Security Roundup - 2017-05-11

Microsoft rushed out with a critical fix to their Malware Protection Engine, releasing the fix one day before their regular ‘Patch Tuesday’ cycle. The exploit resulted in a specially crafted file to have Malware Protection Engine execute the malware. A number of other security fixes went out as part of patch Tuesday, including one that triggers with specially crafted images in Office. Talos Intel has a breakdown of all the security items.

Another day, another billion (yes, with a b) user records leaked. Troy Hunt of HaveIBeenPwned goes over how leaks on one site allow for credential stuffing, which is attempting to reuse those credentials on other sites in order to provide more accounts to sell. And, since password reuse is still fairly common, this results in plenty of hits. Troy details 2 big combo lists of usernames and passwords that have been brought to his attention, containing the aforementioned billion credentials. Troy also went into why he doesn’t store passwords for his service.

DUO Labs also got ahold of one of the combo lists and performed some analysis on the passwords. Interestingly, 25% of passwords are 9 characters long (better than the 8 characters suggested in the current draft of NIST guidelines, but the most common passwords contained in the list is still pretty bad.

A large scale Signaling System #7 attack took place recently to intercept 2FA text messages for bank accounts, and drain the account of all funds.

Plenty of states and countries are rolling out disclosure laws. Techcrunch has an article pointing out this can paint a target on a company that has disclosed, but not taken appropriate steps to prevent further breaches.

MalwareBytes write that the Snake trojan, which has been around since 2008, has been ported to OSX. This masquerades as a Flash installer, with the added deception of actually installing flash vs just pretending to install flash.

Google follows up on the first five months of their Open Source Software Fuzzing experiment. In that time period they have integrated 47 projects (including several SSH and SSL projects), and discovered 1000+ bugs, of which 264 are potential security vulnerabilities. To further the project, they are now offering financial rewards for projects to integrate with the process.

A new malware strain came to light this week which has a remote accessible API. This is interesting in that it allows the botnet to invert the traditional C2 model as required, making it easier for botnet owners to re-establish control after a C2 takedown.

Handbrake, a popular transcoding app, was hacked to deliver a trojan for up to 4 days For those that love in depth of what malware is doing under the hood, check out Patrick Wardle’s blog post.

Security researchers classify a number of breaches according to the OWASP Top 10. The Results are interesting, with ‘Known Vulnerable Components’ being the cause of 24% of breaches, and another 15% attributable to causes not in the top 10.

Written on May 11, 2017