17 May 2019
WhatsApp fixes a critical vulnerability that let attackers install spyware on phones
Popular instant messenger WhatsApp was discovered having a serious security hole in the application. A buffer overflow vulnerability in WhatsApp could have allowed attackers to install spyware on mobiles. It was reported that the spyware could be installed through a WhatsApp audio call made to victims, regardless of whether they answered the call or not. The vulnerability was actually identified by WhatsApp in the first week of May but it took a few days to work on this issue. The Facebook-owned company has disclosed the details of this vulnerability in a security advisory. According to the advisory published this month, the bug, designated as CVE-2019-3568, is a buffer overflow vulnerability existing in WhatsApp VOIP stack that allowed remote code execution(RCE). RCE could be carried out using a specially crafted series of SRTCP packets sent to victims having WhatsApp. The bug is reportedly patched in WhatsApp versions v2.19.134 (Android), v2.19.51 (iOS), v2.18.348 (Windows Phone) and v2.18.15 (Tizen). Users are advised to update to the latest version using their respective app store. In a statement to The Financial Times, WhatsApp actually told that a private company was abusing this vulnerability to conduct cyber espionage. “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society,” said WhatsApp. It is speculated that the Pegasus spyware, created by the NSO group, was largely exploiting this vulnerability.
Attackers compromised Best of the Web Trust Seal to inject keyloggers
A security researcher named Willem de Groot discovered that the Trust Seal of Best of the Web has been compromised and contains two different keyloggers. Best of the Web’s Trust Seal script which was hosted on Amazon’s content delivery network (CDN) has been compromised by attackers. The Trust Seal script was compromised to deploy two key logging scripts that are designed to sniff keystrokes from visitors. The security researcher who uncovered the issue notified Best of the Web, and the company responded quickly by fixing the issue. The company also notified all the potentially impacted customers about the incident. “Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again,” Best of the Web told BleepingComputer. The compromised Trust Seal script is present on hundreds of websites including xcoins, Custom Equipment Company, Office stationery, and more. The keystroke logging scripts uncovered by de Groot were encoded, however, the security researcher managed to decode them. The company is currently conducting a complete security audit of its hosted accounts in order to avoid such incidents from happening in the future.
Security flaw in over 25,000 Linksys routers exposes sensitive information
More than 25,000 Linksys Smart Wi-Fi routers have been discovered to leak sensitive information, thanks to a security flaw. Security researcher Troy Mursch of Bad Packets LLC, came across the flaw when the company’s honeypot software scanned the vulnerable devices. It was found that the routers permitted unauthenticated remote access to sensitive information. In his blog, Troy Mursch tells that the flaw, identified as CVE-2014-8244, could be exploited by fetching details of JNAP protocol present in the device, from a browser. This was done by entering the Smart Wi-Fi router’s public IP address in the browser and then accessing the developer console. The researcher also highlighted that the leak could be perpetrated by sending a request to a specific JNAP endpoint, which he mentions in the blog. The scans by the honeypot software revealed that 25,617 Linksys Smart Wi-Fi routers leaked sensitive information. This mainly included MAC addresses, names, and operating systems of the devices connected to these routers. Sensitive information of the routers was also exposed. This included WAN settings, Firewall status, firmware update settings, and DDNS settings. Mursch also emphasized that attackers could bank on default passwords existing in most of these smart routers. “Our scans have found thousands of routers are still using the default password and are vulnerable to immediate takeover – if they aren’t already compromised,” he said. Among the 25,617 vulnerable routers detected, nearly half of them (11,834) were located in the US.
Ever-changing Hworm RAT found in new variant
Security researchers have discovered a new version of the infamous Hworm a.k.a njRAT. According to researchers from Morphisec, a security firm based in Israel, njRAT had a new obfuscation technique to evade from security software installed on the victims’ computers. In their blog, Morphisec researchers indicate that this new version uses a fileless VBScript injector that leveraged DynamicWrapperX. This component has also been reportedly used by other RATs such as DarkComet, and KilerRAT, among others. Hworm’s attack campaign works in two stages. The first stage involves an obfuscated or encoded VBS file dropped into the victim system. This file has three base64 streams, with one of them holding the DynamicWrapperX. A script downloaded by DynamicWrapperX checks if the infected system is 64-bit or not to decide the right attack script and then goes on to drop Hworm. The second stage forms the execution part of Hworm where it takes over the victim computer. Researchers suggest that the new version of Hworm might be used by threat actors for large phishing attacks. “Today we see this attack employed on a regular basis as part of widespread spam phishing campaigns - if successful, Hworm gives the attacker complete control of the victim’s system,” the researchers wrote. Cyber attacks leveraging Hworm are known to target the energy industry, primarily in the Middle East. However, this new version might also be used to target other countries.
Bluetooth-enabled Titan security keys found with a serious security hole, Google offers free replacement
Titan Security Keys, Google’s security product meant for two-factor authentication (2FA), was found to have a security vulnerability. The Bluetooth Low Energy (BLE) version of the security key could be exploited by an outsider to sign into user accounts and possibly control devices connected to them. Currently, Titan security keys are available in the US market only. According to a blog published by Christiaan Brand, Product Manager for Google Cloud Platform, an attacker at a distance approximately 30 feet from the user could intercept the security key or the device on which it is paired. However, Brand mentions that the attackers can only achieve this if they meet certain conditions. In order to mitigate this flaw, Google has offered free replacements for users with Titan security keys. The method described by Brand involves an attacker being in close physical proximity with the user who tries to sign on a device with the Bluetooth security key. The attacker could connect their devices to the key at this time before the user does. Attackers could also disguise their devices as security keys during the time when users pair their devices with the key. If users accidentally connect to the attacker(s)’ device, the latter could potentially take over the user account as well as their device. Google is issuing free replacements for Bluetooth Titan security keys. Users are advised to avail them as soon as possible. However, the tech giant suggested using these keys until users get the replacement. “Current users of Bluetooth Titan Security Keys should continue to use their existing keys while waiting for a replacement, since security keys provide the strongest protection against phishing,” suggested Brand, in his blog.
Multiple Russian government sites leak passport and personal data of over 2.25 million citizens
Ivan Begtin, the co-founder of Russian NGO Informational Culture, discovered that multiple Russian government websites are leaking the personal and passport data of over 2.25 million citizens, including those belonging to government officials and high profile politicians. Begtin uncovered almost 23 Russian government sites that leaked SNILS numbers and another 14 sites that leaked passport details. These sites also exposed other personal information such as names, email addresses, designation, place of work, and tax identification numbers. Begtin noted that certain data leaks were harder to identify and required extraction of metadata from digital signature files, while some were easily identified using a Google search for open web directories on government sites. Begtin conducted extensive research by investigating government online certification centers, an e-bidding platform used by government agencies, and almost 50 government portals. He then posted a three-part blog series about the data leak. He also notified Roskomnadzor, the Russian government agency in charge of data privacy, almost 8 months ago about the breach. He attempted to contact the government authorities several times but failed to get a response from them. Later, Begtin shared his findings with Russian news site RBC, which published an in-depth article. RBC conducted an investigation and found out that the passport and personal details also belonged to several high-profile Russian government officials including the deputy chairman of the Russian Duma (Parliament) Alexander Zhukov, former deputy prime minister Arkady Dvorkovich, and former deputy prime minister Anatoly Chubais.
ARIN uncovers over 757,760 IPv4 addresses obtained through a fraud scheme
American Registry for Internet Numbers (ARIN) has uncovered a fraud scheme in late-2018. Almost 757,760 IPv4 addresses worth between $9,850,880 and $14,397,440 were fraudulently obtained in this scheme. ARIN distributes Internet number resources such as IPv4, IPv6, and Autonomous System numbers to organizations across the United States, Canada, and the Caribbean and North Atlantic islands. ARIN was able to uncover and revoke the fraudulently obtained IPv4 addresses following the arbitration under an ARIN Registration Services Agreement in the U.S. District Court for the Eastern District of Virginia. ARIN noted that some of the defrauded IPv4 addresses had been transferred to bonafide purchasers out of the ARIN region. According to the Department of Justice (DoJ) press release, the two accused parties behind the fraud scheme, Amir Golestan and Micfo, are charged in federal court in a twenty-counts of wire fraud indictment, with each count punishable by up to 20 years of imprisonment. “The indictment alleges that since February 2014, Golestan and Micfo created and utilized ‘Channel Partners’ which purported to consist of several individual businesses, all of whom acquired the right to IP addresses from the American Registry of Internet Numbers (ARIN),” the press release read. ARIN President and CEO John Curran said that they are investigating suspected cases of fraud against ARIN and will revoke and report the illegal activity to law enforcement authorities. “Fraud will not be tolerated. The vast majority of organizations obtain their address space from ARIN in good faith according to the policies set out by the community. However, ARIN detected fraud as a result of internal due diligence processes, and took action to respond in this particularly egregious case,” Curran said.