Diary

Large Scale Analysis of Defaced Web Pages

Given the multiple releases around this topic and project, I've decided to put together a summary. So far there are: a tool, a white paper, an academic paper, and (spoiler alert) another white paper coming soon.

Dnsmasq and CVE-2017-1449*: A Reality Check and Remediation Practices

Many vulnerabilities in one shot, yet several pre-conditions must hold for a target to be actually exploitable. Here's a simple flowchart to check whether your Dnsmasq deployments are vulnerable.
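As an added example (my own script, not the flowchart from the post), here is a small checker that parses `dnsmasq --version` output and a `dnsmasq.conf`, reports whether the build predates 2.78 (the release that fixed the whole CVE-2017-1449x batch), and which feature surfaces the individual pre-conditions in that batch revolve around are switched on: DNS forwarding, DHCPv6, IPv6 router advertisement, and the EDNS0 `add-mac`/`add-cpe-id`/`add-subnet` options. The banner and configuration below are constructed inputs; confirm the exact per-CVE mapping against the advisory before acting on a "surface present" result.

```python
import re

# dnsmasq 2.78 is the release that fixed CVE-2017-14491 through -14496.
FIXED_VERSION = (2, 78)

# Options whose presence enables the EDNS0 client-info code paths.
EDNS0_OPTIONS = ("add-mac", "add-cpe-id", "add-subnet")

# Constructed sample inputs (not real deployment data).
SAMPLE_BANNER = "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley"
SAMPLE_CONFIG = """\
# constructed dnsmasq.conf
domain-needed
bogus-priv
dhcp-range=192.168.1.50,192.168.1.150,12h
dhcp-range=::1,::400,constructor:eth0,64,12h   # DHCPv6 pool
enable-ra
add-subnet
"""


def parse_version(banner):
    """Extract (major, minor) from the first line of `dnsmasq --version`."""
    m = re.search(r"Dnsmasq version (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not a dnsmasq version banner")
    return int(m.group(1)), int(m.group(2))


def parse_config(config_text):
    """Map option name -> list of values; a bare flag gets the value None."""
    options = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, sep, value = line.partition("=")
        options.setdefault(key.strip(), []).append(value.strip() if sep else None)
    return options


def assess(banner, config_text):
    """Return a dict describing patch level and enabled feature surfaces."""
    version = parse_version(banner)
    opts = parse_config(config_text)
    return {
        "version": version,
        "patched": version >= FIXED_VERSION,
        # DNS forwarding is on unless the listener is disabled with port=0.
        "dns_forwarding": "0" not in opts.get("port", []),
        # A dhcp-range containing ':' is an IPv6 (DHCPv6) pool.
        "dhcpv6": any(v and ":" in v for v in opts.get("dhcp-range", [])),
        "router_advertisement": "enable-ra" in opts,
        "edns0_options": any(o in opts for o in EDNS0_OPTIONS),
    }


def needs_action(report):
    """Unpatched and exposing at least one of the relevant surfaces."""
    surfaces = ("dns_forwarding", "dhcpv6", "router_advertisement", "edns0_options")
    return not report["patched"] and any(report[s] for s in surfaces)


if __name__ == "__main__":
    r = assess(SAMPLE_BANNER, SAMPLE_CONFIG)
    for k, v in r.items():
        print(f"{k:22} {v}")
    print("ACTION REQUIRED" if needs_action(r) else "no action")
```

On a live host, feed it `subprocess.check_output(["dnsmasq", "--version"])` and the contents of `/etc/dnsmasq.conf` plus any files pulled in via `conf-dir`; the script deliberately does not read those itself so it stays testable offline.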

Robosec: Industrial Robot Security

Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. Besides the mechanical arm, inside an industrial robot there are not just electromechanical components but a multitude of complex embedded controllers.

From a Bit-flipping to a Vulnerability in the CAN Standard

CAN-based protocols are vulnerable to bit-flipping attacks at the link layer. In this collaborative research, Politecnico di Milano's NECSTLab and Trend Micro's FTR analyze the protocol in depth and demonstrate the vulnerability on a real car, with a proof of concept.
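To make the link-layer mechanism concrete, here is an added simulation (my own, not the research PoC) of the CAN error-confinement rules from ISO 11898-1: a transmitter that reads back a dominant bit where it sent a recessive one signals a bit error and adds 8 to its transmit error counter, a successful frame subtracts 1, above 127 the node goes error-passive, and above 255 it goes bus-off. An attacker node that keeps forcing one recessive bit of the target's frame dominant never has to send a valid frame itself, yet drives the target off the bus. The frame layout helper is simplified (no bit stuffing, CRC, ACK or EOF) and the frame contents are constructed.

```python
ERROR_PASSIVE_LIMIT = 127   # TEC above this: error-passive
BUS_OFF_LIMIT = 255         # TEC above this: bus-off
TX_ERROR_PENALTY = 8        # transmitter TEC increment on a detected error
TX_SUCCESS_CREDIT = 1       # TEC decrement on a successful transmission


def frame_bits(can_id, data):
    """Simplified CAN 2.0A frame: SOF, 11-bit ID, RTR, IDE, r0, DLC, data.

    Bit stuffing, CRC, ACK and EOF are omitted; 0 = dominant, 1 = recessive.
    """
    bits = [0]                                         # SOF is dominant
    bits += [(can_id >> i) & 1 for i in range(10, -1, -1)]
    bits += [0, 0, 0]                                  # RTR, IDE, r0
    bits += [(len(data) >> i) & 1 for i in range(3, -1, -1)]
    for byte in data:
        bits += [(byte >> i) & 1 for i in range(7, -1, -1)]
    return bits


class CanNode:
    def __init__(self, name):
        self.name = name
        self.tec = 0
        self.state = "error-active"

    def _update_state(self):
        if self.tec > BUS_OFF_LIMIT:
            self.state = "bus-off"
        elif self.tec > ERROR_PASSIVE_LIMIT:
            self.state = "error-passive"
        else:
            self.state = "error-active"

    def transmit(self, bits, attacker_flip_at=None):
        """Send one frame; attacker_flip_at is the bit index the attacker
        forces dominant. Returns True on success, False on a bit error."""
        if self.state == "bus-off":
            return False
        for i, bit in enumerate(bits):
            # Dominant (0) overrides recessive (1) on the wire, so the attack
            # only bites where the victim was sending a recessive bit.
            if i == attacker_flip_at and bit == 1:
                self.tec += TX_ERROR_PENALTY     # bit error -> error frame
                self._update_state()
                return False
        self.tec = max(0, self.tec - TX_SUCCESS_CREDIT)
        self._update_state()
        return True


def frames_until_bus_off(node, bits, flip_at, max_attempts=10_000):
    """Count automatic retransmissions until the victim reaches bus-off.

    Returns 0 if the target bit is dominant (the attack is a no-op there).
    """
    if bits[flip_at] == 0:
        return 0
    attempts = 0
    while node.state != "bus-off" and attempts < max_attempts:
        node.transmit(bits, attacker_flip_at=flip_at)
        attempts += 1
    return attempts if node.state == "bus-off" else -1


if __name__ == "__main__":
    # Constructed target frame: ID 0x123, two data bytes.
    frame = frame_bits(0x123, b"\x55\xaa")
    victim = CanNode("victim ECU")
    # Flip the first recessive ID bit (index 3: ID bits start at index 1,
    # 0x123 = 0b001_0010_0011, so the first 1 is bit 9 of the ID).
    n = frames_until_bus_off(victim, frame, flip_at=3)
    print(f"{victim.name} bus-off after {n} frames, TEC={victim.tec}")
```

Starting from TEC 0, each flipped frame adds 8, so the 32nd error pushes the counter to 256 and the victim disconnects itself; a node whose TEC already sits in the error-passive band needs even fewer. Because the attacker only ever drives a dominant level during someone else's frame, there is nothing in the standard's error handling that attributes the fault to it rather than to the victim.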

Prometheus: Automatic signature generation for WebInject-based banking trojan detection

The goal of this project is to extract signatures that capture the WebInject behavior of trojans. WebInject-based trojans are still the most popular e-crime tool.

The Role of Industrial Routers in Keeping the Future Factory Secure

Industrial routers play a crucial role: a single vulnerability can grant the attacker access to an entire network of critical machines. In this research, I've looked at how easy it is for a hypothetical attacker to find and enumerate industrial routers, and at the security posture of their vendors.

What we Know About Eyepyramid

The day before the EyePyramid case exploded, I received a confidential email with a PDF. It was the scanned copy of the court order for law enforcement to proceed and arrest the Occhionero brothers. Within a few minutes, I noticed that this leaked document was also circulating on various private mailing lists and chat groups I'm part of. At some point, I received a non-redacted copy.

Mobile (Android) Ransomware

I started this project while advising a Master's student who was interested in machine learning. As I've been using machine learning since around 2006, I was immediately hooked by the idea of using it to determine whether an Android app was trying to lock the target device as part of a ransomware scheme.

Banksealer: Automatic Banking Fraud Detection

We started this project because we wanted to analyze banking and credit-card transactions and, with as little prior knowledge as possible, predict whether new ones are fraudulent (e.g., made by a cyber criminal using credentials stolen by a banking trojan running on the victim's computer).

Droydseuss: Android Malware Tracking and Intelligence

We wanted to create a malware tracker similar to ZeusTracker, but for mobile banking trojans. So we built a tool, DroydSeuss, which uses static analysis to extract relevant C&C endpoints (e.g., phone numbers, web URLs) and monitors them by running each sample in a sandbox on a daily basis.