- Exploit -

Last update 28.09.2017 14:51:09

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5  6  7  8 



Zero-day exploit (CVE-2018-8453) used in targeted attacks
13.1.0218 Kaspersky
Exploit  Vulnerebility

Yesterday, Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. We reported this vulnerability to Microsoft on August 17, 2018. Microsoft confirmed the vulnerability and designated it CVE-2018-8453.

In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.

So far, we detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.

Kaspersky Lab products detected this exploit proactively through the following technologies:

Behavioral detection engine and Automatic Exploit Prevention for endpoints
Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)
Kaspersky Lab Verdicts for the artifacts in this campaign are:

HEUR:Exploit.Win32.Generic
HEUR:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic
More information about this attack is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com

Technical details
CVE-2018-8453 is a Use-After-Free inside win32kfull!xxxDestroyWindow that resembles an older vulnerability — CVE-2017-0263. CVE-2017-0263 was originally deployed by the Sofacy APT, together with a PostScript exploit, back in 2017.

For technical analysis of the vulnerability, we completely reverse-engineered the ITW exploit sample obtained and rewrote it into a full Proof of Concept.

The exploitation of this vulnerability depends on a sequence of events that are performed from hooks set on three usermode callback functions – fnDWORD, fnNCDESTROY, and fnINLPCREATESTRUCT. The exploit installs these hooks by replacing the function pointers in the KernelCallbackTable:

Hooked functions in the Kernel Callback Table

Inside the fnINLPCREATESTRUCT hook, the exploit initializes a “SysShadow” window by explicitly assigning a position to it:

Usermode hook on fnINLPCREATESTRUCT initializes SysShadow

When processing the WM_LBUTTONDOWN message, the fnDWORD hook executes the DestroyWindow function on the parent, which results in the window being marked as free and subsequently freed by the garbage collector.

The issue lies inside the fnNCDESTROY hook that is performed during execution of the DestroyWindow function. This hook executes the NtUserSetWindowFNID syscall, which contains a flawed logic to change the fnid status of the window without properly checking if it is set to FNID_FREED.

Vulnerable code inside NtUserSetWindowFNID

The fnid status of the window is located at offset 0x02a in the tagWND structure:

kd> dt win32k!tagWND

+0x02a fnid : Uint2B

When the scrollbar is initially created, it has the value FNID_SCROLLBAR (0x029A).

The next diagram shows the value of fnid prior and after execution of the NtUserSetWindowFNID syscall:

Scrollbar fnid prior and after execution of NtUserSetWindowFNID syscall

We can check what the new fnid value is by verifying it against the ReactOS source code:

/* FNIDs for NtUserSetWindowFNID, NtUserMessageCall */
#define FNID_SCROLLBAR 0x029A

#define FNID_BUTTON 0x02A1

#define FNID_FREED 0x8000 /* Window being Freed… */

This action results in the first scrollbar being destroyed, while the system still maintains a reference to a “SysShadow” class, as the scrollbar fnid is no longer marked as FNID_FREED, but as FNID_BUTTON instead.

To successfully reclaim the freed memory pool, the exploit contains a number of different feng shui tactics. The spray procedure is dependent on the exploited Windows version, and because the exploit targets a wide range of operating systems, it includes five separate functions for spraying:

Heap spraying procedures supported in the exploit

For the latest supported version (Windows 10 RS4), the spray tactic is quite complicated. The kernel is sprayed with bitmap objects of different size. This is required to exhaust the memory allocator to eventually bypass the Low Fragmentation Heap security mitigations that were significantly improved in the latest Windows builds:

Heap Feng Shui technique for Windows RS4 17134

This leads to the following memory layout, where USERTAG_SCROLLTRACK is the freed pool allocation:

Freed scrollbar heap allocation

When another scrollbar is allocated, the SysShadow class memory reference is reused, but its contents are attacker-controlled, because the freed Usst (ffffee30044b2a10) and Gpbm (ffffee30044b2a90) pools were merged into a single block:

Freed allocation is merged with the following pool

This results in a powerful arbitrary kernel Read\Write using GDI Bitmap primitives that works even on the latest Windows versions.

Following successful exploitation, a slightly modified Token-stealing payload is used to swap the current process Token value with the one from the SYSTEM EPROCESS structure:

Modified Token-stealing payload process

So far, we’ve observed the usage of this exploit in a small number of targeted attacks, when the exploit is packaged in a malware installer. The installer requires system privileges to install its payload. The payload is a sophisticated implant, used by the attackers for persistent access to the victims’ machines. Some of its main characteristics include:

Encrypting the main payload using AES-256-CBC with the SHA-1 of the SMBIOS UUID (this makes it impossible to decrypt the payload on machines other than the victim, if the SMBIOS UUID is not known)
Using Microsoft BITS (Background Intelligent Transfer Service) for communicating with its C&C servers, an unusual technique
Storing the main payload in a randomly named file on disk; the loader contains a hash of the filename and attempts to find the payload by comparing the filename hash for all files in the Windows directory
More details on this malware and the APT behind it are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

Victims
The distribution of the attack seems to be highly targeted, affecting less than a dozen victims in the Middle East region, according to our telemetry.

Attribution
During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.

Conclusion
Even when deploying 0-days seems to be more frequent than it used to be, this would be the second time we have spotted FruityArmor using one of them to distribute its malware. This points to the resources and sophistication of this actor, along with the advanced final-stager they distribute.

So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.

We believe that although FruityArmor´s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar.

Appendix I – Indicators of compromise:
Domains:
weekendstrips[.]net
shelves-design[.]com


Hackers Exploit Drupalgeddon2 to Install Backdoor
12.10.2018 securityweek
Exploit

A threat actor was observed targeting Drupal vulnerabilities patched earlier this year to install a backdoor on compromised servers, IBM reports.

The hackers target CVE-2018-7600, or Drupalgeddon2, a critical vulnerability found to impact Drupal versions 6, 7 and 8, but which was addressed in March this year. Assigned a risk score of 21/25, the vulnerability could be exploited to gain full control over a site, including access to non-public data.

Within weeks after a patch was released and the vulnerability became public, the first attempts to exploit it were observed. Soon after, while cybercriminals were targeting vulnerable sites with backdoors and crypto-miners, Drupal patched another highly critical flaw related to Drupalgeddon2.

Now, IBM’s security researchers reveal that both vulnerabilities are being targeted in a series of attacks that appear to be part of a financially-motivated campaign aiming at mass-infecting vulnerable Drupal websites. Although both security bugs have been patched, delays in applying fixes make them persistent.

The researchers observed that the same HTTP POST request was being repeatedly sent from the same IP address, which then revealed similar traffic from multiple command-and-control (C&C) servers. Part of a widespread cyber-attack, the requests would download a Perl script to launch the Shellbot backdoor.

The Shellbot malware would connect to an Internet Relay Chat (IRC) channel and use it to receive instructions. The bot contains functionality to perform distributed denial-of-service (DDoS) attacks, as well as to scan for SQL injection weaknesses and other vulnerabilities, in an attempt to reach root level on the victimized system.

“The vulnerabilities used in this campaign were leveraged in an automated way, allowing attackers to scan a large number of websites with minimal effort. Moreover, if successfully exploited, the flaw could lead to a potential compromise of the web application with the possibility of spilling over to the underlying operating system as well,” IBM notes.

Around since 2005, Shellbot was designed to open remote command line shells, launch DDoS attacks, run tasks and processes, download additional files onto the infected system, and change the endpoint’s settings, among others.

Although old, Shellbot is being used by several threat groups, and the security researchers observed it last year in attacks targeting an Apache Struts vulnerability (CVE-2017-5638) as well, when it was packaged as the C&C with the PowerBot malware, which dropped crypto-mining modules.

“It costs a lot of time and money to find or buy a zero-day flaw — two resources cybercriminals are typically not willing to invest. It is much more lucrative to use existing vulnerabilities such as Drupalgeddon and attack code in an automated way, especially when users delay patching and updating their applications,” IBM concludes.


KeyBoy Abuses Popular Office Exploits for Malware Delivery
11.10.2018 securityweek
Exploit  Virus

A group of hackers believed to be operating out of China was observed using popular Microsoft Office exploits for the delivery of malware.

The actor, known as KeyBoy, was first identified in 2013 and has been observed mainly targeting governments and other organizations in South East Asia. The group continues to be active, although it has expanded the targets list, and even hit the energy sector.

