BF-SIRT Newsletter 2018-01

Meltdown and Spectre, two security flaws said to affect almost all CPUs released since 1995, were announced this week and will probably haunt us for years to come.

Exploit code used in the Mirai variant called Satori, which has been used to attack hundreds of thousands of Huawei routers over the past several weeks, is now public. Expect to see it reused in future botnets.

A researcher released details of a local privilege escalation vulnerability in macOS that dates back to 2002, without going through any responsible disclosure process.

Top 5 Security Links
Meltdown and Spectre – Bugs in modern computers leak passwords and sensitive data.
Mozilla Patches Critical Bug in Thunderbird
Attention, vSphere VDP backup admins: There is a little remote root hole you need to patch…
MacOS LPE Exploit Gives Attackers Root Access
Code Used in Zero Day Huawei Router Attack Made Public

BF-SIRT Newsletter 2018-02

Microsoft has released patches for Meltdown and Spectre, but it is important to update one's antivirus before applying them: Windows Update only offers the January updates once the installed antivirus product has set the compatibility registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat) that indicates it will not crash with the new kernel mitigations.

The latest WebLogic exploit has caused an increase in compromised hosts being used to mine cryptocurrency.

F-Secure has found a new Intel AMT security issue that gives an attacker with physical access full control of a laptop in 30 seconds.

Top 5 Security Links
Police give out infected USBs as prizes in cybersecurity quiz
Wi-Fi Alliance launches WPA3 protocol with new security features
Mining or Nothing!
Anti-Virus updates required ahead of Microsoft’s Meltdown, Spectre patches
New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

BF-SIRT Newsletter 2018-03

Researchers have uncovered a government-sponsored mobile hacking group that has been operating since 2012.

OnePlus had its web store compromised, exposing 40,000 credit cards.

Hackers have started exploiting three Microsoft Office flaws to spread the Zyklon malware.

Top 5 Security Links
OnePlus minus 40,000 credit cards: Smartmobe store hacked to siphon payment info to crooks
Transmission users beware: Flaw lets hackers control your computer
Skygofree Android malware is “one of the most powerful ever seen”
Hackers Exploiting Three Microsoft Office Flaws to Spread Zyklon Malware
Researchers Uncover Government-Sponsored Mobile Hacking Group Operating Since 2012

BF-SIRT Newsletter 2018-04

It has been announced that hackers from the Dutch intelligence service AIVD provided the FBI with crucial information about Russian interference in the American elections. This seems to be a good showcase of cyber warfare capabilities.

Maersk's chairman detailed the reinstallation of “4,000 new servers, 45,000 new PCs, and 2,500 applications” after the NotPetya attack in 2017, providing good insight into a working disaster recovery process: six months of work completed in ten days, with only a 20 percent drop in volumes.

Top 5 Security Links
Dutch agencies provide crucial intel about Russia’s interference in US-elections
IT ‘heroes’ saved Maersk from NotPetya with ten-day reinstallation blitz
The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware used by Dark Caracal for surveillance.
Alphabet enters enterprise cybersecurity market, launches Chronicle
Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework

BF-SIRT Newsletter 2018-05

We need to prepare for Meltdown/Spectre-based malware, which may soon be coming to devices near us. Are we ready? Researchers have recently discovered more than 130 malware samples that try to exploit these chip flaws, most of them apparently derived from the published proof-of-concept code.

Top 5 Security Links
Secret military bases revealed by fitness app Strava
South Korea Warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks
Cisco Patches Critical VPN Vulnerability
Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit
Keylogger Campaign Returns, Infecting 2,000 WordPress Sites

BF-SIRT Newsletter 2018-06

Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”.

