Security Bulletin #122 – 7 June 2017
InfoSec 2017: a look at the family album of ransomware
Ransomware is among the topics at this week’s InfoSec Europe 2017 gathering in London. It has been with us for some time and is considered old news by many security practitioners, but it remains a vexing problem for companies and continues to dominate many a conference agenda. SophosLabs recently looked at the most prolific ransomware families and attack vectors over a six-month period, using data collected from lookups made by customer computers. First, SophosLabs looked at specific ransomware families and found that Cerber and Locky were by far the most active: Cerber accounted for half of all activity during the period, and Locky for a quarter. The countries seeing the most ransomware activity were Great Britain, Belgium, the Netherlands and the US, and the biggest spike came in early to mid-March. Activity dropped for a short time but spiked again around 5 April. Next, SophosLabs reviewed malware delivery methods and their evolution over the past year (April 2016 to April 2017) and found, among other things, that the malware arrived from several attack angles: email spam, web malvertising and drive-by downloads. The most prevalent attack vector for ransomware was email attachments, particularly PDFs and Office documents. The most popular ransomware families are shown in the figure above.
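The attachment vector described above is one a mail gateway can screen for before a user ever opens the file. The following Python is an added example written for this bulletin, not code from SophosLabs or from any product mentioned on this page: it flags Office attachments that carry a VBA macro project (OOXML packages containing vbaProject.bin or declaring a macro-enabled content type), notes legacy OLE2 files that would need a proper OLE parser, and scans PDFs for auto-run and scripting name objects. The sample .docx and PDF it inspects are constructed in memory for the example, and the extension-versus-content heuristics (a .docx that actually holds macro content) are assumptions added here, not findings from the Sophos data.

```python
import io
import re
import zipfile

# Content types that OOXML declares for macro-enabled documents.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)

# PDF name objects that make a document run code or open something on load.
PDF_RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def build_docx(with_macro):
    """Build a minimal OOXML package in memory. Constructed sample, not a real document."""
    main_type = (MACRO_CONTENT_TYPES[0] if with_macro else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>' % main_type)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)  # stub VBA project
    return buf.getvalue()


# Constructed PDF with an auto-run JavaScript action (the script is a harmless alert).
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
              b"%%EOF\n")


def office_indicators(data):
    """Return macro/embedding indicators for an Office attachment (empty list if none)."""
    findings = []
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls keep macros in OLE streams; confirming needs an OLE parser (e.g. olefile).
        findings.append("legacy OLE2 Office document: macros cannot be ruled out without OLE parsing")
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                findings.append("vbaProject.bin present: VBA macro project")
            if "[Content_Types].xml" in names:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if any(ct in ctypes for ct in MACRO_CONTENT_TYPES):
                    findings.append("macro-enabled content type declared")
            if any("/embeddings/" in n.lower() for n in names):
                findings.append("embedded OLE object")
    except zipfile.BadZipFile:
        findings.append("zip signature but not a valid OOXML package")
    return findings


def pdf_indicators(data):
    """Return the risky PDF name objects found (whole-token match, so /JS does not match /JSX)."""
    if not data.startswith(b"%PDF"):
        return []
    return [k.decode() for k in PDF_RISKY_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z])", data)]


def triage_attachment(filename, data):
    """Combine content indicators with extension checks; return (verdict, findings)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = office_indicators(data) + pdf_indicators(data)
    macro_hits = [f for f in findings if f.startswith(("vbaProject", "macro-enabled"))]
    if ext in ("docx", "xlsx", "pptx") and macro_hits:
        # A macro-free extension wrapping macro content is a classic lure (assumed heuristic).
        findings.append("extension .%s hides macro content (expected .%sm)" % (ext, ext[:3]))
    if ext == "pdf" and not data.startswith(b"%PDF"):
        findings.append("extension .pdf but file is not a PDF")
    verdict = "quarantine" if findings else "allow"
    return verdict, findings


if __name__ == "__main__":
    for name, blob in (("invoice.docx", build_docx(True)), ("report.docx", build_docx(False)),
                       ("scan.pdf", SAMPLE_PDF)):
        print(name, triage_attachment(name, blob))
```

The PDF check is a plain token scan, so it will miss names hidden behind object streams or hex-escaped names; treat a hit as a reason to detonate the file in a sandbox rather than as a final verdict.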
Experts shut down tens of thousands of subdomains set up with a domain shadowing campaign
GoDaddy and RSA Security, with the support of other security companies and researchers, have shut down tens of thousands of illegally established subdomains used by crooks to host the RIG Exploit Kit. The criminals created the subdomains, most of them under domains registered with GoDaddy, after obtaining the domain owners’ account credentials through phishing, a technique known as domain shadowing. In March, experts shut down the subdomains along with hundreds of IP addresses used to spread malware. According to RSA, the attackers used data-stealing malware as part of a phishing campaign to harvest GoDaddy domain account credentials. With those credentials they created new subdomains under legitimate domains and used them as gates that redirected visitors to IP addresses hosting the exploit kit. RSA researchers mapped the domains to registrars and found that most of them had been registered with GoDaddy. The investigation into the RIG operation identified 40,000 subdomains and 2,000 IP addresses. According to RSA, the shadow domains were kept alive for 24 hours on average, and their DNS records were cleaned up before new shadow domains were created. RSA also helped GoDaddy build automation to monitor for and detect shadowing attacks.
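The lifecycle RSA describes (subdomains created with the owner’s own credentials, pointed at attacker infrastructure, alive for about a day, then cleaned up) gives a defender concrete signals to look for in passive DNS or registrar zone-change data. The following Python is an added example for this bulletin, not RSA’s or GoDaddy’s detection automation: it flags short-lived names under an apex whose long-lived records point elsewhere, and adds a reason when the same IP hosts short-lived names under several unrelated apexes, since one exploit-kit gate typically serves many hijacked accounts. The observations, domain names and IP addresses are constructed for the example; the 48-hour and 7-day thresholds and the two-label apex rule are assumptions, not values from RSA’s research.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS style observations: (first_seen, last_seen, fqdn, ip), UTC.
# Domains and addresses are made up for this example.
OBSERVATIONS = [
    ("2017-03-01T00:00", "2017-03-31T00:00", "example-shop.com",         "203.0.113.10"),
    ("2017-03-01T00:00", "2017-03-31T00:00", "www.example-shop.com",     "203.0.113.10"),
    ("2017-03-01T00:00", "2017-03-31T00:00", "blog.example-shop.com",    "203.0.113.11"),
    ("2017-03-04T02:10", "2017-03-05T01:50", "kx7q2.example-shop.com",   "198.51.100.77"),
    ("2017-03-05T03:00", "2017-03-06T02:30", "ab41zq.example-shop.com",  "198.51.100.77"),
    ("2017-03-10T12:00", "2017-03-11T06:00", "staging.example-shop.com", "203.0.113.10"),
    ("2017-03-01T00:00", "2017-03-31T00:00", "travel-agency.net",        "192.0.2.20"),
    ("2017-02-01T00:00", "2017-03-31T00:00", "mail.travel-agency.net",   "192.0.2.21"),
    ("2017-03-04T09:00", "2017-03-05T08:00", "p9m3xx.travel-agency.net", "198.51.100.77"),
]

STABLE_DAYS = 7         # assumed: a name seen this long belongs to the owner's legitimate footprint
SHORT_LIVED_HOURS = 48  # assumed: RSA saw shadow domains live about 24 hours on average


def apex_of(fqdn):
    """Registrable domain, assumed to be the last two labels (no public-suffix list here)."""
    return ".".join(fqdn.lower().split(".")[-2:])


def lifetime_hours(first_seen, last_seen):
    delta = datetime.fromisoformat(last_seen) - datetime.fromisoformat(first_seen)
    return delta.total_seconds() / 3600


def find_shadow_domains(observations):
    """Flag short-lived subdomains resolving outside their apex's stable IP set.

    Returns {fqdn: [reasons]}.
    """
    # Step 1: the owner's stable infrastructure per apex (long-lived records only).
    stable_ips = defaultdict(set)
    for first, last, name, ip in observations:
        if lifetime_hours(first, last) >= STABLE_DAYS * 24:
            stable_ips[apex_of(name)].add(ip)

    # Step 2: short-lived names on unfamiliar IPs, and which apexes each such IP serves.
    short_lived_apexes = defaultdict(set)
    candidates = []
    for first, last, name, ip in observations:
        apex = apex_of(name)
        hours = lifetime_hours(first, last)
        if name == apex or hours > SHORT_LIVED_HOURS:
            continue
        if ip in stable_ips[apex]:
            continue  # new name, but on infrastructure the owner already uses
        short_lived_apexes[ip].add(apex)
        candidates.append((name, ip, hours))

    # Step 3: explain each hit; a gate IP reused across unrelated apexes is the strongest signal.
    flagged = {}
    for name, ip, hours in candidates:
        reasons = ["lived %.1f h" % hours, "IP %s not in apex's stable set" % ip]
        shared = len(short_lived_apexes[ip])
        if shared > 1:
            reasons.append("IP serves short-lived names under %d different apexes" % shared)
        flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for fqdn, reasons in find_shadow_domains(OBSERVATIONS).items():
        print(fqdn, "->", "; ".join(reasons))
```

Note that staging.example-shop.com is short-lived but resolves to an address the owner already uses, so it is not flagged; a registrar running this against its own zone-change feed would additionally have the creating account and source IP of each change, which is the stronger evidence that credentials were stolen.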
Application security trends: What you need to know
High-Tech Bridge released a summary report on application security trends for Q1 to Q2 2017 at Infosecurity Europe 2017. The statistics in the report come largely from the ImmuniWeb application security testing platform and High-Tech Bridge’s free web security services, supplemented by data from various open sources.
1) The bug bounty trend will continue: 9 out of 10 web applications in the scope of a private or public bug bounty program that had been running for a year or longer still contained at least two high-risk vulnerabilities that crowd security testing had not detected.
2) Mobile backends are the weak point of the corporate defense perimeter: 83% of mobile apps in the banking, financial and retail sectors have a mobile backend (web services and APIs) vulnerable to at least one high-risk security vulnerability.
3) Risks related to mobile applications are highly exaggerated: over 95% of vulnerabilities residing in mobile application code are not easily exploitable and do not pose a major risk.
4) Web interfaces of IoT devices represent an enormous risk: 98% of web interfaces and administrative panels of various IoT devices had fundamental security problems, among them hardcoded and unmodifiable admin credentials, outdated software (e.g. the web server) with no way to update it out of the box, lack of HTTP traffic encryption, and various critical vulnerabilities in the interface itself, including RCE (Remote Command Execution) directly in the login interface.
5) DevSecOps cannot protect from human negligence: two thirds of companies that apply a DevSecOps approach to application development had at least one high- or critical-risk vulnerability in their external web applications, due to lack of internal coordination, human negligence or a business decision.
6) XSS, CSRF and information disclosure are still the most popular vulnerabilities: globally, these three OWASP Top Ten vulnerabilities may easily account for more than 80% of flaws. In the banking, financial, insurance and e-commerce sectors, however, they represent just 50.9% of flaws.
7) OWASP Top Ten flaws are becoming harder to detect: despite their overwhelming popularity, 53% of simple OWASP Top Ten flaws, such as XSS, are no longer detectable by vulnerability scanners and other fully automated solutions.
8) Web server security hardening is massively ignored: a Content Security Policy (CSP), the various security-related HTTP headers and other web server hardening options are currently fully implemented on only 2.4% of web servers globally.
9) WAFs mitigate simple OWASP Top Ten flaws but fail to protect from sophisticated ones: only 22% of SQL injections in web applications protected by a commercial WAF were fully exploitable, but 58% of these vulnerabilities were partially exploitable using various WAF bypass techniques.
10) Growth of HTTPS encryption reliability is stagnating
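Finding 8 concerns exactly the hardening a scanner can verify from a single HTTP response. The following Python is an added example written for this bulletin, not the ImmuniWeb platform or any High-Tech Bridge tool: it audits a response header set for a CSP, flags script sources that defeat it ('unsafe-inline', 'unsafe-eval', wildcards, data: and http:), and checks HSTS, clickjacking, MIME-sniffing, referrer and version-disclosure headers. The two header sets are constructed (a typical weak default beside a hardened configuration); the one-year HSTS floor and the list of weak CSP sources are assumptions reflecting common practice, not thresholds taken from the report.

```python
import re

ONE_YEAR = 31536000  # seconds; assumed floor for HSTS max-age (common practice, not from the report)

# Constructed header sets for the example; neither is captured from a real server.
WEAK_HEADERS = {
    "Server": "Apache/2.4.7 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.net",
    "Strict-Transport-Security": "max-age=3600",
}

HARDENED_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": ("default-src 'none'; script-src 'self'; style-src 'self'; "
                                "img-src 'self'; frame-ancestors 'none'; base-uri 'self'"),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}

# Script sources that let an attacker-controlled string execute despite a CSP being present.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:")


def parse_csp(value):
    """Split a CSP string into {directive: [source tokens]}; tokens keep their quotes."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def audit_headers(headers):
    """Return a list of hardening gaps; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if not policy:
        findings.append("no Content-Security-Policy")
    else:
        # script-src falls back to default-src when it is not set explicitly.
        script = policy.get("script-src", policy.get("default-src", []))
        for weak in WEAK_SCRIPT_SOURCES:
            if weak in script:
                findings.append("CSP script sources allow %s" % weak)
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age %d is under one year" % max_age)
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS does not cover subdomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff")
    if "referrer-policy" not in h:
        findings.append("no Referrer-Policy")
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append("Server header discloses software version: %s" % h["server"])
    return findings


def is_fully_hardened(headers):
    """The report's 'fully implemented' bar, as this example defines it: no findings at all."""
    return not audit_headers(headers)


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs))
```

The weak set is not contrived: a CSP that still permits 'unsafe-inline' for scripts gives almost no XSS protection, and a short HSTS max-age without includeSubDomains leaves first-visit and subdomain downgrade attacks open, so a site can ship "security headers" and still fail every check here.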
Patches
CERTFR-2017-AVI-168: Multiple vulnerabilities in Google Chrome (06 June 2017)
Link: https://chromereleases.googleblog.com/2017/06/stable-channel-update-for-desktop.html
CERTFR-2017-AVI-167: Multiple vulnerabilities in Google Android (Nexus) (06 June 2017)
Link: https://source.android.com/security/bulletin/2017-06-01