Author: Blog

It’s another day-late weekly update courtesy of another hectic week. Scott and I were at NDC Sydney doing a bunch of talks and other events and I just simply didn’t get time to push this out until sitting at the airport waiting for the plan home.

The threat landscape is changing once again, now that the ocean of cryptocurrency miners has shrunk to a small lake. Over the last couple months, we’ve seen cybercriminals lean back on tried and true methods of financial theft and extortion, with the rise of a familiar Banking Trojan: Emotet.

However, over the last few days, we’ve noticed a large increase in malicious spam spreading Emotet, as well as a higher number of detections from our customers. Looks like we’re in the middle of an active Emotet campaign.

What is Emotet?

For those who are unfamiliar, Emotet is a nasty piece of malware that has had numerous purposes over the years, including stealing data and eavesdropping on network traffic. For its latest trick, Emotet is spreading other banking Trojans, or malware that steals your financial information, bank logins, and in some cases, Bitcoin wallets.

Emotet has the ability to propagate through a network by using the popular EternalBlue vulnerability, first seen in use in the famous WannaCry ransomware outbreak. This functionality makes the malware even more dangerous to businesses, which have numerous endpoints linked together.

Once a system is infected, Emotet can then spread itself outside the network via built-in spam module. Imagine an Emotet-infected endpoint as a flower. Emotet’s spam module, then, would be the bees that spread pollen from flower to flower. The spam module sends new infections to other systems, which (if the users fall victim) creates even more new infections, which then blast spam to even more systems. And the process continues again.

Now, accelerate our metaphorical pollination process by at least 1000x, and you can begin to see how Emotet is quickly making a lot of…um, flowers…for businesses.

Spam campaign

Recently, the security community noticed an increase in malicious spam either spreading Emotet or coming from systems infected with Emotet. In addition to Emotet, this malspam campaign is also pushing Trickbot, a popular information-stealing malware that we spoke about last year when unused code was discovered using the same exploit as WannaCry.

We’re seeing a large #Emotet spam campaign with maldocs, originally spewing malicious Word documents, but now sending out PDFs. At its peak, we blocked over 300k spam emails in 3 hrs. Detection name: TrojanDownloader:PDF/Domepidief.A https://t.co/pWja45EInR pic.twitter.com/8uAdQ6d7v3

— Windows Defender Security Intelligence (@WDSecurity) September 18, 2018

This spam campaign is pushing malicious documents to users: first Microsoft Word documents with malicious macro scripts and then PDFs with built-in malicious scripts. This method of attack (malspam), using these specific file types (malicious documents), has become the de-facto default method of spreading malware today.

Malicious spam emails that are spreading Emotet and Trickbot right now have similar subject lines. Below is a list of common subject lines for this campaign:

Sales Invoice Account September Invoice **** from **** Statement 20/09/2018 for customer **** Your Invoice: **** - Our Ref: **** Account Alert - Your recent Wellsfargo payment notice Activity Alert: Money transfer details Activity Alert: Your recent payment notification Payment details Your recent payment notice August Invoice **** Invoice **** from **** Invoice for August Invoice **** - **** Invoice No - **** Invoice number **** Invoice **** from **** for Order : **** Invoices from **** INV-**** **** Complete invoice **** **** report: Complete invoice Q7370 - 21 September 2018 OVERDUE INVOICE Re: Your recent invoice request for your account Sales invoice from **** **** Invoice Ready To View September Invoice INV-B58986 from **** SERVICE INVOICE **** Invoice/Credit **** Statements/Invoices Ready To View Your **** Invoice for billing period 08/2018

Despite headlines now at least a couple years old, the InfoSec world is still (largely) playing lip-service to the lack of security talent and the growing skills gap.

So far this year I think I’ve attended 20+ security conferences around the world – speaking at many of them. Along the way I got to chat with hundreds of attendees and gather their thoughts on what they hoped to achieve or learn at each of these conferences.

The Canadian government is seeking a company that will scour social media and the dark web for data on Canadians’ use of cannabis. The request comes just weeks before recreational pot use becomes legalized on October 17.

account owner used the Account Activity API (AAAPI) to allow other developers access to that account’s data

HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute arbitrary code via a dial-in session that provides a FAX page with the JPEG bit enabled, which is mishandled in FaxModem::writeECMData() in the faxd/CopyQuality.c++ file.

A security researcher has publicly disclosed an unpatched zero-day vulnerability in all supported versions of Microsoft Windows operating system (including server editions) after the company failed to patch a responsibly disclosed bug within the 120-days deadline.

The rise of credential stuffing attacks globally is made possible by the tendency of customers’ re-using the same credentials across different websites and attackers’ easy access to stolen credential lists.

A zero day vulnerability in the Microsoft Windows Jet Database Engine has been disclosed by TrendMicro’s Zero Day Initiative even though a security update is not currently available from Microsoft.

This vulnerability was discovered by Lucas Leong of the Trend Micro Security Research team and could allow attackers to perform remote code execution on a vulnerable machine. To initiate this attack, a specially crafted Jet database file would need to be opened, which would then perform an out-of-bounds write to the program’s memory buffer. This would then lead to remote code execution on the targeted Windows computer.

This vulnerability has been assigned the ZDI-18-1075 ID and is stated to affect “Windows”. It is not known if all versions of Windows are affected by this vulnerability.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the management of indexes in the Jet database engine. Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process.”

As Microsoft has not released a security update for this vulnerability, the disclosure states that the only way to prevent this attack is to only open trusted Jet database files.