Recently, the group was seen abusing an open source version of the popular CVE-2017-0199 exploit to target India's Ambassador to Ethiopia. The actor used a phishing email with an attached document that would download and execute a script to install the final payload.

According to AlienVault, which has been tracking KeyBoy’s whereabouts, the group has been also testing the use of another exploit generator. Because the actor didn’t change the default settings in the tool, the document meta-data included obvious hints that the document was malicious.

In this case, however, the data hinted at another Office exploit that was previously abused in attacks, namely CVE-2017-8570.

The attacks, AlienVault says, were meant to drop the malware family known as TSSL to the victims’ computers. The malware had been associated with the group last year, and was present in more recent attacks as well.

In August 2018, Citizen Lab detailed a campaign targeting Tibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration, where TSSL was also used. They linked the campaign to a larger operation called Tropic Trooper, which was ousted in 2016.

The group also continued delivering the Android malware family known as Titan, AlienVault’s security researchers reveal. While the infections continue, however, only older sources of the files have been identified.

The files were traced back to a user posting malicious APKs on a Taiwanese site (apk.tw) for downloading Android applications. However, the individual stopped posting several years ago, and the researchers couldn’t identify a new source of Titan samples.


Zerodium disclose exploit for NoScript bug in version 7 of Tor Browser
11.9.2018 securityaffairs
Exploit

Zero-day broker Zerodium has disclosed a NoScript vulnerability that could be exploited by attackers to execute arbitrary JavaScript code in the Tor Browser.

NoScript is a popular Firefox extension that protects users against malicious scripts, it only allows the execution of JavaScript, Java, and Flash plugins on trusted websites

Bug broker Zerodium has discovered a NoScript vulnerability that could be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum level is used. The exploit bypasses the protection implemented by NoScript.

The company also provided instruction to exploit the flaw in the following Twitter message:

Zerodium

@Zerodium
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.

2:23 PM - Sep 10, 2018
1,043
921 people are talking about this
Twitter Ads info and privacy
Security researcher @x0rz also posted a proof of concept script to show that is very easy to exploit the flaw.

x0rz
@x0rz
Very easy to reproduce the Zerodium Tor Browser 7.x NoScript bypass vulnerability https://gist.github.com/x0rz/8198e8e22b1f70fddb9c815c1232b795 … #TorBrowser #vulnerability

4:10 PM - Sep 10, 2018
671
452 people are talking about this
Twitter Ads info and privacy
The latest version of the Tor Browser 8 is not affected, this means that users have to update their oldest versions as soon as possible.

The flaw resides in the NoScript Firefox extension and affects the Tor Browser that is based on Firefox.

The Italian hacker Giorgio Maone that developed the extension patched the bug in a couple of hours and addressed the problem with the release of the version 5.1.8.7.

Giorgio Maone
@ma1
· Sep 10, 2018
Replying to @ma1
Fixed in 5.1.8.7 "Classic": https://noscript.net/getit#classic

You may need to open about:config and set your xpinstall.signatures.required to false in order to install, since Mozilla doesn't support signing for "Classic" (legacy) add-ons anymore.

Giorgio Maone
@ma1
I said FIXED, guys :)
Get 5.1.8.7 here:http://noscript.net/getit#classic

4:27 PM - Sep 10, 2018
17
See Giorgio Maone's other Tweets
Twitter Ads info and privacy
Maone explained that only the “Classic” branch of NoScript 5 is impacted, according to the expert the flaw was introduced in May 2017 with the release of NoScript 5.0.4.

It exists due to a “work-around for NoScript blocking the in-browser JSON viewer.”

Tor Browser flaw

Tor Project team pointed out that this bug is a Tor Browser zero-day flaw, instead of a NoScript issue.

“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.

“If a user sets his Tor browser security level to ‘Safest’ to block JavaScript from all websites (e.g. to prevent browser exploits or data gathering), the exploit would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code despite the maximum security level being used, making it totally ineffective,” Chaouki Bekrar, the CEO of Zerodium, told SecurityWeek.

Bekrar confirmed to have acquired the zero-day vulnerability “many months ago” and shared it with law enforcement and government customers.

The worrying news is that Bekrar confirmed to have acquired “high-end Tor exploits” as part of its bug bounty program. In September the ZERODIUM announced it will pay up to $1 million for fully working zero-day exploits for Tor Browser on Tails Linux and Windows OSs.

Bekrar highlighted that the exploits have been used by its customers to “fight crime and child abuse, and make the world a better and safer place for all.”

Don’t waste time, upgrade your browser to the newest release.


Fallout exploit kit appeared in the threat landscape in malvertising campaigns
10.9.2018 securityaffairs
Exploit

At the end of August, security experts discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware.
At the end of August, the threat analyst nao_sec discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware and other malicious codes, including droppers and potentially unwanted programs (PUPs).

Once deployed on a compromised website, the exploit kit leverages the CVE-2018-4878 Adobe Flash Player and the CVE-2018-8174Windows VBScript engine vulnerabilities to deliver a malware on the visitors’ machines.

“At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using html) and URL pattern are similar to Nuclear Pack Exploit Kit. Therefore we named it “Fallout Exploit Kit”. Fallout Exploit Kit is using CVE-2018-4878 and CVE-2018-8174. That code is distinctive and interesting.” reads a blog post published by nao_sec.

At the time of the discovery, the exploit kit was delivering and installing the SmokeLoader downloader that was used to download the CoalaBot and another unidentified malware.

“The exe file executed by shellcode is “Nullsoft Installer self-extracting archive”. This will run SmokeLoader and two exe files will be downloaded” continues the analysis.

The Fallout exploit kit was also observed by FireEye in a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

The security firm observed the exploit kit installing the GandCrab Ransomware on Windows machines, it was also used to redirect macOS users to pages promoting fake antivirus software or fake Adobe Flash Players.

fallout exploit kit

The exploit kit will first attempt to exploit VBScript, then it will try to exploit the Flash Player flaw.

Once the exploit code is executed, it will download and execute a Trojan onto Windows systems. The malicious code then enumerates all running processes, creates their crc32 checksums, and compare them against a list of blacklisted checksum associated with virtual machines and analysis tools such as:

vmwareuser.exe
vmwareservice.exe
vboxservice.exe
vboxtray.exe
Sandboxiedcomlaunch.exe
procmon.exe
regmon.exe
filemon.exe
wireshark.exe
netmon.exe
vmtoolsd.exe
If none of the above processes is running on the infected machine the Trojan will download and execute a DLL that installs the GandCrab ransomware.

Further details including the IoCs are included in both reports published by FireEye and nao_sec.


Researchers Discover New "Fallout" Exploit Kit
8.9.2018 securityweek
Exploit

A recently discovered exploit kit (EK) has been used in a campaign targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

Dubbed Fallout, the new EK has been targeting users in Japan with the SmokeLoader Trojan, but has been also observed delivering the GandCrab ransomware in the Middle East. Before dropping the payload, however, the EK fingerprints the browser profile to identify targets of interest.

Targeted users are redirected from a genuine advertiser page to the exploit kit landing page URL via multiple 302 redirects, FireEye’s security researchers have discovered.

Based on the user’s operating system and browser, the attack either delivered the EK directly or attempts to reroute the victim to other social engineering campaigns. macOS users in the United States, for example, are redirected to social engineering attempts posing either as anti-virus software or Flash updates.

“The strategy is consistent with the rise of social engineering attempts FireEye has been observing for some time, where bad actors use them to target users that are on fully patched systems or any OS/software profile that is not ideal for any exploit attempts due to software vulnerability,” the security firm notes.

The campaign, FireEye says, has been targeting entities in the government, telecom and healthcare sectors.

Fallout’s landing page only contained code for a VBScript vulnerability at first, but Flash embedding code was later added for it, the security researchers reveal. The VBScript loads a JScript function that decodes malicious next stage VBScript to exploit CVE-2018-8174 and executes shellcode that downloads, decrypts and executes a payload.

The dropped file contains PE loader code for initial loading and final payload execution. An unpacked DLL enumerates all running processes, creates their crc32 checksums, and tries to match them against a list of blacklisted checksums.

If any is found, the malware enters an infinite loop. If the check passes, a new thread is started. The malware checks its own image path, OS version, and architecture.

Depending on the Windows version and architecture, the malware attempts to take ownership of ctfmon.exe or rundll32.exe, or replace them with a copy of itself. It also adds itself to startup and reboots the system.

