Tag spyware

InfoSec Week 43, 2018

A zero-day vulnerability in the jQuery File Upload plugin has been actively exploited for at least three years. Patch now!
https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206

A massive ad fraud scheme involving more than 125 Android apps and websites exploited Android phones to steal millions.
Literally, almost everybody is running this scheme against smartphone users these days.
https://www.buzzfeednews.com/article/craigsilverman/how-a-massive-ad-fraud-scheme-exploited-android-phones-to

Kaspersky Lab analyzed DarkPulsar, a complex administrative module for backdoor malware leaked by the ShadowBrokers.
They found around 50 victims located in Russia, Iran and Egypt, mostly companies working in nuclear energy, telecommunications, IT, aerospace and R&D.
https://securelist.com/darkpulsar/88199/

A Haaretz investigation reveals that Israel has become a leading exporter of tools for spying on civilians.
Dictators around the world use them to eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.
https://www.haaretz.com/israel-news/.premium.MAGAZINE-israel-s-cyber-spy-industry-aids-dictators-hunt-dissidents-and-gays-1.6573027

The consultancy firm McKinsey helped Saudi Arabia identify influential Saudis who opposed the government's line on Twitter.
Some of those individuals were later imprisoned and targeted with sophisticated spyware.
https://www.nytimes.com/2018/10/20/us/politics/saudi-image-campaign-twitter.html

Companies building "Smart home" products refuse to say whether law enforcement is using their products to spy on citizens.
https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/

Mozilla announces an experimental partnership with ProtonVPN.
They will offer a virtual private network (VPN) service to a small group of Firefox users.
https://blog.mozilla.org/futurereleases/2018/10/22/testing-new-ways-to-keep-you-safe-online/

A UK grassroots internet provider is testing a data-only SIM card that blocks any non-Tor traffic from leaving the phone.
https://motherboard.vice.com/en_us/article/d3qqj7/sim-card-forces-data-through-tor-brass-horn-communications

That feeling when you can steal a Tesla by relay attack (or key cloning?), but you have to Google how to unplug the charger.
https://gizmodo.com/hackers-allegedly-caught-on-video-stealing-tesla-model-1829905478

An insightful review of Android's secure backup practices published by NCC Group.
https://www.nccgroup.trust/us/our-research/android-cloud-backuprestore/?research=Public+Reports

Endpoint security pioneer Joanna Rutkowska leaves Qubes OS, joins the Golem project.
https://www.qubes-os.org/news/2018/10/25/the-next-chapter/

Matthew Green wrote a post on password-based authenticated key exchange (PAKE) and the new OPAQUE protocol.
Quite useful techniques that more people should know about.
https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/

Signal Desktop leaves the message decryption key in plain text.
https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/

Trail of Bits published a useful guide to post-quantum cryptography.
https://blog.trailofbits.com/2018/10/22/a-guide-to-post-quantum-cryptography/

InfoSec Week 39, 2018

Linux has officially committed to implementing and obeying a Code of Conduct, which was immediately misused to remove top Linux coders.
Some Linux developers are now threatening to withdraw the license to all of their code.
https://lulz.com/linux-devs-threaten-killswitch-coc-controversy-1252/

A bug in Twitter sent users' private direct messages to third-party developers who were not authorized to receive them. Some brand accounts are expected to be affected.
https://blog.twitter.com/developer/en_us/topics/tools/2018/details-for-developers-on-Account-Activity-API-bug.html

Qualcomm accuses Apple of stealing chip secrets for the purpose of helping Intel overcome engineering flaws in its chips.
https://www.cnbc.com/2018/09/25/qualcomm-accuses-apple-of-giving-its-chip-secrets-to-intel.html

The Australian government is pushing for smartphone spyware implanted by telco vendors and manufacturers.
https://www.brisbanetimes.com.au/business/companies/spyware-on-phone-fears-as-dutton-pushes-new-security-laws-20180924-p505oc.html

At least the sixth backdoor account this year has been removed from Cisco devices.
This time it is "hardcoded credentials" in the Cisco Video Surveillance Manager (VSM) software.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm

ESET researchers discovered that Kodi Media Player add-ons are being misused to distribute cryptocurrency mining malware.
https://www.welivesecurity.com/2018/09/13/kodi-add-ons-launch-cryptomining-campaign/

According to a Stack Exchange post, "the Chinese police is forcing whole cities to install an Android spyware app Jingwang Weishi.
They are stopping people in the street and detaining those who refuse to install it."
https://security.stackexchange.com/questions/194353/police-forcing-me-to-install-jingwang-spyware-app-how-to-minimize-impact

Researchers proved that PKCS #1 digital signatures are as secure as their successors, such as RSA-PSS and RSA Full-Domain.
https://www.schneier.com/blog/archives/2018/09/evidence_for_th.html

There is a novel cache poisoning attack on WiFi via a remote off-path MITM attack vector.
It takes only 30 seconds and uses an interesting multi-packet injection technique with timing side-channel inference to guide the injection. Works on Windows, OS X and Linux.
https://www.usenix.org/conference/usenixsecurity18/presentation/chen-weiteng

InfoSec Week 38, 2018

The Purism project introduced its own security token called the Librem Key. They have partnered with the Nitrokey manufacturer, but the firmware provides additional functionality, like a challenge-response mode in which the key informs you whether the BIOS running on a PC has validated itself to the key.
https://puri.sm/posts/introducing-the-librem-key/

Google built a prototype of a censored search engine intended for use in China that links users’ searches to their phone numbers.
https://theintercept.com/2018/09/14/google-china-prototype-links-searches-to-phone-numbers/

According to Swiss officials, two Russian spies caught in the Netherlands had been plotting a cyber attack on a Swiss defense lab analyzing the Novichok nerve agent used in the Salisbury poisoning.
https://www.nytimes.com/2018/09/14/world/europe/russians-salisbury-swiss-lab-sabotage.html

Citizen Lab has published a new report about the Pegasus spyware created by Israeli cyber-security firm NSO Group.
The malware operates on both Android and iOS devices, and the researchers identified 45 countries in which operators of NSO Group’s Pegasus spyware may be conducting operations.
https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

Hackers were running cryptocurrency mining malware on Indian government sites.
https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/hackers-mined-a-fortune-from-indian-websites/articleshow/65836088.cms

Every day this week, Cloudflare is announcing support for a new technology that uses cryptography.
They have introduced an Onion service, BGP PKI (RPKI) and an IPFS node. Essentially, we can call them an active global adversary now.
https://blog.cloudflare.com/crypto-week-2018/

Western Digital My Cloud devices were affected by an authentication bypass vulnerability.
An unauthenticated attacker could exploit this vulnerability to authenticate as an admin user without needing to provide a password.
https://securify.nl/en/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html

NSS Labs filed an antitrust suit against CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization (AMTSO), because they found out that the "vendors have conspired to prevent testing of their products by placing clauses in their end user licensing agreements (EULA) that make testing of their products subject to their permission."
https://www.nsslabs.com/blog/company/advancing-transparency-and-accountability-in-the-cybersecurity-industry/

A new Necurs botnet spam campaign targets banks with malicious Wizard (.wiz) files, a format used by Microsoft programs such as Word to guide users through complex or repetitive tasks.
https://blog.barkly.com/wiz-file-malware-necurs-campaign

An informative blog post by the LineageOS engineers covering the Qualcomm bootloader chain of trust up to the point where the Android OS is loaded.
https://lineageos.org/engineering/Qualcomm-Firmware/

GnuPG can now be used to perform notarial acts in the State of Washington.
https://lists.gnupg.org/pipermail/gnupg-users/2018-September/060987.html

A new CSS-based web attack will crash and restart your iPhone.
https://techcrunch.com/2018/09/15/a-new-css-based-web-attack-will-crash-and-restart-your-iphone/

Interesting project - SlotBot: Hacking slot machines to win the jackpot with a buttonhole camera and brute-force search.
https://github.com/tensor8/hacking_slot_machines

InfoSec Week 28, 2018

Hackers poisoned the Arch Linux PDF reader package “acroread” found in the user-provided Arch User Repository (AUR), adding downloader malware to it.
https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/

Hackers took over the maintainer account of the eslint-scope and eslint-config-eslint npm packages and published malicious versions that downloaded some juicy scripts from pastebin.com.
https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes

The backend of the Timehop iOS application was compromised, and personal records of 21 million customers were leaked.
https://www.timehop.com/security/technical

Nice journalism about how a few researchers found the names and addresses of soldiers and secret agents using the Strava fitness application after the company published tracking maps on the internet.
https://decorrespondent.nl/8481/heres-how-we-found-the-names-and-addresses-of-soldiers-and-secret-agents-using-a-simple-fitness-app

Lexington Insurance Company and Beazley Insurance Company are suing Trustwave over a 2009 breach. Trustwave allegedly failed to detect the malware that caused the breach.
This will set a huge precedent for the whole industry.
https://www.bleepingcomputer.com/news/security/security-firm-sued-for-failing-to-detect-malware-that-caused-a-2009-breach/

One email to a North American Network Operators mailing list led to a concerted effort to kick a notorious BGP hijacking factory off the Internet.
https://blog.apnic.net/2018/07/12/shutting-down-the-bgp-hijack-factory/

It looks like the Carbanak banking malware source code has been leaked.
https://malware-research.org/carbanak-source-code-leaked/

Researchers found spying malware signed with digital certificates stolen from D-Link and other Taiwanese tech companies.
https://thehackernews.com/2018/07/digital-certificate-malware.html

InfoSec Week 48, 2017

The German Interior Minister is preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations.
https://www.bleepingcomputer.com/news/government/germany-preparing-law-for-backdoors-in-any-type-of-modern-device/

According to the Citizen Lab, Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware sold by Israeli firm Cyberbit.
https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/

Elcomsoft wrote an insightful post about the drastically degraded security of Apple's iOS 11 operating system.
https://blog.elcomsoft.com/2017/11/ios-11-horror-story-the-rise-and-fall-of-ios-security/

Chinese drone maker D.J.I. is potentially sharing collected data with the Chinese government.
https://mobile.nytimes.com/2017/11/29/technology/dji-china-data-drones.html

Crooks are installing cryptocurrency miners by typosquatting npm package names: they search for unregistered package names that differ by a single bit from well-known packages.
https://medium.com/avahowell/bitsquatting-npm-packages-533c988d568f
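As an added example (not code from the linked article or from the npm project), the following JavaScript enumerates the one-bit-flip neighbours of an npm package name so a maintainer can pre-register or watch them, and flags such names in a registry feed. It assumes a reduced form of npm's naming rules for unscoped names, and the feed it scans is a constructed sample.

```javascript
// Added example: enumerate the one-bit-flip neighbours of an npm package
// name (the names a bitsquatter would register) so a maintainer can
// pre-register or monitor them. Not code from the linked article.

// Characters legal anywhere in an unscoped npm package name.
const NAME_CHAR = /^[a-z0-9._-]$/;

// Reduced npm naming rules for unscoped names (assumption, not the full
// validator): lowercase URL-safe chars, max 214, no leading '.' or '_'.
function isValidNpmName(name) {
  return name.length > 0 && name.length <= 214 &&
    !name.startsWith('.') && !name.startsWith('_') &&
    /^[a-z0-9._-]+$/.test(name);
}

// All valid names that differ from `name` in exactly one bit of one byte.
function bitsquatVariants(name) {
  const variants = new Set();
  for (let i = 0; i < name.length; i++) {
    const code = name.charCodeAt(i);
    for (let bit = 0; bit < 8; bit++) {
      const flipped = String.fromCharCode(code ^ (1 << bit));
      // Most flips land outside the legal alphabet (uppercase, punctuation,
      // control bytes) and can never be registered; drop those.
      if (!NAME_CHAR.test(flipped)) continue;
      const candidate = name.slice(0, i) + flipped + name.slice(i + 1);
      if (isValidNpmName(candidate)) variants.add(candidate);
    }
  }
  return [...variants].sort();
}

// Hamming distance in bits between two equal-length names (Infinity otherwise).
function bitDistance(a, b) {
  if (a.length !== b.length) return Infinity;
  let d = 0;
  for (let i = 0; i < a.length; i++) {
    let x = a.charCodeAt(i) ^ b.charCodeAt(i);
    while (x) { d += x & 1; x >>= 1; }
  }
  return d;
}

// Flag names from a registry feed that are exactly one bit away from a
// name you maintain.
function flagBitsquats(protectedNames, observedNames) {
  const hits = [];
  for (const target of protectedNames) {
    const neighbours = new Set(bitsquatVariants(target));
    for (const observed of observedNames) {
      if (neighbours.has(observed)) hits.push({ observed, target });
    }
  }
  return hits;
}

// Constructed sample feed, not real registry data.
const SAMPLE_FEED = ['lodash', 'modash', 'lodasj', 'express', 'lodash-es'];
console.log(bitsquatVariants('lodash'));
console.log(flagBitsquats(['lodash'], SAMPLE_FEED));
```

Note that flips can cross character classes: a hyphen becomes `m` and a digit `0` becomes `p`, so the neighbour set is wider than a visual typo list.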

Swiftype wrote a good blog post about their infrastructure risk assessment and threat modeling.
https://swiftype.engineering/threat-modelling-and-infrastructure-risk-assessment-at-swiftype-6c1b337c7df1

Nvidia published a paper about clustering benign and malicious Windows executables using neural networks.
https://devblogs.nvidia.com/parallelforall/malware-detection-neural-networks/

Bucket Stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs.
https://github.com/eth0izzle/bucket-stream

Sysdig Inspect – a powerful interface for container troubleshooting and security investigation.
https://github.com/draios/sysdig-inspect/

InfoSec Week 30, 2017

NSA's XKeyscore spying tool is used to fish Microsoft Windows crash reports out of Internet traffic. It was used against Mexico's Secretariat of Public Security.
https://www.schneier.com/blog/archives/2017/08/nsa_collects_ms.html

Researchers from Exodus Intelligence wrote a remote exploit against the Android and iOS operating systems using a bug in Broadcom’s Wi-Fi chipset.
"Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."
https://blog.exodusintel.com/2017/07/26/broadpwn/

Great blog about chaining 4 vulnerabilities on the GitHub Enterprise in order to achieve remote code execution!
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html

Trend Micro researchers analyzed the infection chain used by the JS_POWMET fileless malware.
http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/

Researchers used an antivirus cloud-based sandbox to exfiltrate data from an endpoint.
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox.pdf
https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf

The Google team has blocked a new "Lipizzan" Android spyware family from the Google Play.
https://android-developers.googleblog.com/2017/07/from-chrysaor-to-lipizzan-blocking-new.html

Microsoft won't patch SMBloris, a 20-year-old SMBv1 memory handling bug that attackers could exploit to mount a denial of service attack on web servers.
http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

Private notes application Standard Notes got a cryptography audit.
https://standardnotes.org/blog/7/announcing-our-2017-security-audit-results

Framework for Testing WAFs (FTW) is a project created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF.
https://github.com/fastly/ftw

InfoSec Week 6, 2017

A new malware called MacDownloader, attributed to Iran and targeting macOS systems, was spotted in the wild. It spreads posing as an Adobe Flash installer or a Bitdefender Adware Removal Tool and depends on social engineering. After installation, it attempts to exfiltrate the OS X keychain database as well as other system information.
https://iranthreats.github.io/resources/macdownloader-macos-malware/

Google Project Zero investigated the inner workings of Real-Time Kernel Protection (RKP) used by Samsung KNOX on a fully updated Galaxy S7 Edge. They presented multiple vulnerabilities that allowed them to subvert each of RKP’s security mechanisms.
https://googleprojectzero.blogspot.ch/2017/02/lifting-hyper-visor-bypassing-samsungs.html

Former National Security Agency contractor Harold T. Martin III is accused of stealing 50 terabytes of classified information.
"The indictment against Harold T. Martin III is expected to contain charges of violating the Espionage Act by "willfully" retaining information that relates to the national defense, including classified data such as NSA hacking tools and operational plans against "a known enemy" of the United States, according to individuals familiar with the case."
https://www.washingtonpost.com/world/national-security/prosecutors-to-seek-indictment-against-former-nsa-contractor-as-early-as-this-week/2017/02/06/362a22ca-ec83-11e6-9662-6eedf1627882_story.html

Google Chrome 56 lets websites connect to Bluetooth devices and harvest information from them through the browser. Summary of the Web Bluetooth API security model written by Chrome team's Jeffrey Yasskin can be found on Medium.
https://medium.com/@jyasskin/the-web-bluetooth-security-model-666b4e7eed2

Doctor Web detected a new Mirai trojan fork able to use Windows machines to scan the internet for further targets.
http://vms.drweb.com/search/?q=Trojan.Mirai.1

The CRYSIS ransomware family is targeting the US healthcare sector via Remote Desktop (RDP) brute force attacks.
http://blog.trendmicro.com/trendlabs-security-intelligence/brute-force-rdp-attacks-plant-crysis-ransomware/

A new ransomware known as "Serpent" is targeting Danish recipients using emails linking to malicious Microsoft Office documents.
https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers

Multiple proponents of Mexico’s 2014 soda tax, aimed at reducing consumption of sugary drinks, were targeted by spyware.
The malicious program was developed by the Israeli cyberarms dealer NSO Group.
https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html

Keybase introduced an end-to-end crypto app for secure interactive messaging that works with already established third-party accounts.
An interesting solution to the key exchange problem; other solutions usually rely on Trust On First Use (TOFU). Just to note, only "exploding" messages have forward secrecy.
https://keybase.io/blog/keybase-chat

Wire’s encrypted messaging protocol got audited. Kudelski Security and X41 D-Sec found it to have "high security, thanks to state-of-the-art cryptographic protocols and algorithms, and software engineering practices mitigating the risk of software bugs."
https://research.kudelskisecurity.com/2017/02/09/wire-cryptography-audit-with-x41-d-sec/ https://medium.com/wire-news/wires-independent-security-review-61f37a1762a8

A great story about the Russian "research" company that reverse engineered older slot machines in order to predict their output. And they are cashing in on it...
https://www.wired.com/2017/02/russians-engineer-brilliant-slot-machine-cheat-casinos-no-fix/

InfoSec Week 2, 2017

A brother and sister were arrested in Italy for spying on top public officials, businessmen and institutions. They wrote VB.NET malware with RAT/spyware features, infected high-level targets via spear-phishing and pivoted through their email to infect even higher-level targets. They had terrible OPSEC and bought some domains and hosting under their real names.
http://www.telegraph.co.uk/news/2017/01/10/italian-brother-sister-arrested-cyber-espionage-operation-tapped/ https://jekil.sexy/blog/2017/eyepyramid-i-forgot-to-do-myhomework.html

A BuzzFeed article about Trump claims that the Russian security service FSB has "capabilities" against the Telegram messaging app. Security researcher Frederic Jacobs wrote about this back in April 2016.
https://www.fredericjacobs.com/blog/2016/04/29/more-on-sms-logins/ https://twitter.com/i/web/status/819127046588813313 https://www.buzzfeed.com/kenbensinger/these-reports-allege-trump-has-deep-ties-to-russia

At 33rd Chaos Communication Congress, security researcher Claudio Guarnieri launched open initiative "Security Without Borders". "Security Without Borders will provide digital security assistance to organizations to harden infrastructure against attacks, perform incident response to secure organizations, engage in public education, and produce research on the threats posed to activists. Among our members we count penetration testers, malware analysts, reverse engineers, vulnerability researchers, and software developers."
https://securitywithoutborders.org/ https://medium.com/security-without-borders/transmission-1-7eaae7bc8caf

A 3-byte RSA key secures implanted cardiac devices, and yes, it's also backdoored. As Matthew Green said on Twitter: "But in case 24-bit RSA isn't bad enough, the manufacturers also included a hard-coded 3-byte fixed override code. I'm crying now." Public statement: "The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm http://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/index.html

Security company Emsisoft spotted new ransomware named Spora that allows victims to pay for immunity from future attacks. From the article: "You can choose to only recover your files or pay for removal of the ransomware and immunity from future attacks at an extra cost." It also has a very interesting intelligence gathering technique, which is later used for monetisation.
http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

Google has released a toolkit for a transparent and secure way to look up public keys. "Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable." This solves an open problem in messaging.
https://github.com/google/key-transparency/

The E-Sports Entertainment Association refused to pay $100,000 to hackers, so they published the customer dataset online.
http://fortune.com/2017/01/10/hackers-havoc-ransomware-esea/

Popular browsers and extensions can be tricked into leaking private information using hidden text boxes.
https://github.com/anttiviljami/browser-autofill-phishing

Fake "Migrant Helpline" donation emails deliver malware.
https://myonlinesecurity.co.uk/spoofed-migrant-helpline-donations-delivers-malware/