Security Roundup - 2016-11-11

A few good IoT related articles:

  • Mirai may be imploding as competing hackers fight over the resources. As these botnets are also designed to keep out the competition, the botnets may be fracturing into smaller and smaller groupings.
  • Rapid 7 has been tracking Mirai, and also noticed a drop in overall active nodes.
  • Several people sent me “IoT Goes Nuclear”, a research paper that illustrates a proof of concept worm for the Philip’s Hue. They were able to develop a technique to force a bulb in proximity to update its firmware. From there, the infected device was able to spread through the network. Assuming a critical mass of similar devices, the entire network could be shut down or repurposed for malicious activity.
  • Wired has a story of a researches that built a stingray device that looks like an office printer. Since the device is indoors, it is that much easier to overwhelm outside cell towers, to monitor your traffic and perform malicious things.

Sucuri has published their October Lab Notes recap. Lots of eCommerce related maliciousness, where they believe attackers are preparing for the holiday season. Additionally, two notes on tricks backdoors are using to avoid casual detection.

Google has expanded their HTTPS Transparency Report, demonstrating an upwards trend in Chrome users interacting with sites over HTTPS. Additionally, they have rolled out a new Safe Browsing site.

Rapid 7 has developed a new Honeypot network and has a writeup of some early observations. They spread their pots across a number of cloud providers, and noticed a decidedly uneven distribution of attacks. They also noticed that inter-cloud communication was heavier in AWS to AWS public traffic than expected, a possible indicator of companies using AWS Classic, vs using VPCs to keep traffic internal.

Can your password survive 100 guesses? This is the question posed by recent research, which found that, with a little bit of PII, they has a one in five chance of guessing a password before reaching NIST’s lockout guidelines.

Endgame Security researcher Bobby Flair provides a writeup of AISec, where they also presented their paper on “DeepDGA: Adversarially-Tuned Domain Generation and Detection”. Effectively automating better ways to avoid DGA detection, to be used to automate better detection of generated domains.

Talos does a deep dive on the RIG Exploit Kit. RIG apparently has a number of configurable variants, and various levels of obfuscation to make tracking difficult. It tends to try to infect with various scripts, so where one might fail another may succeed. This includes ActionScript, Flash, JavaScript, and VBScript. MalwareBytes also has an Exploit Kit Retrospective for the last few months, giving some highlights on how these operate and are changing.

BleepingComputer rounds up the ransomware, detailing several new ransomware variants.

Written on November 11, 2016