Encrypted Messaging Project "Matrix" Suffers Extensive Cyber Attack


Matrix—the organization behind an open source project that offers a protocol for secure and decentralized real-time communication—has suffered a massive cyber attack after unknown attackers gained access to the servers hosting its official website and data.

Hackers defaced Matrix’s website, and also stole unencrypted private messages, password hashes, access tokens, as well as GPG keys the project maintainers used for signing packages.

The cyber attack eventually forced the organization to shut down its entire production infrastructure for several hours and log all users out of Matrix.org.

So, if you have an account with Matrix.org service and do not have backups of your encryption keys or were not using server-side encryption key backup, unfortunately, you will not be able to read your entire encrypted conversation history.

Matrix is an open source end-to-end encrypted messaging protocol that allows anyone to self-host a messaging service on their own servers, powering many instant messengers, VoIP, WebRTC, bots and IoT communication.

Vulnerable Jenkins Allowed Attackers to Access Server

According to a press release published today by Matrix Project, unknown attackers exploited a sandbox bypass vulnerability in its production infrastructure on 4th April that was running on an outdated, vulnerable version of Jenkins automation server.

The Jenkins flaw allowed attackers to steal internal SSH keys, which they used to access Matrix’s production infrastructure, eventually granting them access to unencrypted content, including personal messages, password hashes, and access tokens.

matrix encrypted chats
Screenshot Credit: David on Twitter

After being informed of the vulnerability by JaikeySarra on 9th April, Matrix.org identified the full scope of the attack and removed the vulnerable Jenkins server as well as revoked the attacker’s access from its servers on 10th April.

The next day, Matrix.org also took its home server down and started rebuilding its production infrastructure from scratch, which has now been back online.

Today at around 5 am UTC, the attackers behind the cyber attack also managed to repoint DNS for matrix.org to a defacement website hosted on GitHub using a Cloudflare API key, which was compromised in the attack and theoretically replaced during the rebuild.

Since the latest defacement confirms that the stolen encrypted password hashes were exfiltrated from the production database, Matrix.org forced to log out all users and strongly advised them to change their passwords immediately.

“This was a difficult choice to make. We weighed the risk of some users losing access to encrypted messages against that of all users’ accounts being vulnerable to hijack via the compromised access tokens,” the company says.

“We hope you can see why we made the decision to prioritize account integrity over access to encrypted messages, but we’re sorry for the inconvenience this may have caused.”

The company also confirms that the GPG keys used for signing packages were also compromised, but fortunately, the attackers did not use it to release malicious versions of the software signed with the stolen keys.

Matrix project assures that both keys have now been revoked.

The maintainers of the project also say they will shortly start emailing all affected users to inform them about the incident and advise them to change their passwords.

Let’s block ads! (Why?)

Link to original source

Popular Video Editing Software Website Hacked to Spread Banking Trojan

free video editing software

If you have downloaded the VSDC multimedia editing software between late February to late March this year, there are high chances that your computer has been infected with a banking trojan and an information stealer.

The official website of the VSDC software — one of the most popular, free video editing and converting app with over 1.3 million monthly visitors — was hacked, unfortunately once again.

According to a new report Dr. Web published today and shared with The Hacker News, hackers hijacked the VSDC website and replaced its software download links leading to malware versions, tricking visitors into installing dangerous Win32.Bolik.2 banking trojan and KPOT stealer.

Even more ironic is that despite being so popular among the multimedia editors, the VSDC website is running and offering software downloads over an insecure HTTP connection.

Though it’s unclear how hackers this time managed to hijack the website, researchers revealed that the breach was reportedly never intended to infect all users, unlike last year attack.

Instead, Dr.Web researchers found a malicious JavaScript code on the VSDC website that was designed to check visitor’s geolocation and replace download links only for visitors from the UK, USA, Canada, and Australia.

Insecure VSDC Website Was Distributing Malware for a Month

The malicious code planted on the website went unnoticed for almost a month—between 21 February 2019 and 23 March 2019—until researcher discovered it and notified VSDC developers of the threat.

free video editing software

Targeted users were served with a dangerous banking trojan designed to perform “web injections, traffic intercepts, key-logging and stealing information from different bank-client systems.”

Moreover, the attackers changed the Win32.Bolik.2 trojan to KPOT Stealer, a variant of Trojan.PWS.Stealer, on March 22, which steals information from web browsers, Microsoft accounts, several messenger services and some other programs.

According to the researchers, at least 565 visitors downloaded VSDC software infected with the banking trojan, while 83 users has had their systems infected with the information stealer.

VSDC site has been hacked several times in the past years. Just last year, unknown hackers managed to gain administrative access to its website and replaced the download links, eventually its visitors’ computers with the AZORult Stealer, X-Key Keylogger and the DarkVNC backdoor.

What to Do If You’re a Victim?

