
Latest news about information security threats and incidents


Prevention of security threats and incidents described below is wiser and cheaper than forensic investigations and mitigation of the consequences of a cyber attack.

You can get evidence of this fact from the news below.

Use our services to find and mitigate your security vulnerabilities before the security threat agents find them.


Vigil@nce - F5 BIG-IP APM: information disclosure via Enumerated Web Page, analyzed on 26/02/2019

F5 BIG-IP APM: information disclosure via Enumerated Web Page Synthesis of the vulnerability An attacker can bypass access restrictions to data via Enumerated Web Page of F5 BIG-IP APM, in order to obtain sensitive information. Vulnerable products: Severity of this weakness: 2/4. Consequences of an attack: data reading. (more)

Posted on 26 April 2019 7:01 pm


Beapy Cryptojacking campaign leverages EternalBlue exploit to spread

Security experts uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the EternalBlue exploit. Security experts at Symantec have uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the.... (more)

Posted on 26 April 2019 6:25 pm


BIND DNS Software Vulnerability Let Remote Attackers to Cause a Denial-of-service Condition

Internet Systems Consortium (ISC) published security updates for vulnerabilities in BIND DNS software that allow a remote attacker to cause a denial-of-service condition. BIND, which stands for “Berkeley Internet Name Domain”, is the most popular Domain Name System software used to resolve DNS queries for users. (more)

Posted on 26 April 2019 6:25 pm


P2P Weakness Exposes Millions of IoT Devices

Marrapese said a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39 percent of the vulnerable IoT things were in China; another 19 percent are located in Europe; seven percent of them are in use in the United States. (more)

Posted on 26 April 2019 5:50 pm


NSA recommends dropping massive phone surveillance operation due to overwhelming burdens

NSA recommends dropping surveillance program collecting information about millions of phone calls and text messages because of technical and legal burdens The National Security Agency (NSA) has told the White House it does not recommend continuing with widespread surveillance of US communications;.... (more)

Posted on 26 April 2019 5:50 pm


Reports Huawei to Supply UK Networks Draw Criticism

British officials downplayed reports that Prime Minister Theresa May will allow China’s Huawei to supply parts of the U.K.’s new internet network, a decision that goes against U.S. pleas to ban the firm as it could help Beijing’s spying efforts. British media reported Wednesday that the government.... (more)

Posted on 26 April 2019 5:48 pm


Fort Bragg cut power for thousands to test ‘real-world reactions’ to a cyber-attack

This story was updated at 6:30 a.m. Friday to note Fort Bragg issued an apology. Fort Bragg in North Carolina says the Army base had a “blackout” for more than 12 hours overnight Wednesday as part of a cyber-attack military exercise that came as a complete surprise to its tens of thousands of residents. (more)

Posted on 26 April 2019 4:50 pm


Protiviti enters partnership with RiskLens to offer cyber risk quantification - CISO MAG

PRNewswire: Global consulting firm Protiviti has launched a Cyber Risk Quantification as a Service offering in alliance with RiskLens, the leading provider of quantitative cyber risk management software. Through quantitative risk analysis using hard data, the offering enables CIOs and CISOs to.... (more)

Posted on 26 April 2019 4:43 pm


AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining

By Augusto II Remillano. Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by professionals. (more)

Posted on 26 April 2019 3:17 pm


NSA asks to end mass phone surveillance

The NSA has asked the White House to end its mass phone surveillance program because the work involved outweighs its intelligence value. (more)

Posted on 26 April 2019 3:13 pm


Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension

If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store. A WordPress security company—called “Plugin Vulnerabilities”—that recently gone.... (more)

Posted on 26 April 2019 3:13 pm


UK Cybersecurity Agency Won't Tip Regulator on Breaches (1) - Bloomberg Law

The U.K.’s cybersecurity agency said it won’t automatically share information about data breaches with the country’s data privacy regulator. The decision, which the National Cyber Security Centre and the Information Commissioner’s Office jointly announced Thursday, is designed to prevent new data.... (more)

Posted on 26 April 2019 3:06 pm


Security Vulns in Microsoft Products Continue to Increase

The good news: Removing admin privileges can mitigate most of them, a new study by BeyondTrust shows. A new analysis of Microsoft's security updates in 2018 suggests the company's long-standing efforts to build more secure products continue to be very much a work in progress. (more)

Posted on 26 April 2019 2:13 pm


China link alleged in hacking - Hong Kong Standard

Amnesty International's Hong Kong office has been hit by a years-long cyber attack from hackers with known links to the Chinese government, the human rights group said yesterday. The hackers attempted to collect information on the group in order to obstruct its humanitarian work. (more)

Posted on 26 April 2019 2:13 pm


Cybercriminals are becoming more methodical and adaptive

Cybercriminals are deviating towards a more focused approach against targets by using better obfuscation techniques and improved social engineering skills as organizations improve in areas such as time to detection and response to threats, according to Trustwave. (more)

Posted on 26 April 2019 10:27 am


Accenture Facing Lawsuit to Repay $32M+ for Failing to Deliver the Project On Time – Poorly Written Code For Security

Car rental firm Hertz Corporation has filed a lawsuit against Accenture, seeking repayment of $32M, after the consultancy failed to deliver the website redesign project on time. Hertz is one of the most familiar vehicle rental companies; it needed to redesign its website and began the project in order to improve the customer experience on Hertz’s digital platforms. (more)

Posted on 26 April 2019 9:50 am


NSA: That ginormous effort to slurp up Americans’ phone records that Snowden exposed? Ehhh, we don’t need that no more

An attack of conscience or have the super-snoops got something better now? The NSA’s mass-logging of people’s phone calls and text messages, at home and abroad – a surveillance program introduced after the September 11, 2001 terror attacks – is set to end as it’s no longer worth the hassle. (more)

Posted on 26 April 2019 5:42 am


HCL Technologies Expands US Operations, Launches CyberSecurity Fusion Center in Frisco - dallasinnovates.com

Global technology company HCL Technologies announced Thursday the launch of its CyberSecurity Fusion Center (CSFC) in Frisco. The CSFC — a state of the art automation-driven security operations center — aims to detect cyber threats faster and respond better. (more)

Posted on 26 April 2019 5:35 am


Acronis expands developer access to cyber platform APIs

Acronis is opening up its core platform and its APIs to third-party developers, allowing them to build and integrate applications with its cyber protection solutions. The level of access was previously only available to Acronis and certain integration partners such as ConnectWise, Microsoft and.... (more)

Posted on 26 April 2019 4:38 am


Fiserv unveils enhanced authentication capabilities for financial institutions

Fiserv, a leading global provider of financial services technology solutions, has launched capabilities that enable financial institutions to enhance cybersecurity while improving the customer experience. The company has launched SecureNow: Login Defense from Fiserv to facilitate accurate recognition of.... (more)

Posted on 26 April 2019 3:50 am


Sex website shuts down in U.S, blaming 'dumb' trafficking laws

LOS ANGELES: A popular sex classified website said this week that it was shutting down its services in the United States, citing the likelihood that legal challenges would fail to overturn a landmark package of federal sex trafficking laws passed by Congress a year ago. The decision by MassageRepublic. (more)

Posted on 26 April 2019 2:31 am


CVE-2018-14559

Description. An issue was discovered on Tenda AC7 devices with firmware through V15.03.06.44_CN(AC7), AC9 devices with firmware through V15.03.05.19(6318)_CN(AC9), and AC10 devices with firmware through V15.03.06.23_CN(AC10). A buffer overflow vulnerability exists in the router's web server (httpd). (more)

Posted on 26 April 2019 2:18 am


Crooks abuse GitHub platform to host phishing kits

Experts at Proofpoint discovered that free code repositories on GitHub have been abused since at least 2017 to host phishing websites. Researchers at Proofpoint reported that crooks are abusing free code repositories on GitHub to host phishing websites and bypass security defenses. (more)

Posted on 26 April 2019 12:55 am


CVE-2019-2658 (weblogic_server)

Current Description. Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. (more)

Posted on 26 April 2019 12:44 am


TA505 Group Hides Malware in Legitimate Certificates

TA505, a sophisticated advanced persistent threat group, is now using legitimately signed certificates to disguise malware that can penetrate banking networks, security researchers warn in a new report. The signed and.... (more)

Posted on 25 April 2019 11:37 pm


Russian Speaking Hacker Compromises and Gains the Full Control of the Government Network Systems

Researchers have recently discovered another wave of cyber-attacks from a Russian-speaking hacker, identified as one who uses weaponized TeamViewer, the most mainstream and popular tool used for remote desktop control, desktop sharing, online meetings, web conferencing and.... (more)

Posted on 25 April 2019 11:19 pm


Sierra Wireless AirLink ES450 ACEManager Embedded_Ace_Get_Task.cgi Information Disclosure Vulnerability

Summary. An exploitable Information Disclosure vulnerability exists in the ACEManager Embedded Ace Get_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an information disclosure, resulting in the exposure of confidential information,.... (more)

Posted on 25 April 2019 9:19 pm


Leaked Carbanak Source Code Reveals No New Exploits (SecurityWeek)

FireEye’s analysis of the Carbanak source code that emerged on VirusTotal recently found no use of new exploits. Their review of the code also verified previous assumptions on the group behind a series of cyberattacks that used the malware. Associated with the financially-motivated threat actor.... (more)

Posted on 25 April 2019 9:05 pm


Emotet Adds New Evasion Technique and Uses Connected Devices as Proxy C&C Servers

by Marco Dela Vega, Jeanne Jocson and Mark Manahan. Over the years, Emotet, the banking malware discovered by Trend Micro in 2014, has continued to be a prevalent and costly threat. The United States government estimates that an Emotet incident takes an organization US $1 million to remediate. (more)

Posted on 25 April 2019 8:44 pm


France - Scam ads displayed on Microsoft games and services to target French users’ personal information

Microsoft games and services are displaying ads that redirect users to scam surveys, scam polls, and spin-the-wheel scams. These scam surveys claim to reward winners with a new Samsung Galaxy S10, iPhone XS or iPad Pro, and request users to fill out these surveys. (more)

Posted on 25 April 2019 8:25 pm


Special-Purpose Vehicle Maker Aebi Schmidt Hit by Malware

Swiss-based special-purpose vehicle maker Aebi Schmidt informed customers and business partners on Thursday that some of its.... (more)

Posted on 25 April 2019 8:09 pm


Operation ShadowHammer: Hackers planted malware code in video games

Last month the world was reminded once again of the danger of supply chain attacks, as it was revealed that hackers had compromised the network of Taiwanese technology.... (more)

Posted on 25 April 2019 6:06 pm


Cybersecurity Job Openings Boom, Pool of U.S. Job-Seekers Shrinks

Recruitment site Indeed has good news for cybersecurity professionals: Demand is booming around the world. After a relatively flat period between 2016 and 2017, 2018 saw job postings up 7 percent in the United States, 18 percent in Ireland, and 39 percent in India, recently ranked as one of the least cyber-secure countries in the world. (more)

Posted on 25 April 2019 5:52 pm


Researchers flag new Oracle WebLogic zero-day RCE flaw

Attackers looking to compromise Oracle WebLogic servers for their own needs have a new zero-day RCE flaw at their disposal. “Oracle WebLogic wls9_async and wls-wsat components trigger deserialization remote command execution vulnerability. This vulnerability affects all Weblogic versions (including.... (more)

Posted on 25 April 2019 5:28 pm


Intelligence Agencies Seek Fast Cyber Threat Dissemination

Jeremy Fleming, director of GCHQ, speaks at CyberUK in Glasgow, Scotland. When a cyberattack begins, Canada's intelligence establishment can get essential threat information to a critical infrastructure provider in just seven minutes. (more)

Posted on 25 April 2019 5:17 pm


'Democracy at stake': Parties warned Australia at risk of US-style cyber manipulation - The Age

Former privacy tsars and technology experts have warned the major political parties they must dramatically strengthen their cybersecurity to protect the growing mountains of private data gathered on voters that could be used by foreign adversaries to manipulate elections. (more)

Posted on 25 April 2019 4:51 pm


Hacker could locate thousands of cars and kill their engines remotely via poorly-secured GPS tracking apps

Over a relatively short period of time, computers changed from something you kept on your desk, to something you carried in your pocket, to something you sat inside as you drove to work. As technology moves on, we’re going to be thinking more and more about mobile computing not being just.... (more)

Posted on 25 April 2019 4:29 pm


GCHQ to share real-time data with banks to fight cyber crime

GCHQ director Jeremy Fleming has said the agency will begin sharing real-time intelligence with banks in a bid to help fight cyber crime. The decision will ensure that banks have more tools in their arsenal when it comes to protecting customers against card and account fraud while also helping the.... (more)

Posted on 25 April 2019 4:26 pm


Critical security bug in Qualcomm chipsets can let attackers retrieve private encryption keys from QSEE

The vulnerable Qualcomm chipsets are primarily used in smartphones and tablets. Tracked as CVE-2018-11979, the vulnerability impacts how the Qualcomm chips handle data processed inside the QSEE. A new security bug in Qualcomm chipsets can let attackers retrieve private data and encryption keys from Qualcomm Secure Execution Environment (QSEE). (more)

Posted on 25 April 2019 3:53 pm


IRS’ Outdated App Security Leaves Taxpayers at Risk of Identity Theft, Watchdog Says

A recent audit by the Treasury Inspector General for Tax Administration (TIGTA) concluded that many of the IRS’ web applications that people can use to pay taxes or access tax-related services are relying on outdated security controls. In order to properly secure taxpayers, the apps should.... (more)

Posted on 25 April 2019 3:49 pm


Microsoft is ditching those pointless self-expiring passwords that everyone hates

Microsoft has admitted something we've all known for years - expiring passwords don't help anyone. Beloved by IT administrators, the idea that changing your password once a month will protect you from internet nasties has been a mainstay option for corporate Windows users for as long as there have been corporate Windows users. (more)

Posted on 25 April 2019 3:38 pm


Vuln: Atlassian Confluence Server and Confluence Data Center Directory Traversal Vulnerability

Affected products: Atlassian Confluence Data Center 6.14.2, 6.14, 6.13.3, 6.13, 6.12.3, 6.12, 6.11, 6. (more)

Posted on 25 April 2019 3:33 pm


Skills shortage hampering development.

The cyber security skills shortage is hampering Internet of Things development, according to new research from Experis. Cyber security and IoT — the two should go hand in hand. But UK businesses are struggling to find the right blend of security skills to harness the power of the Internet of Things (IoT). (more)

Posted on 25 April 2019 3:22 pm


GandCrab ransomware claims another healthcare firm

A medical billing service headquartered in Massachusetts has notified patients of a data breach, saying hackers may have exposed their data. The attack involved the infamous GandCrab ransomware. Cyber crooks have developed a taste for healthcare institutions and their affiliates in recent years,.... (more)

Posted on 25 April 2019 2:57 pm


Vuln: TIBCO Active Matrix Service Grid CVE-2019-8991 Multiple Security Vulnerabilities

Affected products: TIBCO Silver Fabric for ActiveMatrix Service Grid Distribution 3.3, TIBCO Silver Fabric for ActiveMatrix BPM Distribution 4.2, TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid 1.3.1, TIBCO Silver Fabric Enabler for ActiveMatrix BPM 1.4.1, TIBCO Silver Fabric Enabler for ActiveMatrix BPM 1.4, TIBCO ActiveMatrix Service Grid 3. (more)

Posted on 25 April 2019 2:00 pm


Local authorities and emergency services told to check ‘cyber fitness’

Vulnerable local authorities, emergency services and small businesses are being urged to beef up their online defences by using a new cyber fitness tool to better prepare for potentially crippling attacks. Prime Minister Theresa May’s de-facto deputy David Lidington will announce the new initiative.... (more)

Posted on 25 April 2019 1:51 pm


Cyber attacks against business on the rise –– Malwarebytes cybercrime report - Information Age

The cybercrime report from Malwarebytes has detailed the latest tactics employed by cybercriminals, based on proprietary data collected from millions of business and consumer users worldwide between January 1 and March 31, 2019 — Q1. Alarmingly, but perhaps unsurprisingly, this cybercrime report for.... (more)

Posted on 25 April 2019 1:39 pm


Banking on Customer Trust

Do you keep your money under a mattress or in your sock drawer? I’m going to venture a guess and say you do not. Neither do I. Nor do most other people. Most of us put our trust in banks and other financial institutions to hold and protect our money. A Position of Trust. (more)

Posted on 25 April 2019 10:48 am


Legacy infrastructures and unmanaged devices top security risks in the healthcare industry

The proliferation of healthcare IoT devices, along with unpartitioned networks, insufficient access controls and the reliance on legacy systems, has exposed a vulnerable attack surface that can be exploited by cybercriminals determined to steal personally identifiable information (PII) and protected.... (more)

Posted on 25 April 2019 10:35 am


Hackers Behind DNSpionage Created a New Remote Admin Tool for C2 Server Communication Over HTTP and DNS

Threat actors behind the new malware campaign DNSpionage created a new remote administration tool that supports HTTP and DNS communication with a C&C server operated by the attackers. Based on a recent incident, the DNSpionage campaign, which is developed and operated by the APT 34 hacking group to.... (more)

Posted on 25 April 2019 10:35 am


Employers should develop cybersecurity protocols and invest more in employee training programs

Organizations want to trust their employees when it comes to cybersecurity, but to do so, they need to better leverage technology. The ObserveIT global survey of 600 IT leaders across various industries found that employers should develop clear cybersecurity protocols and invest more in employee.... (more)

Posted on 25 April 2019 10:02 am


TA505 Spear Phishing Campaign Uses LOLBins to Avoid Detection

The TA505 hacking group ran a spear phishing campaign targeting a financial institution during April with the help of a signed version of the ServHelper backdoor and a number of LOLBins designed to help the operation evade detection. TA505 is a threat group known to have been active since at least.... (more)

Posted on 25 April 2019 9:19 am


Qbot Malware Dropped via Context-Aware Phishing Campaign

A phishing campaign dropping the Qbot banking Trojan with the help of delivery emails camouflaged as parts of previous conversations was spotted during late March 2019 by the JASK Special Operations team. Qbot (also known as QakBot and Pinkslipbot) is a quite old yet still active and continuously.... (more)

Posted on 25 April 2019 7:57 am


Organisations agree to clarify roles dealing with cyber attacks - ITV News

Two organisations have announced steps to make it easier for people and organisations to know which authority to deal with if they are the victim of a cyber attack. The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have agreed a new understanding aimed at clarifying their distinct roles in such events. (more)

Posted on 25 April 2019 2:29 am


Sizing Up Revised Model for National Health Data Exchange

Healthcare stakeholders and security and privacy experts are sizing up the second draft of the government's proposed Trusted Exchange Framework and Common Agreement, which is designed to promote secure, interoperable nationwide.... (more)

Posted on 25 April 2019 1:18 am


Former DHS head took up cyber despite White House aversion - The Associated Press

WASHINGTON (AP) — A top White House official told Kirstjen Nielsen, then Homeland Security secretary, not to bring up election security with President Donald Trump, steering her away from discussing a critical national security threat with a president who bristles at suggestions that Russian.... (more)

Posted on 24 April 2019 11:18 pm


'ShadowHammer' Spreads Across Online Gaming Supply Chain

On Tuesday, Kaspersky Lab, which first took note of ShadowHammer in March, released new research that shows the threat group targeting at least three video game suppliers in Asia as well as three other firms, including another online gaming supplier, a conglomerate holding company and a pharmaceutical firm based in South Korea. (more)

Posted on 24 April 2019 10:40 pm


Lieutenant General (ret) William C. Mayville, Jr Joins Korn Ferry, Bolstering Firm's Cyber Security Expertise - Business Wire

Korn Ferry (NYSE: KFY) today announced that Lieutenant General (ret) William C. Mayville, Jr, a leader in U.S. national security cyber capabilities, former Director of Operations for the Chairman of the Joint Chiefs and former Vice Commander, US Cyber Command, has joined the firm in the Cyber Security Practice. (more)

Posted on 24 April 2019 9:42 pm


Cisco: DNSpionage attack adds new tools, morphs tactics

Cisco's Talos security group says DNSpionage tools have been upgraded to be more stealthy. The group behind the Domain Name System attacks known as DNSpionage have upped their dark actions with new tools and malware to focus their attacks and better hide their activities. (more)

Posted on 24 April 2019 9:18 pm


Bodybuilding.com Security Breach, All Customer Passwords Reset

Bodybuilding.com fitness and bodybuilding fan website notified its customers of a security breach detected during February 2019 which was the direct result of a phishing email received back in July 2018. As detailed in the data incident notification published on the company’s help center, the.... (more)

Posted on 24 April 2019 8:59 pm


Attackers Aren't Invincible & We Must Use That to Our Advantage

Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ... (more)

Posted on 24 April 2019 8:22 pm


Bodybuilders beware! One of the world’s largest online fitness stores hit by security breach

Fitness fanatics are being advised to change their passwords after one of the world’s largest and most popular online fitness stores admitted that it had suffered a security breach that might have exposed customer data. Bodybuilding.com says that it first suspected it might have a problem in.... (more)

Posted on 24 April 2019 8:18 pm


Rockwell Controller Flaw Allows Hackers to Redirect Users to Malicious Sites

A serious vulnerability affecting some of Rockwell Automation’s MicroLogix and CompactLogix programmable logic controllers.... (more)

Posted on 24 April 2019 6:39 pm


Maintaining Privacy in the Cloud by

It’s been about 10 years since I worked with Brian at Imperva. Since those days, I’ve found that industry conversations have changed, but the need to solve the ever-changing cybersecurity challenges has not, especially as it relates to application security, data security, and data privacy. (more)

Posted on 24 April 2019 6:33 pm


Flashpoint Strengthens Intelligence Platform with New Dashboards and Analytics, Expanded Collections and Tailored Alerting by Industry

Company Significantly Expands Use-Case Driven Business Risk Intelligence (BRI) Offerings. London - 24th April 2019 - Flashpoint, the global leader in Business Risk Intelligence (BRI), today announced new innovations and enhancements that help multiple teams bolster cybersecurity, confront fraud,.... (more)

Posted on 24 April 2019 5:34 pm


Securing the 5G future - what's the issue?

Britain plans to allow Huawei access to non-core parts of fifth-generation, or 5G, networks on a restricted basis and block it from all so-called core parts, sources told Reuters. The core is where the network’s most critical controls are located and the most sensitive information is stored, while.... (more)

Posted on 24 April 2019 5:00 pm


Apple edges closer to cursory code review for all Mac apps

Apple will soon make a code review mandatory for all applications distributed outside its own Mac App Store by new developers, a first step towards requiring all Mac software to pass similar reviews. The Cupertino, Calif. company argued that the process, which it calls "notarization," would build a more secure macOS environment. (more)

Posted on 24 April 2019 3:30 pm


Israeli IoT cybersecurity co VDOO raises $32m - Globes

The Tel Aviv-based company aims to become the industry’s first end-to-end security solution for embedded devices of any type. Israeli IoT cybersecurity company VDOO Connected Trust Ltd. today announced it has raised $32 million in a Series B financing round led by WRVI Capital and GGV Capital, with.... (more)

Posted on 24 April 2019 3:19 pm


Britain 'approves' Huawei role in 5G network

British Prime Minister Theresa May has given the go-ahead for China's Huawei to help build a 5G network in the UK, shrugging off security warnings from senior ministers and Washington surrounding the telecoms giant, media reported Wednesday. Britain's National Security Council, which is chaired by.... (more)

Posted on 24 April 2019 3:17 pm


Facebook leaks millions of Instagram passwords

2018 – what a year it was for Facebook! Data scandals and security leaks, issues from Cambridge Analytica and trials by authorities, Facebook has gone under every shit it’s connected with. And the problems just keep coming in 2019. And in this year, it seemed to have enough already by internal.... (more)

Posted on 24 April 2019 1:50 pm


FBI Internet Crime Center Reports $2.7B in 2018 Fraud

Business Email Compromise scams continue to grow as one of the leading categories of internet fraud, though there is a glimmer of hope, as the FBI's efforts to recover assets are seeing some success. The FBI's Internet Crime Center (IC3) released its annual Internet Crime Report on April 22,.... (more)

Posted on 24 April 2019 12:25 pm


UK cyber boss downplays threat of Five Eyes security rift over Huawei

LONDON, April 24 (Reuters) - The head of Britain's cyber centre said governments in the Five Eyes intelligence alliance had not always been aligned over Huawei, downplaying any threat of a rift as the UK prepares to give the Chinese company access to 5G networks. (more)

Posted on 24 April 2019 11:42 am


Hackers Hosting Malware On Google Sites To Steal Data and Share It to the Remote Server

Cybercriminals are abusing Google Sites via a drive-by download attack to host a banking malware dubbed “LoadPCBanker” that steals various sensitive data from compromised victims. The threat actors abuse the Google Sites file cabinet template as a delivery medium and use SQL as an exfiltration channel to send the stolen data to the remote server. (more)

Posted on 24 April 2019 9:07 am


Google Releases Security Update for Chrome

Original release date: April 23, 2019. Google has released Chrome version 74.0.3729.108 for Windows, Mac, and Linux. (more)

Posted on 24 April 2019 5:59 am


Four new incident response and forensic investigators join the Arete Advisors team

Arete Advisors announced the addition of four of the world’s foremost incident response and forensic investigators to its elite group of cybersecurity experts: Michael Stewart, Rae Jewell, Peter Hubert, and Matt Hanyok. Together, the group brings decades of experience leading challenging, cyber.... (more)

Posted on 24 April 2019 4:25 am


Symantec joins the DIB CS program to share threat information between DOD and industry

Symantec, the world’s leading cyber security company, announced it has become a member of the United States’ Department of Defense’s (DOD) Defense Industrial Base (DIB) Cybersecurity (CS) program. The DIB CS program is a voluntary cyber threat information-sharing initiative established by the DOD to.... (more)

Posted on 24 April 2019 4:25 am


Stuxnet Family Tree Grows

What a newly discovered missing link to Stuxnet and the now-revived Flame cyber espionage malware add to the narrative of the epic cyber-physical attack. (more)

Posted on 24 April 2019 4:02 am


CACI | Press Release

CACI Wins Prime Position on $898 Million Multiple-Award Contract to Provide Cyber Engineering and Electronic Warfare Solutions to U.S. Navy. ARLINGTON, Va.--(BUSINESS WIRE)-- CACI International Inc ( NYSE: CACI ) announced today it has won a prime position on the multiple-award, indefinite.... (more)

Posted on 24 April 2019 3:46 am


Exploits for Social Warfare WordPress Plugin Reach Critical Mass

Active exploits for a recently disclosed bug in a popular WordPress plugin, Social Warfare, are snowballing in the wild – potentially putting more than 40,000 websites at risk. The vulnerability, CVE-2019-9978, tracks both a stored cross-site scripting (XSS) vulnerability and a remote code-execution (RCE) bug. (more)

Posted on 24 April 2019 3:46 am


Applications open for second Federal Cyber Reskilling Academy cohort

FedScoop: The White House Office of Management and Budget and the Federal CIO Council announced Tuesday that they have opened applications for the second round of the new, and popular, Federal Cyber Reskilling Academy. “With over 1,500 applications to the first cohort, there clearly is an interest.... (more)

Posted on 24 April 2019 2:54 am


Government, business should guard Internet together: British intelligence chief

GLASGOW, Scotland: The head of Britain's GCHQ spy agency on Wednesday will call on businesses and the finance sector to work with intelligence officials to help secure the internet and protect customers online. In extracts of a speech to be given at a cyber security conference in Scotland, GCHQ head.... (more)

Posted on 24 April 2019 2:51 am


NA - CVE-2019-2698 - Vulnerability in the Java SE component of...

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. (more)

Posted on 24 April 2019 2:26 am


Active Exploitation of Confluence Vulnerability CVE-2019-3396 Dropping Gandcrab Ransomware

Overview. Exploit code for a new vulnerability in Confluence (CVE-2019-3396) has been rapidly deployed by attackers and successfully used to breach hosts. We have observed attempts by these campaigns to execute Gandcrab ransomware on the victim hosts via PowerShell and usage of standard toolsets to avoid detection. (more)

Posted on 24 April 2019 2:15 am


Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress

Hackers have been found exploiting a pair of critical security vulnerabilities in one of the popular social media sharing plugins to take control over WordPress websites that are still running a vulnerable version of the plugin. The vulnerable plugin in question is Social Warfare which is a popular.... (more)

Posted on 23 April 2019 11:40 pm


Dutch NCSC Releases Updated TLS Guidelines

Original release date: April 23, 2019. The Dutch National Cyber Security Centre (NCSC) has published an update to their Transport Layer Security (TLS) protocol guidelines, which aim to improve TLS configuration security. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users.... (more)

Posted on 23 April 2019 11:40 pm


Malicious lifestyle apps found on Google Play, 30 million installs recorded

A total of 50 malicious apps have managed to bypass Google's security checks and land on the Google Play store, leading to millions of installs on Android devices. It was only last week that researchers from Check Point uncovered a total of six apps laden with the PreAMo ad fraud malware on Google Play which had been installed 90 million times. (more)

Posted on 23 April 2019 10:10 pm


WannaCry hero pleads guilty to malware charges

Marcus Hutchins, who authors the popular blog MalwareTech and is the famous British cybersecurity expert credited with stopping the WannaCry attack in 2017, now faces up to 10 years in prison after pleading guilty on Monday to writing malware to steal banking information in the years prior to his prodigious career as a malware researcher. (more)

Posted on 23 April 2019 9:58 pm


'Silence' Cybercrime Gang Targets Banks in More Regions

A cybercrime gang that has targeted banks and ATMs in Russia and other Eastern European countries is beginning to expand its reach to other regions, security researchers warn. The gang, known as Silence because of the long period of time between its attacks, was first spotted in 2016. (more)

Posted on 23 April 2019 9:40 pm


DNSpionage brings out the Karkoff

Paul Rascagneres authored this post. Executive summary: In November 2018, Cisco Talos discovered an attack campaign, called DNSpionage, in which threat actors created a new remote administrative tool that supports HTTP and DNS communication with the attackers' command and control (C2). (more)

Posted on 23 April 2019 9:32 pm


Vietnam-Linked Hackers Use Atypical Executables to Avoid Detection

OceanLotus, a Vietnam-linked cyber-espionage group, has been using atypical executable formats in an attempt to avoid detection and hinder analysis, according to security firm Malwarebytes. (more)

Posted on 23 April 2019 8:59 pm


Cybercrime’s Total Earnings Skyrocketed to $2.7 Billion Says the FBI

FBI’s Internet Crime Complaint Center (IC3) published its 2018 Internet Crime Report, which shows that cybercrime was behind $2.7 billion in total losses during 2018, as shown by the 351,936 complaints received during the last year. (more)

Posted on 23 April 2019 8:24 pm


RedHat: RHSA-2019-0818:01 Important: kernel security and bug fix update

An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability.... (more)

Posted on 23 April 2019 7:28 pm


Fujifilm FCR Capsula X/Carbon X

Advisory Document (more)

Posted on 23 April 2019 7:05 pm


Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers

Advisory Document (more)

Posted on 23 April 2019 7:00 pm


Delta Industrial Automation CNCSoft

Advisory Document (more)

Posted on 16 April 2019 5:10 pm


WAGO Series 750-88x and 750-87x

Advisory Document (more)

Posted on 16 April 2019 5:05 pm


PLC Cycle Time Influences

Advisory Document (more)

Posted on 16 April 2019 5:00 pm


Siemens SIMOCODE pro V EIP

Advisory Document (more)

Posted on 9 April 2019 5:25 pm


Siemens Spectrum Power 4.7

Advisory Document (more)

Posted on 9 April 2019 5:20 pm


Siemens Industrial Products with OPC UA

Advisory Document (more)

Posted on 9 April 2019 5:15 pm


Siemens SINEMA Remote Connect

Advisory Document (more)

Posted on 9 April 2019 5:10 pm


Siemens RUGGEDCOM ROX II

Advisory Document (more)

Posted on 9 April 2019 5:05 pm


Siemens CP, SIAMTIC, SIMOCODE, SINAMICS, SITOP, and TIM

Advisory Document (more)

Posted on 9 April 2019 5:00 pm


Omron CX-Programmer

Advisory Document (more)

Posted on 4 April 2019 5:15 pm


Rockwell Automation Stratix 5400/5410/5700 and ArmorStratix 5700

Advisory Document (more)

Posted on 4 April 2019 5:10 pm


Rockwell Automation Stratix 5400/5410/5700/8000/8300 and ArmorStratix 5700

Advisory Document (more)

Posted on 4 April 2019 5:05 pm


Rockwell Automation Stratix 5950

Advisory Document (more)

Posted on 4 April 2019 5:00 pm


Advantech WebAccess/SCADA

Advisory Document (more)

Posted on 2 April 2019 5:00 pm


Rockwell Automation PowerFlex 525 AC Drives

Advisory Document (more)

Posted on 28 March 2019 4:00 pm


Siemens SCALANCE X

Advisory Document (more)

Posted on 26 March 2019 4:15 pm


PHOENIX CONTACT RAD-80211-XD

Advisory Document (more)

Posted on 26 March 2019 4:10 pm


ENTTEC Lighting Controllers

Advisory Document (more)

Posted on 26 March 2019 4:00 pm


AA19-024A: DNS Infrastructure Hijacking Campaign

Original release date: January 24, 2019 | Last revised: February 13, 2019

Summary

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:
- IOCs (.csv)
- IOCs (.stix)

Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses: 107.161.23.204, 192.161.187.200, 209.141.38.71

Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.

Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

Mitigations

NCCIC recommends the following best practices to help safeguard networks against this threat:
- Update the passwords for all accounts that can change organizations’ DNS records.
- Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
- Audit public DNS records to verify they are resolving to the intended location.
- Search for encryption certificates related to domains and revoke any fraudulently requested certificates.

References

- Cisco Talos blog: DNSpionage Campaign Targets Middle East
- CERT-OPMD blog: [DNSPIONAGE] – Focus on internal actions
- FireEye blog: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
- Crowdstrike blog: Widespread DNS Hijacking Activity Targets Multiple Sectors

Revisions

- January 24, 2019: Initial version
- February 6, 2019: Updated IOCs, added Crowdstrike blog
- February 13, 2019: Updated IOCs

This product is provided subject to this Notification and this Privacy & Use policy. (more)
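The alert's third mitigation, auditing public DNS records against the intended values, is the check that catches the A/MX/NS rewrites it describes. The following is an added example, not code from the alert or from NCCIC/CISA: it compares a defender-maintained baseline of record sets with the record sets actually observed and reports additions, removals and changes. The observed records here are constructed inline so the block runs offline; in practice they would come from a resolver query against the zone's authoritative servers. All hostnames and addresses are constructed sample values.

```python
"""Audit public DNS records against an expected baseline (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# A record set is keyed by (owner name, record type); values are rdata strings.
# MX rdata keeps its priority so that a changed priority is also caught.
RecordSets = Dict[Tuple[str, str], FrozenSet[str]]


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    kind: str      # "unexpected", "missing" or "changed"
    detail: str


def _normalise(records: Dict[Tuple[str, str], List[str]]) -> RecordSets:
    """Lower-case names and rdata (DNS names are case-insensitive) and drop a
    trailing dot so 'ns1.example.invalid.' equals 'ns1.example.invalid'."""
    out: RecordSets = {}
    for (name, rtype), values in records.items():
        key = (name.lower().rstrip("."), rtype.upper())
        rdata = frozenset(v.lower().rstrip(".") for v in values)
        out[key] = out.get(key, frozenset()) | rdata
    return out


def audit_dns(expected, observed) -> List[Finding]:
    """Return one Finding per (name, type) whose observed set differs from
    the baseline. Sets are compared, so record order is irrelevant."""
    exp, obs = _normalise(expected), _normalise(observed)
    findings: List[Finding] = []
    for key in sorted(set(exp) | set(obs)):
        name, rtype = key
        e, o = exp.get(key, frozenset()), obs.get(key, frozenset())
        if e == o:
            continue
        if not e:
            findings.append(Finding(name, rtype, "unexpected", "observed " + ", ".join(sorted(o))))
        elif not o:
            findings.append(Finding(name, rtype, "missing", "expected " + ", ".join(sorted(e))))
        else:
            findings.append(Finding(name, rtype, "changed",
                                    f"expected {sorted(e)} but observed {sorted(o)}"))
    return findings


# Constructed baseline (what the zone should contain).
EXPECTED_RECORDS = {
    ("example.invalid", "A"): ["192.0.2.10"],
    ("mail.example.invalid", "A"): ["192.0.2.25"],
    ("example.invalid", "MX"): ["10 mail.example.invalid."],
    ("example.invalid", "NS"): ["ns1.example.invalid.", "ns2.example.invalid."],
    ("example.invalid", "TXT"): ["v=spf1 mx -all"],
}

# Constructed observation of the same zone after the kind of tampering the
# alert describes: the mail host now resolves elsewhere, a rogue name server
# was added, the SPF record is gone, and a new host appeared. The MX record
# is unchanged apart from case and trailing dot, which must not alert.
OBSERVED_RECORDS = {
    ("example.invalid", "A"): ["192.0.2.10"],
    ("mail.example.invalid", "A"): ["198.51.100.44"],
    ("EXAMPLE.invalid", "MX"): ["10 mail.example.invalid"],
    ("example.invalid", "NS"): ["ns1.example.invalid.", "ns2.example.invalid.",
                                "ns-rogue.attacker.invalid."],
    ("www.example.invalid", "A"): ["198.51.100.45"],
}


def run_sample() -> List[Finding]:
    """Audit the constructed zone; see the returned findings for what changed."""
    return audit_dns(EXPECTED_RECORDS, OBSERVED_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:10} {f.rtype:4} {f.name}: {f.detail}")
```

Run the audit from a host outside the organisation's own resolvers, and against each authoritative server individually, so that a record changed at the registrar is seen even while internal caches still hold the old values.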

Posted on 24 January 2019 10:01 pm


AA18-337A: SamSam Ransomware

Original release date: December 03, 2018

Summary

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation.

The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.

After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

Analysis of tools found on victims’ networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims’ access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims’ credentials were stolen, sold on the darknet, and used for other illegal activity.

SamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.

Technical Details

NCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam malware variants. This is not an exhaustive list.
- MAR-10219351.r1.v2 – SamSam1
- MAR-10166283.r1.v1 – SamSam2
- MAR-10158513.r1.v1 – SamSam3
- MAR-10164494.r1.v1 – SamSam4

For general information on ransomware, see the NCCIC Security Publication at https://www.us-cert.gov/security-publications/Ransomware .

Mitigations

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.
- Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
- Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
- Enable strong passwords and account lockout policies to defend against brute force attacks.
- Where possible, apply two-factor authentication.
- Regularly apply system and software updates.
- Maintain a good back-up strategy.
- Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
- Ensure that third parties that require RDP access follow internal policies on remote access.
- Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
- Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
- Restrict users' ability (permissions) to install and run unwanted software applications.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Additional information on malware incident prevention and handling can be found in Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, from the National Institute of Standards and Technology. [1]

Contact Information

To report an intrusion and request resources for incident response or technical assistance, contact NCCIC, FBI, or the FBI’s Cyber Division via the following information:
- NCCIC: NCCICCustomerService@hq.dhs.gov, 888-282-0870
- FBI’s Cyber Division: CyWatch@fbi.gov, 855-292-3937
- FBI through a local field office

Feedback

DHS strives to make this report a valuable tool for our partners and welcomes feedback on how this publication could be improved. You can help by answering a few short questions about this report at the following URL: https://www.us-cert.gov/forms/feedback .

References

[1] NIST SP 800-83: Guide to Malware Incident Prevention and Handling for Desktops and Laptops

Revisions

December 3, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy. (more)
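The alert's logging mitigation (capture RDP logins, review them regularly to detect intrusion attempts) needs a concrete review rule to be useful, since the intrusion vector it describes is either a brute-force burst or a stolen credential that simply logs in. The block below is an added example, not code from the alert or from DHS/FBI: it walks Windows Security log events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP) and flags any source IP that produces a threshold number of RDP failures inside a sliding window, noting whether a success from that IP followed the burst. The events, hosts and addresses are constructed sample data.

```python
"""Flag RDP brute-force bursts in Windows Security log events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LogonEvent(NamedTuple):
    time: datetime
    event_id: int     # 4625 = failed logon, 4624 = successful logon
    logon_type: int   # 10 = RemoteInteractive (RDP); 3 = Network; 2 = Interactive
    user: str
    source_ip: str


def detect_rdp_bruteforce(events: List[LogonEvent], threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Return {source_ip: summary} for every source IP with `threshold` or more
    RDP logon failures inside any `window`-long sliding window. `succeeded_after`
    records whether the same IP then logged in successfully over RDP, which is
    the pattern of a guessed or purchased credential being put to use."""
    rdp = sorted((e for e in events if e.logon_type == 10), key=lambda e: e.time)
    failures: Dict[str, List[LogonEvent]] = defaultdict(list)
    for e in rdp:
        if e.event_id == 4625:
            failures[e.source_ip].append(e)

    alerts: Dict[str, dict] = {}
    for ip, fl in failures.items():
        start = 0
        for end in range(len(fl)):
            # Slide the window start forward until fl[start..end] fits in `window`.
            while fl[end].time - fl[start].time > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fl[end].time
                succeeded = any(e.event_id == 4624 and e.source_ip == ip
                                and e.time >= burst_end for e in rdp)
                alerts[ip] = {
                    "failures": len(fl),
                    "users": sorted({e.user for e in fl}),
                    "succeeded_after": succeeded,
                }
                break
    return alerts


def constructed_events() -> List[LogonEvent]:
    """Constructed sample log: one brute-force burst that ends in a successful
    logon, a legitimate user mistyping twice, slow failures from a monitoring
    host, and non-RDP failures that the detector must ignore."""
    base = datetime(2018, 12, 3, 2, 0, 0)
    ev: List[LogonEvent] = []
    guesses = ["admin", "administrator", "backup", "administrator",
               "admin", "scanner", "administrator", "administrator"]
    for i, user in enumerate(guesses):           # 8 failures in under 3 minutes
        ev.append(LogonEvent(base + timedelta(seconds=20 * i), 4625, 10, user, "198.51.100.23"))
    ev.append(LogonEvent(base + timedelta(minutes=4), 4624, 10, "administrator", "198.51.100.23"))
    ev.append(LogonEvent(base + timedelta(minutes=30), 4625, 10, "jdoe", "10.0.0.5"))
    ev.append(LogonEvent(base + timedelta(minutes=31), 4625, 10, "jdoe", "10.0.0.5"))
    ev.append(LogonEvent(base + timedelta(minutes=32), 4624, 10, "jdoe", "10.0.0.5"))
    for i in range(5):                            # 5 failures spread over 2 hours
        ev.append(LogonEvent(base + timedelta(minutes=30 * i), 4625, 10, "svc_monitor", "10.0.0.9"))
    for i in range(10):                           # network (type 3) failures, not RDP
        ev.append(LogonEvent(base + timedelta(seconds=i), 4625, 3, "svc_share", "10.0.0.12"))
    return ev


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(constructed_events()).items():
        print(ip, summary)
```

The threshold and window are deliberately parameters: a lockout policy of the kind the alert recommends will cap how many failures an attacker can generate per account, so tune the detector to fire below the lockout count and alert on the number of distinct user names tried from one source rather than on a single account.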

Posted on 3 December 2018 6:18 pm


TA18-331A: 3ve – Major Online Ad Fraud Operation

Original release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses.

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

Boaxxe/Miuref Malware

Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:
%UserProfile%\AppData\Local\VirtualStore\lsass.aaa
%UserProfile%\AppData\Local\Temp\<RANDOM>.exe
%UserProfile%\AppData\Local\<Random eight-character folder name>\<original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Above path to executable>\

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:
%UserProfile%\AppData\Local\Temp\<RANDOM>.exe/.bat
%UserProfile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RANDOM>\<RANDOM FILENAME>.exe
%UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.lnk
%UserProfile%\AppData\Local\<RANDOM>\<RANDOM>.bat

Kovter is known to hide in the registry under:
HKCU\SOFTWARE\<RANDOM>\<RANDOM>

The customized CEF browser is dropped to:
%UserProfile%\AppData\Local\<RANDOM>

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:
/?ptrackp=\d{5,8}
/feedrs\d/click?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*&spoof_domain=[\w\.\d-_]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
/feedrs\d/vast_track?a=impression&feed_id=\d{5}&sub_id=\d{1,5}&sub2_id=\d{1,5}&cid=[a-f\d-]

The following is a YARA rule for detecting Kovter:

rule KovterUnpacked {
  meta:
    desc = "Encoded strings in unpacked Kovter samples."
  strings:
    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
  condition:
    all of them
}

Solution

If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:
- Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
- Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
- Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
- Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
- Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection... (more)
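The alert publishes its Kovter URL patterns as regex rules but does not show them applied to traffic. The block below is an added example, not code from the alert or from DHS/FBI: it runs the three rules over constructed proxy log lines and reports which lines and which client hosts matched. Two adjustments are needed to use the rules as Python regular expressions and are worth knowing before pasting them into any engine: the `?` that starts the URL query string must be escaped (unescaped, it makes the preceding character optional), and in the `spoof_domain` character class the hyphen is moved to the end (`[\w.\d_-]`) because Python rejects the range `\d-_`. The log format, hostnames, IPs and timestamps are constructed sample values.

```python
r"""Match the Kovter URL patterns from TA18-331A against proxy log lines (added example)."""
import re
from typing import Dict, List, Tuple

# The alert's three rules, adapted for Python's re module as explained above.
KOVTER_URL_PATTERNS = {
    "ptrackp": re.compile(r"/?ptrackp=\d{5,8}"),
    "feedrs_click": re.compile(
        r"/feedrs\d/click\?feed_id=\d{1,5}&sub_id=\d{1,5}&cid=[a-f0-9-]*"
        r"&spoof_domain=[\w.\d_-]*&land_ip=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    ),
    "feedrs_vast_track": re.compile(
        r"/feedrs\d/vast_track\?a=impression&feed_id=\d{5}&sub_id=\d{1,5}"
        r"&sub2_id=\d{1,5}&cid=[a-f\d-]"
    ),
}

# Constructed squid-style access log lines: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "1556100000.123 203.0.113.5 GET http://ads.example.invalid/feedrs3/click?feed_id=1234"
    "&sub_id=56&cid=0a1b2c-3d&spoof_domain=news.example.invalid&land_ip=198.51.100.7 200",
    "1556100001.456 203.0.113.5 GET http://cdn.example.invalid/static/app.js 200",
    "1556100002.789 203.0.113.9 GET http://track.example.invalid/?ptrackp=1234567 200",
    "1556100003.000 203.0.113.9 GET http://ads.example.invalid/feedrs1/vast_track?a=impression"
    "&feed_id=12345&sub_id=7&sub2_id=8&cid=ab12-cd 200",
    "1556100004.111 203.0.113.2 GET http://shop.example.invalid/click?feed_id=1 200",
]


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, rule name, client IP) for each line whose
    URL matches one of the Kovter patterns. Malformed lines are skipped."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        for name, pattern in KOVTER_URL_PATTERNS.items():
            if pattern.search(url):
                hits.append((lineno, name, client))
                break   # one rule hit per line is enough for triage
    return hits


def clients_with_hits(lines: List[str]) -> Dict[str, int]:
    """Count hits per client. The alert notes a single IOC may not mean a machine
    is infected; a host repeatedly requesting these URLs is the stronger signal."""
    counts: Dict[str, int] = {}
    for _, _, client in scan_proxy_log(lines):
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, rule, client in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {client} matched {rule}")
    print(clients_with_hits(SAMPLE_PROXY_LOG))
```

Note that the first rule, `/?ptrackp=\d{5,8}`, has an optional leading slash, so it also matches `ptrackp=` appearing anywhere in a URL, and the third rule ends in an unquantified `[a-f\d-]`, so it requires only one character of `cid`; both are kept as the alert wrote them.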

Posted on 27 November 2018 7:09 pm


AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide

Original release date: October 11, 2018

Summary

This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. [1] [2] [3] [4] [5] In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:
- Remote Access Trojan: JBiFrost
- Webshell: China Chopper
- Credential Stealer: Mimikatz
- Lateral Movement Framework: PowerShell Empire
- C2 Obfuscation and Exfiltration: HUC Packet Transmitter

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.

The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.

Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.

The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.

Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives. Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Abuse of unpatched software vulnerabilities or poorly configured systems are common ways for a threat actor to gain access. The tools detailed in this Activity Alert come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim’s systems.

How to Use This Report

The tools detailed in this Activity Alert fall into five categories: Remote Access Trojans (RATs), webshells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators. This Activity Alert provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by threat actors. Measures to aid detection and limit the effectiveness of each tool are also described. The Activity Alert concludes with general advice for improving network defense practices.

Technical Details

Remote Access Trojan: JBiFrost

First observed in May 2015, the JBiFrost RAT is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT from 2012. A RAT is a program that, once installed on a victim’s machine, allows remote administrative control. In a malicious context, it can—among many other functions—be used to install backdoors and key loggers, take screen shots, and exfiltrate data. Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programs and can mimic the behavior of legitimate applications. To prevent forensic analysis, RATs have been known to disable security measures (e.g., Task Manager) and network analysis tools (e.g., Wireshark) on the victim’s system.

In Use

JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors. Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors. Threat actors have repeatedly compromised servers in our countries with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information such as banking credentials, intellectual property, or PII.

Capabilities

JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android. JBiFrost RAT allows threat actors to pivot and move laterally across a network or install additional malicious software. It is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice, or with a link to a file hosting service. Past infections have exfiltrated intellectual property, banking credentials, and personally identifiable information (PII). Machines infected with JBiFrost RAT can also be used in botnets to carry out distributed denial-of-service attacks.

Examples

Since early 2018, we have observed an increase in JBiFrost RAT being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT’s hosting on infrastructure located in our countries. In early 2017, Adwind RAT was deployed via spoofed emails designed to look as if they originated from Society for Worldwide Interbank Financial Telecommunication, or SWIFT, network services. Many other publicly available RATs, including variations of Gh0st RAT, have also been observed in use against a range of victims worldwide.

Detection and Protection

Some possible indications of a JBiFrost RAT infection can include, but are not limited to:
- Inability to restart the computer in safe mode,
- Inability to open the Windows Registry Editor or Task Manager,
- Significant increase in disk activity and/or network traffic,
- Connection attempts to known malicious Internet Protocol (IP) addresses, and
- Creation of new files and directories with obfuscated or random names.

Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus program with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your organization is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently. Strict application whitelisting is recommended to prevent infections from occurring. The initial infection mechanism for RATs, including JBiFrost RAT, can be via phishing emails... (more)

Posted on 11 October 2018 6:19 pm


TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers

Original release date: October 03, 2018

Systems Affected
Network Systems

Overview
The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents.

Description
MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk. Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors.

By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.

Note: NCCIC previously released information related to this activity in Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors, published on April 27, 2017, which includes indicators of compromise, signatures, suggested detection methods, and recommended mitigation techniques.

Technical Details
APT actors use a range of “living off the land” techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials and trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks. Pre-installed system tools, such as command line scripts, are very common and used by system administrators for legitimate processes. Command line scripts are used to discover accounts and remote systems. PowerSploit is a repository of Microsoft PowerShell and Visual Basic scripts and uses system commands such as netsh. PowerSploit, originally developed as a legitimate penetration testing tool, is widely misused by APT actors. These scripts often cannot be blocked because they are legitimate tools, so APT actors can use them and remain undetected on victim networks. Although network defenders can generate log files, APT actors’ use of legitimate scripts makes it difficult to identify system anomalies and other malicious activity.

When APT actors use system tools and common cloud services, it can also be difficult for network defenders to detect data exfiltration. APT actors have been observed using Robocopy—a Microsoft command line tool—to transfer exfiltrated and archived data from MSP client networks back through MSP network environments. Additionally, APT actors have been observed using legitimate PuTTY Secure Copy Client functions, allowing them to transfer stolen data securely and directly to third-party systems.

Impact
A successful network intrusion can have severe impacts on the affected organization, particularly if the compromise becomes public. Possible impacts include:
- Temporary or permanent loss of sensitive or proprietary information,
- Disruption to regular operations,
- Financial losses to restore systems and files, and
- Potential harm to the organization’s reputation.

Solution
Detection
Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Properly configured logs enable rapid containment and appropriate response.

Response
An organization’s ability to rapidly respond to and recover from an incident begins with the development of an incident response capability. An organization’s response capability should focus on being prepared to handle the most common attack vectors (e.g., spearphishing, malicious web content, credential theft). In general, organizations should prepare by:
- Establishing and periodically updating an incident response plan.
- Establishing written guidelines that prioritize incidents based on mission impact, so that an appropriate response can be initiated.
- Developing procedures and out-of-band lines of communication to handle incident reporting for internal and external relationships.
- Exercising incident response measures for various intrusion scenarios regularly, as part of a training regime.
- Committing to an effort that secures the endpoint and network infrastructure: prevention is less costly and more effective than reacting after an incident.

Mitigation
Manage Supply Chain Risk
MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP. Organizations should manage risk equally across their security, legal, and procurement groups. MSP clients should also refer to cloud security guidance from the National Institute of Standards and Technology to learn about MSP terms of service, architecture, security controls, and risks associated with cloud computing and data protection. [1] [2] [3]

Architecture
Restricting access to networks and systems is critical to containing an APT actor’s movement. Provided below are key items that organizations should implement and periodically audit to ensure their network environment’s physical and logical architecture limits an APT actor’s visibility and access.

Virtual Private Network Connection Recommendations
Use a dedicated Virtual Private Network (VPN) for MSP connection... (more)

Posted on 3 October 2018 2:47 pm


TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation

Original release date: October 03, 2018

Systems Affected
Network Systems

Overview
This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.

Description
APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials, remote-access logs, and controlling privileged access and remote access.

Impact
APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.

Solution
Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response. Using a defense-in-depth strategy is likely to increase the odds of successfully disrupting adversarial objectives long enough to allow network defenders to detect and respond before the successful completion of a threat actor’s objectives.

Any organization that uses an MSP to provide services should monitor the MSP's interactions within their organization’s enterprise networks, such as account use, privileges, and access to confidential or proprietary information. Organizations should also ensure that they have the ability to review their security and monitor their information hosted on MSP networks.

APT TTPs and Corresponding Mitigations
The following table displays the TTPs employed by APT actors and pairs them with mitigations that network defenders can implement.

Table 1: APT TTPs and Mitigations

Preparation
APT TTPs:
- Allocate operational infrastructure, such as Internet Protocol addresses (IPs).
- Gather target credentials to use for legitimate access.
Mitigations:
- Protect: Educate users to never click unsolicited links or open unsolicited attachments in emails. Implement an awareness and training program.
- Detect: Leverage multi-sourced threat-reputation services for files, Domain Name System (DNS), Uniform Resource Locators (URLs), IPs, and email addresses.

Engagement
APT TTPs:
- Use legitimate remote access, such as virtual private networks (VPNs) and Remote Desktop Protocol (RDP).
- Leverage a trusted relationship between networks.
Mitigations:
- Protect: Enable strong spam filters to prevent phishing emails from reaching end users. Authenticate inbound email using Sender Policy Framework; Domain-Based Message Authentication, Reporting and Conformance; and DomainKeys Identified Mail to prevent email spoofing. Prevent external access via RDP sessions and require VPN access. Enforce multi-factor authentication and account-lockout policies to defend against brute force attacks.
- Detect: Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses. Scan all incoming and outgoing emails to detect threats and filter out executables. Audit all remote authentications from trusted networks or service providers for anomalous activity.
- Respond and Recover: Reset credentials, including system accounts. Transition to multifactor authentication and reduce use of password-based systems, which are susceptible to credential theft, forgery, and reuse across multiple systems.

Presence
APT TTPs:
- Execution and Internal Reconnaissance: Write to disk and execute malware and tools on hosts. Use interpreted scripts and run commands in shell to enumerate accounts, local network, operating system, software, and processes for internal reconnaissance. Map accessible networks and scan connected targets.
- Lateral Movement: Use remote services and log on remotely. Use legitimate credentials to move laterally onto hosts, domain controllers, and servers. Write to remote file shares, such as Windows administrative shares.
- Credential Access: Locate credentials, dump credentials, and crack passwords.
Mitigations:
- Protect: Deploy an anti-malware solution, which also aims to prevent spyware and adware. Prevent the execution of unauthorized software, such as Mimikatz, by using application whitelisting. Deploy PowerShell mitigations and, in the more current versions of PowerShell, enable monitoring and security features. Prevent unauthorized external access via RDP sessions. Restrict workstations from communicating directly with other workstations. Separate administrative privileges between internal administrator accounts and accounts used by trusted service providers. Enable detailed session-auditing and session-logging.
- Detect: Audit all remote authentications from trusted networks or service providers. Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems. Log use of system administrator commands, such as net, ipconfig, and ping. Audit logs for suspicious behavior. Use whitelist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system. Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses.
- Respond and Recover: Reset credentials. Monitor accounts associated with a compromise for abnormal behaviors, including unusual connections to nonstandard resources or attempts to elevate privileges, enumerate, or execute unexpected programs or applications... (more)
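Two of the Detect items in Table 1 (audit remote authentications from trusted service providers; use a baseline comparison to catch a user mapping a privileged administrative share) and the logging advice of TA18-276B above can be expressed as simple rules over Windows Security events. The following Python block is an added example and not part of either alert: it runs both rules over a few constructed events in the shape of Windows 5140 (network share accessed) and 4624 (successful logon) records. The account baseline, the source networks agreed with the provider, and every event value are assumptions made for the illustration.

```python
"""Baseline comparison over Windows Security events (constructed sample data).

Rule 1: a privileged administrative share (ADMIN$, C$, D$ ...) is mapped by an
        account that is not on the baseline of accounts allowed to do so.
Rule 2: a trusted-service-provider account logs on remotely (logon type 3 or 10)
        from a source address outside the networks agreed with that provider.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed events; field names follow the Windows Security log.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "msp-svc", "IpAddress": "203.0.113.10"},
    {"EventID": 5140, "SubjectUserName": "msp-svc", "ShareName": "\\\\*\\ADMIN$", "IpAddress": "203.0.113.10"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "msp-svc", "IpAddress": "198.51.100.77"},
    {"EventID": 5140, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\C$", "IpAddress": "10.0.5.23"},
    {"EventID": 5140, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\Projects", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "127.0.0.1"},
]

# Baseline (assumed for the example): accounts allowed to map admin shares, and the
# networks each provider account is expected to connect from.
ADMIN_SHARE_BASELINE = {"msp-svc", "it-admin"}
PROVIDER_SOURCES = {"msp-svc": [ip_network("203.0.113.0/24")]}
REMOTE_LOGON_TYPES = {3, 10}            # Network and RemoteInteractive (RDP)
ADMIN_SHARE = re.compile(r"\\(ADMIN\$|[A-Z]\$)$")   # matches \\*\ADMIN$ or \\*\C$


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    detail: str


def is_admin_share(share: str) -> bool:
    return ADMIN_SHARE.search(share) is not None


def check_admin_share_mapping(event) -> Optional[Finding]:
    """Rule 1: admin share mapped by an account off the baseline."""
    if event["EventID"] != 5140 or not is_admin_share(event["ShareName"]):
        return None
    user = event["SubjectUserName"]
    if user in ADMIN_SHARE_BASELINE:
        return None
    return Finding("admin-share-off-baseline", user,
                   f"{event['ShareName']} from {event['IpAddress']}")


def check_provider_logon_source(event) -> Optional[Finding]:
    """Rule 2: provider account logging on remotely from an unexpected network."""
    if event["EventID"] != 4624 or event["LogonType"] not in REMOTE_LOGON_TYPES:
        return None
    user = event["TargetUserName"]
    allowed = PROVIDER_SOURCES.get(user)
    if allowed is None:
        return None        # not a provider account; out of scope for this rule
    src = ip_address(event["IpAddress"])
    if any(src in net for net in allowed):
        return None
    return Finding("provider-logon-unexpected-source", user,
                   f"logon type {event['LogonType']} from {src}")


def run_detections(events) -> List[Finding]:
    findings = []
    for ev in events:
        for check in (check_admin_share_mapping, check_provider_logon_source):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.account}: {f.detail}")
```

On the constructed events the provider account's RDP logon from 198.51.100.77 and jdoe's mapping of C$ are reported, while the provider's own ADMIN$ use from its agreed network is not; that difference between "unusual" and "off-baseline" is what makes the comparison tractable in a SIEM.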

Posted on 3 October 2018 2:00 pm


TA18-275A: HIDDEN COBRA – FASTCash Campaign

Original release date: October 02, 2018 | Last revised: December 21, 2018

Systems Affected
Retail Payment Systems

Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims’ networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity. This TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the malware families associated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

NCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis Report (MAR). MAR-10201537, HIDDEN COBRA FASTCash-Related Malware, examines the tactics, techniques, and procedures observed in the malware. Visit the MAR-10201537 page for the report and associated IOCs.

Description
Since at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia. At the time of this TA’s publication, the U.S. Government has not confirmed any FASTCash incidents affecting institutions within the United States. FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation. According to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries.

HIDDEN COBRA actors target the retail payment system infrastructure within banks to enable fraudulent ATM cash withdrawals across national borders. HIDDEN COBRA actors have configured and deployed malware on compromised switch application servers in order to intercept and reply to financial request messages with fraudulent but legitimate-looking affirmative response messages. Although the infection vector is unknown, all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions beyond the end of their service pack support dates; there is no evidence HIDDEN COBRA actors successfully exploited the AIX operating system in these incidents. HIDDEN COBRA actors exploited the targeted systems by using their knowledge of International Standards Organization (ISO) 8583—the standard for financial transaction messaging—and other tactics. HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers. Malicious threat actors use these libraries to help interpret financial request messages and properly construct fraudulent financial response messages.

Figure 1: Anatomy of a FASTCash scheme

A review of log files showed HIDDEN COBRA actors making typos and actively correcting errors while configuring the targeted server for unauthorized activity. Based on analysis of the affected systems, analysts believe that malware—used by HIDDEN COBRA actors and explained in the Technical Details section below—inspected inbound financial request messages for specific primary account numbers (PANs). The malware generated fraudulent financial response messages only for the request messages that matched the expected PANs. Most accounts used to initiate the transactions had minimal account activity or zero balances. Analysts believe HIDDEN COBRA actors blocked transaction messages to stop denial messages from leaving the switch and used a GenerateResponse* function to approve the transactions. These response messages were likely sent for specific PANs matched using CheckPan() verification (see figure 1 for additional details on CheckPan()).

Technical Details
HIDDEN COBRA actors used malicious Windows executable applications, command-line utility applications, and other files in the FASTCash campaign to perform transactions and interact with financial systems, including the switch application server. The initial infection vector used to compromise victim networks is unknown; however, analysts surmise HIDDEN COBRA actors used spear-phishing emails in targeted attacks against bank employees. HIDDEN COBRA actors likely used Windows-based malware to explore a bank’s network to identify the payment switch application server. Although these threat actors used different malware in each known incident, static analysis of malware samples indicates similarities in malware capabilities and functionalities. HIDDEN COBRA actors likely used legitimate credentials to move laterally through a bank’s network and to illicitly access the switch application server. This pattern suggests compromised systems within a bank’s network were used to access and compromise the targeted payment switch application server.

Upon successful compromise of a bank’s payment switch application server, HIDDEN COBRA actors likely injected malicious code into legitimate processes—using command-line utility applications on the payment switch application server—to enable fraudulent behavior by the system in response to what would otherwise be normal payment switch application server activity. NCCIC collaborated with Symantec cybersecurity researchers to provide additional context on existing analysis [1]. Malware samples analyzed included malicious AIX executable files intended for a proprietary UNIX operating system developed by IBM. The AIX executable files were designed to inject malicious code into a currently running process... (more)
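The description above boils down to a switch that answers requests with approvals the issuing bank never authorized, while declines are prevented from leaving the switch. One defender-side control that follows from that is an out-of-band reconciliation between what the switch emitted and what the issuer host decided. The Python block below is an added example and not part of the alert or of MAR-10201537: it pairs a constructed switch-side log of ISO 8583 0200 requests and 0210 responses with a constructed issuer-host log on the system trace audit number (DE11) and compares response codes (DE39). Message shapes, PANs and STANs are invented for the illustration; a production check would also key on transmission date/time (DE7) and acquirer/terminal identifiers, because STAN alone is not unique across acquirers.

```python
"""Reconcile switch responses against issuer authorizations (constructed data).

A response the switch sent with DE39 == "00" (approved) is legitimate only if the
issuer host recorded the same decision for the same transaction. Two anomalies:
  decision-mismatch   issuer declined, switch approved anyway
  no-issuer-decision  switch answered a request the issuer never saw
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Msg:
    mti: str        # ISO 8583 message type indicator: "0200" request, "0210" response
    pan: str        # DE2 primary account number (masked in these samples)
    stan: str       # DE11 system trace audit number, used here to pair request/response
    rc: str = ""    # DE39 response code: "00" approved; only meaningful on 0210


# Constructed switch-side log: requests received and the responses the switch returned.
SWITCH_LOG = [
    Msg("0200", "411111******1111", "000101"),
    Msg("0210", "411111******1111", "000101", "00"),
    Msg("0200", "522222******2222", "000102"),
    Msg("0210", "522222******2222", "000102", "51"),   # declined: insufficient funds
    Msg("0200", "533333******3333", "000103"),
    Msg("0210", "533333******3333", "000103", "00"),   # approved by the switch ...
    Msg("0200", "544444******4444", "000104"),
    Msg("0210", "544444******4444", "000104", "00"),   # approved, but see ISSUER_LOG
]

# Constructed issuer-host log: the decisions the core banking system actually made.
ISSUER_LOG = [
    Msg("0210", "411111******1111", "000101", "00"),
    Msg("0210", "522222******2222", "000102", "51"),
    Msg("0210", "533333******3333", "000103", "51"),   # ... but declined by the issuer
    # STAN 000104 never reached the issuer host at all
]


def index_by_stan(msgs: List[Msg], mti: str) -> Dict[str, Msg]:
    """Map STAN -> message for all messages of the given type."""
    return {m.stan: m for m in msgs if m.mti == mti}


def reconcile(switch_log: List[Msg], issuer_log: List[Msg]) -> List[Tuple[str, str, str]]:
    """Return (anomaly, stan, pan) for every switch approval the issuer did not make."""
    issuer_decisions = index_by_stan(issuer_log, "0210")
    findings = []
    for resp in (m for m in switch_log if m.mti == "0210" and m.rc == "00"):
        decision = issuer_decisions.get(resp.stan)
        if decision is None:
            findings.append(("no-issuer-decision", resp.stan, resp.pan))
        elif decision.rc != "00":
            findings.append(("decision-mismatch", resp.stan, resp.pan))
    return findings


def approvals_per_pan(switch_log: List[Msg]) -> Dict[str, int]:
    """Count approvals per PAN; the alert notes the fraud concentrated on a few
    low-activity accounts, so a spike here is a cheap secondary signal."""
    counts: Dict[str, int] = {}
    for m in switch_log:
        if m.mti == "0210" and m.rc == "00":
            counts[m.pan] = counts.get(m.pan, 0) + 1
    return counts


if __name__ == "__main__":
    for anomaly, stan, pan in reconcile(SWITCH_LOG, ISSUER_LOG):
        print(f"{anomaly}: STAN {stan} PAN {pan}")
```

The point of the check is that it runs on data the compromised switch does not control: the issuer host's own record. An actor who injects approvals at the switch can suppress declines on that box, but cannot make the issuer log show approvals it never issued.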

Posted on 2 October 2018 6:45 pm


TA18-201A: Emotet Malware

Original release date: July 20, 2018

Systems Affected
Network Systems

Overview
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).

Description
Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate through the local networks using incorporated spreader modules.

Figure 1: Malicious email distributing Emotet

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.
- NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
- Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
- WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
- Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
- Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

Figure 2: Emotet infection process

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.

Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation, as this may accelerate the spread of the malware.

Example Filenames and Paths:
C:\Users\<username>\AppData\Local\Microsoft\Windows\shedaudio.exe
C:\Users\<username>\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe

Typical Registry Keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

System Root Directories:
C:\Windows\11987416.exe
C:\Windows\System32\46615275.exe
C:\Windows\System32\shedaudio.exe
C:\Windows\SysWOW64\f9jwqSbS.exe

Impact
Negative consequences of Emotet infection include temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.

Solution
NCCIC and MS-ISAC recommend that organizations adhere to the following general best practices to limit the effect of Emotet and similar malspam:
- Use Group Policy Object to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At a minimum, create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
- Use antivirus programs, with automatic updates of signatures and software, on clients and servers.
- Apply appropriate patches and updates immediately (after appropriate testing).
- Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall... (more)
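The artifact patterns listed above (executables launched from under AppData\Local or AppData\Roaming via Run keys, and randomly named service binaries dropped directly into the system root directories) lend themselves to a first-pass triage of an autostart inventory. The Python block below is an added example and not part of the alert. Its inventory is constructed from the example paths the alert gives, plus two benign entries; the allowlist of system binaries and the "random-looking name" pattern are heuristics assumed for the illustration, not indicators from the alert, so hits are leads for an analyst rather than verdicts.

```python
"""Triage autostart entries for the Emotet artifact patterns described in TA18-201A.

Input is an inventory of (source, entry name, image path) tuples, the kind of
data an autoruns export or a Get-Service/Run-key dump would give. Constructed here.
"""
import ntpath
import re
from typing import List, Tuple

Entry = Tuple[str, str, str]   # (where found, entry name, image path)

# Constructed inventory; the suspicious paths are the examples given in the alert.
AUTOSTARTS: List[Entry] = [
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "shedaudio",
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\shedaudio.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "flashplayer",
     "C:\\Users\\alice\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia\\bin\\flashplayer.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"),          # benign, constructed
    ("service", "11987416", "C:\\Windows\\11987416.exe"),
    ("service", "46615275", "C:\\Windows\\System32\\46615275.exe"),
    ("service", "shedaudio", "C:\\Windows\\System32\\shedaudio.exe"),
    ("service", "f9jwqSbS", "C:\\Windows\\SysWOW64\\f9jwqSbS.exe"),
    ("service", "Spooler", "C:\\Windows\\System32\\spoolsv.exe"),   # benign, constructed
]

APPDATA_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Heuristic (assumption): 8 digits or 8 mixed alphanumerics, as in the alert's examples.
RANDOM_NAME_RE = re.compile(r"^(\d{8}|[A-Za-z0-9]{8})\.exe$")
# Trimmed allowlist (assumption); a real one would be built from a known-good image.
KNOWN_SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "services.exe", "lsass.exe"}


def in_system_root(path: str) -> bool:
    """True if the file sits directly in C:\\Windows, System32 or SysWOW64."""
    parent = ntpath.dirname(path.lower()) + "\\"
    return parent in SYSTEM_ROOTS


def triage(entry: Entry) -> List[str]:
    """Return the reasons an entry looks like the alert's artifact patterns (empty if none)."""
    source, _name, path = entry
    base = ntpath.basename(path)
    reasons = []
    if base.lower().endswith(".exe") and APPDATA_RE.search(path):
        reasons.append("executable launched from AppData")
    if source == "service" and in_system_root(path) and base.lower() not in KNOWN_SYSTEM_BINARIES:
        if RANDOM_NAME_RE.match(base):
            reasons.append("random-looking service binary in a system root directory")
        else:
            reasons.append("unrecognised service binary in a system root directory")
    return reasons


def suspicious_autostarts(entries: List[Entry]) -> List[Tuple[str, str, List[str]]]:
    """Filter the inventory down to entries with at least one triage reason."""
    out = []
    for entry in entries:
        reasons = triage(entry)
        if reasons:
            out.append((entry[1], entry[2], reasons))
    return out


if __name__ == "__main__":
    for name, path, reasons in suspicious_autostarts(AUTOSTARTS):
        print(f"{name:12} {path}\n    {'; '.join(reasons)}")
```

The note in the alert about not logging on to infected hosts with privileged accounts applies to collecting this inventory as well: gather it with a low-privilege account or from an offline image so the collection itself does not hand the spreader modules new credentials.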

Posted on 21 July 2018 12:24 am


TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

Original release date: May 29, 2018 | Last revised: May 31, 2018

Systems Affected
Network systems

Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government: a remote access tool (RAT), commonly known as Joanap; and a Server Message Block (SMB) worm, commonly known as Brambul. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on how to report incidents. If users or administrators detect activity associated with these malware families, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

See the following links for a downloadable copy of IOCs:
- IOCs (.csv)
- IOCs (.stix)

NCCIC conducted analysis on four malware samples and produced a Malware Analysis Report (MAR). MAR-10135536.3 – RAT/Worm examines the tactics, techniques, and procedures observed in the malware. Visit MAR-10135536.3 – HIDDEN COBRA RAT/Worm for the report and associated IOCs.

Description
According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors. Users and administrators should review the information related to Joanap and Brambul from the Operation Blockbuster Destructive Malware Report [1] in conjunction with the IP addresses listed in the .csv and .stix files provided within this alert. Like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes. Each malware tool has different purposes and functionalities.

Joanap malware is a fully functional RAT that is able to receive multiple commands, which can be issued by HIDDEN COBRA actors remotely from a command and control server. Joanap typically infects a system as a file dropped by other HIDDEN COBRA malware, which users unknowingly downloaded either when they visit sites compromised by HIDDEN COBRA actors, or when they open malicious email attachments. During analysis of the infrastructure used by Joanap malware, the U.S. Government identified 87 compromised network nodes. The countries in which the infected IP addresses are registered are as follows:
- Argentina
- Belgium
- Brazil
- Cambodia
- China
- Colombia
- Egypt
- India
- Iran
- Jordan
- Pakistan
- Saudi Arabia
- Spain
- Sri Lanka
- Sweden
- Taiwan
- Tunisia

Malware often infects servers and systems without the knowledge of system users and owners. If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks to infect nodes beyond those identified in this alert.

Brambul malware is a brute-force authentication worm that spreads through SMB shares. SMBs enable shared access to files between users on a network. Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.

Technical Details
Joanap
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. Other notable functions include file management, process management, creation and deletion of directories, and node management. Analysis indicates the malware encodes data using Rivest Cipher 4 encryption to protect its communication with HIDDEN COBRA actors. Once installed, the malware creates a log entry within the Windows System Directory in a file named mssscardprv.ax. HIDDEN COBRA actors use this file to capture and store victims’ information such as the host IP address, host name, and the current system time.

Brambul
Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks. Analysts suspect the malware targets insecure or unsecured user accounts and spreads through poorly secured network shares. Once the malware establishes unauthorized access on the victim’s systems, it communicates information about victims’ systems to HIDDEN COBRA actors using malicious email addresses. This information includes the IP address and host name—as well as the username and password—of each victim’s system. HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol.

Analysis of a newer variant of Brambul malware identified the following built-in functions for remote operations: harvesting system information, accepting command-line arguments, generating and executing a suicide script, propagating across the network using SMB, brute forcing SMB login credentials, and generating Simple Mail Transport Protocol email messages containing target host system information.

Detection and Response
This alert’s IOC files provide HIDDEN COBRA IOCs related to Joanap and Brambul... (more)
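Brambul's propagation, as described above, is a burst of password guesses from one infected host against SMB on many neighbouring hosts using a fixed credential list. Seen from a log collector that receives Windows Security events from those neighbours, that is many failed network logons (4625, logon type 3) from a single source address spread across many host/account pairs within a short window, which is distinguishable from a single user mistyping a password. The Python block below is an added example and not part of the alert: it implements that sliding-window count over constructed log lines; the line format, the thresholds and the window length are assumptions for the illustration and would be tuned to a real estate's baseline.

```python
"""Flag SMB credential-spray sources from forwarded Windows logon events (constructed data).

A source is reported when, inside a sliding window, its failed network logons reach
min_failures AND touch at least min_pairs distinct (target host, account) pairs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed collector line format: ISO timestamp plus key=value fields copied from the event.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

_HOSTS = ["WS02", "WS03", "WS04", "WS05", "WS06"]
_USERS = ["administrator", "admin", "guest"]
SAMPLE_LOG = [
    # 12 failures in 12 seconds from one host against 5 neighbours and 3 accounts (constructed)
    f"2018-05-29T10:00:{i:02d}Z host={_HOSTS[i % 5]} EventID=4625 LogonType=3 "
    f"TargetUserName={_USERS[i % 3]} IpAddress=10.0.0.15"
    for i in range(12)
] + [
    # one user mistyping a password a few times, then succeeding: not a spray (constructed)
    "2018-05-29T10:00:05Z host=FS01 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.0.0.40",
    "2018-05-29T10:00:09Z host=FS01 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.0.0.40",
    "2018-05-29T10:00:20Z host=FS01 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=10.0.0.40",
    "2018-05-29T10:00:21Z host=FS01 EventID=4624 LogonType=3 TargetUserName=bob IpAddress=10.0.0.40",
]


def parse(line: str) -> Optional[dict]:
    """Parse one collector line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": d["host"],
        "eid": int(d["eid"]),
        "lt": int(d["lt"]),
        "user": d["user"],
        "ip": d["ip"],
    }


def spray_sources(lines, window: timedelta = timedelta(seconds=60),
                  min_failures: int = 8, min_pairs: int = 5) -> Dict[str, Tuple[int, int]]:
    """Return {source_ip: (failures_in_window, distinct_host_account_pairs)} for sources
    that crossed both thresholds; the value reflects the last window in which they did."""
    events = sorted(
        (e for e in map(parse, lines) if e and e["eid"] == 4625 and e["lt"] == 3),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(deque)      # per-source events inside the current window
    flagged: Dict[str, Tuple[int, int]] = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        pairs = {(x["host"], x["user"]) for x in q}
        if len(q) >= min_failures and len(pairs) >= min_pairs:
            flagged[e["ip"]] = (len(q), len(pairs))
    return flagged


if __name__ == "__main__":
    for ip, (failures, pairs) in spray_sources(SAMPLE_LOG).items():
        print(f"{ip}: {failures} failed network logons across {pairs} host/account pairs")
```

Requiring both a failure count and a spread across host/account pairs is what keeps the rule from firing on a single locked-out user; the same fan-out logic applied to firewall records of outbound connections to ports 139 and 445 would also catch the worm's random-address scanning, which the alert notes as a further propagation step.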

Posted on 29 May 2018 3:18 pm


TA18-145A: Cyber Actors Target Home and Office Routers and Networked Devices Worldwide

Original release date: May 25, 2018 | Last revised: June 07, 2018

Systems Affected

Small office/home office (SOHO) routers
Networked devices
Network-attached storage (NAS) devices

Overview

Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide [1] [2] [3]. The actors used VPNFilter malware to target small office/home office (SOHO) routers. VPNFilter malware uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. Specific characteristics of VPNFilter have only been observed in the BlackEnergy malware, specifically BlackEnergy versions 2 and 3.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recommend that owners of SOHO routers power cycle (reboot) SOHO routers and networked devices to temporarily disrupt the malware.

DHS and FBI encourage SOHO router owners to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by email at CyWatch@fbi.gov. Each submitted report should include as much information as possible, specifically the date, time, location, type of activity, number of people, the type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

Description

The size and scope of the infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices. The initial exploit vector for this malware is currently unknown.

The malware uses a modular functionality on SOHO routers to collect intelligence, exploit LAN devices, and block actor-configurable network traffic. The malware can render a device inoperable, and has destructive functionality across routers, network-attached storage devices, and central processing unit (CPU) architectures running embedded Linux. The command and control mechanism implemented by the malware uses a combination of secure sockets layer (SSL) with client-side certificates for authentication and TOR protocols, complicating network traffic detection and analysis.

Impact

Negative consequences of VPNFilter malware infection include: temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.

Solution

DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware. Network device management interfaces—such as Telnet, SSH, Winbox, and HTTP—should be turned off for wide-area network (WAN) interfaces, and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities.

Rebooting affected devices will cause non-persistent portions of the malware to be removed from the system. Network defenders should ensure that first-stage malware is removed from the devices, and appropriate network-level blocking is in place prior to rebooting affected devices. This will ensure that second stage malware is not downloaded again after reboot. While the paths at each stage of the malware can vary across device platforms, processes running with the name "vpnfilter" are almost certainly instances of the second stage malware. Terminating these processes and removing associated processes and persistent files that execute the second stage malware would likely remove this malware from targeted devices.

References

[1] New VPNFilter malware targets at least 500K networking devices worldwide
[2] Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage
[3] VPNFilter Update - VPNFilter exploits endpoints, targets new devices

Revision History

May 25, 2018: Initial Version
June 7, 2018: Added link to June 6, 2018 Cisco Talos blog update on VPNFilter

(more)

Posted on 25 May 2018 9:22 pm
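The alert above gives three concrete checks a defender can run on an embedded-Linux router: look for processes named "vpnfilter", find management services (Telnet, SSH, HTTP, Winbox) listening on the WAN side, and close them on the WAN interface before rebooting. The shell helpers below are an added example written for this page, not code from DHS, FBI or any router vendor. The ps and netstat listings are constructed samples; the interface name eth0 and the address 203.0.113.7 are placeholders to replace with your own device's WAN interface and address, and Winbox is assumed to be on its usual TCP port 8291.

```shell
#!/bin/sh
# Added example for the TA18-145A mitigations (not from the alert itself).
# Each check reads captured 'ps' / 'netstat -tln' output on stdin, so it can
# be run offline against listings pulled from a router, or piped live.

# Constructed sample BusyBox-style 'ps' output (not a real capture).
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1240 S    init
  212 root      2804 S    /usr/sbin/dropbear -p 22
  357 root      5120 S    vpnfilter
  358 root      4988 S    /tmp/vpnfilter -c /var/run/vpnfilter.conf
  402 root      1980 S    /usr/sbin/uhttpd -p 80'

# Constructed sample 'netstat -tln' output (not a real capture).
# 203.0.113.7 stands in for the WAN address, 192.168.1.1 for the LAN address.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:23          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8291            0.0.0.0:*               LISTEN'

# Print the PIDs of processes whose executable name is exactly "vpnfilter",
# which the alert says are almost certainly second-stage instances. Only the
# basename of the COMMAND field is compared, so a process that merely mentions
# the string in its arguments is not reported.
find_vpnfilter_pids() {
    awk 'NR > 1 {
        cmd = $5
        sub(/.*\//, "", cmd)
        if (cmd == "vpnfilter") print $1
    }'
}

# Report management services listening where the WAN can reach them: bound to
# the WAN address given as $1, or to every address (0.0.0.0 / :: / *).
# Output: "<port> <service> <bound address>" per exposed socket.
wan_mgmt_exposure() {
    awk -v wan="$1" '
        BEGIN { mgmt[22] = "ssh"; mgmt[23] = "telnet"; mgmt[80] = "http"; mgmt[8291] = "winbox" }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port in mgmt && (addr == wan || addr == "0.0.0.0" || addr == "::" || addr == "*"))
                print port, mgmt[port], addr
        }'
}

# Emit iptables rules that drop inbound connections to those services on the
# WAN interface ($1). Rules are printed, not applied, so they can be reviewed;
# pipe the output to sh to apply them.
wan_block_rules() {
    for p in 22 23 80 8291; do
        echo "iptables -I INPUT -i $1 -p tcp --dport $p -j DROP"
    done
}

# Live usage on a device (assumed names; adjust eth0 and the address lookup):
#   ps | find_vpnfilter_pids
#   netstat -tln | wan_mgmt_exposure 203.0.113.7
#   wan_block_rules eth0 | sh
```

Run the WAN-exposure check and apply the blocking rules before the reboot the alert calls for, since the reboot only clears the non-persistent stage and the device will otherwise be back in the same exposed state when it comes up.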


