Cybersecurity Newsletter, August 10 - 16
Qrator

Hello and welcome to the regular networking and cybersecurity newsletter brought to you every weekend by Qrator Labs! This time we are looking at the articles and materials published between August 10 and 16, 2020.

Probably the hottest discovery of this week is the "Drovorub" malware, reported jointly by the FBI and the NSA.

"The FBI and NSA have issued a joint report warning that Russian state hackers are using a previously unknown piece of Linux malware to stealthily infiltrate sensitive networks, steal confidential information, and execute malicious commands." - ArsTechnica.

"Per the two agencies, Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server." - ZDNet.
 

And then there's a great story from Binary Defense on EmoCrash: Exploiting A Vulnerability In Emotet Malware For Defense

"For six months, security researchers have secretly distributed an Emotet vaccine across the world." - ZDNet.
 

Researchers from Ruhr University Bochum and NYU Abu Dhabi found a way to eavesdrop on encrypted LTE calls with ReVoLTE: "Call Me Maybe"

"Hackers can eavesdrop on mobile calls with $7,000 worth of equipment." - ArsTechnica.
 

TCP window scaling, timestamps and SACK

"There are multiple articles that recommend disabling TCP extensions, such as timestamps or selective acknowledgments (SACK), for various “performance tuning” or “security” reasons.

This article provides background on what these extensions do, why they are enabled by default, how they relate to one another and why it is normally a bad idea to turn them off." - Fedora Magazine.
 

How Malicious Tor Relays are Exploiting Users in 2020

">23% of the Tor network’s exit capacity has been attacking Tor users".
 

SNIcat: Circumventing the guardians

"How the security features in state-of-the-art TLS inspection solutions can be exploited for covert data exfiltration."
 

Machine Function Splitter - Split out cold blocks from machine functions using profile data

"We present “Machine Function Splitter”, a codegen optimization pass which splits functions into hot and cold parts. This pass leverages the basic block sections feature recently introduced in LLVM from the Propeller project. The pass targets functions with profile coverage, identifies cold blocks and moves them to a separate section. The linker groups all cold blocks across functions together, decreasing fragmentation and improving icache and itlb utilization. Our experiments show >2% performance improvement on clang bootstrap, ~1% improvement on Google workloads and 1.6% mean performance improvement on SPEC IntRate 2017."
 

SpaceX Starlink speeds revealed as beta users get downloads of 11 to 60Mbps

"Ookla tests aren't showing the gigabit speeds SpaceX teased, but it's early."
 

The Secret SIMs Used By Criminals to Spoof Any Number

"Criminals use so-called Russian, encrypted, or white SIMs to change their phone number, add voice manipulation to their calls, and try to stay ahead of law enforcement."
 

Academic paper of the week - Zero Downtime Release: Disruption-free Load Balancing of a Multi-Billion User Website

 

Thanks for reading and sharing!

For feedback, please write to us at cybersec@qrator.net.