Security Roundup - 2017-06-09

EternalBlue and WannaCry coverage continues this week:

To start, looks like WannaCry may have a number of bugs which may make it possible for users to retrieve their files.

EternalBlue has unfortunately been ported to Windows 10. Security researchers did this by analyzing the existing exploit and adapting it to work around additional Windows 10 protections. Speculation abounds on whether this zero day is known in certain circles, but points out how everyone is learning from the trove of exploits dumped.

This is particularly demonstrable/troubling, as EternalBlue is now being used for a variety of malicious programs. While thankfully protection is a Windows update away, some systems are still vulnerable.

Finally, Sophos does an overview of WannaCry, suggesting that adhering to security basics like strong passwords, endpoint security, and (most importantly) proper patching hygene could have made WannaCry more like DoNotCry.

Vault7 continues to hit the news as WikiLeaks has published documentation on Pandemic, a tool that turns a Windows File Server into a malware distribution server, injecting Trojans into files that users are trying to access.

MalwareBytes starts a new series called “Interview with a Malware Hunter”. The first in the series is Pieter Arntz, Security researcher for MalwareBytes.

Balancing data portability AND data security is a hard problem, since a full download of a user’s data is a gold mine for attackers. Jeff Attwood, founder of Stack Overflow and Discourse, goes into some of the steps his team built in to try to manage both for their users. In addition to strong passwords (15 characters, more than the current NIST standard), locking down which accounts can export, and using single use tokens, the Discourse team actually tried cracking their own passwords to look at computational liklihood. After more than 3 weeks of cracking, they managed to break less than 1% of accounts, and those that were involved a number of dictionary words.

Sucuri has released their monthly Lab Notes. Some interesting things include a look into a Wordpress backdoor, a look into a data collection script that hides as a benign script, and a dip into malvertisement targeting.

Researchers this week noticed a novel way that malware is checking for C&Cs out of band, Instagram comments! By using non-printable characters as markers, a comment may seem legitimate, but otherwise hides a secret message redirecting programs to an appropriate location.

Last month, the Jaff ransomware started making the rounds as a fairly successful strain. Now, security researchers have linked it to a cybercrime marketplace. Researchers uncovered this when they discovered shared infrastructure for the two systems. They then found thousands of compromised accounts, from banking credentials to Amazon accounts.

The RIG Exploit kit takes a blow recently, as various security groups in conjunction with GoDaddy mapped out and then shut down a major chunk of its infrastructure. Specifically, RIG was relying on compromised hosting accounts to create subdomains on other users accounts, in order to use them as relays for the exploit kit. You can read up on the whole operation on RSA’s blog.

Checkpoint security recently published new research into two ad-revenue generating malware platforms:

First, meet Judy. A korean company named Kiniwini (ENISTUDIO corp. on Google Play) released 41 apps on the app store about Judy, cute little lady with a desire to take care of animals, make food, and study fashion. Judy, however, also has a compulsive addiction to ad clicking, as the apps had malicious code they leveraged to perform auto-click ad fraud. So while users were creating cakes and dealing with virtual pets, Judy was taking care of their devices.

Last, but not least, Fireball exploded onto the scene with an estimated 250 million infections, possibly making it the largest malware infection ever recorded. The malware has been pinned to the chinese company Rafotech, which specializes in “creative advertising”; the company denies any wrongdoing. The malware currently configures a target’s browser homepage and default search engine with a “fake search engine”, collecting user information and, guess what, clicking on advertising. The malware also has the ability to remotely execute code, making it a potent (and widespread) backdoor into many organizations.

Written on June 9, 2017