Ready to Start Your Career?Create Free Account
November 17, 2017
UNM4SK3D: CIA, Microsoft, and IoT
November 17, 2017
November 17, 2017
#wikileaksJust when the world thought Wikileaks might just stop dripping, the whistle-blower forum resumed their old ways, this time releasing source code and analysis of CIA hacking tools dubbed 'Vault 8.' You may recall that beginning in March of last year, Wikileaks began releasing formerly confidential CIA documents under the name 'Vault 7,' which included 23 hacking related projects or tools. What is assumed to be the first of the Vault 8 series is 'Project Hive,' a "significant backend component the agency used to remotely control its malware covertly." This project is an advanced command-and-control server that works with malware to send specific commands to execute tasks on the targets and receive exfiltrated information from the target machines.From the newly shared source code and development logs, we can see that Project Hive can be utilized by many CIA agents to "remotely control multiple malware implants used in different operations." The design is meant to keep the identity of its users secret via multi-stage communication over a VPN. Although Project Hive looks innocent in a browser, the malware implant signals back to the hosting fake website, forwarding malware-related traffic to a 'hidden' CIA server called 'Blot.' What's more, the malware uses fake digital Kaspersky Lab certificates.
This publication will enable investigative journalists, forensic experts and the general public to better identify and understand covert CIA infrastructure components. Source code published in this series contains software designed to run on servers controlled by the CIA. -WikileaksFor more details about previous posts from Wikileaks, read this edition of UNM4SK3D.
#vulnerabilityIn Microsoft's recent Patch Tuesday, the company released a fix for a 17-year-old remote code execution bug found in an Office executable called Microsoft Equation Editor, CVE-2017-11882. Aside from the discomforting fact that this bug has been in existence for so long, researchers seem to be in disagreement with Microsoft over the severity. The big 'M' classified the bug as 'important' while others argue it is 'extremely dangerous.' More specifically, researchers from Embedi say the bug is severe "because all versions of Microsoft Office for the past 17 years are vulnerable and that the CVE works with all the Microsoft Windows versions (including Microsoft Windows 10 Creators Update)." Additionally, once this bug has been executed, Microsoft Windows and Office security features such as Control Flow Guard could not protect against it.Ironically enough, researchers first discovered the bug using a Microsoft tool, BinScope, which analyzes files to see if they pass standards set by Microsoft’s Security Development Lifecycle. Microsoft, when giving a comment, described the bug as a memory corruption problem. Users must open a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad software in order for the vulnerability to be exploited. An attacker could also potentially exploit the vulnerability by sending that specially crafted file to the user and convincing the user to open the file. “Because the component has numerous security issues and the vulnerabilities it contains can be easily exploited, the best option for a user to ensure security is to disable registering of the component in Windows registry," cautioned the researchers.
The component is an OutProc COM server executed in a separate address space. This means that security mechanisms and policies of the office processes (e.g. WINWORD.EXE, EXCEL.EXE, etc.) do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities. -Embedi researchersTake control of your Microsoft products. Read '3 Ways to Increase Office 365 Security.'
#blueborneHello. I'm Alexa and I'm flawed. Unfortunately, your Amazon Echo or Google Home most likely won't tell you this, but users of AI personal assistants should be warned that a bluetooth hack has left over 20 million devices vulnerable. You may recall BlueBorne, eight critical zero-day flaws that affected billions of Bluetooth-enabled devices, including smartphones, TVs, laptops, watches, and smart TVs. These flaws worked by leveraging the short-range wireless protocol to take full control over targeted devices, access data, and spread malware to other adjacent devices. Unfortunately, this exploit does not require any user interaction and cannot be detected by most security tools.IoT security firm Armis, who initially discovered this issue, has now disclosed that Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. More specifically, Amazon Echo's variants use different operating systems, so other Echo devices are affected by either the vulnerabilities found in Linux or Android, while Google Home devices are affected by only one Android vulnerability. Bluetooth, however, cannot be disabled on either of the personal assistants, meaning attackers within the range of the devices can easily launch an attack. Luckily, Amazon and Google have both released patches and automatic updates for these devices.
BlueBorne concerns us because of the medium by which it operates.With BlueBorne, attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attacker surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities. -Armis researchersOriginal details regarding BlueBorne found here on the Tripwire blog.