Facebook, Google, Cisco, WhatsApp and other industry partners got together to create Messaging Layer Security (MLS) as an open standard for end-to-end encryption with formal verification. Messaging Layer Security is now an IETF working group as well.
Long read about the takedown of Gooligan, an Android botnet that was stealing OAuth credentials back in 2016.
The Israeli security company CTS Labs published information about a series of exploits against AMD chips just one day after notifying AMD.
Russia orders company behind the Telegram messaging application to hand over users’ encryption keys.
The hacker behind the Guccifer 2.0 pseudonym, known for providing WikiLeaks with emails stolen from the US Democratic National Committee, was an officer of Russia's military intelligence directorate.
Fascinating in-depth blog post about breaking the security of the Ledger cryptocurrency hardware wallet.
A Facebook bug made persistent XSS on the Facebook wall possible by embedding an external video using the Open Graph protocol.
Documents leaked by Edward Snowden reveal that the NSA worked to “track down” Bitcoin users.
Dark Web Map - a visualization of the structure of 6.6k Tor onion services, a.k.a. hidden services, a.k.a. the dark web.
A buffer overflow vulnerability in an older StarCraft version enabled modders to create new maps, so Blizzard tasked a reverse engineer with safely emulating the bug in the newer, fixed version.
The author says it all: "This is a tale about what dedication to backward compatibility implies."
A bug in the Grammarly Chrome extension (approx. 22M users) exposes the user's authentication token to all websites, so anyone collecting user data could access their cloud data at grammarly.com.
With the release of Google Chrome 68, Chrome will mark all HTTP sites as “not secure” in the status bar.
Article about the Australian startup Azimuth Security, which sells hacking software to the "Five Eyes" police and intelligence agencies.
Rumor has it that they are able to remotely hack Android devices and iPhones.
SEC Consult researchers found multiple vulnerabilities in their security review of smart sex toys: an exposed customer database, cleartext passwords, vulnerable remote controllers...
Metasploit integrated the EternalRomance, EternalSynergy and EternalChampion exploits for the Windows (MS17-010) vulnerabilities leaked from the NSA by the Shadow Brokers.
Someone leaked the source code of Apple's iBoot, the iOS trusted boot program, on GitHub. It is a critical part of the iOS system. Meanwhile, Apple filed a copyright takedown request with GitHub.
Hackers infected water utility SCADA systems in Europe with cryptocurrency mining software.
Security researchers discovered vulnerabilities in an automated gas management system that allowed them to hijack credit card payments, steal card numbers and more.
APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it had been the victim of an APT attack.
There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.
Matthew Green thinks that the recently discovered "Extended Random" extension of RSA's BSAFE TLS library, found in older Canon printers, could be an NSA backdoor.
Filippo Valsorda presented a key recovery attack exploiting a carry bug in the x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption is affected.
An explanation of how web trackers exploit browser login managers to track users on the Internet.
According to the hacker Konstantin Kozlovsky, the creation of the WannaCry and Lurk malware was supervised by Russia's FSB agency.
Short blog post about cracking 40-bit-encrypted PDFs using hashcat.
The crooks behind the VenusLocker ransomware switched to Monero mining. They are running the Monero CPU miner XMRig as a remote thread inside the legitimate Windows component wuapp.exe.
Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.
Proofpoint researchers published a paper on largely undocumented Lazarus Group campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not yet covered in the media.
The AWS team published a blog post about the recent improvements to secure random number generation in Linux 4.14, OpenSSL and libc.
Really good introduction to anonymous communication network design and mix nets in general, published by Least Authority.
These researchers reverse-engineered the Furby Connect DLC file format and are able to remotely upload their own logos and songs to the device over Bluetooth.
There is a critical vulnerability in macOS High Sierra: anyone can log in as root with an empty password after clicking the login button several times. For now, it can be mitigated by simply changing the root password.
Very good investigative journalism about the mysterious NSA contractor who may have provided top secret documents to the Shadow Brokers.
Uber paid hackers $100k to delete stolen data on 57 million people and keep quiet. They even tried to disguise it as a bug bounty payment.
Someone published a remote code execution exploit for the Exim mail server (CVE-2017-16944) on GitHub. Shodan.io shows more than 400k servers with the vulnerable CHUNKING feature.
Researchers exploited the antivirus quarantine mechanism to gain privileges by manipulating the restore-from-quarantine process. By abusing NTFS directory junctions, the AV quarantine restore process can be redirected so that previously quarantined files are written to arbitrary file system locations.
