Tag botnet

InfoSec Week 33, 2018

There is an OpenSSH user enumeration attack against all software versions on all operating systems.
It's a timing attack with proof of concept already published.
http://www.openwall.com/lists/oss-security/2018/08/15/5
https://bugfuzz.com/stuff/ssh-check-username.py

The so-called RedAlpha malware campaign targeting the Tibetan community is deploying a novel “ext4” Linux backdoor. The group is using infrastructure registered with Tsinghua1 University, China and is believed to be conducted by Chinese state-sponsored actors in support of China’s economic development goals.
https://www.recordedfuture.com/chinese-cyberespionage-operations/

The Australia’s Assistance and Access Bill, introduced this week, want to jail people for up to 10 years if they refuse to unlock their phones.
https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/

A new research paper named "Piping Botnet - Turning Green Technology into a Water Disaster" demonstrate that the researchers were able to manipulate commercial smart IoT systems used for regulating water and electricity resources.
https://arxiv.org/abs/1808.02131

The guy with his BMW car encountered the theft attempt, where something that looked like a vandalism was actually a really smart attack against the modern alarm system.
https://mrooding.me/a-dutch-first-ingenious-bmw-theft-attempt-5f7f49a96ec8

Cloudflare analyzed the changes and improvements of a new TLS 1.3 (RFC 8446) standard that was finally published last week.
https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

New Foreshadow attack demonstrates how speculative execution can be exploited for reading the contents of Intels' SGX-protected memory as well as extracting the machine’s private attestation key.
https://foreshadowattack.eu/

Practical dictionary attacks are possible against the main mode of IPsec IKEv1/v2 standard. Successful exploitation of a weak password requires only a single active man-in-the-middle attack.
https://web-in-security.blogspot.com/2018/08/practical-dictionary-attack-on-ipsec-ike.html

If you are interested how cryptographic key management is practically done, I have written a blog Commercial Cryptographic Key Management in 2018, where I am explaining a little bit about the hardware, people and processes behind it.
https://www.malgregator.com/key-management.html

Google published BrokenType, the font fuzzing toolset that helped find lots of vulnerabilities in the Windows kernel. It includes a font mutator, generator and loader.
https://github.com/google/BrokenType

InfoSec Week 32, 2018

A Comcast security flaws exposed more than 26 millions of customers’ personal information. Basically, an attacker could spoof IP address using "X-forwarded-for" header on a Comcast login page and reveal the customer’s location.
https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers

According to the Check Point Research, more than 150k computers are infected with the new variant of Ramnit botnet named Black. Botnet install second stage malware with the proxy functionality.
https://research.checkpoint.com/ramnits-network-proxy-servers/

Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they had already recovered from the attack.
https://www.bloomberg.com/news/articles/2018-08-04/tsmc-takes-emergency-steps-as-operations-hit-by-computer-virus

A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. Attack require less than 2 Kbps of traffic.
https://access.redhat.com/articles/3553061

GDPR and other cookie consent scripts are used to distribute malware.
https://blog.sucuri.net/2018/08/cookie-consent-script-used-to-distribute-malware.html

Interesting blog on how criminals in Iran make money by creating Android malware apps.
https://blog.certfa.com/posts/pushiran-dl-malware-family/

Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on a cross-signing on some systems, so this is great news!
https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html

There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask Access Point for the data required for offline cracking, no client traffic sniffing is needed anymore.
https://hashcat.net/forum/thread-7717.html

Innovative new research on a software implementation hardening was published with the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple, introduce a large number of non-exploitable bugs in the program which makes the bug discovery and exploit creation significantly harder.
https://arxiv.org/abs/1808.00659

Researchers from the University of Milan published padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on it...
https://pequalsnp-team.github.io/writeups/analisys_telegram_passport

A Handshake is a new experimental peer-to-peer root DNS. They have published resolver source code and have test network up and running. Looks like really promising project.
https://handshake.org/

InfoSec Week 31, 2018

Reddit got hacked. According to the investigation, it looks like hackers accessed employees 2FA protected accounts.
An attacker "compromised a few of Reddit's accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes".
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

A non-official French website keepass.fr using an URL similar to the popular password manager KeePass one lets you download a tampered version of the password manager with some adware in it.
https://twitter.com/JusticeRage/status/1021815597972291591

