Downclimb: Summit Route’s Weekly Infosec News Recap
2014.09.12 – 2014.09.19: https://SummitRoute.com
Top stories
Joe Security: First Automated Dynamic Analysis system to support Mac OS X
Apple’s OS X is getting it’s share of malware, and Joe Security, which competes with FireEye, LastLine, and others, has released the first automated analysis system for that platform.
- http://joe4security.blogspot.ch/2014/09/joe-sandbox-x-automated-dynamic-malware.html
Watering hole attack analysis
Thorough analysis from Bromium on an attack including many ways in which the attacker tries to avoid getting caught.
- http://labs.bromium.com/2014/09/16/pirates-of-the-internetz-the-curse-of-the-waterhole/
Android Browser Same Origin Bug
In the original Android browser (AOSP) before Android 4.4, you can load arbitrary javascript into any frame or window. So as an example, if you browse an attacker controlled site, while you have your webmail open in another window, the attacker can take over your webmail session (read and write your webmail). This set of Android devices accounts for 75% of the total Android ecosystem today.
- https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041
Mitigating Service Account Credential Theft on Windows
This paper is a joint work between Rapid7, Microsoft, and Palo Alto Networks. It is great to see that collaboration, and it shows in the paper, as a variety of solutions are identified, with a focus on free solutions and actionable steps.
- https://community.rapid7.com/docs/DOC-2881
Debian apt vulns
The package manager apt, used by Debian (and Ubuntu), has a variety of vulnerabilities due to failing to check for certain things.
- https://www.debian.org/security/2014/dsa-3025
Declassified TRANSCOM report
The Senate Armed Service Committie initiated an inquiry in April 2013 into how much was known of cyber intrusions into TRANSCOM and it’s contractors. 50 successful cyber intrusions or other events (which the FBI determined a victim notification was required for) were identified that had occurred in the one year period up to June 2013. Of those, 20 were attributed to APT from China. Of those 20, TRANSCOM was only made aware of 2. Government documents like this are usually declassified in order to suit some political need. In this case, the purpose of the document seems largely to advocate (and ultimately enforce) greater information sharing.
- http://www.armed-services.senate.gov/imo/media/doc/SASC_Cyberreport_091714.pdf
Tools
- IDA Sploiter: New IDA plugin to aid exploit development through finding ROP gadgets and writable function pointers, along with other features. It leverages IDA’s debugging functionality, so it’s working on the real view of the programs in memory, not statically on files on disk.
Other reads
- Windows 8.1 PatchGuard Analysis: http://blog.ptsecurity.com/2014/09/microsoft-windows-81-kernel-patch.html
- Paper from Carbon Black shows how you can use their tool to find malware that has infected your network: https://www.bit9.com/download/whitepapers/CB_Threat_Hunting_Interactive.pdf
- Rogue cell tower in China used for scamming: http://www.theverge.com/2014/9/18/6394391/phony-cell-towers-are-the-next-big-security-risk
- Vuln in Apple CoreGraphics library: http://blog.binamuse.com/2014/09/coregraphics-information-disclosure.html