Tag FireEye

InfoSec Week 50, 2017

Crooks hacked Fox-IT by capturing fox-it.com DNS record, then obtained a certificated and executed a man-in-the-middle attack on connection.
https://www.fox-it.com/en/insights/blogs/blog/fox-hit-cyber-attack/

The Mandiant - FireEye company analyzed an incident at a critical infrastructure organization where an attacker deployed so called TRITON malware designed to manipulate industrial safety system. According to the analysis, "the malware was delivered as a Py2EXE compiled python script [...] containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers."
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

The anonymous researcher behind the massive internet scans of the IoT devices known for the BrickerBot case published some insights on his operation. Looks like he is a gray hat after all.
https://ghostbin.com/paste/q2vq2

Google published Android security roadmap for the next year. There will be lots of improvements, and new requirements for App developers.
https://android-developers.googleblog.com/2017/12/improving-app-security-and-performance.html

Multiple vulnerabilities were identified in Telegram messenger for Android, like arbitrary file overwrite on receiving and directory traversal. There are definitely better alternatives to this software...
https://bugs.chromium.org/p/project-zero/issues/detail?id=1470

Guy uploaded his self-signed malformed certificate to the websites which process them and found out lots of them is vulnerable to the XSS injection.
https://binaryfigments.com/2017/12/11/dont-trust-all-ssl-tls-certificates/

Mavinject is a legitimate Windows component digitally signed by Microsoft, that can be abused to inject any DLL inside a running process.
https://reaqta.com/2017/12/mavinject-microsoft-injector/

Microsoft pushed comprehensive audit reports on Windows Events to GitHub.
https://github.com/MicrosoftDocs/windows-itpro-docs/tree/master/windows/device-security/auditing

InfoSec Week 36, 2017

The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in D-Link routers.
https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html

There is a new research paper published on a security of a Bluetooth stack named "The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks." Really alarming vulnerabilities discussed.
From a paper: "BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware to other devices. The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device."
http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

FireEye has analyzed a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability leveraged by attackers to distribute notoriously known FinFisher / FINSPY malware.
I have included exploit example that is published on a GitHub.
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
https://github.com/Voulnet/CVE-2017-8759-Exploit-sample

Kaspersky Labs have analyzed the trend of malicious cryptocurrency mining practices on an infected machines.
https://securelist.com/miners-on-the-rise/81706/

The Android BankBot malware found on Google Play store is targeting multiple UAE banking applications.
http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-play-targets-ten-new-uae-banking-apps

Good analysis of how the JavaScript framework can be abused to bypass XSS mitigations, specifically NoScript’s XSS filter.
http://blog.portswigger.net/2017/09/abusing-javascript-frameworks-to-bypass.html

NSA had developed the capability to decrypt and decode Kazaa and eDonkey file-sharing apps traffic to determine which files are being shared, and what queries are being performed over those P2P networks.
https://theintercept.com/2017/09/13/nsa-broke-the-encryption-on-file-sharing-apps-kazaa-and-edonkey/

Formally verified implementation of Curve25519 made it into Firefox 57. And it is 20% faster on 64-bit architectures.
https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/

A nice curated list of IDA plugins.
https://github.com/onethawt/idaplugins-list

InfoSec Week 24, 2017

Erebus ransomware distributed by the malicious advertisement campaign is using Rig exploit kit to infect Linux servers across the world.
Some companies had to pay already.
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures

FireEye published anatomy of a cyber extortion scheme executed by FIN10 group. They infiltrate company networks, steal valuable data, then attempt to extort executives and board members of a company.
https://www.hackread.com/wp-content/uploads/2017/06/fin10-cyber-extortionist-canadian-mining-firms-casinos-to-ransom.pdf
https://www.fireeye.com/blog/threat-research/2017/06/fin10-anatomy-of-a-cyber-extortion-operation.html

Researchers changed e-cigarette USB compatible charger for a keyboard emulator, so it can issue commands when connected to the PC.
http://news.sky.com/story/e-cigarettes-can-be-used-to-hack-computers-10908333

Wired has published an article about the malware behind the Ukraine power grid blackout.
https://www.wired.com/story/crash-override-malware/

A lottery computer programmer designed his code so that on three days of the year, he could predict winning numbers in some games.
https://www.bloomberg.com/news/articles/2017-06-12/programmer-pleads-guilty-to-theft-in-lottery-rigging-scandal

Part of the Wikileaks Vault 7 release, Cherry Blossom, exposes CIA wireless hacking toolkit.
https://wikileaks.org/vault7/#Cherry Blossom

Cisco Talos has published BASS - Automated Signature Synthesizer for malware detection.
https://github.com/Cisco-Talos/bass

Some (AVG, Avast, Avira, CheckPoint, K7) antivirus software‘s kernel vulnerabilities found by the bee13oy security researcher.
https://github.com/bee13oy/AV_Kernel_Vulns