(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Enlarge (credit: D-Link)

Home routers from 10 manufacturers, including Linksys, DLink, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That's according to secret documents posted Thursday by WikiLeaks.

CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it's likely modifications would allow the implant to run on at least 100 more.

(credit: WikiLeaks)

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a "FlyTrap" that beacons a CIA-controlled server known as a "CherryTree." The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a "Mission" consisting of specific tasks tailored to the target. CIA operators can use a "CherryWeb" browser-based user interface to view Flytrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

Read 8 remaining paragraphs | Comments


E-mail scams, phishing and social engineering is something that we (security people) became really used to. Even from the penetration testing engagements I do, when we utilize social engineering, it width:550px" />

Of course, none of the users that receive this e-mail would have taken this trip so the phisher in this case is trying to get people to click on the link to dispute the received receipt.

See the domain? uberdisputes.com is not an Uber width:600px" />

After logging in, in order to dispute the receipt, the site would ask for the credit card number, of course, so the victim can be reimbursed. You can probably guess what happened with the credit card after submission

While all this is nothing particularly amazing, what I do find unbelievable is how easy it is for the bad guys to get certificates for such web sites. Although there has been a lot of discussion about how Let width:280px" />

(Small rage: I wonder who was the GENIUS in Google that decided to remove SSL/TLS certificate information from the lock icon in Google Chrome. Yeah, it was a great idea to make users open Developer Tools to see it grrrr).

Such cases are very common and always make me wonder why both CAs and big companies do not do the following:

  • For CAs, they should have a list of critical keywords of big players that are commonly used in attacks. For example, I would not let automatic systems issue a certificate for a domain such as microsoft-software.com (it belongs to Microsoft luckily),
  • For big(ger) companies, I would try to register/buy most domains that are similar to the companys name, and especially those that can be potentially used for phishing.


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Researchers at PhishLabs recently spotted a trend emerging in malicious websites presented to customers: mobile-focused phishing attacks that attempt to conceal the true domain they were served from by padding the subdomain address with enough hyphens to push the actual source of the page outside the address box on mobile browsers.

"The tactic we're seeing is a tactic for phishing specifically mobile devices," said Crane Hassold,  a senior security threat researcher at PhishLabs’ Research, Analysis, and Intelligence Division (RAID).

Hassold called the tactic "URL padding," the front-loading of the Web address of a malicious webpage with the address of a legitimate website. The tactic, he said, is part of a broad credential-stealing campaign that targets sites that use an e-mail address and password for authentication; PhishLabs reports that there has been a 20 percent increase overall in phishing attacks during the first quarter of 2017 over the last three months of 2016. The credentials are likely being used in other attacks based on password reuse.

Read 6 remaining paragraphs | Comments

Mozilla Firefox Multiple Security Vulnerabilities
CVE-2017-9613: Stored Cross-Site Scripting in SAP successfactors
[slackware-security] bind (SSA:2017-165-01)
[SECURITY] [DSA 3881-1] firefox-esr security update
[slackware-security] mozilla-firefox (SSA:2017-165-02)
Internet Storm Center Infocon Status