Less than 24 hours after publicly disclosing an unpatched zero-day vulnerability in Windows 10, the anonymous hacker going by the online alias “SandboxEscaper” has now dropped new exploits for two more unpatched Microsoft zero-day vulnerabilities. The two new zero-day vulnerabilities affect Microsoft’s Windows Error Reporting service and Internet Explorer 11.

Just yesterday, while releasing a Windows 10 zero-day exploit for a local privilege escalation bug in the Task Scheduler utility, SandboxEscaper claimed to have discovered four more zero-day bugs, exploits for two of which have now been publicly released.

AngryPolarBearBug2 Windows Bug

One of the latest Microsoft zero-day vulnerabilities resides in the Windows Error Reporting service and can be exploited using a discretionary access control list (DACL) operation—a mechanism that identifies the users and groups that are granted or denied access permissions to a securable object. Upon successful exploitation, an attacker can delete or edit any Windows file, including system executables, which otherwise only a privileged user can do.

Dubbed AngryPolarBearBug2 by the hacker, the vulnerability is a successor to a previous Windows Error Reporting service vulnerability she found late last year, named AngryPolarBearBug, which allowed a local, unprivileged attacker to overwrite any chosen file on the system.

However, as SandboxEscaper says, this vulnerability is not very easy to exploit, and it “can take upwards of 15 minutes for the bug to trigger.”

“I guess a more determined attacker might be able to make it more reliable,” the hacker said. “It is just an insanely small window in which we can win our race; I wasn’t even sure if I could ever exploit it at all.”

Internet Explorer 11 Sandbox Bypass

The second Microsoft zero-day vulnerability revealed today by SandboxEscaper affects Microsoft’s web browser, Internet Explorer 11 (IE11). Though the exploit note doesn’t contain any detail about this flaw, a video demonstration released by the hacker shows that the vulnerability exists because of an error in how the vulnerable browser handles a maliciously crafted DLL file. This would eventually allow an attacker to bypass the IE Protected Mode sandbox and execute arbitrary code with Medium integrity permissions.

Though none of the three unpatched zero-day vulnerabilities SandboxEscaper released within the last 24 hours is critical, users can expect security updates from Microsoft on 11 June, the company’s next Patch Tuesday.

SandboxEscaper has a history of releasing fully functional zero-day exploits for the Windows operating system. Last August, she debuted another Windows Task Scheduler vulnerability on Twitter, which hackers quickly started exploiting in the wild in a spy campaign after disclosure. Later, in October 2018, the hacker released an exploit for a then zero-day vulnerability in Microsoft’s Data Sharing Service (dssvc.dll), which she dubbed “Deletebug.” In December 2018, she released two more zero-day vulnerabilities in the Windows operating system.

You can expect two more Microsoft zero-day vulnerabilities from SandboxEscaper in the coming days, as she has promised to release them.

Malware as high art? Stranger things have happened, but a Windows laptop infected with six high-profile pieces of malware (think WannaCry and BlackEnergy) is nonetheless looking to fetch more than $1 million in public art-auction bids.

A project called “The Persistence of Chaos,” mounted by artist Guo O. Dong with help from the Deep Instinct security firm, consists of an old Samsung Blue Netbook from 2008, running Windows XP SP3. It features six pieces of malware that together are responsible for at least $95 billion in financial damages.

In addition to WannaCry (responsible for a mass ransomware attack in 2017 that people are still shell-shocked from) and BlackEnergy (the destructive code behind the Christmas power outage in Ukraine), the laptop has expressive infections like the Dark Tequila malware (a sophisticated credential-stealer first spotted in 2013, known for its cocktail of highly targeted and effective attack modules). It also features some blasts from the past, like two email worms: the ILOVEYOU worm that made waves at the turn of the millennium in 2000 (remember that?), and the SoBig trojan, from 2003. And it houses the MyDoom DDoS/file-destructor worm that caused a lot of headaches for the federal government back in 2009.

The Persistence of Chaos

Dong, speaking to VICE, called the project a “bestiary, a catalog of historical threats.” He added, “it’s exciting to see the beasts in a live environment.”

The Persistence of Chaos machine is air-gapped for safety – and though there are pioneering ways to get around that protection, Dong hopes that won’t prevent art aficionados from bidding to own the very, very sick laptop – to the tune of seven figures. The reserve bid for the computer is $1.13 million.

“These pieces of software seem so abstract, almost fake with their funny, spooky names, but I think they emphasize that the web and IRL [in real life] are not different spaces,” Dong told VICE. “Malware is one of the most tangible ways that the internet can jump out of your monitor and bite you.”

Bids for the piece are open now.

Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.

Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

On or around May 12, at least two antivirus firms began detecting booby-trapped Microsoft Word files that were sent along with some variant of the following message:

    {Pullman & Assoc. | Wiseman & Assoc. | Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.}

    Hi,

    The following {e-mail | mail} is to advise you that you are being charged by the city.

    Our {legal team | legal council | legal departement} has prepared a document explaining the {litigation | legal dispute | legal contset}.

    Please download and read the attached encrypted document carefully.

    You have 7 days to reply to this e-mail or we will be forced to step forward with this action.

    Note: The password for the document is 123456

The template above was part of a phishing kit being traded on the underground, and the user of this kit decides which of the options in brackets actually get used in the phishing message. Yes, the spelling/grammar is poor and awkward (e.g., the salutation), but so is the overall antivirus detection rate of the attached malicious Word document.

This phishing kit included five booby-trapped Microsoft Word documents to choose from, and none of those files were detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22 — 10 days after they were spammed out.

According to both Fortinet and Sophos, the attached Word documents include a trojan that is typically used to drop additional malware on the victim’s computer. Previous detections of this trojan have been associated with ransomware, but the attackers in this case can use the trojan to install malware of their choice.

Also part of the phishing kit was a text document containing some 100,000 business email addresses — most of them ending in Canadian (.ca) domains — although there were also some targets at companies in the northeastern United States. If only a tiny fraction of the recipients of this scam were unwary enough to open the attachment, it would still be a nice payday for the phishers.

The law firm domain spoofed in this scam — wpslaw.com — now redirects to the Web site for RWC LLC, a legitimate firm based in Connecticut. A woman who answered the phone at RWC said someone had recently called to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

As phishing kits go, this one is pretty basic and not terribly customized or convincing. But I could see a kit that tried only slightly harder to get the grammar right and to address the recipient more formally doing quite well: Legitimate-looking legal threats have a way of making some people act before they think.

Don’t be like those people. Never open attachments in emails you were not expecting. When in doubt, toss it out. If you’re worried it may be legitimate, research the purported sender(s) and reach out to them over the phone if need be. And resist the urge to respond to these spammers; doing so may only serve to encourage further “mailious” correspondence.

KrebsOnSecurity would like to thank Hold Security for a heads up on this phishing kit.
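As an added example (not from the KrebsOnSecurity post), here is a small Python mail-triage rule built from the signals in the kit template above: an Office attachment whose password is handed over in the body, a reply deadline and legal-threat wording. The two messages are constructed samples, one filled in from the template with a placeholder sender domain and one benign.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed samples (not real captures): the first follows the quoted kit template
# with one choice made for each {a | b} slot; the second is ordinary mail.
SAMPLE_MESSAGES = [
"""From: Wiseman & Assoc. <notice@lawfirm.example>
To: accounting@example.ca
Subject: Legal notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi,
The following mail is to advise you that you are being charged by the city.
Our legal council has prepared a document explaining the legal dispute.
Please download and read the attached encrypted document carefully.
You have 7 days to reply to this e-mail or we will be forced to step forward with this action.
Note: The password for the document is 123456
--b1
Content-Type: application/msword; name="complaint.doc"
Content-Disposition: attachment; filename="complaint.doc"

(placeholder attachment body)
--b1--
""",
"""From: Alice <alice@example.ca>
To: bob@example.ca
Subject: Lunch
Content-Type: text/plain

Want to grab lunch on Thursday?
""",
]

# Signals lifted from the kit template. The password-in-body signal matters most: an
# encrypted document is opaque to the scanner, which is why AV detection rates were so low.
PASSWORD_IN_BODY = re.compile(r"password\s+for\s+the\s+document\s+is\s+\S+", re.I)
REPLY_DEADLINE = re.compile(r"you\s+have\s+\d+\s+days?\s+to\s+(reply|respond)", re.I)
LEGAL_THREAT = re.compile(
    r"being\s+charged|litigation|legal\s+dispute|step\s+forward\s+with\s+this\s+action", re.I)
OFFICE_ATTACHMENT = re.compile(r"\.(docx?|docm|rtf)$", re.I)


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def indicators(raw: str) -> list:
    """Return the names of the lure signals present in one raw RFC 822 message."""
    msg = message_from_string(raw)
    text = body_text(msg)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = []
    if any(OFFICE_ATTACHMENT.search(n) for n in names):
        hits.append("office attachment")
    if PASSWORD_IN_BODY.search(text):
        hits.append("document password in body")
    if REPLY_DEADLINE.search(text):
        hits.append("reply deadline")
    if LEGAL_THREAT.search(text):
        hits.append("legal-threat wording")
    return hits


def is_legal_threat_lure(raw: str) -> bool:
    """Quarantine rule: password-protected Office attachment, or three or more signals."""
    hits = indicators(raw)
    return ("office attachment" in hits and "document password in body" in hits) or len(hits) >= 3


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        subject = message_from_string(raw)["Subject"]
        print(subject, "->", indicators(raw), is_legal_threat_lure(raw))
```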

Two critical cross-site request forgery (CSRF) flaws in educational non-profit Khan Academy’s website may have affected some users by allowing account takeover.

Khan Academy, a non-profit learning organization, produces short lessons in the form of videos that can be accessed online. The two critical flaws, which were both resolved shortly after they were reported and were publicly disclosed last week, stemmed from a lack of CSRF tokens, which double-check account log-in requests to make sure they aren’t CSRF attacks.

A Khan Academy spokesperson told Threatpost they resolved the flaw by adding a CSRF token check to the password-change request. The company sought to downplay the vulnerability, saying: “The flaw’s impact was minimal, only possibly affecting a small fraction of our users. A user would have to visit a malicious page to begin with for it to work.”

The spokesperson added, “We take these matters seriously and our team moves swiftly and decisively to investigate and resolve issues as quickly as possible. We will continue to take all appropriate measures to ensure the highest integrity of our systems to protect the data of our learners, volunteers, partners and other stakeholders.”

One of the flaws could have allowed attackers to take over accounts that were created using the Google or Facebook login option (two options that are available for quick sign-ins using existing Facebook or Google usernames and passwords).

CSRF happens when a malicious website sends a request to a web application that a victim is already authenticated against. This way an attacker can access the functionality in a target web application via the victim’s already authenticated browser. In this case, if a user creates an account using Google or Facebook and does not set an additional password, it is possible to send an HTML request via CSRF to the already-created account and set a new password, according to the researcher.

“When a user creates an account using Google or Facebook and does not set an additional password, it is possible to set their passwords via CSRF,” according to the bounty hunter who discovered the flaw, who goes by the alias “tomoh,” in a HackerOne report.

To be attacked, a victim would need to visit a website where attackers had added a line of malicious code somewhere on the site. The vulnerability was reported November 16 via Khan Academy’s HackerOne bug-bounty program and fixed shortly after. The flaw was publicly disclosed last week.

The other flaw could have allowed a bad actor to take over any unconfirmed account on Khan Academy. This glitch exists because the endpoint /signup/email allows users to change their email before they confirm their account email. That means an attacker could obtain a new email address not associated with a Khan Academy account, then lure another Khan Academy user to visit a URL linking to a page that could then send a POST request to the /signup/email endpoint. Because the endpoint is not protected from CSRF, the email change would go through, and the attacker would then be able to take over the unconfirmed account using password reset.

Making matters worse, “The original user would not be able to reclaim account since the original email is now not associated with any KA account,” the researcher said. He added, “And since unconfirmed users can participate in most activities on the website, this could lead to leakage of personal info. Since this [account takeover] does not require any knowledge of the user’s email address or KAID, it would become possible to launch large-scale attacks by posting malicious links on forums or other places on the internet that KA users would visit.”

This second flaw was reported via HackerOne on April 15 and fixed on April 16.
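As an added example (not Khan Academy’s code; the handler names, session model and form fields are assumptions), this Python model shows why both reported endpoints were exploitable and what the fix described by the spokesperson changes: a cross-site form post arrives with the victim’s session cookie but cannot carry the per-session CSRF token, so a handler that checks only the session accepts it, while one that checks the token rejects it.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password: Optional[str] = None  # None: created via Google/Facebook sign-in, no password set
    confirmed: bool = False         # email address not yet confirmed


@dataclass
class Session:
    account: Account
    # Per-session secret rendered into the site's own forms; a third-party page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    form: dict
    session: Session  # the browser attaches the session cookie even to cross-site form posts


def require_csrf(req: Request) -> None:
    """The fix: reject any state-changing request whose token does not match the session's."""
    token = req.form.get("csrf_token", "")
    if not secrets.compare_digest(token, req.session.csrf_token):
        raise PermissionError("missing or invalid CSRF token")


# Underlying operations, shared by the vulnerable and the hardened handlers.
def set_password(req: Request) -> None:
    req.session.account.password = req.form["new_password"]


def set_signup_email(req: Request) -> None:
    if req.session.account.confirmed:
        raise PermissionError("email can only be changed before confirmation")
    req.session.account.email = req.form["email"]


# As reported: only the session cookie is checked.
def change_password_vulnerable(req: Request) -> None:
    set_password(req)


def change_signup_email_vulnerable(req: Request) -> None:
    set_signup_email(req)


# Hardened: token check first.
def change_password_fixed(req: Request) -> None:
    require_csrf(req)
    set_password(req)


def change_signup_email_fixed(req: Request) -> None:
    require_csrf(req)
    set_signup_email(req)


def cross_site_post(session: Session, form: dict) -> Request:
    """A form auto-submitted from another origin: cookie present, token absent."""
    return Request(form=dict(form), session=session)


def same_site_post(session: Session, form: dict) -> Request:
    """A form rendered by the site itself carries the session's token."""
    return Request(form={**form, "csrf_token": session.csrf_token}, session=session)


def run_scenarios() -> dict:
    """Map (handler, origin) to whether the account change went through."""
    results = {}
    cases = [
        ("password", change_password_vulnerable, {"new_password": "attacker-chosen"}),
        ("password_fixed", change_password_fixed, {"new_password": "attacker-chosen"}),
        ("email", change_signup_email_vulnerable, {"email": "attacker@example.invalid"}),
        ("email_fixed", change_signup_email_fixed, {"email": "attacker@example.invalid"}),
    ]
    for name, handler, form in cases:
        for origin, build in [("cross_site", cross_site_post), ("same_site", same_site_post)]:
            victim = Account(email="victim@example.invalid")  # fresh social-login, unconfirmed
            session = Session(account=victim)
            try:
                handler(build(session, form))
                results[(name, origin)] = True
            except PermissionError:
                results[(name, origin)] = False
    return results
```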

By Uzair Amir

This issue affects G Suite users only; free consumer Google accounts were not affected. A couple of days ago it was reported that Google has been using Gmail to secretly store its users’ purchase history for years. Now, the company has revealed that its team recently discovered a bug due to which some […]

This is a post from HackRead.com. Read the original post: Google says it stored some G Suite passwords in plain text for 14 years

A Windows zero-day exploit dropped by developer SandboxEscaper would allow local privilege escalation (LPE) by importing legacy tasks from other systems into the Task Scheduler utility. It’s the latest zero-day from SandboxEscaper, who said that she has four more in the hopper that she’d like to sell for $60,000 to non-Western buyers.

Mitja Kolsek, co-founder of 0patch and CEO of Acros Security, told Threatpost that the bug is a typical LPE flaw, allowing a low-privileged user on the computer to arbitrarily modify any file, including system executables.

“Since these are executed in high-privileged context, the attacker’s code can get executed and, for instance, promote the attacker to local administrator or obtain covert persistence on the computer,” said Kolsek, adding that 0patch is working on releasing a micropatch for the vulnerability as soon as possible. “The only atypical factor is that the attacker must know a valid username and password on the computer because these must be passed to Task Scheduler in order for the exploit to work.”

He added, “This means, for example, that a local corporate user without administrative privileges on their workstation could easily mount such attack, and so would an external attacker who gained remote access to some computer in the network and found or guessed any Windows domain user’s credentials.”

Abusing Legacy Tasks

The exploit, disclosed on Twitter on Tuesday, takes advantage of the fact that old Windows XP tasks in the .JOB format can be imported into Windows 10 via the Task Scheduler. An adversary can run a command using the executables ‘schtasks.exe’ and ‘schedsvc.dll’ copied from the old system. This results in a call to a remote procedure call (RPC) called “SchRpcRegisterTask,” which is exposed by the Task Scheduler service. When a specific function, “int __stdcall tsched::SetJobFileSecurityByName(LPCWSTR StringSecurityDescriptor, const unsigned __int16 , int, const unsigned __int16 )”, is encountered, it opens the door to gaining system privileges.

“I assume that to trigger this bug you can just call into this function directly without using that schtasks.exe copied from Windows XP,” SandboxEscaper added in her Tuesday writeup, “but I am not great at reversing :(.”

Other researchers have tested the exploit and found it to be valid.

“I can confirm that this works as-is on a fully patched (May 2019) Windows 10 x86 system,” tweeted Will Dormann, a vulnerability analyst at CERT/CC. “A file that is formerly under full control by only SYSTEM and TrustedInstaller is now under full control by a limited Windows user. Works quickly, and 100% of the time in my testing.”

He said it works against a fully patched and up-to-date version of Windows 10, 32 and 64-bit, as well as Windows Server 2016 and 2019. Windows 8 and 7 are not vulnerable, he noted.

Microsoft, for its part, has yet to release an advisory or statement on the bug, which doesn’t yet have a CVE.

More Zero-Days on the Horizon?

SandboxEscaper also announced on her blog that she’s sitting on three other LPE vulnerabilities and another, fittingly, for escaping the Windows sandbox.

“If any non-western people want to buy LPEs, let me know,” she wrote. “(Windows LPE only, not doing any other research nor interested in doing so). Won’t sell for less than 60k for an LPE. I don’t owe society a single thing. Just want to get rich and give you *** in the west the middle finger.”

SandboxEscaper has a history of releasing fully functional Windows zero-days. Last August, she debuted another Task Scheduler flaw on Twitter, which was quickly exploited in the wild in a spy campaign just two days after disclosure. In October, SandboxEscaper released an exploit for what was dubbed the “Deletebug” flaw, found in Microsoft’s Data Sharing Service (dssvc.dll). And towards the end of 2018 she offered up two more: the “AngryPolarBearBug,” which allows a local unprivileged process to overwrite any chosen file on the system; and a vulnerability that allows an unprivileged process running on a Windows computer to obtain the content of an arbitrary file – even if permissions on that file don’t allow it read access.

“I believe her claim about four more vulnerabilities as she has demonstrated her abilities to find them in the past,” Kolsek told Threatpost.

Google stored G Suite passwords in plaintext for almost 15 years, the cloud giant acknowledged on Tuesday evening.

G Suite, Google’s brand of cloud computing, productivity and collaboration tools, software and products, had more than 5 million users as of February. Google said that it recently discovered the passwords for a “subset of enterprise G Suite customers” stored in plain text since 2005.

“This practice did not live up to our standards,” Suzanne Frey, VP of engineering for Google Cloud Trust, said in a post. “To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Enterprise, not consumer, accounts were impacted, said Google.

What Happened?

The best security practice is to store passwords as cryptographic hashes that mask the passwords to protect them – so when users set their passwords, instead of keeping the exact characters of the password, companies scramble it with a “hash function.” However, Google said that within G Suite it had made an error implementing a G Suite console for domain administrators that resulted in passwords being stored in plaintext – meaning they were not hashed and were left unscrambled.

The tool, located in the administrator console, allowed administrators to upload or manually set user passwords for their company’s users and was meant to help them onboard new users. However, due to an implementation error, the admin console was inadvertently storing passwords in plain text. The functionality no longer exists, said Google.

In a separate issue, Google also discovered that starting in January 2019, it inadvertently stored a subset of unhashed passwords – for a maximum of 14 days – in its encrypted infrastructure. “This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” said Frey. “We will continue with our security audits to ensure this is an isolated incident.”

Google has notified G Suite administrators to change impacted passwords and will reset accounts that have not already done so themselves. Google did not specify how many users were impacted by either incident.

Google Security Practices Blasted

The main issue is that the full extent of a security faux pas like this for years to come is still unknown, Robert Prigge, president of Jumio, said.

“That means, when G Suite users are logging into their accounts, we want to believe, really believe, that they are the legitimate account owners,” said Prigge in an email. “But, at the end of the day, we don’t know for sure. And the weakest link in the security chain is again Google’s username and password. Thanks to the Dark Web, phishing attacks and social engineering, there’s a huge quantity of user credentials available for purchase (for pennies).”

Another concern is the timeline: The fact that Google only recently discovered that G Suite passwords had been stored in plaintext since 2005 is troubling, said Kevin Gosschalk, CEO of Arkose Labs.

“Companies need to be constantly re-evaluating and testing their own security measures to make sure lapses in security or, in this instance, a faulty password setting and recovery offering, does not jeopardize its customers or their accounts,” Gosschalk said via email. “This mistake should have been recognized and prevented fourteen years earlier with proactive, ongoing security testing.”

Google is only the latest tech conglomerate to find itself in hot water over how it stores passwords. In March, Facebook said it found that hundreds of millions of user passwords were stored in plain text for years. And a year ago, in May 2018, Twitter said that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling to change their passwords.

After Facebook and Twitter, Google becomes the latest technology giant to have accidentally stored its users’ passwords unprotected in plaintext on its servers—meaning any Google employee with access to those servers could have read them.

In a blog post published Tuesday, Google revealed that its G Suite platform mistakenly stored unhashed passwords of some of its enterprise users on internal servers in plaintext for 14 years because of a bug in the password recovery feature.

G Suite, formerly known as Google Apps, is a collection of cloud computing, productivity, and collaboration tools designed for corporate users, with email hosting for their businesses. It’s basically a business version of everything Google offers.

The flaw, which has now been patched, resided in the password recovery mechanism for G Suite customers that allows enterprise administrators to upload or manually set passwords for any user of their domain without knowing their previous passwords, in order to help businesses with on-boarding employees and with account recovery. If an admin did set a password this way, the admin console would store a copy of it in plain text instead of hashing it, Google revealed.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password,” Google says.

However, Google also says that the plain text passwords were stored not on the open Internet but on its own secure encrypted servers, and that the company found no evidence of anyone’s password being improperly accessed.

“This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure,” Google says. “This issue has been fixed, and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google also clarifies that the bug was restricted to users of its G Suite apps for businesses and that no free Google accounts, such as Gmail, were affected.

Though the company did not disclose how many users might have been affected beyond saying the issue affected “a subset of our enterprise G Suite customers,” with more than 5 million G Suite enterprise customers the bug could affect a large number of users — presumably any user who used G Suite in the last 14 years.

To address the issue, Google has removed the capability from G Suite administrators and emailed them a list of impacted users, asking them to ensure that those users reset their passwords. Google says it will automatically reset passwords for users who do not change them themselves. “Out of an abundance of caution, we’ll reset accounts that have not done so themselves,” the tech giant says.

Google is the latest tech company to accidentally store unhashed passwords on its internal servers. Recently, Facebook was in the news for storing plaintext passwords for hundreds of millions of its users, on both Instagram and Facebook, on its internal servers. Almost a year ago, Twitter also reported a similar security bug that unintentionally exposed passwords for its 330 million users in readable text on its internal computer system.
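As an added example (not Google’s code; the record layout, the scrypt parameters and the audit helper are assumptions), this Python sketch covers the admin-console “set a user’s password” path discussed in both G Suite articles above: the fixed version persists only a salt and a memory-hard hash, while the buggy variant reproduces the class of error described, keeping a copy of the unhashed password next to the hash, which the audit check catches.

```python
import hashlib
import os
import secrets
from typing import Dict

# In-memory stand-in for the credential store (assumption).
USER_RECORDS: Dict[str, dict] = {}


def _derive(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard; these parameters (N=2^14, r=8, p=1, ~16 MiB) are an
    # interactive-login setting chosen for this example, not a recommendation from the articles.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def admin_set_password(username: str, new_password: str) -> dict:
    """Admin onboarding/recovery path: sets a password without knowing the old one.

    Only the salt and the derived hash are stored; the cleartext never reaches the record.
    must_rotate marks the account so the user is forced to choose their own password."""
    salt = os.urandom(16)
    record = {"salt": salt, "hash": _derive(new_password, salt), "must_rotate": True}
    USER_RECORDS[username] = record
    return record


def admin_set_password_buggy(username: str, new_password: str) -> dict:
    """The error class described above: the hash is stored, but a cleartext copy is kept too."""
    record = admin_set_password(username, new_password)
    record["cleartext_copy"] = new_password  # this field is the bug
    return record


def verify_password(username: str, candidate: str) -> bool:
    record = USER_RECORDS.get(username)
    if record is None:
        return False
    return secrets.compare_digest(_derive(candidate, record["salt"]), record["hash"])


def stores_cleartext(record: dict, password: str) -> bool:
    """Audit check: does any stored field hold the password in directly readable form?"""
    return any(value == password for value in record.values() if isinstance(value, str))
```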

An anonymous hacker with the online alias “SandboxEscaper” today released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting the Windows 10 operating system—that’s his/her 5th publicly disclosed Windows zero-day exploit [1, 2, 3] in less than a year.

Published on GitHub, the new Windows 10 zero-day vulnerability is a privilege escalation issue that could allow a local attacker or malware to gain and run code with administrative system privileges on the targeted machines, eventually allowing the attacker to gain full control of the machine.

The vulnerability resides in Task Scheduler, a utility that enables Windows users to schedule the launch of programs or scripts at a predefined time or after specified time intervals.

SandboxEscaper’s exploit code makes use of SchRpcRegisterTask, a method in Task Scheduler to register tasks with the server, which doesn’t properly check for permissions and can, therefore, be used to set an arbitrary DACL (discretionary access control list) permission.

“This will result in a call to the following RPC “_SchRpcRegisterTask,” which is exposed by the task scheduler service,” SandboxEscaper said.

A malicious program or a low-privileged attacker can run a malformed .job file to obtain SYSTEM privileges, eventually allowing the attacker to gain full access to the targeted system. SandboxEscaper also shared a proof-of-concept video showing the new Windows zero-day exploit in action.

The vulnerability has been tested and confirmed to work on a fully patched and updated version of Windows 10, 32-bit and 64-bit, as well as Windows Server 2016 and 2019.

More Windows Zero-Day Exploits to Come

Besides this, the hacker also teased that he/she still has 4 more undisclosed zero-day bugs in Windows, three of which lead to local privilege escalation and the fourth of which lets attackers bypass sandbox security.

The details and exploit code for the new Windows zero-day came just a week after Microsoft’s monthly patch updates, which means no patch currently exists for this vulnerability, leaving anyone free to exploit and abuse it. Windows 10 users will need to wait for a fix until Microsoft’s next monthly security updates—unless the company comes up with an emergency update.

By Uzair Amir

The leaked database was discovered on Shodan on May 14th. A huge online database containing private contact information, including phone numbers and email IDs, of roughly 50 million Instagram profiles, including those of influencers and brands, has reportedly been discovered by security researcher Anurag Sen. The affected individuals include famous food bloggers and celebrities too […]

This is a post from HackRead.com. Read the original post: Database with millions of Instagram influencers’ info leaked online
