Sony has always put great interest in the security of its line of consoles, constantly correcting even the minimum exploit and preventing users from modifying the software of their PlayStation. Although the company does this as a means of preventing piracy and cheating in competitive video games, these security mechanisms also prevent the use of custom software, a practice considered legitimate by enthusiasts and developers.

Andy Nguyen, a renowned security engineer, recently introduced an exploit that would allow arbitrary code to be executed on PlayStation 4 and PlayStation 5 consoles for the specific purpose of executing custom code on these systems. It is also possible for the exploit to work on PlayStation 3 consoles, although the method has not been effectively tested in this version.

For some home software enthusiasts, this is a hack similar to the popular FreeDVDBoot, detected on PlayStation 2. This technique allowed games recorded on burned discs to be run without the need to make physical modifications to the console. Methods like this have become more important since issues such as video game conservation started to become relevant.

Despite attempts to preserve old video games as a cultural expression, Sony (and companies in general) continues to try to scuttle any attempt to modify its software, always arguing that the use of homebrew software simply benefits the creators of pirated video games.

Many people believe that the industry’s stance has simply led independent developers to undertake better and more organized efforts to find ways to use homebrew software. A well-known example is that of the PlayStation 4 console, considered highly difficult to modify until a bug in firmware version 9.0 opened the door to multiple modification methods.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post <strong>Critical vulnerability in the way Sony PS3, PS4, and PS5 consoles read Blu-Ray discs allows rooting and modifying the firmware</strong> appeared first on Information Security Newspaper | Hacking News.

Created by Twitter user @joohoi, cybersecurity professionals around the world have praised ffuf for its advanced capabilities, versatility, and ease of use, making it one of the top choices in fuzzing.

Before keep going, as usual, we remind you that this article was prepared for informational purposes only and does not represent a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

INSTALLATION

According to the experts of the Cyber Security 360 course, ffuf runs on a Linux terminal or Windows command prompt. Upgrading from the source code is no more difficult than compiling, except for the inclusion of “-u”.

go get -u github.com/ffuf/ffuf

For this example Kali Linux was used, so you will find ffuf in the apt repositories, which will allow you to install it by running a simple command.

apt install ffuf

After installing this program, you can use the “-h” option to invoke the help menu.

ffuf –h

ENTRY OPTIONS

These are parameters that help us provide the data needed for a web search of a URL using word lists.

Normal attack

For a normal attack, use the parameters “-u” for the target URL and “-w” to load the word list.

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt

After you run the command, you will need to focus on the results.

• First, it’s worth noting that by default it works on HTTP using the GET method
• You can also view the status of the response code (200, 204, 301, 302, 307, 401, 403, and 405). You can track the progress of the attack being performed

Using multiple word lists

The experts of the Cyber Security 360 course mention that a single list of words is not always enough to get the desired results. In these cases, you can apply multiple word lists at the same time, one of the most attractive functions of ffuf. In this example, we have granted the program access to two dictionaries (txt:W1 and txt:W2), which the tool will run at the same time:

ffuf -u https://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2

Ignore a comment in a word list

Usually, the default word list has some comments that can affect the accuracy of the results. In this case, we can use the “-ic” parameter to delete the comments. Also, to remove any banners in the tools used, use the “-s” parameter:

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt

Here we can notice that some comments are shown in the results if the above command is executed. After using the “-s” and “-ic” parameters, all comments and banners will be removed.

ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt -ic –s

Extensions

It is also possible to search for a file with a specific extension on a web server using the “-e” option. All you need to do is specify the extension and name of the file along with the parameter in the appropriate command format:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -e .php

Different queries and modes

Burp Suite is a professional platform for monitoring the security of web applications. The “cluster bomb” function allows using multiple payloads, mention the experts of the Cyber Security 360 course. There is a separate payload package for each given location; the attack goes through each payload packet one by one, checking all possible options.

There are several parameters of this tool that make it easy to use the script. For example, the “-request” parameter allows you to use the request in an attack, while “-request-proto” allows you to define the parameter itself, and “-mode” helps you choose the attack mode.

First, random credentials are used on the target URL page and the proxy server is configured to capture the request in interception mode in Burp Suite.

