Security Roundup - 2017-06-01

Let’s start with an SMB/Samba exploit roundup:

  • With Microsoft releasing a patch for Windows XP, people (including myself) were quick to blame XP for the spread of WannaCry. However, it was actually Windows 7 that was the most infected. Windows 7 is still in extended support, so the original MS17-010 patch from March was available to every Windows 7 user; Windows XP, being end of life, only had the fix through custom support until Microsoft’s public release. The Windows 7 infections were a patching problem, not a support problem.
  • The EternalRocks author has thrown in the towel after being scared off by last week’s news coverage.
  • Hardware vendors are rolling out patches for affected devices; check your device for updates today!

The ShadowBrokers have announced details of their monthly exploit dump subscription. For 100 Zcash, a privacy-oriented cryptocurrency (equivalent to roughly $26K USD at the time of writing), anyone can buy access to an unknown slate of exploits. Security experts are torn between not wanting to pay for exploits and wanting to avoid another WannaCry situation. One group took to crowdfunding to gain access, promising to alert vendors to the zero-days and then release the data publicly for additional scrutiny. That effort has since been cancelled due to legal concerns over purchasing the exploits.

Another Windows XP and Windows Server 2003 security patch has been released, this time not by Microsoft but by enSilo. This patch protects against ESTEEMAUDIT, the remote desktop (RDP) exploit that was part of the ShadowBrokers leak. While enSilo feels it is important to move away from Windows XP, they are releasing this patch because they feel it is important to limit the damage possible now that these exploits are public.

Microsoft did push out an out-of-band security update this week, fixing several vulnerabilities in the Malware Protection Engine, including three remote code execution flaws.

RoughTed is a malvertising operation that has recently added some new tricks to evade ad blockers. Malwarebytes has published an in-depth analysis showing the range of payloads: malicious Chrome extensions, adware, tech support scams, and exploit kits.

Google has apparently been expanding its Safe Browsing initiative. The current iteration appears to have started blocking sites that serve login forms over plain HTTP, further pushing Google’s agenda of HTTPS adoption.

NIST has released a number of new reports this year, including one on lightweight cryptography (you know, for all those IoT devices). There are a number of recommendations, but also unfortunate findings, such as none of the NIST-approved hash functions being practical on 8-bit microcontrollers. NIST also points out that the landscape for crypto and IoT is changing rapidly, and is rethinking its traditional ‘crypto competition’ approach, which has historically taken years.

Interestingly, there has been a bunch of discussion around hash algorithms recently, resulting in commentary along the lines of ‘maybe we should skip SHA-3’ and move on to better algorithms (and maybe stop naming hash algorithms after SHA, to avoid confusion), along with a look at two faster candidates, BLAKE2 and KangarooTwelve.

Security researchers have published a bypass of Email Encryption Appliance (EEA) / Email Security Gateway (ESG) setups. The attack works when both appliances are reachable from the outside, allowing an attacker to send email directly to the email encryption appliance instead of through the gateway. It succeeds in two configurations: one where the EEA delivers messages directly to the mail server, bypassing the ESG entirely, and one where the EEA relays mail through the ESG but the ESG treats it as coming from a whitelisted IP. In both cases, the researchers reliably delivered malicious payloads to their targets.

Medical systems have been heavily impacted by security issues in the last year. A recent audit of pacemaker ecosystems (the implants themselves, home monitoring systems, and programmers) highlights additional problems: several systems carry thousands of known vulnerabilities from out-of-date third-party libraries, and in some cases unencrypted patient data was accessible on second-hand devices the researchers purchased.

Using AWS Elastic Block Store? Review your use of ‘public’ snapshots: you could be leaking all sorts of information to the world, including customer data, encryption keys, and corporate documents, to name just a few of the things security researchers discovered in a recent investigation. A snapshot shared with the ‘all’ group can be restored into a volume by any AWS account.
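To turn that warning into a check, here is an added example (not code from the original post or from the cited research) that audits every snapshot owned by the account for a public `createVolumePermission` grant and revokes it. The three API calls and their request/response shapes are the real boto3 EC2 ones (`describe_snapshots`, `describe_snapshot_attribute`, `modify_snapshot_attribute`); the `FakeEc2` class and its snapshot IDs are a constructed stand-in so the audit runs offline. Pass `boto3.client("ec2")` instead to run it against a real account.

```python
"""Audit EBS snapshots for public 'createVolumePermission' grants.

Added example, not from the original post. The boto3 call names and
response shapes are real; FakeEc2 and its data are constructed.
"""


def public_snapshots(ec2):
    """Return [(snapshot_id, encrypted, description)] for every snapshot
    owned by this account that is shared with group 'all', i.e. public.
    `ec2` is a boto3 EC2 client or anything exposing the same methods."""
    found = []
    kwargs = {"OwnerIds": ["self"]}
    while True:  # describe_snapshots is paginated via NextToken
        page = ec2.describe_snapshots(**kwargs)
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"],
                Attribute="createVolumePermission",
            )
            # A grant of {'Group': 'all'} means anyone can restore it;
            # {'UserId': '...'} grants are explicit account shares.
            if any(p.get("Group") == "all" for p in attr["CreateVolumePermissions"]):
                found.append((snap["SnapshotId"],
                              snap.get("Encrypted", False),
                              snap.get("Description", "")))
        if "NextToken" not in page:
            return found
        kwargs["NextToken"] = page["NextToken"]


def make_private(ec2, snapshot_id):
    """Revoke only the public grant; explicit account-ID shares stay."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="remove",
        GroupNames=["all"],
    )


class FakeEc2:
    """Constructed stand-in for boto3.client('ec2'); all data is made up."""

    def __init__(self):
        self.snaps = [
            {"SnapshotId": "snap-0aaa", "Encrypted": False, "Description": "prod-db backup"},
            {"SnapshotId": "snap-0bbb", "Encrypted": True, "Description": "laptop image"},
            {"SnapshotId": "snap-0ccc", "Encrypted": False, "Description": "scratch"},
        ]
        self.perms = {
            "snap-0aaa": [{"Group": "all"}],            # public: the problem case
            "snap-0bbb": [{"UserId": "123456789012"}],  # shared with one account
            "snap-0ccc": [],                            # private
        }

    def describe_snapshots(self, OwnerIds, NextToken=None):
        # Two pages, so the pagination loop above is exercised.
        if NextToken is None:
            return {"Snapshots": self.snaps[:2], "NextToken": "page2"}
        return {"Snapshots": self.snaps[2:]}

    def describe_snapshot_attribute(self, SnapshotId, Attribute):
        return {"SnapshotId": SnapshotId,
                "CreateVolumePermissions": list(self.perms[SnapshotId])}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames):
        if OperationType == "remove":
            self.perms[SnapshotId] = [p for p in self.perms[SnapshotId]
                                      if p.get("Group") not in GroupNames]


if __name__ == "__main__":
    ec2 = FakeEc2()  # replace with boto3.client("ec2") for a real audit
    for snap_id, encrypted, desc in public_snapshots(ec2):
        print(f"PUBLIC: {snap_id} encrypted={encrypted} desc={desc!r}")
        make_private(ec2, snap_id)
```

The equivalent quick check from the AWS CLI is `aws ec2 describe-snapshots --owner-ids self --restorable-by-user-ids all`, which lists only the snapshots you own that anyone can restore. Run the audit in every region you use, since snapshots are regional.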

Crysis ransomware had its master decryption keys leaked earlier this week.

Similarly, so did some of the keys for the AES-NI ransomware. In this case the ransomware’s author claims to have released the keys in an attempt to deflect blame for the XData ransomware, which was built on top of AES-NI. Interestingly, the decryption key for XData has also since been released.

Written on June 1, 2017