TL;DR: Additional, non-all-zeroes challenge strings to exploit Zerologon
The recently discovered Zerologon vulnerability (CVE-2020-1472) is one of the most dangerous Windows security issues exposed in recent years. Zerologon enables attackers to take over an entire Windows domain, and its criticality was therefore appropriately rated with the maximum, perfect CVSS score of 10.
Microsoft released a patch for this issue in August, but it got the attention it deserved only after the discovering party, Secura, released their technical report in September. Once the technical details were exposed, multiple exploits were publicly released, prompting an emergency directive for federal agencies to patch immediately. …
TL;DR: Hunting for real-world incidents in blockchain data sometimes leads to interesting insights and findings. In this case, we were able to find UCSF’s $1.14M ransom payment on the blockchain and correlate it to an additional $700K transaction. This potentially increases the paid UCSF ransom to over $1.8M.
Following our recent article on the $4M Bitcoin CWT ransomware payment, we continued to hone our blockchain hunting skills. Usually, these skills are used to protect ZenGo customers.
This time, however, we had a different focus. We managed to track down the $1.14M …
Digitally signed files are more trusted by the operating system. This higher trust allows such files to execute in sensitive contexts or to be excluded from antivirus scans. Consequently, attackers try to spoof these digital certificates to gain these extended privileges for their malicious code.
Earlier this year, Peleg Hadar and I worked together on some aspects of the CurveBall attack, a “spoofing bug” which allowed attackers to abuse a cryptographic flaw in Microsoft Windows’ implementation to pass off their malicious network traffic and files as validly signed.
TL;DR: Enterprise ransomware attacks are spiralling out of control. Victim companies are compelled to pay, using cyber-insurance as a “painkiller” that relieves the immediate pain but worsens the problem. Soon, regulators will have to step in and stop this vicious cycle, and the withdrawal symptoms will be harsh.
Reading business and security news, it seems that there is a sharp increase in enterprise ransomware. The victims are household names (Garmin, CWT, and Canon, to name a few mentioned in last week’s news) and ransom payments are in the millions.
Analyzing ransomware incident data reveals that this is not merely a subjective feeling: ransomware payments are indeed increasing at an exponential rate. …
TL;DR: We present a unique glimpse into Bitcoin money laundering practices, including a hack of more than $1.5M laundered via the Binance exchange.
A few days ago, CWT, the travel giant with more than $1B in revenue last year, was hit by the Ragnar Locker ransomware. The attackers encrypted data on CWT computers and exfiltrated some of it, threatening to expose the data unless a ransom was paid.
This story is not extraordinary by itself, as many companies and individuals have been hit by ransomware. However, it has a unique angle to it. While most ransomware cases occur behind closed doors, CWT and their attackers inadvertently left the trail of their conversations open to public view, providing a rare glimpse into the otherwise secret world of ransomware negotiations. …
Trigger Warning: This post uses COVID-19 pandemic analogies to discuss Ransomware. While we think these analogies are justified, we do recognize that some might find it offensive. If you do, just stop reading now.
Lately, we have all unwillingly become experts in protecting ourselves and our loved ones against the COVID-19 pandemic. While we may wish we never had to learn these hard lessons, they are still useful. We can take our newly acquired knowledge and awareness of human pandemics and apply it to defending our IT environments against network pandemics.
Ransomware has been around for quite some time, as attackers found its associated business model to be quite profitable. Ransomware attackers infect victims’ machines with malware that encrypts their data and demand a ransom to be paid in order to decrypt it. This model got an additional boost with the emergence of cryptocurrencies such as Bitcoin, which enabled attackers to receive the ransom money in a relatively anonymized manner. …
I am a sucker for “Load Bearing Analogies” (© Dan Kaminsky) in cryptography. If you have been following my stories, you have already noticed that. One of the best examples of such analogies is the well-known ECB penguin.
Therefore, when Zoom upgraded its encryption from ECB, I just had to pay homage to it.
Although the ECB issue is very well known within the crypto community, the tweet received some nice attention. …
Last month (Jan 14th 2020), Microsoft released a security update for Windows which includes a fix for a dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability (CVE-2020-0601, AKA CurveBall) was reported to Microsoft by the NSA. In this blog post, we will explore how defenders can detect the exploitation of this vulnerability.
Last week, Microsoft released a security update for Windows which includes a fix for a dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability (CVE-2020-0601, AKA CurveBall) was reported to Microsoft by the NSA.
In our previous blog post, we explained the cryptography principles behind CurveBall, enabling attackers to create an “evil twin” of a legitimate certificate.
This “evil twin” certificate is similar to the original certificate, as it shares the same public key (and some other features). …
Yesterday, Microsoft released a security update for Windows which includes a fix for a dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source. The vulnerability (CVE-2020-0601) was reported to Microsoft by the NSA.
The root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.