Security Roundup

Around the end of each month (just before or just after) I will be reviewing some of the security issues that were important within the past month. The hope for this will be to get some of the information from the past month together onto the same page for a quick review.

Intel Management Engine

May 1st came with the announcement of a privilege escalation vulnerability for Intel computers. The Management Engine includes Active Management Technology (AMT), which is designed to help system admins work on computers remotely. This vulnerability allows attackers to bypass the password requirement, access the management interfaces, and control the computer. The vulnerability is only dangerous for those that have enabled and provisioned AMT. The attack can be carried out locally or over a network. This vulnerability affects Intel chipsets going back to 2008. Firmware updates and discovery tools have been posted by manufacturers and Intel.

More information can be found on EFF Deeplinks.

To see if you were affected you can also look at Intel's Advisory.

Handbrake - Mac Attack

This month serves as another reminder that Mac OS is not impervious. Between May 2nd and May 6th, Handbrake's distribution systems were hacked and downloads through Homebrew and Handbrake's website were affected.

The malware spoofed the system password prompt and sent the captured password off to its command and control server. Other information such as browser data, keychains, and password vaults were targeted. Since the malware had already grabbed the user's password, it is quite possible that the attackers would be able to open the keychain and password vault.

Users who have the Mac version of Handbrake 1.0.7 installed from an online download should follow the instructions on Malwarebytes' blog.

More information can be found on Malwarebytes' blog.

Google Docs Phishing Attack

The first week of May proved extremely troublesome for security. The third attack at the beginning of the month was a phishing attack meant to impersonate Google Docs emails. The email took users who clicked on the included link to a separate application asking for authentication. Once this authentication was granted, the application had direct access to the user's emails and contacts. Google responded very quickly to shut down the application and accounts that were related to the phishing attack.

For more information please read The Verge's article.

Wanna Cry

This month's biggest news maker in computer security was definitely Wanna Cry. Wanna Cry was targeted at the SMB service on Windows, which handles network drive connections. Wanna Cry used both local network port scanning and internet port scanning to propagate. Once installed it quickly encrypted files with known extensions.

The SMB exploit used to infect computers was originally discovered by the NSA and was leaked online by the ShadowBrokers in April. After getting into computers, Wanna Cry also installed a backdoor called DoublePulsar. Due to the way that Wanna Cry was created, decryption efforts have been hit or miss.
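
The propagation described above, a single host connecting to many distinct machines on the SMB port in a short window, is something a defender can spot in ordinary firewall or flow logs. The following is an added example, not code from the original post: it parses constructed log lines in a made-up `timestamp src= dst= dport=` format and flags any source that reaches more than a threshold of distinct SMB destinations within a sliding time window. The threshold, window, and sample addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# SMB listens on TCP 445 (direct) and 139 (NetBIOS session service).
SMB_PORTS = {445, 139}

# One record per line: "<ISO-8601 UTC timestamp> src=<ip> dst=<ip> dport=<port> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample log (not real traffic). 10.0.0.8 is a normal client talking to
# one file server; 10.0.0.9 is browsing the web; 10.0.0.5 behaves like a worm,
# touching 12 LAN hosts and 3 internet hosts (203.0.113.0/24 is a documentation
# range) on port 445 within 15 seconds. One malformed line tests parser robustness.
SAMPLE_LOG = (
    "2017-05-12T10:00:01Z src=10.0.0.8 dst=10.0.0.100 dport=445 proto=tcp\n"
    "2017-05-12T10:00:02Z src=10.0.0.8 dst=10.0.0.100 dport=445 proto=tcp\n"
    "2017-05-12T10:00:03Z src=10.0.0.9 dst=93.184.216.34 dport=443 proto=tcp\n"
    "this line is garbage and has no fields\n"
    + "".join(
        f"2017-05-12T10:00:{10 + i:02d}Z src=10.0.0.5 dst=10.0.0.{20 + i} dport=445 proto=tcp\n"
        for i in range(12)
    )
    + "".join(
        f"2017-05-12T10:00:{22 + i:02d}Z src=10.0.0.5 dst=203.0.113.{10 + i} dport=445 proto=tcp\n"
        for i in range(3)
    )
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def find_smb_fanout(lines, threshold=10, window_seconds=60):
    """Map each source IP that contacted >= threshold distinct SMB destinations
    within any window_seconds-long window to the largest such distinct count."""
    events = defaultdict(list)  # src -> [(ts, dst), ...] for SMB-port connections only
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in SMB_PORTS:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so a two-pointer sliding window works
        counts = defaultdict(int)  # dst -> occurrences inside the current window
        left = 0
        best = 0
        for right, (ts, dst) in enumerate(evs):
            counts[dst] += 1
            # Shrink the window from the left until it spans <= window_seconds.
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old_dst = evs[left][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, n in find_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {src} reached {n} distinct SMB hosts within 60s")
```

The normal client 10.0.0.8 is ignored because it only ever talks to one server, however many connections it makes; the worm-like 10.0.0.5 trips the alert with 15 distinct destinations. Tune `threshold` and `window_seconds` to the real baseline of the network (print servers and backup hosts legitimately fan out), and pair the rule with a denylist of internet-bound port 445 traffic, which very few workstations have any reason to generate.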

During the initial infection period, a security researcher registered the domain that was listed in the Wanna Cry code. Once this domain was registered and pointed at a live server, new infections of the original variant of Wanna Cry stopped. Later variants had this kill switch domain removed to prevent this behavior.

Microsoft even broke its end-of-life policy for Windows XP and released a patch to help protect machines that were still using the OS. This action will hopefully help people who must still use XP for specific hardware or certifications.

These podcasts from TWiT cover the installation and some edge case testing very well: Know How Episode 312, Know How Episode 314

For quite a few more resources check out Malwarebytes' roundup.