Security Roundup - 2017-02-15

RSA is happening this week, and some interesting things are coming out of it. The most interesting to me so far is that Google apparently talked about BeyondCorp, their six-year mission to allow employees to work from untrusted networks without a VPN. Rather than relying on VPNs, BeyondCorp relies on over a dozen metrics to decide whether a user gets access to a specific resource, allowing for dynamic policies rather than static ones.

As a companion piece to the above, O’Reilly posts a conversation with an SRE at Stripe on zero trust networks.

Sucuri has released their monthly lab notes, and there are some interesting gems. First is a note on bad actors masquerading malicious scripts as image files to evade casual investigation of logs and traffic. Second, they cover some techniques malicious actors use to spread backdoors, malware and the like on shared hosts, expanding their reach quickly because of one neighbor’s lack of security.

Brian Krebs follows up on the LeakedSource takedown by assembling some clues on who might have been behind the site.

A self-healing malware strain has been found on the Magento platform; it uses SQL triggers to check whether it has been cleaned up and re-installs itself if so.
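The trigger-based persistence described above is easy to miss because the cleanup (deleting the injected row) succeeds and the row quietly comes back. The following is an added example, not code from the original post or from Magento: it builds a toy SQLite database (constructed schema, not Magento’s real tables) with one benign trigger and one constructed trigger that re-inserts a placeholder payload row after it is deleted, shows that a plain DELETE does not remove the row while the trigger exists, and audits all triggers for writes to sensitive tables or script-like bodies. The table names, trigger names and payload string are all assumptions for the demo.

```python
import re
import sqlite3

# Constructed toy schema standing in for a CMS config table (not Magento's real schema).
SCHEMA = """
CREATE TABLE core_config (path TEXT PRIMARY KEY, value TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL, audited INTEGER DEFAULT 0);
"""

# Benign trigger: ordinary bookkeeping on a business table.
BENIGN_TRIGGER = """
CREATE TRIGGER mark_audited AFTER UPDATE ON orders
BEGIN
  UPDATE orders SET audited = 1 WHERE id = NEW.id;
END;
"""

# Constructed stand-in for the self-healing pattern: when the injected config row is
# deleted, the trigger writes it back. The value is a placeholder, not a real payload.
SUSPICIOUS_TRIGGER = """
CREATE TRIGGER keep_footer AFTER DELETE ON core_config
WHEN OLD.path = 'design/footer/absolute_footer'
BEGIN
  INSERT INTO core_config (path, value)
  VALUES ('design/footer/absolute_footer', '<script src="https://placeholder.invalid/x.js"></script>');
END;
"""

# Tables whose rows are rendered to visitors or control site behaviour (assumed list).
SENSITIVE_TABLES = {"core_config"}
WRITE_RE = re.compile(r"\b(INSERT\s+INTO|UPDATE|REPLACE\s+INTO)\s+(\w+)", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"<script|javascript:|onerror=|base64_decode|eval\(", re.IGNORECASE)

INJECTED_PATH = "design/footer/absolute_footer"


def build_demo_db():
    """Create the in-memory demo database with both triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + BENIGN_TRIGGER + SUSPICIOUS_TRIGGER)
    return conn


def list_triggers(conn):
    """Return (name, table, create_sql) for every trigger in the database."""
    return conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    ).fetchall()


def audit_triggers(conn):
    """Flag triggers that write to sensitive tables or carry script-like bodies."""
    findings = []
    for name, table, sql in list_triggers(conn):
        reasons = []
        for _, target in WRITE_RE.findall(sql):
            if target.lower() in SENSITIVE_TABLES:
                reasons.append(f"writes to sensitive table {target}")
        if PAYLOAD_RE.search(sql):
            reasons.append("body contains script-like payload")
        if reasons:
            findings.append({"trigger": name, "on": table, "reasons": reasons})
    return findings


def demo_self_healing(conn):
    """Delete the injected row and return how many copies remain (1 while the trigger lives)."""
    conn.execute("INSERT OR REPLACE INTO core_config VALUES (?, 'x')", (INJECTED_PATH,))
    conn.execute("DELETE FROM core_config WHERE path = ?", (INJECTED_PATH,))
    return conn.execute(
        "SELECT COUNT(*) FROM core_config WHERE path = ?", (INJECTED_PATH,)
    ).fetchone()[0]


def remove_trigger_and_row(conn, trigger_name, path):
    """Remediation order matters: drop the trigger first, then delete the row."""
    # trigger_name comes from sqlite_master, so it is a known identifier, not user input.
    conn.execute(f"DROP TRIGGER IF EXISTS {trigger_name}")
    conn.execute("DELETE FROM core_config WHERE path = ?", (path,))
    return conn.execute(
        "SELECT COUNT(*) FROM core_config WHERE path = ?", (path,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_demo_db()
    for finding in audit_triggers(db):
        print(finding)
    print("rows after naive delete:", demo_self_healing(db))
    print("rows after dropping trigger:", remove_trigger_and_row(db, "keep_footer", INJECTED_PATH))
```

The point of the audit is that a trigger listing (here `sqlite_master`; on MySQL the equivalent is `information_schema.TRIGGERS`) belongs in an incident checklist alongside file and database content checks, and that the trigger must be dropped before the row is deleted or the cleanup silently undoes itself.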

Another bad news day for Yahoo as they announce that some accounts might have been accessed without a password in 2015 or 2016, using forged cookies generated by a tool internal to Yahoo.

Following last week’s WordPress API security flaw, it is reported that up to 1.5 million WordPress sites have been defaced, despite security features that would update a percentage of sites and additional security plugins that were intended to mitigate the problem. More than a dozen different defacement campaigns have been detected as of this writing.

This week I learned that some ransomware is delivered via brute-force RDP attacks, where the attacker breaks into machines via exposed remote desktops and manually executes malware. Sadly, this method appears to be on the rise.

Akamai has released their Q4 State of the Internet Report this week. Overall DDoS attacks were down QoQ, which they attribute to the various botnets fighting over resources rather than performing actual attacks. However, web application attacks were up QoQ, with SQLi attacks growing the most in that time period. Unsurprisingly, they expect IoT botnets to increase in the near future.

Speaking of the internet of things, BleepingComputer posts an interesting story where smart devices at a university were hijacked, causing the botnet to accidentally overwhelm the network with traffic. To the university’s credit, they had the smart devices segregated in a separate network, preventing the infection from spreading out of the network.

Sophos Labs has released their Malware Forecast report. Unsurprisingly, IoT devices are ALSO at the top of this list. Also highlighted: Android malware and macOS malware being on the rise.

Finally, Talos Intel has an analysis of the AthenaGO malware strain. This malware is interesting for a few reasons. The first is the language (Go), which is not commonly used for malware. The second is its use of Tor2Web proxies to communicate with C2 nodes on Tor without having to install Tor on the infected machine. This provides some additional anonymity to the attacker, though it does allow for blocking at the proxy level.

Security Roundup - 2017-02-09

Kaspersky details a sophisticated malware attack, where attackers used a variety of free tools to load programs directly into memory and grant remote access. This allowed attackers to obscure their identity and made their work harder to detect. Kaspersky states this is getting more common, making memory forensics something to consider.

For some more benign hacks due to devices exposed to the internet with default passwords:

IP streamers used to play music for radio stations were compromised to play a specific song for 15 minutes. Rapid7 also did some extra digging and provides details.

One prankster caused a number of printers to print out messages telling users that their device was part of a botnet.

Also a few unauthenticated API exploits were noticed this week:

The first is in McAfee ePolicy Orchestrator, which would allow an attacker to dump information from the server, or pretend to be a client in order to dump information about the client.

Honeywell SCADA controllers had a number of bugs which allowed an attacker to retrieve a password in plain text and then use it to log in.

Sophos disclosed a subtle bug in the new WordPress API system that would allow someone without privileges to update any blog post. This vulnerability has been patched, but after the word got out plenty of WordPress instances were defaced.

In other news:

SSL hits a big milestone: more than 50% of user traffic (according to telemetry data from Firefox) is now encrypted. This is, in large part, due to more large players encrypting all of their traffic by default, but it indicates that using SSL only is becoming the norm rather than the exception.

Etsy has an in-depth article on the many steps they take to ensure the private TLS certificates they use are secure, which is interesting for any system where you need to keep information particularly secure.

Ars Technica has an article on how Google took on Mirai by admitting one of its targets to Project Shield. The article provides some additional insight into what sorts of attacks they were seeing once Google took over.

Meanwhile, Mirai apparently received an update, now targeting Windows! Infected Windows agents are used to figure out passwords of other systems and spread the botnet. It also apparently breaks into databases, presumably to steal information.

Following the success of bug bounty programs for public companies, reports indicate that some dark net markets are doing the same.

Checkpoint indicates they are seeing a resurgence of Slammer, the worm that was primarily active in 2013 and has been largely dormant since.

Security Roundup - 2017-02-02

Think last year was a bad year for modems? A security researcher from Trustwave Security details how he found a bug in his router that impacted 31 different Netgear routers overall. Sadly, part of his research involved finding two publicly disclosed exploits for similar flaws in 2014 and expanding on that work. Netgear responded to this responsible disclosure and has issued patches for the affected devices.

Trustwave Security also increased my knowledge about SVG this week with their article on how SVG can actually contain JavaScript and be used to execute remote payloads as a result.
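Two items in these roundups, the Sucuri note on scripts masquerading as image files and the Trustwave article on SVGs carrying JavaScript, both come down to the same upload-handling problem: the file extension says nothing about what the bytes do. The following is an added example, not code from either vendor or from the original post: a small Python checker that verifies the file signature of raster formats against the claimed extension, rejects files that carry script markers regardless of signature, and parses SVGs to refuse `<script>`, `<foreignObject>`, event-handler attributes and `javascript:` URLs. The file names and byte strings used as input are constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Leading byte signatures for the raster formats we accept (well-known values).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers that have no business in an image, even one with a valid header.
SCRIPT_MARKERS = (b"<?php", b"<script", b"<%")
SVG_NS = "{http://www.w3.org/2000/svg}"


def classify_upload(filename, data):
    """Return ("accept"|"reject", reason) for a claimed image upload."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MAGIC:
        if not any(data.startswith(sig) for sig in MAGIC[ext]):
            return ("reject", "extension does not match file signature")
        if any(marker in data.lower() for marker in SCRIPT_MARKERS):
            return ("reject", "raster image carries script markers")
        return ("accept", "raster image")
    if ext == "svg":
        return inspect_svg(data)
    return ("reject", "unsupported extension")


def inspect_svg(data):
    """Parse an SVG and refuse anything that can execute script."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ("reject", "not well-formed XML")
    if root.tag not in (SVG_NS + "svg", "svg"):
        return ("reject", "root element is not <svg>")
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()
        if tag in ("script", "foreignobject"):
            return ("reject", f"contains <{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):
                return ("reject", f"contains event handler attribute {name}")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                return ("reject", "contains javascript: URL")
    return ("accept", "svg without active content")


# Constructed sample uploads for the demo.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "logo.jpg": b"<?php /* placeholder, not a real script */ ?>",
    "poly.gif": b"GIF89a" + b"\x00" * 8 + b"<?php /* appended */ ?>",
    "icon.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "bad.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>',
    "evt.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="placeholder()"/>',
}


def classify_samples():
    return {name: classify_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_upload(name, data))
```

Serving user-supplied SVG inline is still risky even after this check; the usual advice is to serve it from a separate origin or as a download, with the parse-and-refuse step as defence in depth rather than the only control.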

In more device security news, Threatpost reports on a printer flaw that allows an attacker to extract information, including documents and credentials, remotely. They achieved this using a combination of “Cross Site Printing” and CORS spoofing to make a user’s browser act as a relay to exfiltrate data.

Akamai has been doing research into credential abuse, specifically scenarios where a botnet is working to avoid standard security controls. In these scenarios an individual website is unlikely to detect this behavior, since volumes are low and attempts are spread out across IPs, accounts and time. However, when viewed in aggregate across the many sites they protect, Akamai was able to identify a number of sources and targets, detecting these attacks more readily than single-site observation would.
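To make the low-and-slow point concrete, here is an added example (not Akamai’s code or the original post’s) that runs the same sliding-window threshold twice over a constructed set of login-failure events: once keyed by (site, source IP), which is all a single site can see, and once keyed by source IP across every site. The event records, site names, thresholds and the documentation-range IP addresses are all assumptions chosen so that the actor stays under the per-site threshold but not the aggregate one.

```python
from collections import defaultdict

# Constructed login-failure events: one dict per failed attempt, minutes since start.
SITES = ["shop-a.example", "bank-b.example", "forum-c.example", "mail-d.example"]


def constructed_events():
    events = []
    # Low-and-slow actor: three failures per site, spaced out over ~45 minutes.
    for i, site in enumerate(SITES):
        for j, account in enumerate(["alice", "bob", "carol"]):
            events.append({"site": site, "ip": "203.0.113.7",
                           "account": account, "minute": i * 12 + j * 4})
    # Legitimate user mistyping a password twice at one site.
    events.append({"site": "shop-a.example", "ip": "198.51.100.5", "account": "dave", "minute": 20})
    events.append({"site": "shop-a.example", "ip": "198.51.100.5", "account": "dave", "minute": 21})
    return events


def _exceeds(times, threshold, window):
    """True if any window of `window` minutes holds at least `threshold` events."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect(events, key, threshold, window=60):
    """Group events by `key` and return the keys whose failure rate trips the threshold."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[key(ev)].append(ev["minute"])
    return sorted(k for k, times in buckets.items() if _exceeds(times, threshold, window))


def per_site_alerts(events, threshold=5, window=60):
    """What one site can see on its own: failures per (site, source IP)."""
    return detect(events, lambda e: (e["site"], e["ip"]), threshold, window)


def cross_site_alerts(events, threshold=10, window=60):
    """What an aggregator can see: failures per source IP across all sites."""
    return detect(events, lambda e: e["ip"], threshold, window)


def targets_for(events, ip):
    """Sites and accounts a flagged source touched, for the incident write-up."""
    sites = sorted({e["site"] for e in events if e["ip"] == ip})
    accounts = sorted({e["account"] for e in events if e["ip"] == ip})
    return {"sites": sites, "accounts": accounts}


if __name__ == "__main__":
    evs = constructed_events()
    print("per-site alerts:", per_site_alerts(evs))
    print("cross-site alerts:", cross_site_alerts(evs))
    for ip in cross_site_alerts(evs):
        print(ip, targets_for(evs, ip))
```

The same aggregation works keyed by account instead of IP when the actor rotates addresses but re-uses leaked credentials across sites; the only change is the key function passed to `detect`.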

LeakedSource, a website that obtained breach data and sold it openly, was taken down this week. Troy Hunt, owner of HaveIBeenPwned, provides his thoughts on the service and the takedown. In his article, Troy is critical of the LeakedSource model, where anyone could pay and get personal details from leaks. He points out a number of instances where this information has clearly been used maliciously (in OurMine-style account takeovers), and suggests that LeakedSource was also incentivizing attackers to find and turn up more data.

Google has just announced that they will now operate their own root certificate authority, as well as acquiring two existing root CAs from GlobalSign. Among other things, this will allow Google tighter control over who can generate ‘official’ Google certificates, as their products could check the entire certificate chain rather than just trust existing root CAs. With CAs like StartCom issuing rogue certificates, and even well-known CAs like Symantec and GlobalSign having issues with certificates in the last year, it is understandable that a company like Google has shifted towards wanting more control over the security of all their properties.

Ars has an interesting article suggesting that antivirus is making it harder to secure the browser. In this article, several browser engineers point out where security protections have been delayed or had problems due to antivirus hooking into, and in some cases disabling, functionality. An additional observation, supported by a number of vulnerabilities last year, is that adding antivirus provides a larger attack surface.

In ransomware, BleepingComputer provides two terrible infection stories. In one, a police department lost up to 8 years of digital evidence, with some data having backups but recent data likely not. The second was for a hotel where the infected computer was also used to provision key cards for electronic locks. Since this only impacted the generation of the keys, no customers were actually impacted.

Want to learn more about the new Locky Bart versions? Malwarebytes does an in depth analysis of the inner operations.

Talos Intel recently analyzed a malicious attachment apparently aimed at some government officials. They go into detail on the several layers the payload goes through in order to execute (a doc file, with Flash that executes ActionScript) as well as some methods it used to avoid casual analysis.

For further in-depth malware analysis, Talos also dissects EyePyramid, a malware sample that had remained undetected for a few years.

Security Roundup - 2017-01-26

Some missed news from last month: an incident response worker published a 2016 review of lessons learned from security breaches. Some high-level lessons:

  • Centralized logging makes problems much easier to track down.
  • Root causes might not be found.
  • If you rely heavily on third party technology, evaluate it for risk.
  • Most organizations he visited did not have a good secrets management solution.
  • Companies with higher tech debt also correlate with companies with high security debt.

The EFF put out an update on technical developments in cryptography, covering backdoored crypto, the finalization of TLS 1.3, a review of crypto attacks in 2016, and the strengthening of HTTPS.

Symantec-owned certificate authorities have been found to have violated SSL Certificate issuing guidelines for 108 certificates. 9 of these certificates were issued to people that were not controllers of the domains in question. Many of these appear to be ‘test’ certificates and were promptly revoked, but could still have been used for malicious behavior, especially as browsers are generally not able to deal with issuance and revocation of certificates in real time. These violations were apparently only discovered via Google’s Certificate Transparency project.

Hack The Army started up at the end of last year, and TechCrunch provides a story of some of the initial results.

Use Cisco WebEx? You might want to check that the extension is up to date, since older versions contain a remote execution vulnerability, allowing for computers to be taken over just by browsing a specially crafted page. Sophos gives you a breakdown.

Engineers at recently built a tool to find secrets in Android apps. After analyzing 16K applications, they decided to write up some findings. Unsurprisingly, quite a few applications had hard-coded some sort of API token in the application.

has released an updated Heartbleed report, indicating that 200K servers are still susceptible to CVE-2014-0160 (yes, Heartbleed is now 2 years old).

BleepingComputer reports on a banking ransomware that had its source code leaked. Initial investigation seems to indicate it has already been modified into a banking trojan.

Speaking of modified versions, Checkpoint Security warns of a new version of HummingBad, called HummingWhale. They have already contacted Google to take down a number of apps, and share their overall findings.

Finally, BleepingComputer details how members of the MalwareHuntingTeam are being harassed on VirusTotal, presumably by malware authors that MalwareHuntingTeam has exposed.

Security Roundup - 2017-01-18

Google has announced their intent to start recording ‘Key Transparency’. In a sense, it is a key verification idea similar to Keybase, while also preserving the privacy of the user. A writeup of the idea is available on GitHub.

Mobile malware is a large problem, with the likes of Gooligan and HummingBad making the rounds. Google has written an article on a technique they use to detect apps with this kind of malware, using a combination of their Potentially Harmful Apps (PHA) detection and monitoring for devices that stop checking in for these PHA scans. Cross-referencing downloaded apps with devices that stop reporting makes it possible to detect which apps are potentially performing malicious behavior and automatically flag them for review.
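The cross-referencing idea above is a simple rate comparison: if devices carrying a particular app go silent far more often than the fleet as a whole, the app is worth a look. The following is an added example, not Google’s code or the original post’s, that computes per-app silence rates over a constructed device inventory and flags apps whose rate is a multiple of the fleet baseline. The device records, package names (all under `com.example`), minimum-install floor and ratio are assumptions for the demo.

```python
from collections import defaultdict


def constructed_devices():
    """Constructed telemetry: (device_id, installed apps, still_reporting)."""
    devices = []
    # Ten devices with common apps; one has gone silent for unrelated reasons.
    for n in range(1, 11):
        devices.append((f"d{n:02d}", {"com.example.maps", "com.example.chat"}, n != 3))
    # Six devices that installed a suspect app; five of them stopped reporting.
    for n in range(11, 17):
        devices.append((f"d{n:02d}", {"com.example.chat", "com.example.flashlightpro"}, n == 16))
    # Four more healthy devices.
    for n in range(17, 21):
        devices.append((f"d{n:02d}", {"com.example.maps"}, True))
    return devices


def baseline_silence_rate(devices):
    """Fraction of all devices that have stopped reporting."""
    silent = sum(1 for _, _, reporting in devices if not reporting)
    return silent / len(devices)


def app_silence_rates(devices):
    """Per app: (silent_count, install_count) across devices that have it installed."""
    installs = defaultdict(int)
    silent = defaultdict(int)
    for _, apps, reporting in devices:
        for app in apps:
            installs[app] += 1
            if not reporting:
                silent[app] += 1
    return {app: (silent[app], installs[app]) for app in installs}


def flag_apps(devices, min_installs=5, ratio=2.0):
    """Apps whose silence rate is at least `ratio` times the fleet baseline."""
    baseline = baseline_silence_rate(devices)
    flagged = []
    for app, (silent, installs) in app_silence_rates(devices).items():
        # Ignore apps with too few installs: one silent device would dominate the rate.
        if installs < min_installs:
            continue
        if silent / installs >= ratio * baseline:
            flagged.append(app)
    return sorted(flagged)


if __name__ == "__main__":
    fleet = constructed_devices()
    print("baseline silence rate:", baseline_silence_rate(fleet))
    for app, (s, i) in sorted(app_silence_rates(fleet).items()):
        print(f"{app}: {s}/{i} silent")
    print("flagged for review:", flag_apps(fleet))
```

In production the "silent" signal needs a grace period (devices are switched off, sold, or lose connectivity) and the comparison should be against a baseline from devices without the app rather than the whole fleet, but the shape of the computation is the same.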

Brian Krebs has been investigating the person behind the Mirai botnet and believes he has figured out the real-world identity of the person responsible. Note: this is a long read, going over his entire investigation. It is a really interesting read on the entire DDoS ecosystem.

With last week’s MongoDB landgrab reaching its end, it looks like attackers have shifted towards publicly accessible ElasticSearch clusters. Duo Security also points out that this shouldn’t be a surprise, given that the amount of exposed data has been reported multiple times over the course of the last two years. Plenty of other datastores are still exposed, and Redis was already a victim last year. What’s next after ElasticSearch? BinaryEdge gives us a brief history of DB ransomware and says there are early signs that Hadoop is the next target. BleepingComputer points out some vandalized Hadoop servers as well as some CouchDB servers with ransom notes already.

Threatpost has a story on the Carbanak malware family, which is apparently using Google Sheets as a C&C mechanism, having nodes update sheets to exfiltrate data and read sheets to accept new commands. This joins Telecrypt as another malware strain that leverages third-party services rather than managing its own C&C nodes.

ShmooCon has wrapped up, and some interesting news came out of it. Did you know that squirrels cause more infrastructure outages than cyberattacks? Apparently some cyberattacks are actually mis-attributed animal outages.

SHA-1 certificates should be on their way out this year, as browsers are poised to flag certificates that are not on SHA-2. In the Alexa top million, apparently only 536 sites do not offer SHA-2 at this time. Caught in the crossfire are all those devices that are hard to upgrade but use SSL certificates: things like routers and PoS/banking systems.

Sucuri has a roundup of their December Lab Notes, which detail a number of CMS related security problems.

Checkpoint has released their Malware Most Wanted update, and there is a lot of movement on the board. Conficker is still at the top, and overall malware attacks were down over the holidays.

In other ransomware news, one of the C&C servers for Cerber was recently compromised by security researchers. They observed 700 downloads of Cerber during their observation window, which they extrapolated to 8400 downloads per day.

Also, Endgame Security does an in-depth analysis of a ransomware strain for the latest Flare-On Challenge.
