The Equation Group’s post-exploitation tools (DanderSpritz and more) Part 1

Since the April 14th leak of the Equation Group’s hacking tools, I have been busy testing (and decompiling / reversing) the tools, understanding and documenting their capabilities, and identifying potential indicators of compromise (IOCs). My goal is to build documentation and IOCs that we at Kudelski Security (and other organizations) could leverage to identify these tools, …

Do not create a backdoor, use your provider’s one!

It was recently shown by the Mirai botnet and the Linux/Moose worm that more and more connected devices can be used to run a large-scale DDoS. As an example, I'll provide here a small analysis showing that the problem is even more complicated, since we sometimes have to live with old devices which have not been updated by Internet providers. A …

TROOPERS 2016

I recently attended the TROOPERS conference, held in Heidelberg, Germany. A lot of interesting research was presented; in this blog post I’m going to summarize selected talks that I particularly enjoyed. The first presentation was by Philippe Teuwen, who demonstrated his latest attack on white-box cryptography. The idea is to apply existing hardware attacks such as side-channel …

A perspective on the state of the SSLiverse as of early 2016

tl;dr: Most studies about SSL tend to use SSL information retrieved via DNS domain names. This article provides an overview of the SSLiverse when SSL information is retrieved from each SSL-enabled host in the IPv4 range on port 443. With today's state-of-the-art scanning tools and proper infrastructure, it is now possible to …

Honey! Where is my POS??

Introduction: Not a month goes by without news about another new POS (point-of-sale) malware or credit card data breach. Obviously, details of this kind of breach cannot be made public (banks, ongoing investigation, reputation …). But what do we really know about POS malware? Can we create groups of malware and relate them to groups of cyber …

Sphinx Moth: Expanding our knowledge of the “Wild Neutron” / “Morpho” APT

The Kudelski Security Cyber Fusion Center, together with the KS-CERT, has been monitoring and investigating the “Sphinx Moth” threat activity since mid-2014. When Kaspersky and Symantec released reports on a powerful threat actor earlier this year, it became clear that what they had respectively called “Wild Neutron” and “Butterfly”/“Morpho” corresponded with the “Sphinx Moth” advanced …

OpenSSH jump-host and file-transfer

This article was inspired by a previous post on my personal blog: https://www.freeture.ch/?p=815 Intro: OpenSSH is a great tool, everybody knows that (even Microsoft). It's commonly used to securely take control of remote machines or to copy a bunch of files to or from them. Another common scenario is to have a machine between two networks that acts as …