Tag malware

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.
http://seclists.org/fulldisclosure/2017/Dec/85

Matthew Green thinks that the recently discovered "Extended Random" extension of the RSA’s BSAFE TLS library found in the older Canon printers could be NSA backdoor.
https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/

Filippo Valsorda presented the key recovery attack against the carry bug in x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption affected.
https://events.ccc.de/congress/2017/Fahrplan/events/9021.html

Explanation how web trackers exploit browser login managers to track users on the Internet.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.
https://www.unian.info/world/2319991-russian-hacker-says-fsb-involved-in-creation-of-wannacry-malware.html

Short blog about the cracking encrypted (40-bit encryption) PDFs using hashcat.
https://blog.didierstevens.com/2017/12/27/cracking-encrypted-pdfs-part-2/

Crooks behind the VenusLocker ransomware to Monero mining. They are executing Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.
https://blog.fortinet.com/2017/12/20/group-behind-venuslocker-switches-from-ransomware-to-monero-mining

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.
https://lite.cnn.io/en/article/h_910710e71e532e73a80deb1294a2db7c

Proofpoint researchers published paper on largely undocumented LazarusGroup campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new

InfoSec Week 50, 2017

Crooks hacked Fox-IT by capturing fox-it.com DNS record, then obtained a certificated and executed a man-in-the-middle attack on connection.
https://www.fox-it.com/en/insights/blogs/blog/fox-hit-cyber-attack/

The Mandiant - FireEye company analyzed an incident at a critical infrastructure organization where an attacker deployed so called TRITON malware designed to manipulate industrial safety system. According to the analysis, "the malware was delivered as a Py2EXE compiled python script [...] containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers."
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

The anonymous researcher behind the massive internet scans of the IoT devices known for the BrickerBot case published some insights on his operation. Looks like he is a gray hat after all.
https://ghostbin.com/paste/q2vq2

Google published Android security roadmap for the next year. There will be lots of improvements, and new requirements for App developers.
https://android-developers.googleblog.com/2017/12/improving-app-security-and-performance.html

Multiple vulnerabilities were identified in Telegram messenger for Android, like arbitrary file overwrite on receiving and directory traversal. There are definitely better alternatives to this software...
https://bugs.chromium.org/p/project-zero/issues/detail?id=1470

Guy uploaded his self-signed malformed certificate to the websites which process them and found out lots of them is vulnerable to the XSS injection.
https://binaryfigments.com/2017/12/11/dont-trust-all-ssl-tls-certificates/

Mavinject is a legitimate Windows component digitally signed by Microsoft, that can be abused to inject any DLL inside a running process.
https://reaqta.com/2017/12/mavinject-microsoft-injector/

Microsoft pushed comprehensive audit reports on Windows Events to GitHub.
https://github.com/MicrosoftDocs/windows-itpro-docs/tree/master/windows/device-security/auditing

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
https://robotattack.org/

HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.
https://zwclose.github.io/HP-keylogger/

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
http://seclists.org/fulldisclosure/2017/Dec/38

Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.
https://securityaffairs.co/wordpress/66591/cyber-crime/moneytaker-group.html

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
https://www.recordedfuture.com/cyber-operations-cost/

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
https://www.bleepingcomputer.com/news/security/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence/

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
http://blog.kismetwireless.net/2017/11/dji-uav-drone-id.html

Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
https://github.com/wazuh/wazuh

Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.
https://github.com/wifiphisher/wifiphisher

InfoSec Week 48, 2017

The German Interior Minister is preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations.
https://www.bleepingcomputer.com/news/government/germany-preparing-law-for-backdoors-in-any-type-of-modern-device/

According to the Citizen Lab, Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware sold by Israeli firm Cyberbit.
https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/

Elcomsoft wrote an insight about the drastically degraded security of the Apples iOS 11 operating system.
https://blog.elcomsoft.com/2017/11/ios-11-horror-story-the-rise-and-fall-of-ios-security/

Chinese drone maker D.J.I. is potentially sharing collected data with the Chinese government.
https://mobile.nytimes.com/2017/11/29/technology/dji-china-data-drones.html

Crooks are installing cryptocurrency miners by using typosquatting npm package names. They are searching for the unregistered package names with the difference of one bit from a well known packages.
https://medium.com/avahowell/bitsquatting-npm-packages-533c988d568f

Swiftype written a good blog about their infrastructure risk assessment and threat modeling.
https://swiftype.engineering/threat-modelling-and-infrastructure-risk-assessment-at-swiftype-6c1b337c7df1

Nvidia published a paper about the clustering of a benign and malicious Windows executables using neural networks.
https://devblogs.nvidia.com/parallelforall/malware-detection-neural-networks/

Bucket Stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.
https://github.com/eth0izzle/bucket-stream

Sysdig Inspect – a powerful interface for container troubleshooting and security investigation
https://github.com/draios/sysdig-inspect/

InfoSec Week 46, 2017

Multiple critical vulnerabilities were found in the Intel Management Engine, Trusted Execution Engine and Server Platform Services by Intel audit after 3rd party researchers reported the privilege escalation vulnerability.
http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-management-engine-affecting-millions/

If you have a vulnerable F5, basically attackers can sign anything with your RSA private key. An F5 BIG-IP virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages.
https://support.f5.com/csp/article/K21905460

MalwareHunterTeam discovered a new variant of the CryptoMix ransomware. It uses hardcoded RSA keys and can work offline.
https://securityaffairs.co/wordpress/65716/malware/cryptomix-ransomware-2.html

Attackers are using Microsoft’s Office documents Dynamic Data Exchange protocol to download and install malware. Microsoft does not consider it a vulnerability.
https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware-attacks

Nice step by step guide on how to put shellcode into a legitimate PE file, and make it undetectable.
https://haiderm.com/fully-undetectable-backdooring-pe-files/

Extensive review of U2F hardware devices.
https://github.com/hillbrad/U2FReviews

al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of nowadays malware tricks and the goal is to see if you stay under the radar.
https://github.com/LordNoteworthy/al-khaser

Puffs is a domain-specific language and library for parsing untrusted file formats safely. Examples of such file formats include images, audio, video, fonts and compressed archives.
https://github.com/google/puffs

InfoSec Week 45, 2017

Researchers exploited antivirus software quarantine mechanism to gain privileges by manipulating the restore process from the virus quarantine. By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations.
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/

Wikileaks released source code of leaked CIA hacking tools and it indicates that the CIA used fake certificates attributed to Kaspersky Labs for signing their malware.
https://wikileaks.org/vault8/
https://twitter.com/i/web/status/928669548210991104

A security researcher has discovered factory application in OnePlus devices. It can be used to gain root privileges, dump photos, collect WiFi & GPS information.
https://www.bleepingcomputer.com/news/security/second-oneplus-factory-app-discovered-this-one-dumps-photos-wifi-and-gps-logs/
https://github.com/sirmordred/AngelaRoot

There was a vulnerability in CouchDB caused by a discrepancy between the database’s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations.
https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

Researchers from the Princeton university have been studying third-party trackers that record sensitive personal data that users type into websites, and the results are not good.
https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

iPhone X's Face ID facial recognition security mechanism system was circumvented by Vietnam experts using a 3D mask.
http://www.bkav.com/d/top-news/-/view_content/content/103968/face-id-beaten-by-mask-not-an-effective-security-measure

Security researcher Maxim Goryachy reports being able to execute unsigned code on computers running the Intel Management Engine through USB.
https://twitter.com/h0t_max/status/928269320064450560

Deep dive into the Facebook sextorcism scheme using fake young girls profiles by the guys from Marseille.
http://ici.radio-canada.ca/special/sextorsion/en/index.html

Long read about how the security breaches by the Shadow Brokers damaged the US National Security Agency.
https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html

Analysis of a low cost Chinese GSM listening and location device hidden inside the plug of a standard USB data/charging cable.
https://ha.cking.ch/s8_data_line_locator/

Privacy Pass is a browser extension for Chrome and Firefox, which uses privacy-preserving cryptography to allow users to authenticate to the services without compromising their anonymity. It uses blind signature schemes.
https://privacypass.github.io

