updates for the still supported branches of the platform: 3.2.2, 3.1.5, 3.0.9 and 2.7.19. The release notes mentioned that "a number of security related issues were resolved," but didn't provide any additional details about their nature or impact. The severity of the flaws became apparent Monday, when security researcher Netanel Rubin, who found the vulnerabilities, published a detailed blog post about them. They don't seem too critical on their own, but when combined, they allow attackers to create hidden administrative accounts and execute malicious PHP code on the underlying server. The exploit takes advantage of some false assumptions made by the developers, which Rubin described as a logic flaw, an object injection, a double SQL injection, and an overly permissive administrative dashboard. The logic issue stems from the reimplementation of a certain function without taking into account decisions made by the original function's developers. According to the researcher, it is the result of "having too much code, too many developers and lacking documentation." "Keep in mind that logical vulnerabilities can and will occur in almost all systems featuring a large code base," Rubin said. "Security issues in large code bases is, of course, not Moodle specific." Gaining administrative privileges on the Moodle platform is not only dangerous because attackers could install a PHP backdoor by uploading malicious plug-ins or templates, but also because Moodle installations store sensitive and private information about students taking online courses
A view of the Kremlin in Moscow on Jan. 6, 2017.

Russia's alleged use of computer hacking to interfere with the U.S. presidential election fits a pattern of similar incidents across Europe for at least a decade. Cyberattacks in Ukraine, Bulgaria, Estonia, Germany, France and Austria that investigators attributed to suspected Russian hackers appeared aimed at influencing election results, sowing discord and undermining faith in public institutions, including government agencies, the media and elected officials. Those investigations bolster U.S. intelligence findings of Russian meddling to help elect Donald Trump, a conclusion the president-elect has disputed — although he conceded Friday after a private intelligence briefing that Russia was among the possible hacking culprits. "They've been very good at using the West's weaknesses against itself, the open Internet to hack, the free media to sow discord, and to cause people to question the underpinnings of the systems under which they live," said Hannah Thoburn, a research fellow at the Hudson Institute, a Washington think tank. U.S. National Intelligence Director James Clapper told a Senate committee Thursday that Russian intelligence hackers, masquerading as third parties, have conducted attacks abroad that targeted critical infrastructure networks. "Russia also has used cyber tactics and techniques to seek to influence public opinion across Europe and Eurasia," Clapper said. A declassified intelligence report on the Russian hacking released Friday accused Russian President Vladimir Putin of ordering the effort to help elect Trump. It warned that Russia would use lessons learned from the effort to disrupt elections of U.S. allies.

In 2007, Putin told the Munich Security Conference that the United States' effort to spread its form of democracy was an insidious threat to Russia and other nations and that his government would push back. Russian sabotage of Western computer systems started that same year. In 2007, Estonia accused hackers using Russian IP addresses of a wide-scale denial of service attack that shut down the Internet in the former Soviet republic and one of NATO's newest members. According to The Guardian newspaper, the attacks came in waves that coincided with riots on May 3, 2007, over a statue whose removal drew objections from Russia and Russian-speaking Estonians, and on May 8 and 9, when Russia celebrated its victory over Nazi Germany. They blamed the attacks on a pro-Russia group called CyberBerkut. Hudson analyst Thoburn, who was working as an election observer in Ukraine at the time, said the Ukrainians were able to get around it by deleting their entire system and restoring it from a backup that was not contaminated. Ukrainian officials have also accused Russia of being behind a power grid attack in December 2015 that cut power to 80,000 in western Ukraine. In overt actions against Ukraine, Russia seized the province of Crimea in 2014 and helped armed separatists launch a rebellion in eastern Ukraine. German intelligence in 2015 accused Russia of hacking at least 15 computers belonging to members of Germany's lower house of parliament, the Bundestag, and stealing data. Germany's Federal Office for the Protection of the Constitution (BfV) said the attack was conducted by a group called Sofacy, which "is being steered by the Russian state." BfV chief Hans-Georg Maassen told Reuters in November that Moscow has tried to manipulate the media and public opinion through various means, including planting false stories.
One such story, spread in 2015 by Russian media, was about a German-Russian girl kidnapped and raped by migrants in Berlin. German Chancellor Angela Merkel said she could not rule out Russian interference in Germany's 2017 federal election through Internet attacks and disinformation campaigns. Bulgaria's Central Election Commission was hacked during a referendum and local elections in 2015, in an attack almost certainly linked to Russia and to a group that had hacked NATO headquarters in Brussels in 2013, then-President Rosen Plevneliev told the BBC in November. "The same organization that has attacked the (German Parliament) — stealing all the emails of German members of Parliament — the same institution that has attacked NATO headquarters, and that is the same even that has tried to influence American elections lately and so in a very high probability you could point east from us" (to Moscow), Plevneliev said. A pro-Russian political novice was elected in November to replace Plevneliev. The Vienna-based Organization for Security and Cooperation in Europe, whose tasks include monitoring elections across Europe and the conflict in eastern Ukraine, was hit by "a major information security incident" in November, spokeswoman Mersiha Causevic Podzic said. The incident "compromised the confidentiality" of the organization's IT networks, Podzic said. The French daily Le Monde, which first reported the incident, cited a Western intelligence agency attributing the attack to the Russia-linked group APT28, also known as Fancy Bear and Sofacy. Russia, a member of the OSCE, has objected to the group's criticism of Russian-backed forces battling the Ukrainian government in eastern Ukraine.
Russian hackers posing as the "Cyber Caliphate" were suspected of attacking France's TV5Monde television channel in 2014, causing extensive damage to the company's computer systems, FireEye, a cyber security firm that examined the attack, told BuzzFeed. The attack involved the posting of Islamic State propaganda, but appeared to use the same servers as, and had other similarities with, the Russian-linked APT28, the group that is a suspect in attacks on the Democratic National Committee, the OSCE and several other European countries. "APT28 focuses on collecting intelligence that would be most useful to a government," FireEye said. "Specifically, since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government." The security chief of France's ruling Socialist Party recently warned that the country's presidential election this spring is at risk of being hacked. Hackers in 2014 attacked the Warsaw Stock Exchange and at least 36 other Polish sites, stealing data and posting graphic images from the Holocaust. The group that claimed responsibility, CyberBerkut, is the same Russian-linked group that attacked Ukrainian sites. The group, posing as Islamic radicals, stole data and released dozens of clients' log-in credentials, causing mayhem for the exchange, according to Bloomberg News. Dan Wallach, a computer scientist at Rice University who testified about election computer security on Capitol Hill in September, said definitive proof of who conducted an attack would reveal methods and sources that would be lost or killed if exposed. "You're never going to have definitive attribution," Wallach said in an interview. "The proof is some crazy top secret thing and not for public dissemination."
This is a serious violation of the security barrier enforced by the hypervisor and poses a particular threat to multi-tenant data centers where customers' virtualized servers share the same underlying hardware. The open-source Xen hypervisor is used by cloud computing providers and virtual private server hosting companies, as well as by security-oriented operating systems like Qubes OS. The new vulnerability affects Xen 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x and has existed in the Xen code base for over four years. It was unintentionally introduced in December 2012 as part of a fix for a different issue. The Xen project released a patch Tuesday that can be applied manually to vulnerable deployments. The good news is that the vulnerability can only be exploited from 64-bit paravirtualized guest operating systems. Xen supports two types of virtual machines: Hardware Virtual Machines (HVMs), which use hardware-assisted virtualization, and paravirtualized (PV) VMs, which use software-based virtualization. Whether Xen users are affected therefore depends on whether they run PV VMs. For example, Amazon Web Services said in an advisory that its customers' data and instances were not affected by this vulnerability and that no customer action is required. Meanwhile, virtual private server provider Linode had to reboot some of its legacy Xen servers in order to apply the fix.
Qubes OS, an operating system that uses Xen to isolate applications inside virtual machines, also put out an advisory warning that an attacker who exploits another vulnerability, for example inside a browser, can exploit this Xen issue to compromise the whole Qubes system. The Qubes developers have released a patched Xen package for Qubes 3.1 and 3.2 and reiterated their intention to stop using paravirtualization altogether in the upcoming Qubes 4.0. Vulnerabilities that allow breaking the isolation layer of virtual machines can be very valuable for attackers.
On November 8, 2016, Microsoft released a security update for Windows Authentication Methods (MS16-137) which included three CVEs: Talking specifically about CVE-2016-7237, this fix was applied to "lsasrv.dll", which affected the LSASS service. The vulnerability affected all Windows versions, both 32- and 64-bit, and was reported and later described in more detail by Laurent Gaffié (@PythonResponder) the same day the fix was published. He also published proof-of-concept (PoC) code triggering the vulnerability. When the LSASS service crashes, the target is automatically restarted after 60 seconds, which is not very nice when it's a production server. As this allocation is close to 4GB, it will probably fail. If the allocation fails, one of the necessary conditions to reproduce the NULL-pointer dereference will be reached. There was a misunderstanding here about the vulnerability, because according to the PoC released by Laurent Gaffié, the problem WASN'T in the structure pointer, but rather in one field of the CRITICAL_SECTION object pointed to by this structure, which is NULL when the huge allocation fails! To be clear, the check of the NULL pointer should probably have been here: Although the public PoC doesn't trigger the vulnerability in Windows 8.1 or Windows 10, the researcher and Microsoft declared these Windows versions as vulnerable. As I said before, the "NegGetExpectedBufferLength" function reads the evil size from the SMB packet. Now, this function has to return the 0x90312 value (SEC_I_CONTINUE_NEEDED) to produce the failure in the huge allocation.
Unfortunately, in the latest Windows versions, an extra check was added to this function which compares the evil size against 0xffff (64KB). If the evil size is greater, this function won't return the 0x90312 value, but rather 0xC00000BB (STATUS_NOT_SUPPORTED), which won't produce any allocation failure, so the vulnerability is not triggered. On the other hand, if we use an evil size less than or equal to 0xffff (64KB), the allocation won't fail and again the vulnerability won't be triggered. So, why are Windows 8.1 and Windows 10 vulnerable? Although the bug is triggered when a memory allocation fails, that doesn't mean the allocation has to be giant, but rather that the LSASS service doesn't have enough available memory to allocate. I was able to confirm that this vulnerability can be triggered in Windows 7 and 2008 R2 by establishing several SMB connections and sending evil sizes with values like 0x1000000 (16 MB). The problem is that in the case of the latest Windows versions, it's not possible to use this kind of size, because, as I said before, the limit is 64KB. So, the only way to trigger this vulnerability should be by producing memory exhaustion in the LSASS service. It may be possible to do so by finding a controllable malloc in the LSASS authentication process, creating multiple connections and producing memory exhaustion until the "LsapAllocateLsaHeap" function fails. Maybe this memory exhaustion condition could be easily reached in local scenarios. I realized that the fix wasn't working when I tried to understand why the public PoC wasn't working against Windows 10. It's surprising to see that nobody else noticed that (that we know of), and that a considerable number of Windows users have been unprotected for more than 2 months since the public exploit was released.
As of January 10th, Microsoft decided to release a new security bulletin including a patch for the affected systems (MS17-004). If we diff against the latest "lsasrv.dll" version (v6.1.7601.23642), we can see that the vulnerability was fixed by changing the "NegGetExpectedBufferLength" function. Basically, the same 64KB packet size check used by Windows 8.1 and Windows 10 was now added to the rest of the Windows versions.
TSB is a mysterious group that appeared in the summer of 2016 when they dumped on GitHub and other sites a trove of files they claim to have stolen from the Equation Group, a codename given to a cyber-espionage group many cyber-security experts believe to be the NSA. In their original announcement, the group dumped a collection of free files so that cyber-security experts could validate the veracity of their claims. In addition, the group also released a second set of files, which were encrypted with a password the group promised to provide to the winner of an online bidding war. As no one stepped forward, the group started selling some of these tools individually last December but eventually called it quits in January, announcing their retirement just ahead of President Trump's inauguration. Now, the group is back, and the reason why, according to a post published on their Medium blog, is Trump's political moves, which appear to have angered the group. The reasons, as listed by the Shadow Brokers, are below, in original: The politically-charged message ends with the password for the rest of the supposed NSA hacking tools the group released last summer. The first cache of NSA hacking tools contained quite a lot of material, such as zero-day exploits and tools to bypass firewalls (Cisco, Fortinet, Juniper, and TOPSEC), a toolkit to extract VPN keys, backdoors for Linux systems, and several Windows exploits. This second cache is quite fresh, and security researchers haven't had the time to search it in its entirety
A leaked arsenal of hacking tools allegedly belonging to the National Security Agency (NSA) shows the US spy agency infiltrated the servers of a major Pakistani cellular service provider. The data dump, publicly released by the ShadowBrokers hacking group earlier this week, includes alleged digital weapons and notes shared by NSA operators about their access inside the servers of a Pakistani mobile network. Notes contained in the massive dump of encrypted data, which is still being analysed by network security researchers, include details of how the NSA used the exploits to infiltrate cellular operators in Pakistan. One snippet from the leak, several terabytes in size, includes at least 14 lines mentioning different servers operated by a major Pakistani cellular network. The snippet, analysed by a security researcher who goes by the name X0rz, appears to show NSA operators sharing a step-by-step technical guide on how to hack into the servers. "Try one of the following…old way, may not work on new machines," says one section of the snippet. Another section appears to show methods to retrieve call logs of users of the Pakistani cellular service. "If searching for LACs and cell id's, use the format in the documentation…if searching for phone numbers, use the normal format," it says. "Hundreds of NSA cyber weapons variants publicly released including code showing hacking of Pakistan mobile system https://t.co/bL833ktQpm" In a tweet, Wikileaks claimed the leaked "NSA cyber weapons variants" include "code showing hacking of Pakistan mobile system". The data dump was publicly released earlier this week by the ShadowBrokers hacking group after it failed to auction the arsenal of hacking tools. In a lengthy anonymous blog post, the group claimed it was releasing the files as a "form of protest" after losing faith in the leadership of US President Donald Trump.
ShadowBrokers had announced the auction for the alleged NSA cyber weapons in August last year. The authenticity of the code as NSA software was later confirmed by documents provided by whistleblower and former National Security Agency contractor Edward Snowden to The Intercept. In the leak of top-secret documents, Snowden released a classified draft NSA manual on how to implant the SECONDDATE malware, malicious code used to monitor or control someone else's computer. The draft NSA manual contained instructions telling NSA operators to use a specific string of characters associated with the SECONDDATE malware program. The documents revealed at least "two documented cases of SECONDDATE being used to successfully infect computers overseas" including "successful attacks against computer systems in…Pakistan." A report by The Intercept claimed NSA hackers used the malicious program to breach targets in Pakistan's NTC VIP Division, which contained documents pertaining to "the backbone of Pakistan's Green Line communications network" used by the "civilian and military leadership".
On Friday, a cache of hacking tools allegedly developed by the US National Security Agency was dumped online. The news was explosive in the digital security community because the tools contained methods to hack computers running Windows, meaning millions of machines could be at risk. Security experts who tested the tools, leaked by a group called the Shadow Brokers, found that they worked. They were panicked:

"This is really bad, in about an hour or so any attacker can download simple toolkit to hack into Microsoft based computers around the globe." — Hacker Fantastic (@hackerfantastic) April 14, 2017

But just hours later, Microsoft announced that many of the vulnerabilities were addressed in a security update released a month ago. "Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers," Philip Misner, a Microsoft executive in charge of security, wrote in a blog post. "Our engineers have investigated the disclosed exploits, and most of the exploits are already patched." Misner's post showed that three of nine vulnerabilities from the leak were fixed in a March 14 security update. As Ars Technica pointed out, when security holes are discovered, the individual or organization that found them is usually credited in the notes explaining the update. No such acknowledgment was found in the March 14 update. Here's a list of acknowledgments for 2017, showing credit for finding security problems in almost every update. One theory among security practitioners is that the NSA itself reported the vulnerabilities to Microsoft, knowing that the tools would be dumped publicly.
Microsoft told ZDNet that it might not list individuals who discover flaws for a number of reasons, including by request of the discoverer. The US government has not commented on this leak, though previous leaks by the Shadow Brokers claiming to be NSA hacking tools were confirmed at least in part by affected vendors and NSA whistleblower Edward Snowden.
Israeli mobile forensics firm Cellebrite has announced that it has suffered a data breach following unauthorized access to an external web server. "The impacted server included a legacy database backup of my.Cellebrite, the company's end user license management system. The company had previously migrated to a new user accounts system. Presently, it is known that the information accessed includes basic contact information of users registered for alerts or notifications on Cellebrite products and hashed passwords for users who have not yet migrated to the new system," the company stated, and added that it is still investigating the attack. They are also notifying affected customers and advising them to change their passwords. The confirmation comes a few hours after Motherboard released general information about 900 GB of data that it obtained and that has supposedly been stolen from the firm. "The cache includes alleged usernames and passwords for logging into Cellebrite databases connected to the company's my.cellebrite domain," the publication noted. "The dump also contains what appears to be evidence files from seized mobile phones, and logs from Cellebrite devices." The hacker who shared the data with the publication and is apparently behind the breach also noted that access to the compromised servers has been traded among hackers in IRC chat rooms, so it's possible that other persons have exfiltrated potentially sensitive data. "The Cellebrite breach shows that anyone can be hacked, even firms whose bread and butter is data exfiltration. And Cellebrite isn't the first organization of this type to be targeted – Hacking Team and Gamma International have both experienced similar attacks by groups opposed to government surveillance," Tony Gauda, CEO of ThinAir, commented for Help Net Security.
"While the 900 GB of data hasn't been released publicly, it's safe to assume that the information is highly sensitive. Besides customer information, the hackers managed to retrieve technical data, which could have serious repercussions if it were to fall into the wrong hands. Incidents such as this are the cyber equivalent of robbing a gun store, and I wouldn't be surprised if the proprietary info stolen eventually made its way online. Demand for advanced hacking tools and techniques has never been higher and until these firms start securing their digital arsenals with technology capable of rendering data useless when it's compromised, they will continue to find themselves in the crosshairs of hackers." Cellebrite's name has become widely known after reports that the company was asked for help to exfiltrate data from the locked iPhone belonging to Syed Farook, one of the San Bernardino shooters.
Microsoft's security team had a busy weekend. On Friday night, security researcher Tavis Ormandy of Google's Project Zero announced on Twitter that he had found a Windows bug. Well, not just any bug. It was "crazy bad," Ormandy wrote. "The worst Windows remote code exec in recent memory." By Monday night, Microsoft had released an emergency patch, along with details of what the vulnerability entailed. And yes, it was every bit as scary as advertised. That's not only because of the extent of the damage hackers could have done, or the range of devices the bug affected. It's because the bug's fundamental nature underscores the vulnerabilities inherent in the very features meant to keep our devices safe. What made this particular bug so insidious was that it would have allowed hackers to target Windows Defender, an antivirus system that Microsoft builds directly into its operating system. That means two things: First, that it impacted the billion-plus devices that have Windows Defender installed. (Specifically, it took advantage of the Microsoft Malware Protection Engine that underpins several of the company's software security products.) Second, that it leveraged that program's expansive permissions to enable general havoc, without physical access to the device or the user taking any action at all. "This was, in fact, crazy bad," says Core Security systems engineer Bobby Kuzma, echoing Ormandy's original assessment. As Google engineers note in a report on the bug, to pull off the attack a hacker would have only had to send a specialized email or trick a user into visiting a malicious website, or otherwise sneak an illicit file onto a device.
This also isn't just a case of clicking the wrong link; because Microsoft's antivirus protection automatically inspects every incoming file, including unopened email attachments, all it takes to fall victim is an inbox. "The moment [the file] hits the system, the Microsoft malware protection intercepts it and scans it to make sure it's 'safe,'" says Kuzma. That scan triggers the exploit, which in turn enables remote code execution and a total machine takeover. "As soon as it's there, the malware protection will take it up and give it root access." It's scary stuff, though tempered by Microsoft's quick action and the fact that Ormandy appears to have found the bug before bad actors did. And because Microsoft issues automatic updates for its malware protection, most users should be fully protected soon, if not already. It should still serve as an object lesson, though, in the risks that come with antivirus software that has tendrils in every part of your system. It's a scary world out there, and antivirus generally helps make it less so. To do its job correctly, though, it needs unprecedented access to your computer—meaning that if it falters, it can take your entire system down with it. "There is a raging debate about antivirus in some circles, stating that it can be used as a springboard to infect users," says Jérôme Segura, lead malware intelligence analyst with Malwarebytes. "The fact of the matter is that security software is not immune to flaws, just like any other program, but there is no denying the irony when an antivirus could be leveraged to infect users instead of protecting them." Irony and, well, damage.
A year ago, Google's Ormandy found critical vulnerabilities that affected no fewer than 17 Symantec antivirus products. He has found similar flaws in offerings from security vendors like FireEye, McAfee, and more. And more recently, researchers discovered an attack called "DoubleAgent," which turned Microsoft's Application Verifier tool into a malware entry point. "Because of what they do, AV products are really complex and have to touch a lot of things that are untrusted," says Kuzma. "This is the kind of vulnerability we've seen time and again." There's also no real solution; it's not easy to weigh the protections against the risks. The best you can hope for, really, is what Ormandy and Microsoft demonstrated during the last few days: that someone catches the mistakes before the bad guys do, and that the fixes come fast and easy.
Argentinean security researcher Manuel Caballero has discovered another vulnerability in Microsoft's Edge browser that can be exploited to bypass a security protection feature and steal data such as passwords from other sites, or cookie files that contain sensitive information. The vulnerability is a bypass of Edge's Same Origin Policy (SOP), a security feature that prevents a website from loading resources and code from domains other than its own. To exploit the flaw, Caballero says, an attacker can use server redirect requests combined with data URIs, which would allow him to confuse Edge's SOP filter and load unauthorized resources on sensitive domains. The expert explains the attack step by step on his blog. In the end, the attacker will be able to inject a password form on another domain, which the built-in Edge password manager will automatically fill in with the user's credentials for that domain. Below is a video of the attack. Additionally, an attacker can steal cookies in a similar manner. More demos are available on a page Caballero set up here. Two weeks ago, Caballero found another SOP bypass in Edge, which an attacker could also exploit to steal cookies and passwords. That particular exploit relied on a combination of data URIs, the meta refresh tag, and domainless pages, such as about:blank. Compared to the previous SOP bypass, the technique Caballero disclosed yesterday has the advantage that it's faster to execute, as the first required the attacker to log users out of their accounts and re-authenticate them in order to collect their credentials. Caballero has a history of finding severe bugs in Microsoft browsers.
He previously bypassed the Edge SOP using Edge's new Reading Mode, showed how the SmartScreen security filter could be abused for tech support scams, and found a serious JavaScript attack in Internet Explorer 11 (still unpatched). More worrisome, Microsoft has not patched any of the SOP bypass issues the expert discovered. "We have 3 SOP bypasses right now," Caballero told Bleeping Computer today when asked to confirm the status of the three bugs. This month's Patch Tuesday, released two days ago, patched the Edge SmartScreen issue Caballero discovered last December, but the researcher found a way to bypass Microsoft's patch within minutes.
Cyber security researchers on Monday pointed to code in a "ransomware" attack that could indicate a link to North Korea. Symantec and Kaspersky Lab each cited code that was previously used by a hacker collective known as the Lazarus Group, which was behind the high-profile 2014 hack of Sony that was also blamed on North Korea. But the security firms cautioned that it is too early to draw definitive conclusions, in part because the code could simply have been copied by someone else for use in the current attack. The effects of the ransomware attack appeared to ease Monday, although thousands more computers, mostly in Asia, were hit as people signed in at work for the first time since the infections spread to 150 countries late last week. Health officials in Britain, where surgeries and doctors' appointments in the national health care system had been severely disrupted Friday, were still having problems Monday. But health minister Jeremy Hunt said it was "encouraging" that a second wave of attacks had not materialized. He said "the level of criminal activity is at the lower end of the range that we had anticipated." In the United States, Tom Bossert, a homeland security adviser to President Donald Trump, told the ABC television network that the global cybersecurity attack is something that "for right now, we've got under control." He told reporters at the White House that "less than $70,000" had been paid in ransom to those carrying out the attacks. He urged all computer users to make sure they install software patches to protect themselves against further cyberattacks. In the television interview, Bossert described the malware that paralyzed 200,000 computers running factories, banks, government agencies, hospitals and transportation systems across the globe as an "extremely serious threat."
Cybersecurity experts say the hackers behind the "WannaCry" ransomware, who demanded $300 payments to decrypt files locked by the malware, used a vulnerability disclosed in U.S. government documents leaked online. The attacks exploited known vulnerabilities in older Microsoft operating systems. During the weekend, Microsoft president Brad Smith said the clandestine U.S. National Security Agency had developed the code used in the attack. Bossert said "criminals," not the U.S. government, are responsible for the attacks. Like Bossert, experts believe Microsoft's security patch released in March should protect networks if companies and individual users install it. Russian President Vladimir Putin said his country had nothing to do with the attack and cited the Microsoft statement blaming the NSA for causing the worldwide cyberattack. "A genie let out of a bottle of this kind, especially created by secret services, can then cause damage to its authors and creators," Putin said while attending an international summit in Beijing. He said that while there was "no significant damage" to Russian institutions from the cyberattack, the incident was "worrisome." "There is nothing good in this and it calls for concern," he said. Even though the number of attacks appeared to diminish Monday, computer outages still affected segments of life across the globe, especially in Asia, where Friday's attacks occurred after business hours.
China
China said 29,000 institutions had been affected, along with hundreds of thousands of devices. Japan's computer emergency response team said 2,000 computers at 600 locations were affected there. Universities and other educational institutions appeared to be the hardest hit in China. China's Xinhua News Agency said railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services were also affected. Elsewhere, Britain said seven of the 47 trusts that run its national health care system were still affected, with some surgeries and outpatient appointments canceled as a result. In France, auto manufacturer Renault said one of its plants, which employs 3,500 workers, stayed shut Monday as technicians dealt with the aftermath of Friday's attacks.
Security patches
Computer security experts have assured individual computer users who have kept their operating systems updated that they are relatively safe, but urged companies and governments to make sure they apply security patches or upgrade to newer systems. They advised those whose networks have been shut down by the ransomware attack not to make the demanded payment, the equivalent of $300, paid in the digital currency bitcoin. However, the authors of the "WannaCry" ransomware told their victims the amount they must pay will double if they do not comply within three days of the original infection, by Monday in most cases. The hackers warned that they will delete all files on infected systems if no payment is received within seven days.
SEATTLE — When malicious software first became a serious problem on the internet about 15 years ago, most people agreed that the biggest villain, after the authors of the damaging code, was Microsoft. As a new cyberattack continues to sweep across the globe, the company is once again at the center of the debate over who is to blame for a vicious strain of malware that demands ransom from victims in exchange for unlocking their digital files. This time, though, Microsoft believes others should share responsibility for the attack, an assault that targeted flaws in the Windows operating system. On Sunday, Brad Smith, Microsoft's president and chief legal officer, wrote a blog post describing the company's efforts to stop the ransomware's spread, including the unusual step of releasing a security update for versions of Windows that Microsoft no longer supports. Mr. Smith wrote, "As a technology company, we at Microsoft have the first responsibility to address these issues." He went on, though, to emphasize that the attack had demonstrated the "degree to which cybersecurity has become a shared responsibility between tech companies and customers," the latter of whom must update their systems if they want to be protected. He also pointed a finger at intelligence services, since the latest vulnerability appeared to have leaked from the National Security Agency. On Monday, a Microsoft spokesman declined to comment beyond Mr. Smith's post. Microsoft has recognized the risk that cybersecurity poses to it since about 2002, when Bill Gates, the former chief executive, issued a call to arms inside the company after a wave of malicious software began infecting Windows PCs connected to the internet.
"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable," Mr. Gates wrote in an email to employees identifying trustworthy computing as Microsoft's top priority. "Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company." Since then, the company has poured billions of dollars into security initiatives, employing more than 3,500 engineers dedicated to security. In March, it released a software patch that addressed the vulnerability exploited by the ransomware, known as WannaCry, protecting systems such as Windows 10, its latest operating system. Yet security flaws in older editions of Windows persist. The company no longer provides regular software updates to Windows XP, a version first released in 2001, unless customers pay for "custom support," a practice some observers believe has put users at risk. Late Friday, Microsoft took the unusual step of making the patches that protect older systems, including Windows XP, against WannaCry free. "Companies like Microsoft should discard the idea that they can abandon people using older software," Zeynep Tufekci, an associate professor at the school of information and library science at the University of North Carolina, wrote in a New York Times opinion piece over the weekend. "The money they made from these customers hasn't expired; neither has their responsibility to fix defects." But security experts challenged that argument, saying that Microsoft could not be expected to keep updating old software products indefinitely.
Providing updates to older systems could make computers less secure overall by removing an incentive for users to modernize, said Mikko Hypponen, the chief research officer of F-Secure, a security firm. "I can understand why they issued an emergency patch for XP after WannaCry was found, but in general, we should just let XP die," Mr. Hypponen said.
The industrial company on Tuesday released mitigations for eight vulnerabilities overall. Siemens AG on Tuesday issued a slew of fixes addressing eight vulnerabilities spanning its industrial product lines. The most serious of the patched flaws is a cross-site scripting vulnerability in Siemens' SCALANCE firewall product. The flaw could allow an attacker to gain unauthorized access to industrial networks and ultimately put operations and production at risk. The SCALANCE S firewall is used to protect industrial networks from untrusted network traffic, and allows incoming and outgoing connections to be filtered in a number of ways. SCALANCE S602, S612, S623 and S627-2M devices with software versions prior to V4.0.1.1 are affected. Researchers with Applied Risk, who discovered the flaw, said the vulnerability exists in the web server of the firewall software. An attacker can carry out the attack by crafting a malicious link and tricking an administrator who is logged into the web interface into clicking it. Once the admin does so, the attacker's script runs in the administrator's browser session and can issue requests to the firewall's web server on the administrator's behalf. "The integrated web server allows a cross-site scripting attack if an administrator is misled into accessing a malicious link," Applied Risk researcher Nelson Berg said in an analysis of the flaw. "Successful exploitation may lead to the ability to bypass critical security measures provided by the firewall."
Exploitation of this vulnerability could ultimately enable threat actors to bypass critical security functions provided by the firewall, potentially providing access to industrial networks and putting operations and production at risk. The vulnerability, CVE-2018-16555, has a CVSS score that Applied Risk's researchers calculate at 8.2 (high severity). That said, the researchers said a successful exploit is not completely seamless and takes some time and effort to carry out: user interaction is required, and the administrator must be logged into the web interface. The researchers said that no exploitation of the vulnerability has been observed thus far. Siemens addressed the reported vulnerability by releasing a software update (V4.0.1.1) and also advised customers to "only access links from trusted sources in the browser you use to access the SCALANCE S administration website." The industrial company also released an array of fixes for other vulnerabilities on Tuesday. Overall, eight advisories were released by US-CERT. Another serious vulnerability (CVE-2018-16556) addressed was an improper input validation flaw in certain Siemens S7-400 CPUs. Successful exploitation could crash the affected device, which may require a manual reboot or firmware re-image to bring the system back to normal operation, according to the advisory. "Specially crafted packets sent to Port 102/TCP via Ethernet interface, via PROFIBUS, or via multi-point interfaces (MPI) could cause the affected devices to go into defect mode. Manual reboot is required to resume normal operation," according to US-CERT.
An improper access control vulnerability that is remotely exploitable in the Siemens IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC was also mitigated. The vulnerability, CVE-2018-4858, has a CVSS score of 4.2 and exists in a service of the affected products listening on all of the host's network interfaces on Port 4884/TCP, Port 5885/TCP, or Port 5886/TCP. The service could allow an attacker to either exfiltrate limited data from the system or execute code with Microsoft Windows user permissions. Also mitigated were an improper authentication vulnerability (CVE-2018-13804) in SIMATIC IT Production Suite and a code injection vulnerability (CVE-2018-13814) in SIMATIC Panels and SIMATIC WinCC that could allow an attacker with network access to the web server to perform an HTTP header injection attack.
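The two web-side bug classes in this advisory, reflected XSS reached through a crafted link and HTTP header injection, come down to untrusted input reaching an output context without encoding or validation. The following added example (not Siemens code; the page, parameter names and hostnames are invented for the illustration) shows the weak pattern next to the hardened one for both contexts.

```python
"""Untrusted input reaching two output contexts of an administrative web
interface: an HTML page and an HTTP response header.

Added example for the bug classes in this advisory (reflected XSS reached
through a crafted link; HTTP header injection). Not Siemens code: the page,
parameter names and hostnames are invented for the illustration.
"""
import html
from urllib.parse import parse_qs, urlsplit


def query_params(link: str) -> dict:
    """Single-valued query parameters of a link, as the server decodes them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(link).query).items()}


def render_status_vulnerable(params: dict) -> str:
    """Interpolates request parameters straight into HTML. Whatever the
    attacker put in the link becomes markup, and script, in the browser of
    the logged-in administrator who opened it, so the script's requests to
    the firewall carry that administrator's session."""
    msg = params.get("msg", "")
    theme = params.get("theme", "light")
    return f'<body class="{theme}"><h1>Firewall status</h1><p>{msg}</p></body>'


def render_status_hardened(params: dict) -> str:
    """Same page with output encoding chosen for the context. html.escape
    with quote=True is right for text content and for double-quoted
    attribute values (it encodes < > & " and ', so an attribute cannot be
    closed early). Unquoted attributes, URLs and inline script need other
    encoders and are simply not used here."""
    msg = html.escape(params.get("msg", ""), quote=True)
    theme = html.escape(params.get("theme", "light"), quote=True)
    return f'<body class="{theme}"><h1>Firewall status</h1><p>{msg}</p></body>'


def is_safe_header_value(value: str) -> bool:
    """A header value may not contain CR, LF or any other control character:
    CR LF ends the current header line, and whatever follows is parsed as
    the next header (or, after a blank line, as the body)."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def build_redirect_vulnerable(target: str) -> bytes:
    """Copies a request-controlled value into the Location header verbatim."""
    return (b"HTTP/1.1 302 Found\r\nLocation: "
            + target.encode("latin-1") + b"\r\n\r\n")


def build_redirect_hardened(target: str) -> bytes:
    """Refuses rather than encodes: a header is a framing boundary, not text,
    so there is no safe encoding of a line break inside it."""
    if not is_safe_header_value(target):
        raise ValueError("control character in header value")
    return (b"HTTP/1.1 302 Found\r\nLocation: "
            + target.encode("latin-1") + b"\r\n\r\n")


def header_lines(raw: bytes) -> list:
    """Header lines (status line excluded) of a serialized response, to show
    how many headers a client would actually see."""
    head = raw.partition(b"\r\n\r\n")[0]
    return head.split(b"\r\n")[1:]


if __name__ == "__main__":
    link = ("https://fw.example/status?msg=%3Cscript%3Ealert(1)%3C/script%3E"
            "&theme=%22%3E%3Cscript%3E")
    print(render_status_vulnerable(query_params(link)))
    print(render_status_hardened(query_params(link)))
    print(header_lines(build_redirect_vulnerable(
        "https://fw.example/\r\nSet-Cookie: session=attacker")))
```

The vendor's interim advice above ("only access links from trusted sources") addresses the user-interaction precondition; the fix in the product is the encoding shown in the hardened renderer. Note the asymmetry between the two contexts: HTML has an encoding that makes any input inert, whereas a header has none, which is why the hardened header builder rejects the value instead of transforming it.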
The zero-day memory corruption flaw resides in the implementation of the SMB (Server Message Block) network file sharing protocol and could allow a remote, unauthenticated attacker to crash systems in a denial-of-service attack, which would then open them to further attacks. According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but Microsoft has not confirmed this so far. Without addressing the actual scope of the vulnerability or the kind of threat the exploit poses, Microsoft has simply downplayed the severity of the issue, saying: "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection." However, the proof-of-concept exploit code, Win10.py, has already been released publicly for Windows 10 by security researcher Laurent Gaffie, and it does not require targets to use a browser. The memory corruption flaw lies in the manner in which Windows handles SMB traffic; all an attacker needs is to trick a victim into connecting to a malicious SMB server, which could easily be done with clever social engineering. "In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure," CERT said in the advisory.
"By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys." Since the exploit code is now publicly available and there is no official patch from Microsoft, all Windows users are exposed to potential attacks at this time. Until Microsoft patches the memory corruption flaw (most probably in the upcoming Windows update or an out-of-band patch), Windows users can temporarily mitigate the issue by blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN. Note that this only blocks connections to malicious servers on the Internet; a malicious SMB server reachable on the local network can still trigger the crash.
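The advisory's wording points at a length check the client skips: the bytes following the fixed-size TREE_CONNECT Response structure. The following added example (not the mrxsmb20.sys logic and not Gaffie's Win10.py; the messages are constructed, not captured) parses an SMB2 TREE_CONNECT Response with every length checked before a byte is interpreted, and rejects a response that carries extra bytes. Field offsets follow MS-SMB2 sections 2.2.1 and 2.2.10.

```python
"""Length-checked parsing of an SMB2 TREE_CONNECT Response.

Added example of the check whose absence the CERT advisory describes
(a response carrying bytes beyond the fixed TREE_CONNECT Response
structure). Not the mrxsmb20.sys logic and not Gaffie's Win10.py; the
messages are constructed here, not captured. Field layout follows
MS-SMB2 2.2.1 (SMB2 header) and 2.2.10 (TREE_CONNECT Response).
"""
import struct

# ProtocolId, StructureSize, CreditCharge, Status, Command, Credits, Flags,
# NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"
SMB2_HEADER_SIZE = struct.calcsize(SMB2_HEADER_FMT)      # 64
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001                  # set on responses

# StructureSize, ShareType, Reserved, ShareFlags, Capabilities, MaximalAccess
TREE_CONNECT_RESP_FMT = "<HBBIII"
TREE_CONNECT_RESP_SIZE = struct.calcsize(TREE_CONNECT_RESP_FMT)   # 16
SHARE_TYPES = {0x01: "DISK", 0x02: "PIPE", 0x03: "PRINT"}


class SMBParseError(ValueError):
    """Any message the client refuses to process."""


def parse_header(data: bytes) -> dict:
    if len(data) < SMB2_HEADER_SIZE:
        raise SMBParseError("short header")
    (proto, ssize, _charge, status, command, _credits, flags, next_command,
     message_id, _reserved, tree_id, session_id, _sig) = struct.unpack(
        SMB2_HEADER_FMT, data[:SMB2_HEADER_SIZE])
    if proto != SMB2_PROTOCOL_ID or ssize != SMB2_HEADER_SIZE:
        raise SMBParseError("not an SMB2 header")
    # NextCommand is the offset of the next compounded message from the start
    # of this header (0: last message). It bounds this message's body.
    if next_command and (next_command < SMB2_HEADER_SIZE
                         or next_command > len(data) or next_command % 8):
        raise SMBParseError("NextCommand out of range or unaligned")
    return {"status": status, "command": command, "flags": flags,
            "next_command": next_command, "message_id": message_id,
            "tree_id": tree_id, "session_id": session_id}


def parse_tree_connect_response(body: bytes) -> dict:
    """Parse the body that follows the header. The body must be exactly the
    16-byte structure: a shorter one is truncated, a longer one carries
    bytes the structure does not account for, and both are rejected before
    any field is read."""
    if len(body) < TREE_CONNECT_RESP_SIZE:
        raise SMBParseError("truncated TREE_CONNECT Response")
    if len(body) > TREE_CONNECT_RESP_SIZE:
        raise SMBParseError(f"{len(body) - TREE_CONNECT_RESP_SIZE} byte(s) "
                            "beyond the TREE_CONNECT Response structure")
    (ssize, share_type, _reserved, share_flags,
     capabilities, maximal_access) = struct.unpack(TREE_CONNECT_RESP_FMT, body)
    if ssize != TREE_CONNECT_RESP_SIZE:
        raise SMBParseError(f"StructureSize {ssize}, expected 16")
    if share_type not in SHARE_TYPES:
        raise SMBParseError(f"unknown ShareType {share_type:#x}")
    return {"share_type": SHARE_TYPES[share_type], "share_flags": share_flags,
            "capabilities": capabilities, "maximal_access": maximal_access}


def parse_message(data: bytes) -> dict:
    """Parse one SMB2 message received from a server."""
    hdr = parse_header(data)
    if not hdr["flags"] & SMB2_FLAGS_SERVER_TO_REDIR:
        raise SMBParseError("expected a response")
    body = data[SMB2_HEADER_SIZE:hdr["next_command"] or len(data)]
    if hdr["command"] != SMB2_TREE_CONNECT:
        raise SMBParseError(f"command {hdr['command']:#06x} not handled here")
    return {**hdr, **parse_tree_connect_response(body)}


def accepts(data: bytes) -> bool:
    """True if the client would process `data`, False if it rejects it."""
    try:
        parse_message(data)
        return True
    except SMBParseError:
        return False


def build_tree_connect_response(extra: bytes = b"") -> bytes:
    """Constructed sample (not a capture): a well-formed DISK share response
    for message 1 on tree 1, plus `extra` bytes a malicious server appends."""
    header = struct.pack(SMB2_HEADER_FMT, SMB2_PROTOCOL_ID, SMB2_HEADER_SIZE,
                         1, 0, SMB2_TREE_CONNECT, 1, SMB2_FLAGS_SERVER_TO_REDIR,
                         0, 1, 0, 1, 0x1234, bytes(16))
    body = struct.pack(TREE_CONNECT_RESP_FMT, TREE_CONNECT_RESP_SIZE,
                       0x01, 0, 0, 0, 0x001F01FF)
    return header + body + extra


if __name__ == "__main__":
    print(parse_message(build_tree_connect_response()))
    try:
        parse_message(build_tree_connect_response(extra=b"A" * 200))
    except SMBParseError as err:
        print("rejected:", err)
```

The rule the example enforces is the general one for fixed-layout protocol structures: the only bound a receiver may trust is the one its framing gives it (here the caller's slice, in practice the NetBIOS session length or NextCommand), and bytes the structure does not account for are an error to be rejected, not padding to be copied along with it.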
In recent years, ransomware has become a growing concern for companies in every industry. Between April 2015 and March 2016, the number of individuals affected by ransomware surpassed 2 million, a 17.7% increase from the previous year. Ransomware attacks work by breaching systems, usually through infected email, and locking important files or networks until the user pays a specified amount of money. According to FBI statistics cited in a Malwarebytes report, hackers gained more than $209 million from ransomware payments in the first three months of 2016, putting ransomware on track to rake in nearly $1 billion this year. But as more victims refuse to pay, cybercriminals have created an even more insidious threat. Imagine malware that combines ransomware with a personal data leak: this is what the latest threat, doxware, looks like. With doxware, hackers hold computers hostage until the victim pays the ransom, as with ransomware. But doxware takes the attack further by compromising the privacy of conversations, photos, and sensitive files, and threatening to release them publicly unless the ransom is paid. Because of the threatened release, it is harder to avoid paying the ransom, making the attack more profitable for hackers. In 2014, Sony Pictures suffered an email phishing malware attack that released private conversations between top producers and executives discussing employees, actors, industry competitors, and future film plans, among other sensitive topics. And ransomware attacks have claimed a number of recent victims, especially healthcare systems, including MedStar Health, which suffered a major attack affecting 10 hospitals and more than 250 outpatient centers in March 2016.
Combine the data leak at Sony and the ransomware attack on MedStar and you can see the potential fallout from a doxware attack. Doxware requires strategic, end-to-end planning, which means hackers will target their victims more deliberately. Looking at the data leaked from Sony, it is easy to imagine the catastrophic effect doxware would have on an executive of any major corporation. Company leaders hold countless conversations over email each day on sensitive topics ranging from product development to competition to internal politics, and if there is a doxware attack, the fallout could be extensive.
Expect things to get worse
The technology behind doxware is still new, but expect the problem to become worse. Recent attacks have been contained to Windows desktop computers and laptops, but this will certainly change. Once the malware can infiltrate mobile devices, the threat will become even more pervasive, with text messages, photos, and data from apps at risk of being leaked. It is also highly likely that doxware will target more types of files. Workplace emails are currently a big target for hackers. However, a company's internal communications or instant messaging network is also appealing to hackers using doxware, as the messaging network often serves as a platform where both sensitive business discussion and casual conversations take place, potentially exposing both company secrets and personally embarrassing exchanges. One doxware variant holds files ransom with the threat of release and then steals the victim's passwords. Another, Popcorn Time, takes doxware even further by giving victims the option to infect two of their friends with the malware instead of paying the ransom.