Microsoft Patch Tuesday — February 2019 Update Fixes 77 Flaws

Microsoft has issued its second Patch Tuesday for this year to address a total of 77 CVE-listed security vulnerabilities in its Windows operating systems and other products, 20 of which are rated critical, 54 important and 3 moderate in severity.

The February security update addresses flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, Microsoft Office and Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Dynamics, Team Foundation Server, and Visual Studio Code.

Four of the vulnerabilities patched this month were already publicly disclosed at the time of release, and one is being actively exploited in the wild.

The vulnerability under active exploitation is rated important and stems from the way Internet Explorer handles objects in memory.

An attacker who lures a victim to a specially crafted website can exploit this flaw, tracked as CVE-2019-0676, to test for the presence of files on the target system, which leads to information disclosure rather than code execution.

Although Microsoft has not shared any details about the campaign exploiting this flaw, its use is likely restricted to targeted attacks.

One of the publicly disclosed but not yet exploited flaws, CVE-2019-0636, rated important, is an information disclosure vulnerability in Windows that could allow an attacker to read the contents of files on disk.

images from Hacker News

Researchers Implant “Protected” Malware On Intel SGX Enclaves

Cybersecurity researchers have discovered a way to hide malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to protect it from disclosure or modification.

In other words, the technique lets attackers place malware inside memory that enjoys SGX's protections, which are designed to keep sensitive data from being read or tampered with even on a compromised system, and turns those same protections into a hiding place.

Introduced with Intel’s Skylake processors, SGX (Software Guard Extensions) allows developers to run selected application modules in a completely isolated secure region of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels like the operating system, kernel, BIOS, SMM, hypervisor, etc.

However, a team of researchers, some of whom were behind the discovery of the Spectre and Meltdown CPU flaws, showed that this protection can be turned against the system it runs on: they ran their own malicious code inside an enclave and, from there, used the age-old technique of return-oriented programming (ROP) to hijack the untrusted host application. Note that SGX does not stop an attacker from loading an enclave of their own; the point of the research is that the enclave's isolation then shields the malicious code from the defender's inspection.

The attack also relies on Transactional Synchronization Extensions (TSX), found in modern Intel CPUs, in a novel fault-resistant read primitive the researchers call TSX-based Address Probing (TAP): because a memory access that faults inside a TSX transaction only aborts the transaction instead of raising an exception the operating system would see, the enclave can probe the host's address space for usable memory without crashing or leaving a trace.

images from Hacker News

Hackers Destroyed VFEmail Service – Deleted Its Entire Data and Backups

What could be more frightening than a service informing you that all your data is gone, every file and every backup server entirely wiped out?

The worst nightmare of its kind. Right?

But that’s precisely what happened this week to VFEmail.net, a US-based secure email provider that lost all data and backup files for its users after unknown attackers destroyed its entire US infrastructure, wiping out almost two decades’ worth of data and backups in a matter of a few hours, with no apparent motive.

Started in 2001 by Rick Romero, VFEmail provides secure, private email services to companies and end users, both free and paid-for.

Describing the attack as “catastrophic,” the privacy-focused email provider said that the attack took place on February 11 and that “all data” on its US servers, both the primary and the backup systems, has been completely wiped out and is seemingly beyond recovery. The lesson for anyone running backups is plain: copies that are online and reachable from the production environment fall with it, and only copies the attacker cannot reach, offline or immutable, survive an event like this.

images from Hacker News

First Hacker Convicted of ‘SIM Swapping’ Attack Gets 10 Years in Prison

A 20-year-old college student, Joel Ortiz, who stole cryptocurrency worth more than $5 million by hijacking victims’ phone numbers has pleaded guilty and accepted a sentence of 10 years in prison.

Ortiz was arrested last year on charges of siphoning millions of dollars in cryptocurrency from around 40 victims using a method commonly known as “SIM swapping,” in which the victim’s phone number is fraudulently ported to a new SIM card controlled by the attacker.

In SIM swapping, attackers social-engineer the victim’s mobile carrier by calling it while posing as the target, claiming that the SIM card has been lost and requesting a SIM swap.

To convince the carrier that they are the legitimate owner of the phone number, the attackers supply the personal information the carrier asks for, such as the target’s Social Security number and address, until the carrier ports the number over to a SIM card the attackers hold.

Once the port succeeds, the attackers control the target’s phone number and receive every one-time password, verification code, and two-factor authentication code sent to it by SMS or voice call, which they use to reset passwords for, and take over, the target’s social media, email, bank, and cryptocurrency accounts.

SIM swapping has grown increasingly popular among cybercriminals over the past year and Joel Ortiz, a California man, is the first person to receive jail time for this crime, after pleading guilty to stealing more than $5 million in cryptocurrency from 40 victims, according to Motherboard.

Rather than go to trial and risk a harsher sentence from a jury, Ortiz accepted a plea deal of 10 years last week, according to Deputy District Attorney Erin West of Santa Clara County, California.

images from Hacker News

Several Popular Beauty Camera Apps Caught Stealing Users’ Photos

Just because an app is available on the Google Play Store doesn’t mean it is legitimate. Despite Google’s efforts, fake and malicious apps still sneak in and expose millions of unsuspecting users to scammers and hackers.

Cybersecurity firm Trend Micro uncovered at least 29 malicious photo apps that made their way onto the Google Play Store and were downloaded more than 4 million times before Google removed them.

The apps were disguised as photo editing and beauty apps that purported to use the phone’s camera to take better pictures or retouch the photos you shoot, but were found to contain code that performs malicious activity on the user’s device.

Three of the rogue apps—Pro Camera Beauty, Cartoon Art Photo and Emoji Camera—have been downloaded more than a million times each, with Artistic Effect Filter being installed over 500,000 times and another seven apps in the list over 100,000 times.

Once installed, some of these apps pushed full-screen advertisements for fraudulent or pornographic content onto the victim’s device every time the phone was unlocked, and some redirected victims to phishing sites that tried to steal personal information by tricking them into believing they had won a contest.

images from Hacker News