A Comcast security flaws exposed more than 26 millions of customers’ personal information. Basically, an attacker could spoof IP address using "X-forwarded-for" header on a Comcast login page and reveal the customer’s location.
According to the Check Point Research, more than 150k computers are infected with the new variant of Ramnit botnet named Black. Botnet install second stage malware with the proxy functionality.
Malware infected Apple chip maker Taiwan Semiconductor Manufacturing. All of their factories were shut down last week, but they had already recovered from the attack.
A flaw in the Linux kernel may cause a remote denial of service [CVE-2018-5390]. Attack require less than 2 Kbps of traffic.
GDPR and other cookie consent scripts are used to distribute malware.
Interesting blog on how criminals in Iran make money by creating Android malware apps.
Let's Encrypt root CA certificate is now trusted by all major root programs. They were dependent on a cross-signing on some systems, so this is great news!
There is a really effective new attack on WPA PSK (Pre-Shared Key) passwords. Attackers can ask Access Point for the data required for offline cracking, no client traffic sniffing is needed anymore.
Innovative new research on a software implementation hardening was published with the name "Chaff Bugs: Deterring Attackers by Making Software Buggier".
The idea is simple, introduce a large number of non-exploitable bugs in the program which makes the bug discovery and exploit creation significantly harder.
Researchers from the University of Milan published padding oracle attack against Telegram Passport.
Don't roll your own cryptography schemes if other people depend on it...
A Handshake is a new experimental peer-to-peer root DNS. They have published resolver source code and have test network up and running. Looks like really promising project.
A reverse shell connection is possible from an OpenVPN configuration file. So be cautious and treat ovpn files like shell scripts.
Mozilla integrates Troy Hunts' Have I Been Pwned (HIBP) database of breached passwords into Firefox. They will make breach data searchable via a new tool called Firefox Monitor.
The suspected ringleader behind the well known Carbanak malware is under arrest, but of course, his malware attacks live on.
It is possible to attack resources in the private network from the Internet with DNS rebinding attack.
"Following the wrong link could allow remote attackers to control your WiFi router, Google Home, Roku, Sonos speakers, home thermostats and more."
Wi-Fi Alliance Introduces Wi-Fi Certified WPA3 Security. Again with a questionable cryptography, but we will see. That's how industrial alliances with expensive membership works.
IETF published draft of Issues and requirements for Server Name Indication (SNI) encryption in TLS.
The draft lists known attacks against SNI encryption, discusses the current "co-tenancy fronting" solution, and presents requirements for future TLS layer solutions.
The unpatched WordPress vulnerability allows code execution for authors. Exploiting the vulnerability grants an attacker the capability to delete any file of the WordPress installation or any other file the PHP process user has the proper permissions to delete.
Researchers identified three attack vectors against LTE (Long-Term Evolution, basically 4G) on layer 2 - an active attack to redirect network packets, a passive identity mapping attack, and website fingerprinting based on resource allocation.
Cisco Talos team releases ThanatosDecryptor, the program that attempts to decrypt certain files encrypted by the Thanatos malware.
DEDA is a tool that gives the possibility to read out and decode color tracking dots which encode information about the printer. It also allows anonymisation to prevent arbitrary tracking.
New research has found a flaw in a group messaging part of a Signal protocol used by Signal, WhatsApp and Threema. It’s hardly exploitable, but the server (attacker) could be, in some theoretical scenario, able to silently join an encrypted group chat.
Janit0r, author of the mass internet scanning campaign known as Internet Chemotherapy, released two more blogs about the campaign. Interesting.
A tale about the npm package which crawled user entered credit card information from the websites. It is a work of fiction, but published few hours after dozens of npm packages stopped working due to missing dependencies... Scary.
HC7 Planetary Ransomware is probably the first known ransomware asking for Ethereum as a ransom payment. It's for Windows users only.
There is a hardwired network backdoor in the Western Digital MyCloud drives (user: mydlinkBRionyg, password: abc12345cba). Vendor probably patched it six months after reported.
Wi-Fi Protected Access III - WPA3 will be forced on a marked this year. Hopefully a lot of security enhancements to wi-fi protocol will be delivered by the WPA3-certified devices.
Let's Encrypt certification authority has temporarily disabled TLS-SNI-01 authorization challenge due to reported exploitation technique possible on a shared hosting infrastructure.
Google Cloud security engineers reported remote code execution vulnerability in the AMD Platform Security Processor.
Brian Krebs wrote a blog about the flourishing online markets with the stolen credentials.
VirusTotal has a new feature, a visualization tool for the relationship between files, URLs, domains and IP addresses.
A Meltdown vulnerability proof of concept for reading passwords out of Google Chrome browser.
SensePost researchers found out that the Microsoft Office home page is able to compromise user by loading ActiveX component with VBscript.
