The Hacker News — Cyber Security, Hacking, Technology News

Damn! You have to update your Drupal websites.

Yes, of course once again—literally it’s the third time in last 30 days.

As notified in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its Drupal 7 and 8 core.

Drupal is a popular open-source content management system software that powers millions of websites, and unfortunately, the CMS has been under active attacks since after the disclosure of a highly critical remote code execution vulnerability.

The new vulnerability was discovered while exploring the previously disclosed RCE vulnerability, dubbed Drupalgeddon2 (CVE-2018-7600) that was patched on March 28, forcing the Drupal team to release this follow-up patch update.

According to a new advisory released by the team, the new remote code execution vulnerability (CVE-2018-7602) could also allow attackers to take over vulnerable websites completely.

Since the previously disclosed flaw derived much attention and motivated attackers to target websites running over Drupal, the company has urged all website administrators to install new security patches as soon as possible.

• If you are running 7.x, upgrade to Drupal 7.59.
• If you are running 8.5.x, upgrade to Drupal 8.5.3.
• If you are running 8.4.x, which is no longer supported, you need first to update your site to 8.4.8 release and then install the latest 8.5.3 release as soon as possible.

It should also be noted that the new patches will only work if your site has already applied patches for Drupalgeddon2 flaw.

"We are not aware of any active exploits in the wild for the new vulnerability," a drupal spokesperson told The Hacker News. "Moreover, the new flaw is more complex to string together into an exploit."

Technical details of the flaw, can be named Drupalgeddon3, have not been released in the advisory, but that does not mean you can wait until next morning to update your website, believing it won't be attacked.

We have seen how attackers developed automated exploits leveraging Drupalgeddon2 vulnerability to inject cryptocurrency miners, backdoors, and other malware into websites, within few hours after it's detailed went public.

Besides these two flaws, the team also patched a moderately critical cross-site scripting (XSS) vulnerability last week, which could have allowed remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft.

Therefore, Drupal website admins are highly recommended to update their websites as soon as possible.

In a major hit against international cybercriminals, the Dutch police have taken down the world's biggest DDoS-for-hire service that helped cyber criminals launch over 4 million attacks and arrested its administrators.

An operation led by the UK's National Crime Agency (NCA) and the Dutch Police, dubbed "Power Off," with the support of Europol and a dozen other law enforcement agencies, resulted in the arrest of 6 members of the group behind the "webstresser.org" website in Scotland, Croatia, Canada and Serbia on Tuesday.

With over 136,000 registered users, Webstresser website lets its customers rent the service for about £10 to launch Distributed Denial of Service (DDoS) attacks against their targets with little or no technical knowledge.

"With webstresser.org, any registered user could pay a nominal fee using online payment systems or cryptocurrencies to rent out the use of stressers and booters," Europol said.

The service was also responsible for cyber attacks against seven of the UK's biggest banks in November last year, as well as government institutions and gaming industry.

"It's a growing problem, and one we take very seriously. Criminals are very good at collaborating, victimizing millions of users in a moment from anywhere in the world," said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3).

The Webstresser site has now been shut down, and its infrastructure has been seized in the Netherlands, Germany, and the United States. The site has been replaced with a page announcing that law enforcement authorities had taken the service offline.

"As part of the operational activity, an address was identified and searched in Bradford and a number of items seized," NCA said.

Moreover, the authorities have also taken against the top users of this marketplace in the Netherlands, Italy, Spain, Croatia, the United Kingdom, Australia, Canada and Hong Kong, Europol announced.

The Dutch police said the Operation Power Off should send a clear warning to users of sites like webstresser.

"Don't do it," Gert Ras, head of the Dutch police's High Tech Crime unit, said. "By tracking down the DDoS service you use, we strip you of your anonymity, hand you a criminal record and put your victims in a position to claim back damages from you."

The police also reminded people that DDoSing is a crime, for which the "penalties can be severe." If you conduct a DDoS attack, or make, supply or obtain stresser or booter services, you could end up in prison, and fine or both.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Google has finally been rolling out its new massively redesigned Gmail for desktop and mobile to 1.4 billion of users worldwide, which might be the most significant single upgrade in Gmail's history.

This huge revamped version of the email service now offers plenty of new features such as confidential mode, offline support, email snoozing and more, to make Gmail more smarter, secure, and easier to use.

In this article, I have listed details of the most significant changes that you need to know and how to use them. Give it a quick read.

New 'Confidential Mode' Features For Security & Privacy

Are you afraid of sending sensitive documents in an email due to fear of hacking or being forwarded?

Well, now you can simply click the lock icon at the bottom of an email to enable the new Confidential Mode, which lets you add a bunch of extra layers of security (as mentioned below) to the emails of your choice.

1) Self-Destructing Emails: This feature lets you send emails that disappear from the recipient's inbox after a period (between 1 day and five years) you specify or which you can revoke at any time even after you have sent them.

