🔓[CyberFacts Weekly - Issue 0x03] Twice the Content, New Workflow
Hello! đź‘‹
I should have never skipped last week's CyberFacts Weekly, because...guess what, now I had to process twice the load! 🥵
But last week was definitely too packed with prepping for Black Hat Europe and I had to prioritize that! By the way, consider attending Black Hat Europe, which is taking place both on site (at the London ExCeL) and virtually.
Despite being overwhelmed, I finally found the time to use Zotero to manage this digest. Here's the workflow:
- Every time I find an interesting news item, I tag it in my favorite RSS reader so it gets pushed immediately in the feed and via Twitter.
- Every once in a while I skim through the list of tagged items in my reader and visit the web page.
- Use Zotero Companion to take a snapshot and automagically import it into Zotero along with the relevant metadata.
- I organize the items into sub-collections and create child notes to highlight the relevant bits.
- Use Better BibTex for Zotero to keep a synced JSON database for each weekly issue.
- Run a Python script I cooked to convert from the JSON database into the Markdown file that holds each issue.
It looks more complex than it actually is, but it's much better than having to fumble with a JSON manually, having to reorder manually, get the dates wrong, etc.
A lot has happened in the past two weeks, but these are my personal highlights:
- Two SGX Enclave SDKs Patched Against Info-disclosure Exploits
- Former Twitch Engineers Says the Massive Leak isn't Surprising
- Abusing GitHub Actions to Bypass Code Reviews
- Video Transcoding Pipelines Can be Exploited, Too
All the rest, as usual, it's here below! If you like this, consider subscribing!
-
Top Picks
- Discord CDN Abused to Spread 27 Unique Malware Types
- Edward Snowden Launches Global Encryption Day to Promote the Use of Strong Encryption
- WinRAR Trial is Affected by a Trivial Vulnerability Allowing RCE (CVE-2021-35052)
- Trick or Treat: Ransomware Interrupts Production at US Candy Maker
- Brave Browser Enables Brave Search as the Default Search Engine
- How a simple Linux kernel memory corruption bug can lead to complete system compromise
- CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware | CISA
- RCE Exploit for iOS 15.0.2 Safari Running on iPhone 13 Pro Acquired During the Tianfu Cup
- The Home Page of Donald Trump’s Website has been Defaced
- Several TV Broadcasts Interrupted as Sinclair Got Hit by a Ransomware Attack
- Known Ransomware Payments Grows 40% YoY in 2021
- Fraudsters Allegedly Used Deepfake Voice-Cloning to Authorized a $35M Transfer
- Apple Client-side Content Scanning Feature More Harmful Than Useful
- Thingiverse Data Leak (36GB worth of email addresses and 3D models)
- Former Twitch Engineers Says the Massive Leak isn’t Surprising
- Also AMD Zen CPUs Exhibit Meltdown Patterns, not Just Intel
- Abusing GitHub Actions to Bypass Code Reviews
- Two SGX Enclave SDKs Patched Against Info-disclosure Exploits
- MyKing Botnet (aka Smominru and DarkCloud) has been Active Since 2016
- Proton Launches Bug Bounty Program
- Microsoft Unaffected by a 2.4 Tbps DDoS Attack Against Azure
- Video Transcoding Pipelines Can be Exploited, Too
- Cloudflare launches Cloudflare Research Hub
-
Also Noteworthy
- FIN7 is now Running a New Fake Company to Recruit IT Specialists to Participate in Ransomware Attacks
- How the Direct-on-Receiver (DOR) Feature of Some Garage Door Openers Can be Abused
- Two Individuals Sentenced for Providing “Bulletproof Hosting” for Cybercriminals
- Chrome v95 Breaking Changes: No More FTP and Old U2F Keys
- New PurpleFox botnet variant uses WebSockets for C2 communication
- Advanced Spoofing of a Browser Fingerprint is Possible
- Google Disrupts a Phishing Campaign Targeting YouTubers
- Newly Found npm Malware Mines Cryptocurrency on Windows, Linux, macOS Devices
- DDoS Attacks Against Russian Firms Have Tripled in 2021
- Free decrypter released for BlackByte ransomware victims
- Mobile Malware Hides into Unofficial “Squid Game” Apps
- Accenture lost ‘proprietary information’ in summer ransomware attack
- Guessing a PIN From Hands' Micro Movements
- Ongoing Cyber Threats to U.S. Water and Wastewater Systems | CISA
- Missouri Governor vs. Responsible Vulnerability Disclosure
- OpenSea Fixes Vulnerabilities Reported by Check Point Research
- GitHub is Revoking Weak SSH Keys Generated by GitKraken
- FontOnLake: Previously unknown malware family targeting Linux
-
Tools
- Deepfence Releases ThreatMapper Open Source
- VMware Labs Releases an Open-source Attack Surface Watchdog
- Fuzz CPU Emulators to Find Logic Bugs in the Silicon!