It should be noted that just installing the clean version of the software update over the malicious package would not remove the malware code from the infected systems.

So, in case you had downloaded the software between that period, you should immediately install antivirus software, with the latest up-to-date definitions, and scan your system for malware.

Beside this, affected users are also recommended to change their passwords for important social media and banking websites after cleaning the systems or from a separate device.

Let’s block ads! (Why?)

Link to original source

WikiLeaks Founder Julian Assange Arrested After Ecuador Withdraws Asylum

WikiLeaks founder julian assange arrested

WikiLeaks founder Julian Assange has finally been arrested at the Ecuadorian Embassy in London on Thursday—that’s almost seven years after he took refuge in the embassy to avoid extradition to Sweden over a sexual assault case.

According to a short note released by London’s Metropolitan Police Service, Assange has been arrested immediately after the Ecuadorian government today withdraws asylum.

Assange has now been taken into custody at a central London police station, from where he will be presented before Westminster Magistrates’ Court as soon as possible.

Assange was wanted by British police for failing to surrender to the Westminster Magistrates’ Court in August 2012, while he was under investigation for sexual assault and rape allegations in Sweden.

Although Sweden dropped its preliminary investigation into the rape accusation against Julian Assange in 20117, Assange chose not to leave the Ecuadorian Embassy due to fears of extradition to the United States.

In the United States, Assange is facing federal charges for leaking diplomatic cables and military documents through his popular publication WikiLeaks in 2010 that embarrassed the U.S. governments across the world.

[embedded content]

Although U.S. authorities have never officially confirmed the charges against Assange, late last year U.S. prosecutors accidentally revealed the existence of criminal charges against Assange in a document filed in an unrelated sex crime case.

Assange, the 47-year-old Australian hacker, founded WikiLeaks in 2006 and has since made many high-profile revelations through the platform, exposing ‘dirty’ secrets of several political parties, individuals, and government organizations across the world.

Assange has been forced to live in London’s Ecuadorian Embassy since June 2012, when a U.K. court ordered his extradition to Sweden to face sexual assault and rape charges filed against him.

However, his relationship with Ecuador has deteriorated in the past year. The country cut him off the Internet since March 2018 after he breached its agreement to refrain from interfering in other states’ affairs that could affect the country’s relationship with other nations.

The circumstances even made it difficult for Assange to do his job of editor-in-chief to run WikiLeaks and forced the whistleblower organization to appoint its new editor-in-chief, Kristinn Hrafnsson.

In July last year, the Ecuadorian President also reportedly visited London to finalize a deal with UK government to withdraw Assange’s asylum protection—eventually turning him over to Britain where he is facing an arrest warrant after skipping a bail payment.
The story is developing….

Let’s block ads! (Why?)

Link to original source

Security Flaws in WPA3 Protocol Let Attackers Hack WiFi Password

hack wifi password wpa3

🔥 Breaking — It has been close to just one year since the launch of next-generation Wi-Fi security standard WPA3 and researchers have unveiled several serious vulnerabilities in the wireless security protocol that could allow attackers to recover the password of the Wi-Fi network.

WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.

The Wi-Fi Protected Access III (WPA3) protocol was launched in an attempt to address technical shortcomings of the WPA2 protocol from the ground, which has long been considered to be insecure and found vulnerable to KRACK (Key Reinstallation Attack).

Though WPA3 relies on a more secure handshake, known as Dragonfly, that aims to protect Wi-Fi networks against offline dictionary attacks, security researchers Mathy Vanhoef and Eyal Ronen found weaknesses in the early implementation of WPA3-Personal, allowing an attacker to recover WiFi passwords by abusing timing or cache-based side-channel leaks.

“Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on,” the researchers say.

Vulnerabilities in WPA3 — Hacking WiFi Password

In a research paper, dubbed DragonBlood, published today, researchers detailed two types of design flaws in WPA3—first leads to downgrade attacks and second to side-channel leaks.

Also Read: How to Hack WiFi Password Easily Using New Attack On WPA/WPA2.

Since the 15-year-old WPA2 protocol has been widely used by billions of devices, widespread adoption of WPA3 won’t happen overnight. To support old devices, WPA3 Certified devices offer a “transitional mode of operation” that can be configured to accept connections using both WPA3-SAE and WPA2.

Researchers find that the transitional mode is vulnerable to downgrade attacks, which attackers can abuse to set up a rogue AP that only supports WPA2, forcing WPA3-supported devices to connect using insecure WPA2’s 4-way handshake.

“We also discovered a downgrade attack against SAE [Simultaneous Authentication of Equals handshake, commonly known as Dragonfly] itself, where we can force a device into using a weaker elliptic curve than it normally would use,” the researchers say.

Moreover, a man-in-the-middle position is not needed to carry out downgrade attack. Instead, attackers only need to know the SSID of the WPA3- SAE network.

