A coalition of researchers and cryptographers is urging the Guardian to retract a story it published last week that suggested the encrypted messaging app WhatsApp contained a backdoor.
Source: Threatpost

Mike Mimoso, Tom Spring, and Chris Brook discuss security-wise what they hope will and won’t change under a Trump presidency, then discuss the news of the week, including SHA-1 deprecation, Carbanak’s return, and the WhatsApp “backdoor” debacle.
Source: Threatpost

A Turkish hacker is advertising a new DDoS platform, dubbed Surface Defense, in the hacking underground (Translation to English).

According to the security firm Forcepoint, the hacker started promoting the DDoS platform in Turkey. He was offering a tool known as Balyoz, the Turkish word for Sledgehammer, which can be used to launch powerful DDoS attacks against a select number of websites.

The hacker rewards customers with a point for every ten minutes they hit a website. The prizes offered to users of the Sledgehammer platform include a more powerful DDoS attack tool, malicious code that can be used to scare the victim with sounds and images, and access to a click fraud botnet that could allow them to earn money.

The researchers found that the DDoS platform has been advertised on Turkish hacking forums, but Forcepoint does not know how many participants this gamification of DDoS attacks has recruited.

The list of websites targeted by the tool consists of 24 political websites with a specific position regarding Turkey.

“Most, if not all, of the targets identified on the target list were chosen because of their political position with regards to Turkey. Kurdistan was prominent, with organizations such as the Kurdistan Workers Party (PKK) and its military wing the People’s Defense Force (HPG) being targeted. But the German Christian Democratic Party (CDU) was also among the targets, as was the Armenian Genocide archive run by the Armenian National Institute in Washington DC” continues the report.

Surface Defense DDoS platform

Users can also suggest new websites to include in the list of targets, and the platform displays a live scoreboard for participants in the attacks.

The author of the DDoS platform has implemented a series of rules governing the use of and access to Surface Defense; for example, participants may run the tool on only a single machine, a measure intended to ensure fairness during the competition.

But Forcepoint noticed that the DDoS attack tool given to participants also contains a backdoor that secretly installs a Trojan on their computers. According to Forcepoint, the backdoor is triggered if a participant has been banned from the competition.

“When we began to reverse engineer the software, taking it apart in order to analyze what it did, we discovered a backdoor. Whoever wrote this software gave themselves the opportunity to compromise the computers of those participating in the “game”.” continues the report. “What we know about the author is that they have already produced a number of “malicious” tools written in C#/.NET, which they describe on a YouTube channel. However, the evidence in the author’s videos combined with other data points collated during the investigation, led us to hypothesize that it is a realistic possibility this author may work for a Turkish defense contractor which supplies, amongst other things, signals intelligence (SIGINT) systems”

Who is the hacker behind the Surface Defense platform?

Experts believe he is a hacker using the online moniker “Mehmet,” based in the city of Eskisehir (Turkey).

Enjoy the Surface Defense!


Pierluigi Paganini

(Security Affairs – Surface Defense, DDoS platform)

The post Surface Defense DDoS platform – Gamification of attacks appeared first on Security Affairs.

Source: securityaffairs

For the second time in a few days, security experts spotted a backdoor in the firmware of low-cost Android devices.

Last week, security experts from the firm Kryptowire discovered a backdoor in the firmware installed on low-cost Android phones. The backdoor affects mobile phones from BLU Products that are on sale on both Amazon and Best Buy.

The backdoor resides in the commercial Firmware Over The Air (FOTA) update software that is installed on BLU Android devices provided as a service to BLU by AdUps.

Now researchers from AnubisNetworks have discovered that third-party firmware included in more than 2.8 million low-cost Android devices could be exploited to hijack the smartphones’ Over-the-Air (OTA) updates and gain root privileges.

The firmware affected by the backdoor is developed by the Chinese company Ragentek Group. The problem is the lack of encryption in the OTA mechanism, which exposes users to MITM attacks: the analysis revealed that the Ragentek firmware running on the smartphones implements an insecure Over-the-Air update mechanism that establishes an unprotected connection to remote servers over an unencrypted communications channel.

Compared to the Adups backdoor discovered a few days ago, the Ragentek firmware did not collect user data, but a malicious update could add that kind of behaviour as well.

Experts highlighted that the OTA mechanism is pre-installed on millions of devices and runs as root without SSL protection, a perfect backdoor for attackers.

“It allowed for adversaries to remotely execute commands on the devices as a privileged user if they were in a position to conduct a Man-in-the-Middle attack. The binary responsible appears to be an insecure implementation of an OTA (Over-the-air) mechanism for device updates associated with the software company, Ragentek Group, in China.” reads the analysis published by AnubisNetworks.

“All transactions from the binary to the third-party endpoint occur over an unencrypted channel, which not only exposes user-specific information during these communications, but would allow an adversary to issue commands supported by the protocol. One of these commands allows for the execution of system commands. This issue affected devices out of the box.”

The discovery was made after a researcher bought a BLU Studio G smartphone from Best Buy, a circumstance similar to the previous discovery made by the experts at Kryptowire.

The researchers from AnubisNetworks made another disconcerting discovery: the firmware components that implement the OTA update mechanism also include code to hide its presence from the Android OS. This means there is no evidence of ongoing OTA updates in the list of active Android processes.

Furthermore, the OTA code was distributed with a set of domains preconfigured in the binary. Surprisingly, only one of these domains was registered at the time the issue was discovered, meaning that an adversary who registered the remaining two domains could potentially send malicious updates to almost 3,000,000 devices. AnubisNetworks bought these two domains to prevent any abuse.

Several low-price Android models are affected by the issue, mostly from BLU Products; other impacted vendors are Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO.

low-cost Android device backdoor

AnubisNetworks, together with Google, BLU, and US-CERT, is notifying all affected vendors. US-CERT has also issued a public advisory on the disconcerting discovery.

Below is the list of affected devices reported by US-CERT:

  • BLU Studio G
  • BLU Studio G Plus
  • BLU Studio 6.0 HD
  • BLU Studio X
  • BLU Studio X Plus
  • BLU Studio C HD
  • Infinix Hot X507
  • Infinix Hot 2 X510
  • Infinix Zero X506
  • Infinix Zero 2 X509
  • DOOGEE Voyager 2 DG310
  • LEAGOO Lead 5
  • LEAGOO Lead 6
  • LEAGOO Lead 3i
  • LEAGOO Lead 2S
  • LEAGOO Alfa 6
  • IKU Colorful K45i
  • Beeline Pro 2
  • XOLO Cube 5.0

Pierluigi Paganini

(Security Affairs – low-cost Android devices, backdoor)

The post A second backdoor in a week discovered in firmware of Chinese low-cost Android devices appeared first on Security Affairs.

Source: securityaffairs

A new attack tool devised by security researcher Samy Kamkar will leave you wishing you could take your computer with you everywhere you go. Dubbed PoisonTap, the tool consists of a Raspberry Pi Zero controller with a USB or Thunderbolt plug, loaded with open source software. All in all, this setup can be achieved by anyone who has $5 to spare. What is PoisonTap capable of, you ask? Plugged into a locked/password protected computer, it …
Source: helpnetsecurity

Due to Google’s public release of information about an actively exploited Windows zero-day, Microsoft was forced to offer its own view of things and more information about the attack. The vulnerability is just one part of the attack chain leveraged by the Strontium (aka Fancy Bear, aka APT28) hacker group, which is widely believed to be behind the DNC and John Podesta email hacks, and backed by the Russian government. “This attack campaign, originally identified …
Source: helpnetsecurity