Tag: cryptocurrency

InfoSec Week 27, 2018

Samsung Galaxy S9 and S9+ devices, maybe others, are texting camera photos to random contacts through the Samsung Messages app without user permission.
https://www.theverge.com/circuitbreaker/2018/7/2/17528076/samsung-phones-text-rcs-update-messages

The GitHub repository of the Gentoo Linux distribution was compromised. The attacker removed all the maintainers, who noticed the intrusion only 10 minutes after he gained access. He added rm -rf /* to build scripts, changed the README and made some minor changes.
https://wiki.gentoo.org/wiki/Github/2018-06-28

Since January 2017, the Stylish browser extension has been augmented with spyware that records every single website its 2 million users visit, then sends their complete browsing history back to its servers together with a unique identifier.
https://robertheaton.com/2018/07/02/stylish-browser-extension-steals-your-internet-history/

Digicert Withdraws from the CA Security Council (CASC), because they "feel that CASC is not sufficiently transparent and does not represent the diversity of the modern Certificate Authority (CA) industry. Improving the ecosystem requires broad participation from all interested stakeholders, and many are being excluded unnecessarily."
Great step Digicert!
https://www.digicert.com/blog/notice-of-withdrawal-from-the-ca-security-council/

The CryptoCurrency Clipboard Hijacker malware discovered by Bleeping Computer monitors the clipboard for more than 2.3 million Bitcoin addresses and replaces them in memory with the attacker's address.
https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-monitors-23-million-bitcoin-addresses/

Local root jailbreak, authorization bypass & privilege escalation vulnerabilities in all ADB broadband routers, gateways and modems. The patch is already available.
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/

Microsoft's security team published an analysis of a malware sample that exploited Adobe Reader and the Windows operating system using two zero-day exploits in a single PDF file.
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/

Blog post about why it is not helpful to use the Canvas Defender extension, a browser canvas fingerprinting countermeasure.
https://antoinevastel.com/tracking/2018/07/01/eval-canvasdef.html

Blog post about the cryptographic primitives used by the North Korean Red Star operating system. The OS mostly uses AES-256 (Rijndael) with dynamic S-box modifications, but the design is evolving and the latest version of the algorithm differs further.
https://blog.kryptoslogic.com/crypto/2018/07/03/pyongyang.html

Interesting technique for bypassing web application firewalls by abusing SSL/TLS. An attacker initiates the connection with a cipher suite that the web server supports but the WAF does not, so the WAF cannot see the data and fails to identify the attack.
https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html

Good introduction to the Linux ELF file format with practical examples of what sections look like, how to shrink the binary size during compilation, and more.
https://0x00sec.org/t/dissecting-and-exploiting-elf-files/7267

InfoSec Week 24, 2018

Yet another high-severity attack against Intel CPUs. Unpatched systems can leak SIMD and FP register state between privilege levels; these registers are nowadays used to hold private key material.
The cost of the patch is more expensive context switches, because the fix has to unload and reload all SIMD and FP state.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html

The team behind CopperheadOS, a hardened Google-free Android fork, has imploded. The CEO and the CTO (the main and probably the only developer) are blaming each other.
https://twitter.com/DanielMicay/status/1006299769214562305

Chromium devs are planning to enforce TLS protocol invariants by rolling new TLS 1.3 versions every six weeks.
According to the developers: "Every six weeks, we would randomly pick a new code point. These versions will otherwise be identical to TLS 1.3, save maybe minor details to separate keys and exercise allowed syntax changes. The goal is to pave the way for future versions of TLS by simulating them (“draft negative one”)."
https://www.ietf.org/mail-archive/web/tls/current/msg26385.html

The Kromtech Security Center found 17 malicious Docker images that had been hosted on Docker Hub for an entire year. With more than 5 million pulls, the containers were primarily used to mine cryptocurrency.
https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

At least 74 people, mostly Nigerians, were arrested for crimes related to business e-mail compromise schemes.
https://garwarner.blogspot.com/2018/06/74-mostly-nigerians-arrested-in.html

