Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor

By: Mohit Kumar

Researchers have discovered a severe vulnerability in Cisco products that could allow attackers to implant a persistent backdoor on a wide range of devices used in enterprise and government networks, including routers, switches, and firewalls.

Dubbed Thrangrycat or 😾😾😾, the vulnerability, discovered by researchers from the security firm Red Balloon and identified as CVE-2019-1649, affects multiple Cisco products that support the Trust Anchor module (TAm).

The Trust Anchor module (TAm) is a hardware-based Secure Boot function implemented in almost all Cisco enterprise devices since 2013; it ensures that the firmware running on the hardware platform is authentic and unmodified.

However, the researchers found a series of hardware design flaws that could allow an authenticated attacker to make persistent modifications to the Trust Anchor module by altering its FPGA bitstream and then load a malicious bootloader.

“An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory. Elements of this bitstream can be modified to disable critical functionality in the TAm,” researchers said.
“Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.”
Chaining With Remote Bugs: No Physical Access Required

Since exploiting the vulnerability requires root privileges, an advisory released by Cisco stressed that only a local attacker with physical access to the targeted system could write a modified firmware image to the component.

However, Red Balloon researchers explained that attackers could also exploit the Thrangrycat vulnerability remotely by chaining it together with other flaws that could allow them to gain root access or, at least, execute commands as root.

To demonstrate this attack, the researchers revealed an RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS operating system that allows a logged-in administrator to remotely execute arbitrary commands on the underlying Linux shell of an affected device with root privileges.

More: https://thehackernews.com/2019/05/cisco-secure-boot-bypass.html?m=1

iPhone Hacking Campaign Using MDM Software Is Broader Than Previously Known

By: Swati Khandelwal

An India-linked, highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including Windows devices and possibly Android as well.

As reported in our previous article, earlier this month researchers at the Talos threat intelligence unit discovered a group of Indian hackers abusing a mobile device management (MDM) service to hijack and spy on a few targeted iPhone users in India.

Operating since August 2015, the attackers have been found abusing the MDM service to remotely install malicious versions of legitimate apps, including Telegram, WhatsApp, and PrayTime, onto targeted iPhones.

These modified apps have been designed to secretly spy on iOS users and steal their real-time location, SMS, contacts, photos and private messages from third-party chat applications.

During their ongoing investigation, Talos researchers identified a new MDM infrastructure and several malicious binaries – designed to target victims running Microsoft Windows operating systems – hosted on the same infrastructure used in previous campaigns.

  • Ios-update-whatsapp[.]com (new)
  • Wpitcher[.]com
  • Ios-certificate-update.com

“We know that the MDM and the Windows services were up and running on the same C2 server in May 2018,” researchers said in a blog post published today.

“Some of the C2 servers are still up and running at this time. The Apache setup is very specific, and perfectly matched the Apache setup of the malicious IPA apps.”
Possible Connections with “Bahamut Hacking Group”


Defending hospitals against life-threatening cyberattacks

By: Mohammad S. Jalali

Like any large company, a modern hospital has hundreds – even thousands – of workers using countless computers, smartphones and other electronic devices that are vulnerable to security breaches, data thefts and ransomware attacks. But hospitals are unlike other companies in two important ways. They keep medical records, which are among the most sensitive data about people. And many hospital electronics help keep patients alive, monitoring vital signs, administering medications, and even breathing and pumping blood for those in the most dire conditions.

A 2013 data breach at the University of Washington Medicine medical group compromised about 90,000 patients’ records and resulted in a US$750,000 fine from federal regulators. In 2015, the UCLA Health system, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for 4.5 million patients. Cyberattacks can interrupt medical devices, close emergency rooms and cancel surgeries. The WannaCry attack, for instance, disrupted a third of the UK’s National Health Service organizations, resulting in canceled appointments and operations. These sorts of problems are a growing threat in the health care industry.

Protecting hospitals’ computer networks is crucial to preserving patient privacy – and even life itself. Yet recent research shows that the health care industry lags behind other industries in securing its data.

I’m a systems scientist at MIT Sloan School of Management, interested in understanding complex socio-technical systems such as cybersecurity in health care. A former student, Jessica Kaiser, and I interviewed hospital officials in charge of cybersecurity and industry experts, to identify how hospitals manage cybersecurity issues. We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees’ roles line up with cybersecurity efforts.

More: https://theconversation-com.cdn.ampproject.org/c/s/theconversation.com/amp/defending-hospitals-against-life-threatening-cyberattacks-93052

Inside New York City Cyber Command — a government agency most people know nothing about that’s leading America’s biggest city into the future

By: Brennan Weiss

NEW YORK — In the fall of 2012, President Barack Obama’s defense secretary, Leon Panetta, arrived on Manhattan’s west side to deliver an unprecedented speech about cyber warfare.

Aboard the USS Intrepid, the legendary World War II aircraft carrier now functioning as a museum along the banks of the Hudson River, Panetta devoted his entire speech to a topic seldom discussed in public by such a senior government official, let alone a member of the president’s Cabinet.

The US was on the verge of a “cyber Pearl Harbor,” Panetta warned.

Photo: Former US Defense Secretary Leon Panetta. (Francois Lenoir/Reuters)

Attackers could target and shut down power plants, water treatment facilities, and gas pipelines that would “cause physical destruction and the loss of life. It would paralyze and shock the nation and create a new, profound sense of vulnerability.”

Panetta’s words were stretched for emphasis and enunciated with such clarity that it was impossible to overlook what he was saying:

A cyber Pearl Harbor.

The invocation of one of the deadliest attacks ever on American soil would surely raise some eyebrows. But the tides of war were changing, and Panetta wanted the country to know about it in no uncertain terms.

The speech struck a chord with the crowd of mostly New York City business executives and national security professionals.

Among them, sitting at a far-off table in the corner of the room, was a little-known cybersecurity specialist named Geoff Brown.

MORE: http://www.businessinsider.com/nyc-cyber-command-protecting-new-yorkers-2018-4

Microsoft Won’t Patch a Severe Skype Vulnerability Anytime Soon

By: sikur
by Swati Khandelwal

February 14, 2018

A serious vulnerability has been discovered in Skype, Microsoft’s most popular free web messaging and voice-calling service, that could potentially allow attackers to gain full control of the host machine by granting system-level privileges to a local, unprivileged user.

The worst part is that this vulnerability will not be patched by Microsoft anytime soon.

It’s not because the flaw is unpatchable, but because fixing the vulnerability requires a significant software rewrite, which indicates that the company will need to issue an all-new version of Skype rather than just a patch.

The vulnerability has been discovered and reported to Microsoft by security researcher Stefan Kanthak and resides in Skype’s update installer, which is susceptible to Dynamic Link Libraries (DLL) hijacking.

According to the researcher, a potential attacker could exploit the “functionality of the Windows DLL loader where the process loading the DLL searches for the DLL to be loaded first in the same directory in which the process binary resides and then in other directories.”

Exploiting this preferential search order would let an attacker hijack the update process by placing a malicious DLL, named to match a legitimate one, in a temporary folder on the Windows PC, a location that an unprivileged user can write to without any special account privileges.
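As an added example that is not part of the article or of Kanthak’s report, the following PowerShell audit lets a Windows administrator check the precondition described above: whether the directory an installer runs from grants file-creation rights to unprivileged principals, which is what would let a planted DLL be picked up ahead of the system copy. The executable path and script name are placeholders.

```powershell
# Added example, not from the article: audit the directory an installer runs from for
# write access by non-administrative principals. The Windows loader checks that
# directory before the system directories when resolving a DLL name, so a
# user-writable directory beside a privileged installer is the precondition described.
# Usage (placeholder path): .\Audit-DllSearchDir.ps1 -ExecutablePath "$env:TEMP\setup.exe"
param(
    [string]$ExecutablePath = "$env:TEMP\example-installer.exe"  # placeholder default
)

# Principals whose write access means any standard user can plant a file here.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# FILE_ADD_FILE (CreateFiles, 0x2) permits creating a new file in a directory; Write,
# Modify and FullControl include it. Some inherited ACEs carry raw GENERIC_WRITE
# (0x40000000) or GENERIC_ALL (0x10000000) instead, so test those bits as well.
$CreateFileBit = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$GenericBits   = 0x40000000 -bor 0x10000000

function Test-LowPrivWritable {
    param([string]$Directory)
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int64]$ace.FileSystemRights.value__
        if ((($rights -band $CreateFileBit) -ne 0) -or (($rights -band $GenericBits) -ne 0)) {
            return $true
        }
    }
    return $false
}

$searchDir = Split-Path -Parent $ExecutablePath
if (-not (Test-Path -LiteralPath $searchDir -PathType Container)) {
    Write-Error "Directory not found: $searchDir"; exit 1
}

# DLLs already sitting beside the executable win over the system copies of the same name.
$sideBySide = Get-ChildItem -LiteralPath $searchDir -Filter '*.dll' -File |
              Select-Object -ExpandProperty Name

if (Test-LowPrivWritable -Directory $searchDir) {
    Write-Warning "'$searchDir' is writable by unprivileged users: a DLL planted here is loaded"
    Write-Warning "ahead of the system copy whenever '$ExecutablePath' runs with elevated rights."
} else {
    Write-Output "OK: '$searchDir' grants no file-creation rights to low-privilege principals."
}
if ($sideBySide) {
    Write-Output "DLLs beside the executable (verify publisher signatures): $($sideBySide -join ', ')"
}
```

The mitigation the check points at is the one the article implies: an elevated installer should execute from a directory that standard users cannot write to, or load its DLLs by fully qualified path.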


Critical Flaw in Grammarly Spell Checker Could Let Attackers Steal Your Data

By: sikur
by Swati Khandelwal

February 05, 2018

A critical vulnerability discovered in the Chrome and Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 million users’ accounts, including their personal documents and records, vulnerable to remote hackers.

According to Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability on February 2, the Chrome and Firefox extension of Grammarly exposed authentication tokens to all websites that could be grabbed by remote attackers with just 4 lines of JavaScript code.

In other words, any website a Grammarly user visits could steal his or her authentication tokens, which is enough to log in to the user’s account and access all “documents, history, logs, and all other data” without permission.

“I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” Ormandy said in a vulnerability report. “Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”

Ormandy has also provided a proof-of-concept (PoC) exploit, which explains how one can easily trigger this serious bug to steal a Grammarly user’s access token with just four lines of code.
