Weekly infosec news summary for 2017.09.17 – 2017.09.24
"Security folks who want access to resources scare me. Least privilege applies to security as much as (if not more than) "regular" users. If you're in security or ops and have a large amount of privileged access, you are a risk and should be scared, not pleased. Act accordingly." Scott J Roberts
"Effective detection requires embracing false positives. Don't fixate on detection accuracy. Demand or design better systems for FP handling" @kwm
The antivirus company Avast acquired the maker of CCleaner, a Windows utility for cleaning up registry keys, on July 18. Shortly after the acquisition, on August 15, the CCleaner installer was trojaned with malware and code-signed with the legitimate signing certificate used by CCleaner, making this a difficult-to-detect infection (link). Astonishingly, 2.27M systems were infected (link), given that there is no auto-update mechanism. There are over 5M manual downloads of this software each week, of which only some were impacted. Avast has attempted to clean these, but after the C2 domains were taken over, 200K callbacks were still being seen.
A little-known company named Morphisec originally detected this trojaning (link) and disclosed their finding to Avast, Cisco, and likely other security vendors. Awkwardly, Cisco has claimed credit for this discovery, which is a problem in the AV world: companies try to work together to stop threats, while at the same time the companies with the best marketing departments push to claim credit for the effectiveness of their products. Cisco does have good write-ups (here and here).
In Cisco's second write-up, it appears that someone hacked back against the malware's C2 server, as Cisco was "provided an archive containing files that were stored on the C2 server." With that archive, Cisco was able to identify that special payloads were to be delivered to certain tech companies, possibly as a way of infecting those companies. This is a surprising tactic, given that those companies are large enough to have IT departments which should be flagging CCleaner as malware. I would have assumed CCleaner would only be used by home users.
The story is also interesting in that Avast acquired a company that had already been breached. Checking for this should be part of due diligence, especially for a security company. One earlier example of a "breach acquisition" was Samsung's acquisition of the already-breached LoopPay (link).
Chris Rohlf points out that backdooring downloads has been happening for a long time, noting one example from 2002 in which an IRC client was backdoored on its own download site. However, this strategy is becoming more prevalent, and now, as then, we still don't have good solutions to this problem.
Two massive browser reports were released this week by X41 and Cure53, at 169 pages and 330 pages respectively. Both were sponsored by Google, primarily to compare the security of the Microsoft Edge and Google Chrome browsers on Windows 10. These were massive undertakings spanning about 4 months by multiple researchers from each company. The reports cover a wide variety of issues, including how the vendors respond to security issues raised by researchers, enterprise configuration capabilities, sandboxing and exploit hardening, plugins and extensions, UI features used for security, and more.
Additionally, Ivan Fratric of Google's Project Zero released The Great DOM Fuzz-off of 2017, where he fuzzed all the major browsers.
The Chrome browser released updates this week, including a fix for an issue reported by Microsoft's Offensive Security Research team involving a compiler performance optimization, which Google is temporarily disabling until they can figure out a way to resolve it. Similarly, SecuriTeam found a vulnerability resulting from an incorrect compiler optimization (link). Issues introduced by compilers are an interesting new focus of concern.
iTerm2 leaking data via DNS
iTerm2, the popular terminal app for macOS, was found to be making DNS requests for any text a user hovered their mouse over and hit Cmd (issue filing, and official statement). This would happen, for example, any time you hit Cmd+C to copy text, with some constraints such as the text needing to contain a "." or "/". The terminal would attempt to determine whether the hovered text was a URL, and to do so it made a DNS request for it. This meant that if you happened to copy/paste secrets, such as passwords, they would be beaconed out in plaintext in DNS requests. This feature was added over a year ago, but was fixed almost immediately once the issue was filed. The software auto-updates, so there isn't much that should be done now. Although this is bad, an attacker would need to be in a network position to record the traffic, and would only see small blips of text periodically, which they might not easily be able to tie back to a purpose. So consider your risks and roll secrets if desired.
This issue also highlights that no one is effectively monitoring the network or DNS traffic of their macOS environments, or else someone might have tracked this down earlier. EDRs such as CrowdStrike, CarbonBlack, etc. should be highlighting network traffic from non-browsers. Better functionality there would have helped notice this issue earlier, and would also be effective for detecting many other concerns and malware.
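As an added example (not from the original post, and not iTerm2's or any EDR vendor's code), the following Python script shows the kind of check a DNS-log pipeline could run to catch this class of leak. It takes per-process DNS query records (the log format is a constructed assumption), skips browsers, which legitimately resolve whatever a user types, and flags lookups whose names contain characters that are not valid in a hostname or whose labels look like random tokens by Shannon entropy. The sample log lines are constructed for the example.

```python
import math
import re
from collections import namedtuple

# Constructed sample log; the "<timestamp> <process> <qname>" layout is an
# assumption for this example, not the output of any real EDR product.
SAMPLE_LOG = """\
2017-09-20T10:01:02Z chrome www.example.com
2017-09-20T10:01:05Z iTerm2 docs.example.org
2017-09-20T10:01:09Z iTerm2 hunter2.secret/api
2017-09-20T10:02:11Z iTerm2 xK9qZ2mW7pLr.token.internal
2017-09-20T10:03:30Z safari news.example.net
2017-09-20T10:04:00Z curl repo.example.com
"""

# Processes expected to resolve arbitrary user-typed names; excluded to keep
# the false-positive rate manageable (tune per environment).
BROWSERS = {"chrome", "safari", "firefox"}

# A hostname label is letters, digits and hyphens only (RFC 1123).
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9-]+$")

# Labels at least this long with entropy above the threshold are treated as
# token-like; ordinary dictionary words stay well under 3.5 bits per character.
MIN_TOKEN_LEN = 12
ENTROPY_THRESHOLD = 3.5

Record = namedtuple("Record", "ts process qname")


def parse_log(text):
    """Parse whitespace-separated records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append(Record(*parts))
    return records


def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_reasons(qname):
    """Return the reasons a queried name looks like leaked text, if any."""
    reasons = []
    labels = qname.split(".")
    if any(not HOSTNAME_LABEL.match(label) for label in labels):
        reasons.append("non-hostname characters")
    for label in labels:
        if len(label) >= MIN_TOKEN_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy label %r" % label)
            break
    return reasons


def find_leaks(records):
    """Alert on suspicious lookups from processes that are not browsers."""
    findings = []
    for rec in records:
        if rec.process.lower() in BROWSERS:
            continue
        reasons = suspicious_reasons(rec.qname)
        if reasons:
            findings.append({"process": rec.process, "qname": rec.qname,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_leaks(parse_log(SAMPLE_LOG)):
        print("%s -> %s (%s)" % (f["process"], f["qname"], "; ".join(f["reasons"])))
```

The entropy threshold is the tuning knob: lowering it catches shorter tokens at the cost of more alerts on legitimate CDN hostnames, which is exactly the false-positive handling trade-off the @kwm quote at the top refers to.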
Inti De Ceukelaire described an issue he calls Ticket Trick in his post How I hacked hundreds of companies through their helpdesk. The issue combines functionality of two kinds of services. First, communication tools such as Slack, Yammer and Facebook Workplace require employees to sign up with their @company email addresses. Next, many services hand out email addresses, such as GitLab's feature for creating issues by email by sending them to a unique @gitlab.com address. By combining these features, the author was able to get access to the Slack channels of GitLab employees, and those of other companies.
The author also lists some important lessons learned. For example, once inside these different services, he found that "employees pasted passwords, company secrets and customer information in channels everyone in the team had access to." People talk about the dangers of businesses having hard outsides and soft insides; this concept doesn't just apply to servers having port restrictions, but also to the trust granted across all employees within companies. You should apply retention periods to your Slack channels and other internal chats.
Another great bullet point highlights "rogue IT" problems:
"Large companies have no clue what their employees are doing. I discussed this flaw with a CISO of a giant payment processing company. He assured me this wouldn’t be a problem, as their employees weren’t supposed to communicate through Slack. They had their own intranet set up to handle these things. I proved him wrong by joining 8 rogue Slack channels actively used by 332 employees all around the globe."
FinFisher using ISP-level MiTM
ESET reports that the surveillance software vendor FinFisher appears to be using ISP-level MiTM to infect targets (link). When users go to download legitimate applications, the MiTM trojans the downloads in transit. This is happening in 7 unspecified countries. Make sure any software downloaded via HTTP is code-signed.
- sakurity/racer: Chrome extension to test race conditions in web pages by recording the web requests that were going to be made and then sending them multiple times at once. The author, Egor Homakov, used this technique back in 2015 against Starbucks for a bug bounty (link).
- airbnb/binaryalert: Airbnb's tool for using AWS to scan binaries with YARA signatures released its 1.0 version this week. Their other project, streamalert, released version 1.5 with a number of new features, including new functionality to leverage AWS Athena.
- cldrn/macphish: Office for Mac Macro Payload Generator, because macOS has the same problem Windows does with Office macros.
- AWS API key Canarytoken: It has been mentioned previously, but it bears repeating, and now Thinkst has a blog post for it. They provide AWS keys as free canarytokens, that will email you when they are used.
- Forseti: Google and Spotify have released a tool for GCE to detect security issues. It is similar to Security Monkey (which also works with GCE, although it is most known for working with AWS). Spotify's post is here.
- rVMI: Debugger from FireEye that runs at the hypervisor level and provides memory analysis via Rekall.
- Python security mailing list: Python now has a security mailing list. It is worth subscribing to in the wake of last week's Pytosquatting. As an example of backdoored Python libraries, check out this find by LinkedIn's security team (scroll to the very bottom).
- Native-Windows-Useragentss.txt: To help identify common binaries being abused by attackers, Chris Long has put together a list of the user-agent strings used by some of these binaries. If you see these user-agent strings calling out to domains other than Microsoft, Google, or Adobe owned domains, you should investigate.
- A secure captive portal browser with automatic DNS detection: Filippo Valsorda has a post and tool for getting through captive portals on wifi in a secure way.
- Derbycon videos: Conference this weekend in Kentucky.
- USENIX Security Videos and Papers: Conference in Vancouver, Canada from August.
- SREcon17: Slides and some videos are posted for this conference in Ireland in late August. Not all of the talks are specifically about security, but many of the concepts are useful. For example, Capturing and Analyzing Millions of Queries without Any Overhead from Karthik Appigatla and Basavaiah Thambara of LinkedIn discusses parsing network PCAPs to analyze SQL queries, as opposed to using the Slow Query Log, which is not as performant. For spotting SQL injection issues and for other auditing, it is useful to record SQL queries, and this offers a way of doing that which won't impact performance. There are also talks about being on-call and dealing with alerts.
- Repeated vs. single-round games in security: Halvar Flake (Thomas Dullien) of Project Zero has a lot of strategic thoughts packed into this presentation from BSides Zurich.
- Equifax's twitter account linking to a phishing version of their site: In yet more bad news around Equifax, instead of linking to the real equifaxsecurity2017[.]com site, their twitter account linked to the fake site securityequifax2017[.]com.
- Hackers Using iCloud's Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments: iCloud has historically been one of the weakest links in Apple's security, as witnessed in "The Fappening" of 2014, when celebrity nude photos were pulled from iCloud accounts. Attackers have been abusing iCloud for a while now (since at least 2016) by using the "Find my iPhone" feature to ransom access to people's phones. Given how important iCloud access is, Apple does a poor job of handling ATO (Account Take-Over) of those accounts. (Advice to Apple: given that you can identify the location of the iPhones, geographically dispersed iPhones being locked suddenly from the same IP, along with likely millions of failed login attempts, should generate alerts to your SOC.) Choosing a strong password for your iCloud account is good to do, but this strategy is frustrated by the fact that you're going to have to periodically type in whatever long, random password you created, and in the event of your phone being stolen, you're going to want to remember that password so you can lock it. This makes for a difficult trade-off between usable and strong security.
- Apple patches Xcode 9: Apple historically does not provide security fixes for issues affecting developers in a timely manner. They have finally fixed CVE-2017-1000117 in git, which was made public 40 days prior (link). Another example is the 79-day lag for CVE-2016-0778, which affected ssh. These are issues that each had public exploits available, and still took Apple over a month to fix. They are improving, but Apple's lack of concern for developer security is off-putting.
- Unsecured Elasticsearch Instance: Pornhub had an exposed Elasticsearch instance. What I find interesting is that something in front of it used round-robin between multiple instances, and only one of those instances was exposed.
- The Principles of a Subdomain Takeover: This post shows how AWS CloudFront distributions can be taken over.
- Adobe security team posts private PGP key on blog: Adobe accidentally posted their private PGP key along with their public key for contacting them about security issues. PGP has always been difficult to use (and this mistake is sadly very common), but creating a secure means of communicating with a security team is even more difficult, especially given that security teams often have privileged accesses and yet also need to handle potential malware and exploits. This issue also points to concerns with how Adobe is handling their PGP key and security communications. Adobe should have an automated system for these incoming emails that takes care of issues such as decryption and sanitization.
- .cat TLD registrar raided: The registrar for the TLD created for the Spanish region of Catalonia was raided by the police, and a number of sites hosted there were redirected to a page run by the police. Catalonia is trying to secede from Spain, so arrests were made for sedition. This highlights the importance of domain registrars. Speaking of domain registrars, some reports came in this week of issues with .io domains returning bad results (link). Heed the advice of that poster: "I wouldn't recommend running something important on a .io domain."
- Default password used in MySQL installs: DigitalOcean reports that their 1-click installs of MySQL, along with applications that use MySQL, including PHPMyAdmin, LAMP, WordPress, and more, created a user named debian-sys-maint, and this MySQL user has a default password that was not changed. DigitalOcean reports that this issue affects many other cloud providers and marketplaces. Databases should not be exposed publicly, but many are, and this issue affects them, making MySQL and PHPMyAdmin remotely exploitable. Other services are locally exploitable.
- ansible-vault Yaml Load Code Execution Vulnerability: ansible-vault was found to try to execute your password if the password you entered was python code.
- Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection: In yet another awkward password issue, Joomla, when configured to use AD authentication, inserts the username directly into the LDAP query filter instead of comparing it as a string. The write-up also shows that passwords are stored in plaintext, because a query can also be generated that guesses the password one character index at a time.
- How Viacom's Master Controls Were Left Exposed: The Fortune 500 company Viacom, which owns Paramount Pictures, had an S3 bucket exposed, which included their Puppet master (and all the credentials it has), GPG decryption keys for their backups, secret access keys to Viacom's AWS account, and more, all in the easily guessable S3 bucket "mcs-puppet".
- Optionsbleed: It was discovered that sending an OPTIONS request to Apache servers causes them to leak a bit of data. It doesn't seem this can be controlled, the data isn't enough to be too worrisome, and of the Alexa 1M, only 466 hosts appear affected. The discovery is interesting in that someone simply gathered a list of the responses for this standard call and then noticed some weird responses, so this wasn't fuzzing or code analysis, but just noticing something odd.
- CVE-2017-5462 - A PRNG issue: Firefox had a bug in its PRNG that reduced its entropy. This was ultimately found in two ways. One was through the official test vectors (seeds and outputs) provided in the standard. The other was through formal analysis using a static analysis tool created specifically for finding implementation bugs in pseudo-random number generators.
- Race Conditions in OAuth 2 API implementations: This Hacker One bug bounty report, and the blog post on the issue, are difficult to follow, but it seems that many OAuth 2.0 providers do not properly invalidate access once a user decides to stop using an app, such that the app can maintain access to that user's data indefinitely. It's a good practice to always read Hacker One's "Internet Bounties", as these are bugs in widely used libraries or applications. It's also interesting that this issue took 2 years to disclose, although the reason behind that is unclear.
- AWS changes MFA resets on root account: AWS root account MFA resets for lost devices are now a simplified process. I've heard mixed reports on the account recovery process used in the past, with everyone who has done it saying it was different every time they did it. Although this hopefully standardizes their process, I'm not a fan of AWS making it easier to recover an AWS account. If you're confident in your DR strategy for maintaining control of your own account (ex. you have backup MFA devices), speak with your TAMs about requesting any account recovery be made as difficult as possible.
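The Joomla LDAP injection item above comes down to building a search filter by string concatenation. As an added example, not Joomla's code, here is the vulnerable construction beside a hardened one in Python: the safe version escapes the RFC 4515 filter metacharacters in the user-supplied value, and a structural check confirms the resulting filter still has exactly the assertions the template intended. The filter template, the attribute names and the sample username are constructed for the example.

```python
# Characters with special meaning inside an LDAP search filter (RFC 4515
# section 3) and their backslash-hex escapes. Each character is mapped in a
# single pass, so the backslash itself cannot be double-escaped.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed filter template: look the account up by name only.
FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName=%s))"


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username):
    """Vulnerable: the username is spliced into the filter verbatim, so
    metacharacters in it change the filter's structure."""
    return FILTER_TEMPLATE % username


def build_filter_safe(username):
    """Hardened: the username can only ever be an attribute value."""
    return FILTER_TEMPLATE % escape_filter_value(username)


def filter_shape_ok(ldap_filter, expected_assertions=2):
    """Cheap structural sanity check. The template is one conjunction plus a
    fixed number of assertions, so the count of unescaped '(' is known in
    advance; any extra one means the input altered the filter."""
    return ldap_filter.count("(") == expected_assertions + 1


if __name__ == "__main__":
    user_input = "admin)(uid=*"   # constructed input carrying filter metacharacters
    for builder in (build_filter_unsafe, build_filter_safe):
        f = builder(user_input)
        print("%-20s %s  shape_ok=%s" % (builder.__name__, f, filter_shape_ok(f)))
```

Escaping is the fix; the shape check is a belt-and-braces guard that is also cheap to log as a detection signal, since a legitimate login never changes the number of assertions in the filter.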
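The OAuth 2 revocation item describes apps keeping access after a user disconnects them. As an added example, not code from any of the providers in the Hacker One report, this Python model of an authorization server binds every access and refresh token to a grant record and checks that record both on introspection and on refresh, so revoking the grant cuts the app off; a second class reproduces the failure mode in which "disconnect" only deletes the currently live access token, leaving the refresh token able to mint new ones. The class and method names, the in-memory storage and the sample user and client are assumptions for the example.

```python
import secrets
import time


class AuthServer:
    """Toy OAuth 2.0 authorization server. Every token points at a grant
    record, and revocation happens on the grant, so nothing derived from a
    revoked grant keeps working."""

    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self.grants = {}          # grant_id -> {"user", "client", "revoked"}
        self.access_tokens = {}   # access token -> (grant_id, expires_at)
        self.refresh_tokens = {}  # refresh token -> grant_id

    def authorize(self, user, client):
        """User consents to an app: record the grant, issue the first tokens."""
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = {"user": user, "client": client, "revoked": False}
        return self._issue(grant_id)

    def _issue(self, grant_id):
        access = secrets.token_urlsafe(24)
        refresh = secrets.token_urlsafe(24)
        self.access_tokens[access] = (grant_id, time.time() + self.access_ttl)
        self.refresh_tokens[refresh] = grant_id
        return access, refresh

    def _grant_active(self, grant_id):
        grant = self.grants.get(grant_id)
        return grant is not None and not grant["revoked"]

    def revoke_app(self, user, client):
        """User disconnects the app: revoke the grant itself, not just a token."""
        for grant in self.grants.values():
            if grant["user"] == user and grant["client"] == client:
                grant["revoked"] = True

    def introspect(self, access):
        """Resource-server check: token known, unexpired, and grant still live."""
        entry = self.access_tokens.get(access)
        if entry is None:
            return False
        grant_id, expires_at = entry
        return time.time() < expires_at and self._grant_active(grant_id)

    def refresh(self, refresh):
        """Exchange a refresh token for new tokens; refuses if the grant is gone."""
        grant_id = self.refresh_tokens.pop(refresh, None)  # single use
        if grant_id is None or not self._grant_active(grant_id):
            return None
        return self._issue(grant_id)


class TokenOnlyRevocation(AuthServer):
    """The failure mode: 'disconnect' deletes the live access token but never
    touches the grant, so the app's refresh token still mints new tokens."""

    def revoke_app(self, user, client):
        for token, (grant_id, _) in list(self.access_tokens.items()):
            grant = self.grants[grant_id]
            if grant["user"] == user and grant["client"] == client:
                del self.access_tokens[token]


def app_retains_access_after_revocation(server):
    """Drive one authorize / revoke / refresh cycle and report whether the
    app can still obtain a valid access token afterwards."""
    access, refresh = server.authorize("alice", "calendar-sync")
    assert server.introspect(access)
    server.revoke_app("alice", "calendar-sync")
    if server.introspect(access):
        return True                       # old token still valid: broken
    renewed = server.refresh(refresh)
    return renewed is not None and server.introspect(renewed[0])


if __name__ == "__main__":
    print("grant-based revocation, app keeps access:",
          app_retains_access_after_revocation(AuthServer()))
    print("token-only revocation, app keeps access:",
          app_retains_access_after_revocation(TokenOnlyRevocation()))
```

Introspection here is a dictionary lookup. With self-contained JWTs the resource server cannot see the revocation, so the same property has to come from a short access-token lifetime plus the grant-status check at refresh time.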
If you find Downclimb useful, please retweet or share internally on your Slacks and with your teams!