Year: 2018

Google Patches 34 Browser Bugs in Chrome 67, Adds Spectre Fixes

Google updated its Chrome browser to version 67.0.3396.62 on Tuesday, patching 34 bugs and adding support for the credential management API called WebAuthn. The update will be available in the coming days for Windows, Mac and Linux platforms, Google said.

Most notable in the browser update are mitigations for Spectre. The fix includes an added feature called Site Isolation that essentially separates the processes between different tabs – so that if one tab crashes, the others will continue to work. This also protects against speculative side-channel CPU vulnerabilities like Spectre because it reduces the amount of data exposed to side-channel attacks.

“We’re continuing to roll out Site Isolation to a larger percentage of the stable population in Chrome 67,” said Chrome in its security release. “Site Isolation improves Chrome’s security and helps mitigate the risks posed by Spectre.”

Bug fixes for Chrome 67 include nine rated high. One of them is an out of bounds memory access bug (CVE-2018-6130) in Web Real Time Communication (WebRTC), which is an open-source project providing web browsers with real-time communication through simple APIs. Google also patched a heap buffer overflow glitch in open source graphics library Skia (CVE-2018-6126) and an overly permissive policy bug (CVE-2018-6125) in the WebUSB API, which provides a way to expose USB device services to the Web. Below is a full list of the vulnerabilities fixed that are rated high.

  • CVE-2018-6123: Use after free in Blink.
  • CVE-2018-6124: Type confusion in Blink.
  • CVE-2018-6125: Overly permissive policy in WebUSB.
  • CVE-2018-6126: Heap buffer overflow in Skia.
  • CVE-2018-6127: Use after free in indexedDB.
  • CVE-2018-6128: uXSS in Chrome on iOS.
  • CVE-2018-6129: Out of bounds memory access in WebRTC.
  • CVE-2018-6130: Out of bounds memory access in WebRTC.
  • CVE-2018-6131: Incorrect mutability protection in WebAssembly.

Part of the Google update also included the introduction of the WebAuthn API into Chrome 67. This API enables users to log into their accounts using alternative methods such as biometric options, including fingerprint readers, iris scans or facial recognition. Mozilla also packaged this feature into Firefox a few weeks ago with the release of Firefox 60.

Finally, the latest version of Chrome has deprecated the browser’s support for HTTP public key pinning, instead adopting the more flexible solution of Expect-CT headers. This plan was first announced in 2017 after Google argued that public key pinning leaves website admins open to difficulties in selecting a reliable set of keys to pin to.

Chrome 67 for desktops is currently available. Android and Chrome OS versions will follow soon after.

Hidden Cobra Strikes Again with Custom RAT, SMB Malware

The feds are warning that the North Korean APT group known as Hidden Cobra is mounting active attacks on U.S. businesses (and others globally), including organizations in the media, aerospace, financial and critical infrastructure sectors.

According to a United States Computer Emergency Readiness Team (US-CERT) bulletin released Tuesday, the state-sponsored group is using two families of malware against U.S. assets: a remote access tool (RAT) dubbed Joanap, and a Server Message Block (SMB) worm known as Brambul.

Neither family is new, having been first observed in 2009. However, both are bringing thoroughly modern tricks to the cyber-party. The actors are targeting sensitive and proprietary information, and the malware could disrupt regular operations and disable systems and files.

A Look at Joanap and Brambul

Joanap is a fully functional RAT that serves as the payload in various phishing or drive-by attacks. Hidden Cobra uses it to exfiltrate data and host system information, drop and run secondary payloads, and initialize proxy and peer-to-peer communications on compromised Windows devices, according to the alert. It uses Rivest Cipher 4 encryption to communicate with the C2.

It also has capabilities to manage botnets for other types of operations, and can carry out file management, process management, the creation and deletion of directories, and node management.

Brambul meanwhile is a Windows 32-bit brute-force authentication worm that spreads through SMB, which is the Windows file-sharing protocol that enables shared access to files between users on a network. Famously, SMB is the point of compromise targeted by leaked National Security Agency hacking tools like EternalBlue and EternalRomance.

In this case, Brambul specifically targets insecure or unsecured user accounts and spreads through poorly secured network shares. It shows up looking like a service dynamic link library file or a portable executable file, and once executed, it pivots to spread to other subnets and systems on the network.

“If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks,” the alert explained.

Once active on a system, Brambul sets about harvesting system information and sending it back to Hidden Cobra actors via malicious email messages. It can also accept command-line arguments, and it has a self-kill mechanism.
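The spreading behaviour the alert describes (SMB connections on ports 139 and 445 to many hosts, including randomly generated IP addresses) shows up in flow logs as one source fanning out to many distinct SMB targets in a short time. The following detection sketch is an added example, not code from US-CERT or the original article; the log format, the internal range, the thresholds and the sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}                            # ports named in the alert
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the org's address space

# Constructed sample flow records: "ISO-time src dst dport" (hypothetical format).
SAMPLE_FLOWS = """\
2018-05-29T10:00:01 10.0.5.23 10.0.5.40 445
2018-05-29T10:00:02 10.0.5.23 10.0.5.41 445
2018-05-29T10:00:03 10.0.5.23 10.0.9.12 139
2018-05-29T10:00:04 10.0.5.23 198.51.100.7 445
2018-05-29T10:00:05 10.0.5.23 203.0.113.9 445
2018-05-29T10:00:06 10.0.5.23 192.0.2.55 445
2018-05-29T10:00:07 10.0.5.8 10.0.1.10 445
2018-05-29T10:05:00 10.0.5.8 10.0.1.11 445
2018-05-29T10:00:08 10.0.5.9 198.51.100.7 443
truncated-record
"""

def parse(text):
    """Yield (time, src, dst, dport) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), parts[1],
                   ipaddress.ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def smb_fanout(text, min_targets=5, window=timedelta(minutes=1)):
    """Map each source whose distinct SMB targets inside any sliding window
    reach min_targets to (distinct targets, targets outside INTERNAL)."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse(text):
        if dport in SMB_PORTS:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e[0])
        start, best = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                        # slide the window forward
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            external = sum(1 for d in best if not any(d in n for n in INTERNAL))
            alerts[src] = (len(best), external)
    return alerts

if __name__ == "__main__":
    print(smb_fanout(SAMPLE_FLOWS))
```

A workstation with a non-zero external count is the stronger signal, since legitimate clients rarely open SMB sessions to addresses outside the organisation.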

North Korea Behind the Scenes

Joint Hidden Cobra research from the Department of Homeland Security and the FBI noted that IP addresses and other indicators of compromise (IOCs) associated with the attacks link back to both strains, which they say are custom malware deployed by the North Korean government.

“FBI has high confidence that Hidden Cobra actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation,” the feds said in their alert. “DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber-activity.”

Hidden Cobra (also known as the Lazarus Group) has been on the radar screen for some time; it was linked to the infamous 2014 Sony Pictures hack, for instance, as well as the SWIFT banking attacks. More recently, last June the group was seen leveraging malware called DeltaCharlie, which is the brains behind North Korea’s distributed denial-of-service (DDoS) botnet infrastructure.

Also, in April, Thailand’s Computer Emergency Response Team (ThaiCERT) seized a server operated by the APT. The server is part of the network used to control the global GhostSecret espionage campaign, which researchers say is still ongoing. McAfee warned at the time that the GhostSecret campaign was carrying out data reconnaissance on a wide number of industries, including critical infrastructure, entertainment, finance, healthcare and telecommunications, in at least 17 countries.

To avoid compromise, users and administrators should follow best practices, especially maintaining up-to-date patching and antivirus; enabling workstation firewalls; implementing email- and download-scanning to quarantine or block suspicious attachments and files; restricting user permissions for software installations; and disabling Microsoft’s File and Printer Sharing service, if not needed.

“If this service is required, use strong passwords or Active Directory authentication,” US-CERT noted.

How to set Vacation Auto Responder in GMail

As summer comes, so do the family vacations. If you use Gmail, there is a way to set up an auto responder to let your customers know that you'll get back to them as soon as you can.

Here's how to set it up:

1.  Log in to your Gmail account as normal.

2.  Click Settings (gear icon) > General.

3.  Scroll down to "Vacation Responder".

4.  Switch the vacation responder to "ON".

5.  Fill out the Start Date and End Date for the responder.

6.  Click the option if you only want to respond to people in your Contacts.

7.  When satisfied, click on the "Save Changes" button.

8.  That's it.

 

AI is now better at detecting skin cancer than human doctors

“Modern medicine pushes forward thanks to the efforts of doctors and scientists who develop new tools, techniques, and methods for diagnosing and treating ailments, but what happens when the tools become smarter than the humans?” Mike Wehner reports for BGR. “A new algorithm for detecting skin cancers might provide the answer to that question, as it just demonstrated it can outperform human doctors in spotting malignant melanomas.”

“In a new study published in the journal Annals of Oncology, a team of scientists asked trained dermatologists to face off against a neural network to see which one provided accurate diagnoses more often,” Wehner reports. “Spoiler: The humans didn’t win.”

“The numbers are quite stunning: 87 percent of melanomas were accurately diagnosed by the human doctors the first time around, and that number improved to 89 percent during the second round of examination,” Wehner reports. “The AI, on the other hand, nailed 95 percent of malignant growths.”

Read more in the full article here.
