

Messages - maruf.swe

31




Apple’s iOS 13.3.1 update includes a host of security patches and a way to turn off U1 Ultra Wideband tracking.

Apple’s latest security fixes, released Tuesday, tackle a wide range of bugs, including several patches for high-risk flaws that could allow for remote code execution (RCE). Of particular interest to privacy-minded iPhone 11 users is an iOS 13.3.1 update that allows users to turn off U1 Ultra-Wideband device tracking.

The fixes address vulnerabilities in Apple’s Xcode, watchOS, Safari, iTunes for Windows, iOS, iPadOS, macOS and tvOS. The most severe of the bugs include four RCE flaws in Apple TV’s operating system, tvOS – each rated high-severity.

Tracked as CVE-2020-3868, one tvOS RCE bug has a CVSS severity score of 8.8 out of 10, the highest among those patched Tuesday. The bug is tied to multiple memory corruption issues in Apple’s browser engine, WebKit. “By persuading a victim to visit a specially crafted website, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service,” according to a description of the flaw.

For More Details : https://threatpost.com/apple-patches-ios-device-tracking/152364/

32




The manufacturers have issued BIOS updates to address the issues, but researchers warn DMA attacks are likely possible against a range of laptops and desktops.

Vulnerabilities in Dell and HP laptops could allow an attacker to access information and gain kernel privileges via the devices’ Direct Memory Access (DMA) capability.

DMA is a processing-efficiency approach for peripherals (such as PCI cards or network interface cards) that, as the name suggests, offers direct high-speed access to a system’s memory.

“For example, a network adapter or Firewire device may need to read and write information quickly,” according to an Eclypsium report, issued Thursday. “Passing this traffic up to the OS and back down again is slow and inefficient. Instead, DMA allows devices to directly communicate with the system’s memory without passing through the operating system [or main CPU].”

For More Details : https://threatpost.com/dell-hp-memory-access-bugskernel-privileges/152369/

33




Reportedly, the bug wasn’t patched, leading to a data breach in July.

Hackers breached the United Nations network in July by exploiting a Microsoft SharePoint vulnerability, according to reports. The breach, which appears to be an espionage operation, reportedly gave the hackers access to an estimated 400 GB of sensitive data.

The breach was swept under the rug by the U.N. until this week, when an internal document outlining the hack was leaked by The New Humanitarian, a global news agency focusing on human rights stories. According to the confidential document, at least 42 U.N. servers were compromised in Geneva and Vienna, potentially exposing staff personnel data and sensitive documents for other organizations collaborating with the U.N.

“Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report… implies that internal documents, databases, emails, commercial information and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals and organisations communicating with and doing business with the U.N.,” Ben Parker, with The New Humanitarian, said on Wednesday.

For More Details : https://threatpost.com/un-hack-microsoft-sharepoint-flaw/152378/

34




Vulnerabilities allow unauthenticated remote attackers to access sensitive device information and launch denial of service attacks.

Cisco Systems released security patches on Wednesday for high-severity vulnerabilities affecting over a half dozen of its small business switches. The flaws allow remote unauthenticated adversaries to access sensitive information and level denial-of-service (DoS) attacks against affected gear.

Impacted are Series Smart Switches, Series Managed Switches and Series Stackable Managed Switches. Cisco said it was unaware of active exploitation of the vulnerabilities and software updates remediating the flaws are available; however, no workaround fixes are available.

The vulnerabilities include an information disclosure flaw (CVE-2019-15993) and a bug (CVE-2020-3147) that creates conditions optimum for a DoS attack.

For More Details : https://threatpost.com/cisco-patches-high-severity-bugs-in-switch-lineup/152392/

35




Developers behind WordPress plugin Code Snippets have issued a patch for the high-severity flaw.

A high-severity vulnerability exists in a popular WordPress plugin, potentially opening up 200,000 websites to takeover.

The WordPress plugin in question is Code Snippets, which allows users to run small chunks of PHP code on their websites. This can be used to extend the functionality of the website (essentially used as a mini-plugin). The flaw (CVE-2020-8417) has been patched by the plugin’s developer, Code Snippets Pro.

“This is a high severity security issue that could cause complete site takeover, information disclosure, and more,” said Chloe Chamberland with Wordfence, who discovered the flaw, in an analysis this week. “We highly recommend updating to the latest version (2.14.0) immediately.”

For More Details : https://threatpost.com/200k-wordpress-sites-vulnerable-to-plugin-flaw/152415/

36




Program is the latest the tech giant has launched that pays users and security researchers to find vulnerabilities in its numerous products.

