Weekly infosec news summary for 2017.07.30 – 2017.08.06
"Phishing for bank info is old and boring. Phishing for creds to auto-push code to a million victims is the new hotness." Eric Lawrence
Application extension issues
The developers behind two Chrome extensions ("CopyFish" and "Web Developer") were phished this week and had their extensions modified to show ads (link). One of the most popular extensions for the Sublime text editor (SideBarControl) had code added to it to send telemetry data to Kite (makers of an IDE that makes auto-suggestions by uploading your code and everyone else's to their servers to suggest updates to your code based on the code of others) (link). Another Sublime extension (subl) was found to allow RCE if a user clicked a link within the editor (link).
Despite applications perhaps being secure and trusted, the extensions in the ecosystems they create can subvert that security. As we've seen with Android, running a trusted marketplace is a hard problem, but people assume that the extensions/apps available must be as well trusted as the initial platform. We should expect to see popular extensions abused more in the future. As such, although you may have an application white-listing solution deployed (if you're lucky), it likely cannot do anything to prevent malicious extensions. Further, although some security solutions such as osquery can help identify browser extensions, no tool that I'm aware of has purpose-built functionality to detect editor extensions.
Hacking third-party services to target victim companies
This bug bounty researcher was looking for bug bounties in Google, and noticed a sub-domain of Google used Mailgun, so he found an IDOR issue in Mailgun that allowed reading all email of any customer of Mailgun (link). This does not impact gmail/G-Suite users, but does impact part of Google's business. No bounty was awarded by Google, but it shows once again that the weakest link into well-defended companies is often their third-party services.
It is also interesting that the bugs are reported to the affected customers, instead of being fixed at the root cause vendor. We saw this in the past with some issues that LinkedIn's Cory Scott touched on in his presentation Bad Medicine: Contraindications of Bug Bounty Programs. One possible benefit of this tactic is that a customer like Google is going to have a lot more clout to force Mailgun to perform a fix immediately, whereas if the researcher only reported it directly to Mailgun the report might not be acted on as quickly, and Google would be blind to the issue. Uber is somewhat famous for making massive bug bounty payouts for any issues that even indirectly affect them which ensures that any third-party issues are reported directly to Uber first to allow Uber to take corrective action if needed before anyone else knows about problems. For example, this $10K bounty from last June was paid out by Uber for an issue with OneLogin's WordPress plugin, which OneLogin needed to fix, but this strategy by Uber gave them an early warning.
Conference materials and publications
- "Fighting the Previous War": Slides from Thinkst's talk at Black Hat.
- SHA2017 videos: Live-stream from an infosec camp/conference happening this weekend in The Netherlands.
- Mandiant (FireEye) analyst hacked: A hacker posted a note to pastebin (since taken down) claiming to have had complete access to Mandiant's internal networks since 2016, and leaked some files from one analyst as proof, including his credentials, some emails, and other information. FireEye claims the compromise was limited to the laptop. Security companies are just as much targets as the companies they seek to protect and given that they are often handling malicious files regularly, they need to take extra care in how they handle data and isolate their systems.
- npm library typo squatting: Typo squatting libraries is where an attacker creates a library with a name similar to a popular library in the hopes that someone will use it by mistake. This concept was explored in a research work last year (link), where the researcher set up typo squatted libraries for Python's PyPI, Node.js's npmjs.com and Ruby's rubygems.org. This week someone discovered that for npm this was happening for a number of libraries, and this time it was stealing environment variables, which often contain API keys and other secrets. This is a good reminder to beware of the code you introduce to run on your systems.
- A Framework for a Vulnerability Disclosure Program for Online Systems: The US Department of Justice has published guidance on running a vulnerability disclosure program.
- Secrets Management In The Cloud: The author makes a strong case for using AWS's Parameter Store over Hashicorp's Vault for services running on AWS that need to store secrets.
- Microsoft didn’t sandbox Windows Defender, so I did: Fun article from Trail of Bits where the author takes the Windows antivirus scanner and writes a bunch of tools in Rust to sandbox it.
- The Retefe Saga: History of the Retefe banking malware from the Swiss CERT. They point out how for a brief period the malware was actually installing a VPN and SSL CA cert on victims in order to MiTM their traffic, which seems ridiculous due to the cost of running a VPN service for victims, the value of anything they might do with that setup given that they already have full access to the host, and that any banking theft they might try to do through this would be easily detected by banks simply by looking at the IP of the VPN. This attacker also had a macOS variant (OSX/Dok). Interestingly, the attacker sent emails to potential victims in April 2017 with a tracking pixel that they used to identify the OS of the victims and then followed up with OS specific malicious emails.
- MalwareTech arrested on allegations of distributing malware: MalwareTech, aka Marcus Hutchins, who is most recently famous for having registered the killswitch domain to stop WannaCry, was arrested this week on charges of having written and sold the Kronos malware with the intention of causing damage. I'd rather not mention stories like this until more facts are known, but there was lots of talk on twitter.
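A small defensive check for the npm typo squatting item above, added here as an example and not from the newsletter or any of the linked research: it audits a parsed package.json for dependency names one typo away from a popular package and surfaces install-time lifecycle scripts, which is where an environment-variable stealer would run. The popular-package list and the sample manifest are constructed for illustration.

```javascript
// Constructed allowlist of popular package names; a real audit would use
// npm download statistics or the organisation's own approved list.
const POPULAR = ['lodash', 'express', 'request', 'cross-env', 'babel-cli', 'mongoose'];

// Optimal-string-alignment edit distance: one "typo" is an insertion,
// deletion, substitution or adjacent transposition.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse the separators and case that typo squats commonly play on
// (e.g. "crossenv" for "cross-env").
function normalise(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Audit one parsed package.json (the project's own, or a dependency's under
// node_modules) and return human-readable findings.
function auditPackage(pkg) {
  const findings = [];
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  for (const name of Object.keys(deps)) {
    if (POPULAR.includes(name)) continue; // exact popular name is fine
    for (const popular of POPULAR) {
      if (editDistance(normalise(name), normalise(popular)) <= 1) {
        findings.push(`${name}: looks like a typo of ${popular}`);
      }
    }
  }
  // Lifecycle hooks execute on `npm install`, before any code review happens.
  const scripts = pkg.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push(`${hook} script runs on install: ${scripts[hook]}`);
  }
  return findings;
}

// Constructed sample manifest with one typo squat and an install hook.
const SAMPLE = {
  dependencies: { crossenv: '^5.0.0', express: '^4.15.0' },
  scripts: { postinstall: 'node setup.js' },
};
console.log(auditPackage(SAMPLE).join('\n'));
```

Running it over every package.json under node_modules (rather than just the top-level one) catches squats pulled in transitively, which is where the hook usually hides.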