The Hacker News — Cyber Security, Hacking, Technology News

Google researcher has discovered a severe vulnerability in modern web browsers that could have allowed websites you visit to steal the sensitive content of your online accounts from other websites that you have logged-in the same browser.

Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.

For security reasons, modern web browsers don't allow websites to make cross-origin requests to a different domain unless any domain explicitly allows it.

That means, if you visit a website on your browser, it can only request data from the same origin the site was loaded from, preventing it from making any unauthorized request on your behalf in an attempt to steal your data from other sites.

However, web browsers do not respond in the same way while fetching media files hosted on other origins, allowing a website you visit to load audio/video files from different domains without any restrictions.

Moreover, browsers also support range header and partial content responses, allowing websites to serve partial content of a large media file, which is useful while playing a large media or downloading files with pause and resume ability.

In other words, media elements have an ability to join pieces of multiple responses together and treat it as a single resource.

However, Archibald found that Mozilla FireFox and Microsoft Edge allowed media elements to mix visible and opaque data or opaque data from multiple sources together, leaving a sophisticated attack vector open for attackers.
In a blog post published today, Archibald detailed this vulnerability, which he dubbed Wavethrough, explaining how an attacker can leverage this feature to bypass protections implemented by browsers that prevent cross-origin requests.

"Bugs started when browsers implemented range requests for media elements, which wasn't covered by the standard. These range requests were genuinely useful, so all browsers did it by copying each others behaviour, but no one integrated it into the standard," Archibald explained.

According to Archibald, this loophole can be exploited by a malicious website using an embedded media file on its webpage, which if played, only serves partial content from its own server and asks the browser to fetch rest of the file from a different origin, forcing the browser to make a cross-origin request.

The second request, which actually is a cross-origin request and should be restricted, will be successful because mixing visible and opaque data are allowed for a media file, allowing one website to steal content from the other.

"I created a site that does the above. I used a PCM WAV header because everything after the header is valid data, and whatever Facebook returned would be treated as uncompressed audio," Archibald said.

Archibald has also published a video, and a proof-of-concept exploit demonstrating how a malicious website can fetch your private content from websites like Gmail and Facebook, whose response will be same for the malicious site as your browser loads them for you.


Since Chrome and Safari already have a policy in place to reject such cross-origin requests as soon as they see any redirection after the underlying content appears to have changed between requests, their users are already protected.

"This is why standards are important. I believe Chrome had a similar security issue long ago, but instead of just fixing it in Chrome, the fix should have been written into a standard, and tests should have been written for other browsers to check against," Archibald said.

FireFox and Edge browsers that were found vulnerable to this issue have also patched the vulnerability in their latest versions after Archibald responsibly reported it to their security teams.

Therefore, FireFox and Edge browser users are highly recommended to make sure that they are running the latest version of these browsers.

Security-oriented BSD operating system OpenBSD has decided to disable support for Intel's hyper-threading performance-boosting feature, citing security concerns over Spectre-style timing attacks.

Introduced in 2002, Hyper-threading is Intel's implementation of Simultaneous Multi-Threading (SMT) that allows the operating system to use a virtual core for each physical core present in processors in order to improve performance.

The Hyper-threading feature comes enabled on computers by default for performance boosting, but in a detailed post published Tuesday, OpenBSD maintainer Mark Kettenis said such processor implementations could lead to Spectre-style timing attacks.

"SMT (Simultaneous multithreading) implementations typically share TLBs and L1 caches between threads," Kettenis wrote. "This can make cache timing attacks a lot easier, and we strongly suspect that this will make several Spectre-class bugs exploitable."

In cryptography, side-channel timing attack allows attackers to compromise a system by analyzing the time taken to execute cryptographic algorithms. By measuring the precise time taken for each operation, an attacker can inversely calculate the input values to reveal confidential information.

Meltdown and Spectre-class vulnerabilities discovered earlier this year would be excellent examples of timing attacks.

Therefore, to prevent users of the OpenBSD operating system from such previously disclosed, as well as future timing attacks, the OpenBSD project has disabled the hyper-threading feature on Intel processors by default, as part of system hardening.

What About System Performance?

You might be thinking, removing this optimization feature could impact the performance of your system negatively, but OpenBSD doesn't think so.

Kettenis believes that switching off SMT will not have any negative effect on the system performance, saying leaving it enabled could actually slow down most compute workloads on CPUs with more than two physical cores.

Kettenis also stressed that OpenBSD will also disable the built-in SMT feature by default for CPUs from other vendors, like AMD, in the future.

"We really should not run different security domains on different processor threads of the same core," Kettenis wrote.

OpenBSD has rolled out a new setting via "hw.smt sysctl" that, by default, disables SMT support, and those who want to leverage simultaneous multithreading feature can manually enable it.

However, the new toggle feature only available for Intel CPUs running OpenBSD/amd64 for now and soon will be extended to other vendors and hardware architectures.

Security researchers have been warning about a simple technique that cyber criminals and email scammers are using in the wild to bypass most AI-powered phishing detection mechanisms implemented by widely used email services and web security scanners.

Dubbed ZeroFont, the technique involves inserting hidden words with a font size of zero within the actual content of a phishing email, keeping its visual appearance same, but at the same time, making it non-malicious in the eyes of email security scanners.

