Downclimb

2014.12.12

RSS feed

Downclimb: Summit Route's Weekly Infosec News Recap
2014.12.05 – 2014.12.12: https://SummitRoute.com

Quotes

"So, I know people are excited that I'm posting malware PCAPs. But that misses the point. I'm posting entire malware executions!" @moyix

Top stories

Control Flow Guard in Visual Studio 2015 Preview

Control Flow Guard (CFG) is a mitigation against ROP attacks. It checks every indirect-call instruction is going to a location that it is expected to reach. Ideally you would want to ensure every library used by your application has been compiled with CFG, so this will take awhile for it to become more effective. There are still ways around it, but the hope is it will make life more difficult for attackers. This is only in the preview of Visual Studio 2015 and is still viewed as experimental so you have to make some changes from the default compilation settings to take advantage of this.

Turkish pipeline blast from 2008 involved hackers

Bloomberg is reporting that in 2008, hackers used vulnerabilities in the surveillance cameras that monitored an oil pipeline through Turkey to make their way into the network. From there they compromised a Windows computer in charge of alarm management. The hackers shut off the alarms and surveillance cameras so two men could walk up to the pipelines with laptops in order to increase the pressure which ultimately caused the explosion and shut the pipeline down for 3 weeek, resulting in the State Oil Fund of the Republic of Azerbaijan losing $1 billion in export revenue while the line was shut down. The hackers erased more than 60 hours of surveillance video. Russia is believed to have been behind this, as 3 days later they went to war with Georgia, where the pipeline also runs through.

Code Execution In Spite of BitLocker

Windows 8 changed how BitLocker works from the implementation used for Windows Vista and Windows 7, by no longer using one of the features (something called the Elephant Diffuser). The removal of this feature means that an attacker could flip bits on a hard-drive such that the next time the owner logs in, code execution could be obtained. If an attacker obtains physical access to your equipment you should assume it has been compromised (it could be physically bugged in some manner) but the threat identified in this article is still unexpected and it's unfortunate this feature was removed.

Malware signed with Sony Pictures cert

Due to the breach of Sony Pictures Entertainment, their signing cert has been compromised and used to sign malware. It appears the hackers signed this malware just to show how thoroughly they have compromised Sony Pictures. They likely wanted this malware to get picked up by antivirus vendors just to show off that they acquired a copy of the signing cert.

Cyber Supply Chain and Transparency Act of 2014 bill introduced

A bill has been introduced in Congress that proposes "that any supplier of software to the Federal government must identify which 3rd party and open source components are used, and they cannot include known vulnerabilities (per the NIST NVD) for which a less vulnerable alternative is available." This bill has not been made into law yet but it will be interesting to follow and will likely force a lot of new work to be created to check software being provided to the government does not have known vulnerabilities.

Malware analysis using docker containers

One of the difficulties of doing malware analysis is simply getting the tools to work. There are now docker images available to make it easier to use V8, Thug, Viper, Rekall, and JSDetox. Precautions should still be taken when analyzing malware.

Business

Publications and Conference materials

Tools

  • Snort 3.0: Snort 3.0 has been in development since 2005, and is still an Alpha release, but this release includes lots of new functionality such as now being multithreaded.

Other news