Security Roundup - 2017-02-02

Think last year was a bad year for modems? A security researcher from Trustwave Security details how he found a bug in his router that impacted 31 different Netgear routers overall. Sadly, part of his research involved finding two publically disclosed exploits for similar flaws in 2014 and expanding on that work. Netgear responded to this responsible disclosure and has issued patches for the affected devices.

Trustwave Security also increased my knowledge about SVG this week with their article on how SVG can actually contain Javascript and be used to execute remote payloads as a result.

In more device security news, Threatpost reports on a printer flaw that allows an attacker to extract information, including documents and credentials, remotely. They achieved this using a combination of “Cross Site Printing” and CORS spoofing to make a user’s browser act as a relay to exfiltrate data.

Akamai has been doing research into credential abuse, specifically scenarios where a botnet is working to avoid standard security controls. In these scenarios an individual website is unlikely to detect this behavior, since volumes are low and attempts are spread out across ips, accounts and time. However, when viewed in an aggregate across a number of sites they are protecting, Akamai was able to detect a number of sources and targets and increased detection of these attacks more readily than single site observation would.

LeakedSource, a website that obtained breach data and sold it openly was taken down this week. Troy Hunt, owner of HaveIBeenPwned, provides his thoughts on the service and the takedown. In his article, Troy is critical of the LeakedSource model where anyone could pay and get personal details from leaks. He points out a number of instances where this information has clearly been used maliciously (in Ourmine account takeover ways), and suggests that LeakedSource was also incentivizing attackers to find and turn up more data.

Google has just announced that they will now operate their own Root Certificate Authority, as well as aquiring two existing root CAs from GlobalSign. Among other things, this will allow Google tighter control over who can generate ‘official’ Google certificates, as their products could check the entire certificate chain, rather than just trust existing root CAs. With CAs like StartCom issuing rogue certificates, and even well known CAs like Symantec and GlobalSign having issues with certificates in the last year, it is understandable that a company like Google has shifted towards wanting more control over the security of all their properties.

Ars has an interesting article suggesting that Antivirus is making it harder to secure the browser. In this article, several browser engineers have pointed out where security protections have been delayed/had problems due to Antivirus hooking into and in some cases disabling functionality. An additional observation, supported by a number of vulnerabilities last year, is that the addition of anti-virus provides a larger attack surface.

In ransomware, BleepingComputer provides two terrible infection stories. In one, a police department lost up to 8 years of digital evidence, with some data having backups but recent data likely not. The second was for a hotel where the infected computer was also used to provision key cards for electronic locks. Since this only impacted the generation of the key, no customers were actually impacted.

Want to learn more about the new Locky Bart versions? Malwarebytes does an in depth analysis of the inner operations.

Talos Intel recently analyzed a malicious attachment apparently aimed at some government officials. They go into detail on the several layers of complexity the payload goes into in order to execute (doc file, with flash that executes actionscript) as well as some methods it used to avoid casual analysis.

For further in depth malware analysis Talos also disects EyePyramid, a malware sample that had remained undetected for a few years.

Written on February 2, 2017