Security Roundup - 2017-10-13

Credit Unions Serving Malicious Ads. Equifax issues continue this week, with one of their ad providers serving malware. While it is true that Equifax itself was not hacked, this further erodes trust if their supply chain is putting visitors at risk. Not to be left out, Transunion was also noticed to have the same problem.

Supply Chain Attack Rundown. Attacks like the above leverage the supply chain of services that a vendor uses. Malvertisements are nothing new, but supply chain attacks are increasing in both sophistication and frequency. Crowdstrike provides a brief rundown for anyone needing to catch up.

KnockKnock (but quietly). A brute force attack (but a sneaky one) against Office 365 accounts was discovered by researchers. KnockKnock, as it is called, was a targeted attack against a specific set of accounts for a specific set of companies using Office 365. The attack appears to have been spread out and coordinated across a wide number of ips. Attackers also singled out senior and/or long term employees, perhaps hoping they would be more likely to have access to sensitive information.

Attackers abuse overdraft functionality to milk ATMs. Follow along with this story, of attackers that social engineered their way into a bank’s infrastructure, stuck around, and then used their privileges to create new accounts and withdraw millions of dollars by abusing overdraft protection settings.

DNS requests could compromise your machine. In this week’s terrifying news, a Windows CVE was just patched that allowed a malicious DNS response to trigger remote access to someone’s machine. This applies in a number of scenarios, like using internet from a coffee shop, or from the airport. Full details can be found here.

Magento eCommerce Roundup. Lots of Magento related news this week, including Sucuri’s deep dive into a credit card stealing malware ring, this Detectify blog about how bad patching cadence is for some Magento users,and this announcement about PoC code for two patched exploits.

Disqus customer data exposed. Company promptly addresses. Disqus was made aware customer data being available this week, compromising 17.5 million accounts from 2007 to 2012. Overall, the company has excelled in their response. In under 24 hours, Disqus had accepted a report, validated the findings, reset user passwords and contacted customers. Their expedient behavior and transparency has blown away Troy Hunt, owner of HaveIBeenPwned.com and overall raised the bar for how to handle breach disclosures. Of course, user’s should make sure they are not reusing their passwords, which would leave them open to a credential stuffing attack.

Security Roundup - 2017-07-06

Scott Helme has been analyzing various internet security mechanisms over the last several years. His latest focus is TLS security, and he provides a great writeup on ‘Why TLS Revocation is Broken’. From why Certificate Revocation Lists (CRLs) are too cumbersome and Online Certificate Status Protocol (OCSP) is better for revocation, but worse for privacy, Scott covers the current problem and highlights a number of new options that can further mitigate man in the middle attacks against TLS communications.

Let’s Encrypt hits another milestone by having reached 100 MILLION generated SSL certificates. Given that Let’s Encrypt has only been in operation for a year and a half, this is a remarkable achievement. In that same time period, HTTPS adoption has increased 18% (essentially 1% every month!) to reach 58%, no doubt at least partially due to Let’s Encrypt’s free service. They have also announced they will start issuing wildcard certificates in the new year, citing it as a much requested feature, and their hope that it will help drive adoption of TLS closer to the 100% goal.

The end of this quarter actually saw a large amplification attack on Cloudflare’s infrastructure, crossing 100Gbps and lasting 38 minutes. SSDP is used for discovery of UPnP devices, and allows the query for ‘all’ devices. Since SSDP happens over UDP, the return address can be forged, allowing an attacker to make queries and redirect responses to their victim. We’ve previously covered a number of problems with UPnP, and this is just one more example of why it should be disabled. Cloudflare provides a number of other recommendations to eliminate/reduce the efficacy of these attacks.

A security researcher recently aided in making packages served from node package manager (npm) more secure. The researcher was able to access enough accounts to be able to hijack 14% of all packages, some of which are in use by millions of users. The majority of these accounts were not brute forced, but used involved password reuse from other accounts that were available in one of the many leaks in the last year (check your passwords!), by users publishing these passwords in their packages accidentally or accidentally uploaded to places like Github. 17% of accounts were brute forced, using embarrassingly bad password lists (one password was literally “password”). NPM has tightened password policies, as well as monitoring password based endpoints, and is working to roll out even more security improvements intended to increase account security and mitigate risk.

This week celebrated the 50th anniversary of the ATM. We’ve previously shared stories on ATMs and skimmers, and this week Brian Krebs gives us an update on the current state of ATM skimmer technology.

For those that love to dive into malware breakdowns, Palo Alto Networks provides one on OceanLotus. OceanLotus is a Mac backdoor and interesting for a few reasons, including a custom binary communication protocol with its C2s.

