Anomali Weekly Threat Intelligence Briefing – March 21, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

McDonalds India’s App Was a Golden Honeypot (March 19, 2017)
According to researchers, approximately 2.2 million users of McDonalds India’s mobile application have had their Personally Identifiable Information (PII) leaked through a misconfigured server. The PII consists of email address, full name, home address and coordinates, phone number, and social profile links.
Recommendation: Identity theft is always a risk when user information is entered into any kind of account. Therefore, information should only be entered into services provided by trusted vendors, and careful monitoring of financial statements should always be practiced.
Tags: Data leak, PII

Google Points to Another POS Vendor Breach (March 17, 2017)
Security researcher Brian Krebs discovered that the organization Select Restaurants Inc., which owns multiple restaurants around the continental U.S., appears to have been compromised with Point of Sale (POS) malware. KrebsOnSecurity was contacted by financial institutions’ anti-fraud teams who were attempting to identify the source of numerous instances of fraudulent transactions. This prompted a quick Google search by Krebs which revealed that Select Restaurants’ website “may be hacked.” As of this writing, the company has not commented on the purported breach.
Recommendation: POS systems need to be carefully maintained and kept up to date with the newest software patches because they are frequent targets of threat actors, especially in the U.S., where chip-and-PIN technology has taken longer to become commonplace than in other countries and regions. In the case of a POS infection, all systems that process financial data should be taken offline and reformatted to ensure the malware has been properly removed before they are reconnected to the network.
Tags: POS malware, Credit card theft

Star Trek Themed Kirk Ransomware Brings us Monero and a Spock Decryptor! (March 16, 2017)
An Avast malware researcher has discovered a new Star Trek themed malware dubbed “Kirk Ransomware.” The Kirk Ransomware is written in Python and uses Monero, which is similar to the Bitcoin system, for its victims to submit payments for decryption. Researchers note that this malware may be the first of its kind to use Monero currency for payment. Kirk Ransomware increases the ransom payment the longer a victim waits. At the time of this writing, one Monero (XMR) is equivalent to $23.27; the first ransom demand is 50 XMR ($1,163.84).
Recommendation: Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors, and prevent ransom from being a profitable business for cyber criminals.
Tags: Ransomware

Trend: Ransomware Hidden in NSIS Installers Harder to Detect (March 16, 2017)
Researchers have discovered a trend among ransomware threat actors: they are beginning to pack their malware inside Nullsoft Scriptable Install System (NSIS) installers. Actors are using the legitimate installer framework, combined with encryption, to hide their malicious code. The malware loads into a Windows computer’s memory, decrypts, and then executes. NSIS ransomware is primarily distributed through spam campaigns that contain JavaScript downloaders (some also contained inside ZIP files), malicious Office documents, and .LNK files that contain PowerShell scripts, all of which lead to downloads of malicious NSIS installers.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a usable backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications that are not offered from the official website of the provider/developer.
Tags: Ransomware, NSIS Installers

MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks (March 15, 2017)
A new Point of Sale (POS) malware dubbed “MajikPOS” has been observed attacking targets in the wild with unique features, according to Trend Micro researchers. MajikPOS is capable of using Remote Access Trojans (RATs) to attack its target endpoints. The malware has been identified attacking Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) services by testing generic credentials and brute-forcing accounts. MajikPOS scrapes Random Access Memory (RAM) for the presence of credit card data from multiple card vendors, which is then sent to a C2 and posted for sale on underground markets.
Recommendation: POS security relies on the same type of preventative measures as all other systems, as POS terminals are a specific type of computer. In the case of a confirmed MajikPOS infection, the POS system should be taken offline until it can be completely wiped and restored to its original factory settings.
Tags: MajikPOS, Malware, Credit card theft, RATs

Blank Slate Malspam Campaign Spreading Cerber Ransomware (March 15, 2017)
A spam campaign dubbed “Blank Slate,” because of its lack of email subject lines, has increased its botnet activity to primarily deliver Cerber ransomware; Sage 2.0 and Locky ransomware were also observed. The emails contain malicious Word documents that warn the recipient to enable macros to properly view the document. If a user enables macros, or opens a .js file, the Word macro or .js file will reach out to a web server to retrieve the malware and begin the infection process.
Recommendation: Your company should have policies in place that remind your employees to be meticulous and skeptical while reading emails. Anti-spam and antivirus protection should always be employed, and employees should always treat notices of failed financial transactions, poor grammar, and urgent-sounding subject lines with the utmost caution.
Tags: Malspam, Cerber, Ransomware, Phishing

