Alerts

Security researchers have discovered at least three massive malware campaigns exploiting hundreds of thousands of unpatched MikroTik routers to secretly install cryptocurrency miners on computers connected to them.

In all, the malware campaigns have compromised more than 210,000 routers from Latvian network hardware provider MikroTik across the world, with the number still increasing at the time of writing.

The hackers have been exploiting a known vulnerability in the Winbox component of MikroTik routers that was discovered in April this year and patched within a day of its discovery, which once again shows how careless people are about applying security patches on time.

The security flaw can potentially allow an attacker to gain unauthenticated, remote administrative access to any vulnerable MikroTik router.

The first campaign, noticed by Trustwave researchers, began by targeting networking devices in Brazil, where a hacker or group of hackers compromised more than 183,700 MikroTik routers.

Since other hackers have also started exploiting the MikroTik router vulnerability, the campaign is spreading on a global scale.

Troy Mursch, another security researcher, has identified two similar malware campaigns that infected 25,500 and 16,000 MikroTik routers, mainly in Moldova, with malicious cryptocurrency mining code from the infamous CoinHive service.

The attackers are injecting Coinhive’s JavaScript into every web page that a user visits through a vulnerable router, eventually forcing every connected computer to unknowingly mine Monero cryptocurrency for the miscreants.

“The attacker created a custom error page with the CoinHive script in it” and “if a user receives an error page of any kind while web browsing, they will get this custom error page which will mine CoinHive for the attacker,” says Trustwave researcher Simon Kenin.

What’s notable about this campaign is how efficiently the attackers infect a large number of devices at a time, instead of going after websites with few visitors or individual end users by using “sophisticated ways” to run malware on their computers.

“There are hundreds of thousands of these (MikroTik) devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” Kenin said.

It’s a good reminder for users and IT managers who are still running vulnerable MikroTik routers in their environment to patch their devices as soon as possible. A single patch, available since April, is “enough to stop this exploitation in its tracks.”

This is not the first time MikroTik routers have been targeted to spread malware. In March this year, a sophisticated APT hacking group exploited unknown vulnerabilities in MikroTik routers to covertly plant spyware on victims’ computers.


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or an endorsement of the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Drupal has released a new version of its software to patch a security bypass vulnerability that could allow a remote attacker to take control of affected websites.

The vulnerability, tracked as CVE-2018-14773, resides in a component of a third-party library, called Symfony HttpFoundation component, which is being used in Drupal Core and affects Drupal 8.x versions before 8.5.6.

Since Symfony, a web application framework and set of reusable PHP components, is used by many projects, the vulnerability could potentially put many web applications at risk.

Symfony Component Vulnerability

According to an advisory released by Symfony, the security bypass vulnerability originates due to Symfony’s support for legacy and risky HTTP headers.

“Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers,” Symfony said.

A remote attacker can exploit it with a specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value, which overrides the path in the request URL to potentially bypass access restrictions and cause the target system to render a different URL.
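The override described above, modelled as an added example (not Symfony's or Drupal's own code): the pre-fix and fixed routing behaviour side by side, plus the edge-side mitigation of dropping the legacy headers before they reach the application. The /admin rule and the request samples are constructed for illustration.

```python
# Added example (not Symfony's or Drupal's own code). It models the legacy
# X-Original-URL / X-Rewrite-URL path override the advisory describes and the
# edge-side mitigation of dropping those headers before they reach the app.
# The /admin rule and the request samples in the test are constructed.

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def app_path(request_path, headers, honor_legacy_headers):
    """Path the application routes on.

    honor_legacy_headers=True mirrors the pre-fix behaviour: a legacy IIS
    header replaces the path from the request line. False mirrors the fixed
    versions, which ignore those headers.
    """
    if honor_legacy_headers:
        lowered = {k.lower(): v for k, v in headers.items()}  # HTTP names are case-insensitive
        for name in OVERRIDE_HEADERS:
            value = lowered.get(name)
            if value:
                return value.split("?", 1)[0]  # query string is not part of the path
    return request_path


def edge_allows(request_path):
    """Constructed front-end rule: the cache/web server in front of the app
    blocks /admin but only sees the request-line path, never the override."""
    return not request_path.startswith("/admin")


def strip_override_headers(headers):
    """Mitigation while an upgrade is pending (assumed to run in the reverse
    proxy or WAF): drop the legacy override headers before forwarding."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


def flag_override_attempts(headers):
    """Detection hook: override header names present on a request; worth
    logging, since ordinary browsers never send them."""
    return [k for k in headers if k.lower() in OVERRIDE_HEADERS]


def serve(request_path, headers, *, honor_legacy_headers, strip_at_edge):
    """Return the path the app would render, or None if the edge refused it."""
    if not edge_allows(request_path):
        return None
    if strip_at_edge:
        headers = strip_override_headers(headers)
    return app_path(request_path, headers, honor_legacy_headers)
```

Upgrading to the fixed Symfony or Drupal versions is the real fix; the header stripping only closes the gap for a front-end restriction until that upgrade lands.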

The vulnerability has been fixed in Symfony versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3, and Drupal has patched the issue in its latest version, 8.5.6.

The Same Flaw Exists in Zend Framework

Besides Symfony, the Drupal team found that a similar vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal Core, which they named ‘URL Rewrite vulnerability.’

However, the popular CMS said Drupal Core does not use the vulnerable functionality, but recommended that users patch their website if their site or a module uses Zend Feed or Diactoros directly.

Drupal powers millions of websites and, unfortunately, the CMS has recently been under active attack since the disclosure of a highly critical remote code execution vulnerability dubbed Drupalgeddon2.

Therefore, before hackers start exploiting the new flaw to take control of your website, you are strongly advised to update your sites as soon as possible.



New research shows that browser-based tech support scams are starting to use services normally found in legitimate call centre operations. These services, called call optimization services, are typically used by call centres to perform call load balancing, call routing, dynamic generation of phone numbers, and more.


When a visitor lands on a browser-based tech support scam, the page typically uses some technique that makes it difficult to close. This could be a form (shown in a screenshot in the original report), displaying notification dialogs, entering full-screen mode, or a JavaScript routine that causes the browser to become unresponsive.


This is done to scare a visitor into calling the listed phone numbers by keeping the scam on the screen without allowing it to be closed.

According to research by Symantec, tech support scammers have started to use call optimization services to dynamically insert phone numbers into a tech support scam page. These services are used when the tech support scam URL contains a specific variable. If that variable exists, the phone number is retrieved via a call optimization service; if not, it is retrieved from an XML file.

By using a call optimization service, scammers can insert numbers that are appropriate for the visitor’s geographic location, dynamically generate new ones that are not already well known or blacklisted, or use numbers that have low call volume.

“However, by using the call optimization service’s tag in the URL the scammers can dynamically insert phone numbers into their scam pages,” explained Symantec’s report. “This can be useful, for example, if victims are based in multiple countries, as the victim can be shown a phone number that calls someone that speaks their language.”

The report also notes that other components of these services may be used to provide analytics, load balancing during busy periods, and rerouting of calls to other numbers with low call volume. This allows tech support scammers to operate as fully operational call centres and never miss an opportunity to scam someone out of their money.


The information is gathered from Bleeping Computer.

The Linux kernel, versions 4.9+, is vulnerable to denial-of-service conditions triggered by low rates of specially modified packets.

Description

CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’)

CVE IDs: CVE-2018-5390
Date Public: 23 Jul 2018
Date First Published: 06 Aug 2018
Date Last Updated: 06 Aug 2018

Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port. Thus, the attacks cannot be performed using spoofed IP addresses.

Impact

A remote attacker may be able to trigger a denial-of-service condition against a system with an available open port.

Solution

Apply a patch: Patches for the Linux kernel are available to address the vulnerability.

CVSS Metrics

Base Score: 7.1 (Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C)
Temporal Score: 6.4 (Vector: E:POC/RL:ND/RC:C)
Environmental Score: 6.4 (Vector: CDP:ND/TD:H/CR:ND/IR:ND/AR:ND)

References

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e
https://www.spinics.net/lists/netdev/msg514742.html


The information is gathered from KB CERT.

Microsoft users: the website www.systemtech.xyz is a fake Microsoft Support website created by cybercriminals to trick potential victims into giving them remote access to their computers. Once the victims unknowingly grant the cybercriminals remote access, the criminals will steal their personal and financial information.


The cybercriminals will also trick their victims into paying for services they have not provided, and will install malicious software that causes problems on the victims’ computers so that the victims keep contacting them to fix problems the criminals themselves created.