Cyber Security News February 2019

This posting is here to collect cyber security news in February 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

 

373 Comments

  1. Tomi Engdahl says:

    New Backdoor Targets Linux Servers
    https://www.securityweek.com/new-backdoor-targets-linux-servers

    A new backdoor is targeting Linux servers in East Asia and Latin America, including Amazon Web Services (AWS) hosted machines, Check Point security researchers say.

    Dubbed ‘SpeakUp’, the new Trojan targets known vulnerabilities in six different Linux distributions and attempts to propagate internally and beyond via remote code execution vulnerabilities. The malware also has the ability to infect Mac devices.

    Reply
  2. Tomi Engdahl says:

    Researchers Identify Hacker Behind Massive Data Breach Collection
    https://www.securityweek.com/researchers-identify-hacker-behind-massive-data-breach-collection

    Recorded Future says that its security researchers were able to identify the hacker who first distributed the recently surfaced database of 773 million email addresses.

    Named “Collection #1” and made up of individual data breaches from thousands of different sources, the database was 87.18 GB in size, containing a total of 2,692,818,238 rows representing email addresses and passwords.

    Reply
  3. Tomi Engdahl says:

    Flaw Possibly Affecting 500,000 Ubiquity Devices Exploited in the Wild
    https://www.securityweek.com/flaw-possibly-affecting-500000-ubiquity-devices-exploited-wild

    Nearly half a million Ubiquity devices may be affected by a vulnerability that has already been exploited in the wild, security experts warned last week.

    Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed last week on Twitter that hackers had been remotely targeting Ubiquity networking devices exposed via a discovery service accessible on UDP port 10001.

    https://twitter.com/troutman/status/1090212243197870081

    Reply
  4. Tomi Engdahl says:

    Why Fighting Card-Not-Present Fraud Remains an Ongoing Challenge
    https://www.securityweek.com/why-fighting-card-not-present-fraud-remains-ongoing-challenge

    The recent takedown of the xDedic marketplace—where threat actors had been buying and selling access to compromised remote desktop protocol (RDP) servers since at least 2016 and that, according to authorities, had facilitated over $68 million USD in fraud—is the latest reminder that fraudulent card-not-present (CNP) transactions remain a persistent and dynamic challenge for fraud teams.

    Reply
  5. Tomi Engdahl says:

    Attackers Use CoAP for DDoS Amplification
    https://www.securityweek.com/attackers-use-coap-ddos-amplification

    Attackers recently started abusing the Constrained Application Protocol (CoAP) for the reflection/amplification of distributed denial of service (DDoS) attacks, NETSCOUT warns.

    CoAP is a simple UDP protocol designed for low-power computers on unreliable networks that appears similar to HTTP, but which operates over UDP (User Datagram Protocol) port 5683. The protocol is mainly used by mobile phones in China, but is also present in Internet of Things (IoT) devices.

    Reply
  6. Tomi Engdahl says:

    Zcash Discloses Vulnerability That Could Have Allowed ‘Infinite Counterfeit’ Cryptocurrency
    http://fortune.com/2019/02/05/zcash-vulnerability-cryptocurrency/

    On March 1 of last year, Ariel Gabizon was tidying up a presentation he was preparing to deliver the following day at a financial cryptography conference on the Caribbean island of Curaçao when he spotted a seemingly small mathematical mistake that could, he realized, jeopardize billions of dollars in capital.

    Ultimately, an attacker could have exploited the vulnerability to mint an infinite amount of counterfeit Zcash—as well as any other cryptocurrency that relied on its cryptographic technology—and no one would have been the wiser.

    team patched the security hole in October, roughly eight months after its initial discovery. “We don’t believe that there was any exploitation of the vulnerability”

    The Zcash team, which conceded that it cannot be absolutely certain that the vulnerability wasn’t exploited

    The team limited the number of people in the know, used encrypted communications, and carefully selected confidantes

    While Zcash and a couple of the other top affected cryptocurrencies have patched their systems, not every project susceptible to the bug had a heads up. Indeed, some projects appear still to be vulnerable, raising questions about the proper way to handle vulnerability disclosure in the cybercoin era.

    Coordinating a fix
    When Zcash researchers first discovered the counterfeiting vulnerability, they faced a dilemma. They could disclose the bug immediately, inciting chaos and panic and opening a number of cryptocurrency-related projects—including theirs—to attack, or they could keep the bug between themselves, create a fix, and sneak it into a planned network upgrade, only later quietly looping in other affected parties

    The team opted for the latter approach.

