Tag Archives: zeroday

Hackers Exploiting ‘Bitmessage’ Zero-Day to Steal Bitcoin Wallet Keys

bitmessage-bitcoin-hacking

Bitmessage developers have warned of a critical ‘remotely executable’ zero-day vulnerability in the PyBitmessage application that was being exploited in the wild.

Bitmessage is a Peer-to-Peer (P2P) communications protocol used to send encrypted messages to users. Since it is decentralized and trustless communications, one need-not inherently trust any entities like root certificate authorities.

Those who unaware, PyBitmessage is the official client for Bitmessage messaging service.

According to Bitmessage developers, a critical zero-day remote code execution vulnerability, described as a message encoding flaw, affects PyBitmessage version 0.6.2 for Linux, Mac, and Windows and has been exploited against some of their users.

“The exploit is triggered by a malicious message if you are the recipient (including joined chans). The attacker ran an automated script but also opened, or tried to open, a remote reverse shell,” Bitmessage core developer Peter Šurda explained in a Reddit thread.

“The automated script looked in ~/.electrum/wallets [Electrum wallets], but when using the reverse shell, he had access to other files as well. If the attacker transferred your Bitcoins, please contact me (here on Reddit).”

Moreover, hackers also targeted Šurda. Since his Bitmessage addresses were most likely considered to be compromised, he suggested users not to contact him at that address.

“My old Bitmessage addresses are to be considered compromised and not to be used,” Šurda tweeted.

Šurda believes that the attackers exploiting this vulnerability to gain remote access are primarily looking for private keys of Electrum bitcoin wallets stored on the compromised device, using which they could/might have stolen bitcoins.

Bitmessage developers have since fixed the vulnerability with the release of new PyBitmessage version 0.6.3.2.

So, if you are running an affected version of PyBitmessage, you are highly recommended to upgrade your software to version 0.6.3.2.

Since the vulnerability affects PyBitmessage version 0.6.2 and not PyBitmessage 0.6.1, alternatively you can also consider, as suggested by Šurda, downgrading your application to mitigate yourself from potential zero-day attacks.

Although the developers did not reveal more details about the critical vulnerability, Šurda advised users to change all their passwords and create new Bitmessage keys, if they have any suspicion of their computers being compromised.

Binary files for Windows and OSX are expected to become available on Wednesday.

The investigation into these attacks is still ongoing, and we will update this article with more information as it becomes available.

Stay Tuned! Stay Safe!

Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware

telegram-vulnerability

A zero-day vulnerability has been discovered in the desktop version for end-to-end encrypted Telegram messaging app that was being exploited in the wild in order to spread malware that mines cryptocurrencies such as Monero and ZCash.

The Telegram vulnerability was uncovered by security researcher Alexey Firsh from Kaspersky Lab last October and affects only the Windows client of Telegram messaging software.

The flaw has actively been exploited in the wild since at least March 2017 by attackers who tricked victims into downloading malicious software onto their PCs that used their CPU power to mine cryptocurrencies or serve as a backdoor for attackers to remotely control the affected machine, according to a blogpost on Securelist.

Here’s How Telegram Vulnerability Works

The vulnerability resides in the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for coding languages that are written from right to left, like Arabic or Hebrew.

According to Kaspersky Lab, the malware creators used a hidden RLO Unicode character in the file name that reversed the order of the characters, thus renaming the file itself, and send it to Telegram users.

For example, when an attacker sends a file named “photo_high_re*U+202E*gnp.js” in a message to a Telegram user, the file’s name rendered on the users’ screen flipping the last part.

Therefore, the Telegram user will see an incoming PNG image file (as shown in the below image) instead of a JavaScript file, misleading into downloading malicious files disguised as the image.

“As a result, users downloaded hidden malware which was then installed on their computers,” Kaspersky says in its press release published today.

Kaspersky Lab reported the vulnerability to Telegram and the company has since patched the vulnerability in its products, as the Russian security firm said: “at the time of publication, the zero-day flaw has not since been observed in messenger’s products.”

