Security Roundup - 2016-06-16

Verizon has had two communication redirect issues this week. The first is where one determined hacker convinced a Verizon rep to change a phone number to a new SIM. This allowed the attacker to receive all calls/texts to a phone they controlled, intercepting 2 factor auth tokens. Similarly, Verizon recently patched a system vulnerability that would allow attackers to redirect a victim’s email to an account of their choosing, which would have allowed an attacker to redirect any password reset emails for accounts Verizon customers might have associated with their accounts.

TeamViewer has been having a rough time, with a lot of their customers having their machines accessed. Speculation abounds around whether these accounts were hacked due to leaked passwords via one of the many, many recent breaches or whether TeamViewer has had a breach themselves.

Twitter felt the weight of a password leak this week and has already proactively started resetting passwords for some accounts. Similar to the TeamViewer incident, the current belief is that these have been cross referenced from other breaches. Twitter indicates they are proactively cross referencing and resetting accounts as breaches come to light.

iMesh, a company that recently out of business, ALSO had old breached account data surface this week. Based on available records, this break might have occured in 2013 and 51 million accounts, including passwords which were hashed using MD5.

The Windows Background Intelligent Transfer Service (BITS), used by Windows to asyncronously fetch things like software updates, has been exploited to infect and re-infect systems by leveraging the “notification” feature to schedule persistent updates. As BITS is a trusted service, this allowed malware downloads from being triggered as potentially malicious activity by some monitoring systems.

That is not the biggest vulnerability that Microsoft has patched though. “Badtunnel” is an escalation attack which can be triggered with a variety of medium and allows an attacker to hijack traffic and gain control of remote machines. Versions of windows going back to Windows 95 are impacted by this vulnerability.

Krebs has another fascinating/terrifying update on ATM insert skimmers. This one contains videos of how they actually work, and how hard they would be to detect in real life.

Ever wonder how a ransomware-as-a-service ring works? Business insider has an interview with Flashpoint Intel, who convinced one russian ransomware boss to make them part of his ring.

Similar to the recent abrupt shutdown of TeslaCrypt, it looks like the Angler Exploit Kit has shut down, with malware campaigns migrating to a variety of other exploit kits.

Written on June 16, 2016