Unprotected Government Server Exposes Years of FBI Investigations

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

“A massive set of government data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a storage server for at least a week, exposing a whopping 3 terabytes of data containing millions of sensitive files.

The unsecured storage server, discovered by Greg Pollock, a researcher with cybersecurity firm UpGuard, also contained decades worth of confidential case files from the Oklahoma Securities Commission and many sensitive FBI investigations—all wide open and accessible to anyone without any password.”


DNSpionage and how to mitigate DNS tunneling


Cisco Talos has published details of an APT campaign using DNS redirection and malware they call DNSpionage. The malware supports both regular HTTP and DNS tunneling as ways of communicating back with the attackers.

The DNS redirection part of the attack was done by compromising nameservers and then pointing hostnames under the nameservers’ control to IPs of the attackers’ choosing. Because the attackers controlled the DNS records, they could obtain certificates from Let’s Encrypt and in that way set up perfectly valid HTTPS copies of the affected sites.

DNS tunneling is where data are encapsulated within a DNS query and its reply, often using base64 encoding. As long as a host is able to perform domain name lookups, it is able to exfiltrate data in this manner. With some preparation, the same technique can also be used to proxy legitimate traffic across, for example, an airport’s Wi-Fi and bypass any “signup” requirement the Wi-Fi might have.

This covert channel can be hard to detect if the malware minimizes the bandwidth it uses. If it is used as a proxy for larger amounts of data, it becomes possible to detect a significant change in the number of DNS queries and in the size of the queries. A modern IDS or next-generation firewall should be able to detect this out of the box today. Another way of mitigating is to use the split-horizon DNS concept: internal names are resolved normally, while external names resolve through a proxy server that can inspect the DNS information further.
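The volume-and-size detection described above, as an added example that is not part of the original post or of the Talos research: it profiles a constructed resolver log per client and registered domain, and flags pairs whose subdomain labels are unusually long or high-entropy over a minimum number of queries. The thresholds and the two-label registered-domain rule are assumptions for illustration.

```python
import math
from collections import defaultdict
# Constructed resolver log (not from the article), one "<epoch> <client> <qname>" per line.
# 10.0.0.5 browses normally; 10.0.0.9 pushes base64-looking labels under one domain.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com
1001 10.0.0.5 mail.example.com
1002 10.0.0.5 www.example.com
1000 10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.c1.tunnel.example
1001 10.0.0.9 dGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcw.c2.tunnel.example
1002 10.0.0.9 b3ZlciB0aGUgbGF6eSBkb2cgYW5kIGRhdGE.c3.tunnel.example
"""

def parse_log(text):
    """Yield (client, qname) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")

def split_name(qname):
    """(subdomain, registered domain); assumes a two-label registered
    domain, a simplification (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def entropy(s):
    """Shannon entropy in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def profile(records):
    """Per (client, registered domain): query count, mean subdomain length
    and entropy of the concatenated subdomain text."""
    subs = defaultdict(list)
    for client, qname in records:
        sub, domain = split_name(qname)
        subs[(client, domain)].append(sub)
    return {key: {"count": len(v),
                  "avg_len": sum(map(len, v)) / len(v),
                  "entropy": entropy("".join(v))}
            for key, v in subs.items()}

def flag_tunnels(stats, min_queries=3, max_avg_len=30.0, max_entropy=3.5):
    """Thresholds are assumed starting points, not values from the article."""
    return {key for key, s in stats.items() if s["count"] >= min_queries
            and (s["avg_len"] >= max_avg_len or s["entropy"] >= max_entropy)}
```

Run it against a baseline of your own resolver logs before trusting the thresholds; CDNs and some anti-spam services legitimately issue long, random-looking labels.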


Russia accused of Energy Sector Siege


Advanced attackers, most likely from Russia, appear to be in the reconnaissance phase of a cyber war, according to a research report from threat hunting firm Vectra. The attackers are using stealthy tactics, seemingly to prepare and position themselves for possible future cyber warfare, with the energy and utilities sectors as important elements.

Typically, over the course of several months, the attackers patiently use tools already installed on the systems (living off the land) to grab documentation and observe operator behaviour, performing lateral movement to expand access while taking care not to set off common alarm bells.

The United States DHS Computer Emergency Readiness Team (US-CERT) released an alert, TA18-074A, in March 2018 regarding this.



Dynamic Content Attacks and How to Mitigate them


“Most dynamic content attacks are launched against content delivery networks. The attacker uses networks of infected hosts or botnets to request non-cached content from the target. If enough of these requests are made, the server will be overloaded and crash.”

“Taking the right precautions is essential. Here are some steps that you can take to protect your CDN from a dynamic content attack.”



5 tips for better cloud security


Blocking cyber attacks; Why you should understand adversary playbooks


It’s time to get off the treadmill: Why you should understand adversary playbooks

“Flipping the equation on known adversaries by developing and deploying controls at locations on the intrusion kill chain designed specifically for these known playbooks will increase a company’s ability to block an attack. The cybersecurity industry must collaborate to identify all known adversary playbooks and share this knowledge with each other and the public.”


Security is Not a One-Person Job


“Security is not a one-person job. It can’t be accomplished with one person, it can’t be accomplished with one company,” says Walls. “So we need partners, and we need friends in the industry to work together.” No statement could better summarize what building a culture of security looks like. Learn more about how Walls and Prime Therapeutics implemented DLP to protect highly sensitive data for millions of people.



BF-SIRT Newsletter 2018-28

Botnet built with one exploit only

A malware author has built a huge botnet comprised of over 18,000 routers in the span of only one day.

This new botnet has been spotted this week by security researchers from NewSky Security, and their findings have been confirmed by Qihoo 360 Netlab, Rapid7, and Greynoise.

The botnet has been built by exploiting a vulnerability in Huawei HG532 routers, tracked as CVE-2017-17215.

Botnet author is a known threat actor

The botnet herder identified himself with the pseudonym “Anarchy.” Answering inquiries from both Anubhav and Bleeping Computer, Anarchy did not provide a reason why he created the botnet.

But Anubhav believes Anarchy may actually be a hacker who previously identified as Wicked, whom Anubhav interviewed on NewSky’s blog and Fortinet featured in a report here.

But the real problem here is not a malware author doing what he does best. The problem is the relative ease with which Anarchy built a gigantic botnet within one day.

He didn’t do it with a zero-day or some vulnerability that had not been exploited before. He did so with a high-profile vulnerability that many botnets have exploited before.

Top 5 Security links

Public By Default: What Venmo (and the Whole World) Knows About You

Microsoft Identity Bounty Program Pays $500 to $100,000 for Bugs

Sextortion scam knows your password, but don’t fall for it

Director of National Intelligence warns of devastating cyber threat to US infrastructure

Google User Content CDN Used for Malware Hosting

BF-SIRT Newsletter 2018-27

Chrome Now Features Site Isolation to Defend Against Spectre

A new feature called site isolation is being tapped to protect Chrome users against Spectre.

Google introduced new security mitigations for its Chrome browser to defend against recently discovered Spectre variants.

The new security feature, called site isolation, essentially isolates the browser’s work into separate processes across different browser tabs. That means one tab’s webpage rendering and functions won’t interfere with what is happening in another. Google said it has now been pushed out to most users of Chrome 67, released in May, on Windows, Mac, Linux and ChromeOS.

“Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers,” said Google software engineer Charlie Reis in a Wednesday post. “A website could use such attacks to steal data or login information from other websites that are open in the browser.”

Site Isolation is nothing new. It’s been optionally available as an experimental enterprise policy since Chrome 63 for customers. But, said Reis, many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.

On Tuesday, more Spectre variants were disclosed, dubbed Spectre 1.1 and a subset, Spectre 1.2, collectively referred to as Variant 4 of Spectre by Intel and ARM.

Top 5 Security links

Default router password leads to spilled military secrets
The next generation of WI-FI security will save you from yourself
Update Flash (and Adobe Acrobat) NOW!
Thermanator attack steals passwords by reading thermal residue on keyboards
Stolen D-Link certificate used to digitally sign spying malware

Photo by Charles Deluvio on Unsplash

BF-SIRT Newsletter 2018-26

Gentoo shows off prompt and professional security response after minor breach

A weak administrator password allowed an unknown attacker to gain access to the Gentoo Linux distribution’s GitHub account and lock developers out of it. The GitHub repositories of Gentoo are only downstream mirrors from the self-hosted infrastructure.

From an organizational standpoint, Gentoo’s handling of the incident was prompt and professional. Gentoo promptly released official statements detailing the nature of the breach. This should be considered the standard against which organizations are judged for handling security breaches.

Top 5 Security links

Programmer tried to sell cyberweapon on dark web for $50M: Reminder to secure employees
Gartner Identifies the Top Six Security and Risk Management Trends
UK Banks Told To Show Their Backup Plans For Tech Shutdowns
Google tries to calm controversy over app developers having access to your Gmail
Why LTE and 5G networks could be affected by these new security vulnerabilities


(Blogpost image by Charles Deluvio, “Front-End Development”, “Do whatever you want”-license by Unsplash)