Security Roundup - 2016-12-08

Botnets might get a big influx in nodes this holiday season as researchers have discovered hard coded credentials in 80 Sony IP cameras. Sony has released a fix to remove this ‘debugging code’, but user’s still have to apply the updates.

A mobile malware strain called Gooligan has been making the rounds. Using unpatched exploits on older versions of Android, it roots the device to gain admin access, allowing it to download additional applications in the background to do things like steal information, install adware, and interact in the Google ecosystem as the user. Checkpoint has indicated that over 1 million accounts are impacted.

Duo does an analysis of their data to see if 2FA over SMS has decreased since NIST suggested it is insecure. Overall, it appears that in the 2 months since the announcement there has been no marked decrease so far, but overall SMS as a factor seems to be declining over the year in favor of methods like Universal 2 Factor (U2F) and Duo Push.

Researchers have discovered some attack vectors for credit cards which would allow attackers to repeatedly guess at details by distributing hundreds of guesses across eCommerce systems, allowing them to figure out information in seconds. MasterCard users will apparently have fraudulent activity lockdowns that occur after 100 tries. Visa, unfortunately, does not apparently have a similar lockdown.

The FBI has apparently stuck a major blow against the Avalanche botnet, taking ownership of 800K domains used by the DGA as well as seizing and shutting down servers suspected of being C&C nodes.

DeepDotWeb dives into the latest Locky mechanism where a specially crafted SVG image can direct users to malware, exploring the image itself and the browser extension it prompts users to install.

Similarly, Ars Technica explores some malware that was hidden in pixel ad banners on a variety of sites. The malware resides in a heavily obfuscated javascript file, but the actual malicious payload occurs when it loads an ad image that contains hidden malicious instructions.

BleepingComputer rounds up the ransomware. New this week: Screen lockers, tech support scams, new ransomware variants, including one that uses GPG to encrypt files.

Security Roundup - 2016-12-01

cURL, an open source program/library used by many open source projects, recently underwent a security audit from Mozilla’s Secure Open Source initiative. Overall 23 issues were proactively identified and fixed, prior to a ‘Heartbleed’ like event the initiative was created in reaction to.

In a post Mirai world, Fortinet delves in to managing the attack surface of Smart Cities in the world of tomorrow.

Deutsche Telekom customers have had their modems targeted this week, knocking users off the internet. Researchers from the SANS institute indicate that left unchecked these routers could be compromised and become part of a botnet. Deutsche Telekom has apparently already pushed out a fix. Rapid7 has a summary of some of the raw data.

Firefox user’s should update, as Mozilla has fixed a 0-Day that was used to de-anonymize users. While this is important for TOR users specifically, researchers indicate the payload could also have been used to execute malware. Endpoint Security provides an in-depth technical writeup.

On the importance of maintaining and monitoring your third party accounts, it appears as though a small number of MailChip accounts were broken into and used to send malicious attachments. Mailchimp does offer 2FA, making it easier for user’s to secure their accounts.

Proving that pretty much anyone can be a victim of Ransomware, SF MUNI was a victim to HDDCryptor. MUNI suggests that there was no actual breach, and no data was stolen, nor were actual transit systems impacted. KrebsOnSecurity has already been provided some information on the hacker in the form of emails from his email account, which someone has hacked. These provide details into the number of companies impacted, as well as the techniques the attacker used.

BleepingComputer brings the rest of the Ransomware Roundup. Nothing particularly ‘new’ this week, but still plenty of variants, new versions, and decryptors.

Security Roundup - 2016-11-23

Happy Thanksgiving! I just found out that DerbyCon 2016 videos have been up for over a month, and DefCon 24 videos went up in the last week, so I know what I am going to be filling SOME of my time this weekend.

Some internet of things news:

Several Siemen’s branded CC TV cameras are vulnerable to a bug that would allow attackers to gain admin credentials.

Similarly, security researcher Robers Stevens recently purchased an IP based camera and decided to see how quickly it was compromised. In under 2 minutes he had details on how some attackers were exploiting and what they were doing once they gained control.

Some phone related problems were mentioned this week including:

An insecure update mechanism for a number of phones which could operate as a rootkit to execute arbitrary system commands.

An unknown set of phones regularly sends user data to servers in China. The company responsible declares it was a mistake, intended for Chinese devices, but it unfortunately impacts some US ones as well. The company in question has also suggested they have taken steps to correct, including distruction of the data, but as of this time they have not detailed which devices might actually be impacted.

Qualcomm has opened up a bug bounty program for their Snapdragon processors used to power multiple mobile devices.

In a follow up on a previous article on how he validates data breaches, Troy Hunt reiterates why alleged data breaches need to be validates, before being shared as such. It all comes down to publicity, who wants it and how easy it might be to just make up/relabel data to gain it.

In a somewhat similar vein, O’Reilly hosts an article on the challenges of validating attack detection methods. Challenges include tainted data, a variety of datasets, attacks in the wild being perhaps detected so rarely as to provide too small a sample set, and no incentive for defenders to share their overall raw data to provide data scientists better data.

Akamai released their Q3 State of the Internet Report. Unsurprising at this point, DDoS attacks are up with a 138% increase of attacks

100 Gbps YoY and a 58% increase QoQ. They have also noticed a downward trend of NTP reflection attack volume, from upwards to 40 Gbps in 2014 to 700 Mpbs in 2016, this decrease is attributed to organizations patching their servers to mitigate known problems that allowed these attacks.

