Imagine having gone to the trouble of paying for and setting up security products, only to find they weren't running at all. Malware authors are imagining exactly that, and making it a reality. BleepingComputer details CertLock, a malware strain that prevents security programs from being installed or from running by adding the vendors' code-signing certificates to the Windows Disallowed certificate store; Windows then treats anything signed with those certificates as untrusted and refuses to launch it. Going further, it adds a list of vendor update domains to the device's hosts file, pointing them at localhost and breaking updates.
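As an added example (my own, not code from the BleepingComputer write-up or from the malware), the following PowerShell audits the two places CertLock tampers with. The vendor name list is a constructed, illustrative set, and the `Get-DisallowedSecurityVendorCerts` and `Get-HostsFileLoopbackEntries` function names are mine:

```powershell
# Added example (my own, not from the BleepingComputer write-up or the malware): audit the
# two places CertLock tampers with. Run in an elevated PowerShell session.

# Name fragments of security vendors to look for in the Disallowed store. Constructed,
# illustrative list; replace it with the publishers of the products you actually run.
$SecurityVendors = @('Avast', 'AVG', 'Bitdefender', 'ESET', 'Kaspersky', 'Malwarebytes',
                     'McAfee', 'Sophos', 'Symantec', 'Trend Micro')

function Get-DisallowedSecurityVendorCerts {
    # Certificates in the machine-wide Disallowed store are explicitly distrusted: a binary
    # or installer Authenticode-signed with one of them will not run. Microsoft does push
    # genuinely revoked certificates here too, so treat a match as a lead, not a verdict.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed | ForEach-Object {
        $cert = $_
        foreach ($vendor in $SecurityVendors) {
            if ($cert.Subject -like "*$vendor*") {
                [pscustomobject]@{ Vendor = $vendor; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
                break
            }
        }
    }
}

function Get-HostsFileLoopbackEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Any hostname other than localhost pointed at a loopback or null address is out of place;
    # CertLock uses exactly this to blackhole the vendors' update servers.
    $pattern = '^\s*(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0\.0\.0\.0|::1)\s+([^\s#]+)'
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match $pattern -and $Matches[2] -notin @('localhost', 'localhost.localdomain')) {
            [pscustomobject]@{ Address = $Matches[1]; Host = $Matches[2]; Line = $_ }
        }
    }
}

# Report. An empty result from both functions is the expected state on a clean host.
Get-DisallowedSecurityVendorCerts | Format-Table -AutoSize
Get-HostsFileLoopbackEntries      | Format-Table -AutoSize
```

Once you have confirmed that a listed certificate really belongs to a vendor you trust, `Remove-Item -Path Cert:\LocalMachine\Disallowed\<Thumbprint>` takes it back out, and the hosts lines can simply be deleted. The Disallowed store is backed by the registry under `HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates`, so an endpoint detection rule that alerts on writes to that key by anything other than Windows Update catches this technique at the moment it happens rather than after the fact.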
Microsoft provides another security update for out-of-support versions of Windows this week, including XP, Vista and Server 2003, to protect against three more exploits from the Shadow Brokers dump. Microsoft believes the threat level of these exploits is severe enough to warrant wider distribution of the patches, but points out that the best protection is to stop using end-of-service versions of Windows. All told, Microsoft released fixes for 97 vulnerabilities across its products, 17 of them rated Critical. Microsoft has also announced that SMBv1 will be disabled by default in future Windows versions.
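There is no reason to wait for Microsoft to turn SMBv1 off for you. As an added example (my own, not Microsoft's code), the following PowerShell reports whether a host still speaks SMBv1 on either side and disables it; the function names `Get-Smb1Status` and `Disable-Smb1` are mine, and the registry and `sc.exe` fallbacks are the method Microsoft documents for Windows 7 and Server 2008 R2, where the SmbShare module does not exist:

```powershell
# Added example (my own, not Microsoft's code): report whether SMBv1 is still enabled on
# this host, and disable it. Run in an elevated session.
$LanmanServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later ship the SmbShare module.
        $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: the registry value Microsoft documents.
        # When the value is absent, SMB1 is enabled.
        $v = Get-ItemProperty -Path $LanmanServerParams -Name SMB1 -ErrorAction SilentlyContinue
        $serverSmb1 = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    # Client side: mrxsmb10 is the driver that lets this host talk SMB1 to other machines.
    # Start = 4 means disabled; a missing key means the component has been removed.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerAcceptsSmb1 = [bool]$serverSmb1
        ClientSpeaksSmb1  = ($null -ne $drv -and $drv.Start -ne 4)
    }
}

function Disable-Smb1 {
    # Server side: stop accepting SMB1 from clients.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanServerParams -Name SMB1 -Type DWord -Value 0
    }
    # Client side, as documented by Microsoft: drop mrxsmb10 from the workstation
    # service's dependencies and disable the driver. 'sc' alone is an alias for
    # Set-Content in PowerShell, hence sc.exe.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # Where SMB1 is an optional component (Windows 8.1 / 10), remove it entirely.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Get-Smb1Status
# Disable-Smb1; then reboot and run Get-Smb1Status again to confirm both values are False.
```

Two caveats. On Windows Server, the optional component is managed with `Get-WindowsFeature FS-SMB1` and `Remove-WindowsFeature FS-SMB1` rather than the DISM cmdlets. And the very systems this week's patches target, XP and Server 2003, have no SMBv2 at all, so disabling SMBv1 there means no file sharing whatsoever; for them the only options are the out-of-band patch and retirement.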
Interested in a deeper dive into memory-resident malware? Endgame delivers one this week, covering known attacker techniques as well as the difficulty of detecting them.
Microsoft has discovered malware that abuses Intel's Active Management Technology (AMT), specifically its Serial-over-LAN channel, to move data off a machine. Because AMT runs in the chipset's management engine below the operating system, traffic through it bypasses the host's network stack and any host-based monitoring or firewall operating at that level. Note that the malware does not exploit AMT; it abuses a feature that was already provisioned on the victim, so the defensive questions are whether AMT is enabled on machines that do not need it, and whether your network-side monitoring, which AMT traffic cannot bypass, would notice it.
More and more malware is targeting Apple computers. Fortinet researchers recently stumbled across MacRansom, a macOS ransomware-as-a-service portal. After corresponding with the author they were given a sample, which they then analyzed. Sadly, it looks like victims will be unable to decrypt their files even if they pay: part of the encryption key is generated randomly on the victim's machine, and there is no outbound communication to a C&C, so the key is never sent to anyone, the author included.
In some alarming news this week, a security researcher has disclosed man-in-the-middle vulnerabilities in several iOS applications. The applications talk to their backend services over connections that an attacker on the same network can intercept, allowing login credentials to be captured. The apps in question unfortunately range from grocery deals to voting and banking apps.
The Internet of Things has been demonstrated to be the Internet of VULNERABLE Things over the last year. Talos Intelligence provides both a retrospective and advice for companies purchasing internet-connected devices. Case in point: yet another batch of internet-enabled web cameras has been shown to be riddled with vulnerabilities.
Who turned off the light? Researchers at Dragos and ESET have released their reports on the CrashOverride malware (ESET calls it Industroyer) that caused an electricity outage in Kiev in December 2016. The malware can control substation switches and circuit breakers directly because it speaks the industrial communication protocols used worldwide in power supply infrastructure, transportation control systems and other critical infrastructure; those protocols were designed without authentication, so the malware only has to issue legitimate-looking commands. Its creators built in features to keep it under the radar, keep it persistent, and wipe its traces once the job is done.
This week marks an important milestone for Android malware: code injection. Researchers at Kaspersky found an app named 'Dvmap' that installs its malicious modules and injects code into the system runtime libraries, gaining root access and making itself harder to detect. The malware still appeared to be in a testing phase: the researchers saw the authors push the malicious components for short periods before replacing them with a clean version.
Finally, if you're into cryptocurrencies, do yourself a favor and avoid using Jaxx as your bitcoin wallet. The wallet has a security flaw that allows an attacker to steal the recovery phrase even when the wallet is protected with a PIN and a strong password. How is that possible? The wallet encrypts the stored phrase with a key built into the application itself; the PIN and password never enter into that key, so they gate the user interface but not the data on disk. A few lines of script are enough to decrypt the recovery phrase, after which the attacker can restore the wallet elsewhere along with all the cryptocurrency it holds. Reported losses so far total 400k.
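The flaw is a design pattern rather than a single bug, so here it is as an added PowerShell example of my own (not Jaxx's code or the researcher's script), using the .NET AES and PBKDF2 classes. The first half is the design described above: one key embedded in the application, the PIN and password never involved. The second half derives the key from the password instead. The sample phrase, the embedded app key, the passwords and the iteration count are constructed values, and `Protect-WithKey`, `Unprotect-WithKey` and `Get-KeyFromPassword` are my names:

```powershell
# Added example (my own, not Jaxx's code): the same recovery phrase encrypted two ways.
# Constructed sample phrase; not a real seed.
$Phrase = [System.Text.Encoding]::UTF8.GetBytes('abandon abandon abandon abandon about')

function Protect-WithKey {
    param([byte[]]$Plaintext, [byte[]]$Key)
    # AES-256-CBC with PKCS7 padding (the Aes.Create() defaults) and a fresh random IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    return [pscustomobject]@{ IV = $aes.IV; Ciphertext = $ct }
}

function Unprotect-WithKey {
    param($Blob, [byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV = $Blob.IV
    return $aes.CreateDecryptor().TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
}

# --- Weak design: one key for every installation, baked into the application binary.
#     Constructed value; the point is that it is a constant, not what the constant is.
$AppKey = [byte[]](1..32)
$weakBlob = Protect-WithKey -Plaintext $Phrase -Key $AppKey
# An attacker with the wallet file and a copy of the app has everything. No PIN, no password.
$stolen = [System.Text.Encoding]::UTF8.GetString((Unprotect-WithKey $weakBlob $AppKey))
"weak design, recovered without any password: $stolen"

# --- Hardened design: the key exists only while the user's password is available.
function Get-KeyFromPassword {
    param([string]$Password, [byte[]]$Salt, [int]$Iterations = 600000)
    # PBKDF2-HMAC-SHA256. The salt is random and stored in the clear; the password is the
    # only input the attacker does not have. Iteration count is a constructed, illustrative value.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $Salt, $Iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    return $kdf.GetBytes(32)
}

$salt = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
$strongBlob = Protect-WithKey -Plaintext $Phrase -Key (Get-KeyFromPassword 'correct horse battery staple' $salt)
# What lands on disk: salt, IV, ciphertext. None of them helps without the password.
try {
    $junk = Unprotect-WithKey $strongBlob (Get-KeyFromPassword 'wrong-guess' $salt)
    "hardened design, wrong password: decryption returned $($junk.Length) bytes of garbage, not the phrase"
} catch [System.Security.Cryptography.CryptographicException] {
    'hardened design, wrong password: decryption failed (padding check)'
}
$ok = [System.Text.Encoding]::UTF8.GetString((Unprotect-WithKey $strongBlob (Get-KeyFromPassword 'correct horse battery staple' $salt)))
"hardened design, right password: $ok"
```

Two things worth noting about the hardened half. A PBKDF2 iteration count high enough to make brute force slow is what turns a short PIN from useless into merely weak, so the password, not the PIN, should be what feeds the KDF. And CBC with PKCS7 only fails loudly on a wrong key most of the time; in a real wallet you would add an authentication tag (AES-GCM, or encrypt-then-HMAC) so that a wrong password is rejected deterministically and a tampered file is detected.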
Tags: exploits, internetofthings, malware, mobile, patchingcadence