Misconfigured Jenkins Servers Leak Sensitive Data
19.1.2018 securityweek Analysis
A researcher has conducted an analysis of Jenkins servers and found that many of them leak sensitive information, including ones belonging to high-profile companies.

London-based researcher Mikail Tunç used the Shodan search engine to find Jenkins servers accessible from the Internet and discovered roughly 25,000 instances.

The expert analyzed approximately half of them and determined that 10-20% were misconfigured. He spent weeks manually validating the issues he discovered and notifying affected vendors.

Jenkins is an open source automation server used by software developers for continuous integration and delivery. Since the product is typically linked to a code repository such as GitHub and a cloud environment such as AWS or Azure, failure to configure the application correctly can pose a serious security risk.

Some of the misconfigured systems discovered by Tunç provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account. Some Jenkins servers used a SAML/OAuth authentication system linked to Github or Bitbucket, but they allowed any GitHub or Bitbucket account to log in rather than just accounts owned by the organization.

Tunc said a vast majority of the misconfigured Jenkins servers leaked some type of sensitive information, including credentials for private source code repositories, credentials for deployment environments (e.g. usernames, passwords, private keys and AWS tokens), and job log files that included credentials and other sensitive data.

One of the exposed Jenkins instances, which leaked sensitive tokens, belonged to Google, but the tech giant quickly addressed the issue after being informed via its bug bounty program.

The researcher also named several major UK-based companies, including Transport for London, supermarkets Sainsbury’s and Tesco, credit checking company ClearScore, educational publisher Pearson, and newspaper publisher News UK. Some of these companies allegedly exposed highly sensitive data, but Tunç said he often had difficulties in responsibly disclosing his findings.

“I want to make it absolutely clear that I did not exploit any vulnerabilities to gain access to Jenkins servers – I simply walked through the front door which was visible to the world, then told the owners to close said front door,” the researcher noted in a blog post.

While Tunç received products, vouchers and thanks for his work from the companies he alerted, misconfigured Jenkins instances can be highly problematic and some vendors have paid significant bug bounties for such security holes.

A few months ago, two researchers reported earning a total of $20,000 from Snapchat after finding exposed Jenkins instances that allowed arbitrary code execution and access to sensitive data.

Experts uncovered a new campaign abusing FTP servers to deliver Dridex Banking Trojan
19.1.2018 securityaffairs Virus

Security researchers at Forcepoint have spotted a new spam campaign that is abusing compromised FTP servers as a repository for malicious documents and infecting users with the Dridex banking Trojan.
The Dridex banking Trojan is a long-running malware that has been continuously improved across the years.

The malicious email campaign was first noticed by Forcepoint on January 17, 2018, the messages were primarily sent to .com top level domains (TDLs) most of them in France, the UK, and Australia.

“The sender domains used are observed to be compromised accounts. The sender names rotated around the following names, perhaps to make the emails look more convincing to unsuspecting recipients: admin@, billing@, help@, info@, mail@, no-reply@, sale@, support@, ticket@.” reads the analysis published by Forcepoint.

Attackers used at least two types of weaponized documents, one of them is a Word document abusing DDE protocol for malware execution, and an XLS file with macro code that download the Dridex banking Trojan from a compromised server.

According to the experts, the attackers obtained in some way the login credentials to compromise the servers used in this campaign.

“The compromised servers do not appear to be running the same FTP software; as such, it seems likely that the credentials were compromised in some other way.” states Forcepoint.

“The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable,”

The experts believe the campaign is leveraging the infamous Necurs botnet to send out spam messages, researchers noticed that downloaders used by attackers are similar to those used by the botnet before.

Forcepoint highlighted that the spam volume associated with this campaign was very low compared to other Necurs campaigns, attackers sent only 9,500 emails, it is very low respect millions of emails sent through the botnet in other campaigns.

Another peculiarity of this campaign is the use of FTP servers for download the malware.

“Cybercriminals constantly update their attack methods to try and ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations. The presence of FTP credentials in the emails highlights the importance of regularly updating passwords,” Forcepoint concluded.

Forcepoint report included IoCs for this campaign.

Health South East RHF data breach exposed health records for half of Norway’s Population
19.1.2018 securityaffairs BigBrothers

On January 8, the Health South East RHF, that is the healthcare organization that manages hospitals in Norway’s southeast region disclosed a major security breach.
On January 8, the Health South East RHF, that is the healthcare organization that manages hospitals in Norway’s southeast region (countries of Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder), disclosed a security breach that may have exposed sensitive data belonging to more than half of the population.

