- Email: [email protected]
Insider threat grows
NEWS/THREATWATCH
Threatwatch Modular malware Barracuda Networks says it has seen a spike in the use of modular malware, which is more effective than most document-based malware in evading detection and gaining persistence on infected PCs. The initial payload is usually small and basic and the malware downloads the main payload only after becoming fully established. That payload can be anything, and can be selected according to the infected machine, making modular malware a favourite of cyber criminals. A recent analysis of email attacks targeting Barracuda customers identified more than 150,000 unique malicious files in the first five months of the year. Mobile adware Security firm Lookout has discovered a strain of adware, dubbed BeiTaAd, present in at least 238 apps being distributed via Google’s Play store for Android. The well-hidden code is capable of forcing advertisements on to the user’s screen, even running video and audio ads while the device is supposed to be in sleep mode and displaying out-of-app ads that can interfere with how the user interacts with the device. It can render devices virtually unusable. After being alerted by Lookout, Google removed the apps from the store, but they have already been
gies. Although it got off to a slow start, the current strategy, started in 2016 and designed to run until 2021, is felt to have made some progress in meeting its strategic goals. But there seems to be some confusion and lack of definition that have led to concerns about whether it’s capable of meeting all of its objectives. “We welcome the National Cyber Security Strategy but are concerned that the programme designed to deliver it is insufficient. As it currently stands, the strategy is not supported by the robust evidence the Department needs to make informed decisions and accurately measure progress,” said committee chair, Meg Hillier MP. “On top of this, neither the strategy nor the programme were grounded in business cases – despite being allocated £1.9bn funding.” She added: “Looking longer term, we are disappointed that the Department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy. In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk June 2019
downloaded around 440 million times. There’s more information here: http://bit.ly/2Iy9z5o. Exim bug Another critical security vulnerability has been discovered in Exim, one of the most popular email servers for Linux. The flaw (CVE-2019-10149) was discovered by Qualys and affects Exim versions 4.87 to 4.91 inclusive. The next release, 4.92, fixes the issue. The vulnerability allows for remote command execution, allowing an attacker to execute commands without needing to install malware on the target system. Exploiting the weakness is relatively easy from another machine on the same network. For remote attacks, Qualys has identified one method that requires keeping a connection to the Exim server open for at least seven days – for example, by sending one packet every few minutes – but the firm has ruled out the existence of faster methods. There’s more information here: http://bit.ly/2XIOkEJ. SandboxEscaper is back A developer going by the name SandboxEscaper – who has been publishing exploits for flaws in Windows without following responsible disclosure practices – has struck again, with a second bypass exploit that negates Microsoft’s patch
of cyber attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money and strategic outcomes and objectives should be clearly defined.” The National Cyber Security Centre (NCSC), established in October 2016, has had some notable successes, claiming to have dealt with over 1,100 incidents. But these have been largely fire-fighting actions and the concern is more about the UK Government developing capabilities to deal with the threats of the near future, rather than those of today. One issue is whether the Cabinet Office has correctly assessed the budget needed and how the money assigned should be spent. “The Department acknowledges that it was not absolutely confident that the funding was at the right level and that the estimated funding relied on a judgement about the resources required, the level of risk involved and the impact intended,” said the Public Accounts Committee statement. There’s more information here: http://bit.ly/2QU6zEl.
(CVE-2019-0841) for her previously released permissions-overwrite, privilege-escalation attack. It allows a local attacker to run processes, including installing programs, in an elevated context. Microsoft issued its first patch in April. SandboxEscaper then issued bypass code as part of four exploits published in late May. Now a further exploit works by deleting files and running the Edge browser. SandboxEscaper said she is looking to sell her zero-day exploits for $60,000 to non-Western buyers. Siemens PLC flaw The Logo programmable logic controller (PLC) from Siemens, which is aimed at small projects in industrial, commercial and home automation applications, has been found to have three critical flaws that would allow it to be controlled remotely. Discovered by German pen-testing outfit SySS, they are: CVE-201910919, which involves missing authentication for critical functions, which could allow an attacker to perform device reconfigurations and obtain project files; CVE-2019-10920, which involves the use of a hard-coded cryptographic key; and CVE-2019-10921, where cleartext passwords are stored in project files. There’s more here: https://sie.ag/2WUWUmx.
Insider threat grows
T
wo-thirds of businesses worldwide believe they’ve suffered a breach due to misused or abused employee access in the past year, according to research by BeyondTrust. And 62% believe they’ve had a breach due to compromised vendor access.
In the UK, poor security hygiene by employees continues to be a challenge for most organisations. Employees sending files to personal email accounts, for example, was cited as a problem for 64% of organisations, while colleagues sharing passwords was also an issue for 65%, a significant increase from 49% in 2018. The report also shows that more than a third (35%) of UK businesses are concerned over unintended data loss when employees are using unsecured devices. Globally, businesses report an average of 182 vendors logging in to their systems every week. Of UK organisations, 46% say they have more than 100 vendors logging in regularly, with 83% admitting they trust third-party vendors accessing their networks. Trust in employee privileged access was cited at 87%, however – a decrease from last year’s 91%.
