10 Reasons to be Thankful for a Security Analyst

The global number of internet users hit 3.8 billion in 2017, and is expected to reach 6 billion by 2022. We’re rapidly approaching the point where people without access to the internet will be in the minority, and where the internet is not only accessible but also ingrained into daily life. Succinctly stated, this is a pretty exciting time for humans.

However, with these technological advancements also comes the sobering realization that more access for the layman means more access for cyber criminals. These people are responsible for over $5 billion in damages in 2017 alone, as well as countless other non-financially related incidents.

Luckily, we have people out on the front lines already – Security Analysts. The title covers a range of specific job functions, but each one contributes in some way to the defense of individuals, organizations, and nations. This Thanksgiving we’d like to give thanks to these hardworking individuals. There are as many reasons to be thankful for an analyst as there are threat alerts in a day, but for the sake of brevity here are ten of our favorites:

1) They’re incredible detectives – Working as an analyst is a mix of technical research, intelligence analysis, and communicating results. They’re responsible for investigating tiny, seemingly inconsequential clues so they can piece together a larger underlying scheme. All of this depends on a strong foundational core of deductive reasoning and logical rigor. They’re the modern-day Sherlock Holmes.

2) They’re great researchers – Security analysts have a penchant for attention to detail, problem solving, and thorough research. Much of this work may take place on their own time and dime, but it’s critical in helping to spur technological innovations and identifying areas that need improvement. Researchers Billy Rios and Jonathan Butts published findings this year identifying how to weaponize a car wash, proving that even the most unsuspecting of items can be dangerous.

3) They balance between two worlds – Working as an analyst doesn’t just mean understanding what’s going on in the security stack. It also means being able to effectively communicate critical events to executives and security leadership like CISOs. This can be a challenge considering the general lack of understanding not only for security best practices but also for core aspects of the internet and technologies themselves. There’s no Google translate for tech (yet).

4) Their work never, ever ends – One of the key functions of a security analyst is to triage as many alerts as possible in a day to determine whether they’re benign or truly dangerous. Sounds easy enough, right? Perhaps, were it not for the fact that these alerts come in the thousands each and every day. No matter how many tools you deploy and staff you employ, your analysts are volunteering to deal with more red flashing lights than America sees at any given Christmas. Alerts aren’t the end of it though – other tasks include conducting research for customers to determine what’s going on in their infrastructure, hiding in underground forums gathering information, or working to piece together security programs.

5) They operate under pressure – Speaking of triaging events, there’s a constant pressure to catch each and every malicious event. Any de-escalated alert may prove to be the one that lets a threat actor in. On the flip side, any false positive may be wasting someone’s time. It’s a constant balancing act. No matter if your organization is large or small, the target or the gateway, or simply collateral damage in a global attack, your analysts know that they’re going to be held accountable for the eventual impact.

6) They work crazy hours – Security analysts aren’t likely to get a lot of sleep. Hours can be painful, particularly if you’re at a security center operating on a 24×7 schedule. Research and requests for information typically have tight turnaround schedules due to the unknown nature of threats. Any investigation is also unlikely to have a clear “end,” because there’s always the possibility that something was missed. More alarming still is the possibility that on any given workday a zero-day exploit could occur, in which case they’re really not going to get to go home and sleep.

7) They’re vocationally oriented – It’s not about the money. Cybersecurity as an industry is vastly underfunded and even more understaffed. Ask an analyst why they’re in the industry and the response will typically be “because they’re passionate about what they’re doing.”

8) They’re crime fighters – Analysts sign up to deal with crazy hours, pressure, and task lists because they’re truly passionate about finding evil and stopping bad guys. Many are responsible for keeping critical infrastructure like our electricity, energy, and public health systems safe. The dangers of these sectors being targeted are very real, and have the potential to seriously harm untold numbers of people.

9) They’re willing to accept risk – The dangers of cyber threats aren’t limited to the masses. Analysts themselves can be targeted by threat actors. Earlier this year a researcher from FireEye was hacked by unknown attackers, who defaced his social media sites and published private data. In a move reminiscent of Richard Connell’s “The Most Dangerous Game,” threat hunters might find themselves the hunted.

10) They’re just plain fun – Despite the ever-present dangers to themselves and the systems they’re responsible for, analysts are an incredibly eclectic and entertaining community. All the proof you need comes from this year’s Derbycon 7.0. A participant by the name of Grifter found a cockroach in his milkshake at a nearby restaurant, later tweeting out a warning to others and naming him Trevor. As the restaurant was fumigated, fellow Derbycon participants created a memorial outside in Trevor’s honor. Trevor was later inducted as a Saint in the Church of WiFi, starred in a commemorative film about himself, and made an appearance on Twitter. Funds have even been raised in his honor for disaster relief in Puerto Rico. RIP Trevor.

#TrevorForget (Photo credit to Steve Ragan @SteveD3)

Source: Honeypot Tech

WTB: Cobalt Strikes Again: Spam Runs macros and CVE-2017-8759 Exploit Against Russian Banks

The section below contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: APT, Brute force attacks, Holiday scams, Malspam, Phishing, Preinstalled features, Ransomware, Targeted attacks, Threat group, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Cobalt Strikes Again: Spam Runs macros and CVE-2017-8759 Exploit Against Russian Banks (November 20, 2017)
The financially motivated Advanced Persistent Threat (APT) group “Cobalt” is behind a new spear phishing campaign targeting European financial organizations, according to Trend Micro researchers. The group tailors its spear phishing emails for different target banks. Researchers note that Cobalt previously used spam emails to target banking customers, so these new spear phishing emails represent a change in tactics. The emails were observed to exploit a code injection/remote code execution vulnerability, registered as “CVE-2017-8759,” located in Microsoft’s .NET Framework. The RTF file attachment requires a user to enable macros to run a PowerShell command that will eventually download and execute a backdoor from a remote server.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Threat group, Cobalt, Spear phishing, Targeted attacks, Financial institutions

0000 Cryptomix Ransomware Variant Released (November 17, 2017)
The security researcher known as “MalwareHunterTeam” has discovered a new variant of the “Cryptomix” ransomware. The new variant is dubbed “0000” because of the extension added to encrypted files. As of this writing, researchers have not published the distribution method used by the actors behind this ransomware; however, they do note that users should be cautious when opening attachments from unverified senders.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.
Tags: Ransomware, Cryptomix variant, 0000

Holiday Scams and Malware Campaigns (November 16, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert to remind users to be vigilant while shopping online this holiday season. US-CERT warns that threats will come in various forms, such as emails and ecards that may contain malicious links, and fake advertisements or shipping notifications that may have attachments infected with malware. In addition, spoofed email addresses and fake social media posts are also expected to be present during the upcoming holiday season.
Recommendation: Users should be aware that the holiday season represents the potential for threat actors to generate illicit revenue because of the significant increase in online shopping. The threats mentioned by US-CERT can result in sensitive data theft, such as Personally Identifiable Information (PII) and credit card information, as well as identity theft and security breaches. Users should avoid following links or downloading attachments from unknown sources, and should take note when known email addresses begin sending messages or attachments that do not align with typical behavior.
Tags: Alert, Holiday scams, Malware, US-CERT

Ransomware-Spreading Hackers Sneak in Through RDP (November 15, 2017)
Sophos researchers have discovered that threat actors are exploiting weak passwords for the Remote Desktop Protocol (RDP) feature of Microsoft Windows machines to install ransomware. RDP is commonly used by IT staff, who are often an outsourced part of a company and work remotely. Threat actors are using a tool called “NLBrute” to try numerous passwords against an RDP account in a brute-force attack. Actors could also use social media to find out likely password choices such as a birthday or a pet’s name.
Recommendation: Compromising RDP accounts is by no means a new tactic used by threat actors. Therefore, it is crucial that RDP accounts have strong passwords, and use of the accounts should be restricted via firewalls and network level authentication.
Tags: Ransomware, Brute force attacks, Microsoft RDP
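The brute-force activity described in this story leaves a recognisable trail in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a success (event ID 4624). The following detector is an added example, not part of the original digest or of Sophos’ research. It assumes a simplified, constructed pipe-delimited event format (`timestamp|event_id|logon_type|user|src_ip`), and the threshold of five failures in five minutes is an illustrative assumption, not a published figure.

```python
"""Detect RDP password guessing from (simplified) Windows logon events.

Added example, not from the original digest. Assumes one event per line in
the constructed format `ts|event_id|logon_type|user|src_ip`.
Event ID 4625 = failed logon, 4624 = successful logon,
logon type 10 = RemoteInteractive (RDP). Threshold/window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): one guessing burst that ends in
# a successful logon, one ordinary user typo, one non-RDP event.
SAMPLE_LOG = """\
2017-11-15T02:00:01|4625|10|administrator|203.0.113.7
2017-11-15T02:00:03|4625|10|admin|203.0.113.7
2017-11-15T02:00:04|4625|10|administrator|203.0.113.7
2017-11-15T02:00:06|4625|10|backup|203.0.113.7
2017-11-15T02:00:09|4625|10|administrator|203.0.113.7
2017-11-15T02:00:12|4624|10|administrator|203.0.113.7
2017-11-15T08:30:00|4625|10|jsmith|198.51.100.20
2017-11-15T08:30:40|4624|10|jsmith|198.51.100.20
2017-11-15T08:31:00|4625|2|jsmith|-
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the constructed log format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src_ip = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "src_ip": src_ip,
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for sources with >= threshold RDP failures
    inside `window`, and note whether a success followed the burst."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == RDP_LOGON_TYPE and ev["src_ip"] != "-":
            by_src[ev["src_ip"]].append(ev)

    findings = {}
    for src_ip, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        start = 0
        for end in range(len(failures)):
            # shrink the window from the left until it fits
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_end = failures[end]["ts"]
                # a success after the burst suggests the guessing worked
                success_after = any(
                    e["event_id"] == SUCCESS_LOGON and e["ts"] >= burst_end
                    for e in evs
                )
                findings[src_ip] = {
                    "failures": count,
                    "users": sorted({e["user"] for e in failures[start:end + 1]}),
                    "success_after_burst": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, summary in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

The `success_after_burst` flag is the field worth alerting on with highest priority: a burst of failures that ends in a successful RemoteInteractive logon is exactly the precursor to the manual ransomware installation the story describes, and such hosts should be isolated and the account’s credentials rotated before anything else.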

New Emotet Hijacks a Windows API, Evades Sandbox and Analysis (November 15, 2017)
A new variant of the banking trojan “Emotet” is being distributed by threat actors via phishing emails, according to Trend Micro researchers. The phishing emails attempt to trick the recipient into following a provided link, which leads to a document with a malicious macro. If macros are enabled, the user starts the Emotet infection process. Researchers note that this Emotet variant also includes an anti-analysis technique that checks whether it is being examined by an analysis platform in order to evade detection.
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. Emails that ask the recipient to follow a link that then requests credentials are often an indicator of a phishing attack.
Tags: Phishing, Trojan, Emotet

Muddying the Water: Targeted Attacks in the Middle East (November 14, 2017)
A new campaign has been found to be targeting Middle Eastern countries, according to Unit 42 researchers. The malicious activity is attributed to a new threat group dubbed “MuddyWater.” While researchers found that Middle Eastern nations were primarily targeted, other countries such as India and the U.S. were also identified as targets. Researchers discovered that the group’s initial infection vector is a PowerShell-based first stage backdoor dubbed “PowerStats” that is delivered via malicious documents. The documents vary depending on which country is being targeted and include images that would be familiar to the recipient, such as government branches, which may make a recipient more willing to enable macros.
Recommendation: The impersonation of government agencies continues to be an effective malware distribution tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. In the case of infection, the affected system should be wiped and reformatted. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: Targeted Attacks, Threat group, MuddyWater

17-Year-Old MS Office Flaw Lets Hackers Install Malware Without User Interaction (November 14, 2017)
Researchers are warning Microsoft Office users to be extra cautious when opening Office file attachments because of a 17-year-old vulnerability. Specifically, the vulnerability is a memory corruption flaw, registered as “CVE-2017-11882,” that resides in “EQNEDT32.exe,” shipped with all versions of Microsoft Office and the Windows operating system released in the past 17 years. EQNEDT32.exe is a Microsoft component responsible for the insertion of equations (OLE objects) in documents. Threat actors can exploit this vulnerability to remotely install malware on target machines without any user interaction required, such as enabling macros.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Vulnerability, Microsoft Office

Microsoft November Patch Tuesday Fixes 53 Security Issues (November 14, 2017)
Microsoft has issued security updates as part of its November Patch Tuesday that affect the following products: ASP.NET Core, ChakraCore, Internet Explorer, Microsoft Edge, .NET Core, several Office offerings, and the Windows operating system. Researchers note two vulnerabilities, registered as “CVE-2017-11830” and “CVE-2017-11887,” that stand out in this month’s Patch Tuesday. CVE-2017-11830 can be exploited to allow an actor to bypass Windows Device Guard, and CVE-2017-11887 can be exploited to bypass macro execution protection in Microsoft Excel. The latter is expected to be exploited by actors in the near future because of the frequency with which malicious macro documents are used in phishing attacks.
Recommendation: Your company should have policies in place to prepare for Patch Tuesday every month because as this iteration portrays, sometimes the patched vulnerabilities will be used in common attack vectors.
Tags: Vulnerabilities, Patch Tuesday, Microsoft

Adobe Patches Security Bugs in Flash Player and Eight Other Products (November 14, 2017)
Adobe has released its monthly security updates for November that affect nine products. Overall, Adobe issued patches for 85 vulnerabilities, multiple of which could be exploited to allow remote code execution. The affected products are Adobe Acrobat and Reader, Adobe Connect, Adobe DNG Converter, Adobe Digital Editions, Adobe Experience Manager, Adobe Flash Player, Adobe InDesign, Adobe Photoshop CC, and Adobe Shockwave Player.
Recommendation: Patch Tuesday should be expected every month in order to apply the latest security patches to software utilized by your company. In Adobe’s case, it is common for new vulnerabilities to be identified quite regularly. Utilizing the automatic update feature in Flash Player is a good mediation step to ensure that your company is always using the most recent version.
Tags: Vulnerabilities, Patch Tuesday, Adobe

OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices (November 14, 2017)
A mobile security researcher, known by the alias “Elliot Alderson,” discovered an application located on some, if not all, “OnePlus” devices. The application, called “EngineerMode,” is reported to be vulnerable to exploitation by threat actors in a way that could result in the application functioning as a backdoor. Researchers believe that the features located in EngineerMode are the same features one would find in a diagnostic application engineers use to test phones prior to shipping them out. An actor with physical access to a OnePlus device could run a command to take full control of the device. In addition, researchers say that this is the first batch of information regarding OnePlus devices and more information will be released in the near future.
Recommendation: The threat of preinstalled features has the ability to hide from even the most cautious of users. If the devices affected by this feature are being used by your company, they should be properly inspected and the unwanted feature removed.
Tags: Mobile, Preinstalled threat, OnePlus

XZZX Cryptomix Ransomware Variant Released (November 13, 2017)
A new variant of the Cryptomix ransomware, dubbed “XZZX” because of the extension it appends to encrypted files, has been identified in the wild, according to Bleeping Computer researchers. In addition to the change in the file extension added to encrypted files, this variant has also been updated with new actor email addresses to contact for payment information. The ransomware is able to function with no network communication because it contains 11 embedded RSA-1024 public keys, which are used to encrypt the AES key that in turn encrypts a user’s files.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a usable backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Furthermore, your company should have a business continuity policy in place in the case of a ransomware infection.
Tags: Ransomware, Cryptomix variant, XZZX

Source: Honeypot Tech

Anomali Provides Threat-Sharing Expertise Before Congress

Cyber Threat Intelligence provider Anomali appeared before Congress on Wednesday, November 15th to provide threat-sharing expertise before the U.S. House of Representatives Homeland Security Committee. The purpose of this hearing was to discuss methods for improving the value of cyber threat information shared by the government and increasing participation of threat-sharing with the private sector.

Anomali was the first company to automatically share threat intelligence with the Department of Homeland Security’s Automated Indicator Sharing program (AIS), and the only cybersecurity vendor invited by the Homeland Security Committee to testify before Congress. Anomali was represented by Patricia Cagliostro, Federal Solutions Architect Manager.

Ms. Cagliostro began by explaining the current state of cyber threat intelligence sharing in the private sector, citing the 2017 Ponemon Institute Report, The Value of Threat Intelligence: A Study of North American and United Kingdom Companies that included over 1000 respondents. According to the report, 80% of organizations use threat intelligence, with 84% identifying threat intelligence as essential to a strong security posture.

Ms. Cagliostro continued by describing two key factors noted within the study that deter cyber threat intelligence sharing: excessive volumes of threat data (70% of respondents) and a lack of threat intelligence expertise. In regard to the first issue, Ms. Cagliostro noted the benefits of utilizing a threat intelligence platform to manage mass quantities of data and streamline the process of sharing. The second issue, a lack of threat intelligence expertise, was identified as the primary reason organizations do not share intelligence. The following statistics from the report detail a concerning trend for government-led initiatives such as the DHS’ AIS.

Organizations that reported sharing intelligence – 62%
Organizations that reported sharing intelligence with trusted security vendors – 50%
Organizations that reported sharing with trusted peer groups – 43%
Organizations that reported sharing with the government – 30%

Organizations are often unaware of what constitutes useful intelligence, Ms. Cagliostro explained, and are afraid of looking immature for sharing irrelevant information. This is especially true in the small and mid-sized market. Many are concerned with providing “net-new indicators,” although providing additional context for existing indicators could prove useful for companies within the same industry verticals. Many organizations already participate in same-industry or region sharing initiatives such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Anomali acts as the trusted partner for many of these ISACs and Information Sharing and Analysis Organizations (ISAOs).

In regard to the DHS’ sharing program, Ms. Cagliostro explained that “the level of effort to share intelligence within the program and lack of expertise in threat intelligence act as barriers to entry through AIS.”

Organizations connecting to AIS must:

1) Sign a terms of use document
2) Set up a TAXII client
3) Purchase a PKI certificate from a commercial provider
4) Provide their IP address to the DHS
5) Sign an Interconnection Security Agreement

This process can take private organizations weeks to complete due to legal reviews and change control processes. In the public sector this can be even more time consuming because additional processes and requirements can cause delays due to the time required to get new technologies online.

Once connected to AIS, organizations often find it difficult to share intelligence. There are a variety of methods available for sharing within the program, but each adds an additional task for overburdened analysts outside of their typical workflow. Organizations that already struggle with limited resources are not likely to expend further time and effort to stand up additional technology for little perceived gain.

Beyond the operational aspects, these analysts and security personnel such as Chief Information Security Officers (CISOs) must justify sharing intelligence to executives. Ms. Cagliostro explained, “Information sharing is a cost like any other process, new tool, or technique that is brought online. In order for that cost to make sense we have to empower organizations with the answer for the ROI question.”

The answer to that ROI question could be one of the government’s unique advantages – unmatched visibility. This is something that cannot be developed by companies internally, nor bought from a vendor. Up until now, though, the DHS has struggled to supply large quantities of high-quality and high-context indicators. Information is declassified at a slow rate, and context that would make intelligence actionable is often missing. Ms. Cagliostro offered accelerating and increasing the declassification of information as a possible solution for the DHS, as well as converting the process from manual to machine-to-machine. Part of accelerating the declassification process could include aggregating publicly available information to determine what indicators currently exist in the public domain. Such intelligence (barring more sensitive information such as the association to an actor and how the information was obtained) could then be released.

Throughout her testimony and responses, Ms. Cagliostro encouraged the DHS to make threat sharing as simple and mutually beneficial a process as possible.

“When I first started at Anomali, people often asked how we forced people to share intelligence. People assumed that when we talked about sharing, we had to be forcing people because no one would choose to share unless they had to. Our approach wasn’t to force people to share, but to create an environment where sharing was easy and organizations received value.

The AIS program has come a long way since its inception and, as the barriers to entry are reduced, more organizations will participate and increase the quality of the data provided.”

Source: Honeypot Tech

Death of the Tier 1 SOC Analyst

Say goodbye to the entry-level security operations center (SOC) analyst as we know it.
Source: Cyber Monitoring

Deception Technology: Prevention Reimagined

How state-of-the-art tools make it practical and cost-effective to identify and engage attackers in early lateral movement stages to prevent them from reaching critical systems and data.
Source: Cyber Monitoring

WTB: New Banking Trojan IcedID Discovered

The intelligence in this week’s iteration discusses the following threats: Business Email Compromise, Financial theft, Malspam, Phishing, Ransomware, Threat group, Trojan, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

New Banking Trojan IcedID Discovered (November 13, 2017)
IBM X-Force researchers have published information regarding a newly identified banking trojan, dubbed “IcedID,” that was first found in September 2017. Researchers note that the malware has banking trojan capabilities similar to those of the notorious “Zeus Trojan.” At the time of this writing, the malware is targeting banks, mobile service providers, payment card providers, and payroll services, in addition to ecommerce and webmail websites. IcedID has been observed being distributed via the “Emotet” trojan, which is itself distributed via malspam emails that typically contain files with malicious macros.
Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request a recipient to open a file attachment should also be avoided.
Tags: Malspam, Malware, Emotet, Banking trojan, IcedID

Windows Movie Maker Scam Spreads Massively due to High Google Ranking (November 13, 2017)
Threat actors are distributing malicious versions of “Windows Movie Maker,” Microsoft’s free video editing software, with the objective of stealing money, according to ESET researchers. The actors are distributing the malicious Movie Maker, which Microsoft discontinued in January 2017, via search engine optimization of the actor’s website in Google search results. As of this writing, the website responsible for distributing the malicious Movie Maker version appears on the first page of a Google search for “movie maker,” and is also located on the first page of results from the “Bing” search engine. If the fake Movie Maker is downloaded, users receive a functioning product; however, this version claims that the user needs to upgrade to the full version for $29.95 USD.
Recommendation: Any free product should be researched carefully prior to installation, so that features that should not be in the product, such as a paid version of Movie Maker, will be easier to identify. Furthermore, search engine results should not be taken at face value because, as this story portrays, search engine results can sometimes display malicious locations. Users should navigate to the official website of the creator/owner of the product for download and installation.
Tags: Impersonation, Microsoft Movie Maker, Financial theft

New Cobra Crysis Ransomware Variant Released (November 10, 2017)
Researchers have found what appears to be a new variant of the “Crysis/Dharma” ransomware. As of this writing, it is unknown how the actors are distributing this malware. However, researchers note that previous Crysis variants were distributed by compromising Remote Desktop Services and a subsequent manual installation of the ransomware. Encrypted files have an extension appended in the format “.id-[unique_id].[cranbery@colorendgrace[.]com].cobra”. It will also encrypt mapped network drives and unmapped network shares.
Recommendation: As shown in this story, it is important to make sure corporate network shares are locked down and only those who need files have access. Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be created to assist in dealing with ransomware infections.
Tags: Ransomware, Cobra Crysis, Remote Desktop Services

Eavesdropper: The Mobile Vulnerability Exposing Millions of Conversations (November 9, 2017)
Appthority researchers have identified a vulnerability, dubbed “Eavesdropper,” that affects approximately 700 applications. The vulnerability resides in developers hard coding credentials in applications that use the “Twilio Rest API” or “Twilio SDK.” Researchers state that “the developers have effectively given global access to the text/SMS messages, call metadata, and voice recording from every app they’ve developed with the exposed credentials.” The applications affected by this vulnerability consist of 44% Android, and 56% iOS and are associated with 85 Twilio developer accounts. The credentials in vulnerable apps were found by using YARA to find the string “twilio” which was listed beside the plaintext account ID and token.
Recommendation: This vulnerability is worrying because it has the potential to expose sensitive information that could be stolen and subsequently sold by threat actors, or potentially lead to an information ransom scenario. This vulnerability arose because of developers failing to follow the documented guidelines set out by Twilio. Developers should always follow secure guidelines and avoid hard coding any form of credentials in an application. This vulnerability affects many applications, of which 33% are business related. Companies should identify applications that are used internally, and cease the use of the applications until the vulnerability has been addressed. Furthermore, companies should have policies that disallow employees from using applications for company-related work that have not been approved by the company.
Tags: Vulnerability, Mobile, Data leak
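The Eavesdropper finding above came from a simple idea: look for the string “twilio” sitting beside a plaintext account ID and token. The scanner below is an added example, not Appthority’s tool or any code from the original digest, and it applies the same idea as a pre-release check a development team could run over its own source or extracted app strings. It assumes the documented shape of a Twilio Account SID (“AC” followed by 32 hex characters) and a 32-hex-character auth token; both sample snippets are constructed, and the hardened one illustrates the guideline the recommendation gives (no credentials baked into the shipped app).

```python
"""Flag hard-coded Twilio-style credentials in source or extracted strings.

Added example, not from Appthority or the original digest. Mirrors the
described approach: find "twilio" near plaintext account IDs and tokens.
Assumptions: Account SID = "AC" + 32 hex chars; auth token = 32 hex chars.
Sample snippets are constructed, not taken from any real application.
"""
import re

SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b", re.I)
TOKEN_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
CONTEXT_LINES = 3  # how close a "twilio" mention must be to a candidate secret

# Constructed vulnerable snippet: credentials baked into the app.
VULNERABLE_SRC = """\
// Twilio client setup
String accountSid = "ACdeadbeefdeadbeefdeadbeefdeadbeef";
String authToken  = "0123456789abcdef0123456789abcdef";
TwilioRestClient client = new TwilioRestClient(accountSid, authToken);
"""

# Constructed hardened snippet: the app never holds the long-lived token;
# Twilio calls are made by a backend that hands out short-lived tokens.
HARDENED_SRC = """\
// Twilio calls are proxied through our backend; the app holds no account token.
String sessionToken = fetchShortLivedTokenFromBackend();
"""


def find_hardcoded_twilio_creds(source):
    """Return [(line_no, kind, value)] for SID/token literals that sit within
    CONTEXT_LINES of a line mentioning Twilio (case-insensitive)."""
    lines = source.splitlines()
    twilio_lines = {i for i, l in enumerate(lines) if "twilio" in l.lower()}
    findings = []
    for i, line in enumerate(lines):
        if not any(abs(i - t) <= CONTEXT_LINES for t in twilio_lines):
            continue
        sid_spans = []
        for m in SID_RE.finditer(line):
            sid_spans.append(m.span())
            findings.append((i + 1, "account_sid", m.group(0)))
        for m in TOKEN_RE.finditer(line):
            # don't double-report the hex tail of a SID already found
            if any(s <= m.start() < e for s, e in sid_spans):
                continue
            findings.append((i + 1, "auth_token", m.group(0)))
    return findings


def redact(value):
    """Keep only a short prefix so findings can be logged without leaking."""
    return value[:6] + "..." if len(value) > 6 else value


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        hits = find_hardcoded_twilio_creds(src)
        print(f"{label}: {len(hits)} finding(s)")
        for line_no, kind, value in hits:
            print(f"  line {line_no}: {kind} {redact(value)}")
```

Running the scanner over decompiled APK or IPA string tables rather than source is the closer match to what the researchers did; the matching logic is the same. A hit is only a lead, since a 32-hex literal near the word “twilio” may be a test fixture, so the follow-up is to confirm the value is live and rotate it at the provider, not just delete the line.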

LockCrypt Ransomware Spreading via RDP Brute-Force Attacks (November 9, 2017)
The threat actors behind the ransomware “LockCrypt,” which was first discovered in June 2017, have increased their malicious activity to target business-owned servers, according to Alien Vault researchers. At the time of this writing, LockCrypt has infected businesses in India, South Africa, the U.K., and the U.S. One business reported that it was infected via a Remote Desktop Protocol (RDP) brute-force attack from a compromised mail/VPN server. The actors are demanding anywhere from 0.5 (approximately $3,443 USD) to 1 (approximately $6,887 USD) Bitcoin for the decryption key per server.
Recommendation: It is crucial that your company ensure that servers are always running the most current software version. In addition, your company should have policies in place regarding the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be in place in the case of a ransomware infection.
Tags: Brute-force attacks, RDP, Ransomware, LockCrypt
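
The brute-force path described above can be caught from the server's own logon auditing. As an added example (not from the AlienVault report), this Python detector flags a source that fails a threshold of RDP logons inside a short sliding window and records whether a successful logon then followed from the same source; the log lines are constructed, and the flattened key=value layout is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real telemetry: Windows Security events flattened to
# one key=value line each. EventID 4625 is a failed logon, 4624 a successful
# one, and LogonType 10 (RemoteInteractive) is the type RDP sessions use.
SAMPLE_LOG = """\
2017-11-08T02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=10.0.5.12
2017-11-08T02:14:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=10.0.5.12
2017-11-08T02:14:04 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=10.0.9.40
2017-11-08T02:14:06 EventID=4625 LogonType=10 TargetUser=backup SourceIP=10.0.5.12
2017-11-08T02:14:09 EventID=4625 LogonType=10 TargetUser=sqladmin SourceIP=10.0.5.12
2017-11-08T02:14:11 EventID=4625 LogonType=10 TargetUser=root SourceIP=10.0.5.12
2017-11-08T02:20:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.7.3
2017-11-08T02:36:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.7.3
2017-11-08T02:36:00 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=10.0.5.12
"""


def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: details} for sources with >= threshold failed RDP
    logons inside the sliding window. A later successful RDP logon from a
    flagged source (the attacker getting in) is recorded as success_after."""
    recent = defaultdict(deque)  # source -> timestamps of failures in window
    users = defaultdict(set)     # source -> usernames tried so far
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != "10":
            continue  # network or interactive logons are out of scope here
        src = ev["SourceIP"]
        if ev["EventID"] == "4625":
            q = recent[src]
            q.append(ev["ts"])
            users[src].add(ev["TargetUser"])
            while ev["ts"] - q[0] > window:  # expire failures outside window
                q.popleft()
            if len(q) >= threshold:
                flagged[src] = {"failures_in_window": len(q),
                                "users_tried": sorted(users[src]),
                                "success_after": False}
        elif ev["EventID"] == "4624" and src in flagged:
            flagged[src]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for src, details in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"RDP brute-force from {src}: {details}")
```

A slow, spread-out sequence such as the two failures from 10.0.7.3 stays below the threshold, which is why a per-source window rather than a raw count is used.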

Toast Overlay Weaponized to Install Several Android Malware (November 9, 2017)
Trend Micro researchers have discovered a new Android malware family, dubbed “TOASTAMIGO,” that is capable of installing other malware via the “Toast Overlay” attack. Toast is a feature in Android used to display notifications over other applications. The Toast Overlay vulnerability, registered as “CVE-2017-0752,” was issued a patch in September 2017 and affects all Android versions except “Oreo.” The malware that exploits the vulnerability was discovered inside applications impersonating legitimate application lockers that protect apps with a PIN code, one of which was found to have been downloaded approximately 500,000 times, as of this writing. The malicious applications request Accessibility permissions upon installation, which allow them to download additional malware.
Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. The two malicious applications on the app store had a high number of positive, fake reviews. When choosing an application to download, look for reviews with substantive wording, as fake positive reviews commonly offer little context in support of a positive rating. Also check the application description for correct grammar and spelling; the malicious applications in this case had many errors in their descriptions.
Tags: Android, Vulnerability, Toast Overlay

OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan (November 8, 2017)
The threat group “OilRig” is using a new version of their malicious “Clayside” delivery document to distribute a new custom trojan dubbed “ALMA Communicator,” according to Unit 42 researchers. The Clayside document was also observed to drop the credential stealing tool “Mimikatz.” This Clayside version is similar to past iterations in that, if opened, it displays a worksheet stating that the file was created with a newer version of Excel. The document requests that the user click “Enable Content” to properly view the document. If Enable Content is clicked, a malicious macro runs to display the content of the decoy document, while also creating an HTML Application (.HTA) file whose HTML runs a VBScript to download ALMA Communicator.
Recommendation: Files that request content to be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you by a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny, and the attachment should be left unopened and properly reported to appropriate personnel.
Tags: Threat group, OilRig

Hijackers Deface 800 School Websites with Pro-Islamic State Messages (November 8, 2017)
Jim Brogan, the director of technology services for schools in Gloucester County, Virginia, has confirmed that approximately 800 school websites were directing users to an iFramed YouTube page depicting an Islamic State recruitment video. The attack was accomplished by injecting a file into one of the websites of the web hosting company SchoolDesk. The redirection caused the user to see a picture of Saddam Hussein and hear an audible message in Arabic.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised websites, Defacement

Linux Has a USB Driver Security Problem (November 7, 2017)
Google security researcher Andrey Konovalov has discovered 79 Linux USB-related vulnerabilities. The vulnerabilities can be exploited via a maliciously crafted USB device. Some of the vulnerabilities can be exploited for Denial-of-Service (DoS) attacks, and others can be exploited to allow an actor to elevate privileges and execute arbitrary code. Researchers note that not all of the 79 vulnerabilities have been reported or patched.
Recommendation: Vulnerabilities that can be exploited via a USB drive are in increasing demand because of the corresponding increase in the use of air-gapped systems. Therefore, the use of USB drives is a security risk, and the use of such devices should be limited to only the appropriate personnel who need to use such equipment.
Tags: Vulnerability, Linux, USB

BEC Scammer Stealing Millions From Home Buyers (November 7, 2017)
In early May 2017, the U.S. Federal Bureau of Investigation (FBI) warned homebuyers that threat actors were targeting their email accounts, and now the agency reports that throughout 2017 threat actors have diverted or attempted to divert approximately $1 billion USD. This malicious activity was accomplished by compromising real estate email accounts, monitoring them until a transaction was underway, and then sending a fraudulent request to change the payment type. The payment type was typically changed from check to wire transfer, or the destination account was changed to one controlled by the actors.
Recommendation: It is important that your employees use different passwords for business-related accounts because actors will often test other accounts with previously stolen passwords. In addition, it is crucial that business accounts use a form of two-factor or multi-factor authentication to make it difficult for actors to compromise accounts.
Tags: Business Email Compromise, Theft

KRACK Whacked, Media Playback Holes Packed, Other Bugs Go Splat in Android Patch Pact (November 7, 2017)
Google has released its security update for November, which addresses multiple vulnerabilities in the Android operating system. Among the vulnerabilities addressed is the critical “KRACK” Wi-Fi key reinstallation flaw that could allow actors to monitor nearby wireless traffic. Overall, 31 vulnerabilities were patched by Google. Nine of said vulnerabilities could be exploited to allow an actor to execute code remotely.
Recommendation: As this story portrays, it is important that your company institute policies regarding software in use and its proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs that delay work-flow as well as critical vulnerabilities that can be exploited by malicious actors.
Tags: Vulnerabilities, Android, Security updates

Phishing Emails Are Being Sent to The Users of Netflix by Hackers (November 6, 2017)
Researchers have found that threat actors are targeting Netflix users with phishing emails. The objective of the campaign is to steal billing data by claiming that the recipient needs to update said information. If the recipient follows a link provided in the phishing email, they will be directed to a fake Netflix page that asks the user to log in and enter their information such as credit card data.
Recommendation: Netflix has stated that it will never ask its customers for personal information in an email. Therefore, if an email purporting to be from Netflix requests that personal data be changed or updated, it is likely a sign of a scam. If a user is curious, they should visit Netflix’s official website to check their account status.
Tags: Phishing, Netflix, Data theft

Watch Out: GIBON Enters The Ransomware Space (November 6, 2017)
Proofpoint researcher Matthew Mesa has discovered a new strain of ransomware, dubbed “GIBON.” Threat actors are distributing this ransomware via phishing campaigns. The malicious attachments contain macros that will download and execute the ransomware if they are enabled. GIBON targets every file that is not located in the Windows folder. At the time of this writing, there are minimal details discussing the technical features of this new malware, including the ransom demanded for the encryption key.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. In addition, as shown in this story, employees should also be cautious of opening suspicious attachments in emails even if they appear to have been sent from within the company as the Necurs botnet is easily able to spoof email addresses. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.
Tags: Phishing, Ransomware, GIBON

Google Releases Security Update for Chrome (November 6, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert warning Google Chrome users to update their web browser as soon as possible. A vulnerability resided in Chrome for Linux, Mac, and Windows operating systems that has been addressed in Chrome version 62.0.3202.89. The vulnerability could be exploited by threat actors to take control of an affected system, according to the US-CERT.
Recommendation: The US-CERT recommends that users and administrators review the Chrome releases page located at “https://chromereleases.googleblog.com/search/label/Stable%20updates” and apply the necessary update.
Tags: Alert, Vulnerability, Google Chrome

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

TrickBot Tool Tip
TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. [Flashpoint](https://www.flashpoint-intel.com/blog/trickbot-targets-us-financials/) recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a [Threat Bulletin](https://ui.threatstream.com/tip/17137) detailing the unpacking of this malware family.
Tags: TrickBot, Family-Trickbot, victim-Financial-Services

Source: Honeypot Tech

Frequent Software Releases, Updates May Injure App Security

The more frequently you release apps, the more security vulnerabilities you are likely to introduce in the code, a new study confirms.
Source: Vulnerabilities & Threats

Smart Public Kiosks Enhance Livability, Connect Communities

Cities are busy places, and they’re getting busier. Thankfully, many of them are also getting smarter by enabling smarter parking, better transportation and better air quality management for better citizen experiences. Among the most groundbreaking of innovations contributing to those experiences are smart public kiosks — replacing outdated infrastructure, such as phone booths and static signage, with smart kiosks. From providing environmental sensors and smart lighting to boosting cell reception and serving as a free Wi-Fi hotspot, kiosks enhance quality of life, equity, sustainability and security in a city. They are able to generate new revenue streams for cities through advertising — which can help them to become self-funded — and provide valuable services, such as wayfinding, transit routes, free Wi-Fi, and emergency alerts for more connected experiences between citizens and the services provided by their local governments and businesses.


Connecting Citizens to Local Government

Smart public kiosks, such as Intel technology enabled CIVIQ Smartscapes, Intersection and CityBeacon, offer tremendous opportunities to enhance and ease citizens’ quality of life by enabling citizens to more easily access information and connect to the world around them. CityBeacon is an Intel IoT Market Ready Solution — it’s a proven, commercially available today solution that bridges digital and physical worlds, providing reliable connectivity and maximum flexibility for smarter city management. For public kiosks, those connections include speakers, large digital signage screens and flashing lights that can broadcast public service announcements or missing child alerts. Interactive transit route maps can make navigating public transit easier with wayfinding features. Under the hood, kiosks can also provide powerful Wi-Fi hotspots and strengthen cell phone signals. As kiosks expand their reach, citizens and local governments alike are only beginning to realize the full potential of the technology to empower communities.


Enhancing Safety in Public Spaces

From a community health and safety standpoint, kiosks can brighten dark spaces with smart lighting that adjusts to current conditions for better lit, and safer, public spaces. Built-in incident and facial detection features can further enhance safety and enable public safety officers and EMTs to more quickly respond to incidents. Kiosks can even monitor air pollution, helping to contribute to healthier communities.

Growing Local Economies

For local businesses, kiosks scale out digital and interactive display offerings, and are even more convenient because they have facial detection — they can detect emotions, demographic information and more while maintaining the privacy of consumers. These kinds of cognitive analytics enable the display to engage in a real-time feedback loop, refining messaging in response to the reactions, in order to reach the right consumers with even more precise messaging in the future. From purchasing tours and event tickets, to paying for parking or bus fare, kiosks enable businesses to connect with customers wherever they are, creating amazing experiences along the way.

Engaging and interactive, kiosks support smart city initiatives delivering real-time information, services and alerts to citizens and visitors—quickly and cost-effectively. To learn more, check out the smart kiosk at the village during Smart City Expo World Congress in Barcelona, Nov. 14-16, or visit intel.com/publickiosks.

Learn more about Intel IoT Market Ready Solutions at www.intel.com/iotmarketready. Visit intel.com/retail to learn more about how Intel technology is shaping the future of responsive retail. To stay informed about Intel IoT developments, subscribe to our RSS feed for email notifications of blog updates, or visit intel.com/IoT, LinkedIn, Facebook and Twitter.

Source: Network News

Access Point Support Subscriptions

WatchGuard access points provide secure, reliable wireless connectivity to businesses around the world. At WatchGuard, we are passionate about mobility and security and are dedicated to keeping wireless environments updated with the latest software features to keep people safe and their businesses running smoothly. For example, at the time of our public announcement of the WPA/WPA2 key reinstallation (KRACK) vulnerability, corrective software was already available online. Additional details about KRACK and software updates for WatchGuard products can be found in this knowledge base article.

Support Subscriptions for Access Points

Standard Support for access points is included in our Wi-Fi service subscriptions: Basic, Secure, and Total Wi-Fi. See this FAQ for more information on the Wi-Fi SKUs. Maintaining active support subscriptions for your access points is recommended to continue to receive important software updates, RMA replacement, and support.

Basic, Secure, and Total Wi-Fi Subscriptions include Standard Support:

  • 24×7 support
  • Unlimited number of support cases per annual subscription
  • Targeted response times:
    • 4 Hour – Critical, High
    • 8 Hours – Medium
    • 24 Hours – Low
  • Web-based support
  • Phone-based support
  • Software updates and patches for:
    • Gateway Wireless Controller
    • Access point firmware
    • Wi-Fi Cloud
  • Advanced hardware replacement
  • Product documentation and guides
  • Technical Training Materials
  • Moderated Customer Forum

At this time, premium four hour RMA is not available for access points. Please remember to maintain an active Basic, Secure, or Total Wi-Fi subscription with each access point in order to maintain support.

Total Wi-Fi Program Chart

Ryan Orsi
Director, Product Management, Secure Wi-Fi
WatchGuard Technologies

Source: WatchGuard