WikiLeaks released the source code of leaked CIA hacking tools; it indicates that the CIA used fake certificates attributed to Kaspersky Labs to sign their malware.
A security researcher discovered a factory application left in OnePlus devices. It can be used to gain root privileges, dump photos and collect Wi-Fi and GPS information.
Researchers from Princeton University have been studying third-party trackers that record sensitive personal data that users type into websites, and the results are not good.
The iPhone X's Face ID facial recognition system was circumvented by Vietnamese experts using a 3D mask.
Security researcher Maxim Goryachy reports being able to execute unsigned code on computers running the Intel Management Engine through USB.
Deep dive into the Facebook sextortion scheme run by a group from Marseille using fake profiles of young girls.
Long read about how the breaches by the Shadow Brokers damaged the US National Security Agency.
Analysis of a low-cost Chinese GSM listening and location device hidden inside the plug of a standard USB data/charging cable.
Privacy Pass is a browser extension for Chrome and Firefox which uses privacy-preserving cryptography to let users authenticate to services without compromising their anonymity. It uses blind signature schemes.
The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in D-Link routers.
There is a new research paper on the security of Bluetooth stacks, titled "The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks." Really alarming vulnerabilities are discussed.
From the paper: "BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware to other devices. The attack does not require the targeted device to be set on discoverable mode or to be paired to the attacker’s device."
FireEye has analyzed a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability used by attackers to distribute the notorious FinFisher / FINSPY malware.
I have included an exploit example that is published on GitHub.
Kaspersky Labs have analyzed the trend of malicious cryptocurrency mining on infected machines.
The Android BankBot malware found on the Google Play store is targeting multiple UAE banking applications.
The NSA developed the capability to decrypt and decode Kazaa and eDonkey file-sharing traffic to determine which files are being shared and what queries are being performed over those P2P networks.
A formally verified implementation of Curve25519 made it into Firefox 57, and it is 20% faster on 64-bit architectures.
A nice curated list of IDA plugins.
Crooks are already using the recently leaked NSA hacking tools to exploit thousands of unpatched Windows machines.
The Bosch Drivelog Connect dongle could allow hackers to halt the engine.
The Android MilkyDoor malware lets attackers infiltrate a phone's connected networks via Secure Shell (SSH) tunnels.
The Hajime IoT worm is hardening IoT devices (closing open ports for now) to lock out other IoT malware. The code is not weaponised and contains only a white-hat message.
This guy found out how to trade other customers' stocks thanks to a flawed implementation of an iPhone trading app.
NVIDIA is shipping node.js under the name "NVIDIA Web Helper.exe". As it is signed with NVIDIA's key, the application is whitelisted by Microsoft AppLocker and can be used to bypass that protection.
Criminals are spreading financial malware using spam emails disguised as a payment confirmation email from Delta Air Lines. It looks genuine. https://heimdalsecurity.com/blog/hancitor-malware-delta-airlines/
The real IP addresses of some dark markets can be found through Shodan search.
"RAMP (Russian drug market, server in Russia) and Hydra (international drug market, server in Germany) are leaking. Anyone see other big ones?"
Nice blog post about common mistakes developers make when handling encryption and secrets.
Apple File System (APFS), introduced in March 2017, has been reverse engineered by Jonas Plum.
WikiLeaks publishes the User Guide for the CIA's "Weeping Angel" tool - an implant designed for Samsung F Series Smart Televisions. Based on the "Extending" tool from MI5/BTSS, the implant is designed to record audio from the built-in microphone and egress or store the data.
Funny research paper co-authored by Daniel J. Bernstein, "Post-quantum RSA", explores potential "parameters for which key generation, encryption, decryption, signing, and verification are feasible on today’s computers while all known attacks are infeasible, even assuming highly scalable quantum computers".
The funny part is that the actual parameters are "really" practical. Example: "For the 2Tb (256GB) encryption, the longest multiplication took 13 hours, modular reduction took 40 hours, and in total encryption took a little over 100 hours."
A local privilege escalation via LightDM was found in Ubuntu versions 16.10 / 16.04 LTS.
Fake Sandbox Processes (FSP) - a script that simulates processes of sandbox/VM analysis software which some malware tries to avoid. Windows only. https://github.com/Aperture-Diversion/fake-sandbox
Interesting blog post about generic unpacking of the Locky malware using Radare's r2pipe, Python and a Windows 7 VM.
