Transatlantic Cable podcast, episode 327 | Kaspersky official blog

/in

The latest episode of the Transatlantic Cable podcast kicks off with news that hackers are paying to gain access to hotel booking[.]com portals. The hack is apparently so lucrative, they’re now advertising for access on the dark web. Additionally, the team discuss new content restriction laws being discussed in the U.K, with news that photo I.D may be required to access certain sites.

Additionally, this week the team sat down with Vidit Gujrathi, Chess grandmaster and Maher Yamout, Lead Security Researcher at Kaspersky to talk about Chess, cyber-security and how the two are more connected than you might think.

If you liked what you heard, please consider subscribing.

Booking[.]com hackers increase attacks on customers
UK porn watchers could have faces scanned

Kaspersky official blog – ​Read More

Exploiting GOG Galaxy XPC service for privilege escalation in macOS

/in

Being part of the Adversary Services team at IBM, it is important to keep your skills up to date and learn new things constantly. macOS security was one field where I decided to put more effort this year to further improve my exploitation and operation skills in macOS environments.

During my research, I decided to try and discover vulnerabilities in software that I had pre-installed on my laptop, which resulted in the discovery of this vulnerability. In this article, I will go through the analysis of the vulnerability, how I discovered it, and the exploitation and disclosure process. Although we made several efforts to get the vendor to fix the vulnerability, it remains unpatched at the time of writing this blog post.

Vulnerability details

CVE-2023-40713
Affected version: Version 2.0.65 (11)
Impact: Privilege Escalation
CVSS: 7.8 — HIGH

When GOG Galaxy is installed, it creates a new file in the /Library/LaunchDaemons directory with the name of com.galaxy.ClientService.plist. This behavior results in the creation of a Launch Daemon, which is a background process running with high privileges. Usually, these processes are used as helper tools to perform privileged actions by a low privileged application.

Inspecting the PLIST file created by GOG Galaxy, it shows that an XPC service named com.gog.galaxy.ClientService is exposed by the Privileged Helper tool located in /Library/PrivilegedHelperTools/com.gog.galaxy.ClientService.

These are highlighted in the contents of the PLIST file below:

?xml version=”1.0″ encoding=”UTF-8″?>

<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN”

“http://www.apple.com/DTDs/PropertyList-1.0.dtd”>

<plist version=”1.0″>

<dict>

  <key>Label</key>

  <string>com.gog.galaxy.ClientService</string>

  <key>MachServices</key>

  <dict>

    <key>com.gog.galaxy.ClientService</key>

    <true/>

  </dict>

  <key>Program</key>

  <string>/Library/PrivilegedHelperTools/com.gog.galaxy.ClientService<

/string>

  <key>ProgramArguments</key>

  <array>

  

<string>/Library/PrivilegedHelperTools/com.gog.galaxy.ClientService</string>

  </array>

</dict>

</plist>

Quick intro to XPC service

An XPC service is an inter-process communication mechanism heavily used in macOS. It allows you to create helper tools that can perform certain tasks on behalf of an application. This is typically used for tasks that run in the background or tasks that require elevated privileges. It is usually composed of the XPC service acting as a server and an application that connects to the XPC service.

The following diagram shows a connection between the application and the XPC service:

Figure 1: NSXPC architecture (Source: Apple Developer)

I will not go into details of XPC as it is a complex topic but just think of it as the usual inter-process communication where a client can call methods that are exposed by the XPC service.

Connection validation in GOG Galaxy

The ability to call methods exposed by a service running with high privileges sounds like a bad idea. An application can just connect to the XPC service, call exposed methods, and perform actions on behalf of the XPC service. Although this is possible, most applications verify the client application and only allow specific applications to call the exposed methods.

For example, in the GOG Galaxy Privileged Helper tool, the function responsible for checking if a connection is valid (shouldAcceptNewConnection) is shown below:

-(char)listener:(void *)arg2 shouldAcceptNewConnection:(void *)arg3 {

    r14 = self;

    rax = [arg3 retain];

    r15 = rax;

    if ([r14 areRequirementsValidForProcessId:[rax processIdentifier]] !=

0x0) {

            rax = [NSXPCInterface

interfaceWithProtocol:@protocol(ClientServiceProtocol)];

            rax = [rax retain];

            [r15 setExportedInterface:rax];

            [rax release];

            [r15 setExportedObject:r14];

            rbx = 0x1;

            [r15 resume];

            

  [REDACTED]

The application calls the areRequirementsValidForProcessId function with the processIdentifier parameter which is the PID of the connecting process. If this function returns 0, it will export the object and allow the connection, otherwise, it will exit.

Reviewing the areRequirementsValidForProcessId function, it receives the processID as a parameter, copies the security attributes of the process using the PID and checks them against the following security requirements:

[REDACTED]


void galaxy::service_library::Logger::Info<char const*>(“Validating
signature of calling process at path {}.”, 0x33);

rax = SecRequirementCreateWithString(@”identifier ”com.gog.galaxy” and
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /*
exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = ”9WS36Q8886”“, 0x0, &var_48);

[REDACTED]

The security check itself is valid as it checks if the package identifier is com.gog.galaxy, if the certification is a valid Apple certificate, and if the team identifier is 9WS36Q8886 (which is the team identifier for GOG Galaxy).

The PID re-use problem

The problem exists because all these checks are performed against a PID which is not safe. In macOS, PIDs can be reused and we can even replace current executables with a different process with posix_spawn() while keeping the old PID. This was originally published on Warcon 18 in the presentation, Don’t Trust the PID (PDF).

This attack is based on a race condition where an exploit is going to send several messages to the XPC service and just after that, execute posix_spawn with the binary that fulfills all the security requirements to replace the malicious binary PID. By queuing a lot of messages, the time between the message processing and process validation will allow the exploit to replace the exploit PID with the real application validating the connection.

The following image shows a graphical representation of the attack:

Figure 2: Race condition when queuing XPC messages (Source: IBM)

Exposed methods of the Privileged Helper tool

Although we can manipulate the Privileged Helper and invoke any exposed methods, it is not useful unless these methods offer an opportunity for exploitation. The protocol used between the XPC service and client was called ClientServiceProtocol.

This protocol exposed the following methods:

 

– (void)requestShutdown; – (void)removeOldClientService; 


– (void)fillProcessInformationForPids:(NSArray *)arg1 authorization: (NSData
*)arg2 withReply:(void (^)(NSArray *))arg3; 


– (void)createFolderAtPath:(NSString *)arg1 authorization:(NSData *)arg2
withReply:(void (^)(NSError *))arg3; 

– (void)renameClientBundleAtPath:(NSString *)arg1 withReply:(void (^)
(NSError *))arg2; 

– (void)changeFolderPermissionsAtPath:(NSString *)arg1 authorization:
(NSData *)arg2 withReply:(void (^)(NSError *))arg3; 

– (void)getVersionWithReply:(void (^)(NSString *))arg1;

While multiple methods were exposed, the most interesting one was changeFolderPermissionsAtPath, which required three arguments.

Arg1 – Authorization data
Arg2 – The path to change permissions to
Arg3 – An array for the response

The function first checks the authorization data which can be bypassed by creating an authorization structure without any rights. After authorization is checked, the function performs a variety of actions, but the most important is calling the chmod function. The chmod function is called with the path provided in arg2 and 0x1ff, which makes any targeted file globally readable, writable, and executable.

-(void)changeFolderPermissionsAtPath:(void *)arg2 authorization:(void *)arg3

withReply:(void *)arg4 {

    r13 = [arg2 retain];

    r14 = [arg3 retain];

    var_C8 = [arg4 retain];

    rax = objc_retainAutorelease(r13); <—- RAX is initated from r13, which

is initiated from arg2

    

    var_F8 = rax;

 

[REDACTED]

    rax = [NSFileManager defaultManager];

    rax = [rax retain];

    r13 = rax;

    var_E8 = [[rax subpathsAtPath:var_F8] retain];

    rax = objc_retainAutorelease(var_F8);

    var_E0 = rax;

    rax = [rax UTF8String];

    rax = chmod(rax, 0x1ff); <— Permissions are changed using chmod

    var_B4 = rax;

    

    if (rax == 0x0) goto loc_1000c1be9;

 

 [REDACTED]

As a low-privileged user, we can communicate with the XPC service and change the permissions of any file in the system. This can be used to abuse the system in several ways, such as by modifying a Launch Daemon to execute a malicious binary when the daemon is loaded. However, this method requires a restart, so a better alternative is to modify the /etc/pam.d/login file.

The /etc/pam.d/login file is a configuration file for the Pluggable Authentication Modules (PAM) system on macOS. It contains the default authentication configuration for all services that use PAM. Modifying the auth entries to use the pam_permit.so module will allow any authentication attempt to succeed. This means that we will be able to run sudo on the target machine without entering a password.

Original File:

sh-3.2# cat /etc/pam.d/login

# login: auth account password session

auth       optional       pam_krb5.so use_kcminit

auth       optional       pam_ntlm.so try_first_pass

auth       optional       pam_mount.so try_first_pass

auth       required       pam_opendirectory.so try_first_pass

account    required       pam_nologin.so

account    required       pam_opendirectory.so

password   required       pam_opendirectory.so

session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
sh-3.2#

Replaced File:

sh-3.2# cat /etc/pam.d/login

# login: auth account password session

auth       optional       pam_permit.so

auth       optional       pam_permit.so

auth       optional       pam_permit.so

auth       required       pam_permit.so

account    required       pam_nologin.so

account    required       pam_opendirectory.so

password   required       pam_opendirectory.so

session    required       pam_launchd.so

session    required       pam_uwtmp.so

session    optional       pam_mount.so

sh-3.2#

Exploitation steps

Here are the required steps to successfully exploit the vulnerability:

Connect to the XPC through forked processes and replace the child processes with the legitimate binary.
Call the changeFolderPermissionsAtPath method that is exposed by the XPC modifying permissions of the /etc/pam.d/login file.
Replace the login file with one that allows authentication without password.
Escalate to root running sudo su.

We chose not to release the exploit code for this vulnerability, as it is still a 0-day. However, we have provided all the information needed to reproduce the vulnerability.

Defensive considerations

Adversaries abuse XPC services to execute malicious code, perform application white-listing bypass, and escalate privileges. On macOS, applications can leverage XPC services to send messages to the XPC service daemon, which runs with root privileges on the system. These attacks often take advantage of improper XPC client validation and poor input validation to allow code to be executed with elevated privileges.

Securing XPC can be challenging as it requires secure coding practices from the application vendor such as enabling the hardened runtime for XPC services and notarizing the application. Organizations can and should look for unsigned XPC client services and understand the risks associated with their operation in the environment. Additionally, monitoring for processes that make suspicious calls to processes with elevated privileges could be an early indication of this type of attack.

Disclosure timeline

Below is the disclosure timeline:

25 November 2022 — Vulnerability reported to GOG Galaxy
25 November 2022 — GOG Galaxy Support team responds saying details have been passed to the security team.
01 December 2022 — Asking for an update
01 December 2022 — GOG Galaxy Support team responds saying no updates were received from the security team.
09 December 2022 — Asking for update
09 December 2022 — GOG Galaxy Support team responds saying no updates were received from the security team.
12 January 2023 — Asking for an update, no response from GOG Galaxy Support team 08 February 2023 — Asking for an update
16 February 2023 — GOG Galaxy Support team responds saying no updates were received from the security team
06 March 2023 — Vendor was notified that we plan on publishing and advisory as 90 days have passed since reporting the vulnerability.
June 2023 — Disclosure

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

The post Exploiting GOG Galaxy XPC service for privilege escalation in macOS appeared first on Security Intelligence.

Security Intelligence – ​Read More

Iran’s Most Advanced Cyber Attack Yet

/in

For years now, Iran’s state-sponsored hackers have been some of the most prolific in the world. But prolific does not necessarily mean sophisticated — its attacks haven’t quite impressed in the way that the U.S., Russia, and China’s do. But in a campaign recently uncovered by CheckPoint, one Iranian APT unleashed tools and tactics unlike anything we’ve seen from the country before. If before they were at the kids’ table, this latest campaign suggests that they might have just moved up.

The post Iran’s Most Advanced Cyber Attack Yet appeared first on Check Point Research.

Check Point Research – ​Read More

The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors

/in

Research by: Haifei Li, Check Point Research

Introduction

Outlook, the desktop app in the Microsoft Office suite, has become one of the world’s most popular apps for organizations worldwide for sending and receiving emails, scheduling conferences, and more. From the security perspective, the app is one of the critical “gateways” responsible for introducing various cyber threats into organizations. Even a minor security problem in this app could cause severe damage and undermine the overall enterprise security.

Therefore, it is essential to examine the attack vectors on Outlook for typical enterprise environments, which Check Point Research will do in this paper. We assume the position of an average user – we click and double-click on things on Outlook – as our daily work requires, and we examine the security risks they may introduce from a security research perspective.

We will examine the attack vectors in three categories: the “obvious” Hyperlink attack vector, the “normal” attachment attack vector, and the “advanced” attack vector regarding Outlook email reading and ‘special object’. We use section numbers to mark the scenario for each attack vector.

Please note that the discussed research in this paper was performed on the latest Outlook 2021 (desktop version on Windows), with the latest security updates installed as of November 2023, in typical/default Outlook + Exchange Server environments.

I – The Obvious: the Hyperlink Attack Vector

1.1 – ONE Single-click: Web Links

If an attacker wants to attack someone via emails, an obvious method is for the attacker to send emails with malicious web hyperlinks to lure the victim to click on the links in these HTML emails. This is in fact the attack vector for all the phishing emails that the industry has been fighting against every day.

For example, the following is an email we received – the email body is written in HTML and has some links, such as “https://www.microsoft.com”. When the user clicks, Outlook calls the default browser on the OS to browse the website, which is just obvious.

Figure 1 – gif showing web links in Outlook email

For this attack vector, the attacker basically uses emails as a “bridge” to perform web-based attacks, whether they are social-engineering-based phishing attacks, browser exploits, or even highly technical browser zero-day exploits.

Please note that only a single click is needed to launch web links on Outlook. No additional confirmation is needed by the users. While this may sound scary (compared to the next attack vectors we will discuss), the security risks are not in Outlook, but in the browsers. If the browser is strong enough (against browser exploits) and the user is smart enough (against phishing attacks), there would be no problem. That is probably why Outlook considers usability as the first criteria here; another reason could be that email hyperlinks are just too common, you cannot let users confirm every click, because that would be too annoying and take too much time.

1.2 – Not all hyperlinks are web links

However, Outlook hyperlinks are not just web links, they could contain other types of hyperlinks, and those may introduce security risks. In fact, we at Check Point Research have discovered an Outlook bug in this attack vector. However, discussing particular bugs is not the goal of this paper. Therefore, we’d like to leave this topic for another publication. Please watch our blog site if you are interested. We will update here when the blog post is available.

II – The Normal: the Attachment Attack Vector

Here is the normal attack vector: the attacker sends the victim an email with a malicious attachment and lures the victim to open the attachment.

The “opening the attachment” on Outlook could mean two different types of actions. When the user double-clicks on the attachment, the system is trying to call the default registered application (for that attachment file type) on Windows to open the attachment in that application. When the user single-clicks on the attachment, it is trying to call the registered “previewer” application (for that attachment file type) to preview the attachment within the Outlook app. We will discuss both in detail.

The security risk introduced in the “attachment” scenarios depends on the security of the registered application for that attachment file type. If the application is robust enough with proper security measures, it would be less risky for the end user. On the other hand, if the application is insecure, it would be more risky for the end user.

2. 1 – Double-clicking: Opening the Attachment

If the user double-clicks on the attachment, Outlook will try to call the registered application (for the file type of the attachment) to open the attachment. Depending on the attachment’s extension name (the file type), there could be three scenarios.

2.1.1 – NO CLICK: The attachment’s extension name is marked as an “unsafe” file type.

The attachment could not be opened by Outlook (but it could be received, though).

The following figure shows a “.vbs” attachment is received but the user could not open it, because the “.vbs” file type is marked as “unsafe” by Outlook.

The blocked unsafe file types on Outlook are listed here by Microsoft.

