Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.
They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard.
The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android.
A currently incomplete list of vulnerable operating systems and the init systems they came with is available below, with more to be added once they are tested and found to be affected:
• Ubuntu 19.10 (systemd)
• Fedora (systemd)
• Debian 10.2 (systemd)
• Arch 2019.05 (systemd)
• Manjaro 18.1.1 (systemd)
• Devuan (sysV init)
• MX Linux 19 (Mepis+antiX)
• Void Linux (runit)
• Slackware 14.2 (rc.d)
• Deepin (rc.d)
• FreeBSD (rc.d)
• OpenBSD (rc.d)
The Department of Homeland Security today alerted institutions in the financial services sector to risks stemming from ongoing Dridex malware attacks targeting private-sector financial firms through phishing e-mail spam campaigns.
The alert was published by the Cybersecurity and Infrastructure Security Agency (CISA) via the US National Cyber Awareness System, a tool designed to provide industry and users with info on current security topics and threats.
“Because actors using Dridex malware and its derivatives continue to target the financial services sector, including financial institutions and customers, the techniques, tactics, and procedures contained in this report warrant renewed attention,” CISA says.
“Treasury and CISA encourage network security specialists to incorporate these indicators into existing Dridex-related network defense capabilities and planning.”
The alert issued today also comes with “a list of previously unreported indicators of compromise derived from information reported to FinCEN” by financial companies.
The Dridex malware, and its various iterations, has the capability to impact confidentiality of customer data and availability of data and systems for business processes. According to industry reporting, the original version of Dridex first appeared in 2012, and by 2015 had become one of the most prevalent financial Trojans. We expect actors using Dridex malware and its derivatives to continue targeting the financial services sector, including both financial institutions and customers.
Security researcher William J. Tolley reported a vulnerability that exists on most Linux distros and other *nix operating systems, and which allows a network-adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections.
Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year, which turned reverse path filtering off. However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn’t a reasonable solution, but this was how we discovered that the attack worked on Linux.
Adding a prerouting rule to drop packets destined for the client’s virtual IP address is effective on some systems, but I have only tested this on my machines (Manjaro 5.3.12-1, Ubuntu 19.10 5.3.0-23). This rule was proposed by Jason Donenfeld, and an analogous rule on the output chain was proposed by Ruoyu “Fish” Wang of ASU. We have some concerns that inferences can still be made using slightly different methods, but this suggestion does prevent this particular attack.
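As an added illustration of the prerouting mitigation described above (this is not the rule text from the disclosure or from the kernel maintainers), the script below emits, or applies as root, a raw-table PREROUTING rule for both IPv4 and IPv6 that drops any packet addressed to the VPN client’s virtual IP unless it arrived on the tunnel interface or was generated locally. The interface name tun0 and the addresses 10.8.0.5 and fd00:8::5 are constructed placeholders; set VPN_IF, VPN_IP4 and VPN_IP6 to your own client’s values.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed (constructed) defaults:
# tunnel interface tun0, virtual IPv4 10.8.0.5, virtual IPv6 fd00:8::5.
VPN_IF="${VPN_IF:-tun0}"
VPN_IP4="${VPN_IP4:-10.8.0.5}"
VPN_IP6="${VPN_IP6:-fd00:8::5}"

# Build one rule for the given firewall binary ($1: iptables or ip6tables) and
# virtual address ($2). It lives in the raw table's PREROUTING chain, so it is
# evaluated before conntrack and routing: a packet for the virtual IP that did
# not enter via the tunnel is dropped. Locally sourced packets (loopback traffic
# to the VPN address) are exempted via the addrtype match so local services keep
# working. Packets that belong to the tunnel itself arrive on $VPN_IF and pass.
vpn_drop_rule() {
    printf '%s -t raw -I PREROUTING ! -i %s -d %s -m addrtype ! --src-type LOCAL -j DROP' \
        "$1" "$VPN_IF" "$2"
}

# Emit the IPv4 and IPv6 rules; with "apply" execute them instead of printing.
# IPv6 is covered too because the disclosure notes the attack also works over IPv6.
vpn_protect() {
    mode="${1:-print}"
    for spec in "iptables $VPN_IP4" "ip6tables $VPN_IP6"; do
        set -- $spec
        rule=$(vpn_drop_rule "$1" "$2")
        if [ "$mode" = apply ]; then
            $rule || return 1
        else
            echo "$rule"
        fi
    done
}

# Usage: ./vpn_protect.sh print   (show the rules)
#        sudo ./vpn_protect.sh apply   (install them)
case "${1:-}" in
    print|apply) vpn_protect "$1" ;;
esac
```

Remove the rules again with the same commands but `-D` in place of `-I`; they do not persist across reboot unless saved with your distribution’s iptables persistence tooling.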
There are other potential solutions being considered by the kernel maintainers, but I can’t speak to their current status. I will provide updates as I receive them.
We have attached his original disclosure, which he provided to distros@vs.openwall.org and security@kernel.org, below, with at least one critical correction: I originally listed CentOS as being vulnerable to the attack, but this was incorrect, at least regarding IPv4. We didn’t know the attack worked against IPv6 at the time we tested CentOS, and I haven’t been able to test it yet.
OpenBSD, an open-source operating system built with security in mind, has been found vulnerable to four new high-severity security vulnerabilities, one of which is an old-school type authentication bypass vulnerability in BSD Auth framework.
The other three vulnerabilities are privilege escalation issues that could allow local users or malicious software to gain privileges of an auth group, root, as well as of other users, respectively.
The vulnerabilities were discovered and reported by Qualys Research Labs earlier this week, in response to which OpenBSD developers released security patches for OpenBSD 6.5 and OpenBSD 6.6 just yesterday—that’s in less than 40 hours.
Here’s a brief explanation of all four security vulnerabilities in OpenBSD—a free and open-source BSD-based Unix-like operating system—along with their assigned CVE identifiers.
Cybersecurity researchers have uncovered a new, previously undiscovered destructive data-wiping malware that is being used by state-sponsored hackers in the wild to target energy and industrial organizations in the Middle East.
Dubbed ZeroCleare, the data wiper malware has been linked to not one but two Iranian state-sponsored hacking groups—APT34, also known as ITG13 and Oilrig, and Hive0081, also known as xHunt.
A team of researchers at IBM who discovered the ZeroCleare malware says that the new wiper malware shares some high-level similarities with the infamous Shamoon, one of the most destructive malware families known for damaging 30,000 computers at Saudi Arabia’s largest oil producer in 2012.
Just like the Shamoon wiper malware, ZeroCleare also uses a legitimate hard disk driver, ‘RawDisk’ by EldoS, to overwrite the master boot record (MBR) and disk partitions of targeted computers running the Windows operating system.
Though the EldoS driver is not signed, the malware still manages to run it by loading a vulnerable but signed Oracle VirtualBox driver, exploiting it to bypass the driver signature checking mechanism and load the unsigned EldoS driver.