Malgregator

InfoSec Week 29, 2017

Microsoft has analyzed EnglishmansDentist exploit used against the Exchange 2003 mail servers on the out-dated Windows Server 2003 OS. Exploit was released by ShadowBrokers back in April 2017.
https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/

ESET researchers have analyzed a Stantinko botnet consisting of almost half a million machines used for ad-related fraud. It uses malicious Chrome extensions, but also creating and managing Facebook profiles and brute-forcing Joomla and WordPress websites.
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/

A buffer overflow in the Source SDK in Valve's Source SDK allows an attacker to remotely execute code on a user's computer machine.
https://www.bleepingcomputer.com/news/security/valve-patches-security-flaw-that-allows-installation-of-malware-via-steam-games/
https://motherboard.vice.com/en_us/article/nevmwd/counter-strike-bug-allowed-hackers-to-completely-own-your-computer-with-a-frag

Secure messaging application Wire is now supporting end-to-end encrypted chats, file sharing and calls to businesses. But it's paid feature.
https://medium.com/@wireapp/wire-at-work-introducing-teams-beta-e50dacf6e9f1

Briar, a secure messaging app for Android, was released for a public beta testing. It's using Tor, or P2P direct messaging over Wifi, Bluetooth. Very interesting project.
https://briarproject.org/news/2017-beta-released-security-audit.html

D. J. Bernstein has published blog about the secure key material erasure: "2017.07.23: Fast-key-erasure random-number generators"
https://blog.cr.yp.to/20170723-random.html

Google Project Zero analyzed the security properties of the two major Trusted Execution Environment present on Android devices - Qualcomm’s QSEE and Trustonic’s Kinibi.
https://googleprojectzero.blogspot.sk/2017/07/trust-issues-exploiting-trustzone-tees.html

Prowler is a tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark.
https://github.com/alfresco/prowler

Hardentools is a utility that disables a number of risky Windows "features" exposed by Windows operating system.
https://github.com/securitywithoutborders/hardentools

InfoSec Week 28, 2017

Porn spam botnet consisting of more than 80,000 automated female Twitter accounts has been prompting millions of clicks from Twitter users to the various affiliate dating schemes (known as "partnerka").
https://krebsonsecurity.com/2017/07/porn-spam-botnet-has-evil-twitter-twin/

Two malware families, NemucodAES ransomware and Kovter trojan are being distributed via email, pretending to be a delivery notice from the United Parcel Service.
https://isc.sans.edu/forums/diary/NemucodAES+and+the+malspam+that+distributes+it/22614/

Reyptson ransomware is using victim’s configured Thunderbird email account to execute spam distribution campaign against its contacts.
http://www.securitynewspaper.com/2017/07/18/reyptson-ransomware-spams-friends-stealing-thunderbird-contacts/

Android spyware targeting Iranians is using Telegram bot API to exfiltrate data to the remote server.
https://blog.avast.com/spyware-targets-iranian-android-users-by-abusing-messaging-app-telegram-bot-api

Trustwave SpiderLabs researchers discovered a zero-day vulnerability in Humax HG-100R WiFi Router, that could be exploited by attackers to compromise the WiFi credentials and obtain the router console administrative password.
https://www.trustwave.com/Resources/SpiderLabs-Blog/0-Day-Alert--Your-Humax-WiFi-Router-Might-Be-In-Danger/

Proofpoint analyzed Ovidiy Stealer, undocumented credential stealer, which is sold on the Russian-speaking forums.
https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses

Guido Vranken fuzzed FreeRADIUS source code and found 15 issues, four exploitable, and one of which is a remote code execution bug (RCE). Compile and upgrade now.
http://freeradius.org/security/fuzzer-2017.html

Humble Bundle is selling for next 12 days a lots of DRM-free cybersecurity books very cheaply.
https://www.humblebundle.com/books/cybersecurity-wiley

WireGuard, fast, modern, secure VPN tunnel is now formally verified with the Tamarin equational theorem prover. Really powerful software.
https://www.wireguard.com/formal-verification/

