Cracking tool milks weakness to reveal some Mega passwords (Updated)

Yet another security researcher is poking holes in the security of Mega, this time by pointing out that the confirmation messages e-mailed to new users can in many cases be cracked to reveal their password and take over their Mega accounts.

Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease with which attackers can intercept unencrypted messages sent over the Internet.

Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.
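The article's point is that nothing in the confirmation link should be derived from the password, because anyone who reads the e-mail can then guess the password offline at their leisure. The following is an added example, not Mega's code, of how a confirmation flow avoids that: the link carries a random single-use token from the OS CSPRNG, the server stores only a hash of it with an expiry, and the password never enters the function at all. The URL, function names and time-to-live are assumptions made for this illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical account-confirmation flow (added example, not Mega's implementation).
# The token e-mailed to the user is 32 random bytes; it is unrelated to the password,
# so an intercepted e-mail gives an attacker nothing to crack.

TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window

# Server-side store: sha256(token) -> (email, expiry). Only the hash is kept, so a
# leaked copy of this table does not yield working links either.
_pending: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_confirmation_link(email: str, now: Optional[float] = None) -> str:
    """Register a pending confirmation and return the link to e-mail.

    Note that the password is not a parameter: no password material, hashed or
    otherwise, is ever placed in the link.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return "https://example.invalid/confirm#" + token  # hypothetical URL


def confirm(token: str, now: Optional[float] = None) -> Optional[str]:
    """Redeem a token exactly once. Returns the confirmed e-mail, or None.

    The lookup is keyed on the token's hash; since the token itself is a fresh
    256-bit random value, a wrong guess has no partial-match to leak.
    """
    now = time.time() if now is None else now
    record = _pending.pop(_digest(token), None)  # single use: removed on any attempt
    if record is None:
        return None
    email, expiry = record
    if now > expiry:
        return None  # expired tokens are discarded, not honoured late
    return email


if __name__ == "__main__":
    link = issue_confirmation_link("alice@example.invalid")
    print("e-mail this:", link)
    token = link.split("#", 1)[1]
    print("first redeem :", confirm(token))   # alice@example.invalid
    print("second redeem:", confirm(token))   # None (already used)
```

Because the token is independent of the password, the only way an intercepted e-mail helps an attacker is to confirm the account on the user's behalf, and the expiry plus single-use rule bounds even that.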


Downloader Targets Down Under

At the time of this blog post, and for the past five days, we have noticed an increase in spam containing malware that targets Australians. The attackers behind this malicious spam campaign appear to have no specific target in mind other than compromising a large base in Australia for reasons still unknown. Symantec Security Response has observed two separate versions of this campaign purporting to be from Australian organizations and targeting Australian users.

In the following example, an email pretends to be from the "Australian Taxation Office" with the subject line "Tax Agent Report – Delayed Tax Returns" and contains a 'Tax Report.zip' attachment file. Inside the zip file is a TaxReport.xls.exe malicious executable file.

Figure 1. Downloader.Dromedan, malicious email spoofs Australian Taxation Office

In another example, an email pretends to be from an Australian airline with the subject line "Check-in Details" and contains a Check-in-Details.zip attachment file. Inside the zip file is a 'check-in details.pdf.exe' malicious executable file.

Figure 2. Downloader.Dromedan, malicious email spoofs Australian airline

Both email attachments contain the exact same malware and, once executed, the malware will connect to the following command-and-control (C&C) servers:

  • linebench.ru/image.php
  • headart.pl/image.php
  • iprice.pl/image.php
  • dyndin.ru/image.php
  • dudebox.pl/image.php

This malware is designed to download and execute additional malicious files onto the compromised machine. Symantec has protections in place for these attacks and detects them as Downloader.Dromedan.
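The post gives two things a defender can act on: the double-extension executables hidden inside the zip attachments (TaxReport.xls.exe, check-in details.pdf.exe) and the five C&C URLs. The script below is an added example, not Symantec's code, that applies both indicators to constructed mail-gateway and web-proxy log lines. The log formats, sender addresses, client IPs and timestamps are invented for the illustration; the C&C URLs are the ones listed above.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# C&C URLs as listed in the post (host + path, no scheme).
C2_URLS = {
    "linebench.ru/image.php",
    "headart.pl/image.php",
    "iprice.pl/image.php",
    "dyndin.ru/image.php",
    "dudebox.pl/image.php",
}

# A document-looking name that really ends in .exe, e.g. "report.xls.exe".
DOUBLE_EXT_EXE = re.compile(r"\.[a-z0-9]{2,4}\.exe$", re.IGNORECASE)

# Key="value" pairs as emitted by a hypothetical mail gateway (constructed format).
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample mail-gateway log: the two campaign lures plus one benign message.
MAIL_LOG = """\
2013-01-22T09:14:02Z from="noreply@ato-lookalike.invalid" subj="Tax Agent Report - Delayed Tax Returns" zip="Tax Report.zip" inner="TaxReport.xls.exe"
2013-01-22T09:15:40Z from="checkin@airline-lookalike.invalid" subj="Check-in Details" zip="Check-in-Details.zip" inner="check-in details.pdf.exe"
2013-01-22T09:16:11Z from="payroll@corp.invalid" subj="January payslip" zip="payslip.zip" inner="payslip-jan.pdf"
"""

# Constructed sample proxy log: "epoch client method url status bytes".
PROXY_LOG = """\
1358846200.123 10.0.0.15 GET http://linebench.ru/image.php 200 512
1358846201.456 10.0.0.15 GET http://dyndin.ru/image.php 200 40960
1358846202.789 10.0.0.22 GET http://www.example.com/index.html 200 2048
"""


def flag_attachments(log: str) -> List[Dict[str, str]]:
    """Return messages whose archived file hides an .exe behind a document extension."""
    hits = []
    for line in log.splitlines():
        fields = dict(KV_RE.findall(line))
        inner = fields.get("inner", "")
        if DOUBLE_EXT_EXE.search(inner):
            hits.append({"from": fields.get("from", "?"), "zip": fields.get("zip", "?"), "inner": inner})
    return hits


def flag_c2_requests(log: str) -> List[Dict[str, str]]:
    """Return proxy requests whose host+path matches a listed C&C URL."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        _ts, client, _method, url = parts[:4]
        u = urlsplit(url)
        if u.hostname and f"{u.hostname}{u.path}" in C2_URLS:
            hits.append({"client": client, "url": url})
    return hits


if __name__ == "__main__":
    for h in flag_attachments(MAIL_LOG):
        print("suspicious attachment:", h)
    for h in flag_c2_requests(PROXY_LOG):
        print("C&C contact:", h)
```

A host that appears in both lists (opened the lure, then fetched image.php) is the one to isolate first, since the post says the downloader's job is to pull further payloads onto the machine.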

As always, we recommend users exercise caution when opening email attachments. If a suspicious email claims to come from an organization you have no personal business dealings with, the safe assumption is that it is malicious and should not be opened.

If you doubt the authenticity of an email, you can always directly visit the Web page of these organizations and contact them for information. Most organizations fall victim to spammers and scammers, and usually have a way to report abuse on their websites.

Just-patched Java, IE bugs used to snare human rights sites

The website belonging to non-governmental organization Reporters Without Borders is the latest to be hit by attacks that use the recently patched Java and Internet Explorer vulnerabilities to surreptitiously hijack computers of visitors, security researchers said.

The compromise comes a week after similar attacks successfully commandeered sites belonging to major Hong Kong political parties, Jindřich Kubec, a security researcher with antivirus provider Avast, wrote in a blog post published Tuesday. It's most likely another example of a "watering hole" attack, in which attackers target the sites their victims are likely to visit, in much the way predators position themselves near a river or lake bed to lie in wait for thirsty prey.

"Such an organization is an ideal target for [a] watering-hole campaign, as it seems right now the miscreants concentrate only on human rights/political sites—many Tibetan, some Uygur, and some political parties in Hong Kong and Taiwan which are the latest hits in this operation," Kubec wrote. "In our opinion the finger could be safely pointed to China (again)."