InfoSec Week 43, 2017

Researchers from the Masaryk University finally published full paper of the practical cryptographic attack against the implementation of RSA in the widely used trusted platform modules / crypto tokens.
"The Return of Coppersmith’s A‚ttack: Practical Factorization of Widely Used RSA Moduli" https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf

Those guys published an interesting paper about the secure cryptographic computation with the threat model without attackers based on Earth. They are proposing SpaceHSM hardware secure devices on the orbit.
"SpaceTEE: Secure and Tamper-Proof Computing in Space using CubeSats"
https://arxiv.org/abs/1710.01430

There is a small chance that the documents encrypted by Bad Rabbit ransomware could be recovered without paying ransom, if the shadow copies had been enabled in the Windows prior to infection. Victims can restore the original versions of the encrypted files using standard Windows backup mechanism.
For technical analysis of the Bad Rabbit ransomware, see the second link.
https://securelist.com/bad-rabbit-ransomware/82851/
https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis

Google is going to deprecate the use of pinned public key certificates, public key pinning (PKP), from the Google Chrome browser.
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

The British government has publicly attributed North Korean government hackers as a source behind the "WannaCry" malware epidemy.
https://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html

Multiple remote execution vulnerabilities (CVE-2017-13089, CVE-2017-13090) were patched in the popular software Wget. Update!
https://www.viestintavirasto.fi/en/cybersecurity/vulnerabilities/2017/haavoittuvuus-2017-037.html

The source code of an AhMyth Android remote administration tool is available on GitHub. It can steal contact information, turn on camera, microphone, read SMS, and more.
https://github.com/AhMyth/AhMyth-Android-RAT

Malscan is a robust and fully featured scanning platform for Linux servers built upon the ClamAV platform, providing all of the features of Clamscan with a host of new features and detection modes.
https://github.com/jgrancell/malscan

There is an update for the world's fastest and most advanced password recovery utility Hashcat.
https://github.com/hashcat/hashcat/releases/tag/v4.0.0

InfoSec Week 42, 2017

Interesting research on the possibility of a cheap online surveillance.
"In this work we examine the capability of [..] an individual with a modest budget -- to access the data collected by the advertising ecosystem. Specifically, we find that an individual can use the targeted advertising system to conduct physical and digital surveillance on targets that use smartphone apps with ads."
https://adint.cs.washington.edu/

Mnemonic company together with the Norwegian Consumer Council tested several smartwatches for children and found numerous security vulnerabilities that allows child tracking, etc.
https://www.forbrukerradet.no/side/significant-security-flaws-in-smartwatches-for-children

The Cisco Talos team discovered an e-mail campaign spreading malicious Visual Basic inserted in a Cyber Conflict U.S. conference flyer, targeting cyber warfare conference participants.
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

SfyLabs security researchers have spotted a new Android banking trojan named LokiBot. It has banking trojan functionality, but turns into ransomware and locks users out of their phones if they try to remove its admin privileges.
https://www.bleepingcomputer.com/news/security/lokibot-android-banking-trojan-turns-into-ransomware-when-you-try-to-remove-it/

There is a newly published cryptographic attack on some legacy systems like Fortinet FortiGate VPN, which uses ANSI X9.31 random number generator with a hardcoded seed key.
https://duhkattack.com/
https://blog.cryptographyengineering.com/2017/10/23/attack-of-the-week-duhk/

Nice explanation of a remote code execution vulnerability (CVE-2017-13772) on a TP-Link WR940N home WiFi router.
https://www.fidusinfosec.com/tp-link-remote-code-execution-cve-2017-13772/

Purism’s Librem Laptops running open-source coreboot firmware are now available with completely disabled Intel Management Engine.
https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/

Wire, open source end-to-end encrypted messenger is now open for corporate clients. It offers secure chats, calls and file sharing while following strict European data protection laws.
https://medium.com/@wireapp/wire-open-for-business-2c535033cf9a

InfoSec Week 41, 2017

SensePost researchers found out that the Microsoft Office home page is able to compromise user by loading ActiveX component with VBscript.
https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/

