9283 8B4A 87FE DC6E C327 EF05 70A8 B78D 1623 3FB5

Infosec bits for week 02-18

  1. Meltdown and Spectre Updates Causing Problems for Some Users
    - Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers
    - Warning: Microsoft Fix Freezes Some PCs With AMD Chips
    - Important: Windows security updates released January 3, 2018, and antivirus software
    - “We’ll display this in red so it sticks out. Do not run the .reg file unless you’ve confirmed with your AV vendor that they’re compatible with the Meltdown and Spectre patches.”
    - Intel Releases Linux CPU Microcodes To fix Meltdown & Spectre Bugs
    - Qualcomm joins Intel, Apple, Arm, AMD in confirming its CPUs suffer hack bugs, too
    - List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates + see the US-CERT advisory
    - How to Protect Your Devices Against Meltdown and Spectre Attacks
    - You could resort to running everything on Raspberry Pis ;) jaxenter.com/spectre-meltdown-not-raspberry-pi-140201.html
    - And for the curious… Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time
  2. WPA3 announced
    - With WPA3, Wi-Fi security is about to get a lot tougher
    - WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago
  3. MADIoT – The nightmare after XMAS
  4. The Week in Ransomware – January 5th 2018 – Slow For The Holidays
  5. Monero going after just about everything…
    - New sophisticated Malware campaign Leveraging NSA Exploits to Mine Monero on Windows and Linux Systems
    - Massive Brute-Force Attack Infects WordPress Sites with Monero Miners
    - WebLogic Flaw Used to Install Monero Crypto Coin Miner + Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Servers
    - Miner blacklist
  6. Python-Based Botnet Targets Linux Systems with Exposed SSH Ports
  7. Hundreds of GPS Location Tracking Services Leaving User Data Open to Hackers
  8. Some news from December (worth mentioning):
    1. Stanford University executive leaves job after huge data breach
      - Stanford U. official ousted after keeping quiet about huge exposure of sensitive data
    2. Firewall Bursting: A New Approach to Better Branch Security
    3. Microsoft Word slams the door on DDEAUTO malware attacks
    4. Three More WordPress Plugins Found Hiding a Backdoor
      - www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/

Infosec bits for weeks 48-49/17

  1. US-CERT TA14-017A: UDP-Based Amplification Attacks – updated
    - Good background, detection methods and mitigation advice
    - CLDAP attacks have moved up to no. 3
  2. Google study finds phishing attacks more efficient than data breaches
    - www.scmagazine.com/google-study-finds-250000-web-credentials-stolen-every-week/article/706810/
    - www.zdnet.com/article/google-our-hunt-for-hackers-reveals-phishing-is-far-deadlier-than-data-breaches/
  3. Intel Releases Firmware Updates for Multiple Vulnerabilities
    - www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability
    - www.theregister.co.uk/2017/11/23/intel_firmware_fixes_slow_to_arrive/
    - www.bleepingcomputer.com/news/hardware/dell-other-vendors-start-shipping-laptops-with-intel-me-firmware-disabled/
  4. Patches Available for Samba Vulnerabilities
    - Patch your embedded devices (or any others using Samba) and/or disable SMB1
    - blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
    - redmondmag.com/articles/2017/05/18/more-advice-on-disabling-windows-smb-1.aspx
    - Remember to check your printers!
  5. Microsoft Office Equation Editor Flaw is Already Being Exploited
  6. Malicious Document Turns Off Word Macro Protections
  7. GitHub: Introducing security alerts on GitHub
  8. AWS Bucket Misconfiguration Exposes Classified NSA Data
    - Key takeaway: Use Amazon’s free vulnerability assessment service for the first 90 days while you implement a plan to extend your own vulnerability management solution to include the new AWS bucket
  9. Enable First-Party Isolation (FPI) in Firefox to further block trackers from adding to your online profile
  10. FaceID Beaten By Mask
  11. ‘Pop-Unders’ used to Launch Hidden, Persistent Cryptocurrency Miners
    - www.bleepingcomputer.com/news/security/cryptojacking-script-continues-to-operate-after-users-close-their-browser/
    - isc.sans.edu/forums/diary/9+Fast+and+Easy+Ways+To+Lose+Your+Crypto+Coins/23071/
  12. Prison hacker who tried to free friend now likely to join him inside!

