A Review of the Best News of the Week on Cyber Threats & Defense

Critical RCE Vulnerability Found in Palo Alto Networks VPN Product (SecurityWeek, Jul 22 2019)
A critical remote code execution vulnerability has been found and patched in Palo Alto Networks’ GlobalProtect product.

Is ‘REvil’ the New GandCrab Ransomware? (Krebs on Security, Jul 15 2019)
The cybercriminals behind the GandCrab ransomware-as-a-service (RaaS) offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims. But a growing body of evidence suggests the GandCrab team has instead quietly regrouped behind a more exclusive and advanced ransomware program.

Microsoft demos vote verification tool, warns of ongoing foreign meddling (SC Magazine, Jul 18 2019)
Microsoft Corporation yesterday began publicly demonstrating its free and open-source secure electronic voting solution, ElectionGuard, warning that such innovations are necessary as adversarial nations continue to target the American people and U.S. businesses.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

How DNS firewalls can burn security teams (Help Net Security, Jul 22 2019)
Compromised devices can, and often do, act locally to perform reconnaissance or hoover up data before communicating out. These internal queries, to private DNS, are not seen at all by most external facing DNS firewalls.

TrickBot adds new spam module, harvests 250M email addresses (SC Magazine, Jul 15 2019)
Millions of these harvested addresses are linked to government agencies and employees in the U.S., according to Deep Instinct, whose researchers uncovered the new module and the giant database. In all likelihood, these addresses were collected for the purpose of targeting them in future TrickBot operations.

Lenovo NAS Firmware Flaw Exposes Stored Data (Dark Reading, Jul 16 2019)
More than 5,100 vulnerable devices containing multiple terabytes of data are open to exploitation, researchers found.

NCSC in DNS Warning as Hijackers Focus on Home Routers (Infosecurity Magazine, Jul 16 2019)
New campaigns have already compromised 180,000 home routers in Brazil.

800K Systems Still Vulnerable to BlueKeep (Dark Reading, Jul 17 2019)
Organizations with systems exploitable via the RDP flaw pose an increasing risk to themselves and other organizations, BitSight says.

New Malware Samples Resemble StrongPity (Infosecurity Magazine, Jul 17 2019)
A publicly reported adversary is engaged in an ongoing malware campaign.

RDP Bug Takes New Approach to Host Compromise (Dark Reading, Jul 18 2019)
Researchers show how simply connecting to a rogue machine can silently compromise the host.

NSS Labs test exposes weaknesses in NGFW products (Help Net Security, Jul 19 2019)
Test results showed that block rates for simple clear-text attacks remain strong (over 96%) for nine out of twelve products. However, while known/published exploits were frequently blocked, test engineers were able to bypass protection in all devices with minor modifications to known and blocked exploits.

APT Targets Diplomats in Europe, Latin America (Infosecurity Magazine, Jul 18 2019)
New versions of malware families are believed to be the work of Ke3chang group.

Shapeshifting Morpheus chip aims to baffle hackers (Naked Security – Sophos, Jul 19 2019)
Morpheus aims to make hacking so difficult at the microprocessor level that attackers will give up long before they can do any damage.

Drupal patches access bypass vulnerability (SC Magazine, Jul 18 2019)
Drupal released a security update to patch an access bypass vulnerability in Drupal Core which could allow an attacker to take control of an affected website.

How securing DER smart grids differs from securing traditional energy grids, and why it matters (SC Magazine, Jul 18 2019)
For an industry historically slow to change, the ongoing transformation of the power grid is remarkable. However, with this transformation comes a dramatic increase in the risks of the grid being hacked and disabled.

Why Incident Response Must Adopt a Kill Chain Perspective (SecurityWeek, Jul 19 2019)
Taking a kill chain-based perspective is the obvious next step in the evolution of IR, because serious cyber attacks are rarely single events. They are more likely to look like timelines of events that are connected in ways that are not always obvious.

Malware in PyPI Code Shows Supply Chain Risks (Dark Reading, Jul 19 2019)
A code backdoor in a package on the Python Package Index demonstrates the importance of verifying code brought in from code repositories.

Best Practices for Remote Workers’ Endpoint Security (Infosec Island, Jul 22 2019)
One of an IT admin’s most important jobs is to secure that data while it’s stored on and accessed by corporate and personal endpoints.

Iranian Hackers Use New Malware in Recent Attacks (SecurityWeek, Jul 19 2019)
The Iran-linked cyber-espionage group OilRig has started using three new malware families in campaigns observed over the past month, FireEye reports.