Repairs & Upgrades

May 28, 2020

Android ‘StrandHogg 2.0’ flaw lets malware assume identity of any app

By John E Dunn

Researchers have publicized a critical security flaw in Android which could be used by attackers to “assume the identity” of legitimate apps in order to carry out on-device phishing attacks.

Discovered by Norwegian company Promon, the bug is called ‘StrandHogg 2.0’, the name denoting that this is an “evil twin” follow up to a similar flaw of the same name made public by the company last year.

Strandhogg is, apparently, the old Norse word for the Viking tactic of sailing up to coastal towns and plundering them, which isn’t a bad description of what the bug might be capable of if it were used in a real attack.

Promon doesn’t delve into the inner workings of the flaw in huge detail but malware exploiting it would be able to overlay a malicious version of any app over the real app, capturing all logins as they are entered by an oblivious user.

Users tap on the icon of the correct app and think they are logging into their email, say, when in fact they are really logging into an interface controlled by an attacker.

Attackers need to know which apps they are targeting in advance but can phish multiple apps in one attack without the need for rooting, admin privileges or special permissions, Promon said.

Promon claims the code used in the attack would be obfuscated enough that it could slip past Google Play’s security layers as well as on-device security apps, making it hard to detect.



Apple sends out 11 security alerts – get your fixes now!

By Paul Ducklin

Apple has just blasted out 11 email advisories detailing its most recent raft of security fixes.

Confusingly, some of these updates have been available for several days already – the most recent version of iOS is 13.5, and it was officially announced on Apple’s main Security update page on 20 May 2020.

In fact, the updates listed for iOS and watchOS are still flagged [2020-05-27T12:00Z] with the words “details available soon”, even though Apple’s Security Advisories have full details.

And Apple’s updates for its non-mobile software products are covered in detail in the Advisory emails, but are not yet mentioned at all on the HT201222 security page.


May 27, 2020

Open source libraries a big source of application security flaws

By John E Dunn

How many vulnerabilities lurk inside the bazillions of open source libraries that today’s developers happily borrow to build their applications?

Predictably, the answer is a lot, at least according to application security company Veracode which decided to scan 85,000 applications to see how many flaws it could turn up in the 351,000 libraries used by them.

All told, around seven in ten applications had a security vulnerability traceable to one or more of those libraries, which might come as a shock to the developers who thought they were getting something for free.


Google may soon add end-to-end encryption for RCS

By Lisa Vaas

Make room, WhatsApp, iMessage, Signal, Telegram and all you other end-to-end encrypted messaging services – Google’s getting closer to elbowing its way onto the stage with its Google Messages.

Heaven knows when or even if it will happen, but 9to5Google has analyzed the source code of the latest update to Google Messages and found a slew of clues that strongly suggest that Google’s finally planning to add e2ee to the chat app’s rich communication services (RCS).

What is RCS and why should you care?

The RCS protocol – popularly known as Chat – is the successor to SMS messaging and does what most other texting services do, but without the end-to-end encryption of apps like Signal, et al. In December 2019, Digital Trends did a nice, deep dive into the protocol, explaining why it’s been developed by mobile phone manufacturers, carriers and the cell phone industry’s governing agencies, as well as why we’re all going to love it way more than the blah SMS texting we now have.

Here’s Digital Trends’ pithy explanation of the blah we’ve been putting up with since texting debuted:

Let’s face it: Text messages as we’ve known them throughout history (i.e., since the 1990s) are tired. They don’t support read receipts, group messaging, or the animated stickers your pals trade on apps like Facebook Messenger, WhatsApp, and WeChat. They rely on a cellular connection—which is restricted to places with a signal—and they stop you at 160 characters.

RCS, or Chat, on the other hand, allows group chats, video, audio, and high-resolution images. It already has much of the look, feel and functionality of rich messaging apps, such as iMessage. It also offers read receipts and enables users to see, in real-time, when somebody’s typing a reply to your message. You might already have it in the phone you’re now using.


New iPhone jailbreak released

By Paul Ducklin

Apple’s latest iOS versions have only been out for a week.

The updates are new enough that Apple’s own Security updates page still lists [2020-05-26T14:00Z] the security holes that were fixed in iOS 13.5 and iOS 12.4.7 as “details available soon”.

