A Review of the Best News of the Week on Cyber Threats & Defense

Iranian Hackers Targeted Presidential Campaign, Microsoft Says (The New York Times, Oct 04 2019)
Microsoft said in a security report Friday that journalists and other government officials were also targeted. It did not name the campaign.

Casbaneiro: Dangerous cooking with a secret ingredient (WeLiveSecurity, Oct 03 2019)
Número dois in our series demystifying Latin American banking trojans

New Research into Russian Malware (Schneier on Security, Oct 02 2019)
“There’s some interesting new research about Russian APT malware: The Russian government has fostered competition among the three agencies, which operate independently from one another, and compete for funds. This, in turn, has resulted in each group developing and hoarding its tools, rather than sharing toolkits with their counterparts, a common sight among Chinese and North Korean state-sponsored hackers.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Hackers Are Impersonating Each Other to Hide Their Real Agendas (Infosecurity Magazine, Oct 02 2019)
New report reveals threat actors don cyber-disguises to mask their true intentions

#VB2019: Magecart Attack Groups Move to More Targeted Efforts (Infosecurity Magazine, Oct 02 2019)
How Magecart attack groups have succeeded, and are moving forwards in attack tactics

FBI Investigates Mobile Voting Intrusion (Dark Reading, Oct 04 2019)
A group tried to access West Virginia’s mobile voting app in 2018; now, the FBI is looking into what actually happened.

#VB2019: Endpoints Remain Vulnerable to WannaCry Two Years On (Infosecurity Magazine, Oct 04 2019)
Two and a half years on from WannaCry, endpoints remain unpatched and vulnerable

FBI alert: Ransomware attacks becoming increasingly targeted and costly (SC Magazine, Oct 03 2019)
The FBI issued a new public service announcement regarding the ongoing ransomware epidemic, emphasizing that attacks are becoming more targeted since early 2018, with losses increasingly significantly in that time.

Researcher Shows How Adversaries Can Gather Intel on U.S. Critical Infrastructure (SecurityWeek, Oct 03 2019)
A researcher has used a free tool that he created and open source intelligence (OSINT) to demonstrate how easy it is for adversaries to gather intelligence on critical infrastructure in the United States.

PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware (ThreatVector, Oct 01 2019)
BlackBerry Cylance researchers have uncovered a suspected Chinese APT group conducting attacks against technology companies located in south-east Asia.

New Malware Campaign Targets US Petroleum Companies (Dark Reading, Oct 01 2019)
Attackers are using an obfuscated version of Adwind Remote Access Trojan for stealing data, Netskope says.

Email is an open door for malicious actors looking to exploit businesses (Help Net Security, Oct 01 2019)
There’s an alarming scale of risks businesses are up against in a time when email is proving an open door for cybercriminals and malicious actors looking to disrupt, exploit and destroy businesses, according to Wire.

The Impact of Recycling on Industrial Cyber Security (SecurityWeek, Oct 01 2019)
In the decade since the Stuxnet worm was discovered, multiple attacks that have been launched against operational technology (OT) networks including Shamoon, Havex, Wannycry, and Lockergoga. Looking back, a disturbing trend has emerged. Industrial attacks are being recycled.

Browser-hijacking Ghostcat malware haunts online publishers (SC Magazine, Oct 02 2019)
An infection starts when a user visits a website and is delivered a malicious advertisement. At this point, the Ghostcat malware fingerprints the browser to determine if the ad is running on a genuine web page (as opposed to a sandbox environment) and if it’s running on one of over 100 specifically targeted publishers. If the answer to both questions is yes, then a malicious concatenated URL is served.

Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC (VICE, Oct 03 2019)
A new threat actor Kaspersky calls SandCat, believed to be Uzbekistan’s intelligence agency, is so bad at operational security, researchers have found multiple zero-day exploits used by the group, and even caught malware the group was still developing.

New ‘Reductor’ malware compromises machines’ encrypted TLS traffic (SC Magazine, Oct 04 2019)
In that weren’t clever enough, the actors also found what Kaspersky called a “clever” way to compromise and spy on the HTTPS communications of infected hosts without ever touching the network packets. Their solution, as it turns out, is to use an embedded Intel instruction length disassembler to install malicious patches on the victims’ Firefox or Chrome browsers, in order to sabotage their pseudo random number generation (PRNG) functions.

APTs Exploiting Enterprise VPN Vulnerabilities, UK Govt Warns (SecurityWeek, Oct 04 2019)
Advanced persistent threat (APT) actors have been exploiting recently disclosed vulnerabilities affecting enterprise VPN products from Fortinet, Palo Alto Networks and Pulse Secure, the UK’s National Cyber Security Centre (NCSC) warns.