Network Security
3
Threatwatch Modular malware Barracuda Networks says it has seen a spike in the use of modular malware, which is more effective than most document-based malware in evading detection and gaining persistence on infected PCs. The initial payload is usually small and basic and the malware downloads the main payload only after becoming fully established. That payload can be anything, and can be selected according to the infected machine, making modular malware a favourite of cyber criminals. A recent analysis of email attacks targeting Barracuda customers identified more than 150,000 unique malicious files in the first five months of the year. Mobile adware Security firm Lookout has discovered a strain of adware, dubbed BeiTaAd, present in at least 238 apps being distributed via Google’s Play store for Android. The well-hidden code is capable of forcing advertisements on to the user’s screen, even running video and audio ads while the device is supposed to be in sleep mode and displaying out-of-app ads that can interfere with how the user interacts with the device. It can render devices virtually unusable. After being alerted by Lookout, Google removed the apps from the store, but they have already been
gies. Although it got off to a slow start, the current strategy, started in 2016 and designed to run until 2021, is felt to have made some progress in meeting its strategic goals. But there seems to be some confusion and lack of definition that have led to concerns about whether it’s capable of meeting all of its objectives. “We welcome the National Cyber Security Strategy but are concerned that the programme designed to deliver it is insufficient. As it currently stands, the strategy is not supported by the robust evidence the Department needs to make informed decisions and accurately measure progress,” said committee chair, Meg Hillier MP. “On top of this, neither the strategy nor the programme were grounded in business cases – despite being allocated £1.9bn funding.” She added: “Looking longer term, we are disappointed that the Department was not able to give us a clear idea of what the strategy will deliver by 2021. This does not represent a resilient security strategy. In the interest of national security, the Cabinet Office need to take a long-term approach to protecting against the risk June 2019
downloaded around 440 million times. There’s more information here: http://bit.ly/2Iy9z5o. Exim bug Another critical security vulnerability has been discovered in Exim, one of the most popular email servers for Linux. The flaw (CVE-2019-10149) was discovered by Qualys and affects Exim versions 4.87 to 4.91 inclusive. The next release, 4.92, fixes the issue. The vulnerability allows for remote command execution, allowing an attacker to execute commands without needing to install malware on the target system. Exploiting the weakness is relatively easy from another machine on the same network. For remote attacks, Qualys has identified one method that requires keeping a connection to the Exim server open for at least seven days – for example, by sending one packet every few minutes – but the firm has ruled out the existence of faster methods. There’s more information here: http://bit.ly/2XIOkEJ. SandboxEscaper is back A developer going by the name SandboxEscaper – who has been publishing exploits for flaws in Windows without following responsible disclosure practices – has struck again, with a second bypass exploit that negates Microsoft’s patch
of cyber attacks: future plans should be based on strong evidence, business cases should be rigorously-costed to ensure value for money and strategic outcomes and objectives should be clearly defined.” The National Cyber Security Centre (NCSC), established in October 2016, has had some notable successes, claiming to have dealt with over 1,100 incidents. But these have been largely fire-fighting actions and the concern is more about the UK Government developing capabilities to deal with the threats of the near future, rather than those of today. One issue is whether the Cabinet Office has correctly assessed the budget needed and how the money assigned should be spent. “The Department acknowledges that it was not absolutely confident that the funding was at the right level and that the estimated funding relied on a judgement about the resources required, the level of risk involved and the impact intended,” said the Public Accounts Committee statement. There’s more information here: http://bit.ly/2QU6zEl.
(CVE-2019-0841) for her previously released permissions-overwrite, privilege-escalation attack. It allows a local attacker to run processes, including installing programs, in an elevated context. Microsoft issued its first patch in April. SandboxEscaper then issued bypass code as part of four exploits published in late May. Now a further exploit works by deleting files and running the Edge browser. SandboxEscaper said she is looking to sell her zero-day exploits for $60,000 to non-Western buyers. Siemens PLC flaw The Logo programmable logic controller (PLC) from Siemens, which is aimed at small projects in industrial, commercial and home automation applications, has been found to have three critical flaws that would allow it to be controlled remotely. Discovered by German pen-testing outfit SySS, they are: CVE-201910919, which involves missing authentication for critical functions, which could allow an attacker to perform device reconfigurations and obtain project files; CVE-2019-10920, which involves the use of a hard-coded cryptographic key; and CVE-2019-10921, where cleartext passwords are stored in project files. There’s more here: https://sie.ag/2WUWUmx.
Insider threat grows
T
wo-thirds of businesses worldwide believe they’ve suffered a breach due to misused or abused employee access in the past year, according to research by BeyondTrust. And 62% believe they’ve had a breach due to compromised vendor access.
In the UK, poor security hygiene by employees continues to be a challenge for most organisations. Employees sending files to personal email accounts, for example, was cited as a problem for 64% of organisations, while colleagues sharing passwords was also an issue for 65%, a significant increase from 49% in 2018. The report also shows that more than a third (35%) of UK businesses are concerned over unintended data loss when employees are using unsecured devices. Globally, businesses report an average of 182 vendors logging in to their systems every week. Of UK organisations, 46% say they have more than 100 vendors logging in regularly, with 83% admitting they trust third-party vendors accessing their networks. Trust in employee privileged access was cited at 87%, however – a decrease from last year’s 91%.
Network Security
3