Information security round up
Justin Bellinger analyses the latest threats to our infrastructure and livelihoods and shares fixes and patches for them. In wider news he takes a look at points of interest from hacking conference DefCon 2018.
Microsoft has rolled out some 60 patches in the latest Patch Tuesday release, including two zero-day patches among the 19 critical flaws that were fixed. A further 39 important flaws were also fixed in the cumulative updates. All fixes are covered in updates for all versions of Windows as well as Microsoft Edge, Internet Explorer, Microsoft Office, Visual Studio, .NET Framework, Microsoft SQL Server, Microsoft Exchange Server and Adobe Flash Player.
Apple’s latest releases are iOS 11.4.1 for iPhone, iPad, or iPod touch, while macOS is now on 10.13.6, tvOS is 11.4.1 and watchOS is on 4.3.2. Some 12 security patches were included in iOS 11.4.1, the majority of which addressed flaws in WebKit.
The good news is that USB Restricted Mode made it into iOS 11.4.1, making it much harder for anyone who has misappropriated your device to crack it through the Lightning port. The feature is disabled by default, but you’ll find it in the Touch ID and Passcode section in Settings.
An interesting tip: if you need to enable this mode in a hurry, pressing the power button on your phone five times in quick succession will enable it irrespective of the switch in Settings.
Updates to macOS 10.13.6 also address some 12 security flaws in the operating system. Since the update was released, news has emerged from DefCon 2018 that macOS can be duped, through synthetic mouse clicks, into bypassing security prompts.
Patrick Wardle, chief research officer at Digita Security, discovered the flaw accidentally after pasting two consecutive synthetic “down” clicks into some code and compiling it; High Sierra misinterpreted these synthetic clicks as a legitimate manual click.
New features in macOS 10.14 Mojave, due out later this year, are expected to block all synthetic events completely and so prevent such attacks from occurring at all.
Linux: Red Hat and Ubuntu, among other Linux distributions, have been affected by two bugs known as ‘FragmentSmack’ and ‘SegmentSmack’. Either bug can be used to trigger a denial of service on the device with very small amounts of data, without the volumetric power of a distributed denial of service attack. Keep an eye out for information from your maintainer on mitigations or patches for affected kernel versions.
Oracle has urged users to install a critical patch as soon as possible. Three Oracle Database versions (the exact list is given in Oracle’s advisory) are affected by a remotely executable attack that can result in complete compromise of the Oracle Database and shell access to the underlying server. This patch falls outside the company’s normal quarterly patch release schedule; further details can be found under CVE-2018-3110.
Network and Hardware
Intel is reeling from yet another security flaw discovered in some of its chips, the third this year after Meltdown and Spectre in January. The company has released security updates for a long list of processors going back to 2015.
The new attack, dubbed Foreshadow by researchers, is similar in makeup to Meltdown and Spectre; Intel has named the underlying bugs L1 Terminal Fault (L1TF). Fixes for the bugs should be sought from hardware and software suppliers and applied as soon as possible.
The fixes involve disabling some of the chip’s features, much as speculative operations were disabled to mitigate prior chip flaws. There should be little discernible impact on performance for any task outside extreme data-centre-type loads, but bear in mind that the features were introduced to increase performance in the first place.
Note that every OS instance on cloud and virtual machines needs the patches applied to fully protect the underlying hardware. Intel is expected to release a new range of silicon, free of the flaws discovered over the last few months, a little later in 2018.
Cisco has released three patches preventing denial of service attacks in some of its product range. Two of the patches cover a reload condition that can be triggered in Cisco AsyncOS Software for Cisco Web Security Appliances and Cisco Adaptive Security Appliances.
The third issue affects the XCP Router service of the Cisco Unified Communications Manager IM and Presence Service and of the Cisco TelePresence Video Communication Server and Expressway. If exploited, a malicious actor could cause a temporary service outage.
AZORult Stealer has received an update and is once again proving to be a problem; the malware is regularly altered, which is one reason it is so persistent. The latest variant appears to be targeting a North American audience at the moment and typically delivers a password-protected Word document.
Once the document is opened using the password contained in the email and macros are enabled, the AZORult payload is downloaded. The malware collects information and can also be used in ransomware attacks.
Emails typically go out within a day of the malware being updated. Naturally, any unsolicited email, and emails with attachments in general, should be treated with caution. These latest AZORult mails appear to follow an employment-related theme, carrying résumé and job-candidate-style attachments.
Marap is a new downloader being delivered through the Necurs botnet. Recently discovered by researchers at Proofpoint, the malware currently contains fingerprinting modules that look for information such as username, domain name and IP address: common fingerprinting information that could be used in future attacks. The researchers warn that Marap is capable of delivering additional payloads in the future.
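As an added example (not code from the column), a mail-triage heuristic in Python for the AZORult lure described above: it flags a message whose body hands over a password and whose attachment is a password-protected Office document. The message and the attachment bytes are constructed inline; the attachment is only a minimal stand-in for a real compound file, and all names in it are invented.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# OLE compound-file magic: password-protected OOXML documents are wrapped in
# this container rather than shipped as a plain zip.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OLE directory entry names are UTF-16LE; an encrypted OOXML package always
# carries an "EncryptedPackage" stream.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")

def is_encrypted_office(data: bytes) -> bool:
    # Cheap structural check, no Office parser needed
    return data.startswith(OLE_MAGIC) and ENCRYPTED_PACKAGE in data

def triage(raw: bytes) -> dict:
    # Flag mails pairing a password in the body with an encrypted Office attachment
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    encrypted = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(OFFICE_EXT) and is_encrypted_office(payload):
            encrypted.append(name)
    password_in_body = PASSWORD_RE.search(text) is not None
    return {
        "password_in_body": password_in_body,
        "encrypted_attachments": encrypted,
        "suspicious": password_in_body and bool(encrypted),
    }

def build_sample(with_password: bool = True) -> bytes:
    # Constructed lure in the column's style, not a real sample; the attachment
    # is only an OLE header plus the stream name, enough to exercise the check.
    fake_doc = OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_PACKAGE + b"\x00" * 32
    msg = EmailMessage()
    msg["Subject"] = "Application for the open position"
    body = "Please find my resume attached."
    if with_password:
        body += " The document password is Hire2018."
    msg.set_content(body)
    msg.add_attachment(fake_doc, maintype="application", subtype="octet-stream",
                       filename="resume.docx")
    return msg.as_bytes()
```

Legacy binary .doc files mark encryption with a flag in the file header rather than an EncryptedPackage stream, so a production filter should cover that case as well.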
In the news
DefCon 2018 has thrown up some interesting developments, from smartphones that ship with malware out of the box, through an attack on Amazon Echo, to the first proof-of-concept malware powered by artificial intelligence.
DeepLocker is a truly worrying piece of research brought to us by the people at IBM Research. The researchers have designed malware powered by artificial intelligence, creating what they call a “highly targeted and evasive” piece of malicious code.
DeepLocker can leverage several attributes to identify its target, including visual, audio, geolocation and system-level features. In an example given by the researchers, these triggers could be set so that the malicious payload is delivered only to a specific individual whom the malware recognises through facial recognition. It could bury itself in video-conferencing code, for example, and compare the feed with publicly available images of the targeted individual before unleashing the payload.
DeepLocker is extremely difficult for analysts to detect because it does not reveal what kind of target it is looking for (a person or an organisation), nor, if the target is a person, who that person is. Finally, because the attack remains fully encrypted until the target is found, analysts cannot work out how the attack will be executed.
Phones shipping with malware out of the box: security researchers from US mobile and IoT security firm Kryptowire highlighted some 25 Android phones that they had discovered shipped with malware in their default applications. The researchers presented the list of these mainly lesser-known devices at DefCon; it did, however, include models from LG, Nokia and Sony.
Security researchers Wu Hui Yu and Qian Wenxiang demonstrated that the Amazon Echo can be compromised. The pair showed how the Echo could be used to eavesdrop on conversations without users knowing the device was recording. Don’t panic just yet if you have an Echo, however: the researchers have already passed their findings to Amazon, and the attack also requires the attacker to have compromised the Wi-Fi network that the Echo is on.
As always please stay vigilant, apply patches and updates vigorously and, above all, stay safe.