But there’s a jailbreak available already for iOS 13.5, released by a group known as Unc0ver.

Proceed with care

Jailbreaking, as we have said before, can be a risky business, because in the process of jailbreaking you’re actively and deliberately exploiting a security vulnerability that wasn’t supposed to be there in the first place.

As appealing as it sounds to “escape” from Apple’s walled garden, jailbreaking is not for the faint-hearted, because it can leave you exposed to more dangers than before.

In fact, the only cases we know of where iPhone worms have been able to spread from device to device by themselves have been on jailbroken phones, where applying the jailbreak inadvertently opened up devices to remote connections that were blocked before.


Internet giants unite to stop warrantless snooping on web histories

By Lisa Vaas

Earlier this month, the US Senate narrowly voted to renew warrantless collection of Americans’ web-browsing histories.

This week, the US House of Representatives is expected to consider the act that reauthorizes that warrantless data collection: the USA Freedom Reauthorization Act. The House already passed the reauthorization act, sent it to the Senate, and will this week consider the Senate’s tweaks before sending it to President Trump for his signature.

On Friday, leading up to the House’s vote later this week, a group of seven internet companies and organizations suggested that legislators just might want to rethink the legislation’s disregard for Americans’ privacy.

The group includes Mozilla, Engine, Reddit, Reform Government Surveillance, Twitter, i2Coalition, and Patreon. They’re asking legislators to amend the bill in order to limit government access to internet browsing and search history without a warrant.

They wouldn’t have had to put together a plea to protect Americans’ online privacy if an amendment to the bill had passed in the Senate. Unfortunately, it didn’t: the amendment to curtail warrantless web history searches missed passage by only one vote when four senators didn’t show up for the Senate’s vote.


May 26, 2020

What is the dark web? Your questions answered, in plain English

By Paul Ducklin

You can’t read much about cybercrime these days without hearing mention of “the dark web”.

Often, the term is used with the metaphorical meaning of dark, to describe those parts of the internet that are evil, being dedicated to odious and often very serious criminal offences.

We’re not just talking about stories of websites where illegal drugs can be bought and sold, but also about much more worrying crimes including child abuse, terrorism and murder.

Sometimes, however, the term is used in the literal sense of dark to describe a part of the web where the network traffic going to and from it is effectively invisible or untrackable, so that it is dark in the sense of being unilluminated.

And there you have it: dark as in evil, and dark as in unilluminated.


The ransomware that attacks you from inside a virtual machine

By Mark Stockley

Yesterday, SophosLabs published details of a sophisticated new ransomware attack that takes the popular tactic of “living off the land” to a new level.

To ensure their 49 kB Ragnar Locker ransomware ran undisturbed, the crooks behind the attack brought along a 280 MB Windows XP virtual machine to run it in (and a copy of Oracle VirtualBox to run that).

It’s almost funny, but it’s no joke.

The attack was carried out by the gang behind Ragnar Locker, who break into company networks, make themselves admins, conduct reconnaissance, delete backups and deploy ransomware manually, before demanding multi-million dollar ransoms.

Like a lot of criminals who conduct similar “targeted” or “big game” ransomware attacks, the Ragnar Locker gang try to avoid detection as they operate inside a victim’s network with a tactic dubbed “living off the land”.

Living off the land entails using legitimate software administration tools that either already exist on the network the crooks have broken into, or that don’t look suspicious or out of place (PowerShell is a particular favorite).


Signal secure messaging can now identify you without a phone number

By Paul Ducklin

Signal is a popular instant messaging (IM) app with a difference.

That difference – or at least its major difference – is simple: it’s not owned and operated by an industry behemoth.

WhatsApp belongs to Facebook, Skype is part of Microsoft, and iMessage is owned by Apple, but the open-source app Signal belongs, inasmuch as it belongs to anyone, to Signal.

Signal is a US-registered non-profit organization that was founded entirely around making and supporting the messaging app.

As a result, Signal’s big selling point is, well, that it isn’t selling anything.

Sharing information about you with third parties isn’t part of Signal’s business model, so there’s actually no point in it figuring out how to do so…

…which means that there’s a much more compelling reason to believe the organization when it claims to have an unbending focus on end-to-end encryption.

