Information Security News (Nov-29-2016)
--Malware attacking Facebook, LinkedIn users via malicious images--(Nov-28-2016)
Attackers are infecting social media users with malware by embedding malicious code into image and graphic files and uploading them onto major websites and social networks including Facebook and LinkedIn.
Researchers at Check Point Software Technologies discovered the attack vector – dubbed ImageGate – which exploits a “misconfiguration on the social media infrastructure to deliberately force... victims to download the image file,” according to a company blog post last week. Clicking on the downloaded file results in the actual infection.
“Check Point's research team uncovered a few methods that could be used by this new attack vector. Our primary finding is embedding an .HTA format into an image file (could be a JPEG too), which is relevant to all browsers,” explained Oded Vanunu, head of products vulnerability research at Check Point, in an email to SC Media. “It can also be executed with a .SVG file that is embedded into Java Script. This method is limited to Internet Explorer.” Based on a YouTube demo posted by Check Point, it appears as if in at least some instances, the malicious images appear in a potential victim's Facebook's chat box.
Also in its blog post, Check Point suggests that members of the security industry have recently been on high alert over the rapid spread of Locky ransomware via social media, and postulated that ImageGate may be the conduit through which attackers are executing this campaign. In that regard, Check Point's report shares certain commonalities with other research, disclosed independently last week, which warned of a Facebook spam campaign that features instant messages containing .SVG images designed to trick recipients into installing a Trojan that in some cases may have downloaded Locky. Vanunu confirmed to SC Media that the two campaigns are not related.
Just as Facebook denied that Locky was being spread through the spam campaign, the company also disputed Check Point's findings. "This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook…” said a Facebook spokesperson in a statement emailed to SC Media.
LinkedIn also addressed ImageGate via a company spokesperson: "We investigated this report and believe this method is not especially effective,” read a statement emailed to SC Media. “While we have not found any exploitation of our platform using this vulnerability, we are taking additional steps to ensure our members are protected."
According to Check Point, both Facebook and LinkedIn were alerted to ImageGate prior to the vulnerability's public disclosure, and the company is waiting for impacted websites to patch the flaws in their respective infrastructures before further reporting any specific technical details on the open attack vector.
To avoid infection, Check Point recommended that social media users avoid opening files that are downloaded as a result of clicking on an image, or that contain unusual file extensions such as .SVG, .SJ or .HTA.
--Apple silently uploads iPhone call logs to iCloud Drive--(Nov-18-2016)
Researcher at the Russia proactive software firm Elcomsoft found that iPhones silently upload call logs to iCloud.
Apple automatically uploads iPhone call logs to Apple's remote servers where the data may be stored on Apple servers for months with no option for the end user entirely disable the feature on their device, according to a Nov. 17 press release.
The feature is available on all devices running on iOS 9.x and 10.x and there is no official way to disable to feature other than to disable the iCloud Drive functionality. Elcomsoft researched that disabling the feature would greatly affect the usability of the device since Apple delivers a number of features via iCloud Drive.
An individual's communication history can reveal a lot about a user life including sexual preferences, medical issues, infidelities, illegal activities, business dealings, and more, Tripwire Cybersecurity Researcher Craig Young told SC Media.
“Unlike the encryption employed on an iPhone's local memory storage, data stored within iCloud is encrypted in such a way that it can be retrieved with the assistance of Apple or through the use of an authentication token such as what might be stored on the device owner's computer,” Young said via emailed comments. “A compromise of Apple's servers could therefore expose the data from a large number of users thereby enabling social engineering attacks as well as extortion schemes.”
He went on to say Apple has stated that a third party would need to know a person's username and password to extract this information but this is not entirely correct for a variety of reasons.
“Apple should have a granular set of options allowing users to have complete control over what data is sent off of their device,” he said. “While it is entirely likely that many consumers may prefer to have this data backed up, it is important that they are able to make an informed decision about how and where their data is stored.”
Young said users concerned that their information can be remotely accessed should strongly consider disabling the iCloud Drive feature.
--Google issues latest fixes for Chrome desktop version--(Nov-11-2016)
Google on Wednesday has updated its Chrome browser desktop version to fix three vulnerabilities discovered by external researchers, including two high-severity flaws.
This newest stable-channel release – version 54.0.2840.99 for Windows, 54.0.2840.98 for Mac and 54.0.2840.100 for Linux – will roll out over the coming days and weeks, the company announced on its Chrome Releases blog.
--DDoS attack Friday hits Twitter, Reddit, Spotify and others--(Oct-21-2016)
The East Coast was under siege on Friday morning from a large-scale distributed denial of service (DDoS) attack that brought down more than a dozen prominent websites, including Twitter, Spotify, Netflix, GitHub, Amazon and Reddit. The initial attack was followed later in the day by at least two more waves of attack.
The attack against Dyn DNS shuttered a number of widely used sites. Most have returned to normal as of noon EST, although Amazon said it was weakened by a "hostname" issue. It wasn't clear whether that glitch was related to the DDoS attack that hit Dyn, a Manchester, N.H.-based internet performance management company that also offers domain registration services and email products.
