USB media shipped with the Schneider Electric Conext ComBox and Conext Battery Monitor solar products were infected with malware.
https://www.schneider-electric.com/en/download/document/SESN-2018-236-01/
Two days after the proof-of-concept exploit for the Windows Task Scheduler vulnerability appeared online, malware developers have started using it.
https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/
Five Eyes, an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States, officially warns the tech world that they should build interception capabilities voluntarily or governments will legislate.
https://www.computerworld.com.au/article/646059/five-eyes-tech-industry-make-access-online-communications-possible-else/
Security researchers from the Kaitiaki Labs presented exploitation techniques against the automation in the LTE mobile networks.
https://gsec.hitb.org/materials/sg2018/D1%20-%20Exploiting%20Automation%20in%20LTE%20Mobile%20Networks%20-%20Altaf%20Shaik%20&%20Ravishankar%20Borgaonkar.pdf
.NET Framework remote code injection vulnerability (CVE-2018-8284) enables low privileged SharePoint users to execute commands on the server.
https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-workflows-protection-mechanisms-remote-code-execution-on-sharepoint/
A good blog post by a bug hunter Steven Seeley - Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows (CVE-2018-15514).
https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
Thousands of MikroTik routers are forwarding owners’ traffic to unknown attackers.
https://blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/
A great insight into the world of WW2 women code breakers who unmasked the Soviet spies.
https://www.smithsonianmag.com/history/women-code-breakers-unmasked-soviet-spies-180970034/
ProtonMail released a major new version (4.0) of OpenPGPjs which introduces streaming cryptography.
https://protonmail.com/blog/openpgpjs-4-streaming-encryption/
Bruce Schneier announced the publication of the latest book with the name "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World".
https://www.schneier.com/blog/archives/2018/09/new_book_announ.html
There is a new collection of botnet source codes on GitHub.
https://github.com/maestron/botnets
Google started selling their Titan Security Key bundle that support FIDO standards for secure authentication. They have written the firmware by themselves, but the price should be lower for this kind of hardware.
https://store.google.com/us/product/titan_security_key_kit
Interesting three month research on hacking Australian law firms by registering expired domain names. Thousands of emails received with sensitive material.
https://medium.com/@gszathmari/hacking-law-firms-abandoned-domain-name-attack-560979e0b774
Researchers systematically retrieved 3500 AT controlling commands from over 2000 Android smartphone firmware images across 11 vendors and "demonstrated that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices."
https://atcommands.org/
Fortnite Installer created by Epic Games allowed to install anything on the customer Android phone. An Epic security engineer requested Google to delay public disclosure for the 90 days period, to allow time for the update, but Google refused.
https://m.androidcentral.com/epic-games-first-fortnite-installer-allowed-hackers-download-install-silently
US T-Mobile Database was breached, 2 millions of customers' data exposed.
https://www.databreachtoday.com/t-mobile-database-breach-exposes-2-million-customers-data-a-11420
Ars Technica published a good introductory review of the WireGuard next generation VPN software.
https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connections-amaze-but-windows-support-needs-to-happen/
WhatsApp has warned users that by using a free backup service offered by Google, messages will no longer be protected by end-to-end encryption.
https://www.zdnet.com/article/whatsapp-warns-free-google-drive-backups-are-not-encrypted/
Assured researchers published an article which provides a brief overview of the new TLS 1.3.
https://assured.se/2018/08/29/tls-1-3-in-a-nut-shell/
If you wanted to know how to use PGP in an organization of 200 people, read this blog about OpenPGP key distribution.
They are now turning the lessons learned into an Internet standard.
https://tech.firstlook.media/keylist-rfc-explainer
Mozilla Firefox 62 and newer support a new TLS API for WebExtensions.
There is now a certificate viewer leveraging new API called Certainly Something (Certificate Viewer).
https://addons.mozilla.org/en-US/firefox/addon/certainly-something/
In-depth blog spot by voidsecurity about the VirtualBox code execution vulnerability.
https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html
Mark Ermolov and Maxim Goryachy researchers have published a detailed walk-through for accessing an Intel's Management Engine (IME) JTAG feature, which provides debugging access to the processor.
https://github.com/ptresearch/IntelTXE-POC
If you are running Linux machines in Microsoft Azure, you should disable built-in wa-linux-agent backdoor that enable root access from Azure console.
