Tag Archives: A

Microsoft Won’t Patch a Severe Skype Vulnerability Anytime Soon

skype-hacking

A serious vulnerability has been discovered in Microsoft-owned most popular free web messaging and voice calling service Skype that could potentially allow attackers to gain full control of the host machine by granting system-level privileges to a local, unprivileged user.

The worst part is that this vulnerability will not be patched by Microsoft anytime soon.

It’s not because the flaw is unpatchable, but because fixing the vulnerability requires a significant software rewrite, which indicates that the company will need to issue an all-new version of Skype rather than just a patch.

The vulnerability has been discovered and reported to Microsoft by security researcher Stefan Kanthak and resides in Skype’s update installer, which is susceptible to Dynamic Link Libraries (DLL) hijacking.

According to the researcher, a potential attacker could exploit the “functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories.”

The exploitation of this preferential search order would allow the attacker to hijack the update process by downloading and placing a malicious version of a DLL file into a temporary folder of a Windows PC and renaming it to match a legitimate DLL that can be modified by an unprivileged user without having any special account privileges.

When Skype’s update installer tries to find the relevant DLL file, it will find the malicious DLL first, and thereby will install the malicious code.

Although Kanthak demonstrated the attack using the Windows version of Skype, he believes the same DLL hijacking method could also work against other operating systems, including Skype versions for macOS and Linux.

Kanthak informed Microsoft of the Skype vulnerability back in September, but the company told him that the patch would require the Skype update installer go through “a large code revision,” Kanthak told ZDNet.

So rather than releasing a security update, Microsoft decided to build an altogether new version of the Skype client that would address the vulnerability.

It should be noted that this vulnerability only affects the Skype for the desktop app, which uses its update installer which is vulnerable to the DLL hijacking technique. The Universal Windows Platform (UWP) app version available from the Microsoft Store for Windows 10 PCs is not affected.

The vulnerability has been rated as “medium” in severity, but Kanthak said, “the attack could be easily weaponized.” He gave two examples, which have not been released yet.

Until the company issues an all-new version of Skype client, users are advised to exercise caution and avoid clicking on attachments provided in an email. Also, make sure you run appropriate and updated anti-virus software that offers some defence against such attacks.

This is not the first time Skype has been dealing with a severe security flaw. In June 2017, a critical flaw in Skype was revealed before Microsoft released a fix for the issue that allowed hackers to crash systems and execute malicious code in them.

Last month, among several messaging applications, Skype was also dealing with a critical remote code execution vulnerability in Electron—a popular web application framework widely-used in desktop applications.

Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware

telegram-vulnerability

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash.

The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram messaging software.

The flaw has actively been exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software onto their PCs that used their CPU power to mine cryptocurrencies or serve as a backdoor for attackers to remotely control the affected machine, according to a blogpost on Securelist.

Here’s How Telegram Vulnerability Works

The vulnerability resides in the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for coding languages that are written from right to left, like Arabic or Hebrew.

According to Kaspersky Lab, the malware creators used a hidden RLO Unicode character in the file name that reversed the order of the characters, thus renaming the file itself, and send it to Telegram users.

For example, when an attacker sends a file named “photo_high_re*U+202E*gnp.js” in a message to a Telegram user, the file’s name rendered on the users’ screen flipping the last part.

Therefore, the Telegram user will see an incoming PNG image file (as shown in the below image) instead of a JavaScript file, misleading into downloading malicious files disguised as the image.

“As a result, users downloaded hidden malware which was then installed on their computers,” Kaspersky says in its press release published today.

Kaspersky Lab reported the vulnerability to Telegram and the company has since patched the vulnerability in its products, as the Russian security firm said: “at the time of publication, the zero-day flaw has not since been observed in messenger’s products.”

Hackers Used Telegram to Infect PCs with Cryptocurrency Miners

telegram-vulnerability

During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency mining malware, which uses the victim’s PC computing power to mine different types of cryptocurrency including Monero, Zcash, Fantomcoin, and others.

While analyzing the servers of malicious actors, the researchers also found archives containing a Telegram’s local cache that had been stolen from victims.

In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command and control protocol, allowing hackers to gain remote access to the victim’s computer.

“After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools,” the firm added.

Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as “all the exploitation cases that [the researchers] detected occurring in Russia,” and a lot of artifacts pointed towards Russian cybercriminals.

