STE WILLIAMS

Mac users targeted by Lazarus ‘fileless’ Trojan

The Lazarus hacking group has been caught trying to sneak a new ‘fileless’ Trojan on to Apple macOS computers disguised as a fake cryptocurrency trading application.

The discovery was reported by K7 Computing’s Dinesh Devadoss to Mac security expert Patrick Wardle, who immediately spotted similarities to previous attacks.

The first of these, from 2018, was the ‘AppleJeus’ malware, which also used a cryptocurrency trading application to lure high-value targets in order to steal cryptocoins.

In October 2019, the hackers returned with a new backdoor Trojan that spreads using the same approach – a cryptocurrency application posted to GitHub for victims to download.

To make the applications appear trustworthy, both campaigns used the ruse of setting up fake software companies using legitimate certificates.

Both were connected to the suspected North Korean Lazarus Group, widely blamed for big attacks such as WannaCry in 2017 and Sony Pictures in 2014.

Disappearing act

The new Trojan, tagged by Wardle as OSX.AppleJeus.C, continues in the same vein, with one interesting twist – the so-called fileless in-memory execution of a remote payload.

As its name suggests, fileless malware restricts itself to main memory and avoids writing files to disk, which is where signature scanners look.

Once there, it typically runs inside, or through, legitimate processes already present on the target; on Windows that means abusing built-in interpreters such as PowerShell or the Windows Script Host (wscript.exe), so that no unfamiliar executable ever appears on disk.

In the case of the latest Apple campaign, the trading application is the Trojan that initiates infection, and its installer is not fileless at all: it writes a launch daemon and a small updater binary to disk to create persistence (i.e. the ability to survive reboots).

The fileless part comes next. The updater calls a remote server for whatever payload the attackers fancy serving, then uses Apple’s own in-memory object-file-image loading APIs to link and execute that payload entirely in main memory, so the payload itself never touches the disk.

It’s superficially quite sophisticated, although Wardle notes that for infection to occur, users would have to ignore at least two macOS warnings – that the installer is unsigned, and a password prompt when the malware’s installer asks for root access.

It’s not certain what the attackers are trying to do with this variant, but most likely it’s the same cryptocurrency theft as previous macOS campaigns.

Should the average Apple user fear the arrival of fileless malware? Unless you’re reckless, no. Being infected requires the user to take the risk of downloading an unsigned application, which is always a terrible idea.

What to do

Cybercriminals are clearly targeting cryptocurrency in a big way. Any public application used to store or trade in this area should be treated with extreme caution.

For Mac users, the threat now includes fileless techniques. However, while challenging, these are far from undetectable – Wardle’s KnockKnock tool is one way to spot the example discussed in this article. Anyone who suspects they might already be infected can also check for the two artefacts this Trojan leaves on disk:

  • Launch daemon property list: /Library/LaunchDaemons/vip.unioncrypto.plist
  • Running process/binary: /Library/UnionCrypto/unioncryptoupdater
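Those two checks can be scripted. The following is an added example, not code from the article, from Wardle’s tools or from Sophos: it looks for the two artefacts by path, parses every launch daemon plist so that a renamed copy which still points into /Library/UnionCrypto/ is caught too, and optionally asks pgrep whether the updater process is alive. The root parameter lets the same scan run against a staged directory tree; the staged tree and the com.example.benign daemon in it are constructed fixtures, and the assumption that any daemon launching from /Library/UnionCrypto/ is suspect is this example’s, not the article’s.

```python
"""Triage a macOS system (or a staged copy of one) for the OSX.AppleJeus.C
persistence artefacts: a launch daemon plist and the updater binary it starts.
Added example; not code from the article, Wardle or Sophos."""
import os
import plistlib
import shutil
import subprocess
import tempfile

# Indicators named in the article (relative to the filesystem root).
IOC_PLIST = "Library/LaunchDaemons/vip.unioncrypto.plist"
IOC_BINARY = "Library/UnionCrypto/unioncryptoupdater"
# Assumption of this example: any daemon launching from this directory is suspect,
# even if the plist has been renamed.
IOC_DIR = "/Library/UnionCrypto/"


def launch_daemons(root="/"):
    """Return {plist_path: (label, program)} for every plist under <root>/Library/LaunchDaemons.

    program is Program or ProgramArguments[0]; unreadable plists map to (None, None)
    so they appear in the output instead of being silently skipped.
    """
    daemon_dir = os.path.join(root, "Library", "LaunchDaemons")
    found = {}
    if not os.path.isdir(daemon_dir):
        return found
    for name in sorted(os.listdir(daemon_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(daemon_dir, name)
        try:
            with open(path, "rb") as fh:
                data = plistlib.load(fh)
            args = data.get("ProgramArguments") or []
            program = data.get("Program") or (args[0] if args else None)
            found[path] = (data.get("Label"), program)
        except (OSError, plistlib.InvalidFileException, ValueError, TypeError):
            found[path] = (None, None)
    return found


def scan_applejeus(root="/", check_processes=False):
    """Return a list of (kind, detail) findings; an empty list means nothing was seen.

    check_processes=True additionally asks pgrep whether the updater is running,
    which only makes sense against the live system, not a staged tree.
    """
    findings = []
    for kind, rel in (("plist", IOC_PLIST), ("binary", IOC_BINARY)):
        path = os.path.join(root, rel)
        if os.path.exists(path):
            findings.append((kind, path))
    for path, (label, program) in launch_daemons(root).items():
        if program and program.startswith(IOC_DIR):
            findings.append(("daemon", f"{path}: {label} -> {program}"))
    if check_processes and shutil.which("pgrep"):
        result = subprocess.run(["pgrep", "-x", "unioncryptoupdater"],
                                capture_output=True, text=True)
        if result.returncode == 0:
            findings.append(("process", " ".join(result.stdout.split())))
    return findings


def stage_sample_tree(root):
    """Write a constructed (not real) infected tree under root for offline exercising."""
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(daemons, exist_ok=True)
    os.makedirs(os.path.join(root, "Library", "UnionCrypto"), exist_ok=True)
    with open(os.path.join(daemons, "vip.unioncrypto.plist"), "wb") as fh:
        plistlib.dump({"Label": "vip.unioncrypto", "RunAtLoad": True,
                       "ProgramArguments": [IOC_DIR + "unioncryptoupdater"]}, fh)
    # Hypothetical benign daemon: must not be flagged.
    with open(os.path.join(daemons, "com.example.benign.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/local/bin/benign"]}, fh)
    open(os.path.join(root, IOC_BINARY), "wb").close()


def demo():
    """Scan an empty tree, then the staged tree; return both finding lists."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as infected:
        stage_sample_tree(infected)
        return scan_applejeus(clean), scan_applejeus(infected)


if __name__ == "__main__":
    for kind, detail in scan_applejeus("/", check_processes=True):
        print(f"FOUND {kind}: {detail}")
```

Run it as-is on the Mac in question; an empty result means neither artefact nor a daemon pointing at the UnionCrypto directory is present. It deliberately reports unreadable plists rather than skipping them, since a plist that plistlib cannot parse is itself worth a look.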

Sophos detects the malware as OSX/NukeSped-AB. If you haven’t already, download Sophos Home Free, which provides free malware protection for Macs.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/GN789RKuVrQ/

Reasons to be fearful 2020: Smishing, public Wi-Fi, deepfakes… and all the usual suspects

Cybercriminals will continue to exploit tried-and-tested fraud methods but also adopt a couple of new takes and targets in the year ahead.

Predictions from fraud specialists at Experian suggest continued threats from careless use of public Wi-Fi networks. With ever more spots available, users need to be careful of what data they store on their phone and be wary when accessing public networks with unknown security.

Experian expects more use of “smishing” – phishing attacks via SMS. Folk are also more likely to fall for scams from an online community they’re part of – whether that is a group connected to a political candidate, issue or other theme. The company recommended people take the same precautions with text messages from unknown mobile numbers as they would with emails from unknown sources.

Deepfake video and audio has mainly been used for political purposes so far, but Experian warned that as the technology moves downstream, it will be exploited by cybercriminals. The company said there have been three cases in the US where fake audio of executives has been used to defraud their companies. It also warned that there are few tools to spot deepfake audio and video content.

Certain types of company are more likely to face cyber attacks in 2020, Experian believes. It predicted that cannabis retailers and cryptocurrency exchanges will face more attacks and, as immature businesses, may not have made the security investment needed to protect their customers. Medical marijuana facilities may store medical records which would prove valuable if stolen. Cryptocurrency exchanges have already been hit by crooks who got away with $41m in Bitcoin in one case.

Finally, Experian warned that the increasing use of mobile payment systems – expected to hit $4.5 trillion by 2023 – will be an ever more tempting target for fraudsters. It noted that most NFC payment apps have decent security, but some handheld point-of-sale devices for swiping cards used at venues and retailers are less secure.

In a refreshing bout of honesty, Experian also rated the accuracy of the predictions it made last year.

First was its forecast that biometric security would be targeted in 2019. The credit agency gave itself an A grade for this, pointing to the discovery of a million people’s fingerprints in a publicly accessible database.

But it only got a B grade for suggesting an enterprise-wide skimming attack could succeed in 2019.

It marked itself with another B grade for suggesting that a mobile network would see a simultaneous and successful attack on both Android and Apple phones.

It gave itself better marks for suggesting that a top cloud vendor would be breached: Capital One suffered a massive data loss, and the hacker accused of the attack has been charged with targeting another 30 AWS-hosted companies.

And it awarded itself a mixed A grade for predicting that online gamers would fall victim to crooks posing as fellow, friendly gamers: 2019 did see data losses at Zynga and distributed denial-of-service (DDoS) attacks on gaming servers, but no active attacks from people posing as gamers.

The full report is available to download from here, if you’re prepared to cough up an email and some other details. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/06/security_threats_for_2020_experian/

Tricky VPN-busting bug lurks in iOS, Android, Linux distros, macOS, FreeBSD, OpenBSD, say university eggheads

A bug in the way Unix-flavored operating systems handle TCP packets addressed to a VPN tunnel’s virtual IP address could put VPN users at risk of having their encrypted traffic hijacked, it is claimed.

The University of New Mexico team of William Tolley, Beau Kujath, and Jedidiah Crandall this week said they’ve discovered CVE-2019-14899, a security weakness they report to be present in “most” Linux distros, along with Android, iOS, macOS, FreeBSD, and OpenBSD. The upshot is, if exploited, encrypted VPN traffic can be potentially hijacked and disrupted by miscreants on the network.

To pull off the attack, the US-based posse says, a hacker would need to be “network adjacent” to their target, or control an access point on the victim’s local network. Once the victim connected to their VPN, the spy would be able to, for one thing, tamper with the TCP stream to do things like inject packets into the stream.

This could be potentially used, we imagine, to force malicious JavaScript into webpages being visited via the VPN, for example.

“We are able to determine the exact SEQ and ACK numbers by counting encrypted packets and/or examining their size,” the team explains of the process. “This allows us to inject data into the TCP stream and hijack connections.”

Speaking of OpenBSD… The freely available operating system suffers from multiple authentication bypass bugs. To patch these, grab the latest updates for OpenBSD 6.5 and OpenBSD 6.6.

So far, the eggheads say they have found the bug to be exploitable in various ways on macOS, iOS, and Android, as well as on FreeBSD, OpenBSD, and a long list of Linux distributions: Ubuntu, Fedora, Debian, Arch, Manjaro, Devuan, MX Linux 19, and Void Linux.

“Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off,” the crew explained. “However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn’t a reasonable solution, but this was how we discovered that the attack worked on Linux.”

Additionally, the researchers said, multiple VPN platforms could be exploited.

“This vulnerability works against OpenVPN, WireGuard, and IKEv2/IPSec, but has not been thoroughly tested against tor, but we believe it is not vulnerable since it operates in a SOCKS layer and includes authentication and encryption that happens in userspace,” the New Mexico “Breakpointing Bad” team writes.

“It should be noted, however, that the VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel.”

The team says they have prepared a paper with a detailed description of the flaw and will publish it once a full workaround or patch for the security blunder is released. Given how tricky the bug would be to actually exploit in the wild, however, there is no need to panic just yet. ®
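The reverse-path-filtering setting the researchers mention is something a Linux user can audit today. The following is an added example, not the researchers’ code: it reads the rp_filter values from /proc, applies the kernel’s rule that the mode actually enforced on an interface is the higher of conf/all and conf/<iface>, lists interfaces not in strict mode, and renders the sysctl lines that would enforce strict mode for review rather than applying them. The SAMPLE values are constructed. As the team notes, this only addresses the IPv4 variant: Linux has no rp_filter sysctl for IPv6, and strict mode can break legitimate asymmetric routing, so treat it as a check, not a complete fix.

```python
"""Audit Linux reverse-path filtering (rp_filter) as it relates to CVE-2019-14899.
Added example; not the researchers' code. IPv4 only: IPv6 has no rp_filter sysctl."""
import glob
import os

RP_MODES = {0: "off", 1: "strict", 2: "loose"}
PROCSYS = "/proc/sys/net/ipv4/conf"


def read_rp_filter(procsys=PROCSYS):
    """Return {iface: raw value} from <procsys>/<iface>/rp_filter, including 'all' and 'default'."""
    values = {}
    for path in glob.glob(os.path.join(procsys, "*", "rp_filter")):
        iface = os.path.basename(os.path.dirname(path))
        with open(path) as fh:
            values[iface] = int(fh.read().strip())
    return values


def effective_rp_filter(values):
    """Per-interface mode the kernel actually applies.

    Linux uses max(conf/all/rp_filter, conf/<iface>/rp_filter): a loose (2) in 'all'
    overrides a strict (1) set on one interface, and a 0 on tun0 does not switch
    filtering off while 'all' is 2. 'default' only seeds interfaces created later.
    """
    base = values.get("all", 0)
    modes = {}
    for iface, value in values.items():
        if iface in ("all", "default"):
            continue
        eff = max(base, value)
        modes[iface] = RP_MODES.get(eff, f"unknown({eff})")
    return modes


def audit(values, ignore=("lo",)):
    """Sorted list of interfaces not in strict mode.

    Loose mode (2) accepts a packet if its source is reachable via *any* interface,
    which is what lets a LAN attacker address the VPN's virtual IP over the physical
    NIC. Strict mode (1) can break legitimate asymmetric routing: review before enforcing.
    """
    return sorted(iface for iface, mode in effective_rp_filter(values).items()
                  if mode != "strict" and iface not in ignore)


def sysctl_fix(interfaces):
    """Render sysctl.d lines that would enforce strict mode (for review; nothing is applied)."""
    lines = ["net.ipv4.conf.all.rp_filter = 1", "net.ipv4.conf.default.rp_filter = 1"]
    lines += [f"net.ipv4.conf.{iface}.rp_filter = 1" for iface in interfaces]
    return "\n".join(lines)


# Constructed sample resembling a host whose defaults set 'all' to loose while an
# administrator set strict on one NIC and the VPN interface left its own value at 0.
SAMPLE = {"all": 2, "default": 2, "lo": 2, "eth0": 2, "wlan0": 1, "tun0": 0}

if __name__ == "__main__":
    live = read_rp_filter() if os.path.isdir(PROCSYS) else SAMPLE
    weak = audit(live)
    print("effective modes:", effective_rp_filter(live))
    print("not strict:", weak)
    if weak:
        print(sysctl_fix(weak))
```

The point the sample drives home is that setting strict mode on a single interface achieves nothing while conf/all stays loose; the fix, if you decide to apply it, has to include the all and default entries.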

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/06/vpnbusting_bug_spotted/

SANS Announces 13th Holiday Hack Challenge and 2nd KringleCon infosec conference

Promo On December 9, SANS will launch its second annual KringleCon virtual conference followed shortly thereafter by its 13th Holiday Hack Challenge.

KringleCon returns by popular demand, with last year’s inaugural conference viewed more than 87,000 times on YouTube. As such, it’s believed to be one of the largest virtual cybersecurity conferences to date, and SANS hope to welcome even more attendees in 2019. It also has an overarching storyline: last year, an evil hacker locked Santa’s castle, trapping conference attendees inside the building. This year, the hacker is trying to hack KringleCon to stop the event taking place entirely.

You can watch last year’s KringleCon and all previous Holiday Hack Challenges here.

With well over 20,000 people expected to participate worldwide this year, KringleCon and the SANS Holiday Hack Challenge are prime examples of how cybersecurity education can be made fun, and can engage a whole new generation of cyber-professionals as well as advance the skills of established pros. Allowing participants to learn from experts as well as other community members, the Holiday Hack challenges slowly ramp up in difficulty, with hints, talks, and blogs provided that share tactics that people can directly apply in their jobs.

This year’s Holiday Hack Challenge will also include offensive and defensive machine-learning challenges, and SANS has included more defensive training opportunities to engage a broader audience in the infosec community.

With cybersecurity skills in such high demand – the global cybersecurity workforce shortage is forecast to reach 1.8 million, according to the Center for Cyber Safety and Education – it’s important that both industry and governments act to help fill that gap. SANS Institute is addressing this issue head-on by creating compelling and accessible educational offerings to attract a diverse range of people into the profession.

“When Santa invites you to a free hacking conference at the North Pole, you definitely want to be there,” said Ed Skoudis, Director of SANS Cyber Ranges and Team-Based Training.

KringleCon boasts an extensive line-up of speakers, including IBM Security’s Stephanie Carruthers, Black Hills Information Security’s John Strand, Ian Coldwater from Heroku/Salesforce, Dave Kennedy from TrustedSec, and Lesley Carhart from Dragos, to name a few. Many more are still to be announced.

And of course, there are top prizes to win. Holiday Hack Challenge offers a series of awards and valuable educational prizes, ranging from SANS On Demand courses to NetWars Continuous subscriptions, to top participants.

Make sure you follow KringleCon on Twitter to be the first to know about the challenges and KringleCon talks, and to help defeat the evil KringleCon hacker once more!

For more information on SANS and its cyber security training, head here.

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/06/sans_holiday_hack_challenge_kringlecon/

If there’s somethin’ stored in a secure enclave, who ya gonna call? Membuster!

Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus.

In a paper [PDF] titled, “An Off-Chip Attack on Hardware Enclaves via the Memory Bus,” slated for inclusion in the 29th USENIX Security Symposium in August, 2020, researchers Dayeol Lee, Dongha Jung, Ian Fang, Chia-Che Tsai, and Raluca Ada Popa describe an off-chip attack on hardware enclaves called Membuster.

Their work focuses specifically on Intel SGX (software guard extensions), Chipzilla’s chip architecture extensions for creating secure execution environments. But they say it’s applicable to other hardware enclaves that do not encrypt addresses on the memory bus.

“This attack is not limited to Intel SGX; no existing TEE [Trusted Execution Environment] defends this type of attack,” said Dayeol Lee, a doctoral student at UC Berkeley and one of the report’s co-authors, in an email to The Register. “But there are known mitigations in various levels (hardware/software) as described in the paper. They are just expensive in terms of performance, cost, etc.”

The attack is local and does not work over a network; threat scenarios include an attacker with physical access to the target device trying to obtain data from a secure enclave, or an attacker at a cloud service provider trying to obtain a tenant customer’s data – a possibility that sounds less far-fetched given what occurred at Twitter recently.

Lee explained that hardware enclaves are not only for the cloud but are also used in end-user devices, like mobile phones. A rogue Amazon employee, he suggested, could use the technique to extract data from a tenant’s application running on a hardware enclave, or an end-user could gather data from an enclaved application, to get secret data from the enclave owner, the app’s developer.

Other security boffins have already devised various on-chip attacks on hardware enclaves that exploit side-channels, like a shared cache, or utilize techniques like return oriented programming. For example, earlier this year, Graz University of Technology academics disclosed an attack on Intel SGX that allows the implantation of malware.

But rather than relying on on-chip side channel information – observing the behavior of chip components used for both protected and general operations – to reveal memory addresses, the Membuster attack depends on observing an off-chip side channel, the memory address bus.

“Although the CPU encrypts the data of an enclave, all the addresses still leave the CPU unencrypted, allowing the attacker to infer program secrets from the access patterns,” the paper explains. “Since off-the-shelf DRAM interfaces do not support address bus encryption, no existing hardware enclave can prevent physical attackers from observing the memory address bus.”

Various academic proposals have been made recently to close off on-chip side channels, like Varys, Hyperrace, Cloak, T-SGX, and Déjà Vu. But because Membuster operates off-chip, defenses that only harden what happens inside the silicon simply won’t help.

As the boffins describe it, their attack takes advantage of operating system privileges to induce cache misses – the moments when data is not found in the CPU’s caches and must be fetched from main memory, which puts the address on the memory bus where the attacker can observe it. The technique requires custom hardware, reverse engineering of hardware components and an algorithm to obtain application secrets from memory bus traces.

To conduct the attack, the attacker needs to install a custom-printed circuit board called an interposer between the DIMM and its socket. Once the bugged system is rebooted, the eavesdropping hardware copies the command bus signals and sends them to a signal analyzer for amplification, storage, and analysis.

These DRAM traces are then used to map memory addresses and addressing functions and to translate between virtual and physical memory addresses.

To demonstrate their technique, the boffins conducted attacks on Hunspell, an open-source spell checking library widely used in applications like LibreOffice, Chrome, and Firefox, and Memcached, an in-memory key-value database. The amount of data they could recover varied with the methods applied; using a technique called cache squeezing, they were able to recover 96 per cent of a random spell-checked document and 82 per cent of the Memcached queries.

Membuster has limitations, its creators concede. It’s not well-suited for rapid-fire references to the same memory address because it only leaks memory access patterns from last-level cache misses. The technique is best suited “for leaking data-dependent memory loads over a large heap or array,” the paper explains.

The researchers conclude Membuster demonstrates that physically securing secure enclaves should be taken as seriously as software security.

Intel, alerted previously to the findings, provided a statement to The Register via email explaining that Membuster doesn’t fit its threat model.

“Intel SGX operates under the assumption that the security perimeter includes only the internals of the CPU package, and in particular, leaves the DRAM untrusted,” a company spokesperson said. “It is supported by an autonomous hardware unit called the Memory Encryption Engine (MEE) whose role is to help protect CPU-DRAM traffic over some memory range. We’ve previously documented that attacks requiring oblivious RAM are outside of scope of the design for the MEE. Membuster is one such attack.” ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/05/membuster_secure_enclave/

VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed

A group of hackers used a compromised email account to steal a start-up’s $1m venture capital payment.

The incident response team at security house Check Point says it was called in to investigate the case of money that a Chinese VC firm had reported missing after it was supposedly sent to a startup in Israel.

It was believed that the attack was down to a compromised email account that had been used to re-route the payment to an account controlled by the attacker – a rather cut-and-dried business email compromise (BEC) operation.

As it turned out, however, the attack was a bit more complicated.

“Apparently, a few months before the money transaction was made, the attacker noticed an email thread announcing the upcoming multi-million-dollar seeding fund and decided to do something about it,” explained Check Point analyst Matan Ben David.

“Instead of just monitoring the emails by creating an auto-forwarding rule, as is seen in the usual BEC cases, this attacker decided to register 2 new lookalike domains.”

Using those lookalike domains (one for the VC firm and one for the startup), the bad guys then sent each side an email claiming to be from the other. Having a spoofed email account on each side, the attacker then forwarded the messages to the actual startup and VC email accounts, as needed.

“This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack. Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination,” Ben David said.

“Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.”

At one point, it was found, the attacker even managed to cancel a scheduled face-to-face meeting between the two sides.
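The lookalike-domain half of this scheme is detectable at the mail gateway, or in a finance team’s inbox rules, provided you know the counterparty’s real domains. The following is an added example, not Check Point’s tooling: it folds common visual substitutions (0/o, 1/l, rn/m), measures edit distance against a list of trusted domains, and also flags a trusted domain nested inside an attacker-controlled one. The domain names, the TRUSTED_DOMAINS list and SAMPLE_MESSAGE are all constructed for illustration. Note what it cannot do: an exact match against a trusted domain says nothing about a genuine account that has been compromised, which is the simpler BEC case the investigators first assumed.

```python
"""Flag sender domains that imitate, but are not, a known counterparty's domain.
Added example illustrating the lookalike-domain MITM described above; not Check
Point's tooling. All domain names here are hypothetical."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: the domains the VC and the startup really use. In practice seed this
# from the address book of every deal counterparty before any money moves.
TRUSTED_DOMAINS = {"example-ventures.cn", "example-startup.co.il"}

# Single-character visual substitutions, then multi-character ones.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain):
    """Lower-case, strip a trailing dot and fold common visual confusables."""
    d = domain.lower().rstrip(".").translate(CONFUSABLES)
    for pair, single in MULTI_CONFUSABLES:
        d = d.replace(pair, single)
    return d


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """'trusted', 'lookalike:<imitated trusted domain>' or 'unrelated'.

    A domain is a lookalike if, after confusable folding, it equals a trusted domain,
    is within max_distance edits of one, or contains one as a substring
    (e.g. trusted-domain.cn.attacker.example). Exact trusted matches pass.
    """
    d = domain.lower().rstrip(".")
    if d in trusted:
        return "trusted"
    nd = normalize(d)
    for t in sorted(trusted):
        nt = normalize(t)
        if nd == nt or levenshtein(nd, nt) <= max_distance or nt in nd:
            return f"lookalike:{t}"
    return "unrelated"


def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Classify the domain in each sender-side header of an RFC 5322 message."""
    msg = message_from_string(raw)
    verdicts = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if not value:
            continue
        _, addr = parseaddr(value)
        domain = addr.rpartition("@")[2]
        if domain:
            verdicts[header] = classify_domain(domain, trusted)
    return verdicts


# Constructed message: From uses a digit-for-letter lookalike; Reply-To embeds the
# real domain inside an attacker-controlled one so replies never reach the genuine VC.
SAMPLE_MESSAGE = """\
From: Example Ventures Finance <cfo@examp1e-ventures.cn>
Reply-To: <cfo@example-ventures.cn-mail.example>
To: ceo@example-startup.co.il
Subject: Updated wire instructions for the seed round

Please use the attached account details for the transfer.
"""

if __name__ == "__main__":
    for header, verdict in check_message(SAMPLE_MESSAGE).items():
        print(f"{header}: {verdict}")
```

Checking Reply-To and Return-Path alongside From matters here: the attacker’s whole trick was that replies went back to the lookalike, so a From header that looks right is not enough on its own.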

Finally, after the two companies had agreed on the $1m investment, the attacker gave the VC side their own bank account number in place of the startup’s, then edited the corresponding message before relaying it on to the Israeli firm. The VC duly wired the money to the attacker, while the startup believed the money was on its way.

“In a brazen move, instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment,” mused Ben David.

“If that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction.”

We have to say, that’s better support than some VCs get when they hand seven figures to a bogus operation. ®

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/05/vcs_tricked_mitm/

With Aporeto, Palo Alto Looks Away from the Firewall and Toward the Future

Seeing its firewall sales softening, the security vendor makes another acquisition to reorient itself for the cloud era.

“We believe the addition of Aporeto’s unique machine identity technology will further enhance our leading Prisma Cloud capabilities and strengthen our commitment to helping customers secure their journey to the cloud,” Nikesh Arora, Palo Alto’s chairman and CEO, said in a statement.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/with-aporeto-palo-alto-looks-away-from-the-firewall-and-toward-the-future/d/d-id/1336535?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts

Maksim Yakubets and his crew stole tens of millions using Zeus and Dridex, with victims including Bank of America, Key Bank, GenLabs, and United Dairy, DoJ says.

The US State Department in collaboration with the US Department of Justice and the FBI Thursday announced an unprecedented $5 million reward for information leading to the arrest or conviction of a Russian hacker allegedly responsible for stealing tens of millions of dollars from banks and consumers over the past decade.

In a criminal complaint unsealed today in federal court in Lincoln, Nebraska, the US charged Moscow-based Maksim Yakubets, 32, of running the notorious Zeus banking malware operation since at least 2009. Yakubets and multiple co-conspirators are alleged to have installed Zeus on thousands of business computers and captured information that allowed them to later log into online banking accounts belonging to the victims and initiate fraudulent wire transfers.

Yakubets and other members of his group attempted to steal a staggering $220 million using Zeus and ended up netting at least $70 million from victim bank accounts. Among the numerous organizations victimized in the Zeus campaign were Bank of America, Bank of Albuquerque, Key Bank, Bullitt County Fiscal Court, GenLabs, and United Dairy.

Federal authorities on Thursday separately also charged Yakubets and another Russian national, Igor Turashev, 38, with stealing and attempting to steal money from online bank accounts belonging to thousands of individuals and businesses using Bugat – aka Dridex – malware.

The Dridex campaign began around 2009, and as with the Zeus scheme, resulted in millions of dollars being siphoned out of the online bank accounts of consumers and businesses. A representative list of victims included at least two banks and four companies. Attacks involving Dridex continued until as recently as March 2019, the DoJ said in a statement announcing the indictment.

“For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world,” said US Attorney Scott Brady of the Western District of Pennsylvania. The Dridex operation was one of the most widespread malware campaigns the Justice Department has ever encountered, he said.

Yakubets is alleged to have managed the development, distribution, and maintenance of Dridex and also oversaw the actual financial theft and the use of money mules to receive wire transfers and ACH payments. Turashev served as the systems administrator and was in charge of Dridex botnet operations. NPR on Thursday quoted senior Treasury Department officials describing Yakubets as also working separately for Russia’s domestic intelligence agency the Federal Security Service (FSB).

“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide,” said Assistant Attorney General Brian Benczkowski. The $5 million reward for his arrest or conviction is the largest ever the US government has offered in connection with a cybercrime.

Tens of Millions in Losses

According to charging documents unsealed this week in connection with both indictments, Yakubets, Turashev, and others involved in the Dridex campaign infected systems by tricking victims into opening malicious attachments or clicking on rogue links in phishing emails. They used the malware to collect usernames and passwords to bank accounts either via keystroke logging or by hijacking computer sessions and directing victims to spoofed bank login pages. The stolen credentials were then used to initiate fraudulent wire transfers to overseas accounts and to an extensive network of money mules in the US.

As one example, the indictment points to an attack in September 2012, where Yakubets and Turashev managed to illicitly transfer some $2.2 million from an online account at Commonwealth Bank belonging to Penneco Oil to an account in Krasnodar, Russia. The same day the duo attempted to steal another $76,000 from Penneco’s account at the same bank.

Yakubets employed a similar tactic with the Zeus campaign, which was more targeted at businesses than Dridex.

For the moment both individuals remain at large in Russia. While it’s highly unlikely the Russian government will willingly extradite the two individuals to face the charges against them, their ability to travel outside Russia likely has been severely curtailed by the indictments. In the past, US law enforcement authorities have been quite successful in arresting and extraditing indicted individuals from countries like Russia who made the mistake of traveling to nations friendly to US interests.

Some notable examples include Vadim Polyakov, a Russian hacker who in 2014 was arrested while vacationing in Spain, then extradited and subsequently convicted on charges related to an attack on StubHub. Another is Roman Seleznev, a Russian hacker currently serving concurrent 27-year and 14-year sentences for his role in two separate hacking schemes that resulted in over $70 million in losses to US businesses. Seleznev was arrested while vacationing in the Maldives and extradited to the US in July 2014, prompting accusations of kidnapping from his father Valery Seleznev, a Russian lawmaker.

“If they are indeed found to reside in Russia, it is likely that they might never be brought to trial in the United States,” says Chris Morales, head of security analytics at Vectra. Diplomacy is one possible avenue he says. “The alternative is through the US government finding its own way to bring the defendants to the United States against their will, forcibly.”

Fausto Oliveira, principal security architect at Acceptto, says the indictments are a clear warning that the US is committed to prosecuting cybercriminals across borders. It also serves as a reminder for the public that this type of crime is not forgotten, he says.

The $5 million award is significant as well, Oliveira says. “[It] may tempt some other threat actors or casual connections to denounce them as a way to either take down the competition or obtain some financial gain,” he says.

Like Morales, he too fears that the biggest challenge for the DoJ will be if the indicted persons remain in, or have escaped to, a territory that has no extradition agreement with the US. “In those cases it becomes hard, if not impossible, for the suspects to be brought in front of a judge.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/attacks-breaches/us-sets-$5-million-bounty-for-russian-hacker-behind-zeus-banking-thefts/d/d-id/1336536?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

VPN Flaw Allows Criminal Access to Everything on Victims’ Computers

Vulnerability in the Aviatrix VPN client, since patched, gives an attacker unlimited access to a breached system.

A VPN vulnerability that provided both initial access to a victim’s computer and privilege escalation once access was granted has been disclosed. The vulnerability in the Aviatrix VPN client, used by large organizations such as NASA and Shell, has been patched, and the fixed version is available for download.

Immersive Labs researcher and content engineer Alex Seymour discovered the vulnerability in early October. Having noticed that the VPN client launched a pair of local web servers during its startup sequence, he found that the servers, and the Python used to create them, had known issues, compounded by the very lax permissions the client granted those servers during that sequence.

Seymour produced a proof of concept for the privilege escalation that would let an attacker run essentially arbitrary code on the targeted machine. Aviatrix responded to the disclosure and patched the vulnerability in less than a month. Both Aviatrix and Seymour recommend that all Aviatrix VPN client users update to the latest version as soon as possible.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/vpn-flaw-allows-criminal-access-to-everything-on-victims-computers/d/d-id/1336537?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Yodel parcel tracking app blabs about other people’s parcels

“Fragile?” “Handle with care?”

“Meh! Looks like a football to me,” workers for the UK parcel delivery company Yodel must have said around the time – 2016 – they were caught on video, apparently tossing packages around.

Have they grown more tender? Dunno, but FWIW, a year after the football exposé, they made it to the top of the country’s worst delivery companies (again).

More to the cybersecurity point, and more recently, a security researcher spotted Yodel’s mobile parcel delivery app doing something similar in the data realm – as in, tossing around random parcel data, and letting it leak into the apps of people whose doorsteps those packages weren’t supposed to show up on.

On Saturday, Akshay “Ax” Sharma, having failed to get Yodel’s attention, blogged about his discovery.

As Sharma tells it, around noon on Saturday, he noticed something weird on Yodel’s mobile app for Android. The app lets you track parcel deliveries scheduled for your address but was showing other people’s packages in addition to his own. Every time he refreshed the feed, the app loaded new tracking numbers for more random packages – packages that weren’t even destined for the same building as his own, nor that he’d ever tracked.

After Sharma tweeted about the issue, one other Twitter user said that she was seeing the same thing:

…and ditto for multiple users who noted the glitch in their Google Play Store reviews:

The app was last updated on 18 November, and the reports of data leakage seemed to have cropped up after that.

On Tuesday night, Yodel told The Register that the problem’s been fixed. It didn’t elaborate on what caused the leak, nor whether anybody’s packages got pinched because of it, saying only that…

Following an investigation into the issue, we can confirm that it is now resolved, with the Yodel app running again as normal.

Let’s just redirect those goodies, shall we?

Sharma provided a number of screenshots showing the information the app was dribbling – about other people’s packages – before it got plugged. He said that the list included:

  • Tracking numbers
  • Name(s) of retailer(s) who sent the package
  • Package’s current location on a map
  • Delivery driver’s name
  • Package destination (i.e., recipient’s location)
  • Customers’ reference notes with regard to the parcel contents (say, “that insanely expensive new iThingie I’m getting my sweetie for Christmas”)
  • Estimated delivery time

Besides all that, Sharma said, the app offers users the option to reschedule or cancel deliveries – in some cases, “using just the tracking number which is now revealed to a user with absolutely no connection to the package.” All of which could lead, of course, to “Hello, new iPhone that I didn’t pay for!”
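
As an added illustration (hypothetical code written for this page, not Yodel’s app or anything from Sharma’s write-up): a tiny parcel API that shows the flawed lookup keyed on nothing but the tracking number beside a version that scopes the feed to the signed-in account, checks ownership before releasing details or rescheduling, and exposes only a minimal status to unauthenticated tracking. All accounts, parcels and values are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Parcel:
    tracking_number: str
    recipient_account: str  # the customer the retailer shipped it to
    driver: str
    destination: str
    note: str               # customer's free-text reference note
    eta: str

class ParcelNotFound(Exception):
    """One error for 'no such parcel' and 'not yours': never confirm which numbers exist."""

# Constructed sample data (hypothetical); not real Yodel records.
PARCELS = {
    "YD0001": Parcel("YD0001", "alice", "Dan", "12 High St", "gift", "14:00"),
    "YD0002": Parcel("YD0002", "bob", "Dan", "99 Low Rd", "laptop", "16:30"),
}

def unsafe_lookup(tracking_number):
    # Flawed pattern: the tracking number is the only key, so whoever
    # sees a number (e.g. in a leaky feed) gets the full record.
    return PARCELS.get(tracking_number)

def public_status(tracking_number):
    # Data minimisation for unauthenticated tracking: no driver, destination or note.
    p = PARCELS.get(tracking_number)
    if p is None:
        raise ParcelNotFound(tracking_number)
    return {"tracking_number": p.tracking_number, "eta": p.eta}

def my_parcels(account):
    # Feed scoped server-side to the authenticated account, so refreshing
    # it can never pull in other customers' parcels.
    return [p for p in PARCELS.values() if p.recipient_account == account]

def lookup_parcel(account, tracking_number):
    # Object-level authorization: the full record is released only to its owner.
    p = PARCELS.get(tracking_number)
    if p is None or p.recipient_account != account:
        raise ParcelNotFound(tracking_number)
    return p

def reschedule(account, tracking_number, new_eta):
    # Mutations pass the same ownership check: a bare tracking number cannot redirect a delivery.
    p = lookup_parcel(account, tracking_number)
    PARCELS[tracking_number] = replace(p, eta=new_eta)
    return PARCELS[tracking_number]
```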

Perhaps nobody’s packages got tampered with due to the bug, but they could have. Sharma blames poor mobile app design and testing:

While the potential for damage arising from a minor security bug like this one may seem negligible, the app still reveals way more data than necessary and gives control of your precious parcels to unknown parties, should they get tempted to abuse it.

This is yet another lesson in how serious bugs and security flaws can arise from poor design and testing when coding mobile apps.

What to do?

Not a thing, given that users can’t avoid a glitch in a mobile app like this one, and it’s all now been fixed. However, given that it’s holiday season and purchases are flying through the intertubes, why not take a minute and watch our video on how to stay safe on Black Friday? Sure, that was last week, but the crooks are after us year-round. That makes our tips as fresh as pine garlands and as green as mistletoe!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JLW56DeeTmY/