Security Roundup - 2017-09-22


CCleaner malware carried out targeted attacks. CCleaner made the rounds this week, when a backdoor was discovered in official, signed releases from Piriform (owned by Avast). Further investigation has indicated that this backdoor was used in a targeted fashion against specific companies, including Cisco, Intel, Akamai and Microsoft: the first stage phoned home from every infected machine, but a second-stage payload was only delivered to a short list of corporate domains. In total, the backdoored build was live for 31 days, and the command-and-control server logged about 700K infected machines in just 4 of those days.

AI improves upon password guessing techniques. Until now, “smart” password guessing relied on permutations of supplied data (dictionaries plus mangling rules) and knowledge of common password-choosing habits. However, thanks to the numerous breaches and the resulting disclosure of hundreds of millions of real passwords, there is now enough data to train learning algorithms to guess passwords: by using known passwords, we can more accurately predict unknown ones, and the researchers report that combining the trained model with traditional cracking tools found passwords the tools alone missed. This is yet another case for password managers, and for letting them generate long, random passwords for you, for every single login: a model trained on human choices has nothing to learn from a uniformly random string.
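To make the mechanism concrete, here is an added example (not the researchers' neural-network model and not code from the article): a character-level Markov model trained on a small, constructed list of "leaked" passwords, which then scores candidate passwords and generates guesses. The training list and the candidate passwords are constructed for the illustration; a real model would be trained on a breach dump.

```python
"""Character-level Markov model trained on a list of leaked passwords and used to
score and generate guesses.  Added example (not the researchers' GAN and not code
from the article): it shows the mechanism, learn from known passwords to rate
unknown ones, in its simplest statistical form.  The training list is constructed
here; a real model would be trained on a breach dump."""
import math
import random
import secrets
import string
from collections import Counter, defaultdict

START, END = "\x02", "\x03"  # sentinels marking the start and end of a password

# Constructed stand-in for a breach dump (assumption: real dumps hold millions of
# entries, but these are the patterns that dominate them).
LEAKED = [
    "password", "password1", "Password1", "letmein", "letmein1", "summer2017",
    "Summer2017", "welcome1", "Welcome1", "qwerty123", "iloveyou", "monkey1",
    "football", "football1", "dragon123", "baseball", "princess1", "sunshine1",
    "Summer17", "Winter2017", "admin123", "changeme", "Passw0rd", "passw0rd1",
]


class MarkovGuesser:
    """Order-n Markov chain over characters: P(next char | previous n chars)."""

    def __init__(self, order=2):
        self.order = order
        self.counts = defaultdict(Counter)   # context -> Counter of next chars
        self.alphabet = set()

    def train(self, passwords):
        for pw in passwords:
            seq = START * self.order + pw + END
            for i in range(self.order, len(seq)):
                self.counts[seq[i - self.order:i]][seq[i]] += 1
        self.alphabet = {c for ctr in self.counts.values() for c in ctr}

    def _prob(self, ctx, nxt):
        ctr = self.counts.get(ctx, Counter())
        # add-one smoothing: transitions never seen in training are unlikely, not impossible
        return (ctr[nxt] + 1) / (sum(ctr.values()) + len(self.alphabet) + 1)

    def log_prob(self, pw):
        """log10 of the probability the model assigns to pw; higher means an easier guess."""
        seq = START * self.order + pw + END
        return sum(math.log10(self._prob(seq[i - self.order:i], seq[i]))
                   for i in range(self.order, len(seq)))

    def generate(self, rng, max_len=24):
        """Sample one candidate password by walking the chain from the start sentinel."""
        ctx, out = START * self.order, []
        while len(out) < max_len:
            ctr = self.counts.get(ctx)
            if not ctr:
                break
            chars, weights = zip(*ctr.items())
            nxt = rng.choices(chars, weights)[0]
            if nxt == END:
                break
            out.append(nxt)
            ctx = (ctx + nxt)[-self.order:]
        return "".join(out)


def build_model(corpus=LEAKED, order=2):
    model = MarkovGuesser(order)
    model.train(corpus)
    return model


def rank_guesses(model, candidates):
    """Most-likely-first: the order in which a cracker would try these."""
    return sorted(candidates, key=model.log_prob, reverse=True)


def sample_guesses(model, seed, n):
    rng = random.Random(seed)
    return [model.generate(rng) for _ in range(n)]


def random_password(length=20):
    """What a password manager should give you: uniform over a 94-symbol alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    model = build_model()
    print("model-generated guesses:", sample_guesses(model, 7, 5))
    for pw in ["Summer2018", "Welcome2", random_password()]:
        print(f"{pw!r:>26}  log10 P = {model.log_prob(pw):6.1f}")
```

"Summer2018" never appears in the training list, yet the model rates it orders of magnitude more likely than a 20-character random string, which is the whole point: the guesser learns the habits, not the passwords, and the manager-generated string has no habits to learn.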

iTerm accidentally discloses passwords. iTerm2 was making DNS requests on your behalf: for the text under the mouse pointer while the Command key was held, it asked your DNS provider whether that text resolved, so that the UI could turn resolvable names blue and make them clickable. The catch is that the text under the pointer can just as easily be a password or an API key that was pasted or echoed into the terminal, and that string then leaves the machine as a DNS query, in the clear, to your resolver and anything upstream of it. We tried this out by holding the Command key while hovering over this fabricated domain name:

iTerm Input

Here is the response: the domain wasn’t found, so the UI does not highlight the domain name:

iTerm Request

This issue was fixed tremendously fast by the developer (the lookups are now off by default), and you can see the timeline here.

iTerm Response
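If you run your own resolver, the question is whether any such lookups already happened. The following is an added example, not code from the article or from the iTerm2 project: it scans resolver query-log lines for names that look like leaked text rather than hostnames (known credential shapes, bare words with no dot, high-entropy strings). The log excerpt is constructed in dnsmasq's `query[TYPE] name from client` format, and the thresholds and patterns are assumptions to tune for your environment.

```python
"""Scan a resolver's query log for lookups that look like leaked secrets rather
than hostnames.  Added example, not from the article or the iTerm2 project: the
log lines are constructed in dnsmasq's 'query[TYPE] name from client' format,
and the thresholds and patterns are assumptions to tune for your environment."""
import math
import re
from collections import Counter

# Constructed log excerpt: ordinary lookups, three strings that were never meant
# to be hostnames, and a couple of benign single-label names.
SAMPLE_LOG = """\
Sep 19 10:21:03 dnsmasq[812]: query[A] github.com from 10.0.0.5
Sep 19 10:21:03 dnsmasq[812]: query[AAAA] github.com from 10.0.0.5
Sep 19 10:21:09 dnsmasq[812]: query[A] AKIAIOSFODNN7EXAMPLE from 10.0.0.5
Sep 19 10:21:09 dnsmasq[812]: query[A] Tr0ub4dor-and-3-Horses from 10.0.0.5
Sep 19 10:21:11 dnsmasq[812]: query[A] 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b from 10.0.0.5
Sep 19 10:21:15 dnsmasq[812]: query[A] localhost from 10.0.0.5
Sep 19 10:21:20 dnsmasq[812]: query[A] api.example.com from 10.0.0.5
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")

# Shapes of well-known credential formats (AWS access key IDs, long hex tokens).
KEY_PATTERNS = {
    "aws-access-key-id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "hex-token": re.compile(r"^[0-9a-f]{32,}$", re.IGNORECASE),
}


def shannon_entropy(s):
    """Bits per character; hostnames sit around 3, random tokens closer to 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_reasons(name, bare_min_len=12, entropy_min=3.5, entropy_min_len=16):
    """Reasons a queried name looks like leaked text, or [] if it looks like a hostname."""
    reasons = [label for label, pat in KEY_PATTERNS.items() if pat.match(name)]
    if "." not in name and len(name) >= bare_min_len:
        reasons.append("bare word, not a hostname")      # hovered text rarely has a dot
    if len(name) >= entropy_min_len and shannon_entropy(name) >= entropy_min:
        reasons.append(f"high entropy ({shannon_entropy(name):.2f} bits/char)")
    return reasons


def find_leaks(log_text):
    """Parse query-log lines and return the ones whose name looks like leaked text."""
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        reasons = suspicious_reasons(m["name"])
        if reasons:
            findings.append({"name": m["name"], "src": m["src"],
                             "qtype": m["qtype"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG):
        print(f"{f['src']} looked up {f['name']!r}: {', '.join(f['reasons'])}")
```

Anything this flags has already left the machine, so the follow-up is rotation of the matching secret, not just a terminal upgrade; and the same heuristics apply to any upstream resolver logs you can get hold of, since the query was visible there too.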

International Organization for Standardization rejects NSA encryption algorithms. In the wake of the Snowden leaks, and the exposure of the NSA’s efforts to push standards it could break (most notably the Dual_EC_DRBG random number generator), the International Organization for Standardization (ISO) has rejected two lightweight block ciphers proposed by the NSA: SIMON and SPECK. The general sentiment among delegates was that the NSA is in the business of undermining standards, while ISO members are in the business of securing them; the NSA’s reluctance to provide design rationale and full cryptanalysis for the ciphers did not help its case.

SEC attempts to bury breach disclosure amid 4K-word statement. In Section II, second paragraph of this post, the SEC admits that its EDGAR filing system was breached in 2016; the statement then rambles on about many other things, as if to soften the fact that non-public filings had been accessed and that trades were probably made on that information before it became public.

Sparkfun analyzes credit card skimmers. We’ve covered credit card skimmers in the past, most recently ones at the gas pump. Sparkfun goes over some recent skimmers they helped law enforcement evaluate, as well as an app they designed that pretty much anyone can use to detect them: the skimmers they examined talk to the criminal’s phone over a Bluetooth serial module left at its default name and PIN, which is exactly what the app looks for.

Ichidan is a Shodan-like search engine for the dark web. Recently, a Bleeping Computer staff member came across a dark web portal called Ichidan, which searches Tor onion sites much as Shodan searches for exposed internet-connected devices. A researcher contacted by Bleeping Computer said the search engine is quite useful, and allowed him to discover security issues with a dark web service in a matter of minutes. He also noted that it is useful when tracking cyber-criminals, but less welcome when you are a legitimate user just trying to stay anonymous: a hidden service that exposes server headers, directory listings or admin panels is now one query away. Ichidan isn’t the only way to discover such data, but it is more convenient than cumbersome command-line tools. Also of note is the ease with which Ichidan allowed the researchers to confirm a previous finding that the dark web has shrunk by about 85% in the last year, from roughly 30,000 sites down to around 5,000.


Security Roundup - 2017-09-15


FaceID and a Calculable Risk. Troy Hunt dives into an in-depth analysis of the new FaceID technology and the numbers Apple presented (a 1 in 1,000,000 chance that a random person can unlock your phone, versus 1 in 50,000 for TouchID). This mostly distills down to trust in the people around you, since the likelihood of a random stranger being able to unlock your phone is very, very low. My primary concern, which the article doesn’t address, is the fuzzy matching inside the system that accepts a lesser match in the name of usability: every tolerance added for hats, glasses and beards is a tolerance an impostor can hide in.

More insecure D-Link Routers. Another month, another router with critical vulnerabilities. This month it is a D-Link model with a number of remotely exploitable vulnerabilities, of which ~100K units appear to be exposed on the internet.

Critical Bluetooth vulnerabilities impact billions of devices. Even more critical than exploitable routers is a recent set of vulnerabilities in the Bluetooth stacks of Android, Linux, Windows and iOS. Dubbed “BlueBorne”, this group of 8 vulnerabilities allows a variety of attacks, from remote code execution to man-in-the-middle, without the target device being paired with the attacker or even discoverable: it only needs Bluetooth switched on. Because an infected device can in turn attack its neighbours, researchers believe this could lead to a wormable exploit, and they estimate that up to 5.3 billion of the roughly 8.2 billion Bluetooth devices in use are vulnerable. For Android users, the researchers’ app not only checks whether your device is impacted, but also scans for impacted devices around you.

ShadowBrokers return. The Shadow Brokers have returned, leaking the manual for UNITEDRAKE, a modular trojan platform developed by the NSA to infect Windows machines with one or more payloads. They have also announced that they will be providing exploits twice a month to paying subscribers, so the UNITEDRAKE manual was presumably released as a sort of marketing teaser for the subscription.

Sophos Catches Kedi The Rat. Sophos writes up a breakdown of a new RAT found in the wild, dubbed Kedi. Kedi is fairly sophisticated, posing as a legitimate Citrix update to hide its intentions. Of further interest is that one of its capabilities is using Gmail as a channel to receive instructions and exfiltrate data; since that traffic is ordinary TLS to Google, it is harder to block, or to spot by destination alone.

To infect a CMS. What is a great way to infect a CMS with malware? Store it in the database! Sucuri writes about infections they have seen where out-of-date themes and maintenance tools were exploited to write malicious data into the database, potentially infecting multiple pages at once and making cleanup difficult. In particular, WordPress stores many options and widget settings as PHP-serialized content, which carries explicit string lengths; a naive find-and-replace that changes those lengths corrupts the record and can break the site, so remediation carries its own risk unless the data is unserialized, cleaned and re-serialized.
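The serialization pitfall is easy to demonstrate. The following is an added example, not code from Sucuri or from WordPress: a minimal reader and writer for PHP's `serialize()` format, a constructed `widget_text` option with a script tag injected into one widget, the naive raw-column search-and-replace that leaves the stored length prefix wrong, and the parse/scrub/re-serialize approach that keeps the record valid.

```python
"""Cleaning injected content out of PHP-serialized WordPress option data without
corrupting it.  Added example, not code from Sucuri or WordPress: a minimal
reader/writer for PHP's serialize() format (strings, ints, bools, null, arrays),
a naive search-and-replace that breaks it, and the parse/scrub/re-serialize
approach that does not.  The option blob and injected tag are constructed."""
import re


class PhpSerializeError(ValueError):
    pass


def loads(data: bytes):
    """Parse PHP serialize() output, raising on any length that does not match the data."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise PhpSerializeError(f"trailing data at offset {end}")
    return value


def _parse(d, i):
    t = d[i:i + 1]
    if t == b"N":                                    # N;
        return None, i + 2
    if t in (b"i", b"b"):                            # i:42;  b:1;
        end = d.index(b";", i)
        n = int(d[i + 2:end])
        return (bool(n) if t == b"b" else n), end + 1
    if t == b"s":                                    # s:<bytelen>:"<bytes>";
        colon = d.index(b":", i + 2)
        n, start = int(d[i + 2:colon]), colon + 2
        body = d[start:start + n]
        if d[colon + 1:colon + 2] != b'"' or len(body) != n or d[start + n:start + n + 2] != b'";':
            raise PhpSerializeError(f"string length {n} does not match data at offset {i}")
        return body.decode("utf-8"), start + n + 2
    if t == b"a":                                    # a:<count>:{<key><value>...}
        colon = d.index(b":", i + 2)
        count, pos, out = int(d[i + 2:colon]), colon + 2, {}
        if d[colon + 1:colon + 2] != b"{":
            raise PhpSerializeError(f"bad array header at offset {i}")
        for _ in range(count):
            key, pos = _parse(d, pos)
            out[key], pos = _parse(d, pos)
        if d[pos:pos + 1] != b"}":
            raise PhpSerializeError(f"unterminated array at offset {i}")
        return out, pos + 1
    raise PhpSerializeError(f"unsupported type {t!r} at offset {i}")


def dumps(value) -> bytes:
    """Serialize back to PHP format; string lengths are byte lengths, as PHP counts them."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        items = b"".join(dumps(k) + dumps(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), items)
    raise TypeError(f"cannot serialize {type(value).__name__}")


SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def scrub(value):
    """Walk the parsed structure and strip script tags from every string in it."""
    if isinstance(value, str):
        return SCRIPT_RE.sub("", value)
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()}
    return value


INJECTED = '<script src="http://bad.example/x.js"></script>'
# Constructed widget_text option as WordPress stores it, with the injection appended to one widget.
INFECTED_OPTION = dumps({
    2: {"title": "Links", "text": "Useful links below." + INJECTED, "filter": False},
    "_multiwidget": 1,
})


def naive_clean(blob: bytes, needle: str) -> bytes:
    """The tempting fix: search-and-replace on the raw column value (lengths no longer match)."""
    return blob.replace(needle.encode("utf-8"), b"")


def safe_clean(blob: bytes) -> bytes:
    """Parse, scrub and re-serialize so every length prefix is recomputed."""
    return dumps(scrub(loads(blob)))


def is_valid(blob: bytes) -> bool:
    try:
        loads(blob)
        return True
    except ValueError:          # PhpSerializeError, or index errors from truncated data
        return False


if __name__ == "__main__":
    print("infected option parses:", is_valid(INFECTED_OPTION))
    print("after naive replace parses:", is_valid(naive_clean(INFECTED_OPTION, INJECTED)))
    print("after safe clean parses:", is_valid(safe_clean(INFECTED_OPTION)), safe_clean(INFECTED_OPTION))
```

WordPress itself silently falls back to a default when `unserialize()` fails on an option, which is why a naive `UPDATE ... REPLACE(...)` on `wp_options` tends to produce vanished widgets and blank settings pages rather than an obvious error; the length check in `_parse` is the same one PHP performs.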

Bashware bypasses security solutions. Microsoft has been rolling out the Windows Subsystem for Linux on Windows 10, and security researchers at Check Point have now shown that existing endpoint security products do not monitor the Linux processes it runs, allowing an attacker to load malware through WSL (silently enabling the feature first, if needed) and bypass anti-virus protections. Until vendors add coverage for these processes, an unexpected WSL enablement on a workstation is worth treating as an alert in its own right.

POS Malware hosted in ElasticSearch with skipped security configurations. The ability to skip security configuration on AWS-hosted ElasticSearch means that people skip it, and an ElasticSearch node with no authentication on a public IP is readable and writable by anyone who finds it. This recently resulted in several thousand such clusters becoming the home of point-of-sale malware command-and-control servers. This is another case of security taking a back seat to convenience: when you skip the security configuration, you invite malware to take up residence.


Security Roundup - 2017-09-09


Forms over HTTP to be considered insecure. Reminder that Google is planning to show pages as insecure if they contain forms that are filled in or posted over HTTP rather than HTTPS: starting with Chrome 62, the address bar shows “Not secure” as soon as a user types into any field on an HTTP page, and on every HTTP page in Incognito mode. Avoiding the warning essentially requires serving both the page and the form’s target over HTTPS (TLS), which means obtaining a certificate and fixing mixed content, not just changing the form action.
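A quick way to find the affected forms on a page before the browser does it for your users, as an added example (not Google's or Chrome's code): it collects each form with its resolved target URL and input types, and reports forms that submit over plain HTTP as well as forms that merely live on an HTTP page. The sample HTML and the set of "sensitive" input types are constructed for the illustration.

```python
"""Audit the forms on a page for submission over plain HTTP.  Added example, not
Google's or Chrome's code: it checks the two conditions a practitioner needs to
find before the Chrome 62 change, a form whose target is http:// and a page that
is itself served over http://, using only the standard library.  The HTML below
is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types whose contents are clearly sensitive (assumption); the rest still
# trigger the browser warning once typed into, just with less at stake.
SENSITIVE_INPUTS = {"password", "email", "tel", "number"}


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL and the types of its inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # a missing or empty action submits back to the page URL itself
            self._open = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
        elif tag in ("input", "textarea", "select") and self._open is not None:
            self._open["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            self.forms.append(self._open)
            self._open = None


def audit_forms(page_url, html):
    """Return one finding per form that submits, or is entered, over plain HTTP."""
    parser = FormCollector(page_url)
    parser.feed(html)
    parser.close()
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        secret = any(t in SENSITIVE_INPUTS for t in form["inputs"])
        if urlsplit(form["action"]).scheme != "https":
            findings.append({"action": form["action"], "method": form["method"],
                             "severity": "high" if secret else "medium",
                             "reason": "form submits over plain HTTP; anyone on path reads the fields"})
        elif not page_https and form["inputs"]:
            findings.append({"action": form["action"], "method": form["method"],
                             "severity": "medium",
                             "reason": "page is HTTP: the form can be rewritten in transit and "
                                       "Chrome 62 shows 'Not secure' as soon as a user types"})
    return findings


# Constructed page: a login form posting to a relative path, a search form to an
# HTTPS host, and a newsletter form hard-wired to an HTTP endpoint.
SAMPLE_PAGE = """
<form method="post" action="/login">
  <input name="user"><input type="password" name="pw"><button>Sign in</button>
</form>
<form action="https://search.example/q"><input name="q"></form>
<form method="post" action="http://legacy.example/subscribe"><input type="email" name="e"></form>
"""

if __name__ == "__main__":
    for url in ("http://shop.example/account", "https://shop.example/account"):
        print(url)
        for f in audit_forms(url, SAMPLE_PAGE):
            print(f"  [{f['severity']}] {f['method'].upper()} {f['action']}: {f['reason']}")
```

Note the third form: moving the page itself to HTTPS is not enough when a form action is hard-coded to an `http://` endpoint, and a relative action such as `/login` inherits whichever scheme the page was loaded with, so the same markup passes on HTTPS and fails on HTTP.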

WikiLeaks Website Apparently hacked by OurMine via DNS hijack. Recently, the WikiLeaks website, known for high-profile leaks against big names like the CIA, was attacked by OurMine, a hacker group that calls itself white hats who point out bugs. On Thursday, visitors to the site were greeted by an announcement from OurMine, taunting WikiLeaks and Anonymous for having challenged them previously. The attack was a DNS hijack (widely reported as “DNS poisoning”): wikileaks.org was made to resolve to an OurMine server instead of WikiLeaks’ own, which means the actual WikiLeaks servers were not compromised. The caveat is that whoever can change your DNS records can usually also pass a CA’s domain-validation check and obtain a certificate for your domain, so a DNS hijack is rarely as harmless as “only the name was redirected” suggests.

Accessing Uber’s Internal Chat System. For those of you interested in exploits, check out this security researcher’s run-down of how they bypassed the single sign-on in front of Uber’s internal chat app, allowing them to impersonate users.

MongoPocalypse Resumes. You may recall last winter when various databases were being wiped and held for ransom, starting with MongoDB. Reports have it that this has resumed, with 45K MongoDB instances being hit. A tragedy in that these databases are still exposed to the internet despite the previous wake-up call; simply binding them to a private interface and requiring authentication would stop these casual, automated drive-bys.

Popular file converter sites hacked. A server hosting a collection of popular file conversion sites such as pdf2jpg, used by thousands of people daily, was found to have been repeatedly compromised over the past year. The breach, performed by exploiting the well-known ImageMagick command-injection bug (ImageTragick, CVE-2016-3714), gave the attacker complete control of the server. Given that ImageTragick was reported last year, this is yet another unfortunate example of poor patching cadence; on a site that exists to feed user-supplied files into ImageMagick, it is hard to think of a more important patch.
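Two checks a practitioner would want on any server that converts uploads with ImageMagick, as an added example (not code from the article, the affected sites, or ImageMagick): first, that `policy.xml` denies the coders the ImageTragick advisory told everyone to disable; second, that an upload's leading bytes agree with the image type its filename claims, since the exploit files were MVG/SVG text renamed to `.png` or `.jpg` and ImageMagick chooses the coder from the content, not the extension. Both `policy.xml` samples and the upload bytes are constructed.

```python
"""Two checks for the ImageTragick class of bugs (CVE-2016-3714 and friends) on a
server that converts user uploads with ImageMagick.  Added example, not code from
the article or from ImageMagick: (1) verify policy.xml disables the coders the
ImageTragick advisory recommended denying, and (2) refuse uploads whose bytes do
not match the image type their filename claims.  Policies and uploads below are
constructed."""
import xml.etree.ElementTree as ET

# Coders the ImageTragick advisory recommended denying in policy.xml.
DANGEROUS_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}


def denied_coders(policy_xml: str) -> set:
    """Coder names a policy.xml denies; handles both 'MVG' and '{MVG,MSL}' patterns."""
    denied = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").lower() == "coder" and pol.get("rights", "").lower() == "none":
            pattern = pol.get("pattern", "").strip("{}")
            denied.update(p.strip().upper() for p in pattern.split(","))
    return denied


def missing_coder_denials(policy_xml: str) -> set:
    """Dangerous coders a policy.xml still allows; an empty set means the mitigation is in place."""
    return DANGEROUS_CODERS - denied_coders(policy_xml)


# Constructed policies: a default-looking one and one with the mitigation applied.
PERMISSIVE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{EPHEMERAL,URL,HTTPS,MVG,MSL,TEXT,SHOW,WIN,PLT}"/>
</policymap>"""

# Magic bytes for the formats a converter actually expects from users (assumption).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}


def sniff_image_type(data: bytes):
    """Return the format the leading bytes say the file is, or None if it is not one we accept."""
    for fmt, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None


def upload_is_acceptable(filename: str, data: bytes) -> bool:
    """Accept only when the extension and the bytes agree; ImageMagick otherwise picks
    the coder from the content, which is how a '.png' got processed as an MVG script."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    return ext in MAGIC and sniff_image_type(data) == ext


if __name__ == "__main__":
    print("permissive policy still allows:", sorted(missing_coder_denials(PERMISSIVE_POLICY)))
    print("hardened policy still allows:", sorted(missing_coder_denials(HARDENED_POLICY)))
    real_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    fake_png = b"push graphic-context\nviewbox 0 0 640 480\n"   # MVG text renamed to .png
    print("real png accepted:", upload_is_acceptable("logo.png", real_png))
    print("renamed MVG accepted:", upload_is_acceptable("logo.png", fake_png))
```

Neither check replaces the patch; the policy entries are the advisory's stop-gap for unpatched builds, and the magic-byte check removes the renamed-script vector on top of that. A site whose sole purpose is converting arbitrary uploads should also be running the converter in a sandbox with no network access.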

Abandoned domains should be treated as security problems. We’ve previously reported on stories involving expired domains still receiving potentially serious traffic, or allowing whoever re-registers them to do something malicious (deface a website, serve malware, or receive mail and password resets meant for the old owner). For those who missed them, this article provides additional examples, including one involving Flickr.

More IoT exploits. Security researchers have found three backdoor accounts in two Arris commercial modems, both of which appear to be discontinued. These backdoors allow anyone to take over the device and, based on internet-wide scan data, researchers believe there are about 220K such modems currently reachable on the internet.


Security Roundup - 2017-09-01


Neutrino to Jimmy, a Malware Evolution. A few months ago, Kaspersky published an analysis of a banking trojan called Neutrino, and this week they dive into its evolution, which they call Jimmy. The strain has moved from straightforward bank-card theft to loading remote modules that perform a number of tasks, including cryptocurrency mining and web-traffic injection.

Kaspersky reports on Russian hacking toolkit. This week, Kaspersky also revealed the existence of WhiteBear, a hacking toolkit apparently in use by the Russian-speaking Turla group to target embassies and other diplomatic targets. There is some speculation about why Kaspersky, a Russian company, would release information on this toolkit. Is it already burned? Has it been neutralized? Are they attempting to distance themselves from the Kremlin? Don your tinfoil hats and read on.

DDoS Providers Collaborate to Identify and Neutralize Botnet. A large number of DDoS-mitigation and security companies, including direct competitors, collaborated this year to take down a botnet named WireX. WireX was a mobile botnet, built from ~300 malicious apps in the Google Play store and believed to be installed on at least 70K devices. Google has since removed the malicious apps and has been cleaning them off affected devices.

Malware making made easy. In other Android news, a new ransomware toolkit has been released that lets anyone create an Android ransomware app in just a few clicks, no coding required. Expect more stories of app store removals as a result.

IoT Credential Leak. A list of IoT device credentials was discovered online last week, covering at most ~8K unique hosts. Researchers determined that fewer than 2K were still accessible, a minuscule number to add to a botnet, but still cause for concern for whoever owns the devices. Also of interest is that the list contained 144 username/password combinations, up from the roughly 60 that the original Mirai used. This discovery prompted security researchers to put a deliberately insecure device on the internet and observe what happened: it was exploited approximately once every 2 minutes over the course of 44 hours.

RAT Provided For Free. A RAT builder named Cobian made the rounds underground recently, as it was being offered for free. This turned out to be because the builder itself had a backdoor: whoever distributed it gets access to every machine its users infect. This is another example of “when something is free, you are the product.”

711 million record spam list makes the rounds. You may have heard about the massive spam list this week, composed of 711 million records. Troy Hunt, in his usual style, breaks down what is in the dataset and what it means.


Security Roundup - 2017-08-24


This week the cybersecurity landscape is evolving as quickly as ever. In tribute to those who are racing to keep up with the latest events, here are the headlines:

Kudos to a Young Cybersecurity Enthusiast. The Air Force recently ran a bug bounty program, and the overall winner (with 30 unique vulnerabilities disclosed) was Jack Cable, a 17-year-old from Chicago. HackerOne has an interview with Jack on how he got involved in bug bounties and security.

Don’t Deny the DDoS News. First comes Incapsula, a CDN provider that has observed a new DDoS pattern they term “pulse waves”: attackers bring a botnet to peak traffic and then rotate that full-strength traffic between targets in short bursts. If a target goes down, mission accomplished, and the company likely has to spend hours or even days to recover. Since each burst arrives at peak from the first second, strategies like auto-scaling, or on-premise appliances that only fail over to cloud mitigation once they are overwhelmed, are ineffective given the ramp-up time for more capacity to come online. Separately, Talos has noticed an increase in DDoS-as-a-service providers in China after someone started selling a turnkey platform online. Expect more DDoS news in the coming months.

iPhones in Danger, a Whole New Way. Last week ended with the release of the decryption key for the firmware of Apple’s Secure Enclave Processor (SEP). The SEP is a coprocessor that handles key material and is also used to verify TouchID (fingerprint) transactions. The leak by itself does not endanger iPhone users (it exposes no one’s keys or data, and the SEP firmware is still signed, so it cannot simply be modified), but it is still concerning that the firmware can now be read. Why? Companies, researchers and others now have a chance to analyze an area of iOS devices that was previously locked, opening the door to the development of exploits that bypass fingerprint authentication or approve fraudulent transactions.

Targeted Phishing Attack Comes With Huge Price Tag. We are also noticing an increase in targeted phishing attacks; noteworthy are campaigns conducted against Raiffeisen Bank and against the Enigma cryptocurrency project’s token pre-sale, the latter resulting in a loss of about 500,000 US dollars in ETH. And as if phishing could not get any more intimidating, we recently heard about the first attempt to exploit an Office vulnerability through a PowerPoint slideshow file (CVE-2017-0199, previously seen only in Word/RTF lures) to bypass anti-virus and execute malicious code; we are going to keep an eye on this one too!