Downclimb: Summit Route’s Weekly Infosec News Recap
2015.05.24 – 2015.05.31: https://SummitRoute.com

Quotes

“Worms written in 2001 are more capable of lateral movement than most pentesters” Chris Rolf

 

“Penetration testing & exploit development has to be < 1% of InfoSec jobs but if you listen to Twitter you’d think everyone was writing 0day.” Marcus Carey

 

“A doctor can tell his patients don’t eat Twinkies. Likewise we can’t force people to implement cybersecurity. Cyber Twinkies bro.” Marcus Carey

 

“Security reporters PLEASE get competing views and analysis - else you fall prey to being the PR arm of security vendors.” Robert M. Lee

 

“In 2013, Bitcoin miners collectively performed ≈ 2^75 SHA-256 hashes in exchange for bitcoin rewards worth ≈ US$257M” Nadim Kobeissi

 

“Once upon a time people thought the Internet was anonymous because IP addresses don’t include names. Now they think that about Bitcoin.” zooko

Top stories

The Cost of Bad Threat Intelligence

In the world of anti-virus, one of the worst things you can have happen is a False Positive (FP), especially one that causes you to block vital Windows processes (like svchost) from running, causing the system to be bricked. This problem isn’t discussed with regards to Threat Intelligence, usually because the result is just more alerts, but this is still a problem.

• http://www.activeresponse.org/the-cost-of-bad-threat-intelligence/

Sourceforge has hijacked the GIMP for Windows repo and is distributing adware-riddled binary installers instead

Sourceforge was a popular place to host open-source projects before Github. Unfortunately, in recent times, it has begun adding adware to binaries users download from the site.

• GIMP developer’s complaint: https://plus.google.com/+gimp/posts/cxhB1PScFpe
• Sourceforge’s response: https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities

30% of the docker images in the official repositories use old software that are vulnerable to various attacks (Shellshock, Heartbleed, etc.). Images pushed by users contain more. This article discusses this problem and also provides a tool to scan docker images.

• http://www.banyanops.com/blog/analyzing-docker-hub/

A New UAC Bypass Method that Dridex Uses

Interesting UAC bypass on Windows 7 used by Dridex malware leverages application compatibility files (.sdb files).

• http://blog.jpcert.or.jp/.s/2015/05/a-new-uac-bypass-method-that-dridex-uses.html

An Exploit Kit dedicated to CSRF Pharming

This exploit kit tries to exploit SOHO routers via CSRF to change the DNS settings. It will also try to brute-force the credentials of the router to login and perform this action.

• http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html

Dissecting Linux/Moose: a Linux Router-based Worm Hungry for Social Networks

This worm infects routers. It’s main focus seems to be social networking fraud, but it will also change the DNS settings on the router and kill and other malware processes on the router.

• http://www.welivesecurity.com/2015/05/26/dissecting-linuxmoose/

Blockchain wallet crypto issues

Blockchain is the name of a bitcoin company that, amongst other things, provides a wallet app for Android. Crypto issues stemming from poorly acquired random allowed some bitcoin users to have funds stolen. Specifically:

• When initializing things for their random they don’t bail on failure.
• They get a seed from random.org (slightly odd in itself), and do so over HTTP (which could be MiTM’d).
• random.org was changed to force people to use HTTPS, so the request was always returning a 301 to this app, resulting in the same seed (a redirect message) always being used.

Whether or not you believe bitcoin can compete as a legitimate currency, the flaws in the applications and services that use it are enough of a deterrent for many.

• Android announcement on the issue (no technical info): http://blog.blockchain.com/2015/05/28/android-wallet-security-update/
• User comment (technical info): https://www.reddit.com/r/Bitcoin/comments/37oxow/the_security_issue_of_blockchaininfos_android/crolfk4

Newspaper News

• IRS: Crooks Stole Data on 100K Taxpayers Via ‘Get Transcript’ Feature: Crooks abused a feature of the IRS website to steal $50M in fraudulent refunds.
• Silk Road Creator Ross Ulbricht Sentenced to Life in Prison

Business

• Canary debuts: Canary is a honeypot, developed by Thinkst, that you deploy on your network to alert you when intruders get inside your network.
  This has been an emerging market which Gartner refers to as “Threat Deception Technologies”. Other vendors in this space include TrapX, KeyFocus, Cymmetria, Attivo Networks, HoneyBot, and Specter.
• Google debuts Project Vault: Project Vault is a secure computing environment on a micro SD card, for any platform. Mudge was on the team that built this. Video and some code.
• Insurer tells hospitals: You let hackers in, we’re not bailing you out: After hackers stole medical records from a hospital, the customers sued the hospital for $4M. The hospital’s insurance paid this, but now the insurer wants it’s money back after realizing how poorly secured the networks were.

Conference materials and publications

• Confidence 2015: Conference in Krakow, Poland this past week.
  • “When is something overflowing”: Peter Hlavaty
  • “DTrace + OS X = Fun”: Andrzej Dyjak
  • “Automated Security Testing with Seccubus”: Frank Breedijk and Glenn ten Cate
• Hack in the Box AMS: Conference in Amsterdam this past week.
• BSidesNOLA: Conference in New Orleans this weekend.
  • “Offense at Scale”: Chris Rohlf
  • ”(Encrypted) iPhone Backups”: Hal Pomeranz
  • “Ubiquity Forensics: Your iCloud and You”: Sarah Edwards
  • “Embedding IR into the DNA of the Biz”: Sean Mason
• LangSec: Conference by the IEEE last week in San Jose, CA.

Tools

• Selfie: A Tool to unpack self-modifying code using DynamoRIO.
• detux: This “Linux Sandbox” site provides some basic dynamic analysis of linux samples on x86, x86-64, ARM, MIPS and MIPSEL cpu architecture. It looks like right now it only shows what IP’s samples connect to. This looks like it could be the start of a Linux version of what malwr.com is.
• IdaRef: A plugin for IDA Pro that gives full documentation for assembly instructions for x86-64 and ARM.

Other reads

• Meet ‘Tox’: Ransomware for the Rest of Us: Ransomware now has an easy to use service for generating your own ransomware.
• iPrint Client: nipplpt.sys vulernabilities: If you’re interested in looking at driver vulnerabilities on Windows, Google Project Zero just released 6 privilege escalation vulns they found in a single driver.
• The Empire Strikes Back Apple – how your Mac firmware security is completely broken: EFI attack on Apple Macs.
• Security Monitoring with Attack Behavior Based Signatures: Shows how to use sysmon to identify malicious behavior.
• OceanLotus: This is an APT report published by SkyEye Lab of Qihoo 360 (a Chinese security firm) about a threat against the Chinese government. There isn’t much that caught by eye in trying to read Google’s translation, other than this appears to be an Apple OSX malware campaign. The most exciting part though is simply that it’s great to see Chinese security firms pushing out reports similar to the US firms, and funny to see them use the term APT as well, especially with regards to a threat against the Chinese government, since this term was coined as a way of describing threats assumed to be originating from the Chinese government.