PwC Weekly
Security Report
This is a weekly digest of security news and events from around the world. Excerpts
from news items are presented and web links are provided for further information.

Malware
Windows botnet spreads Mirai malware

Threats and vulnerabilities
Internet users urged to change passwords after Cloudbleed

Threats and vulnerabilities
Google’s Project Zero reveals vulnerability in Internet Explorer and Microsoft Edge

Top story
Crypto specialists break SHA-1 security standard

Windows botnet spreads Mirai malware

Security researchers from Kaspersky Lab are currently investigating the first Windows-based spreader for the Mirai malware, something that can have huge implications for companies that invested heavily in IoT.

The spreader was apparently built by someone with "more advanced skills" than those that had created the original Mirai malware. This, Kaspersky Lab says, has "worrying implications for the future use and targets of Mirai-based attacks."

It is richer and more robust than the original Mirai codebase, even though many of its components are "several years old." Its spreading capabilities are limited, as it can only deliver from an infected Windows host to a vulnerable Linux-powered IoT device. Even that -- if it can brute-force a remote telnet.

It was also said that the author is likely Chinese-speaking, more experienced, but probably new to Mirai.

"The appearance of a Mirai crossover between the Linux platform and the Windows platform is a real concern, as is the arrival on the scene of more experienced developers. The release of the source code for the Zeus banking Trojan in 2011 brought years of problems for the online community -- and the release of the Mirai IoT bot source code in 2016 will do the same for the Internet. More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code. A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning," says Kurt Baumgartner, principal security researcher, Kaspersky Lab.

Source: https://betanews.com/2017/02/23/windows-botnet-spreads-mirai-malware

Internet users urged to change passwords after Cloudbleed

Multiple high-profile apps including Uber and FitBit have been leaking customer data for months due to the Cloudbleed vulnerability discovered by Google researchers last week.

The bug in the source code of internet services company Cloudflare caused sensitive data to be cached by search engines, potentially allowing hackers to pose as legitimate customers. The compromised data includes private messages and authentication cookies.

“We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use Cloudflare, and even plaintext API requests from a popular password manager that were sent over http,” said a cyber-security researcher from Google’s Project Zero team. “The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean-up.”

The researchers said the impact of the vulnerability is potentially wide-reaching due to the massive customer base of Cloudflare.

“I didn't realise how much of the internet was sitting behind a Cloudflare CDN until this incident,” the researcher said.

The Google team said that Cloudflare has responded to the issue promptly but advises users to change their passwords and switch to two-factor authentication where possible.

“With the haemorrhaging from Cloudbleed first reported on Friday, new data from Skyhigh Networks indicates the wounds to IT are widespread,” commented Kaushik Narayan, CTO of cloud access security broker Skyhigh Networks.

“After analysing more than 30 million enterprise users across the globe, Skyhigh found 99.7 per cent of companies have at least one employee that used a Cloudbleed vulnerable cloud application.”

Even though few enterprise-ready cloud services were themselves affected – fewer than four per cent – there’s a very long list of potential consumer-focused services that may have been vulnerable to credential loss, Skyhigh Networks said.

Cloudbleed got its name after the Heartbleed vulnerability in the OpenSSL cryptographic software library, discovered in 2014. The researchers said Cloudbleed could be potentially as serious as Heartbleed, which affected millions of websites, enabling hackers to gain access to sensitive user data.

According to Gizmodo, Cloudbleed is a result of a coding error affecting a single character in Cloudflare’s code.

Source: https://eandt.theiet.org/content/articles/2017/02/internet-users-advised-to-change-passwords-after-cloudbleed-vulnerability-discovered/

Our perspective
Cloudflare Inc. handles traffic for many
popular services, including Uber and Fitbit. It
also helps customers to protect and defend
themselves from denial-of-service attacks and
configure SSL encryption for their websites.
It is quite possible for an attacker to have
access to private web data along with
encryption keys, if the password is
compromised. After studying the
vulnerabilities and the impact of the exploit,
all readers are strongly advised to change
their password quickly to avoid any security
risks.

