Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security researcher. Show all posts
Security researcher
attackers China Cyber Crime Reverse Shell Security researcher

Attackers Gained Access to the Systems of the National Games of China

 

China has recently had its own national sporting event: the National Games of China began on September 15, 2021, in the Chinese city of Shaanxi. This is a comparable event to the Olympics, however, it only features athletes from China. The National Games of the People's Republic of China, also known as the All-China Games, are China's biggest national sporting event. It is typically held every four years. 

David Álvarez, an Avast security researcher, discovered a malware sample with a peculiar file extension in early September and started to examine where it came from. Following that, he discovered a report submitted to VirusTotal by the National Games IT team on an attack against a server associated with the Games.

The data suggests that the attackers acquired initial code execution on September 3, 2021, about 10:00AM local time, and deployed their first reverse shell executing scripts called runscript.lua. Researchers believe this occurred as a result of an arbitrary file-read vulnerability targeting either route .lua which, according to the API (Application User Interface) extracted from various JavaScript files, is a LUA script containing a lot of functionality ranging from login authentication to file manipulation or index.lua in combination with index.lua?a=upload API that was not used by anyone else in the rest of the network log. It's also worth noticing that runscript.lua was not included in the report or among the files uploaded by the attacker. 

After gaining initial access, the attackers uploaded numerous other reverse shells, such as conf.lua, miss1.php, or admin2.php, to gain a more permanent foothold in the network in the event that one of the shells was found. Because these reverse shells receive commands via POST requests, the data is not contained in the logs attached to the report, which simply show the URL path. Furthermore, the logs in the report do not contain enough information about network traffic for researchers to understand how and when the attackers obtained their initial web shell. 

The method used by the attackers to hack the 14th National Games of China is not novel. They got access to the system by taking advantage of a flaw in the webserver. This highlights the importance of updating software, correctly configuring it, and being aware of potential new vulnerabilities in apps by employing vulnerability scanners.

The most essential security countermeasure for defenders is to maintain the infrastructure patched up to date (especially for the internet-facing infrastructure). The primary priority for both internal and internet-facing infrastructure should be prevention. According to the researchers, in order to fight against this type of attack, more layers of protection must be deployed so that users can identify and respond immediately when a successful breach occurs.
Read more »
US Government
AvosLocker Cyber Security Ransomware Security researcher US Government

Ransomware Gang Offered a Decryptor After Realizing they Hit a US Government Agency

 

After discovering that they had encrypted a US government agency, the AvosLocker ransomware operation offered a free decryptor. AvosLocker infiltrated a US police department last month, encrypting devices and stealing data during the attack. 

Sophos researchers investigating AvosLocker ransomware deployment discovered that the main process begins with attackers utilising PDQ Deploy to run and execute a batch script on targeted workstations called "love.bat," "update.bat," or "lock.bat." The script issues and executes a series of commands that prepare the machines for the ransomware's release before rebooting into Safe Mode. Windows Safe Mode is an IT support solution for resolving IT issues in which most security and IT administration capabilities are disabled. 

The command sequence takes about five seconds to execute and includes disabling Windows update services and Windows Defender, attempting to disable the components of commercial security software solutions that can run in Safe Mode, installing the legitimate remote administration tool AnyDesk and configuring it to run in Safe Mode while connected to the network, ensuring continued command and control by the attacker, setting up a new account with auto-login details, and then connecting to the target's domain controller in order to remotely access and run the ransomware executable, called update.exe.

“The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack,” said Peter Mackenzie, director of incident response at Sophos. 

According to a screenshot released by security researcher pancak3, when they learned the victim was a government entity, they offered a free decryptor. While providing a decryptor to the police department, the ransomware organization declined to offer a list of stolen files or details on how they gained access to the department's network. According to an AvosLocker operation member, they have no strategy on who they target but typically avoid encrypting government agencies and hospitals.

"You should note, however, that sometimes an affiliate will lock a network without having us review it first," the AvosLocker operator said. 