Signal not only has no desire, but also has no need, to take any interest in what you’re saying, or whom you’re saying it to.

Signal is also endorsed by a privacy celebrity that other IM service providers can’t match, namely Edward Snowden.

Snowden is quoted on Signal’s website with the five simple words, “I use Signal every day.”

(With apologies to well-known cryptographers Bruce Schneier and Matt Green, who are two of Signal’s other celebrity endorsers.)


Office 365 exposed some internal search results to other companies

By John E Dunn

As the well-worn internet saying goes – there is no cloud, it’s just someone else’s computer.

It opens our coverage of the news last February that some Google Photos data had been inadvertently made accessible to the wrong users.

Now Microsoft has suffered its own smaller version of the same phenomenon on the Office 365 platform (or Microsoft 365 as its business versions are now called).

The Register reported that an admin was told that their company’s internal search results had been made visible when queries were run by users from another company.

The glitch was temporary, and any files displayed were not accessible:

At no time were the files that were displayed accessible to the user who received the incorrect search results.

It’s not clear how many accounts were caught up in the incident but Microsoft is said to have made available the URL paths and metadata associated with the results so admins could “identify the exact search query results data which were inadvertently viewed.”

Microsoft acknowledged the problem, describing it as “resolved.”


FBI finally unlock shooter’s iPhones, Apple berated for not helping

By Lisa Vaas

The FBI said on Monday that it figured out how to unlock the iPhones of the shooter who killed three young US Navy students and injured eight at a Pensacola, Florida naval base in December 2019.

No thanks to you, Apple, Attorney General William P. Barr said in a news release:

Thanks to the great work of the FBI – and no thanks to Apple – we were able to unlock Alshamrani’s phones.

Barr has on multiple occasions issued public calls for encryption backdoors.

On Monday, the AG joined FBI Director Christopher Wray in a virtual press conference. Barr used the opportunity to once again call for a “legislative solution” to the roadblock of Apple’s encryption, while Wray referred to the FBI’s “Apple problem.”

Both gave FBI workers a pat on the back for the months they spent working to unlock the damaged iPhones.

In January, following the shootings, the bureau had asked Apple to help it unlock two iPhones that belonged to murderer Mohammed Saeed Alshamrani. Also in January, the Department of Justice (DOJ) said that its investigations showed the incident was an act of terrorism, motivated by jihadist ideology. On 2 February, al-Qaeda in the Arabian Peninsula (AQAP) claimed responsibility for the shooting spree.

The FBI had gotten a subpoena allowing it to search content on the iPhones, both of which were password-protected and one of which Alshamrani put a bullet hole through, further complicating forensics on the device and its data.

An FBI press release related to Monday’s conference included a photo of the hole in one iPhone and of an iPhone alert saying “Authorized Service Provider Only.”


May 13, 2020

TikTok’s handling of child privacy gets another watchdog’s attention

By Lisa Vaas

TikTok: sometimes it’s funny, sometimes it’s cringey, pretty much all times it’s addictive (particularly for young people, and particularly during lockdown).

Also pretty much all the time, the app – which lets users share their short videos – is being investigated for how it handles children’s data. This time around, it’s the Dutch privacy watchdog’s turn.

On Friday, the Dutch Data Protection Authority (DPA) announced that it’s launched an investigation into how TikTok handles user privacy.

As it is, millions of children and teenagers all over the world are sharing their videos on the social media app, the DPA said. It’s grown to be a particularly important tool for staying in touch and spending time with friends, particularly during the coronavirus crisis. But what kind of danger is it exposing our children to?

From the DPA’s announcement:

In the Netherlands many children now have TikTok on their phones. The rise of TikTok has led to growing concerns about privacy.

Are the kids alright?

The watchdog noted that under Dutch law and under the EU General Data Protection Regulation (GDPR), children are seen as particularly vulnerable because they’re “less aware of the consequences of their actions, especially when it comes to sharing personal data on social media.”


Criminal forum trading stolen data suffers ironic data breach

By John E Dunn

Someone on the dark web is touting for sale an unusual database a lot of people might pay handsomely to get their hands on.

Another rich cache full of sensitive company data, or perhaps something stolen from a military power?

