Security Roundup - 2016-06-30

Apple makes further security transparency strides by leaving the kernel of its next iOS release unencrypted. Apple had previously obscured it, but the hope is that with a more open kernel, security researchers will have an easier time finding and reporting security issues. Some security researchers say, however, that this could lead to additional attacks against the OS. Kaspersky collects further arguments on either side.

Uber’s bug bounty program has produced some interesting results from researchers. SophosLabs has a nice writeup of one team’s findings, which chained a number of smaller leakages to work up to a larger data leak. Going back to the team’s original post detailing their overall process is a great read as well, including a brute-force promo-code vulnerability, the ability to track where drivers have been, and access to the trip history of other users.

Tor has added ‘Selfrando’ to strengthen the Tor Browser. This technique randomizes the location of code in memory. That prevents ‘code re-use’ attacks, in which an attacker relies on knowing where existing code sits in memory in order to make it do unexpected things.

Rapid7 has followed up on the recent discovery that administrative commands can be issued to ClamAV remotely, scanning the internet for exposed nodes and analysing the results. In total, under 6k nodes across the entire internet are exposed. They believe a number of these are systems whose owners don’t realize ClamAV is installed (or have forgotten).

Relatedly, Symantec has announced that a number of its products are subject to a system-level vulnerability. It stems from a number of vulnerabilities in the archive-handling code, which can cause malicious code to be executed simply because Symantec AV scans a crafted file. Since the scanner runs with elevated privileges, this allows an exploit to compromise the entire machine.

DDoSes are still a popular attack method, but Sucuri has been surprised by the rise in IoT device participation in such attacks: a recent attack included 25K compromised CCTV cameras.

In another great article by Sucuri, malicious ads turn out to be hosted on parked or expired domains. Findings include a CMS template that linked third-party content which was no longer maintained; the domain was bought up by someone monitoring for expired domains that still had live links pointing at them. This underlines the importance of hosting your own assets rather than hotlinking, though the W3C has just recommended Subresource Integrity to verify that the asset actually delivered is the one expected. Usage of SRI would protect over 50% of web browser traffic.

The Talos research group has an excellent article on how malware uses DNS to exfiltrate data and how one can use Passive DNS to detect these attacks.
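As an added illustration of the detection side (my own example, not code from the Talos article), the script below scores passive DNS records by registered domain and flags the footprint DNS tunnelling leaves behind: many unique query names whose leftmost labels are long and high-entropy. The log format, the `badexfil.example` domain, the session label and the thresholds are all constructed for the example; the eTLD+1 logic is deliberately naive.

```python
import math
from collections import defaultdict

# Constructed sample passive DNS records (not real traffic): "<epoch> <client_ip> <qname> <qtype>".
# The badexfil.example names carry a random-looking payload label, a fixed session label, then the domain.
SAMPLE_LOG = """\
1467270001 10.0.0.5 www.example.com A
1467270002 10.0.0.5 mail.example.com A
1467270003 10.0.0.7 kq7zx2mf9vjp4trwn8gd.7374616c652d6461.badexfil.example A
1467270004 10.0.0.7 b3hs6yuc5ea0lio1nxz7.7374616c652d6461.badexfil.example A
1467270005 10.0.0.7 w9rq2vt4kpm8jd6fgz3a.7374616c652d6461.badexfil.example A
1467270006 10.0.0.7 x1c7nh5ol2bsy8u0evi4.7374616c652d6461.badexfil.example A
1467270007 10.0.0.7 d6gm3jt9pw4fr2zk7qvn.7374616c652d6461.badexfil.example A
1467270008 10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Naive eTLD+1 (last two labels); production code should use a public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_qnames(text):
    """Return the lower-cased query names from the constructed log; skip malformed lines."""
    return [line.split()[2].lower() for line in text.splitlines() if len(line.split()) == 4]

def score_domains(qnames, min_unique=4, min_label_len=16, min_entropy=3.0):
    """Flag registered domains whose leftmost labels are numerous, long and high-entropy:
    the footprint DNS tunnelling leaves in passive DNS, which ordinary hostnames lack."""
    per_domain = defaultdict(set)
    for q in qnames:
        per_domain[registered_domain(q)].add(q)
    flagged = {}
    for dom, names in per_domain.items():
        first = [n.split(".")[0] for n in names]
        avg_len = sum(len(l) for l in first) / len(first)
        avg_ent = sum(shannon_entropy(l) for l in first) / len(first)
        if len(names) >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_names": len(names), "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged

if __name__ == "__main__":
    print(score_domains(parse_qnames(SAMPLE_LOG)))
```

Only `badexfil.example` is flagged on the sample; the two `example.com` hosts fall below the unique-name threshold, which is what keeps normal CDN and mail traffic out of the alert.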

Malwarebytes put together an amazing infographic on the Bonnie and Clyde of advanced threats: malvertising and ransomware, two threats that multiply each other’s potential. Shockingly, they estimate that 70% of malvertising campaigns are now delivering ransomware.

As always, BleepingComputer has the best roundup of ransomware. This week includes the return of Necurs and Locky, as well as multiple new types of ransomware.

Written on June 30, 2016