Search This Blog

Showing posts with label Vulnerability and Exploits. Show all posts

Security Bug Detected in Google’s Android App

 

A vulnerability had existed in Google's eponymous Android app with over five billion downloads to date that might have enabled an attacker to stealthily steal the personal information of a victim's device. 

In a blog post-Sergey Toshin, the founder of Oversecured Mobile App Security Group, noted that it's about the way the Google app relies on code that is not packaged with the app directly. Several Android apps, notably the Google application, decrease download size and storage space by depending on code libraries installed on Android smartphones. 

However, the shortcoming in Google's code allowed the malicious application to inherit the permissions of the Google app and permit it to almost completely access data from a user. 

The malicious application could also pull the code library from a malicious app on the very same device rather than its legitimate code library. This access includes access to Google user accounts, search histories, e-mails, text messages, contacts, and call history, as well as microphone/camera triggering and user location. 

Toshin added that the malicious application will be activated once for the attack to start, but it is carried out without the knowledge or cooperation of the user. He added that removing the malicious program will not remove malicious components from the Google app. 

A Google spokesman told that last month it addressed the issue and there was no proof that the attackers would be using the flaw. The built-in malware scanner of Android, Google Protect Play, will stop the installation of harmful apps. However, there is no absolute safety feature, and malicious apps are already on the internet. 

Toshin stated that the vulnerability in Google's app is almost like a bug identified in TikTok earlier in this year that would allow an attacker to hijack a TikTok user's session tokens which are exploited to gain control of their account. 

Oversecured identified several other identical vulnerabilities, including the Google Play app for Android and more recent pre-installed apps on Samsung phones.

Experts mentioned main loophole of Russian companies in cyber attacks

 According to experts of the cybersecurity company BI.ZONE (a subsidiary of Sberbank), the main reason for successful cyberattacks on Russian companies is an access control vulnerability that allows attackers to connect to an organization's systems and, as a result, then leads to data leakage.

"The vulnerability of access control was recognized as the main reason for unauthorized access to data of Russian companies. The company for strategic digital risk management BI.ZONE recorded this problem in 61% of organizations where they managed to gain access to confidential data," the company said.

According to BI.ZONE, this number was 67% last year. "A slight improvement may be due to an increase in the quality of creating in-house applications," experts say.

Yevgeny Voloshin, director of the BI.ZONE expert services unit, explained that attackers, having hacked the administrator's account, gain access to the company's systems and use this gap to steal data. At the same time, most often it is possible to crack the account by brute-force passwords.

"This problem lies in the incorrect division of access in internal corporate applications. For example, a regular user can also work with functions that should only be available to the administrator. Attackers, having hacked his account, connect to the internal infrastructure, and then use this gap for data theft and other fraudulent actions," notes Yevgeny Voloshin.

BI.ZONE experts recommend using complex passphrases with punctuation marks and other characters, rather than just a single word. Also, the vulnerability problem may be related to access to certain types of data without additional user authentication.

Earlier, E Hacking news reported that most users use passwords that are too simple, which cybercriminals can easily guess in 46 percent of cases.

Vulnerabilties Found in Realtek Module

A new type of severe rated vulnerabilities has been revealed in the Realtek RTL8170C Wi-Fi module. A hacker could exploit these vulnerabilities to gain access to a device and attack wireless communications. According to experts Vdoo, an Israeli tech IoT firm, if an exploit is successful, it would result in control of complete WiFi module possible root access in the Linux or Android OS, of the embedded devices using this module. 

Hacker News reports "Realtek RTL8710C Wi-Fi SoC underpins Ameba, an Arduino-compatible programmable platform equipped with peripheral interfaces for building a variety of IoT applications by devices spanning across agriculture, automotive, energy, healthcare, industrial, security, and smart home sectors." These vulnerabilities impact all IoT and embedded devices that use the module for connecting to Wi-Fi networks and the hacker would have to be on the same Wi-Fi network. It is because the firmware knows the network's pre-shared key (PSK) or uses the RTL8710C module. 

PSK, as the name suggests, is a cryptographic code that is used to verify wireless devices on LANs. "In the same vein, the RTL8170C Wi-Fi module's WPA2 four-way handshake mechanism is vulnerable to two stack-based buffer overflow vulnerabilities (CVE-2020-27301 and CVE-2020-27302, CVSS scores: 8.0) that abuse the attacker's knowledge of the PSK to obtain remote code execution on WPA2 clients that use this Wi-Fi module," reports The Hacker News. An earlier investigation in February revealed similar vulnerabilities in the Realtek RTL8195A Wi-Fi module, the primary one being a buffer overflow vulnerability (CVE-2020-9395). 

