Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files - Mr. R3x

Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files

You have always been warned not to share remote access to your computer with untrusted people for any reason—it's a basic cybersecurity advice, and common sense, right?

But what if, I say you should not even trust anyone who invites or offer you full remote access to their computers.

A critical vulnerability has been discovered in Microsoft's Windows Remote Assistance (Quick Assist) feature that affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7, and allows remote attackers to steal sensitive files on the targeted machine.

Windows Remote Assistance is a built-in tool that allows someone you trust to take over your PC (or you to take remote control of others) so they can help you fix a problem from anywhere around the world.

The feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.

However, Nabeel Ahmed of Trend Micro Zero Day Initiative discovered and reported an information disclosure vulnerability (CVE-2018-0878) in Windows Remote Assistance that could allow attackers to obtain information to further compromise the victim's system.

The vulnerability, which has been fixed by the company in this month's patch Tuesday, resides in the way Windows Remote Assistance processes XML External Entities (XXE).

The vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).

Exploiting Windows Remote Assistance to Steal Files

Since a security patch for this vulnerability is now available, the researcher has finally released technical details and proof-of-concept exploit code for the flaw to the public.

In order to exploit this flaw, which resides in MSXML3 parser, the hacker needs to use "Out-of-Band Data Retrieval" attack technique by offering the victim access to his/her computer via Windows Remote Assistance.

While setting up Windows Remote Assistance, the feature gives you two options—Invite someone to help you and Respond to someone who needs help.

Selecting the first option helps users generate an invitation file, i.e. 'invitation.msrcincident,' which contains XML data with a lot of parameters and values required for authentication.

Since the parser does not properly validate the content, the attacker can simply send a specially crafted Remote Assistance invitation file containing a malicious payload to the victim, tricking the targeted computer to submit the content of specific files from known locations to a remote server controlled by the attackers.

"The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action," Microsoft explains. 

"This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem. Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information," Ahmed warns.

Among patching other critical vulnerabilities fixed this month, Windows users are highly recommended to install the latest update for Windows Remote Assistance as soon as possible.

Read More

[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

[Guide] How to Protect Your Devices Against Meltdown and Spectre Attacks

Recently uncovered two huge processor vulnerabilities called Meltdown and Spectre have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in its products.

The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20 years.

What are Spectre and Meltdown?

We have explained both, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), exploitation techniques in our previous article.

In short, Spectre and Meltdown are the names of security vulnerabilities found in many processors from Intel, ARM and AMD that could allow attackers to steal your passwords, encryption keys and other private information.

Both attacks abuse 'speculative execution' to access privileged memory—including those allocated for the kernel—from a low privileged user process like a malicious app running on a device, allowing attackers to steal passwords, login keys, and other valuable information.

Protect Against Meltdown and Spectre CPU Flaws

Some, including US-CERT, have suggested the only true patch for these issues is for chips to be replaced, but this solution seems to be impractical for the general user and most companies.

Vendors have made significant progress in rolling out fixes and firmware updates. While the Meltdown flaw has already been patched by most companies like Microsoft, Apple and Google, Spectre is not easy to patch and will haunt people for quite some time.

Here's the list of available patches from major tech manufacturers:

Windows OS (7/8/10) and Microsoft Edge/IE

Microsoft has already released an out-of-band security update (KB4056892) for Windows 10 to address the Meltdown issue and will be releasing patches for Windows 7 and Windows 8 on January 9th.

But if you are running a third-party antivirus software then it is possible your system won’t install patches automatically. So, if you are having trouble installing the automatic security update, turn off your antivirus and use Windows Defender or Microsoft Security Essentials.

"The compatibility issue is caused when antivirus applications make unsupported calls into Windows kernel memory," Microsoft noted in a blog post. "These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot."

Apple macOS, iOS, tvOS, and Safari Browser

Apple noted in its advisory, "All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time."

To help defend against the Meltdown attacks, Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2, has planned to release mitigations in Safari to help defend against Spectre in the coming days.

Android OS

Android users running the most recent version of the mobile operating system released on January 5 as part of the Android January security patch update are protected, according to Google.

So, if you own a Google-branded phone, like Nexus or Pixel, your phone will either automatically download the update, or you'll simply need to install it. However, other Android users have to wait for their device manufacturers to release a compatible security update.

The tech giant also noted that it's unaware of any successful exploitation of either Meltdown or Spectre on ARM-based Android devices.

Firefox Web Browser

Mozilla has released Firefox version 57.0.4 which includes mitigations for both Meltdown and Spectre timing attacks. So users are advised to update their installations as soon as possible.

"Since this new class of attacks involves measuring precise time intervals, as a partial, short-term mitigation we are disabling or reducing the precision of several time sources in Firefox," Mozilla software engineer Luke Wagner wrote in a blog post.

Google Chrome Web Browser

Google has scheduled the patches for Meltdown and Spectre exploits on January 23 with the release of Chrome 64, which will include mitigations to protect your desktop and smartphone from web-based attacks.

In the meantime, users can enable an experimental feature called "Site Isolation" that can offer some protection against the web-based exploits but might also cause performance problems.

