Week 15 In Review – 2017

Events Related 

• HITB 2017
  This year, the conference was based on four(!) tracks: two regular ones, one dedicated to more “practical” presentations (HITBlabs) and the last one dedicated to small talks (30-60 mins).
  • HITB Amsterdam 2017 Day #1 Wrap-Up – blog.rootshell.be
  • HITB Amsterdam 2017 Day #2 Wrap-Up – blog.rootshell.be

Resources 

• Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2) – googleprojectzero.blogspot.com
  In this blog post we’ll continue our journey into gaining remote kernel code execution, by means of Wi-Fi communication alone. Having previously developed a remote code execution exploit giving us control over Broadcom’s Wi-Fi SoC, we are now left with the task of exploiting this vantage point in order to further elevate our privileges into the kernel.

• HITBSecConf2017 – conference.hitb.org

• Protecting customers and evaluating risk – blogs.technet.microsoft.com
  Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched.

Vendor/Software Patches

• Adobe Patches 59 Vulnerabilities Across Flash, Reader, Photoshop – threatpost.com
  Among the patches are fixes for vulnerabilities uncovered at Pwn2Own, the hacking competition held alongside CanSecWest last month in Vancouver. A team of hackers from Qihoo 360 exploited a heap overflow in the way Reader parsed JPEG200 to take down the PDF software on the competition’s first day.

• Microsoft Patches Word Zero-Day Spreading Dridex Malware – threatpost.com
  Attacks were spreading via a massive spam campaign where emails contain Microsoft Word documents with malicious attachments that exploited a vulnerability in the way Microsoft handles OLE2Link objects. According to researchers, the attacks were effective at bypassing most mitigation efforts.

Vulnerabilities

• Travel Routers, NAS Devices Among Easily Hacked IoT Devices – threatpost.com
  Jan Hoersch, an IT security consultant at Securai GmbH, a small pen-testing firm based in Munich, described vulnerabilities that affected off-the-shelf IoT devices such as travel routers and retinal scanners in a talk at Kaspersky Lab’s Security Analyst Summit.

• Dallas Siren Hack
  The emergency sirens were activated in Dallas County last Friday night at 11:42pm. This is not an unusual event in Dallas and the surrounding areas, in fact this is kind of a common occurrence during the springtime.
  • The Dallas County Siren Hack – duo.com
  • Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack – arstechnica.com

• The Riddle – riddle.link
  The Riddle is a critical security vulnerability found in Oracle’s MySQL 5.5 and 5.6 client database libraries. The vulnerability allows an attacker to use man riddle in the middle for breaking SSL configured connection between MySQL client and server.

• Shadow Brokers Dump
  Here’s the quick rundown on the latest Shadow Brokers “Equation Group” dump.
  • ShadowBrokers Dump More Equation Group Hacks, Auction File Password – threatpost.com
  • Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows – medium.com
  • EQGRP Lost in Translation – github.com
  • ShadowBrokers: The NSA compromised the SWIFT Network – blog.comae.io
  • Shadow Brokers Exploits – github.com
  • Equation Group Dump Analysis and Full RCE on Win7 on MS17-010 with Cobalt Strike – www.trustedsec.com

• A Remote Attack on the Bosch Drivelog Connector Dongle – argus-sec.com
  In this blog post, I discuss the vulnerabilities of the Bosch Drivelog Connector OBD-II dongle found by the Argus Research Team. The vulnerabilities allowed us to stop the engine of a moving vehicle using the Drivelog platform.

• Phishing with Unicode Domains – www.xudongz.com
  From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”.

• ‘High Risk’ Zero Day Leaves 200,000 Magento Merchants Vulnerable – threatpost.com
  A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk. The warning comes from security firm DefenseCode, which found and originally reported the vulnerability to Magento in November.

Other News

• NIST Cybersecurity Framework 1.1 – www.tenable.com
  Measuring and demonstrating cybersecurity to business leaders and partners is simultaneously very important and very challenging. Various sources, including the EisnerAmper accounting firm and the National Association of Corporate Directors, have reported that only about 20% of boards have confidence in the state of their organization’s cybersecurity.

• Inside the Tech Support Scam Ecosystem – www.onthewire.io
  A pair of doctoral students and their advisor, looking for insights into the inner workings of tech support scams, spent eight months collecting data on and studying the tactics and infrastructure of the scammers, using a purpose-built tool. What they uncovered is a complex, technically sophisticated ecosystem supported by malvertising and victimizing people around the world.