M32 Security » Exploits

Critical Flaw In RDP Exposes ALL Versions of Windows To Remote Code Execution Risk

Kyle — Tue, 13 Mar 2012 21:54:58 +0000

Image via Wikipedia

An EXTREMELY critical flaw in Microsoft’s RDP protocol (Remote Desktop) has been discovered and disclosed by Microsoft today. This vulnerability is about as critical as they get; especially for corporate customers. In short, any attacker who sends specially crafted code to any computer running Microsoft Windows that hat has Remote Desktop enabled can essentially take control of it. Microsoft has already released an article about it here (MS12-020).

All users are advised to update their machines as soon as possible, as this nasty exploit has the potential to become very nasty, very fast.

Microsoft to patch Windows bug called ‘Holy Grail’ by one researcher (networkworld.com)
KB 2671387 (support.microsoft.com)
March 2012 Microsoft Black Tuesday, (Tue, Mar 13th) (isc.sans.edu)
Microsoft Issues Urgent Patch for ‘Wormable’ RDP Vulnerability (pcworld.com)

Tags: attack, attacker, black tuesday, code, code execution, exploit, isc, microsoft, network, RDP, rdp protocol, release, remote desktop, risk, SANS, tw, vulnerability, Windows, worm, Wormable

DreamHost Shell/FTP Account Database Compromised, ALL Passwords Reset

Kyle — Sun, 22 Jan 2012 23:37:02 +0000

Image via Wikipedia

According to DreamHost’s Status and Blog, staff noticed some unusual activity on one of their databases that held user login information for shell accounts. While the passwords were mostly encrypted, hackers “hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted,” according to DreamHost CEO Simon Anderson.

As a precaution, ALL shell/FTP account passwords were reset by DreamHost. While it will cause some inconvenience for users trying to access their sites over SSH/FTP, the implications are much more serious. A lot of CMS systems store their database username and passwords in plaintext on configuration files. If whoever gained access to DreamHost’s shell account database and managed to decrypt the information, then they would have unmitigated access to not only sites’ files, but they could potentially (and most likely) gain access to the back-end database driving those sites with all user data. This could be a very major breach of user data from one of the largest web hosts in the United States.

DreamHost is being unusually mum about the technical details about the hack and is angering customers over their negligence regarding out-dated server software. While most front-end software is kept up-to-date, their back-end software is grossly outdated and there appears to be no real effort nor care by DreamHost to keep OS and back-end software updated. What makes things worse is that DreamHost’s official stance on their security solution is to not disclose what technologies they use. Rather than taking a proactive and relatively transparent stance to their own security systems, the company has decided to take-up a reactive and a “security through obscurity” stance.

DreamHost Security Issue Prompts FTP Password Resets (sucuri.net)
Changing Shell/FTP Passwords due to Security Issue (dreamhoststatus.com)
Security Update (dreamhost.com)

Tags: blog, breach, cms, Compromised, isc, Password, Security, Server, ssh, tw, user data

German Researchers Find “Massive” Flaws In Cloud Security

Kyle — Wed, 26 Oct 2011 18:53:23 +0000

Image via Wikipedia

NetworkWorld has a very interesting writeup about a report that six German Information Security researchers published outlining very massive and highly exploitable flaws in Cloud Computing services; specifically Amazon’s EC2 and S3 as well as Eucalyptus Cloud Computing Software. Old concepts like XSS and what is referred to as XML Signature Wrapping attacks on the SOAP interfaces of the aforementioned cloud services. Very troubling and a large blow to the legitimacy of security in the cloud.

The full PDF of the German researchers’ findings can be found here.

NetworkWorld Article

Researchers Demo Cloud Security Issue With Amazon AWS Attack (pcworld.com)
Researchers demo cloud security issue with Amazon AWS hijacking attack (infoworld.com)
Cloud computing: Gaps in the ‘cloud’ (physorg.com)
Researchers demo cloud security issue with Amazon AWS attack (networkworld.com)

Tags: amazon, attack, aws, computing, ec2, EucalyptusEucalyptus (computing), exploit, information security, network, s3, Security, soap, tw, XML, XSS

Virus targets US Predator and Reaper drones

Kyle — Fri, 07 Oct 2011 21:29:53 +0000

A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other war zones. The name of the virus is yet to be known, as details are still emerging about how the malicious code got into the systems in the first place. Could this be a belligerent enemy to US forces attacking their main weapon in use for remote regions? Ars Technica has the story after the jump.

Computer virus hits US Predator and Reaper drone fleet.

