Security Roundup - 2017-03-23

LastPass urges users to upgrade all clients (including web extensions), due to a number of security issues that allow users to potentially steal credentials or execute arbitrary code.

Interested in web shell analysis? Trustwave Security writes about how they discovered and analyzed a web shell used to take over a client network.

Sucuri has an update on malicious subdirectories where malicious users upload content (like essay selling sites) and serve them from otherwise legit accounts.

Cisco has been analyzing the ‘Vault7’ data and has released a customer warning, pointing out a CVE that impacts 300 of their products. While no fix is available at time of writing, Cisco has pointed out a few mitigation strategies. Since the CVE involves Telnet being enabled, the simplest solution is to disable that and use SSH.

More IoT exploits found, this time in the form of an actual backdoor in certain VOIP gateways. Hackaday revisits the topic of IoT Security, discussing both accidental and deliberate backdoors which, once known, then become usable for everyone.

Pwn2Own happened last week, and once again some enterprising hackers found exploits in a number of products. This year Google Chrome managed to escape without being exploited, but other major browsers did not share this fortune. Windows and macOS also fell victim to exploits. New this year was an exploit found for VMware Workstation, which was largely avoided last year. Mozilla managed to patch the flaw discovered in Firefox in a quick 22 hours.

Speaking of Firefox, I just learned that it now points out when logins are over HTTP connections. This news seems to have been primarily spread because Oil and Gas International filed a ticket complaining to Mozilla for this change. They claimed to have their own security system, which resulted in reddit users poking around and finding a number of vulnerabilities, such as SQL injections and pointing out that payments were processed over plaintext.

A common theme for the last year has been security products that eventually compromise security. Whether that be Antivirus being exploited, or making it harder to implement browser security, or provide a larger attack surface.

The latest is security issue which allows attackers to take over antivirus software. Dubbed ‘DoubleAgent’, as it turns anti-virus against you, this exploit leverages a bug in Windows ‘Microsoft Application Verifier’, which allows a malicious agent to inject their own verification process. Microsoft has provided a better mechanism in Windows 8.1+, which requires properly signed software updates.

This issue is not limited to antivirus products, however. A research paper entitled The Security Impact Of HTTPS Interception, has prompted US-CERT to suggest that security appliances that perform TLS interception are themselves security flaws. Since the devices man in the middle TLS connections and are potentially using weaker cipher suites and protocols (I wonder how many support TLS 1.3) than user’s devices do (Chrome and Firefox support TLS 1.3). Vendors who sell these products happen to disagree.

Google reviews the last year in Android Security, highlighting the decrease in malicious software due to their “Verify Apps” initiative, the security improvements they have made to Android itself, and their efforts to ensure the entire software chain gets security updates out faster.

In ransomware news:

After a year of brisk business, it seems that Locky is finally in decline, with no new versions discovered this year.

Part of Locky’s decline is partially due to the disappearance of the Necurs botnet at the start of the year. Talos Intel reports that Necurs is back, but back to trying to manipulate penny stocks in ‘pump and dump’ schemes.

Written on March 23, 2017