A Review of the Best News of the Week on Cyber Threats & Defense

BlueKeep exploitation activity seen in the wild (Kevin Beaumont, Nov 11 2019)
Back in May 2019, Microsoft released at patch for CVE-2019–0708, a Remote Desktop vulnerability I nicknamed BlueKeep — as exploitation…

Mac users warned that disabling all Office macros doesn’t actually disable all Office macros (Graham Cluley, Nov 07 2019)
Astonishingly, consumers and companies who believe they have protected their computers by configuring MS Office to “Disable all macros without notification” are actually opening themselves up to the possibility of being silently infected.

Inside the Microsoft team tracking the world’s most dangerous hackers (MIT Technology Review, Nov 11 2019)
From Russian Olympic cyberattacks to billion-dollar North Korean malware, how one tech giant monitors nation-sponsored hackers everywhere on earth.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

Spyware Maker NSO Promises Reform but Keeps Snooping (The New York Times, Nov 11 2019)
Recent revelations in India show that the threat from the company’s spyware to activists and journalists isn’t limited to autocratic regimes.

Researchers: WP-VCD malware is No. 1 in WordPress infections since August (SC Magazine, Nov 11 2019)
Researchers at WordFence have eyed a recent uptick in attacks on WordPress involving WP-VCD backdoor malware. Since August 2019, no other WordPress-targeting malware has yielded a higher rate of new infections that WP-VCD, the company reported this week in a blog post and in-depth white paper.

Actively exploited bug in fully updated Firefox is sending users into a tizzy (Ars Technica, Nov 05 2019)
Fraudulent tech-support sites cause Firefox to freeze while displaying scary message.

Cybercriminals are testing exposed credentials for future account takeover attacks (Help Net Security, Nov 07 2019)
Digital account registration has become the identity testing mechanism for fraudsters, evidenced in the sharp increase in account creation attacks. Even when an account creation attack fails, it can provide valuable insight into the existence of an account with the business. This information is then used for more sophisticated account takeover attacks.

Phishing attacks at highest level in three years (Help Net Security, Nov 07 2019)
The total number of phishing sites detected in July through September 2019 was 266,387. This was up 46 percent from the 182,465 seen in the second quarter of 2019, and almost double the 138,328 seen in Q4 2018.

Building a Security Testing Plan (Infosecurity Magazine, Nov 07 2019)
Testing the effectiveness of your controls is imperative to knowing your true security posture

UK Government Spends £2M on Anti-Drone Projects (Infosecurity Magazine, Nov 08 2019)
Projects include developing methods to detect 4G and 5G-controlled drones, AI sensors to automatically identify aerial vehicles and low-risk ways of stopping drones through electronic interception.

IT services pro hacked former client’s email (Naked Security – Sophos, Nov 08 2019)
An IT project manager has pleaded guilty to accessing the email account of a former client’s CEO, said reports this week. According to the Register, 27-year-old Leeds resident, Scott Burns, was charged under the Computer Misuse Act for tinkering with systems owned by Dart Group, which owns the Jet2 airline.

MegaCortex ransomware variant threatens data breach, alters credentials (SC Magazine, Nov 08 2019)
A newly discovered variant of MegaCortex ransomware goes well beyond just encrypting victims’ files — it also changes their Windows passwords and threatens to publish their stolen data if they fail to pay.

Buran ransomware detailed, found to be based on VegaLocker (SC Magazine, Nov 07 2019)
Buran is delivered through the Rig EK, which in this case exploits the CVE-2018-8174, a Microsoft Internet Explorer VBScript engine, arbitrary code execution vulnerability. An examination of the code, written in Delphi, found Buran is actually an evolution of VegaLocker ransomware.

There are two versions of Buran currently in use with the newer one, Buran 2, capable of deleting shadow copies using WMI, backup catalog deletion, System state backup deletion and as a poor anti-evasion technique, Buran will use ping through a ‘for loop’ in order to ensure the file deletion system, the researchers said.

Hackers Can Target LEADTOOLS Users With Malicious Image Files (SecurityWeek, Nov 08 2019)
Cisco Talos security researchers have discovered multiple vulnerabilities in the LEADTOOLS imaging toolkits that could lead to code execution on the victim system.

Cisco Patches Vulnerabilities in Small Business Routers, RoomOS Software (SecurityWeek, Nov 07 2019)
A new set of security patches that Cisco released this week fixes multiple vulnerabilities across products such as Small Business Routers, TelePresence Collaboration Endpoint, RoomOS, and others.

Transitioning to a Security-Driven Networking Strategy (SecurityWeek, Nov 07 2019)
Security-Driven Networking is a new, strategic approach to security that enables the seamless expansion of network environments and services without ever compromising on security. Essentially, it begins by crafting a comprehensive security policy that covers the entire organization. It outlines the protocols, enforcement and inspection technologies, policies, and protections required to be in place before any new network environment or solution is even placed on the drawing board.

Attackers continue to leverage greater levels of social engineering and sophistication (Help Net Security, Nov 11 2019)
Despite a nearly four-month absence, the return of Emotet within the last two weeks of September accounted for nearly 12 percent of all malicious email samples in Q3, delivering millions of messages with malicious URLs or attachments, Proofpoint found.