Security Roundup - 2018-05-25

VPNFilter. Talos Intel has released preliminary research on VPNFilter, due to active exploitation in Ukraine. This malware strain appears to be installed on networking devices across the globe, and has device-destructive capabilities. It is installed on roughly half a million devices, which would have a large impact if that capability were triggered.

More IoT Failure. In related news, vulnerabilities have been found in some D-Link routers. Additionally, Comcast just fixed a bug in some routers that could accidentally leak Wi-Fi passwords.

Vigilant Observation. An ESET researcher discovered two zero-days in the making after reverse engineering samples that attackers had uploaded to virus scanning engines to test their detectability.

Living in a post-Drupalgeddon world. Two major Drupal vulnerabilities dropped last week, and now Malwarebytes takes a look at the state of Drupal in the wild. Expect unpatched instances, and expect those instances to have been exploited.

Business model for botnets. After all, the goal is to make money. But how much?

More Spectre-like Flaws. Another processor side-channel attack was announced on Monday and, with increased scrutiny, researchers expect to announce more in the future.

New way to abuse cryptominers. Cryptominers have been abusing clients' resources for months, and now a new abuse has been found: URL shorteners. Specifically, Coinhive has been experimenting with a URL shortener that forwards users after their browser has solved a number of hashes, which some are abusing by embedding it in iframes on other sites so that the cryptominer runs for as long as the page is loaded.

Botnet Persistence. According to some recent research, 58% of botnet infections only last a day.

Security Roundup - 2018-05-18

Incorrect handling of HTML leads to security problems. EFAIL is the latest named vulnerability going around. Initially hyped as a PGP failure, what is actually happening is that mail clients which interpret HTML can be abused to exfiltrate data. Combine this with automatic decryption of PGP data in your email client, and you potentially have your client decrypt the text and then handily send it to an external source. The EFF has an extensive FAQ.

Remote code injection in DHCP client. Red Hat Linux and its derivatives have released patches for a bug that caused the DHCP client to treat parts of server responses as commands, allowing remote code execution. The PoC exploit fit into a tweet.

Rowhammer in the wild. Several Rowhammer attacks have been demonstrated in the wild, including one triggered by sending packets over a network and another that used the GPU on phones.

When your desktop apps have XSS. Electron, a framework for creating cross-platform desktop apps using HTML, CSS and JavaScript, had a remote code execution exploit disclosed this week, due to incorrect handling of defaults. This potentially means that a number of Electron apps are exposed to cross-site scripting attacks. Relatedly, the secure messaging app Signal had two XSS vulnerabilities found in its desktop app.

Active zero-day for Internet Explorer. Discovered by two separate security companies investigating attacks; make sure you upgrade and/or move to a more modern browser.

IBM bans thumb drives. IBM has recently reviewed its security standards and has decided that thumb drives are no longer to be used. Given their history as an attack vector, as well as a common way to lose or leak data, this seems like a smart (though perhaps hard to enforce and implement) strategy.

Subliminal IoT. Students at UC Berkeley have demonstrated that voice assistants can be controlled by subliminal messages.

This photocopier contains secrets. Getting rid of old photocopiers or scanners at work? Make sure they aren't still storing secrets, such as social security numbers, contracts, or medical records.

People Don’t Patch. I actually talked to members at Sonatype about this; they see thousands of organizations downloading vulnerable software packages, like the Struts vulnerability that resulted in huge news stories when it was the cause of the Equifax breach.

Security Roundup - 2018-05-10

RouterSploit 3.0 Released. A security tool for auditing routers has gotten a major upgrade. The biggest new feature tries to address the plague of default credentials by providing a framework for anyone to add the appropriate authentication method for a device. This seems like a pretty important area of research, given stories like:

Other internet-connected device flaws. Routers are not the only devices with reported flaws this week:

Office 365 zero-day discovered. Overlooked HTML functionality has resulted in an Office 365 zero-day which bypasses security checks.

Fun with passwords. Who better to get password tips from than those who break them? Rapid7 has collected passwords from a number of security engagements and has some tips on how people can do better. Troy Hunt also reminds us all that password selection is horrible, with more than 86% of passwords in a recent breach already appearing in other breaches, making brute force attempts that much easier.
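The "already in another breach" check above is something a registration or password-change form can do without ever sending the password anywhere: hash it with SHA-1, send only the first five hex characters of the digest to the Pwned Passwords range endpoint, and compare the returned suffixes locally. The code below is an added example (not Troy Hunt's or Rapid7's code); `SAMPLE_RANGE_5BAA6` is a constructed response in the service's `SUFFIX:COUNT` format, and `fetch_range` is the only function that needs network access.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Constructed stand-in for a Pwned Passwords range response (one
# "SHA1_SUFFIX:COUNT" line per breached hash sharing the queried prefix).
# The first line is the real suffix of SHA-1("password"); counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:0
"""

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(text: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table, skipping malformed lines."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix.upper()] = int(count)
    return table

def breach_count(password: str, range_text: str) -> int:
    """How many times the password appeared in known breaches (0 if never)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-character prefix (requires network access)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    prefix, _ = sha1_prefix_suffix("password")
    print(prefix, breach_count("password", SAMPLE_RANGE_5BAA6))
```

In production, replace the sample text with `fetch_range(prefix)` and reject (or at least warn on) any password whose count is above zero.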

Hijacked Accounts on Steam. Finally frustrated by scammers on the online gaming community Steam, one security researcher set out to discover how they worked, eventually finding their admin console and alerting Steam to the compromised user accounts.

OS makers misread docs, build in vulnerabilities. The majority of OS providers are releasing patches this week to deal with a misunderstanding of how Intel processors handle debug exceptions, caused by ambiguous documentation. This could allow an attacker with physical access to a machine to gain elevated privileges.

Security Roundup - 2018-05-03

Backdooring Encryption. An industry veteran claims to have solved how to ‘safely’ backdoor cryptography. The solution is effectively key escrow. But, as a number of experts such as Matthew Green are pointing out, key escrow makes that key storage a big target, especially given that either a) every organization will have to create its own implementation, or b) someone will mandate a centralized repository, ripe for exploitation and/or abuse. Also, given that a lot of phones are manufactured overseas, what happens when a foreign government coerces the manufacturer to provide access to all the escrowed keys?

Alexa, record everything. Security researchers figured out a way to make an Alexa skill keep recording all audio after a user activates it.

RFID Lock Insecurities. When was the last time you were at a hotel that DIDN’T have an RFID or magstripe lock? A+ for convenience, but a number of these locks have vulnerabilities, as security researchers prove they can break into a number of RFID locks with ~$300 worth of materials, an expired keycard, and about a minute of time.

Fun with Honeypots. A 2018 look at what happens when you set up an SSH honeypot. No surprise that there are a lot of IoT-style credential guesses.

Share passwords… Be careful using ‘sharing culture’ SaaS apps. You may, for example, end up sharing passwords or confidential information with the public, as some Trello users accidentally did.

… or log passwords! Both Twitter and GitHub announced they found subsystems that accidentally logged passwords. While there is no indication that anyone obtained these logs, make sure to change your passwords anyway.

Supply chain attacks in npm libs. A crafted backdoor was found in an npm package. While this npm package was not itself popular, the attackers actually got it merged into an older, but still used, package. The backdoor would have allowed remote code execution, and could have been pulled into a project just by a developer updating all packages. The impacted npm libraries have now been removed.

Massminer. Finally, for those that love malware stories, check out Massminer, the latest malicious cryptocurrency miner. What sets Massminer apart is its inclusion of masscan, a tool for scanning for open ports, which it then leverages to find targets for a number of popular exploits.

Security Roundup - 2018-04-26

“Hacker” accesses non-public data in public portal. The most disappointing news lately is about how a young Canadian realized that the Nova Scotia Freedom of Information Act site had an enumerable URL parameter. Said individual wrote a script to download a bunch of files, and was later arrested because some of those files were deemed ‘sensitive’ and had been erroneously uploaded in a public manner. This has led many people to be critical, pointing out that this wasn’t the 19-year-old’s fault so much as the fault of the owners of the system (which, again, was portrayed as public information). Troy Hunt has a good writeup, including some history of similar accusations of “unauthorized use of a computer”.
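The root cause above is a portal that served any record whose sequential id you asked for, with no per-record authorization. The following added example (hypothetical code, not the portal's) shows that pattern beside the fix: an unguessable identifier so that ids cannot be enumerated, and, more importantly, an authorization decision on every request so that a leaked or guessed id still does not expose a non-public record.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Record:
    title: str
    public: bool                    # released under the FOI process
    owner: Optional[str] = None     # requester entitled to a non-public record


class EnumerableStore:
    """The weak pattern: sequential ids and no authorization check at all."""

    def __init__(self) -> None:
        self._records: List[Record] = []

    def add(self, rec: Record) -> int:
        self._records.append(rec)
        return len(self._records)            # ids are 1, 2, 3, ... (predictable)

    def fetch(self, rec_id: int, user: Optional[str] = None) -> Optional[Record]:
        # Serves every record to everyone, public or not.
        if 0 < rec_id <= len(self._records):
            return self._records[rec_id - 1]
        return None


class HardenedStore:
    """Random ids plus an authorization decision on every request."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def add(self, rec: Record) -> str:
        rec_id = secrets.token_urlsafe(16)   # unguessable; not the access control itself
        self._records[rec_id] = rec
        return rec_id

    def fetch(self, rec_id: str, user: Optional[str] = None) -> Optional[Record]:
        rec = self._records.get(rec_id)
        if rec is None:
            return None
        if rec.public or (user is not None and rec.owner == user):
            return rec
        return None                          # unauthorized looks identical to missing
```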

BGP Hijack of Amazon DNS. Attackers somehow used an Ohio-based ISP to advertise several hundred IP addresses, many of them belonging to AWS’ DNS offering. The ultimate target was hijacking the cryptocurrency website MyEtherWallet, making off with $150K over 3 hours. Other AWS customers were potentially impacted as well, but the full scope is still unknown.

Webstresser de-stressed. Attack-as-a-service platform Webstresser was taken offline the other day after a coordinated effort by several law enforcement agencies. Interestingly, this has resulted in a number of other malicious services going down, as they appear to have been resellers of Webstresser.

How OS X malware can take screenshots. After reports of malware families taking screenshots of desktops on OS X, one security researcher dug in. After reverse engineering the technique independently, as well as digging into actual malware samples, he suggests ways in which this type of activity could actually be detected.

IPv6 as a backdoor. Think you’ve locked down your local network? Have you checked your IPv6 setup? Trustwave points out that modern devices configure IPv6 automatically, and services that the rules on your IPv4 interfaces protect may still be wide open over IPv6.
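A quick way to catch the gap Trustwave describes on a Linux host is to diff what the IPv4 and IPv6 filter tables actually allow. The script below is an added example (not Trustwave's tooling) that parses `iptables-save` and `ip6tables-save` style output and reports chain policies that differ and INPUT ports accepted over IPv6 with no IPv4 counterpart; the two rule sets are constructed samples, with a typical locked-down IPv4 table next to the "never configured" IPv6 table.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: IPv4 is locked down, IPv6 was never configured
# (default ACCEPT policies) and someone also opened MySQL on it.
IPTABLES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
IP6TABLES_V6 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

def _rule_fields(line: str) -> Dict[str, str]:
    """Pick the options we care about out of an '-A ...' rule line."""
    toks = line.split()
    return {tok: toks[i + 1] for i, tok in enumerate(toks[:-1])
            if tok in ("-A", "-p", "--dport", "-j")}

def parse_save(text: str) -> Tuple[Dict[str, str], Set[Tuple[str, int]]]:
    """Return ({chain: policy}, {(proto, dport) accepted on INPUT})."""
    policies: Dict[str, str] = {}
    allowed: Set[Tuple[str, int]] = set()
    for line in text.splitlines():
        if line.startswith(":"):                       # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            f = _rule_fields(line)
            if f.get("-A") == "INPUT" and f.get("-j") == "ACCEPT" and "--dport" in f:
                allowed.add((f.get("-p", "any"), int(f["--dport"])))
    return policies, allowed

def audit(v4_text: str, v6_text: str) -> List[str]:
    """Findings where IPv6 is more permissive than (or inconsistent with) IPv4."""
    p4, a4 = parse_save(v4_text)
    p6, a6 = parse_save(v6_text)
    findings = [f"{chain}: IPv4 policy {pol}, IPv6 policy {p6.get(chain, 'missing')}"
                for chain, pol in p4.items() if p6.get(chain) != pol]
    findings += [f"IPv6 accepts {proto}/{port} with no IPv4 counterpart"
                 for proto, port in sorted(a6 - a4)]
    return findings

if __name__ == "__main__":
    for finding in audit(IPTABLES_V4, IP6TABLES_V6):
        print(finding)
```

On a live host, feed the script the real output of `iptables-save` and `ip6tables-save` instead of the constructed samples; an empty findings list means the two tables agree.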

Drupal suffers multiple high severity vulnerabilities. Last month was Drupalgeddon 2, but now Drupal has announced another highly critical vulnerability which impacts all versions of Drupal, going so far as to provide patches for unsupported versions of the CMS. Unlike Drupalgeddon 2, this vulnerability was immediately seized upon and is currently being exploited in the wild.

Steganography: new tool on the block. Security researchers warn that steganography, the practice of hiding data inside other files, is increasingly being deployed by malicious actors. The technique is used to evade monitoring solutions by making payloads look like images rather than the malicious packages they actually are.
