Multiple mobile Bootloaders found Vulnerable

A group of nine researchers from the University of California, Santa Barbara have discovered a number of code execution and denial-of-service zero-day flaws in the bootloaders of Android chipsets from six vendors.

They analyzed the interaction between the Android OS and the chip using a custom tool dubbed “BootStomp” that automatically detects security vulnerabilities in bootloaders.

Since bootloaders are usually closed source and hard to reverse-engineer, performing analysis on them is difficult, especially because hardware dependencies hinder dynamic analysis.

Therefore, the researchers created BootStomp, which “uses a novel combination of static analysis techniques and underconstrained symbolic execution to build a multi-tag taint analysis capable of identifying bootloader vulnerabilities.”

The tool helped the researchers discover six previously unknown critical security bugs across bootloaders from HiSilicon (Huawei), Qualcomm, MediaTek, and NVIDIA, which could be exploited by attackers to unlock the device bootloader and install custom malicious ROMs and persistent rootkits.

Five of the vulnerabilities have already been confirmed by the respective chipset vendors. The researchers also found a known bug (CVE-2014-9798) in Qualcomm’s bootloaders, which was previously reported in 2014 but is still present and usable.

Some of the discovered flaws even allow an attacker with root privileges on the Android operating system to execute malicious code as part of the bootloader or to perform permanent denial-of-service attacks.

According to the researchers, the vulnerabilities impact ARM’s “Trusted Boot” or Android’s “Verified Boot” mechanisms that chipset vendors have implemented to establish a Chain of Trust (CoT), which verifies the integrity of each component the system loads while booting the device.

The researchers tested five different bootloader implementations in Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Nexus 9 (NVIDIA Tegra chipset), Sony Xperia XA (MediaTek chipset) and two versions of the LK-based bootloader, developed by Qualcomm.

The researchers discovered five critical vulnerabilities in the Huawei Android bootloader:

  • An arbitrary memory write or denial of service (DoS) issue when parsing Linux Kernel’s DeviceTree (DTB) stored in the boot partition.
  • A heap buffer overflow issue when reading the root-writable oem_info partition.
  • A root user’s ability to write the nve and oem_info partitions, from which configuration data and memory access permissions governing the smartphone’s peripherals can be read.
  • A memory corruption issue that could allow an attacker to install a persistent rootkit.
  • An arbitrary memory write bug that lets an attacker run arbitrary code as the bootloader itself.

The vulnerabilities discovered by the researchers rely on the attacker’s ability to write to the non-volatile memory accessed by the bootloader. For this reason, the researchers propose a series of mitigation strategies that both limit the attack surface of the bootloader and enforce various desirable properties aimed at safeguarding the security and privacy of users. The measures include the use of hardware features, already implemented in most modern devices, that prevent writes to specific partitions of the memory.

CVE-2017-9805: A critical vulnerability in Apache Struts

Security researchers at lgtm.com have discovered a critical remote code execution vulnerability in Apache Struts — a popular open-source MVC framework for developing web applications in the Java programming language which supports REST, AJAX, and JSON, allowing a remote attacker to run malicious code on the affected servers.

The vulnerability (CVE-2017-9805) is a programming blunder in the way Struts processes data from an untrusted source. Specifically, the Struts REST plugin fails to handle XML payloads properly while deserializing them.

All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable.

At least 65% of the Fortune 100 companies are actively using web applications built with the Struts framework. Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework.

The vulnerability is incredibly easy for an attacker to exploit: all an attacker needs to do is submit malicious XML code in a particular format to trigger the vulnerability on the targeted server.

Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server, eventually letting the attacker infiltrate into other systems on the same network.

This flaw is an unsafe deserialization in Java, similar to a vulnerability in Apache Commons Collections discovered by Chris Frohoff and Gabriel Lawrence in 2015 that also allowed arbitrary code execution.

Since this vulnerability has been patched in Struts version 2.5.13, administrators are strongly advised to upgrade their Apache Struts installation as soon as possible.

HoeflerText Popups Targeting Google Chrome Users

Researchers spotted a new EITest campaign leveraging HoeflerText Popups to target Google Chrome users and push NetSupport Manager RAT or Locky ransomware.

Security researchers with both the SANS Internet Storm Center and Palo Alto Networks’ Unit 42 have spotted a malware campaign leveraging bogus popups that alert users to a missing web font.

The attackers are targeting Google Chrome and Firefox browser users; the researchers discovered that the popups deliver a malicious JavaScript file that installs either the NetSupport Manager remote access tool (RAT) or Locky ransomware.

Many similarities with the EITest malware campaign have been discovered.

“The attackers behind the EITest campaign have occasionally implemented a social engineering scheme using fake HoeflerText popups to distribute malware targeting users of Google’s Chrome browser. In recent months, the malware used in the EITest campaign has been ransomware such as Spora and Mole.” reads the post published by PaloAlto Networks. “However, by late August 2017, this campaign began pushing a different type of malware.  Recent samples are shown to infect Windows hosts with the NetSupport Manager remote access tool (RAT). This is significant, because it indicates a potential shift in the motives of this adversary.”

Victims are lured to a compromised website that generates a bogus popup message informing the user that the webpage they are trying to view cannot display correctly because their browser lacks the “HoeflerText” font, and suggesting that they fix the issue by downloading a Chrome Font Pack.

However, when the same links were tried in Google Chrome, they displayed a fake notification stating: The “HoeflerText” font was not found.

These notifications also had an ‘update’ button. When it was clicked, a JavaScript file named Win.JSFontlib09.js was received. That JavaScript file is designed to download and install Locky ransomware.

In another case, the same Chrome HoeflerText font update delivered a file named “Font_Chrome.exe” that downloads and installs the NetSupport Manager RAT.

The expert tried different browsers and observed mixed behaviors: Tor and Yandex browsers both returned the same results as IE 11 and Microsoft Edge when viewing those fake Dropbox pages, while Opera and Vivaldi returned the same HoeflerText notifications seen in Google Chrome.

Victims using Internet Explorer or Microsoft Edge on the bogus webpages did not trigger the HoeflerText popup; rather, they got a fake anti-virus alert with a phone number for a tech support scam.

“Users should be aware of this ongoing threat. Be suspicious of popup messages in Google Chrome that state: The ‘HoeflerText’ font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection,” the post concluded.

Gazer: A backdoor targeting Ministries and Embassies

ESET security researchers have discovered a new malware campaign targeting consulates, ministries and embassies that is believed to be carried out by the Turla advanced persistent threat (APT) hacking group.

Active since 2016, the campaign leverages a new backdoor, dubbed Gazer, written in C++. The backdoor is delivered via spear-phishing emails and hijacks targeted computers.

The attacks show all the hallmarks of past campaigns launched by the Turla hacking group, namely:

  • Targeted organizations are embassies and ministries;
  • Spearphishing delivers a first-stage backdoor such as Skipper;
  • A second stealthier backdoor (Gazer in this instance, but past examples have included Carbon and Kazuar) is put in place;
  • The second-stage backdoor receives encrypted instructions from the gang via C&C servers and evades detection by using compromised, legitimate websites as a proxy.

Instead of using the Windows Crypto API, Gazer uses custom 3DES and RSA encryption libraries to encrypt the data before sending it to the C&C server, a common tactic employed by the Turla APT group.

Gazer uses a code-injection technique to take control of a machine and hide itself for a long period of time in an attempt to steal information.

The Gazer backdoor also has the ability to forward commands received by one infected endpoint to the other infected machines on the same network.

So far ESET researchers have identified four different variants of the Gazer malware in the wild.

Earlier versions of Gazer were signed with a valid certificate issued by Comodo for “Solid Loop Ltd,” while the latest version is signed with an SSL certificate issued to “Ultimate Computer Support Ltd.”

[Image: Certificates used to sign the malware variants]

According to researchers, Gazer has already managed to infect a number of targets worldwide, with the most victims being located in Europe.

Full technical analysis of the malware can be found here.

LabVIEW vulnerability allows malicious code execution

Security researchers from Cisco’s Talos Security Intelligence have discovered a critical vulnerability in LabVIEW software that could allow attackers to execute malicious code on a target computer, giving them full control of the system.

LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation.

Identified as CVE-2017-2779, the code execution vulnerability could be triggered by opening a specially crafted VI file, a proprietary file format used by LabVIEW.

Talos researchers explain “An exploitable memory corruption vulnerability exists in the RSRC segment parsing functionality of LabVIEW. A specially crafted VI file can cause an attacker controlled looping condition resulting in an arbitrary null write. An attacker controlled VI file can be used to trigger this vulnerability and can potentially result in code execution.”

Talos researchers have successfully tested the vulnerability on LabVIEW 2016 version 16.0, but National Instruments has refused to consider this issue as a vulnerability in their product and has no plans to release any patch to address the flaw.

However, the issue should not be ignored, because the threat vector is very similar to many previously disclosed Microsoft Office vulnerabilities, in which victims were compromised after opening a malicious MS Word file received via email or downloaded from the Internet.

Since there is no patch available, LabVIEW users are left with only one option: be very careful while opening any VI file you receive via email.

Full technical analysis is available here.

WireX Android DDoS Botnet

A team of security researchers from several security firms has uncovered a new, widespread botnet that consists of tens of thousands of hacked Android smartphones.

Dubbed WireX and detected as “Android Clicker,” the botnet primarily consists of infected Android devices running one of hundreds of malicious apps installed from the Google Play Store, and is designed to conduct massive application-layer DDoS attacks.

Researchers from Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, RiskIQ, Team Cymru, and other organizations cooperated to combat this botnet. Evidence indicates that the botnet may have been active as early as August 2nd, but it was the attacks on August 17th that drew the attention of these organizations, when multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks.

The first available indicators of the WireX botnet appeared on August 2nd as minor attacks that went unnoticed at the time. It wasn’t discovered until researchers began searching for the 26-character User-Agent string in logs.

WireX is a volumetric DDoS attack at the application layer. The traffic generated by the attack nodes is primarily HTTP GET requests, though some variants appear to be capable of issuing POST requests. In other words, the botnet produces traffic resembling valid requests from generic HTTP clients and web browsers.

[Image: Estimated growth of the botnet based on the count of unique IPs per hour observed participating in attacks.]

During initial observation, the majority of the traffic from this botnet was distinguished by the use of an HTTP request User-Agent string containing the 26 lowercase English letters, in random order.

Some of the User-Agent values seen:

User-Agent: jigpuzbcomkenhvladtwysqfxr  
User-Agent: yudjmikcvzoqwsbflghtxpanre  
User-Agent: mckvhaflwzbderiysoguxnqtpj  
User-Agent: deogjvtynmcxzwfsbahirukqpl  
User-Agent: fdmjczoeyarnuqkbgtlivsxhwp  
User-Agent: yczfxlrenuqtwmavhojpigkdsb  
User-Agent: dnlseufokcgvmajqzpbtrwyxih  

Variants of the malware have also been observed emitting User-Agent strings of varying length and expanded character sets, sometimes including common browser User-Agents. Here are some samples of other User-Agents observed:

User-Agent: xlw2ibhqg0i  
User-Agent: bg5pdrxhka2sjr1g  
User-Agent: 5z5z39iit9damit5czrxf655ok060d544ytvx25g19hcg18jpo8vk3q  
User-Agent: fge26sd5e1vnyp3bdmc6ie0  
User-Agent: m8al87qi9z5cqlwc8mb7ug85g47u  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3 (.NET CLR 3.5.30729)  
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20071018 BonEcho/2.0.0.7  
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_7; en-us) AppleWebKit/530.19.2 (KHTML, like Gecko) Version/4.0.2  
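As an added illustration (not code from the article or from the research teams it cites), a small Python detector that applies the User-Agent signature described above to web-server access logs: it flags any User-Agent that is a permutation of the 26 lowercase letters and counts unique source IPs per hour, the same measure the botnet-growth figure uses. The log lines are constructed samples in Apache combined format; the flagged User-Agents are taken from the list above.

```python
import re
from collections import defaultdict
from datetime import datetime
from string import ascii_lowercase

# Constructed sample access log (Apache combined format). The first three
# User-Agents are WireX samples quoted above; the fourth is a normal browser;
# the last is 26 letters long but repeats 'a', so it is NOT a permutation.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Aug/2017:17:03:11 +0000] "GET / HTTP/1.1" 200 512 "-" "jigpuzbcomkenhvladtwysqfxr"
203.0.113.11 - - [17/Aug/2017:17:03:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "yudjmikcvzoqwsbflghtxpanre"
203.0.113.10 - - [17/Aug/2017:17:04:01 +0000] "GET / HTTP/1.1" 200 512 "-" "mckvhaflwzbderiysoguxnqtpj"
198.51.100.7 - - [17/Aug/2017:17:05:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.12 - - [17/Aug/2017:18:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "dnlseufokcgvmajqzpbtrwyxih"
203.0.113.13 - - [17/Aug/2017:18:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "aabcdefghijklmnopqrstuvwxy"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
ALPHABET = frozenset(ascii_lowercase)


def is_wirex_ua(ua: str) -> bool:
    """True for the original WireX signature: the 26 lowercase letters, each exactly once, shuffled."""
    return len(ua) == 26 and set(ua) == ALPHABET


def parse_line(line: str):
    """Return (source_ip, timestamp, user_agent) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("ua")


def unique_ips_per_hour(log_text: str) -> dict:
    """Map each hour bucket ('YYYY-MM-DD HH') to the sorted source IPs that sent signature requests in it."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, ua = parsed
        if is_wirex_ua(ua):
            buckets[ts.strftime("%Y-%m-%d %H")].add(ip)
    return {hour: sorted(ips) for hour, ips in buckets.items()}


if __name__ == "__main__":
    for hour, ips in sorted(unique_ips_per_hour(SAMPLE_LOG).items()):
        print(f"{hour}: {len(ips)} unique attacking IPs -> {', '.join(ips)}")
```

The later variants with shorter random alphanumeric strings are not matched by this check; for those, the article's advice of correlating with known-bad User-Agent lists applies.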

After further investigation, security researchers identified more than 300 malicious apps on Google’s official Play Store, many of which purported to be media and video players, ringtones, or tools such as storage managers and app stores, and which included the malicious WireX code.

Just like many malicious apps, WireX apps do not act maliciously immediately after installation, in order to evade detection and make their way into the Google Play Store.

Investigation of the logs from attacks on August 17th revealed previous attacks meeting the same signature implicated the first Android application, “twdlphqg_v1.3.5_apkpure.com.apk”.

Many of the identified applications fell into the categories of media/video players, ringtones or tools such as storage managers and app stores with additional hidden features that were not readily apparent to the end users that were infected. At the launch of the applications, the nefarious components begin their work by starting the command and control polling service which queries the command and control server, most commonly g[.]axclick[.]store, for attack commands. When attack commands are received, the parsing service inspects the raw attack command, parses it and invokes the attacking service with the extracted parameters.

The applications that housed these attack functions, while malicious, appeared to be benign to the users who had installed them. These applications also took advantage of features of the Android service architecture allowing applications to use system resources, even while in the background, and are thus able to launch attacks when the application is not in use. Antivirus scanners currently recognize this malware as the “Android Clicker” trojan, but this campaign’s purpose has nothing to do with click fraud. It is likely that this malware used to be related to click fraud, but was repurposed for DDoS.

PREVENTION & MITIGATION

If your device is running a newer version of the Android operating system that includes Google’s Play Protect feature, the company will automatically remove WireX apps from your device, if you have one installed.

Play Protect is Google’s newly launched security feature that uses machine learning and app usage analysis to remove (uninstall) malicious apps from users’ Android smartphones to prevent further harm.

Also, it is highly recommended to install apps only from reputable and verified developers, even when downloading from Google’s official Play Store, and to avoid installing unnecessary apps.

Additionally, you are strongly advised to always keep a good antivirus app on your mobile device that can detect and block malicious apps before they can infect your device, and always keep your device and apps up-to-date.

Education & Healthcare industries targeted by Defray Ransomware

A new ransomware, used in attacks targeting education and healthcare organisations, has been discovered by Proofpoint researchers.

The ransomware used in the campaign was dubbed Defray, based on the command and control (C&C) server hostname used for the first observed attack:

defrayable-listings[.]000webhostapp[.]com

The ransomware is being spread via Microsoft Word document attachments in email.

The researchers observed two targeted attacks, on Aug. 15 and on Aug. 22, and both appeared to be designed for specific organizations.

The attack on August 15 targeted the Manufacturing and Technology verticals; attackers used messages with the subject “Order/Quote” and a Microsoft Word document containing an embedded executable (also an OLE packager shell object).

[Image: The Word document, patient_report.doc, delivered in malicious email messages]

The attack on August 22, aimed primarily at Healthcare and Education, involved messages with a Microsoft Word document containing an embedded executable (specifically, an OLE packager shell object). The attachment features a UK hospital logo in the upper right and purports to be from the Director of Information Management & Technology at the hospital.

[Image: Word document attachment, presentation.doc, delivered in malicious email messages]

If the potential victim double-clicks on the embedded executable, the ransomware is dropped with a name such as taskmgr.exe or explorer.exe in the %TMP% folder and executed.

The ransomware contains a hardcoded list of file extensions, shown below, for files that it will encrypt (although we observed others such as .lnk and .exe encrypted that were not on this list). The file extensions of modified files were not changed. We observed that the modified files all end in bytes “30 82 04 A4 02 01 00 02 82 01 01 00 9F CF 52 84” for our sample.
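Because Defray leaves file extensions unchanged, the trailing bytes Proofpoint reports are the only content-level marker available for triage. The following Python scanner is an added example (not Proofpoint's tooling) that walks a directory tree reading only the last bytes of each file and reports those ending in that marker; the sample files it creates are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Trailer observed by Proofpoint at the end of every file modified by their sample.
# 0x30 0x82 is a DER SEQUENCE tag with a two-byte length, so the appended data looks
# like an ASN.1 blob; that reading is this example's, not a claim from the report.
DEFRAY_TRAILER = bytes.fromhex("30 82 04 A4 02 01 00 02 82 01 01 00 9F CF 52 84")


def has_defray_trailer(data: bytes) -> bool:
    """True if the given bytes (a whole file or just its tail) end with the Defray trailer."""
    return len(data) >= len(DEFRAY_TRAILER) and data.endswith(DEFRAY_TRAILER)


def scan_tree(root) -> list:
    """Return sorted paths under root whose content ends with the trailer, reading only each file's tail."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            size = path.stat().st_size
            with path.open("rb") as fh:
                fh.seek(max(0, size - len(DEFRAY_TRAILER)))
                tail = fh.read()
        except OSError:
            continue  # unreadable or vanished file: skip rather than abort the sweep
        if has_defray_trailer(tail):
            hits.append(str(path))
    return sorted(hits)


def demo() -> list:
    """Constructed sample tree: two files with the trailer appended, one untouched; returns flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "quarterly.xlsx").write_bytes(b"PK\x03\x04 spreadsheet bytes " + DEFRAY_TRAILER)
        (base / "notes.txt").write_bytes(b"plain text, untouched\n")
        (base / "sub").mkdir()
        (base / "sub" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 jpeg bytes " + DEFRAY_TRAILER)
        return sorted(os.path.basename(p) for p in scan_tree(tmp))


if __name__ == "__main__":
    print("flagged:", demo())
```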

Defray has been observed communicating with an external C&C server via both HTTP (clear-text, shown in Figure 4) and HTTPS, to which it will report infection information.

After encryption is complete, Defray may cause other general havoc on the system by disabling startup recovery and deleting volume shadow copies. On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers.

“Defray Ransomware is somewhat unusual in its use in small, targeted attacks. Although we are beginning to see a trend of more frequent targeting in ransomware attacks, it still remains less common than large-scale “spray and pray” campaigns. It is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains. Instead, it appears that Defray may be for the personal use of specific threat actors, making its continued distribution in small, targeted attacks more likely” concluded Proofpoint.