Security Roundup - 2016-10-27

Biggest news this week is, of course, the large DDoS attacks against Dyn from Mirai-infected devices. Dyn has provided some details of the attacks: the first of which lasted ~2 hours, and the second of which lasted ~3.5 hours. Their initial analysis says traffic surged to 40-50x higher than normal. They are not able to confirm independent reports of the size and volume of the attack at this time.

The rest of the internet is abuzz with commentary:

In related news, another DDoS mitigation provider has noticed a growing number of LDAP servers participating in DDoS attacks. Because some LDAP server variants also answer queries over UDP, attackers can spoof the victim's address on small queries and have the server send its much larger responses to the victim, amplifying the traffic while hiding the true source of the attack.
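The defender-side check for this is to watch your own LDAP servers for the reflector pattern: many tiny UDP/389 queries "from" one address, answered with responses that are an order of magnitude larger. The following is an added example, not code from the roundup or from any DDoS vendor; it assumes per-direction flow records with the hypothetical `Flow` fields below, and the addresses and byte counts are constructed sample data.

```python
"""
Added example (not from the roundup or any vendor): flag a UDP LDAP server
that is being used as a reflector for amplification.

Assumptions: flow records are summarized per direction (NetFlow/IPFIX style)
using the hypothetical Flow fields below; IPs and byte counts are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple

LDAP_UDP_PORT = 389  # connectionless LDAP answers queries over UDP


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


# Constructed sample: one legitimate query/answer pair, one TCP bind, and a
# burst of small queries whose source address is really the victim
# (203.0.113.7), each answered with a response many times larger.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", 51000, "192.0.2.10", LDAP_UDP_PORT, "udp", 80, 1),
    Flow("192.0.2.10", LDAP_UDP_PORT, "10.0.0.5", 51000, "udp", 320, 1),
    Flow("10.0.0.6", 52000, "192.0.2.10", LDAP_UDP_PORT, "tcp", 500, 4),
]
SAMPLE_FLOWS += [
    Flow("203.0.113.7", 40000 + i, "192.0.2.10", LDAP_UDP_PORT, "udp", 52, 1)
    for i in range(200)
]
SAMPLE_FLOWS += [
    Flow("192.0.2.10", LDAP_UDP_PORT, "203.0.113.7", 40000 + i, "udp", 3000, 3)
    for i in range(200)
]


def find_reflection_victims(flows: Iterable[Flow],
                            min_ratio: float = 10.0,
                            min_response_bytes: int = 100_000) -> List[dict]:
    """Return (server, claimed client) pairs where UDP/389 responses dwarf
    the queries. The claimed client is the spoofed address, i.e. the DDoS
    victim; the server is the host being abused as a reflector."""
    requests: Dict[Tuple[str, str], int] = defaultdict(int)
    responses: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue  # only the UDP variant can be reflected with a spoofed source
        if f.dst_port == LDAP_UDP_PORT:
            requests[(f.dst_ip, f.src_ip)] += f.nbytes
        elif f.src_port == LDAP_UDP_PORT:
            responses[(f.src_ip, f.dst_ip)] += f.nbytes

    findings = []
    for (server, client), out_bytes in responses.items():
        in_bytes = requests.get((server, client), 0)
        # responses with no matching queries at all are the strongest signal
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_response_bytes and ratio >= min_ratio:
            findings.append({
                "reflector": server,
                "victim": client,
                "request_bytes": in_bytes,
                "response_bytes": out_bytes,
                "amplification": round(ratio, 1) if in_bytes else None,
            })
    return findings


if __name__ == "__main__":
    for hit in find_reflection_victims(SAMPLE_FLOWS):
        print(hit)
```

On the constructed data the one flagged pair is the server `192.0.2.10` reflecting towards `203.0.113.7` at roughly 58x amplification; the legitimate query/answer pair stays well under both thresholds. The thresholds are deliberately conservative so that a single large directory answer does not page anyone.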

In other news:

Dirty Cow also landed on Friday: a nine-year-old Linux kernel vulnerability based on a race condition that allows users to write to files they don't normally have permission to modify. This, of course, includes the files holding usernames and passwords, which can be used to gain more access to the machine.

Mozilla has already built TLS 1.3 support into Firefox, and has now announced that it will be turned on by default in March 2017. They join Cloudflare and Google in proactively pushing this new standard forward.

Sucuri has covered a number of credit card stealers for eCommerce sites, going into depth on a specific version they found infecting PrestaShop instances, as well as one that impacts Magento. The latter is interesting in that it dumps the stolen data into image files, and legitimate-looking image files at that, making it harder for people to notice the data being collected, and letting it be exfiltrated through an ordinary-looking file access.
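The reason this hides well is that image viewers stop reading at the JPEG End-Of-Image marker, so anything appended after it does not change how the file renders. A file-integrity check that walks the JPEG structure and reports trailing bytes catches exactly that. The following is an added example, not Sucuri's code or the skimmer's; the sample "image" is a constructed minimal JPEG skeleton (not a decodable picture), and the appended card string is a constructed sample value.

```python
"""
Added example (not Sucuri's code or the malware's): check whether a JPEG
carries extra bytes after its End-Of-Image marker. Image viewers stop at
EOI, so a file with data appended there still looks and renders like a
normal picture. The sample images and the appended text are constructed.
"""
from typing import Optional

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_trailing_data(data: bytes) -> Optional[bytes]:
    """Walk the JPEG segment structure and return whatever follows the EOI
    marker (b"" for a clean file). Returns None if the input is not a
    well-formed JPEG, so callers can tell 'clean' from 'could not parse'."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return None  # expected a marker here
        marker = data[i + 1]
        if marker == EOI:
            return data[i + 2:]
        if marker == 0xFF:  # fill byte before a marker
            i += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone markers
            i += 2
            continue
        if i + 3 >= n:
            return None
        seg_len = int.from_bytes(data[i + 2:i + 4], "big")  # length includes itself
        i += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows the SOS header. Inside it 0xFF is
            # byte-stuffed as FF 00 and restart markers FF D0..D7 may occur;
            # the first other marker ends the scan (normally EOI).
            while i + 1 < n:
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and nxt != 0xFF \
                        and not (0xD0 <= nxt <= 0xD7):
                    break
                i += 1
    return None  # truncated: ran out of bytes before EOI


def looks_tampered(data: bytes, min_trailing: int = 0) -> bool:
    """True when the file parses as JPEG and has more than min_trailing
    bytes after EOI. Unparseable input is reported separately as False."""
    trailing = jpeg_trailing_data(data)
    return trailing is not None and len(trailing) > min_trailing


def _build_sample_jpeg() -> bytes:
    """Smallest structure that exercises the parser: APP0 (JFIF), SOS with a
    stuffed FF 00 inside the scan, then EOI. Constructed; not a real picture."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + \
        b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


CLEAN_IMAGE = _build_sample_jpeg()
SKIMMED_PAYLOAD = b"cc=4111111111111111;exp=12/19;cvv=123\n"  # constructed sample
TAMPERED_IMAGE = CLEAN_IMAGE + SKIMMED_PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        extra = jpeg_trailing_data(blob)
        print(name, "trailing bytes:", None if extra is None else len(extra))
```

Run over a web root's upload directory, the useful output is the list of files where `looks_tampered` is true, plus the size of the trailing blob, which for a skimmer's drop file grows between checks. A legitimate JPEG can carry a few trailing bytes from sloppy editing tools, so raise `min_trailing` rather than alerting on every non-zero tail.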

Breakpoint Labs continues its series on how they break into networks. This week's topic is web application vulnerabilities: sadly standard fare, such as failing to update software and plugins, and not sanitizing user input.

The DoD is apparently expanding on the 'Hack the Pentagon' initiative and launching a longer-term bug bounty program.

Security researchers have demonstrated bit-flipping attacks on Android. Labelled 'Drammer', it relies on continuously accessing memory to induce an error state and flip a bit, producing undesired behaviour that enables apps to break out of security sandboxes and obtain root permissions on a device. The research indicates this could even be triggered by JavaScript in a browser.

Check Point has released the September edition of its 'Most Wanted' malware list. Conficker is still #1. Locky has made it to #3, the first time ransomware has appeared in the top 3. ThreatPost indicates that Locky has at least 10 downloader variants as of this writing, and it continues to evolve in the way it evades detection and infects systems.

BleepingComputer provides the rest of the ransomware roundup: some minor new players, one variant that includes a game, and Talos Intel providing a tool that blocks updates to the Master Boot Record to mitigate the ransomware families that use this strategy.

Written on October 27, 2016