Gits exposed, kinky app devs spanked, Feds spy on spyware buyers, etc
Mac APT unearthed and other infosec bits and bytes summarized just for you
Roundup This week brought with it Supermicro shoring up firmware security, a North Korean hacking charge, and a spying anti-adware macOS tool getting yanked by Apple from its App Store. Elsewhere, we had…
BrokenType broken out with source code release
A software vulnerability probing tool called BrokenType has appeared in public on GitHub for folks to use.
Developed by Googler Mateusz Jurczyk – though it is not an official Chocolate Factory project – BrokenType lets you fuzz code that handles OpenType and TrueType fonts to find memory corruption errors that could be exploited to execute malicious software (such as the ones behind critical Microsoft patches).
Users can download the entire three-piece toolset directly from GitHub.
Mac security foiled by... URLs
Apple security guru Patrick Wardle has detailed a recently spotted campaign to commandeer and control macOS machines.
Dubbed Windshift APT, the attack uses multiple exploits to infect Apple-powered computers mostly in the Middle East. One of those exploits abuses the way macOS passes URLs to applications to open.
Wardle said that, just like the way an app can be assigned to open a specific file type, it can also be associated with a URL protocol. As soon as an application lands on a filesystem, it is parsed by the operating system, and if it declares, say, it can handle foo:// URLs, then macOS automatically registers it as a handler.
That way, if you get someone to simply download an app – and not even run it – it can register itself for a custom protocol, and then be automatically activated when that protocol is invoked in a webpage. Thus, it is possible to install malware or spyware, if the user clicks OK in a popup to confirm they want to launch the special URL.
Wardle recommends that users either switch to a browser that does not automatically open .zip archives of applications, such as Chrome, or at least turn off the “open safe files after downloading” option in Safari.
Gmail users freak over FBI notification
A Reddit thread has popped up in recent days with netizens upset about a notification they received from Google that the FBI had requested access to their messages.
As it turns out, the notifications were likely the result of a 2017 investigation into a remote administration tool (RAT) known as Luminosity that lets the controller covertly spy on the activity of the PC on which the software is installed. It's basically a utility that you sneak onto a victim's computer, and use to snoop on them, and was sold on underground hacker forums. Luminosity’s creator was convicted in a US court earlier this year.
As the Reddit users eventually worked out, the notifications were likely sent after the expiration of a one-year nondisclosure agreement placed on Google by the Feds, and, with that having lapsed, Gmail users were then sent a notification that the FBI had asked for their account info. The agents were quite possibly after the messages of people who may have bought copies of Luminosity using their Gmail accounts. The FBI was able to obtain its customer database.
The moral of the story: don’t mess around with RATs. Especially ones sold on hacker forums and marketplaces.
Egghead maps out exposed .Git repos
A Czech researcher has scanned the internet's web servers to log the world’s exposed Git repositories.
Vladimír Smitka of Lynt Services said he started the project first as a scan just for Czech sites, but eventually expanded it to a global project that took around four weeks to complete and ended up returning 390,000 web pages that had left the critical files exposed.
Smitka said that locking down a site’s Git repository is a critical security task that is all too often overlooked by developers.
“If you use git to deploy your site, you shouldn't leave the .git folder in a publicly accessible part of the site. If you already have it there for some reason, you need to ensure that access to the .git folder is blocked from the outside world,” he explained.
Smitka is advising developers to keep a close eye on files and scripts they upload via Git and make sure they lock down access to the files.
Kink shame: Sex app bares passwords for all to see
Whiplr, a hookup app for kinksters, has been found to be awfully naughty when it comes to password security.
An Engadget report claimed the app’s developer was storing user accounts and passwords in a backend database as plain text.
“Should hackers have gained access to this database, they could've potentially figured out the real identities of users either through the app itself or through other services where those credentials are identical,” the blog noted.
As you can imagine, most people on the site would not want their identities revealed to prudish family and peers, and even fewer would want to have their passwords in the hands of hackers. If you’ve downloaded the app, you will probably want to make sure your password is unique and any personal information scrubbed.
Schneider Electric crash
Industrial control equipment maker Schneider Electric has fixed a remotely exploitable device-crashing flaw in its Modicon Controller.
The CVE-2018-7789 vulnerability can be abused by hackers to remotely disconnect Modicon M221 units from host networks simply by sending malformed packets. Obviously, a miscreant needs network access to the device to knacker it.
Such an attack would leave an operator with "no way to view and control the physical processes on the OT [operational technology] network,” according to Radiflow, the industrial control specialist that uncovered the bug. Attacked equipment would have to be powered off and on again to recover.
"The recovery from such an attack would require a reboot of the attacked PLCs and physical access to the controllers, which would cause significant downtime to the ICS network," Radiflow advised.
Radiflow discovered and reported this vulnerability to Schneider Electric approximately two months ago, prior to its recent remediation. ICS-CERT’s write-up explained that "successful exploitation of this vulnerability could allow an unauthorised user to remotely reboot the device" alongside remediation advice.
Russian hacker extradited for massive financial fraud case
The US District Attorney’s office in Manhattan, New York, said this week it has secured the extradition of Russian national Andrei Tyurin, an alleged hacker wanted in connection with a string of attacks on financial companies.
The DA claimed Tyurin was one of four hackers behind, among other shenanigans, the massive computer security breach at JPMorgan that saw the details on roughly 80 million user accounts stolen back in 2014. Tyurin was also said to have been behind a string of attacks on other financial firms and at least one breach of a business news site.
“Andrei Tyurin allegedly engaged in a long-running effort to hack into the systems of U.S. based financial institutions, brokerage firms and financial news publishers, all from the perceived safety of operating outside our borders,” said FBI Assistant Director William Sweeney.
“As alleged, his illegal acts included the historically largest theft of customer data from a U.S. financial institution.”
When he does reach the US and appears in court on September 25, Tyurin will be charged with computer hacking, wire fraud, conspiracy to commit computer hacking, conspiracy to commit wire fraud, identity theft, and violating the Unlawful Internet Gambling Enforcement Act. ®