Now, on the Intercept tab, you need to change the credentials provided by adding HFUZZ and WFUZZ. HFUZZ is added before “uname” and WFUZZ before “pass”. Then, you need to copy and paste this query into the text and name according to the purposes of the project. In this case, the file was named as brute.txt.

Later we will move to the main attack mode, where the “-request” parameter contains a “-request-proto” text file that will help you create a prototype of http, and “-mode” will be responsible for the “cluster bomb” attack. The lists of words in question (users.txt and pass.txt) consist of SQL injections. By entering the following command, an attack will be launched:

ffuf -request brute.txt -request-proto http -mode clusterbomb -w users.txt:HFUZZ -w pass.txt:WFUZZ -mc 200

As you can see from the results of the attack, SQL injections have been successfully found to be effective for this specific purpose.

MAPPING OPTIONS

If we want the ffuf to show only the data that is important for web fuzzing, we must pay attention to these parameters. For example, it can be HTTP code, strings, words, size and regular expressions, mention the experts of the Cyber Security 360 course.

HTTP Code

To understand this configuration, you should consider a simple attack on which you will be able to see which HTTP codes appear in the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt

It is clear that the codes 302 HTTP and 200 HTTP were received.

If you want to see specific attacks, such as HTTP code 200, you must use the “-mc” parameter along with a specific number. To verify that this parameter works, you just need to run the following command:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mc 200

Line

The tool returns results for specific lines in the file using the “-ml” parameter. We can use it by specifying the strings we need.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ml 15

Words

Similarly, since the above options correspond to a function, you can provide a result with a certain number of words. For this, use the “-mw” parameter along with the number of words you want to see in the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -mw 53

Size

It is also possible to use the “-ms” parameter along with the specific size you want to see in the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -ms 2929

Regular expressions

This is the last of all the mapping options available in ffuf. LFI fuzzing will be applied by matching the string to the subsequent “root:x” pattern for this dictionary.

A URL is used that can provide this functionality, and with the “-mr” parameter, the corresponding string “root:x” is defined. This is what a special list of words looks like.

Using this list of words, we enter the following command to add the “-mr” parameter to the attack script:

ffuf -u http://testphp.vulnweb.com/showimage.php?file=FUZZ -w dict2.txt -mr "root:x"

We received the http 200 response for /etc/passwd for this list of words.

FILTERING OPTIONS

Filtering options are the exact opposite of matching parameters. The experts of the Cyber Security 360 course recommend using these options to remove unnecessary elements during web fuzzing. It also applies to HTTP code, strings, words, size, and regular expressions.

HTTP Code

The “-fc” parameter requires a specific HTTP status code that the user wants to remove from the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fc 302

Line

With the help of the “-fl” parameter, it is possible to remove a certain row from the result or filter it from the attack.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fl 26

Size

The “-fs” option allows you to filter the specified size described by the user during the attack.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fs 2929

Words

The “-fw” option allows you to filter the number of words of the results that the user wants to receive.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fw 83

Regular expressions

The “-fr” option allows you to delete a specific regular expression. In this case, we will try to exclude the log files from the results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -fr "log"

GENERAL PARAMETERS

Below are the general parameters of this tool, which are completely related to the web fuzzing process.

Automatic custom calibration

Calibration is the process of providing a measuring instrument with the information it needs to understand the context in which it will be used. When collecting data, calibrating your computer ensures that the process works accurately, mention the experts of the Cyber Security 360 course.

We can adjust this function according to the needs in each case using the “-acc” parameter, which cannot be used without the “-ac” parameter.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -acc -ac -fl 26 -ac -fs 2929 -ac -fw 54

Color

Sometimes color separation helps identify relevant details in the results. The “-c” parameter helps to divide the data into categories.ç

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt –c

Maximum task execution time

If you want to apply fuzzing for a limited period of time, you can use the “-maxtime” parameter. You must enter a command to specify the selected time interval.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime 5

Maximum turnaround time

Using the “-max time-job” parameter, the user can set a time limit for a specific job. With this command, you can limit the time it takes to complete a task or query.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -maxtime-job 2

Delay

Using the “-p” parameter, the user will add a slight delay for each request offered by the attack. According to the experts of the Cyber Security 360 course, with this feature the consultation becomes more efficient and provides clearer results.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -p 1

Query speed

We can select the request speed you need for each of the attacks using the “-rate” parameter. For example, we can create one request per second according to the desired attack.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -rate 500

Error functions

There are three parameters that support the error function. The first parameter is “-se”, a “false error” that says whether the next request is genuine or not. The second “-sf” parameter will stop the attack when more than 95% of the requests are counted as an error. The third parameter is “-sa”, a combination of the above parameters.

In the example shown below, we will use the “-se” parameter:

Ffuf -u http://ignitetechnologies.in/W2/W1/ -w dict.txt:W1 -w dns_dict.txt:W2 –se

Verbose mode

Verbose Mode is a feature used in many operating systems that provide additional information about what the computer does and what drivers and applications it loads when initialized. In programming, this mode provides accurate output for debugging purposes, making it easier to debug the program itself. To access this mode, the “-v” parameter is applied.

Ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt –v

Execution threads

The “-t” parameter is used to speed up or slow down the process. By default, it is set to 40. If you want to speed up the process, you need to increase its value.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -t 1000

OUTPUT OPTIONS

We may save the results of attacks carried out in order to keep records, improve readability and find possible links. Enter the “-o” parameter to save the output, but you must specify its format using the “-of” parameter.

Once the attack is complete, it should be checked whether the file with the output data corresponds to this format or not, mention the experts of the Cyber Security 360 course. As you can see, the file itself refers to HTML.

Output data in CSV format

Similarly, we can create CSV files using the “-of” parameter, where csv are comma-separated values. For example:

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o file.html -of html

When the attack is complete, you need to check whether the file with the output data corresponds to this format or not. As you can see, the file itself belongs to the CSV.

Data output in all available formats

Similarly, if you want to recover data in all formats, use the “-of all” parameter. For example, it can be json, ejson, html, md, csv, ecsv.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -o output/file -of all

Now, once the attack is complete, you need to check all the files. We can see that they were saved in various formats.

HTTP OPTIONS

Sometimes the fuzzing process requires details such as an HTTP request, cookies, and an HTTP header, mention the experts of the Cyber Security 360 course.

Time-out

This feature acts as a deadline for the event to complete. The “-timeout” parameter helps to activate this option.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -timeout 5

Host header

If you want to fuzz out subdomains, you can use the “-H” parameter along with the word list of the domain name.

Ffuf -u https://google.com -w dns_dict.txt -mc 200 -H “HOST: FUZZ.google.com”

Recursion

According to the experts of the Cyber Security 360 course, this is a mechanism for reusing objects; if a program requires the user to access a function within another function, this is called a recursive call to the function. Using the “-recursion” parameter, the user can implement this functionality in their attacks.

ffuf -u "http://testphp.vulnweb.com/FUZZ/" -dict.txt –recursion

Cookie attack

There are times when fuzzing is not effective on a site where authentication is required. In these cases, we may use the “-b” parameter to use session cookies.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -b "PHPSESSID:"7aaaa6d88edcf7cd2ea4e3853ebb8bde""

Replay-proxy

There are speed limits when using the Intruder feature in the free version of Burp (Community Edition). The attack slowed down a lot, and each new “order” slowed it down even more.

In this case, the user uses the Burp Suite proxy server to get the results and evaluate them. First, you need to install the localhost proxy server on port number 8080.

Now let’s use “-replay-proxy”, which helps to get the local proxy server of the host, installed in the previous step on port number 8080.

ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -replay-proxy http://127.0.0.1:8080 -v -mc 200

This attack will show results on two platforms. The first platform is in the Kali Linux terminal and the second is in the “HTTP history” tab in Burp Suite. With the help of various methods, you will be able to better understand the target and analyze the results of the attack.

It is common to compare ffuf with other tools such as dirb or dirbuster. While ffuf can be used for deploying brute-force attacks, its real appeal lies in simplicity.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, information technologies, and to know more details about the Cyber Security 360 course.

The post <strong>How to find zero-day vulnerabilities with Fuzz Faster U Fool (ffuf): Detailed free fuzzing tool tutorial</strong> appeared first on Information Security Newspaper | Hacking News.

