Weekly infosec news summary for 2017.03.12 – 2017.03.19

Top stories

Yahoo hackers indicted

Yahoo announced this week that 4 Russian hackers and government employees have been indicted for Yahoo’s 2014 breach (link). Kreb’s has a good article about the people and their activities, and the Department of Justice’s announcement gives further details on what the actual activities were. One of the people, Belan, has been on the FBI’s “Cyber Most Wanted” list since 2013 and has had an interpol Red Notice out for him, so this is a guy who has protection and can hack whatever he wants without consequences. Two of the people were FSB employees who likely forced Belan to perform this work so they could collect information relevant to the FSB, and provided protection to Belan to avoid him being arrested for the Red Notice. The last person lives in Canada and has been arrested.

What’s interesting is here you have a Russian intelligence operation that is commingled with banal cyber criminal activities, which I suspect was the downfall of this whole operation. Belan and the Canadian tried to monetize their access in anyway they could. They searched the email accounts for credit card and gift card numbers, they sold email contacts for spam campaigns, they redirected search engine traffic to collect commissions, and they sold access to email accounts for $60/account. I suspect it’s that last item that got them caught. I have no knowledge of Yahoo’s investigation, but I assume they paid for that service to get access to a test account (or more likely hired a third-party to pay it so they didn’t get their hands dirty handing money over to criminals). They then must have heavily monitored access to that account, drawn conclusions about how the account was being accessed, and expanded the investigation from there.

The Account Takeover Runbook

Ryan McGeehan has an eye-opening article on many of the ways that attackers can persist their access to compromised accounts (link). Even if you change your password and re-image a system, attackers can still continue reading your emails if they’ve set up mail forwarding rules, added application integrations, or a number of other tricks. Attackers can also “backdoor” the account to allow them to easily regain access by, for example, changing the recovery email, or in the case of Facebook they can set a “Legacy Contact” to use in the event of your “death” to set up a memorialization.

This is very important for incident response in the enterprise, where most response procedures are simply to roll passwords and reimage the system, as the techniques Ryan points out can bypass those responses. These attacks and responses become more important as businesses leverage more SaaS solutions where gaining account access via phishing is as valuable as, but much easier than, RCE on end-points. This is an area that needs more research and public runbooks for procedures.

There are a lot of things that should be checked, but for consumer services such as Facebook and the non-enterprise versions of gmail, there are no APIs available to be able to automate this investigation. One option might be to set up Selenium scripts to automatically poke around through the various settings, in order to develop a tool like the popular sysinternal’s tool autoruns on Windows. This is also concerning for consumers where dealing with events like this can be even more confusing, and if you search online for phrases like “how to check if my spouse is cheating on me” you’ll find tutorials on using these backdoor techniques.

Pwn2Own

The annual exploit purchasing event took place this past week (link). There were two withdrawals for teams targeting Windows which could have been due in part to Windows having delayed its patches a month and then releasing them just prior to the competition, along with changing the patch process slightly. There were also two failures for failed exploit chains, which is odd.

Details are scant on how the exploits actually work, but there are some lessons to be learned. In the Safari exploit to obtain root on macOS, which $28K was paid for, it states a “use-after-free in Safari combined with three logic bugs and a null pointer dereference” was used. It’s great that a chain of bugs was needed, but the use of a null pointer dereference also reminds us the lack of modern exploit mitigations on macOS. The Windows tool EMET, when it was released in 2009, blocked the ability to use null pointer dereferences, and this defense was built into Windows 8, released in 2012, and backported to Windows Vista.

Tools

• Netflix Security Monkey on Google Cloud Platform: Netflix’s Security Monkey, which has been helping folks audit their AWS environments for security issues since 2014, now works for Google Cloud as well.
• ukncsc/mail-check: The recently created British government organization, the National Cyber Security Centre, has open-sourced a project of theirs for processing DMARC reports which they use on 500 domains per week.

Conference materials and publications

• BSidesSF videos: This conference in San Francisco from mid-February has a number of presentations of higher quality than your typical BSides. I especially liked Make Alerts Great Again from Daniel Popescu of Yelp, and Linux Monitoring at Scale with eBPF from Brendan Gregg and Alex Maestretti of Netflix.
• CanSecWest slides: Conference in Vancouver, Canada this past week.

Other reads

• HTTPS Interception Weakens TLS Security: The US-CERT advised that HTTPS interception, such as is performed by Blue Coat to inspect the data in TLS protected communications, weakens TLS security. The alert points out that some HTTPS interception products do not validate the TLS certs properly and provide greater opportunity for MiTM attacks.
• Critical Vulnerability Uncovered in JSON Encryption: Security researchers at Adobe announced an issue affecting a number of JWT libraries. A number of crypto folks online jumped into the conversation to exclaim that JWT should never be used, which isn’t very good advice. Conceptually, JWT is just a way to sign and validate data stored with the client to avoid database look-ups. The historic problems with it are that many algorithms, including a “none” algorithm (see here), can be specified by the client. JWT can make some issues awkward to address because it avoids the server keeping track of sessions, but with regard to its cryptographic security, if you enforce only one, trusted algorithm to be used, you can avoid all these issues that crop up periodically.
• Defending Office 365 with Graph Analytics: Matt Swann at Microsoft is doing interesting work with using graph clustering on alerts to aggregate multiple alerts into single incidents and to help filter our false positives and prioritize where to investigate.
• M-Trends: FireEye’s subsidiary Mandiant released their annual M-Trends report. The only thing interesting was data that Richard Bejtlich extracted from this report and previous years (link) to show that in 2011, dwell time of attackers on victim networks before they were detected was 416 days, with only 6% discovered internally. In 2016, the dwell time has droppd to 99 days, and 53% are discovered internally. So companies are both doing a better job of detecting attacks and finding them themselves without being notified by the FBI or other external sources. Neither of these numbers are still very good, but it’s improving.
• Messenger-for-Desktop domain sold for trojaning installs: In this github issue to the aluxian/Messenger-for-Desktop project, the poster notices that malware (ZipCloud and MacKeeper) were installed on his system after installing the Messenger-for-Desktop app. The developer of that project casually mentions that he sold the domain where the apps were downloaded from. This is a very hard problem to handle where developers of benign and trusted projects decide to earn some quick cash in exchange for helping to distribute various forms of unwanted software.
• Patch Tuesday: Microsoft provided thier monthly patches this week, with still no announcement as to why they missed last month.
• Twitter Counter hacked: A number of high profile twitter accounts began displaying swastikas after the app “Twitter Counter” was hacked. It’s not well understood to many people that seemingly simple apps to do things like track your retweets, often have much greater capabilities than are visible to the user, such as being able to read your Direct Messages, or tweet things as if you had. This becomes more problematic as different apps get tied together, for example the encryption service Keybase watches for a tweet from you to verify who you are.