- L0phtCrack is Now Open Source
- Pithus: An Open-source Mobile Threat Intelligence Platform
- Intel Labs Releases Open-source Debugging Tool to Detect Anomalous Patterns
- Acquisitions
Top Picks
Discord CDN Abused to Spread 27 Unique Malware Types
by Team RiskIQ**
Discord has been used by 140 million people just in 2021. RiskIQ has discovered that its CDN is being abused by cybercriminals to deploy malware files.
Edward Snowden Launches Global Encryption Day to Promote the Use of Strong Encryption
by Mike Butcher // TechCrunch
The Global Encryption Coalition promotes and defends encryption in key countries and multilateral fora where it is under threat. It also supports efforts by companies to offer encrypted services to their users.
WinRAR Trial is Affected by a Trivial Vulnerability Allowing RCE (CVE-2021-35052)
by Igor Sak-Sakovskiy // PT SWARM
The trial version of WinRAR is affected by a vulnerability that allows an attacker to intercept and modify requests sent to the user of the application and can be used to achieve remote code execution on a victim’s computer.
However, it seems that the CVE ID mentioned in the original blog post is not (yet?) correctly assigned to this vulnerability.
Trick or Treat: Ransomware Interrupts Production at US Candy Maker
by Lee Mathews // Forbes
Not many details available about this attack that took place on Oct 9th.
Brave Browser Enables Brave Search as the Default Search Engine
by Brave // Brave Browser
New Brave users will have the privacy-friendly Brave Search functionality in the Brave browser.
How a simple Linux kernel memory corruption bug can lead to complete system compromise
by Jarn Horn // Project Zero
A "straightforward Linux kernel locking bug" can lead to whole system compromise if not mitigated.
CISA, FBI, and NSA Release Joint Cybersecurity Advisory on BlackMatter Ransomware | CISA
by CISA**
Threat actors have been using BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization.
RCE Exploit for iOS 15.0.2 Safari Running on iPhone 13 Pro Acquired During the Tianfu Cup
by Davey Winder // Forbes
During the Tianfu Cup, the top-ranked team dropped a remote code execution exploit of the mobile Safari web browser running iOS 15.0.2 on the iPhone 13 Pro.
Other targets exploited during the contest include Windows 10, iOS 15, Ubuntu, and Chrome.
The Home Page of Donald Trump's Website has been Defaced
by Joseph Cox // Motherboard
RootAyyildiz told Motherboard in a Facebook message that they defaced the Trump site using Server Side Template Injection (SSTI), which is a technique where an attacker can put their own arbitrary code into a site's template. They said they had control over that part of the site for 3 months.
If you're curious, my colleagues and I did a research on web defacement.
Several TV Broadcasts Interrupted as Sinclair Got Hit by a Ransomware Attack
by Catalin Cimpanu // The Record by Recorded Future
Sinclair formally confirmed the ransomware attack a day after this initial report in SEC documents.
Known Ransomware Payments Grows 40% YoY in 2021
by Ian Talley // Wall Street Journal
Nearly $600 million in transactions were linked to possible ransomware payments in so-called Suspicious Activity Reports financial services firms filed to the U.S. government in the first six months of this year, according to a Treasury Department report. That is more than 40% more than the total for all of 2020.
Fraudsters Allegedly Used Deepfake Voice-Cloning to Authorized a $35M Transfer
by Thomas Brewster // Forbes
It’s only the second known case of fraudsters allegedly using voice-shaping tools to carry out a heist, but appears to have been far more successful than the first, in which fraudsters used the tech to impersonate a CEO of a U.K.-based energy firm in an attempt to steal $240,000 in 2019, according to the Wall Street Journal.
Apple Client-side Content Scanning Feature More Harmful Than Useful
by Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, Carmela Troncoso // arXiv:2110.07450 [cs]
The controversial and quickly retired client-side content scanning (CSS) feature by Apple creates serious security and privacy risks for all society, whereas the benefit it can provide for law enforcement is problematic.
Thingiverse Data Leak (36GB worth of email addresses and 3D models)
by Mihir Bagwe // Data Breach Today
A database backup taken from the 3D model sharing service Thingiverse began extensively circulating within the hacking community, dating back to October 2020.
Former Twitch Engineers Says the Massive Leak isn't Surprising
by Lorenzo Franceschi-Bicchierai // Motherboard
"This attack definitely had the characteristic of a minimally skilled adversary," he told Motherboard.
Also AMD Zen CPUs Exhibit Meltdown Patterns, not Just Intel
by Catalin Cimpanu // The Record by Recorded Future
Researchers have demonstrated that also the AMD Zen family of CPUs exibits Meltdown patterns, confirming the possibility of exploiting them for transient execution hijacking attacks, like in Intel CPUs.
Abusing GitHub Actions to Bypass Code Reviews
by Omer Gil // Cider Security
It's possible to abuse the unique token generated when each Actions workflow is run to authorized a push command to upload unreviewed code to a protected branch, bypassing reviews.
Two SGX Enclave SDKs Patched Against Info-disclosure Exploits
by Jinhua Cui, Jason Zhijingcheng Yu, Shweta Shinde, Prateek Saxena, Zhiping Cai // arXiv:2110.06657 [cs]
The vulnerability lies in how the exceptions are handled, allowing ROP-style exploitation leading to info disclosure of the data protected by the enclave.
As Catalin Cimpanu reminds us:
Over the past few years, we’ve seen similar attacks that broke SGX enclaves to retrieve data. Past examples include PlunderVolt, SgxSpectre, Foreshadow, BranchScope, Platypus, V0LTpwn, Game of Threads, AsyncShock, The Guard’s Dilemma, and Iago.
MyKing Botnet (aka Smominru and DarkCloud) has been Active Since 2016
by Jan RubĂn, Jakub KaloÄŤ // Avast Threat Labs
MyKing is a botnet that has been active since 2016, if not earlier. According to the research, the operators of MyKings have accumulated more than $24 million USD in Bitcoin, Ethereum, and Dogecoin cryptowallets.
Proton Launches Bug Bounty Program
by Proton Team // ProtonMail Blog
Proton, which recently publicly announced that "now they keep logs", has launched a bug bounty program in partnership with Bug Bounty Switzerland.
Microsoft Unaffected by a 2.4 Tbps DDoS Attack Against Azure
by Amir Dahan // Microsoft Blog
[Microsoft has] observed a 2.4 Tbps DDoS attack targeting an Azure customer in Europe. This is 140 percent higher than 2020’s 1 Tbps attack and higher than any network volumetric event previously detected on Azure.
Video Transcoding Pipelines Can be Exploited, Too
by Florian Mathieu // Keyboard Warrior
An independent researcher has accidentally discovered a vulnerability in YouTube video timestamp calculation, and was able to cook a 4MB video claimed to have 15 hours of footage. Google has acknowledged the contribution in their Hall of Fame.
Cloudflare launches Cloudflare Research Hub
by Vânia Gonçalves, Thomas Ristenpart // Cloudflare Blog
Cloudflare launches an academic-style research branch, inviting interns and visiting researchers to collaborate in research projects.