It allows a hacker who is in the range of an RTL8195 module to completely hijack the module, without needing a Wi-Fi password. In a possible real-world attack situation, experts performed a PoC (proof of concept) exploit where the hacker disguises as an authorized access point and sends an infected encrypted GTK (group temporal key) to the supplicant (client) with the help of WPA2 protocol connection. GTK is used for securing broadcast and multicast traffic. "During the analysis, we have discovered and responsibly disclosed six major vulnerabilities in Realtek’s RTL8195A Wi-Fi module that these devices were based on," said Vdoo.

Industrial Switches Given by the Vendors Affected by a Same Vulnerability

Industrial switches that were given by the vendors have been affected by a same vulnerability, the reason being they all have the same firmware from Korenix Technology, an industrial networking solutions provider based in Taiwan. SEC Consult, an Austrian-based cyber security company revealed the vulnerability. The company (which is owned by Atos) was trying to get the security holes patched since last year, but it took more than an year for Korenix to release security fixes. 

Security Week reports "Properl+Fuchs did release some patches and workarounds last year after being notified about the vulnerabilities, but the company’s response was limited due to the fact that the flaws existed in the Korenix firmware. SEC Consult’s initial attempts to get Korenix to patch the vulnerabilities failed, until late November 2020, when the company had been preparing to make its findings public." Westermo for PMI-110-F2G and Pepperl+Fuchs for Comtrol RocketLinx industrial switches also use the same firmware made for Jetnet Industrial switches by Korenix. Beijer Electronics Group owns both Westermo and Pepperl+Fuchs. 

As per SEC consult, the companies which made these devices have the same firmware base, hence, a single vulnerability affects all of them. SEC Consult found 5 kinds of vulnerabilities, assigned high severity, and critical ratings. It includes unauthorised device administration, cross-site request forgery, authentication command injection, TFTP file/read/write issues, and backdoor accounts. If a hacker has network access, he can attack a device and make unauthorised changes in configuration, steal sensitive data, or make it enter into a DoS state. The affected devices are used in automation, transportation, heavy industry, surveillance, power and energy, and other sectors. 

These switches, according to experts, hold a crucial position in a network and attacker can exploit these vulnerabilities and disruption the connection to the attached network systems.  Apart from releasing firmware updates for the security fixes, Korenix has also suggested some measures to prevent from potential threats. "This vulnerability can also be exploited via Cross-Site Request Forgery attacks as there is no protection for that kind of attack. The NMS (Network Management System) of Korenix, also known as JetView or Korenix NMS, communicates via UDP and triggered all actions without prior authentication," reports Security Week.

Microsoft Exchange Bug Report Allowed Attackers to take Advantage of the Situation

 

Every moment a threatening actor begins a new public web-based search for vulnerable systems which advances faster than international companies in their systems to recognize serious vulnerabilities to attack. 

Once critical vulnerabilities occur, the efforts of attackers are greatly enhanced and new checks are made on the Web within minutes of publication. 

In their quest for new victims, attackers aim untiringly to win the tournament for weak patching systems. 

Within five minutes of the Microsoft security advisory going public, researchers noted that the cybercriminals started to scan the internet for insecure Exchange Servers. As in Palo Alto Networks' 2021 Cortex Xpanse Attack Surface threat report, released on Wednesday, threatening attackers were fast off the mark to scan for servers ready to take advantage, according to an analysis of threat data collected from companies from January to March of this year. 

It can cause race between attackers and IT administrators whenever critical vulnerabilities in widely accepted software are public: a race to find the correct goals – specifically when proof-of-concept (PoC) code exists or when a bug is trivial to take advantage of – and IT personnel to carry out risk analysis and enforce patches required. 

The report states that zero-day vulnerabilities, in particular, will cause attackers to search within 15 minutes of public disclosure. 

However, when it comes to Microsoft Exchange, Palo Alto researchers stated that attackers "worked faster" and scans were identified within 5 minutes. 

On March 2nd, in its Exchange Server, Microsoft revealed about four zero-day vulnerabilities. The Chinese advanced persistent threat (APT) group Hafnium and other APTs, including Lucky Mouse, Tick, and Winnti Group, immediately followed up on the four security problems that had potentially an effect on-prem Exchange Servers 2013, 2016, and 2019. 

The security release caused a flood of attacks and was continuing three weeks later. At that moment, researchers at F-Secure stated that vulnerable servers are "being hacked faster than we can count." 

"Computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems," the report says. "We know from the surge in successful attacks that adversaries are regularly winning races to patch new vulnerabilities." 

The report also highlights the much more common cause of system vulnerabilities in corporate networks, the Remote Desktop Protocol (RDP), representing 32 percent of the total security problems, which is a particularly problematic field over the past year as many businesses switch to cloud quickly to enable their workers to work remotely. 

“Asset discovery typically occurs only once a quarter and uses a mosaic of scripts and programs that testers have created to find some of the potentially vulnerable infrastructures. However, their methods are seldom comprehensive and often fail to find the entire vulnerable infrastructure of a given organization. ”- Palo Alto Networks.

Vulnerabilities Exposed Pelton User Data

 

Special security research published this week, states that unauthorized users might have been able to access confidential user information through recently patched vulnerabilities in Peloton's bike software. The same week, Peloton revealed that two of its treadmills were voluntarily recalled because of significant security concerns and vulnerability problems. 

Pen Test Partners, a cybersecurity organization, said it found loopholes earlier this year that enable unauthenticated users to use Peloton's API, a platform that allows bikes-to-server communications. 

The bugs could enable untrusted users, even when personal mode settings have been selected for their account profiles, to access confidential material for all Peloton users, even Live-class information, says Pen Test Partners. 

Pen Test Partners has informed Peloton, which gives the company 90 days until publication to fix the vulnerabilities. However, Peloton has "acknowledged the disclosure," but hasn't "fix the vulnerability," as per a blog posted by Pen Test Partners on Wednesday 5th of May 2021. 

TechCrunch first revealed the bugs, that were publicly disclosed the same week. After the death of a child and hundreds of users reported accidents, Peloton had to withdraw all its treadmills. The workpieces have had the same insecure API. 

A Peloton spokesman denied the idea that confidential information might have been infringed, saying that through an e-mail address to The Hill, “the identification of vulnerabilities by itself does not constitute a breach.” 

“No software is immune from bugs, and we aim to responsibly investigate reported vulnerabilities that we deem legitimate,” the spokesperson added. “Our security team is continuing their work to monitor attempts at unauthorized access by exploitation of these vulnerabilities.” 

Peloton also noted that when the Pen Test partners eventually approached, but it was “slow to update the researcher about our remediation efforts,” he acted and addresses the vulnerabilities. 

The organization also praised Pen Test Partner creator Ken Munro for sending and collaborating with them on the vulnerability studies. Pen Test Partners later proposed that the cyber vulnerabilities had been resolved by Peloton.

HP Enterprise Suffers Critical Bug, Requests Users To Update

 

Experts had already alarmed that HPE's (Hewlett Packard Enterprise) unpatched Edgeline Infrastructure Manager versions were vulnerable to remote authentication bypass breach. HP is requesting its customers to patch one of the company's top-class application management software that lets hackers launch a remote authentication bypass attack and gain access to customer's cloud infrastructure. The bug with a CVSS score of 9.8, is rated critical. It impacts all variants of HPE's EIM (Edgeline Infrastructure Manager) ahead of variant 1.21. 

The edge computing management suite of HPE, EIM is two years old. Users are advised to immediately install HPE EIM AV1.22 or later updates for bug fixes. In a security bulletin posted recently, HPE Product Security Response Team wrote, “a security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to the execution of arbitrary commands, gaining privileged access, causing a denial of service, and changing the configuration." 

About the bug 

Remote authentication-bypass vulnerability is related to a problem linked to how HPE manages reset passwords for admin accounts. If a user logs in for the first time with a default password for an active administrator account, he is asked to change the password for the account. It is carried out by sending a request to URL redfish/v1/SessionService/ResetPassword/1. But, when the password is changed, a malicious remote hacker can exploit the same URL to change the password for an administrator account. Next, the hacker has to simply log in with the updated admin account password by sending a request to a URL. 

After that, hackers can change the password of the OS root account by sending a request to URL /redfish/v1/AccountService/Accounts/1. "It allows the attacker to SSH to the EIM host as root. SSH stands for Secure Shell or Secure Socket Shell and is a network protocol that is most often used by system administrators for remote command-line requests, system logins, and also for remote command execution," reports threat post. Cybersecurity firm Tenable has also uploaded proof of the attack.

Zoom Security Flaw: Now Hackers Can Take Control Of Your PC, Wait For Patch

 


Zoom security issues were lately troubling users worldwide, very often so. The Zoom video conferencing app was not in the limelight before the ongoing pandemic, however, since the inception of Covid-19, a lot has changed along with the ways of living, this was also the time when Zoom App underwent some regulatory security measures, owing to the suddenly enhanced reputation enjoyed by the app, as the work from home was necessitated by the pandemic. 

However, as of now, it is being observed that the security measures that had been taken a year ago are failing to secure users' data from threat actors.

Cybercriminals exploited a vulnerability and undertook a distant code execution (RCE) assault to take management of host PCs. The two Computest cyber safety intelligence observed the vulnerability on the Pwn2Own 2021 competition, organized by the Zero Day Initiative. The two Computest researchers Daan Keuter and Thijs Alkemade were awarded $200,000 for their findings. 

How does This work? 


Foremostly, the hacker has to be a part of the same organizational domain as the host PC’s user has to get permission from the host to join the meeting; When the attackers become part of a meeting, they will be able to execute a chain of three malware that will install an RCE backdoor on the victim’s PC. 

It can also be understood as — the threat actors can get access to your PC, and simultaneously will able to be able to implement remote commands that will then give access to your sensitive data.

