Emmentaler pigeonholes

Emmental is a type of Swiss cheese that melts well and features a nutty, buttery flavor. It's one of two main kinds of cheese used for making fondue. Emmental has walnut-sized holes. The internet is like that. With extra holes.


CCleaner is a PC cleaning tool developed by Piriform, acquired by antivirus (AV) provider Avast in June of 2017. In September of 2017, security researchers at Cisco Talos and Morphisec disclosed CCleaner had been compromised. The 5.33 version of CCleaner had widespread distribution across multiple industries, but the embedded code appeared to be targeted at specific groups in the technology sector.

It was infected with a modified __scrt_common_main_seh function that routed the execution flow to a custom function that decoded and loaded malware.

  • The infection took place before the entry point (EP) of the tool. The new execution flow led to a function that decoded a blob of data.
  • The result of the decoding was some shellcode and a payload.
  • The program then created an executable memory heap, copied the shellcode on the heap, and executed it.
  • The shellcode was responsible for loading the payload in memory.
  • Once the payload was copied to newly allocated memory, the shellcode resolved the needed APIs and called the OEP (original entry point) of the payload in memory.
  • The payload created a thread that performed the core functionality of the malware.
  • First it made some steps to guard against debugging and/or sandboxing.
  • It checked that the current user was a member of the Administrators group.
  • The malware also checked the privilege levels of its own process; if the process did not have administrative privileges, it set debug privileges.
  • The malware then checked for the registry keys HKLM\SOFTWARE\Piriform\Agomo\TCID and HKLM\SOFTWARE\Piriform\Agomo\MUID.
  • Once the checks were completed, the malware gathered information about the victim machine: OS major version, OS minor version, OS architecture, Computer name, Computer DNS domain, IPv4 addresses associated with the machine, installed applications, and full name of the executable image of each running process.
  • This information was encoded and stored in a data structure in memory.
  • The information was sent to C&C servers in an inconspicuous and hard-to-detect way.

The intent behind the injected packages was to collect an initial set of reconnaissance data.
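The two registry keys are the most practical indicator in that list for a defender. As an added example (my own, not code from the Talos or Morphisec write-ups), here is a small Python check that parses a `reg export` of the Piriform branch and reports whether the Agomo TCID/MUID indicators are present. The write-up calls them keys; the check accepts them both as subkeys of Agomo and as values under the Agomo key. The export text below is a constructed sample, and the script name is my own assumption.

```python
"""Offline check for the CCleaner 5.33 (Agomo) registry indicators.

Export the branch on the suspect host with
    reg export HKLM\SOFTWARE\Piriform piriform.reg
then run:  python agomo_check.py piriform.reg
Parsing the export text keeps the triage host from touching a live registry.
"""
import re
import sys
from typing import Dict, List

# Indicators named in the write-up: the Agomo branch and the two names.
AGOMO_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo"
AGOMO_NAMES = ("TCID", "MUID")

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax that `reg export` writes: a section
    header in square brackets followed by "name"=data lines.
    Hex continuation lines (ending in a backslash) match neither pattern and
    are skipped, which is fine because only the value names matter here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def find_agomo_indicators(text: str) -> List[str]:
    """Return the indicators found, in sorted order. Registry paths are
    case-insensitive, so comparisons are lower-cased."""
    hits: List[str] = []
    for key, values in parse_reg_export(text).items():
        if key.lower() == AGOMO_PATH.lower():
            hits.extend(f"{key}\\{n} (value)" for n in AGOMO_NAMES if n in values)
        for n in AGOMO_NAMES:
            if key.lower() == f"{AGOMO_PATH}\\{n}".lower():
                hits.append(f"{key} (subkey)")
    return sorted(hits)


# Constructed sample export (not taken from a real infected machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Piriform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo]
"MUID"=hex:00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff
"TCID"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\CCleaner]
"""

if __name__ == "__main__":
    # With a path argument, scan that export; otherwise run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:  # reg export writes UTF-16
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    for hit in find_agomo_indicators(text) or ["no Agomo indicators found"]:
        print(hit)
```

A hit on either name is enough to pull the host aside for a look at the installed CCleaner version and its network history; the absence of the keys says little, since the check only runs against the branch you exported.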



Named after the PowerPool group (perhaps a nation-state-sponsored hacker group), the malware comes in through an email whose attachment infects Microsoft Windows machines with a backdoor. If the machine contains data of interest to the attackers, a second backdoor is installed and a Windows zero-day exploit is used to gain admin rights.

The zero-day exploit was only two days old. That's incredibly fast.

Most probably there is a story behind the “Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.”

  • On August 27, 2018, the zero-day vulnerability was published on GitHub and Twitter by SandboxEscaper (The accounts have been removed).
  • In the proof-of-concept, SandboxEscaper released both a compiled binary and the exploit's source code (no reverse engineering necessary: anyone can modify and recompile the exploit in order to “improve it”, evade detection, or even incorporate it into their own code), and did so without patches already being available (it was not a coordinated vulnerability disclosure).
  • Also on August 27, Will Dormann (CERT/CC) verified the bug as a local privilege escalation flaw in the Microsoft Windows Task Scheduler, caused by errors in its handling of Advanced Local Procedure Call (ALPC) interfaces. It affects Microsoft Windows OSes from Windows 7 to Windows 10 and allows a Local Privilege Escalation (LPE).
  • Matthieu Faou (ESET) wrote he was tracking a group that was leveraging the Windows ALPC zero-day already two days later, in what is now called the PowerPool malware. Apparently the PowerPool group has been sending low-volume spam to people in Chile, Germany, India, the Philippines, Poland, Russia, United Kingdom, United States, and Ukraine.


US FCC making up a cyber attack

At the height of the US FCC’s efforts to kill off net neutrality, in May 2017, the FCC claimed their comment system had fallen victim to a DDoS attack. It hadn't. The Federal Communications Commission’s inspector general investigated and officially refuted the controversial claims. The report has been made public.

Reading the report makes me wonder about “Interventions by governments” scenarios. In any case, it is a Häagen-Dazs level read with crispy caramelised bits:

  • Providing false information (lying) to politicians and investigators.
  • A willingness to ignore logic and contradictory evidence.
  • Seeking indicators that support preconceived notions and political agenda.
  • Dismissing critics.
  • Ignoring and/or covering up system design flaws.
  • Not discussing criteria.

The matter was officially referred to the U.S. Justice Department in December, but after reviewing information and interviews related to the case, the U.S. Attorney’s Office in Washington declined to prosecute. The report was made public on Google Drive, and for those of us not wanting to allow Google trackers, I provide this local download link (pdf, 9.5 MB).


GandCrab was first spotted on Jan 26 and later identified in exploit kit campaigns. This ransomware spreads via several exploit kits and malware files and uses a strong encryption method to eliminate the possibility of brute-forcing a key that would decrypt the encrypted documents, photos and music. After launch, it scans all available drives, including network and cloud storage, to determine which files will be encrypted (personal photos, documents and music), encrypts the chosen files, appends the .GDCB extension to them, and then shows a ransom note demanding payment.


Exactis database without firewall

Security researcher Vinny Troia of Night Lion Security wanted to know more about Elasticsearch databases visible on publicly accessible servers with American IP addresses. Shodan returned about 7,000 results. As Troia combed through them, he quickly found the Exactis database, unprotected by any firewall.

A few days later, the first class action lawsuit against Exactis was filed.
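The Exactis case is the common Elasticsearch failure mode: the REST listener bound to a routable interface with nothing in front of it. As an added example (mine, not from the original post or from Exactis), this Python script audits an elasticsearch.yml for exactly that combination, an exposed `network.host`/`http.host` together with `xpack.security.enabled` missing or false, and prints a finding per problem. Only the flat `key: value` form of the file is parsed; the two configurations at the bottom are constructed samples.

```python
"""Audit an elasticsearch.yml for the exposure pattern behind the Exactis find:
REST API bound to a non-loopback address with no authentication enabled.

Usage:  python es_exposure.py /etc/elasticsearch/elasticsearch.yml
Without an argument the two constructed samples below are assessed.
"""
import sys
from typing import Dict, List

# Address values that keep the listener on the host itself.
LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read dotted `key: value` lines. Comments and blank lines are skipped,
    quoted scalars are unquoted, and indented (nested) lines are ignored
    because elasticsearch.yml is normally written in the flat dotted form."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.startswith((" ", "\t")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def bound_addresses(settings: Dict[str, str]) -> List[str]:
    """http.host overrides network.host for the REST listener; either may be a
    single value or a bracketed list. Elasticsearch defaults to _local_."""
    raw = settings.get("http.host") or settings.get("network.host") or "_local_"
    return [a.strip().strip("\"'") for a in raw.strip("[]").split(",") if a.strip()]


def assess_exposure(text: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing exposed."""
    settings = parse_flat_yaml(text)
    findings: List[str] = []
    public = [a for a in bound_addresses(settings) if a not in LOOPBACK]
    if public:
        findings.append(f"REST API bound to non-loopback address(es): {', '.join(public)}")
    security = settings.get("xpack.security.enabled", "").lower()
    if public and security != "true":
        state = security or "absent"
        findings.append(f"xpack.security.enabled is {state}: bound addresses accept unauthenticated requests")
    return findings


# Constructed samples: the weak setting beside the corrected one.
EXPOSED = """cluster.name: customer-data
network.host: 0.0.0.0          # every interface, including the public one
http.port: 9200
xpack.security.enabled: false
"""

HARDENED = """cluster.name: customer-data
network.host: _local_          # loopback only; put a proxy or firewall in front if remote access is needed
http.port: 9200
xpack.security.enabled: true
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sources = {sys.argv[1]: fh.read()}
    else:
        sources = {"EXPOSED": EXPOSED, "HARDENED": HARDENED}
    for name, text in sources.items():
        findings = assess_exposure(text)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The check is deliberately about the node's own configuration, so a cluster that is bound publicly but shielded by a firewall still gets flagged; that is intended, since the firewall was exactly the control missing in this case and a config-level finding prompts someone to confirm it exists.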

Dead Battery Anxiety

Malware discovered by RiskIQ. Do not click, not even the Cancel option. Restart the device instead.
