WordPress Update Breaks Automatic Update Feature—Apply Manual Update
9.2.2018 thehackernews Vulnerebility
WordPress administrators are once again in trouble.
WordPress version 4.9.3 was released earlier this week with patches for a total 34 vulnerabilities, but unfortunately, the new version broke the automatic update mechanism for millions of WordPress websites.
WordPress team has now issued a new maintenance update, WordPress 4.9.4, to patch this severe bug, which WordPress admins have to install manually.
According to security site WordFence, when WordPress CMS tries to determine whether the site needs to install an updated version, if available, a PHP error interrupts the auto-update process.
If not updated manually to the latest 4.9.4 version, the bug would leave your website on WordPress 4.9.3 forever, leaving it vulnerable to future security issues.
Here's what WordPress lead developer Dion Hulse explained about the bug:
"#43103-core aimed to reduce the number of API calls which get made when the auto-update cron task is run. Unfortunately, due to human error, the final commit didn't have the intended effect and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error was not discovered before 4.9.3's release—it was a few hours after release when discovered."
The issue has since been fixed, but as reported, the fix will not be installed automatically.
Thus, WordPress administrators are being urged to update to the latest WordPress release manually to make sure they'll be protected against future vulnerabilities.
To manually update their WordPress installations, admin users can sign into their WordPress website and visit Dashboard→Updates and then click "Update Now."
After the update, make sure that your core WordPress version is 4.9.4.
However, not all websites being updated to the faulty update have reported seeing this bug. Some users have seen their website installed both updates (4.9.3 and 4.9.4) automatically.
Moreover, the company released two new maintenance updates this week, but none of them includes a security patch for a severe application-level DoS vulnerability disclosed last week that could allow anyone to take down most WordPress websites even with a single machine.
Since WordPress sites are often under hackers target due to its wide popularity in the content management system (CMS) market, administrators are advised to always keep their software and plugins up-to-date.
New Point-of-Sale Malware Steals Credit Card Data via DNS Queries
9.2.2018 thehackernews Virus
Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.
A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.
Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS.
Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of HTTP that has been used by most POS malware in the past. This malware is also thought to be first of its kind.
Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while transferring stolen payment card data pass firewalls and other security controls.
"We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of 'unusual' DNS requests," Forcepoint researchers said in a blogpost published Thursday.
"Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware."
The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.
It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.
Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disable if find any. The researchers say it's unclear "at present whether this is a reflection of the malware still being in a relatively early stage of development/testing."
Although there is no evidence of the UDPoS malware currently being in use to steal credit or debit card data, the Forcepoint's tests have shown that the malware is indeed capable of doing so successfully.
Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.
It should be noted that the attackers behind the malware have not been compromised the LogMeIn service itself—it's just impersonated. LogMeIn itself published a blogpost this week, warning its customers not to fall for the scam.
"According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name," LogMeIn noted.
"This link, file or executable isn't provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You'll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update."
According to Forcepoint researchers, protecting against such threat could be a tricky proposition, as "nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications," but DNS is still often treated differently, providing a golden opportunity for hackers to leak data.
Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to conduct malicious PowerShell commands on compromised computers, making the malware difficult to detect onto targeted systems.
A vulnerable driver: lesson almost learned
9.2.2018 Kaspersky Vulnerebility
How not to use a driver to execute code with kernel privileges
Recently, we started receiving suspicious events from our internal sandbox Exploit Checker plugin. Our heuristics for supervisor mode code execution in the user address space were constantly being triggered, and an executable file was being flagged for further analysis. At first, it looked like we’d found a zero-day local privilege escalation vulnerability for Windows, but the sample that was triggering Exploit Checker events turned out to be the clean signed executable GundamOnline.exe, part of the multiplayer online game Mobile Suit Gundam Online from BANDAI NAMCO Online Inc.
The initial sample is packed using a custom packer and contains anti-analysis techniques that complicate static analysis. For example, it tries to detect if it’s being launched inside a virtual machine by performing a well-known VMware hypervisor detection routine. It first loads the EAX register with the hypervisor magic value VMXh, and the ECX register with the value 0x0A, which is a special command to receive the hypervisor version. Then it performs an ‘in’ command to the VMware hypervisor I\O port 0x5658. If the EBX register is overwritten with VMXh as a result of that operation, it means the executable file is running on the VMware machine.