  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default

Top 5 Security Links

WordPress users do an update NOW and do it by hand
Apple iboot source code leaked
Covert data channel in TLS dodges network perimeter protection
Leaky Amazon S3 bucket exposes personal data of 12,000 social media influencers
Bitglass Report: Microsoft SharePoint, Google Drive and Majority of AV Engines Fail to Detect New Ransomware Variant

BF-SIRT Newsletter 2018-07

NCC Group rebuilt NotPetya, replacing its destructive payload with telemetry and safeguards, to see what the impact could have been. In the first run at a customer they found the following:

  • The customer ran it on one machine in their engineering network, with no privileges.
  • It found three unpatched machines.
  • It exploited those three machines to obtain kernel-level access.
  • It infected those three machines.
  • Within ten minutes it had spread through the entire engineering network using recovered/stolen credentials.
  • It took the domain about two minutes later.
  • 107 hosts were owned in roughly 45 minutes before the client triggered the kill-and-remove switch.

Top 5 Security Links
A rebuilt NotPetya gets its first execution outside of the lab
Cryptomining script poisons government websites – What to do
Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware
Winter Olympics network outages blamed on unexplained cyberhack
UK names Russia as source of NotPetya, USA follows suit

BF-SIRT Newsletter 2018-08

Apple fixes that “1 character to crash your Mac and iPhone” bug

Apple has pushed out an emergency update for all its operating systems and devices, including TVs, watches, tablets, phones and Macs.

The fix patches a widely-publicised vulnerability known officially as CVE-2018-4124, and unofficially as “one character to crash your iPhone”, or “the Telugu bug”.

  • Telugu is a widely-spoken Indian language with a writing style that is good news for humans, but surprisingly tricky for computers.
  • Computers can store and reproduce English words really easily, because there are only 26 symbols (if you ignore lower-case letters, the hyphen and that annoying little dingleberry thing called the apostrophe that our written language could so easily do without).
  • Many languages use a written form in which each character is made up of a combination of components that denote how to pronounce it, typically starting with a basic sound and indicating the various modifications that should be applied to it.
  • In English, each left-arrow or right-arrow simply moves you one character along in the current line, and one byte along in the current ASCII string, but what if there are four different sub-characters stored in memory to represent the next character that’s displayed?

For your iPhone, you’ll be updating to iOS 11.2.6; for your Mac, you need the macOS High Sierra 10.13.3 Supplemental Update.

Top 5 Security Links

BF-SIRT Newsletter 2018-09

Memcrashed – Major amplification attacks from UDP port 11211

Over the last couple of days we’ve seen a big increase in an obscure amplification attack vector: the memcached protocol, reflected from UDP port 11211.

The general idea behind all amplification attacks is the same. An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources – most typically the network itself.

  • The discovery of a new amplification vector that allows very large amplification factors is rare. This new memcached UDP DDoS is definitely in that category.
  • In total we’ve seen only 5,729 unique source IPs of memcached servers. We expect much larger attacks in future, as Shodan reports 88,000 open memcached servers.
  • In the GitHub DDoS incident on 28 Feb 2018, the attack peaked at 1.35 Tbps and 126.9 million packets per second.
  • Please ensure that your memcached servers are firewalled from the internet! If you do not need UDP, disable it: memcached 1.5.6 ships with the UDP listener off by default, and older versions can be started with -U 0.

Top 5 Security Links

BF-SIRT Newsletter 2018-10

Netflix could pwn 2020s IT security – they need only reach out and take

The container is doomed, killed by serverless. Containers are killing Virtual Machines (VM). Nobody uses bare metal servers. Oh, and tape is dead. These, and other clichés, are available for a limited time, printed on a coffee mug of your choice alongside a complimentary moon-on-a-stick for $24.99. Snark aside, what does the future of containers really look like?

  • No one company is going to dominate IT security in the 2020s, but there is an empire to be built on building the very best workload wrapper money can buy.
  • VMware has all the components needed to build this puzzle piece. Unfortunately, they’re trapped in whatever hell befell Microsoft in 2005.
  • Red Hat has most of the required components, but it will probably take them at least a decade to integrate all of it into systemd.
  • Nobody is going to build an empire on containers, because containers are only one part of a more important puzzle piece.
  • Netflix gave the world the Chaos Monkey, and then decided to build a full-scale Simian Army.
  • Which vendor(s) will pull it together and dominate that niche?

Top 5 Security Links