Tag botnet

InfoSec Week 40, 2018

Estonia sues Gemalto for €152M over ID card flaws. According to an article, some keys were NOT generated on a smartcard due to a scaling issue.
Well, looks like they are not affected by ROCA vulnerability, just compromised by Gemalto:)
https://dan.enigmabridge.com/estonia-hits-gemalto-again-insecure-eid-cards/

Apple laptops on Intel chipsets were running in the Intel Management Engine Manufacturing Mode. The vulnerability (CVE-2018-4251) was patched in macOS High Sierra update 10.13.5.
By exploiting the vulnerability, an attacker could write old versions of Intel ME without physical access to the computer, with the possibility of running arbitrary code in ME.
http://blog.ptsecurity.com/2018/10/intel-me-manufacturing-mode-macbook.html

The FBI took down Phantom Secure, a Canadian (not only) encrypted communication service.
The company turned smartphones to a single use encrypted communication devices, mostly to be used by drug kingpins.
The service was sold only to a customers recommended by the existing one.
https://www.fbi.gov/news/stories/phantom-secure-takedown-031618

The US-CERT has released a technical alert warning about a new "FASTCash" ATM scheme being used by the North Korean APT hacking group.
The malware installed on the issuers' compromised switch application servers intercepts the transaction request and responds the fake responses, fooling ATMs to spit out a large amount of cash.
https://www.us-cert.gov/ncas/alerts/TA18-275A

GhostDNS DNS changer botnet hijacked over 100k routers attacking routers overt the intranet using browser javascript.
https://www.hacking.reviews/2018/10/ghostdns-new-dns-changer-botnet.html

Brian Krebs wrote about the really clever phishing scam schemes executed over the phone. They are pretending to be a bank, and have lots of information about the victim before the scam occurs.
https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/

Some Reddit guy found tiny Linux PC hooked to to a router in his apartment. Investigation showed, that it is some kind of information stealing device and the info collectors are paying a "rent" to a roommate which implanted it on his own network. https://www.reddit.com/r/whatisthisthing/comments/9ixdh9/found_hooked_up_to_my_router/e6nh61r/

Facebook published some technical details about the recent profile leaking vulnerability.
The attackers connected three bugs and basically automated the whole process of obtaining user access tokens.
https://newsroom.fb.com/news/2018/09/security-update/

ESET researchers documented the first UEFI rootkit found in the wild. Called LoJax, the rootkit is targeting central, eastern Europe and Balkan government organizations.
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

Conor Patrick recently launched Kickstarter campaign for Solo, the first open source FIDO2 USB, NFC security key. Support it!
https://www.kickstarter.com/projects/conorpatrick/solo-the-first-open-source-fido2-security-key-usb

A step-by-step Linux kernel exploitation for CVE-2017-11176 with the exploit code included.
https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html

InfoSec Week 38, 2018

Purism project introduced their own security token called the Librem Key. They have partnered with the Nitrokey manufacturer, but the firmware provides additional functionality, like a challenge response mode where the key informs you if the bios running on a PC has validated itself to the key.
https://puri.sm/posts/introducing-the-librem-key/

Google built a prototype of a censored search engine which should be used in China, that links users’ searches to their phone numbers.
https://theintercept.com/2018/09/14/google-china-prototype-links-searches-to-phone-numbers/

According to a Swiss officials, two Russian spies caught in the Netherlands had been plotting a cyber attack on a Swiss defense lab analyzing the Novichok nerve agent used in the Salisbury poisoning.
https://www.nytimes.com/2018/09/14/world/europe/russians-salisbury-swiss-lab-sabotage.html

Citizen Lab has published a new report about the Pegasus spyware created by Israeli cyber-security firm NSO Group.
The malware is operating on both Android and iOS devices, and the researchers identified 45 countries in which operators of NSO Group’s Pegasus spyware may be conducting operations.
https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

Hackers were running cryptocurrency mining malware on the Indian government sites.
https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/hackers-mined-a-fortune-from-indian-websites/articleshow/65836088.cms

Every day this week, Cloudflare is announcing support for a new technology that uses cryptography.
They have introduced Onion service, BGP PKI (RPKI), IPFS node. Essentially, we can call them an active global adversary now.
https://blog.cloudflare.com/crypto-week-2018/

