Tag GitHub

InfoSec Week 50, 2017

Crooks hacked Fox-IT by capturing fox-it.com DNS record, then obtained a certificated and executed a man-in-the-middle attack on connection.
https://www.fox-it.com/en/insights/blogs/blog/fox-hit-cyber-attack/

The Mandiant - FireEye company analyzed an incident at a critical infrastructure organization where an attacker deployed so called TRITON malware designed to manipulate industrial safety system. According to the analysis, "the malware was delivered as a Py2EXE compiled python script [...] containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers."
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

The anonymous researcher behind the massive internet scans of the IoT devices known for the BrickerBot case published some insights on his operation. Looks like he is a gray hat after all.
https://ghostbin.com/paste/q2vq2

Google published Android security roadmap for the next year. There will be lots of improvements, and new requirements for App developers.
https://android-developers.googleblog.com/2017/12/improving-app-security-and-performance.html

Multiple vulnerabilities were identified in Telegram messenger for Android, like arbitrary file overwrite on receiving and directory traversal. There are definitely better alternatives to this software...
https://bugs.chromium.org/p/project-zero/issues/detail?id=1470

Guy uploaded his self-signed malformed certificate to the websites which process them and found out lots of them is vulnerable to the XSS injection.
https://binaryfigments.com/2017/12/11/dont-trust-all-ssl-tls-certificates/

Mavinject is a legitimate Windows component digitally signed by Microsoft, that can be abused to inject any DLL inside a running process.
https://reaqta.com/2017/12/mavinject-microsoft-injector/

Microsoft pushed comprehensive audit reports on Windows Events to GitHub.
https://github.com/MicrosoftDocs/windows-itpro-docs/tree/master/windows/device-security/auditing

InfoSec Week 47, 2017

According to the annual State of Open Source Security report, 77% of 433000 analyzed sites use at least one front-end JavaScript library with a known security vulnerability.
https://snyk.io/blog/77-percent-of-sites-still-vulnerable/

The AWS team published blog about the recent improvements to the secure random number generation in Linux 4.14, OpenSSL and libc.
https://aws.amazon.com/blogs/opensource/better-random-number-generation-for-openssl-libc-and-linux-mainline/

Really good introduction to the anonymous communication network design and mix nets in general, published by Least Authority.
https://leastauthority.com/blog/mixnet-intro/

Those guys reverse-engineered the Furby Connect DLC file format and are able to remotely upload their own logos, songs to the device over Bluetooth.
https://www.contextis.com/blog/dont-feed-them-after-midnight-reverse-engineering-the-furby-connect

There is a critical vulnerability in the MacOS High Sierra, anyone can login as root with empty password after clicking on login button several times. For now, it could be mitigated by just changing the root password.
https://krebsonsecurity.com/2017/11/macos-high-sierra-users-change-root-password-now/
https://objective-see.com/blog/blog_0x24.html

Very good investigative journalism about the mysterious NSA contractor which could provided top secret documents to the Shadow Brokers.
https://krebsonsecurity.com/2017/11/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/

Uber paid hackers $100k to delete stolen data on 57 million people and shut up. They have even tried to fake it as an bug bounty payment.
http://blog.trendmicro.com/uber-how-not-to-handle-a-breach/

Someone published remote code execution exploit for the Exim Mail server (CVE-2017-16944) on GitHub. Shodan.io shows more than 400k servers with the vulnerable CHUNKING feature.
https://twitter.com/_miw/status/934872934681804800
https://github.com/LetUsFsck/PoC-Exploit-Mirror

InfoSec Week 44, 2017

There are at least 14 newly discovered vulnerabilities in the Linux kernel USB subsystem. The vulnerabilities were found by the Google syzkaller kernel fuzzer. According to the researchers, all of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine.
http://www.openwall.com/lists/oss-security/2017/11/06/8

Mozilla will remove root certificate of the Staat der Nederlanden (State of the Netherlands) Certificate Authority from Firefox browser if the Dutch government vote a new law that grants local authorities the power to intercept Internet communication using "false keys".
https://www.bleepingcomputer.com/news/security/mozilla-wants-to-distrust-dutch-https-provider-because-of-local-dystopian-law/

Bug hunter Scott Bauer has published an in depth analysis of the Android remotely exploitable bug in the blog post named "Please Stop Naming Vulnerabilities: Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones".
https://pleasestopnamingvulnerabilities.com/

Some web pages use textfield with the CSS "asterix" trick instead of the password field so they can bypass browser security warning when password field is on an unencrypted web page. Nonsense.
https://www.troyhunt.com/bypassing-browser-security-warnings-with-pseudo-password-fields/

More than 54 thousand have the same pair of 512-bit RSA keys as their DNS Zone Signing Keys.
https://lists.dns-oarc.net/pipermail/dns-operations/2017-October/016878.html

Good blog from the ElcomSoft about the history and current possibilities in the iOS and iCloud forensics.
https://blog.elcomsoft.com/2017/11/the-art-of-ios-and-icloud-forensics/

The Norwegian National Communications Authority reported GPS signal jamming activity in the Finnmark region near the Russian border.
https://twitter.com/aallan/status/926553232591159296/photo/1
https://rntfnd.org/wp-content/uploads/Norway-Comms-Auth-Report-GPS-Jamming-Sept-2017.pdf

