Security Roundup - 2017-07-20


To start, if you need some summer reading, Humble Bundle has a CyberSecurity collection at a ridiculously low price this week.

After last week’s .io TLD takeover, the last thing I would expect is a follow-up a week later. However, this week saw numerous domains hijacked after an attacker compromised part of a provider and introduced a rogue DNS server, redirecting traffic to other servers in order to drive users to malware-laden sites. The attack ultimately impacted 751 domains across 34 TLDs for up to 2.5 hours.
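A hijack like the one above shows up as answers that no longer match what the domain owner expects. The following is an added example (not code from the original post): it compares resolver answers against a pinned baseline of authorised nameservers and apex addresses, and flags any domain whose observed records contain names or addresses the baseline never authorised. The domains, nameserver names and addresses are constructed sample data; a live version would fill `OBSERVED` from a resolver.

```python
"""Detect DNS answer drift against a pinned baseline (added example)."""
from __future__ import annotations

from dataclasses import dataclass


def norm(name: str) -> str:
    """Canonicalise a DNS name: lower-case, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


@dataclass(frozen=True)
class DnsSnapshot:
    ns: frozenset[str]  # authoritative nameserver names for the zone
    a: frozenset[str]   # IPv4 answers for the zone apex

    @classmethod
    def of(cls, ns, a) -> "DnsSnapshot":
        return cls(frozenset(norm(n) for n in ns), frozenset(a))


@dataclass(frozen=True)
class DriftReport:
    domain: str
    unexpected_ns: frozenset[str]
    missing_ns: frozenset[str]
    unexpected_a: frozenset[str]
    missing_a: frozenset[str]

    @property
    def hijack_suspected(self) -> bool:
        # Records the baseline never authorised are the signal that matters;
        # a missing record on its own is more likely an outage than a hijack.
        return bool(self.unexpected_ns or self.unexpected_a)


def compare(domain: str, baseline: DnsSnapshot, observed: DnsSnapshot) -> DriftReport:
    """Set-difference the observed answers against the baseline in both directions."""
    return DriftReport(
        domain=domain,
        unexpected_ns=observed.ns - baseline.ns,
        missing_ns=baseline.ns - observed.ns,
        unexpected_a=observed.a - baseline.a,
        missing_a=baseline.a - observed.a,
    )


def check_all(baseline: dict[str, DnsSnapshot],
              observed: dict[str, DnsSnapshot]) -> list[DriftReport]:
    """Return a report for every baselined domain whose answers look hijacked."""
    reports = []
    for domain, expected in baseline.items():
        seen = observed.get(domain)
        if seen is None:
            continue  # no answer at all: an outage, tracked separately
        report = compare(domain, expected, seen)
        if report.hijack_suspected:
            reports.append(report)
    return reports


# Constructed sample data (RFC 5737 / RFC 2606 ranges, not real infrastructure).
BASELINE = {
    "shop.example": DnsSnapshot.of(
        ns=["ns1.legit-dns.example", "ns2.legit-dns.example"],
        a=["203.0.113.10", "203.0.113.11"]),
    "docs.example": DnsSnapshot.of(
        ns=["ns1.legit-dns.example", "ns2.legit-dns.example"],
        a=["203.0.113.20"]),
}

OBSERVED = {
    # Hijacked: a rogue nameserver appears and the apex now points elsewhere.
    "shop.example": DnsSnapshot.of(
        ns=["NS1.LEGIT-DNS.EXAMPLE.", "ns-rogue.attacker.invalid"],
        a=["198.51.100.7"]),
    # Healthy: same answers, only case and trailing dot differ.
    "docs.example": DnsSnapshot.of(
        ns=["Ns1.Legit-Dns.Example", "ns2.legit-dns.example."],
        a=["203.0.113.20"]),
}

if __name__ == "__main__":
    for r in check_all(BASELINE, OBSERVED):
        print(f"{r.domain}: unexpected NS {sorted(r.unexpected_ns)}, "
              f"unexpected A {sorted(r.unexpected_a)}")
```

Run it from several vantage points (different recursive resolvers, different networks) rather than once, since a rogue server injected at one provider will not necessarily be visible from everywhere; comparing the answers across vantage points is the same set difference applied between snapshots.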

Another week brings another tale of slow patching cadence. This week’s story comes from Talos Intel, who decided to track the fix rate of a specific memcached bug they disclosed, and which was fixed, last year. Over a six-month period they saw only a 10% change in vulnerable servers, despite having proactively contacted system owners. More discouragingly, a portion of the servers appeared to have been shut down, yet the overall vulnerability rate remained stable, indicating either that IP addresses changed or that new vulnerable systems were deployed.
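The distinction Talos draws, between a headline "how many are vulnerable" count and what actually happened to the hosts you first found, is easy to lose in a single percentage. The following is an added example (not Talos's tooling or data): it takes two scan snapshots and splits the original vulnerable cohort into remediated, still vulnerable and gone, separately from newly observed vulnerable hosts, so the cohort fix rate can be read side by side with the headline change. All addresses are constructed sample values.

```python
"""Cohort view of two vulnerability-scan snapshots (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Churn:
    remediated: frozenset[str]       # in the first cohort, reachable now, no longer vulnerable
    still_vulnerable: frozenset[str]  # in the first cohort, still vulnerable
    gone: frozenset[str]              # in the first cohort, not reachable at all now
    new_vulnerable: frozenset[str]    # vulnerable now but not in the first cohort

    @property
    def cohort_size(self) -> int:
        return len(self.remediated) + len(self.still_vulnerable) + len(self.gone)

    @property
    def fix_rate(self) -> float:
        """Share of the original cohort confirmed fixed (hosts that vanished do not count)."""
        return len(self.remediated) / self.cohort_size if self.cohort_size else 0.0

    @property
    def headline_change(self) -> float:
        """Naive change in the vulnerable count, which hides churn entirely."""
        now = len(self.still_vulnerable) + len(self.new_vulnerable)
        return (now - self.cohort_size) / self.cohort_size if self.cohort_size else 0.0


def churn(before_vulnerable: set[str], after_vulnerable: set[str],
          after_reachable: set[str]) -> Churn:
    """Classify every host in the first scan's vulnerable set using the second scan."""
    before = frozenset(before_vulnerable)
    after = frozenset(after_vulnerable)
    reachable = frozenset(after_reachable)
    return Churn(
        remediated=(before & reachable) - after,
        still_vulnerable=before & after,
        gone=before - reachable,
        new_vulnerable=after - before,
    )


# Constructed sample: ten vulnerable hosts in the first scan (192.0.2.0/24 is
# a documentation range). In the second scan one host is patched, two have
# disappeared, seven are unchanged and two previously unseen hosts are vulnerable.
SCAN_1_VULNERABLE = {f"192.0.2.{i}" for i in range(1, 11)}
SCAN_2_REACHABLE = (SCAN_1_VULNERABLE - {"192.0.2.9", "192.0.2.10"}) | {"192.0.2.11", "192.0.2.12"}
SCAN_2_VULNERABLE = {f"192.0.2.{i}" for i in range(2, 9)} | {"192.0.2.11", "192.0.2.12"}

if __name__ == "__main__":
    c = churn(SCAN_1_VULNERABLE, SCAN_2_VULNERABLE, SCAN_2_REACHABLE)
    print(f"headline change {c.headline_change:+.0%}, cohort fix rate {c.fix_rate:.0%}, "
          f"gone {len(c.gone)}, new {len(c.new_vulnerable)}")
```

In the constructed data the headline count drops by 10% while only one of the ten original hosts was actually fixed, and the two newcomers almost cancel the two that vanished; that is the pattern the paragraph describes, and the cohort view is what makes it visible.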

With so many devices on the internet, a vulnerability in a software package shared across devices can pose a serious cross-device threat. That is what security researchers found this week with a flaw in a library called gSoap, used by many brands of security cameras, networking equipment, sensors and other IoT devices. If a malicious payload is sent to the device, the attacker can execute code and take over the device. Thankfully, the payload size is 2GB, which reduces the ‘drive by’ potential against devices but still leaves room for targeted attacks. The company behind gSoap promptly patched its software, but upgrading the individual devices is left to the companies that produce them and to the device owners themselves. At least 34 device makers are paying customers of the library in question, which translates fairly easily into thousands of devices.

Troy Hunt has been following SSL trends, and last week sparked a large discussion around the value of Extended Validation certificates. Partly prompted by the uptick in Let’s Encrypt adoption, the decrease in certificates issued by traditional Certificate Authorities, and recent comments about the “dangers” of free certificates, Troy distils a long conversation into a still very long, but definitely interesting, post. Ultimately, it seems that the majority of users are not sure what EV certs are, so what are the tangible benefits?

Interested in the inner workings of Malware? Endgame Security has the post for you this week with “Ten Process Injection Techniques”, diving deep into various ways that malware hides its activities by getting other processes to run its payload.

Trend Micro recently discovered the third iteration of a piece of malware named GhostCtrl. This malware is a variant of the commercially available OmniRAT and is generally hidden inside another, fake application. Once a device is infected, it allows an attacker to control many aspects of it, including Wi-Fi, and it is able to record audio and video as well as intercept texts and upload them to its C&C server.

Akamai goes over the “Myth of the Self Tuning/Machine Learning Web Application Firewall”, discussing the trade-offs between false positive and false negative rates, serviceability and security.

In the last few weeks we have noticed a few cryptocoin-based security issues.

The first is the recent “Initial Coin Offering” of CoinDash. An “Initial Coin Offering” is when a new cryptocoin fund starts up and seeks investors. In recent months, many such ICOs of dubious nature have taken place, raising funds in the hundreds of millions. Even though many of the ICOs have little, if anything, to show for themselves, the fact that previous ICOs have made investors an impressive ROI seems to keep bringing in new investors looking to make a quick buck. In the CoinDash case, it was hackers who sought to make a quick buck, hacking CoinDash’s official homepage just minutes prior to their token sale. The hacker altered the Ethereum wallet address to which prospective buyers were meant to send their Ethereum, and about $7.7m was sent to the altered address. Many have voiced outrage at CoinDash’s seeming lack of secure practices even before the ICO took place.

The second involves a cryptocoin wallet implementation with an exploitable bug that allowed a hacker to siphon funds from wallets that had been set up as multi-signature wallets. Several projects using Ethereum and this wallet type were impacted, to the tune of $30m.

books cryptocoin dns internetofthings patchingcadence ransomware tls