Tag NSA

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.
http://seclists.org/fulldisclosure/2017/Dec/85

Matthew Green thinks that the recently discovered "Extended Random" extension of the RSA’s BSAFE TLS library found in the older Canon printers could be NSA backdoor.
https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/

Filippo Valsorda presented the key recovery attack against the carry bug in x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption affected.
https://events.ccc.de/congress/2017/Fahrplan/events/9021.html

Explanation how web trackers exploit browser login managers to track users on the Internet.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.
https://www.unian.info/world/2319991-russian-hacker-says-fsb-involved-in-creation-of-wannacry-malware.html

Short blog about the cracking encrypted (40-bit encryption) PDFs using hashcat.
https://blog.didierstevens.com/2017/12/27/cracking-encrypted-pdfs-part-2/

Crooks behind the VenusLocker ransomware to Monero mining. They are executing Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.
https://blog.fortinet.com/2017/12/20/group-behind-venuslocker-switches-from-ransomware-to-monero-mining

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.
https://lite.cnn.io/en/article/h_910710e71e532e73a80deb1294a2db7c

Proofpoint researchers published paper on largely undocumented LazarusGroup campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new

InfoSec Week 47, 2017

According to the annual State of Open Source Security report, 77% of 433000 analyzed sites use at least one front-end JavaScript library with a known security vulnerability.
https://snyk.io/blog/77-percent-of-sites-still-vulnerable/

The AWS team published blog about the recent improvements to the secure random number generation in Linux 4.14, OpenSSL and libc.
https://aws.amazon.com/blogs/opensource/better-random-number-generation-for-openssl-libc-and-linux-mainline/

Really good introduction to the anonymous communication network design and mix nets in general, published by Least Authority.
https://leastauthority.com/blog/mixnet-intro/

Those guys reverse-engineered the Furby Connect DLC file format and are able to remotely upload their own logos, songs to the device over Bluetooth.
https://www.contextis.com/blog/dont-feed-them-after-midnight-reverse-engineering-the-furby-connect

There is a critical vulnerability in the MacOS High Sierra, anyone can login as root with empty password after clicking on login button several times. For now, it could be mitigated by just changing the root password.
https://krebsonsecurity.com/2017/11/macos-high-sierra-users-change-root-password-now/
https://objective-see.com/blog/blog_0x24.html

Very good investigative journalism about the mysterious NSA contractor which could provided top secret documents to the Shadow Brokers.
https://krebsonsecurity.com/2017/11/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/

Uber paid hackers $100k to delete stolen data on 57 million people and shut up. They have even tried to fake it as an bug bounty payment.
http://blog.trendmicro.com/uber-how-not-to-handle-a-breach/

Someone published remote code execution exploit for the Exim Mail server (CVE-2017-16944) on GitHub. Shodan.io shows more than 400k servers with the vulnerable CHUNKING feature.
https://twitter.com/_miw/status/934872934681804800
https://github.com/LetUsFsck/PoC-Exploit-Mirror

InfoSec Week 45, 2017

Researchers exploited antivirus software quarantine mechanism to gain privileges by manipulating the restore process from the virus quarantine. By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations.
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/

Wikileaks released source code of leaked CIA hacking tools and it indicates that the CIA used fake certificates attributed to Kaspersky Labs for signing their malware.
https://wikileaks.org/vault8/
https://twitter.com/i/web/status/928669548210991104

A security researcher has discovered factory application in OnePlus devices. It can be used to gain root privileges, dump photos, collect WiFi & GPS information.
https://www.bleepingcomputer.com/news/security/second-oneplus-factory-app-discovered-this-one-dumps-photos-wifi-and-gps-logs/
https://github.com/sirmordred/AngelaRoot

There was a vulnerability in CouchDB caused by a discrepancy between the database’s native JSON parser and the Javascript JSON parser used during document validation. Because CouchDB databases are meant to be exposed directly to the internet, this enabled privilege escalation, and ultimately remote code execution, on a large number of installations.
https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

