Tag Archive for: ‘led’

Known macOS Vulnerabilities Led Researcher to Root Out New Flaws


Sometimes all it takes to root out a new software vulnerability is to study and analyze previous bug reports. That’s how researcher Csaba Fitzl says he sniffed out some new Apple macOS vulnerabilities, one of which was a mirror image of a logic flaw that a group of researchers competing in the 2020 Pwn2Own contest found and executed there.

Fitzl, a content developer for Offensive Security, says he reread and studied the winning six-exploit chain that the researchers used to hack macOS. One of the exploits in that chain weaponized a privilege escalation bug, which Apple later fixed. But there still was a hole, and he found it: “Although Apple fixed it properly, but still there was an extra function … that basically opened up another vulnerability to be utilized a bit differently than the original one,” Fitzl explains.

The original flaw, which Apple fixed, allowed an attacker to change the ownership of a directory in macOS. But Fitzl discovered that, even after the fix, he could still create a new directory at an arbitrary location on the targeted system, which is enough for an attacker to escalate their privileges on macOS. “Although you had to use different techniques to get through to the system, but because you could create an arbitrary directory anywhere on the system, you could elevate your privileges to root,” he says.

It was basically the same logic flaw but in a different piece of the code. Apple has since patched the vulnerability Fitzl found as well.

This week at Black Hat Singapore, Fitzl will share technical details of this and two other vulns he found while drilling down on previous vuln research on macOS during a session entitled “macOS Vulnerabilities Hiding in Plain Sight.”

Apple had not responded to a request for comment as of this posting.

‘Something Is Not Right’
Fitzl says he didn’t actually spot traces of the new flaws linked to previous research until after he reread the research papers. “At some point it hit me that there is something not right. It turned out that there is a vulnerability not like the one initially documented,” he explains of his findings. “That eventually led me to find or identify new vulnerabilities.”

The other two flaws he found include one that built upon research from Mickey Jin, who…

Source…

Eavesdropping By LED | Hackaday


If you ever get the feeling someone is watching you, maybe they are listening, too. At least they might be listening to what’s coming over your computer speakers thanks to a new attack called “glow worm.” In this novel attack, an attacker reproduces the sound a speaker is playing by carefully observing the speaker’s power LED: the audio shows up as virtually imperceptible fluctuations in the LED’s brightness, most likely because the speaker’s supply voltage sags and recovers as the amplifier draws current.

You might think that if you could see the LED, you could just hear the output of the speaker, but a telescope through a window 100 feet away appears to be sufficient. You can imagine that from a distance across a noisy office you might be able to pull the same trick. We don’t know — but we suspect — even if headphones were plugged into the speakers, the LED would still modulate the audio. Any device supplying power to the speakers is a potential source of a leak.

On the one hand, this is insidious because, unlike more active forms of bugging, this would be pretty much undetectable. On the other hand, there are a variety of low-tech and high-tech mitigations to the attack, too. Low tech? Close your blinds or cover the LED with some tape. High tech? Feed a random frequency into the LED to destroy any leaking information. Super spy tech? Put fake speakers in front of your real speakers that silently playback misinformation on their LEDs.

The video plays samples of recovered speech and, honestly, it was clear enough but not great. We wondered if a little additional signal processing might help.
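To make the leakage mechanism and the “feed noise into the LED” mitigation concrete, here is an added simulation. It is not code from Hackaday or from the Glowworm researchers: the photodiode sampling rate, the audio-to-brightness coupling, the ambient drift and the noise level are assumptions chosen to illustrate the effect, not measured figures, and the “speech” is a constructed two-tone signal.

```python
"""Simulated optical side channel: a speaker's power LED whose brightness carries
a faint copy of the audio being played, an observer recovering that audio from a
photodiode trace, and the 'drive noise into the LED' mitigation.

Added example; not code from Hackaday or from the Glowworm researchers. The
sampling rate, coupling, drift and noise figures below are assumptions chosen to
illustrate the effect, not measurements."""
import math
import random

SAMPLE_RATE = 8000     # Hz, photodiode sampling rate (assumption)
LED_COUPLING = 0.01    # fractional brightness ripple per unit of audio (assumption)
SENSOR_NOISE = 0.001   # standard deviation of photodiode noise (assumption)


def constructed_audio(seconds=1.0, base_hz=400.0):
    """Stand-in for speech: two tones with peak amplitude 1. Constructed input."""
    n = int(seconds * SAMPLE_RATE)
    return [0.6 * math.sin(2 * math.pi * base_hz * i / SAMPLE_RATE)
            + 0.4 * math.sin(2 * math.pi * 2.3 * base_hz * i / SAMPLE_RATE)
            for i in range(n)]


def led_brightness(audio, jam_amplitude=0.0, seed=1):
    """Victim side. Each sample is a bright DC level, plus slow ambient drift,
    plus a tiny audio-correlated ripple (the supply rail sagging as the amplifier
    draws current), plus an optional random jamming signal driven into the LED
    on purpose, plus photodiode noise."""
    rng = random.Random(seed)
    trace = []
    for i, sample in enumerate(audio):
        drift = 0.05 * math.sin(2 * math.pi * 0.5 * i / SAMPLE_RATE)  # 0.5 Hz, e.g. room light
        ripple = LED_COUPLING * sample
        jam = jam_amplitude * rng.uniform(-1.0, 1.0)
        trace.append(1.0 + drift + ripple + jam + rng.gauss(0.0, SENSOR_NOISE))
    return trace


def recover_audio(trace, window=200):
    """Attacker side: subtract a centred moving average, a crude high-pass filter.
    The window (25 ms at 8 kHz) spans many audio cycles, so the DC level and the
    slow drift are removed while the audio-rate ripple survives."""
    prefix = [0.0]
    for value in trace:
        prefix.append(prefix[-1] + value)
    half = window // 2
    recovered = []
    for i in range(len(trace)):
        lo = max(0, i - half)
        hi = min(len(trace), i + half)
        local_mean = (prefix[hi] - prefix[lo]) / (hi - lo)
        recovered.append(trace[i] - local_mean)
    return recovered


def correlation(x, y):
    """Pearson correlation: 1.0 means the waveform was recovered exactly."""
    n = len(x)
    mean_x, mean_y = sum(x) / n, sum(y) / n
    sxy = sum((a - mean_x) * (b - mean_y) for a, b in zip(x, y))
    sxx = sum((a - mean_x) ** 2 for a in x)
    syy = sum((b - mean_y) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def leak_correlation(jam_amplitude=0.0):
    """How closely the audio recovered from the LED matches what was playing."""
    audio = constructed_audio()
    recovered = recover_audio(led_brightness(audio, jam_amplitude))
    return correlation(audio, recovered)


if __name__ == "__main__":
    print("no mitigation:", round(leak_correlation(0.0), 3))
    print("LED jammed:   ", round(leak_correlation(0.2), 3))
```

With the assumed figures the unjammed trace correlates almost perfectly with the source audio once the DC level and drift are filtered out, which is why “a little additional signal processing” matters: without the high-pass step the 5 % room-light drift swamps the 1 % audio ripple. Driving a random signal into the LED that is an order of magnitude larger than the ripple drops the correlation to near zero, which is the high-tech mitigation described above; tape over the LED removes the signal entirely.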

Passive bugs are hard to find. Even a fancy junction detector won’t tell you if your speakers are compromised by glow worm.

Source…

Valley News – Malware on employee’s company computer led to cyber attack on UVM Medical Center


One afternoon in late October, the information technology department at the University of Vermont Medical Center started receiving reports of glitching computer systems across its network.

Employees reported they were having trouble logging into business and clinical applications.

Some reported the systems weren’t working at all. Within a few hours, the IT department began to suspect the hospital was experiencing a cyberattack.

The possibility was very much on the IT team’s radar, as several other major hospital networks nationwide fell victim to cyberattacks earlier last fall.

Immediately, UVM Medical Center cut off all internet connections to the network to protect what data it could. Soon after, the department discovered a text file on a network computer, apparently left by the perpetrators of the attack.

“It basically said: ‘We encrypted your data; if you wanna get the key to un-encrypt it, contact us,’ ” explained Doug Gentile, senior VP of network information technology at the medical center. “There was no specific ransom note, no specific dollar amount or anything like that, it was just: ‘Here’s how you contact us.’ ”

The department immediately contacted the FBI and opted not to reach out to the attackers. “Even if you contact them, even if you pay them, you have no guarantee they’re gonna deliver anything,” Gentile said.

Over the ensuing weeks, UVM Medical Center worked closely with the FBI to investigate the source of the attack while the hospital operated without access to most of its data for several weeks.

“Of course we have standard procedures for if systems go down, but being down for two to three weeks is beyond what we ever expect. It was stressful for people,” Gentile said. The attack cost the hospital between $40 million and $50 million, mostly in lost revenue.

But it could have been worse.

“While it was a significant inconvenience and a big financial hit, the fact that no data was breached was huge,” Gentile said. When the cyberattack was discovered, hospital officials feared patient data could be stolen. Things like Social Security numbers, insurance information, and medical records were all on the line.

Often, in cases like…

Source…

Binance reveals how data analytics led to ransomware-linked money laundering bust


Crypto-exchange exploits OpSec mistakes to bust crooks

Binance offers details on how it is using data analytics to fight money laundering

The Binance cryptocurrency exchange has explained how advances in data analytics helped it track down a group of money launderers involved with various cybercrimes, including the notorious Clop ransomware operation.

Ukrainian police announced the arrest of individuals and the takedown of infrastructure related to the ‘Clop’ ransomware operation earlier this month.

Binance’s statement confirms that those arrested were cashing out and laundering funds, rather than being behind the creation of the ransomware.

The group – also known as FANCYCAT – had their fingers in numerous criminal scams including laundering money for dark web operators as well as ransomware peddlers.

Follow the (digital) money

As with the proceeds of drug dealing, funds extracted from victims through criminal activity such as ransomware need to be disguised before they can safely be spent in the real world on goods. That’s because any funds tied back to criminal activity can become the target of forfeiture orders.

Even if money is already in digital form there is a need to launder it, with abusing exchanges being one of the main techniques in play.

“Blockchain analysis shows a network of money launderers living inside macro exchanges which deposit and withdraw to each other to wash the money,” according to Binance, the Cayman Islands-domiciled crypto exchange.

Based on this insight, Binance was able to apply detection mechanisms to identify and interdict suspect accounts before working with law enforcement to build cases and take down criminal groups, as it explained in a blog post about the investigation.

We applied the two-pronged approach to the FANCYCAT investigation: our AML detection and analytics program detected suspicious activity on Binance.com and expanded the suspect cluster. Once we mapped out the complete suspect network, we worked with private sector chain analytics companies TRM Labs and Crystal (BitFury) to analyze on-chain activity and gain a better understanding of this group and its attribution.

Based on our analysis we found that this specific group was not only associated with laundering Clop…
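The “deposit and withdraw to each other” washing pattern Binance describes, and the “expanded the suspect cluster” step in its account of the FANCYCAT investigation, can be made concrete with a small graph routine. The following is an added example, not Binance’s code and not the TRM Labs or Crystal tooling; the ledger, the account names and the volume threshold are constructed assumptions.

```python
"""Suspect-cluster expansion over a transfer graph: starting from accounts flagged
by AML screening, pull in counterparties that both deposit to and withdraw from
the cluster (the 'deposit and withdraw to each other' washing pattern).

Added example; not Binance's code and not the TRM Labs or Crystal tooling. The
ledger, the account names and the volume threshold are constructed assumptions."""
from collections import defaultdict

# Constructed ledger of (sender, recipient, amount). All names are placeholders.
LEDGER = [
    ("ransom_cashout", "acct_A", 50.0),   # acct_A funded from a flagged address: the seed
    ("acct_A", "acct_B", 20.0), ("acct_B", "acct_A", 18.0),   # A and B round-trip funds
    ("acct_B", "acct_C", 15.0), ("acct_C", "acct_B", 14.0),   # C joins through B
    ("acct_A", "acct_D", 30.0), ("acct_D", "acct_A", 25.0),   # D round-trips with A
    ("acct_C", "merchant", 5.0),                              # one-way spend: not a launderer
    ("acct_E", "acct_B", 2.0), ("acct_B", "acct_E", 1.5),     # mutual but trivial volume
]

MIN_MUTUAL_VOLUME = 5.0   # assumption: each direction must carry at least this much


def aggregate_flows(ledger):
    """Collapse individual transfers into total volume per (sender, recipient) pair."""
    flows = defaultdict(float)
    for sender, recipient, amount in ledger:
        flows[(sender, recipient)] += amount
    return dict(flows)


def mutual_volume(flows, cluster, account):
    """Volume the cluster sent to `account` and volume `account` sent back."""
    deposits = sum(flows.get((member, account), 0.0) for member in cluster)
    withdrawals = sum(flows.get((account, member), 0.0) for member in cluster)
    return deposits, withdrawals


def expand_cluster(ledger, seeds, min_volume=MIN_MUTUAL_VOLUME):
    """Grow the cluster to a fixed point. A counterparty joins only if money moves
    in both directions between it and existing members above `min_volume`; a
    one-way payee (the merchant) or a trivial round-trip stays out, which keeps
    ordinary customers of the same exchange from being swept in."""
    flows = aggregate_flows(ledger)
    accounts = {name for sender, recipient, _ in ledger for name in (sender, recipient)}
    cluster = set(seeds)
    changed = True
    while changed:
        changed = False
        for account in sorted(accounts - cluster):
            deposits, withdrawals = mutual_volume(flows, cluster, account)
            if deposits >= min_volume and withdrawals >= min_volume:
                cluster.add(account)
                changed = True
    return cluster


def cluster_evidence(ledger, cluster):
    """Per-member (received from cluster, sent to cluster) totals, the kind of
    summary handed to law enforcement when building a case."""
    flows = aggregate_flows(ledger)
    return {member: mutual_volume(flows, cluster - {member}, member)
            for member in sorted(cluster)}


if __name__ == "__main__":
    suspects = expand_cluster(LEDGER, {"acct_A"})
    print("cluster:", sorted(suspects))
    for member, (received, sent) in cluster_evidence(LEDGER, suspects).items():
        print(f"{member}: received {received:.1f} from cluster, sent {sent:.1f} back")
```

The bidirectional-volume rule is the point of the example: a plain “everyone who ever transacted with a suspect” expansion would pull in the merchant and every small counterparty, which is exactly the false-positive problem an exchange-side AML team has to avoid before handing a cluster to investigators. Lowering `min_volume` shows the trade-off, since the tiny acct_E round-trip is then swept in too.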

Source…