Weekly news

InfoSec Week 8, 2018

Fraudsters are impersonating authors and publishing computer generated books so they can launder money via Amazon.
https://krebsonsecurity.com/2018/02/money-laundering-via-author-impersonation-on-amazon/

Crooks made over $3 million by installing cryptocurrency miners on Jenkins Servers by exploiting Java deserialization RCE vulnerability (CVE-2017-1000353) in the Jenkins.
https://securityaffairs.co/wordpress/69232/malware/jenkinsminer-targets-jenkins-servers.html

Tesla's Kubernetes installed in the Amazon AWS infrastructure was compromised by hackers.They have set up private cryptocurrency mining pool there.
https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/

The co-founder of WhatsApp, Brian Acton, has given $50 millions to support Signal messenger and create a self-sustaining foundation. Very good news for this donation funded privacy technology.
https://signal.org/blog/signal-foundation/

Hackers are exploiting the CISCO ASA vulnerability (CVE-2018-0101) in attacks in the wild.
https://securityaffairs.co/wordpress/68959/hacking/cve-2018-0101-cisco-asa-flaw.html

Security Researcher Troy Hunt published half a billion passwords collected and processed from various breaches. There is also API for this dataset, and some statistics about the password usage.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

There is a critical vulnerability in Mi-Cam baby monitors that let attackers spy on infants. At least 52k users are affected.
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

Public key cryptography explained in the form of Ikea instructions. Check other images as well!
https://idea-instructions.com/public-key/

InfoSec Week 7, 2018

The Fidelis Cybersecurity researcher Jason Reaves demonstrated how covertly exchange data using X.509 digital certificates. The proof of concept code is using SubjectKeyIdentifier and generating certificates on the fly.
https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities

The "UDPoS" Point of Sale malware is using DNS traffic to exfiltrate stolen credit card data.
https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns

Talos analyzed malware threat targeting Olympic computer systems during the opening ceremony. The main purpose was information gathering and destroying the system.
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.
https://securityaffairs.co/wordpress/69100/hacking/bitmessage-zero-day.html

Trustwave analyzed multi-stage Microsoft Word attack which is NOT using macros. Really creative technique.
https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/

Microsoft can't fix Skype privilege escalation bug without the massive code rewrite, so they postponed it for a while.
http://seclists.org/fulldisclosure/2018/Feb/33

Facebook is advertising their Onavo VPN application, but there are a few reasons why it is really not a good idea to use it.
https://gizmodo.com/do-not-i-repeat-do-not-download-onavo-facebook-s-vam-1822937825

Facebook is spamming users via SMS registered for two factor authentication (2FA). Then posts their responses on a wall.
https://twitter.com/Gabriel__Lewis/status/963121814166630400

(Not only) Performance analysis of a Retpoline mitigation for Spectre vulnerability.
https://cyber.wtf/2018/02/13/in-debt-to-retpoline/

A guide on how to brutefoce Linux Full Disk Encryption (LUKS) volumes using Hashcat software.
https://blog.pnb.io/2018/02/bruteforcing-linux-full-disk-encryption.html

Proof of concept of LibreOffice remote arbitrary file disclosure vulnerability. It is possible to silently send any files. All operating systems affected before 5.4.5/6.0.1 versions.
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure

InfoSec Week 6, 2018

A buffer overflow vulnerability in older Starcraft version enabled modders to create new maps, so Blizzard tasked reverse engineer to safely emulate the bug in the newer, fixed version.
The author says it all: "This is a tale about what dedication to backward compatibility implies."
https://plus.google.com/+MartinSeeger/posts/HYmY8gPCYJT

A bug in the Grammarly chrome extension (approx ~22M users) exposes user authentication token to all websites, so everybody collecting user data can access their cloud data at grammarly.com.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1527&desc=2

With the release of Google Chrome 68, Chrome will mark all HTTP sites as a “not secure” in the status bar.
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Article about the Australian startup Azimuth Security which sells hacking software to the "Five Eyes" police and intelligence agencies.
Rumors are that they are able to remotely hack Android devices and iPhones.
https://motherboard.vice.com/en_us/article/8xdayg/iphone-zero-days-inside-azimuth-security

SEC Consult researchers found multiple vulnerabilities in their smart sex toys security review. Customer database, clear passwords, vulnerable remote controllers...
http://seclists.org/fulldisclosure/2018/Feb/0

Metasploit integrated EternalRomance, EternalSynergy, and EternalChampion Windows (MS17-010) vulnerabilities leaked from the NSA by Shadow Brokers.
https://blog.rapid7.com/2018/02/02/metasploit-wrapup-26/

Someone leaked the source code of Apples' iBoot iOS trusted boot program on GitHub. It is a critical part of iOS system. Meanwhile, Apple filed a copyright takedown request with GitHub.
https://motherboard.vice.com/en_us/article/a34g9j/iphone-source-code-iboot-ios-leak

Hackers infected water utility SCADA systems in Europe with the cryptocurrency mining software.
http://www.eweek.com/security/water-utility-in-europe-hit-by-cryptocurrency-malware-mining-attack