Besides, what is even dangerous here is that the hackers can run their operations without the victim being required to do anything, therefore it is very essential to add more layers of security measures that can slow down the future operations of the attackers. 

The aforementioned operation runs on Mac, Windows, but on Zoom’s iOS and Android apps, it has not been checked yet. Notably, the browser version is safe. 

Currently, Zoom is yet to take measures, and the technical details of the attack have not been reported to the public, yet. Reportedly, the patch will arrive on Zoom for Mac and Windows within the next 90 days. 

Chrome Blocks Port 10080 to Prevent Slipstreaming Hacks

Google Chrome has blocked HTTPS, FTP, and HTTP access to TCP (transmission control protocol) port 10080 to protect ports getting exploited from NAT Slipstreaming 2.0 attacks. In 2020, cybersecurity expert Samy Kamkar revealed a new variant of the NAT Slipstreaming vulnerability that lets scripts on illicit websites avoid a user's NAT firewall and hack into any UDP/TCP port on the target's internal network. By exploiting these vulnerabilities, hackers can deploy a variety of attacks, these include modification of router configurations and hacking into private network services. 

"NAT Slipstreaming was discovered by security researcher Samy Kamkar and it requires the victims to visit the threat actor's malicious website (or a site with maliciously crafted ads). To expose hosted services, the attack abuses certain NAT devices scanning port 5060 to create port forwarding rules when detecting maliciously-crafted HTTP requests camouflaged as valid SIP requests," reported Bleeping Computers in 2019. The flaw only works on selected ports configured by a router's ALG (Application Level Gateway), ports that don't receive much traffic are being blocked by browser developers. 

As of now, Chrome has blocked HTTPS, HTTP, and FTP access on ports 1719, 1720, 1723, 5060, 5061, 69, 137, 161, and 554. Recently, Google said that it is considering blocking TCP port 10080 in Chrome. Firefox had blocked TCP port 10080 already in November last year. But the most worrisome aspect relating to 10080 is may developers may start using it as a replacement to port 80. They may find it useful as the port ends in '80' which makes it attractive. Besides this, the port doesn't require root privileges for binding into Unix systems, said Adam Rice, developer at Google Chrome. 

For developers that want to continue using this post, Mr. Rice will add an enterprise policy that will allow the developers to use the port by overriding the block. If a port is blocked, the user is displayed a "ERR_UNSAFE_PORT" error message while trying to gain access to the port. "If you are currently hosting a website on port 10080, you may want to consider using a different port to allow Google Chrome to continue accessing the site," said Bleeping computer.

The VMware Carbon Black Cloud Workload Patched a Vulnerability

 

The VMware Carbon Black Cloud Workload device's major security vulnerability will indeed permit root access, and the authority to handle most of the solution administration rights. The lately identified vulnerability, trackable as CVE-2021-21982, with a 9.1 CVSS score, remains in the device's administrative interface and continues to exist because intruders might bypass authentication by manipulating the URL on the interface. VMware Black Cloud Workload is the forum for cybersecurity defense on VMware's vSphere portal for virtual servers and workloads. vSphere is the virtualization platform for VMware cloud computing. 

As per the statement made by VMware last week, the problem is caused by inaccurate URL handling. “A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” the company noted. “An adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.” 

In turn, the intruder would be able to obtain the device management API. Once the intruder is logged in as an admin, it may also access and change administrative configuration settings. The opponent might also perform several attacks, which include code execution, de-activation of security monitoring, or the catalog of virtual instances in the private cloud, and even more since it depends on what instruments the institution has implemented in the environment. 

“A malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance may be able to obtain a valid authentication token, granting access to the administration API of the appliance,” VMware notes in an advisory. 

VMware's Carbon Black Cloud Workload is being used by organizations in virtualized environments for protecting workloads that offer tools for the evaluation of vulnerabilities, antiviruses, and threats. 

Egor Dimitrenko, a positive technologies researcher who has been credited with the discovery of the vulnerability, says that the intruder could definitely use the bug to execute arbitrary code on a server. “Remote Code Execution is a critical vulnerability that gives an attacker unlimited opportunity to perform any attack to company infrastructure,” Dimitrenko underlines. 

The researcher explains that the intruder should not usually be able to access the VMware Carbon Black Cloud workload admin panel from the Internet, but also indicates that misconfigurations can result in improper exposure. He says that organizations can implement tools for remote access inside the internal network. 

In order to deal with this vulnerability and encourage customers to use the update to stay secure, VMware released version 1.0.2 of the VMware Carbon Black Cloud Workload appliance last week. It is also recommended that network checks should be implemented to ensure limited access to the device admin interface. Additionally on Friday, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of the vulnerability and raise awareness on the existence of patches for it.

