LastPass, the most popular password manager, is susceptible to phishing attacks. A LastPass phishing vulnerability was recently uncovered which could spell disaster for some LastPass users.
Could your password manager be spoofed?
One cybersecurity problem faced by business users and consumers alike is how to keep track of an increasing number of passwords. Reusing a password across websites is a big security no-no, and for maximum security passwords must be complex and changed frequently.
A secure password needs to contain a mix of capital and lowercase letters, non-sequential numbers, special characters, and ideally should be 11 characters long. It must not include any personal information or dictionary words. In short, each password must be next to impossible to remember. Just in case you do manage to memorize it, it is essential to change it often. At least every three months, but preferably every month.
The solution for many people, consumers and business users alike, is to use a password manager. This has the advantage of remembering your passwords for you, although it has the disadvantage of exposing every one of your passwords should the unthinkable happen and the password manager be hacked.
Fortunately, when it comes to the latter, the chances are very slim. Password managers are robust and secure, right? Well that would depend on which password manager you use. If you use LastPass for instance, the most popular password manager, those passwords may not be quite as secure as many people think.
At last weekend’s ShmooCon conference, Praesidio Inc. CTO Sean Cassidy demonstrated a LastPass phishing vulnerability and showed just how easy it is to spoof the LastPass password manager and obtain login credentials. The bad news is that the technique is so effective it is highly unlikely the user would even know that his or her password has been compromised.
LastPass phishing vulnerability can be exploited with very little skill
The LastPass phishing vulnerability is easy to exploit and has left many security professionals wondering whether this technique is already being used by cybercriminals to gain access to passwords. LastPass has announced that it has patched the problem and has increased security to make it harder for user details to be phished.
Cassidy discovered the LastPass phishing vulnerability some time ago. When logged out, or when a session expires, a browser notification or viewport is displayed requesting the user log back in. However, what happens if that browser window is spoofed? If the user can be redirected to a malicious website where a spoofed version of that browser window is displayed, they could be fooled into entering their login name and password, revealing it to the phisher.
If the spoofed viewport were convincing, the user would enter their credentials and be none the wiser that they had been phished. Cassidy set out to prove this by creating an exact copy of the LastPass login screen and hosting it on a domain he had purchased, chrome-extension.pw. The login screen was not just realistic; it was an exact copy, which Cassidy took from the source code of the webpage. It was identical to the real login prompt in every way.
LastPass phishing vulnerability used to capture login credentials
If the user is logged out via a known Cross-Site Request Forgery (CSRF) flaw, a spoofed viewport can be displayed. Instead of being taken to the real site, they are directed to a page that merely looks like the LastPass one. When the login details are entered they are forwarded to the LastPass API and verified, so the user is unaware and the attacker holds the master password. Even if 2FA is enabled, a similar process can be set up to capture the second authentication factor.
According to Cassidy, a security measure designed to alert the user if their account has been accessed from an unusual IP address would not be triggered if 2FA had been enabled on the account.
LastPass has now made a change and the email alert will be sent to the user regardless of whether they have 2FA set up. Should they be phished, they will at least be aware of it. LastPass has also blocked websites from logging users out, and further security measures are planned that will notify users through a channel that bypasses the viewport.
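As an added example (not LastPass’s own code), this shows the kind of server-side change that blocking cross-site logouts implies: a logout endpoint that honours any request carrying the session cookie, beside one that only accepts a POST from the vault’s own origin with a session-bound anti-CSRF token. The origin, session store and request layout are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed origin for the password manager's own web vault (assumption).
VAULT_ORIGIN = "https://vault.example"

@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token, embedded only in the vault's own logout form.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str
    cookie_session: Optional[str]      # session id the browser attaches automatically
    origin: Optional[str] = None       # Origin header; None when the browser sent none
    form_token: Optional[str] = None   # anti-CSRF token submitted with the form

def start_session(sessions: Dict[str, Session], user: str) -> str:
    """Create a session and return the cookie value the browser will hold."""
    sid = secrets.token_urlsafe(24)
    sessions[sid] = Session(user)
    return sid

def logout_vulnerable(sessions: Dict[str, Session], req: Request) -> bool:
    """Before: any request carrying the cookie ends the session, whatever its
    method or origin, so a third-party page can end the session and make the
    re-login prompt appear while the user is still on that page."""
    if req.cookie_session in sessions:
        del sessions[req.cookie_session]
        return True
    return False

def logout_hardened(sessions: Dict[str, Session], req: Request) -> bool:
    """After: logout is a state change, so it must be a POST from the vault's
    own origin that carries the session-bound CSRF token."""
    sess = sessions.get(req.cookie_session)
    if sess is None or req.method != "POST" or req.origin != VAULT_ORIGIN:
        return False
    if req.form_token is None or not hmac.compare_digest(req.form_token, sess.csrf_token):
        return False
    del sessions[req.cookie_session]
    return True
```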
However, since Cassidy has released the tool that demonstrates the LastPass phishing vulnerability and how it can be exploited, it is possible that other attackers could take advantage and create their own versions. LastPass has issued a statement confirming that with the email verification corrected and a patch issued to resolve other security vulnerabilities, the issue is resolved. It would only be possible for the phishing attempt to succeed if the user’s email account has been compromised.
A Microsoft Silverlight security vulnerability is something of a rarity. The application framework may be similar to Adobe Flash, but it does not contain nearly as many security vulnerabilities. In fact, it is exceptionally rare for a bug to be discovered. In this case, Kaspersky Lab identified the security flaw which could potentially allow remote code execution.
Microsoft has now addressed the security flaw (CVE-2016-0034) in its latest MS16-006 patch which was released on Tuesday. Kaspersky Lab has now published an analysis of the security flaw.
It is essential for the patch to be installed. While the vulnerability is not believed to have already been exploited, it is possible for the patch to be reverse engineered. According to Brian Bartholomew of Kaspersky Lab, “it’s not that difficult to produce a weaponized version of it.”
Rare Microsoft Silverlight security vulnerability investigated by Kaspersky Lab researchers
Kaspersky Lab researchers may not have been the first people to discover the Microsoft Silverlight security vulnerability. They decided to investigate a potential Silverlight vulnerability that had allegedly been discovered by Russian hacker Vitaliy Toropov. He claimed to have written an exploit for it, which he was trying to sell to Hacking Team. At the time, Hacking Team was more interested in Adobe Flash zero-day exploits and ignored the Silverlight offer.
Kaspersky Lab decided to investigate due to the potential damage that could be caused by a Silverlight bug. The vulnerability could potentially be used to attack both Windows and OS X devices running Microsoft Silverlight 5 or Microsoft Silverlight 5 Developer Runtime. Users could be targeted with a phishing email and convinced to visit a website where a drive-by download would occur and load a malicious Silverlight application, regardless of the browser they were using.
Kaspersky Lab did discover the security vulnerability, although whether it is the same one that Toropov had developed an exploit for is not known. However, it is one less security issue to worry about now that Microsoft has patched it.
The first security update of the year from Microsoft may have only included 9 security bulletins, but six of them have been marked as critical. The critical Windows security flaws include 7 bugs that permit remote code execution and one that allows elevation of privileges. A vulnerability affecting Microsoft Exchange Server has also been discovered and patched to prevent spoofing.
The updates include patches for 25 separate vulnerabilities. These critical Windows security flaws should be addressed as soon as possible to keep systems protected. While not all of these security flaws have been published, it is possible for a patch to be reverse engineered to allow a hacker to take advantage of the vulnerabilities in unpatched machines.
Critical Windows security flaws patched in latest Microsoft security update
Although seven critical Windows security flaws have been identified and addressed, one of the most serious is the MS16-005 security bulletin. This is one of the remote code execution vulnerabilities, but it is the one most likely to be exploited by hackers as the vulnerability has been publicly disclosed. The vulnerability affects Windows’ kernel-mode drivers and makes it possible for a hacker to trigger an Address Space Layout Randomization (ASLR) bypass. All that would be required would be to get the user to visit a malicious website.
MS16-001 is critical for users of Internet Explorer. This security flaw affects versions 8, 9 and 10 of the web browser. This will be the last security update for Internet Explorer 8 and 10, with Microsoft now having stopped providing security support. Internet Explorer 9 security updates will continue to be provided for Windows Vista and Windows Server 2008 SP2, but users of IE 8 and 10 should now upgrade to IE 13 to ensure continued support is received.
This memory corruption vulnerability affects the VBScript engine and could be exploited by getting an individual to visit a malware-compromised website. This would allow an attacker to gain the same privileges as the current user. If that user had administrative privileges, an attacker would be able to gain control of the computer and install programs, or delete or modify data. The same vulnerability has been addressed for VBScript in MS16-003.
While not marked as critical, any user of Outlook Web Access (OWA) should ensure that MS16-10 is applied. This patch addresses four separate vulnerabilities that could potentially be exploited and used for a business email compromise (BEC).
While the bulletin is only marked as important, Outlook administrators are likely to disagree. An attacker could exploit this vulnerability to make a phishing email appear as if it had been sent from within the organization. This would make the phishing email difficult for employees to identify and would likely result in a large number of employees compromising their computers.
Microsoft has also patched a bug in Silverlight (MS16-006), which was identified by Kaspersky Lab. The bug is particularly risky for anyone operating Microsoft Silverlight across multiple platforms. The patch plugs a runtime remote code execution vulnerability.
Security researchers at IBM’s X-Force have identified a worrying new Rovnix malware strain that is being used in a spate of cyberattacks on Japanese banks.
Rovnix malware is nothing new. It has been around for a couple of years, but it is now ranking as one of the top ten malware strains used for attacks on financial institutions. It may not be used nearly as often as Dyre, Neverquest, Dridex, Zeus or Gozi (the top 5 malware families currently used by cybercriminals), but it is particularly nasty and highly persistent. Worse still, the new strain of the malware is only recognized by 7% of anti-virus software vendors.
New Rovnix Malware Strain Is Particularly Worrying for Japan’s Banks
The latest wave of attacks on Japanese banks signals a major departure from the usual attacks conducted by cybercriminal gangs in Europe. Previously, they have concentrated on attacking European banks and Japan has been left well alone. That is no longer the case. In fact, IBM’s X-Force has described the latest wave of attacks as “an onslaught.” The criminal gang behind the latest Rovnix malware attack has already targeted 14 Japanese banks since the start of December last year.
The language barrier has prevented cybercriminal gangs from targeting Japan’s banks in the past, but they have now got around the problem by developing their campaign in Japanese. Each campaign has been tailored to the specific bank under attack.
As with campaigns conducted in Europe, the primary means of malware delivery is spam email. A spam message contains a zip file with a fairly innocuous waybill detailing the delivery of a parcel from a courier company. Opening the attachment and viewing the waybill will result in a downloader being launched that will load Rovnix malware onto a device.
One of the most worrying features of Rovnix malware is its elaborate web injection mechanism, which mimics the bank’s web pages. When an end user visits the bank’s webpage, the malware injects JavaScript and shows the user modified sections of the bank’s webpage. Login credentials are stolen, but crucially, so is the second password which enables a transaction to be conducted.
More worrying still, some users are being prompted to download an app to their mobile phone. Doing so results in their SMS messages being intercepted. When the bank sends an authorization code to the mobile device, the cybercriminals use that code to authorize a fraudulent transfer, defeating the two-factor authentication used by the bank.
Rovnix malware tends to be used to target one country at a time, but that may not necessarily always be the case. It can be quickly and easily adapted to attack any country’s banks. Rovnix malware is highly sophisticated and can be tailored to attack different institutions and evade detection. Even before the malware is installed, it can scan a device and determine which security protections are installed. It then uses a wide range of mechanisms to evade detection.
Microsoft has announced it will be pulling the plug on old versions of Internet Explorer and will be withdrawing software security support on IE 8, 9, and 10 from Tuesday January 12, 2016. An Internet Explorer security risk warning has been issued as older versions of the web browser will be more vulnerable to cyberattack from tomorrow.
Microsoft will only be issuing security updates and providing technical support for Internet Explorer 11 and Microsoft Edge from January 13, 2015. All users have been urged to upgrade to Internet Explorer 11 if running Windows 7 or 8.1, with Windows 10 users requested to make the switch to Microsoft Edge by Wednesday, January 13.
The news shouldn’t come as a major surprise, as Microsoft first announced that it would discontinue support for older versions of IE 18 months previously, but that said, many IT departments and individual users have not yet upgraded. Duo Security has calculated that 36% of IE users are running versions 9 or 10.
The problem for many enterprises is that web applications have been developed to work on Internet Explorer 9 or 10, and consequently an upgrade may require changes to those applications to ensure they work optimally on Edge or IE11.
The good news is that only one version change will be required. Microsoft has confirmed that although earlier versions of the browser are being retired, it has promised to continue offering support for IE11 for the lifespan of Windows 7, 8, and 10. The same applies to the Microsoft Edge browser.
Internet Explorer Security Risk Will Increase Following Next IE11 Update
The Internet Explorer security risk will not increase substantially overnight. It is highly improbable that hackers have exploits lined up that can be used on older versions. However, when software is discontinued, it is the issuing of the next patch on the supported version that is the critical date.
In the case of Internet Explorer, cybercriminals will be able to assess what is updated in the next release. When IE11 is patched, it will be highly probable that many of the vulnerabilities that are addressed will also affect previous IE versions.
Hackers could develop exploits for those unpatched vulnerabilities to attack individuals running older browser versions. The Internet Explorer security risk will increase substantially.
It is much easier for cybercriminals to exploit vulnerabilities in browsers than in other unpatched software installed on devices. All that is required is to direct the user to an infected website containing the appropriate exploit kit for the user’s device to be infected.
Companies in highly regulated industries such as the financial services and healthcare should ensure their browsers are updated before support is stopped. Running any machine on outdated and unsupported software will violate industry regulations. This could result in significant financial penalties being incurred.