Tag WannaCry

InfoSec Week 5, 2018

A.P. Moller–Maersk Group, the world's largest container shipping company, reinstalled 45,000 PCs and 4,000 servers to recover from the NotPetya ransomware attack.

The U.S. Secret Service is warning financial institutions that ATM jackpotting attacks are targeting cash machines in the United States. Attackers are able to empty Diebold Nixdorf and possibly other ATMs using malware, an endoscope and social engineering skills.

Microsoft has disabled the Spectre software mitigation released earlier this month due to system instability.

Data from the fitness tracking app Strava gives away the location of sensitive sites such as army bases.

China built the African Union building for free, but the building is riddled with microphones and its computers transmit all voice data back to servers in Shanghai.

Journalist Marc Miller has interviewed one of the hackers of the ICEMAN group behind the "Emmental" phishing campaign targeting bank clients.

Errata Security blog post about the political nature of cyber attack attribution. Mostly about the WannaCry and North Korea connection, but it is a good overview of attribution bias in general.

Great article about the largest malvertising campaign of last year. The so-called Zirconium group operated up to 30 different ad agencies, which enabled them to redirect users to exploit kits, malware downloads and click-fraud websites.

AutoSploit is an automated exploitation tool written in Python. It is able to search for targets using the Shodan.io API and exploit them with Metasploit.

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.

Matthew Green thinks that the recently discovered "Extended Random" extension of RSA's BSAFE TLS library, found in older Canon printers, could be an NSA backdoor.

Filippo Valsorda presented a key recovery attack against the carry bug in the x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption is affected.

Explanation of how web trackers exploit browser login managers to track users across the Internet.

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.

Short blog post about cracking encrypted (40-bit encryption) PDFs using hashcat.

Crooks behind the VenusLocker ransomware have moved to Monero mining. They are executing the Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.

Proofpoint researchers published a paper on largely undocumented Lazarus Group campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.

InfoSec Week 43, 2017

Researchers from Masaryk University finally published the full paper on the practical cryptographic attack against the RSA implementation in widely used trusted platform modules / crypto tokens.
"The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli" https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf

Those guys published an interesting paper about secure cryptographic computation under a threat model that excludes Earth-based attackers. They are proposing SpaceHSM hardware security devices in orbit.
"SpaceTEE: Secure and Tamper-Proof Computing in Space using CubeSats"

There is a small chance that documents encrypted by the Bad Rabbit ransomware can be recovered without paying the ransom, if shadow copies had been enabled in Windows prior to the infection. Victims can then restore the original versions of the encrypted files using the standard Windows backup mechanism.
For a technical analysis of the Bad Rabbit ransomware, see the second link.

Google is going to deprecate the use of pinned public key certificates, public key pinning (PKP), in the Google Chrome browser.

The British government has publicly attributed the "WannaCry" malware epidemic to North Korean government hackers.

Multiple remote code execution vulnerabilities (CVE-2017-13089, CVE-2017-13090) were patched in the popular Wget software. Update!

The source code of the AhMyth Android remote administration tool is available on GitHub. It can steal contact information, turn on the camera and microphone, read SMS, and more.

Malscan is a robust and fully featured scanning platform for Linux servers built upon the ClamAV platform, providing all of the features of Clamscan with a host of new features and detection modes.

There is an update for Hashcat, the world's fastest and most advanced password recovery utility.

InfoSec Week 22, 2017

The notorious Gh0st RAT spyware is spreading through the same SMB vulnerability as the WannaCry ransomware.

Jaff, ransomware distributed by today's biggest spam botnet, Necurs, shares server infrastructure with the PaySell cybercrime marketplace based in Saint Petersburg, Russia.

Security researchers have spotted a new PowerPoint infection vector. Malware is downloaded to the computer whenever the victim hovers over a link. No macros required.

Wikileaks has published yet another CIA toolkit: a Windows implant capable of on-the-fly infection of a file executed over the network.

This guy lost lots of bitcoin in 15 minutes after an attacker exploited Verizon's alternative authentication method. Interesting read.

The company behind OneLogin, a single sign-on and identity management service for cloud-based applications, has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.

InfoSec Week 21, 2017

Check Point researchers revealed a new attack vector using malicious subtitle files which, when downloaded by a victim's media player, can provide complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io.

Check Point also discovered auto-clicking adware in 41 apps in the Google Play Store. It silently sends "clicks" to advertisements pushed by the remote C&C server.

WannaCry support staff decrypted files for free because their "Taiwanese campaign seems to be a total failure" and they had "overestimated income of the population". How generous.

Cloak & Dagger is a new class of potential attacks affecting Android devices. It's basically an attack vector based on two Android permissions (SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE) that are granted by default, and a malicious app can use them to do bad stuff.

Interesting security evaluation "of the Implantable Cardiac Device Ecosystem Architecture" by WhiteScope. Basically, these devices are neither authenticated nor encrypted and can be programmed by anyone competent.

Crypto guys published a paper breaking an encryption scheme published 3 days earlier. Should have emailed them instead...
https://eprint.iacr.org/2017/471 https://eprint.iacr.org/2017/458

Vulnerability researcher Tavis Ormandy has ported Windows Defender to Linux :)
"This repository contains a library that allows native Linux programs to load and call functions from a Windows DLL."

InfoSec Week 20, 2017

Researchers published a WannaCry ransomware decryption tool for older Windows versions (XP, 2003, 7). It uses a bug in the Windows Crypto API, which does not immediately erase the private key from memory. The application crawls the computer's memory looking for prime numbers that divide the public key (the RSA modulus) used for the encryption.
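As an added example (not the tool from the post), the following Python simulates that recovery idea end to end: a toy RSA key pair, a constructed memory dump with the leaked prime still in it, a sliding-window scan for byte windows that divide the modulus, and reconstruction of the private exponent. Key size, byte order and the use of e = 65537 are assumptions.

```python
import random

E = 65537  # standard RSA public exponent, assumed for the toy key


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, enough for the toy-sized primes used here."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime of the given size with p-1 coprime to E (keeps d well-defined)."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (c - 1) % E and is_probable_prime(c):
            return c


def find_prime_factor_in_memory(mem, n, prime_len):
    """Slide a prime_len-byte window over the dump; a hit is a nontrivial divisor of n."""
    for i in range(len(mem) - prime_len + 1):
        cand = int.from_bytes(mem[i:i + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def run_demo(seed=2017, bits=256):
    """Constructed scenario; returns (factor found in dump, session key recovered)."""
    random.seed(seed)
    p, q = gen_prime(bits), gen_prime(bits)
    n = p * q                                # the "public key" the sample carries
    session_key = random.getrandbits(128)    # stands in for a per-file AES key
    wrapped = pow(session_key, E, n)         # how the ransomware protects that key
    noise = lambda: bytes(random.getrandbits(8) for _ in range(4096))
    mem = noise() + p.to_bytes(bits // 8, "little") + noise()  # constructed dump
    found = find_prime_factor_in_memory(mem, n, bits // 8)
    if found is None:
        return False, False
    d = pow(E, -1, (found - 1) * (n // found - 1))  # rebuild the private exponent
    return found in (p, q), pow(wrapped, d, n) == session_key
```

In the real tool the modulus comes from the key file dropped by the sample and the dump is the live process memory, which is why the machine must not be rebooted before the scan.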

Google introduced a behavior-based malware scanner to every Android device. It's part of Google Play Services, scans installed apps, and provides phone tracking in case of theft.

The Croatian CERT honeypot detected a new SMB worm which uses seven tools from the NSA hacking toolkit. It uses a Tor-based C&C server, currently only beaconing to the server, and spreads using the SMB exploit.

Research by the Recorded Future and the Intrusiontruth group concludes that so-called APT3, widely believed to be a China-based threat actor, is directly connected to the Chinese Ministry of State Security (MSS).

Sophos discovered malware infecting Seagate NAS devices which turns them into Monero cryptocurrency miners. However, "This threat is not targeting the Seagate Central device specifically; however, the device has a design flaw that allows it to be compromised. Most all of these devices have already been infected by this threat." https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Cryptomining-malware-on-NAS-servers.pdf?la=en

Wikileaks released another CIA malware spying framework. Called 'Athena', the program "provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10)."

Maltrail is a malicious traffic detection system, utilizing publicly available lists containing malicious and generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists.

InfoSec Week 19, 2017

You have probably heard about the WannaCry/WannaCrypt/WannaWhatever worm spreading ransomware, because of the sensation created by parties profiting from the scare tactics. But also because it uses a really good spreading technique: exploiting the MS17-010 SMB vulnerability leaked from the NSA.
Some post-mortem analysis of the first version (with the killswitch) and the TheShadowBrokers blog post are listed below. The crypto works, so no trivial decrypter is likely unless the keys are published.
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition

Nice analysis of a P2P botnet. The researchers determined the botnet size by injecting fake nodes into the network, as well as by crawling it. http://securityaffairs.co/wordpress/58931/malware/p2p-transient-rakos-botnet.html

Fatboy Ransomware-as-a-Service is using The Economist’s Big Mac Index to calculate the ransom amount.

A Tor hidden service operator is analysing bots used to enumerate and attack hidden services.

Google Project Zero post about the process of discovering the CVE-2017-7308 vulnerability. Found by fuzzing, with later exploitation to escalate privileges.
https://googleprojectzero.blogspot.ch/2017/05/exploiting-linux-kernel-via-packet.html https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308

Wikileaks released "AfterMidnight" and "Assassin", two CIA malware frameworks for the Microsoft Windows platform. Those services allow operators to dynamically load and execute malware payloads on a target machine and exfiltrate data.

Security researcher Thorsten Schroeder discovered that an audio driver shipped on dozens of HP laptops and tablet PCs logs keystrokes. It's actually a badly written application writing pressed keys to the debug output, so anyone is able to read them using the MapViewOfFile function.

malwaresearch - A command line tool to find malware samples on openmalware.org. It's possible to search by various hashes or by common name.