Security Roundup - 2017-03-30

Big news this week is Symantec’s mis-issuance of roughly 30,000 certificates, including Extended Validation certificates, largely through third parties with privileged access to its issuance systems. Extended Validation certificates are intended to require additional validation steps that prove the identity of the organization behind a site, and skipping those steps removes their advantage. This isn’t the first time that Symantec has mis-issued certificates; Google recently required Symantec to submit ALL certificates to Certificate Transparency logs for auditing. After the most recent incident, however, Google has declared that Chrome will stop treating Symantec Extended Validation certificates as extended validation. Further, Google has proposed phasing out trust in Symantec as a certificate provider over successive Chrome releases, until its certificates are effectively delisted. Symantec has posted a rebuttal, pointing out its use of Certificate Transparency and its championing of Certificate Authority Authorization (CAA). Regardless of the outcome, it appears that the end result will be more transparency and security for the internet as a whole.

Let’s Encrypt came under fire this week for the very transparency it provides: its Certificate Transparency logs show that it has issued quite a number of certificates that could be used for phishing, including roughly 15,000 certificates containing the term ‘PayPal’ this quarter. Let’s Encrypt has said since its inception that Certificate Authorities make poor content watchdogs, and that its primary aim is to encrypt all web communications. Bleeping Computer points out that a number of these certificates have already been flagged by Safe Browsing, which indicates that other user protections are in play. While these certificates are being issued, the fact that they go through Certificate Transparency and are on the public record is at least shedding more light on the issue.

Congress has voted to repeal the FCC’s broadband privacy rules, and right before the vote the EFF posted on the cybersecurity impacts of doing so. Particularly worrying to me is the concept of “Explicit Trusted Proxies”, which are designed to decrypt and inspect TLS traffic; as we learned last week, US-CERT has said that this kind of traffic interception actually decreases overall security.

In further Vault7 news, Engadget has a list of tool names and descriptions, as well as an article specifically on the OS X exploits. Apple has already said that these exploits are old and have been fixed.

After yet another round of breaches, Troy Hunt has written an article on how to handle a breach disclosure. Using CloudPets as an example, Troy points out that someone noticed their exposed MongoDB database and tried to contact them to remediate it before the breach occurred. Making it hard for an outsider to start a dialogue makes it easy for a company to stay unaware of something it needs to act on. He goes on to point out that once a breach is known, it is in the company’s best interest to disclose as soon as possible so that users have time to protect themselves, given the rampant reuse of passwords across sites. He references the upcoming General Data Protection Regulation in Europe, under which companies will be required to report breaches within 72 hours. The entire article is fairly interesting, containing a number of breach disclosure successes as well as quite a few failures.

Many malware strains are starting to make use of a technique called domain fronting. The connection’s DNS lookup and TLS SNI name a high-reputation host on a shared CDN or hosting platform, while the HTTP Host header inside the encrypted session names the attacker’s real backend; the provider routes on the inner header, so a network observer only sees traffic to the front domain. Tor’s meek transport used the same trick, and providers such as Amazon’s CloudFront and Google’s App Engine (appspot.com) have been used as fronts, which makes the traffic hard to block or delist without blocking the whole provider.
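One place a defender can catch fronting is a TLS-inspecting proxy, which sees both the SNI and the decrypted Host header. The script below is an added example (not code from the original post or from any vendor): it compares the two fields over constructed proxy log lines. The key=value log format, every hostname and IP, and the two-label approximation of a registrable domain are assumptions.

```python
"""Flag connections whose TLS SNI and HTTP Host header name different sites.

Domain fronting puts a high-reputation CDN hostname in DNS and in the TLS SNI
while the HTTP Host header, visible only after a TLS-inspecting proxy decrypts
the session, names the real backend. This added example (not code from the
original post) compares the two fields over constructed proxy log lines; the
"key=value" log format and every hostname below are assumptions.
"""
import re

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
ts=1490876400 src=10.0.0.12 sni=www.google.com host=www.google.com status=200
ts=1490876401 src=10.0.0.12 sni=www.google.com host=relay-xyz.appspot.com status=200
ts=1490876402 src=10.0.0.44 sni=d1234.cloudfront.net host=d1234.cloudfront.net status=200
ts=1490876403 src=10.0.0.44 sni=a0.awsstatic.com host=d5678.cloudfront.net status=200
ts=1490876404 src=10.0.0.50 sni=cdn.example.com host=static.example.com status=200
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each key=value line into a dict; skip blank lines."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def registrable_domain(name):
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption: good enough for .com/.net style names. Names under multi-label
    public suffixes (example.co.uk) need the Public Suffix List instead.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_fronted(record):
    """True when SNI and Host fall under different registrable domains.

    Ordinary CDN use (cdn.example.com serving static.example.com) stays under
    one registrable domain and is not flagged.
    """
    sni, host = record.get("sni"), record.get("host")
    if not sni or not host:
        return False
    return registrable_domain(sni) != registrable_domain(host)


def find_fronting(records):
    """Return (src, sni, host) for every record that looks fronted."""
    return [(r["src"], r["sni"], r["host"]) for r in records if is_fronted(r)]


if __name__ == "__main__":
    for src, sni, host in find_fronting(parse_log(SAMPLE_LOG)):
        print(f"possible domain fronting from {src}: SNI={sni} Host={host}")
```

Without TLS interception the Host header is invisible and this check cannot be made; the only network-visible signal is the front domain, which is exactly why the technique works. Production use should swap the two-label heuristic for a Public Suffix List lookup and add an allowlist for legitimate cross-domain CDN setups.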

For those who enjoy reading up on malware detection evasion, Talos shares some recent obfuscation methods used by LokiBot.

Talos also details an NTP vulnerability discovered as part of Cisco’s effort to test NTP implementations for security flaws.

Finally, BleepingComputer covers GiftGhostBot, a botnet devoted to brute-forcing gift card balance-check APIs to discover cards with usable funds. This botnet is apparently hitting some eCommerce sites with an average of 1.7 million requests per hour.

Security Roundup - 2017-03-23

LastPass urges users to upgrade all clients (including browser extensions), due to a number of security issues that could allow an attacker to steal credentials or execute arbitrary code.

Interested in web shell analysis? Trustwave Security writes about how they discovered and analyzed a web shell used to take over a client network.

Sucuri has an update on malicious subdirectories, where attackers upload content (like essay-selling sites) to otherwise legitimate accounts and serve it from there.

Cisco has been analyzing the ‘Vault7’ data and has released a customer warning about a vulnerability that impacts more than 300 of its products. While no fix is available at the time of writing, Cisco has pointed out a few mitigation strategies. Since the vulnerability is only reachable when Telnet is enabled, the simplest mitigation is to disable Telnet on the device and manage it over SSH instead.
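A quick way to find devices that still accept Telnet is to audit their saved configurations for the vty lines. The following is an added example (not Cisco’s code or guidance): it parses an IOS-style running-config and flags every `line vty` stanza that allows Telnet, either explicitly or by omitting `transport input` altogether. The sample config is constructed, and the script assumes that where several `transport input` statements appear in one stanza the last one is the effective one.

```python
"""Audit an IOS-style running-config for vty lines that still accept Telnet.

Added example, not Cisco's code. SAMPLE_CONFIG is constructed. Assumption:
when a stanza has several 'transport input' lines the last one is effective.
"""

SAMPLE_CONFIG = """\
hostname core-sw1
!
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 9
 transport input ssh
 login local
line vty 10 15
 login local
!
end
"""


def vty_blocks(config):
    """Return [(stanza_name, [indented body lines])] for each 'line vty' stanza."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return [b for b in blocks if b[0].startswith("line vty")]


def audit_vty(config):
    """Return (stanza_name, reason) for every vty stanza that may accept Telnet."""
    findings = []
    for name, body in vty_blocks(config):
        transports = [line.split()[2:] for line in body if line.startswith("transport input")]
        if not transports:
            findings.append((name, "no 'transport input' line; relies on platform default, verify it"))
            continue
        allowed = set(transports[-1])
        if "all" in allowed or "telnet" in allowed:
            findings.append((name, "telnet allowed: transport input " + " ".join(sorted(allowed))))
    return findings


if __name__ == "__main__":
    for name, reason in audit_vty(SAMPLE_CONFIG):
        print(f"{name}: {reason}")
```

The fix for a flagged stanza is `transport input ssh` on that line (and `ip ssh version 2` globally); rerun the audit after the change to confirm every vty stanza is covered, since a single range left at the default undoes the rest.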

More IoT exploits have been found, this time in the form of an actual backdoor in certain VoIP gateways. Hackaday revisits the topic of IoT security, discussing both accidental and deliberate backdoors which, once known, become usable by everyone.

Pwn2Own happened last week, and once again some enterprising hackers found exploits in a number of products. This year Google Chrome escaped without being exploited, but the other major browsers did not share that fortune. Windows and macOS also fell to exploits. New this year was a working escape from VMware Workstation, which went largely untouched last year. Mozilla patched the flaw found in Firefox in a quick 22 hours.

Speaking of Firefox, I just learned that it now warns when a login form is served over a plain HTTP connection. This news seems to have spread primarily because Oil and Gas International filed a bug with Mozilla complaining about the change. They claimed to have their own security system, which led reddit users to poke around and find a number of vulnerabilities, such as SQL injection, and to note that payments were processed in plaintext.

A common theme over the last year has been security products that end up compromising security, whether by antivirus itself being exploited, by making browser security harder to implement, or simply by presenting a larger attack surface.

The latest is a security issue that allows attackers to take over antivirus software. Dubbed ‘DoubleAgent’ because it turns the antivirus against you, this technique abuses Windows’ ‘Microsoft Application Verifier’: a registry entry tells Windows to load a ‘verifier’ DLL into a target process at startup, and an attacker with local administrator rights can register their own DLL for the antivirus process. Microsoft has offered a better mechanism since Windows 8.1, Protected Processes, which only allows properly signed code to be loaded into the protected process.

This issue is not limited to antivirus products. A research paper entitled The Security Impact of HTTPS Interception has prompted US-CERT to warn that security appliances performing TLS interception may themselves weaken security: since the devices man-in-the-middle TLS connections, they often negotiate weaker cipher suites and protocol versions with the origin server than the user’s own browser would (Chrome and Firefox already support draft TLS 1.3; I wonder how many appliances do). Vendors who sell these products happen to disagree.

Google reviews the last year in Android Security, highlighting the decrease in malicious software due to their “Verify Apps” initiative, the security improvements they have made to Android itself, and their efforts to ensure the entire software chain gets security updates out faster.

In ransomware news:

After a year of brisk business, it seems that Locky is finally in decline, with no new versions discovered this year.

Locky’s decline is partly due to the disappearance of the Necurs botnet at the start of the year. Talos reports that Necurs is back, but is now pushing penny stocks in ‘pump and dump’ spam.

Security Roundup - 2017-03-16

‘Vault7’ coverage continues this week:

WikiLeaks has apparently decided to follow ‘responsible disclosure’ and give the vendors of vulnerable products access to the exploits, allowing them time to create appropriate patches.

McAfee has apparently already written a scanner to check for compromised EFI Firmware, based on comments made in the Vault7 data set.

Notepad++ has quickly moved to verify the certificate of a DLL it loads, after the Vault7 documentation described hijacking that DLL. The reddit community discusses whether this will actually make a difference.

In other news:

More news on last year’s Yahoo breach announcements: the FBI believes initial access was likely gained through a spear-phishing attack on a somewhat privileged user, allowing the attackers to discover and then exfiltrate a tool that let some Yahoo employees forge authentication cookies to access users’ accounts.

A scan of ‘official’ repositories in Docker Hub indicates that a large number of those images have major vulnerabilities. Almost 11% have high-severity vulnerabilities present in the container, and that is with the scan covering only ~68% of the ‘official’ repos and skipping the base operating systems the scanning tool does not support. While this doesn’t make the containers directly exploitable, it certainly leaves a bigger attack surface. Docker Hub, at least, shows on its site which images contain known vulnerabilities.

In similar news, researchers analyzed a number of websites and found that 37% of them use outdated and vulnerable JavaScript libraries, many of them popular ones like jQuery and Angular.

Two new bug bounties have been announced: Intel has opened one that covers both software and hardware, while Microsoft has launched one that gives researchers access to Office Insider builds, allowing them to find vulnerabilities before new releases ship.

1Password has set up a very specific bug challenge called ‘bad poetry’, which is eligible for a whopping $100k bounty. The details of this are, unfortunately, invite only.

One developer writes about how awful our password policies are and lists several observations made while building a new auth system. Length is the primary item he points out: extending the minimum password length to 10 characters makes 80% of the most common passwords in use today invalid.
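To make the length argument concrete, here is an added example (not the developer’s code) of a policy that relies on a minimum length plus a blocklist instead of composition rules. The password list is a constructed sample modelled on published “most common” lists, so the 80% figure it produces for a 10-character minimum is a property of this sample, not a measurement; the leetspeak folding is a simple assumption about how people dress up a common word to pass a checker.

```python
"""Password policy built on length and a blocklist rather than composition rules.

Added example, not the article's code. COMMON_PASSWORDS is a constructed
sample modelled on published "most common" lists.
"""

COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "letmein", "monkey", "dragon", "abc123", "welcome",
    "login", "admin", "passw0rd", "trustno1",
    "1234567890", "qwertyuiop", "1q2w3e4r5t", "iloveyou123",
]

# Folds common substitutions so "P@ssw0rd" is recognised as "password" (assumption).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
BOLT_ON = "0123456789!@#$%^&*.-_?"


def normalize(password):
    """Lowercase, drop bolted-on digits/symbols at either end, then fold leetspeak."""
    return password.lower().strip(BOLT_ON).translate(LEET)


# Raw lowercase forms plus normalised forms (empty normalisations are dropped so
# that an all-digit string is judged on its own, not matched to "123456").
BLOCKLIST = {p.lower() for p in COMMON_PASSWORDS} | {n for n in map(normalize, COMMON_PASSWORDS) if n}


def length_rule(password, min_length=10):
    """The developer's primary recommendation: a length floor and nothing else."""
    return len(password) >= min_length


def check_password(password, min_length=10):
    """Return (accepted, reason). Length floor plus blocklist; no composition rules."""
    if not length_rule(password, min_length):
        return False, f"shorter than {min_length} characters"
    if password.lower() in BLOCKLIST or normalize(password) in BLOCKLIST:
        return False, "matches a common password (after normalisation)"
    return True, "ok"


def rejection_rate(passwords, rule):
    """Fraction of `passwords` that `rule` rejects."""
    rejected = sum(1 for p in passwords if not rule(p))
    return rejected / len(passwords)


if __name__ == "__main__":
    print("length >= 10 alone rejects", rejection_rate(COMMON_PASSWORDS, length_rule))
    print("length + blocklist rejects", rejection_rate(COMMON_PASSWORDS, lambda p: check_password(p)[0]))
    for candidate in ("P@ssw0rd2017!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```

The length floor does most of the work on this sample; the blocklist catches the handful of long-but-common entries and the dressed-up variants that a composition rule would happily accept, while a long passphrase of plain words passes without needing symbols or digits.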

Check Point discloses vulnerabilities discovered in both Telegram’s and WhatsApp’s web clients which would have allowed attackers to take over accounts by sending a user a malicious file disguised as an image.

Check Point has also released its newest ‘Most Wanted’ malware list. The biggest shift is the Hancitor downloader, which has climbed 22 places to rank #5.

More IoT devices are under siege, as a number of Dahua and Hikvision devices have been attacked through credentials that were easy to retrieve.

Google goes into how they detected and shut down the Chamois Android botnet, beginning with ad traffic analysis and ending with their Verify Apps program notifying users and letting them remove the app.

Threatpost declares a decline in browser exploit kits, citing both stronger defenses as browsers improve their own security and some recent arrests causing groups to shut down operations.

For those who like reading up on the internals of malware, MalwareBytes has a good writeup of the Spora ransomware.

BleepingComputer covers RanRan, a ransomware that asks victims to create a subdomain as part of the decryption process, and that splits encrypted files into several ‘tiers’ based on file size.

Security Roundup - 2017-03-10

Big news this week is the ‘Vault7’ dump of CIA exploits on Wikileaks. There is a lot of information, and I fully expect people to be picking it apart over the next few weeks, but some early things:

One Rapid7 engineer says that, at first glance, it mirrors the sorts of things he works on, including work on the Metasploit Framework.

Ars Technica latched on to the CIA’s analysis of where the Equation Group hacking unit went wrong and what they could do to avoid the same mistakes in their own tools, which amounts to a set of coding tips.

BleepingComputer has a few articles, covering things like code reuse from existing malware, decoy applications that infect machines while under scrutiny, and indications of zero-days for a number of security products.

In other news:

Leaked accounts came from an unexpected source this week, when one security researcher found an unsecured backup of a spammer’s database composed of 1.37 billion email addresses. The backups also contain other files that provide details of the spamming operation itself.

SHA-1 collision research has continued, with researchers developing the BitErrant attack, which lets them generate two executables that behave differently but produce identical SHA-1 piece hashes, so BitTorrent treats them as the same file.

Security researchers have done tests on a number of Android password managers finding 26 flaws across them, most allowing for leakage of secrets. At time of writing, all found vulnerabilities have been fixed.

HackerOne has announced its ‘community edition’, allowing open source projects to sign up to the service for free. The only caveat is that HackerOne will not provide the customer support it gives paying customers, but otherwise all tools are identical.

Google has announced that it has wrapped up ‘Operation Rosehub’, in which it identified 2,600 unique open source projects that depended on a library with a particularly bad remote code execution bug. Google engineers took it upon themselves to update these projects, improving safety across the internet; the process took the better part of a year. They mention how they are able to use BigQuery to quickly identify known problems like this and figure out the overall scope.

HackerOne did an AMA on Reddit this week. If you missed it, there is some pretty good Q&A.

Talos has started its own weekly malware roundup, composed of the threats discovered in a given week that might not otherwise get written up. One thing they DID go into depth about is a malware strain that uses DNS TXT records as its command-and-control channel.

Additionally, Talos reports on an exploit in Apache Struts where attackers can execute arbitrary commands on the server by placing an OGNL expression in the Content-Type request header, which the multipart parser evaluates while building an error message. This is full remote code execution, and some malicious actors are already using it to gain further access or to install botnet agents and malware.
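A legitimate Content-Type is a narrow grammar (`type/subtype` followed by optional `;` parameters), so requests carrying this exploit are easy to spot in logs or at a WAF. The script below is an added example, not code from the Talos write-up, for the Struts bug described above (CVE-2017-5638, the Jakarta multipart parser issue; the identifier is not named on the page). It checks a Content-Type value two ways: for OGNL markers that never belong in a media type, and for violations of the RFC 7230 token grammar. The request records and the payload-shaped string are constructed; the payload is illustrative and not a working exploit.

```python
"""Spot OGNL injection attempts carried in the Content-Type request header.

Added example, not code from the Talos write-up. SAMPLE_REQUESTS is constructed
and its "payload" is illustrative only.
"""
import re

# "type/subtype" built from RFC 7230 tchar, optionally followed by ';' parameters.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE_RE = re.compile(rf"^\s*{TCHAR}/{TCHAR}\s*(;.*)?$")

# Substrings that have no business in a media type but show up in OGNL payloads.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.", "#cmd", "getRuntime(", "ProcessBuilder")


def classify_content_type(value):
    """Return None if the header looks legitimate, otherwise a short reason."""
    for marker in OGNL_MARKERS:
        if marker in value:
            return f"OGNL marker {marker!r}"
    if not MEDIA_TYPE_RE.match(value):
        return "media type violates token grammar"
    return None


# Constructed request records; the dict layout is an assumption, not a real log format.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/upload.action",
     "content_type": "multipart/form-data; boundary=----x1"},
    {"src": "203.0.113.9", "path": "/upload.action",
     "content_type": "%{(#_='multipart/form-data').(#cmd='id')}"},
    {"src": "198.51.100.7", "path": "/api", "content_type": "application/json"},
    {"src": "198.51.100.8", "path": "/upload.action",
     "content_type": "multipart/form-data boundary=abc"},
]


def scan(requests):
    """Return (src, path, reason) for every request with a suspicious Content-Type."""
    findings = []
    for r in requests:
        reason = classify_content_type(r["content_type"])
        if reason:
            findings.append((r["src"], r["path"], reason))
    return findings


if __name__ == "__main__":
    for src, path, reason in scan(SAMPLE_REQUESTS):
        print(f"{src} {path}: {reason}")
```

The grammar check is the more general of the two: it also flags the malformed header in the fourth record, which is a client bug rather than an attack, so in production treat grammar violations as lower severity than an explicit OGNL marker. Neither check replaces patching Struts.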

How could ransomware get smarter? One cryptographer performs a thought experiment on how ransomware could leverage automated systems to become more ‘reliable’ and autonomous via smart contracts, or more insidious by eventually abusing hardware security features called secure enclaves.

Akamai reveals that some web caches may be subject to a ‘Web Cache Deception Attack’, whereby an attacker convinces a user to visit a URL such that an intermediate cache erroneously caches a page with sensitive information, believing it to be static content. The attack relies on the back-end application interpreting the request differently from the cache: a URL like /account/anything.css is routed by the application to the account page and answered with the logged-in user’s data, while the cache keys on the .css suffix and stores the response. The attacker then requests the same URL and reads the cached copy, potentially harvesting session tokens and other sensitive information.
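The attack is easiest to understand as two components that each behave reasonably on their own. The simulation below is an added example, not code from Akamai’s write-up: a toy application, a toy cache in front of it, and a constructed session store. It runs the same lure URL through the vulnerable pairing and then through each of the two fixes, an application that rejects stray path suffixes and marks authenticated pages uncacheable, and a cache that only stores responses whose Content-Type matches the URL’s extension and that honours Cache-Control.

```python
"""Web cache deception, simulated: a route that ignores trailing path segments
plus a cache that keys on file extension leaks one user's page to another.

Added example, not code from Akamai's write-up. The app, the cache, the
session store and the account data are constructed stand-ins.
"""
from dataclasses import dataclass, field

SESSIONS = {"sess-victim": "alice (card ending 4242)"}  # constructed session store
STATIC_MIME = {".css": "text/css", ".js": "application/javascript", ".png": "image/png"}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def vulnerable_app(path, cookies):
    """Routes on the first path segment and ignores the rest (PATH_INFO style)."""
    if path.split("/")[1] == "account":
        user = SESSIONS.get(cookies.get("session"))
        if user is None:
            return Response(302, "redirect to login", {"Content-Type": "text/html"})
        return Response(200, f"Account page for {user}", {"Content-Type": "text/html"})
    return Response(404, "not found", {"Content-Type": "text/html"})


def hardened_app(path, cookies):
    """Exact route match, and authenticated pages are marked uncacheable."""
    if path == "/account":
        user = SESSIONS.get(cookies.get("session"))
        if user is None:
            return Response(302, "redirect to login",
                            {"Content-Type": "text/html", "Cache-Control": "no-store"})
        return Response(200, f"Account page for {user}",
                        {"Content-Type": "text/html", "Cache-Control": "private, no-store"})
    return Response(404, "not found", {"Content-Type": "text/html"})


def extension(path):
    """File extension of the last path segment, or '' if there is none."""
    dot = path.rfind(".")
    return path[dot:] if dot > path.rfind("/") else ""


class NaiveCache:
    """Caches any 200 whose URL ends in a static-looking extension."""

    def __init__(self, app):
        self.app, self.store = app, {}

    def cacheable(self, path, resp):
        return resp.status == 200 and extension(path) in STATIC_MIME

    def get(self, path, cookies=None):
        if path in self.store:
            return self.store[path]  # served to anyone, cookies ignored
        resp = self.app(path, cookies or {})
        if self.cacheable(path, resp):
            self.store[path] = resp
        return resp


class StrictCache(NaiveCache):
    """Also requires Content-Type to match the extension and honours Cache-Control."""

    def cacheable(self, path, resp):
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" in cc or "private" in cc:
            return False
        expected = STATIC_MIME.get(extension(path))
        return (resp.status == 200 and expected is not None
                and resp.headers.get("Content-Type") == expected)


def run_attack(cache):
    """Victim, logged in, is lured to /account/style.css; attacker then fetches the same URL."""
    cache.get("/account/style.css", {"session": "sess-victim"})
    return cache.get("/account/style.css").body


if __name__ == "__main__":
    print("vulnerable app + naive cache :", run_attack(NaiveCache(vulnerable_app)))
    print("hardened app  + naive cache :", run_attack(NaiveCache(hardened_app)))
    print("vulnerable app + strict cache:", run_attack(StrictCache(vulnerable_app)))
```

Either fix alone closes this particular hole, but they guard different trust boundaries: the application owner controls routing and Cache-Control, the CDN or proxy owner controls what gets stored. Apply both, since a CDN you do not operate may still cache on extension regardless of what your application sends.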

Sucuri has published its monthly lab notes, which contain a few interesting malware finds: a backdoor trying (unsuccessfully) to hide in a Google site-verification file, malware that only worked in 2011 and was only discovered now, and malware using exotic PHP functions to operate.

Security Roundup - 2017-03-02

The big news this week is, of course, Cloudbleed. Troy Hunt provides his own take on the issue. Of note, he points out that the total impact is not measurable: while Cloudflare was able to measure that 0.00003% of requests triggered the bug, the bug leaked memory belonging to unrelated sites, so there is no way to tell how many sites were actually affected. He also points out that 0.00003% is still a huge volume of traffic, given that Cloudflare handles trillions of requests per month, meaning millions of requests potentially leaked data. However, not all Cloudflare users are at risk, simply because not all Cloudflare customers have sensitive data; plenty of informational-only sites use Cloudflare, and those had nothing sensitive to leak. Cloudflare has its own follow-up on impact.

Duo Security posts a summary of ‘The Human Exploitation Kill Chain’ talk from the RSA Conference. The talk goes over the various points in a phishing attack at which we should layer security, rather than just training users to recognize phishing. While humans are important, it is also important that no single person has enough power to let an attacker pivot through an entire system.

Yahoo has followed up on the report of forged browser cookies by announcing up to 32 million accounts were impacted.

605 websites were defaced recently after attackers gained access to the server they were all hosted on. Any data those sites were storing is likely to have been stolen as part of the attack.

For those familiar with the Hak5 suite of tools such as the RubberDucky, Hak5 has announced the BashBunny. It is essentially a ‘bring your own network’ MitM attack platform, à la the PoisonTap demonstrated last year, but with the convenience and form factor of the RubberDucky, and including a full Linux machine that lets a pentester use all their normal security tools. Hak5 has done a handy how-to video going into detail.

Netsparker goes into depth about how a lack of access control let anyone take over the Maiain Support system. While the UI limited what users could see based on their roles, the backend APIs themselves were not authenticated, potentially allowing someone without even a login to the application to access its data.

With a recent article on data exfiltration via drones and blinking LEDs, Naked Security provides a recap of exotic exfiltration methods. While many are not practical without close access to a machine, they are still fairly interesting. Some highlights: ultrasound, smartphone sensors, measuring fan noise, and thermal cameras.

In some fun news, one researcher breaks Google’s Recaptcha by feeding the audio challenge to Google’s own speech recognition API.

Following up on last week’s breach notification news:

A discussion at RSA argued that the US Government’s Vulnerabilities Equities Process (VEP) should not be voluntary but mandatory. The VEP has largely been criticized for allowing government agencies to stockpile, rather than disclose, vulnerabilities they find. Generally the community is supportive of the government aiding research and finding vulnerabilities, and is pushing for more disclosure to raise the bar on security.

MalwareBytes has an article on what to do after recovering from a cyberattack; an important point in the article is to promptly inform customers.

In regards to the Australian breach disclosure laws, Troy Hunt writes a critical article about them. He points out that disclosure is far from mandatory: companies get up to 30 days to investigate, may skip informing customers if doing so would be an ‘administrative burden’, and are told that not every breach should result in notification because that might cause ‘breach fatigue’. Troy points out that this just gives attackers that much extra time to use any data they retrieved, furthering the harm to the individuals whose data was stolen.

Google has been building tools that will eventually leverage their Key Transparency initiative. The latest is E2Email, a browser extension that makes it easier to use PGP keys for emails in web browsers.

Interested in exploit mitigation techniques and their circumvention? Endgame discusses a Chakra exploit on Windows 10 and Edge and how it bypasses some of the mitigations there.

Exposed databases being compromised and held for ransom continues, with MySQL being the latest target. In all cases, these attacks could be mitigated by following simple security practices, such as not exposing databases to the internet and using strong passwords for database accounts.

Bleeping Computer also reports that Necurs may have added a DDoS component. Necurs is a botnet that produces spam, and BleepingComputer covers why this addition doesn’t make much sense.

Speaking of botnets, Bruce Schneier has a long post on the subject, covering the growth of Internet of Things based botnets.

A new major version of Dridex has been detected in the wild and is apparently the first malware strain to use the AtomBombing code injection technique that enSilo published last October.
