Security Roundup - 2017-05-04

A large-scale phishing attack was launched this week, imitating a Google Docs sharing notification. Users who followed the link were shown a genuine Google OAuth consent dialogue for a third-party app that had simply been named “Google Docs”; granting it gave the attacker full access to the victim’s Gmail and contacts without a password ever being captured. Each new victim’s contact list was then used to send the next round of lures. Because no credentials were stolen, changing the password does nothing; the fix is to revoke the rogue app’s access in the account’s connected-apps settings.

Meanwhile, Google Chrome has taken another step towards its stated goal of eventually marking every HTTP page as “Not secure”. On the heels of January’s change, which applied the label to HTTP pages with password or credit card fields, Chrome is now going to label all HTTP pages visited in Incognito mode as “Not secure”, on the grounds that users of that mode have heightened privacy expectations.

O’Reilly and the Software Improvement Group recently surveyed programmers about their companies’ secure coding practices. While 69% of respondents said their organisation had stated security requirements and 60% mentioned coding guidelines, most felt they were not doing enough. Respondents also noted that security work is not ‘visible’, which makes it hard to win priority when the overall company goals are shipping new features and gaining customers.

What is worse than a site that allows short passwords and emails them back in plaintext when you forget them? Apparently, a site that never lets you change the password at all.

Intel processors with remote management features have been found to have a remotely exploitable authentication bypass in the management firmware. The flaw, present since 2010, is reachable only if Intel’s Active Management Technology (AMT) has been provisioned and the attacker can reach its web interface on ports 16992 (HTTP) and 16993 (HTTPS). Attacks over the internet should therefore be relatively rare, but attacks from the local network, such as a targeted attack over public wifi, are possible. Check whether AMT is provisioned on your fleet and make sure those ports are not reachable from untrusted networks.

Another problem that has flown under the radar is the Konni RAT, which Cisco Talos discovered. Tracing it backwards, they unearthed three years of activity across four campaigns and document how the tool evolved.

Malwarebytes provides details on the OSX.Dok malware, a sophisticated attack that installs its own root certificate and routes the victim’s traffic through an attacker-controlled proxy, giving the attacker the means to monitor and intercept all HTTP and HTTPS traffic. This lets an attacker harvest credentials a user sends over a connection they otherwise believe is secure. Apple has already revoked the certificate the malware author used to sign the app, so casual users will no longer be able to install it; note, however, that removing the app does not remove the rogue root certificate or the proxy settings, which have to be cleaned up separately. Malwarebytes has also found a second strain that installs a different backdoor but appears to be from the same author.

Arbor Networks does a deep dive into the Ismdoor RAT, which talks to its C&C over DNS: outbound data is encoded into the hostnames of AAAA (IPv6) queries, and the replies come back in the IPv6 addresses of the answers, so the traffic hides inside ordinary-looking name resolution and the implant never needs a direct connection to the C&C server.
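The natural detection for this kind of channel is on the resolver logs rather than on the endpoint: a single client sending an unusual volume of AAAA queries for many distinct, high-entropy subdomains of one base domain. The script below is an added example written for this roundup, not code from the Arbor write-up; it runs over a constructed resolver log (the log lines and the c2-example.net domain are invented) and flags (client, domain) pairs by query count, the ratio of unique subdomains, and the mean Shannon entropy of the subdomain labels. The thresholds are assumptions to be tuned against your own traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the Arbor write-up), one query per line:
# "<epoch> <client> <qtype> <qname>". Client 10.0.0.7 is the planted tunnel; 10.0.0.9
# repeats one AAAA query many times and must not be flagged.
SAMPLE_LOG = """\
1493900001 10.0.0.5 AAAA www.example.com
1493900002 10.0.0.5 A www.example.com
1493900003 10.0.0.5 AAAA mail.example.com
1493900004 10.0.0.5 A cdn.example.com
1493900005 10.0.0.9 AAAA www.example.com
1493900006 10.0.0.9 AAAA www.example.com
1493900007 10.0.0.9 AAAA www.example.com
1493900008 10.0.0.9 AAAA www.example.com
1493900009 10.0.0.9 AAAA www.example.com
1493900010 10.0.0.9 AAAA www.example.com
1493900011 10.0.0.7 AAAA 4f2a9c1e7b3d6085a2c4e6f1.c2-example.net
1493900012 10.0.0.7 AAAA 9e8d7c6b5a4f3e2d1c0b9a87.c2-example.net
1493900013 10.0.0.7 AAAA 0a1b2c3d4e5f6a7b8c9d0e1f.c2-example.net
1493900014 10.0.0.7 AAAA 7c3e9a1f5b2d8046ce1a3f5b.c2-example.net
1493900015 10.0.0.7 AAAA b6d2f8a4c0e6b2d8f4a0c6e2.c2-example.net
1493900016 10.0.0.7 AAAA 5e1c7a3f9b0d2468ace13579.c2-example.net
"""


def shannon_entropy(s):
    """Bits per character of the string; ~4.0 for random hex, near 0 for 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, base) where base is the last two labels.
    Simplification: a real deployment would use the public suffix list here."""
    labels = qname.lower().rstrip('.').split('.')
    if len(labels) <= 2:
        return '', '.'.join(labels)
    return '.'.join(labels[:-2]), '.'.join(labels[-2:])


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        yield {'ts': int(ts), 'client': client, 'qtype': qtype.upper(), 'qname': qname}


def find_aaaa_tunnels(records, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Flag (client, base domain) pairs whose AAAA queries look like an encoded channel:
    enough queries, almost every one for a different subdomain, and random-looking labels."""
    groups = defaultdict(list)
    for r in records:
        if r['qtype'] != 'AAAA':
            continue
        sub, base = split_name(r['qname'])
        groups[(r['client'], base)].append(sub)

    findings = []
    for (client, base), subs in groups.items():
        if len(subs) < min_queries:
            continue
        unique = set(subs)
        ratio = len(unique) / len(subs)
        mean_entropy = sum(shannon_entropy(s.replace('.', '')) for s in unique) / len(unique)
        if ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            findings.append({'client': client, 'domain': base, 'queries': len(subs),
                             'unique_ratio': round(ratio, 2), 'mean_entropy': round(mean_entropy, 2)})
    return sorted(findings, key=lambda f: f['queries'], reverse=True)


if __name__ == '__main__':
    for f in find_aaaa_tunnels(parse_log(SAMPLE_LOG)):
        print(f)
```

Two things the sample deliberately shows: a host that hammers one AAAA name (10.0.0.9) is not flagged, because the unique-subdomain ratio is what separates beaconing from a data channel, and the return path (data in the answered IPv6 addresses) is not visible in a query-only log, so if your resolver can log answers, the same grouping over the returned addresses is worth adding.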

Verizon’s 2017 Data Breach Investigations Report has been released (now in its 10th year). Unsurprisingly, ransomware accounted for a large number of incidents and continues to trend upwards. Financial institutions are still the most popular target, but sectors like healthcare and education are seeing an uptick in attacks.

BleepingComputer rounds things out with an unfortunately busy week in ransomware, including a big update to Cerber that brings a new encryption process and anti-VM/sandbox evasion features.

Security Roundup - 2017-04-27

News of DoublePulsar has been making the rounds, with some claims of several hundred thousand infected systems. It now appears that the implant can be uninstalled remotely, raising the prospect of a Robin Hood botnet scrubbing it off the internet while the infected systems are patched. Note that removing the implant does not close the SMB hole it came in through; only patching does.

Despite the measures Google takes against malicious apps in the Play Store, things still get listed. Check Point has documented a new botnet they dub FalseGuide, which currently involves 40 known apps and may have been installed on over half a million devices.

Leaked passwords, reused from earlier breaches, appear to be behind a rash of Amazon third-party seller account takeovers. The attackers take over a seller’s Amazon account, change the payment information, and then try to get buyers to purchase goods that will never be shipped.

Microsoft recently began blocking Windows Update on Windows 7 and 8.1 machines with the newest processor generations, even though both versions are still inside their support lifetimes. One user in particular was annoyed enough to reverse engineer the check in the latest patches and publish a workaround that lets the updates be applied anyway.

LastPass has been under a lot of security scrutiny lately. The latest issue was a flaw in their 2FA implementation that could have allowed an attacker to bypass 2FA altogether. The researcher who found it has posted a full technical breakdown.

Running an IoT company? Concerned about security? Hackaday has you covered, distilling a year’s worth of incidents into the things you need to know to avoid IoT security failures.

Cloudflare reports the continued decline of older cipher suites: AES-CBC is giving way to AEAD modes such as AES-GCM and ChaCha20-Poly1305, and RSA is giving way to the faster ECDSA for certificate signatures.

Some AV news this week. First, Trustwave points out a vulnerability they discovered and helped Avast fix. Second, the AV provider Webroot shipped a bad signature update earlier this week that caused Windows system files needed for normal operation to be quarantined, a reminder that a bad AV update can be as disruptive as the malware it is meant to stop.

Locky, the ransomware, and Necurs, the botnet that distributes it, have recently seen a resurgence. The latest lures embed a document inside another document in an attempt to avoid detection and get past filtering.

Security Roundup - 2017-04-20

The anti-malware industry starts pointing fingers, with this article from Ars Technica on ‘Lawyers, malware, and money’. In it, a number of malware detection vendors and the benchmarking services that test them largely blame each other for misrepresenting products in demos and sales bake-offs. Some suggest the benchmarks are not representative of the ‘real world’, others that some participants are rigging the game in their favour, and a number of these disputes have apparently devolved into lawsuits and revoked licences.

The return of the Shadow Brokers has resulted in another trove of exploits being released, reportedly comprising more than a thousand Windows binaries. Microsoft indicates that a number of the vulnerabilities have already been fixed, so the immediate action is to confirm that current patches are applied. There is plenty of coverage from multiple security sites for those who want to dig in further.

Phishing is temporarily much easier on Chrome and Firefox: Punycode domains, the ASCII encoding of internationalised domain names, are rendered in their Unicode form, and a name built entirely from Cyrillic letters that look like Latin ones displays identically to the ASCII domain it is masquerading as.
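The check that the browsers lacked is easy to reproduce for your own mail gateway or URL-filtering logs. The script below is an added example for this roundup, not code from either browser project: it decodes xn-- labels with Python’s standard idna codec, then flags a label if it mixes scripts or is made up entirely of Cyrillic letters from a small lookalike table (the table is an assumption, a subset of the confusables the browsers now use), and reports the ASCII name the label would be mistaken for. The sample inputs are constructed; the all-Cyrillic “apple” lookalike and bücher.de are the only real names used.

```python
import unicodedata

# Cyrillic letters that are near-identical to Latin letters in common fonts. Assumed
# subset for illustration; browsers ship a much larger confusables table.
CYRILLIC_LOOKALIKES = {
    '\u0430': 'a', '\u0441': 'c', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p',
    '\u0445': 'x', '\u0443': 'y', '\u0455': 's', '\u0456': 'i', '\u0458': 'j',
    '\u0501': 'd', '\u051b': 'q', '\u051d': 'w', '\u04cf': 'l', '\u04bb': 'h',
}


def to_unicode(hostname):
    """Decode xn-- labels with the standard library's idna codec; plain labels pass through."""
    out = []
    for label in hostname.strip().lower().split('.'):
        if label.startswith('xn--'):
            out.append(label.encode('ascii').decode('idna'))
        else:
            out.append(label)
    return '.'.join(out)


def script_of(ch):
    """Script name taken from the Unicode character name ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    if ch.isascii():
        return 'LATIN'
    name = unicodedata.name(ch, '')
    return name.split(' ', 1)[0] if name else 'UNKNOWN'


def analyze_hostname(hostname):
    """Flag labels that mix scripts or consist only of Latin-lookalike Cyrillic letters.
    Returns the decoded name, the ASCII it would be mistaken for, and the offending labels."""
    decoded = to_unicode(hostname)
    flagged, skeleton = [], []
    for label in decoded.split('.'):
        letters = [c for c in label if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        # Whole label drawn from the lookalike table: renders as a Latin word it is not.
        whole_label_lookalike = (bool(letters) and scripts == {'CYRILLIC'}
                                 and all(c in CYRILLIC_LOOKALIKES for c in letters))
        if len(scripts) > 1 or whole_label_lookalike:
            flagged.append(label)
        skeleton.append(''.join(CYRILLIC_LOOKALIKES.get(c, c) for c in label))
    return {'unicode': decoded, 'suspicious': bool(flagged),
            'lookalike': '.'.join(skeleton), 'labels': flagged}


if __name__ == '__main__':
    # Constructed inputs: the Cyrillic "apple" demo name, a mixed-script name, and two
    # legitimate IDNs that must not be flagged.
    for host in ('xn--80ak6aa92e.com', 'a\u0440ple.com', 'xn--bcher-kva.de',
                 '\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444', 'example.com'):
        print(host, analyze_hostname(host))
```

The two negative cases matter as much as the positive ones: bücher.de is a single-script Latin name with an accented letter and must pass, and a genuine all-Cyrillic name passes because it contains letters with no Latin twin. That is essentially the rule Chrome adopted, which is why the fix could ship without breaking legitimate internationalised domains.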

The recent Struts vulnerability has been fixed in Oracle’s products, along with 299 other vulnerabilities in Oracle’s April Critical Patch Update. This number of security fixes is a new record for Oracle, beating the 276 reported in July 2016.

Plenty of Android malware news: Sophos points out how Android malware is adopting the emulator-detection techniques desktop malware uses to avoid analysis, while Threatpost goes into how Google is combating malware on Android. That doesn’t stop some malware campaigns from trying their hardest to stay in the Play Store.

Sucuri has posted March’s Lab Notes. Of interest: backdoors whose code is delivered and executed via cookie values, which keeps the payload out of the URLs and POST bodies that usually end up in web server logs.

Check Point’s March Malware Most Wanted is out, showing that, after a recent downturn, exploit kits are once again in active use.

In a bout of Robin Hood hacking, a botnet named Hajime is competing with Mirai. Hajime infects IoT devices and then closes off the ports Mirai uses to get in, although the devices remain infected and under someone else’s control.

The FBI was involved in the recent takedown of the Kelihos botnet. Threatpost provides some details on how they were involved, while the researcher behind MalwareTech shares details on Kelihos from his own research.

Another in-depth look at malware, this time Sathurbot, a strain that initially spreads through malicious torrents and then uses the infected machines to brute-force common web login portals.

Ransomware as a service hits a new low: a version called Karmen can be purchased outright for $175.

Another piece of open source malware made the rounds this week. Labelled a ‘remote administration tool’, which is not even a particularly fancy euphemism for remote access trojan, this one uses Telegram as its C&C channel. BleepingComputer has the details.

Security Roundup - 2017-04-14

BleepingComputer does a great write-up of the CAA DNS record, which lets a domain owner specify which certificate authorities are allowed to issue certificates for the domain. In a recent CA/Browser Forum ballot, the majority of browsers and certificate authorities voted to make the check mandatory by September 8, 2017, after which a CA must confirm it is permitted to issue for a name before doing so.
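The CA-side check is small enough to show in full, and doing so surfaces the details that trip people up: the record is inherited from the closest ancestor that has one, wildcard requests consult issuewild first, a bare “;” means nobody may issue, and a record with the critical flag (128) and a tag the CA does not understand blocks issuance outright. The code below is an added example written for this roundup, not code from BleepingComputer or any CA; it evaluates a constructed, hypothetical zone held in a dictionary instead of querying DNS, and skips the CNAME/DNAME alias handling that a real CA also performs.

```python
# Constructed CAA data for a hypothetical zone (not a real zone). Each record is
# (flags, tag, value) as the RDATA fields are defined; flag 128 is the "critical" bit.
ZONE = {
    'example.com': [
        (0, 'issue', 'letsencrypt.org'),
        (0, 'issue', 'digicert.com; account=230123'),   # value carrying a parameter
        (0, 'issuewild', ';'),                            # nobody may issue wildcards
        (0, 'iodef', 'mailto:security@example.com'),
    ],
    'locked.example.com': [(0, 'issue', ';')],            # no CA may issue at all
    'strict.example.com': [(128, 'futuretag', 'x')],      # critical tag this code does not know
}

KNOWN_TAGS = {'issue', 'issuewild', 'iodef'}


def relevant_caa_set(zone, name):
    """RFC 6844 climb: the first CAA RRset found at the name or at any of its ancestors."""
    labels = name.lower().rstrip('.').split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value):
    """'ca.example; k=v' -> 'ca.example'; a bare ';' (or an empty value) means no issuer."""
    return value.split(';', 1)[0].strip().lower()


def may_issue(zone, name, ca, wildcard=False):
    """Return (allowed, reason) for CA `ca` issuing a certificate covering `name`."""
    owner, rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True, 'no CAA records found in the tree, no restriction'
    # An unrecognised property marked critical means the CA must not issue.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, 'unrecognised critical property at %s' % owner
    tags = {tag for _, tag, _ in rrset}
    # A wildcard request uses issuewild when present, otherwise falls back to issue.
    use_tag = 'issuewild' if wildcard and 'issuewild' in tags else 'issue'
    permitted = [issuer_domain(v) for _, tag, v in rrset if tag == use_tag]
    if not permitted:
        return True, 'no %s property at %s, no restriction' % (use_tag, owner)
    if ca.lower() in permitted:
        return True, '%s listed in %s at %s' % (ca, use_tag, owner)
    return False, '%s not listed in %s at %s' % (ca, use_tag, owner)


if __name__ == '__main__':
    for args in (('www.example.com', 'letsencrypt.org'),
                 ('www.example.com', 'globalsign.com'),
                 ('example.com', 'letsencrypt.org', True),
                 ('locked.example.com', 'letsencrypt.org'),
                 ('strict.example.com', 'letsencrypt.org'),
                 ('host.other.test', 'anyone.example')):
        print(args, '->', may_issue(ZONE, *args))
```

To see what a CA will actually find for your own names, query the live records with `dig CAA example.com` and walk up the parents yourself; the inheritance rule means a record on the apex covers every subdomain that has none of its own, and the absence of any record anywhere in the chain is treated as “anyone may issue”.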

Of course, this only helps while an organisation remains in control of its DNS. In an impressive operation, attackers managed to take over a bank’s entire digital footprint, redirecting users and potentially even ATM transactions to their own infrastructure. Since they controlled the actual domain names (and with them any CAA records), they were able to quickly obtain legitimate certificates, making the attack all the more invisible to users. Given the totality of the takeover, the bank could not even send legitimate email to its customers, and had to rely on the registrar returning control. Total duration of the takeover: roughly 5 hours. Registrar-level controls, such as a registry lock and strong authentication on the registrar account, are the defences that matter here.

Vault 7 news continues this week as the “Grasshopper” documents, detailing a framework for building Windows installers laced with malware, were released. The installer performs a number of checks to reduce the likelihood of landing on a system that might detect the payload. Some news stories linking the tools to known intrusions have started to surface.

Coincidentally, the Shadow Brokers are also back, releasing the password to another cache of NSA files.

Threatpost has an interview with the Google Chrome security team, in which they note that many instabilities and security problems are caused by other software on the system, whether OEM-bundled software, a badly behaved certificate authority, or third-party plugins.

We’ve talked about malicious apps before, but did you know that apps can leak information from other apps? Either intentionally or unintentionally, apps are able to access data in use by other apps, allowing a combination of apps to exfiltrate data. The most common case appears to be location data, where a location-aware app makes its data available to other applications.

The newest IoT malware is running around, and this one tries to brick every device it reaches. On the one hand, dead devices mean smaller botnets; on the other, plenty of consumers are going to be surprised when their devices stop working.

Of course, another security researcher found an easy way to gain access to his smart tv.

Running a SIEM to analyze security events? Make sure to lock it down! One security researcher was recently shocked to find SIEM systems exposed with default credentials and hosting a bevy of information about the networks they monitor.

Another security firm has traced attacks back to infected residential routers. The router in question is vulnerable to an attack on a non-standard port, leading the researchers to suggest that ISPs filter attacks of this nature before they reach customers.

An amusing strain of ransomware made the rounds this week, requiring users to achieve a high score in a video game to retrieve their files.

BleepingComputer provides a good ransomware article, showing another open source ransomware project being weaponised, and demonstrating how working examples make life easier for future developers.

Security Roundup - 2017-04-06

LastPass had another issue last week. While that is unfortunate, Troy Hunt goes into why password managers are ultimately still better. Summary: the best password is a long, random one you don’t actually know, rather than a scheme that is easy to remember. XKCD contributes its own set of security tips, likely prompted by the same issue.

I’ve talked about Google’s “Potentially Harmful App” detection before, but this week they go into how they detected one installed on a few dozen devices. Of note, this app was never available in the Play Store.

An IIS 6.0 zero-day has been revealed to have been in use since mid-2016. Unfortunately, while IIS 6.0 reached end of life in mid-2015 along with Windows Server 2003, there are still plenty of installs in the wild: Shodan.io shows ~600K entries in its latest scans. With no official patch coming, the only real fix is to migrate.

Some really fun IoT exploits this week. One involves injecting attack code into the broadcast stream, which lets attackers take over some smart TVs over the air.

Project Zero has published an exploit for certain Broadcom wifi chipsets that allows drive-by takeover of devices over wifi with no user interaction. Patches are already available, but a proper fix in the hardware will take a few months.

Finally, security researchers have taken a look at Samsung’s open source Tizen operating system, used by the company in many of its IoT devices, and found a bevy of security problems.

Threat intelligence researchers have noticed that users are uploading plenty of sensitive documents to malware scanning services, treating them as a free antivirus without considering that the uploaded files become available to other researchers. The researcher in question found a number of interesting files, from private keys to confidential business plans.

A new variant of Mirai has apparently raised its head, having slammed a college network for 52 hours in late February.
