A Review of the Best News of the Week on Cyber Threats & Defense

Attack tools and techniques used by major ransomware families (Help Net Security, Nov 15 2019)
Ransomware is typically distributed in one of three ways: as a cryptoworm, which replicates itself rapidly to other computers for maximum impact (for example, WannaCry); as ransomware-as-a-service (RaaS), sold on the dark web as a distribution kit (for example, Sodinokibi); or by means of an automated active adversary attack, where attackers manually deploy the ransomware following an automated scan of networks for systems with weak protection.

Over 100,000 Fake Domains With Valid TLS Certificates Target Major Retailers (SecurityWeek, Nov 15 2019)
Venafi, a company that helps organizations secure cryptographic keys and digital certificates, says it has uncovered over 100,000 typosquatted domains with valid TLS certificates that appear to target major retailers.

Security of North American Energy Grid Tested in GridEx Exercise (SecurityWeek, Nov 18 2019)
A major exercise whose goal was to test the cyber and physical security of North America’s grid has enabled the energy industry and governments to review and improve incident response plans and collaboration.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Account Fraud Harder to Detect as Criminals Move from Bots to ‘Sweat Shops’ (Dark Reading, Nov 11 2019)
Cheap labor, frequent data breaches, and better fraud detection technology are fueling frustrating changes in attackers’ methods.

US-CERT warns of critical flaws in Medtronic equipment (Naked Security – Sophos, Nov 13 2019)
Medtronic’s latest problem is in their Valleylab electrosurgical generators, used by surgeons for things like cauterisation during operations.

‘State of the Firewall’ Report: Automation Key to Preventing Costly Misconfigurations (SecurityWeek, Nov 13 2019)
This is a human problem, not a firewall problem. Gartner also posits that “99% of firewall breaches will be caused by misconfigurations, not firewall flaws.”

New PureLocker ransomware built for targeted attacks, linked to MaaS dealer (SC Magazine, Nov 14 2019)
A newly discovered ransomware called PureLocker is targeting the production servers of enterprises, while exhibiting some behavior that’s very unusual for most malicious encryptors. Among its quirky features: it’s written in the PureBasic programming language, which helps it avoid conventional anti-malware detection engines…

Microsoft Patches IE Zero-Day Among 74 Vulnerabilities (Dark Reading, Nov 12 2019)
The November Patch Tuesday update fixed 13 critical flaws, including a zero-day bug in Internet Explorer.

DLL Hijacking Flaw Impacts Symantec Endpoint Protection (SecurityWeek, Nov 14 2019)
Symantec Endpoint Protection is the latest antivirus product found to unsafely load DLLs into a process that runs with SYSTEM privileges.

Vulnerability in McAfee Antivirus Products Allows DLL Hijacking (SecurityWeek, Nov 13 2019)
A vulnerability in McAfee antivirus software could allow an attacker to evade self-defense mechanisms and achieve persistence, SafeBreach security researchers have discovered.

The FBI multi-factor authentication notification that should have never been (Help Net Security, Nov 12 2019)
“While reviewing the recent Private Industry Notification from the FBI about using social engineering and technical attacks to circumvent multi-factor authentication, I was floored at how each of these account takeover scenarios seemed completely preventable. That’s because SIM swap and session hijacking were at the center of each account takeover scenario.”

Phishing emails spoof WebEx invites, abuse Cisco open redirect (SC Magazine, Nov 12 2019)
That WebEx meeting invite you just received may actually be a phishing email that spreads the WarZone remote access trojan by abusing a Cisco open redirect.

Researchers Disclose New Vulnerabilities in Windows Drivers (Dark Reading, Nov 12 2019)
Attackers could take advantage of simple design flaws in widely distributed drivers to gain control over Windows systems.

Visa Warns of New JavaScript Skimmer ‘Pipka’ (SecurityWeek, Nov 14 2019)
A new JavaScript skimmer targets data entered into the payment forms of ecommerce merchant websites, Visa Payment Fraud Disruption (PFD) warns. Dubbed Pipka, the skimmer was discovered on an ecommerce website previously infected with the JavaScript skimmer known as Inter, but it has infected at least sixteen other merchant websites as well.

Threat actor impersonates German, Italian and American gov’t agencies to spread malware (SC Magazine, Nov 14 2019)
Since October, a threat actor has been impersonating governmental agencies in phishing emails designed to infect American, German and Italian organizations with various forms of malware, including the Cobalt Strike backdoor, Maze ransomware and the IcedID banking trojan.

AnteFrigus ransomware leaves C alone, goes after other drives (SC Magazine, Nov 14 2019)
Security researchers have come across and analyzed an oddly behaving ransomware variant that bypasses the victim’s C drive and instead targets the device’s other drives. An analyst who tweets under Mol69 and Bleeping Computer took a look at the odd behavior presented by AnteFrigus ransomware.

But Actually, How Scary Is Critical Infrastructure Hacking? (VICE, Nov 15 2019)
From nation states or black hats hacking the power grid to water filtration plants, the threats are both real and overblown.

TPM-Fail Attacks Against Cryptographic Coprocessors (Schneier on Security, Nov 15 2019)
“Really interesting research: TPM-FAIL: TPM meets Timing and Lattice Attacks, by Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger.”

Undocumented Access Feature Exposes Siemens PLCs to Attacks (SecurityWeek, Nov 15 2019)
Siemens is working on addressing a vulnerability that can be exploited by a skilled attacker to execute arbitrary code on its SIMATIC S7-1200 programmable logic controller (PLC) by abusing a hardware-based access mode.