Search This Blog

Showing posts with label patch fixes. Show all posts

Ransomware Qlocker Encrypts QNAP Devices with 7Zip

 

A huge ransomware campaign seems to be underway to attack QNAP devices globally and customers can now locate their files in password-protected 7zip archives. The ransomware is known as Qlocker and on 19 April 2021, it was aimed at attacking QNAP computers. Ever since the help platform of bleeping computers has had enormous development, and the victims' requests have increased in ID-Ransomware. 

However, as per the victims in the Qlocker support department of Bleeping Computer, hackers use 7-zip to transfer files to password-protected archives on QNAP computers. During locking of the files, multiple 72 processes are displayed on the QNAP Resource Monitor, which can be executed on the 7zip command line. Once ransomware is completed, files of the QNAP computer will be saved in a password-protected 7-zip file with a.7z extension. Victims must enter the password identified by the perpetrator only to retrieve those archives. 

As soon as one has encrypted the QNAP devices, they then have a !!!READ ME.txt ransom note with a special client key to sign on to the Tor ransomware payment platform. All victims are expected to pay Bitcoins of roughly 0.01, which is around $557.74, from the Qlocker restitution notes shown to get a password for their archived data. After payment is made and an invalid Bitcoin Tax ID has been entered, a 7Zip archive password will be displayed on the Tor Payments website. This password is exclusive to the victim that cannot be used on computers of all the other victims. 

On April 22, a security investigator, Jack Cable, announced a bug found in the Qlocker Tor platform that allows users to freely retrieve their 7zip passwords. This bug could allow victims to obtain a Bitcoin transaction ID from someone who has previously paid but changed it slightly. When the modified transaction ID was sent to the Qlocker Tor site, the payment was acknowledged, and the victim's password was displayed. 

Jack Cable also helped victims secretly recover their passwords and Emsisoft arranged to build a support system to further exploit this vulnerability. Unfortunately, the ransomware developers took it and patched it an hour after they heard of the error. There is no way to download files without a password that is not available for free anymore at this stage.

QNAP has lately solved critical vulnerabilities which enable a mobile player to access a device completely and to run ransomware. 

The following descriptions were found for these two vulnerabilities by QNAP on 16 April: 
CVE-2020-2509: Command Injection Vulnerability in QTS and QuTS hero
CVE-2020-36195: SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On 

"QNAP strongly urges that all users immediately install the latest Malware Remover version and run a malware scan on QNAP NAS. The Multimedia Console, Media Streaming Add-on, and Hybrid Backup Sync apps need to be updated to the latest available version as well to further secure QNAP NAS from ransomware attacks. QNAP is urgently working on a solution to remove malware from infected devices," QNAP stated in a security advisory.

Zoom Security Flaw: Now Hackers Can Take Control Of Your PC, Wait For Patch

 


Zoom security issues were lately troubling users worldwide, very often so. The Zoom video conferencing app was not in the limelight before the ongoing pandemic, however, since the inception of Covid-19, a lot has changed along with the ways of living, this was also the time when Zoom App underwent some regulatory security measures, owing to the suddenly enhanced reputation enjoyed by the app, as the work from home was necessitated by the pandemic. 

However, as of now, it is being observed that the security measures that had been taken a year ago are failing to secure users' data from threat actors.

Cybercriminals exploited a vulnerability and undertook a distant code execution (RCE) assault to take management of host PCs. The two Computest cyber safety intelligence observed the vulnerability on the Pwn2Own 2021 competition, organized by the Zero Day Initiative. The two Computest researchers Daan Keuter and Thijs Alkemade were awarded $200,000 for their findings. 

How does This work? 


Foremostly, the hacker has to be a part of the same organizational domain as the host PC’s user has to get permission from the host to join the meeting; When the attackers become part of a meeting, they will be able to execute a chain of three malware that will install an RCE backdoor on the victim’s PC. 

It can also be understood as — the threat actors can get access to your PC, and simultaneously will able to be able to implement remote commands that will then give access to your sensitive data.

