A take on the security news, week 34 2015

Mon 17 August 2015

I summarize some of the information security news that I considered noteworthy this week: SSL malvertising, Kaspersky gate, an SMB relay attack on Windows 10, Android vulnerabilities, OwnCloud analyzed and a couple of new DDoS reflector vectors.

Monday

SSL Malvertising Campaign

A large malvertising campaign that has been going on for a while is now moving from Yahoo to AOL. This post from Malwarebytes tracks the recent changes, and it seems that a lot of the malware is hosted on new addresses inside the Microsoft Azure cloud. The malvertising is served through high-traffic sites like weather.com, drudgereport.com and more, and is loaded via AdSpirit.de. The particular exploit kit in use is known for dropping ransomware.

This is probably the best reason to use AdBlocking software nowadays.

https://blog.malwarebytes.org/malvertising-2/2015/08/ssl-malvertising-campaign-continues/

Kaspersky gate

Kaspersky has been accused of planting false positives on VirusTotal.

Kaspersky engineers manipulated harmless Windows system files so they looked like they contained malware, and uploaded the files to VirusTotal. Due to the amount of automation in the use of VirusTotal, there was a big chance that the false positives would end up in competitors' AV products, giving those products a bad reputation for false positives.

The accusation was made by two former Kaspersky employees, and Kaspersky denies the whole story. The news story also includes some insight into how the AV vendors use VirusTotal, and other intrigues from the AV business.

http://www.theregister.co.uk/2015/08/14/kasperskygate/

Tuesday

New release of Kansa, a PowerShell DFIR tool

Kansa is a modular incident response framework in PowerShell. The tool lets you run user-contributed modules across multiple hosts to collect data that you can use for incident response, for hunting breaches or for creating your own baseline.

For Linux users, Mozilla InvestiGator is a similar tool.

https://github.com/davehull/Kansa

http://mig.mozilla.org

Hacking cars with OnStar to locate, unlock and remote start vehicles

From the excerpt:

OwnStar is a device that can locate, unlock and remote start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers. It can also unlock (and more) BMW Remote, Mercedes-Benz mbrace, Chrysler Uconnect, and Viper SmartStart.

Hacking automotive systems seems like a new trend. In this particular case it is the app that is vulnerable, so you can stop using the app, or make sure that you only use it on trusted WiFi networks.

https://www.youtube.com/watch?v=3olXUbS-prU&feature=youtu.be

Portmapper as DDoS reflector

In the list of not-commonly-used services that can be used for reflection attacks, portmapper is the new kid on the block. Level3 reports that they have seen a rise in traffic indicating a new attack vector, portmapper.

The story covers a brief introduction to DDoS attacks, portmapper, traffic statistics and some recommendations.

Disable portmapper along with NFS, NIS and all other RPC services if you can. If you need any of the services, configure your firewall to block connections from the Internet.

http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/

Wednesday

Microsoft releases patch-now fix for Internet Explorer

A vulnerability in IE allows for drive-by remote code execution attacks on Internet Explorer. Exploits have already been seen in the wild, so this fix is a patch-now. Even if you don't use IE to browse the web, you should patch, because the vulnerable libraries are used by other software packages too, which can therefore also be vulnerable.

If you have the Enhanced Mitigation Experience Toolkit (EMET), it can help prevent attacks on IE, provided it is configured to work with IE.

https://technet.microsoft.com/library/security/MS15-093

Another vulnerability found in Android mediacenter

A flaw in the Android mediacenter component can lead to remote code execution. Google has published code to fix the vulnerability in the open source Android code, but you probably need to wait for your carrier or device manufacturer to push an update for your device.

Android versions 2.3 to 5.1.1 are affected.

http://blog.trendmicro.com/trendlabs-security-intelligence/mediaserver-takes-another-hit-with-latest-android-vulnerability/

BitTorrent as DDoS reflector

Continuing the series of DDoS reflection attacks, researchers have found vulnerabilities in BitTorrent that can be used to amplify attacks by a ratio of 50 (BitTorrent) to 120 (BitTorrent Sync). The paper shows how to use BitTorrent protocols (Micro Transport Protocol (uTP), Distributed Hash Table (DHT), Message Stream Encryption (MSE)) and BitTorrent Sync (BTSync) to reflect and amplify traffic from peers.

https://www.usenix.org/conference/woot15/workshop-program/presentation/p2p-file-sharing-hell-exploiting-bittorrent

Thursday

Outsourcing your critical infrastructure

Pentesters see a trend of more DNS servers being outsourced to the cloud. Cloud-based solutions can be a good thing when it comes to reliability and scalability (DNS servers are often subject to DDoS attacks), but there are also some security concerns when outsourcing your critical infrastructure.

Can you trust your cloud provider, and that they don't get breached?

If you outsource your DNS you should monitor and check your DNS zones often. Watch for additions and changes to your authoritative DNS zones.

https://isc.sans.edu/forums/diary/Outsourcing+critical+infrastructure+such+as+DNS/20057/
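
One way to watch an outsourced zone for additions and changes, as an added example that is not part of the linked diary: compare a trusted baseline snapshot of the zone against the current one and report every record set that differs. It assumes one fully qualified record per line (as in zone transfer output); the zone, names and addresses are constructed sample data.

```python
# Added example: diff two snapshots of an authoritative zone.
# The zone, names and addresses below are constructed sample data.
from collections import defaultdict

BASELINE = """\
example.org.      3600 IN SOA ns1.example.org. hostmaster.example.org. 2015081701 7200 900 1209600 3600
example.org.      3600 IN NS  ns1.example.org.
example.org.      3600 IN NS  ns2.example.org.
example.org.      3600 IN MX  10 mail.example.org.
www.example.org.  300  IN A   192.0.2.10
mail.example.org. 300  IN A   192.0.2.25
"""

CURRENT = """\
example.org.      3600 IN SOA ns1.example.org. hostmaster.example.org. 2015082101 7200 900 1209600 3600
example.org.      3600 IN NS  ns1.example.org.
example.org.      3600 IN NS  ns3.example.net.
example.org.      3600 IN MX  10 mail.example.org.
www.example.org.  300  IN A   203.0.113.66
mail.example.org. 300  IN A   192.0.2.25
vpn.example.org.  300  IN A   198.51.100.7
"""

def parse_zone(text):
    """Map (owner, type) -> set of rdata for 'name ttl class type rdata' lines."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype.upper() == "SOA":
            continue  # the serial changes on every legitimate edit
        rrsets[(name.lower(), rtype.upper())].add(" ".join(rdata.split()))
    return dict(rrsets)

def diff_zones(old, new):
    """Return (kind, owner, type, before, after) for every RRset that differs."""
    findings = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key, set()), new.get(key, set())
        if before == after:
            continue
        kind = "added" if not before else "removed" if not after else "changed"
        findings.append((kind, key[0], key[1], sorted(before), sorted(after)))
    return findings

if __name__ == "__main__":
    for kind, owner, rtype, before, after in diff_zones(parse_zone(BASELINE), parse_zone(CURRENT)):
        print(f"{kind:8} {owner} {rtype}: {before} -> {after}")
```

Changes to NS and MX record sets deserve the closest look, since they redirect delegation and mail for the whole zone.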

Operation and security of OwnCloud

The "Federal Office for Information Security Germany" published a paper about the "Operation and security of Owncloud". An English version is available at the link below if you are interested.

If you are planning to use OwnCloud in your organisation it might be worth reading the paper.

https://www.thierfreund.de/operations-and-security-of-owncloud/

CrackMapExec, a tool for pentesting Windows / AD environments

If you are a Windows admin, check out this tool that allows you to enumerate logged-on users, spider SMB shares, execute psexec attacks and auto-inject Mimikatz into memory.

It claims to be a Swiss army knife for pentesting Windows and Active Directory; it's written in Python and it's open source.

https://github.com/byt3bl33d3r/CrackMapExec

Friday

Android Multitasking Flaw

Researchers investigating Android multitasking found design flaws that make Android vulnerable to task hijacking attacks. The researchers have proof-of-concept examples showing UI spoofing, denial-of-service and user monitoring attacks. Google's response at this point is that the flaw is not critical, as it requires the user to install a malicious application on the device.

The paper also discusses some techniques to mitigate the problem.

https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-ren-chuangang.pdf

An old SMB relay attack gets new life

An old SMB attack (dating back to 2001) that was previously believed to work only on local networks has been found to also work across the Internet. The problem is traced down to a particular .dll file that is used by Internet Explorer and other applications that can handle URLs (Microsoft Outlook, Windows Media Player, as well as third-party programs).

When a URL is queried by the application, the .dll checks a registry setting related to authentication, but then ignores the setting. This holds true for all supported versions of Windows, including Windows 10, thus making it the first remote attack on Windows 10 and the new Microsoft Edge browser.

Microsoft is aware of the issue. To prevent the attack, block SMB packets on ports 137, 138, 139 and 445 from going out on the Internet. If you need SMB functionality on your local network, allow the ports for internal use only.

http://www.csoonline.com/article/2966120/security/researchers-find-way-to-steal-windows-active-directory-credentials-from-the-internet.html