Tag Necurs

InfoSec Week 38, 2018

The Purism project introduced its own security token, the Librem Key. It is built in partnership with the Nitrokey manufacturer, but the firmware adds functionality such as a challenge-response mode in which the key tells you whether the BIOS running on the PC has validated itself to the key.
https://puri.sm/posts/introducing-the-librem-key/

Google built a prototype of a censored search engine intended for use in China that links users' searches to their phone numbers.
https://theintercept.com/2018/09/14/google-china-prototype-links-searches-to-phone-numbers/

According to Swiss officials, two Russian spies caught in the Netherlands had been plotting a cyber attack on a Swiss defense lab analyzing the Novichok nerve agent used in the Salisbury poisoning.
https://www.nytimes.com/2018/09/14/world/europe/russians-salisbury-swiss-lab-sabotage.html

Citizen Lab has published a new report about the Pegasus spyware created by the Israeli cyber-security firm NSO Group.
The spyware runs on both Android and iOS devices, and the researchers identified 45 countries in which operators of NSO Group's Pegasus spyware may be conducting operations.
https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

Hackers were running cryptocurrency mining malware on Indian government websites.
https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/hackers-mined-a-fortune-from-indian-websites/articleshow/65836088.cms

Every day this week, Cloudflare is announcing support for a new technology that uses cryptography.
So far they have introduced an Onion service, BGP PKI (RPKI) and an IPFS node. Essentially, we can call them an active global adversary now.
https://blog.cloudflare.com/crypto-week-2018/

Western Digital My Cloud devices were affected by an authentication bypass vulnerability.
An unauthenticated attacker could exploit it to authenticate as the admin user without providing a password.
https://securify.nl/en/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html

NSS Labs filed an antitrust suit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO), because they found out that the "vendors have conspired to prevent testing of their products by placing clauses in their end user licensing agreements (EULA) that make testing of their products subject to their permission."
https://www.nsslabs.com/blog/company/advancing-transparency-and-accountability-in-the-cybersecurity-industry/

The new Necurs botnet spam campaign targets banks with malicious Wizard (.wiz) files, a format used by Microsoft programs such as Word to guide users through complex or repetitive tasks.
https://blog.barkly.com/wiz-file-malware-necurs-campaign

Informative blog post by LineageOS engineers covering the Qualcomm bootloader chain of trust up to the point where the Android OS is loaded.
https://lineageos.org/engineering/Qualcomm-Firmware/

GnuPG can now be used to perform notarial acts in the State of Washington.
https://lists.gnupg.org/pipermail/gnupg-users/2018-September/060987.html

A new CSS-based web attack will crash and restart your iPhone.
https://techcrunch.com/2018/09/15/a-new-css-based-web-attack-will-crash-and-restart-your-iphone/

Interesting project: SlotBot, hacking slot machines to win the jackpot with a buttonhole camera and brute-force search.
https://github.com/tensor8/hacking_slot_machines

InfoSec Week 3, 2018

The notorious Necurs spam botnet is sending millions of spam emails pumping a shitcoin named Swisscoin. The attackers are probably invested and are expecting to run a pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police handed out malware-infected USB sticks as prizes for a cybersecurity quiz. The malware was an old sample trying to communicate with a non-existent C&C server in Poland. The thumb drives were infected by a third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research analyzes the usage of Certificate Authority Authorization (CAA) DNS records. CAA records let domain owners explicitly specify which certificate authority may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet's DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/
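To make the CAA rule concrete, here is an added example (not code from the study above) implementing the RFC 8659 issuance check: walk from the name toward the root, take the first CAA RRset found, let `issuewild` govern wildcard names (falling back to `issue`), and treat an empty issuer (`;`) as a denial. The zone data is constructed and CNAME/DNAME alias chasing is omitted.

```python
# Added example: RFC 8659 CAA issuance check over constructed zone data.
# Not part of the CAA study; alias (CNAME/DNAME) chasing is omitted.

ZONE = {  # owner name -> list of (tag, value); constructed sample records
    "example.com.": [
        ("issue", "letsencrypt.org; validationmethods=dns-01"),
        ("issuewild", ";"),                       # no CA may issue wildcards
        ("iodef", "mailto:security@example.com"),
    ],
    "open.example.com.": [("iodef", "mailto:security@example.com")],
    "strict.example.net.": [("issue", ";")],     # no CA may issue at all
}


def relevant_rrset(name, zone):
    """Climb toward the root; the first name holding CAA records wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def issuer_domains(rrset, wildcard):
    """Issuer names for the governing tag; '' marks an empty issuer (';')."""
    tags = {tag for tag, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    return [val.split(";", 1)[0].strip().lower()
            for t, val in rrset if t == tag]


def may_issue(fqdn, ca_domain, zone=ZONE):
    """Return True if ca_domain is allowed to issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    issuers = issuer_domains(rrset, wildcard)
    if not issuers:
        return True  # no CAA at all, or only iodef: issuance unrestricted
    return ca_domain.lower() in issuers  # '' never matches a real CA name


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("open.example.com", "digicert.com"),
                     ("host.strict.example.net", "letsencrypt.org")]:
        verdict = "allowed" if may_issue(name, ca) else "denied"
        print(f"{name:26} {ca:16} -> {verdict}")
```

Note that `open.example.com` holding only an `iodef` record shadows the parent's `issue` records: the closest RRset is the relevant one, and without `issue` tags it leaves issuance unrestricted.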

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company has already released firmware updates.
The backdoor was added to the source code in 2004, when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, Python/C/PowerShell malware used in the Pyeongchang Olympics-themed spear phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 22, 2017

The notorious Gh0st RAT spyware is spreading through the same SMB vulnerability as the WannaCry ransomware.
https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

Jaff, ransomware distributed by today's biggest spam botnet, Necurs, shares server infrastructure with the PaySell cybercrime marketplace based in Saint Petersburg, Russia.
https://heimdalsecurity.com/blog/jaff-ransomware-operation-cyber-crime-marketplace/

Security researchers have spotted a new PowerPoint infection vector: malware is downloaded to the computer whenever the victim hovers over a link, with no macros required.
https://www.bleepingcomputer.com/news/security/powerpoint-file-downloads-malware-when-you-hover-a-link-no-macros-required/

Wikileaks has published yet another CIA toolkit: a Windows implant capable of on-the-fly infection of files executed over the network.
https://wikileaks.org/vault7/releases/#Pandemic

This guy lost lots of bitcoin in 15 minutes when an attacker exploited Verizon's alternative authentication method. Interesting read.
https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

The company behind OneLogin, a single sign-on and identity management service for cloud-based applications, has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.
https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/

InfoSec Week 8, 2017

Malware samples recovered from watering hole attacks against the Polish financial regulator's website contain false flags that fraudulently suggest Russian actors are behind the campaign. BAE Systems Threat Research attributed the attack to the notorious Lazarus Group.
https://baesystemsai.blogspot.ch/2017/02/lazarus-false-flag-malware.html

TeamSpy malware targets high-profile industrial executives, researchers and diplomats using a phishing attack. If successful, the malware installs a keylogger and a hidden TeamViewer application.
https://heimdalsecurity.com/blog/security-alert-teamspy-turn-teamviewer-into-spying-tool/

The world's largest spam botnet, Necurs, with 5 million infected hosts, has added a DDoS module.
http://blog.anubisnetworks.com/blog/necurs-proxy-module-with-ddos-features

Montenegro suffered massive cyberattacks against government and media websites.
http://www.balkaninsight.com/en/article/montenegro-govt-on-alert-over-new-cyber-attacks-02-21-2017

This one about the Cloudflare bug is all over the internet, but I found the report from the Google Project Zero engineer interesting.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165

Google announces the first SHA-1 collision attack, demonstrating it with two PDF files.
https://shattered.io/

Short blog post with the self-explanatory headline "Why it sucks to be a Security Researcher", written by a Sakurity infosec guy.
https://medium.com/@homakov/why-it-sucks-to-be-a-security-researcher-8a1d17fbffe8

Crackle is a tool to crack Bluetooth Smart (BLE) encryption. It exploits a flaw in the pairing mechanism that leaves all communications vulnerable to decryption by passive eavesdroppers.
https://github.com/mikeryan/crackle
http://www.darknet.org.uk/2017/02/crackle-crack-bluetooth-smart-encryption-ble/

Mercure is a tool for generating and managing phishing campaigns. It includes email templates, attachments and landing page management.
https://github.com/synhack/mercure/