A Review of the Best News of the Week on Cyber Threats & Defense

Google: Software is never going to be able to fix Spectre-type bugs (Ars Technica, Feb 23 2019)
Researchers also devise a Spectre-like attack with no known mitigation.

To Mitigate Advanced Threats, Put People Ahead of Tech (Dark Reading, Feb 22 2019)
Preventative technologies are only part of the picture and often come at the expense of the humans behind them.

Critical Drupal Vulnerability Allows Remote Code Execution (SecurityWeek, Feb 21 2019)
Security updates released on Wednesday for the Drupal content management system (CMS) patch a “highly critical” vulnerability that can be exploited for remote code execution.

Mandatory update coming to Windows 7, 2008 to kill off weak update hashes (Ars Technica, Feb 19 2019)
Microsoft is phasing out SHA-1 hashes on its patches.

‘Formjacking’ Compromises 4,800 Sites Per Month (Dark Reading, Feb 20 2019)
Formjacking attacks are simple: Cybercriminals input malicious code onto retailers’ websites and lift customers’ payment card details. Conservative estimates indicate they collected tens of millions of dollars last year by using stolen data in credit card fraud or selling consumers’ records on the Dark Web. Ten stolen cards from each compromised website could generate up to $2.2 million total in profit for attackers, Symantec reports. A single card can fetch up to $45 in underground forums.

Insights on modern adversaries and their tactics, techniques, and procedures (Help Net Security, Feb 20 2019)
This ranking offers organizations unprecedented insight into how fast they need to be at detecting, investigating and remediating intrusions (also known as the 1-10-60 rule) to thwart adversaries they are most likely to face targeting their networks.

Third decryption tool for GandCrab ransomware released to public (SC Magazine, Feb 20 2019)
A new free decryption tool for counteracting the effects of GandCrab ransomware is now available to the public. This latest decryptor is effective against versions 1, 4 and 5.x up through 5.1, which means GandCrab variants released as recently as October 2018 can now be defeated.

WordPress 5.1 Improves Security With Site Health Mechanism (eWEEK, Feb 22 2019)
The new version of the open-source blogging and content management system improves performance and warns administrators about outdated versions of PHP.

Privilege Escalation Vulnerability Found in LG Device Manager (SecurityWeek, Feb 18 2019)
A privilege escalation vulnerability that allows attackers to elevate permissions to SYSTEM has been found in the LG Device Manager application provided by the tech giant for its laptops.

Nasty code-execution bug in WinRAR threatened millions of users for 14 years (Ars Technica, Feb 20 2019)
The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits.

Facebook tracks users it thinks may harm its employees (Naked Security – Sophos, Feb 20 2019)
Threat makers are sometimes geolocated to determine how credible their threats are, as in, are they near enough to really attack?

Rietspoof mysterious multistage malware makes its rounds (SC Magazine, Feb 19 2019)
A multi-staged malware dropping multiple payloads is infecting its victims without a clear purpose and has shown a significant uptick in activity since January 2019. Dubbed Rietspoof, the malware has bot capabilities although Avast researchers believe it was primarily designed as a dropper, according to a Feb. 16 blog post.

Siegeware: When criminals take over your smart building (WeLiveSecurity, Feb 20 2019)
Siegeware is what you get when cybercriminals mix the concept of ransomware with building automation systems: abuse of equipment control software to threaten access to physical facilities.

Cisco fixes risky flaws in HyperFlex and Prime infrastructure (Help Net Security, Feb 21 2019)
Cisco has released another batch of fixes for many of its products, including HyperFlex, Prime infrastructure, WebEx, and Firepower devices.

Misconfigured database exposes 974,000 University of Washington Medicine patients (SC Magazine, Feb 21 2019)
Almost one million University of Washington (UW) Medicine personal health information files were exposed for most of December 2018 due to a misconfigured database.

139 US bars, restaurants and coffeeshops infected by credit-card stealing malware (Graham Cluley, Feb 21 2019)
North Country Business Products (NCBP), a provider of point-of-sales systems, has revealed that 139 of its clients have been hit by a malware infection that stole the payment card details of consumers.

Accidental data breaches are often compounded by a failure to encrypt (Help Net Security, Feb 25 2019)
83 percent of security professionals believe that employees have accidentally exposed customer or business sensitive data at their organization.