Our sandbox execution logs showed that the user space memory page is called from the driver bandainamcoonline.sys immediately after IOCTL request 0xAA012044 to device object \\.\Htsysm7838 that is created by the driver. The driver itself is installed just before that. It is first dropped to the directory C:\Windows\SysWOW64\ by a GundamOnline executable, loaded using NtLoadDriver() and deleted immediately afterwards.
Normally, this kind of behavior should not be allowed due to SMEP (Supervisor Mode Execution Prevention). This is a security feature present on the latest Intel processors that restricts supervisor mode execution on user memory pages. Page type is determined using the User/Supervisor flag in the page table entry. If a user memory page is called while in supervisor execution mode, SMEP generates an access violation exception and, as a result, the system will trigger a bug check and halt. This is commonly referred to as a BSOD.
The dropped driver itself is a legitimate driver, signed with a certificate issued to NAMCO BANDAI Online Inc.
The certificate validity period tells us two things. First, this certificate has been valid since 2012, which could mean that the first vulnerable version of the driver was released around the same time. However, we were unable to find one; the earliest sample of bandainamcoonline.sys that we found dates back to November 2015. Secondly, because it expired more than three years ago, you could be forgiven for thinking it’s impossible to install a driver signed with this certificate in a system. Actually, there’s nothing stopping you from installing and loading a driver with an expired certificate validity period.
In order to find the cause of the heuristics trigger, we need to do a static analysis of the driver itself. In the DriverEntry function it first decodes the device object name string in memory, and then creates the device \\.\Htsysm7838. The other two encoded strings – bandainamcoonline and bandainamcoonline.sys – are not used in the driver.
The driver itself is very small and contains only three registered major functions. Function IRP_MJ_DEVICE_CONTROL, which handles requests, accepts only two IOCTLs: 0xAA012044 and 0xAA013044. When called, it checks the size of the input and output buffers and eventually calls the ExecuteUserspaceCode function, passing on the contents of the input buffer to it.
The function ExecuteUserspaceCode performs a single check on the input buffer, which contains a pointer to a user space function or a shellcode, and disables SMEP while saving old CR4 register values. It then calls that function, passing it a pointer to the MmGetSystemRoutineAddress as an argument. After that it restores the original register state, re-enabling SMEP.
To be able to directly call the user function from the provided pointer driver it is necessary to remove a specific bit in the CR4 register first to temporarily stop SMEP, which is what the DisableSMEP function does. The original CR4 values are then restored by the EnableSMEP function.
The vulnerability in this case is that other than the basic checks on the format of the input buffer, no additional checks are done. Therefore, any user on the system can use this driver to elevate their privileges and execute arbitrary code in the Ring 0 of the OS. Even if the driver is not present in the system, an attacker can register it with Windows API functions and exploit the flaw.
We realized that this vulnerability looks exactly like the one found in Capcom’s driver last year.
Binary diffing bandainamcoonline.sys and capcom.sys proves exactly that, showing there are almost no differences between the two drivers. The only slight variations are the encoded strings and digital signatures. Because the earliest sample of the vulnerable driver that we’ve been able to find dates to November 2015, it can be assumed that this vulnerability first appeared in the bandainamcoonline.sys driver – almost a year before a similar driver was used by Capcom.
We believe both drivers were almost certainly compiled from the same source code, as a part of an anti-hacking solution to prevent users from cheating in the game. The presence of functions that implicitly disable and re-enable SMEP show that this design decision was intentional. But because the driver makes no additional security checks, any user can call and exploit the vulnerable IO control code by using Windows APIs such as DeviceIoControl(). This essentially makes the driver a rootkit, allowing anyone to interact with the operating system at the highest privilege level. In fact, we found multiple malware samples (already detected by our products) using a previously known vulnerability in capcom.sys to elevate their privileges to System level.
After finding the vulnerability we contacted BANDAI NAMCO Online Inc. The vendor responded promptly and released a patch three days later. They removed the driver altogether, and it is no longer loaded by the game executable. This is very similar to what Capcom did, and is perfectly acceptable in this case.
