InfoSec Week 7, 2019

Ubiquiti network devices are being remotely exploited via the discovery service on port 10001. Exploitation results in loss of device management, and the service is also being used for weak UDP DDoS amplification: 56 bytes in, 206 bytes out.

Researchers demonstrated that the Intel SGX trusted enclave poses a security threat by implementing proof-of-concept malware that bypasses antivirus protection by leveraging SGX properties. Find more information in the research paper named "Practical Enclave Malware with Intel SGX".

It looks like the diffusion layer of the Russian symmetric cipher Kuznyechik and the hash function Streebog has the mathematical properties required for a backdoor. There is no theoretical attack yet, and I am not convinced that it is on purpose, but the construction is suspicious.

Google engineers have designed a new encryption mode for the ChaCha stream cipher called Adiantum. The new encryption mode should be used on cheap ARM processors that do not have hardware support for AES, and it is almost 5x faster than AES-256-XTS.

Current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API.

Phones running Android OS can be compromised remotely by viewing a malicious PNG image.

A new vulnerability in runc, the container runtime used by Docker, Kubernetes and others, allows container escape just by running a malicious image.

NCC Group published an interesting blog post about a downgrade attack on TLS 1.3 and multiple other vulnerabilities in major TLS libraries which they found last year.

Researcher Scott Gayou published a step-by-step guide on how to jailbreak the Subaru Crosstrek 2018 head unit by leveraging the USB port and update mechanism.

According to the Airbnb presentation, 38 percent of bugs at Airbnb could have been prevented by using types.

You can try to find bugs in the Swiss eVoting System, as they opened a bug bounty program. The source code is also available to registered bug hunters.

Google open-sourced ClusterFuzz, the infrastructure used for fuzzing Chrome and for OSS-Fuzz, a continuous fuzzing pipeline for open source software.

InfoSec Week 27, 2018

Samsung Galaxy S9 and S9+ devices, maybe others, are texting camera photos to random contacts through the Samsung Messages app without user permission.

The Gentoo Linux distribution's GitHub repository was compromised. The attacker removed all the maintainers, who noticed the intrusion only 10 minutes after he gained access. He added rm -rf /* to build scripts, changed the README and made some minor changes.

Since January 2017, the Stylish browser extension has been augmented with spyware that records every single website that its 2 million users visit, then sends the complete browsing activity back to its servers, together with a unique identifier.

DigiCert withdraws from the CA Security Council (CASC) because they "feel that CASC is not sufficiently transparent and does not represent the diversity of the modern Certificate Authority (CA) industry. Improving the ecosystem requires broad participation from all interested stakeholders, and many are being excluded unnecessarily."
Great step, DigiCert!

The CryptoCurrency Clipboard Hijacker malware discovered by Bleeping Computer monitors for more than 2.3 million Bitcoin addresses, then replaces them in memory with the attacker's address.

Local root jailbreak, authorization bypass & privilege escalation vulnerabilities in all ADB broadband routers, gateways and modems. The patch is already available.

A Microsoft Security division published an analysis of the malware sample which exploited the Adobe Reader software and the Windows operating system using two zero-day exploits in a single PDF file.

Blog about why it is not helpful to use the Canvas Defender extension, a browser canvas fingerprinting countermeasure.

Blog about the cryptographic primitives used by the North Korean Red Star operating system. The OS mostly uses AES-256 Rijndael with dynamic S-Box modifications, but the design is evolving and the latest version of the algorithm has more differences.

An interesting technique for bypassing web-application firewalls by abusing SSL/TLS. An attacker can initialize the connection with an SSL cipher that the WAF does not support but the webserver behind it does; the WAF is then unable to identify the attack because it can't view the data.

A good introduction to the Linux ELF file format with some practical examples of what sections look like, how to shrink the size during compilation and more.

InfoSec Week 19, 2018

The first ransomware taking advantage of the new Process Doppelgänging fileless code injection technique has appeared. The technique works on all modern versions of Microsoft Windows since Vista. This variant of the known SynAck ransomware uses NTFS transactions to launch a malicious process by replacing the memory of a legitimate process.

Security researchers from the Dutch information security company Computest have found that some Volkswagen and Audi cars are vulnerable to remote hacking. They were able to exploit vehicle infotainment systems. Attackers could track the car's location as well as listen to conversations in the car.

Twitter found a bug that stored user passwords unmasked in an internal log. There is no indication of a breach, but all Twitter users should change their passwords.

There is a breakthrough cryptographic attack on 5-round AES using only 2^22 (previous best was 2^32), presented at CRYPTO 2018. It is the joint work of Nathan Keller, Achiya Bar On, Orr Dunkelman, Eyal Ronen and Adi Shamir. This kind of attack is useful when evaluating the security of a cipher; it does not have any real-world implication, as AES uses at least 10 rounds in production implementations.

A bug hunter who found multiple vulnerabilities in the 7-zip software used by anti-virus vendors wrote a blog post on how to exploit one of these bugs. Interesting read.

The 360 Core Security Division response team detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability (CVE-2018-8174). It is a remote code execution vulnerability in the Windows VBScript engine and affects the latest version of Internet Explorer.
Microsoft patched this vulnerability a few days ago and credited Chinese researchers.

Source code of TreasureHunter Point-of-Sale malware leaks online.

The ssh-decorator package from Python pip had an obvious backdoor (sending ip+login+password to ssh-decorate[.]cf in cleartext HTTP).

Luke Picciau wrote about his experience with Matrix and its Riot messenger for one year.

The first official version 1.0 RC of Briar for Android has been released.
Briar is an open-source, end-to-end encrypted, Bluetooth / WiFi / Tor based mesh-networking (decentralized) messaging application.

The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection.