Tag exploit

InfoSec Week 8, 2019

Dutch security researcher Victor Gevers found misconfigured MongoDB database containing facial recognition and other sensitive information about the Uyghur Muslim minority in China. Looks like the company behind the database is Chinese surveillance company SenseNets.

The UK's GCHQ intelligence agency subsidiary, the National Cyber Security Centre, evaluated Huawei devices with the vendor and unofficially decided that the risk using Huawei devices in the infrastructure can be managed.
This is a quite interesting turning point as other US allies are banning Huawei devices from their networks.

If you want to know the alternatives for the PGP functionality, George Tankersley wrote a nice list for that.

Open Privacy Research Society released an alpha version of Cwtch, decentralized, privacy-preserving, asynchronous multi-party messaging protocol that can be used to build other applications.

Linux kernel through 4.20.10 version contain use after free arbitrary code execution vulnerability.

Check Point researchers have discovered 19 years old critical vulnerability in the WinRAR software that can be exploited just by extracting an archive.

Tavis Ormandy discovered old stack buffer overflow vulnerability in the MatrixSSL implementation used primarily by the embedded devices.

Really in-depth article about the discovery and exploitation of the local privilege elevation vulnerability in the LG kernel driver (CVE-2019-8372).

Microsoft is finally deprecating weak SHA-1 hash family in their Windows update mechanism.

Brian Krebs wrote an article about the recent widespread DNS hijacking attacks attributed to the Iranian hackers.

Independent Security Evaluators published a security comparison of the top five password managers which are working on Windows 10.

InfoSec Week 7, 2019

Ubiquiti network devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out.

Researchers demonstrated that Intel SGX trusted enclave poses a security thread, when they implemented proof malware that bypasses antivirus protection by leveraging SGX properties. Find more information in the research paper named "Practical Enclave Malware with Intel SGX".

Looks like the diffusion layer of Russian symmetric ciphers Kuznyechik and hash function Streebog, have mathematical properties required for the backdoor. There is no theoretical attack yet, and I am not convinced that it is on purpose, but the construction is suspicious.

Google engineers have designed a new encryption mode for ChaCha stream cipher called Adiantum. The new encryption mode should be used on cheap ARM processors that does not have hardware support for AES, and it is almost 5x faster than AES-256-XTS.

Current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API.

Phones running Android OS can be compromised remotely by viewing malicious PNG image.

A new vulnerability in the runc, container runtime used by Docker, Kubernetes and others. allows container escape just by running a malicious image.

NCC Group published an interesting blog about a downgrade attack on TLS 1.3 and multiple other vulnerabilities in major TLS Libraries which they found last year.

Researcher Scott Gayou published a step by step guide on how to jailbreak Subaru Crosstrek 2018 head unit leveraging USB port and update mechanism.

According to the Airbnb presentation, 38 percent of bugs at Airbnb could have been prevented by using types.

You can try to find bugs in the Swiss eVoting System, as they opened a bug bounty program. There is also a source code available for registered bug hunters.

Google open sourced ClusterFuzz, an infrastructure used for fuzzing Chrome and OSS-Fuzz, continuous fuzzing pipeline of open source software.

InfoSec Week 2, 2019

Personal information of many German politicans were published online. Since then, Police arrested 20 years old suspect.

Qualys has sent out a security advisory describing three stack-overrun vulnerabilities in systemd-journald. They have two working exploits already.

Samsung Phone Users Perturbed to Find They Can't Delete Facebook.
According to a Hacker News comment (2nd link), it should be possible to delete application via cable using ADB. I didn't try it.

Australian government issued a warning regarding WhatsApp hoax that is promoting installation of a ‘gold’ version of the application. Installation leads to a malware infection.

After Motherboard's article about US carriers selling customers location data, senators call on FCC to investigate T-Mobile, AT&T, and Sprint.

Trial of a Mexican drug lord Joaquín "El Chapo" Guzmán started and it looks like his IT security guy gave encryption keys for a SIP communication service to investigators long time ago.
El Chapo also spyied on his wife and fiancées using Flexi-spy spyware which provider was subpoenaed by FBI.

