Malgregator

InfoSec Week 38, 2017

The ZNIU Android malware is exploiting Linux kernel "Dirty COW" vulnerability to install itself on a device and collect money through the SMS-enabled payment service.
http://blog.trendmicro.com/trendlabs-security-intelligence/zniu-first-android-malware-exploit-dirty-cow-vulnerability/

Good introduction blog into the art of binary fuzzing and crash analysis demonstrated by fuzzing famous open-source Mimikatz software.
https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikatz-on-windows-with-winafl-heatmaps-0day/index.html

Security researcher Inti De Ceukelaire has gained access to company team pages by exploiting faulty business logic in popular third-party on-line helpdesks.
https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

Server part of the Wire end-to-end encrypted instant messenger application is now open-source, but there are lots of external dependencies and no documentation yet.
https://medium.com/@wireapp/wire-server-code-now-100-open-source-the-journey-continues-88e24164309c

A brief description behind the technology of a private contact discovery used in Signal messenger.
https://signal.org/blog/private-contact-discovery/

X41 IT Security company has released an in-depth analysis of the three leading enterprise web browsers Google Chrome, Microsoft Edge, and Internet Explorer.
https://github.com/x41sec/browser-security-whitepaper-2017

A nice list of a various open-source honeypot projects available on-line.
https://www.smokescreen.io/practical-honeypots-a-list-of-open-source-deception-tools-that-detect-threats-for-free/

SigThief - The script that will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. It's not a valid signature BUT it's enough for some anti-viruses to flag the executable as trustworthy.
https://github.com/secretsquirrel/SigThief

InfoSec Week 37, 2017

SfyLabs' researchers discovered a new Android banking Trojan named Red Alert 2.0, that is being offered for rent on many dark websites. It uses Twitter as a fall back mechanism for communication.
https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html

Windows cleanup utility CCleaner distributed by antivirus vendor Avast contained a multi-stage Floxif malware.
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surrounding-ccleaner-malware-incident/

According to Slovak CSIRT, multiple Python packages in the PyPI Python repository was hit by typosquatting attack.
http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

Medfusion 4000 Wireless Syringe Infusion Pumps used in acute critical care settings could be remotely controlled, patients killed.
https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02

Kaspersky researchers discovered a new attack technique leveraging an undocumented Microsoft Word feature that loads PHP scripts hosted on third-party web servers.
https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/

DigitalOcean warned that some pre-built and pre-configured application (One-Click) offered by the cloud platform are using default admin passwords.
http://www.securityweek.com/digitalocean-warns-vulnerability-affecting-cloud-users

A use after free error in Apache HTTP can leak pieces of arbitrary memory from the server. It's tracked as an CVE-2017-9798 "Optionsbleed" vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2017-9798 https://github.com/hannob/optionsbleed

Mr. SIP is a tool developed to audit and simulate SIP-based attacks.
https://github.com/meliht/mr.sip

InfoSec Week 36, 2017

The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in D-Link routers.
https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html

There is a new research paper published on a security of a Bluetooth stack named "The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks." Really alarming vulnerabilities discussed.
From a paper: "BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware to other devices. The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device."
http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

FireEye has analyzed a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability leveraged by attackers to distribute notoriously known FinFisher / FINSPY malware.
I have included exploit example that is published on a GitHub.
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
https://github.com/Voulnet/CVE-2017-8759-Exploit-sample

Kaspersky Labs have analyzed the trend of malicious cryptocurrency mining practices on an infected machines.
https://securelist.com/miners-on-the-rise/81706/

The Android BankBot malware found on Google Play store is targeting multiple UAE banking applications.
http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-play-targets-ten-new-uae-banking-apps

Good analysis of how the JavaScript framework can be abused to bypass XSS mitigations, specifically NoScript’s XSS filter.
http://blog.portswigger.net/2017/09/abusing-javascript-frameworks-to-bypass.html

NSA had developed the capability to decrypt and decode Kazaa and eDonkey file-sharing apps traffic to determine which files are being shared, and what queries are being performed over those P2P networks.
https://theintercept.com/2017/09/13/nsa-broke-the-encryption-on-file-sharing-apps-kazaa-and-edonkey/

Formally verified implementation of Curve25519 made it into Firefox 57. And it is 20% faster on 64-bit architectures.
https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/

