Tag backdoor

InfoSec Week 25, 2018

Marcus Brinkmann demonstrated how some configuration options in GnuPG allow remote attackers to spoof arbitrary signatures. He used the embedded “filename” parameter in OpenPGP literal data packets, together with the verbose option set in the user's gpg.conf file.

The Tapplock smart lock has critical bugs that make its protection trivial to defeat. It uses an AES key derived from the MAC address, so anyone with a Bluetooth-enabled smartphone can pick up the key once within the lock's Bluetooth range.

Crooks are injecting a credit-card-stealing backdoor into the config files of hacked Magento e-commerce platforms. They can reinfect the rest of the code base over and over again each time the config is loaded.

The updated Satori botnet has begun performing network-wide scans looking for exploitable XiongMai uc-httpd 1.0.0 devices (CVE-2018-10088).

Baby monitors in the USA were hacked via an obscure Chinese IoT cloud. The woman from the Facebook post claims that someone controlled the camera remotely and spied on her, possibly listening in on conversations.

OpenBSD disables Intel's hyper-threading due to possibly exploitable Spectre-class bugs in the architecture.

Linux is getting support for in-kernel hibernation encryption. It encrypts the disk-image memory, thereby increasing the general security of full-disk encryption on Linux and reducing the attack surface.

OTSECA - (ot)her (sec)urity (a)wareness is an open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.

InfoSec Week 19, 2018

The first ransomware to take advantage of the new Process Doppelgänging fileless code injection technique has appeared. The technique works on all modern versions of Microsoft Windows, since Vista. This variant of the known SynAck ransomware uses NTFS transactions to launch a malicious process by replacing the memory of a legitimate process.

Security researchers from the Dutch information security company Computest have found that some Volkswagen and Audi cars are vulnerable to remote hacking. They were able to exploit vehicle infotainment systems. Potential attackers could track the car's location as well as listen to conversations in the car.

Twitter found a bug that stored user passwords unmasked in an internal log. There is no indication of a breach, but all Twitter users should change their passwords.

There is a breakthrough cryptographic attack on 5-round AES using only 2^22 (previous best was 2^32) presented at CRYPTO 2018. It is joint work of Nathan Keller, Achiya Bar On, Orr Dunkelman, Eyal Ronen and Adi Shamir. This kind of attack is useful when evaluating the security of a cipher. It does not have any real-world implications, as AES uses at least 10 rounds in production implementations.

A bug hunter who found multiple vulnerabilities in the 7-zip software used by anti-virus vendors wrote a blog post on how to exploit one of these bugs. Interesting read.

The 360 Core Security Division response team detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability (CVE-2018-8174). It is a remote code execution vulnerability in the Windows VBScript engine and affects the latest version of Internet Explorer.
Microsoft patched this vulnerability a few days ago and credited the Chinese researchers.

Source code of the TreasureHunter Point-of-Sale malware leaks online.

The ssh-decorator package from Python pip had an obvious backdoor (sending ip+login+password to ssh-decorate[.]cf over cleartext HTTP).

Luke Picciau wrote about his experience of using Matrix and its Riot messenger for one year.

The first official version 1.0 RC of Briar for Android has been released.
Briar is an open-source, end-to-end encrypted, Bluetooth / WiFi / Tor based mesh-networking (decentralized) messaging application.

The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection.

InfoSec Week 18, 2018

Multiple tech giants like Apple, Microsoft, Google and others formed an industry coalition and have joined security experts in criticizing encryption backdoors, after Ray Ozzie's CLEAR key escrow idea was widely derided. He basically proposed a scheme where the users have no control over their own devices, but the devices can be securely forensically analyzed by the government agencies.

There is an information leak vulnerability exploitable via a crafted user-supplied CDROM image.
"An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu device model process."
The QubesOS operating system is not affected, thanks to its properly compartmentalized architecture.

A great in-depth blog post about the reconstruction of the exploit created by the CIA's "Engineering Development Group" targeting MikroTik's RouterOS embedded operating system. This exploit was made public by WikiLeaks last year.

Bypassing authentication and impersonating arbitrary users in Oracle Access Manager with a padding oracle. The guy basically broke Oracle's home-grown cryptographic implementation.

There is a critical privilege escalation vulnerability affecting Apache Hadoop versions from 2.2.0 to 2.7.3.

Arbor Networks' security researchers have claimed that the anti-theft software Absolute LoJack is serving as espionage software modified by the Russia-based Fancy Bear group.

Wired wrote an article about the famous Nigerian 419 scammers, their culture and why they are still flourishing.

Matrix and Riot instant messenger applications are confirmed as the basis for the French government's initiative to implement a federated secure messenger.

Amazon threatens to suspend the Signal secure messenger's AWS account over censorship circumvention. Signal uses a different TLS Server Name Indication ("domain fronting") when establishing a connection to circumvent network censorship, but Amazon says it is against their terms of service.

