Security Roundup - 2016-06-23

Fallout of the recent password leaks has continued as vendors such as Github, TeamViewer, and GoToMyPC all being victims of account/password reuse attacks. They have all stressed the importance of 2 factor auth.

Summer is upon as, as is some of the larger US based security conferences. Hackaday has an interesting article highlighting the importance of talks, but also delving into Network Security Theater, where some individuals have made wild claims, and then bailed in several occasions for unknown reasons. In a number of them, just the basic concept of the proposed talk led to multiple security researchers to quickly replicate the results.

The Pentagon recently released the results of their bug bounty program. From the HackerOne summary, 1,410 participants submitted 1,189 reports detailing 138 unique, valid vulnerabilities across a number of webapps. Common vulnerabilities appear to have been XSS and CSRF related, with some more severe SQL injections discovered as well. The Pentagon has touted this as a success citing cost savings, innovative approaches, and community building that would not occur under a more traditional security audit.

Last week Kaspersky labs uncovered the xDedic underground marketplace that was selling RDP access to compromised servers. This week, they analyze a public leak of hosts that allegedly compromised. They found a high correlation with their own observations, but interesting results that pushed US and UK servers to the top of their list of countries with most compromised servers. Their hypothesis is that a lot of servers are quickly sold, and their initial observations were potentially just the tip of the iceberg.

This year has seen a number of archive library related CVEs and Talos Security spins another tale of Poisoned Archives, detailing 3 more such vulnerabilities. All these vulnerabilities are due to validate input, and unfortunately can lead to remote code execution. Click the link if you are interested in the nitty gritty details.

In malware news, Checkpoint points out some interesting evolutions. One mobile malware variant that steals money sent via SMS is now hijacking the raw SMS data at the system level. Viking Horde is a new mobile malware with the intent to create a fraud related botnet on Android phones. And a ransomware variant called Flocker is apparently infecting Smart TVs. Additionally, they have published an updated Top 10 “Most Wanted” Malware. Conficker continues to be at the top, but otherwise there is a lot of movement on the board.

I found the SmartTV news interesting, when I also read Akamai’s recent post on Account Takeover Campaigns, where they noticed what they believe to be infected routers taking place in botnets used to try to break into accounts.

Trend Micro contributes with the discovery of ‘Godless’, an android malware program that tries to root a phone and then silently install other apps.

MalwareBytes, on the other hand, has a rundown on the disappearance of the popular Angular exploit kit, as well as an analysis of recent activity in the Necurs Botnet, which apparently took a bit of vacation recently, as well as a scope of its operations.

Finally, Etherium, a bitcoin alternative, has had some problems this week. One of the large contracts called The DAO had an implementation flaw that allowed an attacker to begin draining the currency into another account. Value in the currency plummeted after the news of the attack, and there is some belief that the hacker hedged their bets by shorting the currency. The people behind Etherium have released a blog post on ‘Thinking About Smart Contract Security’, detailing a number of poorly coded contracts. The current lesson appears to be that writting ‘smart’ contracts can be just as hard as real ones, and errors can be magnified since they are deliberately automatic, trying to avoid human arbitration. Conversely, given their public nature, they are potentially easier to exploit by a third party. A number of cryptocurrency enthusiasts have shown that programming issues appear to be somewhat common in the smart contract space at the moment.

Security Roundup - 2016-06-16

Verizon has had two communication redirect issues this week. The first is where one determined hacker convinced a Verizon rep to change a phone number to a new SIM. This allowed the attacker to receive all calls/texts to a phone they controlled, intercepting 2 factor auth tokens. Similarly, Verizon recently patched a system vulnerability that would allow attackers to redirect a victim’s email to an account of their choosing, which would have allowed an attacker to redirect any password reset emails for accounts Verizon customers might have associated with their accounts.

TeamViewer has been having a rough time, with a lot of their customers having their machines accessed. Speculation abounds around whether these accounts were hacked due to leaked passwords via one of the many, many recent breaches or whether TeamViewer has had a breach themselves.

Twitter felt the weight of a password leak this week and has already proactively started resetting passwords for some accounts. Similar to the TeamViewer incident, the current belief is that these have been cross referenced from other breaches. Twitter indicates they are proactively cross referencing and resetting accounts as breaches come to light.

iMesh, a company that recently out of business, ALSO had old breached account data surface this week. Based on available records, this break might have occured in 2013 and 51 million accounts, including passwords which were hashed using MD5.

The Windows Background Intelligent Transfer Service (BITS), used by Windows to asyncronously fetch things like software updates, has been exploited to infect and re-infect systems by leveraging the “notification” feature to schedule persistent updates. As BITS is a trusted service, this allowed malware downloads from being triggered as potentially malicious activity by some monitoring systems.

