This week, Paul reports on malicious Google Chrome extensions affecting 500K users, configuration errors in Intel workstations being labeled a security hole, VMware releasing security updates for Workstation and Fusion, and Oracle staying silent on Meltdown! Jason Wood joins us for the expert commentary on testing detection tools, and more on this episode of Hack Naked News!
- Flaw in Popular Transmission BitTorrent Client Lets Hackers Control Your PC Remotely – A critical vulnerability has been discovered in the widely used Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users’ computers and take control of them. The vulnerability was uncovered by Google’s Project Zero vulnerability reporting team, and one of its researchers, Tavis Ormandy, has also posted a proof-of-concept attack, just 40 days after the initial report. Usually, Google gives the vendor 90 days, but Tavis has not received assurance that a patch will be released, hence the publication of the PoC. A fix is “coming soon”; however, other, unnamed torrent clients are also vulnerable. So, beware!
- Configuration errors in Intel workstations being labeled a security hole – F-Secure has discovered a new vulnerability in Intel’s AMT, and according to the researchers this is pretty bad: “The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures,” said Harry Sintonen, the F-Secure security consultant who found the bug, in a blog post. This is an implementation flaw and requires that motherboard manufacturers change their process to require a BIOS password to access select functionality, and with all the Meltdown and Spectre news, this one will fly under the radar.
- New Mirai Okiru Botnet targets devices running widely-used ARC Processors – The ARC (Argonaut RISC Core) embedded processor is the world’s second-most-popular CPU core and ships in more than 2 billion products every year, including cameras, mobile devices, utility meters, televisions, flash drives, automotive systems and Internet of Things devices. According to reports, this is the first time we’ve seen malware targeting this platform. There is also speculation that we will see a mass DDoS attack using these devices, but that is always the speculation; only time will tell.
- VMware Releases Security Updates for Workstation, Fusion – VMware Workstation and Fusion contain a use-after-free vulnerability in the VMware NAT service when IPv6 mode is enabled. This issue may allow a guest to execute code on the host. Patches are available, and you should apply them.
- Meltdown-Spectre Patches Causing Issues With Industrial Companies – Several industrial-equipment manufacturers have reported problems with the fixes for the recently disclosed Meltdown and Spectre attacks. Rockwell Automation has reported a dozen errors that are appearing in its FactoryTalk-based products after installing Microsoft’s Meltdown and Spectre patches for Windows systems. No different from anyone else, I suppose.
- Oracle Still Silent On Meltdown, But Lists Patches For x86 Servers Among 233 New Fixes – Oracle still has nothing to say about whether the Meltdown or Spectre vulnerabilities are a problem for its hardware. Big Red today offered The Register another “no comment”, making it a notable absentee from Intel’s list of x86 vendors’ advisories on how to handle the twin problems. Thanks, Oracle!
Testing Your Detection Tools
I was doing some reading and ran across a blog post by Jack Crook that really resonated with me. Jack started it off by making the point that at some point during an intrusion an attacker starts working on moving laterally and usually starts using built-in tools of the Windows operating system. His main point was to ask “if the tools you have in place are capable of alerting you as to what may be happening”. This statement really jumped out at me because I’ve been on a number of penetration tests that illustrated this problem.
A lot of our security tools are built around the idea of catching things like port scans, exploit attempts, and malware being copied in and/or run. However, they start to fall down when the attacker starts living off the land. One of my favorite penetration tests I worked on turned into a much more collaborative assessment than I expected. Basically, we were in a room testing, and one person from the security team would pop in and out of the assessment. His role that week was to be the liaison between us and the blue team. The blue team would see something happening, describe it to this individual, and then he would run into our room to confirm that it was us. It didn’t impact our testing much, but during the debrief meeting at the end of the assessment he made the comment that it was really interesting to see where they could watch what we were doing and then see where we disappeared from view. That week it really felt like we had helped this organization improve, and it was awesome!
Let’s jump back to Jack’s blog post. His post goes on to give a number of batch files to run on test machines to test endpoint detection and response tools. If we are deploying these tools, shouldn’t we validate what is being captured and whether it meets our needs? His scripts provide some very safe activity to see whether your tools are capturing and alerting appropriately. You can use this to determine whether you need to adjust the configuration, or to see if they are even capable of detecting the activity. The scripts do things like emulate beaconing for C2, execution of cmd.exe, net commands that attackers use to query the network, and more. None of them do anything damaging or potentially harmful. However, I read through them and thought, “Yup, I’ve done that on a test. And that, and that…” You could also adapt these scripts to help train new analysts on how to detect bad guys. Very useful stuff. I highly recommend checking out Jack’s post and seeing how you can apply this to your own environment.
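The point of running safe test activity is that you then need something to compare the EDR's output against: if the tool stays quiet while a burst of `net` queries or a timer-driven connection pattern plays out on the test box, you have found a gap. The following is an added example, not code from Jack's post or from any EDR product, of two reference detections a blue team could run over exported process-creation and network telemetry to check what their tooling should have caught. The event field names (`ts`, `host`, `type`, `cmdline`, `dst`), the list of reconnaissance command prefixes, the 60-second window and the jitter threshold are all assumptions chosen for the example, and the sample telemetry is constructed, not captured from a real host.

```python
"""Reference detections for the benign EDR test activity described above:
(1) a burst of built-in 'net' reconnaissance commands on one host, and
(2) outbound connections at near-constant intervals, the signature of a
timer-driven C2 beacon. Field names are an assumption for this example and
follow no specific product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def proc(ts, host, cmdline):
    """Build a constructed process-creation event."""
    return {"ts": ts, "host": host, "type": "process", "cmdline": cmdline}


def net(ts, host, dst):
    """Build a constructed outbound network-connection event."""
    return {"ts": ts, "host": host, "type": "network", "dst": dst}


# Constructed sample telemetry (not from any real host or EDR product).
# WS01 plays the test machine; WS02 is ordinary background activity.
SAMPLE_EVENTS = [
    proc("2018-01-15T10:00:00", "WS01", "cmd.exe"),
    proc("2018-01-15T10:00:05", "WS01", "net user /domain"),
    proc("2018-01-15T10:00:09", "WS01", 'net group "Domain Admins" /domain'),
    proc("2018-01-15T10:00:14", "WS01", "net view /domain"),
    net("2018-01-15T10:01:00", "WS01", "203.0.113.10:443"),
    net("2018-01-15T10:02:01", "WS01", "203.0.113.10:443"),
    net("2018-01-15T10:02:59", "WS01", "203.0.113.10:443"),
    net("2018-01-15T10:04:00", "WS01", "203.0.113.10:443"),
    net("2018-01-15T10:05:02", "WS01", "203.0.113.10:443"),
    net("2018-01-15T10:06:00", "WS01", "203.0.113.10:443"),
    proc("2018-01-15T10:00:10", "WS02", "net use Z: \\\\fileserver\\share"),
    proc("2018-01-15T10:07:30", "WS02", "net view"),
    net("2018-01-15T10:00:10", "WS02", "198.51.100.7:443"),
    net("2018-01-15T10:00:12", "WS02", "198.51.100.7:443"),
    net("2018-01-15T10:03:40", "WS02", "198.51.100.7:443"),
    net("2018-01-15T10:03:41", "WS02", "198.51.100.7:443"),
    net("2018-01-15T10:09:00", "WS02", "198.51.100.7:443"),
]

# Assumed set of 'net' sub-commands used to enumerate accounts and hosts.
# 'net use' deliberately does not match 'net user'; mapping drives is routine.
RECON_PREFIXES = ("net user", "net group", "net localgroup", "net view")


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_recon_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return {host: [commands]} for hosts that ran at least `threshold`
    distinct reconnaissance commands inside a single `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "process" and e["cmdline"].lower().startswith(RECON_PREFIXES):
            by_host[e["host"]].append((parse_ts(e["ts"]), e["cmdline"]))
    alerts = {}
    for host, items in by_host.items():
        items.sort()  # chronological; ties broken by command text
        for i, (start, _) in enumerate(items):
            in_window = [cmd for t, cmd in items[i:] if t - start <= window]
            if len(set(in_window)) >= threshold:
                alerts[host] = in_window
                break  # one alert per host is enough for the report
    return alerts


def detect_beacons(events, min_connections=5, max_jitter=0.2):
    """Return {(host, dst): mean_interval_seconds} for connection series whose
    inter-arrival times are nearly constant. jitter = pstdev / mean of the
    gaps; human-driven traffic is bursty and scores far above `max_jitter`."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            by_pair[(e["host"], e["dst"])].append(parse_ts(e["ts"]))
    alerts = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts[pair] = round(avg, 1)
    return alerts


if __name__ == "__main__":
    print("recon bursts:", detect_recon_bursts(SAMPLE_EVENTS))
    print("beacon candidates:", detect_beacons(SAMPLE_EVENTS))
```

Run against the constructed data, the recon detector fires only for WS01 (three distinct `net` queries inside 60 seconds) and the beacon detector flags only WS01's six connections to 203.0.113.10:443, whose gaps of 58 to 62 seconds give a jitter well under the threshold; WS02's drive mapping, single `net view`, and irregular connections stay quiet. Feeding the same two scenarios to the EDR under test and comparing its alerts with these results is the validation step the paragraph above is asking for.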