Wormable Apple iCloud Bug Allows Automatic Photo Theft
Throughout the span of three months, a group of ethical hackers were able to discover 55 vulnerabilities, several of which could have provided an attacker complete access to customer and employee applications. The research produced 11 critical flaws, 29 high-severity flaws, 13 medium severity flaws, and two low severity flaws. The most worrying vulnerability included a wormable iCloud account takeover flaw. This flaw would have allowed a threat actor to automatically siphon victim documents, photos, videos, and other sensitive files.
Initially, the researchers were provided $51,500 for their work; however, Apple has stated that there will be an additional payout at a later date, summing up to nearly $300,000. The blog post highlighting discoveries from Sam Curry, Ben Sadeghipour, Samuel Erb, Tanner Barnes, and Brett Buerhaus can be found here.
Diving further into the vulnerability, the writeup noted the iCloud bug as a cross-site scripting (XSS) flaw, stating that “from an attackers perspective, that any cross-site scripting vulnerability would allow an attacker to retrieve whatever information they wanted to from the iCloud service.”
The research group was then able to create a proof of concept (PoC) that demonstrated how an attacker could steal a victim’s iCloud information which could eventually be used to “retrieve source code for internal Apple projects; fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”
Read more here
Ryuk Group Went From an Email to Domain-wide Ransomware in 29 Hours.
Ryuk, one of the most active ransomware groups in recent years has utilized several tools such as Cobalt Strike, AdFind, WMI, vsftpd, PowerShell, PowerView, and Rubeus to take over an organization in under 29 hours. Initially, the threat actors utilized Bazar/Kegrap through an email delivery malspam campaign.
During its initial execution, Bazaar injects itself into various processes such as svchost.exe, explorer.exe, and opens up cme.exe. During this phase, the malware attempts to enumerate and discover several configurations and attributes about the Active Directory Domain utilizing nltest, net group, and AdFind. The next steps in the attack phase included lateral movement attempts, establishing beacons, transferring files, and ultimately utilizing PowerShell to disable Windows Defender in the environment.
After taking over the Active Directory environment, Ryuk ransomware attackers requested 600+ bitcoins, totaling up to around $6 million at the time.
Below is a Timeline provided by DFIR
The report here provides a full breakdown of the technical details and tactics utilizing the MITRE ATT&CK Framework.
The report MITRE Attacks utilized within the attack phase are included below:
- User Execution – T1204
- Windows Management Instrumentation – T1047
- Service Execution – T1035
- Scripting – T1064
- PowerShell – T1086
- Rundll32 – T1085
- Process Injection – T1055
- Valid Accounts – T1078
- Disabling Security Tools – T1089
- Account Discovery – T1087
- Domain Trust Discovery – T1482
- Network Service Scanning – T1046
- Query Registry – T1012
- Remote System Discovery – T1018
- Security Software Discovery – T1063
- Remote Services – T1021
- Commonly Used Port – T1043
- Standard Application Layer Protocol – T1071
- Data Encrypted for Impact – T1486
Read more here.
Microsoft Warns of Android Ransomware That Activates When You Press the Home Button
AndroidOS/MalLocker.B is a new strain of ransomware that abuses the processes behind the “incoming call” notification and “Home button” on victim devices. Once installed, MalLocker.b overrides the victim’s screen and only allows them to view one page, a ransom note designed to look like a message from local law enforcement. The message states the victim has committed a crime, and that a fee has to be paid. Similarly to other Android ransomware, MalLocker.B does not encrypt the phone’s files but prevents access to all phone functionalities.
According to ZDNet, MalLocker.B has implemented novel variations of the typical Android Ransomware tactics, utilizing a two-part mechanism to display their ransomware notes.
“The first part abuses the “call” notification. This is the function that activates for incoming calls to show details about the caller, and MalLocker.B uses it to show a window that covers the entire area of the screen with details about the incoming call.”
“The second part abuses the “onUserLeaveHint()” function. This function is called when users want to push an app into the background and switch to a new app, and it triggers when pressing buttons like Home or Recents. MalLocker.B abuses this function to bring its ransom note back into the foreground and prevent the user from leaving the ransom note for the home screen or another app.”
MalLocker.B contains code that typically would not get past Play Store code reviews, so it is recommended to not download Android-apps from third party locations to reduce potential ransomware attacks.
Read more here.
Hp Device Manager Backdoor Lets Attackers Take Over Windows Systems
HP has released a security advisory highlighting three critical and high severity vulnerabilities in the HP Device Manager application that can be utilized by attackers to obtain system takeover. The Security Vulnerabilities discovered by Nicky Bloor (@nickstadb) state that attackers can remotely gain SYSTEM privileges on vulnerable workstations running HP device Manager.
According to BleepingComputer, the three HP Device Manager Security vulnerabilities include CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927.
CVE-2020-6925 affects all versions of HP Device Manager and it exposes locally HP Device Manager managed accounts to dictionary attacks because of weak cipher implementation (does not impact customers who use Active Directory authenticated accounts.)
CVE-2020-6926 is a remote method invocation flaw in all versions of HP Device Manager which enables remote attackers to gain unauthorized access to resources.
CVE-2020-6927 is the weakness that may allow attackers to gain SYSTEM privileges via a backdoor database user in the PostgreSQL database (the password used is just a space.)
HP has provided an updated client 5.0.4, which mitigates the vulnerability under CVE-2020-6927, which allows privilege escalation opportunities. However, security updates have not been provided for the other two HP Device Manager vulnerabilities.
Potential Mitigations that system administrators can take can be found here.
Read more here.