Cyber Security Training from QA

Cyber Pulse: Edition 40

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


9 November 2018

Unpatched VirtualBox Zero-Day Vulnerability and Exploit Released Online

An independent exploit developer and vulnerability researcher has publicly disclosed a zero-day vulnerability in VirtualBox that could allow a malicious program to escape the virtual machine (guest OS) and execute code on the operating system of the host machine. The vulnerability is caused by memory corruption issues and affects the Intel PRO/1000 MT Desktop (82540EM) network card (E1000) when the network mode is set to NAT (Network Address Translation). The flaw is independent of the type of operating system being used by the virtual and host machines because it resides in a shared code base.

VirtualBox Zero-Day Exploit and Demo Video Released

Sergey Zelenyuk published on Wednesday a detailed technical explanation of the zero-day flaw on GitHub. The flaw affects all current versions (5.2.20 and prior) of VirtualBox and is present in the default Virtual Machine (VM) configuration. According to Zelenyuk, the vulnerability allows an attacker or a malicious program with root or administrator rights in the guest OS to escape and execute arbitrary code in the application layer (ring 3) of the host OS, which is used for running code from most user programs with the least privileges. Following successful exploitation, the researcher believes an attacker can also obtain kernel privileges (ring 0) on the host machine by exploiting other vulnerabilities.

"The E1000 has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring 3. Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv," Zelenyuk said. Along with the details of the zero-day vulnerability, Zelenyuk also wrote down the complete exploit chain and released a video demonstration of the attack on Vimeo.
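A configuration check for the exposure described above, added here as an example and not taken from the article or the researcher's write-up: it flags adapters that are both the 82540EM type and in NAT mode. The sample text is constructed in the style of `VBoxManage showvminfo <vm> --machinereadable` output, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of `VBoxManage showvminfo <vm> --machinereadable`.
SAMPLE_VMINFO = '''\
name="build-agent"
nic1="nat"
nictype1="82540EM"
cableconnected1="on"
nic2="bridged"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"
'''

# Matches only the attachment-mode and adapter-type keys, e.g. nic1="nat".
LINE_RE = re.compile(r'^(nic|nictype)(\d+)="([^"]*)"$')


def parse_adapters(vminfo):
    """Return {slot: {"mode": ..., "type": ...}} for every adapter slot seen."""
    adapters = {}
    for line in vminfo.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, slot, value = m.group(1), int(m.group(2)), m.group(3)
        field = "mode" if key == "nic" else "type"
        adapters.setdefault(slot, {})[field] = value
    return adapters


def exposed_adapters(vminfo):
    """Slots matching the configuration the article names: 82540EM in NAT mode."""
    return sorted(
        slot
        for slot, a in parse_adapters(vminfo).items()
        if a.get("mode", "").lower() == "nat"
        and a.get("type", "").upper() == "82540EM"
    )


if __name__ == "__main__":
    for slot in exposed_adapters(SAMPLE_VMINFO):
        print(f"adapter {slot}: Intel PRO/1000 MT Desktop (82540EM) in NAT mode")
```

Adapter 2 (same card, bridged) and adapter 3 (NAT, different card) are not flagged, because the article ties the flaw to the combination of both settings.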

Popular WooCommerce WordPress Plugin Patches Critical Vulnerability

A security researcher has discovered an arbitrary file deletion vulnerability in the popular WooCommerce plugin that could allow a malicious or compromised privileged user to gain full control over unpatched websites. The attack demonstrated in the following video takes advantage of the way WordPress handles user privileges and of the WooCommerce file deletion vulnerability, allowing an account with the "Shop Manager" role to eventually reset administrator accounts' passwords and take complete control of the website.

When installed, the WooCommerce extension creates "Shop Manager" accounts with the "edit_users" capability, allowing them to edit customer accounts of the store in order to manage their orders, profiles, and products. In WordPress, an account with the "edit_users" capability is by default allowed to edit even an administrator account and reset its password. To draw a permission-based line between an administrator and a shop manager account, the WooCommerce plugin adds some extra limitations on shop managers. However, the researcher discovered that if a WordPress admin, for some reason, disables the WooCommerce plugin, the configuration that mandated the limitation goes away, allowing Shop Manager accounts to edit and reset the password for administrator accounts.

Now, according to Simon, a malicious Shop Manager can forcefully disable the WooCommerce plugin by exploiting a file deletion vulnerability that resides in the logging feature of WooCommerce. "This vulnerability allows shop managers to delete any file on the server that is writable. By deleting the main file of WooCommerce, woocommerce.php, WordPress will be unable to load the plugin and then disables it," Simon explains in a blog post. Once the file is deleted, the WooCommerce plugin gets disabled, allowing shop managers to update the password for the administrator account and then take over the complete website.

If you haven't yet updated your WordPress and WooCommerce, you are highly recommended to install the latest available security updates as soon as possible.

Flaws in Popular Self-Encrypting SSDs Let Attackers Decrypt Data

Security researchers have discovered multiple critical vulnerabilities in some popular self-encrypting solid state drives (SSDs) that could allow an attacker to bypass the disk encryption and recover protected data without knowing the password for the disk. The researchers—Carlo Meijer and Bernard van Gastel—at Radboud University in the Netherlands reverse engineered the firmware of several SSDs that offer hardware full-disk encryption, identified several issues, and detailed their findings in a new paper (PDF) published Monday. "The analysis uncovers a pattern of critical issues across vendors. For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys," the researchers say.

The duo successfully tested their attack against three Crucial models of SSDs—Crucial MX100, MX200, and MX300—and four Samsung SSDs—840 EVO, 850 EVO, T3 Portable, and T5 Portable drives—and found at least one critical flaw in each that breaks the encryption scheme. The researchers warned that many other SSDs may also be at risk. Since there is no cryptographic binding between the password and the data encryption key (DEK), an attacker can unlock drives with any password by modifying the password validation routine in RAM through the JTAG debugging interface. With physical access to the device's debug ports, the researchers were able to reverse engineer the firmware and modify it to decrypt the hardware-encrypted data by entering any password.
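The missing binding between password and DEK, modelled as an added example (not code from the paper or from any drive firmware): one design stores the DEK as-is and only compares the password, the other stores the DEK only wrapped under a password-derived key. All names are hypothetical, and the XOR-plus-HMAC wrap is a toy stand-in for a real key-wrap algorithm.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor, not a recommendation

def kdf(password, salt, length):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def provision_unbound(password):
    """Weak design: the DEK is stored as-is; the password only feeds a comparison."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": kdf(password, salt, 32), "dek": os.urandom(32)}

def unlock_unbound(state, password, enforce_check=True):
    # enforce_check=False models a validation routine that no longer rejects anything.
    matches = hmac.compare_digest(kdf(password, state["salt"], 32), state["verifier"])
    if enforce_check and not matches:
        return None
    return state["dek"]  # the released key never depended on the password

def provision_bound(password):
    """Bound design: the DEK exists on the drive only wrapped under a password-derived key."""
    salt, dek = os.urandom(16), os.urandom(32)
    key = kdf(password, salt, 64)
    wrapped = xor(dek, key[:32])  # toy wrap standing in for a real key-wrap algorithm
    tag = hmac.new(key[32:], wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}, dek

def unlock_bound(state, password, enforce_check=True):
    key = kdf(password, state["salt"], 64)
    expected = hmac.new(key[32:], state["wrapped"], hashlib.sha256).digest()
    if enforce_check and not hmac.compare_digest(expected, state["tag"]):
        return None
    return xor(state["wrapped"], key[:32])  # a wrong password yields unrelated bytes

if __name__ == "__main__":
    weak = provision_unbound("correct horse")
    bound, dek = provision_bound("correct horse")
    print("unbound, check skipped:", unlock_unbound(weak, "guess", False) == weak["dek"])
    print("bound, check skipped:  ", unlock_bound(bound, "guess", False) == dek)
```

In the bound design the comparison is only a convenience: with it removed, a wrong password still cannot reproduce the DEK, which is the property the researchers found missing.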

University shuts down its entire network to stop Bitcoin crypto-jackers

A Canadian university had to shut down its entire campus network after it discovered hackers had hijacked its computing power to surreptitiously mine cryptocurrency. In a statement released earlier this week, Nova Scotia-based St. Francis Xavier University revealed the hackers snuck malicious software onto its servers to run their crypto-jacking operation. Its technical team first detected the attack last Thursday. Fortunately, the university claims no personal information was compromised as part of the attack. Still, it caused quite a bit of trouble on campus. Among other things, the statement suggests the network shutdown made it impossible to use Wi-Fi or make debit transactions. The university says it is still recovering from the attack, but expects its services will be back up and running shortly.

There has been a bevy of crypto-jacking attacks on institutions over the past several months. Back in February, UK researchers found tons of infected government sites mining Monero. More recently, it came to light that many hackers had also quietly hijacked Indian government sites to mine cryptocurrency. Hackers are hardly the only ones to have piggybacked off university networks. Back in 2014, an anonymous student at University College London used campus computers to mine 30,000 Dogecoin (about $25 at the time). We saw a similar trend earlier this year, with numerous university students admitting to utilizing their dorm rooms to run micro-scale Ethereum and Bitcoin mining operations. By contrast, research from RWTH Aachen University indicated Monero crypto-jackers are making about $250,000 each month.

Side channel attacks on graphics processors can enable hackers to spy on web activity and steal passwords

Researchers have demonstrated that hackers can target a computer's graphics processing unit (GPU) to steal passwords, break into cloud-based applications and spy on the web activity of a user. GPUs are the devices that improve the performance of computers' graphical workloads; they are powerful and programmable computational devices. The advanced capabilities of GPUs were originally used for 3D game rendering, but researchers have now started to harness their capabilities more broadly to speed up computational workloads in many other areas such as scientific research, financial modelling, artificial intelligence and oil and gas exploration. GPUs are also being integrated into data centres and clouds to accelerate data-intensive workloads.

In this new study, the scientists reverse-engineered an Nvidia GPU to demonstrate how three attacks on the GPU's graphics and computational stacks can enable hackers to steal vital data from a computer, endangering user privacy. The researchers revealed that the attacks are enabled after the victim downloads an app with a malicious program created to observe the victim's computer.

With the first attack, hackers can track the user's activity on the web. When the user opens the malicious app, it creates a spy to collect information about the behaviour of the web browser. To create the spy, the malicious app uses OpenGL, which is accessible by any application on a system with user-level privileges. The spy then enables hackers to achieve website fingerprinting with high levels of accuracy.

The second attack enables hackers to steal user passwords. When a character is typed on the system, the malicious app uploads the complete password textbox to the GPU as a texture to be rendered. Then, hackers can 'read' the password by observing the interval time of consecutive memory allocation events and inter-keystroke timing.

With the third attack, hackers can target a computational application in the cloud. This is achieved by launching a malicious computational workload on the GPU. This workload operates along with the user's application and enables hackers to obtain the structure of the victim's secret neural network.

ICO issues maximum £500,000 fine to Facebook for failing to protect users’ personal information

The Information Commissioner’s Office (ICO) has fined Facebook £500,000 for serious breaches of data protection law. In July, the ICO issued a Notice of Intent to fine Facebook as part of a wide ranging investigation into the use of data analytics for political purposes. After considering representations from the company, the ICO has issued the fine to Facebook and confirmed that the amount – the maximum allowable under the laws which applied at the time the incidents occurred - will remain unchanged. The full penalty notice can be read here. The ICO’s investigation found that between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply ‘friends’ with people who had. Facebook also failed to keep the personal information secure because it failed to make suitable checks on apps and developers using its platform. These failings meant one developer, Dr Aleksandr Kogan and his company GSR, harvested the Facebook data of up to 87 million people worldwide, without their knowledge. A subset of this data was later shared with other organisations, including SCL Group, the parent company of Cambridge Analytica who were involved in political campaigning in the US. Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. In the case of SCL Group, Facebook did not suspend the company from its platform until 2018. The ICO found that the personal information of at least one million UK users was among the harvested data and consequently put at risk of further misuse.

 


 

Edited and compiled by

 

James Aguilan


Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through simulated cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in civil litigation or criminal investigations. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.