A Review of the Best News of the Week on Cyber Threats & Defense

DHS Issues Emergency Directive on DNS Security (Dark Reading, Jan 23 2019)
All government domain owners are instructed to take immediate steps to strengthen the security of their DNS servers following a successful hacking campaign.

After Eight Years, Metasploit Gets Its First Major Update (Dark Reading, Jan 24 2019)
Metasploit 5.0 offers a host of service-oriented features, along with a new commitment from Rapid7 for regular releases.

Hacking the GCHQ Backdoor (Schneier on Security, Jan 25 2019)
“Last week, I evaluated the security of a recent GCHQ backdoor proposal for communications systems. Furthering the debate, Nate Cardozo and Seth Schoen of EFF explain how this sort of backdoor can be detected:”


Rogue websites can turn vulnerable browser extensions into back doors (Naked Security – Sophos, Jan 22 2019)
A researcher has found that websites can use some extensions to bypass security policies, execute code, and even install other extensions.

Hackers Actively Scanning for ThinkPHP Vulnerability, Akamai Says (SecurityWeek, Jan 18 2019)
There is widespread scanning for a recently disclosed remote code execution vulnerability in the ThinkPHP framework, Akamai reveals.

Those Bashing Smart Locks Have Forgotten How Easy it is to Pick Regular Ones (Daniel Miessler, Jan 26 2019)
“There’s currently a major backlash in the InfoSec community against so-called ‘smart’ locks. And it’s not just by people who naturally overreact to change, or from people outside of InfoSec: there are plenty of smart people in our field—whom I respect greatly—that are making loud noises against this technology.”

Bug in widespread Wi-Fi chipset firmware can lead to zero-click code execution (Help Net Security, Jan 21 2019)
“This procedure is launched every 5 minutes regardless of whether a device is connected to some Wi-Fi network or not. That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network). For example, one can do RCE in a just powered-on Samsung Chromebook,” Selianin noted.

How SD-WAN can improve your security strategy (Network World Security, Jan 25 2019)
SD-WAN introduces new security options, not previously available with legacy networking technologies, that make it easier to manage and secure network traffic.

Enterprise Malware Detections Up 79% as Attackers Refocus (Dark Reading, Jan 23 2019)
Emotet and Trickbot topped the threats of 2018 and found success in malspam, a technique that disguises the threats as legitimate email. What made their attacks successful was how they spread. For Emotet, this meant infected attachments and embedded URLs, with social engineering tactics designed to make targets believe messages came from trusted sources.

Attackers used a LinkedIn job ad and Skype call to breach bank’s defences (Naked Security – Sophos, Jan 21 2019)
A Chilean Senator has taken to Twitter with alarming news – the company running the country’s ATM network suffered a serious cyberattack.

SSDP amplification attacks rose 639% (Help Net Security, Jan 22 2019)
– China advanced its lead of global attack origins, contributing more than 23 percent of worldwide campaigns
– 15 percent of attacks originated in the United States
– Simple Service Discovery Protocol (SSDP) amplification attacks rose 639.8 percent over Q2 2018, a result of the new pattern targeting CSPs.

GandCrab returns with trojans and redundancy (SC Magazine, Jan 18 2019)
The info-stealing malware is known to be used to steal log-in credentials and financial data, although it is unclear if that is what the malware is used for in the GandCrab-affiliated infections, researchers said. The AZORult variant data stealer is used to harvest cryptocurrency wallets saved on the machine, extract credentials saved in FTP/IM/email clients, and stay dormant while awaiting instructions from its command and control server.

Discover New Tools for Network Testing & Defense at Black Hat Asia (Dark Reading, Jan 23 2019)
Find yourself some of the latest and most exciting cybersecurity tools at the Arsenal, where you can meet and chat with their creators.

Apple delivers security patches, plugs an RCE achievable via FaceTime (Help Net Security, Jan 23 2019)
Apple has released a new set of updates for its various products, plugging a wide variety of vulnerabilities. WatchOS, tvOS, Safari and iCloud: let’s start with the “lightest” security updates. iCloud for Windows 7.10 brings fixes for memory corruption, logic and type confusion issues in the WebKit browser engine, all of which can be triggered via maliciously crafted web content and most of which may lead to arbitrary code execution.

Researcher warns of privilege escalation flaw in Check Point ZoneAlarm (Help Net Security, Jan 25 2019)
“The application relies on code-signing to validate that code is legitimate and trusted before it is run. However, this measure is inherently flawed, because on Windows it is trivial for a low-privilege user to trust self-signed certificates and bypass these validation checks.”

Sneaky Malvertisers Target Apple Users with Hidden Malware (Infosecurity Magazine, Jan 25 2019)
“The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.”

Data of 100,000+ Alaskan households that applied for public assistance breached (SC Magazine, Jan 24 2019)
More than 100,000 households that had applied for public assistance services from the Alaskan State Department of Health and Social Services (DHSS) had their data breached last spring, the applicants just learned. The impact of a Zeus/Zbot Trojan virus attack discovered in late April was initially thought to affect only about 500 Alaskans, but further investigation…

Hackers Using RDP Are Increasingly Using Network Tunneling to Bypass Protections (SecurityWeek, Jan 25 2019)
Threat actors conducting Remote Desktop Protocol (RDP) attacks are increasingly using network tunneling and host-based port forwarding to bypass network protections, FireEye reports.

“Cobalt” Hackers Use Google App Engine in Recent Attacks (SecurityWeek, Jan 25 2019)
The infamous “Cobalt” hacking group has been using Google App Engine for the delivery of malware through PDF decoy documents, Netskope’s security researchers say.

MySQL Design Flaw Allows Malicious Servers to Steal Files from Clients (BleepingComputer, Jan 28 2019)
A design flaw in the file transfer interaction between a client host and a MySQL server allows the latter to request from the former any data the client user has read access to.