Finding this vulnerability wouldn’t have been possible without our Exploit Checker technology, which is a plugin for our sandbox, and can be also found in KATA (Kaspersky Anti Targeted Attack Platform). The technology was designed to monitor suspicious events that occur at the earliest post-exploitation phases and can detect common techniques used in exploits, such as ROP, Heap Spray, Stack Pivot, and so on. In this particular case, multiple heuristics for executing code in supervisor mode in the user address space were triggered, and the sample was flagged for further analysis. If a token-swapping attempt was performed to elevate process privileges, a technique that’s widely used in LPE exploits, it would have been automatically detected by Exploit Checker heuristics.
Kaspersky Lab solutions detect the vulnerable drivers mentioned in this article as HEUR:HackTool.Win32.Banco.a and HEUR:HackTool.Win32.Capco.a.
Zerodium Offers $45,000 for Linux 0-Days
9.2.2018 securityweek IT
Hackers willing to find unpatched vulnerabilities in the Linux operating system and report them to exploit acquisition firm Zerodium can earn up to $45,000 for their findings, the company announced on Thursday.
The company has been long acquiring vulnerabilities in Linux as part of its normal payouts program, but it would normally pay only up to $30,000 for Local Privilege Escalation flaws in the operating system. Until March 31, 2018, however, such flaws can earn hackers up to 50% more, Zerodium said on Twitter.
Zerodium
✔
@Zerodium
Got a Linux LPE? Working with default installations of Ubuntu, Debian, CentOS/RHEL/Fedora? We are increasing our payouts to $45,000 per #0day exploit until March 31st, 2018. To submit, please check: https://zerodium.com/submit.html
4:03 PM - Feb 8, 2018
46
43 people are talking about this
Twitter Ads info and privacy
Zerodium claims that hackers who submit valid zero-day vulnerabilities in products of interest would receive payment for their efforts within a week after the initial submission.
The exploit acquisition firm is targeting vulnerabilities in the most commonly used Linux distributions and interested hackers can head over to its website to learn specific information on what is considered an eligible submission.
The payments promised for Linux vulnerabilities, however, aren’t the highest the company offers.
On desktop platforms, remote code execution flaws in Windows can earn the reporting hacker up to $300,000. Those who discover unpatched vulnerabilities in mobile operating systems can make up to $1,500,000, if the bug affects Apple’s iOS platform.
In fact, Zerodium is already known to have paid a group of hackers $1 million for a zero-day in iOS.
In August 2017, Zerodium announced it was prepared to pay up to $500,000 for unpatched vulnerabilities in popular instant messaging and email applications. The offer remains active in its current program.
In September last year, the company announced it was willing to pay up to $1 million for zero-day flaws in the Tor Browser. The “bounty” program ended in December 2017, but Zerodium wouldn’t provide information on the results of the operation.
Once in the possession of vulnerabilities it considers of interest, the company sells them to its customers as part of the Zerodium Zero-Day Research Feed. The company also says it analyzes, aggregates, and documents the acquired security intelligence before offering it, along with protective measures and security recommendations, to its clients.
New PoS Malware Family Discovered
9.2.2018 securityweek Virus
Researchers have discovered a new Point of Sale (POS) malware. They cannot tell yet whether it is new code still being developed, or already used -- complete with coding errors -- in an undetected campaign. They suspect the latter.
PoS malware has been responsible for a number of high profile data breaches over the last few years, including Hyatt Hotels, Chipotle Mexican Grill, Avanti Markets, and Sonic Drive-In. The growing use of EMV (chip & pin) payment cards in the U.S. makes card-present fraud more difficult. It was always expected that this would drive criminals towards card-not-present (that is, online) fraud; making the online theft of card details more attractive.
Forcepoint researchers Robert Neumann and Luke Somerville described the malware in a blog analysis posted today. "This appears to be a new family which we are currently calling 'UDPoS' owing to its heavy use of UDP-based DNS traffic." The researchers are not overly impressed by the quality of the coding, describing it as 'a flawed gem' -- where 'flawed' refers to the coding and 'gem' to the excitement of discovering a new needle in the haystack of old malware.
The malware uses a 'LogMeIn' theme as camouflage. The C2 server is service-logmeln.network (with an 'L' rather than an 'I') hosting the dropper file, update.exe. This is a self-extracting 7-Zip archive containing LogmeinServicePack_5.115.22.001.exe and logmeinumon.exe. The former, the service component of the malware, is run automatically by 7-Zip on extraction.