A nice curated list of IDA plugins.
https://github.com/onethawt/idaplugins-list

InfoSec Week 34 - 35, 2017

Autodesk A360 cloud-based online storage misused as a delivery platform for multiple malware families.
http://blog.trendmicro.com/trendlabs-security-intelligence/a360-drive-adwind-remcos-netwire-rats/

Brian Krebs has done a good open source intel work on a shadowy past of Marcus Hutchins, author of the popular cybersecurity blog MalwareTech.
https://krebsonsecurity.com/2017/09/who-is-marcus-hutchins/

Wikileaks has published documents about the CIA Angelfire - "persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7)"
https://wikileaks.org/vault7/#Angelfire

ESET has published a research paper about a Gazer, stealth cyberespionage trojan, attributed to the notoriously known Turla group. The group was spreading malware using watering hole and spearphishing campaigns. I cannot find any more direct attribution except the fact that it is targeting "embassies and consulates" which, I believe, are a very common target for every intelligence actor...
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

Zimperium Researcher Adam Donenfeld published a proof-of-concept for iOS Kernel Exploit.
https://github.com/doadam/ziVA

Very good analysis of a group chat vulnerabilities in a popular IM applications:
"Insecurities of WhatsApp's, Signal's, and Threema's Group Chats"
https://web-in-security.blogspot.ch/2017/07/insecurities-of-whatsapps-signals-and.html

Cloudflare's blog post about a quantum resistant supersingular isogeny Diffie-Hellman key agreement used in TLS 1.3.
https://blog.cloudflare.com/sidh-go/

A Phrack-style paper on research into abusing Windows token privileges for escalation of privilege. Deep down the rabbit hole.
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt

Security researchers at Positive Technologies have discovered an undocumented configuration setting that disables the Intel Management Engine.
http://securityaffairs.co/wordpress/62470/hacking/intel-management-engine-kill-switch.html

InfoSec Week 33, 2017

Danish conglomerate Maersk expects to lose between $200-300m due to Petya ransomware infection, according to their latest quarterly results.
http://files.shareholder.com/downloads/ABEA-3GG91Y/3491525620x0x954059/3E9E6E5C-7732-4401-8AFE-F37F7104E2F7/Maersk_Interim_Report_Q2_2017.pdf

A Windows Object Linking Embedding (OLE) interface vulnerability in Microsoft PowerPoint in being exploited in order to install malware.
https://www.neowin.net/news/microsoft-powerpoint-used-as-attack-vector-to-download-malware

Interesting blog about the exploitation of a Foxit Reader.
"A tale about Foxit Reader - Safe Reading mode and other vulnerabilities"
https://insert-script.blogspot.sk/2017/08/a-tale-about-foxit-reader-safe-reading.html

Engineer decrypts Apple's Secure Enclave Processor (SEP) firmware.
http://www.iclarified.com/62025/hacker-decrypts-apples-secure-enclave-processor-sep-firmware

Facebook awards $100,000 to 2017 Internet Defense Prize winning paper "Detecting Credential Spearphishing Attacks in Enterprise Settings". Very useful research for urgent topic.
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/ho https://research.fb.com/facebook-awards-100000-to-2017-internet-defense-prize-winners/

Cryptographic library Libsodium has been audited by Matthew Green of Cryptography Engineering.
https://www.privateinternetaccess.com/blog/2017/08/libsodium-audit-results/

New research on integer factorization suggests that "build a massive decryption tool of IPsec traffic protected by the Oakley group~1 (a 768-bit discrete logarithm problem), was feasible in a reasonable time using technologies available before the year 2000." https://eprint.iacr.org/2017/758

EggShell is an iOS and macOS post exploitation surveillance pentest tool written in Python.
https://github.com/neoneggplant/EggShell

InfoSec Week 32, 2017

The lone Nigerian guy is responsible for an attack against at least 4000 gas, oil, banking, infrastructure organizations using phishing and NetWire trojan for remote access.
https://blog.checkpoint.com/2017/08/15/get-rich-die-trying-case-study-real-identity-behind-wave-cyberattacks-energy-mining-infrastructure-companies/

Alert Logic published report about the cloud security. Public cloud is generally more secure than private and on-premises networks. Attack vectors are the same as for most online applications - mostly SQL injection, remote code execution against the web applications.
https://www.alertlogic.com/assets/industry-reports/alertlogic-cloud-security-report-2017.pdf

