My Weekly RoundUp #120
A few news items this week: a couple of links about ransomware (Ryuk and Snatch), an interesting attack on Intel CPUs, a Windows 0-day and a phishing attack on Office 365.
Then, a security incident involving an S3 bucket and an interesting article about DNS over HTTPS.
Finally, some news about Cyberpunk, Cats and Wonder Woman 1984!
Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk has plagued the public and private sectors alike over the past years, generating hundreds of millions of ransom revenues for the criminals behind it. Usually deployed via an existing malware infection within a target’s network, Ryuk wreaks havoc on any system that can be accessed, encrypting data using a combination of RSA and AES.
Just because Ryuk has been hugely successful doesn’t mean its creators stopped evolving and improving it, however. So it comes as no surprise that we have seen multiple new features added to Ryuk over the past year.
One of these features that isn’t well documented is its capability to partially encrypt files. Essentially, whenever Ryuk encounters a file that is larger than 57,000,000 bytes (or 54.4 megabytes) it will only encrypt certain parts of it in order to save time and allow it to work its way through the data as quickly as possible before anyone notices.
Source: Emsisoft
Remote hackers can modify CPU voltage to steal secrets from Intel SGX enclaves
An undocumented feature in Intel CPUs allows attackers to manipulate the voltage of Intel CPUs to trigger computational faults in a controlled manner. This can be used to defeat the security guarantees of the Intel SGX trusted execution environment, which is meant to protect cryptographic secrets and to isolate sensitive code execution in memory.
The Intel Software Guard Extensions (SGX) is a technology present in modern Intel CPUs that allows users to set up so-called enclaves where the CPU encrypts part of the memory and doesn’t allow any programs except those running inside the enclave to access it.
Source: CSO Online
Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium
In November 2019, Kaspersky technologies successfully detected a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as ‘Volodya’.
The EoP exploit consists of two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the renderer process of the browser through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. This is done to bypass sandbox restrictions because the PE exploit cannot simply start a new process using native WinAPI functions.
The PE loader locates an embedded DLL file with the actual exploit and repeats the same process as the native Windows PE loader – parsing PE headers, handling imports/exports, etc. After that, code execution is redirected to the entry point of the DLL – the DllEntryPoint function. The PE code then creates a new thread, which is an entry point for the exploit itself, and the main thread simply waits until it stops.
Source: Securelist
Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps
A phishing campaign has been discovered that doesn’t target a recipient’s username and password, but rather uses the novel approach of gaining access to a recipient’s Office 365 account and its data through the Microsoft OAuth API.
Almost all Microsoft Office 365 phishing attacks that we see are designed to steal a user’s login name and password by impersonating a Microsoft login landing page.
In a phishing campaign discovered by threat intelligence and mitigation firm PhishLabs, attackers are no longer targeting a user’s login credentials, but are now using Microsoft Office 365 OAuth apps to hijack a recipient’s account.
Source: BleepingComputer
Snatch ransomware reboots PCs into Safe Mode to bypass protection
The Sophos Managed Threat Response (MTR) team and SophosLabs researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process. The attackers may be using this technique to circumvent endpoint protection, which often won’t run in Safe Mode.
Source: Sophos News
DNS over HTTPS’ threat to enterprise security
DNS over HTTPS (DoH) is here, regardless of who likes it or not. Unfortunately, a majority of guidance surrounding DoH is centered around individual consumer perspectives. For enterprise security leaders looking to manage the risks of DoH, that hasn’t been entirely helpful.
To clarify the impacts of DoH on enterprise networks and how to manage them, I recently spoke with Chairman and CEO of Farsight Security, Paul Vixie. Below is a summary of the main points we covered.
In the year since the Internet Engineering Task Force (IETF) first published it as a standard, its impact on security and network operations has rightly been the subject of debate and discussion.
Despite this, a number of browser vendors have already rolled out support for DoH, including Chrome and Firefox. Their official goal? To add privacy to internet communications. Microsoft has also announced DoH support in its Windows operating system, though in a different way than the browsers.
Source: HelpNetSecurity
Unsecured AWS bucket exposes over 750,000 birth certificate applications
Penetration testing firm Fidus Information Security discovered over 752,000 birth certificate applications that have been exposed online due to an unsecured AWS bucket.
The huge trove of personal data has been exposed online by an unnamed company that allows its customers to get copies of their birth and death records from state governments in the United States.
“More than 752,000 applications for copies of birth certificates were found on an Amazon Web Services (AWS) storage bucket. (The bucket also had 90,400 death certificate applications, but these could not be accessed or downloaded.)” reads the post published by TechCrunch. “The bucket wasn’t protected with a password, allowing anyone who knew the easy-to-guess web address access to the data.”
The bucket also contained 90,400 death certificate applications, which in any case could not be accessed.
Source: Security Affairs
The Origins of Cyberpunk Documentary | Neuromancer, Blade Runner, Shadowrun, Akira
Let’s take a journey back to the 1980’s and beyond, to discover the origins of the Cyberpunk movement, in literature, cinema, television, video games, comics and more! In this documentary miniseries, we will discover the wonders of Cyberpunk, dating back to the 1940’s, all the way through 1989, with each successive episode taking on a new decade.
Source: Indigo Gaming
Love Actually… But With a Cat!
This has to be one of the most adorable things I have ever seen! The famous “To me you are perfect” scene from Love Actually, but with a cat!
Source: OwlKitty
Wonder Woman 1984’s First Trailer Is Here to Bring Justice to the Reagan Era
Diana’s back, this time in the glitz, glamor, and the glut of corruption of the 1980s. Greed is good, baby, though I imagine Wonder Woman might not agree.
Finally, after a far-too-long wait, the first trailer for Wonder Woman 1984, the sequel to Patty Jenkins’s Wonder Woman, is here, with Gal Gadot and Chris Pine back in tow as Wonder Woman and her best dude pal, Steve Trevor. They’re also joined by Kristen Wiig, who will be playing the classic Wonder Woman villain Cheetah, and Pedro Pascal as businessman Maxwell Lord.
Source: Gizmodo