Arris / Motorola Modems have multiple vulnerabilities and backdoor accounts


Security researcher Joe Vennix has discovered multiple vulnerabilities in the ARRIS / Motorola SURFboard SBG6580 series Wi-Fi cable modem that could allow attackers to take control of its web interface.

One of the flaws (CVE-2015-0964) is a stored cross-site scripting vulnerability in the firewall configuration page that lets an authenticated attacker inject JavaScript capable of performing any action available in the web interface.

The second vulnerability is a login cross-site request forgery (CSRF): a login can be performed "on behalf of the victim's browser by an arbitrary website, without the user's knowledge."

On top of this, the device ships with pre-installed backdoor accounts. Devices tested by the researcher had an account called "technician" with the password "yZgO8Bvj".

"Other accounts may be present as installed by service providers and resellers," the Rapid7 post reads.

Rapid7 has published a Metasploit module that "takes advantage of all three vulnerabilities to place an arbitrary internal endpoint in the DMZ of the affected network, thus exposing all running services to direct Internet access."

The module can also harvest the list of registered DHCP clients, including their IPs, hostnames and MAC addresses.
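The two web defects above, a stored XSS in a configuration page and a login that any site can trigger, are shown here beside the checks that close them. This is an added example, not Rapid7's module and not the modem's firmware; the page and field names, the session dictionary and the origin values are assumptions made for illustration.

```python
import html
import hmac
import secrets
from typing import Optional


# --- Stored XSS in a configuration page --------------------------------------

def render_rule_row_unsafe(rule_name: str) -> str:
    """Vulnerable pattern (assumed to resemble the flaw described): a user-supplied
    firewall rule name is concatenated straight into the HTML the page later
    serves to every admin who views it, so a stored payload runs in their session."""
    return "<tr><td>" + rule_name + "</td></tr>"


def render_rule_row(rule_name: str) -> str:
    """Hardened: escape on output, so a stored '<script>' renders as text."""
    return "<tr><td>" + html.escape(rule_name, quote=True) + "</td></tr>"


# --- Login CSRF: bind the login form to the visitor's own pre-login session ---

def issue_csrf_token(session: dict) -> str:
    """Generate a per-session token and embed it in the login form (hypothetical
    session store; a real device would keep this server-side)."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def login_request_allowed(session: dict, form_token: Optional[str],
                          origin_header: Optional[str], site_origin: str) -> bool:
    """Accept a login POST only if it carries the token issued to this session
    and, when the browser sent an Origin header, that origin is our own.
    A form auto-submitted from an attacker's page has neither."""
    expected = session.get("csrf")
    if not expected or not form_token:
        return False
    if not hmac.compare_digest(expected, form_token):   # constant-time compare
        return False
    if origin_header is not None and origin_header != site_origin:
        return False
    return True
```

The token must be tied to a session that exists before login; a token the attacker can read or guess, or a check that is skipped when the field is simply absent, re-opens the hole.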

Personal data exposed as Linux Australia server hacked


Linux Australia, an organisation of open-source and free-software user groups, has revealed that one of its servers was hacked and that the personal details of conference attendees may have been accessed.

According to the organisation, only personal data, including the names, street addresses, phone numbers and email addresses of delegates to Linux Australia conferences and PyCon, was exposed. No financial data was exposed, because payments are handled by a third-party payment system.

The server was attacked on March 22, but Linux Australia only discovered the breach on March 24, after the conference management software Zookeepr started sending a large number of error-report emails.

The attacker used a then-unknown vulnerability to trigger a remote buffer overflow and gain full control of the server hosting the data, installing a remote access tool and then botnet command-and-control software.

Joshua Hesketh, Linux Australia’s president, wrote: “It is the assessment of Linux Australia that the individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server. A remote access tool was installed, and the server was rebooted to load this software into memory. A botnet command and control was subsequently installed and started. During the period the individual had access to the Zookeepr server, a number of Linux Australia’s automated backup processes ran, which included the dumping of conference databases to disk.”

In response, Linux Australia decommissioned the compromised server and announced improvements to its architecture and security.

‘Trojan.Laziok’ Malware targets energy sector in Middle East

Image Credits: Symantec
Symantec has detected Trojan.Laziok, which acts as a reconnaissance tool that lets attackers gather data about compromised computers.

Between January and February, Symantec observed a "multi-staged, targeted attack campaign" against energy companies around the world, with a focus on the Middle East.

According to a blog post by Symantec's Christian Tripputi, the attack starts with spam emails sent from the moneytrans[.]eu domain, which acts as an open-relay SMTP server. The emails carry a malicious Excel attachment containing an exploit for the Microsoft Windows Common Controls ActiveX Control remote code execution vulnerability (CVE-2012-0158). If the user opens the attachment, the exploit runs and drops Trojan.Laziok on the computer.

To hide itself, the Trojan creates a folder under the %SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle directory and renames itself to well-known file names such as:

%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\search.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\ati.exe  
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\smss.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\key.exe  
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe

Trojan.Laziok then begins its reconnaissance, collecting system configuration data such as the computer name, installed software, GPU and CPU details, antivirus software, RAM size and hard disk size.
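The masquerading trick above (lsass.exe, smss.exe, taskmgr.exe, chrome.exe living under an Application Data folder) is cheap to catch from a process listing: the file name is familiar, the directory is not. The following is an added example, not Symantec's detection logic. The expected-directory table and the data-directory markers are assumptions chosen for this example, and the process list is constructed to mirror the Laziok paths listed above.

```python
import ntpath
from typing import Dict, List, Tuple

# Directory suffixes where each borrowed name legitimately lives (lower-case,
# backslash form). Suffix matching lets per-user browser installs pass; a
# production rule should resolve %SystemRoot% rather than assume C:\Windows.
EXPECTED_DIRS: Dict[str, List[str]] = {
    "lsass.exe":   [r"\windows\system32"],
    "smss.exe":    [r"\windows\system32"],
    "taskmgr.exe": [r"\windows\system32", r"\windows\syswow64"],
    "chrome.exe":  [r"\google\chrome\application"],
}

# Writable data directories that no core binary should execute from (assumed list).
DATA_DIR_MARKERS = ("\\application data\\", "\\programdata\\", "\\appdata\\")


def normalize(path: str) -> str:
    """Lower-case, backslash-only form with the common env vars expanded."""
    p = path.replace("/", "\\").lower()
    return p.replace("%systemdrive%", "c:").replace("%systemroot%", r"c:\windows")


def classify(path: str) -> Tuple[str, str]:
    """Return (verdict, detail): 'masquerade', 'exe-in-data-dir' or 'ok'."""
    p = normalize(path)
    name = ntpath.basename(p)
    parent = ntpath.dirname(p)
    if name in EXPECTED_DIRS:
        # A known name is only 'ok' if it runs from one of its known homes.
        if any(parent.endswith(suffix) for suffix in EXPECTED_DIRS[name]):
            return ("ok", "")
        return ("masquerade", "%s running from %s" % (name, parent))
    if name.endswith(".exe") and any(m in parent + "\\" for m in DATA_DIR_MARKERS):
        return ("exe-in-data-dir", "%s running from %s" % (name, parent))
    return ("ok", "")


def scan(image_paths: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over a list of process image paths, keeping only findings."""
    findings = []
    for path in image_paths:
        verdict, detail = classify(path)
        if verdict != "ok":
            findings.append((path, verdict, detail))
    return findings


# Constructed process listing (not real telemetry) mirroring the Laziok paths.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\smss.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\lsass.exe",
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\taskmgr.exe",
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\chrome.exe",
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\System\Oracle\azioklmpx\admin.exe",
]

if __name__ == "__main__":
    for path, verdict, detail in scan(SAMPLE_PROCESSES):
        print(verdict, detail)
```

The first rule is high confidence (there is no legitimate lsass.exe outside System32); the second is a low-confidence hint that needs a second signal, such as the file's signature status or its creation time, before it is worth an alert.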


Once they have the system configuration data, the attackers infect the computers with additional malware, distributing customised copies of Trojan.Zbot and Backdoor.Cyberat tailored to the compromised computer's profile.

Symantec and Norton products have protections in place against this campaign.

Malware infections through spam campaigns can be avoided by not clicking links in unsolicited, unexpected or suspicious emails; not opening attachments in such emails; using comprehensive security software such as Symantec Endpoint Protection or Norton Security; taking a layered approach to security; keeping security software up to date; and applying patches for installed software promptly.

The 64 bit version of NewPosThings malware is here

A new 64-bit version of NewPosThings, a point-of-sale malware family, has come to light. The 32-bit version of NewPosThings was discovered by Arbor Networks in September last year.

The recent developments were reported by Trend Micro threat analyst Jay Yaneza, who found the malware now targeting 64-bit systems in addition to the 32-bit systems it affected initially.

According to SC Magazine, Yaneza wrote: “Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines. These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.”

Researchers have observed the malware evolving continuously, with each version adding capabilities aimed at the POS machine.

Hackers target Executive club members of British Airways

Being an Executive Club member at British Airways (BA) does not guarantee better security against hackers. Thousands of members found this out to their cost when BA confirmed that accounts had been hacked.

According to the company, it was not a direct attack on the central database; the attackers targeted individual account holders using information about them available elsewhere on the internet. The company also maintained that only “a small number of frequent flyer Executive Club accounts” had been affected and that, while there had been some unauthorised activity, no sensitive information had been leaked.

Although the company said the attackers had not reached subsequent pages such as travel histories or payment card details within accounts, BA Executive Club (BAEC) members have complained on forums that their Avios points were stolen. Avios points, accumulated through frequent travel, can be spent on other flights or upgrades. Tier points were not affected by the hack.

One user wrote, “My Avios balance, which was 46,418 yesterday, is suddenly zero.” Another said, “217,000 taken from my account this morning. 30 minute hold on the silver line.”
Others report that they cannot access their accounts at all, with their BAEC number not being recognised. The company responded that the accounts were locked as a response to the breach and that all points would be reinstated.

Some BAEC members affected by the issue have received emails asking them to change their passwords; those who have not, but are still locked out of their accounts, can call customer services.

For customers wanting to book flights now, redemption bookings with points may not be available until the matter is resolved, but availability can still be checked.

Alternatively, where the option exists, one can try booking through Avios.com, which has not been affected.

With so many cases outstanding, however, it is best to wait a few days until the situation becomes clearer.

Banking Trojan Vawtrak

The banking Trojan Vawtrak (aka Neverquest or Snifula), which also uses the Pony module to steal a wide range of login credentials, has been proliferating rapidly over the last few months.

The USA, Germany, the UK and the Czech Republic are the top affected countries this year.

While Trojans like this are not new, what makes Vawtrak remarkable is its multi-layered concealment and the wide range of functions it can execute.

Vawtrak spreads via drive-by download, as spam email attachments or links to compromised sites, through malware downloaders such as Zemot or Chaintor, or through exploit kits such as Angler.

Tracking Vawtrak, AVG has published a detailed analysis of its installation and functionality.

Installation
The Trojan was delivered by a spam email posing as an Amazon message, containing a link to a zip archive hosted on a compromised WordPress site. The delivered file, actually an executable, tried to pass as both a PDF and a screen saver. It installed itself on the system and ensured persistence by registering itself for auto-execution at Windows start-up. Without causing visible changes on the system, it then dropped a DLL into the program folder and deleted its original copy.

This shorter second DLL decrypts its payload, which looks like a normal Windows executable but is a compressed file. The decompressed file replaces the second DLL and extracts the final module, itself compressed, which contains another two DLLs. The appropriate DLL then executes Vawtrak's main functionality.

Functionality
Once running, Vawtrak disables the protection of almost all known antivirus products, steals passwords from browsers (even obscure ones such as K-Meleon or Flock) and other applications, steals browser history, modifies browser settings, logs keystrokes, takes screenshots or records user actions on the desktop, and enables remote access to the victim's system.

It also communicates with remote command-and-control (C&C) servers, executing commands sent from them, sending stolen information, and downloading new versions of itself and web-injection frameworks.
One notable feature is that it can reach update servers hosted as Tor hidden services via a Tor2web proxy, without installing any special software such as the Tor Browser. Communication with the remote server is done over SSL, adding a further layer of encryption, and the updates are hidden with steganography, so the user remains unaware of the Trojan's operation and updating.
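The Tor2web detail above is useful to defenders: a Tor2web gateway exposes a hidden service under a public DNS name of the form <onion-address>.onion.<gateway-domain>, so a host with an "onion" label in the middle of an ordinary name is a strong signal even when the payload itself is encrypted. The following is an added example, not AVG's code, that flags such destinations in a proxy log. The log format is constructed for this example (timestamp, client, method, host:port, status), and the onion addresses and gateway domains in the sample are made up.

```python
import re
from typing import Dict, List, Optional

# Tor hidden-service address labels: 16 base32 chars (v2) or 56 (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def tor2web_hostname(host: str) -> Optional[Dict[str, str]]:
    """If host looks like <onion-address>.onion.<gateway>, return the hidden
    service and the gateway domain; otherwise None. A bare *.onion name with
    no gateway suffix never resolves in public DNS, so it is not reported."""
    labels = host.lower().rstrip(".").split(".")
    for idx, label in enumerate(labels):
        if label == "onion" and 0 < idx < len(labels) - 1:
            addr = labels[idx - 1]
            if ONION_LABEL.match(addr):
                return {"onion": addr + ".onion", "gateway": ".".join(labels[idx + 1:])}
    return None


def find_tor2web(log_text: str) -> List[Dict[str, str]]:
    """Scan proxy log lines '<ts> <client> <method> <host:port> <status>' (a
    constructed format) and report every Tor2web destination with its client."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = parts[3].rsplit(":", 1)[0]      # drop the port
        info = tor2web_hostname(host)
        if info:
            hits.append({"client": parts[1], "host": host, **info})
    return hits


# Constructed sample log; addresses and gateways are invented for the example.
SAMPLE_LOG = """\
1427500000.123 10.0.0.12 CONNECT abcdefghijklmnop.onion.to:443 200
1427500001.456 10.0.0.12 CONNECT www.example.com:443 200
1427500002.789 10.0.0.33 CONNECT zyxwvutsrqponmlk.onion.cab:443 200
1427500003.000 10.0.0.33 CONNECT onion.example.org:443 200
1427500004.000 10.0.0.40 CONNECT notanonionaddr.onion.link:443 200
"""

if __name__ == "__main__":
    for hit in find_tor2web(SAMPLE_LOG):
        print(hit["client"], "->", hit["onion"], "via", hit["gateway"])
```

Because the TLS session terminates at the gateway, not at the hidden service, the hostname (from the CONNECT request or the SNI) is usually the only artefact you get; matching on the address shape rather than on a list of gateway domains keeps the rule working when the operators move to a new proxy.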

Vawtrak is not as advanced as some other banking Trojans, but its actions are aggressive and may cause stability or performance issues on infected machines.

Staying vigilant about phishing and online scams is the most effective way of avoiding Vawtrak, but since it can still arrive without the user's direct interaction, an up-to-date antivirus solution is essential.

For full analysis of the Trojan, read the complete report by AVG.

Passwords stolen for Windows users of Puush


Over the weekend the servers of the screenshot-sharing app Puush were hacked, and a malware-infected build was served to Windows users as an update.

The affected version, r94, downloads malware that grabs passwords from infected systems. That update has been taken offline; the latest release, r100, is available for download, will tell you whether you were infected, and removes the malware.

The company noted that only the Windows version of the app was affected; the iOS and OS X apps are safe.

According to the statement released by the company, "The malware may be collecting locally stored passwords, but we are yet to confirm these have been transmitted back to a remote location. We have been running the malware in sandboxed environments and have not been able to reproduce any such behaviour. Even so, we recommend you change any important passwords which were stored on your PC (unless they were in a secure password manager). This includes chrome/firefox saved passwords."

The company has also made a standalone removal and cleanup tool available for users who may no longer want to use Puush.

“We have created a cleaner for people who do not wish to continue using puush. It is stand-alone and will tell you if you were infected (assuming you have not already updated to r100).”

It can be obtained here: http://puush.me/dl/puush_is_sorry.exe

UK based gaming company Multiplay reports unauthorised access of servers, sounds warning bell

Multiplay, a gaming events company recently bought by the retailer GAME, has alerted its users to a potential breach of its network.

Multiplay raised the alarm by emailing its users, encouraging them to change their passwords after the company detected unauthorised access to its systems. Multiplay assured users that no payment information was leaked, as such information is not stored on its servers.

Multiplay confirmed the email on its Twitter account as well and asked users to follow the instructions in it.

There is speculation that the breach is the work of gamers unhappy with Multiplay's recent acquisition by GAME.

The move has been seen as an attempt to undermine this year's Insomnia gaming festival, hosted by Multiplay.

Security flaw in Hotel Wi-Fi could allow hackers to infect Guests' system with malware

The security company Cylance discovered a vulnerability (CVE-2015-0932) in ANTlabs InnGate devices, which provide Wi-Fi access in hotels, convention centres and similar venues; ANTlabs issued a public advisory about it on March 26.

In its advisory ANTlabs warns, "An incorrect rsync configuration on certain models of our gateway products allows an external system to obtain unrestricted remote read/write file access.”

Researcher Brian Wallace wrote in a detailed blog post that “Remote access is obtained through an unauthenticated rsync daemon running on TCP 873. Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction.”

In his blog post, Brian Wallace explains that with full read and write access, an attacker could upload a backdoored version, or add a user with root-level access and a password known to the attacker. “Once this is done the endpoint is at the mercy of the attacker.”

According to Cylance researchers there are 277 vulnerable devices in 29 countries, including the United States, Cuba, Australia and Italy, that can be exploited directly from the Internet.

The DarkHotel APT campaign, which specifically targeted executives via Wi-Fi networks at luxury hotels, was uncovered by Kaspersky Lab researchers last fall. This vulnerability could be leveraged for a similar attack.

According to the blog post, “The DarkHotel campaign was carried out by an advanced threat actor with a large number of resources, CVE-2015-0932 is a very simple vulnerability with devastating impact. The severity of this issue is escalated by how little sophistication is required for an attacker to exploit it."

Wallace added, “Targets could be infected with malware using any method from modifying files being downloaded by the victim or by directly launching attacks against the now accessible systems. Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do.”

Where InnGate devices are integrated with a Property Management System (PMS), the software hotels use to coordinate their operations, the devices store credentials for the PMS, so an attacker could potentially gain full access to the PMS as well.

The vulnerability can be mitigated by blocking the unauthenticated rsync service from the Internet: a TCP deny rule for port 873 on the network device upstream of the affected InnGate.
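An rsync daemon that answers on TCP 873 and lists its modules to an anonymous client is exactly the exposure described above, and it is quick to check from the outside. The following is an added example, not Cylance's or ANTlabs' code. It assumes the classic rsync daemon handshake (the server greets with "@RSYNCD: <version>", the client echoes a version and sends "#list", and the listing ends with "@RSYNCD: EXIT"); the host, port and the sample reply are constructed, and the live check must only be run against systems you are authorised to test.

```python
import socket
from typing import List, Tuple

RSYNC_PORT = 873


def parse_module_list(reply: str) -> List[Tuple[str, str]]:
    """Parse a daemon's reply to '#list': one module per line as
    'name<tab>comment', terminated by '@RSYNCD: EXIT'. Other '@RSYNCD:' lines
    are protocol chatter. Modules configured with 'list = no' are not shown,
    so an empty result does not prove the daemon exports nothing."""
    modules = []
    for line in reply.splitlines():
        if line.startswith("@RSYNCD:"):
            if line.strip() == "@RSYNCD: EXIT":
                break
            continue
        if not line.strip():
            continue
        name, _, comment = line.partition("\t")
        modules.append((name.strip(), comment.strip()))
    return modules


def list_rsync_modules(host: str, port: int = RSYNC_PORT,
                       timeout: float = 5.0) -> List[Tuple[str, str]]:
    """Connect, echo the daemon's protocol version, send '#list' and return the
    modules it shows to a client that presented no credentials at all."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = sock.recv(256).decode("ascii", "replace")   # '@RSYNCD: 31.0 ...'
        if not greeting.startswith("@RSYNCD:"):
            raise RuntimeError("not an rsync daemon: %r" % greeting)
        version = greeting.split()[1]
        sock.sendall(("@RSYNCD: %s\n" % version).encode("ascii"))
        sock.sendall(b"#list\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"@RSYNCD: EXIT" in data:
                break
    return parse_module_list(b"".join(chunks).decode("ascii", "replace"))


def is_unauthenticated_rsync_exposed(host: str, port: int = RSYNC_PORT) -> bool:
    """True if the daemon answers and lists at least one module anonymously."""
    try:
        return len(list_rsync_modules(host, port)) > 0
    except (OSError, RuntimeError):
        return False


# Constructed reply, as a daemon exporting two unprotected modules would send it.
SAMPLE_REPLY = ("@RSYNCD: 31.0\n\n"
                "config         \tgateway configuration\n"
                "firmware       \t\n"
                "@RSYNCD: EXIT\n")

if __name__ == "__main__":
    for name, comment in parse_module_list(SAMPLE_REPLY):
        print("module %-10s %s" % (name, comment))
```

A listing proves anonymous read of the module table, not write access; confirm the latter with the owner's authorisation using `rsync --list-only rsync://host/module/` and a dry-run upload. On the daemon side the fix is in rsyncd.conf: `hosts allow` restricted to the management network, `auth users` with a `secrets file`, `read only = yes` on anything that does not need writes, plus the upstream block of TCP 873 the advisory recommends.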

Slack hacked, over 100k users data compromised


Slack, a team communication tool, has suffered a security breach of its central user database, potentially leaving users' login credentials in the hands of hackers.

Slack launched in 2013, and its Android application has been downloaded by more than 100,000 users so far (according to the Google Play store).

The company confirmed the breach in a blog post. The unauthorised access lasted about four days in February.

The database accessed by the intruders contained usernames, email addresses and hashed passwords. It also contained optional data added by users, such as phone numbers and Skype IDs.

On the bright side, Slack did not store passwords in plain text: they were hashed with bcrypt and a randomly generated per-user salt. That does not mean an attacker cannot recover them; salted bcrypt only makes cracking slow, which buys users time to change their passwords. No financial or payment data was compromised in this attack.

In the wake of the breach, the company has strengthened its authentication. One measure is "2-step authentication", which requires a verification code in addition to your normal password whenever you sign in to Slack. Let us hope the company also fixes any other vulnerabilities in its website.

Android users worldwide exposed to Malware risks

Palo Alto Networks has confirmed the discovery of a vulnerability in the way Android installs applications that can leave users exposed to malware able to take control of the whole device. They have named the vulnerability "Android Installer Hijacking".

The vulnerability is a time-of-check to time-of-use (TOCTTOU) race, discovered by Palo Alto in January last year. In simple terms, the user checks and approves one application, but the package is swapped during installation, so malware is installed instead.

The risk is concentrated on people who install apps from third-party application stores, which download the APK to the phone's unprotected local storage rather than the protected area the Play Store downloads and installs from.
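The race is generic to any installer that reads a file from world-writable storage twice, once to show the user what it is and once to install it. The following is an added example, not Palo Alto's proof of concept and not Android code: a fake package format (a JSON manifest) stands in for an APK, the "public" and "private" directories are temporary directories, and the attacker's swap is a callback invoked in the window between approval and install. The hardened flow copies the package into private storage before it checks anything and installs the bytes it verified.

```python
import json
import os
import shutil
import tempfile
from typing import Callable, Optional

# Stand-in for a real APK: a JSON manifest (constructed format for this example).
BENIGN_APK = json.dumps({"name": "Game", "permissions": ["INTERNET"]}).encode()
MALICIOUS_APK = json.dumps({"name": "Game",
                            "permissions": ["INTERNET", "READ_SMS", "SEND_SMS"]}).encode()

Manifest = dict
Approver = Callable[[Manifest], bool]


def parse_manifest(package_bytes: bytes) -> Manifest:
    return json.loads(package_bytes.decode("utf-8"))


def install_unsafe(public_path: str, user_approves: Approver,
                   between: Callable[[], None]) -> Optional[Manifest]:
    """Vulnerable flow: parse the file to show permissions (check), then later
    re-open the same world-writable path to install (use). Whoever can write
    that path in between decides what actually gets installed."""
    with open(public_path, "rb") as f:
        shown = parse_manifest(f.read())
    if not user_approves(shown):
        return None
    between()                                   # the race window
    with open(public_path, "rb") as f:
        return parse_manifest(f.read())         # installs whatever is there now


def install_safe(public_path: str, user_approves: Approver,
                 between: Callable[[], None]) -> Optional[Manifest]:
    """Hardened flow: copy into app-private storage first, then check and
    install from that private copy only. The public file is never consulted
    again, so swapping it changes nothing."""
    private_dir = tempfile.mkdtemp(prefix="installer-private-")
    private_copy = os.path.join(private_dir, "base.apk")
    shutil.copyfile(public_path, private_copy)
    with open(private_copy, "rb") as f:
        data = f.read()
    shown = parse_manifest(data)
    if not user_approves(shown):
        return None
    between()                                   # same window, now harmless
    return parse_manifest(data)                 # install the bytes we verified


def simulate(installer) -> Optional[Manifest]:
    """Drop a benign package in 'public' storage, let the attacker swap it for
    the malicious one during the window, and return what got installed."""
    public_dir = tempfile.mkdtemp(prefix="sdcard-")
    public_path = os.path.join(public_dir, "game.apk")
    with open(public_path, "wb") as f:
        f.write(BENIGN_APK)

    def attacker_swaps_file():
        with open(public_path, "wb") as f:
            f.write(MALICIOUS_APK)

    def user_approves(manifest: Manifest) -> bool:
        return manifest["permissions"] == ["INTERNET"]   # user only saw INTERNET

    return installer(public_path, user_approves, attacker_swaps_file)


if __name__ == "__main__":
    print("unsafe installed:", simulate(install_unsafe)["permissions"])
    print("safe installed:  ", simulate(install_safe)["permissions"])
```

The general rule: verify and consume the same bytes. If the installer must go back to the filesystem, it should go back to a location only it can write, or re-check a digest taken at approval time and abort on mismatch.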

Google's security team was informed of the vulnerability a month after Palo Alto found it. It can be used to exploit an Android device in various ways, putting users' credit card information at risk, among other things.

According to Palo Alto's disclosure timeline the vulnerability has existed for a year, and measures such as vulnerability scanners have been put in place to mitigate it.