Tag WhatsApp

InfoSec Week 50, 2018

According to the New York Times sources, Marriott customers' data were breached by Chinese hackers.
Attribution is hard, especially when investigating government related hacks. We have to wait for more information.
https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html

A Google+ API software update introduced in November had caused the Google+ API to broadcast user profiles to third-party developers, exposing the personal information of more than 52 million users.
https://www.blog.google/technology/safety-security/expediting-changes-google-plus/

Excellent journalistic piece about the location data industry. It's impossible to anonymize this kind of datasets. Really recommended!
https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

Check Point researchers found 53 critical bugs in Adobe Reader and Adobe Pro by using WinAFL fuzzer.
https://research.checkpoint.com/50-adobe-cves-in-50-days/

The Cisco Talos team wrote about the various practical side-channel attack scenarios against the encrypted messaging apps like WhatsApp, Telegram, and Signal.
https://blog.talosintelligence.com/2018/12/secureim.html

Study finds 5 out of 17 tested certification authorities are vulnerable to spoofing domain validation by using the IP fragmentation attack.
https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Heftrig-Off-Path-Attacks-Against-PKI.pdf

A team behind the open source automation tool Jenkins published a patch for a critical vulnerability that could allow permission checks to be bypassed through the use of specially-crafted URLs.
https://jenkins.io/security/advisory/2018-12-05/

Microsoft took the first step in advocacy for the regulation of a facial recognition technology.
https://blogs.microsoft.com/on-the-issues/2018/12/06/facial-recognition-its-time-for-action/

A recent variant of a Shamoon malware wiped around ten percent PCs of the Italian oil and gas company Saipem.
https://www.zdnet.com/article/shamoon-malware-destroys-data-at-italian-oil-and-gas-company/

Russian State Duma is going to prohibit Russian servicemen from publishing personal information online.
https://informnapalm.org/en/seared-by-napalm-russian-state-duma-advances-legislation-banning-russian-servicemen-from-publishing-personal-information-online/

Researcher Natalie Silvanovich from the Google Project Zero fuzzed WhatsApp application and (surprisingly) didn't find exploitable bugs, just a heap corruption.
https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-3.html

Australian guys, there is a GitHub repository where you can ask legal questions about the terrible Assistance and Access Bill. The questions are answered by lawyers.
https://github.com/alfiedotwtf/AABillFAQ

InfoSec Week 41, 2018

Memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation can screw you. Just answering a call from an attacker could completely compromise WhatsApp.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1654

Great story about the spear phishing scheme against the MacEwan University in Canada. Investigators were able to track stolen money to China and back to the Canadian real estate investments.
https://www.thestar.com/edmonton/2018/10/09/how-a-fraudster-got-12-million-out-of-a-canadian-university-they-just-asked-for-it.html

Millions of Xiongmai video surveillance devices can be easily hacked. Devices can be discovered because of predictable cloud ID derived from the MAC address, then compromised by using malicious firmware images delivered by fake update server.
https://sec-consult.com/en/blog/2018/10/millions-of-xiongmai-video-surveillance-devices-can-be-hacked-via-cloud-feature-xmeye-p2p-cloud/

US Department of Defense published some findings from the weapons systems pentesting.
Weak passwords, port scans that caused the weapons system to fail, etc.
https://www.gao.gov/mobile/products/GAO-19-128

"Making sense of the alleged Supermicro motherboard attack" published by researchers at the University of Cambridge Computer Laboratory is explaining the possible technical aspects behind the recent Bloomberg story about the hardware backdoors shipped from China.
https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

US Police used victims' Fitbit data to charge 90-Year-Old man in stepdaughter’s killing.
They knew about the suspect, but the Fitbit data made the investigation easier.
https://www.nytimes.com/2018/10/03/us/fitbit-murder-arrest.html

New Zealand can now fine travelers who refuse to unlock their digital devices for a search.
http://www.abc.net.au/news/2018-10-04/nz-customs-can-force-travellers-to-unlock-digital-devices/10338662

Microsoft patches zero day vulnerability (CVE-2018-8453) in the win32k.sys discovered by Kaspersky Lab back in August.
The exploit is used to target victims in the Middle East.
https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/

There are multiple severe vulnerabilities reported in the Juniper network devices.
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES

Red Hat's Flatpak used for application distribution on Linux is implementing some questionable security practices.
https://flatkill.org/

Exploit for MikroTik router WinBox vulnerability gives full root access.
https://thehackernews.com/2018/10/router-hacking-exploit.html

Congratulations to ICANN for the first-ever DNSSEC root key signing key rollover that took place on 11 October 2018.
https://www.icann.org/resources/pages/ksk-rollover

Mozilla decided to delay distrust of the Symantec TLS certification authority from their browsers.
https://blog.mozilla.org/security/2018/10/10/delaying-further-symantec-tls-certificate-distrust/

ADAPE-Script - Active Directory Assessment and Privilege Escalation Script can automate your AD recon and pentesting.
https://github.com/hausec/ADAPE-Script

InfoSec Week 35, 2018

Google started selling their Titan Security Key bundle that support FIDO standards for secure authentication. They have written the firmware by themselves, but the price should be lower for this kind of hardware.
https://store.google.com/us/product/titan_security_key_kit

Interesting three month research on hacking Australian law firms by registering expired domain names. Thousands of emails received with sensitive material.
https://medium.com/@gszathmari/hacking-law-firms-abandoned-domain-name-attack-560979e0b774

Researchers systematically retrieved 3500 AT controlling commands from over 2000 Android smartphone firmware images across 11 vendors and "demonstrated that the AT command interface contains an alarming amount of unconstrained functionality and represents a broad attack surface on Android devices."
https://atcommands.org/

Fortnite Installer created by Epic Games allowed to install anything on the customer Android phone. An Epic security engineer requested Google to delay public disclosure for the 90 days period, to allow time for the update, but Google refused.
https://m.androidcentral.com/epic-games-first-fortnite-installer-allowed-hackers-download-install-silently

US T-Mobile Database was breached, 2 millions of customers' data exposed.
https://www.databreachtoday.com/t-mobile-database-breach-exposes-2-million-customers-data-a-11420

Ars Technica published a good introductory review of the WireGuard next generation VPN software.
https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connections-amaze-but-windows-support-needs-to-happen/

WhatsApp has warned users that by using a free backup service offered by Google, messages will no longer be protected by end-to-end encryption.
https://www.zdnet.com/article/whatsapp-warns-free-google-drive-backups-are-not-encrypted/

Assured researchers published an article which provides a brief overview of the new TLS 1.3.
https://assured.se/2018/08/29/tls-1-3-in-a-nut-shell/

If you wanted to know how to use PGP in an organization of 200 people, read this blog about OpenPGP key distribution.
They are now turning the lessons learned into an Internet standard.
https://tech.firstlook.media/keylist-rfc-explainer

Mozilla Firefox 62 and newer support a new TLS API for WebExtensions.
There is now a certificate viewer leveraging new API called Certainly Something (Certificate Viewer).
https://addons.mozilla.org/en-US/firefox/addon/certainly-something/

In-depth blog spot by voidsecurity about the VirtualBox code execution vulnerability.
https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html

Mark Ermolov and Maxim Goryachy researchers have published a detailed walk-through for accessing an Intel's Management Engine (IME) JTAG feature, which provides debugging access to the processor.
https://github.com/ptresearch/IntelTXE-POC

InfoSec Week 8, 2018

Fraudsters are impersonating authors and publishing computer generated books so they can launder money via Amazon.
https://krebsonsecurity.com/2018/02/money-laundering-via-author-impersonation-on-amazon/

Crooks made over $3 million by installing cryptocurrency miners on Jenkins Servers by exploiting Java deserialization RCE vulnerability (CVE-2017-1000353) in the Jenkins.
https://securityaffairs.co/wordpress/69232/malware/jenkinsminer-targets-jenkins-servers.html

Tesla's Kubernetes installed in the Amazon AWS infrastructure was compromised by hackers.They have set up private cryptocurrency mining pool there.
https://www.bleepingcomputer.com/news/security/tesla-internal-servers-infected-with-cryptocurrency-miner/

The co-founder of WhatsApp, Brian Acton, has given $50 millions to support Signal messenger and create a self-sustaining foundation. Very good news for this donation funded privacy technology.
https://signal.org/blog/signal-foundation/

Hackers are exploiting the CISCO ASA vulnerability (CVE-2018-0101) in attacks in the wild.
https://securityaffairs.co/wordpress/68959/hacking/cve-2018-0101-cisco-asa-flaw.html

Security Researcher Troy Hunt published half a billion passwords collected and processed from various breaches. There is also API for this dataset, and some statistics about the password usage.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/

There is a critical vulnerability in Mi-Cam baby monitors that let attackers spy on infants. At least 52k users are affected.
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html

Public key cryptography explained in the form of Ikea instructions. Check other images as well!
https://idea-instructions.com/public-key/

InfoSec Week 2, 2018

New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.
https://blog.cryptographyengineering.com/2018/01/10/attack-of-the-week-group-messaging-in-whatsapp-and-signal/

Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.
http://depastedihrn3jtw.onion.link/show.php?md5=ee7136ac48fa59fba803b9fbcbc6d7b9
http://depastedihrn3jtw.onion.link/show.php?md5=7e7bfe406315f120d8ed325ffb87670b

A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.
https://www.bleepingcomputer.com/news/security/hc7-planetary-ransomware-may-be-the-first-to-accept-ethereum/

There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
https://twitter.com/dragosr/status/949822668563365889

Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.
https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.
http://seclists.org/fulldisclosure/2018/Jan/12

Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
http://blog.virustotal.com/2018/01/virustotal-graph.html

A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.
https://github.com/RealJTG/Meltdown

InfoSec Week 34 - 35, 2017

Autodesk A360 cloud-based online storage misused as a delivery platform for multiple malware families.
http://blog.trendmicro.com/trendlabs-security-intelligence/a360-drive-adwind-remcos-netwire-rats/

Brian Krebs has done a good open source intel work on a shadowy past of Marcus Hutchins, author of the popular cybersecurity blog MalwareTech.
https://krebsonsecurity.com/2017/09/who-is-marcus-hutchins/

Wikileaks has published documents about the CIA Angelfire - "persistent framework that can load and execute custom implants on target computers running the Microsoft Windows operating system (XP or Win7)"
https://wikileaks.org/vault7/#Angelfire

ESET has published a research paper about a Gazer, stealth cyberespionage trojan, attributed to the notoriously known Turla group. The group was spreading malware using watering hole and spearphishing campaigns. I cannot find any more direct attribution except the fact that it is targeting "embassies and consulates" which, I believe, are a very common target for every intelligence actor...
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

Zimperium Researcher Adam Donenfeld published a proof-of-concept for iOS Kernel Exploit.
https://github.com/doadam/ziVA

Very good analysis of a group chat vulnerabilities in a popular IM applications:
"Insecurities of WhatsApp's, Signal's, and Threema's Group Chats"
https://web-in-security.blogspot.ch/2017/07/insecurities-of-whatsapps-signals-and.html

Cloudflare's blog post about a quantum resistant supersingular isogeny Diffie-Hellman key agreement used in TLS 1.3.
https://blog.cloudflare.com/sidh-go/

A Phrack-style paper on research into abusing Windows token privileges for escalation of privilege. Deep down the rabbit hole.
https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt

Security researchers at Positive Technologies have discovered an undocumented configuration setting that disables the Intel Management Engine.
http://securityaffairs.co/wordpress/62470/hacking/intel-management-engine-kill-switch.html