Saturday, April 1, 2017

Cyber Updates - 01/04

Hey all,
Here are this week's cyber updates:


(1) Facial recognition is one of the most promising features of the new Galaxy S8 as it offers users with the ability to unlock the mobile phone based on the user’s face – a fingerprint is not required! Users should simply hold their Galaxy S8 in front of their eyes or their entire face, as if they were taking a selfie, in order to unlock their phone.

However, users might have to think twice before activating this feature as it was bypassed by showing the mobile phone with a picture of the user, thus allowing any malicious user to gain access to a stolen phone.

And here’s a PoC video: https://youtu.be/uS1NmvJvHNk

(2) Github users were subjected to a targeted phishing campaign: users have received an email offering them a new job based on their Github repo. The email also contained an attachment with the job description. Once opened, a macro was executed to run powershell and install a Trojan on the infected workstattion.

What’s interesting to note about this malware (known as Dimnie) is that it sends a GET request to a C&C server, but with the host header of Google (toolbarqueries.google.com and gmail.com), thus disguising its activity from unsuspecting SOC teams.

SOC & IR teams are advised to verify the target IP address is in fact owned by Google, and not rely solely on the GET URI.


(3) A new variant of the Mirai botnet is out there, and it is sophisticated than ever. 
Incapsula has managed to detect a new variant of the malware, which targets the website with application-layer attacks, thus causing it harder to defend against. In the reported case, a US college was targeted last month, resulting in 54 hours of the website’s unavailability. 


And if you fear your website might be the victim of a future attack, be sure to check Comsec’s DDoS readiness/simulation service by contacting me at dang@comsecglobal.com

(4) In the previous Cyber Updates post, I’ve mentioned that Chrome is about to distrust Symantec’s EV certificates. Security researcher Chris Byrne may have found the reason why – it appears that Symantec provides their resellers with an API that contains a UID. By changing the UID to another client’s UID, an unauthenticated user can gain access to other customers' private keys.


Stay tuned for more updates,

Dan Gurfinkel
Head of Offensive Security & Response Unit