9283 8B4A 87FE DC6E C327 EF05 70A8 B78D 1623 3FB5

Infosec bits for week 13/18

Roderick Mooi

  1. Iranian Hackers Charged For Spree Of Attacks On Hundreds Of Universities
    - www.wired.com/story/iran-cyberattacks-us-universities-indictment/
    - Iranian Hackers Charged Last Week Were Actually Pretty Damn Good Phishers
  2. Facebook and Cambridge Analytica – What’s Happened So Far
    - How Cambridge Analytica used your Facebook data to help elect Trump* – the lesson here is what’s important – your convenience / privacy…
    - What lies beneath: The things Facebook knows go beyond user data
    - Facebook denies it collects call and SMS data from phones without permission
    - The Facebook Privacy Setting That Doesn’t Do Anything at All
    - Mozilla’s new Firefox extension keeps your Facebook data isolated to the social network itself
    - The Complete Guide to Facebook Privacy [or how to properly delete your account ;)]
  3. Facebook CISO Alex Stamos May Be Leaving the Company Later This Year
    - Here’s the key takeaway: “[Editor Comments] [Paller] I know of no other conflict that has caused as many CISOs to leave or be terminated than the question of how much to disclose in the aftermath of a breach. The only survival strategy we have seen is to find a way to keep the lawyer (and sometimes the communications director) out of the meetings. If that is possible, the CISO’s key job is to encourage senior executives to understand how little chance there is that the company will be able to keep a lid on the information and how much worse late disclosure is than early disclosure.”
  4. AMD Acknowledges Vulnerabilities, Will Roll Out Patches In Coming Weeks
    - community.amd.com/community/amd-corporate/blog/2018/03/21/initial-amd-technical-assessment-of-cts-labs-research
  5. Administrator’s Password Bad Practice [something to pass on to your admins] – note tips at end
  6. Automatic Hunting for Malicious Files Crossing your Network – featuring useful tools like MISP, Bro, Splunk and TheHive
  7. Hackers Infect Linux Servers With Monero Miner via 5-Year-Old [Cacti] Vulnerability
  8. Did the FBI engineer its iPhone encryption court showdown with Apple to force a precedent? Yes and no, say DoJ auditors
  9. DMARC 2.0? New BIMI standard will help fight spoofing and phishing
    - Universities Lag in DMARC Adoption sadly
  10. With cryptojacking rising, exploit kits rapidly decline
    - Monero cryptocurrency: Malware’s rising star
  11. And if you made it this far, you deserve something special – 780 Days in the Life of a Computer Worm

Infosec bytes for week 10/18

Roderick Mooi

  1. Information security tops the EDUCAUSE Top 10 IT Issues list for the third year in a row.
    - Find out what higher education IT leaders are saying about it.
  2. Developing a Risk-Based Security Strategy in Higher Education
  3. How to protect Office 365 data from ransomware attacks
  4. The Trouble with Phishing
  5. Cisco Report Finds Organizations Relying on Automated Cyber-Security
    - “There are a number of different things that organizations can do to improve cyber-security, including regular patching to mitigate known threats. Artes [Security Business Group Architect] said that organizations need to get the basic “blocking and tackling” of cyber-security in place, which includes patching, to form a basis for risk mitigation.”
    - www.cisco.com/c/en/us/products/security/security-reports.html
  6. Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions
    - securityintelligence.com/xmrig-father-zeus-of-cryptocurrency-mining-malware/
  7. How Did This Memcache Thing Happen?
    - blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
  8. It’s Hard To Change The Keys To The Internet And It Involves Destroying HSM’s
  9. Why Blockchain Will Serve New IT Purposes in 2018
  10. Encryption 101: a malware analyst’s primer

