Tag Linux

InfoSec Week 8, 2019

Dutch security researcher Victor Gevers found misconfigured MongoDB database containing facial recognition and other sensitive information about the Uyghur Muslim minority in China. Looks like the company behind the database is Chinese surveillance company SenseNets.
https://www.zdnet.com/article/chinese-company-leaves-muslim-tracking-facial-recognition-database-exposed-online/

The UK's GCHQ intelligence agency subsidiary, the National Cyber Security Centre, evaluated Huawei devices with the vendor and unofficially decided that the risk using Huawei devices in the infrastructure can be managed.
This is a quite interesting turning point as other US allies are banning Huawei devices from their networks.
https://www.bbc.com/news/business-47274643

If you want to know the alternatives for the PGP functionality, George Tankersley wrote a nice list for that.
https://blog.gtank.cc/modern-alternatives-to-pgp/

Open Privacy Research Society released an alpha version of Cwtch, decentralized, privacy-preserving, asynchronous multi-party messaging protocol that can be used to build other applications.
https://openprivacy.ca/blog/2019/02/14/cwtch-alpha/

Linux kernel through 4.20.10 version contain use after free arbitrary code execution vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8912

Check Point researchers have discovered 19 years old critical vulnerability in the WinRAR software that can be exploited just by extracting an archive.
https://research.checkpoint.com/extracting-code-execution-from-winrar/

Tavis Ormandy discovered old stack buffer overflow vulnerability in the MatrixSSL implementation used primarily by the embedded devices.
https://www.openwall.com/lists/oss-security/2019/02/15/1

Really in-depth article about the discovery and exploitation of the local privilege elevation vulnerability in the LG kernel driver (CVE-2019-8372).
http://www.jackson-t.ca/lg-driver-lpe.html

Microsoft is finally deprecating weak SHA-1 hash family in their Windows update mechanism.
https://arstechnica.com/gadgets/2019/02/mandatory-update-coming-to-windows-7-2008-to-kill-off-weak-update-hashes/

Brian Krebs wrote an article about the recent widespread DNS hijacking attacks attributed to the Iranian hackers.
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/

Independent Security Evaluators published a security comparison of the top five password managers which are working on Windows 10.
https://www.securityevaluators.com/casestudies/password-manager-hacking/

InfoSec Week 7, 2019

Ubiquiti network devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out.
https://www.zdnet.com/article/over-485000-ubiquiti-devices-vulnerable-to-new-attack/

Researchers demonstrated that Intel SGX trusted enclave poses a security thread, when they implemented proof malware that bypasses antivirus protection by leveraging SGX properties. Find more information in the research paper named "Practical Enclave Malware with Intel SGX".
https://arxiv.org/abs/1902.03256

Looks like the diffusion layer of Russian symmetric ciphers Kuznyechik and hash function Streebog, have mathematical properties required for the backdoor. There is no theoretical attack yet, and I am not convinced that it is on purpose, but the construction is suspicious.
https://mailarchive.ietf.org/arch/msg/cfrg/4PmssKzCBsxTmLCieDgqD7Nynwg

Google engineers have designed a new encryption mode for ChaCha stream cipher called Adiantum. The new encryption mode should be used on cheap ARM processors that does not have hardware support for AES, and it is almost 5x faster than AES-256-XTS.
https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html

Current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API.
https://www.exploit-db.com/exploits/46362

Phones running Android OS can be compromised remotely by viewing malicious PNG image.
https://source.android.com/security/bulletin/2019-02-01.html

A new vulnerability in the runc, container runtime used by Docker, Kubernetes and others. allows container escape just by running a malicious image.
https://www.openwall.com/lists/oss-security/2019/02/11/2

NCC Group published an interesting blog about a downgrade attack on TLS 1.3 and multiple other vulnerabilities in major TLS Libraries which they found last year.
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/

Researcher Scott Gayou published a step by step guide on how to jailbreak Subaru Crosstrek 2018 head unit leveraging USB port and update mechanism.
https://github.com/sgayou/subaru-starlink-research/tree/master/doc

According to the Airbnb presentation, 38 percent of bugs at Airbnb could have been prevented by using types.
https://www.reddit.com/r/typescript/comments/aofcik/38_of_bugs_at_airbnb_could_have_been_prevented_by/

