Showing results for tags 'dropbox'.
Dropbox strikes back against Bartalex macro malware phishers

Dropbox has struck back against a hacker group using its cloud storage services to store and spread the Bartalex macro malware. Trend Micro fraud analyst Christopher Talampas reported uncovering the campaign on Tuesday while investigating attacks targeting the Automated Clearing House (ACH) network, which many businesses in the US use for electronic funds transfers.

A Dropbox spokesperson later told V3 that the firm is aware of the campaign and has already taken action against the hackers. "We're aware of the issue and have already revoked the ability for accounts involved to share links since they've violated our Acceptable Use Policy," said the spokesperson. "We act quickly in response to abuse reports submitted to abuse@dropbox.com, and are constantly improving how we detect and prevent Dropbox users from sharing spam, malware or phishing links."

The use of Dropbox links to deliver the Bartalex macro malware reportedly makes the campaign particularly dangerous. "Instead of attachments, the message this time bore a link to 'view the full details'. By hovering over the URL we can see that it redirects to a Dropbox link with a file name related to the supposed ACH transaction," read a Trend Micro advisory. "The URL leads to a Dropbox page that contains specific instructions (and an almost convincing) Microsoft Office warning that instructs users to enable the macros. Upon enabling the macro, the malicious document then triggers the download of the banking malware."

Trend Micro reported uncovering at least 1,000 malicious Dropbox links hosting the malware during the campaign's peak. It is unclear how successful the campaign has been, although Trend Micro said that the malware has been used to target big-name financial institutions including JP Morgan. Trend Micro cited the use of macro malware as a sign that criminals are rehashing old tricks in a bid to get round more modern system defences.

"Macro malware like Bartalex is seemingly more prominent than ever, which is an indicator that old threats are still effective infection vectors on systems today," read the advisory. "And they seem to be adapting: they are now being hosted in legitimate services like Dropbox and, with the recent outbreak, macro malware may continue to threaten more businesses in the future."

Macro malware is a threat that afflicted older versions of Windows. Microsoft ended the threat with Office XP in 2001 when it tweaked its systems to request user permission before executing macro scripts in embedded files. Macros are code scripts containing commands for automating tasks and are used in numerous applications.

The discovery follows a reported boom in phishing levels. Research from Verizon earlier in April showed that a staggering one in four phishing scams currently result in success.

Source
Security researchers at IBM have uncovered a bug in cloud storage provider Dropbox's software development kit (SDK) that potentially leaves millions of Android users open to attack. Researchers at IBM's X-Force Application Security Research team warned that the 'DroppedIn' flaw affects many applications using the Dropbox SDK.

"It allows attackers to connect applications on mobile devices to a Dropbox account they control," explained Caleb Barlow, vice president of IBM Security. "This vulnerability may affect any Android app that uses the Dropbox SDK versions 1.5.4 to 1.6.1, and can be exploited locally using malware and remotely using drive-by techniques."

A Dropbox spokesperson told V3 that the firm issued an update fixing the flaw in December 2014 and added that it could only be exploited in "very specific circumstances", on devices where the main Dropbox Android app was not installed. Barlow said that, despite these assurances, hackers could still steal data from systems without the patch.

"The vulnerability allows attackers to execute malicious code during the log-in process that allows them to access the random number, called a 'nonce', that Dropbox uses as part of the authentication process," he said. "Once the attacker has the nonce, they can enter an access token that is also used to identify a user and then upload or download files into/from the victim's vulnerable app to the attacker's Dropbox account."

He added that, to fully fix the problem, application developers will have to install the SDK patch. "There are many apps that rely on the Dropbox SDK, including Yahoo Mail, Microsoft Office Mobile, AgileBits 1Password, and several productivity, photo editing/sharing tools," he said. "Application developers that use the Android Dropbox SDK need to upgrade their version to at least 1.6.2 or above ASAP which is where the patch for this vulnerability exists."

The Dropbox spokesperson moved to allay these concerns, telling V3 that "most Android app developers using our SDK have updated their apps so users don't need to do anything."

The news follows reports that application developers are failing to install critical security updates. Researchers at McAfee reported in February that a number of "popular" applications still do not include critical patches for the high-profile BERserk and Heartbleed Secure Sockets Layer flaws.

Source
1 Introduction

The Dropbox SDK is a library that developers can download and add to their products. This library provides easy access to Dropbox features, such as downloading and uploading files, via a simple set of APIs. AppBrain provides statistics on the prevalence of the Dropbox SDK on Android [1]. According to these statistics, 0.31% of all applications use the Dropbox SDK. Of the top 500 apps in the Google Play Store, 1.41% use the Dropbox SDK. Interestingly, 1.32% of total app installations and 3.93% of app installations of the top 500 apps use the Dropbox SDK, respectively. While it is not a highly prevalent library, some extremely popular Android apps that may hold sensitive information use the Dropbox SDK, including Microsoft Office Mobile with over 10,000,000 downloads [footnote 1] and AgileBits 1Password with over 100,000 downloads [footnote 2].

The vulnerability that we discovered may affect any Android app that uses the Dropbox SDK versions 1.5.4-1.6.1. We examined 41 apps that use the Dropbox SDK for Android, out of which 31 apps (76%) were vulnerable to our attack (i.e. they used version 1.5.4-1.6.1). It is noteworthy that the rest of the apps were vulnerable to a much simpler attack with the same consequences, one that had been fixed by Dropbox in version 1.5.4 of the SDK, which they had not bothered to upgrade to.

This paper is organized as follows. Section 2 gives a background on Inter-App Communication (IAC) in Android. Section 3 shows how IAC can be exploited in general, locally by malware and remotely using drive-by techniques. Section 4 describes how the Dropbox SDK for Android uses OAuth for app authorization. In section 5 we deep-dive into the vulnerability we found within the Dropbox SDK for Android OAuth code. Section 6 presents a real attack, dubbed DroppedIn, that exploits the vulnerability. In section 7, we show that the threat is real by presenting case studies. We end with section 8, which presents a mitigation for the vulnerability.

Footnote 1: https://play.google.com/store/apps/details?id=com.microsoft.office.officehub
Footnote 2: https://play.google.com/store/apps/details?id=com.agilebits.onepassword

2 Inter-App Communication (IAC) in Android

Android applications are executed in a sandbox environment. The sandbox ensures data confidentiality and integrity, as no application can access sensitive information held by another application without proper privileges. For example, Android's stock browser application holds sensitive information such as cookies, cache and history which should not be accessible to third-party apps. The sandbox relies on several techniques, including per-package Linux user-id assignment. Thus, resources such as files owned by one app cannot be accessed by other apps by default.

While sandboxing is great for security, it may diminish interoperability, as apps sometimes need to talk to each other. Going back to the browser example, the browser would want to invoke the Google Play app when a user browses to the Google Play website. In order to support this kind of functionality, Android provides high-level Inter-App Communication (IAC) mechanisms. This communication is usually done using special messages called Intents, which hold both the payload and the target application component. Intents can be sent explicitly, where the target application component is specified, or implicitly, where the target is left unspecified and is determined by Android according to other Intent parameters such as its URI scheme, action or category.

3 General Exploitation via Inter-App Communication

The attack surface is greatly increased if the attacker can directly invoke application components while controlling the Intent's payload. This is the case with exported application components. Such components can be attacked locally by malware. Activities, the Android application components responsible for UI screens, can also be attacked remotely using drive-by exploitation techniques, as shown by [2, 3].

In the local attack, illustrated by Figure 3.1, malware invokes the exported target application component with a malicious Intent (i.e. one that contains malicious data) by simply calling APIs such as Context.startActivity(Intent). In the case of remote drive-by exploitation, illustrated by Figure 3.2, a user is lured into browsing a malicious website. This site serves a web page that causes the browser to invoke the target activity with the malicious Intent.

Read more: http://dl.packetstormsecurity.net/1503-exploits/exploiting-dropboxsdk-android.pdf
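The paper's point in sections 2 and 3 is that an exported component receives Intents from any app on the device, or from a web page via the browser, so the payload must be treated as untrusted input. The following is an added example of the defensive side of that, written for this page; it is not code from the paper or from the Dropbox SDK. The package name, action string, allowed host and activity name are all hypothetical.

```java
// Added illustrative example, not code from the paper or from the Dropbox SDK.
// A hypothetical activity that an app exports so that other apps can hand it an
// https URI to import. Because any local app (or a drive-by web page, through the
// browser) can start it with an arbitrary Intent, every field is validated before
// it is used. Components that never need to be reachable from other apps should
// instead be declared with android:exported="false" in AndroidManifest.xml.
package com.example.intentguard;   // hypothetical package

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

public class ReceiveImportActivity extends Activity {
    private static final String TAG = "IntentGuard";
    // Hypothetical action this component is designed to handle.
    private static final String EXPECTED_ACTION = "com.example.intentguard.ACTION_IMPORT";
    // Hypothetical host this component is willing to fetch from.
    private static final String ALLOWED_HOST = "files.example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        if (!isTrustedIntent(intent)) {
            // Reject and exit without acting on attacker-controlled data.
            Log.w(TAG, "Rejected Intent that failed validation: " + intent);
            finish();
            return;
        }
        // Only here is intent.getData() safe to pass to the import logic.
        Uri target = intent.getData();
        Log.i(TAG, "Importing from validated URI host: " + target.getHost());
    }

    /**
     * Returns true only when the Intent carries the expected action and an
     * https URI on the allowed host. Anything else (null data, file://,
     * content://, javascript:, a different host) is refused. Extras are never
     * trusted on their own; the URI is the single validated input.
     */
    static boolean isTrustedIntent(Intent intent) {
        if (intent == null || !EXPECTED_ACTION.equals(intent.getAction())) {
            return false;
        }
        Uri data = intent.getData();
        if (data == null || data.getScheme() == null || data.getHost() == null) {
            return false;
        }
        if (!"https".equalsIgnoreCase(data.getScheme())) {
            return false;
        }
        return ALLOWED_HOST.equalsIgnoreCase(data.getHost());
    }
}
```

The check is deliberately an allow-list on scheme and host rather than a deny-list of bad values, and it runs before any other code touches the Intent, which is the property that matters for both the local-malware case (Figure 3.1) and the drive-by case (Figure 3.2) described above.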
LinkedIn's iOS application is prone to a vulnerability that may permit remote attackers to execute arbitrary code. Security researcher Zouheir Abdallah has disclosed an HTML parsing vulnerability in the LinkedIn iOS app that can be used to phish for credentials or be escalated into a full-blown attack. The vulnerability occurs when the messaging feature of LinkedIn's mobile app parses invalid HTML; an attacker can exploit it remotely from his or her own account, which could have a serious impact on LinkedIn's users.

He created a proof of concept of the flaw and submitted it to the LinkedIn security team in September 2013. Later, in October 2013, the vulnerable application was patched.

One possible attack vector is that, using this vulnerability, an attacker can easily phish LinkedIn users on the iOS app. As shown in the screenshot, the PoC message says: the iOS app will display the URL without the hyperlink embedded in the HTML a href tag, and the receiver of the message will not even know that he is being redirected to a malicious site. The phishing site can be a replica of LinkedIn that tricks the victim into giving out his username and password. This attack can also be used against LinkedIn users by claiming that they have to re-authenticate to view some article on LinkedIn.

The same attack could also work on other devices such as Android and BlackBerry, but he couldn't test this as he didn't have other handsets at hand. LinkedIn has neither a bug bounty program nor a Hall of Fame; nevertheless, he received a symbolic token of a shirt, a mug and a thank-you note from LinkedIn's security team. Zouheir is known for reporting a serious vulnerability in Dropbox's two-factor authentication back in July 2013.

Source: LinkedIn iOS app HTML Message Parsing Vulnerability