The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers

airgap-computer-hacking

A team of security researchers—which majorly focuses on finding clever ways to get into air-gapped computers by exploiting little-noticed emissions of a computer’s components like light, sound and heat—have published another research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage.

Air-gapped computers are those that are isolated from the Internet and local networks and so, are believed to be the most secure devices that are difficult to infiltrate.

Whereas, Faraday cages are metallic enclosures that even blocks all electromagnetic signals, such as Wi-Fi, Bluetooth, cellular and other wireless communications, making any device kept inside the cage, even more, isolate from outside networks.

However, Cybersecurity Research Center at Israel’s Ben Gurion University, directed by 38-year-old Mordechai Guri, has developed two techniques that helped them exfiltrate data from computers placed inside a Faraday cage.

Dubbed MAGNETO [pdf] and ODINI [pdf], both the techniques make use of proof-of-concept (PoC) malware installed on an air-gapped computer inside the Faraday cage to control the “magnetic fields emanating from the computer by regulating workloads on the CPU cores” and use it to transmit data stealthily.

“Everyone was talking about breaking the air gap to get in, but no one was talking about getting the information out,” Guri says. “That opened the gate to all this research, to break the paradigm that there’s a hermetic seal around air-gapped networks.”

According to the researcher, once a computer (no matter if it is air-gapped or inside a Faraday cage) has been infected, hackers can exfiltrate stolen data without needing to wait for another traditional connection to the infected machine.

How MAGNETO & ODINI Attacks Work:

Once a motivated attacker somehow succeeded in planting malware on an air-gapped computer, the malware then collects small pieces of information, like keylogging data, encryption keys, credential tokens, and passwords.

Also Read: CIA developed Malware for Hacking Air-Gapped Networks.

The PoC malware developed by the team then electrically generates a pattern of magnetic field frequencies by regulating CPU’s workload, which can be achieved by overloading the CPU with calculations that increase power consumption and generate a stronger magnetic field.

These electromagnetic (acoustic, optical and thermal) emissions from the infected computer are powerful enough to carry a small stream of stolen data to a nearby device, a receiver planted by the hacker.

The process involves translating data first into binary, i.e. 0 and 1, and the transmitting it into morse-code-like patterns in accordance with electromagnetic emission.

“The transmitting program leaves only a small footprint in the memory, making its presence easier to hide from AVs. At the OS level, the transmitting program requires no special or elevated privileges (e.g., root or admin), and hence can be initiated from an ordinary userspace process,” the paper reads.

“The transmitting code mainly consists of basic CPU operations such as busy loops, which do not expose malicious behaviors, making it highly evasive from automated analysis tools.”

Also Read: Stealing Data from Air-Gapped Computers Using CCTV Cameras

While both MAGNETO and ODINI attacks are designed to exfiltrate data from a secured computer using electromagnetic emissions, the only difference between the two is:

  • MAGNETO is a short-distance attack where an Android app installed on the attacker’s smartphone can receive stolen data with the help of phone’s magnetometer— a magnetic sensor that can transmit data even if the smartphone is placed inside a Faraday bag or is set to airplane mode.
  • ODINI attack enables attackers to capture electromagnetic signals from a slightly longer range using a dedicated magnetic sensor.

In case of MAGNETO, the team managed to achieve only up to 5 bits/sec over a distance of up to 12.5 cm (5 inches), while ODINI is quite more efficient with a maximum transfer rate of 40 bits/sec over a range of 100 to 150 cm (3-5 feet).

airgap-computer-hacking

Both ODINI and MAGNETO also work if the targeted air-gapped device is inside a Faraday cage, which is designed to block electromagnetic fields, including Bluetooth, Wi-Fi, cellular, and other wireless communications.

Researchers suggest three different approaches that can be used to prevent attackers from establishing a covert magnetic channel, i.e., shielding, jamming, and zoning.

Video Demonstration of MAGNETO And ODINI Attacks

The team published proof-of-concept video demonstrations for both MAGNETO and ODINI attacks, which shows both the attacks in action.

It’s not the first time Ben-Gurion researchers came up with a covert technique to target air-gapped computers. Their previous research of hacking air-gap computers include:

  • aIR-Jumper attack that steals sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision.
  • USBee attack that can be used steal data from air-gapped computers using radio frequency transmissions from USB connectors.
  • DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;
  • BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
  • AirHopper that turns a computer’s video card into an FM transmitter to capture keystrokes;
  • Fansmitter technique that uses noise emitted by a computer fan to transmit data; and
  • GSMem attack that relies on cellular frequencies.

