Security Roundup - 2017-04-27

News of DoublePulsar has been making the rounds, with some claims of several hundred thousand systems impacted. Now, it appears that the backdoor can be removed remotely, opening the door to a Robin Hood botnet scrubbing the internet while the infected systems are upgraded.

Despite the measures Google takes to keep malicious apps out of the Play Store, things still get listed. Check Point has pointed out a new botnet they dub FalseGuide, which currently involves 40 known apps and may have been installed on over half a million devices.

Leaked passwords appear to be behind a rash of Amazon third-party reseller account takeovers. The attackers take over an Amazon seller account, update the payment information, and then try to get buyers to purchase goods that will never be shipped.

Microsoft recently stopped supporting Windows 7 and 8 on older hardware architectures, despite offering long-term support. One user in particular was annoyed by this and reverse engineered the latest patches to allow the updates to be applied anyway.

LastPass has been under a lot of security scrutiny lately. The latest was a flaw in their 2FA implementation which could have allowed a user to bypass 2FA altogether. The security researcher who found the flaw has posted a full technical breakdown.

Running an IoT company? Concerned about Security? Hackaday has you covered, taking a year’s worth of information and writing up the things you need to know if you want to avoid IoT security failures.

Cloudflare reports the continued decline of old cipher suites, with both AES-CBC and RSA losing ground to faster and more secure alternatives such as ECDSA.

Some AV-related news this week. First, Trustwave Security points out a vulnerability they discovered and helped Avast fix. Second, the AV provider Webroot experienced a problem earlier this week that caused important Windows files, needed for regular operation, to be quarantined.

Locky, the ransomware, and Necurs, the botnet that distributes it, have recently seen a resurgence. Locky now appears to use a document embedded within a document in order to avoid detection and circumvent protections.

Security Roundup - 2017-04-20

The malware industry starts pointing fingers, with this article from Ars Technica on ‘Lawyers, malware, and money’. In it, a number of malware detection vendors and malware detection benchmarking services largely blame each other for misrepresenting products in demos and sales bake-offs. Some suggest that the benchmarks are not representative of the ‘real world’, others suggest that some people are rigging the game in their favor, and a number of these disputes have apparently devolved into lawsuits or revocation of licenses.

The return of the Shadow Brokers has resulted in another trove of exploits being released; apparently more than 1,000 Windows binaries are part of it. Microsoft indicates that a number of the vulnerabilities have already been fixed. There is plenty of coverage from multiple security sites for those who want to dig in further.

Phishing is temporarily much easier on Chrome and Firefox: Punycode domains (internationalized domain names using non-ASCII characters) apparently render identically to the ASCII domain names they are masquerading as.
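As an added illustration of the problem described above (example code written for this roundup, not from the linked articles or any browser vendor), the Python below decodes the `xn--` labels a browser actually sends, reports labels that mix scripts, and maps look-alike letters onto the Latin letters they resemble so a whole-script Cyrillic name can be compared against a list of domains you care about. The confusables table is a small hand-picked subset of the Unicode confusables data, and the protected-domain list and sample hostnames are constructed for the example.

```python
import unicodedata

# Hand-picked Cyrillic and Greek letters that render like Latin letters. This
# is a small subset of the Unicode confusables data (UTS #39) chosen for this
# example, not the full table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Domains an organisation wants look-alikes reported for (constructed list).
PROTECTED = {"apple.com", "paypal.com"}


def to_ace(unicode_host):
    """Encode a Unicode hostname the way a browser puts it on the wire: xn-- labels."""
    labels = []
    for label in unicode_host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def decode_idn(host):
    """Turn xn-- labels back into the Unicode the address bar would render."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def script_of(ch):
    """Approximate the Unicode Script property from the first word of the
    character name (LATIN, CYRILLIC, GREEK, ...); digits and '-' are neutral."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(text):
    """Replace confusable letters with the Latin letters they resemble
    (a cut-down version of the UTS #39 skeleton transform)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def assess(host, protected=PROTECTED):
    """Return (rendered hostname, list of findings) for one hostname."""
    rendered = decode_idn(host)
    findings = []
    for label in rendered.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
    if rendered != host.lower():  # at least one label was Punycode-encoded
        look = skeleton(rendered)
        if look != rendered and look in protected:
            findings.append(f"renders like protected domain {look!r}")
    return rendered, findings


if __name__ == "__main__":
    # Constructed samples: a whole-script Cyrillic look-alike, a mixed-script
    # look-alike, a legitimate ASCII name and a legitimate non-ASCII IDN.
    for sample in ["аррӏе.com", "раypal.com", "paypal.com", "münchen.de"]:
        wire = to_ace(sample)
        rendered, findings = assess(wire)
        print(wire, "->", rendered, findings or "ok")
```

The whole-script case is the one that defeats the usual mixed-script check, which is why the skeleton comparison is needed in addition to it; the legitimate `münchen.de` sample passes both checks because all its letters are Latin and none is in the confusables table.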

The recent Struts exploit has been fixed, along with 299 other vulnerabilities in various Oracle products. This number of security fixes is a new record for Oracle, beating out the 276 reported in July 2016.

Plenty of Android malware news this week: Sophos points out how Android malware is adopting the emulation-detection techniques desktop malware uses to avoid analysis, and Threatpost goes into how Google is combating malware on Android. That doesn’t stop some malware campaigns from trying their hardest to stay in the app store.

Sucuri has posted March’s Lab Notes. Of interest: Backdoors executed via cookies.

Check Point’s March Malware Most Wanted is out, showing that, after a recent downturn, exploit kits are once more in active use.

In a bout of Robin Hood Hacking, a botnet named Hajime is competing against Mirai. Hajime infects IoT systems and then sets up protections designed to disrupt Mirai.

The FBI was involved in the recent takedown of the Kelihos botnet. Threatpost provides some details on how they were involved, while a MalwareTech researcher provides details on Kelihos from his own research.

Another in-depth look at malware, this time Sathurbot, a strain that initially spreads through malicious torrents and then attempts brute-force attacks on common login portals.

Ransomware as a service hits a new low, with a version called Karmen available for outright purchase for $175.

Another instance of open source malware made the rounds this week. Labelled as a ‘remote administration tool’, which isn’t even a particularly fancy euphemism for remote access trojan, this one uses Telegram as its C&C. BleepingComputer has the details.

Security Roundup - 2017-04-14

Bleeping Computer has a great write-up of the new CAA DNS record, which allows domain owners to specify which certificate providers are allowed to issue certificates for their domains. In a recent vote, the majority of browsers and Certificate Authorities voted to implement this standard by September 8, 2017, setting the expectation that Certificate Authorities will check whether they are allowed to issue a certificate for a domain.
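To make the CA-side check concrete, here is an added example (written for this roundup, not code from the article or from any CA) of the RFC 6844 lookup a CA is expected to perform: walk from the requested name towards the root until a CAA set is found, then decide from the `issue`/`issuewild` values whether this CA is authorized. The zone contents are constructed sample records, and the lookup skips the CNAME/DNAME handling a real resolver would also have to do.

```python
import re

# Constructed zone data, name -> list of CAA RDATA in presentation format.
# Sample records written for this example, not real DNS data.
ZONE = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com; account=1234"',  # parameters after ';' are ignored here
        '0 issuewild ";"',                       # no CA may issue wildcard certificates
        '0 iodef "mailto:security@example.com"',
    ],
    "dev.example.com.": [
        '0 issue "digicert.com"',                # subdomain with its own, narrower policy
    ],
}

CAA_RE = re.compile(r'^(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    return int(m["flags"]), m["tag"].lower(), m["value"]


def find_caa(name, zone):
    """Walk from the name towards the root and return the first CAA set found
    (the RFC 6844 lookup, minus CNAME/DNAME handling)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return [parse_caa(r) for r in zone[candidate]]
    return []


def issuer_domain(value):
    """'letsencrypt.org; account=1234' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca_domain, zone=ZONE):
    """Would a CA identified by ca_domain be allowed to issue for fqdn?"""
    wildcard = fqdn.startswith("*.")
    records = find_caa(fqdn[2:] if wildcard else fqdn, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # A record with the critical bit (128) and a tag the CA does not
    # understand must stop issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # issuewild takes precedence for wildcard names when present
    issuers = {issuer_domain(v) for _, t, v in records if t == tag}
    if not issuers:
        return True  # only iodef-style records present: issuance is not restricted
    return ca_domain.lower() in issuers


if __name__ == "__main__":
    checks = [
        ("www.example.com", "letsencrypt.org"),   # inherited from example.com
        ("www.example.com", "comodoca.com"),      # not listed
        ("*.example.com", "letsencrypt.org"),     # issuewild ";" blocks wildcards
        ("*.dev.example.com", "digicert.com"),    # no issuewild, so issue applies
        ("dev.example.com", "letsencrypt.org"),   # subdomain policy overrides parent
        ("www.unrelated.test", "anyca.example"),  # no CAA at all
    ]
    for name, ca in checks:
        print(f"{ca:>16} -> {name:<22} {'allowed' if may_issue(name, ca) else 'denied'}")
```

Note the two behaviours that most often surprise people when they first publish CAA: a subdomain's own CAA set completely replaces the parent's, and `issuewild ";"` denies wildcard issuance even to the CAs listed in `issue`.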

Of course, this only helps when an organization remains in control of its DNS. In an impressive accomplishment, hackers managed to take over a bank’s entire digital footprint, redirecting users and potentially even ATM transactions to their infrastructure. Since they controlled the actual domain names, they were able to quickly obtain legitimate SSL certificates, making the attack all the harder for users to notice. Given the totality of the takeover, the bank was not even able to send legitimate emails to its customers, and had to rely on the registrar returning control. Total duration of the takeover: ~5 hours.

Vault 7 news continues this week as the “Grasshopper” documents, detailing malware delivered via Windows installers, were released. The installer performed a number of checks to reduce the likelihood of installing on a system that might be able to detect the payload. Some news stories linking the tools to known hacks have started to surface.

Coincidentally, the Shadow Brokers are also back, releasing the password to another cache of NSA files.

Threatpost provides an interview with the Google Chrome security team, in which they mention that a number of instabilities and security problems are due to other third-party software installed on systems, whether that be software bundled by an OEM, a bad Certificate Authority, or third-party plugins.

We’ve talked about malicious apps before, but did you know that apps can leak information from other apps? Either intentionally or unintentionally, apps are able to access data in use by other apps, allowing a combination of apps to exfiltrate data. Most common appears to be location data, where a location-aware app might make that data available to other applications.

The newest IoT malware is running around, and this one tries to brick all the devices it infects. On the one hand, dead devices mean fewer botnets; on the other, plenty of consumers are going to be surprised when their devices stop working.

Of course, another security researcher found an easy way to gain access to his smart TV.

Running a SIEM to analyze security events? Make sure to lock it down! One security researcher was recently shocked to find SIEM systems using default credentials and hosting a bevy of information.

Another security firm has traced attacks back to infected residential routers. The specific router in question is vulnerable to an attack on a non-standard port, prompting the researchers to suggest that ISPs filter out attacks of this nature before they reach their customers.

An amusing strain of ransomware made the rounds this week, requiring users to achieve a high score in a video game to retrieve their files.

BleepingComputer provides a good ransomware article, showing another open source ransomware project being weaponized and demonstrating how working examples make things easier for future malware developers.

Security Roundup - 2017-04-06

LastPass had another issue last week. While this is unfortunate, Troy Hunt goes into why password managers are ultimately better. Summary: the best password is a long one you don’t actually know, rather than one that is easy to remember. XKCD contributes its own set of security tips, likely prompted by this recent issue as well.

I’ve talked about Google’s “Potentially Harmful App” detection before, but this week they go into how they detected one installed on a few dozen devices. Of note, this app was never available in the Play Store.

An IIS 6.0 zero-day has been revealed to have been in use since mid-2016. Unfortunately, while IIS 6.0 reached end of life in mid-2015, there are still plenty of installs in the wild: the latest scans show ~600K entries.

Some really fun IoT exploits this week. One involves injecting attack code into the broadcast stream, which allows attackers to take over some smart TVs.

Project Zero has found a vulnerability in certain Wi-Fi chipsets that allows drive-by takeover of devices over Wi-Fi. Patches are already available, but an overall hardware fix will take a few months.

Finally, security researchers have taken a look at Samsung’s open source Tizen operating system, which the company uses on many IoT devices, and found a bevy of security problems.

Threat intelligence researchers have noticed that users are uploading plenty of sensitive documents to malware scanning services, using them in a sense as antivirus without considering that these files become available to other researchers. The researcher in question found a number of interesting files, from private keys to confidential business plans.

A new version of Mirai has apparently raised its head, having slammed a college network for 52 hours in late February.

Security Roundup - 2017-03-30

Big news this week is Symantec’s mis-issuance of 30K Extended Validation certificates, largely through third parties with privileged access. Extended Validation certificates are intended to require additional validation steps as further proof of ownership, and the lack of those steps undermines their advantage. This isn’t the first time that Symantec has mis-issued certificates, with Google recently requiring Symantec to submit ALL certificates to Certificate Transparency logs for auditing. After the most recent incident, however, Google has declared it will stop treating Symantec Extended Validation certificates as extended validation. Further, Google has suggested plans to stop trusting Symantec as an SSL certificate provider, phasing out support in Chrome to essentially delist said certificates. Symantec has posted a rebuttal, pointing out its use of Certificate Transparency and its championing of Certificate Authority Authorization. Regardless of the outcome, it appears that the end result will be more transparency and security for the internet as a whole.

Let’s Encrypt came under fire this week for actually providing transparency, since that transparency shows it has issued quite a number of SSL certificates which could be used for phishing attacks, including ~15k certificates containing the term ‘Paypal’ this quarter. Let’s Encrypt has maintained since its inception that Certificate Authorities make poor watchdogs, its primary aim being to encrypt all web communications. Bleeping Computer points out that a number of these certificates have been flagged by Safe Browsing, which indicates that other user protections are in play. While on the one hand these certificates are being issued, the fact that they are going through Certificate Transparency and are on the record is at least shedding more light on the issue.

Congress has voted to repeal the FCC privacy rules, but right before that the EFF posted on some of the cybersecurity impacts. Particularly worrying to me is the concept of “Explicit Trusted Proxies”, which are designed to decrypt and inspect SSL communications; as we learned last week, US-CERT has said that this type of traffic interception actually decreases overall security.

In further Vault 7 news, Engadget has a list of tool names and descriptions, as well as an article specifically on OS X exploits. Apple has already said that these exploits are old and have been fixed.

After yet another round of breaches, Troy Hunt has written an article on How To Handle a Breach Disclosure. Using CloudPets as an example, Troy points out that someone noticed their exposed Mongo database and attempted to contact them to remediate before the breach occurred. Troy points out that making it harder for someone to start a dialogue makes it easier for a company to remain unaware of action it needs to take. He goes on to point out that once a breach is known, it is in the company’s best interest to disclose as soon as possible, to allow its users time to protect themselves, pointing to the rampant reuse of user passwords. He references the upcoming General Data Protection Regulation in Europe, where companies will be required to disclose breaches within 72 hours. The entire article is fairly interesting, containing a number of breach disclosure successes, as well as quite a few failures.

Many malware strains are starting to make use of a technique called domain fronting. It works by using a hosting provider essentially as a relay to some other communication channel, such as Tor. The providers used include Amazon and Google’s Appspot, chosen in order to evade blocking and delisting.
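The defining artefact of domain fronting is that the TLS layer names one site (the SNI in the ClientHello, which is what network filters see) while the HTTP request inside names another (the Host header, which is what the provider actually routes on). The following is an added example, not code from the linked article, of the detection a TLS-terminating proxy can run over its own logs: flag any connection whose SNI and Host header belong to different registrable domains. The log format and every hostname in it are constructed for the example, and the registrable-domain logic is a deliberate simplification of what a Public Suffix List lookup would do.

```python
import re

# Constructed log lines from a TLS-terminating proxy that records both the SNI
# seen in the ClientHello and the Host header seen in the decrypted request.
# All hostnames are invented for this example.
SAMPLE_LOG = """\
2017-03-30T10:00:01Z src=10.0.0.5 sni=www.cdn-example.net host=www.cdn-example.net status=200
2017-03-30T10:00:04Z src=10.0.0.5 sni=img.cdn-example.net host=static.cdn-example.net status=200
2017-03-30T10:00:09Z src=10.0.0.7 sni=assets.cdn-example.net host=updates.fronted-example.org status=200
2017-03-30T10:00:12Z src=10.0.0.9 sni=- host=plain.example.org:8080 status=200
2017-03-30T10:00:15Z src=10.0.0.7 sni=assets.cdn-example.net host=updates.fronted-example.org status=200
"""

FIELD_RE = re.compile(r"\bsni=(?P<sni>\S+)\s+host=(?P<host>\S+)")


def registrable_domain(name):
    """Crude eTLD+1: the last two labels, with any :port removed. A real
    deployment would use the Public Suffix List so that names under
    'co.uk'-style suffixes compare correctly."""
    labels = name.lower().split(":")[0].rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_fronting(log_text):
    """Return sorted (sni, host, count) triples for every SNI/Host pair whose
    registrable domains differ, i.e. TLS named one site and HTTP asked for another."""
    counts = {}
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m or m["sni"] == "-":  # no SNI sent: nothing to compare against
            continue
        sni, host = m["sni"], m["host"]
        if registrable_domain(sni) != registrable_domain(host):
            counts[(sni, host)] = counts.get((sni, host), 0) + 1
    return sorted((s, h, n) for (s, h), n in counts.items())


if __name__ == "__main__":
    for sni, host, n in find_fronting(SAMPLE_LOG):
        print(f"SNI {sni} but Host {host}: {n} request(s)")
```

Treat a hit as a lead to triage rather than proof: some CDN customers legitimately share edge hostnames, so the mismatch is most useful when combined with the destination provider and the volume and regularity of the traffic. It also only works where the proxy actually terminates TLS; on the wire, the Host header is inside the encrypted payload, which is exactly why the technique evades blocking.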

For those that enjoy reading up on malware detection evasion, Talos Intel shares some recent obfuscation methods used by LokiBot.

Talos also details an NTP vulnerability they discovered as part of Cisco’s effort to test NTP implementations for security flaws.

Finally, BleepingComputer talks about GiftGhostBot, a botnet devoted to brute forcing gift card APIs to discover gift cards with usable funds. This botnet is apparently hitting some eCommerce sites with an average of 1.7 million requests per hour.
