May 2018 Android Security Bulletin includes additional Meltdown fix

May 2018 Android Security Bulletin includes additional Meltdown fix

Google releases additional Meltdown mitigations for Android as part of the May 2018 Android Security Bulletin. The tech giant also addresses flaws in NVIDIA and Qualcomm components.

Both Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack (CVE-2017-5754 vulnerability) could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The good news is that Meltdown attacks are not easy to conduct and the risk of exploitation is considered low.

Early this year,  Google released mitigations for both Meltdown and Spectre attacks, and not delivered additional mitigations. The Meltdown mitigation was addressed along with the information disclosure flaw in USB driver tracked as CVE-2017-16643.

“The most severe vulnerability in this section [Kernel components] could enable a local malicious application to bypass operating system protections that isolate application data from other applications,” reads the security advisory published by Google.

The May 2018 Android Security Bulletin is composed of two parts, the first one being the 2018-05-01 security patch level, that addresses seven High severity issues (CVE-2017-13309, CVE-2017-13310, CVE-2017-13311, CVE-2017-13312, CVE-2017-13313, CVE-2017-13314, CVE-2017-13315) in Android runtime, Framework, Media framework, and System.

The flaws addressed in the 2018-05-01 security patch level include Information Disclosure, Elevation of Privilege, and Denial of Service that affects Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1 releases.

The second section is the “2018-05-05 security patch level vulnerability details” that includes details for each of the security vulnerabilities that apply to the 2018-05-05 patch level.

The 2018-05-05 security patch level includes patches for security vulnerabilities affecting NVIDIA and Qualcomm components.

Three vulnerabilities that were fixed in the NVIDIA components are CVE-2017-6289, CVE-2017-5715, CVE-2017-6293, respectively a critical elevation of privilege, an information disclosure and an elevation of privilege ranked as High risk.

“The most severe vulnerability in this section could enable a local malicious application to execute arbitrary code within the context of the TEE.” continues the advisory.

Google addressed 11 vulnerabilities in Qualcomm components, including a Critical remote code execution flaw that could be exploited by an attacker over WLAN. The remaining issued are 9 elevation of privilege vulnerabilities and one denial of service issue.

HiddenMiner Android Cryptocurrency miner can brick your device

HiddenMiner Android Cryptocurrency miner can brick your device

Researchers at Trend Micro recently discovered a new strain of Android miner dubbed ANDROIDOS HIDDENMINER that can brick infected devices

Crooks are looking with increasing interest cryptocurrency mining malware developed for mobile devices.

Researchers at Trend Micro recently discovered a new strain of Android malware dubbed ANDROIDOS HIDDENMINER that abuse device CPU to mine Monero cryptocurrency.

HiddenMiner also implements evasion techniques, it is able to bypass automated analysis by checking if it’s running in a virtualized environment by abusing an Android emulator detector found on Github.

“We uncovered a new Android malware that can surreptitiously use the infected device’s computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER.” reads the analysis published by Trend Micro.

“This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLockerAndroid ransomware).”

The experts were able to find the Monero mining pools and wallets connected to the HiddenMiner malware, they learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. This information suggests that the operators are currently active.

hiddenminer wallet activities

HiddenMiner abuse the device’s CPU power to mine Monero, unfortunately, the computational effort is so important that the CPU can overheat causing the device to lock, fail, and be permanently damaged.

“There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted.” continues the analysis.

“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.”

This behavior was already observed in the past, the Loapi Monero-mining malware caused a device’s battery to bloat.

HiddenMiner, like Loapi, uses to lock the device screen after revoking device administration permissions.

The ANDROIDOS HIDDENMINER is currently being delivered through a fake Google Play update app, experts found it on third-party app marketplaces.

The miner is mainly affecting users in India and China, but experts fear it could rapidly target other countries.

Malware developers are abusing Device Administration Permission, experts pointed out that users can’t uninstall an active system admin package until device administrator privileges are removed first.

Victims of the HiddenMiner’s cannot remove the miner from device administrator as it employs a trick to lock the device’s screen when a user wants to deactivate its device administrator privileges. Experts explained that it exploits a vulnerability found in Android operating systems except for Nougat and later versions.