Figure 2 – unsafe attachments are disabled on Outlook

2.1.2 – ONE DOUBLE-CLICK AND ONE SINGLE-CLICK: The attachment’s extension name is not marked as “unsafe” and not marked as “safe” either.

You may consider this as the “unclassified category”. In this scenario, there would be a promoted dialog shown to the user, asking the user for confirmation to open the file.

In this scenario, the user needs to perform two clicks in order to open the attachment. One is double-clicking on the attachment; the other is clicking the “Open” button on the promoted dialog (not the default button). After that, the default/registered app for this specific file type on the Windows OS would be used to open the attachment.

In Check Point Research’s recent blog post, we disclosed an interesting attacking technique (leaking NTLM information via common ports like 80/443) whereby the attacker delivers the .accdb exploit via emails; this would also fall into this scenario. The following gif shows this in an intuition way.

Figure 3 – gif showing double-clicking to open .accdb attachment on Outlook

In the real world, there are so many file types in this “unclassified” scenario. For an average Outlook user, it is impossible to know if every app/attachment you open is secure enough. Therefore, we recommend users stay cautious against this attack vector: do not easily click on the additional “Open” button for attachments from untrusted persons.

For application developers, while it is still rare in the real world, a good recommendation is to honor the Mark-of-the-Web (MotW). In this scenario, the attachment is marked as “from the Internet” when it’s sitting in the Outlook temporary directory prior to being opened by the third-party app. Therefore, if the third-party app checks and honors the MotW, like limiting the features and/or opening the app in an application sandbox when it detects that the file has the MotW flag, it would be a very good security practice.

Knowledge note: on default Outlook + Exchange Server environment, MotW is only set for attachments from email addresses outside the organization’s domain (the Internet), but not for email addresses inside the organization. Therefore, the MotW is very good for developers to balance security and usability for their apps.

For example, on February 2023 Patch Tuesday, Microsoft released a “defense in depth” feature via CVE-2023-21715 for Microsoft Publisher, a Microsoft 365 app. What the update does is simply disable Macros on Publisher totally when the .pub file has MotW. According to our research, when a .pub file with Macros embedded is opened by Publisher, in a “pre CVE-2023-21715” environment, if the .pub file has MotW (an external .pub attachment would fall in this attacking scenario), the following warning dialog is provided to the end user.

Figure 4 – In “pre CVE-2023-21715” environment, user could still choose “Enable Macros” when the .pub file has MotW

In the “post CVE-2023-21715” environment, the dialog is changed to:

Figure 5 – In “post CVE-2023-21715” environment, the “Enable Macros” button is removed when the .pub file has MotW

Note the difference, there’s now no option for the user to choose to run Macros inside the .pub file when the file comes with MotW (from the Internet), making it secure for the end user.

2.1.3 – ONE DOUBLE-CLICK: The attachment’s extension name is marked as a “safe” file type.

In this scenario, the attachment would be opened directly when the user double-clicks on the attachment.

Check out the following gif where the user opens a .docx file directly via one double-click because the .docx is marked as a “safe” file type.

Figure 6 – gif showing double-clicking to open .docx attachment on Outlook

Since there is no additional confirmation for users prior to opening the attachment in this scenario – one double-click is enough to call the application to open the attachment. Application developers should be extremely careful to register their file types/applications into this category.

A highly recommended security enhancement is developing an application sandbox for your application and processing the file in it, like Word, Excel, and PowerPoint’s “Protected View” mode. That said, the Word (.docx, .doc, .rtf, etc.), Excel (.xlsx, .xls, etc.), and PowerPoint (.pptx, .ppt, etc.) file types are all registered in this “safe” category, as well as the popular PDF file type for the latest Adobe Acrobat Reader (tested on version 2023.006.20360).

Figure 7 – Word running in Protected View mode (process integrity level “AppContainer”) when opening a document from external emails

The Protected View mode on Word/Excel/PowerPoint is not a typical application sandbox. In fact, beyond processing the file in the sandboxed process, it also limits the features that could run when the app is running in Protected View mode. For example, all OLE-related features are disabled when Protected View mode is activated. Therefore, the Protected Mode on Word/Excel/PowerPoint is much stronger than typical application sandboxes from a security point of view.

2.2 – Single-clicking: Previewing the Attachment

If the user single-clicks on the attachment (compared to double-clicking), Outlook will try to call the registered “previewer” app (for the file type of the attachment) to “preview” the attachment inside Outlook. Even though it’s called “preview”, the attachment file is still opened and processed from the technical point of view. The difference is that when previewing, the third-party app is running as a COM server in the background, and the attachment content is displayed in the Outlook window. As previously discussed, when “opening” the attachment via double-clicking, the third-party app is run directly, and the content is displayed in the application’s window.

Depending on the attachment’s extension name (the file type), there could be four scenarios when previewing the attachment.

2.2.1 – NO PREVIEW: The attachment’s extension name is marked as “unsafe”.

This is the same situation as we discussed in Scenario 2.1.1. Since the attachment is totally disabled, there are no opening or previewing options.

2.2.2 – NO PREVIEW: There’s no registered previewer app for the extension name.

In fact, most of the file types we have seen are in this category because most apps handling the file types are not registered as Outlook previewer apps. Check out the following gif where the user attempts to preview (via a single-click) a .wmv file (a media file type) but there is no registered app for that file type, so an error message is displayed.

Figure 8 – gif showing single-clicking trying to preview a .wmv attachment on Outlook but receiving an error message

2.2.3 – TWO SINGLE-CLICKS: The previewer app is registered but needs additional confirmation to preview the content

There are some file types, that have their previewer apps registered but Outlook doesn’t have much confidence that previewing the attachment is safe, so Outlook gives an additional warning dialog to the user – which requires another single click – to confirm to preview the attachment. Therefore, there are two single-clicks in this scenario, one for single-clicking on the attachment, and the other for clicking on the “Preview file” button on the warning window.

The following example previews a .pdf attachment – a popular file type- when Adobe Acrobat Reader is installed on the OS. When the user single clicks on the attachment, Outlook asks if the user wants to continue the previewing. Additionally, there’s an option letting the user choose if he/she wants to confirm this file type every time.

Figure 9 – gif showing single-clicking to preview a .pdf attachment on Outlook

Note that in the background, the PDF attachment is processed in the Adobe Acrobat Reader sandbox (one of the ”Acrobat.exe” processes with integrity level “Low”). The Adobe Acrobat Reader processes are started by the Windows process “prevhost.exe”. As shown in the following figures.

Figure 10 – Adobe Acrobat Reader runs in the background and processes the attachment in sandboxed environment, when user previews a PDF attachment on Outlook

Knowledge note: In Windows, standard/default users start processes with the “Medium” integrity level, so if a process is running with a lower integrity level (“Low” or “AppContainer”), it usually indicates that the process is running with a restricted application sandbox. Read more here.

2.2.4 – ONE SINGLE-CLICK: Previewer app is registered and marked as “safe”.

This scenario is the smoothest way to read the content of an attachment. When the user just single-clicks on the attachment, the attachment is previewed and the content is displayed in the Outlook window.

Because the process is very smooth, the potential security risk it may introduce is high. Therefore, from a security point of view, only the apps that have robust security enhancements should be registered into this “previewing safe list”.

For example, the Word, Excel, and PowerPoint file types are in this list. Following is a gif showing a .docx attachment being previewed on Outlook.

Figure 11 – gif showing single-clicking to preview a .docx attachment on Outlook

And, when previewing Word, Excel, or PowerPoint attachments on Outlook, the corresponding app is always run in the security-strong Protected View mode, as the following figure shows. So it protects users while also offering great usability.

Figure 12 – Microsoft Word runs in the background and processes the attachment in Protected View mode, when user previews a Word attachment on Outlook

Side note: Attentive readers may note that it is a bit different from the Adobe Acrobat Reader scenario we previously discussed, the sandboxed “WINWORD.EXE” process is started directly via Outlook process, not via “prehost.exe”, and there is only one “WINWORD.EXE” process, while in the Adobe Acrobat Reader scenario, there are two “Acrobat.exe” processes.

III – The Advanced: the Email Reading and Special Object Attack Vectors

3.1 – The Email Reading Attack Vector

The Email Reading attack vector is for the scenario in which the security problem is triggered as long as the victim reads the (attacking) email on Outlook. So this is a very powerful attack vector.

It is often referred to as the “Preview Pane” attack vector in the security domain, especially for Microsoft Security Update pages. For example, the following is a vulnerability patched by Microsoft which could be triggered when users read emails on Outlook but is referred to as the “Preview Pane” attack vector.

Figure 13 – A typical Microsoft Security Update webpage where Microsoft describes a vulnerability that could be triggered by “Preview Pane”

It is, in fact, a confusing name, as someone pointed out also. Anyway, when we read that Microsoft claims the Outlook Preview Pane is an attack vector, we can assume that the vulnerability could be triggered as long as the user reads emails on Outlook.

This lies in the core functions where Outlook processes emails or other objects that are delivered together with emails. From a vulnerability research point of view, that usually occurs when there is a vulnerability when Outlook parses or processes the email format. Outlook supports three types of email formats: the plain text email format, the HTML email format, and the TNEF email format (commonly known as the “Outlook Rich Text” format). The HTML and TNEF are complex formats so they produce more vulnerabilities, especially for the TNEF which is (basically) a binary format. The bug types could vary from memory corruptions to logical bugs.

Protip: configuring your Outlook only to read plain text email is the best for security, although you may lose the usability, of course since these links, inline pictures will not show up in the plain text email.

The following figure is an example of a piece of a TNEF format email, note the string “Content-Type: application/ms-tnef”, which specifies this email follows the TNEF format.

Figure 14 – the content of a typical TNEF (Outlook Rich Text) format email

Historically, many vulnerabilities have been found in this Outlook Email Reading attack vector, but working exploits were rare. That is because finding a scripting environment within or triggered by Outlook is not an easy job but some slips still can happen. Here is an example.

In 2015, the author of this paper discovered and reported a logical bug in Outlook, dubbed “BadWinmail”, which allows running any Flash exploit (at that time, Flash was installed by default on Windows 8/10) embedded in the TNEF format, via the OLE mechanism. Arbitrary and reliable code execution is achieved as long as the victim reads the email on Outlook – no need to click anything, so it was a very powerful zero-day exploit. Here is the paper and video demonstration if readers would like to see the impact of such an attack vector.

3.2 – The Outlook Special Object Attack Vector

For the previous Outlook Preview Pane (Email Reading) attack vector, although it is already very powerful, the victim still needs to read the email. However, there is a possibility that the victim doesn’t even need to read the email at all,- for as long as the victim opens Outlook and receives emails from the email server, he/she could still be pwned. That’s the attack vector we call the ‘Special Object’ attack vector.

Here is a real-world example, in March 2023, Microsoft disclosed that they detected a threat actor using a zero-day vulnerability (CVE-2023-23397) in Outlook to attack Ukrainian organizations. The zero-day allows local Windows to leak (Net)NTLM credential information to the attacker-controlled server. In detail, the root cause is a logical vulnerability when Outlook processes the so-called “reminder” object sent from the attacker. Please note that this attack doesn’t even need the victim to read the email on Outlook – it would be triggered automatically as long as the victim opens Outlook and connects to the email server. Here is a good analysis including a video demonstration, from MDSec .

Comparing the User Interoperability Required for Each Scenario

Now that we have reviewed all the attack vectors on Outlook, it would be interesting and valuable to compare each of them to see how easy (or hard) the attack scenario could be used for delivering exploits. Our methodology has us assuming the position of the attacker and we already have a working exploit for the targeted application, but we need Outlook as a “delivering method” to “deliver” that exploit “into” the targeted application.

We could use scores to mark the user interoperability required (or, the difficulty of delivering the exploit) for the attack scenario. For example, assuming we have a zero-day exploit for Microsoft Access – an app is usually installed with Outlook as part of the Office suite – and we need to use Outlook to deliver that Access exploit. We tested that when Microsoft Access is installed in the victim’s machine, a .accdb attachment would fall in Scenario 2.1.2 – The attachment’s extension name is not marked as “unsafe” and not marked as “safe” either. As we previously examined, that would require 1 double-click and 1 single-click.

If we set the score of a single-click to 1.0, because performing one double-click is a bit harder than performing one single-click, we could set the score of performing one double-click to 1.2 (plus 0.2, compared to single-clicking). The harder performing the action, the higher the score.

Thus, for the above Scenario 2.1.2, the total score is 1.2 (one double-click) + 1.0 (one single-click) = 2.2.

With this methodology, we could have the following table.

ScenarioDescriptionUser interoperabilityScore1.1Web links in email body1 single-click1.01.2Other hyperlinks in email body1 single-click1.02.1.1Attachment opened in third-party app, file type marked as unsafeN/AN/A2.1.2Attachment opened in third-party app, file type not marked as safe nor unsafe1 double-click and 1 single-click2.22.1.3Attachment opened in third-party app, file type marked as safe1 double-click1.22.2.1Attachment previewed in Outlook, file type marked as unsafeN/AN/A2.2.2Attachment previewed in Outlook, no registered previewer for file typeN/AN/A2.2.3Attachment previewed in Outlook, has registered previewer but not marked as safe2 single-clicks2.02.2.4Attachment previewed in Outlook, has registered previewer and marked as safe1 single-click1.03.1Email Reading / Preview Pane attack vectorNo click, just reading email is enough0.23.2Other Outlook special object exploitationNo click, just receiving email is enough0

Table 1 – a scoring system for various attack scenarios on Outlook

As you can see, we set the score of the Email Reading / Preview Pane attack vector to 0.2 (Scenario 3.1), as it requires a little more user interoperability compared to Scenario 3.2 – special object exploitation. For the special object exploitation, we set the score to 0, as this is the perfect scenario for attackers.

As we can find in the table, the most challenging scenario for attackers is Scenario 2.1.2  the attachment’s extension name is not marked as “unsafe” and not marked as “safe” either, which has the highest score – 2.2. The perfect one is the Scenario 3.2 – the Outlook special object exploitation (score 0), or the Scenario 3.1 – the email reading attack vector (score 0.2).

However, we need to take note that we are only comparing the user interoperability here; we have a big prerequisite of having a working exploit for the targeted app. In fact, most of the time, when the score is low (easy for exploit delivering), the difficulty of finding and developing a working exploit for the targeted app is high.

For example, for the web browser exploit, the score is low (1.0) which means it is relatively easy to deliver the exploit, but finding and developing a working exploit for modern browsers, such as Google Chrome, is costly (as the attacker needs to bypass all the modern exploitation mitigations). So from a defense point of view, the risks for web links in Outlook emails are not completely unacceptable for average users.

For another example, for Scenario 2.1.3 (one double-click to open the attachment), if we assume the attacker has a Word exploit that works on the normal mode but not the “Protected View” mode of Microsoft Word – it is, in fact, the most common case of Word-based attacks. If the attacker sends the exploit (from an external source) as an email attachment, in order to gain successful exploitation, the victim needs to not only perform the one double-click in this scenario but also needs to perform an additional single-click on Microsoft Word (for the “Enable Editing” button, see the following figure), in order to exit the very strict Protected View mode. So, there are in total two user-clicks required for delivering a typical Word-based exploit, if we consider the full attack chain.

Figure 15 – user needs to click the “Enable Editing” button to exit Office Protected View mode

Therefore, when we assess the risk for an exploit delivered via the Outlook attack vectors, we need to assess the whole picture – we need not just consider the Outlook attack scenario discussed in this paper, but also the exploit itself, including the difficulty of developing the exploit.

Conclusion

In this paper, we examined various attack vectors in modern Outlook and compared the user interoperability required for each scenario when attackers use Outlook to deliver their exploits. We analyzed the scenarios by acting as an average Outlook user, using real-world examples, and with our own cutting-edge vulnerability research efforts. We hope this paper can help the security industry deeply understand the security threats that Outlook may pose.

All discussed attack vectors in this paper are monitored and protected by Check Point solutions including Check Point Email Security & Collaboration Security. Harmony Email & Collaboration provides complete protection for Microsoft 365, Google Workspace and all your collaboration and file-sharing apps. Harmony Email & Collaboration is designed specifically for cloud email environments and is the ONLY solution that prevents, not just detects or responds to, threats from entering the inbox.

