Category Archives: Security Alert

FormBook Infostealer Malware

FormBook has grown in popularity recently and has been spotted as part of several malware distribution campaigns. It can be purchased for a relatively low price and is able to execute commands from its command and control (C2) server, enabling the attacker to execute files, start processes and steal passwords.

Another notable feature of the kit, called the “Lagos Island method” by its creator, can disable user-mode hooking and Application Programming Interface (API) monitoring on target systems.

The malware has been deployed through many files and methods, including malicious links in .pdf files, macro-enabled .doc files and archive files (such as .zip and .rar) containing .exe payloads.

Affected Platforms:

Microsoft Windows – all versions

Resolution:

  • Ensure users are aware of basic anti-phishing practice (don’t open attachments from senders you don’t recognise).
  • Maintain up-to-date anti-virus.
  • Be wary of attachments in PDF, DOC, XLS, ZIP, RAR, ACE and ISO formats.
  • Monitor logs for indicators of compromise.

Microsoft Internet Explorer 9, 10 and 11 Multiple Flaws

Multiple vulnerabilities were reported in Microsoft Internet Explorer. A remote user can cause arbitrary code to be executed on the target user’s system. A remote user can obtain potentially sensitive information on the target system.

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error and execute arbitrary code on the target user’s system [CVE-2017-11822, CVE-2017-11813].

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error and access potentially sensitive information on the target user’s system [CVE-2017-11790].

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error and execute arbitrary code on the target user’s system [CVE-2017-11793, CVE-2017-11809, CVE-2017-11810]. This can also be exploited via an embedded ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.

Hui Gao of Palo Alto Networks, Heige (a.k.a. SuperHei) of Knownsec 404 Security Team, Jaanus Kp of Clarified Security (via Trend Micro’s Zero Day Initiative), Dmitri Kaslov of Telspace Systems, Yixiang Zhu of the National Engineering Lab for Mobile Internet System and Application Security, China, Lokihardt of Google Project Zero, Ivan Fratric of Google Project Zero, and Atte Kettunen of F-Secure reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user’s system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix.

The Microsoft advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11790
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11809
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11810
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11813
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11822

ISMInjector Trojan

ISMInjector is a trojan that injects malware into legitimate processes and has anti-analysis capabilities to avoid detection.

Currently a spear-phishing campaign is being used to deliver the trojan to users’ systems. The attackers send malicious .zip files that attempt to run in Microsoft Word. The macro in the Word documents runs a PowerShell command that begins the installation of ISMInjector via the CVE-2017-0199 vulnerability.

Affected Platforms:

  • Microsoft Office 2007 (SP3), 2010 (SP2), 2013 (SP1) and 2016
  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP2
  • Windows 7 SP1
  • Windows 8

To prevent and detect a trojan infection, ensure that:

  • A robust programme of education and awareness training is delivered to users so that they don’t open attachments or follow links in unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from infected machines are reset from a clean computer.

RSA Encryption Vulnerability – Practical Factorisation Attack

Flawed chipsets used by PCs to generate RSA encryption keys have a vulnerability which has weakened the security of stored passwords, encrypted disks and documents. The flaw has been found in cryptographic smartcards, security tokens, chipsets and secure hardware manufactured by Infineon Technologies. Their cryptographic chips and Trusted Platform Modules (TPMs) are also integrated within authentication, signature and encryption tokens of other vendors and chips.

The Return of Coppersmith’s Attack (ROCA) vulnerability relates to the TPM used to cryptographically sign and protect computer systems and services. The flaw was discovered in the implementation of RSA keypair generation in a cryptographic library, allowing what is called a “practical factorisation” attack. This attack permits an attacker to recover the private key from a target’s public key alone, given sufficient time and computing power. The attack is possible for common key lengths, including 1024 and 2048 bits.

Note that the RSA algorithm itself is not at fault; rather, faulty products implement it incorrectly and produce poorly randomised keys.

Affected Platforms:

  • Infineon
  • Google
  • Lenovo
  • HP
  • Fujitsu
  • Microsoft
  • If not listed, check devices for NIST FIPS 140-2 or CC EAL 5+ certified hardware.
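Because ROCA keys share a detectable structure, affected public keys can be recognised from the modulus alone. The following is an added example, not code from the advisory or from the ROCA researchers: a from-scratch implementation of the published fingerprint test (the modulus is congruent to a power of 65537 modulo every small prime up to 167), which a defender can run over an inventory of public keys to find ones that need replacing. The sample moduli are constructed integers, not real keys.

```python
"""ROCA key fingerprint check (added example, not from the advisory).

Keys produced by the flawed library have primes of the form
p = k*M + (65537^a mod M), where M is a product of small primes.
Hence N = p*q satisfies  N mod r  in  <65537 mod r>  for every small
prime r dividing M. A modulus that breaks this for even one r cannot
be a ROCA key. The prime bound 167 follows the published fingerprint;
an unaffected key passes every check only with negligible probability.
"""
from typing import List, Set

GENERATOR = 65537   # public exponent used by the flawed generator
PRIME_BOUND = 167   # largest small prime used by the fingerprint


def small_primes(bound: int) -> List[int]:
    """Odd primes up to bound (inclusive), by trial division."""
    primes: List[int] = []
    for n in range(3, bound + 1, 2):
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
    return primes


def generator_residues(r: int) -> Set[int]:
    """Subgroup of Z_r^* generated by 65537, i.e. all 65537^k mod r."""
    residues: Set[int] = set()
    x = 1
    while x not in residues:
        residues.add(x)
        x = (x * GENERATOR) % r
    return residues


def roca_fingerprint_failures(n: int) -> List[int]:
    """Small primes r for which n mod r lies outside <65537 mod r>.

    An empty list means n carries the ROCA fingerprint.
    """
    return [r for r in small_primes(PRIME_BOUND)
            if (n % r) not in generator_residues(r)]


def has_roca_fingerprint(n: int) -> bool:
    """True if the modulus n looks like it came from the flawed generator."""
    return not roca_fingerprint_failures(n)


if __name__ == "__main__":
    # Constructed sample values, not real keys: 65537**5 is a power of 65537
    # modulo every small prime, so it matches the fingerprint; 2**2048 - 1 is
    # 2 mod 11 while <65537 mod 11> = {1, 10}, so it fails at r = 11.
    for label, n in [("constructed ROCA-like", 65537 ** 5),
                     ("constructed non-ROCA", 2 ** 2048 - 1)]:
        print(label, "->", has_roca_fingerprint(n))
```

For real keys, extract the modulus from the certificate or public key and pass it as an integer; a positive result means the key should be regenerated on patched or replaced hardware.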

Resolution:

  • Users and administrators are encouraged to apply the necessary updates. HP, Google, Microsoft, Lenovo and Fujitsu have patches available.
  • Increase the key lengths to more than 2048 bit.
  • If a sensitive device cannot be patched, consider replacing the device.

Last week, Lenovo, Microsoft, Google and Infineon each issued security bulletins regarding the weakness and warned customers to update their impacted systems.

HPE Intelligent Management Center Service Operation Management Flaw

A vulnerability was reported in HPE Intelligent Management Center Service Operation Management. A remote user can obtain files on the target system.

A remote user can send a specially crafted request to download arbitrary files on the target system.

Tenable Inc. reported this vulnerability.

Impact:   A remote user can obtain files on the target system.

Solution:   HPE has issued a fix (SOM 7.3 E0501P01).

Resolution:

HPE has made the following software updates to resolve the vulnerability in Intelligent Management Center Service Operation Management. The updates that address the vulnerability are in version 7.3 E0501P01.

  • iMC SOM – Version: Fixed in IMC SOM 7.3 E0501P01
    • HP Network Products
      • JG139A HPE IMC Service Operation Management Software Module License
      • JG139AAE HPE IMC Service Operation Management Software Module E-LTU

The HPE advisory is available at:

Vendor URL:  h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03776en_us

CVE Reference:   CVE-2017-12555

Oracle Issues Fix for Oracle Linux – KRACK WPA2 Hack

Multiple vulnerabilities were reported in wpa_supplicant. A remote user on the wireless network can access and modify data on the wireless network.

A remote user within range of the wireless network can record and replay retransmissions of part of the 802.11i 4-way handshake of the WPA and WPA2 protocols to force a reinstallation of the pairwise transient key, a group key, or an integrity key and force a reset of the incremental transmit packet number nonce and the receive replay counter. As a result, the remote user can replay encrypted packets, decrypt packets, and forge packets.

Both client systems and access points are affected.

A remote user on the wireless network can reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13077].

A remote user on the wireless network can reinstall the group key (GTK) [CVE-2017-13078, CVE-2017-13080].

A remote user on the wireless network can reinstall the integrity group key (IGTK) [CVE-2017-13079, CVE-2017-13081].

A remote user on the wireless network can retransmit the Fast BSS Transition (FT) Reassociation Request and reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13082].

A remote user on the wireless network can reinstall the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake [CVE-2017-13086].

A remote user on the wireless network can reinstall the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13087].

A remote user on the wireless network can reinstall the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13088].

This set of vulnerabilities is referred to as KRACK (Key Reinstallation AttaCK).

The original advisory is available at:

https://papers.mathyvanhoef.com/ccs2017.pdf

Additional information is available at:

https://www.krackattacks.com/

Mathy Vanhoef and Frank Piessens from Katholieke Universiteit Leuven reported these vulnerabilities. John Van Boxtel from Cypress reported one vulnerability.

[Editor’s note: The vulnerabilities reside in the WPA and WPA2 protocol specification and are not due to incorrect vendor implementation of the standards.]

Impact:   A remote user on the wireless network can access and modify data on the wireless network.

Solution:   Oracle has issued a fix for CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, and CVE-2017-13087.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2017-2911.html

Vendor URL:  linux.oracle.com/errata/ELSA-2017-2911.html 

Red Hat Issues Fix for KRACK WPA2 WiFi

Multiple vulnerabilities were reported in wpa_supplicant. A remote user on the wireless network can access and modify data on the wireless network.

A remote user within range of the wireless network can record and replay retransmissions of part of the 802.11i 4-way handshake of the WPA and WPA2 protocols to force a reinstallation of the pairwise transient key, a group key, or an integrity key and force a reset of the incremental transmit packet number nonce and the receive replay counter. As a result, the remote user can replay encrypted packets, decrypt packets, and forge packets.

Both client systems and access points are affected.

A remote user on the wireless network can reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13077].

A remote user on the wireless network can reinstall the group key (GTK) [CVE-2017-13078, CVE-2017-13080].

A remote user on the wireless network can reinstall the integrity group key (IGTK) [CVE-2017-13079, CVE-2017-13081].

A remote user on the wireless network can retransmit the Fast BSS Transition (FT) Reassociation Request and reinstall the pairwise encryption key (PTK-TK) [CVE-2017-13082].

A remote user on the wireless network can reinstall the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake [CVE-2017-13086].

A remote user on the wireless network can reinstall the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13087].

A remote user on the wireless network can reinstall the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame [CVE-2017-13088].

This set of vulnerabilities is referred to as KRACK (Key Reinstallation AttaCK).
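The key-reinstallation mechanism described in this entry and in the Oracle entry above, as an added example that is not from the advisories or from wpa_supplicant: a simplified Python model of a supplicant’s handler for 4-way handshake message 3, comparing the pre-patch behaviour (every message 3 reinstalls the key and resets the packet-number nonce) with the common fix of refusing to reinstall a pairwise key that is already in use. The key bytes, frame counts and field names are constructed for illustration.

```python
"""Model of a WPA2 supplicant handling 4-way handshake message 3.

Added illustration (not wpa_supplicant code). Only the key-install state
and the CCMP transmit packet number, which serves as the per-key nonce,
are modelled; handshake contents and encryption are omitted.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Supplicant:
    reject_reinstall: bool                  # True models the patched behaviour
    tk: Optional[bytes] = None              # installed pairwise temporal key
    tx_pn: int = 0                          # transmit packet number (nonce)
    sent_nonces: List[int] = field(default_factory=list)

    def handle_msg3(self, tk: bytes) -> str:
        """Process message 3 (or a retransmission of it) carrying key tk."""
        if self.reject_reinstall and self.tk == tk:
            # Patched: the key is already live. Reply with message 4 but
            # leave the key and its packet number untouched.
            return "ack-only"
        # Unpatched: (re)install the key; the driver resets the nonce to 0,
        # so the next frames reuse packet numbers already sent under tk.
        self.tk = tk
        self.tx_pn = 0
        return "installed"

    def send_frame(self) -> int:
        """Encrypt one data frame; CCMP increments the packet number."""
        self.tx_pn += 1
        self.sent_nonces.append(self.tx_pn)
        return self.tx_pn


def simulate(reject_reinstall: bool) -> List[int]:
    """Handshake, three frames, a replayed message 3, two more frames."""
    sup = Supplicant(reject_reinstall)
    tk = b"\x11" * 16                       # constructed key, not a real one
    sup.handle_msg3(tk)
    for _ in range(3):
        sup.send_frame()
    sup.handle_msg3(tk)                     # retransmitted/replayed message 3
    for _ in range(2):
        sup.send_frame()
    return sup.sent_nonces


def nonce_reused(nonces: List[int]) -> bool:
    """True if any packet number was used twice under the same key."""
    return len(set(nonces)) != len(nonces)


if __name__ == "__main__":
    for patched in (False, True):
        seq = simulate(patched)
        print("patched" if patched else "unpatched", seq, nonce_reused(seq))
```

The same duplicate-packet-number check, applied per transmitter and key to captured frames, is one way a wireless IDS can spot a reinstallation having occurred on the network.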

The original advisory is available at:

https://papers.mathyvanhoef.com/ccs2017.pdf

Additional information is available at:

https://www.krackattacks.com/

Mathy Vanhoef and Frank Piessens from Katholieke Universiteit Leuven reported these vulnerabilities. John Van Boxtel from Cypress reported one vulnerability.

[Editor’s note: The vulnerabilities reside in the WPA and WPA2 protocol specification and are not due to incorrect vendor implementation of the standards.]

Impact:   A remote user on the wireless network can access and modify data on the wireless network.

Solution:   Red Hat has issued a fix for CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, and CVE-2017-13087.

The Red Hat advisory is available at:

https://access.redhat.com/errata/RHSA-2017:2911

Vendor URL:  access.redhat.com/errata/RHSA-2017:2911

Cause:   Access control error, State error

Underlying OS:  Linux (Red Hat Enterprise)

Security Updates Available For Flash Player – APSB17-32

Adobe has released a security update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a critical type confusion vulnerability that could lead to code execution.

Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.

Affected Product Versions

Adobe Flash Player Desktop Runtime – Version 27.0.0.159 – Windows, Macintosh

Adobe Flash Player for Google Chrome – Version 27.0.0.159 – Windows, Macintosh, Linux and Chrome OS

Adobe Flash Player for Microsoft Edge and Internet Explorer 11 – Version 27.0.0.130 – Windows 10 and 8.1

Adobe Flash Player Desktop Runtime – Version 27.0.0.159 – Linux

How To Update

  • Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 27.0.0.170 via the update mechanism within the product or by visiting the Adobe Flash Player Download Center.
  • Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 27.0.0.170 for Windows, Macintosh, Linux and Chrome OS.
  • Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 27.0.0.170.
  • Please visit the Flash Player Help page for assistance in installing Flash Player.

There is also the following update from Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170018

Users who have selected the option to ‘Allow Adobe to install updates’ will receive the update automatically. Users who do not have the ‘Allow Adobe to install updates’ option enabled can install the update via the update mechanism within the product when prompted.

How To Check Your Adobe Flash Version

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser installed on your system.

Microsoft Has Fixed WPA2 KRACK Attacks On Supported Operating Systems

Technology companies are responding to a new Wi-Fi exploit (known as KRACK) affecting all modern Wi-Fi networks using WPA or WPA 2 encryption.

Microsoft says it has already fixed the problem for customers running supported versions of Windows. “We have released a security update to address this issue,” says a Microsoft spokesperson in a statement. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

Microsoft says the Windows updates released on October 10th protect customers, and the company “withheld disclosure until other vendors could develop and release updates.”

The updates are available via Windows Update, but if you need to install manually, here is the link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080

New Rowhammer Attack Bypassing Countermeasures

A new variation of the Rowhammer attack has been identified.

This attack is capable of bypassing all previous countermeasures, which can lead to personal systems being targeted. The aim of the attack is to achieve a privilege escalation or to target corporate cloud systems with denial of service attacks. The attack does, however, require access to the device via a low-level account from a previous exploit or other means.

The new variant of Rowhammer bombards a single row of memory cells instead of multiple locations. It is this change of method that allows the attack to bypass all previous mitigations. The downside for the attacker is that the attack takes longer to complete.

Affected Platforms:

Dynamic Random Access Memory (DRAM)

Resolution:

There is currently no workaround available.

Monitor logs on cloud networks to detect anomalies that could indicate a DoS attack is being attempted.

Monitor for development of new countermeasures being released.