Tag Linux

InfoSec Week 1, 2018

Daniel Shapira from Twistlock wrote a blog about exploiting a Linux kernel vulnerability in the waitid() syscall (CVE-2017-5123) in order to modify the Linux capabilities of a Docker container, gain privileges and escape the container jail.

There is a critical hardware bug in the Intel chips, which enables a user level process to access kernel address space, thus read other processes memory. Cloud providers and OS makers are preparing software patches, but the performance penalty could be significant. According to the Wired:
"[researchers] confirmed that when Intel processors perform that speculative execution, they don't fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution."

The guy dumped PlayStation 4 kernel by leaking arbitrary memory into accessible crashdumps.

ACM published article about more than 2 decades old ransomware experiments with the name "Cryptovirology: The Birth, Neglect, and Explosion of Ransomware".

Nice write up about exploit development for the arbitrary command execution on a BMC Server Automation remote agent software.

MacOS-only 0day vulnerability published on a last day of 2017. It is an IOHIDSystem kernel vulnerability that can be exploited by any unprivileged user.

Edward Snowden’s open source Haven application uses smartphone sensors to detect physical tampering.

PiKarma detects wireless network attacks performed by KARMA module (fake AP). Starts deauthentication attack (for fake access points).

InfoSec Week 47, 2017

According to the annual State of Open Source Security report, 77% of 433000 analyzed sites use at least one front-end JavaScript library with a known security vulnerability.

The AWS team published blog about the recent improvements to the secure random number generation in Linux 4.14, OpenSSL and libc.

Really good introduction to the anonymous communication network design and mix nets in general, published by Least Authority.

Those guys reverse-engineered the Furby Connect DLC file format and are able to remotely upload their own logos, songs to the device over Bluetooth.

There is a critical vulnerability in the MacOS High Sierra, anyone can login as root with empty password after clicking on login button several times. For now, it could be mitigated by just changing the root password.

Very good investigative journalism about the mysterious NSA contractor which could provided top secret documents to the Shadow Brokers.

Uber paid hackers $100k to delete stolen data on 57 million people and shut up. They have even tried to fake it as an bug bounty payment.

Someone published remote code execution exploit for the Exim Mail server (CVE-2017-16944) on GitHub. Shodan.io shows more than 400k servers with the vulnerable CHUNKING feature.

InfoSec Week 44, 2017

There are at least 14 newly discovered vulnerabilities in the Linux kernel USB subsystem. The vulnerabilities were found by the Google syzkaller kernel fuzzer. According to the researchers, all of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine.

Mozilla will remove root certificate of the Staat der Nederlanden (State of the Netherlands) Certificate Authority from Firefox browser if the Dutch government vote a new law that grants local authorities the power to intercept Internet communication using "false keys".

Bug hunter Scott Bauer has published an in depth analysis of the Android remotely exploitable bug in the blog post named "Please Stop Naming Vulnerabilities: Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones".

Some web pages use textfield with the CSS "asterix" trick instead of the password field so they can bypass browser security warning when password field is on an unencrypted web page. Nonsense.

More than 54 thousand have the same pair of 512-bit RSA keys as their DNS Zone Signing Keys.

Good blog from the ElcomSoft about the history and current possibilities in the iOS and iCloud forensics.

The Norwegian National Communications Authority reported GPS signal jamming activity in the Finnmark region near the Russian border.

Mac and Linux versions of the Tor anonymity software contained a flaw that can leak users real IP addresses.

Software and HDL code for the PCILeech FPGA based devices that can be used for the Direct Memory Access (DMA) attack and forensics is now available on a GitHub. The FPGA based hardware provides full access to 64-bit memory space without having to rely on a kernel module running on the target system.

InfoSec Week 39, 2017

Security researcher Gal Beniamini from Google has discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips and published working exploit after notifying affected parties.

Google engineers also found multiple flaws and vulnerabilities in the popular DNS software package - Dnsmasq. The patches are now committed to the project’s git repository. Make sure to upgrade to v2.78.

Arbor Networks researchers attributed Flusihoc DDoS botnet to the Chinese origins. More than 154 different command and control servers were used during the years, with over 48 still active right now.

HP Enterprise shared ArcSight source code with the Russians.

