Security News #0x66: The Mask
- Metasploit announced a module that attacks Android WebView, up through 4.2. Now you can pwn a phone with a QR code. I would love to say that I have tried it, but my Kali has only been updating for two hours, grabbing a whopping 20 KB/s of update joy. Perhaps next week I’ll have some time to try it out.
- The other new Metasploit module I want to try is Windows TrackPopupMenuEx Win32k NULL Page. This is a privilege escalation attack based on CVE-2013-3881 and patched in MS13-081. It (apparently) affects Windows 7 SP0 and SP1. Sigh. The Kali update says it should finish in 3 more hours.
- Kahu Security discusses various techniques to redirect web pages, with a special emphasis on techniques that store the redirect script in images.
- Raphael Mudge shows how to modify the source for one of the modules within Metasploit; in particular he updated the reverse_http stager to allow for a non-blank User-Agent string.
- A new piece of malware, called "The Mask," has been detected. Threatpost calls it a nation-state level attack, and says that the targets were primarily in Spanish-speaking countries. Dark Reading reports some 380 victims among some 1,000 IP addresses. ZDNet reports that malicious links to the Washington Post and the Guardian were used in the attacks.
- Cloudflare has provided some of the technical details behind the NTP amplification DDoS attack that hit them last week. This was a big attack, as they were hit with some 400 Gbps of traffic.
- Ars Technica reports that a number of Asus routers can be remotely attacked. Update your firmware!
- And if you think the problem is restricted to Asus, well, there also appears to be a currently propagating worm called "TheMoon" that is infecting Linksys routers.