11 January 2019
Student Held for Leaking Data of Almost 1000 German Politicians
The German police have identified a 20-year-old student as the source of a massive leak that exposed the personal data of almost 1000 German politicians and public figures online. The hacker went by the pseudonyms ‘G0T’ and ‘Orbit’ and has been accused of spying, leaking data and unwarranted publication of personal data. “During the interrogation, the defendant stated that he had acted alone in the data spying and unauthorized data releases. The investigation has so far revealed no evidence of third-party participation. As to his motivation, the suspect stated that he acted out of annoyance over public statements made by the politicians, journalists and public figures concerned,” said the Federal Criminal Police Office of Germany in a press release, Bank Info Security reported. Links to caches of personal data of German politicians were published on two different Twitter accounts in December and went unnoticed until January. The leak was detected only after it was reported by major media outlets. It contained mostly contact information of the affected individuals, including private email addresses and phone numbers. Around 50 to 60 individuals had their Facebook messages, photos, home addresses and bank account details exposed. Those affected include journalists, elected officials and politicians. However, no information related to the right-wing Alternative for Germany (AfD) was released in the breach. Investigators believe that no malware or exploit kit was used to obtain the data. Instead, the hacker may have gained access by cracking passwords; weak passwords are suspected to be the primary cause of the breach.
Advanced Phishing Tool With Automation Can Now Bypass Two-Factor
A new tool has been released that targets 2FA, or two-factor authentication. Known as Modlishka (‘mantis’ in English), the tool not only automates phishing but also defeats 2FA. Piotr Duszynski, the researcher behind the tool, says that it can bypass most of the current 2FA authentication schemes. Duszynski built Modlishka to help red-team penetration testers reinforce their own phishing assessments. The striking feature of the tool is its reverse proxy functionality, which can defeat most forms of 2FA. In essence, Modlishka places itself as a server between a user and a website (Gmail, for example). The server captures every action by the user (including passwords and 2FA tokens) without the user’s knowledge and makes them readily available to the attacker. Modlishka’s ease of use makes it an ideal tool for automated phishing. In addition, attackers no longer need to build a time-consuming phishing template for every target site. All Modlishka requires is a domain name and a TLS certificate to operate on the host environment. “At the time when I started this project (which was in early 2018), my main goal was to write an easy-to-use tool, that would eliminate the need of preparing static web page templates for every phishing campaign that I was carrying out,” Duszynski told ZDNet. Since Modlishka has not yet been tested extensively in automated phishing, only time will tell how effective it is. Notably, the tool fails against U2F, a hardware-based protocol: a U2F token signs the origin of the site requesting authentication, so a response obtained through a proxy domain is not valid for the real site. Future releases might nevertheless attempt improvements against U2F and make the tool more capable than it is currently.
IcePick-3PC malware steals device IP addresses through compromised third-party website tools
Researchers detected a new malware strain dubbed ‘IcePick-3PC’ which is capable of stealing device IP addresses by hijacking a website’s third-party tools. The malware has affected several publishers and e-commerce businesses, including in the retail and healthcare industries. Researchers from The Media Trust spotted the malware when it was used to spam device owners via a phishing campaign. The phishing scam offered gift cards from Amazon and Walmart, urging users to share their personal information to claim their prizes. Michael Bittner, Digital Security & Operations Manager at The Media Trust, explained in a blog post that IcePick-3PC steals device IP addresses by compromising a website’s third-party tools, which are often pre-loaded onto client platforms by self-service agencies. The tools are designed to incorporate animation content via HTML5. When a user visits a website with a compromised third-party library, the malware runs a series of checks on the user’s device before executing. “The malware conducts the usual checks on user agent, device type, whether the device is an Android device, battery level, device motion and orientation, and referrer,” the blog post read. Once the checks are completed, the malware opens an RTC peer connection between the infected device and a remote peer and sends the extracted device IP address to the attacker. “The DSO suspects, given the malware’s level of sophistication and advanced techniques, that it is likely the product of dark code from organized cybercrime rings. If this is the case, the attack on recognized publishers and e-commerce businesses might portend a larger-scale attack, or, at the minimum, the illegal trading of user information in the near future,” the blog post added.
Vulnerability in Microsoft Office exposes user information and local machine information
A vulnerability in Microsoft Office allowed documents with embedded ActiveX controls to leak local machine information and user information, including passwords. The vulnerability was detected by Mimecast Research Labs in November 2018, and Mimecast reported it to Microsoft on November 6. Mimecast explains in a report that the vulnerability exists because MSO.DLL improperly leaks the contents of its process memory into saved documents. An attacker who exploits this vulnerability could gain access to information stored in that memory, such as passwords, HTTP requests, certificates, domain information and other user information, which could in turn help attackers compromise systems. “This memory leak leads to the permanent writing of memory content into different Microsoft Office files and thus, the potential for the unintended leakage of sensitive information and local machine information. If known, this is the type of data that could be useful to cybercriminals for executing a malware-enabled, remote execution attack and at least as important—to steal sensitive information,” Matthew Gardiner, Director of Product Marketing, explained, Softpedia reported. Microsoft explained that in order to exploit the vulnerability, an attacker would have to create a specially crafted document and trick the victim into opening it; the attacker must also know the memory address at which the object was created. Microsoft has already released patches for all the affected Office products with an ‘Important’ severity rating. Installing the January 2019 security updates resolves the vulnerability.
Unprotected MongoDB instance containing almost 200 million CVs exposed online
An open and unprotected MongoDB instance containing 202,730,434 resumes of Chinese jobseekers was left publicly accessible for at least one week. The database held almost 854 GB of data. On 28 December 2018, Bob Diachenko, Director of Cyber Risk Research at Hacken and the bug bounty platform HackenProof, discovered the unsecured database while analyzing the data stream of the BinaryEdge search engine. The exposed CVs contained personal information such as full names, dates of birth, addresses, phone numbers, email addresses, marital status, number of children, political affiliations, body measurements like height and weight, literacy level, salary expectations, education, previous job experience, and more, Diachenko explained in a blog post. Diachenko could not identify the owner of the database, so he took to Twitter to look for the owner. He tweeted, “Just came across a giant database with more than 202 Million Chinese CVs, with pretty much detailed info. - name, email, phones, genders, child counts, marriage status, politics stat (?) - and, of course, skills, work history etc. Any ideas where to report?” One of Diachenko’s followers pointed out a GitHub repository for an app named data-import which contained the app’s source code. The app’s purpose was to scrape CVs from legitimate job-finding portals. “One of the primary sources from where the app appears to have scraped CVs is bj.58.com, a popular Chinese job portal, however other portals could have been scraped as well,” Diachenko told ZDNet. Diachenko contacted bj.58.com, and one of its representatives confirmed that the data came from a data scraper and did not leak from its storage. “We have searched all over the database and investigated all the other storage, and concluded that the sample data is not leaked from us,” a representative for bj.58.com said. “It seems that the data is leaked from a third party who scrapes data from many CV’s websites,” the representative concluded.
Interestingly enough, the unprotected open database was secured a week later.
DNS hijacking campaign traced back to Iran
A recent DNS hijacking campaign has successfully targeted organizations globally. The series of attacks affected commercial entities, government agencies, Internet infrastructure providers, and telecommunications providers across North America, North Africa, and the Middle East. Researchers believe a group operating out of Iran is responsible for the DNS hijacking attacks. Researchers from FireEye have been tracking the DNS attacks for the last several months and published a blog post based on their analysis on January 9, 2019. “We have so far not been able to attribute the attacks to any particular threat group. However, available evidence including IP addresses and the machines used to intercept, record, and forward network traffic suggests the attacker is based in Iran,” the researchers said. The researchers said that the attackers manipulated DNS records using at least three different methods. In the first technique, the attackers modified DNS A records, which map domain names to IP addresses, so that traffic bound for a victim domain is redirected through infrastructure controlled by the attackers. In the second technique, the attackers modified DNS NS records, pointing a victim organization’s nameserver record to a domain controlled by the attackers. The third technique combines the previous two with a redirector that returns the legitimate IP addresses for requests originating outside the targeted organization, so that only the intended victims receive the attacker-controlled answers.
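The three manipulations above are detectable by comparing live answers against a known-good baseline, and the third one only by resolving from more than one vantage point. The following added example (not FireEye's or the article's code) does that comparison over constructed sample answers; all names and addresses are made up from the RFC 2606 and RFC 5737 documentation ranges.

```python
# Added example: baseline check for A-record tampering, NS-record tampering,
# and split ("redirector") answers. Constructed sample data, not real records.

EXPECTED_A = {"mail.example.org.": {"192.0.2.10"}}
EXPECTED_NS = {"ns1.example.org.", "ns2.example.org."}

# Answers for each name as observed from several resolvers. A real monitor
# would fill this from periodic lookups performed from different networks.
OBSERVED_A = {
    "mail.example.org.": {
        "corporate-lan": {"198.51.100.7"},   # what staff inside the org see
        "external-vps": {"192.0.2.10"},      # what an outside observer sees
    }
}
OBSERVED_NS = {"ns1.example.org.", "ns.redirector.example."}


def check_dns(expected_a, expected_ns, observed_a, observed_ns):
    """Return a list of findings; an empty list means records match the baseline."""
    findings = []
    # Technique 1: an A record rewritten to an attacker-controlled address.
    for name, expected in expected_a.items():
        for vantage, seen in observed_a.get(name, {}).items():
            rogue = seen - expected
            if rogue:
                findings.append(
                    f"A-record drift: {name} resolves to {sorted(rogue)} from {vantage}")
    # Technique 2: an NS record pointed at a nameserver the organization does not own.
    rogue_ns = observed_ns - expected_ns
    if rogue_ns:
        findings.append(f"NS-record drift: unexpected nameservers {sorted(rogue_ns)}")
    # Technique 3: a redirector answers honestly to outsiders but not to the target,
    # so a check from a single vantage point passes. Disagreement between vantage
    # points is the signal.
    for name, by_vantage in observed_a.items():
        answers = {frozenset(v) for v in by_vantage.values()}
        if len(answers) > 1:
            findings.append(
                f"Split answers for {name}: {sorted(tuple(sorted(a)) for a in answers)}")
    return findings


if __name__ == "__main__":
    for line in check_dns(EXPECTED_A, EXPECTED_NS, OBSERVED_A, OBSERVED_NS):
        print(line)
```

Running a check like this against the registrar's published NS set as well as the zone itself matters, since the NS change in the campaign was made at the delegation rather than inside the victim's own zone file.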
Privilege escalation flaws discovered in the IntelHD5000 kernel extension of Apple OSX 10.13
Researchers from Cisco Talos have discovered critical vulnerabilities in the IntelHD5000 kernel extension of Apple OSX 10.13. The flaws could allow attackers to gain escalated privileges on targeted devices. The bugs are tracked as CVE-2018-4456 and CVE-2018-4421 and exist in the kernel extension’s handling of graphics resources in macOS High Sierra. Describing the flaws, Tyler Bohan of Cisco Talos said, “A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.” The two vulnerabilities differ slightly in which values can be replaced and what they can be replaced with. “The issue itself arises in the IntelAccelerator user client type 6, IGAccelSharedUserClient. The kernel extension is responsible for resource delegation in regards to graphics processing. The data stored and returned here gets passed through into the GPU for rendering and processing. There are multiple methods for allocating and deleting resources as well as creating shared memory with userspace,” said Bohan. Exploiting the vulnerabilities requires a library to be inserted into the VLC media application, which then causes an out-of-bounds access inside the KEXT (kernel extension). “Apple kernel extension shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit,” Bohan added. Apart from these two vulnerabilities, the researchers also claim to have discovered a third issue, to which no CVE number has been assigned yet. The issues affect Apple OSX 10.13.4 running on MacBookPro11.4.
Given the potential risks associated with the vulnerabilities, Bohan advises users to patch their systems with the security update that was released in early December 2018.