Security Roundup - 2016-05-26

Malware targeting wireless networking equipment has been making the rounds, impacting several ISPs. Despite a patch being available last July, many users appear to have been unaware and not updated. The malware in question leaves a backdoor in a large range of devices, but otherwise appears to do no other malicious activitiy at this time.

Malware on USB devices, and a user’s ability to plug in USB devices can allow for deep network penetration. Checkpoint has a story where parts of a nuclear facility were infected. While restricted networks were not infected, a number of USB devices were, which could have resulted in cross contamination.

As more campaigns move away from TeslaCrypt and over to CryptXXX, TeslaCrypt has apparently shut down and released a master decryption key. Interestingly, Kaspersky has defeated CryptXXX this week and has updated their unlocker for it, resulting in CryptXXX releasing a new version which was again promptly defeated.

A number of security researchers have blogged about obfuscation this week. Checkpoint has an interesting article on how Spear Phishing malware attacks are starting to include sandbox/analysis tool detection and evasion techniques to slow down malware researchers. Sucuri has a fun article on how a Joomla backdoor used multiple obfuscation techniques. And Fortinet has an interesting article on android malware, which again has checks around whether or not it is running in a virtual environment, and encrypts outbound communication. Finally, ThreatPost has a writeup of a new Microsoft Office macro obfuscation technique where payloads are stored in the names of buttons, and triggered when clicked.

In further, “I don’t know if I will ever use an ATM again” news, I’ve learned that some criminals implement skimmer malware, rather than just skimmer hardware. Initially popular between 2010 and 2013, Kaspersky Labs recently discovered a new variant after being asked to investigate a bank robbery where nothing was stolen. Said malware activates when a specific keycard is used, allowing a user to do things ranging from spitting out ids and pins, dispensing cash, or receiving an update.

A breach of LinkedIn data impacted 6.5 million users in 2012. Recently it was discovered that another 117 million users might be impacted, with those accounts surfacing this week. Security experts are dissatisfied with LinkedIn’s approach to reseting only known impacted accounts, an action that has resulted in these 117 million users being targeted years later. Troy Hunt has an interesting followup where he talks about LinkedIn’s response, the impact on breach disclosure on leaked information prices, and phishing events surrounding leak disclosures (because people are expecting password resets!).

A follow up to my previous coverage of MITRE, one security professional has complained about the difficulty of getting CVE numbers assigned to found vulnerabilities, resulting in setting up websites to disclose vulnerabilites as a result. MITRE has scrapped the previous decentralized proposal, meaning that they are still being overwhelmed with CVE requests.

A coworker of mine recently introduced me to the concept of Pastejacking, by which an attacker overrides the contents of the clipboard. If copied content looks innocent and is something that is pasted into a terminal, for example, it results in a user accidentally executing potentially malicious code.

Written on May 26, 2016