According to The Intercept_, Google is planning to launch a censored version of its search engine in China that will blacklist websites and search terms about human rights, democracy, religion, and peaceful protest.
One can only wonder whether it is some part of a broader strategy, how to spread channels of influence abroad.
https://theintercept.com/2018/08/01/google-china-search-engine-censorship/

There is a great blog published on a Trail of Bits about the recent invalid elliptic curve point attack against the Bluetooth implementations.
Give it a try if you are interested, it's really easy to read!
https://blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/amp/

A borough and a town in Alaska have been hit by a devastating ransomware attack, forcing employees to completely stop using computers and go back to typewriters and hand receipts.
https://mashable.com/2018/08/02/malware-alaska-town

BYOB (Build Your Own Botnet) is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop countermeasures against these threats.
https://github.com/colental/byob

FireEye wrote article about the internals of a FIN7 hacking group global operation.
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

WireGuard, next generation VPN software, is finally submitted for the Linux kernel inclusion. Linus Torvalds commented the pull request:
"I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."
https://marc.info/?l=linux-netdev&m=153306429108040&w=2
http://lists.openwall.net/netdev/2018/08/02/124

Malhunt: automated malware search in memory dumps using volatility and Yara rules.
https://github.com/andreafortuna/malhunt

InfoSec Week 30, 2018

Researchers from the Palo Alto Networks analyzed new Mirai and Gafgyt IoT/Linux botnet campaigns. The samples used more than 11 exploits for spreading, exploiting D-Link, Dasan GPON routers.
https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

Brian Krebs published a blog post about the current status of the Universal 2nd Factor (U2F) support. Google practically eliminated employee phishing by introducing mandatory usage of the physical security keys.
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/

There is a new module for the CHIPSEC Security Assessment Framework to check CPU USB debug features and host Direct Connection Interface (DCI), which can be used to modify system firmware with physical access and introduce "Evil Maid" firmware attacks.
https://blog.eclypsium.com/2018/07/23/evil-mai%EF%BB%BFd-firmware-attacks-using-usb-debug/

Chinese police arrested malware developers for hacking millions of computers to steal $2 million in cryptocurrencies.
https://www.ccn.com/chinese-police-arrest-malware-developers-who-hacked-2-million-in-crypto/

Paper on a new Spectre variant called SpectreRSB was published with the name "Spectre Returns! Speculation Attacks using the Return Stack Buffer".
According to a paper „none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks.“
https://arxiv.org/abs/1807.07940

The source code of an Exobot Android Banking Trojan has been leaked online back in May has rapidly spread in the malware community.
https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/

Because of insufficient validation of parameters in many Bluetooth implementations, attackers can inject invalid elliptic curve parameters which aren’t checked by many implementations in an invalid public key making session keys vulnerable.
https://www.kb.cert.org/vuls/id/304725

The Cisco Talos security team found multiple vulnerabilities, including remote code execution vulnerability in the Sony IPELA E series network camera. https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html

NSA declassified papers from John Tiltman, one of Britain’s top cryptanalysts during the Second World War, which reveal how pre-world war 2 Brits analyzed and decrypted Russian cryptography.
https://www.theregister.co.uk/2018/07/19/russia_one_time_pads_error_british/

InfoSec Week 25, 2018

Marcus Brinkmann demonstrated how some configuration options in the GnuPG allow remote attackers to spoof arbitrary signature. He used the embedded “filename” parameter in OpenPGP literal data packets, together with the verbose option set in their gpg.conf file.
https://neopg.io/blog/gpg-signature-spoof/

Tapplock Smart Lock has critical bugs making it a trivial protection. They are using the AES key derived from the MAC address, so anyone with a Bluetooth enabled smartphone can pick up the key upon getting to a smart lock Bluetooth range.
https://latesthackingnews.com/2018/06/16/tapplock-smart-lock-is-having-a-bad-time-two-bugs-reported-in-one-week/

Crooks are injecting credit card stealing backdoor to the config files of a hacked Magento e-commerce platforms. They can reinfect the rest of code base over and over again with the config load.
https://thehackernews.com/2018/06/magento-security-hacking.html

Updated Satori botnet began to perform network wide scan looking for exploitable XiongMai uc-httpd 1.0.0 devices (CVE-2018-10088).
https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/

Baby Monitors in the USA were hacked via obscure Chinese IoT cloud. The woman from the Facebook post claims that someone controlled the camera remotely and spied on her, possibly listened in to conversations.
https://www.sec-consult.com/en/blog/2018/06/true-story-the-case-of-a-hacked-baby-monitor-gwelltimes-p2p-cloud/

