Waze | Another way to track your moves

Millions of drivers use Waze, a Google-owned navigation app, to find the best, fastest route from point A to point B. And according to a new study, all of those people run the risk of having their movements tracked by hackers.

Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of “ghost drivers” that can monitor the drivers around them—an exploit that could be used to track Waze users in real-time. They proved it to me by tracking my own movements around San Francisco and Las Vegas over a three-day period.

“It’s such a massive privacy problem,” said Ben Zhao, professor of computer science at UC-Santa Barbara, who led the research team.

Here’s how the exploit works. Waze’s servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze’s computers are really talking to a Waze app on someone’s smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze’s back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of “ghost cars”—cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them.

 

The attack is similar to one conducted by Israeli university students two years ago, who used emulators to send traffic bots into Waze and create the appearance of a traffic jam. But an emulator, which pretends to be a phone, can only create the appearance of a few vehicles in the Waze system. The UC-Santa Barbara team, on the other hand, could run scripts on a laptop that created thousands of virtual vehicles in the Waze system that can be sent into multiple grids on a map for complete surveillance of a given area.

In a test of the discovery, Zhao and his graduate students tried the hack on a member of their team (with his permission).

“He drove 20 to 30 miles and we were able to track his location almost the whole time,” Zhao told me. “He stopped at gas stations and a hotel.”

 

Last week, I tested the Waze vulnerability myself, to see how successfully the UC-Santa Barbara team could track me over a three-day period. I told them I’d be in Las Vegas and San Francisco, and where I was staying—the kind of information a snoopy stalker might know about someone he or she wanted to track. Then, their ghost army tried to keep tabs on where I went.

Users could be tracked right now and never know it.

– Ben Zhao, UC-Santa Barbara computer science professor
 

The researchers caught my movements on three occasions, including when I took a taxi to downtown Las Vegas for dinner:

And they caught me commuting to work on the bus in San Francisco. (Though they lost me when I went underground to take the subway.)

The security researchers were only able to track me while I was in a vehicle with Waze running in the foreground of my smartphone. Previously, they could track someone even if Waze was just running in the background of the phone. Waze, an Israeli start-up, was purchased by Google in 2013 for $1.1 billion. Zhao informed the security team at Google about the problem and made a version of the paper about their findings public last year. An update to the app in January of this year prevents it from broadcasting your location when the app is running in the background, an update that Waze described as an energy-saving feature. (So update your Waze app if you haven’t done so recently!)

“Waze constantly improves its mechanisms and tools to prevent abuse and misuse. To that end, Waze is regularly in contact with the security and privacy research community—we appreciate their help protecting our users,” said a Waze spokesperson in an emailed statement. “This group of researchers connected with us in 2014, and we have already addressed some of their claims, implementing safeguards in our system to protect the privacy of our users.”

The spokesperson said that “the concept of Waze is that we all work together to share information and impact the world around us” and that “users expect to offer certain information about their route in exchange for unparalleled navigation assistance.” Among the safeguards deployed by Waze is a “system of cloaking” so that a user’s location as displayed “from time to time within the Waze application does not represent such user’s actual, real time location.”


But those safeguards did not prevent real-time tracking in my case. The researchers sent me their tracking minutes after my trips, with accurate time stamps for each of my locations, meaning this cloaking system doesn’t seem to work very well.

“Anyone could be doing this [tracking of Waze users] right now,” said Zhao. “It’s really hard to detect.”

Part of what allowed the researchers to track me so closely is the social nature of Waze and the fact that the app is designed to share users’ geolocation information with each other. The app shows you other Waze drivers on the road around you, along with their usernames and how fast they’re going. (Users can opt of this by going invisible.) When I was in Vegas, the researchers simply populated ghost cars around the hotel I was staying at that were programmed to follow me once I was spotted.

“You could scale up to real-time tracking of millions of users with just a handful of servers,” Zhao told me. “If I wanted to, I could easily crawl all of the U.S. in real time. I have 50-100 servers, and could get more from [Amazon Web Services] and then I could track all of the drivers.”

