Tag Spectre

InfoSec Week 30, 2018

Researchers from the Palo Alto Networks analyzed new Mirai and Gafgyt IoT/Linux botnet campaigns. The samples used more than 11 exploits for spreading, exploiting D-Link, Dasan GPON routers.
https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

Brian Krebs published a blog post about the current status of the Universal 2nd Factor (U2F) support. Google practically eliminated employee phishing by introducing mandatory usage of the physical security keys.
https://krebsonsecurity.com/2018/07/google-security-keys-neutered-employee-phishing/

There is a new module for the CHIPSEC Security Assessment Framework to check CPU USB debug features and host Direct Connection Interface (DCI), which can be used to modify system firmware with physical access and introduce "Evil Maid" firmware attacks.
https://blog.eclypsium.com/2018/07/23/evil-mai%EF%BB%BFd-firmware-attacks-using-usb-debug/

Chinese police arrested malware developers for hacking millions of computers to steal $2 million in cryptocurrencies.
https://www.ccn.com/chinese-police-arrest-malware-developers-who-hacked-2-million-in-crypto/

Paper on a new Spectre variant called SpectreRSB was published with the name "Spectre Returns! Speculation Attacks using the Return Stack Buffer".
According to a paper „none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks.“
https://arxiv.org/abs/1807.07940

The source code of an Exobot Android Banking Trojan has been leaked online back in May has rapidly spread in the malware community.
https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/

Because of insufficient validation of parameters in many Bluetooth implementations, attackers can inject invalid elliptic curve parameters which aren’t checked by many implementations in an invalid public key making session keys vulnerable.
https://www.kb.cert.org/vuls/id/304725

The Cisco Talos security team found multiple vulnerabilities, including remote code execution vulnerability in the Sony IPELA E series network camera. https://blog.talosintelligence.com/2018/07/sony-ipela-vulnerability-spotlight-multiple.html

NSA declassified papers from John Tiltman, one of Britain’s top cryptanalysts during the Second World War, which reveal how pre-world war 2 Brits analyzed and decrypted Russian cryptography.
https://www.theregister.co.uk/2018/07/19/russia_one_time_pads_error_british/

InfoSec Week 25, 2018

Marcus Brinkmann demonstrated how some configuration options in the GnuPG allow remote attackers to spoof arbitrary signature. He used the embedded “filename” parameter in OpenPGP literal data packets, together with the verbose option set in their gpg.conf file.
https://neopg.io/blog/gpg-signature-spoof/

Tapplock Smart Lock has critical bugs making it a trivial protection. They are using the AES key derived from the MAC address, so anyone with a Bluetooth enabled smartphone can pick up the key upon getting to a smart lock Bluetooth range.
https://latesthackingnews.com/2018/06/16/tapplock-smart-lock-is-having-a-bad-time-two-bugs-reported-in-one-week/

Crooks are injecting credit card stealing backdoor to the config files of a hacked Magento e-commerce platforms. They can reinfect the rest of code base over and over again with the config load.
https://thehackernews.com/2018/06/magento-security-hacking.html

Updated Satori botnet began to perform network wide scan looking for exploitable XiongMai uc-httpd 1.0.0 devices (CVE-2018-10088).
https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/

Baby Monitors in the USA were hacked via obscure Chinese IoT cloud. The woman from the Facebook post claims that someone controlled the camera remotely and spied on her, possibly listened in to conversations.
https://www.sec-consult.com/en/blog/2018/06/true-story-the-case-of-a-hacked-baby-monitor-gwelltimes-p2p-cloud/

OpenBSD disables Intel's hyper-threading due to possible exploitable spectre-class bugs in the architecture.
https://www.mail-archive.com/source-changes@openbsd.org/msg99141.html

Linux is getting support for in-kernel hibernation encryption. Encrypts disk-image memory, thereby increasing the general security of full-disk encryption on Linux and reducing the attack surface.
http://lkml.iu.edu/hypermail/linux/kernel/1806.2/03567.html

OTSECA - (ot)her (sec)urity (a)wareness is an open source security auditing tool to search and dump system configuration. It allows you to generate reports in HTML or RAW-HTML formats.
https://github.com/trimstray/otseca