Tags: attack, Breaches, code, computer virus, cybersecurity, drone, keystroke, malicious code, malware, MQ-9 ReaperMQ-9 Reaper, nist, predator, reaper drones, War on TerrorismWar on Terrorism

LulzSec Hacks Sony…Again…And Scores PSN Source Code

Kyle — Tue, 07 Jun 2011 00:56:38 +0000

LulzSec, also known as Lulz Security, which has become infamous for their past and more recent hacks including PBS and Sony, has hacked Sony HQ…again. This time they scored around 54 megabytes of the developer’s source code to the PlayStation Network. What does it mean? Hold on to your butts. The group published a press release detailing the hack while simultaneously releasing all stolen code to the public through various channels. The implications of this are enormous, as Sony’s PSN is now wide-open to any exploits found in the previously obfuscated code. Expect Sony’s problems to continue for a while.

The targeting of Sony stems from their legal assault on George Hotz, otherwise known as GeoHotz, who had found and published a way to circumvent protection mechanisms on the PlayStation 3. This was a big deal after the company removed the “Other OS” feature through a firmware update that allowed the installation of Linux on the console to use the powerful IBM Cell processor that powers the machine. The PS3 has been known to be used by organizations like the US Air Force in supercomputer clusters due to the Cell processor’s vastly superior floating-point performance which is highly desired for processing large amounts of data for modeling.

Stay tuned…

Tags: ACHIEVEMENT, Cell, floating point, geohotz, George Hotz, IBM, ibm cell processor, legal assault, lulz, LulzSec, OtherOS, pbs, playstation 3, point performance, ps3, psn, release, sony hq, Source, supercomputer

phpMyAdmin Exploit Used To Launch New SSH Brute-Force Attack

Kyle — Fri, 13 Aug 2010 01:55:13 +0000

An older vulnerability in phpMyAdmin (CVE-2009-1151) is now being exploited by a botnet known as dd_ssh. Details are still emerging, but it appears that this new bot originated from 91.193.157.206 according to SANS. If the exploit of CVE-2009-1151 is successful on vulnerable phpMyAdmin installs, the files vmsplice.txt, dd.txt, and, in some instances, vm.c are downloaded from the aforementioned IP. The last of those files mentioned contains the vmsplice local root exploit (CVE2008-0600). After being compromised, the infected installations start making connections to multiple addresses on ports 54509 and 54510; most likely for command & control. SANS ISC is actively monitoring this apparent new botnet and has noticed a notable up-tick in machines scanning SSH lately.

More Info Over at SANS ISC and thanks goes to Briareos over at BroadBand Reports for the quick fact-finding and possible discovery.

June Security Advisory posted by F5 on identifying any suspicious activity and mitigating the exploit

Tags: dd.txt, dd_ssh vmsplice.txt, phpmyadmin, ssh, vm.c, vmsplice, vulnerability

Zeus v3 Trojan Silently Siphoning Money From UK Bank Accounts

Kyle — Thu, 12 Aug 2010 03:19:40 +0000

Security research firm M86 Security (no relation) has posted a whitepaper outlining how cyber-criminals started utilizing the Zeus v3 trojan in conjunction with the Eleonore, Phoenix, and Siberia Exploit Kits to siphon £675,000 (~$1.05 million USD) so far from UK victims’ systems that have been compromised. The attack started on July 5th and has continued silently ever since. The main reason why the theft hasn’t been successfully mitigated thus far is because of the Zeus trojan’s extreme difficulty to detect by antivirus solutions. The Zeus trojan, also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber is sold as a kit to people willing to pay a price for the latest code known as Zeus v3. It primarily infects a machine through exploiting un-patched versions of Internet Explorer to gain control.

The Zeus trojan has been known to steal user data in the past, but has never been used in such a direct manner. In the US, there are believed to be 3.6 million infected machines by the malware alone, which makes it arguably one of the world’s most dangerous trojans/botnets in terms of potential damage. The Daily Mail has a good article outlining the exact details.

M86 Security Whitepaper (PDF)

Tags: botnet, Eleonore, Gorhax, kit, M86 Security, malware, Phoenix, siberia, trojan, UK, ZBot, Zeus v3, £675000

Conficker: The Proactive Worm Ahead Of The Curve

Kyle — Sun, 08 Aug 2010 19:26:15 +0000

An interesting article over at The Register shows how the now infamous ~6 million strong Conficker botnet/worm stays ahead of the curve in terms of Information Security by staying proactive and paranoid in how it is managed. Although the classification of the worm only goes from A through E, the botnet itself is ever-evolving; creating a nightmare for researchers world-wide in detection and cleansing of infected machines. It is unknown who runs the botnet, but it is known that the technical skill behind its command is very much on the bleeding-edge of security as well as social engineering. For instance, the worm uses simple exploits to infect Windows machines, but it phones home to domain names which can no longer be predicted and shut-down to receive new instructions and updates to the code that infects the machine. It has used scareware in the past to spread as well, such as bogus security software. It has even gone so far as to actually remove or fix other security threats on an infected machine to avoid detection. It constantly stays up-to-date and often mitigates even the newest anti-malware tools designed to remove it.

