Tag China

InfoSec Week 5, 2018

A.P. Moller–Maersk Group, the world's largest container shipping company, reinstalled 45000 PCs and 4000 Servers to recover from the NotPetya ransomware attack.

The U.S. Secret Service is warning financial institutions that ATM jackpotting attacks are targeting cash machines in the United States. Attackers are able to empty Diebold Nixdorf and possibly other ATM machines with malware, endoscope and social engineering skills.

Microsoft disables Spectre software mitigation released earlier this month due to system instability.

Data from the fitness tracking app Strava gives away the location of sensitive locations like army bases.

China built African union building for free, but the building is riddled with microphones and computers are transmitting all voice data back to servers in Shanghai.

Journalist Marc Miller has interviewed one of the hackers of the ICEMAN group behind "Emmental" phishing campaign targeting bank clients.

Errata Security blog about the political nature of the cyber attack attribution. Mostly about the WannaCry and North Korea connection, but it is a good overview on attribution bias in general.

Great article about the largest malvertising campaign of a last year. So called Zirconium group operated up to 30 different ad agencies which enabled them to redirect users to the exploit kits, malware downloads and click fraud websites.

AutoSploit is an automated exploitation tool written in python. It is able to search for targets using Shodan.io API and exploiting them with Metasploit.

InfoSec Week 48, 2017

The German Interior Minister is preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations.

According to the Citizen Lab, Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware sold by Israeli firm Cyberbit.

Elcomsoft wrote an insight about the drastically degraded security of the Apples iOS 11 operating system.

Chinese drone maker D.J.I. is potentially sharing collected data with the Chinese government.

Crooks are installing cryptocurrency miners by using typosquatting npm package names. They are searching for the unregistered package names with the difference of one bit from a well known packages.

Swiftype written a good blog about their infrastructure risk assessment and threat modeling.

Nvidia published a paper about the clustering of a benign and malicious Windows executables using neural networks.

Bucket Stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.

Sysdig Inspect – a powerful interface for container troubleshooting and security investigation

InfoSec Week 20, 2017

Researchers published WannaCry ransomware decryption tool for older Windows (XP, 2003, 7). It uses bug in the Windows Crypto API which does not immediately erase private key. The application is crawling the computer memory, looking for the prime numbers which can divide the public key used for the encryption.

Google introduced behavior-based malware scanner to every Android device. It's part of the Google Play Service and scans installed apps and provides phone tracking in the case of theft.

Croatian CERT honeypot detected a new SMB worm which uses seven tools from the NSA hacking toolkit. It uses Tor based C&C server, currently only beaconing the server, and spreading using the SMB exploit.

Research by the Recorded Future and the Intrusiontruth group concludes that so-called APT3, widely believed to be a China-based threat actor, is directly connected to the Chinese Ministry of State Security (MSS).

Sophos discovered malware infecting Seagate NAS devices which turn them into Monero cryptocurrency miners. However, “This threat is not targeting the Seagate Central device specifically; however, the device has a design flaw that allows it to be compromised. Most all of these devices have already been infected by this threat.” https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Cryptomining-malware-on-NAS-servers.pdf?la=en

Wikileaks released another CIA malware spying framework. Called 'Athena', the program "provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10)."

Maltrail is a malicious traffic detection system, utilizing publicly available lists containing malicious and generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists.