Downclimb: Summit Route’s Weekly Infosec News Recap
2016.08.07 – 2016.08.14: https://SummitRoute.com
To receive a weekly email notification of this newsletter, email scott@summitroute.com
Quotes
“Remember when spam was exciting? Nigerian princes and rich dead uncles? Now it’s all invoices, receipts, and documents from my scanner.” Ted Unangst
“Apple tends to treat security issues as marketing issues. The brand must be protected. Products are augmented with a shiny dream reality where everything just works and problems do not exist. There are no security problems, so there is no need to check for security problems” Ben Fuhrmannek of SektionEins on Apple pulling their app that from the AppStore that checks if the phone was jailbroken
“In none of the targeted attacks me and @CDA observed against Iranian civil society we found a 0day used. Mostly no “exploit” at all in fact. Besides the usual .scr, we see a variety of Office tricks, and embedding of PowerShell in a variety of file formats (e.g. LNK) as well as repackaging of legitimate software. […] Surely, there’s a lot of human mistakes involved, but as long as we enable e.g. executing embedded EXEs through PowerPoint animations the human mistakes seem more tolerable, and development and employment of exploits way less “profitable”. Most of the tricks I observe used for infection also have the “advantage” of requiring way less situational awareness from the attacker which significantly reduces costs and improve success rate for attackers […] In some sadistic way, I wish we’d be in a place where exploits were really required, at least it would sensibly increase costs for attacks.” @botherder
Top stories
On Cybersecurity and Being Targeted
This post describes an attempted attack where the victim realized that an attacker had taken over their DNS account, in order to modify the DNS settings for their email, so they could intercept a password reset email from Github in an attempt to takeover their account there. Luckily the victim had 2FA on their Github account. The near-victim is the author of the Python Requests library (50K stars on Github), which may have been the target, or it could be due to them working at Heroku (part of Salesforce) to get at some secrets in their code. This story high-lights the importance of 2FA for account protection, the need for end-to-end encryption on emails, and the dangers of account recovery methods.
This story also high-lights the dangers of libraries being backdoored. If the Requests library did have malicious code inserted into it, there are likely many developers and CI systems that would have pulled this and ended up executing it on production systems for other companies. The best mitigation against an attack like this is to locally host your own package repos, such that hopefully there is enough of a delay between the attack occurring and it being discovered that your local repos will not have been updated with the malicious code. Doing this however, requires vigilance in updating the repo to ensure any security related patches are pulled.
ProjectSauron
ProjectSauron, aka Strider, is a new APT group discovered by Kaspersky and Symantec, with the name of the attack tools referred to as Remsec. It has ties with Flame, specifically it’s use of a Lua interpreter (which they improved to support Unicode). Highlights from the report:
- Discovered by Kaspersky from anomalous network traffic in a government organization network. Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server. Discovered by Symantec from “a customer who submitted it following its detection by [their] behavioral engine.”
- It sprawled out through networks via modified scripts the admin’s were already using to deploy software.
- Kaspersky’s report provides IOCs for strings to search for in memory, as file hash searches are unlikely to uncover anything.
- Executables are as small as 5K. Kaspersky, with regards to another aspect of the malware, remarked “the developers of the ProjectSauron modules are […] old school hackers”.
- After the release of their report, Qihoo 360 announced (in Chinese) that they then were able to discover this same group on a number of the customers they monitor.
Data Breach At Oracle’s MICROS Point-of-Sale Division
Krebs broke news that Oracle’s Point-of-Sale division (one of the top 3 point-of-sale vendors globally) has been breached (link). Through this, the attackers may have compromised the point-of-sale systems of Oracle’s customers. Visa issued a security alert warning these customers to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices (link). Both Krebs and Visa have released seperate sets of IOCs for this attacker.
Equities processes
There has been a lot of discussion in the past regarding the vulnerability equities process, which questions how one should disclose vulnerabilities, and should places like intelligence agencies disclose vulnerabilities at all that they find that they might wish to use to spy on targets. Less frequently discussed is a similar equities process for discoveries of threat actors. Some examples:
- Brian Kreb’s mentioned that he had received IOCs for the Oracle breach prior to his announcement of them, but was asked to delay publication of them during the on-going investigation.