This service component is responsible for setting up its own folder, and establishing persistence. It then passes control to the second, or monitoring, component by launching logmeinumon.exe. The two components have a similar structure, and use the same string encoding technique to hide the name of the C" server, filenames and hard-coded process names.
The monitor component creates five different threads after attempting an anti-AV and virtual machine check and either creating or loading an existing ‘Machine ID'. The Machine ID is used in all the malware's DNS queries. The anti-AV/VM process is flawed, attempting to open only one of several modules.
When first run, the malware generates a batch file (infobat.bat) to fingerprint the infected device, with details written to a local file before being sent to the C2 server via DNS. The precise reason for this is unclear, but the researchers note, "The network map, list of running processes and list of installed security updates is highly valuable information."
Deeper analysis of the malware revealed a process designed to collect Track 1 and Track 2 payment card data by scraping the memory of running processes. "These processes," say the researchers, "are checked against an embedded and pre-defined blacklist of common system process and browser names with only ones not present on the list being scanned."
If any Track 1/2 data is found, it is sent to the C2 server. A log is also created and stored, "presumably," say the researchers, "for the purpose of keeping track of what has already been submitted to the C2 server."
When the researchers attempted to find additional samples of the same malware family, all they found was a different service component but without a corresponding monitor component. This one had an 'Intel' theme rather than a 'LogMeIn' theme. It was compiled at the end of September 2017, two weeks before the compilation stamp of October 11, 2017 for the LogMeIn components.
"Whether this is a sign that authors of the malware were not successful in deploying it at first or whether these are two different campaigns cannot be fully determined at this time due to the lack of additional executables," note the authors.
They warn that legacy PoS systems -- which can number thousands in large retailers -- are often based on variations of the Windows XP kernel. "While Windows POSReady is in extended support until January 2019, it is still fundamentally an operating system which is seventeen years old this year."
They urge sysadmins to monitor unusual activity patterns; in this case, DNS traffic. "By identifying and reacting to these patterns, businesses -- both PoS terminal owners and suppliers -- can close down this sort of attack sooner."
Austin, Texas based Forcepoint, originally known as Raytheon/Websense, was created in a $1.9 billion deal involving Raytheon, Websense and Vista Equity Partners in April 2015. It was renamed to Forcepoint in January 2016.
Actor Targeting Middle East Shows Excellent OPSEC
9.2.2018 securityweek Krypto
An actor making extensive use of scripting languages in attacks on targets in the Middle East demonstrates excellent operational security (OPSEC), researchers from Talos say.
As part of these targeted attacks allegedly confidential decoy documents supposedly written by the Jordanian publishing and research house Dar El-Jaleel were used, as well as VBScript, PowerShell, and VBA scripts that would dynamically load and execute functions retrieved from a command and control (C&C) server.
The threat actor(s) was particularly careful to camouflage the infrastructure and used several reconnaissance scripts to check the validity of victim machines. The actor was observed blocking systems that didn't meet their criteria, filtering connections based on their User-Agent strings, and hosting the infrastructure on CloudFlare.
Attacks start with a VBScript designed to create a second stage PowerShell script that would create a Microsoft Office document and to open it. The document was purportedly written by Dar El-Jaleel, an institute well-known for their research of the Palestinian-Israeli conflict and the Sunni-Shia conflict in Iran.
Supposedly a confidential analysis report on Iranian activities within the Syrian civil war, the document contains a macro designed to create a WSF (Windows Script File) file and to execute it. The WSF script, Talos discovered, is the main part of the infection and contains a User-Agent used to identify the targets.
The script first registers the infected system with a command and control server and executes an infinite loop, trying to contact the /search URI every 5 seconds to download and execute payloads.
These payloads are of three types, but all are VBScript functions loaded and executed on the fly using the ExecuteGlobal() and GetRef() APIs, differentiated by the number of arguments supplied: none, one, or two. The security researchers received five different functions, all obfuscated.
A reconnaissance function was received a few minutes after the initial compromise, meant to retrieve information from the infected system: disk volume serial number, installed anti-virus software, Internet IP address, computer name, username, Operating System, and architecture. All data is sent to the C&C. A second reconnaissance function was used to list the drives of the system and their type.
