Security Roundup - 2017-06-29

Posted on  by , and

The leading news this week is, unfortunately, the latest big ‘ransomware’ outbreak. PetrWrap ransomware attacked computers worldwide using a mix of techniques inherited from WannaCry (leveraging EternalBlue) associated to credentials stealing. The malware started spreading in Ukraine as an “update” of a software called M.E.Doc and soon started to infect computers of the same network using legitimate credentials stolen from the memory of the infected machines. Security professionals indicate that the ‘recovery code’ is just random, and with no communication back to a C&C, meaning that it is likely that any encrypted files are actually not recoverable.

HackerOne has published a “Hacker Powered Security Report”, breaking down insights from more than 50K resolved vulnerabilities across 800 bug bounty programs. Some interesting statistics, including:

  • Some companies spending almost $1M a year on bug bounty payouts.
  • 40% of companies running bug bounty programs are NOT tech companies.
  • The most common vulnerabilities differ by industy, with healthcare having more SQL injections, finance having more authentication based problems, and gaming having higher levels of information disclosure.
  • Resolution rates differ per industry, with eCommerce remediating in an average of 31 days, and Telecom industries being the worst at an average 91 days.

Read the entire report for more facts like pay rates, and insight into the hackers that contribute to these programs.

Joining it is this year’s “Cost of a Data Breach” report by the Ponemon Institute. Some interesting statistics:

  • Reported costs of a breach are down for the first time in several years, by 10%.
  • This does not hold true for the US, where costs continue to climb by 10%.
  • The value of an individual record appears to be decreasing, potentially linked to the vast volume of data that has been leaked in the last year.
  • The probability of a covered organization having a breach increased by 2% YoY.
  • Mean Time To Investigate and Mean Time To Contain are down ~5%.

Be sure to read the entire report for what all goes into the cost of a breach, as well as insights across industries and countries and how costs are calculated.

Apple’s Mac has a long-standing reputation of being malware resistant, but a new report released by McAfee found that the number of malware infections on Mac devices is increasing. Q1 2017 yielded more malware infections on Macs than any other quarter to date. While it appears that the majority of malware affecting Macs is adware, and that more serious threats are still targeting Windows-powered devices, Mac users should remain wary of suspicious links and messages.

Speed cameras in Australia fell ill this week, resulting in them repeatedly rebooting. These cameras were not connected to the internet, but a technician accidentally spread some malware as part of a routine software upgrade, due to an infected USB stick. The same lack of internet connection ensured that no other systems were infected, meaning the overall damage was limited.

Ethical hackers were able to infiltrate Virgin Media’s Super Hub 2 router and use it to gain control of connected household devices, including security cameras, smart locks, and IP cameras. Virgin advised 800,000 Superhub users to change the default password provided on the router as well as their network password to protect against potential hacks. This is another reminder that connected devices can have benefits, but many also have vulnerabilities and little in the way of security measures.

Malware of days past followup:

The death of the Locky ransomware may have been exaggerated, as ransomware campaigns fall back to Locky after the quick defanging of Jaff. Interestingly, this version may only work on Windows XP, indicating that the authors may have been hasty on pushing this variant out.

The recently report on Fireball may be slightly exagerated. While Checkpoint previously claimed 250 million infected devices, but Microsoft puts claims at closer to 40 million, having been tracking Fireball since 2015. 40 million is still a lot of infected machines, but nowhere near the threat of the original estimate. CheckPoint and Microsoft are continuing to work together on analysis.


Security Roundup - 2017-06-23

Posted on  by and

Layers upon layers upon layers. This is the first thing that comes to mind after reading Sophos’ recent report on old tricks turned new for malware. While many malware campaigns involve embedded objects with malicious payloads, Sophos has noticed a number of strains which host these embedded objects on remote servers. Among other things, this makes it easier for someone to shut down a malware campaign, or perform upgrades on the payload after the spam campaign has launched.

McAfee also discovered new tricks in the PinkSlip malware. What sets this apart from its peers is the fact that it will set some infected hosts as remote proxies, allowing it to be used to further obfuscate where a C&C is located. This is set up independent of the trojan, meaning any machines that were previously cleaned up potentially still have this unwanted guest on their machines.

Google’s engineers have announced many anti-malicious software detection news lately, and security researchers continue to unearth more of it. Last week involves the discovery of Xavier, a malware strain which silently steals personal and financial data while the user of the infected app is trying to change the ringtone or boosting the speed of the device. Xavier is actually the evolution of the AdDown malware, which first hit the scene in 2015 with ‘Joymobile’, but has learned several new obfuscation tricks including downloading instructions remotely and dynamic analysis evasion.

Researchers have discovered a new way to gain root access on several unix based operating systems. Dubbed ‘Stack Clash’, this exploit involves the attacker ‘clashing’ the memory system that keeps track of running programs with another memory region, potentially overwriting instructions and executing unexpected code. At time of writing, impacted OSes have patches.

Man In The Middle Attacks allow someone to see all your traffic. This could be mitigated by sending traffic encrypted, but what if someone is intercepting traffic by using “trusted” certificates? Security gateways and anti-virus sometimes do this in order to ‘inspect’ web traffic for malicious signals. Researchers recently worked with various industry partners to try and fingerprint this type of interception, seeing upwards to 10% of communications falling into this bucket, with a sizable portion of it not backtrack-able to security products. Even security products doing this is a problem, as security problems can mean this is abuse, or bad crypto implementations mean that communication is less secure than it would be otherwise.

More Internet of Things stories this week including:

Duo Security “drills in” to the security of an internet enabled drill. They take you through the discovery process, including checking out the associated app as well as the drill itself. While they unfortunately found hard coded passwords, and the ability to tamper with the Geolocation security feature, overall they found a number of security features like encryption and security headers in API responses, meaning that perhaps there is hope for the Internet of Things yet.

TP-Link joins the list of vendors to patch end of life products, fixing a bug that would allow remote account takeover in one of their older router models. This is a positive step forward, as research continues to demonstrate more and more vulnerable devices, and attackers shifting from simplistic approaches of brute forcing passwords (which still works way too often), to more complex vulnerabilities in router software itself.

Unfortunately, we are halfway through the year and Kaspersky labs has already seen twice the amount of IoT based malware as all of last year. Based on the number of stories we’ve covered already, this will likely get worse before things get better.

Case in point, more Vault 7 documents have been released showcasing CherryBlossom a framework for pushing malicious firmware to your router. After the infection, routers can be controlled remotely using a browser-based interface and can be used for different missions that include scanning mail addresses, chat usernames, MAC addresses and VOIP numbers.


Security Roundup - 2017-06-16

Posted on  by and

Imagine if you had gone to the trouble of paying for and setting up security products, but they weren’t running properly. Malware authors are imagining, and making this a reality. BleepingComputer details CertLock, a malware strain that prevents new security programs from being installed or security products from running, by adding the signing certificates of these programs to a special disallowed list in Windows, effectively preventing the applications from running. Going farther, it even adds a bunch of update domains to the hosts file of a device, redirecting to localhost and breaking update capabilities.

Microsoft provides another security update for older versions of Windows this week, including XP, Vista and Server 2003, to protect against 3 other exploits found in the ShadowBrokers exploit dump. Microsoft believes the threat level of these exploits is severe enough to warrant a wider distribution of the patches, but points out the best protection is to stop using end of service versions of Windows. All told, Microsoft released fixes for 97 vulnerabilities across all their products, 17 of which were labelled as Critical. Microsoft has also announced that SMBv1 will be disabled by default for future windows versions.

Interested in a deeper dive into Memory Resident Malware? Endgame security delivers this week covering known attacker techniques, as well as going over some of the difficulty in detecting these techniques.

Microsoft has discovered malware that abuses Intel’s Active Management Technology (AMT) to exfiltrate data. Since the AMT is low enough level, communications through it avoids the application level network stack, and any monitoring/firewall systems that are operating at that level.

More and more malware is targeting Apple computers. Fortinet researchers have recently stumbled across MacRansom, an OSX Ransomware as a service portal. After communicating with the author, they were given a sample which they then analyzed. Sadly, it looks like any victims will be unable to decrypt their files, since part of the encryption key is random, and there is no outbound communication to a C&C.

In some alarming news this week, one security researcher has posted a number of Man-in-the-Middle vulnerabilities for several iOS applications. These applications talk to unsecured backend services, allowing login information to be stolen. The applications in question unfortunately range from grocery deals to voting and banking apps.

The Internet of Things has been demonstrated to be the Internet of VULNERABLE Things in the last year. Talos Intel does both a retrospective, as well as provides advice to companies that may be purchasing devices connected to the internet. Case in point, yet another batch of internet enabled web cameras has been demonstrated to be riddled with insecurities.

