Questargon

Member, 162 posts

Reputation Activity

  1. Informative
    Questargon got a reaction from jagdtigger in CallStranger - Exploitable UPnP vulnerability in millions of devices   
    Hi everybody.
     
    A new UPnP vulnerability has been discovered recently that might be a hacker's dream. It is listed as CVE-2020-12695 and got nicknamed "CallStranger". This security issue is serious, because the vulnerability is using an intentional UPnP protocol feature (service subscription with callback) that is also implemented in many IoT devices which will NOT be patched.
    Additional information and links can be found in the article about the CVE above. Some more here:
    https://www.callstranger.com
    https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of
    https://www.zdnet.com/article/callstranger-vulnerability-lets-attacks-bypass-security-systems-and-scan-lans/
     
    If you want to know whether your local network has any vulnerable devices, download the Python 3 script from this repository: https://github.com/yunuscadirci/CallStranger and let it scan your local network. It looks for all UPnP devices and checks them for "CallStranger". If such devices have been found, make sure that they cannot be reached from the internet (i.e. check port forwarding on your internet router) or turn their UPnP feature off! If the router itself is vulnerable, disable its UPnP functionality as well! You might even have to contact your ISP, if you do not have full control over your router, to check whether they can mitigate this somehow.
     
    The recommended patch for this is to only allow callback requests to the same network matching the URL of the subscription request. Routers and software running on common computers might get these patches soon™, but most of the cheap IoT devices never will. This means free DDoS carpet bombing for the internet villains. Or they can try to scan your local network using this reflection attack and get information that should not leave that network.
     
    Stay safe,
    questargon
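The "recommended patch" from the post, worked through as an added example (not from the post and not from the CallStranger scanner): a device-side check that only accepts SUBSCRIBE callback URLs pointing back into the subscriber's own local network. The sample request, the 192.168.1.0/24 network and the strict one-bad-URL-rejects-all policy are constructed assumptions.

```python
"""Validate the CALLBACK header of a UPnP SUBSCRIBE request (CallStranger fix).

Accept a callback URL only when it points back into the same local network the
subscriber sent the request from; everything else is refused, so the device can
no longer be pointed at arbitrary internet hosts.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: one SUBSCRIBE request carrying two callback URLs, one on the
# LAN and one public address (the kind of target a reflection probe would name).
SAMPLE_SUBSCRIBE = (
    b"SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n"
    b"HOST: 192.168.1.1:1900\r\n"
    b"CALLBACK: <http://192.168.1.50:4711/notify><http://203.0.113.9:80/>\r\n"
    b"NT: upnp:event\r\n"
    b"TIMEOUT: Second-1800\r\n"
    b"\r\n"
)

# Networks the device treats as local (assumed; a real device reads its interfaces).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_headers(raw: bytes) -> dict:
    """Map upper-cased header names to values for a raw HTTP-style request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def callback_urls(callback_header: str) -> list:
    """Split the UPnP '<url1><url2>...' form into a list of URL strings."""
    return re.findall(r"<([^>]*)>", callback_header)


def callback_allowed(url: str, subscriber_ip: str, local_nets=LOCAL_NETS) -> bool:
    """True only for plain HTTP to an IP literal inside the subscriber's own network.

    Hostnames are refused (policy chosen here: a DNS answer could point outside
    the LAN), as are loopback and multicast targets.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        target = ipaddress.ip_address(parts.hostname)
        source = ipaddress.ip_address(subscriber_ip)
    except ValueError:
        return False                              # hostname or malformed address
    if target.is_loopback or target.is_multicast:
        return False
    return any(source in net and target in net for net in local_nets)


def check_subscribe(raw: bytes, subscriber_ip: str, local_nets=LOCAL_NETS) -> tuple:
    """Return (accept_subscription, allowed_urls, refused_urls).

    Strict policy: one refused URL rejects the whole subscription, because the
    device would otherwise still try the bad URL if the good one is unreachable.
    """
    urls = callback_urls(parse_headers(raw).get("CALLBACK", ""))
    allowed = [u for u in urls if callback_allowed(u, subscriber_ip, local_nets)]
    refused = [u for u in urls if u not in allowed]
    return bool(urls) and not refused, allowed, refused


if __name__ == "__main__":
    ok, good, bad = check_subscribe(SAMPLE_SUBSCRIBE, "192.168.1.50")
    print("subscription accepted:", ok)   # False: a public callback is present
    print("allowed:", good, "refused:", bad)
```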
  2. Informative
    Questargon got a reaction from Eschew in CallStranger - Exploitable UPnP vulnerability in millions of devices   
  3. Like
    Questargon got a reaction from GOTSpectrum in LTT Folding Team's Emergency Response to Covid-19   
    Ha! Got my passkey delivered to my GoogleMail-Account just now. Google seems to not reject those mails as spam anymore.
     
    Onward.... 🚀
  4. Agree
    Questargon reacted to Parideboy in LTT Folding Team's Emergency Response to Covid-19   
    The only thing that matters in the end is that more wu get crunched
  5. Like
    Questargon got a reaction from TechyBen in Android malware "Cerberus" might be able to grab your Google Authenticator 2FA codes.   
    According to ZDNet, there is malware currently in development that can grab screenshots of your Google Authenticator to get access to its 2FA codes.
     
    Article: https://www.zdnet.com/article/google-could-have-fixed-2fa-code-stealing-flaw-in-authenticator-app-years-ago/
     
    "This malware called Cerberus has this feature currently under development" - researchers from "ThreatFabric" discovered. But it might not be long until it is out in the wild. The core feature that allows this attack (apart from being infected with the malware in the first place - DOH) is the capability to take screenshots of Google Authenticator - a feature that Android itself has a flag to prevent. Google just never applied this flag to the Google Authenticator (facepalm). The best part is that Google was informed about this bug back in 2014 and didn't fix it yet (double facepalm).
     
    See here: https://wwws.nightwatchcybersecurity.com/2020/03/03/google-authenticator-for-android-allows-screen-capture/
     
    I hope Google fixes this bug now that the impacts are getting closer. It does not protect you from all harm that can be done by hackers once they have successfully installed malware on your Android device, but it will make it harder for them and maybe mitigate some of the damage they can do.
     
    EDIT: More on that topic from ZDNet: https://www.zdnet.com/article/using-google-authenticator-heres-why-you-should-get-rid-of-it/
  6. Funny
    Questargon got a reaction from soldier_ph in Android malware "Cerberus" might be able to grab your Google Authenticator 2FA codes.   
  7. Informative
    Questargon got a reaction from MoonSpot in Total remote control - Logitech "Unifying" wireless product insecurities   
    German IT magazine "c't" from heise got some information about serious security flaws regarding Logitech's wireless devices.
     
    Read the full article: https://www.heise.de/ct/artikel/Logitech-keyboards-and-mice-vulnerable-to-extensive-cyber-attacks-4464533.html
     
    Summary:
    Logitech's products using their Unifying wireless radio, which are most of their products meant for office use, have some serious security flaws that might be easily exploited. The wireless radio is encrypted, but an attacker can break this easily when he has access to the devices. In the first case (CVE-2019-13053) he just has to press some keys on a wireless keyboard and record the radio to extract the information needed to inject his own commands into the communication. In the second case (CVE-2019-13052), when he was able to listen to the pairing process, he can acquire enough information to break the encryption. The moment he has this key, he has control over these input devices connected to the computer and can send keyboard commands masquerading as a valid input device. Or in other words, he totally owns this computer now. The first vulnerability will not be closed by Logitech because of compatibility issues, and for the second one you should be pairing your device only when nobody is able to listen within a radius of about 10 m - says Logitech.
     
    There are some more vulnerabilities that have been detected by security expert Marcus Mengs, heise says. But these can be fixed via a firmware update of the Unifying receiver - although that is not as easy as it seems, since you need a special tool from Logitech to be able to load this firmware correctly. The SetPoint software from Logitech does not report the version of the firmware correctly and insists that everything is up to date, and you cannot update the firmware using it. You need a tool called SecureDFU from Logitech which is not easy to find.
     
    The gaming line of products from Logitech seems not to be affected by these specific flaws mentioned here, although the article doesn't mention how much time Mr Mengs invested in trying to hack those devices - if he tried at all and did not just focus on the Unifying stuff.
     
    Keep in mind that you need to update your firmware again when Logitech updates it to address some of these security flaws in later versions!
     
    Conclusion: Use cabled mice in your office!
  8. Informative
    Questargon got a reaction from captain_to_fire in Total remote control - Logitech "Unifying" wireless product insecurities   
  9. Agree
    Questargon reacted to leadeater in April Windows update causes system to freeze or hang upon restart   
    Most AV software is heavily criticized for not following Microsoft's recommendations for many things and for violating many fundamental principles of 3rd party software kernel integration. This is why it's so common for AV software to break with updates and OS upgrades, and why it's specifically mentioned, along with drivers, to make sure you have updated before doing such updates etc.
     
    Microsoft simply cannot test every application out there, no matter how popular it may be. Follow the proper guidelines and this won't happen, and it's the responsibility of those companies to test and validate their software, not Microsoft's. This sort of thing shouldn't happen with general updates like this.
     
    Edit:
    If I remember correctly, Symantec caused a privileged execution exploit a few years back, Windows Defender recently too. If you want to exploit a system, look at AV software; if a system is going to break, it's probably AV software. It's the digital double-edged sword.
  10. Informative
    Questargon reacted to matt-fr in April Windows update causes system to freeze or hang upon restart   
    Edit 2:
    Another problem, related to the update, is also happening.
    It affects Windows 7 and 10, and slows down computers.
     
    Original topic:
     
    The April 2019 Windows update, KB4493472, caused problems on computers with Windows 7/8 and servers with Windows Server 2008/2012 with Sophos Endpoint Protection installed (managed by either Sophos Central or Sophos Enterprise Console).
     
    It caused the system to freeze or hang upon restart after installing this update. The device doesn't reach the user logon screen.
    Working for an IT company selling Sophos antivirus protection, we had lots of tickets this week.
     
    The solution is to restart the device in "Safe Mode". After which, either the update fails and there is a rollback, or it boots in safe mode and you can uninstall that update from the command line:
    wusa /uninstall /kb:4493472  
     
    https://support.microsoft.com/en-gb/help/4493472/windows-7-update-kb4493472
     
    https://community.sophos.com/kb/en-us/133945
     
    Edit 1:
    Users of Avast and Avira are also impacted.
    https://www.zdnet.com/article/windows-7-problems-microsoft-blocks-april-updates-to-systems-at-risk-of-freezing/
     
    https://www.pcgamer.com/a-recent-windows-update-is-locking-up-some-pcs-heres-a-temporary-fix/
  11. Informative
    Questargon reacted to LinusTech in Was there no WAN show yesterday?   
    Edit didn't work... Have complained to YouTube.. Nothing I can do for now...
  12. Agree
    Questargon reacted to Master Disaster in Was there no WAN show yesterday?   
    This is like the first time in years I haven't woken up on a Saturday morning and watched Wan Show
     
     
    Oh well, Linus has to make sure his company's security is protected. That's more important than anything.
  13. Informative
    Questargon reacted to Amazonsucks in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
    I wrote one too. They don't get paid attention to like more clickbaity things.
  14. Informative
    Questargon got a reaction from PeterT in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
    This tool named Modlishka is a reverse proxy that can intercept your login and your two-factor authentication (like the method used with the popular Google Authenticator) to give attackers access to your protected accounts. Several German websites were reporting information about this tool:
     
    German:
    https://www.golem.de/news/modlishka-phishing-tool-umgeht-zwei-faktor-authentifizierung-1901-138674.html
    https://www.zdnet.de/88351325/tool-hebelt-zwei-faktor-authentifizierung-aus/
    https://winfuture.de/news,106885.html
     
    English:
    https://www.theinquirer.net/inquirer/news/3069049/2fa-bypassing-tool-modlishka-is-on-github-for-all-to-use
     
    This tool is on GitHub in the open now, so it can be used by everybody to create great phishing sites:
     
    https://github.com/drk1wi/Modlishka
     
    The argument of the author is - according to ZDNet.de - that without making this public, nobody would change the current process or even think about another, maybe better, solution.
    The only way not to get hacked this way is to always check the URL and certificate of the website you're typing your data into, which can be tricky when you only get a small browser window without a visible URL to log in, and some apps don't present the URL or certificate at all.
    A way around this is to use a hardware dongle that supports U2F for example, but these are not very convenient and cannot be used with all devices.
     
    Never feel too safe,
    questargon
     
    P.S.: This is NOT a new flaw, as pointed out below. It just makes it easier for third parties ("script kiddies") to exploit this vulnerability.
  15. Like
    Questargon got a reaction from LAwLz in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
    OK, OK, my example was not perfect. I was trying to illustrate a similar way in which your login might get compromised.
    You're absolutely correct though: With Modlishka there would be no warning when your credentials are being phished.
  16. Informative
    Questargon got a reaction from ZacoAttaco in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
    I just came up with an idea on how to explain this vulnerability better:
     
    Assume you're connected to a remote machine via Remote Desktop Protocol, VNC, TeamViewer or the like. You enter your credentials and 2FA code on this machine, and just after you send it all away, the connection gets disconnected and the hacker sitting directly at your remote machine takes over your session with the browser open on that account.
  17. Informative
    Questargon got a reaction from ZacoAttaco in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
    ALL methods that enter authentication information via the same website across consecutive webpages are affected - so Authy is affected as well. It's in the principle of the tool to fake the website by forwarding it to you and grab all information you enter there - a classic "man in the middle" attack. U2F dongles use another interface and NOT the web GUI to enter the authentication, and that cannot be faked via web proxy, so they cannot be intercepted (AFAIK. I assume this U2F interface also checks the certificate of the website, so only the right website receives the right token, therefore it won't work with the certificate of the phishing proxy).
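The mechanism behind the post's U2F remark, as an added example (not from the post and not U2F reference code): what the dongle binds to is the origin the browser is actually talking to, which the browser writes into the signed client data, so a relying party can reject an assertion produced on a phishing host even when the proxy relays everything unchanged. Hostnames, the challenge and the counter are constructed, and an HMAC with a per-registration secret stands in for the device's ECDSA key pair.

```python
"""Origin-bound U2F assertion versus a reverse-proxy phish.

The browser includes the origin it is actually connected to in the signed client
data, so a relying party can tell a signature produced on the phishing host from
one produced on the genuine site, even when the proxy relays every byte.
Simplification (labelled): an HMAC over a per-registration secret stands in for
the device's ECDSA key pair so the example runs with the standard library only.
"""
import hashlib
import hmac
import json
import os
import struct

RP_ORIGIN = "https://accounts.example"                # genuine site (constructed)
PHISH_ORIGIN = "https://accounts-example.phish.test"  # proxy's hostname (constructed)
APP_ID = RP_ORIGIN                                    # U2F appId: the RP's origin


def client_data_hash(challenge: str, origin: str) -> bytes:
    """SHA-256 of the client data the browser builds; the browser fills in origin."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin},
                             sort_keys=True)
    return hashlib.sha256(client_data.encode()).digest()


def authenticator_sign(secret: bytes, counter: int, cd_hash: bytes) -> bytes:
    """Sign SHA-256(appId) || user-presence byte || counter || clientDataHash."""
    app_param = hashlib.sha256(APP_ID.encode()).digest()
    message = app_param + b"\x01" + struct.pack(">I", counter) + cd_hash
    return hmac.new(secret, message, hashlib.sha256).digest()


def rp_verify(secret: bytes, counter: int, challenge: str,
              claimed_origin: str, signature: bytes) -> bool:
    """Relying party: the origin in the client data must be ours, and the
    signature over exactly that client data must check out."""
    if claimed_origin != RP_ORIGIN:
        return False
    expected = authenticator_sign(secret, counter,
                                  client_data_hash(challenge, claimed_origin))
    return hmac.compare_digest(expected, signature)


def run_login(browser_origin: str, origin_sent_to_rp: str) -> bool:
    """One login. browser_origin is the site the user's browser really talks to;
    origin_sent_to_rp is what reaches the relying party after any proxy tampering."""
    secret = os.urandom(32)                        # per-registration key (constructed)
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"     # fresh RP challenge (constructed)
    counter = 7
    # A conforming browser already refuses to sign for an origin that is not a
    # facet of APP_ID; the RP-side check is the second, server-controlled line.
    signature = authenticator_sign(secret, counter,
                                   client_data_hash(challenge, browser_origin))
    return rp_verify(secret, counter, challenge, origin_sent_to_rp, signature)


def genuine_login() -> bool:
    return run_login(RP_ORIGIN, RP_ORIGIN)                # True


def proxied_login_relayed_unchanged() -> bool:
    return run_login(PHISH_ORIGIN, PHISH_ORIGIN)          # False: wrong origin


def proxied_login_origin_rewritten() -> bool:
    return run_login(PHISH_ORIGIN, RP_ORIGIN)             # False: signature mismatch


if __name__ == "__main__":
    print(genuine_login(), proxied_login_relayed_unchanged(),
          proxied_login_origin_rewritten())
```

A TOTP code has no such binding: the six digits the victim types on the proxy are valid on the real site for the rest of the time window, which is exactly the relay the post describes.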
  18. Agree
    Questargon got a reaction from jagdtigger in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
    Yeah, true dat.
    But I think it's important to give a wake-up call to people who have a false sense of security from using Google Authenticator, Authy or other similar tools.
     
    Hell ... even I would fall for such a phishing site if I'm in a rush.
  19. Informative
    Questargon got a reaction from Cyberspirit in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
  20. Informative
    Questargon got a reaction from elfensky in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
  21. Informative
    Questargon got a reaction from captain_to_fire in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
  22. Informative
    Questargon got a reaction from Taf the Ghost in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
  23. Informative
    Questargon got a reaction from Bananasplit_00 in WEB SECURITY: Modlishka - The tool that can intercept your Google Authenticator 2FA   
  24. Informative
    Questargon got a reaction from GoodBytes in logitech: "Options" Craft WebSocket server has no authentication - your keyboard can be remotely controlled by javascript in webpages!   
    A new version of Options has just been released. Logitech added additional origin checks to prevent misuse of that WebSocket. See the thread in Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1663
    EDIT: The OP of that thread has not reacted yet though, so you might want to wait until he also says that it is OK now.
    EDIT2: Bug is fixed.
     
  25. Informative
    Questargon got a reaction from ARikozuM in logitech: "Options" Craft WebSocket server has no authentication - your keyboard can be remotely controlled by javascript in webpages!   
    Oh great.
    It seems that the Logitech driver software called "Logitech Options" opens up a WebSocket without any authentication, so it can be used by anything that gets access to it - being a WebSocket, this includes code executed in a webpage in your local web browser. There is no fix so far.
     
    Logitech Options is the default software suite that all newer devices from Logitech use. The older software called "SetPoint" does not seem to be affected.
     
    Project Zero found this bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1663
    German website golem.de has an article as well (in German, sorry...) https://www.golem.de/news/logitech-options-logitech-software-ermoeglicht-boesartige-codeausfuehrung-1812-138218.html
     
    If you're versed in system administration, you might be able to block this port via a firewall or remove the service in question. I did not try this myself, so removing the software entirely is the quick and easy way out.
     
    Stay safe,
    questargon
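The two Options posts above describe the flaw (a local WebSocket that any web page can drive) and the fix (origin checks). As an added example, not Logitech's code, here is what that check looks like on the handshake, with the RFC 6455 accept-key derivation so it is a complete upgrade response; the allowed origin, host port and path are constructed assumptions.

```python
"""Origin check on a local WebSocket handshake.

A page in any browser tab can open a WebSocket to 127.0.0.1, so a local helper
service that accepts every upgrade is scriptable from the web. This handshake
refuses the upgrade unless the browser-supplied Origin is on an allow-list.
Accept-key derivation follows RFC 6455; hostnames, port and paths are constructed.
"""
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # constant defined by RFC 6455
ALLOWED_ORIGINS = {"https://options.example"}        # assumed vendor page


def accept_key(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(client key + GUID))."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: bytes) -> tuple:
    """Split a raw HTTP request into (request line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def handshake(raw: bytes, allowed_origins=ALLOWED_ORIGINS) -> tuple:
    """Return (status code, response bytes) for one upgrade request.

    The vulnerable variant is this function without the Origin test: it would
    answer 101 to any page. Limit of the fix: browsers set Origin truthfully,
    but a native process on the same machine can send any value, so this stops
    web pages, not local malware; pair it with a per-session token for more.
    """
    _, h = parse_request(raw)
    if (h.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in h.get("connection", "").lower()
            or h.get("sec-websocket-version") != "13"
            or "sec-websocket-key" not in h):
        return 400, b"HTTP/1.1 400 Bad Request\r\n\r\n"
    origin = h.get("origin")                         # absent for non-browser clients
    if origin is None or origin.lower() not in allowed_origins:
        return 403, b"HTTP/1.1 403 Forbidden\r\n\r\n"
    response = ("HTTP/1.1 101 Switching Protocols\r\n"
                "Upgrade: websocket\r\n"
                "Connection: Upgrade\r\n"
                f"Sec-WebSocket-Accept: {accept_key(h['sec-websocket-key'])}\r\n\r\n")
    return 101, response.encode("ascii")


def sample_request(origin) -> bytes:
    """Constructed upgrade request as a browser would send it; origin=None omits the header."""
    lines = [b"GET /ws HTTP/1.1", b"Host: 127.0.0.1:8000",
             b"Upgrade: websocket", b"Connection: keep-alive, Upgrade",
             b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
             b"Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append(b"Origin: " + origin.encode("ascii"))
    return b"\r\n".join(lines) + b"\r\n\r\n"


if __name__ == "__main__":
    for origin in ("https://options.example", "https://evil.test", None):
        print(origin, handshake(sample_request(origin))[0])   # 101, 403, 403
```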