Good summary of existing inter-service authentication schemes: bearer tokens, HMAC-based tokens, etc.
https://latacora.singles/2018/06/12/a-childs-garden.html

There is an ancient "su - hostile" vulnerability in Debian 8 and 9. Running "su - hostile" may lead to root privilege escalation. The default sudo -u is probably affected too.
https://j.ludost.net/blog/archives/2018/06/13/ancient_su_-_hostile_vulnerability_in_debian_8_and_9/

There is a critical command injection vulnerability in the macaddress NPM package.
https://nodesecurity.io/advisories/654

Blog post about crafting remote code execution via server-side spreadsheet injection.
https://www.bishopfox.com/blog/2018/06/server-side-spreadsheet-injections/

An implementation flaw in multiple cryptographic libraries allows a side-channel attacker to recover ECDSA or DSA private keys. Many libraries are affected, including LibreSSL, Mozilla NSS and OpenSSL.
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

InfoSec Week 20, 2018

Major US (and probably not only US) cell carriers are selling access to real-time phone location data.
The Electronic Communications Privacy Act only restricts telecommunication companies from disclosing data to the government; it does not restrict disclosure to other companies, which can resell it back to the government. The Hacker News discussion on the topic is quite informative.
https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/
https://news.ycombinator.com/item?id=17081684

The Guardian wrote that, according to Oracle's findings, Android devices send detailed information on searches, what is being viewed and precise locations to Google, even if location services are turned off and the smartphone has no SIM card or applications installed.
https://www.theguardian.com/technology/2018/may/14/australian-regulator-investigates-google-data-harvesting-from-android-phones

A new report details a widespread campaign by the Turkish government targeting several activists and protesters, using government malware made by FinFisher.
https://motherboard.vice.com/en_us/article/wjb8g5/finfisher-turkey-twitter-spyware

A new set of vulnerabilities affecting users of PGP and S/MIME was published. The main problem lies in how email clients handle the output of the encryption tool; the protocol itself is not vulnerable and GnuPG should be fine.
https://efail.de/
https://www.benthamsgaze.org/2018/05/15/tampering-with-openpgp-digitally-signed-messages-by-exploiting-multi-part-messages/
https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html

Cryptocurrency mining malware was found in the Ubuntu Snap Store.
https://blog.ubuntu.com/2018/05/15/trust-and-security-in-the-snap-store

Essential reading on how spies are able to shape the narrative of journalistic pieces by leaking documents.
https://www.nytimes.com/2018/05/12/sunday-review/when-spies-hack-journalism.html

The US media has learned the identity of the prime suspect in the Vault7 WikiLeaks CIA breach. He is reportedly a 29-year-old former CIA software engineer who wrote government malware.
https://www.nytimes.com/2018/05/15/us/cia-hacking-tools-leak.html

Great blog post about the math behind homomorphic encryption and its existing implementations.
https://blog.n1analytics.com/homomorphic-encryption-illustrated-primer/

An article by Orin S. Kerr and Bruce Schneier about common encryption workarounds in criminal investigations.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938033

Sunder is a new desktop application for dividing access to secret information between multiple participants using Shamir's secret sharing method.
https://freedom.press/news/meet-sunder-new-way-share-secrets/

DARKSURGEON is a Windows packer project to empower incident response, malware analysis, and network defense.
https://medium.com/@cryps1s/darksurgeon-a-windows-10-packer-project-for-defenders-1a57759856b6

InfoSec Week 17, 2018

A loud sound emitted by a gas-based fire suppression system destroyed hard drives in a Swedish data center, downing NASDAQ operations across Northern Europe.
https://www.bleepingcomputer.com/news/technology/loud-sound-from-fire-alarm-system-shuts-down-nasdaqs-scandinavian-data-center/

Signal for iOS, version 2.23.1.1 and earlier, is vulnerable to a screen lock bypass (CVE-2018-9840).
The blog post explains how the vulnerability can be exploited in practice.
http://nint.en.do/Signal-Bypass-Screen-locker.php

Good summary of integrated circuit counterfeiting and of detection and avoidance methods, by hardware engineer Yahya Tawil.
https://atadiat.com/en/e-introduction-counterfeit-ics-counterfeiting-detection-avoidance-methods/

