Daily NCSC-FI news followup 2019-11-12

BlueKeep freakout had little to no impact on patching, say experts

www.theregister.co.uk/2019/11/11/bluekeep_didnt_boost_patching/ According to SANS, those reports did not do much to get people motivated. The security institute says that the rate of BlueKeep-vulnerable boxes it tracks on Shodan has been on a pretty steady downward slope since May, and the media’s rush to sound alarms over active attacks did not change that.

Ransomware attack at Mexico’s Pemex halts work, threatens to cripple computers

www.reuters.com/article/us-mexico-pemex-idUSKBN1XM041 MEXICO CITY (Reuters) – A ransomware attack hit computer servers and halted administrative work on Monday at Mexican state oil firm Pemex, according to employees and internal emails, in hackers' latest bid to wring ransom from a major company. An internal email seen by Reuters said Pemex was targeted by Ryuk, a strain of ransomware that experts say typically targets companies with annual revenue between $500 million and $1 billion. Pemex said in a statement late on Monday that attempted cyber attacks the day before were neutralized in a timely manner and affected less than 5% of its computers.

Researchers Find New Approach to Attacking Cloud Infrastructure

www.darkreading.com/cloud/researchers-find-new-approach-to-attacking-cloud-infrastructure/d/d-id/1336327?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple Cloud APIs’ accessibility over the Internet opens a new window for adversaries to gain highly privileged access to cloud assets. At this year’s Black Hat Europe, Gofman and Shani plan to demonstrate an alternative new approach to attacking cloud infrastructure in a talk titled “Inside Out: The Cloud Has Never Been So Close.” Their methodology involves using a graph to show permission relationships between different entities, revealing risky choke points that need to be addressed and eliminated. The outcome of this graph, they say, can be used by red and blue teams to gain a deeper understanding of permission relationships in cloud environments. After explaining the connections, they’ll show how attackers can abuse features to gain privileges.
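The permission-graph idea in the item above can be illustrated with a small reachability analysis. The following is an added example written for this digest, not code from the talk, Dark Reading, or any cloud provider; the tenant, entity names and edges are constructed and hypothetical, and the "choke point" score (how many other entities lose their path to a privileged target when one node is removed) is an assumption about what a blue team would want to measure, not the speakers' method.

```python
from collections import deque

# Constructed sample tenant (hypothetical names): each edge means the source
# can obtain the permissions of the destination (assume a role, use a key, ...).
SAMPLE_EDGES = [
    ("user:dev-alice", "role:ci-runner"),
    ("user:dev-bob", "role:ci-runner"),
    ("role:ci-runner", "role:deploy"),
    ("role:deploy", "role:admin"),
    ("user:contractor", "role:readonly"),
    ("role:readonly", "role:deploy"),
    ("user:ops-carol", "role:admin"),
]


def build_graph(edges):
    """Adjacency map: node -> set of nodes whose permissions it can obtain."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reaches(graph, start, target, removed=frozenset()):
    """Breadth-first search: can `start` obtain `target` without passing through `removed` nodes?"""
    if start in removed:
        return False
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in graph[node]:
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def entities_reaching(graph, target):
    """Every entity that has some path to the privileged target."""
    return sorted(n for n in graph if n != target and reaches(graph, n, target))


def choke_points(graph, target):
    """For each node on a path to `target`, count how many *other* entities lose
    their path if that node (its role binding, key or trust edge) is removed.
    Highest score first: those are the bindings most worth reviewing or cutting."""
    sources = entities_reaching(graph, target)
    scores = []
    for node in sources:
        cut = [s for s in sources
               if s != node and not reaches(graph, s, target, removed={node})]
        if cut:
            scores.append((node, len(cut)))
    return sorted(scores, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    print("can reach role:admin:", entities_reaching(g, "role:admin"))
    print("choke points:", choke_points(g, "role:admin"))
```

In the constructed tenant the read-only contractor role turns out to reach admin through the deploy role, and removing the deploy binding cuts the path for five of the seven entities, which is the kind of choke point the item says the graph is meant to surface.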

Google brings its secret health data stockpiling systems to the US

www.theregister.co.uk/2019/11/12/google_brings_its_secret_health_data_stockpiling_systems_to_the_us/ Updated: Google is at it again: storing and analyzing the health data of millions of patients without seeking their consent – and claiming it doesn't need their consent either. Following a controversial data-sharing project within the National Health Service (NHS) in the UK, the search engine giant has partnered with the second-largest health system in the United States, St Louis-based Ascension, to collect and analyze the health records of millions of patients. Also

www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790

www.wired.com/story/google-is-slurping-up-health-dataand-it-looks-totally-legal/

TrickBot Malware Uses Fake Sexual Harassment Complaints as Bait

www.bleepingcomputer.com/news/security/trickbot-malware-uses-fake-sexual-harassment-complaints-as-bait/ Fake sexual harassment complaints appearing to come from the U.S. Equal Employment Opportunity Commission are the latest bait used by attackers to disseminate TrickBot banking Trojan payloads onto the computers of unsuspecting employees of large companies. Original at

www.malcrawler.com/awesome-spear-phish-techniques-from-those-tricky-tricksters-from-trickbot/

Can regulations improve cybersecurity? In APAC, opinions vary

www.welivesecurity.com/2019/11/12/can-regulations-improve-cybersecurity-apac-opinions-vary/ An ESET-commissioned survey among enterprises also shows that while respondents in most countries agree on the need to bolster cyber-defenses, some are reluctant to adopt cybersecurity solutions.

Popular Android phones can be tricked into snooping on their owners

techcrunch.com/2019/11/08/android-baseband-flaws/ Baseband firmware accepts special commands, known as AT commands, which control the device's cellular functions. These commands can be used to tell the modem which phone number to call. But the researchers found that these commands can be manipulated. The researchers developed a tool, dubbed ATFuzzer, which tries to find potentially problematic AT commands. Paper at

www.documentcloud.org/documents/6543391-ATFuzzer.html

Eksote has reviewed the security hole: the data leak affects over 700 clients

www.eksote.fi/eksote/ajankohtaista/2019/Sivut/Eksote-käynyt-läpi-tietoturva-aukon–tietovuoto-koskee-yli-700-asiakasta.aspx The South Karelia Social and Health Care District (Eksote) has reviewed the documents that were exposed through a security hole. Through the data leak it was possible to obtain personal data related to the administrative processes of over 700 clients. Eksote has filed a request for investigation with the police regarding the data leak in the M-Files document management system. Also

www.tivi.fi/uutiset/tv/309f06a4-a268-49ad-8c96-eaf20189570b

General election 2019: ‘Cyber-attack’ on Labour Party digital platforms

www.bbc.com/news/election-2019-50388879 BBC report. Also

uk.reuters.com/article/uk-britain-election-labour-cyber-website/cyber-attack-on-labour-party-was-short-lived-attempt-to-take-down-websites-source-idUKKBN1XM1D3 An initial investigation indicated the attack was not particularly sophisticated, the official said. It was really very everyday, nothing more than what you would expect to see on a regular basis.

www.theregister.co.uk/2019/11/12/labour_party_reports_cyber_attack/

yle.fi/uutiset/3-11064685?origin=rss

Payment security backslides for second straight year, says Verizon

www.zdnet.com/article/payment-security-backslides-for-second-straight-year-says-verizon/ Verizon’s 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. PCI DSS was launched by Visa in 2004 and organizations were supposed to be in compliance within 5 years. Compliance improved gradually from 2010 to 2016 and then started to decline. The lack of payment compliance raises a lot of security issues.

YouTube BitCoin Videos Pushing Predator Info-Stealing Trojan

www.bleepingcomputer.com/news/security/youtube-bitcoin-videos-pushing-predator-info-stealing-trojan/ A new scam is underway on YouTube that uses videos to promote a tool that can allegedly generate the private key for a bitcoin address. The attackers claim this key would allow the viewer to access the bitcoins stored at that address, when in reality victims are infected with a password- and data-stealing Trojan.

Specially Crafted ZIP Files Used to Bypass Secure Email Gateways

www.bleepingcomputer.com/news/security/specially-crafted-zip-files-used-to-bypass-secure-email-gateways/ Attackers are always looking for new tricks to distribute malware without being detected by antivirus scanners and secure email gateways. This was illustrated in a new phishing campaign that used a specially crafted ZIP file designed to bypass secure email gateways and distribute the NanoCore RAT. When examining the file, the Trustwave researchers discovered that the ZIP archive contained two distinct archive structures, each marked by its own EOCD record.
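A gateway or scanner that only parses the first or the last end-of-central-directory (EOCD) record will see only one of the two archive structures described above. The following is an added example written for this digest, not code from Trustwave, BleepingComputer or the campaign itself: it builds a constructed two-archive ZIP in memory, scans the whole file for structurally valid EOCD records (checking that a central directory really precedes each candidate, so stray signature bytes inside compressed data are not counted), lists the entries each directory describes, and contrasts that with what Python's own zipfile sees. The entry names and contents are constructed sample data.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record signature
CD_SIG = b"PK\x01\x02"     # central directory file header signature
EOCD_FMT = "<4sHHHHIIH"    # 22-byte fixed part of the EOCD record
CD_FMT = "<4s6H3I5H2I"     # 46-byte fixed part of a central directory header


def build_zip(entries):
    """Build a small ZIP archive in memory (constructed sample data, not a real campaign file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: one ordinary archive and one made of two archives back to back.
SAMPLE_SINGLE = build_zip({"report.txt": b"quarterly figures"})
SAMPLE_CONCATENATED = (
    build_zip({"first.txt": b"visible to a parser that scans from the start"})
    + build_zip({"second.txt": b"visible to a parser that starts from the end"})
)


def parse_eocd(data, idx):
    """Validate a candidate EOCD at idx; return its fields, or None if the bytes are a false match."""
    if idx + 22 > len(data):
        return None
    _, _, _, _, total, cd_size, _, comment_len = struct.unpack(EOCD_FMT, data[idx:idx + 22])
    if idx + 22 + comment_len > len(data):
        return None                      # the archive comment would run past the end of the file
    cd_start = idx - cd_size             # the central directory sits directly before its EOCD
    if cd_start < 0:
        return None
    if total and data[cd_start:cd_start + 4] != CD_SIG:
        return None                      # signature bytes not backed by a real directory
    return {"offset": idx, "entries": total, "cd_start": cd_start, "end": idx + 22 + comment_len}


def find_eocd_records(data):
    """Scan forward through the whole file and return every structurally valid EOCD record."""
    records, start = [], 0
    while (idx := data.find(EOCD_SIG, start)) != -1:
        rec = parse_eocd(data, idx)
        if rec:
            records.append(rec)
        start = idx + 1
    return records


def names_in_central_directory(data, rec):
    """List the entry names described by one central directory."""
    names, pos = [], rec["cd_start"]
    for _ in range(rec["entries"]):
        if data[pos:pos + 4] != CD_SIG:
            break
        fields = struct.unpack(CD_FMT, data[pos:pos + 46])
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def analyze_zip(data):
    """Summarise how many archive structures a file carries and what each one lists."""
    recs = find_eocd_records(data)
    try:
        stdlib_names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        stdlib_names = None
    return {
        "eocd_count": len(recs),
        "multiple_archives": len(recs) > 1,   # flag for a gateway rule: more than one EOCD
        "names_per_archive": [names_in_central_directory(data, r) for r in recs],
        "stdlib_sees": stdlib_names,          # Python's zipfile reads the EOCD at the end of the file
    }


if __name__ == "__main__":
    print(analyze_zip(SAMPLE_SINGLE))
    print(analyze_zip(SAMPLE_CONCATENATED))
```

For the concatenated sample the forward scan reports two valid EOCD records with different entry lists, while Python's zipfile, which locates the EOCD from the end of the file, reports only the second archive's entry. A gateway rule that rejects or quarantines archives with more than one valid EOCD record catches this structure regardless of which archive a particular unpacker would pick.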

Ransomware forces New Mexico school district to scrub 30,000 devices

edscoop.com/ransomware-forces-new-mexico-school-district-scrub-30000-devices/ A New Mexico school district that had its systems infected by ransomware last month is now having to scrub the hard drives of about 30,000 devices, district officials announced Thursday.

Blueprint For Securing Industrial Control Systems

blog.checkpoint.com/2019/11/12/blueprint-for-securing-industrial-control-systems/ In order to secure Critical Infrastructure environments, it is vital to keep a holistic view and look at every part of the network, both the IT and OT parts, investigate the systems and processes in each zone, analyze the attack vectors and risk, and provide recommended security controls. Applying security to ICS should dissect the 6 different Purdue layers and how they map to different areas in the network. The idea is to explain the communication flows between the different levels in the Purdue model and how they should be secured.

Tampere's IT systems went down again: the same type of fault as last week

www.tivi.fi/uutiset/tv/d0c2e8c2-fd5a-45e0-bea4-2715d0ed11a9 The City of Tampere's data communications also suffered widespread disruptions last Wednesday. At that time, the cause of the disruptions was reported to be network updates made to the systems.

cyberstability.org/report/ [T]he Global Commission on the Stability of Cyberspace (GCSC) was convened to make recommendations for advancing cyberstability. […] the Commission crafted eight norms designed to better ensure the stability of cyberspace and address technical concerns or gaps in previously declared norms. [T]he Commission makes six recommendations which focus on strengthening the multistakeholder model, promoting norms adoption and implementation, and ensuring that those who violate norms are held accountable. For the members and supporters of the GCSC, however, as well as all those who support its goals, the hard work required to implement these principles, norms, and recommendations is just beginning. Begin it must, as the benefits of cyberspace will be lost if its stability is not ensured.

Don’t trust the Trusted Platform Module: it may leak your VPN server’s private key (depending on your configuration)

www.theregister.co.uk/2019/11/12/don/ In a paper [PDF] published on Tuesday, “TPM-FAIL: TPM meets Timing and Lattice Attacks,” researchers Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger describe how they successfully conducted black-box timing analysis of TPM 2.0 devices to recover 256-bit private keys for ECDSA (Elliptic Curve Digital Signature Algorithm) and ECSchnorr signatures that are supposed to remain […]. Website at tpm.fail/, paper at tpm.fail/tpmfail.pdf

PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers

www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/ We have found a new and undetected ransomware threat that is being used for targeted attacks against production servers of enterprises. Using code reuse analysis, we discovered this threat is closely related to the more_eggs backdoor malware, which is sold on the dark web by a veteran MaaS provider and has been used by the Cobalt Gang, FIN6, and other threat groups. We have named this ransomware PureLocker because it's written in the PureBasic programming language. It's worth noting that the ransom note does not ask for the payment type or for the monetary amount inside of the note itself, instead instructing the victim to contact the attacker via email. The attackers use the anonymous and encrypted Proton email service.

Page Cache Attacks paper, new version at CCS 19

misc0110.net/web/files/pagecacheattacks.pdf We systematically analyze the side channel by demonstrating different hardware-agnostic local attacks, including a sandbox-bypassing high-speed covert channel, an ASLR break on Windows 10, and various information leakages that can be used for targeted extortion, spam campaigns, and more directly for UI redressing attacks. We also show that, as with hardware cache attacks, we can attack the generation of temporary passwords on vulnerable cryptographic implementations. Our hardware-agnostic attacks can be mitigated with our proposed security patches, but the basic side channel remains exploitable via timing measurements.

TAA and other RIDL issues

mdsattacks.com/#ridl-ng On Nov 12, 2019, we (VUSec) disclose TSX Asynchronous Abort (TAA), a new speculation-based vulnerability in Intel CPUs, as well as other MDS-related issues, as described in our new RIDL addendum. In reality, this is no new vulnerability. We disclosed TAA (and other issues) as part of our original RIDL submission to Intel in Sep 2018. Unfortunately, the Intel PSIRT team missed our submitted proof-of-concept exploits (PoCs), and as a result, the original MDS mitigations released in May 2019 only partially addressed RIDL. You can read the full story below. Addendum at

mdsattacks.com/files/ridl-addendum.pdf

Update: New Variant of ZombieLoad enables attacks on MDS-resistant CPUs

zombieloadattack.com/ As of November 14th, 2019, we present a new variant of ZombieLoad that enables the attack on CPUs that include hardware mitigations against MDS in silicon. With Variant 2 (TAA), data can still be leaked on microarchitectures like Cascade Lake where other MDS attacks like RIDL or Fallout are not possible. Furthermore, we show that the software-based mitigations in combination with microcode updates presented as countermeasures against MDS attacks are not sufficient. Updated paper at zombieloadattack.com/zombieload.pdf, diff against the previous version at regmedia.co.uk/2019/11/12/zombieload_diff.pdf. Also www.theregister.co.uk/2019/11/12/zombieload_cpu_attack/

2019.2 IPU TSX Asynchronous Abort Advisory

www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html A potential security vulnerability in TSX Asynchronous Abort (TAA) for some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability. Intel would like to thank the following individuals for finding and reporting the vulnerability to us via coordinated disclosure. Intel thanks VU Amsterdam and CISPA for coordinating disclosure of TAA after the initial publication of their RIDL paper. Intel thanks TU Graz and KU Leuven for coordinating disclosure of TAA after the initial publication of their ZombieLoad paper.

Mother of All Drivers: New Vulnerabilities Found in Windows Drivers

eclypsium.com/2019/11/12/mother-of-all-drivers/ As part of our previous research, released in August 2019, Eclypsium researchers detailed how simple design flaws in widely distributed drivers can be abused by attackers to gain control over Windows-based systems, including the underlying system and component firmware of the device. We originally named 17 vendors affected by these vulnerable drivers. Now, as part of our ongoing analysis, we have discovered additional vulnerable drivers that are some of the most feature-rich we have seen to date, and which directly affect Intel-based devices. In this update, we detail the latest findings on these drivers and share the ongoing industry response to our previous disclosures. Also

www.theregister.co.uk/2019/11/12/bad_intel_drivers_eclypsium/

www.darkreading.com/threat-intelligence/researchers-disclose-new-vulnerabilities-in-windows-drivers/d/d-id/1336338

Manual code review finds 35 vulnerabilities in 8 enclave SDKs

www.zdnet.com/article/manual-code-review-finds-35-vulnerabilities-in-8-enclave-sdks/#ftag=RSSbaffb68 A team of British and Belgian academics looked at eight open-source enclave SDKs and found 35 vulnerabilities that can be exploited to run malicious code inside a computer’s most secure area. The research team’s work involved auditing all eight projects by performing manual code reviews of possibly vulnerable SDK functions that could be exploited for attacks. In total, the researchers said their manual code audit found 35 vulnerabilities across the eight SDKs, of which five received a CVE identifier. Paper at

people.cs.kuleuven.be/~jo.vanbulck/ccs19-tale.pdf. Source code at github.com/jovanbulck/0xbadc0de

Facebook bug shows camera activated in background during app use

www.cnet.com/news/facebook-bug-has-camera-activated-while-people-are-using-the-app/ “We recently discovered our iOS app incorrectly launched in landscape,” Rosen said. “In fixing that last week in v246 we inadvertently introduced a bug where the app partially navigates to the camera screen when a photo is tapped. We have no evidence of photos/videos uploaded due to this.”

Telegram MTProxy Servers Used to DDoS Iranian Cloud Provider

www.bleepingcomputer.com/news/security/telegram-mtproxy-servers-used-to-ddos-iranian-cloud-provider/ As Telegram continues to be banned in Iran, users in the country route their messenger communication through MTProxy servers, which make the traffic look random through encryption. This makes restricting it difficult, allowing the servers to fulfill their anti-censorship purpose. The company notes that these distributed attacks are different from what was seen before. They targeted Arvan Cloud edge servers, had no domain defined in the requests, traffic was recorded at layer two (data link), and did not use a common protocol.

As 5G Rolls Out, Troubling New Security Flaws Emerge

www.wired.com/story/5g-vulnerabilities-downgrade-attacks/ At the Association for Computing Machinery’s Conference on Computer and Communications Security in London today, researchers are presenting new findings that the 5G specification still has vulnerabilities. And with 5G increasingly becoming a reality, time is running out to catch these flaws. Paper at

delivery.acm.org/10.1145/3360000/3354263/p669-hussain.pdf

Plugging the Data Leak in Manufacturing

threatpost.com/plugging-data-leak-manufacturing/150132/ Increasingly, manufacturers are deploying IoT technology to better facilitate automation and help increase productivity. Car manufacturers, railways and even companies in the food and beverage space are using families of networked sensors, actuators and other devices to collect production data and feed it to the cloud to gather further insight into their systems' efficiency. However, IIoT-generated data (calibrations, measurements and other parameters) still needs to be stored, managed and shared securely to provide a company with maximum impact. Failing to do so could have a drastic outcome and result in service disruptions, the loss of intellectual property and data leaks.
