Tag Archives: then

Thousands of Government Websites Hacked to Mine Cryptocurrencies

cryptojacking-website-hacked

There was a time when hackers simply defaced websites to get attention, then they started hijacking them to spread banking trojan and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies.

Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors’ computers to mine cryptocurrency for attackers.

The cryptocurrency mining script injection found on over 4,000 websites, including those belonging to UK’s National Health Service (NHS), the Student Loan Company, and data protection watchdog Information Commissioner’s Office (ICO), Queensland legislation, as well as the US government’s court system.

Users who visited the hacked websites immediately had their computers’ processing power hijacked, also known as cryptojacking, to mine cryptocurrency without their knowledge, potentially generating profits for the unknown hacker or group of hackers.

It turns out that hackers managed to hijack a popular third-party accessibility plugin called “Browsealoud,” used by all these affected websites, and injected their cryptocurrency-mining script into its code.

Browsealoud is a popular third-party browser plugin that helps blind and partially-sighted users access the web by converting site text to audio.

The script that was inserted into the compromised Browsealoud software belongs to CoinHive—a browser-based Monero mining service that offers website administrators to earn revenue by utilizing CPU resources of visitors.

The mining software was found in more than 4,200 websites, including The City University of New York (cuny.edu), Uncle Sam’s court information portal (uscourts.gov), the UK’s Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner’s Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), UK NHS services, Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.

The full list of affected websites can be found here.

After UK-based infosec consultant Scott Helme raised the alarm about this hack when one of his friends mentioned getting anti-virus alerts on a UK Government website, BrowseAloud’s operator Texthelp took down its site to resolve the issue.

Here’s what Texthelp’s chief technology officer Martin McKay said in a blog post:

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective, the risk was mitigated for all customers within a period of four hours.”

“Texthelp has in place continuously automated security tests for Browsealoud – these tests detected the modified file, and as a result, the product was taken offline.”

This action eventually removed Browsealoud from all websites immediately, addressing the security issue without its customers having to take any action.

The company also assured that “no customer data has been accessed or lost,” and that its customers will receive a further update as soon as the security investigation gets completed.

Intel Releases New Spectre Patch Update for Skylake Processors

spectre-intel-patch-update

After leaving million of devices at risk of hacking and then rolling out broken patches, Intel has now released a new batch of security patches only for its Skylake processors to address one of the Spectre vulnerabilities (Variant 2).

For those unaware, Spectre (Variant 1, Variant 2) and Meltdown (Variant 3) are security flaws disclosed by researchers earlier last month in processors from Intel, ARM, and AMD, leaving nearly every PC, server, and mobile phone on the planet vulnerable to data theft.

Shortly after the researchers disclosed the Spectre and Meltdown exploits, Intel started releasing microcode patches for its systems running Broadwell, Haswell, Skylake, Kaby Lake, and Coffee Lake processors.

However, later the chip maker rollbacked the firmware updates and had to tell users to stop using an earlier update due to users complaining of frequent reboots and other unpredictable system behavior after installing patches.

Although it should be a bit quicker, Intel is currently working on new patches and already in contact with hardware companies so that they can include the new microcode patch in their new range of firmware updates.

So far, the new microcode update only addresses devices equipped with mobile Skylake and mainstream desktop Skylake chips, leaving the Broadwell, Haswell, Kaby Lake, Skylake X, Skylake SP, and Coffee Lake processors still vulnerable to Spectre (Variant 2) vulnerability.

intel-update

So, everyone else still has to wait for the company to release microcode updates for their systems.

“Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days,” the company says in a blog post.

“We also continue to release beta microcode updates so that customers and partners have the opportunity to conduct extensive testing before we move them into production.”


Intel has strongly urged its customers to install this update as soon as possible, because if not patched, these processor vulnerabilities could allow attackers to bypass memory isolation mechanisms and access everything, including memory allocated for the kernel containing sensitive data like passwords, encryption keys, and other private information.

Moreover, after the release of proof-of-concept (PoC) exploit for the CPU vulnerabilities last month, hundreds of malware samples are spotted in the wild, most of which are based on the publicly released exploit and designed to work on major operating systems and web browsers.

