New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.
Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.
A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.
There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.
Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.
Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.
Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.
Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.
VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.
The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.
According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.
There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.
Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.
Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.
Researchers from the Masaryk University finally published full paper of the practical cryptographic attack against the implementation of RSA in the widely used trusted platform modules / crypto tokens.
"The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli" https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf
Those guys published an interesting paper about the secure cryptographic computation with the threat model without attackers based on Earth. They are proposing SpaceHSM hardware secure devices on the orbit.
"SpaceTEE: Secure and Tamper-Proof Computing in Space using CubeSats"
There is a small chance that the documents encrypted by Bad Rabbit ransomware could be recovered without paying ransom, if the shadow copies had been enabled in the Windows prior to infection. Victims can restore the original versions of the encrypted files using standard Windows backup mechanism.
For technical analysis of the Bad Rabbit ransomware, see the second link.
Google is going to deprecate the use of pinned public key certificates, public key pinning (PKP), from the Google Chrome browser.
The British government has publicly attributed North Korean government hackers as a source behind the "WannaCry" malware epidemy.
Multiple remote execution vulnerabilities (CVE-2017-13089, CVE-2017-13090) were patched in the popular software Wget. Update!
The source code of an AhMyth Android remote administration tool is available on GitHub. It can steal contact information, turn on camera, microphone, read SMS, and more.
Malscan is a robust and fully featured scanning platform for Linux servers built upon the ClamAV platform, providing all of the features of Clamscan with a host of new features and detection modes.
There is an update for the world's fastest and most advanced password recovery utility Hashcat.
Security researcher Gal Beniamini from Google has discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips and published working exploit after notifying affected parties.
Google engineers also found multiple flaws and vulnerabilities in the popular DNS software package - Dnsmasq. The patches are now committed to the project’s git repository. Make sure to upgrade to v2.78.
Arbor Networks researchers attributed Flusihoc DDoS botnet to the Chinese origins. More than 154 different command and control servers were used during the years, with over 48 still active right now.
HP Enterprise shared ArcSight source code with the Russians.
The vulnerability in Siemens industrial switches allows an unauthenticated attacker who has access to the network to remotely perform administrative actions.
Computer manufacturer company Purism is currently running crowdfunding campaign to finance Librem 5 – A Security and Privacy Focused Phone.
From the campaign webpage:
"Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers."
Microsoft announced new cloud-based memory corruption bug detector with the codename Project Springfield.
Super-Stealthy Droppers - Linux "Diskless" binary execution by example.
Microsoft has analyzed EnglishmansDentist exploit used against the Exchange 2003 mail servers on the out-dated Windows Server 2003 OS. Exploit was released by ShadowBrokers back in April 2017.
ESET researchers have analyzed a Stantinko botnet consisting of almost half a million machines used for ad-related fraud. It uses malicious Chrome extensions, but also creating and managing Facebook profiles and brute-forcing Joomla and WordPress websites.
A buffer overflow in the Source SDK in Valve's Source SDK allows an attacker to remotely execute code on a user's computer machine.
Secure messaging application Wire is now supporting end-to-end encrypted chats, file sharing and calls to businesses. But it's paid feature.
Briar, a secure messaging app for Android, was released for a public beta testing. It's using Tor, or P2P direct messaging over Wifi, Bluetooth. Very interesting project.
D. J. Bernstein has published blog about the secure key material erasure: "2017.07.23: Fast-key-erasure random-number generators"
Google Project Zero analyzed the security properties of the two major Trusted Execution Environment present on Android devices - Qualcomm’s QSEE and Trustonic’s Kinibi.
Prowler is a tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark.
Hardentools is a utility that disables a number of risky Windows "features" exposed by Windows operating system.
Ukrainian critical infrastructure, including banks, Kyiv’s metro system, the airport and the Chernobyl's radiation monitoring system, was hit by the worldwide malware campaign.
The attack is believed to be a new campaign by the group behind Petya ransomware. It takes advantage of the known SMB exploit (EternalBlue), and is spreading fast to the other countries.
Indian ATMs running outdated Windows XP are suffering jackpotting attack by the Rufus ATM malware.
Analysis of a new Marcher Android banking trojan variant which is posing as Adobe Flash Player Update.
The Russian government is threatening to ban Telegram messenger because it refused to be compliant with the data protection laws.
Bug hunter from Google, Tavis Ormandy, has found yet another serious vulnerability in the Microsoft's Malware Protection Engine.
The Hardware Forensic Database (HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools.
Good summary of the most common memory based attacker techniques such as shellcode injection, reflective DLL injection or process hollowing.
You have probably heard about the WannaCry/WannaCrypt/WannaWhatever worm spreading ransomware, because of the sensation created by parties profiting from the scare tactics. But also because it is using really good spreading technique - exploiting MS17-010 SMB vulnerability leaked from the NSA.
