Drupal developers announced on Monday that versions 7.x, 8.4.x and 8.5.x of the content management system (CMS) will receive a new security update later this week.

The Drupal core updates, scheduled for April 25 between 16:00 and 18:00 UTC, will deliver a follow-up patch for the highly critical vulnerability tracked as CVE-2018-7600 and dubbed “Drupalgeddon2.”

While Drupal developers have described the upcoming security releases as a follow-up to the updates that fixed Drupalgeddon2, a separate CVE identifier, namely CVE-2018-7602, has been assigned to the new vulnerability.

“For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days,” Drupal said. “The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made.”

The Drupalgeddon2 vulnerability was patched in late March and the first attacks were spotted roughly two weeks later, shortly after technical details and a proof-of-concept (PoC) exploit were made public.

While many of the exploitation attempts represent scans designed to identify vulnerable systems, cybersecurity firms have spotted several campaigns that leverage the flaw to deliver cryptocurrency miners, backdoors and other types of malware.

According to 360Netlab, at least three threat groups have been exploiting the recently patched vulnerability. The company says some of the Drupalgeddon2 attacks are powered by a relatively large botnet tracked by the company as Muhstik. Experts believe Muhstik is actually a variant of the old Tsunami botnet.

“We noticed one of them has worm-propagation behavior,” 360Netlab wrote in a blog post. “After investigation, we believe this botnet has been active for quit a time. We name it muhstik, for this key word keeps popup in its binary file name and the communication IRC channel.”

Muhstik uses two main propagation methods: the aioscan scanning module, which includes seven scanning-related payloads on four different ports, and an SSH scanning module that looks for systems with weak passwords.

Researchers say the botnet can help malicious actors make a profit by delivering cryptocurrency miners such as XMRig and CGMiner, and by using Muhstik to launch distributed denial-of-service (DDoS) attacks.

Volexity reported last week that one of the Monero miner campaigns appeared to be linked to a cybercrime group that last year exploited a vulnerability in Oracle WebLogic Server (CVE-2017-10271) to infect systems with cryptocurrency malware. GreyNoise Intelligence has confirmed the connection between these attacks.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/nZTa59Q-ZN4/drupal-release-second-drupalgeddon2-patch-attacks-continue

Internet media company Oath paid more than $400,000 in bounties during the H1-415 one-day HackerOne event in San Francisco, where 41 hackers from 11 countries were present.

HackerOne’s second annual live-hacking event lasted for nine hours but resulted in breaking multiple records on Saturday, April 14, 2018. The Oath security team was present on the floor to work with the hackers, assess the impact of discovered flaws, patch the vulnerabilities, and pay rewards.

Oath, a media and tech company that owns brands such as Yahoo, AOL, Verizon Digital Media Services, TechCrunch and many more, has also introduced its consolidated private bug bounty program for the first time.

In a blog post on Friday, Oath CISO Chris Nims formally announced the company’s unified bug bounty program, which brings together the programs previously divided across AOL, Yahoo, Tumblr and Verizon Digital Media Service (VDMS).

The programs have already enjoyed the participation of more than 3,000 researchers globally. Over the past four years, Oath paid over $3 million in bounties to the reporting researchers.

“Our new program will combine our existing bug bounty operations into one united program, establishing a foundation to expand our program in the future,” Nims says.

Operated on the HackerOne platform, the AOL, VDMS and Tumblr programs are private, access being available on an invite-only basis. Yahoo properties, however, will be open to the public, Oath says. The H1-415 event was meant to kick-off the new chapter in the company’s bounty program.

“Surfacing vulnerabilities and resolving them before our adversaries can exploit them is essential in helping us build brands people love and trust. Whether they had been participating in our programs for years or were looking at Oath assets for the first time, it was empowering to witness the dedication, persistence and creativity of the hacker community live and in-person,” Nims said.

According to Nims, Oath offers some of the most competitive rewards when compared to other bug bounty programs, with a vulnerability’s impact being a determining factor when deciding on a payout. During assessment, the company looks at what data the flaw could expose, the sensitivity of the data, the role it plays, network location, and the permissions of the server involved.

“It’s our hope that with this unified bug bounty program, we will continue to increase the effectiveness of outside reporting and ultimately the security of Oath and its users,” Nims concluded.

Not only did the H1-415 event allow hackers to find flaws in Oath’s products, but it also allowed around 40 middle and high school students from the Bay Area to learn about cyber-security, HackerOne reveals.

The students met with the hackers and learned about how they started and what opportunities bug bounty programs provided them with.

“Thank you to our hackers that traveled from near and far to help secure such an incredible brand. Thank you to Oath for all their work and dedication to working with the community to build strong relationships and resolve bugs quickly. Finally, thank you to all the students, teachers, volunteers, staff, vendors and others that gave up their Saturdays to be part of something great,” HackerOne concluded.

Related: Kaspersky Lab Offers $100,000 for Critical Vulnerabilities

Related: Firms More Open to Receiving Vulnerability Reports: Ethical Hackers

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/psORPfbHMt8/oath-pays-400000-bug-bounties-one-day

Google Discloses Unpatched Windows Lockdown Policy Bypass

A Windows 10 vulnerability that could bypass Windows Lockdown Policy and result in arbitrary code execution remains unpatched 90 days after Microsoft has been informed on the bug’s existence.

On systems with User Mode Code Integrity (UMCI) enabled, a .NET bug can be exploited to bypass the Windows Lockdown Policy check for COM Class instantiation, security researcher James Forshaw of Google’s Project Zero team.

The issue was reproduced on Windows 10S, but is said to impact all Windows 10 versions with UMCI enabled.

The vulnerability, the security researcher explains, resides in the manner in which the WLDP COM Class lockdown policy behaves when a .NET COM object is instantiated.

The policy contains a hardcoded list of 8 to 50 COM objects which enlightened scripting engines can instantiate. Thus, even if one would be able to register an existing DLL under one of the allowed COM CLSIDs, a good implementation should check the CLSID passed to DllGetObject against said internal list, and prevent attacks.

What the security researcher discovered was that, when a .NET COM object is instantiated, the CLSID passed to DllGetClassObject is only used to look up the registration information in HKCR, the CLSID is thrown away, and the .NET object created.

Because of that, an attacker can add registry keys, including to HKCU, to load an arbitrary COM visible class under one of the allowed CLSIDs.

“This has a direct impact on the class policy as it allows an attacker to add registry keys (including to HKCU) that would load an arbitrary COM visible class under one of the allowed CLSIDs. As .NET then doesn’t care about whether the .NET Type has that specific GUID you can use this to bootstrap arbitrary code execution,” the researcher notes.

For a successful exploitation, an attacker could use tools such as Forshaw’s DotNetToJScript, a free tool that allows users to generate a JScript which bootstraps an arbitrary .NET Assembly and class.

Forshaw also published a Proof-of-Concept as two files: an .INF to set-up the registry and a .SCT. The latter is an example built using DotNetToJScript to load an untrusted .NET assembly into memory to display a message box, but it could be used for more than that.

The flaw was reported to Microsoft on January 19, when the company acknowledged the flaw. As per Project Zero’s policy, vendors are given 90 days to patch flaws before they are made public, and Microsoft didn’t meet the deadline for this issue.

The bug, however, isn’t critical, this being one of the main reasons details on it were publicly released.

“This issue was not fixed in April patch Tuesday therefore it’s going over deadline. This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It’s not an issue which can be exploited remotely, nor is it a privilege escalation,” the security researcher explains.

To abuse the flaw, an attacker would require foothold on the impacted machine to install the needed registry entries. A remote code execution flaw in the operating system could be abused for that.

Considering that there are known Device Guard bypasses in the .NET framework that haven’t been fixed and continue to be usable, the security vulnerability is less serious than it would have been if all known avenues for bypass were fixed, Forshaw concludes.

Related: Google Discloses Unpatched Vulnerability in Edge Web Browser

Related: Google Discloses Unpatched Windows GDI Vulnerability

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/hkjhtXq2l0Q/google-discloses-windows-lockdown-policy-zero-day

Attackers are mass-exploiting a recently fixed vulnerability in the Drupal content management system that allows them to take complete control of powerful website servers, researchers from multiple security companies are warning.

At least three different attack groups are exploiting “Drupalgeddon2,” the name given to an extremely critical vulnerability Drupal maintainers patched in late March, researchers with Netlab 360 said Friday. Formally indexed as CVE- 2018-7600, Drupalgeddon2 makes it easy for anyone on the Internet to take complete control of vulnerable servers simply by accessing a URL and injecting publicly available exploit code. Exploits allow attackers to run code of their choice without having to have an account of any type on a vulnerable website. The remote-code vulnerability harkens back to a 2014 Drupal vulnerability that also made it easy to commandeer vulnerable servers.

Drupalgeddon2 “is under active attack, and every Drupal site behind our network is being probed constantly from multiple IP addresses,” Daniel Cid, CTO and founder of security firm Sucuri, told Ars. “Anyone that has not patched is hacked already at this point. Since the first public exploit was released, we are seeing this arms race between the criminals as they all try to hack as many sites as they can.”

China-based Netlab 360, meanwhile, said at least three competing attack groups are exploiting the vulnerability. The most active group, Netlab 360 researchers said in a blog post published Friday, is using it to install multiple malicious payloads, including cryptocurrency miners and software for performing distributed denial-of-service attacks on other domains. The group, dubbed Muhstik after a keyword that pops up in its code, relies on 11 separate command-and-control domains and IP addresses, presumably for redundancy in the event one gets taken down.

Added punch

Netlab 360 said that the IP addresses that deliver the malicious payloads are widely dispersed and mostly run Drupal, an indication of worm-like behavior that causes infected sites to attack vulnerable sites that have not yet been compromised. Worms are among the most powerful types of malware because their self-propagation gives them viral qualities.

Adding extra punch, Muhstik is exploiting previously patched vulnerabilities in other server applications in the event administrators have yet to install the fixes. Webdav, WebLogic, Webuzo, and WordPress are some of the other applications that the group is targeting.

Muhstik has ties to Tsunami, a strain of malware that has been active since 2011 and infected more than 10,000 Unix and Linux servers in 2014. Muhstik has adopted some of the infection techniques seen in recent Internet-of-things botnets. Propagation methods include scanning for vulnerable server apps and probing servers for weak secure-shell, or SSH, passwords.

The mass exploitation of Drupal servers harkens back to the epidemic of unpatched Windows servers a decade ago, which gave criminal hackers a toehold in millions of PCs. The attackers would then use their widely distributed perches to launch new intrusions. Because website servers typically have much more bandwidth and computing power than PCs, the new rash of server compromises poses a potentially much greater threat to the Internet.

Drupal maintainers have patched the critical vulnerability in both the 7.x and 8.x version families as well as the 6.x family, which maintainers stopped supporting in 2016. Administrators who have yet to install the patch should assume their systems are compromised and take immediate action to disinfect them.

https://arstechnica.com/?p=1296981

Researchers claim hackers can remotely exploit an unpatched command injection vulnerability to take control of network-attached storage (NAS) devices from LG.

VPN specialists at vpnMentor discovered that many LG NAS models are impacted by a flaw that can be exploited without authentication.

According to researchers, the password parameter in the login page is vulnerable to command injection. An attacker can abuse this parameter to execute arbitrary commands, including for adding a new user account and dumping the database containing existing usernames and passwords.

Adding a new username and an associated password hash allows an attacker to log in to the administration interface as an authorized user and access any file stored on the device.

vpnMentor told SecurityWeek that attacks exploiting this flaw can be launched both from the local network and the Internet. The company says it’s difficult to determine exactly how many devices are vulnerable to attacks from the Internet, but it estimates that it’s roughly 50,000.

vpnMentor has randomly tested a majority of LG NAS device models and they appear to be vulnerable. The company says LG uses two types of firmware across all its NAS products and one of them is impacted by this vulnerability.

Proof-of-concept (PoC) code and a video have been made available to demonstrate the vulnerability:

[embedded content]

LG has been notified about the security hole, but vpnMentor claims it has not received any response from the tech giant and there is no sign of a patch. SecurityWeek has reached out to LG for comment and will update this article if the company responds.

