Friday, November 7, 2014

Methodologies for exploiting vulnerabilities that never go out of style

On June 25, 2012, Apple quietly changed the wording on OS X’s official website, replacing the claim that the system was "immune to PC viruses" with "designed to be safe." That claim had been a source of controversy for years, and it was one of the main factors that encouraged the myth that Apple devices were immune to attacks.

WireLurker, a new family of malware discovered by Palo Alto Networks, tries to take advantage of this general misinformation. It attacks iOS and OS X devices in the traditional ways (fraudulent apps, links to malware downloads, rogue extensions picked up when visiting a website, connecting to a compromised device over USB...) and is able to install applications that bypass Apple’s sandbox (even on non-jailbroken iOS devices, for example).

In fact, this new wave of malware led INCIBE, formerly INTECO, to develop its own app analyzer, called Merovingio. In an article they explain the challenge of developing it from scratch and describe some of its modules, which will be used to analyze new risks automatically and in real time.

Cell phones have become a juicy target for cyber attackers, and among their tactics ransomware is once again the most "profitable" one. Ontinet analyzes how one such sample operates. It is disguised as an adult Android app. Once installed, it asks for permission to lock the screen (presumably to prevent infectious attacks...). After showing a few actual adult images, it displays a fake FBI notification accusing the user of consuming child pornography, and then demands a monetary payment to unlock the device.

Passwords are another obstacle to a satisfactory user experience in the technological world, and some users end up keeping the default ones. Combined with IP cameras that expose their own web interface, this has led to a situation where anyone can find at least eleven thousand unprotected cameras in the USA with a simple Google search. So anyone who knows a manufacturer’s default login credentials can satisfy their curiosity by looking at cameras in very different places.

Web servers can be attacked in many ways, including by taking advantage of easter eggs left by developers in their products. The server-side scripting language PHP has protection measures to prevent information leaks that would tell an attacker which version is running, and therefore which vulnerabilities are available. But one of the documented PHP easter eggs shows the PHP logo with a different background, and it is usually publicly reachable by default. Since this image changes with each version of the language, it can reveal the specific version in use.

There is another technique, sometimes improvised, that becomes an attack vector when it is carried out by the bad guys. It is dubbed buffer overflow, a common flaw in amateur software that affects the way hardware communicates with software. It fills not only the memory assigned to the program but also the contiguous memory. An attacker could exploit this weakness to escalate privileges and bypass some protections.
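The flaw described above, as an added illustration that is not from the original post: a constructed C record whose fixed-size `name` buffer sits directly before a privilege flag. The unchecked copy spills the ninth byte into the neighbouring field (the "contiguous memory" mentioned above), while the bounded version rejects the oversized input; `struct session` and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record (hypothetical names, not from the post): a fixed-size
 * name buffer sits directly before a privilege flag, so anything written
 * past `name` lands in `is_admin`. */
struct session { char name[8]; int is_admin; };

/* The flaw: copy until the NUL terminator with no regard for the size of
 * `name`. Bytes go through the struct's representation, and the loop stops at
 * the end of the struct only to keep the demo well-defined; the flag is hit. */
static void copy_name_unchecked(struct session *s, const char *src) {
    unsigned char *bytes = (unsigned char *)s;
    size_t off = offsetof(struct session, name);
    for (size_t i = 0; src[i] != '\0' && off + i < sizeof *s; i++)
        bytes[off + i] = (unsigned char)src[i];
}

/* The fix: reject input that does not fit, terminator included, and leave
 * the record untouched. Returns 1 if accepted, 0 if rejected. */
static int copy_name_checked(struct session *s, const char *src) {
    size_t len = strlen(src);
    if (len >= sizeof s->name)
        return 0;
    memcpy(s->name, src, len + 1);
    return 1;
}

/* is_admin (initially 0) after the unchecked copy of `src`. */
int admin_flag_after_unchecked(const char *src) {
    struct session s = { "", 0 };
    copy_name_unchecked(&s, src);
    return s.is_admin;
}

/* 1 if the bounded copy accepts `src`; is_admin is unchanged either way. */
int checked_copy_accepts(const char *src) {
    struct session s = { "", 0 };
    return copy_name_checked(&s, src) && s.is_admin == 0;
}

int main(void) {
    /* Constructed input: 8 bytes fill `name`; the 9th spills into the flag. */
    const char *oversized = "AAAAAAAA\x01";
    printf("unchecked copy: is_admin = %d\n", admin_flag_after_unchecked(oversized));
    printf("checked copy accepted: %d\n", checked_copy_accepts(oversized));
    return 0;
}
```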
