Security Roundup - 2017-05-25

The ShadowVault continues to have an impact on the world, with the exploits they leaked having a far reaching impact.

The MalwareTech researcher that accidentally stopped WannaCry performed an AMA on Reddit earlier this week

While WannaCry was the combination of two exploits from the data leak, a new worm dubbed EternalRocks is using 7 exploits from the leak to spread. Currently, it appears not to be deploying any payload.

Tools have emerged to decrypt files, as long as the computer has not been restarted. Turns out that the numbers to generate the encryption key are potentially left in memory, allowing the public and private key to be regenerated. The tool works for at least Windows XP and Windows 7.

A similar exploit for Samba has been reported by Rapid7, allowing an attacker to upload and execute a program on a Samba share. It is a sad fact that there are a LOT of systems exposed, which should not be. A fix has already surfaced, making the key here how quickly systems will get updated.

Tech support scammers are playing up on WannaCry fear by selling fake security upgrades.

For things that are not related to ShadowBrokers….

Wordpress has launched a bug bounty program, right before releasing a new version that fixes several security flaws. Wordpress has already been running the program privately for a year, in order to build process around any bugs that came in. Since launching, they have already paid out $3700 to developers that have reported security issues.

In the IoT news, New York’s attorney office has reached a settlement with Safetech Products to add security and encryption to all Safetech smart locks.

Similarly, researchers at the University of Michigan managed to gain access to traffic light control software due to very lax security implementations.

Both Yahoo and ImageMagick have taken a beating this last year, but thankfully this will change now that Yahoo has removed that library from their software products. Triggered by yet another exploit, dubbed ‘YahooBleed’, this would have allowed malicious users to extract pieces of memory from servers that handled images, which included api tokens.

Checkpoint Security has discovered a way to take control of a user’s laptop by using malicious subtitle files for movies. While subtitle files may generally be considered text files, Checkpoint has found a way to invoke malicious behavior. The impacted video services have been contacted and have all issued patches.

Finally, Talos Intel reports on how the Terror Exploit Kit has evolved, becoming much more targeted in their exploits, resulting in it being harder to detect and more successful overall. The biggest change is fingerprinting browsers, allowing them to be more targeted in exploits, rather than iterating through a large list of them.

Written on May 25, 2017