A Trio of Vulnerabilities in the Linux Kernel Can Give Attackers Root Privileges

 

Linux kernel distributions appear explicitly susceptible to recently uncovered vulnerabilities. In the iSCSI module, which is used for viewing shared data storages, three unearthed vulnerabilities in the Linux kernel would provide administrative privileges to anybody with a user account. Since 2006, the Linux code has no identification of the trio of defects – the CVE-2021-27363, CVE-2021-27364, and CVE-2021-27365 – until GRIMM researchers found them. 

“If you already had the execution on a box, either because you have a user account on the machine, or you’ve compromised some service that doesn’t have repaired permissions, you can do whatever you want basically,” said Adam Nichols, principal of the Software Security practice at GRIMM. 

Although the vulnerabilities that are in code, are not functional remotely, therefore they are not remote exploits but are still troubling. They take “any existing threat that might be there. It just makes it that much worse,” he explained. Referring to the concept that "many eyes make any bug shallow," Linux code doesn't get many eyes so that it seems perfect. But while the code was first published, the bugs have been there, even in the last fifteen years they haven't really modified. 

GRIMM researchers, of course, are trying to dig in to see how often vulnerabilities occur where possible – with open source, a much more feasible solution. It's very much related to the extent of the Linux kernel that the defections drifted away. "It gotten so big," Nichols said, "there's so much code there." “The real strategy is making sure you’re loading as little code as possible.” 

Nichols said that bugs are present in all Linux distributions, but kernel drivers are not enabled by default. If the vulnerable kernel module can be loaded by a regular user or not, may vary. For example, they could be checked by GRIMM in all Red Hat distros. "Even though it's not loaded by default, you can load it and you can exploit it without any trouble," added Nichols. 

Although the hardware is present, other systems such as Debian and Ubuntu “are in the same boat as Red Hat, where the user, depending on what packages are installed, can coerce it into getting loaded; then it’s there to be exploited,” he said. Errors are reported in 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. The bugs are not included in the following updates. Although all the old kernels are end-of-life and will not be patched. 

Nichols suggests that the Kernel must be blacklisted as a temporary measure to neutralize defects. “Any system that doesn’t use that module can just say never load this module under any circumstances, and then you’re kept safe,” he said. But “if you’re actually using iSCSI, then you wouldn’t want to do that.”

Malware WannaCry And Vulnerability EternalBlue Remain at Large

 

One specific aspect of malware and one vulnerability continues to develop as security companies have been reconstructing the highest trends in the past weeks that is - WannaCry and EternalBlue. WannaCry spreads quickly since Windows Server Message Block Version 1, also known as EternalBlue, had a vulnerability to a broad flaw. Microsoft had already fixed the vulnerability, CVE-2017-0143 - effectively, shortly before WannaCry was released - with its system update MS17-010.
For example, the security agency Trend Micro claims that WannaCry, trailed by cryptocurrency miners, and Emotet has been the most popular form of malware family found last year. Whereas Emotet was newly disrupted by police departments.

“The one thing that really keeps WannaCry prevalent and active is the fact that it is wormable ransomware,” says Rik Ferguson, vice president of security research at Trend Micro. "Couple that with the fact that Shodan showed me just now that there remain 9,131 internet-facing machines vulnerable to MS17-010 and you quickly begin to understand why it continues to propagate." 

The National Security Agency, which apparently developed the exploit for the SMB v1 flaw, seems to have started the EternalBlue. This exploit was then leaked or robbed by the Shadow Brokers Party in 2017 and eventually obtained and leaked. Two months later, EternalBlue-targeting was released, with many analysts claiming it was created by North Korean hackers, who then might have lost all control of the WannaCry. 

Although WannaCry seems to be the malware frequently detected, it does not imply that it is the most harmful or even most of the devices contain it. Not all such codes are published and even if they are, they don't guarantee success. 

However, everything being favorable, the continued circulation of WannaCry shows that at least some unencrypted devices remain infected. Regrettably, certain unencrypted systems asymptotically decrease, never reaching zero. In 2020, Conficker - a Malware Family that was initially identified as targeting a vulnerability in Microsoft Server - was the 15th largest form of malware by Trend Micro. "Other variants after the first Conficker worm spread to other machines by dropping copies of itself in removable drives and network shares," according to Trend Micro. 

Though ransomware profits may be rising, the most frequently viewed malware in the wild has improved little in recent times from a quantitative point of view. 

The Finnish security company, F-Secure, for example, lists network exploits and file handling errors as the most malicious code attacks in 2020. And the most frequently viewed form of attempted exploit still battles the EternalBlue vulnerability of SMB v1. "There are three different threat detections that contributed to this: Rycon, WannaCry, and Vools," Christine Bejerasco, vice president of security firm F-Secure, Tactical Defense Unit, stated.

