Posted on by Sean Smith
LastPass had another issue last week. While this is unfortunate, Troy Hunt goes into why password managers are still ultimately the better choice. Summary: the best password is a long, random one you don't actually know, as opposed to a scheme that is easy to remember. XKCD contributes its own set of security tips, likely prompted by this recent issue as well.
I've talked about Google's "Potentially Harmful App" detection before, but this week they go into how they detected one installed on a few dozen devices. Of note, this app was never available in the Play Store.
An IIS 6.0 zero day has been revealed to have been in play since mid-2016. Unfortunately, while IIS 6.0 reached end of life in mid-2015, there are still plenty of installs in the wild: Shodan.io shows ~600K entries per its latest scans.
Some really fun IoT exploits this week. One involves injecting attack code into the broadcast stream, which allows attackers to take over some smart TVs.
Finally, security researchers have taken a look at Samsung’s open source Tizen operating system, used by the company for many IoT devices and found a bevy of security problems.
Threat intelligence researchers have noticed that users are uploading plenty of sensitive documents to malware scanning services, using them in effect as antivirus without considering that the uploaded files are then available to other researchers. The researcher in question found a number of interesting files, from private keys to confidential business plans.
A new variant of Mirai has apparently reared its head, having hammered a college network for 52 hours in late February.
Posted on by Sean Smith
Big news this week is Symantec's mis-issuance of 30K Extended Validation certificates, largely through third parties with privileged access. Extended Validation certificates are intended to require additional validation steps as further proof of ownership, and skipping those steps negates their advantage. This isn't the first time Symantec has mis-issued certificates; Google recently required Symantec to submit ALL certificates to Certificate Transparency logs for auditing. After the most recent incident, Google has declared it will stop treating Symantec Extended Validation certificates as extended validation. Further, Google has proposed a plan to stop trusting Symantec as an SSL certificate provider, phasing out support in Chrome to essentially delist those certificates. Symantec has posted a rebuttal, pointing out its use of Certificate Transparency and its championing of Certificate Authority Authorization (CAA). Regardless of the outcome, the end result looks to be more transparency and security for the internet as a whole.
Let's Encrypt came under fire this week, ironically because of the transparency it provides: its logs show it has issued quite a number of SSL certificates which could be used for phishing attacks, including ~15k certificates containing the term 'PayPal' this quarter. Let's Encrypt has stated since its inception its belief that Certificate Authorities make poor content watchdogs, its primary aim being to encrypt all web communications. Bleeping Computer points out that a number of these certificates have already been flagged by Safe Browsing, which indicates that other user protections are in play. While these certificates are being issued, the fact that they go through Certificate Transparency and are on the record at least sheds more light on the issue.
Congress has voted to repeal the FCC privacy rules, but right before that the EFF posted on the cybersecurity impacts of doing so. Particularly worrying to me is the concept of "Explicit Trusted Proxies", which are designed to decrypt and inspect SSL communications; we learned last week that US-CERT has said this type of traffic interception actually decreases overall security.
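The CAA mechanism Symantec points to (and that Let's Encrypt also honours) is a DNS record a domain owner publishes to say which CAs may issue for it. The following is an added example, not code from the original post or from either CA, showing how a CA evaluates those records under RFC 6844: climb from the requested name toward the root, take the first CAA set found, and apply the `issue`/`issuewild` properties. The record set is constructed for the example; a real check queries DNS at each step.

```python
"""Added example (not from the post, not Let's Encrypt's or Symantec's code):
how a CA evaluates DNS CAA records (RFC 6844) before issuing a certificate."""
from typing import Dict, List, Optional, Tuple

CAA_CRITICAL = 128  # issuer-critical flag bit

# Constructed data for the example: name -> [(flags, tag, value), ...]
CAA_RECORDS: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),              # ";" alone: nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [(0, "issue", "digicert.com")],
    "legacy.example.com": [(CAA_CRITICAL, "future-tag", "x")],  # unknown critical tag
}


def relevant_caa(name: str) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """Climb from the name toward the root; the first non-empty RRset wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = CAA_RECORDS.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def _issuer_domain(value: str) -> str:
    """'letsencrypt.org; accounturi=...' -> 'letsencrypt.org'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, issuer: str) -> bool:
    """True if `issuer` may issue for `name`; a leading '*.' marks a wildcard request."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    _, rrset = relevant_caa(lookup)
    if not rrset:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & CAA_CRITICAL and tag not in known for flags, tag, _ in rrset):
        return False  # unknown property marked critical: the CA must refuse
    issue = [_issuer_domain(v) for _, t, v in rrset if t == "issue"]
    issuewild = [_issuer_domain(v) for _, t, v in rrset if t == "issuewild"]
    # issuewild, when present, governs wildcards; otherwise issue applies to both
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True  # RRset present but no applicable issue property: unrestricted
    return issuer.lower() in allowed
```

A CAA record only helps if the CA actually checks it, which is why Symantec's point about championing CAA matters; and it does nothing about a legitimately issued certificate for a lookalike domain, which is the Let's Encrypt complaint above.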
After yet another round of breaches, Troy Hunt has written an article on how to handle a breach disclosure. Using CloudPets as an example, Troy points out that someone noticed their exposed Mongo database and attempted to contact them to remediate before the breach occurred. Troy points out that making it harder for someone to start a dialogue makes it easier for a company to remain unaware of action that needs taking. He goes on to point out that once a breach is known, it is in the company's best interest to disclose as soon as possible, to give their users time to protect themselves, pointing to the rampant reuse of passwords. He references the upcoming General Data Protection Regulation in Europe, under which companies will be required to disclose breaches within 72 hours. The entire article is fairly interesting, containing a number of breach disclosure successes as well as quite a few failures.
Many malware strains are starting to make use of a technique called domain fronting. The technique puts a benign, high-reputation hostname in the DNS lookup and the TLS SNI while the encrypted Host header names the real destination, so a hosting provider effectively acts as a relay, much as Tor's meek transport does. Providers abused this way include Amazon and Google's Appspot, and the point is to evade blocklisting and delisting: blocking the front domain means blocking the whole provider.
For those that enjoy reading up on malware detection evasion, Talos Intel shares some recent obfuscation methods used by LokiBot.
Talos also details an NTP vulnerability discovered as part of Cisco's effort to test NTP implementations for security flaws.
Finally, BleepingComputer covers GiftGhostBot, a botnet devoted to brute forcing gift card APIs to discover cards with usable balances. This botnet is apparently hitting some eCommerce sites with an average of 1.7 million requests per hour.
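Because the Host header is inside the encrypted stream, the only place fronting is visible is a point that sees both the TLS SNI and the HTTP Host: the provider's own edge, or a decrypting proxy like the "Explicit Trusted Proxies" above. The following is an added example, not from the original post, that flags SNI/Host mismatches in such a proxy's log. The `key=value` log format, the field names and the log lines themselves are constructed for the example; the registrable-domain check is deliberately naive (last two labels) and real code should use the Public Suffix List.

```python
"""Added example, not from the post: flag domain-fronting candidates by comparing
the TLS SNI with the HTTP Host header in a decrypting proxy's log."""
import re
from typing import Dict, List

# Constructed log lines (RFC 5737 addresses, .example names); format is assumed.
CONSTRUCTED_LOG = """\
2017-03-28T10:01:02Z src=10.20.0.15 dst=203.0.113.10 sni=www.shop.example host=www.shop.example
2017-03-28T10:01:05Z src=10.20.0.22 dst=203.0.113.10 sni=cdn.example.net host=cdn.example.net
2017-03-28T10:01:09Z src=10.20.0.22 dst=203.0.113.10 sni=static.example.net host=c2-relay.example.org
2017-03-28T10:01:12Z src=10.20.0.31 dst=203.0.113.11 sni=example.net host=www.example.net
2017-03-28T10:01:20Z src=10.20.0.40 dst=203.0.113.12 sni=mail.example.com
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Timestamp first, then key=value pairs."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); use the Public Suffix List in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fronting_candidates(log: str) -> List[Dict[str, str]]:
    """Return connections whose SNI and Host belong to different registrable domains."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        sni, host = f.get("sni"), f.get("host")
        if not sni or not host:
            continue  # no Host visible: this connection was not decrypted, nothing to compare
        if registrable(sni) != registrable(host):
            hits.append({"ts": f["ts"], "src": f["src"], "sni": sni, "host": host})
    return hits
```

The fifth line shows the limit of the approach: without decryption there is no Host to compare, which is exactly why fronting works against network-level blocking. Expect some benign mismatches from shared hosting and CDN customer domains, so treat hits as leads for the SNI/destination pair, not verdicts.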
Posted on by Sean Smith
LastPass urges users to upgrade all clients (including browser extensions), due to a number of security issues that could allow attackers to steal credentials or execute arbitrary code.
Interested in web shell analysis? Trustwave SpiderLabs writes about how they discovered and analyzed a web shell used to take over a client network.
Sucuri has an update on malicious subdirectories, where attackers upload content (like essay-selling sites) to otherwise legitimate accounts and serve it from there.
Cisco has been analyzing the 'Vault7' data and has released a customer warning, pointing out a CVE that impacts around 300 of their products. While no fix is available at time of writing, Cisco has pointed out a few mitigation strategies. Since the vulnerability requires Telnet to be enabled, the simplest mitigation is to disable Telnet and use SSH instead.
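The Telnet mitigation is only as good as your inventory of which devices still accept it. The following is an added example, not Cisco's tooling or code from the post, that audits an IOS running-config for `line vty` blocks whose `transport input` still allows Telnet (`telnet` or `all`). The config text is constructed for the example; a vty block with no explicit `transport input` is reported for review because the platform default applies there.

```python
"""Added example, not Cisco's code: find vty lines in an IOS config that still
accept Telnet, the exposure behind the Vault7 CMP warning."""
from typing import Dict, List

# Constructed running-config for the example.
CONSTRUCTED_CONFIG = """\
hostname edge-sw-01
!
ip ssh version 2
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' header to its indented body lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the block
    return blocks


def audit_vty(config: str) -> List[Dict[str, str]]:
    """One finding per vty block: telnet-exposed, ok, or review (no explicit setting)."""
    findings = []
    for header, body in parse_line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        transports = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not transports:
            status, detail = "review", "no explicit 'transport input' (platform default applies)"
        else:
            allowed = set(transports[-1])  # last statement wins in IOS
            status = "telnet-exposed" if allowed & {"telnet", "all"} else "ok"
            detail = "transport input " + " ".join(transports[-1])
        findings.append({"line": header, "status": status, "detail": detail})
    return findings


def telnet_exposed(config: str) -> bool:
    return any(f["status"] == "telnet-exposed" for f in audit_vty(config))
```

The fix on each flagged block is `transport input ssh` (with `ip ssh version 2` set globally), which is what Cisco's mitigation amounts to; it closes the Telnet exposure but does not replace the eventual patch.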
More IoT exploits found, this time in the form of an actual backdoor in certain VOIP gateways. Hackaday revisits the topic of IoT Security, discussing both accidental and deliberate backdoors which, once known, then become usable for everyone.
Pwn2Own happened last week, and once again some enterprising hackers found exploits in a number of products. This year Google Chrome managed to escape without being exploited, but other major browsers did not share this fortune. Windows and macOS also fell victim to exploits. New this year was an exploit found for VMware Workstation, which was largely avoided last year. Mozilla managed to patch the flaw discovered in Firefox in a quick 22 hours.
Speaking of Firefox, I just learned that it now warns when a login form is served over an HTTP connection. This news seems to have spread primarily because Oil and Gas International filed a ticket with Mozilla complaining about the change. They claimed to have their own security system, which prompted reddit users to poke around and find a number of vulnerabilities, such as SQL injection, as well as noting that payments were processed in plaintext.
A common theme for the last year has been security products that end up compromising security, whether that be antivirus being exploited, products making it harder to implement browser security, or simply providing a larger attack surface.
The latest is a security issue that allows attackers to take over antivirus software. Dubbed 'DoubleAgent', as it turns the anti-virus against you, the exploit leverages Windows' 'Microsoft Application Verifier', which lets a malicious actor register their own verifier DLL to be loaded into the target process. Microsoft has provided a better mechanism in Windows 8.1+ (protected processes), which only allows properly signed code to be loaded.
This issue is not limited to antivirus products, however. A research paper entitled The Security Impact Of HTTPS Interception has prompted US-CERT to warn that security appliances performing TLS interception can themselves be security flaws: the devices man-in-the-middle TLS connections and frequently negotiate weaker cipher suites and protocol versions than the user's own client would (I wonder how many support TLS 1.3, which Chrome and Firefox already do). Vendors who sell these products happen to disagree.
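The paper's core observation is that when an appliance intercepts, the server sees the appliance's ClientHello, not the browser's, so what the server is offered is what actually protects the session. The following is an added example, not code from the paper, US-CERT or the post: it parses a ClientHello the way a server (or a test endpoint you stand up behind the appliance) would see it and grades the offered protocol ceiling and cipher suites. Both hellos are constructed locally with the block's own builder, and the weak-suite list is a starting point, not a policy.

```python
"""Added example, not from the paper or the post: parse and grade a TLS ClientHello
as received by the server, to see what an intercepting box really offers."""
import struct
from typing import Dict, List

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
WEAK_SUITES = {  # IANA ids; NULL, export, RC4 and 3DES suites
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXT_SUPPORTED_VERSIONS = 0x002B


def supported_versions_ext(versions: List[int]) -> bytes:
    """TLS 1.3 supported_versions extension: 1-byte list length, then 2-byte versions."""
    body = b"".join(struct.pack(">H", v) for v in versions)
    data = bytes([len(body)]) + body
    return struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(data)) + data


def build_client_hello(version: int, suites: List[int], extensions: bytes = b"") -> bytes:
    """Minimal, well-formed ClientHello record: zero random, empty session id, null compression."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"
    if extensions:
        body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(raw: bytes) -> Dict[str, object]:
    """Extract the highest offered version and the cipher suite list."""
    if raw[0] != 0x16 or raw[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    end = 9 + int.from_bytes(raw[6:9], "big")
    pos = 9
    legacy_version = struct.unpack(">H", raw[pos:pos + 2])[0]
    pos += 2 + 32                      # skip client random
    pos += 1 + raw[pos]                # skip session id
    cs_len = struct.unpack(">H", raw[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", raw[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + raw[pos]                # skip compression methods
    versions = [legacy_version]        # pre-1.3 clients signal their ceiling here
    if pos + 2 <= end:                 # extensions block is optional
        ext_end = pos + 2 + struct.unpack(">H", raw[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", raw[pos:pos + 4])
            data = raw[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                versions = [struct.unpack(">H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return {"max_version": max(versions), "suites": suites}


def assess_client_hello(raw: bytes) -> Dict[str, object]:
    """Acceptable = offers at least TLS 1.2 and none of the weak suites."""
    info = parse_client_hello(raw)
    weak = [WEAK_SUITES[s] for s in info["suites"] if s in WEAK_SUITES]
    return {
        "max_version": TLS_NAMES.get(info["max_version"], hex(info["max_version"])),
        "weak_suites": weak,
        "acceptable": info["max_version"] >= 0x0303 and not weak,
    }


# Constructed: what a current browser offers versus what a legacy middlebox might.
BROWSER_HELLO = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B, 0xC02F],
                                   supported_versions_ext([0x0304, 0x0303]))
MIDDLEBOX_HELLO = build_client_hello(0x0301, [0x0004, 0x000A, 0x002F])
```

Run against a real capture, the interesting comparison is between the hello the browser sends and the one your server receives: if they differ, something in the path re-originated the connection, and the second hello is the one whose grade matters.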
Google reviews the last year in Android Security, highlighting the decrease in malicious software due to their “Verify Apps” initiative, the security improvements they have made to Android itself, and their efforts to ensure the entire software chain gets security updates out faster.
In ransomware news:
After a year of brisk business, it seems that Locky is finally in decline, with no new versions discovered this year.
Part of Locky's decline is due to the disappearance of the Necurs botnet at the start of the year. Talos Intel reports that Necurs is back, but now pushing 'pump and dump' penny stock spam instead.
Posted on by Sean Smith
‘Vault7’ coverage continues this week:
WikiLeaks has apparently decided to follow ‘responsible disclosure’ and give access to exploits to the companies that have vulnerable products, allowing them time to create appropriate patches.
McAfee has apparently already written a scanner to check for compromised EFI Firmware, based on comments made in the Vault7 data set.
In other news:
More news on last year's Yahoo breach announcements: the FBI believes it is likely that initial access was gained by a spear-phishing attack on a semi-privileged user, allowing attackers to discover and then exfiltrate a tool that let some Yahoo employees generate authentication cookies to access users' accounts.
Some scanning of 'official' Docker Hub repositories indicates that a large number of those images have major vulnerabilities. Almost 11% have high-priority vulnerabilities present in the container, and the scan only covered ~68% of the 'official' repos and skipped a subset of operating systems (not supported by the scanning tool). While this doesn't make the containers directly exploitable, it certainly leaves a bigger attack surface. Docker Hub, at least, provides indicators on its site when an image contains a set of known vulnerabilities.
In similar news, researchers have analyzed a number of websites and found that 37% of them include outdated and vulnerable JavaScript libraries, many of them popular ones like jQuery and Angular.
Two new bug bounties have been announced: Intel has opened one that covers software and hardware, while Microsoft has launched one that provides access to Microsoft Office Insider Builds, allowing researchers to find vulnerabilities before new releases.
1Password has set up a very specific bug challenge called ‘bad poetry’, which is eligible for a whopping $100k bounty. The details of this are, unfortunately, invite only.
One developer writes about how awful our password policies are and lists several observations from building a new auth system. Length is the primary item he points out: raising the minimum password length to 10 characters invalidates 80% of the most common passwords in use today.
Check Point discloses vulnerabilities discovered in both Telegram and WhatsApp which would have allowed attackers to take over accounts by sending a user a malicious file that looks like an image.
More IoT devices are under siege, as a number of Dahua and Hikvision devices have been attacked using accessible credentials.
Google goes into how they detected, and shut down, the Chamois Android botnet, beginning with ad traffic analysis and ending with their Verify Apps program notifying affected users and allowing them to remove it.
Threatpost declares a decline in browser exploit kits, citing both stronger defenses as browsers improve their own security as well as some recent arrests causing groups to shut down operations.
For those who like reading up on the internals of malware, MalwareBytes has a good writeup of the Spora ransomware.
BleepingComputer covers RanRan, a ransomware that asked users to create a subdomain for decryption, as well as provided several ‘tiers’ (based on file size), to encrypt files.
Posted on by Sean Smith
Big news this week is the ‘Vault7’ dump of CIA exploits on Wikileaks. There is a lot of information, and I fully expect people to be picking it apart over the next few weeks, but some early things:
One Rapid7 engineer says that, at first glance, it mirrors the sorts of things he works on, including work on the Metasploit framework.
BleepingComputer has a few articles covering things like code reuse from existing malware, decoy applications to infect machines while under scrutiny, and indications of zero days for a number of security products.
In other news:
Leaked accounts came from an unexpected source this week when a security researcher found an unsecured backup of a spammer's database containing 1.37 billion email addresses. The backups also contain other files detailing the spamming operation itself.
SHA-1 collision research has continued, with researchers developing the BitErrant exploit, which lets them generate two executables that do different things but whose torrent chunks produce identical SHA-1 hashes, so BitTorrent cannot tell them apart.
Security researchers have done tests on a number of Android password managers finding 26 flaws across them, most allowing for leakage of secrets. At time of writing, all found vulnerabilities have been fixed.
HackerOne has announced their ‘community edition’, allowing open source projects to sign up to the service for free. The only caveat is that HackerOne will not provide the customer support they provide customers, but otherwise all tools are identical.
Google has announced they have wrapped up 'Operation Rosehub', where they identified 2600 unique open source projects that depended on a library with a particularly bad remote code execution bug. Google engineers took it upon themselves to patch these projects, promoting safety across the internet. This process took the better part of a year. They mention how they are able to use BigQuery to quickly identify known problems like this and figure out the overall scope.
HackerOne did an AMA on Reddit this week. If you missed it, there is some pretty good Q&A.
Talos Intel has started their own weekly malware roundup, composed of the threats they discovered in a given week that they might not otherwise have written about. One thing they DID go into depth about, though, is a malware strain that uses DNS records as a C&C channel.
Additionally, Talos reports on an exploit in Apache Struts where attackers can execute commands remotely by placing a malicious expression in the Content-Type request header. This is full remote code execution, and some malicious actors are using it to gain further access or install botnet agents and malware.
How could ransomware get smarter? One cryptographer performs a thought experiment on how ransomware could leverage automated systems to be more 'reliable' and autonomous via smart contracts, or more insidious by eventually leveraging hardware security features called secure enclaves.
Akamai reveals that some web caches may be subject to a 'Web Cache Deception Attack', whereby an attacker convinces a user to initiate a web request such that an intermediate cache erroneously caches a page containing sensitive information, believing the content is something else. This relies on the back-end web application interpreting the request differently than the cache does: the application returns the legitimate private page, while the cache, judging by the URL, believes it is cacheable static content. Attackers are then able to query the cache and potentially harvest session tokens and other sensitive information.
Sucuri has published their monthly lab notes, which contain a few interesting malware finds: a backdoor trying (unsuccessfully) to hide in a Google site verification file, malware that only worked in 2011 (and was only discovered now), and malware using exotic PHP functions to operate.
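Until a vulnerable Struts install is upgraded, the practical detection is to look at the Content-Type header itself, which normally carries only a media type and parameters and never expression syntax. The following is an added example, not Talos's code or from the post: it scans raw HTTP requests for OGNL markers in that header, undoing percent-encoding first because attackers double-encode to slip past naive string matches. The requests are constructed, the malicious samples are truncated and inert, and the marker list is a starting point rather than a complete signature.

```python
"""Added example, not from Talos or the post: flag requests whose Content-Type
header carries OGNL expression markers of the kind used against Apache Struts."""
import re
from typing import Dict, List
from urllib.parse import unquote

OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|#context|@ognl\.|@java\.lang\.|\.getRuntime\(|\(#cmd=",
    re.IGNORECASE,
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header name -> value, stopping at the blank line before the body."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (double-encoding is a common evasion)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def content_type_is_suspicious(value: str) -> bool:
    return bool(OGNL_MARKERS.search(decode_fully(value)))


def scan_requests(requests: List[str]) -> List[Dict[str, str]]:
    """Return the request line and (truncated) header for every suspicious request."""
    hits = []
    for raw in requests:
        request_line = raw.replace("\r\n", "\n").split("\n", 1)[0]
        ct = parse_headers(raw).get("content-type", "")
        if content_type_is_suspicious(ct):
            hits.append({"request": request_line, "content_type": ct[:80]})
    return hits


# Constructed requests: one benign upload, one plain OGNL probe, one double-encoded probe, one benign form post.
CONSTRUCTED_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#_memberAccess['allowStaticMethodAccess']=true).(#cmd='id')}\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %25%7B(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)%7D\r\n\r\n",
    "POST /login.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n",
]
```

This is a detection and virtual-patching aid only; the same check placed in front of Struts (rejecting any Content-Type that fails it) buys time, but the fix is upgrading Struts.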
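The attack above comes down to two components disagreeing about one URL. The following is an added example, not Akamai's code or from the post: a toy origin that routes on the first path segment (so `/account/nothing.css` renders the private account page) paired with a cache that decides cacheability by file extension, which leaks the victim's page to an anonymous second request; the same simulation is then run with each of the two fixes, a cache that only stores responses whose Content-Type matches the URL and an origin that 404s unknown trailing segments. Everything here (session store, paths, headers) is constructed, and no real framework or cache is involved.

```python
"""Added example, not from Akamai or the post: reproduce web cache deception with a
toy origin and cache, then show the cache-side and origin-side fixes."""
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]
App = Callable[[str, Dict[str, str]], Response]

SESSIONS = {"s3cr3t-victim": "alice@example.com"}  # constructed session store
STATIC_TYPES = {".css": "text/css", ".js": "application/javascript", ".png": "image/png"}


def _account_page(cookies: Dict[str, str], extra_headers: Dict[str, str]) -> Response:
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 302, {"Location": "/login"}, ""
    return 200, {"Content-Type": "text/html", **extra_headers}, f"<p>Account: {user}</p>"


def vulnerable_app(path: str, cookies: Dict[str, str]) -> Response:
    """Routes on the first segment only, so /account/anything.css still renders /account."""
    route = "/" + path.strip("/").split("/")[0]
    if route == "/account":
        return _account_page(cookies, {})  # no Cache-Control either
    return 404, {"Content-Type": "text/html"}, "not found"


def hardened_app(path: str, cookies: Dict[str, str]) -> Response:
    """Exact-match routing plus explicit no-store: a bogus suffix is a 404, never the private page."""
    if path == "/account":
        return _account_page(cookies, {"Cache-Control": "private, no-store"})
    return 404, {"Content-Type": "text/html"}, "not found"


class NaiveCache:
    """Caches any 200 whose URL *looks* static, regardless of what actually came back."""

    def __init__(self, app: App):
        self.app, self.store = app, {}

    def cacheable(self, path: str, resp: Response) -> bool:
        return resp[0] == 200 and any(path.endswith(ext) for ext in STATIC_TYPES)

    def get(self, path: str, cookies: Dict[str, str]) -> Tuple[Response, bool]:
        """Return (response, served_from_cache)."""
        if path in self.store:
            return self.store[path], True
        resp = self.app(path, cookies)
        if self.cacheable(path, resp):
            self.store[path] = resp
        return resp, False


class StrictCache(NaiveCache):
    """Stores only when the response agrees with the URL: the Content-Type matches the
    extension and no Cache-Control directive forbids shared caching."""

    def cacheable(self, path: str, resp: Response) -> bool:
        status, headers, _ = resp
        cc = headers.get("Cache-Control", "")
        if status != 200 or "private" in cc or "no-store" in cc:
            return False
        expected = next((t for ext, t in STATIC_TYPES.items() if path.endswith(ext)), None)
        return expected is not None and headers.get("Content-Type") == expected


def simulate(app: App, cache_cls) -> str:
    """Victim (logged in) is lured to /account/nothing.css; the attacker then fetches it
    anonymously. Returns whatever the attacker got from the cache, or '' if nothing was cached."""
    cache = cache_cls(app)
    lure = "/account/nothing.css"
    cache.get(lure, {"session": "s3cr3t-victim"})
    (_, _, body), from_cache = cache.get(lure, {})
    return body if from_cache else ""
```

Either fix alone stops the leak here, but they fail independently in production: an origin cannot rely on every cache in front of it honouring Cache-Control, and a cache cannot know every origin's routing rules, so do both.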