Event Tracker

New Apache Struts 0Day Exploit: (March 8, 2017) Cisco’s Talos group has identified attacks against a 0Day vulnerability in Apache Struts, which is a popular Java app framework. An advisory was issued Monday, stating the problem exists in the Jakarta Multipart parser. An attacker could perform an RCE attack with a malicious Content-Type value. Users were advised to upgrade or switch to a different implementation of the parser. Numerous attacks appeared to be taking advantage of a publicly released proof of concept to run assorted commands. Struts was previously compromised by Chinese hackers in 2014, who exploited known vulnerabilities to install a backdoor. Message here: keep patches current. Source: http://www.csoonline.com/article/3178744/security/cisco-and-apache-issue-warnings-over-zero-day-flaw-being-targeted-in-the-wild.html#tk.twt_cso

Verifone Breach: (March 7, 2017) The credit and debit payment company Verifone is investigating reports of a breach of its internal computer networks. The payment processing giant is the largest maker of credit card terminals used in the USA. This has impacted some of the companies who run its POS, or point of sale, offerings. However, Verifone has stated that “the extent of the breach was limited to its corporate network and that its payment services network was not impacted.” An urgent email was issued on January 23 to all company staff and contractors urging them to change company passwords, as an intrusion had been detected in the corporate network. Forensic examination reveals the cyber incident affected two dozen gas stations only, and for a very limited period of time. The attackers deployed CARBANAK or Anunak to compromise the Oracle ticketing portal for MICROS POS. From there they siphoned credentials when customers logged into the support site. Source: https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach/

FIN7 Spear Phishing, Carbanak and the SEC: (March 7, 2017): FireEye identified a spear phishing campaign in late February that targeted people who were filing with the US SEC. They were able to identify the group as FIN7, who are financially motivated and use spear phishing to spread malware. Often they target retail and hospitality through POS malware. The attack involves a malicious document that drops a VBS script. This installs a PowerShell backdoor from a new malware family dubbed POWERSOURCE by FireEye. It is heavily obfuscated and a modified version of the existing tool DN_TXT_Pwnage. It uses DNS TXT records, which make detection and hunting for C+C harder, a rising trend. FireEye has not yet determined FIN7’s objective in this campaign, but the group has previously used Carbanak in its engagements.

Sources: https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

Update on Shamoon: Ransomware and New Wiper Malware Discovered: (March 6, 2017) Wiper malware is rare – just a handful of occurrences have been documented. However, in the latest appearance of Shamoon, a new ransomware component was uncovered in addition to the disk wiping capability. Because you can’t have too much of a bad thing, it would seem. Kaspersky has now identified another wiper malware in the wild. Dubbed “StoneDrill”, it has targeted organizations in Saudi Arabia, but it also went after a petrochemical organization in Europe. At this stage, it seems StoneDrill is similar to the APT group NewsBeef or Charming Kitten, which has been linked to the latest Shamoon endeavours.

Source: https://threatpost.com/destructive-stonedrill-wiper-malware-on-the-loose/124090/

DNSMessenger: Malicious PowerShell Continues Its Reign (March 6, 2017): PowerShell has surged as an attack tool. Cisco’s elite threat research group, Talos, has identified yet another form of malware that is hard to detect because it leverages the power of PowerShell. The code hides itself in memory using PowerShell scripts, then connects directly to a command and control server using the Domain Name Service port on the compromised machine. It’s spread via – no surprise – phishing, via an MS Word doc that passes itself off as being from a reputable source. The document claims to be protected and secured by McAfee Security and asks the victim to click to view the content in the file. Boom! We know what happens next. The twist here is that everything gets done in memory: the second stage is stored in the registry, while another PowerShell script sets up communications for the third stage with the C+C via DNS. Why? HTTP and HTTPS gateways are monitored by security software, but DNS not so much. Attackers know this. Attackers are willing to put the time and effort into staying hidden as long as possible. We need to be inspecting and filtering network protocols like HTTP/HTTPS, SMTP/POP3 etc. DNS traffic is a risk too.

Sources: https://blog.knowbe4.com/scary-new-malware-hides-in-memory-uses-dns-to-communicate-and-spreads-through-phishing
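As an added illustration of the defensive point above (this is example code, not from Talos or the original post), here is a small Python detector that scans constructed resolver log lines for the pattern the article describes: one client issuing many TXT queries for unique, random-looking subdomains of a single domain. The log format, the sample addresses and the thresholds are all assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the page): "timestamp client qtype qname".
# 10.0.0.5 does ordinary lookups, 10.0.0.9 repeats one legitimate TXT lookup,
# 10.0.0.7 shows the beacon pattern: many TXT queries for unique, high-entropy
# subdomains of one domain, i.e. a C+C channel tunnelled through DNS TXT records.
SAMPLE_LOG = """\
2017-03-06T10:00:01 10.0.0.5 A www.example.com
2017-03-06T10:00:02 10.0.0.5 TXT _dmarc.example.com
2017-03-06T10:00:03 10.0.0.5 AAAA www.example.com
2017-03-06T10:00:04 10.0.0.9 TXT example.com
2017-03-06T10:00:05 10.0.0.9 TXT example.com
2017-03-06T10:00:06 10.0.0.9 TXT example.com
2017-03-06T10:00:07 10.0.0.9 TXT example.com
2017-03-06T10:00:08 10.0.0.9 TXT example.com
2017-03-06T10:00:09 10.0.0.9 TXT example.com
2017-03-06T10:00:10 10.0.0.7 TXT 3f9a1c7e5b2d8046.example.net
2017-03-06T10:00:40 10.0.0.7 TXT c04e8a2f6d1b9375.example.net
2017-03-06T10:01:10 10.0.0.7 TXT 7b3d5f1a9e0c2486.example.net
2017-03-06T10:01:40 10.0.0.7 TXT e6a2c8f4b0d91735.example.net
2017-03-06T10:02:10 10.0.0.7 TXT 1d7f3b5a9c0e2468.example.net
2017-03-06T10:02:40 10.0.0.7 TXT a9c1e3b5d7f02468.example.net
garbage line that does not parse
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def shannon_entropy(s):
    """Bits of entropy per character; encoded/random labels score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Crude registered-domain approximation: the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def subdomain_part(qname):
    """Everything left of the base domain (the part a tunnel would encode data in)."""
    labels = qname.split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""


def find_txt_beacons(lines, min_txt=5, min_entropy=3.0, min_unique_ratio=0.8):
    """Flag (client, domain) pairs whose TXT queries look like a tunnelling beacon:
    at least min_txt TXT queries, mostly unique subdomains, high average entropy.
    Repeated lookups of one legitimate TXT record (SPF, DMARC) do not trip this."""
    stats = defaultdict(lambda: {"txt": 0, "subs": set(), "entropy_sum": 0.0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        key = (rec["client"], base_domain(rec["qname"]))
        sub = subdomain_part(rec["qname"])
        s = stats[key]
        s["txt"] += 1
        s["subs"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
    findings = []
    for (client, domain), s in stats.items():
        if s["txt"] < min_txt:
            continue
        avg_entropy = s["entropy_sum"] / s["txt"]
        unique_ratio = len(s["subs"]) / s["txt"]
        if avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            findings.append({"client": client, "domain": domain,
                             "txt_queries": s["txt"],
                             "avg_entropy": round(avg_entropy, 2),
                             "unique_ratio": round(unique_ratio, 2)})
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    for f in find_txt_beacons(SAMPLE_LOG.splitlines()):
        print("suspicious TXT beacon:", f)
```

On the sample above only 10.0.0.7 is reported; the six repeated DMARC-style lookups from 10.0.0.9 stay below the entropy and uniqueness thresholds.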

Bad Backups Expose Spammers: (March 6, 2017): Security researcher Chris Vickery discovered a massive cache of information because a spam operation failed to properly configure their backup. The company, RCM, had their backups exposed for over a month. Vickery found chat logs, domain registrations, accounting details, details on infrastructure planning, production and business affiliations. That is a breach no company wants to report. But worse, Vickery found 1.34 BILLION email accounts, marked to receive spam. And these records held personal information. Many of these came from a process known as CoReg, where people sign up for something online and get their emails shared with a third party or partner. What’s been uncovered is the shady underbelly of “Free gift with …” We are trusting souls.

Sources: http://www.csoonline.com/article/3176433/security/spammers-expose-their-entire-operation-through-bad-backups.html?utm_content=bufferadf82&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Massive AWS Outage – Got A Backup Plan?: (March 1, 2017) Last week it was hard not to be caught up in the massive Amazon Web Services and Simple Storage Solution (S3) outage. And some painful lessons were learned by many. What do you do when the service you rely on for uptime goes down? Having a backup plan or failover in place seems obvious, but you need to make sure that it works, that there are no surprises. Here’s a term for you: “chaos engineering”, which means “We need to identify weaknesses before they manifest in system-wide, aberrant behaviors.” This comes from a company, Chaos Monkey, that actually puts people through the painful paces of testing their plans.
Source: http://www.bankinfosecurity.com/blogs/kill-your-darlings-for-better-disaster-recovery-p-2406

It’s Back! Return of CryptoLocker: (March 2, 2017): There is a spate of reports now about a resurgence of CryptoLocker ransomware. Attacks were predominantly in Europe, the staging ground for Russian cybercriminals before they launch their malware on America. What is interesting is the heavy concentration on Italy. The attack vehicle was a carefully crafted email featuring a digital signature to appear very trustworthy. Attackers utilized Italy’s Certified Electronic Email, which legally is like a registered letter, to deliver invoices hiding spam. And it worked. Attacks are now heavy in the Netherlands, and have landed on American shores as confirmed by Microsoft’s Malware Protection Center. Sources: https://www.scmagazine.com/cryptolocker-bursts-onto-scene-again-targeting-europe-and-us/article/641731/

The Philadelphia Story – Putting the Service in RaaS (March 1, 2017): Cybercrime is big business, and ransomware has been steadily growing in the As-A-Service realm. In a recent blog post, security reporter Brian Krebs reported on the latest offering, “Philadelphia”. For $400 you too can claim your stake as a cybercrime impresario with this point-and-click money maker. It comes with a very slick promo video on YouTube that touts its numerous features: charts of victims; track your campaign; generate PDF reports; use Google Maps to chart your global victims. “Everything just works,” claim the proprietors of Philadelphia. “Get your lifetime copy. One payment. Free updates. No monthly fees.” The future is bright and shiny and loaded with bitcoin. Sources: https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/

Rise in CryptoLocker Ransomware In Italy, Europe (March 1, 2017) Just because it’s dormant doesn’t mean it’s dead. CryptoLocker is back. Attacks have been steadily climbing since January. And what is interesting is how attackers are leveraging the Certified Electronic Email in Italy to spread the joy. This service is used by people who want the assurance they are getting a high level of security. So emails are signed with a digital signature to look official. And this parallels the similar rise in Dridex in Switzerland reported mid February, again leveraging trusted email providers. As we know, phishing works. “Trust” works. Put the two together … Source: https://www.bleepingcomputer.com/news/security/crypt0l0cker-ransomware-is-back-with-campaigns-targeting-europe/

Shh – They’re Listening (February 28, 2017): If you ever have that feeling someone is listening, you’re right. The audio built into our smart TVs, tablets, mobile devices etc. is equipped to listen and transmit. And unfortunately, not just Google gets the details. You may remember the story about the little girl who used “Alexa”, Amazon’s virtual assistant, to order a doll house. Apparently, a radio host was retelling the story and “Alexa” was enabled in numerous locations and picked up on the line about ordering a dollhouse. The tech behind the audio can receive information through noise that is hard for humans to hear. Convenience comes at a cost, and sometimes we don’t realize that. For example, people dictate payment card info when they fill in forms online. Yes, that happens more than you think. The human element will always be the most challenging to secure.
Sources: https://blog.kaspersky.com/voice-recognition-threats/14134/

Barts Health Trust UK hit by new strain of Malware (March 2, 2017): In January we reported how the largest hospital group in the UK was knocked offline by a cyber incident. Investigation reveals the malware evaded detection and bypassed AV because it is “a new virus not seen previously”. The fact is, even if your AV is up to date, it won’t catch all the things. Details aren’t being released at this time as the investigation is still underway. The virus hit four of the five hospital sites. Two other UK hospitals were hit by Globe2 ransomware in November 2016. Sources: http://www.zdnet.com/article/previously-unseen-malware-behind-cyberattack-against-uks-biggest-hospital-group/

Bluetooth Ingenico Overlay Skimmers (February 26, 2017) Security researcher Brian Krebs has done a lot of digging into the shady underworld of card skimmers. Recently, he uncovered a Bluetooth skimmer, as shown below. It steals the card data when the customer swipes and then records the PIN through the PIN pad overlay. Bluetooth lets the thieves wirelessly retrieve the stolen data if they are within 30 meters of the device. The devices do not have on-board data storage, so the data is taken in real time, meaning the thieves are right there. Skimmers are an enormous problem in both the US and Mexico. Krebs has done a series of pieces on his blog and travellers are well advised to learn what they can before heading south.
Source: https://krebsonsecurity.com/2017/02/more-on-bluetooth-ingenico-overlay-skimmers/

It’s Childsplay (February 28, 2017): This just gets worse, beyond the voice recordings, emails, and passwords left open and exposed on the Internet. The CloudPets manufacturer did not use any standard Bluetooth security features, such as pairing encryption. So anyone within range, as little as 10 metres, could connect to the toy and upload a message. Worse, they could effectively take control of the toy and turn it into a remote surveillance device by activating its recording feature without detection, then download whatever audio was recorded, or make the device say whatever the person controlling it wants. Mark Meyers, CEO of CloudPets, hasn’t responded to the situation aside from this: “you don’t respond to some random person about a data breach.” Right. I’ll leave that with you. Sources: https://motherboard.vice.com/en_us/article/how-this-internet-of-things-teddy-bear-can-be-remotely-turned-into-a-spy-device

Update: Multiple Groups Involved in Shamoon Attacks (February 27, 2017) According to researchers at Symantec, there have been three waves of attacks by the destructive malware, Shamoon. Two were in November 2016 and the latest was on January 23. Organizations targeted were predominantly in Saudi Arabia, and others were in the Persian Gulf. The actors identified are: Greenbug, who may have helped obtain credentials to facilitate the attack; Timberworm, the group responsible for Magic Hound, a campaign that targets the energy, gov’t and tech sectors, which delivered a RAT and aided with domains; and two Iranian APT actors, Charming Kitten and Rocket Kitten. Timberworm was responsible for orchestrating the Shamoon attacks in January. According to Symantec, they are the group to watch because “Timberworm appears to be a much larger operation, infiltrating a much broader range of organizations beyond those affected by the recent Shamoon attacks.”
Source: http://www.securityweek.com/multiple-groups-cooperated-shamoon-attacks-symantec

Ransomware, IoT and Teddy Bears: It’s Childsplay  (February 27, 2017): This is wrong on every level. Researcher Troy Hunt has revealed a massive breach involving kids’ toys that connected and recorded kids’ voices. After the VTech scandal and breach last Christmas, then Barbie, you would think we’d know better. Even Germany removed Cayla the talking doll after enough reports about her leaks. This is worse. Apparently, the data sent in was being stored on – those Mongo databases we’ve been tracking. The ones left wide open on the internet and ransacked by ransomware. Yes. And worse still, the company, CloudPets, owned by Spiral Toys, was approached several times by people who are tech savvy and found the open databases. The company failed to respond. Now, if Troy Hunt tells you there’s a problem, believe me, there is a problem. Yet, again, there was no response. And the data – it’s been wiped from those databases but who knows where it is now. While no payment information was contained, there is plenty of PII. All about kids. Sources: https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

GhostAdmin (February 27, 2017) The Mirai botnet demonstrated the power of DDoS and control over unsecured devices with devastating effectiveness last fall. What if you applied a botnet to data theft? The researchers at MalwareHunterTeam discovered a new botnet known as GhostAdmin, which “quietly siphons data from infected devices while it masquerades as a legitimate antivirus tool and obscures the symptoms of its attack with specialized features.” The tools GhostAdmin mimics include Symantec Endpoint Protection. The botnet can wipe internet history, remove log files and self-terminate, as well as impersonate Windows files. Worse, rebooting the device does not remove the malware. Already this botnet has stolen hundreds of gigabytes from major companies. The threat is real.
Source: https://www.alienvault.com/blogs/security-essentials/ghostadmin-the-invisible-data-thief-notes-from-the-underground?utm_medium=Social&utm_source=Twitter&utm_content=Awareness

Why Cybersecurity ranks last with Boards (February 27, 2017): A recent report by Harvard Business Review shows that most boards “lack the expertise” to rank cybersecurity as a priority. Even though 2016 broke records for breaches and attacks, the commitment shown to cybersecurity by boards is less than wan. While directors see it as a top “political issue”, akin to the economy and global issues, they fail to understand it in terms of their own business vulnerabilities. Instead, regulatory and reputational risks took precedence. Cybersecurity was not seen as a threat that would limit an organization’s ability to achieve its strategic objectives, whereas “retaining top talent” and “global competitive threats” were. The impact of a long-term or even a one-time devastating cyberattack was something boards could not conceptualize or relate to, because it isn’t their expertise. There’s an easy way to change that… Sources: https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats
Attackers: 12 Hours or Less and They Are In (February 23, 2017): We know that if someone wants to break in, they will. What we may not appreciate is how little time it takes. This is why penetration testing, or pen testing, is a vital component of doing effective and regular security assessments. We’re talking over and above automated scans and vulnerability assessments. According to a study of pentesting by Nuix, most attackers need under 12 hours to achieve compromise. 40% of those they surveyed were able to do it in six hours. Once in a network, most attackers could begin siphoning off data within 6-12 hours. The grim reality, according to Chris Pogue, CISO, is “You are squared off against a dynamic enemy whose technical capabilities are likely far beyond that of your security staff, and whose tool development has far outpaced your own.” Many companies choose to forgo pentesting, yet in over 66% of cases of those tested, clients did not detect the pentest. Which means they would not detect an attacker. Scans are automated and predictable. Attackers are not.
Source: http://www.darkreading.com/threat-intelligence/survey-most-attackers-need-less-than-12-hours-to-break-in/d/d-id/1328256

Holy CloudBleed Batman! (February 24, 2017) Be warned and be ready to change your passwords. This is just getting bigger and uglier by the hour. Popular service provider Cloudflare has been leaking: chat messages, encryption keys, cookies, password manager data, hotel bookings. The list is extensive. And very very scary for anyone caught up in this. This impacts an enormous number of people who rely on Cloudflare to protect their sites. Major sites like Uber, 1Password, FitBit, OKCupid are just some of those bleeding client data.
Security researcher Tavis Ormandy approached Cloudflare on Feb 17 to warn them of the bug he had found that is responsible, and which had apparently been leaking that data for months. Now, when Tavis O knocks, you need to be afraid. He catches the bad stuff. Cloudflare had a massive cleanup on their hands with all the data spilled. But reports now are that all search engines have removed the content.
Source: http://www.databreachtoday.com/cloudflare-coding-error-spills-sensitive-data-a-9742

BigMac Ransomware  (February 24, 2017): Let it not be said that Macs don’t get malware or ransomware. After KeLocker struck last year, we have another player in that game. As I am quoted saying in the blogpost “For those who torrent, be careful. If you torrent on a Mac, be very careful.” ESET had found new ransomware, dubbed “Patcher” or Filecoder.E, which is served off BitTorrent sites to those seeking unlicensed versions of Adobe Premiere Pro and Microsoft Office 2016. The code isn’t well written, so that those who pay the ransom never get their files back. Reasons not to go after pirated software and not to pay the ransom. One word: backups! Sources: http://www.databreachtoday.com/blogs/macs-feel-more-crypto-locker-ransomware-love-p-2399

Spora Ransomware and Customer Service (February 23, 2017): You may have heard how ransomware offers better customer service than most security vendors. It’s true. These gangs know the value of a bitcoin and are prepared to go the distance to get it.
Spora is a new family of crypto-ransomware that appeared in January. It features excellent encryption, works offline, generates no network traffic to C+C servers, and is unique in offering four tiered payment options: full restore $79, immunity $50, removal $20 and file restore $30. I kid you not.
Source: https://threatpost.com/spora-ransomware-offers-victims-unique-payment-options/123130/

Malware Helps Drone Steal Data via Blinking Computer LED (February 22, 2017) One of the great myths in security is that an air gap provides complete protection. As Stuxnet first demonstrated, an air gap can be bypassed, and nothing is ever completely kept separate. Now, researchers in Israel have used malware to send secret data out to a drone via the blinking activity LED on a hard drive. It’s complicated, but of course it is if you are going to defeat an “impenetrable” security solution. Once attackers have crossed into this ultra-secured space, they can try a range of tactics to get the data out sans internet or wifi, including electromagnetic emanations and heat signalling, but now “exploiting the computer’s hard drive indicator LED has the potential to be a stealthier, higher-bandwidth, and longer-distance form of air-gap-hopping communications”. The data can move at 4000 bits per second, which could deliver up an encryption key within several seconds. Another bonus of the hard drive LED is that it still works even when the computer is asleep. And the malware accessing it does not require admin level privilege.
Source: https://www.wired.com/2017/02/malware-sends-stolen-data-drone-just-pcs-blinking-led/

Crypto Collisions are Bad News (February 23, 2017): It runs behind the scenes, part of our daily world, and it’s essential to our security. Cryptography is the basis of authentication, integrity checks and verification, and has been updated in different varieties over the years. One of these, SHA-1, is considered obsolete due to known weaknesses, but it is still pervasive, and especially relied upon in legacy systems. Big orgs are slow to change, but now the final warning bell has sounded. Researchers have succeeded in an attack on SHA-1 using a technique that lets an attacker craft two different inputs that produce the same “hash”, where two distinct hashes are expected. That is not supposed to happen and essentially breaks the crypto. Like two people with identical fingerprints. Five years ago NIST advocated moving past SHA-1. It’s time.
Source: https://www.wired.com/2017/02/common-cryptographic-tool-turns-majorly-insecure/

Developing Countries See Rise in Cyber Attacks (February 21, 2017) Defending against cyber attack comes at a cost. And for developing countries, that is more than most can afford. The same email phishes, DDoS attacks and malware we face are now being redirected at nations that lack the resources, regulations and infrastructure to adequately defend themselves. Webroot cybersecurity reported that “increased cybersecurity and data privacy regulations throughout the developed countries … is causing the bad guys to move to the easier places to launch cyber attacks”. Nations like Vietnam and Ukraine don’t have strong data protection in place nor enforcement. They are becoming “the happy hunting ground” for cybercrime.
Source: https://www.bna.com/developing-countries-show-b57982084142/

Not all Breaches get Reported (February 21, 2017): This joint article by KPMG and Forbes reveals that while companies comply with regulations to disclose breaches leaking consumer information, they are less likely to do so if the breach involves compromised sensitive corporate data. In fact, one third of data breaches leak corporate data. Greg Bell, co-leader of global cybersecurity at KPMG Int., said there were losses in the billions of dollars because “When unique intellectual property, the basis of competitive advantage, disappears overnight, the outcomes can be disastrous.” Although 30% of CEOs report their top risk is cybersecurity, 72% admit they are not ready for a cyberattack. Unless corporations are willing to disclose and share learning, these types of attacks will continue, as will the losses – all to safeguard secrets and strategy. There is the irony. While business is working harder than ever to achieve innovation and disruption, they are not moving forward in terms of security best practices, including acknowledgement of corporate data attacks. Per John Scott, deputy chairman at KPMG Int., “Cybersecurity cannot be the last thing on the checklist”. Sources: http://www.pymnts.com/news/b2b-payments/2017/forbes-kpmg-enterprise-corporate-security-cybersecurity-data-breach-attack/

Update: Banking Malware Used on Polish Banks (February 20, 2017): In an interesting twist, there are reports that malware samples from the attacks on Polish banks had evidence planted to make it look like Russian hackers were the source. These are called false flags, and were uncovered by BAE Systems. The actual attackers made a lot of mistakes in their attempt to embed Russian language. Of note is that this same malware was used against banks and private companies in Mexico and Uruguay at the end of 2016. Symantec, BAE and ESET now confirm that the Polish bank malware shares distinct similarities with malware used by the Lazarus Group, an established cybercrime organization tied to the SWIFT bank heists of 2016.
Source: https://www.bleepingcomputer.com/news/security/malware-used-to-attack-polish-banks-contained-false-flags-blaming-russian-hackers/

Windows Botnet Spreading Mirai Variant (February 21, 2017) A few weeks ago there were reports of a Windows bot spreading Mirai. Now, Kaspersky reports that there is a Chinese-based variant built on a repurposed Windows botnet. What matters here is that this is a crossover between the Linux and Windows platforms. Researchers liken their concern over the leak of the Mirai source code to what happened when the source code for the Zeus banking Trojan was leaked a few years ago. Currently, Mirai can spread to Linux “by running a brute force attack against a remote telnet connection on a device. It can also spread over SSH, SMI, SQL injection attacks and IPC techniques and targets IP-based cameras, connected DVRs and media center appliances, as well as various Raspberry Pi and Banana Pi devices.” Also of concern is that this is the work of a more experienced “bot herder”, and someone new.
Source: https://threatpost.com/windows-botnet-spreading-mirai-variant/123805/

Polish Bank Attacks Tied to Wider Campaign – Lazarus Group possible (February 14, 2017): The recent series of targeted malware attacks against Polish banks is part of a wider campaign that has gone after financial institutions in over 30 countries. According to researchers from both BAE Systems and Symantec, the malware used in Poland can be linked to similar attacks around the globe, and there are marked similarities to tools used by the cybercrime group Lazarus, although no confirmation has been made. Targets were led to compromised sites of interest to them, watering holes, which were legitimate sites with injected malicious code that directed the targets to a customized exploit kit. This kit contained exploits against known vulnerabilities in Flash Player and Silverlight. What’s interesting is that the exploits were only activated for certain visitors: those with IP addresses from specific ranges. This is where a standard attack is elevated to sophistication at the APT level. Per Symantec, “The IP addresses belong to 104 different organizations located in 31 different countries … The vast majority of these organizations are banks, with a small number of telecoms and internet firms on the list.” 15 of these are from the US. The downloaded infection enables recon on the compromised system. Again, this tool is similar to those used in the past by the Lazarus group. Sources: http://metbuat.az/news/636656/recent-malware-attacks-on-polish-banks-tied-to-wider-hacking.html?utm_source=dlvr.it&utm_medium=twitter

Proof of Concept Ransomware for PLCs – the future is now (February 14, 2017): ICS and SCADA run our critical infrastructure: power, energy, water systems, traffic. The systems are proprietary and increasingly at risk due to lack of security around increasing connectivity. Thanks to Stuxnet, we know they can be attacked, and nothing is ever completely segregated. Researchers at Georgia Institute of Tech created a proof-of-concept ransomware strain that specifically targets PLCs, programmable logic controllers. Like PCs, these provide the user interface, acquire data from physical systems, and relay information to the network. They run valves, motors, sensors, pumps etc. A ransomware attack on these systems could have devastating consequences. Think of a water filtration plant that serves a city, delivering water that’s unsafe to drink. While this new development has not yet been seen in the wild, researchers warn it is just a matter of time. Source: https://www.bleepingcomputer.com/news/security/researchers-create-poc-ransomware-that-targets-ics-scada-systems/

New ASLR busting JavaScript Opens Huge Risks for CPUs (February 15, 2017): ASLR stands for Address Space Layout Randomization, and this technique is used as a first line of defence against malware attacks. Randomizing the memory locations where data and code reside limits the ability of attackers to execute their malicious payloads when they use vulnerabilities like buffer overflows. But this may no longer apply, as researchers have found a way to use JavaScript to identify memory addresses and locate system and application components. In combination with malicious code to exploit vulnerabilities in browsers or the OS, the JavaScript “can reliably eliminate virtually all of the protection ASLR provides”. This constitutes a side channel exploit in the memory cache of modern CPUs. It is now dubbed AnC, or ASLR cache. The concern is that little can be done to prevent or mitigate this kind of attack because of the existing architecture: CPU caching and strong address space randomization are mutually exclusive. Unless you prevent JavaScript from running in a browser, which would greatly reduce a site’s usability.
Source: https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/

Monday Jan 23 2017

Massive Twitter Botnet Discovered: We know this can’t be good. Two researchers have found a huge but dormant Twitter botnet of 350,000 bots. Active, this could spread spam or malicious links, or be used to spread – gasp – fake news. The researchers claim to have found an even larger botnet of over 500K. Just think of the Mirai botnet and the outages along the eastern seaboard. While details on that are not being released just yet, the Twitter botnet was apparently created in 2013 and stayed hidden until recently. The content consists of harmless quotes from Star Wars and no URLs are involved. The users attached to the bots seem believably human and unaggressive. The researchers are encouraging people to research these bots, and have created two Twitter accounts to report bots: @thatisabot and @website. https://threatpost.com/massive-twitter-botnet-dormant-since-2013/123246/

Locky Ransomware – Awaken the Kraken?: 2016 started with a ransomware bang and ended with a botnet boom. The pairing of ransomware and botnets should make anyone nervous. And the minds at Cisco are warning that we should expect a massive spam campaign with a return of the near-dormant Locky ransomware. Locky was spread via the Necurs botnet, which had 500K devices under its control to deliver spam containing the unbreakable Locky payload. Researchers are seeing a subtle increase in attacks via Necurs and Locky this month. It is possible attackers are exercising caution rather than risk getting caught. I say batten down those hatches. http://www.theregister.co.uk/2017/01/20/locky_ransomware_horrorshow_returns/

How to Secure Your Bank – in 3 Easy Steps!: OK. It’s not that easy. But these are good principles for any organization to follow, including banks. After last year’s massive financial attacks and heists, and the return of Carbanak, financial organizations need to get their houses in order to face the year ahead. And it isn’t just the gold or currency that holds value in the vault. It’s all. That. Data. Those mainframes are no longer as segregated as they once were. And banks are more at risk of Advanced Persistent Threats and targeted attacks. Recommendations are to train everyone on security practices and awareness. Then, make sure controls are in place and that people are aware of them. Finally, make sure that all outside parties, or trusted partners, understand and adhere to these rules to maximize security. http://www.networkworld.com/article/3157555/security/new-game-new-rules-3-steps-to-secure-your-bank-in-the-digital-age.html#tk.twt_nww

Satan Ransomware as a Service (January 20, 2017): This marks a continuing trend in the ongoing evolution of ransomware. Given how lucrative it is, and the increasing range of attack venues, packaging it as a service was a natural next step. Would-be attackers can find Satan ransomware as a service on the Darkweb. For 30% of the take, those who sign up can profit from those who have gone before them to craft the code and then make it available with customizable options on amount, delivery etc. Unfortunately, this ransomware does not have any decryptors currently available, so unless your files are backed up, consider them gone or pay the price (but not literally please). http://www.zdnet.com/article/satan-ransomware-as-a-service-starts-trading-in-the-dark-web/

Carbanak is Back and Using Google Services (January 18, 2017): Carbanak is more than an advanced persistent threat, or a Russian crime campaign, or a prolonged and very lucrative attack against banks across the globe. It’s a case study in the efficiency of cybercrime, going undetected for over a year and bringing in over a billion dollars. This week researchers found Carbanak had been using hosted Google services, like Forms and Sheets, for command and control. By taking over these recognized and trusted services, and hiding amongst the other Google traffic, Carbanak was able to operate “in plain sight”. Google hasn’t made any official comment except to say they know and are “taking the appropriate actions”. So heads up: check your enterprise networks, servers, POS terminals and client workstations more thoroughly than you have been. The actors behind Carbanak are masters of stealth; their malware and tactics are cutting edge. https://threatpost.com/carbanak-using-google-services-for-command-and-control/123169/

RIG Exploit Kit delivering Cerber Ransomware (January 18, 2017): Exploit kits keep evolving along with the nasty packages they deliver. In this case, RIG has been updated to carry a payload of Cerber ransomware. Per Heimdal Security, there has been a spike in attacks using this exploit kit. They also noted the Neutrino exploit kit was as popular as ever. Advice: keep patches and updates current; the vulnerabilities being exploited are in outdated software. The current tactic is drive-by attacks via malicious domains. Malicious scripts target vulnerable software on the visiting system, like Flash, Silverlight, IE, and Edge. http://www.cyberdefensemagazine.com/new-campaign-leverages-rig-exploit-kit-to-deliver-the-cerber-ransomware/?platform=hootsuite


When Ransomware Takes A Holiday (January 16, 2017): An interesting trend is being observed with regard to certain groups of malware, and ransomware. Case in point is Locky. The virulent strain took a couple of noted breaks, or “went quiet”, last year, in June and in October. Over the last three weeks, attacks have almost stopped. Now, ransomware has made an interesting pivot into attacking Mongo databases. This could likely be the lull before that storm, as a new exploit kit is being developed to deliver the lucrative payload cybercriminals are literally banking on.

MongoDB Ransomware Spreads (January 16, 2017): In the wake of the tens of thousands of Mongo databases being exploited, and Elasticsearch being attacked, we are faced with the question: do we need to shut off databases from internet access? The fact is, for all the security you implement, humans will always be your weakest link. Moreover, there is “human fallibility when it comes to cutting corners for expediency.” Authentication, authorization and accounting need to be enforced. Whose responsibility is it to make this better? Cloud providers, as the MSP for IaaS, could turn on activity controls at the front door of the database by default to help users protect themselves. But the database and applications remain the responsibility of the client, and their fate rests in the users’ hands. Literally. http://www.zdnet.com/article/should-the-cloud-close-the-front-door-to-the-database/

Elasticsearch now hit by DB Ransomware sweep (January 13, 2017): The recent and alarming increase in ransomware attacks on MongoDB instances has escalated. Now, attackers are using ransomware on Elasticsearch clusters. Elasticsearch is a popular Java-based search engine for enterprise environments. It’s used in log collection, data analytics, and visualization. But the clusters are being wiped and ransom notes left in place. So far, over 600 clusters have been hit. The targets are typically unprotected and accessible on the internet. http://www.csoonline.com/article/3157032/security/after-mongodb-ransomware-groups-hit-exposed-elasticsearch-clusters.html#tk.twt_cso

One Quarter of all MongoDBs Attacked (January 9, 2017): This week began with some mondo warnings about the number of MongoDB servers being exploited. 27,000 databases as of Monday were in a recent tally of those hit by online extortionists. This is up from 2000 on January 3, and 8,542 on January 5. Key word here: ransom. And this is an ongoing litany of poor security and low-hanging fruit. An apparent surge in attacks is being reported. Vulnerable databases are being wiped, then replaced with an empty one that is labeled “Warning. PWNED”. Of the estimated 99,000 known instances of MongoDB open to the internet, over 25% have been compromised. Why? Try admin accounts that are not password protected, or outdated patches. Or attitude. http://www.zdnet.com/article/mongodb-ransacked-now-27000-databases-hit-in-mass-ransom-attacks/#ftag=RSSbaffb68

Jan 6 2016 There’s a New APT in town: BaneChant, or “MM Core,” was discovered in April 2013 by FireEye researchers who then noticed some of its interesting features. The Trojan was designed to collect information about the infected computer and set up a backdoor for remote access. New versions have been identified recently in the Middle East, Asia, Africa and the US. Targets are media, government, telecommunications and energy. Key points: this malware evades sandboxing by detecting mouse clicks. As well, it uses a shortened URL to avoid blacklisting. As is to be expected, it has shared certificates, likely stolen. According to Forcepoint’s Nicholas Griffin, “Ultimately this suggests that MM Core may be a part of a larger operation that is yet to be fully uncovered”. What’s also interesting – the name Bane comes from, yes, Bane from Batman, because of where the URL is supposedly tied to. Per FireEye, the malware attempts to:

  1. Evade sandbox by detecting human behaviors (multiple mouse clicks);
  2. Evade network binary extraction technology by performing multi-byte XOR encryption on executable file;
  3. Social engineer user into thinking that the malware is legitimate;
  4. Avoid forensic and incident response by using fileless malicious codes; and
  5. Prevent automated domain blacklisting by using redirection via URL shortening and Dynamic DNS services.



FireCrypt Ransomware: Would you like a side of DDoS with that? This is another recent discovery as ransomware continues to evolve. This variant launches a DDoS attack against a URL hardcoded in the source code by continuously connecting to the URL and downloading junk from it to fill up the machine’s %Temp% folder. Features: this code can be disguised under PDF or DOC icons; attackers can slightly modify the binary for a different hash; this can create polymorphic malware that evades AV. Note that this is very similar to the “deadly with a good purpose” ransomware released in Oct 2016. The prevailing opinion is that this is that same variety, just rebranded. DDoS activities appear to currently target Pakistan’s Telco Authority. However, the attack is relatively ineffective in this configuration, as DDoS requires massive mobilization.


Ransomware on Android Smart TVs: You can’t change the channel
This is not the added feature you were looking for. Ransomware has been on Android phones for a few years, so this is the extension, and it was discovered a year ago in the wild. This Christmas, it was reported when someone downloaded ransomware with a movie-watching app on a three year old TV. And the screen locker does not work the same on TVs as it does on phones and computers. So any attempt to click and comply to free the screen doesn’t work. In this story, LG was able to give the victim a solution that worked, and the ransomware was only a screen locker, not a file encrypter. But Smart TVs have USB ports so folks can load pics and personally valuable files. These can become infected through that connection.


FTC files suit against D-Link – Strike 1 IoT:  There has been much talk about trying to regulate the lack of security released with the ever-growing Internet of Things. Now, we may have a precedent. The US FTC has filed a lawsuit against well-known manufacturer D-Link, whose SOHO devices are in many homes. The charge is that D-Link put “thousands of customers at risk of unauthorized access by failing to secure its IP cameras and routers”. And there have been plenty of security issues written up for their products. The suit claims the company “repeatedly have failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws”.


Thursday Jan 5

Whoa! MongoDB Security Risks: If you look at breaches over the past 18 months, the inclusion of Mongo databases has been consistently rising. Lax security, poor configurations. Security researcher Victor Gevers warns of global attacks on these databases. An attacker known as harak1r1 has been going after servers since late December, and issuing demands for 0.2 Bitcoin or $220 US. While these are ransom demands, instead of encrypting files on target systems, data is being replaced using what may be a Python script. Gevers cites that legacy MongoDBs deployed on the cloud are typically unpatched and have default configurations that leave them open to external connections via the internet, which enable attacks. Recommendations: update software, disable remote access, enable authentication. And check those log files. https://www.scmagazine.com/mongodb-databases-under-attack-worldwide/article/629601/
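The MongoDB items above all come down to the same two settings: an instance that listens on every interface and has no authorization enabled is exactly the “default configuration open to the internet” being ransomed. Below is an added example, not from the article or from MongoDB, of a small audit over a `mongod.conf` that flags those two weaknesses, with a constructed weak config beside a hardened one. The parser handles only the two-level `key: value` YAML subset that mongod.conf uses; the version note in the bindIp finding reflects the pre-3.6 default of binding to all interfaces.

```python
# Added example: audit a mongod.conf for the two settings behind the
# MongoDB ransom wave. Not MongoDB's code; the configs below are constructed.

def parse_mongod_conf(text):
    """Parse the two-level 'section:\\n  key: value' YAML subset mongod.conf uses.
    Comments and blank lines are ignored; nested deeper levels are not needed here."""
    tree = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # first colon ends the key
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            tree[section] = value if value else {}
        elif section is not None and isinstance(tree[section], dict):
            tree[section][key] = value
    return tree


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_mongod_conf(text)
    findings = []

    # 1. Authentication: without security.authorization: enabled, any client
    #    that can reach the port has full access to every database.
    security = conf.get("security", {})
    auth = security.get("authorization", "disabled") if isinstance(security, dict) else "disabled"
    if auth.lower() != "enabled":
        findings.append("security.authorization is not 'enabled': unauthenticated clients get full access")

    # 2. Exposure: bindIp decides which interfaces mongod listens on.
    #    Versions before 3.6 listened on all interfaces when it was unset.
    net = conf.get("net", {})
    bind = net.get("bindIp") if isinstance(net, dict) else None
    if bind is None:
        findings.append("net.bindIp is unset: mongod before 3.6 listens on all interfaces by default")
    else:
        addrs = {a.strip() for a in bind.split(",")}
        if addrs & {"0.0.0.0", "::"}:
            findings.append(f"net.bindIp={bind}: listens on every interface, internet-reachable unless firewalled")
    return findings


# Constructed weak config: the shape of the instances being wiped.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened config: local-only listener plus mandatory authentication.
# Remote access, where needed, goes through a firewall or VPN rather than bindIp.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1        # only local clients
security:
  authorization: enabled   # create an admin user before enabling this
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "OK")
```

Run it against the file your deployment actually ships, not the one in the repo; the ransomed instances were typically old images whose config never changed after first boot.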

Did someone hack Google.Brazil?: Now this caught my attention, because I’m watching Brazil. We all should be. I know. I need to write that post and I will. Apparently www.google.com.br was compromised two days ago when someone redirected users to another site. Initial reports that the site was inaccessible were discounted, but then opinion changed because it was true. In fact, Google issued this statement: “Some internet users in Brazil faced problems accessing google.com.br due to compromised DNS servers: that means, the malicious change of the routing configuration of those DNS servers, taking the user to a different website than the desired one”. The IP address issued for www.google.com.br belonged to a Bulgarian entity. Content wasn’t changed or tampered with. But the attacker was able to manipulate the domain via the domain registrar. As has been noted, this could have been far more serious, with users becoming infected with malware via the malicious redirect. Or credentials could have been taken. An excellent analysis was done in this article here by Renato Marinho.

You’re Out – Topps Playing Cards Breached: We all loved the trading cards with gum packs we got as kids. But buying that at the corner store has morphed into an online business. And unfortunately for many sports fans, more than bases could be stolen. Security researcher Chris Vickery discovered possible breaches and advised Topps. Topps has had to notify customers the breach exposed names, emails, phone numbers and worse – payment card details. Credit and debit card numbers, expiration dates, verification numbers, from between July 30 and Oct 12 2016. Given all we know from the mega breaches of last year, there is no excuse for payment card details to be accessible and Topps may be looking at some serious penalty time.

Was that Hydro One IP address targeted by Russians? There’ve been non-stop news reports with allegations of Russian hacking. And then retractions. My head is spinning. However, the story went that Ontario’s main electricity distributor allegedly had an IP address compromised by Russian hackers. According to reports, U.S. Homeland Security and the FBI found an IP address from Hydro One during an investigation into malicious cyber-activity allegedly linked to the hacking of the Democratic National Committee. As well, six other Canadian computer addresses were swept up in the digital search. This includes an IP address from an Alberta-based internet provider. The concern is that IP addresses once hacked could become “zombies” used in a botnet army that is remotely controlled to execute malicious acts. While Hydro One has openly denied they were compromised, a tech analyst has declared that this is “a wake-up call” and should put Canadians on high alert for their personal cyber security.


SOCOM US Army Doctor data breach: After OPM, how could this even happen? Sensitive details regarding US military health workers were found by security researcher Chris Vickery in an unprotected cache. These included 11GB of data with social security numbers, names, addresses and salaries of some SOCOM staff. A misconfigured data backup may have exposed details on nurses, doctors and mental health support staff as well as unit assignments and postings dating back to 1998. All the workers, including some with top secret clearances, were employed by Potomac Healthcare, a subcontractor to Booz Allen Hamilton. As has been noted, “This breach is different. It is not about stolen data but what appears to be, from Vickery’s post, a classic case of incompetence.” Vickery says the data was exposed by “an unprotected remote synchronization (rsync) service active at an IP address tied to Potomac.” The data, apparently, was not even protected by so much as a username or password. Nor did Potomac respond to Vickery’s warnings when he alerted them.


Check your site – PHP at risk of RCE: Over the past couple of weeks there have been some major warnings around critical vulnerabilities in PHP, including 0days. A LOT of sites have PHP working alongside the CMS. WordPress being my biggest case in point. Security expert Dawid Golunski of Legal Hackers reported a critical RCE vulnerability, tracked as CVE-2016-10033, in the popular open source PHP library, PHPMailer. This exposes millions of sites to remote code execution. Analysts note that “Web services running on WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, are potentially exposed to remote code execution attacks”. Adding to this risk is that similar issues were discovered in two other PHP libraries, SwiftMailer and ZendMail. Both libraries are affected by remote code execution vulnerabilities.


SYNOPSIS: Week ending Dec. 23

Ransomware and A New Hope?: Tis the season of hope. And in the fight against ransomware, security firm Cybereason is offering a new and free tool for all. RansomFree works differently than what we’ve been using, which is signature detection. This tool uses real time detection, and “behavioural and proprietary deception” techniques. It watches for patterns to help distinguish friend from foe. The security firm has analyzed more than 40 ransomware strains to build this, including Locky, TeslaCrypt, Cerber and Cryptowall. Based on behavioural analysis, it can effectively detect and then stop “never before seen ransomware”. If something looks iffy, the tool stops the suspicious activity. RansomFree is being touted as being able to detect 99% of all ransomware strains and offering protection against future strains.

It’s beginning to look a lot like DDoS: It just isn’t Christmas without a Grinch launching a DDoS attack shutting down all the new Playstations and Xboxes. Fair warning that the group who recently went after Tumblr this past week has plans to do just that. R.I.U Star Patrol are responsible for launching a DDoS attack against Tumblr, for fun, and it’s likely they used the Mirai malware, which is now infamous for the massive internet outage experienced round the world a few weeks ago. According to a gaming news site, Star Patrol has plans to launch coordinated attacks against Xbox on Christmas Day, “because they can”. Which was proven when they went after both League of Legends and Warframe on Dec. 19. For those of you who remember the outages on Christmas 2014, be prepared. https://nakedsecurity.sophos.com/2016/12/23/group-that-attacked-tumblr-threatens-to-ddos-xbox-for-christmas/

Stegano Exploit Kit and poisoned pixels: Steganography is a cool tool that has been around a long time and entails hiding things in plain sight. In October, ESET researchers discovered a new exploit kit that spreads via malicious ads on reputable news websites. Attackers have been targeting users of Internet Explorer and scanning their computers for vulnerabilities in Flash Player, which they then exploit to download and execute various types of malware. Distributing malicious code through advertising banners is known as malvertising. Only this time, they got sneakier. The advertising banners with “poisoned pixels” lead to the new exploit kit. “The victim doesn’t even need to click on the malicious ad content; all it takes is to visit a website displaying it,” per ESET. Some of the payloads analyzed include banking trojans, backdoors and spyware, but this could also include ransomware. Recommendations are to have your software fully patched and to be protected by a reputable security solution. http://www.welivesecurity.com/2016/12/06/stegano-exploit-kit/

More details on the Yahoo Breach: The story inside the story here is about structured and unstructured data. And the questions around compromise that need to be asked. Everyone wants to know why it happened, and why it took so long to notify users. Details are now coming out.

Stolen passwords were hashed with MD5, an outdated hash function seen as “cryptographically broken and unsuitable for further use.” Worse, security questions were stored unencrypted on the company’s systems. Basically, anyone in possession of this information could breach users’ accounts.

Time for a review on best practices when storing data: salting, hashing and stretching your users’ passwords. Very often in large breaches there is a failure in the coordination of people, processes and tools. The tools are there to detect, respond and report automatically to events that occur in the environment, but they also need capable people to spot the types of anomalies that machines are unable to detect. Finally, processes need to be put in place that allow the information gathered by the tools, and analyzed by the people, to be shared with relevant stakeholders in the business.
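What “salting, hashing and stretching” looks like in code, as an added example that is not from the article or from Yahoo: the unsalted MD5 the breach coverage describes sits next to a salted, stretched PBKDF2-HMAC-SHA256 store. The iteration count and record layout are my own choices for illustration; the record carries its own parameters so the work factor can be raised later and old records rehashed on the user’s next login, which is also how a legacy MD5 table gets migrated without a flag day.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the page's or Yahoo's code. Contrasts the storage the
# article criticises (unsalted MD5) with salted, stretched hashing.

def legacy_md5(password: str) -> str:
    """The broken baseline: no salt, no stretching. Identical passwords give
    identical digests, and precomputed tables crack them wholesale."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Work-factor parameters are assumptions for illustration; tune to your hardware.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt + stretch. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)            # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO or not iters.isdigit():
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters),
                                    dklen=len(digest_hex) // 2)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than current policy (wrong algorithm
    or too few iterations); rehash it at the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    # Two users who chose the same password: MD5 reveals it, the salted store does not.
    print(legacy_md5("password"), legacy_md5("password"))
    print(hash_password("password"))
    print(hash_password("password"))
```

The constant-time comparison matters less than the salt and the work factor, but it costs nothing; the part that most teams skip is `needs_rehash`, which is what turns a one-off fix into a policy that keeps up with hardware.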

Takeaways from the Yahoo breach show a growing trend that finds hackers “breaching user accounts, not necessarily to infiltrate corporate networks and applications, but to grab highly sensitive data hiding in email and other unstructured file stores,” per Kevin Cunningham, president and co-founder of SailPoint. He goes on to add that “Yahoo email accounts are likely chock full of sensitive files, such as tax or financial documents and healthcare information. And that’s what hackers are after today: sensitive data that is ripe for the taking.” The challenge faced is in protecting unstructured data, which Cunningham estimates could comprise 80 percent of enterprise data, particularly for organizations that don’t have “proper” visibility into that stored data. “Not only do companies struggle to understand what data even lives in these unstructured data stores, but because hackers often steal copies, it’s sometimes impossible to know what data was even taken …And, even if you identify and stop an attack, the data is still in the hands of the bad guys.” It’s time to move on from poor or outdated security strategies and certain established practices by cloud storage SaaS companies.


A malware called Alice: We’ve seen a lot of activity around ATM malware, especially in the last half of this year. None of it good. This latest entry is described as lightweight and compact by the researchers at Trend Micro who discovered it last month while working with Europol on ATM malware. In fact, it is the “most stripped down” they have encountered. Alice is designed for one purpose: it solely empties the safe of ATMs. It cannot be controlled via the numeric pad of ATMs, and has no information stealing features. Alice appears to run on any vendor’s hardware that uses the Microsoft Extensions for Financial Services (XFS) middleware. It checks for the presence of that XFS environment to confirm it is on an ATM; otherwise, it terminates itself. ATM malware has been around since 2007, and until now has been very much a niche offering with only 8 unique families including Alice. This surge in development is key as it shows “a clear tendency for malware writers to attack an ever-increasing variety of platforms. This is especially acute against ATMs”. As ATM malware becomes mainstream look for attackers to create custom packing and more obfuscation.

Large pepperoni and hold the password: Now this is customer service! Domino’s UK is advising customers to change their passwords. An email was sent out recommending users choose something “strong and unique to avoid fraudulent account activity, owing to recent large-scale data breaches and password reuse across multiple websites”. This is seen as a preventative measure and no, Domino’s has not been hacked. However, customers of the pizza chain have been caught up in the mega breaches and used passwords on multiple accounts including Domino’s.

Methbot: Russian botnet steals from US companies: Russian cybercrime continues to prove why it is so efficient. This highly lucrative botnet has been taking $5 million daily from US brands and media companies. According to researchers from White Ops, the operation watches 300 million video-based adverts daily. These show on legit domains owned by Fortune, ESPN, CBS Sports etc. to generate revenue. Methbot goes after the most expensive advertising on the web. It shows signs of engagement to fool the ad providers into thinking content is being watched. The scammers make it look like someone is actually watching with mouse clicks and by posting on fake sites. They know what the key signals are to send. And they are making serious money. While based in Russia, data centers in Texas and Amsterdam are being used along with forged IP records. The zombie PCs in the botnet are registered to major US ISPs to look legitimate. http://www.zdnet.com/article/methbot-5-million-a-day-stolen-from-us-companies/#ftag=RSSbaffb68


No Tidings of Joy as Lights go out again in the Ukraine: This past Saturday, the Ukraine had a power outage. Almost a year to the day after the attack on the power grid last December. And now, it’s looking like this may have been a cyberattack. Ukrenergo says that the outage at the North substation Petritsi caused a blackout in the capital city Kiev and region. Power was restored after an hour. The main culprit is cited as “external interference through the data network” and cybersecurity experts are investigating. Attribution is a dangerous game; we’ll need to follow reports as they develop.

Hailstorm: New attack method in malware: According to researchers at Cisco Talos, attackers are using new spam tactics. Dubbed “Hailstorm”, the attacks evade online defenses and spread malware via phishing. The methodology involves sending large bursts of spam over very short periods of time, per the Talos Dec. 19 blog. The spam is sent from IP addresses around the world to throw off anti-spam filters that look at sender reputation or volume. Spam is more than a nuisance. It can lead to drive-by downloads, fraud and identity theft, and the compromise of business emails. https://www.scmagazine.com/hailstorm-spam-tactics-used-to-deliver-malware-in-phishing-emails/article/580143/
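The hailstorm description above implies a detection that per-IP reputation and per-IP volume filters miss: group incoming mail by the lure (sender domain plus normalized subject) rather than by source address, and alert when one lure arrives in a burst from many distinct IPs. The following is an added example, not from Talos or the article, run over a constructed gateway log in a simple space-separated format I made up (timestamp, client IP, envelope sender, quoted subject); real MTA logs differ and would need their own parser.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Added example, not Talos's or the article's code. Constructed log: ten messages
# with the same lure land within 40 seconds from ten different IPs (the hailstorm);
# the newsletter lines are ordinary traffic from one IP.
SAMPLE_LOG = """\
2016-12-19T09:00:00Z 192.0.2.5 news@example-news.test "Monday digest"
2016-12-19T10:00:00Z 203.0.113.11 billing@example-mailer.test "Invoice 4411 attached"
2016-12-19T10:00:04Z 198.51.100.7 billing@example-mailer.test "Invoice 4411 attached"
2016-12-19T10:00:08Z 203.0.113.45 billing@example-mailer.test "Invoice 4411 attached"
2016-12-19T10:00:12Z 198.51.100.90 billing@example-mailer.test "Invoice 4411 attached"
2016-12-19T10:00:16Z 192.0.2.200 billing@example-mailer.test "Invoice 4411 attached"
2016-12-19T10:00:20Z 203.0.113.77 billing@example-mailer.test "Invoice 4411 attached"
2016-12-19T10:00:24Z 198.51.100.13 billing@example-mailer.test "Invoice 4411 attached"
2016-12-19T10:00:28Z 192.0.2.131 billing@example-mailer.test "Invoice 4411 attached"
2016-12-19T10:00:32Z 203.0.113.9 billing@example-mailer.test "Invoice 4411 attached"
2016-12-19T10:00:36Z 198.51.100.250 billing@example-mailer.test "INVOICE 4411  attached"
2016-12-19T11:00:00Z 192.0.2.5 news@example-news.test "Monday digest"
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, sender, subject)."""
    ts, ip, sender, subject = line.split(" ", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, sender, subject.strip().strip('"')


def campaign_key(sender, subject):
    """Group by the lure, not the source: sender domain plus case/space-normalized subject."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return domain, " ".join(subject.lower().split())


def detect_hailstorm(log_text, window_s=60, min_msgs=10, min_ips=5):
    """Alert once per campaign whose messages within any window_s-second window
    number at least min_msgs and come from at least min_ips distinct IPs."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, sender, subject = parse_line(line)
            events[campaign_key(sender, subject)].append((when, ip))

    alerts = []
    for key, evs in events.items():
        evs.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            ips = {ip for _, ip in window}
            if len(window) >= min_msgs and len(ips) >= min_ips:
                alerts.append({"campaign": key, "first_seen": window[0][0],
                               "messages": len(window), "distinct_ips": len(ips)})
                break
    return alerts


def per_ip_counts(log_text):
    """What a per-sender-IP volume filter sees: messages per source address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            counts[parse_line(line)[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_hailstorm(SAMPLE_LOG):
        print(alert)
    print(per_ip_counts(SAMPLE_LOG))
```

The per-IP view is the point of the second function: every hailstorm source sent exactly one message, so a filter keyed on source address has nothing to act on, while the campaign view lights up inside the first minute.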

SWIFT attacks continue: We’re just not in the loop anymore. Apparently the attacks are evolving, and SWIFT has told member banks, in an undisclosed letter from Nov. 2, that “attacks on its systems have only become more sophisticated in their strategies”. “The threat is very persistent, adaptive and sophisticated – and it is here to stay”. This is despite the work by regulators globally to toughen bank security measures. And the word is that “a fifth of them are hitting paydirt for the attackers”, per Stephen Gilderdale, head of SWIFT’s Customer Security Programme. Now the hackers exploit tech support software to gain access, then send victims phony payment instructions via the SWIFT network. SWIFT emphasizes that all those attacks detected “exploited SWIFT interfaces used by its customers” but that the SWIFT communications network itself was not impacted. In light of this, warnings are being issued to small businesses to realize the threat to them is real. Scams have become more sophisticated and will continue to evolve.


SYNOPSIS: Week ending Dec. 9

Companies need to tighten social media: Think dynamic, unstructured and unregulated datasets. Now think of how many employees are accessing these freely from corporate accounts and on corporate networks. 40% of organizations have been spearphished via social media. In fact, it outpaces all other web-based attacks. Yes – even email, at 10 to 1. Any C-level account is a prime target. Be mindful of corporate accounts caught up in breaches. Those credentials are often reused and make other accounts vulnerable. 2FA may just become your BFF in this case. Establish and enforce corporate policies for social media on company time and company devices.

Netgear routers compromised – severe flaw: Another day, another SOHO router flaw. This time, Netgear’s R7000 and R6400 routers are at risk of arbitrary command injection flaws. Which would let attackers run commands with root privilege status. Worse, the code to exploit the vulnerability is now public, and appears quite easy to do. There is no fix at this time and CERT has advised users not to use the routers for the time being. Yes, that bad.

Bigger, badder botnets? Cloudflare has spotted a very large botnet in the wild that launched huge DDoS attacks at the US west coast for days. Although sources say the botnet is not related to Mirai, it has the potential to become as powerful. The strongest attack peaked at more than 480 Gbps, sending large Layer 3 and Layer 4 floods aimed at the TCP protocol. This comes on the heels of recent attacks in Germany that knocked over 900K users off their connections. Akamai has warned gamers to expect more Christmas fear instead of cheer with game systems being DDoS’d as in past.

Experian says database for sale on darknet isn’t theirs: Ah the irony. Last week Experian issued a white paper on their predictions for data breaches next year. (You can check that out here https://www.experianplc.com/media/news/2016/what-will-the-data-breach-landscape-look-like-in-2017/) This week, someone on the darkweb is offering up what they claim to be Experian’s database. 203,419,083 accounts. At the price of $600. Experian denies that they have been compromised and says the claim is “unsubstantiated.”

Retro Linux Kernel Flaw: Another week, another longstanding Linux vulnerability comes to light. This time, it’s a five year old privilege escalation vulnerability that affects most distributions of the Linux OS. An unprivileged local user could gain root privileges by exploiting a race condition. The exploit created by a security researcher defeats the SMEP/SMAP protection to gain kernel code execution abilities. The result: this exploit can cause a denial of service and crash the server, or run arbitrary malicious code.

August Malware uses PowerShell for fileless infection, targets retail: PowerShell is the heart and soul of Windows 10. It has also been trending in the exploit charts for obvious reasons. This new malware contains malicious macros and is distributed by TA530, which has been involved in very personalized campaigns. This new campaign targets customer service and managerial staff in retail to steal credentials and sensitive documents. The victims are presented with a problem seeking their assistance. Upon opening the document, they are prompted to enable the macros, which launch PowerShell and then August. “The malicious payload is downloaded from a remote site as a PowerShell byte array, along with a few lines of code to deobfuscate the array through an XOR operation.”
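Both the August item here (a byte array XOR-deobfuscated by a few lines of PowerShell) and the BaneChant list earlier (“multi-byte XOR encryption on executable file” to defeat network binary extraction) rely on the same weak trick, and an analyst holding the captured blob does not need the dropper’s key to undo it. Below is an added example, not from FireEye, Proofpoint or the article, that recovers a repeating multi-byte XOR key from known plaintext every Windows executable carries (“MZ” at offset 0 and the DOS stub message at offset 0x4E) and then validates the result by walking to the PE signature. The encoded sample is a constructed PE-like image, not a real payload; the key length cap and the specific key are my own choices.

```python
# Added example: analyst-side recovery of a repeating XOR key from a captured
# payload, using known plaintext that any PE file contains. Not the malware's
# code; the sample image and key below are constructed for illustration.

DOS_STUB = b"!This program cannot be run in DOS mode."
KNOWN = {0: b"MZ", 0x4E: DOS_STUB}     # offset -> bytes every PE has there


def xor_bytes(data, key):
    """Apply a repeating-key XOR (encoding and decoding are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_fake_pe(size=256):
    """Constructed minimal PE-like image: DOS header with e_lfanew -> 0x80,
    the DOS stub message at 0x4E, and 'PE\\0\\0' at 0x80. Not a real binary."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")       # e_lfanew
    img[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    img[0x80:0x84] = b"PE\0\0"
    for i in range(0x84, size):                          # deterministic filler
        img[i] = (i * 37 + 11) & 0xFF
    return bytes(img)


def recover_xor_key(blob, max_len=16):
    """Return the shortest repeating key (1..max_len bytes) consistent with the
    known plaintext at KNOWN offsets, or None if no key length fits."""
    for length in range(1, max_len + 1):
        key = [None] * length
        consistent = True
        for offset, plain in KNOWN.items():
            for j, p in enumerate(plain):
                pos = offset + j
                if pos >= len(blob):
                    consistent = False
                    break
                k = blob[pos] ^ p                    # key byte this position implies
                slot = pos % length
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:                 # two positions disagree: wrong length
                    consistent = False
                    break
            if not consistent:
                break
        if consistent and None not in key:
            return bytes(key)
    return None


def is_pe(data):
    """Independent check: follow e_lfanew (not part of the known plaintext) to 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_capture(blob):
    """Recover the key, decode, and return (key, plaintext); (None, None) if it is not a PE."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    plain = xor_bytes(blob, key)
    return (key, plain) if is_pe(plain) else (None, None)


if __name__ == "__main__":
    captured = xor_bytes(build_fake_pe(), b"\x5a\xa3\x17\xc4\x0b")   # constructed capture
    key, plain = decode_capture(captured)
    print("recovered key:", key.hex(), "valid PE:", is_pe(plain))
```

Forty consecutive known bytes pin down every key position for any length up to 40, and the `MZ` bytes plus the PE-signature walk reject lengths that merely happen to fit the stub; for samples that strip the DOS stub, the same routine works with any other fixed plaintext you can anchor at a known offset.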

Hackers and Canada’s Energy Depts: It’s no secret. We’ve been hacked. Reports show that since January 2016, Canada’s Communications Security Establishment (CSE) had detected 4,571 instances when government systems were compromised by hackers. What is noteworthy is that many of these were in natural resources, energy, and environmental agencies. After that was industry and business development, and then government administration. Data was exfiltrated but only in 3 cases of the 4,571 system compromises —once in the natural resources, energy, and environment sector. The stolen information was apparently unclassified. This report is new and these statistics are the first of their kind for Canada. The results verify Canada is at real risk, especially with regard to critical infrastructure, and are higher than the same sectors in the USA.

No Antibiotics for Hospital Ransomware: In another recent hospital ransomware attack in October, systems belonging to the Northern Lincolnshire and Goole NHS Foundation Trust were impacted to the point that operations were interrupted for four days, cancelling 2800 appointments. According to Pam Clipson, director of strategy and planning at Northern Lincolnshire and Goole NHS Foundation Trust, “ransomware reached several systems and forced the security department to knock them offline for cleaning”. Systems were infected with Globe2 ransomware, and not by a USB which had initially been suspected. The hospital chose not to pay the ransom, but instead took systems offline to remove the ransomware themselves. Globe2 is a variant of the Jigsaw crypto virus for which a decryption tool was built soon after.

It’s beginning to look a lot like DDoS: Another day, another dangerous device. Adding to the count of potential botnet recruits are these two cameras. Researchers in Austria found a pair of backdoor accounts in at least 80 different IP camera models made by Sony Corp. The Sony IPELA Engine IP Cameras are used by enterprises and authorities. The backdoor accounts could be used by remote attackers to take over the web server built into the devices and then enable “telnet” on them for remote logons, which Mirai could then access via the backdoor accounts and factory default passwords. Users will need to manually update the firmware. But wait, there’s more. Israeli security experts have found exploitable weaknesses in almost 500K white-labeled IP camera models. These devices all have the default password 888888, which in the consumer models will likely remain untouched. What’s uber-scary is that these cameras have a factory-default peer-to-peer communications ability. This enables remote cloud access via the manufacturer’s site, and using a little reverse engineering, the cameras can be taken over via the company’s own cloud network. Unlike the Sony cameras, these currently are not being sought out by Mirai.

SYNOPSIS: Week ending Dec. 2

BE ON THE WATCH FOR: Shamoon Wiper malware returns in Saudi attacks: This marks a disturbing trend in the recent and damaging cyber attacks in Saudi Arabia. Palo Alto Networks and Symantec spotted the attack using Shamoon, or Disttrack, on a Saudi company. Shamoon laid waste to data from hard drives in over 30k computers and rewrote the master boot record in the attacks back in 2012 against Saudi Aramco. The threat is back but there is no clear motive; however, it is believed to be the original group from 2012 given key similarities. “According to Symantec, this is a carefully planned operation. The malware was configured with passwords that appear to have been stolen from the targeted organizations. Attackers used these credentials to rapidly spread the threat across the targeted organization’s network.”

Destructive attacks against Saudi Arabia: It appears state-sponsored hackers have gone after Saudi Arabia in a series of destructive attacks. What is of note is that these erased data and affected critical infrastructure, including the computers running the country’s airports. Apparently several government agencies were targeted. Digital evidence indicated Iran was involved, but no official statements have been made. The attack on Saudi Aramco in 2012 is another example of the rare case in which cyber weapons are deployed; this case differs in that the weapon was detonated inside the networks of several targets at once. Thousands of computers were destroyed at the HQ of Saudi Arabia’s General Authority of Civil Aviation, erasing critical data and stopping operations for several days. Few details reached the outside world, however, and travel was not disrupted. Given the recent election of Trump and the volatility of the region, especially regarding Iran and the nuclear deal, similar attacks can be expected.

NIST releases new security guidelines for the IoT
Yes! This is a great starting point and we need them. NIST Special Publication 800-160 has been released: 260 pages on, one hopes, how not to have a repeat of the DYN DDoS outage. The guidelines are “strictly voluntary” for the 7 billion items currently connected online, a number that may well triple by 2020. A key objective is to “use established engineering processes to ensure that needs, concerns and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner.” I say “Make it so!”

Busted! Major cyber crime ring taken down: Good news for the good guys. The Avalanche network, which served as a delivery platform for global malware attacks and money-mule recruiting campaigns, has been taken down by a coordinated effort across 30 countries. Its operators netted hundreds of millions of euros through malware attacks. This counts as “the largest ever use of sinkholing to combat botnet infrastructures and is unprecedented in scale, with over 800K domains seized, sinkholed or blocked.” Over one million fraudulent emails were sent and 20 different malware families were involved.


Has your Google Account been hacked? The Gooligan malware campaign targets Android devices and has infected more than a million, at a rate of 13,000 new additions daily. If you run Android 4 (Jelly Bean or KitKat) or Android 5 (Lollipop), consider yourself at risk. The infection comes via third-party apps and malicious links from phishing. A rootkit is downloaded to steal authentication tokens, which can then be used to reach data in Google Play, Gmail, Google Photos, Docs, Drive etc. It also installs an app that uses the stolen account to post ratings that boost the crap apps. You can check your account at the Check Point website. https://gooligan.checkpoint.com


Heads UP. US may be next. ATM jackpotting: The FBI has issued a heads up to the US about a recent cybercrime trend where infected ATMs spit out millions of dollars literally into the waiting hands of thieves. The crime syndicate Buhtrap has netted a small fortune from countries on the other side of the ocean, including the UK. The attackers use phishing emails to launch the malware and gain access to the bank’s network. With admin privileges, they can reach the ATMs and the workstations of those who control them.


Critical router flaw knocks 900K Germans offline: Almost a million Deutsche Telekom customers lost their connections on Sunday and Monday because of an attempt to hijack their broadband routers into a botnet. Yes, DDoS. The routers of choice were Zyxel and Speedport models, and the attackers exploited a vulnerability in two protocols the ISP uses to manage devices remotely. The attack had the routers download and execute malicious code, which would let the attackers crash or exploit them and then commandeer them. A patch is available now.


Hacker Behind the San Fran Mass Tran Ransomware gets hacked: According to security researcher Brian Krebs, the party behind the attack wasn’t as careful as they thought, and now his email has been accessed, revealing some interesting details, including the many other businesses, mostly construction-based, that were targets. Of note is that the attacker was looking for common vulnerabilities, one of which was the “weblogic unserialize exploit, targeting Oracle Corp server product” per Brian Krebs on his website. The Java deserialization vulnerability was made known almost 18 months ago, and is believed to have been an underlying factor in the hospital ransomware attacks earlier this year, which went after system vulnerabilities as opposed to access via phishing emails. Many systems run older, unpatched versions of JBoss middleware and are exploitable. Also noteworthy, and impressive, is that SFMTA is not paying the ransom and will restore its systems from backups. “Considering paying that ransom was never an option,” per Paul Rose, SFMTA spokesman.

Carleton U Ransomware attack: On Tuesday of this week, Carleton University in Ottawa, Canada became the latest Canadian university to be hit by ransomware. In June, the University of Calgary was hit and paid $20,000 to get back up and running. Hackers have demanded a payment of 39 bitcoin, roughly $39K. Any Windows-based system accessible from the main network may have been compromised. Students were advised to shut down their computers, stay off the wireless network, ignore any ransom pop-up messages and report them. The impact, however, is ongoing: research is halted while computers are either shut down or infected. There is no confirmation as yet about who is responsible or whether the ransom will be paid. Services impacted include email, Carleton Central and the MyCarleton Portal, as well as library services.

Tech support scammers serve up Ransomware: We are all familiar with the calls from “Windows” informing us our computers are at risk. Those are scams, but in this case the order is reversed: victims are told to call “Windows support” at the number provided after their computers have already been infected with VindowsLocker ransomware. In an interesting twist, the scammers demand valuable personal information, including Social Security numbers, credit card details, etc., that can be used later. Decryption keys were being stored on Pastebin and expiring before they could be used. However, Malwarebytes was able to create a decryptor tool. The delivery method for the ransomware has not yet been determined. Because the ransomware uses only symmetric crypto, all the files are encrypted with the same key, which is what makes a single decryptor workable once that key is recovered.

Kangaroo Ransomware: It’s not cute but will make you hopping mad. From the developer of the Apocalypse, Fabian and Esmeralda ransomware families comes this new variant. Not only does it encrypt your data, it also locks victims out of Windows. This is done by terminating Explorer processes on startup and preventing the launch of Task Manager. Apparently the screen locker can be disabled in Safe Mode or by pressing ALT+F4. What’s interesting is that this variant does not spread by the usual means. Instead, it arrives over RDP sessions.

SYNOPSIS: Week ending Nov. 26

BE ON WATCH FOR: 2017: Combined Social Media/Botnet Attack Vectors: The now-infamous Mirai botnet has raised awareness of our increasing exposure and risk from the Internet of Things. And racing alongside that threat is our ever-increasing use of social media. Botnets for hire, as deployed by gangs of script kiddies like Lizard Squad, are nothing new. Leveraging social media to increase the strength of these botnets is. A recent example is Linux/Moose, which used compromised Linux-based routers to command enslaved devices to commit fraud and spread the malware on social media. Twitter, Facebook, Instagram: all can be used to push malware, and we can’t get enough of them. So what do you think will happen when we combine our obsession with all gadgets tech with all things online and social?


Personal Data of US Navy Leaked:  The personal data of more than 134,000 current and former Navy sailors has been leaked via a compromised laptop. Names and social security numbers were stored in the laptop that was used by an HP Enterprise Services staffer, and reportedly “accessed by unknown individuals”.  No further details have been released since the Navy first learned of the breach on Oct 27th but an NCIS investigation is ongoing.

Hackers Harvest Credit Card Data From Madison Square Garden: For more than a year, millions of attendees may have been caught up in this latest payment card breach. On Tuesday this week, MSG warned customers that data on the magnetic stripe of credit cards had been exposed. This data included card numbers, names, expiration dates and internal verification codes. Confirmation of the infection came in late October, and now there is question as to the delay in revealing this information. The breach is similar to other payment card breaches at large hotel chains and retailers, due to malware targeting data from transactions at point of sale terminals. It did not affect cards used on MSG websites or ticket sales.

You know this is one of my key areas, given my talks on SWIFT, banking insecurities and organized cybercrime groups like Lazarus and Carbanak.

Follow Up to the Bangladesh Bank Heist: Remember the attack that took $100 million from the bank in Bangladesh early this year? Charges have been filed against 5 officials of RCBC bank and a former treasurer, Raul Tan, who had “willfully ignored” suspicious activity. The Anti-Money Laundering Council found the parties guilty “because they should have noticed something was wrong and intervened immediately.” Only $15 million has been recovered and returned. $2.7 million more has been frozen. The remainder has apparently changed hands several times and is somewhere in the Philippines casino industry. No other arrests have been made despite investigations by the FBI, Interpol, local police and authorities. The bulk of the blame in a recent report falls on Tan as having been able to “enhance due diligence … convene the anti-money laundering committee” etc.

InPage Zero Day Used in Attacks Against Banks: Attacks against banks in the Middle East have been attributed to a zero-day vulnerability in InPage publishing software, popular in the region. Kaspersky made the disclosure after numerous attempts to privately report the bug apparently went ignored. Kaspersky says “it’s possible a number of criminal or nation-state actors are using this exploit” based on the attacks it has recorded against banks and government agencies in Asia and Africa. The exploit spreads via phishing, and builds off several Office exploits. An interesting comparison is attacks against governments in South Korea via vulnerabilities in the Hangul Word Processor, which FireEye traced back to North Korea.

Hacker Group COBALT hits ATMs Across Europe: We know ATMs are risky business. This year there have been some major attacks and coverage of these as a favoured target. The latest siege, Cobalt, covers a wide swath across the UK, Spain, Russia, Romania, the Netherlands, much of Eastern Europe and Malaysia. According to Group-IB researchers, a large number of machines are attacked at once, and Cobalt appears to be linked to the cybercrime syndicate Buhtrap. The malware used causes infected machines to spit out cash in an attack known as “jackpotting”. Noteworthy is how this is being described as “the new model of organized crime”. Earlier this month the FBI issued warnings to US banks following those ATM heists, taking into account the attacks in Taiwan and Thailand, when thieves grabbed over 260,000 pounds from Thailand’s Government Savings Bank and $2.5 million from Taiwan. The world’s two largest ATM manufacturers, NCR and Diebold Nixdorf, are working to manage the threat. More heists are expected.

Lessons From the TESCO Bank Attack: 2016 brought banking insecurities to the forefront via massive heists, new Trojans, ATM attacks and shutdowns. The recent attack on Tesco online bank in the UK, which is a good parallel to our PC Bank here in Canada, serves as a reminder that banks, and all businesses in general, need to know their environments. That means having controls in place to alert on changes to key files and configurations. Because as humans, we are fallible. Mistakes will be made. And that is what the attackers are literally “banking on”. File integrity monitoring and configuration management security ensure that if and when changes are made, they are valid and validated. This blog is a good run through of the how and why.
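What that “alert on changes to key files” control looks like in miniature, as an added example (Python, written for this page; not from the post, Tesco or any FIM product): hash every regular file under a directory, record content hash plus mode bits and size as the baseline, and report what was added, removed, or changed in content or permissions. The directory layout and the tampering in demo() are constructed for illustration.

```python
"""Minimal file-integrity baseline and change report (added example, not from the post)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file's content, streamed so large files don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> {sha256, mode, size} for every regular file under root.
    Symlinks are skipped: following them would let a planted link pull in
    content from outside the monitored tree."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": _digest(p),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify differences into added / removed / modified.
    A permission change with identical content still counts as modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(
        p for p in set(old) & set(new)
        if old[p]["sha256"] != new[p]["sha256"] or old[p]["mode"] != new[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a config directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        before = build_baseline(root)
        # Tampering: edit the config, drop a new script, make passwd world-writable.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")
        os.chmod(root / "etc" / "passwd", 0o666)
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the script does not do for you: the baseline has to be kept somewhere the attacker cannot edit (off-host or signed), otherwise the monitor just confirms whatever was already changed; and it has to run on a schedule against a known-good baseline, because a comparison made after the intrusion only tells you what changed since then.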


Chinese Company Backdoors on Cheap Android Phones: Don’t say I didn’t warn you. According to security firm Kryptowire, Shanghai Adups Technology designed the backdoor to track customer behavior for Chinese phone manufacturers and carriers. The software runs updates on over 700 million devices globally. While this was intended for the Chinese market, mistakes were made and it got onto BLU devices sold through Amazon and Best Buy. Sorry not sorry? The backdoor was delivered as an upgrade via FOTA, firmware over the air. What info is being sent: full-body text messages, contact lists, call histories and numbers, and the IMSI. Yes. Applications can be remotely installed without user consent. Reports are that this has since been addressed via a self-update to 120,000 devices.

Hackers Using Popular MailChimp to Spread Malware: MailChimp is an email newsletter service that has now found itself in the employ of hackers looking to net more phish. Outsourcing newsletter distribution saves time, money and admin hassles, especially for smaller organizations, which is why MailChimp is a popular service. It appears that individual accounts at MailChimp were hacked. While MailChimp claims to have things in check, it is “strongly encouraging” users to set up 2FA.


Linux 0-Day Unicorn: Scriptless Exploit: A scriptless exploit bypasses the current protections built into Linux. In fact, this exploit code gets past fully patched Linux distros with drive-by attacks that can install keyloggers, backdoors and other malware. The exploit uses a memory corruption vuln in the GStreamer framework, which ships by default with mainstream Linux distributions. And it does not rely on code to execute its memory manipulations. By eliminating the need for JavaScript or other code to work on the memory, the exploit carries out attacks “that would otherwise be impossible”. Chris Evans is the security researcher who developed the code, and he stresses the importance of understanding that scriptless exploits are possible, even with excellent security provisions in place.


ESET Tool Offers Decryption Keys for Crysis Ransomware: Master decryption keys for Crysis ransomware are now available thanks to the folks at ESET, who have made a free app available to anyone needing to free their files. This should help take a bite out of the approximately US$84,000 ransomware nets monthly. And given that the profit margin is estimated at 1425%, the ROI only invites more players, and replacement variants are ready and waiting. Since a picture is worth a thousand words:



Be Wary! Facebook Messenger Being Used to Spread Locky Ransomware: Stop! Do not click that image link in your Facebook messages, regardless of who sent it. There is an ongoing spam campaign delivering Locky ransomware via .SVG image files, using Nemucod as the downloader. The .SVG format lets attackers embed content, like JavaScript, inside the image file itself, and that content runs when the file is opened in a web browser. Victims are taken to fake sites and asked to download malicious browser extensions to view the file.
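A quick static triage check for SVGs arriving over a channel like this, as an added example written for this page (not from the post, and not the tooling of Facebook or of the Locky campaign): parse the file as XML and flag the features that let an “image” run or fetch code, namely script elements, on* event handlers, javascript: URLs and external references. The two sample SVGs are constructed; the example.invalid host is a placeholder and is never contacted.

```python
"""Static triage of SVG files for active content (added example, not from the post)."""
import re
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/1999/xlink}href'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list:
    """Return a list of findings describing active content in an SVG document."""
    findings = []
    # A DOCTYPE inside an image file is itself suspicious (entity-expansion attacks),
    # and the stdlib parser is not hardened against it, so refuse to parse further.
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        return ["DOCTYPE declaration present; not parsed"]
    root = ET.fromstring(data)  # raises ParseError on malformed XML
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("<script> element (%d bytes inline)" % len((el.text or "").strip()))
        elif tag in ("foreignobject", "iframe", "embed", "object"):
            findings.append("<%s> element can embed non-SVG content" % tag)
        for attr, val in el.attrib.items():
            name = _local(attr)
            v = val.strip().lower()
            if name.startswith("on"):
                # onload, onclick, onmouseover ... all run script in a browser.
                findings.append("event handler %s on <%s>" % (name, tag))
            elif name in ("href", "src"):
                if v.startswith("javascript:"):
                    findings.append("javascript: URL in %s on <%s>" % (name, tag))
                elif v.startswith("data:") and "script" in v:
                    findings.append("data: URL with script content in %s on <%s>" % (name, tag))
                elif re.match(r"^(https?:)?//", v):
                    findings.append("external reference in %s on <%s>: %s" % (name, tag, val))
    return findings


# Constructed samples: one benign drawing, one carrying the tricks above.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)

ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>window.location = 'http://example.invalid/view'</script>
  <image xlink:href="http://example.invalid/pic.png" width="10" height="10"/>
  <a xlink:href="javascript:alert(1)"><text y="15">click to view</text></a>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, scan_svg(doc) or "no findings")
```

This is a triage filter, not a verdict: a benign SVG from a design tool can legitimately carry an external stylesheet reference, and an attacker can hide script behind an entity or a data: URL the regexes above do not catch. The safer mail-gateway policy is the one the findings argue for anyway, which is to rasterise or drop SVG attachments from untrusted senders rather than trying to sanitise them.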


Well Now … Oracle buys DYN: This should be interesting. On Nov. 21 Oracle announced it would be acquiring DYN, the cloud-based DNS and internet performance provider we all now know from the recent and massive DDoS attack. DYN is a global network that drives 40 billion traffic optimizations daily for 3500 enterprise customers like Twitter and Netflix. What added security will Oracle bring to this mix to ward off future DDoS attacks? Let’s just say they don’t hold the record for success in security patch management.

Symantec Buys LifeLock for $2.3 billion:  Will bigger be better? Time will tell. This newest arrangement will create “the world’s largest digital safety platform” for both consumers and business. The deal should close first quarter 2017. And with AV software increasingly being denounced as no longer relevant in the face of new threats and attack vectors, Symantec is looking to renew its brand and status. Given the explosion of data and commensurate boom of IoT insecurity, a whole lot of data, and identities, are at risk. Identity theft is just part of what security will need to address beyond diagnosis of the threat. The ongoing advancements in tech for data analytics afford security firms like Symantec a great opportunity to serve this purpose.

SYNOPSIS: Week ending Nov 19. Fair warning: with Trump at the helm, and Putin maneuvering unchecked in a global chess game, my political side will start showing.


Let the Phishing Games Begin! Hours after Trump’s election, Russian hackers began their phishing pursuits anew against the US. In a blog post by Steven Adair, security researcher with Volexity, there are reports that five different attacks took place on US-based think tanks and non-governmental organizations (NGOs) by APT29, aka Cozy Bear or The Dukes, using compromised email accounts claiming to come from Harvard’s Faculty of Arts and Sciences. The Dukes’ malware employs steganography to hide their backdoor, and their anti-VM checks and PowerShell scripts help them sidestep bots and sandboxes and evade analysis. They are looking to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future.


The Growing Risks of Free WiFi: Recently, a security researcher was able to exploit a buffer-overflow flaw in a network load balancer, a reverse proxy device. At risk: the data of thousands of people in the city using that WiFi service. The key point is how easy it would be for an attacker to capture even a single router through a design flaw, of which there are many, and about which most users are oblivious. Faulty configuration and vulnerable, unpatched firmware are what widen the attack surface so that connected devices can be hijacked. The recent and massive DDoS attacks herald what is coming via these devices and the IoT.

What we’re not thankful for… a word of warning on DDoS: With US Thanksgiving, Black Friday and Cyber Monday coming up, making a giant contribution to the IoT, be prepared for another DDoS attack using the Mirai botnet.  Akamai is warning now that based on attacks over previous holidays, we should expect more of the same, only worse. It says that malicious actors will be working to understand better how to capture their own huge botnet of IoT devices and build the largest DDoS ever.


Capgemini and Michael Page Recruitment Firm Breach: On Nov. 10 details were revealed of a massive data breach affecting UK-based recruitment firm Michael Page, which operates globally. Over 30 GB of data leaked the personal details of millions of job seekers online. Potentially 780,000 jobseeker records were in the dump, and the data included phone numbers, locations, job type etc. The breach comes down to a basic server-side risk: .sql database dump files exposed on a publicly facing website.

Lightning Strikes Twice – Adult Friend Finder Hacked Again: More than 400 million accounts were exposed in the latest attack on the adult website, many with plaintext passwords. The compromise was via a local file inclusion exploit: the site’s code allowed access to files on the server that were NOT supposed to be public. Interestingly, more than a million accounts have the password “123456” while more than 100,000 have the password “password”.
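The local file inclusion pattern in miniature, as an added example written for this page (Python, not the site’s actual code, whose language the story does not say): a handler that builds a filesystem path from a request parameter, beside a version that canonicalises the path and refuses anything that does not land directly inside the allowed directory. The directory layout, file names and the “secret” config file are constructed.

```python
"""Local file inclusion: vulnerable handler beside a hardened one (added example)."""
import tempfile
from pathlib import Path


def read_page_vulnerable(pages_dir: Path, page: str) -> str:
    """Joins user input straight onto a base directory: '../' walks out of it,
    and an absolute path replaces the base entirely."""
    return (pages_dir / page).read_text()


def read_page_hardened(pages_dir: Path, page: str) -> str:
    """Canonicalise first, then require the result to sit directly inside pages_dir."""
    base = pages_dir.resolve()
    candidate = (base / page).resolve()  # collapses '..' and follows symlinks
    # The parent must be exactly base (no subdirectories, no escapes, no symlink
    # planted inside base that points outside it) and only .html files are served.
    if candidate.parent != base or candidate.suffix != ".html":
        raise PermissionError("refused: %r" % page)
    return candidate.read_text()


def demo() -> dict:
    """Constructed layout: served pages in one directory, a secret config one level up."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        pages = root / "pages"
        pages.mkdir()
        (pages / "about.html").write_text("<h1>About</h1>")
        (root / "config.php").write_text("db_password=hunter2")  # never meant to be served
        results = {
            "normal": read_page_vulnerable(pages, "about.html"),
            "lfi": read_page_vulnerable(pages, "../config.php"),  # leaks the secret
            "hardened_ok": read_page_hardened(pages, "about.html"),
        }
        for attempt in ("../config.php", "/etc/hostname", "about.html/../../config.php"):
            try:
                read_page_hardened(pages, attempt)
                results[attempt] = "allowed"
            except (PermissionError, FileNotFoundError):
                results[attempt] = "refused"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-32s %s" % (key, value))
```

For a handful of pages a fixed allowlist (a dict from page name to file) is simpler and better than any path check; resolve-and-compare is for the case where the set of files is not fixed. Either way the check belongs on the resolved path, not on the raw string, because “..” can be smuggled through encodings the string check never sees.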

8 Million GitHub Profiles Leaked: Security researcher Troy Hunt received a MongoDB backup file that contains information on GitHub users and accounts, specifically from a site known as GeekedIn that matches developers with jobs. GitHub’s statement was that third parties often scrape public data for research etc., and so long as it isn’t being sold or abused, that is okay. However, GeekedIn is actually selling this info, and a lot of people, including Troy Hunt, are included in that data for sale. He offers a link for people to check if they are among those offered up on his site https://haveibeenpwned.com/NotifyMe. https://www.troyhunt.com/8-million-github-profiles-were-leaked-from-geekedins-mongodb-heres-how-to-see-yours/

UK Carrier Three Mobile Hacked: Millions of customer records have been exposed through an attack on Three Mobile. Hackers accessed a database containing info on six million customers. No payment data was there, but names, addresses, phone numbers and birthdays were. The hackers were targeting users eligible for new handset upgrades so they could order and intercept the new units for resale. Three Mobile reports it has had an increase in phone thefts and upgrade scams.

Canadian Army Recruitment Website Hacked: On Thursday, the Canadian Armed Forces recruitment site was hacked, to redirect those interested in signing up to the Chinese government’s main page instead.  Officials confirmed the hack was real and worked rapidly to take the page down. This is part of the ongoing attack by foreign hackers against government sites, notably China, which was called out in 2014 by the Conservative government at the time.


Ransoc Ransomware: This new variant doesn’t lock down your files, but rather opens your personal details up. It targets Windows computers via a browser locker distributed through malvertising. It scrapes Skype and social media profiles from Facebook, LinkedIn etc. for personal items; it also looks for torrent files and other content that could be dubious. The malware uses this to point to “illegal” activity and posts a ransom note on the user’s screen. The threat performs an IP check and sends all traffic through Tor. Warning: if you have downloaded media files through Tor, expect to get ransomed. http://www.securityweek.com/ransoc-ransomware-blackmails-victims

CrySis Ransomware Decryption Keys released to public: A little good news. Kaspersky Lab confirmed that master decryption keys for this ransomware family have been released, giving some folks hope of getting their files back. According to Lawrence Abrams of Bleeping Computer, “it could have been the ransomware developer who posted the key on the site’s CrySis support forum page; the post included a Pastebin link to a header file written in C that contains the master decryption keys and instructions on how to use them.”


Russian Banks Latest Target in DDoS Attacks: The attacks against major Russian banks last week should keep us mindful of where DDoS is heading. They were powered by compromised IoT devices, according to an unnamed Russian Central Bank official, and took the banks down for extended periods of time. At the root is the ongoing message around password management and removing default passwords from both consumer and industrial devices.


New Android Spyware Caught in the Wild: Malware hunters have bagged a rather nasty catch. À la Hacking Team, though not by that infamous group, this new spyware, made in Italy, is marketed to governments and police forces. The malware performs the usual functions: surreptitiously records video and audio, activates GPS, steals data from phones and takes screenshots. A new up-and-coming surveillance firm, Raxir, is likely the creator. After the demise of Hacking Team last year, other companies are seeking to fill the void.

More Android bad news: China helping itself to user info: According to the New York Times, a Chinese company, Adups, has been pre-loading Android phones with software that sends the user’s text messages, location information and call records to a Chinese server. While that may come as no surprise, neither should the fact that security researchers had already told Adups they knew what was going on, and had warned vendors about the backdoors, several years ago. According to the researcher whistle-blowers, there were no device updates, save one, and downstream manufacturers didn’t push the updates. What the phones send back: contact lists and unique identifiers like the IMSI. The firmware collected and sent information about the apps being used on the phone, as well as bypassing the Android permission model, executing remote commands with escalated system privileges and remotely programming devices.