https://raymii.org/s/blog/Linux_on_Microsoft_Azure_Disable_this_built_in_root_access_backdoor.html
There is a good blog post by Stuart Schechter about the dark side of the two factor authentication. Highly recommended reading.
https://medium.com/@stuartschechter/before-you-turn-on-two-factor-authentication-27148cc5b9a1
Great research by Eyal Ronen, Kenneth G. Paterson and Adi Shamir demonstrate that adopting pseudo constant time implementations of TLS are not secure against the modified Lucky 13 attack on encryption in CBC-mode. Tested against four fully patched implementations of TLS - Amazon's s2n, GnuTLS, mbed TLS and wolfSSL.
https://eprint.iacr.org/2018/747
Traefik, popular open source reverse proxy and load balancing solution is leaking (CVE-2018-15598) TLS certificate private keys via API.
https://www.bleepingcomputer.com/news/security/cloud-product-accidentally-exposes-users-tls-certificate-private-keys/
Google enrolled Hardware Secure Module to their Cloud Key Management Service. The customers can use it to store their encryption keys with FIPS 140-2 Level 3 security certified devices from now on.
https://cloud.google.com/hsm/
Microsoft Corp said that Russian hackers are targeting U.S. political groups ahead of November’s congressional elections.
https://www.reuters.com/article/us-usa-russia-hackers/russian-hacking-of-conservative-groups-sites-thwarted-microsoft-idUSKCN1L60I0
The WIRED cover story on how Russian NotPetya malware took down Maersk, the world’s largest shipping firm.
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Kaspersky Lab published analysis of a sophisticated "Dark Tequila" banking malware which is targeting customers in Mexico and other Latin American nations.
https://securelist.com/dark-tequila-anejo/87528/
NSA successfully cracked and listened for years to encrypted networks of Russian Airlines, Al Jazeera, and other “High Potential” targets.
https://theintercept.com/2018/08/15/nsa-vpn-hack-al-jazeera-sidtoday/
Anonymous targeted Spanish Constitutional Court, economy and foreign ministry websites to support Catalonia separatist drive.
https://securityaffairs.co/wordpress/75509/hacking/anonymous-catalonia.html
Red Teaming/Adversary Simulation Toolkit is a collection of open source and commercial tools that aid in red team operations.
https://github.com/infosecn1nja/Red-Teaming-Toolkit
There is an OpenSSH user enumeration attack against all software versions on all operating systems.
It's a timing attack with proof of concept already published.
http://www.openwall.com/lists/oss-security/2018/08/15/5
https://bugfuzz.com/stuff/ssh-check-username.py
The so-called RedAlpha malware campaign targeting the Tibetan community is deploying a novel “ext4” Linux backdoor. The group is using infrastructure registered with Tsinghua1 University, China and is believed to be conducted by Chinese state-sponsored actors in support of China’s economic development goals.
https://www.recordedfuture.com/chinese-cyberespionage-operations/
The Australia’s Assistance and Access Bill, introduced this week, want to jail people for up to 10 years if they refuse to unlock their phones.
https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/
A new research paper named "Piping Botnet - Turning Green Technology into a Water Disaster" demonstrate that the researchers were able to manipulate commercial smart IoT systems used for regulating water and electricity resources.
https://arxiv.org/abs/1808.02131
The guy with his BMW car encountered the theft attempt, where something that looked like a vandalism was actually a really smart attack against the modern alarm system.
https://mrooding.me/a-dutch-first-ingenious-bmw-theft-attempt-5f7f49a96ec8
Cloudflare analyzed the changes and improvements of a new TLS 1.3 (RFC 8446) standard that was finally published last week.
https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/
New Foreshadow attack demonstrates how speculative execution can be exploited for reading the contents of Intels' SGX-protected memory as well as extracting the machine’s private attestation key.
https://foreshadowattack.eu/
Practical dictionary attacks are possible against the main mode of IPsec IKEv1/v2 standard. Successful exploitation of a weak password requires only a single active man-in-the-middle attack.
https://web-in-security.blogspot.com/2018/08/practical-dictionary-attack-on-ipsec-ike.html
If you are interested how cryptographic key management is practically done, I have written a blog Commercial Cryptographic Key Management in 2018, where I am explaining a little bit about the hardware, people and processes behind it.
https://www.malgregator.com/key-management.html
Google published BrokenType, the font fuzzing toolset that helped find lots of vulnerabilities in the Windows kernel. It includes a font mutator, generator and loader.
https://github.com/google/BrokenType
Modern key management in a large organization is primarily described by bureaucratic procedures and compliance requirements due to financial liability. No one personnel hold all the keys required for a task. To minimize the need for trust in a...
