Tag Russia

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.
http://seclists.org/fulldisclosure/2017/Dec/85

Matthew Green thinks that the recently discovered "Extended Random" extension of the RSA’s BSAFE TLS library found in the older Canon printers could be NSA backdoor.
https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/

Filippo Valsorda presented the key recovery attack against the carry bug in x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption affected.
https://events.ccc.de/congress/2017/Fahrplan/events/9021.html

Explanation how web trackers exploit browser login managers to track users on the Internet.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.
https://www.unian.info/world/2319991-russian-hacker-says-fsb-involved-in-creation-of-wannacry-malware.html

Short blog about the cracking encrypted (40-bit encryption) PDFs using hashcat.
https://blog.didierstevens.com/2017/12/27/cracking-encrypted-pdfs-part-2/

Crooks behind the VenusLocker ransomware to Monero mining. They are executing Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.
https://blog.fortinet.com/2017/12/20/group-behind-venuslocker-switches-from-ransomware-to-monero-mining

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.
https://lite.cnn.io/en/article/h_910710e71e532e73a80deb1294a2db7c

Proofpoint researchers published paper on largely undocumented LazarusGroup campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new

InfoSec Week 49, 2017

The "Janus" Android vulnerability (CVE-2017-13156) allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. The vulnerability allows attackers to inject malware into legitimate application and avoiding detection.
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures

According to the research by Hanno Böck, Juraj Somorovsky and Craig Young, the Bleichenbacher’s attack on RSA PKCS#1v1.5 encryption still works on almost 3% of the Alexa top million most visited websites. The researchers were even able to sign a message using Facebook’s private TLS key. Vendors like Citrix, F5, Cisco, and multiple SSL implementations are affected.
https://robotattack.org/

HP had a keylogger in the Touchpad driver, which was disabled by default, but could be enabled by setting a registry value.
https://zwclose.github.io/HP-keylogger/

There is a remote root code execution flaw (CVE-2017-15944) in the Palo Alto Networks firewalls.
http://seclists.org/fulldisclosure/2017/Dec/38

Researchers from the Group-IB spotted the operations of a Russian-speaking MoneyTaker group that stole as much as $10 million from US and Russian banks.
https://securityaffairs.co/wordpress/66591/cyber-crime/moneytaker-group.html

Recorded Future analyzed costs of various cybercriminal services sold on the dark market.
https://www.recordedfuture.com/cyber-operations-cost/

Internet traffic for organizations such as Google, Apple, Facebook, Microsoft, Twitch were briefly rerouted to Russia.
https://bgpmon.net/popular-destinations-rerouted-to-russia/

Microsoft started rolling out an update for Malware Protection Engine to fix a remotely exploitable bug discovered by the British intelligence agency.
https://www.bleepingcomputer.com/news/security/microsoft-fixes-malware-protection-engine-bug-discovered-by-british-intelligence/

Avast open-sources RetDec machine-code decompiler for platform-independent analysis of executable files. It's based on LLVM.
https://blog.avast.com/avast-open-sources-its-machine-code-decompiler

Wireless network sniffer Kismet now supports the DJI DroneID UAV telemetry extensions.
http://blog.kismetwireless.net/2017/11/dji-uav-drone-id.html

Wazuh - Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level.
It supports log management and analysis, integrity monitoring, anomaly detection and compliance monitoring.
https://github.com/wazuh/wazuh

Wifiphisher is an automated victim-customized phishing attacks against Wi-Fi clients.
https://github.com/wifiphisher/wifiphisher

InfoSec Week 44, 2017

There are at least 14 newly discovered vulnerabilities in the Linux kernel USB subsystem. The vulnerabilities were found by the Google syzkaller kernel fuzzer. According to the researchers, all of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine.
http://www.openwall.com/lists/oss-security/2017/11/06/8

Mozilla will remove root certificate of the Staat der Nederlanden (State of the Netherlands) Certificate Authority from Firefox browser if the Dutch government vote a new law that grants local authorities the power to intercept Internet communication using "false keys".
https://www.bleepingcomputer.com/news/security/mozilla-wants-to-distrust-dutch-https-provider-because-of-local-dystopian-law/

Bug hunter Scott Bauer has published an in depth analysis of the Android remotely exploitable bug in the blog post named "Please Stop Naming Vulnerabilities: Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones".
https://pleasestopnamingvulnerabilities.com/

Some web pages use textfield with the CSS "asterix" trick instead of the password field so they can bypass browser security warning when password field is on an unencrypted web page. Nonsense.
https://www.troyhunt.com/bypassing-browser-security-warnings-with-pseudo-password-fields/

More than 54 thousand have the same pair of 512-bit RSA keys as their DNS Zone Signing Keys.
https://lists.dns-oarc.net/pipermail/dns-operations/2017-October/016878.html

Good blog from the ElcomSoft about the history and current possibilities in the iOS and iCloud forensics.
https://blog.elcomsoft.com/2017/11/the-art-of-ios-and-icloud-forensics/