Microsoft security department were contacted by a worried user that found 2 seemingly identical µTorrent executables, with valid digital signatures, but different cryptographic hashes. As they have found out there were marketing campaign identifier in "a text file inside a ZIP file inside a PE file, BASE64 encoded and injected in the digital signature of a PE file.". Quite complicated...
A vulnerability (CVE-2017-15361) in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace.
The rolling code in electronic keys for Subaru Forester (2009) and some other models are not random. Keys can be cloned, cars unlocked, with the hardware costs of $25. https://github.com/tomwimmenhove/subarufobrob
Microsoft reintroduced a Pool-based overflow kernel vulnerability on Windows 10 x64 (RS2) Creators Update which was originally patched in 2016. The guys wrote an exploit with rich explanation.
Blog about the "Exploding Git Repositories" that will crash your git process.
MediaTek and Broadcom Wi-Fi AP drivers have a weak random number generator, allowing prediction of Group Temporal Key. Practical attack requires a LOT of handshakes.
How to hide a process from SysInternals without the admin rights, but with the privilege escalation.
Adam Langley blogged about the low level testing of the FIDO U2F security keys, namely Yubico, VASCO SecureClick, Feitian ePass, Thetis, U2F Zero, KEY-ID / HyperFIDO.
Good introductory blog about the (in)security of Intel Boot Guard. The author also published source code of the UEFITool with visual validation of Intel Boot Guard coverage.
A script that tests if access points are affected by Key Reinstallation Attacks (CVE-2017-13082) was published on a GitHub by researcher Mathy Vanhoef.
The Miscreant is a Misuse-resistant symmetric encryption library supporting the AES-SIV (RFC 5297) and CHAIN/STREAM constructions.
WikiLeaks has published documents detailing two alleged CIA implants, BothanSpy and Gyrfalcon, designed to steal SSH credentials from Windows and Linux.
Popular article about the background of iPhone Jailbreaking. Really interesting.
Domains for an authoritative name servers of .io domain was free, so guy registered one, and published blog about the possibility of .io domains takeover.
The author of the original variant of the Petya ransomware has published the master key via Twitter.
Security researcher Nitay Artenstein has discovered a serious Broadcom Wi-Fi chip bug CVE-2017-9417.
Chinese researchers published an attack on a satellite phone encryption that enable them to decrypt communication encrypted by GMR-2 cipher in real-time.
API Security Checklist is the checklist of the most important security countermeasures when designing, testing, and releasing an online API.
Horcrux: A Password Manager for Paranoids is an research project and experimental implementation of a highly secure password manager. Credentials are secretshared over multiple servers, the passwords are filled by modifying outgoing POST requests.
Interesting blog about the generic unpacking of the Locky malware using Radare r2pipe, python and the Windows 7 VM.
More information about the Shadow Brokers NSA hacking toolkit dump are coming out after analysis.
Kudelski Security research published the overview of an Equation Group exploitation arsenal for the Windows platform. Good to note, that this dump has also implicated that the NSA compromised a SWIFT system.
Symantec researchers linked the CIA hacking tools (Vault 7) to a cyber attacks launched in recent years by a Longhorn group gang specialising in the intelligence gathering operations.
Black hats have robbed at least 8 ATMs in Russia and stole $800,000 in one night using a ATMitch "fileless" malware.
FireEye documented a campaign leveraging the CVE-2017-0199 vulnerability, which enabled attackers to "download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit." It delivers so called FINSPY and LATENTBOT samples, targeting mostly Russian speaking users.
I wrote about the Broadcom’s Wi-Fi stack exploit last week, this is the second part of a series of Google Project Zero team.
The Cisco Talos team has analyzed ROKRAT remote administration tool targeting South Koreans by spear phishing campaign.
The "rensenWare" ransomware is asking victims to score over 0.2 billion game currency playing the game "Touhou Project - Undefined Fantastic Object”.
The new BrickerBot malware is performing so called Permanent Denial-of-Service (PDoS) on a IoT device. It's using the same attack vector as a Mirai botnet - bruteforcing ssh passphrase. If succesful, it tries to brick device storage.
Triada Android malware is using open source DroidPlugin sandbox when running, in order to evade detection.
The security issue in the Splunk Enterprise allowed a potential attacker to steal data from the authenticated user if she visited a malicious website.
Google Project Zero demonstrated a Broadcom’s Wi-Fi stack remote code execution exploit on a fully updated Nexus 6P, running Android 7.1.1 version NUF26K.
TheShadowBrokers hacking group just leaked the NSA digital weapons package online.
WikiLeaks published documents detailing the Grasshopper framework used by the CIA to create custom Windows malware installers.
Source code of the "Stolen Goods" module contains parts of the leaked Carberp banking trojan source code.
The Xen Security Team has discovered a security bug in the hypervisor code which, if exploited, can be used for breaking Qubes OS isolation.
Exploit chaining required for the full system takeover tough.
Interesting research about the using antivirus software as a leverage during the attack.
"Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks"