Cyber Intelligence Report - February 4, 2019

February 4, 2019

The Cyber Intelligence Report is an Open Source Intelligence (OSINT) resource, received by over ten thousand individuals, that focuses on advanced persistent threats (APTs) and other digital dangers. APTs fit into a cybercrime category directed at both business and political targets. Attack vectors include system compromise, social engineering, and even traditional espionage. Included are clickable links to news stories, vulnerabilities, exploits, & a list of active hackers.

Summary

Symantec ThreatCon Low: Basic network posture

This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.

Zone-H last 10 defacements

Sophos: last 10 Malware

* Troj/BokBot-M
* Troj/Trickbo-NU
* Troj/Trickbo-NT
* Troj/Trickbo-NS
* Troj/Qbot-EQ
* Troj/PDFUri-GWV
* Troj/DocPh-DM
* Troj/Agent-BAQU
* VBS/Dwnldr-XFU
* Troj/Recam-DI

Last 10 PUAs

* InstallCore
* SoftPulse
* AirInstaller
* Adposhel
* IStartSurfInstaller
* Remo Repair Zip
* NSIS_mod
* Bundlore
* VidAdBlock
* Bitcoin Miner

Interesting News

* Razy in search of cryptocurrency

Last year, we discovered malware that installs a malicious browser extension on its victim’s computer or infects an already installed extension. To do so, it disables the integrity check for installed extensions and automatic updates for the targeted browser. Kaspersky Lab products detect the malicious program as Trojan.Win32.Razy.gen.

If you are interested, we have an active Facebook Group and YouTube Channel. As always, if you have any suggestions, feel free to let us know. Subscribe if you would like to receive the CIR updates: [email protected]


Index of Sections

Current News

* Packet Storm Security

* Dark Reading

* Krebs on Security

* The Hacker News

* McAfee

* Threat Post

* Naked Security

* Quick Heal - Security Simplified

Critical Infrastructure

* Security Magazine's Latest Published

Tools

* Packet Storm Security's Latest Published

Exploits

* Packet Storm Security's Latest Published

Advisories

* Secunia Chart of Vulnerabilities Identified

* US-Cert (Current Activity-Alerts-Bulletins)

* Symantec's Latest List

* Packet Storm Security's Latest List

Credits


News

Packet Storm Security

* SpeakUp Linux Backdoor Sets Up For Major Attack
* Police Raids Target Hundreds Of UK Web Attackers
* Two Hacker Groups Responsible For 60 Percent Of All Publicly Reported Attacks
* Sign Systems Allowed Hacker Access Through Default Passwords
* More Nest Camera Hacking Continues
* Security Firm Identifies Hacker Behind Massive Collection Leaks
* Cybercriminals Aim For The Super Bowl Goal Posts
* $145 Million Funds Frozen After Death Of Cryptocurrency Exchange Admin
* Hacker Who Stole $5 Million By SIM Swapping Gets 10 Years
* Court Hears Challenge To FCC Net Neutrality Appeal
* Everything To Know About Facebook, Google's App Scandal
* US Pulling Out Of Nuclear Treaty With Russia
* Bullish On Cybercrime
* Breached Airbus Employee Data Gets Released On The Dark Web
* Hacker Discloses Magyar Telekom Vulnerabilities, Faces Jail Time
* Apple To Issue Fix For Facetime Bug
* Inside The UAE's Secret Hacking Team Of US Mercenaries
* Team America Tries To Crash Little Rocket Man's Joanap Botnet
* Insider Trading Schemes Appear To Be The New Hacker Hotness
* Apple Leaves Facebook Offices In Disarray After Revoking App Permissions
* Google Pulls Data-Chugging App From iOS Devices
* Discover Notifies Customers Of Data Breach Incident
* Judge Rules Against Yahoo! Settlement Offer
* This Is How YouTube Influencer Scam Artists Operate
* Facebook Paid Teenagers To Mine Device Data

Dark Reading

* New Botnet Shows Evolution of Tech and Criminal Culture
* Exposed Consumer Data Skyrocketed 126% in 2018
* 6 Security Tips Before You Put a Digital Assistant to Work
* Researchers Devise New Method of Intrusion Deception for SDN
* Facebook Struggles in Privacy Class-Action Lawsuit
* IoT Security's Coming of Age Is Overdue
* Nest Hack Leaves Homeowner Sleepless in Chicago
* How Hackers Could Hit Super Bowl LIII
* KISS, Cyber & the Humble but Nourishing Chickpea
* Study the Cutting Edge of Cybersecurity at Black Hat Asia
* Cisco Router Vulnerability Gives Window into Researchers' World
* 8 Cybersecurity Myths Debunked
* Airbus Employee Info Exposed in Data Breach
* Dell, CrowdStrike, Secureworks Join Forces to Secure Endpoints
* For a Super Security Playbook, Take a Page from Football
* Justice Dept. Alerting Victims of North Korean Botnet Infections
* Rubrik Data Leak is Another Cloud Misconfiguration Horror Story
* Massive DDoS Attack Generates 500 Million Packets per Second
* Iran Ups its Traditional Cyber Espionage Tradecraft


Krebs on Security

* Crooks Continue to Exploit GoDaddy Hole
* 250 Webstresser Users to Face Legal Action
* Three Charged for Working With Serial Swatter
* How the U.S. Govt. Shutdown Harms Security
* Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com
* 773M Password ‘Megabreach’ is Years Old
* “Stole $24 Million But Still Can’t Keep a Friend”
* Courts Hand Down Hard Jail Time for DDoS
* Secret Service: Theft Rings Turn to Fuze Cards
* Patch Tuesday, January 2019 Edition

The Hacker News

* Cryptocurrency Firm Losses $145 Million After CEO Dies With Only Password
* Several Popular Beauty Camera Apps Caught Stealing Users' Photos
* First Hacker Convicted of 'SIM Swapping' Attack Gets 10 Years in Prison
* Hacker who reported flaw in Hungarian Telekom faces up to 8-years in prison
* New Mac Malware Targets Cookies to Steal From Cryptocurrency Wallets
* Airbus Suffers Data Breach, Some Employees' Data Exposed
* FBI Mapping 'Joanap Malware' Victims to Disrupt the North Korean Botnet
* Facebook Paid Teens $20 to Install 'Research' App That Collects Private Data
* iCloud Possibly Suffered A Privacy Breach Last Year That Apple Kept a Secret
* How to Recover Lost or Deleted Files?

Security Week

* New Backdoor Targets Linux Servers
* Researchers Identify Hacker Behind Massive Data Breach Collection
* Why Fighting Card-Not-Present Fraud Remains an Ongoing Challenge
* New Canon Printers Bring SIEM Integration, Other Security Features
* Flaw Possibly Affecting 500,000 Ubiquity Devices Exploited in the Wild
* Extreme Networks Launches IoT Defense Solution For Enterprises
* Attackers Use CoAP for DDoS Amplification
* Senators Reintroduce DHS Cyber Hunt and Incident Response Teams Act
* U.S. Energy Firm Fined $10 Million for Security Failures
* Malicious Hackers Can Abuse Siri Shortcuts: IBM
* Industrial Internet Consortium and OpenFog Consortium Merge
* UK Data Watchdog Fines Leave.EU, Eldon Insurance
* Apple Partially Fixes FaceTime Spying Bug
* Israel Seeks to Beat Election Cyber Bots
* Home Design Website Houzz Alerts Users of Data Breach
* New York Investigating Apple's Response to FaceTime Spying Bug
* Minnesota Department of Human Services Reports Data Breach
* Facebook Takes Down Vast Iran-led Manipulation Campaign
* GitHub Helps Developers Keep Dependencies Secure via Dependabot
* Firms That Sold Fake Social Media Activity Settle With New York State


McAfee

* Safer Internet Day 2019 – Together for a Better Internet
* MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development
* California Consumer Privacy Act
* Customer Support Scams Are Popping up in Social Media Ads: How to Stay Secure
* What You Need to Know About DNS Flag Day
* Teach Kids The 4Rs Critical for Online Safety on Safer Internet Day
* Apple Users: Here’s What to Do About the Major FaceTime Bug
* Privacy and Security by Design: Thoughts for Data Privacy Day
* Sharing Isn’t Always Caring: 3 Tips to Help Protect Your Online Privacy
* #PrivacyAware: Will You Champion Your Family’s Online Privacy?

