Security Roundup - 2017-03-16

‘Vault7’ coverage continues this week:

WikiLeaks has apparently decided to follow a ‘responsible disclosure’ model, giving the companies whose products are vulnerable access to the exploits and allowing them time to create appropriate patches.

McAfee has apparently already written a scanner that checks for compromised EFI firmware, based on details found in the Vault7 data set.

Notepad++ has quickly moved to verify the certificates of the DLLs it loads, a weakness that was described in the Vault7 documentation. The Reddit community discusses whether this will actually make a difference.

In other news:

More news on last year’s Yahoo breach announcements: the FBI believes initial access was most likely gained through a spear-phishing attack on a somewhat privileged user, which allowed the attackers to discover and then exfiltrate a program that let some Yahoo employees generate authentication cookies for access to users’ accounts.

Scanning of the ‘official’ repositories on Docker Hub indicates that a large number of those images carry major vulnerabilities: almost 11% have high-priority vulnerabilities present in the container. The scan covered only ~68% of the ‘official’ repos and skipped a subset of operating systems (not supported by the scanning tool). While this doesn’t make a running container directly exploitable, it certainly leaves a bigger attack surface. Docker Hub, at least, flags on its site which containers contain a set of known vulnerabilities.

In similar news, researchers have analysed a number of websites and found that 37% of them use outdated and vulnerable libraries, many of them popular ones like jQuery and Angular.
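One way to spot this class of problem on your own pages, in the spirit of tools such as retire.js, is to pull every script URL out of the HTML, recognise the library and version from the path, and compare it with a minimum acceptable version. The code below is an added example written for this roundup, not the researchers’ scanner; the sample page is constructed inline, and the version thresholds in MIN_OK_VERSION are illustrative assumptions rather than a vulnerability database.

```python
"""Added example: spotting outdated client-side libraries from a page's <script> tags.

Illustrative code, not the researchers' scanner. The threshold table and the sample
page are constructed for this example.
"""
import re
from html.parser import HTMLParser

# Constructed thresholds: the lowest version this example treats as acceptable.
# A real audit must take these from a maintained advisory feed, not hard-coded numbers.
MIN_OK_VERSION = {
    "jquery": (3, 0, 0),
    "angular": (1, 6, 0),
}

LIB_NAME = re.compile(r"(?i)\b(jquery|angular)\b")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def identify_library(src):
    """Return (library, version_tuple) for a script URL; None where unknown.

    Handles shapes like jquery-1.8.3.min.js, angular.min.js?v=1.4.8 and
    cdn/jquery/3.2.1/jquery.js. A version string that belongs to something else in
    the path (a bundle or plugin version) can be misattributed, so treat results as leads.
    """
    name = LIB_NAME.search(src)
    if not name:
        return None, None
    lib = name.group(1).lower()
    # Prefer a version after the library name, fall back to one anywhere in the URL.
    version = VERSION.search(src, name.end()) or VERSION.search(src)
    if not version:
        return lib, None
    return lib, tuple(int(part) for part in version.groups())


def audit_page(html):
    """Return [(library, 'x.y.z' or None, status)] for each recognised library reference."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        lib, version = identify_library(src)
        if lib is None:
            continue
        if version is None:
            status = "unknown-version"
        elif version < MIN_OK_VERSION[lib]:
            status = "outdated"
        else:
            status = "ok"
        findings.append((lib, ".".join(map(str, version)) if version else None, status))
    return findings


# Constructed sample page (not a real site).
SAMPLE_PAGE = """
<html><head>
<script src="https://code.jquery.com/jquery-1.8.3.min.js"></script>
<script src="/vendor/angular.min.js?v=1.4.8"></script>
<script src="https://cdn.example/jquery/3.2.1/jquery.min.js"></script>
<script src="/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(finding)
```

Filename-based detection misses libraries that are bundled or renamed; a fuller check also fingerprints the script contents or reads the version property the library exposes at runtime.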

Two new bug bounties have been announced: Intel has opened one that covers both software and hardware, while Microsoft has launched one that provides access to Microsoft Office Insider builds, letting researchers find vulnerabilities before new releases ship.

1Password has set up a very specific bug challenge called ‘bad poetry’, eligible for a whopping $100k bounty. The details are, unfortunately, invite only.

One developer writes about how awful our password policies are and lists several observations made while building a new auth system. Length is the primary item he points out: raising the minimum password length to 10 characters invalidates 80% of the most common passwords in use today.
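To make the length point concrete, the following is an added example written for this roundup (not the developer’s own system): it measures what share of a common-password list a bare minimum-length rule rejects, and then applies a policy that relies on length plus a deny-list rather than composition rules. The password list is constructed inline, so the 80% it yields is a property of the sample rather than the article’s statistic.

```python
"""Added example: a password policy built on length and a deny-list, no composition rules.

Illustrative code, not the developer's system. COMMON_PASSWORDS is a constructed sample,
not a real leaked list.
"""

# Constructed sample of frequently used passwords (25 entries).
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "123456789",
    "12345", "1234", "111111", "1234567", "dragon",
    "123123", "baseball", "abc123", "football", "monkey",
    "letmein", "shadow", "master", "666666", "password1",
    "qwertyuiop", "1234567890", "basketball", "1q2w3e4r5t", "password123",
]

# Leetspeak substitutions undone before the deny-list comparison ("passw0rd" -> "password").
_LEET = str.maketrans("0143$@!", "oiaesai")
# Characters people bolt onto the end of a common word to satisfy composition rules.
_TRAILING_PADDING = "0123456789!@#$%^&*."


def share_rejected_by_length(passwords, min_len):
    """Fraction of a password list that a minimum-length rule alone would reject."""
    if not passwords:
        return 0.0
    return sum(1 for p in passwords if len(p) < min_len) / len(passwords)


def _variants(candidate):
    """Normalised forms of a candidate that should all be checked against the deny-list."""
    base = candidate.lower()
    stripped = base.rstrip(_TRAILING_PADDING)
    return {base, stripped, base.translate(_LEET), stripped.translate(_LEET)}


def check_password(candidate, min_len=10, denylist=frozenset(COMMON_PASSWORDS)):
    """Return (accepted, reason).

    Length is checked first; then the candidate and its trivial variants (trailing
    digits/symbols removed, leetspeak undone) must not appear on the deny-list.
    No uppercase/digit/symbol composition rules are imposed.
    """
    if len(candidate) < min_len:
        return False, f"shorter than {min_len} characters"
    if _variants(candidate) & set(denylist):
        return False, "matches a commonly used password"
    return True, "ok"


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"min length {n}: rejects {share_rejected_by_length(COMMON_PASSWORDS, n):.0%}")
    for pw in ("Passw0rd!!!", "1234567890", "correct horse battery staple"):
        print(pw, check_password(pw))
```

The variant expansion is what makes the deny-list useful: without it, "Passw0rd!!!" passes a plain string comparison while being the same password as "password" to anyone running a wordlist with rules.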

Check Point discloses vulnerabilities discovered in both Telegram and WhatsApp that would have allowed an attacker to take over accounts by sending the victim a malicious file disguised as an image.
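The generic defence against this class of bug is to never trust the declared type of an upload: check the bytes for a real image signature, require that signature to agree with the declared type, refuse image/HTML polyglots, and serve stored files with headers that stop a browser from treating them as a document. The code below is an added example written for this roundup; it is not Check Point’s proof of concept and not the fix either vendor shipped, and the sample uploads are constructed inline.

```python
"""Added example: validating an 'image' upload by its content rather than its declared type.

Illustrative code, not Check Point's PoC nor a vendor's fix. Signatures and sample
uploads are constructed for this example.
"""
import re

# Leading byte signatures for the image types this example accepts.
IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Cheap heuristic for active content hiding inside an otherwise valid-looking image
# (polyglots such as a GIF header followed by a <script> block).
ACTIVE_CONTENT = re.compile(
    rb"<\s*(?:!doctype|html|script|svg|iframe|object|embed)\b", re.IGNORECASE
)


def sniff_image_type(data):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_image_upload(declared_mime, data):
    """Decide whether an upload may be stored and served as an image.

    Returns (accepted, detail). The declared Content-Type is never trusted on its own:
    the bytes must carry a known image signature, that signature must agree with the
    declared type, and the body must not contain HTML/script markers.
    """
    declared = declared_mime.split(";")[0].strip().lower()
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "no recognised image signature"
    if sniffed != declared:
        return False, f"declared {declared} but bytes look like {sniffed}"
    if ACTIVE_CONTENT.search(data):
        return False, "active content markers inside image data"
    return True, sniffed


def response_headers(sniffed_mime):
    """Headers for serving a stored image: type taken from the bytes, MIME sniffing
    disabled, download-only disposition, and a CSP that blocks script execution
    even if a browser is somehow persuaded to render the file as a document."""
    return {
        "Content-Type": sniffed_mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample uploads (not real captures).
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
HTML_AS_PNG = b"<!DOCTYPE html><html><script>document.title='x'</script></html>"
GIF_POLYGLOT = b"GIF89a" + b"\x01\x00\x01\x00" + b"<script>document.title='x'</script>"
JPEG_UPLOAD = b"\xff\xd8\xff\xe0" + b"\x00" * 32

if __name__ == "__main__":
    samples = [
        ("png", "image/png", PNG_UPLOAD),
        ("html as png", "image/png", HTML_AS_PNG),
        ("gif polyglot", "image/gif", GIF_POLYGLOT),
        ("jpeg as png", "image/png", JPEG_UPLOAD),
    ]
    for label, mime, blob in samples:
        print(label, validate_image_upload(mime, blob))
```

The marker regex is a heuristic; the stronger control is to decode the upload with an image library and re-encode it, which discards anything that is not pixel data, and to serve user uploads from a separate origin so that even a mis-rendered file cannot reach the application’s session storage.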

Check Point has also released its newest malware ‘Most Wanted’ list. The biggest shift is the Hancitor strain, which has climbed 22 places to rank #5 on the list.

More IoT devices are under siege: a number of Dahua and Hikvision devices have been attacked through accessible credentials.

Google describes how it detected, and shut down, the Chamois Android botnet, starting from ad-traffic analysis and ending with its Verify Apps program, which notifies affected users and lets them remove the apps.

Threatpost reports a decline in browser exploit kits, citing both stronger defenses as browsers improve their own security and recent arrests that have caused groups to shut down operations.

For those who like reading up on malware internals, Malwarebytes has a good write-up of the Spora ransomware.

BleepingComputer covers RanRan, a ransomware that asks victims to create a subdomain as part of the decryption process, and that uses several ‘tiers’ (based on file size) when encrypting files.

Written on March 16, 2017