All Windows versions susceptible to new code injection attack

296px-windows_logo_and_wordmark_-_2012-svgA new code injection technique called AtomBombing has been uncovered by researchers at enSilo. AtomBombing was found to be effective against all versions of Windows. AtomBombing exploits the operating system’s atom tables which are provided by the operating system to allow applications to store and access data.

enSilo’s Tal Liberman explained that “What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.” and depending on the process in which it was injected, the malicious code could allow attackers to take screenshots, access encrypted passwords, or perform Man in the Browser (MitB) attacks noted helpnetsecurity.

There is no way to fix this issue as it is not a vulnerability but security solutions can start monitoring API calls for malicious activity.

Ghost Push malware affecting Android devices

what-is-malware-as-a-serviceThe latest version of the Ghost Push trojan discovered in 2015 has been found by researchers at Cheetah mobile. This latest variant is able to root almost all Android devices except those running the Android 6.0 Marshmallow or higher.

The malware hides its core coding in the system directory, disguising itself as a built-in app of the phone and prevents third parties from taking over root privilege in order to hide and evade detection.

Cheetah Mobile reported that the highest percent of infection was in Malaysia (14%), followed by Vietnam (13%) and Colombia (10%).

Android users can stay immune by upgrading to version 6.0. But most android smartphone manufacturers apart from Google do not get updates pushed out to users in a reasonable amount of time as the manufacturers, carrieers and Google have to work together to push out updates to users.

Backdoors in Xiaomi Smartphones

indexA computer science student, Thijs Broenink has found that one of the pre-installed apps that come with Xiaomi smartphones ‘AnalyticsCore (AnalyticsCore.apk)‘ is an app that sends device information (IMEI, MAC address, Model, Nonce, Package name and signature) to Xiaomi as well as checks for updates daily from Xiaomi’s server and install them. He made the discovery when out of curiosity, he reverse-engineered the pre-installed apps to see what they actually do.

Broenink found that the download of update is done over HTTP which means it could be tampered with in transit and replaced with a malicious file. The access granted by the app also gives Xiaomi the power to silently replace signed apps within 24 hours on all devices sold by them.

In response, a Xiaomi spokesperson told The Hacker News that a successful attack on the “self-upgrade” feature by a random attacker is impossible, as the MIUI’s (Xiaomi’s Android firmware for mobile devices) checks the signature of the Analytics.apk app during installation, and will not install any app that has not be signed by Xiaomi. He also noted that “Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks,”

To completely block access for this app, users can use an ad-blocking app with root access to blacklist Xiaomi related webservers as uninstalling the app does not work because it reinstalls itself after a while.

Microsoft brings Tuesday Patches to an end

microsoft-patch-tuesday-header

Yesterday’s Patch Tuesday is meant to be the last traditional Windows Patch Tuesday. Microsoft is changing its patch release model. The new model will have all patches for a month bundled together and users will not be able to pick and choose which updates to install.

Microsoft has said this will start with Windows 10 but will be affect other operating systems as well in due course.

Security teams should be prepared to make changes to their patching methods as soon as Microsoft implements its new patch release model.

Critical Zero-day vulnerability in MySQL

mysql_hostingMultiple severe vulnerabilities affecting MySQL and it’s forks were discovered by researcher, Dawid Golunski according to Helpnetsecurity. One of the vulnerabilities – CVE-2016-6662 – can be used to make malicious settings in the MySQL configuration file or create a new configuration file, allowing execution of arbitrary code with root access when the service is restarted. The vulnerability.

Golunski explained in an advisory published on Monday, that “The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers,”

Oracle is yet to release a fix for these issues even though Golunski reported to the issues to them in late July. MySQL forks, Percona and MariaDB have pushed out new releases that addresses the CVE-2016-6662.

Golunski advised, “As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnfi3 files that are not in use,”

Spyware found on Vietnam Airlines disguised as McAfee Antivirus

The spyware that recently infected Vietnam Airlines is revealed to be a variant of the Korplug RAT which disguises itself as a McAfee antivirus program according to analysis of the malware by Malwarebytes.

Malwarebytes’ examination of the Korplug payload found a legitimate McAfee software with a signed certificate but with a compromised  Dynamic Link Library that was used to hijack the execution of the legitimate software. The spyware obfuscates it’s malicious coding and hides it under layers of loaders and files.

Korplug is also known as  PlugX and is linked to the Chinese APT groups. More information on the malware is on Malwarebyte’s blog.

Pegasus was sold for lawful use only

what-is-malware-as-a-serviceThe NSO Group, an organization that reportedly specializes in ‘cyber-war’ which combined three iOS zero-day vulnerabliities into Pegasus malware claims that the malware was only sold to governnments under signed agreements to be used in a lawful manner. Spokesperson of the group, Zamir Dahbash told the Washington Post that “Specifically, the products may only be used for the prevention and investigation of crimes.” But according to SCMagazine, researchers suspect that the malware was used to target an activist, Ahmed Mansoor, who originally sent the malware to Lookout and Citizen Lab for examination.

Uses who fear that they have been infected by Pegasus can use Lookout mobile apps to check their devices. All users are encouraged to update their devices to iOS 9.3.5.