Tag cryptography

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.
http://seclists.org/fulldisclosure/2017/Dec/85

Matthew Green thinks that the recently discovered "Extended Random" extension of the RSA’s BSAFE TLS library found in the older Canon printers could be NSA backdoor.
https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/

Filippo Valsorda presented the key recovery attack against the carry bug in x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption affected.
https://events.ccc.de/congress/2017/Fahrplan/events/9021.html

Explanation how web trackers exploit browser login managers to track users on the Internet.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.
https://www.unian.info/world/2319991-russian-hacker-says-fsb-involved-in-creation-of-wannacry-malware.html

Short blog about the cracking encrypted (40-bit encryption) PDFs using hashcat.
https://blog.didierstevens.com/2017/12/27/cracking-encrypted-pdfs-part-2/

Crooks behind the VenusLocker ransomware to Monero mining. They are executing Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.
https://blog.fortinet.com/2017/12/20/group-behind-venuslocker-switches-from-ransomware-to-monero-mining

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.
https://lite.cnn.io/en/article/h_910710e71e532e73a80deb1294a2db7c

Proofpoint researchers published paper on largely undocumented LazarusGroup campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new

InfoSec Week 47, 2017

According to the annual State of Open Source Security report, 77% of 433000 analyzed sites use at least one front-end JavaScript library with a known security vulnerability.
https://snyk.io/blog/77-percent-of-sites-still-vulnerable/

The AWS team published blog about the recent improvements to the secure random number generation in Linux 4.14, OpenSSL and libc.
https://aws.amazon.com/blogs/opensource/better-random-number-generation-for-openssl-libc-and-linux-mainline/

Really good introduction to the anonymous communication network design and mix nets in general, published by Least Authority.
https://leastauthority.com/blog/mixnet-intro/

Those guys reverse-engineered the Furby Connect DLC file format and are able to remotely upload their own logos, songs to the device over Bluetooth.
https://www.contextis.com/blog/dont-feed-them-after-midnight-reverse-engineering-the-furby-connect

There is a critical vulnerability in the MacOS High Sierra, anyone can login as root with empty password after clicking on login button several times. For now, it could be mitigated by just changing the root password.
https://krebsonsecurity.com/2017/11/macos-high-sierra-users-change-root-password-now/
https://objective-see.com/blog/blog_0x24.html

Very good investigative journalism about the mysterious NSA contractor which could provided top secret documents to the Shadow Brokers.
https://krebsonsecurity.com/2017/11/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/

Uber paid hackers $100k to delete stolen data on 57 million people and shut up. They have even tried to fake it as an bug bounty payment.
http://blog.trendmicro.com/uber-how-not-to-handle-a-breach/

Someone published remote code execution exploit for the Exim Mail server (CVE-2017-16944) on GitHub. Shodan.io shows more than 400k servers with the vulnerable CHUNKING feature.
https://twitter.com/_miw/status/934872934681804800
https://github.com/LetUsFsck/PoC-Exploit-Mirror

InfoSec Week 46, 2017

Multiple critical vulnerabilities were found in the Intel Management Engine, Trusted Execution Engine and Server Platform Services by Intel audit after 3rd party researchers reported the privilege escalation vulnerability.
http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-management-engine-affecting-millions/

If you have a vulnerable F5, basically attackers can sign anything with your RSA private key. An F5 BIG-IP virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages.
https://support.f5.com/csp/article/K21905460

MalwareHunterTeam discovered a new variant of the CryptoMix ransomware. It uses hardcoded RSA keys and can work offline.
https://securityaffairs.co/wordpress/65716/malware/cryptomix-ransomware-2.html

Attackers are using Microsoft’s Office documents Dynamic Data Exchange protocol to download and install malware. Microsoft does not consider it a vulnerability.
https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware-attacks

Nice step by step guide on how to put shellcode into a legitimate PE file, and make it undetectable.
https://haiderm.com/fully-undetectable-backdooring-pe-files/

Extensive review of U2F hardware devices.
https://github.com/hillbrad/U2FReviews

al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of nowadays malware tricks and the goal is to see if you stay under the radar.
https://github.com/LordNoteworthy/al-khaser

Puffs is a domain-specific language and library for parsing untrusted file formats safely. Examples of such file formats include images, audio, video, fonts and compressed archives.
https://github.com/google/puffs

InfoSec Week 45, 2017

Researchers exploited antivirus software quarantine mechanism to gain privileges by manipulating the restore process from the virus quarantine. By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations.
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/

