Tag Sophos

InfoSec Week 44, 2018

The US federal prosecutors say that Chinese spies hacked dozen firms to steal aviation engineering secrets for the Chinese aerospace company.
https://arstechnica.com/tech-policy/2018/10/feds-say-chinese-spies-and-their-hired-hackers-stole-aviation-secrets/

Apple's ICMP packet-handling code contains a heap buffer overflow vulnerability (CVE-2018-4407).
Exploit can DoS any Mac, iOS device on a network by sending a crafted packet. The ping of death is back.
https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407

Microsoft is sharing Indian bank customers' data with U.S. intelligence agencies.
Looks like the banks were aware of it, when they have signed the Office 365 license agreements.
https://www.neowin.net/news/microsoft-has-been-sharing-indian-bank-customers039-data-with-us-intelligence-agencies

Google announced the launch of reCAPTCHA v3, which aims to improve user experience by removing the need for challenges. It uses the score based on the user on-site interactions.
https://developers.google.com/recaptcha/docs/v3

The end-to-end encrypted instant messaging application Signal introduced a new "Sealed sender" privacy feature that is protecting the sender before traffic observation.
https://signal.org/blog/sealed-sender/

Multiple malicious python libraries found and removed from PyPI. Guys are typo-squatting popular repository names and deliver malware.
https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

Great list of lessons learned over 20 years of red teaming by security expert Matt Devost.
https://www.oodaloop.com/ooda-original/2015/10/22/10-red-teaming-lessons-learned-over-20-years/

Cisco Talos researchers found a code execution vulnerability in the anti-malware tool Sophos HitmanPro.Alert.
https://www.scmagazineuk.com/vulnerability-found-sophos-anti-malware-product/article/1497367

Researcher Jay Rosenberg documents clear connection between one of Lazarus Group's tools and an open source Chinese CasperPhpTrojan remote access trojan.
https://www.intezer.com/paleontology-the-unknown-origins-of-lazarus-malware/

Apple releases specification of T2 security chip.
https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf

Researchers announced a fast attack breaking OCB2, an ISO-standard authenticated encryption scheme.
https://eprint.iacr.org/2018/1040

InfoSec Week 15, 2018

The U.S. Secret Service is warning about a new scam scheme where the crooks are intercepting new debit cards in the mail and replace the chips on the cards with chips from old cards. Once owners activate the cards, crooks will use stolen chips for their financial gain.
https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/

Russian state regulator Roskomnadzor have ordered to block the Telegram messaging application 48 hours after it missed a deadline to give up encryption keys to the online conversations of its users. I am not sure whether the Telegram protocol is actually blocked in Russia now.
https://phys.org/news/2018-04-russian-block-telegram-messaging-app.html

A new Android P version will enforce applications to communicate over TLS secured connection by default.
https://android-developers.googleblog.com/2018/04/protecting-users-with-tls-by-default-in.html

Kudelski Security published a walk-through guide about Manger's attack against RSA OAEP. 1-bit leak from oraculum suffices to decrypt ciphertexts.
https://research.kudelskisecurity.com/2018/04/05/breaking-rsa-oaep-with-mangers-attack/

In depth article about stealing FUZE credit card content via Bluetooth.
https://blog.ice9.us/2018/04/stealing-credit-cards-from-fuze-bluetooth.html

Understanding Code Signing Abuse in Malware Campaigns. Pretty good statistics.
https://blog.trendmicro.com/trendlabs-security-intelligence/understanding-code-signing-abuse-in-malware-campaigns/

There is a vulnerability that results in a bypass of a tamper protection provided by the Sophos Endpoint Protection v10.7. Protection mechanism can be bypassed by deleting the unprotected registry key.
http://seclists.org/fulldisclosure/2018/Apr/6

Several vulnerabilities have been found in the Apache HTTPD server. Update now.
http://seclists.org/bugtraq/2018/Apr/6

Microsoft Windows tool certutil.exe for displaying certification authority information can be used to fetch data from the internet in the similar fashion like WGET or CURL.
https://isc.sans.edu/diary/rss/23517

There is a paper about breaking 256-bit security (NIST post-quantum candidate) WalnutDSA in under a minute.
https://eprint.iacr.org/2018/318

Snallygaster - a Tool to Scan for Secrets on Web Servers
https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html

Nice map of the ongoing Linux kernel defenses. The map shows the relations between the vulnerability classes, current kernel defenses and bug detection mechanisms.
https://github.com/a13xp0p0v/linux-kernel-defence-map

InfoSec Week 20, 2017

Researchers published WannaCry ransomware decryption tool for older Windows (XP, 2003, 7). It uses bug in the Windows Crypto API which does not immediately erase private key. The application is crawling the computer memory, looking for the prime numbers which can divide the public key used for the encryption.
https://github.com/gentilkiwi/wanakiwi/releases

Google introduced behavior-based malware scanner to every Android device. It's part of the Google Play Service and scans installed apps and provides phone tracking in the case of theft.
https://blog.google/products/android/google-play-protect/

Croatian CERT honeypot detected a new SMB worm which uses seven tools from the NSA hacking toolkit. It uses Tor based C&C server, currently only beaconing the server, and spreading using the SMB exploit.
https://github.com/stamparm/EternalRocks

Research by the Recorded Future and the Intrusiontruth group concludes that so-called APT3, widely believed to be a China-based threat actor, is directly connected to the Chinese Ministry of State Security (MSS).
https://www.recordedfuture.com/chinese-mss-behind-apt3/
https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/

Sophos discovered malware infecting Seagate NAS devices which turn them into Monero cryptocurrency miners. However, “This threat is not targeting the Seagate Central device specifically; however, the device has a design flaw that allows it to be compromised. Most all of these devices have already been infected by this threat.” https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Cryptomining-malware-on-NAS-servers.pdf?la=en

Wikileaks released another CIA malware spying framework. Called 'Athena', the program "provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10)."
https://wikileaks.org/vault7/#Athena

Maltrail is a malicious traffic detection system, utilizing publicly available lists containing malicious and generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists.
https://github.com/stamparm/maltrail