According to cloud security company Avanan, Microsoft Office 365 also fails to detect such emails as malicious crafted using ZeroFont technique.
Like Microsoft Office 365, many emails and web security services use natural language processing and other artificial intelligence-based machine learning techniques to identify malicious or phishing emails faster.

The technology helps security companies to analyze, understand and derive meaning from unstructured text embedded in an email or web page by identifying text-based indicators, like email scams mimicking a popular company, phrases used to request for payments or password resets, and more.
However, by adding random zero font-size characters between the indicator texts present in a phishing email, cybercriminals can transform these indicators into an unstructured garbage text, hiding them from the natural language processing engine.

Therefore, the email looks normal to a human eye, but Microsoft reads the entire garbage text, even if some words are displayed with a font size of "0."

"Microsoft can not identify this as a spoofing email because it cannot see the word 'Microsoft' in the un-emulated version," reads Avanan's blog post. "Essentially, the ZeroFont attack makes it possible to display one message to the anti-phishing filters and another to the end user."

Besides the ZeroFont technique, Avanan also detected hackers using other similar tricks that involve Punycode, Unicode, or Hexadecimal Escape Characters in their phishing attacks.

Last month, researchers from the same company reported that cybercriminals had been splitting up the malicious URL in a way that the Safe Links security feature in Office 365 fails to identify and replace the partial hyperlink, eventually redirecting victims to the phishing site.

Good news, we bring an amazing deal of this month for our readers, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!

Remember the 'Olympic Destroyer' cyber attack?

The group behind it is still alive, kicking and has now been found targeting biological and chemical threat prevention laboratories in Europe and Ukraine, and a few financial organisation in Russia.

Earlier this year, an unknown group of notorious hackers targeted Winter Olympic Games 2018, held in South Korea, using a destructive malware that purposely planted sophisticated false flags to trick researchers into mis-attributing the campaign.

Unfortunately, the destructive malware was successful to some extent, at least for a next few days, as immediately after the attack various security researchers postmortem the Olympic Destroyer malware and started attributing the attack to different nation-state hacking groups from North Korea, Russia, and China.

Later researchers from Russian antivirus vendor Kaspersky Labs uncovered more details about the attack, including the evidence of false attribution artifacts, and concluded that the whole attack was a masterful operation in deception.
Now according to a new report published today by Kaspersky Labs, the same group of hackers, which is still unattributed, has been found targeting organisations in Russia, Ukraine, and several European countries in May and June 2018, specifically those organizations that respond to and protect against biological and chemical threats.

New Attack Shares Similarities With Olympic Destroyer

During their investigation, researchers found that the exploitation and deception tactics used by the newly discovered campaign share many similarities with the Olympic Destroyer attack.

"In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past," the researchers said. "They continue to use a non-binary executable infection vector and obfuscated scripts to evade detection."

Just like Olympic Destroyer, the new attack also targets users affiliated with specific organisations using spear-phishing emails that appear as coming from an acquaintance, with an attached document.

If the victims open the malicious document, it leverages macros to download and execute multiple PowerShell scripts in the background and install the final 3rd-stage payload to take remote control over the victims' system.

Researchers found that the technique used to obfuscate and decrypt the malicious code is same as used in the original Olympic Destroyer spear-phishing campaign.

The second-stage script disables Powershell script logging to avoid leaving traces and then downloads the final "Powershell Empire agent" payload, which allows fileless control of the compromised systems over an encrypted communication channel.

Hackers Target Biological and Chemical Threat Prevention Laboratories

According to the researchers, the group has attempted to gain access to computers in countries, including France, Germany, Switzerland, Russia, and Ukraine.
Researchers found evidence of hackers primarily targeting people affiliated with an upcoming biochemical threat conference, called Spiez Convergence, held in Switzerland and organized by Spiez Laboratory.

Spiez Laboratory played an essential role in investigating the poisoning in March of a former Russian spy in the UK. The U.K. and the U.S. both said Russia was behind the poisoning and expelled dozens of Russian diplomats.

Another document targeted Ministry of Health in Ukraine.

It is not yet known that who behind these attacks, but Kaspersky advises all biochemical threat prevention and research organizations to strengthen their IT security and run unscheduled security audits.

Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks.

The campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers from Kaspersky Labs, who have attributed these attacks to a Chinese-speaking threat actor group called LuckyMouse.

LuckyMouse, also known as Iron Tiger, EmissaryPanda, APT 27 and Threat Group-3390, is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year.

The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.

This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain "access to a wide range of government resources at one fell swoop."

According to the researchers, the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks.
Although LuckyMouse has been spotted using a widely used Microsoft Office vulnerability (CVE-2017-11882) to weaponize Office documents in the past, researchers have no proofs of this technique being used in this particular attack against the data center.

The initial attack vector used in the attack against the data center is unclear, but researchers believe LuckyMouse possibly had conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center.

The attack against the data center eventually infected the targeted system with a piece of malware called HyperBro, a Remote Access Trojan (RAT) deployed to maintain persistence in the targeted system and for remote administration.

"There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites," the researchers said in a blog post published today.

"These events suggest that the data center infected with HyperBro and the waterholing campaign are connected."

As a result of the waterholing attack, the compromised government websites redirected the country's visitors to either penetration testing suite Browser Exploitation Framework (BeEF) that focuses on the web browser, or the ScanBox reconnaissance framework, which perform the same tasks as a keylogger.

The main command and control (C&C) server used in this attack is hosted on an IP address which belongs to a Ukrainian ISP, specifically to a MikroTik router running a firmware version released in March 2016.

Researchers believe the Mikrotik router was explicitly hacked for the campaign in order to process the HyperBro malware's HTTP requests without detection.

Hell Yeah! Another security vulnerability has been discovered in Intel chips that affects the processor's speculative execution technology—like Specter and Meltdown—and could potentially be exploited to access sensitive information, including encryption related data.

Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw and keep their customers protected.

The company has not yet released technical details about the vulnerability, but since the vulnerability resides in the CPU, the flaw affects all devices running Intel Core-based microprocessors regardless of the installed operating systems, except some modern versions of Windows and Linux distributions.

As the name suggests, the flaw leverages a system performance optimization feature, called Lazy FP state restore, embedded in modern processors, which is responsible for saving or restoring the FPU state of each running application 'lazily' when switching from one application to another, instead of doing it 'eagerly.'

"System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch," Intel says while describing the flaw. 

"Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value."

According to the Red Hat advisory, the numbers held in FPU registers could potentially be used to access sensitive information about the activity of other applications, including parts of cryptographic keys being used to secure data in the system.

All microprocessors starting with Sandy Bridge are affected by this designing blunder, which means lots of people again should gear them up to fix this vulnerability as soon as the patches are rolled out.

However, it should be noted that, unlike Spectre and Meltdown, the latest vulnerability does not reside in the hardware. So, the flaw can be fixed by pushing patches for various operating systems without requiring new CPU microcodes from Intel.

According to Intel, since the flaw is similar to Spectre Variant 3A (Rogue System Register Read), many operating systems and hypervisor software have already addressed it.

Red Hat is already working with its industry partners on a patch, which will be rolled out via its standard software release mechanism.

AMD processors are not affected by this issue.

Also, modern versions of Linux—from kernel version 4.9, released in 2016, and later are not affected by this flaw. Only if you are using an older Kernel, you are vulnerable to this vulnerability.

Moreover, modern versions of Windows, including Server 2016, and latest spins of OpenBSD and DragonflyBSD are not affected by this flaw.

Microsoft has also published a security advisory, offering guidance for the Lazy FP State Restore vulnerability and explaining that the company is already working on security updates, but they will not be released until the next Patch Tuesday in July.

Microsoft says that Lazy restore is enabled by default in Windows and cannot be disabled, adding that virtual machines, kernel, and processes are affected by this vulnerability. However, customers running virtual machines in Azure are not at risk.

Cortana, an artificial intelligence-based smart assistant that Microsoft has built into every version of Windows 10, could help attackers unlock your system password.

With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana that could allow hackers to break into a locked Windows 10 system and execute malicious commands with the user's privileges.

In worst case scenario, hackers could also compromise the system completely if the user has elevated privileges on the targeted system.
The elevation of privilege vulnerability, tracked as CVE-2018-8140 and reported by McAfee security researchers, resides due to Cortana's failure to adequately check command inputs, which eventually leads to code execution with elevated permissions.

"An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status," Microsoft explains. "An attacker who successfully exploited the vulnerability could execute commands with elevated permissions."

Microsoft has classified the flaw as "important" because exploitation of this vulnerability requires an attacker to have physical or console access to the targeted system and the targeted system also needs to have Cortana enabled.

Cedric Cochin of McAfee's Advanced Threat Research (ATR) team has published technical details of the flaw, and also provided a step-by-step proof-of-concept video tutorial, showing how he hijacked a locked Windows 10 computer by carrying out a full password reset using Cortana.

"Cochin discovered that by simply typing while Cortana starts to listen to a request or question on a locked device, he could bring up a search menu. Cochin didn’t even have to say anything to Cortana, but simply clicked on the "tap and say" button and started typing in words," a blog post on McAfee explained.

Cochin represents three different attack vectors, demonstrating how the Cortana flaw could be used for various nefarious purposes, such as retrieving confidential information, logging into a locked device and even run malicious code from the locked screen.
McAfee recommends users to turn off Cortana on the lock screen in order to prevent such attacks. Although Microsoft has patched the vulnerability with its latest security updates released yesterday, many PCs will not be running the latest updates just yet.

Despite warnings about the threat of leaving insecure remote services enabled on Android devices, manufacturers continue to ship devices with open ADB debug port setups that leave Android-based devices exposed to hackers.

Android Debug Bridge (ADB) is a command-line feature that generally uses for diagnostic and debugging purposes by helping app developers communicate with Android devices remotely to execute commands and, if necessary, completely control a device.

Usually, developers connect to ADB service installed on Android devices using a USB cable, but it is also possible to use ADB wirelessly by enabling a daemon server at TCP port 5555 on the device.

If left enabled, unauthorized remote attackers can scan the Internet to find a list of insecure Android devices running ADB debug interface over port 5555, remotely access them with highest "root" privileges, and then silently install malware without any authentication.

Therefore, vendors are recommended to make sure that the ADB interface for their Android devices is disabled before shipping. However, many vendors are failing to do so.

In a Medium blog post published Monday, security researcher Kevin Beaumont said there are still countless Android-based devices, including smartphones, DVRs, Android smart TVs, and even tankers, that are still exposed online.

"This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’* — the administrator mode — and then silently install software and execute malicious functions," Beaumont said.

The threat is not theoretical, as researchers from Chinese security firm Qihoo 360's NetLab discovered a worm, dubbed ADB.Miner, earlier this year, that was exploiting the ADB interface to infect insecure Android devices with a Monero (XMR) mining malware.
Smartphones, smart TVs, and TV set-top boxes were believed to be targeted by the ADB.Miner worm, which managed to infect more than 5,000 devices in just 24 hours.

Now, Beaumont once again raised the community concerns over this issue. Another researcher also confirmed that the ADB.Miner worm spotted by Netlab in February is still alive with millions of scans detected in the past month itself.

"@GossiTheDog inspired me to take a look back at the ADB.Miner worm, which I've been fingerprinting in February. It seems that it lives and it feels pretty well. I've checked out two days (4th, 5th of June) - about 40 000 unique IP addresses. I'll provide some deep analysis soon," Piotr Bazydło, IT Security researcher at NASK, tweeted.

Although it is difficult to know the exact number of devices due to Network Address Translation and dynamic IP reservations, Beaumont says "it is safe to say 'a lot.'"

In response to Beaumont's blog post, the Internet of Things (IoT) search engine Shodan also added the capability to look for port 5555. Based on the scanning IP addresses, the majority of exposed devices are found in Asia, including China and South Korea.

Kevin advises vendors to stop shipping products with Android Debug Bridge enabled over a network, as it creates a Root Bridge—a situation anybody can misuse the devices.

Since ADB debug connection is neither encrypted nor requires any password or key exchange, Android device owners are advised to disable it immediately.

Security researchers have been warning about cybercriminals who have made over 20 million dollars in just past few months by hijacking insecurely configured Ethereum nodes exposed on the Internet.

Qihoo 360 Netlab in March tweeted about a group of cybercriminals who were scanning the Internet for port 8545 to find insecure geth clients running Ethereum nodes and, at that time, stole 3.96234 units of Ethereum cryptocurrency (Ether).

However, researchers now noticed that another cybercriminal group have managed to steal a total 38,642 Ether, worth more than $20,500,000 at the time of writing, in past few months by hijacking Ethereum wallets of users who had opened their JSON-RPC port 8545 to the outside world.

Geth is one of the most popular clients for running Ethereum node and enabling JSON-RPC interface on it allows users to remotely access the Ethereum blockchain and node functionalities, including the ability to send transactions from any account which has been unlocked before sending a transaction and will stay unlocked for the entire session.
Here's the attackers' Ethereum account address, where all the stolen funds have been collected:

0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464

By simply searching this address on the Internet, we found dozens of forums and websites where users have posted details of similar incidents happened with them, describing about the same account address hackers used to stole their funds from the insecurely configured Ethereum nodes.

According to an advisory issued by Ethereum Project three years ago, leaving the JSON-RPC interface on an internet-accessible machine without a firewall policy opens up your cryptocurrency wallet to theft "by anybody who knows your [wallet] address in combination with your IP."

NetLab researchers warned that not only the above-mentioned cybercriminal group but other attackers are also actively scanning the Internet for insecure JSON-RPC interface to steal funds from cryptocurrency wallets.

"If you have honeypot running on port 8545, you should be able to see the requests in the payload. Which has the wallet addresses. And there are quite a few ips scanning heavily on this port now," 360 Netlab tweeted.

Users who have implemented Ethereum nodes are advised only to allow connections to the geth client originating from the local computer, or to implement user-authorization if remote RPC connections need to be enabled.

CompTIA, a global provider of vendor-neutral IT certifications, offers a wide range of popular certifications such as A+, Network+, Cloud+, Linux+, and Security+ certifications [...]

In its years-long efforts to censor the Internet by blocking access to a large number of websites in the country, Russia has now approved a new bill introducing fines for search engines that provide links to banned sites, VPN services, and anonymization tools.

VPNs, or Virtual Private Networks, are third-party services that help users access block banned websites by encrypting users' Internet traffic and routing it through a distant connection, hiding their location data and access sites that are usually restricted or censored by a specific country.

According to the amendments to the Code of Administrative Offenses of the Russian Federation, besides introducing fines for providing links to banned resources, the lower house of Russian parliament, the State Duma, will also impose fines on search engines if they fail to stop issuing links to resources providing up-to-date database of blocked domains upon users request.

According to the bill, individuals who break the law will face fine of 3,000 to 5,000 rubles (approx. $48 to $80), officials will face fines up to 50,000 rubles (approx. $800), and legal entities could be fined 500,000 to 700,000 (nearly $8,019 to $11,227), reports Russian State Duma Government site.

The bill to the Code of Administrative Offenses is associated with the law on anonymizers adopted at the end of the spring session of the State Duma in 2017.

Many Russian citizens use VPNs and other Internet proxy services to access blocked content by routing their traffic through servers outside the country.

However, Russian authorities have begun to crack down on Internet freedoms by tighten controls on online services in recent years, citing concerns about the spread of extremist materials.