NexusLogger: A New Cloud-based Keylogger Enters the Market (March 15, 2017)
A new keylogger malware dubbed “NexusLogger,” first discovered in late 2016, has been identified as currently targeting individuals via phishing attacks, according to Unit 42 researchers. NexusLogger masquerades as a “Parental Monitoring Software Solution” and is offered for purchase on underground markets for prices ranging from $7 to $199 depending on the length of subscription. Interestingly, the keylogger also specifically targets online game credentials for Minecraft, Origin, Steam, and UPlay.
Recommendation: The impersonation of legitimate services continues to be an effective phishing tactic to deliver malware. All employees should be informed of the threat phishing poses, how to identify such attempts, and inform the appropriate personnel when they are identified. In the case of NexusLogger infection, the affected systems should be wiped and reformatted.
Tags: Keylogger, Malware, Phishing

U.S. Charges Two Russian Spies and Two Hackers for Hacking 500 million Yahoo Accounts (March 15, 2017)
U.S. prosecutors claim that approximately 30 million Yahoo email accounts were targeted in a massive spam campaign in order to gather information on their owners. The targeted individuals consist of journalists, government officials, and technology company employees. Yahoo had previously reported in 2016 that it believed the 2014 incident that compromised over 500 million Yahoo accounts was conducted by a state-sponsored group. The four defendants include two officers from the Russian Federal Security Service (FSB), and two threat actors identified as Alexsey Alexseyevich Belan and Karim Baratov.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security, as well as having prevention and detection capabilities in place. Furthermore, all employees should be educated on the risks of phishing, and how to identify such attempts.
Tags: Malspam, Yahoo, APT

Massive Data Leak in the U.S. Air Force Exposes Details of Over 4,000 Officers (March 15, 2017)
Researchers have discovered that an unnamed U.S. Air Force (USAF) Lieutenant Colonel’s backup drive was misconfigured in a way that could allow anyone to access the sensitive information it contained. An unspecified number of gigabytes of data was found to be accessible, including Personally Identifiable Information (PII) of over 4,000 USAF officers consisting of full names, home addresses, lists of security clearances, phone numbers and contact information of staff and their spouses, and social security numbers.
Recommendation: Identity theft and fraud risks are always present for individuals who do not carefully monitor their credit card statements and online banking activity. Bank accounts and credit card numbers should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. Always monitor your accounts and use identity prevention / fraud prevention services to add an additional layer of security to your accounts.
Tags: Compromise, PII, Identity theft

PetrWrap: The New Petya-Based Ransomware Used in Targeted Attacks (March 14, 2017)
A new campaign has been discovered targeting organizations’ networks in order to download ransomware, according to Kaspersky researchers. The threat actors are targeting servers with unprotected Remote Desktop Protocol (RDP) access. The actors have created a trojan dubbed PetrWrap that is written in C, compiled in MS Visual Studio, and carries version three of Petya ransomware inside. The PetrWrap trojan waits approximately 90 minutes before decrypting the Dynamic Link Library (DLL) of Petya and calling the function that prepares the ransomware for further instructions.
Recommendation: Ensuring that your server is always running the most current software version is vitally important. Additionally, maintaining secure passwords for RDP and other remote access systems is paramount, and passwords should be changed on a frequent basis. Furthermore, always practice Defense in Depth (don’t rely on single security mechanisms – security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, and other machines on the same network should be scanned for other potential infections.
Tags: PetrWrap, Ransomware, Trojan

Adobe Fixes Six Code Execution Bugs in Flash (March 14, 2017)
Adobe has once again released patches for vulnerabilities found in its Flash Player on “Patch Tuesday.” Seven vulnerabilities were patched, six of which could be exploited by threat actors to execute malicious code. The patch covered the following vulnerabilities: one buffer overflow, two memory corruption bugs, and three use-after-free bugs that can trigger code execution.
Recommendation: Patch Tuesday updates should be applied promptly so that the software used by your company is always running the latest security fixes. In Adobe’s case, it is common for new vulnerabilities to be identified quite regularly. Utilizing the automatic update feature in Flash Player is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Adobe, Vulnerabilities

Actively Exploited Struts Flaw Affects Cisco Products (March 13, 2017)
Cisco products have been identified as affected by a newly discovered vulnerability tracked as CVE-2017-5638. The vulnerability affects Cisco Identity Services Engine (ISE), specifically Apache Struts versions 2.3.5 through 2.3.31, 2.5 through 2.5.10, as well as 2.3.32 and 2.5.10. CVE-2017-5638 is a remote code execution vulnerability that has been actively exploited by threat actors in the wild; however, Cisco researchers report that they have not seen attackers specifically target their products.
Recommendation: Zero-day-based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Threat actors are often observed exploiting vulnerabilities even after they have been patched by the affected vendor. Therefore it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.
Tags: Vulnerabilities