Microsoft security department were contacted by a worried user that found 2 seemingly identical µTorrent executables, with valid digital signatures, but different cryptographic hashes. As they have found out there were marketing campaign identifier in "a text file inside a ZIP file inside a PE file, BASE64 encoded and injected in the digital signature of a PE file.". Quite complicated...
https://isc.sans.edu/forums/diary/Its+in+the+signature/22928/

A vulnerability (CVE-2017-15361) in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace.
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

The rolling code in electronic keys for Subaru Forester (2009) and some other models are not random. Keys can be cloned, cars unlocked, with the hardware costs of $25. https://github.com/tomwimmenhove/subarufobrob

Microsoft reintroduced a Pool-based overflow kernel vulnerability on Windows 10 x64 (RS2) Creators Update which was originally patched in 2016. The guys wrote an exploit with rich explanation.
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
https://github.com/siberas/CVE-2016-3309_Reloaded

Blog about the "Exploding Git Repositories" that will crash your git process.
https://kate.io/blog/git-bomb/

MediaTek and Broadcom Wi-Fi AP drivers have a weak random number generator, allowing prediction of Group Temporal Key. Practical attack requires a LOT of handshakes.
https://lirias.kuleuven.be/bitstream/123456789/547640/1/usenix2016-wifi.pdf

How to hide a process from SysInternals without the admin rights, but with the privilege escalation.
https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/

Adam Langley blogged about the low level testing of the FIDO U2F security keys, namely Yubico, VASCO SecureClick, Feitian ePass, Thetis, U2F Zero, KEY-ID / HyperFIDO.
https://www.imperialviolet.org/2017/10/08/securitykeytest.html

Good introductory blog about the (in)security of Intel Boot Guard. The author also published source code of the UEFITool with visual validation of Intel Boot Guard coverage.
https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9 https://github.com/LongSoft/UEFITool

A script that tests if access points are affected by Key Reinstallation Attacks (CVE-2017-13082) was published on a GitHub by researcher Mathy Vanhoef.
https://github.com/vanhoefm/krackattacks-test-ap-ft

The Miscreant is a Misuse-resistant symmetric encryption library supporting the AES-SIV (RFC 5297) and CHAIN/STREAM constructions.
https://tonyarcieri.com/introducing-miscreant-a-multi-language-misuse-resistant-encryption-library
https://github.com/miscreant/miscreant

InfoSec Week 40, 2017

There is a great probability that if you used Outlook’s S/MIME encryption in the past 6 months, plaintext of your emails was leaked to the mail exchange because of Outlook S/MIME CVE-2017-11776 vulnerability.
https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/index.html

The Kaspersky anti-virus was allegedly stealing NSA secrets using a silent signature mode that detected classified documents. Israel hacked the Kaspersky, and notified the NSA.
https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html
https://www.wsj.com/articles/russian-hackers-scanned-networks-world-wide-for-secret-u-s-data-1507743874

A custom OxygenOS Android fork that comes installed on all OnePlus smartphones, is tracking users, allowing OnePlus to connect each phone to its customer.
https://www.chrisdcmoore.co.uk/post/oneplus-analytics/

Chromebooks and Chromeboxes are affected by a bug in certain Infineon Trusted Platform Module (TPM) firmware versions. RSA keys generated by the TPM being vulnerable to a computationally expensive attacks. Targeted attacks are possible.
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

KovCoreG hacking group used advertising network on Pornhub to redirect users to a fake browser update websites that installed malware.
https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-ad-fraud-malware

Apple released a security patch for macOS High Sierra 10.13 to fix vulnerabilities in the Apple file system (APFS) volumes and Keychain software. The patch also addresses a flaw in the Apple file system that exposes encrypted drive’s password in the hint box.
http://securityaffairs.co/wordpress/63896/hacking/apple-file-system-flaw.html

Yet another part of the reverse engineering blog post series analyzing TrickBot with IDA.
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core

Keybase has launched a nice new feature - encrypted Git. There are no services like website, pull requests, issue tracking or wiki, just simple git. Encrypted.
https://keybase.io/blog/encrypted-git-for-everyone


Page 1 / 5