If it fails to replace the targeted system files successfully, the malware copies itself at a different location and then executes via ShellExecuteW.

The final payload in this attack is the GandCrab ransomware, which is being fetched and manually loaded into memory by the malware.

“In recent years, arrests and disruptions of underground operations have led to exploit kit activity declining heavily. Still, exploit kits pose a significant threat to users who are not running fully patched systems. Nowadays we see more exploit kit activity in the Asia Pacific region, where users tend to have more vulnerable software. Meanwhile, in North America, the focus tends to be on more straightforward social engineering campaigns,” FireEye concludes.


Recently uncovered PowerPool Group used recent Windows Zero-Day exploit
7.9.2018 securityaffairs
Exploit

Security experts from ESET observed a treat actor, tracked as PowerPool, exploiting the recently disclosed Windows zero-day flaw in targeted attacks.
The vulnerability was publicly disclosed on August 27 by the security expert “@SandboxEscaper,” the researcher also published the exploit code for the vulnerability.

The vulnerability affects Microsoft’s Windows operating systems that could be exploited by a local attacker or malicious program to obtain system privileges on the vulnerable system.

The vulnerability resides in the Windows’ task scheduler program and ties to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

Microsoft was expected to address the vulnerability in September security Patch Tuesday, that is scheduled for September 11, but the news of live attacks exploiting the issue could force the company to roll out a patch sooner.

Security community 0patch has also released an unofficial patch for the vulnerability.

Now security researchers from ESET reported the local privilege escalation vulnerability has been exploited by a previously unknown group tracked as PowerPool.

“As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool.“reads the analysis published by ESET.

“This group has a small number of victims and according to both our telemetry and uploads to VirusTotal (we only considered manual uploads from the web interface), the targeted countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine.”

The threat actor leveraged the Windows zero-day exploit in targeted attacks against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines, and Poland.

According to ESET, attackers have modified the publicly available exploit source code and recompiled it.

To obtain a Local Privilege Escalation, the attacker needs to properly choose the target file that will be overwritten. The target file, in fact, has to be a file that is executed automatically with administrative rights.

“PowerPool’s developers chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe. This is the legitimate updater for Google applications and is regularly run under administrative privileges by a Microsoft Windows task.” continues the analysis.

PowerPool’s attack vector is spear-phishing messages, ESET researchers pointed out that the same group was also responsible for a spam campaign spotted by SANS in May that used Symbolic Link (.slk) files to spread malicious codes.

PowerPool group

The group used a multi-stage malware, the first stage is a backdoor used for a reconnaissance activity. It determines if the infected machine is interesting for the attackers, in this case, the malicious code downloads a second stage backdoor that supports various commands such as uploading and downloading files, killing processes, and listing folders.

The analysis of the second-stage backdoor allowed the researchers to determine that the malicious code is not “a state-of-the-art APT backdoor.”

“Once the PowerPool operators have persistent access to a machine with the second-stage backdoor, they use several open-source tools, mostly written in PowerShell, to move laterally on the network.” continues the report.

The tools used by the attackers include PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” ESET concluded.

Further details, including the IoCs are reported in the analysis published by ESET.


Windows Zero-Day Exploited in Targeted Attacks by 'PowerPool' Group
6.9.2018 securityweek
Exploit

A threat group tracked by security firm ESET as “PowerPool” has been exploiting a Windows zero-day vulnerability to elevate the privileges of a backdoor in targeted attacks.

The flaw was disclosed on August 27 by a researcher who uses the online moniker “SandboxEscaper.” The security hole was not reported to Microsoft before its details were made public – including a compiled exploit and its source code – as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.

Other members of the industry quickly confirmed the vulnerability, which seems to affect the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. Malicious actors with local access to the targeted device can exploit the flaw to escalate privileges to SYSTEM by overwriting files that should normally be protected by filesystem access control lists (ACLs).

The public exploit has been confirmed to work on 64-bit versions of Windows 10 and Windows Server 2016, with the possibility to adapt it for 32-bit systems as well.

Microsoft has launched an investigation, but it has yet to release a patch or provide mitigations. While the tech giant initially suggested that a fix may be released with its regular Patch Tuesday updates, the company may roll out a patch sooner now that the vulnerability has been exploited in malicious attacks.

In the meantime, 0patch has released an unofficial fix for the vulnerability and CERT/CC’s advisory for the bug describes some mitigations.

According to ESET, the local privilege escalation vulnerability has been exploited by a newly uncovered group it tracks as PowerPool. Based on the security firm’s telemetry and malware samples uploaded to VirusTotal, the threat actor appears to have leveraged the Windows zero-day against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines and Poland.

ESET researchers determined that PowerPool slightly modified the publicly available exploit source code and recompiled it for its attacks.

The hackers, whose possible origins have not been discussed by the security firm, have used the zero-day to overwrite C:\Program Files(x86)\Google\Update\GoogleUpdate.exe, a legitimate updater for Google applications. Since this file is regularly executed in Windows with administrative privileges, overwriting it with their malware has allowed the attackers to obtain elevated permissions on the targeted system.

ESET believes PowerPool attacks begin with a malware-carrying email being sent to the targeted user. While the campaign involving the zero-day appears to be highly targeted, an interesting spam campaign spotted by SANS in May, which used Symbolic Link (.slk) files for malware distribution, was apparently carried out by the same group.

The first stage malware used by PowerPool, which is delivered via the initial emails, is a backdoor designed for reconnaissance purposes. If the infected machine presents an interest to the attackers, the malware downloads a second stage backdoor capable of executing commands on the system, uploading and downloading files, killing processes, and listing folders.

The files downloaded by the second stage malware to compromised devices include several open source tools that allow the attackers to move laterally on the network. The list includes PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

ESET has described this second stage malware as “clearly not a state-of-the-art APT backdoor.”

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” ESET concluded.


Oracle Products Affected by Exploited Apache Struts Flaw
4.9.2018 securityweek 
Exploit

Oracle informed customers over the weekend that some of the company’s products are affected by a critical Apache Struts 2 vulnerability that has been exploited in the wild.

The vulnerability, discovered in the open source development framework by Semmle researcher Man Yue Mo, is tracked as CVE-2018-11776 and it has been classified as critical. It allows an unauthenticated attacker to remotely execute arbitrary code on a targeted server by sending it a specially crafted request.

The existence of the flaw was disclosed on August 22, and despite the availability of only limited technical information, proof-of-concept (PoC) exploits emerged within days.

On around August 27, security firms started seeing attempts to find vulnerable Apache Struts 2 installations, and even attempts to exploit the security hole to deliver a cryptocurrency miner.

Oracle notified customers of CVE-2018-11776 on Saturday and warned that Apache Struts 2 is a component of several of its product distributions. However, the company noted that not all products incorporating Struts 2 are necessarily vulnerable.

“When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system,” Oracle said in its advisory.

The exact list of products impacted by the vulnerability is only available to Oracle customers, but the company revealed last year – when it warned users about another actively exploited Struts 2 flaw – that the framework is used in MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.

Customers have been provided information on the status of each impacted product and the availability of patches. Oracle’s next Critical Patch Update (CPU) is scheduled for October 16.

Apache Struts vulnerabilities can pose a significant risk to organizations. A flaw affecting the framework was exploited in the massive Equifax breach that impacted over 140 million individuals.


Expert publicly disclosed exploit code for Windows Task Scheduler Zero-Day
29.8.2018 securityaffairs
Exploit  Vulnerebility

A security researcher has publicly disclosed the details of zero-day privilege escalation vulnerability affecting all Microsoft’s Windows operating systems
A security researcher who handles the Twitter account @SandboxEscaper has disclosed the details of zero-day privilege escalation vulnerability affecting Microsoft’s Windows operating systems that could be exploited by a local attacker or malicious program to obtain system privileges on the vulnerable system.

SandboxEscaper
@SandboxEscaper
Here is the alpc bug as 0day: https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar … I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

7:07 PM - Aug 27, 2018

SandboxEscaper/randomrepo
Repo for random stuff. Contribute to SandboxEscaper/randomrepo development by creating an account on GitHub.

github.com
1,338
834 people are talking about this
Twitter Ads info and privacy
According to the expert who disclosed the flaw, the issue also affects a “fully-patched 64-bit Windows 10 system.”

The vulnerability resides in the Windows’ task scheduler program and ties to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

The Advanced Local Procedure Call (ALPC) is an undocumented Inter-Process Communication facility provided by the Microsoft Windows kernel for lightweight (or local) Inter-Process Communication (IPC) between processes on the same computer.

