Security Roundup - 2017-02-15

RSA is happening this week, and some interesting things are coming out of it. The most interesting to me so far is Google apparently talked about BeyondCorp their 6 year mission to allow employees to work from untrusted networks without a VPN. Rather than relying on VPNs, BeyondCorp relies on over a dozen metrics to decide access for a user for a specific resource, allowing for dynamic policies vs static policies.

As a companion piece to the above, O’reilly posts a conversation with an SRE at Stripe on Zero trust networks.

Sucuri has released their monthly lab notes, and there are some interesting gems. First is a note on bad actors masquerading malicious scripts as image files, to evade casual investigation of logs/traffic. Second, they cover some techniques malicious actors use to spread backdoors/malware/etc on shared hosts, expanding their influence quickly due to lack of security for one neighbor.

Brian Krebs follows up on the LeakedSource takedown, by assembling some clues on who might have been behind the site.

A self-healing malware strain has been found in the Magento platform which uses SQL triggers to see if it has been cleaned up and re-installs itself if so.

Another bad news day for Yahoo as they announce that some accounts might have been accessed without a password in 2015 or 2016, using forged cookies generated by a tool internal to Yahoo.

Following last week’s Wordpress API security flaw, it is reported that up to 1.5 million Wordpress sites have been defaced, despite security features that would update a percentage of sites and additional security plugins that were intended to mitigate the problem. More than a dozen different defacement campaigns have been detected as of this writing.

This week I learned that some Ransomware is delivered via brute force RDP attacks, where the attacker breaks into machines via exposed remote desktops and manually executes malware. Sadly, this method appears to be on the rise.

Akamai has released their Q4 State of the Internet Report this week. Overall DDoS attacks were down QoQ, which they attribute to the various Botnets fighting over resources vs performing actual attacks. However, web application attacks were up QoQ, with SQLi attacks growing the most in that time period. Unsurprisingly, they expect IoT botnets to increase in the near future.

Speaking of the internet of things, BleepingComputer posts an interesting story where smart devices at a university were hijacked, causing the botnet to accidentally overwhelm the network with traffic. To the university’s credit, they had the smart devices segregated in a separate network, preventing the infection from spreading out of the network.

Sophos Labs has released their Malware Forecast report. Unsurprisingly, IoT devices are ALSO at the top of this list. Also highlighted, Android malware and macOS malware being on the rise,

Finally, Talos Intel has an analysis on the AthenaGO malware strain. This malware is interesting for a few reasons. First being the language (Golang), which is not commonly used for malware. The second is its use of Tor2Web proxies, to communicate to C2C nodes on TOR without having to install TOR on the infected machine. This provides some additional anonymity to the attacker, though does allow for blocking at the proxy level.

Written on February 15, 2017