You can try to find bugs in the Swiss eVoting System, as they opened a bug bounty program. There is also a source code available for registered bug hunters.
https://onlinevote-pit.ch/details/

Google open sourced ClusterFuzz, an infrastructure used for fuzzing Chrome and OSS-Fuzz, continuous fuzzing pipeline of open source software.
https://opensource.googleblog.com/2019/02/open-sourcing-clusterfuzz.html

InfoSec Week 46, 2018

Researchers at the University of California have found that GPUs are vulnerable to side-channel attacks and demonstrated multiple types of attacks. After reverse engineering Nvidia GPU, researchers were able to steal rendered password box from a browser, sniffed other browser related data and also settings from the neural network computations on a GPU in the data center.
https://www.networkworld.com/article/3321036/data-center/gpus-are-vulnerable-to-side-channel-attacks.html

Cybersecurity firm Trend Micro has analyzed a new cryptocurrency mining malware that targets Linux OS and is able to hide its processes by implementing a rootkit component.
The rootkit will replace and hooks the readdir and readdir64 application programming interfaces (APIs) of the libc library so the system is unable to monitor miner workers anymore.
https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/cryptocurrency-mining-malware-targets-linux-systems-uses-rootkit-for-stealth

An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on a continuous positive airway pressure (CPAP) machines to create a free tool that lets patients modify their treatment.
https://motherboard.vice.com/en_us/article/xwjd4w/im-possibly-alive-because-it-exists-why-sleep-apnea-patients-rely-on-a-cpap-machine-hacker

In 2016, Russia's Internet Research Agency used browser plugin malware called FaceMusic which "liked" Russian content and made their content popular on a social networks.
Now a Russian national living in Bulgaria has been detained on an US arrest warrant and is accused of online fraud & maintaining a computer network with servers in Dallas between Sep 2014 - Dec 2016.
https://edition.cnn.com/2018/11/10/world/russian-hacker-wanted-by-the-united-states-arrested-in-bulgaria/index.html

The European Commission has just announced trials in Hungary, Greece and Latvia of iBorderCtrl project that includes the use of an AI-based lie detection system to spot when visitors to the EU give false information about themselves and their reasons for entering the area.
https://www.privateinternetaccess.com/blog/2018/11/ai-based-lie-detection-system-at-eu-borders-will-screen-travellers-for-biomarkers-of-deceit

Troy Hunt analyzed 2FA, U2F authentication mechanisms and commented on the Google Advanced Protection enrollment procedure.
https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/

Bitwarden open source password manager has completed a thorough security audit and cryptographic analysis from the security experts at Cure53.
https://blog.bitwarden.com/bitwarden-completes-third-party-security-audit-c1cc81b6d33

According to a Censys online platform, over a million AT&T devices, probably cable modems share the same TLS private key.
https://twitter.com/nikitab/status/1062161234173288449

Researchers from Mozilla published blog on how they have designed privacy-aware Firefox Sync.
https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

Two weeks ago we wrote about an attack against the OCB2 authenticated encryption scheme. It breaks integrity of OCB2.
Now there are two more papers, one breaks confidentiality and the other recovers plain text.
https://ia.cr/2018/1087
https://ia.cr/2018/1090

There is a zero day exploit "PHP_imap_open_exploit" in PHP that allows bypassing disabled exec functions by using call to imap_open.
https://github.com/Bo0oM/PHP_imap_open_exploit

InfoSec Week 39, 2018

Linux had officially committed to implementing and obeying the Code of Conduct — which is immediately misused to remove top Linux coders.
Some of the Linux developers are now threatening to withdraw the license to all of their code.
https://lulz.com/linux-devs-threaten-killswitch-coc-controversy-1252/

Bug in Twitter sent users' private direct messages to third-party developers who were not authorized to receive them. Some brand accounts should be affected.
https://blog.twitter.com/developer/en_us/topics/tools/2018/details-for-developers-on-Account-Activity-API-bug.html

Qualcomm accuses Apple of stealing chip secrets for the purpose of helping Intel overcome engineering flaws in its chips.
https://www.cnbc.com/2018/09/25/qualcomm-accuses-apple-of-giving-its-chip-secrets-to-intel.html

Australian government pushes for the smartphone spyware implanted by Telco vendors, manufacturers.
https://www.brisbanetimes.com.au/business/companies/spyware-on-phone-fears-as-dutton-pushes-new-security-laws-20180924-p505oc.html

