Weekly infosec news summary for 2017.09.10 – 2017.09.17
Quotes
“The number of known attacks against AWS is small, which is at odds with the huge number (and complexity) of services available. It’s not a deep insight to argue that the number of classes of cloud specific attacks will rise.” marco slaviero
“If you hunted for adversaries as well as you hunted for excuses Crowdstrike would be out of animals by now!” Scott J Roberts
“look for the snowflakes in your infra (hosts, networks, apps, users, etc) and melt them with extreme prejudice” Aaron Grattafiori
“Can’t staff a red team? Hire 2-3 junior people to do nothing but identify and remove unused hosts and software. Its likely the same ROI.” Chris Rohlf
“Continuing to demand users create and remember random passwords is the infosec equivalent of demanding the earth spin the other way.” scriptjunkie
“Users don’t go looking for adware. If your endpoints are riddled with it, try figuring out what software users need but aren’t being given.” @kwm
Top stories
Bluetooth “BlueBorne” vulns
A handful of vulnerabilities in Bluetooth were discovered that allow RCE and MiTM on a wide range of devices including iPhones and other iOS devices <= iOS 9.3.5, Windows >= Vista, and many Linux and Android devices (link). Luckily unique exploits need to be made for the different devices and physical proximity is required. A good best practice is to reduce your attack surface as much as possible by avoiding as many connection points as possible, including avoiding Bluetooth keyboards and mice for laptops of especially high impact engineers. Bluetooth keyboards have a long history of being eavesdropped on (ex. here and here) and the ability to spin around in your chair while tapping from your lap simply isn’t worth the risk for some employees that may have access to critical resources.
WordPress plugin hijack
A WordPress plugin named “Display Widgets” that was used in over 200K WordPress installations was purchased for $15K (link). After possibly being promptly resold, it ended up injecting spam into the forums of sites, but would not show these ads to logged in users, thereby avoiding detection from the admins. Although the impact was relatively benign and some of its activities were easily detected, this could have been much worse and shows how cheap it is for an attacker to gain control of a large number of servers. The activities were easily detected because it was downloading data from a third-party site (a full 38MB of data to every visitor) and was taken down 4 times before WordPress decided to finally take-over the plugin themselves and release a version without the malicious code.
Tools
- IDA 7.00: The reversing tool IDA Pro is now a 64-bit application! An update for the decompiler has also been released (link).
- objective-see/LuLu: Lulu is an alpha version of an open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user. See the intro post here. This is similar to Little Snitch.
- palantir/windows-event-forwarding: Palantir has released a pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. See their intro post at Windows Event Forwarding for Network Defense.
Other reads
- Pytosquatting: 128 Python stdlib packages have been squatted by researchers in order to try to avoid people being compromised by attempting to install versions that could have been malicious. They’ve found that thousands of installs have been made over the course of a few days. If you use osquery, you can use this query to look for installs of these packages on your own networks.
- Responding to typical breaches on AWS: Ryan McGeehan discusses what it looks like when an AWS environment is breached via automated scanners from finding exposed AWS keys or compromising a vulnerable EC2.
- The Road To HSTS: Martin Georgiev from Yelp discusses their path to implementing HSTS to enforce HTTPS. One highlight is their use of a “tracking pixel” to connect to the apex domain yelp.com in order to enforce HTTPS across all of its sub-domains, as the main site is hosted at www.yelp.com which does not allow other subdomains, such as api.yelp.com, to have HTTPS enforced on it via HSTS.
- Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol and Enlarge your botnet with: top D-Link routers: A number of vulnerabilities were discovered and full-disclosed in DLink routers in two separate posts.
- New Variants of Agent.BTZ/ComRAT Found: This post took a number of samples of the old Agent.BTZ malware in order to find common functions between them, and then by looking for that function were able to identify newer, previously unknown, versions of the malware.
- Farseeing: a look at BeyondCorp: This post from Marco Slaviero of Thinkst explains the types of attacks that a BeyondCorp strategy can shut down
- AWS IAM Policy Summaries Now Help You Identify Errors and Correct Permissions in Your IAM Policies: Amazon Web Service IAM policies have many gotchas. AWS is now doing a better job of identifying incorrect policies, however you have to look at a special page after creating your policy in order to find these new warnings.
- Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes: Equifax released a statement regarding their breach. They’ve confirmed that they observed suspicious network traffic on July 29 and 30, prompting them to bring in Mandiant on August 2. Unauthorized access had been happening since May 13. The attack vector was in Apache Struts (CVE-2017-5638), a vuln that had been announced with a patch for it in early March (so not an 0-day for the Struts vuln announced last week). This represents an anomaly in major breaches in that the company discovered it on their own. Most breaches are discovered because stolen credit cards are used that are traced back to the company, a ransom or other announcement from the attacker is made, or some law enforcement contacts the company. So congrats to Equifax’s security team for that. I’m curious how that was detected (bad IP? Large amount of traffic? IDS rule on struts exploit? DLP watching traffic?). Also, congrats to them for responding quickly to bring in an incident response team. That said, not patching the known vuln, and having an architecture that allows the breach of one system to result in the breach of everything, is not good. See Exfiltration Resistant Infrastructure for ideas on how to improve that architecture.
- Equifax + 3rd party code != security: Collin Greene discusses how to manage the use third-party code in your environments, and how to ensure this software is actually patched.
If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams.