Tag Python

InfoSec Week 3, 2018

Notoriously known Necurs spam botnet is sending millions of spam emails that are pumping shitcoin cryptocurrency named Swisscoin. Attackers are probably invested and are expecting to do pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against the foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police has handed malware-infected USB sticks as prizes for cybersecurity quiz. The malware was some old sample trying to communicate with non-existing C&C server in Poland. The thumb drives were infected by third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research is analyzing usage of the Certificate Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly tell which certificate authority may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 37, 2017

SfyLabs' researchers discovered a new Android banking Trojan named Red Alert 2.0, that is being offered for rent on many dark websites. It uses Twitter as a fall back mechanism for communication.
https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html

Windows cleanup utility CCleaner distributed by antivirus vendor Avast contained a multi-stage Floxif malware.
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surrounding-ccleaner-malware-incident/

According to Slovak CSIRT, multiple Python packages in the PyPI Python repository was hit by typosquatting attack.
http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/

Medfusion 4000 Wireless Syringe Infusion Pumps used in acute critical care settings could be remotely controlled, patients killed.
https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02

Kaspersky researchers discovered a new attack technique leveraging an undocumented Microsoft Word feature that loads PHP scripts hosted on third-party web servers.
https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/

DigitalOcean warned that some pre-built and pre-configured application (One-Click) offered by the cloud platform are using default admin passwords.
http://www.securityweek.com/digitalocean-warns-vulnerability-affecting-cloud-users

A use after free error in Apache HTTP can leak pieces of arbitrary memory from the server. It's tracked as an CVE-2017-9798 "Optionsbleed" vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2017-9798 https://github.com/hannob/optionsbleed

Mr. SIP is a tool developed to audit and simulate SIP-based attacks.
https://github.com/meliht/mr.sip

InfoSec Week 11, 2017

MalwareMustDie analyzed new APT Campaign with the Poison Ivy RAT payload. Malware is using obfuscated VBScript, Power Shell to finally drop well known RAT.
"The concept of infection is fileless, it's avoiding known signature for detection by multiple encodings and wraps, and it is also 100% avoiding the original attacker's working territory."
http://blog.0day.jp/p/english-report-of-fhappi-freehosting.html

Fake Chrome browser app named "Betaling - Google Chrome.exe" is spreading, mainly in the Netherlands. The application mimics basic browser functionality in order to steal user credit card information.
https://www.bleepingcomputer.com/news/security/credit-card-stealer-disguises-as-google-chrome-browser/

Conspiracy theory is circulating around the car crash and the death of a journalist Michael Hastings. According to the San Diego 6 News, Hastings had been investigating CIA Director John Brennan. He had also contacted WikiLeaks lawyer Jennifer Robinson just a few hours before he died, confirming that feds investigating his work. Was his vehicle remotely hijacked?
http://securityaffairs.co/wordpress/57094/intelligence/michael-hastings-crash-cia.html

Trend Micro has uncovered the MajikPOS, new point-of-sale (PoS) malware with RAT functionality. MajikPOS targets mainly businesses in the North America and Canada. It's spreading via poorly secured VNC, RDP protocols.
http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/

Avast malware researcher Jakub Kroustek discovered the Kirk Ransomware - new Star Trek themed ransomware written in Python, probably the first one which uses Monero as the ransom payment of choice.
https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us-monero-and-a-spock-decryptor/

Researchers at the Pwn2Own competition exploited Microsoft Edge browser in a way that escapes a VMware Workstation virtual machine it runs on. Three different exploits in a row.
https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

Very interesting article about the history of US information warfare.
"The United States was birthed in a stew of information, misinformation, disinformation, and propaganda projected by competing entities both internally and externally. Thus, instead of looking at the apparent success of Russian intelligence in the recent election as the perfected form of information warfare, it is worth considering colonial and revolutionary America to appreciate the historical precedent and perspective"
http://thestrategybridge.org/the-bridge/2017/3/8/information-warfare-isnt-russian-its-american-as-apple-pie

Intel Security has released a CHIPSEC security framework able to evaluate whether the system firmware is modified.
Intel also launched its first-ever bug bounty program.
https://github.com/chipsec/chipsec
https://www.hackerone.com/blog/Intel-launches-its-first-bug-bounty-program