At least the sixth backdoor account was removed from Cisco devices this year.
This time it's "hardcoded credentials" in the Cisco Video Surveillance Manager (VSM) Software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm

ESET researchers discovered, that the Kodi Media Player add-ons are misused for the cryptocurrency mining malware distribution.
https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/

According to a stackexchange post, "the Chinese police is forcing whole cities to install an Android spyware app Jingwang Weishi.
They are stopping people in the street and detaining those who refuse to install it."
https://security.stackexchange.com/questions/194353/police-forcing-me-to-install-jingwang-spyware-app-how-to-minimize-impact

Researchers proved that the security of PKCS #1 Digital Signatures is as secure as any of its successors like RSA-PSS and RSA Full-Domain.
https://www.schneier.com/blog/archives/2018/09/evidence_for_th.html

There is a novel cache poisoning attack on WiFi by a remote off-path mitm attack vector.
Takes only 30 seconds and is using interesting multi-packet injection for timing side channel inference for injection. Works on Windows, OSX and Linux.
https://www.usenix.org/conference/usenixsecurity18/presentation/chen-weiteng

InfoSec Week 34, 2018

If you are running Linux machines in Microsoft Azure, you should disable built-in wa-linux-agent backdoor that enable root access from Azure console.
https://raymii.org/s/blog/Linux_on_Microsoft_Azure_Disable_this_built_in_root_access_backdoor.html

There is a good blog post by Stuart Schechter about the dark side of the two factor authentication. Highly recommended reading.
https://medium.com/@stuartschechter/before-you-turn-on-two-factor-authentication-27148cc5b9a1

Great research by Eyal Ronen, Kenneth G. Paterson and Adi Shamir demonstrate that adopting pseudo constant time implementations of TLS are not secure against the modified Lucky 13 attack on encryption in CBC-mode. Tested against four fully patched implementations of TLS - Amazon's s2n, GnuTLS, mbed TLS and wolfSSL.
https://eprint.iacr.org/2018/747

Traefik, popular open source reverse proxy and load balancing solution is leaking (CVE-2018-15598) TLS certificate private keys via API.
https://www.bleepingcomputer.com/news/security/cloud-product-accidentally-exposes-users-tls-certificate-private-keys/

Google enrolled Hardware Secure Module to their Cloud Key Management Service. The customers can use it to store their encryption keys with FIPS 140-2 Level 3 security certified devices from now on.
https://cloud.google.com/hsm/

Microsoft Corp said that Russian hackers are targeting U.S. political groups ahead of November’s congressional elections.
https://www.reuters.com/article/us-usa-russia-hackers/russian-hacking-of-conservative-groups-sites-thwarted-microsoft-idUSKCN1L60I0

The WIRED cover story on how Russian NotPetya malware took down Maersk, the world’s largest shipping firm.
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

Kaspersky Lab published analysis of a sophisticated "Dark Tequila" banking malware which is targeting customers in Mexico and other Latin American nations.
https://securelist.com/dark-tequila-anejo/87528/

NSA successfully cracked and listened for years to encrypted networks of Russian Airlines, Al Jazeera, and other “High Potential” targets.
https://theintercept.com/2018/08/15/nsa-vpn-hack-al-jazeera-sidtoday/

Anonymous targeted Spanish Constitutional Court, economy and foreign ministry websites to support Catalonia separatist drive.
https://securityaffairs.co/wordpress/75509/hacking/anonymous-catalonia.html

Red Teaming/Adversary Simulation Toolkit is a collection of open source and commercial tools that aid in red team operations.
https://github.com/infosecn1nja/Red-Teaming-Toolkit

InfoSec Week 33, 2018

There is an OpenSSH user enumeration attack against all software versions on all operating systems.
It's a timing attack with proof of concept already published.
http://www.openwall.com/lists/oss-security/2018/08/15/5
https://bugfuzz.com/stuff/ssh-check-username.py

The so-called RedAlpha malware campaign targeting the Tibetan community is deploying a novel “ext4” Linux backdoor. The group is using infrastructure registered with Tsinghua1 University, China and is believed to be conducted by Chinese state-sponsored actors in support of China’s economic development goals.
https://www.recordedfuture.com/chinese-cyberespionage-operations/

The Australia’s Assistance and Access Bill, introduced this week, want to jail people for up to 10 years if they refuse to unlock their phones.
https://nakedsecurity.sophos.com/2018/08/16/australians-who-wont-unlock-their-phones-could-face-10-years-in-jail/

