news bytes - may 2015

NULL HYDERABAD News Bytes by Harsha

Upload: nu-the-open-security-community

Post on 24-Jul-2015


About Me

• Name: Harsha

• Pursuing Masters in Information Security

• Student of JNTU-H

• I am a Security Enthusiast

News Bytes: Agenda

• Rombertik Malware

• Apple Safari Browser Vulnerable to URL Spoofing Vulnerability

• FBI: Banned Security Researcher Admitted to Hacking Plane In-Flight

• Venom Vulnerability Exposes Most Data Centers to Cyber Attacks

• DDoS Botnet Leverages Thousands of Insecure SOHO Routers

• USBKill — Code That Kills Computers Before They Examine USBs for Secrets

Rombertik Malware

• Who reported the Rombertik malware?

• When was it reported?

• What's so catchy about the Rombertik malware?

• What are its flaws?

• What's in store for the future?

Rombertik Malware

• Spotted by Cisco researchers; it uses multi-layer obfuscation to avoid detection and, notably, destroys the master boot record if it is analysed or debugged.

• Reports were made earlier this month.

• It checks whether it is running in a sandbox, then decrypts itself, makes a second copy, and overwrites that copy with the malware's core functionality.

• It runs anti-analysis functions to make sure it is not being debugged.

• However, Symantec has noted that this protection mechanism can be bypassed.

• This malware opens new avenues for security implementation mechanisms.

Apple Safari Browser Vulnerable to URL Spoofing Vulnerability

• The latest versions of Safari for Mac OS X and iOS are vulnerable to a URL-spoofing exploit that could allow attackers to launch credible phishing attacks.

• The issue was discovered by security researcher David Leo, who published a proof-of-concept exploit for it.

• This opens the possibility of stealing critical information from Apple users through phishing.

• Leo's proof-of-concept is not perfect and its behaviour is somewhat inconsistent. When opened in Safari on iOS, the spoofed URL flickers and sometimes the user can briefly see the real URL.

• In Safari on Mac OS X the flickering is much less apparent, so it is harder to tell that something is amiss.

FBI: Banned Security Researcher Admitted to Hacking Plane In-Flight

• A security researcher who was pulled off a United Airlines flight last month had previously admitted to the Federal Bureau of Investigation (FBI) that he had taken control of an airplane and made it fly briefly sideways.

• Chris Roberts, the founder of One World Labs, was recently detained, questioned and had his equipment taken by federal agents following his tweet suggesting he might hack into the plane's in-flight entertainment system.

• The documents claim that Roberts connected his laptop to the plane's IFE system via a modified Ethernet cable, allowing him to access other airplane systems.

• During at least one instance, Roberts reportedly claimed to have overwritten the code on the airplane's Thrust Management Computer while aboard a flight and successfully controlled the system to issue the climb command.

Venom Vulnerability Exposes Most Data Centers to Cyber Attacks

• Just after a new security vulnerability surfaced on Wednesday, many tech outlets started comparing it with Heartbleed.

• It is not going to cause as much danger as Heartbleed did.

• Dubbed VENOM, which stands for Virtualized Environment Neglected Operations Manipulation, it is a virtual machine security flaw uncovered by security firm CrowdStrike that could, in theory, expose most data centers to malware attacks.

• Yes, the risk from Venom is theoretical, as no real-world exploitation has been seen yet; last year's Heartbleed bug, on the other hand, was practically exploited by attackers an unknown number of times, leading to the theft of critical personal information.

Venom Vulnerability Exposes Most Data Centers to Cyber Attacks

• Venom (CVE-2015-3456) resides in the virtual floppy drive code used by several computer virtualization platforms. If exploited, it could allow an attacker to escape from a guest 'virtual machine' (VM) and gain full control of the operating system hosting it, as well as any other guest VMs running on the same host machine.

• According to CrowdStrike, this roughly decade-old bug was discovered in the open-source virtualization package QEMU, affecting its Virtual Floppy Disk Controller (FDC), which is used in many modern virtualization platforms and appliances, including Xen, KVM, Oracle's VirtualBox, and the native QEMU client.

Venom Vulnerability Exposes Most Data Centers to Cyber Attacks

• For successful exploitation, an attacker sitting on the guest virtual machine would need sufficient permissions to access the floppy disk controller I/O ports.

• On a Linux guest machine, an attacker would need either root access or elevated privileges. On a Windows guest, however, practically anyone would have sufficient permissions to access the FDC.

• Potentially more concerning, most of the large cloud providers, including Amazon, Oracle, Citrix, and Rackspace, which rely heavily on QEMU-based virtualization, are vulnerable to Venom.

• However, the good news is that most of them have resolved the issue, assuring their customers that they needn't worry.

DDoS Botnet Leverages Thousands of Insecure SOHO Routers

• Small office and home office (SOHO) routers are an increasingly common target for cybercriminals, not because of any vulnerability, but because most routers are loosely managed and often deployed with default administrator credentials.

• A new report suggests that attackers are using a large botnet of tens of thousands of insecure home and office routers to launch Distributed Denial-of-Service (DDoS) attacks.

• Almost all of the infected routers that were part of the botnet appear to be ARM-based models from the California-based networking company Ubiquiti Networks, sold across the world.

• This made researchers believe that the criminals were exploiting a firmware vulnerability in the routers.

DDoS Botnet Leverages Thousands of Insecure SOHO Routers

• What was revealed on close inspection?

• This assumption was proved wrong on deeper inspection, which revealed that:

• All of the compromised routers were remotely accessible on the default ports (via HTTP and SSH)

• Almost all of those accounts continued to use vendor-provided login credentials

• This basically opens the door for an attacker to perform man-in-the-middle (MitM) attacks, eavesdrop on all communication, hijack cookies, and gain access to other local network devices such as CCTV cameras.

DDoS Botnet Leverages Thousands of Insecure SOHO Routers

• The botnet comprises devices in 109 countries, with Thailand (64 percent), Brazil, and the United States being the top three most-affected nations. The firm also identified 60 command and control servers used by the criminals to control the botnet, the majority of them located in China and the U.S.

• Users should also keep their devices safe by making sure that they:

• Disable all remote access to the devices unless it is specifically needed

• Change the default login credentials on their routers to prevent unauthorized access

• Keep router firmware up to date
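The three checklist items above are exactly the conditions the report found on the compromised devices, so they can be turned into a small inventory audit that flags each router before an attacker does. The following is an added example written for this page, not code from the slides or from any router vendor; the inventory records, the field names (`wan_services`, `default_creds`, `firmware`, `remote_admin_needed`) and the minimum firmware version are constructed placeholders rather than any real device's API or release numbers.

```python
"""Audit a SOHO router inventory for the three weaknesses behind the botnet:
management reachable from the WAN on default ports, vendor default credentials,
and outdated firmware. Added example; all records below are constructed."""
from dataclasses import dataclass

# The management services the report says were reachable on default ports.
DEFAULT_MGMT_PORTS = {22: "SSH", 80: "HTTP"}

# Constructed placeholder: minimum acceptable firmware per model key.
MIN_FIRMWARE = {"example-model": (5, 6, 2)}


@dataclass
class Router:
    host: str
    model: str
    firmware: str            # dotted version string, e.g. "5.5.0" (constructed)
    wan_services: dict       # port -> service name reachable from the internet
    default_creds: bool      # admin account still uses vendor-supplied credentials
    remote_admin_needed: bool = False  # documented need for remote management


def parse_version(version: str) -> tuple:
    """Turn "5.10.1" into (5, 10, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit_router(router: Router) -> list:
    """Return one finding string per checklist item the router fails."""
    findings = []
    for port, service in router.wan_services.items():
        # Remote access is only a finding when nobody has asked for it.
        if port in DEFAULT_MGMT_PORTS and not router.remote_admin_needed:
            findings.append(f"{service} management reachable from WAN on default port {port}")
    if router.default_creds:
        findings.append("vendor default credentials still in use")
    minimum = MIN_FIRMWARE.get(router.model)
    if minimum and parse_version(router.firmware) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        findings.append(f"firmware {router.firmware} is below minimum {wanted}")
    return findings


def risk_level(findings: list) -> str:
    """WAN-reachable management plus default credentials is the combination the
    report found on nearly every infected device, so it ranks highest."""
    wan_exposed = any("reachable from WAN" in f for f in findings)
    weak_creds = any("default credentials" in f for f in findings)
    if wan_exposed and weak_creds:
        return "critical"
    if wan_exposed or weak_creds:
        return "high"
    return "low" if findings else "ok"


def audit_inventory(routers: list) -> dict:
    """Map each host to its list of findings."""
    return {r.host: audit_router(r) for r in routers}


# Constructed sample inventory (documentation-range addresses, no real devices).
SAMPLE_INVENTORY = [
    Router("192.0.2.10", "example-model", "5.5.0", {22: "SSH", 80: "HTTP"}, default_creds=True),
    Router("192.0.2.11", "example-model", "5.6.2", {443: "HTTPS"}, default_creds=False,
           remote_admin_needed=True),
    Router("192.0.2.12", "example-model", "5.6.2", {}, default_creds=True),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {risk_level(findings)}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against an exported inventory instead of the constructed list and the "critical" rows are the ones to fix first: disable the WAN-facing management service, then change the credentials, then update firmware. Versions are compared as integer tuples on purpose; comparing "5.10.1" and "5.6.2" as strings would rank the older one higher.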

USBKill — Code That Kills Computers Before They Examine USBs for Secrets

• USBkill — a new program that, once activated, will instantly disable the laptop or computer if there is any activity on a USB port.

• "USBKill" is a new weapon that could be a boon for whistleblowers, journalists, activists, and even cyber criminals who want to keep their information away from police and cyber thieves.

• The author of USBkill states that the program could be very effective when running on a virtual machine, which would vanish when you reboot.

Thank You For Your Time