A Review of the Best News of the Week on Cyber Threats & Defense

Hotel Rooms Around the World Susceptible to Silent Breach (SecurityWeek, Apr 25 2018)
“This was not some Joe-average researcher, and we have always been 100% sure that the laptop was stolen.” Hirvonen explained the process of developing a master card to access a room.

How many threats hit the mainframe? No one really knows (Help Net Security, Apr 24 2018)
Mainframes can run 1.1 million transactions per second and are at the core of the technology strategies within the worldwide financial markets. In 2017, IBM launched a new mainframe capable of running 12 billion encrypted transactions a day. Why, despite the fact that businesses can’t afford a costly breach, is mainframe security still not getting enough attention?

RSAC 2018: Dynamic? Dead? Disappearing? What’s Up With the Perimeter (The Duo Blog, Apr 23 2018)
Overheard at RSAC 2018: The disappearing perimeter. The data perimeter. The shifting perimeter. A dynamic perimeter. The death of the concept of a trusted network. Software-defined perimeters. Zero-trust security model.

Threat Intel: Finding Balance in an Overcrowded Market (Dark Reading, Apr 23 2018)
Industry insiders discuss how threat intelligence has changed and what may happen as the market becomes increasingly saturated.

It’s Time to Take GitHub Threats Seriously (Dark Reading, Apr 24 2018)
There’s a good chance your company has projects on the source code management system, but the casual way many developers use GitHub creates security issues.

Non-Malware Attacks: What They Are and How to Protect Against Them? (Infosec Island, Apr 26 2018)
Basically, hackers have found a way to turn Windows against itself and carry out fileless attacks using built-in Windows tools.

BGP leaks and cryptocurrencies (Cloudflare, Apr 24 2018)
The broad definition of a BGP leak would be IP space that is announced by somebody not allowed by the owner of the space. When a transit provider picks up Cloudflare’s announcement of 1.1.1.0/24 and announces it to the Internet, we allow them to do so. They are also verifying using the RIR information that only Cloudflare can announce it to them.

New Crossrider variant installs configuration profiles on Macs (Malwarebytes Labs, Apr 24 2018)
A new variant of the Crossrider adware has been spotted that is infecting Macs in a unique way. For the most part, this variant is still quite ordinary, doing some of the same old things that we’ve been seeing for years in Mac adware. However, the use of a configuration profile introduces a unique new method for maintaining persistence.

PyRoMine Uses NSA Exploit for Monero Mining and Backdoors (Threatpost, Apr 26 2018)
Not just a miner, the malware also sets up a hidden default account with system administrator privileges, to be used for re-infection and further attacks.

Why Information Integrity Attacks Pose New Security Challenges (Dark Reading, Apr 25 2018)
To fight information integrity attacks like the ones recently perpetrated by bots on the FCC’s website, we need to change our stance and look for the adversaries hiding in plain sight.

Golden Galleon Raids Maritime Shipping Firms (Dark Reading, Apr 24 2018)
A new Nigerian criminal gang is launching attacks on the maritime industry.

Hackers Go After X-Ray, MRI Machines for Corporate Espionage (PCMag, Apr 24 2018)
The hacking group Orangeworm has been secretly delivering the Windows-based malware to about 100 different organizations across the world, Symantec said.

Mysterious “double kill” IE zero-day allegedly in the wild (Naked Security – Sophos, Apr 24 2018)
Chinese security company announces Internet Explorer zero-day exploit that’s triggered by Word. So far… that’s all she wrote.

CCleaner attackers gained access to app developer’s network via TeamViewer (SC Magazine, Apr 24 2018)
The adversaries who infected 2.27 million machines last year using a modified version of the computer maintenance app CCleaner were able to pull off the supply chain attack by gaining unauthorized access to the developer’s network using the remote desktop access program TeamViewer.

Europol Smacks Down World’s Largest DDoS-for-Hire Market (Threatpost, Apr 25 2018)
Criminal fantasy dream-site Webstresser[.]org, a DDoS-for-hire market believed to be behind at least 4 million cyberattacks around the world, has served up its last internet-paralyzing traffic tsunami.

“SamSam” ransomware – a mean old dog with a nasty new trick (Naked Security – Sophos, Apr 27 2018)
Rather than snatching away your files, like ransomware does, cryptojackers steal your processing power and your electricity instead. This means that the crooks earn a tiny bit of money from every victim for as long as they’re infected, rather than taking the all-or-nothing approach of ransomware, where victims face a stark choice: pay and win, or refuse and lose.

New Necurs variant uses internet shortcuts, Quant Loader to deliver payloads (SC Magazine, Apr 26 2018)
An evolved variant of Necurs botnet malware is using .URL files — known as internet shortcuts — as part of its infection chain in order to bypass conventional detection methods.

Hackers Target Poorly Patched Oracle WebLogic Flaw (SecurityWeek, Apr 30 2018)
Hackers have been scanning the Internet for Oracle WebLogic Server installations that can be taken over using a recently addressed vulnerability. While patched systems should be protected against attacks, experts claim the fix implemented by Oracle can be bypassed.