The vulnerability in Siemens industrial switches allows an unauthenticated attacker who has access to the network to remotely perform administrative actions.

Computer manufacturer company Purism is currently running crowdfunding campaign to finance Librem 5 – A Security and Privacy Focused Phone.
From the campaign webpage:
"Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers."
Support them!

Microsoft announced new cloud-based memory corruption bug detector with the codename Project Springfield.

Super-Stealthy Droppers - Linux "Diskless" binary execution by example.

InfoSec Week 27, 2017

WikiLeaks has published documents detailing two alleged CIA implants, BothanSpy and Gyrfalcon, designed to steal SSH credentials from Windows and Linux.

Popular article about the background of iPhone Jailbreaking. Really interesting.

Domains for an authoritative name servers of .io domain was free, so guy registered one, and published blog about the possibility of .io domains takeover.

The author of the original variant of the Petya ransomware has published the master key via Twitter.

Security researcher Nitay Artenstein has discovered a serious Broadcom Wi-Fi chip bug CVE-2017-9417.

Chinese researchers published an attack on a satellite phone encryption that enable them to decrypt communication encrypted by GMR-2 cipher in real-time.

API Security Checklist is the checklist of the most important security countermeasures when designing, testing, and releasing an online API.

Horcrux: A Password Manager for Paranoids is an research project and experimental implementation of a highly secure password manager. Credentials are secretshared over multiple servers, the passwords are filled by modifying outgoing POST requests.

InfoSec Week 24, 2017

Erebus ransomware distributed by the malicious advertisement campaign is using Rig exploit kit to infect Linux servers across the world.
Some companies had to pay already.

FireEye published anatomy of a cyber extortion scheme executed by FIN10 group. They infiltrate company networks, steal valuable data, then attempt to extort executives and board members of a company.

Researchers changed e-cigarette USB compatible charger for a keyboard emulator, so it can issue commands when connected to the PC.

Wired has published an article about the malware behind the Ukraine power grid blackout.

A lottery computer programmer designed his code so that on three days of the year, he could predict winning numbers in some games.

Part of the Wikileaks Vault 7 release, Cherry Blossom, exposes CIA wireless hacking toolkit.
https://wikileaks.org/vault7/#Cherry Blossom

Cisco Talos has published BASS - Automated Signature Synthesizer for malware detection.

Some (AVG, Avast, Avira, CheckPoint, K7) antivirus software‘s kernel vulnerabilities found by the bee13oy security researcher.

InfoSec Week 23, 2017

Turla malware is communicating with the C&C infrastructure by leaving comments in Britney Spears's Instagram account.

The gang behind Platinum threat is using Intel Active Management technology Serial-over-LAN channel to bypass the software firewall when transferring files, due to operating system independence of this low level technology.

Montenegro is continuously targeted by cyber attacks attributed to the APT28 group as a part of a broader influence campaign.

MacSpy malware-as-a-service is a feature rich RAT targeting OS X operating system.

IBM researchers analyzed QakBot banking trojan responsible for "lock out" of the hundreds of Active Directory users.

A Linux malware is installing cryptocurrency mining software on Raspberry Pi via SSH. It's using only default SSH user & passphrase.

The GNU Privacy Guard (GnuPG) developers start new fundraising effort for the continued development of this well known encryption software.
If you want to know more about the capabilities of GnuPG, check the linked "An Advanced Intro to GnuPG" presentation from the last year.
Please, donate.

InfoSec Week 21, 2017

Check Point researchers revealed a new attack vector using malicious subtitle files, which, when downloaded by a victim’s media player, can provide complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io.

Check Point also discovered an auto-clicking adware found on 41 apps in Google Play Store. It is silently sending "clicks" to an advertisements pushed by the remote C&C server.

WannaCry support staff decrypted files for free because their "Taiwanese campaign seems to be a total failure." and they have "overestimated income of the population". How generous.

Cloak & Dagger is a new class of potential attacks affecting Android devices. It's basically an attack vector based on two Android permissions (SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE) that are allowed by default and malicious app can use them to do bad stuff.

Interesting security evaluation "of the Implantable Cardiac Device Ecosystem Architecture" by the WhiteScope. Basically, these devices are not authenticated, nor encrypted and can be programmed by anyone competent.

