A while ago I wrote about a 1917 saddle bag with bogus British battle plans that “fell” off a horse near the Turkish front lines, which had a decisive influence. Apparently that wasn’t inspiration for a similar mission that had an important impact in WWII. On September 25, 1942 a British plane crashed on the … Continue reading This Day in History 1943: Operation Mincemeat→
Last week on Malwarebytes Labs, our podcast featured Troy Hunt, Chloe Messdaghi, and Tanya Janca who discussed security fatigue with us.
We announced the release of the Malwarebytes SMB Cybersecurity Trust & Confidence Report 2021, a first-of-its-kind survey of the hardworking IT professionals on the front lines of the fight against cyberthreats.
We wrote about how Bitcoin payments were used to unmask a man who hired a Dark Web contract killer; how some ransomware gangs are connected, sharing resources and tactics; about a visa scam affecting Nigerian citizens looking to move to the United States; about NAME:WRECK a set of vulnerabilities found in the way a number of popular TCP/IP stacks handle DNS requests; how ransomware disrupted a food supply chain in the Netherlands; how Chrome needed patching against two in-the-wild exploits; how a controversial FBI intervention to shut down malware on hundreds of Exchange servers caused heated discussions; how researchers noted a huge upsurge in DDoS attacks during the pandemic; how Chrome users can opt out of the Google FLoC trial; how deepfakes were going to change everything and then didn’t; About the NSA, CISA, and FBI warning of Russian intelligence exploiting 5 vulnerabilities; and how shady scam bots trick Omegle users into nonconsensual video sex recordings.
Other cybersecurity news:
An update to the Covid-19 NHS track and trace mobile app was blocked over privacy and security concerns. (Source: TechRadar)
Cryptocurrency rewards platform Celsius Network disclosed a security breach exposing customer information that led to a phishing attack. (Source: BleepingComputer)
Threat analysts have been tracking activity where contact forms published on websites are abused to deliver malicious links to IcedID malware. (Source: Microsoft Security Blog)
The EU published the SOCTA 2021 report providing a detailed analysis of the threat of serious and organised crime facing the EU. (Source: Europol)
New information was revealed about how the FBI managed to get into the San Bernardino shooter’s iPhone. (Source: The Verge)
The use of facial recognition for surveillance, or algorithms that manipulate human behaviour, is set to be banned under proposed EU regulations on artificial intelligence. (Source: BBC)
Dave McDaniel of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered two code execution vulnerabilities in the Cosori smart air fryer.
The Cosori Smart Air Fryer is a WiFi-enabled kitchen appliance that cooks food with a variety of methods and settings. Users can also use the device’s Wi-Fi features to start and stop cooking, look up recipe guides and monitor cooking status.
TALOS-2020-1216 (CVE-2020-28592) and TALOS-2020-1217 (CVE-2020-28593) are remote code execution vulnerabilities that could allow an attacker to remotely inject code into the device. This could hypothetically allow an adversary to change temperatures, cooking times and settings on the air fryer, or start it without the user’s knowledge. The adversary must have physical access to the air fryer for some of these vulnerabilities to work.
An attacker could exploit these vulnerabilities by sending a specially crafted packet to the device that contains a unique JSON object, which would allow them to execute arbitrary code.
Cisco Talos is disclosing these vulnerabilities despite no official fix being available from Cosori, in adherence to Cisco’s vulnerability disclosure policy. Cosori did not respond appropriately during the 90-day period outlined in the policy.
Talos tested and confirmed that the Cosori Smart 5.8-Quart Air Fryer CS158-AF, version 1.1.0 could be exploited by these vulnerabilities.
The following SNORT(R) rule will detect exploitation attempts against these vulnerabilities: 56729. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense – since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way.
But while the use of favicon hashes is common in the “red” community, a significant number of blue teamers don’t use them at all. This is unfortunate, given that – among their other uses – they can provide a simple way of identifying IPs hosting phishing kits. After all, this was the reason why searches using HTTP favicon hashes were introduced into Shodan in the first place[3].
As an example, we will show how to detect IPs hosting phishing pages by looking for sites that try to pass themselves off as login portals for O365 and other Microsoft services; the same principle, however, works for any other service as well. One could therefore, for example, calculate hashes of the unique favicons used by systems specific to the company one is trying to protect (e.g. the favicon from the company website) and periodically look these up on Shodan and other services in order to implement an – admittedly fairly simple – phishing detection/brand protection mechanism…
So how would one look for fake Microsoft login portals? First, we need to calculate a MurmurHash value of a favicon that we expect might be reused on a phishing website to make it look more trustworthy. Looking at official Microsoft websites, it seems that they use the favicon located at https://c.s-microsoft.com/favicon.ico.
Its hash can be easily calculated using Python code that may be found on GitHub[4]:
If we run this script, we will get the hash -2057558656.
Now that we have a hash to look for, we can query Shodan to get the list of all IP addresses where it found a favicon with the same one. We may use the filter http.favicon.hash to do so.
As we can see, the number of results is quite high. This is hardly surprising though, given that they contain all servers – malicious as well as legitimate – where the favicon is used. In order to discover only the suspicious ones, we would need to further refine the search. One would do this differently for one’s own favicons, but in order to search for suspicious Microsoft login portals, we could extend our search to look only for IPs with web pages that look like login portals (http.html:"Sign in") and that are not hosted on Microsoft infrastructure (-org:"Microsoft Corporation" -org:"Microsoft Azure") but are running an Apache web server (product:"Apache httpd"). Taken together, our search might look like this:
If we ran this updated search, the number of results would be significantly lower.
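The diary shows neither the hashing script nor the final query as text, so the following is an added, self-contained Python example (not the diary's code, not the GitHub script it cites, and not Shodan's own code). It implements the MurmurHash3 x86_32 variant that the mmh3 package and Shodan use, applies it to the base64-encoded favicon with the 76-column line breaks that base64.encodebytes inserts (Shodan hashes that encoded form, not the raw bytes, so a plain base64 string without newlines gives a different value), converts the result to the signed 32-bit form Shodan stores, and assembles the refined query with the filters named above. The favicon bytes in the block are a constructed placeholder, not the real Microsoft favicon, so the hash it prints will not be -2057558656; a caller would pass the downloaded favicon.ico bytes instead.

```python
import base64
import struct

# MurmurHash3 x86_32 constants (the variant used by the mmh3 package and by Shodan).
C1 = 0xCC9E2D51
C2 = 0x1B873593
MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 (x86, 32-bit). Returns the unsigned 32-bit digest."""
    h = seed & MASK32
    nblocks = len(data) // 4
    # Body: consume 4-byte little-endian blocks.
    for i in range(nblocks):
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * C1) & MASK32
        k = _rotl32(k, 15)
        k = (k * C2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    # Tail: the 0-3 bytes left over after the last full block.
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * C1) & MASK32
        k = _rotl32(k, 15)
        k = (k * C2) & MASK32
        h ^= k
    # Finalisation mix.
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def to_signed32(value: int) -> int:
    """mmh3.hash() returns a signed 32-bit int; Shodan stores and searches that form."""
    return value - (1 << 32) if value & 0x80000000 else value


def shodan_favicon_hash(favicon_bytes: bytes) -> int:
    """Hash the base64 text of the favicon, newline-wrapped at 76 columns as
    base64.encodebytes produces it. Using the raw bytes or an unwrapped base64
    string yields a value Shodan will never match."""
    encoded = base64.encodebytes(favicon_bytes)
    return to_signed32(murmur3_32(encoded))


def build_phishing_query(
    favicon_hash: int,
    html_marker: str = "Sign in",
    excluded_orgs=("Microsoft Corporation", "Microsoft Azure"),
    product: str = "Apache httpd",
) -> str:
    """Assemble the refined Shodan search: same favicon, a login-looking page,
    not on the brand owner's own infrastructure, served by Apache."""
    parts = [f"http.favicon.hash:{favicon_hash}", f'http.html:"{html_marker}"']
    parts += [f'-org:"{org}"' for org in excluded_orgs]
    parts.append(f'product:"{product}"')
    return " ".join(parts)


# Constructed placeholder standing in for a downloaded favicon.ico (ICO header + padding).
# It is NOT the Microsoft favicon, so its hash is not the -2057558656 quoted in the diary.
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00" + b"\x00" * 118

if __name__ == "__main__":
    h = shodan_favicon_hash(SAMPLE_FAVICON)
    print("favicon hash:", h)
    print("query:", build_phishing_query(h))
```

The same two functions serve the brand-protection use case from the diary: compute shodan_favicon_hash over each favicon your own portals and products ship, store the values, and periodically run build_phishing_query with your own hash and an org exclusion for your own hosting provider.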
Not all IPs identified in this way would necessarily turn out to host a phishing website, but most of them almost certainly would (or would at least turn out to have done so recently). In any case, all of them would unquestionably be worth investigating, and it probably wouldn’t take too long to discover something interesting. In our search, for example, the following web site was hosted on the very first IP that Shodan returned.
As we’ve mentioned, the same approach can be used to identify phishing web sites using any other favicon as well.
Given how easy it is to implement automatic periodic lookups (for example against the Shodan API) for a list of specific hashes (e.g. the ones used on our company login pages or in our products), favicons can provide a cheap and simple way to detect phishing sites targeting either one’s company or its customers. Even if one decided not to automate them, favicon hash lookups can still provide additional information useful, for example, for “long tail” threat hunting or for enrichment of other data.
In any case, if you are on the “blue” side and don’t use favicon hashes in any way, consider whether they might not provide you with at least some value.
AV-TEST is the independent research institute for IT security based in Germany. For more than 15 years, these experts have guaranteed quality-assuring comparison and individual tests of virtually all internationally relevant IT security products. They provide companies and users alike with the information they need to choose solutions that are proven to work.
The tools we have to secure web applications from attacks exploiting vulnerabilities and misconfiguration are still missing the mark when it comes to securing application infrastructure. Find out what’s needed for Application Security today.
A new article on the history of American racism towards its black veterans points out it goes back to the Civil War: Thousands of Black men who served in the Civil War, World War I, and World War II were targeted because of their service and threatened, assaulted or lynched, according to a 2017 Equal … Continue reading America’s History of Mistreatment of Black Service Members→
Schools became a major hotspot for cyberattacks as students moved to online learning. In the last 30 days, education was the most targeted sector, receiving more than 60% of all malware encounters, or more than 5 million incidents, according to Microsoft Security Intelligence. The Government Accounting Office wants to know what the U.S. Department of..
The Biden administration is taking the Russian cyber operations ecosystem to task with sanctions pointed at both established Russian companies as well as Russian-controlled entities created by the FSB, GRU and SVR for operational purposes. Coupled with the U.S. Treasury sanctions, a joint advisory from CISA, NSA and the FBI identified the SVR (Russian Foreign..
Like most technology workforce segments, the cybersecurity diversity issue is a very acute problem: there simply isn’t nearly enough representation of diverse backgrounds in cybersecurity roles, from security operations center (SOC) analysts all the way up through enterprise-level CISOs and board members. Erkang Zheng, founder and CEO of JupiterOne, said the primary issue that comes..
As we know, Tripwire Enterprise (TE) is the de-facto go-to solution for File Integrity Monitoring (FIM). In normal operations, we deploy a TE agent to a system we want to monitor. TE then uses that agent to baseline the system against the appropriate rules, creating a known good state for that system. Moving forward, that system […]
Tripwire recently hired Naoufal Mzali as its first local regional sales manager specifically for the Africa and Levant region. I therefore decided to sit down with Naoufal and have a chat about cybersecurity and Tripwire’s mission for the region. Here’s what he had to say. Joe Pettit: Is the Levant and Africa a new territory […]
Did you know you are 100 times more likely to lose a laptop or mobile devices than have it stolen? When you are traveling, always double-check to make sure you have your devices with you, such as when leaving airport security, exiting your taxi or check out of your hotel.
This week Tom and Kevin are back with an all new episode! Data breaches vs. recent data leaks, and the controversy over the FBI operation conducted to remove web shells from compromised Microsoft Exchange servers. ** Links mentioned on the show ** Facebook Data Breach: Here’s What To Do Now https://www.forbes.com/sites/kateoflahertyuk/2021/04/06/facebook-data-breach-heres-what-to-do-now/?sh=32c7c9235708 LinkedIn says some user […]
Find out how a vulnerability in OverlayFS allows local users under Ubuntu to gain root privileges.
Vulnerability Summary
An Ubuntu-specific issue in the overlayfs file system in the Linux kernel: it did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges, due to a patch carried in Ubuntu to allow unprivileged overlayfs mounts.
CVE
CVE-2021-3493
Credit
An independent security researcher has reported this vulnerability to the SSD Secure Disclosure program.
Affected Versions
Ubuntu 20.10
Ubuntu 20.04 LTS
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 ESM
Vendor Response
“We published security advisories for this issue today in
Linux supports file capabilities stored in extended file attributes that work similarly to setuid-bit, but can be more fine-grained. A simplified procedure for setting file capabilities in pseudo-code looks like this:
setxattr(...):
    if cap_convert_nscap(...) is not OK:
        then fail
    vfs_setxattr(...)
The important call is cap_convert_nscap, which checks permissions with respect to namespaces.
If we set the file capabilities from our own namespace and on our own mount, there is no problem and we have permission to do so. The problem is that when OverlayFS forwards this operation to the underlying file system, it only calls vfs_setxattr and skips checks in cap_convert_nscap.
This allows setting arbitrary capabilities on files in the outer namespace/mount, where they will also be applied during execution.
In Linux 5.11 the call to cap_convert_nscap was moved into vfs_setxattr, so it is no longer vulnerable.
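Because the flaw comes down to a capability xattr being written without the namespace check, the thing a defender can audit for is exactly that artefact: the security.capability attribute on files, who it is scoped to, and which capabilities it carries. The following is an added example written for this page (not from SSD, Ubuntu or the kernel sources): a parser for the kernel's on-disk vfs_cap_data layout (a v2 record of 20 bytes, or a v3 record of 24 bytes whose trailing rootid field names the user namespace the capabilities are valid in; a v2 record is always interpreted in the initial namespace), plus a small risk assessment that flags root-equivalent capabilities. The two sample attribute blobs are constructed inline; audit_file reads the real attribute from a path on a Linux host.

```python
import os
import struct

# On-disk layout of the security.capability xattr (struct vfs_cap_data, little-endian):
#   u32 magic_etc; struct { u32 permitted; u32 inheritable; } data[2]; [u32 rootid]
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000     # 20-byte record, valid in the initial user namespace
VFS_CAP_REVISION_3 = 0x03000000     # 24-byte record, adds rootid (namespaced file caps)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # permitted set is raised to effective at exec

CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw",
    16: "cap_sys_module", 17: "cap_sys_rawio", 19: "cap_sys_ptrace",
    21: "cap_sys_admin", 31: "cap_setfcap",
}

# Capabilities that are root-equivalent when granted to an arbitrary binary.
HIGH_RISK = {1, 6, 7, 8, 16, 17, 19, 21, 31}


def _bits(low: int, high: int) -> set:
    """Expand the two 32-bit halves of a capability set into a set of cap numbers."""
    value = low | (high << 32)
    return {i for i in range(64) if (value >> i) & 1}


def parse_vfs_cap(blob: bytes) -> dict:
    """Decode a security.capability xattr value into its fields."""
    if len(blob) < 20:
        raise ValueError("security.capability blob too short")
    magic = struct.unpack_from("<I", blob, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2:
        fields = struct.unpack_from("<4I", blob, 4)
        rootid = 0  # v2 has no rootid: always the initial namespace's root
    elif revision == VFS_CAP_REVISION_3 and len(blob) >= 24:
        fields = struct.unpack_from("<4I", blob, 4)
        rootid = struct.unpack_from("<I", blob, 20)[0]
    else:
        raise ValueError(f"unsupported capability xattr revision 0x{revision:08x}")
    # fields = (permitted[0], inheritable[0], permitted[1], inheritable[1])
    return {
        "revision": revision >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _bits(fields[0], fields[2]),
        "inheritable": _bits(fields[1], fields[3]),
        "rootid": rootid,
    }


def assess(caps: dict) -> list:
    """Return human-readable findings for capability sets worth a second look."""
    findings = []
    risky = caps["permitted"] & HIGH_RISK
    if risky:
        names = ", ".join(sorted(CAP_NAMES.get(c, f"cap_{c}") for c in risky))
        if caps["rootid"] == 0:
            scope = "initial namespace"
        else:
            scope = f"user namespace rooted at kuid {caps['rootid']}"
        suffix = " (effective)" if caps["effective"] else ""
        findings.append(f"high-risk capabilities {names} valid in the {scope}{suffix}")
    return findings


def audit_file(path: str) -> list:
    """Read the real attribute from a file on Linux; [] when none is set or unreadable."""
    try:
        blob = os.getxattr(path, "security.capability")
    except (OSError, AttributeError):
        return []
    return assess(parse_vfs_cap(blob))


# Constructed sample: v2 record, cap_setuid (bit 7) permitted and effective, valid everywhere.
SAMPLE_V2 = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)
# Constructed sample: v3 record, cap_net_bind_service (bit 10) scoped to a namespace
# whose root maps to kuid 100000, the kind of record an unprivileged container may own.
SAMPLE_V3 = struct.pack("<6I", VFS_CAP_REVISION_3, 1 << 10, 0, 0, 0, 100000)

if __name__ == "__main__":
    for label, blob in (("v2", SAMPLE_V2), ("v3", SAMPLE_V3)):
        caps = parse_vfs_cap(blob)
        print(label, caps, assess(caps))
```

Run audit_file over the paths that getcap -r / reports and compare against the package-managed set: a record scoped to the initial namespace carrying cap_setuid or cap_sys_admin on a file your distribution did not ship is the artefact this class of bug leaves behind, whichever kernel you are on.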
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1310
libebml security update
19 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libebml
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-3405
Original Bulletin:
https://www.debian.org/lts/security/2021/dla-2629
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2629-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
April 18, 2021 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------
Package : libebml
Version : 1.3.4-1+deb9u2
CVE ID : CVE-2021-3405
A heap overflow issue was detected in libebml, a library to read and
write files in the EBML format, a binary pendant to XML.
These issues appeared in several ReadData functions of various data type
classes. This update also fixes the issue in EbmlString::ReadData and
EbmlUnicodeString::ReadData, which were mentioned in CVE-2021-3405.
For Debian 9 stretch, this problem has been fixed in version
1.3.4-1+deb9u2.
We recommend that you upgrade your libebml packages.
For the detailed security status of libebml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libebml
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----