Guardian: Truecaller Fixes Location Vulnerabilty In Its New App

Caller ID and spam blocking company Truecaller recently launched its "Guardian" application that allows users to share their live locations with the trusted guardians in their contact lists. Anand Prakash, cybersecurity expert based in Bangalore, however, pointed out that the app had a major vulnerability and Truecaller soon fixed it. The individual security app has an emergency option that informs the user's selected peers of his/her live location, which gives real-time information during any emergency.  Mr. Prakash who founded Pingsafe, a cybersecurity startup, says that the vulnerability could allow any potential threat actor to gain access into any user's account via using a phone number. 

Later, the hacker could hijack the user account and take all its data, this may include the live location (both user and emergency contacts), user date of birth, and profile picture. Guardian was released on 3rd March and has over 1,00,000 downloads on the play store. "We are using an encrypted line between the two different clients...So that actually means that you can't revisit a previous journey because we don't store that data...The data that is shared with the 'forever sharing' option is the state of battery and signal, along with the location to help the trusted guardians follow the user," says Truecaller. Mr. Prakash contacted Truecaller the next day, notifying the latter about the vulnerability. 

Basic API error was the reason for the flaw. If API (Application Programming Interfaces) problems persist, it allows attackers to access website data and software, generally not accessible to a user. Mr. Prakash says he immediately looked into the app after its release and soon discovered issues with the app. using the "login API" option in the app, the researcher was able to gain access to another person's profile using his phone number. 

A similar pattern was tried with other contacts and the issue was reported to Truecaller. The company soon fixed the issue and later notified the expert. Mr. Prakash identified the issue as an "Insecure Direct Object Interference" flaw.  PingSafe's report says, "companies tend to miss out on such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous and impact customers’ privacy and lead to companies’ revenue losses." 

Researcher Laxman Muthiyah Awarded with $50,000 for Detecting a Flaw in Microsoft Account

 

A bug bounty hunter was awarded $50,000 by Microsoft for revealing a security vulnerability leading to account deprivation. The expert says that only ‘user accounts’ have an effect on vulnerabilities. The vulnerability has to do with launching a brute force attack to estimate that the seven-digit security code is sent via email or SMS in a reset password checking process. 

Microsoft has granted $50,000 to the Security Researcher Laxman Muthiyah for revealing a vulnerability that could allow anyone to hijack the accounts of users without permission. Researcher Laxman Muthiyah informed in a blog post on Tuesday 2nd March, about the possibility of the particular security flaw. 

“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that, we will be asked to select the email or mobile number that can be used to receive security code,” researcher Laxman Muthiyah wrote in the blog. “Once we receive the 7-digit security code, we will have to enter it to reset the password. Here, if we can brute force all the combination of 7-digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.” 

In the past, Muthiyah found an Instagram-rate flaw that might contribute to take-up and then use the same tests to secure Microsoft's account. The researcher found out that the rates are set to reduce the number of tries and safeguard the accounts. Examination of an HTTP POST application sent to verify the code showed that the code was encrypted before it was sent, which suggests that the authentication was broken in order to optimize brutal force attacks. 

The analyst sent 1000 code requests, but only 122 were accepted, the remaining (1211 error code), resulted in an error, and all other requests prevented establishing the limit rate used for account protection. The analyst bypassed the blocking and encryption process by submitting simultaneous requests. It was found that, if all requests sent don't really arrive at the server simultaneously, the mechanism blacklists the IP address.

That being said, in an actual scenario, the attacker must submit security codes possible, about 11 million request attempts, simultaneously required to modify a Microsoft account password (including those with 2FA enabled). In order to successfully complete the attack, such an attack would need several computer resources and 1000s of IP address. 

Muthiyah has reported the problem to Microsoft that was immediately discovered and solved in November 2020. 

“I received the bounty of USD 50,000 on Feb 9th, 2021 through hacker one and got approval to publish this article on March 1st. I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue. I also like to thank Microsoft for the bounty.” concluded Muthiyah

Backdoor Affects 20,000 U.S Agencies Via Microsoft Vulnerability

A backdoor breached more than 20,000 US enterprises, it was installed through Microsoft Corp's recently patched flaws in the email software, said an individual aware of the U.S government's response. The hacks have already reached beyond areas than the malicious downloaded codes of Solarwinds Corp, an organization that suffered the most from the recent cyberattack in December. The recent cyberattack has left channels open that can be remotely accessed. These are spread across small businesses, city governments, and credit unions say reports from U.S investigations. 

Besides this, the records also reveal that tens of thousands of enterprises in Europe and Asia were also affected by the hack. The hacks are still present even though Microsoft issued security patches earlier this week. Earlier, Microsoft said that the hacks had "limited and targeted attacks," but now denies to comment on the current state of the problems. However, it said the company is currently working with the government authorities and security firms to deal with the issue. Reuters says, "more attacks are expected from other hackers as the code used to take control of the mail servers spreads." 

