Weekly Cybersecurity Roundup #7
"Amateurs hack systems, professionals hack people" - Bruce Schneier
Zoom to add end-to-end encryption with Keybase acquisition
Zoom has acquired secure messaging and identity management firm Keybase as it looks to shore up the security capabilities of its platform with end-to-end encryption.
The acquisition will give Zoom access to Keybase’s encryption technology, used to secure online identities, as well as its team of engineers. Launched in 2014, Keybase lets users encrypt social media messages and shared files with public key encryption to ensure that communications stay private.
Keybase’s cofounder Max Krohn will now head up Zoom’s security team, Zoom said. Krohn’s new role was first detailed by CNBC.
Hackers Use a Fake Image Hosting Website as a Decoy to Launch E-Skimming Attacks
In what is said to be one of the most creative hacking techniques to date, a group of hackers built a fake image hosting website to disguise their web skimming operations. The aim is to deploy malicious code that steals payment card details from users of infected websites. Security researchers refer to this technique as e-skimming, web skimming, or a Magecart attack. In this kind of operation, the attackers compromise a website and insert malicious code into its web pages.
Black Hat and Def Con security conferences go virtual due to pandemic
Def Con and Black Hat announced today that their upcoming security conferences in Las Vegas this summer will no longer be in-person and are instead moving to an all-virtual event.
Every summer, large groups of security researchers, law enforcement, government agencies, security companies, the media, and hackers descend upon Las Vegas for the Black Hat and Def Con security conferences where they learn about the latest security research and threats.
Black Hat 2020 was scheduled for August 1st - 6th, and Def Con 28 was to follow it on August 7th - 9th.
One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch
Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices.
It appears no user interaction is required: if Samsung's messaging app bundled with phones since 2015 receives a booby-trapped MMS, it will parse it automatically before the user even opens it. This will trigger a vulnerability in the Skia graphics library, used by the app to decode the message's embedded Qmage image. The end result is code execution on the device, allowing the miscreant who sent it to potentially snoop on their victim and come up with other mischief.
The remote-code execution flaw, labeled SVE-2020-16747, was discovered and reported by Google Project Zero's Mateusz Jurczyk. You can find an in-depth explanation of the bug here.
Rowhammer memory attacks close in on the real world
This theoretical security problem is becoming all too real. Expect to see a major Rowhammer security exploit within the next year as attackers tap GPUs, FPGAs and more to accelerate the process. Here's how to protect yourself.
Phishing Campaigns Threaten Users With Fear of Disruption of Essential Services
Hackers have been using fake messages related to essential services to craft their scams. They typically pose as a service provider and threaten victims with the discontinuation of an essential service unless immediate action is taken. The Italian postal service provider Poste Italiane is the latest brand to be added to the list of lures used by these attackers.
Sodinokibi ransomware can now encrypt open and locked files
The Sodinokibi (REvil) ransomware has added a new feature that allows it to encrypt more of a victim's files, even those that are opened and locked by another process.
Some applications, such as database or mail servers, will lock files that they have open so that other programs cannot modify them. These file locks prevent the data from being corrupted by two processes writing to a file at the same time.
When a file is locked, this also prevents ransomware from encrypting it without first shutting down the process that holds the lock.
For this reason, many ransomware infections will attempt to shut down database servers, mail servers, and other applications that perform file locking before encrypting a computer.
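Because the pre-encryption step described above (stopping database, mail and other file-locking services in quick succession) is visible in process-creation telemetry, it makes a useful detection. The following added example (not from the article or from any vendor's product) runs a simple burst detector over constructed sample log lines; the log format, the service name patterns and the thresholds are assumptions and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation log lines (not real telemetry).
# WS01 shows the ransomware pattern: several locking services stopped within
# seconds. WS02 shows a single stop/start during routine maintenance.
SAMPLE_LOG = """\
2020-05-07T10:00:01 host=WS01 user=admin cmd="net stop MSSQLSERVER"
2020-05-07T10:00:03 host=WS01 user=admin cmd="net stop MSExchangeIS"
2020-05-07T10:00:05 host=WS01 user=admin cmd="taskkill /f /im sqlservr.exe"
2020-05-07T10:00:09 host=WS01 user=admin cmd="sc stop MySQL"
2020-05-07T11:30:00 host=WS02 user=dba cmd="net stop MSSQLSERVER"
2020-05-07T13:00:00 host=WS02 user=dba cmd="net start MSSQLSERVER"
"""

LINE = re.compile(r'^(\S+) host=(\S+) user=(\S+) cmd="(.*)"$')
# Commands that stop a service or kill a process; group 1 is the target name.
STOP_CMD = re.compile(
    r'^(?:net\s+stop|sc\s+stop|taskkill\s+/f\s+/im)\s+"?(\S+?)"?\s*$', re.IGNORECASE)
# Assumed list of services/processes that commonly hold files open (tune locally).
LOCKING_TARGETS = re.compile(
    r"\b(mssql|sqlservr|mysql|postgres|oracle|msexchange|exchange|veeam|backup)",
    re.IGNORECASE)

def parse_stop_events(text):
    """Return (timestamp, host, user, cmd) for every stop of a file-locking service."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, host, user, cmd = m.groups()
        s = STOP_CMD.match(cmd)
        if s and LOCKING_TARGETS.search(s.group(1)):
            events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events

def find_stop_bursts(text, window_seconds=60, threshold=3):
    """Alert once per host when >= threshold locking services are stopped within the window."""
    per_host = defaultdict(list)
    for ev in parse_stop_events(text):
        per_host[ev[1]].append(ev)
    alerts, window = [], timedelta(seconds=window_seconds)
    for host, evs in per_host.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "first": evs[start][0].isoformat(),
                               "commands": [e[3] for e in evs[start:end + 1]]})
                break
    return alerts
```

On the sample above the detector raises one alert for WS01 and none for WS02, which is the distinction between an encryption run and a DBA restarting a service.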
Introducing Blue Mockingbird
Blue Mockingbird is the name we’ve given to a cluster of similar activity we’ve observed involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. They achieve initial access by exploiting public-facing web applications, specifically those that use Telerik UI for ASP.NET, followed by execution and persistence using multiple techniques (check out my colleague Jesse Brown’s new blog for details on Blue Mockingbird’s COR_PROFILER persistence mechanism). During at least one incident, the adversary used proxying software and experimented with different kinds of reverse shell payloads to connect to external systems. The earliest Blue Mockingbird tools we’ve observed were created in December 2019.