Tag botnet

InfoSec Week 3, 2018

Notoriously known Necurs spam botnet is sending millions of spam emails that are pumping shitcoin cryptocurrency named Swisscoin. Attackers are probably invested and are expecting to do pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against the foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police has handed malware-infected USB sticks as prizes for cybersecurity quiz. The malware was some old sample trying to communicate with non-existing C&C server in Poland. The thumb drives were infected by third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research is analyzing usage of the Certificate Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly tell which certificate authority may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 39, 2017

Security researcher Gal Beniamini from Google has discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips and published working exploit after notifying affected parties.
https://googleprojectzero.blogspot.sk/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html

Google engineers also found multiple flaws and vulnerabilities in the popular DNS software package - Dnsmasq. The patches are now committed to the project’s git repository. Make sure to upgrade to v2.78.
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Arbor Networks researchers attributed Flusihoc DDoS botnet to the Chinese origins. More than 154 different command and control servers were used during the years, with over 48 still active right now.
https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/

HP Enterprise shared ArcSight source code with the Russians.
https://www.schneier.com/blog/archives/2017/10/hp_shared_arcsi.html

The vulnerability in Siemens industrial switches allows an unauthenticated attacker who has access to the network to remotely perform administrative actions.
https://ics-cert.us-cert.gov/advisories/ICSA-17-271-01

Computer manufacturer company Purism is currently running crowdfunding campaign to finance Librem 5 – A Security and Privacy Focused Phone.
From the campaign webpage:
"Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers."
Support them!
https://puri.sm/shop/librem-5/

Microsoft announced new cloud-based memory corruption bug detector with the codename Project Springfield.
https://blogs.microsoft.com/ai/2016/09/26/microsoft-previews-project-springfield-cloud-based-bug-detector/

Super-Stealthy Droppers - Linux "Diskless" binary execution by example.
https://0x00sec.org/t/super-stealthy-droppers/3715

InfoSec Week 29, 2017

Microsoft has analyzed EnglishmansDentist exploit used against the Exchange 2003 mail servers on the out-dated Windows Server 2003 OS. Exploit was released by ShadowBrokers back in April 2017.
https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/

ESET researchers have analyzed a Stantinko botnet consisting of almost half a million machines used for ad-related fraud. It uses malicious Chrome extensions, but also creating and managing Facebook profiles and brute-forcing Joomla and WordPress websites.
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/

A buffer overflow in the Source SDK in Valve's Source SDK allows an attacker to remotely execute code on a user's computer machine.
https://www.bleepingcomputer.com/news/security/valve-patches-security-flaw-that-allows-installation-of-malware-via-steam-games/
https://motherboard.vice.com/en_us/article/nevmwd/counter-strike-bug-allowed-hackers-to-completely-own-your-computer-with-a-frag

Secure messaging application Wire is now supporting end-to-end encrypted chats, file sharing and calls to businesses. But it's paid feature.
https://medium.com/@wireapp/wire-at-work-introducing-teams-beta-e50dacf6e9f1

Briar, a secure messaging app for Android, was released for a public beta testing. It's using Tor, or P2P direct messaging over Wifi, Bluetooth. Very interesting project.
https://briarproject.org/news/2017-beta-released-security-audit.html

D. J. Bernstein has published blog about the secure key material erasure: "2017.07.23: Fast-key-erasure random-number generators"
https://blog.cr.yp.to/20170723-random.html

Google Project Zero analyzed the security properties of the two major Trusted Execution Environment present on Android devices - Qualcomm’s QSEE and Trustonic’s Kinibi.
https://googleprojectzero.blogspot.sk/2017/07/trust-issues-exploiting-trustzone-tees.html

Prowler is a tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark.
https://github.com/alfresco/prowler

Hardentools is a utility that disables a number of risky Windows "features" exposed by Windows operating system.
https://github.com/securitywithoutborders/hardentools

InfoSec Week 28, 2017

Porn spam botnet consisting of more than 80,000 automated female Twitter accounts has been prompting millions of clicks from Twitter users to the various affiliate dating schemes (known as "partnerka").
https://krebsonsecurity.com/2017/07/porn-spam-botnet-has-evil-twitter-twin/

