Security Roundup - 2016-07-07

More hardware security vulnerabilities this week, with a firmware problem on certain Gigabyte motherboards impacting such laptops as the Lenovo Thinkpad series and HP Pavilion laptops, allowing for the disabling of numerous security protections and the running of arbitrary code. Also, Duo Labs reports that a large number of Android devices are vulnerable to previously patched CVEs (specifically, this Qualcomm exploit that undermines full disk encryption), as they have yet to receive an update and may never do so due to the way OEM/carrier patch rollouts work.

As the volume of threat intelligence increases, more groups turn to machine learning to try to sort the signal from the noise. MIT’s Computer Science and Artificial Intelligence Lab has apparently developed a system called AI^2 which is able to monitor logs and detect 85% of attacks, reducing what needs to be reviewed by human beings.

My co-worker, Josh Rendek, recently put together a presentation on a side project of his called sshpot. He has followed up by writing up some of his thoughts, process, and findings from building an SSH honeypot.

TrapX Labs has released a report entitled “Anatomy of an Attack – Medical Device Hijack 2”, giving an update on their observations of hospital-focused malware. Interestingly, they are seeing old exploits delivering new payloads, seemingly a result of medical devices being older Windows machines in many cases.

DARPA is apparently running a ‘Cyber Grand Slam’ in August, where bots will compete to automatically exploit vulnerabilities, as well as defend against them on the fly. I am looking forward to the reports and follow-up from this event.

TrustWave has an interesting article on reverse engineering the Hawkeye Keylogger, which also uses very old exploits to try to install itself.

Login security basics: long passwords, HTTPS, password hashing. Right? Troy Hunt has had a long week of appsec issues, where various players forget the basics.
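Since the "basics" keep getting forgotten, here is an added example (not from the original post or from any of the sites it mentions) of what password hashing should look like, next to the naive unsalted hash that shows up in so many breaches. The iteration count, salt length and the `pbkdf2_sha256$…` storage format are assumptions chosen for this example, not a standard the post prescribes.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example: a per-password random salt and a
# slow key-derivation function so each guess costs the attacker real CPU time.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
ALGO = "pbkdf2_sha256"


def naive_sha256(password: str) -> str:
    """The anti-pattern: fast, unsalted, and identical for identical passwords,
    so one cracked hash unlocks every account that shares that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    Storing the parameters alongside the digest lets the iteration count be
    raised later without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)  # fresh salt per password, never reused
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was produced under a weaker policy than the current
    one; call this after a successful login and re-hash the plaintext then."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Two users picking the same password: naive hashing makes that visible.
    print("naive collision:", naive_sha256("hunter2") == naive_sha256("hunter2"))
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("salted records differ:", a != b)
    print("verify ok:", verify_password("hunter2", a))
    print("verify wrong:", verify_password("hunter3", a))
```

The record format is what makes the last function possible: when the iteration count is raised, old rows are detected by `needs_rehash` on the user's next login and upgraded transparently, which is the only time the plaintext is available to re-hash.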

Interested in smart appliances, but worried about security? This week I learned of Matthew Garrett, a security researcher in SF who has started writing security-oriented product reviews of IoT devices.

I knew domain hijacking was a thing, but this week I learned that bad actors also try to hijack IPv4 netblocks. Simply by checking for unmaintained WHOIS records, registering the lapsed domain and posing as the legitimate company, attackers are apparently able to successfully flip IPv4 addresses to buyers.

As always, BleepingComputer has the best Ransomware Roundup. This week includes new Locky variants, a ransomware named ‘EduCrypt’ that attempts to educate users about malware, numerous decryptors for the numerous variants, and Satana, a ransomware that not only encrypts your files but also encrypts a machine’s Master Boot Record to prevent users from starting up their operating system.

Written on July 7, 2016