InfoSec Week 12, 2018

Facebook, Google, Cisco, WhatsApp and other industry partners have got together to create Messaging Layer Security (MLS), an open standard for end-to-end encryption backed by formal verification. Messaging Layer Security is now an IETF working group as well.

Long read about the takedown of Gooligan, an Android botnet that was stealing OAuth credentials back in 2016.

The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after notifying AMD.

Russia orders the company behind the Telegram messaging application to hand over users' encryption keys.

The hacker behind the Guccifer 2.0 pseudonym, known for providing WikiLeaks with stolen emails from the US Democratic National Committee, was an officer of Russia's military intelligence directorate.

Fascinating in-depth blog post about breaking the security of the Ledger cryptocurrency hardware wallet.

There was a Facebook bug that made persistent XSS on the Facebook wall possible by embedding an external video using the Open Graph protocol.

Two-part series about cracking the password of Chinese hardware-"encrypted" hard drives. The PIN was recovered.

Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.

Dark Web Map - a visualization of the structure of 6.6k Tor onion services, a.k.a. hidden services, a.k.a. the dark web.

InfoSec Week 11, 2018

A cyberattack on a Saudi Arabian petrochemical company was probably planned with a physical explosion in mind. The article attributes it to Iran and doesn't mention Stuxnet at all, so it is a somewhat one-sided view of this cyberwarfare exchange.

There is a critical vulnerability in the Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows. Due to a cryptographic flaw, a man-in-the-middle attacker could carry out remote procedure call attacks and data exfiltration against RDP and WinRM sessions.

A vulnerability (CVE-2018-1057) in Samba allows authenticated users to change other users' passwords.

A Kubernetes vulnerability (CVE-2017-1002101) allows containers using subpath volume mounts with any volume type to access files and directories outside the volume, including the host's filesystem. An updated version is already available.

Quite a good exchange on encryption policy and government backdoor proposals between the US National Academy of Sciences and the Electronic Frontier Foundation. Relevant to all democratic regimes.

Kaspersky has discovered the PlugX remote access tool (RAT) installed across pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information.

Encrypted email service provider ProtonMail is being blocked by internet service providers in Turkey.

CTS-Labs security researchers have published a whitepaper identifying four classes of potential vulnerabilities in the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines.

Adam Langley's blog post about the inability of snooping proxies to inspect TLS 1.3 traffic.

Hacker Adrian Lamo has died at 37. He was known for his involvement in passing on information about whistleblower Chelsea Manning, a former US Army soldier who leaked sensitive information to WikiLeaks.

To find an assault suspect, police in Raleigh, North Carolina used search warrants to demand Google account data not of specific suspects, but of any mobile devices that came too close to the scene of the crime within a specific time window.

Kaspersky releases Klara, a distributed system written in Python, designed to help threat intelligence researchers hunt for new malware using YARA rules.

Nice paper about a simple manual cipher that should be resistant to modern cryptanalysis.

InfoSec Week 7, 2018

The Fidelis Cybersecurity researcher Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates. The proof-of-concept code uses the SubjectKeyIdentifier field and generates certificates on the fly.

The "UDPoS" point-of-sale malware uses DNS traffic to exfiltrate stolen credit card data.
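DNS exfiltration of the kind described above leaves a characteristic trace in resolver logs: many distinct, long, high-entropy subdomains queried under one parent zone by one client. The following detector is an added example written for this digest, not code from the UDPoS analysis or from any vendor; the log format (`<timestamp> <client-ip> <qname> <qtype>`), the sample lines, the `update-cdn.test` zone and the thresholds are all constructed assumptions, and the "registrable domain = last two labels" rule is a simplification that a real deployment would replace with the Public Suffix List.

```python
"""Heuristic detection of DNS-based exfiltration in resolver query logs.

Constructed sample log (not from any real capture): one query per line,
"<timestamp> <client-ip> <qname> <qtype>". The exfiltration-like queries carry
32-character hex labels under one parent zone; the benign ones are ordinary
hostnames. Thresholds below are assumptions chosen for the sample, not tuned
values from any real environment.
"""
import math
from collections import defaultdict

HEX = "0123456789abcdef"


def _rot(s: str, n: int) -> str:
    """Rotate a string by n characters (used only to build distinct sample labels)."""
    return s[n:] + s[:n]


# constructed: six queries whose leftmost labels are 32-char hex blobs (data chunks)
EXFIL_LINES = [
    f"2018-02-10T12:00:{10 + i:02d} 10.0.0.9 {_rot(HEX, i) * 2}.{_rot(HEX, i + 1) * 2}.update-cdn.test A"
    for i in range(6)
]
# constructed: ordinary lookups from another host
BENIGN_LINES = [
    "2018-02-10T12:00:01 10.0.0.5 www.example.com A",
    "2018-02-10T12:00:02 10.0.0.5 mail.example.com MX",
    "2018-02-10T12:00:03 10.0.0.5 api-v2.example.com A",
    "2018-02-10T12:00:04 10.0.0.5 www.example.com A",
]
SAMPLE_LOG = "\n".join(BENIGN_LINES + EXFIL_LINES)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex data tends towards 4.0, hostnames stay low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split a log line into (client, zone, subdomain-prefix); None if no prefix."""
    _ts, client, qname, _qtype = line.split()
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    # Assumption: the registrable domain is the last two labels (no Public Suffix List).
    zone = ".".join(labels[-2:])
    prefix = ".".join(labels[:-2])
    return client, zone, prefix


def detect_exfiltration(log_text: str, min_unique: int = 5,
                        min_entropy: float = 3.5, min_len: int = 30) -> list:
    """Flag (client, zone) pairs whose subdomain prefixes look like encoded data.

    All three conditions must hold: many unique prefixes, high mean entropy of
    the prefix characters, and long prefixes. Each alone produces false
    positives (CDNs, DNSBL lookups, short random hostnames).
    """
    seen = defaultdict(set)  # (client, zone) -> set of distinct prefixes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, zone, prefix = parsed
        seen[(client, zone)].add(prefix)

    findings = []
    for (client, zone), prefixes in sorted(seen.items()):
        flat = [p.replace(".", "") for p in prefixes]
        mean_len = sum(len(f) for f in flat) / len(flat)
        mean_ent = sum(shannon_entropy(f) for f in flat) / len(flat)
        if len(prefixes) >= min_unique and mean_ent >= min_entropy and mean_len >= min_len:
            findings.append({
                "client": client,
                "zone": zone,
                "unique_queries": len(prefixes),
                "mean_entropy": round(mean_ent, 2),
                # rough upper bound on payload carried in the labels
                "approx_bytes": sum(len(f) for f in flat),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_exfiltration(SAMPLE_LOG):
        print(finding)
```

On the constructed log the benign host's three short prefixes stay well below every threshold, while the six 64-character hex prefixes under `update-cdn.test` are flagged as one finding with a volume estimate; in production the same per-zone aggregation is what makes the signal visible, since any single query looks harmless.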

Talos analyzed a malware threat targeting Olympic computer systems during the opening ceremony. Its main purpose was information gathering and destroying the systems.

A zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.

Trustwave analyzed a multi-stage Microsoft Word attack that does NOT use macros. A really creative technique.

Microsoft can't fix a Skype privilege escalation bug without a massive code rewrite, so they have postponed it for a while.

Facebook is advertising its Onavo VPN application, but there are a few reasons why it is really not a good idea to use it.

Facebook is spamming users via SMS to the phone numbers they registered for two-factor authentication (2FA), and then posts their replies on their wall.

(Not only) performance analysis of the Retpoline mitigation for the Spectre vulnerability.

A guide on how to brute-force Linux Full Disk Encryption (LUKS) volumes using the Hashcat software.

Proof of concept of a LibreOffice remote arbitrary file disclosure vulnerability. It is possible to silently send any file. All operating systems are affected in versions before 5.4.5/6.0.1.

InfoSec Week 1, 2018

Daniel Shapira from Twistlock wrote a blog post about exploiting a Linux kernel vulnerability in the waitid() syscall (CVE-2017-5123) to modify the Linux capabilities of a Docker container, gain privileges and escape the container jail.

There is a critical hardware bug in Intel chips that enables a user-level process to access kernel address space and thus read other processes' memory. Cloud providers and OS makers are preparing software patches, but the performance penalty could be significant. According to Wired:
"[researchers] confirmed that when Intel processors perform that speculative execution, they don't fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution."

Someone dumped the PlayStation 4 kernel by leaking arbitrary memory into accessible crash dumps.

ACM published an article about the more than two-decade-old ransomware experiments, titled "Cryptovirology: The Birth, Neglect, and Explosion of Ransomware".

Nice write-up about exploit development for arbitrary command execution on the BMC Server Automation remote agent software.

A macOS-only 0day vulnerability was published on the last day of 2017. It is an IOHIDSystem kernel vulnerability that can be exploited by any unprivileged user.

Edward Snowden's open source Haven application uses smartphone sensors to detect physical tampering.

PiKarma detects wireless network attacks performed by the KARMA module (fake AP) and starts a deauthentication attack against the fake access points.

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. A reverse netcat shell is included.

Matthew Green thinks that the recently discovered "Extended Random" extension of RSA's BSAFE TLS library, found in older Canon printers, could be an NSA backdoor.

Filippo Valsorda presented a key recovery attack against the carry bug in the x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption is affected.

Explanation of how web trackers exploit browser login managers to track users on the Internet.

According to the hacker Konstantin Kozlovsky, the creation of the WannaCry and Lurk malware was supervised by the Russian FSB agency.

Short blog post about cracking encrypted (40-bit encryption) PDFs using hashcat.

Crooks behind the VenusLocker ransomware have switched to Monero mining. They are executing the Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.

Proofpoint researchers published a paper on largely undocumented Lazarus Group campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.

InfoSec Week 32, 2017

A lone Nigerian guy is responsible for attacks against at least 4000 gas, oil, banking and infrastructure organizations using phishing and the NetWire trojan for remote access.

Alert Logic published a report about cloud security. Public cloud is generally more secure than private and on-premises networks. The attack vectors are the same as for most online applications - mostly SQL injection and remote code execution against web applications.

Oxford University researchers published the so-called intra-library collusion (ILC) attack against Android devices. From the research paper: "(intra-library collusion attack) occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data".

Four remotely exploitable vulnerabilities were identified in Siemens' Molecular Imaging products running the Microsoft Windows 7 operating system.

A recent phishing campaign that is distributing Trickbot is using extremely plausible imitations of financial institutions and government sites.

WikiLeaks has published the CIA tool CouchPotato, which allows operators to remotely spy on video streams in real time.

InfoSec Week 29, 2017

Microsoft has analyzed the EnglishmansDentist exploit used against Exchange 2003 mail servers on the outdated Windows Server 2003 OS. The exploit was released by the Shadow Brokers back in April 2017.

ESET researchers have analyzed the Stantinko botnet, consisting of almost half a million machines used for ad-related fraud. It uses malicious Chrome extensions, but also creates and manages Facebook profiles and brute-forces Joomla and WordPress websites.

A buffer overflow in Valve's Source SDK allows an attacker to remotely execute code on a user's machine.

The secure messaging application Wire now supports end-to-end encrypted chats, file sharing and calls for businesses. But it's a paid feature.

Briar, a secure messaging app for Android, was released for public beta testing. It uses Tor, or P2P direct messaging over Wi-Fi and Bluetooth. Very interesting project.

D. J. Bernstein has published a blog post about secure key material erasure: "2017.07.23: Fast-key-erasure random-number generators".
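The idea behind a fast-key-erasure RNG is that the generator's only state is a key, and every refill derives the next key from the output stream and overwrites the old one immediately, so a later compromise of the state cannot reproduce anything already handed out. The class below is an added example sketching that structure; it is not Bernstein's code. It substitutes HMAC-SHA256 in counter mode for the AES-256-CTR stream his post uses (the Python standard library has no AES), and the buffer size and the `compromise_demo` scenario are assumptions chosen for illustration.

```python
"""Fast-key-erasure RNG: the structure of D. J. Bernstein's 2017 construction.

State is a single 32-byte key. Each refill runs a PRF in counter mode on the
key to produce one buffer; the first 32 bytes become the next key and
overwrite the old one at once, and the remaining bytes form the output pool.
Pool bytes are wiped as they are handed out. Because the previous key is gone
after the refill, a later state compromise cannot reproduce earlier output.
"""
import hashlib
import hmac

KEY_LEN = 32
BLOCKS_PER_REFILL = 24   # assumption: 24 x 32 = 768 bytes per refill, 32 key + 736 output


def _prf_stream(key: bytes, nblocks: int) -> bytes:
    # Assumption: HMAC-SHA256 over an 8-byte big-endian counter stands in for
    # the AES-256-CTR stream in Bernstein's post. Any PRF gives the same
    # erasure property; only throughput differs.
    return b"".join(
        hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(nblocks)
    )


class FastKeyErasureRNG:
    def __init__(self, seed: bytes) -> None:
        if len(seed) != KEY_LEN:
            raise ValueError("seed must be 32 bytes of fresh entropy")
        self._key = bytearray(seed)   # bytearray so it can be overwritten in place
        self._pool = bytearray()
        self.refills = 0

    def _refill(self) -> None:
        stream = _prf_stream(bytes(self._key), BLOCKS_PER_REFILL)
        # Erasure step: the old key is overwritten in place by the stream head
        # before any output byte from this refill is released.
        self._key[:] = stream[:KEY_LEN]
        self._pool = bytearray(stream[KEY_LEN:])
        self.refills += 1
        # Caveat: CPython cannot guarantee the temporary `stream` object is
        # scrubbed from memory; a C implementation would zero it explicitly.

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            if not self._pool:
                self._refill()
            take = min(n - len(out), len(self._pool))
            out += self._pool[:take]
            # Wipe the consumed part of the pool before dropping it.
            for i in range(take):
                self._pool[i] = 0
            del self._pool[:take]
        return bytes(out)

    def pool_remaining(self) -> int:
        return len(self._pool)

    def current_key(self) -> bytes:
        """Exposed only so the demo can model a state compromise."""
        return bytes(self._key)


def compromise_demo(seed: bytes) -> dict:
    """Model an attacker who captures the key after some output was produced.

    Re-seeding a fresh generator with the captured key reproduces output the
    victim emits after its next refill, but the 64 bytes emitted earlier came
    from a key that no longer exists anywhere.
    """
    victim = FastKeyErasureRNG(seed)
    earlier = victim.random_bytes(64)
    captured = victim.current_key()               # snapshot of state at this moment
    victim.random_bytes(victim.pool_remaining())  # drain the pool so the next call refills
    future = victim.random_bytes(64)
    attacker = FastKeyErasureRNG(captured)
    attacker_output = attacker.random_bytes(64)
    return {
        "future_predictable": attacker_output == future,
        "past_recovered": attacker_output == earlier,
    }


if __name__ == "__main__":
    print(compromise_demo(bytes(32)))
```

The demo makes the asymmetry concrete: the captured key is enough to predict output the victim produces after its next refill (which is why a real generator reseeds from the OS periodically), but it cannot regenerate the earlier bytes, because the key that produced them was overwritten during the refill that produced the captured key.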

Google Project Zero analyzed the security properties of the two major Trusted Execution Environments present on Android devices - Qualcomm's QSEE and Trustonic's Kinibi.

Prowler is a tool based on AWS CLI commands for AWS account security assessment and hardening, following the guidelines of the CIS Amazon Web Services Foundations Benchmark.

Hardentools is a utility that disables a number of risky Windows "features" exposed by the Windows operating system.