Two malware families, NemucodAES ransomware and Kovter trojan are being distributed via email, pretending to be a delivery notice from the United Parcel Service.
https://isc.sans.edu/forums/diary/NemucodAES+and+the+malspam+that+distributes+it/22614/

Reyptson ransomware is using victim’s configured Thunderbird email account to execute spam distribution campaign against its contacts.
http://www.securitynewspaper.com/2017/07/18/reyptson-ransomware-spams-friends-stealing-thunderbird-contacts/

Android spyware targeting Iranians is using Telegram bot API to exfiltrate data to the remote server.
https://blog.avast.com/spyware-targets-iranian-android-users-by-abusing-messaging-app-telegram-bot-api

Trustwave SpiderLabs researchers discovered a zero-day vulnerability in Humax HG-100R WiFi Router, that could be exploited by attackers to compromise the WiFi credentials and obtain the router console administrative password.
https://www.trustwave.com/Resources/SpiderLabs-Blog/0-Day-Alert--Your-Humax-WiFi-Router-Might-Be-In-Danger/

Proofpoint analyzed Ovidiy Stealer, undocumented credential stealer, which is sold on the Russian-speaking forums.
https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses

Guido Vranken fuzzed FreeRADIUS source code and found 15 issues, four exploitable, and one of which is a remote code execution bug (RCE). Compile and upgrade now.
http://freeradius.org/security/fuzzer-2017.html

Humble Bundle is selling for next 12 days a lots of DRM-free cybersecurity books very cheaply.
https://www.humblebundle.com/books/cybersecurity-wiley

WireGuard, fast, modern, secure VPN tunnel is now formally verified with the Tamarin equational theorem prover. Really powerful software.
https://www.wireguard.com/formal-verification/

Interesting USENIX paper on the security (and analysis) of bootloaders in mobile devices:
BootStomp: On the Security of Bootloaders in Mobile Devices
http://cs.ucsb.edu/~yanick/publications/2017_sec_bootstomp.pdf

PyREBox is a Python scriptable Reverse Engineering sandbox developed by Cisco Talos. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.
https://github.com/Cisco-Talos/pyrebox

InfoSec Week 14, 2017

The Cisco Talos team has analyzed ROKRAT remote administration tool targeting South Koreans by spear phishing campaign.
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html

The "rensenWare" ransomware is asking victims to score over 0.2 billion game currency playing the game "Touhou Project - Undefined Fantastic Object”.
http://securityaffairs.co/wordpress/57850/malware/rensenware-ransomware.html

The new BrickerBot malware is performing so called Permanent Denial-of-Service (PDoS) on a IoT device. It's using the same attack vector as a Mirai botnet - bruteforcing ssh passphrase. If succesful, it tries to brick device storage.
https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/

Triada Android malware is using open source DroidPlugin sandbox when running, in order to evade detection.
https://blog.avast.com/mobile-spyware-uses-sandbox-to-avoid-antivirus-detections

The security issue in the Splunk Enterprise allowed a potential attacker to steal data from the authenticated user if she visited a malicious website.
http://seclists.org/fulldisclosure/2017/Mar/89

Google Project Zero demonstrated a Broadcom’s Wi-Fi stack remote code execution exploit on a fully updated Nexus 6P, running Android 7.1.1 version NUF26K.
https://googleprojectzero.blogspot.md/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html

TheShadowBrokers hacking group just leaked the NSA digital weapons package online.
https://github.com/x0rz/EQGRP
https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1

WikiLeaks published documents detailing the Grasshopper framework used by the CIA to create custom Windows malware installers.
Source code of the "Stolen Goods" module contains parts of the leaked Carberp banking trojan source code.
http://www.securityweek.com/wikileaks-details-cia-tool-creating-windows-malware-installers

The Xen Security Team has discovered a security bug in the hypervisor code which, if exploited, can be used for breaking Qubes OS isolation. Exploit chaining required for the full system takeover tough.
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-029-2017.txt