    Reply
  7. Tomi Engdahl says:

    Google releases Chrome extension to check for leaked usernames and passwords
    https://www.zdnet.com/article/google-releases-chrome-extension-to-check-for-leaked-usernames-and-passwords/

    Google releases “Password Checkup” Chrome extension on Safer Internet Day.

    Reply
  8. Tomi Engdahl says:

    http://www.etn.fi/index.php/13-news/9046-etayhteysprotokolla-vuotaa-kuin-seula

    Reverse RDP Attack: Code Execution on RDP Clients
    https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/

    Used by thousands of IT professionals and security researchers worldwide, the Remote Desktop Protocol (RDP) is usually considered a safe and trustworthy application to connect to remote computers. Whether it is used to help those working remotely or to work in a safe VM environment, RDP clients are an invaluable tool.

    However, Check Point Research recently discovered multiple critical vulnerabilities in the commonly used Remote Desktop Protocol (RDP) that would allow a malicious actor to reverse the usual direction of communication and infect the IT professional or security researcher’s computer. Such an infection could then allow for an intrusion into the IT network as a whole.
    16 major vulnerabilities and a total of 25 security vulnerabilities were found overall.

    Reply
  9. Tomi Engdahl says:

    Don’t Let Huawei Help Set Up 5G, US Warns EU Nations
    https://www.securityweek.com/dont-let-huawei-help-set-5g-us-warns-eu-nations

    US officials are fanning out across Europe to warn about the security risks of allowing Chinese telecoms giant Huawei to help build 5G mobile networks, a US diplomat said Tuesday.

    Washington considers the matter urgent as European Union countries prepare to roll out fifth-generation networks that will bring near-instantaneous connectivity, vast data capacity and futuristic technologies.

    “We are urging folks not to rush ahead and sign contracts with untrusted suppliers from countries like China,” a US State Department official told reporters in Brussels.

    The official said he was meeting EU officials as well as those in Belgium, France and Germany, while colleagues will be travelling to Spain and elsewhere to underline US concerns.

    “Going with an untrusted supplier like Huawei or ZTE will have all sorts of ramifications for your national security,” he warned, speaking on condition of anonymity.

    It could also undermine intellectual property protection, privacy and human rights, he added.

    In December, European Commission Vice President Andrus Ansip echoed US warnings about the threat posed by Huawei and ZTE who — under a 2017 Chinese cybersecurity law — are required to cooperate with Beijing’s intelligence services.

    Reply
  10. Tomi Engdahl says:

    RDP Servers Can Hack Client Devices: Researchers
    https://www.securityweek.com/rdp-servers-can-hack-client-devices-researchers

    More than two dozen vulnerabilities have been discovered by security experts in popular implementations of the remote desktop protocol (RDP), including flaws that allow a malicious RDP server to hack a device running the client RDP software.

    RDP allows users to remotely connect to other devices on the network. The protocol was originally developed by Microsoft for Windows, but there are also several open source implementations that can be used on Linux and Unix systems.

    The FBI warned recently that attacks involving RDP have been on the rise in the past couple of years, fueled by RDP access sold on the dark web.

    https://www.securityweek.com/rdp-increasingly-abused-attacks-fbi

    Reply
  11. Tomi Engdahl says:

    ‘No Material Impact’ From Foreign Meddling in 2018 US Vote: Report
    https://www.securityweek.com/no-material-impact-foreign-meddling-2018-us-vote-report

    Foreign meddling and hacking attempts had “no material impact” on the US midterm congressional elections last year, according to a high-level review by the Justice and Homeland Security Departments Tuesday.

    Reply
  12. Tomi Engdahl says:

    BuzzFeed News:
    A story of two hackers, both US citizens and former members of the UGNazi hacking group, who deceived and murdered one hacker’s girlfriend in the Philippines

    “Down The Rabbit Hole I Go”: How A Young Woman Followed Two Hackers’ Lies To Her Death
    https://www.buzzfeednews.com/article/josephbernstein/tomi-masters-down-the-rabbit-hole-i-go

    Tomi Masters was a 23-year-old from Indiana who moved to California with dreams of making it big in the cannabis business. Then she met a hacker who introduced her to a dark new world of digital manipulation, suspicion, paranoia, and fear — one that swallowed her alive and left her floating in a river in the Philippines.