Respected German CT-Magazine says that there are 8 new Spectre vulnerabilities found in Intel processors.

InfoSec Week 11, 2018

A cyberattack on a Saudi Arabian petrochemical company was probably planned with a physical explosion in mind. They have attributed it to Iran, and didn't mention Stuxnet at all, so it is a somewhat one-sided view of this cyberwarfare exchange.

There is a critical vulnerability in the Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows. Due to a cryptographic flaw, a man-in-the-middle attack could allow remote procedure call attacks and data exfiltration against RDP and WinRM.

A vulnerability (CVE-2018-1057) in Samba allows authenticated users to change other users' passwords.

A Kubernetes vulnerability (CVE-2017-1002101) allows containers using subpath volume mounts with any volume type to access files/directories outside of the volume, including the host’s filesystem. An updated version is already available.

A quite good exchange on encryption policy and the government backdoor proposals between the US National Academy of Sciences and the Electronic Frontier Foundation. Relevant for all democratic regimes.

Kaspersky has discovered the PlugX remote access tool (RAT) malware installed across pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information.

Encrypted Email Service provider ProtonMail is being blocked by internet service providers in Turkey.

CTS-Labs security researchers have published a whitepaper identifying four classes of potential vulnerabilities in the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines.

Adam Langley's blog post about TLS 1.3 and the inability of proxies to snoop on its traffic.

Hacker Adrian Lamo dies at 37. He was known for his involvement in passing information on whistleblower Chelsea Manning, a former US Army soldier who leaked sensitive information to WikiLeaks.

To find an assault suspect, police in Raleigh, North Carolina used search warrants to demand Google accounts not of specific suspects, but of any mobile devices that veered too close to the scene of a crime within a specific time.

Kaspersky releases Klara, a distributed system written in Python, designed to help threat intelligence researchers hunt for new malware using Yara rules.

Nice paper about a simple manual cipher that should be resistant to modern cryptanalysis.
LC4: A Low-Tech Authenticated Cipher for Human-To-Human Communication https://eprint.iacr.org/2017/339

InfoSec Week 3, 2018

The notorious Necurs spam botnet is sending millions of spam emails that are pumping a shitcoin cryptocurrency named Swisscoin. The attackers are probably invested and are expecting to pull off a pump-and-dump scheme.

Nice article on Russia's hacking capabilities against foreign critical infrastructure.

Taiwanese police handed out malware-infected USB sticks as prizes for a cybersecurity quiz. The malware was an old sample trying to communicate with a non-existent C&C server in Poland. The thumb drives were infected by a third-party contractor.

New research analyzes the usage of Certification Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly state which certificate authorities may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company has already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear phishing attack.

InfoSec Week 2, 2018

New research has found a flaw in the group messaging part of the Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could, in some theoretical scenario, silently join an encrypted group chat.

Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.

A tale about an npm package which scraped user-entered credit card information from websites. It is a work of fiction, but it was published a few hours after dozens of npm packages stopped working due to missing dependencies... Scary.

HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.

There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). The vendor probably patched it six months after it was reported.

Wi-Fi Protected Access III (WPA3) will be pushed onto the market this year. Hopefully a lot of security enhancements to the Wi-Fi protocol will be delivered by WPA3-certified devices.

The Let's Encrypt certification authority has temporarily disabled the TLS-SNI-01 authorization challenge due to a reported exploitation technique possible on shared hosting infrastructure.

Google Cloud security engineers reported a remote code execution vulnerability in the AMD Platform Security Processor.

Brian Krebs wrote a blog post about the flourishing online markets for stolen credentials.

VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.

A Meltdown vulnerability proof of concept for reading passwords out of the Google Chrome browser.

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.

Matthew Green thinks that the recently discovered "Extended Random" extension of RSA’s BSAFE TLS library, found in older Canon printers, could be an NSA backdoor.

Filippo Valsorda presented a key recovery attack against the carry bug in the x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption is affected.

An explanation of how web trackers exploit browser login managers to track users on the Internet.

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.

A short blog post about cracking encrypted (40-bit encryption) PDFs using hashcat.

Crooks behind the VenusLocker ransomware have switched to Monero mining. They are executing the Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.

Proofpoint researchers published a paper on largely undocumented Lazarus Group campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.

InfoSec Week 48, 2017

The German Interior Minister is preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations.

According to the Citizen Lab, Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware sold by Israeli firm Cyberbit.

Elcomsoft wrote an insight about the drastically degraded security of Apple's iOS 11 operating system.

Chinese drone maker D.J.I. is potentially sharing collected data with the Chinese government.

Crooks are installing cryptocurrency miners by using typosquatted npm package names. They are searching for unregistered package names that differ by one bit from well-known packages.

Swiftype has written a good blog post about their infrastructure risk assessment and threat modeling.

Nvidia published a paper about the clustering of benign and malicious Windows executables using neural networks.

Bucket Stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.

Sysdig Inspect – a powerful interface for container troubleshooting and security investigation