Vulnerabilities in ImageMagick Library

hat2

 

A large majority of the applications running on the Web today rely on free, open-source libraries. These pieces of software are responsible for many of the features that we often take for granted. While these software suites enable developers to build web applications quickly, they can also be problematic.

When these libraries have vulnerabilities, all he servers that depend on their code become sitting ducks until a patch is made available. That’s what’s happening now with ImageMagick, which has been found to have multiple vulnerabilities.

 

What is ImageMagick?

ImageMagick is a commonly used library that enables applications to manipulate images in bulk. It supports a wide range of image formats (at least 200) including png, jpeg, bmp, cgm, ico, and many others. Through this library, applications can, for instance:

  • Convert images from one format to another;
  • Create thumbnails of uploaded images;
  • Reduce the number of colors in an image through color quantization or posterization;
  • Carry out dithering;
  • Resize, rotate, flip, and crop images; or
  • Generate animated GIFs out of a series of images

These are just the basics. It can also perform discrete Fourier transformations, morphology, pixel distortions, color management, and many other complex image-manipulation tasks.

 

Where is it used?

Because of its versatility, several major programming languages have implemented bindings for the ImageMagick library. For example, Java has JMagick, C++ has Magick++, Python has PythonMagick, PHP has IMagick, and so on.

Consequently, it has become ubiquitous and is usually the underlying code responsible for image-manipulation features in:

  • Content management systems like WordPress and Drupal (that means, over half of the blogs out there rely on it for image processing);
  • Social media sites;
  • Forums (e.g. phpBB); and
  • Wikis

Possible exploitsbad-bug

There are currently a handful of known vulnerabilities in ImageMagick. But the two most alarming are CVE-2016-3717, which allows remote attackers to read arbitrary files through a crafted image and CVE-2016-3714, which allows remote attackers to execute arbitrary code in a crafted image.

The latter, now dubbed ImageTragick, is the more serious of the two. In layman’s terms, that particular vulnerability, once successfully exploited, would allow attackers to remotely control a compromised web server.  The attackers could, for instance, gain access to all system files, spread malware, steal sensitive information, or cut the entire system off the network. In other words, they would be able to do practically anything they want to on a compromised system.

Early this month, a bug bounty hunter discovered the CVE-2016-3714 vulnerability on one of Yahoo’s domains and was awarded a $2000 bounty for it. If this security flaw managed to go unnoticed at one of the largest Internet companies in the world, how do smaller organizations fare?.

Even when the vulnerability was first discovered, security researchers already believed that it had already leaked to other individuals. And because the exploit is rather basic, the number of threat actors were expected to multiply quickly.

The developers at ImageMagick have released multiple patches, now the onus is on admins and security teams to make sure that their systems are up to date.

BillGates – The Botnet That Spares Windows Machines

Gone are the days when Linux machPenguin-ID11834-640x427ines had that reputation of being immune to malware. Today, Linux systems, like their Windows counterparts, can even be ensnared into botnets that launch highly disruptive DDoS attacks. One such botnet family has been gaining considerable attention of late, largely in part because of its name – BillGates.

Much to the chagrin of Linux zealots, the BillGates malware is designed to infect only Linux machines. BillGates, which is based on the Elknot’s malware source code, is believed to be aimed at the same targets as XOR DDoS, a trojan that gained notoriety in 2015 but was eventually subject to a takedown by the authorities.

Like XOR DDoS, BillGates infects Linux systems and then allows attackers to control the infected machines through one or more C2 (command-and-control) servers. In most cases, the zombie computers are directed to conduct DDoS attacks. This particular toolkit supports a variety of attack vectors, including: ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7), and DNS query-of-reflection flood.

 

How BillGates infects and attacks

Unlike most botnet malware, BillGates doesn’t use phishing to infect. Instead, its attackers carry out brute force attacks on Linux SSH services in order to acquire root login credentials. Once they’ve acquired the passwords and gained access, the attackers then execute a bash script that would in turn download and run the malware on the compromised machine.

As soon as the malware is installed, it then performs a handful of functions that include the following:

  • Carry out persistence mechanisms. This is to ensure that it’s able to infect the host for as long as it needs to;
  • Replace system tools with corrupted versions. BillGates replaces tools like /bin/netstat, /bin/lsof, /bin/ps, and others that may be used for checking the integrity of the system. If, for example, /bin/ps is replaced, you won’t be able to view the actual processes running on your system.
  • Check its own health and integrity. If it discovers that something’s amiss, BillGates re-executes the main program and re-infects the host.
  • Contacts its C2 and executes commands. Once everything is in place, the malware communicates with its C2 server, receives commands from the server, and then executes the commands, which range from launching DDoS attacks to executing shell commands.

