New Vulnerability Lets Attackers Sniff or Hijack VPN Connections
Researchers have discovered a security flaw that allows a malicious actor to sniff or hijack VPN connections. The flaw is tracked as CVE-2019-14899 and impacts Android, Linux, macOS, and other Unix-based operating systems. It resides in “the networking stacks of multiple Unix-based operating systems, and more specifically, in how the operating systems reply to unexpected network packet probes.”
Attackers can use this vulnerability to discover numerous details about the victim’s VPN connection status. The attack can be carried out from the same local network, from a malicious access point, or from a router on the path. According to the researchers, an attacker is also able to determine the exact packet sequence in individual VPN connections.
According to ZDNet and the security research team, the vulnerability is exploitable on the following operating systems:
- Ubuntu 19.10 (systemd)
- Fedora (systemd)
- Debian 10.2 (systemd)
- Arch 2019.05 (systemd)
- Manjaro 18.1.1 (systemd)
- Devuan (sysV init)
- MX Linux 19 (Mepis+antiX)
- Void Linux (runit)
- Slackware 14.2 (rc.d)
- Deepin (rc.d)
- FreeBSD (rc.d)
- OpenBSD (rc.d)
OpenVPN, WireGuard, IKEv2/IPsec, and others are affected by this vulnerability as well.
Avast and AVG Browser Extensions Spy on Chrome and Firefox Users
Four popular browser extensions have been exposed for collecting detailed browsing history and data on millions of users.
The extensions include:
- Avast Online Security
- AVG Online Security
- Avast SafePrice
- AVG SafePrice
Wladimir Palant discovered the malicious behavior of Avast and AVG extensions, stating that the companies are “sending a large amount of data about users’ browsing habits…to the company’s servers — far beyond what’s necessary for the extension to function.”
The extensions are sending the following user data to Avast:
- Full URL of the page you’re on, including query part and anchor data
- A unique user identifier (UID) generated by the extension for tracking
- Page title
- Referrer URL
- How you landed on a page, e.g., by entering the address directly, using a bookmark or clicking a link
- A value that tells whether you visited a page before
- Your country code
- Browser name and its exact version number
- Your operating system and its exact version number
Palant has reported his findings to Google and Mozilla. Mozilla took immediate action, removing the extensions from its store.
Malicious Python Package Available in PyPI Repo for past Year
A fake library has been put into the Python Package Index (PyPI) repository with the objective of stealing SSH and GPG keys from Python developers’ projects. The package, named python3-dateutil, impersonates the legitimate ‘dateutil’ package.
The package itself does not contain malicious code; instead it imports a second malicious package, called jeIlyfish, that collects SSH and GPG keys “along with a list of directories on the compromised system and deliver[s] them to the attacker.” The jeIlyfish package has been present in the Python Package Index since December 11, 2018.

Lukas Martini reported both libraries to the Python security team, resulting in the removal of jeIlyfish and python3-dateutil a few hours later.
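Both names in this story follow a pattern a dependency review can catch before installation: python3-dateutil is a real package name with a prefix bolted on, and jeIlyfish differs from the genuine jellyfish package only by a capital I standing in for the lowercase l. The checker below is an added example written for this page, not code from the report, from PyPI or from the affected projects; the allow-list, the confusable-character table and the sample requirements file are all constructed for the demonstration, and the version pins in it are placeholders.

```python
"""Flag look-alike dependency names before they are installed.

Added example. Models the two tricks from the python3-dateutil / jeIlyfish
case: a real name with an extra prefix, and a name that swaps a letter for a
confusable glyph. Allow-list and sample input are constructed for the demo.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, Optional, Tuple

# Constructed subset of glyphs that render almost identically in common fonts.
# A production checker would use the full Unicode confusables table.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# Constructed allow-list: the packages a hypothetical project really depends on.
KNOWN_GOOD = {"jellyfish", "dateutil", "python-dateutil", "requests", "urllib3"}

NEAR_MISS_RATIO = 0.9  # similarity above which a typo-distance name is flagged


def normalize(name: str) -> str:
    """PEP 503 normalisation: PyPI treats Foo_Bar, foo.bar and foo-bar alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name: str) -> str:
    """Normalised form with confusable glyphs folded to their look-alike."""
    return normalize(name.translate(CONFUSABLES))


def classify(requested: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, known package the name resembles) for one requirement."""
    known = sorted(KNOWN_GOOD, key=len, reverse=True)  # longest names first
    if normalize(requested) in {normalize(k) for k in known}:
        return "known", normalize(requested)
    sk = skeleton(requested)
    for k in known:
        if sk == skeleton(k):            # jeIlyfish folds to jellyfish
            return "confusable", k
    for k in known:
        if skeleton(k) in sk:            # python3-dateutil wraps dateutil
            return "extension", k
    for k in known:
        if SequenceMatcher(None, sk, skeleton(k)).ratio() >= NEAR_MISS_RATIO:
            return "near-miss", k        # plain typo such as requsts
    return "unknown", None


def audit(requirements: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every requirement line; comments and blank lines are skipped."""
    results = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            results[m.group(0)] = classify(m.group(0))
    return results


# Constructed requirements file: three legitimate entries, the two names from
# the report, and a plain typo. Version pins are placeholders.
SAMPLE_REQUIREMENTS = """\
# constructed for the demonstration
requests==2.22.0
python-dateutil==2.8.1
urllib3>=1.25
jeIlyfish==0.0.0
python3-dateutil==0.0.0
requsts==2.22.0
"""

if __name__ == "__main__":
    for name, (verdict, resembles) in audit(SAMPLE_REQUIREMENTS).items():
        note = f" (looks like {resembles})" if verdict != "known" and resembles else ""
        print(f"{verdict:<10} {name}{note}")
```

The allow-list check runs first so that a legitimately longer name such as python-dateutil is never reported as an "extension" of dateutil; only names that are not on the list are compared by confusable-folded skeleton, by substring, and finally by edit similarity.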
Ransomware Attack Hits Data Center Provider CyrusOne
CyrusOne, one of the largest data center providers in the United States, has been hit by a ransomware attack, impacting six of its service customers. CyrusOne currently works with more than 185 Fortune 1000 customers around the world. According to a report by ZDNet, six of CyrusOne’s managed service customers, primarily in the New York data center, “have experienced availability issues due to a ransomware program encrypting certain devices in their network.”
The malware in question is the REvil (Sodinokibi) ransomware, which has been used in other attacks in the past. Reportedly, a ransom note was left for CyrusOne stating that its files are encrypted and that a ransom must be paid for them to be decrypted; however, CyrusOne does not intend to pay the ransom.
TrueDialog Database Leaked Tens of Millions of SMS Text Messages Online
TrueDialog, a company that currently works with over 900 cell phone operators with five billion subscribers, has been leaking millions of SMS messages online. Security researchers at vpnMentor discovered a database belonging to TrueDialog which was not only inappropriately secured but also stored data in plain text.
The database contains information belonging to over 100 million US citizens, totalling over 604 GB of data. The sensitive data includes the full names of recipients, the content of messages, usernames, passwords, other personally identifiable information (PII), and much more.

vpnMentor reported their discovery of the unsecured database to TrueDialog on November 26th, and the database was secured on the 29th.