These problems were found by researchers at NCC Group, who mention that the flaws exist due to the lack of user input validation in two PHP scripts. Vulnerabilities include a command injection in grel.php and a command injection in hw_view.php, and their successful exploitation would allow actors to execute remote code threats without authentication.

Because there are no protections during inclusion, threat actors could activate the script without prior authentication by calling it directly. This would allow them to take control of the device as if they had logged in directly through a secure shell.

According to experts, successful exploitation allows hackers to obtain limited user privileges on the machine as a ‘www-data’ user; however, it should be noted that the Kernel on the system that NCC Group found is very outdated, allowing hackers to escalate their privileges to the system’s administrative root user.

Researchers at NCC Group discovered these problems while applying pentesting to a customer’s systems. These findings were reported to Fujitsu, which addressed the flaws shortly thereafter and notified its users that no active exploitation attempts had been detected, plus there do not appear to be proof-of-concept (PoC) exploits for these attacks.

Although hacking attempts are unlikely to occur, users are advised to upgrade to the latest version of the software to mitigate the risks related to these flaws.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post <strong>Two critical command injection vulnerabilities in Fujitsu cloud storage system allow remote encryption or deletion of files</strong> appeared first on Information Security Newspaper | Hacking News.

Although the attack sounds simple, the researchers note that a threat actor would have to overcome multiple obstacles to replicate this scenario on a commonly used device: “By their nature, Bluetooth Low Energy (BLE) wireless tracking beacons could pose a significant risk to users’ privacy. For example, an adversary could track a device by placing BLE receivers near public places and then record the presence of the user’s beacons.”

Examples of this are the BLE beacons that Microsoft and Apple added to their operating systems for functions such as tracking lost devices, connecting smartphones to wireless devices such as headphones or wireless speakers, and allowing users to switch devices easily.

The devices transmit signals at a speed close to 500 beacon signals per minute. To address security and privacy issues, many BLE proximity apps use measures such as cryptographically anonymizing and periodically rotating the identity of a mobile device on their beacons. They will routinely re-encrypt the device’s MAC address, while apps rotate identifiers so receivers can’t link beacons from the same device.

Any user could evade these obstacles by taking the device’s logs on a lower layer. Previous studies have shown that wireless transmitters have small imperfections accidentally introduced during manufacturing that are unique to each device.

Experts found that similar imperfections in Bluetooth transmitters create distortions that can be used to create a unique fingerprint. These fingerprints can be used to track devices and therefore unsuspecting users.

As mentioned above, this is not a straightforward process. To begin with, threat actors would need to isolate the target to capture the log in wireless transmissions and find the unique features of the physical layer of the Bluetooth transmitter; subsequently, hackers would require a receiver in a place where a device might be and force passive detection of the target’s Bluetooth transmissions.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post Bluetooth signals on smartphones allow tracking any user’s location by exploiting BLE appeared first on Information Security Newspaper | Hacking News.

Parents, students, and staff from schools in the school district were notified of the situation just a few hours ago, and have been receiving regular updates through The Tenafly Public Schools notification system, a structure independent of the affected systems.

So far, the ransomware variant used in this attack or the amount of the ransom demanded by cybercriminals is unknown. It is also not known whether local authorities plan to negotiate with the attackers or whether they will try to restore their systems on their own.

Unofficial sources had reported that the ransomware attack rendered dozens of computers useless in the county before which local authorities were being forced to pay a ransom in cryptocurrency.

The Bergen County Prosecutor’s Office and the New Jersey State Police’s CyberCrime Unit are already aware of the attack, and an investigation has been ordered by the Federal Bureau of Investigation (FBI), as Bergen authority believes this case is beyond its capabilities.

This is an increasingly common hacking variant. Just a few weeks ago, Somerset County suffered a cybersecurity breach that forced the temporary shutdown of all its electronic systems, while last year Hillsborough and Bernards Township school districts also had to disrupt their academic activities due to an encryption malware infection.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post <strong>Ransomware attack targeting public schools in New Jersey forces cancellation of final exams</strong> appeared first on Information Security Newspaper | Hacking News.

