Duo Labs

The Weekly Ink #35

The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.

If you have links that you think would be interesting for inclusion and commentary, send them our way at labs@duosecurity.com.

What do Spiderman and QEMU have in common? They both get pwned by Venom

CrowdStrike has disclosed a hot new vulnerability in virtualization software that relies on QEMU for floppy drive emulation -- meaning things like Xen, KVM, VirtualBox, and the native QEMU client.

Since we're living in the Age of Brands where every company wants to be your best friend on Twitter with a friendly logo and social media manager-approved tweets, the infosec crowd has taken note and now everyone's busting their ass to have the hippest logo and marketing sites and blogs for their vulnerabilities, for the maximum social-economy payout.

[Image: the official VENOM logo]

The vulnerability itself is pretty cool, and we should see some full exploit PoC code within the next couple days allowing for VM escape. The exploitability is somewhat mitigated by the fact that root permissions are required in the guest VM, but it's well-known best practice to always run your buggy PHP web apps as root. The greater danger is in cloud-hosting solutions that rely on virtualization that haven't patched; a bad actor could theoretically get a virtualized server of their own on one of these environments, escape to the host, and wreak havoc.

Putin On The Ritz

The ominous APT28 group, suspected by FireEye to be sponsored by the Russian government, has been accused in a new report by security firm root9b of targeting international banks including TD Bank, Bank of America, UAE Bank, and other organizations including the United Nations Children's Fund, United Bank for Africa and Regions Bank.

Beyond the implications for national security and international relations, I'm not sure that the output of government-sponsored hacking groups is particularly notable. While such groups exist and try to compromise both private and public institutions, their main strength is in having the funding and personnel to be incredibly persistent. Their computers obey the same rules as anyone else's, and most breaches are going to be caused by human error or oversight on the part of service operators.

In other words, they probably won't burn 0-day on you if there's a glaring hole elsewhere in your security, and root9b's study even confirmed that advanced groups like APT28 use the same techniques any teenaged nerd knows about, such as spearphishing.

Annoyed by scanning? Maybe try a firewall.

Whether it's benign fingerprinting, possibly CFAA-violating scans that attempt to run code on your servers "totally just to see if you're vulnerable or not, for research", or an attacker performing reconnaissance, your networks are going to be scanned.

Every time some UM-affiliated ZMap developers come to our local ARBSEC meetup, they share more funny stories of network and service operators angry about their scanning.

A couple of the developers were interviewed by Brian Krebs and they present strong arguments against the unrealistic security-by-obscurity perspective they often encounter in their work, as well as share some surprising findings from their research and thoughts on the success of their Heartbleed notification program and the future of their work.