Interesting USENIX paper on the security (and analysis) of bootloaders in mobile devices:
BootStomp: On the Security of Bootloaders in Mobile Devices
http://cs.ucsb.edu/~yanick/publications/2017_sec_bootstomp.pdf

PyREBox is a Python scriptable Reverse Engineering sandbox developed by Cisco Talos. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.
https://github.com/Cisco-Talos/pyrebox

InfoSec Week 27, 2017

WikiLeaks has published documents detailing two alleged CIA implants, BothanSpy and Gyrfalcon, designed to steal SSH credentials from Windows and Linux.
https://wikileaks.org/vault7/#BothanSpy

Popular article about the background of iPhone Jailbreaking. Really interesting.
https://motherboard.vice.com/en_us/article/8xa4ka/iphone-jailbreak-life-death-legacy

Domains for an authoritative name servers of .io domain was free, so guy registered one, and published blog about the possibility of .io domains takeover.
https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/

The author of the original variant of the Petya ransomware has published the master key via Twitter.
https://twitter.com/JanusSecretary/status/882663988429021184

Security researcher Nitay Artenstein has discovered a serious Broadcom Wi-Fi chip bug CVE-2017-9417.
https://www.bleepingcomputer.com/news/security/broadpwn-bug-affects-millions-of-android-and-ios-devices/

Chinese researchers published an attack on a satellite phone encryption that enable them to decrypt communication encrypted by GMR-2 cipher in real-time.
https://eprint.iacr.org/2017/655.pdf

API Security Checklist is the checklist of the most important security countermeasures when designing, testing, and releasing an online API.
https://github.com/shieldfy/API-Security-Checklist

Horcrux: A Password Manager for Paranoids is an research project and experimental implementation of a highly secure password manager. Credentials are secretshared over multiple servers, the passwords are filled by modifying outgoing POST requests.
https://github.com/HainaLi/horcrux_password_manager
https://export.arxiv.org/pdf/1706.05085

InfoSec Week 26, 2017

The ExPetr/Petya ransomware which hits the Ukraine last week is actually a disk wiper. Victims are not able to decrypt their data, as the encryption key is not stored anywhere.
https://securelist.com/schroedingers-petya/78870/

Blog with details about the remotely triggerable stack-based buffer overflow found in Avast Antivirus software last year.
https://landave.io/2017/06/avast-antivirus-remote-stack-buffer-overflow-with-magic-numbers/

Linux Systemd gives root privileges to usernames started with number.
https://ma.ttias.be/giving-perspective-systemds-usernames-start-digit-get-root-privileges-bug/

WikiLeaks published a manual describing "OutlawCountry" Linux malware which redirects outgoing Internet traffic using netfilter, iptables. The second published is ELSA, a geo-location malware for WiFi-enabled devices running the Microsoft Windows operating system.
https://wikileaks.org/vault7/releases/#OutlawCountry
https://wikileaks.org/vault7/#Elsa

Security researcher Benjamin Kunz-Mejri discovered a Skype (7.2, 7.35, and 7.36) zero-day remote buffer overflow vulnerability CVE-2017-9948.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9948

Great blog post about the problems of a certificate revocation, alternative solutions and how to do it better.
https://scotthelme.co.uk/revocation-is-broken/

Blog about the novel reflective DLL injection technique called ThreadContinue which uses SetThreadContext() and NtContinue() API calls.
https://zerosum0x0.blogspot.sk/2017/07/threadcontinue-reflective-injection.html

InfoSec Week 25, 2017

Ukrainian critical infrastructure, including banks, Kyiv’s metro system, the airport and the Chernobyl's radiation monitoring system, was hit by the worldwide malware campaign.
The attack is believed to be a new campaign by the group behind Petya ransomware. It takes advantage of the known SMB exploit (EternalBlue), and is spreading fast to the other countries.
https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
https://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

Indian ATMs running outdated Windows XP are suffering jackpotting attack by the Rufus ATM malware.
http://securityaffairs.co/wordpress/60220/breaking-news/rufus-malware-atm.html