Wikileaks released source code of leaked CIA hacking tools and it indicates that the CIA used fake certificates attributed to Kaspersky Labs for signing their malware.
https://wikileaks.org/vault8/
https://twitter.com/i/web/status/928669548210991104

A security researcher has discovered factory application in OnePlus devices. It can be used to gain root privileges, dump photos, collect WiFi & GPS information.
https://www.bleepingcomputer.com/news/security/second-oneplus-factory-app-discovered-this-one-dumps-photos-wifi-and-gps-logs/
https://github.com/sirmordred/AngelaRoot

There was a vulnerability in CouchDB caused by a discrepancy between the database’s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations.
https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

Researchers from the Princeton university have been studying third-party trackers that record sensitive personal data that users type into websites, and the results are not good.
https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

iPhone X's Face ID facial recognition security mechanism system was circumvented by Vietnam experts using a 3D mask.
http://www.bkav.com/d/top-news/-/view_content/content/103968/face-id-beaten-by-mask-not-an-effective-security-measure

Security researcher Maxim Goryachy reports being able to execute unsigned code on computers running the Intel Management Engine through USB.
https://twitter.com/h0t_max/status/928269320064450560

Deep dive into the Facebook sextorcism scheme using fake young girls profiles by the guys from Marseille.
http://ici.radio-canada.ca/special/sextorsion/en/index.html

Long read about how the security breaches by the Shadow Brokers damaged the US National Security Agency.
https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html

Analysis of a low cost Chinese GSM listening and location device hidden inside the plug of a standard USB data/charging cable.
https://ha.cking.ch/s8_data_line_locator/

Privacy Pass is a browser extension for Chrome and Firefox, which uses privacy-preserving cryptography to allow users to authenticate to the services without compromising their anonymity. It uses blind signature schemes.
https://privacypass.github.io

InfoSec Week 43, 2017

Researchers from the Masaryk University finally published full paper of the practical cryptographic attack against the implementation of RSA in the widely used trusted platform modules / crypto tokens.
"The Return of Coppersmith’s A‚ttack: Practical Factorization of Widely Used RSA Moduli" https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf

Those guys published an interesting paper about the secure cryptographic computation with the threat model without attackers based on Earth. They are proposing SpaceHSM hardware secure devices on the orbit.
"SpaceTEE: Secure and Tamper-Proof Computing in Space using CubeSats"
https://arxiv.org/abs/1710.01430

There is a small chance that the documents encrypted by Bad Rabbit ransomware could be recovered without paying ransom, if the shadow copies had been enabled in the Windows prior to infection. Victims can restore the original versions of the encrypted files using standard Windows backup mechanism.
For technical analysis of the Bad Rabbit ransomware, see the second link.
https://securelist.com/bad-rabbit-ransomware/82851/
https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis

Google is going to deprecate the use of pinned public key certificates, public key pinning (PKP), from the Google Chrome browser.
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

The British government has publicly attributed North Korean government hackers as a source behind the "WannaCry" malware epidemy.
https://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html

Multiple remote execution vulnerabilities (CVE-2017-13089, CVE-2017-13090) were patched in the popular software Wget. Update!
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

The source code of an AhMyth Android remote administration tool is available on GitHub. It can steal contact information, turn on camera, microphone, read SMS, and more.
https://github.com/AhMyth/AhMyth-Android-RAT

Malscan is a robust and fully featured scanning platform for Linux servers built upon the ClamAV platform, providing all of the features of Clamscan with a host of new features and detection modes.
https://github.com/jgrancell/malscan

There is an update for the world's fastest and most advanced password recovery utility Hashcat.
https://github.com/hashcat/hashcat/releases/tag/v4.0.0

InfoSec Week 42, 2017

Interesting research on the possibility of a cheap online surveillance.
"In this work we examine the capability of [..] an individual with a modest budget -- to access the data collected by the advertising ecosystem. Specifically, we find that an individual can use the targeted advertising system to conduct physical and digital surveillance on targets that use smartphone apps with ads."
https://adint.cs.washington.edu/

Mnemonic company together with the Norwegian Consumer Council tested several smartwatches for children and found numerous security vulnerabilities that allows child tracking, etc.
https://www.forbrukerradet.no/side/significant-security-flaws-in-smartwatches-for-children

The Cisco Talos team discovered an e-mail campaign spreading malicious Visual Basic inserted in a Cyber Conflict U.S. conference flyer, targeting cyber warfare conference participants.
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

SfyLabs security researchers have spotted a new Android banking trojan named LokiBot. It has banking trojan functionality, but turns into ransomware and locks users out of their phones if they try to remove its admin privileges.
https://www.bleepingcomputer.com/news/security/lokibot-android-banking-trojan-turns-into-ransomware-when-you-try-to-remove-it/

