Security Roundup - 2017-11-10
Digitally Signed Malware Surprisingly Common. Code signing is a method where a legitimate certificate is used to sign an application such that operating systems will trust it. However, in some cases we have seen malicious packages that are correctly signed. Originally tied to nation state attacks, and criminal enterprises, researchers have shown that this has actually happened more often than expected, having discovered 189 instances going back to 2003. 109 of the digital certificates used to sign these malicious apps are still valid. Some of these appear to have previously signed benign software, meaning that an organization may have lost control of their private keys. Related research have also published results on broken trust in digital key signing and Anti Virus. The most shocking is that something signed (even if using an expired key, or if the signature doesn’t match), will cause a number of Anti Virus programs to mark the files as benign, abusing trust. But perhaps more interesting is the ability to hijack signatures, which one researcher has demonstrated.
Mobile Pwn2Own Competition Results. Pwn2Own is a yearly competition in which hackers compete to discover zero days in browsers. Last year it expanded into Virtual Machines, and this year it has its own competition for Mobile Devices. A large number of bugs were discovered for devices including the Samsung Galaxy S8 and the iPhone 7, all of which have been privately disclosed to the manufacturers to create patches. You can read up on details for day one and day two.
Spam And Phishing Q3 Report. Want to stay on top of the latest spam and phishing techniques? Kaspersky has released their Q3 observations. Highlights are messages trying to coerce people into cryptocurrency get rich quick schemes and free stuff (from flights to phones).
Account Takeovers. Google has released research into the root cause of account takeovers. While not particularly surprising that a fair portion of it is due to credential reuse (use unique passwords everywhere!), a fair amount is gathered via phishing and keyloggers. Phishing attacks appear to increasingly try to collect other information, to help circumvent other protections.
Companies Actively Trying To Work Around Browser Security Warnings. What’s worse than a company not securing a form over HTTPS? Actively working around browser protections to try to pretend things are all right. Check out this….. Interesting story of the amount of effort one company put into evading browser checks rather than just integrate HTTPS.
Size Matters Not. At least in terms of your risk to exploit. Regardless of what your website actually does, it is valuable to an attacker in terms of resources. Even if you don’t have anything to directly steal, an attacker can leverage your infrastructure to run phishing attacks, malvertisements, or spam with less risk to themselves (and more risk to you!).
DarkVNC Deep Dive. And for those that like deep dives, check out this article going over an exploit to infect someone with ‘DarkVNC’, a malicious VNC client so attackers can view and control a machine remotely.