Emmentaler pigeonholes

Emmental is a type of Swiss cheese that melts well and features a nutty, buttery flavor. It's one of two main kinds of cheese used for making fondue. Emmental has walnut-sized holes. The internet is like that. With extra holes.


It all began when attackers compromised the M.E.Doc update server and pushed NotPetya to unsuspecting victims. XData ransomware had also been distributed via M.E.Doc, in May 2017, and the backdoored updater had been pushed as early as April. Malwarebytes estimated that, conservatively, at least tens of thousands of systems were infected (a significant percentage of them in Ukraine). Because it was a wiper attack, it is impossible for the attackers to decrypt victims' disks, even if the ransom is paid. Symantec published a chart.

The Ukrainian power grid and other key assets have been frequent targets of Russian state-sponsored hackers. A number of Ukrainian officials laid the blame at Russia's feet.

→


PyPI, the official package repository for the widely used Python programming language, had been seeded with copies of legitimate packages uploaded under names close to the genuine ones; unwitting developers downloaded them and incorporated them into software for about three months.

  • The packages worked like the originals, but the added code ran as soon as a developer or system administrator installed the package, often with administrator privileges.
  • The executed code apparently only reported the name and version of the fake package, the user name of the person who installed it, and the hostname (via an HTTP request to a remote server at …).

The attack was made easier by pip neither requiring nor verifying cryptographic signatures on packages, and by the fact that installing a source distribution executes arbitrary code (its setup.py) on the installing machine.

The incident resembles a June 2016 research experiment in which University of Hamburg student Nikolai Philipp Tschacher uploaded typosquatted packages to PyPI and two other repositories.

→


Attackers modified at least five software packages distributed by network connectivity and server management solutions provider NetSarang in order to infect its business users with modular backdoor spyware. A financial institution detected suspicious DNS requests on systems related to the processing of financial transactions and contacted Kaspersky Lab.

Kaspersky reported that the ShadowPad files delivered an encrypted payload capable of remotely downloading and executing arbitrary code, uploading files, creating processes, and storing data in a virtual file system (VFS) kept inside the victim's registry. The staging resembles what was later found in CCleaner:

  • A tiered architecture keeps the backdoor dormant until a designated command-and-control (C&C) server answers with a specially crafted DNS TXT record for a specific domain. The attackers implemented a domain generation algorithm for these C&C domains.
  • The first stage periodically sends a DNS request carrying basic victim data (user, domain and host names). If the victim looks interesting, the C&C server responds and activates the backdoor.
  • Once the payload was activated, the module exchanged data with the server, which sent back a decryption key for the next stage of the code.
  • With the backdoor activated, attackers could upload files, create processes, and store information in the VFS inside the victim's registry. The VFS and any additional files created by the code were encrypted and stored in locations unique to each victim.
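The activation channel described above is also the detection opportunity: the first stage is a DNS query with victim data encoded in the leftmost label, sent at a regular interval, and the C&C answer comes back as a TXT record. The detector below is an added example written for this post, not Kaspersky's tooling or anything from the ShadowPad analysis; it runs over constructed resolver log lines (format, addresses and domain names are all invented) and flags a client whose TXT lookups carry long, high-entropy labels under one domain at a steady cadence.

```python
"""Flag DNS beaconing of the ShadowPad kind in a resolver log: TXT lookups whose
leftmost label carries long encoded data, repeated at a fixed interval."""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of resolver log lines (not real traffic):
# "<ISO timestamp> <client ip> <query type> <query name>"
# 10.1.20.7 beacons to beacon-dga.example every 8 hours; the rest is noise.
SAMPLE_LOG = """\
2017-07-17T00:05:12 10.1.20.7 A www.netsarang.example
2017-07-17T00:05:13 10.1.20.7 TXT 7kq2xzm9fbq4p1lvs0dw3ae8.beacon-dga.example
2017-07-17T00:06:40 10.1.20.9 TXT _dmarc.example.org
2017-07-17T03:10:00 10.1.20.9 TXT 5ab8kx2mqz7w1rtn4cv9jpl3.cdn-tokens.example
2017-07-17T03:10:02 10.1.20.9 TXT 5ab8kx2mqz7w1rtn4cv9jpl3.cdn-tokens.example
2017-07-17T08:05:14 10.1.20.7 TXT 9pz4rtn2wlc6hd8xv1sg5mbq.beacon-dga.example
2017-07-17T09:12:00 10.1.20.7 TXT google._domainkey.example.org
2017-07-17T16:05:12 10.1.20.7 TXT 2rw8ykb5xq1nm7fz0dv4ctp6.beacon-dga.example
2017-07-18T00:05:15 10.1.20.7 TXT j3h6nq9vb2xl8sk0dr5cw7ma.beacon-dga.example
"""


def shannon_entropy(s):
    """Bits per character; encoded/random labels score high, words score low."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def parse_log(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        yield datetime.fromisoformat(ts), client, qtype.upper(), qname.rstrip(".").lower()


def looks_encoded(label, min_len, min_entropy):
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_beacons(log_text, min_label_len=20, min_entropy=3.5,
                 min_queries=3, max_jitter=0.1):
    """Return one finding per (client, domain) showing periodic encoded TXT lookups."""
    series = defaultdict(list)
    for ts, client, qtype, qname in parse_log(log_text):
        if qtype != "TXT":
            continue
        labels = qname.split(".")
        if len(labels) < 3 or not looks_encoded(labels[0], min_label_len, min_entropy):
            continue
        # Last two labels as the registered domain; use a public-suffix list in production.
        domain = ".".join(labels[-2:])
        series[(client, domain)].append(ts)

    findings = []
    for (client, domain), stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        # Steady cadence: every gap within max_jitter of the median gap.
        jitter = max(abs(g - median) for g in gaps) / median
        if jitter <= max_jitter:
            findings.append({"client": client, "domain": domain,
                             "queries": len(stamps), "interval_s": median,
                             "first_seen": stamps[0].isoformat()})
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The two retried lookups from 10.1.20.9 are ignored because a beacon needs at least three data points to establish a cadence, and DKIM/DMARC TXT lookups drop out on label length. Tune the thresholds to your resolver's traffic; once a hit appears, the follow-up is to find which process on that client is issuing the queries, which is how the NetSarang case was traced back to the shipped software.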

Some of the techniques used had also been seen in the PlugX remote access tool and the Winnti backdoors, allegedly developed by Chinese-speaking authors.

→


CCleaner is a PC cleaning tool developed by Piriform, which was acquired by antivirus (AV) provider Avast in June 2017. In September 2017, security researchers at Cisco Talos and Morphisec disclosed that CCleaner had been compromised. Version 5.33 of CCleaner was widely distributed across multiple industries, but the embedded code appeared to be targeted at specific groups in the technology sector.

The compromised binary had a modified __scrt_common_main_seh function that diverted the execution flow to a custom function, which decoded and loaded the malware.

  • The hijack took place before the entry point (EP) of the tool. The new execution flow led to a function that decoded a blob of data.
  • The result of the decoding was some shellcode and a payload.
  • The program then created an executable memory heap, copied the shellcode onto the heap, and executed it.
  • The shellcode was responsible for loading the payload into memory.
  • Once the payload was copied to newly allocated memory, the shellcode resolved the needed APIs and called the OEP (original entry point) of the payload in memory.
  • The payload created a thread that performed the core functionality of the malware.
  • First it took steps to guard against debugging and sandboxing.
  • It checked that the current user was a member of the administrators group.
  • The malware also checked the privilege level of its own process; if the process did not have administrative privileges, it set debug privileges.
  • The malware then checked for the registry keys HKLM\SOFTWARE\Piriform\Agomo\TCID and HKLM\SOFTWARE\Piriform\Agomo\MUID.
  • Once the checks were completed, the malware gathered information about the victim machine: OS major version, OS minor version, OS architecture, computer name, computer DNS domain, IPv4 addresses associated with the machine, installed applications, and the full name of the executable image of each running process.
  • This information was encoded and stored in a data structure in memory.
  • The information was sent to C&C servers in an inconspicuous and hard to detect way.

The intent behind the injected code was to collect an initial set of reconnaissance data.

→


Named after the PowerPool group (perhaps a nation-state-sponsored hacker group), the malware arrives by email: the attachment infects Microsoft Windows machines with a first-stage backdoor. If the machine holds data the attackers find interesting, a second backdoor is installed and a Windows zero-day exploit is used to gain admin rights.

The zero-day exploit was only two days old. That's incredibly fast.

Most probably there is a story behind the “Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.”

  • On August 27, 2018, the zero-day vulnerability was published on GitHub and Twitter by SandboxEscaper (the accounts have since been removed).
  • SandboxEscaper released both a compiled binary and the exploit's source code in the proof of concept (no reverse engineering necessary: anyone can modify and recompile the exploit to “improve” it, evade detection, or incorporate it into their own code), and did so before a patch was available (it was not a coordinated vulnerability disclosure).
  • Also on August 27, Will Dormann (CERT/CC) confirmed the bug: a local privilege escalation (LPE) flaw in the Microsoft Windows Task Scheduler, caused by an error in the handling of its Advanced Local Procedure Call (ALPC) interface. It affects Windows versions from Windows 7 to Windows 10.
  • Matthieu Faou (ESET) wrote that he was tracking a group which had been leveraging the Windows ALPC zero-day just two days later, in what is now called the PowerPool malware. Apparently the PowerPool group has been sending low-volume spam to people in Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

→

US FCC making up a cyber attack

At the height of the US FCC's efforts to kill off net neutrality, in May 2017, the FCC claimed that its comment system had fallen victim to a DDoS attack. It hadn't. The Federal Communications Commission's inspector general investigated and officially refuted the controversial claim, and the report has been made public.

Reading the report makes me wonder about Interventions by governments scenarios. In any case, it is a Häagen-Dazs level read with crispy caramelised bits:

  • Providing false information (lying) to politicians and investigators.
  • A willingness to ignore logic and contradictory evidence.
  • Seeking indicators that support preconceived notions and political agenda.
  • Dismissing critics.
  • Ignoring and/or covering up system design flaws.
  • Not discussing criteria.

The matter was officially referred to the U.S. Justice Department in December, but after reviewing the information and interviews related to the case, the U.S. Attorney's Office in Washington declined to prosecute. The report was published on Google Drive; for those of us not wanting to allow Google trackers, I provide this local download link (pdf, 9.5 MB).
