Using ThreatStream Indicators of Compromise with AWS GuardDuty

It has been a busy week for AWS at their re:Invent 2017 conference in Las Vegas. One of the new product launches that caught my eye yesterday was GuardDuty, a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help protect AWS accounts and workloads.

One way GuardDuty protects AWS environments is through the use of trusted IP lists and threat lists, the latter being particularly useful from a ThreatStream perspective. GuardDuty identifies suspected attackers by comparing threat lists against VPC Flow Logs, AWS CloudTrail event logs, and DNS logs in an AWS account. When a potential threat is detected, the service delivers a detailed security alert to the GuardDuty console and AWS CloudWatch Events. This makes alerts actionable and easy to integrate into existing event management and workflow systems.

GuardDuty threat lists allow ThreatStream users to import known malicious IP addresses from the ThreatStream platform to generate findings of threats in their AWS account. Let me show you how.

Step One: Select and Export Indicators

Using ThreatStream’s search functions it is possible to isolate specific indicators. For instance, you can use basic and advanced search operators to pick indicators based on information such as confidence, indicator type, ASN, or a specific tag. In the screenshot that accompanied the original post (not reproduced here) I used filters to limit the results to known malware IPs recently identified by PhishMe with a high confidence score. GuardDuty currently only considers IP-based indicators, so it is important to filter on IP indicator types only; domains, hashes and URLs in the export would simply be ignored.

After the results are returned you can export them from ThreatStream. GuardDuty accepts either a simple list of IPs in a plaintext file (one IP per line) or structured IP lists in STIX 1.x format. As ThreatStream supports STIX 1.2 export, use this option.

Step Two: Upload Indicators to S3

Upload the downloaded XML file of indicators in STIX format to an S3 bucket in your AWS account. I created a new S3 bucket named “threatlists” to manage multiple threat list files. Consider a static filename like “threatstream-indicators.xml” (rather than the dynamic one created by the ThreatStream export) so that the S3 URL stays the same when you append to or modify the list of indicators in the file. GuardDuty currently supports up to 6 threat lists, so it makes sense to keep updating a single file where possible. Make a note of the S3 URL as it will be required during step three.

Step three: Add the Threat List to GuardDuty

Adding a new threat list is done inside the GuardDuty console under “Lists”. Creating a threat list from the STIX file in the S3 bucket is simple: give the threat list an appropriate name, paste the S3 URL into the location field (this is why a static URL is recommended), and select “Structured Threat Information Expression (STIX)” as the format.

Once the threat list is added successfully, GuardDuty will begin using the contents of the file in the S3 bucket to compare against events in your AWS environment to deliver “findings” when a threat is observed.
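The three steps above can also be scripted. The following is an added example written for this write-up (not Anomali or AWS code): it reads a STIX 1.x export, keeps only the IP address observables that GuardDuty can actually match, drops private and reserved addresses that would otherwise flag your own VPC traffic, and merges the result into a single plaintext file so the S3 key stays static. The STIX fragment and the IP addresses in it are constructed for illustration (RFC 5737 documentation ranges), as is the file name “threatstream-indicators.txt”.

```python
"""Turn a ThreatStream STIX 1.x export into a plaintext GuardDuty threat list
and merge it into one static file.

Added example for this write-up; it is not Anomali or AWS code. SAMPLE_STIX is
a constructed STIX 1.2 fragment that mirrors the CybOX AddressObject layout;
the addresses in it are RFC 5737 documentation addresses, not real indicators.
"""
import ipaddress
import xml.etree.ElementTree as ET

# CybOX 2.x namespace that STIX 1.x uses for IP/e-mail address observables.
NS_ADDR = "http://cybox.mitre.org/objects#AddressObject-2"

# Addresses that must never land in a threat list: a 10.0.0.0/8 entry would
# make GuardDuty flag your own VPC traffic as talking to a threat.
NEVER_LIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample: two IPv4 indicators (one multi-valued, containing an
# RFC1918 address) plus a domain observable that GuardDuty cannot match.
SAMPLE_STIX = """<stix:STIX_Package version="1.2"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value condition="Equals">198.51.100.23</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value condition="Equals" apply_condition="ANY">203.0.113.7##comma##203.0.113.8##comma##10.0.0.5</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
          <DomainNameObj:Value>bad.example</DomainNameObj:Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""


def extract_ips(stix_xml):
    """Return the set of listable IP addresses in a STIX 1.x document.

    Only AddressObject observables are read, so domains and hashes fall out
    automatically; anything that is not a syntactically valid IP (e.g. an
    e-mail AddressObject) or that sits in NEVER_LIST is skipped.
    """
    root = ET.fromstring(stix_xml)
    ips = set()
    for node in root.iter("{%s}Address_Value" % NS_ADDR):
        # STIX 1.x packs several values into one element with '##comma##'.
        for raw in (node.text or "").split("##comma##"):
            try:
                ip = ipaddress.ip_address(raw.strip())
            except ValueError:
                continue
            if any(ip in net for net in NEVER_LIST):
                continue
            ips.add(str(ip))
    return ips


def _sort_key(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.version, ip)  # IPv4 first, then IPv6; no cross-version compare


def merge_threat_list(existing_text, new_ips):
    """Merge new IPs into the body of the static threat list file.

    GuardDuty's plaintext format is one IP per line; sorting keeps the diff
    between two uploads readable.
    """
    current = {line.strip() for line in existing_text.splitlines() if line.strip()}
    merged = current | set(new_ips)
    return "\n".join(sorted(merged, key=_sort_key)) + "\n"


if __name__ == "__main__":
    # Simulates appending today's export to last week's threatstream-indicators.txt.
    print(merge_threat_list("203.0.113.7\n", extract_ips(SAMPLE_STIX)), end="")
```

Write the output to the static key (for example `aws s3 cp threatstream-indicators.txt s3://threatlists/threatstream-indicators.txt`) and register it once with `aws guardduty create-threat-intel-set --detector-id <detector-id> --name ThreatStream --format TXT --location s3://threatlists/threatstream-indicators.txt --activate`. GuardDuty does not poll the object for changes, so after each subsequent upload update the list in GuardDuty (the console’s Update action, or `aws guardduty update-threat-intel-set --detector-id <detector-id> --threat-intel-set-id <set-id> --activate`) so the new contents are picked up.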

Anomali x AWS

As GuardDuty grows you can expect to see much tighter integration with ThreatStream. If you’re considering using GuardDuty alongside ThreatStream, or any Anomali products, please do send any questions you have my way via email: dgreenwood [-at-] anomali [-dot-] com


Source: Honeypot Tech

The Critical Difference Between Vulnerabilities Equities & Threat Equities

Why the government has an obligation to share its knowledge of flaws in software and hardware to strengthen digital infrastructure in the face of growing cyberthreats.
Source: Vulnerabilities & Threats

Bitcoinradar and bitcoins in 2018 – New gold on the horizon

Bitcoinradar.nl is the first to show the value of BTC above 9,000 euros!

Buy Bitcoins with Credit Card

I just spoke with a friend about bitcoin. He compared its price development to the tulip mania of the 17th century. Back then tulip bulbs were sold for bizarrely high prices. Initially, people did not ask what a bulb was really worth, but bought it as an investment.

The big difference, however, is that bitcoin is a currency. Japan now recognises it as such, so you will soon be able to pay with bitcoin at more than 300,000 shops in Japan. As acceptance grows, it also becomes ever easier to use the virtual coin.

Nobody knows what bitcoin will be worth in 2018. I personally expect it to be above 10,000 euros per bitcoin before the end of this year. For that reason I have invested a very small amount. Not by buying bitcoin, but by buying computers that serve as the central computer of the coin.

Bitcoin Radar - Investing safely in cryptocurrency

With bitcoinradar.nl you won't miss an opportunity with bitcoins in 2018

  • Set up in no time
  • Coinbase payments in two clicks
  • Accept all bitcoin payments

Start today with Ethereum, Bitcoin or Monero. Sign up here and receive 10 euros in bitcoins as a gift.



Source: Zologic

FTSE 100 Report: Targeted Brand Attacks and Mass Credential Exposures

The Anomali Labs team conducted research to identify suspicious domain registrations and potentially compromised credentials that could be used as part of an attack against the Financial Times Stock Exchange 100 (FTSE 100). Both methods of attack pose a significant threat not only to corporate brands but also to the corporations themselves. As referenced in Global Finance and Banking Review and Infosecurity, the number of stolen credentials for FTSE 100 employees has nearly tripled since last year’s analysis.

With a deceptive domain malicious actors have the potential to:

  • Orchestrate phishing schemes to collect customer credentials
  • Install malware onto visitor devices
  • Coerce the targeted company into paying for the domain
  • Redirect traffic to competing or malicious sites
  • Embarrass the company by displaying inappropriate messaging

Threat actors with compromised credentials may gain the capability to infiltrate an organization’s defenses. From there they can steal data, damage systems, or orchestrate more complex attacks.

The data from this report spans a three month period within 2017. Below are a few key statistics from the report. 

Malicious Domains

  • Eighty-two percent of FTSE 100 companies had at least one potentially suspicious domain registration and thirteen percent had 10 or more suspicious domains.
  • The vertical hit hardest with suspicious domain registrations was Banking at 83 registrations, more than double the next industry, Energy, at 41 registrations.

Mass Credential Exposures

  • An average of 165.83 exposed credentials were identified across all companies. Of the 77% of companies that had credentials exposed, an average of 218 exposed credentials were found.
  • Five companies had more than 1,000 credential exposures.



Source: Honeypot Tech

The Looming War of Good AI vs. Bad AI

The rise of artificial intelligence, machine learning, hivenets, and next-generation morphic malware is leading to an arms race that enterprises must prepare for now.
Source: Cyber Monitoring

WTB: Imgur hackers stole 1.7 million email addresses and passwords

The section below contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: Account Checking, Android Malware, BankBot Trojan, Imgur Database Breach, IRAFAU, Lazarus Group, Microsoft Office Vulnerabilities, Mirai Botnet, Necurs Botnet, Scarab Ransomware, Trickbot Banking Trojan, and WordPress malware. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Imgur hackers stole 1.7 million email addresses and passwords (November 27, 2017)
On November 23, the researcher Troy Hunt notified the popular image-hosting website Imgur that it had suffered a data breach in 2014. The account details of approximately 1,700,000 users were accessed, including emails and passwords. Imgur does not store any other personally identifiable information and has begun the process of resetting passwords. At the time the passwords were hashed with SHA-256; in 2016 Imgur switched to bcrypt.
Recommendation: It is important that you use different passwords for the different accounts that are being used. Previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts. If you are possibly affected by this breach, immediately change your password.
Tags: Breach, Imgur

Early Warning: A New Mirai Variant is Spreading Quickly on Port 23 and 2323 (November 24, 2017)
Netlab researchers have detected a new Mirai variant after noticing 100,000 new unique scanning IP addresses. The botnet is spreading by abusing two credentials: “admin/CentryL1nk” and “admin/QwestM0dem”. The “CentryL1nk” credential first appeared in an exploit for the ZyXEL PK5001Z modem in exploit-db less than a month ago. Most of the new infections have been detected in Argentina.
Recommendation: The Mirai botnet takes advantage of internet connected devices which have been lazily configured, leaving the door wide open to the world. Any device that connects to the internet must be treated as a security liability, and default usernames/passwords must be disabled. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring.
Tags: Mirai, BotNet, Exploit

Necurs botnet malspam delivering a new Ransomware via fake scanner /copier messages (November 23, 2017)
After a short break from distributing the “Locky” ransomware, the Necurs botnet is spamming out a new type of ransomware in time for the Thanksgiving holiday. The emails are sent from a “copier@” address; it is typical of Necurs to spoof the email domain of the target organization. The emails have an empty body and a subject line of “Scanned from ” followed by a printer vendor name; the names observed are “Lexmark”, “Canon”, “HP”, and “Epson”. The new ransomware is being labeled “Scarab” ransomware.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and anti-virus protection. Even if the email appears to come from within the company, still exercise caution as emails are easily spoofed.
Tags: Scarab, Necurs, Ransomware, Malspam

A Hacking Group Is Already Exploiting the Office Equation Editor Bug (November 22, 2017)
Approximately a week after details of a new Microsoft Office vulnerability came to light, at least one threat actor is now exploiting “CVE-2017-11882”. The issue has been present in Office for 17 years. The “Cobalt” hacking group has been using Rich Text Format (RTF) files that exploit the vulnerability to download malware.
Recommendation: Apply the Microsoft update that addresses CVE-2017-11882; until it is applied, treat RTF attachments from untrusted senders as hostile. Malware authors are always innovating new methods of delivering payloads and communicating back to their control servers, so always practice Defense in Depth (don’t rely on a single security mechanism; security measures should be layered, redundant, and fail-safe).
Tags: Microsoft Office, Cobalt, RTF

CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document (November 22, 2017)
Fortinet researchers have discovered new documents, of a political theme, that exploit “CVE-2017-11826”. The Rich Text Format (RTF) documents are themed around the political situations in Saudi Arabia and Rohingya (Myanmar). The exploit executes shellcode which downloads a backdoor dubbed “IRAFAU”. IRAFAU can execute files, create/remove files, download/upload files and execute a remote shell.
Recommendation: Themed malspam emails are a common tactic among threat actors, therefore it is crucial that users are aware of their institution’s policies regarding electronic communication. Requests to open a document with a sense of urgency, and poor grammar, are often indicative of malspam or phishing attacks. Such emails should be avoided and reported to the appropriate personnel.
Tags: RTF, IRAFAU, Exploit

Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model (November 22, 2017)
According to Flashpoint researchers the Trickbot gang, creators of the Trickbot banking Trojan, have incorporated account checking operations. Account checking utilizes credentials stolen from database breaches and compromises to try to gain unauthorized access to accounts belonging to the same victims. In order to avoid their activities getting automatically blocked by IP address, they use already infected Trickbot hosts as a stream of new and “clean” proxies.
Recommendation: Trickbot heavily targets the financial industry. It is important that your company and employees use different passwords for each account. As this story shows, previous breaches can allow actors to gain access to other accounts because users frequently reuse the same username and password combinations. Ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network; this makes it easier to spot unusual traffic and connections to and from your network and to identify potentially malicious activity.
Tags: Trickbot, Trojan, Account Checking

Uber suffered massive data breach, then paid hackers to keep quiet (November 21, 2017)
It has now come to light that Uber, the transportation company, suffered a large data breach in October 2016. According to Bloomberg, the data of approximately 57,000,000 drivers and customers was stolen, including names, email addresses, and phone numbers. The personal information of 7,000,000 drivers was also accessed, including 600,000 US driver’s license numbers. Uber paid the actors $100,000 to delete the data.
Recommendation: Personal information should be protected with the utmost care, and shared only with vendors you trust to keep it in compliance with the relevant standards. Always monitor your accounts and use identity theft and fraud prevention services to add an additional layer of security. If data has been stolen, never pay a demanded ransom, as there is no guarantee that the actors will actually delete the data.
Tags: Uber, Breach, Ransom

Symantec Releases Security Update (November 21, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding a vulnerability in the “Symantec Management Console.” US-CERT states that a remote threat actor could exploit this vulnerability, registered as “CVE-2017-15527,” to take control of an affected system. Symantec rates this vulnerability at its highest severity level.
Recommendation: Symantec users should review the security advisory, located at “https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20171120_00” and apply the necessary update as soon as possible if it has not been applied already.
Tags: Alert, Vulnerability, Symantec

Mobile Banking Trojan Sneaks Into Google Play Targeting Wells Fargo, Chase and Citibank Customers (November 20, 2017)
A new variant of the mobile banking malware “BankBot” has been identified in applications in the Google Play store, according to a collaborative report by Avast, ESET, and SfyLabs researchers. This version of the BankBot trojan is hidden in applications that purport to be flashlight applications. Other applications identified to contain BankBot are solitaire games and a cleaner application; researchers note that these applications were also observed distributing other malware besides BankBot. BankBot targets the applications of banks such as Chase, Diba, Citibank, and Wells Fargo. Google has since removed the malicious applications, however, some of them were found to be active until November 17, 2017.
Recommendation: Always keep your mobile phone fully patched with the latest security updates and employ trusted antivirus software. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. As this case shows, malicious applications do occasionally reach the official stores, so also review the permissions an application requests and the comments from others who have downloaded it.
Tags: BankBot, Android, Trojan

Wp-Vcd WordPress Malware Campaign Is Back (November 20, 2017)
Researchers are warning “WordPress” website administrators about the malware called “wp-vcd,” which adds hidden administrator users and can give actors control of affected websites. The malware was discovered by security researcher Manuel D’Orso in the summer of 2017. Researchers have now discovered a new variant that, in addition to the features mentioned above, injects malicious code into the default WordPress themes Twenty Fifteen and Twenty Sixteen. Researchers note that although these default themes are inactive on a large number of sites, an inactive theme does not prevent the injected code from being executed.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: WordPress, wp-vcd

Operation Blockbuster Goes Mobile (November 20, 2017)
Unit 42 researchers from Palo Alto Networks have discovered new malware samples targeting Samsung devices and Korean language speakers. The malware is believed to come from the Lazarus Group, from North Korea. The samples are backdoors with the ability to record from the microphone, capture images from the camera, download/upload files, record GPS position, read contact information, read text messages, and capture WiFi information. It is not currently known how the malware is being delivered.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and never install software from unverified sources.
Tags: Lazarus Group, Backdoor, Android


Source: Honeypot Tech

8 Low or No-Cost Sources of Threat Intelligence

Here’s a list of sites that for little or no cost give you plenty of ideas for where to find first-rate threat intelligence.
Source: Vulnerabilities & Threats

10 Reasons to be Thankful for a Security Analyst

The global number of internet users hit 3.8 billion in 2017, and is expected to reach 6 billion by 2022. We’re rapidly approaching the point where people without access to the internet will be in the minority, and where the internet is not only accessible but also ingrained into daily life. Succinctly stated, this is a pretty exciting time for humans.

However, with these technological advancements also comes the sobering realization that more access for the layman means more access for cyber criminals. These people are responsible for over $5 billion in damages in 2017 alone, as well as countless other non-financially related incidents.

Luckily, we have people out on the front lines already – Security Analysts. The title covers a range of specific job functions, but each one contributes in some way to the defense of individuals, organizations, and nations. This Thanksgiving we’d like to give thanks to these hardworking individuals. There are as many reasons to be thankful for an analyst as there are threat alerts in a day, but for the sake of brevity here are ten of our favorites:

1) They’re incredible detectives – Working as an analyst is a mix of technical research, intelligence analysis, and communicating results. They’re responsible for investigating tiny, seemingly inconsequential clues so they can piece together a larger underlying scheme. All of this depends on a strong foundational core of deductive reasoning and logical rigor. They’re the modern-day Sherlock Holmes.

2) They’re great researchers – Security analysts have a penchant for attention to detail, problem solving, and thorough research. Much of this work may take place on their own time and dime, but it’s critical in helping to spur technological innovations and identifying areas that need improvement. Researchers Billy Rios and Jonathan Butts published findings this year identifying how to weaponize a car wash, proving that even the most unsuspecting of items can be dangerous.

3) They balance between two worlds – Working as an analyst doesn’t just mean understanding what’s going on in the security stack. It also means being able to effectively communicate critical events to executives and security leadership like CISOs. This can be a challenge considering the general lack of understanding not only for security best practices but also for core aspects of the internet and technologies themselves. There’s no Google translate for tech (yet).

4) Their work never, ever ends – One of the key functions of a security analyst is to triage as many alerts as possible in a day to determine whether they’re benign or truly dangerous. Sounds easy enough, right? Perhaps, were it not for the fact that these alerts come in the thousands each and every day. No matter how many tools you deploy and staff you employ, your analysts are volunteering to deal with more red flashing lights than America sees at any given Christmas. Alerts aren’t the end of it though – other tasks include conducting research for customers to determine what’s going on in their infrastructure, hiding in underground forums gathering information, or working to piece together security programs.

5) They operate under pressure – Speaking of triaging events, there’s a constant pressure to catch each and every malicious event. Any de-escalated alert may prove to be the one that lets a threat actor in. On the flip side, any false positive may be wasting someone’s time. It’s a constant balancing act. No matter if your organization is large or small, the target or the gateway, or simply collateral damage in a global attack, your analysts know that they’re going to be held accountable for the eventual impact.

6) They work crazy hours – Security analysts aren’t likely to get a lot of sleep. Hours can be painful, particularly if you’re at a security center operating on a 24×7 schedule. Research and requests for information typically have tight turnaround schedules due to the unknown nature of threats. Any investigation is also unlikely to have a clear “end,” because there’s always the possibility that something was missed. More alarming still is the possibility that on any given workday a zero-day exploit could occur, in which case they’re really not going to get to go home and sleep.

7) They’re vocationally oriented – It’s not about the money. Cybersecurity as an industry is vastly underfunded and even more understaffed. Ask an analyst why they’re in the industry and the response will typically be “because they’re passionate about what they’re doing.”

8) They’re crime fighters – Analysts sign up to deal with crazy hours, pressure, and task lists because they’re truly passionate about finding evil and stopping bad guys. Many are responsible for keeping critical infrastructure like our electricity, energy, and public health systems safe. The dangers of these sectors being targeted are very real, and have the potential to seriously harm untold numbers of people.

9) They’re willing to accept risk – The dangers of cyber threats aren’t limited to the masses. Analysts themselves can be targeted by threat actors. Earlier this year a researcher from FireEye was hacked by unknown attackers, who defaced his social media sites and published private data. In a move reminiscent of Richard Connell’s “The Most Dangerous Game,” threat hunters might find themselves the hunted.

10) They’re just plain fun –  Despite the ever-present dangers to themselves and the systems they’re responsible for, analysts are an incredibly eclectic and entertaining community. All the proof you need comes from this year’s Derbycon 7.0. A participant by the name of Grifter found a cockroach in his milkshake at a nearby restaurant, later tweeting out a warning to others and naming him Trevor. As the restaurant was fumigated, fellow Derbycon participants created a memorial outside in Trevor’s honor. Trevor was later inducted as a Saint in the Church of WiFi, starred in a commemorative film about himself, and made an appearance on Twitter. Funds have even been raised in his honor for disaster relief in Puerto Rico. RIP Trevor.

#TrevorForget  (Photo credit to Steve Ragan @SteveD3)


Source: Honeypot Tech

WTB: Cobalt Strikes Again: Spam Runs macros and CVE-2017-8759 Exploit Against Russian Banks

The section below contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: APT, Brute force attacks, Holiday scams, Malspam, Phishing, Preinstalled features, Ransomware, Targeted attacks, Threat group, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Cobalt Strikes Again: Spam Runs macros and CVE-2017-8759 Exploit Against Russian Banks (November 20, 2017)
The financially motivated Advanced Persistent Threat (APT) group “Cobalt” is behind a new spear phishing campaign targeting European financial organizations, according to Trend Micro researchers. The group tailors its spear phishing emails for different target banks. Researchers note that Cobalt previously used spam emails to target banking customers and that these new spear phishing emails represent a change in tactics. The emails were observed to exploit a code injection/remote code execution vulnerability, registered as “CVE-2017-8759,” in Microsoft’s .NET Framework. The RTF file attachment requires a user to enable macros to run a PowerShell command that eventually downloads and executes a backdoor from a remote server.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Threat group, Cobalt, Spear phishing, Targeted attacks, Financial institutions

0000 Cryptomix Ransomware Variant Released (November 17, 2017)
The security researcher known as “MalwareHunterTeam” has discovered a new variant of the “Cryptomix” ransomware. The new variant is dubbed “0000” because of the extension added to encrypted files. As of this writing, researchers have not published the distribution method used by the actors behind this ransomware; however, they do note that users should be cautious when opening attachments from unverified senders.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.
Tags: Ransomware, Cryptomix variant, 0000

Holiday Scams and Malware Campaigns (November 16, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert reminding users to be vigilant while shopping online this holiday season. US-CERT warns that threats will come in various forms such as emails and e-cards that may contain malicious links, and fake advertisements or shipping notifications that may carry malware-infected attachments. In addition, spoofed email addresses and fake social media posts are also expected during the upcoming holiday season.
Recommendation: Users should be aware that the holiday season gives threat actors an opportunity to generate illicit revenue because of the significant increase in online shopping. The threats mentioned by US-CERT can result in theft of sensitive data, such as Personally Identifiable Information (PII) and credit card information, as well as identity theft and security breaches. Users should avoid following links or downloading attachments from unknown sources, and take note when known email addresses begin sending messages or attachments that do not align with their typical behavior.
Tags: Alert, Holiday scams, Malware, US-CERT

Ransomware-Spreading Hackers Sneak in Through RDP (November 15, 2017)
Sophos researchers have found that threat actors are exploiting weak passwords on the Remote Desktop Protocol (RDP) service of Microsoft Windows machines to install ransomware. RDP is frequently exposed to the internet so that IT staff, who are often an outsourced part of a company, can administer machines remotely. Threat actors use a tool called “NLBrute” to try numerous passwords against an RDP account in a brute-force attack. Actors may also mine social media for likely password components such as a birthday or a pet’s name.
Recommendation: Compromising RDP accounts is by no means a new tactic. It is crucial that RDP accounts have strong passwords, that access to RDP is restricted via firewalls and Network Level Authentication (NLA) rather than exposed directly to the internet, and that failed RDP logons are monitored so that a brute-force run is noticed before a password is guessed.
Tags: Ransomware, Brute force attacks, Microsoft RDP
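The monitoring side of that recommendation is straightforward to implement. Below is an added example written for this digest (not Sophos code) that detects an RDP brute-force run and, more importantly, the successful logon that follows it, from Windows Security audit events. The event records are constructed and simplified: a real 4625 (failed logon) or 4624 (successful logon) record carries the same values in its IpAddress, LogonType and TargetUserName fields, and LogonType 10 (RemoteInteractive) is what identifies an RDP session. The threshold and window are assumptions to tune for your environment.

```python
"""Detect RDP password brute forcing, and a subsequent successful RDP logon,
from Windows Security events 4625/4624.

Added example for this digest; it is not Sophos code. SAMPLE_EVENTS is
constructed and simplified: real records carry these values in the
IpAddress, LogonType and TargetUserName fields. LogonType 10 is
RemoteInteractive, i.e. RDP; type 3 (network) logons are deliberately ignored.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10            # this many RDP failures from one source IP ...
WINDOW = timedelta(minutes=5)  # ... inside this window => brute force
RDP_LOGON_TYPE = "10"

# Constructed sample: one host hammering RDP with several account names and
# then getting in, one admin who mistyped once, one non-RDP failure.
SAMPLE_EVENTS = """timestamp,event_id,logon_type,account,source_ip
2017-11-14T02:00:01,4625,10,administrator,203.0.113.50
2017-11-14T02:00:09,4625,10,administrator,203.0.113.50
2017-11-14T02:00:17,4625,10,admin,203.0.113.50
2017-11-14T02:00:25,4625,10,admin,203.0.113.50
2017-11-14T02:00:33,4625,10,backup,203.0.113.50
2017-11-14T02:00:41,4625,10,backup,203.0.113.50
2017-11-14T02:00:49,4625,10,jsmith,203.0.113.50
2017-11-14T02:00:57,4625,10,jsmith,203.0.113.50
2017-11-14T02:01:05,4625,10,administrator,203.0.113.50
2017-11-14T02:01:13,4625,10,administrator,203.0.113.50
2017-11-14T02:01:21,4624,10,jsmith,203.0.113.50
2017-11-14T02:03:00,4625,10,aadmin,198.51.100.10
2017-11-14T02:03:20,4624,10,aadmin,198.51.100.10
2017-11-14T02:04:00,4625,3,svc_backup,10.0.0.12
"""


def detect_rdp_brute_force(csv_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (severity, source_ip, detail) alerts.

    'medium' fires the first time `threshold` RDP failures from one source IP
    fall inside a sliding `window`; 'high' fires when a later RDP logon from
    a flagged IP succeeds, which is the ransomware entry case Sophos describes.
    """
    recent_fails = defaultdict(list)  # source_ip -> failure timestamps in window
    flagged = set()
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["logon_type"] != RDP_LOGON_TYPE:
            continue  # network/batch/service logons are a different signal
        ts = datetime.fromisoformat(row["timestamp"])
        ip = row["source_ip"]
        if row["event_id"] == "4625":
            window_fails = recent_fails[ip]
            window_fails.append(ts)
            # Slide the window: forget failures older than `window`.
            while window_fails and ts - window_fails[0] > window:
                window_fails.pop(0)
            if len(window_fails) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("medium", ip,
                               f"{len(window_fails)} RDP logon failures within {window}"))
        elif row["event_id"] == "4624" and ip in flagged:
            alerts.append(("high", ip,
                           f"successful RDP logon as {row['account']} after brute force"))
    return alerts


if __name__ == "__main__":
    for severity, ip, detail in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(f"[{severity}] {ip}: {detail}")
```

Keyed on source IP, this catches a single NLBrute host; an actor rotating source addresses or spraying one password across many accounts needs the same logic keyed on target account as well. Either way, the 'high' alert is the one to page on: a success after a run of failures means a password was guessed, and the ransomware typically follows within the same session.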

New Emotet Hijacks a Windows API, Evades Sandbox and Analysis (November 15, 2017)
A new variant of the banking trojan “Emotet” is being distributed via phishing emails, according to Trend Micro researchers. The emails attempt to trick the recipient into following a link that leads to a document containing a malicious macro; if macros are enabled, the infection process for Emotet begins. Researchers note that this variant also includes an anti-analysis technique: it checks whether it is running inside an analysis platform that scans for malicious activity and changes its behaviour to avoid detection.
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. Emails that ask the recipient to follow a link and then enter credentials are often an indicator of a phishing attack.
Tags: Phishing, Trojan, Emotet

Muddying the Water: Targeted Attacks in the Middle East (November 14, 2017)
A new campaign has been found to be targeting Middle Eastern countries, according to Unit 42 researchers. The malicious activity is attributed to a new threat group dubbed “MuddyWater.” While researchers found that Middle Eastern nations were the primary targets, other countries such as India and the U.S. were also targeted. Researchers discovered that the group’s initial infection vector is a PowerShell-based first stage backdoor dubbed “PowerStats” that is delivered via malicious documents. The documents vary depending on which country is being targeted and include images familiar to the recipient, such as government branches, to make the recipient more willing to enable macros.
Recommendation: The impersonation of government agencies continues to be an effective malware distribution tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. In the case of infection, the affected system should be wiped and reformatted. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: Targeted Attacks, Threat group, MuddyWater

17-Year-Old MS Office Flaw Lets Hackers Install Malware Without User Interaction (November 14, 2017)
Researchers are warning Microsoft Office users to be extra cautious when opening Office file attachments because of a 17-year-old vulnerability. Specifically, the vulnerability is a memory corruption flaw, registered as “CVE-2017-11882,” that resides in “EQNEDT32.exe,” which is present in all versions of Microsoft Office and the Windows operating system released in the past 17 years. EQNEDT32.exe is the Microsoft component responsible for inserting equations (OLE objects) into documents. Threat actors can exploit this vulnerability to remotely install malware on target machines without any user interaction, such as enabling macros, being required.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Vulnerability, Microsoft office
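Because the flaw lives in the Equation Editor component rather than in a macro, macro-focused controls do not cover it, so it is worth hunting for the component behaving abnormally. The PowerShell below is an added example, not code from the briefing or from Microsoft: it reads Sysmon process-creation events (event ID 1) and reports any process whose parent is EQNEDT32.EXE, which has no legitimate reason to spawn shells, script hosts or downloaders. It assumes Sysmon is installed and logging to its operational channel; the 24-hour window is a placeholder.

```powershell
# Added example (not from the briefing): hunt for processes spawned by the
# Equation Editor component (EQNEDT32.EXE) using Sysmon process-creation events.
# Assumptions: Sysmon is installed and writing to Microsoft-Windows-Sysmon/Operational;
# the 24-hour lookback is a placeholder.

function Get-EquationEditorChildProcesses {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # EQNEDT32.EXE is started via DCOM on behalf of Office and normally
        # creates no children at all, so any child process is worth triage.
        if ($d.ParentImage -match '(?i)\\EQNEDT32\.EXE$') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Host        = $e.MachineName
                User        = $d.User
                Parent      = $d.ParentImage
                Image       = $d.Image
                CommandLine = $d.CommandLine
            }
        }
    }
}

Get-EquationEditorChildProcesses -Hours 24 | Format-Table -AutoSize -Wrap
```

Run this across a fleet (for example via `Invoke-Command`) after the November updates are deployed; any hit on an unpatched host is a likely exploitation attempt and the document that preceded it should be pulled for analysis.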

Microsoft November Patch Tuesday Fixes 53 Security Issues (November 14, 2017)
Microsoft has issued security updates as part of its November Patch Tuesday that affect the following products: ASP.NET Core, ChakraCore, Internet Explorer, Microsoft Edge, .NET Core, several Office offerings, and the Windows operating system. Researchers note two vulnerabilities, registered as “CVE-2017-11830” and “CVE-2017-11887,” that stand out in this month’s Patch Tuesday. CVE-2017-11830 can be exploited to allow an actor to bypass Windows Device Guard, and CVE-2017-11887 can be exploited to bypass macro execution protection in Microsoft Excel. The latter is expected to be exploited by actors in the near future because of how frequently malicious macro documents are used in phishing attacks.
Recommendation: Your company should have policies in place to prepare for Patch Tuesday every month because, as this month’s release shows, patched vulnerabilities are sometimes used in common attack vectors.
Tags: Vulnerabilities, Patch Tuesday, Microsoft

Adobe Patches Security Bugs in Flash Player and Eight Other Products (November 14, 2017)
Adobe has released its monthly security updates for November, which affect nine products. Overall, Adobe issued patches for 85 vulnerabilities, several of which could be exploited to allow remote code execution. The affected products are Adobe Acrobat and Reader, Adobe Connect, Adobe DNG Converter, Adobe Digital Editions, Adobe Experience Manager, Adobe Flash Player, Adobe InDesign, Adobe Photoshop CC, and Adobe Shockwave Player.
Recommendation: Patch Tuesday should be expected every month in order to apply the latest security patches to software utilized by your company. In Adobe’s case, it is common for new vulnerabilities to be identified quite regularly. Utilizing the automatic update feature in Flash Player is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Vulnerabilities, Patch Tuesday, Adobe

OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices (November 14, 2017)
A mobile security researcher, known by the alias “Elliot Alderson,” discovered an application present on some, if not all, “OnePlus” devices. The application, called “EngineerMode,” is reported to be vulnerable to exploitation by threat actors in a way that could allow it to function as a backdoor. Researchers believe that the features in EngineerMode are the same features one would find in a diagnostic application engineers use to test phones prior to shipping them. An actor with physical access to a OnePlus device could run a command to take full control of the device. In addition, the researcher says that this is the first batch of information regarding OnePlus devices and that more will be released in the near future.
Recommendation: Preinstalled features of this kind can remain hidden from even the most cautious of users. If devices affected by this feature are being used by your company, they should be properly inspected and the unwanted feature removed.
Tags: Mobile, Preinstalled threat, OnePlus

XZZX Cryptomix Ransomware Variant Released (November 13, 2017)
A new variant of Cryptomix ransomware, dubbed “XZZX Cryptomix” after the extension it appends to encrypted files, has been identified in the wild, according to Bleeping Computer researchers. In addition to the change in the file extension added to encrypted files, this variant also changes the actor email addresses that victims are told to contact for payment information. The ransomware is able to function with no network communication because it embeds 11 public RSA-1024 encryption keys, which are used to encrypt the AES key that in turn encrypts a user’s files.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a restorable backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Furthermore, your company should have a business continuity policy in place in the case of a ransomware infection.
Tags: Ransomware, Cryptomix variant, XZZX
Source: Honeypot Tech