Latest news about information security threats and incidents
Preventing the security threats and incidents described below is wiser and cheaper than forensic investigation and mitigating the consequences of a cyber attack.
The news items below provide evidence of this.
Use our services to find and mitigate your security vulnerabilities before the security threat agents find them.
Avast fights off cyber-espionage attempt, Abiss | Avast
21 October 2019. Avast deploys hardened self-defense and wider intelligence industry collaboration. Global software companies are increasingly being targeted for disruptive attacks, cyber-espionage and even nation-state level sabotage, as evidenced by the many reports of data breaches and supply chain attacks over the last few years. More details.
Posted on 22 October 2019 2:22 am
ATTK of the Pwns: Trend Micro's antivirus tools 'will run malware – if its filename is cmd.exe'
A flaw in the Trend Micro Anti-Threat Toolkit can be exploited by hackers to run malware on victims' Windows computers. Bug-hunter John "hyp3rlinx" Page took credit for uncovering CVE-2019-9491, an arbitrary code execution flaw in the security tool. More details.
Posted on 21 October 2019 10:58 pm
EU Cybersecurity Certification Schemes Will Surprise U.S. Businesses
The European Union’s (EU) Network and Information Systems Directive (NIS Directive) and the cybersecurity and notification requirements it imposes on critical infrastructure companies and digital service providers.... The second part of the EU’s march to take the global lead on.... More details.
Posted on 21 October 2019 6:49 pm
Best Practices for Evaluating and Vetting Third Parties
The global and interconnected nature of business today means that no company or organization is an island. Every modern business relies on many others, either as part of the supply or distribution chain, or for value-added services like accounting and social media marketing. More details.
Posted on 21 October 2019 4:26 pm
Network traffic analysis for incident response
Introduction: Sophisticated cybercriminals understand the techniques and tools that they need to employ to move undetected throughout a victim network until they.... More details.
Posted on 21 October 2019 4:24 pm
Train to be a certified cyber security professional for just $39
Cyber crime is responsible for a staggering amount of damage and chaos around the world. More details.
Posted on 21 October 2019 4:19 pm
Assange Denied Delay for US Extradition Hearing
WikiLeaks founder Julian Assange and his legal team returned to court on Monday to argue for a delay in a hearing to consider his extradition to the U.S., where he faces an 18-count indictment for violations of the Espionage Act. More details.
Posted on 21 October 2019 4:18 pm
Microsoft announces Secured-core PCs to counter firmware attacks
Microsoft today announced a new initiative to combat threats specifically targeted at the firmware level and data stored in memory: Secured-core PCs. Microsoft partnered with chip and computer makers to apply “security best practices of isolation and minimal trust to the firmware layer, or the.... More details.
Posted on 21 October 2019 4:17 pm
Researchers Expose Operations Of Three Sodinokibi Affiliate Groups
All of the three affiliates (Group 1, affiliate #34, and affiliate #19) use mass port scanning tools to find accessible RDP servers. They then use the NLBrute RDP brute-forcing tool with custom password lists to gain access to servers and spread laterally throughout the network. More details.
Posted on 21 October 2019 4:04 pm
Trend Micro would like you to fall in line and become a victim of Cloud Conformity
Security biz to slurp Aussie compliance outfit. Infosec giant Trend Micro is buying Australian compliance biz.... More details.
Posted on 21 October 2019 3:55 pm
#cybersecurity | hacker | Leaky Autoclerk database exposes info on travelers, including military and gov’t personnel
acquired by the Western Hotel & Resorts Group, exposed personal and travel information on hotel guests, including members of the U.S. government, military and Department of Homeland Security. “Our team viewed highly sensitive data exposing the personal details of government and military personnel,.... More details.
Posted on 21 October 2019 3:41 pm
Popular VPN Service NordVPN Says it Was Hacked
NordVPN, a virtual private network provider that promises to "protect your privacy online," has confirmed it was hacked. From a report: The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially.... More details.
Posted on 21 October 2019 3:05 pm
Zappos' Offer to Breach Victims: A 10 Percent Discount
Zappos is close to settling a long-running class action lawsuit filed by consumers over a 2012 data breach. The case against the Las Vegas-based online shoe and clothing retailer has been.... More details.
Posted on 21 October 2019 3:04 pm
Banks deny compensation when hackers steal customers' money
Sunjit Lidhar was awoken by a phone call from Scotiabank last February, informing him that $3,000 had been transferred out of his savings account and was gone. "My heart pretty much dropped to my stomach," Lidhar told Go Public from his home in Surrey, B.C. "We just assume our money's safe." Soon after, the cybercriminals stole another $2,000. More details.
Posted on 21 October 2019 2:39 pm
Russian Hackers Coopted Iranian APT Group's Infrastructure
A Russian hacking team stole cyberattack tools from Iran and used them against dozens of targets to exfiltrate data, U.K. and U.S. intelligence agencies say. On Monday, Britain's National Cyber Security Center and the U.S. More details.
Posted on 21 October 2019 2:22 pm
Hashtag Trending – Oracle’s Hurd dies, Zuckerberg talks free speech, Air Force ditches floppy disks
Oracle co-CEO Mark Hurd passes away, Facebook’s CEO gives a talk about how Facebook promotes and regulates free speech, and the U.S. Air Force finally retires its 8-inch floppies from its missile launch control system. Mark Hurd, co-CEO of Oracle, has died at age 62. More details.
