A Review of the Best News of the Week on Cyber Threats & Defense

That Bloomberg Supply-Chain-Hack Story (Schneier on Security, Nov 30 2018)
“Bloomberg has stood by its story — and is still standing by it. I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.”

Elasticsearch Snafu Exposes Data on 82 Million Americans (Infosecurity Magazine, Nov 29 2018)
Personal info was left publicly accessible for at least two weeks

Best practice methodology for industrial network security: SEC-OT (Help Net Security, Dec 03 2018)
Secure Operations Technology (SEC-OT) is a methodology and collection of best practices inspired by a decade of experience working with secure industrial sites. The SEC-OT approach is counter-intuitive to many IT and even industrial control system (ICS) security practitioners. It turns out that secure industrial sites ask different questions and get different answers.


Compliance is necessary. Wasting money isn’t.
The Mosaic Security Research Market Intelligence Platform provides the tools you need for OWASP’s Cyber Defense Matrix. Build your threat defense systematically.


Ransomware Attack Forced Ohio Hospital System to Divert ER Patients (Dark Reading, Nov 26 2018)
Malware infection fallout sent ambulances away from East Ohio Regional Hospital and Ohio Valley Medical Center over the Thanksgiving weekend.

Sotheby’s Site Infected with Magecart for Over a Year (Infosecurity Magazine, Dec 03 2018)
“The code was designed to target the data you entered into the payment information form on the Sotheby’s Home website,” it added. “This information would include your name, address, email address and payment card number, expiration date, and CVV code.”

MITRE Uses ATT&CK Framework to Evaluate Enterprise Security Products (SecurityWeek, Nov 30 2018)
MITRE Corporation’s ATT&CK framework has been used to evaluate enterprise security products from several vendors to determine how effective they are at detecting and responding to attacks launched by sophisticated threat groups.

Why you shouldn’t be worried about UPnP port masking (Help Net Security, Nov 26 2018)
…attackers can use this technique to modify the port for UDP-based traffic before the victim receives it. Some DDoS mitigation tools look at just the port that traffic is arriving on before deciding to drop or throttle it. If you aren’t running an NTP server for example, your DDoS mitigation might be set up to block UDP/123 entirely. Randomizing the port can get around this type of protection.
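The bypass described in that excerpt is easy to see in a small filter comparison. The following is an added example, not code from the Help Net Security article or from the research it covers. It compares a mitigation rule keyed only on UDP port 123 with one that recognises an NTP monlist packet by its header bytes regardless of port; the mode-7 layout it checks (mode in the low three bits of byte 0, request code 42 in byte 3) is my assumption about ntpd’s private-mode format, and every packet is constructed, not captured.

```python
"""Added example: a DDoS filter keyed only on UDP port is bypassed when the
amplified traffic is relayed through a UPnP-exposed router that rewrites the
source port; a payload-aware check is not.

All packets below are constructed for illustration; nothing here is captured.
"""
from dataclasses import dataclass

NTP_PORT = 123
NTP_MODE_PRIVATE = 7          # mode field value for ntpd "private" (mode 7) packets
NTP_REQ_MON_GETLIST_1 = 42    # monlist request code (assumed ntpd layout)


@dataclass
class UdpPacket:
    src_port: int
    dst_port: int
    payload: bytes


def port_only_filter(pkt: UdpPacket) -> str:
    """Rule from the article: we run no NTP server, so drop anything on UDP/123."""
    if NTP_PORT in (pkt.src_port, pkt.dst_port):
        return "drop"
    return "allow"


def looks_like_ntp_monlist(payload: bytes) -> bool:
    """Recognise an ntpd mode-7 monlist request/response by its header bytes.

    Assumed layout: byte 0 = R(1) M(1) VN(3) Mode(3), byte 2 = implementation,
    byte 3 = request code. The port the datagram arrived on is irrelevant.
    """
    if len(payload) < 8:
        return False
    mode = payload[0] & 0x07
    request_code = payload[3]
    return mode == NTP_MODE_PRIVATE and request_code == NTP_REQ_MON_GETLIST_1


def payload_aware_filter(pkt: UdpPacket) -> str:
    """Drop monlist traffic on any port, then fall back to the port rule."""
    if looks_like_ntp_monlist(pkt.payload):
        return "drop"
    return port_only_filter(pkt)


# Constructed monlist *response* header: R=1, M=1, VN=2, Mode=7 -> 0xd7;
# implementation 3 (XNTPD); request code 42; then err/count/size fields.
MONLIST_RESPONSE = bytes([0xd7, 0x00, 0x03, 0x2a, 0x00, 0x06, 0x00, 0x48]) + b"\x00" * 72

PACKETS = {
    # Classic reflected NTP amplification: arrives from the reflector's UDP/123.
    "direct_reflection": UdpPacket(src_port=NTP_PORT, dst_port=51000, payload=MONLIST_RESPONSE),
    # Same bytes, but relayed through a UPnP-exposed router that rewrote the
    # source port to something random: the port-only rule no longer matches.
    "upnp_masked": UdpPacket(src_port=40213, dst_port=51000, payload=MONLIST_RESPONSE),
    # Ordinary application datagram on a high port (byte 0 gives NTP mode 1, so
    # it is not mistaken for monlist).
    "benign": UdpPacket(src_port=40213, dst_port=51000, payload=b"\x21\x00\x00\x00hello!!!"),
}


def verdicts(filter_fn) -> dict:
    """Run one filter over the constructed packets and return name -> verdict."""
    return {name: filter_fn(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, fn in (("port-only", port_only_filter), ("payload-aware", payload_aware_filter)):
        print(f"{label:14s} {verdicts(fn)}")
```

Rewriting the port changes nothing about the datagram body, so a signature on the body survives the masking while a port match does not. The cost is that the check has to look past the UDP header, which is why port-only rules are attractive for high-volume mitigation in the first place; in practice the payload signature would feed a rate-based decision rather than a flat drop.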

Zoom Conferencing App Exposes Enterprises to Attacks (SecurityWeek, Nov 29 2018)
A potentially serious vulnerability discovered by researchers in the Zoom video conferencing application can allow external attackers or malicious insiders to hijack screen controls, spoof chat messages, and remove attendees from a session.

Threat Hunting: Improving Bot Detection in Enterprise SD-WANs (Dark Reading, Nov 30 2018)
How security researchers tracked down Kuai and Bujoi malware through multiple vectors including client type, traffic frequency, and destination.

The Return of Email Flooding (Dark Reading, Nov 29 2018)
An old attack technique is making its way back into the mainstream with an onslaught of messages that legacy tools and script writing can’t easily detect.

Threat Actor Targets Middle East With DNS Redirections (SecurityWeek, Nov 28 2018)
A previously undocumented threat actor has been targeting entities in the Middle East with new malware and DNS redirections, Cisco’s Talos security researchers say.

Russian Hackers Haven’t Stopped Probing the US Power Grid (Wired, Nov 28 2018)
Researchers warn that utilities hackers don’t need to cause blackouts to do damage.

New Report Details Rise, Spread of Email-based Attacks (Dark Reading, Nov 30 2018)
Criminals are diversifying their target list and tactics in a continuing effort to keep email a valuable attack vector against enterprise victims.

New PowerShell Backdoor Resembles “MuddyWater” Malware (SecurityWeek, Nov 30 2018)
A recently discovered PowerShell-based backdoor is strikingly similar to malware employed by the MuddyWater threat actor, Trend Micro reports.

Vulnerability discovered in safety controller configuration software (Help Net Security, Dec 03 2018)
The tool can be found on engineering workstations which are used to configure safety controllers. The software is commonly used in a range of industries such as Oil & Gas, Manufacturing, Chemicals, Power, and many more.

Making it harder for attackers to know when a system begins to deceive a bad actor (Help Net Security, Dec 03 2018)
Although the deception consistency may make it more difficult for APT attackers to recognize the deception, the researchers were clear that their proposed method is not a cure-all for things like what happened to Target and Equifax.

Detecting malicious behavior blended with business-justified activity (Help Net Security, Dec 03 2018)
Detecting malicious behavior blended so well with business-justified activity is a challenge. Organizations have tried to address this challenge with solutions ranging from the traditional network forensic vendors like RSA NetWitness as well as some of the first-generation network traffic analysis (NTA) tools like Darktrace.

Router attack exploits UPnP and NSA malware to target PCs (Naked Security – Sophos, Dec 03 2018)
The UPnProxy router compromise uncovered earlier in 2018 is now being used to attack computers on networks connected to the same gateways.

Russian Hackers Use BREXIT Lures in Recent Attacks (SecurityWeek, Dec 03 2018)
Infamous Russia-linked cyber-espionage group Sofacy used BREXIT-themed lure documents in attacks on the same day the United Kingdom Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU).