Weekly infosec news summary for 2016.09.25 – 2016.10.02
Top stories
Application Guard
Microsoft announced that Windows 10 Enterprise will use Microsoft’s Hyper-V virtualization to virtualize Edge processes, so when one instance of the browser is compromised, it will be contained within its virtual environment and other instances and the rest of the system will be unaffected. They will be extending this to other applications. Until then, Edge seems to have leapfrogged Google Chrome with regard to providing a more isolated sandbox. This technology is similar to what Bromium offers, and Bromium announced that they have partnered with Microsoft, but the benefit of Bromium’s solution will decline as Microsoft extends this to more applications.
Sofacy’s ‘Komplex’ OS X Trojan
Palo Alto discovered that Sofacy (aka APT28/Pawn Storm/Fancy Bear/Sednit/Strontium) is now targeting macOS (link). Palo Alto states that it was first seen delivered through a vulnerability in “the MacKeeper antivirus application” (Note: If you secure a macOS fleet, you should already be treating MacKeeper as malware). That vulnerability can be seen here. It was exploited by what appears to be the same malware as far back as June 2015, based on this post from BAE Systems, who unfortunately never provided enough information about the malware they discovered for others to investigate.
The malware itself opens a PDF for the victim while infecting the system. It proceeds to check whether it is being debugged and whether it has internet connectivity by reaching out to google.com. It uses a multi-byte XOR key for all its strings, and its C2 servers are appleupdate[.]org, apple-iclouds[.]net and itunes-helper[.]net, to which it makes legitimate-looking HTTP POST requests. Based on this information, this is very respectable malware. It shares many similarities with the Windows-based Carberp banking trojan, whose source code was leaked in 2013 and which at a minimum served as inspiration for this.
Business
- Data Breach Insurance Act: This proposed legislation would provide a tax credit of 15% to premiums paid for breach insurance to companies that adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity. This would be the first time to my knowledge that the government would have introduced a carrot or stick for private businesses to abide by that framework, outside of actual critical infrastructure.
- Mozilla will…no longer accept audits carried out by Ernst & Young (Hong Kong): Mozilla will no longer be trusting WoSign and StartCom certificate authorities due to some shadiness from them. This is a win for Certificate Transparency which provided cryptographic evidence of their actions. Also interesting is that Mozilla will no longer accept audits from Ernst & Young (Hong Kong), as this gives an example of an auditor being punished for doing a poor job.
Conference materials and publications
- Derbycon Videos: Conference in Louisville, Kentucky last week.
- Hack In The Box Singapore Videos: Conference in Singapore in late August.
- BSides Manchester Videos: Conference in Manchester, UK in mid-August.
- Crypto 2016 Videos: Conference in Santa Barbara, CA in mid-August.
Tools
- osquery for Windows: Trail of Bits ported Facebook’s osquery to Windows (their write-up here). The osquery project allows you to query information about Linux, macOS, and now Windows systems as SQL, collecting diffs of that information so it can be stored and alerted on more efficiently. The project now has an ecosystem of tools such as doorman for remotely managing osquery instances.
- blacktop/malice: Open-source project so you can host your own VirusTotal clone.
- Project Springfield: Microsoft announced a fuzzing-as-a-service offering for binary files. This is based on their project SAGE. You can see a summary of SAGE here.
- csp-evaluator: Google has now released a service to evaluate Content Security Policies, which they expect to open-source in the coming weeks. More information can be found in their post Reshaping web defenses with strict Content Security Policy.
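To make the osquery item above concrete, here is an added illustration (not osquery’s own code) of the differential logging it performs: the same scheduled query is run repeatedly, consecutive results are compared, and only rows that appeared or disappeared are emitted, which is what keeps storage small and makes alerting a matter of watching for “added” events. The two result sets are constructed sample output of `SELECT pid, port, protocol, address FROM listening_ports;`, not data from a real host, and the event shape is a simplified version of osquery’s (it omits host and time fields).

```python
"""Simplified osquery-style differential logging (added example, not osquery's code)."""
import json

# Constructed sample results of the listening_ports query on two consecutive runs.
RUN_1 = [
    {"pid": "412", "port": "22", "protocol": "6", "address": "0.0.0.0"},
    {"pid": "987", "port": "443", "protocol": "6", "address": "0.0.0.0"},
]
RUN_2 = [
    {"pid": "412", "port": "22", "protocol": "6", "address": "0.0.0.0"},
    {"pid": "2310", "port": "8080", "protocol": "6", "address": "0.0.0.0"},
]


def _row_key(row):
    """Rows are compared as whole tuples so any changed column counts as a new row."""
    return tuple(sorted(row.items()))


def diff_results(previous, current, name="listening_ports"):
    """Return one event per row that was added or removed between two runs.

    Unchanged rows produce nothing, which is the point of differential logging:
    a stable host generates no events at all for a scheduled query.
    """
    before = {_row_key(r): r for r in previous}
    after = {_row_key(r): r for r in current}
    events = []
    for key in after.keys() - before.keys():
        events.append({"name": name, "action": "added", "columns": after[key]})
    for key in before.keys() - after.keys():
        events.append({"name": name, "action": "removed", "columns": before[key]})
    return events


def alert_on_new_listeners(events, expected_ports=("22", "443")):
    """Defender-side rule over the event stream: flag newly added listeners
    on ports that are not part of the host's expected baseline (hypothetical set)."""
    return [
        e["columns"]
        for e in events
        if e["action"] == "added" and e["columns"]["port"] not in expected_ports
    ]


if __name__ == "__main__":
    evs = diff_results(RUN_1, RUN_2)
    for e in evs:
        print(json.dumps(e))
    print("alerts:", alert_on_new_listeners(evs))
```

Running it prints two events (port 8080 added, port 443 removed) and one alert for the unexpected listener; feeding the same result set twice yields nothing, which is the behaviour that makes fleet-wide collection cheap.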
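As an added example for the csp-evaluator item (this is my own minimal checker, not Google’s csp-evaluator, and it implements only a handful of the checks that tool performs), the following Python flags the weaknesses a strict, nonce-based policy is meant to remove: inline scripts allowed without a nonce or hash, `'unsafe-eval'`, overly broad host allowlists, and missing `object-src`/`base-uri` restrictions. It also builds a strict policy in the shape the Google post recommends. The weak policy string is a constructed sample.

```python
"""Minimal CSP weakness checker plus strict-policy builder (added example)."""
import secrets


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def evaluate_csp(header):
    """Return a list of findings; an empty list means the policy passes these checks."""
    policy = parse_csp(header)
    findings = []
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: script execution is unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
        # 'unsafe-inline' is ignored by browsers once a nonce/hash is present,
        # so it is only a finding when nothing stronger backs it up.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in script:
            findings.append("script-src allows 'unsafe-eval'")
        # With 'strict-dynamic', host and scheme sources are ignored, so only
        # check the allowlist when the policy actually relies on it.
        if "'strict-dynamic'" not in script:
            for src in script:
                if src in ("*", "https:", "http:") or src.startswith("*."):
                    findings.append(f"script-src host allowlist is too broad: {src}")
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src should be 'none' (plugins can execute script)")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings


def strict_csp(nonce=None):
    """Build a nonce-based strict policy; the nonce must be fresh for every response.

    'unsafe-inline' and https: are backwards-compatibility fallbacks that
    modern browsers ignore when a nonce and 'strict-dynamic' are present.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    header = (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
        "object-src 'none'; base-uri 'none'"
    )
    return header, nonce


# Constructed sample of a typical allowlist-based policy.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com *.example.net"

if __name__ == "__main__":
    for finding in evaluate_csp(WEAK_CSP):
        print("weak:", finding)
    header, nonce = strict_csp()
    print("strict:", header, "->", evaluate_csp(header) or "no findings")
```

The checker deliberately treats a policy with a nonce and `'strict-dynamic'` as passing even though it still lists `'unsafe-inline'` and `https:`, because that is exactly the compatibility trick the strict-CSP approach relies on; a naive string match for `'unsafe-inline'` would reject the recommended policy.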
Other reads
- An Incident Response Plan for Startups: Ryan McGeehan has a number of blog posts of actionable steps to take to secure companies. You should go back and read through some of his past writings such as Starting Up Security: From Scratch.
- Imitation uBlock Origin app spotted on Chrome Store: This post shows an imitation of the popular browser extension that was discovered and how to identify such malware. Also in the world of malware on Google’s marketplaces, there were stories from Check Point and Trend Micro on 40 and 400, respectively, trojanized Android apps found in the Google Play store using malware called DressCode.
- Control Flow Guard. Principle and workarounds for the example of Adobe Flash Player: (Russian) Summary of how CFG (Control Flow Guard) works, tying together work from various attacks that have been found against it.
To receive a weekly email notification of this newsletter, email scott@summitroute.com