Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Flash Exploits. Show all posts

Decentralized Finance (Defi) Protocol Akropolis Hacked For $2 Million In DAI

 


Decentralized finance (defi) protocol Akropolis was recently hacked for $2 million in DAI, in the most recent flash loan attack to hit the 'nascent defi industry'. 
When the attack occurred, (GMT timezone) Akropolis admins stopped all transactions on the platform to forestall further losses. In a statemen on Nov. 12, Akropolis revealed that the hack was executed over an assemblage of s contracts in its "savings pools". 

The attacker stole the platform's Ycurve pool in batches of $50,000 in the stablecoin DAI. This specific pool permits investors to trade stablecoins and procure interest.

Despite the fact that Akropolis says that it recruited two firms to further investigate the incident, yet unfortunately neither one of the companies were able to pinpoint the attack vectors utilized in the exploit.

“At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the Ycurve and sUSD pools,” revealed Akropolis. 

The hacker though was still able to discover loop holes to exploit, wiring his 'loot' to this address. Akropolis clarified additionally: “The attack vectors used in the exploit were not identified in either audit. The essence of the exploit in question is a combination of a re-entrancy attack with Dydx flash loan origination.”

Flash loan attacks have gotten rather common against cryptocurrency services running DeFi (decentralized financed) platforms that enables users to either borrow or loan 'using cryptocurrency, speculate on price variations, and earn interest on cryptocurrency savings-like accounts.' 

These attacks are noticed to have been on a quite steady rise since early February this year, and one of the biggest flash loan attacks occurred just a month ago, in October, when hackers stole $24 million worth of cryptocurrency assets from DeFi service Harvest Finance. 

Others pools were fortunately not affected. These included compound DAI, compound USDC, AAVE sUSD, AAVE bUSD, curve bUSD, curve sBTC. Native AKRO and ADEL staking pools were also left untouched. 

Nonetheless, the Akropolis group said that it is still looking for approaches to repay the affected user “in a way that is sustainable for the project”. All stable coin pools have been put on a hold currently, it added.

Turla Mosquito Hacker Group shift to Open Source Malware


Turla, a hacking group that has been active for over ten years and one of the largest known state-sponsored cyberespionage groups, is showing a shift in its behaviour from using its own creations to leveraging the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor.

While this is not the first time Turla is using generic tools, researchers at ESET say that this is the first time the group has used Metasploit, which is an open-source penetration testing project, as a first stage backdoor.

“In the past, we have seen the group using open-source password dumpers such as Mimikatz,” ESET Research said in a blog post. “However, to our knowledge, this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper.”

The typical targets of the attacks remain to be embassies and consulates in Eastern Europe and the group is still using a fake Flash installer to install both the Turla backdoor and the legitimate Adobe Flash Player.

According to the researchers, the compromise occurs when the user downloads a Flash installer from get.adobe.com through HTTP, allowing Turla operators to replace the legitimate Flash executable with a trojanized version by intercepting traffic on a node between the end machine and the Adobe servers.


“We believe the fifth possibility to be excluded, as, to the best of our knowledge, Adobe/Akamai was not compromised,” the post went on to say, assuring that the Adobe website does not seem to have been compromised.

Researchers found, at the beginning of March 2018, that there were some changes in the Mosquito campaign. Where previously, the attack was carried out by dropping a loader and the main backdoor using a fake Flash installer, there is now a change in the way the final backdoor is dropped.


“Turla’s campaign still relies on a fake Flash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a legitimate Flash installer,” the post read.

The shellcode then downloads a Meterpreter, which gives the attacker the control of the compromised machine, and finally places the final Mosquito backdoor.


Once the attack is executed, the fake Flash installer downloads a legitimate Flash installer from a Google Drive URL and runs it to deceive the user into thinking that the installation went smoothly.

Researchers also say that because of the use of Metasploit, it can be assumed that there is an operator controlling the exploitation manually. More information on Turla can be found in ESET’s whitepaper as well as their recent report on Turla’s change in attacks.

Android Malware Attacking Over 232 Banking Apps Discovered

A new Android malware is reportedly targeting over 232 banking applications, including a few banks in India. This was discovered by the internet and cybersecurity firm Quick Heal, which identified the Android Banking Trojan imitating banking mobile apps around the world.

It includes major Indian banks apps from SBI, HDFC, ICICI, IDBI, and Axis, among others.

What is the malware?

The Trojan malware, named ‘Android.banker.A9480’, is being used to steal personal data such as login data, messages, contact lists, etc. from users and uploading it to a malicious server.

This malware also targets cryptocurrency apps installed on users’ phones to extract similar sensitive data.

Who has it affected?

