- fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS
- A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations
- UDPOS PoS malware exfiltrates credit card data DNS queries
- Researcher found multiple vulnerabilities in NETGEAR Routers, update them now!
- The source code of the Apple iOS iBoot Bootloader leaked online
- Swisscom data breach Hits 800,000 Customers, 10% of Swiss population
Posted: 09 Feb 2018 12:23 PM PST
The hacker group known as ‘fail0verflow’ has discovered a vulnerability in the Nintendo Switch gaming console that could be exploited to install a Linux distro.
The hackers announced their discovery in a post on Twitter; they published an image of a console running the Debian Linux distro after the hack.
The fail0verflow group revealed that the exploit triggers a flaw in the boot ROM of the Nvidia Tegra X1 chip that powers the console; if confirmed, the issue cannot be fixed with a software or firmware update.
When asked whether they had built the hack on nvtboot, the group answered that no closed-source boot chain components were involved.
The discovery of a flaw in the boot ROM opens the door to hacking the console for other purposes, for example piracy.
In the near future, hackers could find a way to install homebrew apps and pirated games on the Nintendo Switch.
On the other side, Nintendo could work with Nvidia on new, more secure Tegra X1 chips; as a temporary measure it could ban users with hacked consoles from online play.
(Security Affairs – Nintendo Switch, hacking)
The post fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS appeared first on Security Affairs.
Posted: 09 Feb 2018 07:04 AM PST
Security expert Paulos Yibelo has discovered a vulnerability in Hotspot Shield VPN from AnchorFree that can expose locations of the users.
Paulos Yibelo, a security researcher, has discovered a vulnerability that can expose the locations of users around the globe, compromising their anonymity and privacy. The company has about 500 million users globally.
VPN services are used nowadays to protect the identity of individual users and to prevent eavesdropping on their browsing habits. In countries like North Korea and China, where internet access is restricted by censorship or heavily monitored, they are popular among political activists and dissidents, since these services hide the real IP addresses of users, which could otherwise be used to locate a person's real address.
The Great Firewall of China is an example. Locating a Hotspot Shield user in a rogue country could put their life and their families at risk.
According to the researcher, the Hotspot Shield VPN developed by AnchorFree to secure users' connections and protect their privacy contained flaws that allow the disclosure of sensitive information such as the country, the name of the Wi-Fi network and the user's real IP address.
“By disclosing information such as Wi-Fi name, an attacker can easily narrow down or pinpoint where the victim is located, you can narrow down a list of places where your victim is located,” states Paulos Yibelo.
The vulnerability, tracked as CVE-2018-6460, was published on Monday without a response from the company, but on Wednesday a patch was released to address the issue. The flaw lies in the local web server (127.0.0.1 on port 895) that Hotspot Shield installs on the user's machine.
“http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected and what their real IP address is & other juicy system information. There are other multiple endpoints that return sensitive data including configuration details,” continues the researcher.
“While that endpoint is presented without any authorization, status.js is actually a JSON endpoint so there are no sensitive functions to override, but when we send the parameter func with $_APPLOG.Rfunc, it returns that function as a JSONP name. We can obviously override this in our malicious page and steal its contents by supplying a tm parameter timestamp, that way we can provide a logtime.”
Once running, the server exposes multiple JSONP endpoints that require no authentication and whose responses leak sensitive information about the VPN service, such as configuration details. The researcher released a proof of concept (PoC) for the flaw; however, ZDNet reporter Zack Whittaker independently verified that the flaw revealed only the Wi-Fi network name and the country, not the real IP address.
The company replied to the researcher's allegation:
“We have found that this vulnerability does not leak the user’s real IP address or any personal information, but may expose some generic information such as the user’s country. We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information”.
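As an added illustration (not code from the researcher or from AnchorFree), the Python snippet below contrasts the two server-side patterns at the heart of this report: a local status endpoint that echoes a caller-chosen func parameter as a JSONP callback, which any web page can read through a script tag, and a hardened version that serves plain JSON and releases it only to requests carrying a secret header that the app's own UI knows. The status fields, the X-Auth-Token header and the APP_TOKEN design are assumptions, not Hotspot Shield's real format.

```python
import json
import secrets
from urllib.parse import parse_qs

# Constructed sample of what a local VPN status endpoint might hold; the field
# names are assumptions, not Hotspot Shield's real response format.
STATUS = {"connected": True, "country": "CH", "wifi_ssid": "HomeNet-5G"}

# Per-install secret handed only to the app's own UI at startup (assumed design).
APP_TOKEN = secrets.token_hex(16)


def vulnerable_status(query: str) -> str:
    """Leaky pattern: the handler echoes a caller-chosen 'func' parameter as a
    JSONP callback. A <script src="http://localhost:895/status.js?func=..."> tag
    on any web page executes the response, so that page receives the JSON even
    though the same-origin policy would block a plain cross-origin read."""
    params = parse_qs(query)
    body = json.dumps(STATUS)
    callback = params.get("func", [None])[0]
    if callback:
        return f"{callback}({body});"
    return body


def hardened_status(query: str, headers: dict) -> tuple:
    """Hardened pattern: plain JSON only (no callback), and the data is released
    only when the request carries the app's own secret header. A <script> tag
    cannot add custom headers, so a cross-site page is refused; and even a
    fetched plain-JSON body is not executable, so nothing leaks via JSONP.
    Returns (status_code, body, response_headers)."""
    token = headers.get("X-Auth-Token", "")
    if not secrets.compare_digest(token, APP_TOKEN):
        return 403, json.dumps({"error": "forbidden"}), {"Content-Type": "application/json"}
    # Any 'func' in the query string is deliberately ignored.
    return 200, json.dumps(STATUS), {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("vulnerable:", vulnerable_status("func=leak&tm=1517990400"))
    print("hardened, no token:", hardened_status("func=leak", {}))
    print("hardened, app token:", hardened_status("", {"X-Auth-Token": APP_TOKEN}))
```

The point of the contrast is that a JSON body on localhost is already protected from other origins by the browser; it is the callback wrapper that turns it into loadable script. Dropping JSONP and binding the endpoint to a secret the page cannot obtain closes both the read and the execution path.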
About the author: Luis Nakamoto
Luis Nakamoto is a Computer Science student focused on cryptology and an information security enthusiast, having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. He is also a prolific and compulsive writer, contributing to Portal Tic from Sebrae Nacional.
(Security Affairs – Hotspot Shield VPN, privacy)
The post A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations appeared first on Security Affairs.
Posted: 09 Feb 2018 05:39 AM PST
A new PoS malware dubbed UDPoS has appeared in the threat landscape; it implements a novel and hard-to-detect technique to steal credit card data from infected systems.
The UDPoS malware was spotted by researchers from Forcepoint Labs; it relies on User Datagram Protocol (UDP) DNS traffic for data exfiltration instead of HTTP, the protocol used by most PoS malware.
UDPoS, the first PoS malicious code to implement this technique, disguises itself as an update from LogMeIn, a legitimate remote desktop control application.
“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” reads a blog post published by LogMeIn.
“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”
The UDPoS malware only targets older POS systems that use LogMeIn.
“However, in amongst the digital haystack there exists the occasional needle: we recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests. Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.” reads the analysis published by ForcePoint.
The command and control (C&C) server is hosted by a Swiss-based VPS provider, another unusual choice for this kind of malware.
The server hosts a 7-Zip self-extracting archive, update.exe, containing LogmeinServicePack_5.115.22.001.exe and log, which is the actual malware.
The malicious code implements a number of evasion techniques: it searches for antivirus software and disables it, and it checks whether it is running in a virtualized environment.
“For the anti-AV and anti-VM solution, there are four DLL and three Named Pipe identifiers stored in both service and monitor components:
However, only the monitor component makes use of these and, moreover, the code responsible for opening module handles is flawed: it will only try to open cmdvrt32.dll – a library related to Comodo security products – and nothing else.” continues the analysis.
“It is unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing or a straightforward error on the part of the developers.”
It must be highlighted that there is currently no evidence of the UDPoS malware being used in attacks in the wild, but the activity of the C&C servers suggests crooks were preparing attacks.
In the past other malware has used DNS traffic to exfiltrate data; one example is the DNSMessenger RAT spotted by Cisco Talos experts in 2017, which leverages PowerShell scripts to fetch commands from DNS TXT records.
Further info about the UDPoS malware, including IoCs, is available in the blog post.
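The detection angle on DNS-based exfiltration, as an added example that is not part of the Forcepoint or Talos analyses: the Python script below scans a constructed resolver log for a client issuing many unique, hex-looking subdomain queries against a single domain, the pattern behind the “unusual” DNS requests that gave UDPoS away. The log format, client addresses and domain names are constructed; the thresholds are assumptions to be tuned per environment.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log in the shape "timestamp client qtype qname"; it
# imitates what a DNS server log might contain and is not real UDPoS traffic.
SAMPLE_LOG = """\
2018-02-09T10:00:01 10.0.0.5 A www.example.com
2018-02-09T10:00:02 10.0.0.5 A 4a6f686e20446f65.5a4b1c.exfil-example.net
2018-02-09T10:00:02 10.0.0.5 A 343132333435363738.a91f0.exfil-example.net
2018-02-09T10:00:03 10.0.0.5 A 39303132383736.c77e2.exfil-example.net
2018-02-09T10:00:03 10.0.0.5 A 313233.0f3d9.exfil-example.net
2018-02-09T10:00:04 10.0.0.7 A mail.example.com
2018-02-09T10:00:05 10.0.0.7 AAAA cdn.example.org
"""

HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score higher than dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain). Treating the last two labels as
    the registered domain is a simplification; production code should use
    the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse(log_text: str, min_unique=3, max_label_len=20, hex_ratio=0.5):
    """Group queries by (client, registered domain) and flag groups whose many
    unique subdomains look like encoded data: hex-only or overly long leading
    labels. Returns one finding dict per suspicious pair."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _qtype, qname = parts
        sub, domain = split_qname(qname)
        if sub:
            seen[(client, domain)].add(sub)

    findings = []
    for (client, domain), subs in seen.items():
        if len(subs) < min_unique:
            continue
        leading = [s.split(".")[0] for s in subs]
        hex_share = sum(1 for lab in leading if HEX_LABEL.match(lab)) / len(leading)
        longest = max(len(lab) for lab in leading)
        if hex_share >= hex_ratio or longest > max_label_len:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_subdomains": len(subs),
                "hex_share": hex_share,
                "longest_label": longest,
                "mean_entropy": sum(map(shannon_entropy, leading)) / len(leading),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Counting unique subdomains per client and domain is the key: a legitimate CDN produces a handful of repeated names, whereas a DNS channel must mint a fresh name for every chunk of data, because a repeated name would be answered from the resolver cache and never reach the attacker's server.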
(Security Affairs – UDPoS , PoS malware)
The post UDPOS PoS malware exfiltrates credit card data DNS queries appeared first on Security Affairs.
Posted: 09 Feb 2018 03:31 AM PST
Security researcher Martin Rakhmanov from Trustwave conducted a one-year study of the firmware running on Netgear routers and discovered vulnerabilities in a couple of dozen models.
Netgear has just released several security updates that address vulnerabilities in a couple of dozen models.
The vulnerabilities were reported by security researcher Martin Rakhmanov from Trustwave, who conducted a one-year study of the firmware running on Netgear’s boxes.
Users are advised to apply the security patches as soon as possible, since the flaws can be exploited by hackers to compromise gateways and wireless access points.
The expert discovered that 17 different Netgear routers are affected by a remote authentication bypass that could be exploited by a remote attacker to access target networks without having to provide a password.
“This also affects large set of products (17 total) and is trivial to exploit. Authentication is bypassed if "&genie=1" is found within the query string,” reads the analysis published by Rakhmanov.
Yes, that’s right: an attacker just needs to append “&genie=1” to the URL to bypass authentication; of course, the attack works against any gateway with remote configuration access enabled.
Once in, attackers can change the device’s DNS settings to redirect browsers to malicious sites.
Another 17 Netgear routers are affected by password recovery and file access vulnerabilities. The flaws reside in the genie_restoring.cgi script used by the Netgear box’s built-in web server; they can be triggered to extract files and passwords from its filesystem in flash storage and to pull files from USB sticks plugged into the router.
“Some routers allow arbitrary file reading from the device provided that the path to file is known. Proof-of-concept for Nighthawk X8 running firmware 220.127.116.11 or earlier:
curl -d "id=304966648&next_file=cgi-bin/../../tmp/mnt/usb0/part1/README.txt" http://192.168.1.1/genie_restoring.cgi?id=304966648
The above will fetch README.txt file located on a USB thumb drive inserted into the router. Total of 17 products are affected. Specific models are listed in the Advisory notes,” continues the analysis.
The list of issues discovered by the researcher also includes a command injection vulnerability on the D7000, EX6200v2 and some other routers (PSV-2017-2181): after the WPS button is pressed, the affected Netgear routers allow a remote attacker to execute arbitrary code on the box with root privileges for two minutes.
“Only 6 products are affected, this allows to run OS commands as root during short time window when WPS is activated.” states the analysis.
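As an added example (not Trustwave’s or Netgear’s code), the Python below shows the two gateway-side checks the authentication bypass and the file access advisories above call for: a request filter that flags the &genie=1 bypass parameter and any next_file value that climbs out of its directory with “..”, plus a path-resolution routine that rejects such escapes instead of serving the file. The request lines are constructed; treating /tmp/mnt/usb0/part1 as the permitted root and the parameter table are assumptions.

```python
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Directory the advisory's PoC reaches via '..' (path taken from the advisory).
# Using it as the only permitted root for next_file is an assumption.
USB_ROOT = PurePosixPath("/tmp/mnt/usb0/part1")

# Parameter/value pair the advisory quotes as the auth-bypass trigger.
AUTH_BYPASS_PARAMS = {"genie": {"1"}}

# Parameters that carry a file path and therefore need traversal checks.
PATH_PARAMS = ("next_file",)


def resolve_under_root(root: PurePosixPath, requested: str):
    """Lexically normalise a user-supplied path and return the absolute path if
    it stays inside `root`, else None. A leading '/' is stripped so the request
    is always relative to the root. This does not follow symlinks; a real
    server must also compare the realpath against the root."""
    parts = []
    for p in PurePosixPath(requested).parts:
        if p in ("", "/", "."):
            continue
        if p == "..":
            if not parts:
                return None  # would climb above the root
            parts.pop()
        else:
            parts.append(p)
    return root.joinpath(*parts)


def flag_request(method: str, url: str, body: str = "") -> list:
    """Return the reasons a request to the management interface should be
    blocked or alerted on; an empty list means nothing suspicious."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST":
        # Form-encoded bodies are merged so POSTed parameters are checked too.
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    reasons = []
    for name, bad_values in AUTH_BYPASS_PARAMS.items():
        if any(v in bad_values for v in params.get(name, [])):
            reasons.append(f"auth-bypass parameter {name}={'/'.join(bad_values)}")
    for name in PATH_PARAMS:
        for value in params.get(name, []):
            if resolve_under_root(USB_ROOT, value) is None:
                reasons.append(f"path traversal in {name}: {value}")
    return reasons


# Constructed request lines: the first two reproduce the patterns the advisory
# describes, the third is a benign request to a generic page.
SAMPLE_REQUESTS = [
    ("GET", "http://192.168.1.1/index.htm?page=status&genie=1", ""),
    ("POST", "http://192.168.1.1/genie_restoring.cgi?id=304966648",
     "id=304966648&next_file=cgi-bin/../../tmp/mnt/usb0/part1/README.txt"),
    ("GET", "http://192.168.1.1/index.htm", ""),
]


def scan(requests) -> list:
    """Return [(index, reasons)] for every request that triggered a rule."""
    out = []
    for i, (method, url, body) in enumerate(requests):
        reasons = flag_request(method, url, body)
        if reasons:
            out.append((i, reasons))
    return out


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS):
        print(index, reasons)
```

The filter is a stop-gap for a device that cannot be patched yet; the lasting fix is in resolve_under_root, which only hands back paths that remain under the intended directory, so a crafted next_file cannot reach flash storage or a USB stick elsewhere on the filesystem.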
(Security Affairs – Netgear routers, hacking)
The post Researcher found multiple vulnerabilities in NETGEAR Routers, update them now! appeared first on Security Affairs.
Posted: 09 Feb 2018 01:48 AM PST
The source code for Apple’s iOS iBoot secure bootloader has been leaked on GitHub; let’s try to understand why this component is so important for the iOS architecture.
iBoot is the component loaded in the early stages of the boot sequence and is tasked with loading the kernel; it is stored in a boot ROM chip.
“This is the first step in the chain of trust where each step ensures that the next is signed by Apple,” states Apple, describing iBoot.
The leaked code relates to iOS 9, but experts believe it could still be present in the latest iOS 11.
Apple promptly reacted to the leak by asking GitHub to remove the content, citing a violation of the Digital Millennium Copyright Act (DMCA).
“This repository is currently disabled due to a DMCA takedown notice. We have disabled public access to the repository. The notice has been publicly posted.” reads the notice on the GitHub repository.
“Reproduction of Apple's "iBoot" source code, which is responsible for ensuring trusted boot operation of Apple's iOS software. The "iBoot" source code is proprietary and it includes Apple's copyright notice. It is not open-source.”
The leak is considered very dangerous because hackers and security experts can analyze the code in search of security vulnerabilities that could be exploited to compromise iBoot.
Even if the code cannot be modified, exploiting a flaw could allow loading other components, compromising the overall security of the architecture.
The boot sequence is:
Bootrom → Low Level Bootloader → iBoot → Device tree → Kernel.
A jailbreak consists of compromising one of the above phases, typically the kernel.
Newer iPhones have an ARM-based coprocessor, the so-called Secure Enclave Processor, that enhances iOS security and makes it impossible to access the code in order to reverse engineer it.
But now the iBoot code has been leaked online and experts can analyze it.
A jailbreak allows removing security restrictions, making it possible to install third-party software and packages, including code that is not authorized by Apple and therefore not signed by the IT giant.
Compromising iBoot could theoretically allow loading any malicious code in the boot phase, or a tainted kernel.
Apple tried to downplay the issue, saying that it implements a layered security model.
"Old source code from three years ago appears to have been leaked, but by design the security of our products doesn't depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protection," reads a statement issued by Apple.
(Security Affairs – iBoot, Apple)
The post The source code of the Apple iOS iBoot Bootloader leaked online appeared first on Security Affairs.
Posted: 08 Feb 2018 11:41 PM PST
Swisscom data breach – Telco company Swisscom confirmed it has suffered a data breach that affected roughly 800,000 of its customers, roughly 10% of the Swiss population.
Swiss telco company Swisscom confirmed it has suffered a data breach that affected roughly 800,000 of its customers, roughly 10% of the Swiss population.
According to Swisscom, unauthorized parties gained access to the data in autumn; the attackers accessed customers’ records using a sales partner’s credentials.
The security breach was discovered by Swisscom during a routine check; most of the exposed data relates to mobile service subscribers.
“In autumn of 2017, unknown parties misappropriated the access rights of a sales partner, gaining unauthorised access to customers' name, address, telephone number and date of birth. Under data protection law this data is classed as "non-sensitive".” reads the press release issued by the company.
“Prompted by this incident, Swisscom has now also tightened security for this customer information. The data accessed included the first and last names, home addresses, dates of birth and telephone numbers of Swisscom customers; contact details which, for the most part, are in the public domain or available from list brokers.”
Exposed data includes names, physical addresses, phone numbers and dates of birth; the telecom giant collects this type of data when customers sign a contract.
It is not clear how the hackers obtained the credentials; the good news is that sales partners are allowed to access only the information needed to identify customers and manage contracts.
Swisscom highlighted that the data accessed by the intruders is not considered sensitive under data protection laws; anyway, such information is a precious commodity in the criminal underground because crooks can use it to conduct phishing campaigns against the company’s customers.
Swisscom has reported the data breach to the Swiss Federal Data Protection and Information Commissioner (FDPIC).
"Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident," continues the press release. "Rigorous long-established security mechanisms are already in place in this case."
After the Swisscom data breach, the company revoked the credentials used to access its systems and implemented tighter controls for partners.
Swisscom implemented a number of changes to improve its security, including:
Customers are advised to report any suspicious calls or emails.
(Security Affairs – Swisscom data breach, hacking)
The post Swisscom data breach Hits 800,000 Customers, 10% of Swiss population appeared first on Security Affairs.
You are subscribed to email updates from Security Affairs.