Critical Flaw in Grammarly Spell Checker Could Let Attackers Steal Your Data

grammar-checking-software-hacking

A critical vulnerability discovered in the Chrome and Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 million users’ accounts, including their personal documents and records, vulnerable to remote hackers.

According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on February 2, the Chrome and Firefox extension of Grammarly exposed authentication tokens to all websites that could be grabbed by remote attackers with just 4 lines of JavaScript code.

In other words, any website a Grammarly user visits could steal his/her authentication tokens, which is enough to login into the user’s account and access every “documents, history, logs, and all other data” without permission.

“I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” Ormandy said in a vulnerability report. “Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”

Ormandy has also provided a proof-of-concept (PoC) exploit, which explains how one can easily trigger this serious bug to steal Grammarly user’s access token with just four lines of code.

grammar-checking-software-hack

This high-severity flaw was discovered on Friday and fixed early Monday morning by the Grammarly team, which, according to the researcher, is “a really impressive response time” for addressing such bugs.

Security updates are now available for both Chrome and Firefox browser extensions, which should get automatically updated without requiring any action by Grammarly users.

A Grammarly spokesperson also told in an email that the company has no evidence of users being compromised by this vulnerability.

“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At this time, Grammarly has no evidence that any user information was compromised by this issue,” the spokesperson said. 

“We’re continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users.”

Stay tuned for more updates.

Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites

wordpress-dos-attack-hacking

A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform that could allow anyone to take down most WordPress websites even with a single machine—without hitting with a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same.

Since the company has denied patching the issue, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released in last nine years, including the latest stable release of WordPress (Version 4.9.2).

Discovered by Israeli security researcher Barak Tawily, the vulnerability resides in the way “load-scripts.php,” a built-in script in WordPress CMS, processes user-defined requests.

For those unaware, load-scripts.php file has only been designed for admin users to help a website improve performance and load page faster by combining (on the server end) multiple JavaScript files into a single request.

However, to make “load-scripts.php” work on the admin login page (wp-login.php) before login, WordPress authors did not keep any authentication in place, eventually making the feature accessible to anyone.

wordpress dos attack

Depending upon the plugins and modules you have installed, the load-scripts.php file selectively calls required JavaScript files by passing their names into the “load” parameter, separated by a comma, like in the following URL:

https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery

While loading the website, the ‘load-scripts.php’ (mentioned in the head of the page) tries to find each JavaScript file name given in the URL, append their content into a single file and then send back it to the user’s web browser.

How WordPress DoS Attack Works

wordpress-dos-attack-tool

According to the researcher, one can simply force load-scripts.php to call all possible JavaScript files (i.e., 181 scripts) in one go by passing their names into the above URL, making the targeted website slightly slow by consuming high CPU and server memory.

“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user,” Tawily says.

Although a single request would not be enough to take down the whole website for its visitors, Tawily used a proof-of-concept (PoC) python script, doser.py, which makes large numbers of concurrent requests to the same URL in an attempt to use up as much of the target servers CPU resources as possible and bring it down.

The Hacker News has verified the authenticity of the DoS exploit that successfully took down one of our demo WordPress websites running on a medium-sized VPS server.

“It is time to mention again that load-scripts.php does not require any authentication, an anonymous user can do so. After ~500 requests, the server didn’t respond at all any more, or returned 502/503/504 status code errors,” Tawily says.

However, attack from a single machine, with some 40 Mbps connection, was not enough to take down another demo website running on a dedicated server with high processing power and memory.

wordpress-hacking

But that doesn’t mean the flaw is not effective against WordPress websites running over a heavy-server, as application-level attack generally requires a lot fewer packets and bandwidth to achieve the same goal—to take down a site.

So attackers with more bandwidth or a few bots can exploit this flaw to target big and popular WordPress websites as well.

No Patch Available  – Mitigation Guide

Along with the full disclosure, Tawily has also provided a video demonstration for the WordPress Denial of Service attack. You can watch the video to see the attack in action.

Knowing that DoS vulnerabilities are out-of-scope from the WordPress bug bounty program, Tawily responsibly reported this DoS vulnerability to the WordPress team through HackerOne platform.

However, the company refused to acknowledge the issue, saying that this kind of bug “should really get mitigated at the server end or network level rather than the application level,” which is outside of WordPress’s control.

