day that leverages Office files for attacks
  15. Microsoft Corp. warns that attackers are exploiting a previously unknown vulnerability in Windows 10 and many Windows Server versions to seize control over PCs when users open a malicious document or visit a booby-trapped website. There is currently no official patch for the flaw, but Microsoft has released recommendations for mitigating the threat.

According to a security advisory from Redmond, the security hole CVE-2021-40444 affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions. IE has been slowly abandoned for more recent Windows browsers like Edge, but the same vulnerable component is also used by Microsoft Office applications for rendering web-based content.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Microsoft has not yet released a patch for CVE-2021-40444, but says users can mitigate the threat from this flaw by disabling the installation of all ActiveX controls in IE.

Microsoft says the vulnerability is currently being used in targeted attacks, although its advisory credits three different entities with reporting the flaw. One of the researchers credited — EXPMON — said on Twitter that it had reproduced the attack on the latest Office 2019 / Office 365 on Windows 10.

“The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),” EXPMON tweeted.

Windows users could see an official fix for the bug as soon as September 14, when Microsoft is slated to release its monthly “Patch Tuesday” bundle of security updates.

This year has been a tough one for Windows users and so-called “zero day” threats, which refer to vulnerabilities that are not patched by current versions of the software in question and are being actively exploited to break into vulnerable computers. Virtually every month in 2021 so far, Microsoft has been forced to respond to zero-day threats targeting huge swaths of its user base.

In fact, by my count May was the only month so far this year that Microsoft didn’t release a patch to fix at least one zero-day attack in Windows or supported software.

Many of those zero-days involve older Microsoft technologies or those that have been retired, like IE11; Microsoft officially retired support for Microsoft Office 365 apps and services on IE11 last month.

In July, Microsoft rushed out a fix for the Print Nightmare vulnerability that was present in every supported version of Windows, only to see the patch cause problems for a number of Windows users. On June’s Patch Tuesday, Microsoft addressed six zero-day security holes. And of course in March, hundreds of thousands of organizations running Microsoft Exchange email servers found those systems compromised with backdoors thanks to four zero-day flaws in Exchange.

Microsoft: Attackers Exploiting Windows Zero-Day Flaw
  16. Google patches 8th Chrome zero-day exploited in the wild this year

Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux to fix seven security vulnerabilities, one of them a high severity zero-day vulnerability exploited in the wild.

"Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild," the company revealed.

The new Chrome release has started rolling out worldwide to the Stable desktop channel and will become available to all users over the following days.

Google Chrome will automatically update itself on the next launch, but you can also manually update it by checking for the newly released version from Settings > Help > 'About Google Chrome.'

Eighth exploited zero-day patched this year

The zero-day patched on Thursday and reported by Google Project Zero's Sergei Glazunov is described as a type confusion bug in V8, Google's open-source C++-based and high-performance WebAssembly and JavaScript engine.

Even though type confusion weaknesses would generally lead to browser crashes following successful exploitation by reading or writing memory out of the bounds of the buffer, they can also be exploited by threat actors to execute arbitrary code on devices running vulnerable software.

While Google said that it is aware of in-the-wild exploitation of CVE-2021-30563, it did not share info regarding these attacks, to allow the security update to deploy on as many systems as possible before more threat actors start actively abusing it.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."

In all, Google has patched eight Chrome zero-day bugs exploited by attackers in the wild since the start of 2021. Besides CVE-2021-30563, the company previously addressed:

CVE-2021-21148 - February 4th, 2021
CVE-2021-21166 - March 2nd, 2021
CVE-2021-21193 - March 12th, 2021
CVE-2021-21220 - April 13th, 2021
CVE-2021-21224 - April 20th, 2021
CVE-2021-30551 - June 9th, 2021
CVE-2021-30554 - June 17th, 2021

More details on previously patched Chrome zero-days

The Google Threat Analysis Group (TAG) shared additional details earlier this week regarding in-the-wild exploitation of the CVE-2021-21166 and CVE-2021-30551 Chrome zero-days.

"Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world," Google said.

On Thursday, Microsoft and Citizen Lab linked the vendor mentioned in Google TAG's report to Israeli spyware vendor Candiru. Threat actors deployed the surveillance vendor's spyware to infect iOS, Android, macOS, and Windows devices using Chrome zero-days and unpatched Windows flaws.

Microsoft researchers found that Candiru's malware was used to compromise the systems of "politicians, human rights activists, journalists, academics, embassy workers, and political dissidents." In all, Microsoft said it discovered "at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore."

