InfoSec Week 7, 2019

Ubiquiti network devices are being remotely exploited via the discovery service on UDP port 10001. The attacks result in loss of device management, and the same service is also being abused for a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out.
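The amplification figures above (56 bytes in, 206 bytes out on UDP/10001) are easy to spot in flow telemetry. The following detection script is an added example and is not part of the original newsletter or any Ubiquiti tooling: it parses constructed bidirectional flow records, flags UDP flows to port 10001 whose response is much larger than the request, and aggregates them by the address the responses are being sent to. The record format, addresses and byte counts other than 56 and 206 are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

DISCOVERY_PORT = 10001            # Ubiquiti discovery service port named in the item above
REQUEST_BYTES = 56                # request size reported in the item above
RESPONSE_BYTES = 206              # response size reported in the item above
EXPECTED_RATIO = RESPONSE_BYTES / REQUEST_BYTES   # roughly 3.7x amplification

# Constructed sample flow records (not real traffic). Columns:
#   src_ip src_port dst_ip dst_port proto bytes_in bytes_out packets
# bytes_in is what src sent to dst, bytes_out is what dst sent back to src.
SAMPLE_FLOWS = """\
# one address hitting three devices on the discovery port
198.51.100.7 4444 192.0.2.10 10001 udp 56 206 1
198.51.100.7 4444 192.0.2.11 10001 udp 56 206 1
198.51.100.7 4444 192.0.2.12 10001 udp 1120 4120 20
203.0.113.5 53211 192.0.2.10 10001 udp 56 206 1
# ordinary traffic that must not be flagged
203.0.113.9 40000 192.0.2.10 443 tcp 1500 9000 12
198.51.100.7 4444 192.0.2.13 22 tcp 2000 3000 30
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes_in: int     # request bytes, src -> dst
    bytes_out: int    # response bytes, dst -> src
    packets: int      # request packets


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated record format defined above."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        s, sp, d, dp, proto, bi, bo, pk = line.split()
        flows.append(Flow(s, int(sp), d, int(dp), proto.lower(),
                          int(bi), int(bo), int(pk)))
    return flows


def amplification_ratio(flow: Flow) -> float:
    """Response bytes per request byte; infinite if nothing was sent in."""
    if flow.bytes_in == 0:
        return float("inf")
    return flow.bytes_out / flow.bytes_in


def is_discovery_amplification(flow: Flow, min_ratio: float = 2.0) -> bool:
    """True for UDP flows to the discovery port that amplify the request."""
    return (flow.proto == "udp"
            and flow.dst_port == DISCOVERY_PORT
            and amplification_ratio(flow) >= min_ratio)


def summarize_by_source(flows: List[Flow],
                        min_ratio: float = 2.0) -> List[Tuple[str, int, int, int]]:
    """Group flagged flows by the address the responses are sent to.

    In a reflection attack that address is normally spoofed and is the real
    victim, so the summary shows who is being flooded and by how much.
    Returns rows of (src_ip, distinct_devices, request_bytes, response_bytes),
    largest response volume first.
    """
    per_src: Dict[str, Dict] = {}
    for f in flows:
        if not is_discovery_amplification(f, min_ratio):
            continue
        entry = per_src.setdefault(f.src_ip, {"devices": set(), "req": 0, "resp": 0})
        entry["devices"].add(f.dst_ip)
        entry["req"] += f.bytes_in
        entry["resp"] += f.bytes_out
    rows = [(src, len(e["devices"]), e["req"], e["resp"]) for src, e in per_src.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    print(f"expected amplification ratio: {EXPECTED_RATIO:.2f}x")
    for src, devices, req, resp in summarize_by_source(parse_flows(SAMPLE_FLOWS)):
        print(f"{src}: {devices} device(s) replied, {req} B requested, {resp} B reflected")
```

The ratio threshold is deliberately loose (2x) so that the detection does not depend on the exact 56/206 sizes; the useful signals are the port, the protocol and one source address collecting amplified replies from many devices. Blocking or rate-limiting inbound UDP/10001 at the network edge removes both the management-loss exposure and the reflection vector.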

Researchers demonstrated that an Intel SGX trusted enclave poses a security threat when they implemented proof-of-concept malware that bypasses antivirus protection by leveraging SGX properties. Find more information in the research paper named "Practical Enclave Malware with Intel SGX".

It looks like the diffusion layer of the Russian symmetric cipher Kuznyechik and of the hash function Streebog has the mathematical properties that would be required for a backdoor. There is no theoretical attack yet, and I am not convinced that it is on purpose, but the construction is suspicious.

Google engineers have designed a new encryption mode for the ChaCha stream cipher called Adiantum. The new encryption mode is meant for cheap ARM processors that do not have hardware support for AES, and it is almost 5x faster than AES-256-XTS on them.

Current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API.

Phones running the Android OS can be compromised remotely by viewing a malicious PNG image.

A new vulnerability in runc, the container runtime used by Docker, Kubernetes and others, allows container escape just by running a malicious image.

NCC Group published an interesting blog post about a downgrade attack on TLS 1.3 and multiple other vulnerabilities in major TLS libraries which they found last year.

Researcher Scott Gayou published a step-by-step guide on how to jailbreak the Subaru Crosstrek 2018 head unit by leveraging the USB port and the update mechanism.

According to an Airbnb presentation, 38 percent of bugs at Airbnb could have been prevented by using types.

You can try to find bugs in the Swiss eVoting system, as they have opened a bug bounty program. The source code is also available to registered bug hunters.

Google open sourced ClusterFuzz, the infrastructure used for fuzzing Chrome and for OSS-Fuzz, the continuous fuzzing pipeline for open source software.

InfoSec Week 10, 2017

People around an Azerbaijani human rights activist and lawyer received spear phishing messages, according to a multi-year investigation by Amnesty Global Insights. The payload capabilities included keylogging, screenshots, etc.

New Linux ARM malware ELF_IMEIJ.A (named by Trend Micro) exploits a CGI directory vulnerability in devices from the CCTV/IP camera vendor AVTech.

A rather amateurish ransomware has been analysed by Palo Alto Networks. The only interesting part is that it does not actually ask for money; instead: "RanRan does not ask for direct payment. Instead, prior to any negotiations regarding payment, the victim must create a subdomain with a seemingly politically inflammatory name as well as a Ransomware.txt file hosted on this subdomain. The hosted file must include a statement of ‘Hacked’ and an email address. By performing these actions, the victim, a Middle Eastern government organization, has to generate a political statement against the leader of the country. It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file."

Kaspersky Lab published a report about a newly discovered disk wiper called StoneDrill. It targets organizations in Saudi Arabia and is in some way linked to the Shamoon disk wiper. The malware uses memory injection into the victim’s browser, and also provides RAT functionality.

Errata Security published a short analysis of the Wikileaks CIA #Vault7 dump, refuting some of the claims published by Wikileaks.
There are a few interesting points in the Wikileaks dump, like one TODO list containing this insane note: "Research into embedding a CRL into a self signed cert as a method of stealthy remote beaconing". Nice.
http://blog.erratasec.com/2017/03/some-comments-on-wikileaks-ciavault7.html https://wikileaks.org/ciav7p1/cms/page_2621753.html https://wikileaks.com/ciav7p1/cms/page_5341230.html

IOActive research discovered multiple security vulnerabilities in the Confide messaging application. Confide was not using authenticated encryption at the protocol level, and was also not validating the server's SSL certificate.
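The first Confide finding above, encryption without authentication at the protocol level, is worth seeing concretely. The following is an added example, not Confide's protocol or IOActive's code: it builds a toy stream cipher from HMAC-SHA256 keystream blocks (an assumption made for the example so that it runs on the standard library alone), shows that an unauthenticated ciphertext can be altered so that it decrypts to a different message without any error, and then wraps the same cipher in encrypt-then-MAC so the alteration is rejected. Keys, nonce and message are constructed constants.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.

    This stands in for any stream/CTR-mode cipher; a real protocol would use
    an AEAD such as AES-GCM or ChaCha20-Poly1305 rather than this construction.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR the message with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


# XOR with the same keystream is its own inverse, so decryption is the same operation.
decrypt_unauthenticated = encrypt_unauthenticated


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality plus integrity: ciphertext followed by an HMAC over nonce || ciphertext."""
    ciphertext = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def decrypt_then_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before touching the ciphertext."""
    if len(blob) < TAG_LEN:
        raise ValueError("message too short to carry a tag")
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message was modified")
    return decrypt_unauthenticated(enc_key, nonce, ciphertext)


def xor_byte_at(data: bytes, index: int, delta: int) -> bytes:
    """Return a copy of data with one byte XORed by delta (models in-transit corruption)."""
    buf = bytearray(data)
    buf[index] ^= delta
    return bytes(buf)


def demo() -> dict:
    """Run both variants over the same altered ciphertext and report what each yields."""
    enc_key, mac_key, nonce = b"E" * 32, b"M" * 32, b"nonce-000001"   # constructed values
    message = b"transfer 100 to alice"
    offset = message.index(b"100")           # position of the '1' we want to see changed
    delta = ord("1") ^ ord("9")              # XOR difference that turns '1' into '9'

    plain_ct = encrypt_unauthenticated(enc_key, nonce, message)
    altered = decrypt_unauthenticated(enc_key, nonce, xor_byte_at(plain_ct, offset, delta))

    authed = encrypt_then_mac(enc_key, mac_key, nonce, message)
    try:
        decrypt_then_verify(enc_key, mac_key, nonce, xor_byte_at(authed, offset, delta))
        rejected = False
    except ValueError:
        rejected = True

    return {"original": message, "unauthenticated_result": altered,
            "authenticated_rejected": rejected}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The unauthenticated variant silently returns "transfer 900 to alice", because flipping ciphertext bits flips the same plaintext bits in any stream or CTR-mode cipher; the recipient has no way to tell. The MAC-protected variant refuses the message before decrypting it. The tag is checked with hmac.compare_digest so the comparison does not leak timing, and the nonce is included under the MAC so a ciphertext cannot be replayed under a different nonce.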

SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.
https://www.fireeye.com/blog/threat-research/2017/03/using_the_registryt.html https://github.com/fireeye/SessionGopher

gargoyle is a technique for hiding a program’s executable code in non-executable memory. At some programmer-defined interval, gargoyle wakes up and, with some ROP trickery, marks itself executable and does some work...
https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html https://github.com/JLospinoso/gargoyle