As a result, last year, Russian authorities made it mandatory for VPN and anonymizer services operating in the country to register themselves with the state.

However, many VPNs and anonymizers have still not registered themselves, which is why the country has introduced fines for search engines that provide links to banned sites, VPNs, and anonymization tools.

The Russian communications watchdog Roskomnadzor will also provide a Federal State Information System (FGIS) containing an up-to-date list of banned websites and services in the country, and search engines will be required to connect to FGIS within 30 days.

Those who fail to connect to this system will also face fines similar to those detailed above.

Late last month, Roskomnadzor also threatened Apple to face the consequences for not removing secure messaging app Telegram from its App Store and blocking it from sending push notifications to local users who have already downloaded the app.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

If you have already uninstalled Flash player, well done! But if you haven't, here's another great reason for ditching it.

Adobe has released a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attacks against Windows users.

Independently discovered last week by several security firms—including ICEBRG, Qihoo 360 and Tencent—the Adobe Flash player zero-day attacks have primarily been targeting users in the Middle East using a specially crafted Excel spreadsheet.

"The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers," Qihoo 360 published vulnerability analysis in a blog post.

The stack-based buffer overflow vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions on Windows, MacOS, and Linux, as well as Adobe Flash Player for Google Chrome, and can be exploited to achieve arbitrary code execution on targeted systems.
The vulnerability resides in the interpreter code of the Flash Player that handles static-init methods, which fails to correctly handle the exceptions for try/catch statements.

"Because Flash assumes that it is impossible to execute to the catch block when processing the try catch statement, it does not check the bytecode in the catch block," the researchers explain. "The attacker uses the getlocal, setlocal instruction in the catch block to read and write arbitrary addresses on the stack."

The registration date for a web domain, mimicking a job search website in the Middle East, used as the command and control (C&C) server for zero-day attacks suggests that hackers have been making preparations for the attack since February.

Besides the patch for CVE-2018-5002, Adobe also rolled out security updates for two "important" vulnerabilities—including Integer Overflow bug (CVE-2018-5000) and an Out-of-bounds read issue (CVE-2018-5001)—both of which lead to information disclosure.

So, users are highly recommended to immediately update their Adobe Flash Player to versions 30.0.0.113 via their update mechanism within the software or by visiting the Adobe Flash Player Download Center.

After the discovery of massive VPNFilter malware botnet, security researchers have now uncovered another giant botnet that has already compromised more than 40,000 servers, modems and internet-connected devices belonging to a wide number of organizations across the world.

Dubbed Operation Prowli, the campaign has been spreading malware and injecting malicious code to take over servers and websites around the world using various attack techniques including use of exploits, password brute-forcing and abusing weak configurations.

Discovered by researchers at the GuardiCore security team, Operation Prowli has already hit more than 40,000 victim machines from over 9,000 businesses in various domains, including finance, education and government organisations.

Here's the list devices and services infected by the Prowli malware:

• Drupal and WordPress CMS servers hosting popular websites
• Joomla! servers running the K2 extension
• Backup servers running HP Data Protector software
• DSL modems
• Servers with an open SSH port
• PhpMyAdmin installations
• NFS boxes
• Servers with exposed SMB ports
• Vulnerable Internet-of-Thing (IoT) devices

All the above targets were infected using either a known vulnerability or credential guessing.

Prowli Malware Injects Cryptocurrency Miner

Since the attackers behind the Prowli attack are abusing the infected devices and websites to mine cryptocurrency or run a script that redirects them to malicious websites, researchers believe they are more focused on making money rather than ideology or espionage.

According to GuardiCore researchers, the compromised devices were found infected with a Monero (XMR) cryptocurrency miner and the "r2r2" worm—a malware written in Golang that executes SSH brute-force attacks from the infected devices, allowing the Prowli malware to take over new devices.

In simple words, "r2r2 randomly generates IP address blocks and iteratively tries to brute force SSH logins with a user and password dictionary. Once it breaks in, it runs a series of commands on the victim," the researchers explain.

These commands are responsible for downloading multiple copies of the worm for different CPU architectures, a cryptocurrency miner and a configuration file from a remote hard-coded server.

Attackers Also Tricks Users Into Installing Malicious Extensions

Besides cryptocurrency miner, attackers are also using a well known open source webshell called "WSO Web Shell" to modify the compromised servers, eventually allowing attackers to redirect visitors of websites to fake sites distributing malicious browser extensions.

The GuardiCore team traced the campaign across several networks around the world and found the Prowli campaign associated with different industries.

"Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations," the researchers said. "These attacks led us to investigate the attackers' infrastructure and discover a wide-ranging operation attacking multiple services."

How to Protect Your Devices From Prowli-like Malware Attacks

Since the attackers are using a mix of known vulnerabilities and credential guessing to compromise devices, users should make sure their systems are patched and up to date and always use strong passwords for their devices.

Moreover, users should also consider locking down systems and segmenting vulnerable or hard to secure systems, in order to separate them from the rest of their network.

Late last month, a massive botnet, dubbed VPNFilter, was found infecting half a million routers and storage devices from a wide range of manufacturers in 54 countries with a malware that has capabilities to conduct destructive cyber operations, surveillance and man-in-the-middle attacks.

