WPA and WPA2 Vulnerabilities Update

On October 16, 2017, a statement from the International Consortium for Advancement of Cybersecurity on the Internet (ICASI) was released alerting the industry to a series of vulnerabilities for WPA and WPA2. These vulnerabilities are at the protocol-level and affect a large number of wireless infrastructure devices and wireless clients, across many vendors. This security flaw means that, for vulnerable clients and access points, WPA and WPA2-encrypted Wi-Fi traffic is no longer secure until certain steps are taken to remediate the issue. The Wi-Fi data stream, including passwords and personal data, can be intercepted, decrypted, and modified without a user’s knowledge. WatchGuard’s Wi-Fi access points and Wi-Fi enabled appliances are affected by these vulnerabilities. Following is detailed information about the vulnerabilities, which WatchGuard products are affected, and timing for patches.

Who is affected by these vulnerabilities?
Any Wi-Fi client or access point that utilizes the wpa_supplicant or hostapd Open Source software packages in the authentication process may be affected by these vulnerabilities. These are widely used software packages across the industry, so the vast majority of devices will be affected. The ICASI statement linked above includes many, but not all, affected vendors. Organizations that use wireless access points (APs) relying on WPA or WPA2 encryption, and mobile users who connect to Wi-Fi networks with smartphones, tablets, laptops, and other devices, should implement the necessary patches applicable to these vulnerabilities.

How many/what type of vulnerabilities are there?
Refer to the ICASI list of vulnerabilities and Common Vulnerability and Exposure (CVE) identifiers here.

How do the WPA and WPA2 vulnerabilities work?
A malicious user could inject specially-crafted packets into the middle of the WPA/WPA2 authentication handshake, forcing installation of a key known to—or controlled by—the attacker. This results in the possibility of decrypting and/or modifying client traffic. Traffic already protected by a higher-level encryption protocol, such as HTTPS, VPNs, or application encryption would not be impacted.

Depending on the specific device configuration, successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network. This is accomplished by manipulating retransmissions of handshake messages.

When an adversary manipulates certain handshake messages over the air, the exploit results in reuse of some packet numbers after the handshake is performed. Reuse of packet numbers violates the fundamental principle on which the strength of WPA2 encryption and replay protection is based: for a given key hierarchy (PTK, GTK and IGTK), packet numbers in two original (non-retransmitted) packet transmissions protected by those keys must never repeat. For packet pairs where this assumption is violated, it is possible to determine the content of one packet if the plaintext of the other packet is known or can be guessed. Packet-number reuse can also permit an adversary to replay old packets to the receiver.
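The retransmission-and-reinstall mechanism described above, modelled as an added example that is not part of the WatchGuard advisory or of hostapd/wpa_supplicant: a toy station installs a pairwise key, the vulnerable variant zeroes the packet number on every (re)installation, and the patched variant declines to reinstall a key that is already in use, so its counters survive. The HMAC-SHA256 keystream, the Station class and the two plaintext frames are constructed stand-ins for CCMP and real 802.11 data; the script needs only the Python standard library.

```python
# Added example (not from the WatchGuard advisory, hostapd or wpa_supplicant):
# a toy model of pairwise-key installation showing why reinstalling a key that
# resets the packet number leads to nonce reuse, and why the fix is to refuse
# to reinstall an already-installed key. AES-CCM is replaced by an HMAC-SHA256
# keystream so that the script runs with the standard library only.
import hmac
import hashlib


def keystream(tk, packet_number, length):
    """Toy stand-in for CCMP: keystream derived from (TK, packet number)."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal sender-side key state for one pairwise key (PTK)."""

    def __init__(self, patched):
        self.patched = patched
        self.tk = None
        self.pn = 0  # transmit packet number (the CCMP nonce counter)

    def install_key(self, tk):
        # Vulnerable behaviour: a retransmitted message 3 triggers a fresh
        # install, which zeroes the packet number. Patched behaviour (modelled
        # here, not copied from the real supplicant code): ignore a reinstall
        # of the key already in use, so the counters are preserved.
        if self.patched and self.tk == tk:
            return False
        self.tk = tk
        self.pn = 0
        return True

    def encrypt(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))


def run(patched):
    """Simulate: key install, one data frame, a replayed message 3, a second frame.

    Returns (packet numbers, ciphertexts, plaintexts) for inspection."""
    tk = hashlib.sha256(b"constructed-ptk-for-demo").digest()  # constructed key
    sta = Station(patched)
    sta.install_key(tk)                 # message 3 arrives, key installed
    p1 = b"GET /login HTTP/1.1\r\n"     # constructed plaintext frames
    p2 = b"user=alice&pw=hunter2\r\n"
    pn1, c1 = sta.encrypt(p1)
    sta.install_key(tk)                 # replayed message 3 -> reinstall attempt
    pn2, c2 = sta.encrypt(p2)
    return (pn1, pn2), (c1, c2), (p1, p2)


def nonce_reused(patched):
    """True when both frames were protected under the same (TK, packet number)."""
    (pn1, pn2), _, _ = run(patched)
    return pn1 == pn2


def recovered_xor_matches(patched):
    """If the same (TK, PN) protected both frames, c1 XOR c2 == p1 XOR p2, so
    knowing one plaintext reveals the other (the observation made in the text)."""
    _, (c1, c2), (p1, p2) = run(patched)
    n = min(len(c1), len(c2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])


if __name__ == "__main__":
    for label, patched in (("vulnerable", False), ("patched", True)):
        print(f"{label:10s} nonce reused = {nonce_reused(patched)}, "
              f"ciphertext XOR leaks plaintext XOR = {recovered_xor_matches(patched)}")
```

Run it and the vulnerable variant reports the same packet number for both frames and a ciphertext XOR equal to the plaintext XOR; the patched variant keeps counting and the relation no longer holds. A receiver that discards any frame whose packet number does not exceed the last accepted one catches the replay half of the problem; only the sender-side key-state fix removes the keystream reuse.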

Do these vulnerabilities represent a protocol design failure of WPA2?
No, the failure is with the wpa_supplicant or hostapd Open Source software packages, and is not a protocol design failure of WPA2.

Which WatchGuard products were affected?

  • Access Points: AP100, AP102, AP120, AP200, AP300, AP320, AP322, AP420
  • Appliances: XTM 25-W, 26-W, 33-W; Firebox T10-W, T30-W, T50-W

How can WatchGuard partners and customers access patches / updates that address these vulnerabilities?
Patches will be available for Fireware, WatchGuard legacy and current APs, and for WatchGuard Wi-Fi Cloud via the following releases and estimated timing (subject to changes, monitor this blog for patch updates):
Sunday, October 15, 2017:

  • AP120, 320, 322, 420:  Release 8.3.0-657, Cloud mode only

Monday, October 30, 2017:

  • Fireware: Release 12.0.1
  • Legacy AP:
    • AP300: Release
    • AP100, 102, 200: Release
  • AP120, 320, 322, 420:  Release 8.3.0-657, Non-Cloud (GWC mode)

Have any of WatchGuard’s customers or partners been negatively impacted by these vulnerabilities?
No, we are not aware of any WatchGuard customers or partners who have been negatively impacted by these vulnerabilities.

What is WPA2?
WPA2 (802.11i) is currently the standard for link layer security in Wi-Fi networks. It uses either 802.1x (EAP) or shared key (PSK) based authentication. In 802.1x, the client is authenticated by a backend RADIUS server when setting up a wireless connection. During the authentication process, the client and the RADIUS server generate a common key called the Pairwise Master Key (PMK). The PMK is sent from the RADIUS server to the AP over a secure wired network. In PSK, the PMK is statically installed in the client and the AP by entering the same passphrase (password) on both sides. The PMK is then used to generate a hierarchy of keys used for encryption and integrity protection of data sent over the wireless link between the AP and the client.

The protocol to generate the key hierarchy from PMK is called an EAPOL 4-Way Handshake. It is used to derive the following keys:

  • Pairwise Transient Key (PTK), used to encrypt unicast communication between AP and client. The PTK is derived and installed by the AP and the client at the time of setting up a wireless connection. It is refreshed during the connection after a pre-configured interval has passed. It is also refreshed when the client roams between APs using the fast transition (FT) protocol.
  • Group Transient Key (GTK), used for encrypting broadcast and multicast messages from APs to clients. A GTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.
  • Integrity Group Transient Key (IGTK), used for providing integrity for broadcast and multicast management messages (called management frame protection or MFP) transmitted from the AP to the client. IGTK is generated and maintained by the AP. It is securely delivered by the AP to the client at the time of setting up a wireless connection.

The keys (GTK and IGTK) are refreshed when a client leaves the AP and the new keys are distributed to all remaining clients using a protocol called Group Key Handshake.
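The PMK and PTK derivation described in the two preceding sections, as an added example that is not from the WatchGuard advisory or from any supplicant code: on the PSK path the PMK is PBKDF2-HMAC-SHA1 over the passphrase and SSID (4096 iterations, 32 bytes), and the 4-way handshake's PRF expands it with both MAC addresses and both nonces into KCK, KEK and TK. The passphrase, SSID, MAC addresses and nonces are constructed values; the min/max ordering of the inputs is what lets the AP and the client arrive at the same PTK without either side ever transmitting it.

```python
# Added example (not from the WatchGuard advisory): the WPA2-PSK key hierarchy
# with the Python standard library only.
#   PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
#   PTK = PRF-384(PMK, "Pairwise key expansion",
#                 min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
# and, for CCMP, PTK = KCK(16) || KEK(16) || TK(16).
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: both sides compute the PMK from the shared passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """4-way handshake key expansion. aa = AP MAC, spa = client MAC.

    The min/max ordering makes the result independent of which side is
    'first', so AP and client derive identical keys from the exchanged nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# Constructed demo inputs (not real credentials or addresses).
DEMO_PASSPHRASE = "correct horse battery staple"
DEMO_SSID = "ExampleNet"
DEMO_AA = bytes.fromhex("001122334455")
DEMO_SPA = bytes.fromhex("66778899aabb")
DEMO_ANONCE = bytes(range(32))
DEMO_SNONCE = bytes(range(32, 64))


def demo_keys_agree() -> bool:
    """AP view (aa, spa, anonce, snonce) vs client view (spa, aa, snonce, anonce)."""
    pmk = derive_pmk(DEMO_PASSPHRASE, DEMO_SSID)
    ap_view = derive_ptk(pmk, DEMO_AA, DEMO_SPA, DEMO_ANONCE, DEMO_SNONCE)
    sta_view = derive_ptk(pmk, DEMO_SPA, DEMO_AA, DEMO_SNONCE, DEMO_ANONCE)
    return ap_view == sta_view


if __name__ == "__main__":
    pmk = derive_pmk(DEMO_PASSPHRASE, DEMO_SSID)
    for name, value in derive_ptk(pmk, DEMO_AA, DEMO_SPA, DEMO_ANONCE, DEMO_SNONCE).items():
        print(name, value.hex())
    print("AP and client agree:", demo_keys_agree())
```

Because every PTK input except the nonces is fixed for a given network and client, a fresh, unpredictable nonce from each side on every handshake is what makes each PTK unique; the TK slice is the key that the packet-number rule in the vulnerability description protects.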

What is WPA?
Wi-Fi Protected Access (WPA) is a security protocol and security certification system developed by the Wi-Fi Alliance in response to weaknesses found in the previous system, Wired Equivalent Privacy (WEP). This was an intermediate measure taken in anticipation of the availability of the more complex and secure WPA2. WPA is obsolete and insecure, and WatchGuard recommends that all customers use WPA2, and not WPA.

Is there a method to protect patched devices against unpatched devices?
WatchGuard is providing patches for all of our affected products. For non-WatchGuard appliances, users should refer to their Wi-Fi device vendor’s website or security advisories to determine whether their device is affected and whether an update is available.

Source: WatchGuard

HakTip 166 – How To Use ExFAT In Linux: Linux Terminal 201

Having problems mounting a flashdrive formatted in ExFAT on Ubuntu? Here’s how to fix that!

Use coupon code haktip at https://www.eero.com for free overnight shipping on your order to the US or Canada!

Props to HowToGeek for the awesome written directions! https://www.howtogeek.com/235655/how-to-mount-and-use-an-exfat-drive-on-linux/

Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.org
Contact Us: http://www.twitter.com/hak5
Threat Wire RSS: https://shannonmorse.podbean.com/feed/
Threat Wire iTunes: https://itunes.apple.com/us/podcast/threat-wire/id1197048999
Help us with Translations! http://www.youtube.com/timedtext_cs_panel?tab=2&c=UC3s0BtrBJpwNDaflRSoiieQ

Source: Security news

Source: Zologic

This year it is the Week van de Veiligheid (Safety Week)!

Zologic and CyberPrevent support the Week van de Veiligheid, because cybercrime is far more common than you think!

You hope you never have to deal with it: a theft, phantom invoices or, worse still, a cyber heist. But if it does happen to you, you want to know how you and your staff should act.

Every form of cybercrime has its own specific points of attention. But with a few general rules of thumb you can already considerably reduce the chance of becoming a victim of cybercrime.

How can I avoid becoming a victim of cybercrime?

  • Be reluctant to share personal data on the internet. Think not only of your own data, but also of that of customers, suppliers and staff. Once data has been placed on the internet, it remains available ‘forever’.
  • Never give out your login details or PIN code, even if the request appears to come from a trusted sender.
  • Delete suspicious e-mails immediately and never click on a link in the e-mail.
  • Make sure you have a properly working firewall. A CyberPrevent monitors all incoming and outgoing data traffic and assesses whether something may be let through or not.
  • Keep your software up to date. Some software bugs are discovered late and pose a serious security risk. Software vendors regularly release updates for their software; make sure these updates are installed automatically.
  • Do not respond rashly to offers by e-mail, but always first verify that you are dealing with a bona fide organisation. Check the web address before making a payment. If a site is new to you, always check who you are buying from, whether it is a bank, a supplier or a customer.
    Ask yourself the following questions:
    – Is it an existing company?
    – Are all contact details listed?
    – Are privacy, delivery and payment terms stated on the site?
  • Stay alert when making online payments. You can recognise a secure payment environment by:
    – a secure web page always starts with https, where the ‘s’ stands for secure
    – a padlock. You can click on it to check the site’s details.
  • Make a back-up of your documents.
  • Always file a report with the police when your business has been affected by cybercrime.
  • Discuss the above points with your staff as well.

The Week van de Veiligheid exists specifically to inform you about this. Are you prepared for crime? Take a look at the safety resources that help you make your business safer. Then download the poster and hang it up in your company’s canteen.

Want to do even more to prevent cybercrime? Then also take a look at the menu on the left-hand side of this page, use the materials and get started. For example, organise a group training session, do a security scan, follow one of the online training courses together with your staff, or order the brochures for a greater sense of security within your organisation.


Hak5 2305 – Password Grabber Bash Bunny Payload

Check out the awesome password grabber payload for the Bash Bunny on Hak5!

Sign up for our October 20 Event where we’ll be giving away gear gifts to the first 100 attendees! – hak5.org/rsvp


Source: Security news

Source: Zologic

NCSAM – Dialing in on Cybersecurity Education

“The security aspect of cyber is very tough. And maybe, it’s hardly doable…We have so many things we need to be doing better…And certainly cyber is one of them.”

During the 2016 Presidential debates, Presidential candidate Donald Trump expressed his concern at the state of our Nation’s cyber readiness. It’s a concern shared by many government entities. In 2003, the Department of Homeland Security (DHS) partnered with organizations in the public and private sectors to create events and initiatives to educate the populace on the importance of cybersecurity. Every October since has been National Cyber Security Awareness Month (NCSAM), in which tools and resources are shared in the hopes of keeping people safer online.

Each week of the month has a theme aimed at different areas of cybersecurity. This year’s are listed below, along with some resources that we’ve created that fall under these categories.

Week 1 (Oct 2nd – 6th) – Simple Steps to Online Safety

Six Ways to Help Improve your Security Posture

Week 2 (Oct 9th – 13th) – Cybersecurity in the Workplace is Everyone’s Business

Improve Security Through People in Four Simple Steps

Why Brand Monitoring is a Security Issue – Compromised Credentials

Week 3 (Oct 16th – 20th) – Today’s Predictions for Tomorrow’s Internet

What the Equifax Breach means for the Social Security Number System

How Ransomware has become an ‘Ethical’ Dilemma in the Eastern European Underground

Week 4 (Oct 23rd – 27th) – The Internet Wants YOU: Consider a Career in Cybersecurity

Cybersecurity Talent Shortage

The Road Less Traveled – Building a Career in Cyberthreat Intelligence

Anomali Begins Education Outreach Initiative

This last one is perhaps the most challenging due to just how relatively new of a field cybersecurity is. There’s no direct path of education that leads to the careers within the industry and no common knowledge for how those career paths typically unfold. The more traditional avenues are to come from a computer science or networking background, but it’s not uncommon to hear that most people found their way here somewhat haphazardly.

However people may find themselves within the industry though, it’s clear that hiring and training isn’t happening quickly enough. By 2021 there will be 3.5 million unfilled jobs. Educational institutions, the private and public sectors, and government organizations can all do their part to help prevent such a drastic shortage. Universities, for example, could help streamline the hiring process by offering a dedicated cybersecurity major covering both the tactical (aimed at operations) and strategic (analysts) elements of the field.

At Anomali we’ve tried to bridge this career gap by reaching out beyond the confines of the internet and speaking at local high school computer science classes. We’d like to expand next to speaking at local colleges. Our employees asked students what they knew about security, spoke about how they came to the positions they currently hold, and described the benefits they saw for students who chose to pursue a career in security.

It’s a message that we should all be trying to convey. Security positions can be practiced from any location, job security is ensured, and salaries can be high. What might help to inspire students and simultaneously educate the populace is for more organizations to provide real-world examples of how cyber threats originate, advance, and are mitigated. It might not be easy to convince a company to explain how they were breached, but giving people concrete examples rather than the Hollywood “I’m hacking the mainframe” helps them to understand how real that threat may be in relation to how they interact with technology and the internet.

It’s not something that can be solved in a month or even a year, but every resource we contribute and all the time we invest in one another will help keep us safer. It’s up to all of us, at every level, to contribute.

Source: Honeypot Tech

Using Data to Create Personalized Experiences for a Better Bottom Line

The Need for Personalization

Today’s retail landscape is more competitive than ever. Brands have to rely on and work with not only brick-and-mortar chains, but also websites around the world, many of which operate on thinner margins. Brands that are trying to break through face an increasingly disrupted marketplace, where new competitors seem to appear almost every day.

Meanwhile, an array of new technologies enables brands to deliver personalized experiences to millions of individual customers in real time. Analytics, both on the web and in-store, provide detailed insights on customers’ interests and purchase patterns, along with increasingly accurate predictions about what they’re likely to buy next month. Brands and retailers are leveraging this data to streamline their sales funnels, achieving greater efficiency every year.

In this increasingly competitive marketplace, personalized customer experiences are no longer just a nice bonus. They’re the only thing preventing your customers from switching to another brand that seems to understand them better. With a tremendous amount of money being spent getting foot traffic in stores, personalized experiences can be used to point consumers towards desired products, in hopes of making a sale. Here’s how visual experiences can enable more engaging experiences, more empowered sales teams, and an improved bottom line for your brand.


Personalized, connected, data smart experiences

Data comes from a wide range of sources – and ideally, you should be gathering it from all your store’s touchpoints. Interactions on the web, on mobile, and in brick-and-mortar stores can all combine to create customer insights you’d never have gotten from any single source. Add in volunteered data from loyalty programs, and you’ve got all the resources you need to build a robust, 360-degree view of your store.

These deep customer insights enable you to deliver more tailored advertising, orchestrating continuously improved customer journeys that span all digital and physical touchpoints. Instead of showing all your customers the same ads, you’ll be able to show offers related to their individual tastes and preferences – both on the web and in your stores. This kind of interactive signage gets more than twice the engagement rate of social media and 24 percent more dwell time than Google’s benchmark.

Beyond advertising, these robust customer insights will enable you to provide best-in-class sales tools to your employees. The latest generation of in-store technologies is helping sales associates get to know their customers via opt-in loyalty programs, allowing them to greet customers by name, sell anywhere, make recommendations to customers, anticipate customer demand and optimize the supply chain to meet it.

With more informed salespeople comes faster, more streamlined, and personalized service. When your customers feel empowered to begin the purchase process on their own devices – and your sales staff can pick up and complete that process at the point of conversion – you’ll see shorter lines, faster checkouts, and smoother flow of foot traffic throughout your store. Since employees will be able to concentrate more on personal customer service, customers will leave happier than ever.


Raising your bottom line

Longer dwell time and shorter lines are all well and good – but how do all these changes perform in terms of return on investment (ROI)? Strikingly well, in fact. Personalized experiences have been shown to contribute to increased revenue and reduced loss in a variety of complementary ways.

Digital signage can also pick up on trends, demographics, patterns, and provide detailed analytics, allowing retailers to better decide how to promote certain items. With this data, retailers can better decide how to spend their advertising dollars. This creates targeted content that has a much better chance at effectively reaching the consumer, ultimately leading to a sale. This can all be done in real time, allowing retailers to minimize waste and spend money when and where it counts.

Personalized experiences are powerful tools for transforming unique spaces into new revenue streams. You could even transform your parking lots into showcases where customers can interact with personalized displays which can help draw them into your store. This may lead to new opportunities in capturing revenue by using these spaces to place digital signage, capture ad revenue and target an untapped audience.

Messaging at the right time is also crucial. Most customers perform their own product research, both at home and in-store. But when shopping in a store, a full 90 percent of shoppers make at least one impulse purchase per trip – often driven by ads or reviews they see on digital signs while at the store.

The more data you’re able to bring together from all channels, the more personalized experiences you’ll be able to serve up at the exact moment when each customer is most likely to consider a purchase. And along the way, your interactive displays will be gathering even more data on your customers’ preferences and behavior, so you can create more targeted, effective outreach, leading to a positive impact on the bottom line.

Visit intel.com/retail to learn more about how Intel technology is shaping the future of responsive retail. To stay informed about Intel IoT developments, subscribe to our RSS feed for email notifications of blog updates, or visit intel.com/IoT, LinkedIn, Facebook and Twitter.

Source: Network News

3 Billion Yahoo Accounts Hacked; Disqus Hacked! – Threat Wire

The Yahoo breach was a lot worse than we thought, the Equifax ex-CEO sheds light on some questions, Disqus was hacked, and Kaspersky is stuck in the middle of debates. All that coming up now on ThreatWire.

Hak5 Product Launch Event! October 20th: https://www.hak5.org/rsvp


2013 Yahoo Breach Affected All 3 Billion Accounts
Fear Not: You, Too, Are a Cybercrime Victim!
We aggressively protect our users and we’re proud of it.

Source: Security news

Source: Zologic

Unstructured Data: The Threat You Cannot See

Source: Cyber Monitoring

WTB: Every Single Yahoo Account Was Hacked 3 Billion In All

The intelligence in this week’s iteration discusses the following threats: Account compromise, Botnet, Data breach, Data theft, Malspam, Phishing, Ransomware, Targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Disqus Confirms 2012 Data Breach That Exposed Details for 17.5 Million Users (October 6, 2017)
Disqus, the U.S.-based blog comment hosting service company, has confirmed that it suffered a data breach in July 2012. Unknown threat actors were able to steal data associated with approximately 17.5 million user accounts. The stolen data consists of email addresses, Disqus usernames, sign-up dates, and last login dates in plaintext, according to the company. This breach appears to affect users who signed up between 2007 and 2012.
Recommendation: Your company should implement security policies on accounts that store any sensitive information. Multi-factor authentication can help protect trade secrets and other forms of sensitive data.
Tags: Data breach, Disqus

FreeMilk: A Highly Targeted Spear Phishing Campaign (October 5, 2017)
A new spear phishing campaign, dubbed “FreeMilk,” has been identified to have been ongoing since May 2017, according to Unit 42 researchers. The threat actors behind this campaign are compromising legitimate email accounts owned by various organizations to then conduct the spear phishing attacks. The emails contain malicious documents that leverage the Microsoft Word CVE-2017-0199 vulnerability. Researchers observed that this campaign delivers different malware payloads together with the “PoohMilk” downloader.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from colleagues, management, and business partners. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Spear phishing, FreeMilk

SYSCON Backdoor Uses FTP as a C&C Channel (October 5, 2017)
Trend Micro researchers have found a botnet that uses an unusual method for its bots to communicate to a Command and Control (C2) server. A machine infected with the “SYSCON” backdoor has been identified to use an FTP server for communication as well as a C2 server. The SYSCON backdoor is distributed by actors via malicious documents with macros. Researchers note that all the observed documents mention North Korea. The FTP server tactics can potentially allow malicious activity to be overlooked, however, this method will also leave C2 traffic open to being monitored.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox.
Tags: Phishing, Malware, SYSCON

KnockKnock Campaign Targets Office 365 Corporate Email Accounts (October 5, 2017)
Researchers have identified a campaign, dubbed “KnockKnock,” in which actors from 16 countries are targeting Office 365 corporate email accounts in specific sectors. At the time of this writing, the campaign is ongoing and targets various organizations in multiple sectors, such as financial services, healthcare, and manufacturing, around the globe. Researchers note that the actors are not targeting email accounts owned by individuals, but instead are targeting automated corporate accounts because they may not have the same level of security.
Recommendation: As researchers noted in this story, sometimes automated email accounts represent a potential target to threat actors because the security on such accounts is weaker than one operated by a real person. Your company should institute security policies on all work-related email addresses, and include security measures such as two-factor authentication.
Tags: Email compromise, Office 365, KnockKnock

Password Leak Puts Online Radio Stations at Risk of Hijack (October 4, 2017)
Researchers have discovered that the New York-based broadcast site “SoniXCast” contains a vulnerability that leaks administrator passwords. The issue resides in SoniXCast’s API, which actors can exploit to expose the passwords, which are stored in plaintext. The passwords could then potentially be used to gain full control of the 50,000 radio stations that SoniXCast has on its network. As of this writing, the vulnerability has not been discussed in great detail because of security researchers such as Troy Hunt, who said that this vulnerability is the fourth most critical on the web today.
Recommendation: Store a salted cryptographic hash of the SSN, preferably Bcrypt, and compare the hashes. Bcrypt is based on the Blowfish block cipher, which relies heavily on accesses to an alternating table that cannot be efficiently implemented on a GPU. By comparison, something like SHA-256 uses 32-bit logic operations and can therefore be handled by GPUs much more efficiently, giving attackers an edge in calculating hashes. This will reduce the risk of plaintext Social Security Numbers being leaked in the case of a breach, and also makes it difficult for threat actors to brute force the hashes.
Tags: Vulnerability, Radio station, Broadcast, SoniXCast, Password leak

Every Single Yahoo Account Was Hacked 3 Billion In All (October 4, 2017)
Verizon Wireless, the parent company of the internet services company “Yahoo!,” has stated that the Yahoo! breach of 2013 affected every single customer account that existed at the time. This includes Fantasy, Flickr, and Tumblr accounts. Verizon stated that, “The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”
Recommendation: It is important that your company and employees use different passwords for the different accounts that are being used. Previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts.
Tags: Account compromise

Apache Tomcat RCE if Readonly Set to False (CVE-2017-12617) (October 3, 2017)
The team behind the open source Java Servlet Container, “Apache Tomcat,” has announced that all versions before 9.0.1 (beta), 8.5.23, 8.0.47, and 7.0.82 contain a Remote Code Execution (RCE) vulnerability. This vulnerability, registered as “CVE-2017-12617,” can be exploited on all operating systems if the default servlet is configured with the parameter “readonly” set to “false,” or if the WebDAV servlet is enabled with the parameter “readonly” set to “false.”
Recommendation: Tomcat users who have not set “readonly” to “false” on publicly accessible Tomcat servers should not be affected by this vulnerability. Additionally, administrators should check the default configuration of Tomcat products to ensure that they are not vulnerable to this CVE.
Tags: Vulnerability, Apache Tomcat

The Flusihoc Dynasty, A Long Standing DDoS Botnet (October 3, 2017)
Arbor Networks researchers have released a report detailing a Distributed Denial-of-Service (DDoS) botnet called “Flusihoc.” The botnet has potential origins in China due to geolocations of Command and Control (C2) servers and static attributes. Researchers have identified over 500 unique samples of Flusihoc since 2015. In addition to conducting DDoS attacks, as of April 2017, Flusihoc is also capable of downloading and executing a file using the Windows API.
Recommendation: Denial of service attacks can potentially cost your company revenue because severe attacks can shut down online services for extended periods of time. With the leak of the Mirai botnet source code in October, the ability of threat actors to compromise vulnerable devices and purchase DDoS for hire is a continually evolving threat. Mitigation techniques can vary depending on the specifics of the attack. For example, in the case of BlackNurse, which can disrupt enterprise firewalls, ICMP type 3 traffic should be blocked, or at least rate limited.
Tags: Flusihoc, Botnet, DDoS

Tragic-Event-Related Scams (October 3, 2017)
The U.S. Computer Emergency Readiness Team (CERT) is warning individuals to be aware of potential scams related to the tragic event that took place in Las Vegas, Nevada. The US-CERT warns that the scams will likely be targeting individuals who wish to donate to assist victims, and victims themselves. The malicious activity could take shape in various forms such as calls, door-to-door solicitations, fraudulent websites, phishing emails, social media pleas, and texts.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful to inform employees that after a natural disaster or major political event, threat actors will theme their malicious activity around what just occurred. Individuals should check for a registered charity number if they wish to donate, and should not enter banking information on dubious-looking sites. Furthermore, always be cautious when reading email, particularly if the message urgently requests the recipient to visit a link or open an attachment.
Tags: Tragic event, Scams, Alert

Behind the Masq: Yet More DNS, and DHCP, Vulnerabilities (October 2, 2017)
Google researchers have discovered seven vulnerabilities in “Dnsmasq,” the widely deployed Domain Name System (DNS) forwarder and Dynamic Host Configuration Protocol (DHCP) server. The initial exploitation vectors are crafted DNS and DHCP traffic, and the flaws affect the latest version on the project git server as of September 5, 2017. The vulnerabilities can result in denial of service, information leaks, and remote code execution.
Recommendation: Dnsmasq users should apply the appropriate patches as soon as possible; upstream fixed the seven issues in Dnsmasq 2.78. The software commonly runs on embedded devices such as home and small-office routers, where vendor firmware updates may lag, and it typically serves only the local network. If no update is available, disable the service or restrict the interfaces it listens on until one is.
Tags: Vulnerabilities, Dnsmasq
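Finding every Dnsmasq instance that still needs the patch is the practical problem. The following is an added example, not from Google's advisory or the Dnsmasq project, that parses the first line of `dnsmasq --version` output and triages hosts against the 2.78 fix. The assumption is that only the upstream version string is available; distributions that backport fixes into an older-numbered package will show as needing a patch, which is the safe default. The host inventory is constructed for the example.

```python
"""Triage `dnsmasq --version` banners against the 2.78 fix release.

Added example, not from Google's advisory or the Dnsmasq project. Assumes the
banner is the upstream one ("Dnsmasq version 2.76  Copyright (c) ..."); hosts
whose distribution backported fixes without bumping the version will be
reported as needing a patch, which is the conservative answer.
"""
import re
import subprocess

FIXED = (2, 78)

# First line of `dnsmasq --version`: "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley"
BANNER_RE = re.compile(r"Dnsmasq version (\d+)\.(\d+)(\S*)")


def parse_version(banner):
    """Return (major, minor, suffix) from a banner, or None if it is not a dnsmasq banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def is_vulnerable(banner):
    """True if the banner predates 2.78 final. Pre-release tags of 2.78 (e.g.
    2.78test4, 2.78rc1) are treated as vulnerable because the fixes landed late."""
    parsed = parse_version(banner)
    if parsed is None:
        raise ValueError("unrecognised dnsmasq banner: %r" % banner)
    major, minor, suffix = parsed
    if (major, minor) < FIXED:
        return True
    if (major, minor) == FIXED and suffix:
        return True
    return False


def triage(banners):
    """Map host -> 'patch', 'ok' or 'review' for a dict of host -> banner string."""
    result = {}
    for host, banner in banners.items():
        try:
            result[host] = "patch" if is_vulnerable(banner) else "ok"
        except ValueError:
            result[host] = "review"   # not a dnsmasq banner; look at the host by hand
    return result


def local_banner():
    """Return the first banner line from a locally installed dnsmasq, or None."""
    try:
        out = subprocess.run(["dnsmasq", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


# Constructed inventory for the example.
SAMPLE_BANNERS = {
    "router-a": "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley",
    "router-b": "Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley",
    "router-c": "Dnsmasq version 2.78test4  Copyright (c) 2000-2017 Simon Kelley",
    "router-d": "Dnsmasq version 2.73  Copyright (c) 2000-2015 Simon Kelley",
    "router-e": "sh: dnsmasq: not found",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(host, verdict)
```

In practice the banners would be collected over SSH or from a configuration-management inventory; the triage logic stays the same. Hosts marked `review` are the ones where the binary is missing, renamed, or wrapped by vendor firmware, which on embedded devices is exactly where the unpatched copies tend to hide.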

Necurs Botnet Malspam Still Pushing “.YKCOL” Variant Locky Ransomware (October 2, 2017)
Researchers have released information on the ongoing malspam campaign from the actors behind the “Locky” ransomware. This campaign is distributing the “.ykcol” Locky variant in malspam emails, some of which claim that an attached document is an invoice, or simply a new document. The emails are sent from spoofed email addresses, according to researchers. The actors are demanding 0.6 bitcoins ($1,711.60 USD at the time of writing) for victims to decrypt their files.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, carries an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Ransomware, Locky variant, .ykcol

Etherparty Ethereum ICO Has Been Hijacked (October 2, 2017)
The smart contract creation tool company “Etherparty” has announced that its website was breached by unknown actors. The company stated that the actors replaced the contribution address on its Initial Coin Offering (ICO) website, rerouting funds to the actors instead of Etherparty. The actors had control of the website for approximately 95 minutes. Etherparty has stated that it will refund affected contributors with its proprietary FUEL token. As of this writing, it is unknown how many individuals inadvertently sent funds to the malicious actors.
Recommendation: Webmasters sometimes discover that one of their sites has been compromised months after the initial intrusion. Websites, much like personal workstations, require constant maintenance in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored for unauthorized changes and scanned for vulnerabilities; for a page that publishes a payment or contribution address, that means alerting the moment the published address differs from the one you control. The ability to restore from backup, an incident response plan, and customer communication channels should all be established before a breach occurs.
Tags: Compromise, Website
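A 95-minute window is long enough to lose contributions but short enough that a change monitor polling every minute would have caught it. The following is an added example, not Etherparty's code, of the check the recommendation describes: extract every Ethereum-style address from the fetched page and alert if any address is not in the approved set, or if the approved address is missing. The HTML and the approved address are constructed for the example and are not Etherparty's.

```python
"""Detect a swapped contribution address on a fetched ICO page.

Added example; not Etherparty's code. The HTML and the approved address are
constructed. Rule: every Ethereum-style address on the page must be approved,
and the approved address must actually be present.
"""
import hashlib
import re

# Ethereum addresses are 0x followed by 40 hex characters.
ETH_ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed approved address (example value only).
APPROVED = {"0x1111111111111111111111111111111111111111"}


def extract_addresses(html):
    """Set of Ethereum-style addresses found in the page, lower-cased for comparison."""
    return {a.lower() for a in ETH_ADDR_RE.findall(html)}


def check_page(html, approved=APPROVED):
    """Return (ok, unexpected_addresses, missing_approved_addresses).

    ok is False when an address outside `approved` appears (possible hijack)
    or when an approved address is absent (page replaced, broken or emptied).
    """
    found = extract_addresses(html)
    approved_lc = {a.lower() for a in approved}
    unexpected = sorted(found - approved_lc)
    missing = sorted(approved_lc - found)
    return (not unexpected and not missing), unexpected, missing


def content_fingerprint(html):
    """SHA-256 of the page body, for a coarser 'did anything change at all' alert."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed pages: the legitimate one, and one where only the address was swapped.
GOOD_PAGE = """<html><body><h1>Token sale</h1>
<p>Send ETH to: <code>0x1111111111111111111111111111111111111111</code></p>
</body></html>"""

HIJACKED_PAGE = GOOD_PAGE.replace(
    "0x1111111111111111111111111111111111111111",
    "0x2222222222222222222222222222222222222222")

if __name__ == "__main__":
    print(check_page(GOOD_PAGE))      # (True, [], [])
    print(check_page(HIJACKED_PAGE))  # (False, ['0x2222...'], ['0x1111...'])
```

The address check is the one that matters: a full-page hash changes on every legitimate content edit and trains operators to ignore it, whereas the set of addresses on a sale page should never change without a deliberate release. Run the fetch from outside your own network, since an attacker who controls the web server or its CDN configuration can serve different content to different clients.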

Study Concludes an Additional 2.5 Million Americans Affected by Equifax Breach (October 2, 2017)
The U.S. credit bureau “Equifax” has acknowledged that an additional 2.5 million Americans were affected by the breach announced on September 7, 2017. The total number of individuals whose Personally Identifiable Information (PII) was exposed is now approximately 145.5 million. The security firm “Mandiant,” hired by Equifax to investigate the breach, also found that the number of affected Canadian residents is closer to 8,000 than the roughly 100,000 first estimated.
Recommendation: With nearly half of the U.S. population affected by this breach, individuals should check whether they are affected at “https://www.equifaxsecurity2017.com/potential-impact/”. Additionally, individuals should regularly review their credit reports and statements in order to identify potential fraudulent activity.
Tags: Data Breach, Equifax, PII

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. It first appeared in early 2016 and is strongly correlated with the cyber criminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments whose macros retrieve and then execute Locky, and ZIP files containing JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with the .locky or .zepto extension.
Tags: Locky, Ransomware
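Both the .ykcol campaign above and this tool tip share one host-side symptom: a single process renames many files to a new extension in seconds. The following is an added example, not from the Locky analyses this briefing cites, of two detections over file-rename events: an exact match on the extensions the briefing names (.locky, .zepto, .ykcol), and a burst rule that flags any process renaming many files to one new extension within a short window, which catches variants that change the extension. The event format, the thresholds and the sample events are constructed for the example.

```python
"""Flag Locky-style mass renames from file-system rename events.

Added example; not from the Locky write-ups cited in the briefing. Events are
constructed tuples (iso_timestamp, pid, old_path, new_path). The thresholds
are assumptions to tune against your own endpoint telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os

LOCKY_EXTENSIONS = {".locky", ".zepto", ".ykcol"}   # named in the briefing
BURST_COUNT = 20                  # assumed: renames to one new extension ...
BURST_WINDOW = timedelta(seconds=10)  # ... by one process inside this window


def new_extension(old_path, new_path):
    """Extension the file gained in the rename, or None if it kept its extension."""
    old_ext = os.path.splitext(old_path)[1].lower()
    new_ext = os.path.splitext(new_path)[1].lower()
    return new_ext if new_ext and new_ext != old_ext else None


def known_locky_renames(events):
    """Events whose new extension is one of the known Locky extensions."""
    return [e for e in events if new_extension(e[2], e[3]) in LOCKY_EXTENSIONS]


def rename_bursts(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Return {(pid, new_ext)} for processes that renamed >= `count` files to the
    same new extension within `window`, whatever that extension is."""
    by_key = defaultdict(list)
    for ts, pid, old_path, new_path in events:
        ext = new_extension(old_path, new_path)
        if ext:
            by_key[(pid, ext)].append(datetime.fromisoformat(ts))
    flagged = set()
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= count:
                flagged.add(key)
                break
    return flagged


def build_sample():
    """Constructed events: one encrypting process and a few benign user renames."""
    base = datetime(2017, 10, 2, 9, 0, 0)
    events = []
    # Process 4242 renames 25 documents to .ykcol within five seconds.
    for i in range(25):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        events.append((ts, 4242, "C:/Users/a/Docs/report%02d.docx" % i,
                       "C:/Users/a/Docs/%032X.ykcol" % i))
    # Benign renames by an interactive user, spread over minutes.
    events.append(((base + timedelta(minutes=1)).isoformat(), 1001,
                   "C:/Users/a/Docs/notes.txt", "C:/Users/a/Docs/notes.md"))
    events.append(((base + timedelta(minutes=2)).isoformat(), 1001,
                   "C:/Users/a/Docs/a.tmp", "C:/Users/a/Docs/a.txt"))
    # Same extension kept: not a new-extension event at all.
    events.append(((base + timedelta(minutes=3)).isoformat(), 1001,
                   "C:/Users/a/Docs/b.txt", "C:/Users/a/Docs/c.txt"))
    return events


if __name__ == "__main__":
    sample = build_sample()
    print(len(known_locky_renames(sample)))  # 25
    print(rename_bursts(sample))             # {(4242, '.ykcol')}
```

The extension list will always lag the actors, who have rotated .locky, .zepto and now .ykcol; the burst rule does not care what the new extension is, only that one process is rewriting documents wholesale, so it is the one worth wiring to an automatic host isolation action.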

Source: Honeypot Tech

HakTip 165 – Monitoring System Resources Pt 2: Linux Terminal 201

Monitoring system resources via the Linux terminal!

Source: Security news

Source: Zologic