Posted on by Sean Smith
Microsoft rushed out a critical fix for its Malware Protection Engine, releasing it one day before the regular Patch Tuesday cycle. The flaw allowed a specially crafted file to make the Malware Protection Engine execute the malware when it scanned the file. A number of other security fixes went out as part of Patch Tuesday, including one for a flaw triggered by specially crafted images in Office. Talos Intel has a breakdown of all the security items.
Another day, another billion (yes, with a b) user records leaked. Troy Hunt of HaveIBeenPwned explains how leaks from one site enable credential stuffing: trying the leaked credentials on other sites in order to gather more accounts to sell. Since password reuse is still fairly common, this yields plenty of hits. Troy details two big combo lists of usernames and passwords that were brought to his attention, containing the aforementioned billion credentials. Troy also explains why he doesn’t store passwords for his service.
Duo Labs also got hold of one of the combo lists and performed some analysis on the passwords. Interestingly, 25% of the passwords are 9 characters long (better than the 8-character minimum suggested in the current draft of the NIST guidelines), but the most common passwords in the list are still pretty bad.
A large-scale Signaling System 7 (SS7) attack took place recently to intercept 2FA text messages for bank accounts and drain those accounts of all funds.
Plenty of states and countries are rolling out breach disclosure laws. TechCrunch has an article pointing out that disclosure can paint a target on a company that has disclosed a breach but not taken appropriate steps to prevent further ones.
Malwarebytes writes that the Snake trojan, which has been around since 2008, has been ported to OS X. It masquerades as a Flash installer, with the added deception of actually installing Flash rather than just pretending to.
Google follows up on the first five months of its open source software fuzzing experiment. In that period it has integrated 47 projects (including several SSH and SSL projects) and discovered 1000+ bugs, of which 264 are potential security vulnerabilities. To further the project, Google is now offering financial rewards to projects that integrate with the process.
A new malware strain came to light this week that exposes a remotely accessible API. This is interesting in that it lets the botnet invert the traditional C2 model when required, making it easier for botnet owners to re-establish control after a C2 takedown.
Security researchers classified a number of breaches according to the OWASP Top 10. The results are interesting, with ‘Known Vulnerable Components’ being the cause of 24% of breaches and another 15% attributable to causes not in the Top 10.
Posted on by Sean Smith
A large-scale phishing attack was launched this week, imitating a Google Docs document-sharing email. If the user followed through, they were presented with a dialog to authorize a fake Google Docs app, allowing the attacker to gain unlimited access to the victim’s email. For each victim, the attack then used their contacts to send another round of phishing emails.
Meanwhile, Google Chrome has taken another step towards its goal of visibly marking all HTTP sites as “Not secure” for the information you send. On the heels of January’s change to label HTTP sites with password fields as “Not secure”, Chrome is now going to label all HTTP sites visited in Incognito mode as “Not secure”, due to the increased privacy expectations of that mode.
O’Reilly and the Software Improvement Group recently surveyed a number of programmers about their companies’ secure coding practices. While 69% of respondents said their company had security requirements and 60% mentioned guidelines, most felt they were not doing enough. They also cited how security is not ‘visible’, making it hard to gain proper traction when overall company goals are to ship new features and gain new customers.
What is worse than a site that allows short passwords and returns them in plaintext when you forget them? Apparently, a site that never lets you change your password.
Intel processors with remote management features have been found to have a remotely exploitable flaw. The flaw, present since 2010, is only reachable if Intel’s Active Management Technology is enabled and the attacker can reach ports 16992 and 16993. This means remote attacks over the internet should be fairly rare, but attacks on a local network, such as public Wi-Fi in a targeted attack, are possible.
Another problem that has flown under the radar is the Konni RAT, which Talos Intel discovered. Backtracking, they have unearthed three years of activity across four campaigns and document its evolution.
Malwarebytes provides details on the OSX.Dok malware, a sophisticated attack that installs the means to monitor and intercept all HTTP and HTTPS traffic on a victim’s computer. This potentially allows an attacker to harvest credentials a user sends over a connection they otherwise believe is secure. Apple has already revoked the signing certificate the malware author used to sign the app, meaning the casual user will no longer be able to install it. However, Malwarebytes has found a second strain that installs a different backdoor but looks to be from the same author.
Arbor Networks does a deep dive into the Ismdoor RAT, which communicates with its C&C using DNS AAAA (IPv6) queries and responses to hide its activity.
Verizon’s 2017 Data Breach Report has been released (now in its 10th year!). Unsurprisingly, ransomware accounted for a large number of incidents and continues to trend upwards. Financial institutions are still the most popular target, but sectors like healthcare and education are seeing an uptick in attacks.
Posted on by Sean Smith
News of DoublePulsar has been making the rounds, with some claims of several hundred thousand systems impacted. Now it appears the exploit is remotely removable, opening the door to a Robin Hood botnet that scrubs the internet while the infected systems are upgraded.
Despite what Google does to keep malicious apps out of the Play Store, things still get listed. Check Point has pointed out a new botnet it dubs FalseGuide, which currently involves 40 known apps and may have been installed on over half a million devices.
Leaked passwords appear to be behind a rash of Amazon third-party seller account takeovers. The attackers take over an Amazon account, update the payment information, and then try to get buyers to purchase goods that will never be shipped.
Microsoft recently stopped supporting Windows 7 and 8 on older hardware architectures, despite offering long-term support for those versions. One user in particular was annoyed by this and reverse engineered the latest patches to allow the updates to be applied anyway.
LastPass has been under a lot of security scrutiny lately. The latest issue was a flaw in its 2FA implementation which would potentially have allowed 2FA to be bypassed altogether. The security researcher who found the flaw has posted a full technical breakdown.
Running an IoT company? Concerned about security? Hackaday has you covered, taking a year’s worth of incidents and writing up what you need to know to avoid IoT security failures.
Cloudflare reports the continued decline of older cipher suites, with both AES-CBC and RSA losing ground to the faster and more secure ECDSA.
Some AV-based news this week. First, Trustwave points out a vulnerability it discovered and helped Avast fix. Second, AV provider Webroot experienced a problem earlier this week that caused important Windows files needed for normal operation to be quarantined.
Locky, the ransomware, and Necurs, the botnet that distributes it, have recently seen a resurgence. Locky now appears to use a document embedded within a document to try to avoid detection and circumvent protections.
Posted on by Sean Smith
The malware industry starts pointing fingers, with this article from Ars Technica on ‘Lawyers, malware, and money’. In it, a number of malware detection vendors and malware detection benchmark services largely blame each other for misrepresenting products in demos and sales bakeoffs. Some suggest the benchmarks are not representative of the ‘real world’, others suggest that some people are rigging the game in their favor, and a number of these disputes have apparently devolved into lawsuits or license revocations.
The return of the Shadow Brokers has resulted in another trove of exploits being released. Apparently more than 1,000 Windows binaries are part of this trove. Microsoft indicates a number of the vulnerabilities have already been fixed. There is plenty of coverage from multiple security sites for those who want to dig in further.
Phishing is temporarily much easier on Chrome and Firefox, as Punycode domains (internationalized domain names built from non-ASCII characters) apparently render in the address bar looking identical to the ASCII domain names they are masquerading as.
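As an added example (not code from the article or from either browser), here is one defensive check for the homograph problem described above: decode each Punycode label the way an address bar would, then flag labels that mix scripts or that consist entirely of letters from one non-Latin script that look like ASCII letters. The look-alike table is a small, hand-picked Cyrillic subset, and the hostnames in the test are constructed.

```python
# Added example: detect IDN labels that render like an ASCII name (homographs).
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that look like
# ASCII letters in common fonts. A real deployment would use the full
# Unicode confusables data instead of this hand-picked subset.
LOOKALIKE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d",
}

def script_of(ch):
    """Coarse script bucket taken from the Unicode name: LATIN, CYRILLIC, ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_unicode(hostname):
    """Decode xn-- (Punycode) labels into the Unicode the address bar shows."""
    return hostname.encode("idna").decode("idna")

def inspect_label(label):
    """Return (verdict, ascii_lookalike_or_None) for one decoded label."""
    if label.isascii():
        return "ascii", None
    scripts = {script_of(c) for c in label if c.isalpha()}
    if len(scripts) > 1:
        return "mixed-script", None          # e.g. Cyrillic 'а' inside a Latin word
    skeleton = "".join(LOOKALIKE.get(c, c) for c in label)
    if skeleton.isascii():
        # Every character maps to an ASCII look-alike: the user sees `skeleton`.
        return "whole-script-confusable", skeleton
    return "idn", None                       # legitimate non-ASCII name

def check_hostname(hostname):
    """Per-label verdicts for a hostname given in ASCII/Punycode or Unicode form."""
    return [(lbl, *inspect_label(lbl)) for lbl in to_unicode(hostname).split(".")]
```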
The recently exploited Struts vulnerability has been fixed, along with 299 other vulnerabilities in various Oracle products. This number of security fixes is a new record for Oracle, beating the 276 reported in July 2016.
Plenty of Android malware news: Sophos points out how Android malware is adopting the emulation detection techniques desktop malware uses to avoid analysis, and Threatpost goes into how Google is combating malware on Android. That doesn’t stop some malware campaigns from trying their hardest to stay in the app store.
Check Point’s March Malware Most Wanted report is out, showing that, after a recent downturn, exploit kits are once more in active use.
In a bout of Robin Hood hacking, a botnet named Hajime is competing with Mirai. Hajime infects IoT systems and then sets up protections designed to disrupt Mirai.
The FBI was involved in the recent takedown of the Kelihos botnet. Threatpost provides some details on how it was involved, while a MalwareTech researcher provides details on Kelihos from his own research.
Another in-depth look at malware, this time Sathurbot, a strain that initially spreads through malicious torrents and then attempts brute-force attacks on common login portals.
Ransomware as a service hits a new low, with a version called Karmen that can be purchased outright for $175.
Another instance of open source malware made the rounds this week. Labelled a ‘remote administration tool’, which isn’t even a particularly fancy euphemism for remote access trojan, this one uses Telegram as its C&C. BleepingComputer has the details.
Posted on by Sean Smith
Bleeping Computer has a great writeup of the new CAA DNS record, which lets domain owners specify which SSL certificate providers are allowed to issue certificates for their domain. In a recent vote, the majority of browser vendors and Certificate Authorities voted to implement this standard by September 8, 2017, setting the expectation that Certificate Authorities will check whether they are allowed to issue a certificate for a domain before doing so.
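As an added example (not from the article or from any CA’s code), here is the issuance decision a CA makes against CAA records, following the RFC 8659 rules (walk up from the requested name to the first name that has a CAA RRset; `issuewild` overrides `issue` for wildcard requests; an unknown critical property blocks issuance). The zone data and CA names are constructed, so the check runs offline.

```python
# Added example: the CAA issuance check per RFC 8659, over a constructed zone.
from dataclasses import dataclass

@dataclass
class CAA:
    flags: int   # bit 7 (value 128) marks the property as "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # e.g. "goodca.example; account=1234" (domain, then parameters)

KNOWN_TAGS = ("issue", "issuewild", "iodef")

# Constructed DNS data: only these names carry a CAA RRset.
ZONE = {
    "example.com":      [CAA(0, "issue", "goodca.example"),
                         CAA(0, "issuewild", ";")],      # no wildcard certs at all
    "lock.example.com": [CAA(0, "issue", ";")],          # nobody may issue here
    "odd.example.com":  [CAA(128, "futuretag", "x")],    # unknown, critical property
}

def relevant_rrset(fqdn):
    """Climb from fqdn towards the root; the first name with CAA records wins."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONE:
            return ZONE[candidate]
    return []

def issuer_domain(value):
    """The CA identifier is everything before the first ';' (may be empty)."""
    return value.split(";")[0].strip().lower()

def may_issue(fqdn, ca):
    """True if the CA identified by issuer domain `ca` may issue for `fqdn`."""
    rrset = relevant_rrset(fqdn)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # a critical property the CA does not understand
    wildcard = fqdn.startswith("*.")
    has_wild = any(r.tag == "issuewild" for r in rrset)
    tag = "issuewild" if wildcard and has_wild else "issue"
    rules = [r for r in rrset if r.tag == tag]
    if not rules:
        return True   # e.g. only iodef records: nothing restricts issuance
    return any(issuer_domain(r.value) == ca.lower() for r in rules)
```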
Of course, this only helps while an organization remains in control of its DNS. In an impressive accomplishment, hackers managed to take over a bank’s entire digital footprint, redirecting users and potentially even ATM transactions to their own infrastructure. Since they controlled the actual domain names, they were able to quickly obtain legitimate SSL certificates, making the attack all the more invisible to users. Given the totality of the takeover, the bank was not even able to send legitimate emails to its customers and had to rely on the registrar returning control. Total duration of the takeover: roughly 5 hours.
Vault 7 news continues this week as the “Grasshopper” documents, detailing Windows installer-laced malware, were released. The installer performed a number of checks to reduce the likelihood of installing on a system that might be able to detect the payload. Some news stories linking the tools to known hacks have started to surface.
Coincidentally, the Shadow Brokers are also back, releasing the password to another cache of NSA files.
Threatpost provides an interview with the Google Chrome Security Team, in which they mention that a number of instabilities and security problems are due to other third-party software installed on systems, whether bundled OEM software, a bad Certificate Authority, or third-party plugins.
We’ve talked about malicious apps before, but did you know that apps can leak information from other apps? Either intentionally or unintentionally, apps are able to access data in use by other apps, allowing a combination of apps to exfiltrate data. The most common case appears to be location data, where a location-aware app may make that data available to other applications.
The newest IoT malware is making the rounds, and this one tries to brick every device it reaches. On the one hand, dead devices mean fewer botnets; on the other, plenty of consumers are going to be surprised when their devices stop working.
Of course, another security researcher found an easy way to gain access to his smart TV.
Running a SIEM to analyze security events? Make sure to lock it down! One security researcher was recently shocked to find SIEM systems using default credentials and exposing a bevy of information.
Another security firm has traced attacks back to infected residential routers. The specific router in question is vulnerable to an attack on a non-standard port, leading the researchers to suggest that ISPs filter out attacks of this nature before they reach customers.
An amusing strain of ransomware made the rounds this week, requiring users to achieve a high score in a video game to retrieve their files.
BleepingComputer provides a good ransomware article, showing another open source ransomware being weaponized and demonstrating how working examples make it easier for future developers.