Infosec bits for week 02/18

Roderick Mooi

  1. Meltdown and Spectre Updates Causing Problems for Some Users
    - Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers
    - Warning: Microsoft Fix Freezes Some PCs With AMD Chips
    - Important: Windows security updates released January 3, 2018, and antivirus software
    - “We’ll display this in red so it sticks out. Do not run the .reg file unless you’ve confirmed with your AV vendor that they’re compatible with the Meltdown and Spectre patches.”
    - Intel Releases Linux CPU Microcodes To fix Meltdown & Spectre Bugs
    - Qualcomm joins Intel, Apple, Arm, AMD in confirming its CPUs suffer hack bugs, too
    - List of Meltdown and Spectre Vulnerability Advisories, Patches, & Updates + see the US-CERT advisory
    - How to Protect Your Devices Against Meltdown and Spectre Attacks
    - You could resort to running everything on Raspberry Pi’s ;) jaxenter.com/spectre-meltdown-not-raspberry-pi-140201.html
    - And for the curious… Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time
  2. WPA3 announced
    - With WPA3, Wi-Fi security is about to get a lot tougher
    - WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago
  3. MADIoT – The nightmare after XMAS
  4. The Week in Ransomware – January 5th 2018 – Slow For The Holidays
  5. Monero going after just about everything…
    - New sophisticated Malware campaign Leveraging NSA Exploits to Mine Monero on Windows and Linux Systems
    - Massive Brute-Force Attack Infects WordPress Sites with Monero Miners
    - WebLogic Flaw Used to Install Monero Crypto Coin Miner + Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Servers
    - Miner blacklist
  6. Python-Based Botnet Targets Linux Systems with Exposed SSH Ports
  7. Hundreds of GPS Location Tracking Services Leaving User Data Open to Hackers
  8. Some news from December (worth mentioning):
    1. Stanford University executive leaves job after huge data breach
      - Stanford U. official ousted after keeping quiet about huge exposure of sensitive data
    2. Firewall Bursting: A New Approach to Better Branch Security
    3. Microsoft Word slams the door on DDEAUTO malware attacks
    4. Three More WordPress Plugins Found Hiding a Backdoor
      - www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/

Infosec bits for weeks 48-49/17

Roderick Mooi

  1. US-CERT TA14-017A: UDP-Based Amplification Attacks – updated
    - Good background, detection methods and mitigation advice
    - CLDAP attacks have moved up to no. 3
  2. Google study finds phishing attacks more efficient than data breaches
    - www.scmagazine.com/google-study-finds-250000-web-credentials-stolen-every-week/article/706810/
    - www.zdnet.com/article/google-our-hunt-for-hackers-reveals-phishing-is-far-deadlier-than-data-breaches/
  3. Intel Releases Firmware Updates for Multiple Vulnerabilities
    - www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability
    - www.theregister.co.uk/2017/11/23/intel_firmware_fixes_slow_to_arrive/
    - www.bleepingcomputer.com/news/hardware/dell-other-vendors-start-shipping-laptops-with-intel-me-firmware-disabled/
  4. Patches Available for Samba Vulnerabilities
    - Patch your embedded devices (or any others using samba) and/or disable SMB1
    - blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
    - redmondmag.com/articles/2017/05/18/more-advice-on-disabling-windows-smb-1.aspx
    - Remember to check your printers!
  5. Microsoft Office Equation Editor Flaw is Already Being Exploited
  6. Malicious Document Turns Off Word Macro Protections
  7. GitHub: Introducing security alerts on GitHub
  8. AWS Bucket Misconfiguration Exposes Classified NSA Data
    - Key takeaway: Use Amazon’s free vulnerability assessment service for the first 90 days while you implement a plan to extend your own vulnerability management solution to include the new AWS bucket
  9. Enable First-Party Isolation (FPI) on FireFox to further block trackers from adding to your online profile
  10. FaceID Beaten By Mask
  11. ‘Pop-Unders’ used to Launch Hidden, Persistent Cryptocurrency Miners
    - www.bleepingcomputer.com/news/security/cryptojacking-script-continues-to-operate-after-users-close-their-browser/
    - isc.sans.edu/forums/diary/9+Fast+and+Easy+Ways+To+Lose+Your+Crypto+Coins/23071/
  12. Prison hacker who tried to free friend now likely to join him inside!

