- 24 hours later, Apple fixes the bug in macOS High Sierra that allowed Root access with no password
- US Judge Orders Coinbase to hand over details of 14,355 US citizens to the IRS
- The Shipping Giant Clarkson has suffered a security breach
- New variants of the UBoatRAT RAT hits targets in East Asia
Posted: 30 Nov 2017 09:56 AM PST
Just 24 hours later, Apple issued a security update for macOS High Sierra that addresses the bug that allowed Root access with no password
Yesterday I published a post on an embarrassing flaw affecting macOS High Sierra, tracked as CVE-2017-13872, that can be exploited to gain root access to a machine with no password.
The vulnerability is exploitable via the authentication dialog box in macOS High Sierra that asks for an administrator's username and password when the user attempts privileged actions such as changing privacy or network settings.
From the login screen, if the user enters "root" as the username, leaves the password box blank, hits "enter" and then clicks on unlock a few times, the prompt disappears and the user gains admin rights.
Initial reports suggested that the exploit works by entering the username "root" with a blank password, but the expert Tom Ervin discovered that it works with any password.
The attack scenario requires physical access to the machine in order to log in; once inside, the attacker can perform several malicious activities, such as installing malware.
Even though the flaw was first reported on the Apple developer forums on November 13 by a user, Apple only learned of it on Tuesday, when the web developer Lemi Orhan Ergin tweeted about it.
The flaw affects macOS High Sierra 10.13 and 10.13.1; it doesn't impact macOS Sierra 10.12.6 and earlier.
Just 24 hours later, Apple announced the availability of a security update for macOS High Sierra that addresses the issue.
"An attacker may be able to bypass administrator authentication without supplying the administrator's password," the company said in its advisory.
“A logic error existed in the validation of credentials. This was addressed with improved credential validation.”
Experts noticed that if the root account is already enabled and has a password set, the trick does not work; for this reason Apple has deactivated the root account by default.
(Security Affairs – macOS High Sierra, hacking)
The post 24 hours later, Apple fixes the bug in macOS High Sierra that allowed Root access with no password appeared first on Security Affairs.
Posted: 30 Nov 2017 05:50 AM PST
A federal judge in California has ruled that the cryptocurrency exchange Coinbase must hand over details of over 14,000 users to the US IRS.
In November 2016, the US Internal Revenue Service (IRS) filed a motion asking the US Federal Court for the Northern District of California to force the US-based cryptocurrency exchange to hand over the personal details of all US users who conducted Bitcoin trades between January 1, 2013, and December 31, 2015.
The motion is part of a tax evasion investigation launched by US authorities, aimed at tracking people who hold funds in Bitcoin, or who were paid in the cryptocurrency, in order to avoid paying US taxes.
Now a federal judge in the Northern District of California has ruled that Coinbase must hand over details of over 14,000 users to the IRS. Coinbase must provide personal and financial details of its US users, including names, birth dates, addresses, Bitcoin wallet IDs and tax ID numbers.
According to the IRS, during the period under investigation only about 900 US citizens paid taxes on Bitcoin-related operations, even though Coinbase was serving millions of users, most of them in the US.
The judge initially rejected the IRS filing because of the huge number of users affected and its potential impact, but the agency filed a new motion earlier in November, and the judge ruled that Coinbase must hand over the personal details of all US Coinbase users with at least one account used for Bitcoin transactions worth more than $20,000 between January 1, 2013, and December 31, 2015.
According to Coinbase, it is now forced to hand over data belonging to 14,355 users, a small fraction of the nearly 500,000 users covered by the first motion.
“The government initially sought private financial records of approximately 500,000 account holders. In response to Coinbase's continuing fight, the IRS significantly reduced the scope of the summons to approximately 14,000 customers. Although this 97% reduction in impacted customers is a big win for our customers, the IRS still took Coinbase to court to obtain a sweeping set of customer records. Today we argued, even as narrowed, the summons is still unjustified and invasive to our customers.” reads a blog post published by the company.
The list of 14,355 US users will not include users for whom Coinbase filed 1099-K tax forms, nor users who only bought Bitcoin, kept it in their accounts and never used it.
The message is clear: US authorities will try to prosecute tax evasion that relies on cryptocurrencies to avoid controls.
(Security Affairs – Coinbase, Bitcoin)
Posted: 29 Nov 2017 11:25 PM PST
Clarkson, one of the world's largest providers of shipping services, has publicly disclosed a security breach.
Clarkson confirmed that the hackers may release some of the stolen data, but it hasn't provided further details due to the ongoing law enforcement investigation.
The information disclosed by the company suggests the cyber criminals attempted to blackmail it, demanding payment of a ransom to avoid having its data leaked online.
According to Clarkson, the hackers compromised a single user account to access the systems of the shipping giant.
“Clarkson PLC confirms that it was subject to a cybersecurity incident which involved unauthorised access to the Company's computer systems.” Clarkson said in a statement.
“Our initial investigations have shown the unauthorised access was gained via a single and isolated user account which has now been disabled.”
The company disabled the account after discovering the incident and has begun notifying affected customers and individuals.
The company had been expecting the cyber criminals to publish part of the stolen data on Tuesday, but at the time of writing nothing had been published.
The company said it has been conducting a review of the security of its architecture and announced new IT security measures.
"As you would rightly expect, we're working closely with specialist police teams and data security experts to do all we can to best understand the incident and what we can do to protect our clients now and in the future," said Andi Case, CEO of Clarkson. "We hope that, in time, we can share the lessons learned with our clients to help stop them from becoming victims themselves. In the meantime, I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised."
(Security Affairs – Clarkson shipping, data breach)
Posted: 29 Nov 2017 10:23 PM PST
Palo Alto Networks discovered a custom RAT dubbed UBoatRAT that has been used in targeted attacks on personnel or organizations related to South Korea.
Security experts from Palo Alto Networks discovered a custom remote access Trojan (RAT) dubbed UBoatRAT that has been used in targeted attacks on personnel or organizations related to South Korea and the video gaming industry.
UBoatRAT has been distributed through Google Drive links. The malware obtains the address of its command and control (C&C) server from GitHub and uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.
The address of the C&C and the destination port are hidden in a file hosted on GitHub, which the malware retrieves through a specific URL. UBoatRAT communicates with the C&C server using a custom protocol.
The attackers used the GitHub account 'elsa999'; according to the researchers, its owner has been frequently updating the repositories since July.
UBoatRAT was first spotted in May 2017; at the time it was a simple HTTP backdoor leveraging a public blog service in Hong Kong and a compromised web server in Japan for C&C.
Over the following months the authors added several new features to the RAT; the latest variant was released during the summer.
“Palo Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT.” reads the analysis published by Palo Alto Networks.
“The attacks with the latest variants we found in September have the following characteristics.
The exact targets are still unclear; the experts speculate the attackers were aiming at Korea or the video game industry, because Korean-language game titles, Korea-based game company names and terms used in the video game business appeared in the delivery files.
UBoatRAT performs its malicious activities only on machines joined to an Active Directory domain, which means that user systems that are not part of a domain are not affected.
Threat actors delivered the RAT through a ZIP archive hosted on Google Drive and containing a malicious executable file disguised as a folder or a Microsoft Excel spreadsheet. The latest variants of the UBoatRAT masquerade as Microsoft Word document files.
The RAT halts execution when it detects virtualization software such as VMware, VirtualBox or QEMU. Otherwise it attempts to obtain the domain name from the network parameters; if it fails to get the domain name, it displays a fake error message and quits.
If a domain is found, UBoatRAT copies itself as C:\programdata\svchost.exe, creates and executes C:\programdata\init.bat, then displays a specific message and quits.
Experts observed that the malware relies on the Microsoft Windows Background Intelligent Transfer Service (BITS), a service for transferring files between machines, to maintain persistence.
“Bitsadmin.exe is a command-line tool users can use to create and monitor BITS jobs. The tool provides the option /SetNotifyCmdLine, which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot,” continues the analysis.
Once it has established a covert channel with the C&C, the malware waits for backdoor commands from the attacker.
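A defender-side check for the persistence hook described above, written here as an added example (it is not code from the Palo Alto Networks analysis or from this article): it runs bitsadmin's verbose listing on a Windows host and reports every BITS job whose notification command line is set, the field that /SetNotifyCmdLine populates. It assumes bitsadmin.exe is available and that the verbose listing prints a "GUID: {...} DISPLAY: ..." header line and a "NOTIFICATION COMMAND LINE: ..." line for each job ("none" when unset).

```powershell
# Added example, not from the original article or the Palo Alto analysis.
# Lists BITS jobs that carry a notification command line, i.e. a program BITS
# will launch when the transfer finishes or errors (the /SetNotifyCmdLine hook).
# Run from an elevated prompt so /allusers can see jobs owned by other accounts.
# Assumed bitsadmin verbose listing format: a "GUID: {...} DISPLAY: ..." header
# and a "NOTIFICATION COMMAND LINE: <value>" line per job, "none" when unset.
function Get-BitsJobsWithNotifyCmdLine {
    $lines = & bitsadmin.exe /list /allusers /verbose
    $job = $null
    foreach ($line in $lines) {
        # A new job block starts with its GUID and display name.
        if ($line -match '^GUID:\s*(\{[^}]+\})\s+DISPLAY:\s*(.*)$') {
            $job = [pscustomobject]@{
                Guid          = $matches[1]
                Display       = $matches[2].Trim()
                Owner         = $null
                NotifyCmdLine = $null
            }
            continue
        }
        if ($null -eq $job) { continue }
        # The OWNER field shares a line with TYPE and STATE in the verbose output.
        if ($line -match 'OWNER:\s*(.+)$') { $job.Owner = $matches[1].Trim() }
        if ($line -match '^NOTIFICATION COMMAND LINE:\s*(.*)$') {
            $value = $matches[1].Trim()
            if ($value -and $value -ne 'none') {
                $job.NotifyCmdLine = $value
                $job   # emit only jobs that have a notification command line set
            }
        }
    }
}

# Every job listed here should be explainable; a notify command pointing into
# C:\ProgramData (the drop path the article cites for UBoatRAT) deserves a look.
Get-BitsJobsWithNotifyCmdLine | Format-Table -AutoSize -Wrap
```

Legitimate software rarely sets a notification command line, so an empty result is the expected state on most hosts.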
The researchers have identified fourteen samples of UBoatRAT, as well as one downloader associated with the attacks.
“Though the latest version of UBoatRAT was released in September, we have seen multiple updates in elsa999 accounts on GitHub in October. The author seems to be vigorously developing or testing the threat.” concluded Palo Alto Networks.
(Security Affairs – malware, UBoatRAT)