[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
New APT Duqu 2.0 Hits High-Value Victims, Including Kaspersky Lab
The Duqu attackers, who are considered by researchers to be at the top of the food chain of APT groups and are responsible for attacking certificate authorities and perhaps spying on Iran’s nuclear program, have resurfaced with a new platform that was used to compromise high-profile victims, including some related to the Iran nuclear talks last fall.
The key difference with the Duqu 2.0 attacks is that the malware platform the team uses has modules that reside almost entirely in memory, leaving little on disk for file-based scanning to find.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6be4d52623&e=20056c7556
Poweliks malware targets 200,000 computers with covert Windows registry attacks
Hackers have targeted almost 200,000 computers using a dangerous ‘file-less’ version of the Poweliks malware over the past six months, according to researchers at Symantec.
“As a file-less threat, Poweliks does not exist as a file on a disk but instead resides solely in the registry. This means that it cannot be deleted from the compromised computer in the traditional sense,” read the advisory.
“The threat also uses several other novel techniques to compromise infected computers. Poweliks uses a special naming scheme to hide in the registry and has consistently used CLSID [Class ID] hijacking as runtime load points in the registry.”
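The two traits the advisory names, values hidden behind names regedit cannot display and per-user CLSID load points that run a script host instead of a DLL, are both visible in a plain `reg export`. The script below is an added example for this newsletter, not Symantec's tooling or a Poweliks sample: it parses a .reg file and flags both patterns. The .reg excerpt is constructed, the CLSIDs in it are made up, and the heuristics (control characters in autorun names, a script host such as javascript:/mshta/powershell in an autorun or CLSID server, a CLSID server that is not a .dll/.exe/.ocx) are my own assumptions about what is worth a second look.

```python
"""Hunt a .reg export for Poweliks-style persistence: autorun values with
non-printable names and CLSID InprocServer32/LocalServer32 hijacks whose
load point is a script host rather than a module.  Added example; the
SAMPLE_REG text is constructed and its CLSIDs are not real indicators."""
import re
from typing import Dict, List, Tuple

SCRIPT_HOST = re.compile(r"javascript:|vbscript:|\bmshta(\.exe)?\b|\bpowershell(\.exe)?\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
CLSID_SERVER = re.compile(
    r"\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)$", re.I)
MODULE_EXT = (".dll", ".exe", ".ocx")

# Constructed `reg export HKCU` excerpt.  <NP> is replaced by a 0x01 control
# character at the start of a value name, the kind of name regedit hides.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"<NP>a"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";window.close()"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{12345678-ABCD-4EF0-9ABC-0123456789AB}\InprocServer32]
@="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";window.close()"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{87654321-4321-4321-4321-BA9876543210}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"
'''.replace("<NP>", "\x01")


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal regedit-v5 parser -> {key: {value_name: data}}.  The default
    value is stored under "".  Only REG_SZ data is decoded; dword:/hex:
    data is kept verbatim, which is enough for load-point hunting."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _first_token(cmd: str) -> str:
    """Executable/module path at the front of a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def hunt(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for every suspicious load point."""
    findings = []
    for key, values in keys.items():
        if RUN_KEY.search(key):
            for name, data in values.items():
                if any(ord(c) < 0x20 for c in name):
                    findings.append((key, name, "non-printable character in value name"))
                if SCRIPT_HOST.search(data):
                    findings.append((key, name, "script host in autorun command"))
        elif CLSID_SERVER.search(key):
            server = values.get("", "")
            if SCRIPT_HOST.search(server):
                findings.append((key, "", "CLSID server runs a script host"))
            elif not _first_token(server).lower().endswith(MODULE_EXT):
                findings.append((key, "", "CLSID server is not a DLL/EXE: %r" % server))
    return findings


def scan_reg_text(text: str) -> List[Tuple[str, str, str]]:
    return hunt(parse_reg(text))


if __name__ == "__main__":
    for key, name, reason in scan_reg_text(SAMPLE_REG):
        print("%-40s %r\n    %s" % (reason, name, key))
```

`reg export` writes UTF-16LE, so open a real export with `encoding="utf-16"` before passing it to `scan_reg_text`. Expect legitimate per-user CLSID overrides from some installers; the point is to surface the load point so a human can look at the command it runs, not to auto-delete.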
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=923b8440c2&e=20056c7556
Macro malware attacks gather pace as criminals look to cut costs
At first it’s hard to believe that the old-world macro ‘virus’ could once again pose a significant threat but that’s what appears to be happening, driven largely by campaigns to distribute two families of banking malware, Dridex and Dyre.
Proofpoint said the phenomenon reached its peak in late April and early May when macro malware was being used to distribute no fewer than 56 different Dridex campaigns, eclipsing malicious URLs in terms of absolute volumes.
The reason appears to be a combination of small advantages rather than one big over-arching reason, starting with the fact that any platform that can run Office can be attacked, Macs as well as Windows PCs. Macros can be re-purposed across platforms very easily.
A second reason is that the technique is cheap and requires very little infrastructure to pull off. Macros are as simple a malware type as it is possible to imagine and can be programmed very quickly as well as tweaked to beat what defences they encounter.
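Because a macro document is cheap to re-spin, gateway filtering that keys on the attachment's extension is the weak point: the same payload ships as .docm, or as a .docm renamed to .doc. The script below is an added example, not Proofpoint's or any vendor's filter: it classifies an attachment by its bytes (OOXML zip with a vbaProject.bin part or a macroEnabled content type, or a legacy OLE container), then compares that with what the filename claims. The sample documents are constructed in memory and the quarantine/inspect/deliver policy is an assumption for illustration.

```python
"""Content-based triage of Office attachments: decide what a file is from
its bytes, then flag macro-enabled content hiding behind a non-macro
extension.  Added example; sample documents are constructed in memory."""
import io
import zipfile
from typing import Dict

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls/.ppt compound file
MACRO_PARTS = ("vbaproject.bin", "vbadata.xml")   # parts only macro-enabled OOXML carries
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def classify_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Return kind ('ooxml', 'ole', 'other'), has_macros (True/False, or None
    when the legacy OLE format would need a real OLE parser such as olevba),
    and renamed (macro content behind an extension that claims none)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    info: Dict[str, object] = {"name": filename, "kind": "other",
                               "has_macros": False, "renamed": False}
    if data.startswith(OLE_MAGIC):
        info["kind"], info["has_macros"] = "ole", None
    elif data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
                types_xml = ""
                if "[Content_Types].xml" in z.namelist():
                    types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        except zipfile.BadZipFile:
            return info
        if types_xml:
            info["kind"] = "ooxml"
            info["has_macros"] = (any(n.endswith(MACRO_PARTS) for n in names)
                                  or "macroenabled" in types_xml)
    if info["kind"] == "ooxml" and info["has_macros"] and ext not in MACRO_EXTS:
        info["renamed"] = True   # e.g. invoice.docm shipped as invoice.doc
    return info


def verdict(info: Dict[str, object]) -> str:
    """Assumed gateway policy: macros -> quarantine, legacy OLE -> deeper
    inspection, everything else -> deliver."""
    if info["has_macros"]:
        return "quarantine"
    if info["has_macros"] is None:
        return "inspect"
    return "deliver"


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal Word package, just enough for the checks above."""
    ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros else
          "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>' % ct)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docm", build_ooxml(True)),
                       ("invoice.doc", build_ooxml(True)),     # renamed
                       ("report.docx", build_ooxml(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 504)):
        info = classify_attachment(name, blob)
        print("%-13s kind=%-5s macros=%-5s renamed=%-5s -> %s"
              % (name, info["kind"], info["has_macros"], info["renamed"], verdict(info)))
```

The 'inspect' path is deliberate: for the legacy binary formats the macro streams sit inside the OLE container and need a proper parser (oletools' olevba is the usual choice), and pretending otherwise is how renamed .doc payloads get through.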
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b9810cc771&e=20056c7556
Backoff is the trending malware that has infected more than 1,000 US businesses. Reports reveal that a variant now dubbed ‘ROM’ has been fine-tuned with upgrades that encrypt the connections between infected systems and the attackers’ command-and-control servers. The changes are made to make the malware harder to detect or eradicate. Dairy Queen is one of the popular retail chains that was a victim of this malware.
vSkimmer is a botnet-like malware that was first detected by McAfee researchers. It targets POS machines running Windows to steal credit card data from card payments and financial transactions. It installs itself as a file named ‘iexplorer.exe’, stays active by rewriting a registry key, and then harvests credit card data and transfers it to a command-and-control server. The malware also provides offline data capture through a USB device connected to the compromised system.
BlackPOS malware infects POS systems running Windows and fitted with card readers. The machines are discovered with automated internet scans, and weak remote administration credentials or unpatched vulnerabilities are the main causes of compromise. It scans running processes for Track 1 and Track 2 formatted data, stores it in a file called ‘output.txt’, and then uses FTP to upload it to a compromised server. This malware was discovered on Target’s point-of-sale systems.
Dexter differs from POS breaches that rely on phishing attempts or skimmers installed on endpoints. The Dexter malware infects files on Windows servers and then scrapes credit card information as it is entered on the compromised machine. It also parses memory dumps of specific software processes and searches for Track 1 and Track 2 credit card data, according to Seculert.
Alina scans running processes for credit card track data. It can run updates on the infected computer and uses HTTP to upload data about the infected machine and the compromised payment card information to the attacker’s command-and-control server. When it dumps memory it works from a blacklist, skipping system processes that are unlikely to hold card data.
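BlackPOS, Dexter and Alina all do the same core thing: walk process memory looking for Track 1 and Track 2 formatted data. A defender can run the same search over a memory dump from a POS host to learn whether card data sits in cleartext at all, which is the question point-to-point encryption is meant to answer with "no". The scanner below is an added example, not code from any of the malware families or vendors named above. It matches the track layouts (Track 1: `%B<PAN>^<name>^<YYMM><service code>...?`, Track 2: `;<PAN>=<YYMM><service code>...?`), drops matches whose PAN fails the Luhn check so random digit runs are not reported, and masks the PAN so the tool's own output is not another copy of card data. The memory buffer it scans is constructed and uses the well-known 4111.../5555... test card numbers.

```python
"""Scan a byte buffer (a process memory dump, for instance) for Track 1 and
Track 2 magnetic-stripe data, Luhn-validate the PAN, and report masked hits.
Added example; SAMPLE_MEMORY is constructed and uses public test PANs."""
import re
from typing import Dict, List

# Track 1: %B<PAN 12-19 digits>^<name up to 26 chars>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    rb"%[AB](?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,40}\?")
# Track 2: ;<PAN 12-19 digits>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(
    rb";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,40}\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn (mod 10) check on an ASCII digit string; real PANs pass it, so a
    failing match is almost always noise rather than card data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # bytes iterate as ints
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep BIN (first 6) and last 4, the usual PCI-tolerated display form."""
    return (pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]).decode()


def scan_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Return one record per Luhn-valid track hit, PAN masked, with the
    buffer offset so the owning process/region can be traced back."""
    hits: List[Dict[str, object]] = []
    for track, rx in ((1, TRACK1), (2, TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue
            hits.append({"track": track, "offset": m.start(), "pan": mask_pan(pan),
                         "exp": m.group("exp").decode(), "service_code": m.group("svc").decode()})
    return hits


# Constructed memory snapshot: log text, a Track 1 record, an HTML fragment,
# a Track 2 record, and a Track 2 look-alike whose PAN fails Luhn.
SAMPLE_MEMORY = (
    b"\x00" * 8 + b"POS terminal v4.2 log\n"
    + b"%B4111111111111111^DOE/JOHN^25121011000000000?" + b"\x00\x00"
    + b"<html>session=abc</html>"
    + b";5555555555554444=25121011000000000?"
    + b"\n;1234567890123456=25121010000000000?"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in scan_track_data(SAMPLE_MEMORY):
        print(hit)
```

On a live Windows host the same function would be fed the output of a process-memory read (the scrapers use ReadProcessMemory for exactly this); on a collected dump, `scan_track_data(open(path, "rb").read())` is enough. Any hit in a process other than the payment application's own is a finding in its own right.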
1. Upgrade host security
2. Use point-to-point encryption (p2pe)
3. