Security Roundup - 2017-05-25

The ShadowBrokers leak continues to make itself felt, with the exploits they released still having a far reaching impact.

The MalwareTech researcher who accidentally stopped WannaCry did an AMA on Reddit earlier this week.

While WannaCry was the combination of two exploits from the data leak, a new worm dubbed EternalRocks is using 7 exploits from the leak to spread. Currently, it appears not to be deploying any payload.

Tools have emerged to decrypt files encrypted by WannaCry, as long as the infected computer has not been restarted. It turns out that the prime numbers used to generate the RSA key pair may be left behind in the ransomware process’s memory, and finding one of them is enough to reconstruct the private key from the public key. The tool has been confirmed to work on at least Windows XP and Windows 7.
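The recovery step described above, as an added example written for this roundup (it is not the code of wanakiwi, wannakey or any other WannaCry decryptor). The toy key uses two known 64-bit primes instead of a real 2048-bit key, and the “memory dump” is a constructed buffer, but the method is the one the decryptors rely on: slide a window over process memory and look for a little-endian integer that divides the public modulus n, then derive q and d from it.

```python
"""Recover an RSA private key when one of its primes is still in memory.

Added example for this roundup, not code from any WannaCry decryptor.
Assumptions: a toy 128-bit modulus built from two known 64-bit primes,
and a constructed "memory" buffer standing in for a process dump.
"""
import random
from typing import Optional, Tuple

E = 65537
# Largest primes below 2**64 and 2**63; an assumed toy key size, not a real key.
P_TOY = (1 << 64) - 59
Q_TOY = (1 << 63) - 25


def find_prime_in_memory(mem: bytes, n: int, prime_len: int) -> Optional[int]:
    """Return the first prime_len-byte window of mem that is a non-trivial
    factor of n, reading it little-endian (the layout Windows CryptoAPI uses
    for RSA key material), or None if no window divides n."""
    for off in range(len(mem) - prime_len + 1):
        if not mem[off] & 1:          # an odd prime has an odd low byte
            continue
        cand = int.from_bytes(mem[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_key(n: int, e: int, p: int) -> Tuple[int, int, int]:
    """Given the public modulus n, exponent e and one prime p, derive the
    other prime q and the private exponent d."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return d, p, q


def build_fake_memory(prime: int, prime_len: int, seed: int = 7) -> bytes:
    """Constructed stand-in for a dump of the ransomware process:
    pseudo-random filler with the prime embedded at an unaligned offset."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(4096))
    off = 1234
    return filler[:off] + prime.to_bytes(prime_len, "little") + filler[off:]


def demo() -> bool:
    """Full round trip: encrypt with the public key, recover p from memory,
    rebuild d, decrypt. Returns True when the plaintext comes back intact."""
    n = P_TOY * Q_TOY
    mem = build_fake_memory(P_TOY, 8)
    p = find_prime_in_memory(mem, n, 8)
    if p is None:
        return False
    d, _, _ = rebuild_private_key(n, E, p)
    m = 0x1234567890ABCDEF
    c = pow(m, E, n)
    return pow(c, d, n) == m


if __name__ == "__main__":
    print("recovered and decrypted:", demo())
```

Against a real dump the window is 128 bytes for a 2048-bit key and the scan is a few hundred thousand big-integer divisions, which is why the decryptors are slow but practical; the reboot caveat is simply that the process memory holding the primes is gone once the machine restarts.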

A similar flaw in Samba has been reported on by Rapid7: an attacker who can write to a Samba share can upload a shared library and have the server load and execute it. It is a sad fact that a LOT of systems expose SMB to the internet when they should not. A fix has already surfaced, so the key question is how quickly systems will get updated.

Tech support scammers are playing up on WannaCry fear by selling fake security upgrades.

On to things that are not related to ShadowBrokers…

WordPress has launched a public bug bounty program, right before releasing a new version that fixes several security flaws. WordPress had already been running the program privately for a year, in order to build a process around handling incoming reports. Since launching publicly, they have already paid out $3700 to researchers who reported security issues.

In IoT news, New York’s Attorney General’s office has reached a settlement with Safetech Products requiring it to add authentication and encryption to all Safetech smart locks.

In the same vein, researchers at the University of Michigan managed to gain access to traffic light control software thanks to very lax security implementations.

ImageMagick has taken a beating this last year, and Yahoo along with it, so Yahoo has now removed the library from its products. The trigger was yet another bug, dubbed ‘YahooBleed’, which would have allowed malicious users to extract pieces of memory from servers that handled images, including API tokens.

Check Point has discovered a way to take control of a user’s computer using malicious subtitle files for movies. While subtitle files are generally considered plain text, Check Point found that media players process them in ways that can be abused to execute code. The affected media players have been contacted and have all issued patches.

Finally, Talos Intel reports on how the Terror Exploit Kit has evolved, becoming much more selective about which exploits it fires, which makes it harder to detect and more successful overall. The biggest change is browser fingerprinting, which lets the kit pick exploits that match the victim’s browser rather than iterating through its whole list.

Security Roundup - 2017-05-19

In the aftermath of WannaCry, there are a few important developments:

If WannaCry wasn’t bad enough, another IoT device has vulnerabilities that could lead to a botnet with over 185K nodes, and DocuSign has determined that a recent malware campaign targeting its customers was enabled by a breach in which its customer email list was stolen.

WikiLeaks has dumped more Vault7 information, the latest being two malware frameworks dubbed “AfterMidnight” and “Assassin”. AfterMidnight plays on the “Gremlins” theme: it is a framework for loading small modules, called Gremlins, that do malicious things on the target, and Assassin provides much the same functionality.

Unfortunately, even more things leaked onto the internet, as documentation for a code-breaking system was found exposed to the public internet. A project between NYU, IBM and the Department of Defense, “WindsorGreen” is an encryption-cracking design intended to run on specialized hardware. Experts who have reviewed the documents suggest its computing power would eclipse most of the world’s supercomputers at that specific task. That said, experts believe that modern key strengths such as RSA 4096 remain orders of magnitude beyond its reach.

Two security groups have finished audits of the OpenVPN codebase. Both teams found a number of vulnerabilities, which the OpenVPN team has already fixed. Overall, they congratulated OpenVPN on their adherence to secure development practices while also offering a few suggestions on how to improve both the codebase and push forward best practices for security.

Checked that your router is up to date lately? I thankfully did several weeks ago, grabbing new firmware that protects my Asus RT router from a number of security vulnerabilities.

Both Edge and Chrome have flaws this week that allow credential leakage. Edge’s flaw is a Same Origin Policy bypass, letting a determined attacker confuse the browser into handing over credentials belonging to another site. The Chrome bug is really a Windows bug: it can cause the machine to send the user’s Windows login hash to an attacker.

Still using fingerprints to unlock your phone? Researchers have recently figured out how to make artificial fingerprints that will unlock phones 25-65% of the time, because most phone fingerprint sensors only check a small subset of your finger.

The President signed a Cybersecurity executive order this week. Highlights include prompting government agencies to adopt the NIST framework, consolidating shared services for more effective management, and increasing protections around critical infrastructure. Various groups are expected to deliver plans within set deadlines, so this is only a start.

400 new SLocker (Android ransomware) variants were discovered this week, bringing the total number of known variants to around 3000.

Talos Intel has observed a new ransomware spam campaign they call ‘Jaff’. Taking notes from Dridex and Locky, it uses a PDF with an embedded Word document to install its malicious payload. As always, they prepared a detailed technical breakdown.
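A static triage check for that PDF-wrapping-a-Word-document pattern, as an added example for this roundup (not Talos code, and not derived from the Jaff sample). It scans the raw bytes, inflates FlateDecode streams so that names tucked inside object streams are seen too, and flags the combination of an embedded file with an auto-run trigger. The sample PDF is constructed for the demo, and `exportDataObject` is simply the Acrobat JavaScript call PDF droppers commonly use to push an attachment at the user.

```python
"""Static triage of a PDF for an embedded document plus auto-run actions.

Added example for this roundup, not Talos code. The sample documents below
are constructed for the demo, not real Jaff droppers.
"""
import re
import zlib
from typing import Dict, List

# PDF name objects worth flagging and what each means for triage.
INDICATORS = {
    b"/EmbeddedFile": "embedded file (also matches the /EmbeddedFiles name tree)",
    b"/OpenAction": "action run automatically when the document opens",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/Launch": "launch action (run an external program)",
    b"/AA": "additional-actions dictionary (event-triggered actions)",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FILENAME_RE = re.compile(rb"/(?:F|UF)\s*\(([^)]*)\)")   # /F (name) or /UF (name)


def inflate_streams(pdf: bytes) -> bytes:
    """Return the concatenated content of every stream zlib can inflate.
    Streams with other filters (or none) are skipped; the raw bytes are
    scanned separately anyway."""
    out: List[bytes] = []
    for m in STREAM_RE.finditer(pdf):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)


def scan_pdf(pdf: bytes) -> Dict[str, object]:
    """Count indicator names in the raw and inflated bytes and decide whether
    the file pairs an embedded payload with an automatic trigger."""
    visible = pdf + b"\n" + inflate_streams(pdf)
    hits = {k.decode(): visible.count(k) for k in INDICATORS if k in visible}
    names = sorted({m.group(1).decode("latin-1") for m in FILENAME_RE.finditer(visible)})
    has_payload = "/EmbeddedFile" in hits
    has_trigger = any(k in hits for k in ("/OpenAction", "/JavaScript", "/JS", "/Launch", "/AA"))
    return {
        "indicators": hits,
        "embedded_names": names,
        "object_streams": visible.count(b"/ObjStm"),   # where names can hide
        "suspicious": has_payload and has_trigger,
    }


def build_sample_pdf() -> bytes:
    """Constructed Jaff-like document: the Filespec and EmbeddedFile objects
    sit inside a FlateDecode object stream, and an OpenAction runs JavaScript
    that pushes the embedded .docm at the user."""
    hidden = (b"<< /Type /Filespec /F (invoice_2017.docm) /EF << /F 6 0 R >> >>\n"
              b"<< /Type /EmbeddedFile /Length 0 >>")
    packed = zlib.compress(hidden)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R"
            b" /Names << /EmbeddedFiles 5 0 R >> >> endobj\n"
            b"3 0 obj << /S /JavaScript"
            b" /JS (this.exportDataObject({cName: 'invoice_2017.docm', nLaunch: 2});) >> endobj\n"
            b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream endobj\n"
            b"%%EOF\n")


def build_benign_pdf() -> bytes:
    """Constructed control: one page of text, nothing embedded, no actions."""
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"4 0 obj << /Length 26 >>\nstream\nBT /F1 12 Tf (Hello) Tj ET\nendstream endobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

The `object_streams` count is the caveat worth watching: a dropper can also hide its dictionaries behind filters other than FlateDecode, or in an incremental update appended after `%%EOF`, so treat a clean result from a byte scanner as “nothing obvious”, not as a verdict.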

Want to know even MORE about Ransomware? Troy Hunt now offers a free course.

Hang Down Your Head And (Wanna)Cry

WannaCry took the world by storm starting on Friday, and everyone blogged about it. It is ransomware that spread not by phishing but as an internet worm, drawing comparisons to worms of old such as Sasser, Slammer and Conficker. Specifically, it uses the ETERNALBLUE SMB exploit from the NSA stash that ShadowBrokers released several weeks ago to install the DoublePulsar backdoor, which then loads and runs the ransomware automatically.

You can read a full technical breakdown on the Talos Blog, as well as from Malwarebytes (who have also been tracking the infection) and Endgame Security.

Interestingly, it looks like the same exploit was used earlier by a botnet to infect machines with cryptocurrency miners, which may actually have limited some of WannaCry’s damage, since that malware closed the vulnerable SMB port to keep other infections out.

Microsoft is pissed off at the NSA for stockpiling exploits. While Microsoft patched the vulnerability two months ago, the fact that there are still so many victims is unfortunate. It certainly doesn’t help that some users disable Windows Update, making it that much more likely they fall victim to an exploit like this, or that pirated copies of Windows are prevalent and don’t necessarily receive updates.

The EFF weighs in on this patching problem, pointing out that Microsoft eventually felt the need to patch end-of-life versions of Windows (XP and Windows Server 2003 received emergency patches) because a large number of organizations still rely on them, including medical systems running specialized software. They go further, pointing out all the un-upgradable software in IoT devices, as well as on mobile phones, where older Android versions remain in use because manufacturers don’t update older devices.

WannaCry wasn’t without its bugs. One bug failed to create a unique bitcoin wallet for each victim, allowing payments to be tracked easily. And then, of course, there was the kill switch, which was triggered when a malware researcher registered the domain it checked, in an attempt to sinkhole its communications. This is not the end, however, with a number of copycats emerging from the woodwork.

The ShadowBrokers have left commentary in the wake of WannaCry, suggesting that they are going to start selling dumps of zero-day exploits as a subscription service, covering exploits that were not part of April’s massive leak, including additional Windows 10 vulnerabilities.

Security Roundup - 2017-05-11

Microsoft rushed out a critical fix for its Malware Protection Engine, releasing it one day before the regular ‘Patch Tuesday’ cycle. The bug allowed a specially crafted file to make the Malware Protection Engine execute attacker-supplied code simply by scanning it. A number of other security fixes went out as part of Patch Tuesday, including one for specially crafted images in Office. Talos Intel has a breakdown of all the security items.

Another day, another billion (yes, with a b) user records leaked. Troy Hunt of HaveIBeenPwned goes over how leaks from one site enable credential stuffing, which is trying the leaked username/password pairs against other sites in order to find more accounts to sell. And, since password reuse is still fairly common, this produces plenty of hits. Troy details 2 big combo lists of usernames and passwords that have been brought to his attention, containing the aforementioned billion credentials. Troy also went into why he doesn’t store passwords for his service.
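What credential stuffing looks like from the receiving end, as an added example for this roundup (not code from Have I Been Pwned or from Troy’s post). A stuffing run replays leaked pairs against a site, so one source tries many different usernames, mostly fails, and the occasional success is a reused password. The log format and the log lines are constructed for the demo.

```python
"""Spot credential stuffing in authentication logs.

Added example for this roundup. The log format, IPs and accounts are
constructed for the demo; the rule is the generic one: one source, many
distinct usernames, mostly failures, a few successes.
"""
import re
from collections import defaultdict
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log() -> List[str]:
    """Constructed log: one stuffing source cycling through 30 accounts with
    3 hits, one user fumbling their own password, and one normal login."""
    lines = []
    for i in range(30):
        result = "OK" if i in (4, 17, 23) else "FAIL"
        lines.append(f"2017-05-09T10:00:{i:02d}Z ip=203.0.113.5 "
                     f"user=user{i:02d}@example.com result={result}")
    for i in range(5):
        lines.append(f"2017-05-09T10:05:{i:02d}Z ip=192.0.2.9 user=bob@example.com result=FAIL")
    lines.append("2017-05-09T10:05:30Z ip=192.0.2.9 user=bob@example.com result=OK")
    lines.append("2017-05-09T10:06:00Z ip=198.51.100.7 user=alice@example.com result=OK")
    return lines


def detect_stuffing(lines: List[str], min_users: int = 10,
                    min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Return {ip: summary} for sources that tried at least min_users distinct
    accounts with a failure ratio of at least min_fail_ratio. The summary
    lists the accounts that succeeded: those passwords are reused and need a
    forced reset. Lines that do not parse are ignored."""
    attempts: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            attempts[m["ip"]].append(m.groupdict())
    flagged: Dict[str, dict] = {}
    for ip, events in attempts.items():
        users = {e["user"] for e in events}
        fails = sum(1 for e in events if e["result"] == "FAIL")
        ratio = fails / len(events)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": len(events),
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(e["user"] for e in events if e["result"] == "OK"),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(build_sample_log()).items():
        print(ip, summary)
```

The distinct-user requirement is what keeps bob, who fails five times on his own account, from being flagged on failure ratio alone. The caveat is that real stuffing tools spread attempts across proxy pools, so per-IP counting misses them; the same rule applied per ASN, per user agent, or to the failure rate of the whole site over a short window is the next step.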

Duo Labs also got hold of one of the combo lists and performed some analysis on the passwords. Interestingly, 25% of the passwords are 9 characters long (better than the 8-character minimum in the current draft of the NIST guidelines), but the most common passwords in the list are still pretty bad.

Attackers recently exploited Signaling System 7 (SS7) at scale to intercept the 2FA text messages banks send, and used the codes to drain the victims’ accounts.

Plenty of states and countries are rolling out breach disclosure laws. TechCrunch has an article pointing out that this can paint a target on a company that has disclosed a breach but not taken appropriate steps to prevent further ones.

Malwarebytes writes that the Snake trojan, which has been around since 2008, has been ported to OS X. It masquerades as a Flash installer, and for added deception actually installs Flash rather than just pretending to.

Google follows up on the first five months of their Open Source Software Fuzzing experiment. In that time period they have integrated 47 projects (including several SSH and SSL projects), and discovered 1000+ bugs, of which 264 are potential security vulnerabilities. To further the project, they are now offering financial rewards for projects to integrate with the process.

A new malware strain that exposes a remotely accessible API came to light this week. This is interesting because it inverts the traditional C2 model when needed: instead of bots calling home, the operator can connect to the bots, making it easier to re-establish control after a C2 takedown.

HandBrake, a popular video transcoding app, had one of its download mirrors compromised to deliver a trojan for up to 4 days. For those who love in-depth looks at what malware does under the hood, check out Patrick Wardle’s blog post.

Security researchers classified a number of breaches according to the OWASP Top 10. The results are interesting, with ‘Known Vulnerable Components’ being the cause of 24% of breaches, and another 15% attributable to causes not in the Top 10 at all.

Security Roundup - 2017-05-04

A large scale phishing attack was launched this week, imitating a Google Docs sharing email. If the user followed through, they were presented with a dialog asking them to authorize a fake app named “Google Docs”, which gave the attacker full access to the victim’s email and contacts. For each victim, the worm then used their contacts to send a new round of phishing emails.

Meanwhile, Google Chrome has taken an additional step towards its goal of visibly marking all HTTP sites as “Not secure” in terms of the information you are sending. On the heels of January’s change labelling HTTP pages with password fields as “Not secure”, Chrome will now label all HTTP sites visited in Incognito mode as “Not secure”, given the increased privacy expectations there.

O’Reilly and the Software Improvement Group recently surveyed a number of programmers on their companies’ secure coding practices. While 69% of respondents reported having security requirements and 60% mentioned guidelines, most felt that they were not doing enough. They also cited how security is not ‘visible’, which makes it hard to gain traction when overall company goals are to ship new features and gain new customers.

What is worse than a site that allows short passwords and returns them in plaintext when you forget them? Apparently it is a site that doesn’t ever allow you to change the password.

Intel’s remote management firmware has been found to have a remotely exploitable flaw. The flaw, present since 2010, is only reachable if Intel’s Active Management Technology (AMT) is enabled and the attacker can reach ports 16992 or 16993. Remote attacks over the internet should therefore be fairly rare, but attacks from a local network, such as public wifi in a targeted attack, are possible.

Another problem that flew under the radar is the Konni RAT, which Talos Intel has uncovered. Working backwards, they unearthed 3 years of activity across 4 campaigns and document its evolution.

Malwarebytes provides details on the OSX.Dok malware, a sophisticated attack that installs the means to monitor and intercept all HTTP AND HTTPS traffic on a victim’s computer. This lets an attacker harvest credentials that the user sends over a connection they otherwise believe is secure. Apple has already revoked the signing certificate the malware author used to sign the app, meaning that a casual user will no longer be able to install it. However, Malwarebytes has found a second strain that installs a different backdoor but looks to be from the same author.

Arbor Networks does a deep dive into the Ismdoor RAT, which talks to its C&C using DNS AAAA (IPv6) queries and responses to hide its activity in ordinary-looking DNS traffic.
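A worked illustration of that channel, as an added example for this roundup (not Arbor’s analysis code and not the Ismdoor RAT). The framing used here (a 2-byte length prefix and zero padding) is an assumption made for the demo; Ismdoor’s real encoding is not described on this page. The point is that an AAAA record is just 16 bytes, so a C&C that answers DNS can hand a bot 16 bytes of command per record while resolvers and firewalls see nothing but IPv6 lookups.

```python
"""Carry data in DNS AAAA answers, and spot it.

Added example for this roundup, not Ismdoor's code. The framing (2-byte
big-endian length prefix, zero padding) is assumed for the demo.
"""
import ipaddress
from typing import Dict, List

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # where real public answers live


def encode_to_aaaa(payload: bytes) -> List[str]:
    """Server side: frame the payload, split it into 16-byte chunks, and
    render each chunk as an IPv6 address to return as an AAAA record."""
    framed = len(payload).to_bytes(2, "big") + payload
    chunks = [framed[i:i + 16] for i in range(0, len(framed), 16)]
    chunks[-1] = chunks[-1].ljust(16, b"\0")
    return [str(ipaddress.IPv6Address(c)) for c in chunks]


def decode_from_aaaa(addrs: List[str]) -> bytes:
    """Bot side: concatenate the packed addresses and strip the framing."""
    raw = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    length = int.from_bytes(raw[:2], "big")
    return raw[2:2 + length]


def score_aaaa_answer(qname: str, addrs: List[str]) -> Dict[str, object]:
    """Defender side: two cheap heuristics over the answer section.
    1. A public name resolving outside 2000::/3 (global unicast) is odd.
    2. Mostly printable ASCII inside the 16 bytes suggests text, not an address.
    Returns the reasons so the caller can tune thresholds."""
    reasons: List[str] = []
    for a in addrs:
        addr = ipaddress.IPv6Address(a)
        if addr not in GLOBAL_UNICAST:
            reasons.append(f"{a}: not in 2000::/3")
        printable = sum(1 for b in addr.packed if 0x20 <= b < 0x7F)
        if printable >= 10:           # 10 of 16 bytes look like text
            reasons.append(f"{a}: {printable}/16 printable bytes")
    return {"qname": qname, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    records = encode_to_aaaa(b"cmd:whoami; upload c:\\loot.zip")
    print(records)
    print(decode_from_aaaa(records))
    print(score_aaaa_answer("cdn-update.example", records))
```

The upstream direction works the same way in reverse, with the bot packing its data into the labels of the name it queries, so the query names for a domain deserve the same scrutiny as the answers. Both heuristics are tunable: a C&C that bothers to pick addresses inside 2000::/3 and to encrypt its payload defeats them, at which point volume, periodicity and names that only ever receive AAAA lookups are what remain.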

Verizon’s 2017 Data Breach Investigations Report has been released (now celebrating its 10th year!). Unsurprisingly, ransomware accounted for a large number of incidents and continues to trend upward. Financial institutions are still the most popular target, but sectors like healthcare and education are seeing an uptick in attacks.

BleepingComputer rounds things out with an unfortunately busy week in ransomware, including a big update to Cerber with a new encryption process and anti-VM/sandbox features.