According to Quick Heal, the banks affected by the malware include Axis mobile, HDFC Bank Mobile Banking, SBI Anywhere Personal, HDFC Bank Mobile Banking LITE, iMobile by ICICI Bank, IDBI Bank GO Mobile+, Abhay by IDBI Bank Ltd, IDBI Bank GO Mobile, IDBI Bank mPassbook, Baroda mPassbook, Union Bank Mobile Banking, and Union Bank Commercial Clients.

The full list can be found on Quick Heal’s original blog post.

How does the malware work?

The security firm has revealed that the malware is being distributed through a fake Flash Player app on third-party stores.

“This is not surprising given that Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often targeted by attackers,” the firm said in a statement.

Once the malicious app is installed, it will ask the user to activate administrative rights. The app sends continuous pop-ups until the user activates the admin privilege, even if the user denies the request or kills the process. Once activated, the malicious app hides its icon soon after the user taps on it.

They also revealed that if any of the targeted apps are found on the infected device, the app shows a fake notification on behalf of the targeted banking app. If the user clicks on the notification, they are shown a fake login screen to steal the user’s confidential info like net banking login ID and password.

Since the malware is able to intercept incoming and outgoing SMS from an infected smartphone, it can bypass the OTP based two-factor authentication on the user’s bank account and can misuse the access.

How can users protect their data?

It should be noted that Adobe Flash player has been discontinued after Android 4.1 version as the player comes integrated with the mobile browser itself. There is no official Adobe Flash Player available on the Google Play Store. Adobe had also announced that it will stop updating and distributing Flash player by the end of 2020 in all formats of the browser.

To stay safe from this trojan, users should take care to download only verified apps and avoid third-party apps or links provided in SMS or emails. Users should also keep the “Unknown Sources” option disabled in the settings (Settings > Security > Unknown Sources).

Additionally, users are advised to install a trusted mobile security app that can detect and block fake and malicious apps before they can infect their device.

It is also strongly advised to always keep the device OS and mobile security apps up-to-date as per official instructions.

Mozilla blocks vulnerable Adobe flash versions


A day after Facebook’s newly appointed Chief Security Officer Alex Stamos took to Twitter to call for more rapid moves to force Flash’s extinction as the plugin was reportedly being used to spread malware on users’ systems via security exploits, the head of Firefox Support has claimed to have blocked all the vulnerable versions of Adobe Flash in its Firefox browser.

On July 14, Mark Schmidt, head of Firefox Support posted on twitter, “BIG NEWS!! All versions of Flash are blocked by default in Firefox as of now.”

According to a news report published on TheNextWeb, three major Flash vulnerabilities were discovered during security firm Hacking Team’s leaked 400GB worth of documents, which allow malicious files to execute code and install malware on victims’ computers and product source code leaked online.

“Mozilla has noted that Flash will remain blocked until Adobe releases a version that isn’t being actively exploited by publicly known vulnerabilities,” the report read.

It is also said that Mozilla is trialing Shumway, an HTML5-based efficient renderer for the SWF format that’s used with Flash files.

Update your Adobe flash player to stay safe


Few days after Microsoft published a security advisory about a new critical security bug in IE that is being used in limited and targeted attacks, Adobe has issued an emergency security update to fix a critical vulnerability(CVE-2014-0515) in flash player.

Please note that it is completely unrelated to IE Exploit in which bug was in IE and the flash file(.swf) used for making the attack successful.  But, in this case, the bug exists in the flash player plugin. 

So, people who use vulnerable version of Adobe Flash player likely to be vulnerable to this attack.

If you are using windows or Mac, make sure you have the latest flash player version 13.0.0.206.  If you are using Linux, make sure to update to the latest version 11.2.202.356.

This new zero-day flash exploit was spotted as being used in Watering-hole attacks by researchers at Kaspersky Labs in early April.

According to SecureList, this flash exploit spread from a Syrian Justice Ministry website(jpic.gov.sy).  Researchers believe the attack was designed to compromise the computers of Syrian dissidents complaining about the government.

CVE-2012-1535: Adobe Flash player being exploited in the wild


A word document 'iPhone 5 Battery.doc' containing a malicious embedded flash file explotis the recently patched Adobe Flash player vulnerability(CVE-2012-1535), Alienvault researchers warns.

About CVE-2012-1535:Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content.

Once victim open the the malicious document , it will exploit the vulnerability and executes the shellcode. Once the payload is executed, it drops a malicious dll file. While executing the malicious code, the malware displays a genuine article about leaked iPhone 5 battery Images.

This backdoor is know as c0d0so0 and also Backdoor.Briba and it has been seen in other targeted attacks exploiting CVE-2012-0779 among others during the past few months.

The backdoor contacts the remote sever publicnews.mooo.com using a HTTP POST request and attempts to download an executable file encapsulated in a ZIP and disguised as a GIF.

"The use of Dynamic DNS providers like DynDNS.org , 3322.net.. is very common in this kind of threats. You should be monitoring the requests to dynamic dns providers in your network,"Researcher says.