That is not the biggest vulnerability that Microsoft has patched though. “Badtunnel” is an escalation attack which can be triggered with a variety of medium and allows an attacker to hijack traffic and gain control of remote machines. Versions of windows going back to Windows 95 are impacted by this vulnerability.

Krebs has another fascinating/terrifying update on ATM insert skimmers. This one contains videos of how they actually work, and how hard they would be to detect in real life.

Ever wonder how a ransomware-as-a-service ring works? Business insider has an interview with Flashpoint Intel, who convinced one russian ransomware boss to make them part of his ring.

Similar to the recent abrupt shutdown of TeslaCrypt, it looks like the Angler Exploit Kit has shut down, with malware campaigns migrating to a variety of other exploit kits.

Security Roundup - 2016-06-09

Two big reports have landed this week.

The first is an analysis from Rapid 7 and their Project Sonar, called the National Exposure Index. It provides details on some of the most popular open ports on the internet today. Some interesting observations, including the adoption of secure alternatives to a number of protocols is still lower than the non-encrypted versions (POP3, SMTP, HTTP, IMAP), with the exception of SSH vs Telnet. That being said, there are still a lot of things responding as Telnet, and the authors are (rightfully worried) by the fact that there are still so many devices using Telnet on the internet. “Most services on the internet are unencrypted, which is worrisome for any standards or enforcement body charged with keeping up a reasonable security profile for an organization.”

The second is Akamai’s State of the Internet report. This report looks at attack trends that Akamai sees over their network. Some surprising things include: ‘mega attacks’ (> 100 Gbps) have increased by 280% since last quarter. There is a big jump of 87% in SQL injection attacks since last quarter. More web app attacks are coming over HTTPS, possibly due to the increased roll out of HTTPS across sites. Reflectors, using common internet services like NTP and DNS are increasingly used in DDoS attacks, with NTP reflection jumping 71%.

Related to the uptick in NTP reflection, ThreatPost reports on a number of NTP flaws that allow for Denial of Service attacks. These have all been disclosed and patched, so we will see if next quarter’s State of the Internet report shows a corresponding drop in this type of DDoS.

The more payment processing news I read, the more convinced I am that maybe I should just switch back to cash that I get straight from a teller at a physical bank. The latest example is another Krebs article on a Point of Sale Botnet that has probably harvested more than 1.2 million credit cards. It seems that the impacted restaurants are victims of social engineering, giving access to remote individuals so they can run some ‘support tasks’.

I came across this fascinating extension to typosquats, where someone decided to apply the concept to software packages. By setting up a number of packages with slightly different names, containing an application that just reported statistics to him, the author received a number of hits from 17289 different servers over a short period of time. Of these, 43.6% of them updated the packages with admin rights.

Discussion on the above led me to another interesting article on bitsquating, which are like typosquats but based on differences in bits, so random fluctuations in memory/cosmic rays could conceivably send someone to an incorrect website.

Sucuri points out that forms will allow data theft if your site is ever hacked, and this makes payment processing hard by going over a Magento payment processing plugin for Braintree. Attackers essentially used the extension’s own information collection facilities to harvest credit card and user information and send it somewhere remote for collection.

MalwareTech did a good job busting that Cerber became polymorphic by generating a new hash every 15 seconds. Coincidentally, Fortinet has an article demonstrating how a piece some malware becomes polymorphic by re-encrypting some functions on each use, meaning the malware signature changes on an individual machine over its lifetime.

Checkpoint recently pointed out a flaw in Facebook’s Messenger platform, which would allow someone to modify messages. Following malware trends, they posit that flaws like these would allow a malicious actor to constantly update landing pages for malware, as other products begin detecting them and blocking URLs, thus lengthening the amount of time for someone to click through and become infected.

BleepingComputer has the best roundup in ransomware news. This week features Ransomware updates (including CryptXXX rebranding as UltraCrypter!), as well as new kids on the block with BlackShades (which taunts security researchers) and JuicyLemon, which interestingly asks people to email a certain address for instructions.

Security Roundup - 2016-06-02

LinkedIn is apparently not the only service to have a large number of user accounts come to light this month. MySpace (breach between 2007 to 2010), Tumblr (2013), and Fling (2011) are all data sets that have apparently been lying dormants, but add up to 642 million user accounts. Troy Hunt of Have I Been Pwned has indicated these 4 breaches are in the top 5 of the 109 breaches he has recorded to date.

World renowned password cracker Jeremi M Gosney has an article on “How LinkedIn’s password sloppiness hurts us all”. He has worked with teams to crack 98% of the LinkedIn password data and they managed to do so in 6 days. End result is a large corpus of actual user password data which can be used as a wordlist, to analyze to create newer/better fuzzing rules, and overall makes slow-hashing functions like BCrypt and Argon2 less effective since password crackers will potentially require less attempts to break into accounts.

Microsoft, meanwhile, has announced an initiative to better protect user passwords. One layer actively bans bad passwords, which Microsoft collects more and more data on based on attacks. Another layer actively locks out accounts with attempts meeting a certain criteria and actively notifies an account holder. These features are being rolled out to Azure AD in a limited beta.

In terms of randomness, TOR goes to great lengths to generate enough randomness to encrypt all communications across its network. Naked Security has an article on how Tor generates randomness such that poisoned nodes don’t undermine the network as a whole.

For those procuring workstations for their employees, be sure to read this Duo article on OEM Updater Security. Duo managed to find vulnerabilities in all OEM Updater software that would allow them to execute arbitrary commands as a system user. While some attempts were made to harden updaters, more often than not some basic security measures (TLS communication, update validation, manifest validation) were not done.

The Internet Crime Complaint Centre has published their 2015 report. Highlights include: wire transfer fraud via phishing attacks have losses of over $263 million reported, corporate data breaches resulted in ~$39 million in losses, and malware compromised ~$5 million in losses with ransomware breaking the 1 million mark with ~$1.6 million in losses.

Checkpoint has an updated write up of CryptXXX. Evolving out of TeslaCrypt, CryptXXX seems to be serving their code as a DLL, and then using Windows binaries to execute the code at some later time. Since there is no base executable, this evades many sandboxes. CryptXXX takes this one step further by delaying execution, to further thwart any sandboxing.

This week I learned about some implementations of TLS have apparently failed to respect nonce uniqueness when setting up connections, thus opening the opportunity for forgery attacks against HTTPS sites. Unfortunately, some VISA sites have been discovered to have this issue.

Security Roundup - 2016-05-26

Malware targeting wireless networking equipment has been making the rounds, impacting several ISPs. Despite a patch being available last July, many users appear to have been unaware and not updated. The malware in question leaves a backdoor in a large range of devices, but otherwise appears to do no other malicious activitiy at this time.

Malware on USB devices, and a user’s ability to plug in USB devices can allow for deep network penetration. Checkpoint has a story where parts of a nuclear facility were infected. While restricted networks were not infected, a number of USB devices were, which could have resulted in cross contamination.

As more campaigns move away from TeslaCrypt and over to CryptXXX, TeslaCrypt has apparently shut down and released a master decryption key. Interestingly, Kaspersky has defeated CryptXXX this week and has updated their unlocker for it, resulting in CryptXXX releasing a new version which was again promptly defeated.

A number of security researchers have blogged about obfuscation this week. Checkpoint has an interesting article on how Spear Phishing malware attacks are starting to include sandbox/analysis tool detection and evasion techniques to slow down malware researchers. Sucuri has a fun article on how a Joomla backdoor used multiple obfuscation techniques. And Fortinet has an interesting article on android malware, which again has checks around whether or not it is running in a virtual environment, and encrypts outbound communication. Finally, ThreatPost has a writeup of a new Microsoft Office macro obfuscation technique where payloads are stored in the names of buttons, and triggered when clicked.

In further, “I don’t know if I will ever use an ATM again” news, I’ve learned that some criminals implement skimmer malware, rather than just skimmer hardware. Initially popular between 2010 and 2013, Kaspersky Labs recently discovered a new variant after being asked to investigate a bank robbery where nothing was stolen. Said malware activates when a specific keycard is used, allowing a user to do things ranging from spitting out ids and pins, dispensing cash, or receiving an update.

A breach of LinkedIn data impacted 6.5 million users in 2012. Recently it was discovered that another 117 million users might be impacted, with those accounts surfacing this week. Security experts are dissatisfied with LinkedIn’s approach to reseting only known impacted accounts, an action that has resulted in these 117 million users being targeted years later. Troy Hunt has an interesting followup where he talks about LinkedIn’s response, the impact on breach disclosure on leaked information prices, and phishing events surrounding leak disclosures (because people are expecting password resets!).

A follow up to my previous coverage of MITRE, one security professional has complained about the difficulty of getting CVE numbers assigned to found vulnerabilities, resulting in setting up websites to disclose vulnerabilites as a result. MITRE has scrapped the previous decentralized proposal, meaning that they are still being overwhelmed with CVE requests.

A coworker of mine recently introduced me to the concept of Pastejacking, by which an attacker overrides the contents of the clipboard. If copied content looks innocent and is something that is pasted into a terminal, for example, it results in a user accidentally executing potentially malicious code.

Page 18 of 23