Security Roundup - 2017-06-23

This roundup made possible with contributions from my co-worker Michael Cereda.

Layers upon layers upon layers. This is the first thing that comes to mind after reading Sophos’ recent report on old tricks turned new for malware. While many malware campaigns involve embedded objects with malicious payloads, Sophos has noticed a number of strains which host these embedded objects on remote servers. Among other things, this makes it easier for someone to shut down a malware campaign, or perform upgrades on the payload after the spam campaign has launched.

McAfee also discovered new tricks in the PinkSlip malware. What sets this apart from its peers is the fact that it will set some infected hosts as remote proxies, allowing it to be used to further obfuscate where a C&C is located. This is set up independent of the trojan, meaning any machines that were previously cleaned up potentially still have this unwanted guest on their machines.

Google’s engineers have announced many anti-malicious software detection news lately, and security researchers continue to unearth more of it. Last week involves the discovery of Xavier, a malware strain which silently steals personal and financial data while the user of the infected app is trying to change the ringtone or boosting the speed of the device. Xavier is actually the evolution of the AdDown malware, which first hit the scene in 2015 with ‘Joymobile’, but has learned several new obfuscation tricks including downloading instructions remotely and dynamic analysis evasion.

Researchers have discovered a new way to gain root access on several unix based operating systems. Dubbed ‘Stack Clash’, this exploit involves the attacker ‘clashing’ the memory system that keeps track of running programs with another memory region, potentially overwriting instructions and executing unexpected code. At time of writing, impacted OSes have patches.

Man In The Middle Attacks allow someone to see all your traffic. This could be mitigated by sending traffic encrypted, but what if someone is intercepting traffic by using “trusted” certificates? Security gateways and anti-virus sometimes do this in order to ‘inspect’ web traffic for malicious signals. Researchers recently worked with various industry partners to try and fingerprint this type of interception, seeing upwards to 10% of communications falling into this bucket, with a sizable portion of it not backtrack-able to security products. Even security products doing this is a problem, as security problems can mean this is abuse, or bad crypto implementations mean that communication is less secure than it would be otherwise.

More Internet of Things stories this week including:

Duo Security “drills in” to the security of an internet enabled drill. They take you through the discovery process, including checking out the associated app as well as the drill itself. While they unfortunately found hard coded passwords, and the ability to tamper with the Geolocation security feature, overall they found a number of security features like encryption and security headers in API responses, meaning that perhaps there is hope for the Internet of Things yet.

TP-Link joins the list of vendors to patch end of life products, fixing a bug that would allow remote account takeover in one of their older router models. This is a positive step forward, as research continues to demonstrate more and more vulnerable devices, and attackers shifting from simplistic approaches of brute forcing passwords (which still works way too often), to more complex vulnerabilities in router software itself.

Unfortunately, we are halfway through the year and Kaspersky labs has already seen twice the amount of IoT based malware as all of last year. Based on the number of stories we’ve covered already, this will likely get worse before things get better.

Case in point, more Vault 7 documents have been released showcasing CherryBlossom a framework for pushing malicious firmware to your router. After the infection, routers can be controlled remotely using a browser-based interface and can be used for different missions that include scanning mail addresses, chat usernames, MAC addresses and VOIP numbers.

Written on June 23, 2017