OpenBSD disables Intel's hyper-threading due to possible exploitable spectre-class bugs in the architecture.
https://www.mail-archive.com/source-changes@openbsd.org/msg99141.html

Linux is getting support for in-kernel hibernation encryption. Encrypts disk-image memory, thereby increasing the general security of full-disk encryption on Linux and reducing the attack surface.
http://lkml.iu.edu/hypermail/linux/kernel/1806.2/03567.html

OTSECA - (ot)her (sec)urity (a)wareness is an open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
https://github.com/trimstray/otseca

InfoSec Week 23, 2018

Australian government drafts new laws, that will force technology giants like Facebook, Google to give government agencies access to encrypted data.
https://www.theguardian.com/technology/2018/jun/06/planned-laws-to-force-tech-firms-to-reveal-encrypted-data

A security researcher at Telspace Systems, Dmitri Kaslov, discovered a vulnerability in the Microsoft Windows JScript component, that can be exploited by an attacker to execute malicious code on a target computer.
https://www.zerodayinitiative.com/advisories/ZDI-18-534/

IBM X-Force Research has uncovered a new Brazilian, Delphi-based MnuBot malware active in the wild. It downloads it's functionality during the execution dynamically from the remote C&C server, so its functionality can be upgraded on the fly.
https://securityintelligence.com/new-banking-trojan-mnubot-discovered-by-ibm-x-force-research/

The US Department of Homeland Security and FBI issues alert over two new malware, Joanap remote access tool and Brambul SMB worm, linked to the Hidden Cobra hacker group.
https://www.us-cert.gov/ncas/alerts/TA18-149A

A Toronto-based investment firm alleges that a rival company hired the Israeli companies tied to state intelligence agencies, to help sway a business dispute over a 2014 bid for a telecommunications company.
https://www.calcalistech.com/ctech/articles/0,7340,L-3739390,00.html

Google announced a project Capillary: End-to-end encryption for push messaging in Android. It should be available backward to API level 19 - KitKat.
https://android-developers.googleblog.com/2018/06/project-capillary-end-to-end-encryption.html

Engineers from the University of Toronto have built a filter that slightly alters photos of people’s faces to keep facial recognition software from realizing what it's looking at. https://joeybose.github.io/assets/adversarial-attacks-face.pdf

Research paper about the business model of a botnet operation, even with a business model canvas!
https://arxiv.org/abs/1804.10848

New research takes on the problem of habituation to security warnings. They have used eye tracking and fMRI data to find out how people react to the security warnings in the software.
https://neurosecurity.byu.edu/misq-longitudinal-2018/

A new paper by Bonnetain and Schrottenloher giving improved quantum attack on a newly proposed Commutative Supersingular Isogeny Diffie–Hellman (CSIDH) key exchange. According to the paper, they show, that the 128-bit classical, 64-bit quantum security parameters proposed actually offer at most 37 bits of quantum security.
https://eprint.iacr.org/2018/537

InfoSec Week 12, 2018

Facebook, Google, Cisco, WhatsApp and other industry partners get together to create Message Layer Security as an open standard for end-to-end encryption with formal verification. Messaging Layer Security is now an IETF working group as well.
https://datatracker.ietf.org/doc/draft-omara-mls-architecture/

Long read about the takedown of Gooligan, Android botnet that was stealing OAuth credentials back in 2016.
https://www.elie.net/blog/security/taking-down-gooligan-part-1-overview

The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after they have notified the AMD.
https://www.schneier.com/blog/archives/2018/03/israeli_securit.html

Russia orders company behind the Telegram messaging application to hand over users’ encryption keys.
https://www.theverge.com/2018/3/20/17142482/russia-orders-telegram-hand-over-user-encryption-keys

Hacker behind Guccifer 2.0 pseudonym, known for providing WikiLeaks with stolen emails from the US Democratic National Committee, was an officer of Russia’s military intelligence directorate.
https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer

Fascinating in depth blog about the breaking security of the Ledger cryptocurrency hardware wallet.
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

There was a Facebook bug which made persistent XSS in Facebook wall possible by embedding an external video using the Open Graph protocol.
https://opnsec.com/2018/03/stored-xss-on-facebook/