Like many nefarious kits these days, BillGates comes with a “builder” which allows just about anyone to create their own version of the malware. Thus, several botnets running their own variations of BillGates could be attacking their own separate targets around the globe as we speak.

More details can be found in Akamai’s threat advisory

 

Countering botnets

Because botnets pose such a serious threat to business, it’s important to prevent, detect, and act on botnet infections. We can help you in that regard. Our deep understanding of botnets has enabled us to assist businesses in countering some of the deadliest botnets ever. Please visit us online for more details and to register for a free online session.

Stack Buffer Overflows – Old Exploits Never Die

Buffer overflows remain one of the most highly exploitable vulnerabilities on the Internet. Just last month (Feb 2016), researchers from Red Hat and Google discovered a bug in the GNU C Library a.k.a.  Glibc that made machines running the glibc package vulnerable to stack-based buffer overflow exploits.

The glibc package is found in several Linux distributions, including those running on servers as well as some routers and other network devices, so the potential scope of impact is quite extensive. Fortunately, a bug fix has already been released and hopefully the majority of the affected machines should have been patched by now. Nevertheless, it doesn’t change the fact that buffer overflows continue to be a threat to information security.

Continue reading Stack Buffer Overflows – Old Exploits Never Die

Shadow Puppets – Domain Shadowing 101

Earlier this year (2016), WordPress sites were attacked by a massive malvertising campaign that employed an evasion technique known as domain shadowing. Domain shadowing is becoming increasingly popular among cybercriminals who employ exploit kits because of its superior ability to avoid detection. In this post, we explain what domain shadowing is, how it’s employed, why it’s so effective, and some of the ways to counter it.

What is domain shadowing?
Domain shadowing basically refers to the cybercriminal exercise of infiltrating multiple domain registrant accounts in order to spew forth several subdomains for malicious purposes.

Cyber criminals are able to acquire login credentials to these registrant accounts through methods like phishing and keylogging. Once they’ve gained access, these malicious individuals then create a large number of subdomains. These subdomains could then allow the crooks to carry out attacks behind perfectly legitimate domains, which make the attacks both hard to detect and counter.

domain_shadowingIn the exploit kit campaign discovered by Cisco’s Talos Group during their initial encounters with domain shadowing, the hijacked subdomains were set up in two layers. The first layer of subdomains, mostly third level subdomains (e.g. letters.somedomain.com), received traffic from the malicious ads served on legitimate web pages and then redirected the traffic to the second layer.

This second group of subdomains, now mostly fourth level subdomains (e.g. abcfsaa.letters.somedomain.com), in turn hosted exploit kit landing pages. The exploit kit then scanned the victim’s system for vulnerabilities and infected it with malware that would in turn set the system up for more nefarious acts. The number of subdomains on this group is much larger than the first and are rotated rapidly.

Why domain shadowing is so effective

One of the reasons why this technique is so effective is that registrant accounts are rarely checked. Perhaps the only times they’re ever opened are when they’re created, i.e. when the owner registers his/her first domain, and when the owner adds new domains.

Thus, these accounts are only accessed by their real owners about once or twice a year. This gives the attackers ample time to create illegitimate subdomains without getting noticed.

Another reason is that when the subdomains are finally called into play in an attack, they’re rotated rapidly. In fact, each subdomain may not stay active for more than an hour, depriving security groups the time to gather enough information and come up with any meaningful analysis about the attack.

Thirdly, domain shadowing is immune to many of the countermeasures being used today. For instance, domain reputation systems, which assign scores to known domains and block or allow traffic from certain domains based on their scores, can have limitations when used against domain shadowing. If the malicious subdomains are built off of reputable domains like say cisco.com, they can easily slip through.

Some people are suggesting that since the fourth level subdomains used in domain shadowing are usually made up of random alphanumeric characters, these kind of subdomains might be used as a basis to issue red flags. Unfortunately, several cloud based services also use such random naming conventions for the subdomains they generate, so using this characteristic as a filter can cause problems with false positives.

Clearly, any effective way of countering domain shadowing would require a combination of several approaches. First of all, domain registrants’ accounts must secured. Strong authentication, preferably 2FA, must be required in order to access these accounts to prevent them from being compromised. Reputation-based systems can also help in detecting malicious subdomains but, as stated earlier, must not be the only method.

Defence Intelligence solutions can help you prevent, detect or counter domain shadowing. To learn how, contact us today.

