Security Week 35: nothing personal, just business

The industry (if you can call it that) of information security news, although it rarely slips to the level of the yellow press about TV stars, is still always waiting for some kind of sensation. So, the most popular news on Threatpost last year was a rather trivial note about vulnerabilities in PNG format . And not even the vulnerability, just the technology of hiding malicious code in image metadata. And why? Someone (not us), without understanding, announced it as "you can get infected just by downloading a picture with cats !! 11".



Of course, if you find some kind of super-hole that allows you to infect millions of computers around the world with minimal effort, I’m happy to write about it, but for now there aren’t such plans. Since the time of the Slammer worm, which could have been infected by simply connecting the machine on Windows XP to the Internet and having waited half an hour, a lot of time has passed, and for just so modern software is (not yet) given. But you want to, you know, to make something like that! For everyone to gasp and say that you can’t live like this anymore, and you need to do something with the security of computers, phones and refrigerators. Otherwise, they all at once can turn into a pumpkin by the will of some evil maniac. The whole world is in danger! Mamma Mia! Spanking Madonna! Ributtati alleta affairs pietra con solo map e penn per arkiviare e condividere informationi!



Khm Epic failure in security is still possible (in the same refrigerators and other IoT, for example), but you should not wait for it. While we wait, it is possible to overlook quite routine gaps, on which some earn a lot, others lose. Without anguish and a special genius, business as usual. In today's collection of important news: three topics about how to exploit rather banal vulnerabilities in IT. I remind the rules: each week the editors of the news site Threatpost selects the three most significant news, to which I add an extended and merciless comment. All episodes of the series can be found here .



Hacked Wordpress sites are used to deliver the Neutrino exploit whale.

News ZScaler study.

')

This news should be divided into two parts. The first is about thousands of websites and blogs on the Wordpress engine, which is extremely vulnerable. The second is how distributors of exploit whales use it, infect users and earn money.



First about wordpress. This is such a modern web-based Windows. A very popular engine, a well-developed plugin system, a lot of attention from cybercriminals. Just look at the news background associated with it. This is not all for this year:



Zero-day vulnerability in plugin

The problem is in the generator (not very) random numbers, which allows, in theory, to guess the token to change the password

SQL injection in plugin

Another SQL injection is also in the plugin.

XSS , also in the plugin.

Zero-day in Wordpress itself , the introduction of JavaScript through comments. Patched in version 4.2.1.

Vulnerabilities in two plugins

XSS in Wordpress itself , closed in version 4.2.3.

Three vulnerabilities in three plugins .







Somehow like this. Researchers at Zscaler have discovered a massive hack of vulnerable sites on Wordpress version 4.2 and below. Version 4.2, for a minute, was released in April of this year, which suggests how bad things are for those who have not updated their site for a year or more. Hacking these sites, the attackers injected them with an iframe into which the Neutrino exploit pack was installed, and through it, after entering the system, all the muck was delivered to the victims' computers. In total, there are more than 2.5 thousand such zombie sites - a little on the Internet scale, but enough to provide tens of thousands of people a headache.



We go further. The exploit pack involved a vulnerability in Adobe Flash, leaked during the theft of data from the infamous company Hacking Team . Having obtained with its help the ability to execute an arbitrary code on the victim's machine, the attackers deliver Cryptowall Cryptowall, an extortionist that has been in force for over a year and requires payment of up to $ 500 for decrypting data.





All your files are belong to us. Read more about extortionists.



Well, now put yourself in the shoes of a small business owner who, a couple of years ago, ordered a turnkey website store for himself and even didn’t quite know what engine he had there. Compared with dragging malicious code through banners on some Yahoo, it’s bullshit, but a few hundred of these sites generate losses (well, and profits) of millions of dollars. From the point of view of security, nothing extraordinary happened, America was not discovered. There are many fairly small events: vulnerabilities are constantly found in one engine for sites (or in plugins for it); someone hacks into these sites and injects an exploit pack, someone else does this pack using data from a company that was involved in a dubious hole trading business, but could not really save her own secrets. Someone uses the old version of Flash, and someone else collects money from those who have lost access to important files. Separately, nothing particularly interesting, but together it all looks at least bleak.



Interestingly, researchers have already noted that Neutrino's exploit whale has already seen an increase in traffic, to the detriment of the current leader in this sad ranking - Angler, although there was no understanding from the very beginning, due to which. That is, in addition to purely monetary things, the people behind all these operations also underwent some sort of disassembly with finding out who was in charge.



Github again didosyat

News Previous news .