Posted on 21 October 2019 2:06 pm
Avast fends off hacker who breached its internal network in copycat CCleaner attack
In August 2017, millions of users of the popular clean-up tool CCleaner were automatically updated with a version of the software which had been.... Now Czech anti-virus firm Avast, which distributes CCleaner, has revealed that hackers appear to have tried the same type of supply chain attack again. More details.
Posted on 21 October 2019 2:03 pm
#cybersecurity | #hackerspace | Managing and Responding to Advanced Cyber Risks in the Oil and Gas Industry
To protect the integrity and safety of their business-critical assets, cybersecurity must be a top priority for the oil and gas industry. Although oil and gas companies operate some of the nation’s most critical systems, securing these complex infrastructures can be a huge challenge. More details.
Posted on 21 October 2019 2:03 pm
Czech police, intelligence bust Russian spy network
Czech police and intelligence services said on Monday they had busted a Russian espionage network operating through its Prague embassy. It was allegedly set up to attack Czech and foreign targets through computer servers. "The network was completely destroyed and decimated," Michal Koudelka, head of.... More details.
Posted on 21 October 2019 1:06 pm
US, UK: Russian Hackers Hijacked Iranian Malware, Infrastructure
The U.S. National Security Agency (NSA) and Britain’s National Cyber Security Centre (NCSC) reported on Monday that the Russia-linked threat group known as Turla has hijacked malware and infrastructure from Iranian hackers. More details.
Posted on 21 October 2019 1:03 pm
Security spending soars
Worldwide spending on security products and services will enjoy solid growth over the next five years according to beancounters at IDC. According to the IDC Worldwide Semiannual Security Spending Guide, worldwide spending on security-related hardware, software, and services will be $106.6 billion in 2019, an increase of 10.... More details.
Posted on 21 October 2019 12:53 pm
How enterprises can benefit from Cybersecurity Awareness Month
Organizations are working with the US Department of Homeland Security to enhance their own security awareness training and promote it in their communities. What is National Cybersecurity Awareness Month? An annual initiative launched 16.... More details.
Posted on 21 October 2019 12:31 pm
Yes, you can reap cost benefits from the cloud
As part of the strategy, the company has invested in four key cloud-first programs: digital workplace, modern telephony platforms, cloud storage gateway, and secure cloud solutions. “Together, these programs are improving scalability, cycle times, reliability, and security so our workforce can work.... More details.
Posted on 21 October 2019 11:37 am
Utah county moves to expand mobile voting through blockchain
Disabled voters in Utah County will be able to use their smartphones to vote in the November municipal election, an expansion of an earlier pilot test of the blockchain-based technology and another step toward allowing all voters to cast ballots with a mobile device. The county, which has more than a half million residents, is the third in the U.... More details.
Posted on 21 October 2019 11:26 am
Hackers Penetrate Deep Into Antivirus Giant Avast's Network
Avast has suffered a breach of its internal IT network thanks to what it calls a sophisticated hack. Avast has become the victim of a cyberespionage campaign that saw hackers gain deep access to its network. More details.
Posted on 21 October 2019 11:09 am
Equifax used default 'admin' password to secure hacked portal
Equifax staffers used the default 'admin' username and password to secure a portal containing sensitive customer information. That's according to a class-action lawsuit launched against the company in the US, claiming securities fraud by the company over the 2017 data breach that spilled.... More details.
Posted on 21 October 2019 11:05 am
Malware hides as iOS jailbreak, Sucuri is insecuri, and China is about to get even worse
Malware hides as iOS jailbreak tool. The team over at Cisco Talos has spotted a clever bit of trickery being used by an iOS click fraud operation. Researchers say a piece of malware called "Checkrain" has been making the rounds spoofing a popular iOS jailbreaking tool called "checkra1n". More details.
Posted on 21 October 2019 10:54 am
#cybersecurity | #hackerspace | Networking, engineering and education | Cyber Work Podcast
Tia Hopkins, Vice President of Global Sales Engineering at eSentire, and Cyber Work host Chris Sienko discuss Hopkins’ past in physical networking, her pursuit of education and how she advanced her career. Additional Resources. – View the transcript, additional episodes and promotional offers: https://www. More details.
Posted on 21 October 2019 10:46 am
The latest on the Trump impeachment inquiry
The DC Circuit's regard for congressional power was broadly cast and could influence other battles between Democrats and US President Donald Trump. The DC Circuit has long been at the center of disputes over potential White House wrongdoing -- and President Donald Trump may come to understand that more than most. More details.
Posted on 21 October 2019 9:54 am
Trump says next G7 summit won't be at his Miami golf resort - Arabnews
LONDON: Russian hackers piggy-backed on an Iranian cyber-espionage operation to attack government and industry organizations in dozens of countries while masquerading as attackers from the Islamic Republic, British and US officials said on Monday. The Russian group, known as “Turla” and accused by.... More details.
Posted on 21 October 2019 9:12 am
#cyberfraud | #cybercriminals | UK cybersecurity partnership to boost protection from online attacks
