Plus: The spambot that actually DOES record screens of pr0n users
Roundup Here is your friendly summary of recent news from the front lines of information security beyond everything else we’ve already reported.
Our vultures have also spent the past week or so flying around Las Vegas, keeping a close eye on what is essentially hacker comic con. Follow these links for our Black Hat, DEF CON, and Bsides coverage, and stay tuned for more this week.
Printers still a security weak point
Xerox printers are rife with security bugs that can put the rest of the network at risk.
This from bug-hunters at the NCC Group, who this week disclosed a pack of eight CVE-listed security flaws in the popular line-of-business printers. The flaws range from a lack of cross-site request forgery protections to buffer overflow errors that could allow for remote code execution via the web interface.
While a printer getting pwned is not the worst of scenarios, it could become one should the printer be used as the starting point for a larger network breach. Additionally, printers have been popular targets for botnets.
ESET warns of porn-peeping malware infection
A newly discovered piece of malware looks to catch its victims in compromising situations.
ESET says that “Varenyky”, a spam and spyware combo that infects French-language systems, includes a set of instructions that will activate the system’s screen recording tools when the user searches for specific terms used while crawling porn sites (we’ll leave it to you readers to figure out what those are).
“It will start two threads: one that’s in charge of sending spam and another that can execute commands coming from its Command and Control server on the computer,” said Alexis Dorais-Joncas of the ESET Montreal R&D center.
“One of the most dangerous aspects is that it looks for specific keywords such as bitcoin and porn-related words in the applications running on the victim’s system. If any such words are found, Varenyky starts recording the computer’s screen and then uploads the recording to the C&C server.”
Avaya phones dial “P” for pwnage
Bug-hunters at McAfee have found a decade-running security vulnerability in a popular line of Avaya VoIP phones.
The team said the Avaya 9600 series uses a specific open-source component in the H.232 software stack that Avaya branched for its own use back in 2009.
Shortly after the code was copied, someone found a vulnerability in the open-source tool that would allow for remote code execution. While the original component was updated to fix the bug, Avaya’s copy was not, and for the last 10 years the phones have been operating with an exploitable RCE bug.
Avaya has since issued an update to patch the flaw once and for all.
US government seeks contractor to help short-handed DHS security teams
The US Department of Homeland Security is looking to hire an outside contractor help its agencies manage their information security operations.
A Federal Business Opportunities posting first spotted by NextGov outlines a program that would see the contractor help to staff the 17 unclassified security operation centers (SOCs) across its agencies.
That contractor, if the deal were to come about, would be charged with doing things like helping fill out staffing shortfalls in areas like vulnerability assessment, email security monitoring, and incident response.
“DHS envisions a multiple award contract vehicle under which each awardee is capable of delivering the full scope of services described in this statement of work,” the posting reads.
The DHS is still in the process of deciding the specifics of the contract, so would-be bidders have plenty of time to get their pitches together.
Ellucian off the hook for university hacks
Last month, the US Department of Education issued an alert warning that a flaw in the Ellucian Banner System software had been exploited to get into the networks of more than 60 US colleges and universities.
Now, however, the department is walking that claim back, now saying that something else was responsible for the breaches, which implies the Ellucian software was not.
“Our ongoing research with targeted institutions has led us to a broader concern regarding the front-end registration portals used by institutions,” the education bod says.
“Specifically, some institutions are using third-party software as front-end access points to the Ellucian Banner System and similar administrative tools.”
F-Secure uncovers BIG-IP vulnerability
Finnish security folks at F-Secure have issued an warning to companies using some F5 Networks load balancers following the discovery of a command injection flaw.
F-Secure said the vulnerability is present in the BIG-IP balancers, which use the Tcl programming language for their iRules commands. Apparently, Tcl contains a flaw that would let an attacker slip arbitrary commands into scripts.
“Adversaries that successfully exploit such insecurely configured iRules can use the compromised BIG-IP device as a beachhead to launch further attacks, resulting in a potentially severe breach for an organization,” F-Secure warned.
“They could also intercept and manipulate web traffic, leading to the exposure of sensitive information, including authentication credentials and application secrets, as well as allowing the users of an organization’s web services to be targeted and attacked.”
VPNs (still) behaving badly
Last year, a report from Metric Labs’ Top10VPN found that many VPN apps are shady at best and a privacy nightmare in the worst case. An updated report from the same research team has found that, a year on, not much has changed.
Top10VPN’s Simon Migliano told El Reg that when he followed up the report six months on, 75 per cent of the offending apps were not only still being offered on the App Store and Google Play, but several were actually surging in popularity.
“Apple and Google ignored my request so I have published my findings in a comprehensive new report,” Migliano explained. “Since the publication, Apple have now agreed to look at the report but have yet to take any action.”
Cloud Atlas attack goes polymorphic
A long-running government hacking campaign called “Cloud Atlas” or “Inception” (depending on your taste in bad movies) has armed itself with a new set of capabilities in its efforts to get into machines in Eastern Europe and the Middle East.
Kaspersky reports that the hacking crew has added a new layer of polymorphic (self-changing) malware that not only shifts around its codebase to avoid detection, but also wipes the files used in previous stages to make its activity harder to detect.
If you’re one of the handful of governments in the area in and around Russia who are subject to this operation, you’ll want to give the report a close look. Everyone else, meanwhile, should probably be more concerned about the upcoming Patch Tuesday.
Study probes the *other* AWS data exposure trap
We all know by now that AWS S3 buckets are a treasure trove for data leaks thanks to incorrectly-configured storage instances. It turns out another AWS service, Elastic Block Storage, can also betray corporate data.
A Defcon presentation from Bishop Fox showed that EBS instances can also be crawled to find sensitive corporate information and leave the door open for other data theft, with things like encryption keys, passwords, and in some cases entire backups all left sitting out in the open.
Admins would be well-advised to double-check their EBS configurations and make sure public access is severely restricted. Â®