Google’s Latest Safe Browsing Update: The End of Fake Download Buttons?

You’ve probably browsed pages – some on well-known high traffic sites – that are full of ads with fake download buttons that took you further away from what you were actually searching for, to dark corners of the internet you’d never willingly visit and software you regret downloading. The real intent of these deceptive ads? Malware. Although they’ve been around for quite a while, they are becoming more prevalent. Some don’t even require a click to pass on an infection.

Here are some examples you probably recognize:

error1 error3error2

Good news for those of you who may not recognize these deceptive ads: Google’s Safe Browsing update aims to minimize your exposure to them. Recently, Google announced a new Chrome feature – as part of its Safe Browsing update – that warns users when they are about to visit sites with these call-to-malware ads. This means that any pages that mimic trusted entities (like your device, browser or the actual site) and trick you into disclosing sensitive information like passwords (that you’d typically only disclose to a trusted entity) will now be flagged by Google. Opening such site would give you the following warning:

error4

The update is turned on by default in Chrome. You can switch it on and off by checking or unchecking the “Protect you and your device from dangerous sites” box located under Preferences in Chrome (Preferences → Settings → Advanced → Privacy).

The ultimate question is: will Google’s latest update keep you completely safe from call-to-malware ads? The answer is most definitely “no.” Even when combined with ad blocking software or applications, Google’s Safe Browsing may not be able to completely keep these ads at bay.

For example, earlier this year, Forbes forced visitors to disable ad blocking software before they could read its content. Since Forbes serves a ‘quote of the day’ and an ad before directing visitors to main content, Google does not accurately cache the page’s content/data. The result was that users were immediately served malware after they disabled ad blockers. Other high profile sites like the New York Times have been victim to similar attacks.

It also looks like it will take a while for Google to compile a comprehensive list of flagged sites. If your site has been flagged, you can follow these instructions to fix the issue.

While Google’s latest Safe Browsing update is an important step towards making the internet a safer space for us, we certainly won’t see the end of malware ads just yet.

Why ‘EmailGate’ Isn’t Just a Problem for Clinton

The U.S. elections of 2016 have resulted in some of the most heated debates across a number of contentious issues. The personalities involved in the run up to the November presidential election are an explosive mix and the resulting accusations and mudslinging makes for great TV.  The accusations range in tone from almost playground jibes, such as the one made towards Cruz, by Trump, saying his Canadian birth could make the senator “vulnerable”, to serious accusations that could materially impact the candidate’s status. Jibes like this may muddy the electoral waters, but the more serious accusations that we’ve seen recently against Hillary Clinton, can have much further repercussions.

Hillary_Clinton_Testimony_to_House_Select_Committee_on_BenghaziHillary Clinton and ‘Those Emails…’

Around this time last year, there was a bit of a storm around Hillary Clinton, then secretary of state, who had been revealed as using a private, home-based, server to manage her emails. At the time, she was accused of using this system to prevent freedom of information requests and searches. Clinton defended herself by saying the emails were not deemed as ‘classified’, something that has since been hotly disputed. The press lambasted her for creating her own, ‘homebrew’ email system; the security of which was uncertain and which gave her powers of control over her emails that rankled those wanting transparency from their politicians. This level of irritation over the use of a personal server was not unfounded. If an issue of state security did occur, it would be vital to have full disclosure of emails. We would then have to rely on Clinton’s word that she had disclosed them, or that she could prove no malicious disclosure had occurred – not an ideal situation for any government to have to deal with. Just to give you an idea of the scale of this issue, so far 1200 emails from that homebrew sever have been checked and retro-actively marked as ‘classified’.

The truth of the matter may never fully come to light, but the story of Hillary Clinton’s ‘EmailGate’, rumbles on. We are now finding out that some of those emails Clinton originally stated were not classified, were in fact, top secret emails.

Trump, a master of marketing, has of course used this to his own advantage. He is using ‘EmailGate’ to damage Clinton’s reputation because of her poor handling of security. Clinton may also find more than her reputation damaged if any subsequent issues come to light, especially around security.

trump_twitter

Ignore Security at Your Peril

Poor security choices may well cost Clinton the presidency. But she isn’t the only one damaged by not taking security and privacy seriously. We are currently watching the world of cyber-crime explode; in fact, Senator John Kerry has described the situation as being, “…pretty much the wild west…” and stated that he fully expects the Russians and Chinese to be reading his emails.  In the last few years we have seen a general increase in the likelihood of a successful cyber-breach. Privacy Rights Clearinghouse which is a non-profit U.S. based organization, sets out to spot trends and quantifies breaches. You can go to their ‘data breaches timeline’ and see the level of breaches per year since 2005. In 2010 there were just fewer than 13 million records breached. In 2014 this figure had risen to almost 68 million breached records, and in 2015 there were a staggering 159, 436, 735 records compromised. This means an awful lot of organizations and the people who head them are seeing financial penalties and their reputations damaged.

