Zero Day Telegram Vulnerability Exploited by Hackers for Cryptomining

Kaspersky Lab has revealed that in October 2017 it discovered a flaw in Telegram Messenger’s Windows desktop client that was being exploited “in the wild”. According to Kaspersky, the flaw has allegedly been exploited by Russian cybercriminals in a cryptomining campaign.

The Telegram vulnerability involves the use of an RLO (right-to-left override) attack when the user sends a file through the messenger.

The RLO Unicode character is primarily used to encode languages that are written right-to-left, such as Hebrew or Arabic, but hackers can use it to trick users into downloading malicious files. An app that is vulnerable to the attack will display such a filename incompletely or with part of it reversed.
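To show the defender's side of this, here is an added example, not code from the Kaspersky report or from Telegram, of how a file-receiving client can check a filename for the U+202E override before showing it to the user: it locates the override, reports the extension the operating system will actually act on, and approximates what a bidi-aware display would render. The sample filename is constructed, and `find_rlo`, `real_extension` and `displayed_name` are names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* U+202E RIGHT-TO-LEFT OVERRIDE encoded as UTF-8. */
static const char RLO[] = "\xE2\x80\xAE";

/* Constructed sample: the bytes after the override spell "gnp.js", so the
 * operating system sees a .js file while a naive display shows "...sj.png". */
static const char SAMPLE_NAME[] = "photo_" "\xE2\x80\xAE" "gnp.js";

/* Byte offset of the first RLO character in name, or -1 if none is present.
 * A messenger client can use this to refuse the file or warn the user. */
int find_rlo(const char *name) {
    const char *p = strstr(name, RLO);
    return p ? (int)(p - name) : -1;
}

/* The extension that decides how the file is opened: the text after the
 * last '.', regardless of how the name is rendered on screen. */
const char *real_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    return dot ? dot + 1 : "";
}

/* Approximate what a bidi-aware UI shows: the text before the override
 * unchanged, the text after it reversed one code point at a time.
 * out must hold at least strlen(name) + 1 bytes. Returns out. */
char *displayed_name(const char *name, char *out) {
    int at = find_rlo(name);
    if (at < 0) {
        strcpy(out, name);
        return out;
    }
    memcpy(out, name, (size_t)at);
    size_t pos = (size_t)at;
    const char *tail = name + at + strlen(RLO);   /* skip the 3-byte override */
    size_t i = strlen(tail);
    while (i > 0) {
        size_t start = i - 1;
        /* step back over UTF-8 continuation bytes to the code point's lead byte */
        while (start > 0 && ((unsigned char)tail[start] & 0xC0) == 0x80)
            start--;
        memcpy(out + pos, tail + start, i - start);
        pos += i - start;
        i = start;
    }
    out[pos] = '\0';
    return out;
}

int main(void) {
    char shown[sizeof SAMPLE_NAME];
    displayed_name(SAMPLE_NAME, shown);
    printf("displayed as:   %s\n", shown);
    printf("real extension: %s\n", real_extension(SAMPLE_NAME));
    printf("RLO at offset:  %d\n", find_rlo(SAMPLE_NAME));
    return 0;
}
```

The practical check is the pair `find_rlo` and `real_extension`: if an override is present, the client should show the real extension explicitly (or strip the override) rather than trust the rendered text.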

Kaspersky has said that it seems that only Russian cybercriminals were aware of this flaw and were exploiting it — not to spread ransomware but cryptomining malware.

The attacks enabled cybercriminals to not just spread the cryptomining malware but also to install a backdoor to remotely control victims’ computers.

“We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017,” read the report Kaspersky published on the flaw.

In the report, Alexey Firsh, a cyberthreat researcher at Kaspersky, outlined several scenarios showing how the vulnerability was actually exploited.

He also wrote that Telegram was informed of this flaw and it no longer occurs in their products.

Amazon denies risk in Amazon Key — while it is working to fix it

Earlier this week, an anonymous researcher and Twitter user, MG, posted a video showing how Amazon Key, the company’s recently launched service that lets delivery staff unlock a customer’s house and deposit items when no one is home, can be used to disable customers’ alarm systems and break into their homes using software.


After a failed attempt at disclosure with Amazon, in which the company demanded to see a PoC and ruled out any reward or payment, MG took to Twitter and uploaded the video showing how Amazon Key can be exploited by “anyone with a raspberry pie.”

Once the video was posted, Amazon finally reached out to him and is currently working on a fix to the vulnerability.

However, Amazon is still denying any risk associated with its product.

“The security features built into the delivery application technology used for in-home delivery are not being used in the demonstration,” said Kristen Kish, Amazon spokesperson.

She added that, “Safeguards are in place when the driver technology is used: our system monitors 1) that the door is only open for a brief period of time, 2) communication to the camera and lock is not interrupted, and 3) that the door is securely re-locked. The driver does not leave without physically checking that the door is locked. Safety and security is built into every aspect of the service.”

While MG is withholding technical details until Amazon has a chance to fix the issue, the video shows how a hacker can easily enter a house enabled with Amazon Key.

Amazon also told Forbes that the hack involves “disrupting Wi-Fi connections used by the Key system, not Amazon software. The Raspberry Pi does some as yet undisclosed deauthorization, which would indicate a disconnection between the various pieces of the Amazon Key setup.”

MG, in his report, questions this process.

“Why are you using low wage workers to be the last gate in a bad security model? How often has this process been audited for completion rates or holes?” he writes.

He is also concerned about the “fact that they require your house’s alarm to be turned off for a driver to use the Amazon Key without issue,” saying that Amazon doesn’t talk about the consumer use of the app either.

Schneider Electric reveals it was a flaw in its technology that led to the hack

Schneider Electric SE said in a customer advisory released on Thursday that the December attack that halted operations at an undisclosed industrial facility was caused by hackers exploiting a previously unknown vulnerability in its technology.

Schneider said in the notice that the vulnerability was in an older version of the Triconex firmware that allowed hackers to install a remote-access Trojan as "part of a complex malware infection scenario" and advised customers to follow previously recommended security protocols for Triconex.

Reports of the breach surfaced on December 14, when cybersecurity firms disclosed that hackers had breached one of Schneider’s Triconex safety systems and speculated that it was likely an attack by a nation-state.

The target of the attack has not been disclosed so far; however, Dragos, a cybersecurity firm, has said it occurred in the Middle East. Others have speculated it was in Saudi Arabia.

The attack is the first of its kind reported against this type of system.

The system itself is used in nuclear facilities, oil and gas plants, mining, water treatment facilities, and other plants to safely shut down industrial processes when hazardous conditions are detected.

Previously, Schneider had said that the attack was not caused by a bug in the Triconex system.

Schneider is reportedly working on tools to identify and remove the malware, expected to be released in February. The Department of Homeland Security is also investigating the attack, according to Schneider.

Gmail Android app flaw allows crooks to send emails pretending to be someone else


Beware, people! A bug in Gmail’s Android app would allow people with bad intentions to hide their identity and impersonate other people and organizations.

Yan Zhu, a security researcher, discovered the bug at the end of October, and Google says it has fixed it.

In order to stay safe, Gmail users should study the email address carefully. Don’t hit reply to ask for verification. Walk over and have a chat, or send a note using what you know is their real email address.

Email spoofing is nothing new: it lets attackers send an email that looks as though it comes from another account by hiding their own address.

As per the researcher, the sender’s real email address would be hidden, and the receiver wouldn’t be able to reveal it even by opening the email and expanding its contents.

Zhu told Motherboard that she had changed her display name to yan “security@google.com” with an extra quotation mark.

She shared a screenshot of the mail with Motherboard.

According to Motherboard, DomainKeys Identified Mail (DKIM) signature digitally signs emails for a given domain and establishes authenticity.

When John Shier, a security enthusiast, examined a set of emails to discern whether they were phish or legit, the DKIM signature was one of the clues that led him to conclude that one of the emails in question was for real.

DKIM doesn’t filter or identify spoofed emails, per se, but it can be helpful in approving legitimate email.

In fact, Google has used it to authenticate email coming from eBay and PayPal: both heavily phished properties.

If a message comes in to Gmail purporting to be from either but lacks DKIM, out it goes – it doesn’t even make it into the Spam folder.

Hackers can Record Phone Calls on Modern Samsung Galaxy Handsets



Recent Samsung Galaxy handsets can have all their phone calls recorded using OpenBTS, a malicious base station.

Such base stations act as fake telephony towers; they are normally used for testing and debugging in a laboratory.

Two German security researchers, Daniel Komaromy and Nico Golde, showed at the PacSec security conference in Tokyo, Japan, how a base station can easily fool Samsung Galaxy handsets into connecting to the attacker's network.

They used the latest versions of Samsung's Galaxy S6, Galaxy S6 Edge and Galaxy Note 4 families. What these phones have in common is Samsung's line of "Shannon" baseband chips, which handle the telephony features.

The attack relies on using the OpenBTS base station to transmit a malicious firmware update to the baseband chip.

This firmware can reroute all phone calls through a proxy, record them, and spy on victims without being noticed.

The researchers reported the technical details to Samsung's team, and the company has started work on a patch to fix the issue.



Several serious security bugs in Samsung Galaxy S6 Edge

Researchers from Google’s Project Zero have found a dozen flaws in Samsung's Android operating system running on Samsung Galaxy S6 Edge smartphones.

However, Samsung claims to have patched most of the vulnerabilities.

As per the researchers, the flaws could allow an attacker to manipulate the privileges the device assigns to its apps and to access the victim's emails, among other threats.

The research team reported the vulnerabilities to the company in late July, and eight of them were addressed by the vendor with its October maintenance release. The company has promised to patch the remaining three security bugs later this month.

 Project Zero wanted to put the security of an OEM device to the test to see how it compares against Google’s Nexus, for which the Internet giant has started releasing monthly security updates.

“The majority of Android devices are not made by Google, but by external companies known as Original Equipment Manufacturers or OEMs which use the Android Open-Source Project (AOSP) as the basis for mobile devices which they manufacture. OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers,” Project Zero researcher Natalie Silvanovich said in a blog post.

The researchers, who were asked to find vulnerabilities, looked for three types of issues that can be part of a kernel privilege escalation exploit chain, including gaining remote access to contacts, photos and messages, gaining access to such data from a Google Play application that requires no permissions, and using this access to persistently execute code even after a device wipe.

“Each team worked on three challenges, which we feel are representative of the security boundaries of Android that are typically attacked. They could also be considered components of an exploit chain that escalates to kernel privileges from a remote or local starting point,” Silvanovich said.

Among the eleven high-severity issues, the most serious is a path traversal vulnerability (CVE-2015-7888) in the Samsung WifiHs20UtilityService service that can be exploited to write arbitrary files on the system.

The email client installed on Samsung Galaxy S6 Edge devices is also plagued by a serious flaw (CVE-2015-7889), which allows an attacker to forward a user’s emails to a different account via a series of intents from an unprivileged application. Another email client issue (CVE-2015-7893) can be exploited to execute arbitrary JavaScript code embedded in a message.

Google researchers also found issues related to drivers (CVE-2015-7890, CVE-2015-7891, CVE-2015-7892), and image parsing (CVE-2015-7894, CVE-2015-7895, CVE-2015-7896, CVE-2015-7897, CVE-2015-7898).

“Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down. The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short,” Silvanovich explained.



Critical Bug in GnuTLS library affects Linux and hundreds of apps


A critical error-handling bug (CVE-2014-0092) in the GNU security library GnuTLS affects hundreds of software packages, including the Red Hat, Debian and Ubuntu distros.

According to the Red Hat security advisory, a coding error in GnuTLS causes certain errors that can occur during verification of an X.509 certificate to be handled incorrectly, resulting in 'a successful verification' being reported.

"An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker." the advisory reads.

The bug lies in how the return value is produced in the verify.c file (https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b?diffmode=sidebyside). It appears the uninitialized variable "result" is causing the problem. There is also a second coding error: the code returns the value of issuer_version when issuer_version is less than zero, instead of returning zero. And when result is less than zero, it jumps to the 'cleanup' label instead of 'fail'.

Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team discovered this security flaw while auditing GnuTLS for Red Hat.
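The shape of the error-handling mistake is easier to see in code. The following is an added, simplified model written for this article, not the GnuTLS source: `check_if_ca_buggy` reproduces the two paths the advisory describes (returning a negative issuer_version, and jumping to cleanup on a negative result), while `check_if_ca_fixed` routes every error through a fail label that forces the answer to zero. The cert struct, the helper functions, the ERR_ASN1 code and the sample certificates are constructed stand-ins; the one real convention they follow is GnuTLS's "negative means error" return style, which is exactly what lets an error read as a nonzero "yes".

```c
#include <stdio.h>

/* Constructed error code, mimicking GnuTLS's negative-on-error convention. */
#define ERR_ASN1 (-1)

/* Constructed stand-in for a parsed X.509 certificate. */
struct cert {
    const char *subject;
    int version;   /* X.509 version; negative here means "failed to parse" */
    int ca_flag;   /* basicConstraints CA bit */
};

/* Helpers return the value, or a negative error code, like the real accessors. */
static int get_version(const struct cert *c) {
    return c->version;
}

static int get_ca_flag(const struct cert *c, int *ca) {
    if (c->version < 0) return ERR_ASN1;
    *ca = c->ca_flag;
    return 0;
}

/* Buggy shape: a negative issuer_version is returned as the answer, and a
 * negative result jumps to cleanup, which returns whatever is in result.
 * Callers treat nonzero as "issuer is a CA", so an error passes as "yes". */
int check_if_ca_buggy(const struct cert *issuer) {
    int result;
    int ca = 0;
    int issuer_version = get_version(issuer);
    if (issuer_version < 0)
        return issuer_version;     /* should have returned 0 */
    result = get_ca_flag(issuer, &ca);
    if (result < 0)
        goto cleanup;              /* should have been goto fail */
    result = ca;
cleanup:
    return result;
}

/* Fixed shape: every error path passes through fail, which pins the answer
 * to 0 ("not a CA") before the shared cleanup code runs. */
int check_if_ca_fixed(const struct cert *issuer) {
    int result;
    int ca = 0;
    int issuer_version = get_version(issuer);
    if (issuer_version < 0)
        goto fail;
    result = get_ca_flag(issuer, &ca);
    if (result < 0)
        goto fail;
    result = ca;
    goto cleanup;
fail:
    result = 0;
cleanup:
    return result;
}

/* Models the caller: anything nonzero from the check is accepted as a CA. */
int issuer_accepted(int (*check)(const struct cert *), const struct cert *issuer) {
    return check(issuer) != 0;
}

/* Constructed inputs: a real CA, an end-entity cert, and an unparsable cert. */
static const struct cert ROOT_CA   = { "CN=Example Root", 3, 1 };
static const struct cert LEAF      = { "CN=example.test", 3, 0 };
static const struct cert MALFORMED = { "CN=garbage", ERR_ASN1, 1 };

int main(void) {
    printf("malformed issuer accepted? buggy=%d fixed=%d\n",
           issuer_accepted(check_if_ca_buggy, &MALFORMED),
           issuer_accepted(check_if_ca_fixed, &MALFORMED));
    printf("leaf as issuer accepted?   buggy=%d fixed=%d\n",
           issuer_accepted(check_if_ca_buggy, &LEAF),
           issuer_accepted(check_if_ca_fixed, &LEAF));
    return 0;
}
```

The lesson generalizes beyond GnuTLS: when a function's contract is "zero means no, nonzero means yes" and its helpers use "negative means error", any path that lets an error code escape as the return value silently converts failure into success.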

Users are advised to upgrade to the latest GnuTLS version (3.2.12 or 3.1.22) or apply the patch for GnuTLS 2.12.x.

Hackers can use Google Chrome to spy on your conversations


A security bug in Google Chrome allows hackers to use a computer's microphone to surreptitiously listen to your private conversations.

Normally, a website that uses speech recognition technology asks the user for permission to access the mic. Chrome shows an indicator while speech recognition is active, and once the user leaves the website, Chrome stops listening to the mic.

Israeli developer Tal Ater found a security flaw in this system while working on a speech recognition library.

The problem is that once you grant an HTTPS-enabled website permission to use your mic, Chrome remembers the choice and can start listening in the future without asking for permission again.

In a demo video, he showed how an attacker could leverage this behaviour by launching a small hidden pop-up window that starts the speech recognition system.

Ater reported the bug to Google's security team in September 2013. He has been nominated for Chromium's reward panel.




Security Bugs fixed: Wireshark 1.10.4 and 1.8.12 released

The latest Wireshark versions are available here. The new versions 1.10.4 and 1.8.12 add no special features compared with previous versions; however, multiple bugs have been fixed in them.

Three security bugs are fixed. The vulnerabilities exist in the SIP dissector, the BSSGP dissector and the NTLMSSP v2 dissector.

An attacker could remotely crash Wireshark by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

Besides security bugs, there are also some non-security related bugs fixed in these versions such as "Tx MCS set is not interpreted properly in WLAN beacon frame", "Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses".

Download the latest version from here:
http://www.wireshark.org/download.html



Hacked Verizon Femtocell allows hackers to spy on Phone calls made with iPhone & Android


Two security experts from iSEC Partners have found a way to spy on Verizon Wireless mobile phone customers by hacking into devices the U.S. carrier sells to boost wireless signals indoors.

In a demonstration for Reuters, researchers Tom Ritter and Doug DePerry showed how they were able to spy on phone calls, messages and photos sent from iPhone and Android phones by using a Verizon femtocell that they had previously hacked.

"This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people," Reuters quoted Tom Ritter, a senior consultant with the security firm iSEC Partners, as saying.

Verizon reportedly updated the software on its signal-boosting devices, known as femtocells or network extenders, to thwart hackers from copying the two experts' technique.

"The Verizon Wireless Network Extender remains a very secure and effective solution for our customers," a Verizon spokesperson said in a statement after the bug was fixed.

However, the researchers claimed their technique still works because they had modified the device before the company pushed out the software fix. The experts told Reuters that further details will be shared at two upcoming hacking conferences: Black Hat and DefCon.

Security Flaw in Samsung allows hackers to bypass Android Lock screen

A security flaw in Samsung phones allows a hacker to bypass the lock screen and launch apps and dial phone numbers on a locked device. The vulnerability was discovered by mobile enthusiast Terence Eden.

To exploit this security flaw, the hacker activates the screen and presses Emergency Call, then presses the "ICE" button at the bottom left and holds down the physical home key for a few seconds before releasing it. The Home screen is now accessible and any app or widget can be launched.

The researcher tested this vulnerability against a Galaxy Note II N7100 running 4.1.2.

"This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed." Eden said in his blog post.

The researcher says he tried to contact Samsung regarding this vulnerability but has had no proper response from them.





Reflected Cross-site scripting vulnerability in MTS Mobile website


Information security expert Narendra Bhati, from Sheoganj, India, has discovered a reflected cross-site scripting vulnerability in the official MTS website (mtsindia.com).

MTS group is an Indian mobile network operator headquartered in New Delhi that provides wireless voice, messaging and data services in India.

The vulnerability exists in the website's search field: XSS code injected into the search box is reflected back and executed.

For instance, injecting the following code in the search box will display the alert box:

    "><script>alert("E Hacking News")</script>

Narendra also found that the field accepts iframe code as well, so an attacker could possibly inject a phishing page to scam innocent visitors.

    "/><iframe src="http://www.google.com" width=1000 height=1000></iframe>
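The corrective for a reflected XSS like this is output encoding. As an added illustration, not code from the MTS site or from the researcher, the following C snippet renders a search-results fragment both the flawed way (query dropped into the page as-is) and the safe way (query passed through `html_escape` first). The payload is the one shown above; the page template, `render_search_unsafe`, `render_search_safe` and `has_raw_tag` are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The alert payload shown above, as a C string. */
static const char PAYLOAD[] = "\"><script>alert(\"E Hacking News\")</script>";

/* Return a malloc'd copy of s with the HTML-significant characters replaced
 * by entities, so the browser treats the text as data, not markup. Caller frees. */
char *html_escape(const char *s) {
    size_t cap = strlen(s) * 6 + 1;   /* worst case: every byte becomes "&quot;" */
    char *out = malloc(cap);
    if (!out) return NULL;
    char *w = out;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default: break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(w, rep, n);
            w += n;
        } else {
            *w++ = *s;
        }
    }
    *w = '\0';
    return out;
}

/* The flawed pattern: the query is written straight into both an attribute
 * value and element text, so a quote or '<' in it changes the markup. */
char *render_search_unsafe(const char *q) {
    const char *fmt = "<input name=\"q\" value=\"%s\"><p>Results for %s</p>";
    size_t n = strlen(fmt) + 2 * strlen(q) + 1;
    char *page = malloc(n);
    if (page) snprintf(page, n, fmt, q, q);
    return page;
}

/* The fix: escape once, at the point where the data is written into HTML. */
char *render_search_safe(const char *q) {
    char *esc = html_escape(q);
    if (!esc) return NULL;
    char *page = render_search_unsafe(esc);   /* esc holds no raw < > " ' & */
    free(esc);
    return page;
}

/* True if the rendered page still contains an unescaped tag with this name. */
int has_raw_tag(const char *html, const char *tag) {
    char needle[64];
    snprintf(needle, sizeof needle, "<%s", tag);
    return strstr(html, needle) != NULL;
}

int main(void) {
    char *bad = render_search_unsafe(PAYLOAD);
    char *good = render_search_safe(PAYLOAD);
    printf("unsafe: %s\n  raw <script> present: %d\n", bad, has_raw_tag(bad, "script"));
    printf("safe:   %s\n  raw <script> present: %d\n", good, has_raw_tag(good, "script"));
    free(bad);
    free(good);
    return 0;
}
```

The same `html_escape` neutralises the iframe payload, since it can no longer close the attribute or open a tag; in a real application the escaping belongs in the template engine rather than in each handler.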

One of Twitter's "Sign in" forms sends the password in plain text


Zohar Alon, the CEO of cloud security company Dome9, discovered a security flaw in Twitter's design. One of the 'Sign in' forms failed to use a secure connection and sent the password in plain text.

The main Twitter sign-in page uses a secure connection and encrypts login credentials to prevent hackers from obtaining the data. But the drop-down sign-in menu on the tweet details page failed to use the HTTPS (secure) connection.

Vulnerable Twitter sign in form

This means that a malicious hacker could capture the login credentials by sniffing the victim's network traffic.

After being notified by The Next Web about this critical vulnerability, the Twitter security team addressed the issue. The sign-in form now uses the HTTPS protocol.

Google Webmaster Tools security flaw gives unauthorized access to old accounts

A security flaw in Google Webmaster Tools results in old user accounts automatically getting re-verified and given access to sites they should no longer have access to.

Google Webmaster Tools is a Google website that helps website owners manage how their site appears in Google, diagnose problems and optimize traffic.

According to the Search Engine Journal report, users are finding themselves with sudden access to accounts that they once had access to but no longer should, e.g. ex-employees or even contractors and the like.


"For those not aware of the seriousness of this apparent breach of security," the Search Engine Journal report reads. "The rub is, there’s simply no guarantee those granted renewed access won’t do something malicious. Not only could past access holders change key elements, but spying on the competition for larger entities is definitely a possibility."

"That bug is presumably giving a lot of power to individuals that shouldn’t have it — power to deindex, disavow links, unverify the current/legitimate webmaster’s access, and even redirect sites to other verified domains in the user’s account. It also reveals a lot of link, search, index/crawl and other data to users that shouldn’t be able to see those things." the Search Engine Land report says.

Google fixed the bug several hours after the issue arose.

CVE-2012-4953 : Critical Memory corruption vulnerability in Symantec Antivirus



CVE-2012-4953: A critical security flaw has been discovered in multiple Symantec antivirus products. Improper handling of malformed CAB files results in a memory corruption vulnerability. The vulnerability was announced by US-CERT on Nov 5.

According to the statement, successful exploitation may result in arbitrary code execution as the result of a file being scanned.

"We have confirmed that Symantec Endpoint Protection 11, which uses dec_abi.dll, and Symantec Scan Engine 5.2, which uses Dec2CAB.dll, are affected" The researcher says.

A remote attacker can send a specially crafted CAB formatted file to trigger a memory corruption error in 'dec_abi.dll' and execute arbitrary code with system privileges on the victim system.

I'm still confused about the date of notification to the vendor. The report says the bug was reported on 8 Apr 2011?!

"The SEP product team has received the vulnerability report (VU#985625) from CERT and we are actively working on a response that will include all affected versions of Symantec products as well as mitigation plans . Please be assured that all versions of SEP 12.1 are unaffected by CERT VU#985625. We will provide an official advisory on Wednesday, November 7 PST." This was Symantec's response when a user asked for details about the vulnerability on its forum.

According to the US-CERT advisory, Symantec Endpoint Protection 11 is affected, and upgrading to Symantec Endpoint Protection 12 will fix the problem.

"Symantec currently has no plans to update Symantec Endpoint Protection 11. We have verified that Symantec Scan Engine, now known as Symantec Protection Engine for Cloud Services, version 7 does not appear to be affected." the advisory reads.