The white hat hacker Tavis Ormandy discovered a severe flaw in Blizzard games that expose millions of PCs to DNS Rebinding attacks.

The notorious white hat hacker Tavis Ormandy at the Google’s Project Zero team made the headlines again, this time he discovered a severe flaw in Blizzard games that could be exploited by remote attackers to run malicious code on gamers’ computers.

The impact of the discovery is potentially amazing, millions of PC are at risk. Every month, roughly half a billion users play popular online games created by Blizzard Entertainment, including World of Warcraft, Overwatch, Diablo III, Hearthstone and Starcraft II.

blizzard games

Play the Blizzard games is very simple, players just need to install a client application, called ‘Blizzard Update Agent.‘ The application runs JSON-RPC server over HTTP protocol on port 1120, and “accepts commands to install, uninstall, change settings, update and other maintenance related options.

“All blizzard games are installed alongside a shared tool called “Blizzard Update Agent”, claims they have “500 million monthly active users”, who presumably all have this utility installed.” wrote Ormandy on a Chromium thread. “The agent utility creates an JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance related options. Blizzard use a custom authentication scheme to verify the rpc’s are from a legitimate source”

Ormandy demonstrated that the Blizzard Update Agent is vulnerable to ‘DNS Rebinding’ attack that allows any website to create a dns name that they are authorized to communicate with, and then make it resolve to localhost.

The local Blizzard updater service fails to validate what hostname the client was requesting and responds to such requests.

Practically, the website poses itself as a bridge between the external server and your localhost, “this means that *any* website can send privileged commands to the agent.”

The attackers can launch a DNS Rebinding attack to create a DNS entry to bind any attacker-controlled web page with and trick users into visiting it, with this technique a hacker can remotely send privileged commands to the Blizzard Update Agent using JavaScript code.

Ormandy published a proof-of-concept exploit that executes DNS rebinding attack against Blizzard clients.

“I have a domain I use for testing called, you can use this page to generate hostnames: Here I want to alternate between and, so I use

$ host has address
$ host has address
$ host has address" wrote Ormandy.

“Exploitation would involve using network drives, or setting destination to “Downloads” and making the browser install dlls, datafiles, etc. I made a very simple demo, I’m sure it’s quite brittle, but hopefully you get the idea! See screenshot attached of how it’s supposed to look.”

Blizzard Games Blizzard Update Agent is vulnerable DNS Rebinding

Ormandy reported the flaw to Blizzard in December, but after initially communication, Blizzard stopped responding his messages. According to the expert, the companyrolled out just partial mitigation in the client version 5996.

Ormandy was disappointed about the company’s behavior.

“Blizzard were replying to emails, but stopped communicating on December 22nd. Blizzard are no longer replying to any enquiries, and it looks like in version 5996 the Agent now has been silently patched with a bizarre solution.” wrote the expert.

“Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist. I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple. I’m not pleased that Blizzard pushed this patch without notifying me, or consulted me on this.”

Once Ormandy publicly disclosed the issue, Blizzard informed him that it addressed the bug with a more robust Host header whitelist fix that is currently under validation in a QA environment.

Pierluigi Paganini

(Security Affairs – DNS Rebinding attacks, Blizzard Games)

The post Google hacker found a critical flaw in Blizzard Games that expose millions of PCs to DNS Rebinding attacks appeared first on Security Affairs.

The popular Linus Torvalds harshly criticizes the Spectre patches issued by Intel to patch the Spectre variant 2 flaw affecting its processor chips.

Security experts harshly criticize the patch issued by Intel to patch the Spectre variant 2 flaw affecting its processor chips.

Intel has decided to do not disable the prediction feature in future chips until the company will implement design changes in microarchitecture, but this means that the shipped chips will be “vulnerable by default” and will include a protection flag that can be set by software.

Intel published a technical note about the mitigation of the Spectre flaw

Intel explained its approach in its technical note about Spectre mitigation (“Speculative Execution Side Channel Mitigations“), the tech giant addressed the issue with an opt-in flag dubbed IBRS_ALL bit (IBRS states for Indirect Branch Restricted Speculation).

The famous Linus Torvalds expressed in an email to the Linux Kernel mailing list his disappointment, he defined the Linux Spectre Patches “UTTER GARBAGE”

“All of this is pure garbage. Is Intel really planning on making this shit architectural?” he wrote. “Has anybody talked to them and told them they are f*cking insane? Please, any Intel engineers here – talk to your managers.” 

“They do literally insane things. They do things that do not make sense … The patches do things that are not sane. 