Singapore's ministry of communications and information published "Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database".
If you are into incident response, this report is really great source.

Back in 2015, Facebook filed patent request describing how to track user relations using the dust on camera lens.

If your computer rely on BitLocker in TPM mode (boot without PIN), it is possible to extract cryptographic material data out of your computer and decrypt the hard drive.

Zerodium platform wants to pay you $2,000,000 for remote iOS jailbreaks, $1,000,000 for WhatsApp / iMessage / SMS / MMS remote code execution exploit, and $500,000 for Chrome remote exploit.

Security engineer Chris Palmer published blog about the state of software security in 2019.

The NSA has so far open-sourced 32 projects on Github, as part of its Technology Transfer Program.

Research paper on a new hardware-agnostic side-channel attack which is targeting the operating system page cache was published.

Interesting paper from the last October a long-term secure storage proposal:
"ELSA: Efficient Long-Term Secure Storage of Large Datasets".

InfoSec Week 1, 2019

Let's Encrypt recapitulated the last year in the operation of their ACME based certification authority, and summarized the challenges that they will work on in 2019.
They intend to deploy multi-perspective validation, checking multiple distinct Autonomous Systems for domain validation, preventing potential BGP hijacks. They also plan to run own Certificate Transparency (CT) log.

According to the consultant Nathan Ziehnert, "CenturyLink 50 hour outage at 15 datacenters across the US — impacting cloud, DSL, and 911 services was caused by a single network card sending bad packets."

Great blog by Artem Dinaburg, where he is resurrecting 30 years old fuzzing techniques from the famous research papers to run them on on the current Linux distro. Successfully.

An article by Wired about the fake murder for hire services on dark web and a freelance security researcher that took them down. As it turned out, some clients killed their targets themselves.

Multiple newspaper publishers in the US were hit by a ransomware attack, delaying their operations.

The European Union starts running bug bounties on Free and Open Source Software.

Foxit Readers' proof of concept exploit for the Use-After-Free vulnerability (CVE-2018-14442) was published on Github.

Attacker launched multiple servers that return an error message to the connected Electrum clients, which then turn them into a fake update prompt linking to a malware.

Adam Langley published blog about the zero-knowledge attestation when using FIDO based authentication. It could prevent a single-vendor policy some sites started to require.

Interesting blog post by Wouter Castryck on "CSIDH: post-quantum key exchange using isogeny-based group actions".

The security researcher Bruno Keith published a a proof of concept for a remote code execution vulnerability in Microsoft Edge browser (CVE-2018-8629).

If you are interested in older car hacking/tuning, check this article about overcoming the speed limitation on an old Japanese Subaru Impreza STi.

Jonathan “smuggler” Logan published study on the future of black markets and cryptoanarchy named "Dropgangs, or the future of darknet markets".

InfoSec Week 46, 2018

Researchers at the University of California have found that GPUs are vulnerable to side-channel attacks and demonstrated multiple types of attacks. After reverse engineering Nvidia GPU, researchers were able to steal rendered password box from a browser, sniffed other browser related data and also settings from the neural network computations on a GPU in the data center.

Cybersecurity firm Trend Micro has analyzed a new cryptocurrency mining malware that targets Linux OS and is able to hide its processes by implementing a rootkit component.
The rootkit will replace and hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library so the system is unable to monitor miner workers anymore.

An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on a continuous positive airway pressure (CPAP) machines to create a free tool that lets patients modify their treatment.

In 2016, Russia's Internet Research Agency used browser plugin malware called FaceMusic which "liked" Russian content and made their content popular on a social networks.
Now a Russian national living in Bulgaria has been detained on an US arrest warrant and is accused of online fraud & maintaining a computer network with servers in Dallas between Sep 2014 - Dec 2016.

The European Commission has just announced trials in Hungary, Greece and Latvia of iBorderCtrl project that includes the use of an AI-based lie detection system to spot when visitors to the EU give false information about themselves and their reasons for entering the area.

Troy Hunt analyzed 2FA, U2F authentication mechanisms and commented on the Google Advanced Protection enrollment procedure.

