TeamViewer fixes bug that lets attackers access your PC

Popular remote access and troubleshooting app, TeamViewer has patched a vulnerability that could let attackers quietly establish a connection to your computer and further exploit the system.

When successfully exploited, this bug would let an unauthenticated, remote actor execute code on your Windows PC, or obtain password hashes (e.g., for cracking via brute-force).

Full article: https://www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/

Definition: Consent Phishing

A “consent phishing” scam is an attempt by adversaries to get employees to install a malicious application and/or grant it permissions that will allow it to access sensitive data or perform unwanted functions.

This type of consent phishing relies on the OAuth 2.0 authorization technology. By implementing the OAuth protocol into an app or website, a developer gives a user the ability to grant permission to certain data without having to enter their password or other credentials.

Used by a variety of online companies including Microsoft, Google, and Facebook, OAuth is a way to try to simplify the login and authorization process for apps and websites through a single sign-on mechanism. However, as with many technologies, OAuth can be used for both beneficial and malicious purposes.

Microsoft details the problem step by step in its blog post:

  1. An attacker registers an app with an OAuth 2.0 provider.
  2. The app is configured in a way that makes it seem trustworthy, such as using the name of a popular product used in the same ecosystem.
  3. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or through other techniques.
  4. The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
  5. If a user clicks Accept, they grant the app permissions to access sensitive data.
  6. The app gets an authorization code, which it redeems for an access token, and potentially a refresh token.
  7. The access token is used to make API calls on behalf of the user.
  8. The attacker can then gain access to the user’s mail, forwarding rules, files, contacts, notes, profile, and other sensitive data.

“Part of the problem is that most users don’t understand what is happening,” Roger Grimes, data driven defense evangelist at KnowBe4 said. “They don’t know that a sign-on that they’ve used with Gmail, Facebook, Twitter or some other OAuth provider is now automatically being called and used or abused by another person. They don’t understand the permission prompts either. All they know is they clicked on an email link or an attachment and now their computer system is asking them to confirm some action that they really don’t understand.”

Redirection Hack: a case study

Several hacked sites we recently repaired had the same exploit, which can be tricky to detect by most site owners. We’ve seen this one enough that we feel it is important to let you know what to look for.

A good friend of ours mentioned as an aside that his site kept getting hacked and though his more technically adept relative had cleaned up the immediate problem, whenever someone attempted to look up his site on a search engine they were met with a list of spam sites (viagra ads and the like) all listing HIS site as the web address. He had no idea how that happened, much less how to fix it.

Here’s what was going on: There’s a file at the root of most websites named “.htaccess”. This file has a bunch of specific directives on how to handle various traffic to your website – for instance, if you redesign your site and change some of the page names (for instance, from “mysite.com/contact.html” to “mysite.com/contact/”) it can be used to redirect visitors to the new page. Without redirecting the visitor would end up on your Not Found page, which is frustrating for them and not a good customer service practice.

If hackers gain access to this file they can redirect your visitors anywhere they want, and that’s exactly what happened in these cases.

The hackers had written a set of directives which said in essence “If the visitor is coming from Google, Bing, etc (listing all the big search engines), then please redirect them to one of a list of spam sites”. So when the search engines crawled the site they were also redirected, and the web address was associated with the spam sites on the search engine.

So it might be a good idea to search your own site from time to time. If you happen to run into a similar problem on your site – or someone else’s – we can help.

All of the sites managed by ProtectYourWp.com are protected against this kind of hack, of course. The sites alluded to above were running vulnerable versions of WordPress and plugins which were the likely entry for the hackers. The sites are now new clients, being kept up to date by us.

New Virus from the domain “ js.donatelloflowfirstly[.]ga “ is infecting many WordPress sites

This is an advertising injection/redirection javascript which sends your visitors off to malicious domains. The javascript in question is injected into EVERY post on affected sites.

Our clients should be automatically protected against most javascript injections such as this (but let us know if you see something like this on your site!).

A quick search for “donatelloflowfirstly” will bring up a bunch of sites which are affected – and a few with instructions on how to clean up the mess.