Downclimb

2017.07.02

RSS feed

Weekly infosec news summary for 2017.06.10 – 2017.07.02

Summit Route news

This issue of Downclimb catches up on events from the past three weeks.

Quotes

"implant writers have lineages like martial artists. There are so many important choices to make and you're going to forget why you made them. Not just you, your entire community and team. So when I rewatched Stephanie's talk, I'm looking at it in two dimensions - what are the technical issues she's solving, so I don't have to solve them myself, but also what choices is she making that she doesn't even know she's making because those trade offs are as much a part of her inherited culture as her clothes and speech and the food she eats?" Dave Aitel

 

"Enterprises should stop treating updates as optional. You can't risk-accept your way out of the current threat landscape. We need more software with an update UX that isn't disruptive to workflow. We need software that can be trusted with passive forced updates. People lives are being impacted in real ways because of forever days, not zero days." Geoff Belknap

 

"Every time you say "Why don't you just ...?" you're proving that you don't understand the problem. There is no "just."" Wendy Nather

 

"Ciphersuites aren't pokemon, you shouldn't try to catch 'em all" unattributed

 

"this whole year has been like the black death for computers.
the old, the weak, unvaccinated and ignorant are dying off." @Viss

 

"Remember people: patch early and patch often. Like my Ukrainian accounting software, which just downloaded a new update." Martijn Grooten‏

 

"Either all VMs on only one of my servers have gotten really good at finding memory corruption bugs, or the hardware is about to fail :)" SkyLined

 

"Reminder that the current fashion of testing “just the web application” while ignoring the rest of the infrastructure is not effective." @0xdea

 

"For years infosec professionals have said that 'security is a process not a product'. Now its 'just buy a Chromebook'. One of these is wrong." Chris Rohlf

 

"If you think you can't patch because it'll be too disruptive, imagine how disruptive being breached will be. Forensics, Lawyers, Investors.." Geoff Belknap‏

 

"Sure, you can say, “Never pay”, but understand kidnapping & ransom is a crime as old as time. Ransomware will be absolutely no different. Extortion crimes can only be minimized and managed, never eliminated. And of course, try not to judge those who feel it necessary to pay." Jeremiah Grossman‏

 

"interesting how people who are comfortable with the security model of a car or house key don't feel safe with that same idea online." @hillbrad

 

"The fact security guidance is labeled as 'Best Practices' and not 'Standard Operating Procedures' is what attackers count on for success. This is why we stressed 'old techniques' in our Petya writeup, the success was predominantly not based on an exploit. While many places are focused on a patch or a 'kill switch,' that is not what Petya counted on, it counted on missing security fundamentals. [...] The better takeaway for Petya should be 'lack of host firewalls and credential hygiene cause down time' more than 'shiny exploit.'" Jessica Payne‏

 

"iPhone is 10 years old today. After 10 years, not a single serious malware case. It's not just luck; we need to congratulate Apple on this." Mikko Hypponen‏

 

"Pundits still prattling on about ethics of 0day while simultaneously ignoring that 99% of criminal/nationstate attacks use very old exploits" Don A. Bailey‏

 

"People always forget we used to live in an Internet full of worms." Dave Aitel from 2016

Top stories

NotPetya

A new "ransomware", originally thought to be Petya, but is something different and can't recover the files it encrypts (essentially wiping them), has begun infection by compromising the auto-update software of Me-Doc, which is accounting software used in Ukraine. This malware is also being referred to as GoldenEye and Nyetya. According to the grugq, this software is required for business to pay taxes in Ukraine (link). Due to the targetting of Ukraine by this malware and a car bombing in the capital of Ukraine the same day that killed a high ranking intelligence officer, this is suspected of being a multi-faceted attack against Ukraine. Although the attack targetted Ukraine, and caused lot's of disruption there, including impacting the radiation monitoring at Chernobyl, the malware is affecting businesses outside of Ukraine, including the shipping company Maersk (the largest container ship operator and supply vessel operator in the world) and DLA Piper (the largest law firm by revenue in the world).

The malware does contain the EternalBlue (MS17-010) exploit, that was previously used by the WannaCry ransomware (causing more irrelevant discussions about the role of the US gov in disclosing vulns), but more importantly it spread via the use of an auto-update and local network infections via PsExec and WMIC after using a stripped down version of the Mimikatz tool to steal passwords from the systems it infects.

