Weekly infosec news summary for 2017.04.30 – 2017.05.07
"In general, everyone ships an out of date WebKit and Linux distributions are no different." Chris Evans / scarybeasts in his post "Ode to the use-after-free: one vulnerable function, a thousand possibilities"
"Would be nice to see an MS patch that localizes Enable Content to a more descriptive string. 'Click here to get fired.'" @RotoPenguin
"Google Docs" OAuth worm
On Wednesday, a phishing worm spread across the Internet (link). The email looked like an attempt at sharing a document, which then resulted in a request to grant the fake application "Google Docs" access to your email account. Once granted access it would then email all of the victims contacts. Given that the emails were from known contacts, the actual google.com domain was hosting "the attack" (the OAuth permission grant), and the request looked like a legitimate Google Docs application, this worm was very successful. I don't think we've seen an email based worm with this level of success since the ILOVEYOU worm of 2000. Unlike that worm though, there was no RCE, but that's not really necessary anymore as the way we use computers no longer is as dependent on the end-points.
The best place to be as a defender as this worm was hitting was in the macadmins Slack in #g-suite as detections and mitigations were being shared in real-time, including GAM scripts (look under pinned items). The following morning, Duo Security then did a live Q&A with their corporate security team about this as well (link), which was great to hear the thoughts of other defenders that dealt with this.
The entire situation was resolved in about an hour as Google took action (see their responses here), Cloudflare blocked domains, and mailinator sink-holed an account. Even though this worm was only alive for an hour, its quick spread and what it could have done had put people on high alert. The only reason most people weren't compromised that had received the emails was because of a reply email address mentioned in the body of the emails for "firstname.lastname@example.org" which made people suspicious.
The worm seems to have been motivated as just a classic worm, in that although it could have exfilled emails or caused all sorts of incidents, it was only coded to spread. The use of mailinator and google ads it included seems to have been to help track it by the creator. No real incidents seem to have been caused. However, hopefully this worm serves as a wake up call to Google in the same way that Code Red and other worms caused Bill Gates to release his famous Trustworthy Computing memo to Microsoft. As reported last week in Downclimb, abusing OAuth had recently been seen by APT28, which was abusing this since 2015. Concerns related to the issues involved had been raised as early as 2011 (link). As I mentioned last week, Google needs to make settng up OAuth apps more like an app store with better checks on which apps are allowed. Google also needs to provide the ability to G-Suite admins to white-list allowed apps for their enterprise, and Google needs to vastly improve their logging latency from up to a week (link) down to minutes so alerting and investigations can be performed faster.
Supply chain attacks
Microsoft reported on WilySupply, an attack that targeted high-profile technology and financial organizations by compromising the auto-update server of an application they use (link). The application was Ultra-Edit (a text editor), and their response is here. The most frightening aspect of this attack was "it only affected certain machines and ignored most of the machines that it could have targeted." Selective targeting makes an attack like this even more difficult to discover, which is similar to the auto-update attack that occurred with Puush in 2015 which used geo-targetting to avoid infecting certain countries (link).
A similar attack occurred with the macOS application Handbrake this week. The mirror server for the application downloads was compromised (link). Patrick Wardle has a great write-up on what the malware does on his Objective-See site here. This is similar to the two incidents involving the macOS app Transmission last year (and possibly unrelated, there is someone that is mentioned as one of the original author for both apps).
SS7 abused for banking fraud in Germany
Thieves compromised computers via traditional malware in order to gain access to bank accounts. The banks authorized transfers by sending one-time passwords via text messages to users, and the thieves, in January, exploited SS7 to redirect these messages to themselves to confirm the transfers (link).
Intel's remote AMT vulnerablity
The company SemiAccurate announced the scary headline "Remote security exploit in all 2008+ Intel platforms" (link) and mentioned that the AMT is involved. As Matthew Garrett explains "Intel chipsets for some years have included a Management Engine, a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME [including the AMT, which provides] IT departments with a means to manage client systems. [...] any packets sent to the machine's wired network port on port 16992 or 16993 will be redirected to the ME and passed on to AMT - the OS never sees these packets. AMT provides a web UI that allows you to do things like reboot a machine, provide remote install media or even (if the OS is configured appropriately) get a remote console." (link). The AMT uses HTTP Digest authentication, and Tenable was able to discover that a faulty memcmp call allows authentication to be bypassed if a NULL response hash was used, allowing an attacker to get access to the AMT web UI (link). The original discoverer of this, Embedi, has a report here.
Instructions on Disabling AMT are here. Firewalls should also be used to deny traffic to 16992 and 16993. The number of devices impacted is hard to identify. Macs are not affected. Matthew Garrett writes "Unless you've explicitly enabled AMT at any point, you're probably fine. [...] Most Intel systems don't ship with AMT. Most Intel systems with AMT don't have it turned on."
The Intel Management Engine has been a hot topic for some security researchers for it being a backdoor into systems with little transparency around it and no ability to disable it. For example, see Joanna Rutkowska's 2015 paper Intel x86 considered harmful.
- Five Pitfalls of Cybersecurity Insurance: This article describes 5 US cyber insurance cases where the insurer denied coverage for incidents due to them being outside of the scope of the coverage.
Conference materials and publications
- The (Memory Corruption) Safety Dance: Video of Mark Dowd at the Kaspersky SAS conference: This shows the mitigations that an exploit developer needs to work around starting with a 2008 era exploit.
- Beset on All Sides: Keynote video of Justin Schuh at Infiltrate 2017.
- Nullcon videos and slides: Conference in Goa, India from the beginning of March.
- Business risk for security engineers: Collin Greene describes the value of reading 10K's in order to understand business risks company view for themselves. 10K's are annual reports that companies file with the SEC as part of the requirements of being publicly traded companies (ie. companies that you can buy stock in). America has a lot of laws to protect investors so 10K's are a great way to really understand businesses, becausee there is no marketing fluff in a 10K filing and everything stated must be honest enough to hold up in court. As another example, beyond the 10K's Collin listed that are worth skimming, I also found Yahoo's 10K to be a valueable skim to understand the business impact of their breach.
- How to Protect an Exploit: Detecting PageHeap: This article is a great follow-on to Mark Dowd's talk mentioned above, as this describes the additional work one might perform to avoid an exploit from being discovered. Attacks and defenses on the lifespans of exploits is an interesting area for research. This article is a good example of what might be done to increase the lifespan of an exploit. The author describes this work as "how to protect an exploit from executing in an environment where it might not succeed. The wild is a dangerous place and lot of hackers have lost exploits to it."
- Windows 10 S: Microsoft is taking on Chrome OS with a new Windows varient named Windows 10 S, that is supposed to be a more locked down version of Windows, such as only allowing downloads from the Microsoft Store (which needs to get cleaned up before Microsoft can make claims about this being an improvement for security). Further details are scarce.
- Outlook Forms and Shells: Yet another way to backdoor an email account, for users of Outlook, using Outlook Forms which allow for arbitrary code and are synchronised between Outlook instances. Unlike the OAuth trick abused this week, this not only would allow access to emails, but actually can get an attacker a shell on the client system!
- Attacked Over Tor: The author of this article runs a Tor Hidden Service that provides a front-end to the Internet Archive and there were bots trying to crawl it, which is pretty much impossible, so the author wanted to stop them. He uses a variety of means including zip bombs and crashing a parser. He's able to profile the systems and a bit of the code used by the bots. He's then able to discover some oddities about a tor relay he suspects is involved with this using some interesting heuristics that could be applied to identify malicious IPs.