Tag malware

InfoSec Week 15, 2018

The U.S. Secret Service is warning about a new scam scheme where the crooks are intercepting new debit cards in the mail and replace the chips on the cards with chips from old cards. Once owners activate the cards, crooks will use stolen chips for their financial gain.

Russian state regulator Roskomnadzor have ordered to block the Telegram messaging application 48 hours after it missed a deadline to give up encryption keys to the online conversations of its users. I am not sure whether the Telegram protocol is actually blocked in Russia now.

A new Android P version will enforce applications to communicate over TLS secured connection by default.

Kudelski Security published a walk-through guide about Manger's attack against RSA OAEP. 1-bit leak from oraculum suffices to decrypt ciphertexts.

In depth article about stealing FUZE credit card content via Bluetooth.

Understanding Code Signing Abuse in Malware Campaigns. Pretty good statistics.

There is a vulnerability that results in a bypass of a tamper protection provided by the Sophos Endpoint Protection v10.7. Protection mechanism can be bypassed by deleting the unprotected registry key.

Several vulnerabilities have been found in the Apache HTTPD server. Update now.

Microsoft Windows tool certutil.exe for displaying certification authority information can be used to fetch data from the internet in the similar fashion like WGET or CURL.

There is a paper about breaking 256-bit security (NIST post-quantum candidate) WalnutDSA in under a minute.

Snallygaster - a Tool to Scan for Secrets on Web Servers

Nice map of the ongoing Linux kernel defenses. The map shows the relations between the vulnerability classes, current kernel defenses and bug detection mechanisms.

InfoSec Week 14, 2018

There is a critical flaw in Microsoft Malware Protection Engine (CVE-2018-0986). They have used the open source unrar code, changed all the signed ints, breaking the code. Remote SYSTEM memory corruption.

Blog by Latacora about the right choices and parameters when dealing with cryptography for backups, communication, authentication, etc. Nice summary, with the explanation and historical references.

An Italian football club Lazio has been scammed by a social engineering attack via email. The club sent out transfer bill of €2 million to a fraudster’s bank account instead of the Feyenoord Dutch club.

The people behind the Google Wycheproof project, which is testing crypto libraries against known attacks released test vectors for many crypto primitives.

Cloudflare announced consumer DNS service sitting on a address. Supports DNS-over-TLS, also DNS-over-HTTPS.

Good explanatory blog about the oblivious DNS and why DNS should not require our trust at all.

There is a local privilege escalation vulnerability (CVE-2018-0492) in the Debian beep package. Yes, beep package for motherboard beeping. Escalation, because setuid + race condition.

LibreSSL 2.7.0 was accepting all invalid host names as correct. A vulnerability was found by Python maintainer Christian Heimes when running tests after porting new LibreSSL to the Python 3.7. Nobody affected.

VirusTotal launches a new Android Sandbox system VirusTotal Droidy to help security researchers detect malicious apps based on behavioral analysis.

MesaLink is a new memory-safe and OpenSSL-compatible TLS library written in Rust.

InfoSec Week 13, 2018

The city of Atlanta government has become the victim of a ransomware attack. The ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees were told to turn off their computers.

The academic researchers have discovered a new side-channel attack method called BranchScope that can be launched against devices with Intel processors and demonstrated it against an SGX enclave. The patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.

Good insight into the ransomware business and how it operates, how it transfers Bitcoin funds, with data gathered over a period of two years.
The paper is named "Tracking Ransomware End-to-end"

Mozilla has created a Facebook Container extension for Firefox, which should enable users to protect their online habits by sandboxing Facebook webpage.

Interesting article about the North Korean army of hackers operating abroad with the mission to earn money by any means necessary.

Unified logs in the MacOS High Sierra (up to 10.13.3) show the plain text password for APFS encrypted external volumes via disk utility application.

SophosLabs researchers analyzed a new Android malware which is pretending to he a legitimate QR reader application, but actually is monetizing users by showing them a flood of full-screen advertisements. More than 500k apps were installed.

Brian Krebs analyzed the social network behind the recently famous Coinhive javascript cryptocurrency mining business.

CloudFlare published a Merkle Town dashboard, Certificate Transparency logs visualization tool.

Facebook is tracking users' phone call information via their Android Messenger application.

There are multiple critical vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software.

New version (4.0) of the most secure operating system on the planet - Qubes OS was released.

InfoSec Week 11, 2018

A cyberattack on a Saudi Arabian petrochemical company was probably planed with the physical explosion in mind. They have attributed Iran, and didn't mention Stuxnet at all, so a little bit one-sided view of this cyberwarfare exchange.

There is a critical vulnerability in Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows. Due to cryptographic flaw, man-in-the-middle attack could allow remote procedure calls attack and data exfiltration against the RDP and WinRM.

A vulnerability (CVE-2018-1057) in Samba allows authenticated users to change other users' password.

Kubernetes vulnerability (CVE-2017-1002101) allows containers using subpath volume mounts with any volume type to access files/directories outside of the volume, including the host’s filesystem. Updated version is already available.

Quite good exchange on the encryption policy and the government backdoor proposals between the US National Academy of Sciences and the Electronic Frontier Foundation. Relevant for all democratic regimes.

Kaspersky has discovered PlugX remote access tool (RAT) malware installed across the pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information.

Encrypted Email Service provider ProtonMail is being blocked by internet service providers in Turkey.

CTS-Labs security researchers has published a whitepaper identifying four classes of potential vulnerabilities of the Ryzen, EPYC, Ryzen Pro, and Ryzen Mobile processor lines.

Adam Langley's blog post about the inability of the TLS 1.3 to snoop on proxy traffic.

Hacker Adrian Lamo dies at 37. He was known for his involvement in passing information on whistleblower Chelsea Manning, a former US Army soldier who leaked sensitive information to the WikiLeaks.

To find assault suspect, police in the Raleigh, North Carolina used search warrants to demand Google accounts not of specific suspects, but from any mobile devices that veered too close to the scene of a crime in specific time.

Kaspersky releases Klara, a distributed system written in Python, designed to help threat intelligence researchers hunt for new malware using Yara rules.

Nice paper about the simple manual cipher that should be resistant against the modern cryptanalysis.
LC4: A Low-Tech Authenticated Cipher for Human-To-Human Communication https://eprint.iacr.org/2017/339

InfoSec Week 9, 2018

Wandera security researchers spotted a new sophisticated Android RedDrop malware hidden in at least 53 Android applications. It can intercept SMS, record audio and exfiltrate data to the remote server.

There is an experimental support for forward secure post-quantum Extended Hash-Based Signatures (XMSS) in the OpenSSH protocol.

Blog by Matthew Green on the probable encryption key handling by Apple in the China mandated cloud. Not really satisfied explanation, only guesses, as Apple is silent about the exact key handling methodology.

Cloudflare detected new Memcached based amplification DDoS attack vector. The attacker just implants a large payload on an exposed memcached server, then, the attacker spoofs the "get" request message with target Source IP address. The memcached server could be really huge - around 1MB.

A group of computer scientists from the US and China published a paper proposing the first-ever trojan for a neural network. It's called PoTrojan and is triggered by special network input. After that, the network start to work differently.

The Cisco Talos team analyzed attribution claims around Olympic Destroyer malware. The result is to not imply blindly to Russia. Attribution is hard.

New KeePassXC version 2.3.0 was released. There are lots of new features, like new Argon2 key derivation function, SSH agent integration, browser plugin.

Trustico SSL certificate reseller revoked 23000 customer certificates by sending private keys(?!) over email to the Digicert certification authority.

There are rumors that major U.S. government contractor Cellebrite is able to unlock all current iPhone models.

An advertising network has been using a well-known malware trick, a Domain Generation Algorithm (DGA), to bypass ad blockers and deploy in-browser cryptocurrency miners since December 2017.

A novel technique is using hardware branch predictor side channel attack to bypass ASLR protection:
"Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR"

InfoSec Week 8, 2018

Fraudsters are impersonating authors and publishing computer generated books so they can launder money via Amazon.

