Recent Zero-Day Vulnerabilities disclosed on Twitter

By Stuart Nevans Locke:

 
Within the last few weeks, two Zero-Day exploits were disclosed on Twitter. Typically, exploits are reported to the company with a vulnerable product, researchers wait until the company fixes the vulnerability, and the vulnerability is made public only after patches have been released. Companies that run bug bounty programs often pay researchers for finding vulnerabilities; however, those companies almost always pay researchers less than they could get if they sold those vulnerabilities on the black market. Some bug bounty programs also have extremely limited scope or are reluctant to reward researchers with bounties. As a result, companies such as Zerodium have formed that operate in the gray area of buying and selling exploits. For example, last year Zerodium offered to pay up to $250,000 to researchers who found a remote code execution vulnerability that resulted in root access, while the bug bounty program run by Tor would pay a maximum of $4,000.

On September 10, Zerodium released a tweet saying that the NoScript plugin of Tor Browser version 7.x could be trivially bypassed. The NoScript plugin is made for Firefox and bundled into Tor Browser. Its primary purpose is to prevent JavaScript from running in your browser. While a vulnerability that bypasses NoScript would not be enough to de-anonymize users of the Tor Browser, it could be a useful step in running JavaScript-based exploits to do so. What makes this case of irresponsible disclosure so interesting is that Zerodium is in the business of buying and selling vulnerabilities, not giving them away on Twitter for no reason. This has caused speculation about why they released the vulnerability, and theories range from it being a PR move to them having more severe exploits in other versions of Tor.

Just a few days earlier, on August 27, a Twitter user going by the handle @SandboxEscaper posted a tweet containing a Local Privilege Escalation exploit that worked on fully updated Windows machines. Both the source code and a Proof of Concept (PoC) were published by the researcher. In the tweet, SandboxEscaper complained about how unpleasant dealing with Microsoft had been for them in the past. Very quickly after SandboxEscaper released this exploit, malware in the wild began to use it.

The most worrisome thing about these two vulnerabilities is that both were disclosed in such an irresponsible manner, allowing them to be exploited in the wild before NoScript and Microsoft had time to put out patches. One of the important things that cybersecurity researchers emphasize is the process of responsible disclosure, and it’s extremely worrisome to see this completely ignored by multiple sources.

Some Sources:
https://www.zdnet.com/article/exploit-vendor-drops-tor-browser-zero-day-on-twitter/ (Summary of Zerodium’s disclosure)
https://www.theregister.co.uk/2018/08/28/windows_zero_day_lpe/ (Summary of SandboxEscaper’s disclosure)
https://hackerone.com/torproject (Tor bug bounty)
https://zerodium.com/tor.html (Zerodium Tor Page)
https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f (Technical Analysis of SandboxEscaper’s exploit)

Baltimore’s Dispatch System Taken Down

Baltimore’s 911 dispatch system was breached Sunday, March 25th, shutting down automatic dispatching until Monday, March 26th, as well as halting call logs from 9:54 a.m. Sunday to 7:42 a.m. Monday.

A server running the city’s computer-aided dispatch (CAD) system was infiltrated around 8:30 Sunday morning, forcing caller information to be relayed manually for the remainder of the day into Monday. Under normal circumstances, caller information appears on a map and the nearest first responders are dispatched automatically. The attack effectively slowed this process and demanded that call center staff relay this information to dispatchers themselves.

The exploited vulnerability was a port that had been left open after an IT team attempted to troubleshoot a communications issue and in the process made changes to the firewall. City workers were able to take the affected server offline, conduct a thorough investigation, and successfully bring it back online by approximately 2 a.m. Monday morning. Later reports confirmed that the attack did involve ransomware, but neither the ransom amount nor the city’s response to the ransomware has been stated.

-Jordan Sullivan

Sources:

Crypto-jacking on Government Official Websites.

About a month ago, it was discovered that a vulnerability was being exploited in a browser plug-in called Browsealoud. Browsealoud is a website plugin, developed by the company TextHelp, that adds speech, reading, and translation to websites in an effort to help those with dyslexia and other conditions. Hackers injected a crypto-mining script into a Java file within the Browsealoud library. The script would mine the currency ‘monero’. Since the hackers attacked Browsealoud itself and not the individual websites, all the websites that were using Browsealoud (nearly 4000) were infected. Some of the websites included the UK’s ICO (Information Commissioner’s Office) and NHS (National Health Service) and the US federal judiciary. When someone visited a website using the plugin, the script would run and use the visitor’s CPU to begin mining.

Crypto-mining is something to be wary of, especially with the rise of Bitcoin and other cryptocurrencies. The hackers simply wanted an easy way to mine more currency for themselves, whether or not it was legal. Their reason for doing this comes back to the acronym ‘MEECES’, which stands for money, ego, entertainment, cause, entrance, status. The attackers were just looking for some money in this case, because as of now it is unknown who injected the script. Based on the information available so far, it was very fortunate that no information belonging to the websites’ users was stolen and that visitors were only used to mine cryptocurrency.

Websites should now use more caution when adding plugins to their pages. Every company should have people testing for vulnerabilities within their services and should submit proof of this to their customers. In the future we need to become more aware of the ways our websites and services can become vulnerable and the risks we take using them.

– Jordan Disciglio

Sources:
https://viraldocks.com/cryptojacking-attack-hits-4000-websites/

https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites
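
One control for the third-party script risk described in the post above is Subresource Integrity: the page pins a hash of the script, and the browser refuses a copy that has been altered on the vendor's server. The audit below is an added example, not part of the original post or of any vendor's code; the hosts, file names and page markup are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: hosts and file names are placeholders, not from the incident.
SAMPLE_PAGE = """
<script src="/js/site.js"></script>
<script src="https://plugin.example/reader.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"
        crossorigin="anonymous"></script>
"""


def sri_value(script_bytes):
    """Build the value for an integrity="..." attribute (SHA-384, base64)."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def matches_pin(script_bytes, integrity):
    """True if the fetched script is byte-for-byte the one that was pinned."""
    return sri_value(script_bytes) == integrity


class ScriptAudit(HTMLParser):
    """Collect third-party <script src> URLs that have no integrity attribute."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.unpinned = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        src = attr.get("src")
        if tag != "script" or not src:
            return
        host = urlparse(src).netloc  # empty for same-site relative paths
        if host and host != self.own_host and not attr.get("integrity"):
            self.unpinned.append(src)


def unpinned_third_party_scripts(html, own_host):
    audit = ScriptAudit(own_host)
    audit.feed(html)
    return audit.unpinned


if __name__ == "__main__":
    print(unpinned_third_party_scripts(SAMPLE_PAGE, "www.example.org"))
```

A pinned hash also blocks legitimate vendor updates until the pin is refreshed, so it fits scripts served at a versioned URL.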

Sanitize your strings, kiddos

Trusting user-inputted strings has always been a problem in computing. Users will always find a way to break your application with some kind of weird character. Programmers have found clever ways to get around this, such as preparing SQL statements, escaping unknown characters, or just returning an error when coming across unknown text. However, with the rise of the internet and the availability of tools, hackers have gotten smarter in the way they attack inputs.

In the last month or so, Django found this out in their django.utils.text.Truncator class. This class had two methods, chars() and words(), which would attempt to clean input.

Well, for some reason, users wanted a way to clean HTML with these methods, so Django added a html keyword argument to the methods, which would attempt to clean the text as if it were HTML. However, due to a catastrophic backtracking vulnerability in a regular expression in those functions, malicious users could input complicated HTML that would take a long time to process. This would result in a DoS attack on the web server, and bring down services to other users. Uh-oh.

So, looking at the CVE, you can see the security community ranked it a 5, the highest rating. Needless to say, Django quickly patched the issue and launched a hot fix.

The moral of the story is that security vulnerabilities can happen to anyone, and you should know what the framework you are using is doing, instead of just blindly trusting that it will work. Be aware of security in your everyday life.

— Kyle Kaniecki
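
The catastrophic backtracking described in the post above can be measured on a small scale. This is an added example, not Django's code: `VULNERABLE_TAG` is a constructed pattern with the same class of flaw (a quantified group whose body is also quantified), and `SAFE_TAG`, `MAX_INPUT` and `truncate_words_html` are hypothetical names for a hardened word truncator.

```python
import re
import time

# Constructed pattern, NOT Django's: the group body is itself quantified, so a
# tag that never closes can be split 2^(n-1) ways before the match finally fails.
VULNERABLE_TAG = re.compile(r"<(\w+\s*)+>")

# Hardened form: a single negated character class, nothing to re-split.
SAFE_TAG = re.compile(r"<[^<>]*>")

MAX_INPUT = 10_000  # assumed cap, enforced before any regex sees the text


def seconds_to_reject(pattern, n):
    """Time one failing search on '<' plus n word characters and no '>'."""
    payload = "<" + "a" * n  # constructed worst-case input
    start = time.perf_counter()
    matched = pattern.search(payload) is not None
    return time.perf_counter() - start, matched


def truncate_words_html(text, limit):
    """Return the first `limit` words of `text` with tags dropped, in linear time."""
    if len(text) > MAX_INPUT:
        raise ValueError("input exceeds MAX_INPUT")
    words = SAFE_TAG.sub(" ", text).split()
    return " ".join(words[:limit])


if __name__ == "__main__":
    # Each extra pair of characters roughly quadruples the vulnerable time.
    for n in (14, 16, 18, 20):
        slow, _ = seconds_to_reject(VULNERABLE_TAG, n)
        fast, _ = seconds_to_reject(SAFE_TAG, n)
        print(f"n={n:2d}  vulnerable={slow:.4f}s  safe={fast:.6f}s")
    print(truncate_words_html("<p>Hello <b>big</b> world again</p>", 3))
```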

Web Injects Used to Steal Bitcoin Money

With the increased use of cryptocurrency, hackers have started employing Web injects to intercept payments and acquire user information. Of course, when it comes to hacking there are many ways, but this report is intended to inform readers of how Web injects work and why they can be hard to identify. A Web inject is malware that changes the web page while it loads, before the user sees it. In this article, two Web injects are described, one for Coinbase and one for Blockchain.info. With Coinbase, the inject disables the enter key, forcing the user to press a fake submit button, thus giving the user’s credentials to the hacker. Likewise, the Web inject for Blockchain.info changes the web page so that the payment transaction goes to the hacker.

In the future, the use of online websites for bitcoin transactions (or payment transactions in general) will continue to increase. A study claimed that by 2024, the number of bitcoin users will reach 200 million (RT news). Therefore, hackers will always try to exploit users’ information. So in the future, companies with online payment platforms and bitcoin wallets will need to continue to research hacker attacks and stay up to date with security. Also, users should be more aware of how hackers use Web injects. For example, if a button does not work or there is a strange error, they should notify the company. This is all that companies and users can really do in this situation: continue to develop security tools and pay attention to details on the webpages.

-Jamie Smith

https://www.darkreading.com/attacks-breaches/criminals-using-web-injects-to-steal-cryptocurrency/d/d-id/1331350

https://www.ccn.com/exponential-growth-number-bitcoin-users-reach-200-million-2024/