Week 39 In Review – 2015

Events Related

• The CIA Campaign to Steal Apple’s Secrets – theintercept.com
  The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics.

Resources

• Reversing Mobile Traffic Lights – www.bastibl.net
  I wanted to have a look at the signal. I once heard that they transmit in the 2 meters band and that turned out to be true. With GQRX I found them at around 170MHz.

• InfoCon – infocon.org

Tools

• Cisco AnyConnect Secure Mobility Client v3.1.08009 Elevation of Privilege – code.google.com
  The fix for CVE-2015-4211 is insufficient which allows a local application to elevate to local system through the CMainThread::launchDownloader command.

• Nmap Project News: 6.49BETA5 release – seclists.org
  We’ve had four new releases since then, including today’s release of Nmap 6.49BETA5. They are all stability-focused releases to fix all the bugs and problems we can find in preparation for a big upcoming stable release in October.

• SpiderFoot v2.5.0 Released – www.toolswatch.org
  SpiderFoot is a free, open-source footprinting tool, enabling you to perform various scans against a given domain name in order to obtain information such as sub-domains, e-mail addresses, owned netblocks, web server versions and so on.

Techniques

• Detecting XCodeGhost Activity – isc.sans.edu
  End of last week, Palo Alto Networks published information about the “XCodeGhost” malware. Johannes already talked about it in today’s podcast episode but I searched for more details about this story.

• How to get Windows to give you credentials through LLMNR – www.pentestpartners.com
  It sounds like a bacterial resistant disease doesn’t it? It’s short for Local Loop Multicast Name Resolution. It’s a lightweight name service that works by using a multicast group to try and resolve basic names within a small(ish) network area.

• Kaspersky: Mo Unpackers, Mo Problems – googleprojectzero.blogspot.com
  Among the products I’m working on is Kaspersky Antivirus, and I’m currently triaging and analyzing the first round of vulnerabilities I’ve collected. As well as fuzzing, I’ve been auditing and reviewing the design, resulting in identifying multiple major flaws that Kaspersky are actively working on resolving.

• Ways To Load Kerberos Tickets – carnal0wnage.attackresearch.com
  Everyone is aware of the awesomeness that Mimikatz is and most likely golden tickets. Mimikatz ships with lots of kerberos functionality.

• How I hacked my IP camera, and found this backdoor account – jumpespjump.blogspot.com
  The time has come. I bought my second IoT device – in the form of a cheap IP camera. As it was the cheapest among all others, my expectations regarding security was low. But this camera was still able to surprise me.

• Exploiting MS Excel 2007 with OLE embedded objects heapspray on Win7/8/10 – kingcope.wordpress.com
  This tutorial will show how to completely bypass Win7/8/10 protections when exploiting MS Excel 2007 through embedded OLE objects. During a fuzzing session by lsd a code execution bug in MS Office 2007 was discovered, this vulnerability is patched by Microsoft by now.

• Empire Post-Exploitation Analysis with Rekall and PowerShell Windows Event Logs – www.redblue.team
  In this post I want to demonstrate how to use Empire, conduct basic IR memory analysis and, more importantly, highlight some discussion around automated detection at the network and host level.

Vendor / Software Patches

• Adobe Flash Patch, Plus Shockwave Shocker – krebsonsecurity.com
  Adobe has released a critical software update to fix nearly two-dozen security holes in itsFlash Player browser plugin. Separately, I want to take a moment to encourage users who have Adobe Shockwave Player installed to finally junk this program; turns out Shockwave — which comes with its own version of Flash — is still many versions behind in bundling the latest Flash fixes.

Vulnerabilities

• Malware XcodeGhost infects iOS Apps.
  Apple announced on Sunday that hundreds of legitimate apps on its App Store had been infected by malware. The company has removed the infected versions.
  • Apple cleaning up iOS App Store after first major attack – www.reuters.com
  • Hundreds of millions of devices potentially affected by first major iOS malware outbreak – blog.lookout.com
  • XcodeGhost Exploits the Security Economics of Apple’s Ecosystem – tidbits.com
  • Hundreds of Legitimate iOS Apps Infected by Malware, Removed From App Store – lifehacker.com
  • Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users – researchcenter.paloaltonetworks.com
  • 85 legitimate iPhone apps that were infected with malware in the big App Store hack – bgr.com
  • XCodeGhost ‘Materializes’ on App Store – labs.opendns.com
  • More Details on the XcodeGhost Malware and Affected iOS Apps – researchcenter.paloaltonetworks.com
  • The XcodeGhost Plague – How Did It Happen? – blog.trendmicro.com

• Linkedin Reflected Filename Download – davidsopas.com
  When researching another website I discovered a XHR request on my Google Inspector on Linkedin that seemed interesting. Basically it was the request made by websites to count how many shares their site have on Linkedin network.

• iOS 9 security blooper lets you BYPASS PINs, eye up photos, contacts – www.theregister.co.uk
  Vid A security flaw in iOS 9 allows anyone who has a locked Apple iThing in their hand to view its contacts and photos without having to enter a passcode.

• Cookies set via HTTP requests may be used to bypass HTTPS and reveal private information – www.kb.cert.org
  RFC 6265 (previously RFC 2965) established HTTP State Management, also known as “cookies”. In most web browser implementations of RFC 6265, cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information.

• The Inside Story Behind MS08-067 – blogs.technet.com
  Seven years ago a small set of targeted attacks began.  In 2008 an unknown set of attackers had a zero day vulnerability that would soon have worldwide attention.

Other News

• Inside Target Corp., Days After 2013 Breach – krebsonsecurity.com
  In December 2013, just days after a data breach exposed 40 million customer debit and credit card accounts, Target Corp. hired security experts at Verizon to probe its networks for weaknesses.

• OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought – www.washingtonpost.com
  One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people’s fingerprints were stolen as part of the hacks.

• CIA details agency’s new digital and cyber espionage focus – www.networkworld.com
  It seems like it might be about 10 years too late to the party but come October 1, the Central Intelligence Agency will add a new directorate that will focus on all things cyber and digital espionage.

• OIG: Obamacare Data Repository Had Security Flaws – www.bankinfosecurity.com
  Federal auditors say a data repository the Department of Health and Human Services uses for data analysis and reporting for the Affordable Care Act, better known as Obamacare, had numerous data security shortcomings that have since been addressed.

• With Stolen Cards, Fraudsters Shop to Drop – krebsonsecurity.com
  A time-honored method of extracting cash from stolen credit cards involves “reshipping” scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia.

• Banks: Card Breach at Hilton Hotel Properties – krebsonsecurity.com
  Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims.