Friday, July 19, 2019

Spearphone: an attack on Android phones

    A team of cybersecurity researchers - Abhishek Anand, Chen Wang, Jian Liu, Nitesh Saxena, and Yingying Chen - have discovered and demonstrated a new side-channel attack that could potentially allow apps to listen in on the voice coming through an Android phone’s loudspeakers without requiring any device permissions.

    This new attack has been named Spearphone. It works by taking advantage of the accelerometer built into most Android phones. An accelerometer is a sensor that can detect and monitor the movement of a phone, such as being shaken, tilted, or lifted up. The accelerometer can be accessed by any app without requesting any permissions.

    According to The Hacker News, “Since the built-in loudspeaker of a smartphone is placed on the same surface as the embedded motion sensors, it produces surface-borne and aerial speech reverberations in the body of the smartphone when loudspeaker mode is enabled.” Sound is vibration travelling through a medium; it transfers energy to our eardrums, which turn the mechanical vibrations into electrical signals that our brains interpret as sound. This attack bypasses the need for a microphone: the accelerometer in the phone itself takes the place of the audio receiver and converts the sound waves into electrical signals.

    As a proof-of-concept, the researchers created an Android application designed to record speech reverberations using the accelerometer and send the captured data back to an attacker-controlled server. The researchers have shown that this attack can successfully be used to spy on phone calls, listen to voice notes or multimedia, and spy on the use of an assistant such as Google Assistant or Bixby, as shown below.

    The research team believes the Spearphone attack is dangerous and has “significant value as it can be created by low-profile attackers.” The attack can also be used in gender classification with over 90% accuracy and speaker identification with over 80% accuracy. 
Read the full article here



Linux users, be aware


    In the world of malware, almost all malicious software is based around Windows desktop or Linux server systems. Part of this is due to the widespread use of these systems as well as the architecture of the Linux core operating system. This makes it even more surprising when researchers from Intezer recently discovered a desktop Linux spyware application dubbed EvilGnome that no security or antivirus scanners detect yet.

    EvilGnome is a collection of modules designed to spy on a user’s system and exfiltrate data to an external Command & Control (C2) server controlled by the attacker. It is designed to appear as an extension of the GNOME desktop environment for Linux.

    The malware is a self-extracting archive shell script that installs the modules and sets up persistence through use of the crontab. The modules are:
    • ShooterSound—records audio clips from the user’s microphone using PulseAudio.
    • ShooterImage—captures screenshots of the user’s desktop.
    • ShooterFile—scans the filesystem and is capable of filtering files by type and creation date.
    • ShooterPing—data exfiltration module, also capable of receiving new commands from the C2 server and stopping other modules from running.
    • ShooterKey—possible keylogger module that appears to be unfinished.

    Many of the modules appear to be very limited or missing some functionality. Also, metadata about the malware’s creation was included in the upload to VirusTotal, leading the researchers to believe this was a prototype version of the malware that was mistakenly released.

    Intezer researchers believe the malware to be tied to the Russian-affiliated group Gamaredon. Not only does EvilGnome use the same hosting provider as Gamaredon for C2 servers and similar domain names such as .space and .ddns, it was also found on an IP address controlled by Gamaredon 2 months ago and uses techniques and modules similar to Gamaredon’s collection of Windows tools. 
    To check whether a Linux system is infected, look for an executable called gnome-shell-ext in the ~/.cache/gnome-software/gnome-shell-extensions directory.
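The check above, as an added example that is not part of the post or of Intezer's write-up: a small script that looks for the gnome-shell-ext binary under the reported directory and for a crontab entry that points at it (the persistence mechanism the post describes). The crontab line format in the test is a constructed sample.

```python
import subprocess
from pathlib import Path

# Indicator quoted in the post: the implant is an executable named
# gnome-shell-ext under this directory in the user's home.
EVILGNOME_REL_DIR = ".cache/gnome-software/gnome-shell-extensions"
EVILGNOME_BINARY = "gnome-shell-ext"


def evilgnome_indicators(home, crontab_text):
    """Check one user's home directory and crontab text for EvilGnome traces.

    Returns a list of human-readable findings (empty when nothing matched).
    """
    findings = []
    binary = Path(home) / EVILGNOME_REL_DIR / EVILGNOME_BINARY
    if binary.is_file():
        executable = bool(binary.stat().st_mode & 0o111)
        findings.append(f"implant binary present: {binary} (executable={executable})")
    # Persistence: the dropper installs a cron job, so flag any non-comment
    # crontab line that points into the implant directory or names the binary.
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if EVILGNOME_REL_DIR in entry or EVILGNOME_BINARY in entry:
            findings.append(f"crontab persistence: {entry}")
    return findings


def current_user_crontab():
    """Best-effort read of the invoking user's crontab ('' if none or unavailable)."""
    try:
        result = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    except OSError:
        return ""
    return result.stdout if result.returncode == 0 else ""


if __name__ == "__main__":
    hits = evilgnome_indicators(Path.home(), current_user_crontab())
    for finding in hits or ["no EvilGnome indicators found"]:
        print(finding)
```

Run it as each interactive user (the indicator lives under the user's home and in the user's crontab, not system-wide).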


Sources:

https://thehackernews.com/2019/07/linux-gnome-spyware.html

https://www.bleepingcomputer.com/news/security/new-evilgnome-backdoor-spies-on-linux-users-steals-their-files/

https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/

Thursday, July 18, 2019

A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data: NIST Publishes NISTIR 8221


Hardware/Server Virtualization is a foundational technology in a cloud computing environment and the hypervisor is the key software in that virtualized infrastructure. However, hypervisors are large pieces of software with several thousand lines of code and are therefore known to have vulnerabilities. Hence, a capability to perform forensic analysis to detect, reconstruct and prevent attacks based on vulnerabilities on an ongoing basis is a critical requirement in cloud environments.

To gain a better understanding of recent hypervisor vulnerabilities and attack trends, identify forensic information needed to reveal the presence of such attacks, and develop guidance on taking proactive steps to detect and prevent those attacks, NIST has published NIST Internal Report (NISTIR) 8221, “A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data.” NISTIR 8221 outlines a methodology to enable this forensic analysis, and illustrates the methodology using two open-source hypervisors—Xen and Kernel-based Virtual Machine (KVM). The source for vulnerability data is NIST’s National Vulnerability Database (NVD).

Publication details:
https://csrc.nist.gov/publications/detail/nistir/8221/final


CSRC Update:
https://csrc.nist.gov/news/2019/nist-publishes-nistir-8221 

Draft NIST Cybersecurity White Paper on Understanding Emerging Blockchain Identity Management Systems


NIST announces the release of a Draft Cybersecurity White Paper, A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems (IDMS), which provides an overview of the standards, building blocks, and system architectures that support emerging blockchain-based identity management systems and selective disclosure mechanisms. The document also considers the full spectrum of top-down versus bottom-up governance models for both identifier and credential management and addresses some of the risks and security concerns that may arise. The terminology, concepts, and properties introduced in this work can facilitate communications amongst business owners, software developers, cybersecurity professionals within an organization, and individuals who are or will be using such systems.

A public comment period for this document is open until August 9, 2019. See the publication details link for a copy of the document and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/white-paper/2019/07/09/a-taxonomic-approach-to-understanding-emerging-blockchain-idms/draft


CSRC update:
https://csrc.nist.gov/news/2019/draft-white-paper-emerging-blockchain-idms

Saturday, July 13, 2019

NCSC Releases Advisory on Ongoing DNS Hijacking Campaign



Original release date: July 12, 2019

The United Kingdom’s National Cyber Security Centre (NCSC) has released an advisory about an ongoing Domain Name System (DNS) hijacking campaign. The advisory details risks and mitigations for organizations to defend against this campaign, in which attackers use compromised credentials to modify the location to which an organization’s domain name resources resolve to redirect users, obtain sensitive information, and cause man-in-the-middle attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC Advisory, apply the recommended mitigations, and refer to CISA’s Alert AA19-024A – DNS Infrastructure Hijacking Campaign for more information.
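One of the mitigations behind this advisory is to compare a zone's records against a known-good baseline and alert when delegation, mail or host records change. The script below is an added example, not part of the NCSC or CISA advisories; the domain names and addresses are constructed samples (reserved .test TLD, RFC 5737 documentation ranges), and in practice OBSERVED would come from querying the zone's authoritative servers.

```python
# Record sets keyed by owner name, then by record type; values are sets
# of rdata strings so the comparison is order-independent.
# Constructed sample: what the organisation registered for its zone.
BASELINE = {
    "example-corp.test": {
        "NS": {"ns1.example-corp.test.", "ns2.example-corp.test."},
        "A": {"203.0.113.10"},
        "MX": {"10 mail.example-corp.test."},
    },
    "webmail.example-corp.test": {"A": {"203.0.113.20"}},
}

# Constructed sample of a later lookup: one authoritative name server and
# the webmail address now differ from the registered values.
OBSERVED = {
    "example-corp.test": {
        "NS": {"ns1.example-corp.test.", "ns-foreign.test."},
        "A": {"203.0.113.10"},
        "MX": {"10 mail.example-corp.test."},
    },
    "webmail.example-corp.test": {"A": {"198.51.100.7"}},
}

# A changed delegation or mail exchanger redirects a whole zone or its
# mail flow, so it outranks a single host record change.
SEVERITY = {"NS": "critical", "MX": "critical"}


def diff_records(baseline, observed):
    """Return one alert per (name, type) whose rdata set differs from the
    baseline; a name or type missing from `observed` counts as removed."""
    alerts = []
    for name, expected in baseline.items():
        got = observed.get(name, {})
        for rtype, want in expected.items():
            have = got.get(rtype, set())
            added, removed = have - want, want - have
            if added or removed:
                alerts.append({
                    "name": name, "type": rtype,
                    "added": sorted(added), "removed": sorted(removed),
                    "severity": SEVERITY.get(rtype, "high"),
                })
    return alerts


if __name__ == "__main__":
    for a in diff_records(BASELINE, OBSERVED):
        print(f"[{a['severity']}] {a['name']} {a['type']}: +{a['added']} -{a['removed']}")
```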

Wednesday, July 10, 2019


Saturday, July 6, 2019

First-ever malware strain spotted abusing new DoH (DNS over HTTPS)

Godlua, a Linux DDoS bot, is the first-ever malware strain seen using DoH to hide its DNS traffic.
Go here to read about this from Catalin Cimpanu @ ZDNet.