Hackers Used Telegram to Infect PCs with Cryptocurrency Miners

telegram-vulnerability

During the analysis, Kaspersky researchers found several scenarios of zero-day exploitation in the wild by threat actors. Primarily, the flaw was actively exploited to deliver cryptocurrency mining malware, which uses the victim’s PC computing power to mine different types of cryptocurrency including Monero, Zcash, Fantomcoin, and others.

While analyzing the servers of malicious actors, the researchers also found archives containing a Telegram’s local cache that had been stolen from victims.

In another case, cybercriminals successfully exploited the vulnerability to install a backdoor trojan that used the Telegram API as a command and control protocol, allowing hackers to gain remote access to the victim’s computer.

“After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools,” the firm added.

Firsh believes the zero-day vulnerability was exploited only by Russian cybercriminals, as “all the exploitation cases that [the researchers] detected occurring in Russia,” and a lot of artifacts pointed towards Russian cybercriminals.

The best way to protect yourself from such attacks is not to download or open files from unknown or untrusted sources.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

(Unpatched) Adobe Flash Player Zero-Day Exploit Spotted in the Wild

flash-zero-dy-exploit

Another reason to uninstall Adobe Flash Player—a new zero-day Flash Player exploit has reportedly been spotted in the wild by North Korean hackers.

South Korea’s Computer Emergency Response Team (KR-CERT) issued an alert Wednesday for a new Flash Player zero-day vulnerability that’s being actively exploited in the wild by North Korean hackers to target Windows users in South Korea.

Simon Choi of South Korea-based cybersecurity firm Hauri first reported the campaign on Twitter, saying the North Korean hackers have been using the Flash zero-day against South Koreans since mid-November 2017.

Although Choi did not share any malware sample or details about the vulnerability, the researcher said the attacks using the new Flash zero-day is aimed at South Korean individuals who focus on researching North Korea.

Adobe also released an advisory on Wednesday, which said the zero-day is exploiting a critical ‘use-after-free’ vulnerability (CVE-2018-4878) in its Flash media software that leads to remote code execution.

flash-zero-dy-exploit

The critical vulnerability affects Adobe Flash Player version 28.0.0.137 and earlier versions for:

  • Desktop Runtime (Win/Mac/Linux)
  • Google Chrome (Win/Mac/Linux/Chrome OS)
  • Microsoft Edge and Internet Explorer 11 (Win 10 & 8.1)

“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users,” the advisory said. “These attacks leverage Office documents with embedded malicious Flash content distributed via email. Adobe will address this vulnerability in a release planned for the week of February 5.


To exploit the vulnerability, all an attacker need to do is trick victims into opening Microsoft Office documents, web pages, or spam messages that contain a maliciously crafted Adobe Flash file.

The vulnerability can be leveraged by hackers to take control of an affected computer.

Choi also posted a screenshot to show that the Flash Player zero-day exploit has been delivered via malicious Microsoft Excel files.

Adobe said in its advisory that the company has planned to address this vulnerability in a “release planned for the week of February 5,” through KR-CERT advises users to disable or completely remove the buggy software.

Zero-Day Remote ‘Root’ Exploit Disclosed In AT&T DirecTV WVB Devices

remote-root-directv

Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this easy-to-exploit flaw over the past few months.

The problem is with a core component of the Genie DVR system that’s shipped free of cost with DirecTV and can be easily exploited by hackers to gain root access and take full control of the device, placing millions of people who’ve signed up to DirecTV service at risk.

The vulnerability actually resides in WVBR0-25—a Linux-powered wireless video bridge manufactured by Linksys that AT&T provides to its new customers.

DirecTV Wireless Video Bridge WVBR0-25 allows the main Genie DVR to communicate over the air with customers’ Genie client boxes (up to 8) that are plugged into their TVs around the home.

Trend Micro researcher Ricky Lawshae, who is also a DirecTV customer, decided to take a closer look at the device and found that Linksys WVBR0-25 hands out internal diagnostic information from the device’s web server, without requiring any authentication.

hacking-news

When trying to browse to the wireless bridge’s web server on the device, Lawshae was expecting a login page or similar, but instead, he found “a wall of text streaming before [his] eyes.”

Once there, Lawshae was able to see the output of several diagnostic scripts containing everything about the DirecTV Wireless Video Bridge, including the WPS pin, connected clients, running processes, and much more.

