Last weekend a security researcher publically disclosed a zero-day vulnerability in Windows 10, Windows 8.1 and Server editions after Microsoft failed to patch it in the past three months.
The zero-day memory corruption flaw resides in the implementation of the SMB (server message block) network file sharing protocol that could allow a remote, unauthenticated attacker to crash systems with denial of service attack, which would then open them to more possible attacks.
According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but this has not been confirmed right now by Microsoft.
Without revealing the actual scope of the vulnerability and the kind of threat the exploit poses, Microsoft has just downplayed the severity of the issue, saying:
“Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”
The memory corruption flaw resides in the manner in which Windows handles SMB traffic that could be exploited by attackers; all they need is tricking victims to connect to a malicious SMB server, which could be easily done using clever social engineering tricks.
“In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure,” CERT said in the advisory.
“By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”
Since the exploit code is now publicly available to everyone and there is no official patch from Microsoft, all Windows users are left open to potential attacks at this time.
Until Microsoft patches the memory corruption flaw (most probably in the upcoming Windows update or out-of-band patch), Windows users can temporarily fix the issue by blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN.
The vulnerability has been given Common Vulnerability Scoring System (CVSS) score of 7.8. Proof-of-concept code has been published on GitHub.
United States Computer Emergency Readiness Team (US-CERT) has discovered a zero-day vulnerability in the SMB service of Microsoft Windows which lets attackers carry out Denial of Service attacks and crash the entire system leading to Blue Screen of Death (BSOD).
Furthermore, using this vulnerability, an attacker can launch all sorts of attacks such as executing arbitrary code. This vulnerability makes Windows 8.1 and Windows 10 exposed to exploitation and may also affect the Windows Server systems.
The advisory also states that Microsoft Windows has failed to handle traffic coming from a malicious or infected server properly and also it cannot handle server response that contains too many bytes “following the structure defined in the SMB2 TREE_CONNECT Response structure.”
The CERT team also reproduced the attack method by conducting a denial of service attack onto computers running patched versions of Windows 8.1 and Windows 10. However, the team could not successfully run arbitrary code.
The problem may worsen now since the exploit code that may let attackers take advantage of this zero-day vulnerability is already available online and therefore, a patch for the flaw is required badly. Until then, US-CERT cannot provide a solution to keep the users safe. It, however, has provided a temporary fix in the form of blocking outbound SMB connections on the local network.
WordPress is one of the most used content management system (CMS) in the world. So when there is a security flaw in its system, it affects millions of users on the Internet. That is exactly what has been discovered by security researchers at Sucuri, an Internet security company which revealed that WordPress websites are vulnerable to a critical and easily exploitable zero-day Content Injection vulnerability.
Sucuri found a Content Injection or Privilege Escalation vulnerability affecting the REST API allowing an attacker to modify the content of any post or page within a WordPress site. However, there is good news since Sucuri discretely reported the vulnerability to WordPress security team who handled the matter professionally and informed as many security providers and hosts and implemented a patch before this became public.
If you are using WordPress on your website the only way you may be at risk is if you have not updated your WordPress to the latest version 4.7.2. The update was issued on January 26th.
In their blog post, Marc Alexandre Montpas from Sucuri stated that “This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0. One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site. The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress, then it is currently vulnerable to this bug.”
If you or your friends are using WordPress, it is highly advisable to update your website and inform others about the issue so they can also update their WordPress to the latest version.
WordPress has also acknowledged the issue and published a blog post earlier today urging users to update their WordPress since it poses a “severe security risk” for users.
Evolving technologies such a IoT (Internet of Things) enable IP based Internetworking with devices previously not part of the network. Fitness machines, Home Protection Systems, Automation systems, Industrial processing systems, medical equipment, Burglary systems, temperature controls etc.
The downside to IoT is that it opens up a whole new attack vector. Not only can poorly protection IoT machines be compromised, they also can serve as a jump host to further penetrate the customer network.
Shodan is the tool of choice these days. A lot of the underground community is actively exchanging scripts with the best IoT dorks. Only because there is a treadmill on the web doesn’t mean that you can leave the default username and password!
Groups of attackers have adopted a new tactic that involves deleting publicly exposed MongoDB databases and asking for money to restore them. In a matter of days, the number of affected databases has risen from hundreds to more than 10,000.
The issue of misconfigured MongoDB installations, allowing anyone on the internet to access sensitive data, is not new. Researchers have been finding such open databases for years, and the latest estimate puts their number at more than 99,000.
On Monday, security researcher Victor Gevers from the GDI Foundation reported that he found almost 200 instances of publicly exposed MongoDB databases that had been wiped and held to ransom by an attacker or a group of attackers named Harak1r1.
The attackers left a message behind for the database administrators asking for 0.2 bitcoins (around US $180) to return the data.
A day later, the number of databases wiped by Harak1r1 had reached 2,500 and by Friday, more than 8,600 had been affected and contained the ransom message.
In addition, other attackers have joined the scheme, researchers counting at least five groups with different ransom messages so far. Together, the groups deleted 10,500 databases, and in some cases, they’ve replaced each other’s ransom messages.
The bad news is that most of them don’t even bother copying the data before deleting it, so even if the victims decide to pay, there’s a high chance they won’t get their information back.
Gevers said he has helped some victims and there was no evidence in the logs that the data had been exfiltrated. He advises affected database owners not to pay and to get help from security professionals.
MongoDB administrators are advised to follow the steps on the security checklist from the MongoDB documentation in order to lock down their deployments and prevent unauthorized access.
Google’s new Pixel smartphone was reportedly hacked by a Chinese team in just 60 seconds.
