New DNS Vulnerability Lets Attackers Launch Large-Scale DDoS Attacks
Israeli cybersecurity researchers have disclosed details about a new flaw impacting DNS protocol that can be exploited to launch amplified, large-scale distributed denial-of-service (DDoS) attacks to takedown targeted websites.
Called NXNSAttack, the flaw hinges on the DNS delegation mechanism to force DNS resolvers to generate more DNS queries to authoritative servers of attacker’s choice, potentially causing a botnet-scale disruption to online services.
“We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers’ IP addresses,” the researchers said in the paper.
Source: The hacker news / Securityweek / Blog of CZ.NIC staff
New Bluetooth Vulnerability Exposes Billions of Devices to Hackers
Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion of modern devices to hackers. The attacks, dubbed Bluetooth Impersonation AttackS or BIAS, concerns Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices. “The Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment,” the researchers outlined in the paper. “Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade.”
Given the widespread impact of the vulnerability, the researchers said they responsibly disclosed the findings to the Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards in December 2019.
Source: The hacker news / Threatpost / Securityweek / EPFL BIAS blog
HTTP Status Codes Command This Malware How to Control Hacked Systems
A new version of COMpfun remote access trojan (RAT) has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. The cyberespionage malware—traced to Turla APT with “medium-to-low level of confidence” based on the history of compromised victims—spread via an initial dropper that masks itself as a visa application, the Global Research and Analysis Team at Kaspersky discovered. The Turla APT, a Russian-based threat group, has a long history of carrying out espionage and watering hole attacks spanning various sectors, including governments, embassies, military, education, research, and pharmaceutical companies.
Source: The hacker news / Bleeping computer / Kaspersky blog
Remote Code Execution Vulnerability Patched in VMware Cloud Director
VMware informed customers on Tuesday that it has patched a high-severity remote code execution vulnerability in its Cloud Director product. The vulnerability, tracked as CVE-2020-3956, has been described as a code injection issue that allows an authenticated attacker to send malicious traffic to Cloud Director, which could result in arbitrary code execution. “This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access,” VMware said in its advisory.
Source: Securityweek / VMware security advisory
Improper Microsoft Patch for Reverse RDP Attacks Leaves 3rd-Party RDP Clients Vulnerable
Remember the Reverse RDP Attack—wherein a client system vulnerable to a path traversal vulnerability could get compromised when remotely accessing a server over Microsoft’s Remote Desktop Protocol?
Though Microsoft had patched the vulnerability (CVE-2019-0887) as part of its July 2019 Patch Tuesday update, it turns out researchers were able to bypass the patch just by replacing the backward slashes in paths with forward slashes.
Microsoft acknowledged the improper fix and re-patched the flaw in its February 2020 Patch Tuesday update earlier this year, now tracked as CVE-2020-0655.
In the latest report shared with The Hacker News, Check Point researcher disclosed that Microsoft addressed the issue by adding a separate workaround in Windows while leaving the root of the bypass issue, an API function “PathCchCanonicalize,” unchanged.
Source: The hacker news
Researcher Spots New Malware Claimed to be ‘Tailored for Air‑Gapped Networks’
A cybersecurity researcher at ESET today published an analysis of a new piece of malware, a sample of which they spotted on the Virustotal malware scanning engine and believe the hacker behind it is likely interested in some high-value computers protected behind air‑gapped networks. Dubbed ‘Ramsay,’ the malware is still under development with two more variants (v2.a and v2.b) spotted in the wild and doesn’t yet appear to be a complex attacking framework based upon the details researcher shared.
However, before reading anything further, it’s important to note that the malware itself doesn’t leverage any extraordinary or advanced technique that could let attackers jump air-gapped networks to infiltrate or exfiltrate data from the targeted computers.
Source: The hacker news / Bleeping computer / Bruce Schneier on security / ZD Net / ESET blog
(Last) Week in Ransomware – May 15th 2020 – REvil targets Trump
This week, we saw some interesting news about ransomware features being added and continued attackers against high profile victims. The biggest news is REvil’s continued threats against Grubman Shire Meiselas & Sacks (GSMLaw) after demanding a $21 million ransom. They have now increased the ransom to $42 million and have begun releasing emails that they state are damaging to President Trump.
