Category Archives: (G) Hacking News

Android alert: This new type of rowhammer GPU attack can hijack your phone remotely

Researchers have developed a technique dubbed ‘GLitch’, which uses the WebGL JavaScript graphics library, aided by a device’s integrated GPU, to remotely compromise Android smartphone browsers.

The attack lowers the bar to pulling off so-called rowhammer attacks that flip bits in physical memory to ram through in-built security protections.

The researchers note that most defenses against rowhammer attacks have focused on protecting CPU cores, and show that GPUs that are integrated with CPUs — common on mobile system on chips — are another attack avenue.

With this technique, an attacker could use malicious JavaScript hosted on a website to quickly compromise a smartphone without requiring malware.

A year after rowhammer attacks were first reported in 2014, researchers at Google Project Zero drew attention to vulnerabilities affecting dozens of x86 laptops using bit flips in DRAM to escalate privileges.


The rowhammer problem is the result of shrinking DRAM cells, which has made it harder to isolate memory in one address from corrupting data stored in another.

The work demonstrated that repeated toggling of a DRAM row’s wordline — rowhammering — “stresses inter-cell coupling effects that accelerate charge leakage from nearby rows”, resulting in ‘bit flips’ where a cell’s value changes from 1 to 0 or vice versa.

The two attacks, the GPU timing side-channel and the GPU-driven rowhammering, are then combined with the WebGL application programming interface (API), which is used for rendering web graphics in browsers. The technique also relies on browser support for precision WebGL timers, which allow the side-channel to leak memory addresses.

Meanwhile, the GPU allows for “fast double-sided DRAM access, enabling the rowhammer attack”.

The researchers showed that it was possible to use the technique to bypass the Firefox sandbox on Android.

“The precise timing capabilities provided by WebGL can allow an attacker to determine the difference between cached DRAM accesses and uncached DRAM accesses,” explained CERT researchers Will Dormann and Trent Novelly.

“This can allow an attacker to determine contiguous areas of physical DRAM memory. Knowledge of contiguous memory regions is used in a number of microarchitectural attacks, such as rowhammer.”

Precision timers have been disabled in Chrome and Firefox on Android to mitigate the attacks.

Facebook: We’re not the only ones collecting your data across the web

Following CEO Mark Zuckerberg’s two-day grilling before Congress, Facebook is clarifying to users (some confused congressmen among them) how exactly it collects data from people when they’re not logged into Facebook.

In a blog post published Monday, Facebook Product Management Director David Baser explained the basics of various Facebook tools and products, including social plugins, Facebook Login, Facebook Analytics, Facebook Audience Network and Facebook Pixel.

At the same time, the social media giant took the opportunity to point out that it’s not the only popular technology company collecting information about people from across the web. Baser writes:

Many companies offer these types of services and, like Facebook, they also get information from the apps and sites that use them. Twitter, Pinterest and LinkedIn all have similar Like and Share buttons to help people share things on their services. Google has a popular analytics service. And Amazon, Google and Twitter all offer login features. These companies — and many others — also offer advertising services. In fact, most websites and apps send the same information to multiple companies each time you visit them.

Baser notes that Facebook updated its privacy policy to better explain how it collects data on individuals from across the web and what it does with that information.

He also wrote that Facebook requires websites and apps which use its tools “to tell you they’re collecting and sharing your information with us, and to get your permission to do so.” Still, while Facebook may be making its own privacy policy easier to read, it’s unlikely internet users will be clicking on each site’s cookies policy as they browse the web.

Coinsecure, not so secure: Millions in cryptocurrency stolen, CSO blamed

The Indian cryptocurrency exchange has accused Dr. Amitabh Saxena, the firm’s Chief Strategy Officer (CSO), of stealing 438 Bitcoins (BTC), worth roughly $3.3 million at the time of writing.

According to a complaint filed with local law enforcement in New Delhi by Coinsecure CEO Mohit Kalra and posted on the firm’s website, Saxena allegedly was the only one — aside from the CEO — to hold the keys to the Coinsecure main wallet.

During the extraction of Bitcoin Gold (BTG) and private keys for customer trading, Saxena allegedly claimed that 438 Bitcoins were “lost” through the process.

Kalra is not convinced.

According to the police complaint, Saxena told the CEO on the 9th of April that the funds had been lost “due to some attack.”

“As the private keys are kept with Dr. Amitabh Saxena, we feel that he is making a false story to divert our attention and he might have a role to play in this entire incident,” the complaint reads. “The incident […] does not seem convincing to us.”

Bitdefender Releases FREE GandCrab Ransomware Decryption Tool

The latest ransomware kicking everyone’s ass is Gandcrab, which has infected an estimated 50,000 computers. Fortunately for the victims, Bitdefender has released a free Gandcrab ransomware decryption tool as a part of the No More Ransom Project.


There’s nothing particularly notable about the ransomware itself other than it combines two existing exploit kits to compromise people and it takes payment in Dash, which is a privacy coin, rather than Bitcoin (which is a first as far as I know).

White hats have released a free decryption tool for GandCrab ransomware, preventing the nasty spreaders of the DIY malware from asking their victims for money.

GandCrab has been spreading since January 2018 via malicious advertisements that lead to the RIG exploit kit landing pages or via crafted email messages impersonating other senders, infecting an estimated 53,000 computers in the process.

In exchange for the decryptor, the crooks behind GandCrab ask for a ransom of anywhere between hundreds and hundreds of thousands of dollars in DASH, a crypto-currency that has just made its debut in cybercrime. The developers of GandCrab use a ransomware-as-a-service business model that allows people with little technical skill to get a piece of the action.


The ransomware itself is spreading via malicious adverts and landing pages with Rig Exploit Kit combined with phishing style e-mails copying receipts from popular e-commerce services.

You can find the Gandcrab decryption tool here:

GandCrab Ransomware decryption tool

Ransomware demands tied to GandCrab infections have reached up to an exorbitant $600,000+, orders of magnitude higher than is common in ransomware scams. Ransomware scammers more typically demand between $300 and $500.

The newly developed (free) antidote works for all known versions of the ransomware. The nasty encrypts personal data on victims’ machines.

Security firm Bitdefender developed the GandCrab ransomware decryption tool in collaboration with Europol and Romanian Police. The effort is the latest under the No More Ransom project.

No More Ransom was launched in July 2016, introducing a new level of cooperation between law enforcement and the private sector to fight ransomware.

The last ransomware we wrote about was WannaCry which someone managed to foil by registering a non-existent domain which effectively shut it down:

WannaCry Ransomware Foiled By Domain Killswitch

I think Gandcrab is still going to cause a fair amount of damage and honestly, the visibility of these types of decryption tools outside of the tech and specifically infosec community is quite low, so do help share this article and let people know they may have a way out if they have been infected.

Ransomware victims paying up and would do so again: Telstra

Ransomware writers looking for targets to pay up should start looking in the south-west Pacific, according to the third installment of the Telstra Security Report.

Surveying 1,252 people, of which 40 percent were in Europe, 23 percent from Australia, and 37 percent from elsewhere in Asia-Pacific, the report said approximately half of businesses paid malware ransoms.

“47 percent of Australian businesses who found themselves victims of ransomware paid the ransom, which was consistent across APAC,” the report said. “Some 60 percent of ransomware victims in New Zealand and 55 percent in Indonesia paid the ransom, making it the highest for Asia. In Europe, 41 percent of respondent ransomware victims paid up.”

Of those that paid up, 87 percent of Asian businesses got their data back, followed by 86 percent in Australia, and 82 percent in Europe. The report added that in the absence of proper backups, 83 percent of organisations in Australia would pay again, with Europe clocking in at 80 percent, and 76 percent of Asian responders saying they would pay again.

Under Armour’s MyFitnessPal Sees 150 Million Accounts Compromised

The MyFitnessPal virtual health and wellness assistant has copped to a data breach affecting 150 million accounts; hackers made off with user names, email addresses and bcrypt-hashed passwords.

While details of how hackers exploited the accounts are still emerging, this appears to be the largest data breach of 2018 to date.

The intrusion occurred in February, but the Under Armour–owned company said in a notice that it wasn’t aware of the breach until March 25. Fortunately, the affected data did not include Social Security numbers or driver’s license numbers, because the app doesn’t collect that information; nor did it affect payment card data, which in another win for network segmentation, is collected and processed separately.

While the event thankfully doesn’t impact financial accounts, John Gunn, CMO at VASCO Data Security, pointed out that there’s an opportunity to up the ante on data security across the board.

“This event, like similar ones where credit-card data is not taken in a breach, demonstrates the value of enforcing security requirements,” he said, via email. “If businesses applied the Payment Card Industry Data Security Standards (PCI DSS) to all data and not just credit-card information, you would see a lot less personal information, such as user names, email addresses and passwords, getting into the hands of hackers.”

MyFitnessPal users are being required to change their passwords. In terms of mitigation, users should of course immediately do that, but they should also be aware that the information taken could be used for phishing attacks, which is where the real danger lies. Any user should avoid clicking on links in emails, social media posts or other messages that seem to have come from Under Armour or MyFitnessPal.

Also, if a user repurposes the MyFitnessPal password on any other websites, especially for banking accounts or similar websites, they should immediately change their passwords on those websites – and choose a different, strong password for each one.

“The reuse of passwords in situations like this may seem like short lapse in judgment, but this data that aligns names and email addresses with passwords is a potential disaster for anyone who reuses their passwords across multiple sites and accounts,” said Lisa Baergen, marketing director of MasterCard-owned NuData Security, via email.

College Kids Turn to Crypto-Mining, Riddling Higher-Ed Networks

The higher-education landscape has become a fertile field for growing crypto-mining revenue. College students are crypto-mining from their dorm rooms, while outside actors are targeting their online activities for web-based attacks.

According to Vectra’s 2018 RSA Conference Edition of its Attacker Behavior Industry Report, higher education is a prime arena given that students are usually not protected by universities’ open networks. These same students also do their own crypto-mining, because they get free electricity.

“Students are more likely to perform crypto-mining personally as they don’t pay for power, the primary cost of crypto-mining,” said Chris Morales, head of security analytics at Vectra. “Universities also have high-bandwidth capacity networks with a large volume of easy targets, especially as students are more likely to use untrusted sites (like illegal movies, music and software) hosting crypto-mining malware.”

The report, which analyzed traffic and collected metadata from more than 4.5 million devices and workloads from customer cloud, data-center and enterprise environments, found that 60% of cryptocurrency mining detections occurred in higher education, followed by entertainment and leisure (6%), financial services (3%), technology (3%) and healthcare (2%). Mining overall has surged with the rising price of cryptocurrencies like Bitcoin, Monero and Ethereum.

  • Colleges and universities aren’t just over-indexing in crypto-mining. The highest volume of attacker behaviors per industry were in higher education (3,715 detections per 10,000 devices) followed by engineering (2,918 detections per 10,000 devices).
  • This is primarily due to command-and-control (C&C) activity in higher education, according to the report, and internal reconnaissance activity in engineering. To the former point, C&C activity in higher education, with 2,205 detections per 10,000 devices, is four times above the industry average of 460 detections per 10,000 devices.
  • These early threat indicators usually precede other stages of an attack and are often associated with opportunistic botnet behaviors, Vectra said.
  • When universities detect crypto-mining, they can only respond to students with a notice that the activity is occurring. They can provide assistance in cleaning machines, or in the case of the student being responsible, they can issue a cease-and-desist. As such, the problem is likely to persist.
  • “Students are exceedingly intelligent and very enterprising,” said Daniel Basile, executive director of the Security Operations Center (SOC) at Texas A&M University. “This is a time that many of them are working with new technologies, and it is not surprising that they are utilizing their machines for cryptocurrency mining. However, there is also a large increase in websites that will crypto-jack your PC while you are on their website. This new trend of mining Bitcoin for revenue instead of ads can directly affect students. With the increase in online video streaming resources, this creates a large amount of cryptocurrency mining.”

GoScanSSH Malware Avoids US Military, South Korea Targets

A new strain of malware that targets vulnerable Linux-based systems is loose in the wild, with an interesting habit of avoiding government and military networks.

Dubbed GoScanSSH (a mash-up of its hallmarks: its Golang-based coding, its ability to scan for new hosts from infected machines, and use of the SSH port), the malware is being used in a widespread campaign that includes more than 70 unique malware samples and multiple versions, indicating that this threat is continuing to be actively developed and improved upon by the attackers. The earliest instance of a variant dates back to last summer, so the campaign has been ongoing for at least nine months.

Its main effort seems to be infecting as many machines as possible, potentially creating a botnet for future use in more damaging attacks.

According to Cisco Talos researchers, bad actors gain access to targets using an SSH-credential brute-force attack against publicly accessible SSH servers.

“In this particular series of attacks, the attacker was leveraging a word list containing more than 7,000 username/password combinations,” they explained in a posting. “Once the attacker has discovered a valid credential set that allows successful SSH authentication, a unique GoScanSSH malware binary is then created and uploaded to the compromised SSH server. The malware is then executed, thus infecting the system.”

Immediately following infection, the GoScanSSH malware attempts to determine how powerful the infected system is and assigns the malware instance a unique identifier, which is all sent to the command-and-control (C&C) server. From there, it initiates SSH scanning activity to find additional vulnerable SSH servers exposed to the internet.

It specifically avoids IP addresses assigned to the US Department of Defense and several in South Korea. The reason for this is unclear.

“It is difficult to fully get inside the head of attackers, but one theory could be that the attackers know that nation-states are resourced and have the political and networking connections to perform accurate attribution,” said Dan Matthews, director of engineering at Lastline, via email. He added, “This attack does not appear complex, although they have done two things which differ from recent commodity malware: written in Go, which is an efficient/cross-platform/modern/cool programming language; and added an IP address validation step prior to performing dictionary attacks against publicly reachable SSH servers.”

Once it has been determined that the selected IP address is an ideal candidate for additional attacks, the malware attempts to obtain valid SSH credentials by attempting to authenticate to the system using the aforementioned wordlist containing username and password combinations. If successful, the malware reports back to the C&C server.

Organizations should employ best practices to ensure that servers they may have exposed remain protected, including ensuring that systems are hardened, that default credentials are changed prior to deploying new systems to production environments and that these systems are continuously monitored for attempts to compromise them.

As Matthews said, “The best thing any organization can do to protect against password reuse attacks is to enable some type of multifactor authentication, particularly for services such as VPNs, SSH servers and web/cloud-based email services, which are reachable from the internet.”
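The campaign above is a wordlist attack against exposed SSH servers, so the defender's signal is a burst of failed logins from one source across many usernames, followed by a password login that succeeds from that same source (the point at which Talos says the binary gets uploaded). The following detector is an added example written for this note, not Talos or Lastline code; the sshd log lines it reads are constructed, with documentation-range addresses and made-up hostnames and users.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth.log lines (not from the article); the
# addresses are documentation ranges, the hostnames and users are made up.
SAMPLE_AUTH_LOG = """\
Mar 26 03:14:01 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar 26 03:14:02 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Mar 26 03:14:03 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar 26 03:14:04 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 51531 ssh2
Mar 26 03:14:05 web1 sshd[2108]: Failed password for invalid user pi from 203.0.113.7 port 51540 ssh2
Mar 26 03:14:06 web1 sshd[2108]: Failed password for invalid user ubnt from 203.0.113.7 port 51541 ssh2
Mar 26 03:14:09 web1 sshd[2110]: Accepted password for deploy from 203.0.113.7 port 51550 ssh2
Mar 26 03:20:10 web1 sshd[2130]: Failed password for alice from 198.51.100.4 port 40012 ssh2
Mar 26 03:20:15 web1 sshd[2130]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_events(log_text):
    """Yield (result, method, user, ip) for each sshd auth line, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def analyze(log_text, threshold=5):
    """Flag sources whose failure count reaches `threshold` (wordlist behaviour)
    and any password login that succeeds from such a source after the failures,
    which is the moment a valid credential set has been found."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    likely_compromised = []
    for result, method, user, ip in parse_auth_events(log_text):
        if result == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif method == "password" and failures.get(ip, 0) >= threshold:
            # Key-based logins are not what a password wordlist yields, so only
            # a password success after sustained failures is treated as a hit.
            likely_compromised.append((ip, user))
    brute_force = {
        ip: {"failures": n, "users": sorted(users_tried[ip])}
        for ip, n in failures.items() if n >= threshold
    }
    return {"brute_force": brute_force, "likely_compromised": likely_compromised}


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    for ip, info in report["brute_force"].items():
        print(f"brute force from {ip}: {info['failures']} failures across {info['users']}")
    for ip, user in report["likely_compromised"]:
        print(f"password login for {user!r} from {ip} after brute force: check the host for a dropped binary")
```

On a real host, feed it `journalctl -u ssh -o cat` or `/var/log/auth.log`; the threshold is a tuning knob, and a session flagged by `likely_compromised` is the one worth pulling a process list and new-file timeline for.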

Facebook was tracking your text message and phone call data. Now what?

While Facebook boss Mark Zuckerberg was stumblingly apologizing for giving Russian-linked Cambridge Analytica access to over 50 million US Facebook users’ personal data, news broke that Facebook had been scraping call and text message data from Android phones for years.

If you looked closely, you would have seen Zuckerberg and company had been snooping on Facebook’s billion-plus users since the beginning. Indeed, the company’s entire business model is built on profiting from your personal data.

That’s not news, but we’re only now realizing just how deeply Facebook data mines each of us including our phone call and text messaging records.

Tech site Ars Technica cited several users who discovered that if you used an Android phone and installed the Facebook app, the social network was likely logging your phone calls and text messages metadata ever since the Android app’s inception.

By metadata, that means Facebook was tracking when you called, how long you were on the call, and when you texted. Facebook never had access to the content. For example, Facebook could know you called your mom every Saturday evening, but not what you spoke about.

It appears Facebook could never pull this off on Apple’s iOS. Other social networks, such as the obscure Path, have pulled down their users’ contact information without permission. Path apologized for this and deleted the data. Even as Facebook apologizes for its privacy invasions, the social networking giant isn’t going that far.

On Android, the door was left open for Facebook to easily pull down your data via Android’s early application programming interface, or API. Before the launch of Android 6.0 in 2015, to use an app you had to agree to all its permission requirements. In Facebook’s case, the company asked for the moon — access to all your data including your phone usage.

With Android 6.0, Google introduced a permission model for Android app data access. Now when you install an application you must explicitly grant access to specific areas. You can also revoke these permissions.

It’s time to turn those off.

You may want to share your contacts with Facebook, but I’m hard pressed to think of a reason why you’d want Facebook to know about who and when you called or texted someone.

Android app permissions (image; credit: sjvn). Caption: Don’t permit Facebook, or any other app, to access data it doesn’t need for its job.

To do this, open your Settings app and tap “Apps.”

Then, click on each app. On the App info screen, you’ll see a “Permissions” category. From here, click on “Permissions”.

The next window lists all the permissions for the app. From the next “App permissions” screen, you can dive deeper into each app’s permissions — such as Camera, Contacts, Location, Microphone, Phone, SMS, and Storage — and change them.

Be aware, some apps won’t work without specific permissions. To stop Facebook snooping on your phone communications’ metadata, turn Phone and SMS off.

What’s that? You didn’t specifically grant Facebook the right to keep an eye on your phones and texts, so you’re good, right? Wrong.

Facebook apps kept using the older, but still supported, pre-Android 4.1 software development kit (SDK) APIs’ permission rules for years. This gave Facebook access to your call and message logs by default.

Google finally deprecated the Android 4.0 API in October 2017. After that, Facebook no longer automatically pulled down your logs.

Whether you’re running an ancient phone with an old version of Android or a brand new Pixel 2 with Android 8.1, I’d double check Facebook and Facebook Messenger. It doesn’t hurt to be cautious.

Facebook says that it’s not the social network’s fault, it’s yours.

In a statement, Facebook stated: “Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android.”

While that may be true, it’s not all that obvious.

According to Facebook:

“When you sign up for Messenger or Facebook Lite on Android, or log into Messenger on an Android device, you are given the option to continuously upload your contacts as well as your call and text history. For Messenger, you can either turn it on, choose ‘learn more’ or ‘not now’. On Facebook Lite, the options are to turn it on or ‘skip’. If you chose to turn this feature on, we will begin to continuously log this information.”

Notice how they’re talking about contacts, but not explicitly about your calling and texting history. If you follow their links, you’re taken to a page that describes how to handle contacts for Messenger and the Facebook app. You must dive deeper still to find out how to turn off “Sync Your Call and Text History”. This can only be done from the app’s Permissions page.

To find out what Facebook has already collected from you, go to Facebook and create an archive. Take the following steps:

Go to the top right of any Facebook page and select “Settings”. Click “Download a copy of your Facebook data” at the bottom of general account settings. Then, click “Start My Archive”.

You’ll need to confirm you want to do this. In a few minutes you’ll get an email with a link to a zip file containing most of your Facebook information.

You’ll find the information on your calls and texts in the contact_info.htm file in the html directory. At the bottom of the files, after your contacts, you’ll see your call and message logs.

After you stop Facebook from gathering this information by either deleting the apps or changing their permissions, what will Facebook do with the data it already collected? Good question.

While Facebook claims, “You are always in control of the information you share with Facebook,” we know that’s not true, or it wouldn’t have been sharing our data with Cambridge Analytica. In this specific case, Facebook hasn’t said what it will do with the phone-related data.

While it is true that we installed the Facebook apps, 99 percent of us weren’t aware we were giving Facebook permission to riffle through our call and SMS logs. Mind you, some of us knew as far back as 2011 that Facebook was playing fast and loose with our contact information. But, seriously, how many people pay close attention to our application permissions? Perhaps a few more than those who actually read end-user licensing agreements (EULAs)?

Facebook declares it doesn’t collect the contents of calls or texts, and information collected isn’t sold to third parties. That’s not much solace to those whose data has been slurped up by the social networking giant.

Maybe Facebook won’t do anything questionable with your data, but, given what we know now about how Facebook handles our privacy, do you really want to take that chance?

Beware – Memcached DDoS Attacks Will Be BIG In 2018

So after the massive DDoS attack trend in 2016, it seems like 2018 is going to be the year of the Memcached DDoS amplification attack, with so many insecure Memcached servers available on the public Internet.


Unfortunately, it looks like a problem that won’t easily go away as there are so many publicly exposed, poorly configured Memcached servers online (estimated to be over 100,000).

Honestly, Github handled the 1.3Tbps attack like a champ with only 10 minutes downtime although they did deflect it by moving traffic to Akamai.

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right.

Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the provider had taken adequate safeguards, but it’s clear that the memcached attack is going to be a feature network managers are going to have to take seriously in the future.

The attacks use shoddily secured memcached database servers to amplify attacks against a target. The assailant spoofs the UDP address of its victim and pings a small data packet at a memcached server that doesn’t have an authenticated traffic requirement in place. The server responds by firing back as much as 50,000 times the data it received.


Then less than a week later, there appears to have been another record-breaking Memcached DDoS attack this time clocking in at 1.7Tbps, although we don’t currently know who it was aimed at.

The amplification is fairly significant as well, with the Memcached servers sending up to 50,000 times the data received to the unwitting victim. I imagine they are sending some kind of command to retrieve all key value pairs available on the server to the spoofed IP – which could be a significant amount of traffic.

With multiple data packets sent out each second, the memcached server unwittingly amplifies the deluge of data that can be sent against the target. Without proper filtering and network management, the tsunami of data can be enough to knock some providers offline.

There are some simple mitigation techniques, notably blocking off UDP traffic from Port 11211, which is the default avenue for traffic from memcached servers. In addition, the operators of memcached servers need to lock down their systems to avoid taking part in such denial of service attacks.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” said Carlos Morales, VP of sales, engineering and operations at Arbor Networks.

“It is critically important for companies to take the necessary steps to protect themselves.”

Memcached servers, like any other part of a well-built infrastructure, should only be listening on the LAN IP address, not the public IP (like any database), but as with the whole MongoDB Ransack fiasco, it’s much easier to listen on * and Memcached typically is used without any type of authentication.
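The two operator-side fixes above (bind to loopback or a LAN address, and turn off the UDP listener that makes the reflection possible) can be checked from the memcached command line as `ps` shows it. The audit below is an added example for this post, not part of memcached or of The Register's reporting; the three command lines are constructed, and the `udp_on_by_default` flag is an assumption you set according to whether your build still enables UDP unless `-U 0` is passed.

```python
import ipaddress
import shlex

# Constructed memcached command lines as `ps -o args` would show them
# (written for this note, not taken from the article or any real host).
EXPOSED_CMDLINE = "/usr/bin/memcached -m 64 -p 11211 -u memcache -l 0.0.0.0 -U 11211"
IMPLICIT_CMDLINE = "/usr/bin/memcached -m 64 -p 11211 -u memcache"
HARDENED_CMDLINE = "/usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0"


def parse_memcached_args(cmdline):
    """Pull the listen addresses (-l, comma separated) and the UDP port (-U)
    out of a memcached command line; every other option is ignored."""
    argv = shlex.split(cmdline)[1:]
    listen, udp_port = [], None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-l":
            listen += argv[i + 1].split(","); i += 2
        elif arg.startswith("-l") and len(arg) > 2:   # "-l127.0.0.1" form
            listen += arg[2:].split(","); i += 1
        elif arg == "-U":
            udp_port = int(argv[i + 1]); i += 2
        elif arg.startswith("-U") and len(arg) > 2:   # "-U0" form
            udp_port = int(arg[2:]); i += 1
        else:
            i += 1
    return listen, udp_port


def _as_ip(addr):
    """Accept "addr", IPv4 "addr:port" or "addr%scope" and return an ip_address."""
    addr = addr.split("%")[0]
    if addr.count(":") == 1:          # IPv4 with a port suffix
        addr = addr.split(":")[0]
    return ipaddress.ip_address(addr)


def audit_memcached(cmdline, udp_on_by_default=True):
    """Return a list of exposure findings; an empty list means the instance only
    binds loopback/LAN addresses and has no UDP listener to answer spoofed probes.
    udp_on_by_default=True models builds that enable UDP unless -U 0 is given."""
    listen, udp_port = parse_memcached_args(cmdline)
    findings = []
    if not listen:
        findings.append("no -l option: memcached binds every interface, public ones included")
    for raw in listen:
        try:
            ip = _as_ip(raw)
        except ValueError:
            findings.append(f"cannot parse listen address {raw!r}; check it by hand")
            continue
        if ip.is_unspecified:
            findings.append(f"-l {raw}: wildcard bind, reachable from the public Internet")
        elif not (ip.is_loopback or ip.is_private):
            findings.append(f"-l {raw}: public address, reachable from the Internet")
    if udp_port is None and udp_on_by_default:
        findings.append("UDP not explicitly disabled: add -U 0 (the amplification vector is UDP)")
    elif udp_port:
        findings.append(f"-U {udp_port}: UDP listener enabled, usable for reflection/amplification")
    return findings


if __name__ == "__main__":
    for name, cmd in [("exposed", EXPOSED_CMDLINE), ("implicit", IMPLICIT_CMDLINE),
                      ("hardened", HARDENED_CMDLINE)]:
        print(f"{name}: {audit_memcached(cmd) or ['ok']}")
```

Pair this with the network-side control already mentioned, a border filter on UDP port 11211, since the bind audit only covers hosts you administer.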

I suspect we will see many more of these Memcached DDoS attacks throughout 2018, and probably more targeted. I’m not sure why people love to target Github – perhaps because it’s just so resilient it’s a good test target to see how effective you are.

Source: The Register