C410 A2BE CB73 EF77 746E 9682 E2C4 91CE D20D 800F

Bad Rabbit

Roderick Mooi

  1. Bad Rabbit also utilised EternalRomance – NSA leaked / Microsoft SMB / Patch: MS17-010
    - Ever get pop-ups saying Flash / Java, etc. needs to be updated when you browse to a site?
    - “The majority of servers and websites that supported Bad Rabbit activity appear to have been shut down, just a day after reports of the ransomware campaign emerged. Bad Rabbit affected computers in Russia and Ukraine earlier this week. The malware was spread largely through watering hole attacks that pushed out phony Flash updates that execute a dropper on infected machines. According to several research firms, there is evidence that suggests Bad Rabbit may have a connection to Petya and NotPetya.” – www.sans.org/newsletters/newsbites/xix/85#304
    - One more reason why we should be happy that flash is dying – RIP
    - Further reading:
    1. Rough summary of developing BadRabbit info
    2. Bad Rabbit: Ten things you need to know about the latest ransomware outbreak
    3. Kaspersky: Bad Rabbit ransomware
    4. Reuters Exclusive: Ukraine hit by stealthier phishing attacks during BadRabbit strike

Infosec bits for week 44/17

Roderick Mooi

  1. If your standard organisational image isn’t Windows 10 – here’s another good reason why it should be ;)
    - Windows 10 tip: Turn on the new anti-ransomware features in the Fall Creators Update
    - Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta
  2. 59% of Employees Hit by Ransomware at Work Paid Ransom Out of Their Own Pockets!
    - Note: “31% of respondents also admitted to not knowing about ransomware before participating in cyber threat training sessions” – now is the time to educate
    - Includes a guide to ransomware protection
  3. D-Link MEA Site Caught Running Cryptocurrency Mining Script—Or Was It Hacked?
    - Use browser plugins like NoScript and RequestPolicy to add an extra layer of end user protection
  4. Hacking Cryptocurrency Miners with OSINT Techniques
    - What is lurking on your infrastructure?
  5. Understanding the General Data Protection Regulation – Free MOOC by University of Groningen (starts 13 November)!
  6. Securing SSH on Cisco IOS
  7. How I Socially Engineer Myself Into High Security Facilities
  8. Project Loon Bringing Emergency Internet to Puerto Rico
    (while not directly infosec related – this is cool! :))
    - Turning on Project Loon in Puerto Rico

Infosec chews for geeks 43/17

Roderick Mooi

  1. Bypassing Intel Boot Guard
  2. Someone Created a Tor Hidden Service to Phish my Tor Hidden Service
  3. Testing Security Keys
  4. Investigating Security Incidents with Passive DNS
  5. Macro-less Code Exec in MSWord / Abusing Microsoft Office DDE (incl reg entries to disable DDEAUTO)
    - reports of “in the wild” exploitation 15/10/2017 and new crypto worm 24/10/2017!
    - e.g. securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/ (7/11)
    - Microsoft advisory (incl KB3123630) 10/10/2017 for patches
    - 0patching the Office DDE / DDEAUTO Vulnerability… ehm… Feature
    — (note that, similar to the MS advisory “workarounds”, this might break functionality – e.g. Excel auto-updating of externally linked cells)
  6. Peeking into .msg files
  7. It’s in the signature
  8. Attacking a co-hosted VM: A hacker, a hammer and two memory modules
  9. Microsoft VulnScan – Automated Triage and Root Cause Analysis of Memory Corruption Issues
  10. (Ok so Google is picking on all the competition but these are still interesting…)
    1. Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs
    2. Over The Air – Vol. 2, Pt. 3: Exploiting The Wi-Fi Stack on Apple Devices

