The popular jQuery JavaScript library is affected by a rare prototype pollution vulnerability that could allow attackers to modify a JavaScript object’s prototype.

The impact of the issue could be severe considering that the jQuery JavaScript library is currently used on 74 percent of websites online, and most sites still use the 1.x and 2.x versions of the library that are affected by the ‘Prototype Pollution’ vulnerability.

This week the library received a security patch to address the issue, three years after the last major security flaw was discovered in its code.

JavaScript objects are like variables that can be used to store multiple values based on a predefined structure. Prototypes define a JavaScript object’s default structure and default values; they specify the expected structure when no values are set.

An attacker that is able to modify a JavaScript object prototype can make an application crash and change behavior if it doesn’t receive the expected values.

Given how widespread JavaScript is, the exploitation of prototype pollution flaws could have serious consequences for web applications.

The vulnerability in the jQuery library (CVE-2019-11358) was discovered by researchers at Snyk that also published a proof of concept code for a prototype pollution attack.

“This security vulnerability referred to and manifests as prototype pollution, enables attackers to overwrite a JavaScript application object prototype.” reads the analysis published by Snyk. “When that happens, properties that are controlled by the attacker can be injected into objects and then either lead to denial of service by triggering JavaScript exceptions, or tamper with the application source code to force the code path that the attacker injects.”

The experts demonstrated that, by exploiting the flaw, attackers can assign themselves admin rights on a web app that uses the jQuery library code.

Fortunately, according to the experts, this prototype pollution issue is not exploitable for mass-attacks because the exploit code must be crafted for each specific target.

Web developers using jQuery JavaScript library for their applications are advised to update their projects to the latest jQuery version, v3.4.0.

“jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, …). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions,” reads the blog post published by the jQuery team.
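The guard the jQuery team describes, as an added example that is not the article’s or the jQuery project’s own code: a deep merge that skips keys reaching the prototype chain, plus a validator that flags such keys in untrusted JSON before any merge runs. The function names, the FORBIDDEN_KEYS set and the sample payload are assumptions constructed for this example.

```javascript
// Added example (not from the article or the jQuery project): a hardened deep merge of the
// kind the jQuery 3.4.0 fix implements, plus a validator for JSON from an untrusted source.
// JSON.parse turns a "__proto__" key in attacker-supplied JSON into an ordinary own,
// enumerable property, which is why a recursive merge that trusts Object.keys() and
// recurses into target["__proto__"] can end up extending Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep merge that drops forbidden keys and only recurses into the target's OWN properties,
// so a crafted source can never reach Object.prototype through the merge.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the key entirely, do not merge it
    const src = source[key];
    if (isPlainObject(src)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeExtend(isPlainObject(existing) ? existing : {}, src);
    } else if (src !== undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Returns the dotted paths of every forbidden key found anywhere in a parsed JSON value,
// so untrusted input can be rejected (or logged) at the trust boundary before any merge.
function findForbiddenKeys(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findForbiddenKeys(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (FORBIDDEN_KEYS.has(key)) hits.push(here);
      hits.push(...findForbiddenKeys(value[key], here));
    }
  }
  return hits;
}

// Constructed sample payload (assumption): parsed from JSON so that "__proto__" becomes an
// own property of the parsed object rather than the prototype setter of an object literal.
const UNTRUSTED_JSON =
  '{"name":"guest","__proto__":{"isAdmin":true},"prefs":{"constructor":{"prototype":{"x":1}}}}';

function demo() {
  const parsed = JSON.parse(UNTRUSTED_JSON);
  const merged = safeExtend({ name: "anon", prefs: { theme: "dark" } }, parsed);
  return {
    forbidden: findForbiddenKeys(parsed),          // paths a validator would reject
    mergedName: merged.name,                       // ordinary keys still merge
    mergedTheme: merged.prefs.theme,               // nested target data is preserved
    prototypeClean: !("isAdmin" in {}),            // Object.prototype was not touched
    mergedHasOwnProto: Object.prototype.hasOwnProperty.call(merged, "__proto__"),
  };
}
```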

Pierluigi Paganini

(SecurityAffairs – hacking, jQuery JavaScript library)


The post jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites appeared first on Security Affairs.

Experts at security firm SafeGuard reported that Russian Twitter bot activity rose by 286 percent in the wake of the release of the Mueller Report.

Social media platforms like Twitter are key components of misinformation campaigns carried out by nation-state actors; today we discuss Twitter bot activity after the release of the Mueller Report.

Experts at security firm SafeGuard reported that Russian Twitter bot activity rose by 286 percent in the wake of the release of the Mueller Report. The company already tracks over 600,000 known bots and trolls.

The experts also observed a significant increase in the number of unique bots and trolls (+48%) from the previous day, which suggests that an army of previously created, dormant Twitter bot accounts was activated.

Thousands of Twitter bot accounts were used by the Russian propaganda machine to influence the sentiment of netizens on the content of the Mueller Report.

Experts observed a spike in the use of hashtags related to the Mueller Report in messages published by Russian-linked bots and trolls. We are in the middle of a complex and coordinated misinformation campaign.

According to George Kamide, Director at SafeGuard Cyber, Twitter bot and troll hashtag use increased 852 percent overall. The experts observed a 5,000 percent increase in usage for the #mueller hashtag.

Below are the top five hashtags used in the disinformation campaign launched just after the publication of the Mueller Report.

The SafeGuard Cyber director uses 52 risk signatures to classify bad actors into four behavior modes: malicious, suspicious, disinformation, and bot.

Data collected by SafeGuard confirm the intensification of the presence of Russian bots on Twitter.

In November 2018, Twitter announced it had deleted more than 10,000 bot-managed accounts that were posting messages to influence the U.S. midterm elections. In January 2019, the social media platform removed 418 accounts associated with Russian entities.

Pierluigi Paganini

(SecurityAffairs – Twitter, Mueller)

The post Russian Twitter bot activity increased in the wake Mueller report release appeared first on Security Affairs.

Palo Alto Networks Unit 42 researchers uncovered a malicious campaign targeting entities in North America, Europe, Asia, and the Middle East with RevengeRAT.

The campaign was carried out in March; threat actors tracked as “Aggah” used pages hosted on Bit.ly, BlogSpot, and Pastebin as command-and-control (C2) infrastructure to distribute RevengeRAT.

Attackers hit organizations in several industries including technology, retail, manufacturing, state/local government, hospitality, medical, and other professional businesses.

“In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country.” reads the analysis published by Palo Alto Networks.

“Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia.”

Using legitimate services to deliver the malware is meant to avoid detection.

RevengeRAT variants have been used by different APT groups, such as the Gorgon Group, which hit entities in the UK, Spain, Russia and the US. The source code of the RAT was publicly leaked a few years ago, so it could be part of multiple campaigns conducted by several threat actors.

RevengeRAT allows operators to open remote shells on the infected system, manage system files, processes, and services, log keystrokes, edit the Windows Registry, edit the hosts file, dump user passwords, access the webcam, and perform many more actions.

The researchers analyzed a bait document built to load a malicious macro-enabled document from a remote server via template injection.

“These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[.]org domain for C2.” continues the analysis.

“During our research, we found several related delivery documents that followed the same process to ultimately install RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs throughout their attack campaign.”

Once victims open the decoy document, it displays a lure image designed to trick them into turning on Microsoft Office macros via “Enable Editing.” If the victim enables macros, a remote OLE document containing the malicious macro is loaded using template injection.

The OLE file loaded an embedded Excel document, which downloaded a malicious script from a URL shortened with the Bit.ly service. In other attacks, the malicious code was similarly downloaded from a Blogspot domain hosting malicious JavaScript.

“The malicious script carries out several activities on the compromised system. First, it attempts to hamper Microsoft Defender by removing its signature set. The script also kills the Defender process along with the processes for several Office applications.” reads the analysis.

Experts pointed out that the technique of enabling macros and disabling Protected View in Office, and the tactic of killing processes for Windows Defender and Microsoft Office applications, were employed by the Gorgon group in past campaigns.

Once downloaded on a victim’s machine, the script will perform the following main actions:

• Downloading a payload from a Pastebin URL
• Creating a scheduled task to periodically obtain and run a script from a Pastebin URL
• Creating an autorun registry key to obtain and run a script from a Pastebin URL

The final-stage malware, downloaded from Pastebin, is a RevengeRAT variant dubbed “Nuclear Explosion” that uses the lulla.duckdns[.]org domain as C2.

The analysis of a single bit.ly shortened URL revealed it was clicked over 1,900 times by targets in roughly 20 countries; this data gives an idea of the extent of the campaign.

The analysis of the decoy document’s properties allowed the experts to discover a number of other RevengeRAT samples used in this campaign.

Despite this, the Palo Alto Networks researchers conclude that there is no “concrete evidence that this attack campaign is associated with Gorgon.”

Pierluigi Paganini

(SecurityAffairs – hacking, RevengeRAT)


The post Campaign leverages Bit.ly, BlogSpot, and Pastebin to distribute RevengeRAT appeared first on Security Affairs.

A researcher discovered a high-severity flaw in the Shopify e-commerce platform that could have been abused to expose the traffic and revenue data of stores.

Bug bounty hunter Ayoub Fathi discovered a vulnerability in a Shopify API endpoint that could be exploited to leak the revenue and traffic data of thousands of stores.

The Shopify platform is currently used by 800,000 different online merchants in more than 175 countries.

The white hat hacker analyzed the APIs published over the past year by Shopify that allow users to fetch sales data for graph presentations. He noticed that the system was leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform.

To determine whether the endpoint was affected by an Insecure Direct Object Reference (IDOR) issue, the researcher iterated over $storeName, performing a mass check on all existing stores to see if any customer information would leak through the API.

“The first idea that came to mind is to perform a mass check on eventually all existing stores, and see if we would get any customer data out of any.” reads a post published by the researcher.

“The attack process will be as follows:

  • Building a wordlist of store names (from storeName.myshopify.com);
  • Iterate the wordlist against the almost vulnerable endpoint: /shops/$storeName/revenue_data.json
  • Filtering out the vulnerable domains;
  • Analyzing affected stores to figure out the root cause of the observed behaviour or eventual vulnerability.”

Fathi found that 4 out of 1000 stores (one of which was closed) were vulnerable. The researcher then decided to run further tests using a larger dataset, containing 813,684 records, obtained from Forward DNS.

“Using this approach, we don’t need to generate store names from a given domain list. Instead, we will be using the FDNS to obtain reverse CNAME records of shops.myshopify.com (which all the stores point to)” continues the expert. “Now, we will be looking for CNAME records that match shops.myshopify.com where Shopify merchants are hosting their stores.”

The hacker created an exploit.py script to use the new wordlist of 813K store names.

Using this approach, the expert retrieved a list of vulnerable stores and queried them to obtain each store’s monthly revenue data in USD over its lifetime.

“This was tested on 800K merchant stores, +12,100 of them were exposed, +8700 were vulnerable stores that we were able to obtain their sales and traffic data and they should not be public, and 3400 are expected to have their sales data public” wrote Fathi “to summarize:

  • This was tested on +800K stores
  • +12,100 were exposed
  • +8700 stores were vulnerable and their data is set to private.
  • Only +3400 stores data was expected to be public.”

The researcher discovered that the leak was caused by the Shopify Exchange App.

“Based on above data and a few more days of research, I came to the conclusion that this was caused by Shopify Exchange App (Actively used by merchants now) which was introduced only a few months before this vulnerability. Any merchant who has Exchange App installed would be vulnerable.” states Fathi.

Fathi reported the flaw to Shopify on 13 October 2018; the company acknowledged it on October 16 and closed the flaw on November 1.

The bad news is that Shopify did not award the expert a bounty, citing policy violations, because he tested shops that were not created for testing purposes.

Below is an excerpt of the email Shopify sent to the expert:

“While we appreciate you were trying to demonstrate the impact of the identified issue, intentionally accessing information of other merchants and not immediately reporting this to us is of significant concern to Shopify. As a result, this report will not be awarded a bug bounty.”

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

The post A flaw in Shopify API flaw exposed revenue and traffic data of thousands of stores appeared first on Security Affairs.

A security researcher discovered a database belonging to a ride-hailing company operating in Iran that was left exposed online and contained over 6.7M records.

Security researcher Bob Diachenko discovered a database belonging to a ride-hailing company operating in Iran that was left exposed online without protection.

The MongoDB instance named ‘doroshke-invoice-production’ contained over 6.7 million records of Iranian drivers.

Exposed records include driver first name and last name, SSN (the 10-digit Iranian ID number, in plain text), phone number, and invoice date.

Diachenko discovered the database using the BinaryEdge search engine, which scans the entire internet address space and indexes the data it finds.

“On April 18th, during our regular security audit of nonSql databases with BinaryEdge search engine, I have discovered an open and publicly available MongoDB instance which contained astonishingly sensitive information on Iranian drivers.” reads a blog post published by the expert.

The database included two collections with invoices split by year:

  • invoice95 (all the invoices from year 1395, which corresponds to 2017 in Gregorian calendar), with total number of records: 740,952
  • invoice96 (all the invoices from year 1396, which corresponds to 2018 in Gregorian calendar), with total number of records: 6,031,317

The MongoDB instance contained a large number of duplicates; the researcher estimates that the number of unique entries is between one and two million.

At the time of writing the owner of the archive is still unknown; fortunately, the instance has since been secured.

Diachenko reported his discovery to the Iranian CERT and also attempted to alert researchers in Iran to help identify the owner.

“We were able to get in touch with a couple of drivers with an attempt to identify the owner of the database. At the same time, my colleagues have reached out to the biggest ride-hailing companies in Iran to confirm data origin.” concludes Diachenko.

“While I did not receive an official confirmation or comment from either company, we can only guess if this data was part of their infrastructure. However, no matter who owned it, the fact alone that such highly sensitive PII (personally identifiable information) was available in the wild for at least 3 days, is scary.”

Pierluigi Paganini

(SecurityAffairs – data leak, ride-hailing company)

The post Ride-Hailing Company operating in Iran exposes data of Iranian Drivers appeared first on Security Affairs.

A new round of the weekly SecurityAffairs newsletter arrived! The best news of the week with Security Affairs.

Kindle Edition

Paper Copy

Once again thank you!

Attackers hacked support agent to access Microsoft Outlook email accounts
Major coordinated disinformation campaign hit the Lithuanian Defense
Romanian duo convicted of fraud Scheme infecting 400,000 computers
Security Affairs newsletter Round 209 – News of the week
Whatsapp, Instagram, Facebook down worldwide
A new DDoS technique abuses HTML5 Hyperlink Audit Ping in massive attacks
Apache fixed an important RCE flaw in Tomcat application server
Gnosticplayers round 5 – 65 Million+ fresh accounts from 6 security breaches available for sale
Gnosticplayers round 5 – 65 Million+ fresh accounts from 8 security breaches available for sale
Locked Shields 2019 – Chapeau, France wins Cyber Defence Exercise
Yellow Pencil WordPress Plugin flaw expose tens of thousands of sites
Adblock Plus filter can be exploited to execute arbitrary code in web pages
Blue Cross of Idaho data breach, 5,600 customers affected
CVE-2019-0803 Windows flaw exploited to deliver PowerShell Backdoor
Ecuador suffered 40 Million Cyber attacks after the Julian Assange arrest
FireEye releases FLASHMINGO tool to analyze Adobe Flash files
Scranos – A Cross Platform, Rootkit-Enabled Spyware rapidly spreading
A new variant of HawkEye stealer emerges in the threat landscape
Code execution – Evernote
eGobbler hackers used Chrome bug to deliver 500Million+ ads to iOS users
European Commission is not in possession of evidence of issues with Kaspersky products
Justdial is leaking personal details of all customers real-time
RCE flaw in Electronic Arts Origin client exposes gamers to hack
Analyzing OilRigs malware that uses DNS Tunneling
APT28 and Upcoming Elections: evidence of possible interference (Part II)
Cisco addresses a critical bug in ASR 9000 series Routers
Drupal patched security vulnerabilities in Symfony, jQuery
Facebook ‘unintentionally collected contacts from 1.5 Million email accounts without permission
Russian TA505 threat actor target financial entities worldwide
Broadcom WiFi Driver bugs expose devices to hack
Facebook admitted to have stored millions of Instagram users passwords in plaintext
Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison
Ransomware attack knocks Weather Channel off the Air
Source code of tools used by OilRig APT leaked on Telegram
Avast, Avira, Sophos and other antivirus solutions show problems after
Google is going to block logins from embedded browsers against MitM phishing attacks
Hacker broke into super secure French Governments Messaging App Tchap hours after release
Marcus Hutchins pleads guilty to two counts of banking malware creation

Pierluigi Paganini

(SecurityAffairs – newsletter)



The post Security Affairs newsletter Round 210 – News of the week appeared first on Security Affairs.

A researcher discovered eight unsecured databases exposed online that contained approximately 60 million records of LinkedIn user data.

Researcher Sanyam Jain at GDI foundation discovered eight unsecured databases exposed online that contained approximately 60 million records of LinkedIn user data.

Most of the data is publicly available, but the databases also include users’ email addresses. They also contain internal data, such as the type of LinkedIn subscription, which suggests that the source could be a data breach.

Records include LinkedIn public profile information, including IDs, profile URLs, work history, education history, location, listed skills, other social profiles, and the last time the profile was updated.

The archives total 229 GB of data, with each one containing between 25 GB and 32 GB of information.

The researcher noticed that the huge trove of data was disappearing and reappearing online under different IP addresses every day.

Eventually, the database was no longer accessible, likely because it had been secured.

The mystery behind this discovery is that some users claim to have had their LinkedIn privacy settings configured to avoid publicly displaying some personal details.

“Included in the profile was also my email address that I used when registering my LinkedIn account. It is not known how they gained access to this information as I have always had the LinkedIn privacy setting configured to not publicly display my email address.” reads the post published by BleepingComputer.

“After reviewing the data that was sent to me, I found all of the information to be accurate.”

At the time it was not clear who owned the databases; as of Monday, they were no longer accessible online.

Paul Rockwell, head of Trust & Safety at LinkedIn, told BleepingComputer that the databases do not belong to LinkedIn, though he confirmed that the company is aware of third-party databases containing scraped LinkedIn data.

Pierluigi Paganini

(SecurityAffairs – hacking, LinkedIn)

The post 60 Million records of LinkedIn users exposed online appeared first on Security Affairs.


A new service called Inpivx represents the evolution of ransomware-as-a-service, making it very easy for wannabe crooks to develop their malware and build a management panel.

A new Tor hidden service called Inpivx evolves the concept of ransomware-as-a-service, making it very easy for crooks without technical skills to develop their own malware and build a management panel.

Operators behind the service offer for sale the source code for the ransomware and for the management dashboard. The availability of the source code allows crooks to customize their ransomware.

Note that Inpivx is not a RaaS, and for this reason it does not supply hosting services.

The ransomware is written in C++ and supports almost any Windows OS version, from Windows XP through Windows 10, while the dashboard is coded in PHP.

The package goes for $500 and also includes the decryption tool; the operators also provide a detailed tutorial.

“If the client has no skill, we provide a tutorial based on our own ransomware dashboard each line of code has an explanation,” an Inpivx member told BleepingComputer.

The dashboard provides infection data in real time; it includes the total number of encrypted files, the number of infections, the operating systems of the infected machines and their geographical distribution.

It also implements a chat that allows operators to communicate with the victims.

A specific clients section includes information on infected machines, such as the victim IDs, the operating system, the ransom price, the decryption key, and the payment status.

“Inpivx approach is highly likely to attract to the ransomware game individuals with expertise in other areas of the crime business.” wrote Ionut Ilascu from BleepingComputer. “With access to the source code, they can alter the original ransomware product and create new strains that could evolve to something new by combining code from other malware.”

Pierluigi Paganini

(SecurityAffairs – Tor, Inpivx)

The post INPIVX hidden service, a new way to organize ransomware attacks appeared first on Security Affairs.

British malware researcher Marcus Hutchins has pleaded guilty to developing and sharing the Kronos banking malware between July 2014 and July 2015.

The popular British cybersecurity expert Marcus Hutchins has pleaded guilty to developing and sharing the Kronos banking malware between July 2014 and July 2015.

Marcus Hutchins, also known as MalwareTech, made the headlines after discovering the “kill switch” that halted the outbreak of the WannaCry ransomware. In August 2017, he was arrested in Las Vegas after attending the Def Con hacking conference and was detained by the FBI in the state of Nevada.

In August 2017, Marcus Hutchins pleaded not guilty to charges of creating and selling malware at a hearing in Milwaukee, Wisconsin. The court decided to relax the expert’s bail terms, allowing him to access the Internet and continue his ordinary working activities. The only restriction on Hutchins was that he could not visit the WannaCry server domain.

The decision was unusual because computer crime suspects are not allowed to stay online.

The court allowed him to live in Los Angeles, where the company that hired him is located, but he was obliged to surrender his passport and he must wear a tracking device until his trial in October.

On Friday, Hutchins accepted a plea deal and admitted two charges of malware development.

“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” reads a statement published by the expert.

“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Marcus Hutchins faces a maximum penalty of five years in prison, a $250,000 fine and a year of probation.

According to federal law enforcement, the researcher told an unnamed associate over a recorded telephone line: “I used to write malware, they picked me up on some old shit,” and “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Pierluigi Paganini

(Security Affairs – Marcus Hutchins, cybercrime)

The post Marcus Hutchins pleads guilty to two counts of banking malware creation appeared first on Security Affairs.

Antivirus solutions from several vendors, including McAfee, Avast and Sophos, are malfunctioning after the installation of the Windows security patches released on April 9.

Antivirus solutions from different vendors are malfunctioning after the installation of the Windows security patches released on April 9.

Antivirus solutions from Sophos, Avira, ArcaBit, Avast, and recently McAfee reported security issues after the installation of the fixes released by Microsoft.

Microsoft is aware of the problems users have reported with their antivirus solutions and has already added several antivirus products to its list of known issues.

Users of the affected machines are observing sudden system freezes and performance degradation.

In some cases, users of systems running Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 reported that they were able to log in, but the process took more than ten hours.

Experts observed that safe mode is not affected by the issues; they suggest booting into safe mode to disable the antivirus and allow the machines to boot without problems.

“Sophos additionally reports that adding the antivirus software’s own directory to the list of excluded locations also serves as a fix, which is a little strange.” reported ArsTechnica.

“Avast recommends leaving systems at the login screen for about 15 minutes and then rebooting; the antivirus software should then update itself automatically in the background.”

Microsoft has blocked the update for Sophos, Avira, and ArcaBit users. McAfee is investigating the issue, while ArcaBit and Avast have already released updates that address the problem.

According to experts at Avast and McAfee, the root cause of the problem is a change Microsoft made to the CSRSS (“client/server runtime subsystem”) component, which manages Win32 applications. The experts believe the antivirus solutions are being blocked while attempting to access some resource.

At the time it was difficult to understand what had happened and whether the problem could be definitively solved by applying antivirus updates or operating system fixes.

Pierluigi Paganini

(SecurityAffairs – hacking, antivirus)

The post Avast, Avira, Sophos and other antivirus solutions show problems after appeared first on Security Affairs.
