Weekly infosec news summary for 2017.04.09 – 2017.04.16


“How many FORTUNE 500 cos have a big team for attack analysis and no corresponding team to slowly but surely disable macros across their org? This is a rhetorical question. Macros are the entry for a huge percentage of major corporate breaches. But it’s a pathological security problem: sounds easy; actually hard. Technically disabling them is trivial, of course. Takes half an hour. The problem is always on the business side, not the technology side. But big businesses rely on macros, and know they rely on macros, and, here’s the killer, can’t enumerate where those places are. In reality you need to staff it like you staff an attack analysis team. Hunt for (legit) macros, sign them, and then you can disable them. I mean this entirely seriously: big orgs should have staff whose full time job is going after big systemic infosec risks one-by-one.” @pwnallthethings

Top stories

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

FireEye disclosed details about a vulnerability, since fixed by Microsoft, that was being actively exploited in the wild against Office (link). This logic bug would trigger when a victim opened a malicious Microsoft Word (or other Office) document. Before any prompt appeared (such as the one you see with macros), an HTTP request would be made to download an HTA file containing VBScript code that then gets executed. Microsoft is doing several things poorly here, including allowing Microsoft Word to talk out to the Internet, exercising functionality in the document before any prompt, and executing the script in the fetched file via another process, which appears to escape any sandboxing.
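The "functionality exercised before a prompt" above is a relationship inside the document package that Office resolves automatically. As an added defender-side example (not FireEye's or Microsoft's code), the script below opens a .docx as the ZIP package it is, reads every `.rels` part, and flags OLE object relationships whose target is an external http/https URL; the two sample documents are constructed in memory, and the URL `http://example.com/template.hta` is a placeholder. It inspects the OOXML form of the link only; other container formats would need their own parser.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OPC relationship namespace used by every *.rels part inside an OOXML package.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every relationship in the
    package whose target is a remote http/https resource."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in ("http", "https"):
                    # Keep only the last path element of the type URI, e.g. "oleObject".
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((part, rel_type, target))
    return findings


def is_suspicious(docx_bytes):
    """True when an OLE object is linked from a remote URL. Hyperlink
    relationships are also external but need a user click, so they are
    reported by external_relationships() without being flagged here."""
    return any(rel_type == "oleObject"
               for _, rel_type, _ in external_relationships(docx_bytes))


# --- constructed sample documents (minimal, not real Word output) ---
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '</Types>'
)
MINIMAL_DOCUMENT = (
    '<?xml version="1.0"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body/></w:document>'
)


def build_sample_docx(ole_target, external):
    """Build a .docx whose document part carries one oleObject relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OLE_TYPE}" Target="{ole_target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", CONTENT_TYPES)
        pkg.writestr("word/document.xml", MINIMAL_DOCUMENT)
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# An embedded (benign) object versus a remotely linked one; placeholder URL.
BENIGN = build_sample_docx("embeddings/oleObject1.bin", external=False)
REMOTE = build_sample_docx("http://example.com/template.hta", external=True)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("remote", REMOTE)):
        print(label, is_suspicious(doc), external_relationships(doc))
```

Run it over a directory of attachments and triage anything where `is_suspicious()` is true; the full `external_relationships()` list is worth logging either way, because any document that phones out on open is unusual for ordinary business files.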

Shadowbrokers dump

Russia released another set of Equation Group files this week, including notes on a SWIFT hack and Windows tools (link to a GitHub repo with the files). Although some have accused the SWIFT hack of abusing banking systems in some way, it appears to have been for the more acceptable purpose of tracking terrorist finances. The Windows tools include exploits and malware. According to Microsoft, all of the vulns have been patched or do not affect currently supported Windows versions (link). The security companies have been largely quiet on these Shadowbrokers dumps, while independent analysts have been making Twitter and Medium posts, but nothing stands out with regard to the Windows tools.


  • Netflix/BetterTLS: Netflix released a project for testing SSL cert name constraints after having found and helped fix flaws in many clients, including Google Chrome and many libraries.
  • lyft/python-blessclient: Lyft has released the code for their BLESS client. BLESS is a project from Netflix for generating short-lived SSH keys for authenticating clients. Additionally, they use a CA cert for their SSH servers to allow clients to trust those without having to respond to the common fingerprint prompt that SSH’ing normally involves. They have a video presentation of their work from BSidesSF (link).
  • Cuckoo Sandbox 2.0.0: The open-source malware detonation environment is now at version 2.0. There aren’t any major changes or major new features, just a lot of smaller improvements.
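The BetterTLS item above concerns whether clients enforce X.509 name constraints correctly. As an added example (not Netflix's code, and not what BetterTLS itself runs), the functions below implement the RFC 5280 rule for dNSName subtrees and apply a chain's constraints to a leaf's DNS names: a name is inside a subtree only when the subtree's labels match its trailing labels whole, excluded subtrees win, and permitted subtrees are mandatory once any are present. The constraint lists are constructed inputs; a real check would pull them from each CA certificate's NameConstraints extension.

```python
def _labels(name):
    """Split a DNS name into lowercase labels, ignoring any trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def dns_name_in_subtree(name, subtree):
    """RFC 5280 dNSName subtree test: the name must equal the subtree or
    extend it by whole labels on the left. A plain string-suffix test is
    the classic bug: it would let 'badexample.com' satisfy 'example.com'."""
    n, s = _labels(name), _labels(subtree)
    if not s:
        return True  # an empty subtree constrains nothing
    return len(n) >= len(s) and n[-len(s):] == s


def dns_name_allowed(name, permitted, excluded):
    """Excluded subtrees are checked first and always win; if any permitted
    subtrees exist, the name must fall inside at least one of them."""
    if any(dns_name_in_subtree(name, s) for s in excluded):
        return False
    if permitted and not any(dns_name_in_subtree(name, s) for s in permitted):
        return False
    return True


def chain_names_allowed(leaf_dns_names, ca_constraints):
    """Apply every CA's dNSName constraints to every DNS SAN of the leaf.

    ca_constraints is a list of (permitted, excluded) tuples, one per CA
    in the chain, in any order; a CA without dNSName constraints contributes
    ([], []). Every name must pass every CA.
    """
    return all(dns_name_allowed(name, permitted, excluded)
               for name in leaf_dns_names
               for permitted, excluded in ca_constraints)


# Constructed chain: an unconstrained root, then an intermediate limited to
# example.com with its internal zone carved out.
SAMPLE_CHAIN = [([], []), (["example.com"], ["internal.example.com"])]

if __name__ == "__main__":
    for names in (["www.example.com"], ["badexample.com"], ["db.internal.example.com"]):
        print(names, chain_names_allowed(names, SAMPLE_CHAIN))
```

The function is deliberately strict about mixed leaves: a certificate for `www.example.com` and `www.other.com` fails a CA permitted only `example.com`, because a constraint applies to every name of that type in the subordinate certificate, not just the one the client happens to be connecting to.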

Conference materials and publications

Other reads

  • Longhorn: Symantec posted an article about malware detections they’ve seen that are linked to Vault7 (the CIA), with Kaspersky following up with some of their history tracking this actor (link), including links to earlier work by FireEye (link). Kaspersky’s report is interesting because although the actor modified most of the executable timestamps in the PE header, they missed the timestamp in the export section, allowing Kaspersky not only to identify the true timestamps but also the algorithm used for faking the others: the actor subtracted a full 8 years from the timestamp. This all indicates sloppy work by the actor, as 8 years is a massive amount of time and likely led to other time-related inconsistencies. A classic way of identifying malware is to look for logical inconsistencies in the timestamps, such as malware that uses recently released libraries, compilers, OSes, or recently registered C&C domains, but has timestamps indicating it was somehow “compiled” years before those things existed. Logical inconsistencies between timestamps in the same file are of course an even more egregious mistake. The Symantec paper also mentions that what appear to be codewords for targets are included in the malware.
  • OWASP Top 10 - 2017 RC1: The OWASP Top 10 is a list of the top issues impacting webapps, and the last list was released in 2013. An updated list is being worked on with a release candidate posted this week. In the update, the most controversial is a new item A7 “Insufficient Attack Protection”, which basically requires people to buy a WAF or similar solution. People are therefore frustrated that this list is playing toward vendor sales, as opposed to helping with security.
  • Vista EOL: Microsoft Windows Vista has reached the end of extended support, meaning it will no longer receive security updates.
  • UDP RCE CVE-2016-10229: A potentially devastating vulnerability was disclosed on April 4, described as “Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.” Not many seem to have noticed until Mudge tweeted about it, at which point people worried that nearly every Linux system could be owned via a UDP packet. Red Hat/Fedora is unaffected and Debian/Ubuntu seem to have patched it in January. I haven’t seen any proof-of-concept showing how this RCE is possible, and Dan Rosenberg (a Linux kernel exploiter) of Azimuth Security and Tavis Ormandy of Google Project Zero are also unclear on how this allows RCE, so despite the initial concern, so far this does not appear to be impacting anything.