There is a newly published cryptographic attack on some legacy systems like Fortinet FortiGate VPN, which uses ANSI X9.31 random number generator with a hardcoded seed key.
https://duhkattack.com/
https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/

Nice explanation of a remote code execution vulnerability (CVE-2017-13772) on a TP-Link WR940N home WiFi router.
https://www.fidusinfosec.com/tp-link-remote-code-execution-cve-2017-13772/

Purism’s Librem Laptops running open-source coreboot firmware are now available with completely disabled Intel Management Engine.
https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/

Wire, open source end-to-end encrypted messenger is now open for corporate clients. It offers secure chats, calls and file sharing while following strict European data protection laws.
https://medium.com/@wireapp/wire-open-for-business-2c535033cf9a

InfoSec Week 33, 2017

Danish conglomerate Maersk expects to lose between $200-300m due to Petya ransomware infection, according to their latest quarterly results.
http://files.shareholder.com/downloads/ABEA-3GG91Y/3491525620x0x954059/3E9E6E5C-7732-4401-8AFE-F37F7104E2F7/Maersk_Interim_Report_Q2_2017.pdf

A Windows Object Linking Embedding (OLE) interface vulnerability in Microsoft PowerPoint in being exploited in order to install malware.
https://www.neowin.net/news/microsoft-powerpoint-used-as-attack-vector-to-download-malware

Interesting blog about the exploitation of a Foxit Reader.
"A tale about Foxit Reader - Safe Reading mode and other vulnerabilities"
https://insert-script.blogspot.sk/2017/08/a-tale-about-foxit-reader-safe-reading.html

Engineer decrypts Apple's Secure Enclave Processor (SEP) firmware.
http://www.iclarified.com/62025/hacker-decrypts-apples-secure-enclave-processor-sep-firmware

Facebook awards $100,000 to 2017 Internet Defense Prize winning paper "Detecting Credential Spearphishing Attacks in Enterprise Settings". Very useful research for urgent topic.
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/ho https://research.fb.com/facebook-awards-100000-to-2017-internet-defense-prize-winners/

Cryptographic library Libsodium has been audited by Matthew Green of Cryptography Engineering.
https://www.privateinternetaccess.com/blog/2017/08/libsodium-audit-results/

New research on integer factorization suggests that "build a massive decryption tool of IPsec traffic protected by the Oakley group~1 (a 768-bit discrete logarithm problem), was feasible in a reasonable time using technologies available before the year 2000." https://eprint.iacr.org/2017/758

EggShell is an iOS and macOS post exploitation surveillance pentest tool written in Python.
https://github.com/neoneggplant/EggShell

InfoSec Week 31, 2017

A new version of the Svpeng Android banking trojan is able to record everything users type on their devices. Crazy stuff.
https://b0n1.blogspot.sk/2017/08/android-banking-trojan-misuses.html https://www.bleepingcomputer.com/news/security/new-version-of-dangerous-android-malware-sold-on-russian-hacking-forum/

Great blog by Kaspersky Lab about the steganography techniques used by malware for data exfiltration, covert communication.
https://securelist.com/steganography-in-contemporary-cyberattacks/79276/

Software researcher from Trail of Bits put Windows Defender to the sandbox.
https://blog.trailofbits.com/2017/08/02/microsoft-didnt-sandbox-windows-defender-so-i-did/

Proofpoint researchers found a spear phishing campaign delivering Carbanak malware to the U.S. restaurant chains.
https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor

How to completely take over the ones online identity? This guy demonstrated that practically.
https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without

Airbnb released the open-source serverless framework for detecting malicious files called BinaryAlert. It uses YARA rules, and takes advantage of AWS Lambda functions for analysis instead of a traditional server architecture. Also uses Terraform to manage underlying infrastructure. Interesting project.
https://medium.com/airbnb-engineering/binaryalert-real-time-serverless-malware-detection-ca44370c1b90

TrickBot malware added worm-like SMB spreading module popularized by WannaCry, Petya samples.
https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

Analysis of the Juniper ScreenOS randomness subsystem backdoor Dual EC backdoor. Complex, Fascinating stuff.
From the research paper: "The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the elliptic curve points used by the Dual EC pseudorandom number generator"
https://www.cs.uic.edu/~s/papers/juniper2016/juniper2016.pdf

Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training.
https://github.com/gophish/gophish

Cisco CSIRT has released GOSINT, open source threat intelligence gathering and processing framework.
https://github.com/ciscocsirt/GOSINT

