Daily NCSC-FI news followup 2019-07-16

Commando VM: The Complete Mandiant Offensive VM

isc.sans.edu/diary/Commando+VM%3A+The+Complete+Mandiant+Offensive+VM/25136 Penetration testers commonly use their own variants of Windows machines when assessing Active Directory environments. Commando VM was designed specifically to be the go-to platform for performing these internal penetration tests. The benefits of using a Windows machine include native support for Windows and Active Directory, using your VM as a staging area for C2 frameworks, browsing shares more easily (and interactively), and using tools such as Pow

Google to remove Chrome’s built-in XSS protection (XSS Auditor)

www.zdnet.com/article/google-to-remove-chromes-built-in-xss-protection-xss-auditor/ Google engineers plan to remove a Chrome security feature that, for years, has not been living up to the protections it was supposed to provide.

Analysis: Server-side polymorphism & PowerShell backdoors

www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors While the URL of the file SkypeApp64.exe was already down as of analysis, the sample remains malicious even without the executable. The CNC server that hosts the file SearchI32.js has server-side polymorphism, in which the hosted JavaScript (JS) files are modified each time they are accessed, making static detection difficult.

Eavesdropping smart devices have long been the subject of speculation, yet even a professor of cybersecurity was a little surprised: "We will certainly return to this"


Amadeus! Amadeus! Pwn me Amadeus! Airline check-in bug may have exposed all y’all boarding passes to spies

www.theregister.co.uk/2019/07/16/amadeus_bug_light_pass/ Specifically, Stubley explained, when a traveler went to view their boarding pass, Amadeus presented the paperwork on a page with a URL that includes the passenger’s ID number. This ID number could be changed to another number to call up other boarding passes from other Amadeus customers, such as British Airways, Air France, and United Airlines, without any further authentication. Just change the number in the web address bar and hit enter to fetch the
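The flaw described above is a plain insecure direct object reference: a sequential passenger ID in the URL is the only thing standing between one traveller and everyone else's boarding passes. The following is an added illustration (not Amadeus's code and not from the article) of that vulnerable lookup beside a hardened one; the store layout, booking references, passenger names and helper names are assumptions made for the example.

```python
"""Sequential-ID boarding-pass lookup (IDOR) beside a hardened lookup.

Constructed example; the names, store layout and booking references are
assumptions, not Amadeus's code or data.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BoardingPass:
    pnr: str        # booking reference the pass belongs to
    passenger: str
    flight: str


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested pass."""


@dataclass
class PassStore:
    by_seq_id: dict = field(default_factory=dict)  # sequential id -> pass
    by_token: dict = field(default_factory=dict)   # random token -> pass
    next_id: int = 1000

    def add(self, bp: BoardingPass):
        seq = self.next_id
        self.next_id += 1
        token = secrets.token_urlsafe(24)          # 192 random bits, not enumerable
        self.by_seq_id[seq] = bp
        self.by_token[token] = bp
        return seq, token


def view_pass_vulnerable(store: PassStore, pass_id: int) -> BoardingPass:
    """The shape described in the article: whatever number is in the URL is served."""
    return store.by_seq_id[pass_id]


def view_pass_hardened(store: PassStore, session_pnr: str, token: str) -> BoardingPass:
    """Two independent gates: an unguessable reference, plus an ownership check
    against the booking the caller authenticated for (e.g. PNR + surname)."""
    bp = store.by_token.get(token)
    if bp is None or not secrets.compare_digest(bp.pnr, session_pnr):
        raise Forbidden            # same error for unknown token and wrong owner
    return bp


def enumerate_vulnerable(store: PassStore, start: int, count: int):
    """What an attacker does with the vulnerable endpoint: walk the id space."""
    found = []
    for pid in range(start, start + count):
        try:
            found.append(view_pass_vulnerable(store, pid).passenger)
        except KeyError:
            pass
    return found


def demo():
    store = PassStore()
    my_id, my_token = store.add(BoardingPass("ABC123", "A. Traveller", "BA0117"))
    store.add(BoardingPass("XYZ789", "B. Stranger", "AF1180"))
    store.add(BoardingPass("QRS456", "C. Stranger", "UA0924"))

    # Vulnerable endpoint: incrementing the id leaks every other passenger.
    leaked = enumerate_vulnerable(store, my_id, 3)

    # Hardened endpoint: a guessed token fails, and so does a valid token
    # presented from a session authenticated for a different booking.
    blocked = []
    for pnr, tok in (("ABC123", "guess"), ("XYZ789", my_token)):
        try:
            view_pass_hardened(store, pnr, tok)
        except Forbidden:
            blocked.append((pnr, tok == my_token))
    own = view_pass_hardened(store, "ABC123", my_token).passenger
    return leaked, blocked, own


if __name__ == "__main__":
    print(demo())
```

The random token alone would already have stopped the enumeration the article describes, but a link that leaks (forwarded email, browser history, referer) would still open the pass; binding the lookup to the authenticated booking closes that second path, which is why the hardened version keeps both checks.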

Meet Extenbro, a new DNS-changer Trojan protecting adware

blog.malwarebytes.com/trojans/2019/07/extenbro-a-new-dns-changer-trojan-protecting-adware/ Recently, we uncovered a new DNS-changer called Extenbro that comes with an adware bundler. These DNS-changers block access to security-related sites, so the adware victims can't download and install security software to get rid of the pests.

Hackers Hit Bulgaria Sending Data From Russian Email

www.themoscowtimes.com/2019/07/16/hackers-hit-bulgaria-sending-data-from-russian-email-a66431 Hackers stole thousands of Bulgarians’ personal financial data and distributed it from a Russian-based email in an attack possibly related to the purchase of new F-16 fighter jets from the United States, the government said on Tuesday.

ENISA Management Board selects new Executive Director

www.enisa.europa.eu/news/enisa-news/enisa-management-board-selects-new-executive-director Today 16 July 2019, the Management Board of the European Union Agency for Cybersecurity (ENISA) selected Mr. Juhan Lepassaar to be the new Executive Director of the Agency.

Meet the World's Biggest Bulletproof Hoster

krebsonsecurity.com/2019/07/meet-the-worlds-biggest-bulletproof-hoster/ In a talk given at the Black Hat security conference in 2017, researchers from cyber intelligence firm Intel 471 labeled Yalishanda as one of the top-tier bulletproof hosting providers worldwide, noting that in just one 90-day period in 2017 his infrastructure was seen hosting sites tied to some of the most advanced malware contagions at the time, including the Dridex and Zeus banking trojans, as well as a slew of ransomware operations.. His current bulletproof hosting service is called Media Land LLC. This finding is supported by documents maintained by Rusprofile.ru, which state that an Alexander Volosovik is indeed the director of a St. Petersburg company by the same name.. However, occasionally big-time bulletproof hosters from those CIS countries do get disrupted and/or apprehended. On July 11, law enforcement officials in Ukraine announced they'd conducted 29 searches and detained two individuals in connection with a sprawling bulletproof hosting operation.. [Upcoming paper on this, "Platforms in Everything: Analyzing Ground-Truth Data on the Anatomy and Economics of Bulletproof Hosting", to be presented at the USENIX Security conference on 2019-08-15]

Active Cyber Defence (ACD) – The Second Year

www.ncsc.gov.uk/report/active-cyber-defence-report-2019 The second report examining how the NCSC’s ACD programme is improving the security of the UK public sector and the wider UK cyber ecosystem.


www.wired.com/story/medtronic-insulin-pump-hack-app/ Two years ago, researchers Billy Rios and Jonathan Butts discovered disturbing vulnerabilities in Medtronic's popular MiniMed and MiniMed Paradigm insulin pump lines. An attacker could remotely target these pumps to withhold insulin from patients, or to trigger a potentially lethal overdose. And yet months of negotiations with Medtronic and regulators to implement a fix proved fruitless. So the researchers resorted to drastic measures. They built an And.. The FDA's Schwartz says, though, that while the relevant models of MiniMed pump are not widely used in the US anymore, they have "a lot of usage worldwide." Part of the reason it took time to announce the voluntary recall, she says, was the difficulty of coordinating with regulatory agencies around the world to coordinate the voluntary recall on an international level.

Topinambour & Windows event logs

www.cert.at/services/blog/20190716140317-2501_en.html "Now let me raise a question: 'Is it normal for a standard user to run cmd.exe /c net use \\$IP-ADDRESS\…?' I would say it's not, and therefore seeing this in an event log can be considered an investigative hint, or can be an event triggering an investigation in a SOC team.".. "I'm not saying building up centralized monitoring of Windows client event logs, including the relevant events, is easy, or that using event logs is the only way of detection. What I'm saying is: if you don't do it, you are missing a lot of incredibly useful information for SOC teams as well as client administrators."
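The question the post raises translates directly into a detection over Security event 4688 (process creation) records, provided the "Include command line in process creation events" policy is on, since the CommandLine field is empty otherwise. The following is an added example, not code from CERT.at or the post, that runs that check over a few constructed 4688-shaped records: it extracts the UNC target of any `net use`, suppresses accounts for which mapping shares is routine, and rates the hit higher when the target is a raw IP literal and the parent is a script host or Office process. The account allow-list, parent list, user names and addresses are assumptions made for the example.

```python
"""Flag 'net use \\\\<target>' process creations (Security event 4688) by
non-privileged users. Added example with constructed data; field names follow
the 4688 event schema, everything else is an assumption for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# 'net use' (or net1, the helper that net.exe spawns) followed by a UNC target,
# with an optional drive letter. Group 1 is the host part of \\host\share.
NET_USE_RE = re.compile(
    r"(?:^|[\s\"'/])net1?(?:\.exe)?\s+use\s+(?:[a-z]:\s+)?\\\\([^\\\s]+)",
    re.IGNORECASE,
)

# Accounts for which mapping shares is routine. Constructed allow-list for this
# example; in production this is an explicit, reviewed list, never a wildcard.
PRIVILEGED_ACCOUNTS = {
    ("NT AUTHORITY", "SYSTEM"),
    ("CORP", "svc-backup"),
    ("CORP", "adm-ops"),
}

# Parents that have no business mapping network drives on a workstation.
SCRIPT_OR_OFFICE_PARENTS = {
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
    "winword.exe", "excel.exe", "outlook.exe", "rundll32.exe",
}


@dataclass
class Finding:
    user: str
    target: str
    target_is_ip: bool
    parent: str
    command_line: str
    severity: str


def net_use_target(command_line: str):
    """Host part of the UNC path in a 'net use' command line, or None."""
    m = NET_USE_RE.search(command_line)
    return m.group(1) if m else None


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_event(ev: dict):
    """Return a Finding for a suspicious 4688 record, else None."""
    if ev.get("EventID") != 4688:
        return None
    target = net_use_target(ev.get("CommandLine", ""))
    if target is None:
        return None
    who = (ev.get("SubjectDomainName", ""), ev.get("SubjectUserName", ""))
    if who in PRIVILEGED_ACCOUNTS:
        return None
    parent = ev.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    ip_literal = is_ip_literal(target)
    # Raw IP target from a script/Office parent is the dropper-style shape;
    # a hostname mapped from Explorer is far more likely to be the user's own doing.
    if ip_literal and parent in SCRIPT_OR_OFFICE_PARENTS:
        severity = "high"
    elif ip_literal or parent in SCRIPT_OR_OFFICE_PARENTS:
        severity = "medium"
    else:
        severity = "low"
    return Finding("\\".join(who), target, ip_literal, parent, ev["CommandLine"], severity)


def scan(events):
    return [f for f in map(inspect_event, events) if f is not None]


# Constructed sample records, shaped like 4688 fields after XML-to-dict parsing.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cmd.exe /c net use \\192.0.2.45\share\ /user:guest pass"},
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "adm-ops",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net use Z: \\fileserver01\dept"},
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" report.txt'},
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "mlee",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"net use H: \\fs02.corp.example\home"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user} -> \\\\{f.target} via {f.parent}: {f.command_line}")
```

The same logic ports one-to-one to a SIEM rule; the parts worth keeping are the explicit, reviewed account allow-list (rather than excluding everything that looks administrative) and the parent-process context, which is what separates a dropper from a user mapping a drive.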

Zoom RCE Flaw Also Affects Its Rebranded Versions RingCentral and Zhumu

thehackernews.com/2019/07/zoom-ringcentral-vulnerabilities.html The same security vulnerabilities that were recently reported in Zoom for macOS also affect two other popular video conferencing software that under the hood, are just a rebranded version of Zoom video conferencing software.
