Week 8 In Review – 2015

Resources

  • Equation Group: The Crown Creator of Cyber-Espionage – kaspersky.com
    Kaspersky Lab’s experts can confirm they have discovered a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades – The Equation Group.

    • Russian researchers expose breakthrough U.S. spying program – reuters.com
      The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world’s computers, according to cyber researchers and former operatives.
    • Your hard drives were RIDDLED with NSA SPYWARE for YEARS – theregister.co.uk
      The US National Security Agency (NSA) infected hard disk firmware with spyware in a campaign valued as highly as Stuxnet that dates back at least 14 years and possibly up to two decades – all according to an analysis by Kaspersky Labs.
    • The Equation Group Equals NSA / IRATEMONK – f-secure.com
      Well, funny story — components related to IRATEMONK have now been detected — by the folks at Kaspersky Labs. Kaspersky’s research paper refers to a threat actor called the “Equation group” whose country of origin is not named, but the group has exactly the capabilities detailed by the NSA’s ANT catalog.
  • Another update on the Truecrypt audit – blog.cryptographyengineering.com
    There’s a story on Hacker News asking what the hell is going on with the Truecrypt audit. In this post Matthew Green would like to offer you some news, including an explanation of why this has moved slowly.

Tools

  • Packet Sender – packetsender.com
    Packet Sender is an open source utility to allow sending and receiving TCP and UDP packets. It is available for Windows, Mac, Linux, and Android.
  • My GoldDigger Script – carnal0wnage.attackresearch.com
    CG created a post module that would index various types of file types so he could more quickly find and decide if he wanted to do download potentially useful files.
  • The Social-Engineer Toolkit (SET) v6.2 released – github.com
    The latest release of SET v6.2 codename “Recharge” is now available. This version has a number of features including a redesigned Java Applet for higher and more reliable exploitation.
  • The LaZagne Project – github.com
    The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. his tool has been developped to find these passwords for most common softwares.
  • Superphish – github.com
    This script will silently intercept SSL connections made from computers infected with Superfish malware on the local network. All traffic will be logged into ‘superphish.log’.
  • Demonstrating ClickJacking with Jack – sensepost.com
    ClickJacking PoC development assistance tool. Jack is a static HTML and JavaScript web-based tool.

Vulnerabilities

  • Re: Potentially Unwanted Program – forums.lenovo.com
    This is more serious than just a simple socket messup. Superfish Inc aka VisualDiscovery aka Similarproducts application will hijack ALL your secure webconnections (SSL/TLS) by using self signed root certificate authority, making it look legitimate to the browser.

    • Extracting the SuperFish certificate – blog.erratasec.com
      Robert Graham extracted the certificate from the SuperFish adware and cracked the password (“komodia”) that encrypted it. He discussed how in this post.
    • Superfish cert/encrypted key – pastebin.com
    • Some notes on SuperFish – blog.erratasec.com
      It does two things. The first is that SuperFish installs a transparent-proxy (MitM) service on the computer intercepting browser connections. It appears to be based on Komodia’s “SSL Digestor”, described in detail here.
    • Exploiting the Superfish certificate – blog.erratasec.com
      As discussed in the previous blogpost, it took about 3 hours to reverse engineer the Lenovo/Superfish certificate and crack the password. In this blog post, Robert described how he used that certificate in order to pwn victims using a rogue WiFi hotspot.
    • Superfish Uninstall Instructions – support.lenovo.com
      Download and run the Automatic Removal tool executable to ensure complete removal of Superfish and Certificates for all major browsers.
  • The Great SIM Heist:How Spies Stole The Keys to The Encryption Castle – firstlook.org
    American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

Other News

  • Bank Hackers Steal Millions via Malware – nytimes.com
    The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move.
  • Duplicate SSH Keys Everywhere – blog.shodan.io
    Back in December when John Matherly revamped the SSH banner and started collecting the fingerprint he noticed an odd behavior. It turns out that a few SSH keys are used a lot more than once.

Leave A Comment