Tag ransomware

InfoSec Week 52, 2018

The Chinese battery expert is charged with stealing trade secrets from US employer, as he prepared to return home. Forensics found deleted research materials not related to his contract on a USB voluntarily provided to a supervisor.
https://beta.scmp.com/news/world/united-states-canada/article/2179192/chinese-battery-expert-hongjin-tan-charged-stealing

The New York Times published an article about the insecurity of the mobile networks' Signaling System 7 (SS7) and the unwillingness to address mobile network vulnerabilities in general.
https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

Iraq government took down unlicensed towers used for illegal internet bandwidth smuggling operation in the disputed province of Kirkuk.
http://www.kurdistan24.net/en/news/09d4b5aa-6638-42fe-bbb1-b2ef48b4401b

Indias' Ministry of Home Affairs has issued a notification authorizing 10 agencies to tap, intercept and decrypt all personal data on computers and networks.
https://twitter.com/i/web/status/1075954903279943681

Yet another article from NY Times, this time on how Facebook uses 7500 moderators around the world to keep content "normal".
https://www.nytimes.com/2018/12/27/world/facebook-moderators.html

Hackers are infecting Linux servers with JungleSec ransomware using IPMI remote console, manually running encryption program, then asking for ransom.
https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/

The beta version of the WireGuard next gen VPN for iOS was released into the App Store.
https://lists.zx2c4.com/pipermail/wireguard/2018-December/003694.html

Someone from the France uploaded a new sample of Shamoon wiper malware to VirusTotal. The sample is signed with Baidu digital certificate expired back in 2016.
https://securityaffairs.co/wordpress/79248/malware/shamoon-3-france.html

The Wired magazine published a list of articles they have published on a security topic in 2018. Some of them are really good.
https://www.wired.com/gallery/the-most-read-security-stories-of-2018/

Amazon sends 1700 Alexa voice recordings to a random person.
https://threatpost.com/amazon-1700-alexa-voice-recordings/140201/

InfoSec Week 49, 2018

Apple included support for the WebAuthentication API in the latest Safari Release 71 (Technology Preview). The new WebAuthentication as implemented supports USB-based CTAP2 devices.
https://webkit.org/blog/8517/release-notes-for-safari-technology-preview-71/

Critical Kubernetes privilege escalation bug (CVE-2018-1002105) was found and patched during this week. When exploited, the bug allows anonymous users as well a authenticated one to use admin privileges over the cluster API.
There is an exploit published on a GitHub already.
https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/
https://github.com/evict/poc_CVE-2018-1002105

British Telecom will not use Huawei's 5G kit within the core of the network due to security concerns.
https://www.bbc.com/news/technology-46453425

Security agencies in Australia will gain greater access to encrypted messages due to a new legislative.
https://mobile.abc.net.au/news/2018-12-06/labor-backdown-federal-government-to-pass-greater-surveillance/10591944

US National Security Archive published a complete index of all 1504 items in the declassified collection of NSA internal Cryptolog periodical.
https://nsarchive.gwu.edu/briefing-book/cyber-vault/2018-12-04/cyber-brief-cryptolog

Security researchers released attacks on 7 TLS implementations, making use of Bleichenbacher and Manger's attack.
The research with a name "The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations" also includes a TLS 1.3 downgrade attack.
http://cat.eyalro.net/

Ransomware Infected 100k computers in China then demands WeChat Payment and is using XOR as an "encryption". Author was probably identified because he registered domain to his own name.
https://movaxbx.ru/2018/12/05/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/

It looks like 13 years old Virut botnet is resurrected in the wild.
https://chrisdietri.ch/post/virut-resurrects/

Great blog on how guy scammed the scammer to send him photo of his ID.
https://medium.com/@hackerfantastic/scamming-the-scammers-2fb934099ccc

Nearly 250 Pages of internal Facebook documents, emails and statistics were posted online by the UK Parliament.
https://motherboard.vice.com/en_us/article/59vwez/nearly-250-pages-of-devastating-internal-facebook-documents-posted-online-by-uk-parliament

A User Data of the question-and-answer website Quora were compromised.
https://help.quora.com/hc/en-us/articles/360020212652

The records of 500 million customers of the Marriott International hotel group were compromised.
https://www.bbc.com/news/technology-46401890

Interesting revisited paper: "From Keys to Databases -- Real-World Applications of Secure Multi-Party Computation."
https://eprint.iacr.org/2018/450

GTRS - is a tool that uses Google Translator as a proxy to send arbitrary commands to an infected machine.
https://github.com/mthbernardes/GTRS