The government will partner with end-to-end cybersecurity provider Arm in a £36m (€41.7m) project developing new secure chip technologies designed to be resilient to an array of cyber-threats; with the goal of preventing cyber-attacks which enable hackers to take control of computer systems remotely. More details.
Posted on 21 October 2019 9:08 am
Canada vote too close to call as Trudeau hopes to cling on
OTTAWA: Canadians vote in a general election Monday (Oct 21) with polling predicting a minority government as Prime Minister Justin Trudeau's Liberal Party risks losing its majority or even being kicked out of office. The Liberals and the Conservatives, led by Andrew Scheer, could be set for a near.... More details.
Posted on 21 October 2019 9:05 am
#hacking | British spooks expose Russian-based cyber hacking gang Turla, that targeted UK organisation
Paul Chichester, the NCSC’s director of operations, said: ‘This has been a many months-long investigation, because we wanted to unpick and unpack what was going on between these two actors. ‘We saw Turla doing more development work and seeing APT34 as a target. Turla then sought to compromise the operational platforms that APT34 used themselves. More details.
Posted on 21 October 2019 7:29 am
'An open secret': Government urged to release Parliament cyber attack report
Centre Alliance has urged the government to release its detailed report on the Parliament cyber attack that is said to blame China's Ministry of State Security for the hack. Senate president Scott Ryan, who was handed the report last week, said he would await a "lay-person's briefing" before making.... More details.
Posted on 21 October 2019 6:29 am
‘Way More Fun Than A Lot Of Jobs’: Colorado Girl Scouts Take On Cyber Challenge - CBS Denver
LITTLETON, Colo. (CBS4) – Girl Scouts across the country took part in the first ever National Girl Scouts Cyber Challenge on Saturday, including more than 200 scouts in Colorado. At the Arapahoe Community College in Littleton, middle and high school aged Girl Scouts from around the state learned important cyber security skills. More details.
Posted on 20 October 2019 8:51 pm
Malicious Tor Browser Fleeces Darknet Users of Bitcoins
A newly uncovered criminal scheme is using a trojanized version of the anonymized Tor browser to fleece darknet users of their bitcoins, according to research released Friday from security firm.... Between.... More details.
Posted on 20 October 2019 2:26 pm
China's propaganda chief says Cold War mentality hindering mutual trust in cyberspace
WUZHEN, China (Reuters) - A “Cold War mentality” and “bully behavior” are hindering mutual trust in cyberspace, China’s propaganda chief said on Sunday at the start of the World Internet Conference in the eastern Chinese town of Wuzhen. More details.
Posted on 20 October 2019 5:34 am
#cyberfraud | #cybercriminals | Corporate investigations firm Kroll is opening an Irish business
Cyber security and risk management firm Kroll has announced its entry into the Irish market after reporting an uptick in demand for its commercial intelligence services. The outfit is a division of global adviser Duff & Phelps and was originally founded in 1972 by Jules.... More details.
Posted on 20 October 2019 1:51 am
Malware hackers using steganography in WAV audio files to hide malicious code
Beware the rogue .wav file. Two reports published in the last few months indicate that authors of malware programs are using an interesting technique in their attacks. Researchers report the bad guys are applying steganography techniques to hide malicious code inside .WAV audio files. More details.
Posted on 19 October 2019 9:31 pm
Ousted Communist leader Zhao Ziyang is buried: family
A former Chinese Communist Party leader ousted after he opposed the use of force to quell 1989 democracy protests was buried over a decade after he died, his family said, in a service ignored by state media. Zhao Ziyang, who is a revered figure among Chinese human rights defenders, is still a.... More details.
Posted on 19 October 2019 7:59 pm
38 people cited for violations in Clinton email probe
WASHINGTON (AP) — The State Department has completed its internal investigation into former Secretary of State Hillary Clinton's use of private email and found violations by 38 people, some of whom may face disciplinary action. The investigation, launched more than three years ago, determined that.... More details.
Posted on 19 October 2019 7:04 pm
What Assumptions Are You Making?
If my security agents were not working correctly, then I would get an alert. Since no one said there is a problem with my security agents, then everything must be ok with them. These are just a couple of the assumptions that we make as cybersecurity practitioners each day about the security agents that serve to protect our respective organizations. More details.
Posted on 19 October 2019 4:34 pm
Unpatched Linux Bug May Open Devices To Serious Attacks Over Wi-Fi
...., a security researcher said. The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. More details.
Posted on 19 October 2019 3:22 pm
Medical Cyber Security Market SWOT Analysis by Key Players BAE Systems, Northrop Grumman, Raytheon, General Dynamics
Oct 18, 2019 (HTF Market Intelligence via COMTEX) -- Latest Study on Industrial Growth of Global Medical Cyber Security Market 2019-2025. A detailed study accumulated to offer Latest insights about acute features of the Medical Cyber Security market . The report contains different market predictions.... More details.
Posted on 19 October 2019 7:38 am
Meghan Markle says motherhood a ‘struggle’ under spotlight
The Duchess of Sussex and Prince Harry recently welcomed their first son, Archie. (AFP pic) LONDON: Meghan Markle has admitted becoming a mother while living under an intense media spotlight has been a “struggle”. The Duchess of Sussex gave birth to son Archie in May after marrying Prince Harry last year. More details.
Posted on 19 October 2019 4:58 am
AA19-290A: Microsoft Ending Support for Windows 7 and Windows Server 2008 R2
Original release date: October 17, 2019 | Last revised: October 18, 2019.

