SSD Security Recap — February 5

Imriah
SSD Secure Disclosure
Feb 11, 2021

In this edition, we’ll talk about Google’s Project Zero and Libgcrypt, how NoxPlayer was used to push malware onto gamers’ systems, and of course we can’t go without speaking about the North Korean-backed hacker group targeting security researchers and threatening the community.

North Korean Campaign Targeting Researchers

Let’s begin with the story that has been troubling our community for the last few weeks: the campaign targeting security researchers, backed by the North Korean government.

This troubling news came to us through Google’s Threat Analysis Group (TAG). The group found that malicious actors backed by the North Korean government have been running a social engineering campaign against security researchers for the last few months.

The actors did this by establishing a research blog and multiple Twitter profiles. Using these fake profiles, they interacted with security researchers and posted links to their blog, which contained write-ups and analysis of vulnerabilities that had already been publicly disclosed.

The attackers would offer to collaborate on vulnerability research and then send the researcher a Visual Studio project. Alongside the exploit source code, the project contained an additional DLL that was executed through Visual Studio Build Events as soon as the project was built; the DLL is custom malware that immediately began communicating with attacker-controlled command-and-control domains, compromising the researcher.
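Because TAG’s advisory notes that the bundled DLL was run through Visual Studio Build Events, a quick check before opening a project someone sends you is to list every command MSBuild would execute for it. The script below is an added example (not code from TAG or from this post): it parses a .vcxproj/.csproj, pulls out every PreBuildEvent, PreLinkEvent and PostBuildEvent command and every Exec task, and flags the ones that match a watch-list. The sample project, the watch-list and the vendor\helper.dll path are constructed for illustration and are not indicators from the real campaign.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# MSBuild elements whose <Command> child Visual Studio executes when the project
# is built; <Exec> tasks inside <Target> elements do the same.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}

# Hypothetical watch-list (an assumption, not TAG's IOC list): strings that have
# no business in the build commands of a proof-of-concept project.
SUSPICIOUS_MARKERS = ("rundll32", "regsvr32", "powershell", "mshta",
                      "certutil", "-enc", ".dll")


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml: str) -> List[Dict[str, object]]:
    """Return every command MSBuild would run for this project, in document order."""
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        command = ""
        if name in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command":
                    command = (child.text or "").strip()
        elif name == "Exec":
            command = (elem.get("Command") or "").strip()
        if command:
            lowered = command.lower()
            findings.append({
                "kind": name,
                "command": command,
                "suspicious": any(m in lowered for m in SUSPICIOUS_MARKERS),
            })
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a project file on disk (utf-8-sig tolerates the BOM Visual Studio writes)."""
    with open(path, encoding="utf-8-sig") as fh:
        return find_build_commands(fh.read())


# Constructed sample project (not a real sample from the campaign): a pre-build
# event loading a bundled DLL, a harmless post-build copy, and an <Exec> task
# running an encoded PowerShell command.
SAMPLE_VCXPROJ = r"""<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)vendor\helper.dll",Init</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="powershell -w hidden -enc SQBFAFgA" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [scan_file(p) for p in paths] if paths else [find_build_commands(SAMPLE_VCXPROJ)]
    for findings in results:
        for f in findings:
            flag = "SUSPICIOUS" if f["suspicious"] else "review"
            print(f"[{flag}] {f['kind']}: {f['command']}")
```

Run it with one or more project paths as arguments; with no arguments it scans the constructed sample. Treat any hit as a reason to read the whole project, including imported .props and .targets files, before building it.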

TAG also found several cases where researchers were compromised just by visiting the malicious blog while running fully patched Windows 10 and Chrome. Shortly after the visit, a malicious service was installed on the researcher’s system and an in-memory backdoor began beaconing to an attacker-owned command-and-control server.

It appears the goal of this campaign was to steal exploits developed by the researchers and use them to stage further attacks on other victims.

Luckily, Google published all of its findings, including indicators of compromise, in an advisory. We advise you to take a look and check whether you had any contact with those Twitter profiles or websites, and remember to be cautious online.

Google Project Zero & Libgcrypt

Google’s Project Zero team found a heap buffer overflow in GnuPG’s Libgcrypt library, tracked as CVE-2021-3345, that can be exploited for remote code execution.

Libgcrypt is an open-source cryptographic library, used by GnuPG among others, that encrypts, decrypts and signs data and communications.

The flaw was introduced in version 1.9.0, released on January 19th, and was spotted on January 28th by Tavis Ormandy of Project Zero. He found that the overflow can be triggered simply by sending the victim a block of specially crafted data to decrypt: the heap buffer is overwritten with attacker-controlled data before any signature is checked, which can lead to the execution of attacker-supplied code.

Cryptographer Filippo Valsorda analysed the vulnerability and suggested that the bug stems from the memory-safety problems inherent in C and may be related to code added to defend against timing side-channel attacks.

So if you are using Libgcrypt version 1.9.0, we urge you to upgrade to 1.9.1 or later (the 1.8.x releases are not affected) and avoid becoming a victim.
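A quick way to check a host, as an added example that is not code from Project Zero or the GnuPG project: ask the installed library for its own version through gcry_check_version (or fall back to parsing gpg --version) and compare it against the single affected release. The sample gpg output embedded below is constructed; the library name lookup assumes the usual libgcrypt.so.20 / libgcrypt.20.dylib naming that ctypes.util.find_library resolves.

```python
import ctypes
import ctypes.util
import re
import subprocess
from typing import Optional, Tuple

# Only the 1.9.0 release carries the overflow (CVE-2021-3345); 1.9.1 fixed it
# and the 1.8.x branch never had the affected code.
AFFECTED = (1, 9, 0)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull a major.minor.patch triple out of '1.9.0' or 'libgcrypt 1.9.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_affected(version: str) -> bool:
    """True when the version string names the vulnerable 1.9.0 release."""
    return parse_version(version) == AFFECTED


def version_from_gpg_output(out: str) -> Optional[str]:
    """gpg --version prints one line per linked library, e.g. 'libgcrypt 1.9.0'."""
    for line in out.splitlines():
        if line.strip().lower().startswith("libgcrypt"):
            return line.split()[-1]
    return None


def installed_version() -> Optional[str]:
    """Ask the shared library itself, then fall back to gpg --version; None if neither works."""
    name = ctypes.util.find_library("gcrypt")
    if name:
        try:
            lib = ctypes.CDLL(name)
            # gcry_check_version(NULL) returns the library's own version string.
            lib.gcry_check_version.restype = ctypes.c_char_p
            lib.gcry_check_version.argtypes = [ctypes.c_char_p]
            raw = lib.gcry_check_version(None)
            if raw:
                return raw.decode()
        except (OSError, AttributeError):
            pass
    try:
        out = subprocess.run(["gpg", "--version"], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return version_from_gpg_output(out)


# Constructed sample of gpg --version output, for offline use.
SAMPLE_GPG_OUTPUT = """gpg (GnuPG) 2.2.27
libgcrypt 1.9.0
Copyright (C) 2021 Free Software Foundation, Inc.
"""

if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("libgcrypt not found on this host")
    elif is_affected(v):
        print(f"libgcrypt {v}: VULNERABLE, upgrade to 1.9.1 or later")
    else:
        print(f"libgcrypt {v}: not affected")
```

Note that a statically linked copy of Libgcrypt inside another application will not show up through either path; for those, check the application’s own release notes.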

Hackers Targeting Asian Gamers on NoxPlayer

Last month, security researchers from ESET uncovered a highly targeted supply-chain attack, which they dubbed Operation NightScout, on NoxPlayer, the Android emulator developed by the Hong Kong-based company BigNox.

While NoxPlayer is used by gamers all around the world on both Windows and macOS, this attack appears to have specifically targeted gamers in Asia.

The attackers used at least three malware strains to carry out their plan. The payloads included a previously undocumented malware with surveillance capabilities, the Gh0st remote access trojan, and the PoisonIvy RAT, which was fetched as a second-stage payload from attacker-controlled infrastructure. The malware was delivered by compromising BigNox’s update and storage infrastructure, so that it reached victims through the emulator’s own update mechanism.

The attack is still somewhat puzzling, because the attackers targeted only a handful of users in Asia. Neither ESET nor BigNox yet knows the purpose of the attack or why it was aimed so narrowly at gamers, so we will have to wait and see whether new developments explain it.

Want to be in our next edition?

At SSD, we help security researchers turn their skills in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software, or devices.

We are constantly publishing our findings, intended to educate the global security research community. You can find more vulnerabilities on our Advisories page. If you have findings of your own, you can send them to us using our report template.

Join the conversation:

Visit SSD

Twitter

Facebook

Youtube