Oxford University researchers published so called intra-library collusion (ILC) attack against the Android devices. From the research paper: "(intra-library collusion attack) occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data".
https://arxiv.org/pdf/1708.03520.pdf
https://nakedsecurity.sophos.com/2017/08/15/how-shared-android-libraries-could-be-weaponized-for-data-theft/

Four remotely exploitable vulnerabilities were identified in Siemens’ Molecular Imaging products running Microsoft Windows 7 operating system.
https://ics-cert.us-cert.gov/advisories/ICSMA-17-215-02

A recent phishing campaign that is distributing Trickbot is using extremely plausible imitations of financial institutions and government sites.
https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+banking+Trojan/22720/

WikiLeaks has published CIA tool CouchPotato that allows operators to remotely spy on video streams in real-time.
https://wikileaks.org/vault7/#CouchPotato

InfoSec Week 31, 2017

A new version of the Svpeng Android banking trojan is able to record everything users type on their devices. Crazy stuff.
https://b0n1.blogspot.sk/2017/08/android-banking-trojan-misuses.html https://www.bleepingcomputer.com/news/security/new-version-of-dangerous-android-malware-sold-on-russian-hacking-forum/

Great blog by Kaspersky Lab about the steganography techniques used by malware for data exfiltration, covert communication.
https://securelist.com/steganography-in-contemporary-cyberattacks/79276/

Software researcher from Trail of Bits put Windows Defender to the sandbox.
https://blog.trailofbits.com/2017/08/02/microsoft-didnt-sandbox-windows-defender-so-i-did/

Proofpoint researchers found a spear phishing campaign delivering Carbanak malware to the U.S. restaurant chains.
https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor

How to completely take over the ones online identity? This guy demonstrated that practically.
https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without

Airbnb released the open-source serverless framework for detecting malicious files called BinaryAlert. It uses YARA rules, and takes advantage of AWS Lambda functions for analysis instead of a traditional server architecture. Also uses Terraform to manage underlying infrastructure. Interesting project.
https://medium.com/airbnb-engineering/binaryalert-real-time-serverless-malware-detection-ca44370c1b90

TrickBot malware added worm-like SMB spreading module popularized by WannaCry, Petya samples.
https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

Analysis of the Juniper ScreenOS randomness subsystem backdoor Dual EC backdoor. Complex, Fascinating stuff.
From the research paper: "The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the elliptic curve points used by the Dual EC pseudorandom number generator"
https://www.cs.uic.edu/~s/papers/juniper2016/juniper2016.pdf

Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training.
https://github.com/gophish/gophish

Cisco CSIRT has released GOSINT, open source threat intelligence gathering and processing framework.
https://github.com/ciscocsirt/GOSINT

A generic unpacker for packed Android applications released by the Check Point researchers.
https://github.com/CheckPointSW/android_unpacker

InfoSec Week 30, 2017

NSA's XKeyscore spying tool is used to fish Microsoft Windows crash reports out of the Internet traffic. They have used it against the Mexico's Secretariat of Public Security.
https://www.schneier.com/blog/archives/2017/08/nsa_collects_ms.html

Researchers from the Exodus Intelligence wrote remote exploit against the Android and iOS operating system, using Broadcom’s Wi-Fi chipset bug.
"Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."
https://blog.exodusintel.com/2017/07/26/broadpwn/

Great blog about chaining 4 vulnerabilities on the GitHub Enterprise in order to achieve remote code execution!
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html

Trend Micro researchers analyzed infection chain used by JS_POWMET fileless malware.
http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/

Researchers used antivirus cloud-based sandbox to exfiltrate data from the endpoint.
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox.pdf
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf

The Google team has blocked a new "Lipizzan" Android spyware family from the Google Play.
https://android-developers.googleblog.com/2017/07/from-chrysaor-to-lipizzan-blocking-new.html

Microsoft won't patch a 20 years old SMBv1 SMBloris memory handling bug, that could be exploited by attackers to execute a Denial of Service attack on a web servers.
http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

Private notes application Standard Notes got a cryptography audit.
https://standardnotes.org/blog/7/announcing-our-2017-security-audit-results

Framework for Testing WAFs (FTW) is a project created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF.
https://github.com/fastly/ftw