Summary. Note: This alert does not apply to federally certified voting systems running Windows 7. Microsoft will continue to provide free security updates to those systems through the 2020 election. See Microsoft’s article, Extending free Windows 7 security updates to voting systems, for more information.

On January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems. After this date, these products will no longer receive free technical support, or software and security updates. Organizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2.

Technical Details. All software products have a lifecycle. “End of support” refers to the date when the software vendor will no longer provide automatic fixes, updates, or online technical assistance. For more information on end of support for Microsoft products see the Microsoft End of Support FAQ. Systems running Windows 7 and Windows Server 2008 R2 will continue to work at their current capacity even after support ends on January 14, 2020. However, using unsupported software may increase the likelihood of malware and other security threats. Mission and business functions supported by systems running Windows 7 and Windows Server 2008 R2 could experience negative consequences resulting from unpatched vulnerabilities and software bugs. These negative consequences could include the loss of confidentiality, integrity, and availability of data, system resources, and business assets.

Mitigations. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and organizations to: Upgrade to a newer operating system. Identify affected devices to determine breadth of the problem and assess risk of not upgrading... More details.
Posted on 17 October 2019 4:36 pm
Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A)
This updated alert is a follow-up to the original alert titled ICS-ALERT-19-225-01 Mitsubishi Electric smartRTU and INEA ME-RTU that was published August 13, 2019, on the ICS webpage on us-cert.gov. CISA is aware of a public report of a proof-of-concept (PoC) exploit code vulnerability affecting Mitsubishi Electric smartRTU devices. According to this report, there are multiple vulnerabilities that could result in remote code execution with root privileges. CISA is issuing this alert to provide early notice of the report. More details.
Posted on 10 September 2019 2:30 pm
CAN Bus Network Implementation in Avionics
CISA is aware of a public report of insecure implementation of CAN bus networks affecting aircraft. According to this report, the CAN bus networks are exploitable when an attacker has unsupervised physical access to the aircraft. CISA is issuing this alert to provide early notice of the report. More details.
Posted on 30 July 2019 1:00 pm
AA19-168A: Microsoft Operating Systems BlueKeep Vulnerability
Original release date: June 17, 2019.

