The Equation Group’s post-exploitation tools (DanderSpritz and more) Part 1

Since the April 14th leak of the Equation Group’s hacking tools, I have been busy testing (and decompiling / reversing) the tools, understanding and documenting capabilities, and identifying potential indicators of compromise (IOCs). My goal is to build documentation and IOCs that we at Kudelski Security (and other organizations) could leverage to identify these tools, … Continue reading The Equation Group’s post-exploitation tools (DanderSpritz and more) Part 1

WannaCry Ransomware Webcast

The number of individuals, organizations and countries affected by the WannaCry malware attack is growing at an alarming rate. After the initial infection is executed, no user intervention at all is required for the malware to spread. As this is one of the largest cybersecurity attacks in history, it's important that you have all the facts. … Continue reading WannaCry Ransomware Webcast

Security Advisory: WCry2 Ransomware Outbreak

wCry2 Ransomware spreading via EternalBlue (MS17-010) Update May 13 Data was coming in very quickly on Friday and while we worked to provide timely and reasonable information we know now more about what happened and how the Wana Decrypt0r 2.0 ransomware outbreak managed to escalate so quickly. First some good news: The malware, once executed … Continue reading Security Advisory: WCry2 Ransomware Outbreak

Configuring YubiKey for GPG and U2F

Here is a little walkthrough on how to get started with the YubiKey and GPG. After following this guide you will have a secure setup using a YubiKey containing your GPG keys as well as an authentication key that could be used for SSH. Moreover the configured YubiKey will also be capable of U2F and managing a password store (for examples, … Continue reading Configuring YubiKey for GPG and U2F

Should Curve25519 keys be validated?

While analyzing Signal with Markus, I noticed that Signal's Curve25519-based ECDH doesn't validate public keys, and in particular will accept the 0 point as a public key—leading to a shared secret equivalent to 0 regardless of the value of the private key scalar. In contrast, libsodium will return an error if the shared secret happens … Continue reading Should Curve25519 keys be validated?

Auditing code for crypto flaws: the first 30 minutes

Auditing your code for proper crypto use is extremely important.  However, what if it's not generally your focus?  If your job today is to find flaws in the cryptographic components of application א, where should you start? I like to start an audit by checking which crypto primitives are used. This often gives you an idea of … Continue reading Auditing code for crypto flaws: the first 30 minutes

Shadow Broker’s April 2017 Release

Update - April 15, 2017 Microsoft has evaluated the exploits released by the Shadow Brokers and confirmed that the exploits previously through to be “zero-days” were patched last month with the release of MS17- 010. Kudelski Security highly recommends that clients apply the patches included in MS17-010 as soon as possible to ensure they are … Continue reading Shadow Broker’s April 2017 Release