Besides, what is even dangerous here is that the hackers can run their operations without the victim being required to do anything, therefore it is very essential to add more layers of security measures that can slow down the future operations of the attackers. 

The aforementioned operation runs on Mac, Windows, but on Zoom’s iOS and Android apps, it has not been checked yet. Notably, the browser version is safe. 

Currently, Zoom is yet to take measures, and the technical details of the attack have not been reported to the public, yet. Reportedly, the patch will arrive on Zoom for Mac and Windows within the next 90 days. 

Guardian: Truecaller Fixes Location Vulnerabilty In Its New App

Caller ID and spam blocking company Truecaller recently launched its "Guardian" application that allows users to share their live locations with the trusted guardians in their contact lists. Anand Prakash, cybersecurity expert based in Bangalore, however, pointed out that the app had a major vulnerability and Truecaller soon fixed it. The individual security app has an emergency option that informs the user's selected peers of his/her live location, which gives real-time information during any emergency.  Mr. Prakash who founded Pingsafe, a cybersecurity startup, says that the vulnerability could allow any potential threat actor to gain access into any user's account via using a phone number. 

Later, the hacker could hijack the user account and take all its data, this may include the live location (both user and emergency contacts), user date of birth, and profile picture. Guardian was released on 3rd March and has over 1,00,000 downloads on the play store. "We are using an encrypted line between the two different clients...So that actually means that you can't revisit a previous journey because we don't store that data...The data that is shared with the 'forever sharing' option is the state of battery and signal, along with the location to help the trusted guardians follow the user," says Truecaller. Mr. Prakash contacted Truecaller the next day, notifying the latter about the vulnerability. 

Basic API error was the reason for the flaw. If API (Application Programming Interfaces) problems persist, it allows attackers to access website data and software, generally not accessible to a user. Mr. Prakash says he immediately looked into the app after its release and soon discovered issues with the app. using the "login API" option in the app, the researcher was able to gain access to another person's profile using his phone number. 

A similar pattern was tried with other contacts and the issue was reported to Truecaller. The company soon fixed the issue and later notified the expert. Mr. Prakash identified the issue as an "Insecure Direct Object Interference" flaw.  PingSafe's report says, "companies tend to miss out on such fundamental issues even after rigorous security assessments. The repercussions of such problems are enormous and impact customers’ privacy and lead to companies’ revenue losses." 

Microsoft releases patches for 58 vulnerabilities


On Tuesday, Microsoft released fixes for 58 vulnerabilities for more than ten products for Windows and other software in their last Patch Tuesday for this year.

These include vulnerabilities ranging from critical (nine of them), important (forty-six of the flaws were rated important), and moderate (rest three). None of these vulnerabilities or bugs were publicly known or exploited by hackers yet. Both users and administrators should update their systems with these patches as soon as possible. 

Some of these patches include:

22 remote code execution holes have been sealed, according to SANS Technology. These fixed execution holes covered two critical vulnerabilities CVE-2020-17118 and CVE-2020-17121 in Microsoft SharePoint, an acute point for exploitation. 

The second vulnerability, Microsoft said could be used for a network-based attack by infiltrating the network by making a site and installing executive codes.

“In a network-based attack, an attacker can gain access to create a site and could execute code remotely within the kernel. The user would need to have privileges", said Microsoft. 

Microsoft released the patch for yet another critical remote code execution (RCE) vulnerability CVE-2020-17095 , scoring an 8.5 out of 10 on CVSS scale (Common Vulnerability Scoring System). This vulnerability present in Microsoft's Hyper V system (which is used to create Virtual Machine environments ) could be used to hack the Virtual machines by RCE.

 “An attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data,” commented Microsoft on the Hyper V vulnerability. 

Other fixes and updates were released for products including Windows, multiple versions of the Edge browser, Microsoft Office, Visual Studio, as well as other products and services in Microsoft’s portfolio. This month's updates were still on the lower end as compares to last month's where the tech giant rolled out a bundle of 112 fixes.