Bitwarden open source password manager has completed a thorough security audit and cryptographic analysis from the security experts at Cure53.

According to a Censys online platform, over a million AT&T devices, probably cable modems share the same TLS private key.

Researchers from Mozilla published blog on how they have designed privacy-aware Firefox Sync.

Two weeks ago we wrote about an attack against the OCB2 authenticated encryption scheme. It breaks integrity of OCB2.
Now there are two more papers, one breaks confidentiality and the other recovers plain text.

There is a zero day exploit "PHP_imap_open_exploit" in PHP that allows bypassing disabled exec functions by using call to imap_open.

InfoSec Week 42, 2018

The Czech Security Intelligence Service (BIS) shuts down Hezbollah servers in the Hezbollah hacking operation. Hackers used female Facebook profiles to trick victims into installing spyware.

More than 420K compromised MikroTik routers can be found on the Internet with half of them mining cryptocurrencies, according to the results of Censys scanner.
Also, there is anonymous gray-hat researcher patching them remotely.

Fake Adobe updates are circulating that will actually update the Windows version of a plugin on your computer, but also install cryptocurrency mining malware.

According to a new research, if you're an American of European descent, there's a 60% chance you can be uniquely identified by public information in DNA databases. This is not information that you have made public; this is information your relatives have made public. https://www.schneier.com/blog/archives/2018/10/how_dna_databas.html

The Pentagon travel system has been hacked. Personal information and credit card data of at least 30K U.S. military and civilian personnel are affected.

A PoC exploit for a Windows (CVE-2018-8495) remote code execution vulnerability that can be exploited via Microsoft Edge has been published.

There is a serious SSH bug discovered in LibSSH library.
Basically a client can bypass the authentication process by telling the server to set the internal state machine maintained by the library to authenticated.

Electron just merged fix enabling position independent executable build (PIE) on Linux, so all Electron-Apps on Linux can soon leverage Address space layout randomization (ASLR) protection.

On this site, you can find "every byte of a TLS connection explained and reproduced".
Really interesting project.

Researcher Lance R. Vick started a spreadsheet to compare relative security, privacy, compatibility, and features of various messenger systems.

Recorded Future published analysis of a Russian and Chinese illegal hacking Communities.

Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on a network from learning users browsing history.

Swedish kids can read about the DNSSEC on a milk carton.

InfoSec Week 32, 2018

A Comcast security flaws exposed more than 26 millions of customers’ personal information. Basically, an attacker could spoof IP address using "X-forwarded-for" header on a Comcast login page and reveal the customer’s location.

According to the Check Point Research, more than 150k computers are infected with the new variant of Ramnit botnet named Black. Botnet install second stage malware with the proxy functionality.

Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they had already recovered from the attack.

A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. Attack require less than 2 Kbps of traffic.

GDPR and other cookie consent scripts are used to distribute malware.

Interesting blog on how criminals in Iran make money by creating Android malware apps.

Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on a cross-signing on some systems, so this is great news!

There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask Access Point for the data required for offline cracking, no client traffic sniffing is needed anymore.

Innovative new research on a software implementation hardening was published with the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple, introduce a large number of non-exploitable bugs in the program which makes the bug discovery and exploit creation significantly harder.

Researchers from the University of Milan published padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on it...

A Handshake is a new experimental peer-to-peer root DNS. They have published resolver source code and have test network up and running. Looks like really promising project.

InfoSec Week 30, 2018

Researchers from the Palo Alto Networks analyzed new Mirai and Gafgyt IoT/Linux botnet campaigns. The samples used more than 11 exploits for spreading, exploiting D-Link, Dasan GPON routers.

Brian Krebs published a blog post about the current status of the Universal 2nd Factor (U2F) support. Google practically eliminated employee phishing by introducing mandatory usage of the physical security keys.

There is a new module for the CHIPSEC Security Assessment Framework to check CPU USB debug features and host Direct Connection Interface (DCI), which can be used to modify system firmware with physical access and introduce "Evil Maid" firmware attacks.

Chinese police arrested malware developers for hacking millions of computers to steal $2 million in cryptocurrencies.

Paper on a new Spectre variant called SpectreRSB was published with the name "Spectre Returns! Speculation Attacks using the Return Stack Buffer".
According to a paper „none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks.“

The source code of an Exobot Android Banking Trojan has been leaked online back in May has rapidly spread in the malware community.

Because of insufficient validation of parameters in many Bluetooth implementations, attackers can inject invalid elliptic curve parameters which aren’t checked by many implementations in an invalid public key making session keys vulnerable.

The Cisco Talos security team found multiple vulnerabilities, including remote code execution vulnerability in the Sony IPELA E series network camera. https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html

NSA declassified papers from John Tiltman, one of Britain’s top cryptanalysts during the Second World War, which reveal how pre-world war 2 Brits analyzed and decrypted Russian cryptography.

InfoSec Week 29, 2018

The academics have mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations. The novel part is that they are using real map data to generate plausible malicious instructions.

Folks from Cloudflare, Mozilla, Fastly, and Apple during a hackaton implemented Encrypted Server Name Indication (SNI). There are implementations in BoringSSL, NSS and picotls.

Good insight on how credit card thieves use free-to-play apps to steal and launder money from the credit cards.

Chromium recently introduced Cross-Origin Read Blocking (CORB) that helps mitigate the threat of side-channel attacks (including Spectre).

For anybody interested in reverse engineering, nice write up about the Smoke Loader malware bot unpacking mechanism and communication with the C&C.

A research on how to bypass memory scanners using Cobalt Strike’s beacon payload and the gargoyle memory scanning evasion technique.

Eset researchers analyzed ongoing espionage campaign against the Ukrainian government institutions.

The intercept summarized what the public has learned about Russian and U.S. spycraft from the Special Counsel Robert Mueller’s indictment of hackers.

Security researchers have uncovered a highly targeted mobile malware campaign that has been operating since August 2015 and found spying on 13 selected iPhones in India.

There is an exploit for Ubuntu Linux (up to 4.17.4) where other users coredumps can be read via setgid directory and killpriv bypass.

InfoSec Week 27, 2018

Samsung Galaxy S9 and S9+ devices, maybe others, are texting camera photos to random contacts through the Samsung Messages app without user permission.

Gentoo Linux distribution GitHub repository was compromised. Attacker removed out all the maintainers, who realized the intrusion only 10 minutes after he gained access. He add rm -rf /* to build scripts, changed README and some minor things.

Since January 2017, Stylish browser extension has been augmented with spyware that records every single website that its 2 million other users visit, then sends complete browsing activity back to its servers, together with a unique identifier.

Digicert Withdraws from the CA Security Council (CASC), because they "feel that CASC is not sufficiently transparent and does not represent the diversity of the modern Certificate Authority (CA) industry. Improving the ecosystem requires broad participation from all interested stakeholders, and many are being excluded unnecessarily."
Great step Digicert!

CryptoCurrency Clipboard Hijacker malware discovered by Bleeping Computer monitors for more than 2.3 million Bitcoin addresses, then replace them in memory, with the attacker address.

Local root jailbreak, authorization bypass & privilege escalation vulnerabilities in all ADB broadband routers, gateways and modems. The patch is already available.

A Microsoft Security division published an analysis of the malware sample which exploited the Adobe Reader software and the Windows operating system using two zero-day exploits in a single PDF file.

Blog about why it is not helpful to use the Canvas Defender extension, a browser canvas fingerprinting countermeasure.

Blog about the cryptographic primitives used by the North Korean Red Star operating system. The OS is mostly uses AES-256 Rijndael with dynamic S-Box modifications, but the design is evolving and the latest version of the algorithm has more differences.

Interesting technique how to bypass web-application firewalls by abusing SSL/TLS. An attacker can use an unsupported SSL cipher to initialize the connection to the webserver which supports that cipher, but the WAF would not be able to identify the attack because it can't view the data.

Good introduction to the Linux ELF file format with some practical examples how sections look like, how to shrink the size during compilation and more.

Page 1 / 3