Inside Security (Mar 9th, 2018)

David’s take

It has been another busy week for attackers, with sightings of two older malware families, Dofoil and GandCrab, showing that malware authors continue to dust off old code and reuse it for new attacks. Microsoft managed to stop most of the Dofoil attacks with its own AV tool. One flyer reports issues with the Fly-Fi wireless service on JetBlue planes, thanks to a misconfigured SSL certificate. Issues with Jive and Exim server code mean that you will want to ensure you have the latest versions running, and there is lots more in today's edition.

Also, if you aren't yet a premium subscriber, you missed my analysis of the latest trends in phishing and security awareness. Given all the acquisitions in this space by larger companies, it may be time to pay more attention. Go to our Premium page and sign up; subscription plans start at $10/month, with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually devoted to a single analysis topic.

-- David Strom, editor of Inside Security

Top Story: Government watchdogs aren’t happy, both here and overseas

Two reports from government watchdog agencies, one here and one in the UK, both find fault with security practices. Let's start here. Auditors from the Department of Homeland Security's Inspector General found dozens of antiquated systems running old OS versions and software that hadn't been patched in years, on both classified and unclassified networks. Three Windows Server 2003 systems hadn't been updated since July 2015, which is when Microsoft ended official support. Homeland Security is reportedly taking corrective steps.

Moving across the pond, a new report by the UK Department for Digital, Culture, Media and Sport, written in conjunction with the National Cyber Security Centre, includes guidelines on how manufacturers, industry and government should work together to improve the resilience of Internet-connected IoT devices. The report recommends a coordinated approach by government and industry to build in security by design. This isn't a new concept, but it is one worth spending some time on, particularly if you are an IoT developer: "There is a need to move away from placing the burden on consumers to securely configure their devices and instead ensure that strong security is built in by design." The report includes a recommended code of practice for IoT vendors.

Attacks

A new strain of the GandCrab ransomware has been discovered by researchers. It comes with new command and control servers, new file extension markers, and new information in its ransom note (shown here). – BLEEPING COMPUTER

Apparently the vendor that operates many in-flight Wi-Fi systems has a certificate problem, and fixing it requires an IT tech to manually update each plane's server with the correct certificate. This screenshot was taken on a recent JetBlue flight. – JASON RABINOWITZ @ TWITTER

The open source mail server software Exim has a serious vulnerability (a one-byte heap overflow in its base64 decoder, CVE-2018-6789) that can give attackers remote code execution. The bug goes back to the first version of Exim, which means that more than 400,000 mail servers (some sources say millions) are at risk. Users are urged to upgrade to v4.90.1 as soon as possible. – DEVCO BLOG
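The first thing a practitioner wants after reading that is a quick way to tell whether a given Exim install is below the fixed release. The following is an added example, not code from the Exim project or the DEVCO blog: it parses the first line of `exim -bV` output and compares the version against 4.90.1. The sample output strings are constructed for the example. One caveat: distribution packages (Debian, Ubuntu, Red Hat) often backport the fix while keeping the old upstream version string, so a "vulnerable" result here means "check your package changelog", not "definitely exploitable".

```python
"""Added example: flag Exim builds older than the 4.90.1 fix from `exim -bV` output."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Upstream release that closed the base64 decoder overflow.
FIXED_VERSION = (4, 90, 1)

# Constructed samples of what `exim -bV` prints on its first line; the real
# command goes on to list build options, lookups and so on.
SAMPLE_VULNERABLE = "Exim version 4.89 #1 built 12-Feb-2018 10:15:01\nCopyright (c) University of Cambridge\n"
SAMPLE_FIXED = "Exim version 4.90.1 #1 built 10-Feb-2018 10:15:01\n"
SAMPLE_NEWER = "Exim version 4.91 #2 built 12-Apr-2018 10:15:01\n"

# Exim versions are "major.minor" or "major.minor.patch"; anchor on the line start.
_VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)


def parse_exim_version(bv_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `exim -bV` output, or None if absent."""
    match = _VERSION_RE.search(bv_output)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_upstream_vulnerable(bv_output: str) -> Optional[bool]:
    """True if the upstream version is below the fix, False if not, None if unparseable.

    'Upstream' matters: a distro build reporting 4.89 may already carry the backported fix.
    """
    version = parse_exim_version(bv_output)
    if version is None:
        return None
    return version < FIXED_VERSION


def check_local_exim() -> Optional[bool]:
    """Run the installed binary (exim or Debian's exim4) and classify it; None if not installed."""
    exe = shutil.which("exim") or shutil.which("exim4")
    if exe is None:
        return None
    proc = subprocess.run([exe, "-bV"], capture_output=True, text=True, check=False)
    return is_upstream_vulnerable(proc.stdout)


if __name__ == "__main__":
    verdict = check_local_exim()
    if verdict is None:
        print("exim not found or version line not recognised")
    elif verdict:
        print("upstream version is below 4.90.1: confirm the distro has backported the fix, or upgrade")
    else:
        print("version is 4.90.1 or later")
```

Run it on the mail host itself; it needs no network access and only executes `exim -bV`, which any local user can run.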

Refund fraud is a pervasive form of merchant abuse in which a threat actor purchases a product online and, after delivery, falsely claims that there was a problem with the delivery, prompting the company to issue a refund so the actor keeps the item at no cost. Criminals also offer fake receipts for sale on the dark web. -- FLASHPOINT

A new wave of Dofoil botnet attacks was spotted by Microsoft earlier this week: the trojan attempted to install a cryptocurrency miner on up to 80,000 PCs. Windows Defender blocked the infections, most of which hit Turkish and Russian machines.

Jive Software's Jive-n intranet platform had an XML external entity (XXE) injection bug in its file upload function, which attackers could leverage to escalate application privileges. After working with the researchers, Jive has fixed the issue. – RHINO LABS
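XXE in an upload handler is a recurring pattern, so here is the boundary check a practitioner would want regardless of the product. This is an added example, not Jive's code and not from the Rhino Labs writeup: it parses a client-supplied XML document with Python's expat parser and aborts the moment a DOCTYPE, entity declaration or external entity reference appears, which is what every XXE payload and every entity-expansion bomb relies on. Python's own expat does not fetch external entities unless asked, but Java's default DocumentBuilder and several other parsers do, so refusing DTD constructs at the upload boundary is the portable fix. The benign upload and the two hostile payloads are constructed for the example.

```python
"""Added example: reject DTD constructs in uploaded XML before any parser can resolve them."""
import xml.parsers.expat as expat
from typing import Dict, List


class UnsafeXmlUpload(ValueError):
    """Raised when an upload carries DTD constructs a client has no business sending."""


# Constructed samples: a normal profile upload, a classic XXE payload that would make a
# DTD-resolving parser read /etc/passwd into <name>, and a small entity-expansion bomb.
BENIGN_UPLOAD = b'<?xml version="1.0"?><profile><name>alice</name><role>user</role></profile>'
XXE_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE profile [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<profile><name>&xxe;</name></profile>'
)
ENTITY_BOMB = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
    b'<profile>&lol2;</profile>'
)


def parse_upload_strict(data: bytes) -> Dict[str, List[str]]:
    """Parse uploaded XML into {element: [text, ...]}, refusing any DTD machinery.

    The DOCTYPE and entity handlers raise before expat has a chance to resolve
    anything, so external entities (XXE), parameter entities and expansion bombs
    never get past this function.
    """
    parser = expat.ParserCreate()
    texts: Dict[str, List[str]] = {}
    open_tags: List[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlUpload(f"DOCTYPE {name!r} not allowed in uploads")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlUpload(f"entity declaration {name!r} not allowed in uploads")

    def on_external_entity(context, base, sysid, pubid):
        # Defence in depth: unreachable once DOCTYPE is refused, but never fetch anything.
        raise UnsafeXmlUpload(f"external entity reference {sysid!r} refused")

    def on_start(tag, attrs):
        open_tags.append(tag)
        texts.setdefault(tag, []).append("")

    def on_end(tag):
        open_tags.pop()

    def on_chars(chunk):
        # expat may deliver one element's text in several chunks; concatenate them.
        if open_tags:
            texts[open_tags[-1]][-1] += chunk

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return texts


def is_safe_upload(data: bytes) -> bool:
    """Convenience wrapper for an upload handler: True only if the document parses cleanly."""
    try:
        parse_upload_strict(data)
        return True
    except (UnsafeXmlUpload, expat.ExpatError):
        return False


if __name__ == "__main__":
    for label, payload in (("benign", BENIGN_UPLOAD), ("xxe", XXE_UPLOAD), ("bomb", ENTITY_BOMB)):
        print(label, "accepted" if is_safe_upload(payload) else "rejected")
```

If the application legitimately needs a DTD for its own schema, validate against a DTD you ship rather than one the client supplies, and still disable external entity resolution in whatever parser sits behind the check.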

The Docket

Japan's financial regulator will hit several cryptocurrency exchanges with administrative punishment notices and is considering forcing some to suspend their business. It has found what appear to be money laundering issues and lax procedures for protecting customers' funds. – REUTERS

Tools

This recently updated post is useful for Windows admins who aren't aware of the numerous utilities that can help lock down Active Directory and Windows domains properly. It is a long list of to-do items, to be sure, covering group policies, EMET, AppLocker, LAPS and other tools for maximum security. One caveat: Microsoft has set EMET's end of support for July 2018, with its mitigations folded into Windows Defender Exploit Guard on Windows 10, so plan the migration rather than a fresh EMET rollout. – ADSECURITY

Researchers have developed a technique called CIGslip that bypasses Code Integrity Guard (CIG), the Microsoft Edge mitigation that restricts which DLLs the browser may load, while mimicking natural Windows DLL loading from disk. The technique abuses a process that does not have CIG enabled to inject code into a protected target. This serves as an entry point for an attacker to load any kind of code, malicious or benign, into Microsoft Edge, and it could have serious hacking potential. – MORPHISEC BLOG

The interactive malware analysis sandbox service Any.Run has announced that its free community version is open to the public. With Any.Run you upload a file and interact with the sandbox in real time while it analyzes your file. This lets you work with programs that require you to click on buttons, or malicious documents that require you to enable content or macros. The sandbox captures all network interactions and process calls, which helps in understanding what a piece of malware is actually doing. -- ANY.RUN

Reports

A survey of 1,200 IT managers from 17 countries found that only half of those who paid the ransoms recovered their data. Those that didn’t pay fared better: 87 percent were able to recover their data. Insider threats decreased substantially, compared to last year. Respondents said their biggest obstacles were lack of skilled personnel, low infosec awareness and too much data to analyze. – IMPERVA REPORT

SonicWall issued its 2018 Cyber Threat Report. It found that 9.3B malware attacks were recorded last year, an 18.4 percent year-over-year increase. Ransomware attacks fell from 638M to 184M between 2016 and 2017. The pattern of infected apps changed somewhat from 2016 to 2017, as shown here. – SONICWALL

Just for fun

Agreed —TECHBYTOM @ TWITTER

Many thanks to Inside Security's corporate supporters. Please go check them out!

Endgame

Endgame's endpoint security platform protects the world’s largest organizations from targeted attacks, eliminating the time & cost associated with incident response. Learn more

 

Nok Nok Labs has the ambition to transform authentication, by unifying it into one standard protocol, giving business the control they need. Learn more