A new research paper named "Piping Botnet - Turning Green Technology into a Water Disaster" demonstrate that the researchers were able to manipulate commercial smart IoT systems used for regulating water and electricity resources.
https://arxiv.org/abs/1808.02131

The guy with his BMW car encountered the theft attempt, where something that looked like a vandalism was actually a really smart attack against the modern alarm system.
https://mrooding.me/a-dutch-first-ingenious-bmw-theft-attempt-5f7f49a96ec8

Cloudflare analyzed the changes and improvements of a new TLS 1.3 (RFC 8446) standard that was finally published last week.
https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

New Foreshadow attack demonstrates how speculative execution can be exploited for reading the contents of Intels' SGX-protected memory as well as extracting the machine’s private attestation key.
https://foreshadowattack.eu/

Practical dictionary attacks are possible against the main mode of IPsec IKEv1/v2 standard. Successful exploitation of a weak password requires only a single active man-in-the-middle attack.
https://web-in-security.blogspot.com/2018/08/practical-dictionary-attack-on-ipsec-ike.html

If you are interested how cryptographic key management is practically done, I have written a blog Commercial Cryptographic Key Management in 2018, where I am explaining a little bit about the hardware, people and processes behind it.
https://www.malgregator.com/key-management.html

Google published BrokenType, the font fuzzing toolset that helped find lots of vulnerabilities in the Windows kernel. It includes a font mutator, generator and loader.
https://github.com/google/BrokenType

InfoSec Week 31, 2018

Reddit got hacked. According to the investigation, it looks like hackers accessed employees 2FA protected accounts.
An attacker "compromised a few of Reddit's accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes".
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

A non-official French website keepass.fr using an URL similar to the popular password manager KeePass one lets you download a tampered version of the password manager with some adware in it.
https://twitter.com/JusticeRage/status/1021815597972291591

According to The Intercept_, Google is planning to launch a censored version of its search engine in China that will blacklist websites and search terms about human rights, democracy, religion, and peaceful protest.
One can only wonder whether it is some part of a broader strategy, how to spread channels of influence abroad.
https://theintercept.com/2018/08/01/google-china-search-engine-censorship/

There is a great blog published on a Trail of Bits about the recent invalid elliptic curve point attack against the Bluetooth implementations.
Give it a try if you are interested, it's really easy to read!
https://blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/amp/

A borough and a town in Alaska have been hit by a devastating ransomware attack, forcing employees to completely stop using computers and go back to typewriters and hand receipts.
https://mashable.com/2018/08/02/malware-alaska-town

BYOB (Build Your Own Botnet) is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop countermeasures against these threats.
https://github.com/colental/byob

FireEye wrote article about the internals of a FIN7 hacking group global operation.
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

WireGuard, next generation VPN software, is finally submitted for the Linux kernel inclusion. Linus Torvalds commented the pull request:
"I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."
https://marc.info/?l=linux-netdev&m=153306429108040&w=2
http://lists.openwall.net/netdev/2018/08/02/124

Malhunt: automated malware search in memory dumps using volatility and Yara rules.
https://github.com/andreafortuna/malhunt

InfoSec Week 30, 2018

Researchers from the Palo Alto Networks analyzed new Mirai and Gafgyt IoT/Linux botnet campaigns. The samples used more than 11 exploits for spreading, exploiting D-Link, Dasan GPON routers.
https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

Brian Krebs published a blog post about the current status of the Universal 2nd Factor (U2F) support. Google practically eliminated employee phishing by introducing mandatory usage of the physical security keys.
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/

There is a new module for the CHIPSEC Security Assessment Framework to check CPU USB debug features and host Direct Connection Interface (DCI), which can be used to modify system firmware with physical access and introduce "Evil Maid" firmware attacks.
https://blog.eclypsium.com/2018/07/23/evil-mai%EF%BB%BFd-firmware-attacks-using-usb-debug/

Chinese police arrested malware developers for hacking millions of computers to steal $2 million in cryptocurrencies.
https://www.ccn.com/chinese-police-arrest-malware-developers-who-hacked-2-million-in-crypto/

Paper on a new Spectre variant called SpectreRSB was published with the name "Spectre Returns! Speculation Attacks using the Return Stack Buffer".
According to a paper „none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks.“
https://arxiv.org/abs/1807.07940