A generic unpacker for packed Android applications released by the Check Point researchers.
https://github.com/CheckPointSW/android_unpacker

InfoSec Week 29, 2017

Microsoft has analyzed EnglishmansDentist exploit used against the Exchange 2003 mail servers on the out-dated Windows Server 2003 OS. Exploit was released by ShadowBrokers back in April 2017.
https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/

ESET researchers have analyzed a Stantinko botnet consisting of almost half a million machines used for ad-related fraud. It uses malicious Chrome extensions, but also creating and managing Facebook profiles and brute-forcing Joomla and WordPress websites.
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/

A buffer overflow in the Source SDK in Valve's Source SDK allows an attacker to remotely execute code on a user's computer machine.
https://www.bleepingcomputer.com/news/security/valve-patches-security-flaw-that-allows-installation-of-malware-via-steam-games/
https://motherboard.vice.com/en_us/article/nevmwd/counter-strike-bug-allowed-hackers-to-completely-own-your-computer-with-a-frag

Secure messaging application Wire is now supporting end-to-end encrypted chats, file sharing and calls to businesses. But it's paid feature.
https://medium.com/@wireapp/wire-at-work-introducing-teams-beta-e50dacf6e9f1

Briar, a secure messaging app for Android, was released for a public beta testing. It's using Tor, or P2P direct messaging over Wifi, Bluetooth. Very interesting project.
https://briarproject.org/news/2017-beta-released-security-audit.html

D. J. Bernstein has published blog about the secure key material erasure: "2017.07.23: Fast-key-erasure random-number generators"
https://blog.cr.yp.to/20170723-random.html

Google Project Zero analyzed the security properties of the two major Trusted Execution Environment present on Android devices - Qualcomm’s QSEE and Trustonic’s Kinibi.
https://googleprojectzero.blogspot.sk/2017/07/trust-issues-exploiting-trustzone-tees.html

Prowler is a tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark.
https://github.com/alfresco/prowler

Hardentools is a utility that disables a number of risky Windows "features" exposed by Windows operating system.
https://github.com/securitywithoutborders/hardentools

InfoSec Week 18, 2017

Some good souls are selling Ransomware as a service. It has own logo, support, bug tracker, and a clean website.
https://therainmakerlabs.in/philadelphia

The webpage of the open-source video transcoder application Handbrake was compromised and served malware for the Mac users.
https://objective-see.com/blog/blog_0x1D.html

Comparison of the "http81 IoT botnet" against the Mirai source code. The C&C code is different, but they took some parts of the published source code.
http://blog.netlab.360.com/http-81-botnet-the-comparison-against-mirai-and-new-findings-en/
http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/

IBM shipped malware infected USB flash drives to the customers.
https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146

Shodan can now find malware C&C servers.
https://malware-hunter.shodan.io/
https://threatpost.com/malware-hunter-crawls-internet-looking-for-rat-c2s/125360/

Deep insight into use-after-free vulnerability and many possibilities how to exploit it. https://scarybeastsecurity.blogspot.ch/2017/05/ode-to-use-after-free-one-vulnerable.html

Critical remotely exploitable vulnerability found in the Microsofts' Malware Protection service.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
https://technet.microsoft.com/en-us/library/security/4022344

The criminals are stealing 2FA tokens by abusing widespread telecommunications network equipment.
https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/

Guido Vranken found a vulnerability (CVE-2017-8779) that allows an attacker to allocate any amount of bytes (up to 4 gigabytes per attack) on a remote RPCBIND host, and the memory is never freed unless the process crashes or the administrator halts or restarts the RPCBIND service.
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

Good summary of an iCloud Keychain Secrets vulnerability (CVE-2017–2448). From the blog:
"This allows an adversary to craft an OTR message which can negotiate a key successfully while bypassing the actual signature verification...Considering that OTR uses ephemeral keys for encryption, this flaw implies that a syncing identity key is no longer required for an adversary with Man In The Middle capabilities to negotiate an OTR session to receive secrets."
https://hackernoon.com/bypassing-otr-signature-verification-to-steal-icloud-keychain-secrets-9e92ab55b605

Researchers developed the cheapest way so far to hack a passive keyless entry system, as found on some cars. No cryptography broken.
https://conference.hitb.org/hitbsecconf2017ams/sessions/chasing-cars-keyless-entry-system-attacks/
https://hackaday.com/2017/04/27/stealing-cars-for-20-bucks/

OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.
https://github.com/evilsocket/opensnitch

Linux Malware Detect (LMD) is a malware scanner for Linux designed around the threats faced in shared hosted environments.
https://github.com/rfxn/linux-malware-detect


Page 1 / 2