A Review of the Best News of the Week on Cyber Threats & Defense

How will WPA3 improve WiFi security? (WeLiveSecurity, Feb 09 2018)
For those who usually work remotely and use public WiFi networks in coffee shops, hotels or at airports, WPA3 will be a robust solution to privacy problems. This is because by applying individualized data encryption – where every connection between a device and a router will be encrypted with a unique key – it seeks to further mitigate the risk of Man-in-the-Middle (MitM) attacks.

New Zero-Day Ransomware Evades Microsoft, Google Cloud Malware Detection (Dark Reading, Feb 07 2018)
Google Drive and Microsoft Office 365, both of which have built-in malware protection, failed to identify a new form of Gojdue ransomware dubbed Shurl0ckr. The zero-day ransomware evaded most major antivirus platforms: only seven percent of 67 tested tools detected it.

U.S. Spies, Seeking to Retrieve Cyberweapons, Paid Russian Peddling Trump Secrets (The New York Times, Feb 12 2018)
After months of secret negotiations, a shadowy Russian bilked American spies out of $100,000 last year, promising to deliver stolen National Security Agency cyberweapons in a deal that he insisted would also include compromising material on President Trump…

Covert Data Channel in TLS Dodges Network Perimeter Protection (Threatpost, Feb 05 2018)
Researchers have released a proof-of-concept framework for a new covert channel for data exchange using the Transport Layer Security (TLS) protocol. The method exploits the public key certificate standard X.509 and could allow for post-intrusion C2 communication and data exfiltration to go unnoticed despite network perimeter protections.

Air Gap Hacker Mordechai Guri Steals Data With Noise, Light, and Magnets (Wired, Feb 07 2018)
Researcher Mordechai Guri has spent the last four years exploring practically every method of stealthily siphoning data off of a disconnected computer.

Intel releases new Spectre microcode update for Skylake; other chips remain in beta (Ars Technica, Feb 07 2018)
Previous microcode update was reported to cause unwanted system reboots.

20 Signs You Need to Introduce Automation into Security Ops (Dark Reading, Feb 08 2018)
“How can organizations approach automation intelligently and identify areas that are good candidates for automation? To answer this question, I offer 20 additional questions…”

Water Utility in Europe Hit by Cryptocurrency Malware Mining Attack (eWEEK, Feb 08 2018)
Unauthorized cryptocurrency mining attacks come to industrial control systems for the first time, as cryptojacking attacks continue to grow.

99 percent of domains are not protected by DMARC (Help Net Security, Feb 08 2018)
Essentially every global domain is vulnerable to phishing and domain name spoofing. A new report incorporates data from Agari, revealing that 90 percent of its customers have been targeted by domain name fraud.

Researchers find malware samples that exploit Meltdown and Spectre (Network World Security, Feb 08 2018)
As of Feb. 1, antivirus testing firm AV-TEST had found 139 malware samples that exploit Meltdown and Spectre. Most are not very functional, but that could change.

Cryptomining script poisons government websites – What to do (Naked Security – Sophos, Feb 11 2018)
The infection source in this case seems to have been browsealoud DOT com, a service run by a company called Texthelp Limited. The browsealoud site serves up JavaScript that can convert pages on your website to speech, in order to help out visitors who aren’t fluent in English, or who aren’t good at reading.

Domain Theft Strands Thousands of Web Sites (Krebs on Security, Feb 12 2018)
Newtek Business Services Corp. [NASDAQ:NEWT], a Web services conglomerate that operates more than 100,000 business Web sites and some 40,000 managed technology accounts, had several of its core domain names stolen over the weekend. The theft shut off email and stranded Web sites for many of Newtek’s customers.

Winter Olympics Site Taken Out for 12 Hours (Infosecurity Magazine, Feb 12 2018)
Russia suspected of pre-ceremony cyber-attack.

Flaw in Grammarly’s extensions opened user accounts to compromise (Help Net Security, Feb 06 2018)
A vulnerability in the Grammarly Chrome and Firefox extensions allowed websites to read users’ authentication tokens and use them to log in to the users’ Grammarly accounts and access all the (potentially sensitive) information held in them.

One Computer Can Knock Almost Any WordPress Site Offline (SecurityWeek, Feb 06 2018)
As if there aren’t enough ways to attack a WordPress site, an Israeli researcher has published details of how almost anyone can launch a denial of service (DoS) attack against almost any WordPress site with just one computer. That, he suggests, is almost 30% of all websites on the internet.

Cisco takes a second crack at fixing critical ASA bug (SC Magazine, Feb 06 2018)
Cisco Systems on Monday released a second fix for a critical vulnerability in the XML parser of its Adaptive Security Appliance (ASA) after finding additional attack vectors and learning that its previous repair job was insufficient.

Tennessee Hospital Hit With Cryptocurrency Mining Malware (Dark Reading, Feb 08 2018)
Decatur County General Hospital is notifying 24,000 patients of cryptocurrency mining software on its EMR system.

Hotspot Shield Vulnerability Could Reveal ‘Juicy’ Info About Users, Researcher Claims (Threatpost, Feb 07 2018)
While an argument can be made that attacks via this vulnerability would be limited to LANs since the server is installed on a user’s device, the technique known as DNS rebinding could be employed to attack via WANs, Yibelo added. “In a DNS rebinding, any website can simply create a DNS name that they are authorized to communicate with, and then make it resolve to localhost or 127.0.0.1 (making it accessible from the WAN),” he wrote.

Zerodium Offers $45,000 for Linux 0-Days (SecurityWeek, Feb 09 2018)
Hackers willing to find unpatched vulnerabilities in the Linux operating system and report them to exploit acquisition firm Zerodium can earn up to $45,000 for their findings, the company announced on Thursday.

How to automate threat hunting (CSO Online, Feb 08 2018)
For example, let’s say a file is created on a server. The name of the file might be quite conventional, earning that file-name factor a rating of 1. The fact that the file was created by a superuser might earn the file-creator factor a rating of 10. Because the file was created at 3 am on a Saturday morning when the data center was empty, analysts might decide to assign the factor of the time of file creation a rating of 10, as well.
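The factor-rating idea above, as an added illustration that is not code from the article: each factor (file name, creator, creation time) gets its own rating function, the ratings are summed, and events at or above a threshold are surfaced for the hunter. The events, rating values, regex and threshold are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample file-creation events (not from the article).
# Feb 5 2018 is a Monday; Feb 10 2018 is a Saturday.
EVENTS = [
    {"path": "/var/log/app/server.log", "creator": "appsvc", "created": "2018-02-05T14:12:00"},
    {"path": "/opt/app/config.conf", "creator": "root", "created": "2018-02-10T03:00:00"},
    {"path": "/tmp/.x", "creator": "root", "created": "2018-02-10T03:04:00"},
    {"path": "/home/alice/report.txt", "creator": "alice", "created": "2018-02-10T03:30:00"},
]

# Assumed convention: plain alphanumeric name with a familiar extension.
CONVENTIONAL_NAME = re.compile(r"^[A-Za-z0-9_-]+\.(log|txt|csv|conf)$")
SUPERUSERS = {"root"}
ALERT_THRESHOLD = 15  # assumed cut-off for surfacing an event

def rate_name(path):
    """Conventional names rate 1; unusual names 5; hidden (dot) files 10."""
    name = path.rsplit("/", 1)[-1]
    if name.startswith("."):
        return 10
    return 1 if CONVENTIONAL_NAME.match(name) else 5

def rate_creator(creator):
    """Creation by a superuser rates 10, any other account 1."""
    return 10 if creator in SUPERUSERS else 1

def rate_time(ts):
    """Weekend, or outside 07:00-19:00, counts as off-hours and rates 10."""
    t = datetime.fromisoformat(ts)
    off_hours = t.weekday() >= 5 or not 7 <= t.hour < 19
    return 10 if off_hours else 1

def score_event(ev):
    """Return (total, per-factor ratings) for one event."""
    factors = {
        "name": rate_name(ev["path"]),
        "creator": rate_creator(ev["creator"]),
        "time": rate_time(ev["created"]),
    }
    return sum(factors.values()), factors

def hunt(events, threshold=ALERT_THRESHOLD):
    """Events whose summed score reaches the threshold, highest score first."""
    hits = [(score_event(ev)[0], ev["path"], score_event(ev)[1]) for ev in events]
    return sorted((h for h in hits if h[0] >= threshold), key=lambda h: h[0], reverse=True)

if __name__ == "__main__":
    for total, path, factors in hunt(EVENTS):
        print(f"{total:3d} {path} {factors}")
```

The article's own scenario (conventional name, superuser, 3 am Saturday) is the second event and sums to 21; a threshold lets the hunter tune how many such events are worth a look.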