Security Roundup - 2016-05-11

Verizon released their yearly Data Breach Investigations Reports. The Rapid 7 Community has a pretty good writeup. Reading the report has some interesting information:

  • Server assets being the cause of breaches is declining. Breaches due to people and their devices as the weak link is continuing to rise.
  • Breaches are more often than not discovered by third parties.
  • Webapp breaches have increased dramatically, which should be unsurprising given the easy of drive by scans and exploits.
  • Crimeware decreased drastically in 2015 (though this year’s ransomware reports lead me to believe it will be more prevalent in the next report)

The report also focuses on a few factors as primary points of vulnerability:

  • Patching Cadence - how long between a vulnerability being discovered and exploits being developed vs the time it takes organizations to upgrade/mitigate.
  • Social Engineering - phishing attacks are still highly effective.
  • Passwords - 63% of breaches apparently involve leaked/reused/weak passwords.

Related to the ease of drive by exploits, one anonymous user recently decided to scan for open VPC ports and make use of the screenshot facility to take some pictures. Among things found appear to be security systems, checkout systems, and desktops.

ImageTragick made the rounds this week, which results in ImageMagick running code embedded in certain image formats, as well as being able to do file manipulation on the system such as moving/deleting/reading files. Cloudflare has an article detailing usages they have seen in the wild starting at recon and escalating to attempted server takeover. Sucuri has seen some similar exploits.

Warby Parker recently decided to test their Cyber Security Response time, by staging a site takedown. Much fun was had by the ‘attackers’, practice was had, and lessons were learned.

Last week, there was news to the effect that millions of email addresses were leaked. This turned out not to be the case, with various email providers declaring the majority of the information was bogus. Troy Hunt (who is behind, goes into depth on how he does validation on data leaks, rather than just accept them at face value.

ThreatPost has some good ransomware articles, including a post on ‘Ransomware as a Service’, ‘A Diary of a Ransomware Victim’, where a casino’s consultant had no security precautions and allowed TeslaCrypy to spread rapidly through the network, and an update on the Bucbi ransomware which is being used as a targeted attacks, rather than randomly seeking targets.

Malwarebytes has a very in depth analysis of the 7ev3n ransomware variant. After completely reverse engineering, they were able to tell the implementor designed their own custom crypto mechanism, making it easier to recover files.

A few months ago, I mentioned people performing man in the middle attacks between free standing ATMs and networks. This week I’ve learned that sophisticated skimmers can actually be inserted into the card reader slot.

Written on May 11, 2016