A Review of the Best News of the Week on Cyber Threats & Defense

PoC exploit for critical Apache Struts flaw found online (Help Net Security, Aug 27 2018)
The Apache Software Foundation revealed last week the existence of a critical Apache Struts flaw (CVE-2018-11776) similar to the one exploited in the Equifax breach and urged organizations and developers to upgrade their installations to versions 2.3.35 or 2.5.17.

Millions of Texas voter records exposed online (TechCrunch, Aug 27 2018)
The data — a single file containing an estimated 14.8 million records — was left on an unsecured server without a password. Texas has 19.3 million registered voters.

Future Cyberwar (Schneier on Security, Aug 27 2018)
A report for the Center for Strategic and International Studies looks at surprise and war. One of the report’s cyberwar scenarios is particularly compelling. It doesn’t just map cyber onto today’s tactics, but completely re-imagines future tactics that include a cyber component…

Without data, your security strategy is just a guess.
The Mosaic Security Research Market Intelligence Platform provides the data you need for OWASP’s Cyber Defense Matrix. Learn a better way to build your strategy.

Microsoft Shuts Down Six APT28 Phishing Domains (Infosecurity Magazine, Aug 22 2018)
Russian espionage attempts continue.

Turla: In and out of its unique Outlook backdoor (WeLiveSecurity, Aug 22 2018)
The backdoor’s more recent iterations target Microsoft Outlook, although its older versions also took aim at The Bat! email client, which is used mostly in Eastern Europe. Importantly, Turla’s operators don’t exploit any vulnerabilities either in PDF readers or Microsoft Outlook as attack vectors. Unusually, the backdoor subverts Microsoft Outlook’s legitimate Messaging Application Programming Interface (MAPI) to access the targets’ mailboxes.

Reevaluate “low-risk” PHP unserialization vulnerabilities, researcher says (CSO Online, Aug 22 2018)
Over nearly a decade, PHP unserialization vulnerabilities have become a popular route for cyber-criminals to plant remote code execution or deliver other malware into systems. But new research, introduced at Black Hat this month, shows that malevolent hackers can introduce this vulnerability, even in environments that were previously considered low-risk for this attack.

Attackers Using ‘Legitimate’ Remote Admin Tool in Multiple Threat Campaigns (Dark Reading, Aug 22 2018)
Researchers from Cisco Talos say Breaking Security’s Remcos software allows attackers to fully control and monitor any Windows system from XP onward.

Lazarus Group Builds its First MacOS Malware (Dark Reading, Aug 23 2018)
This isn’t the first time Lazarus Group has infiltrated a cryptocurrency exchange as the hacking team has found new ways to achieve financial gain.

Google shuts down nation-state activity, thwarts phishing, names Iran (SC Magazine, Aug 27 2018)
The company, working with FireEye, found technical and IP information related to the Islamic Republic of Iran Broadcasting.

A Monitor’s Ultrasonic Sounds Can Reveal What’s on the Screen (Wired, Aug 23 2018)
Researchers have demonstrated that they can discern individual letters on a display based only on the ultrasonic whine it emits.

How an uploaded image could take over your website, and how to stop it (Naked Security – Sophos, Aug 22 2018)
Bugs in the widespread graphics system Ghostscript could be exploited remotely by crooks – so here’s how to keep attackers at bay.

PHP exploit flaw puts WordPress and other CMS sites at risk of remote code execution (SC Magazine, Aug 20 2018)
A severe PHP exploit proof-of-concept attack could allow remote code execution attacks on several content management platforms including Typo3 and WordPress.

WordPress redirection campaign uses .js file, fake plug-ins to send victims to scam sites (SC Magazine, Aug 20 2018)
A URL shortener, a fake plug-in and a malicious popuplink.js file are the three key ingredients found in a WordPress website infection campaign that since July has been redirecting victimized site visitors to various scam and ad sites.

North Korean Hackers Exploit Recently Patched Zero-Day (SecurityWeek, Aug 20 2018)
North Korean hackers are exploiting a recently patched vulnerability in Microsoft’s VBScript engine in live attacks, security researchers say.

Smart irrigation systems vulnerable to attacks, warn researchers (WeLiveSecurity, Aug 21 2018)
Internet-connected irrigation systems suffer from security gaps that could be exploited by attackers aiming, for example, to deplete a city’s water reserves, researchers warn.

Latin America Served with ‘Dark Tequila’ Banking Malware (Dark Reading, Aug 21 2018)
The complex operation packs a multistage payload and spreads via spear-phishing emails and infected USB devices.

How often are users’ DNS queries intercepted? (Help Net Security, Aug 21 2018)
These interceptions can be made for various purposes: censorship, displaying ads, collecting statistics, blocking malware connections, etc. But they are not authorized by users and are difficult for them to spot.

Supply chain attack targets South Koreans with 9002 RAT; separate phishing campaign delivers GandCrab ransomware (SC Magazine, Aug 21 2018)
Researchers from Trend Micro have exposed two criminal cyber campaigns targeting South Korean organizations – one, a supply chain attack delivering a remote access tool under the guise of a software update, and two, a ransomware attack leveraging malicious .egg files.

Updated AZORult Stealer used in Hermes ransomware campaign (SC Magazine, Aug 21 2018)
An updated version of AZORult Stealer is being used to distribute Hermes ransomware.

Vulnerability in OpenSSH “for two decades” (no, the sky isn’t falling!) (Naked Security – Sophos, Aug 23 2018)
An OpenSSH bug that was reclassified as a vulnerability after it was fixed has made scary headlines – but the sky isn’t falling