Researchers also detail two side-channel attacks—Cache-based (CVE-2019-9494) and Timing-based (CVE-2019-9494) attacks—against Dragonfly’s password encoding method that could allow attackers to perform a password partitioning attack, similar to an offline dictionary attack, to obtain Wi-Fi password.

“For our password partitioning attack, we need to record several handshakes with different MAC addresses. We can get handshakes with different MAC addresses by targeting multiple clients in the same network (e.g. convince multiple users to download the same malicious application). If we are only able to attack one client, we can set up rogue APs with the same SSID but a spoofed MAC address.”

Besides these, the duo also documented a Denial of Service attack that can be launched by overloading an “AP by initiating a large amount of handshakes with a WPA3-enabled Access Point,” bypassing SAE’s anti-clogging mechanism that is supposed to prevent DoS attacks.

Some of these vulnerabilities also affect devices using the EAP-pwd (Extensible Authentication Protocol-Password) protocol, which is also based on the Dragonfly password-authenticated key exchange method.

As a proof-of-concept, researchers will shortly release the following four separate tools (in the GitHub repositories hyperlinked below) that can be used to test the vulnerabilities as mentioned above.

  • Dragondrain—a tool that can test to which extend an Access Point is vulnerable to Dos attacks against WPA3’s Dragonfly handshake.
  • Dragontime—an experimental tool to perform timing attacks against the Dragonfly handshake.
  • Dragonforce—an experimental tool that takes the information to recover from the timing attacks and performs a password partitioning attack.
  • Dragonslayer—a tool that implements attacks against EAP-pwd.

“Nearly all of our attacks are against SAE’s password encoding method, i.e., against its hash-to-group and hash-to-curve algorithm. Interestingly, a simple change to this algorithm would have prevented most of our attacks,” the researchers say.

Wi-Fi Alliance Working With Vendors to Patch Reported Issues

The duo reported their findings to the WiFi Alliance, the non-profit organization that certifies WiFi standards and Wi-Fi products for conformity, who acknowledged the issues and are working with vendors to patch existing WPA3-certified devices.

“The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can refer to their device vendors’ websites for more information,” the WiFi Alliance says in its press release.

“The software updates do not require any changes that affect interoperability between Wi-Fi devices. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”

You can read more information about these vulnerabilities on the DragonBlood dedicated website, and the research paper [PDF], which also explains how minor changes to the protocol could prevent most of the attacks detailed by the researchers.

Let’s block ads! (Why?)

Link to original source

Sophisticated 'TajMahal APT Framework' Remained Undetected for 5 Years

tajmahal apt malware

Cybersecurity researchers yesterday unveiled the existence of a highly sophisticated spyware framework that has been in operation for at least last 5 years—but remained undetected until recently.

Dubbed TajMahal by researchers at Kaspersky Lab, the APT framework is a high-tech modular-based malware toolkit that not only supports a vast number of malicious plugins for distinct espionage operations, but also comprises never-before-seen and obscure tricks.

By the way, Kaspersky didn’t mention why they named the framework after Taj Mahal, one of the Seven Wonders of the World located in India.

TajMahal toolkit was first discovered by security researchers late last year when hackers used it to spy on the computers of a diplomatic organization belonging to a Central Asian country whose nationality and location have not been disclosed.

However, malware samples examined by the researchers suggest the cyberespionage group behind the attack has been active since at least August 2014.

The TajMahal framework consists of two main packages—”Tokyo” and “Yokohama”—that together contain over 80 distinct malicious modules, which according to researchers, is one of the highest numbers of plugins ever seen for an APT toolset.

“It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine,” the researchers say.

Researchers have not yet figured out how TajMahal infected its targets at the first place, but they do reveal that once accessed, first stage infection Tokyo is downloaded on targeted machines, which then deliver the fully-functional second-stage malware Yokohama.

tajmahal malware

Yokohama stores malicious modules in its encrypted Virtual File System which allows the malware to:

  • log keystrokes,
  • steal browser cookies and data, including backup for Apple mobile devices,
  • record and take screenshots of VoIP calls,
  • steal written CD images,
  • steal documents sent to the printer queue.

Besides usual spying capabilities, the malware also includes some more unique features like requesting to steal a particular file from a previously plugged in USB stick. So, next time when the USB is connected to the infected computer, the file will be stolen.

Though the researchers found only one TajMahal victim so far but given the framework’s sophistication, they believe there are other victims that have yet to be discovered.

“So far we have detected a single victim based on our telemetry,” Kaspersky said.

“This theory is reinforced by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected.”

Additional technical details can be found on the SecureList blog, where the researchers have also published a full set of Indicators of compromise (IOCs) and a complete list of 80 malicious modules stored in the malware with a short description describing what they do.

Let’s block ads! (Why?)

Link to original source