Crypto guys published paper breaking the encryption published 3 days earlier. Should have emailed them instead...
https://eprint.iacr.org/2017/471 https://eprint.iacr.org/2017/458

Vulnerability researcher Tavis Ormandy has ported Windows Defender to Linux:)
"This repository contains a library that allows native Linux programs to load and call functions from a Windows DLL."

InfoSec Week 18, 2017

Some good souls are selling Ransomware as a service. It has own logo, support, bug tracker, and a clean website.

The webpage of the open-source video transcoder application Handbrake was compromised and served malware for the Mac users.

Comparison of the "http81 IoT botnet" against the Mirai source code. The C&C code is different, but they took some parts of the published source code.

IBM shipped malware infected USB flash drives to the customers.

Shodan can now find malware C&C servers.

Deep insight into use-after-free vulnerability and many possibilities how to exploit it. https://scarybeastsecurity.blogspot.ch/2017/05/ode-to-use-after-free-one-vulnerable.html

Critical remotely exploitable vulnerability found in the Microsofts' Malware Protection service.

The criminals are stealing 2FA tokens by abusing widespread telecommunications network equipment.

Guido Vranken found a vulnerability (CVE-2017-8779) that allows an attacker to allocate any amount of bytes (up to 4 gigabytes per attack) on a remote RPCBIND host, and the memory is never freed unless the process crashes or the administrator halts or restarts the RPCBIND service.

Good summary of an iCloud Keychain Secrets vulnerability (CVE-2017–2448). From the blog:
"This allows an adversary to craft an OTR message which can negotiate a key successfully while bypassing the actual signature verification...Considering that OTR uses ephemeral keys for encryption, this flaw implies that a syncing identity key is no longer required for an adversary with Man In The Middle capabilities to negotiate an OTR session to receive secrets."

Researchers developed the cheapest way so far to hack a passive keyless entry system, as found on some cars. No cryptography broken.

OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.

Linux Malware Detect (LMD) is a malware scanner for Linux designed around the threats faced in shared hosted environments.

InfoSec Week 10, 2017

People around the Azerbaijan human rights activist and lawyer received spear phishing messages. Multi-year investigation by the Amnesty Global Insights. Keyloggging, screenshots, etc.

New Linux ARM malware ELF_IMEIJ.A (by Trend Micro) exploits a CGI Directory vulnerability in devices from CCTV\IP Cam technology vendor AVTech.

A rather amateurish ransomware has been analysed by the Palo Alto Networks. The only interesting part is, that it is actually not asking for money, instead: "RanRan does not ask for direct payment. Instead, prior to any negotiations regarding payment, the victim must create a subdomain with a seemingly politically inflammatory name as well as a Ransomware.txt file hosted on this subdomain. The hosted file must include a statement of ‘Hacked’ and an email address. By performing these actions, the victim, a Middle Eastern government organization, has to generate a political statement against the leader of the country. It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file."

Kaspersky Lab published report about the newly discovered disk wiper called StoneDrill. It's targeting organizations in Saudi Arabia and is somehow correlated to the Shamoon disk wiper. The malware uses memory injection into the victim’s browser, and provides also RAT functionality.

Errata Security published short analysis of the Wikileaks CIA/#vault7 refuting some claims published by Wikileaks.
There are a few interesting points in the Wikileaks dump, like one TODO list containing this insane note: "Research into embedding a CRL into a self signed cert as a method of stealthy remote beaconing". Nice.
http://blog.erratasec.com/2017/03/some-comments-on-wikileaks-ciavault7.html https://wikileaks.org/ciav7p1/cms/page_2621753.html https://wikileaks.com/ciav7p1/cms/page_5341230.html

IOActive research discovers multiple security vulnerabilities in Confide messaging application. Confide was not using authenticated encryption on a protocol level, and also was not validating server SSL cert.

SessionGopher is a PowerShell tool that uses WMI to extract saved session information for the remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.
https://www.fireeye.com/blog/threat-research/2017/03/using_the_registryt.html https://github.com/fireeye/SessionGopher

gargoyle - a technique for hiding program’s executable code in non-executable memory. At some programmer-defined interval, gargoyle will wake up – and with some ROP trickery – mark itself executable and do some work...
https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html https://github.com/JLospinoso/gargoyle