The Advanced local procedure improves high-speed and secure data transfer between one or more processes in the user mode.

Windows zero-day
SandboxEscaper posted a proof-of-concept (PoC) exploit code for the zero-day that was published on GitHub.

The vulnerability was verified by the CERT/CC analyst Will Dormann that posted the following message:

Will Dormann
@wdormann
I've confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM!

SandboxEscaper
@SandboxEscaper
Here is the alpc bug as 0day: https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar … I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

12:08 AM - Aug 28, 2018
193
132 people are talking about this
Twitter Ads info and privacy
The CERT/CC published a security advisory explaining that It could be exploited by a local user to obtain elevated (SYSTEM) privileges.

“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code” reads the alert issued by the CERT/CC.

The flaw received a CVSS score of 6.4 to 6.8.
The CERT/CC confirmed that currently there is no workaround for the flaw. The Advanced Local Procedure Call (ALPC) interface is a local system, this limit the impact of the vulnerability. Experts warn of malware that could include the PoC code to gain system privileges on Windows systems.

SandboxEscaper did not report the zero-day to Microsoft, now all Windows systems are vulnerable until the Company will release security updates for its systems.

At the time of writing it is still unclear if the Windows zero-day effects all supported Windows versions, some experts, in fact, said that the PoC code doesn’t work on Windows 7.

Microsoft is expected to address the vulnerability in September security Patch Tuesday, that is scheduled for September 11.


Exploit Published for Windows Task Scheduler Zero-Day
29.8.2018 securityweek
Exploit

Details of an unpatched vulnerability in Microsoft’s Windows 10 operating system were made public on Monday, via Twitter.

Information on the bug and a link to proof-of-concept (PoC) code hosted on GitHub was posted by a security researcher who claims to be frustrated with Microsoft’s bug submission process.

The researcher’s Twitter account was no longer accessible shortly after she posted the tweet, but it’s unclear whether it was suspended or deleted. The flaw, however, has been already confirmed by security researchers, including Will Dormann, a vulnerability analyst at CERT/CC.

Will Dormann
@wdormann
I've confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM!

SandboxEscaper
@SandboxEscaper
Here is the alpc bug as 0day: https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar … I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

12:08 AM - Aug 28, 2018
193
132 people are talking about this
Twitter Ads info and privacy

The bug, Dormann notes in a CERT/CC alert, is a local privilege escalation vulnerability in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) interface. By exploiting the flaw, a local user could obtain SYSTEM privileges.

The ALPC interface is a Windows-internal mechanism that works as an inter-process communication system.

A Windows-internal mechanism, the ALPC interface enables client processes within the OS to request information or action from server processes running within the same OS.

“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. The CERT/CC is currently unaware of a practical solution to this problem,” the CERT/CC alert reads.

What is yet unclear, however, is whether the vulnerability impacts all supported Windows versions, including 32-bit variants. Some researchers say the published PoC doesn’t appear to work on Windows 7, for example.

The public availability of a PoC for this privilege escalation bug is expected to stir the interest of cyber-criminals, and it might not be long before weaponized versions emerge.

An attacker using spear-phishing or other social engineering techniques could trick the victim into executing a malicious app capable of exploiting the bug.

"The Microsoft zero-day is a serious issue, as it impacts fully patched ubiquitous software -- Windows 10 -- which means almost all organizations are vulnerable to it," Glen Pendley, deputy CTO at Tenable, told SecurityWeek. "The question is not whether a patch will be released, but when. What you do between now and then is largely what will determine your level of exposure and risk. Organizations that take a defense in depth approach and those that are closely attuned to their system configurations and user behavior are the best positioned to reduce their overall risk."

Contacted by SecurityWeek to get more information on its patching plans for this bug, a Microsoft spokesperson said,"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule."

*Updated with comments from Microsoft, Tenable


Exploit for Recent Critical Apache Struts Vulnerability Published
28.8.2018 securityweek
Exploit  Vulnerebility

Exploit code for a Critical remote code execution vulnerability in Apache Struts 2 was published on GitHub within days after the bug was addressed last week.

Tracked as CVE-2018-11776, the security flaw was found to impact Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the popular Java framework.

In their advisory, code analysis company Semmle, which discovered the flaw and reported it to the Apache Software Foundation in April, explains that the bug affects commonly-used endpoints of Struts, which are likely to be exposed.

To make matters worse, the issue is related to the Struts OGNL (Object-Graph Navigation Language) language, which hackers are often familiar with.

To exploit the bug, attackers need to inject their own namespace as a parameter in an HTTP request. The value of that parameter, the code analysis company reveals, is insufficiently validated by the Struts framework, and can be any OGNL string.

Although only limited details on the vulnerability were made public, a working proof-of-concept (PoC) was published less than two days after the Apache Software Foundation released their advisory.

On Friday, threat intelligence provider Recorded Future revealed that, in addition to the PoC and a Python script that allows for easy exploitation of the vulnerability, they also detected “chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability.”

CVE-2018-11776, Recorded Future says, is even easier to exploit compared to last year’s CVE-2017-5638, the Apache Struts exploit that was at the heart of the Equifax breach. There are hundreds of millions of potentially vulnerable systems, but identification could be challenging, as many are backend application servers.

“The new Apache Struts vulnerability is potentially even more damaging than the one from 2017 that was used to exploit Equifax. Unlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim's Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it,” Allan Liska, Senior Security Architect, Recorded Future, said in an emailed comment to SecurityWeek.

Semmle, on the other hand, won’t confirm whether the PoC is working. However, the company does warn that the published code could provide attackers with a quick way into enterprise networks.

“There is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can’t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure,” Semmle CEO, Oege de Moor, told SecurityWeek via email.

“The Equifax breach happened not because the vulnerability wasn’t fixed, but because Equifax hadn’t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn’t had the time to update their software, will now be at even greater risk,” de Moor said.


North Korean Hackers Exploit Recently Patched Zero-Day
21.8.2018 securityweek  BigBrothers  
Exploit 

North Koren hackers are exploiting a recently patched vulnerability in Microsoft's VBScript engine vulnerability in live attacks, security researchers say.

Tracked as CVE-2018-8373, the bug was identified as a memory corruption issue that would result in remote code execution in the context of the current user. The flaw resides in the manner in which the VBScript scripting engine handles objects in memory in Internet Explorer.

“[A]n attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft said.

Impacting the VBScript engine in the latest versions of Windows, the vulnerability does not affect Internet Explorer 11, as “VBScript in Windows 10 Redstone 3 (RS3) has been effectively disabled by default,” Trend Micro, the security firm that discovered the flaw last month, says.

The security company also notes that the discovered exploit sample uses the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code execution flaw that Microsoft addressed in May.

The method for exploiting CVE-2018-8373 and running shellcode is also similar to the CVE-2018-8174 exploits, which further suggests that the same author is behind both. The creator used a new use-after-free (UAF) vulnerability in vbscript.dll, which remained unpatched in the latest VBScript engine, Trend Micro says.

Last week, Dustin Childs, communications manager for the ZDI, told SecurityWeek that the similarities between these flaws seem more than coincidental. He also pointed out that further exploits could emerge from the same group.

While Trend Micro did not attribute the attacks to a specific actor, Qihoo 360’s security researchers claim that the North Korean threat actor known as DarkHotel is behind both exploits.

The researchers say the domain name used by the zero-day exploit is the same they observed in May being used for CVE-2018-8174’s exploitation and that it is indeed linked to DarkHotel.

Qihoo 360, which has been tracking DarkHotel for a while, appears confident that this is the threat actor that has been exploiting CVE-2018-8373 since before it was patched.

“Based on our analysis, this vulnerability can be steadily exploited. Moreover, since it is the second VB engine exploit found in the wild this year, it is not far-fetched to expect other vulnerability findings in the VB engine in the future,” Trend Micro said.

First detailed in 2014, the DarkHotel advanced persistent threat (APT) actor was recently said to be connected to the infamous Lazarus Group. Based on the reuse of code between various malware families attributed to North Korean actors, Intezer and McAfee concluded that most of the malicious tools link back to Lazarus.