A scan revealed that, out of the connected vulnerable devices, a mere 10% of users have installed the security patches, but the numbers are going up. As the patch is not helpful to fix the backdoors, the US government is currently trying to figure out how to assist the victims and help them with the issue. The devices compromised seem to run the web version of the email client Outlook, hosting them on their devices, not using cloud providers. Experts say this might've saved many big agencies and government authorities from the attack.  

White House press secretary Jen Psaki earlier this week informed media that the vulnerabilities revealed in Microsoft's popular exchange servers are big and can have a deep impact, there is a concern that the victims may be more. "Microsoft and the person working with the U.S. response blamed the initial wave of attacks on a Chinese government-backed actor. A Chinese government spokesman said the country was not behind the intrusions," reports Reuters. 

Russian state systems are in danger because of Internet Explorer

This year, many government agencies will have to spend several hundred million rubles on updating their information systems due to the termination of support for Internet Explorer by the American corporation Microsoft. The fact is that most government information systems used an outdated version of the browser to log users in.

Experts believe that if nothing is done, the systems will continue to work, but will not receive updates, which will make them vulnerable to hacker attacks.

For example, this will affect the system of control over the volume of turnover of alcoholic and alcohol-containing products in the Russian Federation, the system of the Federal Treasury, and the Supreme Court.

All of these information systems work only in the Internet Explorer browser on the Windows operating system. When they were created, only Internet Explorer supported the necessary cryptographic security requirements. But many years have passed since then: Microsoft will stop supporting Internet Explorer version 11 from August 17, 2021, and support for older versions has been discontinued since January 12, 2016.

According to the expert, the lack of updates carries a serious risk of data leakage and the availability of services. This increases the risk of hacker attacks and narrows the circle of potential users. The problem is large-scale - to solve it, it will be necessary to rewrite the software of state information systems, which will take from one to three years, and it will cost hundreds of millions of rubles.

Experts believe that Microsoft even assisted import substitution in Russia. According to them, the departments will deal with the issue of their compatibility with domestic operating systems, solving the problem with the work of state information systems without Internet Explorer.

"Taking into account the requirements for import substitution, the best course for departments will be to switch to open-source browsers, for example, from the Chromium and Firefox families", said Yuri Sosnin, Deputy General Director of the Astra Linux group of companies.

According to Timur Myakinin, the head of the software development department of the IT company Jet Infosystems, the departments still have enough time to abandon the old technologies.

Hackers Used Internet Explorer Zero-Day Vulnerability To Target Security Researchers

 

In recent times, during the attacks against the security and vulnerability researchers in North Korea, an Internet Explorer zero-day vulnerability has been discovered. The zero-day vulnerability is a computer software vulnerability unknown to individuals who need to minimize the harm. Hackers may use the vulnerability to change computer systems, files, machines, and networks to the detriment of the vulnerability. 

Google announced last month that the Lazarus-sponsored state-based North Korean hacking community carried out attacks on security scholars in social engineers, wherein the hacking community used social networks as a tool to target security researchers and used custom backdoor malware. The Lazarus group is a North Korea based persistent threat group (APT), which has gained a lot of prominence in the preceding years as various CyberAttacks have been attributed to the threat group. 

The threat actors have developed comprehensive online "security researcher" personas who then use social media to connect with renowned security researchers to contribute to the vulnerability and exploit growth to execute their attacks. 

In this regard, the attackers have sent malignant Visual Studio Projects and links to the website that hosts the exploit kits to install backdoors in the computers of the researchers. Microsoft also announced that it had monitored the assault and saw Lazarus exchanging MHTML files containing malicious java scripts with the researchers. The server command and control at the time of the investigation was down and therefore no further payloads were investigated by Microsoft. 

Recently in this social-engineering campaign, South Korean cybersecurity company ENKI claimed that Lazarus attacked MHTML files on their squad. Although the attacks were ineffective, they analyzed payloads downloaded from MHT files and found that they contained a vulnerability exploit for Internet Explorer. 

MHT/MHTML is a file format that is used by Internet Explorer to store a web page and services in one file. MHT / MHTML file is sometimes also known as MIME HTML. The MHT file transmitted to ENKI investigators was confirmed to be an exploit of Chrome 85 RCE and called "Chrome_85_RCE_Full_Exploit_Code.mht." 

On further executing the MHT/MHTML file, Internet Explorer will automatically start to display the MHT file contents. ENKI stated that a malicious javascript would download two payloads with one containing a zero-day version of Internet Explorer if the execution of the script was allowed. ENKI has affirmed that they have reported the bug to Microsoft and for which they were later contacted by a Microsoft employee. 

Concerning the aforementioned incident, Microsoft has said that they have investigated every aspect of the report and will surely provide an update in near future, “Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”

Russian hackers hacked the first level Olympiad in a second

A new Olympic season has begun in Russia. Many competitions have been moved online due to the COVID-19 pandemic. The first level Olympiad allows the winner to enter the university without exams.

It turns out that the hacker could theoretically ensure admission to the best universities in the country, putting graduates in unequal conditions.

