Hackers exploit an undocumented Word feature for user fingerprinting

Kaspersky researchers discovered a new attack technique leveraging an undocumented Word feature to gather information on users. Kaspersky researchers discovered a new attack technique leveraging Microsoft Word documents to gather information on users. The technique is innovative because it doesn’t use active content such as macros or exploits, it exploits an undocumented Word feature to fingerprint users. […]

The post Hackers exploit an undocumented Word feature for user fingerprinting appeared first on Security Affairs.

Kaspersky researchers discovered a new attack technique leveraging an undocumented Word feature to gather information on users.

Kaspersky researchers discovered a new attack technique leveraging Microsoft Word documents to gather information on users. The technique is innovative because it doesn’t use active content such as macros or exploits, it exploits an undocumented Word feature to fingerprint users.

The attackers sent phishing emails using Word documents in OLE2 format and contained links to PHP scripts hosted on third-party web resources. Once the user opened the files in Microsoft Office, the application accesses one of the links, resulting in the attackers receiving information about the software installed on the target machine.

“They were in OLE2 format and contained no macros, exploits or any other active content. However, a close inspection revealed that they contained several links to PHP scripts located on third-party web resources.” reads the analysis published by Kaspersky Lab. “When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links. As a result, the attackers received information about the software installed on the computer.”

One of the documents analyzed by the researchers contained tips on how to use Google search more effectively, it doesn’t contain active content, no VBA macros, embedded Flash objects or PE files. Once opened Word sends a GET request to an internal link.

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” continues the analysis.

The researchers discovered that the document used an undocumented Word feature, they noticed the presence of an INCLUDEPICTURE field that indicates that an image is attached to certain characters in the text.

The experts highlighted that there is no description for Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field.

The attackers used the INCLUDEPICTURE field to include a suspicious link there, although not the URL addressed by Word.

The text in Word documents is stored in the WordDocument stream in a ‘raw state that doesn’t contain formatting except for so-called fields. The fields are used to instruct Word that a certain segment of the text must be presented in a specific way. The field INCLUDEPICTURE indicates that an image is attached to certain characters in the text.

The experts identified the following characters inside the document:

Begin = 0x13
Sep = 0x14
End = 0x15
Field = <Begin> *<Field> [Sep] *<Field> <End>

undocumented word feature

A byte between the separator (SEP) and the end (END) tells words that an image should be inserted at that point. The experts first located the byte sequence with the picture placeholder, then they discovered at which offset the image should be located in the Data stream.

“So, we go to offset 0 in the Data stream and see that the so-called SHAPEFILE form is located there:undocumented Word feature fingerprint

Forms are described in a different Microsoft document: [MS-ODRAW]: Office Drawing Binary File Format. This form has a name and, in this case, it is another suspicious link:” continues the analysis.

Experts noticed that a combination of flags was used to indicate that additional data should be attached to the form. According to Kaspersky, this data constitutes a URL that leads to the actual content of the form.

“This indicates that additional data should be attached to the form (it is highlighted in yellow in the screenshot), and that this data constitutes a URL that leads to the actual content of the form. Also, there is a ‘do not save’ flag, which prevents this content from being saved to the actual document when it is opened.” continues the analysis.

The attackers devised this complex technique to fingerprint users opening the Word documents.

“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky says.

According to Kaspersky, the Office feature exists in Word and Windows, Microsoft Office for iOS, and Microsoft Office for Android. LibreOffice and OpenOffice do not implement this feature

Pierluigi Paganini

(Security Affairs – undocumented Word, hacking)

The post Hackers exploit an undocumented Word feature for user fingerprinting appeared first on Security Affairs.

Source

Advertisements

CCleaner supply chain compromised to distribute malware

CCleaner app version 5.33 that was available for download between August 15 and September 12 was modified to include the Floxif malware Bad news for the users of the CCleaner app, according to researchers with Cisco Talos, version 5.33 that was available for download between August 15 and September 12 was modified to include the Floxif […]

The post CCleaner supply chain compromised to distribute malware appeared first on Security Affairs.

CCleaner app version 5.33 that was available for download between August 15 and September 12 was modified to include the Floxif malware

Bad news for the users of the CCleaner app, according to researchers with Cisco Talos, version 5.33 that was available for download between August 15 and September 12 was modified to include the Floxif malware.

The Floxif malware downloader is used to gathers information (computer name, a list of installed applications, a list of running processes, MAC addresses for the first three network interfaces) about infected systems and to download and run other malicious binaries.

The variant of Floxif malware spread by the crooks only works on 32-bit systems and victims must use an administrator account.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.” reads the analysis published by Cisco Talos. “CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly” states the analysis published by Cisco Talos.

Cisco Talos experts spotted the trojanized CCleaner app last week while performing beta testing of a new exploit detection solution, they noticed that a version of CCleaner 5.33 was connecting to suspicious domains.  later discovered that the CCleaner installer was downloaded from the official website and was signed using a valid digital certificate.

Further investigation allowed Talos to discover that the tainted CCleaner version was deployed on the official website and was signed using a valid digital certificate.

Researchers speculate attackers have compromised the Avast’s supply chain to spread the Floxif trojan.

It is possible that attackers compromised the company system, but experts haven’t excluded that the incident was an insider’s job.

“Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.” continues Talos.

Let’s remind that Avast owns Piriform that developed the CCleaner solution, the Antivirus solution firm bought it in July, a month before the tainted CCleaner 5.33 version was released.

On September 13, Piriform released a new version of the CCleaner (5.34) and CCleaner Cloud version 1.07.3191 that do not contain the malware.

“Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue.” reads a blog post published by Piriform.

The Floxif trojan leverage the DGA algorithm to randomly generated domains names used as command and control (C&C) servers. The DNS data revealed that DNS requests for the domain names used in August and September show thousands of users were infected.

CCleaner DNS requests August-September

 

Once informed of the incident Avast took down the C&C servers and observed a spike in the number of infected hosts making DNS queries for a backup domain.

It is important to highlight that updating to CCleaner version 5.34 does not solve the situation because the malware will be still present on infected hosts.

Pierluigi Paganini

(Security Affairs – CCleaner version 5.33, malware)

The post CCleaner supply chain compromised to distribute malware appeared first on Security Affairs.

Source

Malware attacks leverage the Hangul Word Processor and PostScript to spread malware

Experts at Trend Micro reported malware attacks that leveraged the Hangul Word Processor (HWP) word processing application to target users. It has happened again, attackers leveraged the Hangul Word Processor (HWP) word processing application to target users in South Korea. The application is very popular in South Korea and was exploited in several hacking campaigns against entities in the country. In the […]

The post Malware attacks leverage the Hangul Word Processor and PostScript to spread malware appeared first on Security Affairs.

Experts at Trend Micro reported malware attacks that leveraged the Hangul Word Processor (HWP) word processing application to target users.

It has happened again, attackers leveraged the Hangul Word Processor (HWP) word processing application to target users in South Korea.

The application is very popular in South Korea and was exploited in several hacking campaigns against entities in the country.

In the recent attacks, hackers use the Hangul Word Processor in association with PostScript. The attackers use emails containing malicious attachments to deliver the malware.

“A branch of PostScript called Encapsulated PostScript exists, which adds restrictions to the code that may be run. This is supposed to make opening these documents safer, but unfortunately older HWP versions implement these restrictions improperly. We have started seeing malicious attachments that contain malicious PostScript, which is in turn being used to drop shortcuts (or actual malicious files) onto the affected system.” states the analysis published by Trend Micro.

Although the Encapsulated PostScript adds restrictions to secure the system while opening a document, the older HWP versions implement these restrictions improperly. The attackers have started using attachments containing malicious PostScript to drop shortcuts or malicious files onto the affected system.

Experts noticed that some of the subject lines and document names used by attackers include “Bitcoin” and “Financial Security Standardization”.

Hangul Word Processor

Researchers highlighted that attackers don’t use an actual exploit, but abuse a feature of PostScript to manipulate files.

PostScript doesn’t have the ability to execute shell commands, but attackers obtain a similar behavior by dropping files into various startup folders, then these files are executed when the user reboots the machine.

“Some of the ways we’ve seen this seen of this include:

  1. Drops a shortcut in the startup folder, which executes MSHTA.exe to execute a Javascript file.
  2. Drops a shortcut in startup folder and a DLL file in %Temp% directory. The shortcut calls rundll32.exe to execute the said DLL file.
  3. Drops an executable file in the startup folder.

” reads the analysis.

One of the attacks observed by the researchers at Trend Micro would overwrite the file gswin32c.exe, which is the PostScript interpreter used by the Hangul Word Processor application. The file is replaced with a legitimate version of Calc.exe, in this way the attackers prevent the execution of other embedded PostScript content.

Newer versions of the Hangul Word Processor implement EPS properly, for this reason, users must upgrade the application to stay protected.

“Newer versions of the Hangul Word Processor implement EPS correctly, with the 2014 versions and later not being susceptible to this problem. We suggest upgrading to these newer, safer versions.” Trend Micro says.

Pierluigi Paganini

(Security Affairs – Malware, HWP)

The post Malware attacks leverage the Hangul Word Processor and PostScript to spread malware appeared first on Security Affairs.

