Tag Telegram

InfoSec Week 50, 2017

Crooks hacked Fox-IT by capturing fox-it.com DNS record, then obtained a certificated and executed a man-in-the-middle attack on connection.
https://www.fox-it.com/en/insights/blogs/blog/fox-hit-cyber-attack/

The Mandiant - FireEye company analyzed an incident at a critical infrastructure organization where an attacker deployed so called TRITON malware designed to manipulate industrial safety system. According to the analysis, "the malware was delivered as a Py2EXE compiled python script [...] containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers."
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

The anonymous researcher behind the massive internet scans of the IoT devices known for the BrickerBot case published some insights on his operation. Looks like he is a gray hat after all.
https://ghostbin.com/paste/q2vq2

Google published Android security roadmap for the next year. There will be lots of improvements, and new requirements for App developers.
https://android-developers.googleblog.com/2017/12/improving-app-security-and-performance.html

Multiple vulnerabilities were identified in Telegram messenger for Android, like arbitrary file overwrite on receiving and directory traversal. There are definitely better alternatives to this software...
https://bugs.chromium.org/p/project-zero/issues/detail?id=1470

Guy uploaded his self-signed malformed certificate to the websites which process them and found out lots of them is vulnerable to the XSS injection.
https://binaryfigments.com/2017/12/11/dont-trust-all-ssl-tls-certificates/

Mavinject is a legitimate Windows component digitally signed by Microsoft, that can be abused to inject any DLL inside a running process.
https://reaqta.com/2017/12/mavinject-microsoft-injector/

Microsoft pushed comprehensive audit reports on Windows Events to GitHub.
https://github.com/MicrosoftDocs/windows-itpro-docs/tree/master/windows/device-security/auditing

InfoSec Week 28, 2017

Porn spam botnet consisting of more than 80,000 automated female Twitter accounts has been prompting millions of clicks from Twitter users to the various affiliate dating schemes (known as "partnerka").
https://krebsonsecurity.com/2017/07/porn-spam-botnet-has-evil-twitter-twin/

Two malware families, NemucodAES ransomware and Kovter trojan are being distributed via email, pretending to be a delivery notice from the United Parcel Service.
https://isc.sans.edu/forums/diary/NemucodAES+and+the+malspam+that+distributes+it/22614/

Reyptson ransomware is using victim’s configured Thunderbird email account to execute spam distribution campaign against its contacts.
http://www.securitynewspaper.com/2017/07/18/reyptson-ransomware-spams-friends-stealing-thunderbird-contacts/

Android spyware targeting Iranians is using Telegram bot API to exfiltrate data to the remote server.
https://blog.avast.com/spyware-targets-iranian-android-users-by-abusing-messaging-app-telegram-bot-api

Trustwave SpiderLabs researchers discovered a zero-day vulnerability in Humax HG-100R WiFi Router, that could be exploited by attackers to compromise the WiFi credentials and obtain the router console administrative password.
https://www.trustwave.com/Resources/SpiderLabs-Blog/0-Day-Alert--Your-Humax-WiFi-Router-Might-Be-In-Danger/

Proofpoint analyzed Ovidiy Stealer, undocumented credential stealer, which is sold on the Russian-speaking forums.
https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses

Guido Vranken fuzzed FreeRADIUS source code and found 15 issues, four exploitable, and one of which is a remote code execution bug (RCE). Compile and upgrade now.
http://freeradius.org/security/fuzzer-2017.html

Humble Bundle is selling for next 12 days a lots of DRM-free cybersecurity books very cheaply.
https://www.humblebundle.com/books/cybersecurity-wiley

WireGuard, fast, modern, secure VPN tunnel is now formally verified with the Tamarin equational theorem prover. Really powerful software.
https://www.wireguard.com/formal-verification/

Interesting USENIX paper on the security (and analysis) of bootloaders in mobile devices:
BootStomp: On the Security of Bootloaders in Mobile Devices
http://cs.ucsb.edu/~yanick/publications/2017_sec_bootstomp.pdf

PyREBox is a Python scriptable Reverse Engineering sandbox developed by Cisco Talos. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.
https://github.com/Cisco-Talos/pyrebox

InfoSec Week 25, 2017

Ukrainian critical infrastructure, including banks, Kyiv’s metro system, the airport and the Chernobyl's radiation monitoring system, was hit by the worldwide malware campaign.
The attack is believed to be a new campaign by the group behind Petya ransomware. It takes advantage of the known SMB exploit (EternalBlue), and is spreading fast to the other countries.
https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
https://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

Indian ATMs running outdated Windows XP are suffering jackpotting attack by the Rufus ATM malware.
http://securityaffairs.co/wordpress/60220/breaking-news/rufus-malware-atm.html

Analysis of a new Marcher Android banking trojan variant which is posing as Adobe Flash Player Update.
https://www.zscaler.com/blogs/research/new-android-marcher-variant-posing-adobe-flash-player-update

The Russian government is threatening to ban Telegram messenger because it refused to be compliant with the data protection laws.
http://securityaffairs.co/wordpress/60449/terrorism/russia-telegram-ban.html

Bug hunter from Google, Tavis Ormandy, has found yet another serious vulnerability in the Microsoft's Malware Protection Engine.
http://www.databreachtoday.com/google-security-researcher-pops-microsofts-av-defenses-a-10058

The Hardware Forensic Database (HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools.
http://hfdb.io/

Good summary of the most common memory based attacker techniques such as shellcode injection, reflective DLL injection or process hollowing.
https://www.endgame.com/blog/technical-blog/hunting-memory

InfoSec Week 2, 2017

Brother and sister arrested in Italy for spying on top public officials, businessmen and institutions. They wrote a VB.NET malware with RAT / spyware features. They infected high level targets via spear-phishing and pivoted on their email to infect more higher level targets. They had terrible OPSEC, bought some domains and hosting with real names.
http://www.telegraph.co.uk/news/2017/01/10/italian-brother-sister-arrested-cyber-espionage-operation-tapped/ https://jekil.sexy/blog/2017/eyepyramid-i-forgot-to-do-myhomework.html

BuzzFeed article about Trump claims that the Russian Security Service FSB has "capabilities" against the Telegram messaging app. Security researcher Frederic Jacobs wrote about this back in April 2016.
https://www.fredericjacobs.com/blog/2016/04/29/more-on-sms-logins/ https://twitter.com/i/web/status/819127046588813313 https://www.buzzfeed.com/kenbensinger/these-reports-allege-trump-has-deep-ties-to-russia

At 33rd Chaos Communication Congress, security researcher Claudio Guarnieri launched open initiative "Security Without Borders". "Security Without Borders will provide digital security assistance to organizations to harden infrastructure against attacks, perform incident response to secure organizations, engage in public education, and produce research on the threats posed to activists. Among our members we count penetration testers, malware analysts, reverse engineers, vulnerability researchers, and software developers."
https://securitywithoutborders.org/ https://medium.com/security-without-borders/transmission-1-7eaae7bc8caf

3 BYTES long RSA key secures implanted cardiac devices, and yes, it's also backdoored. As Matthew Green said on Twitter: "But in case 24-bit RSA isn't bad enough, the manufacturers also included a hard-coded 3-byte fixed override code. I'm crying now." Public statement: "The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's Merlin@home Transmitter and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user, i.e., someone other than the patient's physician, to remotely access a patient's RF-enabled implanted cardiac device by altering the Merlin@home Transmitter. The altered Merlin@home Transmitter could then be used to modify programming commands to the implanted device, which could result in rapid battery depletion and/or administration of inappropriate pacing or shocks."
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm http://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/index.html

Security company Emsisoft spotted a new ransomware named Spora, that allows potential victims to pay for immunity from future attacks. From the article: "You can choose to only recover your files or pay for removal of the ransomware and immunity from future attacks at an extra cost." It has also very interesting intel gathering technique, which is later used for the monetisation.
http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

Google has released a toolkit for a transparent and secure way to look up public keys. "Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable." This solves an open problem in messaging.
https://github.com/google/key-transparency/

Company E-Sports Entertainment Association refused to pay $100,000 to hackers, so they published customer dataset online.
http://fortune.com/2017/01/10/hackers-havoc-ransomware-esea/

Popular browsers and extensions can be tricked into leaking private information using hidden text boxes. https://github.com/anttiviljami/browser-autofill-phishing

Fake "Migrant Helpline" donations emails delivers malware.
https://myonlinesecurity.co.uk/spoofed-migrant-helpline-donations-delivers-malware/