1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Emergency Bulletin: Firefox exploit

Discussion in 'BlackHat Lounge' started by No.RuleZ, Nov 30, 2016.

  1. No.RuleZ

    No.RuleZ BANNED BANNED

    Joined:
    Jul 23, 2010
    Messages:
    1,746
    Likes Received:
    361
    We’re publishing this as an emergency bulletin for our customers and the larger web community. A few hours ago a zero day vulnerability emerged in the Tor browser bundle and the Firefox web browser. Currently it exploits Windows systems with a high success rate and affects Firefox versions 41 to 50 and the current version of the Tor Browser Bundle which contains Firefox 45 ESR.

    If you use Firefox, we recommend you temporarily switch browsers to Chrome, Safari or a non-firefox based browser that is secure until the Firefox dev team can release an update. The vulnerability allows an attacker to execute code on your Windows workstation. The exploit is in the wild, meaning it’s now public and every hacker on the planet has access to it. There is no fix at the time of this writing.

    Currently this exploit causes a workstation report back to an IP address based at OVH in France. But this code can likely be repurposed to infect workstations with malware or ransomware. The exploit code is now public knowledge so we expect new variants of this attack to emerge rapidly.

    This is a watering hole attack, meaning that a victim has to visit a website that contains this exploit code to be attacked. So our forensic team is keeping an eye on compromised WordPress websites and we expect to see this code show up on a few of them during the next few days. An attackers goal would be to compromise workstations of visitors to WordPress websites that have been hacked.

    How this unfolded
    On Tuesday just after noon Pacific time, someone https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html to the tor browser mailing list.

    [​IMG]

    Since then researcher https://twitter.com/dguido/status/803837261485932544 posted a series of tweets with some analysis of the exploit itself.

    [​IMG]

    Twitter user https://twitter.com/TheWack0lian/status/803743900372504577 the shellcode (code that executes on your Windows workstation once exploited) is very similar to shellcode likely used by the https://www.wired.com/2013/09/freedom-hosting-fbi/. The FBI confirmed that they compromised that server and days later it was serving malware that would infect site visitor workstations. The code then reported site visitor real IP addresses, MAC addresses (network card hardware address) and windows computer name to a central server. This code is very similar.

    [​IMG]

    What we found
    The shell code in this attack calls back to IP address 5.39.27.226, which was a web server hosted at OVH in France. The site is now down. Our own research shows that if you https://www.shodan.io/host/5.39.27.226, it had an SSL certificate that is a wildcard for the energycdn.com domain name. That site for energycdn is simplistic and https://web.archive.org/web/20150731020432/http://www.energycdn.com/, it has not changed since 2014.

    https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=%22energycdn.com%22%20torrent shows that the domain is used frequently to host pirated content. https://safeweb.norton.com/report/show_mobile?name=energycdn.com. Google Safe Browsing transparency report says the https://www.google.com/transparencyreport/safebrowsing/diagnostic/#url=energycdn.com.

    One could speculate that the server at 5.39.27.226 was used by energycdn.com as one of their servers to host pirated content. Perhaps the server was compromised by whoever controls energycdn to host that content and then was reinfected by the perpetrator of this new malware variant. But we’re speculating.
     
  2. SunnyLeon

    SunnyLeon Jr. VIP Jr. VIP

    Joined:
    Oct 13, 2013
    Messages:
    515
    Likes Received:
    178
    Gender:
    Male
    Location:
    Outside the Matrix
    Thank you, I`m closing down for now I guess :)
     
  3. JRB137

    JRB137 Registered Member

    Joined:
    Nov 24, 2016
    Messages:
    59
    Likes Received:
    3
    Gender:
    Male
    Occupation:
    Self-Employed
    Location:
    North East, UK
    Thanks for the heads up, appreciated!