Security Roundup - 2017-05-04

A large scale phishing attack was initiated this week, imitating an email to share a document with Google Docs. If the user followed through, they were presented with a dialogue to authorize a fake Google Docs app, allowing the attacker gain unlimited access to the victim’s email. For each victim, the exploit used contacts to try to send to another round of victims.

Meanwhile, Google Chrome has taken an additional step towards their goal of visibly indicating that all HTTP sites are “Not secure” in terms of the information you are sending. On the heels of January’s change to label sites over HTTP with password fields as “Not secure”, they are not going to label all HTTP sites visited in Incognito mode as “Not secure”, due to increased privacy expectations.

O’reilly and the Software Improvement group recently surveyed a number of programmers on their company’s secure code practices. While 69% of respondents stated security requirements and 60% mentioned guidelines, most felt that they were not doing enough. They also cited how security is not ‘visible’ making it hard to gain proper traction when overall company goals are to ship new features and gain new customers.

What is worse than a site that allows short passwords and returns them in plaintext when you forget them? Apparently it is a site that doesn’t ever allow you to change the password.

Intel processors with remote management features have recently been found to have remote exploit flaws. This flaw, existing since 2010, is only accessible if Intel’s Active Management Technology is enabled, and the attacker is able to access port 16992 and 16993. This means that remote attacks over the internet should be fairly rare, but attacks on a local network, perhaps such as ublic wifi for a targeted attack, are possible.

Another problem that has flown under the radar has been the existence of the Konni RAT, which Talos Intel discovered. Backtracking, they have unearthed 3 years of activity across 4 campaigns, and document the evolution.

MalwareBytes provides details on the OSX.Dok malware, a sophisticated attack that installs the means to monitor and intercept all HTTP AND HTTPS traffic on a victim’s computer. This allows an attacker to potentially harvest credentials that a user over a connection they otherwise feel is secure. Apple has already revoked the signing certificate the malware author used to sign his app, meaning that the casual user will not be able to install. However, MalwareBytes has found a second strain that installs a different backdoor, but looks to be from the same author.

Arbor Networks does a deep dive into the Ismdoor RAT, which communicates to its C&C using DNS AAAA (IPv6) queries and responses to hide its activity.

Verizon’s 2017 Data Breach Report has been released (now celebrating its 10th year!). Unsurprisingly, Ransomware accounted for a large number of incidents and continues to be trending upwards. Financial institutes are still the most popular target, but targets like healthcare and education are seeing an uptick of attacks.

BleepingComputer rounds things out with an unfortunately busy week in Ransomware, including a big update for Cerber which includes a new encryption process and anti-VM/sandboxing features.

Written on May 4, 2017