WTB: German Spy Agency Warns of Chinese LinkedIn Espionage

The intelligence in this week’s iteration discusses the following threats: APT, Banking trojan, Botnet, Data leak, Malspam, Malvertising, Pre-installed keylogger, Ransomware, Targeted attacks, Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

German Spy Agency Warns of Chinese LinkedIn Espionage (December 10, 2017)
The German intelligence agency, the Federal Office for the Protection of the Constitution (BfV), has stated that Chinese intelligence is using the networking website “LinkedIn” to target approximately 10,000 Germans. The BfV released information regarding multiple fake LinkedIn profiles it discovered and believes that the accounts are evidence of China’s efforts to spy on, and possibly recruit, German individuals and to subvert German politics.
Tags: Targeted attacks, LinkedIn

Pre-Installed Keylogger Found On Over 460 HP Laptop Models (December 8, 2017)
A security researcher going by the name “ZwClose” has released information regarding a pre-installed keylogger located in the “Synaptics” touchpad driver. The Synaptics driver is shipped with HP machines, and approximately 460 HP models were observed to contain this keylogging feature. Researchers note that the keylogger feature is disabled by default; however, threat actors could use open source tools for bypassing User Account Control to enable the keylogger “by setting a registry value.”
Tags: Pre-Installed threat, Keylogger, HP

A Peculiar Case of Orcus RAT Targeting Bitcoin Investors (December 7, 2017)
As the value of the “Bitcoin” cryptocurrency continues to increase (approximately $17,740 USD as of this writing), threat actors are correspondingly increasing their efforts to target Bitcoin investors. Fortinet researchers have found that actors are targeting Bitcoin investors with a Remote Access Trojan (RAT) called “Orcus” via a phishing campaign. The phishing emails purport to be an announcement of a new, legitimate bitcoin trading bot called “Gunbot.” The email attachment contains a VB script that, when executed, downloads a file impersonating a .jpeg. The .jpeg file is actually a portable executable binary. The executable was found to be a trojanized version of an open source inventory tool called “TTJ-Inventory System.” Inside this malicious version, researchers discovered the “Orcus” RAT, which is advertised as a Remote Access Tool created by Orcus Technologies. Orcus has numerous features and commands that it can run; however, researchers note that what sets Orcus apart is its ability to load custom plugins.
Tags: Targeted attacks, Bitcoin investors, Malspam, Orcus RAT

New Targeted Attack in the Middle East by APT34, A Suspected Iranian Threat Group, Using CVE-2017-11882 (December 7, 2017)
FireEye researchers have published a report regarding a new Advanced Persistent Threat (APT) group they have dubbed “APT34.” The group is believed to be based in Iran, and has been observed exploiting a Microsoft Office vulnerability (CVE-2017-11882) that Microsoft patched on November 14, 2017. The vulnerability was exploited while attacking an unnamed government organization in the Middle East. Researchers believe that the APT group has been conducting a long-term cyber espionage campaign to benefit Iranian national interests. The group is believed to have been active since at least 2014. The group was observed using spear phishing emails that attempt to drop public and custom malicious tools, such as the group’s custom PowerShell backdoor, to achieve its goals.
Tags: APT, APT34, Targeted attacks

Master Channel: The Boleto Mestre Campaign Targets Brazil (December 7, 2017)
Palo Alto Networks Unit 42 researchers have discovered a new malspam campaign, dubbed “The Boleto Mestre Campaign” because the links and attachments in the emails masquerade as “Boleto Bancário.” Boleto Bancário is an official payment method that is regulated by the Central Bank of Brazil. Researchers have observed over 260,000 emails with this theme since June 2017. The objective of the campaign is to trick a user into following a malicious link or opening a document that infects the recipient with an information-stealing trojan.
Tags: Malspam, Boleto Bancario-themed, Data theft

Mailsploit: It’s 2017, and You Can Spoof The “From” in Email to Fool Filters (December 6, 2017)
Penetration tester Sabri Haddouche has discovered that more than 30 email clients are vulnerable to email source spoofing. The vulnerability has been dubbed “Mailsploit.” The email clients are vulnerable to spoofing because of improper implementation of Request For Comments (RFC) 1342 (which dates back to 1992), which can allow source spoofing that bypasses spam filters and security features such as Domain-based Message Authentication, Reporting and Conformance (DMARC). RFC 1342 covers the representation of non-ASCII characters in Internet message headers. Haddouche identified that the mail client interfaces do not properly sanitize a non-ASCII string after it is decoded.
Tags: Vulnerability, Mailsploit, Email clients
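As an added example (not Haddouche's code and not part of this bulletin), the check below performs the step the story says clients skip: it decodes the RFC 1342/2047 encoded-words in a From: header and refuses to trust a display name that contains control characters or itself reads like an address. The sample headers are constructed for the example.

```python
"""Sanity-check the decoded display name of a From: header before it is
rendered or matched against allow-lists. Added example; not Sabri
Haddouche's code. Sample headers below are constructed."""
from email.header import Header, decode_header, make_header
from email.utils import parseaddr
from typing import List, Tuple


def decode_from(raw_from: str) -> Tuple[str, str]:
    """Split a From: value into (decoded display name, address)."""
    display, addr = parseaddr(raw_from)
    # decode_header understands the =?charset?encoding?text?= encoded-words
    # of RFC 2047 (successor of RFC 1342); make_header joins the chunks.
    decoded = str(make_header(decode_header(display)))
    return decoded, addr


def check_from(raw_from: str) -> List[str]:
    """Reasons the decoded display name must not be shown as-is; empty list means clean."""
    name, addr = decode_from(raw_from)
    problems: List[str] = []
    # Control characters survive decoding and are what confuses rendering code.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        problems.append("control character in decoded display name")
    # A display name that itself reads like an address can pass for the sender.
    if "@" in name:
        problems.append("decoded display name contains '@'")
    # The address part must be exactly one mailbox.
    if addr.count("@") != 1:
        problems.append("address part is not a single mailbox")
    return problems


def encoded_display(name: str) -> str:
    """Encode a display name as a UTF-8 encoded-word (used only to build the samples)."""
    return Header(name, "utf-8").encode()


# Constructed sample headers, not messages from the bulletin.
SAMPLE_LEGIT = f"{encoded_display('Jürgen Müller')} <juergen@example.org>"
SAMPLE_SUSPICIOUS = f"{encoded_display('ceo@bank.example')} <billing@example.net>"

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_SUSPICIOUS):
        print(sample, "->", decode_from(sample), check_from(sample) or "ok")
```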

StorageCrypt Ransomware Infecting NAS Devices Using SambaCry (December 5, 2017)
A new ransomware, dubbed “StorageCrypt,” is targeting Network-Attached Storage (NAS) devices, according to Bleeping Computer researchers. The threat actors behind this campaign are using the Linux Samba vulnerability “SambaCry”; Samba is a suite of programs that provides Windows-compatible file and print services on Linux and Unix. Exploitation of the vulnerability allows an actor to open a command shell on the affected machine that can be used to download files and execute commands. The actors are demanding a ransom of anywhere between 0.4 (approximately $6,356 USD) and 2 (approximately $31,779 USD) bitcoins for the decryption key.
Tags: Ransomware, StorageCrypt, Vulnerability, SambaCry

Quantize or Capitalize (December 5, 2017)
Forcepoint researchers have found that the “Quant” trojan loader, usually used to distribute “Locky” ransomware and the information-stealing malware “Pony,” has added new features to its malicious capabilities. Quant is now able to steal credentials as well as various cryptocurrencies, including Bitcoin, Peercoin, Primecoin, and Terracoin. The credential-stealing feature is implemented via a Delphi-based library that is capable of stealing operating system and application login credentials.
Tags: Malware, Downloader, Quant, Credential theft

Virtual Keyboard Developer Leaked 31 Million Client Records (December 5, 2017)
A MongoDB database that appears to belong to the Tel Aviv-based startup company “AI.Type” was configured for public access which exposed approximately 31 million user records, according to the Kromtech Security Center. The company designed a virtual keyboard that works on mobile devices for both Android and iOS. The exposed database contained 557 gigabytes of data that consists of user registration records in addition to information that was entered onto the keyboard.
Tags: Misconfigured database, MongoDB, Data leak

Dridex is Back, Baby! – Necurs Botnet Malspam Pushes Dridex (December 4, 2017)
Researchers have discovered that the “Necurs” botnet has resumed its distribution of the “Dridex” banking malware. Researchers note that the last occurrence of Necurs distributing Dridex was identified in June 2017, and that this Necurs campaign is separate from the “Globeimposter” ransomware campaign. The emails purport to discuss a credit card payment and provide a link to receive confirmation of the payment. If the link is followed, it retrieves a malicious Word document. Inside the document is an embedded object that generates up to four URLs to retrieve the Dridex installer.
Tags: Malspam, Botnet, Necurs, Banking trojan, Dridex

Apache Software Foundation Releases Security Updates (December 4, 2017)
An alert has been released by the United States Computer Emergency Readiness Team (US-CERT) concerning vulnerabilities in Apache products. Specifically, the vulnerabilities are located in Apache Struts versions 2.5 through 2.5.14. US-CERT states that an actor could exploit one of these vulnerabilities to take control of an affected system. One of the vulnerabilities can be exploited by an actor via a custom JSON request to cause a Denial-of-Service (DoS) when an outdated json-lib is used with the Struts REST plugin. The second vulnerability is located in the Jackson JSON library; however, the impact of that issue is, as of this writing, still being researched.
Tags: Alert, Vulnerabilities, Apache

Mozilla Releases Security Update for Firefox (December 4, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in the Mozilla Firefox web browser. US-CERT states that a remote threat actor could exploit these vulnerabilities to take control of an affected system. The vulnerabilities, registered as “CVE-2017-7843” and “CVE-2017-7844,” involve, respectively, Private Browsing mode storing data across multiple private browsing sessions, and an external SVG image referenced on one page whose coloring of anchor links can be used to determine which pages a user has in their history.
Tags: Alert, Vulnerabilities, Mozilla, Firefox web browser

Necurs Botnet Malspam Pushed Globeimposter Ransomware (December 4, 2017)
Researchers have observed that the “Necurs” botnet, known for distributing “Locky” ransomware, is currently distributing the “Globeimposter” ransomware. The ransomware is being distributed via malspam that contains malicious attachments. The emails purport that a message is ready to be sent with the following file or link attachments, or that an attached file is a confirmation of a credit card payment per the recipient’s request. Opening the attachment begins the infection process for Globeimposter. The threat actors behind this campaign are demanding 0.088 Bitcoin (approximately $1,037 USD) for the decryption key.
Tags: Malspam, Botnet, Necurs, Ransomware, Globeimposter

Seamless Campaign Serves RIG EK via Punycode (December 4, 2017)
Malwarebytes Labs researchers have published information on the history and current activity of the “Seamless” malvertising campaign. The Seamless campaigns are known for almost exclusively distributing the “Ramnit” banking trojan via the RIG exploit kit. Threat actors are currently running two Seamless campaigns simultaneously: one that uses static strings and IP-literal URLs (URLs that skip DNS), and another that uses special characters. In the latter campaign, actors are using a Cyrillic-based domain name that is then transcribed via “Punycode” (the encoding used to represent Unicode domain names in ASCII). According to researchers, the malvertisements are typically distributed via adult portals that redirect to malicious domains to begin the infection process for Ramnit.
Tags: Malvertising, Seamless campaign, RIG EK, Trojan, Ramnit
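A defender's check for the Punycode trick described above, added here as an example and not code from Malwarebytes or Anomali: it decodes xn-- labels from hostnames (as they appear in proxy or DNS logs) and flags labels that mix scripts or consist only of Cyrillic letters that render like Latin ones. The hostnames are constructed samples, not indicators from this bulletin.

```python
"""Flag Punycode (xn--) hostnames whose decoded labels mix scripts or are
spelled entirely with Latin-lookalike Cyrillic letters. Added example;
sample hostnames are constructed, not indicators from the bulletin."""
import unicodedata
from typing import List, Set, Tuple

# Lowercase Cyrillic letters that render like Latin a, e, o, p, c, y, x
# (a constructed, deliberately small list; real confusable tables are larger).
LATIN_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445")


def decode_label(label: str) -> str:
    """Decode one IDNA label; labels without the xn-- prefix are returned unchanged."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed Punycode: keep the raw label so it is still reported


def scripts_in(text: str) -> Set[str]:
    """Scripts used by the letters in text, taken from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def assess_host(host: str) -> Tuple[str, List[str]]:
    """Return (decoded hostname, reasons it looks deceptive); empty reasons means no finding."""
    labels = [decode_label(part) for part in host.split(".")]
    decoded = ".".join(labels)
    reasons: List[str] = []
    if decoded == host:
        return decoded, reasons  # plain ASCII hostname, nothing to inspect
    for label in labels:
        scripts = scripts_in(label)
        if len(scripts) > 1:
            reasons.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        letters = [c for c in label if c.isalpha()]
        if letters and all(c in LATIN_LOOKALIKES for c in letters):
            reasons.append(f"label {label!r} is made only of Latin-lookalike Cyrillic letters")
    return decoded, reasons


def scan_hosts(hosts: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run assess_host over hostnames pulled from logs and keep only the hits."""
    hits = []
    for host in hosts:
        decoded, reasons = assess_host(host)
        if reasons:
            hits.append((host, decoded, reasons))
    return hits


def to_punycode_host(unicode_host: str) -> str:
    """Encode a Unicode hostname label-by-label into xn-- form (used only to build samples)."""
    out = []
    for part in unicode_host.split("."):
        out.append(part if part.isascii() else "xn--" + part.encode("punycode").decode("ascii"))
    return ".".join(out)


# Constructed sample hostnames. The escaped letters are Cyrillic; in a
# browser bar they would read as "cocoa" and "paypal".
SAMPLE_HOSTS = [
    "cdn.example.net",
    to_punycode_host("\u0441\u043e\u0441\u043e\u0430.example"),  # all-Cyrillic lookalike label
    to_punycode_host("\u0440\u0430ypal.example"),                # two Cyrillic letters, rest Latin
    to_punycode_host("m\u00fcnchen.example"),                    # legitimate Latin-script IDN
]

if __name__ == "__main__":
    for host, decoded, reasons in scan_hosts(SAMPLE_HOSTS):
        print(host, "->", decoded, ";", "; ".join(reasons))
```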

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

RIG exploit kit Tool Tip
The RIG exploit kit is a framework used to exploit client-side vulnerabilities in web browsers. It takes advantage of vulnerabilities in Internet Explorer, Adobe Flash, Java and Microsoft Silverlight. RIG was first observed in early 2014. Its objective is to upload malicious code to the target system, and it is known to distribute ransomware, spambots and backdoors. Victims are redirected to the RIG exploit kit landing page from malvertising or compromised sites.
Tags: RIG, exploitkit

Source: Honeypot Tech

Wi-Fi Maintenance Update

Hello WatchGuard Wi-Fi Cloud Users,

We are planning a brief maintenance on Friday December 8, 2017 between 7:00PM and 8:00PM Pacific Time to deploy improvements to the Wi-Fi Cloud.

During the maintenance window, access to the Wi-Fi Cloud Dashboard will be down for maintenance (approximately 15 minutes). Your access points and splash pages will continue to pass client traffic and will not be interrupted. 

If you have any questions regarding the update, please visit www.watchguard.com/support


WatchGuard Wi-Fi Cloud Team

Source: WatchGuard

What Slugs in a Garden Can Teach Us About Security

Design principles observed in nature serve as a valuable model to improve organizations’ security approaches.
Source: Vulnerabilities & Threats

Rutkowska: Trust Makes Us Vulnerable

Offensive security researcher Joanna Rutkowska explains why trust in technology can put users at risk.
Source: Vulnerabilities & Threats

What is Threat Intelligence?

Written by Steve Miller and Payton Bush

Threat intelligence is a subset of intelligence focused on information security. Gartner (sorry, people) defines threat intelligence as “evidence-based knowledge…about an existing or emerging menace or hazard…to inform decisions regarding the subject’s response to that menace or hazard.” In short, threat intelligence is curated information intended to inform you and help you make better decisions about how to stop bad things from happening to you.

There are a few schools of thought and several sets of vernacular used to describe cyber threat intelligence. But there are generally three “levels” of cyber threat intelligence: strategic, operational and tactical. Some of the similarities and differences between these kinds of intelligence are summarized below:

Collecting each flavor of intelligence is important because they serve different functions.

Type | Tagline | Half-life of utility (for good guys and bad guys) | Focus | Built on the analysis of | Output data types
--- | --- | --- | --- | --- | ---
Strategic | | Long (multiyear) | Non-technical | Big campaigns, groups, multi-victim intrusions (and operational intel) | Long-form writing about: victimology, YoY methodology, mapping intrusions and campaigns to conflicts, events and geopolitical pressures
Operational | | Medium (one year plus) | Mixed (both really) | Whole malware families, threat groups, human behavior analysis (and tactical intel) | Short-form writing, bulleted lists, about: persistence and comms techniques, victims, group profiles, family profiles, TTP descriptions, triggers, patterns, and methodology rules
Tactical | What? | Short (months) | Technical | Security events, individual malware samples, phishing emails, attacker infrastructure | Atomic and machine-readable indicators such as IPs, domains, IOCs, “signatures”

Analysts deal with a lot of alerts. Alerts enriched with tactical intelligence provide more context and help analysts determine which threats are worth worrying about and which can safely be ignored. These atomic indicators are often changed quickly though, making it important to also incorporate operational and strategic intelligence into decisions.

Operational intelligence helps fuel meaningful detection, incident response and hunting programs. For example, it can help identify patterns in attacks from which we can create logical rules in our security systems that detect malicious activity rather than only specific indicators.

Strategic intelligence can help with assessing and mitigating current and future risks to organizations. For example, a corporation releasing a new product or completing a merger will want to understand not only the potential impact but also the associated risks. This intelligence is particularly useful for people in leadership roles such as CISOs and executive leadership who must justify budgets and make better informed investment decisions.

The sum of these different kinds of threat intelligence is the ability to make informed decisions on how to proactively and reactively respond to threats. This includes what solutions to use, how they should be leveraged, and even just who to keep tabs on.

Check back in January for a deeper look into what these three kinds of intelligence look like and how they’re used.

Source: Honeypot Tech

6 Personality Profiles of White-Hat Hackers

From making the Internet safer to promoting their security careers, bug bounty hunters have a broad range of motivators for hacking – most just like the challenge.
Source: Vulnerabilities & Threats

Improve Signal-to-Noise Ratio with 'Content Curation:' 5 Steps

By intelligently managing signatures, correlation rules, filters and searches, you can see where your security architecture falls down, and how your tools can better defend the network.
Source: Cyber Monitoring

WTB: Phishers Target Panicking PayPal Users with Fake “Failed Transaction” Emails

The intelligence in this week’s iteration discusses the following threats: Backdoor, Data breach, Data theft, Malspam, Misconfigured bucket, Phishing, RAT, Spyware, Trackers, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

PayPal Says 1.6 Million Customer Details Stolen in Breach at Canadian Subsidiary (December 3, 2017)
The American online payment company, “PayPal,” has confirmed that a Canadian subsidiary suffered a data breach in November 2017. The subsidiary, “TIO Networks,” was purchased by PayPal in July 2017, and is responsible for running a network of over 60,000 utility bill payment kiosks across North America. The unknown threat actors were able to gain access to Personally Identifiable Information (PII) associated with approximately 1.6 million TIO customers and customers of TIO billers. In addition, PayPal stated that some financial details were also likely accessed; however, the specific details of all of the data that was accessed have not yet been released.
Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing actors from using stolen data to make illicit purchases or apply for financial services. Furthermore, TIO is offering its customers free credit monitoring services, and users should visit TIO’s website (http://www.tionetworks.com/) for additional details.
Tags: Data breach, Data theft, TIO Networks

Phishers Target Panicking PayPal Users with Fake “Failed Transaction” Emails (December 1, 2017)
A new phishing campaign has been discovered to be targeting PayPal customers, according to Malwarebytes researchers. The emails purport that the recipient’s transaction cannot be verified, or that the recipient’s payment process cannot be completed. The text of the email attempts to scare the recipient by claiming that the account password has been changed, or that changes have been identified that are different than the recipient’s typical selling activities. The emails provide a link that directs a recipient to a fake PayPal landing page which then attempts to direct the user to a “resolution center.” The resolution center page requests various data be entered such as city, country, date of birth, mother’s maiden name, name, street address, and zip code. Other requested information includes credit card data such as expiration code, name, number, and security code.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Emails that request that the recipient follow a link that then asks for credentials to be entered are often an indicator of a phishing attack.
Tags: Data breach, PII, National Credit Federation

Credit Crunch: Detailed Financial Histories Exposed for Thousands (November 30, 2017)
On October 3, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services (AWS) S3 cloud storage bucket that contained sensitive information and was configured for public access. The bucket was found to be owned by the United States credit repair service the National Credit Federation (NCF). The data that was publicly available for download consists of addresses, bank account numbers, credit card numbers, credit card reports (from Equifax, Experian, and TransUnion), dates of birth, driver’s license images, full names, personalized credit reports, and social security card images. Overall the data amounts to 111 gigabytes and is believed to be associated with approximately 40,000 individuals.
Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing actors from using stolen data to make illicit purchases or apply for financial services. As of this writing, it is unknown whether threat actors downloaded the data; however, appropriate precautions should be taken to mitigate the possibility of malicious activity.
Tags: Misconfigured AWS bucket, Data leak, PII

Uber Breach Affected 2.7 Million UK Users (November 30, 2017)
The global transport company, “Uber,” has released additional information regarding a security breach that took place in late 2016. Uber only confirmed that a breach had occurred in late November 2017. After the breach took place in 2016, Uber reportedly paid the threat actors responsible for the breach, which affected approximately 57 million riders and drivers, $100,000 USD to destroy the stolen data instead of contacting the appropriate authorities. The stolen data consists of email addresses, full names, and phone numbers, in addition to approximately 600,000 Uber driver’s license numbers. The new information bodes more bad news for the company, as it now states that approximately 2.7 million U.K. residents are also affected by the breach.
Recommendation: At the time of this writing, Uber has not confirmed whether financial data may have been stolen during this incident. However, as Uber has proven, it is not best to rely on a company that does not inform its users of a breach so that they may take steps to protect themselves. Uber users should change their passwords for their accounts as soon as possible, and any other account that uses the same password (every account should use a different password). Furthermore, regular credit card statement monitoring should be common practice to assist in identifying potentially malicious activity.
Tags: Data breach, Data theft, Uber

Fake Windows Troubleshooting Scam Uploads Screen Shots & Uses PayPal (November 29, 2017)
Researchers have discovered a new technical support scam that is targeting Windows operating system users. Threat actors are distributing this scam via a cracked software installer, according to Malwarebytes researcher, Djordje Lukic. The scam begins by showing a Windows user a fake Blue Screen of Death (BSOD), followed by displaying an application that purports to be a Troubleshooter for Windows. The “troubleshooter” application will then present a user with a screen that states that the computer cannot be fixed. It will also block the user from using Windows. Lastly, the actors behind this scam will then prompt the user to purchase a program via PayPal for $25 USD to fix the “issues” that were detected.
Recommendation: Technical support scams are common threats facing individuals and companies alike. However, this scam is a screen locker rather than the often observed phone number provided to contact an individual to assist in “fixing” the “issue.” Oftentimes there are research blogs that provide instructions to remove malware related to these types of scams from an infected machine. This story also depicts the potential dangers in downloading software installers. All downloads should be carefully vetted prior to installation, particularly free versions.
Tags: Tech support scam, Windows

Cisco Releases Security Updates (November 29, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in Cisco’s online meeting software “WebEx,” specifically in the WebEx Network Recording Players for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files. US-CERT states that a remote threat actor could exploit these vulnerabilities to take control of an affected system.
Recommendation: The US-CERT recommends that WebEx users and administrators visit Cisco’s security advisory located at “https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171129-webex-players” and apply the necessary updates.
Tags: Alert, Vulnerabilities, Cisco

UBoatRAT Navigates East Asia (November 28, 2017)
Palo Alto Networks Unit 42 researchers have identified attacks in which actors are using a new, custom Remote Access Trojan (RAT) dubbed “UBoatRAT.” The first discovery of UBoatRAT occurred in May 2017, and in this iteration the actors behind the malware have added new malicious features. This variant is distributed via links that direct to Google Drive, followed by executables masquerading as a folder, a Microsoft Excel spreadsheet, or Microsoft Word files. While researchers have not yet been able to pinpoint specific targets for this malware, they have discovered that the individuals and organizations targeted are typically associated with South Korea or the video games industry.
Recommendation: Malware authors are always implementing different methods of communicating back to the control servers. Always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
Tags: Malware, RAT, UBoatRAT, Google Drive

Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection (November 28, 2017)
A newly observed Ursnif variant has been seen employing Thread Local Storage (TLS) callbacks in an attempt to avoid sandbox and analyst detection. TLS allows Microsoft Windows to define data objects that are not placed on the stack; the TLS directory that describes them is referenced from the PE header. Ursnif registers TLS callback functions, which initialize and clear TLS data, and so executes code before the “start” of the program to unpack DLL files stealthily. The malware is delivered by spear phishing emails containing a link that downloads the malware from a compromised SharePoint account.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, or comes with an urgent label. As shown in this story, if the email suggests you access a resource that is meant to be viewed through the browser, but downloads a file instead, delete the file immediately. If the message appears to come from a person within the company, check with them first to make sure they sent the email. Employ email signing techniques for authentication. Since this technique is meant to evade sandboxes and signatures, use up-to-date anti-spam and antivirus protection.
Tags: Malware, Ursnif variant

Pro Tip: You Can Log Into macOS High Sierra as Root With No Password (November 28, 2017)
Developer Lemi Orhan Ergin has released information via Twitter regarding a security issue that affects macOS High Sierra. The issue can be exploited by anyone who has physical access to the machine. An individual simply needs to navigate to System Preferences, Users & Groups, click the lock to make changes, and then use “root” as the username while leaving the password field blank. After clicking “Unlock” several times, an individual can gain administrator rights to that machine.
Recommendation: Researchers note that this vulnerability cannot be exploited in High Sierra if a user has set a root password for the machine. Users who have not set a root password are vulnerable. It is crucial that your company has policies in place regarding administrator accounts. All work-related machines should have complex root passwords in place. In addition, employees should be in the habit of putting their work machines into sleep mode when not in use to prevent unauthorized access to potentially sensitive data. Furthermore, Apple has released a patch for this vulnerability that should be applied as soon as possible if it has not been already.
Tags: Vulnerability, macOS, High Sierra

No Patch Available for RCE Bug Affecting Half of the Internet’s Email Servers (November 28, 2017)
The team behind “Exim,” a Mail Transfer Agent (MTA), has issued an alert on their website warning that its product contains two vulnerabilities. The vulnerabilities reside in Exim’s most recent versions, 4.88 and 4.89. The critical vulnerability, registered as “CVE-2017-16943,” is a “use-after-free” (an attempt to access memory after it has been freed) vulnerability and can be exploited to allow arbitrary code execution on affected servers. Security researchers believe that as many as 400,000 email servers may be affected.
Recommendation: The Exim team has released a patch that addresses both of these vulnerabilities. Immediately update to version 4.89.1 or apply the team’s workaround to block an attack from being performed: in the main section of the Exim configuration, set “chunking_advertise_hosts=”. The empty value disables advertising the ESMTP CHUNKING extension, which keeps an attacker from reaching the vulnerable code path. According to a survey conducted in March 2017, 56% of the entire Internet’s email servers run Exim. Furthermore, public proof-of-concept code for this exploit has been released, which increases the likelihood that threat actors will attempt to exploit this vulnerability.
Tags: Vulnerability, RCE, Email servers, Exim

Researchers Identify 44 Trackers in More Than 300 Android Apps (November 28, 2017)
Researchers from Yale Privacy Lab and Exodus Privacy have released information from their collaborative report regarding third-party tracking in Android mobile applications. The two teams identified tracking scripts in both popular and less popular Android applications, which sometimes track a user without his/her consent. Overall it was discovered that over 300 Android applications contain 44 different forms of trackers. Researchers note that some applications contain trackers that only collect application crash reports, such as Google’s Crashlytics, while other trackers collect application usage information, some of which was noted to be sensitive in nature.
Recommendation: Always keep your mobile phone fully patched with the latest security updates and employ trusted antivirus software. Use the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application will request and comments from others who have downloaded the application.
Tags: Android, Mobile, Trackers, Applications

Phishing Scam Cashing in on Water Refunds (November 28, 2017)
A phishing campaign is targeting customers of the Irish water services company “Irish Water,” according to ESET researchers. The actors behind this campaign are attempting to generate illicit revenue by using phishing emails that purport to be Irish Water requesting the recipient to perform account maintenance. The email provides a link for the recipient to “log in” to their Irish Water account. If the link is followed, a prompt will appear that requests a user to “update” their credit and debit card information.
Recommendation: Impersonation of legitimate entities is a commonly used tactic by threat actors in malspam and phishing campaigns. It is important to educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened.
Tags: Phishing, Theft, Irish Water

Tizi: Detecting and Blocking Socially Engineered Spyware on Android (November 27, 2017)
The Google Play Protect security team has discovered a new form of Android malware, dubbed “Tizi,” which was first found in September 2017. Tizi is a fully featured backdoor that is used by threat actors to install other malware designed to steal sensitive information from popular social media applications. Additionally, Tizi is capable of exploiting multiple vulnerabilities to root a device. Worryingly, researchers also found that the malware dates back to at least October 2015, indicating that some users could have been infected with Tizi for nearly two years. The Tizi creator also created a website and social media accounts to advertise malicious applications. This malware primarily targets African countries, specifically Kenya; however, other countries such as the U.S. were also found to have Tizi infections.
Recommendation: Google has since disabled Tizi-infected applications and has stated that it has also notified users of all known affected devices. Users should carefully review all permissions that an application requests prior to installation. In addition, applications should be downloaded from official locations to better avoid potentially malicious applications.
Tags: Android, Mobile, Spyware, Malware, Backdoor, Tizi

Source: Honeypot Tech

Fireware 12.0.2 is now available

Fireware 12.0.2 General Availability
We are pleased to announce the General Availability (GA) of Fireware 12.0.2 and WSM 12.0.2 today. These releases, which are now available at the software download center, resolve several issues that had been reported from the field. Since these are maintenance releases, there are no new features included. Please review the Release Notes for a comprehensive list of issues that are addressed. Notable highlights include:

  • A fix for an issue that caused some websites to fail to load correctly when using Microsoft Internet Explorer 11 or Edge browser.
  • An option to mitigate the KRACK WPA2 vulnerability for client connections to wireless Fireboxes. 

WatchGuard partners and customers should review the Release Notes and What’s New presentations prior to upgrading. 

Does this release pertain to me?
The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W, XTM 505, 510, 520, and 530 which have reached the End of Life.

AV Signatures in 11.x releases
WatchGuard will discontinue support for AV signatures for the older AVG engine in Fireware 11.x by April 2018. Customers with active Gateway Antivirus subscriptions should update to a 12.x release before then. 

Software Download Center
Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center. 

For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.

Source: WatchGuard

Deception: Why It's Not Just Another Honeypot

The technology has made huge strides in evolving from limited, static capabilities to adaptive, machine learning deception.
Source: Vulnerabilities & Threats