Enjoy and feel free to share your own with csirt AT sanren . ac za

Infosec bits for week 42/17

Roderick Mooi

  1. Master Deeds data leak – our very own Equifax!
    1. www.iafrikan.com/2017/10/18/south-africas-govault-hacked-over-30-million-personal-records-leaked/
    2. Find out whether your PII is included on (odds are good considering 66 million records):
      - haveibeenpwned.com/ (try all your past and present email addresses)
      (Compromised data includes: Government issued IDs, Dates of birth, Deceased statuses, Email addresses, Employers, Ethnicities, Genders, Home ownership statuses, Job titles, Names, Nationalities, Phone numbers, Physical addresses)
    3. Interesting follow up: www.iol.co.za/business-report/real-estate-company-admits-to-being-source-of-dataleaks-11627034
    4. Now what? Will we all get new IDs? (we should! – maybe we should ask…)
    5. SA Data Leak Survival Guide (courtesy of Wolfpack Information Risk)
  2. Key Reinstallation Attack
    - “KRACK affects both WPA and WPA2 in both Pre-Shared Key and Enterprise modes. While the attack is damaging to clients by delivering a MiTM attack, no “official” attack tools have been seen. The methods for delivering the KRACK attack require technical expertise, rely on specific timing, and can be subject to failure due to the operation of 802.11 as a whole. Now is the time to get our “houses in order” by patching access points (APs) and clients (especially Android) when they are available, enabling robust wireless rogue AP detection, WIPS, and leveraging secure MiTM resistant protocols such as SSL/TLS and IPSEC VPNs in addition to WiFi encryption such as continued use of WPA2.” – Larry Pesce (SANS NewsBites Vol. 19 Num. 083)
    1. What to communicate?
    2. Vendor advisories / patches
    3. More info:
      1. What You Should Know About the ‘KRACK’ WiFi Security Weakness
        - Key takeaways: “To my mind, those most at risk from this vulnerability are organizations that have not done a good job separating their wireless networks from their enterprise, wired networks.
        I don’t see this becoming a major threat to most users unless and until we start seeing the availability of easy-to-use attack tools to exploit this flaw…
        From reading the advisory on this flaw, it appears that the most recent versions of Windows and Apple’s iOS are either not vulnerable to this flaw or are only exposed in very specific circumstances. Android devices, on the other hand, are likely going to need some patching, and soon.” – Brian Krebs
      2. WPA2 Key Reinstallation Vulnerabilities (KRACK) Explained
      3. eduroam advisory: Key Reinstallation Attack and WPA2
  3. Google Home Mini spying 24/7
  4. Beware of sketchy iOS popups that want your Apple ID
  5. What’s in a cable? The dangers of unauthorized cables
  6. DoubleLocker: Innovative Android Ransomware
  7. Fake Crypto: Microsoft Outlook S/MIME Cleartext Disclosure
  8. “If you haven’t implemented DMARC you are missing a chance to become a hero in your organization.” – “It’s a game changer in stopping people from spoofing email from your site.” – Paller

Infosec bits for week 40/17

Roderick Mooi

  1. Cyber Security Awareness month – SANS Resources
    1. 2017 Security Awareness report: It’s time to communicate – “Learn the latest trends and lessons learned in building mature awareness programs from over 1,000 security awareness professionals.”
    2. Selected issues from SANS OUCH!
      - Lessons from wannacry
      - Passphrases
  2. Vulnerabilities in Dnsmasq – update now
    - “Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot… Dnsmasq is widely used both on the open internet and internally in private networks.” [*BSD / Linux / Android]
  3. Cloud (In)Security Surprise
    - see opening note by Alan on the considerations and responsibilities. So, who wants to be a “CAO” :-#
  4. Encrypted Web (HTTPS) traffic interception
    - consider the implications…
  5. How I hacked hundreds of companies through their helpdesk
    - (/support portal/Yammer/Slack/others)
  6. The easy way to analyze huge amounts of PCAP data – using Moloch and ElasticSearch
    - “When you are investigating a security incident, there are chances that, at a certain point, you will have to dive into network traffic analysis. If you’re lucky, you’ll have access to a network capture.” Read on for how to analyse it…
  7. security@xyz.ac.za, abuse@xyz.ac.za…
    - Do you have/need these addresses and who monitors?
    - What about the necessary processes, etc.?
    ref: www.ietf.org/rfc/rfc2142.txt – [Page 2]
    ref: www.ietf.org/id/draft-foudil-securitytxt-00.txt (A Method for Web Security Policies – draft)
  8. 7 in 10 smartphone apps share your data with third-party services
    - An interesting read and nice tool to track what PII is being shared from your own device