Spectre patches

The Indirect Branch Restricted Speculation, along with Single Thread Indirect Branch Predictors (STIBP) and Indirect Branch Predictor Barrier (IBPB), prevent the abuse of the prediction feature and the exploitation of the flaw.

Torvalds speculate the Intel’s decision to address the issues in this way is mainly motivated by the intention to avoid legal liability. Recalling two decades of flawed chips would have a catastrophic impact on the tech giant.

Torvalds explained that the impact of using IBRS on existing hardware is so severe that no one will set the hardware capability bits.

“Nobody sane will use them, since the cost is too damn high,” he said.

Of course, the impact on the performance depends on the hardware and workload involved.

Let me close with an abstract from the Linus Torvalds’s email:

“That’s part of the big problem here. The speculation control cpuid stuff shows that Intel actually seems to plan on doing the right thing for meltdown (the main question being _when_). Which is not a huge surprise, since it should be easy to fix, and it’s a really honking big hole to drive through. Not doing the right thing for meltdown would be completely unacceptable.

So the IBRS garbage implies that Intel is _not_ planning on doing the right thing for the indirect branch speculation.

Honestly, that’s completely unacceptable too.” wrote Torvalds.

“Have you _looked_ at the patches you are talking about? You should have – several of them bear your name.

The patches do things like add the garbage MSR writes to the kernel entry/exit points. That’s insane. That says “we’re trying to protect the kernel”. We already have retpoline there, with less overhead.

So somebody isn’t telling the truth here. Somebody is pushing complete garbage for unclear reasons. Sorry for having to point that out.

If this was about flushing the BTB at actual context switches between different users, I’d believe you. But that’s not at all what the patches do.

As it is, the patches are COMPLETE AND UTTER GARBAGE.

They do literally insane things. They do things that do not make sense. That makes all your arguments questionable and suspicious. The patches do things that are not sane.


Pierluigi Paganini

(Security Affairs – Spectre patches, Linus Torvalds)

The post Linus Torvalds calls the Linux Spectre patches “UTTER GARBAGE” appeared first on Security Affairs.

According to a researcher from security firm Predeo, three Sonic apps in the Google Play published by SEGA leak users’ data to uncertified servers.

According to a researcher from security firm Predeo, some game applications in the Google Play published by SEGA leak users’ data to uncertified servers.

The Android apps are Sonic Dash,  Sonic the Hedgehog™ Classic, and Sonic Dash 2: Sonic Boom, that have been totally downloaded millions of times.

The expert discovered that the apps are leaking users’ geolocation and device data to suspicious servers, thereby posing a privacy threat to mobile gamers, according to researchers.

Pradeo’s Lab discovered that some game applications in the Google Play published by SEGA, the famous video games developer and publisher, access and leak users’ geolocation and device dataHundreds of millions of users are concerned by these data privacy violations.” states the blog post published by Pradeo.


The Sonic apps send data to an average of 11 distant servers, three of which are not certified. Most of the servers obviously collect data for marketing purposes, but the expert observed that two of the three uncertified servers are linked to a potential unwanted library app dubbed Android/Inmobi.D,

Android.InMobi is classified as an advertisement library that is bundled with certain Android applications.

The expert discovered that the Sonic apps also leak mobile network information, including the service provider name, network type, and device information (i.e. manufacturer, commercial name, battery level, the maximum level of the battery, and operating system version number).

The researchers at Pradeo also conducted a vulnerability assessment for the three Sonic App and discovered an average of 15 OWASP (Open Web Application Security Project) flaws.

Experts discovered two critical flaws, X.509TrustManager and PotentiallyByPassSslConnection, that could be exploited by hackers to power man-in-the-middle attacks due to the lack of validation for SSL certificate errors.

“Unsafe implementation of the interface X509TrustManager. Specifically, the implementation ignores all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.” reads the description for the X.509TRUSTMANAGER flaw, while the POTENTIALLY_BYPASS SSL_CONNECTION is described as:

“The implementation bypasses all SSL certificate validation errors when establishing an HTTPS connection to a remote host, thereby making your app vulnerable to man-in-the-middle attacks. An attacker could read transmitted data (such as login credentials) and even change the data transmitted on the HTTPS connection.

I suggest you read the post to discover the remaining issues and the risks they posed to the users.

Pierluigi Paganini

(Security Affairs – Sonic apps, hacking)

The post Three Sonic apps in the Google Play are leaking data to uncertified servers appeared first on Security Affairs.

Authorities discovered a fraudulent scheme involving dozens of gas-station employees who installed malicious programs on electronic gas pumps to cheat customers

Russian law enforcement investigated fraudulent activities involving gas-station payment systems.

Authorities discovered a fraudulent scheme involving dozens of gas-station employees who installed malicious programs on electronic gas pumps to trick customers into paying for more fuel than they pumped into their vehicles.

The software allows gas-station employees to deliver between 3 to 7 percent less per gallon of pumped gas.

The scam shorted customers between 3-to-7 percent per gallon of gas pumped.

“At dozens of gas stations owned by the largest oil companies, FSB officers identified malicious computer programs, thanks to which the owners of cars quietly missed the fuel. At times, “underweight” was up to 7% of the amount of gasoline that was being refueled into the tank. Identify the virus was almost impossible. Their creator and distributor was detained.” reported media outlet Rosbalt.

On Saturday, Russian Federal Security Service (FSB) arrested the hacker Denis Zayev. The man was charged with the creation of several programs designed for such kind of frauds.

Authorities revealed that the programs were found only on gas stations in the south of the country.

According to the authorities, the man was selling the software to gas-station employees. involved in the fraud scheme. Zayev was sharing profits with gas-station employees, it has been estimated that the fraud allowed the hacker and employees to earn “hundreds of millions of rubles.”

The malicious software was undetectable by inspectors and oil companies that monitor gasoline inventory remotely.

“At dozens of gas stations, malicious programs were discovered, which made it unnoticeable for customers to undercharge fuel when refueling their cars. “A giant scam covered almost the entire south of Russia,” viruses “were found in dozens of gas stations in the Stavropol Territory, Adygea, Krasnodar Territory, Kalmykia, several republics of the North Caucasus, etc.” continues the Rosbalt.”A whole network was built to steal fuel from ordinary citizens – they did not bear any financial loss, “the source said. “

Zaiev’s software was very sophisticated programs that were injected both into the software of the pumps and into the cash register to modify records.

The Rosbalt provided details about the way the programs worked. Every morning, gas-station employees left one of the reservoirs empty (for example, under the guise of maintenance). When a customer made a purchase, the software automatically undercharged him from 3% to 7% of the amount of gasoline purchased. The meter on the column was instructed to display the clients to show that the entire volume of paid fuel was poured into the tank. The stolen gasoline was automatically sent to the tank left empty. The malware virus erased any track of this operation.

The fuel was collected in the tank to be sold later by scammers that shared the profits of the sale.

Vulnerabilities and cyber attacks involving systems at gas-stations are not a novelty.

In January 2014,  a criminal organization hit gas station ATMs located in South America. The gang used Bluetooth-enabled skimmers to steal 2 million dollars from customers.

Early 2015, experts at Rapid7 revealed that more than 5000 Automated tank gauges (ATGs) used to prevent fuel leaks at gas stations in US were vulnerable to remote cyber attacks.



Pierluigi Paganini

(Security Affairs – fraud, gas-station)

The post Hacker infected pumps at gas-stations in Russia in a profitable fraud scheme appeared first on Security Affairs.

Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.

In the last days of 2017, researchers at CSE Cybsec observed threat actors exploiting some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising. The huge malvertising campaign was dubbed EvilTraffic

The compromised websites involved in the EvilTraffic campaign run various versions of the popular WordPress CMS. Once a website has been compromised, attackers will upload a “zip” file containing all the malicious files. Despite the “zip” file has different name for each infection, when it is uncompressed, the files contained in it have always the same structure. We have found some of these archives not used yet, so we analyzed their content.

The malicious files are inserted under a path referring probably different versions of the same malware (“vomiu”, “blsnxw”, “yrpowe”, “hkfoeyw”, “aqkei”, “xbiret”, “slvkty”).

Under this folder there are:

  • a php file, called “lerbim.php”;
  • a php file, that has the same name of the parent dir; it has initially “.suspected” extension and only in a second time, using “lerbim.php” file, it would be changed in “.php” file;
  • two directories, called “wtuds” and “sotpie”, containing a series of files.

An example of this structure is shown in the following figure:


The main purpose of the “malware” used in the EvilTraffic campaign is to trigger a redirecting chain through at least two servers which generate advertising traffic.

The file “{malw_name}.php” becomes the core of all this context: if it is contacted by the user through the web browser, it redirects the flow first to “” and then to “”, which acts as a dispatcher to different sites registered to this revenue chain.



These sites could be used by attackers to offer commercial services that aim to increase traffic for their customers, but this traffic is generated in an illegal way by compromising websites. The sites could host also fraudulent pages which pretend to download suspicious stuff (i.e. Toolbars, browser extensions or fake antivirus) or steal sensitive data (i.e. credit card information).

In order to increase the visibility of the web, the compromised sites must have a good page-rank on search engines. So, the malware performs SEO Poisoning by leveraging on wordlist containing the trending searched words

The population of the compromised site with the wordlists and their relative query results is triggered contacting the main PHP using a specific User-Agent on a path “{malw_name}/{malw_name}.php?vm={keyword}”.

Researchers from CSE CybSec ZLab discovered roughly 18.100 compromised websites.

While researchers were analyzing the EvilTraffic malvertising campaign, they realized that most of the compromised websites used in the first weeks of the attacks have been cleaned up in the last days.  just in one week, the number of compromised websites dropped from around 35k to 18k.

According to Alexa Traffic Rank, is ranked number 132 in the world and 0.2367% of global Internet users visit it. Below are reported some traffic statistics related to provided by

The analysis of the traffic shows an exponential increase in the traffic during October 2017.

Experts discovered that crooks behind the Operation EvilTraffic used a malicious software to hijack traffic, it acts as brows a browser hijacker. The malware is distributed via various methods, such as:

  • Attachment of junk mail
  • Downloading freeware program via unreliable site
  • Open torrent files and click on malicious links
  • By playing online games
  • By visiting compromised websites

The main purpose of the malware is to hijack web browsers changing browser settings such as DNS, settings, homepage etc. in order to redirect as more traffic as possible to the dispatcher site.

Further technical details about this campaign, including IoCs, are available in the report titled:

Tens of thousands of compromised web sites involved in new massive malvertising campaign

You can download the full ZLAB Malware Analysis Report at the following URL:

Pierluigi Paganini

(Security Affairs – malvertising campaign, EvilTraffic)

The post Op EvilTraffic CSE CybSec ZLAB Malware Analysis Report – Exclusive, tens of thousands of compromised sites involved in a new massive malvertising campaign appeared first on Security Affairs.

Cybersecurity week Round-Up (2018, Week 3) -Let’s try to summarize the most important event occurred last week in 3 minutes.

The week started with the discovery of a new variant of the dreaded Mirai Botnet dubbed Okiru, for the first time a malware targets ARC based IoT devices, billions of IoT devices are potentially at risk.

Kaspersky published a report on a powerful Android malware, dubbed SkyGoFree, developed for surveillance purposes by an Italian firm. The same malware was analyzed months before by researchers at CSE Cybsec in November 2017.

Interesting also the discovery of a new variant of the KillDist wiper that targeted Windows machines in financial institutions in Latin America.

Spectre and Meltdown continue to make the headlines, many users claim problems with the installed security patches.

While Oracle announces patches for the vulnerabilities affecting the Intel CPU,

Crooks continues to focus their interest on cryptocurrencies. The web-based wallet application for the Stellar Lumen cryptocurrency suffered a DNS hijacking attack that resulted in the theft of $400,000

Security researchers at Check Point have spotted a malware family dubbed RubyMiner that is targeting web servers worldwide in an attempt to exploit their resources to mine Monero cryptocurrency.

This week emerged also the activity of Lebanese APT, dubbed Dark Caracal, that is operating at least since 2012 using a powerful Android spyware. Its arsenal also includes a Windows malware and the surveillance software FinFisher

Experts from Talos group published an interesting article on North Korea Group 123 involved in at least 6 different hacking campaigns in 2017 Last year

Pierluigi Paganini

(Security Affairs – cybersecurity)

The post Cybersecurity week Round-Up (2018, Week 3) appeared first on Security Affairs.

Google has awarded a record $112,500 to a security researcher for reporting an exploit chain that could be used to hack Pixel smartphones.

Last week the Google disclosed the technical details of the exploit chain that was devised in August 2017 by the Guang Gong from Alpha Team at Qihoo 360 Technology. The exploit chain triggers two vulnerabilities, CVE-2017-5116 and CVE-2017-14904, researchers submitted it through the Android Security Rewards (ASR) program.

“The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome.” reads the analysis published by Google.

Android exploit chain

Chaining the vulnerabilities the attackers can remotely inject arbitrary code into the system_server process when a malicious URL in Chrome is accessed.

In an attack scenario, the victims can be tricked into clicking on such a URL by hackers that can fully compromise their mobile device.

Gong was awarded $105,000 for this exploit chain, he received also an additional award of $7500 through the Chrome Rewards program.

Google addressed the flaws as part of Google Android ‘s December security bulletin that addressed a total of 42 bugs.

Pixel mobile devices and partner devices using A/B updates will automatically install the security updates that fixed the flaws.

“The Android security team responded quickly to our report and included the fix for these two bugs in the December 2017 Security Update. Supported Google device and devices with the security patch level of 2017-12-05 or later address these issues.” concluded Google.

The overall ASR payout rewards is over $1.5 million to date, with the top research team earning $300,000 for 118 vulnerability reports.