Harmony Endpoint provides comprehensive endpoint protection at the highest security level while XDR/XPR quickly identifies the most sophisticated attacks by correlating events across your entire security estate and combining with behavioral analytics, real time proprietary threat intelligence from Check Point Research and ThreatCloud AI, and third-party intelligence.

Threat Emulation as well as Check Point gateways provide superior security beyond any Next Generation Firewall (NGFW). Best designed for Zero Day protection, these gateways are the best at preventing the fifth generation of cyber attacks with more than 60 innovative security services.
Check Point Research proactively hunts Outlook and email related attacks in the wild. As a leading security company, Check Point continues to develop innovative detection and protection technologies for customers around the world.

The post The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors appeared first on Check Point Research.

Check Point Research – ​Read More

Letters with Remcos RAT hosted in Discord | Kaspersky official blog

/in

Since the beginning of the summer, Kaspersky systems have been recording an increase in the detection of Remcos remote-access  trojan attacks. The probable reason for this is a wave of malicious emails in which attackers try to convince employees of various companies to click on a link for malware installation.

Malicious letters

The bait that the attackers are using in this mailout isn’t something extraordinary. They pose as a new client who wants to purchase some products or services and tries to clarify some information: the availability or prices of some merchandise, their compliance with some criteria, or something similar. What matters is that, in order to clarify the information, the recipient must click the link and read the list of these criteria or requirements. To make their letters more persuasive, cybercriminals often ask how quickly it will be possible to deliver the goods or ask about terms for international delivery. Of course, you shouldn’t follow the link — it doesn’t lead to a list, but to a malicious script.

The attackers store their malicious script in an interesting place. Links have the address that looks like https://cdn.discordapp.com/attachments/. Discord is a completely legitimate communication platform, which allows users to exchange instant messages, make audio and video calls, and, most importantly, send various files. A Discord user can click on any file sent through this application and get a link that will make it available to an external user (this is necessary, for example, to quickly share a file via another messenger). It is these links that look like https://cdn.discordapp.com/attachments/ with some set of numbers identifying a specific file.

Discord is actively used by various gaming communities, but it’s sometimes also used by companies to communicate within different teams and departments or even with customers. Therefore, systems that filter malicious content in emails often don’t consider links to files stored on Discord servers as suspicious.

Accordingly, if a recipient of the letter decides to follow such a link, he’ll in fact download malicious JavaScript that imitates a text file. When the victim opens this file, malicious script will launch powershell which, in turn, will download the Remcos RAT to the user’s computer.

What is Remcos RAT and how dangerous is it?

Theoretically, Remcos RAT — or Remote Control and Surveillance — is a program for remote administration, which was released by the company Breaking Security. But it has long been used by cybercriminals for espionage and taking control of computers running Windows. For example, in 2020, we wrote about the use of Remcos RAT in malicious mailings that exploited the common delays in deliveries of goods during the coronavirus pandemic.

Remcos RAT collects data about both the victim and their computer, and then serves as a backdoor through which attackers can take complete control of the system. They download additional malicious software and run it, collect account data, record logs of user activity, and so on.

How to stay safe

In order to ensure that the Remcos malware doesn’t harm your company, we recommend using reliable security solutions both at the level of the mail gateway and on all work devices that have access to the internet. Thus, the malicious emails will be detected before they reach the mailboxes of employees, but even if attackers come up with a new delivery method, our endpoint protection solutions won’t let to download it. Kaspersky Endpoint Security detects Remcos RAT as Backdoor.MSIL.Remcos or Backdoor.Win32.Remcos.

Kaspersky official blog – ​Read More

Crypto Deception Unveiled: Check Point Research Reports Manipulation of Pool Liquidity Skyrockets Token Price by 22,000%.

/in

By Oded Vanunu, Dikla Barda, Roman Zaikin

Unmasking Deceptive Tactics: A recent investigation by Check Point Research exposes a troubling trend in the cryptocurrency landscape. Deceptive actors are manipulating pool liquidity, sending token prices soaring by a shocking 22,000%.

$80,000 Heist Unveiled: The manipulation of pool liquidity resulted in a swift and calculated theft of $80,000 from unsuspecting token holders. This incident sheds light on the evolving strategies scammers employ to exploit decentralized finance platforms.

Continued Threat Landscape: This incident follows hot on the heels of a previously reported million-dollar scam. Check Point Research recently delved into the intricacies of a rug pull orchestrated through a fake token factory. For details on this preceding incident, visit Check Point Research: Unraveling the Rug Pull.

Check Point’s Blockchain Threat Intelligence system raised an alert on pool liquidity manipulation, resulting in a staggering token price increase of 22,000%. The malicious actor exploited the liquidity pool, stealing $80,000 from unsuspecting holders.

Check Point’sBblockchain Threat Intelligence system detected a malevolent transaction:
https://etherscan.io/tx/0x85ebb1b1d6f091a2d72c4cffb66beea0552a07b2efabb5fd53d4198f8d159b64

What did we find?

The scammer created two wallets:

0x48F7661E84A823505d683D092a2DccdA1e5aA119

0x151a2498826F9fe6f214C92bB1811f7d1153b630

Using the first wallet, they deployed the contract token WIZ (0x2ae38b2b47bf41ba4ab8f749b092fdd02b00bc1e) and its liquidity pool pair address (0x6e0367d897a8fd8bcbc44b4e2a14bafa904360aa), which included reserves of WETH and WIZ tokens. In the second wallet (0x151a2498826F9fe6f214C92bB1811f7d1153b630), the scammer created a malicious contract (0x796042E0032aC5247bc04A49102d49c5b5A5cF0c) designed to exploit a backdoor and manipulate the WIZ token price, resulting in an $80,000 theft from victims.

Method of Operation:

Token Creation: The scammer launches a new cryptocurrency token, pairs it with a well-known cryptocurrency on a decentralized exchange (DEX), creating a liquidity pool.

Token Promotion: Aggressive marketing, often leveraging social media and influencers, generates hype and attracts investors.

Investor Participation: As investor interest grows, they start purchasing the new token.

Pool Manipulation: After accumulating substantial investments, the scammer manipulates the pool reserve by burning most WIZ tokens, reducing the supply and temporarily inflating the token’s price by 22,000%.

Scammer’s Gain: Exploiting the inflated price, the scammer sells a significant number of tokens, pocketing $80,000.

Technical Insights:

Liquidity pools

In the world of cryptocurrencies, you often need to swap one type of digital currency for another. But how do you do it easily and quickly without an intermediate? That’s where liquidity pools come in. Without these pools, you’d have to find someone willing to trade at the exact time and price you want, which can be difficult and time-consuming.

So how does a liquidity pool work?

Let’s break down the mechanics of a liquidity pool:

Picture a sizable digital reservoir holding two distinct cryptocurrencies—let’s call them Token A and Ethereum. This reservoir serves as an open arena where anyone can swap Token A for Ethereum or vice versa.

Now, when an individual decides to exchange Token A for Ethereum, they contribute Token A to the pool and withdraw an equivalent value of Ethereum. The dynamic pricing within the pool fluctuates based on the quantity of each token present. If there is an abundance of Token A but a scarcity of Ethereum, the value of Token A decreases while Ethereum’s value rises.

In the case at hand, the scammer manipulates the pool balance by burning tokens. Burning tokens within a liquidity pool, like the WIZ/WETH pool, can boost the token’s value by adhering to the core principles of supply and demand. As tokens are permanently removed from circulation, the overall supply diminishes.

Liquidity pools follows a formula that harmonizes the quantities of two tokens. When one token type (WIZ in this instance) undergoes reduction through burning, the relative value of the other token (WETH) in the pool escalates to maintain equilibrium. Failure to increase the amount of WETH leads to a substantial surge in the token price, particularly for WIZ.

Are you seeing how hackers or scammers exploit this method, known as liquidity pool manipulation, to sway token prices?

The crux of this strategy lies in the transient inflation of the token’s price within the liquidity pool. Given that decentralized exchange (DEX) prices hinge on asset ratios in the pool, diminishing one side (via burning) can ditort the price.

