Over 40 Drivers Could Let Hackers Install Persistent Backdoor On Windows PCs

By: Swati Khandelwal

If you own a device, or a hardware component, manufactured by ASUS, Toshiba, Intel, NVIDIA, Huawei, or 15 other vendors listed in the report, you’re probably screwed.

A team of security researchers has discovered high-risk security vulnerabilities in more than 40 drivers from at least 20 different vendors that could allow attackers to gain the most privileged permissions on the system and hide malware in a way that remains undetected over time, sometimes for years.

For sophisticated attackers, maintaining persistence after compromising a system is one of the most important tasks, and to achieve this, existing hardware vulnerabilities sometimes play an important role.

One such component is a device driver, commonly known as a driver or hardware driver, a software program that controls a particular type of hardware device, helping it to communicate with the computer’s operating system properly.

Since device drivers sit between the hardware and the operating system itself and in most cases have privileged access to the OS kernel, a security weakness in this component can lead to code execution at the kernel layer.

This privilege escalation attack can move an attacker from user mode (Ring 3) to OS kernel mode (Ring 0), as shown in the image, allowing them to install a persistent backdoor in the system that the user would probably never notice.


Discovered by researchers at the firmware and hardware security firm Eclypsium, some of the new vulnerabilities could allow arbitrary read/write of kernel memory, model-specific registers (MSRs), Control Registers (CR), Debug Registers (DR), and physical memory.

“All these vulnerabilities allow the driver to act as a proxy to perform highly privileged access to the hardware resources, which could allow attackers to turn the very tools used to manage a system into powerful threats that can escalate privileges and persist invisibly on the host,” the researchers explain in their report titled ‘Screwed Drivers.’
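The practical question after reading the report is “which of these drivers are loaded on my machines?”. The script below is an added example, not code from Eclypsium or from the article: run from an elevated PowerShell prompt, it inventories the kernel drivers currently loaded, records each file’s vendor (from its version resource) and its Authenticode signer, and reports whether Hypervisor-protected Code Integrity (HVCI) is running. Two points it assumes rather than takes from the page: the WHQL signing certificate is identified here by the “Hardware Compatibility Publisher” string in its subject, and the `Win32_DeviceGuard` class reports HVCI as the value 2 in `SecurityServicesRunning`. Note that a valid signature does not clear a driver: the drivers in the report are legitimate vendor tools, and WHQL-signed vendor drivers carry a Microsoft signature, so the useful field for review is the vendor, not the signer.

```powershell
# Added example, not code from the Eclypsium report or the article above.
# Run from an elevated PowerShell prompt on the Windows host being audited.

function Get-LoadedKernelDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # The service database stores NT-style paths; normalise them so
            # Test-Path and Get-AuthenticodeSignature can open the file.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $file   = Get-Item -LiteralPath $path
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            [pscustomobject]@{
                Name      = $_.Name
                Vendor    = $file.VersionInfo.CompanyName
                Path      = $path
                SigStatus = $sig.Status
                Signer    = $signer
                # Assumption: WHQL-signed vendor drivers show this CN in the
                # signer subject. The signer alone does not say who wrote the driver.
                Whql      = $signer -match 'Hardware Compatibility Publisher'
            }
        }
}

function Test-HvciRunning {
    # Assumption: SecurityServicesRunning contains 2 when HVCI is on. HVCI does
    # not stop a signed-but-abusable driver from loading, but it blocks the
    # unsigned code such a driver would otherwise be used to push into the kernel.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

# Everything not built by Microsoft, whatever signed it, is the review list to
# compare against the vendor advisories.
Get-LoadedKernelDriverInventory |
    Where-Object { $_.Vendor -notmatch 'Microsoft' } |
    Sort-Object Vendor, Name |
    Format-Table Name, Vendor, SigStatus, Whql, Path -AutoSize

"HVCI running: $(Test-HvciRunning)"
```

The inventory only covers drivers that are loaded right now; a vulnerable driver that is installed but stopped can still be started by an administrator-level attacker, so the same check against the `Stopped` state, or against the files under `System32\drivers`, is worth running as well.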

More: https://thehackernews.com/2019/08/windows-driver-vulnerability.html?m=1

Facebook Plans on Backdooring WhatsApp

By: Bruce Schneier

This article points out that Facebook’s planned content moderation scheme will result in an encryption backdoor into WhatsApp:

In Facebook’s vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user’s device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.

The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as a true wiretapping service.

Facebook’s model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once.

Once this is in place, it’s easy for the government to demand that Facebook add another filter — one that searches for communications that they care about — and alert them when it gets triggered.

Of course alternatives like Signal will exist for those who don’t want to be subject to Facebook’s content moderation, but what happens when this filtering technology is built into operating systems?

More: https://www.schneier.com/blog/archives/2019/08/facebook_plans_.html

Telegram founder needles rival and says “WhatsApp will never be secure”

By: Márcio Padrão

Now that Telegram is back in the Brazilian news because of the reports by the portal “The Intercept” featuring private conversations inside the app between the Minister of Justice, Sergio Moro, and Lava-Jato prosecutor Deltan Dallagnol, it is worth recalling that the messaging app gave its eternal rival, WhatsApp, a good jab a few weeks ago.

An article signed by Pavel Durov, the Russian co-founder and current chief executive of Telegram, was published on the app’s official site under the provocative title: “Why WhatsApp Will Never Be Secure”. And it is not a question, since it does not end with a question mark. Durov is stating it flatly.

Published on May 15, before the “Intercept” reports, the text begins by recalling two recent security flaws involving WhatsApp: one from May of this year gave the hacker the ability to remotely spy on target phones through the phone’s camera and microphone, as well as extract assorted data from the device; the other, reported in October 2018, gave hackers the power to crash other people’s WhatsApp with a video call.

And that is where Durov makes his case:

“Every time WhatsApp needs to fix a critical vulnerability in its app, a new one appears in its place. All of its security problems are conveniently geared toward surveillance, and look and work like backdoors.”

Pavel Durov, co-founder of Telegram.

“Backdoor”, for those who don’t know, is the technical term for a kind of security hole that allows personal and sensitive data to be extracted from a program or operating system without its user noticing. A backdoor can be implemented on purpose by the software’s developer.

Durov continues: “Unlike Telegram, WhatsApp is not open source, so there is no way for security researchers to check whether there are backdoors in its code. WhatsApp not only does not publish its code, it does the opposite: WhatsApp deliberately obfuscates its applications’ binaries so that nobody is able to study them.”

More: https://noticias.uol.com.br/tecnologia/noticias/redacao/2019/06/17/fundador-do-telegram-provoca-rival-e-diz-que-o-whatsapp-nunca-sera-seguro.htm

Germany: Backdoor found in four smartphone models; 20,000 users infected

By: Catalin Cimpanu

German cyber-security agency warns against buying or using four low-end smartphone models.

The German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI) has issued security alerts today warning about dangerous backdoor malware found embedded in the firmware of at least four smartphone models sold in the country.

Impacted models include the Doogee BL7000, the M-Horse Pure 1, the Keecoo P11, and the VKworld Mix Plus (malware present in the firmware, but inactive). All four are low-end Android smartphones.

PHONES INFECTED WITH BACKDOOR TROJAN

The BSI said the phones’ firmware contained a backdoor trojan named Andr/Xgen2-CY.

UK cyber-security firm Sophos Labs first spotted this malware strain in October 2018. In a report it published at the time, Sophos said the malware was embedded inside an app named SoundRecorder, included by default on uleFone S8 Pro smartphones.

Sophos said Andr/Xgen2-CY was designed to work as an unremovable backdoor on infected phones.

The malware’s basic design was to start running once the phone was turned on, collect details about an infected phone, ping back its command-and-control server, and wait for future instructions.

According to Sophos, Andr/Xgen2-CY could collect data such as:

  • The device’s phone number
  • Location information, including longitude, latitude, and a street address
  • IMEI identifier and Android ID
  • Screen resolution
  • Manufacturer, model, brand, OS version
  • CPU information
  • Network type
  • MAC address
  • RAM and ROM size
  • SD Card size
  • Language and country
  • Mobile phone service provider

More: https://www.zdnet.com/article/germany-backdoor-found-in-four-smartphone-models-20000-users-infected/

ESET discovers malware that takes full control of e-mail communication

By: TI Inside Online

ESET has discovered LightNeuron, a Microsoft Exchange backdoor that can read, modify or block any e-mail passing through the server, including writing new messages and sending them under the identity of any legitimate user of the attackers’ choosing. The malware is controlled remotely through PDF and JPG attachments hidden in messages received by users.

LightNeuron has been targeting Microsoft Exchange mail servers since at least 2014. ESET researchers identified three different organizations victimized by the threat, including a ministry of foreign affairs in an Eastern European country and a regional diplomatic organization in the Middle East. In Brazil, however, it is not yet known which organization was affected.

LightNeuron is the first known malware to misuse the Microsoft Exchange mail transfer mechanism. “In the mail server architecture, LightNeuron can operate with the same level of trust as security products such as spam filters. As a result, this malware gives the attacker full control over the mail server and therefore over all of the users’ communication,” explains Matthieu Faou, the ESET malware researcher who led the investigation.

ESET researchers collected evidence suggesting that LightNeuron belongs to the Turla espionage group, also known as Snake. This group and its activities are widely investigated by ESET. “We believe IT security professionals should be aware of this new threat,” says Faou.

To make the command-and-control (C&C) e-mails look innocent, LightNeuron uses steganography to hide its commands inside valid PDF or JPG files. The ability to control e-mail communication makes LightNeuron a perfect tool for leaking documents and also for controlling other local machines through a C&C mechanism that is very hard to detect and block.

More: http://tiinside.com.br/tiinside/13/05/2019/


‘LightNeuron’ backdoor receives secret commands via Microsoft Exchange email servers; Russian link suspected

By: Bradley Barth

Researchers have uncovered what they say is the very first malware to achieve persistence in Microsoft Exchange email servers, which allows attackers to secretly execute commands via malicious emails featuring attachments with hidden code.

Dubbed LightNeuron, the furtive backdoor has been targeting Exchange servers since at least 2014, according to a blog post from ESET, whose researchers have provisionally linked the threat to the Russian cyber espionage group Turla. ESET discovered the backdoor on three victims: an unidentified Brazilian organization, a Ministry of Foreign Affairs in Eastern Europe and a regional diplomatic organization in the Middle East.

In addition to the confirmed Windows-based version, ESET believes there may be a Linux variant in use as well, based on artifacts turned up during its investigation.

The key to LightNeuron’s persistence technique is its ability to leverage “transport agents,” which according to Microsoft are tools that let users install custom software on Exchange servers and then process email messages that pass through the transport pipeline. These Transport Agents are granted the same level of trust as spam filters and other security products, ESET explains, which makes a successful infection all the more dangerous and hard to detect.

Using XML-based rules, a LightNeuron Transport Agent can interfere with a victim’s emails in a variety of ways — blocking them; composing and sending new ones; modifying their content, subjects and recipients; replacing attachments and more.

But the attackers can do much more than alter emails. They can also send commands via the compromised Exchange program, enabling them to write executables, launch executables and processes, delete or exfiltrate sensitive files and essentially control local machines via its command-and-control infrastructure.

To achieve this, the attackers simply send an email with a specially crafted PDF document or JPG image to any email address belonging to the infected organization. The commands inside these attached documents are hidden using steganography techniques.

“Once an email is recognized as a command email, the command is executed and the email is blocked directly on the Exchange server. Thus, it is very stealthy and the original recipient will not be able to view it,” states the blog post, authored by ESET researcher Matthieu Faou. Faou also penned an accompanying white paper that further details the threat.
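Both pieces above (the TI Inside summary and this one) make the same point: the backdoor is a transport agent, registered with Exchange and trusted like a spam filter. The natural check is therefore to list the transport agents on every Mailbox server and see what implements them. The script below is an added example, not ESET’s code or anything from the white paper; it runs in the Exchange Management Shell and uses the `Get-TransportAgent` cmdlet with its `-TransportService` parameter (Exchange 2013 and later), reading the `AssemblyPath` and `TransportAgentFactory` properties of each agent and checking the DLL’s vendor and Authenticode signature. It assumes `$env:ExchangeInstallPath` is set, as it is on those servers, and that Microsoft’s built-in agents live under that directory.

```powershell
# Added example, not from ESET's report. Run in the Exchange Management Shell
# on each Mailbox server (and on Edge servers with -Services 'Edge').

function Get-TransportAgentInventory {
    param(
        [string[]] $Services = @('Hub', 'FrontEnd', 'MailboxSubmission', 'MailboxDelivery')
    )

    foreach ($svc in $Services) {
        foreach ($agent in (Get-TransportAgent -TransportService $svc)) {
            $dll    = $agent.AssemblyPath
            $exists = $dll -and (Test-Path -LiteralPath $dll)
            $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }
            $vendor = if ($exists) { (Get-Item -LiteralPath $dll).VersionInfo.CompanyName } else { $null }

            [pscustomobject]@{
                Service       = $svc
                Identity      = $agent.Identity
                Enabled       = $agent.Enabled
                Priority      = $agent.Priority
                Factory       = $agent.TransportAgentFactory
                Assembly      = $dll
                Vendor        = $vendor
                SigStatus     = if ($sig) { $sig.Status } else { 'n/a' }
                Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                # Assumption: the shipped Microsoft agents sit under the Exchange
                # install directory; anything registered from elsewhere is suspect.
                InExchangeDir = [bool]($dll -like "$env:ExchangeInstallPath*")
            }
        }
    }
}

# Review list: agents outside the install directory, agents whose DLL is not
# validly signed, and agents whose vendor is not Microsoft. A disabled agent
# still counts, since it can be re-enabled with one cmdlet.
Get-TransportAgentInventory |
    Where-Object {
        -not $_.InExchangeDir -or
        $_.SigStatus -ne 'Valid' -or
        $_.Vendor -notmatch 'Microsoft'
    } |
    Format-List Service, Identity, Enabled, Priority, Factory, Assembly, Vendor, SigStatus, Signer
```

A clean list does not prove a clean server, since an agent DLL can be given a plausible vendor string and a stolen or purchased certificate; what it gives you is a small set of files to hash and compare across servers and against a known-good build, which is far easier than reasoning about every message that crossed the transport pipeline.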

More: https://www.scmagazine.com/home/security-news/lightneuron-backdoor

Vodafone Found Hidden Backdoors in Huawei Equipment

By: Daniele Lepido

 

While the carrier says the issues found in 2011 and 2012 were resolved at the time, the revelation may further damage the reputation of a Chinese powerhouse.

For months, Huawei Technologies Co. has faced U.S. allegations that it flouted sanctions on Iran, attempted to steal trade secrets from a business partner and has threatened to enable Chinese spying through the telecom networks it’s built across the West.

 Now Vodafone Group Plc has acknowledged to Bloomberg that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business. While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China’s global technology prowess.

Europe’s biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone’s security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.

Vodafone asked Huawei to remove backdoors in home internet routers in 2011 and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained, the documents show. Vodafone also identified backdoors in parts of its fixed-access network known as optical service nodes, which are responsible for transporting internet traffic over optical fibers, and other parts called broadband network gateways, which handle subscriber authentication and access to the internet, the people said. The people asked not to be identified because the matter was confidential.

More: https://www.bloomberg.com/news/articles/2019-04-30/vodafone-found-hidden-backdoors-in-huawei-equipment

OnePlus Left A Backdoor That Allows Root Access Without Unlocking Bootloader

By: sikur


by Swati Khandelwal

November 13, 2017

Another terrible news for OnePlus users.

Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.

A Twitter user, who goes by the name “Elliot Anderson” (named after Mr. Robot’s main character), discovered a backdoor (an exploit) in all OnePlus devices running OxygenOS that could allow anyone to obtain root access to the devices.

The application in question is “EngineerMode,” a diagnostic testing application made by Qualcomm for device manufacturers to easily test all hardware components of the device.

This APK comes pre-installed (accidentally left behind) on most OnePlus devices, including OnePlus 2, 3, 3T, and the newly-launched OnePlus 5. We can confirm its existence on the OnePlus 2, 3 and 5.

You can also check if this application is installed on your OnePlus device or not. For this, simply go to settings, open apps, enable show system apps from top right corner menu (three dots) and search for EngineerMode.APK in the list.

MORE: https://thehackernews.com/2017/11/oneplus-root-exploit.html


Gazer: A New Backdoor Targets Ministries and Embassies Worldwide

By: sikur


Security researchers at ESET have discovered a new malware campaign targeting consulates, ministries and embassies worldwide to spy on governments and diplomats.

Active since 2016, the malware campaign is leveraging a new backdoor, dubbed Gazer, and is believed to be carried out by Turla advanced persistent threat (APT) hacking group that’s been previously linked to Russian intelligence.

Gazer, written in C++, is delivered via spear-phishing emails and hijacks targeted computers in two steps: first, the malware drops the Skipper backdoor, which has previously been linked to Turla, and then it installs the Gazer components.

MORE: https://thehackernews.com/2017/08/gazer-backdoor-malware.html?m=1


Malware campaign targets Russian-Speaking companies with a new Backdoor

By: sikur

By Pierluigi Paganini

Trend Micro spotted a new espionage campaign that has been active for at least 2 months and that is targeting Russian-speaking firms with a new backdoor

Security experts at Trend Micro have spotted a new cyber espionage campaign that has been active for at least two months and that is targeting Russian-speaking enterprises delivering a new Windows-based backdoor, Trend Micro warns.

The hackers leverage many exploits and Windows components to run malicious scripts and avoid detection. The last sample associated with this attack was uploaded to VirusTotal on June 6, 2017, and experts at Trend Micro observed five spam campaigns running from June 23 to July 27, 2017.

MORE: http://securityaffairs.co/wordpress/61906/hacking/backdoor-target-russian-speaking-firm.html