SQL injections and XSS vulnerabilities were discovered on the site, which make it is possible to influence the results of the competition. As a result, according to the hacker, it is easily possible: 1) find out the tasks in advance and change the answer data during the Olympiad; 2) see the sessions and data of other users; and 3) massively upload user information, including personal information (information from the passport, registration, phone, e-mail).

"SQL injection is one of the easiest ways to hack a site. Indeed, in a very short period of time and by replacing several characters, an attacker can gain access to all personal data of the Olympiad and to all tasks," said Oleg Bakhtadze-Karnaukhov, an independent researcher on the Darknet.

According to the researcher, most likely, there was not enough time to detect such errors during the programming of this site, although it takes little time to find and fix them.

"If the site contains vulnerabilities, then a command in a specific programming language can be inserted, for example, in a link, and the page will display information that was not intended for users initially," explained Dmitry Galov, Cybersecurity Expert at Kaspersky Lab.

According to Alexei Drozd, head of the information security department at SearchInform, the reason may be design errors, as a result of which the site, for example, poorly checks or does not check incoming information at all.

"Unfortunately, when developing websites and applications, security issues are always in the background. First, there is a question of functionality," concluded Alexey Drozd.


WhatsApp Reveals Six Bugs On Its Security Advisory Website


The Social Messaging app WhatsApp has been open about its bugs and vulnerabilities recently. To be vocal about the issue, the company has set up a dedicated website that will work as a security advisory and inform users about the latest developments on issues and bugs in WhatsApp. Owned by social media giant Facebook, WhatsApp, with a current user base of around 2 million, has set up the website as an initiative to keep the community informed about security and be more transparent with its users.


The dedicated website is not limited to WhatsApp users but open to the entire cybersecurity community. The move comes as a response to the criticisms that WhatsApp faced over its handling of security issues. The dedicated platform will give users detailed reports of security updates related to WhatsApp, along with CVEs (Common Vulnerabilities and Exposures) details. The updates will help cybersecurity experts to know the effect of these bugs and vulnerabilities.

WhatsApp reported six security bugs that it had recently discovered. The company had released security patches for these six bugs before the hackers could exploit them. Few of the bugs could be remotely launched. CVE-2020-1890, an android based WhatsApp bug, sent the recipients sticker, which contained malicious codes. The bug could be deployed without user interaction. Few bugs, however, required user interaction and couldn't be launched remotely. CVE-2019-11928 bug became active when a desktop WhatsApp user clicked any location link, allowing cross-site scripting. WhatsApp says that it will keep the community updated about the latest developments through its advisory platform, trying to release security patches as soon as possible.

According to reports, five of the six bugs were patched on the same day; however, the last bug took quite some time. "We are very committed to transparency, and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts. We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available," says WhatsApp.

Apple's APSDaemon Vulnerability Abused by Malware Distributors



Attackers can maliciously redirect users on websites sharing counterfeit products, adult content or videos and dupe them into installing malware before they even land on the intended website, it's one of the most popular ways of generating revenue amongst hackers who acquire access to websites by exploiting the vulnerabilities in an installed plugin – it could be a security flaw or outdated software.

Typically, 'malicious redirects' are operated by hackers with the intent of generating advertising impressions, however other consequences of 'malvertising' can be relatively dangerous causing significant damage to unprotected machines. The campaign revolves around the idea of pushing malware and spam-laden advertisements onto the browsers. In 2019, attackers were seen launching such campaigns against popular web browsers namely Google Chrome, Microsoft Edge, Opera, and Safari.

Recently, malware distributors have launched a new malware campaign that makes use of this 'web pages redirect' to exploit a DLL hijacking flaw in Apple's Push Notification service executable Windows to get a cryptocurrency miner installed on the targeted user's system.

What is DLL hijacking?


DLL (Dynamic Link Libraries) are extensions of various applications running on any operating system as most of the applications require storing code in different files, when a user uses an application, it may or not use certain codes – those codes are stored in a different file and are loaded into RAM only when there's a requirement, this reduces the file size while optimizing the usage of RAM and preventing the application from becoming too big to function smoothly.

As these DLLs are essential for running almost all applications on our systems, they are found in different files and folders on users' computers. Now, if an attacker succeeds in replacing the original DLL file with a counterfeit one carrying malicious code, it is termed as DLL Hijacking.

A program that became the latest victim of the aforementioned flaw is Apple's Push Notification service executable (APSDaemon.exe) that had been vulnerable to DLL hijacking. Since, it is responsible for loading AppleVersions.dll upon execution, if it fails to check whether the authentic AppleVersions.dll is being loaded, it could allow cybercriminals to replace the DLL file with a fake one containing malware.

Running in an authentic executable by Apple had allowed the malware to function with less to no risk of being detected by antivirus software, moreover, the threat actors have also employed a hashing algorithm to make the detection even difficult.