A Review of the Best News of the Week on Cyber Threats & Defense

‘Brazen’ nation-state actors behind ‘Sea Turtle’ DNS hijacking campaign (SC Magazine, Apr 18 2019)
Primarily targeting the Middle East and North Africa, the attackers are looking to harvest credentials that grant them access to sensitive networks belonging to national institutions such as intelligence agencies, military units and ministries of foreign affairs, as well as energy organizations. But in order to compromise these victims, the perpetrators typically first compromise their third-party internet and DNS service providers, such as telecommunications firms, ISPs, IT firms, registrars and registries.

Hacker Group Exposes Iranian APT Operations and Members (BleepingComputer, Apr 22 2019)
Hackers have revealed details about the inner workings of a cyber-espionage group mostly known in the security community as OilRig, APT34, and HelixKitten, linked to the Iranian government.

Cyber-security firm Verint hit by ransomware (ZDNet, Apr 17 2019)
The Israel offices of US cyber-security firm Verint have been hit by ransomware, according to a screenshot taken by a Verint employee that started circulating online earlier today.

Flood of exploits targeting ancient WinRAR flaw continues (Naked Security – Sophos, Apr 15 2019)
An ancient WinRAR vulnerability made public in February is now well on its way to becoming one of the most widely and rapidly-exploited security flaws of recent times.

Threat actors gaining admin rights before ransomware infections (SC Magazine, Apr 15 2019)
Similar to the Arizona Beverage ransomware attack earlier this month, a manufacturing company also appears to have been targeted in an attack in which the company’s name was explicitly mentioned in the ransom note. This led Trend Micro researchers to believe an account with administrative privileges may have been compromised to install BitPaymer via PsExec.

New Attacks (and Old Attacks Made New) (Dark Reading, Apr 16 2019)
Although innovation is critical, keeping costs under control while maximizing ROI ensures the lights stay on. That’s why genuinely new malware and zero-day attacks are reasonably rare and are vastly outnumbered by reconfigured malware and the regular return of old attacks.

Open Source Tool From FireEye Automates Analysis of Flash Files (SecurityWeek, Apr 16 2019)
Security company FireEye this week announced the release of an open source tool designed to automate the analysis of Adobe Flash files in order to identify malware and prevent infections.

Ransomware ravages municipalities nationwide this week (SC Magazine, Apr 19 2019)
Municipalities took a beating this week, with at least four reporting that they had been shut down by new ransomware attacks or were still struggling to recover from an older incident. Augusta, Maine; Imperial County, Calif.; Stuart, Fla.; and Greenville, N.C. were all in different stages of recovering from ransomware attacks over the last seven days.

Google to Block Logins From Embedded Browsers to Prevent Phishing (SecurityWeek, Apr 19 2019)
Google on Thursday announced that it will soon block login attempts from embedded browser frameworks in an effort to prevent man-in-the-middle (MitM) phishing attacks.

Bad Bots Steal Accounts, Content and Skew the Web Ecosystem (SecurityWeek, Apr 17 2019)
Distil Networks defines three levels of bad bot: simple, moderate and sophisticated. The latter two categories comprise ‘advanced persistent bots’ (APBs), which account for 73.6% of all bots. APBs cycle through random IP addresses, enter through anonymous proxies, change their identities, mimic human behavior, and are the most difficult to detect and block.

Dark Web Drug Seller Sinmed Goes Down—Thanks to ATM Withdrawals (Wired, Apr 17 2019)
To make their revenue more fluid, the three men allegedly worked out a simple system: Fund prepaid debit card accounts with bitcoin, and withdraw it as cash. The indictment details dozens of these ATM transactions; the trio collectively withdrew more than $1 million, in $700 increments, over the course of just over two years, according to Vance.

McAfee joins Sophos, Avira, Avast—the latest Windows update breaks them all (Ars Technica, Apr 19 2019)
A range of fixes and workarounds has been published.

Researchers Find Clues for Dramatically Reducing IDS Traffic Volume (Dark Reading, Apr 19 2019)
Research at military labs and Towson University shows that identifying malicious activity may require much less captured data than has been the case.

Man fried over 50 college computers with weaponized USB stick (Graham Cluley, Apr 18 2019)
Vishwanath Akuthota didn’t make it hard for authorities to prove that he was the person who destroyed $58,000 worth of college equipment using a USB stick.

Meet Scranos: New Rootkit-Based Malware Gains Confidence (Dark Reading, Apr 16 2019)
The cross-platform operation, first tested on victims in China, has begun to spread around the world.

New Variant of HawkEye Stealer Emerges (SecurityWeek, Apr 16 2019)
A new variant of HawkEye, a piece of malware used for keylogging and data theft, is being leveraged in ongoing malware distribution campaigns, Cisco’s Talos security researchers warn.

The perimeter is vanishing, how will you secure your network? (Help Net Security, Apr 18 2019)
“I want to start by being clear about what I mean when I say the perimeter is vanishing. It is the expansion of an organization’s network to include far more devices and locations, many of which are outside what used to be considered the perimeter, and many of which are outside the control of the security team.”

TA505 Targets Financial and Retail Using ‘Undetectable’ Methods (Infosecurity Magazine, Apr 18 2019)
CyberInt found that TA505 is using these tactics together with a remote administration tool developed by TektonIT.

It doesn’t matter if you don’t use Internet Explorer, you could still be at risk from this IE zero-day vulnerability (Graham Cluley, Apr 17 2019)
Even if you don’t use Internet Explorer any more, it may still be posing a potential risk by being installed on your Windows PCs.

Emsisoft used decrypter on CryptoPokemon ransomware… It’s super effective! (Emsisoft, Apr 22 2019)
CryptoPokemon is a new strain of ransomware that encrypts your files and demands a payment of 0.02 Bitcoin (about $104 at the time of writing) to decrypt them. If you have been infected with CryptoPokemon, do not pay the ransom!