Source

BlueBorne: Critical Bluetooth Attack Puts Billions of Devices at Risk of Hacking

If you are using a Bluetooth enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can carry out remotely to take over your device even without requiring any interaction from your side.
Security researchers have just discovered total 8 zero-day vulnerabilities in Bluetooth protocol that impact more than 5.3 Billion devices—from

Source

Bashware Flaw threatens 400M PCs Globally

A newly discovered vulnerability can enable any malware to bypass all security solutions on Windows 10 machines.

Bashware Flaw threatens 400M PCs Globally

A newly discovered vulnerability can enable any malware to bypass all security solutions on Windows 10 machines. This means it can affect any of the 400 million computers running Windows 10 PC globally.

Check Point uncovered the technique, called Bashware. It leverages a new Windows 10 feature called Subsystem for Linux (WSL), which recently went out of beta stage and is now a fully supported Windows feature. This feature makes the popular ‘bash’ terminal available for Windows OS users, which allows users to natively run Linux operating system executables on the Windows operating system.

However, existing security solutions (including anti-virus, inspection tools and anti-ransomware, among others) are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time.  

This may open a door for cybercriminals wishing to run their malicious code undetected, and allow them to use the features provided by Windows Subsystem for Linux to hide from security products that have not yet integrated the proper detection mechanisms.

Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products,” researchers said, in an analysis. “We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all.”

Bashware does not leverage any logic or implementation flaws in WSL’s design, they added. In fact, WSL seems to be well designed.

“What allows Bashware to operate the way it does is the lack of awareness by various security vendors, due to the fact that this technology is relatively new and expands the known borders of the Windows operating system,” the researchers said. “However, we believe that it is both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware.”

Check Point noted that Microsoft has already taken steps that should assist the security vendors to deal with the new security considerations presented by WSL, including a Pico APIs that can be used by AV companies in order to monitor these types of processes. Now, it’s up to the vendors to incorporate them.

“With a growing number of cyber-attacks and the frequent news headlines on database breaches, spyware and ransomware, quality security products have become a commodity in every business organization,” Check Point concluded. “Consequently a lot of thought is being invested in devising an appropriate information security strategy to combat these breaches and providing the best solutions possible.”

Source

Toast Overlay attacks, a Cloak and Dagger with No Permissions, fixed by Google

Google just fixed a high-severity Android vulnerability, tracked as CVE-2017-0752, that ties with the Toast Overlay attacks. Security researchers with Palo Alto Networks Unit 42, warned of a high-severity Android vulnerability, tracked as CVE-2017-0752, that ties with the “toast attack” overlay vulnerability. The experts reported that it is possible to abuse Android’s toast notification, a feature […]

The post Toast Overlay attacks, a Cloak and Dagger with No Permissions, fixed by Google appeared first on Security Affairs.

Google just fixed a high-severity Android vulnerability, tracked as CVE-2017-0752, that ties with the Toast Overlay attacks.

Security researchers with Palo Alto Networks Unit 42, warned of a high-severity Android vulnerability, tracked as CVE-2017-0752, that ties with the “toast attack” overlay vulnerability.

The experts reported that it is possible to abuse Android’s toast notification, a feature that is used to provide feedback about an operation in a small short-lived pop up notification, to obtain admin rights on targeted phones and take over the device.

The vulnerability affects all versions of the Android operating system prior to the latest Android 8.0, (Oreo), nearly all Android users.

“What our researchers have found is a vulnerability that can be used to more easily enable an “overlay attack,” a type of attack that is already known on the Android platform. This type of attack is most likely to be used to get malicious software on the user’s Android device.” reads the analysis published by Palo Alto Networks. “This type of attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a “brick”) or to install any kind of malware including (but not limited to) ransomware or information stealers. In simplest terms, this vulnerability could be used to take control of devices, lock devices and steal information after it is attacked.”

The toast attack is exploitable for “overlay” attacks on Android phones, attackers use them to create a UI overlay to be displayed on top of legitimate Android applications and trick victims into providing sensitive information or clicking confirmation buttons.

Toast Overlay attacks

 

The overlay attack can also be exploited to trigger a denial-of-service condition by creating a toast window that overlays an entire screen of the mobile device.

A toast-type overlay is similar to the Cloak and Dagger attack method that was discovered earlier this year.

“Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks only require two permissions that, in case the app is installed from the Play Store, the user does not need to explicitly grant and for which she is not even notified. Our user study indicates that these attacks are practical. These attacks affect all recent versions of Android (including the latest version, Android 7.1.2), and they are yet to be fixed.” states the researchers.

Cloak and Dagger attacks abuse the following basic Android permissions:

  • SYSTEM_ALERT_WINDOW (“draw on top”) – is a legitimate overlay feature that allows apps to overlap on a device’s screen and top of other apps.
  • BIND_ACCESSIBILITY_SERVICE (“a11y”) – is a permission designed to help disabled users, allowing them to enter inputs using voice commands, or listen content using screen reader feature.