Theoretically, a hacker could use this technique to go into the Waze system and download the activity of all the drivers using it. If they made the data public like the Ashley Madison hackers did, the public would suddenly have the opportunity to follow the movements of the over 50 million people who use Waze. If you know where someone lives, you would have a good idea of where to start tracking them.

Like the Israeli researchers, Zhao’s team was also able to easily create fake traffic jams. They were wary of interfering with real Waze users so they ran their experiments from 2 a.m. to 5 a.m. every night for two weeks, creating the appearance of heavy traffic and an accident on a remote road outside of Baird, Texas.

“No real humans were harmed or even interacted with,” said Zhao. They aborted the experiment twice after spotting real world drivers within 10 miles of their ghost traffic jam.

 

While Zhao defended the team’s decision to run the experiment live on Waze’s system, he admitted they were “very nervous” about initially making their paper about their findings public. They had approval from their IRB, a university ethics board; took precautions not to interfere with any real users; and notified Google’s security team about their findings They are presenting their paper at a conference called MobiSys, which focuses on mobile systems, at the end of June in Singapore.

 

“We needed to get this information out there,” said Zhao. “Sitting around and not telling the public and the users isn’t an option. They could be tracked right now and never know it.”

“This is bigger than Waze,” continued Zhao. The attack could work against any app, said Zhao, turning their servers into an open system that an attacker can mine and manipulate. With Waze, it’s a particularly sensitive attack because users’ location information is being broadcast and can be downloaded, but the attack on another app would allow hackers to download any information that users broadcast to other users or allow them to flood the app with fake traffic.

“With a [dating app], you could flood an area with your own profile or robot profiles and basically ruin it for your area,” said Zhao. “We looked at a bunch of different apps and nearly all of them had this near-catastrophic vulnerability.”

The scary part, said Zhao, is that “we don’t know how to stop this.” He said that servers that interact with apps in general are not as robust against attack as those that are web-facing.

“Not being able to separate a real device from a program is a larger problem,” said Zhao. “It’s not cheap and it’s not easy to solve. Even if Google wanted to do something, it’s not trivial for them to solve. But I want them to get this on the radar screen and help try to solve the problem. If they lead and they help, this collective problem will be solved much faster than if they don’t.”

“Waze is building their platform to be social so that you can track people around you. By definition this is going to be possible,” said Jonathan Zdziarski, a smartphone forensic scientist, who reviewed the paper at my request. “The crowd sourced tools that are being used in these types of services definitely have these types of data vulnerabilities.”

Zdziarski said there are ways to prevent this kind of abuse, by for example, rate-limiting data requests. Zhao told me his team has been running its experiments since the spring of 2014, and Waze hasn’t blocked them, even though they have created the appearance of thousands of Waze users in a short period of time coming from just a few IP addresses.

Waze’s spokesperson said the company is “examining the new issue raised by the researchers and will continue to take the necessary steps to protect the privacy of our users.”

In the meantime, if you need to use Waze to get around but are wary of being tracked, you do have one option: set your app to invisible mode. But beware, Waze turns off invisible mode every time you restart the app.

Full paper here.

Credit:

Advertisements

[CRITICAL] CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Have you ever been deep in the mines of debugging and suddenly realized that you were staring at something far more interesting than you were expecting? You are not alone! Recently a Google engineer noticed that their SSH client segfaulted every time they tried to connect to a specific host. That engineer filed a ticket to investigate the behavior and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting. Thanks to this engineer’s keen observation, we were able determine that the issue could result in remote code execution. We immediately began an in-depth analysis of the issue to determine whether it could be exploited, and possible fixes. We saw this as a challenge, and after some intense hacking sessions, we were able to craft a full working exploit!

In the course of our investigation, and to our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July, 2015. (bug). We couldn’t immediately tell whether the bug fix was underway, so we worked hard to make sure we understood the issue and then reached out to the glibc maintainers. To our delight, Florian Weimer and Carlos O’Donell of Red Hat had also been studying the bug’s impact, albeit completely independently! Due to the sensitive nature of the issue, the investigation, patch creation, and regression tests performed primarily by Florian and Carlos had continued “off-bug.”

