Emergency Bulletin: Firefox 0 day in the wild.

Update at 2:32pm PST / 5:32pm EST: Firefox released a fix for this a few minutes ago. Update to Firefox 50.0.2 now to patch this vulnerability. There is also a Thunderbird fix out, version 45.5.1. Tor have also released a fix with version 6.0.7 of their browser. I also posted an extended update at the end of the post including data indicating this exploit may be part of a law enforcement operation.

We're publishing this as an emergency bulletin for our customers and the larger web community. A few hours ago a zero day vulnerability emerged in the Tor browser bundle and the Firefox web browser. Currently it exploits Windows systems with a high success rate and affects Firefox versions 41 to 50 and the current version of the Tor Browser Bundle, which contains Firefox 45 ESR.

If you use Firefox, we recommend you temporarily switch browsers to Chrome, Safari or a non-Firefox-based browser that is secure until the Firefox dev team can release an update. The vulnerability allows an attacker to execute code on your Windows workstation. The exploit is in the wild, meaning it's now public and every hacker on the planet has access to it. Currently this exploit causes a workstation to report back to an IP address based at OVH in France. There is no fix at the time of this writing. But this code can likely be repurposed to infect workstations with malware or ransomware. The exploit code is now public knowledge, so we expect new variants of this attack to emerge rapidly.

This is a watering hole attack, meaning that a victim has to visit a website that contains this exploit code to be attacked. An attacker's goal would be to compromise workstations of visitors to WordPress websites that have been hacked. So our forensic team is keeping an eye on compromised WordPress websites and we expect to see this code show up on a few of them during the next few days.

On Tuesday just after noon Pacific time, someone published a 0 day exploit for Firefox and Tor to the tor browser mailing list. Since then researcher Dan Guido posted a series of tweets with some analysis of the exploit itself. Twitter user noticed the shellcode (code that executes on your Windows workstation once exploited) is very similar to shellcode likely used by the FBI back in 2013 to deanonymize visitors to child porn websites hosted by FreedomHosting. The FBI confirmed that they compromised that server and days later it was serving malware that would infect site visitor workstations. The code then reported site visitor real IP addresses, MAC addresses (network card hardware address) and Windows computer name to a central server. The shell code in this attack calls back to IP address 5.39.27.226, which was a web server hosted at OVH in France.

Our own research shows that if you look up this IP address in Shodan, it had an SSL certificate that is a wildcard for the domain name. That site for energycdn is simplistic and according to, it has not changed since 2014. Googling shows that the domain is used frequently to host pirated content. Norton Safe Web reports it hosts viruses. Google Safe Browsing transparency report says the domain hosts malware and redirects to malicious sites. One could speculate that the server at 5.39.27.226 was used by as one of their servers to host pirated content. Perhaps the server was compromised by whoever controls energycdn to host that content and then was reinfected by the perpetrator of this new malware variant.

Ars Technica is doing a great job covering this. The Register is also covering the story.

Update at 2:03pm PST / 5:03PM EST on Wednesday: Vice's Motherboard have provided an update 2 hours ago on this issue from a few sources. Remember, this attack targeted Tor users specifically and the goal of the attack was to reveal the identity of the browser operator. It is also very similar to a 2013 attack that was likely launched on child porn website visitors by the FBI to identify and arrest them. The fact that this exploit simply tries to reveal a user's identity rather than infect them with malware indicates it is being perpetrated by a law enforcement branch in some country. Vice is now reporting that their sources are saying this exploit is active on a child porn website called The GiftBox Exchange. There are also warnings on the Dark Web about the presence of this malware. In my opinion this strongly indicates that this exploit is in fact the FBI or another agency targeting visitors of The GiftBox Exchange. FBI declined to comment and Europol did not respond. My guess is that you will hear about this again a few months from now when the indictments start to emerge.
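Two triage checks a site owner or fleet administrator could run on the basis of this bulletin, as an added example that is not part of the original post or of Wordfence's tooling: a version test that applies the stated affected range (Firefox 41 to 50, fixed in 50.0.2) to an inventory of installed browsers, and a file scan that walks a WordPress install looking for the callback address 5.39.27.226 the shellcode contacts. The sample site tree is constructed inside the script; the function names and the marker line it writes are assumptions for illustration, not the real injected code.

```python
import os
import re
import tempfile

# Indicators taken from the bulletin: the affected Firefox range, the fixed
# release, and the address the shellcode reports back to.
AFFECTED_MIN = (41, 0, 0)
FIXED_RELEASE = (50, 0, 2)
CALLBACK_IP = "5.39.27.226"


def parse_version(version: str):
    """Turn '50.0.2', '45.5.0esr' or '50.0' into a comparable 3-tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def firefox_is_vulnerable(version: str) -> bool:
    """True when a mainline Firefox version is inside the bulletin's affected
    range (41 to 50) and predates the 50.0.2 fix. ESR and Tor Browser builds
    have their own fixed releases and are not modelled here (assumption)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_RELEASE


def scan_for_callback_ioc(root: str, ioc: str = CALLBACK_IP):
    """Walk a site tree and return POSIX-style relative paths of files that
    contain the callback address. Files are read as text, ignoring bytes
    that do not decode, so binary uploads do not abort the scan."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    if ioc in fh.read():
                        hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
            except OSError:
                continue  # unreadable file: skip rather than stop the scan
    return sorted(hits)


def build_sample_site() -> str:
    """Create a small constructed WordPress-like tree in a temp directory:
    one clean file and one theme file carrying a reference to the callback
    address. The marker line is constructed for the demo, not real exploit code."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = os.path.join(root, "wp-content", "themes", "sample")
    os.makedirs(theme)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php require __DIR__ . '/wp-blog-header.php';\n")
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n")
        fh.write("<!-- constructed marker: reference to http://" + CALLBACK_IP + "/ -->\n")
    return root


if __name__ == "__main__":
    for v in ("40.0.3", "41.0", "45.5.0esr", "50.0.1", "50.0.2"):
        state = "vulnerable" if firefox_is_vulnerable(v) else "patched/unaffected"
        print(f"Firefox {v}: {state}")
    site = build_sample_site()
    print("files referencing the callback address:", scan_for_callback_ioc(site))
```

Point `scan_for_callback_ioc` at a real document root to sweep a site; a hit is worth a closer look but is not proof of compromise on its own, since a page that merely discusses the address would also match. The version check intentionally treats an ESR build such as 45.5.0esr as vulnerable because it falls inside the range the bulletin gives, and leaves it to the reader to apply the separate ESR and Tor Browser fix versions.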