
Abstract—Modern vehicles are required to comply with a range of environmental regulations limiting the level of emissions for various greenhouse gases, toxins and particulate matter. To ensure compliance, regulators test vehicles in controlled settings and empirically measure their emissions at the tailpipe. However, the black box nature of this testing and the standardization of its forms have created an opportunity for evasion.

Today, a new vulnerability affecting the widely used Samba software was released. Samba is the open-source implementation of the SMB/CIFS protocol used on Unix-like operating systems. CVE-2017-7494 has the potential to impact many systems around the world. An attacker who can write to a share on a vulnerable Samba server can upload a shared library to that share and then cause the server to load and execute it, giving remote code execution on the server.
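The two preconditions in that description, a vulnerable build and a share the attacker can write to, are what a defender checks first. The triage helper below is an added example written for this page; it is not code from the original post or from the Samba project. It encodes three facts from the upstream Samba advisory for CVE-2017-7494: Samba 3.5.0 and later is affected, the fixed security releases are 4.4.14, 4.5.10 and 4.6.4, and the documented workaround is `nt pipe support = no` in `[global]`. The function names, the `smb.conf` sample and the version banner are constructed for the example.

```python
import re

# Facts from the upstream Samba advisory for CVE-2017-7494 (not from the post
# above): affected from 3.5.0; fixed in the 4.4.14, 4.5.10 and 4.6.4 security
# releases; documented workaround is "nt pipe support = no" under [global].
FIRST_AFFECTED = (3, 5, 0)
FIXED_RELEASES = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}
YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}


def parse_version(banner):
    """Pull (major, minor, patch) out of `smbd --version` output such as
    'Version 4.5.8-Debian'. Returns None when no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(g) for g in m.groups()) if m else None


def upstream_version_vulnerable(version):
    """True/False judged by the upstream version number alone; None when the
    branch is affected but has no upstream fixed release listed above (e.g.
    4.3.x) or the version is unknown. Caveat: distributions backport the fix
    without bumping the upstream number, so True means "check the package
    changelog", not "exploitable"."""
    if version is None or version < FIRST_AFFECTED:
        return None if version is None else False
    branch = version[:2]
    if branch > (4, 6):
        return False            # branches cut after the fix landed
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    return version < fixed


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {normalised_key: value}}. Samba
    matches parameter names ignoring case and whitespace, and 'writable' /
    'writeable' are the inverse of 'read only' with the last one written
    winning, so all three are folded into one boolean 'writable' key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # comment leaders at line start
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", "", key).lower()
        value = value.strip().lower()
        if key == "readonly":
            sections[current]["writable"] = value in NO
        elif key in ("writable", "writeable"):
            sections[current]["writable"] = value in YES
        else:
            sections[current][key] = value
    return sections


def workaround_applied(conf):
    """True when [global] carries the upstream workaround nt pipe support = no
    (note: the advisory warns this breaks some Windows client functionality)."""
    return conf.get("global", {}).get("ntpipesupport") in NO


def writable_shares(conf):
    """Shares a client could drop a .so into, i.e. the attack precondition.
    Samba's default is read only = yes, so only explicit overrides count."""
    return sorted(name for name, opts in conf.items()
                  if name != "global" and opts.get("writable", False))


# Constructed sample input for the example (hypothetical host).
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   # nt pipe support = no     <- workaround present but commented out

[homes]
   read only = no

[public]
   path = /srv/public
   guest ok = yes
   writable = yes

[docs]
   path = /srv/docs
   writeable = no
"""


def triage(banner, conf_text):
    """Summarise the version and configuration findings for one host."""
    conf = parse_smb_conf(conf_text)
    version = parse_version(banner)
    return {
        "version": version,
        "upstream_vulnerable": upstream_version_vulnerable(version),
        "workaround_applied": workaround_applied(conf),
        "writable_shares": writable_shares(conf),
    }


if __name__ == "__main__":
    print(triage("Version 4.5.8-Debian", SAMPLE_CONF))
```

Run it against the real `smbd --version` output and `/etc/samba/smb.conf` of a host; a version that reports vulnerable together with a non-empty writable share list and no workaround is the combination to escalate. Because vendor packages carry backported fixes under old version strings, treat the version verdict as a prompt to read the package changelog rather than as proof either way.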

Server Message Block (SMB) is the protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 (NetBIOS session service) and 445 (direct SMB over TCP). In April 2017, the Shadow Brokers released an SMB exploit named “EternalBlue,” targeting a vulnerability that Microsoft had patched in security bulletin MS17-010.

An adventure of iteration and some fun technical details.


A paper capturing a comparison of pacemaker systems can be found here. While potential vulnerabilities were discovered in all pacemaker systems, the specifics of those issues will not be discussed in this post. All potential vulnerabilities discovered in this study have been or will be reported to DHS ICS-CERT.


MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed. Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator. You can simply create an import library like this and then call it from emulated code:

Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is auto-clicking adware found in 41 apps developed by a Korean company. The malware uses infected devices to generate large numbers of fraudulent clicks on advertisements, generating revenue for the perpetrators behind it. The malicious apps reached an astonishing spread of between 4.5 million and 18.5 million downloads.

Rarely does the release of an exploit have such a large impact across the world. With the recent leak of the NSA exploit tooling, we saw the effects of powerful tools in the wrong hands. On April 14, 2017, a group known as the Shadow Brokers released a large portion of the stolen cyber weapons in a leak titled “Lost in Translation.” This leak contained many exploits, some of which had already been patched a month earlier in the Microsoft SMB critical security update (MS17-010). However, many users had been unable to update their systems.

After identifying a spike in malicious Visual Basic scripts (VBScript) posted on paste sites, Recorded Future created an automated process using our API to automatically collect the command and control (C2) servers from each malicious VBScript. While reviewing the results, we identified a threat actor from Germany that goes by “Vicswors Baghdad.” This individual appears to be at least partially responsible for the identified malicious VBScripts posted to paste sites, and is actively editing an open source ransomware variant called “MoWare H.F.D”.