"Site Isolation makes it harder for untrusted websites to access or steal information from your accounts on other websites. Websites typically cannot access each other's data inside the browser, thanks to code that enforces the Same Origin Policy." Google says.

Here's how to turn on Site Isolation:

• Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
• Look for Strict Site Isolation, then click the box labelled Enable.
• Once done, hit Relaunch Now to relaunch your Chrome browser.

Linux Distributions

The Linux kernel developers have also released patches for the Linux kernel with releases including versions 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97, which can be downloaded from Kernel.org.

VMware and Citrix

A global leader in cloud computing and virtualisation, VMware, has also released a list of its products affected by the two attacks and security updates for its ESXi, Workstation and Fusion products to patch against Meltdown attacks.

On the other hand, another popular cloud computing and virtualisation vendor Citrix did not release any security patches to address the issue. Instead, the company guided its customers and recommended them to check for any update on relevant third-party software.

Read More

Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day

Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day

If you think that only CPU updates that address this year's major security flaws—Meltdown and Spectre—are the only ones you are advised to grab immediately, there are a handful of major security flaws that you should pay attention to.

Microsoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office related that had been actively exploited by several threat groups in the wild.

Sixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework.

The zero-day vulnerability (CVE-2018-0802), described by Microsoft as a memory corruption flaw in Office, is already being targeted in the wild by several threat actor groups in the past few months.

The vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security's 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad.

According to the company, this security flaw is related to CVE-2017-11882—a 17-year-old vulnerability in the Equation Editor functionality (EQNEDT32.EXE), which Microsoft addressed in November.

When researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a blog post published by Check Point.

Besides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office.

A spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for MAC, which has been listed as publicly disclosed (Mailsploit attack), has also addressed by the company. The vulnerability does not allow some versions Outlook for Mac to handle the encoding and display of email addresses properly, causing antivirus or anti-spam scanning not to work as intended.

Microsoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to show their invalid certificates as valid.

"An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose," describes Microsoft. "This action disregards the Enhanced Key Usage taggings."

The company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer.

All these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially-crafted webpage that triggers a memory corruption error, though none of these has been exploited in the wild yet.

Meanwhile, Adobe has patched a single, out of bounds read flaw (CVE-2018-4871) this month that could allow for information disclosure, though no active exploits have been seen in the wild.

Users are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Read More

CopyCat Android Rooting Malware Infected 14 Million Devices

CopyCat Android Rooting Malware Infected 14 Million Devices 

CopyCat Android mobile malware was able to infect over 14 million devices last year and root eight million of them, researchers have revealed.

The malware, spread through popular apps repackaged with the malicious code and distributed through third-party stores and phishing scams -- but not Google Play -- infects devices in order to generate and steal advertising revenue.

According to Check Point researchers, the hackers behind the campaign were able to earn roughly $1.5 million in two months, infecting 14 million devices globally and rooting 8 million of them in what the security team calls an "an unprecedented success rate."

Check Point

Once a device is infected, CopyCat waits until a restart to allay suspicion then attempts to root the device. Check Point says that CopyCat was able to successfully root 54 percent of all the devices it infected, "which is very unusual even with sophisticated malware."

In order to achieve root status, the malicious code uses six different vulnerabilities for Android versions 5 and earlier through an "upgrade" pack pulled from Amazon web storage. Some of the flaws the malware tests for are extremely old and the most modern ones were discovered over two years ago -- and so should your device be patched and up-to-date, CopyCat should not be a worry.

"These old exploits are still effective because users patch their devices infrequently, or not at all," the researchers note.

The malware then injects malicious code into the Zygote app launching process, which permits attackers to generate fraudulent revenue by installing apps and substituting the user's referrer ID with their own, as well as display fraudulent ads and applications.

This technique was first used by the Triada Trojan. According to Kaspersky Labs, the malware targeted the same process to gain superuser privileges before using regular Linux debugging tools to embed its DLL and target mobile browsers.

In total, fraudulent ads were displayed on 26 percent of infected devices, while 30 percent were used to steal credit for installing apps on Google Play. In addition, Check Point says the malware would also send device brand, model, OS version and country to CopyCat command and control (C&C) centers.

At the peak of the campaign in April and May 2016, CopyCat mainly infected users in Asia, although over 280,000 infections were also recorded in the United States.

Check Poin

Google was able to quell the campaign, and now the current number of infected devices is far lower -- but those affected by the malware may still be generating revenue for the attackers today.

The researchers are not sure who is behind the malware campaign but has tentatively linked MobiSummer as some of the malware's code is signed by the Chinese ad network.

See also: Windows ransomware found to be incredibly rare

Earlier this week, a UK teenager was charged for supplying malware for use in distributed denial-of-service (DDoS) attacks and assisting criminals in striking high-profile targets worldwide, including NatWest, Vodafone, O2, BBC, BT, Amazon, Netflix, and Virgin Media, among others.r

Read More

The Rise of "Onion-Layered" Attacks , IBM Says

"Onion-layered" security incidents have been on the rise throughout 2015, according to the IBM X-Force Threat Intelligence Quarterly report for Q4 2015.