InfoSec Week 21, 2018

500,000 routers in more than 50 countries are infected with the malware targeting routers. Primarily home devices like Linksys, MikroTik, NETGEAR and TP-Link.
Cisco's Talos Security attributed malware to the future Russian cyber operations against the Ukraine. The US FBI agents seize control of the botnet.
https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://www.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet

The Internet Archive's Wayback Machine is deleting evidence on the malware sellers. They have removed from their archive a webpage of a Thailand-based firm FlexiSpy, which offers desktop and mobile malware.
https://motherboard.vice.com/en_us/article/nekzzq/wayback-machine-deleting-evidence-flexispy

According to the McAfee team, North Korean threat actor Sun Team is targeting defectors using the malicious Android applications on Google Play.
https://securingtomorrow.mcafee.com/mcafee-labs/malware-on-google-play-targets-north-korean-defectors/

Don't use sha256crypt & sha512crypt primitives as shipped with GNU/Linux, they're leaking information about the password via time duration of a hashing operation.
Not critical vulnerability, but good to know.
https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/

The Intercept published an interesting article about the Japanese signals intelligence agency, based on Snowden's leaks.
https://theintercept.com/2018/05/19/japan-dfs-surveillance-agency/

The US FBI repeatedly overstated encryption threat figures to Congress and the public.
https://www.washingtonpost.com/world/national-security/fbi-repeatedly-overstated-encryption-threat-figures-to-congress-public/2018/05/22/5b68ae90-5dce-11e8-a4a4-c070ef53f315_story.html

The US internet provider Comcast was leaking the usernames and passwords of customers’ wireless routers to anyone with the valid subscriber’s account number and street address number.
https://techcrunch.com/2018/05/21/comcast-is-leaking-the-names-and-passwords-of-customers-wireless-routers/

Amazon is pitching their facial recognition technology to law enforcement agencies, saying the program could aid criminal investigations by recognizing suspects in photos and videos.
https://www.nytimes.com/2018/05/22/technology/amazon-facial-recognition.html

Great blog about the SMS binary payloads and how SMS is weakening mobile security for years.
https://www.contextis.com/blog/binary-sms-the-old-backdoor-to-your-new-thing

Researchers from the Eclypsium found a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode. They have even published Proof-of-concept.
https://blog.eclypsium.com/2018/05/17/system-management-mode-speculative-execution-attacks/

InfoSec Week 18, 2018

Multiple tech giants like Apple, Microsoft, Google and others formed an industry coalition and have joined security experts in criticizing encryption backdoors, after Ray Ozzie's CLEAR key escrow idea was widely derided. He basically proposed a scheme where the users have no control over their own devices, but the devices can be securely forensically analyzed by the government agencies.
https://www.zdnet.com/article/coalition-of-tech-giants-hit-by-nsa-spying-slams-encryption-backdoors/
https://github.com/rayozzie/clear/blob/master/clear-rozzie.pdf

There is an information leaking vulnerability via crafted user-supplied CDROM image.
"An attacker supplying a crafted CDROM image can read any file (or device node) on the dom0 filesystem with the permissions of the qemu device model process."
QubesOS operationg system is not affected due to the properly compartmentalized architecture.
http://seclists.org/oss-sec/2018/q2/71

Great in-depth blog about the reconstruction of the exploit created by the CIA's "Engineering Development Group" targeting MikroTik's RouterOS embedded operating system. This exploit was made public by the WikiLeaks last year.
http://blog.seekintoo.com/chimay-red.html

Bypassing authentication and impersonating arbitrary users in Oracle Access Manager with padding oracle. The guy basically broke Oracles home grown cryptographic implementation.
https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/

There is a critical privilege escalation vulnerability affecting Apache Hadoop versions from 2.2.0 to 2.7.3.
http://seclists.org/oss-sec/2018/q2/82

According to the Arbor Networks' security researchers have claimed that the anti-theft software Absolute LoJack is serving as an espionage software modified by the Russia-based Fancy Bear group.
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/

Wired wrote an article about the famous Nigerian 419 scammers, their culture and why they are still flourishing.
https://www.wired.com/story/nigerian-email-scammers-more-effective-than-ever/

Matrix and Riot instant messenger applications are confirmed as the basis for the France’s government initiative to implement federated secure messenger.
https://matrix.org/blog/2018/04/26/matrix-and-riot-confirmed-as-the-basis-for-frances-secure-instant-messenger-app/