“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave.” concluded Trend Micro. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”

MITRE is evaluaMITRE is evaluating a service dubbed ATT&CK for APT detectionting a service dubbed ATT&CK for APT detection

MITRE is evaluaMITRE is evaluating a service dubbed ATT&CK for APT detectionting a service dubbed ATT&CK for APT detection

MITRE is evaluating a new service dubbed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) for APT detection.

MITRE is going to offer a new service dubbed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) to evaluate products based on their ability in detecting advanced persistent threats.

“MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.” reads the MITRE’s official page. “ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.”

ATT&CK

The MITRE ATT&CK service will evaluate endpoint detection and response products for their ability to detect advanced threats.

“There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principle cybersecurity engineer at MITRE.

Duff explained MITRE will adopt a transparent methodology and knowledge base that will make easy to interpret results obtained with its service.

In my opinion, sharing information about attackers’ TTPs is essential and such kind of initiative is very important for cyber security community.

Jessica Payne from Microsoft Windows Defender praised the MITRE ATT&CK service.

The knowledge base was initially collected as a tool to allow red team members to communicate more easily with blue team members and corporate executives, it comes from publicly available sources.

“ATT&CK provides a common framework for evaluating post-breach capabilities,” said Duff. “We believe that objective and open testing based on ATT&CK will advance capabilities and help drive the entire endpoint detection and response market forward.”

According to Duff, internal MITRE information doesn’t contaminate the knowledge base.

In this phase, MITRE intends to evaluate its service and its efficiency, the first case study will be based on APT3/Gothic Panda and will evaluate the ability of products in detecting this threat.

“As part of their participation in MITRE’s impartial cyber evaluation, cybersecurity vendors will be provided clear articulation of their capabilities, as well as access to MITRE’s cyber experts’ feedback for improving their products.” reads the statement published by MITRE. “Details captured will include the ATT&CK technique tested, specific actions the assessors took to execute, and details on the product’s ability to detect the emulated adversary behavior.”

MITRE, for this first round, call for vendors to contribute until April 13, 2018.

VPNs & Privacy Browsers leak users’ IPs via WebRTC

VPNs & Privacy Browsers leak users’ IPs via WebRTC

The security researcher Dhiraj Mishra (@mishradhiraj_) has studied how VPNs & Privacy Browsers leak users’ IPs via WebRTC

Hi Internet,

You might have heard about VPN’s & Privacy Browsers leaking users’ IPs via WebRTC [1[2]
Summary:
Got CVE-2018-6849 reserved, wrote a Metasploit Module for this issue which uses WebRTC and collects the leak private IP address, however this module may be implemented as a new library in (browser_exploit_server.rb) in MSF. #cheers What is WebRTC ?
WebRTC (Web Real-Time Communication) provides supports to web browser on a real-time communication via API.So let’s get started….There are “multiple” online services and JavaScript code available which uses WebRTC function. Even if you are using VPN’s or Privacy based browsers it leaks your actual public and private IP address.I think this is more of a privacy issue rather than security if we talk specifically in browser-based bug bounty, however, such information can help an attacker to do further recon/attack if they are in the same network.Most of the browser have WebRTC enabled by default,Mozilla Team says :This is a well-known property of webrtc – see the duplicate bug.
http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-07#section-5.4

Chrome Team says : We’ve already done what we plan to do, following the guidelines in https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-04. And we offer a “Network Limiter” extension (https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia?hl=en) to turn on more restrictive modes.Don’t forget Facebook even they have Webkits and it is vulnerable too.
Facebook Team says :

Hi Dhiraj,

Thank you for your report. We’ve looked into your finding but determined the information being leaked is not sensitive enough to warrant a bounty. We may consider leakage of a victims referrer header, but it would have to display a full and potentially sensitive path. However, we have protections in place which prevent this from happening. Although this finding doesn’t qualify we still appreciate your time and effort sending it in.

Okay if your an android lover, you would be aware with android webkit though, The android webkit also leaks IP address as well, I tested this on Nokia 8 android 8.1.0 and the issue still exists.

Android Team says: 

The Android security team has conducted an initial severity assessment on this report. Based on our published severity assessment matrix (1) it was rated as not being a security vulnerability that would meet the severity bar for inclusion in an Android security bulletin.

