Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.
Trump’s presidency could bring big changes to regulation of Internet service providers—but most of the changes are difficult to predict because Trump rarely discussed telecom policy during his campaign. The Federal Communications Commission’s net neutrality rules could be overturned or weakened, however, if Trump still feels the same way he did in 2014. At the time, he tweeted, “Obama’s attack on the internet is another top down power grab. Net neutrality is the Fairness Doctrine. Will target conservative media.”
Trump has promised "a temporary moratorium on new agency regulations," and he would like the FCC to fine journalists who are critical of him. Trump seems likely to take a deregulatory approach to telecom, benefiting Internet service providers who protested various new rules implemented under Democratic FCC Chairman Tom Wheeler. Aside from net neutrality, Trump hasn't discussed any specific telecom regulations that he’d like to change.
In the last few weeks I took a closer look on caller ID spoofing and the impact which this “feature” can have on todays online services. A few months ago I came across a great blogpost from Shubham Shah which is an Australian security researcher and pentester. You can find the post here.
He did great work 2 ½ years ago – he analyzed the impact of caller ID spoofing on 2 factor authentication on many popular services like Google, Facebook and so on. The caller ID is basically the number which gets displayed on the phone on the receiving end of the call. He was able to bypass the 2 factor authentication on this services quite effectively. For bypassing 2FA he used a long known issue which affects the authentication of voicemails - I will cover this topic in detail later on in this post.
The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors. Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets. This is exactly what we saw in late October and early November 2016, when the espionage group Pawn Storm (also known as Fancy Bear, APT28, Sofacy, and STRONTIUM) ramped up its spear-phishing campaigns against various governments and embassies around the world. In these campaigns, Pawn Storm used a previously unknown zero-day in Adobe’s Flash (CVE-2016-7855, fixed on October 26, 2016 with an emergency update) in combination with a privilege escalation in Microsoft’s Windows Operating System (CVE-2016-7255) that was fixed on November 8, 2016.
After the fix of CVE-2016-7855 in Adobe’s Flash, Pawn Storm probably devalued the two zero-days in its attack tool portfolio. Instead of only using it against very high profile targets, they started to expose much more targets to these vulnerabilities. We saw several campaigns against still-high-profile targets since October 28 until early November, 2016.