A critical vulnerability in VMware’s vCenter management product allowed any old bod on the same network to remotely create an admin-level user, research by Guardicore Labs has revealed.

The astonishing vuln (CVE-2020-3952), details of which were quite spare when VMWare issued a patch last week, was rated by VMware itself as CVSS v3 10.0, the highest level.

Admins in charge of VMware estates should probably patch this one immediately, if they haven’t already.

Guardicore researcher JJ Lehman told The Register: “You have to be network accessible but you don’t have to be authenticated in any way to pull this off. Which means as an attacker who has already breached the perimeter of a network, as long as [you have] access to the vCenter, you essentially control everything on their VMware hosts.”

The virtualization vendor issued an advisory note and patch on 9 April that explained that a “malicious actor with network access to port 389 on an affected vmdir deployment may be able to extract highly sensitive information such as administrative account credentials”.

“It’s very unique,” Guardicore head of research Ofri Ziv told The Reg, explaining that the 10.0 CVSS impact rating on an enterprise virtualization product caught his enterprise security team’s eye. “This is why this is such a critical issue and this is why we believe it’s important for people to understand and mitigate it as fast as possible.”

He added that Guardicore had not seen evidence of the vuln being abused in the wild, though Lehman explained that by its nature, it would be difficult to see traces of its use.

Source: That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed • The Register

In February, a researcher detailed a widely circulating Android backdoor that’s so pernicious that it survives factory resets, a trait that makes the malware impossible to remove without taking unusual measures.

The analysis found that the unusual persistence was the result of rogue folders containing a trojan installer, neither of which was removed by a reset. The trojan dropper would then reinstall the backdoor in the event of a reset. Despite those insights, the researcher still didn’t know precisely how that happened. Now, a different researcher has filled in the missing pieces. More about that later. First, a brief summary of xHelper.

[…]

Once installed, xHelper installs a backdoor that remotely installs apps downloaded from an attacker-controlled server. It also executes commands as a superuser, a powerful privilege setting that gives the malware unfettered system rights.

[…]

Last week, Kaspersky Lab researcher Igor Golovin published a post that filled in some of the gaps. The reinfections, he said, were the result of files that were downloaded and installed by a notorious trojan known as Triada, which ran once the xHelper app was installed. Triada roots the devices and then uses its powerful system rights to install a series of malicious files directly into the system partition. It does this by remounting the system partition in write mode. To make the files even more persistent, Triada gives them an immutable attribute, which prevents deleting, even by superusers. (Interestingly, the attribute can be deleted using the chattr command.)

A file named install-recovery.sh makes calls to files added to the /system/xbin folder. That allows the malware to run each time the device is rebooted. The result is what Golovin described as an “unkillable” infection that has extraordinary control over a device.

[…]

The researcher initially thought that it might be possible to remove xHelper by remounting the system partition in write mode to delete the malicious files stored there. He eventually abandoned that theory.

“Triada’s creators also contemplated this question, and duly applied another protection technique that involved modifying the system library /system/lib/libc.so,” Golovin explained. “This library contains common code used by almost all executable files on the device. Triada substitutes its own code for the mount function (used to mount file systems) in libc, thereby preventing the user from mounting the /system partition in write mode.”

Fortunately, the reinfection method divined in last week’s report works only on devices running older Android versions with known rooting vulnerabilities. Golovin, however, held out the possibility that, in some cases, xHelper may maintain persistence through malicious files that come preinstalled on phones or tablets.

People can disinfect devices by using their recovery mode, when available, to replace the infected libc.so file with the legitimate one included with the original firmware. Users can then either remove all malware from the system partition or, simpler still, reflash the device.

Source: The secret behind “unkillable” Android backdoor called xHelper has been revealed | Ars Technica

Router biz Linksys has reset all its customers’ Smart Wi-Fi account passwords after cybercrims accessed a bunch and redirected hapless users to COVID-19 themed malware.

The mass reset took place after all user accounts were locked on 2 April, following infosec firm Bitdefender revealing that malicious persons were pwning Linksys devices through cred-stuffing attacks.

Hackers with access to Linksys Smart Wi-Fi accounts were changing home routers’ DNS server settings. Compromised users’ attempts to reach domains ranging from Disney, pornography, and Amazon AWS were redirected to a webpage peddling a coronavirus-themed app “that displays a message purportedly from the World Health Organization, telling users to download and install an application that offers instructions and information about COVID-19.”

The app was hosted on Bitbucket, a Git-style collaboration tool. Instead of health advice it dispensed the Oski info-stealing malware, which helps itself to one’s login credentials for various services, including cryptocurrency wallets.

Linksys customers were told of the password reset by the firm earlier this week, along with cryptic and confusing references to “the COVID-19 malware”. Affected users must now change their passwords the next time they log into the Linksys Smart Wi-Fi app.

Source: Linksys forces password reset for Smart Wi-Fi accounts after router DNS hack pointed users at COVID-19 malware • The Register

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Cybersecurity intelligence firm Cyble told BleepingComputer that around April 1st, 2020, they began to see free Zoom accounts being posted on hacker forums to gain an increased reputation in the hacker community.

These accounts are shared via text sharing sites where the threat actors are posting lists of email addresses and password combinations.

In the below example, 290 accounts related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and many more were released for free.

BleepingComputer has contacted random email addresses exposed in these lists and has confirmed that some of the credentials were correct.

One exposed user told BleepingComputer that the listed password was an old one, which indicates that some of these credentials are likely from older credential stuffing attacks.

Accounts sold in bulk

After seeing a seller posting accounts on a hacker forum, Cyble reached out to purchase a large number of accounts in bulk so that they could be used to warn their customers of the potential breach.

Cyble was able to purchase approximately 530,000 Zoom credentials for less than a penny each at $0.0020 per account.

The purchased accounts include a victim’s email address, password, personal meeting URL, and their HostKey.

Source: Over 500,000 Zoom accounts sold on hacker forums, the dark web

As much of the world works from home, an explosion of video conference calls has provided a playground not just for Zoombombers, phishermen and cybercriminals, but also for spies. Everyone from top business executives to government officials and scientists are using conferencing apps to stay in touch during the new coronavirus lockdowns and U.S. counterintelligence agencies have observed the espionage services of Russia, Iran, and North Korea attempting to spy on Americans’ video chats, three U.S. intelligence officials tell TIME.

But the cyberspies that have moved fastest and most aggressively during the pandemic, the intelligence officials say, have been China’s. “More than anyone else, the Chinese are interested in what American companies are doing,” said one of the three. And that, in turn, has some U.S. counterintelligence officials worrying about one video conference platform in particular: Zoom. While the Chinese, Russians, and others are targeting virtually every tool Americans and others are using now that they’re forced to work from home, Zoom is an attractive target, especially for China, the intelligence officials and internet security researchers say.

Source: Foreign Spies Target Zoom, U.S. Intel Officials Say | Time

US senators have been advised not to use videoconferencing platform Zoom over security concerns, the Financial Times reports.

According to three people briefed on the matter, the Senate sergeant-at-arms – whose job it is to run law enforcement and security on the Capitol – told senators to find alternative methods for remote working, although he did not implement an outright ban.

With the coronavirus outbreak forcing millions to work from home, Zoom has seen a 1,900% increase in use between December and March to 200 million daily users. This has been accompanied by a string of bad press about its security and privacy practices, to the point where CEO Eric Yuan was forced to publicly apologize last week.

This week the company admitted to “mistakenly” routing data through China in a bid to secure more server space to deal with skyrocketing demand. “We failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect,” Yuan said.

The news sparked outrage among some senators, and Senate Democrat Richard Blumenthal called for the FTC to launch an investigation into the company.

“As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy and security,” the senator tweeted.

The slew of privacy issues has also prompted the Taiwanese government to ban its officials from using Zoom, and Google banned use of the app on work computers due to its “security vulnerabilities.”

While the Senate has told its members to stay away from Zoom, the Pentagon told the FT that it would continue to allow its staff to use the platform. A memo sent to top cybersecurity officials from the Department of Homeland Security said that the company was being responsive when questioned about concerns over the security of its software, Reuters reported.

Source: The US Senate reportedly advised members to stop using Zoom

Singapore has suspended the use of video-conferencing tool Zoom by teachers after “very serious incidents” in the first week of a coronavirus lockdown that has seen schools move to home-based learning.

FILE PHOTO: FILE PHOTO: Zoom logo is seen in front of diplayed coronavirus disease (COVID-19) in this illustration taken March 19, 2020. REUTERS/Dado Ruvic/Illustration

One incident involved obscene images appearing on screens and strange men making lewd comments during the streaming of a geography lesson with teenage girls, media said.

Zoom Video Communications Inc (ZM.O) has faced safety and privacy concerns over its conferencing app, use of which has surged in offices and schools worldwide after they shut to try and curb virus infections.

“These are very serious incidents,” Aaron Loh of the education ministry’s technology division said on Friday, without giving details.

“The Ministry of Education (MOE) is currently investigating both breaches and will lodge a police report if warranted.

“As a precautionary measure, our teachers will suspend their use of Zoom until these security issues are ironed out.”

Loh said they ministry would further advise teachers on security protocols, such as requiring secure log-ins and not sharing the meeting link beyond the students in the class.

