A design flaw in Microsoft Teams Updater could expose your organization to cyberattack

Essentially, bad actors could abuse the Microsoft Teams Updater – an update mechanism – to download any malicious binary files from Comand-and-Control Servers.

Attackers can abuse Microsoft Teams Updater to deliver malicious payloads

A threat actors could abuse MS Teams Updater to download any malicious binary files from a remote server. Unfortunately, we are dealing with a design flaw and the issues can not be so easily addressed.

The first proposed solution required to restrict Microsoft Teams ability to update via a URL – the updater allows then only local connections via a share or local folder for product updates. If the program detects the string “http/s”, “:”, “/” and port numbers in the updater URL it will block the connection and log the activity under %localappdata%\Microsoft\Teams\SquirrelSetup.log.

But the mechanism allows share access in the local UNC format: \\server\. Attackers could still exploit it in some strict conditions. For example, they could get the file inside the network through the shared folders or accessed the payload from that share in the victim device. Such attacks will not be easy to implement – hackers will try to create a remote rather than local share. Then they can download the remote payload and execute it without access to a local share.

Hackers could also take advantage of the open-source project Squirrel, which Microsoft Teams uses for installation and updating routines. It relies on NuGet package manager to create the necessary files. In this attack scenario, the payload needs to have the name “squirrel.exe” and have to be placed in a particular nupkg file – of course, crafted using the metadata of the fake MS Teams release. That way the payload can be downloaded and the easily executed by Microsoft Teams.


KrØØk: Even more Wi‑Fi chips vulnerable to eavesdropping

ESET researchers delved into details about the KrØØk vulnerability in Wi-Fi chips and revealed that similar bugs affect more chip brands than previously thought.

KrØØk (formally CVE-2019-15126) is a vulnerability in Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Specifically, the bug has led to wireless network data being encrypted with a WPA2 pairwise session key that is all zeros instead of the proper session key that had previously been established in the 4-way handshake. 

Exploiting KrØØk allows adversaries to intercept and decrypt data. While other techniques need to be in range of the Wi-Fi signal, the attackers do not need to be authenticated and associated to the WLAN. In other words, they don’t need to know the Wi-Fi password.

Previously researchers from ESET did not observe KrØØk in other Wi-Fi chips than Broadcom and Cypress. By the way, used by over billion of devices, including: 

Amazon Echo 2nd gen, Amazon Kindle 8th gen, Apple iPad mini 2, Apple iPhone 6, 6S, 8, XR, Apple MacBook Air Retina 13-inch 2018, Google Nexus 5, Google Nexus 6, Google Nexus 6S, Raspberry Pi 3, Samsung Galaxy S4 GT-I9505, Samsung Galaxy S8, Xiaomi Redmi 3S.

Qualcomm and MediaTek join the list. Now researchers took a closer look on other vendors. The vulnerability they discovered in Qualcomm (CVE-2020-3702) was also triggerable by a disassociation and led to undesirable disclosure of data by transmitting unencrypted data in the place of encrypted data frames – much like with KrØØk. The main difference is, that instead of being encrypted with an all-zero session key, the data is not encrypted at all (despite the encryption flags being set).

They also observed a similar vulnerability on some Wi-Fi chips by MediaTek. One of the affected devices is the ASUS RT-AC52U router. Another one is the Microsoft Azure Sphere development kit.

Official patches (both software and hardware) are already available.

ESET released the script they’ve been using to test whether a device is vulnerable to KrØØk that can be used by researchers or device manufacturers. It can be found here

Read more

Cluster of 295 Chrome extensions caught hijacking Google and Bing search results

More than 80 million Chrome users have installed one of 295 Chrome extensions that hijack and insert ads inside Google and Bing search results.

The malicious extensions were discovered by AdGuard, a company that provides ad-blocking solutions, while the company’s staff was looking into a series of fake ad-blocking extensions that were available on the official Chrome Web Store.

The vast majority of the malicious extensions (245 out of the 295 extensions) were wallpapers that had no other function than to apply a custom background for Chrome’s “new tab” page. All extensions loaded malicious code from the fly-analytics.com domain, and then proceeded to quietly inject ads inside Google and Bing search results.

Additionally, AdGuard discovered another bad practices on the Chrome Web Store, such as store moderators allowing a large number of copycat extensions to clone popular add-ons, capitalize on their brands, reach millions of users, while also containing malicious code that performs ad fraud or cookie stuffing.

The full list of 295 ad-injecting extensions is available here

You might be in danger if you have wallpaper with: GTA V, Avengers Endgame, Spiderman, Riverdale, Witcher, Minecraft, Real Madrid, Fortnite, Star Wars, Deadpool and a lot more.

Almost all the 295 extensions were still available on the official Chrome Web Store earlier last week. Now extensions are steadily pulling down from the store but it is recommended for users to manually uninstall it from browsers.

Read more

Meetup with security flaws which could have allowed hackers to take over groups and steal gathered PayPal funds

The combination of cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities could allow attackers to gain administrator privileges, enabling them to perform varied actions – from cancelling or changing events to even redirecting PayPal payments.

XSS (cross-site scripting) vulnerability allowed a regular group member to have the same permissions as an organizer. CSRF vulnerability allowed to carry out unauthorised commands that attackers can exploit to gain control over groups.

The privilege escalation was possible by simply posting JavaScript code in the message in the discussion area – using the POST requests. The script would be hidden to users and still execute in any browser that allows it when they visit the tainted Meetup page. When the organiser page runs the script in the browser, attackers can use their role of administrator to do whatever we want.

It also possible to spread the vulnerability with a worm – then the whole site could be compromised.  Anyone could become an agent to spread the threat. And when organizations get infected, hackers could be able to move gathered funds to their own malicious PayPal.

Update. Both vulnerabilities have been fixed recently.


Do you have thirst for knowledge? There is ten more cybersecurity stories below

1. Ransomware gang publishes tens of GBs of internal data from LG and Xerox (ZDNet)
2. Windows 10: HOSTS file blocking telemetry is now flagged as a risk (Bleeping Computer)
3. How hackers behind Twitter Bitcoin scam were caught (HackRead)
4. Newsletter plugin bugs let hackers inject backdoors on 300K sites (Bleeping Computer)
5. Hacker leaks passwords for 900+ Pulse Secure VPN enterprise servers (Security Affairs)
6. Twitter for Android vulnerability gave access to direct messages (Bleeping Computer)
7. Firefox gets fix for evil cursor attack (ZDNet)
8. Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks (The Hacker News)
9. Flaw in popular NodeJS ‘express-fileupload’ module allows DoS attacks and code injection (Security Affairs)
10. Bugs in HDL Automation expose IoT devices to remote hijacking (Bleeping Computer)