
FaceApp goes viral, and a new online scam appears

Recently, a photo-editing app called FaceApp, which can make faces look older or add a smile, went viral on Facebook and Instagram. The ESET research team found that, riding on FaceApp's popularity, a new scam has appeared that uses a fake "Pro" version of the app as bait.
 
The FaceApp application offers a variety of face-modifying filters and is available for Android and iOS. While the app itself is free, some features (marked "PRO") are paid, and recent concerns about FaceApp's privacy practices have attracted heavy media attention.
 
ESET has identified two scam techniques that exploit a non-existent "Pro" version of FaceApp.
 
Fake website
In the first, attackers use a fake website claiming to offer the "premium" version of FaceApp for free.
 
Figure 1. One of the scam websites used
 
In reality, the scammers trick their victims into clicking through countless offers to install other paid apps, subscriptions, ads and surveys. Victims also receive requests from various websites to allow notifications; once enabled, these notifications deliver further fraudulent offers.
 
Figure 2. Browser notifications delivering the next step of the scam
 
During testing, the free version of FaceApp could be downloaded from Google Play. However, when the app is downloaded not from Google Play but from another file-sharing service (such as mediafire.com), as shown in Figure 3 below, it is quite likely that the user has downloaded malware.
 
Figure 3. FaceApp presented as "FaceApp PRO" and downloaded from an unofficial source
 
YouTube videos
The second scam technique uses YouTube videos that promote download links for a free "Pro" version of FaceApp. The shortened download links actually lead users to install various other apps from Google Play. One of these YouTube videos is shown in Figure 4 below; at the time of writing, it had over 150,000 views.
 
Although this type of scam is usually only used to serve ads, the shortened links could lead users to install malware with a single click. Similar cases have occurred in the past, for example with Fortnite used as bait.
 
Figure 4. A YouTube video offering a link to download an installer package (APK) for a "FaceApp Pro" app for Android
 
The link above was clicked 96,000 times, though this is not the actual number of downloads.
 
Figure 5. Statistics for the fake "FaceApp Pro" installer package link referenced in the YouTube video
 
Conclusion
No matter how interesting an app is, avoid downloading apps from unofficial sources, and look into the information about the app (developer, rating, reviews, etc.). On Android in particular, every popular app or game may have a fake counterpart. Fortunately, users who care about security can catch these fakes with the security products they use. ESET security experts recommend choosing a professional and trustworthy security brand to keep your mobile device safe; ESET Mobile Security for Android gives your mobile device additional protection.
 
Indicators of Compromise (IoCs)
 
 
***Buy ESET Mobile Security: https://www.eset.tw/estore/zh/

Windows zero-day CVE-2019-1132 exploited in targeted attacks

In June this year, the ESET research team discovered a zero-day attack targeting Eastern Europe that exploited a local privilege escalation vulnerability in Windows.
 
The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. When the vulnerability was discovered, it was reported to the Microsoft Security Response Center, which promptly fixed it and released an update.
 
The affected Windows versions are:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
 
Like many other Microsoft Windows win32k.sys vulnerabilities disclosed in recent years, this one relies on popup menu objects, and it is very similar to the local privilege escalation exploit used by the Sednit group that was analyzed in 2017.
 
The exploit creates two windows: one for the first stage and one for the second stage of exploitation. For the first window, it creates a popup menu object and appends menu items using the CreatePopupMenu and AppendMenu functions. The exploit also sets WH_CALLWNDPROC and EVENT_SYSTEM_MENUPOPUPSTART hooks.
 
The exploit then displays a menu using the TrackPopupMenu function. At this point, the code hooked to EVENT_SYSTEM_MENUPOPUPSTART is executed. This code attempts to open the first available item in the menu by sending the sequence of MN_SELECTITEM, MN_SELECTFIRSTVALIDITEM and MN_OPENHIERARCHY messages to the menu.
 
The next step is the key to triggering the vulnerability: a sub-menu is created while the initial menu is still being built. The exploit code handles the WM_NCCREATE message in the WH_CALLWNDPROC hook, and when it detects that the system is in this state, it sends an MN_CANCELMENUS (0x1E6) message to the first menu, which cancels that menu. Its sub-menu, however, is still created.
 
If this sub-menu object is examined in kernel mode, tagPOPUPMENU->ppopupmenuRoot is found to equal 0. This state lets the attacker use that element of the kernel structure as a NULL pointer dereference. The exploit allocates a new page at address 0x0, which the kernel will treat as a tagPOPUPMENU object (see Figure 1).
 
Figure 1. The tagPOPUPMENU kernel structure
 
At this point the attacker uses the second window. The main goal of the exploit is to flip the bServerSideWindowProc bit in the tagWND structure of the second window. This causes the WndProc procedure to be executed in kernel mode.
 
To do this, the attacker leaks the kernel memory address of the second window's tagWND structure by calling the unexported HMValidateHandle function in the user32.dll library. The exploit then crafts a fake tagPOPUPMENU object at the NULL page and sends an MN_BUTTONDOWN message to the sub-menu.
 
After that, the kernel eventually executes the win32k!xxxMNOpenHierarchy function.
 
Figure 2. Disassembly of the win32k!xxxMNOpenHierarchy function
 
This function passes the crafted object from the NULL page to win32k!HMAssignmentLock. The bServerSideWindowProc bit is set inside the win32k!HMDestroyUnlockedObject function, which sits several calls deep inside win32k!HMAssignmentLock.
 
Figure 3. Disassembly of the win32k!HMDestroyUnlockedObject function
 
Once all of this is done, the exploit can send a specific message to the second window in order to execute WndProc in kernel mode.
 
Finally, the exploit replaces the token of the current process with the system token.
 
The released update adds a NULL pointer check to the win32k!xxxMNOpenHierarchy function.
 
Figure 4. Code differences between the two win32k.sys versions: original (left) and patched (right)
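To make the shape of the fix concrete, the following is a simplified model of the dereference and of the check that closes it. This is illustrative C added here, not win32k.sys code; the struct layout, the idea that a root menu points at itself, and the function names open_hierarchy_unpatched and open_hierarchy_patched are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the kernel structure from the write-up. Illustrative code
 * added here, not win32k.sys source; the layout is an assumption. */
typedef struct tagPOPUPMENU {
    struct tagPOPUPMENU *ppopupmenuRoot; /* root of the menu hierarchy; 0 in the bug state */
    int fIsMenuBar;                      /* a field the kernel reads through the root pointer */
} POPUPMENU;

/* Pre-patch pattern: the root pointer is dereferenced without validation.
 * When ppopupmenuRoot is NULL the read goes to page 0. On the vulnerable
 * Windows 7 x86 builds a user process may map that page, so its contents are
 * attacker-controlled; on Windows 8+ the mapping is refused and this is a plain crash. */
static int open_hierarchy_unpatched(const POPUPMENU *ppopup) {
    return ppopup->ppopupmenuRoot->fIsMenuBar;
}

/* Post-patch pattern modelled on the fix: reject the call when the root is NULL
 * instead of touching page 0. Returns -1 for a rejected call. */
static int open_hierarchy_patched(const POPUPMENU *ppopup) {
    if (ppopup == NULL || ppopup->ppopupmenuRoot == NULL)
        return -1;
    return ppopup->ppopupmenuRoot->fIsMenuBar;
}

int main(void) {
    POPUPMENU root = { NULL, 1 };
    root.ppopupmenuRoot = &root;     /* a root menu is modelled as pointing at itself (assumption) */
    POPUPMENU child = { &root, 0 };  /* a normally built sub-menu */
    POPUPMENU orphan = { NULL, 0 };  /* sub-menu left behind after its parent was cancelled */

    printf("child  -> %d\n", open_hierarchy_patched(&child));  /* 1 */
    printf("orphan -> %d\n", open_hierarchy_patched(&orphan)); /* -1, dereference avoided */
    /* open_hierarchy_unpatched(&orphan) would read page 0 and is deliberately not called. */
    return 0;
}
```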
 
Conclusion
This exploit only works on older versions of Windows, because since Windows 8 user processes are not allowed to map the NULL page. Microsoft back-ported this mitigation to Windows 7 for x64-based systems. People still using Windows 7 for 32-bit Systems Service Pack 1 should update to the latest operating system, since extended support for Windows 7 Service Pack 1 ends on January 14, 2020. This means Windows 7 users will no longer receive critical security updates.
 
Indicators of Compromise (IoCs)
 
ESET, a leading global security vendor, has been committed to developing proactive, multi-layered security technologies that combine automated machine learning with human expertise. With more than 30 years of research experience, it provides proactive and intelligent protection products and solutions for businesses of all sizes and endpoint platforms. It has won the Virus Bulletin VB100 award year after year, and its outstanding results keep it at the forefront of the industry. With over 100 million users worldwide, distributors in more than 180 countries, support for multiple languages and localized service, ESET is a security brand that individuals and businesses can trust.
 
For any security needs, contact the ESET security team by phone at (02)7722-6899, or visit the official website: https://www.eset.tw/
 

ESET launches Version 7.0 of File Security for Linux

BRATISLAVA – ESET, a global leader in cybersecurity, has launched Version 7.0 of its ESET File Security for Linux product.

ESET File Security for Linux provides advanced protection to organizations’ general servers, network file storage and multipurpose servers. The software ensures the servers are stable and conflict-free in order to preserve system resources for vital tasks and avoid disrupting business continuity.

As the use of Linux servers increases in popularity with organizations, it is vital that all users and their businesses remain protected against the latest threats. ESET File Security for Linux is powered by the latest ESET LiveGrid® technology and eliminates all types of threats, including viruses, rootkits, worms and spyware. Version 7.0 offers a host of advanced features, including real-time file system protection, tighter security and a real-time web graphical user interface (GUI). 

Additionally, ESET File Security is fully compatible with the ESET Security Management Center and allows you to manage the software through a web interface, giving you the option to schedule on-demand scans, actions and security tasks.

Matus Cipak, product manager from ESET, says, “Just a single malicious file can pose a serious threat to organizations of any size, and a reliable and advanced security software system is an absolute must for modern businesses. With ESET File Security, users can rest assured that their organizations and their servers are fully protected against the latest threats. Whether it’s a targeted attack on your organization or hidden ransomware, ESET is proud to provide businesses with the absolute best in enterprise security.”

For further information on ESET File Security for Linux, click here.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

SafeDNS renames and regroups several content categories and introduces new ones

SafeDNS has changed the names of several content categories and regrouped them, so that it is easier for our users to grasp their essence and decide which categories to block or allow with the web filtering service.

So, we have renamed the category containing sites with child sexual abuse images and criminally obscene adult and child sexual abuse content from a list compiled by the Internet Watch Foundation (IWF, UK). The category is now called ‘Child Sexual Abuse (IWF)’, and we have moved it to a large group of categories called ‘Illegal Activity’. To the same group, we have moved two more categories: ‘German Youth Protection’ and ‘Child Sexual Abuse (Arachnid)’.

A new category, ‘Crypto-Mining’, is added to the ‘Illegal Activity’ group. The category contains sites that are known to stealthily mine cryptocurrencies.

Two more categories have been renamed: the one we used to call ‘Banner Ads’ is now ‘Online Ads’, and the ‘Politics’ category is now called ‘Politics, Society and Law’.

A significant change is that we now have an entirely new group of categories, called ‘Security’. Into this group, we have moved the three long-existing categories you know well: ‘Virus Propagation’, ‘Phishing’, and ‘Botnets’.

In the large group of categories, called ‘General Sites’, there’s a new category, ‘Online Libraries’. Its name is pretty much self-explanatory. The category contains online library sites.

We sincerely hope the new names of the filtering categories and the new way of grouping them make it clearer what content the categories contain and whether to block them.

Go to the Web Filtering tab of your SafeDNS Dashboard and check the changes. You might want to block some of the new categories to improve your internet security further!


About SafeDNS
SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.