PyRoMine, a new Python-based cryptocurrency mining malware analyzed by FortiGuard Labs, uses the ETERNALROMANCE exploit attributed to the NSA to propagate a Monero miner.
https://securityboulevard.com/2018/04/python-based-malware-uses-nsa-exploit-to-propagate-monero-xmr-miner/

The Australian Bureau of Statistics tracked people by their mobile device data to enrich its data collection.
https://medium.com/@Asher_Wolf/the-australian-bureau-of-statistics-tracked-people-by-their-mobile-device-data-and-didnt-tell-them-16df094de31

A BGP hijack affected Amazon's DNS service and rerouted web traffic for more than two hours. Attackers used the hijack to serve a fake MyEtherWallet.com cryptocurrency website.
https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f

Embedi researchers analyzed the security of the Huawei Secospace USG6330 firewall firmware. Good insight into how to analyze such devices in general.
https://embedi.com/blog/first-glance-on-os-vrp-by-huawei/

ISO has rejected the SIMON and SPECK symmetric encryption algorithms designed and proposed by the NSA. They are optimized for small, low-cost processors such as those in IoT devices.
https://www.schneier.com/blog/archives/2018/04/two_nsa_algorit.html

The Center for Information Technology Policy at Princeton announced IoT Inspector, an ongoing initiative to study consumer IoT security and privacy.
https://freedom-to-tinker.com/2018/04/23/announcing-iot-inspector-a-tool-to-study-smart-home-iot-device-behavior/

There is a proof of concept for Fusée Gelée, a coldboot vulnerability that allows full, unauthenticated arbitrary code execution on NVIDIA's Tegra line of embedded processors. The vulnerability compromises the entire root of trust for each processor, leading to full compromise of on-device secrets wherever USB access is possible.
https://github.com/reswitched/fusee-launcher/blob/master/report/fusee_gelee.md

InfoSec Week 13, 2018

The city government of Atlanta has become the victim of a ransomware attack. The ransom message demands a payment of $6,800 to unlock each computer, or $51,000 for all the keys to the affected systems. Employees were told to turn off their computers.
https://arstechnica.com/information-technology/2018/03/atlanta-city-government-systems-down-due-to-ransomware-attack/

Academic researchers have discovered a new side-channel attack method called BranchScope that can be launched against devices with Intel processors, and demonstrated it against an SGX enclave. The patches released in response to the Spectre and Meltdown vulnerabilities might not prevent this type of attack.
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

Good insight into the ransomware business: how it operates and how it moves Bitcoin funds, with data gathered over a period of two years.
The paper is named "Tracking Ransomware End-to-end".
https://www.elie.net/static/files/tracking-ransomware-end-to-end/tracking-ransomware-end-to-end.pdf

Mozilla has created a Facebook Container extension for Firefox, which should enable users to protect their online habits by sandboxing the Facebook website.
https://blog.mozilla.org/firefox/facebook-container-extension/

Interesting article about the North Korean army of hackers operating abroad with the mission to earn money by any means necessary.
https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army

Unified logs in macOS High Sierra (up to 10.13.3) show the plaintext password of APFS-encrypted external volumes created via the Disk Utility application.
https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp

SophosLabs researchers analyzed a new Android malware which pretends to be a legitimate QR reader application but actually monetizes users by showing them a flood of full-screen advertisements. The apps had more than 500k installations.
https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/

Brian Krebs analyzed the social network behind the recently famous Coinhive JavaScript cryptocurrency mining business.
https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/

Cloudflare published Merkle Town, a dashboard for visualizing Certificate Transparency logs.
https://blog.cloudflare.com/a-tour-through-merkle-town-cloudflares-ct-ecosystem-dashboard/

Facebook is tracking users' phone call information via their Android Messenger application.
https://twitter.com/i/web/status/977325434030428160

There are multiple critical vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

A new version (4.0) of Qubes OS, the most secure operating system on the planet, was released.
https://www.qubes-os.org/news/2018/03/28/qubes-40/

