Security Roundup - 2017-01-18

Google has announced Key Transparency, a project to publish users' public keys in a publicly auditable log. It is a key-verification idea in the same spirit as Keybase, while also preserving the privacy of the user. A writeup of the design is available on GitHub.

Mobile malware is a large problem, with families like Gooligan and HummingBad making the rounds. Google has written an article on a technique it uses to detect apps carrying this kind of malware, combining its Potentially Harmful Apps (PHA) detection with monitoring for devices that stop checking in with the PHA scanner. Cross-referencing the apps a device downloaded with the devices that stop reporting makes it possible to single out apps that are likely behaving maliciously (an app that disables the scanner or renders the device unusable shows up as an unusual number of devices going silent after installing it) and to flag them automatically for review.
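The cross-referencing step above is easy to get wrong without a baseline, since every app loses some installs to devices that are simply retired. The block below is an added example (not Google's code) showing one way to do the comparison: for each app, count how many devices that installed it kept checking in, and compare that with the fleet-wide retention rate using a binomial z-score. The telemetry, package names, and the -3.0 threshold are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample telemetry (not real Google data): install records as
# (device_id, package) pairs, plus the set of devices that later stopped
# checking in with the PHA scanner.
DEVICES = [f"dev{i:02d}" for i in range(60)]
INSTALLS = (
    [(d, "com.example.notes") for d in DEVICES]              # on all 60 devices
    + [(d, "com.example.weather") for d in DEVICES[::2]]     # on 30 devices
    + [(d, "com.example.camera") for d in DEVICES[20:40]]    # on 20 devices
    + [(d, "com.example.flashlight") for d in DEVICES[:12]]  # on 12 devices
)
# 10 of the 12 flashlight installs went silent; only 3 other devices did.
WENT_DARK = set(DEVICES[:10]) | {"dev30", "dev45", "dev59"}


def retention_zscores(installs, went_dark, min_installs=5):
    """Score each app by how its retention compares with the fleet baseline.

    "Retained" means the device kept checking in. With N devices carrying an
    app and a fleet-wide retention probability p, the retained count should
    look binomial(N, p), so z = (retained - N*p) / sqrt(N*p*(1-p)). A large
    negative z means devices that installed this app go dark far more often
    than chance would explain.
    """
    devices_for_app = defaultdict(set)
    fleet = set()
    for device, app in installs:
        devices_for_app[app].add(device)
        fleet.add(device)
    p = 1.0 - len(fleet & went_dark) / len(fleet)   # baseline retention probability
    scores = {}
    for app, devices in devices_for_app.items():
        n = len(devices)
        if n < min_installs:        # too few installs for the statistic to mean much
            continue
        retained = n - len(devices & went_dark)
        sd = math.sqrt(n * p * (1.0 - p))
        scores[app] = (retained - n * p) / sd if sd else 0.0
    return scores


def flag_for_review(installs, went_dark, threshold=-3.0, min_installs=5):
    """Apps whose retention z-score is at or below `threshold` (an assumed cutoff)."""
    scores = retention_zscores(installs, went_dark, min_installs)
    return sorted(app for app, z in scores.items() if z <= threshold)


if __name__ == "__main__":
    for app, z in sorted(retention_zscores(INSTALLS, WENT_DARK).items()):
        print(f"{app:28s} z={z:+.2f}")
    print("flagged:", flag_for_review(INSTALLS, WENT_DARK))
```

On this data the flashlight app scores around z = -5.2 while the three benign apps sit near zero or above, so only the flashlight package is flagged. The `min_installs` guard matters in practice: with a handful of installs a single retired phone can produce a scary-looking ratio without any statistical weight behind it.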

Brian Krebs has been investigating who is behind the Mirai botnet and believes he has worked out the real-world identity of the person responsible. Note: this is a long read that goes over his entire investigation, and a really interesting look at the whole DDoS ecosystem.

With last week's MongoDB land grab winding down, attackers appear to have shifted to publicly accessible Elasticsearch clusters. Duo Security points out that this shouldn't be a surprise, given that the volume of exposed data has been reported multiple times over the last two years. Plenty of other datastores are still exposed, and Redis was already hit last year. What comes after Elasticsearch? BinaryEdge gives a brief history of database ransomware and says there are early signs that Hadoop is the next target. BleepingComputer reports vandalized Hadoop servers as well as CouchDB servers that already carry ransom notes. The common thread is a datastore listening on a public interface with no authentication, so the fix is the same for all of them: bind to localhost or a private interface, turn authentication on, and firewall the port.
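Most of these ransom victims were not exploited; they were simply listening on 0.0.0.0 with no credentials. The block below is an added example, not from any of the linked articles, that audits Redis, Elasticsearch and MongoDB configuration files for exactly that condition. The config fragments are constructed for the example, and the version-dependent defaults it assumes (Redis protected-mode on since 3.2, Elasticsearch binding loopback by default since 2.0, MongoDB listening on all interfaces before 3.6) are noted in the comments.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed config fragments (not taken from any real server).
REDIS_CONF_WEAK = """\
# listens on every interface, no password, protected mode switched off
bind 0.0.0.0
protected-mode no
port 6379
"""
REDIS_CONF_OK = """\
bind 127.0.0.1 ::1
protected-mode yes
"""
ES_YML_WEAK = """\
cluster.name: prod-search
network.host: 0.0.0.0
http.port: 9200
"""
ES_YML_OK = """\
cluster.name: prod-search
"""
MONGOD_CONF_WEAK = """\
net:
  bindIp: 0.0.0.0
  port: 27017
"""
MONGOD_CONF_OK = """\
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def _directive(text, key):
    """Value of the first uncommented `key value` or `key: value` line, or None."""
    m = re.search(rf"^\s*{re.escape(key)}\s*:?\s+(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def audit_redis(conf):
    bind = _directive(conf, "bind")
    addrs = set(bind.split()) if bind else set()
    # protected-mode defaults to yes since Redis 3.2 (assumed here). It only
    # kicks in when there is no explicit bind directive and no password.
    protected = (_directive(conf, "protected-mode") or "yes").lower() == "yes"
    has_password = _directive(conf, "requirepass") is not None
    if addrs and addrs <= LOOPBACK:
        return []
    if has_password:
        return ["INFO: redis reachable from the network; only requirepass protects it"]
    if not addrs and protected:
        return ["INFO: redis has no bind directive; protected-mode rejects remote clients (3.2+ only)"]
    return ["HIGH: redis reachable from the network with no authentication"]


def audit_elasticsearch(yml):
    host = _directive(yml, "network.host")   # default is loopback since ES 2.0
    if host is None or host.strip("\"'") in LOOPBACK:
        return []
    return [f"HIGH: elasticsearch network.host={host}; the REST API has no "
            "authentication without a security plugin"]


def audit_mongod(conf):
    bind_ip = _directive(conf, "bindIp")
    if bind_ip is None:
        return ["HIGH: mongod has no bindIp; builds before 3.6 listen on all interfaces by default"]
    if set(bind_ip.split(",")) <= LOOPBACK:
        return []
    if (_directive(conf, "authorization") or "").lower() == "enabled":
        return [f"INFO: mongod bindIp={bind_ip} reachable from the network; authorization is enabled"]
    return [f"HIGH: mongod bindIp={bind_ip} reachable from the network with authorization disabled"]


if __name__ == "__main__":
    for name, finding in [("redis", audit_redis(REDIS_CONF_WEAK)),
                          ("elasticsearch", audit_elasticsearch(ES_YML_WEAK)),
                          ("mongod", audit_mongod(MONGOD_CONF_WEAK))]:
        print(name, finding)
```

Point the three functions at `/etc/redis/redis.conf`, `elasticsearch.yml` and `mongod.conf` respectively. The parser is deliberately line-oriented, so it will not follow YAML includes or anchors; treat an empty result as "nothing obvious", not as a clean bill of health, and confirm with `ss -lntp` on the host.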

Threatpost has a story on the Carbanak malware family, which is apparently using Google Sheets as a C&C channel: infected nodes write to a sheet to exfiltrate data and read from it to pick up new commands. It joins TeleCrypt (which used Telegram's bot API) as another strain that leverages third-party services rather than running its own C&C infrastructure. The appeal for the attacker is that TLS traffic to a well-known SaaS domain blends in with legitimate use and is rarely blocked, so detection has to lean on behaviour (which process is talking, how regularly) rather than on the destination.

ShmooCon has wrapped up, and some interesting news came out of it. Did you know that squirrels cause more infrastructure outages than cyberattacks? Apparently some reported cyberattacks were actually misattributed animal-caused outages.

SHA-1 certificates should be on their way out this year, as browsers are poised to flag certificates that are not signed with SHA-2. In the Alexa top million, apparently only 536 sites still do not offer a SHA-2 certificate. Caught in the crossfire are all those devices that are hard to upgrade but present SSL/TLS certificates: things like routers and PoS/banking systems. The check that matters is the signature algorithm on the leaf and intermediate certificates; a SHA-1 self-signature on a trusted root does not count, since browsers do not verify root self-signatures.
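For an inventory of appliances that cannot be upgraded, the useful first step is simply reading the signature algorithm out of each certificate. As an added example (not from the article), the block below walks the outer DER structure of an X.509 certificate with a minimal TLV reader, decodes the signatureAlgorithm OID, and classifies it as SHA-1 or SHA-2. It does not use a third-party ASN.1 library; the OID tables come from the RFCs, and the sample certificates are constructed (structurally valid, unsigned placeholders) so that it runs offline.

```python
# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SHA1_SIGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10040.4.3": "dsa-with-sha1",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA2_SIGS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
             "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
             "1.2.840.10045.4.3.4": "ecdsa-with-SHA512"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at `pos` (single-byte tags only).

    Returns (tag, value, position after the value); handles short and long lengths.
    """
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this base-128 arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate entirely
    tag, alg, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid, _ = _read_tlv(alg, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)


def classify(cert_der):
    """('sha1' | 'sha2' | 'unknown', algorithm name or raw OID)."""
    oid = signature_algorithm(cert_der)
    if oid in SHA1_SIGS:
        return "sha1", SHA1_SIGS[oid]
    if oid in SHA2_SIGS:
        return "sha2", SHA2_SIGS[oid]
    return "unknown", oid


# --- constructed sample certificates so the check can run offline ----------

def _der_len(n):
    if n < 128:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                         # remaining 7-bit groups, high bit set
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid):
    """Structurally valid, unsigned placeholder certificate (constructed).

    The tbsCertificate is a stub and the signature is dummy bytes, sized so the
    outer SEQUENCE needs the long-form length that real certificates use.
    """
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 256)
    return _tlv(0x30, tbs + alg + sig)
```

To run it against a live device, fetch the leaf with the standard library: `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` and pass the result to `classify`. Remember that this only inspects the leaf; the intermediates in the chain need the same treatment, and an "unknown" result (md5WithRSA, for instance) is worse news than SHA-1, not better.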

Sucuri has a roundup of its December Lab Notes, which detail a number of CMS-related security problems.

Check Point has released its Malware Most Wanted update, and there is a lot of movement on the board. Conficker is still at the top, and overall malware attacks were down over the holidays.

In other ransomware news, one of the C&C servers for Cerber was recently compromised by security researchers. They observed 700 downloads of Cerber during their observation window, which they extrapolated to 8,400 downloads per day.

Endgame has also published an in-depth analysis of a ransomware strain from the latest Flare-On Challenge.

Written on January 18, 2017