Researchers from the Princeton university have been studying third-party trackers that record sensitive personal data that users type into websites, and the results are not good.
https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

iPhone X's Face ID facial recognition security mechanism system was circumvented by Vietnam experts using a 3D mask.
http://www.bkav.com/d/top-news/-/view_content/content/103968/face-id-beaten-by-mask-not-an-effective-security-measure

Security researcher Maxim Goryachy reports being able to execute unsigned code on computers running the Intel Management Engine through USB.
https://twitter.com/h0t_max/status/928269320064450560

Deep dive into the Facebook sextorcism scheme using fake young girls profiles by the guys from Marseille.
http://ici.radio-canada.ca/special/sextorsion/en/index.html

Long read about how the security breaches by the Shadow Brokers damaged the US National Security Agency.
https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html

Analysis of a low cost Chinese GSM listening and location device hidden inside the plug of a standard USB data/charging cable.
https://ha.cking.ch/s8_data_line_locator/

Privacy Pass is a browser extension for Chrome and Firefox, which uses privacy-preserving cryptography to allow users to authenticate to the services without compromising their anonymity. It uses blind signature schemes.
https://privacypass.github.io

InfoSec Week 36, 2017

The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in D-Link routers.
https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html

There is a new research paper published on a security of a Bluetooth stack named "The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks." Really alarming vulnerabilities discussed.
From a paper: "BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware to other devices. The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device."
http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

FireEye has analyzed a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability leveraged by attackers to distribute notoriously known FinFisher / FINSPY malware.
I have included exploit example that is published on a GitHub.
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
https://github.com/Voulnet/CVE-2017-8759-Exploit-sample

Kaspersky Labs have analyzed the trend of malicious cryptocurrency mining practices on an infected machines.
https://securelist.com/miners-on-the-rise/81706/

The Android BankBot malware found on Google Play store is targeting multiple UAE banking applications.
http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-play-targets-ten-new-uae-banking-apps

Good analysis of how the JavaScript framework can be abused to bypass XSS mitigations, specifically NoScript’s XSS filter.
http://blog.portswigger.net/2017/09/abusing-javascript-frameworks-to-bypass.html

NSA had developed the capability to decrypt and decode Kazaa and eDonkey file-sharing apps traffic to determine which files are being shared, and what queries are being performed over those P2P networks.
https://theintercept.com/2017/09/13/nsa-broke-the-encryption-on-file-sharing-apps-kazaa-and-edonkey/

Formally verified implementation of Curve25519 made it into Firefox 57. And it is 20% faster on 64-bit architectures.
https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/

A nice curated list of IDA plugins.
https://github.com/onethawt/idaplugins-list

InfoSec Week 16, 2017

Crooks are already using recently leaked NSA hack tools to exploit thousands of unpatched Windows machines.
https://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/

Bosch Drivelog Connector dongle could allow hackers to halt the engine.
https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/

Android MilkyDoor malware lets attackers infiltrate phone's connected networks via Secure Shell (SSH) tunnels.
http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-android-malware-finds-successor-milkydoor/

The Hajime IoT worm is hardening IoT devices (closing open ports for now) to lock out other IoT malware. The code is not weaponised, contains only white hat's message.
https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things

The guy found out how to trade other customers' stocks due to the bad implementation of the iPhone trading app.
https://privacylog.blogspot.ch/2017/04/what-happens-when-you-send-zero-day-to.html

NVIDIA is shipping node.js under the name "NVIDIA Web Helper.exe". As it's signed by the NVIDIA key, the application is whitelisted by Microsoft AppLocker, and can be used for bypassing protection.
http://blog.sec-consult.com/2017/04/application-whitelisting-application.html

Criminals are spreading financial malware using spam emails disguised as a payment confirmation email from Delta Air. Looks genuine. https://heimdalsecurity.com/blog/hancitor-malware-delta-airlines/

Some darkmarket real IP addresses can be found through the Shodan search.
"RAMP (Russian drug market, server in Russia) and Hydra (international drug market, server in Germany) are leaking.Anyone see other big ones?"
https://twitter.com/HowellONeill/status/855550034741309440 https://twitter.com/AlecMuffett/status/855542397165502464