Pheewww !  then what, I started targeting privacy browser and the very first browser came in my mind was DuckDuck Go which has 1,000,000+download rate in Android market and being an privacy based browser the WebRTC was enabled over there and it leaks your IP address, I reported the same to DD Go Security Team.

Duck Duck Go Team says:
Hi again Dhiraj,

Thank you for trying out the new browser and for sending this report,
including the security team. They’re currently looking into this and
I’ll let you know if any further information is needed.

There’s a similar discussion in the Firefox Focus for Android repository
on GitHub, so we’ll keep an eye on that too:
https://github.com/mozilla-mobile/focus-android/issues/609
  
Hmmmm cool, then CVE-2018-6849was assign for this issue, However I keep on taking follow up for them but they are taking too long time to patch. #Unpatched

Then I thought of creating module for this, many thanks to Brendan Coles who helped me in this and even suggested this can be used has a functionality to a HTTP library would be more useful, as it could be leveraged by existing exploits and info gathering modules.

WebRTC ip leak
Working of my MSF Module on DuckDuck Go Privacy Browser

In between RageLtMan also gave his thoughts that “I could actually see a benefit to this being in lib for use by things like #8648. I can inject the separate script ref in the response via the MITM mechanism, but would be cool to just generate and serve the JS directly (for any script we think will have more than 2 weeks of lifetime in browsers). Thanks for the PR”

Outcome:
So lets see, I started with private IP leak vulnerability which turned to CVE-2018-6849, which gave rise to a Metasploit module, which will in turn became a part of MSF library,

now that’s cool. Hope you like the read……
About the Author: Security Researcher Dhiraj Mishra ()
Philippine central bank has thrown an alert after SWIFT hackers hit Malaysia central bank

Philippine central bank has thrown an alert after SWIFT hackers hit Malaysia central bank

The Philippine central bank has thrown an alert to local financial institutions following a cyber attack against the SWIFT servers at the Malaysian central bank.

The Philippine central bank has thrown an alert to local financial institutions following a cyber attack against the Malaysian central bank.

According to Malaysian governor, the hackers attempted to steal money through fraudulent wire transfers, the good news is that the attack failed.

Bank Negara Malaysia confirmed that no funds were lost in the cyber attack, the hackers sent fake wire-transfer requests over the SWIFT bank messaging network to the target bank in order to trick it to transfer the money.

“We issued a general alert reminder as soon as we got BNM advisory to be extra careful over the long holiday. Although banks already do that as SOP (standard operating procedure),”Bangko Sentral ng Pilipinas Governor Nestor Espenilla said in a phone message.

At the time of writing is still unclear who is behind the attack or the way the hacker breached the SWIFT systems used by the bank.

“Bank Negara did not say who was behind the hack or how they accessed its SWIFT servers. The central bank, which supervises 45 commercial banks in Malaysia, said on Thursday there was no disruption to other payment and settlement systems the central bank operates because of the cyber attack.” reported the Straits Times.

SWIFT

Bank Negara said it had taken additional security measures to protect its stakeholders.

“All unauthorised transactions were stopped through prompt action in strong collaboration with SWIFT, other central banks and financial institutions,” it said in a statement.

The Philippine banks were also involved in the clamorous 2016 cyber heist when hackers stole US$81 million from the Bangladesh central bank, at the time the hackers transferred money into several accounts at Manila-based Rizal Commercial Banking Corp (RCBC) and then used them into the local casino industry.

The Philippine central bank fined RCBC a record one billion pesos (US$20 million) in 2016 for the failure to prevent the fraudulent transfers of money.

RCBC sustained that a rogue employee was responsible for the movement.

Mr Abu Hena Mohd. Razee Hassan, deputy governor of Bangladesh Bank, said the latest attack against the Malaysian central bank showed that the SWIFT platform remained vulnerable.

“After the attack on our central bank, SWIFT took several measures to protect the system globally but yet this is happening, meaning criminals have more ability and more capable weapons,” Mr Razee Hassan told Reuters in Dhaka.

“So this is the time to further improve the financial transfer system globally.”