Security Roundup - 2018-04-26

“Hacker” accesses non-public data in public portal. The most dissapointing news lately is about how a young Canadian realized that the Nova Scotia Freedom of Information Act site has an enumerable url parameter. Said individual wrote a script to download a bunch of files, and was later arrested due to said files being deemed ‘sensitive’ and erroneously uploaded in a public matter. This has led many people to be critical, pointing out that this wasn’t the 19 year old’s fault so much as the fault of the owners of the system (again, portrayed as public information). Troy Hunt has a good writeup, including some history of similar accusations of “unauthorized use of a computer”.

BGP Hijack of Amazon DNS. Malicious attackers somehow used an Ohio based ISP to advertise several hundred IP addresses, many of them addresses for AWS’ DNS offering. The ultimate target was hijacking cryptocurrency website MyEtherWallet, making off with $150K over 3 hours. Other AWS customers were potentially impacted as well, but current scope is still unknown.

Webstresser de-stressed. Attack-as-a-service platform Webstresser was taken offline the other day after a coordinated effort several law enforcement agencies. Interestingly, this has resulted in a number of other malicious services down, as they appear to have been resellers of Webstresser.

How OSX malware can take screenshots. After some reports of malware families taking screenshots of desktops on OSX, one security researcher has dived in. Reverse engineering the technique independently, as well as digging in to actual malware samples, he finally suggests ways in which this type of activity could actually be detected.

IPv6 as a backdoor. Think you’ve locked down your local network? Have you checked your IPv6 setup? Trustwave points out that modern devices configure IPv6 automatically and the same rules that you have set up to protect services on IPv4 interfaces may still be open on IPv6.

Drupal suffers multiple high severity vulnerabilities. Last month was Drupalgeddon 2, but now Drupal has announced another highly critical vulnerability which impacts all versions of Drupal, going so far as to provide patches for unsupported versions of the CMS. Unlike Drupalgeddon2, this vulnerability was immediately seized upon and is currently being exploited in the wild.

Steganography new tool on the block. Security researchers warn that steganography, the act of hiding data in other files, is increasingly being deployed by malicious actors. This technique is being used to avoid monitoring solutions by making payloads look like images rather than the malicious package they actually are.

Written on April 26, 2018