Potent Firefox 0-day used to install undetected backdoors on Macs


This post is by Dan Goodin from Ars Technica






The fox animoji. (credit: Samuel Axon)

Hackers exploited a pair of potent zero-day vulnerabilities in Firefox to infect Mac users with a largely undetected backdoor, according to accounts pieced together from multiple people.

Mozilla released an update on Tuesday that fixed a code-execution vulnerability in a JavaScript programming method known as Array.pop. On Thursday, Mozilla issued a second patch fixing a privilege-escalation flaw that allowed code to break out of a security sandbox that Firefox uses to prevent untrusted content from interacting with sensitive parts of a computer operating system. Interestingly, a researcher at Google’s Project Zero had privately reported the code-execution flaw to Mozilla in mid-April.

On Monday, as Mozilla was readying a fix for the Array.pop flaw, unknown hackers deployed an attack that combined working exploits for both vulnerabilities. The hackers then used the attack against employees of Coinbase, according to Philip


Nation-sponsored hackers likely carried out hostile takeover of rival group’s servers







If nation-sponsored hacking was baseball, the Russian-speaking group called Turla would not just be a Major League team—it would be a perennial playoff contender. Researchers from multiple security firms largely agree that Turla was behind breaches of the US Department of Defense in 2008, and more recently the German Foreign Office and France’s military. The group has also been known for unleashing stealthy Linux malware and using satellite-based Internet links to maintain the stealth of its operations.

Now, researchers with security firm Symantec have uncovered evidence of Turla doing something that would be a first for any nation-sponsored hacking group. Turla, Symantec believes, conducted a hostile takeover of an attack platform belonging to a competing hacking group called OilRig, which researchers at FireEye and other firms have linked to the Iranian government. Symantec suspects Turla then used the hijacked network to attack a Middle Eastern government OilRig had


New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems






(credit: JIP)

The Linux and FreeBSD operating systems contain newly discovered vulnerabilities that make it easy for hackers to remotely crash servers and disrupt communications, researchers have warned. OS distributors are advising users to install patches when available or to make system settings that lower the chances of successful exploits.

The most severe of the vulnerabilities, dubbed SACK Panic, can be exploited by sending a specially crafted sequence of TCP Selective ACKnowledgements to a vulnerable computer or server. The system will respond by crashing, or in the parlance of engineers, entering a kernel panic. Successful exploitation of this vulnerability, tracked as CVE-2019-11477, results in a remote denial of service (DoS).

A second vulnerability also works by sending a series of malicious SACKs that consumes computing resources of the vulnerable system. Exploits most commonly work by fragmenting a queue reserved for retransmitting TCP packets. In some OS versions, attackers


Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks







Content delivery network Cloudflare is introducing a free service designed to make it harder for browser-trusted HTTPS certificates to fall into the hands of bad guys who exploit Internet weaknesses at the time the certificates are issued.

The attacks were described in a paper published last year titled Bamboozling Certificate Authorities with BGP. In it, researchers from Princeton University warned that attackers could manipulate the Internet’s border gateway protocol to obtain certificates for domains the attackers had no control over.

Browser-trusted certificate authorities are required to use a process known as domain control validation to verify that a person requesting a certificate for a given domain is the legitimate owner. It requires the requesting party to do one of three things:


Russia warns that reported US attacks on its power grid could trigger “cyberwar”






Zapadnaya in the Moscow region. (credit: Vladimir Fedorenko / Владимир Федоренко)

The Kremlin on Monday warned that reported US digital incursions into Russia’s electric power grid could trigger a “cyberwar” between the two countries.

The warning came two days after The New York Times reported that the US Cyber Command, the arm of the Pentagon that runs the military’s offensive and defensive operations in the online world, was aggressively stepping up its targeting of Russia’s grid. Saturday’s report said the command had taken steps to place “potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before.” In some cases, the NYT reported, Pentagon and intelligence officials have been hesitant to brief President Trump in detail about the activities out of concern he might countermand the operations or discuss them with foreign officials. Last year, Trump gave


Hackers behind dangerous oil and gas intrusions are probing US power grids






Power lines in Page, Arizona. (credit: IIP Photo Archive)

In a troubling new escalation, hackers behind at least two potentially fatal intrusions on industrial facilities have expanded their activities to probing dozens of power grids in the US and elsewhere, researchers with security firm Dragos reported Friday.

The group, now dubbed Xenotime by Dragos, quickly gained international attention in 2017 when researchers from Dragos and the Mandiant division of security firm FireEye independently reported Xenotime had recently triggered a dangerous operational outage at a critical-infrastructure site in the Middle East. Researchers from Dragos have labeled the group the world’s most dangerous cyber threat ever since.

The most alarming thing about this attack was its use of never-before-seen malware that targeted the facility’s safety processes. Such safety instrumented systems are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising.


If you haven’t patched Vim or NeoVim text editors, you really, really should







A recently patched vulnerability in text editors preinstalled in a variety of Linux distributions allows hackers to take control of computers when users open a malicious text file. The latest version of Apple’s macOS is continuing to use a vulnerable version, although attacks only work when users have changed a default setting that enables a feature called modelines.

