Security Weekly 18

Security Weekly 18: BlueBorne, the Bluetooth Attack of the Year; a Million-Dollar Hole in Tor; Botnets on Elasticsearch Servers

BlueBorne. Remember this name. It is not even a single vulnerability but a whole bundle of holes in the Bluetooth implementations of Windows, Linux, Android and, to a lesser extent, iOS. Researchers from Armis Labs uncovered this mess and estimated the number of potentially affected devices at 5.3 billion.

In a word, this is serious. BlueBorne lets an attacker compromise a Bluetooth-capable device from another Bluetooth device. The two devices do not need to be paired, and the victim's device does not even need to be discoverable (visible to other Bluetooth devices nearby). In other words, if your Bluetooth is on, you are at risk.

The pile of discovered vulnerabilities looks like this:
– CVE-2017-1000251: RCE in the Linux kernel;
– CVE-2017-1000250: information leak in the Bluetooth stack;
– CVE-2017-0785: information leak in Android;
– CVE-2017-0781: RCE in Android;
– CVE-2017-0782: RCE in Android;
– CVE-2017-0783: logic flaw in Android ("Bluetooth Pineapple");
– CVE-2017-8628: logic flaw in Windows ("Bluetooth Pineapple");
– One so fresh that it has no CVE yet: an RCE vulnerability in Apple's proprietary Low Energy Audio Protocol.

The two "Bluetooth Pineapples" are not named that way by chance. The name refers to the well-known Wi-Fi Pineapple hacking device. Left in any public place, it mimics the favorite home networks of every device in range; unsuspecting devices connect to what they believe are their own networks, and a MitM attack follows with everything that entails. Something similar, only over Bluetooth, is what CVE-2017-0783 and CVE-2017-8628 make possible.

The original study includes an illustration showing where in the Bluetooth stack each vulnerability sits.

Because the holes are assorted and spread across every Bluetooth implementation, an attacker must first determine the OS and OS version of the target device and then apply the matching exploit. Bear in mind that Bluetooth processes run with very high privileges, so a successful attack gives the intruder full control of the victim's device: enrolling it in a botnet, intercepting communications, stealing data, installing software and spreading the infection to other devices within Bluetooth range.

The Armis Labs team acted responsibly and published their findings only after Google, Microsoft and Apple had shipped patches. It should be noted, though, that the bug is present in every version of Windows since Vista, in Linux with BlueZ since kernel 3.3-rc1 (including Tizen), and in unnamed versions of iOS. Devices running these operating systems that are no longer supported will never receive patches.

Well, smart TVs are relatively safe, let's say: they rarely leave the house (although what about a tech-savvy neighbor behind the wall who would like to watch your daily life through the webcam?). Mobile devices, however, are a rather worrying case.

Zerodium offers a million dollars for zero-days in Tor

The exploit broker Zerodium has again announced a handsome seven-figure reward for a zero-day exploit, this time in the Tor Browser. A fully functional exploit for a previously unknown vulnerability in Tor Browser on Tails Linux and Windows will earn its author a million dollars.

$250,000 will be paid for a combined RCE and privilege-escalation exploit on Tails and Windows, and $200,000 if the exploit is RCE only or works only when JavaScript is enabled in the browser. Submissions must come with full documentation, and the attack vector must be a website.

  • Zerodium is obviously not this generous at its own expense: there is a specific order behind it. According to the company, the order comes from government agencies that want to reach the terrible criminals hiding behind Tor. The states are not named, but back in August Zerodium had already reported a surge in requests from "democratic states, as well as states that are not under sanctions". So the circle narrows: this is definitely not the DPRK and not Mother Russia. Either way, somebody is seriously worked up about Tor, as both the amount and the deadline show: the raised bounties are valid only until November 30, so hurry.

The Tor Project has already been asked what it thinks about this, and it gave the classic brush-off: first, such bounties indicate Tor's high level of security, and second, none of this is good, since a successful attack on Tor can threaten the lives of some of its users. They are hinting at residents of non-democratic countries and states under international sanctions, of whom, as we were told, there are none among Zerodium's customers.

Thousands of Elasticsearch servers are infected with POS Trojans

A researcher from Kromtech decided to probe public Elasticsearch servers (Elasticsearch is a free search engine) and found something very interesting there: the control panels of the POS Trojans JackPOS and AlinaPOS. This is fairly old malware that made a lot of noise a few years ago.

  • POS Trojans specialize in intercepting bank card payment data; to do so they infect terminals in retail chains, restaurants and hotels. The stolen dumps are sent in encrypted form to a server, from where they go straight to the carders' online shops.

As it turned out, someone got hold of the source code of these old Trojans (AlinaPOS from 2012, JackPOS from 2014) and put it up for sale. Command-and-control infrastructure was needed accordingly, and that is what Kromtech eventually uncovered. A scan with the help of Shodan found 15 thousand Elasticsearch servers on the Internet, four thousand of which had been taken over by the POS bots.

Characteristically, almost all of the compromised servers are hosted on Amazon. The researchers attribute this to the way the servers are configured. More precisely, the system itself is secure enough, but users doing a quick installation often click through the security settings without configuring them, and this is the result.
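A small auditor for exactly that quick-install misconfiguration, added here as an example (it is not code from the original post or from Kromtech): it reads a flat elasticsearch.yml, flags a `network.host` that binds a non-loopback interface, and treats a missing or false `xpack.security.enabled` as "no authentication" (that last reading is an assumption of the example).

```python
"""Audit an elasticsearch.yml for the settings that leave a cluster
reachable from the Internet without authentication (added example)."""
import ipaddress
import re

# Special values Elasticsearch accepts for network.host that listen on
# non-loopback interfaces; "_local_" (the default) is loopback only.
PUBLIC_BIND_VALUES = {"0.0.0.0", "::", "_site_", "_global_"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses.
    Comments and blank lines are ignored; nested YAML is out of scope."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.\-]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings


def is_public_bind(value):
    """True if network.host would listen on a non-loopback address.
    Accepts a single value or a YAML flow list like [_local_, _site_]."""
    for item in value.strip("[]").split(","):
        item = item.strip().strip("\"'")
        if not item:
            continue
        if item in PUBLIC_BIND_VALUES:
            return True
        try:
            if not ipaddress.ip_address(item).is_loopback:
                return True
        except ValueError:
            pass  # hostnames and other _xxx_ values are not judged here
    return False


def audit(config_text):
    """Return a list of findings for the config; an empty list means OK."""
    s = parse_flat_yaml(config_text)
    findings = []
    if is_public_bind(s.get("network.host", "_local_")):
        findings.append("network.host binds a non-loopback interface")
    # Assumption: absent or false means requests need no authentication.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication")
    return findings


# Constructed samples: a typical quick install, and the same config tightened.
QUICK_INSTALL = "cluster.name: demo\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED = "cluster.name: demo\nnetwork.host: 127.0.0.1\nxpack.security.enabled: true\n"
```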