Also Noteworthy
FIN7 is now Running a New Fake Company to Recruit IT Specialists to Participate in Ransomware Attacks
by Gemini Advisory // Gemini Advisory Blog
FIN7’s decision to use a fake cybersecurity company to recruit IT specialists for its criminal activity is driven by FIN7’s desire for comparatively cheap, skilled labor. Bastion Secure’s job offers for IT specialist positions ranged between $800 and $1,200 USD a month.
How the Direct-on-Receiver (DOR) Feature of Some Garage Door Openers Can be Abused
by SĂ©bastien Dudek // Trend Micro Research
Using jamming and replaying signals, the research shows how to record a second remote into the receiver and keep permanent access.
Two Individuals Sentenced for Providing “Bulletproof Hosting” for Cybercriminals
by Office of Public Affairs // U.S. Department of Justice
Two Eastern European men were sentenced for providing “bulletproof hosting” services, which were used by cybercriminals between 2009 to 2015 to distribute malware and attack financial institutions and victims throughout the United States.
Chrome v95 Breaking Changes: No More FTP and Old U2F Keys
by Catalin Cimpanu // The Record by Recorded Future
Chrome v95 removes support for FTP (ftp://), old-gen U2F keys and few other breaking changes.
New PurpleFox botnet variant uses WebSockets for C2 communication
by Bill Toulas // BleepingComputer
The PurpleFox botnet has refreshed its arsenal with new vulnerability exploits and dropped payloads, now also leveraging WebSockets for C2 bidirectional communication.
Advanced Spoofing of a Browser Fingerprint is Possible
by Bill Toulas // BleepingComputer
Researchers from TAMU and UFL have demonstrated that it's possible to spoof a browser's activity to the point that state-of-the-art browser-fingerprinting techniques won't be able to tell the difference from the real, spoofed browser.
Google Disrupts a Phishing Campaign Targeting YouTubers
by Ashley Shen // Google Threat Analysis Group
Since 2019, Google’s Threat Analysis Group tracked and disrupted financially motivated phishing campaigns targeting YouTubers with cookie-stealing malware.
Newly Found npm Malware Mines Cryptocurrency on Windows, Linux, macOS Devices
by Sonatype Security Research Team // Sonatype Blog
Multiple malicious packages on the npm registry disguise themselves as legitimate JavaScript libraries, but were caught launching cryptominers on Windows, macOS and Linux machines.
DDoS Attacks Against Russian Firms Have Tripled in 2021
by Bill Toulas // BleepingComputer
In a report from Rostelecom, the largest telecommunications provider in Russia, September 2021 was recorded as the worst period for DDoS attacks again Russia in recent history.
During that time, threat actors launched 90% of all 2021 DDoS attacks analyzed in the report, a notable surge that also manifested in other regions.
Free decrypter released for BlackByte ransomware victims
by Catalin Cimpanu // The Record by Recorded Future
Trustwave has released on Friday a free utility that victims of the BlackByte ransomware can use to decrypt and restore their files without paying the ransom demand.
Mobile Malware Hides into Unofficial "Squid Game" Apps
by Thomas Brewster // Forbes
If you’re going crazy for Squid Game like the rest of the Netflix-watching world, you might be tempted to download an app based on the smash hit TV show. But beware: Developers have already managed to get malware masquerading as a Squid Game phone wallpaper app onto Google Play as hundreds of unofficial apps have hit the Android app store.
Accenture lost 'proprietary information' in summer ransomware attack
by Tim Starks // CyberScoop
Accenture has acknowledged in a filing to the Securities and Exchange Commission that outsiders extracted “proprietary information” in a cyber incident this summer.
Guessing a PIN From Hands' Micro Movements
by Bill Toulas // BleepingComputer
It’s possible to train a special-purpose deep-learning algorithm that can guess 4-digit card PINs 41% of the time, even if the victim is covering the pad with their hands (paper).
Ongoing Cyber Threats to U.S. Water and Wastewater Systems | CISA
by CISA // ICS Alert
Ransomware gangs have silently hit three US water and wastewater treatment facilities this year, in 2021, the US government said in a joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA.