InfoSec Week 31, 2018

Reddit got hacked. According to the investigation, it looks like hackers accessed employees 2FA protected accounts.
An attacker "compromised a few of Reddit's accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes".
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

A non-official French website keepass.fr using an URL similar to the popular password manager KeePass one lets you download a tampered version of the password manager with some adware in it.
https://twitter.com/JusticeRage/status/1021815597972291591

According to The Intercept_, Google is planning to launch a censored version of its search engine in China that will blacklist websites and search terms about human rights, democracy, religion, and peaceful protest.
One can only wonder whether it is some part of a broader strategy, how to spread channels of influence abroad.
https://theintercept.com/2018/08/01/google-china-search-engine-censorship/

There is a great blog published on a Trail of Bits about the recent invalid elliptic curve point attack against the Bluetooth implementations.
Give it a try if you are interested, it's really easy to read!
https://blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/amp/

A borough and a town in Alaska have been hit by a devastating ransomware attack, forcing employees to completely stop using computers and go back to typewriters and hand receipts.
https://mashable.com/2018/08/02/malware-alaska-town

BYOB (Build Your Own Botnet) is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop countermeasures against these threats.
https://github.com/colental/byob

FireEye wrote article about the internals of a FIN7 hacking group global operation.
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

WireGuard, next generation VPN software, is finally submitted for the Linux kernel inclusion. Linus Torvalds commented the pull request:
"I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."
https://marc.info/?l=linux-netdev&m=153306429108040&w=2
http://lists.openwall.net/netdev/2018/08/02/124

Malhunt: automated malware search in memory dumps using volatility and Yara rules.
https://github.com/andreafortuna/malhunt

InfoSec Week 19, 2018

There is a first ransomware which is taking advantage of a new Process Doppelgänging fileless code injection technique. Working on all modern versions of Microsoft Windows, since Vista. This variant of a known SynAck ransomware is using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process.
https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/

Security researchers from the Dutch information security company Computes has found that some Volkswagen and Audi cars are vulnerable to remote hacking. They were able to exploit vehicle infotainment systems. The possible attackers could track car location as well as listen to the conversations in a car.
https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking/

Twitter found a bug that stored user passwords unmasked in an internal log, there is no indication of a breach, but all Twitter users should change their passwords.
https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

There is a breakthrough cryptographic attack on 5-round AES using only 2^22 (previous best was 2^32) presented at CRYPTO 2018. It is joint work of Nathan Keller, Achiya Bar On, Orr Dunkelman, Eyal Ronen and Adi Shamir. This kind of attack is good when evaluating the security of a cipher, it does not have any real world implication as the AES is using at least 10 rounds in production implementations.
https://eurocrypt.2018.rump.cr.yp.to/a7141747a6c49798313a278e9a70afe2.pdf

Bug hunter which found multiple vulnerabilities in the 7-zip software used by anti-virus vendors wrote an blog on how to exploit one of such bugs. Interesting read.
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/

The 360 Core Security Division response team detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability (CVE-2018-8174). It is a remote code execution vulnerability of Windows VBScript engine and affects the latest version of Internet Explorer.
Microsoft patched this vulnerability few days ago and credited Chinese researchers.
http://blogs.360.cn/blog/cve-2018-8174-en/

Source code of TreasureHunter Point-of-Sale malware leaks online.
https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/

The ssh-decorator package from Python pip had an obvious backdoor (sending ip+login+password to ssh-decorate[.]cf in cleartext HTTP).
https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package/

Luke Picciau wrote about his experience with Matrix and it's Riot messenger for one year.
https://itscode.red/posts/1-year-using-matrix/

There is a first official version 1.0 RC of Briar for Android.
Briar is an open-source End-to-end encrypted Bluetooth / WiFi / Tor based mesh-networking (decentralized) messaging application.
https://briarproject.org/download.html

The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection.
https://github.com/guardicore/monkey

InfoSec Week 16, 2018

Google disables domain fronting capability in their App Engine, which was used to evade censorship. What a fortunate timing.
https://arstechnica.com/information-technology/2018/04/google-disables-domain-fronting-capability-used-to-evade-censors/

Bloomberg published article on how Palantir is using the War on Terror tools to track American citizens.
https://www.bloomberg.com/features/2018-palantir-peter-thiel/

Third-party javascript trackers are actively exfiltrating personal identifiers from websites which uses "login with Facebook" button and other such social login APIs.
https://freedom-to-tinker.com/2018/04/18/no-boundaries-for-facebook-data-third-party-trackers-abuse-facebook-login/

