SSL and internet security news

exploits

Auto Added by WPeMatico

ShadowBrokers Releases NSA UNITEDRAKE Manual

The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines:

Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information.

UNITEDRAKE, described as a “fully extensible remote collection system designed for Windows targets,” also gives operators the opportunity to take complete control of a device.

The malware’s modules — including FOGGYBOTTOM and GROK — can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, the impersonation users, stealing diagnostics information and self-destructing once tasks are completed.

More news.

UNITEDRAKE was mentioned in several Snowden documents and also in the TAO catalog of implants.

And Kaspersky Labs has found evidence of these tools in the wild, associated with the Equation Group — generally assumed to be the NSA:

The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions­they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.

ShadowBrokers has only released the UNITEDRAKE manual, not the tool itself. Presumably they’re trying to sell that.

Powered by WPeMatico

Zero-Day Vulnerabilities against Windows in the NSA Tools Released by the Shadow Brokers

In April, the Shadow Brokers — presumably Russia — released a batch of Windows exploits from what is presumably the NSA. Included in that release were eight different Windows vulnerabilities. Given a presumed theft date of the data as sometime between 2012 and 2013 — based on timestamps of the documents and the limited Windows 8 support of the tools:

  • Three were already patched by Microsoft. That is, they were not zero days, and could only be used against unpatched targets. They are EMERALDTHREAD, EDUCATEDSCHOLAR, and ECLIPSEDWING.

  • One was discovered to have been used in the wild and patched in 2014: ESKIMOROLL.

  • Four were only patched when the NSA informed Microsoft about them in early 2017: ETERNALBLUE, ETERNALSYNERGY, ETERNALROMANCE, and ETERNALCHAMPION.

So of the five serious zero-day vulnerabilities against Windows in the NSA’s pocket, four were never independently discovered. This isn’t new news, but I haven’t seen this summary before.

Powered by WPeMatico

Good Article About Google’s Project Zero

Fortune magazine just published a good article about Google’s Project Zero, which finds and publishes exploits in other companies’ software products.

I have mixed feeling about it. The project does great work, and the Internet has benefited enormously from these efforts. But as long as it is embedded inside Google, it has to deal with accusations that it targets Google competitors.

Powered by WPeMatico

CIA’s Pandemic Toolkit

WikiLeaks is still dumping CIA cyberweapons on the Internet. Its latest dump is something called “Pandemic”:

The Pandemic leak does not explain what the CIA’s initial infection vector is, but does describe it as a persistent implant.

“As the name suggests, a single computer on a local network with shared drives that is infected with the ‘Pandemic’ implant will act like a ‘Patient Zero’ in the spread of a disease,” WikiLeaks said in its summary description. “‘Pandemic’ targets remote users by replacing application code on-the-fly with a Trojaned version if the program is retrieved from the infected machine.”

The key to evading detection is its ability to modify or replace requested files in transit, hiding its activity by never touching the original file. The new attack then executes only on the machine requesting the file.

Version 1.1 of Pandemic, according to the CIA’s documentation, can target and replace up to 20 different files with a maximum size of 800MB for a single replacement file.

“It will infect remote computers if the user executes programs stored on the pandemic file server,” WikiLeaks said. “Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.”

The CIA describes Pandemic as a tool that runs as kernel shellcode that installs a file system filter driver. The driver is used to replace a file with a payload when a user on the local network accesses the file over SMB.

WikiLeaks page. News article.

EDITED TO ADD: In this case, Wikileaks has withheld the tool itself and just released the documentation.

Powered by WPeMatico

Smart TV Hack via the Broadcast Signal

This is impressive:

The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.

Powered by WPeMatico

Security Vulnerabilities in Mobile MAC Randomization

Interesting research: “A Study of MAC Address Randomization in Mobile Devices When it Fails“:

Abstract: Media Access Control (MAC) address randomization is a privacy technique whereby mobile devices rotate through random hardware addresses in order to prevent observers from singling out their traffic or physical location from other nearby devices. Adoption of this technology, however, has been sporadic and varied across device manufacturers. In this paper, we present the first wide-scale study of MAC address randomization in the wild, including a detailed breakdown of different randomization techniques by operating system, manufacturer, and model of device. We then identify multiple flaws in these implementations which can be exploited to defeat randomization as performed by existing devices. First, we show that devices commonly make improper use of randomization by sending wireless frames with the true, global address when they should be using a randomized address. We move on to extend the passive identification techniques of Vanhoef et al. to effectively defeat randomization in 96% of Android phones. Finally, we show a method that can be used to track 100% of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames.

Basically, iOS and Android phones are not very good at randomizing their MAC addresses. And tricks with level-2 control frames can exploit weaknesses in their chipsets.

Slashdot post.

Powered by WPeMatico

WWW Malware Hides in Images

There’s new malware toolkit that uses steganography to hide in images:

For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites.

Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files.

In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads.

The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites.

Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character.

Slashdot thread.

Powered by WPeMatico

Hardware Bit-Flipping Attacks in Practice

A year and a half ago, I wrote about hardware bit-flipping attacks, which were then largely theoretical. Now, they can be used to root Android phones:

The breakthrough has the potential to make millions of Android phones vulnerable, at least until a security fix is available, to a new form of attack that seizes control of core parts of the operating system and neuters key security defenses. Equally important, it demonstrates that the new class of exploit, dubbed Rowhammer, can have malicious and far-reaching effects on a much wider number of devices than was previously known, including those running ARM chips.

Previously, some experts believed Rowhammer attacks that altered specific pieces of security-sensitive data weren’t reliable enough to pose a viable threat because exploits depended on chance hardware faults or advanced memory-management features that could be easily adapted to repel the attacks. But the new proof-of-concept attack developed by an international team of academic researchers is challenging those assumptions.

An app containing the researchers’ rooting exploit requires no user permissions and doesn’t rely on any vulnerability in Android to work. Instead, their attack exploits a hardware vulnerability, using a Rowhammer exploit that alters crucial bits of data in a way that completely roots name brand Android devices from LG, Motorola, Samsung, OnePlus, and possibly other manufacturers.

[…]

Drammer was devised by many of the same researchers behind Flip Feng Shui, and it adopts many of the same approaches. Still, it represents a significant improvement over Flip Feng Shui because it’s able to alter specific pieces of sensitive-security data using standard memory management interfaces built into the Android OS. Using crucial information about the layout of Android memory chips gleaned from a side channel the researchers discovered in ARM processors, Drammer is able to carry out what the researchers call a deterministic attack, meaning one that can reliably target security-sensitive data. The susceptibility of Android devices to Rowhammer exploits likely signals a similar vulnerability in memory chips used in iPhones and other mobile devices as well.

Here’s the paper.

And here’s the project’s website.

Powered by WPeMatico