Thursday, November 23, 2017

Tag: Zero-day attack

Zero-day attack exploits a legitimate process in Windows, according to Cybellum; AV vendors downplay threat.
Google has shut down an operation that combined malicious AdSense advertisements with a zero-day attack on Chrome for Android to force devices to download banking-fraud malware. Over a two-month span, the campaign downloaded the Banker.AndroidOS.Svpeng banking trojan onto about 318,000 devices monitored by Kaspersky Lab, researchers from the Moscow-based anti-malware provider reported in a blog post published Monday. The malicious installation files weren't executed automatically, but they carried names such as last-browser-update.apk and WhatsApp.apk that were designed to trick targets into installing them by hand. Kaspersky privately reported the scam to Google, and engineers from the search company put an end to the campaign, although the timing of those two events wasn't immediately clear.

"So far, those behind Svpeng have limited their attacks to smartphone users in Russia," Kaspersky Lab researchers Nikita Buchka and Anton Kivva wrote in Monday's post. "However, next time they push their 'adverts' on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?"

A Google spokesman said a fix for the auto-download vulnerability was being tested in Chrome version 54 and was expected to be "live 100%" in version 55. (He didn't respond to a request asking him to elaborate.) He also said an Android security feature known as Verify Apps warned users when they tried to install one of the malicious apps. He didn't explain how the malicious advertisements slipped past Google's security checks or what company engineers are doing to prevent AdSense from running similar ones in the future.
Last week, researchers from another security firm, Cylance, disclosed a separate malvertising campaign on Google AdWords that targeted Mac users.

Kaspersky Lab researchers said it was clear from lulls in the campaign that someone or something inside Google detected and removed many of the malicious ads distributing the Svpeng installation files. But even after old ones were expelled, new ones took their place. "The high rates and abrupt changes in the number of detections are easy to explain: Google has been quick to block the ads that the trojan uses for propagation," the researchers wrote. "However, this is a reactive rather than proactive approach—the malicious ads were blocked after the trojan was already on thousands of Android devices. It is also worth noting that there were multiple occasions in the past two months when these ads found their way on to AdSense; similar attacks have been occurring up to the present time, with the most recent attack registered on 19 October 2016."

Monday's report is yet another reminder why it's generally a good idea not to change the default Android setting that blocks installation of apps from outside the official Google Play store. It also reaffirms the importance of remaining highly skeptical of webpages urging users to install files. Google deserves credit for quickly removing malicious ads and for creating safety nets such as Verify Apps and the default prohibition on installing apps from outside Google Play, but as the Kaspersky Lab researchers point out, these measures reactively treat the symptoms rather than curing the underlying disease.
News Analysis: Two million usernames and email addresses were exposed after the breach of unpatched forum software. Here's what happened and what we should learn from it.

Ubuntu Linux is one of the most popular Linux distributions in use today, making its users an attractive target for attackers.
In an attack that was officially confirmed on July 15, Canonical, the lead commercial vendor behind Ubuntu Linux, revealed that its Ubuntu Forums user community had been hacked and that the attacker gained unauthorized access to a database of 2 million users. Although the attacker gained access to the user database, that access was somewhat limited and didn't directly expose any valid user passwords, according to Canonical CEO Jane Silber. "We know the attacker was not able to gain access to any Ubuntu code repository or update mechanism," Silber wrote in a blog post. "We know the attacker was not able to gain access to valid user passwords."

What the attacker did have was the ability to read any information in the forums' database tables. Canonical's analysis, however, is that the attacker only accessed the user table, Silber said. With that access, the attacker was able to download usernames, email addresses and IP addresses for 2 million users.

The Ubuntu user forums use Ubuntu's single sign-on system, so user passwords were not stored in the forums database; the password fields in the user table held random strings rather than real credentials. Canonical determined the root cause of the breach to be a known SQL injection vulnerability in the Forumrunner add-on for the vBulletin forum software.

Though Canonical constantly updates its Ubuntu software, the organization had apparently neglected to keep Forumrunner and vBulletin current with the latest patches. So, to recap: information on 2 million Ubuntu users was exposed, not by an exotic zero-day attack, but through a known SQL injection vulnerability that Canonical should have patched.

Canonical certainly isn't unique here: more often than not, the root cause identified in a breach is a known, already-patched vulnerability. To its credit, though, Canonical didn't have easily readable passwords stored in its forums user database.

That doesn't mean there is no risk: attackers now hold a list of 2 million Ubuntu users, complete with email addresses and IP addresses that could be used for phishing or other wrongdoing. As a fix for the breach, Canonical has patched vBulletin and put a Web application firewall (WAF) in place, both measures that should have been present before the breach.

Canonical is using the open-source ModSecurity WAF, which can be configured to limit the risk of SQL injection attacks. Canonical is certainly not the first (and won't be the last) Linux organization to be the victim of a breach.
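The following is an added example, not code from Canonical, vBulletin or Forumrunner, and it illustrates both the root cause described above (a known SQL injection in a forum add-on that let the attacker read the whole user table) and the two-part fix (patch the query, put a WAF in front). It assumes a constructed in-memory SQLite `user` table with a handful of sample rows, a hypothetical forum endpoint `handle_request` that looks a user up by id, and a toy signature list `SQLI_PATTERNS` standing in for a WAF rule set; none of these are the real Forumrunner, vBulletin or ModSecurity logic.

```python
"""Added example, not code from Canonical, vBulletin or Forumrunner.

It reproduces the bug class behind the Ubuntu Forums breach (a known SQL
injection in a forum add-on) against a constructed in-memory 'user' table,
shows the parameterised fix, and puts a toy request filter in front of both
to illustrate why a WAF is a secondary layer rather than a substitute for
patching. The endpoint, table layout, sample rows and filter rules are all
assumptions made for this demo.
"""
import re
import sqlite3

# Constructed sample rows standing in for the forums 'user' table. The
# password column holds random strings, mirroring the article's point that
# the forums database did not contain real credentials.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "203.0.113.10", "x9Qf3kLm2p"),
    (2, "bob", "bob@example.com", "203.0.113.11", "Tz7wR1nVb4"),
    (3, "carol", "carol@example.com", "203.0.113.12", "Hq2sY8eJd6"),
]


def build_db():
    """Create the demo database in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER, username TEXT, email TEXT,"
        " ipaddress TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, userid):
    """Unpatched style: the request parameter is concatenated into the SQL."""
    sql = "SELECT username, email, ipaddress FROM user WHERE userid = " + userid
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn, userid):
    """Patched style: validate the type, then bind the value as a parameter."""
    uid = int(userid)  # raises ValueError for anything that is not an integer
    return conn.execute(
        "SELECT username, email, ipaddress FROM user WHERE userid = ?", (uid,)
    ).fetchall()


# Toy signatures standing in for a WAF rule set. Assumption: this is NOT the
# real ModSecurity Core Rule Set logic, which uses libinjection and far more
# rules; it is only enough to show the shape of signature-based blocking.
SQLI_PATTERNS = [
    r"(?i)\bOR\b\s+\d+\s*=\s*\d+",           # classic tautology: OR 1=1
    r"(?i)\bUNION\b\s+(?:ALL\s+)?SELECT\b",  # UNION-based data extraction
    r"--|/\*|;",                             # comment or statement separators
]


def waf_blocks(value):
    """Return True when the toy WAF would reject this parameter value."""
    return any(re.search(p, value) for p in SQLI_PATTERNS)


def handle_request(conn, userid, patched):
    """Hypothetical forum endpoint: WAF check first, then the query."""
    if waf_blocks(userid):
        return {"status": 403, "rows": []}
    try:
        rows = (lookup_user_fixed(conn, userid) if patched
                else lookup_user_vulnerable(conn, userid))
    except ValueError:
        return {"status": 400, "rows": []}
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = build_db()
    for payload in ("1", "1 OR 1=1", "1 OR 2>1"):
        for patched in (False, True):
            label = "patched" if patched else "unpatched"
            print(f"{label:9} {payload!r:12} -> {handle_request(db, payload, patched)}")
```

Run as a script, the unpatched endpoint returns every row (usernames, email addresses and IP addresses, the same columns the Ubuntu Forums attacker took) for the tautology `1 OR 1=1`, and the toy WAF blocks that payload. The variant `1 OR 2>1` slips past the signature list and still dumps the table from the unpatched query, while the patched query rejects it outright because the parameter never reaches the SQL parser. That gap is the practical reason the article treats the WAF as an extra layer and the patch as the actual fix.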

Back in 2011, the Linux Foundation suffered a security breach that exposed passwords and email addresses. In February, attackers breached the user forums for the popular Linux Mint distribution.

In the modern era, the simple truth is that any unpatched or misconfigured system, be it Linux or otherwise, is an easy target for an attacker. It is incumbent on all operating system vendors to be forever vigilant in fully patching systems, ensuring correct permission configuration and making use of additional security layers, such as a WAF, to protect themselves and their users.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
