A Review of the Best News of the Week on Cyber Threats & Defense

Saks, Lord & Taylor Hit by Data Breach Impacting 5M Cardholders (eWEEK, Apr 02 2018)
High-end retailers Saks Fifth Avenue and Lord & Taylor are the latest victims of a data breach, though it’s currently unclear how attackers were able to steal the data.

The SamSam Ransomware That Hit Atlanta Will Strike Again (Wired, Mar 30 2018)
Atlanta isn’t the SamSam ransomware strain’s first victim—and it won’t be the last.

Who and What Is Coinhive? (Krebs on Security, Mar 26 2018)
Multiple security firms recently identified cryptocurrency mining service Coinhive as the top malicious threat to Web users, thanks to the tendency for Coinhive’s computer code to be used on hacked Web sites to steal the processing power of its visitors’ devices. This post looks at how Coinhive vaulted to the top of the threat list less than a year after its debut, and explores clues about the possible identities of the individuals behind the service.

Sponsored by LogRhythm
SIEM Magic Quadrant
Gartner Positions LogRhythm in SIEM Leaders Quadrant for 5th Consecutive Year. Get the report

Coinhive Exposé Prompts Cancer Research Fundraiser (Krebs on Security, Mar 30 2018)
A story published by Krebs revealed the real-life identity behind the original creator of Coinhive — a controversial cryptocurrency mining service that several security firms have recently labeled the most ubiquitous malware threat on the Internet today. In an unusual form of protest against that story, members of a popular German language image-posting board founded by the Coinhive creator have vented their dismay by donating tens of thousands of euros to local charities that support cancer research.

Adding Backdoors at the Chip Level (Schneier on Security, Mar 26 2018)
Interesting research into undetectably adding backdoors into computer chips during manufacture

Forgot About Default Accounts? No Worries, GoScanSSH Didn’t (Cisco Talos, Mar 29 2018)
During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet.

Another Branch Prediction Attack (Schneier on Security, Mar 29 2018)
When Spectre and Meltdown were first announced earlier this year, pretty much everyone predicted that there would be many more attacks targeting branch prediction in microprocessors.

One Year Later, Hackers Still Target Apache Struts Flaw (SecurityWeek, Mar 26 2018)
One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers.

Attackers Shift From Adobe Flaws to Microsoft Products (Dark Reading, Mar 27 2018)
Seven of the Top 10 most commonly exploited vulnerabilities in 2017 were Microsoft-related – not Adobe Flash as in years past, Recorded Future found.

MITRE Evaluates Tools for APT Detection (Dark Reading, Mar 30 2018)
A new service from MITRE will evaluate products based on how well they detect advanced persistent threats.

Hackers hit 911 system, emergency dispatch affected (Naked Security – Sophos, Mar 29 2018)
We don’t know what the attackers were after, but they managed to knock down one server that supported Baltimore’s emergency dispatching.

New Sanny info-stealer campaign targets government agencies with evolved malware (SC Magazine, Mar 27 2018)
Researchers this month discovered a new spear phishing campaign targeting government agencies with an evolved version of Sanny malware, a five-year-old information-stealer that now features a multi-stage infection process, whereby each stage is downloaded from the attacker’s server.

Hackers using tiny malware PinkKite to steal credentials from POS machines (SC Magazine, Mar 29 2018)
Point-of-Sale endpoint malware PinkKite – less than 6k – has memory-scraping & data validation tools, steals credentials and credit card data.

Deconstructing a Business Email Compromise Attack (Dark Reading, Mar 29 2018)
How a tech-savvy New Jersey couple outwitted a German hacker group and saved their home and life savings.

“Fauxpersky” Credential Stealer Spreads via USB Drives (SecurityWeek, Mar 29 2018)
A recently discovered credential stealing malware is masquerading as Kaspersky Antivirus and spreading via infected USB drives, according to threat detection firm Cybereason.

MuslimCrypt Steganography App Helps Jihadists Send Secret Messages (Wired, Mar 29 2018)
The unfortunately named MuslimCrypt uses steganography to pass discreet messages through images online.

Cloudflare Launches Free Secure DNS Service (SecurityWeek, Apr 02 2018)
Cloudflare launched a new free service, designed to improve both the speed and the security of the internet, on April Fool’s Day (4/1/2018). But this is no joke. The idea is that 4/1 is geekery four ones, or — the name and heart of the new service.

VMware Acquires Threat Detection and Response Firm E8 Security (SecurityWeek, Mar 30 2018)
VMware announced this week that it has acquired threat detection and response company E8 Security, whose technology will be used to improve the Workspace ONE digital workspace platform. This is the third acquisition made by VMware in less than two months.

Drupal releases patch fixing “highly critical” flaw (WeLiveSecurity, Mar 30 2018)
The update plugs a security hole that exposes a million Drupal websites to attacks

The current state of USB data protection (Help Net Security, Mar 30 2018)
This is not surprising considering only 48 percent of employees surveyed are required to seek permission for external USB use and only 15 percent surveyed actually ask for permission. And while 50 percent of companies have a policy requiring reporting of lost / stolen USB devices, an astounding 87 percent of employees have lost a USB drive and failed to notify their employer.