Although we have not yet seen any fully-featured malware based on Spectre and Meltdown vulnerabilities, it doesn’t take much time for hackers to develop one.

So, users are urged to always keep a close eye on any update that becomes available on their system, and install them as soon as they become available.

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

crossrat-spying-malware

Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this.

Wide-range of cybercriminals are now using a new piece of ‘undetectable’ spying malware that targets Windows, macOS, Solaris and Linux systems.

Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in global mobile espionage campaigns.

Although the report revealed about the group’s successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to be developed by, or for, the Dark Caracal group.

CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.

According to researchers, Dark Caracal hackers do not rely on any “zero-day exploits” to distribute its malware; instead, it uses basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit hackers-controlled fake websites and download malicious applications.

CrossRAT is written in Java programming language, making it easy for reverse engineers and researchers to decompile it.

crossrat-malware

Since at the time of writing only two out of 58 popular antivirus solutions (according to VirusTotal) can detect CrossRAT, ex-NSA hacker Patrick Wardle decided to analyse the malware and provide a comprehensive technical overview including its persistence mechanism, command and control communication as well as its capabilities.

CrossRAT 0.1 — Cross-Platform Persistent Surveillance Malware

Once executed on the targeted system, the implant (hmar6.jar) first checks the operating system it’s running on and then installs itself accordingly.

Besides this, the CrossRAT implant also attempts to gather information about the infected system, including the installed OS version, kernel build and architecture.

Moreover, for Linux systems, the malware also attempts to query systemd files to determine its distribution, like Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint, among many more.

CrossRAT then implements OS specific persistence mechanisms to automatically (re)executes whenever the infected system is rebooted and register itself to the C&C server, allowing remote attackers to send command and exfiltrate data.

As reported by Lookout researchers, CrossRAT variant distributed by Dark Caracal hacking group connects to ‘flexberry(dot)com‘ on port 2223, whose information is hardcoded in the ‘crossrat/k.class’ file.

CrossRAT Includes Inactive Keylogger Module

crossrat-commands

The malware has been designed with some basic surveillance capabilities, which get triggered only when received respective predefined commands from the C&C server.

Interestingly, Patrick noticed that the CrossRAT has also been programmed to use ‘jnativehook,’ an open-source Java library to listen to keyboard and mouse events, but the malware does not have any predefined command to activate this keylogger.

“However, I didn’t see any code within that implant that referenced the jnativehook package—so at this point it appears that this functionality is not leveraged? There may be a good explanation for this. As noted in the report, the malware identifies it’s version as 0.1, perhaps indicating it’s still a work in progress and thus not feature complete,” Patrick said.

How to Check If You’re Infected with CrossRAT?

Since CrossRAT persists in an OS-specific manner, detecting the malware will depend on what operating system you are running.

For Windows:

  • Check the ‘HKCUSoftwareMicrosoftWindowsCurrentVersionRun’ registry key.
  • If infected it will contain a command that includes, java, -jar and mediamgrs.jar.

For macOS:

  • Check for jar file, mediamgrs.jar, in ~/Library.
  • Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.

For Linux:

  • Check for jar file, mediamgrs.jar, in /usr/var.
  • Also look for an ‘autostart’ file in the ~/.config/autostart likely named mediamgrs.desktop.

How to Protect Against CrossRAT Trojan?

malware-crossrat-windows-linux-mac

Only 2 out of 58 antivirus products detect CrossRAT at the time of writing, which means that your AV would hardly protect you from this threat.

“As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java,” Patrick said.

“Thus, most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra).”

Users are advised to install behaviour-based threat detection software. Mac users can use BlockBlock, a simple utility developed by Patrick that alerts users whenever anything is persistently installed.

Pre-Installed Password Manager On Windows 10 Lets Hackers Steal All Your Passwords

keeper-windows-10-password-manager-hacking

If you are running Windows 10 on your PC, then there are chances that your computer contains a pre-installed 3rd-party password manager app that lets attackers steal all your credentials remotely.

Starting from Windows 10 Anniversary Update (Version 1607), Microsoft added a new feature called Content Delivery Manager that silently installs new “suggested apps” without asking for users’ permission.

According to a blog post published Friday on Chromium Blog, Google Project Zero researcher Tavis Ormandy said he found a pre-installed famous password manager, called “Keeper,” on his freshly installed Windows 10 system which he downloaded directly from the Microsoft Developer Network.

Ormandy was not the only one who noticed the Keeper Password Manager. Some Reddit users complained about the hidden password manager about six months ago, one of which reported Keeper being installed on a virtual machine created with Windows 10 Pro.

Critical Flaw In Keeper Password Manager

Knowing that a third-party password manager now comes installed by default on Windows 10, Ormandy started testing the software and took no longer to discover a critical vulnerability that leads to “complete compromise of Keeper security, allowing any website to steal any password.”

“I don’t want to hear about how even a password manager with a trivial remote root that shares all your passwords with every website is better than nothing. People really tell me this,” Ormandy tweeted.

The security vulnerability in the Keeper Password Manager was almost identical to the one Ormandy discovered and reported in the non-bundled version of the same Keeper plugin in August 2016 that enabled malicious websites to steal passwords.

“I checked and, they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works,” Ormandy said.

To explain the severity of the bug, Ormandy also provided a working proof-of-concept (PoC) exploit that steals a user’s Twitter password if it is stored in the Keeper app.

Install Updated Keeper Password Manager

Ormandy reported the vulnerability to the Keeper developers, who acknowledged the issue and released a fix in the just released version 11.4 on Friday by removing the vulnerable “add to existing” functionality.

Since the vulnerability only affects version 11 of the Keeper app, which was released on December 6 as a major browser extension update, the vulnerability is different from the one Ormandy reported six months ago.

Keeper has also added that the company has not noticed any attack using this security vulnerability in the wild.

As for Windows 10 users, Ormandy said users wouldn’t be vulnerable to the password theft unless they open Keeper password manager and enable the software to store their passwords.

However, Microsoft still needs to explain how the Keeper password manager gets installed on the users’ computers without their knowledge.

Meanwhile, users can use this registry tweak to disable Content Delivery Manager in order to prevent Microsoft from installing unwanted apps silently on their PCs.

Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability

microsoft-windows-update

If your computer is running Microsoft’s Windows operating system, then you need to apply this emergency patch immediately. By immediately, I mean now!

Microsoft has just released an emergency security patch to address a critical remote code execution (RCE) vulnerability in its Malware Protection Engine (MPE) that could allow an attacker to take full control of a victim’s PC.

Enabled by default, Microsoft Malware Protection Engine offers the core cybersecurity capabilities, like scanning, detection, and cleaning, for the company’s antivirus and antimalware programs in all of its products.

According to Microsoft, the vulnerability affects a large number of Microsoft security products, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.

Tracked as CVE-2017-11937, the vulnerability is a memory corruption issue which is triggered when the Malware Protection Engine scans a specially crafted file to check for any potential threat.

Flaw Lets Hackers Take Full Control of Your Computer

Successful exploitation of the flaw could allow a remote attacker to execute malicious code in the security context of the LocalSystem account and take control of the target’s computer.

Microsoft said an attacker could place a specially crafted malicious file in a location that is scanned by the Malware Protection Engine to exploit the memory corruption flaw which eventually leads to remote code execution.

“There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user,” the report from Microsoft explained.

Other ways to deliver a specially crafted file could be via emails or Instant Messenger services. The attacker could also “take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server,” the report said.

Patch! Patch! Patch!

Microsoft assured its customers that the vulnerability was fixed before any misuses in the wild.

The company has released an out-of-band critical update for the flaw and advised users to install it as soon as possible. Most home users and many enterprise customers will get the emergency patch automatically over the air.

The security vulnerability was discovered and reported to Microsoft by the UK’s National Cyber Security Centre (NCSC), a cyber defense organization of Britain’s signals intelligence and cybersecurity agency, known as GCHQ.

The emergency fix comes just days before Microsoft is scheduled to roll out its December Patch Tuesday updates.

