BF-SIRT Newsletter 2017-51

Google’s Project Zero released details of a local proof-of-concept attack against a fully patched Windows 10 PC that allows an adversary to execute untrusted JavaScript outside a sandboxed environment on targeted systems. These vulnerabilities were patched this month, and the team has a great technical write-up.

Dutch security firm Fox-IT has gone public about a cyber attack it suffered in September, after it had not protected its DNS entries with two-factor authentication. Unlike many other cases, this is a good example of how to handle incidents like this.

Using publicly known information, a team of researchers from the University of Melbourne has claimed to re-identify seven prominent Australians in an open medical dataset. In these days of GDPR, this is something to take note of when talking about “anonymization” of big data sets.

Brian Krebs has a great post looking at the price of stolen credentials, giving a glimpse into the fortunes a credential thief can earn. This shows that leaked credentials are a bigger issue than each individual account: they are part of the criminal economy and foster more cybercrime.

Top 5 Security Links
Project Zero Chains Bugs for ‘aPAColypse Now’ Attack on Windows 10
Fox-IT reveals hackers hijacked its DNS records, spied on clients’ files
Re-identification possible with Australian de-identified Medicare and PBS open data
The Market for Stolen Account Credentials
Attack Attribution Tricky Say Some as US Blames North Korea for WannaCry

BF-SIRT Newsletter 2017-50

This week’s top stories begin with the ROBOT attack, a bug in implementations of RSA key exchange for products using PKCS #1 v1.5. This includes SSL/TLS if RSA is used for exchanging keys. The bug can let an adversary decrypt traffic and even sign messages with someone else’s private key. The vulnerable products include F5, Citrix and Cisco, and many vendors have released patches.
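ROBOT (Return Of Bleichenbacher’s Oracle Threat) works because a server reveals, through its error alert, timing or connection handling, whether a ciphertext decrypted to well-formed PKCS #1 v1.5 padding. The defence TLS 1.2 (RFC 5246, section 7.4.7.1) prescribes is to never surface that difference: on any padding defect, substitute a random premaster secret and let the handshake fail later at the Finished message. The example below is added here and is not code from the newsletter or from any of the named vendors; it leaves the RSA operation out and works on the already-decrypted block, shows a textbook check that leaks which test failed beside the hardened substitution, and uses an assumed 1024-bit key size and constructed sample data.

```python
"""PKCS#1 v1.5 unpadding: an oracle-style check beside the TLS-style hardened
check. Added example, not the newsletter's or any vendor's code. Works on the
decrypted block only; the RSA step is omitted. All names are this example's own."""
import secrets

PREMASTER_LEN = 48   # TLS premaster secret length in bytes (RFC 5246)
KEY_BYTES = 128      # block size for an assumed 1024-bit RSA key (constructed)


class PaddingError(Exception):
    """Raised by the oracle-style check; its message reveals which test failed."""


def pad_pkcs1_v15(message: bytes, k: int = KEY_BYTES) -> bytes:
    """Build an encryption block: 00 02 <at least 8 nonzero bytes> 00 <message>."""
    pad_len = k - 3 - len(message)
    if pad_len < 8:
        raise ValueError("message too long for key size")
    padding = bytearray()
    while len(padding) < pad_len:
        b = secrets.token_bytes(1)
        if b != b"\x00":          # padding string must contain no zero byte
            padding += b
    return b"\x00\x02" + bytes(padding) + b"\x00" + message


def unpad_oracle(block: bytes, k: int = KEY_BYTES) -> bytes:
    """Textbook check. Each defect raises a distinct error and exits early,
    so a caller that maps these to different alerts, response times or
    connection behaviour becomes a padding oracle of the kind ROBOT needs."""
    if len(block) != k:
        raise PaddingError("bad length")
    if block[0] != 0x00 or block[1] != 0x02:
        raise PaddingError("bad block type")
    sep = block.find(b"\x00", 2)
    if sep == -1:
        raise PaddingError("no separator")
    if sep < 10:                  # fewer than 8 bytes of padding
        raise PaddingError("padding too short")
    return block[sep + 1:]


def unpad_tls_hardened(block: bytes, k: int = KEY_BYTES,
                       client_version: bytes = b"\x03\x03") -> bytes:
    """RFC 5246 7.4.7.1 style: always return a 48-byte premaster secret.
    On any defect a random one is substituted, so the peer sees no difference
    until its Finished message fails to verify. The scan runs over the whole
    block with no early exit to mirror a constant-time layout (Python itself
    gives no timing guarantee; the point is the uniform outcome)."""
    fallback = secrets.token_bytes(PREMASTER_LEN)
    if len(block) != k:
        return fallback
    bad = (block[0] != 0x00) | (block[1] != 0x02)
    sep = -1
    for i in range(2, k):         # full scan, remember only the first zero
        is_zero = block[i] == 0
        sep = i if (is_zero and sep == -1) else sep
    bad |= sep == -1              # no separator at all
    bad |= sep < 10               # padding shorter than 8 bytes
    bad |= (k - sep - 1) != PREMASTER_LEN   # payload must be exactly 48 bytes
    candidate = block[sep + 1:] if sep != -1 else b""
    bad |= candidate[:2] != client_version  # version check folded in, no branch
    return fallback if bad else candidate


if __name__ == "__main__":
    pms = b"\x03\x03" + bytes(range(1, 47))   # constructed 48-byte premaster
    blk = pad_pkcs1_v15(pms)
    print("hardened, valid block  ->", unpad_tls_hardened(blk) == pms)
    broken = bytearray(blk)
    broken[1] = 0x01
    try:
        unpad_oracle(bytes(broken))
    except PaddingError as e:
        print("oracle leaks:", e)
    print("hardened, broken block -> 48 random bytes:",
          len(unpad_tls_hardened(bytes(broken))))
```

The hardened variant is what the patched products effectively do: a client sending mangled ciphertexts learns nothing from the response and the handshake simply fails when the two sides' Finished MACs disagree.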

A database containing over 1.4 billion clear-text passwords was discovered by security firm 4iQ while looking for passwords on the “dark web”. The full database contains over 41GB of clear-text passwords and usernames aggregated from previous leaks from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public and Exploit.in.

A security researcher discovered that many HP models come pre-installed with a keylogger that could be used by malware or hackers to spy on the user. The keylogger is disabled by default, but can be turned on by making changes to the registry on Windows machines. Since this is built into the drivers by HP, this keylogger can be turned on bypassing . HP.

Tenable released Nessus Professional v7, removing API and multi-user support. These two components are seen as essential by many security professionals, and the change has been met with criticism in the security community. But it gets even worse. When notifying its users about the new version, they added all users to a support forum that sent out as many as 150 emails a minute for over an hour, effectively creating a spam storm for all its users.

A new attack framework, “TRITON”, is targeting Industrial Control Systems (ICS) and caused operational disruption to critical infrastructure, according to Mandiant. This looks to be a nation-state sponsored attack, and could lead to physical damage to critical systems producing gas, power and other national critical infrastructure.

And don’t forget that this Tuesday was Microsoft’s Patch Tuesday, with fixes for over 30 vulnerabilities, including 19 critical browser issues.

Top 5 Security links
ROBOT attack
1.4 Billion Clear Text Credentials Discovered in a Single Database
Pre-installed keylogger found in over 460 HP laptops
Tenable released Nessus Professional v7, removing features and spamming users
TRITON Attacker Disrupts ICS Operations

Defining digitalization: Industry 4.0 or Internet of Things?

The digitalization of the economy and society marches on relentlessly – sometimes slower, sometimes faster. In a recent blog post we fundamentally defined digital transformation and digital development. Now let’s turn to two key terms that were coined to describe the increasing digitalization and are even shaping how it is being reported: Industry 4.0 (the Industrial Internet) and the Internet of Things (IoT). The two are often used synonymously, and therefore often incorrectly. It’s time to clarify the difference.

BF-SIRT Newsletter 2017-49

This week’s top story is that Microsoft issues an emergency Windows security update for a critical vulnerability that could lead to remote code execution in Microsoft’s own

TeamViewer rushes a fix for a permissions bug that let the controlled machine take control over the controlling machine. The bug impacts the Windows, macOS and Linux versions of TeamViewer.

Bugs in over 30 mail clients let a phisher craft perfectly spoofed emails, defeating DMARC, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) and showing the mail as legitimate in the client.
This collection of bugs has been named “Mailsploit” by the researcher who discovered it, and a list of vulnerable devices can be found here.

Two researchers from enSilo described a new code injection technique called “Process Doppelgänging” at Black Hat 2017. This new attack works on all Windows versions, and the researchers say it bypasses most of today’s major security products. It is a file-less attack and is impossible to patch, since it exploits core designs of Microsoft’s process loading mechanism. The good news is that it is a very technically challenging exploit to run.

In malware news, the FBI, Europol, Microsoft and ESET teamed up to dismantle the longest running botnet to date, the Andromeda network of botnets, which had been active since 2011.

Top 5 Security links
Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability
TeamViewer Rushes Fix for Permissions Bug
‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs
Patch for Apple’s blank password bug released
“Process Doppelgänging” Attack Works on All Windows Versions

BF-SIRT Newsletter 2017-48

This week’s top stories are that half of the Internet’s email servers were vulnerable to remote code execution, and that half the planet’s inhabitants seemingly wondered how a blank password could give privilege escalation in the latest version of macOS.

The financially focused Cobalt criminal group exploited Microsoft Office’s Equation Editor in its latest campaign; a patch was released in November.

A classified toolkit for potentially accessing US military intelligence networks was left in an unsecured AWS S3 silo.

Less news, but input worth considering: Linus Torvalds has offered a calmer, lengthy explanation of his thoughts on security, after a classic expletive-laden first version.

Top 5 Security Links
No Patch Available for RCE Bug Affecting Half of the Internet’s Email Servers
Why <blank> Gets You Root
Older Office Cybersecurity Vulnerability Exploited by Cobalt Attackers
US intelligence blabs classified Linux VM to world via leaky S3 silo
Linus Torvalds on security: ‘Do no harm, don’t break users’

Data Architects and System Architects – The roles and their importance

The core focus of architecture, and of those who practice it as a profession, is to plan the design, layout, and construction of buildings. The Data Architects and System Architects employed in the planning and building of business-critical data infrastructures have a similarly vital role to play in their industries. Read on to find out more about these intriguing professions.

BF-SIRT Newsletter 2017-47

This week’s top stories are that Intel fixes critical bugs in Management Engine, its secret CPU-on-chip, and that F5 announces a critical BIG-IP SSL vulnerability.

You should also read about the new OWASP Top 10 that has been released, and a forecast from ISF about security threats in 2018.

Top 5 Security links
Intel Fixes Critical Bugs in Management Engine, Its Secret CPU-On-Chip
F5 DROWNing, not waving, in crypto fail
Four Years Later, We Have a New OWASP Top 10
5 information security threats that will dominate 2018
Uber concealed massive hack that exposed data of 57m users and drivers

Forrester study confirms: Data engineers set to rock 2018

With the end of the year fast approaching, we’ve all been wondering what 2018 has in store. Forrester Research has provided the answers in its latest report, entitled “Predictions 2018: The Honeymoon for AI is over”. The study predicts that artificial intelligence (AI) will finally become more than just hype. Companies will increasingly start to realize that AI requires significant effort in terms of planning, delivery, and management – and the profession of data engineer will become ever more critical to the implementation of the technology.

BF-SIRT Newsletter 2017-46

This week’s top stories are that research by Google and the University of California found that phishing attacks are more efficient than data breaches at getting criminals into victims’ accounts and that the average person still can’t pick a good password, and that security researchers described a proof-of-concept exploit dubbed AVGater that affects multiple antivirus products and can lead to a full system takeover.

GitHub has announced a new feature for its dependency graph that will warn developers about vulnerable dependencies in their projects.

You can also read about Malwarebytes researchers warning IT workers seeking love online to beware of “catphishing” scams, and an interview in which Premera Blue Cross’s CISO and vice president sizes up healthcare security threats for 2018.

Top 5 Security links
Google study finds phishing attacks more efficient than data breaches
AVGater abuses antivirus software for local system takeover
Github Will Warn Developers About Vulnerable Dependencies in Their Projects
Beware Catphishing attacks targeting the hearts of security pros
A CISO Sizes Up Healthcare Security Threats for 2018

BF-SIRT Newsletter 2017-45

This week’s top stories are that recent Intel chips running Minix for their Management Engine have debugging ports that can be reached over USB. USB is also a theme in Linux kernel patching these days, with more than 40 security issues discovered.

Amazon has updated its AWS dashboard to warn admins when they are exposing S3 buckets.

Researchers at Volexity have been tracking the Vietnamese threat actor APT32 since May 2017 and claim it is one of the most advanced APTs in the threat landscape.

Top 5 Security links
Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB
Don’t worry about those 40 Linux USB security holes. That’s not a typo
Amazon Updates AWS Dashboard to Warn Admins When They’re Exposing S3 Buckets
Misconfigured Amazon S3 Buckets Expose Users, Companies to Stealthy MitM Attacks
Vietnamese APT32 Group is One of the Most Advanced APTs in the Threat Landscape