- Congressional leaders were briefed a year ago on hacking of Democrats.
- @da_667 also discusses this on his post this week Cat and Mouse: The Effects of Threat Research on Nation-State Actors
The concern here as da_667 states is:
“How long do I lay low to see if I can find additional implants, modules, tools, targets, and/or C2 the actor uses? How long can I stay under the radar and observe these actors without them knowing I’m watching?”
Announcing a finding immediately might help some victims, but it also means that the attackers will better know how to hide before the investigators and defenders can learn as much as possible from them. Further, when they do make the announcement, they need to consider should they release every IOC they have, tipping their hand of what they’ve discovered thus far, and should they describe all their methods of detections or only some? This is an interesting concept to consider, similar to the The Coventry Conundrum of Threat Intelligence.
I should mention that the write-up from da_667 also touches on other concepts, by starting with some history of APT reports, and finally explains a bit about why we keep seeing these reports that often have little useful information in them and always point to nation states:
“The company gets their insurance money, the IR firm that investigated the breach looks like fucking rockstars (and they get to publish a report stating how advanced and sophisticated the actors were, while neglecting to mention the piss poor security in place) and everyone gets paid. Sophisticated, advanced, nation-state hackers means money all around.”
Business
- FireEye to Lay Off Hundreds, Blames Ransomware: FireEye announced it will be laying off 300-400 of it’s employees in it’s earning call as a result of less revenue due to fewer APT related engagements and more ransomware related incidents which are easier and less profitable for the IR firm.
Conference materials and publications
- Defcon slides: This massive conference takes place annually in Las Vegas.
- USENIX security papers and WOOT papers: USENIX Security and WOOT (USENIX Workshop On Offensive Technologies), took place in Austin, TX this week. Some high-lights:
- 2016 Internet Defense Prize Winner Brings New Hope for Post-Quantum Key Exchange: Facebook awarded the 2016 Internet Defense Prize to the authors of “Post-Quantum Key Exchange - A New Hope.” This prize of $100K goes to researchers that “combine a working prototype with significant contributions to the security of the Internet, particularly in the areas of protection and defense.”
- Flip Feng Shui: a new exploitation vector that allows an attacker virtual machine (VM) to flip a bit in a memory page of a victim VM using Rowhammer with example attacks on obtaining a private OpenSSH RSA key and compromising an apt-get download.
- emf videos: This conference/camping trip took place in the UK. Highlight:
- A flaw in Microsoft’s secure boot was disclosed at this conference. Although no video recording was made, a write-up exists here.
- HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol: Imperva report on HTTP/2 and issues discovered in it’s implementations.
Tools
- IDA 6.95: IDA now has a PowerPC decompiler and an iPhone debugger.
- jzdziarski/FlockFlock: File access policy enforcement for macOS, stil under development.
- WhatsYourSign: New tool from Objective-See to add a right-click menu option in the macOS UI to see the signing information for a file.
- mwrlabs/needle: iOS Security Testing Framework to resolve the curent problem of needing many tools to assess the security of iOS apps by providing a “one stop shop” framework.
- kiwiz/411: Etsy released what looks like an alternative to Yelp’s ElastAlert for scheduling queries to generate alerts, along with a UI to go with it.
Other reads
- Shade: not by encryption alone: In this article from Kaspersky, a ransomware family currently infecting computers in Russia, will check if the current user is suspected to be an accountant, and if so, it will install a RAT instead of encrypting files, so that the attackers can attempt to extract more money from the victim than ransomware would.
- freebsd-update and portsnap users still at risk of compromise: Someone is dumping some advanced MiTM exploits against and corresponding defenses for FreeBSD updates.
- ACISM: Aho-Corasick using an Interleaved State-transition Matrix: It’s rare in infosec, or almost any software development these days, to get a chance to nerd out on data structures and algorithms that actually have a worthwhile performance improvement, especially in mature projects that have shaken out a lot of the low hanging fruit, but “YARA 3.5 is 2.6X faster than YARA 3.4” according to it’s author @plusvic due to this paper.
- RedBalloonShenanigans/MonitorDarkly: This repo contains the exploit for the Dell 2410U monitor. By exploiting the monitor, the attacker has the ability to read and modify pixels displayed on the screen.