A Review of the Best News of the Week on Cyber Threats & Defense

As Phishing Kits Evolve, Their Lifespans Shorten (Dark Reading, Oct 30 2019)
Most phishing kits last less than 20 days, a sign defenders are keeping up in the race against cybercrime.

The First BlueKeep Mass Hacking Is Finally Here—but Don’t Panic (Wired, Nov 02 2019)
After months of warnings, the first successful attack using Microsoft’s BlueKeep vulnerability has arrived—but isn’t nearly as bad as it could have been.

US grounds Chinese-made drones as part of security review (Naked Security – Sophos, Nov 04 2019)
The exception: drones being used in emergencies, such as fighting wildfires, search and rescue, and dealing with natural disasters.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


PHP team fixes nasty site-owning remote execution bug (Naked Security – Sophos, Oct 29 2019)
The PHP development team has fixed a bug that could allow remote code execution in some setups of the programming language.

Bed Bath & Beyond Blames Password Reuse for Hacked Accounts (SecurityWeek, Oct 31 2019)
Retail giant Bed Bath & Beyond revealed in a recent filing with the U.S. Securities and Exchange Commission (SEC) that some online customer accounts were accessed by a third party.

Cisco Firewall Exploited in Attack on U.S. Renewable Energy Firm (SecurityWeek, Nov 01 2019)
More details have emerged on the March denial-of-service (DoS) attack that disrupted firewalls and caused interruptions to electrical system operations at a power utility in the United States.

Head Fake: Tackling Disruptive Ransomware Attacks (FireEye, Nov 01 2019)
[Figure: Example of FakeUpdate landing page after HTTP redirects]
The redirect process used numerous subdomains, with a limited number of IP addresses. The malicious subdomains are often changed in different parts of the initial redirects and browser validation stages.
After clicking the ‘Update’ button, we observed the downloading of one of three types of files:
– Heavily-obfuscated HTML applications (.hta file extensions)
– JavaScript files (.js file extensions)
– ZIP-compressed JavaScript files (.zip extensions)

Free Tools Boost 2020 Election Security, But Not Enough (Wired, Nov 03 2019)
More companies than ever are offering low-cost security services for election bureaus and campaigns. It’s still not clear how much they’ll actually help.

How a months-old AMD microcode bug destroyed my weekend (Ars Technica, Oct 29 2019)
AMD shipped Ryzen 3000 with a serious microcode bug in its random number generator.

Current and Future Hacks and Attacks that Threaten Esports (TrendMicro, Oct 29 2019)
Cybercriminals will increasingly target the esports industry over the next three years. Many underground forums already have sections dedicated to gaming or esports sales, and the goods and services offered in these forums generate a lot of interest.

#BSidesBelfast: Supply Chain Attacks Will Hit Code Repositories Next (Infosecurity Magazine, Nov 01 2019)
Supply chain attacks continue to be a reality for businesses.

Old RAT, New Moves: Adwind Hides in Java Commands to Target Windows (Dark Reading, Oct 29 2019)
The Adwind remote access Trojan conceals malicious activity in Java commands to slip past threat intelligence tools and steal user data.

Controlling PowerShell with zero trust microsegmentation (SC Magazine, Oct 29 2019)
Unfortunately, PowerShell is difficult to control, i.e., allow legitimate use but prevent malicious exploitation. Code signing allows PowerShell to execute only signed scripts, and, while whitelisting operations can help, it can be tricky to manage in practice, because managers typically create either overly permissive access that can be exploited or overly restrictive policies that lead to complaints from IT admins.

New GlitchPOS credit card stealer malware found for sale (SC Magazine, Oct 29 2019)
An experienced malware developer is hawking a new POS malware strain called GlitchPOS on crimeware forums, and even created and posted a marketing video promoting its ease of use to potential buyers.

32,000+ WiFi Routers Potentially Exposed to New Gafgyt Variant (Dark Reading, Oct 31 2019)
Researchers detect an updated Gafgyt variant that targets flaws in small office and home wireless routers from Zyxel, Huawei, and Realtek.

NordVPN users’ passwords exposed in mass credential-stuffing attacks (Ars Technica, Nov 01 2019)
Many of the dumps have been pulled off public webpages, but at least one remains.

Europol: Spear phishing the most prevalent cyber threat affecting orgs across the EU (Help Net Security, Nov 04 2019)
As reflected in this year’s Internet Organised Crime Threat Assessment (IOCTA), spear phishing is the number one attack vector and enabler for the vast majority of cybercrime.

Feds warn against Hidden Cobra’s Hoplight malware (SC Magazine, Nov 04 2019)
A consortium of U.S. federal agencies released a notification on Hoplight, a new data collector malware being used by the North Korean cyberespionage group Hidden Cobra (aka Lazarus). The Department of Homeland Security, FBI, and Department of Defense, in their malware analysis report on Hoplight, noted that obfuscation plays a large role in the malware’s…

Chinese APT group Calypso hacked state institutions in six countries (SC Magazine, Nov 04 2019)
A Chinese-speaking APT group, Calypso, has actively been targeting state institutions in six countries, hacking systems and injecting a program to gain access to internal networks, according to a report from researchers at Positive Technologies Expert Security Center.

Microsoft Office for Mac Users Exposed to Macro-Based Attacks (SecurityWeek, Nov 04 2019)
Microsoft Office for Mac does not properly disable XLM macros, thus exposing users to code execution attacks, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University warns.