Cyber-litigation On the Increase: Now it’s Personal

These cyber-breach figures are not only resulting in an awful lot of stolen data, they are translating into litigation. The Federal Trade Commission (FTC) can and does prosecute firms for poor security measures. In 2015 the FTC made a ruling that will impact all companies who are custodians of data, especially of customer data. The ruling came out of the case of the FTC vs. Wyndham Hotel and Resorts where Wyndham failed to give reasonable protection to personal customer details. The FTC can now more readily bring cybersecurity cases to court and prosecute businesses that do not put in place good measures to protect customer data.

The massive breach suffered by retailer Target has resulted not just in reputational damage, but major financial losses. Resulting lawsuits by banks and credit unions associated with the firm have amounted to $39 million; a class action by Target customers is also in progress against the retailer.

And now it’s also getting personal. There is a human impact too, above and beyond the affected customers and the class actions; Target’s CIO, Beth Jacob, ended up resigning over the cyber-breach debacle. Donna Seymour, CIO of the Office of Personnel Management (OPM), who experienced a breach of around 22 million employee records last year, is now being sued because she failed to protect those individuals’ identity data. If this lawsuit is successful and chances are it will be, then we should expect to see more personal lawsuits taken out against executives of breached companies.

Reputation and Security Go Hand-in-Hand

One thing that we can be sure of in the Hillary Clinton ‘EmailGate’ case is that her reputation has been irreversibly tarnished. Reputation on both a commercial and individual level is a very delicate matter and once lost is difficult to put right. Financial losses are one thing and very damaging they can certainly be, but to lose a reputation can mean a previously shining career is ruined. We can no longer hide behind our company lawyers. As executives we need to take control of our cybersecurity strategy and ensure that from the board level downwards, everyone takes security and privacy seriously.

Rotten to the Core – Thousands of Apps in Apple’s Store Infected

A multitude of apps in Apple’s Chinese App Store contained a form of malware that recently bypassed Apple’s code screening process. Researchers at FireEye have found approximately 4,000 apps to be infected with the XcodeGhost malware, affecting hundreds of millions iOS users worldwide. Once downloaded, these malicious applications have the potential to obtain and utilize device and user information, though Apple has saidthey’ve found nothing to suggest any malicious activity as of yet.

Xcode is an integrated development environment (IDE) which contains a suite of software development tools generated by Apple for the development of software for OS X and platforms. XcodeGhost is the malware found in unofficial versions of Xcode downloaded by Chinese rottenappledevelopers. It has the capability to modify Xcode and infects iOS applications. WeChat and Angry Birds 2 are just a couple of examples of popular infected applications that are now being updated in the App Store with malware free versions, while many other iOS applications identified as being infected with XcodeGhost are temporarily unavailable. In conjunction with this, Apple has sent email notifications to affected developers, thus instructing them to recompile their products by official Xcode, and to re-submit accordingly in order to prevent future breaches. Is it too late however? Has the damage been done?

Some are labelling this incident as a “first of its kind security breach” exposing a vulnerability and security gap in Apple’s mobile platform, which was once conceptualized as being the most secure of its kind. It is important to note that there was a failure to identify this malware prior to it infiltrating Apple and its users. How did this happen and how may this have been prevented? With modern day tools and technologies in place to protect against such occurrences, how will organizations such as Apple move forward in addressing this security gap?

What one can deduce from this incident is that, contrary to popular belief, Apple is not in fact more safe and secure than PC/Android. Does this incident mean reduced credibility and competitive advantage for Apple within the market? I suppose that is something yet to be determined. What we do know for certain, however, is that there is a security gap which is very much in existence today. Users, unfortunately, are not as aware as they should be when downloading files and applications, especially when the applications in question are being hosted by a “trustworthy” source such as the App Store.

Hackable Houses and Compromised Cars

The following is a guest post written by Lucy C., a co-op student from Lisgar Collegiate Institute in Ottawa.

The idea of having a smart home or a smart car is extremely tempting. Being able to live in a world that is fine tuned to exactly your needs seems like a sci-fi paradise. Cars that drive and park themselves, pre-programmed with GPS systems and traffic control, so you know exactly how long your drive to work each morning will be. A home that adjusts it temperature controls depending on your body heat and doesn’t require a key for entry as it recognizes your presence. A kitchen that can cook you breakfast each morning before you awake and a pillow that wakes you up at the exact right moment in your REM cycle.