CheckPoint labs provides their ‘October Most Wanted Malware List’, where they see a 5% growth in families and distribution over the course of the month. Zeus and Locky continue to be prevalent in the ranks, though Conficker is still #1 after several months.

Ars Technica reports on one researcher’s discovery of subtle bugs in a linux audio processing library. With it, the researcher was able to craft specific audio files that could be used to bypass some standard linux security constraints.

BleepingComputer provides plenty of interesting ransomware news again this week. This week: The CrySiS ransomware had its encryption keys released, ransomware writers seeking help from security researchers to fix their crypto to ‘help victims ensure their files can be decrypted’, an uptick in distribution channels, and plenty of new variants.

Security Roundup - 2016-11-17

Following up on the ‘Hack The Pentagon’ bug bounty program, the Army announced ‘Hack The Army’ on Veteran’s Day.

The Verge reports an unfortunate cause of user’s Skype accounts being compromised. Despite urging customer’s to migrate their accounts to Microsoft accounts for stricter security, user’s original Skype accounts could be used to log in, potentially leaving accounts vulnerable due to leaked credentials. User’s are urged to ‘complete’ the migration.

‘Pwnfest’, a security bug finding festival wrapped up this week. Among the systems available, VMWare was exploited (and subsequently fixed), as well as Microsoft Edge exploits found, as well as the new Pixel phone being exploited.

Talos goes in depth on how they do triage for some vulnerabilities for binaries, specifically stack based buffer overflow and heap based buffer overflow/heap overflow bugs.

I imagine everyone has heard of PoisonTap at this point, but for those who haven’t…. PoisonTap is an exploit device based on the Raspberry Pi that emulates a network device. Once connected, it convinces the laptop that all traffic should be routed to it. This allows the device to intercept traffic, harvest cookies, and poison the browser. The later allows the device to open up a websocket to allow remote control of the browser. The engineer behind the device suggests simple security measures be added for usb devices: simply prompt the user when (most/all) when connected if they would like the device to be allowed.

Chinese researchers have revealed that poor OAuth 2.0 (used to do single sign on via services like Facebook and Google) implementations cam be hijacked. Based on their analysis of top performing apps, they believe more than 1 billion accounts could be subject to compromise. The attack relies on a a malicious app being installed on the device, allowing the attacker to MitM connections.

Fortinet has been working to identify the author of several strains of malware and gives an inside view of what sorts of information they look for in order to find relationships.

BleepingComputer wraps us up with the Ransomware Roundup. Among the regular variants, some interesting news: Multiple new versions of Cerber, which has expanded the ip subnets they use to communicate back information and statistics to C&C nodes; A ransomware variant that is marketed as a Paysafe (Prepaid money card) number generator, asking people who are trying to ‘generate’ money to pay money; proof of concept PHP ransomware which could use another exploit to encrypt web servers; a new variant dubbed ‘Telecrypt’ due to the fact that it uses the Telegram service as its C&C channel.

Security Roundup - 2016-11-11

A few good IoT related articles:

  • Mirai may be imploding as competing hackers fight over the resources. As these botnets are also designed to keep out the competition, the botnets may be fracturing into smaller and smaller groupings.
  • Rapid 7 has been tracking Mirai, and also noticed a drop in overall active nodes.
  • Several people sent me “IoT Goes Nuclear”, a research paper that illustrates a proof of concept worm for the Philip’s Hue. They were able to develop a technique to force a bulb in proximity to update its firmware. From there, the infected device was able to spread through the network. Assuming a critical mass of similar devices, the entire network could be shut down or repurposed for malicious activity.
  • Wired has a story of a researches that built a stingray device that looks like an office printer. Since the device is indoors, it is that much easier to overwhelm outside cell towers, to monitor your traffic and perform malicious things.

Sucuri has published their October Lab Notes recap. Lots of eCommerce related maliciousness, where they believe attackers are preparing for the holiday season. Additionally, two notes on tricks backdoors are using to avoid casual detection.

Google has expanded their HTTPS Transparency Report, demonstrating an upwards trend in Chrome users interacting with sites over HTTPS. Additionally, they have rolled out a new Safe Browsing site.

Rapid 7 has developed a new Honeypot network and has a writeup of some early observations. They spread their pots across a number of cloud providers, and noticed a decidedly uneven distribution of attacks. They also noticed that inter-cloud communication was heavier in AWS to AWS public traffic than expected, a possible indicator of companies using AWS Classic, vs using VPCs to keep traffic internal.

Can your password survive 100 guesses? This is the question posed by recent research, which found that, with a little bit of PII, they has a one in five chance of guessing a password before reaching NIST’s lockout guidelines.

Endgame Security researcher Bobby Flair provides a writeup of AISec, where they also presented their paper on “DeepDGA: Adversarially-Tuned Domain Generation and Detection”. Effectively automating better ways to avoid DGA detection, to be used to automate better detection of generated domains.

Talos does a deep dive on the RIG Exploit Kit. RIG apparently has a number of configurable variants, and various levels of obfuscation to make tracking difficult. It tends to try to infect with various scripts, so where one might fail another may succeed. This includes ActionScript, Flash, JavaScript, and VBScript. MalwareBytes also has an Exploit Kit Retrospective for the last few months, giving some highlights on how these operate and are changing.

BleepingComputer rounds up the ransomware, detailing several new ransomware variants.

Page 13 of 23