Downclimb

2017.02.19

RSS feed

Weekly infosec news summary for 2017.02.12 – 2017.02.19

Quotes

“Expected behavior: I should see a muscular girl in the JPEG file
Actual behavior: I hear industrial music instead” bug report

 

“a key signing party is basically “bring your children over to get infected with chicken pox”, but for grownup’s laptops” the grugq

 

“Best part of RSA so far: seeing a guy in a tshirt that says “no purchasing authority” sitting by himself in a bar crowded with suits.” @nousie

Top stories

AnC attack against ASLR

VUSec shows how to fully derandomize ASLR from JavaScript (link). In tests on Chrome and Firefox on x86_64 architecture where 36 bits of entropy are possible, on 22 different microarchitectures, they are able to reduce the entropy down to about 6 bits in 20 seconds (depends on browser, and some other details). This is great work where they’ve essentially “broken” ASLR for browsers, but it should be noted that info leaks are very common for browsers so attackers have already been frequently bypassing ASLR, albeit in ways that were previously fixable.

XAgent

This week new mac malware from APT28 (ie. Russians) was discovered. Patrick Wardle has the most extensive write-up on it here. In it he discovers that it shares code with HackingTeam’s Mac malware, whose source code was leaked in 2015. This doesn’t mean that Italy (where HackingTeam was based) is sharing code with Russia, but more likely that the group behind XAgent copy and pasted HackingTeam’s code after it was leaked. This shows the importance of writing signatures for various aspects of attacks, because you never know what tradecraft might be reused, even by different groups.

In addition to this, an internal paper from Google from 2014 on this attack group was leaked, titled Peering into the Aquarium: Analysis of a Sophisticated Multi-Stage Malware Family. The report begins by showing some stats that Google is able to collect from VirusTotal to show where infections are (or at least where samples have been uploaded from). The report is only on the Windows malware, as the Mac malware more is recent. The first stage malware (Sofacy) does some interesting things such as disabling Windows Error Reporting, and can be assumed to be targeting organizations as it collects info about the physical location of where the machine has been labeled as being, which only large organizations would set. It has a variety of C2 mechanisms, and will clone and hollow out legitimate processes to inject it’s own code to communicate with a C2 via a mechanism that matches the cloned process (HTTP, SMTP or POP3). It somewhat intelligently uses encryption by making use of an RSA public key to encrypt a symmetric session key (however, all ciphers are weak, RSA-1024 and RC4). Google’s analysis paper is much better than the APT reports from security companies because it’s actually meant for learning and detection, and not marketing.

Kingslayer

RSA (the company) broke news of an attack they call Kingslayer at RSA (the conference) (link). An undisclosed company that provides Windows administration tools was hacked and it’s software trojaned so that anyone who downloaded the tool would be infected, meaning that the admins of companies were being breached by this software. This is known as a supply chain attack and is what I discussed is our current “era of exploitation” in my post The Great Graph from last year.

Kingslayer was discovered by RSA during a separate takedown operation in which they discovered something different and unknown was beaconing home to the domains they had taken down. Once again, this highlights how the shared tradecraft of attackers between their toolsets can be used to discover more of their attacks. What is saddening though is that the infections started in March, 2015, then RSA discovered this malware in April 2016, then contacted the source of the remaining beacons in September, 2016, and then sat on this for 6 months until the RSA conference in order to announce it. An earlier announcement could have resulted in more, and earlier, discoveries, but the marketing cycle of infosec directs different decisions.

Business

This week was RSA, the vendor conference, and every company had some sort of announcement, but mostly it was just highlighting minor new features.

  • Australia get mandatory data breach notification: Coming into line with the regulations of many other countries, Australian companies now have to disclose breaches.
  • CrowdStrike sues NSS Labs: NSS Labs was testing different next-gen security products, and made it’s findings available at RSA for purchase (at the lofty price of $12K). CrowdStrike did poorly in the tests, so they sued NSS Labs. However, it seems NSS Labs had some funny testing techniques, such as viewing CrowdStrike negatively for not identifying Firefox, Skype, and Java as malware. It’s frowned upon for companies to sue testing organizations, but this case has more of a Streisand effect to it, where it garnered much more negative attention to CrowdStrike due to the litigation than it would have for simply doing poorly in the test.

Other reads

  • Microsoft delaying Patch Tuesday for a month: Microsoft did not disclose why they have delayed this month’s patches, but they’ve announced these will be distributed next month.
  • Understanding differences between corporate and consumer Gmail threats: Google released some stats showing that corporate email receives 4x more malware than personal email, but half as much spam.
  • Building a VPC with the AWS Startup Kit: Amazon has released Cloudformation templates to setup VPCs, a bastion host, and internet gateway, as the basis of a secure AWS environment. It’s not clear to most people that when you use AWS, and have more than one EC2, that you really need to know and do a number of things to have a secure setup, which I mentioned in Downclimb in January after all the MongoDB instances on AWS and elsewhere were being hacked.