Crooks made over $3 million by installing cryptocurrency miners on Jenkins Servers by exploiting Java deserialization RCE vulnerability (CVE-2017-1000353) in the Jenkins.

Tesla's Kubernetes installed in the Amazon AWS infrastructure was compromised by hackers.They have set up private cryptocurrency mining pool there.

The co-founder of WhatsApp, Brian Acton, has given $50 millions to support Signal messenger and create a self-sustaining foundation. Very good news for this donation funded privacy technology.

Hackers are exploiting the CISCO ASA vulnerability (CVE-2018-0101) in attacks in the wild.

Security Researcher Troy Hunt published half a billion passwords collected and processed from various breaches. There is also API for this dataset, and some statistics about the password usage.

There is a critical vulnerability in Mi-Cam baby monitors that let attackers spy on infants. At least 52k users are affected.

Public key cryptography explained in the form of Ikea instructions. Check other images as well!

InfoSec Week 7, 2018

The Fidelis Cybersecurity researcher Jason Reaves demonstrated how covertly exchange data using X.509 digital certificates. The proof of concept code is using SubjectKeyIdentifier and generating certificates on the fly.

The "UDPoS" Point of Sale malware is using DNS traffic to exfiltrate stolen credit card data.

Talos analyzed malware threat targeting Olympic computer systems during the opening ceremony. The main purpose was information gathering and destroying the system.

Zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.

Trustwave analyzed multi-stage Microsoft Word attack which is NOT using macros. Really creative technique.

Microsoft can't fix Skype privilege escalation bug without the massive code rewrite, so they postponed it for a while.

Facebook is advertising their Onavo VPN application, but there are a few reasons why it is really not a good idea to use it.

Facebook is spamming users via SMS registered for two factor authentication (2FA). Then posts their responses on a wall.

(Not only) Performance analysis of a Retpoline mitigation for Spectre vulnerability.

A guide on how to brutefoce Linux Full Disk Encryption (LUKS) volumes using Hashcat software.

Proof of concept of LibreOffice remote arbitrary file disclosure vulnerability. It is possible to silently send any files. All operating systems affected before 5.4.5/6.0.1 versions.

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.

Matthew Green thinks that the recently discovered "Extended Random" extension of the RSA’s BSAFE TLS library found in the older Canon printers could be NSA backdoor.

Filippo Valsorda presented the key recovery attack against the carry bug in x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption affected.

Explanation how web trackers exploit browser login managers to track users on the Internet.

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.

Short blog about the cracking encrypted (40-bit encryption) PDFs using hashcat.

Crooks behind the VenusLocker ransomware to Monero mining. They are executing Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.

Proofpoint researchers published paper on largely undocumented LazarusGroup campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.

InfoSec Week 50, 2017

Crooks hacked Fox-IT by capturing fox-it.com DNS record, then obtained a certificated and executed a man-in-the-middle attack on connection.

The Mandiant - FireEye company analyzed an incident at a critical infrastructure organization where an attacker deployed so called TRITON malware designed to manipulate industrial safety system. According to the analysis, "the malware was delivered as a Py2EXE compiled python script [...] containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers."

The anonymous researcher behind the massive internet scans of the IoT devices known for the BrickerBot case published some insights on his operation. Looks like he is a gray hat after all.

Google published Android security roadmap for the next year. There will be lots of improvements, and new requirements for App developers.

Multiple vulnerabilities were identified in Telegram messenger for Android, like arbitrary file overwrite on receiving and directory traversal. There are definitely better alternatives to this software...

Guy uploaded his self-signed malformed certificate to the websites which process them and found out lots of them is vulnerable to the XSS injection.

Mavinject is a legitimate Windows component digitally signed by Microsoft, that can be abused to inject any DLL inside a running process.

Microsoft pushed comprehensive audit reports on Windows Events to GitHub.

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.

According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.

HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.

Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.

Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.

Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.

Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.

Page 1 / 6