It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought.

Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malware that infected more than 500,000 routers in at least 54 countries, allowing attackers to spy on users, as well as conduct destructive cyber operations.

Initially, it was believed that the malware targets routers and network-attached storage from Linksys, MikroTik, NETGEAR, and TP-Link, but a more in-depth analysis conducted by researchers reveals that the VPNFilter also hacks devices manufactured by ASUS, D-Link, Huawei, Ubiquiti, QNAP, UPVEL, and ZTE.

"First, we have determined that are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Lin," the researchers say.

To hijack devices manufactured by above listed affected vendors, the malware simply relies on publicly-known vulnerabilities or use default credentials, instead of exploiting zero-day vulnerabilities.

VPNFilter 'ssler' — Man-in-the-Middle Attack Module

Besides this, the researchers primarily shared technical details on a new stage 3 module, named "ssler," which is an advanced network packet sniffer that, if installed, allows hackers to intercept network traffic passing through an infected router and deliver malicious payloads using man-in-the-middle attacks.

"Ssler module provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80," the researchers say.

This 3rd-stage module also makes the malware capable of maintaining a persistent presence on an infected device, even after a reboot.

The ssler module has been designed to deliver custom malicious payloads for specific devices connected to the infected network using a parameter list, which defines the module's behavior and which websites should be targeted.

These parameters include settings to define the location of a folder on the device where stolen data should be stored, the source and destination IP address for creating iptable rules, as well as the targeted URL of the JavaScript injection.

To setup packet sniffing for all outgoing web requests on port 80, the module configures the device's iptables immediately after its installation to redirect all network traffic destined for port 80 to its local service listening on port 8888.

"To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes," the researchers explain.

To target HTTPS requests, the ssler module also performs SSLStrip attack, i.e., it downgrades HTTPS connections to HTTP, forcing victim web browsers into communicating over plaintext HTTP.

VPNFilter 'dstr' — Device Destruction Module

As briefed in our previous article, VPNFilter also has a destructive capability (dstr module) that can be used to render an infected device unusable by deleting files necessary for normal device operation.

The malware triggers a killswitch for routers, where it first deliberately kills itself, before deleting the rest of the files on the system [named vpnfilter, security, and tor], possibly in an attempt to hide its presence during the forensic analysis.

This capability can be triggered on individual victim machines or en masse, potentially cutting off internet access for hundreds of thousands of victims worldwide.

Simply Rebooting Your Router is Not Enough

Despite the FBI seizure of a key command and control server right after the discovery of VPNFilter, the botnet still remains active, due to its versatile, multi-stage design.

Stage 1 of the malware can survive a reboot, gaining a persistent foothold on the infected device and enabling the deployment of stages 2 and 3 malware. So, each time an infected device is restarted, stages 2 and 3 are re-installed on the device.

This means, even after the FBI seized the key C&C server of VPNFilter, hundreds of thousands of devices already infected with the malware, likely remain infected with stage 1, which later installs stages 2 and 3.

Therefore, rebooting alone is not enough to completely remove the VPNFilter malware from infected devices, and owners of consumer-grade routers, switches, and network-attached storage devices need to take additional measures, which vary from model to model. For this, router owners are advised to contact their manufacturer.

For some devices, resetting routers to factory default could remove the potentially destructive malware, along with removing stage 1, while some devices can be cleaned up with a simple reboot, followed by updating the device firmware.

And as I said earlier, mark these words again: if your router cannot be updated, throw it away and buy a new one. Your security and privacy is more than worth a router's price.

Security researchers at British software firm Snyk have revealed details of a critical vulnerability that affects thousands of projects across many ecosystems and can be exploited by attackers to achieve code execution on the target systems.

Dubbed "Zip Slip," the issue is an arbitrary file overwrite vulnerability that triggers from a directory traversal attack while extracting files from an archive and affects numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z.

Thousands of projects written in various programming languages including JavaScript, Ruby, Java, .NET and Go—from Google, Oracle, IBM, Apache, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Eclipse, OWASP, ElasticSearch, JetBrains and more—contained vulnerable codes and libraries.

Went undetected for years, the vulnerability can be exploited using a specially crafted archive file that holds directory traversal filenames, which if extracted by any vulnerable code or a library, would allow attackers to unarchive malicious files outside of the folder where it should reside.
Using this Zip Slip attack an attacker can even overwrite legitimate executable files or configuration files for an application to trick the targeted system or the user into running it, "thus achieving remote command execution on the victim's machine," the company explains.

"The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers." 

"The contents of this zip file have to be handcrafted. Archive creation tools don't typically allow users to add files with these paths, despite the zip specification allowing it. However, with the right tools, it’s easy to create files with these paths."

The company has also published proof-of-concept Zip Slip archives and released a video demonstration, showing how attackers can exploit the Zip Slip vulnerability.

Since April, the company started privately disclosing the Zip Slip vulnerability to all vulnerable libraries and projects maintainers.

A list of all affected libraries and projects has also been posted on Snyk’s GitHub repository, some of which have already fixed the issue with the release of updated versions.

Moreover, you can also read Snyk's blog post to learn more about vulnerable codes in different ecosystems through example snippets.

