BF-SIRT Newsletter 2018-19

Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw

Don’t panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now.

A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days.

Top 5 Security links

Critical Linux flaw opens the door to full root access

Multi-stage email word attack without macros

GDPR phishing scam targets Apple accounts

Hardcoded password found in Cisco Enterprise software, again

Another severe flaw in Signal desktop app

BF-SIRT Newsletter 2018-18

TWITTER URGES USERS TO CHANGE PASSWORDS DUE TO GLITCH

Twitter said Thursday that a glitch caused account passwords to be stored in plain text in an internal log, sending users across the platform scrambling to change their passwords.

The social media company said that it found and has fixed the glitch, and its investigation shows no indication of a breach or misuse by anyone. While the company did not specify how many passwords were impacted, a Reuters report pegged the number at more than 330 million.

“I’d emphasize that this is not a leak and our investigation has shown no signs of misuse,” a Twitter spokesperson told Threatpost. “We’re sharing this information so everyone can make an informed decision on the security of their account.”

Top 5 Security links
Meow, click me, Meow
Facebook’s getting a clear history button
Medical devices vulnerable to KRACK Wi-Fi attacks
Security Trade-Offs in the new EU privacy law
Glitch: new ‘Rowhammer’ attack can remotely hijack Android phones

BF-SIRT Newsletter 2018-01

Meltdown and Spectre, two security flaws said to affect almost all CPUs released since 1995, were announced this week, and will probably haunt us for years to come.

Exploit code used in the Mirai malware variant called Satori, which was used to attack hundreds of thousands of Huawei routers over the past several weeks, is now public. We might see more of this in near-future botnets.

A researcher released details of a local privilege escalation attack against macOS that dates back to 2002, completely ignoring any responsible disclosure process.

Top 5 Security Links
Meltdown and Spectre – Bugs in modern computers leak passwords and sensitive data.
Mozilla Patches Critical Bug in Thunderbird
Attention, vSphere VDP backup admins: There is a little remote root hole you need to patch…
MacOS LPE Exploit Gives Attackers Root Access
Code Used in Zero Day Huawei Router Attack Made Public

BF-SIRT Newsletter 2017-50

This week's top stories begin with the ROBOT attack, a bug in implementations of RSA key exchange in products using PKCS #1 v1.5 padding. This includes SSL/TLS if RSA is used for exchanging keys. The bug can let an adversary decrypt traffic and even sign messages with someone else's private key. The vulnerable products include F5, Citrix and Cisco, and many vendors have released patches.

A database containing over 1.4 billion cleartext passwords was discovered by security firm 4iQ while looking for passwords on the “dark web”. The full database contains over 41GB of cleartext passwords and usernames aggregated from previous leaks from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public and Exploit.in.

A security researcher discovered that many HP laptop models come pre-installed with a keylogger that could be used by malware or attackers to spy on the user. The keylogger is disabled by default, but can be turned on by changing the registry on Windows machines. Since this is built into the drivers by HP, this keylogger can be turned on bypassing . HP.

Tenable released Nessus Professional v7, removing API and multi-user support. These two components are considered essential by many security professionals, and the change was met with criticism in the security community. But it gets even worse. When notifying its users about the new version, Tenable added all users to a support forum that sent out as many as 150 emails a minute for over an hour, effectively creating a spam storm for all its users.

A new attack framework, “TRITON”, is targeting Industrial Control Systems (ICS) and has caused operational disruption to critical infrastructure, according to Mandiant. This looks to be a nation-state sponsored attack, and could lead to physical damage to critical systems producing gas, power and other nationally critical infrastructure.

And don’t forget that this Tuesday was Microsoft’s Patch Tuesday, with fixes for over 30 vulnerabilities, including 19 critical browser issues.

Top 5 Security links
ROBOT attack
1.4 Billion Clear Text Credentials Discovered in a Single Database
Pre-installed keylogger found in over 460 HP laptops
Tenable released Nessus Professional v7, removing features and spamming users
TRITON Attacker Disrupts ICS Operations

BF-SIRT Newsletter 2017-49

This week's top story is that Microsoft issued an emergency Windows security update for a critical vulnerability that could lead to remote code execution in Microsoft’s own

TeamViewer rushed out a fix for a permissions bug that let the controlled machine take control of the controlling machine. The bug impacts the Windows, macOS and Linux versions of TeamViewer.

Bugs were found in over 30 mail clients that let a phisher craft perfectly spoofed emails, defeating DMARC, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), so that the mail is shown as legitimate in the client.
This collection of bugs has been named “Mailsploit” by the researcher who discovered it, and a list of vulnerable devices can be found here.

Two researchers from enSilo described a new code injection technique called “Process Doppelgänging” at Black Hat 2017. This new attack works on all Windows versions, and the researchers say it bypasses most of today’s major security products. It is a fileless attack and is impossible to patch, since it exploits the core design of Microsoft’s process loading mechanism. The good news is that it is a very technically challenging exploit to run.

In malware news, the FBI, Europol, Microsoft and ESET teamed up to dismantle the longest-running botnet to date, the Andromeda network of botnets, which has been active since 2011.

Top 5 Security links
Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability
TeamViewer Rushes Fix for Permissions Bug
‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs
Patch for Apple's blank password bug released
“Process Doppelgänging” Attack Works on All Windows Versions

BF-SIRT Newsletter 2017-48

This week's top stories are that half of the Internet’s email servers were vulnerable to remote code execution, and that half the planet's inhabitants seemingly wondered how a blank password could give privilege escalation in the latest version of macOS.

The financially focused Cobalt criminal group exploited Microsoft Office’s Equation Editor in its latest campaign; a patch was released in November.

A classified toolkit for potentially accessing US military intelligence networks was left in an unsecured AWS S3 silo.

Less news, but input worth considering: Linus Torvalds has offered a calmer, lengthier explanation of his thoughts on security, after a classic expletive-laden first version.

Top 5 Security Links
No Patch Available for RCE Bug Affecting Half of the Internet’s Email Servers
Why <blank> Gets You Root
Older Office Cybersecurity Vulnerability Exploited by Cobalt Attackers
US intelligence blabs classified Linux VM to world via leaky S3 silo
Linus Torvalds on security: ‘Do no harm, don’t break users’

BF-SIRT Newsletter 2017-44

This week's top stories are that the Reaper IoT botnet is not fully mobilised according to a report, and that Heathrow Airport security plans were found on a memory stick on a street in London.

European Union member states have drafted a diplomatic document which states that serious cyber-attacks by a foreign nation could be construed as an act of war.

If you are looking for some in-depth reading, Sophos has released its 2018 Malware Forecast report, concluding that ransomware-as-a-service will see the insidious malware spread rapidly beyond personal computers in the year ahead. Proofpoint researchers uncovered a long-running malvertising campaign and have a nice write-up and threat actor profile: KovCoreG, The Kovter Saga.

Top 5 Security Links
Reaper IoT Botnet Not Fully Mobilised, Says Report
Heathrow Airport Security Plans Found on Memory Stick
EU to Declare Cyber-Attacks “Act of War”
Threat Actor Profile: Kovcoreg, The Kovter Saga
Sophos: 2018 Malware Forecast Report

Recent weeks' spam/malware trends: refund or delay complaints

Greetings good people!

I wanted to share with you the latest trends of spam and/or malware I see coming into Basefarm this last week. Thanks to everyone who is spamming me, making this possible. 🙂

The latest trend is sending a mail with very little detail, complaining about a delay in shipping, lacking tracking information, anything really. And then attaching a .doc file with a simple name like “order-confirmation.doc” or “invoice.doc”.

We, as good people, want people to be happy with our service, so we get a little worried that there has been something we have missed and rush to open the .doc file to see how we can correct this misunderstanding. The .doc file is loaded with a bunch of macros, and upon opening it downloads whatever malware recently paid the last bid to the spammer. Mostly I have seen botnet installs, and no more crypto-software so far, but this can be changed on the fly by the malware authors.

The purpose of the botnet infection is the traditional proxying of malicious mail or web traffic, participating in DDoS, or the more modern mining of cryptocurrency. Also keep in mind that it is not uncommon for them to exfiltrate any address books, stored passwords and passwords typed during the infection.

Unfortunately, having an up-to-date antivirus is not enough these days. So, to keep yourself from enjoying a borrowed computer from Internal IT while yours is getting reinstalled, and from changing all your passwords in fear they might have been captured, slow down and think about what files you are opening. Being more security aware is the best solution to this challenge.

As always, if you are not sure about something, talk to your closest internal-IT or SIRT person about your concerns. It is much easier to handle this while it is still in your inbox.
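The pattern described above (a terse complaint plus a macro-laden Word attachment with a generic name such as “invoice.doc”) can also be caught before it reaches an inbox. The following is an added example written for this newsletter, not Basefarm or BF-SIRT code: a mail triage function built on Python's standard library that extracts attachments, looks for a VBA project inside legacy OLE (.doc) and OOXML (.docm) files, and scores the message. The OLE check is a byte-level heuristic assumed for this example (it searches for the UTF-16LE stream name `_VBA_PROJECT`), not a full parse of the compound file format; the filename keyword list and the 40-word body threshold are likewise assumptions chosen here, and the sample message and attachment bytes are constructed inline.

```python
"""Triage incoming mail for the 'short complaint + Office macro attachment' pattern.

Added example, not Basefarm/BF-SIRT code. Uses only the standard library so it
runs offline; the macro detection is a heuristic, not a full Office parser.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Compound File Binary (legacy .doc/.xls) header signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory stream names that appear when a VBA project is embedded; the OLE
# directory stores names as UTF-16LE. (Heuristic assumed for this example.)
VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "VBA_PROJECT_CUR")]
# Generic transactional names seen on lures (assumed list for this example).
RISKY_NAMES = re.compile(r"(invoice|order|confirmation|delivery|tracking|refund)", re.I)
SHORT_BODY_WORDS = 40  # assumed threshold for a 'very little detail' body


def has_macros(data: bytes) -> bool:
    """Return True if the bytes look like an Office file carrying a VBA project."""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in VBA_MARKERS)
    if data[:2] == b"PK":  # OOXML container (.docx/.docm/.xlsm)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage(raw: bytes) -> dict:
    """Parse one RFC 822 message and return a verdict with per-attachment reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if has_macros(data):
            reasons.append("contains VBA macros")
        if name.lower().endswith((".doc", ".docm", ".xls", ".xlsm")) and RISKY_NAMES.search(name):
            reasons.append("generic transactional filename")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    short_body = len(text.split()) < SHORT_BODY_WORDS
    if findings and short_body:
        verdict = "quarantine"   # lure shape: terse text + suspicious Office attachment
    elif findings:
        verdict = "review"       # suspicious attachment but a substantive body
    else:
        verdict = "pass"
    return {"verdict": verdict, "short_body": short_body, "attachments": findings}


def build_docm_bytes() -> bytes:
    """Constructed minimal OOXML container with a vbaProject.bin entry (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed message resembling the campaign: terse complaint plus a macro-laden .doc."""
    # Fake legacy .doc: OLE header followed by the UTF-16LE VBA stream name.
    fake_doc = OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64
    msg = EmailMessage()
    msg["From"] = "customer@example.invalid"
    msg["To"] = "support@example.invalid"
    msg["Subject"] = "Delay"
    msg.set_content("Where is my order? See attached.")
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="order-confirmation.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real mail gateway the verdict would feed a quarantine action rather than a print; the point of the two-signal rule is that a macro alone is common in legitimate business documents, while a macro arriving with almost no accompanying text and a generic filename is the lure shape the newsletter describes.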