Faxploit – Critical flaws potentially exposes millions of HP OfficeJet Printers to hack
14.8.2018 securityaffairs
Exploit

A vulnerability in HP OfficeJet all-in-one inkjet printer can be exploited by attackers to gain control of the printer and use it as entry point into the network environment.
A critical vulnerability potentially exposes millions of HP OfficeJet printers to hack, according to the experts at Check Point the attackers only need to send a fax to the vulnerable printers.

The researchers discovered two critical vulnerabilities in HP’s implementation of a widely used fax protocol implemented in all its OfficeJet all-in-one inkjet printers.

The vulnerabilities affect the HP all-in-one printers that support Group 3 (G3) fax protocols that are part of the ITU T.30 standard for sending and receiving color faxes.

OfficeJet HP flawCheckpoint experts reported the flaws to HP and shared details for the two vulnerabilities at the DEF CON conference.

The researchers devised an attack technique dubbed Faxploit, they demonstrated that once the attackers have compromised a fax machine they could leverage the NSA exploit EternalBlue for lateral movements.

“The below diagram shows the Faxploit attack flow, following which a threat actor could then move laterally across your network to access your organization’s most confidential information.” reads the blog post published by CheckPoint Security.

“The crucial element to notice is that whereas most attacks today penetrate through an internet connection to enter an organization’s network, using this vulnerability in the fax protocol even a network that is completely detached would be vulnerable. This is due to the attack being channeled through a route that until now was considered to be secure and need not have protection layers applied.”

HP OfficeJet all-in-one inkjet printer 2

The experts explained that attackers run several type of attack, such as stealing documents or tampering with the fax content by replacing the documents received with altered versions of them.

The fax flaws could be exploited by attackers during the receiving handshake.

“We could reach this vulnerability by sending a huge XML (> 2GB) to the printer over TCP port 53048 thus triggering a stack-based buffer overflow. Exploiting this vulnerability then gave us full control over the printer, meaning that we could use this as a debugging vulnerability,” researchers wrote.

The expert explained that when sending a fax the OfficeJet printer it is used the TIFF image format. The sender’s fax broadcasts the .TIFF meta-data for the receiving fax machine to set transmission parameters such as page sizes. According to the ITU T.30 standard protocol, the receiver’s fax will have to analyze meta-data for data continuity and sanitation, but exports discovered that by sending a color fax, they noticed the sending/receiving machines used the image format .JPG instead of .TIFF.

“When we examined the code that handles the colourful faxes we found out another good finding: the received data is stored to a .jpg file without any check. In contrast to the .tiff case in which the headers are built by the receiver, in the .jpg case we controlled the entire file,” researchers noted. “When the target printer receives a colourful fax it simply dumps its content into a .jpg file (“%s/jfxp_temp%d_%d.jpg” to be precise), without any sanitation checks.”

The vulnerable OfficeJet printers used a custom JPEG parser to parse the fax data, instead of using libjpeg, the developers implemented their own JPEG parser.

The experts examined the parser and discovered two stack-based buffer overflow vulnerabilities.

HP also released security patches for both vulnerabilities tracked as CVE-2018-5925 and CVE-2018-5924.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.


Beware the Fax Machine: Some Hackers Target Old Gadgets
13.8.2018 securityweek
Exploit

What could be less threatening than the old office fax machine? Nothing. That's precisely why it's used as a backdoor for hackers to get into an organization's network.

Check Point, a cyber security firm in Israel, said Sunday that their research discovered security flaws in tens of millions of fax machines.

The hack works by sending an image file through the phone line — or a file that the fax machine thinks is an image file — and that is coded to contain malicious software. When a company receives the photo, the image is decoded and uploaded into the fax-printer's memory, allowing the hackers to take over the device and spreading the malicious code through the network.

Hackers could infiltrate a network by exploiting all-in-one printer-fax machines.

"Many companies may not even be aware they have a fax machine connected to their network, but fax capability is built into many multifunction office and home printers," said Yaniv Balmas, group manager of security research at Check Point.

The researchers focused on Hewlett Packard's OfficeJet Pro all-in-one fax printers — the global market leader for fax machines. Hewlett Packard quickly fixed the issue — a patch is available on their support page — but the same vulnerabilities are present in most fax machines, including those by Canon and Epson.

Many machines are too old to even update. That means it will be difficult for companies to stop hackers from entering their system.

Globally, businesses use an estimated 45 million fax machines. Faxes are still widely used in healthcare, banking, and law, sectors in which highly sensitive data is stored. In the U.S. medical sector, 75 percent of all communications are sent by fax.

To prevent organizations' networks from becoming compromised, experts recommend that companies check if their fax machines can be updated, or place fax devices on a secure network that is separate from the networks that carry sensitive information.


MikroTik Routers Exploited in Massive Crypto-Mining Campaign
4.8.2018 securityweek
Exploit  Cryptocurrency

Attackers managed to infect tens of thousands of MikroTik network routers in Brazil with code that injects the CoinHive in-browser crypto-mining script into web traffic.

The attack emerged on July 31, when more than 70,000 MikroTik devices in the country started displaying the same behavior. With all using the same CoinHive site-key, it became apparent that a single actor was behind the attack.

No zero-day was used in this massive attack, as MikroTik, a Latvian router manufacturer, patched the targeted vulnerability back in April 2018. The issue, however, is that the vulnerable devices haven’t been updated in a timely manner.

At the moment, there are “hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,” Trustwave’s Simon Kenin, the researcher who analyzed the attack, reveals.

The employed exploit provides the attacker with the ability to read files from a vulnerable MikroTik router and get unauthenticated remote admin access to the device.

As part of this attack, however, the actor didn’t run a malicious executable on the router, but leveraged the device’s functionality to inject the CoinHive script into every web page the user visited.

For that, the attacker created a custom error page with the CoinHive script in it, which resulted in the user landing on that page when encountering any kind of error page while browsing. The attack works in both directions, meaning that users who visit websites behind those infected routers are impacted as well.

Initially, users would encounter the CoinHive script on every visited page, likely because the attacker, who appears to have high understanding of how the MikroTik routers work, might have built code to inject the script in every page.

In addition to modifying the device’s settings to serve the crypto-mining error page, the attacker also created a backdoor on the compromised devices. Kenin also noticed that the script has been updated several times during his investigation.

“The attacker seems to be adding more cleanup commands to leave a smaller footprint and reduce risk of being detected,” the researcher notes.

Kenin also noticed that, although the attack was initially focused on Brazil, MikroTik devices in other countries started being infected as well. In fact, he eventually discovered that over 170,000 routers globally appeared to have the CoinHive site-key.

By targeting MikroTik’s vulnerable carrier-grade router devices, the attackers ensured a broad reach: impacted are not only users behind the routers, but also the visitors of any website hosted behind such a router.

“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” Kenin points out.

While the routers were exploited to deliver a crypto-mining payload, the devices coudl have been exploited for other objectives, Sean Newman, Director Product Management at Corero Network Security, sold SecurityWeek. "From a DDoS perspective, the scale of processing power available in such devices could easily be leveraged for a single attack which could extend to tens of terabits per second, or many smaller attacks if they were used as part of a DDoS for hire service," Newman said.


Advanced Malvertising Campaign Exploits Online Advertising Supply Chain
31.7.2018 securityweek
Exploit  Virus

Malvertising Campaign Steals Traffic From 10,000 Hacked WordPress Sites and Exploits the Online Advertising Supply Chain

Malvertising is neither a new nor insignificant threat -- nor is there any easy solution to stop it. It is the abuse of the online advertising industry to deliver malware disguised as or hidden within seemingly innocuous advertisements.

Researchers at Check Point have discovered what they describe as the infrastructure and methods used in a large ‘malvertising’ and banking Trojan campaign, which delivers malicious adverts to millions worldwide through the HiBids online advertising platform.

The campaign starts with a threat actor that Check Point describes as 'Master134'. He sold stolen web traffic from 10,000 hacked WordPress sites to, say the researchers, "AdsTerra, the real time bidding (RTB) ad platform, who then sold it to Resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds)."

The researchers told SecurityWeek, "The traffic is stolen from the compromised WordPress sites via a known exploit on that platform, which enables the actor to insert a redirection to his malicious infrastructure."

Once this traffic has passed through AdsTerra, the resellers sell it to the highest bidding advertiser. Unfortunately, the return value on malware distribution is (almost) immediate via malwares such as ransomwares, miners, and banking trojans. Due to the large return on those malwares, malicious actors can usually afford to out-bid legitimate publishers.

