Facebook Implemented Whitehat Settings for Bug Hunters to Analyze Network Traffic

Facebook has implemented a new Whitehat Settings option to help bug hunters analyze network traffic in the Facebook, Messenger and Instagram Android applications.

You can enable the option from your own account for bug bounty purposes, in order to look for server-side security vulnerabilities.

The new Whitehat Settings enable security researchers to bypass Facebook’s certificate pinning mechanism, the Facebook blog post reads.

Certificate pinning is a security measure that protects HTTPS connections against man-in-the-middle attacks. Storing a known, trusted certificate, together with its fingerprint or serial number, in a trusted store so that the client accepts only that certificate is what is called certificate pinning.

You can enable the Whitehat Settings option from the Facebook app; the option is available only in the Android client, not in the iOS client.
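As an added illustration (not Facebook's code, whose apps use their own pinning implementation), this is how the standard Android Network Security Configuration expresses certificate pinning, together with a debug-build override that lets a researcher's proxy CA be trusted without weakening release builds; the domain and pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <domain-config>
        <!-- Placeholder domain: substitute the API host the app talks to. -->
        <domain includeSubdomains="true">api.example.com</domain>

        <!-- Pins are base64 SHA-256 digests of the server's SubjectPublicKeyInfo.
             Pinning the public key rather than the whole certificate survives
             routine certificate renewal as long as the key is kept. -->
        <pin-set expiration="2025-12-31">
            <!-- Primary key currently in use (placeholder value). -->
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SPKI_SHA256_PRIMARY=</pin>
            <!-- Backup key held offline so a compromise or rotation does not
                 brick the app (placeholder value). -->
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SPKI_SHA256_BACKUP=</pin>
        </pin-set>

        <!-- Release builds trust only the system CA store for this domain. -->
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

    <!-- Applied ONLY when the app is built with android:debuggable="true".
         It lets a user-installed CA (for example an interception proxy used by
         a security researcher) be trusted, which is the same kind of
         controlled bypass that Facebook's Whitehat Settings provide at
         runtime for its own apps. Release builds ignore this block. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Note that pins in a `<pin-set>` still apply under `<debug-overrides>` unless the override also supplies its own trust anchors, as shown, and that an expired `pin-set` silently stops enforcing pins, so the expiration date should be tracked with key rotation.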

Whitehat Settings within the Facebook for Android app

Facebook recently increased its payouts to encourage security researchers to find high-impact vulnerabilities; for an account takeover, Facebook now offers a reward of up to $40,000.

Facebook also recently announced that it had stored hundreds of millions of users’ passwords in plain, human-readable text rather than in masked form.

CVE-2019-0797 Windows Zero-Day exploited by FruityArmor and SandCat APT Groups

One of the zero-day flaws (CVE-2019-0797) patched this week by Microsoft has been exploited in targeted attacks by several threat groups, including the FruityArmor and SandCat APT groups.

This week, Microsoft released its Patch Tuesday security update for March 2019, which addresses 64 flaws, including two Windows zero-day vulnerabilities exploited in targeted attacks.

One of the flaws, tracked as CVE-2019-0808, was disclosed by Google’s Threat Analysis Group after it observed targeted attacks exploiting the issue alongside a recently patched Chrome flaw (CVE-2019-5786).

The second zero-day, tracked as CVE-2019-0797, was reported to Microsoft by experts at Kaspersky Lab, which states that the issue has been exploited by several threat actors, including the FruityArmor and SandCat APT groups.

FruityArmor is a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations in Thailand, Iran, Algeria, Yemen, Saudi Arabia, and Sweden. Experts believe FruityArmor’s activity has been slowly increasing during the last two years, the group

In October 2018, FruityArmor exploited another Windows zero-day in targeted attacks aimed at entities in the Middle East.

The SandCat APT was discovered by Kaspersky Lab at the end of 2018, when the group was observed using a flaw (CVE-2018-8611) addressed by the security updates Microsoft released in December.

CVE-2018-8611 is a race condition in the Kernel Transaction Manager; most interestingly, it could be used to escape the sandbox of the Chrome and Edge web browsers.

The vulnerability was reported to Microsoft by Kaspersky Lab, which within two months had reported two other Windows zero-days, CVE-2018-8453 and CVE-2018-8589, exploited respectively by FruityArmor and by multiple threat actors in attacks mostly aimed at the Middle East.

SandCat was also observed using the FinFisher/FinSpy spyware and the CHAINSHOT malware.

“We believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently,” reads the analysis published by Kaspersky Lab.

“In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.”

CVE-2019-0797

At the time of writing, Kaspersky Lab does not have any information about the targets of the attacks involving CVE-2019-0797.

CVE-2019-0797 is the fourth actively exploited Windows zero-day discovered by Kaspersky Lab in recent months.