Security Roundup - 2016-06-09

Two big reports have landed this week.

The first is an analysis from Rapid 7 and their Project Sonar, called the National Exposure Index. It provides details on some of the most popular open ports on the internet today. Some interesting observations, including the adoption of secure alternatives to a number of protocols is still lower than the non-encrypted versions (POP3, SMTP, HTTP, IMAP), with the exception of SSH vs Telnet. That being said, there are still a lot of things responding as Telnet, and the authors are (rightfully worried) by the fact that there are still so many devices using Telnet on the internet. “Most services on the internet are unencrypted, which is worrisome for any standards or enforcement body charged with keeping up a reasonable security profile for an organization.”

The second is Akamai’s State of the Internet report. This report looks at attack trends that Akamai sees over their network. Some surprising things include: ‘mega attacks’ (> 100 Gbps) have increased by 280% since last quarter. There is a big jump of 87% in SQL injection attacks since last quarter. More web app attacks are coming over HTTPS, possibly due to the increased roll out of HTTPS across sites. Reflectors, using common internet services like NTP and DNS are increasingly used in DDoS attacks, with NTP reflection jumping 71%.

Related to the uptick in NTP reflection, ThreatPost reports on a number of NTP flaws that allow for Denial of Service attacks. These have all been disclosed and patched, so we will see if next quarter’s State of the Internet report shows a corresponding drop in this type of DDoS.

The more payment processing news I read, the more convinced I am that maybe I should just switch back to cash that I get straight from a teller at a physical bank. The latest example is another Krebs article on a Point of Sale Botnet that has probably harvested more than 1.2 million credit cards. It seems that the impacted restaurants are victims of social engineering, giving access to remote individuals so they can run some ‘support tasks’.

I came across this fascinating extension to typosquats, where someone decided to apply the concept to software packages. By setting up a number of packages with slightly different names, containing an application that just reported statistics to him, the author received a number of hits from 17289 different servers over a short period of time. Of these, 43.6% of them updated the packages with admin rights.

Discussion on the above led me to another interesting article on bitsquating, which are like typosquats but based on differences in bits, so random fluctuations in memory/cosmic rays could conceivably send someone to an incorrect website.

Sucuri points out that forms will allow data theft if your site is ever hacked, and this makes payment processing hard by going over a Magento payment processing plugin for Braintree. Attackers essentially used the extension’s own information collection facilities to harvest credit card and user information and send it somewhere remote for collection.

MalwareTech did a good job busting that Cerber became polymorphic by generating a new hash every 15 seconds. Coincidentally, Fortinet has an article demonstrating how a piece some malware becomes polymorphic by re-encrypting some functions on each use, meaning the malware signature changes on an individual machine over its lifetime.

Checkpoint recently pointed out a flaw in Facebook’s Messenger platform, which would allow someone to modify messages. Following malware trends, they posit that flaws like these would allow a malicious actor to constantly update landing pages for malware, as other products begin detecting them and blocking URLs, thus lengthening the amount of time for someone to click through and become infected.

BleepingComputer has the best roundup in ransomware news. This week features Ransomware updates (including CryptXXX rebranding as UltraCrypter!), as well as new kids on the block with BlackShades (which taunts security researchers) and JuicyLemon, which interestingly asks people to email a certain address for instructions.

Written on June 9, 2016