Security Roundup - 2017-03-10

Big news this week is the ‘Vault7’ dump of CIA exploits on Wikileaks. There is a lot of information, and I fully expect people to be picking it apart over the next few weeks, but some early things:

One Rapid7 engineer says, at a first glance, it mirrors the sorts of things he works on, including work on the Metasploit frameworks.

Ars Technica latched on to the CIA’s analysis of where the hacking unit Equation Group went wrong, and what they could do to avoid the same mistakes in their own tools, resulting in some coding tips.

BleepingComputer has a few articles. Covering things like code reuse from malware, decoy applications to infect machines while under scrutiny, and indications of zero days for a number of security products.

In other news:

Leaked accounts came from an unexpected source this week when one security researcher found an unsecured backup of a spammer’s database, composed of 1.37 billion email addresses. The backups also contain other files, providing details of the spamming operation itself.

SHA1 exploit research has continued, with researchers developing the BitErrant exploit which allows them to generate executables which do different things, but produce identical hashes for Bittorrent.

Security researchers have done tests on a number of Android password managers finding 26 flaws across them, most allowing for leakage of secrets. At time of writing, all found vulnerabilities have been fixed.

HackerOne has announced their ‘community edition’, allowing open source projects to sign up to the service for free. The only caveat is that HackerOne will not provide the customer support they provide customers, but otherwise all tools are identical.

Google has announced they have wrapped up ‘Operation Rosehub’, where they identified 2600 unique open source projects that depended on a library with a particularly bad remote execution bug. Google engineers took it upon themselves to update these projects, promoting safety across the internet. This process took the better part of a year. They mention how they are able to use BigQuery to quickly identify known problems like this, to figure out overall scope.

HackerOne did an AMA on Reddit this week. If you missed it, there is some pretty good Q&A.

Talos Intel has started their own weekly malware roundup, composed of the threats they have discovered in a given week, that they might not otherwise have written about. One thing they DID go into depth about though is a malware strain that uses DNS records as a C&C delivery mechanism.

Additionally, Talos reports on an exploit in Apache Struts, where users can potentially execute remote commands by putting malicious requests in the Content-Type request header. This is full remote execution, with some malicious actors doing attacks that would provide further access or install botnets and malware.

How could ransomware get smarter? One cryptographer performs a thought experiment in how ransomware could leverage automated systems to be more ‘reliable’ and autonomous via smart contracts, or more insidious by eventually leveraging hardware security features called security enclaves.

Akamai reveals that some web caches may be subject to a ‘Web Cache Deception Attack’, whereby an attacker convinces a user to initiate a web request such that an intermediate cache erroneously caches a web page with sensitive information, as it believes the content is something else. This relies on back end web applications interpreting a request in a diffent way than the cache, resulting in the application returning legitimate information, but the cache believing it is cacheable content. Attackers are then able to query the cache and potentially do things like harvest session tokens and sensitive information.

Sucuri has published their monthly lab notes, which contain a few interesting malware finds. One such was a backdoor trying to hide in a google verification file (unsuccessfully), malware that only worked in 2011 (and was finally discovered now), and malware using exotic PHP functions to operate.

Written on March 10, 2017