All of these features and products sound great in theory, but in practice they do have a major downfall; your privacy and security will never be more at risk. All these useful devices will be collecting a slew of personal data about every aspect of your life and if any devices were hacked and controlled by an outside source, the ramifications would be unimaginable.

With your every action tracked and recorded, companies will have all the personal data they could ever want on every consumer. Even if the system is not compromised by a hack and the data is never stolen by an outside source, there is still the lurking possibility that the company will sell your data to other enterprises or to the government, who would then know the every movement of every citizen.

This lack of privacy is accompanied by a frightening lack of security. If someone were to gain control of your smart home or smart car, they could wreak havoc on your life. You could be unable to access your home or they could gain entry to your home by simply pressing a button. It would bring a new age to terrorism, imagine the power a group would hold if they had the capability to crash every car in a city in an instant. Or lock whole cities out of all their buildings.

And the scariest part of these new smart homes and cars? So far, they are surprisingly easy to hack. There are already stories of strangers gaining access to baby monitors and being able to speak through them. The Insteon home control system, a remote control system for turning on and off electronics and controlling temperature in your home, used to be based online with only occasionally password protection, so, if you discovered one of the sites, you could turn on and off any electronics in the home and have access to all the personal data that the system had gathered.

 

These potentially disastrous consequences of smart homes and cars bring about a burning question: are consumers ready to part with their security and privacy just to have all these cool new personalized gadgets?

Your Reputation after a Data Breach.

Whether you asked for it, had an active hand in making it, or even acknowledge it, you have a reputation. It can be built up, blown up, and is blended from both fact and fiction. It is a wild beast that is only tamed in the way an adult grizzly plucked from the forest can be tamed. Despite all volatility and fragility you must manage it as best you can, because when your reputation takes a hit the foundations of success begin to shudder.
A company’s reputation is the same. After Target’s data breach one year ago, their customer satisfaction and service reputation stayed in decline for many months after. S&P cut target’s credit rating due to the breach’s bigger than expected impact on traffic and sales. Their profits dropped 46% in Q4 of 2013 and their CEO was ousted five months after the breach went public.
There are plenty of tangible costs when a data breach occurs: lost productivity, forensic investigation, technical support, system availability, compliance and regulatory failure. Much of these costs, while significant, are manageable to an extent when the breach is kept under wraps. When word of a breach crosses over to the consumer side, the final tally of damage and cost is unpredictable.
42% of breached companies lost customers and business partners. 46% of a breached company’s clients would no longer recommend the organization.
Companies like Sony, Home Depot, P.F. Chang’s, Staples, Michaels, K-Mart have all been targets of data theft. Their damaged reputations will recover over time but the repair costs are significant. A Ponemon survey stated the average damage done to a brand ranges from $184 to more than $330 million and, at best, brands lost 12% of their value after a breach.

Every company needs to do more to keep their reputation secure. While some data breaches will be physical blunders, many of them will be malware forcefully or welcomely entering the network.

Defence Intelligence helps their clients keep their data and their reputation secure with their advanced malware protection services. Take a look at what we can do to help.
Don’t be the next victim.

The most interesting DDoS ever?

Those of you outside of Canada may not have been following this
story, but you might want to as this one seems to have it all:
  • Accusations of police ineptitude and overreach
  • Listening devices
  • Claims and counter-claims concerning Anonymous
  • Twitter sparring
  • Social engineering
  • Multiple DDoS attacks
  • Bureaucratic boilerplate statements aplenty

The abbreviated story goes something like this…

 
  • An Ottawa teenager is charged with 60 offences related to
    ‘swatting’ various targets across North America.
  • Hacker claims to have proof that said teen is innocent – identifies another as the culprit. 
  • Hacker contacts family of the accused and the media.  Listening devices apparently discovered at suspects home. 
  • Hacker takes down city, police and court websites to bring attention to the case. 
  • Officials assure the public that no data has been breached, but that hacker managed to get password from service provider via phone. 
  • Hacker continues to post via social media, promising proof. 
  • Father of the accused now says he is a ‘person of interest’ in the case.
We’ve seen hundreds of ddos attacks in the news over the years,
and thousands of them in the security community.  They usually aren’t all that noteworthy and barely get a second glance.  The attacks in Ottawa and Canada over the past couple of weeks are rather unique, however.  You can catch up on the saga via: