Security Roundup - 2017-06-16

Imagine if you had gone to the trouble of paying for and setting up security products, but they weren’t running properly. Malware authors are imagining, and making this a reality. BleepingComputer details CertLock, a malware strain that prevents new security programs from being installed or security products from running, by adding the signing certificates of these programs to a special disallowed list in Windows, effectively preventing the applications from running. Going farther, it even adds a bunch of update domains to the hosts file of a device, redirecting to localhost and breaking update capabilities.

Microsoft provides another security update for older versions of Windows this week, including XP, Vista and Server 2003, to protect against 3 other exploits found in the ShadowBrokers exploit dump. Microsoft believes the threat level of these exploits is severe enough to warrant a wider distribution of the patches, but points out the best protection is to stop using end of service versions of Windows. All told, Microsoft released fixes for 97 vulnerabilities across all their products, 17 of which were labelled as Critical. Microsoft has also announced that SMBv1 will be disabled by default for future windows versions.

Interested in a deeper dive into Memory Resident Malware? Endgame security delivers this week covering known attacker techniques, as well as going over some of the difficulty in detecting these techniques.

Microsoft has discovered malware that abuses Intel’s Active Management Technology (AMT) to exfiltrate data. Since the AMT is low enough level, communications through it avoids the application level network stack, and any monitoring/firewall systems that are operating at that level.

More and more malware is targeting Apple computers. Fortinet researchers have recently stumbled across MacRansom, an OSX Ransomware as a service portal. After communicating with the author, they were given a sample which they then analyzed. Sadly, it looks like any victims will be unable to decrypt their files, since part of the encryption key is random, and there is no outbound communication to a C&C.

In some alarming news this week, one security researcher has posted a number of Man-in-the-Middle vulnerabilities for several iOS applications. These applications talk to unsecured backend services, allowing login information to be stolen. The applications in question unfortunately range from grocery deals to voting and banking apps.

The Internet of Things has been demonstrated to be the Internet of VULNERABLE Things in the last year. Talos Intel does both a retrospective, as well as provides advice to companies that may be purchasing devices connected to the internet. Case in point, yet another batch of internet enabled web cameras has been demonstrated to be riddled with insecurities.

Written on June 16, 2017