In fact, according to the security company that verified its authenticity, Cyble, this is data that a specialized group of internet users will find far more interesting – a database of criminal account holders of the now defunct breach data trading forum.


Thunderspy – why turning your computer off is a cool idea!

By Paul Ducklin

This month’s Bug with An Impressive Name, or BWAIN for short, is Thunderspy.

As well as a cool name, Thunderspy also has its own logo, its own domain name, its own website and a “recorded live” video showing a Thunderspy attack in action.

There’s also a technical paper that’s detailed but nevertheless readable, by security researcher Björn Ruytenberg from Eindhoven University of Technology in The Netherlands.

As you’ve probably guessed, Thunderspy gets its name from Thunderbolt, a type of hardware interconnection system for plugging high-performance external devices into your computer.

You might wonder why Thunderbolt ever came along in a world that already has USB, Display Port, HDMI and other methods of connecting almost any peripheral to your computer that you might want, including microphones, webcams, headphones, screens, keyboards, mobile phones, scanners, printers, memory sticks and hard disks.

The answer, as with so many features in modern devices, is performance.

Thunderbolt doesn’t just let you plug devices into your computers so they can communicate with one another – it pretty much lets you hook up devices directly to the internal memory bus of the computer, as if you had taken the lid off your gaming desktop and plugged a PCI card directly into one of the slots on the motherboard.


Huge toll of ransomware attacks revealed in Sophos report

By John E Dunn

Ransomware might be a dreadful enterprise, but nobody could accuse the criminals behind these attacks of being weak on customer service.

They’re always easy to communicate with – just email the address on the screen. And while it’s true they don’t offer many payment options, the one they do, Bitcoin, is fast and reliable to transact in.

Best of all, according to The State of Ransomware 2020 global study conducted earlier this year on behalf of Sophos, organizations that decide to pay to get their data back do so in an efficient 94% of cases.

What’s the catch? Only greater expense in the long run, major business disruption, the possibility of ongoing regulatory oversight for years, and the small matter of public humiliation and lost business should an attack come to light (which increasingly it does thanks to the attackers).

The research questioned 5,000 IT managers from 26 countries (500 from the US and 200 from the UK) in a range of sectors and company sizes from 100 to 5,000 employees.

That’s a healthy sample size, whose results underline one of the most interesting facts about ransomware that can get lost in the headlines – it now affects anyone, anywhere.

It doesn’t seem to matter how big an organization is, nor which sector or country you look at. Ransomware is ubiquitous, with half of the organizations in the research having experienced an attack during 2019, three quarters of which had their data encrypted.


May 11, 2020

Clearview AI won’t sell vast faceprint collection to private companies

By Lisa Vaas

Clearview AI – the web-scraping, faceprint-amassing biometrics company that’s being sued over collecting biometrics without informed consent – says it’s no longer going to sell access to its program to a) private entities or b) any entity whatsoever that’s located in Illinois.

Clearview’s artificial intelligence (AI) program can identify someone by matching photos of unknown people to their online photos and the sites where they were posted. Clearview AI founder and CEO Hoan Ton-That has claimed that the results are 99.6% accurate.

The company’s change of heart was revealed in court documents submitted during the course of a class action suit against Clearview that was filed in Illinois in January. It’s just one of multiple suits: Clearview’s also up against similar lawsuits in Vermont, New York and California.

The Illinois suit charges the company with breaking the nation’s strictest biometrics privacy law – Illinois’s Biometric Information Privacy Act (BIPA) – by scraping some 3 billion faceprints from the web to sell to law enforcement and to what’s turned out to be a motley collection of private entities, including Macy’s, Walmart, Bank of America, Target, and Major League Baseball team The Chicago Cubs.

From a court declaration made by Clearview legal counsel Thomas Mulclaire and filed on Wednesday:

Clearview is in the process of cancelling the accounts of every remaining user who was not either a law enforcement body or other federal, state, or local government department, office or agency. At the same time, Clearview is in the process of cancelling all user accounts belonging to any entity located in Illinois.

The suit contends that Clearview violated BIPA by using biometric data for commercial purposes and is seeking a temporary injunction that would prevent the company from using the information of current and past Illinois residents for its facial recognition program.