Google patches 8th Chrome zero-day exploited in the wild this year
  17. iOS zero-day let SolarWinds hackers compromise fully updated iPhones

Flaw was exploited when government officials clicked on links in LinkedIn messages.

The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments, according to Google and Microsoft.

In a post Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said a “likely Russian government-backed actor” exploited the then-unknown vulnerability by sending messages to government officials over LinkedIn.

Moscow, Western Europe, and USAID

Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.

The campaign closely tracks to one Microsoft disclosed in May. In that instance, Microsoft said that Nobelium—the name the company uses to identify the hackers behind the SolarWinds supply chain attack—first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency’s account for online marketing company Constant Contact, the hackers could send emails that appeared to use addresses known to belong to the US agency.

The federal government has attributed last year’s supply chain attack to hackers working for Russia’s Foreign Intelligence Service (abbreviated as SVR). For more than a decade, the SVR has conducted malware campaigns targeting governments, political think tanks, and other organizations in countries like Germany, Uzbekistan, South Korea, and the US. Targets have included the US State Department and the White House in 2014. Other names used to identify the group include APT29, the Dukes, and Cozy Bear.

In an email, Shane Huntley, the head of Google's Threat Analysis Group, confirmed the connection between the attacks involving USAID and the iOS zero-day, which resided in the WebKit browser engine.

“These are two different campaigns, but based on our visibility, we consider the actors behind the WebKit 0-day and the USAID campaign to be the same group of actors,” Huntley wrote. “It is important to note that everyone draws actor boundaries differently. In this particular case, we are aligned with the US and UK governments' assessment of APT 29.”

Forget the sandbox

Throughout the campaign, Microsoft said, Nobelium experimented with multiple attack variations. In one wave, a Nobelium-controlled web server profiled devices that visited it to determine what OS and hardware the devices ran on. If the targeted device was an iPhone or iPad, a server used an exploit for CVE-2021-1879, which allowed hackers to deliver a universal cross-site scripting attack. Apple patched the zero-day in late March.

In Wednesday’s post, Stone and Lecigne wrote:

After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, is mitigated in browsers with Site Isolation enabled, such as Chrome or Firefox.

It’s raining zero-days

The iOS attacks are part of a recent explosion in the use of zero-days. In the first half of this year, Google’s Project Zero vulnerability research group has recorded 33 zero-day exploits used in attacks—11 more than the total number from 2020. The growth has several causes, including better detection by defenders and better software defenses that require multiple exploits to break through.

The other big driver is the increased supply of zero-days from private companies selling exploits.

“0-day capabilities used to be only the tools of select nation-states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” the Google researchers wrote. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise; now they just need resources.”

The iOS vulnerability was one of four in-the-wild zero-days Google detailed on Wednesday. The other three were:

CVE-2021-21166 and CVE-2021-30551 in Chrome
CVE-2021-33742 in Internet Explorer

The four exploits were used in three different campaigns. Based on their analysis, the researchers assess that three of the exploits were developed by the same commercial surveillance company, which sold them to two different government-backed actors. The researchers didn’t identify the surveillance company, the governments, or the specific three zero-days they were referring to.

Representatives from Apple didn’t immediately respond to a request for comment.

iOS zero-day let SolarWinds hackers compromise fully updated iPhones
  18. Google fixes seventh Chrome zero-day exploited in the wild this year

Google has released Chrome 91.0.4472.114 for Windows, Mac, and Linux to fix four security vulnerabilities, one of them a high severity zero-day vulnerability exploited in the wild.

This version, released today, June 17th, 2021, to the Stable desktop channel, has started rolling out worldwide and will become available to all users over the next few days.

Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings > Help > 'About Google Chrome'.

No details on zero-day attacks in the wild

"Google is aware that an exploit for CVE-2021-30554 exists in the wild," the company's announcement reads.

The zero-day is caused by a use after free weakness in the WebGL (Web Graphics Library) JavaScript API used by the Chrome web browser to render interactive 2D and 3D graphics without using plug-ins.

Successful exploitation of this vulnerability could lead to arbitrary code execution on computers running unpatched Chrome versions.

Although Google says that it is aware of in-the-wild exploitation of CVE-2021-30554, it did not share info regarding these attacks.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," the company said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."

Google fixed three more high severity use after free bugs today in Chrome's Sharing, WebAudio, and TabGroups components, tracked as CVE-2021-30555, CVE-2021-30556, and CVE-2021-30557.