Two functions meant to achieve persistence for the WSF script were received as well: one script was used to persist, while the second was meant to clean the infected system.
The system also received a pivot function, which was meant to execute a PowerShell script. In turn, the script would execute a second base64 encoded script.
One last PowerShell script served to the system was meant to download shellcode from 176[.]107[.]185[.]246 IP, map it in memory, and execute it. While the shellcode wasn’t retrieved during investigation, the process revealed the many precautions the attacker takes before delivering the payload.
The attacker’s C&C is protected by CloudFlare, which makes it difficult to track and analyze the campaign. The researchers noticed that the actor was active during the morning (Central European Time zone), and that payloads were only sent during that time.
Furthermore, the attacker’s server becomes unreachable after serving the shellcode (the firewall is disabled for a few minutes to allow the download to go through). The actor was also observed blacklisting some of the researchers’ specific User-Agent strings and IP addresses.
“This high level of OPSEC is exceptional even among presumed state sponsored threat actors,” Talos notes.
The VBScript used during this campaign shows similarities to Jenxcus (also known as Houdini/H-Worm), but the researchers are not sure whether the actor used “new version of Jenxcus or if this malware served as the inspiration for their own malicious code.”
While Jenxcus’ source code is available on the Internet, the adaptation observed in these attacks is more advanced, with the functions loaded on demand and the initial script including only parts of the code, not all of it.
The security researchers were also able to identify different targets based on the User-Agent and say that targeted campaigns using Dar El-Jaleel decoy documents were observed before. In fact, the same decoy documents were observed in several attacks in 2017, but it is not clear if the same actor is behind all of them.
“These campaigns show us that at least one threat actor is interested in and targeting the Middle East. Due to the nature of the decoy documents, we can conclude that the intended targets have an interest in the geopolitical context of the region,” Talos notes.
Philippine Bank Threatens Counter-Suit Over World's Biggest Cyber-Heist
9.2.2018 securityweek Cyber
The Philippine bank used by hackers to transfer money in the world's biggest cyber heist warned of tit-for-tat legal action Thursday, after Bangladeshi officials said they would sue the lender.
Unidentified hackers stole $81 million from the Bangladesh central bank's account with the US Federal Reserve in New York two years ago, then transferred it to a Manila branch of the Rizal Commercial Banking Corp (RCBC).
The funds were then swiftly withdrawn and laundered through local casinos.
Bangladeshi officials said Wednesday they are readying a case against RCBC for its alleged role in the heist.
One of the officials, Bangladesh's Finance Minister A.M.A Muhith, said last year he wanted to "wipe out" RCBC.
But RCBC maintained the February 2016 cyber-heist was an "inside job" and that the Philippine bank was being used as a scapegoat to hide the real culprits.
RCBC, one of the Philippines' largest banks, charged that Bangladeshi officials were hiding their own findings into the crime, possibly to conceal the involvement of their own officials in the heist.
"RCBC has had it and will consider a lawsuit against Bangladesh Central Bank officials for claiming the bank had a hand in the $81M cyber-heist," the Philippine lender said in a statement.
"They are perpetuating the cover-up and using RCBC as a scapegoat to keep their people in the dark," the RCBC statement said.
The Philippine central bank imposed a record $21 million fine on RCBC after the discovery of the heist as it investigated the lender's alleged role in the theft.
Only a small amount of the stolen money has been recovered.
Money-laundering charges were also filed against the RCBC branch manager.
The US reserve bank, which manages the Bangladesh Bank reserve account, has denied its own systems were breached.
Flaws Affecting Top-Selling Netgear Routers Disclosed
9.2.2018 securityweek Vulnerebility
Security firm Trustwave has disclosed the details of several vulnerabilities affecting Netgear routers, including devices that are top-selling products on Amazon and Best Buy.
The flaws were discovered by researchers in March 2017 and they were patched by Netgear in August, September and October.
One of the high severity vulnerabilities has been described as a password recovery and file access issue affecting 17 Netgear routers and modem routers, including best-sellers such as R6400, R7000 (Nighthawk), R8000 (Nighthawk X6), and R7300DST (Nighthawk DST).Vulnerabilities in Netgear Nighthawk routers
According to Trustwave, the web server shipped with these and other Netgear routers has a resource that can be abused to access files in the device’s root directory and other locations if the path is known. The exposed files can store administrator usernames and passwords, which can be leveraged to gain complete control of the device.