Summary. The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this Activity Alert to provide information on a vulnerability, known as “BlueKeep,” that exists in the following Microsoft Windows Operating Systems (OSs), including both 32- and 64-bit versions, as well as all Service Pack versions: Windows 2000, Windows Vista, Windows XP, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. An attacker can exploit this vulnerability to take control of an affected system.

Technical Details. BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system. According to Microsoft, an attacker can send specially crafted packets to one of these operating systems that has RDP enabled. After successfully sending the packets, the attacker would have the ability to perform a number of actions: adding accounts with full user rights; viewing, changing, or deleting data; or installing programs. This exploit, which requires no user interaction, must occur before authentication to be successful. BlueKeep is considered “wormable” because malware exploiting this vulnerability on a system could propagate to other vulnerable systems; thus, a BlueKeep exploit would be capable of rapidly spreading in a fashion similar to the WannaCry malware attacks of 2017. CISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep.

Mitigations. CISA encourages users and administrators to review the Microsoft Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708 and apply the appropriate mitigation measures as soon as possible: Install available patches... More details.
Posted on 17 June 2019 1:37 pm
DICOM Standard in Medical Devices
NCCIC is aware of a public report of a vulnerability in the DICOM (Digital Imaging and Communications in Medicine) standard with proof-of-concept (PoC) exploit code. The DICOM standard is the international standard to transmit, store, retrieve, print, process, and display medical imaging information. According to this report, the vulnerability is exploitable by embedding executable code into the 128-byte preamble. This report was released without coordination with NCCIC or any known vendor. More details.
Posted on 11 June 2019 4:15 pm
AA19-122A: New Exploits for Unsecure SAP Systems
Original release date: May 2, 2019 | Last revised: May 3, 2019.

Summary. The Cybersecurity and Infrastructure Security Agency (CISA) is issuing this activity alert in response to recently disclosed exploits that target unsecure configurations of SAP components. [1]

Technical Details. A presentation at the April 2019 Operation for Community Development and Empowerment (OPCDE) cybersecurity conference describes SAP systems with unsecure configurations exposed to the internet. Typically, SAP systems are not intended to be exposed to the internet as it is an untrusted network. Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed “10KBLAZE.” The presentation details the new exploit tools and reports on systems exposed to the internet.

SAP Gateway ACL. The SAP Gateway allows non-SAP applications to communicate with SAP applications. If SAP Gateway access control lists (ACLs) are not configured properly (e.g., gw/acl_mode = 0), anonymous users can run operating system (OS) commands. [2] According to the OPCDE presentation, about 900 U.S. internet-facing systems were detected in this vulnerable condition.

SAP Router secinfo. The SAP router is a program that helps connect SAP systems with external networks. The default secinfo configuration for a SAP Gateway allows any internal host to run OS commands anonymously. If an attacker can access a misconfigured SAP router, the router can act as an internal host and proxy the attacker’s requests, which may result in remote code execution. According to the OPCDE presentation, 1,181 SAP routers were exposed to the internet. It is unclear if the exposed systems were confirmed to be vulnerable or were simply running the SAP router service.

SAP Message Server. SAP Message Servers act as brokers between Application Servers (AS). By default, Message Servers listen on port 39XX and have no authentication... More details.
Posted on 2 May 2019 10:54 pm
AA19-024A: DNS Infrastructure Hijacking Campaign
Original release date: January 24, 2019 | Last revised: February 13, 2019.

Summary. The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below: IOCs (.csv), IOCs (.stix). Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses: 220.127.116.11, 18.104.22.168, 22.214.171.124.

Technical Details. Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data... More details.
Posted on 24 January 2019 8:01 pm
AA18-337A: SamSam Ransomware
Original release date: December 3, 2018.

Summary. The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of vulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides recommendations for prevention and mitigation. The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally. Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.