Over the last year, international law enforcement activities have resulted in numerous indictments or arrests of ransomware members and money launderers. These arrests include members of the ransomware groups REvil, Egregor, Netwalker, and Clop. This increased pressure has been proved to have a positive effect, resulting in the shutdown of various ransomware operations, including DarkSide, BlackMatter, Avaddon, and REvil.
Read more »
Vulnerabilities and Exploits
Bug Hunter Bugs Flaws GOautodial Remote Code Execution Security researcher Vulnerabilities and Exploits

Multiple Flaws Detected in GOautodial

 

Several vulnerabilities have been uncovered in an open-source call centre software suite that is used all around the world, as per a cybersecurity researcher. 

The Synopsys Cybersecurity Research Center (CyRC) issued a warning disclosing two GOautodial API vulnerabilities. While GOautodial is sold as a paid cloud service by a variety of providers, it is available as a free download. 

Researchers in the GOautodial advisory stated, "The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution by any authenticated user via an unrestricted file upload." 

One of the vulnerabilities discovered by Synopsys is the broken authentication issue CVE-2021-43175, which enables attackers with access to the internal network hosting GOautodial to obtain sensitive configuration information, such as default passwords, from the GOautodial server without credentials. A threat actor could use this information to link to other systems on the network, such as VoIP phones. 

CVE-2021-43176 is another recently discovered flaw that lets any authorised user at any level conduct remote code execution. 

CyRC alerted, "This would allow them to gain complete control over the GOautodial application on the server, steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behaviour such as stealing passwords or spoofing communications (sending messages or emails that look like they come from someone else)." 

Vulnerable versions of the GOautodial API comprises the latest publicly available ISO installer, GOautodial-4-x86 64-Final-20191010-0150.iso, which was created before September 27, 2021. 

The vulnerabilities were discovered by Scott Tolley of the Synopsys Cybersecurity Research Center using the interactive application security testing (IAST) tool Seeker, which automatically tests for security vulnerabilities throughout the software development life cycle (SDLC). 

On September 22, Tolley revealed the vulnerabilities to GOautodial for the first time. On October 20, the firm responded, claiming that the flaws had been addressed. Synopsys validated the patch by November 17 and issued a security advisory about the flaws. 

CVE-2021-33177, CVE-2021-33178, and CVE-2021-33179 are SQL injection, path traversal, and XSS vulnerabilities in the popular application, service, and network monitoring software Nagios XI, respectively, identified by bug-hunter Tolley.
Read more »
Vulnerabilities and Exploits
GitHub Linux Security Bug Security researcher Vulnerabilities and Exploits

Linux System Service Bug Allows You to Gain Root Access

 

An authentication bypass vulnerability in the polkit auth system service, which is installed by default on many recent Linux distributions, allows unprivileged attackers to gain a root shell. On June 3, 2021, the polkit local privilege escalation flaw (CVE-2021-3560) was officially identified, and a fix was released. Polkit is used by systemd, hence it's included in any Linux distribution that uses systemd. 

Kevin Backhouse, a GitHub security researcher, detailed how he discovered the bug (CVE-2021-3560) in a systemd service called polkit in a blog post on Thursday. The problem, which was first introduced in commit bfa5036 seven years ago and first shipped in polkit version 0.113, took various pathways in different Linux distributions. Despite the fact that many Linux distributions did not ship with the vulnerable polkit version until recently, any Linux machine with polkit 0.113 or later installed is vulnerable to attacks. 

Polkit, formerly known as PolicyKit, is a service that determines whether certain Linux tasks require more privileges than there are currently available. It comes into play when you want to establish a new user account, for example. According to Backhouse, exploiting the issue is shockingly simple, needing only a few commands utilizing common terminal tools such as bash, kill, and dbus-send. 

"The vulnerability is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request," explained Backhouse. Polkit asks for the UID of a connection that no longer exists, therefore killing dbus-send — an interprocess communication command – in the middle of an authentication request creates an error (because the connection was killed). 

"In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has come from a root process."

Because polkit's UID query to the dbus-daemon occurs numerous times throughout different code paths, this doesn't happen all of the time. According to Backhouse, those code pathways usually handle the error correctly, but one is vulnerable, and if the disconnection occurs while that code path is running, privilege escalation occurs. It's all about timing, which varies in unanticipated ways due to the involvement of various processes. Backhouse believes the bug's intermittent nature is why it went unnoticed for seven years.
Read more »
Security researcher
cloud storage Malicious Payload malware Security researcher

This Malware that Uses Steam Profile Images to Hide Itself

 

In May 2021, a researcher tweeted about a new malware that hides itself inside Steam profile photos. Except for a warning that the length of the ICC profile data is not acceptable, common online EXIF tools don't provide anything significant about the image. Because the malware is stored in encrypted form inside the PropertyTagICCProfile value instead of an ICC profile. The goal of an ICC profile is to appropriately map colours for output devices like printers. 

Valve's Steam is a video game digital distribution platform. In September 2003, it was released as a separate software client as a mechanism for Valve to give automatic updates for their games, and it was later expanded to include games from third-party publishers. Digital rights management (DRM), server hosting, video streaming, and social networking services are all available through Steam. It also includes community features such as friends lists and groups, cloud storage, and in-game voice and chat functions, as well as game installation and automatic updates.

While concealing malware in the metadata of an image file is not a novel concept, leveraging a gaming platform like Steam has never been done before. This strategy makes sense from the attacker's perspective: It's as simple as updating a profile image file to remove the infection. There are also a lot of valid accounts, and blacklisting the Steam platform would have a lot of unintended consequences. 

It should be emphasised that no installation of Steam – or any other game platform – is required to become a target for this strategy. The Steam platform only acts as a medium for the malicious file to be distributed.  

An external component, which only sees the profile image on one Steam profile, does the hard lifting in terms of downloading, unpacking, and executing the malicious payload. This payload can be transmitted by a variety of methods, including manipulated emails and infected websites. 

The Steam profile image is neither contagious or executable in any way. It acts as a vehicle for the malware itself. It requires the extraction of a second malware. This malware sample's second component is a downloader. It uses TripleDES to decode the payload from the picture and has the password "PjlDbzxS#;8@x.3JT&4MsTqE0" hardcoded.
Read more »
Vulnerabilities
Cyber Security Google Reverse Engineering Security researcher Vulnerabilities

Google Security Researcher Banned From COD: Modern Warfare For Reverse Engineering


A security researcher from Google has been banned from Call of Duty: Modern warfare for attempting to reverse engineer its networking code while studying the security to hunt memory corruption vulnerabilities. 
 
Almost a week later, after getting his account suspended by Call of Duty's developer, Activision Blizzard, Google Project Zero's Williamson, who carried out the research in his personal capacity, published a blog post telling that the research he conducted required him to reverse engineer the networking code in COD'e executable ( For reviewing the code for memory corruption vulnerabilities). However, as the executable was heavily obfuscated, IDA failed to examine it, forcing him to as he said in the blog, "dump the unobfuscated code from the memory of a running game process." 
 
It was at that point when the developers of the game suspected him as a cheater and consequently, his activities were flagged for being suspicious in nature. To ensure he doesn't affect any players in the process, Williamson tried to read memory while he was in the main menu; he attached WinDbg debugging tool – in consequence to which the game exited, the incident was attributed to the flagging event as per Williamson who also attempted to pause the process prior to dumping memory from it. He dumped an image of the game from memory in the main menu and exited normally, as explained in his blog post. 
 
The researcher who was saddened by the ban for multiple reasons, told, "after spending a few days reviewing the binary, I decided that the binary was so large and unwieldy to deal with that I would table the project for a later date. But unfortunately, I was banned about a month later, losing over a year of progress on my account." 
 
"The ban saddens me on a personal level as I’ve reconnected with family and friends from throughout my life playing this game during the pandemic. But more importantly, this sends a clear signal: this research is not welcome. I believe I had a reasonable expectation that it would be. I had done similar work during a CTF, where I reverse engineered and fuzzed CS:GO without ever risking a ban," he further added. 
 