The source code of an Exobot Android Banking Trojan has been leaked online back in May has rapidly spread in the malware community.
https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/

Because of insufficient validation of parameters in many Bluetooth implementations, attackers can inject invalid elliptic curve parameters which aren’t checked by many implementations in an invalid public key making session keys vulnerable.
https://www.kb.cert.org/vuls/id/304725

The Cisco Talos security team found multiple vulnerabilities, including remote code execution vulnerability in the Sony IPELA E series network camera. https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html

NSA declassified papers from John Tiltman, one of Britain’s top cryptanalysts during the Second World War, which reveal how pre-world war 2 Brits analyzed and decrypted Russian cryptography.
https://www.theregister.co.uk/2018/07/19/russia_one_time_pads_error_british/

InfoSec Week 29, 2018

The academics have mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations. The novel part is that they are using real map data to generate plausible malicious instructions.
https://www.bleepingcomputer.com/news/security/researchers-mount-successful-gps-spoofing-attack-against-road-navigation-systems/

Folks from Cloudflare, Mozilla, Fastly, and Apple during a hackaton implemented Encrypted Server Name Indication (SNI). There are implementations in BoringSSL, NSS and picotls.
https://twitter.com/grittygrease/status/1018566026320019457

Good insight on how credit card thieves use free-to-play apps to steal and launder money from the credit cards.
https://kromtech.com/blog/security-center/digital-laundry

Chromium recently introduced Cross-Origin Read Blocking (CORB) that helps mitigate the threat of side-channel attacks (including Spectre).
https://www.chromium.org/Home/chromium-security/corb-for-developers

For anybody interested in reverse engineering, nice write up about the Smoke Loader malware bot unpacking mechanism and communication with the C&C.
https://www.cert.pl/en/news/single/dissecting-smoke-loader/

A research on how to bypass memory scanners using Cobalt Strike’s beacon payload and the gargoyle memory scanning evasion technique.
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/

Eset researchers analyzed ongoing espionage campaign against the Ukrainian government institutions.
https://www.welivesecurity.com/wp-content/uploads/2018/07/ESET_Quasar_Sobaken_Vermin.pdf

The intercept summarized what the public has learned about Russian and U.S. spycraft from the Special Counsel Robert Mueller’s indictment of hackers.
https://theintercept.com/2018/07/18/mueller-indictment-russian-hackers/

Security researchers have uncovered a highly targeted mobile malware campaign that has been operating since August 2015 and found spying on 13 selected iPhones in India.
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html

There is an exploit for Ubuntu Linux (up to 4.17.4) where other users coredumps can be read via setgid directory and killpriv bypass.
https://www.exploit-db.com/exploits/45033/

InfoSec Week 28, 2018

Hackers have poisoned the Arch Linux PDF reader package named “acroread” that was found in a user-provided Arch User Repository (AUR). They have put downloader malware inside.
https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

Hackers took over the maintainer account of the eslint-scope and eslint-config-eslint npm packages and published malicious versions which were downloading some juicy scripts from the pastebin.com. https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes

Backend of the TimeHop iOS application was compromised, personal records of the 21 million customers leaked.
https://www.timehop.com/security/technical

Nice journalism about how few researchers found the names and addresses of soldiers and secret agents using Strava fitness application when the company published tracking maps on the internet.
https://decorrespondent.nl/8481/heres-how-we-found-the-names-and-addresses-of-soldiers-and-secret-agents-using-a-simple-fitness-app

Lexington Insurance Company and Beazley Insurance Company are suing Trustwave over a 2009 breach. Trustwave supposedly failed to detect malware that caused a breach.
This will be huge precedent in the whole industry.
https://www.bleepingcomputer.com/news/security/security-firm-sued-for-failing-to-detect-malware-that-caused-a-2009-breach/

One email to a North American Network Operators mailing list led to a concerted effort to kick a notorious BGP hijacking factory off the Internet.
https://blog.apnic.net/2018/07/12/shutting-down-the-bgp-hijack-factory/

It looks like that the Carbanak banking malware source code was leaked.
https://malware-research.org/carbanak-source-code-leaked/

Researchers found spying malware signed using digital certificates stolen from D-Link and other Taiwanese tech-companies.
https://thehackernews.com/2018/07/digital-certificate-malware.html


Page 1 / 3