Downclimb: Summit Route’s Weekly Infosec News Recap
2015.09.27 – 2015.10.04: https://SummitRoute.com
Quotes
“If you must read the rest of this document to understand the behavior of your program, you are being too clever.” The Go Memory Model
“random thought: we, the hax community, hacked cars for fun and giggles, but we didn’t see the Volkswagen’s backdoor. We missed the priority” @izsh1911
“In 2012, answering this question incorrectly meant that you were infected by RCS malware. Life or death over a modal.” the grugq on an Apple dialog box asking to install an applet, which was Hacking Team’s infection vector
“I’d pay to see the look on the faces of these “Embedded vuln scanner” guys when they realize you can’t scan ICS/Medtech w/out crashin most. Mark my words you’re not gonna create the ‘Nessus’ or ‘Qualys’ of ICS/SCADA. The tech is diff. Scan any RS485->Ethernet bridge. It hangs.” Stephen A. Ridley
“Just wondering, does National Cybersecurity Awareness mean 31 days of breach notifications? I don’t like this holiday.” @Kym_Possible
“OH: ‘Security people are now exploiting investors. Software is too hard.’” @quine
Top stories
Threat group targeting IR teams
This story from Kaspersky describes a threat group in the Middle East and North Africa that is targeting IT and Incident Response staff. Their tools and tactics are pretty basic, sending RATs like XtremeRAT and PoisonIvy, but their targets are more interesting, since they are using filenames like “Hex_Workshop_Hex_Editor-o.exe” and “PE-Explorr.exe” for their RATs. These targetted groups are quite valuable to attackers because of their level of access, and for the IR teams you can monitor them to avoid being caught.
- https://securelist.com/blog/research/72283/gaza-cybergang-wheres-your-ir-team/
ATM Skimmer Gang Firebombed Antivirus Firm
Russian antivirus firm Dr.Web received physical threats after posting a write-up about malware designed to steal card data from infected ATMs. The threats were followed through with via an attack against a third-party company that distributes Dr. Web’s software by throwing a Molotov cocktail at the office (minimal damage, no injuries). Although there have always been ties between criminals’ online and offline activities, this is a scary reminder to security researchers that impacting the revenue of these organizations in cyberspace can have real-world retributions.
- http://krebsonsecurity.com/2015/09/atm-skimmer-gang-firebombed-antivirus-firm/
Router worm protecting routers
First discovered in 2014, Linux.Wifatch is infecting IoT devices of various architectures, and creating a P2P network of them from which it distributes threat updates to protect the devices. No mention was made of what type of protections it is using, other than killing the telnet daemon and rebooting devices (potentially to kill off other infections that don’t persist). It seems to infect via weak credentials on the devices and infects ARM, MIPS, PowerPC, and x86 (it has to carry it’s own Perl interpreter to these devices). Tens of thousand of infections exist, but no malicious purpose has yet been discovered.
- http://www.symantec.com/connect/ko/blogs/there-internet-things-vigilante-out-there
OSX 10.11 Released with System Integrity Protection
Named El Capitan, this release of Apple’s operating system brings with it System Integrity Protection (SIP) which has been referred to by some misleadingly as “rootless”. This adds the following restrictions, even as the root user:
- You can’t modify anything in /System, /bin, /sbin, or /usr (except /usr/local).
- You can’t attach to system processes.
- You can’t load kernel extensions (kexts) unless they’re properly signed (i.e. by Apple or an Apple-approved developer).
This is a big step for Apple in realizing that they have the same malware problems as Windows. Similar technologies have existed in Windows for nearly a decade:
- Restricting access to system files is much like Windows File Protection (from Windows 2000 and Windows ME).
- Denying debugging of system processes is like Protected Processes (from Windows Vista, but this was primarily introduced for DRM reasons).
- Only allowing signed drivers to be loaded was introduced in Windows XP x64.
These technologies have perhaps impeded Windows malware, but by no means have been effective in stopping them. Although I support defense-in-depth and generally any obstacles for attackers, I suspect the biggest impact of this will simply be a new category of talks for conferences.
- Apple’s SIP documentation
- Ars Technica explores SIP and some other security features such as enforcing stronger TLS on apps.
Fuzzing for MS15-010
This post is conceptually interesting as it shows how to use a patch for directed fuzzing. Even knowing you have a security patch it can sometimes be difficult to identify the original vuln and work towards an exploit.
- http://blog.beyondtrust.com/fuzzing-for-ms15-010
Business
- Cisco acquires Portcullis: Portcullis is a UK-based cybersecurity consultancy.
- Raytheon wins $1B contract to battle cyber attacks on US agencies: The Department of Homeland Security awarded Raytheon a $1B contract to protect more than 100 federal civilian agencies.
Newspaper news
- OPM fallout:
- CIA puled officers from Beijing dues to OPM breach: We’ve all recognized that the OPM breach would be bad for covert intelligence. In all likelihood, China already knew who any CIA personnel were and this article is just making a political statement.
- Stolen fingerprints: Schneir discusses the unique concerns of 4.6M US government employee fingerprints having been stolen as part of the OPM breach. Specifically, as opposed to credentials, biometrics can’t be changed.
- RAR “vuln”: A “vulnerability” was disclosed in WinRAR allowing for code execution when extracting SFX files. SFX files are SelF-eXtracting files, meaning they are just executables, just like any other .exe file. This may be unknown functionality (even the PoC was much more complicated than it needed to be), but it’s not a vulnerability as the WinRAR site explains.
- Car brothel: This story is about how you could modify a car to infect dealerships and mechanic shops that it goes to, which then in turn infects the cars that visits those shops.
- T-Mobile breach: Customer data for 15M customers was compromised due to T-Mobile’s ties with Experian who was breached. I don’t normally report on breaches, but this one is interesting as the data was stolen by going after a third-party that people didn’t realize their data was going to.
- Test update for Windows accidentally published: People freaked out a bit when they saw a Windows update with a randomly generated name. No one actually received the update and it appears to have only been a test gone bad. This is scary since if Microsoft’s update service get’s owned, hundreds of millions of systems would be compromised, but no such problem seems to have occurred. Even a mistake in the update procedure though is cause for concern.
Conference materials and publications
- VB2015 slides: VirusBulletin is an annual conference that moves around and was in Prague this year.
- Advanced Threat Tactics: 6 hours of material going over different attack tactics.
- Hack in Paris videos: Conference in Paris in June.
- DFRWS 2015 EU slides and papers: Conference focused on forensics in Dublin from March (I don’t know when slides were posted). One interesting presentation is this one on TOR browser forensics.
Tools
- Qubes 3.0: Qubes is an operating system to provide isolation between applications by running them in their own Xen virtualization. This release primarily focuses on better abstraction layers under the covers, and better testing and making it a little easier to use.
- Cuckoo for OSX: As part of a Google Summer of Code project, a work-in-progress of a port of Cuckoo Sandbox to OSX has been created. Description of the project here.
- M/o/Vfuscator: M/o/Vfuscator 2.0 is a complete single-instruction C compiler that compiles programs into only “mov” instructions, or only one of the following Turing complete instructions: XOR, SUB, ADD, XADD, ADC, SBB, AND/OR, PUSH/POP, 1-bit shifts, or CMPXCHG/XCHG. This would make reversing a very painful ordeal.
Other reads
- An interesting detail about Control Flow Guard: Shows a real-life workaround for Control Flow Guard by finding a function that expects to call a cdecl function pointer, but feeding it a stdcall function.
- TrueCrypt EoP: Some vulns in TrueCrypt for Windows found, but they are just escalation of privilege vulns that require initial code execution.
- Hybrid Decompilation: Joe Security discusses the benefits for reverse engineering of running decompilation on memory snapshots as opposed to the initial PE file.