InfoSec Week 29, 2017

Microsoft has analyzed EnglishmansDentist exploit used against the Exchange 2003 mail servers on the out-dated Windows Server 2003 OS. Exploit was released by ShadowBrokers back in April 2017.
https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/

ESET researchers have analyzed a Stantinko botnet consisting of almost half a million machines used for ad-related fraud. It uses malicious Chrome extensions, but also creating and managing Facebook profiles and brute-forcing Joomla and WordPress websites.
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/

A buffer overflow in the Source SDK in Valve's Source SDK allows an attacker to remotely execute code on a user's computer machine.
https://www.bleepingcomputer.com/news/security/valve-patches-security-flaw-that-allows-installation-of-malware-via-steam-games/
https://motherboard.vice.com/en_us/article/nevmwd/counter-strike-bug-allowed-hackers-to-completely-own-your-computer-with-a-frag

Secure messaging application Wire is now supporting end-to-end encrypted chats, file sharing and calls to businesses. But it's paid feature.
https://medium.com/@wireapp/wire-at-work-introducing-teams-beta-e50dacf6e9f1

Briar, a secure messaging app for Android, was released for a public beta testing. It's using Tor, or P2P direct messaging over Wifi, Bluetooth. Very interesting project.
https://briarproject.org/news/2017-beta-released-security-audit.html

D. J. Bernstein has published blog about the secure key material erasure: "2017.07.23: Fast-key-erasure random-number generators"
https://blog.cr.yp.to/20170723-random.html

Google Project Zero analyzed the security properties of the two major Trusted Execution Environment present on Android devices - Qualcomm’s QSEE and Trustonic’s Kinibi.
https://googleprojectzero.blogspot.sk/2017/07/trust-issues-exploiting-trustzone-tees.html

Prowler is a tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark.
https://github.com/alfresco/prowler

Hardentools is a utility that disables a number of risky Windows "features" exposed by Windows operating system.
https://github.com/securitywithoutborders/hardentools

InfoSec Week 28, 2017

Porn spam botnet consisting of more than 80,000 automated female Twitter accounts has been prompting millions of clicks from Twitter users to the various affiliate dating schemes (known as "partnerka").
https://krebsonsecurity.com/2017/07/porn-spam-botnet-has-evil-twitter-twin/

Two malware families, NemucodAES ransomware and Kovter trojan are being distributed via email, pretending to be a delivery notice from the United Parcel Service.
https://isc.sans.edu/forums/diary/NemucodAES+and+the+malspam+that+distributes+it/22614/

Reyptson ransomware is using victim’s configured Thunderbird email account to execute spam distribution campaign against its contacts.
http://www.securitynewspaper.com/2017/07/18/reyptson-ransomware-spams-friends-stealing-thunderbird-contacts/

Android spyware targeting Iranians is using Telegram bot API to exfiltrate data to the remote server.
https://blog.avast.com/spyware-targets-iranian-android-users-by-abusing-messaging-app-telegram-bot-api

Trustwave SpiderLabs researchers discovered a zero-day vulnerability in Humax HG-100R WiFi Router, that could be exploited by attackers to compromise the WiFi credentials and obtain the router console administrative password.
https://www.trustwave.com/Resources/SpiderLabs-Blog/0-Day-Alert--Your-Humax-WiFi-Router-Might-Be-In-Danger/

Proofpoint analyzed Ovidiy Stealer, undocumented credential stealer, which is sold on the Russian-speaking forums.
https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses

Guido Vranken fuzzed FreeRADIUS source code and found 15 issues, four exploitable, and one of which is a remote code execution bug (RCE). Compile and upgrade now.
http://freeradius.org/security/fuzzer-2017.html

Humble Bundle is selling for next 12 days a lots of DRM-free cybersecurity books very cheaply.
https://www.humblebundle.com/books/cybersecurity-wiley

WireGuard, fast, modern, secure VPN tunnel is now formally verified with the Tamarin equational theorem prover. Really powerful software.
https://www.wireguard.com/formal-verification/

Interesting USENIX paper on the security (and analysis) of bootloaders in mobile devices:
BootStomp: On the Security of Bootloaders in Mobile Devices
http://cs.ucsb.edu/~yanick/publications/2017_sec_bootstomp.pdf

PyREBox is a Python scriptable Reverse Engineering sandbox developed by Cisco Talos. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.
https://github.com/Cisco-Talos/pyrebox


Page 2 / 6