🔓 [CyberFacts Weekly - Issue 0x07] I Visited an Abandoned IBM Facility

FBI Portal Abused to Mass Email / Breached Robinhood Data for Sale / New Rowhammer-class Vulnerability / Backdooring Rust Crates

This weekend I had two interesting experiences that got my nerd spirit boiling hot: I brought my 6yo son to his first cyber-security conference (NoHat 2021, on Saturday) and this morning I visited an abandoned IBM facility.

Only if you’re a father or a geek, or both, can you imagine the feelings and fully appreciate these moments. It was just amazing.

BTW, if you’re curious how to maintain a news digest like this one with only a few minutes a day, I documented my semi-automated workflow.

Oh, and I’m experimenting with baking panettone (I screwed up the timing, so I’ll have to wake up at 2am to prepare the last round of dough): Winter Hols are getting closer and closer!

Top Picks

8 Supply-chain Attack Techniques on Rust Dev Ecosystem

by Sylvain Kerkour // Sylvain Kerkour’s Blog

This article reviews

[…] developers’, CI/CD, or users’ machines. I voluntarily ignored perniciously backdoored algorithms such as cryptographic primitives or obfuscated code because this is a whole different topic.

Hard-to-Fix, New Rowhammer Patterns can Bypass All Mitigations (CVE-2021-42114)

by Patrick Jattke, Victor van der Veen, Pietro Frigo, Stijn Gunter, Kaveh Razavi // ETHZ Computer Security Group

Researchers from ETHZ, Qualcomm, and VU have discovered that it is possible to trigger Rowhammer bit flips on all DRAM devices, despite the mitigations deployed in commodity DDR devices.

In their paper (IEEE S&P 2022) they release Rowhammer access patterns that bypass the undocumented, proprietary in-DRAM Target Row Refresh (TRR) mitigation. A demo is available. The vulnerability is tracked as CVE-2021-42114.

User Email Addresses Breached from Robinhood for Sale

by Lawrence Abrams // BleepingComputer

Robinhood, the popular trading app and platform, was breached a couple of weeks ago. This week, a threat actor named ‘pompompurin’ announced that they were selling the breached data (e.g., email addresses) on a popular hacking forum for at least $10,000. The advertiser also claims to have the user IDs, but says those are not for sale.

One of FBI's Portals Abused to Send Out Prank Emails

by Brian Krebs // Krebs on Security

Very likely this was due to a header-injection vulnerability in the user-registration function of an online portal designed to share information with state and local law enforcement authorities.

Why was this such a big deal? Well, it’s the FBI. But it is also an example of how much impact a simple vulnerability in a “random” web application, which happens to be quite critical, can have.
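Header injection of the kind described above, as an added example of mine (not code from the newsletter or from the FBI portal): the naive mailer shape that lets a CR/LF in a registration field smuggle extra headers, beside the validated form that rejects it. The portal’s field names and flow are assumptions.

```python
from email.message import EmailMessage
from email.utils import formataddr

def build_naive(display_name: str, to_addr: str, subject: str) -> str:
    """Vulnerable shape: user input pasted straight into the header block.
    A CR/LF inside a value ends that header; the MTA reads what follows
    as additional headers."""
    return (f"From: portal@example.test\r\n"
            f"To: {display_name} <{to_addr}>\r\n"
            f"Subject: {subject}\r\n\r\n"
            "Your registration is confirmed.\r\n")

def reject_header_breaks(value: str, field: str) -> str:
    """Refuse any value that could terminate or start a header line."""
    if "\r" in value or "\n" in value or "\x00" in value:
        raise ValueError(f"{field}: control characters are not allowed")
    return value

def build_safe(display_name: str, to_addr: str, subject: str) -> str:
    """Hardened shape: validate every field, then let the email library
    encode the headers (EmailMessage also refuses multi-line values)."""
    display_name = reject_header_breaks(display_name, "display_name")
    to_addr = reject_header_breaks(to_addr, "to_addr")
    subject = reject_header_breaks(subject, "subject")
    if "@" not in to_addr or " " in to_addr:
        raise ValueError("to_addr: not a plausible address")
    msg = EmailMessage()
    msg["From"] = "portal@example.test"
    msg["To"] = formataddr((display_name, to_addr))
    msg["Subject"] = subject
    msg.set_content("Your registration is confirmed.")
    return msg.as_string()

def header_names(raw: str) -> list:
    """Header names an MTA would see (folded continuation lines skipped)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    return [ln.split(":", 1)[0] for ln in head.split("\n")
            if ":" in ln and not ln[0].isspace()]

def is_rejected(display_name: str, to_addr: str, subject: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_safe(display_name, to_addr, subject)
    except ValueError:
        return True
    return False

# Constructed test input: a display name that smuggles a Bcc header.
INJECTED_NAME = "Alice\r\nBcc: everyone@example.test"
```

Run `header_names(build_naive(INJECTED_NAME, "a@example.test", "Hi"))` to see the extra `Bcc` header the naive builder emits, and `is_rejected(INJECTED_NAME, ...)` to see the validated builder refuse the same input.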

See also here.

Also Noteworthy

How Malware Infiltrates PyPI via Dependency Confusion

by Andrey Polkovnychenko, Shachar Menashe // JFrog Blog

A walk-through of 9 of the more advanced techniques used by Python malware developers to avoid detection. Targeted package names include: importantpackage, pptest, ipboards, owlmoon, DiscordSafety, trrfab, 10Cent10, yandex-yt, and yiffparty.

New Python-based Ransomware Encrypts via WinRAR

by Sean Gallagher // Sophos News

Sophos […] encountered a new ransomware group […] “Memento Team,” [which malware] doesn’t encrypt files. Instead, it copies files into password-protected archives, using […] WinRAR—and then encrypts the password and deletes the original files.

NK-aligned Threat Actor TA406 Credential Theft Against Research, Education, Government

by Catalin Cimpanu // The Record by Recorded Future

Suspected government-backed hackers from North Korea launched almost weekly cyberattacks on a wide array of targets throughout the first half of 2021, according to research released on Thursday by security firm Proofpoint.

Data Breach of 100,000 California Pizza Kitchen Employee Records

by Anne Cusack // TechCrunch

California Pizza Kitchen (CPK) has revealed a data breach that exposed the Social Security numbers of more than 100,000 current and former employees.

4,000+ GitHub Repos Contain Firefox Cookie Databases

by Thomas Claburn // The register

It’s not uncommon for unwanted, supposedly private information to be incidentally sucked into a git repository (e.g., private keys, credentials, configuration files). But this…this is very new to me. How in the world would one, even by mistake, “git init” a repository containing the “~/.mozilla” profile directory? Sadly, 4K repos 😢: here, check for yourself.

US, UK, Australia Warn of Ongoing Iranian Gov-sponsored Intrusions

by Catalin Cimpanu // The Record by Recorded Future

Cybersecurity agencies from the US, UK, and Australia have published a joint security alert to raise awareness of an ongoing wave of intrusions carried out by Iranian government-sponsored hacking groups since the start of the year.

The joint advisory, authored by the FBI, CISA, ACSC, and NCSC, comes a day after Microsoft published its own report on the matter, detailing a rise in the sophistication and number of attacks carried out by Iranian groups.

Netgear patches severe pre-auth RCE in 61 router and modem models

by Catalin Cimpanu // The Record by Recorded Future

Networking equipment vendor Netgear has patched the fifth set of dangerous remote code execution bugs impacting its small office/home office (SOHO) routers this year.

Phishing Campaign Impersonating TikTok Employees Targets Influencers

by Bill Toulas // BleepingComputer

On October 2, 2021 and on November 1, 2021, Abnormal Security researchers observed the peaks of a phishing campaign targeting high-profile influencers.

Getting Paid to Delete a NPM Module

by Drew DeVault // Drew DeVault’s blog

I love this crazy idea:

npm’s culture presents a major problem for global software security. It’s grossly irresponsible to let dependency trees grow to thousands of dependencies, from vendors you may have never heard of and likely have not critically evaluated, to solve trivial tasks which could have been done from scratch in mere seconds, or, if properly considered, might not even be needed in the first place.

I laughed a lot at the reaction of a full-time programmer friend, who told me:

No, if you use a 3-line NPM module like isArray, you don’t deserve money at all 😂

Of course GitHub, among others, is committing resources to help fix this longstanding problem.

Emotet Malware Resurrects in November After Its Takedown in January

by Luca Ebach // cyber.wtf

The infamous Emotet, dubbed by EUROPOL the “World’s most dangerous malware”, was taken down in January 2021.

On Sunday, November 14, at around 9:26pm UTC, Luca Ebach noticed suspicious activity in his Trickbot trackers, which manual analysis later linked to Emotet.

Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.

We are still conducting more in-depth analyses to raise the confidence even further. New information will be provided as it becomes available.

Trojanized IDA Pro Linked to Lazarus Group

by Ravie Lakshmanan // The Hacker News

According to a tweet by ESET Research:

Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software.

A ~2Tbps DDoS Attack via UDP, Amplification, Compromised GitLab Instances

by Omer Yoachimik // The Cloudflare Blog

For the past 2-3 weeks there has been active exploitation of self-hosted, unpatched GitLab instances to launch DDoS attacks, together with some Mirai bots. This week, Cloudflare detected and mitigated a 1-minute-long DDoS attack that peaked just below 2 Tbps: a multi-vector attack combining DNS amplification and UDP floods. The attack was launched from approximately 15,000 bots running a variant of the original Mirai code on IoT devices and unpatched GitLab instances.

Android Banking Trojan Targeting Mainly Europeans

by Cleafy // Cleafy Labs

SharkBot, as the Cleafy researcher who found it code-named it, is a new type of banking trojan targeting mainly European Android users. The trojan is distributed via banking applications and cryptocurrency exchanges, and has the capability of bypassing multi-factor authentication.


Visualizing Manticore Symbolic Execution in BinaryNinja

by Alan Chang // Trail of Bits Blog

I just discovered MUI (Manticore User Interface), a tool to visualize and interact with Trail of Bits’s Manticore symbolic execution engine from within BinaryNinja.

Check out the repo here.


by Oleg Kutkov // rtl-sdr.com

Oleg Kutkov has recently posted about his success at receiving Starlink beacons at 11.325 GHz with his HackRF “supercluster”. Starlink is an Elon Musk / SpaceX venture that aims to provide fast global satellite internet access for low cost.

Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits

by Brian Kondracki, Amin Azad Babak, Oleksii Starov // Proceedings of the ACM Conference on Computer and Communications Security (CCS)

A research paper, with results and a tool, to analyze and classify websites as originating from a MITM phishing toolkit or not. MITM phishing is pretty sneaky, because the victim’s UX is the same as interacting with the original website, while behind the scenes the attacker’s proxy is sniffing credentials and so on.

Read more: paper and tool.

Detecting Hidden Cameras with Commodity Smartphones

by Sriram Sami, Sean Rui Xiang Tan, Bangjie Sun, Jun Han // Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems

Every modern smartphone camera is equipped with time-of-flight (ToF) sensors, originally intended to measure depth to aid augmented reality applications.

This research uses ToF sensors to detect hidden spy cameras by spotting retro-reflection, which occurs when a lens-sensor combination reflects incoming light directly back towards the source (like when people have red eyes in pictures taken with a flash).

The research is included in the proceedings of the SenSys ‘21 conference. There’s also a teaser video.

How to Review Literature in Systems Security

by Fabio Pierazzi // Fabio Pierazzi

No matter if you’re a student, full-time researcher, or security professional, at some point you’re gonna need to search for previous work on a topic you’re working on (e.g., fuzzing, network segmentation, hardening). Performing a literature review is far from just doing some random googling: you need to understand how technical work gets published in order to know how and where to look. This great blog post will teach you exactly that, the fine art of finding interesting technical work (with a bias towards top academic-vetted research).


HITB+ CyberWeek 2021 Coming up Next Week

by HITB // HITB+ CyberWeek 2021

HITB+ CyberWeek 2021 has 4 tracks that reflect the main pillars: Hack, Make, Build, and Break. The event is held in hybrid mode and you can access some content for free and get full access for a moderately low fee.

Attending a Conference with Young Hackers (NoHat 2021)

by BITM // No Hat 2021

I attended NoHat this week. I decided to bring my 6yo with me: we got back home with a bag full of conference swag and a wonderful experience. Most importantly, he was able to “breathe” the hacking culture in a very friendly atmosphere backed by solid technical content. This captures very well the essence of NoHat: an informal and inclusive event curated by young and passionate hackers.

The recordings will be made available on BITM’s YouTube channel. Meanwhile, check out the program.

CyberFacts Weekly is a digest of my hand-picked readings from the cyber-security world.

CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.

If you like it, consider subscribing or forwarding this email to peers and friends. If newsletters aren’t really your thing, maybe you’d prefer to follow the @CyberFactsIT Twitter account, which I use to publish the real-time feed of my selected readings (also available via RSS).

Hope you enjoyed this issue…and see you reading the next one! 🙃

Thanks! Cheers, Fede