Security Roundup - 2017-07-06

Scott Helme has been analysing various internet security mechanisms over the last several years. His latest focus is TLS, and he provides a great write-up on ‘Why TLS Revocation is Broken’: why Certificate Revocation Lists (CRLs) are too cumbersome for clients to keep current, and why the Online Certificate Status Protocol (OCSP) is better for revocation but worse for privacy, since every status check tells the CA which site the client is visiting. Scott covers the current state of the problem and highlights a number of newer options that can further shrink the window in which a stolen or mis-issued certificate can be used for man-in-the-middle attacks against TLS connections.

Let’s Encrypt hits another milestone, having issued its 100 millionth certificate. Given that Let’s Encrypt has only been in operation for a year and a half, this is a remarkable achievement. In that same period, HTTPS adoption has increased by 18 percentage points (essentially one a month!) to reach 58%, no doubt at least partially due to Let’s Encrypt’s free service. They have also announced that they will start issuing wildcard certificates in the new year, citing it as a much requested feature and their hope that it will help drive TLS adoption closer to the 100% goal.

The end of this quarter saw a large amplification attack on Cloudflare’s infrastructure, crossing 100 Gbps and lasting 38 minutes. SSDP (Simple Service Discovery Protocol, UDP port 1900) is used to discover UPnP devices, and a single M-SEARCH query for ‘all’ services makes a device answer with one response per service it offers, so the reply is many times larger than the request. Because SSDP runs over UDP, the source address can be forged: an attacker sends small queries to internet-exposed devices with the victim’s address as the source, and the devices deliver the amplified responses to the victim. We’ve previously covered a number of problems with UPnP, and this is one more reason it should not be exposed to the internet. Cloudflare provides a number of other recommendations to eliminate or reduce the efficacy of these attacks.

A security researcher recently helped make packages served from the node package manager (npm) more secure. The researcher was able to take over enough maintainer accounts to be able to hijack 14% of all packages, some of which are in use by millions of users. Most of these accounts were not brute forced: their passwords were reused from other services and exposed in one of the many leaks of the last year (check your passwords!), or had been published by the maintainers themselves, accidentally shipped inside their packages or pushed to places like GitHub. The remaining 17% were brute forced with a short list of embarrassingly bad passwords (one password was literally “password”). npm has tightened its password policy, added monitoring of the password-based endpoints, and is rolling out further improvements intended to increase account security and mitigate the risk.

This week celebrated the 50th anniversary of the ATM. We’ve previously shared stories on ATMs and skimmers, and this week Brian Krebs gives us an update on the current state of ATM skimmer technology.

For those that love to dive into malware breakdowns, Palo Alto Networks provides one on OceanLotus. OceanLotus is a macOS backdoor and is interesting for a few reasons, including a custom binary protocol for talking to its C2 servers.

Finally, researchers have published a paper detailing a side-channel leak in libgcrypt’s RSA implementation: the modular exponentiation used with 1024-bit private keys leaks enough about the private exponent that the researchers could reconstruct the full key. At the time of writing, the library has issued a patch, and many Linux distributions have shipped updates and/or other layers of protection.
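An added illustration of the class of leak involved (this is not the paper’s attack or libgcrypt’s code): if the sequence of squarings and multiplications a modular exponentiation performs depends on the bits of the private exponent, anyone who can observe that sequence, for example through a cache side channel, learns the exponent. The published attack targets libgcrypt’s windowed exponentiation; the plain square-and-multiply below is the simplest member of that family and leaks every bit, while the Montgomery ladder performs the same operations for every bit. The `trace` list stands in for the side-channel observation and is an assumption of the example.

```python
"""Added example: exponent-dependent operation sequences leak the exponent.

Not the paper's attack and not libgcrypt code. 'trace' models what a
side-channel observer sees: one entry per squaring ('S') or multiply ('M')."""

def leaky_modexp(base, exp, mod, trace):
    """Left-to-right square-and-multiply. The conditional multiply makes the
    S/M pattern a direct transcription of the exponent bits."""
    result = 1
    for bit in bin(exp)[2:]:              # most significant bit first
        result = result * result % mod
        trace.append('S')
        if bit == '1':
            result = result * base % mod
            trace.append('M')
    return result

def recover_exponent(trace):
    """Rebuild the exponent from the observed pattern: every 'S' starts a new
    bit, and an 'M' immediately after it means that bit was 1."""
    bits = []
    for op in trace:
        if op == 'S':
            bits.append('0')
        else:
            bits[-1] = '1'
    return int(''.join(bits), 2)

def ladder_modexp(base, exp, mod, trace, nbits):
    """Montgomery ladder: exactly one multiply and one squaring per bit
    whatever its value, so the operation sequence carries no information.
    (Which register is written still differs per bit; a real constant-time
    implementation hides that too, typically with a conditional swap.)"""
    r0, r1 = 1, base % mod
    for i in range(nbits - 1, -1, -1):
        if (exp >> i) & 1:
            r0 = r0 * r1 % mod; trace.append('M')
            r1 = r1 * r1 % mod; trace.append('S')
        else:
            r1 = r0 * r1 % mod; trace.append('M')
            r0 = r0 * r0 % mod; trace.append('S')
    return r0

if __name__ == "__main__":
    d, n = 45, 1009                        # toy private exponent and modulus
    observed = []
    leaky_modexp(7, d, n, observed)
    print("leaky trace:", ''.join(observed), "-> recovered d =", recover_exponent(observed))
    observed = []
    ladder_modexp(7, d, n, observed, d.bit_length())
    print("ladder trace:", ''.join(observed), "(same for every 6-bit exponent)")
```

With a real 1024-bit key the observer does not get a perfect trace, which is why the paper needs more work than `recover_exponent`; the point of the example is that the leak is structural, not a bug in one line.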

Security Roundup - 2017-06-23

This roundup made possible with contributions from my co-worker Michael Cereda.

Layers upon layers upon layers. This is the first thing that comes to mind after reading Sophos’ recent report on old tricks turned new for malware. While many malware campaigns embed the malicious object directly in the document, Sophos has noticed a number of strains that host the embedded object on a remote server and have the document fetch it when opened. Among other things, this lets the operator upgrade or swap the payload after the spam campaign has launched, or pull it entirely to shut the campaign down, and it means a static scan of the attachment sees only a link rather than the payload.

McAfee also discovered new tricks in the PinkSlip malware. What sets it apart from its peers is that it turns some infected hosts into remote proxies, which are then used to further obscure where the C&C is located. The proxy is set up independently of the trojan, meaning that machines which were previously “cleaned up” may still be carrying this unwanted guest.

Google has announced a number of new malware-detection measures for Android lately, and security researchers continue to unearth more malware for them to catch. Last week brought the discovery of Xavier, a malware strain that silently steals personal and financial data while the user of the infected app is doing something innocuous like changing a ringtone or “boosting” the speed of the device. Xavier is actually an evolution of the AdDown malware, which first hit the scene in 2015 as ‘Joymobile’, but it has learned several new tricks, including fetching its instructions from a remote server and detecting when it is being run in an emulator or sandbox so that dynamic analysis sees nothing.

Researchers have discovered a new way to gain root on several Unix-like operating systems. Dubbed ‘Stack Clash’, the attack makes a process’s stack grow until it collides with another memory region (the heap or a mapped library), jumping over the guard page that is supposed to keep them apart; once the two overlap, writes to one region clobber the other, and an attacker driving a setuid program this way can redirect it into executing their own code as root. At the time of writing, the affected OSes have patches (chiefly a much larger gap between the stack and its neighbours).

A man-in-the-middle can see all of your traffic. Encrypting the traffic mitigates this, but what if someone is intercepting it using a certificate the client “trusts”? Security gateways and anti-virus products sometimes do exactly this in order to inspect web traffic for malicious content. Researchers recently worked with several industry partners to fingerprint this kind of interception, finding upwards of 10% of connections in that bucket, with a sizable portion not attributable to any known security product. Even when a legitimate security product is doing the intercepting it is a problem: the product’s own TLS stack is often weaker than the browser’s (the study found many that accept broken ciphers or skip certificate validation), so the connection ends up less secure than it would otherwise have been, and a bug in the product becomes a bug in every site the user visits.
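The fingerprinting idea, as an added example that is not the researchers’ code: the HTTP User-Agent names a browser, but the TLS ClientHello was built by whoever actually terminated the TLS connection. If the cipher-suite list in the ClientHello is not the one that browser is known to send, something between the client and the server is re-originating TLS. The ClientHello builder and parser below handle a minimal TLS 1.2 record; the per-browser cipher lists are constructed placeholders (real fingerprints have to be collected from the actual browser versions), and the cipher-suite code points are real IANA values.

```python
"""Added example: detect TLS interception by comparing the User-Agent's browser
with the observed ClientHello cipher suites. Not the paper's code; the browser
fingerprints below are constructed placeholders."""
import struct

def build_client_hello(cipher_suites, sni="example.com"):
    """Minimal TLS 1.2 ClientHello record (fixed placeholder random, empty
    session id, null compression, SNI extension only)."""
    host = sni.encode()
    entry = b'\x00' + struct.pack('!H', len(host)) + host              # name_type 0 = host_name
    name_list = struct.pack('!H', len(entry)) + entry
    extensions = struct.pack('!HH', 0, len(name_list)) + name_list     # extension type 0 = server_name
    suites = b''.join(struct.pack('!H', c) for c in cipher_suites)
    body = (b'\x03\x03' + b'\x11' * 32 + b'\x00'
            + struct.pack('!H', len(suites)) + suites
            + b'\x01\x00'
            + struct.pack('!H', len(extensions)) + extensions)
    handshake = b'\x01' + len(body).to_bytes(3, 'big') + body            # handshake type 1 = ClientHello
    return b'\x16\x03\x03' + struct.pack('!H', len(handshake)) + handshake

def parse_client_hello(record):
    """Return the cipher-suite list and SNI from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack('!H', record[3:5])[0]]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], 'big')]
    pos = 2 + 32                                        # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len
    suites_len = struct.unpack('!H', body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack('!H', body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]; pos += 1 + comp_len
    sni = None
    if pos < len(body):
        ext_len = struct.unpack('!H', body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack('!HH', body[pos:pos + 4]); pos += 4
            if etype == 0:                              # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack('!H', body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode()
            pos += elen
    return {"cipher_suites": suites, "sni": sni}

# Constructed expected cipher-suite orderings per browser family (placeholders,
# not real fingerprints; collect these from the browsers you actually see).
KNOWN_FINGERPRINTS = {
    "Firefox": [0xC02B, 0xC02F, 0xC00A, 0xC009, 0xC013, 0xC014, 0x002F, 0x0035],
    "Chrome":  [0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8, 0xC013, 0xC014, 0x002F, 0x0035],
}

def browser_family(user_agent):
    for name in KNOWN_FINGERPRINTS:
        if name in user_agent:
            return name
    return None

def looks_intercepted(user_agent, client_hello_record):
    """True when the advertised browser's known ClientHello does not match the
    observed one; None when the browser is not in our fingerprint table."""
    fam = browser_family(user_agent)
    if fam is None:
        return None
    observed = parse_client_hello(client_hello_record)["cipher_suites"]
    return observed != KNOWN_FINGERPRINTS[fam]

if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 10.0; rv:54.0) Gecko/20100101 Firefox/54.0"
    genuine = build_client_hello(KNOWN_FINGERPRINTS["Firefox"])
    proxied = build_client_hello([0x002F, 0x0035, 0x000A])   # an interception box's own, weaker stack
    print("direct browser:", looks_intercepted(ua, genuine))
    print("via middlebox:", looks_intercepted(ua, proxied))
```

On a real server the ClientHello is captured at the TLS layer (most servers can log the JA3-style hash) and joined with the User-Agent of the HTTP request on the same connection; a mismatch is the signal, and the observed suite list tells you how much weaker the intercepting stack is.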

More Internet of Things stories this week including:

Duo Security “drills in” to the security of an internet enabled drill. They take you through the discovery process, including checking out the associated app as well as the drill itself. While they unfortunately found hard coded passwords, and the ability to tamper with the Geolocation security feature, overall they found a number of security features like encryption and security headers in API responses, meaning that perhaps there is hope for the Internet of Things yet.

TP-Link joins the list of vendors to patch end of life products, fixing a bug that would allow remote account takeover in one of their older router models. This is a positive step forward, as research continues to demonstrate more and more vulnerable devices, and attackers shifting from simplistic approaches of brute forcing passwords (which still works way too often), to more complex vulnerabilities in router software itself.

Unfortunately, we are only halfway through the year and Kaspersky Lab has already seen twice as many IoT malware samples as in all of last year. Based on the number of stories we’ve covered already, this will likely get worse before it gets better.

Case in point, more Vault 7 documents have been released showcasing CherryBlossom, a framework for pushing malicious firmware to your router. After infection, routers can be controlled remotely through a browser-based interface and tasked with missions such as harvesting email addresses, chat usernames, MAC addresses and VoIP numbers from the traffic passing through them.

Security Roundup - 2017-06-16

Imagine if you had gone to the trouble of paying for and setting up security products, but they weren’t running properly. Malware authors are imagining it, and making it a reality. BleepingComputer details CertLock, a malware strain that prevents new security programs from being installed, and existing ones from running, by adding the vendors’ code-signing certificates to the Windows Disallowed (Untrusted Certificates) store, so the signed binaries fail Windows’ trust checks. Going further, it also adds a long list of vendor update domains to the machine’s hosts file pointing at localhost, breaking the products’ ability to update.
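The hosts-file half of that attack is easy to check for on any platform. The following is an added example, not code from the BleepingComputer write-up: it parses a hosts file and flags hostnames that have been pinned to a loopback or unspecified address, plus any entry at all for domains you care about. The hosts content is constructed, and the `example-av` vendor names are placeholders for the products actually in use.

```python
"""Added example: flag hosts-file entries that sinkhole hostnames (the
technique CertLock is described as using to break updates). Not code from
the write-up; SAMPLE_HOSTS is constructed."""
import ipaddress

# Names that legitimately map to loopback and should not be reported.
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                           "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines an infection might add (vendor names are placeholders)
127.0.0.1 update.example-av.com   liveupdate.example-av.com
0.0.0.0   definitions.example-av.net
192.0.2.10 intranet.corp.example
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()

def suspicious_entries(text, watch_suffixes=()):
    """Entries that send a non-loopback hostname to a sinkhole address
    (loopback or 0.0.0.0/::). watch_suffixes additionally flags any entry for
    a domain you never expect to see in a hosts file, whatever the target."""
    hits = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                      # malformed line; not our concern here
        sinkholed = ip.is_loopback or ip.is_unspecified
        watched = any(name.endswith(s) for s in watch_suffixes)
        if (sinkholed and name not in EXPECTED_LOOPBACK_NAMES) or watched:
            hits.append((addr, name))
    return hits

if __name__ == "__main__":
    for addr, name in suspicious_entries(SAMPLE_HOSTS, watch_suffixes=("corp.example",)):
        print(f"suspicious: {name} -> {addr}")
```

To run it against a live machine, read `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and pass the contents to `suspicious_entries`, with `watch_suffixes` set to the update domains of your security products. The certificate half of the attack is Windows-specific: compare the contents of the Disallowed store against a known-good baseline, since a vendor’s signing certificate should never appear there.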

Microsoft provides another security update for older versions of Windows this week, including XP, Vista and Server 2003, to protect against three more exploits from the Shadow Brokers dump. Microsoft believes the threat from these exploits is severe enough to warrant distributing patches beyond the supported versions, but points out that the best protection is to stop using end-of-service versions of Windows. All told, Microsoft released fixes for 97 vulnerabilities across its products, 17 of which were rated Critical. Microsoft has also announced that SMBv1, the protocol EternalBlue exploits, will be disabled by default in future Windows versions.

Interested in a deeper dive into Memory Resident Malware? Endgame security delivers this week covering known attacker techniques, as well as going over some of the difficulty in detecting these techniques.

Microsoft has discovered malware that abuses Intel’s Active Management Technology (AMT) to exfiltrate data. Because AMT’s Serial-over-LAN channel is handled by the management firmware below the operating system, traffic sent through it bypasses the host’s network stack and any monitoring or firewall software running there.

More and more malware is targeting Apple computers. Fortinet researchers recently stumbled across MacRansom, a macOS ransomware-as-a-service portal. After communicating with the author, they were given a sample, which they then analysed. Sadly, it looks like victims will be unable to decrypt their files: part of the encryption key is generated randomly and never sent anywhere (there is no communication with a C&C), so not even the author can recover it.

In some alarming news this week, a security researcher has posted a number of man-in-the-middle vulnerabilities in several iOS applications. These applications talk to their back ends without properly validating the server’s TLS certificate, allowing anyone on the network path to intercept the connection and steal login information. The applications in question unfortunately range from grocery deals to voting and banking apps.

The Internet of Things has been demonstrated to be the Internet of VULNERABLE Things over the last year. Cisco Talos offers both a retrospective and advice for companies that may be purchasing internet-connected devices. Case in point, yet another batch of internet-enabled web cameras has been shown to be riddled with security holes.

Security Roundup - 2017-06-09

EternalBlue and WannaCry coverage continues this week:

To start, it looks like WannaCry has a number of bugs which may make it possible for victims to recover their files without paying.

EternalBlue has unfortunately been ported to Windows 10. Security researchers did this by analysing the existing exploit and adapting it to work around the additional Windows 10 protections; the port still relies on the SMBv1 bug fixed in March, so patched systems are not affected. Speculation abounds over whether such a port was already known in certain circles, but it shows that everyone is learning from the dumped trove of exploits.

This is particularly troubling, as EternalBlue is now being used by a variety of malicious programs. While protection is thankfully a Windows update away, many systems remain unpatched and vulnerable.

Finally, Sophos does an overview of WannaCry, suggesting that adhering to security basics like strong passwords, endpoint security and (most importantly) proper patching hygiene could have made WannaCry more like DoNotCry.

Vault7 continues to hit the news as WikiLeaks has published documentation on Pandemic, a tool that turns a Windows File Server into a malware distribution server, injecting Trojans into files that users are trying to access.

MalwareBytes starts a new series called “Interview with a Malware Hunter”. The first in the series is Pieter Arntz, Security researcher for MalwareBytes.

Balancing data portability AND data security is a hard problem, since a full download of a user’s data is a gold mine for attackers. Jeff Atwood, co-founder of Stack Overflow and Discourse, goes into some of the steps his team built in to try to manage both for their users. In addition to strong passwords (a 15-character minimum, more than the current NIST guidance), restricting which accounts can export, and using single-use tokens for the download, the Discourse team actually tried cracking their own password hashes to see how feasible it is. After more than three weeks of cracking, they had broken less than 1% of accounts, and those they did break were passphrases built from a handful of dictionary words.

Sucuri has released their monthly Lab Notes. Interesting items include a look at a WordPress backdoor, a data-collection script that hides as a benign script, and a dip into malvertisement targeting.

Researchers this week noticed a novel way for malware to locate its C&C out of band: Instagram comments! By using non-printing characters as markers, a comment looks legitimate to a human reader while carrying a hidden message that points the malware at its next server.
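To make the idea concrete, here is an added example (not the researchers’ code, and not the malware’s actual encoding, which the write-up does not fully specify): a C&C address hidden in a comment as zero-width Unicode characters, a decoder for it, and the cheap detection check that is worth running on user-generated text regardless of the exact scheme, which is to look for format and control characters that have no business in a comment. The encoding and the comment text are constructed for the example.

```python
"""Added example: hide and find a C&C address carried in a comment's
non-printing characters. A constructed encoding, not the malware's; included
to show why scanning user text for format/control characters is worthwhile."""
import unicodedata

ZERO, ONE = '\u200b', '\u200c'      # zero-width space / zero-width non-joiner

def hide(cover, secret):
    """Append the secret's bits as zero-width characters after the cover text
    (constructed scheme; a real one could interleave them anywhere)."""
    bits = ''.join(f'{b:08b}' for b in secret.encode())
    return cover + ''.join(ONE if bit == '1' else ZERO for bit in bits)

def hidden_payload(comment):
    """Return the decoded secret if the comment carries zero-width bit markers,
    else None."""
    markers = [c for c in comment if c in (ZERO, ONE)]
    if len(markers) < 8:
        return None
    bits = ''.join('1' if c == ONE else '0' for c in markers)
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    return data.decode(errors='replace')

def invisible_chars(comment):
    """Characters in Unicode category Cf (format) or Cc (control), excluding
    ordinary whitespace: a scheme-independent filter for comments that deserve
    a closer look."""
    return [c for c in comment
            if unicodedata.category(c) in ('Cf', 'Cc') and c not in '\n\r\t']

if __name__ == "__main__":
    c = hide("love this pic!", "http://203.0.113.7/cb")   # constructed, documentation-range IP
    print(repr(c))
    print("invisible characters:", len(invisible_chars(c)))
    print("hidden payload:", hidden_payload(c))
```

`invisible_chars` is the part to keep: it does not depend on guessing the attacker’s encoding, and a comment containing dozens of format characters is anomalous whatever they encode. Expect some false positives from legitimate right-to-left marks and joiners in non-Latin text, so threshold on the count rather than on presence alone.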

Last month, the Jaff ransomware started making the rounds as a fairly successful strain. Now, security researchers have linked it to a cybercrime marketplace. Researchers uncovered this when they discovered shared infrastructure for the two systems. They then found thousands of compromised accounts, from banking credentials to Amazon accounts.

The RIG Exploit kit takes a blow recently, as various security groups in conjunction with GoDaddy mapped out and then shut down a major chunk of its infrastructure. Specifically, RIG was relying on compromised hosting accounts to create subdomains on other users accounts, in order to use them as relays for the exploit kit. You can read up on the whole operation on RSA’s blog.

Checkpoint security recently published new research into two ad-revenue generating malware platforms:

First, meet Judy. A Korean company named Kiniwini (ENISTUDIO corp. on Google Play) released 41 apps on Google Play featuring Judy, a cute little lady with a desire to take care of animals, make food and study fashion. Judy, however, also has a compulsive addiction to ad clicking: the apps contained malicious code used to perform auto-click ad fraud. So while users were baking cakes and tending virtual pets, Judy was taking care of their devices.

Last, but not least, Fireball exploded onto the scene with an estimated 250 million infections, possibly making it the largest malware infection ever recorded. The malware has been pinned on the Chinese company Rafotech, which specialises in “creative advertising”; the company denies any wrongdoing. The malware currently replaces the target’s browser home page and default search engine with a “fake search engine”, collecting user information and, guess what, clicking on advertising. It also has the ability to remotely execute code, making it a potent (and widespread) backdoor into many organisations.

Security Roundup - 2017-06-01

Let’s start with a WannaCry and Samba exploit roundup:

  • With Microsoft releasing a patch for Windows XP, people (including myself) were quick to blame it for the spread of WannaCry. However, it was actually Windows 7 that was the most infected. Windows 7 is past mainstream support but still in extended support, so the March patch was available to every Windows 7 user; the infected machines were simply ones that had not applied it.
  • The EternalRocks author has thrown in the towel after being scared off by last week’s news coverage.
  • Hardware providers are rolling out patches for devices affected by the Samba remote code execution bug (appliances that ship Samba, such as NAS units, are the main concern); check your device for updates today!

The Shadow Brokers have announced details of their monthly exploit dumps: 100 Zcash (a privacy-oriented cryptocurrency; roughly $26K USD at the time of writing) gets anyone access to an unknown slate of exploits. Security experts are torn between not wanting to fund exploit sellers and wanting to avoid another WannaCry. One group took to crowdfunding the fee, promising to alert affected vendors to any zero-days and then release the data publicly for additional scrutiny; it has since been cancelled due to legal concerns over purchasing the exploits.

Another Windows XP and Windows Server 2003 security patch has been released, this time not by Microsoft but by enSilo. This patch protects against ESTEEMAUDIT, the Remote Desktop exploit released in the Shadow Brokers leak. While enSilo feels it is important to move away from Windows XP, they released the patch because they feel it is important to limit the damage possible now that these exploits are public.

Microsoft did push out an out-of-band security update this week, fixing several vulnerabilities in the Malware Protection Engine, including three remote code execution flaws that are triggered simply by the engine scanning a crafted file.

RoughTed is a malvertising operation that has recently added some new tricks to evade ad blockers. Malwarebytes takes an in-depth look at the range of payloads it delivers: malicious Chrome extensions, adware, tech-support scams and exploit kits.

Google has apparently been expanding its Safe Browsing initiative. The current iteration appears to have started blocking sites that serve login forms over plain HTTP, further pushing Google’s drive for HTTPS adoption.

NIST has released a number of new reports this year, including one on lightweight cryptography (you know, for all those IoT devices). It contains a number of recommendations, but also unfortunate findings, such as none of the NIST-approved hash functions being practical on 8-bit microcontrollers. NIST also points out that the crypto landscape for IoT is changing rapidly, and is rethinking its traditional competition approach, which has historically taken years.

Interestingly, there has been a bunch of discussion around hash algorithms recently, with commentary along the lines of ‘maybe we should skip SHA-3’ and move on to better (and faster) algorithms, a plea to stop naming every hash after SHA to avoid confusion, and a dive into two newer algorithms for consideration, SHAKE2 and KangarooTwelve.

Security researchers have published a bypass of Email Encryption Appliance (EEA) / Email Security Gateway (ESG) deployments. The attack works when both appliances are reachable from the internet, so an attacker can send mail directly to the encryption appliance instead of through the gateway that is supposed to filter it. It succeeds in two configurations: where the EEA delivers to the mail server directly, skipping the ESG entirely, and where the EEA relays to the ESG but the ESG treats mail arriving from the EEA’s whitelisted IP as already trusted and does not filter it. In both cases the researchers were able to reliably deliver malicious payloads to their targets. The obvious fix is to make sure the only path into the EEA is through the ESG, and that the ESG scans relayed mail rather than trusting it by source address.

Medical systems have been heavily impacted by security issues in the last year. A recent audit of pacemaker systems (including pacemakers themselves, monitoring systems, and programmers) highlights additional problems, with several systems being subject to thousands of known security vulnerabilities due to out of date libraries, and in some cases unencrypted patient data being accessible from second hand devices the researchers purchased.

Using AWS Elastic Block Store (EBS)? Make sure you review which of your snapshots are ‘public’, as you could be leaking all sorts of information to the world: customer data, encryption keys and corporate documents are just a few of the things security researchers found in a recent investigation.
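An added example (not from the researchers’ investigation) of the check itself: list the snapshots your account owns and report any whose create-volume permission includes the `all` group, which is what “public” means for an EBS snapshot. The `boto3` calls (`describe_snapshots`, `describe_snapshot_attribute`) are the real EC2 API; the sample responses used to exercise the logic offline are constructed, and `audit_account` assumes credentials are available in the usual boto3 places.

```python
"""Added example: find publicly restorable EBS snapshots in your own account.

The decision logic is separated from the AWS calls so it can be tested on
constructed API responses without credentials."""

def is_public(attribute_response):
    """describe_snapshot_attribute(Attribute='createVolumePermission') lists
    who may create a volume from the snapshot; group 'all' means anyone."""
    return any(p.get('Group') == 'all'
               for p in attribute_response.get('CreateVolumePermissions', []))

def public_snapshots(snapshots, get_attribute):
    """snapshots: the 'Snapshots' entries from describe_snapshots(OwnerIds=['self']).
    get_attribute: callable(snapshot_id) -> describe_snapshot_attribute response.
    Returns (id, description, encrypted) for each public snapshot."""
    hits = []
    for s in snapshots:
        if is_public(get_attribute(s['SnapshotId'])):
            hits.append((s['SnapshotId'], s.get('Description', ''), s.get('Encrypted', False)))
    return hits

def audit_account(region='us-east-1'):
    """Live check against one region; needs boto3 and AWS credentials."""
    import boto3
    ec2 = boto3.client('ec2', region_name=region)
    snaps = []
    for page in ec2.get_paginator('describe_snapshots').paginate(OwnerIds=['self']):
        snaps.extend(page['Snapshots'])

    def get_attr(snapshot_id):
        return ec2.describe_snapshot_attribute(SnapshotId=snapshot_id,
                                               Attribute='createVolumePermission')
    return public_snapshots(snaps, get_attr)

# Constructed responses in the shape the EC2 API returns them.
SAMPLE_SNAPSHOTS = [
    {'SnapshotId': 'snap-0a1', 'Description': 'prod-db backup', 'Encrypted': False},
    {'SnapshotId': 'snap-0b2', 'Description': 'golden image', 'Encrypted': True},
    {'SnapshotId': 'snap-0c3', 'Description': '', 'Encrypted': False},
]
SAMPLE_ATTRIBUTES = {
    'snap-0a1': {'CreateVolumePermissions': [{'Group': 'all'}]},
    'snap-0b2': {'CreateVolumePermissions': [{'UserId': '123456789012'}]},   # shared with one account
    'snap-0c3': {'CreateVolumePermissions': []},                             # private
}

if __name__ == "__main__":
    for snap_id, desc, enc in public_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES.__getitem__):
        print(f"PUBLIC snapshot {snap_id} ({desc or 'no description'}), encrypted={enc}")
```

Run `audit_account` once per region you use, since snapshots are regional. Anything it reports can be made private again by removing the `all` group from the snapshot’s create-volume permission, but assume the data was copied while it was exposed.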

Crysis ransomware had its master decryption keys leaked earlier this week.

Similarly, so did some encryption keys for the AES-NI ransomware. In this case, the author of the ransomware claims to have released the keys, as an attempt to deflect blame for the XData ransomware, which was built on top of AES-NI. Interestingly, the decryption key for XData has also subsequently been released.
