(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

On Monday, The Washington Post reported one of the most stunning breaches of security ever. A former NSA contractor, the paper said, stole more than 50 terabytes of highly sensitive data. According to one source, that includes more than 75 percent of the hacking tools belonging to the Tailored Access Operations. TAO is an elite hacking unit that develops and deploys some of the world's most sophisticated software exploits.

Attorneys representing Harold T. Martin III have previously portrayed the former NSA contractor as a patriot who took NSA materials home so that he could become better at his job. Meanwhile, investigators who have combed through his home in Glen Burnie, Maryland, remain concerned that he passed the weaponized hacking tools to enemies. The theft came to light during the investigation of a series of NSA-developed exploits that were mysteriously published online by a group calling itself Shadow Brokers.

Investigators have floated several theories. One holds that Martin directly provided the tools to the person or group responsible for the leak. An alternate theory is that the leakers obtained the software by hacking Martin. As reported in October, Martin was charged with felony theft of government property and unauthorized removal and retention of classified material. Monday's Washington Post article says that prosecutors will likely file charges of "violating the Espionage Act by 'willfully' retaining information that relates to the national defense, including classified data such as NSA hacking tools and operational plans against 'a known enemy' of the United States."

Read 2 remaining paragraphs | Comments

 

While developing a tool for evaluating mobile application security, researchers at Sudo Security Group Inc. found out something unexpected. Seventy-six popular applications in Apple's iOS App Store, they discovered, had implemented encrypted communications with their back-end services in such a way that user information could be intercepted by a man-in-the-middle attack. The applications could be fooled by a forged certificate sent back by a proxy, allowing their Transport Layer Security to be unencrypted and examined as it is passed over the Internet.

The discovery was initially the result of bulk analysis done by Sudo's verify.ly, a service that performs bulk static analysis of application binaries from Apple's App Store. Will Strafach, president of Sudo, verified the applications discovered by the system were vulnerable in the lab, using a network proxy configured with its own Secure Socket Layer certificate.

In the post about his findings being published today, Strafach wrote:

Read 9 remaining paragraphs | Comments

 
NetApp OnCommand Insight Data Warehouse CVE-2017-5600 Security Bypass Vulnerability
 
Exponent CMS CVE-2017-5879 SQL Injection Vulnerability
 
Spice CVE-2016-9577 Buffer Overflow Vulnerability
 
SanaCMS CVE-2017-5882 Cross Site Scripting Vulnerability
 
Jenkins CVE-2017-2608 Remote Code Execution Vulnerability
 

Vizio, one of the world's biggest makers of Smart TVs, is paying $2.2 million to settle charges that it collected viewing habits from 11 million devices without the knowledge or consent of the people watching them.

According to a complaint filed Monday by the US Federal Trade Commission, Internet-connected TVs from Vizio contained ACR—short for automated content recognition—software. Without asking for permission, the ACR code captured second-by-second information about the video the TVs displayed. The software collected other personal information and transmitted it, along with the viewing data, to servers controlled by the manufacturer. Vizio then sold the data to unnamed third-parties for purposes of audience measurement, analysis, and tracking.

"For all of these uses, Defendants provide highly specific, second-by-second information about television viewing," FTC lawyers wrote in Monday's complaint. "Each line of a report provides viewing information about a single television. In a securities filing, Vizio states that its data analytics program, for example, 'provides highly specific viewing behavior data on a massive scale with great accuracy, which can be used to generate intelligent insights for advertisers and media content providers.'"

Read 5 remaining paragraphs | Comments

 
Hawtio CVE-2017-2617 Arbitrary File Upload Vulnerability
 
 
SendQuick Entera & Avera SMS Gateway Appliances Multiple Security Vulnerabilities
 
libplist Multiple Local Heap Buffer Overflow and Denial-of-Service Vulnerabilities
 

On of the hardest tasks in security, and probably fundamentally an impossible task is to figure out if something is not malicious. Even the code you wrote yourself, once it exceeds a certain complexity, could include backdoors that you as theauthor missed. They may come in the form of vulnerabilities, or maybe it was bad advice that you followed (ever copied code from Stackoverflow?). Never mind malicious libraries or compilers.