Liquidity pools become susceptible to exploitative tactics, including rug pulls or influencing contracts reliant on these pools for price data. This blog zeroes in on the former, unraveling the narrative of a scammer concealing a backdoor to manipulate the WIZ/WETH liquidity pool by incinerating their tokens.So, let us see what the scammer did:

The scammer runs the function ‘brr’ methodID (0x5606de36) on his malicious contract:

let’s see this function:

We can see on line 127 the scammer runs the transfer function on the _coin contract address, the _coin address will be set in an earlier function by the scammer to WIZ address: 0x2ae38b2b47bf41ba4ab8f749b092fdd02b00bc1e

Using this transfer function, the scammer was able to burn the WIZ tokens on the pool, let us understand how :

In order to get to the _burn function the scammer will have to pass a few checks, which we will explore now:

The first check he will need to go through is limitsEnabled, this would have needed to be set to False in order for the scammer to get to the second check.

for limitsEnabled to be False, the scammer needed to run the function called ‘removeLimits’

And as we can see, right before renouncing the ownership of WIZ contract he calls this function:

So this is how the scammer passes the first check.

Now let us look at the second check, in this, the ‘from’ address needs to return False on the ExcludeFromFees and True for isexcludedForMaxTxAmount,

since both functions _isExcludedFromFees and _isExcludedForMaxTxAmount are public, we can run them with the scammer contract address as input and check the results:

Let us look at how the malicious contract address was set to True on the ExcludedForMaxTxAmount, since this is the part that helps us understand that the person who created the WIZ token and the scammer is the same person.

In the WIZ contract code we found a backdoor, the scammer hardcoded the malicious contract address in the code as mktRecevier, and set the excludeFromMaxTranscation to True for this address:

This helps the scammer to pass the second check, and allows him to get to the _burn function.

He then uses this function to burn the WIZ tokens in the WIZ/WETH liquidity pool.

If we will continue to look at the malicious contract code:

We can see the scammer in line 132 of the malicious contract sync the pool and raises the WIZ price. Then at the end in line 137 executes 0xf77 which sells all the tokens and steals almost 80,000 dollars.

As you can see in CoinMarketCap the price of the token raises by 21949% at the time of this malicious transaction:

Scammer’s Strategy:

The scammer’s approach involves temporarily inflating the token price in the liquidity pool. By manipulating the pool balance, they influence the decentralized exchange prices. Liquidity pools, integral to various contracts, become vulnerable to manipulative schemes.

Conclusion:

This manipulation scheme highlights the susceptibility of liquidity pools to fraudulent activities. Scammers leverage backdoors and exploits to manipulate token prices, emphasizing the importance of vigilance in the decentralized finance space.

Check Point researchers are actively monitoring domains associated with the identified scammer’s wallet address and similar. The Threat Intel Blockchain system, developed by Check Point, continues to accumulate valuable information on emerging threats, and this intelligence will be shared in the future. In this collaborative effort, we aim to empower investors with the knowledge needed to navigate the crypto space securely and protect themselves from potential pitfalls. For more information contact us at: blockchain@checkpoint.com

The post Crypto Deception Unveiled: Check Point Research Reports Manipulation of Pool Liquidity Skyrockets Token Price by 22,000%. appeared first on Check Point Research.

Check Point Research – ​Read More

Restricted Settings in Android 13 and 14 | Kaspersky official blog

/in

With each new version of the Android operating system, new features are added to protect users from malware. For example, Android 13 introduced Restricted Settings. In this post, we’ll discuss what this feature involves, what it’s designed to protect against, and how effectively it does its job (spoiler: not very well).

What are Restricted Settings?

How do Restricted Settings operate? Imagine you’re installing an application from a third-party source — that is, downloading an APK file from somewhere and initiating its installation. Let’s suppose this application requires access to certain functions that Google considers particularly dangerous (and for good reason — but more on that later). In this case, the application will ask you to enable the necessary functions for it in your operating system settings.

However, in both Android 13 and 14, this isn’t possible for applications installed by users from APK files. If you go to your smartphone’s settings and try to grant dangerous permissions to such an application, a window titled Restricted Settings will appear. It will say “For your security, this setting is currently unavailable”.

When an application installed from third-party sources requests dangerous permissions, a window pops up with the title Restricted Settings

So, which permissions does Google consider so hazardous that access to them is blocked for any applications not downloaded from the store? Unfortunately, Google isn’t rushing to share this information. We therefore have to figure it out from independent publications for Android developers. At present, two such restrictions are known:

Permission to access Accessibility
Permission to access notifications

It’s possible that this list will change in future versions of Android. But for now it seems that these are all the permissions that Google has decided to restrict for applications downloaded from unknown sources. Now let’s discuss why this is even necessary.

Why Google considers Accessibility dangerous

We previously talked about Accessibility in a recent post titled the Top-3 most dangerous Android features. In short, Accessibility constitutes a set of Android features designed to assist people with severe visual impairments.

The initial idea was that Accessibility would enable applications to act as mediators between the visual interface of the operating system and individuals unable to use this interface but capable of issuing commands and receiving information through alternative means — typically by voice. Thus, Accessibility serves as a guide dog in the virtual space.

An application using Accessibility can see everything happening on the Android device’s screen, and perform any action on the user’s behalf — pressing buttons, inputting data, changing settings, and more.

This is precisely why the creators of malicious Android applications are so fond of Accessibility. This set of functions enables them to do a great deal of harm: spy on correspondence, snoop on passwords, steal financial information, intercept one-time transaction confirmation codes, and so on. Moreover, Accessibility also allows malware to perform user actions within other applications. For example, it can make a transfer in a banking app and confirm the transaction using the one-time code from a text message.

This is why Google deems the permission to access Accessibility particularly perilous — and rightly so. For apps available on Google Play, their use is subject to careful scrutiny by moderators. As for programs downloaded from unknown sources, Android developers have attempted to completely disable access to this set of functions.

Why Google restricts access to notifications

We’ve covered Accessibility, so now let’s talk about what’s wrong with applications accessing notifications (in Android, this function is called Notification Listener). The danger lies in the fact that notifications may contain a lot of personal information about the user.

For example, with access to all notifications, a malicious app can read almost all of the user’s incoming correspondence. In particular, it can intercept messages containing one-time codes for confirming bank transactions, logging in to various services (such as messengers), changing passwords, and so on.

Here, two serious threats arise. Firstly, an app with access to Notification Listener has a simple and convenient way to monitor the user — very useful for spyware.

Secondly, a malicious app can use the information obtained from notifications to hijack user accounts. And all this without any extra tricks, complex technical gimmicks, or expensive vulnerabilities — just exploiting Android’s built-in capabilities.

It’s not surprising that Google considers access to notifications no less dangerous than access to Accessibility, and attempts to restrict it for programs downloaded from outside the app stores.

How Android malware bypasses Restricted Settings

In both Android 13 and 14, the mechanism to protect against the use of dangerous functions by malicious apps downloaded from unknown sources operates as follows. App stores typically use the so-called session-based installation method. Apps installed using this method are considered safe by the system, no restrictions are placed on them, and users can grant these apps access to Accessibility and Notification Listener.

However, if an app is installed without using the session-based method — which is very likely to happen when a user manually downloads an APK — it’s deemed unsafe, and the Restricted Settings function is enabled for it.

Hence the bypass mechanism: even if a malicious app downloaded from an untrusted source cannot access Accessibility or notifications, it can use the session-based method to install another malicious app! It will be considered safe, and access restrictions won’t be activated.

We’re not talking theory here – this is a real problem: malware developers have already learned to bypass the Restricted Settings mechanism in the latest versions of their creations. Therefore, the restrictions in Android 13 and 14 will only combat malware that’s old — not protect against new malware.

How to disable Restricted Settings when installing an app from third-party sources

Even though it’s not safe, sometimes a user might need to grant access to Accessibility or Notification Listener to an app downloaded from outside the store. We recommend extreme caution in this case, and strongly advise scanning such an application with a reliable antivirus before installing it.

To disable the restrictions:

Open your smartphone settings
Go to the Apps section
Select the app you want to remove access restrictions for
In the upper right corner, tap on the three dots icon
Select Allow restricted settings

That’s it! Now, the menu option that lets you grant the app the necessary permissions will become active.

