Earlier this year, a new type of trojan caught the attention of ESET researchers. This article will take a deep dive into how the exploit works and briefly describe the final payload.
Researchers at Zimperium, a specialist cybersecurity company, have announced that they have found another major vulnerability in the Android operating system that many of us use on our mobile devices.
A blog post published by Zimperium says “Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files.” The researchers were able to exploit the flaw in devices running Android 5.0 and later, and, according to the blog post, conceptually nearly every single device since Android 1.0, released in 2008, could be affected. According to Zimperium, earlier devices could be impacted through media players and instant messengers that use the Stagefright library.
Media files carry additional information called metadata, which is processed as soon as the file is opened or previewed. This means the video or audio file on the device would not even need to be opened by the user for the attack to occur. The most likely way an attacker would deliver such a file is via a web browser.
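Full technical details of Stagefright 2.0 had not been published when this was written, but the kind of check a media-metadata parser needs can still be illustrated. The following added example (my own code, not Zimperium’s or Android’s) walks the top-level box headers of an MP4 (ISO BMFF) file and rejects any box whose declared size does not fit the bytes actually present; the handling of the 64-bit “largesize” and of size 0 follows the ISO BMFF specification, and the sample inputs are constructed.

```python
import struct

HEADER_LEN = 8         # 32-bit size field + 4-byte box type
LARGE_HEADER_LEN = 16  # header followed by a 64-bit "largesize"

class MalformedBox(ValueError):
    """A box header is inconsistent with the bytes actually present."""

def parse_boxes(data: bytes):
    """Walk the top-level ISO BMFF boxes in `data`; return (type, offset, size) tuples.

    Each declared size is checked against the remaining bytes before it is consumed,
    so an attacker-controlled length can neither overrun the buffer nor stall the loop.
    """
    boxes = []
    offset, total = 0, len(data)
    while offset < total:
        remaining = total - offset
        if remaining < HEADER_LEN:
            raise MalformedBox(f"truncated box header at offset {offset}")
        size, box_type = struct.unpack_from(">I4s", data, offset)
        header_len = HEADER_LEN
        if size == 1:                      # 64-bit largesize follows the type
            if remaining < LARGE_HEADER_LEN:
                raise MalformedBox(f"truncated largesize at offset {offset}")
            (size,) = struct.unpack_from(">Q", data, offset + HEADER_LEN)
            header_len = LARGE_HEADER_LEN
        elif size == 0:                    # box extends to the end of the data
            size = remaining
        # Smaller than its own header: a C parser's offset would stall or go
        # backwards. Larger than what remains: an out-of-bounds read.
        if size < header_len or size > remaining:
            raise MalformedBox(
                f"box {box_type!r} at {offset} declares {size} bytes, {remaining} remain")
        boxes.append((box_type.decode("latin-1"), offset, size))
        offset += size
    return boxes

def is_well_formed(data: bytes) -> bool:
    """True if every top-level box fits the buffer; False on any bad header."""
    try:
        parse_boxes(data)
        return True
    except MalformedBox:
        return False

# Constructed sample inputs (not real files): a minimal 'ftyp' box followed by an
# empty 'free' box, and the same bytes with the 'free' size inflated to 0x7FFFFFFF.
GOOD = struct.pack(">I4s4sI", 16, b"ftyp", b"isom", 0) + struct.pack(">I4s", 8, b"free")
CRAFTED = GOOD[:16] + struct.pack(">I4s", 0x7FFFFFFF, b"free")
```

A real decoder would apply the same check recursively to child boxes and to every length field inside them; the point is that the size is validated before a single byte it governs is read.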
How might this happen in a real environment?
Zimperium has said that it notified Google’s Android Security team in August, and that Google responded quickly to fix the issue. It has also said that full technical details of the exploit will not be released publicly until Google has confirmed that the issue has been fixed and the fix is available to users.
Bugs and vulnerabilities in operating systems are not uncommon. This exploit highlights the need for users to ensure that their devices are running the very latest version of their operating system and applications.
Unfortunately, unlike the first time Stagefright appeared, when disabling the automatic retrieval of MMS messages could prevent your device from being infected, this time we need to wait for the update from Google, our phone carrier as well as our handset manufacturers to make it available to us.
In the meantime there are some precautions you can take:
Remember, the most important thing you can do is keep your operating system and apps up to date. For that extra layer of protection, download AVG AntiVirus for Android to help protect your devices against malicious phishing sites.
Follow me on Twitter @TonyatAVG
This week’s episode of Mr. Robot was an exciting one for us here at Avast – our product made an appearance on the show! In addition to the exploit Avast blocked, there were many other interesting hacks in this week’s episode, which I discussed with Avast security experts Filip Chytry and Jiri Sejtko.
Minute 7:00: Elliot is in his apartment with Isaac and DJ. Something about Vera’s brother, Isaac, bugs Elliot and what does Elliot do when he is bugged by someone? He hacks them!
Stefanie: We see Elliot once again turn to the Linux distribution Kali to hack Isaac’s cell phone. He seems to do this within a matter of seconds; how easy is this to do? Later on, when Elliot visits Vera in prison, we learn that Elliot plans to auto-send information from Isaac’s phone to himself. This seems really intrusive, and couldn’t Isaac just get a new phone?
Filip Chytry: This is a more advanced hack and, unless Elliot had everything prepped before they entered his apartment, this would have taken a lot more time to execute (but this is a TV show, so things sometimes happen faster on TV than they do IRL). The Linux distribution Kali, a popular tool for penetration testing, can be used to plant code on a device. But Isaac’s phone would have had to be connected to either Elliot’s Wi-Fi network, or Elliot could have set up a fake Wi-Fi hotspot using a popular network name like “Starbucks Wi-Fi” or “ATT Wi-Fi”, a Wi-Fi network Isaac’s phone had connected to before and would connect to automatically. Elliot would then use Kali to exploit a vulnerability in Isaac’s phone and plant code to send information from the phone to Elliot’s chosen destination. Since Elliot told Vera about this, Vera could have told Isaac and Isaac could have gotten a new phone, but Isaac was not given a happy end in this episode…
Minute 11:30: Elliot tries to find a way to hack into the prison’s network. Darlene helps him by uploading an exploit onto USB sticks. The USB sticks are branded with E-Corp’s logo to look trustworthy. She drops the USB sticks in the prison’s parking lot. A police officer takes one of the sticks and inserts it into his work PC. First, a window appears saying “get your free $100 eTunes gift card”, and then a window appears asking him what his favorite music genre is. He clicks through several questions – and then BAM! Avast detects the exploit!
Stefanie: Watching this scene, we couldn’t be prouder. Avast detects an exploit in Mr. Robot, this is so exciting! Taking a closer look at Avast’s warning pop-up, we can see the exploit was a Trojan: JS:ScriptPE-inf (Trj). Is this actually a Trojan that exists, or is this made up?
Minute 31:38: While his phone sits at the prison’s security desk, Elliot runs an undetectable signal sniffer on it that will locate any wireless signal in sight. When Elliot exits the prison, he checks the data retrieved from the sniffer and is disappointed to see that the prison’s network uses WPA2 encryption.
Stefanie: Elliot mentions that WPA2 is “borderline unhackable” and then he mentions a handshake? Is WPA2 encryption really that secure and what handshake is he referring to?
Filip: WPA stands for Wi-Fi Protected Access and WPA2 is WPA’s successor, which uses AES (Advanced Encryption Standard). WPA is the best encryption currently available for Wi-Fi, so when Elliot says it is borderline unhackable, he means it! There is one way WPA2 can be hacked, but, as Elliot mentions, it takes a long time to do. When a client connects to an access point, a four-way handshake happens, encrypting messages to confirm that both parties know the so-called PSK (pre-shared key) and PMK (pairwise master key), without revealing them. In order to hack a WPA2 protected network, you have to capture and decrypt the authentication handshake. Capturing the handshake can be easy, but the decryption can be difficult, depending on the Wi-Fi network’s password complexity.
After Elliot gives up on the idea of hacking into the prison’s Wi-Fi, a police car drives by and automatically connects to his smartphone. He says “The mobile feed on the cameras… I don’t need to hack WPA when there is dedicated 4G”. Later, in minute 35:40, we see Elliot hacking a police patrol car. His plan is to connect to the “patrol car’s bluetooth to run the exploit on the PLC”. He is successful and gives the order “at 9:49, all the cell doors should open”.
Stefanie: What’s a PLC?
Jiri: PLC stands for “programmable logic controller”; it’s a computer usually used in industrial environments. The most famous PLC attack vector is probably Stuxnet, which was designed to monitor Siemens machines in Iranian nuclear facilities and manipulate the centrifuges’ rotor speed.
Stefanie: In the case of Mr. Robot, the PLC is used in the prison to control the locks of the cell doors.
Jiri: Yes, PLC-based systems are heavily used in prisons; there are prisons in the U.S. where PLCs control over 900 doors. Security researchers mentioned concerns about prison PLC systems’ vulnerabilities years ago already, and Sam Esmail, the producer and writer of Mr. Robot, cleverly ties these concerns into the story. Potential exploits are also presented in the open source Metasploit Framework, which is a tool for developing and executing exploit code – so basically, every script kiddie can (ab)use it.
Stefanie: Sounds scary. How could a PLC be protected from an exploit?
Jiri: System administrators should make sure that the PLC firmware and controlling software are patched and always up to date. They should also use proper network segmentation to prevent access to the PLC network from other local networks – air gaps – like the one in Mr. Robot, where the PLC could be accessed via the patrol car’s laptop. Also, physical media like USB flash disks and mobile phones should be restricted from accessing the PLC.
Stefanie: Sounds pretty simple in a way… Has anyone ever broken out of prison by hacking into the prison’s system?
Filip: There are many ways prisoners can use technology to “hack” themselves out of prison. Earlier this year, a criminal imprisoned in a jail near London managed to escape the prison using social engineering. He set up a fake web domain that resembled the domain of the court responsible for him. He then used this domain in an email he sent to the prison’s custody inbox, including the message that he should be released. His escape was noticed only three days later, when solicitors were supposed to interview him.
The (cyber)criminal was caught again some time later, but this story shows that a jailbreak via “hack” isn’t that unrealistic in today’s world.
Thank you Jiri and Filip for taking the time to discuss this week’s Mr. Robot hacks!
Which hack did you find most interesting in the episode? Let us know in the comments below.
Wow, that sentence sounds rather boring, right? Well, let’s elaborate a bit. If you are an avid PC gamer you most likely know Steam, and if you are into playing (or watching) gamers compete in Multiplayer Online Battle Arenas (MOBAs), you also might have noticed that some of the more famous DotA 2 players got their accounts stolen. Of course their accounts were not the only ones affected, but they were definitely the most noticeable ones.
What happened is that Steam apparently had a rather big loophole in its system: One could access another account with only the username – and it was as simple as eating pie. Just take a look at the video below and be amazed:
The issue is now fixed, after Valve learned of it on July 25th – so if you are a gamer with a lot of games in your Steam library (or a professional DotA/CS:GO player) you can relax.
According to Kotaku, Valve released a statement to those affected:
“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.
We apologize for any inconvenience.”
Yesterday Microsoft released an emergency security update for all supported Windows versions (this means Windows 7, Windows 8/8.1, Windows RT and apparently even the unreleased Windows 10). The patch fixes a flaw that would allow hackers to gain access to another computer easily. According to the company, the flaw lies in the way the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts.
“An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft says in their security bulletin. “There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.”
Microsoft also says that, while it had information indicating that the issue was public, there is no evidence that the vulnerability was used in any actual attack on customers.
The vulnerability itself was apparently found after going through loads of data from the Hacking Team email breach.
Hacker Mateusz Jurczyk from Google’s Project Zero disclosed 15 remote execution vulnerabilities, most of them for Windows and the Adobe Type Manager Font Driver. He presented his findings at the Recon security conference and aptly named his research “One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation”.
According to his blog, the most serious and interesting security issue he has discovered so far was a really reliable BLEND instruction exploit. Jurczyk writes that “the extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far.”
He also shared two videos in which he shows how he successfully exploits Adobe Reader 11.0.10 using the BLEND vulnerability (CVE-2015-3052), accompanied by sandbox escapes via ATMFD.DLL in the Windows Kernel as well as a “Registry Object” vulnerability on x64 builds (CVE-2015-0090).
The post Time to Patch: Loads of Security Issues in Adobe Reader and Microsoft Windows appeared first on Avira Blog.
You might have heard of the security issue with Galaxy phones that was everywhere in the media this week. If not, let me fill you in:
Samsung phones come preinstalled with SwiftKey, a very popular alternative keyboard for Android and iOS. Security researchers from NowSecure discovered a vulnerability in the update mechanism of the customized SwiftKey version that Samsung ships on most Galaxy phone models.
According to NowSecure, “a remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. This can be exploited in a manner that requires no user interaction — a user does not have to explicitly choose to download a languagePack update to be exploited.”
Samsung itself played the issue down and stated that a “very specific set of conditions” needs to be met for the attack to be successful. Nonetheless, a patch will be made available soon – after all, more than 600 million Samsung Galaxy phones are affected. The drawback is that only devices that have Samsung’s Knox security platform installed will profit from the updates. “For the devices that don’t come with KNOX by default, we are currently working on an expedited firmware update that will be available upon completion of all testing and approvals,” the company says in its statement.
Six university researchers discovered high-impact “zero-day” security weaknesses in iOS and Mac, which can be abused by getting a malicious app approved by the Apple app store – something they managed to do without any issues. Through this app they were able to access sensitive data from other apps – with dire consequences. The researchers state that “our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome […]”
It does sound unbelievable, doesn’t it? Just take a look at the video below to see a malicious sandboxed app on OS X steal all private notes in the Evernote app:
Or how about a look at how it is able to steal any websites’ passwords:
According to their research, 88.6% of the apps they tested were found to be completely exposed to the XARA attacks. This includes popular apps like Evernote, WeChat, and 1Password: “In our study, we downloaded 1,612 free apps from the MAC App Store. These apps cover all 21 categories of the store, including social networking, finance, business, and others. In each category, we picked up all the free apps when less than 100 of them are there, and top 100 otherwise. Also from the iOS App Store, we collected 200 most popular apps, 40 each from “All Categories”, “Finance”, “Business”, “Social Networking” and “Productivity”, after removing duplications.”
The researchers informed Apple about the issues in October 2014; a fix still seems to be outstanding.
Take a look at the research paper to read all about the issue.
The post XARA – With This Exploit Hackers Can Steal Your Passwords appeared first on Avira Blog.