2) Un-Forwardable Emails: Confidential emails open in a special window that does not allow the recipient to forward, copy or print the email, though recipients can still grab a screenshot, or snap a photo from their phone.

3) Two-factor Authentication (2FA) for Emails: If you're paranoid, you can even enable 2FA for a single email, requiring recipients to enter a secret passcode send to them via SMS before opening it.

All the above Confidential Mode features work even with emails sent to non-Gmail users, requiring them to click on a link before opening confidential emails.

New Features That Wouldn't Let You Skip Important Emails

1) Email Snoozing: Google now gives you the ability to snooze emails and become more organized when answering emails.

So, if you notice any emails that require a lengthy response cannot be responded immediately, you can snooze the messages for later. Once snoozed, that email will hide from the inbox and show up again at the time you chose.

This feature is already offered by Google's Inbox app, the mobile version of Microsoft Outlook, but now Google has brought it to Gmail to help you boost productivity.

2) Nudges: While snooze emails are set by you manually, nudges are those reminded to you by Google.

To help your task easier of going through massive amounts of emails to find important emails, Gmail uses artificial intelligence (AI) to remind you of those emails that sit in your inbox unattended and its AI thinks they are important.

Gmail will show up these nudged emails at the top of your inbox with an indicator of how long it’s been sitting there.

3) Smart Replies: Not just Gmail intelligently reminds of important emails to you, it also makes suggestions for tasks that you need to do, like replying to a certain email using "Smart Replies."

With Smart Replies, Google offers you intelligent touch-button responses to the web version of Gmail, a feature that was first introduced in 2015 for the mobile version of Gmail. You can turn this off if you want.

New Features That Supercharge Your Productivity

Besides security and AI, Google is adding a bunch of new management features.

1) Native offline mode: Until now, using Gmail without Internet requires a third-party Chrome plugin to be installed, but now with the built-in offline mode, you can write responses to your emails while on a flight, and then sync your inbox and send them once you land—thanks to Progressive Web Apps (PWA).

2) High-priority notifications: This feature will send you notifications for an incoming email if Gmail thinks it is important to you—based on factors like how typically you respond to email from the sender in question. These features were made available to Inbox users last year.

3) Gmail Tasks: Existed as a to-do list application within Gmail for years, Gmail Tasks is available as part of Gmail and as a standalone app for iOS and Android. The feature has also been given a major upgrade to manage work on the go—from your messages to your calendar.

The biggest new change in Gmail is the sidebar to the right, which gives you quick access to a new version of Google Tasks, pop-up versions of Google Calendar, Keep note-taking app, and 3rd-party services that use Gmail's add-on technology, like Asana, Dialpad, and DocuSign.

4) Inbox enhancers: You can now directly take actions on an email without opening it as you can directly open attachments in an email without having to click into the email itself. You can also RSVP to calendar invitations and even snooze messages without opening them.

5) One-tap unsubscribe prompt: Although Gmail already has a feature that lets users unsubscribe from ads and other bulk email lists you don't respond to, now Gmail proactively ask you tounsubscribe specific lists when it notices you don’t tend to click or you always insta-delete.

6) Anti-Phishing Enhancements: Though Google is already offering anti-phishing functionalities to warn its Gmail users of phishing attempts, the company has now increased the size of the banners (a gigantic, billboard-like message) it puts on top of dodgy emails to warn users they should not click the links within.

Also, if you get an email that is supposedly from one of your contacts, but originates from an unfamiliar email address, Gmail will tell you that something may be wrong.

Here's How to Get New Gmail Right Now

Getting the all new Gmail depends on the type of Google account you have.

If you are a regular Gmail user, you can enable the new Gmail by clicking on the Settings icon in the top-right corner, then select "Try the new Gmail" option, if available.

If you are using the G Suite account for work or school, you can enable the new Gmail through the Early Adopter Program.

The administrator can use the Google Admin console and opt-in to the new Gmail.

However, it should be noted that all the features as mentioned above will not be immediately available at this moment.

Features available at the launch include smart replies, snooze emails and a new tool panel on the right side of Gmail's interface for quickly accessing Tasks and Calendar.

Two separate teams of security researchers have published working proof-of-concept exploits for an unpatchable vulnerability in Nvidia's Tegra line of embedded processors that comes on all currently available Nintendo Switch consoles.

Dubbed Fusée Gelée and ShofEL2, the exploits lead to a coldboot execution hack that can be leveraged by device owners to install Linux, run unofficial games, custom firmware, and other unsigned code on Nintendo Switch consoles, which is typically not possible.

Both exploits take advantage of a buffer overflow vulnerability in the USB software stack of read-only boot instruction ROM (IROM/bootROM), allowing unauthenticated arbitrary code execution on the game console before any lock-out operations (that protect the chip's bootROM) take effect.

The buffer overflow vulnerability occurs when a device owner sends an "excessive length" argument to an incorrectly coded USB control procedure, which overflows a crucial direct memory access (DMA) buffer in the bootROM, eventually allowing data to be copied into the protected application stack and giving attackers the ability to execute code of their choice.
In other words, a user can overload a Direct Memory Access (DMA) buffer within the bootROM and then execute it to gain high-level access on the device before the security part of the boot process comes into play.

