Malware Devil

Monday, May 31, 2021

ARMORY: Fully Automated and Exhaustive Fault Simulation on ARM-M Binaries

The post ARMORY: Fully Automated and Exhaustive Fault Simulation on ARM-M Binaries appeared first on Malware Devil.



https://malwaredevil.com/2021/05/31/armory-fully-automated-and-exhaustive-fault-simulation-on-arm-m-binaries/?utm_source=rss&utm_medium=rss&utm_campaign=armory-fully-automated-and-exhaustive-fault-simulation-on-arm-m-binaries

The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs

https://malwaredevil.com/2021/05/31/the-unpatchable-silicon-a-full-break-of-the-bitstream-encryption-of-xilinx-7-series-fpgas/?utm_source=rss&utm_medium=rss&utm_campaign=the-unpatchable-silicon-a-full-break-of-the-bitstream-encryption-of-xilinx-7-series-fpgas

SPFA: SFA on Multiple Persistent Faults

https://malwaredevil.com/2021/05/31/spfa-sfa-on-multiple-persistent-faults/?utm_source=rss&utm_medium=rss&utm_campaign=spfa-sfa-on-multiple-persistent-faults

Sunday, May 30, 2021

A Road to a Consistent Encryption Strategy

Unlike the rest of the world, adoption of enterprise-wide encryption strategies has not grown in the Middle East, in fact…

The post A Road to a Consistent Encryption Strategy appeared first on Entrust Blog.

The post A Road to a Consistent Encryption Strategy appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/30/a-road-to-a-consistent-encryption-strategy/?utm_source=rss&utm_medium=rss&utm_campaign=a-road-to-a-consistent-encryption-strategy

Lest We Forget, All Gave Some, Some Gave All

The post Lest We Forget, All Gave Some, Some Gave All appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/30/lest-we-forget-all-gave-some-some-gave-all/?utm_source=rss&utm_medium=rss&utm_campaign=lest-we-forget-all-gave-some-some-gave-all

BSides Canberra 2021 – Sean Yeoh’s, Patrick Mortensen’s, Michael Gianarakis’ And Shubham Shah’s ‘Context Aware Content Discovery: The Natural Evolution’

Thanks to BSides Canberra for publishing their outstanding videos on the organization’s YouTube channel. Enjoy!

The post BSides Canberra 2021 – Sean Yeoh’s, Patrick Mortensen’s, Michael Gianarakis’ And Shubham Shah’s ‘Context Aware Content Discovery: The Natural Evolution’ appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/30/bsides-canberra-2021-sean-yeohs-patrick-mortensens-michael-gianarakis-and-shubham-shahs-context-aware-content-discovery-the-natural-evolution/?utm_source=rss&utm_medium=rss&utm_campaign=bsides-canberra-2021-sean-yeohs-patrick-mortensens-michael-gianarakis-and-shubham-shahs-context-aware-content-discovery-the-natural-evolution

Memorial Day Weekend Plans?

Behold: Dave Granlund’s superb editorial cartoonery, courtesy of PoliticalCartoons, via Cagle Post

The post Memorial Day Weekend Plans? appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/30/memorial-day-weekend-plans/?utm_source=rss&utm_medium=rss&utm_campaign=memorial-day-weekend-plans

Video: Cobalt Strike & DNS – Part 1, (Sun, May 30th)

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.

This can be tested with a simple DNS TXT query:

The content of this TXT record contains the start of a Cobalt Strike beacon, encoded with Netbios Name encoding. I recently published an update to my base64dump.py tool to handle this encoding.

In the following video, I show how to use my new, quick & dirty tool (cs-dns-stager.py) to retrieve all the DNS TXT records that make up the encoded beacon, how to decode it with base64dump, and how to extract the config with my 1768.py tool.
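As an added illustration (not Didier's base64dump.py or cs-dns-stager.py, and not code from the diary), a small codec for the NetBIOS name encoding the diary says the TXT record content uses, run over a constructed sample rather than a real record:

```python
# NetBIOS first-level name encoding (RFC 1001, section 14.1): every input byte
# becomes two letters, one per nibble, by adding the nibble value to 'A'.
# The alphabet is therefore exactly 'A'..'P'.
ALPHABET = "ABCDEFGHIJKLMNOP"


def netbios_encode(data: bytes) -> str:
    """Encode raw bytes into the 'A'..'P' NetBIOS name alphabet."""
    return "".join(ALPHABET[b >> 4] + ALPHABET[b & 0x0F] for b in data)


def netbios_decode(text: str) -> bytes:
    """Decode NetBIOS name encoding back to bytes.

    Raises ValueError on odd length or characters outside 'A'..'P', so a
    TXT record that is not NetBIOS-encoded is rejected rather than misread.
    """
    if len(text) % 2:
        raise ValueError("NetBIOS-encoded data must have even length")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        if hi not in ALPHABET or lo not in ALPHABET:
            raise ValueError(f"invalid NetBIOS characters {hi!r}{lo!r}")
        out.append((ALPHABET.index(hi) << 4) | ALPHABET.index(lo))
    return bytes(out)


def decode_txt_records(records: list) -> bytes:
    """Concatenate the payload carried by a sequence of TXT record strings
    (the diary describes the beacon as split over several records).
    Assumption: records are supplied in the order they should be joined."""
    return b"".join(netbios_decode(r) for r in records)


# Constructed sample: an 8-byte payload split over two records. This is not a
# real Cobalt Strike record; it only exercises the codec.
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00"
SAMPLE_RECORDS = [netbios_encode(SAMPLE_PAYLOAD[:4]),
                  netbios_encode(SAMPLE_PAYLOAD[4:])]

if __name__ == "__main__":
    print(SAMPLE_RECORDS)                                        # ['ENFKJAAA', 'ADAAAAAA']
    print(decode_txt_records(SAMPLE_RECORDS) == SAMPLE_PAYLOAD)  # True
```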


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Read More

https://malwaredevil.com/2021/05/30/video-cobalt-strike-dns-part-1-sun-may-30th/?utm_source=rss&utm_medium=rss&utm_campaign=video-cobalt-strike-dns-part-1-sun-may-30th

BSides Canberra 2021 – Jayden Rivers’ ‘Attacking The TCache In GLibc 2.32’

Thanks to BSides Canberra for publishing their outstanding videos on the organization’s YouTube channel. Enjoy!

The post BSides Canberra 2021 – Jayden Rivers’ ‘Attacking The TCache In GLibc 2.32’ appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/30/bsides-canberra-2021-jayden-rivers-attacking-the-tcache-in-glibc-2-32/?utm_source=rss&utm_medium=rss&utm_campaign=bsides-canberra-2021-jayden-rivers-attacking-the-tcache-in-glibc-2-32

Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th)

New versions of Sysinternals’ tools Procmon, Sysmon, TcpView and Process Explorer were released.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

https://malwaredevil.com/2021/05/30/sysinternals-procmon-sysmon-tcpview-and-process-explorer-update-sun-may-30th/?utm_source=rss&utm_medium=rss&utm_campaign=sysinternals-procmon-sysmon-tcpview-and-process-explorer-update-sun-may-30th

YARA Release v4.1.1, (Sun, May 30th)

YARA version 4.1.1 was released.

This is a bug fix release.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

https://malwaredevil.com/2021/05/30/yara-release-v4-1-1-sun-may-30th/?utm_source=rss&utm_medium=rss&utm_campaign=yara-release-v4-1-1-sun-may-30th

Google Analytics Gets New Security Feature

Based on current trends, marketers are going to have to get used to operating in a world without cookies. In light of that, Google has recently made some significant changes to Google Analytics designed to help marketers live and ultimately thrive in that world.

Back in October 2020, the company rolled out the first significant update to their analytics platform in nearly a decade, an outgrowth of Google’s significant investments in machine learning. This latest update builds on that earlier one with new features designed to help marketers evolve, given the changing landscape.

On the privacy front, Google plans to extend its machine learning models to behavioral reporting on the Analytics platform. In User Acquisition, for instance, machine learning models will seek to fill in any gaps in the numbers of new users a campaign has acquired. This is in a bid to allow marketers to track customer journeys without the need for cookies.

Vidhya Srinivasan, the VP of Engineering for Google Ads, had this to say about the coming changes:

“Now’s the time to adopt new privacy-safe techniques to ensure your measurement remains accurate and actionable. And while this can seem daunting, we’re here to help you succeed in a world with fewer cookies and other identifiers with new ways to respect user consent, measure conversions and unlock granular insights from your sites and apps.”

Since 2005, Google Analytics has been the industry standard, and is a tool that marketers all over the world rely on.

Google itself has pushed hard for increased user privacy and for ultimately doing away with cookies. Here, they’re clearly attempting to thread a needle, keeping users happy, while simultaneously keeping Google Analytics relevant in the years ahead. It is a daunting task, but if any company can do it, Google can.

Used with permission from Article Aggregator

https://malwaredevil.com/2021/05/29/google-analytics-gets-new-security-feature/?utm_source=rss&utm_medium=rss&utm_campaign=google-analytics-gets-new-security-feature

Saturday, May 29, 2021

BSides Canberra 2021 – Christopher Vella’s ‘Easy LPEs And Common Software Vulnerabilities’

Thanks to BSides Canberra for publishing their outstanding videos on the organization’s YouTube channel. Enjoy!

The post BSides Canberra 2021 – Christopher Vella’s ‘Easy LPEs And Common Software Vulnerabilities’ appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/29/bsides-canberra-2021-christopher-vellas-easy-lpes-and-common-software-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=bsides-canberra-2021-christopher-vellas-easy-lpes-and-common-software-vulnerabilities

Spear-phishing Email Targeting Outlook Mail Clients , (Sat, May 29th)

In February I posted about spam pretending to be an Outlook version update [1], and for the past several weeks I have been receiving spear-phishing emails that pretend to come from Microsoft Outlook, asking me to “Sign in to verify” my account, accept new terms of service, install a new version, etc. There have also been some reports this week about a large ongoing spear-phishing campaign [2][3] that are worth reading. Here are some samples, which always include a sense of urgency to log in as soon as possible:

It is always a good idea to verify the source email (From, To, text for errors and URL) and to hover the mouse cursor over the link to verify the embedded URL before clicking on it. Better yet, simply log in to the website using a trusted URL. Being careful always pays off.

Indicator of Compromise

microsoft.mntl.format[.]com
microsoft123.bookmark[.]com
server-update.vpxe[.]com
website409819.nicepage[.]io
sfjksdd.weebly[.]com

[1] https://isc.sans.edu/forums/diary/Pretending+to+be+an+Outlook+Version+Update/27144/
[2] https://us-cert.cisa.gov/ncas/current-activity/2021/05/28/joint-cisa-fbi-cybersecurity-advisory-sophisticated-spearphishing
[3] https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
[4] https://www.sans.org/security-awareness-training/resources/posters/dont-get-hooked (Poster)
[5] https://www.youtube.com/watch?v=sEMrBKmUTPE (SANS Security Awareness: Email and Phishing)
[6] https://www.canada.ca/en/revenue-agency/corporate/security/protect-yourself-against-fraud.html
[7] https://www.irs.gov/newsroom/tax-scams-consumer-alerts
[8] https://ec.europa.eu/taxation_customs/node/1029_en
[9] https://www.gov.uk/government/organisations/hm-revenue-customs/contact/reporting-fraudulent-emails
[10] https://isc.sans.edu/forums/diary/Malware+Analysis+with+elasticagent+and+Microsoft+Sandbox/27248/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

https://malwaredevil.com/2021/05/29/spear-phishing-email-targeting-outlook-mail-clients-sat-may-29th/?utm_source=rss&utm_medium=rss&utm_campaign=spear-phishing-email-targeting-outlook-mail-clients-sat-may-29th

XKCD ‘Astronomy Status Board’

via the comic delivery system monikered Randall Munroe resident at XKCD!

The post XKCD ‘Astronomy Status Board’ appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/29/xkcd-astronomy-status-board/?utm_source=rss&utm_medium=rss&utm_campaign=xkcd-astronomy-status-board

Using Fake Reviews to Find Dangerous Extensions

Fake, positive reviews have infiltrated nearly every corner of life online these days, confusing consumers while offering an unwelcome advantage to fraudsters and sub-par products everywhere. Happily, identifying and tracking these fake reviewer accounts is often the easiest way to spot scams. Here’s the story of how bogus reviews on a counterfeit Microsoft Authenticator browser extension exposed dozens of other extensions that siphoned personal and financial data.

Comments on the fake Microsoft Authenticator browser extension show the reviews for these applications are either positive or very negative — basically calling it out as a scam. Image: chrome-stats.com.

After hearing from a reader about a phony Microsoft Authenticator extension that appeared on the Google Chrome Store, KrebsOnSecurity began looking at the profile of the account that created it. There were a total of five reviews on the extension before it was removed: Three Google users gave it one star, warning people to stay far away from it; but two of the reviewers awarded it between three and four stars.

“It’s great!,” the Google account Theresa Duncan enthused, improbably. “I’ve only had very occasional issues with it.”

“Very convenient and handing,” assessed Anna Jones, incomprehensibly.

Google’s Chrome Store said the email address tied to the account that published the knockoff Microsoft extension also was responsible for one called “iArtbook Digital Painting.” Before it was removed from the Chrome Store, iArtbook had garnered just 22 users and three reviews. As with the knockoff Microsoft extension, all three reviews were positive, and all were authored by accounts with first and last names, like Megan Vance, Olivia Knox, and Alison Graham.

Google’s Chrome Store doesn’t make it easy to search by reviewer. For that I turned to Hao Nguyen, the developer behind chrome-stats.com, which indexes and makes searchable a broad array of attributes about extensions available from Google.

Looking at the Google accounts that left positive reviews on both the now-defunct Microsoft Authenticator and iArtbook extensions, KrebsOnSecurity noticed that each left positive reviews on a handful of other extensions that have since been removed.

Reviews on the iArtbook extension were all from apparently fake Google accounts that each reviewed two other extensions, one of which was published by the same developer. This same pattern was observed across 45 now-defunct extensions.

Like an ever-expanding Venn diagram, reviewing the extensions commented on by each new fake reviewer led to the discovery of even more phony reviewers and extensions. In total, roughly 24 hours’ worth of digging through chrome-stats.com unearthed more than 100 positive reviews on a network of patently fraudulent extensions.

Those reviews in turn led to the relatively straightforward identification of:

- 39 reviewers who were happy with extensions that spoofed major brands and requested financial data
- 45 malicious extensions that collectively had close to 100,000 downloads
- 25 developer accounts tied to multiple banned applications

The extensions spoofed a range of consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon. Scouring the manifests for each of these other extensions in turn revealed that many of the same developers were tied to multiple apps being promoted by the same phony Google accounts.

Some of the fake extensions have only a handful of downloads, but most have hundreds or thousands. A fake Microsoft Teams extension attracted 16,200 downloads in the roughly two months it was available from the Google store. A counterfeit version of CapCut, a professional video editing software suite, claimed nearly 24,000 downloads over a similar time period.

More than 16,000 people downloaded a fake Microsoft Teams browser extension over the roughly two months it was available for download from the Google Chrome store.

Unlike malicious browser extensions that can turn your PC into a botnet or harvest your cookies, none of the extensions examined here request any special permissions from users. Once installed, however, they invariably prompt the user to provide personal and financial data — all the while pretending to be associated with major brand names.

In some cases, the fake reviewers and phony extension developers used in this scheme share names, such as the case with “brook ice,” the Google account that positively reviewed the malicious Adobe and Microsoft Teams extensions. The email address brookice100@gmail.com was used to register the developer account responsible for producing two of the phony extensions examined in this review (PhotoMath and Dollify).

Some of the data that informed this report. The full spreadsheet is available as a link at the end of the story.

As we can see from the spreadsheet snippet above, many of the Google accounts that penned positive reviews on patently bogus extensions left comments on multiple apps on the same day.

Additionally, Google’s account recovery tools indicate many different developer email addresses tied to extensions reviewed here share the same recovery email — suggesting a relatively few number of anonymous users are controlling the entire scheme. When the spreadsheet data shown above is sorted by email address of the extension developer, the grouping of the reviews by date becomes even clearer.

KrebsOnSecurity shared these findings with Google and will update this story in the event they respond. Either way, Google somehow already detected all of these extensions as fraudulent and removed them from its store.

However, there may be a future post here about how long that bad extension identification and removal process has taken over time. Overall, most of these extensions were available for two to three months before being taken down.

As for the “so what?” here? I performed this research mainly because I could, and I thought it was interesting enough to share. Also, I got fascinated with the idea that finding fake applications might be as simple as identifying and following the likely fake reviewers. I’m positive there is more to this network of fraudulent extensions than is documented here.

As this story illustrates, it pays to be judicious about installing extensions. Leaving aside these extensions which are outright fraudulent, so many legitimate extensions get abandoned or sold each year to shady marketers that it’s wise to only trust extensions that are actively maintained (and perhaps have a critical mass of users that would make noise if anything untoward happened with the software).

According to chrome-stats.com, the majority of extensions — more than 100,000 of them — are effectively abandoned by their authors, or haven’t been updated in more than two years. In other words, there are a great many developers who are likely to be open to someone else buying up their creation along with their user base.

The data that informed this report is searchable in this Google spreadsheet.

https://malwaredevil.com/2021/05/29/using-fake-reviews-to-find-dangerous-extensions/?utm_source=rss&utm_medium=rss&utm_campaign=using-fake-reviews-to-find-dangerous-extensions

BSides Canberra 2021 – Alex’s ‘Finding Tony Abbott’s Passport Number And Entering The Do Not Get Arrested Challenge 2020’

Thanks to BSides Canberra for publishing their outstanding videos on the organization’s YouTube channel. Enjoy!

The post BSides Canberra 2021 – Alex’s ‘Finding Tony Abbott’s Passport Number And Entering The Do Not Get Arrested Challenge 2020’ appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/29/bsides-canberra-2021-alexs-finding-tony-abbotts-passport-number-and-entering-the-do-not-get-arrested-challenge-2020/?utm_source=rss&utm_medium=rss&utm_campaign=bsides-canberra-2021-alexs-finding-tony-abbotts-passport-number-and-entering-the-do-not-get-arrested-challenge-2020

Researchers Demonstrate 2 New Hacks to Modify Certified PDF Documents

Cybersecurity researchers have disclosed two new attack techniques on certified PDF documents that could potentially enable an attacker to alter a document’s visible content by displaying malicious content over the certified content without invalidating its signature.

“The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels,” said researchers from Ruhr-University Bochum, who have systematically analyzed the security of the PDF specification over the years.

The findings were presented at the 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021) held this week.

The two attacks — dubbed Evil Annotation and Sneaky Signature attacks — hinge on manipulating the PDF certification process by exploiting flaws in the specification that governs the implementation of digital signatures (aka approval signature) and its more flexible variant called certification signatures.

Certification signatures also allow different subsets of modifications on the PDF document based on the permission level set by the certifier, including the ability to write text to specific form fields, provide annotations, or even add multiple signatures.

The Evil Annotation Attack (EAA) works by modifying a certified document that’s provisioned to insert annotations to include an annotation containing malicious code, which is then sent to the victim. On the other hand, the idea behind the Sneaky Signature attack (SSA) is to manipulate the appearance by adding overlaying signature elements to a document that allows filling out form fields.

“By inserting a signature field, the signer can define the exact position of the field, and additionally its appearance and content,” the researchers said. “This flexibility is necessary since each new signature could contain the signer’s information. The information can be a graphic, a text, or a combination of both. Nevertheless, the attacker can misuse the flexibility to stealthily manipulate the document and insert new content.”

In a hypothetical attack scenario detailed by the academics, a certifier creates a certified contract with sensitive information while enabling the option to add further signatures to the PDF contract. By taking advantage of these permissions, an attacker can modify the contents of the document, say, to display an International Bank Account Number (IBAN) under their control and fraudulently transfer funds, as the victim, unable to detect the manipulation, accepts the tampered contract.

15 of 26 PDF applications evaluated by the researchers, counting Adobe Acrobat Reader (CVE-2021-28545 and CVE-2021-28546), Foxit Reader (CVE-2020-35931), and Nitro Pro, were found vulnerable to the EAA attack, enabling an attacker to change the visible content in the document. Soda PDF Desktop, PDF Architect, and six other applications were identified as susceptible to SSA attacks.

More troublingly, the study revealed that it’s possible to execute high-privileged JavaScript code — e.g., redirect the user to a malicious website — in Adobe Acrobat Pro and Reader by sneaking such code via EAA and SSA as an incremental update to the certified document. The weakness (CVE-2020-24432) was addressed by Adobe as part of its Patch Tuesday update for November 2020.

To fend off such attacks, the researchers recommend prohibiting FreeText, Stamp, and Redact annotations as well as ensuring that signature fields are set up at defined locations in the PDF document prior to certification, alongside penalizing any subsequent addition of signature fields with an invalid certification status. The researchers have also created a Python-based utility called PDF-Detector, which parses certified documents to highlight any suspicious elements found in the PDF document.

“Although neither EAA nor SSA can change the content itself – it always remains in the PDF – annotations and signature fields can be used as an overlay to add new content,” the researchers said. “Victims opening the PDF are unable to distinguish these additions from regular content. And even worse: annotations can embed high privileged JavaScript code that is allowed to be added to certain certified documents.”
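As an added, constructed illustration of the checks the researchers recommend (this is not PDF-Detector and not the researchers' code), a heuristic scanner that splits a PDF into its incremental-update revisions and flags, in any revision after the certified one, the annotation subtypes named above and newly added signature fields; it also reads the DocMDP permission level the certifier set. The sample PDF bytes are minimal constructions without xref tables, and the scanner only sees uncompressed objects, not object streams.

```python
import re

# Annotation subtypes the researchers recommend prohibiting in certified
# documents: each can draw an overlay on top of the certified content.
FORBIDDEN_ANNOTS = (b"FreeText", b"Stamp", b"Redact")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
FT_SIG_RE = re.compile(rb"/FT\s*/Sig\b")
DOCMDP_P_RE = re.compile(rb"/TransformMethod\s*/DocMDP.*?/P\s+(\d)", re.S)


def split_revisions(pdf: bytes) -> list:
    """Split a PDF at each %%EOF: chunk 0 is the original (certified) file,
    every later chunk is one incremental update appended after it."""
    return [chunk for chunk in pdf.split(b"%%EOF") if chunk.strip()]


def docmdp_permission(pdf: bytes):
    """DocMDP /P level of the certification signature (None if absent):
    1 = no changes, 2 = form filling and signing, 3 = level 2 plus annotations."""
    m = DOCMDP_P_RE.search(pdf)
    return int(m.group(1)) if m else None


def scan_certified_pdf(pdf: bytes) -> list:
    """Flag objects in incremental updates that EAA/SSA rely on: overlay
    annotations and signature fields that did not exist at certification time.
    Returns (revision_index, object_number, reason) tuples."""
    findings = []
    for rev_index, body in enumerate(split_revisions(pdf)[1:], start=1):
        for num, _gen, content in OBJ_RE.findall(body):
            m = SUBTYPE_RE.search(content)
            subtype = m.group(1) if m else b""
            if subtype in FORBIDDEN_ANNOTS:
                findings.append((rev_index, int(num),
                                 "overlay annotation /" + subtype.decode()))
            if FT_SIG_RE.search(content):
                findings.append((rev_index, int(num),
                                 "signature field added after certification"))
    return findings


# Constructed sample: a certified document (DocMDP P=3, so annotations and
# further signatures are permitted) with one signature field present before
# certification. No xref table; the scanner does not need one.
CERTIFIED = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Widget /FT /Sig /T (CertSig) /V 5 0 R >> endobj\n"
    b"5 0 obj << /Type /Sig /Reference [<< /TransformMethod /DocMDP"
    b" /TransformParams << /P 3 >> >>] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Incremental update in the shape of an Evil Annotation: a FreeText overlay.
EAA_UPDATE = (
    b"6 0 obj << /Type /Annot /Subtype /FreeText /Rect [100 100 300 130]"
    b" /Contents (overlay text) >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Incremental update in the shape of a Sneaky Signature: a new signature
# field whose appearance can cover existing content.
SSA_UPDATE = (
    b"7 0 obj << /Type /Annot /Subtype /Widget /FT /Sig /T (Sig2)"
    b" /Rect [100 100 300 130] >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 7 0 R] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, doc in (("certified only", CERTIFIED),
                      ("plus EAA-style update", CERTIFIED + EAA_UPDATE),
                      ("plus SSA-style update", CERTIFIED + SSA_UPDATE)):
        print(name, "P =", docmdp_permission(doc), scan_certified_pdf(doc))
```

A finding is a reason to inspect, not proof of tampering: a legitimately added approval signature also shows up as a signature field appended after certification.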

https://malwaredevil.com/2021/05/29/researchers-demonstrate-2-new-hacks-to-modify-certified-pdf-documents-2/?utm_source=rss&utm_medium=rss&utm_campaign=researchers-demonstrate-2-new-hacks-to-modify-certified-pdf-documents-2

Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices

Cybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures (TTPs) adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells and exfiltrate sensitive information from enterprise networks.

FireEye’s Mandiant threat intelligence team, which is tracking the cyber espionage activity under two activity clusters UNC2630 and UNC2717, said the intrusions line up with key Chinese government priorities, adding “many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan.”

On April 20, the cybersecurity firm disclosed 12 different malware families, including STEADYPULSE and LOCKPICK, that have been designed with the express intent to infect Pulse Secure VPN appliances and put to use by at least two cyber espionage groups believed to be affiliated with the Chinese government.

UNC2630 – SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK
UNC2717 – HARDPULSE, QUIETPULSE, and PULSEJUMP

FireEye’s continued investigation into the attacks as part of its incident response efforts has uncovered four more malware families deployed by UNC2630 — BLOODMINE, BLOODBANK, CLEANPULSE, and RAPIDPULSE — for purposes of harvesting credentials and sensitive system data, allowing arbitrary file execution, and removing forensic evidence.

In addition, the threat actors were also observed removing the web shells ATRIUM and SLIGHTPULSE from dozens of compromised VPN devices between April 17 and April 20, which the researchers describe as “unusual,” suggesting “this action displays an interesting concern for operational security and a sensitivity to publicity.”

At the heart of these intrusions lies CVE-2021-22893, a recently patched vulnerability in Pulse Secure VPN devices that the adversaries exploited to gain an initial foothold on the target network. From there they stole credentials, escalated privileges, conducted internal reconnaissance by moving laterally across the network, maintained long-term persistent access, and accessed sensitive data.

“Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration,” the researchers said. “They also demonstrate a deep understanding of network appliances and advanced knowledge of a targeted network. This tradecraft can make it difficult for network defenders to establish a complete list of tools used, credentials stolen, the initial intrusion vector, or the intrusion start date.”

https://malwaredevil.com/2021/05/29/chinese-cyber-espionage-hackers-continue-to-target-pulse-secure-vpn-devices-4/?utm_source=rss&utm_medium=rss&utm_campaign=chinese-cyber-espionage-hackers-continue-to-target-pulse-secure-vpn-devices-4

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...