Source: The Record
Missouri Governor vs. Responsible Vulnerability Disclosure
by Brian Krebs // Krebs on Security
Missouri Gov. Parson said he would seek to prosecute and investigate who reported a "leaky" web page of the Missouri state Department of Elementary and Secondary Education (DESE) that allowed anyone able to inspect the source code of the page to view teacher certifications, credentials, and over 100,000 SSNs.
OpenSea Fixes Vulnerabilities Reported by Check Point Research
by Mitchell Clark // The Verge
OpenSea has fixed vulnerabilities in its platform that could’ve let hackers steal someone’s crypto after sending them a maliciously crafted NFT. The issue was found by security firm Check Point Research, which noticed tweets from people claiming they were hacked after being gifted NFTs [...]
GitHub is Revoking Weak SSH Keys Generated by GitKraken
by Mike Hanley // The GitHub Blog
GitHub has revoked all keys generated by [the] vulnerable versions of the GitKraken client that were in use on GitHub.com, along with other potentially weak keys created by other clients that may have used the same vulnerable dependency.
FontOnLake: Previously unknown malware family targeting Linux
by ESET Research // WeLiveSecurity
ESET researchers have discovered a previously unknown malware family that utilizes custom and well-designed modules, targeting systems running Linux.
Tools
Deepfence Releases ThreatMapper Open Source
by Deepfence // GitHub
Deepfence ThreatMapper is a tool to monitor running applications, in cloud, Kubernetes, Docker, and fargate serverless.
VMware Labs Releases an Open-source Attack Surface Watchdog
by VMware Labs // GitHub
The Attack Source Framework (ASF) is a watchdog that, provided Domain, IP address or CIDR (Internal or External), will discover assets/subdomains, enumerate their ports and services, track deltas and serve as a continuous and flexible attacking and alerting framework leveraging an additional layer of support against 0 day vulnerabilities with publicly available POCs.
Fuzz CPU Emulators to Find Logic Bugs in the Silicon!
by Kostya Serebryany, Maxim Lifantsev, Konstantin Shtoyk, Doug Kwan**
That's what SiliFuzz does, and that's a pretty smart idea, because CPU emulators are typically developed around the specifications of the silicon CPU. Under this hypothesis, if a SiliFuzz fuzzer will find a bug in an emulator, it's worth looking for the same bug in the bare metal CPU!
L0phtCrack is Now Open Source
by @dildog**
L0phtCrack is no longer being sold. The current owners have no plans to sell licenses or support subscriptions for the L0phtCrack software. All sales have ceased as of July 1, 2021. Refunds for any subscription renewals after June 30, 2021 are being processed.
Pithus: An Open-source Mobile Threat Intelligence Platform
by @evilcel3ri**
Pithus brings transparency through clear and structured reports. Activists, journalists, NGOs, and any other technical community can easily generate these reports and leverage them to better understand the threat landscape.
Intel Labs Releases Open-source Debugging Tool to Detect Anomalous Patterns
by Niranjan Hasabnis, Justin Gottschlich // arXiv:2011.03616 [cs]
ControlFlag is a self-supervised idiosyncratic pattern detection system that learns typical patterns that occur in the control structures of high-level programming languages, such as C/C++, by mining these patterns from open-source repositories (on GitHub and other version control systems). It then applies learned patterns to detect anomalous patterns in user's code.
Acquisitions
Akamai Technologies Completes Acquisition of Guardicore
by October 21, 2021 // Dark Reading
[Akamai] has completed its acquisition of Guardicore of Tel Aviv, Israel. On September 29, Akamai announced an agreement between the two parties for Akamai to acquire the company in exchange for approximately $600 million.
Combination of McAfee Enterprise and FireEye Complete
by FireEye // FireEye Press Releases
McAfee Enterprise and FireEye today announced Symphony Technology Group (“STG”) has closed its sponsored acquisition of FireEye in an all-cash transaction totaling $1.2 billion. This transaction completes the combination of McAfee Enterprise with FireEye.