Downclimb

2017.05.21

Weekly infosec news summary for 2017.05.14 – 2017.05.21

News from Summit Route

Following on interest from my flaws.cloud tutorial, I'll now be providing independent AWS security consulting work, including security assessments, training, and assistance with detection engineering (ie. collecting logs and setting up alerting). Contact me at scott@summitroute.com for more info.

Quotes

"Microsoft patched WannaCry XP flaw in February but only for paying customers. Now blaming NSA for 0day 'stockpiling'. [...] Timestamp for XP patch is February 11, 2017." Patrick Gray (1, 2)


"APT28 still going through about 2 0days a month, they don't stockpile, they burn." @thegrugq


"Pentesters are just way too scope limited these days. You're not simulating real threats until they can kidnap sysadmins' family members." scriptjunkie


"The only difference between this worm and every other worm is we know this one happened because it has ransomware." Dave Aitel


"During early L0pht days I was a Unix admin for ~50 DoD/USG systems. The government would not let me make needed changes to secure them. The default configs were so bad the systems would crash w/o needing to be exploited. Of the ~50 boxes one, at Ramstein Air Base, never had problems. It ran perfectly without need for intervention, unlike the others. I figured since it was a 'blessed' configuration, I could find out what was different and ask the govt. to recreate elsewhere. This system had been compromised and was being used to distribute pirated software. They also patched the vulns I wasn't permitted to fix. My response was to request [agency] allow their other systems to be compromised to improve uptime and integrity of operations. It seemed a much easier path than getting the core changes to the system(s) approved." [Mudge](https://twitter.com/dotMudge/status/865987293084917760)


"Ransomware should become this generation's 'The dog ate my homework.'" Ryan Huber


Top stories

WannaCry follow-up

98% of systems infected by the WannaCry worm from last week were Windows 7 (link). Although some researchers discovered that you could extract the WannaCry decryption key from memory on Windows XP systems, the only Windows XP systems that were apparently infected were researchers' own systems that they had infected manually. The vuln used does impact Windows XP, but the WannaCry worm's exploit only worked against Windows 7 and Windows 2008 (link). The tool gentilkiwi/wanakiwi may be able to decrypt ransomed files on Windows 7.

As odd as it sounds, there are suspicions that WannaCry may have been developed by the Lazarus group (North Korea). The technical reasoning behind that is tenuous, but the grugq offers some insights on that theory here.

Prior to WannaCry, another worm (Adylkuzz) was actually exploiting the same vuln, but had gone unnoticed because instead of displaying a ransomware message, it was quietly mining bitcoin (link). This worm was also disabling SMB after installing, so if you had Windows 7 boxes exposed to the Internet that weren't infected with ransomware, then they may be mining bitcoin now. This bitcoin mining earned them at least $43K, whereas the WannaCry ransoming has so far earned $95K. The guy that registered the domain that acted as a killswitch for the WannaCry worm was awarded $10K by HackerOne (link), which he donated to charity.

Business

Other reads

  • The Case of the Stolen Source Code: The company Panic, which makes macOS and iOS apps, such as Transmit, was one of the victims of the HandBrake compromise from two weeks ago. The only impact was theft of their source code (no customer data breached). This post walks through the compromise, their response, and their reasoning as to the impact for them of the theft of their source code, which they've decided is minimal.
  • Security Rarely Flows Downhill: Adam Shostack reminds us how if you work at higher levels in a stack, you can't secure against issues in the lower levels.
  • Breach at DocuSign Led to Targeted Email Malware Campaign: DocuSign was breached, but only email addresses were compromised. No content or any customer documents were accessed. This compromise did, however, allow the attackers to send phishing emails from domains such as docusgn[.]com.
  • *bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images: Chris Evans (scarybeasts) continues his ImageMagick mayhem this week by leaking data from Yahoo Mail image attachments that were converted to thumbnails. Yahoo took the thorough response of simply retiring ImageMagick, which is for the best. In another post, *bleed, more powerful: dumping Yahoo! authentication secrets with an out-of-bounds read, Chris shows how he is able to make sense of his data leaks. Turning a data leak, which initially looks like random noise, into an understandable signal is a very interesting skill that still exists only as an art, without tools or methodologies, and it would be good to see more work on it.
  • Is your ePub reader secure enough?: This researcher looked at the ePub format and the various readers for it. The general take-away is that when something acts as a web browser, that isn't exactly a web browser and thus not as battle tested, it's going to have security issues.
  • Penetration testing AWS storage: Kicking the S3 bucket: Rhino Security went looking for loose S3 bucket permissions, as described in my flaws.cloud tutorial, and found 107 S3 buckets from domains used by the Alexa Top 10,000 that had loose permissions, including some that were writable, at least one with a .git repo (another flaws.cloud level), and more issues.
  • One Cloud-based Local File Inclusion = Many Companies affected: This bug bounty report shows how because many companies use the same products and services, if you find a bug in one of these products, you can quickly find them across many other companies.
  • Bridgewater: Securing their AWS Infrastructure with Vault: A release this month of the secret management solution HashiCorp Vault now includes the ability for AWS resources to authenticate to Vault by handing Vault a signed sts:GetCallerIdentity request; Vault forwards that request to STS, and the ARN in the response identifies the caller.
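For the loose S3 permissions described in the "Kicking the S3 bucket" item above, here is an added example (not Rhino Security's or flaws.cloud's code) of the check a bucket owner can run over their own buckets. It works on dicts shaped like the `get_bucket_acl` response from boto3 and on the policy document string that `get_bucket_policy` returns in its `Policy` field; the sample ACL and policy below are constructed for the example, and the severity labels are this example's own choice. It goes a little beyond the article by also flagging anonymous-principal statements in the bucket policy, since that is the other way a bucket ends up readable or writable by the world.

```python
import fnmatch
import json

# S3 group grantee URIs (real values) and the permissions/actions that matter most.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutBucketAcl", "s3:PutBucketPolicy"}


def acl_findings(acl):
    """Flag grants to the global groups in a get_bucket_acl-style response.

    AuthenticatedUsers means any AWS account in the world, not just yours,
    so it is treated exactly like AllUsers.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue                  # CanonicalUser / email grants name a specific account
        who = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}.get(grantee.get("URI"))
        if who is None:
            continue                  # e.g. the LogDelivery group
        perm = grant.get("Permission")
        if perm in WRITE_PERMS:
            severity = "critical"     # anyone can add, replace or delete objects, or rewrite the ACL
        elif perm == "READ_ACP":
            severity = "high"         # anyone can read who else has access
        else:
            severity = "medium"       # READ: anyone can list the bucket
        findings.append((severity, f"{who} has {perm}"))
    return sorted(findings)


def _principals(statement):
    p = statement.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def policy_findings(policy):
    """Flag Allow statements whose principal is anonymous ("*").

    `policy` is the JSON string from get_bucket_policy()["Policy"] or an already-parsed dict.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or "*" not in _principals(st):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        # Policy actions may be patterns ("s3:*", "s3:Put*"), so match them against the write actions.
        writes = any(fnmatch.fnmatchcase(w, a) for a in actions for w in WRITE_ACTIONS)
        severity = "critical" if writes else "medium"
        if st.get("Condition"):
            severity += " (conditional)"  # a Condition may narrow the grant; review it by hand
        findings.append((severity, st.get("Sid", f"statement[{i}]"), actions))
    return findings


def audit_bucket(acl, policy=None):
    """Combine ACL and policy findings for one bucket; an empty list means nothing public was found."""
    out = [("acl",) + f for f in acl_findings(acl)]
    if policy:
        out += [("policy",) + f for f in policy_findings(policy)]
    return out


# Constructed sample inputs in the shape boto3 returns from get_bucket_acl / get_bucket_policy.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Deploy", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print(finding)
```

On real buckets, feed `audit_bucket` with `s3.get_bucket_acl(Bucket=name)` and `s3.get_bucket_policy(Bucket=name)["Policy"]` (the latter raises if the bucket has no policy, so catch that and pass `None`). The "critical" ACL case is the writable-bucket finding from the article: an AllUsers or AuthenticatedUsers WRITE grant lets anyone replace the objects you serve, which is why it outranks a world-readable bucket.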
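The Vault exchange described in the last item, as an added example that is not Vault's or Bridgewater's code: the client side signs a POST `sts:GetCallerIdentity` request with SigV4 (the `Authorization` header is computed here from scratch so the example runs offline) and packs it into the JSON body that Vault's AWS auth method accepts (the field names `iam_http_request_method`, `iam_request_url`, `iam_request_body` and `iam_request_headers` are the real ones). The `validate_login_request` function is a simplified illustration of the checks a server should make before replaying such a request against STS, not Vault's implementation. The access key, secret key, timestamp and server id are constructed values.

```python
import base64
import datetime
import hashlib
import hmac
import json
import re
import urllib.parse

# Constructed, non-functional sample values (assumptions for this example).
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_TIME = datetime.datetime(2017, 5, 21, 12, 0, 0)
VAULT_SERVER_ID = "vault.example.com"   # value for the optional X-Vault-AWS-IAM-Server-ID header

STS_HOST = "sts.amazonaws.com"
STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
REGION, SERVICE = "us-east-1", "sts"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get_caller_identity(access_key, secret_key, when=SAMPLE_TIME,
                             server_id=VAULT_SERVER_ID, session_token=None):
    """Client side: SigV4-signed headers for POST sts:GetCallerIdentity.

    The client never sends this itself; Vault replays it to learn the caller's ARN.
    """
    amz_date, date_stamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": STS_HOST,
        "x-amz-date": amz_date,
    }
    if session_token:               # required when using temporary credentials
        headers["x-amz-security-token"] = session_token
    if server_id:                   # signing this header binds the login to one Vault cluster
        headers["x-vault-aws-iam-server-id"] = server_id
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_request = "\n".join([
        "POST", "/", "",                                # method, path, empty query string
        "".join(f"{k}:{headers[k]}\n" for k in names),  # canonical headers, lowercase and sorted
        signed_headers,
        _sha256_hex(STS_BODY.encode()),
    ])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp),
                                  REGION), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def build_vault_login(role, headers):
    """Client side: the JSON body POSTed to Vault's auth/aws/login endpoint."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "role": role,
        "iam_http_request_method": "POST",
        "iam_request_url": b64(STS_URL),
        "iam_request_body": b64(STS_BODY),
        # Vault expects header values as lists, like Go's http.Header.
        "iam_request_headers": b64(json.dumps({k: [v] for k, v in headers.items()})),
    }


def decode_login(login):
    d = lambda s: base64.b64decode(s).decode()
    raw = json.loads(d(login["iam_request_headers"]))
    return {"method": login["iam_http_request_method"], "url": d(login["iam_request_url"]),
            "body": d(login["iam_request_body"]),
            "headers": {k.lower(): v[0] for k, v in raw.items()}}


def validate_login_request(login, expected_server_id):
    """Server side (simplified): checks to make before replaying the request to STS.

    Only a GetCallerIdentity call to a real STS endpoint may be forwarded, and the
    server-id header must be inside SignedHeaders so a login captured for one
    Vault cannot be replayed at another.
    """
    req = decode_login(login)
    if req["method"] != "POST":
        return False, "method must be POST"
    url = urllib.parse.urlparse(req["url"])
    if url.scheme != "https" or not re.fullmatch(r"sts(\.[a-z0-9-]+)?\.amazonaws\.com", url.hostname or ""):
        return False, "url must point at an STS endpoint"
    if urllib.parse.parse_qs(req["body"]).get("Action") != ["GetCallerIdentity"]:
        return False, "body must call GetCallerIdentity"
    hdrs = req["headers"]
    if hdrs.get("x-vault-aws-iam-server-id") != expected_server_id:
        return False, "server id header missing or wrong"
    auth = hdrs.get("authorization", "")
    signed = auth.split("SignedHeaders=")[-1].split(",")[0].split(";") if "SignedHeaders=" in auth else []
    if "x-vault-aws-iam-server-id" not in signed:
        return False, "server id header is not covered by the signature"
    return True, "ok"
```

The design point worth noticing is that the client hands over a signed request rather than its credentials: Vault can only ever use it to ask STS "who signed this?", and because the signature covers the `X-Vault-AWS-IAM-Server-ID` header, a request minted for one Vault cluster is rejected by another (the `server id header missing or wrong` branch above), which is why the server-id check is the first thing to configure on the role.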