Williamson, while scaling the magnitude of 'cheating' as a threat to online gaming, said that, "I understand that the developers shoulder an impressive burden in preventing cheat development and use. They need to leverage a variety of signals to detect cheat development and use. I’m guessing that because they may not have seen security researchers reviewing their platform before, they interpret any attempt to reverse engineer as a sign of malicious behavior. No typical player would attach a debugger to the game, and therefore they probably assume they don’t need much more evidence beyond this to issue a ban." 
 
While voicing his concerns regarding the ban for security researchers, he said, "Let me be clear: at no point did I intend to develop or use a cheat, and at no point did I manipulate any aspect of the game for another player or even myself. To this day, I don’t know what exactly caused the ban, and there’s no process to appeal it. What if using a reversing tool as part of my job gets me flagged? This fear is in the back of my mind for all games with anti-cheat, not just Warzone."
Read more »
VLC player
Security flaw Security researcher Software Vulnerability VLC Media player VLC player

VLC player has ‘critical’ security flaw

Popular media software VLC Media Player has a critical software vulnerability that could put millions of users at risk, security researchers have warned.

Researchers from German firm CERT-Bund say they have detected a major safety flaw in the video player, which has been downloaded billions of times across the world, which could allow hackers access to compromise users' devices.

Although the vulnerability is yet to be exploited by hackers publicly to date, it poses an increasing threat for users of the popular software.

- VLC for Nintendo Switch and PS4 could be on the way
- How to convert videos with VLC
- VLC Media Player is about to hit 3bn downloads, with new features on the way

Hijacked

According to CERT-Bund, the flaw enables remote code execution (RCE), unauthorised modification and disclosure of data/files, and overall disruption of service, meaning users could see their devices hijacked and made to run malicious code of software.

Known as CVE-2019-13615, the vulnerability is found in the latest edition of the software, VLC Media Player version 3.0.7.1, and is rated at 9.8 in NIST's National Vulnerability Database, meaning it can be labelled as 'critical'.

The issue has been detected in the Windows, Linux and UNIX versions of VLC, however the macOS version appears to be unaffected.

VideoLAN, the not-for-profit organisation beind VLC Media Player, says it has been working on a patch for the flaw for the last four weeks, and is 60 percent through.

Last month, VideoLAN released the biggest single security update for VLC Media Player in the history of the programme. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium and 10 rated low.
Read more »
Zoom
Apple Jonathan Leitschuh Mac Malware Security researcher Web Server security Zoom

Apple pushes out silent update for Mac users to remove Zoom web server

Earlier this week, a US-based security researcher named Jonathan Leitschuh had publicly disclosed a major vulnerability in the Zoom video conferencing software for Apple’s Mac computers which could make any website start a video-enabled call by hacking the webcam of the system. Now, according to a report by TechCrunch, Apple has pushed out an update silently to the macOS which removes the Zoom web server.

As per the report, the US-based technology giant has confirmed the said update has been released and it is installed automatically and does not require any interaction with the user. The purpose of the update is only to remove the local web server installed by the Zoom app. The company said that it pushed the update to protect its users from the risks posed by the exposed web server.

According to Leitschuh’s claims earlier this week, even if Mac users uninstall the Zoom app from their system, the web server continues to persist and it can reinstall Zoom without the user’s permission.

In a statement to The Verge and ZDNet, Zoom had said that it developed the local web server to save Mac users from too many clicks, after Apple changed their Safari browser in a way that requires Zoom users to confirm that they want to launch Zoom every single time. Zoom also said that it will tweak the app such that it will save the user’s and administrator’s preferences for whether the video will be turned on, or not, when they first join a call.

However, it seems Apple took it upon itself to rescue its users from the security vulnerability posed by Zoom app. The silent update was all the more needed because Zoom had installed a local web server that could reinstall the app even if the user had previously uninstalled it.
Read more »
Subscribe to: Posts (Atom)