Weekly infosec news summary for 2017.08.20 – 2017.08.27
"Tweeting about crypto-currencies will get you on a to-hack list pretty quickly. Seeing the base rate of account reset requests pick up." Diogo Mónica
"Pretty interesting how many scrapers get pwned by blind XSS." @IAmMandatory
"Go ahead folks and keep writing sysmon rules to detect attacks so easily mitigated with whitelisting." Matt Graeber
Zerodium exploit payouts updated
The exploit vendor Zerodium has updated its payout list, the maximum prices it is willing to pay for different targets, and helpfully provided a change-log (link). Zerodium added some new targets, such as mobile messengers (SMS/MMS, iMessage, Telegram, WhatsApp, Signal, Facebook, Viber, WeChat) at $500K, baseband RCE at $150K, and most other mobile targets at $100K. An iPhone exploit chain that needs no user interaction fetches $1.5M, whereas one that requires the user to click fetches $1M.
The last major release of this price list was in November 2015. Cumulative inflation since then is about 3.1%, yet many of the prices have roughly doubled.
It is always hard to draw conclusions from these exploit price numbers. One could argue that prices have gone up because software is getting more secure, which would be great. One could also argue that more organizations are using exploits and the greater buyer appetite is driving prices up, which is not good. Or everything has remained static and exploit writers are just getting better at negotiating, or Zerodium is simply listing higher prices as a form of advertising.
Conference materials and publications
- HITB GSEC slides: Conference in Singapore last week.
- A Brief History of Open Source from the Netflix Cloud Security Team: Netflix walks through all of the open-source cloud security tools they have released in the past three years.
- hillbrad/U2FReviews: Reviews of different U2F devices.
- I'm giving up on HPKP: Scott Helme discusses the dangers of the HPKP (Public-Key-Pins) HTTP header, which tells browsers to accept only TLS certificates whose public keys match the pins a site has served, for as long as its max-age says. Some sites have accidentally made themselves unreachable with this header (for example by losing every pinned key before the pins expired), and an attacker who can serve the header for your domain could pin keys only they control, making your real site inaccessible to everyone who saw it.
- Amazon Route 53 now supports CAA records: CAA records let a domain owner declare which certificate authorities may issue certificates for the domain. Unlike HPKP, they are checked by the CA at issuance time rather than by browsers at connection time, so a mistake blocks a new issuance, which you fix in DNS and retry, instead of locking users out of a site that is already up.
- Slack IP whitelisting: Slack users and bots can now be IP restricted, so users can reach Slack only from your corporate network or VPN, and a leaked bot token is useless to an attacker unless they also have a foothold on your infrastructure.
- Planning a Red Team exercise: Post by Ryan McGeehan.
- Chinese man arrested for malware used in OPM hack: "GoldSun" was arrested by the FBI in LA for conspiring with others who hacked several US companies (link). In addition to using the rarely seen Sakula malware that was also used in the OPM hack, these men used a variety of zero-day exploits against the companies named in the indictment.
- Cerber ransomware variants now actively try to detect and evade Canary files: Cybereason's RansomFree product plants canary files to catch ransomware in the act, but its image-file canaries were not structurally valid image files. Cerber now checks that each file is well-formed before encrypting it, skips the malformed canaries, and so never trips the detection. Canaries only work if they are indistinguishable from real files.
- Peripheral Pwnage: This post shows how wireless mice or keyboards can be spoofed to inject malicious keystrokes into the associated USB dongle (even if the target is only using a wireless mouse). Most of the underlying research came from Bastille in 2016 (link), but this post walks step-by-step through performing the attack. You should never use wireless mice or keyboards on your more critical systems, and for the rest you should be cautious about which vendors and versions you use.
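To make the HPKP and CAA items above concrete, here is an added example (not code from the newsletter, Scott Helme or Amazon) that simulates a browser enforcing Public-Key-Pins per RFC 7469, including the backup-pin rule, the lockout when a site loses its pinned keys, and a hostile pin set by an attacker, and then a CA's CAA check per RFC 8659 over a DNS zone. The key bytes, hostnames and zone contents are constructed for the demo; real pins are hashes of DER-encoded SubjectPublicKeyInfo structures.

```python
import base64
import hashlib

# Added example: a simulated HPKP-enforcing client (RFC 7469) next to a
# CAA issuance check (RFC 8659). Keys, hostnames and the DNS zone below
# are constructed for the demo, not taken from any real deployment.

# ---- HPKP: enforced by the browser, per host, for max-age seconds ----

def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(header: str) -> tuple:
    """Parse a Public-Key-Pins header value into (set of pins, max-age or None)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
    return pins, max_age

class PinningClient:
    """Minimal RFC 7469 pin store: host -> (pins, expiry time)."""
    def __init__(self):
        self.known = {}

    def note_header(self, host, header, chain_spkis, now):
        """Note pins only if one pin matches the served chain AND one does not
        (the backup-pin rule, RFC 7469 s2.5). max-age=0 deletes the entry."""
        pins, max_age = parse_hpkp(header)
        if max_age is None:
            return False
        if max_age == 0:
            self.known.pop(host, None)
            return True
        served = {pin_sha256(s) for s in chain_spkis}
        if not (pins & served) or not (pins - served):
            return False
        self.known[host] = (pins, now + max_age)
        return True

    def connection_allowed(self, host, chain_spkis, now):
        """Pin validation: while pins are live, some SPKI in the chain must match."""
        if host not in self.known:
            return True
        pins, expiry = self.known[host]
        if now >= expiry:
            del self.known[host]
            return True
        return bool(pins & {pin_sha256(s) for s in chain_spkis})

def hpkp_scenarios():
    """The two ways HPKP takes a site down: losing pinned keys, and a hostile pin."""
    cur, backup, fresh, evil = b"key-current", b"key-backup", b"key-new", b"key-evil"
    day = 86400
    def header(a, b, age):
        return 'pin-sha256="%s"; pin-sha256="%s"; max-age=%d' % (pin_sha256(a), pin_sha256(b), age)
    c = PinningClient()
    c.note_header("example.com", header(cur, backup, 60 * day), [cur], now=0)
    v = PinningClient()  # attacker with a mis-issued cert pins keys only they hold
    v.note_header("victim.example", header(evil, b"key-evil-2", 30 * day), [evil], now=0)
    return {
        "single_pin_ignored": not PinningClient().note_header("example.com", 'pin-sha256="%s"; max-age=%d' % (pin_sha256(cur), day), [cur], 0),
        "rotate_to_backup_ok": c.connection_allowed("example.com", [backup], now=day),
        # both pinned keys lost, or an unplanned move to a new CA: users are locked out ...
        "new_key_locked_out": not c.connection_allowed("example.com", [fresh], now=day),
        # ... until max-age elapses; a corrected header cannot reach them before then
        "unlocked_after_max_age": c.connection_allowed("example.com", [fresh], now=60 * day),
        "hostile_pin_blocks_real_key": not v.connection_allowed("victim.example", [cur], now=day),
    }

# ---- CAA: enforced by the CA at issuance time, by looking at DNS ----

def relevant_caa_rrset(zone, name):
    """RFC 8659 s3: walk from name toward the root; the first non-empty CAA
    RRset wins. zone maps FQDNs (with trailing dot) to (tag, value) records."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def ca_may_issue(zone, name, ca_domain, wildcard=False):
    """May the CA identified by ca_domain issue for name (for *.name if wildcard)?"""
    rrset = relevant_caa_rrset(zone, name)
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in rrset) else "issue"
    relevant = [v for t, v in rrset if t == tag]
    if not relevant:
        return True  # no CAA at all, or CAA without an issue restriction: permitted
    # value is "<ca-domain>[; parameters]"; a bare ";" (empty CA) forbids everyone
    return ca_domain.lower() in {v.split(";")[0].strip().lower() for v in relevant}

# constructed zone: one CA may issue for example.com and below, no wildcards at all,
# and a record naming no CA on one subdomain blocks issuance only for that subtree
ZONE = {
    "example.com.": [("issue", "letsencrypt.org"), ("issuewild", ";"), ("iodef", "mailto:security@example.com")],
    "locked.example.com.": [("issue", ";")],
}
```

The contrast the newsletter draws falls out of the two checks: a bad `ZONE` entry only makes `ca_may_issue` return False for the next certificate request, which you correct in DNS, while a bad or hostile pin set sits in every client's `PinningClient.known` until `max-age` runs out, and nothing the site operator serves in the meantime can be trusted by those clients.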
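For the Cerber item above, an added example (not code from the newsletter, Cybereason or the Cerber authors) of the kind of structural check a ransomware can run before encrypting a file, and of a canary that passes it. The page does not document Cerber's exact checks, so the PNG rules here are an assumption taken from the PNG specification: correct signature, a chunk sequence that begins with IHDR and ends with IEND, and a valid CRC on every chunk. The sample file set is constructed.

```python
import struct
import zlib

# Added example: a PNG well-formedness check of the sort a ransomware could use
# to skip planted canaries, plus a generator for canaries that survive it.
# The validation rules are assumed from the PNG spec, not from Cerber's code.

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def is_well_formed_png(data: bytes) -> bool:
    """True if data has the PNG signature and a chunk sequence that starts with
    IHDR, ends with IEND, spans the whole file, and has a correct CRC per chunk."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first, last = len(PNG_SIG), None, None
    while pos + 12 <= len(data):  # 4 length + 4 type + 4 crc is the minimum chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length or pos + 12 + length > len(data):
            return False  # truncated chunk
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False  # corrupted or fabricated chunk
        first = first or ctype
        last = ctype
        pos += 12 + length
    return pos == len(data) and first == b"IHDR" and last == b"IEND"

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

def make_canary_png(width: int = 4, height: int = 4) -> bytes:
    """A genuinely decodable 8-bit grayscale PNG: each scanline is a filter byte
    (0 = None) followed by width pixel bytes. Any image viewer will open it."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes([0x80]) * width for _ in range(height))
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")

# constructed naive canary: right extension and a PNG-looking prefix, no real structure
NAIVE_CANARY = b"\x89PNG" + b"\x00" * 64

def victim_files(files: dict) -> list:
    """Names of the .png files a structure-checking ransomware would encrypt.
    A canary has to appear in this list or the detection never fires."""
    return [n for n, d in files.items() if n.lower().endswith(".png") and is_well_formed_png(d)]
```

Running `victim_files` over a directory listing with both kinds of canary shows the evasion: the naive one is skipped exactly as the page describes, while the generated one is encrypted alongside the real images and therefore still triggers the detector.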