Archive for February 28, 2017

Google Discloses Vulnerability After Microsoft Fails To Patch In Time

(pc-Google Images)
Google's Project Zero has unearthed a bug in Windows, and as Microsoft failed to patch it within 90 days of being notified, details of the flaw have been made public.

The vulnerability in question is in the gdi32.dll library, which is used by a significant number of programs. It affects Microsoft's Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10, none of which are yet patched.

Google gives a company 90 days after it privately reports a vulnerability to fix the issue. If that time elapses without a patch being made available to the public, the vulnerability is disclosed publicly so that users can protect themselves by taking the necessary steps.

In a post, Google’s Mateusz Jurczyk explains how the bug works. The post -- entitled "Windows gdi32.dll heap-based out-of-bounds reads / memory disclosure in EMR_SETDIBITSTODEVICE and possibly other records" -- says that Microsoft issued a patch that fixed a related issue, but not all the memory access issues were addressed.

As part of MS16-074, some of the bugs were indeed fixed, such as the EMR_STRETCHBLT record, which the original proof-of-concept image relied on. However, we've discovered that not all the DIB-related problems are gone. As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.

Jurczyk informed Microsoft about the bug on 16 November, giving the Windows-maker 90 days to get things sorted before going public. With this month's batch of security patches from Microsoft being delayed, the company missed the deadline, so the details of the bug are now available for everyone to see.
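The class of bug described above, as an added example that is not code from the article, from Project Zero or from Microsoft: a parser for a hypothetical, simplified bitmap record (the layout is constructed for this example and is not the EMF format). A record header declares how many pixel bytes follow; a parser that trusts that field without checking it against the bytes actually present reads past the end of the heap buffer, and whatever it copies ends up as pixel colors, which is how heap contents leak to anything that can read the rendered image back. The hardened parser below shows the two length checks that prevent that, and the helper functions use constructed records to exercise the well-formed, truncated and oversized-claim cases.

```c
/* Added example: length validation for a hypothetical bitmap record.
 * Layout (constructed for this example, NOT the EMF record format):
 *   uint32_t width, height, bits_per_pixel, declared_pixel_bytes, then pixels. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 16

/* Copies the pixel data of a validated record into out.
 * Returns 0 on success and -1 if the record is rejected.
 * On entry *out_len is the capacity of out; on success it is set to the bytes copied. */
int parse_record_safe(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t *out_len) {
    if (rec_len < HDR_SIZE) return -1;
    uint32_t width, height, bpp, declared;
    memcpy(&width, rec, 4);
    memcpy(&height, rec + 4, 4);
    memcpy(&bpp, rec + 8, 4);
    memcpy(&declared, rec + 12, 4);

    if (width == 0 || height == 0) return -1;
    if (bpp != 8 && bpp != 24 && bpp != 32) return -1;
    /* Reject geometries whose byte count would not fit in 32 bits (overflow guard). */
    if (width > UINT32_MAX / height) return -1;
    uint64_t needed = (uint64_t)width * height * (bpp / 8);
    if (needed > UINT32_MAX) return -1;

    /* Check 1: the declared pixel size must cover the geometry. */
    if (declared < needed) return -1;
    /* Check 2: the record itself must actually contain that many bytes.
     * Omitting this check is the out-of-bounds read: the copy below would
     * run off the end of the record's heap buffer. */
    if ((uint64_t)rec_len - HDR_SIZE < declared) return -1;

    if (needed > *out_len) return -1;
    memcpy(out, rec + HDR_SIZE, (size_t)needed);
    *out_len = (size_t)needed;
    return 0;
}

/* Builds a constructed record into buf. `declared` may deliberately disagree
 * with `pixel_bytes_present` to simulate a malformed file. Returns total length. */
size_t build_record(uint8_t *buf, uint32_t w, uint32_t h, uint32_t bpp,
                    uint32_t declared, size_t pixel_bytes_present) {
    memcpy(buf, &w, 4);
    memcpy(buf + 4, &h, 4);
    memcpy(buf + 8, &bpp, 4);
    memcpy(buf + 12, &declared, 4);
    for (size_t i = 0; i < pixel_bytes_present; i++) buf[HDR_SIZE + i] = (uint8_t)i;
    return HDR_SIZE + pixel_bytes_present;
}

/* 4x4 at 8 bpp = 16 pixel bytes, all present: returns the number of bytes copied (16). */
int check_wellformed(void) {
    uint8_t rec[64], out[64];
    size_t n = sizeof out;
    size_t len = build_record(rec, 4, 4, 8, 16, 16);
    if (parse_record_safe(rec, len, out, &n) != 0) return -1;
    return (int)n;
}

/* Same header, but only 8 of the declared 16 pixel bytes are present: must be rejected. */
int check_truncated(void) {
    uint8_t rec[64], out[64];
    size_t n = sizeof out;
    size_t len = build_record(rec, 4, 4, 8, 16, 8);
    return parse_record_safe(rec, len, out, &n);
}

/* Header claims 0xFFFFFFFF pixel bytes while carrying 16: must be rejected. */
int check_oversized_claim(void) {
    uint8_t rec[64], out[64];
    size_t n = sizeof out;
    size_t len = build_record(rec, 4, 4, 8, 0xFFFFFFFFu, 16);
    return parse_record_safe(rec, len, out, &n);
}

int main(void) {
    printf("well-formed record: %d bytes copied\n", check_wellformed());
    printf("truncated record:   %s\n", check_truncated() == -1 ? "rejected" : "accepted");
    printf("oversized claim:    %s\n", check_oversized_claim() == -1 ? "rejected" : "accepted");
    return 0;
}
```

The second check is the one that matters for this bug class: validating the declared size against the image geometry alone still lets a file whose declared size exceeds its real length drive the copy past the buffer.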

Russian cybersecurity researcher charged with treason for sharing info with US firms

Ruslan Stoyanov, a top cybersecurity researcher at Kaspersky Lab, was arrested after allegedly being charged with treason by Russian authorities. It is now reported that he allegedly passed secret state documents to Verisign and other US companies.

In December, Stoyanov was arrested in Moscow along with two FSB officers, Sergei Mikhailov and Dmitry Dokuchayev, after a Russian businessman accused them of treason.

According to an unnamed source, the allegations against the three were first made in 2010 by a Russian businessman, Pavel Vrublevsky, who is the founder of the online payment firm ChronoPay.

In December 2016, all three of them were arrested in response to those 2010 claims that the men had passed secrets on to American companies.

“I can confirm we (Chronopay) expect to be part of this case,” Vrublevsky told Reuters. “In 2010 we provided the FSB and other important Russian agencies with evidence that at least one FSB employee, as well as several other people, were involved in treason.”

Before making his allegation, Vrublevsky himself was arrested and convicted for organizing a cyber attack on the website of a rival of his online payment company, ChronoPay.

After the news of Stoyanov's arrest, Kaspersky Lab released the following statement:

"The case against this employee does not involve Kaspersky Lab. The employee, who is Head of the Computer Incidents Teams, is under investigation for a period predating his employment at Kaspersky Lab. We do not possess details of the investigation."

"The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments."

TeamSpy Malware Reappears In a Spam Campaign

(pc-Google Images)
Heimdal Security researchers spotted a new spam campaign carrying the TeamSpy data-stealing malware.

The attackers abuse the TeamViewer remote access tool to give themselves full access to a compromised device. Once downloaded, the malware first targets usernames and passwords and then scans for personal information and pictures, which can be used for a number of illicit activities, including extortion and financial gain, said Heimdal CEO Morten Kjaersgaard.

First, an email from a spoofed address gets the victim to download a zip file which, once opened, triggers the .exe file inside. The TeamSpy code is then dropped onto the victim's computer as a malicious DLL. The emails noticed by the security firm had 'eFax message from "1408581 **' as a subject line.

As before, the cybercriminals install a legitimate version of TeamViewer on their victims' computers and then alter its behavior through DLL hijacking to make sure it stays hidden.

The keystroke logs are copied to a file, along with all available user names and passwords. The file is continuously sent to a C&C server.

Per the researchers, the TeamSpy malware adds various components to the otherwise legitimate TeamViewer application, two of which are a keylogger and a TeamViewer VPN.

Putin Says Number of Cyber Attacks Against Russia Has Tripled

The number of attacks launched against Russian cyberspace has increased significantly in recent years, Russian Federation President Vladimir Putin said at the annual board meeting of the Federal Security Service on February 16.

"The number of cyber attacks against official information databases has tripled in the past year compared to 2015," said the President.

On 11 February, Oleg Salagai, Director of the Health Ministry's Department of Public Health and Communications, said that unknown hackers had attacked the official website of the Health Ministry. The attackers failed to gain access to any personal data or classified files.

Spies Hack Israeli Soldiers’ Android Phones

(pc-Google Images)
More than 100 soldiers from the Israel Defense Forces (IDF) have become the target of a cyberespionage group when information from their mobile devices was stolen using malicious Android applications.

ViperRAT, the clandestine hacking collective, was found actively hijacking soldiers' Android-based smartphones to remotely siphon images and audio directly from the devices.

Highly sophisticated malware allowed the attackers to control each phone’s microphone and camera. In effect, the hackers could eavesdrop on soldiers’ conversations and peer into live camera footage — wherever an affected smartphone’s camera would be pointed, that vantage point could have also been viewable to the hackers.

A list of installed apps on the infected mobile device is also sent out by the dropper. Some variants pretend to be chat apps, another pretends to be a YouTube player, depending on what is already installed on the device.

Other Android smartphone applications common among Israeli citizens and available in the Google Play store, including a billiards game, an Israeli Love Songs player, and a Move To iOS app, were found to contain hidden ViperRAT malware.

While the malicious actors behind ViperRAT have yet to be explicitly identified, their activity patterns suggest that the cyberespionage is being carried out by a group operating out of the Middle East.