Security Roundup - 2017-07-13

Posted on  by , , and

A breach involving credit card information occurred this week, and Troy Hunt contrasts the company’s response with the 5 stages of grief. Troy promptly posted a follow up on Data Breach coverups, as he has started seeing more and more companies opt to not inform customers of breaches /deny that breaches are as bad as they really are.

Checkpoint has provided the technical details of the “subtitle as an attack vector” discovery a month and a half ago. The various media players were actually exploited in different ways, though the vector of subtitle was the same in each case. 2 of the media players rely on them being able to render HTML from a subtitle file. Another involved parameter overloading, allowing a malicious attacker to actually overwrite functionality in the media player itself (to introduce a backdoor or other exploit). Finally, VLC’s exploits were much, MUCH more involved, with a much more carefully crafted payload to corrupt system memory and execute an arbitrary command.

Matthew Bryant, a security engineer at Uber, has been interested in methodologies in taking over complete Top Level Domain infrastructure. His research paid off recently when he discovered that several of the .io TLD name servers were up for grabs, their DNS entries having erroneously expired. He registered one in order to validate that this is indeed possible and upon realizing what had just occurred, reached out to the TLD’s to report the issue. After discovering the TLD’s support email was offline, he registered the rest of the available name servers to prevent a malicious entity from doing so, ultimately gaining control of more than 50% of the listed name servers.

Talos Intel has noticed a new, novel exploit mechanism for phishing emails. Rather than the payload being in the email, the exploit tries to download the payload over SMB, in an effort to also harvest user credentials.

Researchers at Recorded Future have discovered a new SQL injection scanner platform based on the Arachni Scanner product. Dubbed Katyusha, the scanner makes it easy to automate exploit discovery, and is somewhat novel as it allows users to control and receive results from the tool using Telegram.

MalwareBytes has released a “CyberCrime tactics and techniques” report for Q2. Unsurprising to this writer, there is quite a bit of ransomware coverage. All told, it is a fairly good reminder of all the incidents that have occurred over the last few months. Some facts: Tool leaks seem to be in vogue, between ShadowBrokers and Vault7. Expect to see more of these this year, and the chaos that ensues after. Mac Malware has hit an all time high, with more malware families appearing the first half of this year than all of last year. Browser exploit kits have stagnated, as browsers tighten up security, and some high profile arrests for those involved in their creation have occurred. Rate of breaches continues to accelerate, with more damaging information being regularly released, including financial details of users.

AVTest has put up a similar report, though annual in scope. Their 2016/2017 Security Report report is interesting, in that there is an overall downward trend in malware (though still 4 new samples a second!!), and that Ransomware only accounted for 1% of malware strains they observed, calling it ‘more of a marginal phenomenon’. There is also a heavy focus on the Android space, pointing out that discovered malware strains for Android have more than doubled year after year.

Kaspersky Lab also coincidentally released a Ransomware report recently, which lends itself to this being a growing problem with the number of impacted users having doubled year over year. However, that does mean that just over 1 million users were impacted by Malware in the 2016/2017 area they measured. They also pointed out that ransomware is evolving from “spray and pray” for the average user, and evolving into much more targeted attacks on businesses, who can ill afford the disruption to their day to day activities. Finally, ransomware is becoming commoditized, with more and more ‘ransomware-as-a-service’ groups popping up, causing not necessarily friendly competition

WikiLeaks published more Vault 7 materials this week, unveiling 2 exploits that attempt to steal SSH credentials and session data by hooking into SSH clients. The first exploit, called BothanSpy, targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials and keys for all active SSH sessions. The exploit can exfiltrate the keys to a control server or save them in an encrypted file. The CIA also created a similar exploit for Linux platforms. This exploit is called Gyrfalcon and it’s capable of stealing credentials of active OpenSSH sessions but also collecting session traffic. All the data can be stored on the local machine for later exfiltration.

Android users beware! A researcher uncovered a critical vulnerability, dubbed “Broadpwn,” in family of Broadcom WiFi chips present in millions of Android devices. The CVE could allow a party within wifi range of a device to gain access to the system and execute arbitrary code. Google is the only company that has released a patch to address Broadpwn so far, and any Android users who did not receive this month’s patch should only connect to trusted wifi networks. iOs devices are affected by the same CVE, but there is too little information available at this point to determine breadth of Apples devices affected or the availability of a patch. More information about Broadpwn will be presented at the Blackhat conference in Las Vegas at the end of July.

In other Android vulnerability news, a strain of malware called CopyCat affected 14 million devices in April and May 2016, primarily in Southeast Asia. The malware strain attempts to gain root privileges, and thus total access to activities on the phone, allowing it to do things such as perform ad fraud. Researchers believe this netted the operators up to $1.5 million dollars in a 2 month time period.

breaches dns exploits mobile ransomware reports