Tag Bleichenbacher

InfoSec Week 49, 2018

Apple included support for the WebAuthentication API in the latest Safari Release 71 (Technology Preview). The new WebAuthentication as implemented supports USB-based CTAP2 devices.
https://webkit.org/blog/8517/release-notes-for-safari-technology-preview-71/

Critical Kubernetes privilege escalation bug (CVE-2018-1002105) was found and patched during this week. When exploited, the bug allows anonymous users as well a authenticated one to use admin privileges over the cluster API.
There is an exploit published on a GitHub already.
https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/
https://github.com/evict/poc_CVE-2018-1002105

British Telecom will not use Huawei's 5G kit within the core of the network due to security concerns.
https://www.bbc.com/news/technology-46453425

Security agencies in Australia will gain greater access to encrypted messages due to a new legislative.
https://mobile.abc.net.au/news/2018-12-06/labor-backdown-federal-government-to-pass-greater-surveillance/10591944

US National Security Archive published a complete index of all 1504 items in the declassified collection of NSA internal Cryptolog periodical.
https://nsarchive.gwu.edu/briefing-book/cyber-vault/2018-12-04/cyber-brief-cryptolog

Security researchers released attacks on 7 TLS implementations, making use of Bleichenbacher and Manger's attack.
The research with a name "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations" also includes a TLS 1.3 downgrade attack.
http://cat.eyalro.net/

Ransomware Infected 100k computers in China then demands WeChat Payment and is using XOR as an "encryption". Author was probably identified because he registered domain to his own name.
https://movaxbx.ru/2018/12/05/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/

It looks like 13 years old Virut botnet is resurrected in the wild.
https://chrisdietri.ch/post/virut-resurrects/

Great blog on how guy scammed the scammer to send him photo of his ID.
https://medium.com/@hackerfantastic/scamming-the-scammers-2fb934099ccc

Nearly 250 Pages of internal Facebook documents, emails and statistics were posted online by the UK Parliament.
https://motherboard.vice.com/en_us/article/59vwez/nearly-250-pages-of-devastating-internal-facebook-documents-posted-online-by-uk-parliament

A User Data of the question-and-answer website Quora were compromised.
https://help.quora.com/hc/en-us/articles/360020212652

The records of 500 million customers of the Marriott International hotel group were compromised.
https://www.bbc.com/news/technology-46401890

Interesting revisited paper: "From Keys to Databases -- Real-World Applications of Secure Multi-Party Computation."
https://eprint.iacr.org/2018/450

GTRS - is a tool that uses Google Translator as a proxy to send arbitrary commands to an infected machine.
https://github.com/mthbernardes/GTRS

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
https://robotattack.org/

HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.
https://zwclose.github.io/HP-keylogger/

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
http://seclists.org/fulldisclosure/2017/Dec/38

Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.
https://securityaffairs.co/wordpress/66591/cyber-crime/moneytaker-group.html

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
https://www.recordedfuture.com/cyber-operations-cost/

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
https://www.bleepingcomputer.com/news/security/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence/

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
http://blog.kismetwireless.net/2017/11/dji-uav-drone-id.html

Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
https://github.com/wazuh/wazuh

Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.
https://github.com/wifiphisher/wifiphisher

InfoSec Week 46, 2017

Multiple critical vulnerabilities were found in the Intel Management Engine, Trusted Execution Engine and Server Platform Services by Intel audit after 3rd party researchers reported the privilege escalation vulnerability.
http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-management-engine-affecting-millions/

If you have a vulnerable F5, basically attackers can sign anything with your RSA private key. An F5 BIG-IP virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages.
https://support.f5.com/csp/article/K21905460

MalwareHunterTeam discovered a new variant of the CryptoMix ransomware. It uses hardcoded RSA keys and can work offline.
https://securityaffairs.co/wordpress/65716/malware/cryptomix-ransomware-2.html

Attackers are using Microsoft’s Office documents Dynamic Data Exchange protocol to download and install malware. Microsoft does not consider it a vulnerability.
https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware-attacks

Nice step by step guide on how to put shellcode into a legitimate PE file, and make it undetectable.
https://haiderm.com/fully-undetectable-backdooring-pe-files/

Extensive review of U2F hardware devices.
https://github.com/hillbrad/U2FReviews

al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of nowadays malware tricks and the goal is to see if you stay under the radar.
https://github.com/LordNoteworthy/al-khaser

Puffs is a domain-specific language and library for parsing untrusted file formats safely. Examples of such file formats include images, audio, video, fonts and compressed archives.
https://github.com/google/puffs