Week 20 In Review – 2017

Events Related

• Converge 2017 Videos – www.irongeek.com
  These are the videos from the Converge Information Security Conference.

• BSides Detroit 2017 Videos – www.irongeek.com
  These are the videos from the BSides Detroit 2017 Conference. 

Resources 

• Intel Active Management Technology
  On May 1, Intel published a security advisory regarding a firmware vulnerability in certain systems that utilize Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) or Intel® Small Business Technology (SBT). The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies.
  • Important Security Information Intel Manageability Firmware – newsroom.intel.com
  • INTEL-SA-00075 Detection Guide – downloadcenter.intel.com
  • Intel’s Management Engine is a security hazard, and users need a way to disable it – www.eff.org
  • intel amt bypass – github.com
  • AMT Script – svn.nmap.org
  • Intel AMT on Wireless Networks – mjg59.dreamwidth.org

• New Whitepaper: Aligning to the NIST Cybersecurity Framework in the AWS Cloud – aws.amazon.com
  Today, we released the Aligning to the NIST Cybersecurity Framework in the AWS Cloud whitepaper. Both public and commercial sector organizations can use this whitepaper to assess the AWS environment against the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and improve the security measures they implement and operate (also known as security in the cloud).

Techniques

• Reverse Engineering Apple Location Services Protocol – appelsiini.net
  While working on Whereami I got interested on how Apple location services actually work. I know it is handled by locationd since Little Snitch keeps blocking it. Usual way of inspecting traffic with proxychains did not work since macOS now has something called System Integrity Protection (SIP).

• Sending AM-OOK using Metasploit and rftransceiver – sensepost.com
  Towards the end of last year, I found myself playing around with some basic amplitude modulation (AM)/On-off keying (OOK) software defined radio. That resulted in ooktools being built to help with making some of that work easier and to help me learn. A little while ago, the Metasploit project announced new ‘rftransceiver’ capabilities that were added to the framework with a similar goal of making this research easier.

Tools 

• AMT status checker for Linux – github.com
  A simple tool that tells you whether AMT is enabled and provisioned on Linux systems. Requires that the mei_me driver (part of the upstream kernel) be loaded. 

• WiFi-Pumpkin – github.com
  Framework for Rogue Wi-Fi Access Point Attack 

Vendor/Software Patches 

• Windows Defender vulnerability discovered and fixed – www.ghacks.net
  The Microsoft Malware Protection Engine is used by various Microsoft products, including Windows Defender and Microsoft Security Essentials on consumer PCs, and products such as Microsoft Endpoint Protection, Microsoft Forefront, Microsoft System Center Endpoint Protection, or Windows Intune Endpoint Protection on the business side. 

• Microsoft Released Guidance for WannaCrypt – isc.sans.edu
  Microsoft released information what can be done to protect against WannaCry which includes deploying MS17-010 if not already done (March patch release), update Windows Defender (updated 12 May) and if not using SMBv1 to disable it. 

Vulnerabilities

• Multiple Vulnerabilities in ASUS Routers [CVE-2017-5891 and CVE-2017-5892] – seclists.org
  Various models of ASUS RT routers have several CSRF vulnerabilities allowing malicious sites to login and change settings in the router; multiple JSONP vulnerabilities allowing exfiltration of router data and an XML endpoint revealing WiFi passwords.

• A Security Analysis of Over 500 Million Usernames and Passwords – duo.com
  We at Duo Labs recently got our hands on the so-called Anti Public Combo List, a dump of 562,077,487 usernames and passwords aggregated from a variety of large-scale data breaches and password dumps.

• HP Laptops Covert Keystrokes
  HP is selling more than two dozen models of laptops and tablets that covertly monitor every keystroke a user makes, security researchers warned Thursday. The devices then store the key presses in an unencrypted file on the hard drive.
  • HP laptops covertly log user keystrokes, researchers warn – arstechnica.com
  • MZ-17-01-Conexant-Keylogger – www.modzero.ch 

• Ransomware Virus known as ‘WannaCry’
  A ransomware virus is spreading aggressively around the globe, with over 100,000 computers in 99 countries having been targeted, according to the latest data. The virus infects computer files and then demands bitcoins to unblock them.
  • Ransomware virus plagues 100k computers across 99 countries – www.rt.com
  • Massive Wave of Ransomware Ongoing – isc.sans.edu
  • NHS seeks to recover from global cyber-attack as security concerns resurface – www.theguardian.com
  • NHS cyber-attack: GPs and hospitals hit by ransomware – www.bbc.com
  • WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm – gist.github.com
  • Player 3 Has Entered the Game: Say Hello to ‘WannaCry’ – blog.talosintelligence.com
  • WanaCrypt0r ransomware hits it big just before the weekend – blog.malwarebytes.com
  • WannaCry — The largest ransom-ware infection in History – blog.comae.io 

Other News

• Analyzing a counter intelligence cyber operation: How Macron just changed cyber security forever – hackernoon.com
  Up until today I could only look up to Russia (whether I agree with them or not) for conducting advanced information operations in cyber. Now, I can look up to Macron and the anonymous security professionals behind him and admire them.

• Trump’s cybersecurity executive order met with mixed reviews – www.zdnet.com
  President Trump has signed a long-delayed executive order, which sets up a number of cybersecurity reviews across the federal government, but does not make any immediate sweeping changes to US policy.

• US District Court Rules GNU GPL is an Enforceable Contract – www.xda-developers.com
  GPL projects are used in many free and commercial applications. The GNU GPL license requires developers that use the GPL-licensed software to adhere to its licensing. A developer modifying GPL-licensed code must release a source if he or she releases a project to the public.