Security researchers discovered vulnerabilities in an automated gas management system that allowed them to hijack credit card payments, steal card numbers and more.
https://www.scmagazine.com/gas-pump-vulnerabilities-in-widespread-software-grant-low-prices-and-credit-card-data/article/741764/

APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was the victim of an APT attack.
https://github.com/NextronSystems/APTSimulator

InfoSec Week 5, 2018

A.P. Moller–Maersk Group, the world's largest container shipping company, reinstalled 45000 PCs and 4000 Servers to recover from the NotPetya ransomware attack.
https://www.bleepingcomputer.com/news/security/maersk-reinstalled-45-000-pcs-and-4-000-servers-to-recover-from-notpetya-attack/

The U.S. Secret Service is warning financial institutions that ATM jackpotting attacks are targeting cash machines in the United States. Attackers are able to empty Diebold Nixdorf and possibly other ATM machines with malware, endoscope and social engineering skills.
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

Microsoft disables Spectre software mitigation released earlier this month due to system instability.
http://www.securityweek.com/microsoft-disables-spectre-mitigations-due-instability

Data from the fitness tracking app Strava gives away the location of sensitive locations like army bases.
https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

China built African union building for free, but the building is riddled with microphones and computers are transmitting all voice data back to servers in Shanghai.
https://twitter.com/i/web/status/957879611513278464

Journalist Marc Miller has interviewed one of the hackers of the ICEMAN group behind "Emmental" phishing campaign targeting bank clients.
https://securityaffairs.co/wordpress/64349/cyber-crime/iceman-hacker-interview.html

Errata Security blog about the political nature of the cyber attack attribution. Mostly about the WannaCry and North Korea connection, but it is a good overview on attribution bias in general.
http://blog.erratasec.com/2018/01/the-problematic-wannacry-north-korea.html

Great article about the largest malvertising campaign of a last year. So called Zirconium group operated up to 30 different ad agencies which enabled them to redirect users to the exploit kits, malware downloads and click fraud websites.
https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85

AutoSploit is an automated exploitation tool written in python. It is able to search for targets using Shodan.io API and exploiting them with Metasploit.
https://github.com/NullArray/AutoSploit

InfoSec Week 4, 2018

Electron applications designed to run on Windows that register themselves as the default handler for a protocol, like Skype, Slack and others, are vulnerable to the remote code execution vulnerability.
https://electronjs.org/blog/protocol-handler-fix

Dutch intelligence service AIVD provided the FBI with important information regarding Russian interference with the American elections. They have following the Cozy Bear APT for years.
https://www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

Good blog about the exploitation of the Intel Management Engine 11 vulnerabilities. Researchers Mark Ermolov and Maxim Goryachy were able to debug and analyse most of the Intel ME processes.
http://blog.ptsecurity.com/2018/01/running-unsigned-code-in-intel-me.html

It's possible to bypass the Cloudflare protection by scanning internet for misconfigured customers' servers.
https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/

It is possible for an unauthenticated attacker in the LAN network to achieve remote code execution (CVE-2018-5999) in the AsusWRT router as the root user.
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt

The Tinder dating application is not using encryption when accessing data on a backend server. Your naked photos could be seen by a waitress in a restaurant. The geeky one.
https://www.checkmarx.com/2018/01/23/tinder-someone-may-watching-swipe-2/

Oracle has released patches for ten vulnerabilities in VirtualBox, which allows guest to host virtual machine escape.
https://www.techrepublic.com/article/10-new-vm-escape-vulnerabilities-discovered-in-virtualbox/

The guy was able to obtain TLS certificates from the Let's Encrypt certification authority for domains that he does not own, due to the TLS-SNI-01 challenge workflow in a cloud environment. Shared hosting providers like Heroku, AWS CloudFront affected.
https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/

Blog by Joanna Rutkowska on a future Qubes Air operating system architecture roadmap. They want to provide compartmentalized secure Qubes OS as a service.
https://www.qubes-os.org/news/2018/01/22/qubes-air/

There is a cryptographic analysis of the WireGuard protocol. WireGuard is a layer 3 replacement for the IPsec, OpenVPN solutions. Interesting project.
https://eprint.iacr.org/2018/080

Nice introduction on how to fuzz TCP servers by Robert Swiecki.
http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html

InfoSec Week 3, 2018

Notoriously known Necurs spam botnet is sending millions of spam emails that are pumping shitcoin cryptocurrency named Swisscoin. Attackers are probably invested and are expecting to do pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against the foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police has handed malware-infected USB sticks as prizes for cybersecurity quiz. The malware was some old sample trying to communicate with non-existing C&C server in Poland. The thumb drives were infected by third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research is analyzing usage of the Certificate Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly tell which certificate authority may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 2, 2018

New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.
https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/

Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.
http://depastedihrn3jtw.onion.link/show.php?md5=ee7136ac48fa59fba803b9fbcbc6d7b9
http://depastedihrn3jtw.onion.link/show.php?md5=7e7bfe406315f120d8ed325ffb87670b

A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.
https://www.bleepingcomputer.com/news/security/hc7-planetary-ransomware-may-be-the-first-to-accept-ethereum/

There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
https://twitter.com/dragosr/status/949822668563365889

Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.
https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.
http://seclists.org/fulldisclosure/2018/Jan/12

Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
http://blog.virustotal.com/2018/01/virustotal-graph.html

A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.
https://github.com/RealJTG/Meltdown

InfoSec Week 1, 2018

Daniel Shapira from Twistlock wrote a blog about exploiting a Linux kernel vulnerability in the waitid() syscall (CVE-2017-5123) in order to modify the Linux capabilities of a Docker container, gain privileges and escape the container jail.
https://www.twistlock.com/2017/12/27/escaping-docker-container-using-waitid-cve-2017-5123/

There is a critical hardware bug in the Intel chips, which enables a user level process to access kernel address space, thus read other processes memory. Cloud providers and OS makers are preparing software patches, but the performance penalty could be significant. According to the Wired:
"[researchers] confirmed that when Intel processors perform that speculative execution, they don't fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution."
http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/

The guy dumped PlayStation 4 kernel by leaking arbitrary memory into accessible crashdumps.
https://fail0verflow.com/blog/2017/ps4-crashdump-dump/

ACM published article about more than 2 decades old ransomware experiments with the name "Cryptovirology: The Birth, Neglect, and Explosion of Ransomware".
https://cacm.acm.org/magazines/2017/7/218875-cryptovirology/fulltext

Nice write up about exploit development for the arbitrary command execution on a BMC Server Automation remote agent software.
https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/

MacOS-only 0day vulnerability published on a last day of 2017. It is an IOHIDSystem kernel vulnerability that can be exploited by any unprivileged user.
https://siguza.github.io/IOHIDeous/

Edward Snowden’s open source Haven application uses smartphone sensors to detect physical tampering.
https://github.com/guardianproject/haven

PiKarma detects wireless network attacks performed by KARMA module (fake AP). Starts deauthentication attack (for fake access points).
https://github.com/WiPi-Hunter/PiKarma

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.
http://seclists.org/fulldisclosure/2017/Dec/85

Matthew Green thinks that the recently discovered "Extended Random" extension of the RSA’s BSAFE TLS library found in the older Canon printers could be NSA backdoor.
https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/

Filippo Valsorda presented the key recovery attack against the carry bug in x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption affected.
https://events.ccc.de/congress/2017/Fahrplan/events/9021.html

Explanation how web trackers exploit browser login managers to track users on the Internet.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.
https://www.unian.info/world/2319991-russian-hacker-says-fsb-involved-in-creation-of-wannacry-malware.html

Short blog about the cracking encrypted (40-bit encryption) PDFs using hashcat.
https://blog.didierstevens.com/2017/12/27/cracking-encrypted-pdfs-part-2/

Crooks behind the VenusLocker ransomware to Monero mining. They are executing Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.
https://blog.fortinet.com/2017/12/20/group-behind-venuslocker-switches-from-ransomware-to-monero-mining

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.
https://lite.cnn.io/en/article/h_910710e71e532e73a80deb1294a2db7c

Proofpoint researchers published paper on largely undocumented LazarusGroup campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new

InfoSec Week 50, 2017

Crooks hacked Fox-IT by capturing fox-it.com DNS record, then obtained a certificated and executed a man-in-the-middle attack on connection.
https://www.fox-it.com/en/insights/blogs/blog/fox-hit-cyber-attack/

The Mandiant - FireEye company analyzed an incident at a critical infrastructure organization where an attacker deployed so called TRITON malware designed to manipulate industrial safety system. According to the analysis, "the malware was delivered as a Py2EXE compiled python script [...] containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers."
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

The anonymous researcher behind the massive internet scans of the IoT devices known for the BrickerBot case published some insights on his operation. Looks like he is a gray hat after all.
https://ghostbin.com/paste/q2vq2

Google published Android security roadmap for the next year. There will be lots of improvements, and new requirements for App developers.
https://android-developers.googleblog.com/2017/12/improving-app-security-and-performance.html

Multiple vulnerabilities were identified in Telegram messenger for Android, like arbitrary file overwrite on receiving and directory traversal. There are definitely better alternatives to this software...
https://bugs.chromium.org/p/project-zero/issues/detail?id=1470

Guy uploaded his self-signed malformed certificate to the websites which process them and found out lots of them is vulnerable to the XSS injection.
https://binaryfigments.com/2017/12/11/dont-trust-all-ssl-tls-certificates/

Mavinject is a legitimate Windows component digitally signed by Microsoft, that can be abused to inject any DLL inside a running process.
https://reaqta.com/2017/12/mavinject-microsoft-injector/

Microsoft pushed comprehensive audit reports on Windows Events to GitHub.
https://github.com/MicrosoftDocs/windows-itpro-docs/tree/master/windows/device-security/auditing


Page 1 / 7