Tag SS7

InfoSec Week 52, 2018

The Chinese battery expert is charged with stealing trade secrets from US employer, as he prepared to return home. Forensics found deleted research materials not related to his contract on a USB voluntarily provided to a supervisor.
https://beta.scmp.com/news/world/united-states-canada/article/2179192/chinese-battery-expert-hongjin-tan-charged-stealing

The New York Times published an article about the insecurity of the mobile networks' Signaling System 7 (SS7) and the unwillingness to address mobile network vulnerabilities in general.
https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

Iraq government took down unlicensed towers used for illegal internet bandwidth smuggling operation in the disputed province of Kirkuk.
http://www.kurdistan24.net/en/news/09d4b5aa-6638-42fe-bbb1-b2ef48b4401b

Indias' Ministry of Home Affairs has issued a notification authorizing 10 agencies to tap, intercept and decrypt all personal data on computers and networks.
https://twitter.com/i/web/status/1075954903279943681

Yet another article from NY Times, this time on how Facebook uses 7500 moderators around the world to keep content "normal".
https://www.nytimes.com/2018/12/27/world/facebook-moderators.html

Hackers are infecting Linux servers with JungleSec ransomware using IPMI remote console, manually running encryption program, then asking for ransom.
https://www.bleepingcomputer.com/news/security/junglesec-ransomware-infects-victims-through-ipmi-remote-consoles/

The beta version of the WireGuard next gen VPN for iOS was released into the App Store.
https://lists.zx2c4.com/pipermail/wireguard/2018-December/003694.html

Someone from the France uploaded a new sample of Shamoon wiper malware to VirusTotal. The sample is signed with Baidu digital certificate expired back in 2016.
https://securityaffairs.co/wordpress/79248/malware/shamoon-3-france.html

The Wired magazine published a list of articles they have published on a security topic in 2018. Some of them are really good.
https://www.wired.com/gallery/the-most-read-security-stories-of-2018/

Amazon sends 1700 Alexa voice recordings to a random person.
https://threatpost.com/amazon-1700-alexa-voice-recordings/140201/

InfoSec Week 18, 2017

Some good souls are selling Ransomware as a service. It has own logo, support, bug tracker, and a clean website.
https://therainmakerlabs.in/philadelphia

The webpage of the open-source video transcoder application Handbrake was compromised and served malware for the Mac users.
https://objective-see.com/blog/blog_0x1D.html

Comparison of the "http81 IoT botnet" against the Mirai source code. The C&C code is different, but they took some parts of the published source code.
http://blog.netlab.360.com/http-81-botnet-the-comparison-against-mirai-and-new-findings-en/
http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/

IBM shipped malware infected USB flash drives to the customers.
https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146

Shodan can now find malware C&C servers.
https://malware-hunter.shodan.io/
https://threatpost.com/malware-hunter-crawls-internet-looking-for-rat-c2s/125360/

Deep insight into use-after-free vulnerability and many possibilities how to exploit it. https://scarybeastsecurity.blogspot.ch/2017/05/ode-to-use-after-free-one-vulnerable.html

Critical remotely exploitable vulnerability found in the Microsofts' Malware Protection service.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
https://technet.microsoft.com/en-us/library/security/4022344

The criminals are stealing 2FA tokens by abusing widespread telecommunications network equipment.
https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/

Guido Vranken found a vulnerability (CVE-2017-8779) that allows an attacker to allocate any amount of bytes (up to 4 gigabytes per attack) on a remote RPCBIND host, and the memory is never freed unless the process crashes or the administrator halts or restarts the RPCBIND service.
https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

Good summary of an iCloud Keychain Secrets vulnerability (CVE-2017–2448). From the blog:
"This allows an adversary to craft an OTR message which can negotiate a key successfully while bypassing the actual signature verification...Considering that OTR uses ephemeral keys for encryption, this flaw implies that a syncing identity key is no longer required for an adversary with Man In The Middle capabilities to negotiate an OTR session to receive secrets."
https://hackernoon.com/bypassing-otr-signature-verification-to-steal-icloud-keychain-secrets-9e92ab55b605

Researchers developed the cheapest way so far to hack a passive keyless entry system, as found on some cars. No cryptography broken.
https://conference.hitb.org/hitbsecconf2017ams/sessions/chasing-cars-keyless-entry-system-attacks/
https://hackaday.com/2017/04/27/stealing-cars-for-20-bucks/

OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.
https://github.com/evilsocket/opensnitch

Linux Malware Detect (LMD) is a malware scanner for Linux designed around the threats faced in shared hosted environments.
https://github.com/rfxn/linux-malware-detect