Security Roundup - 2017-02-02


Think last year was a bad year for modems? A security researcher from Trustwave Security details how he found a bug in his router that impacted 31 different Netgear routers overall. Sadly, part of his research involved finding two publicly disclosed exploits for similar flaws in 2014 and expanding on that work. Netgear responded to this responsible disclosure and has issued patches for the affected devices.

Trustwave Security also increased my knowledge about SVG this week with their article on how SVG can actually contain JavaScript and be used to execute remote payloads as a result.

In more device security news, Threatpost reports on a printer flaw that allows an attacker to extract information, including documents and credentials, remotely. They achieved this using a combination of “Cross Site Printing” and CORS spoofing to make a user’s browser act as a relay to exfiltrate data.

Akamai has been doing research into credential abuse, specifically scenarios where a botnet is working to avoid standard security controls. In these scenarios an individual website is unlikely to detect this behavior, since volumes are low and attempts are spread out across IPs, accounts and time. However, when viewing traffic in aggregate across a number of sites they are protecting, Akamai was able to identify a number of sources and targets, detecting these attacks more readily than single-site observation would.
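The difference between single-site and aggregate visibility can be shown with a small detector. This is an added example, not Akamai's method or code: the events are constructed, and the thresholds and function names are assumptions chosen for illustration.

```python
from collections import defaultdict


def build_events():
    """Constructed failed-login events as (site, source_ip, account)."""
    events = []
    # One source tries 2 accounts on each of 6 sites: low volume everywhere.
    for s in range(6):
        for a in range(2):
            events.append((f"site{s}.example", "203.0.113.7", f"user{s}{a}"))
    # A legitimate user mistypes a password three times on one site.
    events += [("site0.example", "198.51.100.20", "alice")] * 3
    return events


def per_site_alerts(events, threshold=5):
    """What a single site sees: (site, ip) pairs at or above its own threshold."""
    counts = defaultdict(int)
    for site, ip, _account in events:
        counts[(site, ip)] += 1
    return {key for key, n in counts.items() if n >= threshold}


def aggregate_alerts(events, min_sites=4, min_accounts=8):
    """Cross-site view: sources touching many sites and many distinct accounts."""
    sites, accounts = defaultdict(set), defaultdict(set)
    for site, ip, account in events:
        sites[ip].add(site)
        accounts[ip].add(account)
    return {
        ip for ip in sites
        if len(sites[ip]) >= min_sites and len(accounts[ip]) >= min_accounts
    }


if __name__ == "__main__":
    events = build_events()
    print("per-site alerts:", per_site_alerts(events))    # nothing crosses 5
    print("aggregate alerts:", aggregate_alerts(events))  # the spread-out source
```

Counting distinct sites and accounts per source, rather than raw failures, is what keeps the mistyping user out of the aggregate result.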

LeakedSource, a website that obtained breach data and sold it openly, was taken down this week. Troy Hunt, owner of HaveIBeenPwned, provides his thoughts on the service and the takedown. In his article, Troy is critical of the LeakedSource model where anyone could pay and get personal details from leaks. He points out a number of instances where this information has clearly been used maliciously (such as OurMine-style account takeovers), and suggests that LeakedSource was also incentivizing attackers to find and turn up more data.

Google has just announced that they will now operate their own Root Certificate Authority, as well as acquiring two existing root CAs from GlobalSign. Among other things, this will allow Google tighter control over who can generate ‘official’ Google certificates, as their products could check the entire certificate chain, rather than just trusting existing root CAs. With CAs like StartCom issuing rogue certificates, and even well-known CAs like Symantec and GlobalSign having issues with certificates in the last year, it is understandable that a company like Google has shifted towards wanting more control over the security of all their properties.

Ars has an interesting article suggesting that antivirus is making it harder to secure the browser. In it, several browser engineers point out where security protections have been delayed or have had problems due to antivirus hooking into, and in some cases disabling, functionality. An additional observation, supported by a number of vulnerabilities last year, is that adding antivirus provides a larger attack surface.

In ransomware, BleepingComputer provides two terrible infection stories. In one, a police department lost up to 8 years of digital evidence, with some data having backups but recent data likely not. The second was for a hotel where the infected computer was also used to provision key cards for electronic locks. Since this only impacted the generation of the key, no customers were actually impacted.

Want to learn more about the new Locky Bart versions? Malwarebytes does an in-depth analysis of the inner operations.

Talos Intel recently analyzed a malicious attachment apparently aimed at some government officials. They go into detail on the several layers of complexity the payload goes through in order to execute (a doc file with Flash that executes ActionScript), as well as some methods it used to avoid casual analysis.

For further in-depth malware analysis, Talos also dissects EyePyramid, a malware sample that had remained undetected for a few years.


Security Roundup - 2017-01-26


Some missed news from last month: an incident response worker did a 2016 review on learning from security breaches. Some high level lessons:

  • Centralized logging makes problems much easier to track down.
  • Root causes might not be found.
  • If you rely heavily on third party technology, evaluate it for risk.
  • Most organizations he visited did not have a good secrets management solution.
  • Companies with higher tech debt also correlate with companies with high security debt.

The EFF put out an update on the Technical Developments in Cryptography, covering backdoored crypto, the finalization of TLS 1.3, a review of crypto attacks in 2016, as well as the strengthening of HTTPS.

Symantec-owned certificate authorities have been found to have violated SSL Certificate issuing guidelines for 108 certificates. 9 of these certificates were issued to people that were not controllers of the domains in question. Many of these appear to be ‘test’ certificates and were promptly revoked, but could still have been used for malicious behavior, especially as browsers are generally not able to deal with issuance and revocation of certificates in real time. These violations were apparently only discovered via Google’s Certificate Transparency project.

Hack The Army started up at the end of last year, and TechCrunch provides a story of some of the initial results.

Use Cisco WebEx? You might want to check that the extension is up to date, since older versions contain a remote execution vulnerability, allowing for computers to be taken over just by browsing a specially crafted page. Sophos gives you a breakdown.

Engineers at recently built a tool to find secrets in Android apps. After analyzing 16K applications, they decided to write up some findings. Unsurprisingly, quite a few applications had hard-coded some sort of API token in the application. has released an updated Heartbleed report, indicating that 200K servers are still susceptible to CVE-2014-0160 (yes, Heartbleed is now 2 years old).

BleepingComputer reports on a banking ransomware that had its source code leaked. Initial investigation seems to indicate it has already been modified into a banking trojan.

Speaking of modified versions, Checkpoint Security warns of a new version of HummingBad, called HummingWhale. They have already contacted Google to take down a number of apps, and share their overall findings.

Finally, BleepingComputer details how members of the MalwareHuntingTeam are being harassed on VirusTotal, presumably by malware authors that MalwareHuntingTeam has exposed.


Security Roundup - 2017-01-18


Google has announced their intent to start recording ‘Key Transparency’. It is a key verification idea similar to Keybase, while also preserving the privacy of the user. A writeup of the idea is available on GitHub.

Mobile malware is a large problem, with the likes of Gooligan and Hummingbad making the rounds. Google has written an article on a technique they use to detect apps with this kind of malware, using a combination of their Potentially Harmful Apps (PHA) detection and monitoring for devices that stop checking for these PHAs. Cross-referencing downloaded apps with devices that stop reporting makes it possible to detect which apps are potentially performing malicious behavior and automatically flag them for review.
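The cross-referencing step can be sketched as a per-app retention comparison. This is an added example, not Google's implementation: the device data is constructed, and the margin, minimum-install cutoff and function names are assumptions.

```python
from collections import defaultdict


def build_devices():
    """Constructed sample: device id -> (installed apps, still running PHA checks?)."""
    devices = {}
    for n in range(10):
        apps = {"mail"}
        if n < 5:
            apps.add("flashlight")
        if n in (5, 6):
            apps.add("game")
        if n == 0:
            apps.add("rare")
        devices[f"d{n}"] = (apps, n >= 4)  # d0-d3 have stopped checking in
    return devices


def retention_by_app(devices):
    """Return app -> (installs, installs on devices that still check in)."""
    stats = defaultdict(lambda: [0, 0])
    for apps, alive in devices.values():
        for app in apps:
            stats[app][0] += 1
            stats[app][1] += int(alive)
    return {app: tuple(pair) for app, pair in stats.items()}


def flag_apps(devices, margin=0.3, min_installs=5):
    """Flag apps whose device retention is well below the fleet-wide baseline."""
    baseline = sum(alive for _apps, alive in devices.values()) / len(devices)
    flagged = []
    for app, (installs, retained) in retention_by_app(devices).items():
        # Skip apps with too few installs to say anything meaningful.
        if installs >= min_installs and retained / installs < baseline - margin:
            flagged.append(app)
    return sorted(flagged)


if __name__ == "__main__":
    devices = build_devices()
    for app, (installs, retained) in sorted(retention_by_app(devices).items()):
        print(f"{app}: {retained}/{installs} devices still checking in")
    print("flag for review:", flag_apps(devices))
```

The minimum-install cutoff matters: "rare" has zero retention but only one install, so it is not flagged on that evidence alone.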

Brian Krebs has been investigating the person behind the Mirai Botnet and believes he has figured out the real-world identity of the person responsible. Note: this is a long read, going over his entire investigation. It is a really interesting read on the entire DDoS ecosystem.

With last week’s MongoDB landgrab reaching the end, it looks like attackers have shifted towards publicly accessible ElasticSearch clusters. Duo Security also points out that this shouldn’t be a surprise, given that the amount of exposed data has been reported multiple times over the course of the last two years. Plenty of other datastores are still exposed, and Redis was already a victim last year. What’s next after ElasticSearch? BinaryEdge gives us a brief history of DB ransomware and says there are early signs that Hadoop is the next target. BleepingComputer points out some vandalized Hadoop servers as well as some CouchDB servers with ransom notes already.

Threatpost has a story on the Carbanak malware family, which is apparently using Google Sheets as a C&C mechanism, having nodes update sheets to exfiltrate data, and read sheets to accept new commands. This joins Telecrypt as another malware strain that leverages 3rd party services rather than managing its own C&C nodes.

ShmooCon has wrapped up, with some interesting news coming out of it. Did you know that squirrels cause more infrastructure outages than cyberattacks? Apparently some cyberattacks are actually mis-attributed animal outages.

SHA-1 certificates should be on their way out this year, as browsers are poised to point out certificates that are not on SHA-2. In the Alexa top million, apparently only 536 sites do not offer SHA-2 at this time. Caught in the crossfire are all those devices that are hard to upgrade but use SSL certificates, such as routers and PoS/banking systems.

Sucuri has a roundup of their December Lab Notes, which detail a number of CMS related security problems.

Checkpoint has released their Malware Most Wanted update, and there is a lot of movement on the board. Conficker is still at the top, and overall malware attacks were down over the holidays.

In other ransomware news, one of the C&C servers for Cerber was recently compromised by security researchers. They observed 700 downloads of Cerber during their observation window, which they extrapolated to 8400 downloads per day.

Also, Endgame Security provides an in-depth analysis of a ransomware strain for the latest Flare On Challenge.


Security Roundup - 2017-01-12


Bruce Schneier writes a thoughtful article on Class Breaks, where a security vulnerability doesn’t just impact one system but an entire class of systems. He feels this concept should be thought about more, as we move to a more connected world. The IoT ecosystem has shown plenty of ‘class breaks’, where one vulnerability means that a large number of systems are impacted. As we automate more technology, building security in and planning for eventual class breaks will be important, as 2016’s IoT news has demonstrated.

Krebs on Security has a detailed article on problems with cardless ATMs. In this story, an attacker was able to add another number to someone’s account, and then use a cardless ATM strategy that Chase was testing to withdraw cash. This attack was made easier, since by default the transaction lacked 2FA (for which a bank card counts).

The above article led me to Two Factor Auth, a database of all the services that allow users to enable 2FA.

Do you use autofill on web forms? You may be giving away more information than you can see, since these features can also fill in hidden fields.

Troy Hunt wrote up an interesting story where he walks us through the process of data getting into HaveIBeenPwned (note, this uses an adult site as an example).

Kaspersky Labs discovered a C&C server that was also used as a shopping portal to sell the data. The downside is that the shopping portion had a security vulnerability that allowed a malicious user to make off with the already stolen data.

Threatpost reports that hackers are specifically targeting Mongo databases, deleting records and leaving a ransom note for users who want their data back. It looks like there are potentially multiple attackers doing this, and they are overwriting each other’s ransom notes in an attempt to get the payout. This decreases the likelihood of victims ever getting their data back. BleepingComputer contacted one hacker, who mentioned that his process is completely automated, and that he is motivated by the idea that owners of these systems ‘have to learn a lesson’. They have been following the news pretty closely, and at time of writing ~21K MongoDB instances have been hit, and one of the major players has offered up their script for sale to anyone who wants to fight over the remains.

BleepingComputer also reports on Spora, a very sophisticated ransomware strain. Spora works offline, and the encryption looks to be based on random keys created and then secured by public key encryption, requiring the keys to be manually sent in to attackers to potentially decrypt.


Security Roundup - 2017-01-05


33c3 happened at the end of the year and videos are already up. Writers for Hackaday attended and did a number of writeups.

At the same time, the FDA announced guidance on managing medical devices in a cybersecurity world. The suggestions include ‘having a way to monitor devices for vulnerabilities’, which seems in and of itself a potential exploit vector? I am sure 2017 will have more news on this topic.

Filippo Valsorda, currently on the Cloudflare Security Team, published an op-ed on “Why he is giving up on PGP”. Major difficulties include ease of use, lack of trust that it is working ‘correctly’, and suspicion of use of long-term keys. This was followed by a rebuttal by Neal Walfield, an engineer who works on GnuPG, who points out a number of ways to mitigate Filippo’s problems, and some future proposals that might increase usability.

Slate has a good history lesson on the 2011 DigiNotar breach, and how TLS security has changed in the last several years as a result. Changes include minimum security requirement approvals for cert providers issued by the Certificate Authority Security Council, Google’s Certificate Transparency program, browsers being more willing to de-list bad actors, and more.

Troy Hunt did an ‘Ask Me Anything’ for HaveIBeenPwned’s 3rd Birthday at the start of December, and recently published the video online. He also has an article around how responsible disclosure of account breaches should happen, using the recent Ethereum forum breach as an example.

A year-in-review of CVEs in 2016 gives some interesting data points. Android OS had the most reported security vulnerabilities for a single product this year, while Oracle has the most CVEs for an individual vendor.

Talos Security goes in depth on hailstorm spam, where spammers launch an email campaign so quickly that traditional detection methods only kick in after the campaign is finished. They go on to describe research into detecting these types of campaigns more quickly, by monitoring DNS traffic.

Google announced Project Wycheproof, a collection of unit tests designed to expose weaknesses in implementations of several cryptographic algorithms. To date, they have uncovered 40 security bugs, which they are working with vendors to fix.

Similarly, Duo Labs has released a tool to do fuzz testing for Microsoft Edge and HTTP/2.

More and more malware kits appear to be turning to steganography to deliver payloads and instructions via image files. This includes the DNSChanger exploit, which attempts to use the victim’s browser to identify and compromise their own router. The attacker then tries to expose the router to the internet (to allow further control/compromise) and can also manipulate the user’s traffic. A similar concept has also been found on Android, with the Switcher Malware trojan.

MalwareTech wrote up a great article on how Open Source Malware hurts the industry. Arguments include: lowering the bar of entry to those with limited technical experience, faster evolution, and an increase in overall volume of ransomware. Other interesting observations: they point out that ransomware just does a user operation - encrypting files. This makes detection perhaps a bit harder, if antivirus is trying to distinguish between ‘good’ and ‘malicious’ encryption. Open Source Ransomware is typically being written in languages that malicious users are not actually writing malware in, thus not benefitting a lot in terms of evolving analysis.

Check Point joined the “No More Ransomware” project, and promptly identified two new ransomware variants and built decryptors.

Cerber did an update over the holidays on what files it does and does not target, primarily targeting Microsoft Office documents, as well as potential bitcoin locations.