Downclimb: Summit Route's Weekly Cyber News Recap
2015.07.26 – 2015.08.02: https://SummitRoute.com
"if you're supposedly my adversary (i.e. on team defense) and yet you're sitting right alongside me going "oooh" and "aaah" at whichever software vulnerability then you're probably in the wrong place, or ... I suppose ... maybe just in the wrong time." Bas Alberts
"It’s like breaking into an apartment by repeatedly slamming a neighbor’s door until the vibrations open the door you were after" Alix Jean-Pharuns on Rowhammer
"Google paid $1,337 for Android RCE via MMS aka Stagefright, we pay up to $100,000 for such exploits. We pay big bounties, not bug bounties!" Zerodium
"I might be a little old fashioned, but where I come from we don't write public advisories for NULL pointer dereference bugs." jduck in reference to Trend Micro trying to jump on the media blitz around Stagefright by announcing a weaker Android bug they found.
"Honestly if you're savvy enough to seed your password database with JtR 0day you've kinda earned that shell" Dan Kaminsky in response to Solar Designer mentioning they had fuzzed John the Ripper for vulns
"somewhere hackers are hacking, and they've got shit to do. None of which includes telling you about it at blackhat or anywhere else." Bas Alberts
Monitoring emails and phishing
Phishing emails that ask someone to wire money are nothing new, but in this twist, the attackers are first gaining access to the mail servers, identifying real business emails involving wire transfers, and then modifying those to direct where wire transfers should be made.
Stagefright is both the name of the media playback engine in Android and the name of the exploit which is composed of 7 vulns: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829. It uses specially crafted MMS (multimedia messages) and affects Android phones since 2.2 (released in 2010), meaning nearly every Android phone. It was disclosed to Google months ago, and Google fixed it, but because the Android market is so fractured and the various vendors don't often provide patches, many people will be vulnerable until they buy a new phone.
The original post broke the story, but for details, the best place to look is the Chinese blogs[2,3], and if you want to do some ambulance chasing there is a fuzzer[4,5] already built for this library.
- Blog post: http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
- Discussion of the individual vulns and patches: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F7558&edit-text=&act=url
- A POC exploit: https://translate.google.com/translate?hl=en&ie=UTF8&prev=_t&sl=zh-CN&tl=en&u=http://drops.wooyun.org/papers/7557
- Fuzzing framework for StageFright from someone else: https://github.com/fuzzing/MFFA
- Paper on the fuzzer: http://events.linuxfoundation.org/sites/events/files/slides/ABS2015.pdf
Yahoo's Bounty Stats
Quick stats from Yahoo's bug bounty. They've received 10K submissions, of which 15% were awarded, and have paid out $1M+. 50% of the submissions are from the top 6% of contributors.
- Cylance announces $42M Series C: There is a saying in infosec: "Those who use machine learning for security are doing neither." Cylance is an antivirus vendor that uses machine learning.
- BitDefender hacked: The antivirus vendor BitDefender has been hacked, and usernames and plain-text passwords for its customers have been compromised.
Conference materials and publications
- Infiltrate videos: Infiltrate is an infosec conference focused on offensive research (which is actually all infosec conferences, but at least Infiltrate is honest about it). This is the first time they've released videos.
- One font vulnerability to rule them all #1: Introducing the BLEND vulnerability: Massive post from J00ru at Google P0 discussing the history of fonts on computers.
- Technical Details of the S3 Resume Boot Script Vulnerability: Discussion of a vuln in EFI based system firmware and platform configuration when resuming from the S3 sleep state.
- WDK 10 and symbols: The Windows Driver Kit (WDK) for Windows 10 is now available along with symbols for the official Windows 10 release.
- libbdvmi: BitDefender has open-sourced their library for x86 virtual machine introspection on Xen. Intro post here. This library is similar to LibVMI: it lets you inspect the memory of a running virtual machine from outside the guest. BitDefender doesn't state their use case, but one possibility is analyzing malware or exploits by running them in a VM and then inspecting them with this library. It's really cool to see an AV company open-sourcing some of their work.
- BinDiff: New version of the IDA Pro diff'ing plugin is now available with support for Arm64.
- Picon: Control Flow Integrity protection implemented as a modified LLVM compiler along with a monitor application that enforces execution integrity. Intro post here. This is an alternative to the NSA's library released last week.
- Operation Potao Express: Report from ESET on a malware campaign in Ukraine and the nation of Georgia that used trojaned TrueCrypt binaries.
- Compromised by Endpoint Protection: Discussion of a series of vulns found in Symantec Endpoint Protection that led to the full compromise of a network using that product, beginning with compromise of the management server via poorly implemented password reset functionality.
- CVE-2015-0097: Office can open documents as HTML files which can then write to disk allowing them to write malware to the user's start-up directory and persist.
- Flash threats not just in the browser: Flash vulns are being exploited via Outlook emails and Word documents, since both can render the same content that Internet Explorer can, Flash included.
- Black Vine: Report on the Anthem hackers which calls out a specific company in China named Topsec that Symantec believes is behind the attack.