Explained – How Intel AMT Vulnerability Allows to Hack Computers Remotely

May 5, 2017 – 4:35 PM
Earlier this week Intel announced a critical escalation-of-privilege bug that affects the remote management features that have shipped with Intel server chipsets for the past 7 years, which, if exploited, would allow a remote attacker to take control of vulnerable PCs, laptops, or servers.

The vulnerability, labeled CVE-2017-5689, affects Intel remote management technologies, including Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) software, versions 6 through 11.6.

The flaw was originally discovered in mid-February by Maksim Malyutin, a member of the Embedi research team, who then responsibly disclosed it to the Intel security team.

My previous article, published earlier this week, was based on the partial information Maksim shared with The Hacker News; because the reported Intel AMT vulnerability was highly critical and could be exploited remotely, Embedi withheld the technical details until most sysadmins had updated their systems with patched firmware.

Today, the Embedi research team has disclosed the complete technical details of the critical vulnerability, and I have compiled this piece explaining:

  • What is Intel AMT technology?
  • Where does the Intel AMT vulnerability reside?
  • How can an attacker exploit the Intel AMT vulnerability?

Source:
https://thehackernews.com/2017/05/intel-amt-vulnerability.html

Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

April 15, 2017 – 7:05 PM

There is a phishing attack that is receiving much attention today in the security community.

As a reminder: a phishing attack is when an attacker sends you an email that contains a link to a malicious website. You click on the link because it appears to be trusted. Merely visiting the website may infect your computer, or you may be tricked into signing into the malicious site with credentials from a site you trust. The attacker then has access to your username, password and any other sensitive information they can trick you into providing.

This variant of a phishing attack uses Unicode (internationalized domain name) characters to register domains that, once rendered by the browser, look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.

This affects the current version of the Chrome browser, which is version 57.0.2987, and the current version of Firefox, which is version 52.0.2. This does not affect Internet Explorer or Safari browsers.

We created our own example to demonstrate how an attacker can register their own domain that looks identical to another company’s domain in the browser. We decided to imitate a healthcare site called ‘epic.com’ by registering our own fake site. You can visit our demo site here in Chrome or Firefox. For comparison you can click here to visit the real epic.com.
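As an added example (not code from the Wordfence post), this is the check a defender can run on the hostname of a link before trusting it: decode any punycode (`xn--`) labels the way a browser would, then flag labels that mix scripts or consist entirely of Cyrillic letters that render like ASCII. The confusables map is a hand-picked subset of Unicode's UTS #39 data, and the sample hostnames are constructed for the demonstration.

```python
import unicodedata

# Hand-picked subset of the Unicode confusables data (UTS #39): Cyrillic letters
# that common fonts render identically to ASCII letters. Assumption: partial map.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u0501": "d", "\u04bb": "h", "\u051b": "q", "\u051d": "w",
}

def to_unicode(hostname: str) -> str:
    """Decode punycode ('xn--') labels as they appear in a URL; pass Unicode through."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return hostname  # already in Unicode form

def label_scripts(label: str) -> set:
    """Scripts used in one label, read off the Unicode character names (digits, hyphen ignored)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch not in "-0123456789"}

def skeleton(text: str) -> str:
    """Replace confusable Cyrillic letters with the ASCII letters they resemble."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)

def assess_hostname(hostname: str) -> dict:
    """Flag labels a browser may render as an ASCII look-alike of another domain.
    Returns the decoded name, its ASCII skeleton and a list of (label, reason)."""
    decoded = to_unicode(hostname.lower())
    findings = []
    for label in decoded.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        elif scripts == {"CYRILLIC"} and skeleton(label).isascii():
            findings.append((label, "whole-script confusable, renders like '%s'" % skeleton(label)))
    return {"decoded": decoded, "skeleton": skeleton(decoded), "findings": findings}

if __name__ == "__main__":
    # Constructed samples: a Cyrillic look-alike of epic.com, a mixed-script label,
    # a legitimate Latin-script IDN and the real ASCII name.
    for host in ["\u0435\u0440\u0456\u0441.com", "e\u0440ic.com", "m\u00fcnchen.de", "epic.com"]:
        print(host, "->", assess_hostname(host))
```

Run over the hostnames of every link in inbound mail, the returned skeleton can be compared against the list of domains the organisation actually uses, which catches the look-alike even when the raw URL only shows an `xn--` label.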

Source:
https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

Most of the Shadow Brokers exploits are already patched

April 15, 2017 – 10:53 AM

This is getting a ton of press lately, but here is Microsoft’s response to the latest leaks:

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandably, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.

When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center (MSRC) kicks off an immediate and thorough investigation. We work to swiftly validate the claim and make sure legitimate, unresolved vulnerabilities that put customers at risk are fixed. Once validated, engineering teams prioritize fixing the reported issue as soon as possible, taking into consideration the time to fix it across any impacted product or service, as well as versions, the potential threat to customers, and the likelihood of exploitation.

Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

Source:
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

Booby-trapped Word documents in the wild exploit critical Microsoft 0day

April 8, 2017 – 5:03 PM

There’s a new zeroday attack in the wild that’s surreptitiously installing malware on fully-patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that’s disguised to look like a document created in Microsoft’s Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from “different well-known malware families.”

The attack is notable for several reasons. First, it bypasses most exploit mitigations: This capability allows it to work even against Windows 10, which security experts widely agree is Microsoft’s most secure operating system to date. Second, unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn’t require targets to enable macros. Last, before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened.

The zeroday attacks were first reported Friday evening by researchers from security firm McAfee.

Source:
https://arstechnica.com/security/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/

Fake Font Update on Google Chrome Uses Social Engineering to Infect Users with Ransomware

February 24, 2017 – 8:57 PM

We’ve seen social engineering attacks manipulate users time and time again. From phishing emails, to baiting attempts – this breed of cyberthreat has continued to manipulate users for years. And now a new scam has emerged that utilizes a fake update on Google Chrome to trick users into downloading and infecting themselves with the infamous Spora ransomware.

The trick is simple. First, the attackers insert JavaScript into poorly secured, but legitimate websites to modify the text rendering on them. Then, when victims visit these sites, the script makes the website indecipherable and prompts them to fix the issue by updating their “Chrome font pack.” Essentially, a window pops up, showing, “The ‘HoeflerText’ font wasn’t found,” and users are asked to update the Chrome Font Pack. And if they click, they’re immediately infected with the highly-effective Spora ransomware, instead of an update for their browser.

So why is this attack seeing such easy success? Believe it or not, Hoefler Text is, in fact, a real font, adding a sense of legitimacy to the scam. However, the malware has primarily seen so much success due to its ability to fly under the radar, as it does not get flagged as an infection by a variety of security programs.

What’s worse is that this isn’t the first time this has happened – delivery of malware through the EITest redirect gates has been around since at least 2014. Additionally, the infected sites and samples change all the time, and simply blocking URLs, domains, and IPs at the perimeter would just be playing “whack-a-mole.”

In fact, EITest gates are typically used in combination with the RIG, Angler, and Sundown EKs to redirect victims to quite a few ransomware strains, including Spora, CryptoShield, CryptoMix, and Cerber, as well as banking Trojans and various other malware types.

Source:
https://securingtomorrow.mcafee.com/business/fake-font-update-google-chrome-uses-social-engineering-infect-users-ransomware/