The vulnerability seems to be serious because WordPress powers nearly 29 percent of the Web, placing millions of websites vulnerable to hackers and making them unavailable for their legitimate users.

For websites that can’t afford services offering DDoS protection against application-layer attacks, the researcher has provided a forked version of WordPress, which includes mitigation against this vulnerability.

However, I personally wouldn’t recommend users to install modified CMS, even if it is from a trusted source other than the original author.

Besides this, the researcher has also released a simple bash script that fixes the issue, in case you have already installed WordPress.

Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework

Electron Framework

A critical remote code execution vulnerability has been reported in Electron—a popular web application framework that powers thousands of widely-used desktop applications including Skype, Signal, WordPress and Slack—that allows for remote code execution.

Electron is an open-source framework that is based on Node.js and Chromium Engine and allows app developers to build cross-platform native desktop applications for Windows, macOS and Linux, without knowledge of programming languages used for each platform.

The vulnerability, assigned as the number CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://.

“Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API,” Electron says in an advisory published Monday.

The Electron team has also confirmed that applications designed for Apple’s macOS and Linux are not vulnerable to this issue, and neither those (including for Windows) that do not register themselves as the default handler for a protocol like myapp://.

The Electron developers have already released two new versions of their framework, i.e. 1.8.2-beta.4, 1.7.11, and 1.6.16 to address this critical vulnerability.

“If for some reason you are unable to upgrade your Electron version, you can append—as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options,” the company says.

End users can do nothing about this vulnerability; instead, developers using Electron JS framework have to upgrade their applications immediately to protect their user base.

Much details of the remote code execution vulnerability have not been disclosed yet, neither the advisory named any of the vulnerable apps (that make themselves the default protocol handler) for security reason.

We will update you as soon as any details about the flaw come out.

Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs

dns-rebinding-attack-hacking-exploit

A Google security researcher has discovered a severe vulnerability in Blizzard games that could allow remote attackers to run malicious code on gamers’ computers.

Played every month by half a billion users—World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II are popular online games created by Blizzard Entertainment.

To play Blizzard games online using web browsers, users need to install a game client application, called ‘Blizzard Update Agent,’ onto their systems that run JSON-RPC server over HTTP protocol on port 1120, and “accepts commands to install, uninstall, change settings, update and other maintenance related options.

Google’s Project Zero team researcher Tavis Ormandy discovered that the Blizzard Update Agent is vulnerable to a hacking technique called the “DNS Rebinding” attack that allows any website to act as a bridge between the external server and your localhost.

Just last week, Ormandy revealed a similar vulnerability in a popular Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users’ computers and take control of them.

By simply creating a DNS entry to bind any attacker-controlled web page with localhost (127.0.0.1) and tricking users into visiting it, hackers can easily send privileged commands to the Blizzard Update Agent using JavaScript code.

Although a random website running in a web browser usually cannot make requests to a hostname other than its own, the local Blizzard updater service does not validate what hostname the client was requesting and responds to such requests.

Blizzard DNS Rebinding Attack — Proof of Concept Exploit

Ormandy has also published a proof-of-concept exploit that executes DNS rebinding attack against Blizzard clients and could be modified to allow exploitation using network drives, or setting destination to “downloads” and making the browser install malicious DLLs, data files, etc.

Ormandy responsibly reported Blizzard of the issue in December to get it patched before hackers could take advantage of it to target hundreds of millions of gamers.

However, after initially communication, Blizzard inappropriately stopped responding to Ormandy’s emails and silently applied partial mitigation in the client version 5996.

“Blizzard was replying to emails but stopped communicating on December 22nd. Blizzard is no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution,” Ormandy says.

“Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently, that solution was too elegant and simple. I’m not pleased that Blizzard pushed this patch without notifying me, or consulted me on this.”

After the Ormandy’s report went public, Blizzard contacted and informed him that a more robust Host header whitelist fix to address the issue entirely is currently being developed for deployment.

Ormandy is also checking other big games vendors with a user base of over 100 Million to see if the problem can be replicated.

Researchers Uncover Government-Sponsored Mobile Hacking Group Operating Since 2012

dark-caracal-android-malware-app.png

A global mobile espionage campaign collecting a trove of sensitive personal information from victims since at least 2012 has accidentally revealed itself—thanks to an exposed server on the open internet.

