Active Threats
- “In a new report shared with The Hacker News, cybersecurity firm RiskIQ said it identified three compromised websites belonging to Endeavor Business Media last month that are still hosting JavaScript skimming code — a classic tactic embraced by Magecart, a consortium of different hacker groups who target online shopping cart systems.” https://thehackernews.com/2020/06/magecart-skimmer-amazon.html
- “Scammers have hijacked three YouTube channels to display bitcoin scams impersonating Elon Musk’s SpaceX channel. So far, these scams have raked in close to $150,000 in bitcoins in two days. For years, scammers have been impersonating Elon Musk and SpaceX to perform cryptocurrency giveaways and other scams promising you significant returns if you send them a little bitcoin. Since yesterday, three YouTube channels that were previously known as ‘Juice TV,’ ‘Right Human,’ and ‘MaximSakulevich’ have been hijacked and renamed to ‘SpaceX Live’ or ‘SpaceX.’” https://www.bleepingcomputer.com/news/security/fake-spacex-youtube-channels-scam-viewers-out-of-150k-in-bitcoin/
Data Breaches/Ransomware
- “Singapore-based ST Engineering Aerospace’s United States subsidiary has suffered a massive ransomware attack, resulting in the exposure of confidential data such as contract details with various governments, government-related organisations and airlines. Cyber security firm Cyfirma said in a report this month that hackers exfiltrated about 1.5TB of data, which could have been stolen as early as March.” https://www.straitstimes.com/singapore/st-engineering-aerospaces-us-subsidiary-suffers-massive-data-breach
- “As per our research team, the actor R3dr0x (seems to be a Pakistani actor) has targeted the part of the BEML website detailing their Indigenisation Levels, which seems to be a warning to the extremist government of India of what they would face in the near future for their actions.” https://securityaffairs.co/wordpress/104495/data-breach/beml-data-leak.html
- “In late May, KrebsOnSecurity alerted numerous officials in Florence, Ala. that their information technology systems had been infiltrated by hackers who specialize in deploying ransomware. Nevertheless, on Friday, June 5, the intruders sprang their attack, deploying ransomware and demanding nearly $300,000 worth of bitcoin. City officials now say they plan to pay the ransom demand, in hopes of keeping the personal data of their citizens off of the Internet.” https://krebsonsecurity.com/2020/06/florence-ala-hit-by-ransomware-12-days-after-being-alerted-by-krebsonsecurity/
Vulnerabilities
- “A vulnerability in the Universal Plug and Play protocol implemented in billions of devices can be exploited to exfiltrate data, turn them into bots for distributed denial-of-service attacks (DDoS), and scan internal networks. The bug got the name CallStranger and it affects all devices that run a UPnP version earlier than April 17. Included are all versions of Windows 10, routers, access points, printers, gaming consoles, doorphones, media applications and devices, cameras, television sets.” https://www.bleepingcomputer.com/news/security/callstranger-upnp-bug-allows-data-theft-ddos-attacks-lan-scans/
- “Adobe Warns of Critical Flaws in Flash Player, Framemaker” https://threatpost.com/adobe-warns-critical-flaws-flash-player-framemaker/156417/
- “Intel processors are vulnerable to a new attack known as SGAxe that breaches the security guarantees of Intel Software Guard eXtensions (SGX) enclaves. It is designed to specifically target and leak data from Intel processors. SGAxe is an evolution of the CacheOut attack (also known as L1D Eviction Sampling) previously disclosed by researchers at the University of Michigan, University of Adelaide, and Data61 in January 2020. CacheOut is tracked as CVE-2020-0549 and it may allow authenticated attackers with local access to the targeted machines to potentially enable information disclosure due to cleanup errors in some data cache evictions for some Intel processors.” https://www.bleepingcomputer.com/news/security/new-sgaxe-attack-steals-protected-data-from-intel-sgx-enclaves/
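The CallStranger item above describes the effect (exfiltration, reflected DDoS, LAN scanning) but not the mechanism, which is that a UPnP device will send event NOTIFY messages to whatever URL the subscriber puts in the CALLBACK header of a SUBSCRIBE request. The check below is an added example, not code from the BleepingComputer article or from the CallStranger researchers: it builds a SUBSCRIBE request the way a control point does and then audits the CALLBACK header the way a hardened device or a network sensor should, flagging any callback that does not point back at the subscriber itself. The device address, event path, callback URLs and client IP are constructed sample data.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# UPnP/GENA puts each callback URL in angle brackets: CALLBACK: <http://a/x><http://b/y>
CALLBACK_URL = re.compile(r"<([^>]+)>")


def build_subscribe(host, event_path, callback_urls, timeout=1800):
    """Assemble a GENA SUBSCRIBE request as a UPnP control point would send it.
    host/event_path come from the device description; callback_urls are the
    subscriber's own NOTIFY endpoints (or, in the attack, anything at all)."""
    callback = "".join(f"<{u}>" for u in callback_urls)
    lines = [
        f"SUBSCRIBE {event_path} HTTP/1.1",
        f"HOST: {host}",
        f"CALLBACK: {callback}",
        "NT: upnp:event",
        f"TIMEOUT: Second-{timeout}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_request(raw):
    """Split an HTTP request head into (request line, lower-cased header dict)."""
    head = raw.decode(errors="replace").split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def audit_subscribe(raw, client_ip):
    """Return (url, reason) findings for callbacks a device should refuse.
    client_ip is the address the SUBSCRIBE actually arrived from; the only
    callback a legitimate subscriber needs is one pointing back at itself."""
    request_line, headers = parse_request(raw)
    if not request_line.startswith("SUBSCRIBE "):
        return []
    client = ipaddress.ip_address(client_ip)
    findings = []
    for url in CALLBACK_URL.findall(headers.get("callback", "")):
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            findings.append((url, "malformed callback URL"))
            continue
        try:
            target = ipaddress.ip_address(parts.hostname)
        except ValueError:
            findings.append((url, "callback by DNS name: device would resolve an attacker-chosen name"))
            continue
        if target == client:
            continue  # the normal case: the subscriber asks to be notified itself
        port = parts.port or 80
        if target.is_global:
            findings.append((url, f"callback leaves the LAN to {target}:{port}: data exfiltration or reflected DDoS"))
        else:
            findings.append((url, f"callback to another internal host {target}:{port}: LAN port scan"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a subscriber at 192.168.1.50 names its own endpoint, an
    # external collector (8.8.8.8 stands in for any routable address) and an internal SMB port.
    req = build_subscribe(
        "192.168.1.1:49152",
        "/upnp/event/WANIPConn1",
        ["http://192.168.1.50:8080/notify", "http://8.8.8.8/collect", "http://192.168.1.10:445/"],
    )
    for url, reason in audit_subscribe(req, "192.168.1.50"):
        print(f"{url}: {reason}")
```

To test a real device on your own network, send the bytes from build_subscribe to the device's event URL (taken from its device description XML) and watch whether a NOTIFY arrives at the callback you named; a device that delivers to a host other than the subscriber is the behaviour the advisory describes. The same audit logic can be run on SUBSCRIBE requests captured at a LAN tap, where the client IP is the packet source.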
Patching & Remediation
- “Two Critical Remote Code Execution flaws fixed in IBM WebSphere” https://securityaffairs.co/wordpress/104504/security/ibm-websphere-rces.html
- “Intel addressed 25 vulnerabilities today as part of its June 2020 Patch Tuesday, with two of them affecting Intel’s Active Management Technology (AMT) being rated as critical security flaws after receiving CVSS scores of 9.8. These issues were detailed in the five security advisories Intel published on its Product Security Center, with fixes addressing them having been delivered to users through the Intel Platform Update (IPU) process before public disclosure.” https://www.bleepingcomputer.com/news/security/intel-patched-22-vulnerabilities-in-the-june-2020-platform-update/
- “Today is Microsoft’s June 2020 Patch Tuesday, and as many Windows administrators will be routinely screaming at computers, please be nice to them! With the release of the June 2020 Patch Tuesday security updates, Microsoft has released one advisory for an Adobe Flash Player update and fixes for 129 vulnerabilities in Microsoft products. Of these vulnerabilities, 11 are classified as Critical, 109 as Important, 7 as Moderate, and 2 as Low.” https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2020-patch-tuesday-largest-ever-with-129-fixes/
- “Microsoft has fixed a vulnerability in all current Windows versions that allows an attacker to exploit the Windows Group Policy feature to take full control over a computer. This vulnerability affects all Windows versions since Windows Server 2008. Windows administrators can remotely manage all of the Windows devices on a network through the Group Policy feature. This feature allows administrators to create a centralized global configuration policy for their organization that is pushed out to all of the Windows devices on their network. These policies allow an administrator to control how a computer can be used, such as disabling settings in apps, prohibiting apps from running, enabling and disabling Windows features, and even deploying the same wallpaper on every Windows computer.” https://www.bleepingcomputer.com/news/security/windows-group-policy-flaw-lets-attackers-gain-admin-privileges/
- “Dubbed “SMBleed” (CVE-2020-1206) by cybersecurity firm ZecOps, the flaw resides in SMB’s decompression function — the same function as with SMBGhost or EternalDarkness bug (CVE-2020-0796), which came to light three months ago, potentially opening vulnerable Windows systems to malware attacks that can propagate across networks. The newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly Patch Tuesday updates for June.” https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html
Bug Bounty
- No updates
Privacy
- “Facebook last week began slapping “state controlled” labels on media outlets that it’s determined are under the thumb of a government. With the labels, Facebook is enacting a policy it announced in October. That’s when the platform introduced new election security measures, including a promise to increase transparency by showing the confirmed owner of a Page and by labeling state-controlled media on their Page and in the platform’s Ad Library.” https://nakedsecurity.sophos.com/2020/06/09/facebook-labels-state-controlled-russian-chinese-iranian-media/
- “The New York SHIELD Act,[1] officially titled the Stop Hacks and Improve Electronic Data Security Act, amends New York’s existing data breach notification law in several significant ways and adds a number of data security protection requirements. The amended data breach notification obligations went into effect on Oct. 23, 2019, with the data security requirements going into effect on Mar. 21, 2020. Though consumers do not have a private right of action[2] to enforce its mandates, the SHIELD Act is enforceable by the New York Attorney General.” https://www.dataprivacymonitor.com/data-breach-notification-laws/key-changes-to-new-york-breach-notification-and-data-security-protection-requirements-from-the-new-york-shield-act/
Darkweb
- “A second ransomware gang, ragnar locker, has partnered with Maze Ransomware to use their data leak platform to extort victims whose unencrypted files were stolen. Before encrypting a victim’s network, most network-targeting ransomware operations will steal a victim’s unencrypted files. These files are then used as leverage by threatening to release them publicly on data leak sites if a ransom is not paid.” https://www.bleepingcomputer.com/news/security/maze-ransomware-adds-ragnar-locker-to-its-extortion-cartel/
- “Ransomware gangs are teaming up to extort victims through a shared data leak platform, and the exchange of tactics and intelligence. In November 2019, the Maze Ransomware operators transformed ransomware attacks into data breaches after they released unencrypted data of a victim who refused to pay. Soon after, they launched a dedicated “Maze News” site used to shame their unpaid victims by publicly releasing stolen data.” https://www.bleepingcomputer.com/news/security/ransomware-gangs-team-up-to-form-extortion-cartel/
- “A hack-for-hire group, called Dark Basin, has been outed after targeting thousands of individuals and organizations worldwide – including advocacy groups and journalists, elected and senior government officials, and hedge funds — over the course of seven years” https://threatpost.com/dark-basin-hack-hire-group/156407/
Standards, Guidelines, Best Practices
- “Email Oops, and How to Avoid Them” https://www.sans.org/security-awareness-training/resources/email-oops-and-how-avoid-them
- “Are you struggling to hire skilled digital security talent in 2020? If so, you’re not alone. According to a Tripwire study on the infosec skills gap, 82% of security experts said that their teams were understaffed; nearly the same proportion (83%) indicated that they were feeling more overworked going into 2020 than they were a year prior.” https://www.tripwire.com/state-of-security/security-data-protection/expertops-can-help-address-infosec-skills-gap/
- “It’s notable that these FlowCloud campaigns were occurring at the same time as the LookBack campaigns that Proofpoint has previously documented. Both the FlowCloud and LookBack campaigns targeted utility providers in the United States. Both used training and certification-themed lures. And both used threat actor-controlled domains for delivery. In some cases, both FlowCloud and LookBack campaigns targeted not only the same companies but also the same recipients.” https://www.tripwire.com/state-of-security/security-data-protection/u-s-utilities-targeted-with-flowcloud-malware-by-lookback-attackers/
- “The sad news is that about 80% of data breaches can be prevented with basic actions; such as vulnerability assessments, patching, and proper security configurations. The specific reasons vary; but include staffing and resource issues, lack of expertise to optimize complex, multi-vendor security systems, and a host of other reasons. Whatever the specific cause, the common theme is that security lagged either internal IT changes or changes in the external threat landscape.” https://thehackernews.com/2020/06/security-drift-silent-killer.html
- “We’re going to ask more of the ICS community, but we’re also going to deliver more to you,” Chris Krebs, head of DHS’s Cybersecurity and Infrastructure Security Agency, said at a virtual meeting of the ICS Joint Working Group, a government-industry initiative.” https://www.cyberscoop.com/dhs-cisa-industrial-control-system-security-strategy/
Red/Blue Teaming
- “Adversaries may modify file or directory permissions/attributes to evade intended DACLs. Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions such as Administrator/root depending on the file or directory’s existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files/directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.” https://www.threathunting.se/2020/06/09/detect-file-directory-permissions-modification-free-splunk-detection-rules/
- “A persistence method that takes advantage of some of the wonderful telemetry that Microsoft has included in Windows versions for the last decade. The process outlined here affects Windows machines from 2008R2/Windows 7 through 2019/Windows 10.” https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
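The file and directory permission modification item above links to Splunk rules; the Python below is an added example, not the rules from the linked post, that runs the same detection logic over Windows Security log event 4670 (“Permissions on an object were changed”), which records the old and new security descriptor in SDDL. It reports two things a hunter cares about: ownership takeovers (the step that precedes re-ACLing a file you do not own) and new write-capable ACEs granted to broad principals such as Everyone, Authenticated Users or Users, with hits under system paths ranked higher. The three event records are constructed sample data; the dictionary keys follow the 4670 event’s own data names (SubjectUserName, ObjectName, ProcessName, OldSd, NewSd), and the sensitive-path list is an assumption to tune for your environment.

```python
import re

# Two-letter SDDL access-right tokens and the mask bits they stand for (file objects).
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
    "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
}
# Any of these bits lets the grantee alter the object or its security descriptor:
# FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
# Principals any user on the box can act as; a write grant to them makes the object world-writable.
BROAD_SIDS = {"WD", "AU", "BU", "IU", "AN", "S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
# Assumption: paths where a permission change deserves a higher severity.
SENSITIVE_PREFIXES = (r"c:\windows\system32", r"c:\programdata", r"c:\program files")

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(token):
    """Turn an SDDL rights field ('FA', 'CCDCLCSWRPWPDTLOCRSDRCWDWO', '0x1200a9') into a bit mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS.get(token[i:i + 2], 0)
    return mask


def parse_sddl(sddl):
    """Return (owner, {(ace_type, sid): mask}) for the DACL part of a security descriptor string."""
    owner = re.search(r"O:([^:]+?)(?=G:|D:|S:|$)", sddl)
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = {}
    for ace in ACE_RE.findall(dacl.group(1) if dacl else ""):
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6:
            continue
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        aces[(ace_type, sid)] = aces.get((ace_type, sid), 0) | rights_mask(rights)
    return (owner.group(1) if owner else None), aces


def detect_dacl_abuse(events):
    """Scan 4670 records and report ownership changes and new broad write grants."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4670:
            continue
        old_owner, old = parse_sddl(ev["OldSd"])
        new_owner, new = parse_sddl(ev["NewSd"])
        obj = ev["ObjectName"]
        base = {"object": obj, "subject": ev["SubjectUserName"], "process": ev["ProcessName"],
                "severity": "high" if obj.lower().startswith(SENSITIVE_PREFIXES) else "medium"}
        if old_owner != new_owner:
            findings.append({**base, "reason": f"owner changed {old_owner} -> {new_owner}"})
        for (ace_type, sid), mask in new.items():
            if ace_type != "A" or sid not in BROAD_SIDS:
                continue
            added = mask & ~old.get((ace_type, sid), 0)  # bits this principal did not have before
            if added & WRITE_BITS:
                findings.append({**base, "reason": f"write access granted to {sid} (mask 0x{added & WRITE_BITS:x})"})
    return findings


SAMPLE_EVENTS = [
    # Constructed: user takes ownership of sethc.exe and makes it writable by Users (accessibility-feature backdoor prep).
    {"EventID": 4670, "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\System32\icacls.exe",
     "ObjectName": r"C:\Windows\System32\sethc.exe",
     "OldSd": "O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
     "NewSd": "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;BU)"},
    # Constructed: a logon script opened up to Everyone.
    {"EventID": 4670, "SubjectUserName": "svc_deploy", "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"C:\Windows\System32\GroupPolicy\User\Scripts\Logon\logon.bat",
     "OldSd": "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;AU)",
     "NewSd": "O:BAG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;AU)(A;;FA;;;WD)"},
    # Constructed benign case: a user shares a document read-only with one named colleague.
    {"EventID": 4670, "SubjectUserName": "asmith", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"C:\Users\asmith\Documents\q2.xlsx",
     "OldSd": "O:S-1-5-21-1-2-3-1001G:DUD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-21-1-2-3-1001)",
     "NewSd": "O:S-1-5-21-1-2-3-1001G:DUD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-21-1-2-3-1001)(A;;0x1200a9;;;S-1-5-21-1-2-3-1002)"},
]

if __name__ == "__main__":
    for f in detect_dacl_abuse(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['object']} by {f['subject']} via {f['process']}: {f['reason']}")
```

Event 4670 is only written when the “Audit File System” subcategory is enabled and the object carries a SACL with WRITE_DAC/WRITE_OWNER auditing, so the pre-requisite for this detection is deploying those SACLs on the binaries and script directories you care about. The diff-against-old-descriptor approach keeps routine re-application of an existing ACL quiet; only newly added write bits for broad principals fire.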
#security #cybersecurity #itsecurity #privacy #risk #compliance #callstranger #upnp #ransomware #ragnarlocker #lockbit #magecart #r3dr0x #darkbasin #ics #sgaxe #cacheout #patchtuesday #youtube