Alerts

A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE software framework that could allow maliciously crafted .desktop and .directory files to silently run arbitrary code on a user’s computer, without even requiring the victim to open the file.

KDE Plasma is one of the most popular open-source widget-based desktop environments for Linux users and comes as the default desktop environment on many Linux distributions, such as Manjaro, openSUSE, Kubuntu, and PCLinuxOS.

Security researcher Dominik Penner, who discovered the vulnerability, reported that the KDE 4/5 Plasma desktop contains a command injection vulnerability due to the way KDE handles .desktop and .directory files.

“When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function,” Penner said.

Read more »

Earlier this year, researchers disclosed clipboard hijacking and path-traversal issues in Microsoft’s built-in Windows RDP client that could allow a malicious RDP server to compromise the connecting client computer, reversing the usual direction of attack.

When researchers responsibly reported the path-traversal issue to Microsoft in October 2018, the company acknowledged the issue but decided not to address it.

Now, it turns out that Microsoft silently patched this vulnerability (CVE-2019-0887) just last month as part of its July Patch Tuesday updates, after Eyal Itkin, a security researcher at Check Point, found that the same issue also affects Microsoft’s Hyper-V technology.

Microsoft’s Hyper-V is a virtualization technology built into the Windows operating system that enables users to run multiple operating systems at the same time as virtual machines. Microsoft’s Azure cloud service also uses Hyper-V for server virtualization.

Read more »

The same team of cybersecurity researchers who, a few months ago, discovered several severe vulnerabilities, collectively dubbed Dragonblood, in the newly launched WPA3 WiFi security standard has now uncovered two more flaws that could allow attackers to recover WiFi passwords.

WPA, or WiFi Protected Access, is a WiFi security standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.

The WiFi Protected Access III (WPA3) protocol was launched a year ago in an attempt to address, from the ground up, the technical shortcomings of the WPA2 protocol, which has long been considered insecure and was found vulnerable to the more severe KRACK attacks.

WPA3 relies on a more secure handshake, called SAE (Simultaneous Authentication of Equals) and also known as Dragonfly, which aims to protect WiFi networks against offline dictionary attacks.

However, in less than a year, security researchers Mathy Vanhoef and Eyal Ronen found several weaknesses (Dragonblood) in the early implementation of WPA3, allowing an attacker to recover WiFi passwords by abusing timing or cache-based side-channel leaks.

Shortly after that disclosure, the WiFi Alliance, the non-profit organization that oversees the adoption of the WiFi standard, released patches to address the issues and published security recommendations to mitigate the initial Dragonblood attacks.

But it turns out that those security recommendations, which were created privately without collaborating with the researchers, are not enough to protect users against the Dragonblood attacks. Instead, they open up two new side-channel attacks that once again allow attackers to steal your WiFi password even if you are using the latest version of the WiFi protocol.

Read more »

Two serious vulnerabilities in Qualcomm’s Snapdragon system-on-a-chip (SoC) WLAN firmware could be leveraged to compromise the modem and the Android kernel over the air.

The flaws were found in the WLAN component of Qualcomm’s Snapdragon 835 and 845. The tests were performed on Google Pixel 2 and 3, but any unpatched phone running one of the two SoCs is vulnerable.

Critical and high-severity bugs

Security researchers from Tencent’s Blade team found that one of the vulnerabilities (CVE-2019-10538, with a high severity rating) allows attackers to compromise the WLAN and the chip’s modem over the air.

The second one is a buffer overflow tracked as CVE-2019-10540; it received a critical severity rating, and an attacker can exploit it to compromise the Android kernel from the WLAN component.

The researchers informed both Google and Qualcomm about the flaws. Exploitation is currently possible only on Android phones that have not been patched with the latest security updates, which rolled out today.

Qualcomm on June 3 published a security bulletin to original equipment manufacturers (OEMs) to allow them to prepare the Android update for their devices.

The chip maker advises “end users to update their devices as patches become available from OEMs.”

Despite patches being available, a large number of phones are likely to remain vulnerable for a long time, as many devices may no longer be eligible for updates from their vendor.

Also, not all makers are ready to push the Android update when Google releases it. It is common to see security updates for phones still supported by their maker reach devices weeks late.

Read more »

Turla, also known as Venomous Bear, Waterbug, and Uroboros, is a Russian-speaking threat actor known since 2014, but with roots that go back to 2004 and earlier. It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South America, and former Soviet bloc nations.

2019 has seen the Turla actor actively renew its arsenal. Its developers are still using a familiar coding style, but they’re creating new tools. Here we’ll tell you about several of them, namely “Topinambour” (aka Sunchoke – the Jerusalem artichoke) and its related modules. We didn’t choose to name it after a vegetable; the .NET malware developers named it Topinambour themselves.

The new modules were used in an active campaign that started at the beginning of 2019. As usual, the actor targeted governmental entities. The role of the .NET module is to deliver the known KopiLuwak JavaScript Trojan. Moreover, this actor now also has a heavily obfuscated PowerShell Trojan that is similar to KopiLuwak. Among the control servers there are several legitimate but compromised WordPress websites with the actor’s .php scripts on them.

This time, the developers left some Easter eggs for the targets and researchers. The .NET modules include amusing strings such as “TrumpTower” as an initial vector for RC4 encryption. “RocketMan!” (probably a reference to Donald Trump’s nickname for Kim Jong Un) and “MiamiBeach” serve as the first beacon messages from the victim to the control server.

Read more »