    Reply
  13. Tomi Engdahl says:

    Russian Darknet Forum Selling Access to U.S. News Sites
    https://darkwebnews.com/dark-web/russian-darknet-forum-sells-us-news-sites-access/

    Sixgill, an Israeli threat intelligence company, recently revealed that a Russian-language darknet forum has been selling access to the content management systems of a variety of news sites.

    According to the company, the illicit trade has been going on since October 2018.

    One bundle that the darknet website offered contained logins to 1,425 U.S.-based news sites.

    the starting bid price was at $600 with an option of outright purchase at $1,200.

    Reply
  14. Tomi Engdahl says:

    ExileRAT shares C2 with LuckyCat, targets Tibet
    https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html

    Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile.

    Reply
  15. Tomi Engdahl says:

    Struts Vulnerability CVE-2017-5638 on VMware vCenter – the Gift that Keeps on Giving
    https://isc.sans.edu/forums/diary/Struts+Vulnerability+CVE20175638+on+VMware+vCenter+the+Gift+that+Keeps+on+Giving/24606/

    All too often when doing an internal security assessment or penetration test, a simple NMAP scan will find back-end infrastructure such as RADIUS servers, Hypervisors, iLo, iDRAC and other BMC host addresss – essentially the parts of the datacenter that real people shouldn’t need access to.

    Reply
  16. Tomi Engdahl says:

    SpeakUp Linux Backdoor Sets Up for Major Attack
    https://threatpost.com/speakup-linux-backdoor/141431/

    Armed with an impressive bag of exploits and other tricks for propagation, researchers believe the new trojan could be the catalyst for an upcoming, major cyber-offensive.

    LAS VEGAS — A backdoor trojan dubbed “SpeakUp” has been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. It uses a complex bag of tricks to infect hosts and to propagate, which analysts say could indicate that it’s poised for a major offensive involving a vast number of infected hosts, potentially worldwide.

    Reply
  17. Tomi Engdahl says:

    Security researchers discover new Linux backdoor named SpeakUp
    SpeakUp backdoor trojan can run on six different Linux distributions, and even on macOS.
    https://www.zdnet.com/article/security-researchers-discover-new-linux-backdoor-named-speakup/

    Reply
  18. Tomi Engdahl says:

    New Malware Siphons Cryptocurrency Wallets and Credentials, Credit Cards
    https://www.bleepingcomputer.com/news/security/new-malware-siphons-cryptocurrency-wallets-and-credentials-credit-cards/

    CookieMiner is a new malware strain capable of stealing and exfiltrating web browser cookies related to online wallet services and cryptocurrency exchange websites, as well as passwords, text messages, and credit card credentials.

    Reply
  19. Tomi Engdahl says:

    Good news! Only half of Internet of Crap apps fumble encryption
    https://www.theregister.co.uk/2019/02/04/iot_apps_encryption/

    Android apps for TP-Link, LIFX, Belkin, and Broadlink kit found with holes, some at least have been repaired

    Evaluating the security of IoT devices can be difficult, particularly if you’re not adept at firmware binary analysis. An alternative approach would be just to assume IoT security is generally terrible, and a new study has shown that’s probably a safe bet.

    In a paper distributed last week through preprint service ArXiv, computer scientists Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash from the Federal University of Pernambuco, Brazil, and the University of Michigan describe how they analyzed the security of apps accompanying IoT devices as indication of the overall security of the associated hardware.

    “Our intuition is that if this interaction between the companion app and device firmware is not implemented with good security principles, the device’s firmware is potentially insecure and vulnerable to attacks,” they explain in their paper.

    Reply
  20. Tomi Engdahl says:

    Houzz discloses data breach, asks some users to reset passwords
    https://www.welivesecurity.com/2019/02/04/houzz-discloses-data-breach-asks-some-users-to-reset-passwords/

    Citing an ongoing investigation, the company wouldn’t say how or when the incident occurred

    Reply
  21. Tomi Engdahl says:

    Citing an ongoing investigation, the company wouldn’t say how or when the incident occurred
    https://thehackernews.com/2019/02/sim-swapping-hack.html

    A 20-year-old college student who stole cryptocurrency worth more than $5 million by hijacking victims’ phone numbers has pleaded guilty and accepted a sentence of 10 years in prison.

    Ortiz was arrested last year on charges of siphoning millions of dollars in cryptocurrency from around 40 victims using a method commonly known as “SIM swapping,” which typically involves fraudulently porting of the same number to a new SIM card belonging to the attacker.

    Reply
  22. Tomi Engdahl says:

    Benjamin Mayo / 9to5Mac:
    Security researcher, who’s shared iOS flaws before, demos a macOS Keychain exploit but won’t share details with Apple because of the lack of a macOS bug bounty

    Security researcher demos macOS exploit to access Keychain passwords, but won’t share details with Apple out of protest
    https://9to5mac.com/2019/02/06/mac-keychain-exploit/

    Security researcher Linuz Henze has shared a video demonstration of what is claimed to be a macOS Mojave exploit to access passwords stored in the Keychain. However, he has said he is not sharing his findings with Apple out of protest.

    Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility.

    However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.

    KeySteal – Stealing your keychain passwords on macOS Mojave
    https://www.youtube.com/watch?v=nYTBZ9iPqsU

    Reply
  23. Tomi Engdahl says:

    James Vincent / The Verge:
    Google says Gmail is now blocking an extra 100M spam messages each day by using TensorFlow-trained machine learning models — Google is using its machine learning platform, TensorFlow, to eke out additional gains — Google has recruited its in-house machine learning framework, TensorFlow …

    Gmail is now blocking 100 million extra spam messages every day with AI
    https://www.theverge.com/2019/2/6/18213453/gmail-tensorflow-machine-learning-spam-100-million

    Google is using its machine learning platform, TensorFlow, to eke out additional gains

    Reply
  24. Tomi Engdahl says:

    Jeff Stone / CyberScoop:
    Researchers discover e-ticketing flaw at 8+ airlines, including Southwest, that would let hackers access sensitive info by intercepting emails to travellers

    E-ticketing system exposes airline passengers’ personal information via email
    https://www.cyberscoop.com/airlines-ticketing-email-hackers-wandera-southwest/

    At least eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to research published Wednesday by the mobile security company Wandera.

    The systems fail to secure customers’ personally identifiable information, including names, boarding passes, passport numbers and flight numbers, Wandera said.

    The email vulnerabilities still exist, Wandera found, even though researchers notified affected companies weeks ago, and despite growing corporate awareness about the risks associated with sacrificing security for convenience.

    https://www.wandera.com/mobile-security/airline-check-in-risk/

    Reply
  25. Tomi Engdahl says:

    Intercept Images from a Security Camera Using Wireshark [Tutorial]
    https://www.youtube.com/watch?v=va1wUSPGgSU

    How to Use Wireshark to Hijack Pictures from Wi-Fi Cameras

    Reply
  26. Tomi Engdahl says:

    USB drive DESTROYED by customer; Louis attempts data recovery anyway.
    https://www.youtube.com/watch?v=zcUv6bpc4NU

    Reply
  27. Tomi Engdahl says:

    Scammers Abuse Gmail Address Feature in Fraud Attacks
    https://www.securityweek.com/scammers-abuse-gmail-address-feature-attacks

    A group of scammers has been abusing a Gmail feature that gives users control over all dotted versions of their Gmail addresses.

    The feature, Agari says, has provided scammers with the ability to scale their operations by opening multiple fraudulent credit card accounts. These accounts are then used to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online information providers.

    One scammer was reportedly able to submit a total of twenty-two separate applications under different identities, which allowed them to open over $65,000 in fraudulent credit cards at a single financial institution.

    Reply
  28. Tomi Engdahl says:

    macOS Mojave Zero-Day Allows Theft of Keychain Passwords
    https://www.securityweek.com/macos-mojave-zero-day-allows-theft-keychain-passwords

    A researcher has disclosed the existence of a zero-day vulnerability in macOS Mojave that can be exploited by malware to steal plaintext passwords from the operating system’s Keychain. The flaw has not been reported to Apple, but its details have not been made public.

    Germany-based Linus Henze has published a video showing how a malicious application installed on a system running the latest release of Apple’s macOS Mojave operating system (10.14.3) can extract passwords from the local Keychain password management system.

    According to Henze, the malicious app and the user account on which it is running don’t require admin privileges for the attack to work. However, passwords can only be obtained from that user’s Keychain

    Reply
  29. Tomi Engdahl says:

    Chinese Hackers Spy on U.S. Law Firm, Major Norwegian MSP
    https://www.securityweek.com/chinese-hackers-spy-us-law-firm-major-norwegian-msp

    China-linked cyber-espionage group APT10 has targeted companies in the United States and Europe to steal intellectual property or gain commercial advantage, Recorded Future security researchers say.

    The attacks, observed between November 2017 and September 2018, hit at least three companies, namely Norwegian IT and business managed service provider (MSP) Visma, an international apparel company, and a U.S. law firm with strong experience in intellectual property law.

    The Chinese hackers used Citrix and LogMeIn remote-access software and stolen valid user credentials to access the networks of targeted companies. For privilege escalation, DLL sideloading techniques previously associated with APT10 were used.

    Reply
  30. Tomi Engdahl says:

    Lawmakers Concerned About Apple’s Handling of FaceTime Spying Bug
    https://www.securityweek.com/lawmakers-concerned-about-apples-handling-facetime-spying-bug

    Two members of the U.S. House of Representatives want to know more about how Apple has handled the recently disclosed bug that made it easy to spy on FaceTime users.

    In a letter sent to Apple CEO Tim Cook, Democrats Frank Pallone and Jan Schakowsky, both members of the House’s Committee on Energy and Commerce, have asked the tech giant for more transparency on its investigation into the FaceTime bug.

    Reply
  31. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Leaked documents show around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data for at least five years — In January, Motherboard revealed that AT&T, T-Mobile, and Sprint were selling their customers’ real-time location data …

    Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years
    https://motherboard.vice.com/en_us/article/43z3dn/hundreds-bounty-hunters-att-tmobile-sprint-customer-location-data-years

    Documents show that bail bond companies used a secret phone tracking service to make tens of thousands of location requests.

    Reply
  32. Tomi Engdahl says:

    Benjamin Mayo / 9to5Mac:
    A security researcher who has shared iOS flaws before demos a macOS Keychain exploit, won’t share details with Apple because of the lack of a macOS bug bounty
    https://9to5mac.com/2019/02/06/mac-keychain-exploit/

    Reply
  33. Tomi Engdahl says:

    German Competition Watchdog Demands More Control for Facebook Users
    https://www.securityweek.com/german-competition-watchdog-demands-more-control-facebook-users

    Facebook users should be asked for consent before data collected by the group’s subsidiaries Whatsapp and Instagram and on third-party websites is combined with their social network account, Germany’s competition authority said Thursday.

    Neither should users who refuse permission for their data to be merged be shut out of Facebook services as a result, the Federal Competition Office (FCO) ruled.

    Reply
  34. Tomi Engdahl says:

    Apple tells app developers to disclose or remove screen recording code
    https://techcrunch.com/2019/02/07/apple-glassbox-apps/?utm_source=tcfbpage&sr_share=facebook

    Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm.

    Reply
  35. Tomi Engdahl says:

    Phishers Serve Fake Login Pages via Google Translate
    https://www.securityweek.com/phishers-serve-fake-login-pages-google-translate

    A recent phishing attack targeting mobile users leveraged Google Translate to serve fake login pages to Google and Facebook users.

    The attack started with a basic notification sent to the intended victim’s email address, claiming that someone had accessed their Google account from a new device. The user is prompted to review the activity by clicking on a button in the notification, which takes them to the phishing page instead.

    When viewed on a mobile phone, the message is condensed and seems legitimate. However, if the user switches to a desktop PC, it becomes clear that the email is a phishing attempt

    Akamai’s Larry Cashdollar, who discovered the attack, points out that the abuse of known brand names to give legitimacy to fake messages is a known tactic in phishing. Cybercriminals use various social engineering tactics to trick users into falling victims to their attacks without paying attention to little details.

    Phishing Attacks Against Facebook / Google via Google Translate
    https://blogs.akamai.com/sitr/2019/02/phishing-attacks-against-facebook-google-via-google-translate.html

    Reply
  36. Tomi Engdahl says:

    Australian Parliament Computer Network Breached
    https://www.securityweek.com/australian-parliament-computer-network-breached

    Australia’s parliament revealed Friday that its computer network had been compromised by an unspecified “security incident” and said an investigation was under way.

    “Following a security incident on the parliamentary computing network, a number of measures have been implemented to protect the network and its users,” parliamentary authorities said in a statement.

    Officials declined to comment on the nature of the cyber security breach, but said there was no initial evidence that data had been accessed.

    Reply
  37. Tomi Engdahl says:

    Apple Patches FaceTime Spying Vulnerability
    https://www.securityweek.com/apple-patches-facetime-spying-vulnerability

    Apple has finally released an iOS update that should fully patch the Group FaceTime vulnerability that could have been exploited to spy on users through their device’s microphone and camera.

    Apple described the flaw, tracked as CVE-2019-6223, as a logic issue in the handling of Group FaceTime calls. The company says the problem has been addressed with “improved state management.”

    Reply
  38. Tomi Engdahl says:

    Australia Wields Vast Decryption Powers Before Planned Review
    https://www.securityweek.com/australia-wields-vast-decryption-powers-planned-review

    Australian security agencies have begun using sweeping new powers to access encrypted communications, even before a promised review to address concerns from the likes of Google, Apple and Facebook.

    The powers were granted under a new decryption law which was rushed through parliament in December amid fierce debate, and was seen as the latest salvo between governments and tech firms over national security and privacy.

    Two months later, the Australian Federal Police have revealed that agents have already used it while investigating drug trafficking and child exploitation.

    Under the fresh rules, refusal to grant authorities access to devices is punishable with up to 10 years in prison, and police told a parliamentary inquiry they had used that threat to compel two suspects to hand over their passwords.

    Reply
  39. Tomi Engdahl says:

    Zero-day Vulnerability Highlights the Responsible Disclosure Dilemma
    https://www.securityweek.com/zero-day-vulnerability-highlights-responsible-disclosure-dilemma

    A zero-day vulnerability found in a video-conferencing system and responsibly disclosed led to the response, “Our developers are aware of some known vulnerabilities with the systems, development for these devices has slowed significantly as they are End of Life. For devices that are still under support, we may target future releases.”

    This left the vulnerability finder — Trustwave SpiderLabs’ researcher Simon Kenin — with a quandary: make public the vulnerability so that users would be aware of the threat and attackers might use it, or just sit on it. Shodan shows there are 372 Lifesize devices in universities around the world. The Lifesize website claims, “Tens of thousands of organizations around the world use Lifesize.”

    The vulnerability, amounting to multiple command injection flaws, is trivial to exploit and was found in all versions of four Lifesize products: Team, Room, Passport and Networker.

    The Lifesize problem is nothing more than a lack of sanitization: user provided input is passed direct to the PHP shell_exec function, which executes system commands as the webserver user. The value to the attacker is limited, but nevertheless gets him a foothold on the server.

    However, by combining this new command injection vulnerability with a separate — and also unfixed — privilege escalation bug, Kenin blogged he “could achieve root privileges on the Lifesize product’s system and have full persistence on the device and its underlying corporate network.” He wrote a full python PoC exploit and provided it with his disclosure to Lifesize in November 2018.

    He had no reply from Lifesize. In January 2019 he tried again — and this is when he was told there would be no fix. “It is always a dilemma when you go public with an advisory after a responsible disclosure process that does not result in a fix,” he wrote. “On one hand, I could simply trash my work on this research and keep attention off of it… But,” he added, “for all we know, a malicious attacker could already have in their possession the same knowledge that I do and may be actively using this exploit to infiltrate corporate networks.”

    With no sign of a patch, he decided he would have to go to full disclosure — but this story has a happy ending. The day before he was due to publish his findings, Lifesize issued a statement: “We encourage all customers using Lifesize 220 Series systems to contact Lifesize support for a hotfix. Our support teams can be reached by telephone, email or by opening a support ticket.”

    Reply
  40. Tomi Engdahl says:

    Google Patches Critical .PNG Image Bug
    https://threatpost.com/google-patches-critical-png-image-bug/141524/

    Eleven critical bugs will be patched as part of the February Android Security Bulletin.

    Google has patched a critical vulnerability in its current and legacy versions of its Android operating system, which allow an attacker to send a specially crafted Portable Network Graphics (.PNG) image file to a targeted device and execute arbitrary code.

    In its February Android Security Bulletin, Google lists three critical Android Framework vulnerabilities (CVE-2019-1986, CVE-2019-1987, CVE-2019-1988), one of which is associated with the .PNG bug. Impacted versions of its Android OS range from Nougat (7.0) to its current Pie (9.0).

    Reply
  41. Tomi Engdahl says:

    It’s 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can
    Malicious Bluetooth signals, too, it looks like
    https://www.theregister.co.uk/2019/02/07/android_january_patches/

    The worst vulnerability in the latest monthly batch, according to the ad giant, is one in which a maliciously crafted PNG image could execute code smuggled within the file, if an application views it. Thus an evil .PNG file opened by a chat app or email reader, say, could start running malware on the device with high-level privileges.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*