Vim and its forked derivative, NeoVim, contained a flaw that resided in modelines. This feature lets users specify window dimensions and other custom options near the start or end of a text file. While modelines restricts the commands available and runs them inside a sandbox that’s cordoned off from the operating system, researcher Armin Razmjou noticed the source! command (including the bang on the end) bypassed that protection.

“It reads and executes commands from a given file as if typed manually, running them after the sandbox has been


I’ll be passing on Google’s new 2fa for logins on iPhones and iPads. Here’s why






(credit: Google)

Google is expanding its new Android-based two-factor authentication (2fa) to people logging in to Google and Google Cloud services on iPhones and iPads. While Google deserves props for trying to make stronger authentication available to more users, I’ll be avoiding it in favor of 2fa methods Google has had in place for years. I’ll explain why later. First, here’s some background.

Google first announced Android’s built-in security key in April, when it went into beta, and again in May, when it became generally available. The idea is to make a device running Android 7 or later the user’s primary 2fa device. When someone enters a valid password into a Google account, the phone displays a message alerting the account owner. Users then tap a “yes” button if the login is legitimate. If it’s an unauthorized attempt, the user can block the login from going through.

The system aims


Researchers use Rowhammer bit flips to steal 2048-bit crypto key






A DDR3 DIMM with error-correcting code from Samsung. ECC is no longer an absolute defense against Rowhammer attacks. (credit: Samsung)

The Rowhammer exploit that lets unprivileged attackers corrupt or change data stored in vulnerable memory chips has evolved over the past four years to take on a range of malicious capabilities, including elevating system rights and breaking out of security sandboxes, rooting Android phones, and taking control of supposedly impregnable virtual machines. Now, researchers are unveiling a new attack that uses Rowhammer to extract cryptographic keys or other secrets stored in vulnerable DRAM modules.

Like the previous Rowhammer-based attacks, the new data-pilfering RAMBleed technique exploits the ever-shrinking dimensions of DRAM chips that store data a computer needs to carry out various tasks. Rowhammer attacks work by rapidly accessing—or hammering—physical rows inside vulnerable chips in ways that cause bits in neighboring rows to flip, meaning 1s


BGP mishap sends European mobile traffic through China Telecom for 2 hours






A graphical depiction of Thursday’s BGP leak. (credit: ThousandEyes)

Traffic destined for some of Europe’s biggest mobile providers was misdirected in a roundabout path through the Chinese-government-controlled China Telecom on Thursday, in some cases for more than two hours, an Internet-monitoring service reported. It’s the latest event to stoke concerns about the security of the Internet’s global routing system, known as the Border Gateway Protocol.

The incident started around 9:43am UTC on Thursday (2:43am California time). That’s when AS21217, the autonomous system belonging to Switzerland-based data center colocation company Safe Host, improperly updated its routers to advertise it was the proper path to reach what eventually would become more than 70,000 Internet routes comprising an estimated 368 million IP addresses. China Telecom’s AS4134, which struck a network peering arrangement with Safe Host in 2017, almost immediately echoed those routes rather than dropping them, as proper BGP


Millions of machines affected by command execution flaw in Exim mail server







Millions of Internet-connected machines running the open source Exim mail server may be vulnerable to a newly disclosed vulnerability that, in some cases, allows unauthenticated attackers to execute commands with all-powerful root privileges.

The flaw, which dates back to version 4.87 released in April 2016, is trivially exploitable by local users with a low-privileged account on a vulnerable system running with default settings. All that’s required is for the person to send an email to “${run{…}}@localhost,” where “localhost” is an existing local domain on a vulnerable Exim installation. With that, attackers can execute commands of their choice that run with root privileges.

The command execution flaw is also exploitable remotely, albeit with some restrictions. The most likely scenario for remote exploits is when default settings have been changed, such as:


Google confirms 2017 supply-chain attack that sneaked backdoor on Android devices






(credit: Alexandre Dulaunoy / Flickr)

Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday.

Triada first came to light in 2016 in two articles published by Kaspersky, the first of which said the malware was “one of the most advanced mobile Trojans” the security firm’s analysts had ever encountered. Once installed, Triada’s chief purpose was to install apps that could be used to send spam and display ads. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS’s all-powerful Zygote process. That meant the malware could directly tamper with every installed app. Triada also connected to no fewer than 17 command and control servers.

In July 2017, security firm Dr. Web reported that its researchers


Warnings of world-wide worm attacks are the real deal, new exploit shows






(credit: flattop341)

For the past three weeks, security professionals have warned with increasing urgency that a recently patched Windows vulnerability has the potential to trigger attacks not seen since the WannaCry worm that paralyzed much of the world in 2017. A demonstration video circulating on the Internet is the latest evidence to prove those warnings are the real deal.

It was posted Tuesday by Sean Dillon, a senior security researcher at RiskSense. A play-by-play helps to underscore the significance of the feat.

