
iPhone Security Unveiled: Navigating the BlastPass Exploit

In the ever-changing field of cybersecurity, Apple's iPhone security has come under scrutiny due to recent events: a number of attacks, notably the worrisome 'BlastPass' zero-click zero-day exploit, have called the security of these recognizable devices into question.

The BlastPass exploit, unveiled by Citizen Lab in September 2023, is attributed to the notorious NSO Group. This zero-click exploit is particularly alarming because it doesn't require any interaction from the user, making it a potent tool for malicious actors. The exploit was reportedly deployed "in the wild," emphasizing the urgency for users to stay vigilant against potential threats.

Apple responded promptly to the situation, acknowledging the severity of the issue and providing guidance on how users can protect themselves. The company recommended updating devices to the latest iOS version, as the exploit was patched in recent updates. This incident serves as a stark reminder of the critical role software updates play in maintaining the security of our devices.

One of the key features of BlastPass was the activation of a fake lockdown mode, creating a sense of urgency and panic for users. This mode simulated a device lockdown, tricking users into thinking they were experiencing a serious security incident. This tactic highlights the growing sophistication of cyber threats and the need for users to stay informed about potential scams and exploits.

Quoting from the official Apple support page, "Keeping your software up to date is one of the most important things you can do to maintain your Apple product's security." This statement underscores the significance of regular software updates in fortifying the security of iPhones and other Apple devices.

As users navigate the digital landscape, it's crucial to exercise caution and be aware of potential threats. The BlastPass incident sheds light on the importance of digital literacy and the need for users to be skeptical of unexpected alerts or prompts on their devices.

iPhone security is being closely examined in light of the recent BlastPass attack, which highlights the necessity of taking preventative action to protect personal data. Apple’s prompt action and the ensuing software patches demonstrate the company’s dedication to user security. Staying up to date and implementing digital hygiene best practices are crucial in the continuous fight against cyber risks as technology develops.



Lazarus Group's Deathnote Cluster: A Threat to the Defense Sector


The Lazarus Group, a well-known cybercriminal organization, has pivoted to the defense sector with its Deathnote cluster. The group has previously been linked to cryptocurrency attacks and other malicious activities. However, its latest move into the defense industry marks a significant shift in its operations.

According to reports, the Deathnote campaign began in 2020 and has been active ever since. The group has been using advanced tactics to infiltrate defense companies, particularly those involved in developing military technology. Once inside, the hackers have been stealing sensitive data and intellectual property.

The Lazarus Group's tactics have evolved significantly over the years. In the past, it has relied on spear-phishing attacks and other traditional methods of cyber espionage. However, it has now adopted more sophisticated techniques, such as the use of supply chain attacks and zero-day exploits.

The Deathnote cluster is particularly concerning because of its ability to evade detection. The group has been using a range of techniques to remain hidden, including the use of fake social media profiles and encrypted communication channels. This makes it extremely difficult for companies to identify and mitigate the threat.

One of the key vulnerabilities that the Lazarus Group has been exploiting is the lack of awareness among employees. Many of the attacks have been successful because of simple human error, such as the failure to follow basic security protocols. This highlights the importance of ongoing employee training and education in the fight against cybercrime.

The Lazarus Group's move into the defense sector is a worrying development that highlights the need for greater vigilance when it comes to cybersecurity. Companies must take a proactive approach to protect their systems and data, including using advanced security solutions and regular vulnerability assessments.

In conclusion, the Lazarus Group's Deathnote cluster represents a significant threat to the defense industry and beyond. Its evolving tactics and ability to remain hidden make it a formidable opponent in the fight against cybercrime. It is crucial that companies take the necessary steps to protect themselves and their customers from these types of attacks.

Nokoyawa Ransomware Attacks Use Windows Zero-Day Vulnerability

A Windows zero-day vulnerability has been exploited in a recent string of ransomware attacks. The attacks involve a new strain of ransomware called Nokoyawa, which leverages the vulnerability to infect and encrypt files on Windows systems.

According to reports, the Nokoyawa ransomware attacks have been detected in various industries, including healthcare, finance, and government. The attackers are believed to be targeting organizations in Europe and Asia, with a particular focus on Japan.

The vulnerability exploited by Nokoyawa is a 'zero-day', meaning that it is an unknown vulnerability that has not been previously disclosed or patched. In this case, the vulnerability is believed to be a memory corruption issue that allows the attacker to execute arbitrary code on the targeted system.

This type of vulnerability is particularly concerning as it allows attackers to bypass security measures that are designed to protect against known vulnerabilities. As a result, organizations may be caught off guard by attacks that exploit zero-day vulnerabilities.

To protect against Nokoyawa and other ransomware attacks, it is important for organizations to keep their software up to date and to implement strong security measures, such as endpoint protection and network segmentation. Additionally, organizations should regularly back up their data to minimize the impact of a successful ransomware attack.

The discovery of this zero-day vulnerability underscores the importance of cybersecurity research and the need for organizations to take a proactive approach to identify and mitigate vulnerabilities in their systems. By staying up to date on the latest threats and vulnerabilities, organizations can better protect themselves from cyber-attacks and minimize the risk of data loss and other negative impacts.

Organizations Struggle with Data Breach Disclosure

A recent survey conducted by cybersecurity firm Bitdefender highlights the ongoing struggle of organizations to handle data breaches and cybersecurity challenges. The survey revealed that a third of organizations have admitted to covering up data breaches, while 42% of IT leaders were instructed to maintain breach confidentiality. This trend of hiding data breaches is alarming as it puts customers' personal information at risk and undermines their trust in the organization.

The survey also highlighted the top cybersecurity concerns for businesses globally, with the most significant challenge being phishing attacks, followed by ransomware and zero-day exploits. These attacks are increasingly sophisticated and can cause significant financial and reputational damage to organizations.

According to Bogdan Botezatu, director of threat research and reporting at Bitdefender, "There is a significant gap between businesses' perceptions of their cybersecurity preparedness and the reality of their protection measures." The survey shows that while organizations are aware of the risks and the importance of cybersecurity, many are not taking sufficient measures to protect their systems and data.

It is essential for organizations to be transparent about data breaches and take necessary precautions to prevent them. They need to prioritize cybersecurity measures and invest in the latest technologies to protect their data from threats. As Botezatu emphasized, "By underestimating their exposure, businesses are not only putting themselves at risk but also their customers."

According to the poll, firms must act quickly to prevent cybersecurity problems and data breaches. In addition to ensuring they have sufficient security measures in place, companies must be open about any security-related events. Only by implementing these measures can businesses keep the confidence of their customers and safeguard their data from online threats.



Christmas Eve Hack Targets Arnold Clark

Hackers launched a notorious Christmas Eve cyberattack against Arnold Clark, a car dealership. The network issue, which has affected computer and telephone services, has forced the rescheduling of customers who had appointments this week for maintenance and repairs.

Uncertainty surrounds the issue's timing as the vehicle manufacturer operates two dealerships in the town both on Annan Road. This incident is just one indication of how susceptible businesses can be to online crime, especially over the holidays when many firms are less watchful of security precautions than they typically would be.

The company's IT security staff confirmed that, as of right now, there is no proof of client data being compromised when the system fault first surfaced on Christmas Eve.

On Wednesday, an official told the newspaper: "Over the Christmas holiday, we experienced a network issue that had an impact on both our computer and phone systems. Through their investigations so far, our IT security team has verified that there is no proof that any customer data has been hacked. We want to take this chance to express our gratitude to our clients for their understanding and our regret for any trouble this may have caused."

The attack's origin is still an enigma, but it might have been brought on by various factors. It is possible that an employee unintentionally clicked a harmful link or attachment in an email, allowing hackers to access the company's networks. Another theory is that the attack occurred via a zero-day exploit, which refers to a software flaw previously unknown and used by hackers to enter networks before it is too late.

If sufficient cybersecurity precautions are not taken, cyberattacks such as the one Arnold Clark experienced can occur at any moment and cause significant harm. Businesses must ensure they have sufficient safeguards in place, including multi-factor authentication and frequent system updates, as well as educate their personnel on fundamental cybersecurity concepts like avoiding clicking links from unknown sources and maintaining passwords safe and secure.



Google Patched the Eighth Actively Abused Chrome Zero Day This Year

 

The eighth zero-day vulnerability affecting the Chrome browser on Windows, Mac, Linux, and Android platforms has been acknowledged by Google. You can force-update your browser right away, but an urgent remedy for this one problem is currently being rolled out. There will shortly be upgrades for other Chromium-powered browser clients as well. 

Chrome updates that fixed a single security issue used to be very infrequent, and were issued only when a vulnerability was being actively exploited by attackers in the wild before a fix was ready. Updates covering a total of eight of these zero-days were released in 2022.

The most recent is CVE-2022-4135, a high-severity heap buffer overflow flaw in the Chromium GPU. The National Institute of Standards and Technology (NIST) national vulnerability database entry states that the zero-day, which was disclosed by Clement Lecigne of Google's own Threat Analysis Group, could allow an attacker to circumvent the security sandbox (using a malicious HTML website). 

Google has not released any additional information about the zero-day. This is not uncommon with such a vulnerability, as it allows a majority of users to install the update and gain protection before other attackers try their hands at it. All Google has said is that it is "aware that an exploit for CVE-2022-4135 exists in the wild."

Update Your Google Chrome Browser Immediately 

Google has already started rolling out the security update, and the rollout will continue in the coming days. However, users are recommended to force the update process, given that attackers are already known to be exploiting the flaw. This is particularly important for those users who keep large numbers of open tabs and rarely restart the browser, as the update only takes effect after a restart.

Open the settings in the Chrome browser and check whether you have the latest version; if not, a download and installation will start automatically. The security update takes Chrome to version 107.0.5304.121 or .122 for Windows, version 107.0.5304.121 for Mac and Linux, and version 107.0.5304.141 for Android.

ICS Exploits Earn Hackers $400,000 at Pwn2Own Miami Hacking Contest

 

Pwn2Own Miami 2022 has come to an end, and Zero Day Initiative says the competitors earned $400,000 for 26 zero-day exploits (and multiple vulnerability collisions) targeting ICS and SCADA products exhibited during the contest held last week. 

The contest, organized by Trend Micro's Zero Day Initiative (ZDI), saw 11 participants targeting multiple product categories: Control Server, OPC Unified Architecture (OPC UA) Server, Data Gateway, and Human Machine Interface (HMI).

"Thanks again to all of the competitors who participated. We couldn’t have a contest without them," Trend Micro's Zero Day Initiative (ZDI) said today. “Thanks also to the participating vendors for their cooperation and for providing fixes for the bugs disclosed throughout the contest.”

After the security vulnerabilities exploited during Pwn2Own are reported, vendors are given 120 days to release patches before ZDI publicly discloses them.

The highest payout went to Computest Sector 7 researchers Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps). During day one, they earned $20,000 after executing code on the Inductive Automation Ignition SCADA control server solution using a missing authentication vulnerability. 

The same day they used an uncontrolled search path bug to secure remote code execution (RCE) in AVEVA Edge HMI/SCADA software and were awarded $20,000 for their efforts. The next day, Computest Sector 7 exploited an infinite loop condition to trigger a DoS state against the Unified Automation C++ Demo Server and earned $5,000.

Last but not least, on day two of Pwn2Own Miami 2022, the Computest Sector 7 team earned $40,000 for successfully bypassing the trusted application check on the OPC UA .NET standard. This was the maximum amount that Pwn2Own participants could earn for a single exploit, and Computest’s attempt involved what ZDI described as one of the most interesting bugs ever seen at Pwn2Own. In fact, the Computest team earned the most points and a total of $90,000. 

This year's Pwn2Own Miami took place at the S4 conference in Miami South Beach in person and also allowed remote participation. In 2020, in the first edition of Pwn2Own on ICS, participants won a total of $280,000. The event did not take place in 2021 due to the COVID-19 pandemic.

Zero-day Exploit Detected in Adobe Experience Manager

 

A zero-day vulnerability in a prominent content management solution used by high-profile firms such as Deloitte, Dell, and Microsoft has been found. 

The flaw in Adobe Experience Manager (AEM) was detected by two members of Detectify's ethical hacking community.

Adobe Experience Manager (AEM) is a popular content management system for developing digital customer experiences like websites, mobile apps, and forms. AEM has become the primary Content Management System (CMS) for many high-profile businesses due to its comprehensiveness and ease of use. 

The flaw allows attackers to bypass authentication and obtain access to the CRX Package Manager, making applications vulnerable to remote code execution attacks. It affects CRX package endpoints and can be fixed by denying public access to the CRX consoles.

A Detectify spokesperson stated, "With access to the CRX Package Manager, an attacker could upload a malicious package in Adobe Experience Manager to leverage it to an RCE and gain full control of the application."

Ai Ho and Bao Bui, members of Detectify Crowdsource, initially detected the vulnerability in an instance of AEM used by Sony Interactive Entertainment's PlayStation subsidiary in December 2020. Three months later, the AEM CRX bypass was discovered within various Mastercard subdomains. The issues were reported to Sony and Mastercard at the time. 

Mastercard, LinkedIn, PlayStation, and McAfee were among the prominent companies affected by the flaw, according to the members of Detectify. 

A Detectify spokesperson explained: "The CRX Package Manager is accessed by bypassing authentication in Dispatcher, Adobe Experience Manager’s caching and/or load balancing tool. Dispatcher checks user’s access permissions for a page before delivering the cached page and is an essential part of most – if not all – AEM installations. It can be bypassed by adding a lot of special characters in combination in the request." 

Bao Bui, a security researcher and former CTF player with the Meepwn CTF team, began hunting bug bounties around a year ago. Ai Ho, a security engineer and developer, has been involved in the bug bounty industry for two years, developing and releasing his own bug-catching tools on GitHub.

Adobe was notified of the zero-day problem and quickly issued a patch. 

On Detectify's platform, the AEM CRX Bypass zero-day was then implemented as a security test module. "Since it went live in May 2021, around 30 instances of the AEM CRX Bypass vulnerability have been in customers’ web applications," added a Detectify spokesperson. 

So far, Detectify's scans for over 80 specific AEM vulnerabilities have produced over 160,000 hits.

Google Chrome under Threat of Cyberattack as Zero-Day Exploit surfaces


As if it wasn't spooky enough on Halloween night, the Google Chrome technicians were further frightened to announce a critical update notification regarding various browser platforms. Then, what gave Chrome the creeps? Two security vulnerabilities were discovered, out of which one is a Zero-Day exploit in the open!


So, what is the whole story? 

According to Google, "the current Chrome browser (desktop version) is being refreshed to 78.0.3904.87 (a new version) throughout various platforms like Mac, Linux, and Windows. The critical update will begin to work soon. Chrome users are highly suggested to add these updates for safety, unlike the Windows 10 security updates (in which the users were told not to)." At present it is not easy to find any particular information about the two exploits involved, except that the zero-day exploit is already out in the wild.
"Access to flaws and links can be restrained until most of the users are renewed with a solution. The constraints are also said to be kept under hold until the bug that exists (only if) within other party's archives on which alike projects are depending," Google said in justification of the restrictions.

About the Zero-Day Exploit- 

The vulnerability is known as CVE-2019-13720, according to Google. The threat was described on October 29 by Anton Ivanov and Alexey Kulaev, researchers at Kaspersky. "As far as we know, the Chrome update by Google directs loopholes that an intruder could misuse to hack an exploited computer if wanted," said the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) in a statement.

Both vulnerabilities involve memory corruption on the affected computer. The CVE-2019-13721 vulnerability affects the PDFium library, which is responsible for creating PDF files. But it is the latter, CVE-2019-13720, which is said to be exploited in the wild and which affects the audio component of Google Chrome. "Luckily, the threat is not very severe as Google has promptly recognized the flaws. The chances of any real damage in the 'Zero-Day room' are least," says Mike Thompson, application security specialist.

A new zero-day Exploit Leaked to Bypass Already Patched Vulnerability (CVE-2019-0841)



An exploit broker and hacker, SandboxEscaper, made a comeback and published the details of a new zero-day that bypasses the already patched local privilege escalation vulnerability CVE-2019-0841 on Windows 10 and Windows 9 operating server.

The details of the zero-day have been published on GitHub, and the account and repository from which the details were leaked are the same ones attributed to the leaks of 8 other previously released zero-days.

SandboxEscaper has been actively involved in leaking zero-day exploits since August 2018; some of the previously leaked zero-days are listed below:

LPE in Advanced Local Procedure Call (ALPC)
LPE in Microsoft Data Sharing (dssvc.dll)
LPE in the Windows Error Reporting (WER) system
LPE exploit in the Windows Task Scheduler process
Sandbox escape for Internet Explorer 11
Bypass of the CVE-2019-0841 protections
LPE targeting the Windows Installer folder

An attacker who exploits the CVE-2019-0841 vulnerability, which Microsoft patched in April, can then install malicious programs and edit or delete data. The exploit works by deleting all files, folders, and subfolders in the Edge browser.

Commenting on the matter, Will Dormann, Vulnerability Analyst at the CERT/CC, says, “I’ve confirmed that this works on a fully-patched (latest May updates) Windows 10 (1809 and 1903) system. This exploit allows a normal desktop user to gain full control of a protected file.”

“Make sure you have multiple cores in your VM (not multiple processors, multiple cores). It’s going to increase the thread priority to increase our odds of winning the race condition that this exploits.”

Basically, it requires the attacker to log in as a local user and then run the exploit, which triggers the vulnerability; this allows the attacker to access and change system permissions and gain full control of the system, effectively acting as the administrator.


Firefox update fixes critical security vulnerability

Firefox 66.0.1 has been released with fixes for critical security vulnerabilities discovered via Trend Micro’s Zero Day Initiative. The vulnerabilities affect all versions of Firefox below 66.0.1.

An attacker could exploit these vulnerabilities to take complete control of the target system or process.

CVE-2019-9810: Incorrect alias information

Incorrect alias information with IonMonkey JIT compiler for Array.prototype.slice leads to missing bounds check and a buffer overflow.

Bounds checking is a method of detecting whether a value lies within the bounds of a variable; a failed bounds check throws an exception, and a missing check results in security vulnerabilities such as the buffer overflow above.

CVE-2019-9813: IonMonkey type confusion with __proto__ mutations

Mishandling of __proto__ mutations leads to a type confusion vulnerability in IonMonkey JIT code.

A type confusion vulnerability occurs when code does not verify the type of the object it is passed and blindly uses it without type-checking.

By exploiting this vulnerability an attacker can execute arbitrary commands or code on a target machine or in a target process without user interaction.

This vulnerability was discovered by independent researcher Niklas Baumstark, who targeted Mozilla Firefox with a sandbox escape at Trend Micro's Zero Day Initiative contest; he successfully demonstrated the JIT bug in Firefox and earned $40,000 for it.

At the Pwn2Own 2019 contest, researchers exploited multiple bugs in products from leading vendors such as Edge, Mozilla Firefox, Windows and VMware, earning $270,000 USD in a single day by submitting 9 unique zero-day exploits.

The Firefox bug was demonstrated on the second day of the contest by the Fluoroacetate team and the individual security researcher Niklas Baumstark.

Microsoft patches a zero-day exploit vulnerability in Internet Explorer


Although Microsoft has patched a zero-day vulnerability in Internet Explorer, it had already been exploited in attacks involving a compromised website belonging to an evangelical church in Hong Kong.

Users are requested to update their computers as soon as possible.

The vulnerability permits remote code execution when a user views a specially crafted web page using Internet Explorer, after which the attacker gains the same user rights as the current user. Microsoft’s security update resolves this issue by modifying how Internet Explorer handles objects in memory.

First, the attackers compromised the website of the Evangelical Lutheran Church of Hong Kong and modified it to host a malicious iframe, which redirected visitors to another website hosting an exploit for the Microsoft Internet Explorer Remote Memory Corruption Vulnerability (CVE-2015-2502).

According to Symantec, the IP address of this website is 115.144.107.55. The website hosts a file called vvv.html, which redirects to one of two other files called a.js and b.js, which in turn lead to the download of a file called java.html to the victim’s computer. Java.html installs Korplug on the computer, in the form of an executable called c.exe.


Disable Java in your browsers, if installed as researchers spotted new Java based Zero-day Exploit


Researchers from Trend Micro have found suspicious URLs hosting a newly discovered zero-day exploit in Java (a zero-day refers to a hole in software that is exploited by hackers before the vendor becomes aware of it).

Brooks Li, a threat analyst and Feike Hacquebord, a senior threat researcher, who spotted this exploit, said that this was the first time in nearly two years that a new Java zero-day vulnerability was reported.

The researchers learned about this exploit after receiving feedback from their Smart Protection Network.

According to the report, this new zero-day Java exploit is being used in spear-phishing attacks targeting the forces of a certain NATO country and a US defence organization.
This zero-day bug affects only the latest Java version, 1.8.0.45, and not the older versions, Java 1.6 and 1.7.
The vulnerability has still not been patched by the company concerned.

According to the report, the URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm that targeted North Atlantic Treaty Organization (NATO) members and White House last April 2015.

The researchers have asked users to disable Java in their browsers if it has been installed for some application.

Update your Adobe flash player to stay safe


A few days after Microsoft published a security advisory about a new critical security bug in IE that is being used in limited and targeted attacks, Adobe has issued an emergency security update to fix a critical vulnerability (CVE-2014-0515) in Flash Player.

Please note that this is completely unrelated to the IE exploit, in which the bug was in IE and a Flash file (.swf) was used to make the attack successful. In this case, the bug exists in the Flash Player plugin itself.

So, people who use a vulnerable version of Adobe Flash Player are likely to be exposed to this attack.

If you are using Windows or Mac, make sure you have the latest Flash Player version, 13.0.0.206. If you are using Linux, make sure to update to the latest version, 11.2.202.356.

This new zero-day flash exploit was spotted as being used in Watering-hole attacks by researchers at Kaspersky Labs in early April.

According to SecureList, this Flash exploit spread from a Syrian Justice Ministry website (jpic.gov.sy). Researchers believe the attack was designed to compromise the computers of Syrian dissidents complaining about the government.

New Zero-day vulnerability affects all IE Versions from 6 to 11

A new zero-day vulnerability in Internet Explorer affects all IE versions from 6 to 11 and is being exploited in limited and targeted attacks. The worst part is that there is no patch.

The exploit campaign, dubbed "Operation Clandestine Fox" by FireEye, is currently targeting only users of Internet Explorer 9 through IE11.

To get infected with malware, users don't need to open a suspicious email attachment. A simple visit to a malicious web page loaded with this IE exploit code will deliver the malware to your system.

According to the FireEye report, the exploit page loads a malicious Flash file (.swf) that calls JavaScript in IE to trigger the IE vulnerability. The attackers used the Flash file in order to bypass the ASLR and DEP protections and make the attack successful.

What can you do to protect yourself?
Microsoft didn't say when it is going to release the patch. But it has issued a few workarounds for IE users.

One of them is to use the Enhanced Mitigation Experience Toolkit (EMET), free software from Microsoft that helps mitigate the exploitation of vulnerabilities by adding additional protection layers.

Microsoft also suggested a few other workarounds, such as disabling the IE extension VGX.dll by entering the following command in cmd:
"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

New IE Zero-day vulnerability exploited in the wild, infects with malware


New Internet Explorer zero-day vulnerabilities are currently being exploited in the wild in a watering hole attack that infects visitors of malicious websites with malware, security researchers at FireEye Labs warn.
 
One of the vulnerabilities is an information leak that affects IE8 on Windows XP and IE9 on Windows 7. The exploit sends back the timestamp retrieved from the PE header of msvcrt.dll, which is then used to choose the exploit.
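As an added illustration (not code from FireEye's report or the original post), the following Python reads the TimeDateStamp field that the information leak above retrieves from msvcrt.dll's PE header, so a defender can see exactly what that fingerprint value is and how it maps to a build date; the PE image and the timestamp are constructed test data, not a real msvcrt.dll build.

```python
"""Read the TimeDateStamp that the information-leak exploit described above
pulls from msvcrt.dll's PE header. Added example, not code from FireEye's
report or the original post; the PE image and timestamp below are constructed
test data, not a real msvcrt.dll build."""
import struct
from datetime import datetime, timezone

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20  # IMAGE_FILE_HEADER is always 20 bytes


def pe_timedatestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch).

    Layout per the PE/COFF specification:
      offset 0x00  'MZ'                   IMAGE_DOS_HEADER.e_magic
      offset 0x3C  uint32 e_lfanew        file offset of the PE header
      e_lfanew     'PE', 0, 0             NT signature
      +4           uint16 Machine
      +6           uint16 NumberOfSections
      +8           uint32 TimeDateStamp   <- the leaked fingerprint
    """
    if len(image) < 0x40 or image[:2] != DOS_MAGIC:
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # The signature and the whole COFF header must lie inside the buffer.
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(image):
        raise ValueError("e_lfanew points outside the image")
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 4 + 4)
    return stamp


def timestamp_to_utc(stamp: int) -> str:
    """Render the 32-bit link-time stamp as a human-readable UTC date."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def fingerprint(image: bytes):
    """Return (stamp, utc_string), or None when the blob is not a well-formed PE."""
    try:
        stamp = pe_timedatestamp(image)
    except ValueError:
        return None
    return stamp, timestamp_to_utc(stamp)


def build_minimal_pe(stamp: int) -> bytes:
    """Construct a tiny PE-shaped blob for testing (headers only, no executable code)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine=0x014C (i386), NumberOfSections=3, TimeDateStamp,
    # PointerToSymbolTable=0, NumberOfSymbols=0, SizeOfOptionalHeader=0xE0,
    # Characteristics=0x2102 (EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL).
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed sample stamp (2009-07-14 00:00:00 UTC); not the stamp of any real msvcrt.dll.
SAMPLE_STAMP = 1247529600

if __name__ == "__main__":
    result = fingerprint(build_minimal_pe(SAMPLE_STAMP))
    print("TimeDateStamp: 0x%08X -> %s" % result)
    print("Garbage blob:", fingerprint(b"not a PE file at all"))
```

Run against a real msvcrt.dll (read the file's bytes and pass them to fingerprint) to see which build an affected machine would report to such a fingerprinting script.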

The second is a memory access vulnerability whose exploit is designed to work on IE 7 and 8 on Windows XP and Windows 7. The researchers also discovered that the vulnerability itself affects IE 7, 8, 9 and 10.

After successful exploitation, the shellcode used in the exploit launches rundll32.exe and injects malicious code into it. The injected code then downloads and runs a malware file from the attacker's server.

Almost Half of Tor sites compromised by FBI [Exclusive details]

As many of you might know, the US has been pushing for the extradition of Eric Eoin Marques, whom an FBI agent has called "the largest facilitator of child porn on the planet."

But most of you might not know that he is also the owner of "Freedom Hosting", the largest hosting provider for .onion sites within the TOR network. This means that all the sites hosted by "Freedom Hosting" are in the hands of the FBI. As you can see from the above linked article, Freedom Hosting has been accused of hosting child pornography for a very long time.

I also have a fair idea of how the FBI did the "impossible", tracing a person who is using Tor. And they further might have found details on all the people visiting sites hosted by Freedom Hosting. First have a look at what a person posted on pastebin on Aug 3rd, http://pastebin.com/pmGEj9bV: he says he found this code in the main page of "Freedom Host", and it further links to this exploit: http://pastebin.mozilla.org/2776374 .

This is my analysis of the exploit (I have not looked into it deeply as I am busy with my exams):
1. It is a 0-day for the Firefox version that comes by default with the "TOR Browser Bundle".
2. The code "version >=17 && version <18" checks if the browser is the right version that the exploit works on.

It also has another check:
var i = navigator.userAgent.indexOf("Windows NT");
if (i != -1)
    return true;
return false;

3. It also manages to gather the real IP of the user and possibly execute a malicious payload that might give the attacker full access to the system.
4. This exploit works because the people at the TOR project had made it such that JavaScript is loaded by the built-in browser by default (this was not the case before, and people who had their "NoScript" plugin with the proper setting "disallowed" are safe).
5. Please note that this is NOT a zero-day for the TOR network but rather an exploit for the Firefox version that most TOR users are running.

Tor's official reply: https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting


Though the actions taken by the FBI to take down child pornography in the TOR network are appreciated by all of us, many of the legitimate sites hosted by Freedom Hosting are also down. They should make sure that what they do does not kill the freedom and anonymity that the TOR network stands for.


Edit 1: Here are a few other deeper analysis I found --> http://pastebin.mozilla.org/2777139 , http://tsyrklevich.net/tbb_payload.txt

PS: If you have anything more that you would like to be added to this article or any corrections you can contact me on Twitter https://twitter.com/SuriyaMe 

Ichitaro zero-day Vulnerability exploited in the wild, targets Japan users


JustSystems Corporation, the developer of Ichitaro, one of the top Japanese word processors, announced that an arbitrary code execution vulnerability in Ichitaro is being exploited in the wild.

When a user opens a malicious document that exploits this vulnerability, malware is dropped onto the victim's machine. The malware can delete your data, warns JustSystems.

In a report, Symantec said they have seen the exploitation in the wild since mid-January. The attack targets Japan users.

[Image: Malicious attachment. Image credit: Symantec]
According to their report, the attack starts with an archive file containing the following files:
- A clean Ichitaro document (.jtd file)
- A modified JSMISC32.DLL file with a hidden attribute
- A malicious DLL file with a hidden attribute and a .jtd file extension

When the .jtd document is opened on a vulnerable computer, it executes the modified JSMISC32.DLL that further launches the malicious DLL file with the .jtd file extension.
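The following is an added example, not from Symantec's or JustSystems' reports, showing how an analyst could triage an archive for the file pattern just described (a hidden JSMISC32.DLL bundled with a .jtd document, and a .jtd file that is actually a PE image); the archive and its contents are constructed dummies built in memory.

```python
"""Triage an archive for the Ichitaro side-loading pattern described above:
a hidden JSMISC32.DLL bundled with a .jtd document, and a file carrying the
.jtd extension that is really a PE image. Added example, not from Symantec's
or JustSystems' reports; the archive below is a constructed in-memory dummy."""
import io
import zipfile

# MS-DOS FILE_ATTRIBUTE_HIDDEN; zip writers on Windows keep it in the low byte of external_attr.
HIDDEN = 0x02
PE_MAGIC = b"MZ"
DOC_EXTS = (".jtd",)
# Legitimate Ichitaro component that the report says was shipped in modified form.
SIDELOADED_DLL = "jsmisc32.dll"


def is_hidden(info: zipfile.ZipInfo) -> bool:
    return bool(info.external_attr & HIDDEN)


def triage_archive(data: bytes) -> list:
    """Return (filename, reason) findings; an empty list means nothing matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        has_doc = any(i.filename.lower().endswith(DOC_EXTS) for i in infos)
        for info in infos:
            name = info.filename
            lname = name.lower()
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            # Extension says "document", content says "Windows executable".
            if lname.endswith(DOC_EXTS) and head == PE_MAGIC:
                findings.append((name, "document extension but PE (MZ) header"))
            # A DLL that someone went to the trouble of hiding from the user.
            if lname.endswith(".dll") and is_hidden(info):
                findings.append((name, "hidden DLL"))
            # The Ichitaro component travelling next to a document is the side-loading setup.
            if lname == SIDELOADED_DLL and has_doc:
                findings.append((name, "JSMISC32.DLL bundled with a .jtd document"))
    return findings


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed archive mirroring the reported file set (all contents are dummies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.jtd", b"dummy Ichitaro document bytes")
        if malicious:
            dll = zipfile.ZipInfo("JSMISC32.DLL")
            dll.external_attr = HIDDEN
            zf.writestr(dll, PE_MAGIC + b"\0" * 62)  # PE magic only; not executable code
            payload = zipfile.ZipInfo("data.jtd")
            payload.external_attr = HIDDEN
            zf.writestr(payload, PE_MAGIC + b"\0" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_archive(build_sample_archive()):
        print(f"{name}: {reason}")
    print("clean archive findings:", triage_archive(build_sample_archive(malicious=False)))
```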

Ichitaro users are advised to download and apply the patch from JustSystems, to protect against this exploit.