Downclimb

2015.07.19


Downclimb: Summit Route’s Weekly Cyber News Recap
2015.07.12 – 2015.07.19: https://SummitRoute.com

Quotes

“Authentication is a classification problem amenable to machine learning, with many signals in addition to the password available to large Web services.” Passwords and the Evolution of Imperfect Authentication

“Tomorrow is Windows Server 2003 end of support. And Bastille Day. Both were bloodbaths – http://www.microsoft.com/en-us/server-cloud/products/windows-server-2003/” Kostya Kortchinsky

“Full disclosure at work: Leak 2 Flash 0days, Mozilla kills Flash. “responsibly report” 10s of them to Adobe… nothing happens” @4Dgifts

“Vega$ is two weeks away. Visit the store and purchase deodorant you stinky #hax0rz” jeff bryner

Top stories

Vuln broker timelines

This is the most informative table you’ll ever see about the 0-day industry. This table from Vitaliy Toropov (recently famous for being identified as the person who found some of Hacking Team’s 0-days) shows the dates when vulns were reported (sold) to vuln brokers and when they were reported to the vendors. It’s understood that part of the value of the presumably legitimate brokers is to screen these vulns, so these brokers pay for good vulns and only submit valuable vulns, but this chart shows that this process takes hundreds of days, and once over 226 days. I understand there can be backlogs, but repeat submissions from the same vuln researcher should make his submissions more trusted and higher priority, which leads to the conclusion that these vuln brokers may be purposefully delaying reporting them for naughty reasons.

  • https://docs.google.com/spreadsheets/d/1ktYGoERq4CVqqYB4XlPI0QeC44GQkbc5v3Yj2jfRKGY/pubhtml?gid=857507640&single=true

Darkode Shutdown: FireEye Intern Accused Of Creating $65,000 Android Malware

Although it’s long been assumed that some of those who work on defensive products also moonlight as malware authors, I don’t know of any cases of it being revealed until now. In this case someone had interned at FireEye for two summers, and some of that time overlapped with the selling of this malware.

  • http://www.forbes.com/sites/thomasbrewster/2015/07/15/fireeye-intern-dendroid-charges/

Hacking Team hack

More fallout from the Hacking Team leak.

  • Serge: In what has now become an infosec meme, it was learned that during one of the Hacking Team customer demos, someone named Serge distracted the potential customer while the other employee clicked through or white-listed antivirus pop-ups that were occurring for their malware.
    • https://wikileaks.org/hackingteam/emails/emailid/19213
  • After the kernel exploit, this post shows what HT did once they had privileges.
    • http://labs.lastline.com/catching-the-hacking-teams-system-access-token-thief-red-handed
  • BIOS rootkit: Hacking Team can maintain persistence on Windows systems even if they are wiped, by re-installing their malware from the BIOS once Windows has been re-installed on the system.
    • http://www.intelsecurity.com/advanced-threat-research/blog.html
    • http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/
  • Android exploit (uses old exploits: CVE-2011-1202, CVE-2012-2825, CVE-2012-2871).
    • https://translate.google.com/translate?act=url&depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://security.tencent.com/index.php/blog/msg/87
  • Compiling:
    • The OSX malware: https://objective-see.com/blog.html#blogEntry6
    • The Windows malware: http://hyperionbristol.co.uk/hacking-team-galileo-rcs-repurposing-espionage-software/
    • The server: http://hyperionbristol.co.uk/galileo-rcs-installing-the-entire-espionage-platform/
  • IE exploit (CVE-2015-2425):
    • http://blog.trendmicro.com/trendlabs-security-intelligence/gifts-from-hacking-team-continue-ie-zero-day-added-to-mix/
    • http://blog.vectranetworks.com/blog/microsoft-internet-explorer-11-zero-day
  • Windows phone implant:
    • https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fdrops.wooyun.org%2Ftips%2F7196&edit-text=&act=url

Windows issues

Outside of Hacking Team, more vulns have been discovered and explained.

  • Use-After-Free win32k.sys vulns.
    • http://breakingmalware.com/vulnerabilities/class-dismissed-4-use-after-free-vulnerabilities-in-windows/
  • Hyper-V Buffer overflow: No write-up, but this one is important because Microsoft is acknowledging the work of one of their own employees (Thomas Garnier) for finding it.
    • https://technet.microsoft.com/library/security/dn903755.aspx

Apple issues

  • Attacking the XNU Kernel For Fun And Profit – Part 2: Discussion of iOS and OSX hardening features and the exploitation of a kernel escalation vuln.
    • http://blog.qwertyoruiop.com/?p=48
  • OSX and iOS Font Parsing Vulnerabilities: Font vulnerabilities aren’t just a Windows thing anymore. This post discusses a little about some vulns found in Apple OSX and iOS.
    • http://yahoo-security.tumblr.com/post/123981052855/font-parsing-vulnerabilities

