BF-SIRT Newsletter 2015-17

Welcome to the newsletter! This week you can read about how Cash register maker used same password – 166816 – non-stop since 1990, and multiple stories about APTs such as The CozyDuke APT.

In other news, you can find articles about how Taking Down Fraud Sites is Whac-a-Mole, and that Google shuts off NPAPI in Chrome.

Top 5 Security links
The CozyDuke APT
Pawn Storm cyberspies still at work, target NATO and the White House
Your city’s not smart if it’s vulnerable, says hacker
Russian APT group actively exploiting Flash, Windows 0-day flaws
Cash register maker used same password – 166816 – non-stop since 1990

Top 5 Business Intelligence links
Taking Down Fraud Sites is Whac-a-Mole
Iran Increasing Both Sophistication and Frequency of Cyber Attacks
Google Shuts Off NPAPI in Chrome
Netflix’s house of cards to be fortified with HTTPS appliance
Nork hackers no pantomime villains, but a hugely unpredictable menace

BF-SIRT Newsletter 2015-16

Head news this week is of course MS15-034, which we’ve also covered in our own blog. Those who still haven’t patched are advised to do so as soon as possible to avoid falling victim to this attack. There’s also been Patch Tuesday for April 2015 this month, with patches from Microsoft, Oracle and Adobe.

In other news, a majority of orgs anticipate attacks, but one-third can’t find security talent, and security companies have also started releasing their yearly threat reports; amongst them Verizon’s, which states that phishing, RAM scrapers and web app insecurity were the main sources of data breaches during 2014.

Top 5 Security links
MS15-034: HTTP.sys (IIS) DoS And Possible Remote Code Execution. PATCH NOW
Don’t Be Fodder for China’s ‘Great Cannon’
Police operation disrupts Beebone botnet used for malware distribution
Coordinated Takedown Puts End to Simda Botnet
Russia pulls alleged ‘Svpeng’ kingpin

Top 5 Business Intelligence links
Majority of Orgs Anticipate Attacks, But One-Third Can’t Find Security Talent
FireEye Uncovers Decade-Long Cyber Espionage Campaign Targeting South East Asia
Symantec 2015 Internet Security Threat Report
Verizon 2015 Data Breach Investigation Report
Microsoft MS15-034 (HTTP.sys DoS, Memory Disclosure and potential Remote Code Execution)
Patch Tuesday April 2015

Microsoft MS15-034 (HTTP.sys DoS, Memory Disclosure and potential Remote Code Execution)

As mentioned in our post for Patch Tuesday April 2015, MS15-034 now has a working exploit which causes a DoS on unpatched Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2, if they are running a service that uses IIS (or any other service using HTTP.sys) and have kernel caching turned on (which it is by default).

This DoS is extremely simple to trigger (a single curl/wget request is enough), and it will leave your server with a BSOD.

Update: It seems that this issue also allows information disclosure, à la Heartbleed. With small modifications to yesterday’s published exploit one can disclose memory regions from a vulnerable server.
There have also been rumours that Exchange servers with Autodiscover turned on are vulnerable to DNS hijacking/corruption.

There are various ways to see if you are vulnerable, but they are not fool-proof, and because of this it is strongly advised to simply apply the patch.

It is just a matter of time now before a remote code execution exploit is released, which would let an attacker take control of your server, so do not wait to patch your systems.
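As an added example (not part of the original post, and not Microsoft’s own guidance), the PowerShell snippet below checks the two conditions the post names on a Windows/IIS host: whether the MS15-034 update is installed, and whether IIS kernel caching is enabled. It assumes an elevated session on one of the Windows versions listed above with the IIS WebAdministration module present, and that `KB_PLACEHOLDER` is replaced with the KB number Microsoft’s bulletin gives for that OS (the number is deliberately not hard-coded here). The optional kernel-cache switch only removes the condition the post says the DoS needs; it is a stopgap with a performance cost and does nothing for non-IIS services that register with HTTP.sys, so it is not a substitute for the patch.

```powershell
# Added example: MS15-034 exposure check for an IIS host.
# Assumptions: run elevated; WebAdministration module available (ships with the
# IIS role); $Kb replaced with the KB number from Microsoft's MS15-034 bulletin.
param(
    [string]$Kb = 'KB_PLACEHOLDER',        # placeholder - take the real value from the bulletin
    [switch]$DisableKernelCacheIfUnpatched  # opt-in stopgap, see note above
)

# 1. Is the MS15-034 update present? Get-HotFix reads the installed-updates list.
$patch = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($patch) {
    Write-Output "MS15-034 update $Kb installed on $($patch.InstalledOn)"
} else {
    Write-Warning "MS15-034 update $Kb NOT found on this host"
}

# 2. Is IIS kernel caching on? The post notes the DoS requires it (default: on).
Import-Module WebAdministration
$cacheSetting = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/caching' -Name 'enableKernelCache'
$kernelCacheOn = [bool]$cacheSetting.Value
Write-Output "IIS kernel caching enabled: $kernelCacheOn"

# 3. Summarise exposure; only an unpatched host with kernel caching on matches
#    the condition described in the post.
if (-not $patch -and $kernelCacheOn) {
    Write-Warning 'Host is unpatched AND kernel caching is on: exposed to the MS15-034 DoS. Patch now.'

    # Optional stopgap: turn kernel caching off at the server level until the
    # patch is applied. Costs performance and does not cover non-IIS HTTP.sys users.
    if ($DisableKernelCacheIfUnpatched) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter 'system.webServer/caching' -Name 'enableKernelCache' -Value $false
        Write-Output 'Kernel caching disabled as a temporary mitigation; still apply the patch.'
    }
} elseif ($patch) {
    Write-Output 'Host is patched; kernel caching can stay on.'
} else {
    Write-Warning 'Unpatched, but kernel caching is off. Patch anyway: other HTTP.sys consumers are not covered by this check.'
}
```

Run it as `.\Check-MS15034.ps1 -Kb <number from the bulletin>` to report only, or add `-DisableKernelCacheIfUnpatched` to apply the stopgap on hosts that cannot be patched immediately. Remember to re-enable kernel caching once the update is installed.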

Patch Tuesday April 2015

Another month, another patch Tuesday!

Microsoft released a large number of updates, some of which require special attention. One of these deals with an issue in http.sys, meaning that a lot of Internet-facing services may end up being exploited unless patched, as the vulnerability is a remote code execution vulnerability. Many other issues are also covered, with some additional ones also being remote code execution vulnerabilities. Due to this, we cannot stress enough the need to apply these patches without waiting too long.

Oracle has also released updates for their large software catalogue, which, for example, fix vulnerabilities in their Java and database software. You’re highly advised to check the link below to see if any of the software you’re using is vulnerable.

Adobe also released patches, fixing critical issues that are currently being exploited in the wild. Fixes went out for Flash, ColdFusion and Flex. Make sure you keep your computers and servers up-to-date with these patches.

More information
Microsoft
Oracle
Adobe Flash
Adobe ColdFusion
Adobe Flex

BF-SIRT Newsletter 2015-15

Welcome back from the Easter holidays! This week we cover stories such as how Silk Road investigators are being charged with stealing bitcoin, and how Islamist hackers took French broadcaster TV5Monde off air.

In other news, you can read how Hackers are selling Uber credentials on underground markets, and you can also read about what can happen with stolen data after a breach.

Top 5 Security links
Silk Road investigators charged with stealing bitcoin
Day FOUR of the GitHub web assault: Activists point fingers at ‘China’s global censorship’
Audit Concludes No Backdoors in TrueCrypt
Anonabox Analysis
Islamist hackers take French broadcaster TV5Monde off air

Top 5 Business Intelligence links
What happens to data after a breach?
Most top corporates still Heartbleeding over the Internet
Hackers Selling Uber Credentials on Underground Market
How the U.S. thinks Russians hacked the White House
Stuxnet Five Years Later: Did We Learn The Right Lesson?

BF-SIRT Newsletter 2015-13

Welcome to another edition of the newsletter! This week we cover stories such as how 15,435 vulnerabilities across 3,870 applications were recorded in 2014, and a hunt for malware on the Deep Web.

In other news, monetizing medical data is expected to become the next revenue stream for hackers, and there is a brief story on how cybercriminals trick their victims.

Top 5 Security links
15,435 vulnerabilities across 3,870 applications were recorded in 2014
Hunting Down Malware on the Deep Web
New BIOS Implant, Vulnerability Discovery Tool to Debut at CanSecWest
Operation Woolen-Goldfish: When Kittens Go Phishing
NYPD union website hacked

Top 5 Business Intelligence links
Monetizing medical data is becoming the next revenue stream for hackers
Hacking Humans: How Cybercriminals Trick Their Victims
Chinese Military Acknowledges Cyber Warfare Units
South Korea claims North hacked nuclear data
Kreditech Investigates Insider Breach

Demand for Information Security skills keeps rising

A few days ago, InterQuest released an interesting report on how they are seeing the demand for information security skills keep rising.

They’ve predicted that in 2015 there will be an increasing demand for the development of the information security profession on a political, economic and organisational level. InterQuest also notes that the security industry must change its model from being reactive to threats to being proactive about developing to meet the security demands of organisations today.

InterQuest goes on to give an example of their own growth after putting resources into a security division of their company:
“Just over two years ago, InterQuest established a small information security recruitment division aimed at helping users of our specialist recruitment practices – analytics, digital and web technologies – connect with talent to support their information security requirements. This once small division has grown and been the source of significant investment by the Group, as it responds to the upswing in demand and professionally represents candidates in a market largely misunderstood by more generic recruiters.”

With the latest breaches that have happened, it’s no surprise that “Network and Information Security” is now in the top 7 of sought-after skills, and is set to climb higher and higher:
“The string of high profile breaches confirms that the information security industry has a significant task on its hands, a task which has become mission critical for many organisations and a source of growing urgency.
The information security industry has evolved predominantly in reaction to threats rather than proactively developing the profession leading to a generational gap. The Information Systems Securities Association (ISSA) estimates there are between 300,000 and 1,000,000 vacant cyber security positions. Further, LinkedIn recently released a list of the 25 most in demand skills. The list is based on hiring and recruiting activity, analysing the skills and experience data of over 330 million LinkedIn member profiles. “Network and information security” skills are 7th on the UK list and set to soar higher as demand increases further.”

The full story can be found at http://www.interquestgroup.com/corporate/blog/information-security-the-impact-of-the-breach-in-skills.

BF-SIRT Newsletter 2015-12

Welcome to another edition of the newsletter! This week we cover stories such as how Dark Web’s ‘Evolution Market’ Vanishes and of course the dreaded OpenSSL Security Advisory [19 Mar 2015] – and those using the EXPORT cipher and/or are running 1.0.2 should make sure they correct their systems as soon as possible.

In other news, health insurer Premera Blue Cross said on Tuesday it was a victim of a cyberattack that may have exposed medical data and financial information of 11 million customers, and a report showing how 71 percent of organizations were successfully attacked in 2014. To top that off, there’s also a study from insurance brokerage AON on how much said breach will cost your company.

Top 5 Security links
New BIOS Implant, Vulnerability Discovery Tool to Debut at CanSecWest
Apple iOS Hardware Assisted Screenlock Bruteforce
OpenSSL Security Advisory [19 Mar 2015]
‘AntiDetect’ Helps Thieves Hide Digital Fingerprints
Dark Web’s ‘Evolution Market’ Vanishes

Top 5 Business Intelligence links
Report: 71 percent of orgs were successfully attacked in 2014
This is how much a data breach will cost your company
Premera Blue Cross breached, medical information exposed
Security Pros Say the Pressure is On
Yeti still Crouching in the Forest

BF-SIRT Newsletter 2015-11

Welcome to another edition of the newsletter! This week we cover stories such as how Google engineers created the Rowhammer hardware exploit and how two people have been indicted for stealing 1 billion email addresses in a historic breach. We also cover how CloudFlare aims to defeat massive DDoS attacks with Virtual DNS, and the ever-growing market of using ad bidding networks to deliver ransomware.

Amongst the Windows updates this month was a fix for FREAK, and it also turned out that the vulnerability Stuxnet used previously, which was thought to have been patched since 2010, actually wasn’t, so Microsoft updated this patch as well.

Top 5 Security links
Self-deleting malware targets home routers to gather information
Equation APT Group Attack Platform A Study in Stealth
Rowhammer Hardware Exploit Poses Threat to DRAM Memory in Many Laptops, PCs
UK: 57 arrested for cyber crime, including US DoD hacker
Two indicted for stealing 1 billion email addresses in historic breach

Top 5 Business Intelligence links
Mind-reading DNS security analysis offers early warning for APT attacks
Massive cyber-attack: what businesses can learn from major data breaches
CloudFlare Aims to Defeat Massive DDoS Attacks with Virtual DNS
Panda antivirus labels itself as malware
Cyber crooks take advantage of ad bidding networks to deliver ransomware

Basefarm posts
Patch Tuesday March 2015

Patch Tuesday March 2015

Another month, another patch Tuesday!

On this, the third Patch Tuesday of 2015, Microsoft pushed 14 update bundles to address at least 43 separate vulnerabilities in Internet Explorer, Exchange, Office, Windows and a host of other components.

Some of these vulnerabilities are listed as critical and could allow elevation of privilege, denial of service, remote code execution, or a security feature bypass that lets an attacker take control of the affected system, so it is advised to upgrade as soon as possible.

UPDATE 12/3/2015:
Adobe has now also released an update for Adobe Flash Player. This update is rated as a 1 on Adobe’s severity rating: “This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours).”

More information:
Microsoft
Adobe