Week 8 in Review – 2013

Event Related

• ShmooCon Firetalks 2013 – irongeek.com

  These are the videos I have for the ShmooCon Firetalks 2013.

Resources

• APT 1
• APT 1: Exposing One of China’s Cyber Espionage Units – intelreport.mandiant.com

  APT1: Exposing One of China’s Cyber Espionage Units

• Threat Actors Using Mandiant APT1 Report as a Spear Phishing Lure: The Nitty Gritty – mandiant.com

  As we noted yesterday, Brandon Dixon’s 9B+ blog and Symantec reported the discovery of two malicious versions of our APT1 report. We wanted to provide follow-on details based on our analysis of these samples.

• Application Security Testing of Thick Client Applications – resources.infosecinstitute.com

  In this article, we will learn about thick client applications, their vulnerabilities and ways to carry out security assessment of these applications.

• Real Life Vulnerabilities Statistics: an overview – blog.mindedsecurity.com

  For this reason, we collected all our reports from 2010 until 2012 and performed a statistical analysis that, in conjunction with other contributors’ results, will help the new OWASP Top Ten to better fit these times and to keep track of differences from previous versions.

• DEPS Precise Heap Spray on Firefox and IE10 – corelan.be

  Last week, while doing my bi-weekly courseware review and update, I discovered that my heap spray script for Firefox 9 no longer works on recent versions.

• Easy DOM-based XSS detection via Regexes – blog.spiderlabs.com

  If you are interested in finding DOM-based XSS, you must have knowledge of http://code.google.com/p/domxsswiki/wiki/Introduction already. This is the best online resource about DOM-based XSS maintained by my friends Stefano di Paola and Mario Heiderich.

• CMD.EXE LOOPS PART III – resources.infosecinstitute.com

  CMD.exe provides FOR loops that work in a rather awkward manner but they are quite powerful indeed. In this section, let us see how can we understand the for loop switches and their purposes, using a problem description and solution approach.

• IDA Program Patching – resources.infosecinstitute.com

  Ida’s primary purpose is not binary patching, because when you first load the binary, it takes a snapshot of the binary and builds an internal representation, which is saved in the .idb database.

• Digging Into the Sandbox-Escape Technique of the Recent PDF Exploit – mcafee.com

  As promised in our previous blog entry for the recent Adobe Reader PDF zero-day attack, we now offer more technical details on this Reader “sandbox-escape” plan. In order to help readers understand what’s going on there, we first need to provide some background.

• Infosec and Higher Education Part 2 – ptcoresec.eu

  So when this week I received an email from a Student asking me for some help ( students from his university had been complaining about the degree and lecturers asked them to go and re-write the degree as they saw fit and that they would consider doing it), I felt like I should do this blogpost which I had prepared for a while.

Tools

• ThreatModeler 3.0 – myappsecurity.com

  MyAppSecurity is proud to release ThreatModeler 3.0. Packed with several in-demand features to easily manage threats and measure the state of security at an organization, this new release comes updated with features to.

• Update XORSearch V1.8.0: Shifting – blog.didierstevens.com

  This new version of XORSearch comes with a new operation: shifting left.

• Introducing the WAF Testing Framework – blog.imperva.com

  Last week I attended an OWASP conference in Israel and participated in a panel about WAFEC.

Techniques

• SSHD Rootkit
• SSHD rootkit in the wild – isc.sans.edu

  There are a lot of discussions at the moment about a SSHD rootkit hitting mainly RPM based Linux distributions. Thanks to our reader unSpawn, we received a bunch of samples of the rootkit.

• Linux Based SSHD Rootkit Floating The Interwebs – blog.sucuri.net

  For the past couple of days we have been a lot of discussion on a number of forums about a potential kernel rootkit making it’s rounds on the net. Interesting enough when we wrote about the case it wasn’t being picked up by anyone, today however it’s being picked up my an number of AV’s .

• Hacking Facebook OAuth
• Egor Homakov: How we hacked Facebook with OAuth2 and Chrome bugs – homakov.blogspot.com

  We (me and @isciurus) chained several different bugs in Facebook, OAuth2 and Google Chrome to craft an interesting exploit. MalloryPage can obtain your signed_request, code and access token for any client_id you previously authorized on Facebook. The flow is quite complicated so let me explain the bugs we used.

• How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account – nirgoldshlager.com

  I decided to share one of my favorite flaws i discovered in facebook.com. This flaw allowed me to take a full control over any Facebook account,

• De-duping multiple interface nessus results with sed. – pentesticles.com

  Lets assume that you have your Nessus output and have it it some useful parse-able format. (xmlstarlet anyone?)

• Finding and Reverse Engineering Deleted SMS Messages – az4n6.blogspot.com.br

  Recovering deleted SMS messages from Android phones is a frequent request I get. Luckily, there are several places and ways to recover these on an Android phone. After working a case that involved manually carving hundreds of juicy, case making messages, I collaborated with cheeky4n6monkey on a way to automate the process.

• Forwarding SMS to Email on
  [Jailbroken] iOS – blog.opensecurityresearch.com

  As with most ideas, this one also took shape out of necessity to reduce manual work and dependencies in various scenarios. This blog post shows one of the many ways to read SMS messages from a jailbroken iPhone and send it as an email.

