Security Roundup - 2016-06-23

Fallout of the recent password leaks has continued as vendors such as Github, TeamViewer, and GoToMyPC all being victims of account/password reuse attacks. They have all stressed the importance of 2 factor auth.

Summer is upon as, as is some of the larger US based security conferences. Hackaday has an interesting article highlighting the importance of talks, but also delving into Network Security Theater, where some individuals have made wild claims, and then bailed in several occasions for unknown reasons. In a number of them, just the basic concept of the proposed talk led to multiple security researchers to quickly replicate the results.

The Pentagon recently released the results of their bug bounty program. From the HackerOne summary, 1,410 participants submitted 1,189 reports detailing 138 unique, valid vulnerabilities across a number of webapps. Common vulnerabilities appear to have been XSS and CSRF related, with some more severe SQL injections discovered as well. The Pentagon has touted this as a success citing cost savings, innovative approaches, and community building that would not occur under a more traditional security audit.

Last week Kaspersky labs uncovered the xDedic underground marketplace that was selling RDP access to compromised servers. This week, they analyze a public leak of hosts that allegedly compromised. They found a high correlation with their own observations, but interesting results that pushed US and UK servers to the top of their list of countries with most compromised servers. Their hypothesis is that a lot of servers are quickly sold, and their initial observations were potentially just the tip of the iceberg.

This year has seen a number of archive library related CVEs and Talos Security spins another tale of Poisoned Archives, detailing 3 more such vulnerabilities. All these vulnerabilities are due to validate input, and unfortunately can lead to remote code execution. Click the link if you are interested in the nitty gritty details.

In malware news, Checkpoint points out some interesting evolutions. One mobile malware variant that steals money sent via SMS is now hijacking the raw SMS data at the system level. Viking Horde is a new mobile malware with the intent to create a fraud related botnet on Android phones. And a ransomware variant called Flocker is apparently infecting Smart TVs. Additionally, they have published an updated Top 10 “Most Wanted” Malware. Conficker continues to be at the top, but otherwise there is a lot of movement on the board.

I found the SmartTV news interesting, when I also read Akamai’s recent post on Account Takeover Campaigns, where they noticed what they believe to be infected routers taking place in botnets used to try to break into accounts.

Trend Micro contributes with the discovery of ‘Godless’, an android malware program that tries to root a phone and then silently install other apps.

MalwareBytes, on the other hand, has a rundown on the disappearance of the popular Angular exploit kit, as well as an analysis of recent activity in the Necurs Botnet, which apparently took a bit of vacation recently, as well as a scope of its operations.

Finally, Etherium, a bitcoin alternative, has had some problems this week. One of the large contracts called The DAO had an implementation flaw that allowed an attacker to begin draining the currency into another account. Value in the currency plummeted after the news of the attack, and there is some belief that the hacker hedged their bets by shorting the currency. The people behind Etherium have released a blog post on ‘Thinking About Smart Contract Security’, detailing a number of poorly coded contracts. The current lesson appears to be that writting ‘smart’ contracts can be just as hard as real ones, and errors can be magnified since they are deliberately automatic, trying to avoid human arbitration. Conversely, given their public nature, they are potentially easier to exploit by a third party. A number of cryptocurrency enthusiasts have shown that programming issues appear to be somewhat common in the smart contract space at the moment.

Written on June 23, 2016