Posts by Cybaze

Torrent Risks: An Analysis by Z-Lab Yoroi / Cybaze


Malware delivered through good Reputation Torrents

Report of March 14, 2019

Authors: Davide Testa, Luigi Martire, Antonio Farina, Antonio Pirozzi, Pierluigi Paganini


Cisco addressed two DoS vulnerabilities in Cisco ESA products that can be exploited by a remote, unauthenticated attacker.

Cisco fixed two denial-of-service (DoS) flaws in Email Security Appliance (ESA) products that can be exploited by a remote unauthenticated attacker.

The first flaw, tracked as CVE-2018-15453, is rated “critical”; it is a memory corruption bug caused by improper input validation of emails signed with Secure/Multipurpose Internet Mail Extensions (S/MIME). An attacker could send a specially crafted S/MIME email to a vulnerable ESA appliance, causing it to reload and enter a DoS condition.

“A vulnerability in the Secure/Multipurpose Internet Mail Extensions (S/MIME) Decryption and Verification or S/MIME Public Key Harvesting features of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an affected device to corrupt system memory.” reads the security advisory published by Cisco.

“A successful exploit could cause the filtering process to unexpectedly reload, resulting in a denial of service (DoS) condition on the device. “

Experts pointed out that the DoS condition is persistent: after the filtering process restarts, it attempts to process the same malicious email again and crashes again.

Restoring the appliance may therefore require manual intervention.

“A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA. ” continues the advisory.

“This vulnerability affects all software versions prior to the first fixed release of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), both virtual and hardware appliances, if the software is configured for S/MIME Decryption and Verification or S/MIME Public Key Harvesting.”

The second DoS flaw in Cisco ESA, tracked as CVE-2018-15460 and rated “high severity,” affects the message filtering feature of AsyncOS software.

The flaw could be exploited to cause a DoS condition by driving CPU usage to 100 percent. An attacker could trigger it by sending an email containing a large number of whitelisted URLs.

“A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device.” reads the security advisory.

“The vulnerability is due to improper filtering of email messages that contain references to whitelisted URLs. An attacker could exploit this vulnerability by sending a malicious email message that contains a large number of whitelisted URLs.”

In this case too, successful exploitation could cause a sustained DoS condition: the vulnerable device stops scanning and forwarding email messages.

Both vulnerabilities were discovered by Cisco; the good news is that there is no evidence of exploitation in the wild.

“This vulnerability affects all software versions prior to the first fixed release of Cisco AsyncOS Software for Cisco ESAs, both virtual and hardware, if the URL Filtering as Global Setting feature is enabled and a URL whitelist is in use. By default, the URL Filtering as Global Setting feature is disabled. ” states the advisory.

Pierluigi Paganini

(SecurityAffairs – DoS, CISCO ESA)

The post CISCO addresses DoS bugs in CISCO ESA products appeared first on Security Affairs.

Security experts uncovered a DNS hijacking campaign targeting organizations in various industries worldwide and suspect Iranian APT groups are behind it.

Security experts at FireEye uncovered a DNS hijacking campaign that is targeting government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America and Europe. According to the experts, the campaign is carried out, with “moderate confidence,” by APT groups linked to the Iranian Government.

“FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.” reads the report published by FireEye.

“While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran. “

Experts tracked the threat actors’ activity between January 2017 and January 2019.

Working with victims, the security firm collected evidence linking the campaign to Iran: the tactics, techniques and procedures (TTPs) and the targeting align with Iranian APT groups. FireEye also states that it worked closely with victims, security organizations, and law enforcement agencies where possible to reduce the impact of the attacks and prevent further compromises.

FireEye researchers tracked access from Iranian IP addresses to the machines used to intercept, record and forward network traffic. The same addresses had previously been associated with intrusions attributed to Iranian cyberespionage groups.

The attackers do not appear to be financially motivated and targeted several Middle Eastern governments whose data would be of interest to Iran.

FireEye noted that this campaign differs from other operations attributed to Iranian APT groups in its use of DNS hijacking at scale.

“While this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale.” continues the analysis published by FireEye.

“The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways. “

The attackers used three different techniques to manipulate DNS records and compromise victims.

In the first technique, the attackers log into a DNS provider’s administration interface with compromised credentials and change DNS A records (for example, that of the victim’s mail server) so that they point to attacker-controlled infrastructure, where email traffic is intercepted.

(Figure: DNS hijacking technique 1)

In the second technique, the attackers change the domain’s NS records after compromising the victim’s domain registrar account.

(Figure: DNS hijacking technique 2)

In both cases, the attackers obtain Let’s Encrypt certificates for the hijacked names, so victims’ clients connect to the attackers’ servers without certificate errors and nothing looks suspicious.

“The Let’s Encrypt Certificate allows the browsers to establish a connection without any certificate errors as Let’s Encrypt Authority X3 is trusted.” continue the researchers.

With these techniques, the attackers are able to harvest usernames, passwords and domain credentials.

The third technique uses a DNS redirector together with previously altered A and NS records to send the victim’s traffic to infrastructure controlled by the attackers.

(Figure: DNS hijacking technique 3)
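The record changes behind the first two techniques above are exactly what a zone-monitoring job can catch. The following is an added example, not code from FireEye or from the original post: it parses two dig-style answer snapshots (a known-good baseline and a later observation, both constructed here for the demonstration) and flags an A record of the mail host that has been repointed and an NS set that has been swapped. The zone name example.com, the IP addresses and the name-server hostnames are assumptions.

```python
"""Baseline-versus-observed DNS record comparison for the hijacking patterns
described above: A records of the mail host repointed (technique 1) and NS
records swapped at the registrar (technique 2).  Added example, not FireEye's
or the original post's code; all zone data below is constructed."""

SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "MX": "high", "CNAME": "high"}
HOSTNAME_TYPES = {"NS", "CNAME", "MX"}


def norm_name(name):
    """Lower-case and add a trailing dot so 'Mail.Example.com' == 'mail.example.com.'."""
    return name.rstrip(".").lower() + "."


def norm_rdata(rtype, rdata):
    """Normalise rdata: hostnames go through norm_name; MX keeps its preference."""
    if rtype == "MX":
        pref, host = rdata.split(None, 1)
        return f"{pref} {norm_name(host)}"
    if rtype in HOSTNAME_TYPES:
        return norm_name(rdata)
    return rdata


def parse_answers(text):
    """Parse 'dig +noall +answer' style lines into {(name, type): set(rdata)}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and dig comments
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue                               # not a record line we understand
        name, rtype, rdata = norm_name(parts[0]), parts[3].upper(), " ".join(parts[4:])
        records.setdefault((name, rtype), set()).add(norm_rdata(rtype, rdata))
    return records


def diff_records(baseline, observed):
    """Return one alert dict per record set that differs from the baseline."""
    # Hostnames that receive the zone's mail: an A/AAAA change there is technique 1.
    mx_targets = {v.split()[1] for (_, t), vals in baseline.items() if t == "MX" for v in vals}
    alerts = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        before, after = baseline.get(key, set()), observed.get(key, set())
        if before == after:
            continue
        added, removed = after - before, before - after
        change = "replaced" if added and removed else "added" if added else "removed"
        alert = {"name": name, "type": rtype, "change": change,
                 "severity": SEVERITY.get(rtype, "medium"),
                 "before": sorted(before), "after": sorted(after)}
        if rtype == "NS" and change == "replaced":
            alert["note"] = "NS set swapped: suspect registrar account compromise"
        elif rtype in ("A", "AAAA") and name in mx_targets:
            alert["note"] = "mail host repointed: suspect mail interception"
        alerts.append(alert)
    return alerts


# Constructed known-good snapshot (hypothetical zone and addresses).
BASELINE_TEXT = """; baseline for example.com
example.com.          3600 IN NS ns1.example-dns.net.
example.com.          3600 IN NS ns2.example-dns.net.
example.com.          3600 IN MX 10 mail.example.com.
mail.example.com.      300 IN A  192.0.2.10
www.example.com.       300 IN A  192.0.2.20
"""

# Constructed snapshot after a hijack: mail host repointed, NS set swapped.
OBSERVED_TEXT = """; observed for example.com
example.com.          3600 IN NS ns1.attacker-dns.example.
example.com.          3600 IN NS ns2.attacker-dns.example.
example.com.          3600 IN MX 10 mail.example.com.
mail.example.com.      300 IN A  198.51.100.7
www.example.com.       300 IN A  192.0.2.20
"""


def check_zone(baseline_text=BASELINE_TEXT, observed_text=OBSERVED_TEXT):
    """Parse both snapshots and return the list of alerts."""
    return diff_records(parse_answers(baseline_text), parse_answers(observed_text))


if __name__ == "__main__":
    for a in check_zone():
        print(f"[{a['severity']}] {a['name']} {a['type']} {a['change']}: "
              f"{a['before']} -> {a['after']}  {a.get('note', '')}")
```

Against a real zone, the observed snapshot should come from the authoritative servers listed in the baseline and, separately, from the parent zone, because an NS set swapped at the registrar is first visible at the parent. A changed A record alone cannot be distinguished from a legitimate migration, so the alert is a prompt to verify through the DNS provider’s change log and, given the Let’s Encrypt point above, to check Certificate Transparency logs for certificates recently issued to the affected names.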

FireEye has not yet determined the exact vector for each DNS record modification; the researchers believe several techniques, including phishing, were used to gain an initial foothold in victims’ infrastructure.

“Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account.” concludes FireEye.

“This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors. This is an overview of one set of TTPs that we recently observed affecting multiple entities. We are highlighting it now so that potential targets can take appropriate defensive action.”

Pierluigi Paganini

(SecurityAffairs – Iran, DNS hijacking)

The post Alleged Iran-linked APT groups behind global DNS Hijacking campaign appeared first on Security Affairs.

Experts disclosed three flaws in systemd, a software suite that provides fundamental building blocks for Linux operating systems.

Security firm Qualys has disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866) in a component of systemd, the software suite that provides fundamental building blocks for a Linux operating system and is used by most major Linux distributions.

The flaws reside in systemd-journald, the systemd service that collects and stores logging data.

CVE-2018-16864 and CVE-2018-16865 are memory corruption vulnerabilities, while CVE-2018-16866 is an out-of-bounds read that can lead to an information leak.

Security patches for the three vulnerabilities have been available in distribution repositories since the coordinated disclosure, but some distributions, such as some versions of Debian, remained vulnerable at the time of writing. The flaws are not exploitable on SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 because their systemd packages are compiled with GCC’s -fstack-clash-protection option.

“CVE-2018-16864 was introduced in April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230). We developed a proof of concept for CVE-2018-16864 that gains eip control on i386.” reads the security advisory.

Qualys researchers were working on an exploit for another Linux vulnerability when they noticed that passing several megabytes of command-line arguments to a program that calls syslog() crashed systemd-journald.

“CVE-2018-16865 was introduced in December 2011 (systemd v38) and became exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced in June 2015 (systemd v221) and was inadvertently fixed in August 2018.” continues the advisory.

The researchers developed a PoC exploit chaining CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. They plan to publish the exploit code in the near future.

In an attack scenario against a Linux box, CVE-2018-16864 can be exploited by malicious code or a logged-in local user to crash and hijack the systemd-journald service and elevate privileges. Chaining CVE-2018-16865 and CVE-2018-16866 allows a local attacker to crash or hijack the root-privileged journal service.

The researchers found CVE-2018-16865 after being surprised by the heavy use of alloca() in journald: they went looking for another alloca() call whose size is attacker-controlled and found the bug.

CVE-2018-16866 was introduced in June 2015 (v221) and fixed inadvertently in August 2018.

“We discovered an out-of-bounds read in journald (CVE-2018-16866), and transformed it into an information leak” wrote the experts.

The security firm acknowledged systemd’s developers, Red Hat Product Security, and the members of the linux-distros@…nwall list.

Pierluigi Paganini

(SecurityAffairs – Linux, hacking)

The post Three security bugs found in the popular Linux suite systemd appeared first on Security Affairs.

Kaspersky Lab was long accused of supporting Russian intelligence; in an ironic turn, sources now reveal it helped catch an alleged NSA data thief.

Kaspersky Lab was long accused of supporting Russian intelligence in cyber espionage activities, and for this reason its products have been banned by the US Government and the EU Parliament.

The company denied any involvement in operations conducted by Russian intelligence and recently opened its Transparency Center in Zurich to assure the integrity and trustworthiness of its products.

(Figure: Kaspersky Transparency Center in Zurich)

Now the picture seems completely changed.

We have long discussed the hack of the NSA-linked Equation Group carried out by “The Shadow Brokers”, who attempted to sell the stolen hacking tools and exploits and leaked part of them online.

In August 2016, the FBI arrested former NSA contractor Harold Thomas Martin over a massive theft of secret data. At the time of the arrest, Martin was working for Booz Allen Hamilton Holding Corp.

The US DoJ charged Harold Thomas Martin (51) with theft of secret documents and highly classified government material. According to the court complaint, the stolen data included source code developed by the NSA for its hacking campaigns against foreign governments.

According to Politico, sources informed of the events reported that Kaspersky learned about Martin after he sent strange Twitter messages to two of the firm’s researchers in 2016, minutes before The Shadow Brokers began leaking the NSA dump online.

“The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million Bitcoin. ” reported the Politico website.

“The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name ‘HAL999999999’ to send five cryptic, private messages to two researchers at the Moscow-based security firm,” Politico reports.

A first message sent on Aug. 13, 2016, asked one of the researchers to arrange a conversation with Kaspersky Lab CEO Eugene Kaspersky.

Kaspersky reported the messages to the NSA, which identified Martin; the FBI arrested him shortly afterwards.

“According to the sources who spoke with POLITICO, Kaspersky gave the NSA all five Twitter messages as well as evidence of the sender’s real identity.” continues Politico. “Then, according to the redacted court document, the FBI used the evidence to obtain search warrants for Martin’s Twitter account and Maryland home and property. The document doesn’t indicate how the FBI learned of the Twitter messages or Martin’s identity. “

In summary, Kaspersky Lab helped the NSA catch an alleged NSA data thief, exposing a massive breach that US authorities had not been able to detect on their own.

Pierluigi Paganini

(SecurityAffairs – Kaspersky Lab, intelligence)

The post Ironic turn … Kaspersky Labs helped NSA to catch alleged data thief appeared first on Security Affairs.

Google released its first security patches for Android in 2019, addressing tens of vulnerabilities in the popular mobile OS.

Google released the first batch of security patches for Android in 2019; they address tens of flaws, the most severe of which is CVE-2018-9583.

CVE-2018-9583 is a critical remote code execution vulnerability in the System component; it is included in the 2019-01-01 security patch level.

A remote attacker could exploit the flaw using a specially crafted file to execute arbitrary code within the context of a privileged process.

The 2019-01-01 security patch level addresses a total of 13 security flaws.

Google addressed only one flaw in Framework, tracked as CVE-2018-9582; it is rated High severity and affects Android versions 8.0, 8.1 and 9.

The other 12 vulnerabilities affecting the System component are:

  • 1 Critical remote code execution bug.
  • 4 High severity elevation of privilege issues.
  • 7 High severity information disclosure vulnerabilities.

The 2019-01-05 security patch level addressed a total of 14 vulnerabilities in Kernel components (7), NVIDIA components (1), Qualcomm components (3), and Qualcomm closed-source components (3).

The most severe of these is CVE-2018-11847, a Critical bug in a Qualcomm closed-source component that could allow a local malicious application to execute arbitrary code within the context of a privileged process.

Pierluigi Paganini

(SecurityAffairs – Android, security patches)

The post First Google security patches for Android in 2019 fix a critical flaw appeared first on Security Affairs.

Dozens of state attorneys general announced a $1.5 million settlement with The Neiman Marcus Group over a 2013 data breach.

Attorneys general from 43 states and the District of Columbia announced this week a $1.5 million settlement with The Neiman Marcus Group LLC over a data breach the company suffered in 2013 and disclosed in early 2014.

(Figure: Neiman Marcus)

In early 2014, the high-end retailer confirmed a data breach that came to light a few weeks after the clamorous breach at US retail giant Target. At the time, Neiman Marcus had 79 stores and reported total sales of $1.1 billion in Q4 2013.

The data breach was first reported by security journalist Brian Krebs, who confirmed a surge in fraudulent charges on credit and debit cards that had been used at Neiman Marcus stores.

The company notified its customers that hackers had breached its servers and accessed the payment information of shoppers at one of its 77 stores.

In just three months in 2013, hackers stole about 370,000 credit card records, and at least 9,200 of the cards were subsequently used in fraudulent activities.

“Under terms of the settlement announced Tuesday, Neiman Marcus agrees to maintain reasonable procedures to protect customers’ personal data and obtain an information security assessment and report from a third-party professional.” reported the Associated Press.

Pierluigi Paganini

(Security Affairs –  settlement, cybercrime)

The post State attorneys general announced a $1.5 million settlement with Neiman Marcus appeared first on Security Affairs.

Microsoft has released the January 2019 Patch Tuesday updates, which address 51 vulnerabilities in Windows and other products.

Microsoft’s January 2019 Patch Tuesday updates fix 51 vulnerabilities in the Windows operating system and in the following products:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • .NET Framework
  • Microsoft Exchange Server
  • Microsoft Visual Studio

A closer look at the list of issues addressed by the Microsoft January 2019 Patch Tuesday reveals that 7 flaws are rated critical; none was exploited in attacks in the wild.

The vulnerabilities rated critical could be exploited for remote code execution, and most of them affect Windows 10 and Server editions.

Three of the seven critical issues affect the ChakraCore scripting engine used by the Edge browser, two affect Microsoft’s Hyper-V virtualization platform, one affects Edge itself, and one affects the Windows DHCP client.

The CVE-2019-0547 vulnerability, reported by Mitch Adair of the Microsoft Windows Enterprise Security Team, resides in the Windows DHCP client: an attacker who can send a specially crafted DHCP response to a client could achieve arbitrary code execution on it.

“A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine.” reads the security advisory.

“To exploit the vulnerability, an attacker could send a specially crafted DHCP responses to a client. The security update addresses the vulnerability by correcting how Windows DHCP clients handle certain DHCP responses.”

Two Windows Hyper-V vulnerabilities (CVE-2019-0550 and CVE-2019-0551) could allow an attacker to execute code remotely on the host.

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.” reads the security advisory for the two Hyper-V issues. “To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.”

Only one of the issues addressed by the Microsoft January 2019 Patch Tuesday, a flaw in the Microsoft JET Database Engine, was publicly known before the release, and it was not exploited in the wild. The flaw, tracked as CVE-2019-0579 and rated important, could be exploited to execute arbitrary code on the target system by tricking the user into opening a specially crafted file.

Microsoft also fixed a vulnerability in Skype for Android (CVE-2019-0622) that could allow an attacker with physical access to an Android device to bypass the lock screen and expose the victim’s data.

Below is the full list of vulnerabilities addressed by the Microsoft January 2019 Patch Tuesday.

Pierluigi Paganini

(SecurityAffairs –  Cybersecurity, Microsoft January 2019 Patch Tuesday)

The post Microsoft January 2019 Patch Tuesday updates fix 7 critical vulnerabilities appeared first on Security Affairs.

Adobe’s Patch Tuesday security updates for January 2019 fix two flaws rated as “important” in the Connect and Digital Editions products.

Adobe’s Patch Tuesday security updates for January 2019 fix two “important” vulnerabilities in the Connect and Digital Editions ebook reader products.

The first flaw, tracked as CVE-2018-19718, is a session token exposure issue in the Adobe Connect web conferencing software. It could lead to the exposure of the privileges granted to a session and affects Adobe Connect version 9.8.1 and earlier on all platforms.

The second flaw, tracked as CVE-2018-12817, is an out-of-bounds read in the Digital Editions ebook reader. It can result in information disclosure in the context of the current user and affects Adobe Digital Editions version 4.5.9 and earlier on Windows, macOS, iOS and Android. The vulnerability was reported by Jaanus Kääp of Clarified Security.

The good news is that Adobe is not aware of attacks in the wild exploiting either flaw and considers exploitation unlikely: both flaws are rated important and received a priority rating of 3.

On January 3, Adobe released security updates that address two critical vulnerabilities in the Acrobat and Reader products, a use-after-free issue and a security bypass flaw.

The flaws affect the latest versions of Acrobat DC, Acrobat Reader DC, Acrobat 2017 and Acrobat Reader DC 2017 for Windows and macOS.

Pierluigi Paganini

(SecurityAffairs – Adobe, Connect)

The post Adobe addresses ‘Important’ Flaws in Connect, Digital Editions appeared first on Security Affairs.

A 20-year-old hacker was arrested over the recent massive data leak that hit hundreds of German politicians. According to the authorities, the man has already confessed.

The German authorities have identified a 20-year-old hacker who stole and leaked personal data belonging to hundreds of German politicians. According to the authorities, the youngster, who lives with his parents and is still a student, has confessed and said he acted because he was annoyed.

“The accused said he published the data because he had been annoyed by certain statements made by those affected,” explained Georg Ungefuk, a spokesman for the Frankfurt prosecution service’s internet crime office ZIT.

The man was arrested after police raided his home in the state of Hesse, where agents seized computers and hard drives.

The young hacker immediately decided to cooperate with the authorities and admitted to having acted alone.

He was charged with spying and illegally publishing personal data.

According to Bloomberg News, the exposed data includes email addresses, mobile phone numbers, invoices, copies of identity documents and personal chat transcripts.

The data were leaked online via the Twitter account “G0d” (@_0rbit), which has since been suspended. “The Twitter account @_0rbit published the links daily in the style of an advent calendar, with each entry representing a “door”, behind which was a link to new information.” reported France24.

The leak was first reported by the German newspaper Bild and the broadcaster RBB. According to Bild, the data theft continued until the end of October, but it is not yet clear when it started.

The leaked data belongs to political figures from all parties, including members of the Bundestag (the lower house of parliament), the European Parliament, and regional and local assemblies.

(Figure: German politicians)

The data was leaked online in December, but inexplicably the news was reported only this week.

The list of affected people also includes President Frank-Walter Steinmeier, celebrities and journalists.

The only party in the Bundestag not targeted by the hacker was the opposition Alternative for Germany (AfD).

“We are still investigating his motives and whether they may have been criminal or politically motivated,” the head of cyber security at Germany’s Federal Police Office (BKA), Heiko Loehr, told reporters.

Pierluigi Paganini

(SecurityAffairs – data leak, German politicians)

The post German youngster behind massive data leak of German politicians data appeared first on Security Affairs.