This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams’ knowledge into a comprehensive patch and regression test to protect glibc users.

That patch is available here.

 

Issue Summary:

Our initial investigations showed that the issue affected all the versions of glibc since 2.9. You should definitely update if you are on an older version though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack. The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.

 

Technical information:

glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated. Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow. The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.

Exploitation:

Remote code execution is possible, but not straightforward. It requires bypassing the security mitigations present on the system, such as ASLR. We will not release our exploit code, but a non-weaponized Proof of Concept has been made available simultaneously with this blog post. With this Proof of Concept, you can verify if you are affected by this issue, and verify any mitigations you may wish to enact. As you can see in the below debugging session we are able to reliably control EIP/RIP.

(gdb) x/i $rip => 0x7fe156f0ccce <_nss_dns_gethostbyname4_r+398>: req (gdb) x/a $rsp 0x7fff56fd8a48: 0x4242424242424242 0x4242424242420042

When code crashes unexpectedly, it can be a sign of something much more significant than it appears; ignore crashes at your peril! Failed exploit indicators, due to ASLR, can range from:

  • Crash on free(ptr) where ptr is controlled by the attacker.
  • Crash on free(ptr) where ptr is semi-controlled by the attacker since ptr has to be a valid readable address.
  • Crash reading from memory pointed by a local overwritten variable.
  • Crash writing to memory on an attacker-controlled pointer.

We would like to thank Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O’Donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development.

 

 

Credit:  Fermin J. Serna and Kevin Stadmeyer

OmniRAT – the $25 way to hack into Windows, OS X and Android devices

 

Just last week, police forces across Europe arrested individuals who they believed had been using the notorious DroidJack malware to spy on Android users.

Now attention has been turned on to another piece of software that can spy on communications, secretly record conversations, snoop on browsing histories and take complete control of a remote device. But, unlike DroidJack, OmniRAT doesn’t limit itself to Android users – it can also hijack computers running Windows and Mac OS X too.

And that’s not the only difference between DroidJack and OmniRAT. Both of them may be being sold openly online, but OmniRAT retails for as little as $25 compared to DroidJack’s more hefty $210.

Security researchers at the anti-virus company Avast describe OmniRAT as a “Remote Administration Tool.

And it certainly can be used for entirely legitimate purposes, with the permission and consent of the owners of Android, Mac and Windows computers it tries to control.

But, in the wrong hands, it can also be considered a “Remote Access Trojan” – giving malicious hackers an opportunity to sneakily spy on and steal from unsuspecting users duped into installing the code.

OmniRAT

In his blog post, researcher Nikolaos Chrysaidos describes how he believes hackers have infected Androids with OmniRAT after sending an SMS.

Apparently, a German Android user explained on the Techboard-online forum how he had received an SMS telling him that an MMS had not been delivered directly to him due to the StageFright vulnerability.

In order to access the MMS, the user was told to follow a bit.ly link within three days, and enter a PIN code.

However, as Crysaidos explains, visiting the URL would initiate the attempt to install OmniRAT onto the target’s Android device:

Once you enter your number and code, an APK, mms-einst8923, is downloaded onto the Android device. The mms-einst8923.apk, once installed, loads a message onto the phone saying that the MMS settings have been successfully modified and loads an icon, labeled “MMS Retrieve” onto the phone.

Once the icon is opened by the victim, mms-einst8923.apk extracts OmniRat, which is encoded within the mms-einst8923.apk. In the example described on Techboard-online, a customized version of OmniRat is extracted.

Android app icon

Perhaps the long list of permissions requested by the app would make you think twice, if it weren’t so common for so many popular apps in the Google Play store to make similar requests.

App permissions

The problem of course is that through its cunning social engineering, and the target’s keen attempt to view the MMS that they might have been sent, it may be all too likely that the user grants permission for the app to be installed without thinking of the possible consequences.

And, as the app is capable of sending its own SMS messages, it may be that your infected Android device could then send further messages with malicious intent to your friends, family and colleagues, in the hope of hijacking further devices. After all, users are more likely to be tricked into believing a message is legitimate, and letting their guard down, if they receive a message apparently coming from someone they know and trust.

Sadly victims will probably have no clue that their devices are compromised, and even if they uninstall the MMS Retrieve icon, the customised version of OmniRAT remains installed on their Android smartphone, and will be sending data to a command and control (C&C) server seemingly based in Russia:

Russian domain

So, the question to ask is how should you protect yourself?

Well, clearly you should resist the urge to install apps onto your smartphone from anywhere other than the official app stores. Although malware has unfortunately snuck into the Google Play store in the past, you’re much more likely to encounter malicious code from unauthorised sources.

Furthermore, I would recommend running a security product on your Android device to detect malicious code and that – if possible – you keep your Android smartphone patched with the latest version of the operating system.

Finally, always think long and hard before clicking on links from untrusted sources. It could be that you’re just one click away from a hacker trying to take remote control of your Android phone.

 

 

Credit: 

Pro-Palestinian Hackers Took over Radio Tel Aviv Website

A group of pro-Palestinian hackers took over the official website of Radio Tel Aviv (TLV) on Sunday and left a deface page on the homepage showing anti-Israeli messages.

A group of Palestinian-friendly hackers going with the handle of AnonCoders hacked and defaced the official website of Radio Tel Aviv.

Hackers left a deface page along with messages both in support of Palestine and against Israel and Zionism.

The Israeli newspaper YT News reports that the deface page uploaded by the group remained on the Radio Tel Aviv’s website for more than a day after it was removed by the site’s admin. However, the Radio transmission remained unharmed.

The message on the website described why the site was targeted:

“Because we are the voice of Palestine and we will not remain silent. And our main target is Zionism and Israhell, if you are asking why your website got hacked by us, it’s basically because we want to share our message.”

A full preview of the deface page is available below:

pro-palestinian-hackers-took-over-radio-tel-aviv-website

Link of targeted website along with its zone-h mirror as a proof of hack is available below:

http://102fm.co.il/
http://zone-h.org/mirror/id/24931127?zh=1

This is not the first time when pro-Palestinian hackers took over an Israeli entertainment service provider. In the past, the cyber wing of Hamas hacked the official TV broadcasts of Israeli Channel 2 and Channel 10 for a short period of time.

In 2013, Israel’s major traffic tunnel was hit by a massive cyber-attack, causing huge financial damage.

In March 2014, Al-Qassam hackers from Palestine compromised the IsraelDefense magazine database and its website, to launch SMS attack on Israeli journalists.

 

 

Credit: 

Mozilla’s Bugzilla Hacked | Stolen Data Used For Targeting Firefox users

Mozilla yesterday detailed a security attack on its bug tracker and testing tool Bugzilla, as well as the steps it is taking to mitigate a repeat incident. In short, a hacker compromised the service, stole security-sensitive information, and used it to attack Firefox users.

Bugzilla is open-source software that has been adopted by a variety of organizations in addition to Mozilla: WebKit, the Linux kernel, FreeBSD, Gnome, KDE, Apache, Red Hat, Eclipse, and LibreOffice. While Bugzilla is mostly public, access to security-sensitive information is restricted so that only certain privileged users can access it. Following the attack, Mozilla has now beefed up security on those accounts.

mozillas-bugzilla-hacked-stolen-data-used-for-targeting-firefox-users

After conducting an investigation of the unauthorized access, Mozilla believes the attacker used information from Bugzilla to exploit a Firefox vulnerability. The company plugged that Firefox security hole on August 6, just a day after it was reported to the company.

The flaw was being exploited in the wild: Attackers were injecting a malicious script that searched for key files on a user’s machine and then uploaded them to a remote server, thought to be located in the Ukraine. Firefox users merely had to load a webpage with the exploit on it, and the attack left no trace.