"This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) application processors at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3)," hardware hacker Katherine Temkin of ReSwitched, who released Fusée Gelée, said.

However, the exploitation requires users to have physical access to the hardware console to force the Switch into USB recovery mode (RCM), which can simply be done by pressing and shorting out certain pins on the right Joy-Con connector, without actually opening the system.

By the way, fail0verflow said a simple piece of wire from the hardware store could be used to bridge Pin 10 and Pin 7 on the console's right Joy-Con connector, while Temkin suggested that simply exposing and bending the pins in question would also work.

Once done, you can connect the Switch to your computer using a cable (USB A → USB C) and then run any of the available exploits.

Fusée Gelée, released by Temkin, allows device owners only to display device data on the screen, while she promised to release more scripts and full technical details about exploiting Fusée Gelée on June 15, 2018, unless someone else made them public.

She is also working on customized Nintendo Switch firmware called Atmosphère, which can be installed via Fusée Gelée.
On the other hand, ShofEL2 exploit released by famous fail0verflow team allows users to install Linux on Nintendo Switches.

"We already caused temporary damage to one LCD panel with bad power sequencing code. Seriously, do not complain if something goes wrong," fail0verflow team warns.

Meanwhile, another team of hardware hackers Team Xecutor is also preparing to sell an easy-to-use consumer version of the exploit, which the team claims, will "work on any Nintendo Switch console regardless of the currently installed firmware, and will be completely future proof."

Nintendo Can't Fix the Vulnerability Using Firmware Update

The vulnerability is not just limited to the Nintendo Switch and affects Nvidia's entire line of Tegra X1 processors, according to Temkin.

"Fusée Gelée was responsibly disclosed to NVIDIA earlier, and forwarded to several vendors (including Nintendo) as a courtesy," Temkin says.

Since the bootROM component comes integrated into Tegra devices to control the device boot-up routine and all happens in Read-Only memory, the vulnerability cannot be patched by Nintendo with a simple software or firmware update.

"Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever," fail0verflow says. "Nintendo can only patch Boot ROM bugs during the manufacturing process."

So, it is possible for the company to address this issue in the future using some hardware modifications, but do not expect any fix for the Switches that you already own.

Dr. Mordechai Guri, the head of R&D team at Israel's Ben Gurion University, who previously demonstrated various methods to steal data from an air-gapped computer, has now published new research named "BeatCoin."

BeatCoin is not a new hacking technique; instead, it's an experiment wherein the researcher demonstrates how all previously discovered out-of-band communication methods can be used to steal private keys for a cryptocurrency wallet installed on cold storage, preferably an air-gapped computer or Raspberry Pi.

For those unaware, keeping your cryptocurrency protected in a wallet on a device which is entirely offline is called cold storage. Since online digital wallets carry different security risks, some people prefer keeping their private keys offline.

Air-gapped computers are those that are isolated from the Internet, local networks, Bluetooth and therefore, are believed to be the most secure devices and are difficult to infiltrate or exfiltrate.

If you are new to this topic, we recommend reading our previous articles, detailing how highly-motivated attackers can use specially designed malware to exfiltrate data from an air-gapped computer via light, sound, heat, electromagnetic, magnetic, infrared, and ultrasonic waves.
For BeatCoin experiment, Dr. Guri deployed malware on an air-gapped computer that runs a Bitcoin wallet application and then performed each attack vector one-by-one to transmit the wallet keys to a nearby device over covert channels.

"In the adversarial attack model, the attacker infiltrates the offline wallet, infecting it with malicious code," the paper [PDF] reads. "The malware can be pre-installed or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., USB flash drive) is inserted into the wallet’s computer in order to sign a transaction. These attack vectors have repeatedly been proven feasible in the last decade."

Results shown in the above chart suggests AirHopper, MOSQUITO, and Ultrasonic techniques are the fastest way to transmit a 256-bit private key to a remote receiver, whereas, Diskfiltration and Fansmitter methods take minutes.

Guri has also shared two videos. The first one demonstrates exfiltration of private keys from an air-gapped computer, which hardly took a few seconds to transmit data to a nearby smartphone using ultrasonic waves.
In the second video, the researcher transmitted private keys stored on a Raspberry Pi device to the nearby smartphone using the RadIoT attack—a technique to exfiltrate data from air-gapped internet-of-things (IoT) and embedded devices via radio signals.

"The radio signals - generated from various buses and general-purpose input/output (GPIO) pins of the embedded devices - can be modulated with binary data. In this case, the transmissions can be received by an AM or FM receiver located nearby the device."

In the last research published earlier this month, Guri’s team also demonstrated how hackers could use power fluctuations in the current flow "propagated through the power lines" to covertly exfiltrate highly sensitive data out of an air gapped-computer.