Oh oh oh!

I guess I’m a little early this year, but after having spent the Halloween weekend at home with no adequate trick or treating because of the rain, I’m really looking forward to the upcoming holiday season!

I don’t know about you, but I changed my business travel plans to make sure I’m back home to watch Home Sweet Home Alone with the family. I guess it’s a little too much 😂

You’ll notice that this week’s edition is pretty short, because I’m head down prepping for Black Hat Europe, where I’ll finally get to speak on a physical stage!

Here are some of the talks I’m planning to attend or re-watch:

• HTTP/2: The Sequel is Always Worse by James Kettle
• Who Did It - How We Attributed Campaigns of a Cyber Mercenary by Feike Hacquebord
• Lost in the Loader: The Many Faces of the Windows PE File Format by Dario Nisi, Mariano Graziano, Yanick Fratantonio, and Davide Balzarotti
• Embedding a Human-Centric Approach Into a Global Cyber Security Program by Kevin Jones (Airbus CISO)
• Clocking On (Keynote) by Adam Laurie
• Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021 with Daniel Cuthbert, Thomas Brandstetter, Meadow Ellis, James Kettle, and Marina Krotofil

And then, I think I can’t avoid “attending” the talk and panel I’m expected to speak at. Stay tuned, my colleagues and I will explain how we found 12 CVEs and 1 spec-level vulnerability affecting most of the DDS implementations, and what their impact is.

Thanks for reading this issue, big thanks to the subscribers, and bigger thanks to the new subscribers! 🙏

---

• Top Picks
  • MS Exchange Vulnerability (CVE-2021-36942) Exploited for Babuk Ransomware Campaign
  • Hiding (Trojan) Functionalities in Source Code Using Unicode Bidirectional Algorithm (CVE-2021-42574)
  • How Signal Responds to Law Enforcement Search Warrants
  • CWE Most Important Hardware Weaknesses
  • US CISA Publishes a Feed of Known Exploited Vulnerabilities
• Also Noteworthy
  • Identity of Cyber-espionage Gamaredon Group Members Revelaed by Ukraine
  • Vulnerability in GitLab (self-hosted) Exploited to Build a DDoS Botnet
  • Bots that Steal 2FA Codes are Being Sold in Underground Markets
  • State of Browser Fingerprinting Techniques and How to Bypass Them for Web Scraping
  • Ransomware Attack Against Toronto Transit System
  • Hive ransomware now encrypts Linux and FreeBSD systems
• Tools
  • EMBArk Web-based Firmware Security Scanning Environment
  • OpenVDP: Open Source Tool for Vulnerability Disclosure Programs

---

Top Picks

MS Exchange Vulnerability (CVE-2021-36942) Exploited for Babuk Ransomware Campaign

by Chetan Raghuprasad

Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware predominantly affecting users in the U.S. with smaller number of infections in U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand.

---

Hiding (Trojan) Functionalities in Source Code Using Unicode Bidirectional Algorithm (CVE-2021-42574)

by Ross Anderson

The Security Group of The University of Cambridge have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic, opening the potentially devastating possibility of introducing portions of source code that are invisible to the human eye, on all the major programming languages.

More details: here, here (Rust), paper, and code.

---

How Signal Responds to Law Enforcement Search Warrants

by Signal // Signal Messenger

Because everything in Signal is end-to-end encrypted by default, the broad set of personal information that is typically easy to retrieve in other apps simply doesn’t exist on Signal’s servers. Once again, this request sought a wide variety of information we don’t have, including the user’s name, address, correspondence, contacts, groups, call records.

Also covered by ZDNet in a less technical way.

---

CWE Most Important Hardware Weaknesses

by MITRE

The goal of this “first of its kind” list is to drive awareness of common hardware weaknesses.

• CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
• CWE-1191 On-Chip Debug and Test Interface With Improper Access Control
• CWE-1231 Improper Prevention of Lock Bit Modification
• CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
• CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation
• CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State
• CWE-1256 Improper Restriction of Software Interfaces to Hardware Features
• CWE-1260 Improper Handling of Overlap Between Protected Memory Ranges
• CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition
• CWE-1274 Improper Access Control for Volatile Memory Containing Boot Code
• CWE-1277 Firmware Not Updateable
• CWE-1300 Improper Protection of Physical Side Channels

---

US CISA Publishes a Feed of Known Exploited Vulnerabilities

by CISA // CISA

CISA will update this catalog with additional exploited vulnerabilities as they become known.

A great complement to Google P0’s 0day in the wild spreadsheet.

---

Also Noteworthy

Identity of Cyber-espionage Gamaredon Group Members Revelaed by Ukraine

by Catalin Cimpanu // The Record by Recorded Future

The Ukrainian Security Service (SSU) has revealed the real identities of 5 members of the Gamaredon cyber-espionage group, linking its members to the Crimean branch of the Russian Federal Security Service (FSB).

---

Vulnerability in GitLab (self-hosted) Exploited to Build a DDoS Botnet

Threat actors are exploiting a security flaw in GitLab self-hosted servers to assemble botnets and launch gigantic distributed denial of service (DDoS) attacks, with some in excess of 1 terabit per second (Tbps).

---

Bots that Steal 2FA Codes are Being Sold in Underground Markets

Unexpectedly, as we increasingly rely on 2FA to secure our communications, they become an attractive and lucrative target.

The bots convincingly and effortlessly help hackers break into Coinbase, Amazon, PayPal, and bank accounts.

---

State of Browser Fingerprinting Techniques and How to Bypass Them for Web Scraping

by Niespod Dariusz // GitHub

---

Ransomware Attack Against Toronto Transit System

by Tim Starks // CyberScoop

Online services for communicating with vehicle operators, information platform screens, trip-planning apps, the commission’s website, an online booking portal and internal email messaging were among the affected systems.

---

Hive ransomware now encrypts Linux and FreeBSD systems

by Sergiu Gatlan // BleepingComputer

ESET has identified Linux and FreeBSD variants of the Hive ransomware, written in Golang with gobfuscate’d strings and package names.

---

Tools

EMBArk Web-based Firmware Security Scanning Environment

A new web-based tool for firmware scanning joins the list, together with FwAnalyzer by Cruise Automation and Firmadyne by BU.

Watch a demo of EMBArk here.

---

OpenVDP: Open Source Tool for Vulnerability Disclosure Programs

by parikhakshat // GitHub

OpenVDP is a full stack web application that provides organizations with an easy way to recieve security advice. It is a bug tracking/reporting application for organizations and security researchers.

IMHO it can’t compete with tools like VINCE, but it’s certainly a useful tool for small realms that need to manage vulnerabilities.

---

CyberFacts Weekly is a digest of my hand-picked readings from the cyber-security world.

CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.

If you like it, consider subscribing or forwarding this email to peers and friends. If newsletters aren’t really your thing, maybe you’d prefer to follow the @CyberFactsIT Twitter account, which I use to publish the real-time feed of my selected readings (also available via RSS).

Hope you enjoyed this issue…and see you reading the next one! 🙃

Thanks! Cheers, Fede