Cyberattacks Hits The Dutch After Erdogan Speech (March 13, 2017)
Websites based in the Netherlands have been defaced by a team of threat actors identifying themselves as “PrivateHackers.” These defacements appear to have occurred because of tensions between the Dutch and Turkish governments. The tension arose because the Dutch government barred Turkish officials from holding rallies in Rotterdam. Turkish President Recep Tayyip Erdoğan then accused the Dutch of contributing to the 1995 Srebrenica massacre in Bosnia, in regard to Dutch United Nations peacekeepers’ failure to protect Muslim men who were killed.
Recommendation: This story represents potential threats and attacks that can arise based on current political developments. Therefore, awareness of tension between countries and governments can potentially grant some insight as to where attacks may originate. It is crucial that server software be kept up-to-date with the most current versions, and that all external facing assets are carefully monitored and scanned for unusual activity and vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Defacements

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Cerber Ransomware Tool Tip
Cerber is ransomware that surfaced in January of 2016. Cerber is sold on hacking forums and criminal bulletin board systems. Cerber has been in constant development with version 4 being released around the month of October of 2016. Cerber has been distributed through phishing lures, exploit kits and malvertisement.
Tags: cerber, ransomware

Source: Honeypot Tech

Cisco Issues Advisory on Flaw in Hundreds of Switches

The vulnerability was discovered in WikiLeaks’ recent data dump on the CIA’s secret cyber-offensive unit.
Source: Vulnerabilities & Threats

Zelda-inspired ocarina-controlled home automation

Allen Pan has wired up his home automation system to be controlled by memorable tunes from the classic Zelda franchise.

Zelda Ocarina Controlled Home Automation – Zelda: Ocarina of Time | Sufficiently Advanced

With Zelda: Breath of the Wild out on the Nintendo Switch, I made a home automation system based off the Zelda series using the ocarina from The Legend of Zelda: Ocarina of Time.


Released in 1998, The Legend of Zelda: Ocarina of Time is still an iconic entry in the retro gaming history books.

Very few games have stuck with me in the same way Ocarina has, and I think it’s fair to say that, with the continued success of the Zelda franchise, I’m not the only one who has a special place in their heart for Link, particularly in this musical outing.

Legend of Zelda: Ocarina of Time screenshot

Thanks to Cynosure Gaming‘s Ocarina of Time review for the image.

Allen, or Sufficiently Advanced, as his YouTube subscribers know him, has used a Raspberry Pi to detect and recognise key tunes from the game, with each tune being linked (geddit?) to a specific task. By playing Zelda’s Lullaby (E, G, D, E, G, D), for instance, Allen can lock or unlock the door to his house. Other tunes have different functions: Epona’s Song unlocks the car (for Ocarina noobs, Epona is Link’s horse sidekick throughout most of the game), and Minuet of Forest waters the plants.

So how does it work?

It’s a fairly simple setup based around note recognition. When certain notes are played in a specific sequence, the Raspberry Pi detects the tune via a microphone within the Amazon Echo-inspired body of the build, and triggers the action related to the specific task. The small speaker you can see in the video plays a confirmation tune, again taken from the video game, to show that the task has been completed.

Legend of Zelda Ocarina of Time Raspberry Pi Home Automation system setup image

As for the tasks themselves, Allen has built a small controller for each action, whether it be a piece of wood that presses down on his car key, a servomotor that adjusts the ambient temperature, or a water pump to hydrate his plants. Each controller has its own small ESP8266 wireless connectivity module that links back to the wireless-enabled Raspberry Pi, cutting down on the need for a ton of wires about the home.

And yes, before anybody says it, we’re sure that Allen is aware that using tone recognition is not the safest means of locking and unlocking your home. This is just for fun.

Do-it-yourself home automation

While we don’t necessarily expect everyone to brush up on their ocarina skills and build their own Zelda-inspired home automation system, the idea of using something other than voice or text commands to control home appliances is a fun one.

You could use facial recognition at the door to start the kettle boiling, or the detection of certain gasses to – ahem! – spray an air freshener.

We love to see what you all get up to with the Raspberry Pi. Have you built your own home automation system controlled by something other than your voice? Share it in the comments below.


Source: RaspberryPi – IOT Anonimo

Source: Privacy Online

Source: Zologic

Advancing security levels for the connected car : the SAFERtec project

Automated vehicles have the potential to revolutionise our day-to-day lives, but these kinds of cyber-physical systems are vulnerable to attack by criminals. “Hackers could blackmail owners of self-driving cars,” says Dr Alexander Kröller of TomTom and of the EU-funded SAFERtec project.
Source: Cybersecurity and digital privacy newsletter

The European Reference Network for Critical Infrastructure Protection: an important part of the EU response to cyber threats

Critical infrastructures such as railway networks, power stations and telephone grids are under daily attack by cyber criminals, according to Georg Peter, who is responsible for the European Reference Network for Critical Infrastructure Protection (ERNCIP).
Source: Cybersecurity and digital privacy newsletter

Getting Beyond the Buzz & Hype of Threat Hunting

When harnessed properly, threat hunting can be one of the most useful techniques for finding attackers in your network. But it won’t happen overnight.
Source: Cyber Monitoring

Advancing cooperation on the data economy – Joint EU – Japan press statement

Andrus Ansip, Vice President of the European Commission; Věra Jourová, Commissioner for Justice, Consumers and Gender Equality; Hiroshige Seko, Minister of Economy, Trade and Industry (METI), Japan; Naoki Ota, Special Advisor to the Minister, Ministry of Internal Affairs and Communications (MIC), Japan; and Haruhi Kumazawa, Commissioner of the Personal Information Protection Commission, Japan, met in Hannover on 20th March 2017 with a view to advancing cooperation on the data economy.
Source: Know your digital rights – respect your privacy

ICT Proposers' Day 2017

This networking event centres on European ICT Research and Innovation with a special focus on the Horizon 2020 Work Programme for 2018-20.
Source: Cybersecurity and digital privacy newsletter

JavaWatch automated coffee replenishment system

With the JavaWatch system from Terren Peterson, there’s (Raspberry Pi) ZERO reason for you ever to run out of coffee beans again!

By utilising many of the Amazon Web Services (AWS) available to budding developers, Terren was able to create a Pi Zero-powered image detection unit. Using the Raspberry Pi Camera Module to keep tabs on your coffee bean storage, it automatically orders a fresh batch of java when supplies are running low.

JavaWatch Sales Pitch

Introducing JavaWatch, the amazing device that monitors your coffee bean supply and refills from

Coffee: quite possibly powering Pi Towers’ success

Here at Pi Towers, it’s safe to say that the vast majority of staff members run on high levels of caffeine. In fact, despite hitting ten million Pi boards sold last October, sending two Astro Pi units to space, documenting over 5,000 Code Clubs in the UK, and multiple other impressive achievements, the greatest accomplishment of the Pi Towers team is probably the acquisition of a new all-singing, all-dancing coffee machine for the kitchen. For, if nothing else, it has increased the constant flow of caffeine into the engineers…and that’s always a positive thing, right?

Here are some glamour shots of the beautiful beast:

Pi Towers coffee machine glamour shot

Anyway, back to JavaWatch

Terren uses the same technology that can be found in an Amazon Dash button, replacing the ‘button-press’ stimulus with image recognition to trigger a purchase request.

JavaWatch flow diagram

Going with the JavaWatch flow… 
Image from Terren’s project page.

“The service was straightforward to get working,” Terren explains on his freeCodeCamp blog post. “The Raspberry Pi Camera Module captures and uploads photos at preset intervals to S3, the object-based storage service by AWS.”

The data is used to calculate the amount of coffee beans in stock. For example, the jar in the following image is registered at 73% full:

A jar which is almost full of coffee beans

It could also be 27% empty, depending on your general outlook on life.

A second photo, where the beans take up a mere 15% or so of the jar, registers no beans. As a result, JavaWatch orders more via a small website created specifically for the task, just like pressing a Dash button.

JavaWatch DRS Demo

Demonstration of DRS Capabilities with a project called JavaWatch. This orders coffee beans when the container runs empty.

Terren won second place in the Amazon DRS Developer Challenge for JavaWatch. If you are in need of regular and reliable caffeine infusions, you can find more information on the build, including Terren’s code, on his project page.

Source: RaspberryPi – IOT Anonimo

HakTip 149 – Linux Terminal 201: Installing and Updating Packages

Today on HakTip we’re discussing packages in Linux: how to install and update packages for software!

Packages come as .deb files for Debian-style distros, like Ubuntu. A package consists of its package files, repositories, and dependencies.

Commands used in this episode:
apt-get update
sudo apt-get install firefox
sudo apt-cache search firefox
dpkg --install name.deb
sudo apt-get install -f
sudo apt-get install package1 package2 package3
sudo apt-get remove package
dpkg --list
dpkg --status firefox
apt-cache show firefox
dpkg --search thefile

Source: Security news