The incident was announced by the national healthcare security centre HelseCERT that detected an abnormal activity against computer systems in the region. HelseCERT notified the incident to local authorities as well as NorCERT.

“We are in a phase where we try to get an overview. It’s far too early to say how big the attack is. We are working to acquire knowledge of all aspects,” Kjetil Nilsen, director of NorCERT, the National Security Authority (NSM) told Norwegian media outlet VG.

“Everything indicates that it is an advanced player who has the tools and ability to perform such an attack. It can be advanced criminals. There is a wide range of possibilities,”

According to the HelseCert, the security breach is the result of an attack conducted by ‘advanced’ and ‘professional’ hackers.

Authorities announced important measures to limit the damage caused by the security breach.

“A number of measures have been implemented to remove the threat, and further measures will be implemented in the future,” announced Norway’s Ministry of Health and Care in a statement.

“This is a serious situation and measures have been taken to limit the damage caused by the incident,” reads a joint statement published by Health South East RHF and Sykehuspartner HF.

The hospitals in the region currently serve 2.9 million inhabitants, that correspond to 56 percent of the overall population composed of 5.2 million citizens.

Health records are a precious commodity in the cybercrime underground, but are also considered by nation-state actors a mine of data that could be used in further attacks. Experts and government representatives believe that the data breach suffered by the Health South-East RHF could be the result of a cyber espionage campaign conducted by a foreign state interested in gathering data related to people who work in government, military, intelligence personnel, and politicians.

The VG newspaper reported that Health South East hired Hewlett Packard Enterprise in the autumn of 2016 to modernize computer systems in the healthcare company, but the project was suspended because NRK revealed poor control of access to patient data.

The Health South East RHF data breach seems to be not related to the above project, as confirmed by CEO Cathrine Lofthus.

“We have investigated that is important to us. We do not see any connection between this attack and that project, “says Lofthus.

chaiOS Bug can crash iMessage App on any iPhone and macOS with a simple link
19.1.2018 securityaffairs Apple

The software developer Abraham Masri has discovered a new bug, dubbed ‘chaiOS’ that could be exploited to crash a target’s iMessage application.
The researcher and software developer Abraham Masri has discovered a new bug, dubbed ‘chaiOS Text Bomb’ that could be exploited to crash recipient’s iMessage application in a continuous loop.

Abraham Masri
@cheesecakeufo
👋 Effective Power is back, baby!

chaiOS bug:
Text the link below, it will freeze the recipient's device, and possibly restart it. http://iabem97.github.io/chaiOS

⚠️ Do not use it for bad stuff.
----
thanks to @aaronp613 @garnerlogan65 @lepidusdev @brensalsa for testing!

12:00 AM - Jan 17, 2018
133 133 Replies 494 494 Retweets 944 944 likes
Twitter Ads info and privacy
The flaw exploited by the ‘chaiOS Text Bomb’ affects both iOS and macOS, according to researchers at Yalu Jailbreak, the bug is currently compatible up till iOS 11.1.2 firmware, this means that it affects iMessage apps on macOS High Sierra, iOS 10 to 10.3.3, and iOS 11 to 11.2.1.

The exploitation of the issue is very simple, an attacker just needs to send a link to a web page hosting a JavaScript code that attempts to send an SMS message. The iMessage application fails to properly handle the code triggering the crash of the app. In some cases, it has been observed that the iMessage app enters a continuous reboot loop.

A proof-of-concept page has been put together by Masri and shared on Twitter yesterday, but the page has been removed from GitHub due to potential abuses, anyway, a new mirror has been already added.

“chaiOS is a malicious iOS bug that can cause the target device to freeze, respring, drain the battery, and possibly kernel panic. It is developed by the eminent jailbreak developer, Abraham Masri.

Here are the known after-effects once someone opens the malicious link.

The stock Messages app goes completely blank.
Messages app crashes instantly after opening.
Slowdown the target device.
It weighs around 7MB and loads some the exploit into user’s browser window and then crashes it.” states Yalu Jailbreak.

Below is a video PoC of the exploitation of the bug:

Researchers observed that the chaiOS Text Bomb can also affect Windows systems, it can also crash Chrome and Firefox web browsers.

The download link to the chaiOS is reported on the following page, but please don’t use it.

https://yalujailbreak.net/chaios/

Below instructions to trigger the bug:

Open the Messages app.
Select the recipient whose device you want to crash.
Send them the aforementioned link. Be sure to include a “/” at the end.
You are done with this now. Just wait for them to open the link in Safari.