Threat Post

* Spy Campaign Spams Pro-Tibet Group With ExileRAT
* ‘Collection #1’ Data Dump Hacker Identified
* SpeakUp Linux Backdoor Sets Up for Major Attack
* Houzz Urges Password Resets After Data Breach
* Chafer APT Takes Aim at Diplomats in Iran with Improved Custom Malware
* Threatpost News Wrap Podcast For Feb. 1
* Cybercriminals Aim for the Super Bowl Goal Posts
* Facebook Boots Hundreds of Iran-Linked Accounts For Spreading Misinformation
* TheMoon Rises Again, With a Botnet-as-a-Service Threat
* Prepare to Defend Your Network Against Swarm-as-a-Service

Naked Security

* Security weaknesses in 5G, 4G and 3G could expose users’ locations
* Chrome’s hidden lookalike detection feature battles URL imposters
* FBI burrowing into North Korea’s big bad botnet
* Selling fake likes and follows is illegal, rules New York
* Monday review – the hot 28 stories of the week
* FaceTime bug, eavesdropping and digital snooping – what to do? [VIDEO]
* Linux user? Check those patches! Public exploit published for systemd security holes…
* Credential dump contains another 2.2 billion pwned accounts
* Hacker talks to baby through Nest security cam, jacks up thermostat
* Microsoft Azure data deleted because of DNS outage

Quick Heal - Security Simplified

* Anatova, A modular ransomware
* Mongolock Ransomware deletes files and targets databases
* GandCrab Ransomware along with Monero Miner and Spammer
* Malspam email – Jack of all malware, master of none.
* Drone Safety – Flying Tips, Policies & Regulations
* Applying Deep Learning for PE-Malware Classification
* Ransomware displaced by cryptojacking as the most trending cyberthreat but it is not dead yet
* Beware! Your website might be delivering Emotet malware
* Beware!! PDF Attachments Launching Android malware


Critical Infrastructure

* Senators Introduce Legislation to Protect Electric Grid from Cyber Attack
* How to Protect Sub-Perimeters with Advanced IP Technology
* Miami Airport Launches New Biometric Boarding Process
* New York is Top Business Travel Destination
* Study Says Manufacturers Struggle with IoT and Finding Skilled Cybersecurity Staff
* Workforce Drug Positivity Rises by Double-Digits in Almost One-Third of U.S. Industry Sectors Examined

Tools

* SQLMAP - Automatic SQL Injection Tool 1.3.2
* Lynis Auditing Tool 2.7.1
* Logwatch 7.5.1
* I2P 0.9.38
* Flawfinder 2.0.8
* Faraday 3.5.0
* Falco 0.13.1
* Scapy Packet Manipulation Tool 2.4.2
* Amazon Releases New C++ Friendly Features
* Acunetix Vulnerability Scanner Now Also on Linux

Exploits

* BEWARD N100 H.264 VGA IP Camera M2.1.6 Root Remote Code Execution
* BEWARD N100 H.264 VGA IP Camera M2.1.6 Arbitrary File Disclosure
* BEWARD N100 H.264 VGA IP Camera M2.1.6 Cross Site Request Forgery
* BEWARD N100 H.264 VGA IP Camera M2.1.6 Unauthenticated RTSP Stream Disclosure
* devolo dLAN 550 duo+ 3.1.0-1 Starter Kit Remote Code Execution
* devolo dLAN 550 duo+ 3.1.0-1 Starter Kit Cross-Site Request Forgery
* devolo dLAN Cockpit 4.3.1 Unquoted Service Path Privilege Escalation
* WordPress Ultimate-Member 2.0.38 Cross Site Request Forgery / Shell Upload
* Joomla Jumi 3.0.5 Database Disclosure / SQL Injection
* Joomla JoomLeague 2.x Database Disclosure / SQL Injection
* Joomla Jomres 9.16.1 SQL Injection
* Joomla FacileForms 1.4.7 SQL Injection
* Joomla Acajoom 5.1.5 SQL Injection
* Joomla WebMapPlus 1.0 SQL Injection
* Joomla RedShop 2.0.0.3 Database Disclosure / SQL Injection
* Joomla PhotoMapGallery 1.0 SQL Injection
* Joomla PhocaDownload 3.1.7 Database Disclosure / SQL Injection
* Joomla Ninja RSS Syndicator 2.0.5 SQL Injection
* Joomla Mailto 1.2.2.2 SQL Injection
* Joomla K2 2.9.0 Database Disclosure / SQL Injection
* Joomla DocMan 3.3.4 SQL Injection
* Joomla BF Survey Pro 2.13.1 SQL Injection
* Joomla ActivityManager 5.3 SQL Injection
* Joomla RSForm 1.5 Database Disclosure / SQL Injection
* Joomla FSF FreeStyle FAQs 1.11.18 Database Disclosure / SQL Injection