Nice blog about the common mistakes done by developers when using encryption \ secrets.
https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/

Apple File System (APFS), introduced in March 2017, reverse engineered by Jonas Plum.
https://blog.cugu.eu/post/apfs/

WikiLeaks publishes the User Guide for CIA's "Weeping Angel" tool - an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from MI5/BTSS, the implant is designed to record audio from the built-in microphone and egress or store the data.
https://wikileaks.org/vault7/#Weeping Angel

Funny research paper co-authored by Daniel J. Bernstein, "Post-quantum RSA", explores potential "parameters for which key generation, encryption, decryption, signing, and verification are feasible on today’s computers while all known attacks are infeasible, even assuming highly scalable quantum computers".
Funny part is that the actual parameters are "really" practical. Example: "For the 2Tb (256GB) encryption, the longest multiplication took 13 hours, modular reduction took 40 hours, and in total encryption took a little over 100 hours."
https://cr.yp.to/papers/pqrsa-20170419.pdf

A local privilege escalation via LightDM found in Ubuntu versions 16.10 / 16.04 LTS.
http://seclists.org/fulldisclosure/2017/Apr/73

fake sandbox processes (FSP) - script will simulate fake processes of analysis sandbox/VM software that some malware will try to avoid. Windows only. https://github.com/Aperture-Diversion/fake-sandbox

InfoSec Week 15, 2017

Interesting blog about the generic unpacking of the Locky malware using Radare r2pipe, python and the Windows 7 VM.
http://blog.devit.co/unpacking-with-r2pipe/

More information about the Shadow Brokers NSA hacking toolkit dump are coming out after analysis.
Kudelski Security research published the overview of an Equation Group exploitation arsenal for the Windows platform. Good to note, that this dump has also implicated that the NSA compromised a SWIFT system.
https://research.kudelskisecurity.com/2017/04/14/shadow-brokers-april-2017-release-2/
http://securityaffairs.co/wordpress/58006/hacking/nsa-hacked-swift.html

Symantec researchers linked the CIA hacking tools (Vault 7) to a cyber attacks launched in recent years by a Longhorn group gang specialising in the intelligence gathering operations.
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7
https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/

Black hats have robbed at least 8 ATMs in Russia and stole $800,000 in one night using a ATMitch "fileless" malware.
http://securityaffairs.co/wordpress/57881/cyber-crime/atmitch-fileless-malaware.html

FireEye documented a campaign leveraging the CVE-2017-0199 vulnerability, which enabled attackers to "download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit." It delivers so called FINSPY and LATENTBOT samples, targeting mostly Russian speaking users.
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html https://arstechnica.com/security/2017/04/microsoft-word-0day-was-actively-exploited-by-strange-bedfellows/

I wrote about the Broadcom’s Wi-Fi stack exploit last week, this is the second part of a series of Google Project Zero team.
https://googleprojectzero.blogspot.sk/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html

InfoSec Week 14, 2017

The Cisco Talos team has analyzed ROKRAT remote administration tool targeting South Koreans by spear phishing campaign.
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html

The "rensenWare" ransomware is asking victims to score over 0.2 billion game currency playing the game "Touhou Project - Undefined Fantastic Object”.
http://securityaffairs.co/wordpress/57850/malware/rensenware-ransomware.html

The new BrickerBot malware is performing so called Permanent Denial-of-Service (PDoS) on a IoT device. It's using the same attack vector as a Mirai botnet - bruteforcing ssh passphrase. If succesful, it tries to brick device storage.
https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/

Triada Android malware is using open source DroidPlugin sandbox when running, in order to evade detection.
https://blog.avast.com/mobile-spyware-uses-sandbox-to-avoid-antivirus-detections

The security issue in the Splunk Enterprise allowed a potential attacker to steal data from the authenticated user if she visited a malicious website.
http://seclists.org/fulldisclosure/2017/Mar/89