Interesting research about the using antivirus software as a leverage during the attack. "Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks"
https://www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf

InfoSec Week 13, 2017

The tale of a misunderstood malware author who has released banking malware - NukeBot- source code on a GitHub to get a track.
https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/

New Android ransomware is using third party stores (what else?) to propagate, mainly to the Russian-speaking users. It asks for 500 rubles (~5 EUR), then keeps screen locked forever.
https://www.bleepingcomputer.com/news/security/new-android-ransomware-evades-all-mobile-antivirus-solutions/

Palo Alto Networks analyzed the "Trochilus and MoonWind" RAT campaign targeting Thai organisations with the keylogger. Two different RATs share the same part of the infrastructure.
http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations

Eset published a detailed analysis of a Turlas second-stage payload, Carbon backdoor. Nice config file and serious pub key encryption in use with the C&C servers.
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/

Phishing campaign targeting owners of GitHub repositories with the Dimnie malware able to log keystrokes and take screenshots.
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/

Analysis of the GhostAdmin 2.0 RAT. Keylogger, screen capture, IRC based C&C, audio recording.
https://www.cylance.com/content/cylance/en_us/blog/threat-spotlight-ghostadmin.html

This stuff has been published for some time, but definitely worth reading. CIA tradecraft for the malware writers: "Development Tradecraft DOs and DON'Ts"
https://wikileaks.org/ciav7p1/cms/page_14587109.html

The Yeti is a threat intelligence platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats.
https://yeti-platform.github.io/

box.js is a utility to analyze malicious JavaScript. It uses Node, and create text reports.
https://github.com/CapacitorSet/box-js

CERT Société Générale published FAME - an open source malware analysis platform that is meant to facilitate analysis of malware-related files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis.
https://certsocietegenerale.github.io/fame/

InfoSec Week 9, 2017

Cisco Talos analyzed PowerShell trojan "DNSMessenger" that communicates with the command and control server using DNS TXT record queries.
http://blog.talosintelligence.com/2017/03/dnsmessenger.html

IRC Botnet named GhostAdmin spreading as a fake security product, borrowing its name and icon from the Symantec, Avira, Avast.
https://www.alienvault.com/blogs/security-essentials/ghostadmin-the-invisible-data-thief-notes-from-the-underground

Nice analysis of an admin panel used by spambot "Onliner". It was used for spreading Ursnif in the Italy and Canada.
https://benkowlab.blogspot.ch/2017/02/spambot-safari-2-online-mail-system.html

The group known as the APT28, attributed to the Russia, is behind the spear phishing operation against the Japan. They have used PowerShell payload, which downloads additional DLL malware later.
https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html

New exploit kit called Nebula is up for a sale on the internet. Different payload is served according to the victim location.
http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html

German and Czech Android users are getting served with a banking Trojan directly through SMS messages.
https://www.helpnetsecurity.com/2017/02/28/germans-czechs-banking-malware/

Teddy bear seller CloudPets Mongo database full of customers' info leaked online.
https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

This is from the beginning of February, some provoking thoughts on the cyber conflict around French elections.
https://medium.com/@thegrugq/opening-cyber-salvo-in-the-french-elections-e677447b91dc

Eset & Kaspersky released a decryption tool for the Dharma ransomware.
http://www.computerworld.com/article/3176688/security/free-decryption-tools-now-available-for-dharma-ransomware.html

Matthew Green wrote about the use of advanced cryptography in the ransomware development. This is interesting, and partially related to my december blog.
https://blog.cryptographyengineering.com/2017/02/28/the-future-of-ransomware/

Researchers from the Graz University of Technology published attack against the Intel Software Guard Extensions enclaves. From the paper: "In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. [...] In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes."
https://arxiv.org/abs/1702.08719

whoishere.py - Identify people by assigning a name to a device performing a wireless probe request
https://github.com/hkm/whoishere.py

The Future Of Malware

With the current state of technology and the massive “boom” of the implementation of the encryption libraries, decentralized, trustless...