The Norwegian National Communications Authority reported GPS signal jamming activity in the Finnmark region near the Russian border.
https://twitter.com/aallan/status/926553232591159296/photo/1
https://rntfnd.org/wp-content/uploads/Norway-Comms-Auth-Report-GPS-Jamming-Sept-2017.pdf

Mac and Linux versions of the Tor anonymity software contained a flaw that can leak users real IP addresses.
https://blog.torproject.org/tor-browser-709-released

Software and HDL code for the PCILeech FPGA based devices that can be used for the Direct Memory Access (DMA) attack and forensics is now available on a GitHub. The FPGA based hardware provides full access to 64-bit memory space without having to rely on a kernel module running on the target system.
https://github.com/ufrisk/pcileech-fpga

InfoSec Week 39, 2017

Security researcher Gal Beniamini from Google has discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips and published working exploit after notifying affected parties.
https://googleprojectzero.blogspot.sk/2017/10/over-air-vol-2-pt-2-exploiting-wi-fi.html

Google engineers also found multiple flaws and vulnerabilities in the popular DNS software package - Dnsmasq. The patches are now committed to the project’s git repository. Make sure to upgrade to v2.78.
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

Arbor Networks researchers attributed Flusihoc DDoS botnet to the Chinese origins. More than 154 different command and control servers were used during the years, with over 48 still active right now.
https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/

HP Enterprise shared ArcSight source code with the Russians.
https://www.schneier.com/blog/archives/2017/10/hp_shared_arcsi.html

The vulnerability in Siemens industrial switches allows an unauthenticated attacker who has access to the network to remotely perform administrative actions.
https://ics-cert.us-cert.gov/advisories/ICSA-17-271-01

Computer manufacturer company Purism is currently running crowdfunding campaign to finance Librem 5 – A Security and Privacy Focused Phone.
From the campaign webpage:
"Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers."
Support them!
https://puri.sm/shop/librem-5/

Microsoft announced new cloud-based memory corruption bug detector with the codename Project Springfield.
https://blogs.microsoft.com/ai/2016/09/26/microsoft-previews-project-springfield-cloud-based-bug-detector/

Super-Stealthy Droppers - Linux "Diskless" binary execution by example.
https://0x00sec.org/t/super-stealthy-droppers/3715

InfoSec Week 25, 2017

Ukrainian critical infrastructure, including banks, Kyiv’s metro system, the airport and the Chernobyl's radiation monitoring system, was hit by the worldwide malware campaign.
The attack is believed to be a new campaign by the group behind Petya ransomware. It takes advantage of the known SMB exploit (EternalBlue), and is spreading fast to the other countries.
https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
https://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

Indian ATMs running outdated Windows XP are suffering jackpotting attack by the Rufus ATM malware.
http://securityaffairs.co/wordpress/60220/breaking-news/rufus-malware-atm.html

Analysis of a new Marcher Android banking trojan variant which is posing as Adobe Flash Player Update.
https://www.zscaler.com/blogs/research/new-android-marcher-variant-posing-adobe-flash-player-update

The Russian government is threatening to ban Telegram messenger because it refused to be compliant with the data protection laws.
http://securityaffairs.co/wordpress/60449/terrorism/russia-telegram-ban.html

Bug hunter from Google, Tavis Ormandy, has found yet another serious vulnerability in the Microsoft's Malware Protection Engine.
http://www.databreachtoday.com/google-security-researcher-pops-microsofts-av-defenses-a-10058

The Hardware Forensic Database (HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools.
http://hfdb.io/

Good summary of the most common memory based attacker techniques such as shellcode injection, reflective DLL injection or process hollowing.
https://www.endgame.com/blog/technical-blog/hunting-memory

InfoSec Week 23, 2017

Turla malware is communicating with the C&C infrastructure by leaving comments in Britney Spears's Instagram account.
https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/

The gang behind Platinum threat is using Intel Active Management technology Serial-over-LAN channel to bypass the software firewall when transferring files, due to operating system independence of this low level technology.
https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/

Montenegro is continuously targeted by cyber attacks attributed to the APT28 group as a part of a broader influence campaign.
http://securityaffairs.co/wordpress/59820/apt/apt28-targets-montenegro.html

MacSpy malware-as-a-service is a feature rich RAT targeting OS X operating system.
https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service

IBM researchers analyzed QakBot banking trojan responsible for "lock out" of the hundreds of Active Directory users.
https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/

A Linux malware is installing cryptocurrency mining software on Raspberry Pi via SSH. It's using only default SSH user & passphrase.
https://www.bleepingcomputer.com/news/security/linux-malware-mines-for-cryptocurrency-using-raspberry-pi-devices/

The GNU Privacy Guard (GnuPG) developers start new fundraising effort for the continued development of this well known encryption software.
If you want to know more about the capabilities of GnuPG, check the linked "An Advanced Intro to GnuPG" presentation from the last year.
Please, donate.
https://gnupg.org/donate/
https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html