Tag CERT

InfoSec Week 3, 2019

35-year-old vulnerability has been discovered in the SCP file transfer utility. According to the advisory impact section, "Malicious scp server can write arbitrary files to scp target directory, change the target directory permissions and to spoof the client output."
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

Multiple U.S. government websites SSL certificates have expired and some sites are inaccessible due to properly used HTTP Strict Transport Security.
There's nobody there to renew them due to a government shutdown.
https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html

Researchers found a new kind of Windows malware using encrypted messaging app Telegram to receive "encrypted" instructions. Nothing innovative with the malware sample, but what is really interesting is, that telegram messages are coupled with unique IDs and malware analysts from the Forcepoint Labs were able to retroactively scrape all the messages issued by the malware operator.
Not sure what kind of channel was used by the bot, but it looks really suspicious to be able to scrape old messages.
https://techcrunch.com/2019/01/17/decrypted-telegram-bot-windows-malware

The researchers at the CanSecWest Vancouver conference will be able to participate in the annual Pwn2Own challenge. This year also in car hacking as Tesla Model 3 will be available.
https://www.zerodayinitiative.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more

One of last surviving Navajo code talkers, Alfred Newman, has passed away at 94. Newman, with many others, developed during World War II an unbreakable code for military transmissions using the unwritten Navajo language.
https://eu.azcentral.com/story/news/local/arizona/2019/01/14/alfred-k-newman-among-last-navajo-code-talkers-has-died/2570535002/

Security researcher Troy Hunt updated his service Have I Been Pwn with 772,904,991 new email addresses and lots of passwords after finding 87GB of leaked passwords and email addresses by the MEGA cloud storage provider.
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

There was a massive data breach at the Oklahoma Securities Commission with millions of files containing decades worth of confidential case file intelligence from the agency and sensitive FBI investigation source materials leaked.
https://www.newsweek.com/oklahoma-data-breach-may-expose-years-fbi-investigations-report-1293862

Hackers broke into an SEC database and made millions from inside info.
https://www.cnbc.com/2019/01/15/international-stock-trading-scheme-hacked-into-sec-database-justice-dept-says.html

Malicious former employee installed Raspberry Pi in the company network closet, but the Reddit crowd helped with the investigation.
https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html

Great blog post about the factors in authentication. The more factors to be used, the bigger headache from the enrollment procedures.
https://apenwarr.ca/log/20190114

Noise Protocol Framework Explorer created by Nadim Kobeissi now supports generating secure implementations in Go for any arbitrary Noise Handshake Pattern.
https://twitter.com/i/web/status/1085629955202011136

CERT Poland (CERT Polska) opens access to its malware database (MWDB).
https://www.cert.pl/en/news/single/mwdb-our-way-to-share-information-about-malicious-software/

InfoSec Week 20, 2017

Researchers published WannaCry ransomware decryption tool for older Windows (XP, 2003, 7). It uses bug in the Windows Crypto API which does not immediately erase private key. The application is crawling the computer memory, looking for the prime numbers which can divide the public key used for the encryption.
https://github.com/gentilkiwi/wanakiwi/releases

Google introduced behavior-based malware scanner to every Android device. It's part of the Google Play Service and scans installed apps and provides phone tracking in the case of theft.
https://blog.google/products/android/google-play-protect/

Croatian CERT honeypot detected a new SMB worm which uses seven tools from the NSA hacking toolkit. It uses Tor based C&C server, currently only beaconing the server, and spreading using the SMB exploit.
https://github.com/stamparm/EternalRocks

Research by the Recorded Future and the Intrusiontruth group concludes that so-called APT3, widely believed to be a China-based threat actor, is directly connected to the Chinese Ministry of State Security (MSS).
https://www.recordedfuture.com/chinese-mss-behind-apt3/
https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/

Sophos discovered malware infecting Seagate NAS devices which turn them into Monero cryptocurrency miners. However, “This threat is not targeting the Seagate Central device specifically; however, the device has a design flaw that allows it to be compromised. Most all of these devices have already been infected by this threat.” https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Cryptomining-malware-on-NAS-servers.pdf?la=en

Wikileaks released another CIA malware spying framework. Called 'Athena', the program "provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10)."
https://wikileaks.org/vault7/#Athena

Maltrail is a malicious traffic detection system, utilizing publicly available lists containing malicious and generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists.
https://github.com/stamparm/maltrail