Tag APT

InfoSec Week 6, 2018

A buffer overflow in an older StarCraft version let modders create new kinds of maps, so Blizzard tasked a reverse engineer with safely emulating the bug in the newer, fixed version.
The author says it all: "This is a tale about what dedication to backward compatibility implies."
https://plus.google.com/+MartinSeeger/posts/HYmY8gPCYJT

A bug in the Grammarly Chrome extension (roughly 22 million users) exposed users' authentication tokens to every website they visited, so any site could use the token to log in to grammarly.com as the user and read their cloud-stored documents and data.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1527&desc=2
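The bug class described above, as an added illustration that is not Grammarly's code: a browser extension's content script that answers any page's message with the user's token, beside one that checks the sender's origin and frame before answering. The message shape, the `isTopFrame` flag (standing in for a `window === window.top` check in a real content script), the origins and the token value are all constructed for the example, and a plain event object replaces the browser's MessageEvent so it runs under Node.

```javascript
// Constructed example: an extension content script that hands out the user's
// session token, in a vulnerable and a hardened form. A minimal in-memory
// "event" object stands in for the browser's MessageEvent so this runs in Node.
const SESSION_TOKEN = "tok_constructed_example_value";   // hypothetical token
const FIRST_PARTY_ORIGIN = "https://app.example.com";    // hypothetical extension origin

// Vulnerable: any page that posts {action: "getToken"} receives the token,
// so every site the user visits can impersonate them at the service.
function vulnerableHandler(event) {
  if (event.data && event.data.action === "getToken") {
    return { token: SESSION_TOKEN };
  }
  return null;
}

// Hardened: refuse unless the message comes from the first-party origin
// (strict equality, never indexOf or a loose regex), from a top-level document
// (isTopFrame stands in for `window === window.top`), and asks for exactly
// the supported action.
function hardenedHandler(event) {
  if (event.origin !== FIRST_PARTY_ORIGIN) return null;
  if (!event.isTopFrame) return null;
  if (!event.data || event.data.action !== "getToken") return null;
  return { token: SESSION_TOKEN };
}

// Simulate a page at `origin` calling window.postMessage into the content script.
function pageAsksForToken(handler, origin, isTopFrame = true) {
  const event = { origin, isTopFrame, data: { action: "getToken" } };
  const reply = handler(event);
  return reply ? reply.token : null;
}

// Run the four cases a reviewer would check: attacker vs. both handlers,
// owner from a top-level page, owner from inside an embedded frame.
function runScenarios() {
  return {
    vulnerableToAttacker: pageAsksForToken(vulnerableHandler, "https://evil.example"),
    hardenedToAttacker: pageAsksForToken(hardenedHandler, "https://evil.example"),
    hardenedToOwner: pageAsksForToken(hardenedHandler, FIRST_PARTY_ORIGIN),
    hardenedToOwnerInFrame: pageAsksForToken(hardenedHandler, FIRST_PARTY_ORIGIN, false),
  };
}
```

Even the hardened handler still places the token in page-script reach on the first-party site. The stronger design is to keep the credential in the extension's background context and have the content script perform the privileged request itself, so no page script ever sees the token at all.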

With the release of Google Chrome 68, Chrome will mark all HTTP sites as “not secure” in the address bar.
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Article about the Australian company Azimuth Security, which sells hacking tools to "Five Eyes" police and intelligence agencies.
The article's sources say they are able to remotely compromise both iPhones and Android devices.
https://motherboard.vice.com/en_us/article/8xdayg/iphone-zero-days-inside-azimuth-security

SEC Consult researchers found multiple vulnerabilities during a security review of smart sex toys: an exposed customer database, passwords stored in clear text, remote control functions that could be abused, and more.
http://seclists.org/fulldisclosure/2018/Feb/0

Metasploit added an exploit module covering EternalRomance, EternalSynergy and EternalChampion, three of the Windows SMB (MS17-010) exploits leaked from the NSA by the Shadow Brokers.
https://blog.rapid7.com/2018/02/02/metasploit-wrapup-26/

Someone leaked the source code of Apple's iBoot, the iOS bootloader that verifies and loads the kernel, on GitHub. It is a critical part of the iOS secure boot chain. Apple responded by filing a DMCA copyright takedown request with GitHub.
https://motherboard.vice.com/en_us/article/a34g9j/iphone-source-code-iboot-ios-leak

Attackers infected the SCADA systems of a European water utility with cryptocurrency mining software.
http://www.eweek.com/security/water-utility-in-europe-hit-by-cryptocurrency-malware-mining-attack

Security researchers discovered vulnerabilities in widely deployed automated gas station management software that allowed them to change fuel prices, hijack credit card payments, steal card numbers and more.
https://www.scmagazine.com/gas-pump-vulnerabilities-in-widespread-software-grant-low-prices-and-credit-card-data/article/741764/

APT Simulator is a Windows batch script that uses a set of tools and output files to make a system look as if it had been compromised in an APT attack, which is useful for testing detection and response tooling.
https://github.com/NextronSystems/APTSimulator

InfoSec Week 5, 2017

Egyptian human rights activists, dissidents, lawyers and journalists were targeted by a phishing campaign (dubbed Nile Phish by Citizen Lab). Links in the emails led to fake login pages designed to trick the targets into giving away their Dropbox credentials.
https://citizenlab.org/2017/02/nilephish-report/

Multiple Polish banks were infected with malware served from the compromised website of the Polish financial regulator KNF, the body charged with setting the banks' security standards.
https://www.databreaches.net/hackers-break-into-polish-banks-through-government-regulator-charged-with-bank-security-standards/

Hackers broke into the Czech Foreign Ministry's email system. "It must have been carried out from the outside, by another country. The way it was done bears a very strong resemblance to the attacks on the US Democratic Party's internet system," said the foreign minister, citing experts.
http://www.securityweek.com/hackers-target-czech-foreign-ministrys-email-system

Extensive analysis of the Locky Bart ransomware binary and its backend server. The executable is obfuscated with the WProtect code-virtualization protector; the server backend is written with the Yii PHP framework.
https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/

The Turla APT group is using a new JavaScript payload, called KopiLuwak, in its spear-phishing attacks. The payload is dropped by a macro embedded in Office documents and is wrapped in multiple layers of JavaScript obfuscation.
https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/

APT activity attributed to Chinese actors is targeting the military and aerospace industries in Russia and Belarus. The ZeroT downloader delivers the PlugX RAT and uses steganography to hide the payload inside an image file.
https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugxs
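As an added example (not Proofpoint's analysis and not the malware's actual encoding), here is the basic least-significant-bit technique a dropper can use to hide a payload inside raw image pixel data, together with the matching extractor an analyst would write once the scheme is recognised. The cover buffer, the 4-byte length header and the payload string are constructed for the example.

```javascript
// Constructed cover: a fake 64x64 RGB pixel buffer (pixel bytes only, no file header).
const WIDTH = 64, HEIGHT = 64, CHANNELS = 3;

function makeCover() {
  const cover = Buffer.alloc(WIDTH * HEIGHT * CHANNELS);
  for (let i = 0; i < cover.length; i++) cover[i] = (i * 37 + 11) & 0xff; // deterministic "noise"
  return cover;
}

// Hide `payload` in the least-significant bit of successive cover bytes, MSB-first,
// preceded by a 32-bit big-endian length so the extractor knows where to stop.
// Each carrier byte changes by at most 1, which is invisible in an image.
function embedLSB(cover, payload) {
  const header = Buffer.alloc(4);
  header.writeUInt32BE(payload.length, 0);
  const bits = Buffer.concat([header, payload]);
  if (bits.length * 8 > cover.length) throw new Error("cover too small for payload");
  const stego = Buffer.from(cover); // copy; the original cover is left untouched
  for (let i = 0; i < bits.length * 8; i++) {
    const bit = (bits[i >> 3] >> (7 - (i & 7))) & 1;
    stego[i] = (stego[i] & 0xfe) | bit;
  }
  return stego;
}

// Reverse the embedding: read the length header first, then exactly that many bytes.
function extractLSB(stego) {
  const readBytes = (offsetBits, n) => {
    const out = Buffer.alloc(n);
    for (let i = 0; i < n * 8; i++) {
      out[i >> 3] |= (stego[offsetBits + i] & 1) << (7 - (i & 7));
    }
    return out;
  };
  const len = readBytes(0, 4).readUInt32BE(0);
  if (len * 8 + 32 > stego.length) throw new Error("length field exceeds cover size");
  return readBytes(32, len);
}

// Largest per-byte change between cover and stego image (expected to be 1).
function maxByteDelta(a, b) {
  let m = 0;
  for (let i = 0; i < a.length; i++) m = Math.max(m, Math.abs(a[i] - b[i]));
  return m;
}

// Embed a constructed stand-in payload, extract it again and report the distortion.
function roundTrip() {
  const cover = makeCover();
  const payload = Buffer.from("constructed payload: not a real PlugX blob", "utf8");
  const stego = embedLSB(cover, payload);
  return {
    recovered: extractLSB(stego).toString("utf8"),
    maxDelta: maxByteDelta(cover, stego),
    coverLength: cover.length,
  };
}
```

Real samples add a file header and usually encrypt or compress the payload before embedding, so in practice the extractor is written after the downloader's decoding routine has been reversed; the LSB walk itself is the reusable part.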

Can Foreign Governments Launch Malware Attacks on Americans Without Consequences? There is an interesting ongoing court case, Kidane v. Ethiopia, in which Ethiopia's counsel argued "that it should be able to do anything to Americans in America, even set off a car bomb, as long as Ethiopia didn’t have a human agent in the United States. One judge asked what would happen if Ethiopia mailed a letter bomb into the United States to assassinate an opponent, or hacked an American's self-driving car, causing it to crash. Ethiopia didn't hesitate: their counsel said that they could not be sued for any of those."
https://www.eff.org/deeplinks/2017/02/can-foreign-governments-launch-malware-attacks-americans-without-consequences

A hacker who had stolen 900 GB of data from the mobile forensics company Cellebrite leaked some of its iOS exploitation tools online and announced further releases. The released tools are repackaged, publicly available frameworks. The hacker added that the BlackBerry files in his possession are not publicly available.
https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite
http://pastebin.com/y9P19guS

Facebook engineers presented a new mechanism for recovering access to lost online accounts, called Delegated Recovery, at the USENIX Enigma conference. Delegated Recovery "allows an application to delegate the capability to recover an account to an account controlled by the same user or entity at a third party service provider".
https://github.com/facebookincubator/DelegatedRecovery/

Printer Exploitation Toolkit (PRET) is a new printer security testing framework. It connects to a printer over the network or USB and uses the PostScript, PJL and PCL printer languages for attacks such as memory and file system access, print job capture and manipulation, and denial of service.
https://github.com/RUB-NDS/PRET