
A security researcher unveiled a new iOS attack technique called SandJacking, which allows someone with physical access to an unlocked iPhone to load malicious apps on the device. The SandJacking attack uses a flaw in Xcode 7 regarding certificates. How does the attack exploit this flaw, and how dangerous is SandJacking compared to other iOS threats?

To keep its ecosystem malware free, Apple requires all apps to be distributed via its official App Store. Each app is reviewed to ensure it is reliable, performs as expected and is free of offensive or malicious features; it also runs in a sandbox to prevent other processes from accessing it and its associated data. Each app has to be signed with an Apple Developer ID certificate. These are only available to members of Apple's Developer Program, who have to go through a verification process, which can include having to provide government-issued photo identification like a driver's license or passport. On the whole, these security controls work very well, though there have been some notable cases where malware has still managed to infect numerous iOS devices: WireLurker, XcodeGhost and AceDeceiver. SandJacking is now another example.

Before the release of iOS 8.3, one attack technique was to replace a legitimate app with a rogue version by simply assigning the malicious app a similar identifier, known as a bundle ID, and overwriting the original application. iOS 8.3 now prevents the installation of an app that has an ID similar to an existing one. However, while this check prevents a legitimate app from being overwritten and replaced during the installation process, it doesn't provide any safeguard during the restore process.

Chilik Tamir from Mi3 Security recently demonstrated how an attacker with physical access to an unlocked iPhone can create a backup, remove the legitimate app, install his rogue version of the deleted app and then restore the backup. This SandJacking attack works on non-jailbroken iPhones and gives the attacker access to the sandbox data of the app it replaces. The malicious app still has to be signed, but in Xcode version 7 -- a suite of software development tools created by Apple -- programmers are allowed to create iOS apps using unvalidated certificates that can be obtained by simply providing an Apple ID and then distributing them directly, avoiding Apple's application review and store restrictions. Creating an Apple ID is a simple process requiring only a name and an email address.

Although apps created with these unvalidated certificates have limited capabilities compared to regular apps where the developer has been through the formal verification process to obtain a certificate -- they can't access Apple Pay or in-app purchase features for example -- they can still access personal data such as the victim's address book and calendar. They're also likely to go undetected by the user, who would have to check the app's certificate and the device's provisioning settings to verify the developer's identity.

The SandJacking attack itself is not as dangerous a threat as other iOS threats, such as YiSpecter, XcodeGhost and Backdoor.MAC.Eleanor, which offer the attacker full control of the compromised device, because the attacker would need physical access to the device to pull a SandJacking attack off. It could be used while a phone is being repaired, or by a family member or law enforcement agency who has access to the device. But any type of smartphone that is unlocked and in the possession of someone other than the owner has to be regarded as potentially compromised. What the attack shows is how reliant the internet and technology as a whole is becoming on digital certificates when deciding whether something or someone should be trusted or not. Those who issue digital certificates need to ensure the internet and security systems can actually trust them.


This was first published in September 2016


SearchSecurity: Security Wire Daily News

Bitcoin.org is warning that the Bitcoin Core, the as-close-to-official-as-it-gets version of Blockchain consolidation software and Bitcoin wallets, has likely been compromised.

“Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release [version 0.13.0] will likely be targeted by state sponsored attackers,” the organisation says in a post that does not elaborate which state may be behind the threat or the nature of any attack.

“As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this calibre. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.”

The warning makes oblique references to China, saying “We believe Chinese services such as pools and exchanges are most at risk here due to the origin of the attackers.”

The potential problems with Bitcoin Core mean “not being careful before you download binaries could cause you to lose all your coins. This malicious software might also cause your computer to participate in attacks against the Bitcoin network.”

A suggested defence is to employ only the key used to sign Bitcoin Core hashes.

“We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964. You should securely verify the signature and hashes before running any Bitcoin Core binaries,” the advisory says.
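The two checks the advisory asks for, signing-key fingerprint and file hashes, as an added example that is not Bitcoin.org's or Bitcoin Core's own code. It parses the machine-readable output of `gpg --with-colons --fingerprint` and the `sha256sum`-style lines of a SHA256SUMS file; the key listing, file names and file contents below are constructed stand-ins, while the fingerprint is the one quoted in the advisory.

```python
import hashlib
import re

# Fingerprint quoted in the Bitcoin.org advisory for the key that signs Bitcoin Core hashes.
EXPECTED_FINGERPRINT = "01EA5486DE18A882D4C2684590C8019E36C2E964"

def normalize_fingerprint(fp):
    # Drop spaces/colons and upper-case, so display formatting cannot cause a false mismatch.
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def key_fingerprints(gpg_colons_output):
    """Collect fingerprints from `gpg --with-colons --fingerprint` output:
    they live in 'fpr' records, in the tenth colon-separated field."""
    fprs = set()
    for line in gpg_colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fprs.add(fields[9].upper())
    return fprs

def key_is_expected(gpg_colons_output, expected=EXPECTED_FINGERPRINT):
    # True only if the imported key carries exactly the advertised fingerprint.
    return normalize_fingerprint(expected) in key_fingerprints(gpg_colons_output)

def check_sha256sums(sums_text, files):
    """Compare downloaded files (name -> bytes) against sha256sum-style lines
    (<hex digest><two spaces><filename>) taken from the signed SHA256SUMS file."""
    listed = {}
    for line in sums_text.splitlines():
        if line.strip():
            digest, _, name = line.strip().partition("  ")
            listed[name.lstrip("*")] = digest.lower()
    results = {}
    for name, data in files.items():
        if name not in listed:
            results[name] = "NOT LISTED"   # the signed list does not vouch for this file at all
        elif hashlib.sha256(data).hexdigest() == listed[name]:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

# Constructed sample data: a fake key listing, a fake release archive and a tampered copy.
SAMPLE_GPG_OUTPUT = ("pub:-:4096:1:90C8019E36C2E964:1441000000::-:::scESC::::::23::0:\n"
                     "fpr:::::::::01EA5486DE18A882D4C2684590C8019E36C2E964:\n")
GOOD = b"constructed stand-in for a release archive\n"
GOOD_DIGEST = hashlib.sha256(GOOD).hexdigest()
SAMPLE_SUMS = f"{GOOD_DIGEST}  bitcoin-0.13.0-example.tar.gz\n{GOOD_DIGEST}  bitcoin-0.13.0-tampered.tar.gz\n"
SAMPLE_FILES = {"bitcoin-0.13.0-example.tar.gz": GOOD,
                "bitcoin-0.13.0-tampered.tar.gz": GOOD + b"\x00",
                "unlisted-installer.exe": b"anything"}

def check_release(gpg_output=SAMPLE_GPG_OUTPUT, sums=SAMPLE_SUMS, files=SAMPLE_FILES):
    return {"key_ok": key_is_expected(gpg_output), "files": check_sha256sums(sums, files)}
```

The hash check is only meaningful after `gpg --verify` has accepted the signature on SHA256SUMS with the key whose fingerprint matched; a hash file that was swapped alongside the binaries would otherwise pass.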

Bitcoin.org is not an official organ of Bitcoin, instead offering a hub for development of the Bitcoin Core. We therefore presume that the site's publishers speak with some authority, but as it offers no way to contact its operators we've attempted to contact The Bitcoin Foundation to seek its take on this announcement. But the Foundation's contacts mechanism has a mis-firing CAPTCHA that has repelled all our attempts at sending a message.

The Register will keep trying to learn more about this warning! ®



The Register - Security

There is an undocumented SNMP community string in Rockwell Automation’s MicroLogix 1400 programmable logic controllers that can be exploited by attackers to remotely change settings or modify the device firmware, and therefore compromise the PLCs.


The vulnerability was found by Cisco Talos researcher Patrick DeSantis in versions 7 to 15.004 of the PLC systems (a full list of vulnerable products can be found here).

The affected PLCs are intended for use in general industrial machinery, HVAC / building automation, SCADA, commercial machinery, etc.

According to the US ICS-CERT, the vulnerability could be exploited by a low skilled attacker, but there are currently no known public exploits that specifically target this flaw.

“SNMP is a standard protocol employed by many types of internet protocol based products and allows centralized and remote device management capabilities. One of the many standard SNMP capabilities enables users to manage the product’s firmware, including the capability of applying firmware updates to the product. The MicroLogix 1400 utilizes this standard SNMP capability as its official mechanism for applying firmware updates to the product,” ICS-CERT explained.

Rockwell Automation has been informed of the issue, but unfortunately can’t remove the capability from the product.

Operators are, therefore, advised to minimize the risk of the flaw being exploited by doing things like utilizing proper network infrastructure controls to block SNMP requests from unauthorized sources, and using the product’s “RUN” keyswitch setting to prevent unauthorized firmware update operations.


Help Net Security

Security researchers have come up with a way to unlock cars manufactured by vendors around the world, and are set to present their findings on Friday at the Usenix security conference in Austin, Texas.

They have devised two attacks:

  • One that targets cars of the Volkswagen Group (VW, Seat, Škoda, and Audi), and includes recovering the cryptographic algorithms and keys from electronic control units, which allows them to clone the signal that will open the car, and
  • Another that takes advantage of the cryptographically weak cipher in the Hitag2 rolling code scheme used by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, Ford and other car makers. The result of the attack is the same: an unlocked car.

“Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles,” the researchers noted.

The attacks are perhaps not extremely easy to execute, as they require specific technical knowledge and effort, but the hardware tools required to pull them off are cheap and accessible to practically everyone.

For example, this Arduino-based RF transceiver costs less than $40, and can eavesdrop and record rolling codes, emulate a key, and perform reactive jamming:

Both attacks can be performed in mere minutes. The researchers did not probe the security of the remote control systems installed on all of the vehicles manufactured by the aforementioned automakers, but those that they managed to compromise are present (in VW’s case) on hundreds of millions of cars, most of which are probably still being driven around.

While these attacks do not allow the attacker to start the car and drive away with it, they can be paired with attacks that allow that, the researchers noted.

Also, stealing valuable objects from inside the car can be pulled off quickly and without leaving a trace of how the car was accessed – victims might even think they forgot to lock the car.

It’s good to note that similar attacks have been demonstrated earlier this year by a group of researchers from ADAC, the largest automobile club in Europe, and before that by researchers from ETH Zurich.

Unfortunately, there is not much car owners can do about this problem, apart from refraining from leaving valuable things in their cars, and from using the remote control system altogether (i.e. choose to unlock their car by using the physical key).

It’s the automakers who should do something about it, but it’s unlikely they will.

“Completely solving the described security problems would require a firmware update or exchange of both the respective ECU and (worse) the vehicle key containing the remote control. Due to the strict testing and certification requirements in the automotive industry and the high cost of replacing or upgrading all affected car keys in the field, it is unlikely that VW Group can roll out such an update in the short term,” the researchers noted.

The team says that it’s unknown whether the attacks they devised are currently carried out in the wild by criminals, but that it’s likely they are. “There have been various media reports about unexplained theft from locked vehicles in the last years. The security issues described in this paper could explain such incidents,” they concluded.

For a list of affected cars check out the researchers’ paper.


Help Net Security

Malware operators can hide the use of malicious macros to distribute malware by simply renaming the offending Office documents, Cisco researchers reveal.

Microsoft switched macros off by default in 2007 and also introduced new file formats that no longer supported macros, but cybercriminals have found ways around that. Macro malware, a great concern a decade ago, returned in force last year, showing that cybercriminals can find ways to abuse old methods to distribute new threats and can keep refining those methods.

Macros are snippets of code that are automatically executed when a document is opened, as long as they are enabled, and malware creators have been long abusing the feature to distribute their programs. In 2007, Microsoft switched to a default Word document format that no longer supported macros: DOCX.

To ensure that files are safe to open, Microsoft also introduced the Office Open XML (OOXML) standard in Office 2007, where the [Content_Types].xml component of the document (which is, in fact, a ZIP archive) provides the MIME type information for the other components. Thus, if it asserts the MIME type for DOCX, Office will not save or run macro code for the file. The same applies to the DOTX file format, but not to DOCM and DOTM, which support macros.

This also means that, because of the MIME type agreement, Office will open a file according to the file data, not to the filename extension. Basically, if Word can identify the data structure, it can open an OOXML file with macros (DOCM or DOTM) even if it has a different filename extension. “This is true even if OOXML files have non-OOXML file extensions, so long as MS Word is registered to handle the format,” Cisco researchers reveal.

This means that cybercriminals can disguise DOCM files containing embedded macros as other file formats by simply changing the extension.

“For example, the RTF file format does not support MS Office macro code, but a DOCM file renamed to RTF will open within MS Office and can run embedded macro code,” Cisco researchers say, adding that this tactic is already being abused in the wild.

Cisco’s Talos team has been tracking this type of activity and says that there has been a rapid increase in the deployment rate over the past months. After analyzing the macro payload in thousands of DOTM files discovered between March 18 and July 13, researchers discovered the reuse of a pattern of machine obfuscated macros.

“Once the collision was discovered, the macro collisions occurring in at least four distinct DOTM files were pulled out for further inspection. This accounted for a whopping 64% of all DOTMs discovered over a four month period,” researchers say.

What’s more, Cisco explains that, although their analysis has focused on Word documents with malicious macros, the attack can be carried out using similar OOXML formats for Excel and PowerPoint. PPTM files that feature malicious macros can be disguised as PPT presentations, and XLSM files can be masqueraded as text-only CSV spreadsheet files.

The culprit, the team explains, is an MS Office component called WWLIB.DLL, which validates OOXML file types by confirming the MIME type of the file. The validation will always pass if the MIME type is OOXML, even if the file extension does not hint at an OOXML file type. To block the attack, the researchers say, WWLIB validation needs to be patched “to verify that the file extension is as expected when a DOCM or DOTM MIME type is encountered.”
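A gateway or mail-filter check that does what the article says Office does not: it reads the content types declared inside the package and flags a macro-enabled OOXML document whose extension does not match. This is an added example, not Cisco Talos code; the content-type strings are the standard OOXML ones, and `build_sample` produces constructed minimal packages for testing rather than real Office documents.

```python
import io
import os
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Main-part content types of the macro-enabled OOXML formats and the extension Office expects.
MACRO_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml": ".docm",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml": ".dotm",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml": ".xlsm",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml": ".pptm",
}
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"

def inspect_office_file(filename, data):
    """Classify by [Content_Types].xml inside the package, never by the filename extension."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"ooxml": False}          # RTF, legacy .doc, plain text: not an OOXML package
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "[Content_Types].xml" not in zf.namelist():
            return {"ooxml": False}
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    types = {el.get("ContentType") for el in root.iter(CT_NS + "Override")}
    types |= {el.get("ContentType") for el in root.iter(CT_NS + "Default")}
    declared_ext = next((ext for ct, ext in MACRO_MAIN_TYPES.items() if ct in types), None)
    actual_ext = os.path.splitext(filename)[1].lower()
    return {
        "ooxml": True,
        "macro_enabled": declared_ext is not None,
        "has_vba_part": VBA_PART_TYPE in types,
        "declared_ext": declared_ext,
        "actual_ext": actual_ext,
        # The disguise described above: a macro-enabled package behind a foreign extension.
        "extension_mismatch": declared_ext is not None and actual_ext != declared_ext,
    }

def build_sample(main_type, with_vba):
    """Constructed minimal OOXML package for testing; not a real Office document."""
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PART_TYPE}"/>'
    ct_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>' + overrides + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct_xml)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
```

A file reported with `extension_mismatch` (or `has_vba_part` under a non-macro extension) is the case to quarantine, since Word will open it as DOCM/DOTM regardless of what the name says.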


SecurityWeek RSS Feed