Security Roundup - 2017-06-01

Let’s start with a Samba exploit roundup:

  • With Microsoft releasing a patch for Windows XP, people (including myself) were quick to blame it for the spread of WannaCry. However, it was actually Windows 7 that was the most infected. Windows 7 is still end of life, meaning that only extended support customers are likely to have received the initial security patch.
  • The EternalRocks author has thrown in the towel after being scared off by last week’s news coverage.
  • Hardware providers are rolling out patches for impacted devices; check your device for updates today!

The ShadowBrokers have announced details of their monthly exploit dumps. For 100 Zcash, a privacy-oriented cryptocurrency (equivalent to ~$26K USD at the time of writing), anyone can get access to an unknown slate of exploits. Security experts are torn between not wanting to pay for exploits and wanting to avoid another WannaCry situation. One group of individuals took to crowdfunding to gain access, promising to alert companies of the zero days and then release the data publicly for additional scrutiny. It has since been cancelled due to legal concerns over explicitly purchasing exploits.

Another Windows XP and Windows Server 2003 security patch has been released, this time not by Microsoft but by EnSilo Security. This patch protects against the ESTEEMAUDIT remote desktop exploit that became public through the ShadowBrokers leak. While EnSilo feels it is important to move away from Windows XP, they are releasing this patch because they feel it is important to limit the damage possible now that these exploits are public.

Microsoft DID push out an out-of-band security update this week, fixing several vulnerabilities in the Malware Protection Engine, including three remote code execution flaws.

RoughTed is a malvertising operation that has recently added some new tricks to evade ad blocking. Malwarebytes has taken an in-depth look, demonstrating the range of payloads, from malicious Chrome extensions and adware to tech support scams and exploit kits.

Google has apparently been expanding its Safe Browsing initiative. The current iteration appears to have started flagging sites that serve login forms over HTTP, further pushing Google’s agenda of SSL/TLS adoption.
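A quick way to check your own pages for the condition described above (a password form displayed on, or posted to, a plain-HTTP origin). This is an added example, not code from the original post or from Google; the sample HTML is constructed.

```python
"""Flag login forms that are served or submitted over plain HTTP.
Added example, not from the original post; SAMPLE_HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # one [action_url, has_password] entry per form
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means the form posts back to the page URL itself.
            self._current = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._current)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None:
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Return the action URLs of password forms that are either displayed on a
    non-HTTPS page or submitted to a non-HTTPS URL (either leaks the credential)."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_is_http = urlsplit(page_url).scheme != "https"
    return [action for action, has_pw in scanner.forms
            if has_pw and (page_is_http or urlsplit(action).scheme != "https")]


# Constructed sample: a page served over HTTP containing one login form
SAMPLE_HTML = """
<form action="/login" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="https://example.com/search"><input name="q"></form>
"""

if __name__ == "__main__":
    print(insecure_login_forms("http://example.com/", SAMPLE_HTML))
```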

NIST has released a number of new reports this year, including a new report on lightweight cryptography (you know, for all those IoT devices). There are a number of recommendations, but also unfortunate findings, such as none of the NIST-approved hashing functions being feasible on 8-bit micro-controllers. NIST also points out that the landscape for crypto and IoT is changing rapidly, and is rethinking its traditional ‘crypto challenge’ approach, which has historically taken years.

Interestingly, there has been a bunch of discussion around hashing algorithms recently, resulting in commentary of ‘Maybe we should skip SHA3’ and move on to better algorithms (and maybe stop naming hashing algorithms after SHA, to avoid confusion), and a dive into two new algorithms for consideration, SHAKE2 and KangarooTwelve.

Security researchers have published a workaround for Email Encryption Appliance (EEA)/Email Security Gateway (ESG) setups. The attack works when both items are reachable from the outside, allowing an attacker to send email directly to the email encryption appliance. It applies in two cases: one where the EEA sends messages directly to the mail server, bypassing the ESG, and the other where the EEA relays emails to the ESG, but the ESG treats the email as coming from a whitelisted IP. In both cases, the researchers were able to reliably deliver malicious payloads to their targets.

Medical systems have been heavily impacted by security issues in the last year. A recent audit of pacemaker systems (including pacemakers themselves, monitoring systems, and programmers) highlights additional problems, with several systems being subject to thousands of known security vulnerabilities due to out of date libraries, and in some cases unencrypted patient data being accessible from second hand devices the researchers purchased.

Using AWS Elastic Block Store (EBS)? Make sure you review your usage of ‘public’ snapshots, as you could be leaking all sorts of information to the world, including customer data, encryption keys and corporate documents, just to name a few things that security researchers discovered in a recent investigation.
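One way to do that review from the command line, as an added example (not from the original post or from the researchers’ own tooling): list every snapshot the account owns and report those whose createVolumePermission includes the ‘all’ group, which is what makes a snapshot public. It assumes boto3 and working AWS credentials; the classification helper is pure so it can be checked offline.

```python
"""Report EBS snapshots in this account that are public or shared to other accounts.
Added example, not from the original post; assumes boto3 credentials are configured."""


def classify_permissions(attr_response):
    """Map a DescribeSnapshotAttribute (createVolumePermission) response to
    'public' (Group 'all'), 'shared' (explicit account IDs) or 'private'."""
    perms = attr_response.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return "public"
    if any("UserId" in p for p in perms):
        return "shared"
    return "private"


def audit_snapshots(ec2):
    """Walk every snapshot owned by this account and return the non-private ones.
    `ec2` is a boto3 EC2 client (or any object exposing the same two methods)."""
    findings = []
    paginator = ec2.get_paginator("describe_snapshots")
    for page in paginator.paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            level = classify_permissions(attr)
            if level != "private":
                findings.append({"SnapshotId": snap["SnapshotId"],
                                 "Exposure": level,
                                 "Encrypted": snap.get("Encrypted", False),
                                 "Description": snap.get("Description", "")})
    return findings


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without boto3 installed
    for f in audit_snapshots(boto3.client("ec2")):
        print(f"{f['SnapshotId']}: {f['Exposure']} "
              f"(encrypted={f['Encrypted']}) {f['Description']}")
```

A ‘public’ finding means anyone with an AWS account can copy the snapshot and mount the volume; remove the ‘all’ group permission unless the data is meant to be public.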

Crysis ransomware had its master decryption keys leaked earlier this week.

Similarly, so did some encryption keys for the AES-NI ransomware. In this case, the author of the ransomware claims to have released the keys, as an attempt to deflect blame for the XData ransomware, which was built on top of AES-NI. Interestingly, the decryption key for XData has also subsequently been released.

Security Roundup - 2017-05-25

The ShadowVault continues to have an impact on the world, with the exploits they leaked having a far reaching impact.

The MalwareTech researcher that accidentally stopped WannaCry performed an AMA on Reddit earlier this week.

While WannaCry was the combination of two exploits from the data leak, a new worm dubbed EternalRocks is using 7 exploits from the leak to spread. Currently, it appears not to be deploying any payload.

Tools have emerged to decrypt files, as long as the computer has not been restarted. It turns out that the numbers used to generate the encryption key may still be left in memory, allowing the public and private key to be regenerated. The tool works for at least Windows XP and Windows 7.

A similar exploit for Samba has been reported by Rapid7, allowing an attacker to upload and execute a program on a Samba share. It is a sad fact that there are a LOT of exposed systems which should not be. A fix has already surfaced, so the key question here is how quickly systems will get updated.

Tech support scammers are playing up on WannaCry fear by selling fake security upgrades.

For things that are not related to ShadowBrokers…

WordPress has launched a bug bounty program, right before releasing a new version that fixes several security flaws. WordPress had already been running the program privately for a year, in order to build a process around any bugs that came in. Since launching, they have already paid out $3700 to developers that have reported security issues.

In IoT news, the New York attorney general’s office has reached a settlement with Safetech Products to add security and encryption to all Safetech smart locks.

Similarly, researchers at the University of Michigan managed to gain access to traffic light control software due to very lax security implementations.

Both Yahoo and ImageMagick have taken a beating this last year, but thankfully this will change now that Yahoo has removed that library from its software products. The decision was triggered by yet another exploit, dubbed ‘YahooBleed’, which would have allowed malicious users to extract pieces of memory from servers that handled images, including API tokens.

Check Point has discovered a way to take control of a user’s laptop by using malicious subtitle files for movies. While subtitle files may generally be considered plain text files, Check Point has found a way to invoke malicious behavior through them. The impacted video players have been contacted and have all issued patches.

Finally, Talos Intel reports on how the Terror Exploit Kit has evolved, becoming much more targeted in its exploits, which makes it harder to detect and more successful overall. The biggest change is browser fingerprinting, allowing the kit to pick exploits for the specific browser rather than iterating through a large list of them.

Security Roundup - 2017-05-19

In the aftermath of WannaCry, there are a few important developments.

If WannaCry wasn’t bad enough, another IoT device has vulnerabilities which could lead to a botnet with over 185K nodes, and DocuSign has determined that a recent malware campaign that targeted its customers was due to a breach in which its customer list was stolen.

WikiLeaks has dumped more Vault7 information, the latest being two malware frameworks dubbed “AfterMidnight” and “Assassin”. AfterMidnight is a play on “Gremlins”, as it is intended to allow for the running of small applications to do malicious things to targets, and Assassin provides much of the same functionality.

Unfortunately, even more things leaked on the internet as a code breaking program was found exposed to the public internet. A project between NYU, IBM and the Department of Defense, “WindsorGreen” is an encryption cracking program intended to run on specialized hardware. Experts that have reviewed the documents suggest the computing power would eclipse most of the world’s supercomputers in the specific field of encryption. That being said, experts believe that modern key strengths such as RSA 4096 are still orders of magnitude stronger.

Two security groups have finished audits of the OpenVPN codebase. Both teams found a number of vulnerabilities, which the OpenVPN team has already fixed. Overall, they congratulated OpenVPN on their adherence to secure development practices while also offering a few suggestions on how to improve both the codebase and push forward best practices for security.

Checked that your router is up to date lately? I thankfully did several weeks ago, grabbing new firmware that protects my Asus RT router from a number of security vulnerabilities.

Both Edge and Chrome have flaws this week which allow credential leakage. Edge’s flaw allows bypassing the Same Origin Policy, letting a determined attacker confuse the browser and obtain credentials it otherwise should not have access to. The Chrome bug is also a Windows bug which could allow an attacker to obtain a user’s login hash.

Still using fingerprints to unlock your phone? Researchers have recently figured out how to make artificial fingerprints that will unlock phones 25-65% of the time, based on the fact that most fingerprint scanners only check a subset of your finger.

The President signed a Cybersecurity executive order this week. Highlights include prompting government agencies to adopt the NIST framework, consolidating services for more effective management, and increasing protections around critical infrastructure. Various groups are expected to provide plans within certain intervals, making this a start.

400 new SLocker (Android Ransomware) variants were discovered this week bringing up the total number of known variants to 3000.

Talos Intel has observed a new ransomware spam campaign they call ‘Jaff’. Taking notes from Dridex and Locky, it uses a PDF with an embedded Word doc to install its malicious package. As always, they prepared a detailed technical breakdown.

Want to know even MORE about Ransomware? Troy Hunt now offers a free course.

Hang Down Your Head And (Wanna)Cry

WannaCry took the world by storm starting on Friday, and everyone blogged about it. It is ransomware that spread not by phishing but via an internet worm, drawing comparisons to worms of old including Sasser, Slammer and Conficker. Specifically, it leverages the ‘DoublePulsar/ETERNALBLUE’ exploit from the NSA stash that ShadowBrokers released several weeks ago to install a backdoor and then execute the ransomware automatically.

You can read a full technical breakdown on the Talos Blog, as well as from Malwarebytes (who has also been tracking the infection) and Endgame Security.

Interestingly, it looks like this vulnerability was exploited earlier by a botnet to infect users with cryptocurrency miners, which may actually have limited some of the damage, since that malware closed the vulnerable port to prevent additional infections.

Microsoft is pissed off at the NSA for stockpiling exploits. While Microsoft patched this problem 2 months ago, the fact that there are still so many victims is unfortunate. It certainly doesn’t help that some users disable Windows automatic updates, making it that much more likely for them to be a victim of an exploit like this, or that pirated versions of Windows are prevalent and don’t necessarily receive software updates.

The EFF talks up this patching problem, pointing out that Microsoft eventually felt the need to patch EOL versions of Windows (XP and Windows Server 2003 received emergency patches) as a large number of organizations still rely on these versions, including medical systems with specialized software. They then went further by pointing out all the un-upgradable software present in IoT devices, as well as mobile phones, since older versions of Android are still in use and manufacturers are not updating older devices.

WannaCry wasn’t without its bugs. One bug failed to create unique bitcoin wallets for each victim, allowing payments to be tracked easily. And then, of course, there was the kill switch, which was accidentally activated when a malware researcher tried to sinkhole its communications. However, this is not the end, with a number of copycats emerging from the woodwork.

The ShadowBrokers have left commentary in the wake of WannaCry, suggesting that they are going to start providing zero day dumps as a service for exploits that were not part of April’s massive leak, including additional Windows 10 vulnerabilities.

Security Roundup - 2017-05-11

Microsoft rushed out a critical fix to its Malware Protection Engine, releasing the fix one day before the regular ‘Patch Tuesday’ cycle. The flaw allowed a specially crafted file to make the Malware Protection Engine execute the malware. A number of other security fixes went out as part of Patch Tuesday, including one for a bug triggered by specially crafted images in Office. Talos Intel has a breakdown of all the security items.

Another day, another billion (yes, with a b) user records leaked. Troy Hunt of HaveIBeenPwned goes over how leaks on one site allow for credential stuffing, which is attempting to reuse those credentials on other sites in order to obtain more accounts to sell. And, since password reuse is still fairly common, this results in plenty of hits. Troy details two big combo lists of usernames and passwords that have been brought to his attention, containing the aforementioned billion credentials. Troy also went into why he doesn’t store passwords for his service.

Duo Labs also got ahold of one of the combo lists and performed some analysis on the passwords. Interestingly, 25% of passwords are 9 characters long (better than the 8 characters suggested in the current draft of the NIST guidelines), but the most common passwords contained in the list are still pretty bad.

A large-scale Signaling System #7 (SS7) attack took place recently to intercept 2FA text messages for bank accounts and drain the accounts of all funds.

Plenty of states and countries are rolling out disclosure laws. Techcrunch has an article pointing out this can paint a target on a company that has disclosed, but not taken appropriate steps to prevent further breaches.

Malwarebytes writes that the Snake trojan, which has been around since 2008, has been ported to OS X. It masquerades as a Flash installer, with the added deception of actually installing Flash rather than just pretending to.

Google follows up on the first five months of its open source software fuzzing experiment. In that time period they have integrated 47 projects (including several SSH and SSL projects) and discovered 1000+ bugs, of which 264 are potential security vulnerabilities. To further the project, they are now offering financial rewards for projects to integrate with the process.

A new malware strain came to light this week which exposes a remotely accessible API on the infected host. This is interesting in that it allows the botnet to invert the traditional C2 model as required, making it easier for botnet owners to re-establish control after a C2 takedown.

HandBrake, a popular transcoding app, was hacked to deliver a trojan for up to 4 days. For those that love an in-depth look at what malware is doing under the hood, check out Patrick Wardle’s blog post.

Security researchers classified a number of breaches according to the OWASP Top 10. The results are interesting, with ‘Known Vulnerable Components’ being the cause of 24% of breaches, and another 15% attributable to causes not in the Top 10.
