Viruses and Worms

Registration open for VB2019 - book your ticket now!

Virus Bulletin News - 13 March, 2019 - 14:21
Registration for VB2019, the 29th Virus Bulletin International Conference, is now open, with an early bird rate available until 1 July.

Category: Viruses and Worms

“FINAL WARNING” email – have they really hacked your webcam?

Sophos Naked Security - 13 March, 2019 - 14:19
In the last 24 hours, SophosLabs received 1,700 samples of just one new sextortion campaign. Good news? It's all a pack of lies. Don't reply. Don't engage.

Chrome will soon block drive-by-download malvertising

Sophos Naked Security - 13 March, 2019 - 14:17
A new Chrome feature hopes to choke off one of the most malicious forms of malware infection: drive-by advertising downloads.

Update now! WordPress abandoned cart plugin under attack

Sophos Naked Security - 13 March, 2019 - 13:44
Hackers have been spotted targeting websites running unpatched versions of the WordPress plugin Abandoned Cart for WooCommerce.

Misconfigured Box accounts leak terabytes of companies’ sensitive data

Sophos Naked Security - 13 March, 2019 - 13:29
Easily guessable URLs led to what should have been big companies' very private data. Even Box itself was found to be exposing folders.

New bill would give parents an ‘Eraser Button’ to delete kids’ data

Sophos Naked Security - 13 March, 2019 - 11:49
The COPPA overhaul would ban targeting ads at kids under 13 and ad targeting based on race, socioeconomics or geolocation on kids under 15.

The fourth horseman: CVE-2019-0797 vulnerability

Kaspersky Securelist - 13 March, 2019 - 11:00

In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led us to discover a zero-day vulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. The company confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft has just released a patch, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery:

This is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows we have discovered recently using our technologies. Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products;
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA).

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Brief technical details – CVE-2019-0797

CVE-2019-0797 is a race condition in the win32k driver caused by a lack of proper synchronization between the undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection. The vulnerable code can be seen in the screenshots below, taken from a fully patched system during the initial analysis:

Snippet of NtDCompositionDiscardFrame syscall (Windows 8.1)

This screenshot shows the simplified logic of the NtDCompositionDiscardFrame syscall: the code acquires a lock related to frame operations in the structure DirectComposition::CConnection, looks for the frame that corresponds to the given id, and eventually frees it. The problem can be seen in the second screenshot:

Snippet of NtDCompositionDestroyConnection syscall inner function (Windows 8.1)

This screenshot shows the simplified logic of the inner function called from within the NtDCompositionDestroyConnection syscall: it does not acquire that lock before calling the function DiscardAllCompositionFrames, which releases all allocated frames. So when the syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection execute simultaneously, DiscardAllCompositionFrames may run while NtDCompositionDiscardFrame is still looking for the frame to release, or has already found it and holds a pointer to it. That frame is then freed under NtDCompositionDiscardFrame, which leads to a use-after-free.
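The interleaving described above, as an added example that is not Kaspersky's or Microsoft's code: a small user-space model in C of the two syscall paths. The frame lock, the frame table of the connection and the pool allocator are modelled with plain flags so that the losing interleaving can be reproduced deterministically and without touching freed memory; every name here is an assumption for illustration, and the `patched` branch, in which the destroy path refuses to run while the frame lock is held, is an assumed fix shape, not the actual Microsoft patch.

```c
/*
 * Added example, not win32k code: a user-space model of the CVE-2019-0797 race
 * between NtDCompositionDiscardFrame (takes the frame lock, looks up a frame,
 * frees it) and NtDCompositionDestroyConnection (frees every frame without
 * taking that lock). All names, the lock flag and the pool allocator are
 * assumptions made for this illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAMES 4

/* A frame object; `live` stands in for the kernel allocator's bookkeeping. */
struct frame {
    uint32_t id;
    bool live;
};

/* Model of DirectComposition::CConnection: frame table plus its frame lock. */
struct connection {
    bool frame_lock_held;              /* modelled lock, not a real kernel mutex */
    struct frame pool[MAX_FRAMES];     /* backing storage for the frames */
    struct frame *frames[MAX_FRAMES];  /* frame table, NULL = empty slot */
    int uaf_count;                     /* accesses to an already freed frame */
    int double_free_count;             /* frees of an already freed frame */
};

static void conn_init(struct connection *c, int nframes) {
    *c = (struct connection){0};
    for (int i = 0; i < nframes && i < MAX_FRAMES; i++) {
        c->pool[i].id = (uint32_t)(i + 1);
        c->pool[i].live = true;
        c->frames[i] = &c->pool[i];
    }
}

/* Free through the modelled allocator; a second free is recorded, not crashed on. */
static void frame_free(struct connection *c, struct frame *f) {
    if (!f->live) { c->double_free_count++; return; }
    f->live = false;
}

/* DiscardAllCompositionFrames: walk the table and free every entry. */
static void discard_all_frames(struct connection *c) {
    for (int i = 0; i < MAX_FRAMES; i++) {
        if (c->frames[i]) { frame_free(c, c->frames[i]); c->frames[i] = NULL; }
    }
}

/* First half of NtDCompositionDiscardFrame: take the frame lock and look up the id.
 * Returns the frame the syscall will free in its second half, or NULL. */
static struct frame *discard_frame_begin(struct connection *c, uint32_t id) {
    c->frame_lock_held = true;
    for (int i = 0; i < MAX_FRAMES; i++)
        if (c->frames[i] && c->frames[i]->id == id) return c->frames[i];
    c->frame_lock_held = false;
    return NULL;
}

/* Second half: free the frame found above, unlink it and drop the lock.
 * If another path freed it in between, this access is the use-after-free. */
static void discard_frame_end(struct connection *c, struct frame *f) {
    if (!f) { c->frame_lock_held = false; return; }
    if (!f->live) c->uaf_count++;      /* reading a freed object */
    frame_free(c, f);
    for (int i = 0; i < MAX_FRAMES; i++)
        if (c->frames[i] == f) c->frames[i] = NULL;
    c->frame_lock_held = false;
}

/* Inner function of NtDCompositionDestroyConnection. Vulnerable: calls
 * DiscardAllCompositionFrames regardless of the lock. Patched (assumed shape):
 * does not proceed while the frame lock is held; a kernel would block here. */
static bool destroy_connection(struct connection *c, bool patched) {
    if (patched && c->frame_lock_held) return false;
    discard_all_frames(c);
    return true;
}

/* The losing interleaving: DiscardFrame has found frame 1 but not yet freed it
 * when DestroyConnection runs on another thread. Returns the UAF count. */
int simulate_race(bool patched) {
    struct connection c;
    conn_init(&c, 2);
    struct frame *f = discard_frame_begin(&c, 1);       /* thread A: lock + lookup */
    bool destroyed = destroy_connection(&c, patched);   /* thread B: frees everything */
    discard_frame_end(&c, f);                           /* thread A: frees f again */
    if (!destroyed) destroy_connection(&c, patched);    /* lock dropped: B proceeds */
    return c.uaf_count;
}

int main(void) {
    printf("unpatched: %d use-after-free event(s)\n", simulate_race(false));
    printf("patched:   %d use-after-free event(s)\n", simulate_race(true));
    return 0;
}
```

The unpatched run records one use-after-free (and one double free inside the model), because the destroy path releases the frame that NtDCompositionDiscardFrame is still holding a pointer to; with the lock respected, the destroy path waits and every frame is freed exactly once. In the real kernel the window is won by racing the two syscalls from separate threads, and the freed object is reclaimed by attacker-controlled allocations rather than by a counter.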

Interestingly, this is the third race condition zero-day exploit used by the same group in addition to CVE-2018-8589 and CVE-2018-8611.

Stop execution if module file name contains substring “chrome.exe”

The exploit found in the wild targets 64-bit operating systems from Windows 8 up to Windows 10 build 15063. The exploitation process does not differ greatly across those versions: it heap-sprays palettes and accelerator tables and uses GdiSharedHandleTable and gSharedInfo to leak their kernel addresses. On Windows 10 build 14393 and later, windows are used instead of palettes. Besides that, the exploit checks whether it is running from Google Chrome and stops execution if it is, because CVE-2019-0797 cannot be exploited from within the sandbox.

This is the Send, encrypted end-to-end, this is the Send, my Mozillan friend

The Register - Anti-Virus - 13 March, 2019 - 07:38
Ride the fox, ride the fox

Mozilla's Firefox Send, a free encrypted file sharing service, graduated from test to official release on Tuesday after a year and half of refinement.…

Category: Viruses and Worms

Microsoft changes DHCP to 'Dammit! Hacked! Compromised! Pwned!' Big bunch of security fixes land for Windows

The Register - Anti-Virus - 13 March, 2019 - 00:13
DHCP client has trio of remote-code exec vulns – plus SAP, Adobe issue updates

Patch Tuesday  It's the second Tuesday of the month, and you know what that means: a fresh dump of security fixes from Microsoft, Adobe and others.…

Category: Viruses and Worms

Federal Focus on Cyber Plays Out in President’s Budget, IoT Legislation - 12 March, 2019 - 22:05
Money earmarked for the Defense Department and DHS, and bipartisan bills to address the security of federal IoT devices, showcase growing federal cyber-efforts.
Category: Viruses and Worms

Microsoft Patches Two Win32k Bugs Under Active Attack - 12 March, 2019 - 21:52
Microsoft's March Patch Tuesday updates include 64 fixes, 17 of which are rated critical.
Category: Viruses and Worms

Yelp-for-MAGAs app maker is warned there are holes in its code. Does it A. Just fix the problem, or B. Threaten to call the FBI, too?

The Register - Anti-Virus - 12 March, 2019 - 21:43
Or C. It's all a libtard plot?

A developer specializing in mobile apps for US conservatives is under fire for threatening to call the Feds on someone who reported security shortcomings in its software.…

Category: Viruses and Worms

ThreatList: Phishing Attacks Doubled in 2018 - 12 March, 2019 - 20:48
Scammers used older, tried-and-true phishing tactics in 2018, but also newer tricks such as fresh distribution methods, according to a new report.
Category: Viruses and Worms

Swiss electronic voting system like... wait for it, wait for it... Swiss cheese: Hole found amid public source code audit

The Register - Anti-Virus - 12 March, 2019 - 20:20
Hey, at least it was discovered, eventually, and fixed – which is the whole point

The Swiss Federal Chancellery (SFC) on Tuesday said security researchers have found a fascinating flaw in the Swiss Post's e-voting system as part of an ongoing penetration test.…

Category: Viruses and Worms

ProtonMail back up in Russia after regime chokes access over 'terrorist activity'

The Register - Anti-Virus - 12 March, 2019 - 18:40
Service says that's ерунда (nonsense)

ProtonMail is "back to running normally in Russia now" after the country blocked access to the encrypted email service, claiming that students at a sports competition were using it to spread anti-regime propaganda.…

Category: Viruses and Worms

Raiding party! UK's ICO drops in unannounced on couple of dodgy-dialling dirtbag outfits

The Register - Anti-Virus - 12 March, 2019 - 16:25
Data protection police come a-knocking. 'Put your computers and docs in the facking bag!'

The UK's data protection watchdog today raided two businesses suspected of making millions of nuisance calls.…

Category: Viruses and Worms

Unpatched Windows Bug Allows Attackers to Spoof Security Dialog Boxes - 12 March, 2019 - 16:09
Microsoft won't be patching the bug, but a proof of concept shows the potential for successful malware implantation.
Category: Viruses and Worms

Adobe Patches Critical Photoshop, Digital Editions Flaws - 12 March, 2019 - 15:53
Adobe fixed two arbitrary code execution flaws in its Photoshop and Digital Editions products.
Category: Viruses and Worms

Reg webinar: Tune in for some knowledge on how to become an effective leader in IT security

The Register - Anti-Virus - 12 March, 2019 - 15:35
The benefits of pragmatism

Promo  With companies of all sizes anxious to protect themselves from the growing danger of cyberattacks, what does it take to reach a leading role in the security field?…

Category: Viruses and Worms

Hey Insiders! DTrace can now run riot in Windows 10, if you really want it to

The Register - Anti-Virus - 12 March, 2019 - 15:17
Open-source debugger takes to the stage in OS's next release

Windows 10 has been tweaked to let devs enjoy the delights of DTrace while chasing down pesky bugs.…

Category: Viruses and Worms