New TeamViewer Hack Could Allow Clients to Hijack Viewers’ Computer

teamviewer-hack

Do you have remote support software TeamViewer installed on your desktop?

If yes, then you should pay attention to a critical vulnerability discovered in the software that could allow users sharing a desktop session to gain complete control of the other’s PC without permission.

TeamViewer is a popular remote-support software that lets you securely share your desktop or take full control of other’s PC over the Internet from anywhere in the world.

For a remote session to work both computers—the client (presenter) and the server (viewer)—must have the software installed, and the client has to share a secret authentication code with the person he wants to share his desktop.

However, a GitHub user named “Gellin” has disclosed a vulnerability in TeamViewer that could allow the client (sharing its desktop session) to gain control of the viewer’s computer without permission.

TeamViewer Hack Could Be Used By Anyone—Server Or Client

Gellin has also published a proof-of-concept (PoC) code, which is an injectable C++ DLL, which leverages “naked inline hooking and direct memory modification to change TeamViewer permissions.”

The injectable C++ DLL (hack) can be used by both, the client and the server, which results as mentioned below:

If exploited by the Server—the hack allows viewers to enable “switch sides” feature, which is only active after the server authenticated control with the client, eventually allowing the server to initiate a change of control/sides.

TeamViewer


If exploited by the Client—the hack allows the client to take control of the mouse and keyboard of the server “with disregard to servers current control settings and permissions.”

TeamViewer

This vulnerability impacts TeamViewer versions running on Windows, macOS as well as Linux machines.

A Reddit user “xpl0yt,” who first publicized this vulnerability, claimed to have been in contact with the TeamViewer security team, who confirmed him the existence of the vulnerability in its software and released a patch for Windows.

A TeamViewer spokesperson told The Hacker News, “We are patching versions 11-13. Windows is already available, whereas MacOS and Linux are expected later today.”

TeamViewer users are recommended to install the patched versions of the software as soon as they become available. Patches will be delivered automatically to those users who have configured their TeamViewer software to receive automatic updates.

Massive Breach Exposes Keyboard App that Collects Personal Data On Its 31 Million Users

ai-type-keyboard-data-breach

In the digital age, one of the most popular sayings is—if you’re not paying, then you’re not the customer, you’re the product.

While downloading apps on their smartphones, most users may not realize how much data they collect on you.

Believe me; it’s way more than you can imagine.

Nowadays, many app developers are following irresponsible practices that are worth understanding, and we don’t have a better example than this newly-reported incident about a virtual keyboard app.

A team of security researchers at the Kromtech Security Center has discovered a massive trove of personal data belonging to more than 31 million users of the popular virtual keyboard app, AI.type, accidentally leaked online for anyone to download without requiring any password.

Founded in 2010, Ai.type is a customizable and personalizable on-screen keyboard for mobile phones and tablets, with more than 40 million users worldwide.

Apparently, a misconfigured MongoDB database, owned by the Tel Aviv-based startup AI.type, exposed their entire 577 GB of the database online that includes a shocking amount of sensitive details on their users, which is not even necessary for the app to work.

…they appear to collect everything from contacts to keystrokes.

The leaked database of over 31 million users includes:

  • Full name, phone number, and email address
  • Device name, screen resolution and model details
  • Android version, IMSI number, and IMEI number
  • Mobile network name, country of residence and even user enabled languages
  • IP address (if available), along with GPS location (longitude/latitude).
  • Links and the information associated with the social media profiles, including birth date, emails, photos.

“When researchers installed Ai.Type they were shocked to discover that users must allow ‘Full Access’ to all of their data stored on the testing iPhone, including all keyboard data past and present,” the researchers say.

What’s more?

Moreover, the leaked database also reveals that the virtual keyboard app is also stealing users’ contact books, including the contacts’ names and phone numbers—and already scraped more than 373 million records.

“There was a range of other statistics like the most popular users’ Google queries for different regions. Data like average messages per day, words per message, the age of users, words_per_day’: 0.0, ‘word_per_session and a detailed look at their customers,” the researchers say.

data-breach-hacking

Researchers go on to raise a question that “why would like a keyboard, and emoji application need to gather the entire data of the user’s phone or tablet?

Even the recent data breaches have taught us that once our personal data gets in the hands of cybercriminals, it makes us vulnerable forever.

Therefore, the best defense to protect yourself is always—awareness.

Google Collects Android Location Data Even When Location Service Is Disabled

android-location-tracking

Do you own an Android smartphone?

If yes, then you are one of those billions of users whose smartphone is secretly gathering location data and sending it back to Google.

Google has been caught collecting location data on every Android device owner since the beginning of this year (that’s for the past 11 months)—even when location services are entirely disabled, according to an investigation conducted by Quartz.

This location-sharing practice doesn’t want your Android smartphone to use any app, or turn on location services, or even have a SIM card inserted.

All it wants is to have your Android device to be connected to the Internet.

The investigation revealed that Android smartphones have been collecting the addresses of nearby cellular towers, and this data could be used for “Cell Tower Triangulation“—a technique widely used to identify the location of a phone/device using data from three or more nearby cell towers.

Each time your Android device comes within the range of a new cell tower, it gathers the cell tower address and sends this data back to Google when the device is connected to a WiFi network or has a cellular data enabled.

Since the component responsible for collecting location data resides in Android’s core Firebase Cloud Messaging service that manages push notifications and messages on the operating system, it cannot be disabled and doesn’t rely on what apps you have installed—even if you factory reset your smartphone or remove the SIM card.

When Quartz contacted the tech giant about this location-sharing practice, Google spokesperson replied: “We began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery.”

Although it is still unknown how cell-tower data that helps identify a specific cell tower could have been helped Google improve message delivery, the fact that the company’s mobile operating system is collecting location data is a complete violation of user’s privacy.

Even in its privacy policy about location sharing, Google mentions that it will collect location information from devices that use its services, but has not indicated whether the company will collect data from Android devices when all location services are disabled.

“When you use Google services, we may collect and process information about your actual location,” Google’s privacy policy reads. 

“We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points, and cell towers.”

Moreover, this location-sharing practice is not limited to any particular Android phone model or manufacturer, as the tech giant was apparently collecting cell tower data from all modern Android devices before being contacted by Quartz.

Although the company said that it never used or stored this location data it collected on its users and that it is now taking steps to end this practice, this data could be used to target location-based advertisement when the user enters any store or restaurant.

According to Google, Android phones will no longer gather and send cell-tower location data back to Google by the end of this month.

Hacker Distributes Backdoored IoT Vulnerability Scanning Script to Hack Script Kiddies

iot-vulnerability-scanner-script

Nothing is free in this world.

If you are searching for free hacking tools on the Internet, then beware—most freely available tools, claiming to be the swiss army knife for hackers, are nothing but a scam.

For example, Cobian RAT and a Facebook hacking tool that we previously reported on The Hacker News actually could hack, but of the one who uses them and not the one you desire to hack.

Now, a security researcher has spotted another hacking tool—this time a PHP script—which is freely available on multiple popular underground hacking forums and allows anyone to find vulnerable internet-connected IP Cameras running the vulnerable version of GoAhead embedded web-server.

However, after closely analysing the scanning script, Newsky Security researcher Ankit Anubhav found that the tool also contains a secret backdoor, which essentially allows its creator to “hack the hacker.

“For an attacker’s point of view, it can be very beneficial to hack a hacker,” Anubhav said.

“For example, if a script kiddie owns a botnet of 10,000 IoT and if he gets hacked, the entire botnet is now in control of the attacker who got control of the system of this script kiddie. Hence, by exploiting one device, he can add thousands of botnets to his army.”

The rise of IoT botnet and release of Mirai’s source code—the biggest IoT-based malware threat that emerged last year and took down Dyn DNS service—has encouraged criminal hackers to create their massive botnet either to launch DDoS attacks against their targets or to rent them to earn money.

iot-vulnerability-scanner

As shown in the self-explanatory flowchart, this IoT scanning script works in four steps:

  • First, it scans a set of IP addresses to find GoAhead servers vulnerable to a previously disclosed authentication bypass vulnerability (CVE-2017-8225) in Wireless IP Camera (P2P) WIFI CAM devices.
  • In the background, it secretly creates a backdoor user account (username: VM | password: Meme123) on the wannabe hacker’s system, giving the attacker same privilege as root.
  • Script also extracts the IP address of the wannabe hacker, allowing script author to access the compromised systems remotely.
  • Moreover, it also runs another payload on the script kiddie’s system, eventually installing a well-known botnet, dubbed Kaiten.

