Researchers are raking the Lenovo Watch X over the security coals in a report that blasts the device for shipping with a half dozen “disturbing” privacy and security vulnerabilities. The budget ($50) smartwatch was introduced in June 2018 and was initially praised for its design, features and affordability. But in the months following the launch, the Lenovo Watch X has been hearing an earful from usability, and now security, critics.

In a report released by Checkmarx on Tuesday, security researcher David Sopas outlined a swath of failings and concluded the watch’s vulnerabilities were “a violation of [his] privacy” because the device sends location data to an “unknown server” in China. In the report, titled “Your Lenovo Watch X Is Watching You and Sharing What It Learns,” Sopas outlined a litany of bugs. Lenovo said fixes for all bugs outlined in the Checkmarx report are “due to be complete this week.”

One bug pinpointed the phone’s location via longitude and latitude and sent it over an unencrypted communications channel to China, where Lenovo is headquartered. Another bug could allow a man-in-the-middle attack. “Communication sent between the mobile application and web server is not encrypted, so anyone could sniff the communication,” the researcher wrote. Other bugs included an account takeover vulnerability. “Due to lack of account validation and permissions, it’s possible to force a password change request for any user,” he wrote. “Anyone who knows the userid could change the user password, and therefore hijack remote accounts.”

Three Bluetooth bugs were also found. In one, hand movements kick the watch into pairing mode, and that mode never times out. Another could allow a “malicious user [to] send a specific command to the watch to set alarms. The function allows adding multiple alarms, as often as every minute.” Lastly, a Bluetooth write-permission bug could allow someone to spoof incoming call alerts to the watch.

Sopas stressed that the corresponding Lenovo Watch X app, with 50,000-plus downloads, is also troubling. For its part, Lenovo told Threatpost the watch was never intended for the U.S. market, despite the English-language app and a number of U.S.-based online retailers selling the watch. “The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China. Our PSIRT team has been working with the ODM that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week,” Lenovo wrote.

Checkmarx disclosed the watch vulnerabilities to Lenovo in October 2018. Lenovo confirmed receipt of the bugs several weeks later. In January, Lenovo said fixes had been issued. It’s unclear what, if anything, users will need to do in order to ensure they get a fix.

Smartwatches have recently come under fire for privacy issues. Last month, researchers from Pen Test Partners examined kids’ watches that were part of watchmaker Gator’s portfolio of devices. They found a severe flaw that exposes sensitive information for 35,000 kids and 20,000 individual accounts.

Source

By Waqas Famed secure email service provider VFEmail has become a victim of a hack attack by an unknown cybercriminal. The company claims that it has suffered a “catastrophic destruction” of its US servers and almost two decades of data and backups in only a few hours. The entire digital infrastructure of the company got destroyed by […] This is a post from HackRead.com Read the original post: Email service provider loses 2 decades worth of data due to hack attack

Source

While APT activity and a raft of malware types continue to capture the notice of researchers and journalists, it turns out that trusty old banking trojans remain the top email-borne threat out there. According to Proofpoint’s latest quarterly report, analyzing trends for the fourth quarter of 2018 based on its telemetry, banking malware that harvests online banking credentials made up 56 percent of all malicious payloads at the end of last year. Of those, the firm found that Emotet comprised 76 percent of them – although, strictly speaking, Emotet has evolved into much more than just a banking trojan. “Despite the presence of a range of banking trojans appearing in the wild, threat actors continue to coalesce around known malware,” the report highlighted. “Taken together, Emotet, Panda Banker and Ursnif comprised almost 97 percent of observed banking trojans in Q4. Emotet traffic, while far more consistent and appearing in higher volumes than other bankers in Q4, was quiet for most of October; the actor primarily responsible for high-volume Emotet campaigns was also inactive for most of April. Aside from these two periods, however, Emotet steadily increased in the volume and frequency of associated email campaigns throughout 2018.” In all, malicious messages bearing credential-stealers or downloaders in general collectively jumped more than 230 percent year-over-year – an illustration of the value of stolen credentials on the Dark Web. As for the rest of the bunch, espionage-ready remote access trojans (RATs) accounted for just 8.4 percent of all malicious payloads in Q4 and 5.2 percent for the year; however, that marks a significant change from previous years in which they were more rarely used by crimeware actors, according to the report. RATs establish backdoors on a victim’s machine for the purposes of reconnaissance, data exfiltration, credential theft, loading additional malware and so on. APT505 was particularly active using RATs in the quarter. 
And, ransomware dropped even further in Q4 to just one tenth of 1 percent of overall malicious message volume. “After dominating the threat landscape in 2016 and much of 2017, ransomware nearly disappeared in Q1 2018,” the report explained. “In Q2, we observed a return of ransomware, albeit at much lower levels than we saw in 2017. However, this spike appeared to be a ‘testing of the waters,’ since ransomware message volumes dropped by 10 percentage points from Q2. This suggests that ransomware campaigns did not generate sufficient returns for threat actors to continue distributing them at scale. Ransomware dropped even further in Q4 to just one tenth of 1% of overall malicious message volume.” Only three ransomware strains appeared, and only in relatively small, sporadic email campaigns, in Q4: GandCrab, GlobeImposter and Troldesh. Interestingly, the malware delivery mechanism of choice seemed to be via malicious links embedded within the body of an email, rather than attachments. “Malicious URLs continued to outnumber malicious attachments in email campaigns delivering malware throughout Q4,” according to the report. “Proofpoint observed over twice as many URL messages as attachment messages during this period, although this constituted a decrease from 2018 as a whole. For the entire year, malicious URLs appeared over three times as often as messages with malicious attachments, suggesting that the pendulum may be swinging back toward attachments as it tends to do periodically.” On the non-malware email-attack front, business email compromise (BEC) spiked considerably, continuing its inexorable growth; the number of email fraud attacks against targeted companies increased 226 percent quarter-on-quarter and a whopping 476 percent from two years ago. On average, companies targeted by BEC received about 120 fraudulent emails in the fourth quarter of the year, up from 36 in Q3 2018 and up from 21 in the year-ago quarter.

Source

Ubuntu and some other Linux distributions suffer from a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system. Dubbed “Dirty_Sock” and identified as CVE-2019-7304, the vulnerability was discovered by security researcher Chris Moberly, who privately disclosed it to Canonical, the maker of Ubuntu, late last month.

The vulnerability resides in the REST API of the snapd service, a universal Linux packaging system that makes an application compatible with various Linux distributions without requiring any modification. Built by Canonical, snapd is installed by default on all versions of Ubuntu and is also used by other Linux distributions, including Debian, OpenSUSE, Arch Linux, Solus, and Fedora. Snap packages are basically applications compressed together with their dependencies, along with instructions on how to run them and interact with other software on various Linux systems for desktop, cloud, and Internet of Things.

snapd locally hosts a web server (on a UNIX_AF socket) that offers a set of RESTful APIs which the service uses to perform various actions on the operating system. These REST APIs come with access control that defines user-level permissions for specific tasks: some powerful APIs are only available to root, while others can be accessed by low-privileged users. According to Moberly, a flaw in the way the access control mechanism checks the UID associated with a request made to the server allows attackers to overwrite the UID variable and access any API function, including those restricted to the root user. “Snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket,” Ubuntu explains in its advisory. “A local attacker could use this to access privileged socket APIs and obtain administrator privileges.”

However, it should be noted that since Dirty Sock leverages a local privilege escalation flaw, it does not allow hackers to compromise a vulnerable Linux system remotely. Moberly has also released two proof-of-concept (PoC) exploits on GitHub today, one of which requires an SSH connection while the other is able to sideload a malicious snap by abusing this API. Canonical has released snapd version 2.37.1 this week to address the vulnerability, and Ubuntu and other major Linux distributions have already rolled out fixed versions of their packages. Linux users are strongly recommended to upgrade vulnerable installations as soon as possible.

Source

What could be more frightening than a service informing you that all your data is gone, every file and every backup server entirely wiped out? The worst nightmare of its kind. Right? But that's precisely what happened this week with VFEmail.net, a US-based secure email provider that lost all data and backup files for its users after unknown hackers destroyed its entire U.S. infrastructure, wiping out almost two decades' worth of data and backups in a matter of a few hours for no apparent reason.

Started in 2001 by Rick Romero, VFEmail provides secure, private email services to companies and end users, both free and paid-for. Describing the attack as “catastrophic,” the privacy-focused email service provider revealed that the attack took place on February 11 and that “all data” on its US servers, both the primary and the backup systems, has been completely wiped out and is seemingly beyond recovery. “Yes, @VFEmail is effectively gone,” Romero wrote on Twitter Tuesday morning. “It will likely not return. I never thought anyone would care about my labor of love so much that they'd want to completely and thoroughly destroy it.”

The VFEmail team detected the attack on February 11 itself, after it noticed all the servers for its service had gone offline without any notice. After two hours, the company reported that the attackers had been caught “in the middle of formatting its backup server,” saying that it “fear[ed] all US-based data may be lost.” Shortly after that, however, VFEmail confirmed that “all the disks on every server” had been wiped out, virtually erasing the company's entire infrastructure, including mail hosts, virtual machine hosts, and a SQL server cluster, within just a few hours. “Strangely, not all VMs shared the same authentication, but all were destroyed,” VFEmail explained. “This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” a rare example of a purely destructive attack.

Although it is still unclear who was behind this destructive attack and how the hack was pulled off, a statement posted to the company's website pointed to the IP address 94[.]155[.]49[.]9 and the username “aktv,” which appears to be registered in Bulgaria. Romero believes the hacker behind the above-mentioned IP address most likely used a virtual machine and multiple means of access into the VFEmail infrastructure to carry out the attack, and as a result, no method of protection, such as 2-factor authentication, would have protected VFEmail from the intrusion. The official website has now been restored and is running, but all secondary domains still remain unavailable. If you are an existing user, expect to find your inbox empty.

This isn't the first time the company has been attacked. In 2015, a group of hackers known as the “Armada Collective,” who also targeted Protonmail, Hushmail, and Runbox, launched a DDoS attack against VFEmail after it refused to pay a ransom.

Source

A local privilege-escalation vulnerability in Canonical’s snapd package has been uncovered, which would allow any user to obtain administrator privileges and immediate root access on affected Linux systems. Snapd is used by Linux users to download and install apps in the .snap file format. Chris Moberly at Missing Link Security found the issue (CVE-2019-7304), and said that it resides in the snapd API. This is installed by default in Ubuntu; Moberly said in his bug report that his proof-of-concept exploits work “100% of the time on fresh, default installations of Ubuntu Server and Desktop.” He also noted that the flaw is “likely included in many Ubuntu-like Linux distributions.”

Taking a page from the well-known “Dirty Cow” vulnerability, Moberly dubbed the issue “Dirty Sock,” since it revolves around handling sockets. “snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket,” Canonical explained in its Ubuntu advisory, which provides patches for affected packages. “A local attacker could use this to access privileged socket APIs and obtain administrator privileges.”

Moberly elaborated in a blog post explaining the technical details of the issue. “snapd serves up a REST API attached to a local UNIX_AF socket. Access control to restricted API functions is accomplished by querying the UID associated with any connections made to that socket. User-controlled socket peer data can be affected to overwrite a UID variable during string parsing in a for-loop. This allows any user to access any API function.”

With access to the API, there are multiple methods to obtain root. The researcher developed PoCs for two of them that involve creating root-level user accounts, but there are likely many more approaches that could be taken, he noted. The first, dirty_sockv1, bypasses access control checks to use a restricted API function (POST /v2/create-user) of the local snapd service. “This queries the Ubuntu SSO for a username and public SSH key of a provided email address, and then creates a local user based on these values,” Moberly explained. The downside is that successful exploitation requires an outbound Internet connection and an SSH service accessible via localhost.

The second, appropriately named dirty_sockv2, also bypasses access control checks of the local snapd service to use a restricted API function, this time POST /v2/snaps. “This allows the installation of arbitrary snaps,” the researcher said. “Snaps in ‘devmode’ bypass the sandbox and may include an install hook that is run in the context of root at install time. dirty_sockv2 leverages the vulnerability to install an empty ‘devmode’ snap including a hook that adds a new user to the local system. This user will have permissions to execute sudo commands.” As opposed to version one, dirty_sockv2 does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments. Exploit two is also effective on non-Ubuntu systems that have snapd installed but do not support the “create-user” API that the first exploit leverages.

Moberly found the vulnerability in January, and praised the snapd team for fixing the issue quickly. “I was very impressed with Canonical’s response to this issue,” he said. “The team was awesome to work with, and overall the experience makes me feel very good about being an Ubuntu user myself.” On Ubuntu systems with snaps installed, snapd “typically will have already automatically refreshed itself to snapd 2.37.1 which is unaffected,” Canonical said. As for other Linux distros that use snapd, such as Linux Mint, Debian and Fedora, administrators should check to see if the flaw is present and apply patches accordingly.
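Both Dirty Sock write-ups above describe the same bug class: a peer-credential string is scanned field by field in a loop, and a later, client-influenced field overwrites the UID the kernel supplied. The following Go program is an added illustration written for this page, not snapd's code; the "pid=…;uid=…;socket=…" layout and the sample strings are assumptions chosen for the demo. It shows a parser with that flaw beside a positional parser that never lets client data reach the credential fields.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// PeerCreds is what the access-control layer believes about the client on
// the other end of the UNIX socket. (Illustrative type, not snapd's.)
type PeerCreds struct {
	PID uint32
	UID uint32
}

// parseField reads "key=<number>" and fails on anything else.
func parseField(f, key string) (uint32, error) {
	if !strings.HasPrefix(f, key) {
		return 0, fmt.Errorf("expected %q field, got %q", key, f)
	}
	n, err := strconv.ParseUint(strings.TrimPrefix(f, key), 10, 32)
	if err != nil {
		return 0, err
	}
	return uint32(n), nil
}

// vulnerableParse mirrors the bug class: every ';'-separated field is
// inspected in a loop, so a later "uid=" field silently overwrites the
// kernel-supplied one. Because the tail of the string carries a
// client-chosen socket name, the client ends up choosing its own UID.
func vulnerableParse(remote string) (PeerCreds, error) {
	var c PeerCreds
	for _, f := range strings.Split(remote, ";") {
		switch {
		case strings.HasPrefix(f, "pid="):
			n, err := parseField(f, "pid=")
			if err != nil {
				return c, err
			}
			c.PID = n
		case strings.HasPrefix(f, "uid="):
			n, err := parseField(f, "uid=")
			if err != nil {
				return c, err
			}
			c.UID = n // last match wins: this is the flaw
		}
	}
	return c, nil
}

// hardenedParse treats the layout as positional: exactly one pid field and
// one uid field must lead the string, and everything from the "socket="
// marker onward is opaque client data that is never scanned for credentials.
func hardenedParse(remote string) (PeerCreds, error) {
	parts := strings.SplitN(remote, ";", 4)
	if len(parts) < 3 || !strings.HasPrefix(parts[2], "socket=") {
		return PeerCreds{}, errors.New("malformed peer address")
	}
	pid, err := parseField(parts[0], "pid=")
	if err != nil {
		return PeerCreds{}, err
	}
	uid, err := parseField(parts[1], "uid=")
	if err != nil {
		return PeerCreds{}, err
	}
	return PeerCreds{PID: pid, UID: uid}, nil
}

// isPrivileged is the policy decision that must only ever see trusted creds.
func isPrivileged(c PeerCreds) bool { return c.UID == 0 }

func main() {
	// Constructed sample inputs: an honest unprivileged client, and one whose
	// client-chosen socket name smuggles a second uid field into the string.
	honest := "pid=4242;uid=1000;socket=/run/snapd.socket;@"
	crafted := "pid=4242;uid=1000;socket=/tmp/sock;uid=0;@"
	for _, remote := range []string{honest, crafted} {
		v, _ := vulnerableParse(remote)
		h, err := hardenedParse(remote)
		fmt.Printf("%-46s vulnerable: uid=%d root=%v | hardened: uid=%d root=%v err=%v\n",
			remote, v.UID, isPrivileged(v), h.UID, isPrivileged(h), err)
	}
}
```

The hardened variant also rejects strings whose leading fields are out of order or missing, which is the check a reviewer should look for in any credential parser that shares a buffer with untrusted data.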

Source

A design flaw in Apple’s macOS could allow a malicious application to steal victims’ Safari web browsing history. The security hole exists in every version of macOS Mojave, including the macOS Mojave 10.14.3 Supplemental Update released on Feb. 7. That’s according to Mac and iOS developer Jeff Johnson, who disclosed the bug over the weekend.

The issue stems from the fact that there are no permission dialogs for apps accessing certain folders. While enforcing permissions would mean that these folders could only be accessed by certain apps, the alternative (no permissions required) in the case of ~/Library/Safari means that any app is allowed to look inside it. And inside that folder is a user’s entire web browsing history (as well as reading list archives, remote notifications, template icons and more). Johnson said that once a malicious app has been installed on the system, it could then access the Safari library and steal the web browsing history.

“New blog post ‘Spying on Safari in Mojave’. In which I report a newly discovered hole in macOS Mojave privacy protections. https://t.co/86HyJXlC0C” — Jeff Johnson (@lapcatsoftware) February 9, 2019

“I’ve discovered a way to bypass these protections in Mojave and allow apps to look inside ~/Library/Safari without acquiring any permission from the system or from the user,” said Johnson in a Feb. 8 post, titled Spying on Safari in Mojave. “There are no permission dialogs, It Just Works.™ In this way, a malware app could secretly violate a user’s privacy by examining their web browsing history.” Johnson said that he notified Apple and privately released the technical details to the computing giant. Apple has acknowledged the vulnerability, he said. At the time of this writing, there is no patch or remediation available.

Apple has faced a slew of security issues lately. The company last week patched a major flaw in its Group FaceTime feature that allowed callers to eavesdrop on people they called even if the other party never picked up. Also last week, a researcher claimed to have found a new Apple zero-day impacting macOS that could allow an attacker to extract passwords from a targeted Mac’s keychain password management system. Threatpost reached out to Apple for comment and will update this post with any response.

Source

Cybersecurity researchers have discovered a way to hide malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to protect it from disclosure or modification. In other words, the technique allows attackers to implant malware code in a secure memory region that uses the protection features of SGX, which are otherwise designed to protect important data from prying eyes or from tampering, even on a compromised system.

Introduced with Intel's Skylake processors, SGX (Software Guard Extensions) allows developers to run selected application modules in completely isolated secure regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels like the operating system, kernel, BIOS, SMM, hypervisor, etc. However, a team of researchers, some of whom were behind the discovery of the Spectre and Meltdown CPU flaws, managed to bypass this protection and got their own malicious application into a secure enclave by leveraging the age-old technique of return-oriented programming (ROP).

The attack also uses Transactional Synchronization eXtensions (TSX), found in modern Intel CPUs, in conjunction with a novel fault-resistant read primitive called TSX-based Address Probing (TAP). TAP uses TSX to determine whether a virtual address is accessible by the current process, and this exploration of memory is undetectable because operating-system-level applications cannot look inside an enclave, by design. “Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code reuse attack from within an enclave which is then inadvertently executed by the host application,” reads a research paper [PDF] published Tuesday.

To determine whether a memory page is writable, the team developed a fault-resistant write primitive, Checking Located Addresses for Writability (CLAW), which encapsulates the write instruction for the target memory page within a TSX transaction and explicitly aborts the transaction after the write. The writability of the target memory page can then be deduced from the return value of the transaction.

Once the malware gets its way into the secure enclave, the confidentiality and integrity that SGX fundamentally guarantees to legitimate programs would also prevent researchers or security solutions from detecting and analyzing the malware within the enclave. This would eventually allow the malware to bypass various security technologies, such as operating-system-level Address Space Layout Randomization (ASLR), stack canaries, and address sanitizer, as well as execute arbitrary code on the targeted system. “Moreover, there's a potential threat of next-generation ransomware which securely keeps encryption keys inside the enclave and, if implemented correctly, prevents ransomware recovery tools,” the academics explain.

The researchers said the proof-of-concept exploit developed by their team bypassed ASLR, stack canaries, and address sanitizer to “run ROP gadgets in the host context enabling practical enclave malware,” noting that the entire exploit process took 20.8 seconds. In the end, the academics concluded that instead of “protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits.” Mitigations against such attacks could be implemented in future generations of Intel CPUs that better sandbox SGX enclaves. Some of those mitigations would require hardware-level changes without costing any performance, while others would not require hardware modifications but would trade away some performance.

Source

Microsoft on Tuesday issued a bevy of patches to correct at least 70 distinct security vulnerabilities in Windows and software designed to interact with various flavors of the operating system. This month's patch batch tackles some notable threats to enterprises, including multiple flaws that were publicly disclosed prior to Patch Tuesday. It also bundles fixes to quash threats relevant to end users, including critical updates for Adobe Flash Player and Microsoft Office, as well as a zero-day bug in Internet Explorer.

Some 20 of the flaws addressed in February's update bundle are weaknesses labeled “critical,” meaning Microsoft believes that attackers or malware could exploit them to fully compromise systems with little or no help from users, save for convincing a user to visit a malicious or hacked Web site. Microsoft patched a bug in Internet Explorer (CVE-2019-0676) discovered by Google that attackers already are using to target vulnerable systems. This flaw could allow malware or miscreants to check for the presence of specific files on the target's hard drive.

Another critical vulnerability that impacts both end users and enterprises is a weakness in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. the “Windows DHCP client”). That flaw, CVE-2019-0626, could let an attacker execute malcode of his choice just by sending the target a specially crafted DHCP request. At the top of the list of patch concerns mainly for companies is a publicly disclosed issue with Microsoft Exchange services (CVE-2019-0686) that could allow an attacker on the same network as the target to access the inboxes of other users. Microsoft said it has not seen active exploitation of this bug yet, but considers it likely to be exploited soon.
Security experts are fond of saying “patch now!” when it comes to Windows bugs, but in general it can’t hurt for regular users to wait a day or two after Microsoft releases monthly security updates before installing the fixes. That's because occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out. Just don't put off the task too long. And bear in mind it’s a good idea to get in the habit of backing up your data before installing Windows updates, to hedge against the odd case in which a wonky patch ends up rendering your system unusable until you can work out how to reverse the changes. Windows 10 likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn’t make it easy for Windows 10 users to change this setting, but it is possible. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update. Microsoft also included fixes to address a single vulnerability in Adobe Flash Player. Microsoft and Adobe disagree on the severity of this flaw, according to security firm Qualys. Adobe labels it an “important” bug, while Microsoft tags it with a far more severe “critical” label. Regardless, Flash flaws are favorite targets of attackers. If you browse the Web with IE or Edge, this month's patch batch from Microsoft has you covered. Fortunately, the most popular Web browser by a long shot — Google Chrome — auto-updates Flash but also is now making users explicitly enable Flash every time they want to use it (Microsoft also bundles Flash with IE/Edge and updates it whenever Windows systems install monthly updates). By the summer of 2019 Google will make Chrome users go into their settings to enable it every time they want to run it. 
Firefox also forces users with the Flash add-on installed to click in order to play Flash content; instructions for disabling or removing Flash from Firefox are here. Adobe will stop supporting Flash at the end of 2020. Adobe also released updates for Adobe Acrobat and Reader that plug at least 70 security holes in these applications, so if you have either installed please be sure to update those. As always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Source

By Carolina To test the security of its data, Russia is considering disconnecting its Internet service for a short period of time. The test will affect all the data sent by Russian citizens or organizations as Internet access would be limited only within the national territory, meaning that they will not be routed internationally. The test has […] This is a post from HackRead.com Read the original post: Russian to shut down Internet to test its cyber deterrence

Source