What’s more worrisome was that the device was accepting his commands remotely and that too at the “root” level, meaning Lawshae could have run software, exfiltrate data, encrypt files, and do almost anything he wanted on the Linksys device.

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point that I became pretty frustrated,” Lawshae wrote in an advisory published Wednesday on Trend Micro-owned Zero Day Initiative (ZDI) website. 

“The vendors involved here should have had some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent these simple yet impactful bugs from reaching unsuspecting consumers.”

Lawshae also provided a video, demonstrating how a quick and straightforward hack let anyone get a root shell on the DirecTV wireless box in less than 30 seconds, granting them full remote unauthenticated admin control over the device.

The vulnerability was reported by the ZDI Initiative to Linksys more than six months ago, but the vendor ceased communication with the researcher and had yet not fixed the problem, leaving this easy-to-exploit vulnerability unpatched and open for hackers.

So, after over half a year, ZDI decided to publicize the zero-day vulnerability, and recommended users to limit their devices that can interact with Linksys WVBR0-25 “to those that actually need to reach” in order to protect themselves.

Zerodium Offers $1 Million for Tor Browser 0-Days That It will Resell to Governments

tor-zero-day-exploits-hacking

It seems like Tor Browser zero-day exploits are in high demand right now—so much so that someone is ready to pay ONE MILLION dollars.

Zerodium—a company that specialises in acquiring and reselling zero-day exploits—just announced that it will pay up to USD 1,000,000 for working zero-day exploits for the popular Tor Browser on Tails Linux and Windows operating system.

Tor browser users should take this news an early warning, especially who use Tails OS to protect their privacy.

Zero-day exploit acquisition platform has also published some rules and payout details on its website, announcing that the payout for Tor exploits with no JavaScript has been kept double than those with JavaScript enabled.

The company has also clearly mentioned that the exploit must leverage remote code execution vulnerability, the initial attack vector should be a web page and it should work against the latest version of Tor Browser.

Moreover, the zero-day Tor exploit must work without requiring any user interaction, except for victims to visit a web page.

Other attack vectors such as delivery via malicious document are not eligible for this bounty, but ZERODIUM may, at its sole discretion, make a distinct offer to acquire such exploits.

Zerodium to Sell Tor Browser 0-Days to Law Enforcement Agencies

Although the zero-day market has long been a lucrative business for private firms that regularly offer more payouts for undisclosed vulnerabilities than big technology companies, Zerodium says that it wants to resell the Tor browser exploits to law enforcement agencies to fight crime.

In a FAQ, the company has admitted that it will sell the acquired Tor zero-days to law enforcement agencies, and possibly the commercial malware development companies who sell spyware to governments.

“In many cases, [Tor] used by ugly people to conduct activities such as drug trafficking or child abuse. We have launched this special bounty for Tor Browser zero-days to help our government customers fight crime and make the world a better and safer place for all,” Zerodium said.

In response to the Zerodium bounty program, Tor Project says that breaching the security of its anonymity software may risk lives of many users, including human rights defenders, activists, lawyers, and researchers, who rely on it.

The non-profit foundation also urges researchers and hackers to responsibly disclose vulnerabilities in Tor via its recently-launched bug bounty program.

“We think the amount of the bounty is a testament to the security we provide. We think it’s in the best interest of all Tor users, including government agencies, for any vulnerabilities to be disclosed to us through our own bug bounty,” Tor Project spokesperson told The Hacker News.

“Over 1.5 million people rely on Tor everyday to protect their privacy online, and for some it’s life or death. Participating in Zerodium’s program would put our most at-risk users’ lives at stake.”

Payouts for Tor Browser 0-Day RCE Exploits

Here is the list of Zerodium’s payouts for Tor Browser Exploits:

  • RCE and LPE to Root/SYSTEM for Tor Browser on Tails 3.x (64bit) and on Windows 10 RS3/RS2 (64bit) without JavaScript: $250,000
  • Only RCE (No LPE) for Tor Browser on Tails 3.x (64bit) and on Windows 10 RS3/RS2 (64bit) without JavaScript: $185,000
  • RCE+LPE to Root/SYSTEM for Tor Browser on Tails 3.x (64bit) and on Windows 10 RS3/RS2 (64bit) with JavaScript: $125,000
  • Only RCE (No LPE) for Tor Browser on Tails 3.x (64bit) and on Windows 10 RS3/RS2 (64bit) with JavaScript: $85,000
  • RCE and LPE to Root/SYSTEM for Tor Browser on Tails 3.x (64bit) OR on Windows 10 RS3/RS2 (64bit) without JavaScript: $200,000
  • Only RCE (No LPE) for Tor Browser on Tails 3.x (64bit) OR on Windows 10 RS3/RS2 (64bit) without JavaScript: $175,000
  • RCE and LPE to Root/SYSTEM for Tor Browser on Tails 3.x (64bit) OR on Windows 10 RS3/RS2 (64bit) with JavaScript: $100,000
  • Only RCE (No LPE) for Tor Browser on Tails 3.x (64bit) OR on Windows 10 RS3/RS2 (64bit) with JavaScript: $75,000

Those interested can submit their exploit until November 30th, 2017 at 6:00 pm EDT. The company also notes that the bounty may be terminated before its expiration if the total payout to researchers reaches one million U.S. dollars ($1,000,000).

Powered by WPeMatico

Researcher Discloses 10 Zero-Day Flaws in D-Link 850L Wireless Routers

D-Link-850L-Wireless-Router-Password-Hacking

A security researcher has discovered not one or two but a total of ten critical zero-day vulnerabilities in routers from Taiwan-based networking equipment manufacturer D-Link which leave users open to cyber attacks.

D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers are vulnerable to 10 security issues, including “several trivial” cross-site scripting (XSS) flaws, lack of proper firmware protection, backdoor access, and command injection attacks resulting in root access.

If successfully exploited, these vulnerabilities could allow hackers to intercept connection, upload malicious firmware, and get root privileges, enabling them to remotely hijack and control affected routers, as well as network, leaving all connected devices vulnerable to cyber attacks as well.

These zero-day vulnerabilities were discovered by Pierre Kim—the same security researcher who last year discovered and reported multiple severe flaws in D-Link DWR-932B LTE router, but the company ignored the issues.

The same happened in February, when the researcher reported nine security flaws in D-Link products but disclosed the vulnerabilities citing a “very badly coordinated” disclosure with D-Link.

So, Kim opted to publicly disclose the details of these zero-day flaws this time and published their details without giving the Taiwan-based networking equipment maker the chance to fix them.

Here’s the list of 10 zero-day vulnerabilities affect both D-Link 850L revision A and revision B Kim discovered:

  1. Lack of proper firmware protection—since the protection of the firmware images is non-existent, an attacker could upload a new, malicious firmware version to the router. Firmware for D-Link 850L RevA has no protection at all, while firmware for D-Link 850L RevB is protected but with a hardcoded password.
  2. Cross-site scripting (XSS) Flaws—both LAN and WAN of D-Link 850L RevA is vulnerable to “several trivial” XSS vulnerability, allowing an attacker “to use the XSS to target an authenticated user in order to steal the authentication cookies.”
  3. Retrieve admin passwords—both LAN and WAN of D-Link 850L RevB are also vulnerable, allowing an attacker to retrieve the admin password and use the MyDLink cloud protocol to add the user’s router to the attacker’s account to gain full access to the router.
  4. Weak cloud protocol—this issue affects both D-Link 850L RevA and RevB. MyDLink protocol works via a TCP tunnel that use no encryption at all to protect communications between the victim’s router and the MyDLink account.
  5. Backdoor Access—D-Link 850L RevB routers have backdoor access via Alphanetworks, allowing an attacker to get a root shell on the router.
  6. Private keys hardcoded in the firmware—the private encryption keys are hardcoded in the firmware of both D-Link 850L RevA and RevB, allowing to extract them to perform man-in-the-middle (MitM) attacks.
  7. No authentication check—this allows attackers to alter the DNS settings of a D-Link 850L RevA router via non-authenticated HTTP requests, forward the traffic to their servers, and take control of the router.
  8. Weak files permission and credentials stored in cleartext—local files are exposed in both D-Link 850L RevA and RevB. In addition, routers store credentials in clear text.
  9. Pre-Authentication RCEs as root—the internal DHCP client running on D-Link 850L RevB routers is vulnerable to several command injection attacks, allowing attackers to gain root access on the affected devices.
  10. Denial of Service (DoS) bugs—allow attackers to crash some daemons running in both D-Link 850L RevA and RevB remotely via LAN.