Microsoft has good write-ups here and here. CrowdStrike's write-up here is also really good as it discusses many of the techniques used by the malware. For example, it mentions how the malware hashes the names of the processes running on the system and compares those values (this avoids using string names in the binary which would be detected). The malware then acts differently depending on which antivirus are running (implying thorough testing). The malware also zeroes itself out on disk before deleting itself (avoiding recovery of it via forensics tools).

ESET has an interesting write-up on how a group called Telebots had been active in Ukraine and previously abused Me-Doc's servers (link). They also found a malicious PHP backdoor in one of the FTP directories on Me-Doc's server.

MalwareBytes makes the case that NotPetya was a binary patched version of Petya and not a recompilation, implying that the actor might have tried to mis-attribute its origins (link).

Stack Clash

Researches at Qualys found a way to elevate privileges on Unix based systems by growing the stack of a process beyond its bounds (link). They then released exploits for Solaris, OpenBSD, NetBSD, FreeBSD, and Linux for this vuln (link). This concept was first discovered in 2005, and then again in 2010 with an attempted mitigation introduced.

TV5Monde 2015 Hack

In 2015, the French TV station TV5Monde was shutdown by a cyber attack, resulting in the broadcasting of a blank screen, along with their email and other internal systems being disrupted, and hijacking of their social media accounts. The attackers originally claimed to be a terrorist group associated with Iraq, but it is believed they actually were APT28 (Russia). A write-up and video presentation by the ANSSI (France's version of the NSA) describes the investigation of the attack. Matt Suiche kindly translated the presentation (link).

Some of my main take-aways:

  • The attackers dwell time was 3 months on the network prior to the attack.
  • Initial compromise was through a 3rd party account on the VPN, then got on 2 windows servers used for their cameras, from there scanned the wiki for terms like "telnet", "ssh", "pass", and "VPN". They collected passwords in order to compromise further systems.
  • The attacker had wiped firmware on routers.
  • ANSII had up to 15 people working on the investigation for several weeks after the attack, with one of the first findings being an administrator account with an English name, whereas all the other account names were in French.
  • The station spent 2 weeks collecting logs after the sabotage incident: 300GB of compressed logs and 13TB of full disk + memory captures. They have about 1K systems total (140 servers, 380 Windows, 310 macOS).

npm credentials reset

With news of breaches, many might assume the account take overs to other services are only to the non-technical folks who re-use passwords, but recently someone discovered that many javascript library developers have also been re-using passwords on npm that were made public in breaches (link). 66876 public packages from 15495 accounts were directly affected, which is 13% of the whole npm ecosystem. Javascript libraries are notorious for loading many other libraries to perform basic actions, such as the infamous leftpad library and its prior incident that broke many sites when the maintainer deleted his library. Due to these dependency chains involving the libraries that could have been compromised, the researcher could have impacted 52% of npm ecosystem.

2017 Duo Trusted Access Report

Duo Security released their Trusted Access Report, which gives stats across their customer base for their services. Duo's customers are going to have higher security postures than your average Internet user, which makes some of these stats especially concerning. These include:

  • 13% of users are using unsupported versions of Internet Explorer (generally any IE less than IE 11).
  • Users running out-of-date versions of Flash has actually increased since last year from 42% to 53%.
  • 21% of end-points run Flash 24.0.0.194 which has 11 critical vulns.
  • Despite browsers such as Chrome which should be "ever-green" and always up-to-date, 35% of Chrome users were using out-of-date browsers.
  • 27% of iPhones were not running the latest major version, and Android as usual is a garbage fire with 73% not running the latest major version.
  • 72% of phones are unencrypted, and 9% have no lock screen. This is especially surprising given that one of the primary uses of Duo for many is discovery of devices that are not secured, so numbers outside of Duo customers must be far worse. 5% are rooted/jailbroken, with 96% of those being Android.
  • In phishing simulations, 25% of recipients clicked on the link within a phishing email and 13% entered their credentials. This is across 3K campaigns and over 80K recipients. 62% of campaigns captured at least one credential.

