09/7/18

Security Advisory- MEGA Chrome Extension Hijack

What is MEGA?

MEGA is a cloud storage and file hosting service offered by Mega Limited, a New Zealand-based company. The service is offered primarily through web-based apps. Mega mobile apps are also available for Windows Phone, Android and iOS.

Mega is known for its security feature where all files are end-to-end encrypted locally before they are uploaded. This prevents anyone from accessing the files without knowledge of the pass key used for encryption. As of January 20, 2018, Mega has 100 million registered users in more than 245 countries and territories, and more than 40 billion files have been uploaded to the service.

Affected Version

MEGA Chrome Extension 3.39.4

The Firefox version of MEGA has not been impacted or tampered with, and users accessing MEGA through its official website (https://mega.nz) without the Chrome extension are also not affected by the breach.

All information extracted by the malicious extension is immediately sent to an attacker-controlled server located in Ukraine. The targeted services include the following:

  • Google
  • Amazon
  • Microsoft
  • GitHub
  • com
  • Google Webstore Login
  • My Ether Wallet
  • My Monero
  • IDEX Market

Fig: MEGA extension window in browser

Current Scenario

On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA’s Google Chrome Web Store account and uploaded a malicious version 3.39.4 to the web store. When installed, the extension monitors for specific login form submissions to Amazon, Microsoft, GitHub, and Google.

The hijacked MEGA extension then sent all the stolen information to an attacker’s server located in Ukraine, where it was used by the attackers to log in to the victims’ accounts and to extract cryptocurrency private keys in order to steal users’ digital currency.

Although the company has not revealed the number of users affected by the security incident, it is believed that the malicious version of the MEGA Chrome extension may have been installed by tens of millions of users.

Fig: Blog post published by the company

How does this attack work?

The malicious extension monitors any form submission where the URL contains the string Register or Login, or where variables exist that are named “username”, “email”, “user”, “login”, “usr”, “pass”, “passwd”, or “password”. If the extension detects any of these form submissions or data variables, it sends the credentials and variable values to a host in Ukraine, https://www.megaopac.host/.

To make matters worse, the extension also monitors for the following URL patterns: “https://www.myetherwallet.com/*”, “https://mymonero.com/*”, “https://idex.market/*”, and, if one is detected, executes JavaScript that attempts to steal the logged-in user’s cryptocurrency private keys from these sites.

Fig: Monitoring login attempts to various sites

Fig: Stealing variables with certain names

Fig: Sending information to attackers

Fig: Capturing crypto currency keys

Prevention attempts by officials

The main reason this attack was possible was Google’s decision to disallow publisher signatures on Chrome extensions and to rely solely on signing them automatically after upload to the Chrome Web Store, which removes an important barrier to external compromise. As a prevention attempt, Google removed the MEGA extension from its Chrome Web Store five hours after the breach.

However, four hours after the security breach, MEGA had already updated the extension with a clean version (3.39.5), auto-updating all affected installations.

Recommendations

  1. Users who installed the extension should uninstall MEGA version 3.39.4.
  2. Change your passwords on any accounts that you may have used, especially those of financial, shopping, banking, and government institutions.
  3. Consider resetting the Chrome browser to make sure the extension is completely removed (Settings -> Show advanced settings -> Restore settings to their original defaults).
  4. Until more information is available about the cause of the incident, all users are advised to stop using the MEGA Chrome extension.
  5. Transfer any cryptocurrency funds, including tokens, to another address.
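The behaviour described under “How does this attack work?” and the first recommendation above can be turned into an audit of installed extensions. The following is an added example, not code from the advisory or from MEGA: it checks an extension’s manifest and script sources for the indicators the advisory names (the hijacked version number, the exfiltration host, the wallet URL patterns, and a form-submit hook combined with the watched credential field names). The extension name “MEGA” in the manifest and the two sample extensions are constructed assumptions; the malicious fixture carries only the indicator strings, not a working script.

```python
"""Audit Chrome extensions for the traits described in this advisory.

Added example, not part of the advisory or of MEGA's code. Works on a
parsed manifest.json plus the extension's JavaScript text, or on an
unpacked extension directory via audit_directory().
"""
import json
import os
import re

HIJACKED_VERSION = "3.39.4"          # from the advisory
EXFIL_HOST = "megaopac.host"         # from the advisory
WALLET_PATTERNS = {                  # URL patterns the malicious build watched
    "https://www.myetherwallet.com/*",
    "https://mymonero.com/*",
    "https://idex.market/*",
}
CRED_FIELDS = ("username", "email", "user", "login",
               "usr", "pass", "passwd", "password")


def requested_hosts(manifest):
    """Collect host match patterns from permissions and content_scripts."""
    hosts = {p for p in manifest.get("permissions", []) if "://" in p}
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def audit_extension(manifest, sources):
    """Return the indicator names that fire for one extension.

    manifest: the parsed manifest.json dict
    sources:  the extension's JavaScript text, one string per file
    """
    findings = []
    name = manifest.get("name", "").lower()
    # Recommendation 1: the exact hijacked build (extension name assumed).
    if "mega" in name and manifest.get("version") == HIJACKED_VERSION:
        findings.append("hijacked-version")
    # Access to the wallet sites named in the advisory.
    if requested_hosts(manifest) & WALLET_PATTERNS:
        findings.append("wallet-site-access")
    src = "\n".join(sources)
    if EXFIL_HOST in src:
        findings.append("exfil-host")
    # A submit hook plus several of the watched field names in the source.
    hooks_submit = (re.search(r"addEventListener\(\s*[\'\"]submit[\'\"]", src)
                    is not None or ".onsubmit" in src)
    watched = {f for f in CRED_FIELDS if re.search(r"[\'\"]%s[\'\"]" % f, src)}
    if hooks_submit and len(watched) >= 3:
        findings.append("form-credential-hook")
    return findings


def audit_directory(ext_dir):
    """Same check for an unpacked extension directory on disk."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    sources = []
    for root, _dirs, files in os.walk(ext_dir):
        for fn in files:
            if fn.endswith(".js"):
                path = os.path.join(root, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources.append(fh.read())
    return audit_extension(manifest, sources)


# Constructed fixtures: a clean build and one carrying the advisory's traits.
CLEAN_MANIFEST = {"name": "MEGA", "version": "3.39.5",
                  "permissions": ["storage", "https://mega.nz/*"]}
CLEAN_SOURCE = ['const api = "https://mega.nz/";']

BAD_MANIFEST = {"name": "MEGA", "version": "3.39.4",
                "permissions": ["storage", "https://mega.nz/*"],
                "content_scripts": [{"matches": ["https://www.myetherwallet.com/*"],
                                     "js": ["wallet.js"]}]}
BAD_SOURCE = [  # indicator strings only; deliberately not a working script
    'var watched = ["username", "email", "user", "pass", "password"];',
    'document.addEventListener("submit", onSubmit);',
    'var upstream = "https://www.megaopac.host/";',
]

if __name__ == "__main__":
    print("clean build:", audit_extension(CLEAN_MANIFEST, CLEAN_SOURCE))
    print("bad build:  ", audit_extension(BAD_MANIFEST, BAD_SOURCE))
```

On a real machine, point audit_directory() at each folder under Chrome’s Extensions directory for the profile; the version and host checks are exact, while the form-hook heuristic is intentionally loose and is meant to rank extensions for manual review rather than to condemn them.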

Some best practices to stay safe in future

  1. The incident highlights the security danger of third-party Chrome extensions. If you have any unused extensions installed in your Chrome browser, it is a good idea to remove them.
  2. Do not install potentially unwanted extensions in your browser.
  3. Before granting permission, verify why an application requires elevated permissions such as ‘Read and change your data on websites you visit’.
  4. Use two-factor authentication for any resources that hold financial information; in that case, even if criminals obtain your credentials, they will not be able to compromise your accounts.
  5. Password managers are particularly helpful when you need to change a large number of passwords at the same time.

References

  1. https://mega.nz/start
  2. https://www.neowin.net/news/megas-chrome-extension-suffers-breach-steals-user-credentials-and-crypto-keys
  3. https://sensorstechforum.com/mega-chrome-extension-hacked-user-passwords-stolen-uninstall-asap/


Author,
Jinto T.K.

SOC Team

Varutra Consulting Pvt. Ltd.

09/4/18

Advisory | Microsoft Zero Day Vulnerability – Windows Task Scheduler Local Privilege Escalation Vulnerability

Introduction

A previously unknown zero-day vulnerability has been disclosed in Microsoft’s Windows operating system that could allow a local user or malicious program to obtain system privileges on the targeted machine.

The vulnerability is a privilege escalation issue that resides in the Windows Task Scheduler and is caused by errors in the handling of the Advanced Local Procedure Call (ALPC) system.

Advanced Local Procedure Call (ALPC) is an internal mechanism, available only to Windows operating system components, that facilitates high-speed and secure data transfer between one or more user-mode processes.

An exploit for this vulnerability has been shared by a hacker named “SandboxEscaper”, and the exploit code is currently available in public repositories such as GitHub. However, the current exploit works only on 64-bit Windows operating systems. For a complete solution, we have to wait for Microsoft to respond with the scheduled September 11 patch.

Affected Versions

1) Windows 10

2) Windows Server 2016

The exploit would need modifications to work on operating systems other than 64-bit (i.e., 32-bit OS). It also hard-codes the prnms003 driver, which does not exist in certain versions (e.g. on Windows 7 it can be prnms001). Compatibility with other Windows versions may be possible with modification of the publicly available exploit source code.

How to Detect?

It is possible that original Windows processes are replaced by the malicious program shared by the hacker, so these exploits can be detected by checking whether the original Windows processes have been replaced.

  1. Look for spoolsv.exe among abnormal processes (or another Spooler exploit).
  2. Look for conhost.exe among abnormal processes (e.g. running under the Print Spooler).

Spoolsv.exe:

This is the Windows Print Spooler. The service spools print jobs and handles interaction with the printer. If the Windows Print Spooler service is disabled, you would not be able to print more than one document at a time, and any documents not immediately sent to the printer would not print.

Risk: If you turn off this service, you won’t be able to print or see your printers.

Fig: Checking for suspicious processes

Conhost.exe:

This is the Console Window Host. It is present in Windows 10 and, using it, the Windows command prompt can show the same window frame as other programs. It also lets users operate the cmd prompt and drag and drop a file directly into it. This Microsoft Console Host program resides in “C:\Windows\System32” and should not be removed.

This process is closely related to the Windows CSRSS (Client Server Runtime System Service), a protected process you cannot terminate, which is responsible for console windows and the shutdown process, both critical functions in Windows.

Risk: If you turn off this service, the Windows CSRSS service will also crash, because conhost.exe runs under csrss.exe, so there is a high chance of the system becoming unusable or shutting down.
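The two detection steps above, together with the descriptions of spoolsv.exe and conhost.exe, can be expressed as rules over process-creation events. The following is an added example, not part of the advisory: it triages Sysmon-style process-creation records (constructed here, reduced to the fields the rules need) and flags a spoolsv.exe or conhost.exe running from outside System32, a spoolsv.exe not started by services.exe (the Print Spooler is a service, so services.exe is its expected parent), and any process spawned by spoolsv.exe, which covers the advisory’s case of conhost.exe running under the Print Spooler. The sample events, users and PIDs are constructed.

```python
"""Triage process-creation events for the spoolsv.exe / conhost.exe checks.

Added example, not part of the advisory. Events mimic Sysmon Event ID 1
records; a real deployment would feed them from the event log or a SIEM.
"""
import ntpath
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"
WATCHED = ("spoolsv.exe", "conhost.exe")


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    user: str


def _name(path):
    return ntpath.basename(path).lower()


def _in_system32(path):
    return ntpath.dirname(path).lower() == SYSTEM32


def check_event(ev):
    """Return a list of (rule, detail) findings for a single event."""
    findings = []
    name = _name(ev.image)
    parent = _name(ev.parent_image)
    # Rule 1: a binary named like the system process but living elsewhere.
    if name in WATCHED and not _in_system32(ev.image):
        findings.append(("masquerade", f"{name} loaded from {ev.image}"))
    # Rule 2: the Print Spooler is a service, so services.exe should start it.
    if name == "spoolsv.exe" and parent != "services.exe":
        findings.append(("spooler-parent", f"spoolsv.exe started by {parent}"))
    # Rule 3: the spooler has no business spawning a console (or anything else).
    if parent == "spoolsv.exe":
        findings.append(("spooler-child",
                         f"spoolsv.exe spawned {name} (pid {ev.pid}) as {ev.user}"))
    return findings


def triage(events):
    """Map pid -> findings for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        findings = check_event(ev)
        if findings:
            hits[ev.pid] = findings
    return hits


# Constructed sample: two benign events followed by two suspicious ones.
SAMPLE_EVENTS = [
    ProcessEvent(1204, r"C:\Windows\System32\spoolsv.exe",
                 r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(3312, r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\System32\cmd.exe", r"LAB\alice"),
    ProcessEvent(4410, r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\System32\spoolsv.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(5120, r"C:\Users\alice\Downloads\spoolsv.exe",
                 r"C:\Windows\explorer.exe", r"LAB\alice"),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        for rule, detail in findings:
            print(f"pid {pid}: [{rule}] {detail}")
```

Rule 3 is the one that matters for this advisory: a console host whose parent is the Print Spooler is the visible footprint of the spooler having been made to run something it never should. Rules 1 and 2 catch the cruder case the advisory warns about, where a genuine process name is reused by a binary dropped elsewhere on disk.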

Fig: Checking for suspicious processes

Recommendations

  1. Do not remove or disable any original system processes without confirmation.
  2. Monitor and block local users from gaining administrator privileges by using SIEM tools.
  3. Detect malicious processes running under the names of genuine ones by using behavioral analysis.
  4. Network traffic analytics should continue to be used to detect anomalous traffic crossing the network and to spot users behaving in ways they historically have not.

References

  1. https://www.kb.cert.org/vuls/id/906424
  2. https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f
  3. https://threatpost.com/microsoft-windows-zero-day-found-in-task-scheduler/136977/


Author,
Jinto T.K.

SOC Team

Varutra Consulting Pvt. Ltd.