Security Roundup - 2017-03-23

LastPass urges users to upgrade all clients (including web extensions), due to a number of security issues that could allow attackers to steal credentials or execute arbitrary code.

Interested in web shell analysis? Trustwave Security writes about how they discovered and analyzed a web shell used to take over a client network.

Sucuri has an update on malicious subdirectories, where malicious users upload content (like essay-selling sites) and serve it from otherwise legitimate accounts.

Cisco has been analyzing the ‘Vault7’ data and has released a customer warning, pointing out a CVE that impacts 300 of their products. While no fix is available at time of writing, Cisco has pointed out a few mitigation strategies. Since the CVE involves Telnet being enabled, the simplest solution is to disable Telnet and use SSH instead.

More IoT exploits found, this time in the form of an actual backdoor in certain VoIP gateways. Hackaday revisits the topic of IoT security, discussing both accidental and deliberate backdoors which, once known, become usable by everyone.

Pwn2Own happened last week, and once again some enterprising hackers found exploits in a number of products. This year Google Chrome managed to escape without being exploited, but other major browsers did not share this fortune. Windows and macOS also fell victim to exploits. New this year was an exploit found for VMware Workstation, which was largely avoided last year. Mozilla managed to patch the flaw discovered in Firefox in a quick 22 hours.

Speaking of Firefox, I just learned that it now warns when login forms are served over HTTP connections. This news seems to have spread primarily because Oil and Gas International filed a ticket complaining to Mozilla about the change. They claimed to have their own security system, which resulted in reddit users poking around and finding a number of vulnerabilities, such as SQL injection, and pointing out that payments were processed in plaintext.

A common theme over the last year has been security products that end up compromising security, whether that is antivirus being exploited, antivirus making it harder to implement browser security, or antivirus providing a larger attack surface.

The latest is a security issue that allows attackers to take over antivirus software. Dubbed ‘DoubleAgent’, as it turns antivirus against you, this exploit leverages a bug in Windows’ ‘Microsoft Application Verifier’ that allows a malicious agent to inject their own verifier into the process. Microsoft has provided a better mechanism in Windows 8.1+, which requires properly signed software updates.
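Application Verifier is switched on per executable through the Image File Execution Options (IFEO) registry key: the GlobalFlag value with bit 0x100 set enables it, and the VerifierDlls value names the provider DLLs the loader will pull into that process. A defender can therefore audit those values for security products. The following is an added example, not code from the article or from the DoubleAgent researchers: it parses a constructed .reg export (on a real host you would produce one with `reg export`) and flags any image that has verifier DLLs registered, noting whether verification is actually enabled and whether the DLL is one of the stock Microsoft provider DLLs. The two-entry allowlist and the sample entries are assumptions for illustration.

```python
"""Audit IFEO entries for Application Verifier provider DLLs.

Added example (not from the original article). Parses the subset of
.reg syntax used by the constructed sample below: string values and
dword values under [key] headers.
"""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that enables App Verifier

# Stock Microsoft verifier providers (partial allowlist; assumption).
KNOWN_PROVIDERS = {"vrfcore.dll", "vfbasics.dll"}

# Constructed sample export. The first entry only sets a debugger (benign
# for this check); the second enables Application Verifier for an
# AV-like process and registers an unknown DLL. Names are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\dbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exampleav.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="evilverifier.dll"
"""


def parse_reg(text):
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            else:
                # .reg escapes backslashes inside string values
                value = raw.strip('"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def audit_verifier_dlls(text, known_providers=KNOWN_PROVIDERS):
    """List every IFEO image that has verifier DLLs registered.

    Each finding records the image name, the DLL, whether the
    FLG_APPLICATION_VERIFIER bit is set (so the DLL will actually load),
    and whether the DLL is a recognised Microsoft provider.
    """
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        dlls = values.get("VerifierDlls")
        if not dlls:
            continue
        image = key.rsplit("\\", 1)[-1]
        flag = values.get("GlobalFlag", 0)
        enabled = isinstance(flag, int) and bool(flag & FLG_APPLICATION_VERIFIER)
        for dll in dlls.split():  # VerifierDlls is a space-separated list
            findings.append({
                "image": image,
                "dll": dll,
                "verifier_enabled": enabled,
                "known_provider": dll.lower() in known_providers,
            })
    return findings


if __name__ == "__main__":
    for f in audit_verifier_dlls(SAMPLE_REG):
        print(f)
```

Any finding with `verifier_enabled` true and `known_provider` false deserves a look, especially when the image is a security product; a legitimate Application Verifier session on a production endpoint is rare.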

This issue is not limited to antivirus products, however. A research paper entitled The Security Impact Of HTTPS Interception has prompted US-CERT to suggest that security appliances that perform TLS interception are themselves security flaws, since the devices man-in-the-middle TLS connections and potentially use weaker cipher suites and protocols than users’ devices do (I wonder how many support TLS 1.3; Chrome and Firefox do). Vendors who sell these products happen to disagree.

Google reviews the last year in Android Security, highlighting the decrease in malicious software due to their “Verify Apps” initiative, the security improvements they have made to Android itself, and their efforts to ensure the entire software chain gets security updates out faster.

In ransomware news:

After a year of brisk business, it seems that Locky is finally in decline, with no new versions discovered this year.

Part of Locky’s decline is due to the disappearance of the Necurs botnet at the start of the year. Talos Intel reports that Necurs is back, but is now trying to manipulate penny stocks in ‘pump and dump’ schemes.

Security Roundup - 2017-03-16

‘Vault7’ coverage continues this week:

WikiLeaks has apparently decided to follow ‘responsible disclosure’ and give access to exploits to the companies that have vulnerable products, allowing them time to create appropriate patches.

McAfee has apparently already written a scanner to check for compromised EFI Firmware, based on comments made in the Vault7 data set.

Notepad++ has quickly moved to check the certificates of the DLLs it uses, which were described in the Vault7 documentation. The Reddit community discusses whether this will actually make a difference.

In other news:

More news on last year’s Yahoo breach announcements: the FBI believes it is likely that initial access was gained by a spear phishing attack on a somewhat privileged user, allowing attackers to discover and then exfiltrate a program that allowed some Yahoo employees to generate authentication cookies to access users’ accounts.

Some scanning of ‘official’ Docker repositories in Docker Hub indicates that a large number of said images have major vulnerabilities. Almost 11% have high-priority vulnerabilities present in the container, and the scan only covered ~68% of the ‘official’ repos and doesn’t cover a subset of operating systems (because the scanning tool does not support them). While this doesn’t make the containers directly vulnerable, it certainly leaves bigger attack surfaces. Docker Hub, at least, provides indicators on its site that said containers contain a set of vulnerabilities.

In similar news, researchers have analyzed a number of websites and found that 37% of them have outdated and vulnerable libraries, many of these being popular libraries like jQuery and Angular.

Two new bug bounties have been announced: Intel has opened one that covers software and hardware, while Microsoft has launched one that provides access to Microsoft Office Insider builds, allowing researchers to find vulnerabilities before new releases.

1Password has set up a very specific bug challenge called ‘bad poetry’, which is eligible for a whopping $100k bounty. The details of this are, unfortunately, invite only.

One developer writes of how awful our password policies are and lists several observations made when building a new auth system. Length is the primary item he points out: extending the minimum password length to 10 characters invalidates 80% of the most common passwords in use today.
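To make the length argument concrete, here is an added example (not the developer’s code and not from the article) that measures what fraction of a list of weak passwords a minimum-length rule rejects, and pairs the length rule with a blocklist check in a small validator. The twenty-entry list is a constructed stand-in for a real common-password corpus, so its percentages illustrate the mechanism rather than reproduce the 80% figure quoted above.

```python
"""Minimum-length and blocklist password policy, added example.

The COMMON list below is constructed for illustration; a real policy
would load a large breached-password corpus instead.
"""

COMMON = [
    "123456", "password", "12345678", "qwerty", "123456789",
    "12345", "1234", "111111", "1234567", "dragon",
    "123123", "baseball", "abc123", "football", "monkey",
    "letmein", "shadow", "master", "666666", "qwertyuiop",
]


def rejected_fraction(passwords, min_length):
    """Fraction of `passwords` that a minimum-length rule alone rejects."""
    if not passwords:
        return 0.0
    rejected = sum(1 for p in passwords if len(p) < min_length)
    return rejected / len(passwords)


def length_sweep(passwords, lengths=(6, 8, 10, 12)):
    """Rejection rate for several candidate minimums, for comparing policies."""
    return {n: rejected_fraction(passwords, n) for n in lengths}


def validate(password, min_length=10, blocklist=frozenset(COMMON)):
    """Return None if the password passes, otherwise a reason string.

    Length is checked in characters (not bytes), so non-ASCII input is
    not penalised. The blocklist catches long-but-known passwords that a
    pure length rule would let through.
    """
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    if password.lower() in blocklist:
        return "appears in the common-password list"
    return None


if __name__ == "__main__":
    for n, frac in length_sweep(COMMON).items():
        print(f"min length {n:2d}: rejects {frac:.0%} of the sample")
    for candidate in ("dragon", "qwertyuiop", "correct horse battery"):
        print(candidate, "->", validate(candidate) or "ok")
```

Note the last case in the sweep: "qwertyuiop" is ten characters, so length alone passes it and only the blocklist catches it, which is why the two checks belong together.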

Checkpoint discloses vulnerabilities discovered in both Telegram and Whatsapp which would have allowed malicious attackers to take over accounts by sending a user a malicious file that looks like an image.

Checkpoint has also released their newest Malware ‘Most Wanted’. The biggest shift is the malware strain Hancitor, which has climbed 22 places to rank #5 on the list.

More IoT devices are under siege, as a number of Dahua and Hikvision IoT devices have been attacked via exposed credentials.

Google goes into how they detected, and shut down, the Chamois Android botnet, beginning with ad traffic analysis and ending with their Verify Apps program notifying users and letting them remove the app.

Threatpost declares a decline in browser exploit kits, citing both stronger defenses as browsers improve their own security as well as some recent arrests causing groups to shut down operations.

For those who like reading up on the internals of malware, MalwareBytes has a good writeup of the Spora ransomware.

BleepingComputer covers RanRan, a ransomware that asked users to create a subdomain for decryption, as well as providing several ‘tiers’ (based on file size) for encrypting files.

Security Roundup - 2017-03-10

Big news this week is the ‘Vault7’ dump of CIA exploits on Wikileaks. There is a lot of information, and I fully expect people to be picking it apart over the next few weeks, but some early things:

One Rapid7 engineer says that, at first glance, it mirrors the sorts of things he works on, including work on the Metasploit framework.

Ars Technica latched on to the CIA’s analysis of where the hacking unit Equation Group went wrong, and what they could do to avoid the same mistakes in their own tools, resulting in some coding tips.

BleepingComputer has a few articles, covering things like code reuse from malware, decoy applications to infect machines while under scrutiny, and indications of zero-days for a number of security products.

In other news:

Leaked accounts came from an unexpected source this week when one security researcher found an unsecured backup of a spammer’s database, composed of 1.37 billion email addresses. The backups also contain other files, providing details of the spamming operation itself.

SHA1 exploit research has continued, with researchers developing the BitErrant exploit, which allows them to generate executables that do different things but produce identical hashes for BitTorrent.

Security researchers have done tests on a number of Android password managers finding 26 flaws across them, most allowing for leakage of secrets. At time of writing, all found vulnerabilities have been fixed.

HackerOne has announced their ‘community edition’, allowing open source projects to sign up to the service for free. The only caveat is that HackerOne will not provide the customer support they provide paying customers, but otherwise all tools are identical.

Google has announced they have wrapped up ‘Operation Rosehub’, where they identified 2600 unique open source projects that depended on a library with a particularly bad remote execution bug. Google engineers took it upon themselves to update these projects, promoting safety across the internet. This process took the better part of a year. They mention how they are able to use BigQuery to quickly identify known problems like this, to figure out overall scope.

HackerOne did an AMA on Reddit this week. If you missed it, there is some pretty good Q&A.

Talos Intel has started their own weekly malware roundup, composed of threats they discovered in a given week that they might not otherwise have written about. One thing they DID go into depth about, though, is a malware strain that uses DNS records as a C&C delivery mechanism.

Additionally, Talos reports on an exploit in Apache Struts, where attackers can potentially execute remote commands by putting malicious content in the Content-Type request header. This is full remote execution, with some malicious actors using it to gain further access or to install botnet agents and malware.

How could ransomware get smarter? One cryptographer performs a thought experiment on how ransomware could leverage automated systems to be more ‘reliable’ and autonomous via smart contracts, or more insidious by eventually leveraging hardware security features called secure enclaves.

Akamai reveals that some web caches may be subject to a ‘Web Cache Deception Attack’, whereby an attacker convinces a user to initiate a web request such that an intermediate cache erroneously caches a web page with sensitive information, because it believes the content is something else. This relies on the back-end web application interpreting a request differently than the cache does, so the application returns legitimate private information while the cache believes it is cacheable static content. Attackers are then able to query the cache and potentially harvest session tokens and other sensitive information.

Sucuri has published their monthly lab notes, which contain a few interesting malware finds. Among them were a backdoor trying (unsuccessfully) to hide in a Google verification file, malware that only worked in 2011 (and was finally discovered now), and malware using exotic PHP functions to operate.

Security Roundup - 2017-03-02

The big news this week is, of course, Cloudbleed. Troy Hunt provides his own take on the issue. Of note, he points out that the total impact is not measurable. While Cloudflare measured the bug as affecting 0.00003% of requests, since the bug leaked information from unrelated sites it is impossible to measure how many sites were actually impacted. He also points out that 0.00003% is still a huge volume of traffic, given that Cloudflare deals with trillions of requests per month, meaning millions of requests potentially leaked data. However, not all Cloudflare users are at risk, simply because not all Cloudflare customers have sensitive data. Plenty of informational-only sites use Cloudflare services, meaning there was no sensitive information to leak for those sites. Cloudflare has their own follow-up on impact.

Duo Security posts a summary of ‘The Human Exploitation Kill Chain’ talk from the RSA Conference. The talk goes over the various points of a phishing attack where we should attempt to layer security, rather than just training users on identification. While humans are important, it is also important for them not to have enough individual power to allow an attacker to pivot through an entire system.

Yahoo has followed up on the report of forged browser cookies by announcing up to 32 million accounts were impacted.

605 websites were defaced recently, after attackers gained access to the machine they were all hosted on. Any data that those sites were storing is likely to have been stolen as part of the attack.

For those familiar with the Hak5 suite of tools such as the RubberDucky, Hak5 has announced the BashBunny. It is essentially a ‘bring your own network MitM attack platform’, a la the PoisonTap that was demonstrated last year, just with convenience and a form factor closer to the RubberDucky, and including a full Linux machine that allows a pentester to use all their normal security tools. Hak5 has done a handy how-to video going into detail.

Netsparker goes into depth about how a lack of access control let anyone take over the Maiain Support system. While users were limited in what they could see by their roles, the backend APIs themselves were not authenticated, potentially allowing someone who doesn’t even have login privileges to the application to access data.

With a recent article on data exfiltration via drones and blinking LEDs, Naked Security provides a recap of exotic exfiltration methods. While many are not immediately practical without close access to a machine, they are still fairly interesting. Some highlights: using ultrasound, smartphone sensors, measuring fan sounds, and thermal cameras.

In some fun news, one researcher breaks Google’s reCAPTCHA mechanism by running Google’s Speech Recognition API on the audio reCAPTCHA.

Following up on last week’s breach notification news:

A discussion at RSA argued that the US Government’s Vulnerability Equities Process (VEP) should not be voluntary, but mandatory. The VEP has largely been criticized as allowing government agencies to stockpile, rather than disclose, vulnerabilities they find. Generally, the community is supportive of the government aiding research and finding vulnerabilities, and is pushing for more disclosure to raise the bar on security.

MalwareBytes has an article on what to do after recovering from a cyberattack. Important in the article is to promptly inform customers. In regards to the Australian breach disclosure laws, Troy Hunt writes a critical article about them. In this article he points out that disclosure is far from mandatory: companies get up to 30 days to investigate, are allowed to not inform customers if there is an ‘administrative burden’, and it is suggested that not every breach should result in notification as that might cause ‘breach fatigue’. Troy points out that this just gives attackers that much extra time to use any data they retrieved, furthering harm to any individuals who had their data stolen.

Google has been building tools that will eventually leverage their Key Transparency initiative. The latest is E2Email, a browser extension that makes it easier to use PGP keys for emails in web browsers.

Interested in attack mitigation techniques and circumvention? Endgame security discusses the Chakra exploit in Windows 10 and Edge and how it avoids some security features therein.

Exposed databases being compromised and held for ransom has continued, with MySQL being the latest victim. In all cases, these attacks could be mitigated by following simple security practices, such as not exposing databases to the internet and using strong passwords for database accounts.

Bleeping Computer also reports that Necurs may have added a DDoS component. Necurs is a botnet that produces spam, and BleepingComputer covers why this addition doesn’t make much sense.

Speaking of botnets, Bruce Schneier has a long post on the subject, covering the growth of Internet of Things based botnets.

A major new version of Dridex has been detected in the wild and is apparently the first malware strain to make use of the AtomBombing code injection technique that enSilo published last October.

Security Roundup - 2017-02-23

I am sure no one missed the death knell of SHA1 as a security hash today, as Google has announced a practical SHA1 collision. The details are set to be unveiled in 90 days, giving those stragglers that still haven’t updated (despite warnings from Google over the last several years) time to do so. The attack is apparently 100K times faster than a brute force on a SHA1 hash, making it only a matter of time before it is even cheaper.

RSA wrapped up last week, and Brian Krebs reports on an overlooked announcement with big impact. Apparently, researchers at RSA announced a breach of a company selling log management tools, where the update server was compromised for two weeks in 2015 and clients automatically downloaded a compromised version of the software. RSA investigators discovered this in 2016 during an investigation and believe a number of organizations may still be compromised.

A frightening new persistent threat called ‘Operation Bugdrop’ was uncovered this week. The malware operates by controlling the microphone of the infected machine and uploading the recordings elsewhere. So far, more than 70 targets have been identified across a variety of industries, most located in Ukraine.

PhishingLabs has released their 2017 Phishing Trends Report. Highlights include: one million confirmed malicious phishing sites in 2016, 7800 phishing attacks investigated and/or mediated by PhishingLabs every month, and the top 5 targeted industries had an average 33% growth in attacks year over year. They expect cloud storage services to be the number one target by end of year, supplanting the financial industry, which is actually showing a decline. Finally, phishing attacks impersonating the IRS in 2016 outnumbered those of all of 2015 combined. With tax season underway, be wary!

This week Australia expanded its breach notification policy, while Canada is preparing new legislation requiring prompt breach notifications.

Chrome extensions can do fairly powerful things, and MalwareBytes covers how one malicious extension abuses current abilities to make itself extremely hard for the average user to uninstall. The extension in question enables a tech support scam, and also connects to a C2 server to potentially execute other code.

BleepingComputer has a nice rundown of Ramnit’s return from the 2015 takedown attempt. Unfortunately, it looks like as of 2017 it has reached the top 5 of active banking trojans.

Netflix released a project this week focused on ‘User Focused Security’. Called ‘Stethoscope’, the tool lets users visit a website that figures out some device information and provides actionable results and education for the user.

Dropbox also released a security-focused product this week with SecurityBot. SecurityBot is a chatbot that enables faster incident detection and resolution by automatically asking users to verify certain actions (like accidentally running sudo on a machine where they don’t have permissions), allowing security to escalate quickly if the user indicates they did NOT perform said action. This allows Dropbox security to deal with false positives quickly, without requiring the security team to manually follow up on each signal, or to ignore certain signals just because some individuals generate a high rate of false positives.

In ransomware, BleepingComputer provides coverage of a new ransomware family being reverse engineered live. The ransomware in question, Hermes, contained a randomization seed that could be attacked to create a decryptor for the malware.

Things to watch:

Wired reports on a newly disclosed memory attack that allows attackers to circumvent memory randomization in modern operating systems. The attack, which can be executed from JavaScript in the browser, relies on measuring memory operations to figure out where a program sits in memory, allowing attackers to carry out other memory corruption actions with greater certainty.