An unauthenticated attacker can exploit the flaw remotely if the remote management feature is enabled on the targeted device. Improperly implemented cross-site request forgery (CSRF) protections may also allow remote attacks.
Another high severity flaw affecting 17 Netgear routers, including the aforementioned best-sellers, can be exploited by an attacker to bypass authentication using a specially crafted request. Trustwave said the vulnerability can be easily exploited.
A flaw that can be exploited to execute arbitrary OS commands with root privileges without authentication has also been classified as high severity. Trustwave said command injection is possible through a chained attack that involves a CSRF token recovery vulnerability and other weaknesses.
Two other command injection vulnerabilities have been found by Trustwave researchers, but they have been rated medium severity and they only affect six Netgear router models.
One of the flaws requires authentication, but experts pointed out that an attacker can execute arbitrary commands after bypassing authentication using the aforementioned authentication bypass vulnerability.
The other medium severity command injection is related to the Wi-Fi Protected Setup (WPS). When a user presses the WPS button on a Netgear router, a bug causes WPS clients to be allowed to execute arbitrary code on the device with root privileges during the setup process.
“In other words, if an attacker can press the WPS button on the router, the router is completely compromised,” Trustwave said in an advisory.
Netgear has put a lot of effort into securing its products, especially since the launch of its bug bounty program one year ago. In 2017, the company published more than 180 security advisories describing vulnerabilities in its routers, gateways, extenders, access points, managed switches, and network-attached storage (NAS) products.
VMware Addresses Meltdown, Spectre Flaws in Virtual Appliances
9.2.2018 securityweek Vulnerebility
VMware has started releasing patches and workarounds for the Virtual Appliance products affected by the recently disclosed CPU vulnerabilities known as Meltdown and Spectre.
According to an advisory published on Thursday, Meltdown and Spectre impact several VMware Virtual Appliances, including vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC) and vRealize Automation (vRA).
VMware has so far released a patch only for its VIC product, and workarounds have been made available for UM, vIDM, vCSA, and vRA. vCSA 5.5 is not affected, and neither patches nor workarounds have been released for VDP.
VMware has released separate advisories describing the specific workarounds for each product. The company advised users not to apply workarounds to other products than the one they are intended for, and pointed out that the workarounds are only meant to be a temporary solution until permanent fixes become available.
The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data. Billions of devices using Intel, AMD, ARM, Qualcomm and IBM processors are affected.
Intel started releasing microcode updates for its processors shortly after the flaws were disclosed, but the company decided to halt updates due to frequent reboots and unpredictable system behavior.
Following Intel’s announcement, VMware informed customers that it had decided to delay new releases of microcode updates for its ESXi hypervisor until the chipmaker addresses problems.
Intel announced this week that it has identified the root of an issue that caused systems to reboot more frequently and started releasing a new round of patches.
Intel and AMD told customers that their future products will include built-in protections for exploits such as Specter and Meltdown.
A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations
9.2.2018 securityweek Vulnerebility
Security expert Paulos Yibelo has discovered a vulnerability in Hotspot Shield VPN from AnchorFree that can expose locations of the users.
Paulos Yibelo, a security researcher, has discovered a vulnerability that can expose users and locations around the globe compromising their anonymity and privacy. The company has about 500 million users globally.
VPN services providers are used nowadays to protect the identity of individual users and against the eavesdropping of their browsing habits. In countries like North Korea and China they are popular among political activists or dissidents where internet access is restricted because of censorship or heavily monitored once these services hide the IP addresses of the real users, that can be used to locate the person real address.
The Great Firewall of China is an example. Locating a Hotspot Shield user in a rogue country could pose a risk to their life and their families.
The VPN Hotspot Shield developed by AnchorFree to secure the connection of users and protect their privacy contained flaws that allow sensitive information disclosure such as the country, the name of WIFI network connection and the user’s real IP address, according to the researcher.
“By disclosing information such as Wi-Fi name, an attacker can easily narrow down or pinpoint where the victim is located, you can narrow down a list of places where your victim is located”. states Paulos Yibelo.