"In this way," say the researchers, "cyber criminals are abusing the online advertising ecosystem, using it to bid alongside legitimate advertisers, like Nike or Coca Cola, but placing higher bids in order to have the ad-networks select their malware-laden ads to display on thousands of publishers’ websites instead of clean, legitimate ads."

Check Point does not provide details of the malware being distributed through this particular campaign, nor any of the publications that receive and unwittingly transmit the malware to innocent visitors. It merely states, "The ads often contain malicious code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe’s Flash Player, so that the user gets infected by ransomware, keyloggers, and other types of malware simply by visiting a site hosting the malicious link."

Luis Corrons, security evangelist at Avast, told SecurityWeek that past malvertising campaigns "have affected some of the biggest news sites, such as The New York Times, Huffington Post, Forbes, The Daily Mail and more. In order to go undetected, some of these attacks just last a few seconds each wave, to make it harder to track the source of the infection. JavaScript Monero miner even got to YouTube through an ad network last January."

SecurityWeek asked AdsTerra for a comment on malvertising and the Check Point report, but we have so far received no reply to our email. Of the two telephone numbers we were able to find, one is a mobile number (supposedly in Singapore) that was switched off, while the other (supposedly in Gibraltar) just terminated. AdsTerra, according to its website, is headquartered in Limassol, Cyprus; while Europages lists an address in Gibraltar.

Online advertiser reviews, however, provide a glowing endorsement for the organization; with one saying that AdsTerra is particularly strong on popunder adverts. Popunders are among the sneakiest of advertisements. Rather than run the risk of being closed by the user as soon as it is seen, popunders open in a new window underneath the current browser window and remain unseen until the focus window is closed. "That’s one of the main streams of malvertising," Check Point told SecurityWeek.

There is no easy defense against malvertising. Ad blockers work, but more and more publishers are blocking access to their pages when they detect a blocker. Users must either pay a subscription for no adverts, accept they cannot view the page they want, or receive the adverts that could potentially contain malware or malicious links.

Greater responsibility -- perhaps even legal liability -- on the advertiser would help. Corrons suggests, "A content check should be performed by the ad network (on both the advertisements and the landing pages)." He would also like to see greater active monitoring, background checking on the publishers, and legal contracts with high fines if the content is not secure.

Little of this currently happens. "Due to the really fast transactions, and the sheer volume of advertisements, we believe that there is no real-time monitoring by humans," Check Point told SecurityWeek. "Resellers need to know that their customers are 'bad guys', but most of them preform no vetting of their customers."

Trusting to luck is not a good security defense; but it seems that the most many users can do against malvertising is use an ad blocker, maintain an up-to-date anti-virus solution, minimize local vulnerabilities with judicious patching -- and trust to luck when all else fails.


Korean Davolink routers are easy exploitable due to poor cyber hygene
25.7.2018 securityaffairs
Exploit

Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected, but the password is hardcoded in the HTLM of login page.
The story started in 2018 when Anubhav noticed a very basic flaw the routers of the Korean vendor Davolink.

These Davolink dvw 3200 routers have their login portal up on port 88, the access is password protected.

Analyzing the code of the page the expert has noticed a function named “clickApply” that included the password in standard base 64 coding.

function clickApply(sel)
{
var user_passwd="YWRtaW4=";
var super_passwd="(null)";
document.forms[0].http_passwd.value = encode(document.forms[0].tmp_http_passwd.value);

Davolink dvw
Scanning the Internet for similar devices using the search engine Zoomeye, he discovered more than 50 routers in Korea are exposed only and are accessible providing the hardcoded password.
Davolink
The expert reported the issue to the vendor that quickly acknowledged it and responded that they have discontinued the product. The vendor added that a working patch is already available.

The expert published the exploit code on exploit-db.

“Many IoT vendors are not doing the basics right as keeping the password in the HTML source, it is a very basic security issue” concluded Anubhav

“and it is a relevant issue as users in Korea are using it”


Sony addresses remotely exploitable flaws in Sony IPELA E Network Cameras
23.7.2018 securityaffairs
Exploit

Sony fixed 2 remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code.
Sony addressed two remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code on affected devices.

The first vulnerability, tracked as CVE-2018-3937, is a command injection issue that affects the measurementBitrateExec features implemented in the IPELA E Series Network Camera.

The vulnerability was reported by the researchers Cory Duplantis and Claudio Bozzato from Cisco Talos. An attacker could execute arbitrary code by sending specially crafted HTTP GET request to vulnerable devices.

“An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.

The experts explained that the devices fail to check on the server address while parsing the input measurement string. The attacker can provide any string as the server address and it will be executed via system.

“While parsing the input measurement string, there isn’t a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address,” continues the experts.

Sony IPELA E

The second issue, tracked as CVE-2018-3938, is a stack buffer overflow that resides in the 802dot1xclientcert.cgi functionality of the Sony IPELA E Series Camera products.

“An exploitable stack buffer overflow vulnerability exists in the “802dot1xclientcert.cgi” functionality of Sony IPELA E Series Camera. A specially crafted POST request can cause a stack buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.

The vulnerability could be exploited by sending specially crafted POST request.

“A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability,” continues the experts.

The 802dot1xclientcert.cgi component is “designed to handle everything related to certificate management for 802.1x.”

The system fails to check the strlen length of the incoming data that is directly copied to a local buffer via memcpy. This means that the attacker can provide content to trigger the stack-based buffer overflow that could allow the attacker to remotely execute commands on the affected device.

Both vulnerabilities effects Sony IPELA E series G5 firmware 1.87.00, the tech giant released an update last week to address them.


RIG Exploit Kit operators leverage PROPagate Injection Technique to deliver Miner
2.7.2018 securityaffairs
Exploit

FireEye reported the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild.
Security experts from FireEye have documented the PROPagate code injection technique that was observed for the first time in a malware distribution campaign in the wild.

The PROPagate code injection technique was first discovered in November 2017 by a Hexacorn security researcher that demonstrated it works on all recent Windows versions and could allow attackers to inject malicious code into other applications.

The expert discovered that it is possible to abuse legitimate GUI window properties (UxSubclassInfo and CC32SubclassInfo) utilized internally by SetWindowSubclass function to load and execute malicious code inside other applications.

Back then, a security researcher found that an attacker could abuse the SetWindowSubclass API, a function of the Windows operating system that manages GUIs, to load and execute malicious code inside the processes of legitimate apps.

Malware authors took several months to adopt the PROPagate code injection technique in a live malware campaign.

Recently the experts at FireEye uncovered a campaign leveraging RIG Exploit Kit delivering Monero miner via the PROPagate code injection technique.

The operators of the RIG exploit kit are hijacking traffic from legitimate sites using a hidden iframe and redirects them to a page hosting the exploit kit. The RIG exploit kit uses three JavaScripts snippets, each of which uses a different technique to deliver the malicious payload. Thre three techniques spread the malware:

via malicious JavaScript;
via Flash;
via Visual Basic script;
Below the attack chain described by FireEye:

“The attack chain starts when the user visits a compromised website that loads the RIG EK landing page in an iframe. The RIG EK uses various techniques to deliver the NSIS (Nullsoft Scriptable Install System) loader, which leverages the PROPagate injection technique to inject shellcode into explorer.exe.” reads the analysis published by FireEye.

“This shellcode executes the next payload, which downloads and executes the Monero miner. “

PROPagate injection technique

The analysis of the payload allowed the experts to determine that threat actors have used multiple payloads and anti-analysis techniques to bypass the analysis environment.

PROPagate code injection

“Although we have been observing a decline in Exploit Kit activity, attackers are not abandoning them altogether.” In this blog post, we explored how RIG EK is being used with various exploits to compromise endpoints. We have also shown how the NSIS Loader leverages the lesser known PROPagate process injection technique, possibly in an attempt to evade security products.” concluded FireEye.


Zerodium offers up to $500,000 for Linux Zero-Day exploits
1.7.2018 securityaffairs
Exploit

The sale of Zero-day exploits is a prolific business, zero-day broker Zerodium offers rewards of up to $500,000 FreeBSD, OpenBSD, NetBSD, Linux Zero-Days.
The sale of Zero-day exploits is a prolific business that most people totally ignore, to better understand its evolution let’s analyze together the offer of the popular exploit broker Zerodium. To have a clear idea about the company mission let’s visit the website.