Finally, researchers have published a paper detailing information leak in libgcrypt’s implementation of RSA-1024 keys, resulting in excessive information leaking and allowing researchers to reconstruct the key in use. At time of writing, the library has issued a patch, and many linux providers have provided updates and/or other layers of protection.

Security Roundup - 2017-06-23

This roundup made possible with contributions from my co-worker Michael Cereda.

Layers upon layers upon layers. This is the first thing that comes to mind after reading Sophos’ recent report on old tricks turned new for malware. While many malware campaigns involve embedded objects with malicious payloads, Sophos has noticed a number of strains which host these embedded objects on remote servers. Among other things, this makes it easier for someone to shut down a malware campaign, or perform upgrades on the payload after the spam campaign has launched.

McAfee also discovered new tricks in the PinkSlip malware. What sets this apart from its peers is the fact that it will set some infected hosts as remote proxies, allowing it to be used to further obfuscate where a C&C is located. This is set up independent of the trojan, meaning any machines that were previously cleaned up potentially still have this unwanted guest on their machines.

Google’s engineers have announced many anti-malicious software detection news lately, and security researchers continue to unearth more of it. Last week involves the discovery of Xavier, a malware strain which silently steals personal and financial data while the user of the infected app is trying to change the ringtone or boosting the speed of the device. Xavier is actually the evolution of the AdDown malware, which first hit the scene in 2015 with ‘Joymobile’, but has learned several new obfuscation tricks including downloading instructions remotely and dynamic analysis evasion.

Researchers have discovered a new way to gain root access on several unix based operating systems. Dubbed ‘Stack Clash’, this exploit involves the attacker ‘clashing’ the memory system that keeps track of running programs with another memory region, potentially overwriting instructions and executing unexpected code. At time of writing, impacted OSes have patches.

Man In The Middle Attacks allow someone to see all your traffic. This could be mitigated by sending traffic encrypted, but what if someone is intercepting traffic by using “trusted” certificates? Security gateways and anti-virus sometimes do this in order to ‘inspect’ web traffic for malicious signals. Researchers recently worked with various industry partners to try and fingerprint this type of interception, seeing upwards to 10% of communications falling into this bucket, with a sizable portion of it not backtrack-able to security products. Even security products doing this is a problem, as security problems can mean this is abuse, or bad crypto implementations mean that communication is less secure than it would be otherwise.

More Internet of Things stories this week including:

Duo Security “drills in” to the security of an internet enabled drill. They take you through the discovery process, including checking out the associated app as well as the drill itself. While they unfortunately found hard coded passwords, and the ability to tamper with the Geolocation security feature, overall they found a number of security features like encryption and security headers in API responses, meaning that perhaps there is hope for the Internet of Things yet.

TP-Link joins the list of vendors to patch end of life products, fixing a bug that would allow remote account takeover in one of their older router models. This is a positive step forward, as research continues to demonstrate more and more vulnerable devices, and attackers shifting from simplistic approaches of brute forcing passwords (which still works way too often), to more complex vulnerabilities in router software itself.

Unfortunately, we are halfway through the year and Kaspersky labs has already seen twice the amount of IoT based malware as all of last year. Based on the number of stories we’ve covered already, this will likely get worse before things get better.

Case in point, more Vault 7 documents have been released showcasing CherryBlossom a framework for pushing malicious firmware to your router. After the infection, routers can be controlled remotely using a browser-based interface and can be used for different missions that include scanning mail addresses, chat usernames, MAC addresses and VOIP numbers.

Security Roundup - 2017-06-16

Imagine if you had gone to the trouble of paying for and setting up security products, but they weren’t running properly. Malware authors are imagining, and making this a reality. BleepingComputer details CertLock, a malware strain that prevents new security programs from being installed or security products from running, by adding the signing certificates of these programs to a special disallowed list in Windows, effectively preventing the applications from running. Going farther, it even adds a bunch of update domains to the hosts file of a device, redirecting to localhost and breaking update capabilities.

Microsoft provides another security update for older versions of Windows this week, including XP, Vista and Server 2003, to protect against 3 other exploits found in the ShadowBrokers exploit dump. Microsoft believes the threat level of these exploits is severe enough to warrant a wider distribution of the patches, but points out the best protection is to stop using end of service versions of Windows. All told, Microsoft released fixes for 97 vulnerabilities across all their products, 17 of which were labelled as Critical. Microsoft has also announced that SMBv1 will be disabled by default for future windows versions.

Interested in a deeper dive into Memory Resident Malware? Endgame security delivers this week covering known attacker techniques, as well as going over some of the difficulty in detecting these techniques.