Microsoft opens IoT bug bounty program

By Danny Bradbury

Microsoft really wants to secure the Internet of Things (IoT), and it’s enlisting citizen hackers’ help to do it. The company has launched a $100,000 bug bounty for people who can break into Azure Sphere, its security system for IoT devices.

Microsoft first announced Sphere at the RSA conference in April 2018. It’s an IoT ecosystem encompassing both connected devices and the cloud service that controls them.

In August the following year, it launched the Azure Security Lab, which offers resources to ethical hackers and runs regular security research challenges. The latest, the Sphere Security Research Challenge, lets bug hunters talk directly to Microsoft’s technical team as they try to break into Sphere.


More crypto-stealing Chrome extensions swatted by Google

By Danny Bradbury

Malicious extensions for the Chrome browser continue to spring up just as quickly as the search giant cuts them down. This month, another batch appeared.

Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after security researcher Harry Denley found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more.

Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store.

Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive, according to Denley, who said:

Yeah, they have been, for the majority. Actioned my reports within 24 hours.

New rules

Google has acknowledged a general problem with malicious extensions and has announced new rules for the Chrome Web Store. It said:

We want to ensure that the path of a user discovering an extension from the Chrome Web Store is clear and informative and not muddled with copycats, misleading functionalities or fake reviews and ratings.

The rules forbid developers from publishing multiple extensions that do the same thing, and prohibit misleading metadata, including anonymous user testimonials in app descriptions. Developers can’t upload extensions that exist solely to launch another app or extension, and they shouldn’t send spam notifications, the company added.


Police nab InfinityBlack hackers

By Danny Bradbury

Five alleged members of hacking group InfinityBlack got some unexpected visitors last week when Polish law enforcement arrested them.

InfinityBlack was a hacking group that specialized in stealing and distributing sets of online credentials known as combos, especially for loyalty rewards points accounts. It would sell them to other gangs who would then exchange the points for products, said a Europol press release announcing the arrests.

The hackers ran the operation like a business, with different teams handling individual functions. The whole thing was fronted by an online service selling subscriptions to access stolen data. The development team created tools to test the quality of the stolen data, and a testing team analyzed its suitability for distribution, said Europol. A project management team handled the business end, distributing subscriptions for cryptocurrency payments and converting the data into digital cash.


Air gap security beaten by turning PC capacitors into speakers

By John E Dunn

Researchers have poked another small hole in air gapped security by showing how the electronics inside computer power supply units (PSUs) can be turned into covert data transmission devices.

Normally, if a computer is physically isolated from other computers it is seen as being more secure because there is no channel for data to be transmitted in or out of the device.

Used for decades by the military, today the concept is now often used to secure computers used for secure tasks such as internal bank transfers, or to isolate medical equipment controlled by software such as MRI scanners.

However, the famous Stuxnet attack on Iran in 2010 showed how air gapping could be beaten using infected USB sticks, and since then researchers have been exploring more unusual methods of achieving the same end.


April 30, 2020

Flaw in defunct WordPress plugin exploited to create backdoor

By John E Dunn

A vulnerability discovered last year in the defunct OneTone WordPress theme plugin is now being exploited by hackers to compromise entire sites while installing backdoor admin accounts.

The attacks were noticed earlier this month by security company Sucuri, and are believed to be ongoing.

The vulnerability that makes it possible is a cross-site scripting (XSS) flaw that allows attackers to inject malicious JavaScript into the plugin’s settings, redirecting innocent visitors to the attacker’s landing page.

In addition, JavaScript is injected via HTML <script> tags, which allows attackers to detect and hijack authenticated admin sessions.


Twitter turns off SMS-based tweeting in most countries

By Lisa Vaas

Buh-bye, original way of tweeting: Twitter said that for the most part, it’s turned off its Twitter via texting service.

Besides a few countries that rely on the feature, Twitter’s turned off its ability to take in our SMS messages and turn them into tweets. On Monday, it said on its support account that it’s killed SMS tweeting in order to keep our accounts safe, referring to SMS-enabled vulnerabilities for which it didn’t give any details.

We want to continue to help keep your account safe. We’ve seen vulnerabilities with SMS, so we’ve turned off our Twitter via SMS service, except for a few countries.

Everyone will still have access to important SMS messages needed to log in to and manage their accounts.