“Given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the application to trusted files.”

After publishing the article, we were notified that 0Patch have released 3rd party micropatches that resolve this vulnerability. They have also confirmed that this vulnerability affects Windows 10, Windows 8.1, Windows 7, and Windows Server 2008-2016.

We’re happy to announce general availability of two free micropatches for the Jet Engine Out-Of-Bounds Write vulnerability disclosed yesterday by @thezdi. These micropatches apply to fully updated 32bit and 64bit:

– Windows 10
– Windows 8.1
– Windows 7
– Windows Server 2008-2016 pic.twitter.com/Du1cTFafiM

— 0patch (@0patch) September 21, 2018

Disclosed without available update

When the Zero Day Initiative (ZDI) reports a vulnerability to a vendor, they allow the vendor 4 months (120 days) to fix the vulnerability and release a patch. If a vendor does not release a fix within that time frame or provide a reasonable reason for not doing so, ZDI will publicly disclose the vulnerability. 

“If a vendor response is received within the timeframe outlined above, ZDI will allow the vendor 4-months (120 days) to address the vulnerability with a security patch or other corrective measure as appropriate,” is stated in the ZDI disclosure policy. “At the end of the deadline, if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation in an effort to enable the defensive community to protect the user. We believe that by taking these actions, the vendor will understand the responsibility they have to their customers and will react appropriately. Extensions to the 120-day disclosure timeline will not be granted. “

This policy is in place to basically force the vendor to release a patch in a timely manner.

According to ZDI, this vulnerability was disclosed to Microsoft on 05/08/18 and Microsoft confirmed receipt on 05/14/18. T

he timeline below, shows that Microsoft began working on a patch but had an issue with it. Due to this they were not able to get the fix released as part of the September 2018 Patch Tuesday updates.

05/08/18 - ZDI reported the vulnerability to the vendor and the vendor acknowledged the report 05/14/18 - The vendor replied that they successfully reproduced the issue ZDI reported 09/09/18 - The vendor reported an issue with the fix and that the fix might not make the September release 09/10/18 - ZDI cautioned potential 0-day 09/11/18 - The vendor confirmed the fix did not make the build 09/12/18 - ZDI confirmed to the vendor the intention to 0-day on 09/20/18

Simple Authentication and Security Layer (SASL) is an authentication layer used in Internet protocols. SASL is not a protocol, but rather a framework that provides developers of applications and shared libraries with mechanisms for authentication, data integrity–checking, and encryption.

Advertisement

Editor’s Picks

Pig farmers want human diners to bite into the delicious pork they produce, not for swine to bite each other. (Yes, it happens.) Now, using 3D cameras and machine-vision algorithms, scientists are developing a way to automatically detect when a pig might be about to chomp down on another pig.

As enterprises around the world deal with legislative backlash following years of unfettered data collection, companies are confused about how to achieve compliance not only with the General Data Protection Regulation (GDPR), but also with California’s Consumer Privacy Act (CCPA). If you are one of them, rest assured that you are not alone in your confusion — and you’d better believe there’s more to come.

Executive Summary

Developed during World War II, CARVER is a tool for assessing and ranking threats and opportunities. It can be both offensive and defensive, meaning it can be used for identifying your competitors’ weaknesses and for internal auditing. CARVER can help risk management professional think through an asset’s criticality, accessibility, recoverability, vulnerability, effect, and recognizability. Since it draws on both qualitative and quantitative data, CARVER can be applied in almost any scenario that is analyzed and discussed in an organized, logical way. It can be highly useful if you need to, for example, defend a budget request or a strategic plan to company leadership. Because it helps you articulate an efficient story using numeric values, CARVER can be used to clarify mission objectives — whether on the battlefield or in the boardroom.

The Trump administration’s new cyber strategy out this week isn’t much more than a stringing together of previously considered ideas.

Detect ‘18 began this year with keynote addresses from Hugh Njemanze and General Colin L. Powell, USA (Ret.). Anomali announced in their keynote the launch of a new Threat Platform and developer SDKs. The Anomali Threat Platform delivers a comprehensive threat detection, analysis, and response suite and is comprised of five core capabilities:

Executive Summary

Corporate directors and executives alike recognize that today’s pace of change continues to accelerate and that firms need to innovate to stay ahead. But are boards doing enough to support innovation, as they should? We conducted a survey of over 5,000 board members from around the world to find out. We found that, overall, innovation does not rank as a top strategic challenge for the majority of boards. Although directors in certain industries are more cognizant of the threat of disruption, the widespread lack of board-level engagement in innovation processes could be a major blind spot and a potential liability. Fewer than one-third (30%) of respondents see innovation as one of the top three challenges their company faces in achieving its strategic objectives, and just 21% think that technology trends are a major strategic challenge. Innovation ranks fifth, after more-conventional concerns such as attracting and retaining top talent and the regulatory environment. Boards’ abilities to foster innovation clearly fall short when compared with their other activities.

Tech Bureau which is a well-known Japanese cryptocurrency exchange has been hacked by criminals. The results of infiltration is a theft of $60M worth of digital assets. This is a e yet another report of a successful operation against such targets.

The use of AI and machine learning in cybersecurity is on the rise. These technologies can deliver advanced insights that security teams can use to identify threats accurately and in a timely fashion. But these very same systems can sometimes be manipulated by rogue actors using adversarial machine learning to provide inaccurate results, eroding their ability to protect your information assets.

[unable to retrieve full-text content]