More information about the Shadow Brokers' NSA hacking toolkit dump is coming out as analysis continues.
Kudelski Security researchers published an overview of the Equation Group's exploitation arsenal for the Windows platform. Notably, this dump also indicates that the NSA compromised a SWIFT system.
Symantec researchers linked the CIA hacking tools (Vault 7) to cyber attacks launched in recent years by the Longhorn group, a gang specialising in intelligence gathering operations.
Black hats robbed at least 8 ATMs in Russia, stealing $800,000 in one night using the ATMitch "fileless" malware.
FireEye documented a campaign leveraging the CVE-2017-0199 vulnerability, which enabled attackers to "download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit." It delivers so-called FINSPY and LATENTBOT samples, mostly targeting Russian-speaking users.
I wrote about the Broadcom Wi-Fi stack exploit last week; this is the second part of the Google Project Zero team's series.
The Cisco Talos team has analyzed the ROKRAT remote administration tool, which targets South Koreans via a spear phishing campaign.
The "rensenWare" ransomware is asking victims to score over 0.2 billion game currency playing the game "Touhou Project - Undefined Fantastic Object".
The new BrickerBot malware performs a so-called Permanent Denial-of-Service (PDoS) attack on IoT devices. It uses the same attack vector as the Mirai botnet, brute-forcing SSH passphrases. If successful, it tries to brick the device's storage.
The Triada Android malware runs inside the open source DroidPlugin sandbox in order to evade detection.
A security issue in Splunk Enterprise allowed an attacker to steal data from an authenticated user who visited a malicious website.
Google Project Zero demonstrated a remote code execution exploit against Broadcom's Wi-Fi stack on a fully updated Nexus 6P running Android 7.1.1 build NUF26K.
The Shadow Brokers hacking group just leaked an NSA digital weapons package online.
WikiLeaks published documents detailing the Grasshopper framework used by the CIA to create custom Windows malware installers.
The source code of the "Stolen Goods" module contains parts of the leaked Carberp banking trojan source code.
The Xen Security Team has discovered a security bug in the hypervisor code which, if exploited, can be used to break Qubes OS isolation.
Exploit chaining is required for full system takeover, though.
Interesting research on using antivirus software as leverage during an attack:
"Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks"
New malware called MacDownloader, attributed to Iran and targeting macOS systems, was spotted in the wild. It spreads disguised as an Adobe Flash installer or the Bitdefender Adware Removal Tool and depends on social engineering. After installation, it attempts to exfiltrate the OS X keychain database as well as other system information.
Google Project Zero investigated the inner workings of Real-Time Kernel Protection (RKP), used by Samsung KNOX, on a fully updated Galaxy S7 Edge. They presented multiple vulnerabilities that allowed them to subvert each of RKP's security mechanisms.
Former National Security Agency contractor Harold T. Martin III is accused of stealing 50 terabytes of classified information.
"The indictment against Harold T. Martin III is expected to contain charges of violating the Espionage Act by "willfully" retaining information that relates to the national defense, including classified data such as NSA hacking tools and operational plans against "a known enemy" of the United States, according to individuals familiar with the case."
Google Chrome 56 lets websites connect to Bluetooth devices and harvest information from them through the browser. A summary of the Web Bluetooth API security model, written by the Chrome team's Jeffrey Yasskin, can be found on Medium.
Doctor Web detected a new Mirai trojan fork that is able to use Windows machines to scan the internet for further targets.
The CRYSIS ransomware family is targeting the US healthcare sector via Remote Desktop (RDP) brute force attacks.
A new ransomware known as "Serpent" is targeting Danish recipients with emails linking to malicious Microsoft Office documents.
Multiple proponents of Mexico's 2014 soda tax, aimed at reducing consumption of sugary drinks in Mexico, were targeted by spyware.
The malicious program was developed by the Israeli cyberarms dealer NSO Group.
Keybase introduced an end-to-end encrypted app for secure interactive messaging that works with already established third-party accounts.
It is an interesting solution to the key exchange problem; other solutions usually rely on Trust On First Use (TOFU). Note that only "exploding" messages have forward secrecy.
Wire's encrypted messaging protocol was audited. Kudelski Security and X41 D-Sec found it to have "high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs."
A great story about a Russian "research" company that reverse engineered older slot machines in order to predict their output. And they are cashing in on it...