Remote Code Execution, Phishing, and More: Cato Research Labs Reviews January Security Events
POSTED on February 22, 2017
January started out with a bang as Check Point showed that pictures can be worth for more to hackers than just a 1,000 words. Embedding threats in images, though, wasn’t the only security story of significance last month. A number of other stories (and not of the political kind) also occupied the topics of conversation among researchers here at the Cato Research Labs.
January 4th
ImageGate: Check Point uncovers a new method for distributing malware through images
Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these images (source: Check Point blog).
The attack is very smooth. The attackers managed to trick both Facebook and LinkedIn filetype filters, delivering embedded malicious code that executes on the operating system. The attack is related to the massive malware campaign of Locky ransomware spread via social network channels that we discussed here. Facebook ended up aggressively blocking any Scalable Vector Graphics (SVG) files. Nice work by Check Point researchers for managing to upload a file with embedded malicious code and then change the filename to .hta
Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates
msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar’s domain validation process (source: Slashdot).
On one hand, GoDaddy’s revoking that large number of web site certificates may seem like a very aggressive action. But GoDaddy engineers are probably aware that browsers do not validate certificates with CRLs by default as it may impact the browsing experience. So they decided to be on the safe side, in this case. Also, it’s surprising that GoDaddy was unable to trace back their logs and verify which websites were actually attacked.
January 13th
Crime Doesn’t Pay. Shadow Brokers Close Up Shop After Failing to Sell Stolen NSA Hacking tools
Call it a victory for the good guys. The Shadow Brokers who previously stole and leaked a portion of NSA’s hacking tool-set closed up shop this month, a few days after trying to sell another package of hacking tools, “Equation Group Windows Warez.” The new tools included Windows exploits and antivirus bypass tools, stolen from the NSA-linked hacking unit, The Equation Group (source: The Hacker News). In a farewell message posted Thursday morning, group members said they were deleting their accounts and making an exit after their offers to release their entire cache of NSA hacking tools in exchange for a whopping 10,000 bitcoins (currently valued at more than $8.2 million) were rebuffed (source: Ars Technica)
The mysterious group that was with us since September has “retired.” Many of the tools they published affected firewall vendors and shows vulnerability of appliances. The Shadow Brokers may no longer be with us but from a technical perspective, but they leave a huge impact (as well as many questions about proper upgrades and patching) on the appliance industry.
January 20th
Everyone Is Falling For This Frighteningly Effective Gmail Scam
Security researchers have identified a “highly effective” phishing scam that’s been fooling Google Gmail customers into divulging their login credentials. The scheme, which has been gaining popularity in the past few months and has reportedly been hitting other email services, involves a clever trick that can be difficult to detect (source: Fortune)
There’s still a buzz around the phishing scam that steals credentials from Gmail users. This one seems very effective, but frankly isn’t all that new. It’s been floating around at least since last June. Any enterprise with a properly-configured URL-filter or IPS (or subscribes to a service with one of those tools) can block the exfiltration site used in the attack.
January 25th
Widely used WebEx plugin for Chrome will execute attack code—patch now!
Publicly known “magic string” lets any site run malicious code, no questions asked (source: Ars Technica).
Very impressive. Google researchers found a vulnerability in the Cisco Webex Chrome extension used by about 20 million users. The vulnerability lets any website execute arbitrary code on a client with the extension. Cisco has already released a patch, but companies will want to encourage users to reboot Chrome to upgrade their extensions. Meanwhile, they should consider applying a virtual patch.
January 29th
Gmail will stop allowing JavaScript (.js) file attachments starting February 13, 2017
Google announced Gmail will soon stop allowing users to attach JavaScript (.js) files to emails for obvious security reason. JavaScripts files, could represent an insidious threat for the recipient, for this reason starting with February 13, 2017, .js files will no more be allowed (source: Security Affairs).
Looks like Google is picking up on the phishing scam. JavaScript (JS) attachments were the mechanism by which the attackers presented the phishing screen used in the scam. JS malware has been gaining popularity for the past several months in part because malicious JS files are saved on disk and can run outside the browser on the Windows operating system.
Blocking these attachments will definitely reduce the attack surface, but won’t address the full problem. Attackers may still utilize other types of files (e.g. zipped, docs, pdf) to deliver attacks. Although these files are sandboxed, attackers can still rely on social engineering techniques to break out and run on the PC.
Tags: Cato Networks, cato research lab, Checkpoint, Chrome, Code Execution, Gmail, Google, JavaScript, NSA Hacking tools, phishing, Shadow Brokers, SSL, WebEx