Some post-mortem analysis of the first version (with the killswich) and TheShadowBrokers blog are listed below. Crypto is working, so no trivial decrypter is probable, except if the keys are published.
Nice analysis of a P2P botnet. The researchers determined the botnet size by injecting fake nodes to the network, as well as using crawling. http://securityaffairs.co/wordpress/58931/malware/p2p-transient-rakos-botnet.html
Fatboy Ransomware-as-a-Service is using The Economist’s Big Mac Index to calculate the ransom amount.
Tor hidden service operator is analysing bots used to enumerates and attack hidden services.
Google Project Zero post about the process of discovering CVE-2017-7308 vulnerability. Found by fuzzing, with the later exploitation to escalate privileges.
Wikileakes released "AfterMidnight" and "Assassin " malware frameworks designed, two CIA malware frameworks for the Microsoft Windows platform. Those services allow operators to dynamically load and execute malware payloads on a target machine & exfiltrate the data.
A Security researcher Thorsten Schroeder discovered that an audio driver shipped on dozens HP laptops and tablet PCs logs keystrokes. It's actually a badly written application outputting pressed keystrokes to the debug output, so everyone is able to list them using MapViewOfFile function.
malwaresearch - A command line tool to find malware samples on the openmalware.org. It's possible to use the various hashes or common name.
Interesting blog about the generic unpacking of the Locky malware using Radare r2pipe, python and the Windows 7 VM.
More information about the Shadow Brokers NSA hacking toolkit dump are coming out after analysis.
Kudelski Security research published the overview of an Equation Group exploitation arsenal for the Windows platform. Good to note, that this dump has also implicated that the NSA compromised a SWIFT system.
Symantec researchers linked the CIA hacking tools (Vault 7) to a cyber attacks launched in recent years by a Longhorn group gang specialising in the intelligence gathering operations.
Black hats have robbed at least 8 ATMs in Russia and stole $800,000 in one night using a ATMitch "fileless" malware.
FireEye documented a campaign leveraging the CVE-2017-0199 vulnerability, which enabled attackers to "download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit." It delivers so called FINSPY and LATENTBOT samples, targeting mostly Russian speaking users.
I wrote about the Broadcom’s Wi-Fi stack exploit last week, this is the second part of a series of Google Project Zero team.
The Cisco Talos team has analyzed ROKRAT remote administration tool targeting South Koreans by spear phishing campaign.
The "rensenWare" ransomware is asking victims to score over 0.2 billion game currency playing the game "Touhou Project - Undefined Fantastic Object”.
The new BrickerBot malware is performing so called Permanent Denial-of-Service (PDoS) on a IoT device. It's using the same attack vector as a Mirai botnet - bruteforcing ssh passphrase. If succesful, it tries to brick device storage.
Triada Android malware is using open source DroidPlugin sandbox when running, in order to evade detection.
The security issue in the Splunk Enterprise allowed a potential attacker to steal data from the authenticated user if she visited a malicious website.
Google Project Zero demonstrated a Broadcom’s Wi-Fi stack remote code execution exploit on a fully updated Nexus 6P, running Android 7.1.1 version NUF26K.
TheShadowBrokers hacking group just leaked the NSA digital weapons package online.
WikiLeaks published documents detailing the Grasshopper framework used by the CIA to create custom Windows malware installers.
Source code of the "Stolen Goods" module contains parts of the leaked Carberp banking trojan source code.
The Xen Security Team has discovered a security bug in the hypervisor code which, if exploited, can be used for breaking Qubes OS isolation.
Exploit chaining required for the full system takeover tough.
Interesting research about the using antivirus software as a leverage during the attack.
"Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks"
LUNAR is a UNIX security auditing tool which generates a scored audit report of a Unix host's security.
Spora Ransomware has started to spread worldwide, outside Russian-speaking countries.
VirLocker ransomware is back, packing user files into executables. Every encrypted file is transformed into executable, so the malware can spread faster. Fortunately, the infected users can access their data without paying the ransom.
A malicious Microsoft Word document targeted NATO members in a campaign during the Christmas and New Year holiday.
"The purpose of the document is first to perform a reconnaissance of the victims in order to avoid communicating with sandbox systems or analyst virtual machines. Second, the Adobe Flash requests a payload and an Adobe Flash exploit which is loaded and executed on the fly. This approach is extremely clever, from the attacker point of view, the exploit is not embedded in the document making it more difficult to detect for some security devices than the standard word trojan."
Google announced the launch of a Root Certificate Authority - Google Trust Services - that will allow the company to independently handle certificates on behalf of Google and Alphabet.
A hacker is accessing public and unsecured Apache Cassandra databases, creating extra table with a message that the database is unprotected.
Gmail will block .js file attachments starting February 13, 2017. The users who want to send .js files after this date can use Google Drive, Google Cloud Storage, or other storage solutions.
Facebook now supports physical security keys as a second form of identification.