Daily NCSC-FI news followup 2019-11-06

BlueKeep RDP Attacks are Starting: Patch CVE-2019-0708 Now

www.fortinet.com/blog/threat-research/bluekeep-rdp-attacks-starting-patch-now.html Microsoft patched a critical Remote Desktop Services Remote Code Execution Vulnerability this past May, 2019. Identified as CVE-2019-0708, and also known as BlueKeep, this remote code execution vulnerability can be exploited when an unauthenticated attacker connects to a target system using RDP and then sends specially crafted requests. This vulnerability exists pre-authentication and requires no user interaction. An attacker who successfully exploits this vulnerability could then execute arbitrary code on the target system.

Smarter Devices, Smarter Fraud: Overlooked Threats in IoT Security

securityintelligence.com/posts/smarter-devices-smarter-fraud-overlooked-threats-in-iot-security/ X-Force Red, IBM Security's team of hackers, is hired by a variety of companies to find and help fix vulnerabilities exposing their most important assets to potential attacks. One sector that is increasingly looking into the security of its products is internet of things (IoT) manufacturers that build and sell IoT technologies such as smart home kits, cameras, appliances, televisions, security systems and even smart light bulbs.

U.S. Cyber Command Shares Seven New Malware Samples

www.us-cert.gov/ncas/current-activity/2019/11/06/us-cyber-command-shares-seven-new-malware-samples U.S. Cyber Command has released seven malware samples to the malware aggregation tool and repository VirusTotal. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review U.S. Cyber Command's VirusTotal page to view the samples.

More malspam pushing Formbook

isc.sans.edu/forums/diary/More+malspam+pushing+Formbook/25492/ Formbook is an information stealer that has been active since early 2016. My previous diary about Formbook was in February 2018, and not much has changed since then. We still see malicious spam (malspam) pushing Formbook through malicious attachments. A quick check through Twitter or URLhaus reveals several items tagged as Formbook in recent weeks.

Explained: How New ‘Delegated Credentials’ Boosts TLS Protocol Security

thehackernews.com/2019/11/delegated-credentials-for-tls.html Mozilla, in partnership with Facebook, Cloudflare, and other IETF community members, has announced technical specifications for a new cryptographic protocol called "Delegated Credentials for TLS." Delegated Credentials for TLS is a new, simplified way to implement "short-lived" certificates without sacrificing the reliability of secure connections.

DarkUniverse APT Emerges to Deliver Sophisticated, Targeted Spy Attacks

threatpost.com/darkuniverse-apt-targeted-spy-attacks/149927/ A sophisticated espionage APT that was active for at least eight years before receding into the shadows has been uncovered, and researchers said that it may still be active. In April 2017, ShadowBrokers published one of their many leaks of cyberweapons used by the National Security Agency (NSA) and other tools. This cache contained a script that hunted for the fingerprints of other APTs within a compromised network. Also:


Kamerka OSINT tool shows your country’s internet-connected critical infrastructure

www.zdnet.com/article/kamerka-osint-tool-shows-your-countrys-internet-connected-critical-infrastructure/ Kamerka lets you see what a hacker sees. It plots maps with SCADA equipment, webcams, and printers that have been left exposed on the internet inside any given country. A Polish security researcher has created an open-source intelligence (OSINT) gathering tool that indexes information about sensitive internet-connected devices and plots their approximate location on a map. The researcher says he created the tool as a way to allow organizations to scan their networks and identify vulnerable equipment, but the tool also has its dark side, as it can be used by attackers to target organizations with less effort than ever before.

The decision to disconnect a whole country from the network was made in seconds: "the options are either bad or even worse"

www.tivi.fi/uutiset/tv/cb8e7210-fb4e-41c7-9a84-cba6e7366d90 Microsoft had to cut an entire country off from its online services because of the NotPetya ransomware in June 2017. According to CISO Brett Arsenault, the worst moment of his career as a security chief was having to make that decision within a few seconds.

New Megacortex Ransomware Changes Windows Passwords, Threatens to Publish Data

www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/ A new version of the MegaCortex Ransomware has been discovered that not only encrypts your files, but now changes the logged-in user's password and threatens to publish the victim's files if they do not pay the ransom. For those not familiar with MegaCortex, it is a targeted ransomware installed through network access provided by trojans such as Emotet. Once the MegaCortex actors gain access, they then push the ransomware out to machines on the network via an Active Directory domain controller or post-exploitation kits.

Emotet is a modular malware, first reported in 2014 as a banking trojan, that quickly evolved into its current modular form, which supports everything from spamming to theft of emails and propagation using worm-like exploits, and even incorporates the notorious Trickbot malware as a module.

www.netscout.com/blog/asert/emotet-whats-changed Emotet, a banking trojan turned downloader, continues to make waves in the downloader scene despite recent hibernations.

Trend Micro: Our super-duper security software will keep you safe from everyone except our staff who go rogue

www.theregister.co.uk/2019/11/06/trend_micro_leak/ Trend Micro today revealed one of its staff went rogue and illegally sold the personal information of roughly 120,000 of its customers. The security software vendor said names, email addresses, ticket support numbers, and in some cases phone numbers, of around one per cent of Trend's 12 million customers, were copied from an internal database by the worker and sold off to an outside scammer. Also:


German Dridex spam campaign is unfashionably large

www.virusbulletin.com/blog/2019/11/german-malspam-campaign-unfashionably-large/ On this blog we have regularly reported on the tendency among malicious spam campaigns to be smaller in scale and more targeted, thus improving their chances of evading spam filters; indeed, we described exactly this strategy two days ago when writing about Emotet. However, there are always exceptions to such trends: yesterday morning we spotted two fairly large spam campaigns with Excel attachments. The campaigns, which were in German, were everything that most malspam campaigns are not: large in scale, sent to many older spam traps, and with the same attachment shared by all emails in the campaign.

Actively exploited bug in fully updated Firefox is sending users into a tizzy

arstechnica.com/information-technology/2019/11/scammers-are-exploiting-an-unpatched-firefox-bug-to-send-users-into-a-panic/ Fraudulent tech-support sites cause Firefox to freeze while displaying scary message. Scammers are actively exploiting a bug in Firefox that causes the browser to lock up after displaying a message warning the computer is running a pirated version of Windows that has been hacked.

Facebook Privacy Breach: 100 Developers Improperly Accessed Data

threatpost.com/facebook-privacy-breach-developers-group-data/149930/ Facebook said that 100 third-party app developers have improperly accessed the names and profile pictures of members in various Facebook groups, data that was restricted in 2018 by the platform after its Cambridge Analytica privacy snafu. Also:

A hidden feature in some newer models of the vendor's programmable logic controllers leaves the devices open to attack. Siemens says it plans to fix it.

www.darkreading.com/vulnerabilities---threats/siemens-plc-feature-can-be-exploited-for-evil---and-for-good/d/d-id/1336277 An undocumented access feature in some newer models of Siemens programmable logic controllers (PLCs) can be used both as a weapon by attackers and as a forensic tool by defenders, researchers have discovered.

For over two decades, the firewall has been the de facto tool that facilitated secure connectivity between different networks. Firewalls were traditionally designed around the idea that internal traffic and users were inherently trustworthy and external traffic wasn't.

blogs.cisco.com/security/the-death-of-the-network-perimeter-and-the-firewall-not-so-fast Thus, the firewall was deployed to create a trust boundary or perimeter between networks. This network perimeter became the logical security control point to protect an organization's network, data, users, and devices.

Vulnerability hunting with Semmle QL: DOM XSS

msrc-blog.microsoft.com/2019/11/06/vulnerability-hunting-with-semmle-ql-dom-xss/ In two previous blog posts (part 1 and part 2), we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of the most common types of client-side vulnerabilities: DOM-based cross-site scripting (XSS).