The video shows a module Dillon wrote for the Metasploit exploit framework remotely connecting to a Windows Server 2008 R2 computer that has yet to install a patch Microsoft released in mid-May. At about 14 seconds, a Metasploit


238 Google Play apps with >440 million installs made phones nearly unusable






(credit: NurPhoto | Getty Images)

If the prevalence of abusive Google Play apps has left you numb, this latest report is for you. Carefully concealed adware installed in Google-approved apps with more than 440 million installations was so aggressive that it rendered mobile devices nearly unusable, researchers from mobile security provider Lookout said Tuesday.

BeiTaAd, as the adware is known, is a plugin that Lookout says it found hidden in the emoji keyboard TouchPal and 237 other applications, all of which were published by Shanghai, China-based CooTek. Together, the 238 unique apps had a combined 440 million installs. Once installed, the apps initially behaved normally. Then, after a delay of anywhere between 24 hours and 14 days, the obfuscated BeiTaAd plugin would begin delivering what are known as out-of-app ads. These ads appeared on users’ lock screens and triggered audio and video at seemingly random times or even when


Microsoft says mandatory password changing is “ancient and obsolete”






Screenshot from the game show Password. (credit: ABC Photo Archives / Getty Images)

Microsoft is finally catching on to a maxim that security experts have almost universally accepted for years: periodic password changes are likely to do more harm than good.

In a largely overlooked post published late last month, Microsoft said it was removing periodic password changes from the security baseline settings it recommends for customers and auditors. After decades of Microsoft recommending passwords be changed regularly, Microsoft employee Aaron Margosis said the requirement is an “ancient and obsolete mitigation of very low value.”

The change of heart is largely the result of research that shows passwords are most prone to cracking when they’re easy for end users to remember, such as when they use a name or phrase from a favorite movie or book. Over the past decade, hackers have mined real-world password breaches to assemble dictionaries of millions of


Microsoft practically begs Windows users to fix wormable BlueKeep flaw






(credit: Aurich Lawson)

Microsoft security officials say they are confident an exploit exists for BlueKeep, the recently patched vulnerability that has the potential to trigger self-replicating attacks as destructive as the 2017 WannaCry attack that shut down computers all over the world.

In a blog post published late Thursday night, members of the Microsoft Security Response Center cited findings published Tuesday by Errata Security CEO Rob Graham that almost 1 million Internet-connected computers remain vulnerable to the attacks. That indicates those machines have yet to install an update Microsoft issued two weeks ago patching against the so-called BlueKeep vulnerability, which is formally tracked as CVE-2019-0708. The exploits can reliably execute malicious code with no interaction on the part of an end user. The severity prompted Microsoft to take the unusual step of issuing patches for Windows 2003, XP, and Vista, which haven’t been supported in four, five, and two


Hackers actively exploit WordPress plugin flaw to send visitors to bad sites






A redirection from a site still running a vulnerable version of the plugin.

Hackers have been actively exploiting a recently patched vulnerability in some websites that causes the sites to redirect to malicious sites or display misleading popups, security researchers warned on Wednesday.

The vulnerability was fixed two weeks ago in WP Live Chat Support, a plugin for the WordPress content management system that has 50,000 active installations. The persistent cross-site scripting vulnerability allows attackers to inject malicious JavaScript into sites that use the plugin, which provides an interface for visitors to have live chats with site representatives.

Researchers from security firm Zscaler’s ThreatLabZ say attackers are exploiting the vulnerability to cause sites using unpatched versions of WP Live Chat Support to redirect to malicious sites or to display unwanted popups. While the attacks aren’t widespread, there have been enough of them to raise concern.


Website for storing digital currencies hosted code with a sneaky backdoor






(credit: NoHoDamon / Flickr)

A website that bills itself as providing a safer way to store Bitcoin and other digital currencies has been using a coding sleight of hand to generate private keys that are suspiciously trivial for the operators to guess, leaving all funds stored in the wallets open to theft, researchers with a different service said on Friday.

WalletGenerator.net provides code for creating what are known as paper wallets for 197 different cryptocurrencies. Paper wallets were once billed as a secure way to store digital coins because—in theory, at least—the private keys that unlock the wallets are stored on paper, rather than on an Internet-connected device that can be hacked. (In reality, paper wallets are open to hacking for a variety of reasons.) While the site advises people to download the code from this GitHub page and run it while the computer is unplugged from


Fake cryptocurrency apps on Google Play try to profit on bitcoin price surge






(credit: Google)

Google’s official Play Store has been caught hosting malicious apps that targeted Android users with an interest in cryptocurrencies, researchers reported on Thursday.

In all, researchers with security provider ESET recently discovered two fraudulent digital wallets. The first, called Coin Wallet, let users create wallets for a host of different cryptocurrencies. While Coin Wallet purported to generate a unique wallet address for users to deposit coins, the app in fact used a developer-owned wallet for each supported currency, with a total of 13 wallets. Each Coin Wallet user was assigned the same wallet address for a specific currency.

“The app claims it lets users create wallets for various cryptocurrencies,” ESET Malware Researcher Lukas Stefanko wrote in a blog post. “However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets—a classic case of what we named wallet address scams in our previous
