Oracle Identity Manager Hacked through a Critical Flaw

 

Based in Redwood, California, Oracle Corporation is the largest software company whose primary business is database products. Historically, Oracle has targeted high-end workstations and minicomputers as the server platforms to run its database systems. Its relational database was the first to support the SQL language, which has since become the industry standard.

An exploit was found in Oracle’s identity management system. It is tracked as CVE-2017-10151, has been assigned the highest CVSS score of 10, and is easy to exploit without any user interaction.

This CVE is due to a security loophole involving a default account that allows an unauthenticated attacker on the same network to compromise Oracle Identity Manager through HTTP.

The full details of this vulnerability have not yet been released by Oracle.

“This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials,” Oracle’s advisory reads.

The easily exploitable vulnerability affects Oracle Identity Manager versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0.

Oracle has already released patches for all versions of the products that were affected by this CVE. All users should update to the latest version of Oracle to patch the vulnerability before a hacker has the chance to exploit it.

Justin Palmer

Sources:

https://thehackernews.com/2017/10/oracle-identity-manager.html

https://www.oracle.com/index.html

 

North Korea Hackers Accused of Stealing Secret Blueprints of South Korea’s Submarine Weapon Systems


 

North Korean hackers have broken into computer systems in South Korea and stolen classified documents containing blueprints for submarines and warships, it has been alleged. They illegally accessed systems of Daewoo Shipbuilding and stole around 40,000 documents, according to South Korean politician Kyeong Dae-soo. Sixty “classified documents including blueprints and technical data for submarines and vessels equipped with Aegis weapon systems” made their way into North Korean hands.

The breach was discovered by the South Korean defense ministry, according to Kyeong Dae-soo of the main opposition Liberty Korea Party. “We are almost 100 percent certain that North Korean hackers were behind the hacking and stole the company’s sensitive documents,” Kyeong told Reuters. A team investigating the hack concluded that North Korea was behind the attack after they reportedly uncovered similarities with other attacks known to have been previously conducted by North Korean hackers.

The country is also in the middle of building a brand new submarine that could potentially launch nuclear missiles. US intelligence assesses that North Korea has begun construction of a new class of 2,000-ton submarine which Kim Jong-un could use to launch the country’s nuclear missiles. Its existence hasn’t been confirmed yet, but US intelligence sources are closely monitoring the country’s shipyards in order to get an idea of what is happening.

 

Citations:

http://www.ibtimes.co.uk/north-korea-accused-hacking-stealing-secret-blueprints-south-korean-warships-submarines-1645245

http://www.mirror.co.uk/tech/north-korean-hackers-accused-stealing-11441008

http://www.businessinsider.com/north-korea-stole-submarines-technology-south-korea-2017-10

-Matthew Brown

UnCaptcha Cracks Google ReCaptcha with 85% Accuracy

One of the internet’s favorite ways of verifying that traffic is coming from actual people and not bots is the captcha. Those little boxes with pictures of street signs have proven notoriously difficult for robots to crack, despite machine learning’s increasing progress in recognizing images. Recently, however, researchers at the University of Maryland have figured out a new, easier way to crack these pesky security measures.

Rather than looking at the images provided by Google, their new system UnCaptcha uses the available audio captcha in order to circumvent the complexities of image processing.


The program works by passing the audio played by the captcha to various speech-to-text algorithms. It uses Bing Speech Recognition, IBM, and the Google Cloud API along with phonetic processing to determine exact and near homophones and plug its results back into the captcha.

The researchers have been able to achieve about 85% accuracy with this system, which is available on GitHub. Google has noticed the release of this captcha cracker, and recently started adding certain bits of spoken text into their audio recordings.

https://www.infosecurity-magazine.com/news/uncaptcha-defeats-google-captcha/

https://www.bleepingcomputer.com/news/technology/uncaptcha-breaks-450-recaptchas-in-under-6-seconds/

New Ransomware Spreads across Europe

A new ransomware, dubbed “Bad Rabbit”, has been spreading quickly throughout Europe in the past few months. The Petya-like attack (27% of BadRabbit code has been seen in Petya samples) has struck corporate and personal networks alike utilizing “drive-by” download attacks. An initial analysis by Kaspersky Lab states that the malware spreads by luring victims with fake Adobe Flash Player installers. No exploits were used in the distribution of the malware; the victim must manually execute the malware dropper.

Once executed, BadRabbit scans the internal network for open SMB (Server Message Block) shares and tries a hardcoded list of commonly used credentials to spread the ransomware.  It also uses the post-exploitation tool “Mimikatz” to extract the credentials off of the infected systems. This is notable because it marks a new wave of ransom attack, one that doesn’t utilize the “EternalBlue” exploit, the exploit used by notable ransomware such as WannaCry and Petya to spread throughout networks.  The same report also stated that numerous compromised websites have been detected “all of which were news or media websites.”

After spreading through a network, BadRabbit utilizes an open-source full drive encryption service called DiskCryptor that encrypts files using RSA-2048 keys. After this, a ransom note appears on the screen asking victims to log into an onion website to make an initial payment of 0.05 bitcoin (or ~$285) in order to get their encryption key. A countdown timer, originally set for 40 hours, is also displayed with the threat of increasing the price of the key if no payment is sent within the time frame.


Affected organizations include Russian news agencies Interfax and Fontanka as well as the payment systems used in the Kiev Metro, Odessa International Airport, and the Ukrainian Ministry of Infrastructure. Interfax was hit particularly hard: 24 hours after the attack, their website still displayed the message “our service is temporarily unavailable.”

The head of Russian cyber-security firm Group-IB, Ilya Sachkov, says, “In some of the companies, the work has been completely paralyzed – servers and workstations are encrypted.” U.S. officials have stated that they have “received numerous reports of BadRabbit ransomware infections in many countries around the world.” The Russian central bank released a statement that there were recorded BadRabbit attacks on several of the top 20 Russian financial institutions, but that none had been compromised.

So far, attacks have been heavily concentrated in Russia; however, attacks have also been recorded in Ukraine, Turkey, and Germany. Analysis of BadRabbit is still under way to try to find a way to decrypt computers without having to pay, as well as how to stop it from spreading further.

The malware is still undetected by the majority of anti-virus programs according to VirusTotal. For now, Kaspersky Lab suggests that you disable the WMI service on your computers to prevent the malware from spreading over your network, and that you change default credentials within your network.

Sources:

http://www.bbc.com/news/technology-41740768

https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html

http://www.intezer.com/notpetya-returns-bad-rabbit/
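The spreading behaviour described in the BadRabbit article above (one infected host trying a list of common credentials against many SMB shares) leaves a recognisable trail of failed network logons. The following detection sketch is an added example, not part of the original article or any vendor's tooling; it assumes Windows Security event 4625 (failed logon) with logon type 3 (network), and the sample events and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, event_id, logon_type, source, target, user)
EVENTS = [
    ("2024-01-15T09:00:01", 4625, 3, "10.0.0.23", "FS01", "admin"),
    ("2024-01-15T09:00:03", 4625, 3, "10.0.0.23", "FS01", "administrator"),
    ("2024-01-15T09:00:09", 4625, 3, "10.0.0.23", "FS02", "admin"),
    ("2024-01-15T09:00:12", 4625, 3, "10.0.0.23", "FS02", "guest"),
    ("2024-01-15T09:00:20", 4625, 3, "10.0.0.23", "HR-PC7", "root"),
    ("2024-01-15T09:00:22", 4625, 3, "10.0.0.23", "HR-PC7", "user"),
    # One person mistyping a password: same user, same target
    ("2024-01-15T09:05:00", 4625, 3, "10.0.0.40", "FS01", "jsmith"),
    ("2024-01-15T09:05:10", 4625, 3, "10.0.0.40", "FS01", "jsmith"),
    ("2024-01-15T09:05:25", 4624, 3, "10.0.0.40", "FS01", "jsmith"),  # success
    # Failures spread over a working day: too slow for the 5-minute window
    ("2024-01-15T08:00:00", 4625, 3, "10.0.0.51", "FS01", "alice"),
    ("2024-01-15T10:00:00", 4625, 3, "10.0.0.51", "FS02", "bob"),
    ("2024-01-15T12:00:00", 4625, 3, "10.0.0.51", "HR-PC7", "carol"),
    ("2024-01-15T14:00:00", 4625, 3, "10.0.0.51", "FS01", "dave"),
    ("2024-01-15T09:10:00", 4625, 2, "10.0.0.60", "HR-PC7", "guest"),  # console
]

def spray_sources(events, window_minutes=5, min_targets=3, min_users=4):
    """Return {source: (targets, users)} for hosts failing network logons
    against many machines with many account names inside one time window."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, target, user in events:
        if event_id == 4625 and logon_type == 3:  # failed network logon only
            by_src[src].append((datetime.fromisoformat(ts), target, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            span = fails[start:end + 1]
            targets = {t for _, t, _ in span}
            users = {u for _, _, u in span}
            if len(targets) >= min_targets and len(users) >= min_users:
                flagged[src] = (len(targets), len(users))
                break
    return flagged

if __name__ == "__main__":
    print(spray_sources(EVENTS))
```

Only 10.0.0.23 is reported here; widening the window to a full day would also surface the slow source, at the cost of more false positives from ordinary password mistakes.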

 

Bad rolling code in key fob for many Subaru cars

Most cars you see on the road have key-less entry. This means that you do not have to use your key in the door, and can lock/unlock your car door from a few meters away, making life much easier. First a short explanation of how rolling codes work, and then how Subaru’s rolling codes failed.

Inside your key fob is a small radio transmitter, and inside the car is a corresponding radio receiver. When you press the unlock or lock button, a new 40 digit rolling code is generated from a pseudo-random number generator. The car and fob both use the same generator, so they both get the same new code without anyone on the outside being able to predict the pattern. If the code from the fob matches the code in the car, the car unlocks and locks. When the car receives a valid code, it generates the next number in the sequence. To account for things like pressing the lock/unlock buttons when the car is out of range, the car stores around 250 of the next numbers from the generator, so the fob can match any of those.

Subaru’s failure was that its rolling code was generated using an incremental algorithm, meaning that by intercepting enough signals you could figure out how it increments and calculate the next code. Even worse, it is surprisingly easy and also cheap to execute this attack. The few supplies you need are: a Raspberry Pi with WiFi, a radio receiver, a wire, a 433 MHz antenna, and a smartphone. All you need to do is connect the receiver and antenna, wire it to the Pi, connect to the Pi, and run a script. Once a signal is received, the next code in the sequence is calculated and you can use it to unlock the car. If you don’t feel like committing grand theft auto, you can flood the car with hundreds of new rolling codes, meaning any code from the fob won’t work. This means you will not be able to use remote lock, and you have to take the car into a dealership to put it into programmer mode and reset the codes.

On newer models across all cars, some form of encryption is used to transmit the rolling code, and only the car knows the decryption key. The list of affected cars is:

– 2006 Subaru Baja
– 2005 – 2010 Subaru Forester
– 2004 – 2011 Subaru Impreza
– 2005 – 2010 Subaru Legacy
– 2005 – 2010 Subaru Outback

However, more Subaru vehicles could be affected.

Noah Kalinowski

Source: http://seclists.org/fulldisclosure/2017/Oct/27
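The rolling-code article above describes a receiver with a look-ahead window of about 250 codes and explains why an incrementing code is predictable. The model below is an added example, not code from the original post or from any vehicle; it contrasts an incrementing code with a keyed one, where the HMAC construction, the 40-bit truncation and the key are assumptions chosen for illustration.

```python
import hashlib
import hmac

WINDOW = 250                      # look-ahead the article describes for the car
KEY = b"constructed-demo-secret"  # constructed shared secret, not a real key

def incremental_code(counter, key=None):
    """Weak scheme: the transmitted code simply counts up."""
    return counter

def keyed_code(counter, key):
    """Assumed hardened scheme: HMAC of the counter, truncated to 40 bits."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:5], "big")

class Receiver:
    """Car side: accepts any of the next WINDOW codes, then resynchronises."""
    def __init__(self, code_fn, key=None):
        self.code_fn, self.key, self.counter = code_fn, key, 0

    def accept(self, code):
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            if self.code_fn(c, self.key) == code:
                self.counter = c      # codes at or below c are now dead
                return True
        return False

def extrapolate(captured):
    """Next value if the step between the last two captured codes repeats."""
    return 2 * captured[-1] - captured[-2]

def demo(code_fn, key):
    """Three overheard presses, then a replay and an extrapolated code."""
    car, captured = Receiver(code_fn, key), []
    for press in (1, 2, 3):
        code = code_fn(press, key)
        assert car.accept(code)
        captured.append(code)
    replay_accepted = car.accept(captured[-1])
    guess_accepted = car.accept(extrapolate(captured))
    return replay_accepted, guess_accepted

if __name__ == "__main__":
    print("incremental:", demo(incremental_code, None))  # guess is accepted
    print("keyed HMAC: ", demo(keyed_code, KEY))         # guess is rejected
```

Both receivers reject a replayed code because the window only looks forward; only the keyed one also rejects a code extrapolated from earlier transmissions.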