Viry a Červi

Supply Chain Security: Managing a Complex Risk Profile - 12 Prosinec, 2018 - 14:36
Experts sound off on how companies can work with their third-party suppliers and partners to secure the end-to-end supply chain.
Kategorie: Viry a Červi

Samsung fixes flaws that could have let attackers hijack your account

Sophos Naked Security - 12 Prosinec, 2018 - 13:45
Flaws in the mobile site were leaving users vulnerable to attackers who could have reset their user passwords and hijacked their accounts.

Google+ to power down early after second security hole found

Sophos Naked Security - 12 Prosinec, 2018 - 13:37
Google has disclosed the second security hole in its Google+ social network in three months.

Text CAPTCHAs easily beaten by neural networks

Sophos Naked Security - 12 Prosinec, 2018 - 13:12
As CAPTCHA-haters know to their frequent irritation, the death of the text-based Completely Automated Procedures for Telling Computers and Humans Apart tends to be exaggerated.

Phones are selling location data from “trusted” apps

Sophos Naked Security - 12 Prosinec, 2018 - 12:55
Data brokers are tracking 200 million mobile devices in the US, updating locations up to 14,000 times a day, the New York Times has found.

Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage

The Register - Anti-Virus - 12 Prosinec, 2018 - 11:15
Uh, hello? Didn't you put third-party Javascript on a payment page?

Ticketmaster is telling its customers that it wasn't to blame for the infection of its site by a strain of the Magecart cred-stealing malware – despite embedding third-party Javascript into its payments page.…

Kategorie: Viry a Červi

VB2018 video: The Big Bang Theory by APT-C-23

Virus Bulletin News - 12 Prosinec, 2018 - 09:14
Today, we release the video of the VB2018 presentation by Check Point researcher Aseel Kayal, who connected the various dots relating to campaigns by the APT-C-23 threat group.

Read more
Kategorie: Viry a Červi

Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)

Kaspersky Securelist - 12 Prosinec, 2018 - 09:00

Executive summary

In October 2018, our AEP (Automatic Exploit Prevention) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis led us to uncover a zero-day vulnerability in ntoskrnl.exe. We reported it to Microsoft on October 29, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8611. Microsoft just released a patch, part of its December update, crediting Kaspersky Lab researchers Boris Larin (Oct0xor) and Igor Soumenkov (2igosha) with the discovery.

This is the third consecutive exploited Local Privilege Escalation vulnerability in Windows we discovered this autumn using our technologies. Unlike the previously reported vulnerabilities in win32k.sys (CVE-2018-8589 and CVE-2018-8453), CVE-2018-8611 is an especially dangerous threat – a vulnerability in the Kernel Transaction Manager driver. It can also be used to escape the sandbox in modern web browsers, including Chrome and Edge, since syscall filtering mitigations do not apply to ntoskrnl.exe system calls.

Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to this zero-day and CHAINSHOT, SandCat also uses the FinFisher / FinSpy framework.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products
  2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic
Brief details – CVE-2018-8611 vulnerability

CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.

This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.

We have found multiple builds of exploit for this vulnerability. The latest build includes changes to reflect the latest versions of the Windows OS.

A check for the latest build at the time of discovery: Windows 10 Redstone 4 Build 17133

Similarly to CHAINSHOT, this exploit heavily relies on the use of C++ exception handling mechanisms with custom error codes.

To abuse this vulnerability exploit first creates a named pipe and opens it for read and write. Then it creates a pair of new transaction manager objects, resource manager objects, transaction objects and creates a big number of enlistment objects for what we will call “Transaction #2”. Enlistment is a special object that is used for association between a transaction and a resource manager. When the transaction state changes associated resource manager is notified by the KTM. After that it creates one more enlistment object only now it does so for “Transaction #1” and commits all the changes made during this transaction.
After all the initial preparations have been made exploit proceeds to the second part of vulnerability trigger. It creates multiple threads and binds them to a single CPU core. One of created threads calls NtQueryInformationResourceManager in a loop, while second thread tries to execute NtRecoverResourceManager once. But the vulnerability itself is triggered in the third thread. This thread uses a trick of execution NtQueryInformationThread to obtain information on the latest executed syscall for the second thread. Successful execution of NtRecoverResourceManager will mean that race condition has occurred and further execution of WriteFile on previously created named pipe will lead to memory corruption.

Proof of concept: execution of WriteFile with buffer set to 0x41

As always, we provided Microsoft with a proof of concept for this vulnerability, along with source code. And it was later shared through Microsoft Active Protections Program (MAPP).

More information about SandCat, FruityArmor and CVE-2018-8611 is available to customers of Kaspersky Intelligence Reports. Contact:

It's December of 2018 and, to hell with it, just patch your stuff

The Register - Anti-Virus - 12 Prosinec, 2018 - 02:15
Windows, Office, Acrobat, SAP... you know the deal

Microsoft, Adobe, and SAP are finishing up the year with a flurry of activity, combining to patch more than 140 CVE-listed security flaws between them.…

Kategorie: Viry a Červi

Facebook Fined $11.3M for Privacy Violations - 11 Prosinec, 2018 - 23:19
Italy's regulator found the social giant guilty of misleading consumers as to what it does with their data.
Kategorie: Viry a Červi

Zero-Day Bug Fixed by Microsoft in December Patch Tuesday - 11 Prosinec, 2018 - 23:02
Microsoft patches nine critical bugs as part of December Patch Tuesday roundup.
Kategorie: Viry a Červi

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory

The Register - Anti-Virus - 11 Prosinec, 2018 - 21:37
'Entirely preventable' theft down to traffic-monitoring certificate left expired for 19 months

Updated  A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.…

Kategorie: Viry a Červi

25% of NHS trusts have zilch, zip, zero staff who are versed in security

The Register - Anti-Virus - 11 Prosinec, 2018 - 20:16
Not like there's been a major incident recently to kick them into gear or anything

A quarter of NHS trusts in the UK responding to a Freedom of Information request have no staff with security qualifications, despite some employing up to 16,000 people.…

Kategorie: Viry a Červi

Data Privacy Issues Trigger Soul Searching in Tech Industry - 11 Prosinec, 2018 - 19:51
Consumers are growing angry when it comes to data misuse - but the real change will need to come from the tech industry's culture when it comes to privacy.
Kategorie: Viry a Červi

Cobalt Group Pushes Revamped ThreadKit Malware - 11 Prosinec, 2018 - 19:40
Threat actors have updated their malware to include a macro-based delivery framework.
Kategorie: Viry a Červi

Adobe December 2018 Security Update Fixes Reader, Acrobat - 11 Prosinec, 2018 - 18:42
The update includes a raft of critical code-execution problems.
Kategorie: Viry a Červi

Biometrics: Security Solution or Issue? - 11 Prosinec, 2018 - 17:25
Issues still exist when it comes to securing biometrics.
Kategorie: Viry a Červi Redirected to NSFW Page Spewing Racial Epithets - 11 Prosinec, 2018 - 15:28
Administrators lost control of the domain for several hours in a DNS hijacking incident.
Kategorie: Viry a Červi

Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked

The Register - Anti-Virus - 11 Prosinec, 2018 - 13:22
That's thousands of employees' names, monthly salaries, bank details

Exclusive  A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, The Register can exclusively reveal.…

Kategorie: Viry a Červi

VB2019 London - join us for the most international threat intelligence conference!

Virus Bulletin News - 11 Prosinec, 2018 - 12:08
VB calls on organisations and individuals involved in threat intelligence from around the world to participate in next year's Virus Bulletin conference.

Read more
Kategorie: Viry a Červi
Syndikovat obsah