Analysis of a new Marcher Android banking trojan variant which is posing as Adobe Flash Player Update.
https://www.zscaler.com/blogs/research/new-android-marcher-variant-posing-adobe-flash-player-update

The Russian government is threatening to ban Telegram messenger because it refused to be compliant with the data protection laws.
http://securityaffairs.co/wordpress/60449/terrorism/russia-telegram-ban.html

Bug hunter from Google, Tavis Ormandy, has found yet another serious vulnerability in the Microsoft's Malware Protection Engine.
http://www.databreachtoday.com/google-security-researcher-pops-microsofts-av-defenses-a-10058

The Hardware Forensic Database (HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools.
http://hfdb.io/

Good summary of the most common memory based attacker techniques such as shellcode injection, reflective DLL injection or process hollowing.
https://www.endgame.com/blog/technical-blog/hunting-memory

InfoSec Week 24, 2017

Erebus ransomware distributed by the malicious advertisement campaign is using Rig exploit kit to infect Linux servers across the world.
Some companies had to pay already.
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures

FireEye published anatomy of a cyber extortion scheme executed by FIN10 group. They infiltrate company networks, steal valuable data, then attempt to extort executives and board members of a company.
https://www.hackread.com/wp-content/uploads/2017/06/fin10-cyber-extortionist-canadian-mining-firms-casinos-to-ransom.pdf
https://www.fireeye.com/blog/threat-research/2017/06/fin10-anatomy-of-a-cyber-extortion-operation.html

Researchers changed e-cigarette USB compatible charger for a keyboard emulator, so it can issue commands when connected to the PC.
http://news.sky.com/story/e-cigarettes-can-be-used-to-hack-computers-10908333

Wired has published an article about the malware behind the Ukraine power grid blackout.
https://www.wired.com/story/crash-override-malware/

A lottery computer programmer designed his code so that on three days of the year, he could predict winning numbers in some games.
https://www.bloomberg.com/news/articles/2017-06-12/programmer-pleads-guilty-to-theft-in-lottery-rigging-scandal

Part of the Wikileaks Vault 7 release, Cherry Blossom, exposes CIA wireless hacking toolkit.
https://wikileaks.org/vault7/#Cherry Blossom

Cisco Talos has published BASS - Automated Signature Synthesizer for malware detection.
https://github.com/Cisco-Talos/bass

Some (AVG, Avast, Avira, CheckPoint, K7) antivirus software‘s kernel vulnerabilities found by the bee13oy security researcher.
https://github.com/bee13oy/AV_Kernel_Vulns

InfoSec Week 23, 2017

Turla malware is communicating with the C&C infrastructure by leaving comments in Britney Spears's Instagram account.
https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/

The gang behind Platinum threat is using Intel Active Management technology Serial-over-LAN channel to bypass the software firewall when transferring files, due to operating system independence of this low level technology.
https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/

Montenegro is continuously targeted by cyber attacks attributed to the APT28 group as a part of a broader influence campaign.
http://securityaffairs.co/wordpress/59820/apt/apt28-targets-montenegro.html

MacSpy malware-as-a-service is a feature rich RAT targeting OS X operating system.
https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service

IBM researchers analyzed QakBot banking trojan responsible for "lock out" of the hundreds of Active Directory users.
https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/

A Linux malware is installing cryptocurrency mining software on Raspberry Pi via SSH. It's using only default SSH user & passphrase.
https://www.bleepingcomputer.com/news/security/linux-malware-mines-for-cryptocurrency-using-raspberry-pi-devices/

The GNU Privacy Guard (GnuPG) developers start new fundraising effort for the continued development of this well known encryption software.
If you want to know more about the capabilities of GnuPG, check the linked "An Advanced Intro to GnuPG" presentation from the last year.
Please, donate.
https://gnupg.org/donate/
https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html

InfoSec Week 22, 2017

Notoriously known Gh0st RAT spyware is spreading through the same SMB vulnerability as a WannaCry ransomware.
https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

