A Review of the Best News of the Week on Cyber Threats & Defense

The Inside Story of Equifax’s Massive Data Breach (Bloomberg, Oct 02 2017)
The intruders broke in and then handed off to a more sophisticated team of hackers, the hallmarks of a state-sponsored operation.

Here’s What to Ask the Former Equifax CEO (Krebs on Security, Sep 29 2017)
Richard Smith — who resigned as chief executive of big-three credit bureau Equifax this week in the wake of a data breach that exposed 143 million Social Security numbers — is slated to testify in front of no fewer than four committees on Capitol Hill next week. If I were a lawmaker, here are some of the questions I’d ask when Mr. Smith goes to Washington.

Critical EFI Code in Millions of Macs Isn’t Getting Apple’s Updates (Wired, Sep 29 2017)
Researchers dug into the deep-seated, arcane code in Apple machines known as EFI, and found it’s often dangerously neglected.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Cloudflare CEO: DDOS Attacks Will Now Be ‘Something You Only Read About In The History Books’ (Motherboard, Sep 26 2017)
Starting today, Cloudflare is making protection against DDoS attacks free, regardless of how bad they are.

Cloudflare’s Unlimited DDoS Protection Won’t Kill Off Botnets For Good (Wired, Sep 25 2017)
Cloudflare’s unlimited DDoS protection should help the internet, but its broader ambitions of killing off DDoS for good remain out of reach.

Sophisticated threats? It’s usually the basic ones that get you (Help Net Security, Sep 27 2017)
Why are so many companies still facing the same security challenges? For one thing, it’s hard that security had to come at the expense of usability.

Malware Investigation Leads To Sophisticated Mideast Threat Network (Dark Reading, Sep 27 2017)
The infrastructure behind a web shell used in an attack earlier this year suggests methodical and purposeful threat actors, Palo Alto Networks says.

Exposing the inner-workings of the ransomware economy (Elie on Internet Security and Performance, Sep 09 2017)
Elie Bursztein (on Google’s anti-abuse team) sheds light on the inner workings of ransomsphere economics and expose which cybercriminal groups are the biggest earners.

Behind the Masq: Yet more DNS, and DHCP, vulnerabilities (Google Online Security Blog, Oct 02 2017)
Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices. Dnsmasq is widely used both on the open internet and internally in private networks. Google discovered seven distinct issues over the course of their regular internal security assessments.

FBI’s secret iPhone hacking tool must stay under wraps, court rules (Naked Security – Sophos, Oct 02 2017)
That’s it, case closed: the media companies that filed a Freedom of Information Act request can’t appeal

Splunk steps up its enterprise security game (CSO Online, Sep 29 2017)
Splunk made several enterprise security announcements at its annual user conference.

Threat Analysis: Don’t Forget About Kangaroo Ransomware (Carbon Black, Oct 02 2017)
With advanced samples taking up most of the media bandwidth, it’s easy to forget there are many other ransomware families out there with more being written every day. The Kangaroo family of Ransomware is one of those. While this variant may not be using sophisticated APT exploits like other notorious families such as WannaCry and NotPetya, there are some unique factors that should be noted.

Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112 (McAfee Blogs, Oct 02 2017)
A memory corruption bug in UDP fragmentation offload (UFO) code inside the Linux kernel can lead to local privilege escalation. In this post, McAfee examines this vulnerability and its accompanying exploit.

The Phishing Kill Chain – Reporting (PhishMe, Oct 02 2017)
Part 5 in a series on being “Left of Breach” in the Phishing Kill Chain. In part 4, PhishMe looked at Simulation Delivery, and stress the importance of utilizing methods that model malicious actors and advanced persistent threats. This post now takes a closer look at developing reporters in your company environment. This point in The Phishing Kill Chain is where we break from the standard model. It is where we switch from defensive mode to proactive threat management.