Last Week In Blockchain and Cybersecurity News – November 19, 2019

New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware on Your Device

Yet again, WhatsApp is experiencing troubles related to the security infrastructure of its messaging platform. Last month, the company quietly patched another critical vulnerability which allowed a malicious actor to compromise devices remotely.

The vulnerability, CVE-2019-11931, is a stack-based buffer overflow in the code WhatsApp uses to parse the stream data of an MP4 file. It can be exploited for denial of service or remote code execution, which would let an attacker read the chat messages and files stored in the application.

To exploit the vulnerability, an attacker crafts a malicious MP4 file and sends it to a vulnerable user. The file then installs a backdoor on the device without the user’s knowledge.

The vulnerability affects all users of WhatsApp, including Apple iOS, Android, and Microsoft Windows devices.

According to a statement by Facebook, the affected app versions include:

  • Android versions before 2.19.274

  • iOS versions before 2.19.100

  • Enterprise Client versions before 2.25.3

  • Windows Phone versions before and including 2.18.368

  • Business for Android versions before 2.19.104

  • Business for iOS versions before 2.19.100

Read more here

TSX Speculative Attack Allows Theft of Sensitive Data from Latest Intel CPUs

A new vulnerability, CVE-2019-11135, affecting the latest Intel CPUs has been disclosed. Attackers can exploit it to mount a TSX speculative-execution attack.

Transactional Synchronization Extensions (TSX) is a feature within Intel processors that adds hardware transactional memory support. The TSX feature has been implemented within all Intel CPUs manufactured since 2013.

A local attacker or malicious code can abuse this feature to steal sensitive information from the operating system kernel. Like earlier attacks of this type, it targets the speculative execution that processors use to improve performance.

Researchers discovered that “aborting memory transactions may allow processes to compute the data found in other running processes, including operating system kernel data. An attacker could exploit the flaw to steal sensitive data, including passwords and encryption keys.”

You can find technical details on the Zombieload website.
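For a defender, the practical question is whether a given host's kernel reports this flaw as mitigated. The following is an added example, not code from the article, Intel, or the Zombieload researchers; it assumes a Linux kernel that exposes the tsx_async_abort entry under /sys/devices/system/cpu/vulnerabilities (Linux 5.4 and distribution backports) and the rtm feature flag in /proc/cpuinfo.

```python
"""Read the Linux kernel's TSX Asynchronous Abort (CVE-2019-11135) status.
Added example, not from the article, Intel, or the Zombieload team. Assumes a
kernel that exposes the tsx_async_abort sysfs entry (Linux 5.4 and distro
backports) and the 'rtm' feature flag in /proc/cpuinfo."""
import os

TAA_SYSFS = "/sys/devices/system/cpu/vulnerabilities/tsx_async_abort"
CPUINFO = "/proc/cpuinfo"

def classify_taa(report: str) -> dict:
    """Map one tsx_async_abort status line to a verdict a fleet check can act on."""
    text = report.strip()
    if text.startswith("Not affected"):
        state = "not_affected"
    elif text.startswith("Mitigation:"):
        state = "mitigated"
    elif text.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"  # empty or unrecognised: needs a manual look
    return {
        "state": state,
        # The kernel appends this when hyperthread siblings can still leak to each other.
        "smt_risk": "SMT vulnerable" in text,
        # Strongest fix: TSX switched off, so there are no transactions left to abort.
        "tsx_disabled": "TSX disabled" in text,
        "raw": text,
    }

def cpu_has_tsx(cpuinfo: str) -> bool:
    """TSX is advertised when 'rtm' appears in the flags line of /proc/cpuinfo."""
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            return "rtm" in line.split(":", 1)[1].split()
    return False

def check_host() -> dict:
    """Inspect the running host; kernels without the sysfs entry report 'unknown'."""
    if not os.path.exists(TAA_SYSFS):
        return classify_taa("")
    with open(TAA_SYSFS) as f:
        verdict = classify_taa(f.read())
    with open(CPUINFO) as f:
        verdict["tsx_present"] = cpu_has_tsx(f.read())
    return verdict

if __name__ == "__main__":
    print(check_host())
```

A host reporting "Mitigation: Clear CPU buffers; SMT vulnerable" is patched but still exposes data between sibling hyperthreads, which is why the verdict carries smt_risk separately from state.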

Read more here

Chrome, Edge, Safari Hacked at Elite Chinese Hacking Contest

China’s top hacking competition, Tianfu Cup, is a two-day event, similar to Pwn2Own, where Chinese security researchers test zero-days against some of the most popular applications used throughout the world. On the first competition day, 32 hacking sessions were scheduled; of these, 13 were successful, seven failed, and 12 sessions were abandoned.

According to ZDNet, security researchers were successful in breaking into:

  • (3 successful exploits) Microsoft Edge (the old version based on the EdgeHTML engine, not the new Chromium version)

  • (2) Chrome

  • (1) Safari

  • (1) Office 365

  • (2) Adobe PDF Reader

  • (3) D-Link DIR-878 router

  • (1) qemu-kvm + Ubuntu

The organizers of the event plan to report all bugs to the respective organizations when the competition finishes.

On the second day, eight out of the 16 sessions were successful.

Successful exploits targeted:

Team 360Vulcan won the competition, earning $382,500 for hacking “Microsoft Edge, Microsoft Office 365, qemu+Ubuntu, Adobe PDF Reader, and VMWare Workstation.”


Get more information here

Two Charged Over Crypto Theft via SIM Swapping, Death Threats

Two men have been arrested and charged in U.S. District Court in Boston with stealing high-value social media accounts and hundreds of thousands of dollars’ worth of cryptocurrency through death threats, hacking, and SIM swapping attacks.

The two men, Eric Meiggs and Declan Harrington, “were charged with one count of conspiracy, eight counts of wire fraud, one count of computer fraud and abuse, and one count of aggravated identity theft.”

Both defendants allegedly targeted cryptocurrency executives and other high-profile victims. They stole funds by taking over victims’ online accounts and siphoning cryptocurrency from their own wallets or their Coinbase wallets.

According to the unsealed indictment, the defendants conducted several attacks, including:

  • Identifying potential victims who likely had significant amounts of cryptocurrency, for example, executives of cryptocurrency companies.

  • Researching potential victims using online tools.

  • Engaging in SIM swapping in order to take control of victims’ cell phone numbers.

  • Leveraging their control over victims’ cell phones to obtain unauthorized access to the victims’ online accounts, including email accounts, social media accounts, and cryptocurrency accounts.

  • Using their access to victims’ accounts to take control of, and steal things of value from, the victims’ online accounts, including their account handles and their cryptocurrency.

  • Selling or otherwise transferring victims’ log-in credentials, account handles, and cryptocurrency to others in exchange for money or other things of value.

  • Using victims’ hacked online accounts to communicate with the victims’ friends and family in order to ask for money and cryptocurrency.

  • Communicating with co-conspirators via online social media and chat platforms.

  • Using multiple online accounts to hide their identities and evade detection by law enforcement.

Both Meiggs and Harrington face a maximum of 20 years in prison for wire fraud with an additional two years in prison for aggravated identity theft.

Read more here

GitHub Launches Security Lab to Boost Open-Source Security

Last week, during the GitHub Universe developer conference, GitHub announced plans to launch a global platform for reporting and fixing security vulnerabilities in open-source projects. Google, Oracle, Mozilla, Intel, Uber, VMWare, and others have already partnered with GitHub on the Security Lab project.

GitHub states that at least 40 percent of security flaws affecting open-source code never receive a CVE when they are announced, so they are missing from the public databases that would alert users to the risk.

As an additional security measure, GitHub also offers a token-scanning system that spots hard-coded credentials across a variety of file formats; the system is used by 20 different cloud providers.
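A minimal illustration of what such token scanning does, as an added example that is not GitHub's code: it applies provider-specific patterns plus an entropy gate to a constructed config snippet, and redacts every hit before reporting it. The token formats and the 3.5 bits/char threshold are illustrative assumptions, not any provider's published rules.

```python
"""Toy hard-coded credential scanner in the spirit of GitHub's token scanning.
Added example, not GitHub's code; token formats and the entropy threshold are
illustrative assumptions, not any provider's published rules."""
import math
import re
from collections import Counter

# Provider-specific formats (well-known prefixes; exact character classes assumed).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Generic fallback: a secret-looking name assigned a quoted literal of 16+ chars.
ASSIGNMENT = re.compile(
    r"(?i)(secret|password|passwd|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits/char: random alphanumerics ~4.5-5, English words ~3

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())

def redact(value: str) -> str:
    """Never echo the full secret into a report or log."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan(text: str) -> list:
    """Return one finding per credential-looking hit: line number, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"line": lineno, "kind": kind, "value": redact(m.group(0))})
                hit = True
        m = ASSIGNMENT.search(line)
        # Entropy gate drops placeholders like "changeme" that merely look like secrets.
        if m and not hit and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "kind": "high_entropy_assignment",
                             "value": redact(m.group(2))})
    return findings

# Constructed sample; the AWS key is Amazon's documented example value, not a live key.
SAMPLE_CONFIG = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password = "changeme_changeme_changeme"
API_TOKEN = "q7Xz9kLm2PvR4sT8wB1nC6yH3jD5fG0a"
-----BEGIN RSA PRIVATE KEY-----
"""
```

Running scan(SAMPLE_CONFIG) flags lines 1, 3 and 4 and deliberately stays quiet on the low-entropy placeholder password on line 2, which is the trade-off every such scanner makes between noise and coverage.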

Read more here