Google Project Zero demonstrated a Broadcom’s Wi-Fi stack remote code execution exploit on a fully updated Nexus 6P, running Android 7.1.1 version NUF26K.
https://googleprojectzero.blogspot.md/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html

TheShadowBrokers hacking group just leaked the NSA digital weapons package online.
https://github.com/x0rz/EQGRP
https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1

WikiLeaks published documents detailing the Grasshopper framework used by the CIA to create custom Windows malware installers.
Source code of the "Stolen Goods" module contains parts of the leaked Carberp banking trojan source code.
http://www.securityweek.com/wikileaks-details-cia-tool-creating-windows-malware-installers

The Xen Security Team has discovered a security bug in the hypervisor code which, if exploited, can be used for breaking Qubes OS isolation. Exploit chaining required for the full system takeover tough.
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-029-2017.txt

Interesting research about the using antivirus software as a leverage during the attack. "Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks"
https://www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf

InfoSec Week 6, 2017

A new malware called MacDownloader, attributed to the Iran, targeting macOS systems spotted in the wild. Spreading as an Adobe Flash installer or a Bitdefender Adware Removal Tool, depend on social engineering. After installation, it attempts to exfiltrate OS X keychain database as well as the other system information.
https://iranthreats.github.io/resources/macdownloader-macos-malware/

Google Project Zero investigated inner-working of Real-Time Kernel Protection (RKP) used by Samsung KNOX using a fully updated Galaxy S7 Edge. They have presented multiple vulnerabilities which allow them to subvert each of RKP’s security mechanisms.
https://googleprojectzero.blogspot.ch/2017/02/lifting-hyper-visor-bypassing-samsungs.html

A former National Security Agency contractor Harold T. Martin III is accused of carrying out theft of 50 terabytes of classified information.
"The indictment against Harold T. Martin III is expected to contain charges of violating the Espionage Act by "willfully" retaining information that relates to the national defense, including classified data such as NSA hacking tools and operational plans against "a known enemy" of the United States, according to individuals familiar with the case."
https://www.washingtonpost.com/world/national-security/prosecutors-to-seek-indictment-against-former-nsa-contractor-as-early-as-this-week/2017/02/06/362a22ca-ec83-11e6-9662-6eedf1627882_story.html

Google Chrome 56 lets websites connect to Bluetooth devices and harvest information from them through the browser. Summary of the Web Bluetooth API security model written by Chrome team's Jeffrey Yasskin can be found on Medium.
https://medium.com/@jyasskin/the-web-bluetooth-security-model-666b4e7eed2

Doctor Web detects new Mirai trojan fork able to use Windows machines when scanning the internet for the other targets.
http://vms.drweb.com/search/?q=Trojan.Mirai.1

CRYSIS ransomware family is targeting a US healthcare sector via remote desktop (RDP) brute force attacks.
http://blog.trendmicro.com/trendlabs-security-intelligence/brute-force-rdp-attacks-plant-crysis-ransomware/

A new ransomware known as "Serpent" is targeting Danish recipients using emails linking to malicious Microsoft Office documents.
https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers

Multiple proponents of Mexico’s 2014 soda tax aimed at reducing consumption of sugary drinks in Mexico were targeted by spyware.
The malicious program is developed by an Israeli cyberarms dealer NSO Group.
https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html

Keybase introduced an end-to-end crypto app for secure interactive messaging which works with already established 3rd party accounts.
Interesting solution to the key exchange problem, other solutions usually use a Trust On First Use (TOFU). Just to note, only "exploding" messages have forward secrecy.
https://keybase.io/blog/keybase-chat

Wire’s encrypted messaging protocol got audited. Kudelski Security and X41 D-Sec found it to have "high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs."
https://research.kudelskisecurity.com/2017/02/09/wire-cryptography-audit-with-x41-d-sec/ https://medium.com/wire-news/wires-independent-security-review-61f37a1762a8

A great story about the Russian "research" company which reverse engineered older slot machines in order to predict the output. And they are cashing in on it...
https://www.wired.com/2017/02/russians-engineer-brilliant-slot-machine-cheat-casinos-no-fix/