According to a report this morning from SonicWall, a vulnerability that could allow remote code execution has been discovered in WinRAR. This software vulnerability exposes the half a billion users of this Windows unarchiver. The vulnerability exploited is detailed by MITRE in CVE-2018-20250.
To find out if you are vulnerable, check to see if your WinRAR version is anything prior to WinRAR prior to 5.70 beta 1.
The fix is to update your software to the latest WinRAR version to resolve the issue.
For those not familiar with WinRAR, according to Wikipedia, “WinRAR is a trialware file archiver utility for Windows, developed by Eugene Roshal of win.rar GmbH. It can create and view archives in RAR or ZIP file formats, and unpack numerous archive file formats. To enable the user to test the integrity of archives, WinRAR embeds CRC32 or BLAKE2 checksums for each file in each archive. WinRAR supports creating encrypted, multi-part and self-extracting archives.”
Hello, World! Your Internet connection may be going down this November 15, 2018 onward if your devices are connected to the internet via Norton ConnectSafe’s DNS IP addresses and you do not have a secondary DNS in place. The announcement is currently displayed at https://connectsafe.norton.com/configureRouter.html with a link to this FAQ that hopefully will answer most of your questions.
The DNS IP Addresses you need to check for and change from are any pair among the following:
If you changed your DNS, you probably know already which one you want to go to next. If you have no idea and need some time to investigate, you can either remove the DNS settings that you have in your device (computer or mobile device) and therefore default to your Internet Service Provider’s DNS settings or you can temporarily follow this How-To Geek article that offers step by step instructions on how to change your DNS to OpenDNS’ or Google’s if you trust these two tech companies.
Alright, you are now in the know, friend!
Here is little warning and reminder not to get too comfortable thinking that scammers are gone or that your email spam filter is so good they will never get to you. Here is your wake up call: These people never get tired of trying. They use all sorts of means to disguise themselves including shortening their links by means of “short url” machines like in the case of the above picture.
Example of an email that hides a dangerous link behind a tinyurl link under the UPGRADE NOW button.
In fact, I just got right in my inbox one of those messages with a malicious link to some phishing scam hosted on https:// [some_malicious_place] .us.archive.org. But the link that was actually in the big blue button was not pointing there directly. It was disguised behind a https:// tinyurl.com/ [some_extension_goes_here]. It took running the link through Google’s online virus scanner virustotal.com to detect that the final destination of the link is an archive.org-hosted malicious content and site.
So, when you get an email that makes you uncomfortable as to why you are getting it or one that it looks suspicious, you probably are right. It is probably suspicious and dangerous. Get your IT friend look at it or just do not click on any links or attachments in it until you can get it verified by someone who has the tools. If you know how to extract the links without activating them, then do that and report the links if malicious to places like virustotal.com or to your antivirus software so they can include it in their next update. Please note that sometimes the email may come from an address of a person you actually know (after their mailbox was hijacked or is being spoofed).
Google is full of resources on how to tell if the email you are looking at is Spam. Seriously. Just type such a question and you will find a plethora of reputable sites with good examples. Emphasis on reputable. Do not fall for more phishing while trying to detect some.
This screenshot from virustotal.com details page shows us the final URL the tinyurl link or Shortened URL that was in the phishing email would have led to.
Uber has suffered a data breach a year ago, and the address and email information of 57 million people were stolen. Uber paid off the hackers who then supposedly deleted the data, but that cannot be confirmed.
Watch out for phishing emails related to this Uber data theft, for instance that your “Uber account was compromised” and that you need to change your password, or anything else related to Uber that could be suspicious.
Never click on a link in an email for situations like these, always go to the website yourself through your browser’s address bar or a bookmark you have set earlier.
Remember, Think Before You Click!
UPDATE3: On a website dedicated to the “Key Reinstallation Attacks,” https://www.krackattacks.com/, the researcher who brought attention to this vulnerability describes what it is, presents a demo of the attack against an Android device as client, and suggests practical steps in a rich Q&A article.
UPDATE2: More companies have updates available. Microsoft also has released an update for client devices. (Source: Pileum Corporation)
If you have a Meraki access point, they have released a patch to address this issue. See below link for more information.
If you have an Aerohive access point, they have released a patch to address this issue. See below link.
SonicWALL has announced that their firewalls and access points are not vulnerable to the flaws in WPA2.
Cisco has released patches for some of their products that are affected. You can check for those products and updates as they are released here:
Microsoft has released a patch that provides additional protection on the client workstation. We recommend that this be installed on all workstations immediately.
UPDATE1: Several Wi-Fi AP manufacturers have started developing and releasing Updates. Please check the CERT website below for updates. One of the most recent ones is Meraki access point.
In a research paper titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA,” Leuven, Belgium researchers Mathy Vanhoef and Frank Piessens just proved that WPA2 handshake traffic can be manipulated to induce nonce and session key reuse. Here is an overview of the announcement from CERT:
Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or client. An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames.
The simplest solution is to install updates provided by your Wi-Fi device vendor.
More on this here:
In an article on their website, Piriform, a company recently acquired by Avast, published the following apology.
Dear CCleaner customers, users and supporters,
We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.
An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.
While more articles on this subject can be found on Spiceworks, a very commendable article about the incident was published by the The Thalos group who first discovered the breach into Avast’s servers.
If you are like me, you did not want to open an apparently random text from firstname.lastname@example.org or whatever the email@example.com that just came to your phone. So you did a quick search in your favorite search engine and this article came up.
So, nothing to worry about. It’s just your optometrist or your dentist (one of those medical professionals you recently visited) reminding you of an appointment or a prescription to pick up.
Alright, with that said, here is a little disclaimer: be careful! Some crazy dude could forge this and spoof that sender’s email address. So, do not download or open any attachment if you can help it. First call your doctor to confirm (or check your email) and see if they sent you any notification.
Great! I hope you have a some peace of mind now. I did once I was reassured and run the antivirus and all the good stuff any cautious person would wanna do.
And, oh, one more thing. If you have considered blogging on WordPress.com or Jetpack before, get it it now! They have a 30% Off promotion if you use coupon code HOLIDAY30 by December 31, 2017.