Tag spam

InfoSec Week 18, 2018

Multiple tech giants like Apple, Microsoft, Google and others formed an industry coalition and have joined security experts in criticizing encryption backdoors, after Ray Ozzie's CLEAR key escrow idea was widely derided. He basically proposed a scheme where the users have no control over their own devices, but the devices can be securely forensically analyzed by the government agencies.
https://www.zdnet.com/article/coalition-of-tech-giants-hit-by-nsa-spying-slams-encryption-backdoors/
https://github.com/rayozzie/clear/blob/master/clear-rozzie.pdf

There is an information leaking vulnerability via crafted user-supplied CDROM image.
"An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu device model process."
QubesOS operationg system is not affected due to the properly compartmentalized architecture.
http://seclists.org/oss-sec/2018/q2/71

Great in-depth blog about the reconstruction of the exploit created by the CIA's "Engineering Development Group" targeting MikroTik's RouterOS embedded operating system. This exploit was made public by the WikiLeaks last year.
http://blog.seekintoo.com/chimay-red.html

Bypassing authentication and impersonating arbitrary users in Oracle Access Manager with padding oracle. The guy basically broke Oracles home grown cryptographic implementation.
https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/

There is a critical privilege escalation vulnerability affecting Apache Hadoop versions from 2.2.0 to 2.7.3.
http://seclists.org/oss-sec/2018/q2/82

According to the Arbor Networks' security researchers have claimed that the anti-theft software Absolute LoJack is serving as an espionage software modified by the Russia-based Fancy Bear group.
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/

Wired wrote an article about the famous Nigerian 419 scammers, their culture and why they are still flourishing.
https://www.wired.com/story/nigerian-email-scammers-more-effective-than-ever/

Matrix and Riot instant messenger applications are confirmed as the basis for the France’s government initiative to implement federated secure messenger.
https://matrix.org/blog/2018/04/26/matrix-and-riot-confirmed-as-the-basis-for-frances-secure-instant-messenger-app/

Amazon threatens to suspend Signal's secure messenger AWS account over censorship circumvention. They are using different TLS Server Name Indication - "domain fronting" - when establishing connection to circumvent network censorship, but Amazon says it is against their terms of services.
https://signal.org/blog/looking-back-on-the-front/

Respected German CT-Magazine says that there are 8 new Spectre vulnerabilities found in the Intel processors.
https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html

InfoSec Week 3, 2018

Notoriously known Necurs spam botnet is sending millions of spam emails that are pumping shitcoin cryptocurrency named Swisscoin. Attackers are probably invested and are expecting to do pump-and-dump scheme.
https://www.bleepingcomputer.com/news/cryptocurrency/worlds-largest-spam-botnet-is-pumping-and-dumping-an-obscure-cryptocurrency/

Nice article on Russia's hacking capabilities against the foreign critical infrastructure.
https://www.fastcompany.com/40515682/the-other-scary-foreign-hacking-threat-trump-is-ignoring

Taiwanese police has handed malware-infected USB sticks as prizes for cybersecurity quiz. The malware was some old sample trying to communicate with non-existing C&C server in Poland. The thumb drives were infected by third-party contractor.
https://www.theregister.co.uk/AMP/2018/01/10/taiwanese_police_malware/

New research is analyzing usage of the Certificate Authority Authorization (CAA) DNS records. CAA records enable domain owners to explicitly tell which certificate authority may issue digital certificates for their domain. Only 4 of the large DNS operators that dominate the Internet’s DNS infrastructure enabled their customers to configure CAA records, but things are getting better after this audit.
https://caastudy.github.io/

Lenovo engineers have discovered a backdoor affecting RackSwitch and BladeCenter switches running ENOS (Enterprise Network Operating System). The company already released firmware updates.
The backdoor was added to the source code in 2004 when it was maintained by Nortel.
https://www.bleepingcomputer.com/news/security/lenovo-discovers-and-removes-backdoor-in-networking-switches/

Nice technical report about PowerStager, Python / C / PowerShell malware used in the Pyeongchang Olympic themed spear phishing attack.
https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

InfoSec Week 3, 2017

Trustwave released the Carbanak gang campaign threat report called "Operation Grand Mars". The paper explains the modus operandi of the Carbanak group, malware distribution techniques, attack vectors. The interesting point is that the group uses Google Apps, Sheets and Forms as a part of their Command & Control infrastructure. But Trustware is not the only one reporting about this.
https://www2.trustwave.com/rs/815-RFM-693/images/Operation%20Grand%20Mars.pdf https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-command-and-control

After unsecured MongoDB, cyber-criminals have taken control of and wiped the data from CouchDB and Hadoop databases as well.
https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-couchdb-and-hadoop-servers/

Xylitol malware researcher discovered new Ransomware as a Service platform named Satan. Satan admin page is a Tor hidden service accepting Bitcoins. The administration panel also contains Droppers section, where the affiliates can create malicious Microsoft Word macros or CHM installers.
https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/ https://twitter.com/Xylit0l/status/821757718885236740

Blog post about the Ursnif banking trojan recent email campaign. It pretends to be DHL package notification email.
https://benkowlab.blogspot.ch/2017/01/a-journey-inside-ursnif-campaign.html

Proofpoint researchers discovered infection technique which is trying to trick users into downloading a font update package - malware - for their browser.
https://www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme

Members of the Hamas Palestinian militant group have posed as women and tricked Israeli soldiers into installing malware on their phones.
https://www.bleepingcomputer.com/news/government/israeli-military-tricked-into-installing-malware-by-hamas-agents-posing-as-women/

Brian Krebs links young man named Paras Jha, owner of a distributed denial-of-service (DDoS) attack mitigation company ProTraf Solutions, to the Anna-Senpai pseudonym, creator and admin of the Mirai IoT worm.
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

Iranian OilRig malware is using digitally signed malware and fake University of Oxford domains targeting government agencies, financial institutions and technology companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait and Qatar, the United States, and Turkey.
http://securityaffairs.co/wordpress/55145/apt/oilrig-apt-itan.html