DataDwarf
Hacker, coder, tinkerer, brewer, recovering sysadmin, and infosec professional.

InfoSec News Highlights - NSA hacked by the Shadowbrokers, Scolex Malware, and Cerber Ransomware-as-a-Service.

NSA hacked by the Shadowbrokers

A group calling themselves “The Shadow Brokers” is claiming to have a dump of the NSA’s malware, private exploits, and hacking tools. They are auctioning the tools off to the highest bidder and have said that if the auction brings in $1 million in bitcoins they will release a second dump to the public for free. They have released a sample dump of about 300MB which contains a number of exploits for Fortinet, Cisco, and other networking vendors’ platforms. The exploits in the dump appear to be legit, and several security researchers are saying that the dump is from the NSA’s Equation Group. Maybe someone will pay $1 million for the rest of the dump and we’ll get to see some more, but I doubt it.

Scolex Malware

The Zeus trojan was first seen in 2007 and was responsible for hundreds of millions of dollars of losses from bank accounts across the world. Zeus ran strong until about 5 years ago when its operators abruptly closed up shop and released the trojan’s source code to the public. Well, a new malware variant being sold by criminals is claiming to be the next Zeus. The Scolex malware kit is being advertised with a number of different capabilities including a user-mode rootkit, web injects, a secure socket reverse proxy, and, for an additional cost, hidden Virtual Network Computing. The price tag for the malware ranges between $7500 and $10000 depending on the features, and includes up to 8 hours of support a day. I wonder if the customer service offered by malware writers is as good as Comcast’s?

Cerber Ransomware-as-a-Service

In this current everything-as-a-service craze that we are experiencing with cloud computing, it should be no surprise that Ransomware-as-a-Service is a thing. Researchers at Check Point have discovered a Ransomware-as-a-Service enterprise selling Cerber. Cerber isn’t new; it was originally seen earlier this year. What made Cerber interesting when it was first seen was that it uses Windows Script files. When the script is executed it downloads Cerber to the victim system. The script files are distributed in a double-zipped archive, which may allow them to bypass some security solutions. The authors are keeping 40 percent of the profits, paying out 60 percent to affiliates who find them fresh new targets. Only a little steeper than the 30 percent Apple takes on the App Store. There is a new variant of Cerber that was just released on July 29th.

InfoSec News Highlights - Yahoo logins for sale, Apple Bug Bounty Program, Malware on USBs from O2, and Windows Secure Boot Backdoor

Yahoo Logins for Sale

A little over a week ago 200 million Yahoo log-ins went up for sale, raising the question: was Yahoo breached? Well, an initial review of a sample of the data suggests that this dump is from an older breach or series of breaches. A large number of the sample accounts are no longer active. If you do have a Yahoo account I would still suggest you change your password. Also remember that Yahoo offers two-factor authentication for added protection.

Apple Bug Bounty Program

Apple announced their bug bounty program at Black Hat this past week, with a top payout of $200,000. That top payout is for finding a flaw in the secure boot firmware. Apple also said that if the researcher decides to give the bounty to a charity they will match it dollar for dollar. Unfortunately, the bug bounty program is currently invite-only, with only a “few dozen” people participating.

Malware on USBs from O2

In a recent marketing campaign, the British telecom O2 sent out USB drives to all of its business customers. The campaign may have backfired for them, as the drives came loaded with malware from the supplier. How many people made the vendor rounds at Black Hat and Defcon to grab all of that sweet vendor loot? And how many USB flash drives were handed out? I’d caution against using them. I doubt that the marketing departments at all of those security vendors checked those drives before handing them out, or that they didn’t source them from the cheapest supplier in China.

Windows Secure Boot Backdoor

So Microsoft made a big mistake a few months ago and published a Secure Boot policy that allows anyone to load unsigned or self-signed code. Luckily this policy only affects ARM and RT devices; desktop and enterprise PCs are safe. Microsoft has released a couple of patches, MS16-094 and MS16-100, but both appear to be incomplete. Many are pointing out that this is why having a backdoor in any security or crypto system is an extremely bad idea.

InfoSec News Highlights - Lastpass Vulnerability, Malicious Insider Sentenced, Hacker Summer Camp PSA

Lastpass Vulnerability

Security researcher Mathias Karlsson found a vulnerability in Lastpass that let someone scrape your passwords from the password manager. The good news is that Lastpass has already patched this. The way this vulnerability works is, let’s say you visited a URL like http:[email protected][email protected]; the browser would treat the current domain as one host while the extension would treat it as another. This is because the code only URL-encoded the last occurrence of the @ symbol, so the actual domain is treated as the username portion of the URL. So this was an autofill bug, and if you weren’t using autofill you couldn’t have been targeted. Password managers are still better than the alternative of easy-to-remember passwords and password reuse.
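To make the parsing mismatch concrete, here is an added JavaScript example (my own illustration, not Lastpass’s code or Karlsson’s proof of concept): a simplified host extractor that models the flaw class described above (only the last @ is encoded, so an earlier @ is read as the userinfo delimiter) next to a robust extractor that defers to the WHATWG URL parser, the same parser the browser itself uses, and an autofill gate built on it. The hosts example.test and other.test are constructed test values.

```javascript
// Added example, not Lastpass's code. naiveHost() models the described
// bug class in simplified form; robustHost() shows the fix: never parse
// URLs by hand when deciding which site gets a credential.

// Naive extractor: encodes only the LAST '@', then treats anything before
// the first surviving '@' as userinfo. This is a simplified model of the
// flaw, not the real extension logic.
function naiveHost(url) {
  // Drop the scheme ("http://", "https://").
  let rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  // Percent-encode only the last '@' (the flaw described in the post).
  const last = rest.lastIndexOf("@");
  if (last !== -1) {
    rest = rest.slice(0, last) + "%40" + rest.slice(last + 1);
  }
  // Anything before the first remaining '@' is taken as userinfo.
  const at = rest.indexOf("@");
  if (at !== -1) {
    rest = rest.slice(at + 1);
  }
  // Host ends at the first '/', ':', '?' or '#'.
  const end = rest.search(/[\/:?#]/);
  return end === -1 ? rest : rest.slice(0, end);
}

// Robust extractor: let the platform URL parser decide the authority
// section, restrict to web schemes, and fail closed on anything odd.
function robustHost(url) {
  try {
    const parsed = new URL(url);
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
      return null;
    }
    return parsed.hostname; // already lower-cased, userinfo stripped
  } catch (e) {
    return null; // unparseable input is never a match
  }
}

// Autofill gate: release a credential only when the robustly parsed host
// equals the host the vault entry was saved for.
function autofillAllowed(url, savedHost) {
  const host = robustHost(url);
  return host !== null && host === savedHost.toLowerCase();
}

// Constructed input: the '@' characters live in the path, not the authority.
const tricky = "http://example.test/@other.test/@login.php";
console.log(naiveHost(tricky));   // other.test  (wrong: fooled by the path)
console.log(robustHost(tricky));  // example.test
console.log(autofillAllowed(tricky, "other.test")); // false
```

The point of the comparison is the decision boundary: the vault lookup key must come from the same parser that decides where the page actually loaded from. Hand-rolled string splitting on `@`, `/` or `:` is where these mismatches come from, and a scheme allow-list plus a fail-closed `null` keeps non-web URLs from ever matching an entry.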

Malicious Insider Sentenced

There have been several stories in the past year about malicious insiders causing damage to networks. We’ve seen cases of both current and ex-employees being involved in these incidents. Well, we have another case. A Citibank employee was just sentenced to 2 years and a $77,000 fine for intentional damage to a computer. After being called into his manager’s office and reprimanded for poor performance, the employee issued commands to wipe the configuration files on 10 core routers within Citibank’s internal network. This caused the traffic to be re-routed through a pair of backup routers. There was not a complete outage, but the re-routing led to severe “congestion” which constituted an outage for about 90% of Citibank’s branch offices.

Hacker Summer Camp PSA

For everyone heading out to Las Vegas next week for Black Hat, BSides Las Vegas, and Defcon, be safe and have fun! A few things to remember. The 3-2-1 Rule - Three hours of sleep, Two Meals, One Shower. And USE DEODORANT. The best way to have a good time at a hacker conference is to put yourself out there. Be social, step outside of your comfort zone for a few days, and make some friends. In my experience everyone at these events is more than willing to help someone out and show them the ropes. Also, I know everyone is going to be drinking a lot of alcohol, but drink plenty of water too. It’s hot out there in the desert.