Cyber Security Awareness Month Resources

Roderick Mooi

Infosec bits for weeks 36,37/17

Roderick Mooi

  1. MongoDB Databases Targeted in Ransomware Attacks [again] , facilitated by unprotected admin accounts
    - “According to MongoDB’s Senior Director of Product Security, the ransomware attacks that recently targeted MongoDB databases were successful because administrator account passwords had not been set. MongoDB plans to strengthen security policies in the upcoming MongoDB 3.6.0 release.”
    ref: www.sans.org/newsletters/newsbites/xix/71#300 , www.sans.org/newsletters/newsbites/xix/72#301
    - And advice from the MongoDB themselves on what to do about it and how to secure your installation:
    1. www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
    2. www.mongodb.com/blog/post/update-how-to-avoid-a-malicious-attack-that-ransoms-your-data
  2. NIST SP 1800-11 – Data Integrity: Recovering from Ransomware and Other Destructive Events
    - This 3-volume special publication “demonstrates how organizations can develop and implement appropriate actions following a detected cybersecurity event” and includes: a. Executive summary, b. Approach, architecture and security characteristics, and c. How-to guides
    ref: www.sans.org/newsletters/newsbites/xix/71#301
  3. ‘;—have i been pwned?
    - Verify if your email/username was in LinkedIn, Dropbox, MySpace, etc. breaches and your need to change your password (or take other appropriate action)

Next month (October) is Cyber Security Awareness Month. Look out for our next post with more information and resources…

Infosec bits for week 35/17

Roderick Mooi

  1. Massive Email Campaign Sends Locky Ransomware to Over 23 Million Users
    - New variants of Locky – A reminder that ransomware mitigation needs to be high up on our risk/threat priorities
    thehackernews.com/2017/08/locky-ransomware-emails.html
    www.zdnet.com/article/locky-ransomware-is-back-from-the-dead-again-with-new-diablo-variant/
    - See also: csirt.sanren.ac.za/posts/160302-rm-locky.html
  2. POPI and GDPR worthwhile reads from IT News Africa:
    1. PoPI will enable better information management
      www.itnewsafrica.com/2017/08/popi-will-enable-better-information-management/
    2. SA’s POPI Act has a bigger, foreign brother you must meet
      www.itnewsafrica.com/2017/08/sas-popi-act-has-a-bigger-foreign-brother-you-must-meet/
    3. South Africa Prepares For The Big Data Protection Shake Up
      www.itnewsafrica.com/2017/08/south-africa-prepares-for-the-big-data-protection-shake-up/
  3. Event: 5th CyberCon Africa – 16-17 Oct 2017, Joburg – “Africa Under Attack!”
    - How prepared are we? Real-life scenarios and simulations to test and improve our readiness to large scale cyber attacks structured according to the NIST Cybersecurity Framework.
    www.cyberconafrica.org/
    - “This is the definitive event for all cyber security industry professionals, which will leave delegates equipped to prepare for cyber attacks. The theme for this year is Africa Under Attack. The focus is to unite all industry sectors as well as skills and resources in order to protect Africa’s Critical Infrastructure from a large scale cyber attack. This year we are utilising a more hands on, interactive approach, with real life scenarios and simulations being played out.”
  4. Oops! WikiLeaks Website Defaced By OurMine
    - Important takeaway: “There is no indication of WikiLeaks servers and website been compromised, instead it seems their website has been redirected to a hacker-controlled server using DNS poisoning attack.”
    thehackernews.com/2017/08/ourmine-wikileaks.html
    - See also: Global Measurement of DNS Manipulation (research paper)
    people.eecs.berkeley.edu/~pearce/papers/dns_usenix_2017.pdf
  5. How to prepare for and what to do if your laptop is stolen
    - A reminder of good practices such as: using full drive encryption, regular and secure backups, resetting all passwords (if stolen) and less obvious ones like turning it off while stored/travelling
    www.htxt.co.za/2017/08/14/when-thieves-strike-tips-and-tricks-on-what-can-be-done-if-your-laptop-is-ever-stolen/ (hope you’re using an ad blocker :#)
    - See also NIST revised password recommendations @: csirt.sanren.ac.za/posts/news-for-week-33-17.html (top post)