Reducing the number of software vulnerabilities is actually easy. It is enough to prohibit programmers from coding. OK, a dubious way, but it seems exactly what someone was trying to do by temporarily disrupting the GitHub DDoS attack. The news is actually so-so: an attack began early in the morning, it was discovered and repulsed three hours later, who was behind it is unknown. In general, boredom. Why did the news attract attention? The fact is that in March of this year GitHub was under the most powerful didos for almost a week. Not surprisingly, everyone reacted to the August news in a classic way:







Here is the March attack was interesting. The experts then had the full feeling that the malicious traffic was somehow connected with the most popular Chinese search engine Baidu. It is as if an i-frame appeared on the Google homepage, which would redirect users to the victim's site. This way you can drop anyone, but this is impossible. Impossible, right? Most likely, Baidu had nothing to do with the March attack, but the Chinese users had a “present” hooked up to a search engine somewhere else.



But in what and how - there are different opinions. Whether it was the standard way - well, we infect users, we slip them an extra script when entering popular sites. Whether the method is more complicated - the substitution took place where the Great Firewall passes between the normal Internet and the Chinese. In this case, the unwitting accomplices of the attackers are those who go to Chinese resources outside of China: the response from the server goes with an extra script that “breaks” from the victim’s computer to certain pages of GitHub projects.



And they are very definite: two projects turned out to be under attack, directed, one way or another, to bypassing the great firewall and accessing prohibited content in the country. This type of attack even came up with the name of the original: Man-on-the-Side. The conclusion from this story is one: HTTPS is awesome.



US hotel chain held responsible for data leakage

News



News about legal casuistry, but important. Seven years ago, the infrastructure of the hotel chain Wyndham was hacked, having stolen the data of 600 thousand guests, including credit cards, from which more than 10 million dollars were later withdrawn. They broke it quite simply: they found a vulnerable computer in one of the hotels, and already with its help they picked up the network administrator's password, gaining access ... well, everything.



From a technical point of view, such a hack looks like a complete failure - ok, customer data, but why keep credit card numbers in the open? Wyndham was offended by the Federal Trade Commission, accusing the company of not fulfilling its own privacy agreement. They promised to protect customer data according to "industry standards" - there firewall encryption - and did not. Judging by the details of the hacking, there was no firewall or encryption. Passwords were defaulted on computers that looked at the network, there was no audit, and there was no plan for a rainy day. The FTC tried to impose a penalty on the company, and the essence of the trial was whether the Commission had the right to do it or not. So, after going through many iterations, we decided that yes, yes, it can.



Interesting topic. Suppose that a company is called an attack of the Advanced Persistent Threat type, that is, some kind of advanced hacking technology is used, which allows you to keep unauthorized access for a very long time. Everything is clear: the company took all possible measures of protection, but they got around, nothing can be done. And if the attack was never advanced, but very persistent, because the infrastructure itself was open to all winds, then this is wrong. Such a court decision adds a headache to US companies regarding compliance - compliance with data protection requirements. Such requirements are most often used for processing credit cards and the like, but will apparently be extended to other cases of processing of private data.



Maybe for the better, although if technologies and methods of protection are being created somewhere, then definitely not in the courts. In the courts, so to speak, the formulations are perfected. And further. Data must be encrypted. It sounds trivial, something like "you need to make backups." But it is nevertheless necessary to encrypt.



By the way, the company Target, whose customers suffered much more, the Securities and Exchange Commission decided not to fine.



What else happened:

American scientists scanned 400,000 applications on Google Play, and 7.6% of them found it potentially dangerous. This is somewhat different from the statements of Google itself that if you download applications only from Google Play, then the chances of getting infected are 0.15%. However, the method is also immediate for scientists: we analyze the code, if we see a non-standard code, we write it down into potentially dangerous ones.



In Russia, cryptographs are sent by e-mail. This is not news, the news is that now they use fake messages about the allegedly existing debt in the bank.



Apple has closed a vulnerability that allows an application to track a user even in the background, ignoring system-defined time limits. It is noteworthy that pushing an application with such a bug through the slingshots of Apple Store moderators is much easier than a purely malicious app.



Antiquities:

"Den-Zuk"

Very dangerous virus, length - 9 sectors. It infects the boot sector of floppy disks when accessing them (int 13h, ah = 2,3,4,5). When the second part of the virus is saved to disk, no checks are performed, so the virus can destroy part of the information on the disk (located on track 40).



Intercepts int 9 and 13h. In the case of a “warm” reboot in large letters, it displays its name: “Den Zuk”. Changes the label of the infected disk to "YC1ERP". It has no destructive function, but it is very dangerous, since it can destroy information on the 40th track of the infected disk. It contains the texts "Welcome to the C lub - The HackerS - Hackin 'All The Time", "The HackerS".



Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 99.



Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.