(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Enlarge (credit: Patrick Wardle)

Malicious Microsoft Word documents that abuse macros have long been the bane of Windows users. Now, security researchers have found what may be the first such real-world attack to infect Macs.

The attack was found in a Word file titled "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace." When Mac users open the document in a Word application configured to allow macros and ignore a warning, an embedded macro automatically:

  • checks to make sure the LittleSnitch security firewall isn't running
  • downloads an encrypted payload from hxxps://www.securitychecking.org:443/index.asp
  • decrypts the payload using a hard-coded key and
  • executes the payload

The code contained in the macro is written in the Python programming language. It was taken almost verbatim from EmPyre, an open-source exploit framework for Macs. By the time the researchers found the booby-trapped document, the securitychecking.org was no longer serving the payload, so it wasn't possible to know precisely what it did. But the Empyre component the macro borrowed allowed for persistent infections that contained a wide range of capabilities, including monitoring webcams, stealing passwords and encryption keys stored in the keychain, and accessing browsing histories.

Read 3 remaining paragraphs | Comments

 

This is a guest diary contributed by Remco Verhoef. Interested in publishing a guest diary? Sent us your idea via our contact form.

Most cloud providers offer metadata using private urls. Those urls are used to retrieve metadata for the current configuration of the instance and passing userdata. The configuration contains data like security groups, public ip addresses, private addresses, public keys configured and event rotating secret keys. The userdata can contain everything like initialization scripts, variables, passwords etc.

The metadata urls will vary per cloud provider, Ive written a few down together with their metadata url and a link to the documentation.

Google
http://169.254.169.254/computeMetadata/v1/
https://cloud.google.com/compute/docs/storing-retrieving-metadata

Amazon
http://169.254.169.254/latest/meta-data/hostname
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Openstack
http://169.254.169.254/2009-04-04/meta-data/instance-id
https://blogs.vmware.com/openstack/introducing-the-metadata-service/

Dreamhost
http://169.254.169.254/metadata/v1/hostname
https://developers.digitalocean.com/documentation/metadata/

Azure
http://169.254.169.254/metadata/v1/maintenance

The configuration and userdata is used by scripts, automating tasks and applications, but the danger is that it can be abused to leak information about the current instance. Information an attacker needs to elevate privileges or move laterally. This information can contain usernames, passwords, configuration, keys or scripts.

When your application accepts remote urls as data like a proxy server, vpn server or a web application (think about wordpress plugins for embedding remote content, web screenshotting applications and many more), you need to be sure the metadata url is not accessible. If you install a default squidproxy for example, just executing this command:

$ http_proxy=proxy:3128 curl http://169.254.169.254/latest/dynamic/instance-identity/document {
devpayProductCodes : null,
privateIp : 172.31.9.215,
availabilityZone : eu-west-1c,
version : 2010-08-31,
region : eu-west-1,
instanceId : i-*****,
billingProducts : null,
pendingTime : 2017-02-03T20:21:11Z,
instanceType : m3.medium,
accountId : *****,
architecture : x86_64,
kernelId : null,
ramdiskId : null,
imageId : ami-e31bab90
}

This will return all metadata of the proxy server.

Anyhow the metadata contains information you dont want to disclose. Youll be safe when the private ip has been blocked, but this is not always possible (in the case of the rotating secret keys for example). Blocking the requests can be done using good old iptables:

$ iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP

This will only allow root to access the metadata url, allowing the boot sequence to use the metadata and disallowing the web servers to use the metadata.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
MuPDF 'fitz/pixmap.c' Heap Based Buffer Overflow Vulnerability
 
OpenSSH CVE-2016-10009 Remote Code Execution Vulnerability
 

Enlarge / White House Press Secretary Sean Spicer takes questions on February 7. His home address, phone and personal e-mail were discovered in the domain registration data for his now-defunct personal blog. (credit: Alex Wong / Getty Images)

White House Press Secretary Sean Spicer has gotten a lot of grief from some quarters for a variety of reasons. Among them are his problems with information security—including his apparent posting of passwords to his Twitter account. But the latest privacy problem Spicer has on the Internet is one that thousands of others who have embraced the Internet have had, and it's mostly the fault of the Internet's archaic address book—the Domain Name System.

In 2009, Spicer registered a domain for his personal blog—seanspicer.com. He updated his domain registration data in March of 2010, apparently after moving into his home in Alexandria, Virginia. And when he did, he used his own personal home address, phone number, and e-mail account. That information, as Mashable reported on February 6, is still publicly accessible through a whois lookup against the Domain Name Service, as published by his domain registrar GoDaddy. The phone number matches one associated with Spicer present in the DNC e-mail breach posted by WikiLeaks.

Spicer's Yahoo e-mail account—which was part of data exposed in the MySpace, Dropbox and LinkedIn "mega-breaches" discovered in 2016—is also associated with a number of other domains, including those bearing the name of family members. These sites have largely been taken down (as in the case of theelephanttrunk.org, a Republican-themed online tie store), are still essentially blank template sites (including stateoftherace.org), or are parked. The parked domains include:

Read 7 remaining paragraphs | Comments

 
IBM Security Access Manager Products CVE-2016-3029 Cross Site Request Forgery Vulnerability
 
SendQuick Entera and Avera SMS Gateway Appliances Remote Command Injection Vulnerability
 
ZoneMinder CVE-2017-5368 Cross Site Request Forgery Vulnerability
 
IBM Security Access Manager Products CVE-2016-3022 Information Disclosure Vulnerability
 
Multiple Samsung Android Mobile Devices InputMethod Application Denial of Service Vulnerability
 
Trend Micro Control Manager Multiple SQL Injection Vulnerabilities
 
Alaris 8015 PC unit CVE-2016-9355 Information Disclosure Vulnerability
 
ZoneMinder CVE-2017-5367 Multiple Cross Site Scripting Vulnerabilities
 
Google Nexus Kernel File System CVE-2016-10044 Privilege Escalation Vulnerability
 
Linux kernel 'ip6_gre.c' Denial of Service Vulnerability
 
Google Android CVE-2016-8414 Information Disclosure Vulnerability
 
IBM Security Access Manager CVE-2016-3021 Information Disclosure Vulnerability
 

(credit: INVISIBLE-MAN_1933_James Whale)

Two years ago, researchers at Moscow-based Kaspersky Lab discovered their corporate network was infected with malware that was unlike anything they had ever seen. Virtually all of the malware resided solely in the memory of the compromised computers, a feat that had allowed the infection to remain undetected for six months or more. Kaspersky eventually unearthed evidence that Duqu 2.0, as the never-before-seen malware was dubbed, was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program.

Now, fileless malware is going mainstream, as financially motivated criminal hackers mimic their nation-sponsored counterparts. According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible. Because infections are so hard to spot, the actual number is likely much higher. Another trait that makes the infections hard to detect is the use of legitimate and widely used system administrative and security tools—including PowerShell, Metasploit, and Mimikatz—to inject the malware into computer memory.

"What's interesting here is that these attacks are ongoing globally against banks themselves," Kaspersky Lab expert Kurt Baumgartner told Ars. "The banks have not been adequately prepared in many cases to deal with this." He went on to say that people behind the attacks are "pushing money out of the banks from within the banks," by targeting computers that run automatic teller machines.

Read 5 remaining paragraphs | Comments

 
Google Nexus Broadcom Wi-Fi Driver CVE-2017-0449 Privilege Escalation Vulnerability
 
Google Android Qualcomm Sound Driver CVE-2017-0451 Information Disclosure Vulnerability
 
Google Nexus Audioserver CVE-2017-0450 Privilege Escalation Vulnerability
 
LaLa Call App for Android CVE-2017-2103 SSL Certificate Validation Security Bypass Vulnerability
 
IBM Jazz for Service Management CVE-2016-5935 Information Disclosure Vulnerability
 
ESA-2017-001: EMC Isilon InsightIQ Authentication Bypass Vulnerability
 
Microsoft Windows VU#867968 Memory Corruption Vulnerability
 
Internet Storm Center Infocon Status