Infosec bits for week 34/17

Roderick Mooi

  1. EDUCAUSE – Security Matters
    - Everything related to information security, privacy, and risk in higher education.
    Including:
    1. GDPR: A Data Regulation to Watch
    2. Creating an Anti-Phishing Campaign on a Small Budget
    3. Stay Ahead of Security Threats with a 7-Step Incident Response Plan
  2. DNSSEC Key Signing Key Rollover
    - DNS admins remember: “On October 11, 2017, the Internet Corporation for Assigned Names and Numbers (ICANN) will be changing the Root Zone Key Signing Key (KSK) used in the domain name system (DNS) Security Extensions (DNSSEC) protocol.”
    ref: www.us-cert.gov/ncas/current-activity/2017/08/21/DNSSEC-Key-Signing-Key-Rollover-0
  3. Cybersecurity: the Hottest New Major In College
    ref: SANS NewsBites Vol. 19 Num. 65
  4. Drupal Security Update, Fixes 3 Vulnerabilities
    - “Because a CMS runs with the permissions to update and configure the web site, it contains the keys to its own destruction. When using one, you also need a corresponding proactive update, monitoring and minimal extension posture to reduce the risks of exploit. “ – Neely (ed.)
    ref: SANS NewsBites Vol. 19 Num. 66
  5. SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension
    - Images with Embedded Ransomware Evade Antivirus Detection
  6. It’s not an invoice…
    - Step-by-step analysis of a malicious word doc
  7. Why It’s Still A Bad Idea to Post or Trash Your Airline Boarding Pass

Till next week Stop.Think.Connect :)

Infosec bits for week 33/17

Roderick Mooi

  1. NIST releases revised strong password recommendations
    - The new guidelines recommend passphrases over shorter passwords with special characters, and changing them only if there is evidence of compromise.
    nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
    pages.nist.gov/800-63-3/sp800-63-3.html
    www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118 (sign-in required)
    xkcd.com/936/
    Choosing strong passwords
    Generating Rememberable Passwords
  2. Implementing the NIST Security Framework? Consider looking at these.
    - The Australian “Essential Eight” or Critical Security Controls “Top 5” will help to prioritise your first actions.
    asd.gov.au/publications/protect/essential-eight-maturity-model.htm
    www.cisecurity.org/controls/
  3. Phishing
    - From SANS NewsBites Vol. 19 Num. 064: “Both the 2016 and 2017 SANS Threat Landscape Surveys found phishing, including spearphishing and whaling, was the top way threats enter organizations. While the most common response to reduce the risk is enhanced user training, technical countermeasures are also needed. Google added anti-phishing features to Gmail earlier this year and are now extending them to the mobile user…” – Neely
  4. Windows Search Bug worth watching, and squashing
    - Apply the patch now for a critical Windows Search privilege escalation and RCE vulnerability (or disable the WSearch service)
    threatpost.com/windows-search-bug-worth-watching-and-squashing/127434/
    portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8620
  5. Outlook Web Access based attacks
    - Multi-factor authentication can help
    isc.sans.edu/forums/diary/Outlook+Web+Access+based+attacks/22710/
  6. Checking for Breached Passwords in Active Directory
    - Utility using lists from HaveIBeenPwned to verify whether passwords have been breached
    jacksonvd.com/checking-for-breached-passwords-in-active-directory/
  7. Microsoft Joins Google/Mozilla in Banishing WoSign and StartCom From Trusted CA List
    - Microsoft to remove WoSign and StartCom certificates in Windows 10
    blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/
  8. Compromise On Checkout – Vulnerabilities in SCM Tools
    - RCE utilising ssh:// links in Git, SVN and Mercurial
    blog.recurity-labs.com/2017-08-10/scm-vulns
  9. The Good Phishing Email
    - Proper email headers for phishing awareness exercises
    isc.sans.edu/forums/diary/The+Good+Phishing+Email/22712/
  10. Beware of Security by Press Release
    - On “smoke and mirrors” vulnerabilities…
    krebsonsecurity.com/2017/08/beware-of-security-by-press-release/