Seventh Chrome zero-day exploited in the wild this year

Today's update fixes Google Chrome's seventh zero-day exploited in attacks this year, with the other six listed below:

CVE-2021-21148 - February 4th, 2021
CVE-2021-21166 - March 2nd, 2021
CVE-2021-21193 - March 12th, 2021
CVE-2021-21220 - April 13th, 2021
CVE-2021-21224 - April 20th, 2021
CVE-2021-30551 - June 9th, 2021

In addition to these zero-days, Kaspersky reported that a threat actor group known as Puzzlemaker is chaining Chrome zero-day bugs to escape the browser's sandbox and install malware on Windows systems.

"Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server," Kaspersky said.

Project Zero, Google's zero-day bug-hunting team, also unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.

Google fixes seventh Chrome zero-day exploited in the wild this year
  19. Malware caught using a macOS zero-day to secretly take screenshots

Almost exactly a month ago, researchers revealed a notorious malware family was exploiting a never-before-seen vulnerability that let it bypass macOS security defenses and run unimpeded. Now, some of the same researchers say another malware can sneak onto macOS systems, thanks to another vulnerability.

Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission — such as accessing the microphone, webcam or recording the screen — without ever getting consent.

XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically the Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.” The malware is under continued development, with more recent variants also targeting Macs running the newer M1 chip.

Once the malware is running on a victim’s computer, it uses two zero-days — one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website.

But Jamf says the malware was exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen.

macOS is supposed to ask the user for permission before it allows any app — malicious or otherwise — to record the screen, access the microphone or webcam, or open the user’s storage. But the malware bypassed that permissions prompt by sneaking in under the radar, injecting malicious code into legitimate apps.

Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches for other apps on the victim’s computer that are frequently granted screen-sharing permissions, like Zoom, WhatsApp and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” on the legitimate app and inherit its permissions across macOS. Then, the malware signs the new app bundle with a new certificate to avoid getting flagged by macOS’ built-in security defenses.

The researchers said that the malware used the permissions prompt bypass “specifically for the purpose of taking screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone or webcam, or to capture their keystrokes, such as passwords or credit card numbers.

It’s not clear how many Macs the malware was able to infect using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today.

Source: Malware caught using a macOS zero-day to secretly take screenshots
  20. Further investigation into an exploit kit known as "Elderwood" shows the attackers using it are more numerous and possibly better funded than previously thought, according to new research from Symantec.

Elderwood is a hacking platform that has attack code which abuses software vulnerabilities in programs such as Adobe Systems' Flash multimedia program and Microsoft's Internet Explorer browser in order to spy on computers.

Symantec has been tracking Elderwood since 2012, noting that exploits contained in it have been used against defense-related companies, people involved in human rights campaigns, and IT and supply-chain firms in the so-called "Operation Aurora" attacks. The company thought a single group controlled Elderwood, although the security company's latest findings indicate a more diversified operation.

Symantec doesn't say in which country it believes the attackers are located, but the Operation Aurora attacks are suspected to have originated in China.

After Operation Aurora came to light, Google came forward in early 2010. In an unprecedented move, it publicly said the attacks against its network originated in China, which fueled a diplomatic row with the U.S. Google said the attacks were aimed at compromising the Gmail accounts of human rights activists.

The U.S. and China subsequently clashed over cybersecurity issues, with U.S. companies becoming increasingly vocal over what they maintain are technically sophisticated long-term infiltration campaigns originating from within China.

Symantec now thinks several hacking groups are using Elderwood, indicating that its developer may be selling the platform. Another possibility is that the core Elderwood hackers are developing exploits for their own in-house teams, the company wrote in a blog post Thursday.

"The attack groups are separate entities with their own agendas," Symantec wrote.

A sub-group called "Hidden Lynx" targets the defense industry and Japanese users. "Vidgrab" prefers targeting Uyghur dissidents in the western China region. Another group known as "Linfo" or "Icefog" goes after manufacturing firms, while "Sakurel" focuses on aerospace companies.

At the start of this year, the Elderwood exploit kit contained three zero-day vulnerabilities, which are software flaws that do not have a patch ready. Those vulnerabilities included one for Flash (CVE-2014-0502) and two for Internet Explorer (CVE-2014-0322 and CVE-2014-0324).

Another clue that all of the groups may be closely connected is the use of shared infrastructure. The Flash exploit and one for Internet Explorer, CVE-2014-0322, were hosted on the same server but used by all four groups, Symantec wrote.

Creating attack code for those vulnerabilities isn't cheap, which suggests that if hacking groups are purchasing the exploits from Elderwood's developer, those organizations "must have substantial financial resources."

If all Elderwood-related attacks come from a larger group split into teams, then "these employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves."

Source