“ZERODIUM pays premium bounties and rewards to security researchers to acquire their original and previously unreported zero-day research affecting major operating systems, software, and devices.” reads the company web sites. “While the majority of existing bug bounty programs accept almost any kind of vulnerabilities and PoCs but pay very low rewards, at ZERODIUM we focus on high-risk vulnerabilities with fully functional exploits, and we pay the highest rewards on the market.”

Zerodium, like other zero-day brokers, buys zero-days and sell them to government agencies and law enforcement, but many privacy advocates fear that these flaws could be used by surveillance firms that sell their products to authoritarian regimes.

The company is offering rewards of up to $500,000 for zero-day exploits in UNIX-based operating systems, including OpenBSD, FreeBSD, NetBSD. The same offer is for exploits developed form popular Linux distros such as Ubuntu, CentOS, Debian, and Tails.

Prices for zero-day vary for several factors, including the market shares of the affected platforms/systems (Windows zero-day exploits for Windows are usually more valuable than Linux ones) and level of user interaction requested for the exploitation of the flaws (no click, one click, two clicks, etc.).

Other factors include the reliability for the zero-day exploit, the number of vulnerabilities that attackers need to chain to exploit the flaw, the success rate, and the OS configuration that it is necessary for the exploitation.

The rewards for Linux zero-days continues to increase, a trend already observed since February, when rewards going as high as $45,000.
zerodium Zero-day exploits

Zerodium

@Zerodium
We're currently acquiring #0day exploits (privilege escalation or RCE) for the following operating systems: OpenBSD, FreeBSD, NetBSD, Ubuntu, CentOS, Debian, and Tails. For related inquiries or submissions, contact us: https://zerodium.com/submit.html

6:17 PM - Jun 27, 2018
51
39 people are talking about this
Twitter Ads info and privacy
The company shared the latest zero-day acquisition drive as part of its ordinary zero-day acquisition program.

The acquisition drive includes special offers, usually associated with higher fees, for specific zero-day exploits.

Zerodium is still looking for remote code execution or local privilege escalation Linux and BSD systems, it offers variable rewards that can go up to $500,000.

The firm payouts for Linux privilege escalation zero-day exploits range from $10,000 to $30,000, while a local privilege escalation (LPE) in Linux could be paid up to $100,000.

Rewards for Linux remote code execution exploits can range from $50,000 to $500,000, zero-days for CentOS and Ubuntu are most wanted.

Across the months, Zerodium published several drive searching for zero-day exploits targeting iOS, Adobe Flash Player, the Tor Browser, mobile IM apps, and Android.

zerodium Zero-day exploits

In the past Zerodium offered up to $1.5 million for an iOS zero-day exploit.

Looking at the price-list for zero-days we can notice that exploit codes for server environments, Linux have high rewards, but mobile exploits remain the most expensive in the zero-day market.

Recently a new player emerged in the zero-day market, it is Crowdfense who launched an acquisition program with prizes of $10 million.


Exploit Kits Target Recent Flash, Internet Explorer Zero-Days
13.6.2018 securityweek 
Exploit

Exploit kits (EKs) might not be as dominant as they were several years ago, but they continue to exist and most of them already adopted exploits for recently discovered Flash and Internet Explorer zero-day vulnerabilities.

The first of the flaws is CVE-2018-4878, a security bug in Adobe’s Flash Player discovered in late January, when it was exploited by a North Korean hacker group in attacks aimed at individuals in South Korea. Adobe released a patch within a week after the bug became public, but it continued to be targeted in numerous other attacks.

The second is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows, and which was addressed with the May 2018 Patch Tuesday updates. The bug is an update to a 2-year-old VBScript vulnerability (CVE-2016-0189) that continues to be abused in attacks.

The recently patched Flash Player zero-day tracked as CVE-2018-5002, which has been exploited in targeted attacks, has yet to be added to EKs.

“Since both Flash and the VBScript engine are pieces of software that can be leveraged for web-based attacks, it was only natural to see their integration into exploit kits,” Malwarebytes points out.

Within days after a proof of concept became publicly available, RIG adopted the exploit for the new VBScript engine flaw, becoming the first EK to do so. The toolkit also added an exploit for said Flash bug, and was observed pushing payloads such as Bunitu, Ursnif, and the SmokeLoader backdoor.

Magnitude continues to focus on South Korea and is now targeting both CVE-2018-4878 and CVE-2018-8174. The toolkit is considered one of the most sophisticated EKs on the market, courtesy of its own Magnigate filtering, a Base64-encoded landing page, and fileless payload.

Another active EK is GreenFlash Sundown. Rather elusive in nature, it “continues to strike via compromised OpenX ad servers” and now targets CVE-2018-4878 too. Usually delivering the Hermes ransomware, it was recently observed serving a cryptocurrency miner.

The GrandSoft EK, which only targets Internet Explorer and also appears in smaller distribution campaigns, is still relying on the older CVE-2016 -0189 Internet Explorer exploit. Lacking the obfuscation EK landing pages usually feature, the toolkit was observed delivering payloads such as the AZORult stealer.

“There is no doubt that the recent influx of zero-days has given exploit kits a much-needed boost. We did notice an increase in RIG EK campaigns, which probably resulted in higher than usual successful loads for its operators. While attackers are concentrating on Microsoft Office–related exploits, we are observing a cascading effect into exploit kits,” Malwarebytes concludes.


Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit
8.6.2018 thehackernews 
Exploit

Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago.
Security researcher Troy Mursch scanned the whole Internet and found over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repetitive warnings.


Drupalgeddon2 (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites.
For those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user.
Since Drupalgeddon2 had much potential to derive attention of motivated attackers, the company urged all website administrators to install security patches immediately after it was released in late March and decided not to release any technical details of the flaw initially.

However, attackers started exploiting the vulnerability only two weeks after complete details and proof-of-concept (PoC) exploit code of Drupalgeddon2 was published online, which was followed by large-scale Internet scanning and exploitation attempts.


Shortly after that, we saw attackers developed automated exploits leveraging Drupalgeddon 2 vulnerability to inject cryptocurrency miners, backdoors, and other malware into websites, within few hours after it's detailed went public.
Mursch scanned the Internet and found nearly 500,000 websites were running on Drupal 7, out of which 115,070 were still running an outdated version of Drupal vulnerable to Drupalgeddon2.
While analyzing vulnerable websites, Mursch noticed that hundreds of them—including those of Belgium police department, Colorado Attorney General office, Fiat subsidiary Magneti Marelli and food truck locating service—have already been targeted by a new cryptojacking campaign.
Mursch also found some infected websites in the campaign that had already upgraded their sites to the latest Drupal version, but the cryptojacking malware still existed.
We have been warning users since March that if you are already infected with the malware, merely updating your Drupal website would not remove the "backdoors or fix compromised sites." To fully resolve the issue you are recommended to follow this Drupal guide.


Adobe fixed the CVE-2018-5002 Flash Zero-Day exploited in targeted attacks in the Middle East

7.6.2018 securityaffairs Exploit

Adobe has recently fixed several vulnerabilities, including the CVE-2018-5002 Flash Zero-Day exploited in targeted attacks in the Middle East
Adobe has released security updates for Flash Player that address four vulnerabilities, including a critical issue (CVE-2018-5002) that has been exploited in targeted attacks mainly aimed at entities in the Middle East.

The CVE-2018-5002 vulnerability, reported by researchers at ICEBRG and Qihoo 360 and Tencent, is a stack-based buffer overflow that can be exploited by attackers arbitrary code execution.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.171 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash Player content distributed via email.”

The researcher did not disclose technical details of the vulnerability, but Adobe confirmed that the zero-day was exploited in targeted attacks against Windows users.

Attackers launched spear phishing attacks using messages with weaponized Office documents (Excel spreadsheet named “salary.xlsx) that contain specially crafted Flash content.

“The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers. This attack mainly targets the Middle East.” reads the analysis published by Qihoo 360.

CVE-2018-5002 zero-day Adobe Flash player

The Flash Player 30.0.0.113 version also addresses the following vulnerabilities:

CVE-2018-4945 – a critical type confusion vulnerability that can lead to code execution, it was reported by researchers at Tencent.
CVE-2018-5000 – an “important” severity integer overflow that can lead to information disclosure, it was reported anonymously through Trend Micro’s Zero Day Initiative (ZDI).
CVE-2018-5001 – an “important” out-of-bounds read flaw that can lead to information disclosure, it was reported anonymously through Trend Micro’s Zero Day Initiative (ZDI).
This is the second zero-day discovered in 2018, the first Adobe zero-day, tracked as CVE-2018-4878, was patched in February after it was exploited by North Korea-linked nation-state hackers in attacks aimed at South Korea. The flaw was later exploited by different cybercrime gangs.

