Last Week In Blockchain and CyberSecurity News - October 8, 2019

Google Finds Android Zero-Day Impacting Pixel, Samsung, Huawei, Xiaomi Devices

Last week, Google’s Project Zero team disclosed a “zero-day” that resides in the Android operating system kernel code. The vulnerability was patched in December 2017 for versions 3.18, 4.14, and 4.9; however, newer software versions are still vulnerable. According to the researchers, vulnerable phone models that run Android 8.x and later include:

  • Pixel 2 with Android 9 and Android 10 preview 

  • Huawei P20 

  • Xiaomi Redmi 5A 

  • Xiaomi Redmi Note 5 

  • Xiaomi A1 

  • Oppo A3 

  • Moto Z3 

  • Oreo LG phones 

  • Samsung S7, S8, S9 

The exploit requires “little or no per-device customization,” and, according to Google’s Threat Analysis Group (TAG), has been used in real-world attacks. Google’s TAG believes the individuals behind the zero-day likely belong to the NSO Group. NSO denies these claims, stating,

NSO did not sell and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO; our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives.

Exploitation requires a malicious application to be installed on the device; the issue is now tracked as CVE-2019-2215. You can find more information about the vulnerability here.

Read more here

A Bug in Signal on Android Devices Could Be Exploited to Spy on Users

Google Project Zero researcher Natalie Silvanovich has discovered a logic vulnerability in the Signal messaging app for Android. A malicious actor can exploit it to force a call to be answered without any interaction from the receiving end. In other words, the bug allows an attacker to listen in on a victim without their knowledge. For the exploit to work, the incoming Signal call must go unanswered on the receiving end.

Silvanovich explains, 

“In the Android client, there is a method handleCallConnected that causes the call to finish connecting. During normal use, it is called in two situations: when the device accepts the call when the user selects ‘accept’ and when the device receives an incoming “connect” message indicating that the callee has accepted the call.”   

Going further into detail, Silvanovich states that “using a modified client, it is possible to send the ‘connect’ message to a callee device when an incoming call is in progress but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device.” 

iOS devices are affected by a similar logic issue; however, there the call fails due to an error in the UI. Silvanovich recommends that Signal improve the logic of both clients. Signal has issued a patch for this vulnerability.
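The flaw Silvanovich describes is a missing state check: a “connect” message is only meaningful for a call the device itself placed, yet the client finished connecting the call whenever one arrived. The following added example (not Signal’s code; the `CallSession` class, its states and the message shapes are constructed for illustration) models that signalling logic in Python and shows the flawed behaviour beside the hardened check, which drops and records an unexpected “connect” instead of opening audio:

```python
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    OUTGOING_RINGING = auto()  # we placed the call and are waiting for the callee
    INCOMING_RINGING = auto()  # remote party is calling us; user has not tapped accept
    CONNECTED = auto()


class CallSession:
    """Minimal model of one call's signalling state (constructed for this example).

    strict=False mirrors the logic described in the write-up: any 'connect'
    message finishes connecting the call. strict=True adds the state check.
    """

    def __init__(self, state=CallState.IDLE, strict=False):
        self.state = state
        self.strict = strict
        self.audio_open = False
        self.rejected = []  # unexpected messages, kept so they can be logged

    def handle_call_connected(self):
        # Named after the method in the write-up: finishes connecting the call
        # and opens the audio path.
        self.state = CallState.CONNECTED
        self.audio_open = True

    def user_pressed_accept(self):
        # Legitimate path 1: the local user accepts an incoming call.
        if self.state == CallState.INCOMING_RINGING:
            self.handle_call_connected()

    def on_signalling_message(self, msg):
        # Legitimate path 2: the remote callee accepted a call we placed.
        if msg.get("type") != "connect":
            return
        if self.strict and self.state != CallState.OUTGOING_RINGING:
            # A 'connect' for a call we did not place is out of sequence;
            # record it and ignore it rather than silently opening the mic.
            self.rejected.append((self.state.name, msg))
            return
        self.handle_call_connected()


# Constructed sample message; the field names are hypothetical.
CONNECT_MSG = {"type": "connect", "call_id": 42}


def premature_connect_opens_audio(strict):
    """Incoming call still ringing, 'connect' arrives before the user accepts."""
    session = CallSession(CallState.INCOMING_RINGING, strict=strict)
    session.on_signalling_message(CONNECT_MSG)
    return session.audio_open


def outgoing_call_connects(strict):
    """Normal case: we placed the call and the callee accepted."""
    session = CallSession(CallState.OUTGOING_RINGING, strict=strict)
    session.on_signalling_message(CONNECT_MSG)
    return session.audio_open


def local_accept_connects(strict):
    """Normal case: the local user taps 'accept' on an incoming call."""
    session = CallSession(CallState.INCOMING_RINGING, strict=strict)
    session.user_pressed_accept()
    return session.audio_open


if __name__ == "__main__":
    print("flawed client, premature connect:", premature_connect_opens_audio(False))
    print("hardened client, premature connect:", premature_connect_opens_audio(True))
    print("hardened client, outgoing call:", outgoing_call_connects(True))
    print("hardened client, user accept:", local_accept_connects(True))
```

The hardened check leaves both legitimate paths intact; the only behaviour that changes is that a “connect” arriving while the device is still ringing for an incoming call is dropped and retained in `rejected`, which is also a useful signal to log on the client.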

Read more here

WhatsApp Flaw Opens Android Devices to Remote Code Execution

A technology and information security enthusiast, Awakened, has identified a flaw in the WhatsApp messaging platform on Android devices. The vulnerability allows attackers to elevate privileges and achieve remote code execution (RCE) on victims’ devices.

To successfully exploit the vulnerability, an attacker first sends a malicious GIF file to a victim. After the victim downloads the GIF file onto their device and opens the WhatsApp Gallery, the exploit executes. The exploit works on WhatsApp version 2.19.23 on Android versions 8.1 and 9.0.

Facebook has released an official patch in WhatsApp version 2.19.24 and recommends you update your app as soon as possible. The vulnerability is tracked as CVE-2019-11932. 

Get more information here

Researchers Find New Hack to Read Content of Password Protected PDF Files

Researchers have discovered a new set of techniques that abuse security weaknesses in the standard encryption process built into PDFs. Dubbed PDFex, the attack allows an attacker to remotely siphon content from an encrypted PDF once a legitimate user opens the document. The researchers tested PDFex against 27 popular PDF viewers and found all of them vulnerable to at least one of the two attack variants; in many cases, a viewer was vulnerable to both.

According to The Hacker News and the researchers, the affected PDF viewers include:

  • Adobe Acrobat 

  • Foxit Reader 

  • Okular 

  • Evince 

  • Nitro Reader 

The following built-in web browser PDF viewers are also affected: 

  • Chrome 

  • Firefox 

  • Safari 

  • Opera 

PDFex works due to two weaknesses in PDF encryption: partial encryption and ciphertext malleability.  

By design, standard PDFs support partial encryption, so only strings and streams are encrypted. Therefore, attackers can manipulate the document structure and inject malicious payloads into it.  

In terms of ciphertext malleability, PDF encryption uses a “Cipher Block Chaining (CBC) encryption mode with no integrity checks, which can be exploited by attackers to create self-exfiltrating ciphertext parts.” 
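To make the malleability point concrete, here is an added Python example (not the researchers’ code and not a PDF implementation) built on a small keyed Feistel block cipher and CBC mode written out by hand so it runs with the standard library only. It shows the property the quote relies on: XORing a difference into one CBC ciphertext block applies the same difference to the next plaintext block, and an unauthenticated decryptor has no way to notice. The same ciphertext fails immediately once an integrity tag (encrypt-then-MAC with HMAC-SHA256) is checked before decryption. The keys, IV and sample plaintext are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16
ROUNDS = 4

# Constructed demo keys and IV (a fixed IV is fine here, not for real use).
ENC_KEY = bytes(range(16))
MAC_KEY = bytes(range(16, 32))
IV = b"\x00" * BLOCK
# Constructed two-block sample plaintext.
PLAINTEXT = b"record-header   " + b"flag=0,owner=bob"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Feistel round function: keyed hash of one half plus the round number.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right


def cbc_encrypt(key, iv, plaintext):
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    # No integrity check: any well-formed ciphertext "decrypts" to something.
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, block), prev)
        prev = block
    return out


def seal(enc_key, mac_key, iv, plaintext):
    # Encrypt-then-MAC: the tag covers IV and ciphertext.
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_checked(enc_key, mac_key, iv, ct, tag):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return cbc_decrypt(enc_key, iv, ct)


def xor_into_previous_block(ct, block_index, delta):
    """XOR delta into ciphertext block block_index-1. In CBC decryption this
    XORs the same delta into plaintext block block_index and garbles block
    block_index-1, with no error raised."""
    assert block_index >= 1 and len(delta) == BLOCK
    start = (block_index - 1) * BLOCK
    return ct[:start] + _xor(ct[start:start + BLOCK], delta) + ct[start + BLOCK:]


def demo():
    ct, tag = seal(ENC_KEY, MAC_KEY, IV, PLAINTEXT)
    delta = b"\x00" * 5 + _xor(b"0", b"1") + b"\x00" * 10  # targets byte 5 of block 1
    tampered = xor_into_previous_block(ct, 1, delta)
    unauthenticated = cbc_decrypt(ENC_KEY, IV, tampered)   # returns modified data
    try:
        open_checked(ENC_KEY, MAC_KEY, IV, tampered, tag)
        rejected = False
    except ValueError:
        rejected = True                                     # tag mismatch caught it
    return unauthenticated, rejected


if __name__ == "__main__":
    modified, rejected = demo()
    print("unauthenticated CBC returned:", modified)
    print("authenticated open rejected tampered ciphertext:", rejected)
```

Block 0 of the unauthenticated result is garbage and block 1 differs from the original exactly where `delta` is non-zero; a viewer that only decrypts, as the quote describes for PDF, would process that modified content as if it were genuine. The MAC-checked path is the mitigation: integrity has to be verified before any decrypted bytes are interpreted, which is what AEAD modes provide by construction.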

The researchers have released proof-of-concept exploits of the PDFex attacks to the public.  

Read more here

Zendesk Security Breach May Impact Orgs like Uber, Slack, and FCC

Zendesk has recently informed its users about a security incident impacting almost 10,000 Zendesk Support and Chat accounts activated before November 1, 2016. Uber, Shopify, Airbnb, and Slack currently use Zendesk for their customer support platform, raising concerns for their customers as well. In a blog post published last week, Zendesk states that the following customer information might have been accessed during the breach: 

  • Agent and end-user names and contact information 

  • Usernames and hashed and salted passwords 

  • Transport Layer Security (TLS) certificates provided to Zendesk by customers 

  • App marketplace settings, including a small number of integration keys or passwords used by Zendesk apps to authenticate against third-party services   

The company further directed users to change any credentials used in the app, upload a new TLS certificate, and change authentication credentials.  

Zendesk will also reset the credentials of end-users who don’t use single sign-on within 24 hours of sending out the breach notification emails.  

Read more here