GDPR causes a flood of new policies

Posted: May 15, 2018 by 

The European Union claims that the General Data Protection Regulation (GDPR), which comes to term on May 25, is the most important change in data privacy regulation in 20 years. Many companies have spent months preparing for the changes, working on policy and compliance, and introducing changes to their products in order to meet new standards.

We have received quite a few alerts and emails about those policy changes from a wide variety of companies. Combing through the alerts allowed us to see some interesting methods to solve—or evade—the problems that come with making businesses compliant. Let’s take a look at how different companies are coping with GDPR changes, and what you’ll need to pay attention to in those emails.

Total evasion

For some companies whose business interests are too slim in Europe, giving up seemed like the best option. File this alert from Unroll.Me, an app to unsubscribe from unwanted mailing lists, under “why bother.”

Unroll.Me says goodbye

because our service was not designed to comply with all GDPR requirements, Unroll.Me will not be available to EU residents…. And we must delete any EU user accounts by May 24.

Obviously, there is a reason for such drastic measures, and I would call it a good guess if someone were to suggest that this might be related to Unroll.Me having been found selling email data to Uber.

Unroll.me may not be the only company walking away from its European customers in the face of GDPR. Some services have popped up seeming to help companies stay compliant by blocking EU visitors to websites. The GDPR shield shown below was promoted for a period as a possible solution, but the site seems to be down now. Or I could not reach it because I’m in the EU, and the block works too well.

GDPR shield

Keep EU visitors off your site by using a GDPR Shield

Chain responsibility for advertisers

Some sites and platforms have advertising partners with whom they share user data. GDPR states that … So, you would hope that they take special care in selecting partners who will handle that shared data. Instagram and the other Facebook companies have decided on a different approach, shifting that portion of the responsibility to their advertisers:

Facebook for businesses

Businesses who advertise with Instagram and the Facebook companies can continue to use our platforms and solutions in the same way they do today. Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with the laws that apply to them today.

Helping B2B customers

Google Cloud, on the other hand, offers to help their customers.

Google Cloud

You can count on the fact that Google is committed to GDPR compliance across Google Cloud services. We are also committed to helping our customers with their GDPR compliance journey…

What deserves your attention

Under the GDPR rules, companies need explicit and informed consent from their customers to collect and use their data, so you can expect, and have probably already seen, a lot of policy changes (Terms of Service updates). As much as you might be tempted to automatically delete the influx of emails from online providers, it’s important to pay attention to those new privacy policies, especially if it appears that the company may be cutting corners in meeting GDPR standards.

When sifting through these emails, I’ve come across some that I would not count as informed consent. A banner that looks and behaves like a cookie warning does not qualify, and neither does providing a less-than-comprehensive picture by spreading the information across several different web pages. I’m hoping that these platforms will provide more detailed and specific information before the magic GDPR date arrives.

LinkedIn

In contrast to these flimsy attempts at GDPR compliance, Google has done an excellent job of informing its users of changes. Its Privacy Policy has been updated to make the content easier to understand, in line with the GDPR requirement that users be able to make informed decisions. It has updated the language and navigation of the document and introduced videos and illustrations to make things clear.

Some companies that are active worldwide do make a distinction between EU and non-EU customers, but offer the same functionality that is automatically applied to EU-based IP addresses as an option to users outside of the EU.

Disqus

When a user is in Privacy Mode, we will not collect or process any personal data, as defined by GDPR. In cases where we do not have a lawful basis for processing personal data we will apply Privacy Mode to requests from IP addresses associated with an EU country.

Other, smaller, companies made an effort to send out more personalized notifications letting me know I needed to approve their new policy in order to stay in touch:

Conclusiv

While the ongoing influx might be a nuisance in your inbox, this is a great opportunity to review the privacy policies and maybe say goodbye to some of the companies that have your email address. (Although the professional spammers will probably just keep on going as if nothing has changed.)

Where will GDPR lead us?

Looking at the examples we have seen so far, we can divide the big players from the small players and see that some small players from outside the EU are giving up that part of the market—at least for the time being. The big players and European companies are mostly applying the same policies for EU and non-EU customers, although there will always be some exceptions.

Some have predicted there will be two separate Internets as a result of GDPR. I don’t think that will happen. But we will soon get a better idea of how things will play out once the implementation is done and the first shots across the bow have been fired.

In the meantime, it is worth your time to review the changed policies carefully and pay close attention to privacy policies when you sign up for something new.

And in case you were wondering about ours, feel free to review the Malwarebytes Privacy Policy.

ABOUT THE AUTHOR


Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Seven security tips for staying safe on an iPhone

Posted: May 16, 2018 by 
Last updated: May 15, 2018

iPhones have a reputation for being notoriously secure. After all, they caused quite the kerfuffle between Apple and the FBI because they are, from the FBI’s point of view, too secure! However, don’t let that lull you into a false sense of security. Using an iPhone is not an automatic guarantee of invulnerability.

The good news is that there are easy things to do to avoid causing problems for yourself. The following seven tips will help you to make sure your iPhone is the digital fortress that it was meant to be.

1. Use a long passphrase

Most people set a four-digit PIN code, or perhaps the slightly more secure six-digit PIN, to secure their phones. And sure, this seems like perfectly acceptable protection, given that the phone will lock itself down for increasing amounts of time if a thief tries to unlock it with the wrong code too many times. Depending on your settings, it may erase itself after 10 incorrect tries.

What can possibly go wrong? Out of a possible 10,000 combinations, the attacker has to guess correctly in the first 10 attempts. The chances of doing that are quite low: one in 1,000, to be precise. Using six digits improves your odds further.

However, not all attacks involve poking numbers into the screen repeatedly. There have been many devices over the years capable of retrying PIN numbers endlessly, with no penalties, by taking advantage of vulnerabilities in the hardware or software of the iPhone. The latest of these, the GrayKey device, can crack a four-digit PIN in an hour or two, and a six-digit PIN in three days or less.

If there’s one universal truth about these passcodes, it’s that longer is better. The best thing you can do is start using a longer alphanumeric password instead of a PIN code. Each additional character of length increases the time needed exponentially, and that time gets even longer when adding letters and symbols to the mix.

To change to a longer password, open the Settings app, then tap Touch ID & Passcode. Enter your current PIN, then tap Change Passcode on the next screen. Enter your passcode again, but then instead of entering a new passcode, tap Passcode Options. This will give you the option to choose, among other things, a custom alphanumeric code.

I know what you’re thinking. Who wants to enter a lengthy password every time they unlock their phone? Fortunately, modern iPhones have convenient biometric options for accessing the device without entering the password every time. Either Touch ID or Face ID gets you into your phone fast, without needing to enter the password.

Of course, Touch ID and Face ID are convenience features, not security features. There are valid concerns about the safety of using a biometric pattern that cannot be changed as a replacement for a password. Still, if they allow you to use a longer password conveniently, that’s worth way more than avoiding them but using a short PIN code. You can always temporarily lock the device so that Touch ID and Face ID won’t work. For more information, see Apple’s information on the security of Touch ID and Face ID.

2. Lock down your Apple ID with 2FA

With what, now? That funny abbreviation (2FA) stands for two-factor authentication, a means of authentication that requires not just something you know, like a password, but also something you have, like a temporary, one-time-only code. Without both, an attacker cannot access your account.

Your Apple ID provides the keys to the kingdom. It’s tied to every device you own. It probably has a credit card associated with it. Your Apple ID is also your iCloud account, and as such it may hold all manner of tempting goodies, including passwords.

Fortunately, Apple offers 2FA on your Apple ID, and it’s strongly recommended that you take advantage of this. Doing so means that you will always have to enter both your password and a six-digit code sent to a trusted device before logging on to your account from a new machine. This makes it very difficult for a hacker to access your Apple ID and the trove of data it can give access to.

3. Keep your iPhone up-to-date

Keeping your system and all your apps up-to-date is an important part of staying secure. iOS (the system that runs on iPhones) updates frequently to fix vulnerabilities that could be used in various scenarios to attack your device. Some of these are minor, others are major issues.

As an example, consider the GrayKey device discussed above. The method it uses to break into iPhones is still unknown, but one thing is for sure: It relies on one or more unknown security vulnerabilities in iOS. At some point, Apple will find and fix those vulnerabilities, making you safe from GrayKey or any other groups or individuals who may have discovered the vulnerabilities. If you don’t install iOS updates promptly when they are available, though, you remain vulnerable.

Worse, once a vulnerability is patched and Apple publishes their release notes, that gives hackers a little extra information that may help them find the vulnerability, meaning older systems are potentially in greater danger after that point.

4. Use a VPN on free Wi-Fi

Public Wi-Fi can be extremely hazardous. Anyone else on the same network can see any unencrypted network transmissions you make, and an untrustworthy network can actually perform all manner of man-in-the-middle attacks for phishing or other malicious purposes. For example, if you try to log onto your bank site on public Wi-Fi, you might not actually be logging onto your bank site. It could be a malicious look-alike site that bad actors within the Wi-Fi network are sending you to instead.

You could always use cellular data when in public, turning off Wi-Fi in settings, but that’s not always practical, especially with the data caps on most cell data plans. Fortunately, there’s a good solution: a VPN, or virtual private network. Using a good VPN means that all your network traffic is tunneled through an encrypted connection to a server located somewhere else.

Unfortunately, there are a lot of insecure or untrustworthy VPNs out there. It doesn’t help your security much if the VPN is careless with your data, or is otherwise not acting in your best interests. There are many free VPNs out there, but remember the first rule of free services on the Internet: If you’re not paying for it, you’re the product.

Finding a trustworthy, secure VPN can take a little work. Fortunately, an excellent article by Brian Krebs provides details about VPNs and how to select a good one. Make sure that the VPN you choose has good support for iOS; anything that requires you to download an app, but doesn’t offer an iOS app, is off the table from the start.

5. Use additional encryption

The encryption on the iPhone is one of its finest features, but it’s not perfect. As long as there’s any chance of cracking your iPhone’s passcode, or gaining access to unencrypted backups, your data isn’t safe. For your particularly sensitive data, such as passwords, social security numbers, credit card numbers and the like, you need additional encryption.

Using a password manager with its own strong encryption, and a strong password different from any other password you use, can be extremely helpful. A utility like 1Password can store a vault in iCloud that is encrypted independently, meaning an attacker looking for your passwords would need to first crack your phone or iCloud account to access the vault, then crack the vault itself.

Similarly, Apple’s own Notes app now allows creation of encrypted notes, which can be secured with a password of your choice. Use of a strong, unique password means that the data such a note contains is also quite secure.

When it comes to your iPhone backups, consider backing up to your computer using iTunes, and set iTunes to encrypt those backups. Such encryption will use a separate password that you set, so be sure to use a strong, unique password for that.

6. Audit privacy settings periodically

There are many permissions that can be granted to apps, such as access to the camera, the microphone, your contacts, and your location. It’s a good idea to keep track of which permissions you’ve given to which apps, and to revoke any permissions that are not strictly needed. For example, if you posted a photo to Twitter once, but you aren’t likely to do it again, it would be a good idea to remove the right to look at your photos from the Twitter app.

In Settings, tap on Privacy. Here resides the master list of all permissions and which apps you’ve granted them to. Go through all of them periodically, and revoke any permissions that you don’t think a particular app needs.

7. Beware of scams

Use of an iPhone doesn’t do a thing to protect you against scam phone calls or scam text messages. Always be wary of calls or messages from unknown senders. Treat any links received in text messages with extreme suspicion, even if it’s from someone you know, since the sender could be spoofed or their phone could have been stolen.

If you tap a link in a message and the site wants you to log in or provide other personal information, verify with the sender that it’s legitimate. If it appears to be a site you’re familiar with, consider visiting the site via a bookmark instead of the link.

You can also consider using security software that can screen and block scam calls and texts, such as Malwarebytes for iOS (coming soon).

The most secure phone

It’s okay to feel safe as an iPhone owner. Currently, iPhones are the safest smartphones on the planet. However, as demonstrated here, there are still plenty of ways that you can become a victim. So don’t just assume you’re safe automatically by virtue of owning an iPhone.

Doing the right things to keep yourself safe can often be more important than having the most secure phone.

ABOUT THE AUTHOR


Director of Mac & Mobile

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.

Fake Malwarebytes helpline scammer caught in the act

Posted: May 17, 2018 by 
Last updated: May 16, 2018

An estimated one in every 10 American adults lost money in a cyber scam in the past 12 months, according to a report released by the FTC earlier in the month. On average, each scam victim lost $430, totaling about $9.5 billion overall.

To put this in perspective, that’s over 22 million Americans scammed for $26 million a day, more than $1 million an hour, $18,000 per second.

No one is immune, and now more than ever there is a need to be vigilant. Being taken by a scam can ruin lives or damage the reputation of legitimate companies. No one is excluded—not Amazon, Dell, Malwarebytes, or you.

In the example below, we’ll show how scammers Blue Eye Ventures, LLC, tried to imitate Malwarebytes in order to trick people out of money. Now, more than ever, it’s important to be vigilant in order to tell the good guys from the bad.

Malwarebytes helpline scam

Using a modern web design aesthetic, Blue Eye Ventures makes a reasonably good impression of a company looking to help its clients. They advertise that they are a Malwarebytes helpline. But they are not.

In order to catch these guys in the act, I called the toll-free number asking for help, telling them I wasn’t sure my Malwarebytes software was working properly. I allowed the technician to have access to my computer. He opened up my Malwarebytes software.

I’m sorry sir, this is fake software

The technician on the phone advised me that the (legitimate) Malwarebytes software I was running was fake. Now, I knew that it was not fake. I ran it minutes earlier and it worked perfectly.

Next thing I knew, he ran a tree command. Tree is a recursive directory listing program that produces a depth-indented listing of files. It is not a diagnostic tool.

These are the results he produced:

At the bottom of the tree command, he typed “Security Breach” to scare me into believing that my computer was being hacked.

More scare tactics

He then checked my System Configuration:

The tech told me that all my software wasn’t running. “It’s stopped.” This was to scare me into believing that my system wasn’t working. Again, he wasn’t using any tools to diagnose hacking or infections.

He then pulled up Resource Monitor:

The tech asked me, “Do you know what crss.exe means?” I told him I don’t, even though I do.

The csrss.exe file located in C:\Windows\System32 is a real file, and removing it will cause problems with your PC. If someone tells you it’s a virus, that’s a hoax.

Case in point, to further scare me into believing my computer was infected, the tech asked me to read the description he pulled up on Google about the csrss.exe file being a Trojan horse or virus.

The Google result pulls information from an unreliable and untrustworthy source. For example, the article linked here recommends users remove this “malware” from their Mac systems. Any file with .exe is a Windows executable.

Meanwhile, the scammer still hadn’t checked my system with any real tools to find problems. He was only there to scare me into purchasing his plans.

Do not purchase

Below are the plans he offered me, from one year of support for $200 to a lifetime plan for $700. I was instructed to pay Blue Eye Ventures, LLC, by check. Or I could use my credit card at Easy-installatio.com (phone number +120-3354649). This is a Canadian number—and Malwarebytes’ HQ is in the United States.

How do you think a real customer would feel? They purchased Malwarebytes and now they are being told that they purchased phony software, their computer is infected, and it’s going to cost them hundreds of dollars to repair. Scammers are not only ruining the reputation of legitimate companies, but they are ripping customers off in the process.

At Malwarebytes, we are always working to expose fraud and educate consumers. We will never sell phony software. We will never charge you hundreds of dollars to fix your computer. And we will teach you how to spot the companies who do.

ABOUT THE AUTHOR


Security Analyst

Moved from management to malware intel in 2017. Hates when people call sauce “gravy.”

A look into Drupalgeddon’s client-side attacks

Posted: May 18, 2018 by 

Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability (CVE-2018-7600) followed by yet another (CVE-2018-7602) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.

These back-to-back vulnerabilities were accompanied by proofs of concept that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS, for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full backup and test the changes in a staging environment before moving to production.

Rolling out a CMS is usually the easy part. Maintaining it is where most problems occur, due to lack of knowledge, fear of breaking something, and, of course, costs. While each site owner is responsible for doing due diligence on their web properties, the outcome is typically websites that are severely out of date and exploited, often more than once.

Sample set and web crawl

We decided to choose a number of web properties that had not yet been validated (including all versions of Drupal, vulnerable or not). Our main source of URLs was Shodan, complemented by PublicWWW, for a total of roughly 80,000 URLs to crawl. We were surprised to start hitting compromised sites quickly into the process and were able to confirm over 900 injected web properties.

Many of the results were servers hosted on Amazon or other cloud providers that were most likely set up for testing purposes (staging) and never removed or upgraded. Thankfully, they received little to no traffic. The other domains we encountered spanned a variety of verticals and languages, with one common denominator: an outdated version (usually severely outdated) of the Drupal CMS.

Figure 1: Crawling and flagging compromised Drupal sites using Fiddler

Drupal versions

At the time of this writing, there are two recommended releases for Drupal. Version 8.x.x is the latest and greatest with some new features, while 7.x.x is considered the most stable and compatible version, especially when it comes to themes.

Figure 2: Drupal’s two main supported branches

Almost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in August 2015. Many security flaws have been discovered (and exploited) since then.

Figure 3: Percentage of compromised sites belonging to a particular Drupal version

Payloads

A large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular with XMRig cryptocurrency miners. However, in this post we will focus on the client-side effects of those compromises. Neither is exclusive, though, and one should expect that a hacked site could be performing malicious actions on both the server and client side.

Unsurprisingly, web miners were by far the most common type of injection we noticed. But we also came across a few different social engineering campaigns.

Figure 4: Breakdown of the most common payloads

Web miners

Drive-by mining attacks went through the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It’s safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.

We are seeing the same campaign that was already documented by other researchers in early March and is ensnaring more victims by the day.

Figure 5: A subdomain of Harvard University’s main site mining Monero

Fake updates

This campaign of fake browser updates, which we documented earlier, is still going strong. It distributes a password stealer or a Remote Administration Tool (RAT).

Figure 6:  A compromised Drupal site pushing a fake Chrome update

Tech support scams (browlocks)

Redirections to browser locker pages are a typical way of delivering tech support scams. The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages using the .TK Top Level Domain (TLD).

mysimplename[.]com/si.php
window.location.replace("http://hispaintinghad[.]tk/index/?1641501770611");
window.location.href = "http://hispaintinghad[.]tk/index/?1641501770611";

Figure 7: A compromised Drupal host redirecting to a browser locker page

Web miners and injected code

We collected different types of code injection, from simple and clear text to long obfuscated blurbs. It’s worth noting that in many cases the code is dynamic—most likely a technique to evade detection.

Figure 8: Collage of some of the most common miner injections
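The crawl-and-flag step shown in Figure 1 can be reduced to signature matching over the fetched page body. The script below is an added example, not Malwarebytes’ crawler or detection code: its category names are my own labels, the miner and fake-update signatures are the URIs this post lists, the browlock rule matches the window.location redirect quoted above, and the three sample pages are constructed here rather than real captures.

```python
import re

# Injection signatures for the client-side payload families described in this post.
# Category names are this example's own labels, not Malwarebytes detection names.
INJECTION_PATTERNS = {
    "coinhive_miner": [
        r"coinhive\.com/lib/coinhive\.min\.js",
        r"coinhive\.com/lib/cryptonight\.wasm",
        r"coinhive\.com/lib/worker-asmjs\.min\.js",
        r"\bcnhv\.co/",
    ],
    "cryptoloot_miner": [r"cryptaloot\.pro/lib/justdoit2\.js"],
    "fake_update": [r"/s_code\.js\?cid=\d+&v=[0-9a-f]+"],
    # window.location.replace("http://<host>.tk/...") or window.location.href = "http://<host>.tk/..."
    "browlock_redirect": [
        r"window\.location\.(?:replace\(|href\s*=\s*)[\"']https?://[^\"']+\.tk/",
    ],
}


def scan_html(html: str) -> list:
    """Return (category, matched_text) pairs for every signature found in a page body."""
    findings = []
    for category, patterns in INJECTION_PATTERNS.items():
        for pattern in patterns:
            for match in re.finditer(pattern, html, re.IGNORECASE):
                findings.append((category, match.group(0)))
    return findings


def classify_site(html: str) -> str:
    """Summarise one crawl result: 'clean' or a comma-separated list of injection categories."""
    categories = sorted({category for category, _ in scan_html(html)})
    return ",".join(categories) if categories else "clean"


# Constructed sample pages standing in for crawl results (not real captures).
SAMPLE_MINER = (
    '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
    "<script>var miner = new CoinHive.Anonymous('SITEKEY_PLACEHOLDER'); miner.start();</script>\n"
    "</head><body>Welcome</body></html>"
)
SAMPLE_BROWLOCK = (
    "<html><body><script>\n"
    'window.location.replace("http://hispaintinghad.tk/index/?1641501770611");\n'
    'window.location.href = "http://hispaintinghad.tk/index/?1641501770611";\n'
    "</script></body></html>"
)
SAMPLE_CLEAN = '<html><head><script src="/sites/all/themes/site/js/main.js"></script></head></html>'

if __name__ == "__main__":
    for name, page in [("miner", SAMPLE_MINER), ("browlock", SAMPLE_BROWLOCK), ("clean", SAMPLE_CLEAN)]:
        print(f"{name}: {classify_site(page)}")
        for category, text in scan_html(page):
            print(f"  {category}: {text}")
```

Because many injections are dynamic, as noted above, the same page should be fetched more than once and with a browser-like User-Agent before it is declared clean.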

Snapshots

The following are some examples of compromised sites sorted by category. We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections.

Figure 9: Education (University of Southern California)

Figure 10: Government (Arkansas Courts & Community Initiative)

Figure 11: Political party (Green Party of California)

Figure 12: Ad server (Indian TV Revive Ad server)

Figure 13: Religion (New Holly Light)

Figure 14: Health (NetApp Benefits)

Figure 15: Conferences (Red Hat partner conference) 

Figure 16: Tech (ComputerWorld’s Brazilian portal)

Malicious cryptomining remains hot

It is clear that right now, cryptomining is the preferred kind of malicious injection. There are many public but also private APIs that make the whole process easy, and unfortunately they are being abused by bad actors.

Compromised sites big and small remain a hot commodity that attackers will try to amass over time. And because patching remains an issue, the number of potential new victims never stops growing. In light of this, website owners should look into other kinds of mitigation when patching is not always an immediate option, and check what some people call virtual patching. In particular, Web Application Firewalls (WAFs) have helped many stay protected even against new types of attacks, and even when their CMS was vulnerable.

Malwarebytes continues to detect and block malicious cryptomining and other unwanted redirections.

ABOUT THE AUTHOR


Lead Malware Intelligence Analyst

Security researcher with a focus on exploits, malvertising and fraud.

Adobe Reader zero-day discovered alongside Windows vulnerability

Posted: May 15, 2018 by 

During the first half of 2018, we have witnessed some particularly interesting zero-day exploits, including one for Flash (CVE-2018-4878) and more recently for Internet Explorer (CVE-2018-8174). The former was quickly used by exploit kits such as Magnitude, while it is only a matter of time before we see the latter being weaponized more widely.

We can now add to that list an Adobe Reader zero-day (CVE-2018-4990), which was reported by ESET and Microsoft and has already been patched. Although it has not been observed in the wild yet, it remains a dangerous threat considering it is coupled with a privilege escalation vulnerability in Microsoft Windows.

To exploit the Windows vulnerability, the attacker must write to an arbitrary address in kernel space, which will not work for Windows 8 and above, as newer security features prevent this kind of mapping. Those two combined zero-days were necessary to escape the Acrobat Reader sandbox protection, which to its credit has been improving the security of the software drastically, so much so that malicious PDFs that were once common as part of drive-by download attacks have all but vanished.

Let’s take a quick look at the malicious PDF using pdf-parser:

python pdf-parser.py --content CVE-2018-4990.pdf

We can see a suspicious obfuscated blurb that most likely contains the JavaScript code we are looking for. We can decode and dump the output to a raw file:

python pdf-parser.py -c CVE-2018-4990.pdf --object 1 --filter --raw > output.raw

The exploit code is now visible in clear text. For a good explanation on how it is used for the ROP chain and shellcode execution, please refer to the ESET article.
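The two pdf-parser steps above (list the objects, then apply the FlateDecode filter to the suspicious one and dump it raw) are simple enough to reproduce in a short triage script. The code below is an added example, not pdf-parser and not code from this post: it enumerates objects, inflates compressed streams, and flags objects whose dictionary carries a script action or whose decoded stream contains the string-building idioms typical of exploit JavaScript. The sample PDF it builds is constructed here and carries only a harmless alert.

```python
import re
import zlib

# Dictionary keys that introduce script or launch actions in a PDF object.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
# Fragments typical of obfuscated exploit JavaScript once a stream is decoded.
SUSPICIOUS_JS = (b"unescape(", b"String.fromCharCode", b"eval(", b"%u")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)


def list_objects(pdf: bytes) -> dict:
    """Map object number -> raw object body (the equivalent of pdf-parser's object listing)."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def object_dictionary(body: bytes) -> bytes:
    """Return only the << ... >> dictionary part of an object, without any stream data."""
    m = re.search(rb"stream\r?\n", body)
    return body[: m.start()] if m else body


def decode_stream(body: bytes) -> bytes:
    """Return an object's stream data, inflated if it is FlateDecode-compressed
    (what pdf-parser does with --filter --raw). Objects without a stream give b''."""
    m = re.search(rb"stream\r?\n", body)
    if not m:
        return b""
    start = m.end()
    # Prefer the declared direct /Length; fall back to the endstream keyword otherwise.
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", body[: m.start()])
    end = start + int(length.group(1)) if length else body.rfind(b"endstream")
    data = body[start:end]
    if b"/FlateDecode" not in body[: m.start()]:
        return data
    try:
        return zlib.decompress(data)
    except zlib.error:
        return data  # corrupt or truncated: hand the raw bytes back for manual inspection


def triage(pdf: bytes) -> dict:
    """Flag objects carrying script actions or whose decoded stream looks like exploit JS."""
    report = {}
    for num, body in list_objects(pdf).items():
        dictionary = object_dictionary(body)
        hits = [k.decode() for k in SUSPICIOUS_KEYS if k in dictionary]
        decoded = decode_stream(body)
        hits += [k.decode() for k in SUSPICIOUS_JS if k in decoded]
        if hits:
            report[num] = hits
    return report


def build_sample_pdf(js: str) -> bytes:
    """Constructed sample: a minimal PDF whose OpenAction runs JavaScript held in a
    FlateDecode stream. The script passed in is harmless; it only exercises the triage."""
    compressed = zlib.compress(js.encode())
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed
        + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf("var payload = unescape('%u4141%u4141'); app.alert(payload);")
    for num, hits in sorted(triage(sample).items()):
        print(f"object {num}: {', '.join(hits)}")
    print(decode_stream(list_objects(sample)[4]).decode())
```

Real samples use other filters, object streams and indirect /Length values that this sketch does not handle; treat an empty report as "nothing found by this script", not as a clean verdict.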

We tested this zero-day against Malwarebytes, which was already stopping it without the need for any additional updates. The mitigation happens at the very beginning of the exploitation chain (stack pivoting):

We recommend users patch their systems to prevent this threat, which will most likely be weaponized in the wild soon. A very plausible attack scenario would be a PDF attachment in a malspam campaign.

The Adobe security bulletin (CVE-2018-4990) can be found here, while Microsoft’s (CVE-2018-8120) is here.

ABOUT THE AUTHOR


Lead Malware Intelligence Analyst

Security researcher with a focus on exploits, malvertising and fraud.