This isn’t a biggie for most of us, given that nowadays, the vast majority of Twitter’s users access the service via its mobile or online apps. And, as Twitter noted, you can still use SMS messages to do important things, like sending authentication codes needed to log in.

But “most of us” isn’t all of us.


iPhone “word of death” could crash your phone – what you need to know

By Paul Ducklin

It’s happened again!

A weird combination of Unicode characters that make up a nonsense word can crash your iPhone, apparently by confusing the iOS operating system when it tries to figure out how to display the “word”.

(We say apparently because we have an iPhone 6+, which is stuck back on iOS 12, and we couldn’t get our phone to crash, although we’ve seen one person on Twitter claiming that their iOS 12 device was affected.)

If you’re a regular Naked Security reader, you’ll have a feeling not just of having read this before but of having read it before, because we covered similar troubles for iOS back in 2013 and in 2018.

And it’s not only Apple that has been in the firing line here, with the WhatsApp software having had similar issues in the past dealing with legal-but-unusual character code combinations, leading to what was described at the time as a “text bomb”.


April 28, 2020

Coronavirus tracking tool from Apple and Google embraced by Germany

By Lisa Vaas

Germany on Sunday pulled an about-face regarding the best way to use smartphones to trace people’s contacts with those infected by COVID-19, embracing a decentralized Bluetooth-based approach instead of the more invasive location tracking proposed in other approaches.

The Bluetooth approach – which keeps data local on people’s phones instead of being stored on a centralized database that could be used for mass state surveillance or to track people – is supported by Apple, Google and other European countries, Reuters reported.

Apple and Google first announced their contact tracing collaboration two weeks ago, on 10 April. Instead of “contact tracing,” though, they’re calling it an Exposure Notification system.

As the companies have explained in an FAQ about their approach, it will come in two phases, both of which will use Bluetooth technology on mobile devices to aid in contact tracing efforts.

The first phase will be an API that works across iOS and Android devices for public health agencies to integrate into their own apps. That’s due in May. The second phase, due in coming months, will be introduced at devices’ operating system levels to ensure broad adoption – a key element in the success of contact tracing.

It will be done on a strictly opt-in basis. After the operating system updates and a user has opted in, the Exposure Notification system will start pinging the Bluetooth beacons of nearby devices. Preliminarily, users won’t have to install an app to get those notifications. But if a match is detected that shows a user has come into contact with somebody who’s infected, the user will be notified.


‘Evil GIF’ account takeover flaw patched in Teams

By John E Dunn

Microsoft has quickly fixed a flaw in its Teams videoconferencing and collaboration program that could have allowed attackers to launch a wormlike attack on multiple accounts by sending one victim a malicious GIF image.

Discovered by Israeli security company CyberArk, the underlying weakness is a combination of two issues.

The first concerns the way Teams manages authentication tokens.

Teams can generate a lot of these, depending on what it is accessing (SharePoint, Outlook, for example), which gives the user the right to view content or resources from a Microsoft subdomain accessed during a session.

To simplify, the ability to view an image is defined by two tokens, skypetoken_asm and authtoken, that also control lots of requests a user can make through the Teams API and Skype, such as sending and reading messages, creating groups, adding users and changing permissions.

Importantly, if an attacker could somehow get hold of an authtoken they could generate their own skypetoken. That should be impossible because such tokens are only sent to Microsoft subdomains… which is where the second weakness becomes important.


5 common mistakes that lead to ransomware

By Paul Ducklin

If you’re a system administrator, the network you look after is almost certainly way more spread out since coronavirus stay-at-home regulations kicked in.

But even if your colleagues are using their own computers now, and connecting in via their own internet connections, it’s still “your” network, and it still represents a valuable target – as a network, not just as numerous individual computers – to cybercriminals.

And one of the most dramatic all-at-once attacks that your network can suffer is, of course, ransomware.


April 27, 2020

Web shell warning issued by US and Australia

By Danny Bradbury

The US National Security Agency (NSA) and its Australian counterpart the Australian Signals Directorate (ASD) have published a set of guidelines to help companies avoid a common kind of attack: web shell exploits.

A web shell is a malicious program, often written in a scripting language like PHP or Java Server Pages, that gives an attacker remote access to a system and lets them execute functions on a victim’s web server. Attackers hack web-facing applications so that they can install and execute these files on the server, enabling them to steal data, launch attacks on visitors to the site, or use the web server as an ingress point to burrow further into the victim’s infrastructure.

