Weekly infosec news summary for 2017.04.02 – 2017.04.09


“I can run a Tor exit node. I can’t run your ISP. Tor lowers the cost of surveillance.” Dan Guido


“Protip: name your ssh bastion ‘honeypot01’” Ryan Huber


“Choose a malware signature as your username. Gets logged, and server-side anti-malware will delete whole log file :)” Mark Kriegsman


“Fear of 0day is like being terrified of ninjas instead of cardiovascular disease.” the grugq

Top stories

Operation Cloud Hopper

PwC UK and BAE Systems exposed this operation from APT10 (China) (link). The threat actor targeted managed IT service providers (MSPs), which manage the IT systems of other companies. By hacking the MSPs, they were then able to get access to the MSPs' customers in order to steal intellectual property.

Conference materials and publications

  • TROOPERS videos: Conference in Germany last week. One of my favorites was a surprise talk from the grugq (link) on his beliefs on how Russia, China, and America play the cybers. One interesting point he hints at is that Russians may be purposefully burning 0-days in order to make more money: every time one is burned, a new one needs to be bought, so if you keep burning them, you’ll make more money. This means that an increase in 0-day detections is not due to defenders getting better, but rather due to exploit developers getting smarter about their business. Another important point he makes is the value of targeting. We see an example of that this week with Operation Cloud Hopper, where APT10’s tooling is immature (they use PlugX heavily, which is detected by many defensive tools), but by leveraging the trust relationships inherent in MSPs they are able to exploit targets more easily and with less detection.
  • Art into Science videos: Marketed as a “conference for defense”, this conference took place in Austin, Texas in late January.
  • Security Engineering book: This book from Ross Anderson is now available online for free.


  • Evilginx: nginx proxy for capturing sessions used in 2FA logins.

Other reads

  • Pegasus for Android and iOS: Google and Lookout released reports on the malware used by NSO Group known as Pegasus (aka Chrysaor) (Google, Lookout). The malware has the ability to exfiltrate data from apps (ex. Gmail, Twitter, Skype), use the microphone to collect audio, take images using the front and rear cameras, log keystrokes, take screenshots, and disable updates.
  • iOS 10.3.1 security update: Google’s Project Zero is starting to look at iOS and macOS, as Ian Beer alone has had 11 bugs reported and disclosed in just the past two weeks (link), and there is no telling how many have yet to be disclosed. This update patches the wifi chip due to issues disclosed by Gal Beniamini from Google’s Project Zero in his post “Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1)”, where he investigates the wifi chip used by all iPhones since the iPhone 4, and many Nexus and Samsung phones. This long article shows how to investigate such a thing, identifies a number of simple buffer and heap overflows (as these chips don’t have modern exploit protections), and finally is able to get RCE on the wifi chip from within range of the wifi. Part 2 will show how to leverage this to get execution on the main application processor of the phone. This article is heavily researched and acts as a tutorial for a number of needed techniques for this type of activity.
  • Google Chrome OS and browser updates: Security fixes came out this week for Google’s Chrome OS and browser. Oddly, Google is not patching some Chrome OS devices, including their own 2015 Chromebook Pixel. Google’s auto update policy for education and businesses states that the 2015 Pixel is supported until 2020. The other devices not receiving this update are also supposed to still be supported.
  • EquationGroup dump: ShadowBrokers (Russia) dumped Linux tools from the EquationGroup. The link is to a GitHub repo containing the files, as there isn’t much analysis on it yet.