Not following cybersecurity best practices could not only cost online users but also cost cybercriminals. Yes, sometimes hackers don't take best security measures to keep their infrastructure safe.

A variant of IoT botnet, called Owari, that relies on default or weak credentials to hack insecure IoT devices was found itself using default credentials in its MySQL server integrated with command and control (C&C) server, allowing anyone to read/write their database.

Ankit Anubhav, the principal security researcher at IoT security firm NewSky Security, who found the botnets, published a blog post about his findings earlier today, detailing how the botnet authors themselves kept an incredibly week username and password combination for their C&C server's database.

Guess what the credentials could be?

Username: root
Password: root

These login credentials helped Anubhav gain access to the botnet and fetch details about infected devices, the botnet authors who control the botnet and also some of their customers (a.k.a. black box users), who have rented the botnet to launch DDoS attacks.

"Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the botmaster is available) and cooldown time (time interval between the two attack commands) can also be observed," Anubhav wrote.

Besides this, Anubhav was also able to see the duration limit of the attack such as for how long a client can perform the DDoS attack, maximum available bots for an attack, and the list of various IPs targeted by the DDoS attack.

Anubhav also found another botnet, which was also built with a version of Owari and its database was also exposed via weak credentials.

The C&C servers of both the botnets were located at 80.211.232.43 and 80.211.45.89, which are now offline, as "botnet operators are aware that their IPs will be flagged soon due to the bad network traffic," Anubhav wrote. "Hence to stay under the radar, they often voluntarily change attack IPs."

Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago.

Security researcher Troy Mursch scanned the whole Internet and found over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repetitive warnings.

Drupalgeddon2 (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites.

For those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user.

Since Drupalgeddon2 had much potential to derive attention of motivated attackers, the company urged all website administrators to install security patches immediately after it was released in late March and decided not to release any technical details of the flaw initially.
However, attackers started exploiting the vulnerability only two weeks after complete details and proof-of-concept (PoC) exploit code of Drupalgeddon2 was published online, which was followed by large-scale Internet scanning and exploitation attempts.

Shortly after that, we saw attackers developed automated exploits leveraging Drupalgeddon 2 vulnerability to inject cryptocurrency miners, backdoors, and other malware into websites, within few hours after it's detailed went public.

Mursch scanned the Internet and found nearly 500,000 websites were running on Drupal 7, out of which 115,070 were still running an outdated version of Drupal vulnerable to Drupalgeddon2.

While analyzing vulnerable websites, Mursch noticed that hundreds of them—including those of Belgium police department, Colorado Attorney General office, Fiat subsidiary Magneti Marelli and food truck locating service—have already been targeted by a new cryptojacking campaign.

Mursch also found some infected websites in the campaign that had already upgraded their sites to the latest Drupal version, but the cryptojacking malware still existed.

We have been warning users since March that if you are already infected with the malware, merely updating your Drupal website would not remove the "backdoors or fix compromised sites." To fully resolve the issue you are recommended to follow this Drupal guide.

Despite the continual emergence of new cyber attacks because of misconfigured servers and applications, people continue to ignore security warnings.

A massive malware campaign designed to target open Redis servers, about which researchers warned almost two months ago, has now grown and already hijacked at least 75% of the total servers running publicly accessible Redis instances.

Redis, or REmote DIctionary Server, is an open source, widely popular data structure tool that can be used as an in-memory distributed database, message broker or cache. Since it is designed to be accessed inside trusted environments, it should not be exposed on the Internet.

Dubbed RedisWannaMine, a similar malware leveraging same loophole was discovered in late March by data center security vendor Imperva and designed to drop a cryptocurrency mining script on the targeted servers—both database and application.

According to Imperva's March blog post, this cryptojacking threat was "more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers' infection rate and fatten their wallets."

A newly published report from the same security firm has now revealed that three-quarters of the open Redis servers accessible from the Internet (over port 6379) contain malicious sets of a key-value pair in the memory, indicating despite multiple warnings administrators continue to leave their servers vulnerable to hackers.

Out of total compromised servers, 68 percent systems were found infected using similar keys, named "backup1, backup2, backup3," which were attacked from a medium-sized botnet located at China (86% of IPs), according to the data Imperva collected from their self-set-up publicly available Redis servers to serve as a honeypot.

Moreover, the attackers have now found using the compromised servers as a proxy to scan and find vulnerabilities, including SQL injection, cross-site scripting, malicious file uploads, and remote code executions, in other websites.

The new attack works by setting a malicious key-value pair in the memory and saving it as a file in the /etc/crontabs folder that forces the server to execute the file.

"Attackers usually set values that include commands to download external remote resource and run it. Another popular type of command is adding SSH keys, so the attacker can remotely access the machine and take it over," Nadav Avital, security research team leader at Imperva, explains in a blog post.

To protect Redis servers from falling victim to such attacks, administrators are advised never to expose their servers to the Internet, but if required, apply authentication mechanism to prevent unauthorized access.

Also, since Redis doesn't use encryption and stores data in plain text, you should never store any sensitive data on these servers.

"Security issues commonly arise when people don’t read the documentation and migrate services to the cloud, without being aware of the consequences or the adequate measures that are needed to do so," Avital said.

The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware being used by the prolific North Korean APT hacking group known as Hidden Cobra.

Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace, financial and critical infrastructure sectors across the world.

The group was even associated with the WannaCry ransomware menace that last year shut down hospitals and businesses worldwide. It is reportedly also linked to the 2014 Sony Pictures hack, as well as the SWIFT Banking attack in 2016.

Now, the Department of Homeland Security (DHS) and the FBI have uncovered two new pieces of malware that Hidden Cobra has been using since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors across the world.

The malware Hidden Cobra is using are—Remote Access Trojan (RAT) known as Joanap and Server Message Block (SMB) worm called Brambul. Let's get into the details of both the malware one by one.

Joanap—A Remote Access Trojan

According to the US-CERT alert, "fully functional RAT" Joanap is a two-stage malware that establishes peer-to-peer communications and manages botnets designed to enable other malicious operations.

The malware typically infects a system as a file delivered by other malware, which users unknowingly download either when they visit websites compromised by the Hidden Cobra actors, or when they open malicious email attachments.

Joanap receives commands from a remote command and control server controlled by the Hidden Cobra actors, giving them the ability to steal data, install and run more malware, and initialize proxy communications on a compromised Windows device.

Other functionalities of Joanap include file management, process management, creation and deletion of directories, botnet management, and node management.

During analysis of the Joanap infrastructure, the U.S. government has found the malware on 87 compromised network nodes in 17 countries including Brazil, China, Spain, Taiwan, Sweden, India, and Iran.

Brambul—An SMB Worm

Brambul is a brute-force authentication worm that like the devastating WannaCry ransomware, abuses the Server Message Block (SMB) protocol in order to spread itself to other systems.

The malicious Windows 32-bit SMB worm functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims' networks by dropper malware.

"When executed, the malware attempts to establish contact with victim systems and IP addresses on victims' local subnets," the alert notes. 

"If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks."

Once Brambul gains unauthorized access to the infected system, the malware communicates information about victim's systems to the Hidden Cobra hackers using email. The information includes the IP address and hostname—as well as the username and password—of each victim's system.

The hackers can then use this stolen information to remotely access the compromised system via the SMB protocol. The actors can even generate and execute what analysts call a "suicide script."

DHS and FBI have also provided downloadable lists of IP addresses with which the Hidden Cobra malware communicates and other IOCs, to help you block them and enable network defenses to reduce exposure to any malicious cyber activity by the North Korean government.

DHS also recommended users and administrators to use best practices as preventive measures to protect their computer networks, like keeping their software and system up to date, running Antivirus software, turning off SMB, forbidding unknown executables and software applications.

Last year, the DHS and the FBI published an alert describing Hidden Cobra malware, called Delta Charlie—a DDoS tool which they believed North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.

Other malware linked to Hidden Cobra in the past include Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, like DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.

A 23-year-old Canadian man, who pleaded guilty last year for his role in helping Russian government spies hack into email accounts of Yahoo users and other services, has been sentenced to five years in prison.

Karim Baratov (a.k.a Karim Taloverov, a.k.a Karim Akehmet Tokbergenov), a Kazakhstan-born Canadian citizen, was also ordered on Tuesday by United States Judge Vince Chhabria to pay a fine of $250,000.

Baratov had previously admitted his role in the 2014 Yahoo data breach that compromised about 500 million Yahoo user accounts. His role was to "hack webmail accounts of individuals of interest to the FSB," Russia's spy agency.

In November, Baratov pleaded guilty to a total of nine counts, including one count of conspiring to violate the Computer Fraud and Abuse Act, and eight counts of aggravated identity theft.

According to the US Justice Department, Baratov and his co-defendant hacker Alexsey Belan worked for two agents—Dmitry Dokuchaev and Igor Sushchin—from the FSB (Federal Security Service) to compromise the accounts.

The Justice Department announced charges for all of the four people in March last year, which resulted in the arrest of Baratov in Toronto at his Ancaster home and then his extradition to the United States.

However, Belan—who is already on the FBI's Most Wanted Hackers list—and both FSB officers currently reside in Russia, due to which they are unlikely to face the consequences for their involvement.

Baratov ran an illegal no-questions-asked hacking service from 2010 until his arrest in March 2017, wherein he charged customers around $100 to obtain another person's webmail password by tricking them to enter their credentials into a fake password reset page.

According to the court documents, Baratov managed to crack more than 11,000 email accounts in both Russia as well as the United States before the Toronto Police Department caught him.

As part of his plea, Baratov admitted to hacking thousands of webmail accounts of individuals for seven years and send those accounts' passwords to Russian spy Dokuchaev in exchange for money.

The targeted attack allowed the four to gain direct access to Yahoo's internal networks, and once in, co-defendant hacker Belan started poking around the network.

According to the FBI, Belan discovered two key assets:

• Yahoo's User Database (UDB) – a database containing personal information about all Yahoo users.
• The Account Management Tool – an administrative tool used to make alterations to the targeted accounts, including their passwords.

Belan then used the file transfer protocol (FTP) to download the Yahoo's UDB, which included password recovery emails and cryptographic values unique to each Yahoo account, eventually enabling Belan and Baratov to access specific accounts of interest to the Russian spies.

According to Baratov's lawyers, at the time of the crime, Baratov had no idea he was working with Russian FSB agents.