The Western Digital My Cloud was affected by an authentication bypass vulnerability.
An unauthenticated attacker could exploit this vulnerability to authenticate as an admin user without needing to provide a password.
https://securify.nl/en/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html

NSS Labs filed an antitrust suit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO), because they found out that the "vendors have conspired to prevent testing of their products by placing clauses in their end user licensing agreements (EULA) that make testing of their products subject to their permission."
https://www.nsslabs.com/blog/company/advancing-transparency-and-accountability-in-the-cybersecurity-industry/

The new Necurs botnet spam campaign targets Banks with the malicious Wizard (.wiz) files used by Microsoft programs such as Word to guide users through complex or repetitive tasks.
https://blog.barkly.com/wiz-file-malware-necurs-campaign

Informative blog by the LineageOS engineers covering Qualcomm bootloader chain of trust to the point of Android OS being loaded.
https://lineageos.org/engineering/Qualcomm-Firmware/

GnuPG can now be used to perform notarial acts in the State of Washington.
https://lists.gnupg.org/pipermail/gnupg-users/2018-September/060987.html

A new CSS-based web attack will crash and restart your iPhone.
https://techcrunch.com/2018/09/15/a-new-css-based-web-attack-will-crash-and-restart-your-iphone/

Interesting project - SlotBot: Hacking slot machines to win the jackpot with a buttonhole camera and brute-force search.
https://github.com/tensor8/hacking_slot_machines

InfoSec Week 36, 2018

USB media shipped with the Schneider Electric Conext ComBox and Conext Battery Monitor solar products were infected with malware.
https://www.schneider-electric.com/en/download/document/SESN-2018-236-01/

Two days after the proof-of-concept exploit for the Windows Task Scheduler vulnerability appeared online, malware developers have started using it.
https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/

Five Eyes, an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States, officially warns the tech world that they should build interception capabilities voluntarily or governments will legislate.
https://www.computerworld.com.au/article/646059/five-eyes-tech-industry-make-access-online-communications-possible-else/

Security researchers from the Kaitiaki Labs presented exploitation techniques against the automation in the LTE mobile networks.
https://gsec.hitb.org/materials/sg2018/D1%20-%20Exploiting%20Automation%20in%20LTE%20Mobile%20Networks%20-%20Altaf%20Shaik%20&%20Ravishankar%20Borgaonkar.pdf

.NET Framework remote code injection vulnerability (CVE-2018-8284) enables low privileged SharePoint users to execute commands on the server.
https://www.nccgroup.trust/uk/our-research/technical-advisory-bypassing-workflows-protection-mechanisms-remote-code-execution-on-sharepoint/

A good blog post by a bug hunter Steven Seeley - Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows (CVE-2018-15514).
https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html

Thousands of MikroTik routers are forwarding owners’ traffic to unknown attackers.
https://blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/

A great insight into the world of WW2 women code breakers who unmasked the Soviet spies.
https://www.smithsonianmag.com/history/women-code-breakers-unmasked-soviet-spies-180970034/

ProtonMail released a major new version (4.0) of OpenPGPjs which introduces streaming cryptography.
https://protonmail.com/blog/openpgpjs-4-streaming-encryption/

Bruce Schneier announced the publication of the latest book with the name "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World".
https://www.schneier.com/blog/archives/2018/09/new_book_announ.html

There is a new collection of botnet source codes on GitHub.
https://github.com/maestron/botnets

InfoSec Week 33, 2018

There is an OpenSSH user enumeration attack against all software versions on all operating systems.
It's a timing attack with proof of concept already published.
http://www.openwall.com/lists/oss-security/2018/08/15/5
https://bugfuzz.com/stuff/ssh-check-username.py

The so-called RedAlpha malware campaign targeting the Tibetan community is deploying a novel “ext4” Linux backdoor. The group is using infrastructure registered with Tsinghua1 University, China and is believed to be conducted by Chinese state-sponsored actors in support of China’s economic development goals.
https://www.recordedfuture.com/chinese-cyberespionage-operations/

The Australia’s Assistance and Access Bill, introduced this week, want to jail people for up to 10 years if they refuse to unlock their phones.
https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/