• Hacking The Xerox Multifunction Printer Firmware Patch Process – foofus.net

  Its been almost a year since this firmware process hack was first discussed at CarolinaCon by percX. PercX has finally finished up his tutorial/white paper on the subject. In this paper he discusses the hack in-depth.

• How Attackers Steal Private Keys from Digital Certificates – symantec.com

  Regular readers of the Symantec blog may sometimes read blogs that mention a fraudulent file that is signed with a valid digital certificate or that an attacker signed their malware with a stolen digital certificate.

• Exploring WMI using WMI and CIMCmdlets – darkoperator.com

  In the previous blog post I covered how to explorer WMI using a GUI tool, now lets look at how to explorer WMI first using the WMI Cmdlets that are found in PowerShell v2 and PowerShell v3, then we will look at how to use CIM Cmdlets that where introduced in PowerShell v3 and the improvements Microsoft did to make using WMI even better in PowerShell v3.

Vendor/Software Patches

• Adobe Flash Player 0-day and HackingTeam’s Remote Control System – securelist.com

  Adobe Flash Player CVE-2013-0633 is a critical vulnerability that was discovered and reported to Adobe by Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov. The exploits for CVE-2013-0633 have been observed while monitoring the so-called -legal- surveillance malware created by the Italian company HackingTeam. In this blog, we will describe some of the attacks and the usage of this 0-day to deploy malware from -HackingTeam- marketed as Remote Control System.

Vulnerabilities

• NBC
• Dissecting NBC’s Exploits and Malware Serving Web Site Compromise – ddanchev.blogspot.com

  The web site of the National Broadcasting Company (NBC), NBC.com, is currently compromised, and is redirecting tens of thousands of legitimate users to multiple exploits serving and malware dropping malicious URLs.

• NBC.com hacked, serving up Citadel malware – hitmanpro.wordpress.com

  A few hours ago Ronald Prins of Fox-IT (@cryptoron) was tweeting about NBC.com infecting its visitors with malicious software (malware).

• NBC Website HACKED Be Careful Surfing
  – blog.sucuri.net

  Breaking, the NBC site is currently compromised and blacklisted by Google. Anyone that visits the site (which includes any sub page) will have malicious iframes loaded as well redirecting the user to exploit kits (Redkit).

• KB33425-BSRT-2013-003 Vulnerabilities in BlackBerry Enterprise Server components that process images could allow remote code execution – btsc.webapps.blackberry.com

  These vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of 10.0 (high severity). See the References section below for the list of issues by CVE issue identifier.

• Access restriction in iOS 6 partially useless – h-online.com

  The restriction on modifying account details that was introduced in iOS 6 is easily bypassed
  .

• Zendesk Compromised, Twitter, Tumblr and Pinterest Users Affected – threatpost.com

  Zendesk officials said the company was hacked by an unknown attacker and that emails belonging to users of Twitter, Pinterest and Tumblr all were accessed.

• cPanel Inc. Server Compromised
  – blog.sucuri.net

  It’s unclear on the specifics, but it appears the following letter is going out to cPanel users that have submitted a ticket in the last 6 months.

Other News

• China Hacking
• Researchers Name Three Hackers Tied To One Of China’s Most Active Military Intrusion Teams – forbes.com

  The Internet’s anonymity has offered a powerful advantage for attackers in the game of digital espionage.

• Fascinating video tracks a real Chinese hacker in action – washingtonpost.com

  The American cyber security firm Mandiant, which worked with the New York Times to expose and counter a China-based hacking campaign, has released an extensive report that it says ties years of cyber attacks on U.S. corporations back to the Chinese military.

• Apple Facebook Microsoft Hacking
• Report: This Is the Site Hacking All Those Companies (Updated) – gizmodo.com

  This might be a clue about the hacking going on the past week or so. According the All Things D, a site called iPhonedevSdk (do not visit this site; it’s malicious), is responsible for the hacks of Facebook and Apple.

• Exclusive: Apple, Macs hit by hackers who targeted Facebook – reuters.com

  Apple Inc was recently attacked by hackers who infected Macintosh computers of some employees, the company said Tuesday in an unprecedented disclosure describing the widest known cyber attacks targeting Apple computers used by corporations.

• Facebook Hacked, Mobile Dev Watering Holes, and Mac Malware – f-secure.com

  Friday, February 1st: Twitter announced it was hacked. The post (Keeping our users secure) by Bob Lord, Director of Information Security, was sparse on details but recommended disabling Java’s browser plugin.

• Microsoft admits it was also hit by hackers, malware infects their Mac business unit – nakedsecurity.sophos.com

  Microsoft joins Facebook and Apple in the list of big companies who have suffered at the hands of malware-bearing hackers.

• HDCP is dead. Long live HDCP. – adamsblog.aperturelabs.com

  HDCP (the copyright protection mechanism in HDMI) is broken. I don’t mean just a little bit broken, I mean thoroughly, comprehensively, irredeemably and very publicly broken.

• White House Must Respond Publicly to Ban on Mobile-Phone Unlocking – wired.com

  The President Barack Obama administration must enter the mobile-phone-unlocking fray.