Today’s Advisories

CISCO scores a perfect 10 on vulnerability. Fixes available. DO IT NOW!

This vulnerability is critical. CVE-2018-0101 is ranked 10 out of 10 for severity. That means it can be easily exploited, exploited remotely, and no authentication is required. There are no workarounds, “so customers must either disable the ASA VPN functionality or install updated OS versions”. Get yer patches up now!

Cisco says that an attacker can send malformed XML packets to such devices and execute malicious code on the device. Depending on the code’s nature, an attacker can gain control over the device.

It affects any device running ASA Adaptive Security Appliance software, but only if the “webvpn” feature is enabled in the OS settings. You can find more information about ASA Software version numbers for fixed releases in Cisco’s CWE-415 security advisory.
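Since the advisory only bites when webvpn is enabled, the first thing to check is the running config. The following is an added example (not Cisco's or Bleeping Computer's code) that scans a constructed ASA config for a top-level `webvpn` block with `enable <interface>` lines; it assumes that standard ASA syntax and a config pulled with `show running-config`.

```python
"""Added example: report whether an ASA running-config exposes webvpn,
the precondition CVE-2018-0101 needs. Assumes the usual ASA syntax: a
top-level 'webvpn' block whose indented 'enable <interface>' lines turn
the feature on per interface. The config below is constructed."""
import re

# Constructed sample running-config (not from a real device)
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.5.pkg 1
 anyconnect enable
 tunnel-group-list enable
dns server-group DefaultDNS
"""

ENABLE_LINE = re.compile(r"^\s+enable\s+(\S+)\s*$")


def webvpn_enabled_interfaces(config):
    """Return the interfaces on which webvpn is enabled ([] means not exposed)."""
    interfaces = []
    in_webvpn = False
    for line in config.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new top-level block; only the
            # 'webvpn' block's indented lines matter here.
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            match = ENABLE_LINE.match(line)
            if match:
                interfaces.append(match.group(1))
    return interfaces


def needs_urgent_patch(config):
    """True when webvpn is enabled on at least one interface."""
    return bool(webvpn_enabled_interfaces(config))


if __name__ == "__main__":
    print("webvpn on:", webvpn_enabled_interfaces(SAMPLE_CONFIG))
    print("patch now:", needs_urgent_patch(SAMPLE_CONFIG))
```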

Per Bleeping Computer https://www.bleepingcomputer.com/news/security/cisco-fixes-remote-code-execution-bug-rated-10-out-of-10-on-severity-scale/

New Ransomware GandCrab being delivered by RIG exploit kit. 

This one requests DASH cryptocurrency, which is apparently harder for law enforcement to trace. The ransom is 1.54 DASH, or $1170 USD. It appends .GDCB to files it encrypts. Here’s how victims will know it’s too late:

At some point, the ransomware will relaunch itself using the command “C:\Windows\system32\wbem\wmic.exe” process call create “cmd /c start %Temp%\[launched_file_name].exe”. If the user does not answer Yes to the resulting UAC prompt, it will keep displaying the prompt.
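That relaunch is a good thing to hunt for: wmic.exe should not normally be creating processes out of a user's Temp folder. Below is an added example (not from the Bleeping Computer report) that runs a simple check over constructed process-creation records; the record shape and the sample command lines are assumptions.

```python
"""Added example: flag process-creation events that look like the GandCrab
relaunch described above, i.e. wmic.exe 'process call create' starting an
executable from a Temp folder. Events below are constructed in a simplified
(image, command line) shape similar to Sysmon Event ID 1."""
import re

# Constructed sample events: (image path, command line)
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\wbem\\WMIC.exe",
     'wmic process call create "cmd /c start %Temp%\\xkqzptw.exe"'),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe",
     'wmic process call create "cmd /c start C:\\Users\\bob\\AppData\\Local\\Temp\\abc.exe"'),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe",
     "wmic os get caption"),
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd /c start C:\\Users\\bob\\AppData\\Local\\Temp\\abc.exe'),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe",
     'wmic process call create "notepad.exe"'),
]

# 'process call create' with any spacing, case-insensitive
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
# An .exe under %Temp%, the per-user AppData Temp, or C:\Windows\Temp
TEMP_EXE = re.compile(
    r"(?:%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\)[^\"\s]*\.exe",
    re.IGNORECASE,
)


def is_gandcrab_style_relaunch(image, cmdline):
    """True when wmic.exe is used to create a process from a Temp-folder .exe."""
    if not image.lower().endswith("\\wbem\\wmic.exe"):
        return False
    return bool(WMIC_CREATE.search(cmdline)) and bool(TEMP_EXE.search(cmdline))


def find_suspicious(events):
    """Return the command lines of all events matching the relaunch pattern."""
    return [cmd for image, cmd in events if is_gandcrab_style_relaunch(image, cmd)]


if __name__ == "__main__":
    for cmd in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```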

Be advised: there is NO decryptor currently available for GandCrab.  Follow the standard security protocols to keep your data and systems safe.

  1. Use antimalware security software that incorporates behavioral detections to combat ransomware like Malwarebytes or Emsisoft Antimalware
  2. Scan attachments with tools like VirusTotal.
  3. Have all current updates installed, especially for Java, Adobe and Windows

Per Bleeping Computer https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/


Happy New Year 2018 – Let the Dumpster Fires Begin

Just three days into 2018, two massive security warnings were issued for Meltdown and Spectre. About those names – for an industry that claims to hate FUD, we need to work on this. But all kidding aside, these are perhaps the biggest inherent vulnerabilities to be brought to light that I am aware of. For good reason. When almost every device we use in our online and connected lives contains the problem at hand, it’s a top-tier event. Rather than jump on the “sky is falling” bandwagon, I chose to wait things out and read all that I could. There are far more experienced and knowledgeable people who have been weighing in on this from the start, and I will share links to their excellent insights and explanations. Also, as the dust settles we can see things more clearly, which is very relevant when dealing with a situation as massive and impactful as this. More details become available; facts are verified; information about what to do is tested and shared. Worth waiting for, given that there was no immediate fix and panic is never a solution.

Here is the simplest breakdown of what both are by Daniel Miessler.  What everyone is worried about is that both of these enable attackers to access information and processes that we had all thought were inherently secured, like privacy keys we use to protect our data. Daniel lays it all out here:

Both Meltdown and Spectre allow low-privilege users who execute code on your system to read sensitive information from memory via Speculative Execution.  The basic concept for these two attacks is that you should consider secrets to be attackable any place you’re allowing someone else’s code to run on an affected system.

In Meltdown that means “any secret a computer is protecting (even in the kernel) is available to any user able to execute code on the system.” (Miessler) Spectre is worse in that it “works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space.” (Miessler)    

What I have been listening for is how this may impact cloud computing, which we only think we understand, and which we need to remember is just somebody else’s server. Jerry Bell has written a piece on his blog, “Thoughts on Cloud Computing in the Wake of Meltdown”. He happens to be one of my go-to sources as part of the Dynamic Duo on the Defensive Security Podcast. First, the good news. As managed service providers running largely out of datacenters, these operations will likely have been told to patch ahead of most, and will have done so in the best interests of running their business. As well, since datacenters are large organizations managing many clients, they will be using automation to help the patching process. And patching is complicated, especially when it comes to these critical issues.

And that brings us to the not so good news. Patching virtual machines isn’t always straightforward or successful.


As Jerry presents:

Meltdown provided an apparent possibility for a guest in one virtual machine to read the memory of a different virtual machine running on the same physical server.  This is a threat that doesn’t exist on private servers, or is much less concerning for private cloud.  This vulnerability existed for many years

And then there are performance issues. Interestingly, as Jerry points out, not as hard to mitigate on cloud as they would be for physical servers.

One of the big downsides to cloud, therefore, seems to be the risk of a sudden change in the operating environment that results in higher cloud service costs. As problematic as that might be, firing an API to increase the execution cap or add CPUs to a cloud server is logistically much simpler than private physical servers experiencing the same performance hit and needing to be replaced, which requires the arduous process of obtaining approval for a new server, placing the order, waiting, racking, cabling, set up, and so on.

Based on this, and what has been occurring across 2016 and 2017, I predict we will see more of these events where something we did in the past comes back to “haunt” us, from a time when we did not have any idea of how technology would develop. We are now uncovering what lies beneath the surface of frameworks we rely on that others laid down before us. Simon Segars is CEO of ARM Holdings, which designs mobile chips. He warned at CES 2018 in Vegas last week that we need to expect more of these discoveries. He states one of my chief concerns here:

“The reality is there are probably other things out there like it that have been deemed safe for years... Somebody whose mind is sufficiently warped toward thinking about security threats may find other ways to exploit systems which had otherwise been considered completely safe.”

We don’t know what we don’t know unfortunately in this case, so we need to be prepared for similar discoveries. More importantly, we need to be ready to assess, then share the information in a controlled and constructive fashion while we mobilize immediate and long term responses to the event. My watchword now is “prudence”, both in terms of patching, and then in terms of vigilance as we watch over all our systems with new eyes and insights. Haste makes waste. Because as time has borne out, and is once again, patches can go sideways very badly. Whether you brick a device or you brick an enterprise, both outcomes are severe.

UPDATE ON PATCHES

Per Steve Ragan’s piece in CSO Online, Microsoft has suspended Windows security updates related to this issue on systems with older AMD CPUs, after a documentation mix-up left those systems unable to boot once the patches were applied.

In order to “prevent AMD customers from getting into an unbootable state,” Microsoft has temporarily paused sending the following Windows updates to devices with impacted AMD processors:

  • January 3, 2018—KB4056897 (Security-only update)
  • January 9, 2018—KB4056894 (Monthly Rollup)
  • January 3, 2018—KB4056888 (OS Build 10586.1356)
  • January 3, 2018—KB4056892 (OS Build 16299.192)
  • January 3, 2018—KB4056891 (OS Build 15063.850)
  • January 3, 2018—KB4056890 (OS Build 14393.2007)
  • January 3, 2018—KB4056898 (Security-only update)
  • January 3, 2018—KB4056893 (OS Build 10240.17735)
  • January 9, 2018—KB4056895 (Monthly Rollup)


There are some excellent writeups out there. Here are some suggestions:

https://www.csoonline.com/article/3245770/security/spectre-and-meltdown-what-you-need-to-know-going-forward.html

https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/

https://www.renditioninfosec.com/2018/01/meltdown-and-spectre-vulnerability-slides/

https://infosec.engineering/thoughts-on-cloud-computing-in-the-wake-of-meltdown/

Quickhits: Friday Dec 29 2017

2018 is wrapping up. Here are a couple things to watch over.

Bitcoin mining: Coinhive malware has been found on the Movistar website; Movistar is a major telecom unit owned by Telefónica in Spain. Cryptojackers are using Google Tag Manager to mine the cryptocurrency Monero on hijacked machines. Tag Manager enables marketers, or anyone who has a website, to create tags that inject JavaScript snippets dynamically. Since the script isn’t hard-coded in source files on the web server, it doesn’t get detected, and affected users do not know these tags are serving up malware. But good news: most ad blockers and many AV tools can identify and shut down Coinhive code.

http://www.zdnet.com/article/opera-just-added-a-bitcoin-mining-blocker-to-its-browser/

https://www.theregister.co.uk/2017/11/22/cryptojackers_google_tag_manager_coin_hive/

Ransomware Updates: Tastylock Cryptomix has been discovered by Michael Gillespie. It appends “.tastylock” as an extension to encrypted files and changes contact emails used by the ransomware.

Recommendations to protect your files: current, offline backups; malware detection software that looks for behavioural changes over signature detection; scan attachments before you open them using tools like VirusTotal.

Per Lawrence Abrams

https://www.bleepingcomputer.com/news/security/tastylock-cryptomix-ransomware-variant-released/

Quickhits: Thursday Dec 21 2017

Emotet Malware Sightings: Emotet originated as a banking trojan, and has continued to evolve into more pernicious malware. It goes after banking credentials and sensitive information. Remember, data is the new gold. Typically, the malware is conveyed via a malicious macro hidden in attachments that are very well disguised as legitimate business communications like invoices. Once Emotet is downloaded, it gets activated, goes looking for the data to harvest, and then exfiltrates that back to the command and control servers. This follows each step in the Cyber Kill Chain: Recon, Weaponize, Deliver, Exploit, Install, Command and Control, followed by Actions, meaning the attacker’s true intent. In this case, that can involve the sale of information and the continued spread of Emotet across systems to harvest more.


https://www.cylance.com/en_us/blog/threat-spotlight-emotet-infostealer-malware.html

GoAhead Remote Exploit: This is a biggie. CVE-2017-17562: Remote LD_PRELOAD exploitation of the GoAhead web server. Remote exploitation of anything isn’t good, but as it happens GoAhead runs a hell of a lot of things: printers, network gear, CCTV cameras, and gear hosted by telecom users. I took a look on Shodan to see how many exposed instances there are and found over 400K.


Per their website:

GoAhead is the world’s most popular, tiny embedded web server. It is compact, secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices.


Welcome to our security nightmare of convenience without proper configuration. This isn’t something new, however; it’s been around a while. And there is a patch, described here: https://www.elttam.com.au/blog/goahead/

Botnets and Bitcoins: Bitcoin mining has become an issue, given the rapid rise in value of this volatile commodity. Because it takes so much energy to produce this intangible product, miners resort to harnessing other people’s equipment: through sketchy downloads from outside the Apple App Store or Google Play, via keyloggers delivered by malware, and via botnets. At the moment, organized cybercrime is going after database services using a new botnet in the “Hex-Men” attacks. These are based out of China, and the reach is global. Why you should care: according to GuardiCore researcher Daniel Goldberg, these boxes are sensitive production web servers, running MS SQL, ElasticSearch etc. Daniel has co-authored a report for GuardiCore on this with Ofri Ziv, who warns:

“The fact that they are targeting databases is pretty amazing to me and it’s something that people need to really, really pay more attention to.”

https://www.darkreading.com/attacks-breaches/new-database-botnet-leveraged-for-bitcoin-mining/d/d-id/1330674

https://www.guardicore.com/2017/12/beware-the-hex-men/

Quickhits: Tuesday Dec. 19 2018

Lexmark Printers: Well, this can’t be good. Apparently there are over a thousand Lexmark printers ready for the taking, due to misconfiguration. They are sitting open and accessible on the public internet. Researchers from Newsky Security reported finding these printers in businesses, universities and government offices. These printers have no passwords, which makes them easy pickings for a variety of attacks. A remote attacker can

“view the printer’s firmware version, ink levels, and network configuration that allows them to enable proxies, change administrator passwords, modify sound volume, contact information, device status, time, and date, create a self-signed certificate and private key and even upload documents and send jobs to the printer.”

Android Malware: We know Android is the choice of attackers everywhere. Recommendations to purchase apps solely through the Google Play Store don’t guarantee safety, but at least they lower the odds of infection. Now there’s a new trojan in town. Loapi hides behind adult content sites or antivirus solutions. The trojan forces users into a loop seeking device administrator privileges. It’s also equipped to defend itself against removal and blocks attempts to uninstall it. According to Kaspersky, the malware creators

“have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time.”

Quickhits: Monday Dec 18 2018

New attack on Apache Struts: We’ve seen patches issued in March, May and again this fall for exploits against vulnerabilities in this widespread open source web development framework used to build Java web applications. In this report by F5 Labs, a sophisticated new campaign, “Zealot”, is leveraging the Shadow Brokers exploits EternalBlue and EternalSynergy. Zealot is described as a “highly obfuscated and multi-staged attack”, in keeping with these exploits, and utilizes PowerShell in Windows attacks and Python in Linux attacks. Zealot mines the cryptocurrency Monero, popular amongst cybercriminals.

Potential for Uptick in Iranian-based attacks: The nuclear deal between Iran and the US seems tenuous at best. There is growing concern that should Trump end things, there will be a corresponding response from Iranian-based hackers. Iranian attacks are state-sponsored, so these won’t be cybercrime cash-grabs, but targeted espionage or, worse, damaging attacks against infrastructure, like Shamoon wiperware. And since the attackers do their recon well in advance of the big event, I’d be watching IP addresses and any data exfil carefully.

Banking Trojan Emotet: There is an increase in banking trojan activity. Malware hunters are sharing reports on new activity for Emotet, which made a resurgence in July this year. A dedicated group of researchers has been steadily updating and sharing their findings on Pastebin here.

VirusBulletin and Critical Flaws: VirusBulletin is a very widely used forum for security analysts to test and share malware or suspect findings. Two researchers claim there are critical flaws that have yet to be remediated, and that VirusBulletin has been advised.