Source: Singapore stops teachers using Zoom app after ‘very serious incidents’ – Reuters

PIJNACKER – Het Stanislascollege in Pijnacker stopt per direct met het gebruik van de video-app Zoom voor het geven van online lessen. De school heeft meerdere berichten ontvangen van leerlingen, ouders en docenten dat er tijdens de lessen beelden of teksten te zien zijn die niet door de beugel kunnen.

Woensdag besloot het Zoetermeerse Erasmus College ook onmiddellijk te stoppen met Zoom, nadat leerlingen pornobeelden te zien kregen tijdens een online les. Het Stanislascollege heeft zes scholen, verdeeld over Delft, Pijnacker en Rijswijk.

‘In de meeste gevallen lijken de beelden of teksten getoond te worden door personen die niet aan de school verbonden zijn en zich onrechtmatig toegang hebben verschaft tot de les’, schrijft de school in een brief aan ouders.

Hitler-snorretje tijdens les Duits

Volgens regiodirecteur Fons Loogman van Stichting Lucas Onderwijs, waar het Stanislascollege onder valt, zijn er kleine incidenten geweest. ‘Leerlingen sturen een uitnodigingslink door aan derden die dan ook mee kunnen kijken met de les, daar heb je dan geen controle op. Zo is er bijvoorbeeld tijdens een les Duits ergens een Hitlergroet of een Hitler-snorretje getoond.’

Het incident met pornobeelden in Zoetermeer was voor de school in Pijnacker echter de doorslag om te stoppen met Zoom. ‘Daarnaast werden we de afgelopen week al attent gemaakt op berichten uit de ICT-wereld dat Zoom niet veilig is. Zo verzamelen ze informatie, zijn er onveilige beveiligingsstructuren en is het makkelijk te hacken’, zegt Loogman.

Source: Stanislascollege Pijnacker stopt ook met Zoom door ‘beelden die niet door de beugel kunnen’ – Omroep West

ZOETERMEER – Leerlingen van een klas van het Zoetermeerse Erasmus College hebben woensdagochtend, tijdens een les via de video-app Zoom, pornobeelden te zien gekregen. De school is onmiddellijk gestopt met het gebruik van Zoom.

‘We snappen dat jullie ontzettend geschrokken zijn’, schrijft de school in een mail aan de betreffende leerlingen. ‘We hebben natuurlijk direct alle Zoom-lessen stopgezet en gaan kijken naar een andere methode om thuis les te geven.’

Directeur-bestuurder Roderik Rot bevestigt dat er pornografische beelden te zien zijn geweest en dat om die reden alle lessen zijn gestopt. ‘Ja, er is één klas geweest, waarbij daarvan kort sprake was.’ Om hoeveel leerlingen het gaat kan Rot niet zeggen: ‘Een klas bestaat nooit uit meer dan dertig leerlingen en meestal is het bij die online lessen zo dat niet alle leerlingen erbij zijn.’ Op de vraag om welke les het ging, wil hij uit privacyoverwegingen niet ingaan. De school bood leerlingen aan om indien gewenst contact op te nemen met een hulpteam, maar daarvan is voor zover bekend door niemand gebruik gemaakt.

Gestopt met online lessen

Het Erasmus College is nu dus meteen gestopt met Zoom. Volgens Rot had de school dat al in gang gezet. Een externe privacyadviseur had al gezegd dat Zoom, onder strikte voorwaarden, te gebruiken was, maar dat hij toch andere programma’s adviseerde. ‘Dus we hebben gisteren de ouders allemaal bericht dat we gaan overstappen naar iets anders. En dat we daar druk mee bezig zijn.’

[…]

ID’s onveilig gedeeld

Volgens het Delftse cybersecuritybedrijf Fox-IT is het onwaarschijnlijk dat Zoom zelf is gehackt. Security-expert Sanne Maasakkers: ‘Zoom is een heel groot softwarebedrijf waar iedere dag veel mensen met de beveiliging bezig zijn.’ Volgens Maasakkers is het aannemelijker dat uitnodigingscodes in handen terecht zijn gekomen van mensen die niet op de vergadering zijn uitgenodigd.

Iedere deelnemer krijgt zo’n ID. Als die niet is beveiligd met een wachtwoord, dan kunnen buitenstaanders inbreken in een Zoom-meeting, wat met een wachtwoord veel moeilijker is, tenzij een deelnemer zelf is gehackt.

Source: Porno tijdens online les van Zoetermeerse school: ‘Onwaarschijnlijk dat Zoom is gehackt’ – Omroep West

Nee, het is niet echt ‘gehackt’ in die zin dat het zo’n slechte beveiliging heeft dat je gewoon een  ID in kan voeren en daar lukraak porno naar kan sturen.