InfoSec Week 19, 2017

Posted May 16, 2017

You have probably heard about the WannaCry/WannaCrypt/WannaWhatever worm spreading ransomware, because of the sensation created by parties profiting from the scare tactics. But also because it is using really good spreading technique - exploiting MS17-010 SMB vulnerability leaked from the NSA.
Some post-mortem analysis of the first version (with the killswich) and TheShadowBrokers blog are listed below. Crypto is working, so no trivial decrypter is probable, except if the keys are published.
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition

Nice analysis of a P2P botnet. The researchers determined the botnet size by injecting fake nodes to the network, as well as using crawling. http://securityaffairs.co/wordpress/58931/malware/p2p-transient-rakos-botnet.html

Fatboy Ransomware-as-a-Service is using The Economist’s Big Mac Index to calculate the ransom amount.
https://www.recordedfuture.com/fatboy-ransomware-analysis/

Tor hidden service operator is analysing bots used to enumerates and attack hidden services.
http://www.hackerfactor.com/blog/index.php?/archives/763-The-Continuing-Tor-Attack.html

Google Project Zero post about the process of discovering CVE-2017-7308 vulnerability. Found by fuzzing, with the later exploitation to escalate privileges.
https://googleprojectzero.blogspot.ch/2017/05/exploiting-linux-kernel-via-packet.html https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308

Wikileakes released “AfterMidnight” and “Assassin " malware frameworks designed, two CIA malware frameworks for the Microsoft Windows platform. Those services allow operators to dynamically load and execute malware payloads on a target machine & exfiltrate the data.
https://wikileaks.org/vault7/#AfterMidnight

A Security researcher Thorsten Schroeder discovered that an audio driver shipped on dozens HP laptops and tablet PCs logs keystrokes. It’s actually a badly written application outputting pressed keystrokes to the debug output, so everyone is able to list them using MapViewOfFile function.
https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html

malwaresearch - A command line tool to find malware samples on the openmalware.org. It’s possible to use the various hashes or common name.
https://github.com/MalwareReverseBrasil/malwaresearch