Tag Google

InfoSec Week 2, 2018

New research has found flaws in the group messaging of the Signal protocol as implemented by Signal, WhatsApp and Threema. Exploitation is not easy, but the messaging server (that is, an attacker who controls it) could in some scenarios silently add a member to an encrypted group chat; in WhatsApp's case this is because group membership changes are authenticated by the server only, not end-to-end.
https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/

Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more write-ups about the campaign. Interesting.
http://depastedihrn3jtw.onion.link/show.php?md5=ee7136ac48fa59fba803b9fbcbc6d7b9
http://depastedihrn3jtw.onion.link/show.php?md5=7e7bfe406315f120d8ed325ffb87670b

A tale about an npm package that harvests credit card numbers and passwords entered on every website that includes it. It is a work of fiction, but it was published a few hours after dozens of npm packages stopped working because of missing dependencies... Scary.
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

HC7 Planetary ransomware is probably the first known ransomware to ask for Ethereum as ransom payment. It targets Windows only.
https://www.bleepingcomputer.com/news/security/hc7-planetary-ransomware-may-be-the-first-to-accept-ethereum/

There is a hardcoded backdoor account in the Western Digital My Cloud NAS firmware (user: mydlinkBRionyg, password: abc12345cba) that gives anyone who can reach the device a login. The vendor patched it roughly six months after it was reported.
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
https://twitter.com/dragosr/status/949822668563365889

Wi-Fi Protected Access III (WPA3) will be brought to market this year. Hopefully WPA3-certified devices will deliver a lot of security enhancements to the Wi-Fi protocol.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

The Let's Encrypt certificate authority has temporarily disabled the TLS-SNI-01 validation challenge after a report that, on shared hosting infrastructure, one tenant can upload a certificate for the challenge's .acme.invalid SNI name and thereby obtain certificates for another tenant's domain.
https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

Google Cloud security engineers reported a remote code execution vulnerability in the AMD Platform Security Processor: a stack-based overflow in the certificate parsing of the firmware TPM (fTPM) that runs inside the PSP.
http://seclists.org/fulldisclosure/2018/Jan/12

Brian Krebs wrote a blog post about the flourishing online markets for stolen account credentials.
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
http://blog.virustotal.com/2018/01/virustotal-graph.html

A Meltdown vulnerability proof of concept that reads passwords out of the memory of the Google Chrome browser.
https://github.com/RealJTG/Meltdown

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code of an application without invalidating its signature. The root cause is that one file can be a valid APK (a ZIP archive) and a valid DEX file at the same time: the runtime recognises the DEX header and executes it, while the APK Signature Scheme v1 (JAR signing) only verifies the ZIP entries, not the bytes prepended before them. An attacker can thus prepend a malicious DEX to a legitimate, signed APK and have it installed as an update of that app, which also helps to evade detection. Only apps signed with scheme v1 on Android 5.0 to 8.0 are affected; APK Signature Scheme v2 covers the whole file.
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
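The check a practitioner would want here is a way to spot a Janus-style file in a pile of APKs: a file whose first bytes are a DEX header but which is also a readable ZIP archive. The following is an added example, not code from the Guardsquare write-up or from Android; the hybrid sample it builds is constructed in the block (a dummy DEX header of zeros padded to the real header size, prepended to a tiny ZIP), and the "APK Sig Block 42" substring search for a v2 signing block is a heuristic, not a full parse of the signing block.

```python
import io
import zipfile

DEX_HEADER_SIZE = 0x70            # size of a real DEX header
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # trailer magic of an APK Signature Scheme v2 block


def looks_like_dex(data: bytes) -> bool:
    """True if the file starts with a DEX magic: 'dex\\n' + three digits + NUL (e.g. dex\\n035\\0)."""
    return (len(data) >= 8 and data[:4] == b"dex\n"
            and data[4:7].isdigit() and data[7] == 0)


def is_valid_zip(data: bytes) -> bool:
    """True if a ZIP end-of-central-directory record is found and every entry's CRC checks out.
    zipfile tolerates leading junk before the first local header, exactly as Android's v1 verifier does."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def is_janus_candidate(data: bytes) -> bool:
    """A Janus-style file is simultaneously a DEX file (by its header) and a valid ZIP/APK."""
    return looks_like_dex(data) and is_valid_zip(data)


def has_apk_signing_block(data: bytes) -> bool:
    """Heuristic: a v2-signed APK carries an APK Signing Block whose trailer ends with this magic."""
    return APK_SIG_BLOCK_MAGIC in data


def build_constructed_apk() -> bytes:
    """Constructed sample: a minimal, unsigned, v1-style APK layout (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 100)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_constructed_hybrid(apk: bytes) -> bytes:
    """Constructed sample: a dummy DEX header (magic + zero padding) prepended to the APK.
    The ZIP entries, and therefore the v1 signature over them, are untouched."""
    fake_dex = b"dex\n035\0" + b"\0" * (DEX_HEADER_SIZE - 8)
    return fake_dex + apk


if __name__ == "__main__":
    clean = build_constructed_apk()
    hybrid = build_constructed_hybrid(clean)
    for name, blob in (("clean", clean), ("hybrid", hybrid)):
        print(name, "dex header:", looks_like_dex(blob), "valid zip:", is_valid_zip(blob),
              "janus candidate:", is_janus_candidate(blob), "v2 block:", has_apk_signing_block(blob))
```

The scan does not need to verify any signature: the defining property of the bug is that the prepended DEX bytes are invisible to the v1 verifier, so "DEX magic in front of a readable ZIP" is the indicator, and a present v2 signing block is what tells you the installer would have rejected the modified file.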

According to research by Hanno Böck, Juraj Somorovsky and Craig Young (ROBOT, the Return Of Bleichenbacher's Oracle Threat), Bleichenbacher's 1998 padding-oracle attack on RSA PKCS#1 v1.5 encryption still works against almost 3% of the Alexa top million most visited websites. Using the server as an oracle, the researchers were even able to sign a message with Facebook's private TLS key. Products from Citrix, F5 and Cisco and several TLS implementations are affected. Only the RSA key exchange (TLS_RSA_* cipher suites) is exploitable, so disabling it in favour of ECDHE is the immediate mitigation.
https://robotattack.org/

A Synaptics touchpad driver shipped on HP laptops contained keylogging debug code, disabled by default, which could be enabled by setting a registry value.
https://zwclose.github.io/HP-keylogger/

There is a remote root code execution flaw (CVE-2017-15944) in the management web interface of Palo Alto Networks PAN-OS firewalls: a chain of partial authentication bypass, XML injection and command injection.
http://seclists.org/fulldisclosure/2017/Dec/38

Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.
https://securityaffairs.co/wordpress/66591/cyber-crime/moneytaker-group.html

Recorded Future analyzed the prices of various cybercriminal services sold on dark web markets.
https://www.recordedfuture.com/cyber-operations-cost/

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft and Twitch was briefly rerouted through a Russian network by a BGP hijack.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

Microsoft started rolling out an update for the Malware Protection Engine to fix a remotely exploitable bug discovered by the UK's National Cyber Security Centre (NCSC).
https://www.bleepingcomputer.com/news/security/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence/

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
http://blog.kismetwireless.net/2017/11/dji-uav-drone-id.html

Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
https://github.com/wazuh/wazuh

Wifiphisher is a tool for automated, victim-customized phishing attacks against Wi-Fi clients.
https://github.com/wifiphisher/wifiphisher

InfoSec Week 43, 2017

Researchers led by Masaryk University have finally published the full paper on ROCA (CVE-2017-15361), the practical cryptographic attack on RSA key generation in Infineon's library, which is widely used in trusted platform modules and crypto tokens. The affected keys can be factored from the public modulus alone, and because the primes have a special structure they are also recognisable from the modulus.
"The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli" https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf
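The paper's fingerprint test is the check worth having at hand: Infineon's generator produces primes of the form p = k*M + (65537^a mod M), M a primorial, so for every small prime in M the modulus N = p*q satisfies N mod p_i in the subgroup generated by 65537 modulo p_i. A random RSA modulus passes that test for all primes with negligible probability. The following is an added example written for this post, not the authors' roca-detect tool; it assumes the primes 2..167 (the paper's M for 512-bit keys) as the fingerprint set, and the "ROCA-like" modulus it tests against is constructed from two numbers of the right form that are not checked for primality, since the fingerprint depends only on the form.

```python
import random

GENERATOR = 65537   # the base of the 65537^a term in Infineon's prime construction


def small_primes(limit: int) -> list:
    """All primes <= limit (simple sieve)."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, flag in enumerate(sieve) if flag]


# Assumption: the 39 primes up to 167 form the fingerprint set (the paper's M for 512-bit keys).
FINGERPRINT_PRIMES = small_primes(167)


def generator_subgroup(p: int) -> frozenset:
    """The set {65537^k mod p}: the subgroup of Z_p* generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % p
    return frozenset(seen)


SUBGROUPS = {p: generator_subgroup(p) for p in FINGERPRINT_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True if n mod p lies in <65537> mod p for every fingerprint prime.
    Every ROCA-generated modulus passes; a random modulus fails with overwhelming probability."""
    return all(n % p in SUBGROUPS[p] for p in FINGERPRINT_PRIMES)


def primorial(primes) -> int:
    m = 1
    for p in primes:
        m *= p
    return m


def constructed_roca_like_modulus(bits: int = 1024, seed: int = 1) -> int:
    """Constructed test input: p and q of the form k*M + (65537^a mod M), not checked for
    primality, so this is not a usable RSA key, only something that carries the fingerprint."""
    rng = random.Random(seed)
    M = primorial(FINGERPRINT_PRIMES)

    def factor() -> int:
        a = rng.randrange(1, M)
        k = rng.getrandbits(max(8, bits // 2 - M.bit_length()))
        return k * M + pow(GENERATOR, a, M)

    return factor() * factor()


if __name__ == "__main__":
    # A modulus built from two Mersenne primes has no such structure and is rejected.
    print("Mersenne product:", has_roca_fingerprint((2 ** 61 - 1) * (2 ** 127 - 1)))
    print("ROCA-like:", has_roca_fingerprint(constructed_roca_like_modulus()))
```

To use it on real keys, feed the integer modulus n from the certificate or public key (e.g. as returned by any X.509 or SSH key parser). Note the asymmetry of the test: a positive result is practically certain to be an Infineon-generated key, and a negative result for a key that should have come from such a chip is worth investigating too.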

This interesting paper looks at secure cryptographic computation under a threat model that rules out physical attackers by putting the hardware out of their reach: the authors propose SpaceHSM, hardware security modules in orbit on CubeSats.
"SpaceTEE: Secure and Tamper-Proof Computing in Space using CubeSats"
https://arxiv.org/abs/1710.01430

There is a small chance that documents encrypted by the Bad Rabbit ransomware can be recovered without paying: the malware does not delete Volume Shadow Copies, so if they were enabled in Windows before the infection, victims can restore the original versions of the encrypted files with the standard Windows "Previous Versions" mechanism.
For a technical analysis of the Bad Rabbit ransomware, see the second link.
https://securelist.com/bad-rabbit-ransomware/82851/
https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis

Google is going to deprecate and remove HTTP Public Key Pinning (HPKP, the dynamic pins set via the Public-Key-Pins header) from the Google Chrome browser; the static pins built into Chrome remain.
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

The British government has publicly attributed the "WannaCry" malware epidemic to North Korean government hackers.
https://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html

Two remote code execution vulnerabilities (CVE-2017-13089, CVE-2017-13090), heap buffer overflows in the handling of HTTP chunked transfer encoding, were patched in the popular download tool Wget (version 1.19.2). Update!
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

The source code of an AhMyth Android remote administration tool is available on GitHub. It can steal contact information, turn on camera, microphone, read SMS, and more.
https://github.com/AhMyth/AhMyth-Android-RAT

Malscan is a robust and fully featured scanning platform for Linux servers built upon the ClamAV platform, providing all of the features of Clamscan with a host of new features and detection modes.
https://github.com/jgrancell/malscan

There is an update for the world's fastest and most advanced password recovery utility Hashcat.
https://github.com/hashcat/hashcat/releases/tag/v4.0.0

InfoSec Week 39, 2017

Security researcher Gal Beniamini from Google Project Zero has discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips, and published a working exploit after notifying the affected parties.
https://googleprojectzero.blogspot.sk/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html

Google security engineers also found multiple vulnerabilities in the popular DNS/DHCP software package Dnsmasq. The patches are now committed to the project's git repository; make sure to upgrade to v2.78.
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Arbor Networks researchers attributed the Flusihoc DDoS botnet to Chinese origins. More than 154 different command and control servers have been used over the years, with 48 still active right now.
https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/

HP Enterprise shared ArcSight source code with the Russians.
https://www.schneier.com/blog/archives/2017/10/hp_shared_arcsi.html

The vulnerability in Siemens industrial switches allows an unauthenticated attacker who has access to the network to remotely perform administrative actions.
https://ics-cert.us-cert.gov/advisories/ICSA-17-271-01

Computer manufacturer company Purism is currently running crowdfunding campaign to finance Librem 5 – A Security and Privacy Focused Phone.
From the campaign webpage:
"Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers."
Support them!
https://puri.sm/shop/librem-5/

Microsoft announced new cloud-based memory corruption bug detector with the codename Project Springfield.
https://blogs.microsoft.com/ai/2016/09/26/microsoft-previews-project-springfield-cloud-based-bug-detector/

Super-Stealthy Droppers - Linux "diskless" binary execution by example: using memfd_create() to run an ELF binary that never touches the filesystem.
https://0x00sec.org/t/super-stealthy-droppers/3715
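Both sides of the technique in one place, as an added example for this post (not the code from the 0x00sec article, which is in Perl/C): the execution primitive writes an ELF image into an anonymous memfd and execs it through fexecve(), and the detection side scans /proc/<pid>/exe for the "/memfd:... (deleted)" link that such processes leave behind. It assumes Linux with Python 3.8+ (os.memfd_create) and, for the self-test only, that /bin/sleep exists; the memfd name "kworker" is an arbitrary, innocuous-looking choice of the kind a dropper would pick.

```python
import os
import signal
import sys
import time


def run_from_memory(elf_image: bytes, argv: list) -> int:
    """Diskless execution: copy an ELF into an anonymous in-memory file and exec it.
    Returns the child's pid. Nothing is written under any filesystem path."""
    fd = os.memfd_create("kworker", flags=os.MFD_CLOEXEC)   # name is arbitrary (assumption)
    view = memoryview(elf_image)
    while view:                                             # os.write may be partial
        view = view[os.write(fd, view):]
    pid = os.fork()
    if pid == 0:
        try:
            os.fexecve(fd, argv, os.environ)                 # does not return on success
        finally:
            os._exit(127)
    os.close(fd)
    return pid


def exe_link_is_memory_backed(link: str) -> bool:
    """A process started from a memfd shows '/memfd:<name> (deleted)' as its /proc/<pid>/exe target."""
    return link.startswith("/memfd:") and link.endswith(" (deleted)")


def find_memory_backed_processes() -> list:
    """Scan /proc for processes whose executable lives only in memory."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            link = os.readlink(f"/proc/{entry}/exe")
        except OSError:          # kernel thread, already exited, or not our process
            continue
        if exe_link_is_memory_backed(link):
            hits.append((int(entry), link))
    return hits


def demo(sleep_binary: str = "/bin/sleep"):
    """Run /bin/sleep from memory and confirm the scanner flags it.
    Returns True/False on Linux, None where the primitives are unavailable."""
    if not (sys.platform.startswith("linux") and hasattr(os, "memfd_create")
            and os.path.exists(sleep_binary)):
        return None
    with open(sleep_binary, "rb") as f:
        image = f.read()
    try:
        pid = run_from_memory(image, ["sleep", "30"])
    except OSError:              # e.g. memfd_create or fork refused by a sandbox
        return None
    try:
        deadline = time.time() + 3.0
        flagged = False
        while time.time() < deadline and not flagged:    # wait for the child to exec
            flagged = any(p == pid for p, _ in find_memory_backed_processes())
            time.sleep(0.05)
    finally:
        os.kill(pid, signal.SIGKILL)
        os.waitpid(pid, 0)
    return flagged


if __name__ == "__main__":
    print("memfd-backed process detected:", demo())
```

The scanner is cheap enough to run from a cron job or an EDR agent; the same readlink check also catches binaries that were unlinked after exec ("(deleted)" without the "/memfd:" prefix), which is the other common way to hide a dropped file.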

InfoSec Week 29, 2017

Microsoft has analyzed EnglishmansDentist exploit used against the Exchange 2003 mail servers on the out-dated Windows Server 2003 OS. Exploit was released by ShadowBrokers back in April 2017.
https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/

ESET researchers have analyzed the Stantinko botnet, almost half a million machines used for ad-related fraud. Besides malicious Chrome extensions, it creates and manages Facebook profiles and brute-forces Joomla and WordPress logins.
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/

A buffer overflow in Valve's Source SDK, in the code that loads ragdoll models, allows an attacker to execute code remotely on a player's machine, e.g. via a crafted model served by a game server.
https://www.bleepingcomputer.com/news/security/valve-patches-security-flaw-that-allows-installation-of-malware-via-steam-games/
https://motherboard.vice.com/en_us/article/nevmwd/counter-strike-bug-allowed-hackers-to-completely-own-your-computer-with-a-frag

The secure messaging application Wire now offers end-to-end encrypted chats, file sharing and calls to businesses. It is a paid feature, though.
https://medium.com/@wireapp/wire-at-work-introducing-teams-beta-e50dacf6e9f1

Briar, a secure messaging app for Android, was released for public beta testing. It routes messages over Tor, or directly peer-to-peer over Wi-Fi or Bluetooth when there is no internet connection. Very interesting project.
https://briarproject.org/news/2017-beta-released-security-audit.html

D. J. Bernstein has published a blog post on random number generators with fast key erasure: each request runs a stream cipher under the current key, the first block of output becomes the next key and the old key is wiped immediately, so a later compromise of the generator's memory cannot reveal earlier outputs. "2017.07.23: Fast-key-erasure random-number generators"
https://blog.cr.yp.to/20170723-random.html
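The structure of the design is easier to see in code than in prose. The following is an added example for this post, not Bernstein's own implementation: it keeps his buffer sizes (a 768-byte stream per refill, of which 32 bytes become the next key and 736 are output), but stands in SHAKE-256 for the AES-256-CTR/ChaCha20 stream cipher his post uses so that it runs with the standard library alone, and it discards any unused output at the end of a request rather than buffering it. Python cannot guarantee that copies of key material are really gone (immutable bytes objects get copied around), so the in-place zeroing shown here illustrates the discipline rather than achieving it; the C version in the post is the one to use. current_key() exists only to demonstrate the compromise scenario and would not be part of a real API.

```python
import hashlib

KEY_BYTES = 32
BLOCK_BYTES = 768                     # stream produced per refill
OUT_PER_REFILL = BLOCK_BYTES - KEY_BYTES   # 736 bytes of output per refill


def expand(key: bytearray) -> bytearray:
    """Stand-in for the stream cipher keyed with `key` (assumption: SHAKE-256 instead of AES/ChaCha)."""
    return bytearray(hashlib.shake_256(bytes(key)).digest(BLOCK_BYTES))


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place."""
    buf[:] = bytes(len(buf))


class FastKeyErasureRNG:
    def __init__(self, seed: bytes):
        if len(seed) != KEY_BYTES:
            raise ValueError("seed must be 32 bytes")
        self._key = bytearray(seed)   # the only long-lived state

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            block = expand(self._key)
            # Ratchet first: the leading 32 bytes become the next key and the old key is
            # overwritten before any output leaves this function.
            self._key[:] = block[:KEY_BYTES]
            block[:KEY_BYTES] = bytes(KEY_BYTES)
            take = min(n - len(out), OUT_PER_REFILL)
            out += block[KEY_BYTES:KEY_BYTES + take]
            wipe(block)                # leftover output is erased, never kept for later
        return bytes(out)

    def current_key(self) -> bytes:
        """Demo only: what an attacker who dumps memory right now would obtain."""
        return bytes(self._key)


if __name__ == "__main__":
    g = FastKeyErasureRNG(bytes(range(32)))
    earlier = g.random_bytes(1000)
    stolen = g.current_key()
    # Whoever holds the current key can predict everything from here on ...
    clone = FastKeyErasureRNG(stolen)
    print("future output predictable:", clone.random_bytes(64) == g.random_bytes(64))
    # ... but nothing that was handed out before the ratchet.
    print("past output recoverable:", FastKeyErasureRNG(stolen).random_bytes(1000) == earlier)
```

The two prints show the property the design buys: the 32 bytes that become the next key never appear in any output, and every refill replaces the key, so a memory dump yields only the future stream. Seeding (from the kernel, a hardware source, or a TPM) and reseeding after fork are deliberately outside this block.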

Google Project Zero analyzed the security properties of the two major Trusted Execution Environments present on Android devices: Qualcomm's QSEE and Trustonic's Kinibi.
https://googleprojectzero.blogspot.sk/2017/07/trust-issues-exploiting-trustzone-tees.html

Prowler is a tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark.
https://github.com/alfresco/prowler

Hardentools is a utility that disables a number of risky Windows "features" exposed by Windows operating system.
https://github.com/securitywithoutborders/hardentools

InfoSec Week 25, 2017

Ukrainian critical infrastructure, including banks, Kyiv's metro system, the airport and Chernobyl's radiation monitoring system, was hit by a worldwide malware campaign.
The attack is believed to be a new campaign by the group behind the Petya ransomware (the sample is now commonly called NotPetya). It spreads over SMB with the known EternalBlue exploit, and also laterally with stolen credentials via PsExec and WMI, and is spreading fast to other countries.
https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
https://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

Indian ATMs running outdated Windows XP are suffering jackpotting attack by the Rufus ATM malware.
http://securityaffairs.co/wordpress/60220/breaking-news/rufus-malware-atm.html

Analysis of a new Marcher Android banking trojan variant which is posing as Adobe Flash Player Update.
https://www.zscaler.com/blogs/research/new-android-marcher-variant-posing-adobe-flash-player-update

The Russian government is threatening to block the Telegram messenger because it refused to register with the communications regulator Roskomnadzor as an "information distributor" under Russian data laws.
http://securityaffairs.co/wordpress/60449/terrorism/russia-telegram-ban.html

Bug hunter from Google, Tavis Ormandy, has found yet another serious vulnerability in the Microsoft's Malware Protection Engine.
http://www.databreachtoday.com/google-security-researcher-pops-microsofts-av-defenses-a-10058

The Hardware Forensic Database (HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools.
http://hfdb.io/

A good summary of the most common in-memory attacker techniques, such as shellcode injection, reflective DLL injection and process hollowing, and of how to hunt for them.
https://www.endgame.com/blog/technical-blog/hunting-memory

InfoSec Week 19, 2017

You have probably heard about the WannaCry/WannaCrypt/WannaWhatever worm-spread ransomware, partly because of the sensation created by parties profiting from scare tactics, but also because it uses a really effective spreading technique: exploiting the MS17-010 SMB vulnerability with the EternalBlue exploit leaked from the NSA.
A post-mortem analysis of the first version (the one with the kill switch, an unregistered domain it checked before running) and TheShadowBrokers' blog are listed below. The cryptography is implemented correctly, so a decrypter is unlikely unless the keys are published.
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition

Nice analysis of the Rakos P2P botnet. The researchers determined the botnet size by injecting fake nodes into the network, as well as by crawling it.
http://securityaffairs.co/wordpress/58931/malware/p2p-transient-rakos-botnet.html

Fatboy Ransomware-as-a-Service is using The Economist’s Big Mac Index to calculate the ransom amount.
https://www.recordedfuture.com/fatboy-ransomware-analysis/

A Tor hidden service operator is analysing the bots that enumerate and attack hidden services.
http://www.hackerfactor.com/blog/index.php?/archives/763-The-Continuing-Tor-Attack.html

A Google Project Zero post about discovering CVE-2017-7308, a heap out-of-bounds write in the Linux kernel's AF_PACKET socket code. It was found with the syzkaller fuzzer and then exploited to escalate privileges.
https://googleprojectzero.blogspot.ch/2017/05/exploiting-linux-kernel-via-packet.html
https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308

WikiLeaks released documentation of "AfterMidnight" and "Assassin", two CIA malware frameworks for the Microsoft Windows platform. Both let operators dynamically load and execute malware payloads on a target machine and exfiltrate data.
https://wikileaks.org/vault7/#AfterMidnight

Security researcher Thorsten Schroeder of modzero discovered that a Conexant audio driver shipped on dozens of HP laptop and tablet models logs keystrokes. It is badly written debug code: every pressed key is written to a log file and to the Windows debug output, so any local process can read them, e.g. by mapping the debugger's shared buffer with MapViewOfFile.
https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html

malwaresearch - A command line tool to find malware samples on the openmalware.org. It's possible to use the various hashes or common name.
https://github.com/MalwareReverseBrasil/malwaresearch

InfoSec Week 15, 2017

Interesting blog about the generic unpacking of the Locky malware using Radare r2pipe, python and the Windows 7 VM.
http://blog.devit.co/unpacking-with-r2pipe/

More information about the Shadow Brokers' NSA hacking toolkit dump is coming out as analysis proceeds.
Kudelski Security published an overview of the Equation Group exploitation arsenal for the Windows platform. Notably, the dump also indicates that the NSA compromised SWIFT service bureaus in the Middle East.
https://research.kudelskisecurity.com/2017/04/14/shadow-brokers-april-2017-release-2/
http://securityaffairs.co/wordpress/58006/hacking/nsa-hacked-swift.html

Symantec researchers linked the CIA hacking tools from Vault 7 to cyberattacks carried out in recent years by the Longhorn group, which specialises in intelligence-gathering operations. Kaspersky tracks the same tooling as "the Lamberts" (second link).
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7
https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/

Criminals robbed at least eight ATMs in Russia, stealing $800,000 in one night, with the "fileless" ATMitch malware.
http://securityaffairs.co/wordpress/57881/cyber-crime/atmitch-fileless-malaware.html

FireEye documented a campaign leveraging the CVE-2017-0199 vulnerability, which enabled attackers to "download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit." It delivers samples of the FINSPY and LATENTBOT malware, targeting mostly Russian-speaking users.
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://arstechnica.com/security/2017/04/microsoft-word-0day-was-actively-exploited-by-strange-bedfellows/
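For the detection side, the indicators in these documents are an OLE object in the RTF whose moniker is a URL moniker (CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, stored little-endian in the object data) together with the \objupdate control word that makes Word refresh the linked object on open. The following scanner is an added example, not FireEye's or anyone else's published rule: it assumes the moniker serialises the URL after the CLSID as a uint32 byte length followed by a NUL-terminated UTF-16LE string, and the sample RTF it scans is constructed in the block (an "OLE2Link"-style preamble followed by the moniker) and is not a working exploit.

```python
import binascii
import re
import struct

# URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in the little-endian byte order of an OLE stream
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex payload. RTF writers may break the hex with spaces or newlines."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        blobs.append(binascii.unhexlify(hexdata[:len(hexdata) & ~1]))   # drop a dangling nibble
    return blobs


def find_url_moniker(blob: bytes):
    """Return the URL carried by a URL moniker inside an OLE object blob, or None.
    Assumed layout after the CLSID: uint32 length in bytes, then a NUL-terminated UTF-16LE string."""
    i = blob.find(URL_MONIKER_CLSID)
    if i < 0 or i + 20 > len(blob):
        return None
    (length,) = struct.unpack_from("<I", blob, i + 16)
    raw = blob[i + 20:i + 20 + length]
    return raw.decode("utf-16-le", errors="replace").rstrip("\0")


def scan_rtf(rtf: bytes) -> dict:
    """Flag an RTF that carries a URL-moniker OLE object; report whether it also auto-updates."""
    urls = [u for u in map(find_url_moniker, extract_objdata(rtf)) if u]
    return {"objupdate": rb"\objupdate" in rtf,
            "moniker_urls": urls,
            "suspicious": bool(urls)}


def constructed_sample(url: str = "http://payload.invalid/template.hta") -> bytes:
    """Constructed test document (not a real exploit): an RTF whose object data holds a URL moniker."""
    wide = url.encode("utf-16-le") + b"\0\0"
    preamble = b"\x01\x05\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00OLE2Link\x00" + b"\0" * 16
    blob = preamble + URL_MONIKER_CLSID + struct.pack("<I", len(wide)) + wide
    hexdata = binascii.hexlify(blob)
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
            b"{\\*\\objdata\n" + lines + b"}}}")


if __name__ == "__main__":
    print(scan_rtf(constructed_sample()))
    print(scan_rtf(b"{\\rtf1\\ansi Hello}"))
```

A URL moniker in an RTF object is not malicious by itself (linked objects are a legitimate feature), so the practical rule is to alert on the combination of a remote URL plus \objupdate, and to block the fetched content type (HTA, scriptlet) at the proxy; the URL extracted here is what you would pass on to sandboxing or to a blocklist.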

I wrote about the Broadcom’s Wi-Fi stack exploit last week, this is the second part of a series of Google Project Zero team.
https://googleprojectzero.blogspot.sk/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html

InfoSec Week 14, 2017

The Cisco Talos team has analyzed ROKRAT remote administration tool targeting South Koreans by spear phishing campaign.
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html

The "rensenWare" ransomware is asking victims to score over 0.2 billion game currency playing the game "Touhou Project - Undefined Fantastic Object”.
http://securityaffairs.co/wordpress/57850/malware/rensenware-ransomware.html

The new BrickerBot malware performs a so-called Permanent Denial-of-Service (PDoS) on IoT devices. It uses the same attack vector as the Mirai botnet, brute-forcing Telnet logins with default credentials. If successful, it corrupts the device's storage and network configuration, effectively bricking it.
https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/

Triada Android malware is using open source DroidPlugin sandbox when running, in order to evade detection.
https://blog.avast.com/mobile-spyware-uses-sandbox-to-avoid-antivirus-detections

The security issue in the Splunk Enterprise allowed a potential attacker to steal data from the authenticated user if she visited a malicious website.
http://seclists.org/fulldisclosure/2017/Mar/89

Google Project Zero demonstrated a Broadcom’s Wi-Fi stack remote code execution exploit on a fully updated Nexus 6P, running Android 7.1.1 version NUF26K.
https://googleprojectzero.blogspot.md/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html

TheShadowBrokers hacking group published the password to the encrypted archive of NSA (Equation Group) tools they had put up for auction last year, making the whole package public.
https://github.com/x0rz/EQGRP
https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1

WikiLeaks published documents detailing the Grasshopper framework used by the CIA to create custom Windows malware installers.
Source code of the "Stolen Goods" module contains parts of the leaked Carberp banking trojan source code.
http://www.securityweek.com/wikileaks-details-cia-tool-creating-windows-malware-installers

The Xen Security Team has discovered a security bug in the hypervisor code which, if exploited, can be used to break Qubes OS isolation. A full system takeover would require chaining it with further exploits, though.
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-029-2017.txt

Interesting research on using antivirus software as leverage during an attack: "Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks"
https://www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf

InfoSec Week 4, 2017

LUNAR is a UNIX security auditing tool which generates a scored audit report of a Unix host's security.
https://github.com/lateralblast/lunar

Spora Ransomware has started to spread worldwide, outside Russian-speaking countries.
https://www.bleepingcomputer.com/news/security/and-so-it-begins-spora-ransomware-starts-spreading-worldwide/

VirLocker ransomware is back, packing user files into executables. Every encrypted file is transformed into executable, so the malware can spread faster. Fortunately, the infected users can access their data without paying the ransom.
http://www.securitynewspaper.com/2017/01/27/virlocker-ransomware-returns-just-virulent-ever/

A malicious Microsoft Word document targeted NATO members in a campaign during the Christmas and New Year holiday.
"The purpose of the document is first to perform a reconnaissance of the victims in order to avoid communicating with sandbox systems or analyst virtual machines. Second, the Adobe Flash requests a payload and an Adobe Flash exploit which is loaded and executed on the fly. This approach is extremely clever, from the attacker point of view, the exploit is not embedded in the document making it more difficult to detect for some security devices than the standard word trojan."
http://blog.talosintel.com/2017/01/matryoshka-doll.html

Google announced the launch of a Root Certificate Authority - Google Trust Services - that will allow the company to independently handle certificates on behalf of Google and Alphabet.
https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html
https://pki.goog/

A hacker is accessing public and unsecured Apache Cassandra databases, creating extra table with a message that the database is unprotected.
http://www.securitynewspaper.com/2017/01/25/benevolent-hacker-warning-owners-unsecured-cassandra-databases/

Gmail will block .js file attachments starting February 13, 2017. The users who want to send .js files after this date can use Google Drive, Google Cloud Storage, or other storage solutions.
https://gsuiteupdates.googleblog.com/2017/01/gmail-will-restrict-js-file-attachments.html

Facebook now supports physical security keys (FIDO U2F) as a second factor for login.
https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766