Tag ATM

InfoSec Week 40, 2018

Estonia sues Gemalto for €152M over ID card flaws. According to an article, some keys were NOT generated on a smartcard due to a scaling issue.
Well, looks like they are not affected by the ROCA vulnerability, just compromised by Gemalto :)
https://dan.enigmabridge.com/estonia-hits-gemalto-again-insecure-eid-cards/

Apple laptops on Intel chipsets were running with Intel Management Engine (ME) Manufacturing Mode enabled. The vulnerability (CVE-2018-4251) was patched in the macOS High Sierra 10.13.5 update.
By exploiting the vulnerability, an attacker could write old versions of the Intel ME firmware without physical access to the computer, with the possibility of running arbitrary code in the ME.
http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html

The FBI took down Phantom Secure, a Canadian (and not only Canadian) encrypted communication service.
The company turned smartphones into single-purpose encrypted communication devices, mostly used by drug kingpins.
The service was sold only to customers recommended by existing ones.
https://www.fbi.gov/news/stories/phantom-secure-takedown-031618

US-CERT has released a technical alert warning about a new "FASTCash" ATM cash-out scheme used by the North Korean APT hacking group.
Malware installed on the issuers' compromised switch application servers intercepts transaction requests and returns fake responses, fooling ATMs into dispensing large amounts of cash.
https://www.us-cert.gov/ncas/alerts/TA18-275A

The GhostDNS DNS-changer botnet hijacked over 100k routers, attacking them over the intranet (from inside the local network) using JavaScript running in the victim's browser.
https://www.hacking.reviews/2018/10/ghostdns-new-dns-changer-botnet.html

Brian Krebs wrote about really clever voice phishing scams executed over the phone. The scammers pretend to be the victim's bank and already have lots of information about the victim before the call.
https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/

A Reddit user found a tiny Linux PC hooked up to the router in his apartment. Investigation showed that it was some kind of information-stealing device, and that the data collectors were paying "rent" to a roommate who had implanted it on the network.
https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/found_hooked_up_to_my_router/e6nh61r/

Facebook published some technical details about the recent profile-leaking vulnerability.
The attackers chained three bugs and basically automated the whole process of obtaining user access tokens.
https://newsroom.fb.com/news/2018/09/security-update/

ESET researchers documented the first UEFI rootkit found in the wild. Called LoJax, the rootkit targets government organizations in Central and Eastern Europe and the Balkans.
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

Conor Patrick recently launched a Kickstarter campaign for Solo, the first open source FIDO2 security key (USB and NFC). Support it!
https://www.kickstarter.com/projects/conorpatrick/solo-the-first-open-source-fido2-security-key-usb

A step-by-step Linux kernel exploitation walkthrough for CVE-2017-11176, exploit code included.
https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html

InfoSec Week 5, 2018

A.P. Moller–Maersk Group, the world's largest container shipping company, reinstalled 45,000 PCs and 4,000 servers to recover from the NotPetya ransomware attack.
https://www.bleepingcomputer.com/news/security/maersk-reinstalled-45-000-pcs-and-4-000-servers-to-recover-from-notpetya-attack/

The U.S. Secret Service is warning financial institutions that ATM jackpotting attacks are targeting cash machines in the United States. Attackers are able to empty Diebold Nixdorf and possibly other ATMs using malware, an endoscope and social engineering skills.
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

Microsoft disabled the Spectre software mitigation released earlier this month because it caused system instability.
http://www.securityweek.com/microsoft-disables-spectre-mitigations-due-instability

Data from the fitness-tracking app Strava gives away the location of sensitive sites like army bases.
https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

China built the African Union headquarters building for free, but the building is riddled with microphones, and its computers were transmitting all voice data back to servers in Shanghai.
https://twitter.com/i/web/status/957879611513278464

Journalist Marc Miller has interviewed one of the hackers of the ICEMAN group behind the "Emmental" phishing campaign targeting bank clients.
https://securityaffairs.co/wordpress/64349/cyber-crime/iceman-hacker-interview.html

An Errata Security blog post about the political nature of cyber attack attribution. It is mostly about the WannaCry and North Korea connection, but it is a good overview of attribution bias in general.
http://blog.erratasec.com/2018/01/the-problematic-wannacry-north-korea.html

Great article about the largest malvertising campaign of last year. The so-called Zirconium group operated up to 30 different ad agencies, which enabled them to redirect users to exploit kits, malware downloads and click-fraud websites.
https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85

AutoSploit is an automated exploitation tool written in Python. It searches for targets using the Shodan.io API and exploits them with Metasploit.
https://github.com/NullArray/AutoSploit

InfoSec Week 25, 2017

Ukrainian critical infrastructure, including banks, Kyiv's metro system, the airport and Chernobyl's radiation monitoring system, was hit by a worldwide malware campaign.
The attack is believed to be a new campaign by the group behind the Petya ransomware. It takes advantage of the known SMB exploit (EternalBlue) and is spreading fast to other countries.
https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
https://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

Indian ATMs running outdated Windows XP are suffering jackpotting attacks by the Rufus ATM malware.
http://securityaffairs.co/wordpress/60220/breaking-news/rufus-malware-atm.html

Analysis of a new Marcher Android banking trojan variant posing as an Adobe Flash Player update.
https://www.zscaler.com/blogs/research/new-android-marcher-variant-posing-adobe-flash-player-update

The Russian government is threatening to ban the Telegram messenger because it refused to comply with data protection laws.
http://securityaffairs.co/wordpress/60449/terrorism/russia-telegram-ban.html

Google bug hunter Tavis Ormandy has found yet another serious vulnerability in Microsoft's Malware Protection Engine.
http://www.databreachtoday.com/google-security-researcher-pops-microsofts-av-defenses-a-10058

The Hardware Forensic Database (HFDB) is a project of CERT-UBIK aiming to provide a collaborative knowledge base of IoT forensic methodologies and tools.
http://hfdb.io/

Good summary of the most common memory-based attacker techniques such as shellcode injection, reflective DLL injection and process hollowing.
https://www.endgame.com/blog/technical-blog/hunting-memory

InfoSec Week 51, 2016

Russian hackers tracked Ukrainian artillery units using an Android implant.
https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/

UK nuclear submarines are running Windows for Submarines (a customized Windows XP). It should be noted that the Windows operating system probably doesn't control the nuclear launch operations itself.
http://www.newyorker.com/news/news-desk/world-war-three-by-mistake

McAfee VirusScan Enterprise for Linux has several vulnerabilities that allow it to be remotely compromised. Some of them can be chained together to allow remote code execution as root.
https://nation.state.actor/mcafee.html

Trend Micro analysed a very lightweight ATM malware called Alice (BKDR_ALICE.A). Its only purpose is to empty the ATM safe.
http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/

Veles: a nice open source tool for binary data visualization and analysis.
https://codisec.com/veles/

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware.
https://n0where.net/portable-malware-analysis-sandbox-noriben/