Who turned off the light? Recently researchers at Dragos and Eset released their report on Crash Override malware that caused an electricity outage in Kiev during December 2016. The malware is able to control electricity substation switches and circuit breakers directly leveraging industrial communication protocols used worldwide in power supply infrastructure, transportation control systems and other critical infrastructure systems. Its creators embedded in it some features that are designed to allow it to remain under the radar, ensure its persistency and wipe all the traces after doing the job.

This week signs an important milestone in android’s malware: code injection. Researchers at Kaspersky found an app named ‘Dvmap’ that was capable of installing its malicious modules while also injecting code into the system runtime libraries, enabling root access and further detection avoidance. The malware was still in a testing phase and the researchers noticed that the authors were intermittently updating the malware components for a short period of time before replacing it with a clean version.

Finally, in case you’re into cryptocurrencies do yourself a favor and avoid using Jaxx as your bitcoin wallet. The wallet has a security flaw that allows an attacker to steal the recovery phrase even if the wallet is protected with a PIN and a strong password. How is that possible? The wallet uses just an internal encryption key to encrypt the wallet without using the PIN or the password as salt. The result is that few lines of script are enough to decrypt the recovery phrase, after that the attacker can move the wallet elsewhere and with that all the cryptocurrency contained. The current total losses amount to 400k.


Security Roundup - 2017-06-09

Posted on  by

EternalBlue and WannaCry coverage continues this week:

To start, looks like WannaCry may have a number of bugs which may make it possible for users to retrieve their files.

EternalBlue has unfortunately been ported to Windows 10. Security researchers did this by analyzing the existing exploit and adapting it to work around additional Windows 10 protections. Speculation abounds on whether this zero day is known in certain circles, but points out how everyone is learning from the trove of exploits dumped.

This is particularly demonstrable/troubling, as EternalBlue is now being used for a variety of malicious programs. While thankfully protection is a Windows update away, some systems are still vulnerable.

Finally, Sophos does an overview of WannaCry, suggesting that adhering to security basics like strong passwords, endpoint security, and (most importantly) proper patching hygene could have made WannaCry more like DoNotCry.

Vault7 continues to hit the news as WikiLeaks has published documentation on Pandemic, a tool that turns a Windows File Server into a malware distribution server, injecting Trojans into files that users are trying to access.

MalwareBytes starts a new series called “Interview with a Malware Hunter”. The first in the series is Pieter Arntz, Security researcher for MalwareBytes.

Balancing data portability AND data security is a hard problem, since a full download of a user’s data is a gold mine for attackers. Jeff Attwood, founder of Stack Overflow and Discourse, goes into some of the steps his team built in to try to manage both for their users. In addition to strong passwords (15 characters, more than the current NIST standard), locking down which accounts can export, and using single use tokens, the Discourse team actually tried cracking their own passwords to look at computational liklihood. After more than 3 weeks of cracking, they managed to break less than 1% of accounts, and those that were involved a number of dictionary words.

Sucuri has released their monthly Lab Notes. Some interesting things include a look into a Wordpress backdoor, a look into a data collection script that hides as a benign script, and a dip into malvertisement targeting.

Researchers this week noticed a novel way that malware is checking for C&Cs out of band, Instagram comments! By using non-printable characters as markers, a comment may seem legitimate, but otherwise hides a secret message redirecting programs to an appropriate location.

Last month, the Jaff ransomware started making the rounds as a fairly successful strain. Now, security researchers have linked it to a cybercrime marketplace. Researchers uncovered this when they discovered shared infrastructure for the two systems. They then found thousands of compromised accounts, from banking credentials to Amazon accounts.

The RIG Exploit kit takes a blow recently, as various security groups in conjunction with GoDaddy mapped out and then shut down a major chunk of its infrastructure. Specifically, RIG was relying on compromised hosting accounts to create subdomains on other users accounts, in order to use them as relays for the exploit kit. You can read up on the whole operation on RSA’s blog.

Checkpoint security recently published new research into two ad-revenue generating malware platforms:

First, meet Judy. A korean company named Kiniwini (ENISTUDIO corp. on Google Play) released 41 apps on the app store about Judy, cute little lady with a desire to take care of animals, make food, and study fashion. Judy, however, also has a compulsive addiction to ad clicking, as the apps had malicious code they leveraged to perform auto-click ad fraud. So while users were creating cakes and dealing with virtual pets, Judy was taking care of their devices.

