Notifications

A security researcher has publicly disclosed an unpatched zero-day vulnerability in all supported versions of the Microsoft Windows operating system (including server editions) after the company failed to patch a responsibly disclosed bug within the 120-day deadline.

Discovered by Lucas Leong of the Trend Micro Security Research team, the zero-day vulnerability resides in the Microsoft Jet Database Engine and could allow an attacker to remotely execute malicious code on any vulnerable Windows computer.

The Microsoft JET Database Engine, or simply JET (Joint Engine Technology), is a database engine integrated within several Microsoft products, including Microsoft Access and Visual Basic.

According to an advisory released by the Zero Day Initiative (ZDI), the vulnerability is due to a problem with the management of indexes in the Jet database engine that, if exploited successfully, can cause an out-of-bounds memory write, leading to remote code execution.

An attacker must convince a targeted user into opening a specially crafted JET database file in order to exploit this vulnerability and remotely execute malicious code on a targeted vulnerable Windows computer.

“Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process,” Trend Micro’s Zero Day Initiative wrote in its blog post.

“Various applications use this database format. An attacker using this would be able to execute code at the level of the current process.”

According to the ZDI researchers, the vulnerability exists in all supported Windows versions, including Windows 10, Windows 8.1, Windows 7, and Windows Server Edition 2008 to 2016.

ZDI reported the vulnerability to Microsoft on May 8, and the tech giant confirmed the bug on May 14, but failed to patch the vulnerability and release an update within the 120-day (four-month) deadline, prompting ZDI to go public with the vulnerability details.

Proof-of-concept exploit code for the vulnerability has also been published by Trend Micro on its GitHub page.

Microsoft is working on a patch for the vulnerability, and since it was not included in September Patch Tuesday, you can expect the fix in Microsoft’s October patch release.

Trend Micro recommends that all affected users “restrict interaction with the application to trusted files” as a mitigation until Microsoft comes up with a patch.

The information contained in this website is for general information purposes only. The information is gathered from The Hacker News. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

A bug in Twitter’s API inadvertently exposed some users’ direct messages (DMs) and protected tweets to unauthorized third-party app developers who weren’t supposed to get them, Twitter disclosed in its Developer Blog on Friday.

What Happened?

Twitter found a bug in its Account Activity API (AAAPI), which is used by registered developers to build tools to support business communications with their customers, and the bug could have exposed those customers’ interactions.

The Twitter AAAPI bug was present for more than a year—from May 2017 until September 10—when the microblogging platform discovered the issue and patched it “within hours of discovering it.”

In other words, the bug was active on the platform for almost 16 months.

“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer,” Twitter explains.

How Did This Happen?

The bug resides in the way Twitter’s AAAPI works. If a user interacts with an account or business on Twitter that used the AAAPI, the bug “unintentionally” sends one or more of their DMs and protected tweets to the wrong developers instead of the authorized ones.

“Based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source,” Twitter explains.

“In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”

How Many Twitter Users Are Affected?

Although Twitter says it has not yet discovered any evidence that a wrong developer received DMs or protected tweets, the company also “can’t conclusively confirm it didn’t happen.”

So, it is notifying potentially impacted people, who, according to Twitter, make up less than 1 percent of users. Since Twitter now has over 336 million monthly active users, the bug could potentially affect more than 3 million people.

“Any party that may have received unintended information was a developer registered through our developer program, which we have significantly expanded in recent months to prevent abuse and misuse of data,” the company says.

It should be noted that the bug only involves users’ DMs and interactions with companies that use Twitter “for things like customer service”—not all your DMs.

How Is Twitter Handling The Issue?

Twitter says the company has already contacted developers who received the unintended data and is “working with them to ensure that they are complying with their obligations to delete information they should not have.”

Twitter says its investigation into the bug is still “ongoing,” and assures its users that at the current moment, the company has “no reason to believe that any data sent to unauthorized developers was misused.”

“We’re very sorry this happened,” Twitter says. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

What Can Affected Users Do?

Nothing. You really cannot do anything about data that has already gone into the wrong hands.

The information is gathered from The Hacker News.

A vulnerability in Western Digital My Cloud network-attached storage (NAS) that allows an attacker to bypass authentication and take control of the device with administrator permissions remains unpatched almost a year and a half after being reported initially. The security bug, which received the identification number CVE-2018-17153 on Tuesday, was discovered by security researcher Remco Vermeulen at Securify on April 9, 2017, and reported to Western Digital the next day.

The researcher tested the flaw on a Western Digital My Cloud model WDBCTL0020HWT updated to firmware version 2.30.172. The problem is not limited to this model, though, because My Cloud products share the same code.

Exploiting the vulnerability

The authentication process to a My Cloud device generates a server-side session that is bound to the user’s IP address. After this step, authenticated CGI modules can be called by sending the cookie ‘username=admin’ in an HTTP request.

“It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate. The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1,” Vermeulen explains.

If the attacker sets the ‘username=admin’ cookie, they get admin-level access to the device.

The researcher published proof-of-concept code and detailed the steps to take control of a My Cloud NAS.

An attacker first has to create an admin session bound to their IP address:

POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23

cmd=cgi_get_ipv6&flag=1

The next step is to call a remote target system and authenticate using the ‘username=admin’ cookie.
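The two-step sequence just described (the session-creating request, then requests that present the ‘username=admin’ cookie) is what a defender would want to spot in traffic in front of the device. The following is an added detection example, not code from Securify, Western Digital or BleepingComputer. It assumes raw HTTP requests are available per source IP, for instance from a reverse proxy or IDS placed in front of the NAS; that capture point, and the path EXAMPLE_authenticated_module.cgi used in the sample traffic, are assumptions.

```python
"""
Detection helper for the My Cloud authentication-bypass request sequence
described in the article: a POST to /cgi-bin/network_mgr.cgi carrying
cmd=cgi_get_ipv6&flag=1, followed by requests that present the
'username=admin' cookie from the same source address.

Added example, not code from Securify, Western Digital or BleepingComputer.
It assumes raw HTTP requests are available per source IP (for instance from
a reverse proxy or IDS in front of the NAS); that capture point is an
assumption, not something the article describes.
"""
from urllib.parse import parse_qs, urlsplit

BYPASS_PATH = "/cgi-bin/network_mgr.cgi"   # CGI module named in the article
BYPASS_CMD = "cgi_get_ipv6"                # command named in the article


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else "/"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path, "query": url.query,
            "headers": headers, "body": body}


def cookies_of(req: dict) -> dict:
    """Parse the Cookie header into a name -> value mapping."""
    jar = {}
    for part in req["headers"].get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def is_session_forge(req: dict) -> bool:
    """True when the request matches the session-creation step of the bypass.
    The published request sends the parameters in a POST body; also checking
    the query string for non-POST requests is an assumption."""
    if req["path"] != BYPASS_PATH:
        return False
    params = parse_qs(req["body"] if req["method"] == "POST" else req["query"])
    return params.get("cmd") == [BYPASS_CMD] and params.get("flag") == ["1"]


def analyse(traffic: list) -> dict:
    """Walk (source_ip, raw_request) pairs in arrival order. For every source
    IP that issued the session-forging request, count the later requests from
    that IP which presented the 'username=admin' cookie."""
    report = {}
    for ip, raw in traffic:
        req = parse_request(raw)
        if is_session_forge(req):
            report.setdefault(ip, {"forge_requests": 0, "admin_cookie_after": 0})
            report[ip]["forge_requests"] += 1
        elif ip in report and cookies_of(req).get("username") == "admin":
            report[ip]["admin_cookie_after"] += 1
    return report


# Constructed sample traffic (not a real capture). FORGE is the request quoted
# in the article; the path in FOLLOW_UP is a hypothetical placeholder standing
# in for any authenticated CGI module.
FORGE = ("POST /cgi-bin/network_mgr.cgi HTTP/1.1\r\n"
         "Host: wdmycloud.local\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n"
         "Cookie: username=admin\r\n"
         "Content-Length: 23\r\n"
         "\r\n"
         "cmd=cgi_get_ipv6&flag=1")
FOLLOW_UP = ("GET /cgi-bin/EXAMPLE_authenticated_module.cgi?cmd=1 HTTP/1.1\r\n"
             "Host: wdmycloud.local\r\n"
             "Cookie: username=admin\r\n"
             "\r\n")
UNRELATED = ("POST /cgi-bin/network_mgr.cgi HTTP/1.1\r\n"
             "Host: wdmycloud.local\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n"
             "Content-Length: 23\r\n"
             "\r\n"
             "cmd=cgi_get_ipv6&flag=0")   # same command, flag not set: not the published pattern

SAMPLE_TRAFFIC = [("203.0.113.7", FORGE), ("203.0.113.7", FOLLOW_UP),
                  ("198.51.100.2", UNRELATED), ("198.51.100.2", FOLLOW_UP)]

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_TRAFFIC).items():
        print(ip, finding)
```

Only the source that issued the flag=1 request is reported; a ‘username=admin’ cookie on its own is how any legitimately logged-in browser calls the CGI modules, so it is treated as an indicator only after the forging request from the same IP.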

Vermeulen told BleepingComputer that compromising My Cloud NAS systems can be done via cross-site request forgery (CSRF) attacks in malvertising campaigns, allowing the attacker to target devices that are not reachable over the internet.

Other researchers reported the bug to Western Digital, too

Vermeulen is not the only one who found the vulnerability. Last year, security group Exploiteers disclosed it at Def Con security conference.

The group says it contacted Western Digital about it, but the company refused to acknowledge or fix the issue. As a result, Exploiteers member Zenofex built a Metasploit module that exploits the vulnerability.

In August, the group made a video that demonstrates two vulnerabilities, one of them being the authentication bypass CVE-2018-17153:

At this moment, there are about 1,870 Western Digital My Cloud NAS systems connected online, most of them in Europe. The number keeps changing, though. NAS devices are used for backup purposes, so they are very likely to contain data that is valuable to the user. With at least two researchers reporting the vulnerability more than a year ago, proof-of-concept code freely available, and an exploitation module at the ready, hackers are likely to focus on Western Digital products, as they seem ripe for ransomware attacks.

Western Digital now has a hotfix for the My Cloud authentication bypass vulnerability

The information is gathered from Bleeping Computer.

Credential stuffing attacks are a growing problem, particularly in the financial sector, where botnets can initiate so many fraudulent login attempts that the wave has the effect of a distributed denial-of-service (DDoS) attack.

The attack consists of trying to log into multiple online services using username and password combinations compiled from data breaches. Its success depends on the common practice of users reusing the same password for multiple accounts.

Cybercriminals automate these attacks and use botnets that distribute the login activity among compromised systems. The end goal is to log into a target site and assume the identity of the account owner, steal money or gather information.

Billions of malicious login attempts recorded

General statistics from one company that offers DDoS mitigation services are staggering: over 30 billion malicious login attempts recorded in less than one year, from November 2017 to June 2018.

In the last two months of the interval, bots generated about 8.3 billion attempts to sign in with stolen credentials.

The latest State of the Internet report from Akamai describes credential stuffing attacks targeting two companies in the financial sector, with one of them hit by three botnets at the same time.

Three botnets with different attack approaches

In the first case, the attackers produced a significant increase in the network traffic of a large credit union in North America.

Over the course of one week, Akamai noticed 315,178 fraudulent login attempts from about 20,000 IP addresses of 1,750 Internet Service Providers (ISPs). 4,382 different user agents were observed in the attack.

The first botnet running a credential stuffing attack was responsible for a third (94,2296) of the malicious login attempts. Akamai labeled it a “dumb botnet” because its traffic came from two IP addresses and all requests had the same user agent, making it easy to identify and stop.

The second adversary was more complex, sending traffic from 10,000 different IP addresses and using 695 user agents.

“Over three days, the botnet averaged 59 requests per second and was responsible for 190,487 malicious login attempts,” Akamai writes in the report.

The third botnet was the toughest to defend against because it took the “low and slow” approach, with only one malicious login attempt happening every two minutes, totaling 5,286 malicious login attempts in a week. It used 188 unique user agents and 1,500 IP addresses.

The low activity from this botnet made it harder to spot and allowed the attacker to keep the campaign running for a longer period.

Noisy botnet overuses user agent

The second organisation hit by credential stuffing attacks is also a financial service. Its normal traffic recorded 7 million legitimate logins in six days, but when the botnet activity started, there were over 8.5 million fraudulent logins, most of them occurring over 48 hours.

What gave away the fraudulent activity was that 95% of the traffic appeared to come from the same type of device, a Samsung Galaxy SM-G531H smartphone, making the bad requests easier to identify and stop.
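The four patterns described above (a loud botnet from two IPs with one user agent, a distributed botnet, a low-and-slow botnet, and traffic dominated by a single device type) can be surfaced from ordinary login telemetry with a few aggregate measures. The following is an added example, not Akamai’s code or data: the login events, the thresholds, the baseline failure rate and the IP ranges are all constructed assumptions chosen to reproduce the shapes the report describes.

```python
"""
Login-telemetry analysis for the credential-stuffing patterns described in
the report: a loud botnet from a couple of IPs with one user agent, a
distributed low-and-slow botnet, and traffic dominated by one device type.

Added example, not Akamai's code or data. The events, thresholds, baseline
rate and address ranges below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

LEGIT_UAS = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)",
             "Mozilla/5.0 (Linux; Android 8.0)", "Mozilla/5.0 (iPhone)"]
BOT_UA = "Mozilla/5.0 (Linux; Android 5.1; SM-G531H)"   # device model named in the report
START = datetime(2018, 9, 1)                            # constructed window start


def _spread(i, n, hours):
    """Timestamp for the i-th of n events spread evenly over `hours`."""
    return START + timedelta(seconds=i * 3600 * hours // n)


def legit_traffic(n, hours=24):
    """Constructed normal logins: 200 IPs, mixed user agents, one failure in ten."""
    return [{"ts": _spread(i, n, hours), "ip": f"198.51.100.{i % 200}",
             "ua": LEGIT_UAS[i % len(LEGIT_UAS)], "ok": i % 10 != 0}
            for i in range(n)]


def dumb_botnet(n, hours=24):
    """Constructed loud botnet: two IPs, one user agent, every attempt fails."""
    return [{"ts": _spread(i, n, hours), "ip": ["203.0.113.1", "203.0.113.2"][i % 2],
             "ua": BOT_UA, "ok": False} for i in range(n)]


def low_and_slow(n_ips, per_ip, hours=168):
    """Constructed low-and-slow botnet: many IPs, a few failed attempts each,
    varied user agents, spread across a week."""
    total = n_ips * per_ip
    return [{"ts": _spread(k * per_ip + j, total, hours),
             "ip": f"10.{k >> 8}.{k & 255}.7",
             "ua": LEGIT_UAS[(k + j) % len(LEGIT_UAS)], "ok": False}
            for k in range(n_ips) for j in range(per_ip)]


def analyse_logins(events, baseline_failed_per_hour, per_ip_threshold=100,
                   top_ua_share=0.9, baseline_multiplier=3.0):
    """Summarise a window of login events and raise coarse flags.
    `baseline_failed_per_hour` is the failed-login rate seen in normal weeks;
    the thresholds are illustrative and would be tuned per site."""
    if not events:
        return {"flags": [], "noisy_ips": []}
    failed = [e for e in events if not e["ok"]]
    span = max(e["ts"] for e in events) - min(e["ts"] for e in events)
    span_h = max(1.0, span.total_seconds() / 3600)
    by_ip = Counter(e["ip"] for e in failed)
    by_ua = Counter(e["ua"] for e in failed)
    top_ua, top_n = by_ua.most_common(1)[0] if by_ua else (None, 0)
    noisy_ips = sorted(ip for ip, n in by_ip.items() if n >= per_ip_threshold)
    failed_per_hour = len(failed) / span_h
    flags = []
    if failed_per_hour > baseline_multiplier * baseline_failed_per_hour:
        flags.append("failures-above-baseline")
        # Elevated failures with no single loud source and many sources:
        # the shape of the low-and-slow botnet.
        if not noisy_ips and len(by_ip) >= 100:
            flags.append("distributed-low-and-slow")
    if noisy_ips:
        flags.append("few-sources-high-volume")
    if failed and top_n / len(failed) >= top_ua_share:
        flags.append("user-agent-concentration")
    return {"attempts": len(events), "failed": len(failed),
            "failed_per_hour": round(failed_per_hour, 1),
            "distinct_failing_ips": len(by_ip), "distinct_failing_uas": len(by_ua),
            "top_ua": top_ua,
            "top_ua_share": round(top_n / len(failed), 3) if failed else 0.0,
            "noisy_ips": noisy_ips, "flags": flags}


if __name__ == "__main__":
    baseline = 10   # assumed failed logins per hour in a normal week
    print(analyse_logins(legit_traffic(2000) + dumb_botnet(4000), baseline))
    print(analyse_logins(legit_traffic(14000, hours=168) + low_and_slow(1500, 4), baseline))
    print(analyse_logins(legit_traffic(2000), baseline))
```

The loud botnet trips the per-IP and user-agent checks on its own; the low-and-slow one leaves every individual IP and user agent inconspicuous and is only visible as an aggregate failure rate well above the site’s baseline, which is why such a baseline is worth recording before an attack.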

Credential stuffing attacks are easy to orchestrate due to automated tools available as a service. The main requirement is to have a large enough database of usernames and cracked passwords to feed into the login fields of various services.

As data breaches are frequent and users tend to recycle their passwords, there is no shortage of fodder for credential stuffing.

The information is gathered from Bleeping Computer.

One of the world’s most dangerous Android and iPhone spyware programs has been found deployed against targets across 45 countries over the last two years, a new report from Citizen Lab has revealed.

The infamous spyware, dubbed Pegasus, is developed by NSO Group—an Israeli company which is mostly known for selling high-tech surveillance tools capable of remotely cracking into iPhones and Android devices to intelligence agencies around the world.

Pegasus is NSO Group’s most powerful creation that has been designed to hack iPhone, Android, and other mobile devices remotely, allowing an attacker to access an incredible amount of data on a target victim, including text messages, calendar entries, emails, WhatsApp messages, user’s location, microphone, and camera—all without the victim’s knowledge.

Pegasus has previously been used to target human rights activists and journalists, from Mexico to the United Arab Emirates.

Just last month, it was reported that this nasty spyware was used against one of the staffers of Amnesty International—one of the most prominent non-profit human rights organizations in the world—earlier this year, alongside another human rights defender.

Now, a new report released Tuesday from the University of Toronto’s Citizen Lab revealed that the Pegasus infections have victimized more countries than previously believed.

36 Pegasus Spyware Operations Found Deployed in 45 Countries

Citizen Lab last month said that it had so far counted as many as 174 publicly-reported cases of individuals worldwide “abusively targeted” with NSO spyware, but now found traces of Pegasus infections across as many as 45 countries.

According to the report, 36 Pegasus operators have been using the spyware to conduct surveillance operations in 45 countries worldwide, and at least 10 of these operators appear to be actively engaged in cross-border surveillance.

The report further said that while some NSO customers may be lawfully using Pegasus, at least 6 of those countries with significant Pegasus operations were “known spyware abusers,” which means they have previously been linked to the abusive use of spyware to target civil society.

These “known spyware abusers” include Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.

The list of countries targeted by Pegasus includes Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Since Citizen Lab tracked down Pegasus infections by creating fingerprints for Pegasus infrastructure to identify the IP addresses associated with the same spyware system, it admitted that there could be some inaccuracies in its report, due to the possible use of VPN and satellite connections by some of its targets.

Citizen Lab is keeping those fingerprints secret for now, but it found that infections could be detected by scanning the internet with them.

Spyware Creator “NSO Group” Response:

In response to the Citizen Lab report, an NSO Group spokesperson released a statement saying that the company worked in full compliance with all countries without breaking any laws, including export control regulations.

“Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws,” NSO Group spokesperson Shalev Hulio told Citizen Lab.

“NSO’s Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”

The NSO Group further said that there were some problems with the Citizen Lab research and that the company did not sell in many of the 45 countries listed in the report.

The information is gathered from The Hacker News.