BF-SIRT Newsletter 2017-48

This weeks top stories is that half of the Internet’s email servers was vulnerable to a remote code execution, half the planets inhabitants seemingly wondered how blank password could give privilege escalation in the latest version of macOS.

Financially focused Cobalt criminal group exploited Microsoft Office’s Equation Editor in its latest campaign, patched was released in November.

A classified toolkit for potentially accessing US military intelligence networks was left in an unsecured AWS S3 silo.

Less news, but input worth considering, Linus Torvalds has offered a calmer lengthy explanation of his thoughts on security, after a classic expletive-laden first version.

Top 5 Security Links
No Patch Available for RCE Bug Affecting Half of the Internet’s Email Servers
Why <blank> Gets You Root
Older Office Cybersecurity Vulnerability Exploited by Cobalt Attackers
US intelligence blabs classified Linux VM to world via leaky S3 silo
Linus Torvalds on security: ‘Do no harm, don’t break users’

BF-SIRT Newsletter 2017-44

This weeks top stories is that the Reaper IoT Botnet is not fully mobilized according to report, and that Heathrow Airport Security Plans was found on memory stick on a street in London.

European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.

If you are looking for some in-depth reading, Sophos has released its 2018 Malware Forecast report concluding that ransomware-as-a-service will see the insidious malware spread rapidly beyond personal computers in the year ahead. Proofpoint researchers uncovered a long-running malvertising campaign and has a nice write up and threat actor profile: KovCoreG, The Kovter Saga.

Top 5 Security Links
Reaper IoT Botnet Not Fully Mobilised, Says Report
Heathrow Airport Security Plans Found on Memory Stick
EU to Declare Cyber-Attacks “Act of War”
Threat Actor Profile: Kovcoreg, The Kovter Saga
Sophos: 2018 Malware Forecast Report

Recent weeks spam\malware trends; refunds or delay complaints

Greetings good people!

I wanted to share with you the latest trends of spam and\or malware I see coming in to Basefarm this last week. Thanks to everyone who is spamming me making this possible. 🙂

The latest trend is sending a mail with very little detail, complaining about a delay in shipping, lacking tracking information, anything really. And then attaching a .doc file with a simple name like “order-confirmation.doc” or “invoice.doc”.

We, as good people, want people to be happy with our service, so we get a little worried that there has been something we have missed and rush to open the .doc-file to see how we can correct this misunderstanding. The .doc file is loaded with a bunch of macros, and upon opening it downloads whatever malware recently paid the last bid to the spammer. Mostly I have seen botnet installs, and no more crypto-software so far, but this can be changed on the fly by the malware authors.

The purpose of the botnet-infection is the traditional proxying of malicious mail or web traffic, participating in DDOS or to the more modern mining of crypto currency. Also have in mind that it is not uncommon for them to exfiltrate any address books, stored passwords and passwords typed during the infection.

Unfortunately, having an up-to-date antivirus is not enough these days, so to keep yourself from enjoying a borrowed computer from Internal-IT while yours is getting reinstalled and you changing all the passwords you have in fear it might be captured, slow down and think about what files you are opening. Being more security aware is the best solution to this challenge.

As always, if you are not sure about something, talk to your closest internal-IT or SIRT person about your concerns. It is much easier to handle this while it is still in your inbox.