Security Roundup - 2016-10-27
Biggest news this week is, of course, the big DDoS attacks against Dyn from Mirai-infected electronic devices. Dyn has provided some details of the attacks, the first of which lasted ~2 hours, and the second of which lasted ~3.5 hours. Initial analysis leads them to say there were traffic surges 40-50x higher than normal. They are not able to confirm independent reports of the size and volume of the attack at this time.
The rest of the internet is abuzz with commentary:
Rapid7 has put together a Mirai FAQ.
Incapsula analyzes the Mirai source code, including the hardcoded password list, the hosts it is told NOT to scan, and its attempts to clean out other intruders.
Krebs provided lots of coverage. Notably, a summary of the sudden increase in DDoS volume, demonstrating potential ties between the Mirai and vDOS botnets, as well as news on one Chinese electronics firm which has vowed to issue a recall for a number of vulnerable devices.
A Motherboard article suggests that white hat hackers could write a virus to hack vulnerable devices and update them such that Mirai no longer works.
Meanwhile, some senators are expressing concern that there are no standards and no liability for device manufacturers, which some hope will cause manufacturers to sit up and self-regulate before the government imposes potentially harsher regulations.
Threatpost indicates that only 10% of the devices infected by Mirai may have been used in the attack, and that since Mirai went open source, the number of infections has doubled.
In related news, another DDoS mitigation provider has noticed a growing number of LDAP servers participating in DDoS attacks. Because some LDAP server variants answer queries over UDP, attackers can use them for UDP amplification attacks: a small spoofed request elicits a much larger response aimed at the victim, while hiding the true source of the overall attack.
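As an added illustration of the detection side of the LDAP reflection item above (not code from the original post or from any of the vendors it links), the script below scans constructed NetFlow-style records for hosts that receive outsized UDP/389 replies from several servers relative to the requests they sent. The sample addresses, the 10x ratio and the two-reflector threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from typing import NamedTuple

LDAP_PORT = 389


class Flow(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


# Constructed sample records (not real telemetry): 5-tuple plus byte count.
SAMPLE_FLOWS = [
    # Legitimate exchange: a client asks an internal LDAP server, modest answer.
    Flow("udp", "10.0.0.5", 50001, "10.0.0.10", LDAP_PORT, 150),
    Flow("udp", "10.0.0.10", LDAP_PORT, "10.0.0.5", 50001, 1200),
    # Reflection: three LDAP servers send large replies to 198.51.100.9,
    # which (as far as our sensor saw) sent each of them only a tiny query.
    Flow("udp", "198.51.100.9", 40000, "203.0.113.7", LDAP_PORT, 60),
    Flow("udp", "203.0.113.7", LDAP_PORT, "198.51.100.9", 40000, 4200),
    Flow("udp", "198.51.100.9", 40000, "203.0.113.8", LDAP_PORT, 60),
    Flow("udp", "203.0.113.8", LDAP_PORT, "198.51.100.9", 40000, 3900),
    Flow("udp", "203.0.113.9", LDAP_PORT, "198.51.100.9", 40000, 4000),  # no request seen
]


def find_ldap_reflection(flows, min_ratio=10.0, min_reflectors=2):
    """Return {victim_ip: (amplification_ratio, sorted reflector IPs)}.

    Sums bytes flowing FROM udp/389 to each destination (reflected responses)
    and bytes that destination sent TO udp/389 (its own requests). A high
    response/request ratio fed by several distinct servers is the amplification
    signature; a host that never sent a request at all gets float('inf').
    """
    resp_bytes, req_bytes = defaultdict(int), defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == LDAP_PORT:
            resp_bytes[f.dst_ip] += f.nbytes
            reflectors[f.dst_ip].add(f.src_ip)
        elif f.dst_port == LDAP_PORT:
            req_bytes[f.src_ip] += f.nbytes
    hits = {}
    for victim, got in resp_bytes.items():
        sent = req_bytes.get(victim, 0)
        ratio = got / sent if sent else float("inf")
        if ratio >= min_ratio and len(reflectors[victim]) >= min_reflectors:
            hits[victim] = (ratio, sorted(reflectors[victim]))
    return hits
```

Run against the sample, the internal client (ratio 8, one server) is not flagged while 198.51.100.9 is reported with three reflectors; on real flow data, tune the thresholds against a baseline of your own directory traffic.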
In other news:
Dirty Cow also landed on Friday. It is a nine-year-old Linux vulnerability based on a race condition that allows users to write to files they don’t normally have permission to modify. This, of course, includes the files holding usernames and passwords, which can be used to gain more access to the machine.
Mozilla has already baked TLS 1.3 support into Firefox, and has now announced that it will be turned on by default in March 2017. They join Cloudflare and Google in being proactive about pushing this new standard forward.
Sucuri has covered a number of credit card stealers for eCommerce sites, going into depth on a specific version they found infecting PrestaShop instances, as well as one that impacts Magento. The latter is interesting in that it dumps the stolen data into image files, and legitimate-looking image files at that, making it harder for people to detect the data being collected and letting it be exfiltrated through what looks like a regular file access.
Breakpoint Labs continues their series on how they break into networks. This week is Web Application Vulnerabilities. Sadly, it is standard fare, such as failing to update software and plugins, as well as not sanitizing user inputs.
The DoD is apparently expanding on the ‘Hack the Pentagon’ initiative and launching a longer-term bug bounty program.
Check Point has released the September edition of ‘Most Wanted’ Malware. Conficker is still #1. Locky has made it to #3, marking the first time ransomware has been in the top 3. ThreatPost indicates that Locky has at least 10 downloader variants as of this writing, and it still evolves in the ways in which it evades detection and infects systems.
BleepingComputer provides the rest of the Ransomware Roundup. There are some minor new players, one variant that includes a game, and Talos Intel has provided a tool that blocks updates to the Master Boot Record to mitigate ransomware attacks that use this strategy.