A Comcast security flaws exposed more than 26 millions of customers’ personal information. Basically, an attacker could spoof IP address using "X-forwarded-for" header on a Comcast login page and reveal the customer’s location.
https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers
According to the Check Point Research, more than 150k computers are infected with the new variant of Ramnit botnet named Black. Botnet install second stage malware with the proxy functionality.
https://research.checkpoint.com/ramnits-network-proxy-servers/
Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they had already recovered from the attack.
https://www.bloomberg.com/news/articles/2018-08-04/tsmc-takes-emergency-steps-as-operations-hit-by-computer-virus
A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. Attack require less than 2 Kbps of traffic.
https://access.redhat.com/articles/3553061
GDPR and other cookie consent scripts are used to distribute malware.
https://blog.sucuri.net/2018/08/cookie-consent-script-used-to-distribute-malware.html
Interesting blog on how criminals in Iran make money by creating Android malware apps.
https://blog.certfa.com/posts/pushiran-dl-malware-family/
Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on a cross-signing on some systems, so this is great news!
https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html
There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask Access Point for the data required for offline cracking, no client traffic sniffing is needed anymore.
https://hashcat.net/forum/thread-7717.html
Innovative new research on a software implementation hardening was published with the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple, introduce a large number of non-exploitable bugs in the program which makes the bug discovery and exploit creation significantly harder.
https://arxiv.org/abs/1808.00659
Researchers from the University of Milan published padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on it...
https://pequalsnp-team.github.io/writeups/analisys_telegram_passport
A Handshake is a new experimental peer-to-peer root DNS. They have published resolver source code and have test network up and running. Looks like really promising project.
https://handshake.org/
Reddit got hacked. According to the investigation, it looks like hackers accessed employees 2FA protected accounts.
An attacker "compromised a few of Reddit's accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes".
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/
A non-official French website keepass.fr using an URL similar to the popular password manager KeePass one lets you download a tampered version of the password manager with some adware in it.
https://twitter.com/JusticeRage/status/1021815597972291591
According to The Intercept_, Google is planning to launch a censored version of its search engine in China that will blacklist websites and search terms about human rights, democracy, religion, and peaceful protest.
One can only wonder whether it is some part of a broader strategy, how to spread channels of influence abroad.
https://theintercept.com/2018/08/01/google-china-search-engine-censorship/
There is a great blog published on a Trail of Bits about the recent invalid elliptic curve point attack against the Bluetooth implementations.
Give it a try if you are interested, it's really easy to read!
https://blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/amp/
A borough and a town in Alaska have been hit by a devastating ransomware attack, forcing employees to completely stop using computers and go back to typewriters and hand receipts.
https://mashable.com/2018/08/02/malware-alaska-town
BYOB (Build Your Own Botnet) is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop countermeasures against these threats.
https://github.com/colental/byob
FireEye wrote article about the internals of a FIN7 hacking group global operation.
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
WireGuard, next generation VPN software, is finally submitted for the Linux kernel inclusion. Linus Torvalds commented the pull request:
"I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."
https://marc.info/?l=linux-netdev&m=153306429108040&w=2
http://lists.openwall.net/netdev/2018/08/02/124
Malhunt: automated malware search in memory dumps using volatility and Yara rules.
https://github.com/andreafortuna/malhunt
Researchers from the Palo Alto Networks analyzed new Mirai and Gafgyt IoT/Linux botnet campaigns. The samples used more than 11 exploits for spreading, exploiting D-Link, Dasan GPON routers.
https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/
Brian Krebs published a blog post about the current status of the Universal 2nd Factor (U2F) support. Google practically eliminated employee phishing by introducing mandatory usage of the physical security keys.
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/
There is a new module for the CHIPSEC Security Assessment Framework to check CPU USB debug features and host Direct Connection Interface (DCI), which can be used to modify system firmware with physical access and introduce "Evil Maid" firmware attacks.
https://blog.eclypsium.com/2018/07/23/evil-mai%EF%BB%BFd-firmware-attacks-using-usb-debug/
Chinese police arrested malware developers for hacking millions of computers to steal $2 million in cryptocurrencies.
https://www.ccn.com/chinese-police-arrest-malware-developers-who-hacked-2-million-in-crypto/
Paper on a new Spectre variant called SpectreRSB was published with the name "Spectre Returns! Speculation Attacks using the Return Stack Buffer".
According to a paper „none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks.“
https://arxiv.org/abs/1807.07940
The source code of an Exobot Android Banking Trojan has been leaked online back in May has rapidly spread in the malware community.
https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/
Because of insufficient validation of parameters in many Bluetooth implementations, attackers can inject invalid elliptic curve parameters which aren’t checked by many implementations in an invalid public key making session keys vulnerable.
https://www.kb.cert.org/vuls/id/304725
The Cisco Talos security team found multiple vulnerabilities, including remote code execution vulnerability in the Sony IPELA E series network camera. https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html
NSA declassified papers from John Tiltman, one of Britain’s top cryptanalysts during the Second World War, which reveal how pre-world war 2 Brits analyzed and decrypted Russian cryptography.
https://www.theregister.co.uk/2018/07/19/russia_one_time_pads_error_british/
The academics have mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations. The novel part is that they are using real map data to generate plausible malicious instructions.
https://www.bleepingcomputer.com/news/security/researchers-mount-successful-gps-spoofing-attack-against-road-navigation-systems/
Folks from Cloudflare, Mozilla, Fastly, and Apple during a hackaton implemented Encrypted Server Name Indication (SNI). There are implementations in BoringSSL, NSS and picotls.
https://twitter.com/grittygrease/status/1018566026320019457
Good insight on how credit card thieves use free-to-play apps to steal and launder money from the credit cards.
https://kromtech.com/blog/security-center/digital-laundry
Chromium recently introduced Cross-Origin Read Blocking (CORB) that helps mitigate the threat of side-channel attacks (including Spectre).
https://www.chromium.org/Home/chromium-security/corb-for-developers
For anybody interested in reverse engineering, nice write up about the Smoke Loader malware bot unpacking mechanism and communication with the C&C.
https://www.cert.pl/en/news/single/dissecting-smoke-loader/
A research on how to bypass memory scanners using Cobalt Strike’s beacon payload and the gargoyle memory scanning evasion technique.
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/
Eset researchers analyzed ongoing espionage campaign against the Ukrainian government institutions.
https://www.welivesecurity.com/wp-content/uploads/2018/07/ESET_Quasar_Sobaken_Vermin.pdf
The intercept summarized what the public has learned about Russian and U.S. spycraft from the Special Counsel Robert Mueller’s indictment of hackers.
https://theintercept.com/2018/07/18/mueller-indictment-russian-hackers/
Security researchers have uncovered a highly targeted mobile malware campaign that has been operating since August 2015 and found spying on 13 selected iPhones in India.
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html
There is an exploit for Ubuntu Linux (up to 4.17.4) where other users coredumps can be read via setgid directory and killpriv bypass.
https://www.exploit-db.com/exploits/45033/
Hackers have poisoned the Arch Linux PDF reader package named “acroread” that was found in a user-provided Arch User Repository (AUR). They have put downloader malware inside.
https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
Hackers took over the maintainer account of the eslint-scope and eslint-config-eslint npm packages and published malicious versions which were downloading some juicy scripts from the pastebin.com. https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes
Backend of the TimeHop iOS application was compromised, personal records of the 21 million customers leaked.
https://www.timehop.com/security/technical
Nice journalism about how few researchers found the names and addresses of soldiers and secret agents using Strava fitness application when the company published tracking maps on the internet.
https://decorrespondent.nl/8481/heres-how-we-found-the-names-and-addresses-of-soldiers-and-secret-agents-using-a-simple-fitness-app
Lexington Insurance Company and Beazley Insurance Company are suing Trustwave over a 2009 breach. Trustwave supposedly failed to detect malware that caused a breach.
This will be huge precedent in the whole industry.
https://www.bleepingcomputer.com/news/security/security-firm-sued-for-failing-to-detect-malware-that-caused-a-2009-breach/
One email to a North American Network Operators mailing list led to a concerted effort to kick a notorious BGP hijacking factory off the Internet.
https://blog.apnic.net/2018/07/12/shutting-down-the-bgp-hijack-factory/
It looks like that the Carbanak banking malware source code was leaked.
https://malware-research.org/carbanak-source-code-leaked/
Researchers found spying malware signed using digital certificates stolen from D-Link and other Taiwanese tech-companies.
https://thehackernews.com/2018/07/digital-certificate-malware.html