The U.S. and the UK blame Russia for a campaign of hacks into routers, switches and other connected infrastructure.
https://www.forbes.com/sites/thomasbrewster/2018/04/16/russia-accused-of-hacking-network-infrastructure/

One of the people charged for the Reveton ransomware trojan was actually working as a Microsoft network engineer.
https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/

Intel processors now allow antivirus (mostly Microsoft right now) to Use built-in GPUs for in-memory malware scanning.
https://arstechnica.com/gadgets/2018/04/intel-microsoft-to-use-gpu-to-scan-memory-for-malware/

Avast shared CCleaner breach timeline. They were infiltrated via TeamViewer. More than 2.3 million users, 40 companies infected.
https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer

Nice blog post about the quantum resistant hash-based signature schemes. No public key cryptography.
https://blog.cryptographyengineering.com/2018/04/07/hash-based-signatures-an-illustrated-primer/

New Android P enables users to change default DNS server, it will also support DNS over TLS.
https://www.androidpolice.com/2018/04/14/google-explains-new-private-dns-setting-android-p/

There is a new web standard for authentication, designed to replace password login method with the public key cryptography and biometrics.
https://www.w3.org/TR/2018/CR-webauthn-20180320/

OpenSSL is vulnerable to a cache timing vulnerability in RSA Key Generation (CVE-2018-0737).
Could be theoretically exploited by some hypervisor, but they have decided not to release emergency fix.
https://mta.openssl.org/pipermail/openssl-announce/2018-April/000122.html

The Endgame has released Ember (Endgame Malware BEnchmark for Research), an open source collection of 1.1 million portable executable file metadata & derived features from the PE files, hashes and a benchmark model trained on those features.
https://github.com/endgameinc/ember

InfoSec Week 13, 2018

The city of Atlanta government has become the victim of a ransomware attack. The ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees were told to turn off their computers.
https://arstechnica.com/information-technology/2018/03/atlanta-city-government-systems-down-due-to-ransomware-attack/

The academic researchers have discovered a new side-channel attack method called BranchScope that can be launched against devices with Intel processors and demonstrated it against an SGX enclave. The patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

Good insight into the ransomware business and how it operates, how it transfers Bitcoin funds, with data gathered over a period of two years.
The paper is named "Tracking Ransomware End-to-end"
https://www.elie.net/static/files/tracking-ransomware-end-to-end/tracking-ransomware-end-to-end.pdf

Mozilla has created a Facebook Container extension for Firefox, which should enable users to protect their online habits by sandboxing Facebook webpage.
https://blog.mozilla.org/firefox/facebook-container-extension/

Interesting article about the North Korean army of hackers operating abroad with the mission to earn money by any means necessary.
https://www.bloomberg.com/news/features/2018-02-07/inside-kim-jong-un-s-hacker-army

Unified logs in the MacOS High Sierra (up to 10.13.3) show the plain text password for APFS encrypted external volumes via disk utility application.
https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp

SophosLabs researchers analyzed a new Android malware which is pretending to he a legitimate QR reader application, but actually is monetizing users by showing them a flood of full-screen advertisements. More than 500k apps were installed.
https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities/

Brian Krebs analyzed the social network behind the recently famous Coinhive javascript cryptocurrency mining business.
https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/

CloudFlare published a Merkle Town dashboard, Certificate Transparency logs visualization tool.
https://blog.cloudflare.com/a-tour-through-merkle-town-cloudflares-ct-ecosystem-dashboard/

Facebook is tracking users' phone call information via their Android Messenger application.
https://twitter.com/i/web/status/977325434030428160

There are multiple critical vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp

New version (4.0) of the most secure operating system on the planet - Qubes OS was released.
https://www.qubes-os.org/news/2018/03/28/qubes-40/

InfoSec Week 5, 2018

A.P. Moller–Maersk Group, the world's largest container shipping company, reinstalled 45000 PCs and 4000 Servers to recover from the NotPetya ransomware attack.
https://www.bleepingcomputer.com/news/security/maersk-reinstalled-45-000-pcs-and-4-000-servers-to-recover-from-notpetya-attack/

The U.S. Secret Service is warning financial institutions that ATM jackpotting attacks are targeting cash machines in the United States. Attackers are able to empty Diebold Nixdorf and possibly other ATM machines with malware, endoscope and social engineering skills.
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

Microsoft disables Spectre software mitigation released earlier this month due to system instability.
http://www.securityweek.com/microsoft-disables-spectre-mitigations-due-instability

Data from the fitness tracking app Strava gives away the location of sensitive locations like army bases.
https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

China built African union building for free, but the building is riddled with microphones and computers are transmitting all voice data back to servers in Shanghai.
https://twitter.com/i/web/status/957879611513278464

Journalist Marc Miller has interviewed one of the hackers of the ICEMAN group behind "Emmental" phishing campaign targeting bank clients.
https://securityaffairs.co/wordpress/64349/cyber-crime/iceman-hacker-interview.html

Errata Security blog about the political nature of the cyber attack attribution. Mostly about the WannaCry and North Korea connection, but it is a good overview on attribution bias in general.
http://blog.erratasec.com/2018/01/the-problematic-wannacry-north-korea.html

Great article about the largest malvertising campaign of a last year. So called Zirconium group operated up to 30 different ad agencies which enabled them to redirect users to the exploit kits, malware downloads and click fraud websites.
https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85

AutoSploit is an automated exploitation tool written in python. It is able to search for targets using Shodan.io API and exploiting them with Metasploit.
https://github.com/NullArray/AutoSploit

InfoSec Week 2, 2018

New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.
https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/

Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.
http://depastedihrn3jtw.onion.link/show.php?md5=ee7136ac48fa59fba803b9fbcbc6d7b9
http://depastedihrn3jtw.onion.link/show.php?md5=7e7bfe406315f120d8ed325ffb87670b

A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.
https://www.bleepingcomputer.com/news/security/hc7-planetary-ransomware-may-be-the-first-to-accept-ethereum/

There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
https://twitter.com/dragosr/status/949822668563365889

Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.
https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.
http://seclists.org/fulldisclosure/2018/Jan/12

Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
http://blog.virustotal.com/2018/01/virustotal-graph.html

A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.
https://github.com/RealJTG/Meltdown

InfoSec Week 1, 2018

Daniel Shapira from Twistlock wrote a blog about exploiting a Linux kernel vulnerability in the waitid() syscall (CVE-2017-5123) in order to modify the Linux capabilities of a Docker container, gain privileges and escape the container jail.
https://www.twistlock.com/2017/12/27/escaping-docker-container-using-waitid-cve-2017-5123/

There is a critical hardware bug in the Intel chips, which enables a user level process to access kernel address space, thus read other processes memory. Cloud providers and OS makers are preparing software patches, but the performance penalty could be significant. According to the Wired:
"[researchers] confirmed that when Intel processors perform that speculative execution, they don't fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution."
http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/

The guy dumped PlayStation 4 kernel by leaking arbitrary memory into accessible crashdumps.
https://fail0verflow.com/blog/2017/ps4-crashdump-dump/

ACM published article about more than 2 decades old ransomware experiments with the name "Cryptovirology: The Birth, Neglect, and Explosion of Ransomware".
https://cacm.acm.org/magazines/2017/7/218875-cryptovirology/fulltext

Nice write up about exploit development for the arbitrary command execution on a BMC Server Automation remote agent software.
https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/

MacOS-only 0day vulnerability published on a last day of 2017. It is an IOHIDSystem kernel vulnerability that can be exploited by any unprivileged user.
https://siguza.github.io/IOHIDeous/

Edward Snowden’s open source Haven application uses smartphone sensors to detect physical tampering.
https://github.com/guardianproject/haven

PiKarma detects wireless network attacks performed by KARMA module (fake AP). Starts deauthentication attack (for fake access points).
https://github.com/WiPi-Hunter/PiKarma

InfoSec Week 46, 2017

Multiple critical vulnerabilities were found in the Intel Management Engine, Trusted Execution Engine and Server Platform Services by Intel audit after 3rd party researchers reported the privilege escalation vulnerability.
http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-management-engine-affecting-millions/

If you have a vulnerable F5, basically attackers can sign anything with your RSA private key. An F5 BIG-IP virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages.
https://support.f5.com/csp/article/K21905460

MalwareHunterTeam discovered a new variant of the CryptoMix ransomware. It uses hardcoded RSA keys and can work offline.
https://securityaffairs.co/wordpress/65716/malware/cryptomix-ransomware-2.html

Attackers are using Microsoft’s Office documents Dynamic Data Exchange protocol to download and install malware. Microsoft does not consider it a vulnerability.
https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware-attacks

Nice step by step guide on how to put shellcode into a legitimate PE file, and make it undetectable.
https://haiderm.com/fully-undetectable-backdooring-pe-files/

Extensive review of U2F hardware devices.
https://github.com/hillbrad/U2FReviews

al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of nowadays malware tricks and the goal is to see if you stay under the radar.
https://github.com/LordNoteworthy/al-khaser

Puffs is a domain-specific language and library for parsing untrusted file formats safely. Examples of such file formats include images, audio, video, fonts and compressed archives.
https://github.com/google/puffs


Page 1 / 4