Tag Archive for: discovers

ESET discovers DazzleSpy, a new macOS spying malware


ESET Research has discovered a new macOS malware spying on visitors to a Hong Kong radio station news site.

According to the cybersecurity research firm, a watering hole attack compromised Hong Kong radio station D100's news website. The attackers served a Safari exploit that installed the cyber espionage malware DazzleSpy on site visitors' Macs.

The vulnerability could also have been exploited on iOS, even on devices such as the iPhone XS and newer, ESET believes.

In fact, ESET says this campaign has similarities with one from 2020 where LightSpy iOS malware was distributed the same way. 

According to ESET, the payload DazzleSpy is capable of a wide variety of cyber espionage actions. ESET Research can conclude that the group behind this operation has strong technical capabilities.

The watering-hole operations the attackers have pursued show that the targets are likely to be politically active individuals in Hong Kong. The malicious code is capable of collecting a wide variety of sensitive and personal information.

The first report about the watering-hole attacks leading to exploits for the Safari web browser running on macOS was published by Google last November. ESET researchers were investigating the attacks at the same time as Google and have uncovered additional details about both the targets and malware used to compromise the victims. ESET has confirmed that the patch identified by the Google team fixes the Safari vulnerability used in the attacks.

“The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code. It's interesting to note that some code suggests the vulnerability could also have been exploited on iOS, even on devices such as the iPhone XS and newer,” says Marc-Etienne Léveillé, who investigated the watering-hole attack.

“This campaign has similarities with one from 2020 where LightSpy iOS malware was distributed the same way, using iframe injection on websites for Hong Kong citizens leading to a WebKit exploit,” he says.

Léveillé says the payload DazzleSpy is capable of a wide variety of cyber espionage actions.

“It can collect information about the compromised computer; search for specified files; scan…


Fortinet Security Researcher Discovers Multiple Vulnerabilities in Adobe Illustrator


FortiGuard Labs Threat Research Report

Affected platforms: Windows
Impacted parties: Users of Adobe Illustrator 2021, versions 25.4.1 and earlier
Impact: Multiple Vulnerabilities leading to Arbitrary Code Execution, Memory Leak and Application Denial of Service
Severity level: Critical

In August of 2021, I discovered and reported multiple zero-day vulnerabilities in Adobe Illustrator to Adobe, Inc. On Tuesday, October 26, 2021, Adobe released several security patches that fixed these vulnerabilities. They are identified as CVE-2021-40718, CVE-2021-40746, CVE-2021-40747, CVE-2021-40748 and CVE-2021-40749. All these vulnerabilities have similar root causes related to a single Illustrator Plugin. We suggest users apply the Adobe patches as soon as possible.

Following are some details on these vulnerabilities. More information can be found on the related Fortinet Zero Day Advisory pages linked from the CVE identifiers below:

CVE-2021-40718:

This is a Memory Leak vulnerability that exists in the decoding of AutoCAD Drawing ‘DWG’ files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed DWG file, which causes an Out of Bounds Read memory access due to an improper bounds check.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak.

Fortinet previously released IPS signature Adobe.Illustrator.CVE-2021-40718.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2021-40746:

This is an Arbitrary Code Execution vulnerability that exists in the decoding of AutoCAD Drawing ‘DWG’ files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed DWG file, which causes an Out of Bounds memory access due to an improper bounds check.

Attackers can exploit this vulnerability to execute arbitrary code within the context of the application via a crafted DWG file.

Fortinet previously released IPS signature…


Sophos Discovers Malware That Blocks The Pirate Bay



Sophos has revealed new malware with a curious goal: preventing its victims from pirating software. The company says this digital vigilante, which is similar to a malware family discovered over a decade ago, modifies the infected system’s HOSTS file to block access to The Pirate Bay and other piracy-related sites.

“Modifying the HOSTS file is a crude but effective method to prevent a computer from being able to reach a web address,” SophosLabs Principal Researcher Andrew Brandt says in a blog post. “It’s crude because, while it works, the malware has no persistence mechanism. Anyone can remove the entries after they’ve been added to the HOSTS file, and they stay removed (unless you run the program a second time).”

The malware is said to spread via the Discord communications platform by masquerading as pirated copies of popular games. Brandt says it’s also distributed over BitTorrent in bundles “named after popular games, productivity tools, and even security products” that include other files whose sole purpose is to make the malware “appear to have originated with a well-known file sharing account on ThePirateBay.”

After the malware is downloaded it sends two HTTP GET requests to a now-inactive domain. The first request fetches a second payload called “ProcessHacker.jpg” that includes a kill-switch to prevent the malware from operating on devices containing files named “7686789678967896789678” and “412412512512512.” The files themselves can be empty; they simply have to use those names.

The second request “uses a query string to send the filename of the executable that was run to the website’s operators,” Brandt said, which would have allowed them to learn more about what kinds of files people are trying to pirate. That effort appears to have been dropped—Brandt says the server to which the HTTP GET requests were sent “no longer responds to requests, nor has a DNS record.”


Sophos has updated its security products to defend against this malware. Brandt says anyone who’s already been affected by the campaign can manually restore their access to the websites it blocked by running Notepad as an administrator and “modifying the…


Computer Memory Can Be Made to Speak in Wifi, Researcher Discovers



A new theoretical exploit called Air-Fi can turn a secure, air-gapped computer into a wifi transmitter that can help a hacker exfiltrate secure data.

An air-gapped computer is a computer that is completely disconnected from any network. Many air-gapped machines have every possible network feature removed, from wifi to Bluetooth, but this exploit shows that hackers can use DDR SDRAM buses “to generate electromagnetic emissions in the 2.4 GHz Wi-Fi bands and encode binary data on top of it,” according to the researcher Mordechai Guri of the Ben-Gurion University of the Negev, Israel.

“This technique required high levels of skills from the attacker, in both design and implementation,” said Guri in an email. “However, there are simpler covert exfiltration channels for conventional IT environments in the wild. This one is focusing on leaking data from air-gapped computers where the traditional network-based covert channels fail.”

“Using the Wi-Fi medium in such a non-conventional way is something that I’ve been examining during the last year,” he said.

The transmissions are invisible to other devices; only the attacker can pick them up, using specially prepared software and hardware.

He writes:

As a part of the exfiltration phase, the attacker might collect data from the compromised computers. The data can be documents, key logging, credentials, encryption keys, etc. Once the data is collected, the malware initiates the AIR-FI covert channel. It encodes the data and transmits it to the air (in the Wi-Fi band at 2.4 GHz) using the electromagnetic emissions generated from the DDR SDRAM buses.

Guri is well-known in security circles for figuring out how to attack air-gapped machines. In 2019 he used screen brightness and power lines to transmit data from secure computers and in 2018 he was also able to transmit data via ultrasonic audio files using a simple computer speaker.

In this exploit, Guri was able to force the DDR SDRAM buses to transmit to compromised wifi-capable devices like laptops and smartphones. He hacked four workstations with the exploit, each outfitted with similar 4GB DIMM DDR4…