How to protect your Android smartphone

Since you can’t rely on Restricted Settings, you’ll have to use other methods to protect yourself from malware that abuses access to Accessibility or notifications:

Be wary of any apps requesting access to these features — we’ve discussed above why this is very dangerous
Try to install applications from official stores. Sometimes malware can still be found in them, but the risk is much lower than the chance of picking up trojans from obscure sites on the internet
If you really have to install an app from an unreliable source, remember to disable this option immediately after installation
Scan all applications you install with a reliable mobile antivirus.
If you’re using the free version of our protection tool, remember to do this manually before launching each new application. In the paid version of Kaspersky: Antivirus & VPN, this scan runs automatically.

Kaspersky official blog – ​Read More

4th December – Threat Intelligence Report

/in

For the latest discoveries in cyber research for the week of 4th December, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Check Point Research provides highlights about Cyber Av3ngers group activity, which has taken responsibility on defacing workstations at Pennsylvania’s Aliquippa municipal water authority. Following the attack, CISA has published an advisory about this hacktivists group which is affiliated to Iranian Revolutionary Guard Corps (IRGC) and reportedly hit multiple water utility companies in the United States by targeting Unitronics’ PLC devices.
The service of 60 United States based credit unions has been disrupted, after Ongoing Operations, a cloud hosting provider firm, has been a victim of a ransomware attack. Security researchers believe that the threat actors had exploited the Citrix NetScaler ‘Citrix Bleed’ vulnerability (CVE-2023-4966) to gain access to the firm’s network.

Check Point IPS provides protection against this threat (Citrix NetScaler Information Disclosure (CVE-2023-4966))

Japan’s space agency, JAXA, has disclosed that it had been hit by a cyber-attack. JAXA claimed that important rocket or satellite related operations information had not been affected, but that the breach is still being investigate. According to Japanese media, the attack had occurred in the summer, and was discovered by Japan’s police a few months later.
Campaigns targeting customers of hospitality reservation service booking.com have recently ramped up. Threat actors target hotels to gain access to their booking.com administration portals. The attackers then contact the hotels’ customers using the official app to redirect the payment to their own accounts.
Official Israeli government agencies have announced that a cyber incident had affected the network of Ziv hospital in Safed. The newly founded hacktivist group Malek Team has taken responsibility for the attack and claims to have exfiltrated 500GB of patients’ medical data from the hospital’s servers.
India’s National Aerospace Laboratories, a government owned firm which develops civilian aircraft, has suffered a ransomware attack on its network. The LockBit ransomware group has claimed responsibility for the breach and has leaked several documents allegedly exfiltrated in the breach.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit; Gen.Win.Crypter.Lockbit; Ransomware.Wins.LockBit.ta; Ransomware_Linux_Lockbit)

More than $50m in customers’ cryptocurrency has been stolen in a cyber-attack against blockchain platform KyberSwap. According to the company, the attackers used “a series of complex actions“ to exploit a vulnerability and transfer funds from customers’ wallets to their own.

VULNERABILITIES AND PATCHES

Google has released an advisory for Google Chrome addressing seven security vulnerabilities. One of the vulnerabilities, CVE-2023-6345, is a critical integer overflow vulnerability in the Skia 2D graphics library, which could allow a remote attacker to perform sandbox escape. Google claims to be aware of an active exploit for this vulnerability existing in the wild.
Apple has published security updates for its devices’ operation systems to patch the information-disclosure vulnerability CVE-2023-42916. According to Apple, the company is aware of reports of the vulnerability being actively exploited in the wild against previous versions of iOS devices.
Security researchers warn of active exploitation in large scale of OwnCloud vulnerability CVE-2023-49103, a critical information disclosure vulnerability in the graphapi OwnCloud from the last week.
Zyxel has released an advisory addressing 6 security vulnerabilities affecting the company’s NAS devices. Three of the vulnerabilities (CVE-2023-4473, CVE-2023-4474 and CVE-2023-35138) are considered critical and could allow an unauthenticated remote attacker to gain arbitrary code execution.

THREAT INTELLIGENCE REPORTS

Researchers have uncovered a campaign targeting a United States company in the aviation sector. The threat actors used spear phishing emails to gain access to the victim firm’s network, and installed a payload that collects information and creates a reverse shell. The researchers suspect the previously unfamiliar threat actor’s motivation is commercial industrial espionage.
The Ukrainian CERT has published an advisory warning of mass-targeting of Ukrainian citizens with emails leading to Remcos RAT infections. According to the report, the attackers sent malicious court summons to 15,000 Ukrainians using compromised email addresses of official judiciary authorities.

Check Point Threat Emulation provides protection against this threat (RAT.Wins.Remcos.A, Injector.Win.RunPE.A)

A campaign using a modified version of the notorious Gh0st Remote Access Trojan, dubbed SugarGh0st, has been discovered. The threat actors have targeted Uzbekistan’s Ministry of Foreign Affairs, as well as users in South Korea. Security researchers assess that a Chinese nation-state group is behind the attacks.

Check Point Threat Emulation provides protection against this threat (RAT.Win.Gh0stRAT, RAT.Wins.Gh0stRAT)

Researchers warn of a new campaign distributing the Lumma information stealer malware. The attackers had first breached a legitimate website, then use phishing emails to direct victims to the compromised website, causing malicious content to be downloaded.

Check Point Threat Emulation provides protection against this threat (InfoStealer.Win.LummaC2, InfoStealer.Wins.Lumma)

The post 4th December – Threat Intelligence Report appeared first on Check Point Research.

Check Point Research – ​Read More

Taking the complexity out of identity solutions for hybrid environments

/in

For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories.

As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left with a host of new identity challenges that many aren’t prepared to deal with. The proliferation of diverse cloud environments, each with its own identity solutions, coupled with the complexities of legacy systems, has resulted in fragmented and siloed identity services. That is where the identity fabric comes in.

The challenge of hybrid identity

Most environments are comprised of a mixture of multiple cloud and on-premise (on-prem) applications and systems. Though many are moving to modern Software-as-a-Service (SaaS) solutions, on-prem IAM products are often deeply embedded in mission-critical systems of organizations. They can’t simply be unplugged and replaced with modernized IAM solutions without risking significant business disruption, loss of data continuity, potential security risks and single points of failure.

Additionally, many modern IAM solutions struggle to meet the complex requirements of large, multi-layered organizations, including user role management, compliance with industry-specific regulations and integration with existing IT infrastructure. It has become painfully evident that a one-size-fits-all IAM system doesn’t exist, forcing organizations to use a combination of IAM systems across hybrid clouds and on-prem. A recent Osterman Research Report found that 52% of organizations stated that addressing identity access challenges in hybrid and multi-cloud environments was a critical initiative for them over the next year.

Managing identity fragmentation

As identity services multiply across hybrid cloud environments, organizations struggle to manage and enforce consistent user policies, comply with changing regulations, gain holistic visibility and mitigate user-related risks. Legacy applications remain tethered to legacy identity solutions, creating an inconsistent user experience without a single authoritative source for a user’s identity. Osterman research showed the top identity initiative for the next twelve months for 64% of the responding organizations was extending cloud identity capabilities to on-prem applications.

What is an identity fabric?

Businesses need a versatile solution that complements existing identity solutions while effectively integrating the various IAM silos that organizations have today into a cohesive whole. To provide consistent security policies and a better user experience, businesses require the ability to quickly audit all authentication workflows, layer intelligence to automate data-driven decisions and empower artificial intelligence (AI) and machine learning (ML) across legacy and on-prem applications in hybrid cloud deployments.

This is where an identity fabric comes into play: to bridge the gap between legacy identity infrastructure and modern cloud-based IAM systems. An identity fabric aims to integrate and enhance existing solutions rather than replace them. The goal is to create a less complex environment where consistent security authentication flows and visibility can be enforced. This approach aligns with our strategy of “taking the complexity out of identity solutions for hybrid environments.”

