This week, Paul reports on malicious Google Chrome extensions, Lenovo releases security advisory, critical flaw in all Blizzard games, and Intel halts Spectre/Meltdown patching! Jason Wood joins us for the expert commentary on malware, and more on this episode of Hack Naked News!
- Malicious Chrome extension is next to impossible to manually remove – By creating a re-direct to the internal Chrome extensions page, a malicious extension was able to infect browsers and make it very difficult to remove. In fact, Malwarebytes recommends installing their own tool to remove the malicious extension. I mean, of course, they recommend installing their tool, however, on the flip side, I hear good things about Malwarebytes. Chrome extensions have emerged this year as a potent threat to browser security, as there appear to be a number of ways to infect victims and bypass controls. Time to switch to Firefox? Perhaps; in the meantime, you may want to take a look at Chrome extension use in your environment.
- Lenovo Releases Security Advisory – The US-CERT has released an advisory for vulnerabilities in the firmware of Lenovo networking gear. Lenovo released the following advisory, LEN-16095, titled “Enterprise Networking Operating System (ENOS) Authentication Bypass in Lenovo and IBM RackSwitch and BladeCenter Products”, with the Potential Impact being “An attacker could gain access to the switch management interface, permitting settings changes that could result in exposing traffic passing through the switch, subtle malfunctions in the attached infrastructure, and partial or complete denial of service.” This is the “HP Backdoor”, a type of common flaw we’ve seen in embedded systems where a set of credentials is hard-coded into the firmware, typically for “maintenance” purposes. A very easy flaw to fix, and to make certain does not exist in your systems. Or is it?
- Critical Flaw in All Blizzard Games Could Let Hackers Hijack Millions of PCs – Google’s Project Zero team researcher Tavis Ormandy discovered that the Blizzard Update Agent is vulnerable to a hacking technique called the “DNS Rebinding” attack that allows any website to act as a bridge between the external server and your localhost. So, if you are a fan of World of Warcraft, Overwatch, Diablo III, Hearthstone or Starcraft II, there is a partial patch available, although there appears to still be an attack vector that remains exploitable. Be on the lookout for more updates.
- Triton Exploited Zero-Day Flaw To Target Industrial Systems – The Triton Trojan, which targeted core industrial systems in the Middle East last year, exploited a zero-day flaw in Triconex controllers to carry out its attack. I find it interesting that whoever orchestrated this attack found it important enough to burn a 0day for ICS controller firmware. We frequently discuss patching and configuration mistakes, however if your adversaries have enough at stake, they will burn a 0day, and the big question is how well do you defend against it?
- Voting Box Makers Try To Get Gear Stripped From eBay And Out Of Hackers’ Hands – Speaking at the Shmoocon conference in the US capital last week, Finnish programmer and village organizer Harri Hursti said the team was having trouble getting voting machines to compromise for this year’s hackfest, in part because manufacturers weren’t keen to sell kit that could expose their failings. Despite the hurdles, hackers were able to purchase the equipment, and are asking the question “Why are there not more controls around this?” Which is a legit question.
- Intel Halts Spectre/Meltdown Patching for Broadwell and Haswell Systems – Intel is advising OEMs and partners to halt patching for the Spectre and Meltdown vulnerabilities amid numerous reports the updates are causing reboot issues on systems running the Broadwell and Haswell microprocessors. Yea, this is a hot mess. I’m not even certain what to recommend at this point, patch? Don’t patch? You are screwed either way. Sorry….
- Less than 10% of Gmail Users Employ Two-Factor Authentication – A Google software engineer told attendees of the Usenix Enigma conference in Santa Clara, Calif., this week that under 10% of active Google accounts have enabled two-factor authentication. It is clear, there has to be a better way.
Malware Campaign Goes Old School For Delivery
A security vendor named Forcepoint wrote up a blog post on an email campaign using a variant of the Dridex banking trojan that I thought was interesting. The malware itself seems pretty normal, but the delivery mechanism is what seemed odd. The victim receives an email with a link to download a document. Instead of using HTTP to deliver the doc, the attackers decided to try an older method of delivery: FTP.
Fifteen years ago it wasn’t too odd to see links in web pages referring to FTP sites to download something. Now it is much more unusual, and that applies to malware delivery as well. Typically, malware email campaigns use HTTP(S) links in emails to download the malware itself, be that an EXE, a spreadsheet or document, or whatever. Forcepoint notes that the FTP links in the email messages include the credentials to the FTP server. This comes out looking like fXp://username:password@server/targetfile. The document downloaded then uses Microsoft’s Dynamic Data Exchange (DDE) functionality to pull down an additional payload behind the scenes and execute it on the victim’s system.
Forcepoint stated that the volume of emails associated with this campaign appears to be fairly small. They were able to record about 9,500 emails that follow this pattern of using FTP. When I saw this, my first thought was perhaps this was a test campaign to see how it would do. It makes me picture a couple of bad guys sitting around discussing defenses and one tosses out the idea of using FTP instead. “Hey, maybe the software organizations are using is too used to HTTP. Let’s try something different to see if it works better!”
A related blog post on Threatpost commented that the user has to click on the link in the email and open the attachment. They said this to emphasize the need for user education. I’d like to add that there are at least three points where technical controls could prevent this: the initial email; the point where the user clicks the link and the request goes through proxy systems; and the point where the document is opened on the desktop. That’s three points where different security controls can detect and halt the attack. It’s a great illustration of the need for defense in depth. If you are missing a control at any of these points, then you need to consider how to address that. Tools miss stuff, but by having multiple tools checking things at different points you can increase your chances of stopping it.
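The first two checkpoints above, the mail gateway and the web proxy, can both be covered with the same piece of detection logic: look for FTP URLs that carry credentials in the userinfo part of the URL, which is exactly the pattern Forcepoint described. The Python below is an added example written for these notes; it is not code from Forcepoint, Threatpost or the show. The email body and the Squid-style proxy log line are constructed sample input, and the severity rules (credentials plus an Office document is high, anonymous logins are low) are my own assumption, not anything the write-up specifies.

```python
"""Flag FTP links that embed credentials, in mail bodies or proxy access logs.

Added example, not code from Forcepoint, Threatpost or the podcast. The email
body and proxy log line below are constructed; the log layout is a simplified
Squid-style format assumed for illustration only.
"""
import re
from urllib.parse import urlsplit

# ftp:// URLs, including defanged spellings such as fXp:// or ftp[:]//.
FTP_URL_RE = re.compile(r"\bf[tx]p(?:\[:\]|:)//[^\s<>\"'\]]+", re.IGNORECASE)

# Office-style lures: a document that then abuses DDE to fetch the real payload.
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm")


def extract_ftp_urls(text):
    """Return every FTP-style URL in text, defanging undone and trailing
    sentence punctuation removed so the URL parses cleanly."""
    urls = []
    for match in FTP_URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;:)")
        urls.append(re.sub(r"^f[tx]p(?:\[:\]|:)//", "ftp://", raw, flags=re.IGNORECASE))
    return urls


def classify(url):
    """Return a finding dict if url embeds a username (user@host or
    user:pass@host), otherwise None. Severity is an assumed triage rule:
    high   = real username + password pointing at an Office document
    medium = any other embedded username/password
    low    = anonymous-style logins, which are normal for public FTP mirrors
    """
    parts = urlsplit(url)
    if parts.username is None:
        return None
    is_document = parts.path.lower().endswith(DOCUMENT_EXTENSIONS)
    if parts.username.lower() in ("anonymous", "ftp"):
        severity = "low"
    elif parts.password is not None and is_document:
        severity = "high"
    else:
        severity = "medium"
    return {
        "url": url,
        "host": parts.hostname,
        "username": parts.username,
        "has_password": parts.password is not None,
        "is_document": is_document,
        "severity": severity,
    }


def scan_text(text):
    """Scan any text (an email body, a proxy access log) for credentialed FTP
    links and return the findings in order of appearance."""
    return [f for f in (classify(u) for u in extract_ftp_urls(text)) if f]


# Constructed sample email: one credentialed document link (the Dridex pattern),
# one credentialed non-document link, one anonymous link and one plain link.
SAMPLE_EMAIL = """Hello,
Your invoice is ready: fXp://invoice:Summer2018@203.0.113.7/Invoice_1242.doc
Backup copy: ftp://backup:Pass1@203.0.113.9/archive.zip.
Tools: ftp://anonymous@ftp.example.org/pub/tools.zip
Docs: ftp://ftp.example.org/pub/readme.txt
Regards"""

# Constructed Squid-style access log line (format assumed for illustration).
SAMPLE_PROXY_LOG = (
    "1516900000.123     45 10.0.0.5 TCP_MISS/200 2048 GET "
    "ftp://invoice:Summer2018@203.0.113.7/Invoice_1242.doc - "
    "HIER_DIRECT/203.0.113.7 application/msword"
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_EMAIL) + scan_text(SAMPLE_PROXY_LOG):
        print(f"[{finding['severity']}] {finding['username']}@{finding['host']} "
              f"-> {finding['url']}")
```

The same scan_text function runs over either input, which is the point of the defense-in-depth argument: the mail filter and the proxy see the same indicator at two different moments, so one of them missing it does not mean the link gets through. Credentials in a URL are also worth alerting on in their own right, since legitimate senders almost never embed a password in a link.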