Two part series about the password cracking Chinese hardware "encrypted" hard drives. PIN recovered.
https://syscall.eu/blog/2018/03/12/aigo_part1/
https://syscall.eu/blog/2018/03/12/aigo_part2/

Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.
https://theintercept.com/2018/03/20/the-nsa-worked-to-track-down-bitcoin-users-snowden-documents-reveal/

Dark Web Map - a visualization of the structure of 6.6k Tor's onion services, a.k.a. hidden services, a.k.a. the dark web.
https://www.hyperiongray.com/dark-web-map/

InfoSec Week 3, 2018

Notoriously known Necurs spam botnet is sending millions of spam emails that are pumping shitcoin cryptocurrency named Swisscoin. Attackers are probably invested and are expecting to do pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against the foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police has handed malware-infected USB sticks as prizes for cybersecurity quiz. The malware was some old sample trying to communicate with non-existing C&C server in Poland. The thumb drives were infected by third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research is analyzing usage of the Certificate Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly tell which certificate authority may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 39, 2017

Security researcher Gal Beniamini from Google has discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips and published working exploit after notifying affected parties.
https://googleprojectzero.blogspot.sk/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html

Google engineers also found multiple flaws and vulnerabilities in the popular DNS software package - Dnsmasq. The patches are now committed to the project’s git repository. Make sure to upgrade to v2.78.
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Arbor Networks researchers attributed Flusihoc DDoS botnet to the Chinese origins. More than 154 different command and control servers were used during the years, with over 48 still active right now.
https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/

HP Enterprise shared ArcSight source code with the Russians.
https://www.schneier.com/blog/archives/2017/10/hp_shared_arcsi.html

The vulnerability in Siemens industrial switches allows an unauthenticated attacker who has access to the network to remotely perform administrative actions.
https://ics-cert.us-cert.gov/advisories/ICSA-17-271-01

Computer manufacturer company Purism is currently running crowdfunding campaign to finance Librem 5 – A Security and Privacy Focused Phone.
From the campaign webpage:
"Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers."
Support them!
https://puri.sm/shop/librem-5/

Microsoft announced new cloud-based memory corruption bug detector with the codename Project Springfield.
https://blogs.microsoft.com/ai/2016/09/26/microsoft-previews-project-springfield-cloud-based-bug-detector/

Super-Stealthy Droppers - Linux "Diskless" binary execution by example.
https://0x00sec.org/t/super-stealthy-droppers/3715

InfoSec Week 29, 2017

Microsoft has analyzed EnglishmansDentist exploit used against the Exchange 2003 mail servers on the out-dated Windows Server 2003 OS. Exploit was released by ShadowBrokers back in April 2017.
https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/

ESET researchers have analyzed a Stantinko botnet consisting of almost half a million machines used for ad-related fraud. It uses malicious Chrome extensions, but also creating and managing Facebook profiles and brute-forcing Joomla and WordPress websites.
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/

A buffer overflow in the Source SDK in Valve's Source SDK allows an attacker to remotely execute code on a user's computer machine.
https://www.bleepingcomputer.com/news/security/valve-patches-security-flaw-that-allows-installation-of-malware-via-steam-games/
https://motherboard.vice.com/en_us/article/nevmwd/counter-strike-bug-allowed-hackers-to-completely-own-your-computer-with-a-frag

Secure messaging application Wire is now supporting end-to-end encrypted chats, file sharing and calls to businesses. But it's paid feature.
https://medium.com/@wireapp/wire-at-work-introducing-teams-beta-e50dacf6e9f1

Briar, a secure messaging app for Android, was released for a public beta testing. It's using Tor, or P2P direct messaging over Wifi, Bluetooth. Very interesting project.
https://briarproject.org/news/2017-beta-released-security-audit.html

D. J. Bernstein has published blog about the secure key material erasure: "2017.07.23: Fast-key-erasure random-number generators"
https://blog.cr.yp.to/20170723-random.html

Google Project Zero analyzed the security properties of the two major Trusted Execution Environment present on Android devices - Qualcomm’s QSEE and Trustonic’s Kinibi.
https://googleprojectzero.blogspot.sk/2017/07/trust-issues-exploiting-trustzone-tees.html

Prowler is a tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark.
https://github.com/alfresco/prowler

Hardentools is a utility that disables a number of risky Windows "features" exposed by Windows operating system.
https://github.com/securitywithoutborders/hardentools


Page 1 / 2