Monthly Archives: May 2019

Multi-hop Phishing Attack

Today I received an email from a business associate whom I often corresponded with. Even though the email looks normal – it contains his full name and the usual email signature – something looks off.

The email body is very terse and contains only a link – alarm bells start going off. The link points to a valid Google docs document.

The document contains 2 links, both pointing to the same external site.

It is seemingly a login page for your Microsoft outlook account. But the domain is not associated with Microsoft. A classic phishing attack.

It so happens that the business associate is using Outlook for his email. After entering his credentials into the phishing site, the attacker must have used his credentials to send a copy of the phishing email to everyone in his contacts. Indeed that is the case, after I have confirmed with other associates. What makes this attack so successful is that 1) the email is from someone you have corresponded with 2) the first link opens a valid Google docs and some would have let their guard down at this point of time.

The latest report from FireEye states that 91% of cyber attacks comes from emails, and email-based attacks are getting increasingly more sophisticated. Some are also taking advantage of how email addresses are being shown on mobile devices.

Email Threat Report from FireEye

As cyber threats continue to evolve, we must continue to educate users on the importance of maintaining vigilance and to be mindful of the limitations of current solutions to address the risks of phishing and other attacks.

Edit: I have submitted the phishing site to Google’s Report Phishing Page

Vulnerability in Linksys and Cisco routers

This is a not a good week for network equipment manufacturers.

First, it was discovered that over 25000 Linksys Smart Wifi routers are vulnerable for sensitive information disclosure flaws.

Using data provided by BinaryEdge, our scans have found 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public internet, including:

  • MAC address of every device that’s ever connected to it (full historical record, not just active devices)
  • Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
  • Operating system (such as “Windows 7” or “Android”)

In some cases additional metadata is logged such as device type, manufacturer, model number, and description – as seen in the example below.

The picture is worst for even Cisco, which embedded a default SSH keypair in all of its 9000 series devices. Basically this means that anyone (who knows the IPv6 address and keypair) can SSH into a vulnerable device and take over it completely. It is so serious that some have described it as a backdoor.

RIDL and Fallout: MDS attacks

After the spectacle of Spectre and Meltdown last year, we now have more vulnerabilities that attacks the CPU to leak confidential data. The new vulnerabilities are called RIDL and Fallout – not quite as catchy as Spectre and Meltdown – and it belongs to a class of attacks called MDS (Microarchitectural Data Sampling) attacks.

There are exploit demos that show the attacker retrieving the contents of hashed passwords in /etc/shadow, which he/she can crack offline after that. Another demo shows an attack being carried out using Javascript/WebAssembly. Essentially this means that if you visit a web page that contains attack code it can read information from other processes it is not meant to.

Our attacks can leak confidential data across arbitrary security boundaries in real-world settings (cloud, browsers, etc.).

Source: RIDL and Fallout: MDS attacks

Security lapse exposed a Chinese smart city surveillance system | TechCrunch

Yet another case of unsecured database in the public cloud. That in itself is unfortunately not uncommon. What is eyebrow-raising however, is the type of content that it stores.

The database processed various facial details, such as if a person’s eyes or mouth are open, if they’re wearing sunglasses, or a mask — common during periods of heavy smog — and if a person is smiling or even has a beard.The database also contained a subject’s approximate age as well as an “attractive” score, according to the database fields.

Source: Security lapse exposed a Chinese smart city surveillance system | TechCrunch

Remote Code Execution on most Dell computers

First it was Lenovo and Asus, now Dell has fallen as well. Goes to show that 1) you should uninstall crapware that comes pre-bundled with your Windows machine 2) writing secure software is hard.

What computer do you use? Who made it? Have you ever thought about what came with your computer? When we think of Remote Code Execution (RCE) vulnerabilities in mass, we might think of vulnerabilities in the operating system, but another attack vector to consider is “What third-party software came with my PC?”. In this article, I’ll be looking at a Remote Code Execution vulnerability I found in Dell SupportAssist, software meant to “proactively check the health of your system’s hardware and software” and which is “preinstalled on most of all new Dell devices”.

Source: Remote Code Execution on most Dell computers