Mac and Linux versions of the Tor anonymity software contained a flaw that can leak users real IP addresses.
https://blog.torproject.org/tor-browser-709-released

Software and HDL code for the PCILeech FPGA based devices that can be used for the Direct Memory Access (DMA) attack and forensics is now available on a GitHub. The FPGA based hardware provides full access to 64-bit memory space without having to rely on a kernel module running on the target system.
https://github.com/ufrisk/pcileech-fpga

InfoSec Week 43, 2017

Researchers from the Masaryk University finally published full paper of the practical cryptographic attack against the implementation of RSA in the widely used trusted platform modules / crypto tokens.
"The Return of Coppersmith’s A‚ttack: Practical Factorization of Widely Used RSA Moduli" https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf

Those guys published an interesting paper about the secure cryptographic computation with the threat model without attackers based on Earth. They are proposing SpaceHSM hardware secure devices on the orbit.
"SpaceTEE: Secure and Tamper-Proof Computing in Space using CubeSats"
https://arxiv.org/abs/1710.01430

There is a small chance that the documents encrypted by Bad Rabbit ransomware could be recovered without paying ransom, if the shadow copies had been enabled in the Windows prior to infection. Victims can restore the original versions of the encrypted files using standard Windows backup mechanism.
For technical analysis of the Bad Rabbit ransomware, see the second link.
https://securelist.com/bad-rabbit-ransomware/82851/
https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis

Google is going to deprecate the use of pinned public key certificates, public key pinning (PKP), from the Google Chrome browser.
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

The British government has publicly attributed North Korean government hackers as a source behind the "WannaCry" malware epidemy.
https://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html

Multiple remote execution vulnerabilities (CVE-2017-13089, CVE-2017-13090) were patched in the popular software Wget. Update!
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

The source code of an AhMyth Android remote administration tool is available on GitHub. It can steal contact information, turn on camera, microphone, read SMS, and more.
https://github.com/AhMyth/AhMyth-Android-RAT

Malscan is a robust and fully featured scanning platform for Linux servers built upon the ClamAV platform, providing all of the features of Clamscan with a host of new features and detection modes.
https://github.com/jgrancell/malscan

There is an update for the world's fastest and most advanced password recovery utility Hashcat.
https://github.com/hashcat/hashcat/releases/tag/v4.0.0

InfoSec Week 30, 2017

NSA's XKeyscore spying tool is used to fish Microsoft Windows crash reports out of the Internet traffic. They have used it against the Mexico's Secretariat of Public Security.
https://www.schneier.com/blog/archives/2017/08/nsa_collects_ms.html

Researchers from the Exodus Intelligence wrote remote exploit against the Android and iOS operating system, using Broadcom’s Wi-Fi chipset bug.
"Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."
https://blog.exodusintel.com/2017/07/26/broadpwn/

Great blog about chaining 4 vulnerabilities on the GitHub Enterprise in order to achieve remote code execution!
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html

Trend Micro researchers analyzed infection chain used by JS_POWMET fileless malware.
http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/

Researchers used antivirus cloud-based sandbox to exfiltrate data from the endpoint.
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox.pdf
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf

The Google team has blocked a new "Lipizzan" Android spyware family from the Google Play.
https://android-developers.googleblog.com/2017/07/from-chrysaor-to-lipizzan-blocking-new.html

Microsoft won't patch a 20 years old SMBv1 SMBloris memory handling bug, that could be exploited by attackers to execute a Denial of Service attack on a web servers.
http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

Private notes application Standard Notes got a cryptography audit.
https://standardnotes.org/blog/7/announcing-our-2017-security-audit-results

Framework for Testing WAFs (FTW) is a project created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF.
https://github.com/fastly/ftw

InfoSec Week 13, 2017

The tale of a misunderstood malware author who has released banking malware - NukeBot- source code on a GitHub to get a track.
https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/

New Android ransomware is using third party stores (what else?) to propagate, mainly to the Russian-speaking users. It asks for 500 rubles (~5 EUR), then keeps screen locked forever.
https://www.bleepingcomputer.com/news/security/new-android-ransomware-evades-all-mobile-antivirus-solutions/

Palo Alto Networks analyzed the "Trochilus and MoonWind" RAT campaign targeting Thai organisations with the keylogger. Two different RATs share the same part of the infrastructure.
http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations

Eset published a detailed analysis of a Turlas second-stage payload, Carbon backdoor. Nice config file and serious pub key encryption in use with the C&C servers.
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/

Phishing campaign targeting owners of GitHub repositories with the Dimnie malware able to log keystrokes and take screenshots.
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/

Analysis of the GhostAdmin 2.0 RAT. Keylogger, screen capture, IRC based C&C, audio recording.
https://www.cylance.com/content/cylance/en_us/blog/threat-spotlight-ghostadmin.html

This stuff has been published for some time, but definitely worth reading. CIA tradecraft for the malware writers: "Development Tradecraft DOs and DON'Ts"
https://wikileaks.org/ciav7p1/cms/page_14587109.html

The Yeti is a threat intelligence platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats.
https://yeti-platform.github.io/

box.js is a utility to analyze malicious JavaScript. It uses Node, and create text reports.
https://github.com/CapacitorSet/box-js

CERT Société Générale published FAME - an open source malware analysis platform that is meant to facilitate analysis of malware-related files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis.
https://certsocietegenerale.github.io/fame/