The Toast overlay attacks are quite similar but do not require specific Android permissions to be granted by users.

“Overlay attacks permit an attacker to draw on top of other windows and apps running on the affected device. To launch such an attack, malware normally needs to request the “draw on top” permission” reads the analysis from PaloAlto Networks.

“This newly discovered overlay attack does not require any specific permissions or conditions to be effective. Malware launching this attack does not need to possess the overlay permission or to be installed from Google Play. With this new overlay attack, malware can entice users to enable the Android Accessibility Service and grant the Device Administrator privilege or perform other dangerous actions,”

The Google’s September Android Security Bulletin already addresses the CVE-2017-0752 flaw.

Pierluigi Paganini

(Security Affairs – Toast Overlay attacks, CVE-2017-0752)

The post Toast Overlay attacks, a Cloak and Dagger with No Permissions, fixed by Google appeared first on Security Affairs.

Source

DolphinAttack – Hackers control Siri, Google Now, Alexa voice assistants with ultrasound

The DolphinAttack technique allows hackers to control Siri, Google Now, Alexa and other voice assistants with commands in ultrasonic frequencies. A team of researchers from the Chinese Zhejiang University has demonstrated how to control several popular speech recognition systems using ultrasound. The attack technique was dubbed ‘DolphinAttack’, it was successfully tested against Amazon Alexa, Apple Siri, Google Now, […]

The post DolphinAttack – Hackers control Siri, Google Now, Alexa voice assistants with ultrasound appeared first on Security Affairs.

The DolphinAttack technique allows hackers to control Siri, Google Now, Alexa and other voice assistants with commands in ultrasonic frequencies.

A team of researchers from the Chinese Zhejiang University has demonstrated how to control several popular speech recognition systems using ultrasound.

The attack technique was dubbed ‘DolphinAttack’, it was successfully tested against Amazon Alexa, Apple Siri, Google Now, Huawei HiVoice, Microsoft Cortana, Samsung S Voice,  and also the speech recognition system installed an Audi Q3 models.

DolphinAttack

The researchers were able to modulate various voice commands on ultrasonic carriers making them inaudible to humans. The experts demonstrated than modulating voice commands at a frequency of 20,000 Hz or higher, they were able to activate the systems.

The researchers were able to able to provide the systems with common activation commands (“Hey Siri,” “OK Google,” “Hi Galaxy” and “Alexa,”)and several recognition commands including “Call 1234567890,” “Open dolphinattack.com,” “turn on airplane mode” and “open the back door.”

The team tested the DolphinAttack method against 7 different speech recognition systems running on 16 devices.

The DolphinAttack method was the most effective against Siri on an iPhone 4s and Alexa on Amazon’s Echo personal assistant device, the researchers discovered it was possible to provide voice commands over a distance of nearly 2 meters (6.5 feet).

Test results were independent of the language used, but the type of command provided to the system did it.

“The length and content of a voice command can influence the success rate and the maximum distance of attacks. We are rigorous in the experiments by demanding every
single word within a command to be correctly recognized, though this may be unnecessary for some commands. For instance, “Call/FaceTime 1234567890” and “Open dolphinattack.com” is harder to be recognized than “Turn on airplane mode” or “How’s the weather today?”.” states the research paper.

Other factors impacted the test results, such as the background noise, the researchers observed that the recognition rates for the command “turn on airplane mode” decreased to 30% when used on the street compared to 100% in an office and 80% in a cafe.

The researchers also proposed a series of hardware- and software-based defenses against the DolphinAttack method.

The researchers suggest manufacturers address this issue simply by programming their devices to ignore commands at 20 kHz or higher frequencies.

“A microphone shall be enhanced and designed to suppress any acoustic signals whose frequencies are in the ultrasound range. For instance, the microphone of iPhone 6 Plus can resist to inaudible voice commands well,” concluded the researchers .

From the user’s perspective, a solution to protect them from DolphinAttack is turning off voice assistant apps by going into settings.

Pierluigi Paganini

(Security Affairs – ShadowBrokers, hacking)

The post DolphinAttack – Hackers control Siri, Google Now, Alexa voice assistants with ultrasound appeared first on Security Affairs.

Source

Crypto-busters reverse nearly 320 MEELLION hashed passwords

Researchers reverse hashes in Troy Hunt’s password release. PS, don’t forget the salt

The anonymous CynoSure Prime “cracktivists” who two years ago reversed the hashes of 11 million leaked Ashley Madison passwords have done it again, this time untangling a stunning 320 million hashes dumped to Australian researcher Troy Hunt.…

Source