InfoSec Week 51, 2017

A remotely exploitable vulnerability in Vitek CCTV firmware has been published; the write-up includes a reverse netcat shell.

Matthew Green argues that the "Extended Random" TLS extension, recently found enabled in RSA's BSAFE library as shipped in older Canon printers, could be an NSA backdoor: the extension exposes more Dual EC DRBG output per handshake, which makes that generator's backdoor easier to exploit.

Filippo Valsorda presented a key recovery attack exploiting a carry propagation bug in the x86-64 assembly P-256 implementation of Go's crypto/elliptic package. JSON Web Encryption (ECDH-ES) libraries built on it were affected, since they perform scalar multiplication with attacker-supplied points.

An explanation of how web trackers exploit browser login managers to track users across the web: a tracking script plants an invisible login form, the browser autofills the saved e-mail address, and the script reads and hashes it as a persistent identifier.

According to the hacker Konstantin Kozlovsky, the creation of the WannaCry and Lurk malware was supervised by the Russian FSB.

A short blog post on cracking PDFs protected with the old 40-bit RC4 encryption (standard security handler, revision 2) using hashcat.
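As an added illustration (not code from the blog post above, and not hashcat's own code), the following implements the PDF revision 2 standard security handler from the PDF 1.4 specification: the 5-byte (40-bit) RC4 file key is derived from the padded user password, the /O entry, /P and the first file ID, and a candidate password is verified by recomputing the /U entry. This is exactly the check hashcat's mode 10400 performs at GPU speed. The sample /Encrypt values are constructed in the block for the password "letmein" so that it runs offline; no real PDF is parsed.

```python
import hashlib
import struct

# Padding string from the PDF 1.4 specification (Algorithm 3.2, step 1).
PAD = bytes([
    0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56,
    0xFF, 0xFA, 0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80,
    0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A,
])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the cipher used by revision 2 and 3 documents."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pad_password(pw: bytes) -> bytes:
    """Pad or truncate a password to exactly 32 bytes with PAD."""
    return (pw + PAD)[:32]


def compute_key(user_pw: bytes, o_entry: bytes, p: int, id0: bytes) -> bytes:
    """Algorithm 3.2 for revision 2: the 40-bit (5-byte) RC4 file key."""
    h = hashlib.md5()
    h.update(pad_password(user_pw))
    h.update(o_entry)
    h.update(struct.pack("<I", p & 0xFFFFFFFF))  # /P as unsigned 32-bit, little-endian
    h.update(id0)                                # first element of the /ID array
    return h.digest()[:5]


def compute_o(owner_pw: bytes, user_pw: bytes) -> bytes:
    """Algorithm 3.3 (R2): O = RC4(MD5(padded owner pw)[:5], padded user pw)."""
    key = hashlib.md5(pad_password(owner_pw or user_pw)).digest()[:5]
    return rc4(key, pad_password(user_pw))


def compute_u(user_pw: bytes, o_entry: bytes, p: int, id0: bytes) -> bytes:
    """Algorithm 3.4 (R2): U = RC4(file key, PAD)."""
    return rc4(compute_key(user_pw, o_entry, p, id0), PAD)


def check_user_password(candidate: bytes, o_entry: bytes, u_entry: bytes,
                        p: int, id0: bytes) -> bool:
    """Algorithm 3.6: recompute /U from the candidate and compare with the stored one."""
    return compute_u(candidate, o_entry, p, id0) == u_entry


def crack(wordlist, o_entry: bytes, u_entry: bytes, p: int, id0: bytes):
    """Dictionary attack: return the first word that validates as the user password."""
    for word in wordlist:
        if check_user_password(word.encode(), o_entry, u_entry, p, id0):
            return word
    return None


# Constructed sample /Encrypt dictionary values (what a real file carries in its
# trailer); the document is protected with user password "letmein".
SAMPLE_P = -1                      # all permissions, stored as 0xFFFFFFFF
SAMPLE_ID0 = bytes.fromhex("0123456789abcdef0123456789abcdef")
SAMPLE_O = compute_o(b"owner-secret", b"letmein")
SAMPLE_U = compute_u(b"letmein", SAMPLE_O, SAMPLE_P, SAMPLE_ID0)

if __name__ == "__main__":
    print(crack(["password", "123456", "letmein"],
                SAMPLE_O, SAMPLE_U, SAMPLE_P, SAMPLE_ID0))
```

Two things the code makes visible: the file key is only 5 bytes, so an attacker can ignore the password entirely and brute-force the 2^40 key space against `rc4(key, PAD) == U` (hashcat's 10410 "collider" mode does this), and the whole derivation is a single MD5 plus a short RC4, so password guessing runs at very high rates on a GPU.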

The crooks behind the VenusLocker ransomware have switched to Monero mining. They run the XMRig CPU miner as a remote thread injected into the legitimate Windows component wuapp.exe, so the mining shows up under a trusted process name.
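An added detection example for the injection technique described above; this is not code from the write-up. It assumes Sysmon is deployed and flags Event ID 8 (CreateRemoteThread) records whose target is a Windows system binary such as wuapp.exe and whose source process lives outside the Windows directory, or whose thread start address is not backed by any loaded module (Sysmon leaves StartModule empty in that case). The records are constructed key=value lines standing in for a real event export.

```python
import re

# Windows binaries that miners and RATs like to hide under.  Extend per environment.
DECOY_TARGETS = {"wuapp.exe", "svchost.exe", "explorer.exe", "notepad.exe"}

# Constructed Sysmon-style records (key=value text, not the real XML export).
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Roaming\\update.exe "
    "TargetImage=C:\\Windows\\System32\\wuapp.exe "
    "StartAddress=0x00007FF6A2C41000 StartModule= StartFunction=",
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe "
    "StartAddress=0x00007FFB1C2D4F10 StartModule=C:\\Windows\\System32\\ntdll.dll "
    "StartFunction=LdrInitializeThunk",
    "EventID=1 Image=C:\\Windows\\System32\\wuapp.exe CommandLine=wuapp.exe",
]


def parse_event(line: str) -> dict:
    """Split a key=value record into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def remote_thread_reasons(event: dict) -> list:
    """Return the reasons an Event ID 8 record looks like injection (empty if benign)."""
    if event.get("EventID") != "8":
        return []
    source = event.get("SourceImage", "")
    target = basename(event.get("TargetImage", ""))
    reasons = []
    if target in DECOY_TARGETS and not source.lower().startswith("c:\\windows\\"):
        reasons.append(f"process outside C:\\Windows injected a thread into {target}")
    if event.get("StartModule", "") == "":
        reasons.append("thread start address is not backed by a loaded module")
    return reasons


def scan(lines) -> list:
    """Run the rule over raw records and return (source, target, reasons) alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = remote_thread_reasons(event)
        if reasons:
            alerts.append((event["SourceImage"], event["TargetImage"], reasons))
    return alerts


if __name__ == "__main__":
    for source, target, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {source} -> {target}: {'; '.join(reasons)}")
```

The second condition is the more robust one: a miner mapped into wuapp.exe has no module on disk, so its thread start address falls outside every loaded image regardless of where the injecting process was started from.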

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.

Proofpoint researchers published a paper on largely undocumented Lazarus Group campaigns targeting cryptocurrency users and organizations. It covers implants and tactics not previously reported in the media.

InfoSec Week 10, 2017

People around an Azerbaijani human rights activist and lawyer received spear-phishing messages carrying malware with keylogging and screenshot capture. A multi-year investigation by Amnesty Global Insights.

New Linux ARM malware, ELF_IMEIJ.A (as named by Trend Micro), exploits a CGI directory vulnerability in CCTV/IP camera devices from the vendor AVTech.

Palo Alto Networks analysed a rather amateurish ransomware, RanRan. The only interesting part is that it does not ask for money; instead: "RanRan does not ask for direct payment. Instead, prior to any negotiations regarding payment, the victim must create a subdomain with a seemingly politically inflammatory name as well as a Ransomware.txt file hosted on this subdomain. The hosted file must include a statement of ‘Hacked’ and an email address. By performing these actions, the victim, a Middle Eastern government organization, has to generate a political statement against the leader of the country. It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file."

Kaspersky Lab published a report on a newly discovered disk wiper called StoneDrill. It targets organizations in Saudi Arabia and shows similarities to the Shamoon wiper. The malware injects itself into the memory of the victim's browser and also provides RAT functionality.

Errata Security published a short analysis of the WikiLeaks CIA #Vault7 dump, refuting some of the claims WikiLeaks made about it.
There are a few interesting points in the dump, like one TODO list containing this insane note: "Research into embedding a CRL into a self signed cert as a method of stealthy remote beaconing". Nice.
http://blog.erratasec.com/2017/03/some-comments-on-wikileaks-ciavault7.html https://wikileaks.org/ciav7p1/cms/page_2621753.html https://wikileaks.com/ciav7p1/cms/page_5341230.html

IOActive research found multiple security vulnerabilities in the Confide messaging application. Confide was not using authenticated encryption at the protocol level, so ciphertexts could be modified without detection, and it was not validating the server's TLS certificate.
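To show what "no authenticated encryption" buys an attacker, here is an added example (not Confide's protocol and not IOActive's code). It uses a stand-in stream cipher (HMAC-SHA256 in counter mode, chosen only because it needs no third-party package) to encrypt a message, flips plaintext bytes through the ciphertext without knowing the key, and then repeats the attack against an encrypt-then-MAC construction that rejects the forgery. Keys, nonce and message are constructed constants.

```python
import hashlib
import hmac
import struct


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tamper(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker with no key: XOR in the difference between the plaintext bytes
    they know are at `offset` and the bytes they want there instead."""
    ct = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def encrypt_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: tag covers nonce and ciphertext, appended to the ciphertext."""
    ct = xor_stream(enc_key, nonce, pt)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    """Verify the tag in constant time before decrypting; None means rejected."""
    if len(blob) < 32:
        return None
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_stream(enc_key, nonce, ct)


# Constructed fixed keys so the demo is deterministic; never do this in real code.
ENC_KEY = b"k" * 32
MAC_KEY = b"m" * 32
NONCE = b"n" * 12
MESSAGE = b"transfer 100 to alice"


def demo():
    """Returns (what the unauthenticated receiver accepts, what the ETM receiver returns)."""
    at = MESSAGE.index(b"100")
    # Unauthenticated: the forged ciphertext decrypts to a different, valid-looking message.
    ct = xor_stream(ENC_KEY, NONCE, MESSAGE)
    accepted = xor_stream(ENC_KEY, NONCE, tamper(ct, at, b"100", b"900"))
    # Authenticated: the same bit flips invalidate the tag and the message is dropped.
    blob = encrypt_etm(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    rejected = decrypt_etm(ENC_KEY, MAC_KEY, NONCE, tamper(blob, at, b"100", b"900"))
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

In a real protocol the same property comes from an AEAD mode (AES-GCM, ChaCha20-Poly1305) rather than a hand-rolled MAC, and the tag must cover everything the receiver acts on, including headers and the nonce.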

SessionGopher is a PowerShell tool that uses WMI to extract saved session information (hosts, usernames and, where the client stores them, credentials) for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.
https://www.fireeye.com/blog/threat-research/2017/03/using_the_registryt.html https://github.com/fireeye/SessionGopher

gargoyle is a technique for hiding a program's executable code in non-executable memory, where scanners looking for executable regions will not find it. At a programmer-defined interval, gargoyle wakes up, uses a short ROP chain to mark its own memory executable, does some work, and goes back to sleep as non-executable memory.
https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html https://github.com/JLospinoso/gargoyle