Thread: Malware & other nasty IT / cyber things
  1. #1
    Council Member
    Join Date
    Nov 2013
    Posts
    35,749

    CRITICAL


    PSA: someone is spreading a massive Gmail phishing email right now. DO NOT CLICK on the Google Doc link.
    https://motherboard.vice.com/en_us/a...hishing-email#

    (Added by Mod) or http://www.independent.co.uk/life-st...-a7716581.html
    Last edited by davidbfpo; 05-03-2017 at 10:00 PM. Reason: Moved from Russian Disinformation thread

  2. #2
    Council Member
    Join Date
    Nov 2013
    Posts
    35,749

    In other infosec news, German bank hackers used SS7 hijacking to steal SMS 2FA tokens and drain accounts [in German]

    http://www.sueddeutsche.de/digital/i...leer-1.3486504

    European and US telco providers have known about this major issue since 2014 and failed to implement stronger available security features.....and we are now in 2017....

    I would be interested to know if this is a coincidence with the Trend Micro report on Friday, or someone making an OAUTH bomb after reading it.
    Last edited by OUTLAW 09; 05-04-2017 at 07:30 AM.

  3. #3
    Council Member
    Join Date
    Nov 2013
    Posts
    35,749

    Reference the Google Gmail phishing attack yesterday.....

    Shout out to @Google security ppl who got the #OAuthWorm disabled in under an hour and to @Cloudflare for sinkholing. Great response.

    Was the attack actually generated after reading the Trend Micro report on the Russian state sponsored French hacking of Macron using OAuth?

    Not clear who's behind the attack, but conspicuously similar MO to a major APT28 campaign last year disclosed by Trend Micro last Friday.

    This big phishing attack is clever; an OAUTH based attack. Tricks you into giving "permission" to read your emails to a fake Google Docs app.

    Password Alert is a free Chrome extension that journalists (or anyone) can use to protect against phishing
    https://goo.gl/vrIEkA #WPDF2017

    A good video of the actual attack in progress....

    https://twitter.com/zachlatta/status/859843151757955072
    Last edited by OUTLAW 09; 05-04-2017 at 07:44 AM.

  4. #4
    Council Member
    Join Date
    Nov 2013
    Posts
    35,749

    Apple has recently fixed an iCloud Keychain vulnerability that could have been exploited by hackers to steal sensitive data from iCloud users.

    The flaw allowed hackers to run man-in-the-middle (MitM) attacks to obtain sensitive user information (i.e. names, passwords, credit card data, and Wi-Fi network information).

    The researcher Alex Radocea of Longterm Security discovered in March a vulnerability tracked as CVE-2017-2448 that affects the iCloud Keychain

  5. #5
    Council Member
    Join Date
    Nov 2013
    Posts
    35,749

    http://securityaffairs.co/wordpress/...os-botnet.html

    A really great article..well worth reading for those that follow this type of information....

    The Rakos botnet – Exploring a P2P Transient Botnet From Discovery to Enumeration
    May 10, 2017 By Pierluigi Paganini

    1. Introduction
    We recently deployed a high interaction honeypot expecting it to be compromised by a specific malware. But in the first few days, instead of getting infected by the expected malware, it received a variety of attacks ranging from SSH port forwarding to “Viagra and Cialis” SPAM to XORDDoS failed deployment attempts. By the third day, it was insistently hit and compromised by Rakos, a Linux/Trojan.
    Based on the expected Rakos behavior reported last December by ESET [1], our honeypot was recruited to a botnet and immediately began attempting connections to other hosts on the Internet, both to “call home” and to search for new victims. Although it wasn’t our initial plan, we noticed that this sample didn’t behave like the one ESET described, which got us curious and made us analyze it here at Morphus Labs.
    After analyzing and exploiting this botnet’s communication channel and employing Crawling and Sensor Injection enumeration methods, we did find a network floating around 8,300 compromised devices per day spread over 178 countries worldwide. Considering the recent DDoS attack reported by Incapsula [2] against a US College, originated from 9,793 bots, which was able to generate 30,000 requests per second during 54 hours, we may infer how potentially threatening the Rakos botnet is.
    2. Botnet C&C channel analysis
    To better understand this P2P Transient botnet behavior and its C&C protocol, we listened to its traffic for 24 hours, and after analyzing it, we noticed two kinds of communications: one between bots through HTTP and, the other, between bots and C&C servers through TLS/SSL. In this section, we detail the commands we mapped.
    Some definitions before start:
    Checker: An infected machine (“bot”) that is part of the botnet.
    Skaro: C&C server
    A particular node may play both roles

    Continued.....
    The other graph shows the real interconnection between nodes, as seen in Figure 6. Here we can see a very thick botnet where virtually all Checkers know all Skaros.
    Now, plotting the discovery path graph on the world map, as seen in Figure 7, we may have an idea of the botnet worldwide. To geolocalize the nodes, we used MaxMind database [8].
    Last edited by OUTLAW 09; 05-11-2017 at 08:40 AM.
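The crawling-based enumeration the excerpt above refers to (querying each bot for its peer list, then following the peers it reveals) can be simulated on a small constructed sample. This is an added example, not code from the Security Affairs article or from Morphus Labs; the node names, roles and peer lists are fictional, and the HTTP peer exchange a real crawler would use is replaced by a lookup in that sample. It also computes the "every Checker knows every Skaro" density the excerpt describes for Figure 6.

```python
from collections import deque

# Constructed sample (not real Rakos data): each node's role(s), using the
# excerpt's terms (Checker = infected bot, Skaro = C&C server; a node may be
# both), and the peers it reveals when a crawler queries it.
SAMPLE_NODES = {
    "c1": {"roles": {"checker"}, "peers": ["s1", "s2", "c2"]},
    "c2": {"roles": {"checker"}, "peers": ["s1", "s2", "c3"]},
    "c3": {"roles": {"checker"}, "peers": ["s1", "s3"]},
    "s1": {"roles": {"skaro"}, "peers": ["s2", "s3", "c1"]},
    "s2": {"roles": {"skaro", "checker"}, "peers": ["s1", "s3", "c4"]},
    "s3": {"roles": {"skaro"}, "peers": []},
    "c4": {"roles": {"checker"}, "peers": ["s1", "s2", "s3"]},
}

def crawl(nodes, seed):
    """Breadth-first crawl from one seed node.

    Returns the set of enumerated nodes, the discovery-path edges (which node
    first revealed which, the tree of Figure 7 in the article) and the full
    interconnection edges (every peer relationship observed, as in Figure 6).
    """
    seen = {seed}
    discovery, interconnection = [], []
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for peer in nodes.get(node, {}).get("peers", []):
            interconnection.append((node, peer))
            if peer not in seen:          # first time this peer is revealed
                seen.add(peer)
                discovery.append((node, peer))
                queue.append(peer)
    return seen, discovery, interconnection

def skaro_coverage(nodes, enumerated):
    """Fraction of (Checker, Skaro) pairs where the Checker lists the Skaro
    as a peer; 1.0 means every Checker knows every Skaro."""
    checkers = [n for n in enumerated if "checker" in nodes[n]["roles"]]
    skaros = [n for n in enumerated if "skaro" in nodes[n]["roles"]]
    pairs = [(c, s) for c in checkers for s in skaros if c != s]
    if not pairs:
        return 0.0
    known = sum(1 for c, s in pairs if s in nodes[c]["peers"])
    return known / len(pairs)
```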