This is not the first time researchers have found serious vulnerabilities in LG NAS products. A couple of years ago, Hungary-based SEARCH-LAB analyzed LG’s N1A1 product and discovered multiple flaws that could have been leveraged to gain admin access to devices.

Related: Netgear Patches Over 50 Flaws in Routers, Switches, NAS Devices

Related: Critical Vulnerabilities Patched in QNAP Storage Devices

Related: Multiple Zero-days Disclosed in Western Digital NAS Storage Devices

Related: StorageCrypt Ransomware Targets NAS Devices via SambaCry Exploit

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/SDC4mazBFi4/unpatched-flaw-exposes-lg-nas-devices-remote-attacks

The U.S. Food and Drug Administration (FDA) this week announced its medical device safety action plan, which includes seeking additional funding and authorities that would help it improve cybersecurity in the healthcare industry.

The FDA’s plan focuses on five key areas and medical device cybersecurity is one of them. As part of its efforts to keep up with emerging threats and vulnerabilities, the agency wants the authority to require medical device manufacturers to include updating and patching capabilities into the design of their products.

The organization also wants vendors to create a “Software Bill of Materials,” which should help medical device customers and users determine which systems may be impacted by vulnerabilities.

“The additional authorities we seek are to further strengthen medical device security by directly addressing challenges healthcare delivery organizations and providers have encountered as a result of cyber campaigns and attacks such as WannaCry,” an FDA spokesperson told SecurityWeek.

The agency would require that “new devices entering the market have a demonstrated capability of patchability and updatability built into the design architecture of the device, and that a patch management process and plan is provided by the manufacturer for premarket review,” the spokesperson said.

As for the Software Bill of Materials, the measure is inspired by one of the recommendations made recently by the Health Care Industry Cybersecurity Task Force. A bill of materials would be issued for each piece of medical technology to describe its components and the risks associated with those components, which can help users understand the impact of certain threats and vulnerabilities.

The FDA also plans on updating its premarket guidance for medical device cybersecurity to better protect against moderate risks, which it has described as ransomware and other attacks that could disrupt clinical operations and delay patient care, and major risks, such as the remote exploitation of a vulnerability that can be used in a “multi-patient, catastrophic attack.”

The agency’s plans also include requiring companies to adopt policies and procedures for coordinated disclosure of vulnerabilities.

Finally, the FDA says it’s exploring the development of a CyberMed Safety (Expert) Analysis Board (CYMSAB), which it has described as a “public-private partnership that would complement existing device vulnerability coordination and response mechanisms and serve as a resource for device makers and FDA.”

The CYMSAB’s tasks would include assessing vulnerabilities and assisting with coordinated disclosure, evaluating risks and proposed mitigations, and adjudicating disputes. One interesting role of this entity would be to send experts to investigate compromised devices at the request of a manufacturer or the FDA.

Related: St. Jude Medical Recalls 465,000 Pacemakers Over Security Vulnerabilities

Related: Sensitive FDA Systems at Risk of Cyberattacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/urkK0thcHGY/fda-reveals-new-plans-medical-device-security

LinkedIn recently patched a vulnerability that could have been exploited by malicious websites to harvest data from users’ profiles, including private information.

The flaw affected the AutoFill functionality, which allows websites to offer users the possibility to quickly fill out forms with data from their LinkedIn profile. Users simply click the AutoFill button on a webpage containing a form and some of the fields are pre-populated with data available from LinkedIn, including name, title, company, email address, phone number, city, zip code, state and country.

Jack Cable, an 18-year-old researcher based in Chicago, noticed that this functionality could have been abused to harvest user data by placing the AutoFill button on a malicious site. Rather than leaving the button as provided by LinkedIn, an attacker could have changed its properties to spread it across the entire web page and make it invisible.

Whenever a user would visit the malicious site and click anywhere on the page, they would actually be clicking on the invisible AutoFill button, resulting in their LinkedIn data being harvested by the website.

Cable pointed out that the possibility to launch these types of attacks clearly violated LinkedIn’s policies related to the use of AutoFill. First of all, the social media giant does not allow form field data to be submitted without being seen by the user.

