Tag Necurs

InfoSec Week 3, 2018

Notoriously known Necurs spam botnet is sending millions of spam emails that are pumping shitcoin cryptocurrency named Swisscoin. Attackers are probably invested and are expecting to do pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against the foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police has handed malware-infected USB sticks as prizes for cybersecurity quiz. The malware was some old sample trying to communicate with non-existing C&C server in Poland. The thumb drives were infected by third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research is analyzing usage of the Certificate Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly tell which certificate authority may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 22, 2017

Notoriously known Gh0st RAT spyware is spreading through the same SMB vulnerability as a WannaCry ransomware.
https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

Jaff, ransomware distributed by the today's biggest spam botnet Necurs, is sharing server infrastructure with a PaySell cybercrime marketplace based in Saint Petersburgh, Russia.
https://heimdalsecurity.com/blog/jaff-ransomware-operation-cyber-crime-marketplace/

Security researchers have spotted a new PowerPoint infection vector. Malware is downloaded to a computer whenever a victim hovers a link. Without the macros.
https://www.bleepingcomputer.com/news/security/powerpoint-file-downloads-malware-when-you-hover-a-link-no-macros-required/

Wikileaks has published yet another CIA toolkit - Windows implant capable of the on-the-fly infection of a file executed over the network.
https://wikileaks.org/vault7/releases/#Pandemic

This guy lost lots of bitcoin in 15 minutes as attacker exploited Verison alternative authentification method. Interesting read.
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

Company behind OneLogin, a single sign-on and identity management for cloud-based applications, has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.
https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/

InfoSec Week 8, 2017

Malware samples recovered from watering hole attacks against the Polish financial regulator's website contain false flags that fraudulently suggest Russian actors are behind the campaign. BAE Systems Threat Research attributed the attack to the notoriously known Lazarus Group.
https://baesystemsai.blogspot.ch/2017/02/lazarus-false-flag-malware.html

TeamSpy malware targets high-profile industrial executives, researchers and diplomats using phishing attack. If successful, the malware installs keylogger and hidden TeamViewer application.
https://heimdalsecurity.com/blog/security-alert-teamspy-turn-teamviewer-into-spying-tool/

The world's largest spam botnet Necurs, with 5 million infected hosts, has added a DDoS module.
http://blog.anubisnetworks.com/blog/necurs-proxy-module-with-ddos-features

Montenegro suffered massive cyberattacks against government and media websites.
http://www.balkaninsight.com/en/article/montenegro-govt-on-alert-over-new-cyber-attacks-02-21-2017

This one about Cloudflare bug is all over the internet, but I found the report from the Google Project Zero engineer interesting.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139 https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165

Google announces first SHA1 collision attack, demonstrating it with two PDF files.
https://shattered.io/

Short blog with the self explanatory headline "Why it sucks to be a Security Researcher" written by a Sakurity infosec guy.
https://medium.com/@homakov/why-it-sucks-to-be-a-security-researcher-8a1d17fbffe8

Crackle is a tool to crack Bluetooth Smart Encryption (BLE). It exploits a flaw in the pairing mechanism that leaves all communications vulnerable to decryption by passive eavesdroppers.
https://github.com/mikeryan/crackle http://www.darknet.org.uk/2017/02/crackle-crack-bluetooth-smart-encryption-ble/

The Mercure is a tool for generating and managing phishing campaigns. It includes email templates, attachments and landing page management.
https://github.com/synhack/mercure/