Earlier today, a reader sent me a file asking just that question. Carlos received an anti-malware warning flagging a file as malicious. According to Virustotal, ESET-NOD32 flags it as a variant of Win32/KingSoft.D potentially unwanted. This is a pretty weak signature. Virustotal also stated that the file is Probably harmless and that There are strong indicators suggesting that this file is safe to use.

Next, I uploaded it to hybrid-analysis. Hybrid-Analysis returned the following risk assessment:

This looks quite a bit more malicious.

Some additional Google searches revealed that the file is likely part of WPS Office, a free Chinese office suite that appears to be included for free with some HP Laptops.

My advice to Carlos was that the file is likely not malicious, but as long as he doesnt need WPS Office, he is probably better off deleting it to save some disk space. In short: bloatware.

What would your advice be? Here are the links to the results from Hybrid Analysis and Virustotal:

https://www.hybrid-analysis.com/sample/e3d74b6eb7f941125c35ae0ab2c5bd8d7116e6794f38b3879bddeb4b1570a433?environmentId=100

https://virustotal.com/en/file/e3d74b6eb7f941125c35ae0ab2c5bd8d7116e6794f38b3879bddeb4b1570a433/analysis/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Citrix License Server for Windows and License Server VPX CVE-2017-5571 Open Redirect Vulnerability
 
libXpm CVE-2016-10164 Heap Based Buffer Overflow Vulnerability
 
iucode-tool CVE-2017-0357 Heap Buffer Overflow Vulnerability
 

I am seeing a steady trickle of scans for %%port:110%% against my honeypot. Initially, I believed that the goal was brute forcing e-mail passwords. But instead, when setting up a quick netcat listener, I am seeing binary content without any obvious purpose. Various POP3 daemons have had vulnerabilities in the past, so maybe there is a way this is exploited? Or someone looking for backdoors that happen to listen on port 110 to disguise themselves. Can anybody help out with any ideas what this is about?

Here is a typical payload:

00000000 16 03 01 01 22 01 00 01 1e 03 03 a2 33 18 56 3f ....... ....3.V?
00000010 b9 9a 05 1c 33 24 0c 83 03 bf 62 29 a6 37 22 da ....3$.. ..b).7.
00000020 33 e2 ac 9c 3c 44 28 bd 4d 8b d8 00 00 88 c0 30 3...D(. M......0
00000030 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00 6b .,.(.$.. .......k
00000040 00 6a 00 39 00 38 00 88 00 87 c0 32 c0 2e c0 2a .j.9.8.. ...2...*
00000050 c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 12 ....... .=.5....
00000060 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 2f c0 2b ........ ...../.+
00000070 c0 27 c0 23 c0 13 c0 09 00 a2 00 9e 00 67 00 40 ..#.... [email protected]
00000080 00 33 00 32 00 9a 00 99 00 45 00 44 c0 31 c0 2d .3.2.... .E.D.1.-
00000090 c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00 96 .).%.... ..../..
000000A0 00 41 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 .A...... ........
000000B0 00 12 00 09 00 ff 01 00 00 6d 00 0b 00 04 03 00 ........ .m......
000000C0 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b .....4.2 ........
000000D0 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 ........ ........
000000E0 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00 01 ........ ........
000000F0 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0d ........ ...#....
00000100 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 . ...... ........
00000110 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 ........ ........
00000120 02 03 00 0f 00 01 01 .......

UPDATE

ok.. this was a bit too easy. After a bit of staring at the payload, it looked familiar. Turns out that this is an SSL Client hello (the 0x16 0x03 0x01 preamble gave it away). So now back to giving the attacker an SSL-enabled server to play with.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
TigerVNC CVE-2016-10207 Denial of Service Vulnerability
 
Linux Kernel 'EXT4 image' Local Denial of Service Vulnerability
 
Microsoft Windows CVE-2017-0016 Memory Corruption Vulnerability
 
ZoneMinder - multiple vulnerabilities
 
[SECURITY] [DSA 3781-1] svgsalamander security update
 
Teleopti WFM <= 7.1.0 Multiple Vulnerabilities
 
Internet Storm Center Infocon Status