Security Roundup - 2017-02-09

Kaspersky details a sophisticated malware attack , where attackers used a variety of free tools to load programs directly into memory and grant remote access. This allowed attackers to obscure their identity, as well as made it harder for their work to be detected. Kaspersky states this is getting more common, making memory forensics something to consider.

For some more benign hacks due to devices exposed to the internet with default passwords:

IP streamers used to play music for radio stations was compromised to play a specific song for 15 minutes. Rapid 7 also did some extra digging and provides details.

One prankster caused a number printers to print out messages telling users that their device was part of a botnet.

Also a few unauthenticated API exploits were noticed this week:

The first is in McAfee ePolicy Orchestrator, which would allow an attacker to dump information from the server, or pretend to be a client in order to dump information about the client.

Honeywell SCADA controllers had a number of bugs which allowed an attacker to retrieve a password in plain text and then use it to log in.

Sophos disclosed a subtle bug in the new Wordpress API system that would allow someone without privileges to update any blog post. This vulnerability has been patched, but after the word got out plenty of Wordpress instances were defaced.

In other news:

SSL hits a big milestone, where now more than 50% of user traffic (according to telemetry data from Firefox) is now encrypted. This is, in large part, due to more large players encrypting all of their traffic by default, but indicates that using SSL only is becoming the norm, rather than the exception.

Etsy has an in depth article on the many steps they make to ensure Private TLS certificates they use are secure, which is interesting for any system where you need to keep information particularly secure.

Ars Technica has an article on how Google took on Mirai by admitting KrebsOnSecurity.com to Project Shield. The article provides some additional insight into what sorts of attacks they were seeing, once Google took over.

Meanwhile, Mirai apparently received an update, now targeting Windows! Infected Windows agents are used to figure out passwords of other systems and spread the botnet. Also apparently part of it are breaking into databases, presumably to steal information.

Following the success of bug bounty programs for public companies, reports indicate that some dark net markets are doing the same.

Checkpoint indicates they are seeing a resurgence of Slammer, the worm that was primarily active in 2013 and has been largely dormant since.

Written on February 9, 2017