Secondly, while some of the exposed data was publicly accessible on users’ LinkedIn profiles, non-public data was also provided to a site abusing AutoFill. LinkedIn states in its documentation that only public data is used to fill out forms.

Cable reported the vulnerability to LinkedIn on April 9 and a temporary solution that involved restricting the AutoFill functionality to whitelisted sites was rolled out the next day. However, the researcher argued that this fix was incomplete as whitelisted websites still could have collected user data. Furthermore, there was also the possibility of a whitelisted site getting compromised and abused for data harvesting.

LinkedIn rolled out a more permanent fix on April 19. Bleeping Computer reports that users are now prompted whenever their data is being sent to a website via the AutoFill functionality. The social media company said there had been no evidence of malicious exploitation.

While the vulnerability itself is not particularly sophisticated, the existence of such security holes can pose a serious problem to both a company and its customers, as demonstrated by the recent Cambridge Analytica scandal, in which the data of as many as 87 million Facebook users was harvested.

Cable has also reported vulnerabilities to Google, Yahoo, Uber, the U.S. Department of Defense (Hack the Air Force), and many other organizations.

Related: Russian Arrested by Czech Police Tied to 2012 LinkedIn Hack

Related: LinkedIn Patches Persistent XSS Flaw in Help Center

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/vqC7m82fKaA/linkedin-vulnerability-allowed-user-data-harvesting

Cisco informed customers on Wednesday that it has patched critical vulnerabilities in WebEx and UCS Director, along with nine high severity flaws in StarOS, IOS XR, Firepower and ASA products.

The WebEx vulnerability, tracked as CVE-2018-0112, is interesting because it allows a remote attacker to execute arbitrary code on a targeted user’s system by sending them a specially crafted Flash (.swf) file via the WebEx client’s file sharing capabilities during a meeting.

The flaw, discovered by Alexandros Zacharis of the European Union Agency for Network and Information Security (ENISA), affects WebEx Business Suite clients, WebEx Meetings, and WebEx Meetings Server. Cisco has released software updates that patch the vulnerability.

The Cisco Unified Computing System (UCS) Director product is affected by an information disclosure issue that allows an authenticated attacker to remotely access information on virtual machines in the end-user portal and perform any permitted operations. The issue, identified as CVE-2018-0238, was discovered by Cisco itself and patches are available.

Of the 30 advisories published by Cisco on Wednesday, nine describe high severity flaws, 18 are for medium severity issues, and one is informational.

The high severity vulnerabilities include denial-of-service (DoS) flaws in StarOS, IOS XR software, Firepower Detection Engine and 2100 series appliances, and several Adaptive Security Appliance (ASA) products; a session fixation issue affecting ASA, AnyConnect Secure Mobility, and Firepower Threat Defense (FTD); and an SSL certificate verification bypass bug affecting ASA.

According to Cisco, none of the vulnerabilities disclosed this week have been exploited in the wild. However, it’s important for Cisco customers to patch serious flaws as it’s not uncommon for malicious actors to exploit them in their operations.

Cisco has recently warned customers that the risk of exploitation for an IOS Smart Install vulnerability is high. The vulnerability, CVE-2018-0171, was disclosed recently and a proof-of-concept (PoC) exploit is available.

While this particular flaw has yet to be exploited in attacks, the risk is high due to the fact that Smart Install, along with other Cisco protocols, have been abused in malicious campaigns, including ones conducted by state-sponsored threat actors.

Related: Cisco Patches Hard-coded Password in PCP Software

Related: Cisco Reissues Patches for Critical Firewall Flaw

Related: Cisco Patches Flaws in Email Security, Other Products

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/z4INP2vKXUQ/cisco-patches-critical-flaws-webex-ucs-director

Updates released on Wednesday for Drupal 8 patch a moderately critical cross-site scripting (XSS) vulnerability affecting a third-party JavaScript library.

The flaw impacts CKEditor, a WYSIWYG HTML editor included in the Drupal core. CKEditor exposes users to XSS attacks due to a flaw in the Enhanced Image (image2) plugin.

“The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor using the <img> tag and specially crafted HTML,” said CKEditor developers. “Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin.” 

XSS flaws can typically be exploited by getting the targeted user to click on a specially crafted link, and they allow attackers to execute arbitrary code, leading to session hijacking, data theft or phishing.