Learn more about identity fabric

Providing the foundation for an identity fabric

We have found that there are some fundamental building blocks to delivering an effective identity fabric:

The first step is to eliminate the identity silos by creating a single, authoritative directory. It’s critical that this directory be vendor-agnostic so it can stitch together all of your directories to create a single source of truth, management and enforcement. IBM Security Verify Directory offers flexibility, efficiency and scalability across on-prem, cloud and hybrid environments, providing smooth and secure access control.
The next step is to extend modern authentication mechanisms to your legacy applications, which are often abandoned due to the need for more funding, time and/or skills to modify existing application authentication flows. IBM’s Application Gateway is a product-agnostic gateway designed to bridge the gap between legacy and modern apps and systems with no-code integrations that allow legacy applications to take advantage of modern and advanced authentication capabilities, helping to reduce risk and improve regulatory compliance.
The third step incorporates behavioral risk-based authentication for modern and legacy applications. Regardless of the IAM solutions in use, risk-based authentication solutions enable a continuous assessment of risk levels at the time of access. Verify Trust introduces dynamic risk-based authentication, enhancing security without requiring a complete system overhaul. Powered by AI, Verify Trust delivers accurate and continuous risk-based access protection against the latest account takeover techniques by combining global intelligence, user behavioral biometrics, authentication results, network data, account history and a range of device risk detection capabilities.

Explore the Verify family

Orchestration holds your identity fabric together

Orchestration is the integration glue to an identity fabric. Without it, building an identity fabric would be resource-intensive. Orchestration allows more intelligent decision-making and simplifies onboarding and offboarding. It enables you to build consistent security policies while taking the burden off your administrators as you quickly and easily automate processes at scale.

For example, you have a legacy application with a homegrown identity system. The people who wrote it have long since left. Orchestration enables you to create a workflow so that when a user logs in to the system, it automatically creates a user account on the preferred modern identity solution with low code or no code identity orchestration. When users return to that homegrown application, they will automatically access it with a modern authentication mechanism.

Effective identity orchestration allows you to achieve simplicity in legacy and modern application coexistence, remove the burden of identity solution proliferation, consolidate identity silos, reduce identity solution vendor lock-in and simplify identity solution migrations by allowing for highly customizable flows with little-to-no code across identity solutions.

Take the next step in identity solutions

Whether you are an organization looking for workforce access, customer IAM, privileged access or governance identity solutions, or looking to build an identity fabric with your existing identity solutions, IBM Security Verify takes the complexity out of identity solutions for hybrid environments, emphasizing innovation and customer-centricity. We invite all stakeholders to join us on this transformative journey as we shape the future of IAM. Together, we will simplify identity solutions for the ever-evolving world of hybrid environments.

Join us for a webinar to learn more.

The post Taking the complexity out of identity solutions for hybrid environments appeared first on Security Intelligence.

Security Intelligence – ​Read More

How to stop, disable, and remove any Android apps — even system ones | Kaspersky official blog

/in

Most smartphones have an average of around 80 installed apps, of which at least 30% are never used since most are forgotten about. But such “ballast” is harmful: there’s less free space on the device; potential bugs and compatibility issues multiply; and even unused apps at times distract you with pointless alerts.

To make things worse, abandoned apps can continue collecting data about the phone and its owner and feed it to advertising firms, or simply gobble up mobile data. Hopefully, we’ve already convinced you to “debloat” your smartphone at least a couple of times a year and uninstall apps you haven’t used for ages — not forgetting to cancel any paid subscriptions to them!

But, unfortunately, some apps are vendor-protected against uninstallation, and so aren’t all that easy to jettison. Thankfully, there are some ways to get round this problem…

Uninstall the app

Sometimes you can’t find an unwanted app under the Manage apps & device tab of the Google Play app. First, try to remove it through the phone settings: look there for the Apps section. This lists all installed programs and has a search feature to save you from having to scroll through them all. Having found the unwanted app and tapping it, you’re taken to the App Info screen. Here you can view the app’s mobile data, battery, and storage consumption, and, most importantly, find and tap the Uninstall button. If the button is there and active, the job’s done.

List of all installed apps and the App Info screen with the Uninstall button

Disable the app

If the app was installed on the phone by the vendor, it’s likely to be non-removable and have no Uninstall button on the App Info screen. That said, it’s not necessarily linked to the OS or core components of the smartphone — it could be, say, a Facebook client or a proprietary browser. Such apps are often called bloatware since they bloat the phone’s firmware and the list of standard apps. The easiest way to disable such apps is on the above-mentioned App Info screen; instead of Uninstall, the relevant button will be marked Disable. A disabled app is not much different from an uninstalled one — it vanishes from the set of icons on the startup screen and won’t run manually or when the phone boots up. Should you need it later, you can easily turn it back on with a single tap on that same App Info screen.

Disabling reduces the risk of data leakage, but does nothing to save storage space — unfortunately, the disabled app continues to take up memory on your phone. If you absolutely have to uninstall it — but there’s no Uninstall button — read on!…

For non-removable apps, instead of an Uninstall button, the App Info screen shows a Disable button

Stop the app

But what if the Disable button on the App Info screen is grayed out and untappable? For especially important programs, vendors take care to block the disabling option — often for a good reason (they’re vital to the system) — so you need to think very carefully before trying to disable or uninstall such apps manually. Open your favorite search engine and punch in the query “exact smartphone model number + exact app name”. Most likely you’ll see Android user forum discussions at the top of the search results. These often give information about whether the given app is safe to disable or whether there could be any side effects.

To perform a harmless experiment with an app that can’t be disabled, you can use the Force Stop button. This is the second button on that App Info screen and it’s almost always active — even for apps that can’t be disabled. Force Stop simply stops the app temporarily, without attempting to remove or permanently disable it. However, it no longer consumes power or mobile data — and can no longer spy on you. And if your phone continues to work as normal, then perhaps the app isn’t that important after all.

But stopped apps can start up again when certain events occur or after a phone restart, and stopping them manually each time — moreover regularly — can be troublesome and inconvenient. Fortunately, you can automate this task with the Greenify app. It doesn’t require superuser rights to work, but merely automates navigating to the now-familiar App Info screen and tapping the Force Stop button. You simply supply Greenify with a list of unwanted apps and set a Force Stop schedule to, say, twice a day. Other tools offer similar functionality, but Greenify’s advantage is its lack of “extra” features.

If the Disable button is inactive, try using Force Stop

Freeze or uninstall the app despite its objections

If you tested stopping a non-removable app and suffered no negative effects, you might consider freezing it or removing it altogether. Freezing is the same as disabling but is done using different tools. Before delving into the details, note that freezing requires technical skill and the activation of Developer mode on your phone. This mode itself creates certain information security risks by allowing connections to the phone via USB or LAN in special technical modes, plus the ability to view and modify its contents. Although Google has fenced off this functionality with many safeguards (permission requests, additional passwords, and so on), the room for error (thus creating risks) is high.

One more thing: before you start tinkering, be sure to create the fullest possible backup of your smartphone data.

If all of the above hasn’t scared you off, see the guide in the box.

Freezing and uninstalling non-removable Android apps in Developer mode

Download and install Android SDK Platform-Tools on your computer. Of the tools inside, you’ll only need the Android Debug Bridge USB driver and the ADB command line.
Enable Developer mode on your phone. The details vary slightly from vendor to vendor, but the general recipe is roughly the same: repeatedly tap the Build Number option in the About Phone.
Enable USB Debugging under Developer Settings on your smartphone. There are multiple options there — but don’t touch any apart from these two!
Connect your smartphone to your computer through USB.
Allow Debug mode on your phone screen.
Test Debug mode by getting a list of all packages (what developers call apps) installed on your phone. To do so, type the following in the ADB command line
adb shell pm list packages
The response will be a long list of packages installed on the phone, in which you need to find the name of the unwanted app. This might look something like facebook.katana or com.samsung.android.bixby.agent. You can often (but not always) tell which app is which by their names.
Freeze (disable) the unwanted app using the ADB command line. To do so, enter the command
adb shell pm disable-user –user 0 PACKAGENAME ,
where PACKAGENAME is the name of the unwanted app package. Different vendors may have different usernames (0 in our example), so check the correct PM command for your smartphone. As before, an online search helps out: “phone model + Debloat” or “phone model + ADB PM”.
You can use developer commands to not only disable an app but also completely uninstall it. To do so, replace the previous command with adb shell pm uninstall –user 0 PACKAGENAME
Restart your phone.

The free Universal Android Debloater tool somewhat simplifies all this sorcery. It issues ADB commands automatically, based on the “cleaning packages” selected from the menu, which are prepared with both the vendor and model in mind. But since this is an open-source app written by enthusiasts, we can’t vouch for its efficacy.

Kaspersky official blog – ​Read More