InfoSec Week 12, 2018

Facebook, Google, Cisco, WhatsApp and other industry partners got together to create Messaging Layer Security (MLS), an open standard for end-to-end encryption with formal verification. MLS is now an IETF working group as well.
https://datatracker.ietf.org/doc/draft-omara-mls-architecture/

Long read about the takedown of Gooligan, an Android botnet that stole OAuth credentials back in 2016.
https://www.elie.net/blog/security/taking-down-gooligan-part-1-overview

The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after notifying AMD.
https://www.schneier.com/blog/archives/2018/03/israeli_securit.html

Russia orders company behind the Telegram messaging application to hand over users’ encryption keys.
https://www.theverge.com/2018/3/20/17142482/russia-orders-telegram-hand-over-user-encryption-keys

The hacker behind the Guccifer 2.0 pseudonym, known for providing WikiLeaks with stolen emails from the US Democratic National Committee, was an officer of Russia's military intelligence directorate.
https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer

Fascinating in-depth blog post about breaking the security model of the Ledger cryptocurrency hardware wallet.
https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

A Facebook bug made persistent XSS on the Facebook wall possible by embedding an external video using the Open Graph protocol.
https://opnsec.com/2018/03/stored-xss-on-facebook/

Two-part series about cracking the password of Chinese hardware "encrypted" hard drives. The PIN was recovered.
https://syscall.eu/blog/2018/03/12/aigo_part1/
https://syscall.eu/blog/2018/03/12/aigo_part2/

Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.
https://theintercept.com/2018/03/20/the-nsa-worked-to-track-down-bitcoin-users-snowden-documents-reveal/

Dark Web Map: a visualization of the structure of 6.6k Tor onion services, a.k.a. hidden services, a.k.a. the dark web.
https://www.hyperiongray.com/dark-web-map/

InfoSec Week 10, 2018

Google is contracted by the US Defense Department to apply its artificial intelligence solutions to drone strike targeting.
https://theintercept.com/2018/03/06/google-is-quietly-providing-ai-technology-for-drone-strike-targeting-project/

PacketLogic Deep Packet Inspection (DPI) devices manufactured by Sandvine are being used to deploy government spyware in Turkey and Syria, and to redirect Egyptian users to affiliate advertising networks and browser cryptocurrency miners.
https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/

Researchers from Purdue University and the University of Iowa have discovered new attacks against the 4G LTE wireless data communications technology for mobile devices. The attacks can be used to impersonate existing users, spoof device location, deliver fake emergency and warning messages, eavesdrop on SMS communications, and more.
https://www.helpnetsecurity.com/2018/03/05/lte-attacks/

Blog post about the irresponsible handling of sensitive data by an airline's online booking system.
https://medium.freecodecamp.org/how-airlines-dont-care-about-your-privacy-case-study-emirates-com-6271b3b8474b

The Wire messenger application passed an extensive application-level security audit by X41 D-Sec and Kudelski Security. No critical vulnerabilities were found in the iOS, Android or web clients.
https://www.x41-dsec.de/security/report/2018/03/06/projects-x41-wire-phase2/

With older firmware, it was possible to extract private keys from the Ledger Nano cryptocurrency hardware wallet.
https://twitter.com/i/web/status/970977060134023168

password_pwncheck is an enterprise Kerberos, Windows AD and Linux PAM password quality checking tool. It is able to check against breached lists like Have I Been Pwned and others.
https://github.com/CboeSecurity/password_pwncheck

Harpoon is a command line tool to automate threat intelligence and open source intelligence tasks.
https://github.com/Te-k/harpoon

InfoSec Week 9, 2018

Wandera security researchers spotted a new sophisticated Android malware, RedDrop, hidden in at least 53 Android applications. It can intercept SMS, record audio and exfiltrate data to a remote server.
https://www.wandera.com/blog/reddrop-malware/

There is experimental support for forward-secure post-quantum Extended Hash-Based Signatures (XMSS) in OpenSSH.
https://marc.info/?l=openbsd-cvs&m=151940152732492&w=2