Google’s Project Zero reveals vulnerability in Internet Explorer and Microsoft Edge

Google's Project Zero has exposed another security flaw in Microsoft software — this time in Internet Explorer and Microsoft Edge. As reported by The Register, the flaw was first disclosed to Microsoft on November 25, but has now gone public after exceeding Project Zero's 90-day disclosure deadline without a patch.

The bug in question could allow a website to crash the browser and execute code with just 17 lines of HTML. If you're into the nitty-gritty technical details of the issue, you can dive into the full explanation of the flaw at Project Zero's post.

This isn't the first time Google has publicly outed a flaw in Microsoft software without a patch being issued. Most recently, the two software giants butted heads in late 2016 after Google disclosed a bug in Windows just days after alerting Microsoft. Similarly, January of 2015 saw Google publish a Windows 8.1 vulnerability just days before a patch was set to go live.

It's not clear when or how quickly Microsoft might issue a fix for this particular flaw. The company curiously delayed its usual monthly round of fixes for February, noting that they'll arrive with March's Patch Tuesday on March 14. However, the company did issue a fix for a critical Adobe Flash bug just days later, so there's a chance we could see a security fix outside of the usual monthly schedule.

Source: http://www.windowscentral.com/googles-project-zero-reveals-vulnerability-internet-explorer-and-edge

Our perspective
The newly disclosed zero-day vulnerability, which creates a type confusion flaw, affects Microsoft Edge and Internet Explorer on fully patched systems and can potentially allow remote attackers to execute arbitrary code on the underlying system. We understand that researchers have confirmed the unavailability of exploits. However, it is quite possible for attackers to use PoC details to develop working exploits which may suddenly surface in the wild. Organisations that have developed custom software with inherent vulnerabilities may be more susceptible to this exploit as a door may exist for attackers to deploy this exploit. Given that a fix has not been provided in the latest patches, all Windows administrators are advised to assess the criticality of the risk and apply patches for this vulnerability as soon as they become available.

Crypto specialists break SHA-1 security standard

Researchers at the Dutch research institute CWI and Google have broken the SHA-1 internet security standard, which is widely used for digital signatures and file integrity verification, including secure credit card transactions.

According to CWI cryptanalyst Marc Stevens: “Many applications still use SHA-1, although it was officially deprecated by NIST in 2011 after exposed weaknesses since 2005. Our result proves the deprecation by a large part of the industry has been too slow and that migration to safer standards should happen as soon as possible.”

The team says it broke SHA-1 using a collision attack. Google’s Elie Bursztein added: “Finding the collision in practice took a lot of effort, both in building the cryptanalytic attack and in its large scale execution. It required more than 9.2 x 10^18 SHA1 computations that took 6500 years of CPU computation and 100 years of GPU computations. We used the same infrastructure that powers many Google AI projects, including Alpha Go and Google Photo, as well as Google Cloud.”

Stevens said that, to defend against SHA-1 collision attacks, systems must migrate to SHA-2 or SHA-3. In the case of HTTPS, this process began in 2015 and, this year, browsers will mark SHA-1 based certificates as insecure.

Source: http://www.newelectronics.co.uk/electronics-news/sha-1-security-standard-broken/151987/
About PwC
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157
countries with more than 2,23,000 people who are committed to delivering quality in assurance, advisory and
tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata,
Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in

PwC refers to the PwC International network and/or one or more of its member firms, each of which is a
separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.

©2017 PwC. All rights reserved

For any queries, please contact:


Sivarama Krishnan
sivarama.krishnan@in.pwc.com

Amol Bhat
amol.bhat@in.pwc.com

All images in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws and
treaties. Any unauthorised use of these images may violate such laws and shall be punishable under appropriate laws. Our sharing
of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download,
transmit, modify, adapt, create derivative works based on, rent, lease, loan, sell, assign, distribute, display, perform, license, sub-
license or reverse engineer the images. In addition, you should desist from employing any data mining, robots or similar data and/or
image gathering and extraction methods in connection with the presentation.

© 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers
Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which
is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

MB/March2017-8840
