Hack Naked News #155
Recorded January 2, 2018 at G-Unit Studios in Rhode Island!
- Go to itpro.tv/hacknaked and use the code HN30 to try it FREE for 7 days, and receive 30% off your monthly membership for the lifetime of your active subscription. To learn more about ITProTV's team solution, sign up for a free demo of their supervisor portal.
- Also check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at: securityweekly.com/ondemand. Currently On-Demand we have webcasts with: Cybereason, Onapsis, Signal Sciences, and Stealthbits!
- Critical "Same Origin Policy" Bypass Flaw Found in Samsung Android Browser - A critical vulnerability has been discovered in the browser app that comes pre-installed on hundreds of millions of Samsung Android devices. It could allow an attacker to steal data from browser tabs if the user visits an attacker-controlled site. This represents quite a few devices in the wild. I wonder how many will actually get updates?
- 15-Year-Old Apple macOS 0-Day Kernel Flaw Disclosed, Allows Root Access - A privilege escalation vulnerability has been discovered in Apple OS X that, according to public reports, has existed in the codebase for 15 years. To succeed, it requires that the user be logged out or that a reboot be forced. The researcher released the code rather than reporting the flaw to Apple. This is a potentially controversial disclosure; however, it underscores the lack of a public bug bounty program for Apple's OS X operating system.
- Automatic autofill of your username and password? Not a good idea - Researchers at Princeton's Center for Information Technology Policy have uncovered two third-party tracking scripts that can scoop up information provided by your browser's login manager to create a persistent identifier, tracking you as you move between webpages. LastPass or some other third-party password manager is always a better option than what is built into the browser. I believe it's a matter of focus: web browser development teams have a ton on their plate, whereas password managers can focus on protecting your credentials. And two-factor, that helps.
- Security Flaws Found in Sonos Internet Connected Speakers - Sonos has already responded to Trend Micro about the findings and has issued an update for its users. According to Trend Micro, the company also reached out to Bose but has not yet received a response to its findings. The Sonos flaws, in particular, could have enabled an attacker to gain information about Sonos users as well as potentially gain limited control of a device to play songs. This has been around for some time; even just running vulnerability scanners, you can see that Sonos and similar systems are very leaky with information.
- Code Used in Zero Day Huawei Router Attack Made Public - Exploit code used in the Mirai malware variant called Satori, which was used to attack hundreds of thousands of Huawei routers over the past several weeks, is now public. Researchers warn the code will quickly become a commodity and be leveraged in DDoS attacks via botnets such as Reaper or IOTrooper. Given that we've seen similar code posted online for free, and given my previous research, I've come to the conclusion that this is not difficult to write and will be available for the world to see. I don't think this is news so much as a fact about the state of IoT security: it still stinks.
Malware Attribution Difficulties and Code Reuse
Today I thought I would do something a bit more technical in nature. I’ve been learning more about analyzing malware recently, and a blog post by Marco Ramilli caught my attention. In this post, Marco goes through the different stages of a malware attack and notes some interesting changes in the tooling as he does his analysis. First off, he picked up a sample of some malware from one of his email accounts. The malware was a Microsoft Word document with a macro embedded in it. (It still amazes me that macro malware works.) The macro used four rounds of character substitution and UTF-8 encoding to reconstruct the infection command. The resulting PowerShell command pulled down an exe from the internet and then executed it. Stage 1 complete.
The exe is stage 2 of this attack. The binary was a .NET executable, and Marco was able to disassemble it back to source code and analyze that. This gave him a feel for the coding style of the original developer. What I think Marco means by coding style is simply how someone goes about formatting and commenting their code. If you’ve spent any time looking through source code by different developers, I’m sure you know what I mean. He also noticed that the comments were written in Japanese characters. So perhaps we have a Japanese attacker behind this? Well, let’s wait and see what the full results are. The exe also claims to have been written by the Coca-Cola company, an odd attempt at appearing reputable. What the exe primarily does, though, is extract yet another exe from itself and execute that. Stage 2 complete and on to stage 3!
The last exe is stage 3, and it is yet another .NET executable. Marco went through the same drill of disassembling it back to its source code and analyzing that. What he noticed was that the coding style was very different from the exe in stage 2. How the attacker went about writing and implementing the attack was a noticeable departure from the previous sample. The comments were also in English now. So we appear to have a new developer for this file. Overall, the malware attempted to fingerprint the system it infected, look for other computers, and check in with a web-based C2 server.
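To make the stage 2 versus stage 3 style comparison concrete, here is an added example of my own (not code from the show or from Marco's post): it profiles two constructed toy snippets standing in for the decompiled stages by comment script, brace placement and identifier naming, the kind of crude stylometry an analyst might use to ask whether two stages share an author. The snippets, class names and the three features are assumptions for illustration.

```python
import re
import unicodedata

# Constructed toy sources standing in for the decompiled stage 2/3 binaries (not the real samples).
STAGE2_SRC = """// 設定を読み込む
public class Loader
{
    private string targetPath;          // 展開先のパス
    public void Run()
    {
        runPayload(Extract());          // 埋め込みデータを実行する
    }
}
"""
STAGE3_SRC = """// collect host info and phone home
class beacon {
  string host_name;  // fingerprint of the infected box
  void run() {
    post_to_c2(get_fingerprint());  // os, user, domain
  }
}
"""

def script_of(ch):
    """Coarse script bucket for one letter, taken from its Unicode name."""
    name = unicodedata.name(ch, "")
    return ("latin" if name.startswith("LATIN") else
            "cjk" if name.startswith(("HIRAGANA", "KATAKANA", "CJK")) else "other")
def comment_script(src):
    """Dominant script of // comment text (simplified: ignores // inside strings)."""
    buckets = [script_of(c) for c in " ".join(re.findall(r"//(.*)", src)) if c.isalpha()]
    return max(set(buckets), key=buckets.count) if buckets else "none"
def brace_style(src):
    """'allman' when opening braces sit on their own line, else 'knr'."""
    own_line = len(re.findall(r"^\s*\{\s*$", src, re.M))
    end_line = len(re.findall(r"\S.*\{\s*$", src, re.M))
    return "allman" if own_line >= end_line else "knr"
def naming(src):
    """Identifier convention: 'snake' (host_name) vs 'camel' (targetPath)."""
    snake = len(re.findall(r"\b[a-z]+(?:_[a-z]+)+\b", src))
    camel = len(re.findall(r"\b[a-z]+(?:[A-Z][a-z]+)+\b", src))
    return "snake" if snake > camel else "camel"
def profile(src):
    """Style fingerprint of one stage: the three features above."""
    return {"comment_script": comment_script(src),
            "brace_style": brace_style(src), "naming": naming(src)}
def differing_features(a, b):
    """Features on which two sources disagree; several hits hint at different authors."""
    pa, pb = profile(a), profile(b)
    return [k for k in pa if pa[k] != pb[k]]
```

On the two toy stages every feature differs, which is the same signal Marco read from the real samples; on real decompiler output you would add more features (indentation width, string-handling idioms, library choices) before drawing any conclusion.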
What is interesting about this is that attribution would be difficult in this situation. It appears to be a reasonable theory that we have an attacker who has pulled together different executables by different authors and strung them together in a single attack. Or perhaps they have written one of the three stages and then re-used other tools to extend their attack. There’s no clear path (at least from one sample) to figure out what area of the world the attacker may be in. It’s also interesting to see that they are using several different tools that they did not author. It’s no shock that malware authors reuse code in their activities. We do it in development, systems administration and security testing. I’m sure they do it for the same reasons we do: they have limited time and resources, and perhaps just don’t want to make the effort to write a new tool to do what an existing one already does.
If you are interested in malware analysis, then you might be interested in checking out the blog post. You can get the link off the show notes for this episode.