The report notes that, while it is still difficult to obtain access orders for this information, at least since 2018 Telegram has been adopting measures to comply with the legal provisions of some governments in the West, willing to share IP addresses and telephone numbers when required by a court.

These changes can even be seen in the application’s usage policies. In the section “WHO YOUR PERSONAL DATA MAY BE SHARED WITH”, Telegram shares some details about this possible scenario: “If Telegram receives a court order confirming that you are suspected of terrorism, we may disclose your IP address and phone number to the relevant authorities. So far, this has never happened. When it happens, we will include it in a semi-annual transparency report published in https://t.me/transparency.”

Free interpretation

While this is a valid cause for the deployment of intelligence tasks, it is known that governments around the world have always used counterterrorism policies to validate the implementation of invasive measures.

The German government itself already carries out some surveillance tasks on opposition groups and civil interest groups. Recently, a German court had to order the state intelligence agency BfV to halt its investigations into the Alternative for Germany (AfD) party, a right-wing political group that opposes immigration, among other ultra-nationalist measures.

In addition, the governments of the United States and Canada have been deploying mass surveillance tasks for years under the pretext of combating terrorist activities.

Privacy structure

In this regard, Telegram published a message endorsing its commitment to protecting the confidential information and conversations of its users: “Secret chats on the platform use end-to-end encryption, so we do not have any data to reveal.”  Still, it’s important to mention that Telegram doesn’t use end-to-end encryption by default.

To safeguard unprotected data with end-to-end encryption, Telegram uses a distributed infrastructure; Cloud chat data is stored in various data centers around the world that are controlled by different legal entities across multiple jurisdictions. The relevant decryption keys are divided into parts and never stored in the same place as the data, so interested parties would require several court orders to force Telegram to share this information.

Telegram considers that this structure simply makes it impossible for government agencies to access the confidential records of their users, although it has always been specified that the platform may be forced to hand over data only in sufficiently serious and relevant cases at the multinational level. Still, there are no known examples of what Telegram considers important enough to pass the scrutiny of the legal systems that safeguard its privacy structure.

Is Telegram even a good choice?

Although the idea of the general public is that Telegram represents a safer option than platforms such as WhatsApp or Facebook Messenger, this is not an idea shared by many experts. Moxie Marlinspike, the developer of the encrypted messaging service Signal, has become one of Telegram’s harshest critics: “I’m surprised that the media refers to Telegram as an encrypted messaging service; Telegram has a lot of attractive features, but there’s no worse option in terms of privacy and data collection.”

According to Marlinspike, Telegram stores on its servers all contacts, groups, media, and plain text messages that users have sent: “Almost everything we can see in the app, Telegram can see it too,” adds the developer.

For the expert, this false perception of privacy comes from a misinterpretation of the “secret chat” function, conversations that are protected with end-to-end encryption although with technology at least questionable. Other platforms like Facebook Messenger or Instagram chat also have secret chat features or expired messages, and they don’t store users’ files on their servers.

In conclusion, Telegram is a good choice in the world of instant messaging, although users should not assume that no one can access their conversations, photos, videos, and documents sent through this platform.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post <strong>Telegram is providing Police with user information in several cases, contradicting the company’s privacy policy. Use it with a burner phone and VPN</strong> appeared first on Information Security Newspaper | Hacking News.

Before learning about the decryption tool, let’s take a look at some details on the development of ransomware, in addition to its encryption process and mistakes made by its creators.

Development & behavior

TaRRaK is written in .NET and its code is not protected with obfuscation or any other bypass method. When executed, the ransomware creates a mutex identified as TaRRaK to ensure that only one instance of the malware runs, in addition to creating an auto-start registry entry to run the ransomware on each login of the target system:

The ransomware contains a list of 178 file extensions:

 After avoiding folders with strings such as $Recycle.Bin, :\Windows, \Program Files, \Local\Microsoft\, and :\ProgramData\, the encrypted files receive the .TaRRaK file extension:

Flaws at encryption

The source code and encryption process are riddled with bugs:

The malware sample attempts to read the entire file into memory using File.ReadAllBytes(). This feature has an internal limit that states that a maximum of 2 GB of data can be loaded; in case the file is larger, the function throws an exception, which is then handled by the try-catch block, which only handles a permission denied condition.