A new research paper named "Piping Botnet - Turning Green Technology into a Water Disaster" demonstrate that the researchers were able to manipulate commercial smart IoT systems used for regulating water and electricity resources.
https://arxiv.org/abs/1808.02131

The guy with his BMW car encountered the theft attempt, where something that looked like a vandalism was actually a really smart attack against the modern alarm system.
https://mrooding.me/a-dutch-first-ingenious-bmw-theft-attempt-5f7f49a96ec8

Cloudflare analyzed the changes and improvements of a new TLS 1.3 (RFC 8446) standard that was finally published last week.
https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

New Foreshadow attack demonstrates how speculative execution can be exploited for reading the contents of Intels' SGX-protected memory as well as extracting the machine’s private attestation key.
https://foreshadowattack.eu/

Practical dictionary attacks are possible against the main mode of IPsec IKEv1/v2 standard. Successful exploitation of a weak password requires only a single active man-in-the-middle attack.
https://web-in-security.blogspot.com/2018/08/practical-dictionary-attack-on-ipsec-ike.html

If you are interested how cryptographic key management is practically done, I have written a blog Commercial Cryptographic Key Management in 2018, where I am explaining a little bit about the hardware, people and processes behind it.
https://www.malgregator.com/key-management.html

Google published BrokenType, the font fuzzing toolset that helped find lots of vulnerabilities in the Windows kernel. It includes a font mutator, generator and loader.
https://github.com/google/BrokenType

InfoSec Week 32, 2018

A Comcast security flaws exposed more than 26 millions of customers’ personal information. Basically, an attacker could spoof IP address using "X-forwarded-for" header on a Comcast login page and reveal the customer’s location.
https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers

According to the Check Point Research, more than 150k computers are infected with the new variant of Ramnit botnet named Black. Botnet install second stage malware with the proxy functionality.
https://research.checkpoint.com/ramnits-network-proxy-servers/

Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they had already recovered from the attack.
https://www.bloomberg.com/news/articles/2018-08-04/tsmc-takes-emergency-steps-as-operations-hit-by-computer-virus

A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. Attack require less than 2 Kbps of traffic.
https://access.redhat.com/articles/3553061

GDPR and other cookie consent scripts are used to distribute malware.
https://blog.sucuri.net/2018/08/cookie-consent-script-used-to-distribute-malware.html

Interesting blog on how criminals in Iran make money by creating Android malware apps.
https://blog.certfa.com/posts/pushiran-dl-malware-family/

Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on a cross-signing on some systems, so this is great news!
https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html

There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask Access Point for the data required for offline cracking, no client traffic sniffing is needed anymore.
https://hashcat.net/forum/thread-7717.html

Innovative new research on a software implementation hardening was published with the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple, introduce a large number of non-exploitable bugs in the program which makes the bug discovery and exploit creation significantly harder.
https://arxiv.org/abs/1808.00659

Researchers from the University of Milan published padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on it...
https://pequalsnp-team.github.io/writeups/analisys_telegram_passport

A Handshake is a new experimental peer-to-peer root DNS. They have published resolver source code and have test network up and running. Looks like really promising project.
https://handshake.org/

InfoSec Week 31, 2018

Reddit got hacked. According to the investigation, it looks like hackers accessed employees 2FA protected accounts.
An attacker "compromised a few of Reddit's accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes".
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

A non-official French website keepass.fr using an URL similar to the popular password manager KeePass one lets you download a tampered version of the password manager with some adware in it.
https://twitter.com/JusticeRage/status/1021815597972291591

According to The Intercept_, Google is planning to launch a censored version of its search engine in China that will blacklist websites and search terms about human rights, democracy, religion, and peaceful protest.
One can only wonder whether it is some part of a broader strategy, how to spread channels of influence abroad.
https://theintercept.com/2018/08/01/google-china-search-engine-censorship/

There is a great blog published on a Trail of Bits about the recent invalid elliptic curve point attack against the Bluetooth implementations.
Give it a try if you are interested, it's really easy to read!
https://blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/amp/

A borough and a town in Alaska have been hit by a devastating ransomware attack, forcing employees to completely stop using computers and go back to typewriters and hand receipts.
https://mashable.com/2018/08/02/malware-alaska-town

BYOB (Build Your Own Botnet) is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop countermeasures against these threats.
https://github.com/colental/byob