Business

  • Cybersecurity insurance market crossed billion-dollar earnings mark in 2016: $921M was stand-alone cyber insurance; with $429M being the estimated total premium value of package components or multi-risk insurance policies, which cover a variety of hazards.
  • Anthem will pay $115M in largest data breach settlement in history: As a result of the 2015 data breach where hackers gained access to sensitive records for nearly 80M Americans, Anthem will pay for credit monitoring for the victims and $38M in attorney fees. Although I appreciate the penalty to Anthem, where the money will be spent is ridiculous both in the expense for the attorneys and cost for credit monitoring, which has become worthless due to every company needing to pay for overlapping services against the same victims as many have been exposed to multiple breaches.
  • $1M ransom paid: A web-hosting service in South Korea with 153 Linux servers and hosting over 3,400 websites agreed to pay a ransom of over $1M after its servers were encrypted. That is $6,600 per server. This is the largest public ransomware ransom amount ever paid. The servers run old versions of Apache, PHP, and Linux. The attackers originally demanded 550 BTC ($1.62M), but the company negotiated them down to 397.6 BTC ($1.01M) to be paid in three installments, allowing the company to recover batches of servers with each payment. This is smart of the attackers to have encrypted servers with different keys to allow this sort of transaction, as it allows some trust to be established.

Tools

  • Bochspwn Reloaded: Work by j00ru on a custom full-system instrumentation based on the Bochs x86 emulator, designed to detect instances of uninitialized kernel memory disclosure to user-mode applications.
  • NSA on github: The NSA has provided links to all of their open-source projects onto a single page on Github. The account nationalsecurityagency where this page is hosted was opened in 2015, but the NSA has a number of other Github accounts including SELinux and IAD (the Information Assurance Directorate). This page aggregates all the projects onto one page.
  • Detecting secrets in source: A tool for pentesters was released (anshumanbh/git-all-secrets) that can search through git repos to find secrets by leveraging multiple open source tools. A different tool was released for blue teams by Auth0 to alert on possible secrets in source code (link).
  • berzerk0/Probable-Wordlists: Wordlists sorted by popularity as passwords, as opposed to be sorted alphabetically like many wordlists.
  • Security baseline for Windows 10 "Creators Update" (v1703) – DRAFT: New features of this draft include finally disabling things such as SMBv1, TLS 1.0, and Xbox services from enterprise computers.
  • gaasedelen/lighthouse: Code coverage explorer for IDA Pro.
  • m0rtem/CloudFail: Utilize misconfigured DNS and old database records to find hidden IP's behind the CloudFlare network.
  • GerbenJavado/LinkFinder: Tool to look through javascript files to identify possible API end-points.
  • Fleetsmith: The options for managing macOS systems has been either roll your own with something like puppet, or pay a lot of money for JAMF/Casper. Fleetsmith is a recent entrant to this area and is now allowing their service to be used for free for up to 10 devices. They also now support deploying osquery and puppet themselves.

Conference materials and publications

Other reads

  • Phishing the darkweb: Phishing attacks not only hit legitimate sites such as banks and email providers, but also darkweb markets. A man was convicted for stealing $365K by setting up phishing pages for darkweb market sites, and stole 10K creds.
  • Secure Kernel Extension Loading on macOS: macOS High Sierra 10.13 is working toward making kexts (the equivalent of drivers on Windows) more difficult to deploy by requiring user approval for them, moving macOS closer to iOS in terms of what developers will be allowed to do on the OS.
  • Preact-CLI and webpack expose developers to HTTPS MiTM: Users of Preact-CLI and webpack-dev-server install a self-signed CA cert to allow them to serve up pages over HTTP/2 in development. Unfortunately, the same cert is distributed to everyone, so if you install this CA cert, then someone can MiTM your HTTPS traffic.
  • Don't leave Coredumps on Web Servers: Webservers can crash, and when they do, they may contain secrets as they are dumps of the process memory. Some webservers write these dumps to the website's root directory, and the author (Hanno Bock), found that of the Alexa Top 1M sites, 1K had core files exposed. Finding contact info for 1K websites and contacting them became another problem. He then explains how to stop servers from creating these.
  • Updated NIST Digital Identity Guidelines: NIST has finalized their SP 800-63 Digital Identity Guidelines documents with updates that recommends against password expiration, hints, complexity rules, and secret questions. Instead, it prohibits users from choosing among the top 100,000 most popular passwords.
  • The OpenVPN post-audit bug bonanza: After two paid, manual, audits recently against OpenVPN, the author of this article fuzzed OpenVPN and found 4 important security vulns.
  • How I hacked 23,900,000 tumblr domains at once: Tumblr is used to host the blogs of many (24M) sites, including blog.instagram.com. A bug hunter found an IDOR issue allowing him to take-over all those blogs. Unfortunately, the Tumblr security team did not view this as a security risk. It seems the bug hunter only took over 5 sites, not the full 24M.
  • Tales from the MSRC: from pixels to POC: Microsoft's security team saw a tweet with a line from a disassembly pointing out a crash. They were then able to find a binary that matched that disassembly, identify the vuln, and create a POC for a crash.