Microsoft is offering rewards of up to $20,000 for finding vulnerabilities in its Xbox gaming platform through its latest bug bounty program unveiled this week.

The Xbox Bounty Program is open to gamers, security researchers and basically anyone who can help the tech giant identify security vulnerabilities in the Xbox Live network and services and share them with the Xbox team, Chloé Brown, a Microsoft Security Response Center program manager, said in a blog post Thursday.

“Since launching in 2002, the Xbox network has enabled millions of users to share their common love of gaming on a safe and secure service,” she wrote in the post. “The bounty program supplements our existing investments in security development and testing to uncover and remediate vulnerabilities which have a direct and demonstrable impact on the security of Xbox customers.”

For More Details : https://threatpost.com/microsoft-offers-rewards-of-up-to-20000-in-new-xbox-bug-bounty-program/152424/

37




Larger winnings for underground skills competitions are attracting sophisticated crime groups.

White hats aren’t alone in holding hacking contests. Russian-language cybercriminals are known for running similar competitions on underground forums. However, an analysis of Dark Web activity has uncovered a trend towards offering increasingly high-stakes prizes during such battles. At the same time, increasingly sophisticated participants are throwing their hats into the mix — notably, the operators behind the Sodinokibi (a.k.a. REvil) ransomware.

For instance, a current hacking competition on the illicit forum known as XSS offers members the chance to win a share of $15,000 in return for original articles containing proof-of-concept videos or original code, according to a Digital Shadows report, released on Thursday.

“Since its relaunch as XSS [in 2018], the former Damagelabs has organized three articles competitions, all with four- or five-figure prize funds,” the firm noted.

For More Details : https://threatpost.com/sodinokibi-ransomware-hacking-contest/152422/

38




Microsoft OS flaws, out-of-bounds reads, ICS gear and a record number of high-severity bugs marked 2019 for the ZDI program.

Zero Day Initiative (ZDI) awarded more than $1.5 million in cash and prizes to bug-hunters throughout 2019, it said, resulting in 1,035 security vulnerability advisories for the year.

Most of those advisories (88 percent) were published in conjunction with a patch from the vendor, Zero Day Initiative (ZDI) noted – just 127 were not.

The pace of bug discovery looks to stay steady. ZDI, a division of Trend Micro, announced that already, as of the end of January, its bounty program has published 154 advisories for 2020, affecting products from Apple, Cisco, Oracle, Microsoft and others.

For More Details : https://threatpost.com/zero-day-initiative-bug-hunters-15m-2019/152435/

39




Researchers have observed the cybercrime group back in action, now using a new tactic for distributing malware.

Cybercrime group Evil Corp (a.k.a. Dudear) is back in action after a short hiatus, with a technique in its arsenal not previously used by the group to distribute malware.

Microsoft on Thursday said that it observed emails from the cybercriminal gang utilizing HTML redirectors. Microsoft is unclear whether these HTML redirectors are URLs in the body of the email itself or if they are embedded into an attachment to the email. Regardless, once they are clicked on, they automatically download a malicious Excel file. Next, if the victim “enables editing” in the Excel file, the final payload is dropped.

“This is the first time that Dudear is observed using HTML redirectors,” according to a tweet by the Microsoft Security Intelligence research team, which also released indicators of compromise (IoCs) for the attack. “The attackers use HTML files in different languages. Notably, they also use an IP trace-back service to track the IP addresses of machines that download the malicious Excel file.”

For More Details : https://threatpost.com/evil-corp-returns-with-new-malware-infection-tactic/152430/

40




Researchers were able to fool popular autopilot systems into perceiving projected images as real – causing the cars to brake or veer into oncoming traffic lanes.

Researchers said that autopilot systems used by popular cars – including the Tesla Model X – can be fooled into detecting fake images, projected by drones on the road or on surrounding billboards, as real. Attackers could potentially leverage this design hole to trigger the systems to brake or steer cars into oncoming traffic lanes, they said.

The issue stems from advanced driving assistance systems (ADAS), which are used by semi-autonomous vehicles to help the vehicle driver while driving or parking. By detecting and reacting to obstacles in the road, ADAS systems are designed to increase driver safety. However, researchers said that they were able to create “phantom” images purporting to be an obstacle, lane or road sign; use a projector to transmit the phantom within the autopilots’ range of detection; and trick systems into believing that they are legitimate.

“The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars to validate their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers,” said a team of researchers from the Ben-Gurion University of the Negev in a post last week (they presented the research at Cybertech Israel conference in Tel Aviv last week).

For More Details : https://threatpost.com/tesla-autopilot-duped-by-phantom-images/152491/

41




The medical device giant has issued fixes for bugs first disclosed in 2018 and 2019.

