Security Roundup - 2017-04-14

Bleeping Computer does a great writeup of the new CAA DNS record, which allows domain providers to specify which SSL providers are allowed to issue certificates. In a recent vote, the majority of browser and Certificate Authorities voted to implement this standard by September 8, 2017, setting the expectation that Certificate Authorities will check whether they are allowed to issue a certificate for a domain.

Of course, this only helps when an organization remains in control of their DNS. In an impressive accomplishment, hackers managed to take over a bank’s entire digital footprint, redirecting users and potentially even ATM transactions to their infrastructure. Since they controlled the actual domain names, they were able to quickly obtain legitimate SSL certificates, to make the attack all the more transparent to users. Given the totality of the takeover, the bank was not even able to send legitimate emails to their customers, and had to rely on the registrar returning control. Total duration of takeover: ~5 hours.

Vault 7 news continues this week as the “Grasshopper” documents detailing windows installer laced malware was released. The installer performed a number of checks to reduce the liklihood of installing on a system that might be able to detect the payload. Some news stories of the tools being linked to known hacks have started to surface.

Coincidentally, the Shadow Brokers are also back releasing the password to another cache of NSA files.

Threatpost provides an interview with the Google Chrome Security Team, where they mention that a number of instabilities/security problems are due to other third party software installed on systems. Whether that be bundled software from an OEM, bad Certificate Authority, or third party plugins.

We’ve talked about malicious apps before, but did you know that apps could leak information from other apps? Either internationally, or unintentionally, apps are able to access data in use by other apps, allowing a combination of apps exfiltrate data. Most common appears to be location data, where a location aware app might make data available to other applications.

The newest IoT malware is running around, and this one tries to brick all the devices. On the one hand, dead devices means fewer botnets, on the other plenty of consumers that are going to be surprised when their devices stop working.

Of course, another security researcher found an easy way to gain access to his smart tv.

Running a SEIM to analyze security events? Make sure to lock it down! One security researcher was recently shocked by some SEIM systems using default credentials and hosting a bevy of information.

Another security firm has traced back attacks to residential routers which have been infected. The specific router in question is vulnerable to an attack on a non-typical port, causing the security researchers to suggest ISPs filter out attacks of this nature before it reaches their customers.

An amusing strain of ransomware made the rounds this week requiring users to score a high score in a video game to retrieve their files.

BleepingComputer provides a good ransomware article, showing another open source ransomware getting weaponized, and demonstrating how working examples make it easier for future developers.

Written on April 14, 2017