Infosec bits for week 45/17

Roderick Mooi

  1. A look into the global ‘drive-by cryptocurrency mining’ phenomenon
  2. New Amazon S3 Encryption & Security Features
    - including Default Encryption, Permission Checks, Cross-Region Replication ACL Overwrite, Cross-Region Replication with KMS and Detailed Inventory Report
  3. Google releases KRACK patches for Android
  4. Microsoft Provides Guidance on Mitigating DDE Attacks
    - technet.microsoft.com/library/security/4053440
    - Note A: “Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry”
    - Note B: “Users of the Windows 10 Fall Creator Update can leverage Windows Defender Exploit Guard to block DDE-based malware with Attack Surface Reduction (ASR). Attack Surface Reduction is a component within Windows Defender Exploit Guard that provides enterprises with a set of built-in intelligence that can block the underlying behaviors used by malicious documents to execute attacks without hindering product operation. By blocking malicious behaviors independent of what the threat or exploit is, ASR can protect enterprises from never-before-seen zero-day attacks like these recently discovered vulnerabilities: CVE-2017-8759, CVE-2017-11292, and CVE-2017-11826.”
  5. Half of people plug in USB drives they find in the parking lot
    - scary, but a nice (safe and non-intrusive) way to test how many get plugged in
  6. Stop relying on file extensions
  7. Honey Accounts
    - an interesting (and easy to implement) approach for early detection of malicious activity utilising AD
  8. Factsheet Post-quantum cryptography – start planning today!
    - TL;DR : use min 256 bit keys for AES; RSA, ECDSA and DH not secure when quantum comes into play; use SPHINCS-256/XMSS for stateless/stateful digital signatures

Infosec chews for geeks 45/17

Roderick Mooi

  1. High-Level Approaches for Finding Vulnerabilities
  2. Reverse Engineering & Exploitation of a “Connected Alarm Clock”
    - “This article describes my journey into the Aura, from firmware image grabbing to remote buffer overflow exploitation.”
  3. Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs
  4. An (un)documented Word feature abused by attackers
  5. How I hacked Google’s bug tracking system itself for $15,600 in bounties
  6. Defeating Google’s audio reCaptcha with 85% accuracy
  7. Analysing a Cryptocurrency phishing attack that earns $15K in two hours
  8. Hacking Cryptocurrency Miners with OSINT Techniques
  9. CryptoShuffler: Trojan stole $140,000 in Bitcoin
  10. Linux kernel: multiple vulnerabilities in the USB subsystem
    - should be fun to try…
  11. Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB
  12. YARA: The pattern matching swiss knife for malware researchers
  13. PoC||GTFO PASTOR LAPHROAIG RACES THE RUNTIME RELINKER

WordPress 4.8.3 Security Release

Roderick Mooi

  1. WordPress 4.8.3 Security Release
    - Fixes an issue leading to potential SQL injection (SQLi) (via themes/plugins)
    - “Ferrara … disputes that the WordPress core is not directly affected”
    - While you’re here:
    1. Check your WordPress site for vulnerabilities: wpscans.com/
    2. Enable/Verify automatic updates of WordPress and plugins (or at least email you when updates are available)
      1. WordPress.org: Configuring Automatic Background Updates – note: only minor updates by default
      2. WordPress Upgrade shell Script – plugins, themes, crontab and more! (at own risk – review the code before use)
    3. Other ideas for securing WordPress

DUHK Attack

Roderick Mooi

  1. Don’t Use Hard-coded Keys
    - “DUHK is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key…DUHK allows attackers to recover secret encryption keys from vulnerable implementations and decrypt and read communications passing over VPN connections or encrypted web sessions.”
    - If you are using any of the following, ensure you’re on the latest firmware to mitigate:
  • Fortinet FortiOS v4 (v5 is not vulnerable)
  • Cisco Aironet
  • BeCrypt Cryptographic Library
  • DeltaCrypt FIPS Module
  • MRV LX-4000T/LX-8020S
  • Neoscale CryptoStor
  • Neopost Security Devices
  • Renesas AE57C1
  • TechGuard PoliWall-CCF
  • Tendyron OnKey193
  • ViaSat FlagStone Core
  • Vocera Cryptographic Module

Bad Rabbit

Roderick Mooi

  1. Bad Rabbit also utilised EternalRomance – NSA leaked / Microsoft SMB / Patch: MS17-010
    - Ever get pop-ups saying Flash / Java, etc. needs to be updated when you browse to a site?
    - “The majority of servers and websites that supported Bad Rabbit activity appear to have been shut down, just a day after reports of the ransomware campaign emerged. Bad Rabbit affected computers in Russia and Ukraine earlier this week. The malware was spread largely through watering hole attacks that pushed out phony Flash updates that execute a dropper on infected machines. According to several research firms, there is evidence that suggests Bad Rabbit may have a connection to Petya and NotPetya.” – www.sans.org/newsletters/newsbites/xix/85#304
    - One more reason why we should be happy that flash is dying – RIP
    - Further reading:
    1. Rough summary of developing BadRabbit info
    2. Bad Rabbit: Ten things you need to know about the latest ransomware outbreak
    3. Kaspersky: Bad Rabbit ransomware
    4. Reuters Exclusive: Ukraine hit by stealthier phishing attacks during BadRabbit strike