Infosec bits for week 45/17

  1. A look into the global ‘drive-by cryptocurrency mining’ phenomenon
  2. New Amazon S3 Encryption & Security Features
    - including Default Encryption, Permission Checks, Cross-Region Replication ACL Overwrite, Cross-Region Replication with KMS and Detailed Inventory Report
  3. Google releases KRACK patches for Android
  4. Microsoft Provides Guidance on Mitigating DDE Attacks
    - technet.microsoft.com/library/security/4053440
    - Note A: “Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry”
    - Note B: “Users of the Windows 10 Fall Creator Update can leverage Windows Defender Exploit Guard to block DDE-based malware with Attack Surface Reduction (ASR). Attack Surface Reduction is a component within Windows Defender Exploit Guard that provides enterprises with a set of built-in intelligence that can block the underlying behaviors used by malicious documents to execute attacks without hindering product operation. By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never-before-seen zero-day attacks like these recently discovered vulnerabilities: CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826.”
  5. Half of people plug in USB drives they find in the parking lot
    - scary, but a nice (safe and non-intrusive) way to test how many get plugged in
  6. Stop relying on file extensions
  7. Honey Accounts
    - an interesting (and easy to implement) approach to early detection of malicious activity using Active Directory (AD)
  8. Factsheet Post-quantum cryptography – start planning today!
    - TL;DR: use at least 256-bit keys for AES; RSA, ECDSA and DH are not secure once quantum computers come into play; use SPHINCS-256/XMSS for stateless/stateful digital signatures

Infosec chews for geeks 45/17

  1. High-Level Approaches for Finding Vulnerabilities
  2. Reverse Engineering & Exploitation of a “Connected Alarm Clock”
    - “This article describes my journey into the Aura, from firmware image grabbing to remote buffer overflow exploitation.”
  3. Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs
  4. An (un)documented Word feature abused by attackers
  5. How I hacked Google’s bug tracking system itself for $15,600 in bounties
  6. Defeating Google’s audio reCaptcha with 85% accuracy
  7. Analysing a Cryptocurrency phishing attack that earns $15K in two hours
  8. Hacking Cryptocurrency Miners with OSINT Techniques
  9. CryptoShuffler: Trojan stole $140,000 in Bitcoin
  10. Linux kernel: multiple vulnerabilities in the USB subsystem
    - should be fun to try…
  11. Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB
  12. YARA: The pattern matching swiss knife for malware researchers

WordPress 4.8.3 Security Release

  1. WordPress 4.8.3 Security Release
    - Fixes an issue leading to potential SQL injection (SQLi) (via themes/plugins)
    - “Ferrara … disputes that the WordPress core is not directly affected”
    - While you’re here:
    1. Check your WordPress site for vulnerabilities: wpscans.com/
    2. Enable/Verify automatic updates of WordPress and plugins (or at least email you when updates are available)
      1. WordPress.org: Configuring Automatic Background Updates – note: only minor updates by default
      2. WordPress Upgrade shell Script – plugins, themes, crontab and more! (at own risk – review the code before use)
    3. Other ideas for securing WordPress

DUHK Attack

  1. Don’t Use Hard-coded Keys
    - “DUHK is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key … DUHK allows attackers to recover secret encryption keys from vulnerable implementations and decrypt and read communications passing over VPN connections or encrypted web sessions.”
    - If you are using any of the following, ensure you’re on the latest firmware to mitigate:
      - Fortinet FortiOS v4 (v5 is not vulnerable)
      - Cisco Aironet
      - BeCrypt Cryptographic Library
      - DeltaCrypt FIPS Module
      - MRV LX-4000T/LX-8020S
      - Neoscale CryptoStor
      - Neopost Security Devices
      - Renesas AE57C1
      - TechGuard PoliWall-CCF
      - Tendyron OnKey193
      - ViaSat FlagStone Core
      - Vocera Cryptographic Module

Bad Rabbit

  1. Bad Rabbit also utilised EternalRomance – NSA leaked / Microsoft SMB / Patch: MS17-010
    - Ever get pop-ups saying Flash / Java, etc. needs to be updated when you browse to a site?
    - “The majority of servers and websites that supported Bad Rabbit activity appear to have been shut down, just a day after reports of the ransomware campaign emerged. Bad Rabbit affected computers in Russia and Ukraine earlier this week. The malware was spread largely through watering hole attacks that pushed out phony Flash updates that execute a dropper on infected machines. According to several research firms, there is evidence that suggests Bad Rabbit may have a connection to Petya and NotPetya.” – www.sans.org/newsletters/newsbites/xix/85#304
    - One more reason why we should be happy that Flash is dying – RIP
    - Further reading:
    1. Rough summary of developing BadRabbit info
    2. Bad Rabbit: Ten things you need to know about the latest ransomware outbreak
    3. Kaspersky: Bad Rabbit ransomware
    4. Reuters Exclusive: Ukraine hit by stealthier phishing attacks during BadRabbit strike

Infosec bits for week 44/17

  1. If your standard organisational image isn’t Windows 10 – here’s another good reason why it should be ;)
    - Windows 10 tip: Turn on the new anti-ransomware features in the Fall Creators Update
    - Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta
  2. 59% of Employees Hit by Ransomware at Work Paid Ransom Out of Their Own Pockets!
    - Note: “31% of respondents also admitted to not knowing about ransomware before participating in cyber threat training sessions” – now is the time to educate
    - Includes a guide to ransomware protection
  3. D-Link MEA Site Caught Running Cryptocurrency Mining Script—Or Was It Hacked?
    - Use browser plugins like NoScript and RequestPolicy to add an extra layer of end user protection
  4. Hacking Cryptocurrency Miners with OSINT Techniques
    - What is lurking on your infrastructure?
  5. Understanding the General Data Protection Regulation – Free MOOC by University of Groningen (starts 13 November)!
  6. Securing SSH on Cisco IOS
  7. How I Socially Engineer Myself Into High Security Facilities
  8. Project Loon Bringing Emergency Internet to Puerto Rico
    (while not directly infosec related – this is cool! :))
    - Turning on Project Loon in Puerto Rico

Infosec chews for geeks 43/17

  1. Bypassing Intel Boot Guard
  2. Someone Created a Tor Hidden Service to Phish my Tor Hidden Service
  3. Testing Security Keys
  4. Investigating Security Incidents with Passive DNS
  5. Macro-less Code Exec in MSWord / Abusing Microsoft Office DDE (incl reg entries to disable DDEAUTO)
    - reports of “in the wild” exploitation 15/10/2017 and new crypto worm 24/10/2017!
    - e.g. securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/ (7/11)
    - Microsoft advisory (incl KB3123630) 10/10/2017 for patches
    - 0patching the Office DDE / DDEAUTO Vulnerability… ehm… Feature
      - (note that, similar to the MS advisory “workarounds”, this might break functionality – e.g. Excel auto-updating of externally linked cells)
  6. Peeking into .msg files
  7. It’s in the signature
  8. Attacking a co-hosted VM: A hacker, a hammer and two memory modules
  9. Microsoft VulnScan – Automated Triage and Root Cause Analysis of Memory Corruption Issues
  10. (Ok so Google is picking on all the competition but these are still interesting…)
    1. Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs
    2. Over The Air – Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices

Enjoy and feel free to share your own with csirt AT sanren . ac za