A Review of the Best News of the Week on Cyber Threats & Defense

Signed Malware (Schneier on Security, Feb 02 2018)
Stuxnet famously used legitimate digital certificates to sign its malware. A research paper from last year found that the practice is much more common than previously thought.

AutoSploit: Automated Hacking Tool Set to Wreak Havoc or a Tempest in a Teapot? (SecurityWeek, Feb 01 2018)
AutoSploit is a tool designed to automate the use of Metasploit exploits. It was announced on Twitter on Wednesday. “I just released AutoSploit on #Github. #Python based mass #exploit #tool. Gathers targets via #Shodan and automatically invokes selected #Metasploit modules to facilitate #RCE,” announced Twitter user VectorSEC, Wednesday. Just to be clear, this tool automatically finds vulnerable targets and uses Metasploit exploits to provide remote code execution for the user.

Google’s DoubleClick network exploited to serve cryptominers (SC Magazine, Jan 29 2018)
A malvertising campaign was observed exploiting Google’s DoubleClick network to deliver silent cryptominers on high-traffic sites.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Now even YouTube serves ads with CPU-draining cryptocurrency miners (Ars Technica, Jan 30 2018)
Word of the abusive ads started no later than Tuesday, as people took to social media sites to complain their antivirus programs were detecting cryptocurrency mining code when they visited YouTube. The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to times when users were on YouTube.

Smominru! Half a million PCs hit by cryptomining botnet (The State of Security, Feb 05 2018)
A Monero-mining botnet called Smominru is said to have infected 526,000 Windows PCs since May 2017 and is earning millions of dollars for its operators.

Mac crypto miner distributed via MacUpdate, other software download sites (Help Net Security, Feb 05 2018)
Software download site/aggregator MacUpdate has been spotted delivering a new Mac crypto miner to users.

Achieving zero false positives with intelligent deception (Help Net Security, Jan 30 2018)
There are four kinds of breadcrumbs that can combine to thwart an attacker as they seek evidence of credential and connection that they require to complete their mission of theft and destruction. These are:
1) Credential and Active Directory breadcrumbs, 2) File and data breadcrumbs, 3) Network breadcrumbs, and 4) Application breadcrumbs.

Trend Micro: Beware Digital Extortion Attacks This Year (Infosecurity Magazine, Jan 30 2018)
Cyber-criminals will find new ways to blackmail and extort organizations and individuals in 2018, supercharging ransomware, launching online smear campaigns and firing out targeted attacks aimed at key facilities, according to Trend Micro.

Widespread API use heightens cybersecurity risks (Help Net Security, Jan 31 2018)
A new Imperva survey showed a heightened concern for cybersecurity risk related to API use. Specifically, 63 percent of respondents are most worried about DDoS threats, bot attacks, and authentication enforcement for APIs.

Evolving to Security Decision Support: Visibility is Job #1 (Securosis Blog, Feb 01 2018)
“What you need is a better way to assess your organizational security posture, determine when you are under attack, and figure out how to make the pain stop. This requires a combination of technology, process changes, and clear understanding of how your technology infrastructure is evolving toward the cloud. This is no longer just assessment or analytics – you need something bigger and better. It’s what we now call Security Decision Support (SDS). Snazzy, huh?”

Oracle patches POS vulnerability affecting 300,000 systems (SC Magazine, Feb 05 2018)
Oracle recently patched a Micros point-of-sale vulnerability which could have allowed an unauthenticated attacker to read any file and receive information.

Cisco plugs critical hole in many of its enterprise security appliances (Help Net Security, Jan 30 2018)
There’s an eminently exploitable remote code execution flaw in the Adaptive Security Appliance (ASA) Software running on a number of Cisco enterprise appliances, and admins are advised to plug the hole as soon as possible.

5 Open Source SIEM Tools Worth Checking Out (DevOps, Jan 26 2018)
There are a number of SIEM tools on the market, both open source and commercial. With the rise of DevOps, containers and other modern application development methods, the open source solutions are seeing a resurgence of interest.

Poor Visibility, Weak Passwords Compromise Active Directory (Dark Reading, Feb 01 2018)
Security experts highlight the biggest problems they see putting Microsoft Active Directory at risk.

Hospital MRI and CT scanners at risk of cyberattack (Naked Security – Sophos, Feb 01 2018)
In total, 81 NHS health trusts were affected by WannaCry ransomware, resulting in cancelled operations, thousands of missed appointments, and staff being locked out of computers.

Attackers Exploiting Unpatched Flaw in Flash (Krebs on Security, Feb 02 2018)
Adobe warned on Thursday that attackers are exploiting a previously unknown security hole in its Flash Player software to break into Microsoft Windows computers. Adobe said it plans to issue a fix for the flaw in the next few days, but now might be a good time to check your exposure to this still-ubiquitous program and harden your defenses.

Look Out: Chrome Extension Malware Has Evolved (Wired, Jan 30 2018)
You already know to be wary of third-party Android apps, and even to watch your back in the Google Play Store. A flashlight app with only 12 reviews might be hiding some malware as well. But your hyper-vigilant download habits should extend beyond your smartphone. You need to keep an eye on your desktop Chrome extensions as well.

Threat Intelligence: Putting It All Together (Recorded Future, Jan 29 2018)
New features in Recorded Future’s offering: First — the ability for users to write their own notes, research, conclusions right inside Recorded Future, completely integrated within the end-user environment. Second — the ability to integrate external data streams with Recorded Future — such as FS-ISAC, Verizon DBIR, various commercial and open source feeds, or for that sake, internal corporate feeds.

AMD plans silicon fix for Spectre vulnerability (Network World Security, Feb 02 2018)
AMD intends to have a silicon fix for the variant 2 of the Spectre exploit, the only one of the Meltdown and Spectre exploits it’s vulnerable to, by 2019.

Phishing emails impersonate FBI’s Internet Crime Complaint Center (SC Magazine, Feb 02 2018)
The FBI has issued a warning that scammers are crafting phishing emails that impersonate the agency’s Internet Crime Complaint Center, claiming recipients were recently defrauded, and in some cases offering restitution if the individuals provide personal information.