NEWS/THREATWATCH
and access to the investor network of start-up accelerator Wayra, which is part of Telefonica and co-hosts the scheme.

Meanwhile, the UK Government is proposing to enact a law to improve the security of Internet of Things (IoT) devices. It would do this by requiring every device to have a unique password and carry a label, aimed at consumers, explaining for how long security updates would be available and providing a point of contact should any security vulnerabilities be discovered. The proposals build on the existing code of practice, introduced in October 2018. And although the new rules would be voluntary to start with, there’s a suggestion that they could become mandatory. “This proposed new legislation would make that shift absolutely clear – manufacturers would have to meet minimum security standards on all IoT devices sold in the UK,” said Katie Vickery, partner at international law firm Osborne Clarke. “The use of voluntary labelling will also encourage compliance, as consumers seek out those devices that give them some added assurance.”

Finally, the UK Government has appointed a cyber security ‘ambassador’, whose job will be to promote the country’s expertise and resources in this sector. Henry Pearson will work via the Department for International Trade (DIT) having previously been an adviser to the NCSC, the Ministry of Defence and BAE Applied Intelligence’s Detica. He’ll work closely with UK firms looking to secure overseas cyber security contracts.

Presidential hopefuls vulnerable

The campaigns for nearly all top-tier candidates running for President of the United States in 2020 are unprotected against the kinds of email attacks, fraud and data breaches typically instigated by nation states, according to a new report from Agari.

The firm analysed the use by presidential campaigns of the DMARC standard for authenticating messages. Of the 12 Democratic and Republican candidates that top current polls, 11 have failed to implement email authentication that prevents acts such as candidate impersonation and donor fraud. Agari also analysed the campaigns’ use of advanced email security controls and found that 10 out of 12 have no additional protection beyond the basic security included in Microsoft Office 365 or Google Suite. Email is the primary vector through which 96% of data breaches occur and many believe that the spear-phishing attack that targeted John Podesta’s emails, and the subsequent WikiLeaks Continued on page 19...

Threatwatch

Sneaky Gandcrab

Cybereason’s Nocturnus team has discovered a ransomware campaign employing the Gandcrab malware that has adopted a new, stealthy mechanism to ensure an infection. In an attack targeting an international manufacturing firm based in Japan, the hackers used multiple layers of obfuscation. The attack started with a Korean Word document delivered via phishing, but which also combined a number of mechanisms, such as a multi-stage fileless infection chain and the use of ‘living off the land’ binaries to bypass Windows AppLocker and fetch the ransomware payload, which was hosted on a legitimate text-sharing service. There are full details here: http://bit.ly/2HcB8Sk.

Phishing Verizon

A new phishing kit directly targets Verizon customers and shows an understanding of the company’s infrastructure, according to Jeremy Richards, the researcher at Lookout Security who discovered it. The kit generates messages that appear to come from Verizon Customer Support and uses fake domains that mimic the firm’s own, including adding ‘ecrm’ as a sub-domain – Verizon typically uses such sub-domains for its Electronic Customer Relationship Management units. Lookout has noted more than 50 Verizon-related phishing domains being registered in the past 90 days. There’s more information here: http://bit.ly/2PYU0ah.

Millions of IoT devices at risk

A popular peer-to-peer (P2P) implementation that has been adopted by a large number of manufacturers has serious vulnerabilities, with no patches currently available. The iLnkP2P solution, developed by Shenzhen Yunni Technology, is currently in use by an estimated two million devices connected to the Internet, in products – primarily security cameras, but also baby monitors, ‘smart’ doorbells and other devices – made by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM. These are the ones that have been identified. Hundreds of other brands also use it, so the real risk may be much higher. The P2P solution has two flaws: one is an enumeration vulnerability (CVE-2019-11219) that enables attackers to discover exploitable devices online. The other is an authentication vulnerability (CVE-2019-11220) that allows remote attackers to intercept user-to-device traffic in cleartext, including video streams and device credentials. There’s more information here: https://hacked.camera/.

Spike in ransomware

SophosLabs has released details of a new ransomware strain it has dubbed MegaCortex. Although it’s not entirely new, infections using the malware suddenly spiked on May 1. The firm has seen MegaCortex detections in the US, Canada, Argentina, Italy, the Netherlands, France, Ireland, Hong Kong, Indonesia and Australia. The ransomware has manual components similar to Ryuk and BitPaymer, but the attackers behind MegaCortex use more automated tools to carry out the attack, which is unique. Until now, Sophos has seen automated attacks, manual attacks and blended attacks, which typically lean more towards using manual hacking techniques to move laterally; with MegaCortex, the firm is seeing heavier use of automation coupled with the manual component. This new formula is designed to spread the infection to more victims, more quickly. There’s more information here: http://bit.ly/2VQwodu.

Git ransoms

Developers are being hit with a very specialised form of ransomware. Repositories on a number of platforms, including GitHub, GitLab and Bitbucket, are having commits deleted, with the attackers leaving ransom notes in their place. Many of the coders mentioned using Sourcetree software by Atlassian, which also runs the Bitbucket Cloud service. Atlassian contacted affected programmers to tell them their repositories had been accessed using legitimate credentials, but didn’t mention whether the Sourcetree software was implicated in any way. Investigations are underway.

May 2019
Network Security
3
News continued from page 3...

publication of those emails, influenced the 2016 election outcome. “Email, by far the most common communication medium, is being weaponised by advanced sophisticated attackers who find it far too easy to send targeted messages that do real harm to people and abuse the fundamental freedoms we enjoy as US citizens, like the right for our votes to decide election outcomes,” said Patrick Peterson, CEO at Agari.

The results of the research appear in Agari’s ‘Q2 2019 Email Fraud and Identity Deception Trends’ report. Among other trends highlighted by the report are that, among phishing attacks, 34% impersonated trusted brands, 19% impersonated individuals and 20% used lookalike domains, while compromised accounts were used in the remaining 27% of attacks. A fifth of business email compromise (BEC) emails included personalisation, where the attacker included elements such as the name of the recipient and other customised details to make the deceptive email seem legitimate. And individual display name deception is the most common technique used in phishing emails targeting C-suite executives. The vast majority of BEC attackers use free and temporary email accounts to launch their attacks. Roadrunner (rr.com) was the most common email provider used to launch BEC attacks during Q1, accounting for 15% of all BEC emails identified, followed by AOL (13%) and Gmail (10%). The report is here: http://bit.ly/2PRWbwo.

Risky open source

An annual audit of 1,200 commercial applications libraries has found that nearly all of them (96%) incorporate open source components, and that two-fifths (38%) use components with no identifiable license, putting organisations at risk.

The good news is that the ‘2019 Open Source Security and Risk Analysis’ (OSSRA) report, produced by the Synopsys Cyber security Research Centre (CyRC), also suggests that an inflection point has been reached, with many organisations improving their ability to manage open source risk, possibly due to heightened awareness and the maturation of commercial software composition analysis solutions. Serious problems remain, however, with 85% of codebases containing components that were more than four years out-of-date or had no development in the past two years. If a component is inactive and no-one is maintaining it, that means no-one is addressing its potential vulnerabilities. In addition, 68% of codebases contained some form of open source license conflict. There are patching problems, too. The average age of vulnerabilities was 6.6 years, slightly higher than in 2017, suggesting remediation efforts haven’t improved significantly. Some 43% of the codebases scanned in 2018 contained vulnerabilities over 10 years old. The report is here: http://bit.ly/2VZ0Gup.
Network Security
19