Alerts

Microsoft Word documents can potentially smuggle in malicious code using embedded web videos, it is claimed. Opening a booby-trapped file, and clicking on the vid, will trigger execution of the code.

In summary, miscreants can leverage this weakness to potentially trick marks into installing malware on their PCs. It’s useful for hackers preying on non-savvy phishing targets, and the like.

Seeing as there is no official patch for the alleged vulnerability, a workaround is to block files with embedded videos, or use other defenses to prevent dodgy documents from compromising systems and networks.

The alleged flaw was flagged up this week by infosec bods at Cymulate, who claimed a lack of safeguards in the way Redmond’s Office 2016 and earlier handle video material opens a door for remote code execution attacks.

“Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios,” Cymulate CTO Avihai Ben-Yossef claimed on Thursday.

“This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file.”

Delivery

So, it works like this: the attacker creates an otherwise normal Word file and, within the text, embeds an online video from YouTube or any other streaming site – the video itself doesn’t matter, here. From there, the attacker unpacks the resulting Docx file, and edits the document.xml file within.

That XML file, the researchers explained, is where the real danger lies. A miscreant can modify the embeddedHTML parameter to redirect the iframe code of the video to any HTML or JavaScript of their choosing.

The .docx is packed up with the twiddled XML code, and sent to a victim, say, via email. When the file is opened in Word, and the mark tricked into clicking on the video iframe, the malicious XML is parsed, sans security warnings, and its malicious code is executed. This could be used to fool people into installing fake Adobe Flash updates that contain spyware.

Microsoft has yet to comment on the claims, nor has it had a chance to issue a patch or fix, we understand.

In the meantime, to mitigate against this, according to Cymulate, admins can block embedded video or block Word docs that contain an “embeddedHTML” tag. Also, don’t open or trust Word documents from strangers, and don’t run installers that pop up unexpectedly from Office files. ®
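The workaround above, as an added example that is not Cymulate's, Microsoft's or The Register's code: a Python scanner that unpacks a .docx package, looks for the embeddedHtml attribute in any XML part, reports which hosts the embedded iframe points to, and flags anything other than the expected video host. The attribute name and the sample documents are constructed to mirror the shape of Word's online-video markup, and the host allowlist is an assumption for illustration.

```python
"""Flag .docx files carrying an embedded online video (Word's embeddedHtml attribute).
Added example for this page, not Cymulate's or Microsoft's code; the sample documents are constructed."""
import html
import io
import re
import zipfile
from urllib.parse import urlparse

# Word keeps an online video's iframe as escaped HTML inside an XML attribute.
# Matched case-insensitively so embeddedHTML / embeddedHtml spellings are both caught.
EMBEDDED_HTML_RE = re.compile(rb'embeddedHtml\s*=\s*"([^"]*)"', re.IGNORECASE)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)', re.IGNORECASE)

# Hosts a genuine video embed is expected to reference (assumed allowlist for illustration).
EXPECTED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com"}


def scan_docx_bytes(data: bytes) -> list:
    """Return one finding per embeddedHtml attribute found in any XML part of the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            for match in EMBEDDED_HTML_RE.finditer(zf.read(name)):
                markup = html.unescape(match.group(1).decode("utf-8", "replace"))
                hosts = sorted({urlparse(u).hostname or "" for u in SRC_RE.findall(markup)})
                findings.append({
                    "part": name,
                    "hosts": hosts,
                    "has_script": "<script" in markup.lower(),
                    "unexpected_host": any(h not in EXPECTED_VIDEO_HOSTS for h in hosts),
                })
    return findings


def should_block(data: bytes) -> bool:
    """Cymulate's workaround as a policy: any embeddedHtml at all blocks the document."""
    return bool(scan_docx_bytes(data))


def build_sample_docx(document_xml: str) -> bytes:
    """Constructed minimal package: only the parts this scanner looks at, not a full Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed document.xml bodies mirroring the shape of Word's online-video markup.
CLEAN_DOC = "<w:document><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>"
VIDEO_DOC = (
    "<w:document><w:body><w:p><w:r><w:drawing><wp:docPr><a:extLst><a:ext>"
    '<wp15:webVideoPr embeddedHtml="&lt;iframe width=&quot;560&quot; height=&quot;315&quot; '
    'src=&quot;https://www.youtube.com/embed/VIDEO_ID&quot;&gt;&lt;/iframe&gt;" h="315" w="560"/>'
    "</a:ext></a:extLst></wp:docPr></w:drawing></w:r></w:p></w:body></w:document>"
)
# The same file after the video URL has been swapped for an arbitrary page (placeholder host).
TAMPERED_DOC = VIDEO_DOC.replace("https://www.youtube.com/embed/VIDEO_ID",
                                 "https://untrusted.example/page.html")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("video", VIDEO_DOC), ("tampered", TAMPERED_DOC)):
        package = build_sample_docx(doc)
        print(label, "block:", should_block(package), scan_docx_bytes(package))
```

The scanner deliberately does not try to judge the HTML itself: a mail gateway or endpoint rule that drops every document with the attribute, as Cymulate suggests, is simpler and harder to evade than parsing attacker-controlled markup, while the host and script fields give an analyst something to triage when a blocked file turns out to be a legitimate video embed.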

Updated to add

Seems Microsoft won’t be addressing this because, as far as it is concerned, the software is working as expected. “The product is properly interpreting HTML as designed – working in the same manner as similar products,” said Jeff Jones, a senior director at Microsoft.

So, as we suggested, don’t open files or links from suspicious or unknown sources, and don’t click to allow stuff to install if anything weird pops up. Meanwhile, apply defense-in-depth mechanisms, and stop compromises from spreading from a single user to the whole network.


The information contained in this website is for general information purposes only. The information is gathered from The Register. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

The Bitcoin Core development team has released an important update to patch a major DDoS vulnerability in its underlying software that could have been fatal to the Bitcoin Network, which is usually known as the most hack-proof and secure blockchain.

The DDoS vulnerability, identified as CVE-2018-17144, has been found in the Bitcoin Core wallet software, which could potentially be exploited by anyone capable of mining BTC to crash Bitcoin Core nodes running software versions 0.14.0 to 0.16.2.

In other words, Bitcoin miners could have brought down the entire blockchain either by flooding a block with duplicate transactions, blocking transaction confirmation for everyone else, or by flooding the nodes of the Bitcoin P2P network and exhausting their bandwidth.

The vulnerability had been around since March last year, but the team says nobody noticed the bug or nobody was willing to incur the expense of exploiting it.

According to the bitcoin core developers, all recent versions of the BTC system are possibly vulnerable to the Distributed Denial of Service (DDoS) attacks, though there’s a catch—attacking Bitcoin is not cheap.

The DDoS attack on the BTC network would cost miners 12.5 bitcoins, which is equal to almost $80,000 (68,000 Euro), in order to perform successfully.

The Bitcoin Core team has patched the vulnerability and is urging miners to update to the latest Bitcoin Core 0.16.3 version as soon as possible.

“A denial-of-service vulnerability (CVE-2018-17144) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2. It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible,” the vulnerability note reads.

Although the team says that the miners running Bitcoin Core only occasionally are not in danger of such attacks, it would obviously be recommended to upgrade to the latest software version as soon as possible just to be on the safe side.

In addition to the DDoS vulnerability, the latest version also includes patches for a considerable number of minor bugs, related to consensus, RPC and other APIs, invalid error flags, and documentation.

After upgrading to the latest version, a process that will take five minutes to half an hour depending on the processing power of your computer, users should note that the new wallet will have to redownload the entire blockchain.


The information above is gathered from The Hacker News.

The GandCrab v5 ransomware has started to use the recently disclosed Task Scheduler ALPC vulnerability to gain System privileges on an infected computer. This vulnerability was recently patched by Microsoft in the September 2018 Patch Tuesday, but as shown by computers still vulnerable to EternalBlue, businesses can be slow to install these updates.

The Task Scheduler ALPC vulnerability is a 0day exploit that was revealed by a security researcher on Twitter. When used, the vulnerability will allow executables to be executed using System privileges, which allows commands to be executed with full administrative privileges.

GandCrab’s use of this vulnerability was first discovered by a malware analyst named Valthek, who posted about it on Twitter. Valthek has told BleepingComputer that this vulnerability appears to be the same one that security researcher Kevin Beaumont posted in his Github repository.

Valthek further told BleepingComputer that this exploit was most likely being used to perform system level commands such as the clearing of Shadow Volume copies and to dynamically create the ransomware’s wallpaper.

Valthek has also seen some weird behavior in some variants. For example, in one variant the ransomware would not run on Windows XP and Windows Vista, but this has since been resolved in newer variants. Newer variants have also switched from an HTML ransom note to a text ransom note.


Vaccine for GandCrab updated to support v5

Valthek has also released a vaccine that when run on a computer, prevents it from being infected by GandCrab. While this may protect some users, it should be cautioned that the GandCrab developers could just as easily change their program to bypass this vaccine.

The information above is gathered from Bleeping Computer.

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe.

Dubbed LoJax, the UEFI rootkit is part of a malware campaign conducted by the infamous Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, to target several government organizations in the Balkans as well as in Central and Eastern Europe.

Operating since at least 2007, Sednit group is a state-sponsored hacking group believed to be a unit of GRU (General Staff Main Intelligence Directorate), a Russian secret military intelligence agency. The hacking group has been associated with a number of high profile attacks, including the DNC hack just before the U.S. 2016 presidential election.

UEFI, or Unified Extensible Firmware Interface, a replacement for the traditional BIOS, is a core and critical firmware component of a computer, which links a computer’s hardware and operating system at startup and is typically not accessible to users.

How Does LoJax UEFI Rootkit Work?

According to the ESET researchers, the LoJax malware has the ability to write a malicious UEFI module into the system’s SPI flash memory, so that the firmware itself drops and executes malware on the computer’s disk during the boot process.

“This patching tool uses different techniques either to abuse misconfigured platforms or to bypass platform SPI flash memory write protections,” ESET researchers said in a blog post published today.

Since LoJax rootkit resides in the compromised UEFI firmware and re-infects the system before the OS even boots, reinstalling the operating system, formatting the hard disk, or even replacing the hard drive with a new one would not be sufficient to clean the infection.

Flashing the compromised firmware with legitimate software is the only way to remove such rootkit malware, which typically is not a simple task for most computer users.


First spotted in early 2017, LoJax is a trojaned version of LoJack, a popular legitimate laptop anti-theft product from Absolute Software, which installs its agent into the system’s BIOS to survive OS re-installation or drive replacement and notifies the device owner of its location in case the laptop gets stolen.

According to researchers, the hackers slightly modified the LoJack software so that it could overwrite the UEFI module, and changed the background process that communicates with Absolute Software’s server so that it reports to Fancy Bear’s C&C servers instead.

Upon analyzing the LoJax sample, researchers found that the threat actors used a component called “ReWriter_binary” to rewrite vulnerable UEFI chips, replacing the vendor code with their malicious one.

“All the LoJax small agent samples we could recover are trojanizing the exact same legitimate sample of the Computrace small agent rpcnetp.exe. They all have the same compilation timestamp and only a few tens of bytes are different from the original one,” ESET researchers said.

“Besides the modifications to the configuration file, the other changes include timer values specifying the intervals between connections to the C&C server.”

LoJax is not the first code to hide in the UEFI chip, as the 2015 Hacking Team leak revealed that the infamous spyware manufacturer offered UEFI persistence with one of its products.

Also, one of the CIA documents leaked by Wikileaks last year gave a clear insight into the techniques used by the agency to gain ‘persistence’ on Apple devices, including Macs and iPhones, demonstrating their use of EFI/UEFI and firmware malware.

However, according to ESET, the LoJax rootkit installation uncovered by its researchers is the first ever recorded case of a UEFI rootkit active in the wild.

How to Protect Your Computer From Rootkits

As ESET researchers said, there are no easy ways to automatically remove this threat from a system.

Since the LoJax UEFI rootkit is not properly signed, users can protect themselves against infection by enabling the Secure Boot mechanism, which makes sure that each and every component loaded by the system firmware is properly signed with a valid certificate.

If you are already infected with such malware, the only way to remove the rootkit is to reflash the SPI flash memory with a clean firmware image specific to the motherboard, which is a very delicate process that must be performed manually and carefully.

As an alternative to reflashing the UEFI/BIOS, you can replace the motherboard of the compromised system outright.
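The Secure Boot advice above, as an added example that is not ESET's tooling or from the original article: a Python check that reads the SecureBoot and SetupMode variables the way a Linux host exposes them under efivarfs, where each variable file carries a 4-byte attribute word followed by the variable's data. The efivarfs path and the EFI_GLOBAL_VARIABLE GUID are standard; the byte records used for testing are constructed.

```python
"""Report whether UEFI Secure Boot is enforcing, from the variables Linux exposes via efivarfs.
Added example for this page, not ESET's code; SAMPLE_* byte strings are constructed records."""
from pathlib import Path
from typing import Optional

# EFI_GLOBAL_VARIABLE GUID; efivarfs names each variable file "<Name>-<GUID>".
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar_flag(raw: bytes) -> bool:
    """efivarfs prefixes the variable data with a 4-byte little-endian attribute word.
    SecureBoot and SetupMode carry a single data byte: 1 means enabled / in setup mode."""
    if len(raw) < 5:
        raise ValueError(f"efivarfs record too short: {len(raw)} bytes")
    return raw[4] == 1


def read_efivar(name: str, directory: Path = EFIVARS_DIR) -> Optional[bytes]:
    """Return the raw efivarfs record, or None when it cannot be read
    (legacy BIOS boot, efivarfs not mounted, or insufficient permissions)."""
    try:
        return (directory / f"{name}-{EFI_GLOBAL_VARIABLE}").read_bytes()
    except OSError:
        return None


def secure_boot_status(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Classify the platform from the two raw records: unavailable / setup-mode / enabled / disabled."""
    if secure_boot is None:
        return "unavailable"
    # With no platform key enrolled the firmware is in setup mode and cannot enforce
    # signature checks, whatever the SecureBoot byte says.
    if setup_mode is not None and parse_efivar_flag(setup_mode):
        return "setup-mode"
    return "enabled" if parse_efivar_flag(secure_boot) else "disabled"


def check_local_host() -> str:
    """Read both variables from the running system and classify it."""
    return secure_boot_status(read_efivar("SecureBoot"), read_efivar("SetupMode"))


# Constructed records: attribute word 0x06 (BS | RT) followed by the single data byte.
SAMPLE_ENABLED = b"\x06\x00\x00\x00\x01"
SAMPLE_DISABLED = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print("Secure Boot on this host:", check_local_host())
```

This reads what the firmware reports about itself, so it is a hygiene check to run before an incident, not a detection afterwards: a platform whose SPI flash has already been rewritten can misreport its own state, which is exactly why the article says only a reflash or a new motherboard cleans such an infection.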

“The LoJax campaign shows that high-value targets are prime candidates for the deployment of rare, even unique threats. Such targets should always be on the lookout for signs of compromise,” researchers wrote.

For more in-depth details about the LoJax rootkit, you can head to a white paper [PDF], titled “LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group,” published on Thursday by ESET researchers.


The information above is gathered from The Hacker News.

Despite Google’s many efforts to keep malware out of its Play Store, shady apps have once again managed to fool its anti-malware protections and get into the service to infect Android users with malware.

Two such Android apps have recently been spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who have already downloaded them with banking malware.

The apps in question masquerade as a currency exchange app called Currency Converter and a battery saver app called BatterySaverMobi, and use the motion-sensor inputs of infected Android devices to check for movement before installing a dangerous banking Trojan called Anubis.

The malicious Android apps, with a large number of fake five-star reviews, use this clever trick instead of traditional evasion techniques in order to avoid detection when researchers run emulators (which are less likely to use sensors) to detect such malicious apps.

“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data,” the researchers explain in a blog post published Thursday.

“If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”

Once downloaded, the malicious app uses the infected device’s motion sensor to detect whether or not the user or the device is moving. If both the device and user are still, the malicious code will not run.

As soon as it detects the sensor data, the app runs the malicious code and then tries to trick the victims into downloading and installing the malicious Anubis payload APK with a bogus system update, masquerading as a “stable version of Android.”

Not Just Motion Detection

If the user approves the fake system update, the in-built malware dropper uses requests and responses over legitimate services including Twitter and Telegram to connect to its required command and control (C&C) server and downloads the Anubis banking Trojan on the infected device.

“One of the ways the app developers hide the malicious server is by encoding it in Telegram and Twitter web page requests. The bank malware dropper will request Telegram or Twitter after it trusts the running device,” the researchers explain.

“Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.”

Once a device is compromised, the Anubis banking Trojan obtains users’ banking account credentials either by using a built-in keylogger or by taking screenshots of the users’ screen when they enter credentials into any banking app.

Usually, banking Trojans launch a fake overlay screen on the top of bank account login pages to steal banking credentials.

According to the Trend Micro researchers, the latest version of Anubis has been distributed to 93 different countries and targets users of at least 377 variations of financial apps to extract bank account details.

The banking Trojan also has the ability to gain access to contact lists and location, send spam messages to contacts, call numbers from the device, record audio, and alter external storage.

Google has since removed the two malicious apps from its Play Store. Although it is a never-ending concern, the best way to protect yourself from such malware is to always be vigilant when downloading applications, even from Google’s official Play Store.

Most importantly, be careful which apps you give administrative rights to, as it is a powerful permission that can provide full control of your device.

The information above is gathered from The Hacker News.