Latest Windows SMB flaw (SMBLoris) compromises all versions of Windows from Windows 2000 to Windows 10. A big week for phishing: the Copyfish Chrome extension was compromised by phishing, White House execs were phished by a "prankster", Germany reports sophisticated spearphishing, and an expired Nissan domain allows attackers to collect live telemetry data from cars.
1. SMBLoris – latest SMB (Server Message Block) protocol flaw in Windows remains unpatched
SMBLoris affects all versions of the SMB protocol going back to Windows 2000. The attack opens an SMB connection and requests a buffer of 128KB (the maximum size allowed). Alone 128KB isn't much, but since a single attacking address can open 65,535 connections (one for each source port), it can tie up 8GB of memory. Multiply this by a few source addresses and memory fills up quickly. These requests allocate memory in physical RAM that cannot be paged out to swap space. This puts the CPU in a loop where it is scanning for additional free memory without cycles to do anything else. The system freezes completely without blue screening, because it does not even have the time to produce one.
The flaw was privately reported to Microsoft in early June, but the company rated it as moderate impact and does not consider it a security issue; it will probably not be fixed at all. Instead, Microsoft recommends blocking access to SMBv1 from the internet.
Two researchers, Sean Dillon and Zach Harding, discovered the flaw while researching EternalBlue. The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. The research team demonstrated how they could take down a 128GB server using only a Raspberry Pi in under 30 seconds.
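Because the fix Microsoft recommends is network-level (keep SMB off the internet), the useful thing for a defender is to recognise the pattern on a host that is exposed anyway: many connections from one source that each advertise the maximum NetBIOS Session Service (NBSS) length and then never deliver the payload. The following is an added example and not code from the write-up, the researchers or Rapid7. It parses the 4-byte NBSS header from the first bytes of each TCP/445 connection, counts per source how many connections are "starved" in this way, and sums the memory they pin. The exact maximum length 0x1FFFF (131,071 bytes) is an assumption matching the "128KB" in the text, the connection records are constructed inline, and `find_starving_sources` is a hypothetical helper name.

```python
from collections import defaultdict

# NetBIOS Session Service (NBSS) framing used by SMB over TCP/445:
#   byte 0   : message type (0x00 = session message)
#   bytes 1-3: big-endian length of the SMB message that follows.
# Assumption: Windows accepts at most 0x1FFFF bytes (~128 KB) per connection,
# which is the size the write-up says SMBLoris requests on every connection.
NBSS_HEADER_LEN = 4
NBSS_SESSION_MESSAGE = 0x00
NBSS_MAX_LENGTH = 0x1FFFF
TCP_SOURCE_PORTS = 65535


def parse_nbss_header(data: bytes):
    """Return (message_type, advertised_length) from the first 4 bytes of a
    TCP/445 stream, or None if fewer than 4 bytes have arrived."""
    if len(data) < NBSS_HEADER_LEN:
        return None
    return data[0], int.from_bytes(data[1:4], "big")


def memory_reserved_per_source(ports=TCP_SOURCE_PORTS, per_connection=NBSS_MAX_LENGTH):
    """Worst case non-pageable memory one source address can pin: one max-length
    header on every source port (the ~8 GB figure in the write-up)."""
    return ports * per_connection


def find_starving_sources(connections, min_starved=100, min_ratio=0.9):
    """connections: iterable of dicts with keys
         src           - source IP as a string
         first_bytes   - first bytes received on the connection
         body_received - bytes of SMB payload received after the header
    Returns {src: stats} for sources holding at least `min_starved` connections
    that each advertise (near) the maximum NBSS length but deliver less than that."""
    per_src = defaultdict(lambda: {"connections": 0, "starved": 0, "pinned_bytes": 0})
    threshold = int(NBSS_MAX_LENGTH * min_ratio)
    for conn in connections:
        header = parse_nbss_header(conn["first_bytes"])
        if header is None:
            continue
        msg_type, length = header
        stats = per_src[conn["src"]]
        stats["connections"] += 1
        if (msg_type == NBSS_SESSION_MESSAGE and length >= threshold
                and conn["body_received"] < length):
            stats["starved"] += 1
            stats["pinned_bytes"] += length - conn["body_received"]
    return {src: s for src, s in per_src.items() if s["starved"] >= min_starved}


def build_sample_connections():
    """Constructed sample: 200 half-open max-length connections from one address
    plus a handful of ordinary SMB negotiate requests from an internal host."""
    starving = [{"src": "203.0.113.5", "first_bytes": b"\x00\x01\xff\xff", "body_received": 0}
                for _ in range(200)]
    # a normal negotiate request advertises a small length and delivers it in full
    normal = [{"src": "10.0.0.7", "first_bytes": b"\x00\x00\x00\x57", "body_received": 0x57}
              for _ in range(3)]
    return starving + normal


if __name__ == "__main__":
    for src, stats in find_starving_sources(build_sample_connections()).items():
        print(f"{src}: {stats['starved']} starved connections pinning "
              f"{stats['pinned_bytes']:,} bytes")
    print(f"worst case per source address: {memory_reserved_per_source():,} bytes")
```

On a real host the connection records would come from a packet capture or a connection-tracking table rather than the constructed list; the thresholds are deliberately conservative so that a legitimate client sending a few large SMB writes is not flagged.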
Overview:
https://community.rapid7.com/community/infosec/blog/2017/08/03/smbloris-what-you-need-to-know
SMBLoris Attack Demonstration:
https://youtu.be/mPPUv6Y4zHk
SMBLoris Denial of Service Code (in C):
https://packetstormsecurity.com/files/143636/SMBLoris-Denial-Of-Service.html
2. Phishing attack takes down Copyfish Chrome Extension
Copyfish is a popular Chrome extension that enables text to be copied from images, PDF files, or video through OCR (optical character recognition). A developer at the German company a9t9 Software fell victim to a phishing attack and subsequently lost control of the extension to the malicious actors.
According to a9t9 Software, one of its team members received a phishing email impersonating the Chrome Web Store team, instructing them to update their Copyfish Chrome extension; otherwise, Google would remove it from the web store.
The developer bought the scam hook, line, and sinker and followed the instructions to "Please log into your developer dashboard <malicious link> for more information", which opened the "Google" password dialogue box.
The provided link was a bit.ly link, but since the team member was viewing the link in HTML form, he did not find it immediately suspicious and entered the password for their developer account.
The attackers took control of the extension and on 29 July updated Copyfish to version 2.8.5, which pushed out spam and advertisements to its 37,000 users.
a9t9 Software contacted Google Developer support to regain access to their software. The extension is now back in the hands of a9t9 Software.
Writeup of the attack by a9t9:
https://a9t9.com/blog/chrome-extension-adware/
3. Even those in the White House are susceptible to phishing
Tom Bossert (Homeland Security Advisor) was phished by a self-described "email prankster" posing as Jared Kushner (Senior Advisor).
"Tom, we are arranging a bit of a soirée towards the end of August," the fake Jared Kushner on an Outlook account wrote to the official White House email account of Homeland Security Adviser Tom Bossert. "It would be great if you could make it, I promise food of at least comparable (sic) quality to that which we ate in Iraq. Should be a great evening."
Bossert wrote back: "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted).
The prankster shared the emails with CNN. Details here:
http://edition.cnn.com/2017/07/31/politics/white-house-officials-tricked-by-email-prankster/index.html
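Items 2 and 3 are the same two tricks seen from the receiving end: a shortened link whose visible text looks legitimate (Copyfish), and a familiar display name on an outside mailbox (the fake Jared Kushner on an Outlook account). The following is an added example, not code from a9t9, CNN or any mail vendor, showing how a mail gateway or a triage script can flag both. It parses a message with Python's standard `email` package, checks the From display name against a directory of known colleagues, and walks every `<a>` in an HTML body to catch URL shorteners and link text that names a different host than the `href`. The sender directory, both sample messages and every address, domain and URL in them are constructed placeholders.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed directory: display names of colleagues and the domain their mail
# genuinely comes from (placeholder domain, not a real address).
KNOWN_SENDERS = {
    "jared kushner": "whitehouse.example",
    "tom bossert": "whitehouse.example",
}
# Shorteners hide the real destination, as the bit.ly link in the Copyfish mail did.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_shown_in_text(text):
    """Hostname a reader would believe a link points to, judged from its visible text."""
    if text.lower().startswith(("http://", "https://")):
        return (urlparse(text).hostname or "").lower()
    if re.fullmatch(r"[\w-]+(\.[\w-]+)+", text):
        return text.lower()
    return None


def analyze_message(raw):
    """Return a list of findings for one RFC 5322 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. display-name spoofing: a known colleague's name on an outside address
    sender = msg["From"]
    if sender is not None and sender.addresses:
        addr = sender.addresses[0]
        expected = KNOWN_SENDERS.get(addr.display_name.strip().lower())
        if expected and addr.domain.lower() != expected:
            findings.append(f"display-name spoof: '{addr.display_name}' "
                            f"expected @{expected}, got @{addr.domain}")
    # 2. deceptive links in any HTML part
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        extractor = LinkExtractor()
        extractor.feed(part.get_content())
        for href, text in extractor.links:
            href_host = (urlparse(href).hostname or "").lower()
            if href_host in SHORTENER_HOSTS:
                findings.append(f"shortened link hides destination: {href}")
            shown = host_shown_in_text(text)
            if shown and shown != href_host:
                findings.append(f"link text shows {shown} but href goes to {href_host}")
    return findings


# Constructed messages modelled on the two incidents (all addresses and URLs are placeholders).
COPYFISH_STYLE = """\
From: "Chrome Web Store Team" <support@webstore-notices.example>
To: developer@a9t9.example
Subject: Your extension Copyfish will be removed
Content-Type: text/html; charset=utf-8

<p>Please log into your developer dashboard
<a href="https://bit.ly/placeholder">https://chrome.google.com/webstore/developer/dashboard</a>
for more information.</p>
"""

PRANKSTER_STYLE = """\
From: "Jared Kushner" <jared.kushner@outlook.example>
To: tom.bossert@whitehouse.example
Subject: Soiree towards the end of August
Content-Type: text/plain; charset=utf-8

Tom, we are arranging a bit of a soiree towards the end of August.
"""

if __name__ == "__main__":
    for name, sample in (("copyfish", COPYFISH_STYLE), ("prankster", PRANKSTER_STYLE)):
        print(name, analyze_message(sample))
```

The display-name check only works where the directory is maintained, so in practice it is paired with a policy that any mail from outside the organisation carrying an internal name gets an external-sender banner; the link check is cheap and catches the Copyfish case regardless of who the sender claims to be.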
4. Germany reports sophisticated spearphishing
As sophisticated as malware scanners and technologies are, malicious actors continually stay one step ahead. German agencies are reporting spearphishing emails that appear to come from a colleague, with a subject akin to "Check this out" and instructions to look into an obscure word or phrase. When the phrase is Googled, the search results produce a link to a malicious site. Personnel from several German government agencies have received the plausible and innocent-looking spearphishing.
5. Nissan expired domain allows attackers to collect live vehicle telemetry data
Security researchers exploited a Nissan Leaf. After visiting a junk yard and acquiring a Nissan Leaf dashboard, they went to work re-assembling it in a lab. Once the in-vehicle infotainment system was up and working, they discovered an unregistered URL in the debug logs. They registered the domain and pointed it to an Amazon web server, and soon the data started pouring in. The data included the VIN, location and telemetry data.
The researchers found that the vehicle used Continental's telematics control unit to connect to the backend. The unit is currently available on eBay for $10.48 + $5.99 (shipping in the US).
The research team is currently using a man-in-the-middle attack to access the firmware and reverse engineer it in order to reach the CAN bus (controller area network, the vehicle's system bus).
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Jesse-Michael-and-Mickey-Shkatov-Driving-Down-the-Rabbit-Hole.pdf