What makes it so hard to remove is its inability to be cracked. It has used the MD6 cryptographic hash function that was a candidate for the NIST SHA-3 Hash Competition with a 4096-bit RSA key. Even when a buffer-overflow vulnerability was discovered in MD6, the botnet’s owner corrected the implementation within a matter of days. There is an entire working group called The Conficker Working Group tasked entirely to the botnet, which has yet to break-in and take any sort of control away from whoever runs it.

In-depth article at The Register

Tags: botnet, buffer overflow, Conficker, Conficker Working Group, Downadup, Downup, Kido, MD6, nist, RSA, scareware, SHA-3, worm

Microsoft LNK vulnerability exploit spreading quickly

Kyle — Thu, 29 Jul 2010 05:14:41 +0000

At last writing, the Microsoft LNK vulnerability that was originally used to target SCADA systems by the Stuxnet worm in Iran, India, and Indonesia was slowly gaining speed and the exploit had a proof-of-concept in the open. Now it is accelerating. It is now being picked up by old virus/worm/malware families and incorporated into their arsenals to take new victims; some using social engineering, some using their own unique tactics. While the exploit method itself hasn’t changed, the exploiters using it are vigorously churning out new versions of their software. I think it’s safe to say Madagascar will be closing its ports soon. (Warning: addictive)

New detected malwares are Chymine, Vobfus, Sality, Zeus, and most recently, Downloader-CJX

Technet article on Vobfus

The Register on LNK exploit activity

F-Secure blog entry

Tags: Chymine, LNK, LNK-O, malware, microsoft lnk, SALITY, SCADA, Stuxnet, TrojanDownloader, Vobfus, ZBot

LNK Zero-Day Exploit: Siemens WinCC SCADA systems targeted

Kyle — Mon, 26 Jul 2010 05:20:59 +0000

It turns out that the original targets for the highly-dangerous Windows Shell LNK Zero-Day Exploit were Siemens WinCC SCADA systems with hard-coded credentials used in large infrastructure systems like factories and power grids. Once the attacker had successfully executed the LNK exploit, they accessed the Siemens WinCC program and extracted sensitive data from the database the software uses. It is highly suspected that the exploit was explicitly used for espionage toward Iran and Indonesia at the very least, but by whom or what exact purpose is not clear. What is clear is that the Siemens WinCC software was targeted. The Siemens WinCC software has what is considered one of the top vulnerabilities in software according to CWE/SANS, which is the use of fixed-credentials. This type of vulnerability has been publicly disclosed for over two years and the password to this specific software (2WSXcder) has been publicly known since at least 2008. Siemens was made aware of the issue on July 14 and shortly started to asses the problem and notify customers.

In the meantime, a security researcher known as Ivanlef0u has posted a proof-of-concept of the exploit (site is in French), while Win32/TrojanDownloader.Chymine.A and Win32/Autorun.VB.RP are in the wild already actively actively using this exploit according to ESET. Expect to see this exploit to be a bit prolific due to its new and unique nature combined with the relative ineffectiveness of detection/removal systems thus far.

Wired Article on password’s public exposure

ESET Blog on new Zero-day exploit in the wild

Tags: 2WSXcder, Chymine, Ivanlef, july 14, LNK, SCADA, Siemens, siemens wincc, WinCC, zero day

M32 Security » Exploits

Critical Flaw In RDP Exposes ALL Versions of Windows To Remote Code Execution Risk

Related articles

DreamHost Shell/FTP Account Database Compromised, ALL Passwords Reset

Related articles

German Researchers Find “Massive” Flaws In Cloud Security

Related articles

Virus targets US Predator and Reaper drones

LulzSec Hacks Sony…Again…And Scores PSN Source Code

phpMyAdmin Exploit Used To Launch New SSH Brute-Force Attack

Zeus v3 Trojan Silently Siphoning Money From UK Bank Accounts

Conficker: The Proactive Worm Ahead Of The Curve

Microsoft LNK vulnerability exploit spreading quickly

LNK Zero-Day Exploit: Siemens WinCC SCADA systems targeted