Security Roundup - 2017-02-23

I am sure no one missed the death knell of SHA1 as a security hash today, as Google has announced a practical SHA1 collision. Set to be unveiled in 90 days, allowing those stragglers that still haven’t updated, despite warnings from Google over the last several years, the attack is apparently 100K times faster than a brute force on a SHA1 hash making it only a matter of time before it if even cheaper.

RSA wrapped up last week, and Brian Krebs reports on an overlooked announcement with big impact. Apparently, researchers at RSA announced a breach by a company selling log management tools, where the update server was compromised for two weeks, in 2015 and clients automatically downloaded a compromised version of the software. RSA investigators discovered this in 2016 during an investigation and believe a number of organizations may still be compromised.

A frightening new persistent threat called ‘Operation Bugdrop’ was uncovered this week. The malware operates by controlling the microphone of the infected machine and uploading the data elsewhere. So far, more than 70 targets across a variety of industries, with most located in the Ukraine.

PhishingLabs has released their 2017 Phishing Trends Report. Highlights include: one million confirmed malicious phishing sites in 2016, 7800 phishing attacks investigated and/or mediated by Phishing Labs every month, and the top 5 targeted industries had an average 33% growth in attacks year over year. They expect Cloud Storage Services to be the number one target by end of year, supplanting the financial industry which is actually showing a decline. Finally, phishing attacks targeting people as the IRS in 2016 resulted in more phishing attempts than all of 2015 combined. With tax season underway, be wary!

This week Australia expanding its Breach Notification policy, while Canada is preparing new legislation requiring prompt breach notifications.

Chrome extensions can do fairly powerful things, and MalwareBytes covers how one malicious extension can abuse current abilities and make it extremely hard for the average user to uninstall. The extension in question enables a tech support scam, as well as connects to a C2C to potentially execute other code.

BleepingComputer has a nice rundown of Ramnit’s return from the 2015 takedown attempt. Unfortunately, it looks like as of 2017 it has reached the top 5 of active banking trojans.

Netflix released a project this week focused on ‘User Focused Security’. Called ‘Stethoscope’, the tool empowers users to go to a website, which will figure out some device information and provide actionable results and education for the user.

Dropbox also released a security focused product this week with SecurityBot. SecurityBot is chatbot that enables faster incident detection and resolution by automatically asking users to verify certain actions (like running sudo accidentally on a machine they don’t have permissions), allowing security to escalate quickly if the user indicates they did NOT perform said action. This allows Dropbox security to deal with false positives quickly, without necessarily requiring the security team to manually follow up on each signal, or ignore certain signals just because some individuals generate a high rate of false positives.

In ransomware, BleepingComputer provides coverage of a new ransomware family being reverse engineered live. The ransomware in question, Hermes, contained an randomization seed that could be attacked to create a decryptor for the malware.

Things to watch:

Wired reports on a newly reported memory attack that allows attackers to circumvent memory randomization efforts in modern operating systems. Being executable from Javascript in the browser, the attack relies on being able to measure operations of memory writes for a program to figure out where in memory it is, allowing them to potentially execute other memory corruption actions with greater certainty.

Written on February 23, 2017