The global denial-of-service attack on Dyn's “Managed DNS” infrastructure was so impactful because it went after the basic internet architecture that ties all those sites together – the domain name system, or DNS, which redirects internet users from simple web addresses, such as amazon.com, to the companies' actual web servers.
"Because DNS is vital to every person, business and website across the entire internet for system stability and performance, online businesses commonly outsource DNS management to third-party providers who have better and more reliable infrastructures to operate on behalf of their customers," Jeremiah Grossman, chief of security strategy at SentinelOne, told SCMagazine.com on Friday.
Historically, he said, this has worked to everyone's benefit. "However, what we're now seeing is that in light of the way the infrastructure works in the security landscape, they are attractive targets for large-scale DDoS attacks – because if you take out one of these DNS service providers, you can disrupt a large number of popular online services, which is exactly what we're seeing today."
Given the drastic increase lately in the size and scope of DDOS attacks, Grossman said that DNS providers are scrambling to increase bandwidth capacity to withstand the latest attacks. That's why we have these providers, he said. They do it so that the rest of us that use them don't have to incur the cost of doing so.
“This is a reminder of how effective an attack on one can be an effective attack on many," Intel Security CTO Steve Grobman, told SCMagazine.com on Friday. "DNS is one of those internet infrastructure capabilities upon which we all rely. An attacker seeking to disrupt services to multiple websites may be successful simply by hitting one service provider such as this, a DNS provider, or providers of multiple other internet infrastructure mechanisms."
It's also a reminder of the risk of relying on multi-tenant service providers, be they DNS or a variety of many other managed cloud service providers, Grobman added.
"Delegating service capabilities to such multi-tenant service providers has tremendous benefits over traditional architectures where you're responsible for running your own capabilities," Grobman said. "But it also means that if those services are targeted with attacks of significant scale, all tenant services relying on a provider could be impacted."
Given how much of our connected world must increasingly rely upon such cloud service providers, we should expect more such disruptions, Grobman said. "We must place a premium on service providers that can present backup, failover and enhance security capabilities allowing them to sustain and deflect such attacks."
"As these types of attacks continue to grow in size, frequency and complexity, we must ask ourselves, how can companies prepare for attacks of this astounding new scope and size?,” Steve McGregory, senior director of application and threat intelligence at Ixia, told SCMagazine.com on Friday. One solution he offered was that companies must test to prevent these attacks. "The size of these DDoS attacks have increased by exponential amounts due to the availability of IoT botnets, which are easily used to attack security cameras, routers, and other connected devices."
The availability of these services and large-scale botnets-for-hire makes it relatively easy to launch an attack that can even disrupt the operations of large, robust public websites that are designed to handle high traffic volumes, McGregory said.
“Organizations can mitigate the impact of these attacks by reducing their attack surface – blocking web traffic from the large numbers of IP addresses that are known to be bot-infected, or are known sources of malware and DoS attacks," he stated. "Using an appliance specifically for line-speed IP address filtering can deliver this protection by simply eliminating the malicious traffic, helping to keep resources running.”
DDoS is not a new form of attack in and of itself, but methods and strategies around DDoS continue to evolve in the form of larger and more orchestrated attacks, Paul Calatayud, CTO of FireMon, told SCMagazine.com. "Often, the measure of the level of sophistication of a DDoS attack comes in the form of measured throughput. The attack details are not known in this particular attack, but recent attacks against [security researcher Brian] Krebs are reported to be upwards of 620 Gbps. That is a tremendous amount of data coming at a target at once."
What causes Calatayud to pause and reflect most in regard to this breaking news is that Dyn DNS is a DNS SaaS provider whose core job is to host and manage DNS services for its clients. "The impact and harm has a ripple effect attributed to the various clients Dyn services. As attackers evaluate their targets, and organizations run to the proverbial cloud for various reasons, it introduces interesting targets for the bad guys."
So, what can be done? First, evaluating dependency on cloud providers remains a risk you cannot outsource, said Calatayud. "Begin to plan for situations where cyberattacks against you may never be directed at you, but rather organizations you come to rely upon."
In the case of this attack and DNS, having a secondary DNS service operating at the same time may have mitigated the impact to organizations even when a primary provider goes down, Calatayud said. "Cloud governance becomes an element of a CISO security program.”
Will Gragido, director of advanced threat protection at Digital Guardian, agreed that DDoS attacks have become increasingly problematic over the last several years, particularly owing to the rise of botnets. "Organizations all over the world fall prey to them as do individuals," he told SCMagazine.com on Friday. "In many instances, the underlying attack infrastructure is tied directly to botnets, a type of malicious code and content ecosystem family which the threat research and mitigation community has been attempting to mitigate globally for more than a decade."
Further, with the advent of the internet of things, Gragido said the potential for a botmaster to expand their botnet's size is now greater than ever before. "Increased size and diversity aids in not only allowing the botmaster to remain in business but also ensures that they are able to carry out their desired outcome when those resources are called upon to do so."
Organizations, he added, need to consider mitigative solutions (services or point products) designed to provide protection against complex, volumetric DDoS attacks on a global basis in order to withstand such attacks.
While this particular attack may not have been motivated by extortion, a new model of ransom-based attacks – infrastructure ransom as a service (IRaaS) – could be on the horizon, motivated to pay off threats for fear of infrastructure-wide customer outages, Thomas Pore, director of IT at Plixer, told SCMagazine.com.
"An infrastructure outage, such as DNS, against a service provider impacting both the provider and customers may prompt a quick ransom payoff to avoid unwanted customer attrition or larger financial impact," Pore said.
Should a provider come under attack, customers suffering from the extortion impact may start looking to move their services to another provider capable of mitigating the attacks, Pore said. "This prediction model could suggest a greater financial impact from customer attrition than paying off a few bitcoin to avoid the attack to begin with."
Then what happens if these extortion attempts begin to arrive regularly? This may emerge into a new business model, with a consistent revenue stream, Pore said.
“Despite decades of facing outages due to malformed traffic and data flooding, websites remain highly vulnerable to legacy attack vectors," Mike Ahmadi, global director – critical systems security at Synopsys, told SCMagazine on Friday. "Website providers need to constantly test their implementations with rigor in order to ensure that they can remain viable in an increasingly hostile environment."
The avalanche of IoT devices has created an environment where software and implementation flaws can be exploited at previously unseen levels, effectively turning them into widely distributed information weapons, Ahmadi said, adding that what may have been adequate robustness in the past no longer holds true.
As with most software designs from the 1980s, security was generally not considered when creating DNS, Craig Young, security researcher at Tripwire, told SCMagazine.com. Rather, the infrastructure was originally designed for early networks like ARPANET to allow human-friendly names in place of traditional network addresses, Young pointed out. "Because the web is so dependent on this system, it becomes a very visible point of failure as is the case today with service provider Dyn. Without DNS, there is essentially no internet from the perspective of all but the most sophisticated users."
Young hopes that service providers will take this as a cue that they need to distribute their DNS across multiple providers to avoid this as a single point of failure.
“They're innovating," Chase Cunningham, director of cyber operations at A10 Networks, told SCMagazine.com on Friday. "This is a new spin on an old attack, as the bad guys are finding new and innovative ways to cause further discontent."
It was an interesting point to see that the bad guys are moving upstream for DDoS attacks on the DNS providers, instead of just on sites or applications, Cunningham said.
“Threat actors are leveraging unsecure IoT devices to launch some of history's largest DDoS attacks,” said Cunningham. “The immediate solution is for manufacturers to eliminate the use of default or easy passwords to access and manage smart or connected devices."
Consumer adoption will be tricky, he admitted, but this change is critical for the greater security of all. "This response will hinder many of the global botnets that are created and deployed for malicious use.”
One thing is certain, Plixer's Pore added, DDoS attacks are not going away anytime soon.
--Mirai botnets linked to massive DDoS attacks on Dyn DNS, Flashpoint says--(Oct-21-2016)
Mirai botnets like the ones recently used in distributed denial of service (DDoS) attacks on a French internet service provider and a well-known security researcher were at least partly responsible for the waves of DDoS attacks against Dyn DNS that took down Twitter, Spotify, Netflix, GitHub, Amazon and Reddit and other websites Friday, according to a Flashpoint blog post.
Mirai does its dirty work on Internet of Things (IoT) devices and “Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks,” the post said.
Flashpoint noted that while “Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and [French Internet provider] OVH.”
After “Anna_Senpai,” the hacker behind the Mirai botnet used to attack Krebs, released the malware's source code online, “copycat hackers have used the malware to created botnets of their own in order to launch DDoS attacks,” making it difficult to draw a relationship between Friday's DDoS attacks, which were still ongoing well into the evening, and previous attacks where Mirai botnets were used.
Chris Sullivan, general manager of Intelligence/Analytics at Core Security Inc., said “the really frightening part” of the Friday attacks, which he called a “new breed of very high volume DDoS,” is not that organizations “will be struggling with these new attacks for some time, but that the underlying weakness which makes them successful can and will be used to unleash more serious attacks that steal credit cards and weapons designs, manipulate processes like the SWIFT global funds transfers, and even destroy physical things the 30,000 PCs at Saudi Aramco.”
Current defenses don't cut it against attacks that exploit the security shortcomings of devices like baby monitors and thermostats. “IoT devices don't have the memory and processing to be secured properly, so they are easily compromised by adversaries and it's very difficult to detect when that happens,” Sullivan said in comments emailed to SCMagazine.com.
Justin Fier, director of cyber intelligence and analysis at Darktrace, said that while IoT makes life easier “it's also putting us at risk—as it's become painfully apparent how easy it is to hack them.” In comments emailed to SCMagazine.com, Fier called for “better visibility into new technology and the environment in which it's becoming entrenched” otherwise, “we'll continue seeing a pool of vulnerable devices that can be harnessed for these malicious botnet attacks.”