Week 05: System and User Enumeration

September 28, Facebook admitted that unknown hacks exploited three zero-day vulnerabilities on its social media platform and took away secret access tokens for more than 50 million Facebook users.

Access Tokens “are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.” The hackers could use those access tokens to take over user accounts. In response, Facebook reset access token for nearly 90 million users, which caused all 90 million users being logged out on September 28. The hackers could use the secret access tokens to access user accounts, personal information, and access third-party app or websites that are logged in with Facebook accounts.

https://thehackernews.com/2018/09/facebook-account-hack.html

The governor of California just signed into law the first law in American history that ensures that IoT devices/gadgets have  “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”  I think it’s kind of sad that the law has to force vendors to build their products more securely.  But if it’s going to take something like this for it to happen then so be it!  Wonder how the rest of the country is going to follow and what fines and law suites are going to come about if a vendor does not comply.  Will they not be able to sell their product in Cali?  What if they bought it on Amazon across state lines?

 

https://www.cnet.com/news/california-governor-signs-countrys-first-iot-security-law/

A local-privilege escalation vulnerability in the Linux kernel affects all current versions of Red Hat Enterprise Linux and CentOS, even in their default/minimal installations. It would allow an attacker to obtain full administrator privileges over the targeted system, and from there potentially pivot to other areas of the network.

https://threatpost.com/local-privilege-escalation-flaw-in-linux-kernel-allows-root-access/137748/

A new piece of malware, Virobot, has been discovered that has both ransomware and botnet capabilities in a single package. It propagates itself via Microsoft Outlook spam e-mails. Virobot infected emails are sent to the victim’s entire contact list on Outlook, which contains a copy of the malware or a link to a payload file which will be downloaded on the target machine when the spam message is opened.

Once the malware hits a machine, it scans the registry of the machine to identify the Product ID and GUID. It then generates an encryption and decryption key using a cryptographic Random Number Generator. All these gathered data are then sent to the Command and Control server and later it starts encrypting the hard drive. Once encryption is completed, the malware displays a ransom note and a ransom screen.

Apparently, the malware’s server has been taken down and it can no longer carry out encryption unless it establishes connection with its C&C.

This malware also includes a keylogging feature, wherein it records everything that the target types on its machine and then shares it with its C&C server.

Although the malware’s C&C server is offline, we may never know when these malicious actors would switch their operations to another command and control server.

https://www.securityweek.com/new-virobot-ransomware-and-botnet-emerges

https://krebsonsecurity.com/2018/09/u-s-mobile-giants-want-to-be-your-online-identity/

The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.

Considering these firms have not had such a great track record in safeguarding customer information and accounts…this probably is not the best idea.

The new MacOS Mojave was released to the public today.  But it looks like there’s a zero day privilege escalation bug in it.  The “entrusted” app was able to grab data from the system where you were supposed to have privileged access to access it.

https://www.bleepingcomputer.com/news/security/macos-mojave-privacy-bypass-flaw-allows-access-to-protected-files/