Jaff, ransomware distributed by the today's biggest spam botnet Necurs, is sharing server infrastructure with a PaySell cybercrime marketplace based in Saint Petersburgh, Russia.
https://heimdalsecurity.com/blog/jaff-ransomware-operation-cyber-crime-marketplace/

Security researchers have spotted a new PowerPoint infection vector. Malware is downloaded to a computer whenever a victim hovers a link. Without the macros.
https://www.bleepingcomputer.com/news/security/powerpoint-file-downloads-malware-when-you-hover-a-link-no-macros-required/

Wikileaks has published yet another CIA toolkit - Windows implant capable of the on-the-fly infection of a file executed over the network.
https://wikileaks.org/vault7/releases/#Pandemic

This guy lost lots of bitcoin in 15 minutes as attacker exploited Verison alternative authentification method. Interesting read.
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

Company behind OneLogin, a single sign-on and identity management for cloud-based applications, has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.
https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/

InfoSec Week 21, 2017

Check Point researchers revealed a new attack vector using malicious subtitle files, which, when downloaded by a victim’s media player, can provide complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io.
http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

Check Point also discovered an auto-clicking adware found on 41 apps in Google Play Store. It is silently sending "clicks" to an advertisements pushed by the remote C&C server.
http://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

WannaCry support staff decrypted files for free because their "Taiwanese campaign seems to be a total failure." and they have "overestimated income of the population". How generous.
https://twitter.com/fztalks/status/864852163230609408
http://www.taiwannews.com.tw/en/news/3161826

Cloak & Dagger is a new class of potential attacks affecting Android devices. It's basically an attack vector based on two Android permissions (SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE) that are allowed by default and malicious app can use them to do bad stuff.
http://cloak-and-dagger.org/

Interesting security evaluation "of the Implantable Cardiac Device Ecosystem Architecture" by the WhiteScope. Basically, these devices are not authenticated, nor encrypted and can be programmed by anyone competent.
http://blog.whitescope.io/2017/05/understanding-pacemaker-systems.html

Crypto guys published paper breaking the encryption published 3 days earlier. Should have emailed them instead...
https://eprint.iacr.org/2017/471 https://eprint.iacr.org/2017/458

Vulnerability researcher Tavis Ormandy has ported Windows Defender to Linux:)
"This repository contains a library that allows native Linux programs to load and call functions from a Windows DLL."
https://github.com/taviso/loadlibrary

InfoSec Week 20, 2017

Researchers published WannaCry ransomware decryption tool for older Windows (XP, 2003, 7). It uses bug in the Windows Crypto API which does not immediately erase private key. The application is crawling the computer memory, looking for the prime numbers which can divide the public key used for the encryption.
https://github.com/gentilkiwi/wanakiwi/releases

Google introduced behavior-based malware scanner to every Android device. It's part of the Google Play Service and scans installed apps and provides phone tracking in the case of theft.
https://blog.google/products/android/google-play-protect/

Croatian CERT honeypot detected a new SMB worm which uses seven tools from the NSA hacking toolkit. It uses Tor based C&C server, currently only beaconing the server, and spreading using the SMB exploit.
https://github.com/stamparm/EternalRocks

Research by the Recorded Future and the Intrusiontruth group concludes that so-called APT3, widely believed to be a China-based threat actor, is directly connected to the Chinese Ministry of State Security (MSS).
https://www.recordedfuture.com/chinese-mss-behind-apt3/
https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/

Sophos discovered malware infecting Seagate NAS devices which turn them into Monero cryptocurrency miners. However, “This threat is not targeting the Seagate Central device specifically; however, the device has a design flaw that allows it to be compromised. Most all of these devices have already been infected by this threat.” https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Cryptomining-malware-on-NAS-servers.pdf?la=en

Wikileaks released another CIA malware spying framework. Called 'Athena', the program "provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10)."
https://wikileaks.org/vault7/#Athena

Maltrail is a malicious traffic detection system, utilizing publicly available lists containing malicious and generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists.
https://github.com/stamparm/maltrail


Page 2 / 5