It’s one of the first known examples of a successful large-scale hacking operation of mobile phones rather than computers.

The advanced persistent threat (APT) group, dubbed Dark Caracal, has claimed to have stolen hundreds of gigabytes of data, including personally identifiable information and intellectual property, from thousands of victims in more than 21 different countries, according to a new report from the Electronic Frontier Foundation (EFF) and security firm Lookout.

After mistakenly leaking some of its files to the internet, the shadowy hacking group is traced back to a building owned by the Lebanese General Directorate of General Security (GDGS), one of the country’s intelligence agencies, in Beirut.

“Based on the available evidence, it’s likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal,” the report reads.

According to the 51-page-long report [PDF], the APT group targeted “entities that a nation-state might attack,” including governments, military personnel, utilities, financial institutions, manufacturing companies, defence contractors, medical practitioners, education professionals, academics, and civilians from numerous other fields.

dark-caracal-android-malware

Researchers also identified at least four different personas associated with Dark Caracal’s infrastructure — i.e. Nancy Razzouk, Hassan Ward, Hadi Mazeh, and Rami Jabbour — with the help of email address op13@mail[.]com.

“The contact details for Nancy present in WHOIS information matched the public listing for a Beirut-based individual by that name. When we looked at the phone number associated with Nancy in the WHOIS information, we discovered the same number listed in exfiltrated content and being used by an individual with the name Hassan Ward.”

dark-caracal-malware-trace

“During July 2017, Dark Caracal’s internet service provider took the adobeair[.]net command and control server offline. Within a matter of days, we observed it being re-registered to the email address op13@mail[.]com with the name Nancy Razzouk. This allowed us to identify several other domains listed under the same WHOIS email address information, running similar server components. “

Multi-Platform Cyber Espionage Campaign

dark-caracal-android-malware-spying

Dark Caracal has been conducting multi-platform cyber-espionage campaigns and linked to 90 indicators of compromise (IOCs), including 11 Android malware IOCs, 26 desktop malware IOCs across Windows, Mac, and Linux, and 60 domain/IP based IOCs.

However, since at least 2012, the group has run more than ten hacking campaigns aimed mainly at Android users in at least 21 countries, including North America, Europe, the Middle East and Asia.

The data stolen by Dark Caracal on its targets include documents, call records, text messages, audio recordings, secure messaging client content, browsing history, contact information, photos, and location data—basically every information that allows the APT group to identify the person and have an intimate look at his/her life.

To get its job done, Dark Caracal did not rely on any “zero-day exploits,” nor did it has to get the malware to the Google Play Store. Instead, the group used basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit a website controlled by the hackers and application permissions.

One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF Staff Technologist Cooper Quintin. 

This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.

Here’s How Dark Caracal Group Infects Android Users

dark-caracal-malware-apps

Once tricked into landing on the malicious websites, the victims were served fake updates to secure messenger apps, including WhatsApp, Signal, Threema Telegram, and Orbot (an open source Tor client for Android), which eventually downloaded the Dark Caracal malware, dubbed Pallas, on targets’ mobile devices.

Pallas is a piece of surveillance malware that’s capable of taking photographs, stealing data, spying on communications apps, recording video and audio, acquiring location data, and stealing text messages, including two-factor authentication codes, from victims’ devices.

“Pallas samples primarily rely on the permissions granted at the installation in order to access sensitive user data. However, there is functionality that allows an attacker to instruct an infected device to download and install additional applications or updates.” report says.

“Theoretically, this means it’s possible for the operators behind Pallas to push specific exploit modules to compromised devices in order to gain complete access.”

Besides its own custom malware, Dark Caracal also used FinFisher—a highly secret surveillance tool that is often marketed to law enforcement and government agencies—and a newly discovered desktop spyware tool, dubbed CrossRAT, which can infect Windows, Linux, and OS X operating systems.

Citizen Lab previously flagged the General Directorate of General Security in a 2015 report as one of two Lebanese government organizations using the FinFisher spyware5.” report says.

According to the researchers, though Dark Caracal targeted macOS and Windows devices in various campaigns, at least six distinct Android campaigns were found linked to one of its servers that were left open for analysis, revealing 48GB was stolen from around 500 Android phones.

Overall, Dark Caracal successfully managed to steal more than 252,000 contacts, 485,000 text messages and 150,000 call records from infected Android devices. Sensitive data such as personal photos, bank passwords and PIN numbers were also stolen.