This tool is another example of backdoored hacking tools increasingly being distributed at various underground forums to hack the hacker.

In September, a backdoored Cobian RAT builder kit was spotted on multiple underground hacking forums for free but was caught containing a backdoored module that aimed to provide the kit’s authors access to all of the victim’s data.

Last year, we reported about another Facebook hacking tool, dubbed Remtasu, that actually was a Windows-based Trojan with the capability to access Facebook account credentials, but of the one who uses it to hack someone else.

The bottom line: Watch out the free online stuff very carefully before using them.

Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices

crack-encryption-keys

If you think KRACK attack for WiFi is the worst vulnerability of this year, then hold on…

…we have got another one for you which is even worse.

Microsoft, Google, Lenovo, HP and Fujitsu are warning their customers of a potentially serious vulnerability in widely used RSA cryptographic library produced by German semiconductor manufacturer Infineon Technologies.

It’s noteworthy that this crypto-related vulnerability (CVE-2017-15361) doesn’t affect elliptic-curve cryptography and the encryption standard itself, rather it resides in the implementation of RSA key pair generation by Infineon’s Trusted Platform Module (TPM).

Infineon’s Trusted Platform Module (TPM) is a widely-used, dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and is used for secured crypto processes.

This 5-year-old algorithmic vulnerability was discovered by security researchers at Masaryk University in the Czech Republic, who have released a blog post with more details about the weakness as well as an online tool to test if RSA keys are vulnerable to this dangerous flaw.

ROCA: Factorization Attack to Recover Private RSA Keys

Dubbed ROCA (Return of Coppersmith’s Attack), the factorization attack introduced by the researchers could potentially allow a remote attacker to reverse-calculate a private encryption key just by having a target’s public key—thanks to this bug.

“Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required,” the researchers said. “The vulnerability does NOT depend on a weak or a faulty random number generator—all RSA keys generated by a vulnerable chip are impacted.”

This could eventually allow the attacker to impersonate key owner, decrypt victim’s sensitive data, inject malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with the targeted computer.

ROCA Attack Exposes Billions of Devices to Attack

rsa-encryption-hacking

The ROCA attack affects chips manufactured by Infineon as early as 2012 and is feasible for key lengths, including 1024 and 2048 bits, which is most commonly used in the national identity cards, on PC motherboards to securely store passwords, in authentication tokens, during secure browsing, during software and application signing, and with message protection like PGP.

The flaw also weakens the security of government and corporate computers protected using Infineon’s cryptographic library and chips.

Majority of Windows and Google Chromebook devices developed by HP, Lenovo and Fujitsu are amongst those affected by the ROCA attack.

“We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP,” the researchers said. 

“The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable.”

More Details, Testing Tool, and Patches

The security researchers have released a brief blog post about the flaw, which includes a number of tools for detection, mitigation and workarounds.

The vulnerability was discovered and reported to Infineon Technologies in February this year and the researchers will present their full findings, including the factorization method, on November 2nd at the ACM Conference on Computer and Communications Security.

Their research paper, titled “The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli” (ROCA), will also be released after their presentation.

So, companies and organisations have enough time to change affected encryption keys before the details of how this vulnerability works and could be exploited are released.

Major vendors including InfineonMicrosoft, Google, HP, Lenovo, and Fujitsu have already released the software updates for their relevant hardware and software as well as guidelines for a mitigation of this vulnerability.

“Some Windows security features and potentially third-party software rely on keys generated by the TPM (if available on the system),” according to a Microsoft advisory. “Microsoft is releasing Windows security updates to help work around the vulnerability by logging events and by allowing the generation of software based keys.”

Therefore, users are strongly recommended to patch their devices as soon as possible—AGAIN!

Powered by WPeMatico