Mozilla said the latest update to Firefox 40 (version 40.0.3, released on August 27) addressed all the vulnerabilities that the attacker learned about and could have used to harm Firefox users. With that out of the way, the company is now focusing on the Bugzilla side of the attack.

Although Mozilla shut down the account that the attacker broke into “shortly after” the company discovered that it had been compromised, there is still more work to be done:

We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type. As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication. We are reducing the number of users with privileged access and limiting what each privileged user can do. In other words, we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in.

Additionally, Mozilla said it has notified relevant law enforcement authorities about the incident. The company may also take “additional steps based on the results of any further investigations.”

 

Credit: 

 

 

 

United Airlines’ Frequent Flyer App has been hacked

United Airlines’ Frequent Flyer App Can Be Hacked to Reveal Passenger Info

Flying has never been more convenient for customers. The security checks might be a drag, but sometimes all it takes to check in online is punching in a few digits into a mobile app.

But that may be just a little too convenient. A cybersecurity company has discovered that it’s possible to obtain the personal and flight information of United Airlines MileagePlus customers through the company’s app.

“An attacker can get access to personal details such as email, phone number, flight details (origin, destination, date, time, seat) and even the boarding pass,” Yosi Dahan, co-founder and CEO of Turrisio Cybersecurity, told Motherboard in an email.

When logging into the United Airlines app to check in, a customer can either enter their booking confirmation code or MileagePlus ID and doesn’t need to give any other information, such as a password. MileagePlus is United Airline’s frequent flyer program. If the user’s flight is within 24 hours, their information will be displayed on the app.

Image: Censored screenshot provided by Dahan to show the information he uncovered

MileagePlus IDs are very basic: they come in the format of two letters, followed by six digits. So instead of having to find out the ID of a particular customer, Dahan wrote a simple Python proof-of-concept script that could allow an attacker to grind through the possible combinations of IDs and automatically check if any flights were booked with them.

There is no indication that the app has actually been abused by criminals. But Dahan, who has previously written about the MileagePlus app security, envisioned that it could be possible to launch a social engineering attack with information gleaned this way. He suggested, for instance, that an attacker could call a victim and present them with information that only United Airlines should know, then scam them into handing over credit card details.

 

 

Credit:  motherboard

Firefox Under Fire: Anatomy of latest 0-day attack

On the August 6th, the Mozilla Foundation released a security update for the Firefox web browser that fixes the CVE-2015-4495 vulnerability in Firefox’s embedded PDF viewer, PDF.js. This vulnerability allows attackers to bypass the same-origin policy and execute JavaScript remotely that will be interpreted in the local file context. This, in turn, allows attackers to read and write files on local machine as well as upload them to a remote server. The exploit for this vulnerability is being actively used in the wild, so Firefox users are advised to update to the latest version (39.0.3 at the time of writing) immediately.

In this blog we provide an analysis of two versions of the script and share details about the associated attacks against Windows, Linux and OS X systems.

According to ESET’s LiveGrid® telemetry, the server at the IP address 185.86.77.48, which was hosting the malicious script, has been up since July 27, 2015. Also we can find corroboration on one of the compromised forums:

image1

Operatives from the Department on Combating Cybercrime of the Ministry of Internal Affairs of Ukraine, who responded promptly to our notification, have also confirmed that the malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.

According to our monitoring of the threat, the server became inactive on August 8, 2015.

 

The script

The script used is not obfuscated and easy to analyze. Nevertheless, the code shows that the attackers had good knowledge of Firefox internals.

The malicious script creates an IFRAME with an empty PDF blob. When Firefox is about to open the PDF blob with the internal PDF viewer (PDF.js), new code is injected into the IFRAME (Figure 2). When this code executes, a new sandboxContext property is created within wrappedJSObject. A JavaScript function is written to the sandboxContext property. This function will later be invoked by subsequent code. Together, these steps lead to the successful bypass of the same-origin policy.

Code that creates sandboxContext property

The exploit is very reliable and works smoothly. However, it may display a warning which can catch the attention of tech-savvy users.

The warning message showed on compromised site

After successful exploitation of the bug, execution passes to the exfiltration part of code. The script supports both the Linux and Windows platforms. On Windows it searches for configuration files belonging to popular FTP clients (such as FileZilla, SmartFTP and others), SVN client, instant messaging clients (Psi+ and Pidgin), and the Amazon S3 client.

The list of collected files on Windows at the first stage of attack

These configuration files may contain saved login and password details.

On the Linux systems, the script sends following files to the remote server:

  • /etc/passwd
  • /etc/hosts
  • /etc/hostname
  • /etc/issue

It also parses the /etc/passwd file in the order to get the home directories (homedir) of users on the system. The script then searches files by mask in the home directories collected, and it avoids searching in the home directories of standard system users (such as daemon, bin, sys, sync and so forth).

The list of collected files on Linux at stage 1 of attack

It collects and uploads such files as:

  • history (bash, MySQL, PostgreSQL)
  • SSH related configuration files and authorization keys
  • Configuration files for remote access software – Remmina
  • FileZilla configuration files
  • PSI+ configuration
  • text files with possible credentials and shell scripts

As is evident here, the purpose of the first version of the malicious script was to gather data used mostly by webmasters and site administrators. This allowed attackers to move on to compromising more websites.

 

The second version

The day after Mozilla released the patch for Firefox the attackers decided to go “all-in”: they registered two new domains and improved their script.

The two new malicious domains were maxcdnn[.]com (93.115.38.136) and acintcdn[.]net (185.86.77.48). The second IP address is the same one as used in the first version. Attackers selected these names because the domains look as if they belong to a content delivery network (CDN).

The improved script on the Windows platform not only collects configuration files for applications; it also collects text files containing almost all combinations of words of possible value to attackers (such as password, accounts, bitcoins, credit cards, exploits, certificates, and so on):

List of files collected on Windows during the second attack stage

The attackers improved the Linux script by adding new files to collect and also developed code that works on the Mac OS X operating system:

List of files collected on Macs during the second stage of an attack

Some Russian-speaking commentators misattributed this code to the Duqu malware, because some variables in the code have the text “dq” in them.

 

A copycat attack

Since the bug is easy to exploit and a working copy of the script is available to cybercriminals, different attackers have started to use it. We have seen that various groups quickly adopted the exploit and started to serve it, mostly on adult sites from google-user-cache[.]com (108.61.205.41)

This malicious script does all the same things as the original script, but it collects different files:

The list of collected files used in copycat attack

 

Conclusion

The recent Firefox attacks are an example of active in-the-wild exploitation of a serious software vulnerability. The exploit shows that the malware-writers had a deep knowledge of Firefox internals. It is also an interesting one, since in most cases, exploits are used as an infection vector for other data-stealing trojans. In this instance, however, that was not necessary, because the malicious script alone was able to steal sensitive files from victims’ systems.

Additionally, the exploit started to be reused by other malware operators shortly after its discovery. This is common practice in the malware world.

ESET detects the malicious scripts as JS/Exploit.CVE-2015-4495. We also urge Firefox users to update their browser to the patched version (39.0.3). The internal Firefox PDF reader can also be disabled by changing the pdfjs.disabled setting to true.

 

Indicators of Compromise

A partial list of compromised servers:

hxxp://www.akipress.org/

hxxp://www.tazabek.kg/

hxxp://www.super.kg/

hxxp://www.rusmmg.ru/

hxxp://forum.cs-cart.com/

hxxp://www.searchengines.ru/

hxxp://forum.nag.ru/

Servers used in attack:

maxcdnn[.]com (93.115.38.136)

acintcdn[.]net (185.86.77.48)

google-user-cache[.]com (108.61.205.41)

Hashes (MD5):

0A19CC67A471A352D76ACDA6327BC179547A7A25

2B1A220D523E46335823E7274093B5D44F262049

19BA06ADF175E2798F17A57FD38A855C83AAE03B

3EC8733AB8EAAEBD01E5379936F7181BCE4886B3

 
 

Credit:  Anton Cherepanov