Show Posts


Topics - maruf.swe

Pages: 1 2 [3] 4 5 ... 28

The RobbinHood ransomware is using a deprecated Gigabyte driver as the tip of the spear for taking out antivirus products.

The operators behind the RobbinHood ransomware are using a vulnerable, legacy driver from Taiwan-based motherboard manufacturer Gigabyte in order to get around antivirus protections. The “bring-your-own-bug” tactic is likely to crop up in other attacks going forward, according to security analysts.

According to research from Sophos, the driver has a known vulnerability (CVE-2018-19320), and was discontinued in 2018 by the company. However, the Verisign certificate used to digitally sign the driver has not been revoked, so the signature remains valid.

For More Details :


The uncontrolled search path vulnerability allows a local user to use DLLs to escalate privileges and affects Windows PCs.

Dell has patched a high-severity flaw in its SupportAssist software that could allow an attacker to execute arbitrary code with administrator privileges on affected computers.

The flaw, an uncontrolled search path vulnerability that is being tracked as CVE-2020-5316, could allow a locally authenticated user with low privileges to “cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code,” Dell wrote in its explanation of the bug.

The latest bug, discovered by CyberArk security researcher Eran Shimony, who notified Dell, affects both business and home users of Dell systems. The vulnerability exists in Dell SupportAssist for business PCs version 2.1.3 or older and home PCs version 3.4 or older, according to Dell.

For More Details :
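The uncontrolled search path bug above is a DLL search-order hijack: the binary asks the loader for a DLL by bare name, and the loader walks a list of directories in a fixed order, so a low-privileged user who can write to any directory searched before the one holding the real DLL gets their code loaded into the privileged process. The following audit routine is an added example (not from the Threatpost post, Dell, or CyberArk) that models that walk over a constructed directory layout; the directory names and `helper.dll` are placeholders, and the writability probe creates and deletes a temporary file because permission bits alone do not reflect Windows ACLs.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// isWritable reports whether the current user can create a file in dir by
// actually creating and deleting a probe file.
func isWritable(dir string) bool {
	f, err := os.CreateTemp(dir, ".dll-probe-*")
	if err != nil {
		return false
	}
	name := f.Name()
	f.Close()
	os.Remove(name)
	return true
}

// FindHijackPoint walks the directories a loader would search, in order, and
// returns the first directory an attacker could write to that is searched
// BEFORE the directory holding the legitimate DLL. ok is false when the real
// DLL is found first or nothing ahead of it is writable.
func FindHijackPoint(searchOrder []string, dll string) (dir string, ok bool) {
	for _, d := range searchOrder {
		if _, err := os.Stat(filepath.Join(d, dll)); err == nil {
			return "", false // legitimate copy found first: no hijack window
		}
		if st, err := os.Stat(d); err != nil || !st.IsDir() {
			continue // directory absent: the loader skips it
		}
		if isWritable(d) {
			return d, true
		}
	}
	return "", false
}

func main() {
	// Constructed layout standing in for a Windows search order:
	// application directory, then System32, then the current directory.
	root, _ := os.MkdirTemp("", "dllaudit")
	defer os.RemoveAll(root)
	appDir := filepath.Join(root, "Program Files", "Vendor") // hypothetical vendor dir
	sys32 := filepath.Join(root, "Windows", "System32")
	os.MkdirAll(appDir, 0o755)
	os.MkdirAll(sys32, 0o755)
	os.WriteFile(filepath.Join(sys32, "helper.dll"), []byte("real"), 0o644)

	if d, ok := FindHijackPoint([]string{appDir, sys32, "."}, "helper.dll"); ok {
		fmt.Printf("hijackable: plant helper.dll in %s\n", d)
	}
	// A loader restricted to System32 (LoadLibraryEx with
	// LOAD_LIBRARY_SEARCH_SYSTEM32, or SetDefaultDllDirectories) never
	// consults the writable directory, so there is no hijack point.
	if _, ok := FindHijackPoint([]string{sys32}, "helper.dll"); !ok {
		fmt.Println("restricted search order: no hijack point")
	}
}
```

The fix on the vendor side is to load by full path or restrict the search set; on the audit side, run the same walk against each privileged service's real load list and treat any writable directory ahead of the genuine DLL as a finding.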


Overall, Adobe patched flaws tied to 42 CVEs as part of its regularly scheduled updates.

Adobe has released patches addressing a wave of critical flaws in its Framemaker and Flash Player products, which, if exploited, could lead to arbitrary code-execution.

Overall, Adobe stomped out flaws tied to 42 CVEs for its regularly scheduled February updates, with 35 of those flaws being critical in severity. That trumps Adobe’s January security update, which addressed nine vulnerabilities overall, including ones in Adobe Illustrator CC and Adobe Experience Manager.

Adobe Framemaker, a document processor designed for writing and editing large or complex documents, including structured documents, took the brunt of this month’s patches with the most (21) critical flaws.

For More Details :


The high-severity vulnerability could enable denial of service, privilege escalation and information disclosure.

Intel is warning of a high-severity flaw in the firmware of its converged security and management engine (CSME), which if exploited could allow privilege escalation, denial of service and information disclosure.

CSME powers Intel’s Active Management System hardware and firmware technology, used for remote out-of-band management in consumer or corporate PCs, Internet of Things (IoT) devices, and workstations.

The subsystem of CSME has an improper authentication bug (CVE-2019-14598), which has a CVSS score of 8.2 out of 10.0, making it high severity. A privileged user, with local access, could exploit the flaw to launch an array of attacks, according to Intel.

For More Details :


There are 12 critical and five previously disclosed bugs in the February 2020 Patch Tuesday Update.

Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical – and the rest are rated as being important.

The update includes a patch for the zero-day memory-corruption vulnerability disclosed in late January that’s under active attack. The bug tracked as CVE-2020-0674 is a critical flaw for most Internet Explorer versions, allowing remote code-execution and complete takeover.

For More Details :


Among other issues, the music platform didn’t limit the number of login attempts someone could make.

Online music platform SoundCloud, which can be thought of as an audio-based YouTube for music creators, has addressed several security bugs in its APIs that could lead to denial-of-service (DoS) or account takeover via credential-stuffing.

SoundCloud recently sold a $75 million stake to satellite radio giant SiriusXM and the two also inked a lucrative ad deal. SoundCloud claims to host 200 million different music tracks on its online platform.

According to researcher Paulo Silva of Checkmarx Security Research, three different groups of security vulnerabilities were found in the platform: an authentication issue which could lead to account takeover; a rate-limiting bug that could lead to DoS; and an improper input validation issue.

For More Details :
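The rate-limiting point above is the one a login endpoint most often gets wrong: a per-account lockout alone does nothing against credential stuffing, where one client tries a leaked password list across thousands of accounts and never trips any single account's counter. The limiter below is an added example (not SoundCloud's code or Checkmarx's finding) that keeps a sliding window of failures keyed both by account and by client IP; the window sizes, budgets, account names and the TEST-NET addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// Limiter keeps a sliding window of failed login attempts keyed by account
// and by client IP. The per-account budget stops brute force against one
// user; the per-IP budget is what stops credential stuffing.
type Limiter struct {
	window     time.Duration
	maxAccount int
	maxIP      int
	failures   map[string][]time.Time // key: "acct:<name>" or "ip:<addr>"
}

func NewLimiter(window time.Duration, maxAccount, maxIP int) *Limiter {
	return &Limiter{window: window, maxAccount: maxAccount, maxIP: maxIP,
		failures: map[string][]time.Time{}}
}

// prune drops timestamps that have aged out of the window and returns the
// number of failures still counted against key.
func (l *Limiter) prune(key string, now time.Time) int {
	kept := l.failures[key][:0]
	for _, ts := range l.failures[key] {
		if now.Sub(ts) < l.window {
			kept = append(kept, ts)
		}
	}
	l.failures[key] = kept
	return len(kept)
}

// Allow reports whether a login attempt for account from ip may proceed.
// Call it BEFORE checking the password so a locked account cannot be probed.
func (l *Limiter) Allow(account, ip string, now time.Time) bool {
	return l.prune("acct:"+account, now) < l.maxAccount &&
		l.prune("ip:"+ip, now) < l.maxIP
}

// RecordFailure registers a failed attempt against both keys.
func (l *Limiter) RecordFailure(account, ip string, now time.Time) {
	l.failures["acct:"+account] = append(l.failures["acct:"+account], now)
	l.failures["ip:"+ip] = append(l.failures["ip:"+ip], now)
}

// Simulate runs a constructed credential-stuffing batch: one IP guessing a
// wrong password against many accounts, one attempt per second. It returns
// how many attempts got through before the per-IP budget cut the client off.
func Simulate(l *Limiter, ip string, accounts []string, start time.Time) int {
	allowed := 0
	for i, acct := range accounts {
		now := start.Add(time.Duration(i) * time.Second)
		if !l.Allow(acct, ip, now) {
			continue
		}
		allowed++
		l.RecordFailure(acct, ip, now)
	}
	return allowed
}

func main() {
	l := NewLimiter(10*time.Minute, 5, 20)
	accounts := make([]string, 100)
	for i := range accounts {
		accounts[i] = fmt.Sprintf("user%03d", i)
	}
	n := Simulate(l, "203.0.113.7", accounts, time.Now())
	fmt.Printf("attacker got %d of %d guesses before the IP budget blocked it\n", n, len(accounts))
}
```

In production the counters live in a shared store rather than a map, and the IP key should be supplemented with a device or session fingerprint, since stuffing campaigns rotate through proxy pools; the structure of the check is the same.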


The release of Firefox 73 fixed high-severity memory safety bugs that could cause arbitrary code execution and missing bounds check that could enable memory corruption.

Mozilla has launched the latest version of its Firefox browser, which knocks out high-severity security flaws that leave systems open to attack by a remote adversary.

The patched version of Mozilla’s browser, launched on Tuesday, is Firefox 73 and Firefox ESR 68.5. The Firefox ESR browser is its Extended Support Release version of Firefox, designed for mass deployments. Both releases tackle six vulnerabilities. Two of the high-severity bugs both allow a remote attacker to execute code on targeted devices by enticing users to visit a specially-crafted web site and exploiting browser memory corruption flaws.

The Mozilla security bulletin said both high-severity flaws are tied to “memory safety bugs within the browser engine”. One of the vulnerabilities, tracked as CVE-2020-6800, was fixed in a previous release of Firefox 72 and the current Firefox ESR 68.5 update on Tuesday. The other vulnerability (CVE-2020-6801) was fixed with the release of Firefox 73, released on Tuesday.

For More Details :


Researchers are urging users of the GDPR Cookie Consent WordPress plugin to update as soon as possible.

A popular WordPress plugin, which helps make websites compliant with the General Data Protection Regulation (GDPR), has issued fixes for a critical flaw. If exploited, the vulnerability could enable attackers to modify content or inject malicious JavaScript code into victim websites.

The plugin, GDPR Cookie Consent, which helps businesses display cookie banners to show that they are compliant with EU’s privacy regulation, has more than 700,000 active installations – making it a ripe target for attackers. The vulnerability, which does not yet have a CVE number, affects GDPR Cookie Consent version 1.8.2 and below. Earlier this week, after the developer was notified of the critical flaw, the GDPR Cookie Consent plugin was removed from the plugin directory “pending a full review” according to the plugin’s directory page. The new version, 1.8.3, was released by Cookie Law Info, the developer behind the plugin, on Feb. 10.

For More Details :


Top stories of this week include a new Emotet Wi-Fi hack and Robbinhood ransomware operators using a “bring your own bug” technique.

Threatpost editors Tara Seals and Lindsey O’Donnell-Welch break down the top stories for this week, ended Feb. 14, including:

    Recent phishing scams – including ones with a romance hook – continue to trick victims, showing that phishing tactics still work in stealing millions from individuals, corporations, and even government agencies.
    Emotet has a newly discovered feature that hacks nearby Wi-Fi networks, allowing the prolific malware to spread rapidly, like a worm.
    The operators behind the Robbinhood ransomware are using a new tactic called “bring your own bug,” which researchers think will continue in future campaigns.
    Patch Tuesday craziness this week included 99 patches from Microsoft, as well as vulnerability fixes from Adobe, Intel and Mozilla Firefox.

For More Details :


The malicious Chrome extensions were secretly collecting users’ browser data and redirecting them to malware-laced websites.

Researchers say that 500 Google Chrome browser extensions were discovered secretly uploading private browsing data to attacker-controlled servers, and redirecting victims to malware-laced websites. The browser extensions, all of which have now been removed, were downloaded millions of times from Google’s Chrome Web Store.

Browser extensions are used for customizing web browsers, modifying user interfaces, blocking ads and managing cookies. But researchers said that the malicious extensions they discovered are instead part of a massive malvertising campaign that also harvested browser data. Malvertising often is used as a vehicle for fraudulent activity, including data exfiltration, phishing or ad fraud. In this particular instance, bad actors were redirecting victims from legitimate online ad streams to malware-laced pages.

For More Details :


Security experts say that 5G supply chain concerns should be taken seriously – whether it’s in the context of Huawei or not.

The controversy over Huawei’s involvement in the 5G telecom gear market ratcheted up a notch this week. U.S. officials said they have evidence that the Chinese equipment giant has had access to backdoors inside mobile carrier networks for more than 10 years.

Officials are trying to make the case that the U.S. and its allies should ban Huawei from supplying infrastructure for 5G networks going forward, due to what they say is the possibility of widespread, Beijing-backed espionage.

Huawei rejected the allegations, and other countries around the world are continuing to build networks using the vendor’s gear despite the U.S. position on the vendor. But security experts say that 5G supply-chain concerns should be taken seriously – whether it’s in the context of Huawei or not.

“A backdoor to a lawful intercept interface could yield a treasure trove of information to a malicious actor — including the current location of a target, details including when and where a call was placed, and even the ability to eavesdrop or listen into a current call,” Russ Mohr, engineer and Apple evangelist at MobileIron, told Threatpost. “A backdoor is an extremely valuable resource to a bad actor, and it is likely that it would be much more valuable as an asset to collect data than as a mounting point for an attack — although it may provide an opportunity to inject ransomware into a 5G network targeting a mobile carrier.”
Latest Allegations

The feds told the Wall Street Journal that Huawei can make use of backdoors that have been put in place by lawful-intercept legislation. Implemented around the world, these laws allow law enforcement to access call records, location data and other wireless network information during the course of a criminal investigation, under certain circumstances (in the U.S. it takes a special court approval process). The idea of lawful intercept is probably best-known from the Patriot Act, passed by the Bush administration in the wake of 9/11. That expanded law enforcement’s access to electronic records in the context of suspected terror threats.

For More Details :


A lack of proper code-signing verification and authentication for firmware updates opens the door to information disclosure, remote code execution, denial of service and more.

Fresh firmware vulnerabilities in Wi-Fi adapters, USB hubs, trackpads and cameras are putting millions of peripheral devices in danger of a range of cyberattacks, according to research from Eclypsium.

TouchPad and TrackPoint firmware in Lenovo Laptops, HP Wide Vision FHD camera firmware in HP laptops and the Wi-Fi adapter on Dell XPS laptops were all found to lack secure firmware update mechanisms with proper code-signing.

“Software and network vulnerabilities are often the more-obvious focus of organizations’ security priorities, but firmware vulnerabilities could give adversaries full control over the compromised device,” Katie Teitler, senior analyst at TAG Cyber, said via email. “This could lead to implanted backdoors, network traffic sniffing, data exfiltration and more. Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch.”
Unsigned Firmware Updates: A Growing Problem

Firmware for peripherals can be burned into the integrated circuit of the device itself, or the component may have its own flash memory where firmware is stored. Firmware can also be dynamically provided by the operating system at boot time. Regardless of the implementation approach, firmware is used as the device-specific operating system for the peripheral in question, and can provide criminals with a rich attack surface if found to be vulnerable.

For More Details :
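Two posts on this page describe opposite failures of the same control. The Eclypsium research above found peripheral firmware that is flashed with no signature check at all, while the RobbinHood post earlier on the page shows a driver whose signature is still perfectly valid: the Gigabyte driver is loaded because the signing certificate was never revoked, even though the code is known to be vulnerable. The routine below is an added example serving both passages (not Eclypsium's, Sophos's, Gigabyte's or any vendor's code) of what a hardened update or load path checks: a signature by a trusted key, then a revocation list for the signer, then a block list of image hashes that were validly signed but later found vulnerable. Ed25519 stands in for whatever the real vendor scheme uses, the key IDs are SHA-256 of the public key, and the image bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the result of checking an image before it is flashed or loaded.
type Verdict string

const (
	Accepted        Verdict = "accepted"
	BadSignature    Verdict = "rejected: signature does not match image"
	RevokedSigner   Verdict = "rejected: signing key has been revoked"
	KnownVulnerable Verdict = "rejected: image hash is on the block list"
)

// Policy is what a hardened update path consults beyond the raw signature.
type Policy struct {
	TrustedKeys  []ed25519.PublicKey
	RevokedKeys  map[string]bool // hex(SHA-256(public key))
	BlockedImage map[string]bool // hex(SHA-256(image))
}

// KeyID derives a stable identifier for a public key (assumption: the
// revocation list is keyed by SHA-256 of the raw key bytes).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// ImageHash is the block-list key for an image.
func ImageHash(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// CheckImage performs the three checks in order. An updater that only does
// the first one accepts the Gigabyte-style case; one that does none of them
// is the Eclypsium case.
func CheckImage(p Policy, image, sig []byte) Verdict {
	for _, pub := range p.TrustedKeys {
		if !ed25519.Verify(pub, image, sig) {
			continue
		}
		if p.RevokedKeys[KeyID(pub)] {
			return RevokedSigner
		}
		if p.BlockedImage[ImageHash(image)] {
			return KnownVulnerable
		}
		return Accepted
	}
	return BadSignature
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v1.0") // stands in for a real blob
	sig := ed25519.Sign(priv, image)
	policy := Policy{
		TrustedKeys:  []ed25519.PublicKey{pub},
		RevokedKeys:  map[string]bool{},
		BlockedImage: map[string]bool{},
	}

	fmt.Println("genuine image:", CheckImage(policy, image, sig))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", CheckImage(policy, tampered, sig))

	policy.BlockedImage[ImageHash(image)] = true
	fmt.Println("validly signed, known vulnerable:", CheckImage(policy, image, sig))

	policy.RevokedKeys[KeyID(pub)] = true
	fmt.Println("signer revoked:", CheckImage(policy, image, sig))
}
```

The ordering matters for operations: a revoked key rejects everything it ever signed, whereas the hash block list lets a vendor pull one bad build while older and newer builds from the same key keep working, which is the lever the Gigabyte case lacked.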


Websites using a vulnerable version of the WordPress plugin, ThemeGrill Demo Importer, are being targeted by attackers.

Researchers are urging users of a vulnerable WordPress plugin, ThemeGrill Demo Importer, to update as soon as possible after discovering attackers are actively exploiting a flaw in the plugin.

The ThemeGrill Demo Importer plugin is owned by ThemeGrill, which offers various templates for website outlines. This WordPress plugin helps users import and manage ThemeGrill templates on their sites. As of last week, the plugin had 200,000 active installations. According to WebARX, which discovered the flaw, that number had dipped to 100,000 installs as of Tuesday. It is unclear at this time what accounts for the drop in the number of WordPress plugin installs.

Researchers disclosed a flaw in the plugin this week, which allows unauthenticated, remote attackers to execute some administrator functions – without checking if they are an administrator. One such function is the capability to wipe the entire database of the vulnerable website, bringing it to its default state and clearing website databases of existing posts and user roles. And, after carrying out this action, an attacker would also then be logged in as an administrator –  giving them complete control over the website.

For More Details :


APT34/OilRig and APT33/Elfin have established a highly developed and persistent infrastructure that could be converted to distribute destructive wiper malware.

Two Iran-backed APTs could be working together on a sprawling, three-year campaign to compromise high-value organizations from the IT, telecom, oil and gas, aviation, government and security sectors in Israel and around the world, according to a report by researchers at ClearSky.

They maintain that APT34/OilRig and APT33/Elfin appear to be linked to the campaign (which they dubbed Fox Kitten). The offensive has resulted in the establishment of a highly developed and persistent infrastructure of access to company networks, which has been used for reconnaissance and espionage, they said. However, it’s also the perfect launchpad for the deployment of destructive malware such as ZeroCleare and Dustman, researchers noted, both of which have been linked to the APTs.

For More Details :


A new Emotet campaign is spread via SMS messages pretending to be from banks and may have ties to the TrickBot trojan.

Attackers are sending SMS messages purporting to be from victims’ banks – but once they click on the links in the text messages, they are asked to hand over their banking credentials and download a file that infects their systems with the Emotet malware.

Emotet has continued to evolve since its return in September, including a new, dangerous Wi-Fi hack feature disclosed last week that can let the malware spread like a worm. Now, this most recent campaign delivers the malware via “smishing,” a form of phishing that relies on text messages instead of email. While smishing is certainly nothing new, researchers say that the delivery tactic exemplifies Emotet’s operators constantly swapping up their approaches to go beyond mere malspam emails – making it hard for defense teams to keep up.

For More Details :
