Cyber Security Institute

Tuesday, April 21, 2015

Newsalert - 2015 Apr 21

**Pushdo spamming botnet gains strength again** 
Computers in more than 50 countries are infected with a new version of Pushdo, a spamming botnet that has been around since 2007 and survived several attempts to shut it down. 
The latest version has been pushing Fareit, a credential-stealing malware, and Cutwail, a spam engine module. It has also been used to distribute online banking Trojans such as Dyre and Zeus. 
Its secondary command-and-control system uses an elaborate domain generation algorithm (DGA) to produce 30 domain names a day that an infected computer can try to contact, according to an advisory on Fidelis’s blog. Fidelis reverse-engineered the algorithm, which allowed it to predict and register some of those domains before the botnet operators could. 
**Link:** http://www.itworld.com/article/2912535/pushdo-spamming-botnet-gains-strength-again.html#tk.rss_news 

**Study Uncovers Fears of Potential Domino Effect from Cyberattacks** 
RedSeal (redseal.co) unveiled its comprehensive survey of high-ranking executives that vividly illustrates widespread concern regarding the potential effects of cyberattacks in corporate America. Most of the C-level professionals surveyed readily acknowledge that a coordinated assault launched by sophisticated cybercriminals would wreak ongoing havoc on business operations, cause considerable harm to a brand, and potentially affect related companies, even entire industries. In addition, many also point out that in the networked economy, containing the problems caused by a sustained network attack will be very difficult. In fact, a major network disruption at a single company or network can easily disrupt or even wreak havoc on a local, state, national and even global level.
The vast majority of the executives surveyed, 74%, acknowledge that cyberattacks on networks of U.S. organizations can cause “serious damage or disruption,” and most of the rest, 21%, admit to fears of “significant damage or disruption.” More specifically, almost 80% admit that such attacks can inflict “serious impacts to business profitability and growth,” and bring about “serious brand damage.” A large number, 45%, also related personnel concerns, saying such events will lead to a “big hit on employee productivity.” More than 43% also predict business downtime, while more than 41% fear “internal/organizational disruption or chaos.” 
In fact, the idea of a domino effect—one successful attack on one network leading directly to attacks on different networks in diverse but connected sectors of the economy—clearly resonated strongly with the executives surveyed. More than half the respondents, 52%, singled out “defense systems” as being potentially affected by a cyber-criminal incident or data breach, while 45% cited “border security.” And taking a big picture approach, a significant 59% said such attacks will take their toll on “economic security.” 
**Link:** http://www.darkreading.com/attacks-breaches/study-uncovers-fears-of-potential-domino-effect-from-cyberattacks/d/d-id/1320053 

**Investment Advisers: Six Areas of Focus for SEC Cybersecurity Exams** 
The U.S. Securities and Exchange Commission (SEC), in an effort to consistently reinforce its expectations in the area of cyber risk management, last year issued a cybersecurity-dedicated Risk Alert, as well as other communications, to address the growing number and complexity of cybersecurity risks facing investment advisers (IAs). The alert, issued by the Office of Compliance Inspections and Examinations (OCIE), highlights the SEC’s cybersecurity initiative, including a sweep of more than 50 registered IAs and broker-dealers focusing on cybersecurity. 
The alert also provides a sample document request that lists six primary areas the OCIE plans to evaluate during cybersecurity exams, along with the processes and controls examiners expect IAs to have in place to address threats, including those related to networks and information, remote customer access, and vendors and other third parties.   
**Link:** http://deloitte.wsj.com/riskandcompliance/2015/04/21/investment-advisers-six-areas-of-focus-for-sec-cybersecurity-exams-3/ 

**U.S. plans a cybersecurity center in Silicon Valley** 
The center will function as a satellite office of the National Cybersecurity and Communications Integration Center (NCCIC), a day-and-night operation that acts as an information and threat clearing house for government and private entities. 
**Link:** http://www.computerworld.com/article/2912468/cybercrime-hacking/us-plans-a-cybersecurity-center-in-silicon-valley.html?phint=newt%3Dcomputerworld_dailynews&phint=idg_eid%3Dd5d8326c323742a4ed7bf4fd3dac54c4#tk.CTWNLE_nlt_pm_2015-04-21&siteid=&phint=tpcs%3D&phint=idg_eid%3Dd5d8326c323742a4ed7bf4fd3dac54c4 

**New fileless malware found in the wild** 
Since the discovery of the Poweliks fileless Trojan in August 2014, researchers have been expecting similar malware to appear. 
The wait is over: Phasebot, malware that also uses a fileless infection routine, is being sold online. 
Phasebot appears to be a direct successor of Solarbot. 
Its detection evasion tactics include rootkit capabilities, encryption of communications with its C&C server using random passwords, and virtual machine detection. 
**Link:** http://www.net-security.org/malware_news.php?id=3021 

**“Buhtrap” Malware Targeting Russian Banks And Businesses** 
ESET has discovered a malware campaign, nicknamed Operation Buhtrap, targeting Russian banks and the accounting departments of Russian businesses. The campaign has apparently been active for more than a year; 88 percent of the attacks have been in Russia and 10 percent in Ukraine. 
ESET analysts, who first spotted the campaign late in 2014, found it exploiting CVE-2012-0158, a buffer overflow in the ListView/TreeView ActiveX controls of the MSCOMCTL.OCX library that Microsoft patched in 2012. The malicious code is triggered by a specially crafted DOC or RTF file opened in MS Office 2003, 2007, or 2010, according to Security Affairs. 
**Link:** http://www.bsminfo.com/doc/buhtrap-malware-targeting-russian-banks-businesses-0001 

**Lieberman Software’s Security Double-Tap(TM) Defeats Golden Ticket Cyber Attacks** 
LOS ANGELES, CA—(Marketwired - April 21, 2015) - Lieberman Software Corporation today announced Security Double-Tap, a solution to block the destructive Golden Ticket cyber attack. This new feature is included in Enterprise Random Password Manager™ (ERPM)—the company’s privilege management platform—and is being exhibited for the first time at RSA Conference 2015 in San Francisco, CA.
Today’s enterprises are under assault from sophisticated cyber attacks like pass-the-hash (PTH) and pass-the-ticket (PTT). These techniques, at the core of some of the most notorious recent data breaches, operate at nearly a 100% success rate. While PTH is the more widely known threat, the related PTT attack is just as dangerous. PTT attacks target Kerberos, the default authentication protocol in Windows domains. A Golden Ticket is a forged Kerberos ticket-granting ticket created with the key of the domain’s krbtgt account; because domain controllers accept tickets protected with either the current or the immediately previous krbtgt key, a single password reset leaves forged tickets valid. 
ERPM now provides an automated double password reset specifically designed to combat the Golden Ticket attack. The two password resets (the Security Double-Tap) retire both krbtgt keys an attacker could hold and force rapid replication of the changed credentials throughout the domain, blocking the use of compromised accounts. In conjunction with this process, ERPM can also force an automatic chained reboot of target systems to clear hashes and passwords from memory and prevent memory scraping. 
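The two-pass krbtgt reset described above, written out as an added PowerShell example; this is illustrative code, not Lieberman Software’s ERPM implementation. It assumes the ActiveDirectory module, Domain Admin rights, and that `repadmin` is on the path; the wait between passes (default: 10 hours, the default maximum TGT lifetime) is an assumed policy choice and can be set to zero for a rapid double reset at the cost of invalidating every legitimate TGT in the domain.

```powershell
# Added example (not ERPM code): reset the krbtgt password twice, verifying
# that each change has replicated to every writable DC before continuing.
# Assumptions: ActiveDirectory module present, Domain Admin rights, repadmin
# on the path, and a single AD domain (RODC krbtgt_* accounts are not handled).
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 64)
    # 64 random bytes, base64-encoded so the string is printable; AD derives the
    # Kerberos keys from it, so the literal value never needs to be recorded.
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Get-KrbtgtPwdVersion {
    # pwdLastSet's replication metadata version increments on every reset, so
    # matching versions on all DCs mean the new key has replicated everywhere.
    param([string]$Server, [string]$KrbtgtDn)
    $meta = Get-ADReplicationAttributeMetadata -Object $KrbtgtDn -Server $Server |
            Where-Object { $_.AttributeName -eq 'pwdLastSet' }
    return [int]$meta.Version
}

function Wait-KrbtgtReplication {
    param([string[]]$DomainControllers, [string]$KrbtgtDn, [int]$ExpectedVersion,
          [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $lagging = $DomainControllers | Where-Object {
            (Get-KrbtgtPwdVersion -Server $_ -KrbtgtDn $KrbtgtDn) -ne $ExpectedVersion
        }
        if ($lagging) { Start-Sleep -Seconds 15 }
    } while ($lagging -and (Get-Date) -lt $deadline)
    if ($lagging) { throw "krbtgt change not replicated to: $($lagging -join ', ')" }
}

function Invoke-KrbtgtDoubleReset {
    param(
        # Assumed default: the maximum TGT lifetime, so live tickets expire
        # before the second reset. Use 0 for the rapid variant.
        [int]$WaitBetweenResetsSeconds = 36000,
        [int]$ReplicationTimeoutSeconds = 600
    )
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator
    $krbtgt = Get-ADUser -Identity krbtgt -Server $pdc
    $dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    for ($pass = 1; $pass -le 2; $pass++) {
        $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $krbtgt -Reset -NewPassword $secret -Server $pdc
        $version = Get-KrbtgtPwdVersion -Server $pdc -KrbtgtDn $krbtgt.DistinguishedName
        Write-Host "Pass ${pass}: krbtgt reset on $pdc (pwdLastSet version $version)"

        # Push the change to all partitions, across sites, instead of waiting
        # for the replication schedule.
        & repadmin /syncall $pdc /AdeP | Out-Null
        Wait-KrbtgtReplication -DomainControllers $dcs -KrbtgtDn $krbtgt.DistinguishedName `
                               -ExpectedVersion $version -TimeoutSeconds $ReplicationTimeoutSeconds
        Write-Host "Pass ${pass}: replicated to $($dcs.Count) domain controllers"

        if ($pass -eq 1 -and $WaitBetweenResetsSeconds -gt 0) {
            Write-Host "Waiting $WaitBetweenResetsSeconds seconds before the second reset"
            Start-Sleep -Seconds $WaitBetweenResetsSeconds
        }
    }
}

# Invoke-KrbtgtDoubleReset                       # staged: second reset after TGT lifetime
# Invoke-KrbtgtDoubleReset -WaitBetweenResetsSeconds 0   # rapid "double-tap"
```

The replication check matters more than the resets themselves: if the second reset runs before the first has reached every DC, a DC that is still behind will accept a ticket protected with the original (compromised) key. Read-only domain controllers have their own `krbtgt_<id>` accounts that this example does not touch, and a krbtgt reset does nothing about the credential theft that produced the Golden Ticket in the first place, which is what the chained reboot in the press release is meant to address.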
**Link:** http://www.reuters.com/article/2015/04/21/idUSnMKWDwJzFa+1ea+MKW20150421 

**RSA supremo rips ‘failed’ security industry a new backdoor, warns of ‘super-mega hack’** 
At RSA Conference 2015, RSA president Amit Yoran tore into the infosec industry, telling the 30,000 attendees at this year’s computer security conference that they have failed. 
He said security bods should drop “legacy approaches” that have led to a false sense of security. Such approaches are akin to building “higher walls” and “deeper moats,” which will not help address the shortcomings in security. 
**Link:** http://www.theregister.co.uk/2015/04/21/rsa_boss_rips_failed_security_industry/