Pierluigi Paganini

(Security Affairs – Android exploit chain, hacking)

The post Google awarded Chinese hacker record $112,500 for Android exploit chain appeared first on Security Affairs.

The Samsam Ransomware made the headlines in the first days of 2018, the malicious code infected systems of some high-profile targets, including a hospital that paid a $55,000 ransom.

The SamSam ransomware is an old threat, attacks were observed in 2015 and the list of victims is long, many of them belong to the healthcare industry.

Among the victims of the Samsam Ransomware there is the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington area. Crooks behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files, but the organization refused to pay the Ransom because it had a backup of the encrypted information.

In April 2016, the FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware, why it is so dangerous?

Back to the present, the Samsam Ransomware made the headlines in the first days of 2018, the malicious code infected systems of some high-profile targets, including hospitals, an ICS firm, and a city council.

According to Bleeping Computer, the malware was used in attacks against the Hancock Health Hospital and the Adams Memorial Hospital in Indiana, the municipality of Farmington, New Mexico, cloud-based EHR (electronic health records) provider Allscripts, and an unnamed ICS firm in the US.

In one case, managers of the Hancock Health hospital decided to pay the $55,000 ransom.

“Hancock Health paid a $55,000 ransom to hackers to regain access to its computer systems, hospital officials said.Part of the health network had been held hostage since late Thursday, when ransomware locked files including patient medical records.” reported the Greenfield Reporter.

“The hackers targeted more than 1,400 files, the names of every one temporarily changed to “I’m sorry.” They gave the hospital seven days to pay or the files would be permanently encrypted, officials said.”

In at least three attacks the ransomware locked files and dropped a ransom note with the names “sorry,” a circumstance that suggests an ongoing malware campaign launched by the same threat actor.

Hackers use to scan the Internet for machines with open RDP connections, then they attempt to hack using brute-force attacks.

SamSam ransomware note

“Bleeping Computer has tracked down this ransom note to recent SamSam infections. According to data provided by the ID-Ransomware service, there have been 17 submissions of SamSam-related files to the service in January alone.” continues Bleeping Computers.

The analysis of Bitcoin address reported in the ransom note shows crooks made nearly 26 Bitcoin (roughly $300,000), the first payment made by one of the victims is date back December 25.

Pierluigi Paganini

(Security Affairs – SamSam ransomware, hacking)

The post A hospital victim of a new SamSam Ransomware campaign paid $55,000 ransom appeared first on Security Affairs.

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!


Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 146 – News of the week appeared first on Security Affairs.

OnePlus confirmed that a security breach affected its online payment system, hackers stole credit card information belonging to up to 40,000 customers.

OnePlus confirmed that a security breach affected its online payment system, a few days ago many customers of the Chinese smartphone manufacturer claimed to have been the victim of fraudulent credit card transactions after making purchases on the company web store.

OnePlus has finally confirmed that its online payment system was breached, following several complaints of fraudulent credit card transactions from its customers who made purchases on the company’s official website.
OnePlus Payment-Page-1024x579

Dozens of cases were reported through the support forum and on Reddit, the circumstance that credit cards had been compromised after customers bought a smartphone or some accessories from the OnePlus official website suggests it was compromised by attackers.

On January 19, the company released a statement to admit the theft of credit card information belonging to up to 40,000 customers. The hacker stole the credit card information between mid-November 2017 and January 11, 2018 by injecting a malicious script into the payment page code.

The script was used by attackers to sniff out credit card information while it was being entered by the users purchasing on the web store.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at may be affected by the incident. We have sent out an email to all possibly affected users.” reads the statement.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated.”

OnePlus is still investigating the breach to determine how the hackers have injected the malicious script into its servers.

The script was used to sniff out full credit card information, including card numbers, expiry dates, and security codes, directly from a customer’s browser window.

OnePlus said that it has quarantined the infected server and enhanced the security of its systems.

Clients that used their saved credit card, PayPal account or the “Credit Card via PayPal” method are not affected by the security breach.

As a precaution, the company is temporarily disabling credit card payments at, clients can still pay using PayPal.  The company said it is currently exploring alternative secure payment options with our service providers.

OnePlus is notifying all possibly affected OnePlus customers via an email.

We are eternally grateful to have such a vigilant and informed the community, and it pains us to let you down. We are in contact with potentially affected customers. We are working with our providers and local authorities to address the incident better,” continues the statement.

Pierluigi Paganini(Security Affairs – CIA Director, email hacking)

The post OnePlus admitted hackers stole credit card information belonging to up to 40,000 customers appeared first on Security Affairs.