Kim advised users to cut the connections with the affected D-Link router in order to be safe from such attacks.

According to Kim, “the Dlink 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.”

You can get full details of all 10 zero-day vulnerabilities on Kim’s website as well as on security mailing lists.

The security of D-Link products has recently been questioned when the U.S. Federal Trade Commission, FTC sued the company earlier this year, alleging that the lax security left its products and therefore, “thousands of consumers” vulnerable to hackers.

Powered by WPeMatico

Mobile Bootloaders From Top Manufacturers Found Vulnerable to Persistent Threats

hack-mobile-android-bootloader-unlock

Security researchers have discovered several severe zero-day vulnerabilities in the mobile bootloaders from at least four popular device manufacturers that could allow an attacker to gain persistent root access on the device.

A team of nine security researchers from the University of California Santa Barbara created a special static binary tool called BootStomp that automatically detects security vulnerabilities in bootloaders.

Since bootloaders are usually closed source and hard to reverse-engineer, performing analysis on them is difficult, especially because hardware dependencies hinder dynamic analysis.

Therefore, the researchers created BootStomp, which “uses a novel combination of static analysis techniques and underconstrained symbolic execution to build a multi-tag taint analysis capable of identifying bootloader vulnerabilities.”

The tool helped the researchers discover six previously-unknown critical security bugs across bootloaders from HiSilicon (Huawei), Qualcomm, MediaTek, and NVIDIA, which could be exploited by attackers to unlock device bootloader, install custom malicious ROM and persistent rootkits.

Five of the vulnerabilities have already been confirmed by their respective by the chipset vendors. Researchers also found a known bug (CVE-2014-9798) in Qualcomm’s bootloaders, which was previously reported in 2014, but still present and usable.

mobile-bootloader-hacking

In a research paper [PDF], titled “BootStomp: On the Security of Bootloaders in Mobile Devices,” presented at the USENIX conference in Vancouver, the researchers explain that some of the discovered flaws even allow an attacker with root privileges on the Android operating system to execute malicious code as part of the bootloader or to perform permanent denial-of-service attacks.

According to the researchers, the vulnerabilities impact the ARM’s “Trusted Boot” or Android’s “Verified Boot” mechanisms that chip-set vendors have implemented to establish a Chain of Trust (CoT), which verifies the integrity of each component the system loads while booting the device.

Overview: Discovered Bootloader Vulnerabilities

The researchers tested five different bootloader implementations in Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Nexus 9 (NVIDIA Tegra chipset), Sony Xperia XA (MediaTek chipset) and two versions of the LK-based bootloader, developed by Qualcomm.

The researcher discovered five critical vulnerabilities in the Huawei Android bootloader:

  • An arbitrary memory write or denial of service (DoS) issue when parsing Linux Kernel’s DeviceTree (DTB) stored in the boot partition.
  • A heap buffer overflow issue when reading the root-writable oem_info partition.
  • A root user’s ability to write the nve and oem_info partitions, from which configuration data and memory access permissions governing the smartphone’s peripherals can be read.
  • A memory corruption issue that could allow an attacker to install a persistent rootkit.
  • An arbitrary memory write bug that lets an attacker run arbitrary code as the bootloader itself.

Another flaw was discovered in NVIDIA’s hboot, which operates at EL1, meaning that it has equivalent privilege on the hardware as the Linux kernel, which once compromised, can lead to an attacker gaining persistence.

The researchers also discovered a known, already patched vulnerability (CVE-2014-9798) in old versions of Qualcomm’s bootloader that could be exploited to cause a denial of service situation.

The researchers reported all the vulnerabilities to the affected vendors. Huawei confirmed all the five vulnerabilities and NVIDIA is working with the researchers on a fix.

The team of researchers has also proposed a series of mitigations to both limit the attack surface of the bootloader as well as enforce various desirable properties aimed at safeguarding the security and privacy of users.

Powered by WPeMatico