Last, but not least, Fireball exploded onto the scene with an estimated 250 million infections, possibly making it the largest malware infection ever recorded. The malware has been pinned to the chinese company Rafotech, which specializes in “creative advertising”; the company denies any wrongdoing. The malware currently configures a target’s browser homepage and default search engine with a “fake search engine”, collecting user information and, guess what, clicking on advertising. The malware also has the ability to remotely execute code, making it a potent (and widespread) backdoor into many organizations.


Security Roundup - 2017-06-01

Posted on  by

Let’s start with a Samba exploit roundup:

  • With Microsoft releasing a patch for Windows XP, people (including myself) were quick to blame it for the spread of WannaCry. However, it was actually Windows 7 that was the most infected. Windows 7 still is end of life, meaning that the only extended support customers are likely to have gotten the initial security patch.
  • The EternalRocks author has thrown in the towel after being scared off by last weeks’s news coverage.
  • Hardware providers are rolling out patches for impacted devices, check your device for updates today!

The ShadowBrokers have announced details of their monthly exploit dumps. For 100 Zcash, a privacy oriented cryptocurrency (which is equivalant to ~$26K USD at time of writing), will get anyone access to an unknown slate of exploits. Security experts are torn between not wanting to pay for exploits, and wanting to avoid another WannaCry situation. One group of individuals has taken to crowdfunding to gain access, promising to alert companies of zero days and then releasing the data publicly for additional scrutiny. It has since been cancelled due to legal concerns over purchasing explicit exploits.

Another Windows XP and Windows 2004 security patch has been released, this time not by Microsoft but by EnSilo Security. This patch protects against the ESTEEMAUDIT remote desktop exploit that was released due to the ShadowBrokers exploit leak. While EnSilo feels it is important to move away from Windows XP, they are releasing this patch because they feel it is important to control the amount of damage possible due to these exploits being public.

Windows DID push out an out of band security update this week, fixing several vulnerabilities in their Malware Protection Engine including 3 remote execution flaws.

RoughTed is a malvertising operation that has recently added some new tricks to avoid ad-blocking. MalwareBytes has dived in depth, demonstrating the range of payloads, from malicious chrome extensions, adware, tech support scams, and other exploit kits.

Google has apparently been expanding their safe browsing initiative. The current iteration appears to have started blocking sites that serve logins over HTTP, further pushing Google’s agenda of SSL adoption.

NIST has released a number of new reports this year, including a new report on lightweight cryptography (you know, for all those IoT devices). There are a number of recommendations, but unfortunate findings such as all NIST approved hashing functions not being feasible for 8-bit micro-controllers. NIST also points out that the landscape for crypto and IoT is changing rapidly, and is rethinking their traditional ‘crypto challenge’ approach, which has historically taken years.

Interestingly, there has been a bunch of discussion around hashing algorithms recently, resulting in commentary of ‘Maybe we should skip SHA3’ and move on to better algorithms (and maybe stop naming hashing algorithms after SHA, to avoid confusion), and a dive into two new algorithms for consideration SHAKE2 and KangarooTwelve.

Security researchers have published a workaround of Email Encryption Appliance (EEA)/Email Security Gateway (ESG) setups. This attack works when both items are accessible, allowing an attacker to send email directly to the email encryption appliance. The attack works in two cases, one where the EEA sends messages directly to the mail server, bypassing the ESG, and the other where the EEA relays emails to the ESG, but the ESG treats the email as coming from a whitelisted IP. In both cases, the researchers were able to reliably deliver malicious payloads to their targets.

Medical systems have been heavily impacted by security issues in the last year. A recent audit of pacemaker systems (including pacemakers themselves, monitoring systems, and programmers) highlights additional problems, with several systems being subject to thousands of known security vulnerabilities due to out of date libraries, and in some cases unencrypted patient data being accessible from second hand devices the researchers purchased.

Using AWS Electronic Block Storage? Make sure you review your usage of ‘public’ snapshots, as you could be leaking all sorts of information to the world, including customer data, encryption keys, corporate documents, just to name a few things that security researchers discovered in a recent investigation.

Crysis ransomware had its master decryption keys leaked earlier this week.

Similarly, so did some encryption keys for the AES-NI ransomware. In this case, the author of the ransomware claims to have released the keys, as an attempt to deflect blame for the XData ransomware, which was built on top of AES-NI. Interestingly, the decryption key for XData has also subsequently been released.