One of the things that shouldn't surprise me but does is the level of effort that malware authors take to continually improve their code, making it more virulent and potent. There are several examples in today's newsletter, including a new version of Spectre that can operate across networks, a new Trojan that improves its ability to hide from detection, improvements to the Hide 'N Seek botnet and a new adware delivery tool that is making its way across European websites. Yes, you always have to be on the alert.
-- David Strom, editor of Inside Security, St. Louis MO, @dstrom
1. Academic researchers have discovered a more virulent form of the Spectre attack. This one can be launched across network connections, rather than direct physical contact as was previously found. It is a cacheless version that relies on AVX state and instructions to create a covert channel. You can read a pre-print of their paper here. It is being called NetSpectre, and could allow attackers to extract data from CPU memory. The team worked with Intel back this spring, and patches are already available to fix the issue. Lots more background in the link here. -- ARS
2. A new remote access trojan is now available for sale on the dark web. Called Parasite HTTP, it comes with a variety of tools to evade detection and analysis, such as sandbox detection, anti-debugging, anti-emulation and a built-in sleep timer. While it has only been seen in a small malware campaign that targets internal corporate email distribution lists, it has the potential to do some major damage. The sandbox detector is notable in that it can crash the malware later, making it harder for researchers to track its sneakiness. -- PROOFPOINT
3. A French security researcher has stumbled upon a new adware delivery scheme. It involves clone websites that use legitimate-looking domain names to trick victims into downloading famous apps, which are actually laced with adware. The malware mimics French and Spanish versions of KeePass, 7-Zip, Audacity and numerous others. – BLEEPING COMPUTER
4. Here is research about the P2P-centric Hide ‘N Seek botnet. It now also includes exploits to target home automation systems and devices. As you can see from the above timeline, it has been continuously improved since its first discovery. What makes this botnet interesting is that its authors are careful to test new features to make sure they actually work as intended. – FORTINET BLOG
5. If you get caught up in infosec jargon, this book might be useful for your internal clients. Called The Language of Cybersecurity, it covers 52 different terms that every businessperson should know. Each term (such as zero days, social engineering and sandboxing) is defined and has an accompanying essay that explains its context and why it is important to understand the term. The book covers vulnerabilities, defenses, and compliance terms. You can purchase the book now or subscribe to the site’s RSS feed and get a new term each week if you don’t mind waiting.
6. Researchers have found a new hacking group called Leafminer. Their target is mostly government organizations in the MidEast and they make use of a variety of tools, including watering holes (with details shown here), brute-force and dictionary password attacks to steal confidential data. – SYMANTEC BLOG
7. Here is a free auditing tool that can discover unsecured Windows service accounts, Active Directory domain and local administrator accounts. Called Discovery Tool, it comes from Bomgar, which also has paid security solutions in this market. You can see a selected sample report below. -- BOMGAR (reg. req.)
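As an added illustration (not Bomgar's Discovery Tool, and not code from the newsletter), here is a read-only PowerShell check that covers, on a single host, two of the things such a tool looks for: services running under accounts other than the built-in service identities, and the members of the local Administrators group. It assumes PowerShell 5.1 or later on Windows; the optional third step, which flags domain service accounts whose password never expires, only runs if the RSAT ActiveDirectory module (Get-ADUser) is installed. Function names are mine, and the output is whatever the host reports.

```powershell
# Added example, not Bomgar's Discovery Tool: a read-only, single-host audit of
# (1) services running under non-built-in accounts, (2) local Administrators
# membership and (3) password policy of domain service accounts (optional).
# Run in an elevated PowerShell 5.1+ session on the host you want to inspect.

# Built-in service identities that are expected; anything else deserves review.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-NonBuiltInServiceAccounts {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartName -and
            ($builtIn -notcontains $_.StartName) -and
            ($_.StartName -notlike 'NT SERVICE\*')   # per-service virtual accounts
        } |
        Select-Object Name, DisplayName, StartName, StartMode, State
}

function Get-LocalAdministrators {
    # Microsoft.PowerShell.LocalAccounts module; domain groups appear here too.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-DomainServiceAccountPolicy {
    param([object[]]$Services)
    # Optional step: only runs when the RSAT ActiveDirectory module is present.
    if (-not (Get-Command Get-ADUser -ErrorAction SilentlyContinue)) { return }
    $Services |
        Where-Object { $_.StartName -like '*\*' -and $_.StartName -notlike '.\*' } |
        ForEach-Object {
            $sam = ($_.StartName -split '\\')[-1]
            # Managed service accounts (names ending in '$') are handled by AD; skip.
            if ($sam.EndsWith('$')) { return }
            $user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires, PasswordLastSet `
                               -ErrorAction SilentlyContinue
            if ($user) {
                [pscustomobject]@{
                    Service              = $_.Name
                    Account              = $_.StartName
                    PasswordNeverExpires = $user.PasswordNeverExpires
                    PasswordLastSet      = $user.PasswordLastSet
                }
            }
        }
}

$svc = Get-NonBuiltInServiceAccounts
Write-Host '== Services running under non-built-in accounts =='
$svc | Format-Table -AutoSize | Out-Host
Write-Host '== Local Administrators =='
Get-LocalAdministrators | Format-Table -AutoSize | Out-Host
Write-Host '== Domain service accounts: password policy (needs AD module) =='
Get-DomainServiceAccountPolicy -Services $svc | Format-Table -AutoSize | Out-Host
```

A service whose logon account is a named user (especially a domain user with a password that never expires) is the kind of finding the newsletter item refers to; this script only lists candidates and changes nothing, so review each one before deciding whether it should move to a managed service account or a virtual account.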
8. You have probably heard that the WPA protocol is going through a major update. This post provides a few things you should know about this v3, including better security for public wireless networks, and backward compatibility with earlier WPA versions. It will be available later this year. – SECURITY BOULEVARD
9. Last year this firm introduced a project to make pentesting more approachable. This is the second such report, called Under the Hoodie. It shows that they are able to gain access to networks two-thirds of the time using a variety of techniques, almost always via some kind of server misconfiguration. The report highlights a few of their engagements to show you how they penetrated a client's network and what data they found. -- RAPID 7 (pdf)
10. There were three notable acquisitions last week:
Swift on Security reminds us to be careful about those “quick” fixes that can have rolling implications more than a decade later. – SWIFTONSECURITY @ TWITTER