UK NCSC warns developers and companies to upgrade from Python 2 to avoid large scale attacks

Security researchers at the UK’s National Cyber Security Centre (NCSC) have warned developers about the dangers of continuing to use the popular Python 2 programming language as it approaches End-of-Life (EoL). The warning reiterated that there will be no bug fixes or security updates for Python 2 once it reaches EoL on 1 January 2020. Companies still using any version of Python 2.x are advised to migrate their code to Python 3.x, because the developers will stop issuing bug fixes and security updates after EoL. This will leave applications that use Python 2.x vulnerable, as nobody is fixing the flaws, and puts the data and security of many existing applications at risk. Running unsupported software is a classic gateway to breaches, as shown by many incidents across the globe; examples include the WannaCry ransomware, which infected more than 230,000 computers worldwide, and the recent Equifax breach, which resulted in a $700 million settlement with the regulator. In addition to these highly destructive threats, threat actors can target popular projects, including NumPy, Requests and TensorFlow, that run on Python 2.x. Many of these popular projects have already dropped support for Python 2.x, and others have pledged to drop it by 2020. NCSC urged companies and developers to migrate their Python 2.x code to Python 3.0 or higher. NCSC also published a blog post that includes a summary of Python 3's most attractive features, as well as a list of tools and git repository links that can help developers with the migration, such as Can I Use Python 3 and 2to3.


Researchers detected clickjacking scripts on over 600 popular websites

Researchers from Microsoft Research, the Chinese University of Hong Kong, Seoul National University, and Pennsylvania State University have discovered malicious clickjacking scripts that intercept user clicks on at least 613 popular websites. Crooks leverage clickjacking scripts to hijack user clicks and perform unwanted clicks on online ads in order to generate revenue. The research team detected the clickjacking scripts by building a tool named Observer, which scans the Alexa Top 250,000 list of most popular websites for scripts that intercept user clicks. “OBSERVER focuses on three fundamental actions that JavaScript code might rely on to intercept clicks: 1) modifying an existing hyperlink in a page; 2) creating a new hyperlink in a page; and 3) registering an event handler to an HTML element to hook a user click,” said the researchers in their research paper. The researchers recommend that organisations ensure link and click integrity to prevent click interception by hyperlinks and event handlers. They suggest detecting third-party scripts and distinguishing first-party scripts from third-party scripts, so that visitors can tell whether a redirection URL is provided by the first-party website or by a third party.
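A link-integrity check along the lines the researchers recommend, written here as an added example (it is not the Observer tool or code from the paper): it compares a snapshot of a page's anchors taken at load with their current state and reports hyperlinks that were rewritten or injected to point at a third-party host, plus click handlers registered by third-party scripts, mirroring the three interception primitives quoted above. The page origin, link snapshots and script URLs are constructed sample data; in a browser the same function would be fed from `document.querySelectorAll('a')` and a `MutationObserver` watching `href` and child-list changes.

```javascript
// Added example: audit a page's links against the three click-interception
// primitives (rewritten link, injected link, hooked click handler). Pure logic,
// runs under Node with the global URL class; browser wiring is left to the caller.

// Hostname of href resolved against the page origin, or null if unparsable.
function hostOf(href, pageOrigin) {
  try { return new URL(href, pageOrigin).hostname; } catch { return null; }
}

// First-party means the page host itself or one of its subdomains.
function isFirstParty(href, pageOrigin) {
  const pageHost = new URL(pageOrigin).hostname;
  const h = hostOf(href, pageOrigin);
  return h !== null && (h === pageHost || h.endsWith("." + pageHost));
}

// before/after: arrays of { id, href } snapshots of the page's <a> elements.
// handlers: array of { targetId, scriptSrc } records of click listeners added.
// Returns a list of findings; an empty list means link and click integrity held.
function auditLinks(pageOrigin, before, after, handlers) {
  const findings = [];
  const original = new Map(before.map((a) => [a.id, a.href]));
  for (const a of after) {
    if (!original.has(a.id)) {
      // Primitive 2: a hyperlink created after load, pointing off-site.
      if (!isFirstParty(a.href, pageOrigin))
        findings.push({ kind: "injected-link", id: a.id, href: a.href });
    } else if (original.get(a.id) !== a.href) {
      // Primitive 1: an existing hyperlink rewritten to a third-party URL.
      if (!isFirstParty(a.href, pageOrigin))
        findings.push({ kind: "modified-link", id: a.id, from: original.get(a.id), href: a.href });
    }
  }
  for (const h of handlers) {
    // Primitive 3: a click handler hooked onto an element by a third-party script.
    if (!isFirstParty(h.scriptSrc, pageOrigin))
      findings.push({ kind: "third-party-handler", id: h.targetId, script: h.scriptSrc });
  }
  return findings;
}

// Constructed sample: an ad script rewrote one link, injected another and hooked a click.
const PAGE = "https://news.example/";
const BEFORE = [{ id: "a1", href: "/story/1" }, { id: "a2", href: "https://cdn.news.example/x" }];
const AFTER = [
  { id: "a1", href: "https://ads.tracker.test/click?u=/story/1" },
  { id: "a2", href: "https://cdn.news.example/x" },
  { id: "a3", href: "https://ads.tracker.test/offer" },
];
const HANDLERS = [{ targetId: "a2", scriptSrc: "https://ads.tracker.test/sdk.js" }];
```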


Apple issues minor iOS patch to fix unintentionally unpatched jailbreaking flaw

Apple recently released an update to iOS 12.4 to patch a critical security flaw that allowed hackers to jailbreak up-to-date phones. iOS 12.4 was released in July with the intent of issuing small fixes and updates, but it unintentionally re-opened a jailbreak flaw that had been patched in the iOS 12.3 update. The bug was originally found by Ned Williamson, working with Google Project Zero, and Apple thanked him in the release notes for iOS 12.4.1 for discovering the critical security flaws that allow hackers to exploit the operating system. An unknown user going by the nickname @Pwn20wnd also released a public proof-of-concept for the flaw on Git. Speaking to Motherboard last week, the user stated that “it is very likely that someone is already exploiting the bug for bad purposes.” Apple thanked Pwn20wnd in its security update for bringing the vulnerability to its attention: "We would like to acknowledge @Pwn20wnd for their assistance," the company stated. Security researchers have warned regular users who have not jailbroken their phones to update to the latest iOS 12.4.1 version; failing to do so could allow hackers to sneak in a malicious application that executes arbitrary code with system privileges. Users can install the latest update using the over-the-air update functionality in the iOS Settings app. Alternatively, users can update their Apple device to iOS 12.4.1 through iTunes by connecting the iOS device to a computer and checking for the update.


Newly discovered Nemty ransomware found hosting its payment portal on Tor network

A new ransomware strain called Nemty was discovered over the weekend. It only encrypts files with specific file extensions on the target device. Discovered by security researcher Vitali Kremez, Nemty deletes the shadow copies (backup files) to make it impossible for victims to recover their files. Once the malware is installed and executed on a victim’s machine, it encrypts files with specific extensions and appends the .nemty extension to them. The file extensions that Nemty does not encrypt include .log, .cab, .cmd, .com, .cpl, .exe, .ini, .dll, .lnk, .url, and .ttf. Strangely enough, the ransomware code also contains a reference to the Russian President. It is unclear how Nemty is distributed, but Kremez has heard from a reliable source that operators deploy it via compromised remote desktop connections. Nemty includes a specific check, ‘isRU’, which makes it easy to identify computers in Russia, Belarus, Kazakhstan, Tajikistan, and Ukraine. Once it determines the location, Nemty sends the computer name, username, operating system, and computer ID to the attackers. Bleeping Computer reports that the ransomware’s payment portal is hosted on the Tor network for anonymity. An infected user can decrypt some of their files for free by uploading them to the portal; however, full recovery of files can only be done by paying a ransom of 0.09981 BTC, which equates to around $1,000.


Vulnerability in QEMU allows attackers to perform virtual machine escape

A vulnerability in QEMU, a popular open-source hardware virtualisation package, allows attackers to perform a “virtual machine escape” by attacking the host operating system that runs QEMU. The vulnerability, tracked as CVE-2019-14378, allows an attacker to execute arbitrary code at the same privilege level as QEMU itself, or to crash the QEMU process outright. It affects providers of cloud-hosted virtual machines that use QEMU for virtualisation. The vulnerability was found by a security researcher during a code audit, and there is no evidence that it has been exploited in the wild. The flaw lies in QEMU’s networking implementation, specifically in the packet reassembly code in SLiRP, and is triggered when fragmented packets are reassembled for processing. Successful exploitation, however, also requires bypassing ASLR and PIE. Patches have been released for the vulnerability; they additionally fix a regression in which network block device connections could hang. Applying the patches to QEMU requires a restart of the virtual machines operated by that process, which will create downtime as systems are patched.


Hostinger suffers data breach impacting 14 million customers

Web hosting provider Hostinger suffered a data breach after an unauthorized third party gained access to its internal API server. Hostinger became aware of the incident on August 23, 2019, after receiving alerts that one of its internal servers, which contained an authorization token, had been accessed by a third party. The attackers used this authorization token to gain further access and escalate privileges to Hostinger’s RESTful API server. The compromised server contained the client information of nearly 14 million Hostinger users, including clients’ first names, usernames, email addresses, hashed passwords, and IP addresses. No payment card or financial information was compromised, as Hostinger does not store payment card data on its servers, and Hostinger client accounts were also not impacted by the incident. Upon learning of the incident, the hosting provider hired a team of internal and external forensics experts and data scientists to investigate it and determine the origin of the attack. Having determined the origin of the unauthorized access, Hostinger took the necessary measures to protect its client data: it disabled access to the server by securing the API and all related systems, reset passwords for all its clients and for systems within its infrastructure, and took steps to improve the security measures of all Hostinger operations.


Edited and compiled by cyber security specialist James Aguilan.