TaRRaK adds an ACL entry that grants full access to everyone and retrys the data read operation. In case any other error occurs, the exception is regenerated and the ransomware enters an infinite loop.

Even if the upload operation is successful and data from the file may enter memory, the Encrypt function converts the byte array to a 32-bit array of integers.

The malware allocates another block of memory with the same size as the file size and then performs an encryption operation, using a custom encryption algorithm. The encrypted Uint32 array is converted to another byte array and written to the file. Therefore, in addition to the memory allocation for the data in the original file, two additional blocks are allocated; if any of the memory allocations fail, it throws an exception and the ransomware loops again.

In the unusual scenarios where ransomware manages to complete the encryption process without errors, a ransom note will appear in the root folder of the compromised drives, in addition to displaying an advertisement on the user’s desktop:

Decryption tool

Avast specialists detailed the process to decrypt files infected with TaRRaK ransomware:

• Log in to the same account as the affected user
• Download the free Avast decryptor for Windows 32-bit or 64-bit
• Run the downloaded file
• On the home page, after reading the license information, click “Next”

• On the next page, select the list of locations where you want to apply decryption. By default, the tool contains a list of all local drives:

• You can choose to back up the encrypted files in case something goes wrong during the decryption process. Finally, click “Decrypt” to recover your information.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post Free decryption tool for TaRRaK ransomware. How to recover your infected files? appeared first on Information Security Newspaper | Hacking News.

The attack was first reported by Onchain analyst, OKHotshot, who posted on Twitter to alert what had happened. In a first tweet, the researcher mentioned that the BAYC and the OtherSide metaverse Discord accounts were compromised by threat actors.

Once the attackers gained access to these platforms, they posted a message targeting the NFT community offering purported exclusive giveaways for BAYC and Otherside token holders: “We are releasing another exclusive giveaway to all our holders listed above”, read the message, posted alongside a link to a phishing website.

As users may remember, phishing is an online identity theft technique in which scammers trick victims into revealing their confidential information using malicious websites. In the world of cryptocurrencies and NFTs, cybercriminals use these websites to gain access to victims’ online wallets and transfer the virtual assets to their own accounts.

Short after the researcher released the alert Yuga Labs acknowledged that its Discord servers were succesfully attacked: “The team caught the incident and quickly addressed it. It seems that about 200 ETH in NFT had been affected. We’re still investigating, but if you were affected, please email us”.

Lousy background

As mentioned above, this is the second attack against Yuga Labs in just two months; the first incident was reported in mid-April, through the hacking of BAYC’s official Instagram account to post a malicious link that allowed the theft of 91 “apes”. The attackers responsible for this theft also used a link to a fake BAYC website promoting an alleged giveaway; once affected users entered their information, their virtual assets were transferred to addresses controlled by the hackers.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post <strong>How bored Ape NFTs are being hacked again and again. 200 ETH stolen</strong> appeared first on Information Security Newspaper | Hacking News.

According to the report, GitLab fixed a total of eight vulnerabilities of all severity ranges, which exploitation would have allowed threat actors to deploy multiple hacking scenarios, including cross-site scripting (XSS), privilege escalation attacks, and even the installation of backdoors in GitLab projects. Detected and addressed flaws are described below, along with their tracking key and score assigned according to the Common Vulnerability Scoring System (CVSS).

Account takeover via SCIM email change: When setting up group SAML SSO, the SCIM feature would allow any owner of a Premium group to invite arbitrary users through their username and email address to subsequently change users’ email addresses through SCIM to a hacker-controlled address and take control of the affected account due to the absence of multi-factor authentication measures. The flaw received a CVSS score of 9.9/10 and was tracked as CVE-2022-1680.

XSS stored in Jira: A store cross-site scripting (XSS) error in Jira would allow threat actors to execute arbitrary JavaScript code in GitLab through specially crafted Jira issues. The flaw was tracked as CVE-2022-1940 and received a CVSS score of 7.7/10.

XSS attack in quick actions: The absence of input validation in quick actions would allow threat actors to exploit an XSS bug by injecting HTML into contact details. The flaw received a CVSS score of 8.7/10 and received the tracking key CVE-2022-1948.