Medtronic has released updates to address known vulnerabilities in its line of connected medical devices that were initially disclosed last year and in 2018.

The vendor has addressed two sets of bugs. The first group, disclosed in March of last year, is found in a range of Medtronic implanted cardiac resynchronization therapy with defibrillation (CRT-D) devices; and in multiple implantable cardioverter defibrillators (ICDs). An ICS-CERT advisory last week gives the most severe of the flaws a CVSS “critical” severity rating of 9.3.

For More Details : https://threatpost.com/medtronic-patches-implanted-device-carelink/152533/

42


Cisco has released patches to address the five vulnerabilities, which could lead to remote code-execution and denial of service.

Cisco is issuing patches for five critical vulnerabilities that have been discovered in Cisco Discovery Protocol (CDP), the info-sharing layer that maps all Cisco equipment on a network.

Researchers at Armis say that the vulnerabilities, which they disclosed on Wednesday and collectively dubbed CDPwn, can allow attackers with an existing foothold in the network to break through network segmentation efforts and remotely take over millions of devices.

CDP is a Cisco proprietary Layer 2 network protocol that is used to discover information about locally attached Cisco equipment. CDP aids in mapping the presence of other Cisco products in the network and is implemented in virtually all Cisco products – including switches, routers, IP phones and IP cameras. Many of these devices cannot work properly without CDP, and do not offer the ability to turn it off, according to researchers.

For More Details : https://threatpost.com/critical-cisco-cdpwn-flaws-network-segmentation/152546/

43




The researcher behind the five critical Cisco flaws, collectively called CDPwn, talks about why Layer 2 protocols are under-researched when it comes to security vulnerabilities.

Researchers on Wednesday disclosed five critical vulnerabilities in Cisco Discovery Protocol (CDP), the Cisco Proprietary Layer 2 network protocol that is used to discover information about locally attached Cisco equipment.

Researchers say that the vulnerabilities, which they collectively call CDPwn, can allow attackers to remotely take over millions of devices. The flaws specifically exist in the parsing of CDP packets, in the protocol implementation for various Cisco products, from its software to IP cameras. Cisco issued patches on Wednesday addressing the five flaws, and is urging users to update as soon as possible.

Threatpost talked to Ben Seri, VP of Research at Armis, who discovered the flaws, about the CDPwn flaws, their impact, and why Layer 2 protocols are an under-researched area.

For More Details : https://threatpost.com/behind-cdpwn-discovering-critical-cisco-protocol-flaws/152530/

44




A high-severity vulnerability could allow cybercriminals to push malware or remotely execute code, using seemingly innocuous messages.

Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. And, further investigation shows this could be parlayed into remote code-execution.

The desktop platform has more than 1.5 billion monthly active users. The high-severity bug (rated 8.2 on the CVSS severity scale) could impact those that also use WhatsApp for iPhone, if they don’t update their desktop and mobile apps, and if they don’t use newer versions of the Chrome browser.

“A vulnerability [CVE-2019-18426] in WhatsApp Desktop versions prior to 0.3.9309 when paired with WhatsApp for iPhone versions prior to 2.20.10 allows cross-site scripting (XSS) and local file reading,” according to the National Vulnerability Database. “Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message.”

More specifically, “The flaws leave users vulnerable to attacks by allowing both the text content and links in website previews to be tampered with to display false content and modified links that point to malicious destinations,” PerimeterX founder and CTO Ido Safruti wrote in a blog post, on Tuesday.

Bad actors can inject harmful code or links into “seemingly innocuous exchanges,” according to Safruti, causing unsuspecting users to click on malicious links that appear to them like messages from a friend.

“These message modifications would be completely invisible to the untrained eye,” he wrote. “Such attacks would be possible by simply modifying the JavaScript code of a single message prior to delivery to its recipient.”

However, the end game is remote code-execution — a potential outcome in some browsers, according to the researchers.

For More Details : https://threatpost.com/whatsapp-bug-malicious-code-injection-rce/152578/

45




The file-sharing service also disclosed details of past notable bugs for the first time.

Dropbox, the cloud-based file-sharing service, has reported that it has paid out more than $1 million to bug-bounty hunters since starting its program in 2014.

The milestone comes after the service tripled its bounties in 2017, and after running two live hacking events with the HackerOne platform.

“Additionally, charities have also benefited from our continued investment in security through bug-bounty reporters that have leveraged our donation-matching policy to donate more than $10,000 to charities around the world,” the company said.

For More Details : https://threatpost.com/dropbox-1m-milestone-bug-bounty-payouts/152621/