Attackers often disguise web shells as innocuous-looking files that could pass for a component of the web application, enabling them to ‘live off the land’ by executing malicious commands unobtrusively and lurk undetected for a long time unless an admin is paying attention. The NSA warned:

Web shell malware has been a threat for years and continues to evade detection from most security tools. Malicious cyber actors are increasingly leveraging this type of malware to get consistent access to compromised networks while using communications that blend in well with legitimate traffic. This means attackers might send system commands over HTTPS or route commands to other systems, including to your internal networks, which may appear as normal network traffic.

The guidelines list several CVEs that are common attack vectors for the installation of web shells, targeting products from Microsoft (SharePoint and Exchange), Atlassian, Progress, Zoho, and Adobe (ColdFusion).


Patch now! Microsoft issues unexpected Office fix

By Paul Ducklin

Microsoft just issued Security Advisory ADV200004, entitled Availability of updates for Microsoft software utilizing the Autodesk FBX library.

At first glance, you might be inclined to read just the headline and skip on by because you don’t use FBX files or you don’t have any Autodesk software products.

We’ll be honest and admit we hadn’t even heard of FBX files until now, let alone created one – the abbreviation is short for Filmbox, and it’s a proprietary format owned by Autodesk that is used to save motion capture data along with audio and video streams.

Autodesk is probably still best-known for its AutoCAD computer aided drawing software, but it has a huge range of products for video rendering, game creation and more, where the FBX file format is right at home.


Shadow Broker leaked NSA files point to unknown APT group

By Danny Bradbury

Remember the Shadow Brokers, the mysterious group that stole and leaked a collection of NSA files in 2016? Well, it’s the gift that keeps on giving. A security researcher claims to have unearthed a previously-unknown APT group after reading over some of the dumped files.

The Shadow Brokers published their stolen NSA files online in several batches. One of the largest was batch number five, which got the nickname ‘lost in translation’. In March 2018, Budapest University’s Laboratory of Cryptography and System Security (CrySys Lab) published a report picking apart this file drop. It focused on a file called which contained 45 file signatures that government operatives could use to scan machines for infection. Each file signature could be linked to a different attack group. Some of the signatures, like Flame and Stuxnet, were already known. Others were less common. The lab identified one of them, a file called godown.dll in signature 37, as IronTigerASPXSpy. It got this reference from a file listing on VirusTotal.

Juan Guerrero-Saade, a security researcher and adjunct professor at Johns Hopkins University’s School of Advanced International Studies, wasn’t convinced, arguing that misleading files make their way onto VirusTotal all the time. He realized that the file in question was a 15Mb memory dump of a McAfee installer. In short, it’s a red herring.

Investigating godown.dll further, he found that the file was a drop from a larger multi-stage infection framework. The tools and techniques that the framework used indicated a unique cluster of activity. It pointed to an advanced persistent threat group that wasn’t publicly known until now.


AI helps experts find thousands of child sexual abuse imagery keywords

By Lisa Vaas

A team of 13 analysts at the Internet Watch Foundation (IWF) have used machine learning to help them figure out what secret code words are used by online communities of perverts to covertly talk about child sexual abuse images.

The IWF is a UK-based charity that every year removes tens of thousands of depraved images.

Sarah Smith, the technical projects officer who’s overseen IWF’s work, told Wired that the charity has been working on its database of pedophile slang for more than 10 years.

The abusers who trade this imagery have been developing a private, secret language over that time. At the dawn of the IWF’s work, over a decade ago, predators were openly sharing content through newsgroups, forums and on dedicated websites, often with clear descriptions of what the pictures depicted.

Chris Hughes, who leads the IWF’s team of 13 analysts, told Wired that back then, finding the content was as simple as a web search. You didn’t have to go to the Dark Web to find the material, given that it was easily available on the open web, he said:

It was possible to go to a search engine, type it in and get exactly what you wanted.

Up until a few weeks ago, the IWF’s database of pedophile slang contained about 450 words and phrases used to refer to abuse images. But over the last few weeks, that database has expanded to contain 3,681 more entries, with several hundred more still to be added.