Source: Bleeping computer
EasyJet hacked: data breach affects 9 million customers
EasyJet, the UK’s largest airline, has disclosed that they were hacked and that the email addresses and travel information for 9 million customers were exposed. For some of these customers, credit card details were also accessed by the attackers. In a data breach notification disclosed today, EasyJet states that they have suffered a cyberattack, and an unauthorized third-party was able to gain access to their systems. During this attack, the threat actors were able to access the email addresses and travel information for nine million customers. For approximately 2,208 customers, credit card details were also exposed.
Source: Bleeping computer / The hacker news / Dark reading / Threatpost / Securityweek / BBC / Infosecurity magazine / Helpnet security
Adobe releases critical out-of-band security update
Adobe has released an out-of-band security update for Adobe Character Animator that fixes a critical remote code execution vulnerability. Security updates for information disclosure vulnerabilities in Adobe Premiere Pro, Adobe Audition, and Adobe Premiere Rush were also released. All of these vulnerabilities were discovered by Mat Powell of Trend Micro Zero Day Initiative and were not found in the wild. “To the best of our knowledge, they were not publicly known or under active attack when the patches were released,” Dustin Childs, manager at Trend Micro’s ZDI, told BleepingComputer.
Source: Bleeping computer / Threatpost / Securityweek / Adobe security bulletin
Microsoft warns of ‘massive’ phishing attack pushing legit RAT
Microsoft is warning of an ongoing COVID-19 themed phishing campaign that installs the NetSupport Manager remote administration tool. In a series of tweets, the Microsoft Security Intelligence team outlines how this “massive campaign” is spreading the tool via malicious Excel attachments. The attack starts with emails pretending to be from the Johns Hopkins Center, which is sending an update on the number of Coronavirus-related deaths there are in the United States. Attached to this email is an Excel file titled ‘covid_usa_nyt_8072.xls’, that when opened, displays a chart showing the number of deaths in the USA based on data from the New York Times.
Source: Bleeping computer
This Service Helps Malware Authors Fix Flaws in their Code
Almost daily now there is news about flaws in commercial software that lead to computers getting hacked and seeded with malware. But the reality is most malicious software also has its share of security holes that open the door for security researchers or ne’er-do-wells to liberate or else seize control over already-hacked systems. Here’s a look at one long-lived malware vulnerability testing service that is used and run by some of the Dark Web’s top cybercriminals.
Source: Krebs on security
Alleged Hacker Behind Massive ‘Collection 1’ Data Dump Arrested
A hacker accused of selling hundreds of millions of stolen credentials from last year’s “Collection 1” data dump on the dark web has been arrested in the Ukraine. The Security Service of Ukraine (SSU) took into custody a threat actor known as “Sanix,” who they claim posted 773 million e-mail addresses and 21 million unique passwords on a hacker forum last year, according to a press release. The SSU said it worked with the Ukrainian cyber police and National Police on the investigation. Authorities did not release his real name.
Known as Collection 1, the database of breached emails was discovered on a popular underground hacking forum on Jan. 17, 2019. At the time Troy Hunt, the researcher behind the HaveIBeenPwned database, quantified the trove of data as 1,160,253,228 unique combinations of email addresses and passwords.
Source: Threatpost / Krebs on security / The hacker news / Infosecurity magazine
Verizon Data Breach Report: DoS Skyrockets, Espionage Dips
Denial-of-service (DoS) attacks have spiked over the past year, while cyber-espionage campaigns have spiraled downwards. That’s according to Verizon’s 2020 Data Breach Investigations Report (DBIR) released Tuesday, which analyzed 32,002 security incidents and 3,950 data breaches across 16 industry verticals.
The wolf is back…
Thai Android devices and users are being targeted by a modified version of DenDroid we are calling “WolfRAT,” now targeting messaging apps like WhatsApp, Facebook Messenger and Line. We assess with high confidence that this modified version is operated by the infamous Wolf Research. This actor has shown a surprising level of amateur actions, including code overlaps, open-source project copy/paste, classes never being instanced, unstable packages and unsecured panels.
Source: TALOS intelligence blog
Secjuice Squeeze Volume 24
Welcome to the 24th edition of the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly prepared for you every week. This week’s volume compiled by Secjuice writers Sinwindie, Mike Peterson, Thunder-Son, jtc94, Miguel Calles, and Hartoyo Wahyu.
An Expert By Any Other Name
What comes to mind when you hear “cybersecurity”? A pentester? Security researcher? Compliance officer? IT Support? MSSP? EDR? “Cybersecurity” has a multitude of meanings – almost every company wants a “cybersecurity expert,” but what does that even mean? What needed skills are those companies looking for in a candidate?