The security hole, discovered by Kyaw Min Thein, affects CKEditor versions 4.5.11 through 4.9.1, and it has been fixed with the release of version 4.9.2. The patched version of CKEditor has been included in Drupal 8.5.2 and 8.4.7.

“The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable,” Drupal developers explained. “If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor’s site.”

This is the second Drupal security update in recent weeks. The previous update was released in late March and it addressed CVE-2018-7600, a highly critical remote code execution vulnerability that allows attackers to take control of impacted websites.

Dubbed Drupalgeddon2, the flaw has been exploited in the wild to deliver backdoors, cryptocurrency miners, and other types of malware. The first attempts to exploit the vulnerability were spotted in mid-April, shortly after technical details and proof-of-concept (PoC) code were made public.

Related: Flaw in Drupal Module Exposes 120,000 Sites to Attacks

Related: Several Vulnerabilities Patched in Drupal

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/8SQM_3C7DLQ/drupal-8-updated-patch-flaw-wysiwyg-editor

A feature that allows users to wirelessly sync their iPhones and iPads with iTunes can be abused by hackers to take control of iOS devices in what researchers call a “Trustjacking” attack.

This feature can be enabled by physically connecting an iOS device to a computer with iTunes and enabling the option to sync over Wi-Fi. The user is prompted to confirm that the computer is trusted when the mobile device is first connected to it, but no other approval is required to enable the syncing feature or to access the device over Wi-Fi at a later time.

Researchers at Symantec have found a way to abuse the iTunes Wi-Fi sync feature. They discovered that if an attacker can convince the targeted user to connect their iPhone/iPad via a cable to a malicious or compromised device, the hacker gains persistent control over the phone/tablet as long as they are on the same wireless network as the victim.

In one attack scenario described by the experts, the Trustjacking attack involves a malicious charger at an airport. Once the user connects a device to the charger, they are asked to confirm that they trust the computer they have connected to – which they will likely do, thinking that the trust will be revoked once the phone/tablet is disconnected. The attacker then enables the Wi-Fi sync option in iTunes in a process that can be automated.

Even after the victim disconnects the iPhone/iPad from the charger, the attacker will still have control over the device, allowing them to conduct a wide range of activities.

For example, an attacker can install a developer image corresponding to the iOS version running on the victim’s system, giving them access to the device’s screen. Repeatedly capturing screenshots allows the hacker to view and record the victim’s every action.

Since the sync feature provides access to the iTunes backup, an attacker can also obtain a user’s photos, SMS and iMessage chats, and application data. The attacker can also install malicious applications or replace existing apps with a modified version.

An attack can also be conducted by hijacking the targeted user’s computer, making it easier to conduct unauthorized activities given that the computer and the mobile device are more likely to be on the same network for extended periods of time.

While the easiest way to conduct a Trustjacking attack involves being on the same Wi-Fi network as the victim, Symantec researchers believe this requirement can be bypassed via what is known as a malicious profile attack.

This method has been known since 2013 and it involves convincing the victim to install a malicious configuration file, or iOS profile, on their iPhone or iPad. These profiles allow cellular carriers, MDM solutions, and apps to configure system-level settings, but they can also be abused to remotely hijack devices.

Symantec says the method can be used to conduct Trustjacking attacks over the Internet by connecting the device to a VPN server and creating a continuous connection between them.

Apple has been informed about the vulnerability and the company has attempted to address it by adding an extra layer of protection in iOS 11. Specifically, users are now asked to enter their passcode when trusting a computer.

“While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in an holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above,” explained Symantec’s Roy Iarchy, one of the people involved in this research.

Some of the mitigations recommended by Symantec include clearing the list of trusted devices and reauthorizing them, enabling encrypted backups in iTunes, setting a strong password, and using mobile security solutions.

Related: “SandJacking” Attack Allows Hackers to Install Evil iOS Apps

Related: Apple Patches Dozens of Vulnerabilities Across Product Lines

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags:

http://feedproxy.google.com/~r/Securityweek/~3/_uYH3en4oiQ/iphones-ipads-can-be-hacked-trustjacking-attack