Daily Archives: September 30, 2019

Managing and monitoring privileged access to cloud ecosystems

Cloud data breaches are on the rise, demonstrating time and again the need for a different approach and strategy when it comes to managing and monitoring privileged access to cloud ecosystems. Privileged access management (PAM) should be risk-aware and intelligent; reduce sprawl of infrastructure, accounts, access and credentials; and use continuous identity analytics.

Just-in-time management of privileged accounts

According to Gartner’s 2018 Magic Quadrant for PAM report, by 2022 more than 50% of organizations with PAM … More

The post Managing and monitoring privileged access to cloud ecosystems appeared first on Help Net Security.

Five questions every CEO should be asking about cybersecurity

Estimated reading time: 3 minutes

As the captain of the ship, the Chief Executive Officer (CEO) plays a very important role in how an enterprise addresses cybersecurity issues and concerns. When the CEO provides a buy-in towards making enterprise security safer, it trickles down as a new mindset for the entire organization.

The 9th Annual Cost of Cybercrime Study 2019 revealed a significant statistic – the average cost of cybercrime for an organization increased by $1.4 million to $13 million in 2019.

More than anything else, this is the most important statistic which illustrates why cybersecurity is one of the most important issues that a modern organization must deal with. It is no longer a question of IT or Information Security – it is a business issue as important as anything else which leaders need to deal with urgently.

But to create that mindset, what kind of questions should a CEO be asking? Here are five important ones:

  1. How prepared is the enterprise right now to handle cyber risks?

The CEO, as the most important leader in the company, must know in minute detail how prepared the company is for current threats. The leadership must have detailed visibility of how the enterprise is dealing with these risks, what measures are being taken, and which threats are slipping through the net. This question is the starting point for the CEO, and the answer will provide a complete understanding of where the enterprise currently stands on cybersecurity. On that basis, plans for the future can be made.

  2. Does the senior leadership buy into the current cybersecurity framework? If not, why?

CEOs head organizations but they can never be a one-person army. Great organizations surround CEOs with a team of competent leaders who come together to form one unified front. It is in the same way that a company’s senior leadership team comprising the C-suite must also showcase a united stand towards cybersecurity measures taken by the enterprise. This helps in better compliance and inculcation of a security-first mindset among employees. However, this is easier said than done and that is why a CEO must ask this question.

If the CEO finds out that this is not the case, the first step is to get the entire leadership team on board.

  3. What is our plan for responding to cybersecurity incidents? How regularly has it been tested?

Cybersecurity is not a zero-sum game – there is always scope for malware to sneak through despite the best possible measures. This is why an Incident Response Plan comes in handy, as it details the actions to be taken for different kinds of incidents. The CEO must be aware of every intricate detail of this plan, as in times of crisis they will need to show that they are in control. CEOs must also keep themselves abreast of how regularly this plan is tested so that they are aware of any shortcomings in it.

  4. Do the employees have a cybersecurity mindset?

Employees are the single biggest factor in cybersecurity preparedness for an enterprise. The CEO must be aware of the current culture of cybersecurity in the organization – are employees aware of the dangers that cyber threats may pose or do they still remain blissfully unaware? If the answer is the latter, the CEO must immediately put in place a plan to create a mindset of cybersecurity in the entire organization.

  5. How does the enterprise handle insider threats?

Cybersecurity is not always an external affair – in many cases, danger lurks within the enterprise in the form of insider threats and disgruntled employees. It is not just the InfoSec team that has to be aware of this – the CEO must ask leading questions about this dangerous type of threat and the kind of measures the company is taking to tackle it.

Creating a cybersecurity culture in an enterprise is not easy but investing in a strong enterprise solution goes a long way in protecting an organization from the varied threats that exist. Seqrite’s range of solutions enables security and greater productivity in the cybersecurity journey.

The post Five questions every CEO should be asking about cybersecurity appeared first on Seqrite Blog.

38% of the Fortune 500 do not have a CISO

To uncover whether the world’s leading companies are committed to enhancing their cybersecurity initiatives, Bitglass researched the members of the 2019 Fortune 500 and analyzed public-facing information such as what is available on their websites. 77% of the Fortune 500 make no indication on their websites about who is responsible for their security strategy. Additionally, 52% do not have any language on their websites about how they protect the data of customers and partners (beyond … More

The post 38% of the Fortune 500 do not have a CISO appeared first on Help Net Security.

Email is an open door for malicious actors looking to exploit businesses

There’s an alarming scale of risks businesses are up against in a time when email is proving an open door for cybercriminals and malicious actors looking to disrupt, exploit and destroy businesses, according to Wire. The report is developed in collaboration with global poker champion and astrophysicist, Liv Boeree. Poker is a game of making calculated, strategic decisions in high-stakes situations. As such, Liv is able to draw parallels between the poker table and the … More

The post Email is an open door for malicious actors looking to exploit businesses appeared first on Help Net Security.

Employee negligence can be a leading contributor to data breaches

Two thirds (68%) of businesses reported their organization has experienced at least one data breach in the past 12 months, and nearly three in four (69%) of those data breaches involved the loss or theft of paper documents or electronic devices containing sensitive information, according to the Shred-it report conducted by the Ponemon Institute. According to the report, typical workplace occurrences may be at the root of the problem as 65% of managers are concerned … More

The post Employee negligence can be a leading contributor to data breaches appeared first on Help Net Security.

Tolly report: Evaluating the evolution of network traffic analysis technology

Network Traffic Analysis has been rapidly evolving to counter the increased sophistication of threats experienced by organizations worldwide. Test methodologies and tools are not yet available which provide security professionals with the ability to test how well the products currently on the market perform. Awake Security has partnered with the Tolly Group and a current Darktrace customer to develop and execute just such a test and has published a report detailing the methodology and the … More

The post Tolly report: Evaluating the evolution of network traffic analysis technology appeared first on Help Net Security.

Anomali Altitude automates detection, analysis, and threat response

Anomali, a leader in intelligence-driven cybersecurity solutions, unveiled the Anomali Altitude platform. The Anomali Altitude platform delivers Anomali Lens, Anomali ThreatStream, and Anomali Match. The integrated product suite allows customers to automate detection, analysis, and response for high-priority external and internal threats. Anomali Lens: This first-of-its-kind technology allows anyone, from security operations staff to board members, to automatically and immediately know if their organizations are being attacked, who adversaries are, and if the attacks have … More

The post Anomali Altitude automates detection, analysis, and threat response appeared first on Help Net Security.

Cyber Threats to Medical Imaging Systems and How to Address Them

Healthcare continues to see staggering growth in breaches to patient health information. In the first half of 2019 alone, 32 million health records were breached, compared to 15 million records in the entire year of 2018. However, this trend of growing cyber breaches in healthcare is likely to persist due to the following characteristics of […]… Read More

The post Cyber Threats to Medical Imaging Systems and How to Address Them appeared first on The State of Security.

2019-129: File Disclosure Vulnerability in Pulse Connect Secure VPN Software

Overview: The Australian Signals Directorate’s Australian Cyber Security Centre is aware of a vulnerability that exists in the Pulse Connect Secure Virtual Private Network (VPN) solution. We advise users to ensure their systems are patched and up to date. The Pulse VPN vulnerability, also known as CVE-2019-11510, was initially disclosed in April 2019 but has resurfaced after multiple reports of exploitation and the disclosure of working exploits available for use on Pastebin and GitHub.

BlackBerry creates BlackBerry Advanced Technology Development Labs

BlackBerry announced the creation of BlackBerry Advanced Technology Development Labs (BlackBerry Labs), a new business unit operating at the forefront of research and development in the cybersecurity space. Led by CTO Charles Eagan, BlackBerry Labs will include a team of over 120 software developers, architects, researchers, product leads and security experts, each working toward the common goal of identifying, exploring and creating new technologies to ensure BlackBerry is on the cutting edge of security innovation. … More

The post BlackBerry creates BlackBerry Advanced Technology Development Labs appeared first on Help Net Security.

Red Hat shares rising interest for hybrid cloud in APAC

Red Hat, the world’s leading provider of open source solutions, shared that there is a rising interest for hybrid cloud in Asia Pacific (APAC), evident from the increasing number of cloud and managed services providers joining the Red Hat Certified Cloud and Service Providers program in Australia, China, India, Japan, Korea, Singapore, Thailand, The Philippines and Vietnam. The Red Hat Certified Cloud and Service Provider program includes more than 300 cloud, system integrator and managed … More

The post Red Hat shares rising interest for hybrid cloud in APAC appeared first on Help Net Security.

Loop1 Systems expands to the UK with the acquisition of Kenson

Loop1 Systems, an Austin-based enterprise IT service organization, proudly announces the acquisition of Kenson, one of the U.K.’s most respected suppliers of network management tools, expertise, and support. Kenson has served the market for more than 15 years and in 2017, the company received the SolarWinds Channel Renewal Partner of the Year Award. “The [Loop1] commitment to SolarWinds is steadfast and evident in the 10-year track record they have with SolarWinds,” said John Woolford, COO … More

The post Loop1 Systems expands to the UK with the acquisition of Kenson appeared first on Help Net Security.

Kenna Security raises $48M to accelerate its international expansion and drive further innovation

Kenna Security, the enterprise leader in risk-based vulnerability management, announced a $48 million series D funding round that adds Sorenson Capital and Citi Ventures as new investors. Ken Elefant, Managing Director of Sorenson Capital will join Kenna Security’s board of directors. The investment brings Kenna’s total raised to $98 million. “This round of funding demonstrates significant confidence in Kenna’s continued growth potential as the global market for risk-based vulnerability management expands,” said Karim Toubba, CEO … More

The post Kenna Security raises $48M to accelerate its international expansion and drive further innovation appeared first on Help Net Security.

Monitoring Application Security with SIEM


It always seems like the clichéd image of a security expert is them sitting in a dark room with upwards of four to six bright monitors displaying different complex tasks. Regardless of how many monitors they use, we know security teams are using just as many, if not more, complex tools. According to analyst firm EMA’s Security Megatrend Report, 75% of respondents use more than six consoles to do their jobs. While the stereotypical cybersecurity expert at work may seem thrilling, the reality is that having so many tools to monitor can be overwhelming and virtually impossible.

Security Information and Event Management (SIEM) solutions provide security staff relief and insights with a centralized analysis of security data pulled from a variety of systems. Read on to learn about the large variety of information a SIEM can consolidate, becoming your organization’s primary security monitoring tool.

Typical Information

Universally, SIEMs monitor standard datasources, which include operating systems like Windows and Linux, routers and switches, firewalls, databases, and servers. SIEMs monitor these assets not only for unusual behavior, but can also ensure that planned activities, like addition or deletion of users or data, occurred without incident. Having all of these sources monitored in one place also allows for event correlation. Event correlation shows how a single event can be related to other logged events, assisting in forensic analysis and providing an audit trail. This can provide powerful insights about your environment. For example, if a user engages in unusual behavior on your server, you can bring up all activity from that user, capturing security events more quickly and seeing if there is a pattern on other devices, warranting suspicion.

Diverse Datastreams

While standard datasources are critical to monitor, each organization brings unique sources to the table that also need monitoring, like a homegrown database or third-party applications. Connecting things like a CRM streamlines your environment even further, reducing the number of consoles your security team has to look at.

This is particularly important for things like financial applications, in which capturing events real-time can be especially crucial. For example, if a credentialed user was created, performed several actions, and was then deleted, this suspicious behavior can mean that both confidential data and money could be at risk. Without a SIEM monitoring events and sending an alert in real time, this activity may not be spotted until it’s too late to do anything about it. Additionally, if an unauthorized user attempts or is able to download confidential data, a SIEM can immediately disable that user’s access, preventing any further risk while the event is investigated. Types of action taken depend on the event and can be configured to suit the needs of each organization.

Most importantly, enabling application security can bring further insight into event relationships. The more a SIEM monitors, the easier it is to find correlating events, providing a new angle from which to view your security picture. For example, integrating an antivirus solution can allow you to not only get alerts about thwarted breaches, it can also allow you to isolate where the infection attempt originated, providing further insight.
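As an added illustration (not code from the original post or from Powertech Event Manager), here is a small correlation rule in Python over constructed audit lines: it flags the create/act/delete pattern described above for financial applications, and pulls one user's trail across every source, as the event-correlation view under Typical Information describes. The log format, event names, user names and the one-hour window are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in the form "<timestamp> <source> <EVENT> key=value ...".
# Not real log data; the sources and users are invented for the example.
SAMPLE_LOG = """\
2019-09-30T09:00:01 finance-app USER_CREATED user=tmp_vendor actor=admin_jane
2019-09-30T09:02:15 finance-app PAYMENT_APPROVED user=tmp_vendor amount=48000
2019-09-30T09:03:40 finance-app EXPORT_REPORT user=tmp_vendor report=ap_ledger
2019-09-30T09:05:02 finance-app USER_DELETED user=tmp_vendor actor=admin_jane
2019-09-30T08:10:00 crm USER_CREATED user=new_hire_bob actor=hr_sam
2019-09-30T10:30:00 crm LOGIN user=new_hire_bob
2019-09-30T11:00:00 linux-srv01 LOGIN user=admin_jane
"""

# Constructed threshold: an account created, used and deleted inside this window is flagged.
SHORT_LIVED_WINDOW = timedelta(hours=1)


def parse_line(line):
    """Turn one audit line into a dict; trailing key=value pairs become fields."""
    ts, source, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def activity_for_user(events, user):
    """Event correlation: every event in which the user acted or was acted upon,
    across all sources, in time order (the audit trail for one account)."""
    hits = [e for e in events if e.get("user") == user or e.get("actor") == user]
    return sorted(hits, key=lambda e: e["ts"])


def short_lived_accounts(events, window=SHORT_LIVED_WINDOW):
    """Flag accounts that were created, performed at least one action, and were
    deleted again within `window`; returns one alert dict per such account."""
    by_user = defaultdict(list)
    for e in events:
        if "user" in e:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        created = next((e for e in evs if e["event"] == "USER_CREATED"), None)
        deleted = next((e for e in evs if e["event"] == "USER_DELETED"), None)
        if created is None or deleted is None or deleted["ts"] <= created["ts"]:
            continue
        actions = [e["event"] for e in evs if created["ts"] < e["ts"] < deleted["ts"]]
        if deleted["ts"] - created["ts"] <= window and actions:
            alerts.append({
                "user": user,
                "created_by": created.get("actor"),
                "deleted_by": deleted.get("actor"),
                "lifetime_seconds": int((deleted["ts"] - created["ts"]).total_seconds()),
                "actions": actions,
                "sources": sorted({e["source"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in short_lived_accounts(evs):
        print("ALERT short-lived account:", alert)
    # The "bring up all activity from that user" view for the admin who created it.
    for e in activity_for_user(evs, "admin_jane"):
        print(e["ts"].isoformat(), e["source"], e["event"])
```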

Expanding the SIEM Network

A SIEM is only as good as the data streams it can assess. As mentioned above, while there are typical sources that most environments have, many organizations have needs outside of the normal scope. Simply put, a SIEM can’t generate alerts for an application it isn’t monitoring. Instead, a data source not filtered by a SIEM will require special attention, increasing not only your security team’s workload, but also the likelihood of suspicious activity slipping through the cracks. The more sources you connect, the more insights you can gain. 

Powertech Event Manager provides a holistic view of your entire environment. It not only provides out-of-the-box templates for easy implementation of standard datasources, it can also be used with in-house applications, third-party software or connected devices, providing a full audit trail and real-time monitoring for non-mainstream applications that still provide access to your critical systems. Our experts will be readily available to work with your security team to develop a plan for connecting any necessary data streams and provide ongoing support.


Are you ready to reduce the risk of insider threats in your organization?

Get a live demo of our cybersecurity solutions from one of our solution experts today.

What Tesla’s Cryptojack Attack Means for the Rest of Us


In February, Fortune, Wired, and other media outlets reported that hackers worked their way into automaker Tesla’s Amazon Web Services (AWS®) cloud account to mine for cryptocurrency. These so-called “cryptojacking” attacks are on the rise in concert with escalating cryptocurrency prices, prompting hackers to gain access to company networks to generate these virtual forms of tender. It’s yet another facet of cybersecurity to keep IT experts up at night, wondering who will be hit next.

Cryptocurrency…What Is That Again?

As a refresher, a cryptocurrency is a digital or virtual currency secured through cryptography, which makes it hard to counterfeit. Bitcoin is probably the most well-known example. Cryptocurrencies are decentralized, can be used anonymously in transactions, and aren’t subject to government regulation. Because of this lack of oversight, they are perfect for illegal activities such as tax evasion and money laundering. Cryptocurrencies make use of blockchain, a secure, online ledger technology for recording and verifying transactions in a permanent way.  

From Bad to Worse

Fortunately for Tesla, researchers from cybersecurity firm RedLock discovered the intrusion. However, the attack itself was possible because Tesla’s credentials were available on an unsecured IT administrative console—with no password protection. Said another way, Tesla forgot to lock the door. In addition to mining for cryptocurrency, the attackers were able to access other sensitive information such as vehicle servicing and mapping data. The researchers couldn’t determine how long the hackers had access to Tesla’s account, or the amount of cryptocurrency they were able to mine, but they found evidence that the cryptocurrency software Stratum had been used.

An Ounce of Prevention

Tesla acted quickly to secure its files, but the fact that this intrusion happened at all is a major red flag. Although cybersecurity threats are everywhere, and ingenious hackers seem to think up new ways to get into sensitive information every day, this is one of those cases where it was all too easy to commit a crime. Why? Because the information was essentially sitting out there for anyone to find and use for their own purposes.

Avoiding this type of scenario takes a proactive approach to your IT infrastructure. Powertech Security Auditor’s automatic cloud system discovery and auditing would have found additional AWS systems as they were deployed. In addition, Tesla administrators would have received alerts of those findings, thwarting this or any similar type of attack. The solution works by automatically applying security controls on the systems it discovers. It reports on any audits that fail to meet corporate standards. Incorrect configurations, unapproved users, and any non-approved running services would have been reported.

In concert with Security Auditor, Powertech Event Manager provides centralized logging and auditing of security alerts and events within IT environments. By normalizing the various data streams and prioritizing the criticality of security events, you can quickly and clearly identify security incidents and take appropriate action to resolve the issues and secure your environment.


Is your organization protected against ransomware?

Watch our on-demand webinar to discover steps to reduce your risk.

Ransomware Hits the City of Atlanta


On March 22, the city of Atlanta was brought to its knees by a ransomware attack. CNN reported that the malicious incident affected at least five of the city’s municipal departments, effectively locking down key functions for the police, courts, and more. The attackers asked for the $51,000 ransom to be paid in the bitcoin cryptocurrency. According to the Atlanta Journal-Constitution, the city had declined to say whether it had made this payment as of April 12, and the overall estimated cost of the breach was at $2.7 million and climbing.

Not If, But When

In coverage of the incident, news sources indicated the city had known for years of its security vulnerabilities and lack of a solid approach to business continuity and disaster recovery planning. The reality of these concerns is now upon municipal employees and citizens as everyone struggles to complete everyday tasks without computer access. The fact that Atlanta had just begun to address the recommendations from its January cybersecurity audit is especially heartbreaking.

What Happened Behind the Scenes

The vulnerabilities in the city’s infrastructure were no match for the SamSam ransomware, which tag teams with tools such as Mimikatz to detect weak passwords and take control of networks. In this way, SamSam can move throughout a network quickly without the need to propagate via employees’ email accounts, as occurs in some ransomware schemes. SamSam also interfaces with tools including JexBoss to find unpatched servers running Red Hat® JBoss® solutions. Once inside these locations, the hackers can implement scripts that cull credentials and other information. Finally, the ransomware encrypts files, and the hackers demand their payment.

It Could Have Been Prevented

Disruptive and costly ransomware attacks like what the city of Atlanta is experiencing are all too common. No doubt the cybersecurity issues the city was in the process of addressing would have included solutions such as those HelpSystems customers rely on every day.

Powertech Antivirus runs natively on Red Hat and other major Linux distributions to detect and clean ransomware and malware like SamSam and Mimikatz. HelpSystems risk assessment engagements do a full patch audit on your Linux systems and identify any missing updates which can leave your organization vulnerable to attack.

Powertech Security Auditor has a feature for automatically detecting unapproved system services. The solution discovers unwanted programs running in your environment and immediately terminates them, limiting the chance of damage and data leaks.

Powertech Event Manager provides centralized logging and auditing of the security alerts and events within your environment. By normalizing the various data streams and prioritizing the criticality of security events, you can quickly and clearly identify security incidents and take the appropriate steps to secure your environment and resolve the issue.


Try Powertech Event Manager for Free

Avoid a ransomware attack with our one-size-fits-all SIEM solution

Cryptoviral Extortion: The Enduring Problem of Ransomware


In 1989, the first instance of ransomware was delivered to thousands of people on floppy disks and demanded that money be sent in the form of a cashier’s check or international money order to a P.O. box in Panama. These days, ransomware has become increasingly more streamlined. Just about anyone can purchase a ransomware strain off the dark web and deploy it without needing to be all that tech savvy. Additionally, using cryptocurrency like Bitcoin helps attackers stay anonymous and untraceable. Though modern ransomware is simple to use, its effects can be far reaching and long lasting. Read on to learn about the long arms of ransomware, and how to protect your organization from its grasp.

Ransomware can set you back decades

Attackers have found a particularly vulnerable victim in small towns and businesses, which often lack the financial resources it takes to recover from a ransomware attack. For example, the Alaskan borough of Matanuska-Susitna nearly had to shut down after a strain swept through their systems, affecting everyone from the purchasing department to the library. Those assets that were not infected were taken offline to prevent further spread. Staff were forced to return to the use of pen, paper, and typewriters for days. Though the attack took place in July 2018, the borough is still recovering.

While successful ransomware attacks don’t always completely cripple organizations, they almost always cause significant disruption. For example, last year’s attack on the city of Atlanta using the SamSam strain of ransomware cost millions, and also took months to get productivity back to normal levels.

Unfortunately, organizations remain far too overconfident in their ability to recover quickly. In a comprehensive survey of cybersecurity professionals conducted by Cybersecurity Insiders, 79% of respondents thought they could recover from an attack in less than a week. Though initial information about attacks is constantly in the news, more follow ups to demonstrate the long-lasting effects may still be needed.

Data backup plans may not be enough

Ransomware can be fast acting and incredibly thorough, as Apex Human Capital Management just discovered. Recently, a ransomware attack spread through their network. However, they had just completed an exhaustive recovery plan with an off-site system that mirrored their live system, intended to protect them from exactly this type of situation. Regrettably, since the live site had an ongoing connection to the backup site, the ransomware was quickly able to hold both sets of data hostage.

Sadly, the path to the retrieval of their data was not a smooth one. They paid the ransom but were given a decryption key that did not work as promised. The decryption process broke a number of directories and made some of the other files completely unopenable. In the end, they were left with a half recovered set of files.

In order to have a truly secure backup, it’s important to have a secondary system that is disconnected from the network when it isn’t backing up data. In fact, it’s best to have multiple backups in place, with at least one of them off-site.

Paying the ransom is no guarantee of recovery

Apex’s desire to simply get it over with and pay the ransom to quickly get data back and return to business as usual is an instinct everyone can sympathize with. Regardless, experts almost universally advise not to pay the ransom. The fact is, you simply cannot trust that attackers will return your data once you’ve paid. Once you’ve paid, they have what they want, and face zero consequences for not holding up their end of the bargain. For example, XBash malware poses as ransomware, but is programmed merely to destroy Linux databases, and contains no restoration mechanism.

Despite this, according to a survey by CyberEdge Group, 38.7% of organizations paid the ransom, and only half of these victims recovered their data. Of the 61.3% that did not pay the ransom, 53.3% were able to recover some of their data. It’s far better to invest the ransom payment into recovering the data through other means. Ultimately, paying ransom is bad for everyone. You’re unlikely to get your data back, and giving in to demands only encourages either a repeat attack, or further attacks on other organizations.

Preparedness and prevention

Realistic expectations, multiple backups, informed employees, and a policy to not pay ransoms are all necessary components to being prepared for a ransomware attack. However, the best way to prepare for ransomware attacks is to prevent them from succeeding in the first place.

Security Information and Event Management (SIEM) solutions provide centralized logging and auditing of the security alerts and events within your environment. SIEM software can help provide context to events and clearly identify security incidents, like indicators of ransomware, in real time. This allows security teams to take action to secure your environment and lock down systems before the ransomware spreads.

Implementing robust anti-malware with predictive analysis not only catches existing strains of malware, it can also detect new viruses before they become widespread. It’s also important that you don’t only have anti-malware for just workstations, but also provide protection for other endpoints like servers, preventing ransomware from entering elsewhere in your environment.

By taking a proactive approach to ransomware, organizations have a much better chance of never having to recover from it.


Is your organization protected against ransomware?

Watch our on-demand webinar to discover steps to reduce your risk.

eGobbler Malvertiser Bypassed Browser Protections Using Obscure Bugs

A malvertising actor known as “eGobbler” used obscure browser bugs to bypass built-in browser protections and expand the scope of its attacks. Confiant observed eGobbler exploiting the first vulnerability back on April 11, 2019. In that particular attack, the threat actor leveraged a Chrome exploit to circumvent the browser’s pop-up blocker built into iOS devices. […]… Read More

The post eGobbler Malvertiser Bypassed Browser Protections Using Obscure Bugs appeared first on The State of Security.

eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions

A recently observed malvertising campaign carried out by a threat group dubbed eGobbler hijacked roughly 1.16 billion ad impressions.

Researchers at Confiant observed a malvertising campaign, carried out by a threat actor dubbed eGobbler, that hijacked roughly 1.16 billion ad impressions to redirect victims to websites hosting malicious payloads.

The campaign was observed between August 1 and September 23.

The eGobbler group was first observed by security firm Confiant in April when it was exploiting a security flaw in the Google Chrome browser to target millions of iOS users. At the time, Confiant experts estimated that more than 500 million malicious ads had been served to iOS users.

This time eGobbler hackers extended their attacks to Windows, Linux, and macOS desktop devices.

“Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.” reads the analysis published by Confiant.

“This blog post will provide overviews and proof of concepts for both browser exploits. The first exploit that we reported on April 11, 2019 impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit based browsers.”

In the recent campaign, the attackers used an exploit that targets WebKit-based browsers: the researchers observed redirections in WebKit browsers upon the ‘onkeydown’ event.

“The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame.” continues the analysis. “With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

Experts also discovered that the payload used in this campaign specifically targeted web applications that use text areas and search forms, in order to maximize the chances of hijacking keypresses.

“eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing,” states Confiant.

Experts reported the bug to both the Chrome and Apple security teams; the latter answered within the hour, while on August 9 the former responded that it was investigating.

On August 12, the Chrome team provided an update that a patch had been submitted to WebKit on August 9.

Apple addressed the issue in iOS 13 on September 19 and in Safari 13.0.1 on September 24.

The analysis published by the experts includes Indicators of Compromise for the recent campaign, including a list of content delivery networks (CDNs) used by the eGobbler threat actor to deliver the malicious payloads.

Pierluigi Paganini

(SecurityAffairs – eGobbler, hacking)

The post eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions appeared first on Security Affairs.

Five Malicious Insider Threat Indicators and How to Mitigate the Risk


With the prevalence of cyber attacks from individuals and groups looking to exploit corporate vulnerabilities and sensitive information assets, companies sometimes overlook another common threat: their own employees. It’s incredibly disheartening to think of trusted current or former colleagues looking to exploit sensitive information for their own monetary gain, but it’s increasingly common. Luckily, there are some telltale signs of this malicious activity that can enable you to identify and rectify problems as quickly as possible, using the strategies detailed below.

Indicators: Increasing Insider Threat Awareness

Keep an eye out for the following suspicious occurrences, and you’ll have a far better chance of thwarting a malicious insider threat, even if it’s disguised as an unintentional act.

1. Unusual logins

At many companies there is a distinct pattern to user logins that repeats day after day. Logins happening remotely, from unusual locations, or during odd hours could be a sign of trouble. Likewise, your authentication logs may start filling up with numerous unexplained occurrences of “test” or “admin” username attempts that fail to pass muster. Anything that strikes you as out of the ordinary warrants investigation.

2. Use or repeated attempted use of unauthorized applications

No doubt you maintain a dizzying number of mission-critical systems such as your CRM, financial management applications, ERP, and others, each of which should have a strictly defined set of users. If you’re structuring your access privileges properly, you’ll have particular people or roles that are granted access to necessary applications. When unauthorized people gain access to these applications and the sensitive data they house, it could mean a breach of disastrous proportions for your business. An increase in attempts to log in to these systems could be a red flag.

3. An increase in escalated privileges

Anyone with heightened system access is an inherent threat to your business simply because they are likely privy to sensitive information that should never fall into the wrong hands. Sometimes, a person with administrative rights (a trusted individual) will start granting privileges to others who shouldn’t have them. An increase in the number of people with this sort of escalated access could mean they’re wandering unencumbered around your servers, looking for just the right data to sell on the dark web. These insider threats could also be using these privileges to access unauthorized applications as mentioned above.

4. Excessive downloading of data

Your IT team probably has a good handle on your organization’s bandwidth usage and data downloading patterns when it comes to data accessed from your onsite network or cloud infrastructure and copied onto computers or external drives. Perhaps it’s normal for the sales team to download large marketing files or for HR to save large employee or payroll databases on a regular basis. But if you begin to see significant downloads of data that can’t be explained, or that occur during odd times of the day or from strange locations in which you don’t typically do business, something is likely amiss.

5. Unusual employee behavior

The behavior indicator is a good one, and it requires some intuition and a keen eye. If someone who is normally a high performer who gets along well with others starts to act differently, take notice. While it’s certainly possible there are extenuating personal circumstances behind the scenes, unexplained poor performance or disagreements with coworkers or superiors over policies could mean this person is someone to keep an extra close eye on for the foreseeable future. Particularly if he or she seems to indicate some sort of financial distress or unexplained financial gain—or resigns unexpectedly—they may have or be planning to make improper use of your corporate assets.
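The first four indicators can be turned into concrete checks over authentication, authorization and transfer events. The following is an added example, not code from the original post: it runs those checks over a small constructed log sample. The log format (timestamp,user,event,source_ip,detail), the business-hours window, the internal address prefix and every threshold are assumptions chosen for illustration; a real deployment would baseline them per user and per role.

```python
"""Insider-threat indicator checks over a constructed log sample.

Added example, not code from the original article. The log format
(ts,user,event,src,detail), the thresholds and the business-hours
window are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events; not real data. 'detail' holds the grantee for
# grant_admin, the MB transferred for download, the app name for app_denied.
# For login_fail, 'user' is the username that was attempted.
SAMPLE_LOG = """\
2019-09-30T09:02:11,alice,login_ok,10.0.1.15,
2019-09-30T09:05:42,bob,login_ok,10.0.1.22,
2019-09-30T03:14:09,alice,login_ok,203.0.113.9,
2019-09-30T03:15:30,alice,download,203.0.113.9,4200
2019-09-30T03:16:02,alice,download,203.0.113.9,3800
2019-09-30T10:00:00,bob,download,10.0.1.22,120
2019-09-30T10:01:00,bob,app_denied,10.0.1.22,erp
2019-09-30T10:01:30,bob,app_denied,10.0.1.22,erp
2019-09-30T10:02:00,bob,app_denied,10.0.1.22,crm
2019-09-30T11:00:00,admin,login_fail,10.0.1.40,
2019-09-30T11:00:05,test,login_fail,10.0.1.40,
2019-09-30T11:00:10,admin,login_fail,10.0.1.40,
2019-09-30T12:00:00,dave,grant_admin,10.0.1.50,erin
2019-09-30T12:05:00,dave,grant_admin,10.0.1.50,frank
2019-09-30T12:10:00,dave,grant_admin,10.0.1.50,grace
"""

BUSINESS_HOURS = range(8, 19)          # 08:00-18:59; assumed local policy
INTERNAL_PREFIXES = ("10.",)           # assumed on-site address space
PROBE_NAMES = {"admin", "test", "root", "guest"}
PROBE_THRESHOLD = 2                    # failed generic-name logins per source
APP_DENY_THRESHOLD = 3                 # denied application accesses per user
GRANT_THRESHOLD = 2                    # admin grants issued per user
DOWNLOAD_MB_THRESHOLD = 5000           # MB per user in the window


def parse(log_text):
    """Turn the CSV-like lines into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "src": src, "detail": detail})
    return events


def find_indicators(events):
    """Return (indicator, subject, description) tuples for indicators 1-4."""
    alerts = []
    probes, denies, grants = Counter(), Counter(), Counter()
    downloaded = defaultdict(int)

    for e in events:
        external = not e["src"].startswith(INTERNAL_PREFIXES)
        off_hours = e["ts"].hour not in BUSINESS_HOURS
        if e["event"] == "login_ok" and (external or off_hours):
            # 1. Unusual login: remote source and/or odd hour
            alerts.append(("unusual_login", e["user"],
                           f"from {e['src']} at {e['ts'].isoformat()}"))
        elif e["event"] == "login_fail" and e["user"] in PROBE_NAMES:
            probes[e["src"]] += 1
        elif e["event"] == "app_denied":
            denies[e["user"]] += 1
        elif e["event"] == "grant_admin":
            grants[e["user"]] += 1
        elif e["event"] == "download":
            downloaded[e["user"]] += int(e["detail"])

    # 1. Generic-name login probing ("admin", "test", ...) from one source
    for src, n in probes.items():
        if n >= PROBE_THRESHOLD:
            alerts.append(("account_probing", src, f"{n} failed generic-name logins"))
    # 2. Repeated attempts to reach applications the user is not entitled to
    for user, n in denies.items():
        if n >= APP_DENY_THRESHOLD:
            alerts.append(("unauthorized_app", user, f"{n} denied application accesses"))
    # 3. One administrator handing out privileges to many others
    for user, n in grants.items():
        if n >= GRANT_THRESHOLD:
            alerts.append(("privilege_escalation", user, f"granted admin to {n} accounts"))
    # 4. Download volume above the baseline for the window
    for user, mb in downloaded.items():
        if mb >= DOWNLOAD_MB_THRESHOLD:
            alerts.append(("excessive_download", user, f"{mb} MB downloaded"))
    return alerts


if __name__ == "__main__":
    for indicator, subject, desc in find_indicators(parse(SAMPLE_LOG)):
        print(f"{indicator:22} {subject:14} {desc}")
```

Indicator 5 (a change in behavior) has no log signal and is deliberately left out; the other four reduce to counters over authentication, authorization and transfer events, which is exactly the kind of correlation a SIEM performs across feeds.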

Strategizing and Implementing an Insider Threat Program

The strategies and tools available to round out your insider threat program are becoming more sophisticated to keep up with—and often stay ahead of—cybercriminals out for financial gain or to cause destruction.

1. Make sense of event data with a SIEM solution

A security information and event management (SIEM) solution can become your eyes and ears by aggregating, normalizing, and interpreting the vast data feeds from your cybersecurity monitoring solutions. This can include changes to user profiles and system values, invalid login attempts, intrusion detections, and changed or deleted objects. It will spot abnormalities beyond the typical ‘noise’ happening within the data and send alerts to indicate issues. This enables your team to assess disturbances and act on them swiftly to minimize the potential impact.

2. Limit user access with a privileged access management (PAM) solution

It is well worth the effort to develop and implement a thorough approach to user privileges and access rights. Most employees only require access to a few key network locations and applications, and even these need to be curated by their role and revisited as job-specific requirements change. In general, users should only be able to access precisely what’s needed to perform their jobs on a daily basis (keeping in mind their productivity if workaround processes are cumbersome). Doing this effectively requires a privileged access management solution. This helps you assign the lowest level of privileges required to minimize exposure, more commonly known as the principle of least privilege.

3. Maintain vigilance

Malicious insider threats are an unfortunate reality today, and there’s no substitute for ongoing attention to what’s happening across your network. This means you need to check in on a consistent basis, track unusual behavior, and take comments and complaints about an employee’s unusual behavior seriously. Always remember that in addition to implementing the appropriate cybersecurity tools and procedures to help you keep up with your environment monitoring and bolster your security posture, your intuition is often a guide when something’s wrong.



BlackBerry launches BlackBerry Labs to develop cybersecurity solutions

BlackBerry Ltd. is looking to ramp up its cybersecurity research and development by today announcing the launch of a new business unit entitled BlackBerry Advanced Technology Development Labs (BlackBerry Labs).

The unit will be headed by BlackBerry’s chief technology officer, Charles Eagan, and will include a team of over 120 software developers, architects, researchers, product leads and security experts.

“The establishment of BlackBerry Labs is the latest in a series of strategic moves we’ve taken to ensure our customers are protected across all endpoints and verticals in the new IoT,” said Eagan in a press release. “Today’s cybersecurity industry is rapidly advancing and BlackBerry Labs will operate as its own business unit solely focused on innovating and developing the technologies of tomorrow that will be necessary for our sustained competitive success, from A to Z; Artificial Intelligence to Zero-Trust environments. We believe this highly experienced team will allow us to remain nimble, engaged and, above all else, proactive in our efforts to be the most trusted security software leader in the market.”

While the overarching scope will be researching and developing security solutions, BlackBerry said initial work will be specifically focused on machine learning approaches to security in partnership with the company’s existing Cylance, Enterprise, and QNX business units.

Cloudflare’s WAF rule to protect against vBulletin RCE (CVE-2019-16759)

vBulletin RCE (CVE-2019-16759): Cloudflare is a well-known company that offers a wide range of internet services aimed at keeping your website safe. Cloudflare has recently added a new managed rule to its WAF to help protect against the vBulletin Remote Code Execution exploit (CVE-2019-16759). RCE (Remote ...

The post Cloudflare’s WAF rule to protect against vBulletin RCE (CVE-2019-16759) appeared first on HackingVision.

German Police Bust Dark Web Hosting Cyber-Bunker Business


Hundreds of servers used to support child pornography, cybercrime, and the sale of illegal drugs have been seized in a police raid on a former NATO bunker in Germany.

German authorities arrested thirteen people between the ages of 20 and 59 on Friday after busting up a dark web hosting operation being run from a heavily fortified five-floor military bunker in the peaceful riverside town of Traben-Trarbach. 

After breaking through an iron door to gain access to the temperature-controlled bunker, 600 police searched the 1.3-acre premises and found around 200 servers stored in stacks together with disks, mobile phones, documents, and a large sum of cash. 

A 59-year-old Dutchman, who purchased the bunker in 2013, is thought to be the owner and operator of the business, which offered secured "bulletproof" website hosting to illegal businesses and concealed their activities from authorities. Sites linked to the bunker include the illegal online drug stores Cannabis Road, Orange Chemicals, and Wall Street Market, formerly the second-largest global marketplace for drugs, where users could also buy hacking tools and financial-theft malware.

Suspects arrested in connection with the raid are thought to have links to organized crime and are likely to be named as accessories to over 250,000 offenses involving money counterfeiting, drugs, data mining, forged documents, and the distribution of child pornography.

Seven of the people arrested are being held in custody, with two thought to hold previous convictions for running a similar business out of a former military bunker in the Netherlands, which was sold as CyberBunker. 

Regional criminal police chief Johannes Kunz said, "I think it’s a huge success . . . that we were able at all to get police forces into the bunker complex, which is still secured at the highest military level. We had to overcome not only real, or analog, protections; we also cracked the digital protections of the data center."

Since the operation of the bunker hosting service isn't illegal per se, German authorities must prove the suspects arrested were aware of the illegal behavior of the hosted businesses to secure a conviction. Evaluating the stored data to determine this could take anywhere from months to years. 

Commenting on the raid, Vectra's head of security, Chris Morales, said: "We need to see more collaboration like this which involves the coordination between digital forensics and investigation and physical police enforcement. I applaud all of the German law enforcement agencies involved on a job well done."

How to Explore Autonomous Systems in Business Network and the Way Hackers use it

The ‘net’ in ‘internet’ is a network; technically, the internet is a network of computer networks. Still confused?

When we talk about routing, we refer to these independent computer networks as autonomous systems. A single autonomous system routes packets internally, while packets traveling across the internet typically pass through many autonomous systems.

Think of it this way: internet routing happens between autonomous systems, not between individual PCs. Each AS gets its own unique autonomous system number (ASN), originally a 16-bit value and since 2007 also available as a 32-bit value, allocated by the Internet Assigned Numbers Authority (IANA) through the regional Internet registries.

Smaller networks like your home network interact with the internet much more simply. When you buy an internet service plan, the ISP gives you a DSL or cable modem and a router; your local computers and devices sit on one side of that router and the whole internet on the other.

So why build an autonomous system?

That is enough for most people to understand how the internet works. But if you want to avoid being tied to a single internet provider, or your connectivity is not as resilient as you need it to be, you build your own AS to widen your options.

The fact that you have your own AS can be useful to your network in various respects, including:

  • IP address portability
  • Flexible network administration
  • Direct interconnection at IXPs
  • A distinct network identity for external and internal purposes
  • Full control over your traffic
  • The ability to run BGP under your own ASN

How to build an Autonomous system

Creating an autonomous system is not that hard and only takes a few steps. If you want to build your own, you do this:

Step 1: Found a company. An AS must be registered to a legal entity, so start by setting one up.

Step 2: Get a public address block. This may be the hardest step. You need a public IP address block from a regional Internet registry that is large enough to be advertised over BGP (for IPv4, at least a /24, since most networks filter anything smaller). Unallocated IPv4 space has run out, so you either buy IPv4 addresses on the transfer market, which can be quite expensive, or request IPv6 space.

Step 3: Find peers. The catch with the internet is that you need to be connected to some part of it before you can do anything. If you only connect to one other AS, you don’t strictly need to run BGP. If you do, you can use a private ASN that your upstream provider replaces with its own before announcing your prefixes to the rest of the internet; in return it sends you routes for the rest of the internet.

Step 4: Get a router that can hold the full internet routing table. This is a serious router that you will not find in a consumer electronics store. One alternative is to build a router yourself from a server running a routing operating system.

How AS is used by Hackers

Once a business grows and invests in its own AS, the security of its network and traffic becomes a concern. You probably hold a lot of personal data that you want to keep private. Hackers hunt for data, and with sufficient skill they can get into your network, intercept your packets and gain remote access to your computers to install malicious code on your servers.

It is not difficult to find out who owns a given IP range. Many services, such as WHOIS lookups and CIDR/ASN databases, provide extensive data about organizations. Knowing this information helps an attacker identify links between businesses, map the attack surface and pick targets for a DDoS attack.
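The lookup the paragraph above describes, going from an IP address to the prefix and AS that originate it and from there to the holder’s routed address space, comes down to longest-prefix matching over a routing table. The following is an added example, not code from the article or from Spyse. The route table is constructed from documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398) with hypothetical holder names, so it runs offline; with a real RIB dump (a RouteViews or RIPE RIS table, for instance) the same functions apply.

```python
"""Map IP addresses to their origin AS with longest-prefix match and size up
the address space an AS announces.

Added example, not code from the article or from Spyse. The route table is
constructed: documentation prefixes (RFC 5737 / RFC 3849), documentation
ASNs (RFC 5398) and hypothetical holder names.
"""
import ipaddress
from collections import defaultdict

# Constructed RIB-style entries: (prefix, origin ASN, holder). Hypothetical.
ROUTE_TABLE = [
    ("203.0.113.0/24", 64500, "ExampleCorp"),
    ("203.0.113.128/25", 64501, "ExampleCorp Subsidiary"),  # more specific
    ("192.0.2.0/24", 64500, "ExampleCorp"),
    ("198.51.100.0/24", 64502, "Transit ISP"),
    ("2001:db8::/32", 64500, "ExampleCorp"),
]


def build_table(entries):
    """Parse prefixes once; ip_network() rejects malformed or non-canonical prefixes."""
    return [(ipaddress.ip_network(p), asn, org) for p, asn, org in entries]


def lookup(table, ip):
    """Return (network, asn, holder) for the most specific matching route, or None.

    Routers forward on the longest matching prefix, so a /25 announced by a
    different AS wins over the covering /24.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, org in table:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, asn, org)
    return best


def prefixes_by_asn(table):
    """Group announced prefixes by origin ASN (the attack-surface view)."""
    grouped = defaultdict(list)
    for net, asn, _ in table:
        grouped[asn].append(net)
    return dict(grouped)


def announced_addresses(table, asn, version=4):
    """Count addresses effectively routed to `asn`.

    More-specific prefixes originated by another AS are subtracted, because
    traffic to them never reaches `asn`. Assumes those more-specifics do not
    nest inside each other (true for the sample table).
    """
    total = 0
    for net, origin, _ in table:
        if origin != asn or net.version != version:
            continue
        carved_out = sum(
            other.num_addresses
            for other, other_origin, _ in table
            if other_origin != asn and other.version == version
            and other != net and other.subnet_of(net)
        )
        total += net.num_addresses - carved_out
    return total


if __name__ == "__main__":
    table = build_table(ROUTE_TABLE)
    for ip in ("203.0.113.5", "203.0.113.200", "2001:db8::1", "8.8.8.8"):
        print(ip, "->", lookup(table, ip))
    for asn in sorted(prefixes_by_asn(table)):
        print(f"AS{asn}: {announced_addresses(table, asn)} IPv4 addresses")
```

The more-specific /25 is the detail worth noticing: a WHOIS record for the /24 would name ExampleCorp, but half of that block is actually routed by a different AS, which is the kind of link between organizations the paragraph refers to.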

This is where the cyber security industry comes in. There are tools that reveal vulnerabilities and help remove malware from your network. However, few of these tools are really designed to prevent attacks.

Spyse, an up-and-coming cyber security company, is building a solution based on mass data collection from the internet. Spyse uses this data to produce a comprehensive network vulnerability map, which helps security experts anticipate vulnerabilities, stay ahead of hackers and prevent future threats to their systems.

Spyse recently released several tools for security engineers, pentesters, sysadmins and business analysts in beta. ASlookup is one of its latest creations and lets you monitor the infrastructure of your organization, network or company.

The Spyse team knows it is best to head off threats in advance; its services therefore help you determine your attack surface and recognize vulnerabilities before they are exposed. New users also get 3 free credits.

The post How to Explore Autonomous Systems in Business Network and the Way Hackers use it appeared first on .

Getting Started With AppLocker

John Strand // I have quite a few calls with customers who do not know where to begin when it comes to application whitelisting. Often, the approach some organizations take is to try and implement full application whitelisting on every single application across their entire environment.  While this goal is fun and seems like a […]

The post Getting Started With AppLocker appeared first on Black Hills Information Security.

Hiding a Data Breach Can Derail an Acquisition


Companies can drive down their value by hiding or mishandling data breaches, according to research by the world's largest nonprofit association of certified cybersecurity professionals, (ISC)².

Researchers questioned 250 mergers and acquisitions (M&A) experts based in the US to determine how important a company's cybersecurity program and breach history is in deciding its value ahead of a potential purchase. 

Findings shared in the Cybersecurity Assessments in Mergers and Acquisitions report, released today, revealed that 49% of M&A experts have seen deals derailed after due diligence brought an undisclosed breach to light. 

Researchers also found that 86% of respondents said if a company publicly reported a breach of customer or other critical data in its past, it would detract from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines were already paid, 88% said it would minimize the negative impact to the overall valuation.

"While every company needs to make their own decisions regarding proper data breach disclosure policies, the research clearly shows that in the context of a possible sale, not being transparent about past breaches can literally kill a potential deal, or can seriously affect the ultimate sale price," John McCumber, director of cybersecurity advocacy, North America, for (ISC)², told Infosecurity Magazine.

Having strong cybersecurity can give a company the edge over a competitor. Researchers found that 77% of experts had recommended a particular company be acquired over another because of the strength of its cybersecurity program.

The report is a reality check for companies who think a lackluster approach to cybersecurity won't diminish their stock. All respondents stated that cybersecurity audits are now a standard practice in arriving at a dollars and cents valuation, and 96% said that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.

"While most companies would rather not experience a breach in the first place, the study shows that those who deal with one, handle it well, and make adjustments to policies in order to limit their chances of a recurrence are looked at more favorably by potential buyers than those who seem doomed to repeat their mistakes," McCumber told Infosecurity Magazine.

"Each deal is different. But what our report indicates is that in order to maximize the value of a deal, the acquisition target should ideally self-audit their cybersecurity program and readiness level in advance."

The FireEye OT-CSIO: An Ontology to Understand, Cross-Compare, and Assess Operational Technology Cyber Security Incidents

The FireEye Operational Technology Cyber Security Incident Ontology (OT-CSIO)

While the number of threats to operational technology (OT) has significantly increased since the discovery of Stuxnet – driven by factors such as the growing convergence with information technology (IT) networks and the increasing availability of OT information, technology, software, and reference materials – we have observed only a small number of real-world OT-focused attacks. The limited sample size of well-documented OT attacks and the lack of analysis from a macro-level perspective represent a challenge for defenders and security leaders trying to make informed security decisions and risk assessments.

To help address this problem, FireEye Intelligence developed the OT Cyber Security Incident Ontology (OT-CSIO) to aid with communication with executives, and provide guidance for assessing risks. We highlight that the OT-CSIO focuses on high-level analysis and is not meant to provide in-depth insights into the nuances of each incident.

Our methodology evaluates four categories, which are targeting, impact, sophistication, and affected equipment architecture based on the Purdue Model (Table 7). Unlike other methodologies, such as MITRE's ATT&CK Matrix, FireEye Intelligence's OT-CSIO evaluates only the full aggregated attack lifecycle and the ultimate impacts. It does not describe the tactics, techniques, and procedures (TTPs) implemented at each step of the incident. Table 1 describes the four categories. Detailed information about each class is provided in Appendix 1.

Table 1: Categories for FireEye Intelligence's OT-CSIO

The OT-CSIO In Action

In Table 2 we list nine real-world incidents impacting OT systems categorized according to our ontology. We highlight that the ontology only reflects the ultimate impact of an incident, and it does not account for every step throughout the attack lifecycle. As a note, we cite public sources where possible, but reporting on some incidents is available to FireEye Threat Intelligence customers only.





Incident | Targeting | Sophistication | Impact | Impacted Equipment
Maroochy Shire Sewage Spill | | | | Zone 3
(incident name not recovered) | | | | Zones 1-2
(incident name not recovered) | | | | Zone 4-5
Ukraine Power Outage | | | Disruption, Destruction | Zone 2
Ukraine Power Outage | | | | Zones 0-3
WannaCry Infection on HMIs | | | | Zone 2-3
TEMP.Isotope Reconnaissance Campaign | | | Data Theft | Zones 2-4
(incident name not recovered) | | | Disruption (likely building destructive capability) | Zone Safety, 1-5
Cryptomining Malware on European Water Utility | | | | Zone 2/3
Financially Motivated Threat Actor Accesses HMI While Searching for POS Systems | | | | Zone 2/3
Portable Executable File Infecting Malware Impacting Windows-based OT assets | | | | Zone 2-3

Table 2: Categorized samples using the OT-CSIO

The OT-CSIO Matrix Facilitates Risk Management and Analysis

Risk management for OT cyber security is currently a big challenge given the difficulty of assessing and communicating the implications of high-impact, low-frequency events. Additionally, multiple risk assessment methodologies rely on background information to determine case scenarios. However, the quality of this type of analysis depends on the background information that is applied to develop the models or identify attack vectors. Taking this into consideration, the following matrix provides a baseline of incidents that can be used to learn about past cases and facilitate strategic analysis about future case scenarios for attacks that remain unseen, but feasible.

Table 3: The FireEye OT-CSIO Matrix

As Table 3 illustrates, we have only identified examples for a limited set of OT cyber security incident types. Additionally, some cases are very unlikely to occur. For example, medium- and high-sophistication non-targeted incidents remain unseen, even if feasible. Similarly, medium- and high-sophistication data compromises on OT may remain undetected. While this type of activity may be common, data compromises are often just a component of the attack lifecycle, rather than an end goal.

How to Use the OT-CSIO Matrix

The OT-CSIO Matrix presents multiple benefits for the assessment of OT threats from a macro level perspective given that it categorizes different types of incidents and invites further analysis on cases that have not yet been documented but may still represent a risk to organizations. We provide some examples on how to use this ontology:

  • Classify different types of attacks and develop cross-case analysis to identify differences and similarities. Knowledge about past incidents can be helpful to prevent similar scenarios and to think about threats that have not been evaluated by an organization.
  • Leverage the FireEye OT-CSIO Matrix for communication with executives by sharing a visual representation of different types of threats, their sophistication and possible impacts. This tool can make it easier to communicate risk despite the limited data available for high-impact, low-frequency events. The ontology provides an alternative to assess risk for different types of incidents based on the analysis of sophistication and impact, where increased sophistication and impact generally equates to higher risk.
  • Develop additional case scenarios to foresee threats that have not been observed yet but may become relevant in the future. Use this information as support while working on risk assessments.
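To make the four categories concrete, the following added example (not FireEye’s code) encodes the OT-CSIO classes, builds the targeting x sophistication x impact matrix, lists the cells with no documented incident, and ranks incidents with a simple ordinal score. The incidents are constructed stand-ins with hypothetical classifications rather than the real cases from Table 2, and the numeric score is an assumption that only captures the ordinal statement above that more sophistication and more impact generally mean more risk.

```python
"""A small model of the OT-CSIO categories with the sophistication x impact
matrix and the "unseen but feasible" cells derived from it.

Added example, not FireEye's code. Class values are the ones named in the
post; the incidents are constructed stand-ins, not the Table 2 cases, and
the numeric risk score is an assumption (ordinal only).
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product

TARGETING = ("targeted", "non-targeted")
SOPHISTICATION = ("low", "medium", "high")
IMPACT = ("data compromise", "data theft", "degradation", "disruption", "destruction")
ZONES = ("safety", 0, 1, 2, 3, 4, 5)   # Purdue zones plus the added safety zone


@dataclass(frozen=True)
class Incident:
    name: str
    targeting: str
    sophistication: str
    impacts: tuple   # one or more IMPACT classes (an incident may disrupt and destroy)
    zones: tuple     # Purdue zones / safety zone touched

    def __post_init__(self):
        # Reject anything outside the ontology so the matrix stays well-formed.
        if self.targeting not in TARGETING:
            raise ValueError(f"bad targeting: {self.targeting}")
        if self.sophistication not in SOPHISTICATION:
            raise ValueError(f"bad sophistication: {self.sophistication}")
        bad = [i for i in self.impacts if i not in IMPACT]
        if bad or not self.impacts:
            raise ValueError(f"bad impact classes: {bad or 'none'}")
        if any(z not in ZONES for z in self.zones):
            raise ValueError(f"bad zones: {self.zones}")


# Constructed stand-ins with hypothetical classifications, not real incidents.
SAMPLES = (
    Incident("Sample A", "targeted", "high", ("disruption", "destruction"), (2,)),
    Incident("Sample B", "non-targeted", "low", ("disruption",), (2, 3)),
    Incident("Sample C", "targeted", "medium", ("data theft",), (2, 3, 4)),
    Incident("Sample D", "targeted", "high", ("disruption",), ("safety", 1, 2, 3, 4, 5)),
)


def matrix(incidents):
    """Cell (targeting, sophistication, impact) -> incident names.

    One incident lands in several impact cells when it has several impacts.
    """
    cells = defaultdict(list)
    for inc in incidents:
        for impact in inc.impacts:
            cells[(inc.targeting, inc.sophistication, impact)].append(inc.name)
    return dict(cells)


def unobserved_cells(incidents):
    """Combinations with no documented incident: feasible scenarios to plan for."""
    seen = matrix(incidents)
    return [c for c in product(TARGETING, SOPHISTICATION, IMPACT) if c not in seen]


def risk_score(inc):
    """Ordinal score: sophistication rank x worst impact rank (assumption)."""
    worst = max(IMPACT.index(i) for i in inc.impacts)
    return (SOPHISTICATION.index(inc.sophistication) + 1) * (worst + 1)


def reaches_safety_zone(inc):
    """True when the incident touched safety systems, the zone the post adds."""
    return "safety" in inc.zones


if __name__ == "__main__":
    for cell, names in sorted(matrix(SAMPLES).items()):
        print(cell, names)
    print(len(unobserved_cells(SAMPLES)), "cells have no observed incident")
    for inc in sorted(SAMPLES, key=risk_score, reverse=True):
        print(f"{inc.name}: risk {risk_score(inc)}, safety zone: {reaches_safety_zone(inc)}")
```

The unobserved-cell list is the part that supports the third use above: each empty cell is a scenario an organization can walk through in a risk assessment even though no public incident fills it yet.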


FireEye Intelligence's OT-CSIO seeks to compile complex incidents into practical diagrams that facilitate communication and analysis. Categorizing these events is useful for visualizing the full threat landscape, gaining knowledge about previously documented incidents, and considering alternative scenarios that have not yet been seen in the wild. Given that the field of OT cyber security is still developing, and the number of well-documented incidents is still low, categorization represents an opportunity to grasp tendencies and ultimately identify security gaps.

Appendix 1: OT-CSIO Class Definitions


Targeting

This category comprises cyber incidents that target industrial control systems (ICS) and non-targeted incidents that collaterally or coincidentally impact ICS, such as ransomware.

Table 4: Target category


Sophistication

Sophistication refers to the technical and operational sophistication of attacks. There are three levels of sophistication, which are determined by the analyst based on the following criteria.

Table 5: Sophistication category


Impact

The ontology reflects impact on the process or systems, not the resulting environmental impacts. There are five classes in this category: data compromise, data theft, degradation, disruption, and destruction.

Table 6: Impact category

Impacted Equipment

This category is divided based on FireEye Intelligence's adaptation of the Purdue Model. For the purpose of this ontology, we add an additional zone for safety systems.

Table 7: Impacted equipment

Darknet ‘Cyber Bunker’ Server Hosted in Germany

German authorities said on Friday they had busted a network hosting illegal darknet trading platforms, stolen data and child pornography on servers in an old NATO bunker.

In a series of raids on Thursday, seven suspects were arrested in an operation targeting the operators of a “bulletproof hosting” service located in the so-called “Cyber Bunker”, police and prosecutors said.

The servers hosted, or provided the internet infrastructure for, illegal websites that also stored stolen data and forged documents and were used for large-scale cyber attacks.

Thirteen suspects, 12 men and one woman aged 20 to 59, are alleged to have set up and run powerful servers inside a former NATO bunker in Traben-Trarbach, in the state of Rhineland-Palatinate.

Four Dutch, two Germans, and one Bulgarian were held in custody.

Several hundred police officers took part in raids in Germany and other European countries, seizing 200 servers, numerous data carriers and mobile phones, and a considerable amount of money.

The hosted websites included the “Wall Street Market” platform, once the world’s second-largest darknet drug marketplace, which investigators took down earlier this year.

A server located in the bunker was also used to control the attack that hit 1.25 million routers of the German provider Deutsche Telekom in November 2016, the federal prosecutor’s office said.

Other hosted sites included “Fraudsters”, “lifestylepharma” and “Cannabis Road”.

The post Darknet ‘Cyber Bunker’ Server Hosted in Germany appeared first on .

Our World in Transition and Our Future Demands

October is Cybersecurity Awareness Month and for me, it’s a time to reflect on where we’ve been and how far we’ve come, study the trends and challenges we face today, and look ahead to the next generation of opportunities facing not only the security community, but society at large.

In my more than 30 years in the security industry, it’s been interesting to see how technology has evolved and changed the world. Security started off as a ‘systems’ conversation. Now, technology touches everyone’s lives, and as a result, cybersecurity affects us all – individuals, businesses, cities, countries, our global community.

From Use to Reliance

During our lifetimes, we’ve shifted from using technology to, in very subtle ways, becoming reliant on it. Whether we realize it or not, these subtleties have made us dependent on technology. The notion of ‘always on’ access to data is highly disruptive to us when we don’t have it. Take maps for example: using a printed map is foreign to us today, and when the maps on our devices don’t work, we’re lost, literally.

When technology is unavailable, in many respects we feel ‘out of the loop’ and behind in knowing what’s going on. There’s a lagging indicator that says, ‘Now that we have access to current information, we always expect this level of connectivity – we depend on it.’ That reliance makes securing the data and the systems that deliver it to us that much more vital.

A Confluence of Change – All in Three Years

Since 2017, three major transitions have occurred that illustrate how complicated cybersecurity has become for us all globally. These transitions have caused security professionals to feel the pressure and scrutiny from a number of organizations that have upped their games. They’re having to catch up to a confluence of changes, all occurring at the same time:

1. Technology

Prior to 2017, IT predominantly built and ran an organization’s technology infrastructure, spending on security and hoping it works, relying on best-of-breed products, and managing it all reactively.

We all needed cybersecurity, but how could we net the best results – the greatest level of efficacy – from the solutions we purchased? Exactly how much value are we getting when spending on a solution? Is it all integrated as a best strategy or are we simply buying technology from the leading brand name or best advertised?

Today, leading IT teams build, buy and run security, use a ‘best-of-integrated’ architecture approach and emphasize visibility, controls, measures and proactive approaches to security that drive efficacy and value.

2. Laws, Regulations, and Customer Requirements

This transition shows the increasing influence that laws, regulations and customer requirements have on a technology or service provider to its clients, and in turn, to their customers, citizens, colleagues, families and friends.

The formalization of laws and regulations – from the EU NIS Directive to GDPR to the Australian Government Protective Security Policy Framework to the California Consumer Privacy Act, to name a few – has driven greater scrutiny and reform. It has accelerated substantially in a short period of time, from a ‘do-it-yourself’ patchwork of regulations and rules to a set of national, regional and international standards.

Now corporate and government leaders across the international community are being held accountable. This transition from varying self-rule and self-regulation to accountability, breach reporting and disclosure highlights the implications of mishandling data and privacy through significant fines and executive firings.

In many respects, it’s been a long time coming. What’s interesting is that now that it’s here, it’s caught many off-guard – and it’s by no means slowing down.

3. Internal Oversight

When I started in InfoSec, security was mainly an engineering or computer science discipline. The security team was often avoided so that they couldn’t suppress innovation because of security concerns. The business was self-governing with inconsistent levels of oversight.

Today, internal reporting to and oversight by executive leadership, the CEO, the board of directors and shareholders are becoming standard practice to ensure proper governance. In part, it is a response to the regulatory landscape and the need for higher levels of accountability and oversight from within. It’s also based on the criticality of technology moving from something we use to something we rely on to deliver a service.

All three of these transitions came to the fore in too short a period of time to know how to effectively react, govern and solve for them. By the way, we’re all going through this and determining our own strategies to face the challenges, net the value they deliver, and understand how to be safe and secure in and around it all.

Our Future Demands

Today, there are about 4 billion internet users globally – all told, about 10X what it was in 2000. We’re in a world where everything is being connected and generating data. This will have a significant impact on the next few years in particular, and even more substantially into the future.

By next year, there will be about 200 billion devices ‘on air,’ which includes cars, telemetry in cities, sensors and a multitude of other connected devices. Two-hundred billion is almost an ephemeral number, but it’s not to be underestimated, because the number of vendors creating IoT-connected technology is growing probably 3-4X every year over the prior year. That’s a trend that I don’t see slowing down any time soon.

By 2021, cybercrime is estimated to be a $6 trillion industry – a very profitable industry, though I don’t recommend it as a career choice. It does illustrate the depth and breadth of the challenge – that it’s an international and global issue that we all have to work together to solve because it’s something that we all face.

Raising the Bar for a More Secure Future

Governments and businesses globally are raising the bar to meet the challenge around product assurance, cloud assurance, IoT, lawful intercept, data protection, privacy and the like. Some 30-odd countries are writing or revising their cybersecurity strategies and each can have profound implications on how data is shared and how systems are built.

So, during Cybersecurity Awareness Month, consider what you can do to make the world more safe and secure, and take action. What can you do as individuals? How are you protecting yourself online and helping your business, colleagues, friends and family to do the same? Each individual act, when taken together, can move us all to a more secure future.

We’re not looking for headlines that show ‘good’ or ‘bad.’ We need trend lines that show that what we’re doing collectively is moving us all towards lower risk. As long as the trend line is going in the right direction, we’re doing what we need to do – and we must all do our part.

For governments, companies and individuals alike, Cisco’s Cybersecurity Awareness Month site offers events, activities and educational content, and ways to get involved. The Cisco Trust Center also offers resources to help you with security, data protection and privacy. Both feature links to security reports, videos, threat intelligence, thought leadership and more that will keep you informed.

McAfee Receives the 2019 Security Excellence Award From IoT Evolution

If you’re like most users, you’ve probably adopted several smart devices into your home over the last few years. Whether it be voice assistants, smart TVs, thermostats, or gaming systems, IoT devices help make our lives easier. But with greater connectivity also comes greater exposure to online threats. However, that doesn’t mean users should avoid using IoT technology altogether. With the help of smart security, users can feel safe and protected as they bring new gadgets into their lives. Solutions like McAfee Secure Home Platform, which is now the winner of the IoT Security Excellence Award, can help users connect with confidence.

Here at McAfee, we know smart security is more important now than ever before. That’s why we work tirelessly to ensure that our solutions provide consumers with the best protection possible. For example, McAfee Secure Home Platform provides automatic protection for the entire home network by automatically securing connected devices through a router with McAfee protection. It’s through the proactive evolution of our products that McAfee Secure Home Platform has received this 2019 IoT Security Excellence Award from IoT Evolution World, the leading publication covering IoT technologies.

The IoT Security Excellence Award celebrates the most innovative products and solutions in the world of IoT. It honors technology empowered by the new availability of information being deduced, inferred, and directly gathered from sensors, systems, and anything else that is supporting better business and personal decisions. Winners of this award are recognized for their innovation in gathering and managing information from connected devices that often are not associated with IoT.

“We are thrilled that McAfee Secure Home Platform has been recognized by IoT Evolution World as a recipient of the 2019 IoT Evolution Security Excellence Award. We continue to prioritize creating solutions that lead with ease of use and first-class protection, in order for consumers to best protect every connected device in their homes.” – Gary Davis, Chief Consumer Security Evangelist at McAfee.

As long as technology continues to evolve, so will the threat landscape. This is what drives us to keep developing leading solutions that help you and your loved ones connect with confidence. Solutions like McAfee Secure Home Platform are leading the charge in providing top home network security while still empowering users to enjoy their smart devices.

To stay updated on the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post McAfee Receives the 2019 Security Excellence Award From IoT Evolution appeared first on McAfee Blogs.

Threats in encrypted traffic

There was a time when the web was open. Quite literally—communications taking place on the early web were not masked in any significant fashion. This meant that it was fairly trivial for a bad actor to intercept and read the data being transmitted between networked devices.

This was especially troublesome when it came to sensitive data, such as password authentication or credit card transactions. To address the risks of transmitting such data over the web, traffic encryption was invented, ushering in an era of protected communication.

Today more than half of all websites use HTTPS. In fact, according to data obtained from Cisco Cognitive Intelligence, the cloud-based machine learning engine behind Stealthwatch—Cisco’s network traffic analysis solution—82 percent of HTTP/HTTPS traffic is now encrypted.

The adoption of encrypted traffic has been a boon for security and privacy. By leveraging it, users can trust that sensitive transactions and communications are more secure. The downside to this increase in encrypted traffic is that it’s harder to separate the good from the bad. As adoption of encrypted traffic has grown, masking what’s being sent back and forth, it’s become easier for bad actors to hide their malicious activity in such traffic.

A brief history of encrypted traffic

The concerns around security and privacy in web traffic originally led Netscape to introduce the Secure Sockets Layer (SSL) protocol in 1995. After a few releases, the Internet Engineering Task Force (IETF) took over the protocol and released future updates under the name “Transport Layer Security” (TLS). While the term SSL is often used informally to refer to both today, the SSL protocol has been deprecated and replaced by TLS.

The TLS protocol works directly with existing protocols and encrypts the traffic. This is where protocols like HTTPS come from: the hypertext transfer protocol (HTTP) is transmitted over SSL/TLS. While HTTPS is by far the most common protocol secured by TLS, other popular protocols, such as SFTP and SMTPS, can take advantage of the protocol. Even lower-level protocols like TCP and UDP can use TLS.

Threat actors follow suit

Attackers go to great pains to get their threats onto systems and networks. The last thing they want after successfully penetrating an organization is to have their traffic picked up by network-monitoring tools. Many threats are now encrypting their traffic to prevent this from happening.

Where standard network monitoring tools might be able to quickly identify and block unencrypted traffic in the past, TLS provides a mask for the communication threats utilize to operate. In fact, according to data taken from Cognitive Intelligence, 63 percent of all threat incidents discovered by Stealthwatch were discovered in encrypted traffic.

In terms of malicious functionality, there are a number of ways that threats use encryption. From command-and-control (C2) communications, to backdoors, to exfiltrating data, attackers consistently use encryption to hide their malicious traffic.

Botnets

By definition, a botnet is a group of Internet-connected, compromised systems. Generally, the systems in a botnet are connected in a client-server or a peer-to-peer configuration. Either way, the malicious actors usually leverage a C2 system to facilitate the passing of instructions to the compromised systems.

Common botnets such as Sality, Necurs, and Gamarue/Andromeda have all leveraged encryption in their C2 communications to remain hidden. The malicious activity carried out by botnets includes downloading additional malicious payloads, spreading to other systems, performing distributed-denial-of-service (DDoS) attacks, sending spam, and other malicious activities.

Botnets mask C2 traffic with encryption.

RATs

The core purpose of a RAT is to allow an attacker to monitor and control a system remotely. Once a RAT manages to implant itself into a system, it needs to phone home for further instructions. RATs require regular or semi-regular connections to the internet, and often use a C2 infrastructure to perform their malicious activities.

RATs often attempt to take administrative control of a computer and/or steal information from it, ranging from passwords, to screenshots, to browser histories. They then send the stolen data back to the attacker.

Most of today’s RATs use encryption in order to mask what is being sent back and forth. Some examples include Orcus RAT, RevengeRat, and some variants of Gh0st RAT.

RATs use encryption when controlling a computer.

Cryptominers

Cryptocurrency miners establish a TCP connection between the computer they’re running on and a server. Over this connection, the computer regularly receives work from the server, processes it, then sends it back to the server. Maintaining these connections is critical for cryptomining. Without them, the computer would not be able to verify its work.

Given the length of these connections, their importance, and the chance that they can be identified, malicious cryptomining operations often ensure these connections are encrypted.

It’s worth noting that encryption here can apply to any type of cryptomining, both deliberate and malicious in nature. As we covered in our previous Threat of the Month entry on malicious cryptomining, the real difference between these two types of mining is consent.

Miners transfer work back and forth to a server.

Banking trojans

In order for a banking trojan to operate, it has to monitor web traffic on a compromised computer. To do that, some banking trojans siphon web traffic through a malicious proxy or exfiltrate data to a C2 server.

To keep this traffic from being discovered, some banking trojans have taken to encrypting this traffic. For instance, the banking trojan IcedID uses SSL/TLS to send stolen data. Another banking trojan called Vawtrak masks its POST data traffic by using a special encoding scheme that makes it harder to decrypt and identify.

Banking trojans encrypt the data they’re exfiltrating.

Ransomware

The best-known use of encryption in ransomware is obviously when it takes personal files hostage by encrypting them. However, ransomware threats often use encryption in their network communication as well. In particular, some ransomware families encrypt the distribution of decryption keys.

How to spot malicious encrypted traffic

One way to catch malicious encrypted traffic is through a technique called traffic fingerprinting. To leverage this technique, monitor the encrypted packets traveling across your network and look for patterns that match known malicious activity. For instance, the connection to a well-known C2 server can have a distinct pattern, or fingerprint. The same applies to cryptomining traffic or well-known banking trojans.

However, this doesn’t catch all malicious encrypted traffic, since bad actors can simply insert random or dummy packets into their traffic to mask the expected fingerprint. In these cases, other detection techniques are required, such as machine learning algorithms that can identify more complicated malicious connections. Threats may still manage to evade some machine learning detection methods, so implementing a layered approach, covering a wide variety of techniques, is recommended.
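As an added illustration of the fingerprinting idea above (example code, not Cisco's or Stealthwatch's), the block below parses the unencrypted TLS ClientHello that opens every encrypted session, reduces it to a JA3-style digest of the version, cipher order and extension order (a simplified variant, not the full JA3 specification), and matches it against a watchlist. The sample handshakes and the watchlist entry are constructed for the demonstration.

```python
import hashlib
import struct

# Added example, not Cisco/Stealthwatch code. The fingerprint is a simplified
# JA3-style digest; the watchlist below is constructed, not a real indicator.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suites and extension types from a ClientHello record."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                       # skip client_random
    pos += 1 + body[pos]                # skip session_id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                # skip compression methods
    extensions = []
    if pos + 2 <= len(body):            # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            extensions.append(etype)
            pos += 4 + elen
    return {"version": version, "ciphers": ciphers, "extensions": extensions}


def fingerprint(fields: dict) -> str:
    """JA3-style digest: hash of version, cipher order and extension order."""
    text = "{},{},{}".format(
        fields["version"],
        "-".join(str(c) for c in fields["ciphers"]),
        "-".join(str(e) for e in fields["extensions"]),
    )
    return hashlib.md5(text.encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Construct a minimal ClientHello record (test input only, no real handshake)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                         # one compression method: null
    ext = b"".join(struct.pack("!HH", e, 0) for e in extensions)  # empty extension bodies
    body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a sparse "tool-like" profile we pretend is on a watchlist,
# and a browser-like profile that is not.
TOOL_HELLO = build_client_hello(0x0303, [0x002F, 0x0035], [0x0000])
BROWSER_HELLO = build_client_hello(
    0x0303, [0x1301, 0x1302, 0xC02B, 0xC02F], [0x0000, 0x000A, 0x000B, 0x000D]
)
WATCHLIST = {fingerprint(parse_client_hello(TOOL_HELLO)): "constructed C2 client profile"}


def classify(record: bytes, watchlist: dict = WATCHLIST) -> str:
    """Return the watchlist label for a ClientHello, or 'unknown' if it matches nothing."""
    try:
        fp = fingerprint(parse_client_hello(record))
    except ValueError:
        return "not-client-hello"
    return watchlist.get(fp, "unknown")
```

Because the digest depends only on handshake shape, a client that reorders cipher suites or adds padding extensions changes its fingerprint without changing its behaviour, which is the evasion the paragraph above describes and why fingerprinting is one layer rather than the whole defence.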

In addition, consider the following:

  • Stealthwatch includes Encrypted Traffic Analytics. This technology collects network traffic and uses machine learning and behavioral modeling to detect a wide range of malicious encrypted traffic, without any decryption.
  • The DNS protection technologies included in Cisco Umbrella can prevent connections to malicious domains, stopping threats before they’re even able to establish an encrypted connection.
  • An effective endpoint protection solution, such as AMP for Endpoints, can also go a long way towards stopping a threat before it starts.

Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published. 


TLS version enforcement capabilities now available per certificate binding on Windows Server 2019

At Microsoft, we often develop new security features to meet the specific needs of our own products and online services. This is a story about how we solved a very important problem and are sharing the solution with customers. As engineers worldwide work to eliminate their own dependencies on TLS 1.0, they run into the complex challenge of balancing their own security needs with the migration readiness of their customers. Microsoft faced this as well.

To date, we’ve helped customers address these issues by adding TLS 1.2 support to older operating systems, by shipping new logging formats in IIS for detecting weak TLS usage by clients, as well as providing the latest technical guidance for eliminating TLS 1.0 dependencies.

Now Microsoft is pleased to announce a powerful new feature in Windows to make your transition to a TLS 1.2+ world easier. Beginning with KB4490481, Windows Server 2019 now allows you to block weak TLS versions from being used with individual certificates you designate. We call this feature “Disable Legacy TLS” and it effectively enforces a TLS version and cipher suite floor on any certificate you select.

Disable Legacy TLS also allows an online or on-premise web service to offer two distinct groupings of endpoints on the same hardware: one which allows only TLS 1.2+ traffic, and another which accommodates legacy TLS 1.0 traffic. The changes are implemented in HTTP.sys, and in conjunction with the issuance of additional certificates, allow traffic to be routed to the new endpoint with the appropriate TLS version. Prior to this change, deploying such capabilities would require an additional hardware investment because such settings were only configurable system-wide via registry.

For a deep dive on this important new feature and implementation details and scenarios, please see Technical Guidance for Disabling Legacy TLS. Microsoft will also look to make this feature available in its own online services based on customer demand.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post TLS version enforcement capabilities now available per certificate binding on Windows Server 2019 appeared first on Microsoft Security.

Open Document format creates twist in maldoc landscape

By Warren Mercer and Paul Rascagneres.


Cisco Talos recently observed attackers changing the file formats they use in an attempt to thwart common antivirus engines. This can happen across other file formats, but today, we are showing a change of approach for an actor who has deemed antivirus engines perhaps “too good” at detecting macro-based infection vectors.  We’ve noticed that the OpenDocument (ODT) file format for some Office applications can be used to bypass these detections. ODT is a ZIP archive with XML-based files used by Microsoft Office, as well as the comparable Apache OpenOffice and LibreOffice software.

There have recently been multiple malware campaigns using this file type that are able to avoid antivirus detection, due to the fact that these engines view ODT files as standard archives and don’t apply the same rules they normally would for an Office document. We also identified several sandboxes that fail to analyze ODT documents, as they are considered archives, and the sandbox won’t open the document as a Microsoft Office file. Because of this, an attacker can use ODT files to deliver malware that would normally get blocked by traditional antivirus software.

We only found a few samples where this file format was used. The majority of the campaigns using malicious documents still rely on the Microsoft Office file format, but these cases show that the ODT file format could be used in the future at a more successful rate. In this blog post, we’ll walk through three cases of OpenDocument usage. The first two cases target Microsoft Office, while the third one targets only OpenOffice and LibreOffice users. We do not know at this time if these samples were used simply for testing or in a more malicious context.
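The gap described above is that engines and sandboxes treat an ODT as a plain archive. As an added example (not Talos's tooling), the block below does the opposite: it opens the ZIP, validates the ODF mimetype entry, walks META-INF/manifest.xml for embedded objects, flags macro containers, and reads content.xml for event-bound macros that fire on document events. The sample documents are constructed in memory; the macro variant holds a placeholder module, not real code.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Added example, not Talos code. Namespaces are the standard ODF 1.x ones;
# the sample documents and check names are constructed for this demonstration.

NS_MANIFEST = "{urn:oasis:names:tc:opendocument:xmlns:manifest:1.0}"
NS_SCRIPT = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}"
NS_XLINK = "{http://www.w3.org/1999/xlink}"
MACRO_PREFIXES = ("Basic/", "Scripts/")            # where ODF packages store macros
OBJECT_MEDIA_TYPES = ("application/vnd.sun.star.oleobject",)


def triage_odt(data: bytes) -> list:
    """Return findings explaining why this ODT deserves a closer look (empty if none)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
        names = [i.filename for i in infos]
        # ODF requires 'mimetype' first and stored uncompressed; deviations are unusual.
        if not infos or infos[0].filename != "mimetype" or infos[0].compress_type != zipfile.ZIP_STORED:
            findings.append("mimetype entry missing, not first, or compressed")
        elif not z.read("mimetype").startswith(b"application/vnd.oasis.opendocument"):
            findings.append("mimetype is not an OpenDocument type")
        for n in names:
            if n.startswith(MACRO_PREFIXES):
                findings.append("macro container present: " + n)
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(z.read("META-INF/manifest.xml"))
            for entry in root.iter(NS_MANIFEST + "file-entry"):
                path = entry.get(NS_MANIFEST + "full-path", "")
                media = entry.get(NS_MANIFEST + "media-type", "")
                if media in OBJECT_MEDIA_TYPES or path.startswith("Object"):
                    findings.append("embedded object: %s (%s)" % (path, media))
        if "content.xml" in names:
            root = ET.fromstring(z.read("content.xml"))
            # script:event-listener binds a macro to a document event such as dom:load
            for el in root.iter(NS_SCRIPT + "event-listener"):
                event = el.get(NS_SCRIPT + "event-name", "?")
                target = el.get(NS_XLINK + "href", "?")
                findings.append("event-bound macro: %s -> %s" % (event, target))
    return findings


def build_sample_odt(with_macro: bool) -> bytes:
    """Constructed minimal ODT; the macro variant contains a placeholder, not real code."""
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
    )
    entries = [
        '<manifest:file-entry manifest:full-path="/" '
        'manifest:media-type="application/vnd.oasis.opendocument.text"/>',
        '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>',
    ]
    if with_macro:
        content += (
            '<office:scripts><office:event-listeners>'
            '<script:event-listener script:event-name="dom:load" '
            'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
            '</office:event-listeners></office:scripts>'
        )
        entries.append('<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" '
                       'manifest:media-type="text/xml"/>')
    content += "</office:document-content>"
    manifest = (
        '<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">'
        + "".join(entries) + "</manifest:manifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # A ZipInfo defaults to ZIP_STORED, which is what the ODF spec requires for mimetype.
        z.writestr(zipfile.ZipInfo("mimetype"), "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
        z.writestr("META-INF/manifest.xml", manifest)
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml", "<!-- constructed placeholder module -->")
    return buf.getvalue()
```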

Read more at Talosintelligence.com

Pennsylvania Might Be Second State to Criminalize Cyber-Flashing

Pennsylvania could follow Texas to become the second US state to make cyber-flashing illegal. 

Philadelphia County state representative Mary Isaacson told Infosecurity Magazine that she plans to introduce a bill to ban the unsolicited electronic transmission of sexually explicit and obscene images in the Keystone State at the end of October.

Isaacson sent a memorandum to all 203 members of the Pennsylvania House of Representatives on September 20, calling for them to co-sponsor her proposed legislation. 

"Despite the success of the #MeToo movement, sexual harassment remains a serious problem in our society, particularly due to online forms of sexual harassment. 20% of women and 10% of men ages 18 to 29 report having been sexually harassed online," wrote Isaacson in the memorandum, before calling on members to "please join me in combatting online sexual harassment and ensuring the dignity of all Pennsylvanians."

Speaking to Infosecurity Magazine, Isaacson said that although she hadn't personally received any unsolicited sexually explicit images, she had heard stories from her children about cyber-flashing experienced by their peers. 

"I represent a lot of millennials, and I am a parent of two teens. I worry for my son and my daughter," said Isaacson. "With Air Dropping technology, if a group of teens are at a concert, someone there can send them obscene images that the teens will see whether they have given permission or not. Their privacy is being invaded when they are just trying to have a good time."

Asked what she thought drove people to become cyber-flashers, Isaacson said: "I think that it's their psychology, that they do it to bully and intimidate people and invade their privacy. It's a very serious societal problem that affects everyone, men as well as women."

Isaacson's proposed legislation follows the passage of House Bill 2789 into law in Texas on August 31 this year. Under the new law, the electronic transmission of sexually explicit material without the recipient's consent became a Class C misdemeanor, punishable by a fine of up to $500.

Describing how her bill will differ from what was passed in the Lone Star State, Isaacson said: "Right now, it's modeled after what was done in Texas, but it could possibly change."

Isaacson, who was on the road when speaking to Infosecurity Magazine, was unable to state exactly how many members had answered her co-sponsorship call. However, the state representative was able to confirm that her proposed legislation has secured bipartisan support.

A new critical flaw in Exim exposes email servers to remote attacks

Exim maintainers released an urgent security update to address a critical security flaw that could allow a remote attacker to potentially execute malicious code on targeted servers.

Exim maintainers released an urgent security update, Exim version 4.92.3, to address a critical security vulnerability that could allow a remote attacker to crash or potentially execute malicious code on targeted email servers.

The flaw is a heap-based buffer overflow, tracked as CVE-2019-16928, that resides in string_vformat (string.c). An attacker could exploit the flaw using an extraordinarily long EHLO string to crash the Exim process that is receiving the message.

“There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses extraordinary long EHLO string to crash the Exim process that is receiving the message. While this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist.” reads the security advisory published by the maintainers.

The CVE-2019-16928 flaw was reported by Jeremy Harris of the Exim Development Team; it affects all versions of the Exim email server software from 4.92 up to and including 4.92.2. The expert also released a PoC exploit for this vulnerability.

In early September, the Exim development team addressed another vulnerability in the popular mail server, tracked as CVE-2019-15846. The vulnerability could be exploited by local and remote attackers to execute arbitrary code with root privileges.

The vulnerability is a heap overflow that affects version 4.92.1 and prior of Exim mail server that accepts TLS connections. The vulnerability affects both GnuTLS and OpenSSL.

In mid-June, researchers observed several threat actors exploiting another flaw in the popular software, tracked as CVE-2019-10149, that resides in the deliver_message() function in /src/deliver.c and is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server. The CVE-2019-10149 flaw was addressed by the Exim development team with the release of version 4.92 in February.

The flaw is easily exploitable by a local and a remote attacker in certain non-default configurations, experts believe that threat actors will start using it in attacks in the wild.

Exim also patched a severe remote command execution vulnerability (CVE-2019-10149) in its email software that was actively exploited in the wild by various groups of hackers to compromise vulnerable servers.

The major Linux distributions, including Ubuntu, Arch Linux, FreeBSD, Debian, and Fedora, already released security updates.

Pierluigi Paganini

(SecurityAffairs – Mail Server, hacking)

The post A new critical flaw in Exim exposes email servers to remote attacks appeared first on Security Affairs.

BlackBerry Launches New Cybersecurity Development Labs

Security software and services company BlackBerry Limited has announced the launch of BlackBerry Advanced Technology Development Labs (BlackBerry Labs), a new business unit operating at the forefront of research and development in the cybersecurity space.

The Labs will be led by CTO Charles Eagan and will include a team of over 120 software developers, architects, researchers, product leads and security experts working to identify, explore and create new technologies to ensure BlackBerry is on the cutting edge of security innovation.

The company stated that initial projects from BlackBerry Labs will focus on machine learning approaches to security in partnership with BlackBerry’s existing Cylance, Enterprise and QNX business units.

“The establishment of BlackBerry Labs is the latest in a series of strategic moves we’ve taken to ensure our customers are protected across all endpoints and verticals in the new IoT,” said Charles Eagan, BlackBerry CTO. “Today’s cybersecurity industry is rapidly advancing and BlackBerry Labs will operate as its own business unit solely focused on innovating and developing the technologies of tomorrow that will be necessary for our sustained competitive success, from A to Z; artificial intelligence to zero trust environments.”

Pay What You Wish — 9 Hacking Certification Training Courses in 1 Bundle

The greatest threat facing most nations is no longer a standing army. It's a hacker with a computer who can launch a crippling cyber attack from thousands of miles away—potentially taking down everything from server farms to entire power grids with a few lines of code. So it should come as no surprise that virtually every major company in both the public and private sector—as well as national

Social media manipulation as a political tool is spreading

Researchers say 'cyber troops' in 70 countries are using it to automate suppression, mount smear campaigns, or spread disinformation.

Opening up Europe’s Cyber Future

Europe will face a complex cocktail of cyber challenges in the coming five years, from safeguarding our critical infrastructure to protecting itself from election interference and disinformation whilst safeguarding citizen data privacy rights. A new set of leaders is preparing to take office in the European Commission’s headquarters in Brussels to take on these challenges. McAfee, at the cutting edge of cyber defence and mitigation, stands ready to help them embed the principles of open information exchange and interoperability that form the basis of a robust cybersecurity policy.

The principles of openness and interoperability have long been key to the growth of the digital economy. But in the field of cybersecurity, these principles take on an even greater importance. Openness and interoperability are a precondition for vibrant competition and rapid innovation, and competition authorities should remain vigilant to ensure they remain in place even as the digital ecosystem begins to gravitate around the giants that best harness the network effects digital technologies can enable.

But openness and interoperability are not just about innovation. They have become cornerstones for keeping citizens safe as they go about their lives. This is because no single actor has all the information needed to prevent, mitigate or remedy a cyber incident. McAfee has a proud history of precisely such partnerships, sharing emerging threat information in real-time with authorities, and helping them keep the critical infrastructure that we all rely on up and running even as they become prime targets for cyberattacks. Hospitals, transport networks and energy grids are the lifeblood of our society, and we need to keep them safe. Hence, we think it’s right that this Commission focus on their needs and develop new rules to safeguard these vital assets.

When it comes to privacy, Europe has made enormous leaps to improve the trust of citizens in digital services, through more robust privacy rules and cybersecurity regulations and we hope that EU lawmakers continue to keep the safety of their constituents as a top priority. At McAfee, we believe you cannot have privacy without security, and that companies must proactively consider privacy and security on the drawing board and throughout the development process for products and services going to market.

But Cybersecurity is also about preparing for the future and in some cases, the best cyber-defences take a long time to develop, and nowhere is this more apparent than in the election interference and disinformation practices that sought to bring the recent EU elections, and our democratic foundations, to their knees.

The May 2019 elections may still be fresh in our memory, but Europe should not lose a second in starting to build its resilience for the next ones. At McAfee, we believe tackling disinformation requires robust cyber hygiene by all. But the best way to address it is using cyber intelligence and tradecraft to understand the adversary, so citizens can better understand the scale of the problem and our politicians can make the most informed decisions on how best to combat it.

McAfee has observed the growing prominence of Cybersecurity on the political agenda. This is a welcome and necessary development to ensure Europe is not taken off-guard by a cyber incident. Of course, Europe’s policymakers in the commission, parliament and council will pay attention to cyber threats when a crisis hits, but as John F Kennedy put it, they would also do well to repair the roof when the sun is shining. Whatever the cyber weather, McAfee will be a trusted partner to make Europe more cyber secure.

The post Opening up Europe’s Cyber Future appeared first on McAfee Blogs.

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot

After 2 years of waiting, MalwareMustDie returns with an excellent page of malware analysis of a new IoT malware: Linux/AirDropBot.

Yes, I have to confess, it was hard to wait all this time, but the reward was worth it: unixfreaxjp has returned, with a new, great page of reverse engineering published on the MalwareMustDie blog post: “MMD-0064-2019 – Linux/AirDropBot”

And this is not only “the” Odisseus’s opinion, just because I can be considered a member of the MalwareMustDie crew: this last post IT IS a masterpiece, technically speaking, because here unixfreaxjp reveals some unique and undocumented best practices for reversing Linux malware binaries (Intel and non-Intel platforms), providing every whitehat reverser with many references and how-tos for dealing with ELF Linux malware, mixing theory and practice and showing how incredibly useful Radare r2 and the Tsurugi distribution are.

I don’t know if it is because I have asked my friend unixfreaxjp many times to publicly show how Radare r2 can be used with great results, but after this post we can definitively state that, once again, Radare r2 has nothing to envy of the best commercial tools used in many reverse engineering tutorials that are available on YouTube.

In fact, this time we don’t have a “simple” blog post, but a rich, strong and powerful technical lesson on how stripped binaries can be reversed even if they are “indeed” stripped.

Step by step, unixfreaxjp leads the reader to understand how the malware code is built, which methods, secrets and hidden techniques the coders use to hide and encrypt the C2 address as much as possible, how the operational commands coming from the C2 are parsed, and how almost everything can be reconstructed to get the source code back from a stripped binary.

The beginning of the story: another IoT malware in the wild?

But let’s go back to the beginning of the story, when my very good friend @0xrb found in his honeypot this new “Mirai-like” Linux malware, which has important differences from the Mirai implementation. He immediately understood that there was something strange in this new “Mirai variant” and proposed the sample to the MalwareMustDie team: here is his early tweet.

It is also worth looking at the logs of the malware that @0xrb published on Pastebin: a lot of information is exposed during the running phase. One example is the C2 server.

The C2 of the botnet was:

As unixfreaxjp states in his post, @0xrb successfully submitted the sample to the MalwareMustDie team for deeper analysis, and the result is another great page of Linux malware reversing that every malware analyst should read and re-read.

We will skip over the technical analysis, because the MalwareMustDie post is extremely clear and explanatory in every single part.

Coming to the core topic: IoT botnet threat and their ecosystem

New Linux malware aimed at the Internet of Things keeps appearing and, as previously mentioned, it is driven by the money scheme fueling the botnet ecosystem, as previously reported on Security Affairs; this is still the main reason why freshly coded malware in this sector keeps coming up.

First spotted in the wild on August 3rd, 2019, Linux/AirDropBot is a malware built to target many embedded Linux platforms: it is meant to spread its botnet across several platforms originally coded and built for IoT use. Judging from some still-unimplemented functions, it is not yet in its final stage of development, but the adversary’s mission is clear: to infect as many Linux IoT devices as possible and get rid of competitors. The first series of samples was detected as Mirai- or Gafgyt-like, which may have led Linux malware researchers to ignore its early existence.

Many processors are targeted by the malware, and when CPUs like ARC cores, Renesas SH, Motorola 68000, Altera Nios II, Tensilica Xtensa and Xilinx MicroBlaze are targeted along with the usual cross-compiled targets (MIPS/ARM/PPC/SPARC/Intel), the herder means serious business in “pwning” every reachable IoT device. The binaries fall into two categories: the ones that act as bots and are meant to infect small devices, and, for bigger systems, the ones carrying a worm-like vulnerability scanner that aims at a CGI page on routers (in this version, HTTP port 8080 on a specific product’s CGI file) and can spread itself worm-style, alongside the usual telnet scanning (attacking TCP port 23 or 2323).

The analysis in the MalwareMustDie blog’s recent post “MMD-0064-2019 – Linux/AirDropBot” shows the latest binary sets used by the adversaries behind this botnet. The scanner function for exploiting a certain router’s vulnerability is hardcoded, and older sample deliveries aimed at other exploits too. The overall idea is a known one, but the code is newly made.
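Because the sample set spans so many architectures, the first step of any triage is simply telling the binaries apart and knowing which ones arrive without symbols. The script below is an added example, not code from this article or from the MalwareMustDie post: it parses the ELF header of each file to report class, endianness, machine and entry point, and flags a sample as stripped when its section header table contains no SHT_SYMTAB. The e_machine values come from the ELF specification and cover the targets named above; the inputs are header-only ELF blobs constructed inside the script, not real AirDropBot samples, and the file names are invented.

```python
"""Triage helper for a multi-architecture IoT botnet drop: parse each ELF header,
report class, endianness, machine and entry point, and flag stripped binaries
(no SHT_SYMTAB section). Added example; not MalwareMustDie's or the article's code."""
import struct

# e_machine values from the ELF specification for the targets named in the article
EM_NAMES = {
    2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC", 21: "PowerPC64",
    40: "ARM", 42: "SuperH", 43: "SPARC V9", 62: "x86-64", 93: "ARCompact",
    94: "Xtensa", 113: "Nios II", 183: "AArch64", 189: "MicroBlaze", 195: "ARCv2",
}
SHT_SYMTAB = 2
# Layouts after e_ident (16 bytes): Ehdr fields, Shdr fields, sizeof(Ehdr), sizeof(Shdr)
FMT = {
    1: ("HHIIIIIHHHHHH", "IIIIIIIIII", 52, 40),   # EI_CLASS == ELFCLASS32
    2: ("HHIQQQIHHHHHH", "IIQQQQIIQQ", 64, 64),   # EI_CLASS == ELFCLASS64
}


def parse_elf(blob):
    """Return a dict describing the ELF header, or raise ValueError for non-ELF input."""
    if len(blob) < 16 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in FMT or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    ehdr_fmt, shdr_fmt, ehsize, _ = FMT[ei_class]
    if len(blob) < ehsize:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _, e_entry, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, _) = struct.unpack_from(end + ehdr_fmt, blob, 16)
    # Walk the section header table looking for a symbol table; a stripped
    # binary has none, which is why the post stresses reversing without symbols.
    has_symtab = False
    if e_shoff:
        for i in range(e_shnum):
            off = e_shoff + i * e_shentsize
            if off + e_shentsize > len(blob):
                break                           # truncated table: stop, do not crash
            sh_type = struct.unpack_from(end + shdr_fmt, blob, off)[1]
            if sh_type == SHT_SYMTAB:
                has_symtab = True
                break
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, str(e_type)),
        "machine": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "entry": e_entry,
        "stripped": not has_symtab,
    }


def make_sample(machine, bits=32, endian="little", symtab=False):
    """Build a header-only ELF blob (constructed test input, not a real sample)."""
    end = "<" if endian == "little" else ">"
    ehdr_fmt, shdr_fmt, ehsize, shentsize = FMT[1 if bits == 32 else 2]
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1]) + bytes(9)
    types = [0] + ([SHT_SYMTAB] if symtab else [])  # index 0 is the mandatory null section
    shdrs = b"".join(struct.pack(end + shdr_fmt, 0, t, *([0] * 8)) for t in types)
    ehdr = struct.pack(end + ehdr_fmt, 2, machine, 1, 0x8000, 0, ehsize, 0,
                       ehsize, 0, 0, shentsize, len(types), 0)
    return ident + ehdr + shdrs


def triage(samples):
    """One summary line per sample; samples maps file name -> bytes."""
    rows = []
    for name, blob in samples.items():
        try:
            info = parse_elf(blob)
        except ValueError as exc:
            rows.append("%s: skipped (%s)" % (name, exc))
            continue
        rows.append("%s: %s %d-bit %s-endian %s entry=0x%x %s" % (
            name, info["machine"], info["bits"], info["endian"], info["type"],
            info["entry"], "STRIPPED" if info["stripped"] else "has symtab"))
    return rows


# Constructed inputs; the names are invented and mimic a cross-compiled drop.
SAMPLES = {
    "bot.mips": make_sample(8, endian="big"),
    "bot.arm7": make_sample(40),
    "bot.sh4": make_sample(42),
    "bot.m68k": make_sample(4, endian="big"),
    "bot.mb": make_sample(189, endian="big"),
    "bot.x86_64": make_sample(62, bits=64, symtab=True),
    "notes.txt": b"not an elf at all",
}

if __name__ == "__main__":
    for line in triage(SAMPLES):
        print(line)
```

Point the SAMPLES dict at real files read in binary mode to use it on a drop; the parser deliberately stops on a truncated section table instead of raising, since botnet builders often ship damaged or padded headers.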

Final considerations on how to face this threat.

IoT security is improving, and governments all over the globe are taking it seriously: for example, in the US the “Security Feature Recommendations for IoT Devices” by NIST is a good recommended plan; in the UK a voluntary Code of Practice (CoP) has been published to help manufacturers boost the security of the internet-connected devices that make up the Internet of Things (IoT); and in Japan the Project to Survey IoT Devices and to Alert Users has been started. Yet there are a lot of products to handle, and vulnerabilities in these products are being researched at the same time by adversaries.
This is why the IoT threat still causes a lot of trouble: day by day new exploits come up, old issues are re-used, and unpatched segments are revealed and targeted.

Are we on the wrong track then? I don’t think so. Yes, the process takes time, and what we can do is keep improving the detection of new threats, containment and response as prevention, to strengthen the defense scheme for the platform, along with the parallel legal work on stopping adversaries. If we commit to keep doing these steps, the adversaries will find more demerits than merits in continuing to hammer us with their botnets.

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

Pierluigi Paganini

(SecurityAffairs – AirDropBot, malware)

The post Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot appeared first on Security Affairs.

Supply-Chain Security and Trust

The United States government's continuing disagreement with the Chinese company Huawei underscores a much larger problem with computer technologies in general: We have no choice but to trust them completely, and it's impossible to verify that they're trustworthy. Solving this problem -- which is increasingly a national security issue -- will require us to both make major policy changes and invent new technologies.

The Huawei problem is simple to explain. The company is based in China and subject to the rules and dictates of the Chinese government. The government could require Huawei to install back doors into the 5G routers it sells abroad, allowing the government to eavesdrop on communications or -- even worse -- take control of the routers during wartime. Since the United States will rely on those routers for all of its communications, we become vulnerable by building our 5G backbone on Huawei equipment.

It's obvious that we can't trust computer equipment from a country we don't trust, but the problem is much more pervasive than that. The computers and smartphones you use are not built in the United States. Their chips aren't made in the United States. The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a back door into the final product.

There's more. Open-source software packages are increasingly targeted by groups installing back doors. Fake apps in the Google Play store illustrate vulnerabilities in our software distribution systems. The NotPetya worm was distributed by a fraudulent update to a popular Ukrainian accounting package, illustrating vulnerabilities in our update systems. Hardware chips can be back-doored at the point of fabrication, even if the design is secure. The National Security Agency exploited the shipping process to subvert Cisco routers intended for the Syrian telephone company. The overall problem is that of supply-chain security, because every part of the supply chain can be attacked.

And while nation-state threats like China and Huawei -- or Russia and the antivirus company Kaspersky a couple of years earlier -- make the news, many of the vulnerabilities I described above are being exploited by cybercriminals.

Policy solutions involve forcing companies to open their technical details to inspection, including the source code of their products and the designs of their hardware. Huawei and Kaspersky have offered this sort of openness as a way to demonstrate that they are trustworthy. This is not a worthless gesture, and it helps, but it's not nearly enough. Too many back doors can evade this kind of inspection.

Technical solutions fall into two basic categories, both currently beyond our reach. One is to improve the technical inspection processes for products whose designers provide source code and hardware design specifications, and for products that arrive without any transparency information at all. In both cases, we want to verify that the end product is secure and free of back doors. Sometimes we can do this for some classes of back doors: We can inspect source code -- this is how a Linux back door was discovered and removed in 2003 -- or the hardware design, which becomes a cleverness battle between attacker and defender.

This is an area that needs more research. Today, the advantage goes to the attacker. It's hard to ensure that the hardware and software you examine is the same as what you get, and it's too easy to create back doors that slip past inspection. And while we can find and correct some of these supply-chain attacks, we won't find them all. It's a needle-in-a-haystack problem, except we don't know what a needle looks like. We need technologies, possibly based on artificial intelligence, that can inspect systems more thoroughly and faster than humans can do. We need them quickly.

The other solution is to build a secure system, even though any of its parts can be subverted. This is what the former Deputy Director of National Intelligence Sue Gordon meant in April when she said about 5G, "You have to presume a dirty network." Or more precisely, can we solve this by building trustworthy systems out of untrustworthy parts?

It sounds ridiculous on its face, but the Internet itself was a solution to a similar problem: a reliable network built out of unreliable parts. This was the result of decades of research. That research continues today, and it's how we can have highly resilient distributed systems like Google's network even though none of the individual components are particularly good. It's also the philosophy behind much of the cybersecurity industry today: systems watching one another, looking for vulnerabilities and signs of attack.

Security is a lot harder than reliability. We don't even really know how to build secure systems out of secure parts, let alone out of parts and processes that we can't trust and that are almost certainly being subverted by governments and criminals around the world. Current security technologies are nowhere near good enough, though, to defend against these increasingly sophisticated attacks. So while this is an important part of the solution, and something we need to focus research on, it's not going to solve our near-term problems.

At the same time, all of these problems are getting worse as computers and networks become more critical to personal and national security. The value of 5G isn't for you to watch videos faster; it's for things talking to things without bothering you. These things -- cars, appliances, power plants, smart cities -- increasingly affect the world in a direct physical manner. They're increasingly autonomous, using A.I. and other technologies to make decisions without human intervention. The risk from Chinese back doors into our networks and computers isn't that their government will listen in on our conversations; it's that they'll turn the power off or make all the cars crash into one another.

All of this doesn't leave us with many options for today's supply-chain problems. We still have to presume a dirty network -- as well as back-doored computers and phones -- and we can clean up only a fraction of the vulnerabilities. Citing the lack of non-Chinese alternatives for some of the communications hardware, already some are calling to abandon attempts to secure 5G from Chinese back doors and work on having secure American or European alternatives for 6G networks. It's not nearly enough to solve the problem, but it's a start.

Perhaps these half-solutions are the best we can do. Live with the problem today, and accelerate research to solve the problem for the future. These are research projects on a par with the Internet itself. They need government funding, like the Internet itself. And, also like the Internet, they're critical to national security.

Critically, these systems must be as secure as we can make them. As former FCC Commissioner Tom Wheeler has explained, there's a lot more to securing 5G than keeping Chinese equipment out of the network. This means we have to give up the fantasy that law enforcement can have back doors to aid criminal investigations without also weakening these systems. The world uses one network, and there can only be one answer: Either everyone gets to spy, or no one gets to spy. And as these systems become more critical to national security, a network secure from all eavesdroppers becomes more important.

This essay previously appeared in the New York Times.

Ransomware attacks against small towns require collective defense

There is a war hitting small-town America. Hackers are not only on our shores, but they’re in our water districts, in our regional hospitals, and in our 911 emergency systems. The target du jour of ransomware hackers is small towns and they have gone after them with a vengeance. Last month, the governor of Texas, Greg Abbott, declared a “Level 2 Escalated Response” as 22 of Texas’s cities were hit simultaneously with ransomware attacks, crippling … More

The post Ransomware attacks against small towns require collective defense appeared first on Help Net Security.

Senate Passes Ransomware Law

A new law has passed the US senate which will demand the federal government ramp up its support for organizations hit by ransomware.

The DHS Cyber Hunt and Incident Response Teams Act would require the Department of Homeland Security (DHS) to build dedicated teams tasked with providing advice to organizations on how best to protect their systems from attack, as well as other technical support, including incident response assistance.

Although the new capabilities would be available to all public and private organizations on request — including businesses, police departments, hospitals, and banks — senate minority leader Chuck Schumer focused on protection for New York state schools in his comments on the legislation.

“The Senate passing the DHS Cyber Hunt and Incident Response Teams Act is an important step in protecting upstate New York school districts from the swaths of ransomware attacks that take hostage the personal information and vital data of our students, school employees and local governments,” he said in a statement.

“It’s critical that we use all available resources to protect New York students from cyber crooks, and enhance and increase our resiliency to these attacks. I’m proud of the role I played in pushing this sorely-needed legislation through the senate and won’t stop working until it’s signed into law.”

One security vendor calculated last week that ransomware attacks have disrupted operations at 49 US school districts and educational institutions in the first nine months of the year, compromising potentially 500 K-12 schools versus just 11 last year.

This makes the sector the second most popular for ransomware attackers after local municipalities.

These have been battered by attacks over the past few months, with one campaign in Texas hitting 23 local government entities simultaneously.

A similar piece of legislation to the DHS Cyber Hunt and Incident Response Teams Act has already passed in the House of Representatives, so the two will now begin the reconciliation process.

Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks

Iran’s oil minister on Sunday ordered representatives of the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

Iran’s oil minister, Bijan Namdar Zanganeh, ordered companies operating in the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

“It is necessary for all companies and installations of the oil industry to be on full alert against physical and cyber threats,” reads a statement published on the oil ministry’s Shana website.

Iran fears retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

Iran’s oil ministry said that Washington has launched a “full-scale economic war” against the Islamic republic.

In mid-September, drone attacks hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them the Abqaiq site.

Iran-backed Houthi rebels in Yemen claimed responsibility for the attacks on the Abqaiq plant; according to a spokesman for the group in Yemen, it had deployed 10 drones in the attacks.

The group is threatening Saudi Arabia with further attacks. The Iran-aligned Houthi rebel movement has been fighting the Yemeni government and a coalition of regional countries led by Saudi Arabia since 2015, when President Abdrabbuh Mansour Hadi was driven out of Sanaa by the Houthis.

Secretary of State Mike Pompeo blamed Iran for coordinating the attacks, adding that we are facing an unprecedented attack on the world’s energy supply.

Riyadh, Berlin, London and Paris also blame Tehran for the attacks that caused severe damage to the Saudi oil sector on September 14.

Iran denied any involvement in the attacks. Immediately after the attacks, US President Donald Trump announced that his country was preparing a response. President Trump opted for an intensification of economic sanctions against Tehran.

Military and intelligence experts believe that a Western coalition led by the US could carry out a series of cyber attacks against Iranian critical infrastructure. A few days after the drone attacks, some Western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran denied it.

“Contrary to Western media claims, investigations done today show no successful cyber attack was made on the country’s oil installations and other crucial infrastructure,” reads a statement published by the government’s cyber security office.

Despite the statement, security experts believe that a cyber offensive against Iranian infrastructure is ongoing.

Pierluigi Paganini

(SecurityAffairs – Iran, oil sector)

The post Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks appeared first on Security Affairs.

Airbus Suppliers Hit in State-Sponsored Attack

Airbus has been forced to take action after a possible Chinese state-sponsored hacking operation was detected targeting multiple suppliers over the past year, according to reports.

The commercial and military aircraft-maker revealed in January that it suffered a cyber-attack resulting in unauthorized access to data, but this campaign is thought to be much bigger in scope.

Hackers have targeted UK engine-maker Rolls-Royce and French tech supplier Expleo, as well as two other French Airbus suppliers, although none of the organizations confirmed the news to AFP.

Unnamed “security sources” told the newswire that the “sophisticated” attack on the companies focused on compromising the VPNs connecting them with Airbus networks.

The sources claimed that the hackers were after technical documentation regarding the certification process for parts of Airbus aircraft, while other stolen docs indicated interest in the A400M military transport plane, and the A350 propulsion and avionics systems.

These are areas Chinese aircraft manufacturers are thought to be relatively weak in, while state-backed Comac is said to be struggling to gain certification for its C919 commercial airliner.

The notorious APT10 and the Jiangsu outpost of the Ministry of State Security, known as JSSD, have both been pegged as possible perpetrators.

“Our national security is at risk and it's well past time to address this challenge with leadership and resources,” argued Jake Olcott, VP of government affairs at BitSight. “The entire defense supply chain has been under attack for years, and it's not just the small companies that are vulnerable. Defense agencies must gain visibility immediately. We can't afford to wait.”

Ilia Kolochenko, CEO of web security firm ImmuniWeb, added that third party risk management is still at an early stage in many organizations.

“The situation is largely exacerbated by different national and regional standards and best practices, often incompatible or contrariwise overlapping,” he argued.

“Globally recognized standards, such as ISO 27001, 27701 and 9001, can definitely ensure a baseline of security, privacy and quality assurance amid suppliers. One should, however, bear in mind that they are no silver bullet and some additional monitoring of suppliers handling critical business data is a requisite.”

Microsoft to block 40+ additional file extensions in Outlook on the web

Microsoft is planning to block by default 40+ new file types in Outlook on the web to improve the security for their customers. “We took the time to audit the existing blocked file list and update it to better reflect the file types we see as risks today,” the Exchange Team noted. Outlook on the web and blocked attachments Outlook on the web, formerly Outlook Web Access (OWA), is a personal information manager web app … More

The post Microsoft to block 40+ additional file extensions in Outlook on the web appeared first on Help Net Security.

Microsoft Launches CyberPeace Institute to Tackle Attacks

Microsoft and others have launched a new non-profit which aims to reduce the “frequency, impact and scale” of cyber-attacks on citizens and critical infrastructure (CNI).

The Hewlett Foundation and Mastercard, alongside other unnamed “leading organizations,” have joined Microsoft as initial funders of the CyberPeace Institute.

Its three core functions are to help and defend civilian victims of cyber-attacks, including by mobilizing a new CyberVolunteer Network; to analyze and investigate attacks, in order to raise understanding and drive global accountability; and to promote cybersecurity norms of responsible behavior by nation states.

“The escalating attacks we’ve seen in recent years are not just about computers attacking computers – these attacks threaten and often harm the lives and livelihoods of real people, including their ability to access basic services like health care, banking and electricity,” argued Microsoft corporate vice president, Tom Burt.

“For years, non-governmental organizations around the world have provided on-the-ground help and vocal advocacy for victims of wars and natural disasters, and have convened important discussions about protecting the victims they serve. It’s become clear that victims of attacks originating on the internet deserve similar assistance, and the CyberPeace Institute will do just that.”

The Geneva-based organization will be headed up by President Marietje Schaake, former member of the European Parliament and international policy director at Stanford University’s Cyber Policy Center, and CEO Stéphane Duguin, head of the European Internet Referral Unit at Europol.

The institute joins other recent initiatives designed to tackle the global challenge of cybercrime and incidents impacting CNI, including the Cybersecurity Tech Accord, which has signed up more than 100 companies, and the Paris Call for Trust & Security in Cyberspace, which now has signatories from 67 countries, 139 international and civil society organizations, and 358 private organizations.

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

Experts recently analyzed an information-stealing malware tracked as Arcane Stealer V that is very cheap and easy to buy in the Dark Web.

In July 2019, researchers at the Fidelis Threat Research Team (TRT) analyzed a sample of Arcane Stealer V, a .NET information-stealing malware that is easy to acquire on the dark web. The author of the malware is selling it on his own website and on the Lolzteam site on the Dark Web; the researchers also found cracked versions on multiple community discussion and file-sharing platforms.

The malware is quite cheap, going for just $9 on the Dark Web, and could also be used by lower-skilled adversaries. Due to its low cost, experts believe that its popularity could rapidly increase.

“The Arcane Stealer is a .net information stealer. The malware is available as a graphical user interface (GUI) or users can purchase the code, making it easier for actors with novice skills to employ. It sells for 699 Rubles or approximately 9 US dollars.” reads the post published by the researchers. “There is also support available on Telegram along with other “helpful” bots.”

In early August, the researchers were able to track multiple instant messenger and social media accounts associated with a Russian-language actor that might be the author of the malware.

The malware is able to collect various data from victims, including operating system and browser information, cryptocurrency wallets, instant-messaging sessions from Telegram, Discord and Pidgin, and data (i.e. passwords, cookies and forms) from several browsers, including Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex.

Arcane Stealer V can also steal documents, collect Steam gaming community data, log detected virtual machine IPs, and grab data from FileZilla servers.

The threat actor behind Arcane Stealer V also provides dashboards and statistics to show the crooks who buy the malware their potential earnings.

When the malware runs, it takes a screenshot and then it creates a text log file of what was collected.

“When run, the file collects data, takes a screenshot and then it creates a text log file of what was collected. It stores all of the information in a folder in %appdata%/local/{hwid}/.” continues the post. “It uses the assigned hardware ID that the malware generates as the folder name and zip folder name.”

Then the malware sends the zipped file to the C2 server.
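The staging sequence described above (a per-sample folder under %appdata%/local/, a zip named after it, then an upload to the C2) is the kind of behaviour that is easier to catch than the binary itself. The script below is an added example and not Fidelis’ or the article’s code: it correlates constructed Sysmon-style file-create and network-connect events per process id and raises one alert when the same process wrote files into a first-level folder under AppData\Local, then created a .zip with that folder’s name, then connected out. The event shape, process ids, image paths and addresses are assumptions; the article does not describe the hardware-ID format, so any folder name is accepted and the correlation, not the name, carries the detection.

```python
"""Stateful detection for the staging pattern described above: one process
creates files in %APPDATA%\\Local\\<id>\\, writes <id>.zip, then connects out.
Added example over constructed Sysmon-style events; not Fidelis' or the article's
code. Event shape, pids, paths and addresses are assumptions."""
from collections import defaultdict


def staging_id(path):
    """Return (id, is_zip) if path is a file in a first-level folder under
    AppData\\Local, or a .zip directly under it; otherwise None."""
    parts = path.replace("/", "\\").split("\\")
    for i in range(len(parts) - 2):
        if parts[i].lower() == "appdata" and parts[i + 1].lower() == "local":
            rest = parts[i + 2:]
            if len(rest) == 1 and rest[0].lower().endswith(".zip"):
                return rest[0][:-4], True       # ...\AppData\Local\<id>.zip
            if len(rest) == 2:
                return rest[0], False           # ...\AppData\Local\<id>\<file>
            return None                         # deeper paths: ordinary app data
    return None


def detect(events):
    """Return one alert per process whose folder, zip and network activity line up."""
    state = defaultdict(lambda: {"folders": set(), "zips": set()})
    alerted, alerts = set(), []
    for ev in events:
        st = state[ev["pid"]]
        if ev["event"] == "FileCreate":
            hit = staging_id(ev["target"])
            if hit:
                sid, is_zip = hit
                (st["zips"] if is_zip else st["folders"]).add(sid.lower())
        elif ev["event"] == "NetworkConnect" and ev["pid"] not in alerted:
            staged = st["folders"] & st["zips"]   # a folder name reused as <name>.zip
            if staged:
                alerted.add(ev["pid"])
                alerts.append({"pid": ev["pid"], "image": ev["image"],
                               "staging_id": sorted(staged)[0], "dest": ev["dest"]})
    return alerts


# Constructed events (Sysmon event IDs 11 and 3 reduced to the fields used here).
STEALER = r"C:\Users\bob\Downloads\invoice.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"
EVENTS = [
    {"event": "FileCreate", "pid": 4120, "image": STEALER,
     "target": r"C:\Users\bob\AppData\Local\3F2A9C1D\screen.png"},
    {"event": "FileCreate", "pid": 4120, "image": STEALER,
     "target": r"C:\Users\bob\AppData\Local\3F2A9C1D\log.txt"},
    {"event": "FileCreate", "pid": 4120, "image": STEALER,
     "target": r"C:\Users\bob\AppData\Local\3F2A9C1D.zip"},
    {"event": "NetworkConnect", "pid": 4120, "image": STEALER, "dest": "203.0.113.7:443"},
    # benign: a browser writing cache deeper under AppData\Local, then connecting out
    {"event": "FileCreate", "pid": 988, "image": BROWSER,
     "target": r"C:\Users\bob\AppData\Local\Browser\Cache\data_1"},
    {"event": "NetworkConnect", "pid": 988, "image": BROWSER, "dest": "198.51.100.20:443"},
    # benign: a temp file in a first-level folder but no matching zip
    {"event": "FileCreate", "pid": 2210, "image": BROWSER,
     "target": r"C:\Users\bob\AppData\Local\Temp\upd.tmp"},
    {"event": "NetworkConnect", "pid": 2210, "image": BROWSER, "dest": "198.51.100.21:443"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The two benign processes show why all three steps are required: plenty of legitimate software writes under AppData\Local and talks to the network, but few create a zip named after a fresh first-level folder before doing so. Feed real Sysmon events in the same shape and the state per pid is the only thing that needs to persist.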

The researchers identified multiple Telegram and Twitter accounts with the handles “@arcanee_bot,” “@es3n1n” and “@SakariHack” that were used to discuss how to build and distribute the malware. These accounts were all associated with the same Russian-language actor, a 21-year-old man who says he suffers from a form of epilepsy.

“The actor associated with the malware appears to be a native Russian speaker, however it is unclear if the actor is currently located in Russia,” continues the analysis. “The actor’s information-stealer does not appear to limit potential targets. Analysts have observed the capability of Russian sites to be targeted in the malware.”

Experts pointed out that, unlike other threats, the malware does not discriminate by the victims’ geo-location and could be used against any target.

“Based off current observation and analysis, Arcane Stealer and its developer(s) appear to be low-level threats.” conclude the experts.

“Due to the lack of traversal, propagation, or destructive capabilities at the time of analysis, it is assessed with moderate confidence that this malware may not become popular with high-value and highly capable actors. However, because users can buy the source code, it is possible that we may see other threat actors reusing the malware and creating their own variant of Arcane V, as has been done with other popular malware families, like njRAT.”

Pierluigi Paganini

(SecurityAffairs – Arcane Stealer V, malware)

The post Arcane Stealer V, a threat for lower-skilled adversaries that scares experts appeared first on Security Affairs.

10 Respected Providers of IT Security Training

We at The State of Security are committed to helping aspiring information security professionals reach their full potential. Towards that end, we compiled a list of the top 10 highest paying jobs in the industry. We even highlighted the U.S. cities that tend to reward security personnel with the best salaries, amenities and other benefits. […]… Read More

The post 10 Respected Providers of IT Security Training appeared first on The State of Security.

Microsoft will add new file types to the list of blocked ones in Outlook on the Web

Microsoft announced last week that it is going to expand the list of file extensions that are blocked in Outlook on the web.

Microsoft announced that it will immediately block additional file extensions for Outlook on the web users, making it impossible for them to download attachments of these types.

Microsoft pointed out that the newly blocked file types are rarely used, so most organizations will face no problems with the change.

The list of file types that will be blocked by Microsoft includes ones used by popular programming languages such as “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz” and “.pyzw” (used by Python); “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.cdxml” and “.pssc” (used by PowerShell); and “.jar” and “.jnlp” (used by Java).

Microsoft announced it will also block “.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab” and “.grp”.

Other file types that will be blocked by the tech giant are the ones having the “.appref-ms” extension used by Windows ClickOnce, the “.udl” extension used by Microsoft Data Access Components (MDAC), the “.wsb” extension used by Windows Sandbox, and the “.cer”, “.crt” and “.der” extensions associated with digital certificates.

“The following extensions are used by various applications.” reads the post published by Microsoft. “While the associated vulnerabilities have been patched (for years, in most cases), they are being blocked for the benefit of organizations that might still have older versions of the application software in use:

“.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp”

In case organizations have to allow a particular file type, admins can add specific extensions to the AllowedFileTypes property of the users’ OwaMailboxPolicy objects.

“If you want a particular file type to be allowed, you can add that file type to the AllowedFileTypes property of your users’ OwaMailboxPolicy objects.” continues the post. “To add a file extension to the AllowedFileTypes list:

$policy = Get-OwaMailboxPolicy [policy name]
$allowedFileTypes = $policy.AllowedFileTypes
$allowedFileTypes.Add(".py")   # example extension; substitute the one you need to allow
Set-OwaMailboxPolicy $policy -AllowedFileTypes $allowedFileTypes

“Security of our customer’s data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why,” Microsoft concludes.

Pierluigi Paganini

(SecurityAffairs – Outlook, hacking)

The post Microsoft will add new file types to the list of blocked ones in Outlook on the Web appeared first on Security Affairs.

How long before quantum computers break encryption?

The verdict is in: quantum computing poses an existential threat to asymmetric cryptography algorithms like RSA and ECC that underpin practically all current Internet security. This comes straight from the National Academy of Science’s Committee on Technical Assessment of the Feasibility and Implications of Quantum Computing. The inevitable follow-up: OK, so how much time do we have before we’re living in a post-quantum world? The short answer is, nobody knows. That’s not for lack of … More

The post How long before quantum computers break encryption? appeared first on Help Net Security.