A Review of the Best News of the Week on Cyber Threats & Defense

French Hotel Giant Leaks 1TB+ of Client Data (Infosecurity Magazine, Nov 22 2019)
Unsecured Elasticsearch database once again to blame

Web Skimmers Use Phishing Tactics to Steal Data (Infosecurity Magazine, Nov 25 2019)
“This skimmer is interesting because it looks like a phishing page copied from an official template for CommWeb, a payments acceptance service offered by Australia’s Commonwealth Bank,” he explained. “The attackers have crafted it specifically for an Australian store running the PrestaShop Content Management System (CMS), exploiting the fact that it accepts payments via the Commonwealth Bank.” The fake payments page even alerts users if any fields they fill in are invalid.

Cloudflare Open-Sources Network Vulnerability Scanner (SecurityWeek, Nov 22 2019)
Security and web performance services provider Cloudflare this week announced the open source availability of Flan Scan, its lightweight network vulnerability scanner.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


New NextCry ransomware targets NextCloud sync and share solution (SC Magazine, Nov 18 2019)
Attackers are reportedly targeting an NGINX/php-fpm vulnerability to infect users of the NextCloud file sync and share service with a recently discovered ransomware called NextCry. Infecting a NextCloud instance is doubly damaging to victims because the affected service begins replacing files stored on their synced-up machines with the newly encrypted versions.

Microsoft says yes to future encrypted DNS requests in Windows (Ars Technica, Nov 19 2019)
In a highly hedged post, Microsoft pledges support for DoH and other schemes, eventually.

Microsoft Denies Bluekeep Ransomware Rumors (Infosecurity Magazine, Nov 21 2019)
Redmond also says no Teams link to recent Spanish outages

Louisiana was hit by Ryuk, triggering another cyber-emergency (Ars Technica, Nov 21 2019)
From Nunavut to Campeche, ransomware rolls along.

CISA Announces Open Source Post-Election Auditing Tool (SecurityWeek, Nov 22 2019)
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this week announced the release of an open source post-election auditing tool in preparation for the 2020 elections.

Midwest Gets First Cybercrime-Fighting Dog (Infosecurity Magazine, Nov 20 2019)
Nebraska police welcome Quinn, an electronic storage device K-9

Vishing Attacks to Become Commonplace in 2020 (Infosecurity Magazine, Nov 20 2019)
Experts warn voice phishing attacks will soon be an everyday occurrence

Attacker Mistake Botches Cyborg Ransomware Campaign (Dark Reading, Nov 19 2019)
Cybercriminals attempted to install Cyborg ransomware on target machines by deceiving victims with a fraudulent Windows update.

Iran’s APT33 Hackers Are Targeting Industrial Control Systems (Wired, Nov 20 2019)
The recent focus on ICS raises the possibility that Iran’s APT33 is exploring physically disruptive cyberattacks.

What’s in a WAF? (Dark Reading, Nov 20 2019)
Need a 101 lesson on Web application firewalls? Here’s your crib sheet on what a WAF is, how it works, and what to look for when you’re in the market for a new solution.

Why Multifactor Authentication Is Now a Hacker Target (Dark Reading, Nov 20 2019)
SIM swaps, insecure web design, phishing, and channel-jacking are four ways attackers are circumventing MFA technology, according to the FBI.

#Irisscon: Ransomware Shifts to use Affiliate Distributors, and Infect via RDP (Infosecurity Magazine, Nov 21 2019)
Ransomware is far from dead, as developers now use professional outfits to distribute and infect

GitHub repository exposes WeWork customer contracts (SC Magazine, Nov 21 2019)
Data belonging to clients of shared workspace company WeWork was reportedly left exposed and accessible to the public via GitHub, while a web portal separately leaked information on prospective customers.

The NSA Warns of TLS Inspection (Schneier on Security, Nov 22 2019)
“The NSA has released a security advisory warning of the dangers of TLS inspection: Transport Layer Security Inspection (TLSI), also known as TLS break and inspect, is a security process that allows enterprises to decrypt traffic, inspect the decrypted content for threats, and then re-encrypt the traffic before it enters or leaves the network. Introducing this capability into an enterprise enhances visibility within boundary security products, but introduces new risks. These risks, while not inconsequential, do have mitigations.”

Preventing insider threats, data loss and damage through zero trust (Help Net Security, Nov 25 2019)
There is no such thing as a traditional security perimeter anymore. There is virtually no difference between internal and external threats.