Application Security Weekly Review, Week 9 2019


Dangerous flaws in the SHAREit Android app, recent attacks exploiting the latest Drupal bug, malicious docs distribution on hacked Bangladeshi embassy website, and more.

Our latest round-up covers the most important cyber security headlines of this week, including dangerous flaws in the SHAREit Android app, recent attacks exploiting the latest Drupal bug, a new attack that lets hackers abuse browser resources for nefarious operations even after the browser's tabs are closed, and more.

Severe vulnerabilities in SHAREit Android app expose users’ sensitive information

SHAREit, a popular file-sharing application for Android, iOS, Windows and macOS with more than 500 million active users, contains two dangerous flaws that could allow cybercriminals to bypass authentication and steal sensitive data from a victim's device. The vulnerabilities in question are an authentication bypass flaw and an arbitrary file download vulnerability. According to the researchers at cybersecurity outfit RedForce, who reported the problem, an attacker on the same WiFi network as the victim could determine if SHAREit is running on the user's device simply by checking if two designated TCP ports (port 55283 and port 2999) are open. Once the victim has been identified, it's relatively easy to carry out the attack and to compromise the system.

The researchers found that when a user with no valid session tries to fetch a non-existing page (for example, [curl http://shareit_sender_ip:2999/DontExist]), the flaw in the app causes it to authenticate the attacker.

Cryptocurrency miner CoinIMP distribution via hacked Drupal websites

The Drupal project recently patched a highly critical remote code execution bug (CVE-2019-6340) in the CMS core that could allow cybercriminals to take over Drupal sites. According to Imperva, it took hackers only three days to start launching attacks against sites running a vulnerable Drupal version. The researchers detected dozens of attack attempts from several attackers and countries leveraging a proof-of-concept exploit that was published a day after the Drupal team released a fix. The attackers' goal was to inject the JavaScript cryptocurrency miner CoinIMP into vulnerable sites.

The flaw affects only Drupal 8 sites (Drupal version 7 is safe) and could be exploited only when certain conditions are met: for example, a site is affected only if certain modules are enabled, such as the Drupal 8 core RESTful Web Services (rest) module or JSON:API.

Hacked Bangladeshi embassy website in Cairo distributes malware

Hackers compromised the website of the Bangladeshi Embassy in Cairo for nefarious activities, according to cybersecurity firm Trustwave. The researchers discovered that a coinminer had been planted on the site in October 2018, and a few months later they noticed the site distributing malicious Word documents, which install a password-stealing Trojan named Godzilla Loader onto infected computers.

Once running on the infected system, Godzilla Loader connects to its command-and-control (C&C) server and downloads other malware. Unfortunately, the domain's owners didn't respond to Trustwave's emails, so the site remains compromised.

Hackers use fake Google Analytics, Angular scripts to steal credit card details from Magento sites

Researchers from Sucuri spotted several credit card-stealing scripts masquerading as Google Analytics and Angular (Google’s framework for web development) scripts to make them appear less conspicuous to the website admins. The malicious code is obfuscated and injected into legitimate JS files on sites running on different CMSs, mainly Magento, WordPress, Joomla, and Bitrix.

These scripts load the credit card stealers from different domains created specifically for the attack. The skimming scripts gather the customer credit card information from the checkout pages and send that data to C&C servers.

The researchers say that at least 40 sites have been hosting fake scripts. They also noted the campaign's significant level of customization: each site has its own set of injected scripts, unique variations of obfuscation, etc.
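Because the injected code is obfuscated and fetches the skimmer from attacker-created domains at run time, a Content-Security-Policy `script-src` allowlist with violation reporting can surface the load even when a scan of the JS files finds nothing. The following is an added example, not code from Sucuri or from the original article: a triage routine for CSP violation reports. The shop hostname, the allowlist and the `.example` domains are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumption: the only third-party hosts this hypothetical shop loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com", "ajax.googleapis.com"}
# Brand words the fake scripts described above imitate in their names.
BRAND_WORDS = ("google", "analytics", "angular")

# Constructed sample report bodies, as a browser would POST them to a report endpoint.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/blog/post",'
    ' "effective-directive": "script-src-elem",'
    ' "blocked-uri": "https://widgets.example/chat.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout/payment",'
    ' "violated-directive": "script-src \'self\' https://www.google-analytics.com",'
    ' "blocked-uri": "https://google-analytics-cdn.example"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout/payment",'
    ' "violated-directive": "img-src \'self\'",'
    ' "blocked-uri": "https://cdn.example/logo.png"}}',
    'not json at all',
]


def triage_csp_reports(raw_reports, checkout_prefix="/checkout"):
    """Return blocked third-party script loads, most suspicious first."""
    findings = []
    for raw in raw_reports:
        try:
            report = json.loads(raw)["csp-report"]
        except (ValueError, KeyError, TypeError):
            continue  # malformed bodies are common on report endpoints
        if not isinstance(report, dict):
            continue
        directive = (report.get("effective-directive")
                     or report.get("violated-directive", ""))
        if not directive.startswith("script-src"):
            continue  # only script loads matter for skimmer triage
        # blocked-uri may be a full URL, a bare origin, or a keyword like "inline"
        host = (urlparse(report.get("blocked-uri", "")).hostname or "").lower()
        if not host or host in ALLOWED_SCRIPT_HOSTS:
            continue
        page = urlparse(report.get("document-uri", "")).path
        findings.append({"host": host, "page": page,
                         "lookalike": any(w in host for w in BRAND_WORDS),
                         "on_checkout": page.startswith(checkout_prefix)})
    findings.sort(key=lambda f: (f["lookalike"], f["on_checkout"]), reverse=True)
    return findings
```

A blocked host that imitates an analytics or framework name on a checkout page sorts to the top and warrants an integrity check of the site's JS files.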

MarioNet attack lets hackers control a browser even after user has left a malicious page

A group of researchers has devised a new attack method that lets an attacker keep control of a user's browser even after the browser's tabs and windows have been closed. The new method, dubbed MarioNet, takes advantage of an API called Service Workers that all modern browsers support. Basically, a Service Worker is a script that runs in the browser's background without user interaction.

To carry out the attack, an attacker needs to register a service worker when a user visits a malicious website and then exploit the Service Worker SyncManager interface to keep the service worker active after the user leaves the page.

This method allows attackers to build botnets from users’ browsers and use them for different purposes, such as cryptomining operations, DDoS attacks, or password cracking.