PwC Weekly Security Report (edition 73)

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Threat and vulnerabilities: Linux flaw allows Sudo users to gain root privileges

Top story: Unprotected Hadoop servers expose 5 PB of data: Shodan

Malware: Chinese ‘Fireball’ malware infects 250 million computers

Threat and vulnerabilities: Chrome bug allows websites to stealthily record audio and video

Chrome bug allows websites to stealthily record audio and video

Threat and vulnerabilities

There is a bug in Google Chrome that reportedly allows websites to record audio and video without showing any visual indicator.

Ran Bar-Zik, a web developer at AOL, discovered the bug while working on a website that ran WebRTC code and quickly raised the alarm. A site still has to obtain the user's permission before it can access the microphone or camera, but he argues that once that permission exists the flaw lets the site spy on users without their noticing.

When Chrome records audio or video, a red dot normally appears on the tab to indicate that a stream is live. Bar-Zik found, however, that the code doing the recording does not have to run in the tab where the permission was granted: he was able to open a Chrome pop-up window from the permitted site and record audio and video from it with no visual indicator at all.

Bar-Zik reported the flaw to Google, but the company does not consider it a problem.

"This isn't really a security vulnerability - for example, WebRTC on a mobile device shows no indicator at all in the browser," a Google spokesperson said. "The dot is a best-first effort that only works on desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation."

Bar-Zik disagrees, and in an interview with Bleeping Computer argued that many people suffer from UI fatigue and click through permission prompts without reading what they agree to.

He added that once a user has granted a website permission, attackers could build more sophisticated attacks on top of it and potentially open a surveillance channel on the victim's PC. Chrome stores a camera or microphone grant per site, so the grant outlives the tab in which it was given; a user who wants to be sure the channel is closed has to revoke it in the browser's site settings.

"Real attacks will not be very obvious," Bar-Zik said.

Source: https://www.theinquirer.net/inquirer/news/3010995/chrome-bug-allows-websites-to-stealthily-record-audio-and-video


Chinese ‘Fireball’ malware infects 250 million computers

Malware

The security firm Check Point says it has found a malware infection of staggering scope and destructive potential. Originating in China, the "Fireball" malware package is believed to have infected more than 250 million computers worldwide and is present on 20% of corporate networks, with major infection centers in India, Brazil, and Mexico.

Check Point calls it "possibly the largest infection operation in history."

The malevolent software appears to be mainly intended to generate fake clicks and traffic for its creator, a Beijing advertising firm called Rafotech. When installed, the software redirects a user’s browser to websites that mimic the look of the Google or Yahoo search homepages. The fake pages surreptitiously gather private information on the user using so-called tracking pixels.

But Fireball also has the ability to execute commands remotely—including downloading further malicious software. Fireball’s creators (or third-party hackers who find a way to take control) could theoretically transition from ad-scamming to selling harvested data, or even harness infected machines into a globe-spanning botnet of immense destructive power.


Many botnets much smaller than Fireball’s collection of 250 million compromised machines have been involved in major DDoS (for "distributed denial of service"), spam, or other campaigns. The Mirai botnet that knocked out Internet service for millions of people last December was estimated to have included as few as 120,000 devices—and those were mostly connected cameras and routers with far less power than the PCs targeted by Fireball.

According to Check Point, another scenario would simply see Rafotech mass-harvest data from infected machines and sell it—from credit card numbers to business plans and patents—to the highest bidder.

The San Carlos, Calif. security company describes Fireball as "a pesticide armed with a nuclear bomb." Rafotech, Check Point warns, "holds the power to initiate a global catastrophe." It adds: "The potential loss is indescribable."

According to Check Point, the Fireball package is mostly bundled with free software downloads and installed without the user’s knowledge. Check Point names a few programs found to carry it, including Soso Desktop and FVP Imageviewer. The clearest sign of an infection is finding that your browser has been redirected to a new homepage. Check Point’s post provides detailed instructions for detecting and removing infections.


"According to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria which would allow these actions to be considered naïve or legal," Check Point writes. "The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal their true nature."

Rafotech’s homepage, Rafotech.com, is currently offline, but archived versions from 2016 tout the company’s ability to sell “creative ads” for website operators. The site also makes thoroughly ironic claims about a “strong anti-spamming system.”


The archived site also touts Rafotech’s role in publishing mobile apps including games like Cutie Clash and Casual Warrior. Considering recent revelations about the potential for Android apps to load malicious software onto phones, it's worth steering clear of these and any other Rafotech products.

Rafotech's LinkedIn page describes the company as a unit of “one of the premium publisher powering over 6 billion monthly impressions” and touts its “deep understanding of what it means to monetize more.”

Source: http://fortune.com/2017/06/03/chinese-fireball-malware-infection/

Linux flaw allows Sudo users to gain root privileges

Threat and vulnerabilities


A vulnerability in the way Sudo parsed tty information from /proc could allow a local user with sudo rights to overwrite any file on the filesystem, and thereby gain root, on SELinux-enabled systems.

Tracked as CVE-2017-1000367, the vulnerability was discovered by Qualys Security in Sudo's get_process_ttyname() function for Linux. The issue resides in how Sudo parses tty information from the process status file in the proc filesystem.

The vulnerability can be exploited by a local user who is allowed to execute commands via Sudo, and results in escalation to root. With a CVSS v3 base score of 7.8, the issue is rated High severity.

In its advisory, Qualys Security explains that Sudo's get_process_ttyname() function opens "/proc/[pid]/stat" (see proc(5)) and reads the device number of the tty from field 7 (tty_nr). Although these fields are space-separated, field 2 (comm, the filename of the command) can itself contain spaces, which shifts the position of every later field and lets the attacker choose the value Sudo reads as tty_nr.

Thus, Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command's output, including root-owned files.

To exploit the issue, a Sudo user chooses a device number that does not exist under "/dev". Because Sudo performs a breadth-first search of /dev if the terminal is not found under the /dev/pts directory, the user can allocate a pseudo-terminal between the two searches and create a “symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm,” the Sudo project's alert reads.

Sudo then uses that file as the command's standard input, output and error when an SELinux role is specified on the sudo command line. If the symbolic link is replaced with another file before Sudo opens it, the command's standard output or standard error is written to that file, so arbitrary files can be overwritten.

“If SELinux is enabled on the system and Sudo was built with SELinux support, a user with sudo privileges may be able to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers,” the alert on Sudo reveals.

The issue affects all Sudo versions from 1.8.6p7 through 1.8.20 and is resolved in Sudo 1.8.20p1. Running sudo -V shows the installed version; distributions that backport fixes may keep an older version string, so the vendor's advisory is the authority on whether a given package is patched.
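The field shift Qualys describes, as an added example written in Python rather than sudo's C (this is not sudo's own code, only the two ways a parser of /proc/[pid]/stat can be written): the naive parser counts whitespace-separated fields and takes the seventh, while the corrected one anchors on the last ')' that closes comm, as proc(5) prescribes. The stat lines are constructed; 34816 is the Linux device number of /dev/pts/0 (major 136, minor 0) and the remaining values are made up.

```python
"""/proc/[pid]/stat parsing: the tty_nr field shift behind CVE-2017-1000367.

Added example, not sudo's code. Sample lines are constructed; 34816 is the
Linux encoding of /dev/pts/0 (major 136, minor 0), other numbers are made up.
"""
from typing import Tuple


def parse_tty_nr_naive(stat_line: str) -> int:
    """Field-counting parse: the pattern that went wrong in sudo 1.8.6p7-1.8.20.

    Splits on whitespace and takes token 7 as tty_nr. Correct only while the
    comm field (token 2, in parentheses) contains no spaces, and comm comes
    from the name of the file sudo was executed as, which the caller controls.
    """
    fields = stat_line.split()
    return int(fields[6])


def parse_tty_nr_safe(stat_line: str) -> int:
    """Parse that anchors on the last ')' terminating comm, as proc(5) requires.

    comm is the only field that may contain spaces (and even ')' characters),
    so everything after the last ')' is a clean space-separated list that
    starts at field 3 (state). tty_nr is field 7, i.e. index 4 of that list.
    """
    close = stat_line.rfind(")")
    if close < 0:
        raise ValueError("malformed stat line: no ')' terminating comm")
    rest = stat_line[close + 1:].split()
    if len(rest) < 5:
        raise ValueError("malformed stat line: too few fields after comm")
    return int(rest[4])


def tty_major_minor(tty_nr: int) -> Tuple[int, int]:
    """Split tty_nr into (major, minor) using the layout given in proc(5):
    major in bits 15..8, minor in bits 31..20 and 7..0."""
    major = (tty_nr >> 8) & 0xFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    return major, minor


# Field layout that matters here (proc(5)):
#   1 pid   2 (comm)   3 state   4 ppid   5 pgrp   6 session   7 tty_nr ...
TAIL = "4242 4194560 0 0 0 0 1 0 0 0 20 0 1 0 100 0 0"

# Constructed: sudo run normally, comm is "sudo", controlling tty is /dev/pts/0.
NORMAL = "4242 (sudo) S 4100 4242 4100 34816 " + TAIL

# Constructed: the same process started through a symlink to sudo whose
# basename is "x x x x x 123 y" (15 chars, within the kernel's comm limit).
# The kernel still reports tty_nr 34816, but a field counter lands on "123".
SHIFTED = "4242 (x x x x x 123 y) S 4100 4242 4100 34816 " + TAIL

# Constructed: comm containing ')' as well; a parser that stops at the first
# ')' instead of the last one misreads this line too.
PAREN = "4242 (x) 9 9 9 9 12 y) S 4100 4242 4100 34816 " + TAIL


def compare(stat_line: str) -> Tuple[int, int]:
    """Return (naive_tty_nr, safe_tty_nr) for one stat line."""
    return parse_tty_nr_naive(stat_line), parse_tty_nr_safe(stat_line)


if __name__ == "__main__":
    for label, line in (("normal", NORMAL), ("shifted", SHIFTED), ("paren", PAREN)):
        naive, safe = compare(line)
        print(f"{label:8s} naive={naive:6d} {tty_major_minor(naive)}"
              f"  safe={safe:6d} {tty_major_minor(safe)}")
```

The attacker-chosen value 123 decodes to major 0, minor 123, a device that does not exist under /dev/pts, which is exactly the condition the advisory needs to push Sudo into its wider search of /dev.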

Source: http://www.securityweek.com/linux-flaw-allows-sudo-users-gain-root-privileges

Unprotected Hadoop servers expose 5 PB of data: Shodan

Top story

Hadoop servers that are not securely configured expose vast amounts of data, according to an analysis conducted using the Internet search engine Shodan.

A Shodan search uncovered nearly 4,500 servers running the Hadoop Distributed File System (HDFS), the primary distributed storage used by Hadoop applications. These servers were found to expose 5,120 TB (5.12 PB) of data.

By comparison, MongoDB deployments, which are also known to expose a lot of data, accounted for 47,820 servers but only 25 TB of exposed data.

Of all the Hadoop servers that expose data, 1,900 are located in the United States and 1,426 in China. The next on the list are Germany and South Korea, with 129 and 115 servers, respectively. A majority of the HDFS instances spotted by Shodan are hosted in the cloud, mainly Amazon (1,059 instances) and Alibaba (507).

Late last year, researchers started seeing ransom attacks aimed at unprotected MongoDB databases. Attackers either erased or stole data and asked victims to pay a ransom if they wanted to recover it. These types of attacks later began targeting Elasticsearch, CouchDB and Hadoop servers.

According to Shodan founder John Matherly, these ransom attacks are still being launched against both Hadoop and MongoDB installations, and a majority of the Internet-exposed MongoDB servers appear to have already been compromised.

When researchers first reported seeing attacks targeting HDFS installations, they pointed out that, in some cases, attackers erased most directories and created a single directory named “NODATA4U_SECUREYOURSHIT,” without asking for a ransom.

Shodan searches for the “NODATA4U_SECUREYOURSHIT” string show that, currently, there are more than 200 such HDFS clusters.
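The check a practitioner wants after reading this, as an added example that is neither Shodan's nor the article's code: ask the NameNode's WebHDFS REST endpoint to list "/" with no credentials. An open cluster answers with a JSON listing, a Kerberos-secured one answers 401, and a listing whose only entry is the NODATA4U_SECUREYOURSHIT directory means the data is already gone. The fetch function is injectable so the verdict logic runs offline against the constructed replies embedded below; port 50070 assumes a Hadoop 2.x NameNode (Hadoop 3.x uses 9870), and namenode.example is a placeholder host.

```python
"""Check an HDFS NameNode for unauthenticated WebHDFS access.

Added example, not code from the article or from Shodan. The replies below
are constructed. Port 50070 is the NameNode HTTP port of Hadoop 2.x (an
assumption about the target; Hadoop 3.x moved it to 9870).
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Directory name left behind by the HDFS wiping attacks described above.
RANSOM_MARKER = "NODATA4U_SECUREYOURSHIT"

# A fetcher maps a URL to (HTTP status, body); injectable so the logic runs offline.
Fetcher = Callable[[str], Tuple[int, str]]


def http_get(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET a URL and return (status, body); HTTP error replies are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "hdfs-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def parse_listing(body: str) -> Optional[List[str]]:
    """Return top-level entry names from a WebHDFS LISTSTATUS reply, or None if the
    body is not such a reply (an HTML error page, some other service on the port)."""
    try:
        entries = json.loads(body)["FileStatuses"]["FileStatus"]
        return [str(entry["pathSuffix"]) for entry in entries]
    except (ValueError, KeyError, TypeError):
        return None


def audit_namenode(host: str, port: int = 50070, fetch: Fetcher = http_get) -> Dict[str, object]:
    """Ask the NameNode to list "/" over WebHDFS with no credentials at all.

    A cluster with hadoop.security.authentication=kerberos answers 401; an open
    one hands the listing to anyone who can reach the port.
    """
    url = f"http://{host}:{port}/webhdfs/v1/?op=LISTSTATUS"
    status, body = fetch(url)
    names = parse_listing(body) if status == 200 else None
    return {
        "url": url,
        "status": status,
        "exposed": names is not None,
        "top_level": names or [],
        "wiped": names is not None and RANSOM_MARKER in names,
    }


def canned(status: int, body: str) -> Fetcher:
    """Fetcher that returns one fixed reply, for offline runs against the samples below."""
    return lambda url: (status, body)


def _entry(name: str) -> Dict[str, object]:
    # Shape of one FileStatus object in a WebHDFS reply, reduced to the fields used here.
    return {"pathSuffix": name, "type": "DIRECTORY", "owner": "hdfs",
            "group": "supergroup", "permission": "755", "length": 0}


# Constructed reply from an open NameNode that has already been wiped.
OPEN_WIPED = json.dumps({"FileStatuses": {"FileStatus": [_entry(RANSOM_MARKER)]}})
# Constructed reply from an open NameNode still holding data.
OPEN_INTACT = json.dumps({"FileStatuses": {"FileStatus": [_entry("user"), _entry("warehouse")]}})
# Constructed reply from a Kerberos-secured NameNode.
SECURED = (401, "Authentication required")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check against a NameNode you are responsible for
        print(audit_namenode(sys.argv[1]))
    for label, reply in (("wiped", (200, OPEN_WIPED)),
                         ("intact", (200, OPEN_INTACT)),
                         ("secured", SECURED)):
        print(label, audit_namenode("namenode.example", fetch=canned(*reply)))
```

If the check reports exposed on a cluster you own, the fix is not a firewall rule alone: enable Kerberos (hadoop.security.authentication=kerberos and hadoop.security.authorization=true in core-site.xml) so that WebHDFS and the RPC port both demand credentials, and keep the NameNode's HTTP port off the public Internet.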

Matherly has shared detailed instructions on how to replicate the searches on Shodan for those who want to conduct their own investigations.

Source: http://www.securityweek.com/unprotected-hadoop-servers-expose-5-pb-data-shodan

About PwC

For any queries, please contact:

Sivarama Krishnan [email protected]

Amol [email protected]

This report presents the highlights of security news and events from around the world that have been published on external websites.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC, its partners, employees and agents do not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. PwC is however available for follow-up on any queries you may have regarding information and IT security. The views, opinions and interpretation shared in the newsletter are strictly those of the individuals collating this newsletter and are not necessarily a representation of the firm's views. All images, information and references in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws of the respective publisher. Our sharing of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download, transmit, modify, adapt or create derivative works.

© 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN: U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

MA/June2017-9868

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,23,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

In India, PwC has offices in these cities: Ahmedabad, Bangalore, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in

PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.

©2017 PwC. All rights reserved