Zero-Days in Counter Strike client could be used to build a major botnet, huge aluminum plants hit by ‘severe’ ransomware attack, Myspace loses 50 million songs in server migration, wifi signals can reveal your password, and PuTTY in your hands: an SSH client gets patched after RSA key exchange memory vulnerability was spotted! Ralf Hund from VMRay joins us for expert commentary to discuss the Evolution of GandCrab!
- Zero-Days in Counter-Strike Client Used to Build Major Botnet – This a really neat attack: A player launches the official Steam client and selects a game server,” researchers said. “Upon connecting to a malicious server, it exploits an RCE vulnerability, uploading … malicious libraries to a victim’s device. Depending on the type of vulnerability, one of two libraries will be downloaded and executed: client.dll (Trojan.Belonard.1) or Mssv24.asi (Trojan.Belonard.5). The trojan was spread by already infected clients advertising low-ping servers, in this case they are proxies run by the attacker, continually infecting new hosts. Also, people still play this version of CounterStrike? I personally have been camping in one for about 10 years…
- Beto ORourkes secret membership in Americas oldest hacking group – I think this is really cool: There is no indication that O’Rourke ever engaged in the edgiest sorts of hacking activity, such as breaking into computers or writing code that enabled others to do so. But his membership in the group could explain his approach to politics better than anything on his resume. His background in hacking circles has repeatedly informed his strategy as he explored and subverted established procedures in technology, the media and government. I am also excited to learn about a new book being released about the cDc: “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World Hardcover” by Joseph Menn due to be released this summer.
- Huge aluminium plants hit by ‘severe’ ransomware attack – Hydro, which employs more than 35,000 people in 40 countries, says the attack began on Monday night and is ongoing. Some of the company’s factories have been forced to halt production though other facilities, including its power plants, are functioning normally. It was a ransomeware attack, and they do have backups, but are working on removing the malware from systems before a complete restore. They are also communicating their status via social media. Communication is key in times of chaos!
- PSA: Dont Store 2FA Codes in Password Managers – Password managers have limits: For many users, this is still too inconvenient — they still need to have their phone, and now they need to proactively generate a code instead of just waiting for an SMS message, so password managers have started to offer TOTP generation features. The password manager scans the QR code when the user signs up, and then when they go to log in the password manager can input their username, password, and 2FA code all at once. Super convenient! There’s just one issue: the user just turned their secure two factor authentication method into a single factor — their password manager.
- MySpace loses 50 million songs in server migration – Over 50 million songs up until 2015 are no longer available and officially MySpace says: As a result of a server migration project, any photos, videos, and audio files you uploaded more than three years ago may no longer be available on or from Myspace. We apologize for the inconvenience and suggest that you retain your back up copies. If you would like more information, please contact our Data Protection Officer. What will we do without 15 years of MySpace music? Somehow I believe we will press on…
- Epic in hot water over Steam-scraping code – Not cool: Last week, players found it gathering information about their accounts on rival online gaming service Steam, and Reddit was up in arms. Reddit user notte_m_portent alerted Fortnite users to alleged suspicious activity in the Epic Game Launcher, which controls the Fortnite software. They claimed that it was watching other processes on the machine, reading root certificates, and storing hardware information in the registry, among other things. Stay in your lane Epic.
- Wi-fi Signals Can Reveal Your Password – did you know that you can detect someone’s breathing and heart rate, even if you are in the next room? Well you can, as the breathing and skin movements affect the propagation of wi-fi signals, and the changes in the wi-fi signal can be detected for even the smallest of movements This movement includes when you enter your PIN on your phone, and academic research states that in their test they had about an 80% accuracy rate when using WiFi to grab your pin! Tin foil hats, and screen protectors FTW?
- PuTTY in your hands: SSH client gets patched after RSA key exchange memory vuln spotted – Time to update PuTTY: The fixes implemented on PuTTY over the weekend include new features plugging a plethora of vulns in the Telnet and SSH client, most of which were uncovered as part of an EU-sponsored HackerOne bug bounty. Version 0.71 of PuTTY includes fixes for: A remotely triggerable memory overwrite in RSA key exchange, which can occur before host key verification, Potential recycling of random numbers used in cryptography, On Windows, hijacking by a malicious help file in the same directory as the executable, On Unix, remotely triggerable buffer overflow in any kind of server-to-client forwarding, multiple denial-of-service attacks that can be triggered by writing to the terminal
- Mirai variant picks up new tricks, expands list of targeted devices – Help Net Security – This latest variant, spotted by Palo Alto Networks researchers, uses 27 exploits, 11 of which are new to it, and wields four new sets of default login credentials to brute-force devices with. The newer exploits are for targeting the aforementioned LG and WePresent devices, DLink network video cameras and routers, Zyxel routers, and assorted Netgear devices, routers and wireless controllers.
- NSAs Ghidra Reverse-Engineering Tool Can Be Used for RCE – The Ghidra project loading process in version 9.0 and below contains an XML external entity (XXE) vulnerability; the issue was uncovered less than 24 hours after Ghidra was released, by a researcher with the handle @sghctoma.“This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser,” according to the group. “This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.”
Expert Commentary: Ralf Hund, VMRay
- GandCrab v5.2 – https://www.vmray.com/analyses/329b3ddbf1c0/report/overview.html
- GandCrab v5.0 – https://www.vmray.com/analyses/d77378dcc42b/report/overview.html
Paul Asadorian – CEO, Security Weekly.