BF-SIRT Newsletter 2018-28

Botnet built with one exploit only

A malware author has built a huge botnet comprised of over 18,000 routers in the span of only one day.

This new botnet has been spotted this week by security researchers from NewSky Security, and their findings have been confirmed by Qihoo 360 Netlab, Rapid7, and Greynoise.

The botnet has been built by exploiting a vulnerability in Huawei HG532 routers, tracked as CVE-2017-17215.

Botnet author is a known threat actor

The botnet herder identified himself with the pseudonym “Anarchy.” Answering inquiries from both Anubhav and Bleeping Computer, Anarchy did not provide a reason why he created the botnet.

But Anubhav believes Anarchy may actually be a hacker who previously identified as Wicked, whom Anubhav interviewed on NewSky’s blog and whom Fortinet featured in a report here.

But the real problem here is not a malware author doing what he does best. The problem is the relative ease with which Anarchy built a gigantic botnet within one day.

He didn’t do it with a zero-day or some vulnerability that had not been exploited before. He did so with a high-profile vulnerability that many botnets have exploited before.

Top 5 Security links

Public By Default: What Venmo (and the Whole World) Knows About You

Microsoft Identity Bounty Program Pays $500 to $100,000 for Bugs

Sextortion scam knows your password, but don’t fall for it

Director of National Intelligence warns of devastating cyber threat to US infrastructure

Google User Content CDN Used for Malware Hosting

BF-SIRT Newsletter 2018-27

Chrome Now Features Site Isolation to Defend Against Spectre

A new feature called site isolation is being tapped to protect Chrome users against Spectre.

Google introduced new security mitigations for its Chrome browser to defend against recently discovered Spectre variants.

The new security feature, called site isolation, runs the content of different sites in separate browser processes rather than sharing one renderer process between tabs. That means one tab’s webpage rendering and functions won’t interfere with what is happening in another. It has now been pushed out to most users of Chrome 67, released in May, on Windows, Mac, Linux and ChromeOS, said Google.

“Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers,” said Google software engineer Charlie Reis in a Wednesday post. “A website could use such attacks to steal data or login information from other websites that are open in the browser.”

Site Isolation is nothing new. It’s been optionally available as an experimental enterprise policy since Chrome 63 for customers. But, said Reis, many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.

On Tuesday, more Spectre variants were disclosed, dubbed Spectre1.1 and a subset, Spectre1.2, collectively referred to as Variant 4 of Spectre by Intel and ARM.

Top 5 Security links

Default router password leads to spilled military secrets
The next generation of WI-FI security will save you from yourself
Update Flash (and Adobe Acrobat) NOW!
Thermanator attack steals passwords by reading thermal residue on keyboards
Stolen D-Link certificate used to digitally sign spying malware

Photo by Charles Deluvio 🇵🇭🇨🇦 on Unsplash

BF-SIRT Newsletter 2018-26

Gentoo shows off prompt and professional security response after minor breach

A weak administrator password allowed an unknown attacker to gain access to the Gentoo Linux distribution’s GitHub account and lock developers out of it. The GitHub repositories of Gentoo are only downstream mirrors from the self-hosted Gentoo.org infrastructure.

From an organizational standpoint, Gentoo’s handling of the incident was prompt and professional. Gentoo promptly released official statements detailing the nature of the breach. This should be considered the standard against which organizations are judged when handling security breaches.

Top 5 Security links

Programmer tried to sell cyberweapon on dark web for $50M: Reminder to secure employees
Gartner Identifies the Top Six Security and Risk Management Trends
UK Banks Told To Show Their Backup Plans For Tech Shutdowns
Google tries to calm controversy over app developers having access to your Gmail
Why LTE and 5G networks could be affected by these new security vulnerabilities


(Blogpost image by Charles Deluvio 🇵🇭🇨🇦, “Front-End Development“, “Do whatever you want”-license by Unsplash)

BF-SIRT Newsletter 2018-23

New Vulnerability Found in All Modern Intel CPUs

Another security vulnerability has been discovered in Intel chips that affects the processor’s speculative execution technology. Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed by Intel, and vendors are now rushing to roll out security updates in order to fix the flaw.

Unlike other chip vulnerabilities, this one does not reside in the hardware layer, so this can be fixed by new microcode from Intel. As always, keep your software up to date.

Top 5 Security links
Startup Working on Contentious Pentagon AI Project Was Hacked
Tens of Thousands of Android Devices Are Exposing Their Debug Port
Citation needed: Europe claims Kaspersky wares ‘confirmed as malicious’
Feds Bust Dozens of Email Scammers, but Your Inbox Still Isn’t Safe
What got breached this week? Ticket portals, DNA sites, and Atlanta’s police cameras


(Blogpost image by Alexandru-Bogdan Ghita, “CPU in Socket”, “Do whatever you want”-license by Unsplash)

San Francisco Airport (SFO) at night

BF-SIRT Newsletter 2018-16

State-Sponsored Cyber Actors do State-Sponsored Cyber Actor stuff

US-CERT published a joint Technical Alert (TA) resulting from efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC), providing information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. They provide some concrete information that can be acted upon. The fact that this happens is not new, there is no reason to think Russia is the only country doing it, and the actors are not doing anything spectacular or fancy either. Check for the indicators provided, keep calm and carry on.


On a separate note, Oracle announced 250 security fixes in its quarterly patch update, and Cisco published important and critical security advisories for Firepower, ASA and WebEx.