FireEye wrote article about the internals of a FIN7 hacking group global operation.
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

WireGuard, next generation VPN software, is finally submitted for the Linux kernel inclusion. Linus Torvalds commented the pull request:
"I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."
https://marc.info/?l=linux-netdev&m=153306429108040&w=2
http://lists.openwall.net/netdev/2018/08/02/124

Malhunt: automated malware search in memory dumps using volatility and Yara rules.
https://github.com/andreafortuna/malhunt

InfoSec Week 30, 2018

Researchers from the Palo Alto Networks analyzed new Mirai and Gafgyt IoT/Linux botnet campaigns. The samples used more than 11 exploits for spreading, exploiting D-Link, Dasan GPON routers.
https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

Brian Krebs published a blog post about the current status of the Universal 2nd Factor (U2F) support. Google practically eliminated employee phishing by introducing mandatory usage of the physical security keys.
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/

There is a new module for the CHIPSEC Security Assessment Framework to check CPU USB debug features and host Direct Connection Interface (DCI), which can be used to modify system firmware with physical access and introduce "Evil Maid" firmware attacks.
https://blog.eclypsium.com/2018/07/23/evil-mai%EF%BB%BFd-firmware-attacks-using-usb-debug/

Chinese police arrested malware developers for hacking millions of computers to steal $2 million in cryptocurrencies.
https://www.ccn.com/chinese-police-arrest-malware-developers-who-hacked-2-million-in-crypto/

Paper on a new Spectre variant called SpectreRSB was published with the name "Spectre Returns! Speculation Attacks using the Return Stack Buffer".
According to a paper „none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks.“
https://arxiv.org/abs/1807.07940

The source code of an Exobot Android Banking Trojan has been leaked online back in May has rapidly spread in the malware community.
https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/

Because of insufficient validation of parameters in many Bluetooth implementations, attackers can inject invalid elliptic curve parameters which aren’t checked by many implementations in an invalid public key making session keys vulnerable.
https://www.kb.cert.org/vuls/id/304725

The Cisco Talos security team found multiple vulnerabilities, including remote code execution vulnerability in the Sony IPELA E series network camera. https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html

NSA declassified papers from John Tiltman, one of Britain’s top cryptanalysts during the Second World War, which reveal how pre-world war 2 Brits analyzed and decrypted Russian cryptography.
https://www.theregister.co.uk/2018/07/19/russia_one_time_pads_error_british/

InfoSec Week 25, 2018

Marcus Brinkmann demonstrated how some configuration options in the GnuPG allow remote attackers to spoof arbitrary signature. He used the embedded “filename” parameter in OpenPGP literal data packets, together with the verbose option set in their gpg.conf file.
https://neopg.io/blog/gpg-signature-spoof/

Tapplock Smart Lock has critical bugs making it a trivial protection. They are using the AES key derived from the MAC address, so anyone with a Bluetooth enabled smartphone can pick up the key upon getting to a smart lock Bluetooth range.
https://latesthackingnews.com/2018/06/16/tapplock-smart-lock-is-having-a-bad-time-two-bugs-reported-in-one-week/

Crooks are injecting credit card stealing backdoor to the config files of a hacked Magento e-commerce platforms. They can reinfect the rest of code base over and over again with the config load.
https://thehackernews.com/2018/06/magento-security-hacking.html

Updated Satori botnet began to perform network wide scan looking for exploitable XiongMai uc-httpd 1.0.0 devices (CVE-2018-10088).
https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/

Baby Monitors in the USA were hacked via obscure Chinese IoT cloud. The woman from the Facebook post claims that someone controlled the camera remotely and spied on her, possibly listened in to conversations.
https://www.sec-consult.com/en/blog/2018/06/true-story-the-case-of-a-hacked-baby-monitor-gwelltimes-p2p-cloud/

OpenBSD disables Intel's hyper-threading due to possible exploitable spectre-class bugs in the architecture.
https://www.mail-archive.com/source-changes@openbsd.org/msg99141.html

Linux is getting support for in-kernel hibernation encryption. Encrypts disk-image memory, thereby increasing the general security of full-disk encryption on Linux and reducing the attack surface.
http://lkml.iu.edu/hypermail/linux/kernel/1806.2/03567.html

OTSECA - (ot)her (sec)urity (a)wareness is an open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
https://github.com/trimstray/otseca

