Tag hacking

InfoSec Week 46, 2018

Researchers at the University of California have found that GPUs are vulnerable to side-channel attacks and demonstrated multiple types of attacks. After reverse engineering Nvidia GPU, researchers were able to steal rendered password box from a browser, sniffed other browser related data and also settings from the neural network computations on a GPU in the data center.
https://www.networkworld.com/article/3321036/data-center/gpus-are-vulnerable-to-side-channel-attacks.html

Cybersecurity firm Trend Micro has analyzed a new cryptocurrency mining malware that targets Linux OS and is able to hide its processes by implementing a rootkit component.
The rootkit will replace and hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library so the system is unable to monitor miner workers anymore.
https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth

An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on a continuous positive airway pressure (CPAP) machines to create a free tool that lets patients modify their treatment.
https://motherboard.vice.com/en_us/article/xwjd4w/im-possibly-alive-because-it-exists-why-sleep-apnea-patients-rely-on-a-cpap-machine-hacker

In 2016, Russia's Internet Research Agency used browser plugin malware called FaceMusic which "liked" Russian content and made their content popular on a social networks.
Now a Russian national living in Bulgaria has been detained on an US arrest warrant and is accused of online fraud & maintaining a computer network with servers in Dallas between Sep 2014 - Dec 2016.
https://edition.cnn.com/2018/11/10/world/russian-hacker-wanted-by-the-united-states-arrested-in-bulgaria/index.html

The European Commission has just announced trials in Hungary, Greece and Latvia of iBorderCtrl project that includes the use of an AI-based lie detection system to spot when visitors to the EU give false information about themselves and their reasons for entering the area.
https://www.privateinternetaccess.com/blog/2018/11/ai-based-lie-detection-system-at-eu-borders-will-screen-travellers-for-biomarkers-of-deceit

Troy Hunt analyzed 2FA, U2F authentication mechanisms and commented on the Google Advanced Protection enrollment procedure.
https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/

Bitwarden open source password manager has completed a thorough security audit and cryptographic analysis from the security experts at Cure53.
https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33

According to a Censys online platform, over a million AT&T devices, probably cable modems share the same TLS private key.
https://twitter.com/nikitab/status/1062161234173288449

Researchers from Mozilla published blog on how they have designed privacy-aware Firefox Sync.
https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

Two weeks ago we wrote about an attack against the OCB2 authenticated encryption scheme. It breaks integrity of OCB2.
Now there are two more papers, one breaks confidentiality and the other recovers plain text.
https://ia.cr/2018/1087
https://ia.cr/2018/1090

There is a zero day exploit "PHP_imap_open_exploit" in PHP that allows bypassing disabled exec functions by using call to imap_open.
https://github.com/Bo0oM/PHP_imap_open_exploit

InfoSec Week 44, 2018

The US federal prosecutors say that Chinese spies hacked dozen firms to steal aviation engineering secrets for the Chinese aerospace company.
https://arstechnica.com/tech-policy/2018/10/feds-say-chinese-spies-and-their-hired-hackers-stole-aviation-secrets/

Apple's ICMP packet-handling code contains a heap buffer overflow vulnerability (CVE-2018-4407).
Exploit can DoS any Mac, iOS device on a network by sending a crafted packet. The ping of death is back.
https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407

Microsoft is sharing Indian bank customers' data with U.S. intelligence agencies.
Looks like the banks were aware of it, when they have signed the Office 365 license agreements.
https://www.neowin.net/news/microsoft-has-been-sharing-indian-bank-customers039-data-with-us-intelligence-agencies

Google announced the launch of reCAPTCHA v3, which aims to improve user experience by removing the need for challenges. It uses the score based on the user on-site interactions.
https://developers.google.com/recaptcha/docs/v3

The end-to-end encrypted instant messaging application Signal introduced a new "Sealed sender" privacy feature that is protecting the sender before traffic observation.
https://signal.org/blog/sealed-sender/

Multiple malicious python libraries found and removed from PyPI. Guys are typo-squatting popular repository names and deliver malware.
https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

Great list of lessons learned over 20 years of red teaming by security expert Matt Devost.
https://www.oodaloop.com/ooda-original/2015/10/22/10-red-teaming-lessons-learned-over-20-years/

Cisco Talos researchers found a code execution vulnerability in the anti-malware tool Sophos HitmanPro.Alert.
https://www.scmagazineuk.com/vulnerability-found-sophos-anti-malware-product/article/1497367