Microsoft has discovered malware that abuses Intel’s Active Management Technology (AMT) to exfiltrate data. Since the AMT is low enough level, communications through it avoids the application level network stack, and any monitoring/firewall systems that are operating at that level.

More and more malware is targeting Apple computers. Fortinet researchers have recently stumbled across MacRansom, an OSX Ransomware as a service portal. After communicating with the author, they were given a sample which they then analyzed. Sadly, it looks like any victims will be unable to decrypt their files, since part of the encryption key is random, and there is no outbound communication to a C&C.

In some alarming news this week, one security researcher has posted a number of Man-in-the-Middle vulnerabilities for several iOS applications. These applications talk to unsecured backend services, allowing login information to be stolen. The applications in question unfortunately range from grocery deals to voting and banking apps.

The Internet of Things has been demonstrated to be the Internet of VULNERABLE Things in the last year. Talos Intel does both a retrospective, as well as provides advice to companies that may be purchasing devices connected to the internet. Case in point, yet another batch of internet enabled web cameras has been demonstrated to be riddled with insecurities.

Security Roundup - 2017-06-09

EternalBlue and WannaCry coverage continues this week:

To start, looks like WannaCry may have a number of bugs which may make it possible for users to retrieve their files.

EternalBlue has unfortunately been ported to Windows 10. Security researchers did this by analyzing the existing exploit and adapting it to work around additional Windows 10 protections. Speculation abounds on whether this zero day is known in certain circles, but points out how everyone is learning from the trove of exploits dumped.

This is particularly demonstrable/troubling, as EternalBlue is now being used for a variety of malicious programs. While thankfully protection is a Windows update away, some systems are still vulnerable.

Finally, Sophos does an overview of WannaCry, suggesting that adhering to security basics like strong passwords, endpoint security, and (most importantly) proper patching hygene could have made WannaCry more like DoNotCry.

Vault7 continues to hit the news as WikiLeaks has published documentation on Pandemic, a tool that turns a Windows File Server into a malware distribution server, injecting Trojans into files that users are trying to access.

MalwareBytes starts a new series called “Interview with a Malware Hunter”. The first in the series is Pieter Arntz, Security researcher for MalwareBytes.

Balancing data portability AND data security is a hard problem, since a full download of a user’s data is a gold mine for attackers. Jeff Attwood, founder of Stack Overflow and Discourse, goes into some of the steps his team built in to try to manage both for their users. In addition to strong passwords (15 characters, more than the current NIST standard), locking down which accounts can export, and using single use tokens, the Discourse team actually tried cracking their own passwords to look at computational liklihood. After more than 3 weeks of cracking, they managed to break less than 1% of accounts, and those that were involved a number of dictionary words.

Sucuri has released their monthly Lab Notes. Some interesting things include a look into a Wordpress backdoor, a look into a data collection script that hides as a benign script, and a dip into malvertisement targeting.

Researchers this week noticed a novel way that malware is checking for C&Cs out of band, Instagram comments! By using non-printable characters as markers, a comment may seem legitimate, but otherwise hides a secret message redirecting programs to an appropriate location.

Last month, the Jaff ransomware started making the rounds as a fairly successful strain. Now, security researchers have linked it to a cybercrime marketplace. Researchers uncovered this when they discovered shared infrastructure for the two systems. They then found thousands of compromised accounts, from banking credentials to Amazon accounts.

The RIG Exploit kit takes a blow recently, as various security groups in conjunction with GoDaddy mapped out and then shut down a major chunk of its infrastructure. Specifically, RIG was relying on compromised hosting accounts to create subdomains on other users accounts, in order to use them as relays for the exploit kit. You can read up on the whole operation on RSA’s blog.

Checkpoint security recently published new research into two ad-revenue generating malware platforms:

First, meet Judy. A korean company named Kiniwini (ENISTUDIO corp. on Google Play) released 41 apps on the app store about Judy, cute little lady with a desire to take care of animals, make food, and study fashion. Judy, however, also has a compulsive addiction to ad clicking, as the apps had malicious code they leveraged to perform auto-click ad fraud. So while users were creating cakes and dealing with virtual pets, Judy was taking care of their devices.

Last, but not least, Fireball exploded onto the scene with an estimated 250 million infections, possibly making it the largest malware infection ever recorded. The malware has been pinned to the chinese company Rafotech, which specializes in “creative advertising”; the company denies any wrongdoing. The malware currently configures a target’s browser homepage and default search engine with a “fake search engine”, collecting user information and, guess what, clicking on advertising. The malware also has the ability to remotely execute code, making it a potent (and widespread) backdoor into many organizations.

Page 7 of 23