The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point. After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection... More details.
Posted on 3 December 2018 4:18 pm
TA18-331A: 3ve – Major Online Ad Fraud Operation
Original release date: November 27, 2018.

Systems Affected. Microsoft Windows.

Overview. This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Description. Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses.

Boaxxe/Miuref Malware. Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware. Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites... More details.
Posted on 27 November 2018 5:09 pm
AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide
Original release date: October 11, 2018. Summary. This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are: Remote Access Trojan: JBiFrost; Webshell: China Chopper; Credential Stealer: Mimikatz; Lateral Movement Framework: PowerShell Empire; C2 Obfuscation and Exfiltration: HUC Packet Transmitter. To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network. The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense. Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals. The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution. Experience from all our countries makes it clear that, while cyber threat actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated threat actor groups use common, publicly available tools to achieve their objectives. Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses... More details.
Posted on 11 October 2018 3:19 pm
TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers
Original release date: October 3, 2018. Systems Affected. Network Systems. Overview. The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents. Description. MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk. Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e... More details.
Posted on 3 October 2018 11:47 am
TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation
Original release date: October 3, 2018. Systems Affected. Network Systems. Overview. This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover. Description. APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials, remote-access logs, and controlling privileged access and remote access. Impact. APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth. Solution. Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response... More details.
Posted on 3 October 2018 11:00 am
TA18-275A: HIDDEN COBRA – FASTCash Campaign
Original release date: October 2, 2018 | Last revised: December 21, 2018. Systems Affected. Retail Payment Systems. Overview. This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra . FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims’ networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity. This TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the malware families associated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation. NCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis Report (MAR). MAR-10201537, HIDDEN COBRA FASTCash-Related Malware, examines the tactics, techniques, and procedures observed in the malware. Visit the MAR-10201537 page for the report and associated IOCs. Description. Since at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia... More details.
Posted on 2 October 2018 3:45 pm
Meltdown and Spectre Vulnerabilities (Update J)
This updated alert is a follow-up to the updated alert titled ICS-ALERT-18-011-01 Meltdown and Spectre Vulnerabilities (Update I) that was published September 11, 2018, on the NCCIC/ICS-CERT website. More details.
Posted on 11 January 2018 5:51 pm
NCCIC is aware of a public report of an improper authentication vulnerability affecting WAGO PFC200, a Programmable Logic Controller (PLC) device. According to this report, the vulnerability is exploitable by sending a TCP payload on the bound port. This report was released after attempted coordination with WAGO. NCCIC has notified the affected vendor of the report and has asked the vendor to confirm the vulnerability and identify mitigations. NCCIC is issuing this alert to provide notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. More details.
Posted on 7 December 2017 9:11 pm
Eaton ELCSoft Vulnerabilities
NCCIC/ICS-CERT is aware of a public report of buffer overflow vulnerabilities affecting Eaton ELCSoft, a PLC programming software for Eaton Logic Control (ELC) controllers. According to the public report, which was coordinated with ICS-CERT prior to its public release, researcher Ariele Caltabiano (kimiya) working with Trend Micro's Zero Day Initiative, identified that an attacker can leverage these vulnerabilities to execute arbitrary code in the context of the process. ICS-CERT has notified the affected vendor, who has reported that they are planning to address the vulnerabilities. No timeline has been provided. ICS-CERT is issuing this alert to provide notice of the report and to identify baseline mitigations for reducing risks to these and other cybersecurity attacks. More details.
Posted on 4 August 2017 7:11 pm
CAN Bus Standard Vulnerability
NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard with proof-of-concept (PoC) exploit code affecting CAN Bus, a broadcast-based network standard. According to the public report, which was coordinated with ICS-CERT prior to its public release, researchers Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero identified a vulnerability exploiting a weakness in the CAN protocol that allows an attacker to perform a denial-of-service (DoS) attack. More details.
Posted on 28 July 2017 7:34 pm
CRASHOVERRIDE, aka Industroyer, is the fourth family of malware publicly identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices. More details.
Posted on 25 July 2017 4:45 pm
Petya Malware Variant (Update C)
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01B Petya Malware Variant that was published July 5, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware. More details.
Posted on 30 June 2017 9:09 pm
Indicators Associated With WannaCry Ransomware (Update I)
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01H Indicators Associated With WannaCry Ransomware that was published May 31, 2017, on the NCCIC/ICS-CERT web site. More details.
Posted on 15 May 2017 11:16 pm