We have discussed a lot of ransomware here, but we have not spent much time looking at the decryption tools available to victims. When ransomware gangs give up or rebrand, some of them release decryptors for victims who have not yet paid. Running one of those decryptors, however, is not a good idea; after all, these publishers do not have a good track record of handling your data. Once a decryptor is released and verified to work, security researchers reverse engineer the tool and release a known-good decryption program.
The good folks at No More Ransom are taking the lead in building such tools and hosting a collection of them. They also provide Crypto Sheriff, a tool for identifying which ransomware strain encrypted your files. Upload a few encrypted files and it tells you what you are dealing with and whether a decryptor is available. The site is a collaboration between the Dutch police, Interpol, Kaspersky and McAfee. You may be surprised to learn that they recommend reporting every ransomware case to the authorities. I can confirm that, at least, the FBI in the United States is very interested in tracking the various ransomware attacks: I received an unexpected call from an agent tracking an infection.
OpenSSL
The OpenSSL project has fixed a pair of vulnerabilities, CVE-2021-3711 and CVE-2021-3712, in version 1.1.1l. The first is a possible buffer overflow in a simple length-calculation function: a header assumed to be of fixed length is actually variable-length, so a crafted plaintext can overflow the allocated buffer.
The second vulnerability is less severe, but more interesting. It is a mismatch between the formal specification of the ASN1_STRING structure and how it is used in practice in OpenSSL. The structure contains a byte array and a length, among other things. The question is whether the array is null-terminated. Nearly all OpenSSL code treats it as a standard C string, but nothing in the documentation mandates the null terminator. The real problem arises when a program using the OpenSSL library constructs an ASN string locally: strictly following the documentation yields an unterminated array. When OpenSSL works on that value, it prints information to the log using printf() with a %s placeholder, which keeps printing characters until it hits the next null byte. This can reveal all sorts of unexpected information.
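To make the mismatch concrete, here is an added illustration written for this column, not OpenSSL's own code: a bytearray stands in for process memory, a small dataclass plays the role of the ASN1_STRING data pointer and length, and one function mimics what printf("%s") does while another respects the length field. All names (Asn1StringModel, build_heap, c_printf_s) and the sample bytes are constructed for the illustration.

```python
"""Model of the ASN1_STRING termination mismatch (illustrative, not OpenSSL code).
A bytearray stands in for process memory; offsets stand in for pointers."""

from dataclasses import dataclass

NUL = 0


@dataclass
class Asn1StringModel:
    """Stand-in for the two ASN1_STRING fields that matter here: data and length.
    'offset' plays the role of the data pointer into the heap below."""
    offset: int
    length: int


def build_heap(value: bytes, neighbour: bytes):
    """Lay the string out the way the documentation permits: exactly `length`
    bytes with no terminator of their own, followed by whatever unrelated data
    happens to sit next to them. The only NUL in this memory comes after the neighbour."""
    heap = bytearray(value + neighbour + b"\x00")
    return heap, Asn1StringModel(offset=0, length=len(value))


def c_printf_s(heap: bytearray, offset: int) -> bytes:
    """What printf("%s", p) does: copy bytes until the first NUL, never
    consulting the length field. Over-reads whenever the terminator is missing."""
    end = heap.index(NUL, offset)
    return bytes(heap[offset:end])


def print_by_length(heap: bytearray, s: Asn1StringModel) -> bytes:
    """The length-respecting alternative (printf("%.*s", length, p) in C)."""
    return bytes(heap[s.offset:s.offset + s.length])


def is_nul_terminated(heap: bytearray, s: Asn1StringModel) -> bool:
    """The check a caller should make before handing the data to any %s-style API."""
    return heap[s.offset + s.length] == NUL


def demo() -> dict:
    # Constructed sample: a certificate field value sitting next to unrelated secret bytes.
    heap, s = build_heap(b"alice@example.com", b"SESSION=constructed-secret")
    return {
        "terminated": is_nul_terminated(heap, s),
        "printf_s": c_printf_s(heap, s.offset),
        "by_length": print_by_length(heap, s),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Run it and the "%s" path returns the field value with the neighbouring bytes appended, while the length-bounded path returns only the declared bytes; the fix on the consuming side is exactly that switch from "%s" to a length-bounded format, and on the producing side it is to append the terminator the structure never promised.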
Atlassian’s Confluence is vulnerable
Confluence is a knowledge management platform, essentially a polished wiki for enterprises. They just patched a vulnerability present in the last four major releases. CVE-2021-26084 is an OGNL injection problem with a severity of 9.8. An attacker can abuse it to execute code on the underlying server, in some cases even without authentication.
OGNL is the Object-Graph Navigation Language, described as an expression language for Java. The injection problem is very similar to SQL injection, in that user-supplied data can contain expressions. An OGNL injection typically looks like ${(#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc.exe"))}.
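As an added example (written for this column, not Atlassian's code), here is the kind of check a defender can run over request logs to spot parameters carrying OGNL expression syntax of the shape shown above. The log lines, paths and parameter names are constructed; the payload in the third line is the one quoted in the text, URL-encoded. Requiring the expression wrapper plus at least one further indicator keeps a benign template reference such as ${total} from being flagged.

```python
"""Flag request parameters that carry OGNL expression syntax (added example).
Sample log lines, paths and parameter names are constructed, not from Confluence."""

import re
from urllib.parse import unquote_plus

# Each indicator alone is weak; the expression wrapper plus a static call or an
# assignment is what an injected OGNL expression needs in order to do anything.
INDICATORS = {
    "expr_wrapper": re.compile(r"[$%]\{"),          # ${ ... } or %{ ... }
    "static_access": re.compile(r"@[\w.$]+@\w+"),   # @java.lang.Runtime@getRuntime
    "assignment": re.compile(r"#\w+\s*="),          # #rt = ...
    "method_call": re.compile(r"\.\w+\s*\("),       # .exec(  .getRuntime(
}


def decode(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded payloads are inspected too."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def ognl_indicators(value: str) -> list:
    text = decode(value)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(value: str) -> bool:
    hits = ognl_indicators(value)
    return "expr_wrapper" in hits and len(hits) >= 2


def scan_log(lines) -> list:
    """Return (line_no, parameter, indicators) for each suspicious query parameter."""
    findings = []
    for n, line in enumerate(lines, 1):
        tokens = line.split(" ", 2)          # "METHOD /path?query HTTP/1.1"
        if len(tokens) < 2:
            continue
        query = tokens[1].partition("?")[2]
        for pair in query.split("&"):
            key, _, val = pair.partition("=")
            if val and is_suspicious(val):
                findings.append((n, key, ognl_indicators(val)))
    return findings


# Constructed sample requests: a benign parameter, a benign template reference,
# and the injection payload quoted in the text, URL-encoded.
SAMPLE_LOG = [
    "GET /app/page?name=Hello+world HTTP/1.1",
    "GET /app/page?template=%24%7Btotal%7D HTTP/1.1",
    "POST /app/page?q=%24%7B%28%23rt%3D%40java.lang.Runtime%40getRuntime%28%29"
    "%2C%23rt.exec%28%22calc.exe%22%29%29%7D HTTP/1.1",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decoding loop matters in practice: a payload encoded twice survives a single decode as harmless-looking percent sequences, so the scanner decodes until the text stops changing (bounded to two rounds here).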
Smart girl ^H^H^H^H hacker
Remember the trivially easy escalation to SYSTEM when a Razer mouse is plugged in? The hardest part of that attack was that you had to physically bring a Razer or SteelSeries device to the computer being compromised. Well, not anymore. If you have root on your Android phone, you can now use usbgadget-tool to spoof the right hardware. The drivers for these two specific devices will probably be fixed soon, but there are surely many similar cases, and this kind of abuse is common.
This is a particularly easy exploit, and it may be tempting to try it on a work computer or in a similar setting. Consider this your regular reminder that plugging in a Razer mouse is a crime, if you do it to gain SYSTEM privileges on a machine without permission. In the immortal words of the Bosnian Act, “Keep it safe and keep it legal.”
Honda’s crackable key fob
Rolling key codes have been in use since 1995. An incrementing counter is used as part of the encryption key and is kept synchronized between the vehicle and the key fob. This arrangement makes replay attacks harder, because the vehicle can ignore messages signed with previously used counter values. Some very clever attacks have been devised against this system, such as jamming a message while capturing it so that the vehicle never receives it. This is not one of those clever hacks. This really looks like a broken system deployed in the wild.
[Blake Berry] wrote a simple script to highlight the differing bits in two strings and ran it on a pair of captures from a Honda key fob. The two strings were disturbingly similar. After further work, it turned out that a captured lock command could be replayed with a few specific bits flipped, and the vehicle would unlock. The attack has been confirmed on a 2009 vehicle and a 2020 model. Honda/Acura does not seem to have any effective encryption in their key fob system at all. This issue has been assigned CVE-2019-20626, which makes the shortcomings in the 2020 model particularly glaring.
(Editor’s note: We were initially skeptical about this, because it’s just and also. Obviously, we will note here that the CVE is currently being “re-analyzed.” If we had a Honda, we would test it before lunch. Do you? Let us know.)
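The bit-highlighting script described above is simple enough to reconstruct. The following is an added example written for this column, not [Blake Berry]'s script, and the two hex captures (CAPTURE_A, CAPTURE_B) are constructed values, not real fob transmissions. Beyond the single diff view, it also reports the Hamming distance and groups the differing bits by byte, which is what tells an analyst whether a small field is changing between otherwise identical messages.

```python
"""Highlight the bits that differ between two captured transmissions (added example).
CAPTURE_A/CAPTURE_B are constructed hex strings, not real key-fob captures."""


def bit_positions(a_hex: str, b_hex: str) -> list:
    """0-based positions (MSB first) where two equal-length hex strings differ."""
    if len(a_hex) != len(b_hex):
        raise ValueError("captures must be the same length")
    nbits = len(a_hex) * 4
    x = int(a_hex, 16) ^ int(b_hex, 16)       # XOR leaves a 1 wherever the bits differ
    return [i for i in range(nbits) if (x >> (nbits - 1 - i)) & 1]


def hamming(a_hex: str, b_hex: str) -> int:
    """Number of differing bits; near zero means the 'rolling' code barely rolled."""
    return len(bit_positions(a_hex, b_hex))


def highlight(a_hex: str, b_hex: str) -> str:
    """Three lines: both captures in binary, and a caret under every differing bit."""
    nbits = len(a_hex) * 4
    a_bits = format(int(a_hex, 16), f"0{nbits}b")
    b_bits = format(int(b_hex, 16), f"0{nbits}b")
    marks = "".join("^" if x != y else " " for x, y in zip(a_bits, b_bits))
    return "\n".join((a_bits, b_bits, marks))


def differing_bytes(a_hex: str, b_hex: str) -> dict:
    """byte index -> XOR of that byte, for bytes that changed. Separates a moving
    field (a counter, a command code) from bytes that stay constant across captures."""
    a, b = bytes.fromhex(a_hex), bytes.fromhex(b_hex)
    return {i: x ^ y for i, (x, y) in enumerate(zip(a, b)) if x != y}


# Constructed sample captures: 40 bits each, differing in two places.
CAPTURE_A = "3f8c01d2a7"
CAPTURE_B = "3f8c03d2a5"

if __name__ == "__main__":
    print(highlight(CAPTURE_A, CAPTURE_B))
    print("differing bit positions:", bit_positions(CAPTURE_A, CAPTURE_B))
    print("hamming distance:", hamming(CAPTURE_A, CAPTURE_B))
    print("changed bytes:", differing_bytes(CAPTURE_A, CAPTURE_B))
```

For a sound rolling-code scheme, two consecutive transmissions should look unrelated (a Hamming distance near half the message length); a distance of a handful of bits, concentrated in one or two bytes, is the warning sign the text describes.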
Subdomain takeover via DNS
Subdomain takeover means that a third party can run any service they like on the IP referenced by a subdomain. There are several ways this can happen, such as deleting a GitHub Pages site but leaving the DNS record in place. Someone else can then claim the same name and host their own content on that subdomain. There is another way to achieve this via hosted DNS, and there is a new tool for finding vulnerable domains. DNSTake lets you specify a domain; it looks up the name servers along the DNS chain, looking for odd DNS status responses.
The goal is to find a domain that uses a hosted DNS provider, where the domain has been deleted from the provider’s interface but the NS record still exists. For many such providers, anyone can add DNS records for unclaimed domains. Once an attacker controls the subdomain, a considerable range of mischief is possible.
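The following is an added example of the classification step behind that kind of check, written for this column and not DNSTake's code. It walks every suffix of a name that carries its own NS records and asks each delegated nameserver directly for the zone; a REFUSED or SERVFAIL answer from every delegated server is the "odd status response" that marks a dangling delegation. The resolver is a constructed in-memory stand-in (NS_RECORDS, AUTH_ANSWERS, and the hosted-dns.example names are all invented); to audit zones you administer, pass real lookup functions, for instance ones built on dnspython, in place of the fakes.

```python
"""Find dangling NS delegations along a name's DNS chain (added example, not DNSTake).
The in-memory resolver below is constructed sample data; pass real lookup functions to use it."""

from typing import Callable, Dict, List, Optional

# A delegated nameserver that answers with one of these for the zone is not serving it.
DANGLING_RCODES = {"REFUSED", "SERVFAIL"}

# Constructed data: name -> nameservers it is delegated to (absent = no NS at this label).
NS_RECORDS: Dict[str, List[str]] = {
    "example.com":      ["ns1.example.com", "ns2.example.com"],
    "blog.example.com": ["ns1.hosted-dns.example", "ns2.hosted-dns.example"],  # zone deleted at provider
    "shop.example.com": ["ns1.hosted-dns.example", "ns2.hosted-dns.example"],  # zone still present
}
# Constructed data: (nameserver, qname) -> rcode when that server is asked directly.
AUTH_ANSWERS: Dict[tuple, str] = {
    ("ns1.example.com", "example.com"): "NOERROR",
    ("ns2.example.com", "example.com"): "NOERROR",
    ("ns1.hosted-dns.example", "blog.example.com"): "REFUSED",
    ("ns2.hosted-dns.example", "blog.example.com"): "REFUSED",
    ("ns1.hosted-dns.example", "shop.example.com"): "NOERROR",
    ("ns2.hosted-dns.example", "shop.example.com"): "NOERROR",
}


def fake_lookup_ns(name: str) -> Optional[List[str]]:
    return NS_RECORDS.get(name)


def fake_query_rcode(ns: str, qname: str) -> str:
    # An unknown (server, name) pair behaves like a server that does not host the zone.
    return AUTH_ANSWERS.get((ns, qname), "REFUSED")


def delegation_points(fqdn: str, lookup_ns: Callable) -> List[str]:
    """Every suffix of fqdn that has its own NS records, most specific first (TLD excluded)."""
    parts = fqdn.strip(".").split(".")
    candidates = [".".join(parts[i:]) for i in range(len(parts) - 1)]
    return [c for c in candidates if lookup_ns(c)]


def check_delegation(name: str, lookup_ns: Callable, query_rcode: Callable) -> dict:
    """Ask each delegated server for the zone directly and classify the delegation."""
    servers = lookup_ns(name) or []
    rcodes = {s: query_rcode(s, name) for s in servers}
    lame = sorted(s for s, rc in rcodes.items() if rc in DANGLING_RCODES)
    if not servers:
        status = "no-delegation"
    elif len(lame) == len(servers):
        status = "dangling"      # no delegated server serves the zone
    elif lame:
        status = "partial"       # some servers answer, some do not: worth a look
    else:
        status = "ok"
    return {"name": name, "status": status, "lame": lame, "rcodes": rcodes}


def scan(fqdn: str, lookup_ns: Callable = fake_lookup_ns,
         query_rcode: Callable = fake_query_rcode) -> List[dict]:
    """Walk the chain from the name up to (but not including) the TLD."""
    return [check_delegation(n, lookup_ns, query_rcode)
            for n in delegation_points(fqdn, lookup_ns)]


if __name__ == "__main__":
    for result in scan("blog.example.com"):
        print(result["name"], result["status"], result["lame"])
```

A "dangling" result says only that the delegation is lame; whether it is also claimable depends on the provider's policy for unclaimed zone names, which is the part of the problem the text describes. The right fix on the zone owner's side is the same either way: remove the stale NS records or re-create the zone at the provider.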