CYBAZE-News

In the last few days I have done some analysis on malicious documents, especially PDF. Then I thought, “Why not turn a PDF analysis into an article?”

Let’s go to our case study:

I received a scan request for a PDF file that had been reported to an antivirus vendor's support, which replied that the file was not malicious. Because the vendor's analysis was not satisfactory, the team responsible for handling the incident requested a second opinion, since other antivirus tools reported the document as malicious. The team needed evidence to prove the risk involved in the file.

While conducting an initial analysis of the file, I identified something suspicious.

After analyzing the object structure of the PDF, it is possible to identify a malicious URL that is called while the document is being opened; that is, when the user opens the file on their workstation, the call to the URL is made in a concealed way.

A domain lookup leads to the IP address bound to it.

A URL reputation analysis shows a malicious history.

An IP reputation analysis also shows a malicious history.
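The object-structure check described above can be scripted. The following is an added example, not the author's tooling: it parses a PDF's indirect objects, resolves `/OpenAction` and `/AA` entries to their action dictionaries and reports any that reach outside the document. The sample bytes and the `example.invalid` URLs are constructed.

```python
import re

# Indirect objects: "<num> <gen> obj ... endobj". Objects packed inside
# compressed object streams (/ObjStm) are not inflated in this sketch.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R\b")
TYPE_RE = re.compile(rb"/S\s*/([A-Za-z]+)")  # action type, e.g. /S /URI
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Action types that leave the document or run code.
RISKY = {b"URI", b"Launch", b"JavaScript", b"GoToR", b"SubmitForm", b"ImportData"}
# /OpenAction runs when the document opens; /AA holds additional event-driven actions.
TRIGGERS = (b"/OpenAction", b"/AA")


def normalize(body):
    """Decode #xx escapes so a name written as /Open#41ction matches /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), body)


def value_after(body, key):
    """Return each value following `key`: an 'n g R' reference or a balanced << >> dict."""
    values = []
    for m in re.finditer(re.escape(key) + rb"(?![A-Za-z])\s*", body):
        rest = body[m.end():]
        ref = REF_RE.match(rest)
        if ref:
            values.append(ref.group(0))
        elif rest.startswith(b"<<"):
            depth, i = 0, 0
            while i < len(rest):
                if rest[i:i + 2] == b"<<":
                    depth, i = depth + 1, i + 2
                elif rest[i:i + 2] == b">>":
                    depth, i = depth - 1, i + 2
                    if depth == 0:
                        break
                else:
                    i += 1
            values.append(rest[:i])
    return values


def actions_from(value, objs, seen):
    """Yield the action dictionary behind `value`, then any chained /Next actions."""
    ref = REF_RE.fullmatch(value.strip())
    if ref:
        key = (int(ref.group(1)), int(ref.group(2)))
        if key in seen or key not in objs:
            return
        seen.add(key)
        value = objs[key]
    yield value
    for nxt in value_after(value, b"/Next"):
        yield from actions_from(nxt, objs, seen)


def find_auto_actions(data):
    """Return (object number, trigger, action type, URI or None) for risky actions."""
    objs = {k: normalize(v) for k, v in
            (((int(n), int(g)), b) for n, g, b in OBJ_RE.findall(data))}
    findings = []
    for objid, body in sorted(objs.items()):
        for trigger in TRIGGERS:
            for value in value_after(body, trigger):
                seen = set()
                roots = list(actions_from(value, objs, seen))
                if trigger == b"/AA" and roots:
                    # /AA is a container: event name -> action (inline or by reference).
                    for ref in REF_RE.finditer(roots[0]):
                        roots += actions_from(ref.group(0), objs, seen)
                for action in roots:
                    for kind in TYPE_RE.findall(action):
                        if kind in RISKY:
                            uri = URI_RE.search(action)
                            findings.append((objid[0], trigger.decode(), kind.decode(),
                                             uri.group(1).decode("latin-1") if uri else None))
    return findings


# Constructed sample: the catalog hides /OpenAction behind a #41 escape and points
# it at a URI action; object 5 is an ordinary clickable link and is not reported.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Action /S /URI /URI (http://tracker.example.invalid/p?id=1) >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://docs.example.invalid/) >> >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for num, trigger, kind, uri in find_auto_actions(SAMPLE_PDF):
        print(f"object {num}: {trigger} -> {kind} {uri or ''}")
```

The URL it reports is what would then go through the domain, URL and IP reputation checks.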

The interesting thing is that years ago we would never have said that infection was possible through malicious code, URLs or shellcode hidden by obfuscation inside documents such as PDF, DOC, DOCx, XLS, XLSx and PPT. Most security tools must keep adapting to this new reality of attack and infection.

It is essential that security professionals are increasingly able to carry out this type of analysis, which antivirus tools are usually not able to do. I leave here a hint about the importance of studying malicious document analysis.

About the author: Zoziel Freire

Cyber Security Analyst; Content Writer of the portal www.infosectrain.com; malicious document analyst; CompTIA Security Analytics Professional; LPIC-3 Enterprise Linux Professionals; CompTIA Cybersecurity Analyst

LinkedIn: https://www.linkedin.com/in/zozielfreire/

Twitter: https://twitter.com/zoziel

Pierluigi Paganini

(SecurityAffairs – PDF analysis, hacking)

The post Malicious PDF Analysis appeared first on Security Affairs.

A destructive cyberattack hit the email provider VFEmail: a hacker wiped its servers in the United States, including the backup systems.

An unknown attacker launched a destructive cyberattack against the email provider VFEmail, erasing information on its servers, including backups; 18 years' worth of customer emails were lost.

“We have suffered catastrophic destruction at the hands of a hacker. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,” reads the statement published by the company on its website.

On Monday, the email provider confirmed that their systems in multiple datacenters were down after a hacker started formatting them.
The company caught the hacker while he was formatting a backup server hosted in the Netherlands. Unfortunately, by that time, the hacker had already managed to erase all disks on every other VFEmail server. 

The hacker destroyed all virtual machines, even though the company pointed out that they did not share the same authentication.

“This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail said. 

The hacker appears to have been attacking out of Bulgaria.

Of course, the attacker could have been using a VPN to hide their real origin.

VFEmail staff recommends that users do not connect their own email clients because the entire content of their accounts was erased by the hacker.

Backups of the servers located in the Netherlands were not affected and were used to restore the service.

The incident could suggest a weak cybersecurity posture at the company, which was not able to prevent the intrusion and protect the backups.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

The post Hacker deleted all data from VFEmail Servers, including backups appeared first on Security Affairs.

Microsoft released Patch Tuesday updates for February 2019 that address 77 flaws, including an Internet Explorer issue that has been exploited in attacks.

Microsoft released Patch Tuesday updates for February 2019 that address 77 flaws: 20 critical vulnerabilities, 54 important and 3 moderate in severity. One of the issues fixed by the tech giant is a zero-day vulnerability in Internet Explorer discovered by Google that has been exploited in attacks.

This zero-day, tracked as CVE-2019-0676, is an information disclosure flaw tied to the way Internet Explorer handles objects in memory.

An attacker can exploit the flaw by tricking the victims into visiting a malicious website using a vulnerable version of Internet Explorer. The flaw could be exploited by attackers to test for the presence of files on the targeted device’s disk.

“An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.” reads the security advisory.

“An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website. The security update addresses the vulnerability by changing the way Internet Explorer handles objects in memory.”

The vulnerability affects Internet Explorer 11; it was reported by Clement Lecigne from Google’s Threat Analysis Group.

Microsoft’s Patch Tuesday updates for February 2019 also addressed several flaws whose details were publicly disclosed before a patch was made available.
The tech giant fixed flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, MS Office, and Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Dynamics, Team Foundation Server, and Visual Studio Code.

The list of patched issues includes two critical remote code execution vulnerabilities in SharePoint (CVE-2019-0594 and CVE-2019-0604) and a flaw in Windows DHCP Servers (CVE-2019-0626). The exploitation of these flaws could allow attackers to run arbitrary code and take control of the server.

Pierluigi Paganini

(SecurityAffairs – Kunbus, hacking)

The post Microsoft Patch Tuesday updates for February 2019 fixes IE Zero-Day appeared first on Security Affairs.

Cybaze-Yoroi ZLAB revealed an interesting hidden connection between the AZORult toolkit and a specific Gootkit payload.

Introduction

In the last days, a huge attack campaign hit several organizations across the Italian cyberspace. As stated in bulletin N020219, the attack waves tried to impersonate legitimate communication from a known express courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular Gootkit payload.

Technical analysis

Stage 1 – The Attached Javascript

Most of the infection attempts started with a particular email attachment: a compressed archive containing stealthy JavaScript code that, most of the time, is able to avoid antivirus detection during the initial stages of the attack campaigns.

Table 1:  Generic information about malicious js file

This JS file is an obfuscated dropper whose purpose is to download another component from a “safe” remote location:

Figure 1: Snippet from the JavaScript attachment

It contacts two distinct servers, googodsgld[.]com and driverconnectsearch[.]info. The behaviour of this sort of JavaScript stager is as simple as it is interesting: it downloads other executable code that can do virtually anything the attacker wants. This kind of pattern and the simplicity of the code itself remotely resemble the Brushaloader threat, a known dropper/stager written in VBScript that contacts its remote infrastructure in a similar manner. We can hypothesize that the malware writers may have emulated the Brushaloader stager functionalities, creating a sort of custom version exploiting the same mechanism.

Figure 2: Classic Brushaloader sample (left) along with the recent Javascript stager (right)
Figure 3: Encrypted communication with driverconnectsearch[.]info server

After the first contact attempt to googodsgld[.]com, the script communicates with the other destination and retrieves a Cabinet Archive encoded within the chunk of executable javascript code returned by driverconnectsearch[.]info. Then it stores it in “%APPDATA%LocalTemp”.  

As shown in Figure 3,  the first characters of the encoded payload string are “TVNDRg” which translates to “MSCF”: standard header of the Microsoft Cabinet compressed file format.

Figure 4: JavaScript downloaded from driverconnectsearch[.]info server.
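The “TVNDRg” observation can be turned into a triage check on captured script content. This is an added example, not code from the Yoroi analysis: it finds long base64 runs in text, decodes them, and validates the fixed Cabinet header (CFHEADER) so that a declared archive size can be compared with what was actually captured. The sample script text and header values are constructed.

```python
import base64
import binascii
import re
import struct

# Runs of base64 alphabet long enough to hold the 36-byte cabinet header.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")
# Fixed part of CFHEADER in the Microsoft Cabinet format (little-endian):
# signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")


def decode_run(run):
    """Decode a base64 run, tolerating missing padding; None if it is not valid."""
    run = run.rstrip("=")
    try:
        return base64.b64decode(run + "=" * (-len(run) % 4))
    except (binascii.Error, ValueError):
        return None


def carve_cabinets(text):
    """Return one record per base64 run in `text` that decodes to a cabinet header."""
    hits = []
    for m in B64_RUN.finditer(text):
        blob = decode_run(m.group(0))
        if blob is None or len(blob) < CFHEADER.size or not blob.startswith(b"MSCF"):
            continue
        (_sig, res1, cb_cabinet, res2, _coff_files, res3, ver_minor, ver_major,
         folders, files, _flags, _set_id, _icab) = CFHEADER.unpack_from(blob)
        if res1 or res2 or res3:  # reserved fields are zero in a real header
            continue
        hits.append({
            "offset": m.start(),              # where the run starts in the text
            "version": f"{ver_major}.{ver_minor}",
            "folders": folders,
            "files": files,
            "declared_size": cb_cabinet,      # size the header claims
            "decoded_size": len(blob),        # size actually present in the run
            "complete": len(blob) >= cb_cabinet,
        })
    return hits


def constructed_sample():
    """Constructed script text: a header declaring 96 bytes, of which 64 are present."""
    header = CFHEADER.pack(b"MSCF", 0, 96, 0, 44, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    captured = header + b"\x00" * 28
    encoded = base64.b64encode(captured).decode("ascii")
    text = 'var cfg = "QUJDREVGR0g=";\nvar blob = "' + encoded + '";\n'
    return text, encoded


if __name__ == "__main__":
    text, _ = constructed_sample()
    for hit in carve_cabinets(text):
        print(hit)
```

A record with `complete` set to false means the capture holds only part of the archive the header describes.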

Stage 2 – The Cabinet

Actually, this .CAB archive is just a shell for a PE32 executable file: 

Table 2:  Generic information about RuntimeBroker5.exe (AZORult)

When executed, the RuntimeBroker5.exe sample seems to behave as another dropper: it downloads two other components from the remote server “hairpd[.]com”.

Figure 5: RuntimeBroker5.exe process execution

The sample does not only perform this download. Here is one of the key points of the article: it also establishes a communication channel with the AZORult C2 host “ssl[.]admin[.]itybuy[.]it”.

The network packet exchanged with the server confirms this identification due to the known communication patterns and the dynamic analysis also shows info-stealing behaviours compatible with the identified threat. 

As shown in the following figure, the written files in “%APPDATA%LocalTemp” path closely match AZORult analysis described by Unit42 research group.

Figure 6: Evidence of the similarity of RuntimeBroker5.exe and AZORult malware variant analyzed by UNIT42
Figure 7: C2 Communication comparison

During the dynamic analysis, the RuntimeBroker5.exe sample received a sort of configuration file from the C2 server. We extracted it from the running malware image and decoded it:

  1. firefox.exe
  2. SOFTWAREWow6432NodeMozillaMozilla Firefox
  3. SOFTWAREMozillaMozilla Firefox
  4. SOFTWAREClientsStartMenuInternetFIREFOX.EXEshellopencommand
  5. SOFTWAREMicrosoftWindowsCurrentVersionApp Pathsfirefox.exe
  6. %appdata%MozillaFirefoxProfiles
  7. MozillaFireFox
  8. CurrentVersion
  9. Install_Directory
  10. nss3.dll
  11. thunderbird.exe
  12. SOFTWAREWow6432NodeMozillaMozilla Thunderbird
  13. SOFTWAREMozillaMozilla Thunderbird
  14. SOFTWAREClassesThunderbirdEMLDefaultIcon
  15. %appdata%ThunderbirdProfiles
  16. ThunderBird
  17. SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
  18. SELECT fieldname, value FROM moz_formhistory
  19. NSS_Init
  20. PK11_GetInternalKeySlot
  21. PK11_Authenticate
  22. PK11SDR_Decrypt
  23. NSS_Shutdown
  24. PK11_FreeSlot
  25. logins.json
  26. logins
  27. hostname
  28. timesUsed
  29. encryptedUsername
  30. encryptedPassword
  31. cookies.sqlite
  32. formhistory.sqlite
  33. %LOCALAPPDATA%GoogleChromeUser Data
  34. %LOCALAPPDATA%GoogleChrome SxSUser Data
  35. %LOCALAPPDATA%XpomUser Data
  36. %LOCALAPPDATA%YandexYandexBrowserUser Data
  37. %LOCALAPPDATA%ComodoDragonUser Data
  38. %LOCALAPPDATA%AmigoUser Data
  39. %LOCALAPPDATA%OrbitumUser Data
  40. %LOCALAPPDATA%BromiumUser Data
  41. %LOCALAPPDATA%ChromiumUser Data
  42. %LOCALAPPDATA%NichromeUser Data
  43. %LOCALAPPDATA%RockMeltUser Data
  44. %LOCALAPPDATA%360BrowserBrowserUser Data
  45. %LOCALAPPDATA%VivaldiUser Data
  46. %APPDATA%Opera Software
  47. %LOCALAPPDATA%Go!User Data
  48. %LOCALAPPDATA%SputnikSputnikUser Data
  49. %LOCALAPPDATA%KometaUser Data
  50. %LOCALAPPDATA%uCozMediaUranUser Data
  51. %LOCALAPPDATA%QIP SurfUser Data
  52. %LOCALAPPDATA%Epic Privacy BrowserUser Data
  53. %APPDATA%brave
  54. %LOCALAPPDATA%CocCocBrowserUser Data
  55. %LOCALAPPDATA%CentBrowserUser Data
  56. %LOCALAPPDATA%7Star7StarUser Data
  57. %LOCALAPPDATA%Elements BrowserUser Data
  58. %LOCALAPPDATA%TorBroProfile
  59. %LOCALAPPDATA%SuhbaUser Data
  60. %LOCALAPPDATA%Safer TechnologiesSecure BrowserUser Data
  61. %LOCALAPPDATA%RafotechMustangUser Data
  62. %LOCALAPPDATA%SuperbirdUser Data
  63. %LOCALAPPDATA%ChedotUser Data
  64. %LOCALAPPDATA%TorchUser Data
  65. GoogleChrome
  66. GoogleChrome64
  67. InternetMailRu
  68. YandexBrowser
  69. ComodoDragon
  70. Amigo
  71. Orbitum
  72. Bromium
  73. Chromium
  74. Nichrome
  75. RockMelt
  76. 360Browser
  77. Vivaldi
  78. Opera
  79. GoBrowser
  80. Sputnik
  81. Kometa
  82. Uran
  83. QIPSurf
  84. Epic
  85. Brave
  86. CocCoc
  87. CentBrowser
  88. 7Star
  89. ElementsBrowser
  90. TorBro
  91. Suhba
  92. SaferBrowser
  93. Mustang
  94. Superbird
  95. Chedot
  96. Torch
  97. Login Data
  98. Web Data
  99. SELECT origin_url, username_value, password_value FROM logins
  100. SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
  101. SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
  102. SELECT name, value FROM autofill
  103. SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
  104. %APPDATA%MicrosoftWindowsCookies
  105. %APPDATA%MicrosoftWindowsCookiesLow
  106. %LOCALAPPDATA%MicrosoftWindowsINetCache
  107. %LOCALAPPDATA%PackagesMicrosoft.MicrosoftEdge_8wekyb3d8bbweACINetCookies
  108. %LOCALAPPDATA%PackagesMicrosoft.MicrosoftEdge_8wekyb3d8bbweAC#!001MicrosoftEdgeCookies
  109. %LOCALAPPDATA%PackagesMicrosoft.MicrosoftEdge_8wekyb3d8bbweAC#!002MicrosoftEdgeCookies
  110. %LOCALAPPDATA%PackagesMicrosoft.MicrosoftEdge_8wekyb3d8bbweACMicrosoftEdgeCookies
  111. InternetExplorer
  112. InternetExplorerLow
  113. InternetExplorerINetCache
  114. MicrosoftEdge_AC_INetCookies
  115. MicrosoftEdge_AC_001
  116. MicrosoftEdge_AC_002
  117. MicrosoftEdge_AC
  118. SoftwareMicrosoftInternet Explorer
  119. SoftwareMicrosoftInternet ExplorerIntelliFormsStorage2
  120. SoftwareMicrosoftWindows NTCurrentVersionWindows Messaging SubsystemProfilesOutlook
  121. SoftwareMicrosoftOffice15.0OutlookProfilesOutlook
  122. SoftwareMicrosoftOffice16.0OutlookProfilesOutlook
  123. POP3
  124. IMAP
  125. SMTP
  126. HTTP
  127. %appdata%WaterfoxProfiles
  128. Waterfox
  129. %appdata%ComodoIceDragonProfiles
  130. IceDragon
  131. %appdata%8pecxstudiosCyberfoxProfiles
  132. Cyberfox
  133. sqlite3_open
  134. sqlite3_close
  135. sqlite3_prepare_v2
  136. sqlite3_step
  137. sqlite3_column_text
  138. sqlite3_column_bytes
  139. sqlite3_finalize
  140. %APPDATA%filezillarecentservers.xml
  141. <RecentServers>
  142. </RecentServers>
  143. <Server>
  144. </Server>
  145. <Host>
  146. </Host>
  147. <Port>
  148. </Port>
  149. <User>
  150. </User>
  151. <Pass>
  152. </Pass>
  153. <Pass encoding=”base64″>
  154. FileZilla
  155. ole32.dll
  156. CLSIDFromString
  157. {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
  158. {3CCD5499-87A8-4B10-A215-608888DD3B55}
  159. vaultcli.dll
  160. VaultOpenVault
  161. VaultEnumerateItems
  162. VaultGetItem
  163. MicrosoftEdge
  164. BrowsersAutoComplete
  165. CookieList.txt
  166. SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
  167. %appdata%Moonchild ProductionsPale MoonProfiles
  168. PaleMoon
  169. %appdata%Electrumwallets
  170. Electrum
  171. %appdata%Electrum-LTCwallets
  172. Electrum-LTC
  173. %appdata%ElectrumGwallets
  174. ElectrumG
  175. %appdata%Electrum-btcpwallets
  176. Electrum-btcp
  177. %APPDATA%Ethereumkeystore
  178. Ethereum
  179. %APPDATA%Exodus
  180. Exodus
  181. Exodus Eden
  182. *.json,*.seco
  183. %APPDATA%JaxxLocal Storage
  184. JaxxLocal Storage
  185. %APPDATA%MultiBitHD
  186. MultiBitHD
  187. mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
  188. .wallet
  189. wallets.wallet
  190. wallet.dat
  191. walletswallet.dat
  192. electrum.dat
  193. walletselectrum.dat
  194. Softwaremonero-projectmonero-core
  195. wallet_path
  196. BitcoinBitcoin-Qt
  197. BitcoinGoldBitcoinGold-Qt
  198. BitCoreBitCore-Qt
  199. LitecoinLitecoin-Qt
  200. BitcoinABCBitcoinABC-Qt
  201. %APPDATA%Exodus Eden
  202. %Appdata%Psi+profiles
  203. %Appdata%Psiprofiles
  204. <roster-cache>
  205. </roster-cache>
  206. <jid type=”QString”>
  207. <password type=”QString”>
  208. </password>

Table 3: AZORult Configuration file

The multiple references to browser cookies and crypto wallets confirm that the “RuntimeBroker5.exe” sample, initially hidden in the cabinet archive, is an AZORult variant.

Stage 3 – The Payload

The other file downloaded from hairpd[.]com by the AZORult sample is another PE32 executable.

Figure 8: GET request to download the payload.

Table 4:  Generic information about sputik.exe (Gootkit)

The “sputik.exe” sample uses a set of evasion techniques to avoid process monitoring, such as invoking the “UuidCreateSequential” API to detect MAC addresses typical of virtual machines, but this technique can be easily bypassed by spoofing the MAC address of a real network card.

Figure 9: Evasion technique through the check “UuidCreateSequential” API call

Bypassing all the evasion techniques reveals the nature of the payload: a Gootkit malware implant.

Figure 10: Command line of the final sample

By instrumenting the execution of the implant, we were able to extract part of the JavaScript code of the malware. The Gootkit implant includes several modules written on top of NodeJS technology and embedded into the PE file, revealing part of the implant code.

Figure 11: Portion of Gootkit code snippet

In past years, the Gootkit source code has been leaked online and part of it is also available on the GitHub platform. This way we were able to investigate differences between the extracted snippets and the known, previously leaked, malware version.

Figure 12: Comparison between extracted Gootkit version and the leaked one

As a general consideration, we noticed a lot of similarities between the codes: they are perfectly compatible, but a few differences hold. For instance, private keys and certificates have been modified, showing that the malware author chose a stronger key.

Table 5:  Certificate comparison 
(New on the left, known/leaked on the right)

Conclusion

These attack waves targeting Italian organizations and users revealed interesting connections between two threats we are used to monitoring and detecting across both the InfoSec community and the CERT-Yoroi’s constituency, revealing a hidden link connecting this particular AZORult instance with the Gootkit implant.

Also, the analysis pointed to an evolution of the dropping techniques used in the initial stages of the attacks by cyber-criminals, showing how the usage of extremely flexible stagers written in high level languages, JavaScript in this case, is becoming more popular and needs to be carefully monitored.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published on the Yoroi Blog.

Pierluigi Paganini

(SecurityAffairs – AZORult, gootkit)

The post Gootkit: Unveiling the Hidden Link with AZORult appeared first on Security Affairs.

The 0patch experts released a micropatch to address a zero-day in Adobe Reader that allows malicious PDF documents to call home and send over the victim’s NTLM hash.

The 0patch experts released a micropatch to address a zero-day vulnerability in Adobe Reader which could be exploited by threat actors to craft malicious PDF documents that call home and send the victim’s NTLM hash to remote attackers in the form of an SMB request.

The vulnerability was reported by the security expert Alex Inführ, who also published technical details of the issue along with a proof-of-concept.

“Once again the XML Form Architecture (XFA) structure helped. XFA is a XML structure inside a PDF, which defines forms and more. This time it is not even necessary to use a feature of the XFA form but instead xml-stylesheet does the trick.” wrote the expert.

“Adobe Reader actually detects any http/https URLs specified in a xml-stylesheet element and asks for the user’s confirmation. This dialog can be simply bypassed by using UNC paths.” 

The expert explained that this new issue is similar to CVE-2018-4993 (aka “BadPDF“), which was fixed by Adobe in November. That flaw allowed a document to trigger a callback to an attacker-controlled SMB server and leak the user’s NTLMv2 hash.

Inführ tested the PoC on Adobe Acrobat Reader DC 19.010.20069 running on Windows OS.

Once users have applied the micropatch, the vulnerability is immediately addressed.

“This vulnerability, similar to CVE-2018-4993, the so-called Bad-PDF reported by CheckPoint in April last year, allows a remote attacker to steal user’s NTLM hash included in the SMB request. It also allows a document to “phone home”, i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.” reads the blog post published by 0patch.

“The malicious PDF included a certain element that triggered automatic loading of another PDF from a remote share.”

The patch released by the 0patch community displays a warning that informs users that the document is trying to access a remote share:

“This warning allowed the user to decide whether to allow the potentially malicious document to “phone home” or not.” reads the post.
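For mail or file gateways that cannot rely on the reader being patched, the same condition can be looked for in the document itself. This is an added example, not 0patch's or the researcher's code: it inflates PDF streams and reports `xml-stylesheet` processing instructions whose `href` is a UNC path or an http(s) URL. The sample consists of constructed, bare stream objects (not a working form) and `example.invalid` hosts.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
# Stream dictionary, then the raw bytes between "stream" and "endstream".
# /Length is ignored for brevity, so the end is located by keyword.
STREAM_RE = re.compile(rb"(.*?)\bstream\r?\n(.*)\r?\nendstream", re.S)
PI_RE = re.compile(rb"<\?xml-stylesheet\b(.*?)\?>", re.S)
HREF_RE = re.compile(rb"""href\s*=\s*(["'])(.*?)\1""", re.S)


def streams(data):
    """Yield (object number, decoded bytes) for plain and Flate-compressed streams."""
    for num, body in OBJ_RE.findall(data):
        m = STREAM_RE.match(body)
        if not m:
            continue
        dictionary, raw = m.groups()
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompressobj().decompress(raw)
            except zlib.error:
                continue  # damaged stream or a filter chain not handled here
        yield int(num), raw


def classify(href):
    """Return 'unc' for share paths, 'http' for http(s) URLs, otherwise 'other'."""
    target = href.strip()
    if target.startswith(("\\\\", "//")):
        return "unc"
    if re.match(r"(?i)https?://", target):
        return "http"
    return "other"


def find_remote_stylesheets(data):
    """Return (object number, kind, href) for stylesheet references that leave the host."""
    findings = []
    for num, payload in streams(data):
        for pi in PI_RE.finditer(payload):
            href = HREF_RE.search(pi.group(1))
            if not href:
                continue
            target = href.group(2).decode("utf-8", "replace")
            kind = classify(target)
            if kind != "other":
                findings.append((num, kind, target))
    return findings


def _stream_obj(num, payload, compress):
    """Build one constructed stream object for the sample."""
    body = zlib.compress(payload) if compress else payload
    filt = b" /Filter /FlateDecode" if compress else b""
    head = b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(body), filt)
    return head + body + b"\nendstream\nendobj\n"


def _xml(href):
    return (b'<?xml version="1.0"?>\n<?xml-stylesheet type="text/xsl" href="'
            + href + b'"?>\n<form/>')


# Constructed sample: object 1 is compressed and references a share, object 2 is
# uncompressed with an https URL, object 3 references a relative file name.
SAMPLE = b"%PDF-1.7\n" + b"".join([
    _stream_obj(1, _xml(rb"\\fileserver.example.invalid\share\form.xslt"), True),
    _stream_obj(2, _xml(b"https://styles.example.invalid/form.xsl"), False),
    _stream_obj(3, _xml(b"form.xsl"), True),
])

if __name__ == "__main__":
    for num, kind, target in find_remote_stylesheets(SAMPLE):
        print(f"object {num}: {kind} stylesheet -> {target}")
```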

0patch published a video PoC demo that shows how the micropatch works:

Pierluigi Paganini

(SecurityAffairs – micropatch, hacking)

The post Micropatch prevents malicious PDFs from Calling Home appeared first on Security Affairs.

620 million accounts stolen from 16 hacked websites (Dubsmash, Armor Games, 500px, Whitepages, ShareThis) available for sale on the dark web

The Register exclusively revealed that some 617 million online account details stolen from 16 hacked websites are available for sale on the dark web.

The advertisement for the sale of the huge trove of data was published on the popular Dream Market black marketplace; the data is available for less than $20,000 worth of Bitcoin.

Data was collected from data breaches of popular websites including:

  • Dubsmash (162 million);
  • MyFitnessPal (151 million);
  • MyHeritage (92 million);
  • ShareThis (41 million);
  • HauteLook (28 million);
  • Animoto (25 million);
  • EyeEm (22 million);
  • 8fit (20 million);
  • Whitepages (18 million);
  • Fotolog (16 million);
  • 500px (15 million);
  • Armor Games (11 million);
  • BookMate (8 million);
  • CoffeeMeetsBagel (6 million);
  • Artsy (1 million);
  • DataCamp (700,000).

While some of the above websites are known to have been hacked (e.g. MyHeritage, MyFitnessPal), for some of them it is the first time that the security community has been informed of their breaches.

Journalists at The Register have analyzed account records and confirmed they appear to be legit. Spokespersons for MyHeritage and 500px confirmed the authenticity of the data.

Most of the data included in the dump consists of account holder names, email addresses, and hashed passwords (in some cases passwords are hashed with the MD5 algorithm, which makes them easy for attackers to crack).

Journalists pointed out that, depending on the specific website, the archives contain other information, including location, personal details, and social media authentication tokens. The data doesn’t include financial information.

The information could be used by threat actors to target users of hacked websites and conduct several malicious activities.

“All of the databases are right now being touted separately by one hacker, who says he or she typically exploited security vulnerabilities within web apps to gain remote-code execution and then extract user account data.” states the post published by The Register. “The records were swiped mostly during 2018, we’re told, and went on sale this week.”

The journalists confirmed that they received the information that the Dubsmash data has been purchased by at least one individual.

The seller seems to be located outside of the US; in at least one case he attempted to blackmail the owner of a website, asking for money to avoid the sale of the data.

The seller told The Register that he has stolen roughly a billion accounts from servers since he started hacking in 2012.

“I don’t think I am deeply evil,” the seller told The Register. “I need the money. I need the leaks to be disclosed.”

“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

The post 620 million accounts stolen from 16 hacked websites available for sale on the dark web appeared first on Security Affairs.

Security experts found a serious flaw, tracked as CVE-2019-5736, affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability, tracked as CVE-2019-5736, affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

The vulnerability was discovered by the security researchers Adam Iwaniuk and Borys Popławski.

Vulnerabilities of this kind could have a significant impact on an IT environment: exploitation could allow an escape from containment, impacting the entire container host and ultimately compromising the hundreds to thousands of other containers running on it.

“The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs.” reads a blog post published by Red Hat.

“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies…and that’s exactly what this vulnerability represents,”

“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host.” Sarai wrote in a post to the OpenWall mailing list.

“The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:

  • Creating a new container using an attacker-controlled image.
  • Attaching (docker exec) into an existing container which the attacker had previous write access to.”

Sarai, who is one of the maintainers of runc, has pushed a git commit to address the vulnerability, but all the projects built on runc need to include the changes.

Docker released the v18.09.2 version to address the issue, but according to the experts, thousands of Docker daemons exposed online are still vulnerable, most of them in the US and China.

Default configurations of Red Hat Enterprise Linux and Red Hat OpenShift are protected; the Linux distros Debian and Ubuntu are working to address the issue. Both Google Cloud and AWS published security advisories recommending that customers update containers on affected services.

Pierluigi Paganini

(SecurityAffairs – runc, hacking)

The post Docker runc flaw opens the door to a ‘Doomsday scenario’ appeared first on Security Affairs.

Security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.

The rogue MetaMask app is a clipboard hijacker that monitors a device’s clipboard for Bitcoin and Ethereum addresses and replaces them with addresses of wallets under the control of the attacker. Using this trick, the attackers can transfer funds to their wallets.

“This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, we discovered a malicious clipper on Google Play, the official Android app store.” reads the post published by ESET.

The clipboard hijacker poses as a mobile version of the legitimate service MetaMask.io, which is designed to run Ethereum decentralized apps in a browser without having to run a full Ethereum node.

However, the legitimate service currently does not offer a mobile app.

Lukas Stefanko discovered that the app was able to steal cryptocurrency using two different attack methods.

The first attack scenario sees attackers using the app to attempt to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. Once the attackers obtain this data, it is sent to a Telegram account.

The second attack scenario sees attackers monitoring the clipboard for Ethereum and Bitcoin addresses and, when one is detected, replacing it with the attackers’ address.

In June 2017, security researchers from Qihoo 360 Total Security spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers. Most of the victims are located in Asia, mainly China.

In July 2017, a cryptocurrency clipboard hijacker was discovered by BleepingComputer while monitoring more than 2.3 million addresses.

In March 2018, security researchers at Palo Alto Networks spotted a strain of malware dubbed ComboJack that is capable of detecting when users copy a cryptocurrency address to the Windows clipboard. The malicious code then replaces the address in the clipboard with the author’s one.

Pierluigi Paganini

(SecurityAffairs – Clipboard Hikacker, MetaMask)

The post MetaMask app on Google Play was a Clipboard Hijacker appeared first on Security Affairs.

Users of QNAP NAS devices are reporting in QNAP forum discussions mysterious code that adds entries that prevent software updates.

Users of QNAP network-attached storage (NAS) devices have reported a mysterious string of malware attacks that disabled software updates by hijacking entries in the machines’ hosts file.

According to the users, the malicious code adds some 700 entries to the /etc/hosts file that redirects requests to IP address 0.0.0.0.

The user ianch99 in the QNAP NAS community forum reported that the antivirus ClamAV was failing to update due to 0.0.0.0 clamav.net host file entries.

“Since recent firmware updates, the ClamAV Antivirus fails to update due to 700+ clamav.net entries in /etc/hosts, all set to 0.0.0.0 e.g.” wrote the user ianch99.

“0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 db.ac.clamav.net
0.0.0.0 db.ac.ipv6.clamav.net
0.0.0.0 db.ac.big.clamav.net
<snip>

As they are all set to 0.0.0.0, the ClamAV update fails. If you remove these entries, the update runs fine but they return on after rebooting.”

Other users reported similar problems with the MalwareRemover, but it is still unclear if the events are linked.

QNAP provided a script that could help users restore normal operations by deleting the mysterious entries.

QNAP hasn’t confirmed that the incidents were caused by malware.
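Because the entries are reported to return after a reboot, a recurring audit of the hosts file is more useful than a one-off cleanup. The following is an added example, not QNAP's script: it flags hosts entries that point update-related names at an unspecified or loopback address. The watchlist suffixes are taken from the entries quoted above; the remaining sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Domain suffixes whose resolution matters for signature and software updates.
# Taken from the forum excerpt; extend with the update hosts of your own devices.
WATCHLIST = ("clamav.net", "nai.com")


def sinkholed_hosts(hosts_text, watchlist=WATCHLIST):
    """Return (line number, address, hostname, matched suffix) for blocked update hosts."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        # 0.0.0.0 / :: (unspecified) and 127.0.0.0/8 / ::1 (loopback) make the name unreachable.
        if not (addr.is_unspecified or addr.is_loopback):
            continue
        for name in fields[1:]:  # a line may carry several aliases
            name = name.lower().rstrip(".")
            for suffix in watchlist:
                if name == suffix or name.endswith("." + suffix):
                    hits.append((lineno, str(addr), name, suffix))
    return hits


def summarize(hits):
    """Count flagged entries per watched suffix."""
    return dict(Counter(hit[3] for hit in hits))


# Lines 4-11 are the entries quoted in the forum post; the rest are constructed.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost
192.0.2.10 nas.example.invalid
0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 db.ac.clamav.net
0.0.0.0 db.ac.ipv6.clamav.net
0.0.0.0 db.ac.big.clamav.net
0.0.0.0 notclamav.net   # look-alike: not under the watched suffix
# 0.0.0.0 mirror.clamav.net  (commented out, ignored)
"""

if __name__ == "__main__":
    found = sinkholed_hosts(SAMPLE_HOSTS)
    for lineno, addr, name, _ in found:
        print(f"/etc/hosts:{lineno}: {name} -> {addr}")
    print(summarize(found))
```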

“Exposing your NAS on the internet (allowing remote access) is always a high risk thing to do (at least without a properly deployed remote access VPN and/or 2FA on all existing user accounts)!” wrote the user P3R.

“The real problems that I see with Qnap are:

  • The marketing is pushing the private cloud message and tell users that the Qnap solution is a secure way to deploy it. Unfortunately the first part is very attractive to users that doesn’t understand the risks and the last part is a lie.
  • Qnap have many dangerous things enabled by default and/or without sufficient warnings about the risks.”

Pierluigi Paganini

(SecurityAffairs – NAS, hacking)

The post A mysterious code prevents QNAP NAS devices to be updated appeared first on Security Affairs.

Google has released a new extension for Chrome dubbed Password Checkup that will alert users if their username/password combinations were leaked online as part of a dump after a data breach.

Last week Google released Password Checkup, a Chrome extension that warns users about compromised logins every time they enter login credentials on a website.

Password Checkup will compare the username/password provided by the users against a database of four billion credentials belonging to various data breaches that were disclosed over the years. The tool will display a red alert box in case of a positive match and will suggest users change the password.

“If we detect that a username and password on a site you use is one of over 4 billion credentials that we know have been compromised, the extension will trigger an automatic warning and suggest that you change your password.” reads the blog post published by Google.

Google pointed out that Password Checkup needs to protect both the content of the queries and prevent credential leaks in the process. The Chrome extension addresses the requirements by using multiple rounds of hashing, k-anonymity, and private set intersection with blinding.

“At a high level, Password Checkup needs to query Google about the breach status of a username and password without revealing the information queried. At the same time, we need to ensure that no information about other unsafe usernames or passwords leaks in the process, and that brute force guessing is not an option. Password Checkup addresses all of these requirements by using multiple rounds of hashing, k-anonymity, and private set intersection with blinding.” reads a post published by Google.

Password Checkup was developed with the support of cryptography experts at Stanford University to prevent Google itself from learning users’ credentials and to prevent wider exposure of breaches.
Password Checkup isn’t the only service that allows users to check whether their credentials have been exposed in a data breach over the years; other free services are Have I Been Pwned, the Identity Leak Checker and Firefox Monitor.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Password Checkup Chrome extension warns users about compromised logins appeared first on Security Affairs.