Released this week, IBM’s report (PDF) cites four key trends that have been observed this year, with onion-layered and ransomware attacks joined by attacks coming from inside an organization and by an increased management awareness of the need to address security threats proactively.

IBM explains that onion-layered security incidents involve a second, more damaging attack hidden behind a visible one. Usually, these attacks are carried by two actors, namely a script kiddie, an unsophisticated attacker launching highly visible attacks which can be easily caught, and a more sophisticated stealthy attacker who might expand their grip of the victim’s network without being detected for weeks or even months.

"As the name suggests, an 'onion-layered' security incident is one in which a second, often significantly more damaging attack is uncovered during the investigation of another more visible event," the report said.

Such attacks demand large amounts of resources and time to investigate and mitigate, IBM says, given that stealthy attackers use sophisticated tools, are careful to cover their tracks, and use anti-forensic techniques to remain undetected. IBM also notes that anti-virus software alerts about malware on Internet-facing servers, unexpected reboots of servers and other unusual behavior, suspicious log records, and frequent user lockouts are signs that stealthy attackers have infiltrated a network.

Undetected attacks could prove highly damaging to companies, especially if the cybercriminals behind them manage to get hold of valuable data.  

“While the recovery of systems compromised by script kiddie attacks might take only a few days of an operation team’s time and effort, the job of finding a root cause, then fully understanding and remediating the work of the stealthy attackers could take months,” IBM said. Meanwhile, an undetected attacker could roam the network undetected, ultimately trying to gain access to the client’s crown jewels.

Earlier this year, Corero Network Security warned that distributed denial-of-service (DDoS) attacks were being leveraged to circumvent cybersecurity solutions, disrupt service availability and infiltrate victim networks.

"The danger in partial link saturation attacks is not the ‘denial of service’ as the acronym describes, but the attack itself," Corero said. "The attack is designed to leave just enough bandwidth available for other sophisticated multi-vector attacks with data exfiltration as the main objective, to fly in under the radar, while the distracting DDoS attack consumes resources."

Based on investigations conducted by Mandiant/FireEye throughout 2014, the median number of days that attackers were present on a victim’s network before being discovered was 205 days.

IBM provided fundamental advice, suggesting that organizations keep systems updated and increase their visibility into the network, as well as build an internal security operations center, create operational procedures, and ensure an appropriate level of logging, in addition to periodically performing penetration testing exercises.

Read More

Subtitle Hack: 200 Million Devices Are Vulnerable, Download Fix For VLC, Kodi, Etc.

A simple but malicious subtitle file can be used to gain control of your PC, TV or smartphone. Check Point researchers have spotted vulnerabilities in VLC, Kodi, Stremio, and Popcorn Time in the way these media players handle subtitle files. As of now, fixes have been released for the media players.

According to a blog post published by Check Point security, a subtitle file could be modified to create a new attack vector and compromise the devices such as PCs, mobile devices, TVs, etc running vulnerable media players. Once compromised, the attacker can perform remote code execution, steal data, use the device as a pawn in a DDoS attack, and more.The researchers say, delivering a cyber attack when subtitles are loaded onto a media players is a “completely overlooked technique”.Most of the people download subtitles files from repositories on the web without giving a second thought, treating them as no more than innocent text files.The researchers say that attackers can upload a malicious subtitle on a repository and manipulate the rankings to put their results on the top. This could result in an increase in manual download counts and automatic download counts (by media players).They also note that subtitles aren’t considered as a threat in comparison to traditional attack vectors which are well-known to security companies and users. That’s the reason a malicious code hiding in a subtitle file could easily sneak through filters deployed by antivirus software.The actual vulnerability lies in the way the media players handle subtitle files. One aspect that contributes to the complexity of the whole thing is a large number of subtitle formats each having its own set of features. Currently, there are around 25 subtitle formats in circulation.Different media players have their own method of parsing and combining different subtitle formats in order to enhance user experience. As a result, the researchers were able to find distinct vulnerabilities in affected media players.The list of affected media players includes VLC, XBMC Kodi, Popcorn Time, and Stremio. However, the researchers don’t exclude the possibility of the exploit existing on other media players. 

The researchers haven’t published further details as the developers are currently investigating the vulnerability.Each of the affected media players has millions of users with VLC topping the list. The last release of VLC (June 5, 2016) has been downloaded more than 170 million times. In total, the researchers estimated that around 200 million devices running the affected media players are exposed to the attack.

Download Subtitle Hack Fix:

Check Point researchers contacted the developers of the affected media players in April 2017. Thankfully, the security patches have been released.

In the case of VLC, the attacker can leverage memory corruption bug. The media player had four vulnerabilities (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313) which have been fixed by VideoLan.

A fix for VLC is available as the latest version 2.2.5.1 which is present on the VideoLan’s website. The same is the case of Stremio.

The developers of Popcorn Time and Kodi have created a fix, but it’s not released for public yet. For Popcorn Time, you can download the fix manually using this link provided by the researchers. Head over to GitHub where you can find a source code fix for XBMC Kodi.

Read More