The best way to protect yourself from such Android-based malware attacks is to always download applications from the official Google Play Store market rather than from any third-party website.

Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely

bittorent-transmission-hacking

A critical vulnerability has been discovered in the widely used Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users’ computers and take control of them.

The vulnerability has been uncovered by Google’s Project Zero vulnerability reporting team, and one of its researchers Tavis Ormandy has also posted a proof-of-concept attack—just 40 days after the initial report.

Usually, Project Zero team discloses vulnerabilities either after 90 days of reporting them to the affected vendors or until the vendor has released a patch.

However, in this case, the Project Zero researchers disclosed the vulnerability 50 days prior to the actual time limit because Transmission developers failed to apply a ready-made patch provided by the researchers over a month ago.

“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy said in a public report published Tuesday.

Proof-of-Concept Exploit Made Publicly Available

The PoC attack published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser.

Ormandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack.

Transmission BitTorrent app works on server-client architecture, where users have to install a daemon service on their systems in order to access a web-based interface on their browsers locally.

The daemon installed on the user system then interacts with the server for downloading and uploading files through the browser using JSON RPC requests.

Ormandy found that a hacking technique called the “domain name system rebinding” attack could successfully exploit this implementation, allowing any malicious website that user visits to execute malicious code on user’s computer remotely with the help of installed daemon service.

Here’s How the Attack Works:

The loophole resides in the fact that services installed on localhost can be manipulated to interact with third-party websites.

“I regularly encounter users who do not accept that websites can access services on localhost or their intranet,” Ormandy wrote in a separate post, which includes the patch.

“These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website “transfers” execution somewhere else. It does not work like that, but this is a common source of confusion.”

Attackers can exploit this loophole by simply creating a DNS name they’re authorized to communicate with and then making it resolve to the vulnerable computer’s localhost name. Here’s how the attack works:

bittorent-transmission-hacking

  1. A user visits malicious site (http://attacker.com), which has an iframe to a subdomain controlled by the attacker.
  2. The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address controlled by the attacker) with a very low TTL.
  3. When the browser resolves to 123.123.123.123, it serves HTML that waits for the DNS entry to expire (or force it to terminate by flooding the cache with lookups), then it has permission to read and set headers.

Ormandy said the vulnerability (CVE-2018-5702) was the “first of a few remote code execution flaws in various popular torrent clients,” though he did not name the other torrent apps due to the 90-day disclosure timeline.

A fix is expected to be released as soon as possible, a development official with Transmission told ArsTechnica, without specifying an actual date.

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users

macos-dns-hijacker-malware

A security researcher has revealed details of a new piece of undetectable malware targeting Apple’s Mac computers—reportedly first macOS malware of 2018.

Dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012.

DNSChanger malware typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information.

First appeared on the Malwarebytes forum, a user posted a query regarding unknown malware that infected his friend’s computer that silently changed DNS settings on infected macOS to 82.163.143.135 and 82.163.142.137 addresses.

After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a ‘DNS Hijacker,‘ which also invokes security tools to install a new root certificate in an attempt to intercept encrypted communications as well.

macos-root-certificate-malware

OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways,” Patrick said.

By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads)” or to insert cryptocurrency mining scripts into web pages.

Besides this, the OSX/MaMi macOS malware, which appears to be in its initial stage, also includes below-mentioned abilities, most of which are not currently activated in its version 1.1.0:

  • Take screenshots
  • Generate simulated mouse events
  • Perhaps persist as a launch item
  • Download and upload files
  • Execute commands

The motive, author(s) behind the malware, and how it is spreading are currently unknown.


However, Patrick believes that the attackers could be using lame methods like malicious emails, web-based fake security alerts/popups, or social-engineering type attacks to target Mac users.

To check if your Mac computer is infected with MaMi malware, go to the terminal via the System Preferences app and check for your DNS settings—particularly look for 82.163.143.135 and 82.163.142.137.

virustotal-dns-changer-mawlare

According to VirusTotal, a multi-engine antivirus scanner, none of 59 popular antivirus software is detecting this malware at this moment, so you are advised to use a 3rd-party tool such as a firewall that can detect and block outgoing traffic.

You can also install a free open-source firewall for macOS named ‘LuLu,’ created by Patrick and available at GitHub, which blocks suspicious traffic and prevents OSX/MaMi’s from stealing your data.