Weekly infosec news summary for 2016.12.25 – 2017.01.01
"the speed at which most help desks need to operate prevents every single administrative action they take from being secured like a consensus driven, multi-factor nuclear launch system" Ryan McGeehan
GRIZZLY STEPPE: Retaliation against the Russians for their involvement with the US election
The US government took action against Russia this week over its hacking-related involvement in the US election. The President issued an Executive Order under which the Treasury Department added 35 people and organizations to its Specially Designated Nationals and Blocked Persons list (link), and US-CERT published IOCs (IPs, domains, hashes, and a YARA signature) for the threat, which it named GRIZZLY STEPPE (link). Both actions were weak. The blocked persons include two people who were already on the FBI's most wanted list, plus executives of the GRU and FSB (Russian intelligence agencies); these people should already have been sanctioned in some way, or otherwise cannot be touched because they don't travel to the US or hold property the US could seize. Some companies and property were also named, but the financial impact will be minimal, since the people behind those companies can set up new shell companies as needed. The CERT's IOCs were prone to false positives, including IPs of known proxies and Tor nodes, and the YARA signature matches a public, generic PHP web shell used by many attackers. The result is that the IOCs are of little to no use to anyone other than, possibly, politicians. Between the punishment and the IOCs, this was a let-down for many.
The President also signed into law the National Defense Authorization Act for Fiscal Year 2017, the annual budget authorization for the military. It also includes various new directives, and way down in Section 1287 is the establishment of the "Global Engagement Center", which some jokingly call the Ministry of Truth (a reference to the book 1984) but which is needed to counter the threats the GRIZZLY STEPPE campaign created. From the bill, "The purpose of the Center shall be to lead, synchronize, and coordinate efforts of the Federal Government to recognize, understand, expose, and counter foreign state and non-state propaganda and disinformation efforts aimed at undermining United States national security interests. ... The Center shall ... support the development and dissemination of fact-based narratives and analysis to counter propaganda and disinformation directed at the United States and United States allies and partner nations." The center will receive about $60M for 2017.
Also included in this bill is Section 923, which elevates Cyber Command to a unified combatant command, a step toward separating it from the NSA. Cyber Command was formed in 2009 and has been co-located with, and led by the director of, the NSA; it is an armed forces organization whose mission is pursuing cyber-related activities specifically for the military (including defense), whereas the NSA is an intelligence organization. To phrase this differently, Cyber Command is focused on being able to disrupt or destroy enemy infrastructure as needed, whereas the NSA just wants to know about everything the enemy is doing without taking action on it.
On Christmas day an RCE vuln was disclosed in PHPMailer, which is used by pretty much every PHP app (e.g. WordPress, Drupal, SugarCRM, and Joomla) (link). Although the library is used in many apps, it's unclear which of those applications can actually be exploited, as the vuln requires the attacker to control the 'from' address that PHPMailer passes to sendmail as the envelope sender. A patch was put out but quickly bypassed (link). A very similar vuln was disclosed in a different PHP app, Roundcube, a month earlier (link).
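The bug class behind the PHPMailer issue is sendmail argument injection through the sender address. The following is an added illustration, not PHPMailer's code: it models the data flow the disclosure described (user-controlled "from" address becomes the argument of sendmail's `-f` option, the command line passes through PHP's `escapeshellcmd()` and then through `/bin/sh`) and shows why an address that passes an "is this an email address?" check can still smuggle extra sendmail options such as `-X` (write a log file). The `php_escapeshellcmd` helper is a Python re-implementation of PHP's documented escaping rules and is assumed faithful for the characters used here; the attack address, paths and file names are constructed samples in the shape of the public proof of concept.

```python
"""Sender-address argument injection (added example, not PHPMailer code)."""
import re
import shlex

SENDMAIL = ["/usr/sbin/sendmail", "-t", "-i"]

# Loose check in the spirit of FILTER_VALIDATE_EMAIL: RFC 5322 allows a quoted
# local part containing spaces and escaped quotes, which is what the injection relies on.
LOOSE = re.compile(r'^(?:"(?:[^"\\]|\\.)*"|[A-Za-z0-9._%+-]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')

# Strict allowlist: dot-atom local part only, no quotes and no whitespace.
STRICT = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def php_escapeshellcmd(s: str) -> str:
    """Python re-implementation of PHP escapeshellcmd() (assumed faithful here):
    metacharacters get a backslash; a quote is escaped only when it has no
    matching partner later in the string, so a pair of quotes survives intact."""
    out, partner = [], None
    for i, c in enumerate(s):
        if c in "\"'":
            if partner is None:
                j = s.find(c, i + 1)
                if j == -1:
                    out.append("\\")
                else:
                    partner = j
            elif partner == i:
                partner = None
            else:
                out.append("\\")
            out.append(c)
        elif c in "#&;`|*?~<>^()[]{}$\\\n\xff":
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def argv_via_shell(sender: str) -> list[str]:
    """What sendmail actually receives when '-f' + sender is appended to the
    command, escaped with escapeshellcmd() and then tokenised by a POSIX shell."""
    return shlex.split(" ".join(SENDMAIL) + " " + php_escapeshellcmd("-f" + sender))


def is_shell_safe(sender: str) -> bool:
    """True only for addresses whose characters cannot change command-line tokenisation."""
    return STRICT.match(sender) is not None


def argv_without_shell(sender: str) -> list[str]:
    """Hardened path: strict allowlist plus an argv list, so no shell ever
    re-tokenises the sender and '-f<sender>' stays a single argument."""
    if not is_shell_safe(sender):
        raise ValueError(f"sender not shell-safe: {sender!r}")
    return SENDMAIL + ["-f" + sender]


# Constructed attack address (shape of the public PoC; paths are illustrative).
EVIL = '"attacker\\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com'

if __name__ == "__main__":
    print("loose check accepts:", LOOSE.match(EVIL) is not None)
    print("sendmail argv via shell:", argv_via_shell(EVIL))   # contains -oQ and -X options
    print("safe argv:", argv_without_shell("alice@example.com"))
```

Run it and compare the two argv lists: the shell path hands sendmail a `-X` option pointing at a web-served path, while the hardened path refuses the address outright and would pass any accepted address as one argv entry.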
Switcher: Android joins the "attack-the-router" club
Kaspersky reports on an Android app that, instead of attacking the user directly, goes after the router the device connects to (link). When an Android device with this app installed connects to Wi-Fi, the app tries to brute-force the router's admin page. Once in, it changes the router's DNS settings to point at attacker-controlled DNS servers. No information is provided about what the rogue DNS servers are then used for. This is an interesting attack because it affects not only the infected device but every other user on the network.
- Three Chinese citizens charged with hacking law firms: The men were charged with trading on confidential corporate information obtained by hacking into the networks and servers of law firms working on mergers, including deals involving Intel Corp and Pitney Bowes Inc. This follows news from March of law firms being hacked (link) and an FBI notice at the time about this threat to law firms (link).
- comaeio/Hibr2Bin: Matt Suiche of Comae Technologies (formerly of MoonSols, a forensics company) has released a tool for decompressing Windows hibernation files (hiberfil.sys) so their contents can be analyzed.
Conference materials and publications
- ekoparty videos: Videos from the conference held in Argentina in October.
- 33c3 videos: Videos from the Chaos Communication Congress, held this past week in Germany.
- Learning from the Expedia Heist: Ryan McGeehan discusses the problem of when an IT admin is the inside threat against a company.
- Let’s talk about CFI: Microsoft Edition: Trail of Bits follows up on their October post looking at CFI (control flow integrity) in Clang on Linux (link), and now looks at the Visual Studio and Windows implementation (Control Flow Guard). They also included code samples (link). To test whether applications are compiled with CFI on Windows, you can use my tool Serene.
- Format string issue for Python: This post shows how format string vulns apply to Python: not to get RCE, but to expose otherwise secret information, since a user-controlled format string can walk attributes of the objects passed to it and reach variables the application never meant to print.
- How to bypass CSP nonces with DOM XSS: This post provides a history of Content Security Policy and bypasses, and then shows a new proof-of-concept bypass.
- With the start of a new year, it's a good time to reflect on what went well and what went poorly last year, and what your goals are to improve things this coming year.
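The "Format string issue for Python" post above is about `str.format()` with an attacker-controlled template. The following added example (not code from the post) shows the leak and one way to close it: a template can walk attributes (`{0.x}`) and items (`{0[k]}`), so from any ordinary object it can reach a method's `__globals__` and read module-level secrets. The `Greeting` class, the `API_TOKEN` secret and the templates are constructed for the demonstration, and `SafeFormatter` is an illustrative hardening, not a library API.

```python
"""Python format-string information leak and a restricted formatter (added example)."""
import string

API_TOKEN = "constructed-secret-token"   # a module global the app never prints on purpose


class Greeting:
    """Any ordinary object will do: its methods are reachable as attributes
    and each bound method exposes the defining function's __globals__."""
    def __init__(self, name: str) -> None:
        self.name = name


def render_unsafe(template: str, obj: Greeting) -> str:
    """The vulnerable pattern: user-controlled template, application object as argument."""
    return template.format(obj)


def is_template_safe(template: str) -> bool:
    """Static check: every replacement field must be a bare keyword name,
    so positional fields, attribute walks and index lookups are all rejected."""
    for _literal, field_name, _spec, _conv in string.Formatter().parse(template):
        if field_name is not None and not field_name.isidentifier():
            return False
    return True


class SafeFormatter(string.Formatter):
    """Resolves only plain keyword fields ("{name}"): no positional args and no
    attribute or index walk, so "{name.__class__}" raises instead of evaluating."""
    def get_field(self, field_name, args, kwargs):
        if not field_name.isidentifier():
            raise ValueError(f"disallowed format field: {field_name!r}")
        return kwargs[field_name], field_name


def render_safe(template: str, obj: Greeting) -> str:
    """Hardened rendering: the template only sees the values we choose to expose."""
    return SafeFormatter().vformat(template, (), {"name": obj.name})


# Constructed attacker template: object -> __init__ method -> that function's
# module globals -> the secret, looked up by key.
LEAK = "{0.__init__.__globals__[API_TOKEN]}"

if __name__ == "__main__":
    user = Greeting("alice")
    print("unsafe:", render_unsafe(LEAK, user))            # prints the token
    print("safe:", render_safe("Hello, {name}!", user))
    print("template check:", is_template_safe(LEAK), is_template_safe("Hi {name}"))
    try:
        render_safe("{name.__class__}", user)
    except ValueError as e:
        print("safe formatter rejects:", e)
```

The same walk works through `{0.__class__.__init__.__globals__...}` or any other method; the fix is not to blocklist dunder names but to stop passing application objects (or positional arguments at all) to an attacker-supplied template.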
To receive a weekly email notification of this newsletter, email firstname.lastname@example.org