According to the analysis published by Qihoo 360, attackers were preparing the campaign recently detected at least since February. The C&C domain appears as a job search website in the Middle East and its name leads the experts into believing that the target is located in Doha, Qatar.

“Through analysis, we can see that the attack used a 0-day vulnerability regardless of the cost. The attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack. The detailed phishing attack content was also tailored to the attack target. All clues show this is a typical APT attack. We suggest all relevant organizations and users to update their Flash to the latest versions in a timely manner. ” concludes Qihoo 360.


Experts noticed an ongoing activity involving the RIG Exploit Kit to deliver the Grobios Trojan
28.5.2018 securityaffairs 
Exploit

Malware researchers from FireEye recently noticed an interesting ongoing activity involving the infamous RIG Exploit Kit (EK) to deliver the Grobios Trojan.
Security experts highlighted several times the decline of the exploit kit activity after the disappearance of the Angler and Nuclear exploit kits in 2016.
Anyway, researchers at FireEye periodically observe significant developments in this space and recently noticed an interesting ongoing activity involving the infamous RIG Exploit Kit (EK).

The RIG Exploit Kit has been recently involved in the distribution of the Grobios Trojan, in the following image is reported the infection chain.

RIG Exploit Kit Grobios campaign

“We first observed redirects to RIG EK on Mar. 10, 2018, from the compromised domain, latorre[.]com[.]au, which had a malicious iframe injected to it.” reads the analysis published by FireEye.

“The iframe loads a malvertisement domain, which communicates over SSL and leads to the RIG EK landing page that loads the malicious Flash file”. “When opened, the Flash file drops the Grobios Trojan.”

Malware researchers said the Grobios Trojan implements several evasion techniques and uses various persistence mechanisms to make hard for victims to uninstall the threat. The malware implements the following techniques to gain persistence:

It delivers a copy of itself into the %APPDATA% folder (i.e. %APPDATA%\Google\v2.1.13554\<RandomName>.exe.), masquerading as a version of legitimate application installed on the target system. It creates an Autorun registry key and a shortcut in the Windows Startup folder.
It drops multiple copies of itself in subfolders of a program at the path %ProgramFiles%/%PROGRAMFILES(X86)%, masquerading as a different version of the installed program, and sets an Autorun registry key or creates a scheduled task.
It drops a copy itself in the %Temp% folder, and creates a scheduled task to run it.
The malware also uses multiple anti-debugging, anti-analysis and anti-VM techniques to evade the detection.

Once completed a series of checks to detect the VM and malware analysis environment, the Grobios Trojan connects to the command and control (C2) server to receive commands.

“In an effort to evade static detection, the authors have packed the sample with PECompact 2.xx.” continues the analysis.

“The unpacked sample has no function entries in the import table. It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings.”

Once infected the system, the malware also creates two scheduled tasks.

Experts highlighted that the malware protects its copy in the %TEMP% folder with (Windows Encrypted File System) EFS.

The analysis of the code also revealed the presence of two hardcoded obfuscated C2s.

“Despite the decline in activity, exploit kits still continue to put users at risk – especially those running older versions of software. Enterprises need to make sure their network nodes are fully patched.” concluded FireEye.

Further details including the IoCs for the threat are available in the report.


Nethammer—Exploiting DRAM Rowhammer Bug Through Network Requests
25.5.2018 thehackernews  
Exploit
Last week, we reported about the first network-based remote Rowhammer attack, dubbed Throwhammer, which involves the exploitation a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.
However, a separate team of security researchers has now demonstrated a second network-based remote Rowhammer technique that can be used to attack systems using uncached memory or flush instruction while processing the network requests.
The research was carried out by researchers who discovered Meltdown and Spectre CPU vulnerabilities, which is independent of the Amsterdam researchers who presented a series of Rowhammer attacks, including Throwhammer published last week.
If you are unaware, Rowhammer is a critical issue with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row, allowing attackers to change the contents of the memory.
The issue has since been exploited in a number of ways to escalate an attacker's privilege to kernel level and achieve remote code execution on the vulnerable systems, but the attacker needed access to the victim’s machine.
However, the new Rowhammer attack technique, dubbed Nethammer, can be used to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing, which would be possible only with a fast network connection between the attacker and victim.
This causes a high number of memory accesses to the same set of memory locations, which eventually induces disturbance errors in DRAM and causes memory corruption by unintentionally flipping the DRAM bit-value.
The resulting data corruption can then be manipulated by the attacker to gain control over the victim's system.
"To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache," the researcher paper [PDF] reads.
Since caching makes an attack difficult, the researchers developed ways that allowed them to bypass the cache and attack directly into the DRAM to cause the row conflicts in the memory cells required for the Rowhammer attack.
Researchers tested Nethammer for the three cache-bypass techniques:
A kernel driver that flushes (and reloads) an address whenever a packet is received.
Intel Xeon CPUs with Intel CAT for fast cache eviction
Uncached memory on an ARM-based mobile device.
All three scenarios are possible, researchers showed.
In their experimental setup, researchers were successfully able to induce a bit flip every 350 ms by sending a stream of UDP packets with up to 500 Mbit/s to the target system.
Since the Nethammer attack technique does not require any attack code in contrast to a regular Rowhammer attack, for example, no attacker-controlled code on the system, most countermeasures do not prevent this attack.
Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers believe the Rowhammer threat is not only real but also has potential to cause real, severe damage.
For more in-depth details on the new attack technique, you can head on to this paper, titled "Nethammer: Inducing Rowhammer Faults through Network Requests," published by the researchers earlier this week.


More than 800,000 DrayTek routers at risks due to a mysterious zero-day exploit
19.5.2018 securityaffairs
Exploit

DrayTek routers are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some models.
Routers manufactured by the Taiwan-based vendor DrayTek are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some of its routers.

DrayTek confirmed to be aware that hackers are attempting to exploit the zero-day vulnerability to compromise its routers.

Many users reported on Twitter cyber attacks against its routers, in these cases, hackers have changed DNS settings of the routers to point to a server having the 38.134.121.95 IP address on the network of China Telecom.

It is likely attackers are conducting a Man-in-the-Middle attack to redirect users to bogus clones of legitimate sites to steal their credentials.

DrayTek routers zeroday

DrayTek published a security advisory warning of the attacks and providing instructions on how to check and correct DNS settings.

“In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers.” reads the security advisory.

” If you have a router supporting multiple LAN subnets, check settings for each subnet. Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP or DNS server addresses of a server which you have deliberately set (e.g. Google 8.8.8.8). A known rogue DNS server is 38.134.121.95 – if you see that, your router has been changed. “

The company is already working on a firmware updates to patch the issue.

DrayTek published a second advisory that includes the list of devices and firmware versions that it is going to release in the coming days.
Initially, the company suspected that victims of the attacks were using DrayTek routers with default credentials, but one of them clarified that its device wasn’t using factory settings, a circumstance that confirms that attackers are in possession of a zero-day exploit.

Kevin Beaumont

@GossiTheDog
Reports coming in DrayTek routers are being mass hacked and DNS servers changed on them (allows traffic redirection and MITM attacks). https://twitter.com/adamitec/status/997237081461133312 …

11:35 AM - May 18, 2018
69
89 people are talking about this
Twitter Ads info and privacy

Kevin Beaumont

@GossiTheDog
18 May
Reports coming in DrayTek routers are being mass hacked and DNS servers changed on them (allows traffic redirection and MITM attacks). https://twitter.com/adamitec/status/997237081461133312 …

Kevin Beaumont

@GossiTheDog
😢 pic.twitter.com/xMXak22JNG

11:37 AM - May 18, 2018
View image on Twitter
20
15 people are talking about this
Twitter Ads info and privacy

Kevin Beaumont

@GossiTheDog
18 May
Replying to @GossiTheDog
😢 pic.twitter.com/xMXak22JNG

Kevin Beaumont

@GossiTheDog
The running theme so far is remote admin (WAN mgmt) is enabled (on by default) but password had been changed. Either going to be brute force or exploit.

1:24 PM - May 18, 2018
11
See Kevin Beaumont's other Tweets
Twitter Ads info and privacy
Searching for DrayTek routers online with Shodan we can find more than 800,000 connected devices connected online, some of them could be potentially compromised with the mysterious exploit.