Posts Tagged ‘flash’

Immediately Patch Microsoft 0 day vulnerabilities being used to spread SPYWARE!

Thursday, September 14th, 2017

 

Windows 0-Day Flaw

Get ready to install a fairly large batch of security patches onto your Windows computers.

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.

 The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE).

Affected Microsoft products include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services and Web Apps
  • Adobe Flash Player

.NET 0-Day Flaw Under Active Attack

According to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild.

Here’s the list of publically known flaws and their impact:

Windows .NET Framework RCE (CVE-2017-8759)—A zero-day flaw, discovered by researchers at cybersecurity firm FireEye and privately reported it to Microsoft, resides in the way Microsoft .NET Framework processes untrusted input data.

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

The flaw could even allow an attacker to create new accounts with full user rights. Therefore users with fewer user rights on the system are less impacted than users who operate with admin rights.

According to FireEye, this zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.

Once infected, FinSpy can perform a large number of secret tasks on victims computer, including secretly monitoring computers by turning ON webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

Three Publicly Disclosed Vulnerabilities

The remaining three publicly known vulnerabilities affecting the Windows 10 platform include:

  • Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
  • Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
  • Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

BlueBorne Attack: Another Reason to Install Patches Immediately

Also, the recently disclosed Bluetooth vulnerabilities known as “BlueBorne” (that affected more than 5 Million Bluetooth-enabled devices, including Windows, was silently patched by Microsoft in July, but details of this flaw have only been released now.

BlueBorne is a series of flaws in the implementation of Bluetooth that could allow attackers to take over Bluetooth-enabled devices, spread malware completely, or even establish a “man-in-the-middle” connection to gain access to devices’ critical data and networks without requiring any victim interaction.

So, users have another important reason to apply September security patches as soon as possible in order to keep hackers and cyber criminals away from taking control over their computers.

Other flaws patched this month include five information disclosure and one denial of service flaws in Windows Hyper-V, two cross-site scripting (XSS) flaws in SharePoint, as well as four memory corruption and two remote code execution vulnerabilities in MS Office.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Source:
Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

Cisco disrupts $30 million browser plug-in hacking operation

Wednesday, October 7th, 2015

Cisco has disrupted a major browser-based hacking operation, thought to be worth $30 million to criminals each year.

The company said unnamed hackers used the notorious Angler Exploit Kit to take advantage of vulnerabilities in common browser plugins, such as Flash and Java.

As many as 90,000 users were affected each day by the attack.

The networking company, through its security wing Talos Group, patched the vulnerabilities being used by the exploit kit, cutting off affected machines from the command-and-control infrastructure.

“This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen [intellectual property, credit card info and personally identifiable information are generating hundreds of millions of dollars annually,” said the researchers in a blog post.

The exploit kit helped to generate vast sums by gaining access to computers, and holding them hostage for a ransom price, which must be paid within a limited time frame to gain back access to their device.

US federal agents warned earlier this year that so-called ransomware, which encrypts files and documents without the owner’s permission, costs consumers $18 million a year.

 

via ZDNet Article

DarkHotel hackers targets company bosses in hotel rooms

Friday, November 14th, 2014
Kaspersky video still Security researchers believe DarkHotel has targeted hotel guests for seven years

Related Stories

Companies are being warned about ongoing hack attacks that target hi-tech entrepreneurs and other corporate executives in their hotel rooms.

The campaign has been dubbed DarkHotel and is believed to single out specific senior staff when they log in to the net via wi-fi or an Ethernet cable.

The technique puts data at risk even if the employees are using encryption.

The attacks began in 2007, according to research firm Kaspersky Lab.

“The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims’ whereabouts, including name and place of stay,” said the Russian security company.

“This paints a dark, dangerous web in which unsuspecting travellers can easily fall.”

The firm’s research indicates the majority of the attacks to date have taken place in Japan but that visitors to hotels in Taiwan, mainland China, Hong Kong, Russia, South Korea, India, Indonesia, Germany, the US and Ireland have also been targeted.

It said that the effort was “well-resourced”, but it was unclear who was responsible.

One independent expert said the hacks should not come as too much of a shock.

Adobe Flash update The malware was attached to legitimate updates for Adobe Flash and other software

“It’s unsurprising given the high value of the targets,” commented Dr Ian Brown, from the Oxford Internet Institute.

“This is perhaps a wake-up call to big company CEOs who weren’t already aware that this kind of thing was going on.”

Copied certificates

The scheme works by requesting that the targeted user installs an update to a popular software package shortly after they connect to the net.

Examples include new versions of Adobe Flash, Google Toolbar and Windows Messenger.

The installation files include legitimate software, but with the DarkHotel code added on.

To prevent the malware being detected, the hackers use certificates – the equivalent of a digital password, used under normal circumstances to confirm software is trustworthy.

Hotel visitor The majority of the detected attacks targeted visitors to Japanese hotels

They were able to do this by taking copies of valid certificates that were protected by relatively weak levels of encryption, which they were capable of breaking.

Kaspersky said that examples of spoofed certificates that its researchers had found included ones issued by Deutsche Telekom, Cybertrust and Digisign.

The result is that the hackers can then employ other types of malware.

These are said to include:

  • Keyloggers – used to record and transmit a user’s individual keyboard and mouse presses in order to monitor their activity
  • Information stealers – used to copy data off the computer’s hard drive, including passwords stored by internet browsers, and the logins for cloud services including Twitter, Facebook, Mail.ru and Google
  • Trojans – used to scan a system’s contents, including information about the anti-virus software it has installed. The findings are then uploaded to the hackers’ computer servers
  • Droppers – software that installs further viruses on the system
  • Selective infectors – code that spreads the malware to other computer equipment via either a USB connection or shared removable storage. These targets appeared to be “systematically vetted” before being infected
  • Small downloaders – files designed to contact the hackers’ server after 180 days. The belief is that this is intended to let them take back control if some of the other malware is detected and removed

The researchers said workers for electronics manufacturers, pharmaceutical companies, cosmetic makers, car designers, the military and non-governmental organisations had all been targeted.

They added that the employees had probably been identified by the last name and room number they were required to enter in order to access the internet, inferring that they must have had a separate way to determine their targets’ travel dates, assigned room numbers and other details.

“The attackers were also very careful to immediately delete all traces of their tools as soon as an attack was carried out successfully,” they added.

 

BBC News – DarkHotel hackers targets company bosses in hotel rooms.