Threat Report

Let’s see what’s poppin’ in this week’s threat report. We’re covering a hosting provider that lost personally identifiable information (PII) for 14M domain owners. Privilege escalation in Windows software that would allow malware to persist. And a popular trojan is now free on the dark Web.

Hostinger’s DB, with PII for 14M people, popped

The Web hosting provider, Hostinger, disclosed a security incident that impacted its platform and users. The incident was discovered on August 23, 2019. Hostigner set up a status page where customers can track updates about the incident. Hostinger started rolling out password resets for all impacted users.

The company said that a hacker gained access to an internal server, where he found an authorization token for an internal API which he then used to make API calls against a database storing the personal information of about 14M customers; information includes usernames, customers’ IP addresses, first and last names, and contact information such as phone numbers, emails, home addresses and information about user passwords in a hashed format.

The loss of this PII makes these domains’ owners more likely to be victims of hijack or compromise in the future. Technology service providers should monitor their environment for signs of intrusion.

43M users exposed daily to clickjacking on popular sites

Clickjacking scripts, or scripts designed to intercept mouse clicks, are being used for either ad fraud or redirection to malicious websites on at least 613 popular websites.

Academics from Microsoft Research, the Chinese University of Hong Kong, Seoul National University, and Pennsylvania State University scanned the Alexa Top 250K list of most popular websites for malicious scripts that intercepted user clicks and found scripts that fell into one of three categories:

1. Click interception by hyperlinks (when malicious actors use rogue scripts to enclose legitimate links on the original site to hijack their destination).

2. Click interception by event handlers (when malicious actors use rogue scripts to modify a website’s event handlers and hijack the user’s mouse click and cursor and redirect it toward another element or section of a Web page).

3. Click interception by visual deception (when malicious actors create elements on a legitimate site that look like the site’s original content, also known as the Mimikatz technique).

Between these three click interception methods, researchers were able to detect a total of 437 third-party scripts that intercepted user clicks across 613 websites, which in total receive around 43M visits on a daily basis.

Some of the scripts simply intercepted and performed clicks on ads for monetary profit, while others redirect users to malicious sites showing tech support scams or malware-infected apps similar to the recent discovery of a NordVPN trojan’d app.

In some cases, scripts selectively intercepted user clicks to rate limit interceptions to reduce suspicion. The majority of the clickjacking scripts were included in legitimate sites as part of legitimate malvertising solutions.

Nanocore now free

A new variant of Nanocore has been spotted in the wild that is being offered across underground forums for free. This makes it easier than ever for bad actors with limited technical skills to target passwords, bank details, and other personal information. Original variants of the malware cost roughly $25 on dark Web forums.

Nanocore version 1.2.2 offers users a variety of attacks against Windows systems, including the ability to steal passwords, payment details, and secretly record audio and video footage using the webcam. To maintain its persistence, the malware disables the light which would demonstrate that it is recording.

The operators behind the Nanocore campaigns provides a user-friendly interface to help criminals manage their activity and make it simpler to conduct attacks. Organizations should monitor for signs of infection and keep software updated.

Endpoint Security vulnerable to privilege escalation

Check Point recently patched CVE-2019-8790 in its Endpoint Security Initial Client, which allows attackers to escalate privileges and execute code using system privileges.

The vulnerability is an unsafe DLL loading caused by use of an uncontrolled search path and by not validating if the DLLs it loads is signed with a digital certificate. In addition, the security flaw could be used for privilege escalation and persistence by loading an arbitrary unsigned DLL into one of the Windows services used by the Check Point Endpoint Security software.

Check Point Device Auxiliary Framework Service attempts to load a missing DLL named “atl110.dll” from various folders within the Windows PATH environment variable. The actors commonly exploit this type of vulnerability during the later stage of their attacks. Users must keep the software up to date with the latest releases to prevent any potential attacks.

Lenovo Solution Centre vulnerable to privilege escalation

CVE-2019-6177 is a recently discovered privilege escalation vulnerability in Lenovo Solution Centre, a software that comes pre-installed on Windows-based Lenovo devices. A bit of software bloat you probably never needed. The software has been shipped since 2011, but it is unclear when Lenovo stopped shipping it with new devices. Its end of life occurred November 30, 2018, so, the flaw could have exposed machines for at least eight years.

The flaw is a discretionary access control list (DACL) overwrite. More specifically, it involves a high-privileged Lenovo process giving low-privileged users full control over a file. Researchers explain that a low-privileged user can write a “hardlink” file to the controllable location (a pseudofile that points to any other file on the system that the low-privileged user doesn’t have control of).

According to their findings, “when the Lenovo process runs, it overwrites the privileges of the hardlinked file with permissive privileges, granting the low-privileged user take full control of a file they shouldn’t normally be allowed to.” The user can then execute arbitrary code on the system with Administrator or SYSTEM privileges.

Lenovo has released an official advisory confirming that users should uninstall Lenovo Solution Centre on their Lenovo devices.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Thursday August 22nd 2019