This entry is the monthly continuation of Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team.

Spring has sprung, which means we are deep in the flowers here in Portland. There is also plenty of rain, buzzing bees, and a healthy crop of malware popping up everywhere. Extortion season is in full swing, with a continued uptick in ransomware delivered via exploit kits, and also a recent spate of DDoS threats that ask for protection money. It seems the hackers are moving to “easy money” hits.

Unfortunately, there’s a lot more going on than just these big headlines. Let’s dig into some of the variety that we’ve been following from the last month.

Breaking! ImageMagick Remote Code Execution

WHAT: ImageMagick is a widely deployed image processing library used to manipulate or convert image data. It has a full-on remote code execution vulnerability, giving an attacker code execution with the privileges of the affected service user. It is being called ImageTragick. Mitigation steps and a partial patch are presently available, but a proof-of-concept exploit is also in the wild, with the possible implication that it has already been used in some 0-day attacks.

WHY: ImageMagick is not the only image manipulation library for web servers, but it is widespread, so the reach and impact of this vulnerability are significant. We will also inevitably see it months from now during pentests of organizations that neither keep up on their patches nor implement mitigations. We recommend applying the immediate config file mitigation steps provided by the ImageTragick website and patching as patches become available. This could hit affected sites very hard.
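The two mitigations the ImageTragick site describes are a restrictive policy.xml that disables the dangerous coders, and checking that an uploaded file really is the image type it claims to be before ImageMagick ever touches it. The following is an added example (not code from the Anitian post or the ImageMagick project) of how an operations team could audit both: it parses a policy.xml and reports which of the coder restrictions are missing, and it checks file magic bytes for the handful of formats an upload endpoint actually intends to accept. The coder list is assumed to match the ImageTragick recommendation; confirm it against the site, and the policy documents below are constructed for the example, not taken from any server.

```python
"""Audit ImageMagick's policy.xml for the ImageTragick coder restrictions and
verify upload headers before handing files to ImageMagick (added example)."""
import xml.etree.ElementTree as ET
from typing import Optional, Set

# Coders the ImageTragick mitigation disables (assumed to match the
# imagetragick.com policy.xml recommendation; confirm against the site).
DANGEROUS_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                    "TEXT", "SHOW", "WIN", "PLT"}

# Constructed policy.xml in the recommended form: every dangerous coder blocked.
FULL_POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>"""

# Constructed policy.xml that only applied the first batch of restrictions.
PARTIAL_POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""


def blocked_coders(policy_xml: str) -> Set[str]:
    """Return the set of coder names a policy.xml denies all rights to.

    Only exact pattern names and the catch-all "*" are understood here;
    ImageMagick's own glob patterns such as "{EPHEMERAL,URL}" are not expanded.
    """
    root = ET.fromstring(policy_xml)
    blocked: Set[str] = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        pattern = (pol.get("pattern") or "").upper()
        if pattern == "*":
            return set(DANGEROUS_CODERS)
        blocked.add(pattern)
    return blocked


def missing_restrictions(policy_xml: str) -> Set[str]:
    """Dangerous coders the given policy.xml still leaves enabled."""
    return DANGEROUS_CODERS - blocked_coders(policy_xml)


# Magic bytes for the formats an upload endpoint intends to accept. Anything
# else (including a text file renamed to .png) is rejected before ImageMagick
# gets to sniff the content itself.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the format name whose magic bytes the data starts with, else None."""
    for fmt, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return fmt
    return None


def safe_to_process(data: bytes, claimed_extension: str) -> bool:
    """Accept the upload only if its header matches the extension it claims."""
    detected = detect_image_type(data)
    claimed = claimed_extension.lower().lstrip(".")
    if claimed == "jpg":
        claimed = "jpeg"
    return detected is not None and detected == claimed


if __name__ == "__main__":
    print("full policy missing:", missing_restrictions(FULL_POLICY_XML))
    print("partial policy missing:", missing_restrictions(PARTIAL_POLICY_XML))
    print("png header ok:", safe_to_process(b"\x89PNG\r\n\x1a\n" + b"\0" * 8, "png"))
    print("renamed text file ok:", safe_to_process(b"not an image at all", "png"))
```

Run the audit against the real policy.xml on each server that processes untrusted images (the path varies by distribution and ImageMagick version), and wire the header check into the upload handler in front of any ImageMagick call; the policy blocks the dangerous coders, and the header check stops a file with a harmless extension from reaching the coder selection logic in the first place.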

The Dangers of Convenience – Shortened URLs

WHAT: Maintaining a healthy sense of outside-of-the-box thinking is critical to coping with the constantly evolving threat landscape. Here is a timely example. What really is a shortened URL? It is just a redirect to a long, complex URL, right? Some researchers at Freedom to Tinker wondered what could be done with shortened URLs. Their findings are a little disturbing: using some rudimentary scanning, they found all manner of confidential data.

WHY: Short URLs are a convenient way for people to share links more easily. However, there is perhaps an implicit belief that a complex URL is safe, and that making a short link of it to text to your coworker has no ramifications. Instead, it provides a potential vector for people to scrape and obtain confidential information. Having our Sherlocks watch for URL shortener use is easy given access to web proxies. The real challenge, however, is to educate your employees on where confidential data can and cannot be shared. Using shortened links is fine, provided the data being shared is not sensitive.
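Watching for shortener use from web proxy logs, as mentioned above, comes down to matching the requested host against a list of shortener domains and counting per client. The following is an added example (not code from the Anitian post) that does this over Squid-style access log lines; the log lines are constructed for the example, the shortener domain list is an assumed starting point that a team would extend from its own proxy categories, and the regex covers only the fields the check needs.

```python
"""Flag URL-shortener use in web-proxy logs (added example with constructed data)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Public shortener hosts to watch for (assumed list; extend from your own proxy
# categorisation). Matching is on the exact host after stripping "www.".
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}

# Constructed Squid native access log lines (not real traffic):
# timestamp elapsed client code/status bytes method url ident hierarchy/host type
SAMPLE_LOG = """\
1462900001.123    120 10.0.0.15 TCP_MISS/302 512 GET http://bit.ly/2abcXYZ - HIER_DIRECT/192.0.2.10 text/html
1462900002.456     80 10.0.0.15 TCP_MISS/200 2048 GET http://docs.corp.example/finance/q2.xlsx - HIER_DIRECT/10.1.1.5 application/octet-stream
1462900003.789    200 10.0.0.22 TCP_MISS/200 9000 CONNECT goo.gl:443 - HIER_DIRECT/198.51.100.7 -
1462900004.001     50 10.0.0.22 TCP_MISS/200 1000 GET http://www.example.com/ - HIER_DIRECT/203.0.113.9 text/html
1462900005.002     90 10.0.0.31 TCP_MISS/301 300 GET https://tinyurl.com/y7abc123 - HIER_DIRECT/192.0.2.20 text/html
1462900006.003     70 10.0.0.15 TCP_MISS/301 280 GET http://is.gd/xYz123 - HIER_DIRECT/192.0.2.30 text/html
this line is not a squid log record
"""

# Only the fields the check needs: timestamp, client address, method, URL.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def shortener_host(url_field: str) -> Optional[str]:
    """Return the shortener host a request targets, or None if it is not one.

    CONNECT requests log "host:port" rather than a full URL, so both forms
    are handled.
    """
    if "://" in url_field:
        host = urlsplit(url_field).hostname or ""
    else:
        host = url_field.rsplit(":", 1)[0]
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host if host in SHORTENER_HOSTS else None


def find_shortener_use(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, shortener_host, url) for every request to a shortener."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        match = SQUID_RE.match(line)
        if not match:
            continue  # malformed or non-log line; skip rather than crash
        host = shortener_host(match.group("url"))
        if host:
            hits.append((match.group("client"), host, match.group("url")))
    return hits


def per_client_counts(log_text: str) -> Dict[str, int]:
    """How many shortener requests each client made; useful for a daily report."""
    return dict(Counter(client for client, _, _ in find_shortener_use(log_text)))


if __name__ == "__main__":
    for client, host, url in find_shortener_use(SAMPLE_LOG):
        print(f"{client} -> {host}: {url}")
    print(per_client_counts(SAMPLE_LOG))
```

A hit on its own is not an incident; the value is in the per-client view, which shows who is routinely passing links through shorteners and therefore who the data-handling education needs to reach first. Where the proxy already categorises "URL shortener" destinations, feed that category into the host set instead of maintaining the list by hand.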

SSL Inspection

WHAT: From the hubbub over the FBI iPhone decryption, WhatsApp implementing end-to-end encryption, and the ever-growing preponderance of ransomware, the concern over the sanctity of data privacy is widespread.  However, with the proliferation of default SSL on many communications, enterprises are in a bind from a threat detection perspective. As much as 60% of the outbound traffic is encrypted, including a lot of malware command and control traffic.

Considering the number of issues that are visible from merely looking at unencrypted connections, the idea that this visibility could be doubled should be tempting for information security professionals (and leaders). However, many organizations are reluctant to use technologies that intercept encrypted traffic, citing privacy worries.

WHY: While it is difficult to recommend breaking privacy to ensure integrity, enterprise security must address the security of the entire enterprise, not only the plain text parts.  It is funny that IT departments cling to the idea of privacy, when practically, there is no such thing as privacy on a corporate-owned network. Ideally, we would have technologies that can differentiate between the good and bad without jeopardizing privacy.  However, that is not realistic.  There are ways to implement SSL inspection and provide some level of personal privacy.  Ultimately, we must get inside the encrypted traffic if we want to protect the entire enterprise.

From our perspective, any time we can get access to data, we increase our ability to hunt down attackers.


Sometimes the threat landscape, like Pacific Northwest springtime weather, is not very consistent. While some headlines catch our attention, there are still exploit kits, bugs and vulnerabilities being discovered. Anything can, and does, happen. Threat intelligence needs to encapsulate all of the landscape and not just the hottest bits of it. Our Sherlocks keep that “whole” in mind to spot things now, or later when they might come back around.

Check back next month for our June Sherlock report.