At PwnFest, a hacking competition in Seoul on Friday (11 November), a team of white-hat hackers called Qihoo 360 cracked Google’s new handset and won $120,000 (£95,670) in cash. The hackers took advantage of a vulnerability to gain remote code execution that is undisclosed.
The exploit launched the Google Play store before opening Chrome and displaying a web page reading “Pwned By 360 Alpha Team”.
Google said the Chrome bug that Keen Team found was patched within 24 hours of the event and the changes have already been released into the stable branch by the Chrome team.
It was the second time in as many weeks that the Pixel has been compromised.
Chinese hacking group, Keen Team of Tencent, a rival of Qihoo 360, discovered a zero-day vulnerability at the Mobile Pwn2Own event in Japan. The vulnerability is yet to be patched. Thankfully, these exploits have been found in hacking events, instead of being used in the wild by attackers.
While these exploits suggest Pixel phones are vulnerable to attackers, earlier this month Adrian Ludwig, the director of security at Android, told Motherboard that the Google Pixel and the iPhone are equal when it comes to security. Ludwig said Android would be soon better though. “In the long term, the open ecosystem of Android is going to put it in a much better place,” he said.
Apple’s updated Safari browser running on MacOS Sierra also fell. Respected Chinese hacker outfit Pangu Team renowned for releasing million-dollar persistent modern iOS jailbreaks for free, along with hacker JH, blasted Cupertino’s web browser with a root privilege escalation zero day that took 20 seconds to run, earning the team $80,000.
Qihoo 360 also breached Adobe Flash with a flick of the finger, digging up a combination decade-old, use-after-free zero day and a win32k kernel flaw to score $120,000.
It took four seconds for Flash to fall.
The hacks conclude the PwnFest whitewash, which saw Microsoft Edge hacked and the first-ever zero day exploits against VMWare Workstation on Thursday.
Qihoo 360 hackers walked away with $520,000 in prize money.
When John Matherly released SHODAN, search engine which could collect data on web servers like HTTP port 80, FTP etc. It was considered a success, in the hackers point of view. And now there’s censys.
Censys was created by a group of scientists from the University of Michigan as an instrument to make Internet more secure. In fact, both Shodan and Censys are meant for security researches, but as the duo gains more and more attention, there certainly can be a lot of people who would try to use it for more nefarious purposes.
Censys is just like shodan but, more user friendly and works in a better and broader way. Censys is like a time saving buddy for the system lovers or the so called hackers.
HOW CENSYS WORKS
Millions of devices like the home routers, ip cameras, mobile phones use same set of cryptographic keys for SSH secure shells or https. Which makes them vulnerable to hijacking. The vendors build and deploy their products. Typically, the vendors build their device’s firmware based on software development kits (SDKs) received from chip makers. They are too lazy to change the codes.
Censys conducts a daily scan on whole internet database almost everything. It scans all the IPv4 addresses which controls the majority internet traffic. It makes sure that it checks all the possible vulnerabilities. When researcher conducted the mass scan of 4 billion ip addresses the result was shocking.
“We have found everything from ATMs and bank safes to industrial control systems for power plants. It’s kind of scary,” said Zakir Durumeric, the researcher leading the Censys project at the University of Michigan and inventor of ZMap. Censys uses mainly two tools.
The first step of collecting data is Zmap(20) it performs single packet host discovery and scans all the Ipv4 address space. Hosts found by ZMap seed pluggable application scanners, which perform a followup application layer handshake and produce structured JSON data describing a certain aspect of how a host is configured. Typically, application scanners only perform a single handshake and measure one aspect of how a service is configured. For example, they perform separate horizontal scans and use different pluggable scanners to measure how HTTPS hosts respond to a typical TLS handshake, whether hosts support SSLv3, and whether a host is vulnerable to the heart bleed attack. Since collecting all the data from a single scan may cause load on the host., it instead uses scheduled scans thereby aggregating the data collected from each scheduled scans.
It is a fast and more extensible application scanner. At this time, ZGrab supports application handshakes for HTTP, HTTP Proxy, HTTPS, SMTP(S), IMAP(S), POP3(S), FTP, CWMP, SSH, and Modbus, as well as StartTLS, Heartbleed, SSLv3, and specific cipher suite checks. On a dual-Xeon E5-2640 (6-cores at 2.5 GHz) system with an Intel X520 ethernet adapter, ZGrab can complete HTTPS handshakes with the full IPv4 address space in 6h20m, and a banner grab and StartTLS connection with all publicly accessible SMTP hosts in 3h9m, 1.86k and 1.32k hosts/second respectively. In simple words ZMap quickly identifies hosts and ZGrab produces structured data about each of those hosts. Zgrab can be used independently. It does on even on one host from simply reading and writing a data to initiating a handshake.
Censys exposes data back to the community, which ranges from researchers who need to quickly perform a simple query to those who want to perform in-depth analysis on raw data. In order to meet these disparate needs, they are exposing the data to researchers through several interfaces, which offer varying degrees of flexibility.
1) a web-based query and reporting interface,
2) a programmatic REST API,
3) Public Google BigQuery tables,
4) Raw downloadable scan results. They are planning to publish pre-defined dashboards that are accessible to users outside of the research community.
Neither Shodan nor Censys are likely to be used by some serious cyber criminals — the real big bad guys have had botnets for a while, which can serve the very same purpose yet yield more power. It took Shodan’s creator John Matherly only 5 hours to ping and map all the devices on the whole Internet, and a botnet utilising hundreds of computers would probably do that even faster.
But there are a lot of other people who already have tried to misuse Shodan and Censys to play bad tricks and pranks on other people. And while the problem with the IoT security is mostly for the manufacturers to solve, there are a few things that you can do about it to secure those connected things that actually belong to you.