🔓 [CyberFacts Weekly - Issue 0x05] It's (Almost) the Season to be Jolly 🎅
Hiding Trojan Source Code via Unicode Tricks / CISA’s Known Exploited Vulnerabilities Feed / CWE Most Important Hardware Weaknesses / How Signal Responds to Law Enforcement Search Warrants / Exchange Vuln. Exploited by Babuk Ransomware Campaign
Oh oh oh!
I guess I’m a little early this year, but after having spent the Halloween weekend at home with no adequate trick or treating because of the rain, I’m really looking forward to the upcoming holiday season!
I don’t know about you, but I changed my business travel plans to make sure I’m back home to watch Home Sweet Home Alone with the family. I guess it’s a little too much 😂
You’ll notice that this week’s edition is pretty short, because I’m head down prepping for Black Hat Europe, where I’ll finally get to speak on a physical stage!
Here are some of the talks I’m planning to attend or re-watch:
- HTTP/2: The Sequel is Always Worse by James Kettle
- Who Did It - How We Attributed Campaigns of a Cyber Mercenary by Feike Hacquebord
- Lost in the Loader: The Many Faces of the Windows PE File Format by Dario Nisi, Mariano Graziano, Yanick Fratantonio, and Davide Balzarotti
- Embedding a Human-Centric Approach Into a Global Cyber Security Program by Kevin Jones (Airbus CISO)
- Clocking On (Keynote) by Adam Laurie
- Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021 with Daniel Cuthbert, Thomas Brandstetter, Meadow Ellis, James Kettle, and Marina Krotofil
And then, I think I can’t avoid “attending” the talk and panel I’m expected to speak at. Stay tuned, my colleagues and I will explain how we found 12 CVEs and 1 spec-level vulnerability affecting most of the DDS implementations, and what their impact is.
Thanks for reading this issue, big thanks to the subscribers, and bigger thanks to the new subscribers! 🙏
-
Top Picks
- MS Exchange Vulnerability (CVE-2021-36942) Exploited for Babuk Ransomware Campaign
- Hiding (Trojan) Functionalities in Source Code Using Unicode Bidirectional Algorithm (CVE-2021-42574)
- How Signal Responds to Law Enforcement Search Warrants
- CWE Most Important Hardware Weaknesses
- US CISA Publishes a Feed of Known Exploited Vulnerabilities
-
Also Noteworthy
- Identity of Cyber-espionage Gamaredon Group Members Revealed by Ukraine
- Vulnerability in GitLab (self-hosted) Exploited to Build a DDoS Botnet
- Bots that Steal 2FA Codes are Being Sold in Underground Markets
- State of Browser Fingerprinting Techniques and How to Bypass Them for Web Scraping
- Ransomware Attack Against Toronto Transit System
- Hive ransomware now encrypts Linux and FreeBSD systems
- Tools
Top Picks
MS Exchange Vulnerability (CVE-2021-36942) Exploited for Babuk Ransomware Campaign
by Chetan Raghuprasad
Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware, predominantly affecting users in the U.S. with a smaller number of infections in the U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand.
Hiding (Trojan) Functionalities in Source Code Using Unicode Bidirectional Algorithm (CVE-2021-42574)
by Ross Anderson
The Security Group of the University of Cambridge has discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic, opening the potentially devastating possibility of introducing portions of source code that are invisible to the human eye, in all the major programming languages.
More details: here, here (Rust), paper, and code.
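Since the attack relies on Unicode bidirectional control characters that editors render but compilers ignore, the cheapest defence is to refuse them in source at review or CI time. The scanner below is an added example (not from the newsletter or the Trojan Source paper); the sample input is constructed for illustration.

```python
# Added example: flag Unicode bidirectional control characters in source text,
# the character class the Trojan Source attack (CVE-2021-42574) relies on.
import unicodedata

# Bidi formatting characters that can reorder how a line is displayed:
# LRE/RLE/PDF, LRO/RLO and the isolate controls LRI/RLI/FSI/PDI.
# Outside of string literals holding right-to-left text, they have no
# legitimate place in source code.
BIDI_CONTROLS = {
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # LRE RLE PDF LRO RLO
    0x2066, 0x2067, 0x2068, 0x2069,           # LRI RLI FSI PDI
}


def find_bidi_controls(text):
    """Return (line_no, col, code_point, unicode_name) for every bidi control
    character in `text`. Line and column numbers are 1-based."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                findings.append((line_no, col, cp, unicodedata.name(ch)))
    return findings


def scan_file(path):
    """Scan one file; errors="replace" so a mis-encoded file is still checked
    instead of aborting the whole run."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_bidi_controls(f.read())


# Constructed sample: line 2 carries an RLO (U+202E) and a PDF (U+202C)
# inside a comment, so an editor would display it differently from what
# the interpreter sees.
SAMPLE = (
    "def check(level):\n"
    "    # \u202e } if level > 5: \u202c return True\n"
    "    return False\n"
)

if __name__ == "__main__":
    for line_no, col, cp, name in find_bidi_controls(SAMPLE):
        print(f"line {line_no} col {col}: U+{cp:04X} {name}")
```

Wire `scan_file` into a pre-commit hook or CI job and fail the build on any finding; a hit in a string literal is then an explicit, reviewed exception rather than something invisible.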
How Signal Responds to Law Enforcement Search Warrants
by Signal // Signal Messenger
Because everything in Signal is end-to-end encrypted by default, the broad set of personal information that is typically easy to retrieve in other apps simply doesn’t exist on Signal’s servers. Once again, this request sought a wide variety of information we don’t have, including the user’s name, address, correspondence, contacts, groups, call records.
Also covered by ZDNet in a less technical way.
CWE Most Important Hardware Weaknesses
by MITRE
The goal of this “first of its kind” list is to drive awareness of common hardware weaknesses.
- CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
- CWE-1191 On-Chip Debug and Test Interface With Improper Access Control
- CWE-1231 Improper Prevention of Lock Bit Modification
- CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
- CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation
- CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State
- CWE-1256 Improper Restriction of Software Interfaces to Hardware Features
- CWE-1260 Improper Handling of Overlap Between Protected Memory Ranges
- CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition
- CWE-1274 Improper Access Control for Volatile Memory Containing Boot Code
- CWE-1277 Firmware Not Updateable
- CWE-1300 Improper Protection of Physical Side Channels
US CISA Publishes a Feed of Known Exploited Vulnerabilities
by CISA // CISA
CISA will update this catalog with additional exploited vulnerabilities as they become known.
A great complement to Google P0’s 0day in the wild spreadsheet.
Also Noteworthy
Identity of Cyber-espionage Gamaredon Group Members Revealed by Ukraine
by Catalin Cimpanu // The Record by Recorded Future
The Ukrainian Security Service (SSU) has revealed the real identities of 5 members of the Gamaredon cyber-espionage group, linking its members to the Crimean branch of the Russian Federal Security Service (FSB).
Vulnerability in GitLab (self-hosted) Exploited to Build a DDoS Botnet
Threat actors are exploiting a security flaw in GitLab self-hosted servers to assemble botnets and launch gigantic distributed denial of service (DDoS) attacks, with some in excess of 1 terabit per second (Tbps).
Bots that Steal 2FA Codes are Being Sold in Underground Markets
Unsurprisingly, as we increasingly rely on 2FA to secure our accounts, 2FA codes become an attractive and lucrative target.
The bots convincingly and effortlessly help hackers break into Coinbase, Amazon, PayPal, and bank accounts.
State of Browser Fingerprinting Techniques and How to Bypass Them for Web Scraping
by Niespod Dariusz // GitHub
Ransomware Attack Against Toronto Transit System
by Tim Starks // CyberScoop
Online services for communicating with vehicle operators, information platform screens, trip-planning apps, the commission’s website, an online booking portal and internal email messaging were among the affected systems.
Hive ransomware now encrypts Linux and FreeBSD systems
by Sergiu Gatlan // BleepingComputer
ESET has identified Linux and FreeBSD variants of the Hive ransomware, written in Golang with gobfuscate’d strings and package names.
Tools
EMBArk Web-based Firmware Security Scanning Environment
A new web-based tool for firmware scanning joins the list, together with FwAnalyzer by Cruise Automation and Firmadyne by BU.
Watch a demo of EMBArk here.
OpenVDP: Open Source Tool for Vulnerability Disclosure Programs
by parikhakshat // GitHub
OpenVDP is a full-stack web application that provides organizations with an easy way to receive security advice. It is a bug tracking/reporting application for organizations and security researchers.
IMHO it can’t compete with tools like VINCE, but it’s certainly a useful tool for small realms that need to manage vulnerabilities.
CyberFacts Weekly is a digest of my hand-picked readings from the cyber-security world.
CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.
If you like it, consider subscribing or forwarding this email to peers and friends. If newsletters aren’t really your thing, maybe you’d prefer to follow the @CyberFactsIT Twitter account, which I use to publish the real-time feed of my selected readings (also available via RSS).
Hope you enjoyed this issue…and see you reading the next one! 🙃
Thanks! Cheers, Fede