Researcher Jay Rosenberg documents clear connection between one of Lazarus Group's tools and an open source Chinese CasperPhpTrojan remote access trojan.
https://www.intezer.com/paleontology-the-unknown-origins-of-lazarus-malware/

Apple releases specification of T2 security chip.
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf

Researchers announced a fast attack breaking OCB2, an ISO-standard authenticated encryption scheme.
https://eprint.iacr.org/2018/1040

InfoSec Week 19, 2018

There is a first ransomware which is taking advantage of a new Process Doppelgänging fileless code injection technique. Working on all modern versions of Microsoft Windows, since Vista. This variant of a known SynAck ransomware is using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process.
https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/

Security researchers from the Dutch information security company Computes has found that some Volkswagen and Audi cars are vulnerable to remote hacking. They were able to exploit vehicle infotainment systems. The possible attackers could track car location as well as listen to the conversations in a car.
https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking/

Twitter found a bug that stored user passwords unmasked in an internal log, there is no indication of a breach, but all Twitter users should change their passwords.
https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

There is a breakthrough cryptographic attack on 5-round AES using only 2^22 (previous best was 2^32) presented at CRYPTO 2018. It is joint work of Nathan Keller, Achiya Bar On, Orr Dunkelman, Eyal Ronen and Adi Shamir. This kind of attack is good when evaluating the security of a cipher, it does not have any real world implication as the AES is using at least 10 rounds in production implementations.
https://eurocrypt.2018.rump.cr.yp.to/a7141747a6c49798313a278e9a70afe2.pdf

Bug hunter which found multiple vulnerabilities in the 7-zip software used by anti-virus vendors wrote an blog on how to exploit one of such bugs. Interesting read.
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/

The 360 Core Security Division response team detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability (CVE-2018-8174). It is a remote code execution vulnerability of Windows VBScript engine and affects the latest version of Internet Explorer.
Microsoft patched this vulnerability few days ago and credited Chinese researchers.
http://blogs.360.cn/blog/cve-2018-8174-en/

Source code of TreasureHunter Point-of-Sale malware leaks online.
https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/

The ssh-decorator package from Python pip had an obvious backdoor (sending ip+login+password to ssh-decorate[.]cf in cleartext HTTP).
https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package/

Luke Picciau wrote about his experience with Matrix and it's Riot messenger for one year.
https://itscode.red/posts/1-year-using-matrix/

There is a first official version 1.0 RC of Briar for Android.
Briar is an open-source End-to-end encrypted Bluetooth / WiFi / Tor based mesh-networking (decentralized) messaging application.
https://briarproject.org/download.html

The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection.
https://github.com/guardicore/monkey

InfoSec Week 13, 2018

The city of Atlanta government has become the victim of a ransomware attack. The ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees were told to turn off their computers.
https://arstechnica.com/information-technology/2018/03/atlanta-city-government-systems-down-due-to-ransomware-attack/

The academic researchers have discovered a new side-channel attack method called BranchScope that can be launched against devices with Intel processors and demonstrated it against an SGX enclave. The patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

Good insight into the ransomware business and how it operates, how it transfers Bitcoin funds, with data gathered over a period of two years.
The paper is named "Tracking Ransomware End-to-end"
https://www.elie.net/static/files/tracking-ransomware-end-to-end/tracking-ransomware-end-to-end.pdf

Mozilla has created a Facebook Container extension for Firefox, which should enable users to protect their online habits by sandboxing Facebook webpage.
https://blog.mozilla.org/firefox/facebook-container-extension/

Interesting article about the North Korean army of hackers operating abroad with the mission to earn money by any means necessary.
https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army

Unified logs in the MacOS High Sierra (up to 10.13.3) show the plain text password for APFS encrypted external volumes via disk utility application.
https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp

SophosLabs researchers analyzed a new Android malware which is pretending to he a legitimate QR reader application, but actually is monetizing users by showing them a flood of full-screen advertisements. More than 500k apps were installed.
https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/

Brian Krebs analyzed the social network behind the recently famous Coinhive javascript cryptocurrency mining business.
https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/

CloudFlare published a Merkle Town dashboard, Certificate Transparency logs visualization tool.
https://blog.cloudflare.com/a-tour-through-merkle-town-cloudflares-ct-ecosystem-dashboard/

Facebook is tracking users' phone call information via their Android Messenger application.
https://twitter.com/i/web/status/977325434030428160

There are multiple critical vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

New version (4.0) of the most secure operating system on the planet - Qubes OS was released.
https://www.qubes-os.org/news/2018/03/28/qubes-40/