Blog post by Matthew Green on how Apple probably handles encryption keys in the China-mandated iCloud. Not a really satisfying explanation, only guesses, as Apple is silent about the exact key handling methodology.
https://blog.cryptographyengineering.com/2018/01/16/icloud-in-china/

Cloudflare detected a new memcached-based amplification DDoS attack vector. The attacker implants a large payload on an exposed memcached server, then sends a "get" request with the source IP address spoofed to that of the target. The response from the memcached server can be really huge, around 1 MB.
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

A group of computer scientists from the US and China published a paper proposing the first-ever trojan for a neural network. It is called PoTrojan and is triggered by a special network input, after which the network starts to behave differently.
https://www.outerplaces.com/science/item/17872-neural-networks-ai-trojan-AMPED

The Cisco Talos team analyzed attribution claims around the Olympic Destroyer malware. The conclusion: do not blindly point to Russia. Attribution is hard.
http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html

KeePassXC version 2.3.0 was released with lots of new features, such as the Argon2 key derivation function, SSH agent integration and a browser plugin.
https://keepassxc.org/blog/2018-02-28-2.3-released/

The SSL certificate reseller Trustico got 23,000 customer certificates revoked by sending their private keys (?!) over email to the Digicert certification authority.
http://blog.koehntopp.info/index.php/3075-how-not-to-run-a-ca/

There are rumors that major U.S. government contractor Cellebrite is able to unlock all current iPhone models.
https://www.forbes.com/sites/thomasbrewster/2018/02/26/government-can-access-any-apple-iphone-cellebrite/

An advertising network has been using a well-known malware trick, a Domain Generation Algorithm (DGA), to bypass ad blockers and deploy in-browser cryptocurrency miners since December 2017.
https://www.bleepingcomputer.com/news/security/ad-network-uses-dga-algorithm-to-bypass-ad-blockers-and-deploy-in-browser-miners/

A novel technique uses a hardware branch predictor side-channel attack to bypass ASLR protection:
"Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR"
http://www.cs.ucr.edu/~nael/pubs/micro16.pdf

InfoSec Week 8, 2018

Fraudsters are impersonating authors and publishing computer generated books so they can launder money via Amazon.
https://krebsonsecurity.com/2018/02/money-laundering-via-author-impersonation-on-amazon/

Crooks made over $3 million by installing cryptocurrency miners on Jenkins servers, exploiting a Java deserialization RCE vulnerability (CVE-2017-1000353) in Jenkins.
https://securityaffairs.co/wordpress/69232/malware/jenkinsminer-targets-jenkins-servers.html

Tesla's Kubernetes installation in Amazon AWS was compromised by hackers, who set up a private cryptocurrency mining pool there.
https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/

The co-founder of WhatsApp, Brian Acton, has given $50 million to support the Signal messenger and create a self-sustaining foundation. Very good news for this donation-funded privacy technology.
https://signal.org/blog/signal-foundation/

Hackers are exploiting the Cisco ASA vulnerability (CVE-2018-0101) in the wild.
https://securityaffairs.co/wordpress/68959/hacking/cve-2018-0101-cisco-asa-flaw.html

Security researcher Troy Hunt published half a billion passwords collected and processed from various breaches. There is also an API for the dataset, and some statistics about password usage.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

There is a critical vulnerability in Mi-Cam baby monitors that lets attackers spy on infants. At least 52k users are affected.
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

Public key cryptography explained in the form of Ikea instructions. Check other images as well!
https://idea-instructions.com/public-key/

InfoSec Week 3, 2018

The notorious Necurs spam botnet is sending millions of spam emails pumping a shitcoin cryptocurrency named Swisscoin. The attackers have probably invested in it and are planning a pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police handed out malware-infected USB sticks as prizes for a cybersecurity quiz. The malware was an old sample trying to communicate with a non-existent C&C server in Poland. The thumb drives were infected by a third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research analyzes the usage of Certificate Authority Authorization (CAA) DNS records. CAA records let domain owners explicitly specify which certificate authorities may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet's DNS infrastructure let their customers configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company has already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympics-themed spear-phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/