Amazon threatens to suspend Signal's secure messenger AWS account over censorship circumvention. They are using different TLS Server Name Indication - "domain fronting" - when establishing connection to circumvent network censorship, but Amazon says it is against their terms of services.
https://signal.org/blog/looking-back-on-the-front/

Respected German CT-Magazine says that there are 8 new Spectre vulnerabilities found in the Intel processors.
https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html

InfoSec Week 7, 2018

The Fidelis Cybersecurity researcher Jason Reaves demonstrated how covertly exchange data using X.509 digital certificates. The proof of concept code is using SubjectKeyIdentifier and generating certificates on the fly.
https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities

The "UDPoS" Point of Sale malware is using DNS traffic to exfiltrate stolen credit card data.
https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns

Talos analyzed malware threat targeting Olympic computer systems during the opening ceremony. The main purpose was information gathering and destroying the system.
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Zero-day vulnerability in the Bitmessage messaging client was exploited to steal Electrum cryptocurrency wallet keys.
https://securityaffairs.co/wordpress/69100/hacking/bitmessage-zero-day.html

Trustwave analyzed multi-stage Microsoft Word attack which is NOT using macros. Really creative technique.
https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/

Microsoft can't fix Skype privilege escalation bug without the massive code rewrite, so they postponed it for a while.
http://seclists.org/fulldisclosure/2018/Feb/33

Facebook is advertising their Onavo VPN application, but there are a few reasons why it is really not a good idea to use it.
https://gizmodo.com/do-not-i-repeat-do-not-download-onavo-facebook-s-vam-1822937825

Facebook is spamming users via SMS registered for two factor authentication (2FA). Then posts their responses on a wall.
https://twitter.com/Gabriel__Lewis/status/963121814166630400

(Not only) Performance analysis of a Retpoline mitigation for Spectre vulnerability.
https://cyber.wtf/2018/02/13/in-debt-to-retpoline/

A guide on how to brutefoce Linux Full Disk Encryption (LUKS) volumes using Hashcat software.
https://blog.pnb.io/2018/02/bruteforcing-linux-full-disk-encryption.html

Proof of concept of LibreOffice remote arbitrary file disclosure vulnerability. It is possible to silently send any files. All operating systems affected before 5.4.5/6.0.1 versions.
https://github.com/jollheef/libreoffice-remote-arbitrary-file-disclosure

InfoSec Week 5, 2018

A.P. Moller–Maersk Group, the world's largest container shipping company, reinstalled 45000 PCs and 4000 Servers to recover from the NotPetya ransomware attack.
https://www.bleepingcomputer.com/news/security/maersk-reinstalled-45-000-pcs-and-4-000-servers-to-recover-from-notpetya-attack/

The U.S. Secret Service is warning financial institutions that ATM jackpotting attacks are targeting cash machines in the United States. Attackers are able to empty Diebold Nixdorf and possibly other ATM machines with malware, endoscope and social engineering skills.
https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

Microsoft disables Spectre software mitigation released earlier this month due to system instability.
http://www.securityweek.com/microsoft-disables-spectre-mitigations-due-instability

Data from the fitness tracking app Strava gives away the location of sensitive locations like army bases.
https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

China built African union building for free, but the building is riddled with microphones and computers are transmitting all voice data back to servers in Shanghai.
https://twitter.com/i/web/status/957879611513278464

Journalist Marc Miller has interviewed one of the hackers of the ICEMAN group behind "Emmental" phishing campaign targeting bank clients.
https://securityaffairs.co/wordpress/64349/cyber-crime/iceman-hacker-interview.html

Errata Security blog about the political nature of the cyber attack attribution. Mostly about the WannaCry and North Korea connection, but it is a good overview on attribution bias in general.
http://blog.erratasec.com/2018/01/the-problematic-wannacry-north-korea.html

Great article about the largest malvertising campaign of a last year. So called Zirconium group operated up to 30 different ad agencies which enabled them to redirect users to the exploit kits, malware downloads and click fraud websites.
https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85

AutoSploit is an automated exploitation tool written in python. It is able to search for targets using Shodan.io API and exploiting them with Metasploit.
https://github.com/NullArray/AutoSploit