Top 5 Security links
RSA 2018 Keynote – The Five Most Dangerous New Attack Techniques
PCI Council Releases Guidelines for Cloud Compliance
Hacking charge for URL-manipulation in Canada
Drupalgeddon 2 Vulnerability Used to Infect Servers With Backdoors & Coinminers
Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar


(Blogpost image by Andrew Choy from Santa Clara, California, “San Francisco International Airport at night“, Creative Commons Attribution-Share Alike)

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure

Yesterday, US-CERT posted a bulletin about Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices ( https://www.us-cert.gov/ncas/alerts/TA18-106A ).
Our take on this is that this is something one must always assume to be happening, and if the bulletin is accurate then it’s not something Russia is alone in doing:
https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
https://www.engadget.com/2016/08/21/nsa-technique-for-cisco-spying/

It is vital to have critical controls in place to protect against these types of attacks, and to be prepared to take action based on concrete Indicators of Compromise provided in alerts and threat intelligence. Basefarm is a member of FIRST.org, TF-CSIRT and Swedish CERT-Forum, which helps us gather intelligence such as this in a timely manner.


(Blogpost image by Erik Mandre, “Karu-Ursus arctos-Erik Mandre.jpg“, Creative Commons Attribution-Share Alike)

BF-SIRT Newsletter 2018-15

Facebook

On Tuesday and Wednesday this week, Mark Zuckerberg took part in congressional hearings regarding Cambridge Analytica and privacy concerns regarding Facebook. Multiple news outlets are covering the story, and KrebsOnSecurity also wrote an article about why one should not trust these types of quizzes, since the apps behind them may receive data about you and your friends when you take them (which is how Cambridge Analytica got hold of information about more than 50 million users when they approved access to the app “This is your digital life”).

Facebook has since added a website that allows you to check if your information was leaked or not, and they have also added additional privacy information on what type of data you have uploaded to Facebook with regards to Contacts, Call and Text history if you allowed Messenger or Facebook on your mobile to do so.

Facebook has also updated their bug bounty program and now offers a $40,000 bounty if you find evidence of data leaks.


Top 5 Security links
Finland hit by a data breach affecting over 130,000 users
Drupal CVE-2018-7600 PoC is Public
Outlook bug allowed hackers to use .rtf files to steal windows passwords
Your Windows PC can get hacked by simply visiting a website if you don’t update
PowerHammer lets hackers steal data from air-gapped computers through power lines


BF-SIRT Newsletter 2018-14

Intel tells remote keyboard users to delete app after critical bug found.

On Tuesday, Intel warned of a critical escalation of privilege vulnerability (CVE-2018-3641) in all versions of the Intel Remote Keyboard that allows a network attacker to inject keystrokes as if they were a local user.

The vulnerability received a Common Vulnerabilities and Exposure (CVE) score of 9.0 out of 10.

As part of the same advisory, Intel shared two additional Remote Keyboard vulnerabilities, both rated high. The bugs (CVE-2018-3645 and CVE-2018-3638) allow an “authorized local attacker to execute arbitrary code as a privileged user” and had CVE scores of 8.8 and 7.2, according to Intel.

An Intel spokesperson told Threatpost the product had already been scheduled for discontinuation, and the discontinuation is not related to the security advisory. Despite being discontinued, Intel still maintains a Remote Keyboard product page for the app and it is still available for download via Apple’s App Store and Google Play. According to Google Play, the app has been installed over 500,000 times.


Top 5 Security links
https://blog.cloudflare.com/announcing-1111/
https://www.elastic.co/blog/gdpr-personal-data-pseudonymization-part-1
https://krebsonsecurity.com/2018/04/secret-service-warns-of-chip-card-scheme/
https://blog.infostruction.com/2018/04/02/feodo-banking-trojan-dropper-analysis/
https://www.commondreams.org/news/2018/04/05/not-50-million-not-87-million-facebook-admits-data-most-its-2-billion-users


BF-SIRT Newsletter 2018-12

Bitcoin’s blockchain poisoned

Researchers from the RWTH Aachen University and Goethe University, Germany, have uncovered images and links to child pornography in cryptocurrency Bitcoin’s blockchain. The analysis found that certain content, such as illegal pornography, would render the mere possession of a blockchain illegal, with data distributed to all Bitcoin participants.

Version 7 of CIS Controls released

“CIS Controls Version 7” was released Monday by the Center for Internet Security, including steps for mapping the well-known “high-priority short list” of defensive actions to the National Institute of Standards and Technology’s framework of cybersecurity standards.


Top 5 Security links
Pirate Websites Expose Users to More Malware, Study Finds
AMD Will Release the Patches for the Recently Discovered Flaws Very Soon
Dragonfly Compromises Core Router to Attack Critical Infrastructure
Firefox Master Password System Has Been Poorly Secured for the Past 9 Years
EXCLUSIVE: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer


(Blogpost image by Stefan Krause, “Glühlampe explodiert“, Free Art License)

BF-SIRT Newsletter 2018-11

AMD Vulnerabilities

This week, CTS-Labs sent out an advisory regarding AMD Vulnerabilities.
What’s worth noting is that all of the vulnerabilities require local administrator access to exploit, and if an attacker already has that access it’s basically game over either way. There are also concerns that the disclosure was timed to manipulate stock prices, and the fact that CTS-Labs gave AMD only a one-day heads up before going public (instead of the usual 30 to 90 days) has set off red flags for some parties.


Top 5 Security links
Let’s have a sober look at these ‘ere annoying AMD chip security flaws
APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware
ISPs Caught Injecting Cryptocurrency Miners and Spyware In Some Countries
Pre-Installed Malware Found On 5 Million Popular Android Phones
Update Samba Servers Immediately to Patch Password Reset and DoS Vulnerabilities