Flash issues

  • A global perspective on computer usage is valuable and in countries outside the US, the software used can vary greatly. In China, there are modified versions of Chrome and IE that run without a sandbox and with outdated Flash integrated in.
    • http://justhaifei1.blogspot.com/2015/04/integrating-outdated-flash-is-bad-idea.html
  • Google’s Project Zero team helped add mitigations to Flash recently to help Adobe with their whack-a-mole vuln problem. They have issued 4 updates in the past month and a half, resulting in Mozilla deciding to disable Flash in Firefox for a few days while Flash put out yet another patch for one of the zero day exploits found in the Hacking Team dump.
    • http://googleprojectzero.blogspot.com/2015/07/significant-flash-exploit-mitigations_16.html

SSL issues

  • The POODLE has friends: More SSL issues have been found, this time not in OpenSSL or the protocol, but in other implementations. This includes Cisco SSL VPNs and F5 servers.
    • https://vivaldi.net/en-US/blogs/entry/the-poodle-has-friends
  • RC4 NOMORE: It’s now widely agreed that RC4 should no longer be allowed in HTTPS and this paper goes into further depth.
    • http://www.rc4nomore.com/

Business

  • Rapid7 IPO’d: Rapid7, the maker of Metasploit, IPO’d on Friday using the ticker RPD, and jumped up 58% before the close.
  • CounterTack acquires ManTech Cyber Solutions International: CounterTack sells an end-point detection and response product. ManTech is a large publicly traded government contractor, so what was bought was a subset of their business. ManTech Cyber Solutions International is a piece of ManTech that develops commercial software, and is a renaming of HBGary from when it was bought by ManTech in 2012.
  • Crowdstrike’s $100M round: Crowdstrike’s recent $100M rumored round was announced this week as reality, and it wasn’t solely Google Capital investing, but also included Rackspace, Accel and Warburg Pincus.
  • UK giving £5,000 to SMEs to obtain cyber security advice: The UK has decided to address cyber security with the “throw money at the problem” option. The UK “will offer SMEs up to £5,000 for specialist advice on how to improve their cyber security and protection for intellectual property (IP).”
  • Software bug prompts Range Rover recall: Keyless entry and ignition systems on Range Rovers have vulnerabilities that allow car thieves to steal them. Other cars are also susceptible, but have not yet been recalled.

Conference materials and publications

  • SPHINCS: practical stateless hash-based signatures: Paper from DJB and others on a “post-quantum stateless hash-based signature scheme that signs hundreds of messages per second”.
  • Modern Binary Exploitation - CSCI 4968: All course materials are now up online for the class at RPI that taught vuln research, reverse engineering, and exploit development for Linux targets with mitigations enabled.
  • Defcon Russia: This Russian infosec conference apparently is releasing some of its talks prior to the actual conference, which will occur in September. Some are in Russian, but the following is in English and worth skimming.

Tools

  • Sleepy Puppy: This tool helps audit for blind XSS. The concept here is that in blind XSS the attacker is getting javascript to execute in contexts that they don’t know about. For example, they send some javascript through a support form that gets read in a different application by the support staff and the javascript gets executed there. This might happen days later. This project helps to keep track of where blind XSS attempts were submitted and also includes in the javascript the ability to screenshot the browsing session and beacon it home.
  • Building reliable SMM backdoor for UEFI based platforms: Discussion and code for an SMM backdoor for UEFI based platforms.
  • NSA on github: The NSA is no stranger to releasing open-source tools, having developed and released SELinux back in 2000. However, this is their first release of code up on Github (at https://github.com/NationalSecurityAgency/SIMP), but unfortunately, my take is it’s not going to be useful for anyone. Their use of Github is odd, with the repo at /NationalSecurityAgency/SIMP redirecting people to a different group of repos at /SIMP, which has around 100 repos, none of which contain code in the master branch, but rather in versioned branches within. Confused? I am. The end result of this project is to be able to use Puppet to set up and check the configs of various services.

Other reads

  • How We Fared in the Cyber Grand Challenge: Much of this post is about the Cyber Grand Challenge event and results, but what I find most interesting is the description of how their solution actually worked in the sections “Bug Finding” and “Patching”.
  • Trend Micro Threat Intelligence Manager RCE: By chaining three trivial vulnerabilities together it is possible for a remote attacker to get RCE on this Trend Micro security solution.
  • Security for building modern web apps: A lot of actually useful advice for web app development.
  • Golang security: If you have, or are building, a Golang webservice, these posts (one and two) are worth reading.
  • Windows 10 security features: Although this post is largely an advertisement for Bromium, it does collect info about the various security features of Windows 10 into one place. Also, some documentation from Microsoft has been created for a new mitigation in Windows 10 to only allow trusted fonts.
  • Email security: Advice from Ben Nagy on how to use mutt, GPG, and gmail for security, and advice from the grugq on how to use PGP in general.
  • Exchange between Dino A. Dai Zovi, Aaron Portnoy, and Claudio: A lot of infosec communication happens on twitter. This exchange is worth reading and surprisingly one of the most cordial and professional arguments you’re likely to ever see online between groups with such different views. On one side are Dino A. Dai Zovi and Aaron Portnoy, who have businesses with ties to the offensive infosec research world, and on the other is Claudio, who has released a lot of open-source defensive tools, and who is more of an idealist (his own self-description).