Tag Apple

InfoSec Week 49, 2018

Apple included support for the WebAuthentication API in the latest Safari Release 71 (Technology Preview). The new WebAuthentication as implemented supports USB-based CTAP2 devices.
https://webkit.org/blog/8517/release-notes-for-safari-technology-preview-71/

A critical Kubernetes privilege escalation bug (CVE-2018-1002105) was found and patched this week. When exploited, the bug allows anonymous as well as authenticated users to use admin privileges over the cluster API.
An exploit has already been published on GitHub.
https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/
https://github.com/evict/poc_CVE-2018-1002105

British Telecom will not use Huawei's 5G kit within the core of the network due to security concerns.
https://www.bbc.com/news/technology-46453425

Security agencies in Australia will gain greater access to encrypted messages due to new legislation.
https://mobile.abc.net.au/news/2018-12-06/labor-backdown-federal-government-to-pass-greater-surveillance/10591944

US National Security Archive published a complete index of all 1504 items in the declassified collection of NSA internal Cryptolog periodical.
https://nsarchive.gwu.edu/briefing-book/cyber-vault/2018-12-04/cyber-brief-cryptolog

Security researchers released attacks on 7 TLS implementations, making use of Bleichenbacher's and Manger's attacks.
The research, named "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations", also includes a TLS 1.3 downgrade attack.
http://cat.eyalro.net/

Ransomware infected 100k computers in China, demands payment via WeChat and uses XOR as "encryption". The author was probably identified because he registered a domain under his own name.
https://movaxbx.ru/2018/12/05/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/

It looks like the 13-year-old Virut botnet has been resurrected in the wild.
https://chrisdietri.ch/post/virut-resurrects/

Great blog post on how a guy scammed a scammer into sending him a photo of his ID.
https://medium.com/@hackerfantastic/scamming-the-scammers-2fb934099ccc

Nearly 250 Pages of internal Facebook documents, emails and statistics were posted online by the UK Parliament.
https://motherboard.vice.com/en_us/article/59vwez/nearly-250-pages-of-devastating-internal-facebook-documents-posted-online-by-uk-parliament

User data of the question-and-answer website Quora was compromised.
https://help.quora.com/hc/en-us/articles/360020212652

The records of 500 million customers of the Marriott International hotel group were compromised.
https://www.bbc.com/news/technology-46401890

Interesting revisited paper: "From Keys to Databases -- Real-World Applications of Secure Multi-Party Computation."
https://eprint.iacr.org/2018/450

GTRS is a tool that uses Google Translator as a proxy to send arbitrary commands to an infected machine.
https://github.com/mthbernardes/GTRS

InfoSec Week 44, 2018

US federal prosecutors say that Chinese spies hacked a dozen firms to steal aviation engineering secrets for a Chinese aerospace company.
https://arstechnica.com/tech-policy/2018/10/feds-say-chinese-spies-and-their-hired-hackers-stole-aviation-secrets/

Apple's ICMP packet-handling code contains a heap buffer overflow vulnerability (CVE-2018-4407).
An exploit can DoS any Mac or iOS device on a network by sending a crafted packet. The ping of death is back.
https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407

Microsoft is sharing Indian bank customers' data with U.S. intelligence agencies.
It looks like the banks were aware of it when they signed the Office 365 license agreements.
https://www.neowin.net/news/microsoft-has-been-sharing-indian-bank-customers039-data-with-us-intelligence-agencies

Google announced the launch of reCAPTCHA v3, which aims to improve user experience by removing the need for challenges. It uses a score based on the user's on-site interactions.
https://developers.google.com/recaptcha/docs/v3

The end-to-end encrypted instant messaging application Signal introduced a new "Sealed sender" privacy feature that protects the sender from traffic observation.
https://signal.org/blog/sealed-sender/

Multiple malicious Python libraries were found and removed from PyPI. The authors typosquat popular repository names to deliver malware.
https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

Great list of lessons learned over 20 years of red teaming by security expert Matt Devost.
https://www.oodaloop.com/ooda-original/2015/10/22/10-red-teaming-lessons-learned-over-20-years/

Cisco Talos researchers found a code execution vulnerability in the anti-malware tool Sophos HitmanPro.Alert.
https://www.scmagazineuk.com/vulnerability-found-sophos-anti-malware-product/article/1497367

Researcher Jay Rosenberg documents a clear connection between one of Lazarus Group's tools and the open source Chinese CasperPhpTrojan remote access trojan.
https://www.intezer.com/paleontology-the-unknown-origins-of-lazarus-malware/

Apple releases specification of T2 security chip.
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf

Researchers announced a fast attack breaking OCB2, an ISO-standard authenticated encryption scheme.
https://eprint.iacr.org/2018/1040

InfoSec Week 40, 2018

Estonia sues Gemalto for €152M over ID card flaws. According to an article, some keys were NOT generated on a smartcard due to a scaling issue.
Well, it looks like they are not affected by the ROCA vulnerability, just compromised by Gemalto :)
https://dan.enigmabridge.com/estonia-hits-gemalto-again-insecure-eid-cards/

Apple laptops on Intel chipsets were running in the Intel Management Engine Manufacturing Mode. The vulnerability (CVE-2018-4251) was patched in macOS High Sierra update 10.13.5.
By exploiting the vulnerability, an attacker could write old versions of Intel ME without physical access to the computer, with the possibility of running arbitrary code in ME.
http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html

The FBI took down Phantom Secure, a Canadian (not only) encrypted communication service.
The company turned smartphones into single-use encrypted communication devices, mostly used by drug kingpins.
The service was sold only to customers recommended by existing ones.
https://www.fbi.gov/news/stories/phantom-secure-takedown-031618

The US-CERT has released a technical alert warning about a new "FASTCash" ATM scheme being used by the North Korean APT hacking group.
The malware installed on the issuers' compromised switch application servers intercepts the transaction request and replies with fake responses, fooling ATMs into spitting out a large amount of cash.
https://www.us-cert.gov/ncas/alerts/TA18-275A

The GhostDNS DNS changer botnet hijacked over 100k routers, attacking routers over the intranet using browser JavaScript.
https://www.hacking.reviews/2018/10/ghostdns-new-dns-changer-botnet.html

Brian Krebs wrote about really clever phishing scams executed over the phone. The scammers pretend to be a bank and have lots of information about the victim before the scam occurs.
https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/

A Reddit user found a tiny Linux PC hooked up to a router in his apartment. Investigation showed that it is some kind of information-stealing device and that the info collectors are paying "rent" to a roommate who implanted it on his own network.
https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/found_hooked_up_to_my_router/e6nh61r/

Facebook published some technical details about the recent profile leaking vulnerability.
The attackers connected three bugs and basically automated the whole process of obtaining user access tokens.
https://newsroom.fb.com/news/2018/09/security-update/

ESET researchers documented the first UEFI rootkit found in the wild. Called LoJax, the rootkit targets government organizations in Central and Eastern Europe and the Balkans.
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

Conor Patrick recently launched a Kickstarter campaign for Solo, the first open source FIDO2 USB and NFC security key. Support it!
https://www.kickstarter.com/projects/conorpatrick/solo-the-first-open-source-fido2-security-key-usb

A step-by-step Linux kernel exploitation for CVE-2017-11176 with the exploit code included.
https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html

InfoSec Week 39, 2018

Linux has officially committed to implementing and obeying the Code of Conduct, which was immediately misused to remove top Linux coders.
Some of the Linux developers are now threatening to withdraw the license to all of their code.
https://lulz.com/linux-devs-threaten-killswitch-coc-controversy-1252/

A bug in Twitter sent users' private direct messages to third-party developers who were not authorized to receive them. Some brand accounts are probably affected.
https://blog.twitter.com/developer/en_us/topics/tools/2018/details-for-developers-on-Account-Activity-API-bug.html

Qualcomm accuses Apple of stealing chip secrets for the purpose of helping Intel overcome engineering flaws in its chips.
https://www.cnbc.com/2018/09/25/qualcomm-accuses-apple-of-giving-its-chip-secrets-to-intel.html

The Australian government is pushing for smartphone spyware implanted by telco vendors and manufacturers.
https://www.brisbanetimes.com.au/business/companies/spyware-on-phone-fears-as-dutton-pushes-new-security-laws-20180924-p505oc.html

At least the sixth backdoor account was removed from Cisco devices this year.
This time it's "hardcoded credentials" in the Cisco Video Surveillance Manager (VSM) Software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm

ESET researchers discovered that Kodi Media Player add-ons are being misused to distribute cryptocurrency mining malware.
https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/

According to a stackexchange post, "the Chinese police is forcing whole cities to install an Android spyware app Jingwang Weishi.
They are stopping people in the street and detaining those who refuse to install it."
https://security.stackexchange.com/questions/194353/police-forcing-me-to-install-jingwang-spyware-app-how-to-minimize-impact

Researchers proved that PKCS #1 digital signatures are as secure as any of their successors, such as RSA-PSS and RSA Full-Domain.
https://www.schneier.com/blog/archives/2018/09/evidence_for_th.html

There is a novel cache poisoning attack on WiFi via a remote off-path MITM attack vector.
It takes only 30 seconds and uses an interesting multi-packet injection that relies on timing side-channel inference. It works on Windows, OSX and Linux.
https://www.usenix.org/conference/usenixsecurity18/presentation/chen-weiteng

InfoSec Week 37, 2018

The Tesla Model S uses a 40-bit challenge-response scheme that was broken back in 2005. Researchers stole a car in ~6 seconds with precomputed tables.
https://www.esat.kuleuven.be/cosic/fast-furious-and-insecure-passive-keyless-entry-and-start-in-modern-supercars/

The Zerodium exploit acquisition program published a serious Tor Browser 7.x vulnerability leading to a full bypass of the Tor / NoScript 'Safest' security level, which is supposed to block all JavaScript.
This kind of bug is a law enforcement dream.
https://twitter.com/Zerodium/status/1039127214602641409

Very interesting read from Troy Hunt on the effectiveness of negative media coverage and shaming of bad security.
https://www.troyhunt.com/the-effectiveness-of-publicly-shaming-bad-security/

Researchers say that the developers of Adware Doctor, the fourth highest ranking paid app in the Mac App Store, have found a way to bypass Apple restrictions and send the browsing history of its users to a server in China. Apple has already removed the application from the Mac App Store.
https://objective-see.com/blog/blog_0x37.html

Apple has also removed most of the popular security applications offered by cyber-security vendor Trend Micro from its official Mac App Store after they were caught stealing users' sensitive data without their consent.
https://www.bleepingcomputer.com/news/security/trend-micro-apps-leak-user-data-removed-from-mac-app-store/

European Court of Human Rights rules that GCHQ Data collection violates the human rights charter.
https://www.theguardian.com/uk-news/2018/sep/13/gchq-data-collection-violated-human-rights-strasbourg-court-rules

The Iranian government has, at least since 2016, been spying on its citizens, Kurdish and Turkish natives, and ISIS supporters, using mobile applications containing malware.
The operation has been named Domestic Kitten.
https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/

Researchers introduced a previously overlooked side-channel attack vector called Nemesis that abuses the CPU’s interrupt mechanism to leak microarchitectural instruction timings from enclaved execution environments such as Intel SGX, Sancus, and TrustLite.
https://github.com/jovanbulck/nemesis

India’s controversial Aadhaar identity database software was hacked, ID database compromised.
The vulnerability could allow someone to circumvent security measures in the Aadhaar software, and create new entries.
https://www.huffingtonpost.in/2018/09/11/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472

Criminals are faking the Google Analytics script to steal credentials and stay under the radar.
https://gwillem.gitlab.io/2018/09/06/fake-google-analytics-malware/

The OpenSSL team released version 1.1.1. There are lots of new features, such as TLS 1.3 support, side-channel hardening, a new RNG, SHA3 and Ed25519 support.
https://www.openssl.org/blog/blog/2018/09/11/release111/

InfoSec Week 32, 2018

A Comcast security flaw exposed the personal information of more than 26 million customers. Basically, an attacker could spoof an IP address using the "X-Forwarded-For" header on a Comcast login page and reveal the customer’s location.
https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers
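The defensive counterpart to the Comcast item above, as an added example that is not taken from the linked article or from Comcast: resolve the client address from `X-Forwarded-For` only when the TCP peer is a known reverse proxy, walking the header right to left. The trusted proxy range and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the only hosts allowed to set X-Forwarded-For for us are our
# own reverse proxies in this range (hypothetical value, adjust per site).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted):
    # Compare only against networks of the same IP version.
    return any(addr.version == net.version and addr in net for net in trusted)


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to use for access decisions, as a string.

    peer_addr  -- source address of the TCP connection (cannot be forged
                  by setting a header)
    xff_header -- raw X-Forwarded-For value, or None
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer, trusted):
        # Direct connection from the outside: the header is fully
        # client-controlled, so it is ignored.
        return str(peer)

    candidate = peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each proxy appends the address it saw, so the rightmost entries are
    # the ones written by our own infrastructure. Walk right to left and
    # stop at the first address that is not one of our proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: everything to its left is unverifiable.
            return str(candidate)
        if not _is_trusted(addr, trusted):
            return str(addr)
        candidate = addr
    return str(candidate)


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header)
    samples = [
        ("198.51.100.23", "203.0.113.7"),                 # spoofed header, direct
        ("10.0.0.5", "203.0.113.7, 198.51.100.23"),       # spoofed entry, via proxy
        ("10.0.0.5", None),                               # internal request
    ]
    for peer, xff in samples:
        print(f"{peer!s:15} {xff!s:32} -> {client_ip(peer, xff)}")
```

In both spoofed samples the decision is made on 198.51.100.23, the address the infrastructure actually observed, not on the 203.0.113.7 value the client supplied.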

According to Check Point Research, more than 150k computers are infected with a new variant of the Ramnit botnet named Black. The botnet installs second-stage malware with proxy functionality.
https://research.checkpoint.com/ramnits-network-proxy-servers/

Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they have already recovered from the attack.
https://www.bloomberg.com/news/articles/2018-08-04/tsmc-takes-emergency-steps-as-operations-hit-by-computer-virus

A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. The attack requires less than 2 Kbps of traffic.
https://access.redhat.com/articles/3553061

GDPR and other cookie consent scripts are used to distribute malware.
https://blog.sucuri.net/2018/08/cookie-consent-script-used-to-distribute-malware.html

Interesting blog on how criminals in Iran make money by creating Android malware apps.
https://blog.certfa.com/posts/pushiran-dl-malware-family/

The Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on cross-signing on some systems, so this is great news!
https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html

There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask the access point for the data required for offline cracking; no client traffic sniffing is needed anymore.
https://hashcat.net/forum/thread-7717.html

Innovative new research on software implementation hardening was published under the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple: introduce a large number of non-exploitable bugs into the program, which makes bug discovery and exploit creation significantly harder.
https://arxiv.org/abs/1808.00659

Researchers from the University of Milan published a padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on them...
https://pequalsnp-team.github.io/writeups/analisys_telegram_passport

Handshake is a new experimental peer-to-peer root DNS. They have published the resolver source code and have a test network up and running. It looks like a really promising project.
https://handshake.org/

InfoSec Week 29, 2018

Academics have mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations. The novel part is that they are using real map data to generate plausible malicious instructions.
https://www.bleepingcomputer.com/news/security/researchers-mount-successful-gps-spoofing-attack-against-road-navigation-systems/

Folks from Cloudflare, Mozilla, Fastly, and Apple implemented Encrypted Server Name Indication (SNI) during a hackathon. There are implementations in BoringSSL, NSS and picotls.
https://twitter.com/grittygrease/status/1018566026320019457

Good insight on how credit card thieves use free-to-play apps to steal and launder money from the credit cards.
https://kromtech.com/blog/security-center/digital-laundry

Chromium recently introduced Cross-Origin Read Blocking (CORB) that helps mitigate the threat of side-channel attacks (including Spectre).
https://www.chromium.org/Home/chromium-security/corb-for-developers

For anybody interested in reverse engineering, here is a nice write-up about the Smoke Loader malware bot's unpacking mechanism and its communication with the C&C.
https://www.cert.pl/en/news/single/dissecting-smoke-loader/

Research on how to bypass memory scanners using Cobalt Strike’s beacon payload and the gargoyle memory scanning evasion technique.
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/

ESET researchers analyzed an ongoing espionage campaign against Ukrainian government institutions.
https://www.welivesecurity.com/wp-content/uploads/2018/07/ESET_Quasar_Sobaken_Vermin.pdf

The Intercept summarized what the public has learned about Russian and U.S. spycraft from Special Counsel Robert Mueller’s indictment of hackers.
https://theintercept.com/2018/07/18/mueller-indictment-russian-hackers/

Security researchers have uncovered a highly targeted mobile malware campaign that has been operating since August 2015 and was found spying on 13 selected iPhones in India.
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html

There is an exploit for Ubuntu Linux (up to 4.17.4) where other users' coredumps can be read via a setgid directory and killpriv bypass.
https://www.exploit-db.com/exploits/45033/

InfoSec Week 6, 2018

A buffer overflow vulnerability in an older Starcraft version enabled modders to create new maps, so Blizzard tasked a reverse engineer with safely emulating the bug in the newer, fixed version.
The author says it all: "This is a tale about what dedication to backward compatibility implies."
https://plus.google.com/+MartinSeeger/posts/HYmY8gPCYJT

A bug in the Grammarly Chrome extension (approx. 22M users) exposes the user's authentication token to all websites, so everybody collecting user data can access their cloud data at grammarly.com.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1527&desc=2

With the release of Google Chrome 68, Chrome will mark all HTTP sites as “not secure” in the status bar.
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Article about the Australian startup Azimuth Security which sells hacking software to the "Five Eyes" police and intelligence agencies.
Rumors are that they are able to remotely hack Android devices and iPhones.
https://motherboard.vice.com/en_us/article/8xdayg/iphone-zero-days-inside-azimuth-security

SEC Consult researchers found multiple vulnerabilities in their smart sex toys security review. Customer database, clear passwords, vulnerable remote controllers...
http://seclists.org/fulldisclosure/2018/Feb/0

Metasploit integrated EternalRomance, EternalSynergy, and EternalChampion Windows (MS17-010) vulnerabilities leaked from the NSA by Shadow Brokers.
https://blog.rapid7.com/2018/02/02/metasploit-wrapup-26/

Someone leaked the source code of Apple's iBoot iOS trusted boot program on GitHub. It is a critical part of the iOS system. Meanwhile, Apple filed a copyright takedown request with GitHub.
https://motherboard.vice.com/en_us/article/a34g9j/iphone-source-code-iboot-ios-leak

Hackers infected water utility SCADA systems in Europe with cryptocurrency mining software.
http://www.eweek.com/security/water-utility-in-europe-hit-by-cryptocurrency-malware-mining-attack

Security researchers discovered vulnerabilities in an automated gas management system that allowed them to hijack credit card payments, steal card numbers and more.
https://www.scmagazine.com/gas-pump-vulnerabilities-in-widespread-software-grant-low-prices-and-credit-card-data/article/741764/

APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was the victim of an APT attack.
https://github.com/NextronSystems/APTSimulator

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into a legitimate application while avoiding detection.
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
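A triage check for the dual-format condition described above, as an added example that is not from the Guardsquare write-up: it flags a file that parses as a ZIP/APK yet begins with the DEX magic, and reports how many bytes sit in front of the first ZIP entry. The sample files are constructed in memory; the "DEX" prefix is a 112-byte stub carrying only the magic, not a real DEX file.

```python
import io
import zipfile
from dataclasses import dataclass

DEX_MAGIC = b"dex\n"      # first four bytes of every DEX file
DEX_HEADER_LEN = 112      # size of a DEX header (0x70 bytes)


@dataclass
class ApkReport:
    is_zip: bool           # file has a readable ZIP central directory
    starts_with_dex: bool  # byte 0 looks like a DEX header
    prefix_bytes: int      # bytes located before the first ZIP entry
    verdict: str           # clean / prepended-data / janus-suspect / not-zip


def inspect_apk(data: bytes) -> ApkReport:
    starts_with_dex = data[:4] == DEX_MAGIC
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # header_offset is the absolute position of each entry's local
            # header; an ordinary APK has its first entry at offset 0.
            prefix = min((i.header_offset for i in zf.infolist()), default=0)
    except zipfile.BadZipFile:
        return ApkReport(False, starts_with_dex, 0, "not-zip")

    if starts_with_dex:
        verdict = "janus-suspect"    # valid ZIP and DEX magic at once
    elif prefix > 0:
        verdict = "prepended-data"   # unusual for an APK, worth a look
    else:
        verdict = "clean"
    return ApkReport(True, starts_with_dex, prefix, verdict)


def build_samples():
    """Constructed inputs: a minimal APK-shaped ZIP and a dual-format file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    apk = buf.getvalue()
    dex_stub = DEX_MAGIC + b"035\x00" + bytes(DEX_HEADER_LEN - 8)
    return apk, dex_stub + apk


if __name__ == "__main__":
    apk, dual = build_samples()
    for name, blob in (("plain.apk", apk), ("dual.apk", dual)):
        print(name, inspect_apk(blob))
```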

According to research by Hanno Böck, Juraj Somorovsky and Craig Young, Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
https://robotattack.org/

HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.
https://zwclose.github.io/HP-keylogger/

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
http://seclists.org/fulldisclosure/2017/Dec/38

Researchers from Group-IB spotted the operations of the Russian-speaking MoneyTaker group, which stole as much as $10 million from US and Russian banks.
https://securityaffairs.co/wordpress/66591/cyber-crime/moneytaker-group.html

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
https://www.recordedfuture.com/cyber-operations-cost/

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft and Twitch was briefly rerouted to Russia.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
https://www.bleepingcomputer.com/news/security/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence/

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
http://blog.kismetwireless.net/2017/11/dji-uav-drone-id.html

Wazuh helps you gain deeper security visibility into your infrastructure by monitoring hosts at the operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
https://github.com/wazuh/wazuh

Wifiphisher is a tool for automated victim-customized phishing attacks against Wi-Fi clients.
https://github.com/wifiphisher/wifiphisher

InfoSec Week 40, 2017

There is a high probability that if you used Outlook’s S/MIME encryption in the past 6 months, the plaintext of your emails was leaked to the mail exchange because of the Outlook S/MIME vulnerability CVE-2017-11776.
https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/index.html

The Kaspersky anti-virus was allegedly stealing NSA secrets using a silent signature mode that detected classified documents. Israel hacked Kaspersky and notified the NSA.
https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html
https://www.wsj.com/articles/russian-hackers-scanned-networks-world-wide-for-secret-u-s-data-1507743874

The custom OxygenOS Android fork that comes installed on all OnePlus smartphones is tracking users, allowing OnePlus to connect each phone to its customer.
https://www.chrisdcmoore.co.uk/post/oneplus-analytics/

Chromebooks and Chromeboxes are affected by a bug in certain Infineon Trusted Platform Module (TPM) firmware versions. RSA keys generated by the TPM are vulnerable to computationally expensive attacks. Targeted attacks are possible.
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

The KovCoreG hacking group used an advertising network on Pornhub to redirect users to fake browser update websites that installed malware.
https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-ad-fraud-malware

Apple released a security patch for macOS High Sierra 10.13 to fix vulnerabilities in the Apple file system (APFS) volumes and Keychain software. The patch also addresses a flaw in the Apple file system that exposes an encrypted drive’s password in the hint box.
http://securityaffairs.co/wordpress/63896/hacking/apple-file-system-flaw.html

Yet another part of the reverse engineering blog post series analyzing TrickBot with IDA.
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core

Keybase has launched a nice new feature - encrypted Git. There are no services like website, pull requests, issue tracking or wiki, just simple git. Encrypted.
https://keybase.io/blog/encrypted-git-for-everyone