InfoSec Week 4, 2018

Electron applications designed to run on Windows that register themselves as the default handler for a protocol, like Skype, Slack and others, are vulnerable to the remote code execution vulnerability.
https://electronjs.org/blog/protocol-handler-fix

Dutch intelligence service AIVD provided the FBI with important information regarding Russian interference with the American elections. They have following the Cozy Bear APT for years.
https://www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

Good blog about the exploitation of the Intel Management Engine 11 vulnerabilities. Researchers Mark Ermolov and Maxim Goryachy were able to debug and analyse most of the Intel ME processes.
http://blog.ptsecurity.com/2018/01/running-unsigned-code-in-intel-me.html

It's possible to bypass the Cloudflare protection by scanning internet for misconfigured customers' servers.
https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/

It is possible for an unauthenticated attacker in the LAN network to achieve remote code execution (CVE-2018-5999) in the AsusWRT router as the root user.
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt

The Tinder dating application is not using encryption when accessing data on a backend server. Your naked photos could be seen by a waitress in a restaurant. The geeky one.
https://www.checkmarx.com/2018/01/23/tinder-someone-may-watching-swipe-2/

Oracle has released patches for ten vulnerabilities in VirtualBox, which allows guest to host virtual machine escape.
https://www.techrepublic.com/article/10-new-vm-escape-vulnerabilities-discovered-in-virtualbox/

The guy was able to obtain TLS certificates from the Let's Encrypt certification authority for domains that he does not own, due to the TLS-SNI-01 challenge workflow in a cloud environment. Shared hosting providers like Heroku, AWS CloudFront affected.
https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/

Blog by Joanna Rutkowska on a future Qubes Air operating system architecture roadmap. They want to provide compartmentalized secure Qubes OS as a service.
https://www.qubes-os.org/news/2018/01/22/qubes-air/

There is a cryptographic analysis of the WireGuard protocol. WireGuard is a layer 3 replacement for the IPsec, OpenVPN solutions. Interesting project.
https://eprint.iacr.org/2018/080

Nice introduction on how to fuzz TCP servers by Robert Swiecki.
http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html

InfoSec Week 41, 2017

SensePost researchers found out that the Microsoft Office home page is able to compromise user by loading ActiveX component with VBscript.
https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/

Microsoft security department were contacted by a worried user that found 2 seemingly identical µTorrent executables, with valid digital signatures, but different cryptographic hashes. As they have found out there were marketing campaign identifier in "a text file inside a ZIP file inside a PE file, BASE64 encoded and injected in the digital signature of a PE file.". Quite complicated...
https://isc.sans.edu/forums/diary/Its+in+the+signature/22928/

A vulnerability (CVE-2017-15361) in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace.
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

The rolling code in electronic keys for Subaru Forester (2009) and some other models are not random. Keys can be cloned, cars unlocked, with the hardware costs of $25. https://github.com/tomwimmenhove/subarufobrob

Microsoft reintroduced a Pool-based overflow kernel vulnerability on Windows 10 x64 (RS2) Creators Update which was originally patched in 2016. The guys wrote an exploit with rich explanation.
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
https://github.com/siberas/CVE-2016-3309_Reloaded

Blog about the "Exploding Git Repositories" that will crash your git process.
https://kate.io/blog/git-bomb/

MediaTek and Broadcom Wi-Fi AP drivers have a weak random number generator, allowing prediction of Group Temporal Key. Practical attack requires a LOT of handshakes.
https://lirias.kuleuven.be/bitstream/123456789/547640/1/usenix2016-wifi.pdf

How to hide a process from SysInternals without the admin rights, but with the privilege escalation.
https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/

Adam Langley blogged about the low level testing of the FIDO U2F security keys, namely Yubico, VASCO SecureClick, Feitian ePass, Thetis, U2F Zero, KEY-ID / HyperFIDO.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html

Good introductory blog about the (in)security of Intel Boot Guard. The author also published source code of the UEFITool with visual validation of Intel Boot Guard coverage.
https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9 https://github.com/LongSoft/UEFITool

A script that tests if access points are affected by Key Reinstallation Attacks (CVE-2017-13082) was published on a GitHub by researcher Mathy Vanhoef.
https://github.com/vanhoefm/krackattacks-test-ap-ft

The Miscreant is a Misuse-resistant symmetric encryption library supporting the AES-SIV (RFC 5297) and CHAIN/STREAM constructions.
https://tonyarcieri.com/introducing-miscreant-a-multi-language-misuse-resistant-encryption-library
https://github.com/miscreant/miscreant