IP allowlist bypassing when using Activation Tokens: Incorrect authorization in GitLab EE would allow threat actors to misuse an activation token from any location, even evading IP address restrictions. The flaw received a CVSS score of 6.5/10 and was tracked as CVE-2022-1935.

IP allowlist bypassing when using Project Deployment Tokens: Improper authorization in GitLab would have allowed malicious hackers using project deployment tokens to access from any location, even with IP address restrictions enabled. The flaw was tracked as CVE-2022-1936 and received a CVSS score of 6.5/10.

Incorrect authorization in Interactive Web Terminal: When the Interactive Web Terminal feature is configured, incorrect authorization would allow users with the Developer role to open terminals in running jobs of other developers, potentially exposing these jobs to hacking scenarios. The vulnerability was tracked as CVE-2022-1944 and received a CVSS score of 5.4/10.

Subgroup members can list members of the parent group: An issue in all versions of GitLab CC/EE would allow a member of the subgroup to access the list of members of their parent group. The vulnerability received a CVSS score of 4.3/10 and was tracked as CVE-2022-1821.

Group member lock bypass: Malicious group maintainers could add new members to a project within their group via REST APIs, even after group owners enable settings to prevent members from being added to projects within the group. The flaw was tracked as CVE-2022-1783 and received a CVSS score of 2.7/10.

GitLab adds that these fixes are part of its effort to maintain the highest security standards and improve the user experience. For more information, users can visit the FAQ section of GitLab, where more detailed descriptions of every single flaw and its corresponding security patches are found.

The code hosting and development service also offers its users to receive security notifications directly in their inbox through their contact page. To receive notifications of new update releases via RSS, GitLab users can subscribe to the GitLab Security Release RSS feed.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post 8 critical vulnerabilities in GitLab would allow hackers to install backdoors in your code appeared first on Information Security Newspaper | Hacking News.

The report, by Bitdefender, mentions: “Users in a position to validate a link in an email client before clicking on it, will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”

The term IDN refers to domain names that, in whole or in part use characters from a non-Latin script or alphabet, which are encoded by the Unicode standard. In order for the Domain Name System (DNS) to interpret them correctly, IDNs are stored in the DNS as ASCII strings using Punycode transcription.

Counterfeit IDN homograph domains can be created by combining letters from different alphabets, which to the user look so similar to each other that it is impossible to distinguish them, although Unicode treats them as separate entities. This is not a new concept, although it is still a problem for many users.

Most browsers, for example, display in the address bar the real name of an internationalized domain name (https://xn--n1aag8f.com, for example) instead of the name to display the real name (https://žugec.com) if the site is suspicious. However, Office applications, including Outlook, display the name in another method:

Since domain registration verification greatly limits which counterfeit domains can be registered and most browsers display the real name of the spoofed IDN domain, IDN homograph attacks have ceased to be a constant cybersecurity threat, although threat actors may find ways to deploy these attacks on a large scale.

Microsoft acknowledged the problem when it received the Bitdefender report, though it’s unclear if the issue will be fixed. While the issue is resolved, endpoint security solutions and IP and URL reputation services could collaborate by blocking most suspicious domains.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document? appeared first on Information Security Newspaper | Hacking News.

While UNISOC is a major chip producer, its technology has been little analyzed by mobile security specialists, so it is difficult to know what the security risks are present in devices with these chips and there are not even references to any vulnerability detected in their firmware.

A recent research effort was led by Check Point Research, and focuses on the modem of smartphones with UNISOC chips could be a very attractive attack target for cybercriminals, as this component can be accessed remotely and relatively easily, with the potential to deploy denial of service (DoS) attacks and block the communications of the affected devices.

Basic attack concepts

The Long-Term Evolution (LTE) network is made up of a dozen protocols and components, and you need to understand it to understand how the UNISOC modem works. The 3GPP Group introduced the Evolved Packet System (EPS), an LTE technology architecture consisting of three key interconnected components:

• User equipment (UE)
• Evolved UMTS terrestrial radio access network (E-UTRAN)
• Evolved Packet Core (EPC)

E-UTRAN has only one stack, the eNodeB station, which controls radio communications between the EU and the EPC. A UE can be connected to one eNodeB at a time.

The EPC component consists of four stacks, one of which is the Mobility Management Entity (MME). The MME controls the high-level operations of mobile devices on the LTE network. This component sends signaling messages related to security control, management of tracking areas, and mobility maintenance.

Check Point Research’s tests, conducted by a smartphone with a UNISOC modem, focus on communications between MME and UE stacks, which occur via EPS session management (ESM) and mobility management (EMM) protocols. The following screenshot shows the protocol stack of the modem. The no-access stratum (NAS) level hosts EPS and EMM signaling messages.

The NAS protocol operates with high-level structures, which would allow threat actors to create specially crafted EMM packets and send them to a vulnerable device, whose modem will analyze it and create internal objects based on the information received.

A bug in the scanning code would allow hackers to lock the modem and even perform remote code execution (RCE) attacks.

Security flaws in NAS handlers

Most NAS message analyzers have three arguments: an output buffer, which is an object of the appropriate message structure, the NAS message data blob for decoding, and the current offset in the message blob.

The unified function format allows you to easily implement the harness to fuzz the NAS analysis functions. Check Point experts used the classic combination of AFL and QEMU to fuzz the modem binary on a PC, patching the modem binary to redirect malloc calls to the libc equivalent. The fuzzer swapped the NAS message data and passed it as an input buffer to the analysis function.

One of the optional fields ATTACH_ACCEPT is mobile identity. The modem firmware implements an unpacking function such as liblte_mme_unpack_mobile_id_ie of srsRAN to extract the mobile identity from the NAS message. The identity data block begins with the length of the identity; if the device is represented by an International Mobile Subscriber Identity (IMSI), the 2-byte length of message data is copied to the output buffer as the IMSI number.

The check is bypassed to ensure that the provided length value is greater than one. Therefore, if the value of the length field is zero, 0-2 = 0xFFFFFFFE bytes of the NAS message are copied to the heap memory, leading to a DoS condition.

In the following screenshot, you can see the message ATTACH_ACCEPT, which causes the overflow.

Conclusions

The highlighted 0x23 value indicates that the following data is the identity block of the message, where the first 0x01 is the length and the second 0x01 is the IMSI type.

UNISOC is aware of this condition, and has already been assigned the identification key CVE-2022-20210. While the hacking variants described by Check Point are not easy to exploit and require great resources and planning, the possibility of exploitation is real and should not be dismissed.

Errors will be properly addressed, protecting millions of smart device users. Google is also aware of the report and will issue some additional protections for the Android system. 

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post Millions of Android smartphones exposed to remote hacking due to vulnerability in UNISOC baseband chips appeared first on Information Security Newspaper | Hacking News.

The attack would have been carried out by a group operating the LockBit 2.0 ransomware variant, and the perpetrators threaten to divulge sensitive information if the affected organization refuses to pay a ransom by June 11. It has not been confirmed whether the attack had any considerable impact on Foxconn Mexico’s routine operations, nor is the amount of the ransom demanded known.

The company has already received requests for information about the attack, although it has not commented on it.

Foxconn has already been the target of ransomware attacks before. In late 2020, the firm confirmed that one of its U.S. facilities had been attacked by the operators of the DoppelPaymer ransomware, who even leaked sensitive information on the dark web.

In that incident, the hackers also claimed to have attacked the facilities of Foxconn Mexico, in addition to demanding a ransom of more than $30 million in Bitcoin. Despite these claims, the company always maintained that only its systems in the U.S. had been affected.

Recently, LockBit 2.0 also claimed responsibility for an attack on tire and rubber giant Bridgestone Americas, stealing sensitive information and exposing it on illegal hacking forums. At the beginning of 2021, the Federal Bureau of Investigation (FBI) published a document with the main indicators of compromise of this ransomware variant, mentioning that attackers usually violate the affected networks by buying access on the dark web or exploiting zero-day vulnerabilities.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

The post LockBit ransomware encrypts computers at Foxconn Mexico factory, one of Apple’s largest suppliers appeared first on Information Security Newspaper | Hacking News.