Advisories

US-Cert Alerts & bulletins

* AA19-024A: DNS Infrastructure Hijacking Campaign
* AA18-337A: SamSam Ransomware

Symantec - Latest List

* Multiple CPU Hardware CVE-2017-5753 Information Disclosure Vulnerability
* Microsoft Internet Explorer CVE-2018-8373 Remote Memory Corruption Vulnerability
* Adobe Flash Player CVE-2018-15982 Use After Free Remote Code Execution Vulnerability
* Microsoft Internet Explorer VBScript Engine CVE-2018-8174 Arbitrary Code Execution Vulnerability
* Adobe Flash Player CVE-2018-4878 Use After Free Remote Code Execution Vulnerability
* Microsoft Skype for Android CVE-2019-0622 Local Privilege Escalation Vulnerability
* Microsoft Exchange Server CVE-2019-0588 Information Disclosure Vulnerability
* Microsoft SharePoint Server CVE-2019-0562 Remote Privilege Escalation Vulnerability
* Microsoft Exchange CVE-2019-0586 Remote Memory Corruption Vulnerability
* Microsoft Outlook CVE-2019-0559 Information Disclosure Vulnerability
* Microsoft Edge Chakra Scripting Engine CVE-2019-0568 Remote Memory Corruption Vulnerability
* Microsoft Edge Chakra Scripting Engine CVE-2019-0567 Remote Memory Corruption Vulnerability
* Microsoft Windows CVE-2019-0555 Local Privilege Escalation Vulnerability
* Microsoft Edge CVE-2019-0566 Remote Privilege Escalation Vulnerability
* Microsoft Edge CVE-2019-0565 Remote Memory Corruption Vulnerability
* Microsoft Visual Studio CVE-2019-0537 Information Disclosure Vulnerability
* Microsoft ASP.NET CVE-2019-0564 Denial Of Service Vulnerability
* Microsoft Office SharePoint CVE-2019-0557 Cross Site Scripting Vulnerability
* Microsoft Office SharePoint CVE-2019-0556 Cross Site Scripting Vulnerability
* Microsoft ASP.NET Core CVE-2019-0548 Denial of Service Vulnerability
* Microsoft ASP.NET Core CVE-2019-0545 Information Disclosure Vulnerability
* Microsoft Windows Hyper-V CVE-2019-0551 Remote Code Execution Vulnerability
* Microsoft Internet Explorer CVE-2019-0541 Remote Code Execution Vulnerability
* Microsoft Chakra Scripting Engine CVE-2019-0539 Remote Memory Corruption Vulnerability
* Microsoft Windows Hyper-V CVE-2019-0550 Remote Code Execution Vulnerability
* Microsoft Word CVE-2019-0561 Information Disclosure Vulnerability

Packet Storm Security - Latest List

Ubuntu Security Notice USN-3880-1
Ubuntu Security Notice 3880-1 - It was discovered that the CIFS client implementation in the Linux kernel did not properly handle setup negotiation during session recovery, leading to a NULL pointer exception. An attacker could use this to create a malicious CIFS server that caused a denial of service. Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. Various other issues were also addressed.

Ubuntu Security Notice USN-3871-3
Ubuntu Security Notice 3871-3 - Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service or possibly execute arbitrary code. Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service or possibly execute arbitrary code. Various other issues were also addressed.

Ubuntu Security Notice USN-3879-1
Ubuntu Security Notice 3879-1 - Wen Xu discovered that the ext4 file system implementation in the Linux kernel could possibly perform an out of bounds write when updating the journal for an inline file. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service. Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. Various other issues were also addressed.

Ubuntu Security Notice USN-3878-1
Ubuntu Security Notice 3878-1 - It was discovered that a race condition existed in the vsock address family implementation of the Linux kernel that could lead to a use-after-free condition. A local attacker in a guest virtual machine could use this to expose sensitive information. Cfir Cohen discovered that a use-after-free vulnerability existed in the KVM implementation of the Linux kernel, when handling interrupts in environments where nested virtualization is in use. A local attacker in a guest VM could possibly use this to gain administrative privileges in a host machine. Various other issues were also addressed.

Ubuntu Security Notice USN-3879-2
Ubuntu Security Notice 3879-2 - USN-3879-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Wen Xu discovered that the ext4 file system implementation in the Linux kernel could possibly perform an out of bounds write when updating the journal for an inline file. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service. Various other issues were also addressed.

Ubuntu Security Notice USN-3871-4
Ubuntu Security Notice 3871-4 - USN-3871-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service or possibly execute arbitrary code. Various other issues were also addressed.

Red Hat Security Advisory 2019-0271-01
Red Hat Security Advisory 2019-0271-01 - The systemd packages contain systemd, a system and service manager for Linux, compatible with the SysV and LSB init scripts. It provides aggressive parallelism capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, and keeps track of processes using Linux cgroups. Issues addressed include a stack overflow vulnerability.

Red Hat Security Advisory 2019-0269-01
Red Hat Security Advisory 2019-0269-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2019-0270-01
Red Hat Security Advisory 2019-0270-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 60.5.0. Issues addressed include a use-after-free vulnerability.

Red Hat Security Advisory 2019-0265-01
Red Hat Security Advisory 2019-0265-01 - Red Hat Gluster Storage Web Administration includes a fully automated setup based on Ansible and provides deep metrics and insights into active Gluster storage pools by using the Grafana platform. Red Hat Gluster Storage Web Administration provides a dashboard view which allows an administrator to get a view of overall gluster health in terms of hosts, volumes, bricks, and other components of GlusterFS. Issues addressed include open redirection and other vulnerabilities.

Debian Security Advisory 4383-1
Debian Linux Security Advisory 4383-1 - Pavel Cheremushkin discovered several vulnerabilities in libvncserver, a library to implement VNC server/client functionalities, which might result in the execution of arbitrary code, denial of service or information disclosure.

Debian Security Advisory 4381-1
Debian Linux Security Advisory 4381-1 - Alex Infuehr discovered a directory traversal vulnerability which could result in the execution of Python script code when opening a malformed document.

Debian Security Advisory 4382-1
Debian Linux Security Advisory 4382-1 - Nick Cleaton discovered two vulnerabilities in rssh, a restricted shell that allows users to perform only scp, sftp, cvs, svnserve (Subversion), rdist and/or rsync operations. Missing validation in the rsync support could result in the bypass of this restriction, allowing the execution of arbitrary shell commands.

Slackware Security Advisory - mariadb Updates
Slackware Security Advisory - New mariadb packages are available for Slackware 14.1 and 14.2 to fix security issues.

Debian Security Advisory 4380-1
Debian Linux Security Advisory 4380-1 - A vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery.

Debian Security Advisory 4379-1
Debian Linux Security Advisory 4379-1 - A vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery.

Ubuntu Security Notice USN-3871-2
Ubuntu Security Notice 3871-2 - USN-3871-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. Unfortunately, that update introduced regressions with docking station displays and mounting ext4 file systems with the meta_bg option enabled. This update fixes the problems. Various other issues were also addressed.

Ubuntu Security Notice USN-3877-1
Ubuntu Security Notice 3877-1 - It was discovered that LibVNCServer incorrectly handled certain operations. A remote attacker able to connect to applications using LibVNCServer could possibly use this issue to obtain sensitive information, cause a denial of service, or execute arbitrary code.

Red Hat Security Advisory 2019-0237-01
Red Hat Security Advisory 2019-0237-01 - The etcd packages provide a highly available key-value store for shared configuration. Issues addressed include an improper authentication vulnerability.

Red Hat Security Advisory 2019-0230-01
Red Hat Security Advisory 2019-0230-01 - The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones. Issues addressed include an auth hijacking vulnerability.

Red Hat Security Advisory 2019-0229-01
Red Hat Security Advisory 2019-0229-01 - The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Issues addressed include bypass and use-after-free vulnerabilities.

Red Hat Security Advisory 2019-0231-01
Red Hat Security Advisory 2019-0231-01 - The Simple Protocol for Independent Computing Environments is a remote display system built for virtual environments which allows the user to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. Issues addressed include an off-by-one error.

Red Hat Security Advisory 2019-0232-01
Red Hat Security Advisory 2019-0232-01 - The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine hypervisor or on Red Hat Enterprise Virtualization Hypervisors. Issues addressed include an off-by-one error.