Downclimb

2017.03.26

Weekly infosec news summary for 2017.03.19 – 2017.03.26

Top stories

Alexsey’s TTPs

Chris McNab has described the TTPs of the main hacker indicted last week for the Yahoo breach (link). No zero days were used, just searches for servers with known vulnerabilities and using those to leap from one system to the next. Some interesting points:

  • Once he had access to internal email, ticketing systems, and filesystems he’d look for client certificates to VPNs or other secrets.
  • Cookies from non-production instances ended up being valid in production, bypassing 2FA.
  • He committed a backdoor to the git repo that was deployed to production.

Conference materials and publications

  • PoC or GTFO 14: E-zine about doing weird things with file formats and software.

Other reads

  • Intent to Deprecate and Remove: Trust in existing Symantec-issued Certificates: Google has found that Symantec has not been properly validating domain ownership control before signing certs. Symantec has been around forever, so trying to distrust it without breaking many things is difficult. Google plans on no longer trusting Symantec certs that are valid for more than 9 months and not showing EV status indicators for their EV certs. Both these actions will severely hurt Symantec’s ability to sell new certs and should allow Google to eventually distrust Symantec if they do not improve.
  • Chinese PUPs and backdoor drivers: making systems less secure since 2013: A major PUP bundler network (i.e. adware network) began dropping a driver from a WiFi hotspot application to its clients (i.e. bots). Malwarebytes investigated and found that this signed driver is being used to load unsigned drivers. Actions like this are why you should be ensuring your networks are clean of adware. Antivirus solutions (and anti-adware software) do not detect many adware strains because, as one AV researcher put it, “Adware is malware with lawyers”. The best defense against adware is application white-listing, but otherwise you’ll want to talk with other companies that have private signatures, since publicizing those signatures gets you sued. A conceptually similar open-source project (Professor-plum/Reflective-Driver-Loader) was released recently if you’d like to see code for loading unsigned drivers.
  • Exploring OLE10Native streams within malicious Microsoft Word documents: Alexander Hanel explores malicious Microsoft Word documents, parsing the binary oleObject1.bin to uncover some interesting information about the original file paths where the docs were created. Most interesting is a series of Dridex files where the path identifies the dates, target countries, campaign name, and original payload name, giving insight into the workflows of the attackers.
  • $100M stolen from two tech companies via phishing: The Department of Justice hasn’t exposed who the victim companies are, but two tech companies were apparently tricked into wiring over $100M via fraudulent emails. It seems this occurred between 2013 and 2015. A man in Lithuania has been arrested and charged.
  • LastPass RCE: Tavis Ormandy found an RCE in the password manager extension LastPass, along with some other lesser vulns, such as stealing your passwords (link, link). Similar to his find in the WebEx extension from January, browser extensions provide a means of obtaining RCE on systems, and the security concerns to look for are not well understood.
  • Patreons: Both Patrick Wardle and the grugq have created Patreon pages to allow people to support their work. Both of these people produce a lot of independent work that has been featured often on Downclimb. Patrick’s Objective-See site provides great analysis of macOS malware along with a number of free macOS security tools. Patrick’s Patreon is here. The grugq writes articles related to infosec and the intelligence world. The grugq’s Patreon is here.
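The OLE10Native item above is about recovering the original file paths that an embedded object carries inside oleObject1.bin. As an added example (not code from the article or from Alexander Hanel's work), here is a small Python parser for that stream, run over a constructed sample; the layout it assumes is the commonly documented one (total size, flags word, NUL-terminated label and source path, two DWORDs of which the second is the temp-path length, the temp path, then payload size and payload bytes), and the paths in the sample are made up.

```python
import struct

def _cstring(buf, pos):
    """Read a NUL-terminated byte string at pos; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_ole10native(stream):
    """Parse an Ole10Native stream and return its metadata and embedded payload.

    Field layout assumed here (little-endian): DWORD total size, WORD flags,
    label\0, source path\0, DWORD unknown, DWORD temp-path length, temp path,
    DWORD payload size, payload bytes.  The source and temp paths are the
    forensic artefacts of interest: they come from the machine the document
    was built on, not the victim's.
    """
    total, flags = struct.unpack_from("<IH", stream, 0)
    pos = 6
    label, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    _unknown, temp_len = struct.unpack_from("<II", stream, pos)
    pos += 8
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("latin-1")
    pos += temp_len
    (size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + size]
    if len(payload) != size:
        raise ValueError("truncated Ole10Native stream: declared %d, got %d" % (size, len(payload)))
    return {"total": total, "flags": flags, "label": label, "src_path": src_path,
            "temp_path": temp_path, "size": size, "payload": payload,
            "size_consistent": total == len(stream) - 4}

def build_ole10native(label, src_path, temp_path, payload):
    """Build a stream in the same layout; used only to construct sample input."""
    body = struct.pack("<H", 2)                       # flags word seen in practice
    body += label.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    tmp = temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<II", 0, len(tmp)) + tmp     # unknown DWORD, temp-path length
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body

# Constructed sample: paths and payload are invented, not from any real document.
SAMPLE = build_ole10native("report.exe", r"C:\build\2017-03\report.exe",
                           r"C:\Users\dev\AppData\Local\Temp\report.exe", b"MZ\x90\x00")

if __name__ == "__main__":
    info = parse_ole10native(SAMPLE)
    print("label=%(label)s src=%(src_path)s temp=%(temp_path)s bytes=%(size)d" % info)
```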