The vulnerability CVE-2018-6460 was published without a response from the company on Monday, but on Wednesday a patch was released to address the issue. The vulnerability is present on the local web server (127.0.0.1 on port 895) that Hotspot Shield installs on the user’s machine.
“http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected to what and what their real IP address is & other system juicy information. There are other multiple endpoints that return sensitive data including configuration details.” continues the researcher.
“While that endpoint is presented without any authorization, status.js is actually a JSON endpoint so there are no sensitive functions to override, but when we send the parameter func with $_APPLOG.Rfunc, it returns that function as a JSONP name. We can obviously override this in our malicious page and steal its contents by supplying a tm parameter timestamp, that way we can provide a logtime“.
Once running, the server hosts multiple JSONP endpoints, with no authentication requests and also with responses that leak sensitive information pertaining the VPN service, such as the configuration details. The researcher released a proof of concept (PoC) for the flaw, however, the reporter Zack Whittaker, from ZDNET, independently verified that flaw revealed only the Wi-Fi network name and the country, not the real IP address.
The company replied to the researcher allegation:
“We have found that this vulnerability does not leak the user’s real IP address or any personal information, but may expose some generic information such as the user’s country. We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information”.
Sources:
https://threatpost.com/hotspot-shield-vulnerability-could-reveal-juicy-info-about-users-researcher-claims/129817/
https://www.helpnetsecurity.com/2018/02/07/hotspot-shield-vpn-flaw/
https://irishinfosecnews.wordpress.com/2018/02/07/hotspot-shield-vulnerability-could-reveal-juicy-info-about-users-researcher-claims/
http://www.zdnet.com/article/privacy-flaw-in-hotspot-shield-can-identify-users-locations/
http://www.ubergizmo.com/2018/02/security-flaw-hotspot-shield-vpn-expose-users/
https://betanews.com/2018/02/07/hotspot-shield-vpn-flaw/
https://thehackernews.com/2018/02/hotspot-shield-vpn-service.html
http://www.securitynewspaper.com/2018/02/07/flaw-hotspot-shield-can-expose-vpn-users-locations/
http://seclists.org/fulldisclosure/2018/Feb/11
https://blogs.securiteam.com/index.php/archives/3604
http://www.paulosyibelo.com/2018/02/hotspot-shield-cve-2018-6460-sensitive.html
US authorities dismantled the global cyber theft ring known as Infraud Organization
9.2.2018 securityaffairs Cyber
The US authorities have dismantled a global cybercrime organization tracked Infraud Organization involved in stealing and selling credit card and personal identity data.
The US authorities have taken down a global cybercrime organization, the Justice Department announced indictments for 36 people charged with being part of a crime ring specialized in stealing and selling credit card and personal identity data.
According to the DoJ, the activities of the ring tracked as ‘Infraud Organization’, caused $530 million in losses. The group is active since 2010, when it created in Ukraine by Svyatoslav Bondarenko.
Bondarenko remains at large, but Russian co-founder Sergey Medvedev has been arrested by the authorities.
Most of the crooks were arrested in the US (30), the remaining members come from Australia, Britain, France, Italy, Kosovo, and Serbia.
The indicted leaders of the organization included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.
The motto of the Infraud Organization was “In Fraud We Trust,” it has a primary role in the criminal ecosystem as a “premier one-stop shop for cybercriminals worldwide,” explained the Deputy Assistant Attorney General David Rybicki.
“As alleged in the indictment, Infraud operated like a business to facilitate cyberfraud on a global scale,” said Acting Assistant Attorney General John Cronan.
The platform offered a privileged aggregator for criminals (10,901 approved “members” in early 2017) that could buy and sell payment card and personal data.
“Members ‘join the Infraud Organization via an online forum. To be granted
membership, an Infraud Administrator must approve the request. Once granted
membership, members can post and pay for advertisements within the Infraud forum. Members may move up and down the Infraud hierarchy.” said the indictment.
“The Infraud Organization continuously screens the wares and services of the vendors within the forum to ensure quality products. Vendors who are considered subpar are swiftly identified and punished by the Infraud Organization’s Administrators.”
The Infraud Organization used a number of websites to commercialize the data, it implemented a classic and efficient e-commerce for the stolen card and personal data, implementing also a rating and feedback system and an escrow” service for payments in digital currencies like Bitcoin.