InfoSec Week 23, 2018

Australian government drafts new laws, that will force technology giants like Facebook, Google to give government agencies access to encrypted data.
https://www.theguardian.com/technology/2018/jun/06/planned-laws-to-force-tech-firms-to-reveal-encrypted-data

A security researcher at Telspace Systems, Dmitri Kaslov, discovered a vulnerability in the Microsoft Windows JScript component, that can be exploited by an attacker to execute malicious code on a target computer.
https://www.zerodayinitiative.com/advisories/ZDI-18-534/

IBM X-Force Research has uncovered a new Brazilian, Delphi-based MnuBot malware active in the wild. It downloads it's functionality during the execution dynamically from the remote C&C server, so its functionality can be upgraded on the fly.
https://securityintelligence.com/new-banking-trojan-mnubot-discovered-by-ibm-x-force-research/

The US Department of Homeland Security and FBI issues alert over two new malware, Joanap remote access tool and Brambul SMB worm, linked to the Hidden Cobra hacker group.
https://www.us-cert.gov/ncas/alerts/TA18-149A

A Toronto-based investment firm alleges that a rival company hired the Israeli companies tied to state intelligence agencies, to help sway a business dispute over a 2014 bid for a telecommunications company.
https://www.calcalistech.com/ctech/articles/0,7340,L-3739390,00.html

Google announced a project Capillary: End-to-end encryption for push messaging in Android. It should be available backward to API level 19 - KitKat.
https://android-developers.googleblog.com/2018/06/project-capillary-end-to-end-encryption.html

Engineers from the University of Toronto have built a filter that slightly alters photos of people’s faces to keep facial recognition software from realizing what it's looking at. https://joeybose.github.io/assets/adversarial-attacks-face.pdf

Research paper about the business model of a botnet operation, even with a business model canvas!
https://arxiv.org/abs/1804.10848

New research takes on the problem of habituation to security warnings. They have used eye tracking and fMRI data to find out how people react to the security warnings in the software.
https://neurosecurity.byu.edu/misq-longitudinal-2018/

A new paper by Bonnetain and Schrottenloher giving improved quantum attack on a newly proposed Commutative Supersingular Isogeny Diffie–Hellman (CSIDH) key exchange. According to the paper, they show, that the 128-bit classical, 64-bit quantum security parameters proposed actually offer at most 37 bits of quantum security.
https://eprint.iacr.org/2018/537

InfoSec Week 12, 2018

Facebook, Google, Cisco, WhatsApp and other industry partners get together to create Message Layer Security as an open standard for end-to-end encryption with formal verification. Messaging Layer Security is now an IETF working group as well.
https://datatracker.ietf.org/doc/draft-omara-mls-architecture/

Long read about the takedown of Gooligan, Android botnet that was stealing OAuth credentials back in 2016.
https://www.elie.net/blog/security/taking-down-gooligan-part-1-overview

The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after they have notified the AMD.
https://www.schneier.com/blog/archives/2018/03/israeli_securit.html

Russia orders company behind the Telegram messaging application to hand over users’ encryption keys.
https://www.theverge.com/2018/3/20/17142482/russia-orders-telegram-hand-over-user-encryption-keys

Hacker behind Guccifer 2.0 pseudonym, known for providing WikiLeaks with stolen emails from the US Democratic National Committee, was an officer of Russia’s military intelligence directorate.
https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer

Fascinating in depth blog about the breaking security of the Ledger cryptocurrency hardware wallet.
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

There was a Facebook bug which made persistent XSS in Facebook wall possible by embedding an external video using the Open Graph protocol.
https://opnsec.com/2018/03/stored-xss-on-facebook/

Two part series about the password cracking Chinese hardware "encrypted" hard drives. PIN recovered.
https://syscall.eu/blog/2018/03/12/aigo_part1/
https://syscall.eu/blog/2018/03/12/aigo_part2/

Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.
https://theintercept.com/2018/03/20/the-nsa-worked-to-track-down-bitcoin-users-snowden-documents-reveal/

Dark Web Map - a visualization of the structure of 6.6k Tor's onion services, a.k.a. hidden services, a.k.a. the dark web.
https://www.hyperiongray.com/dark-web-map/


Page 1 / 2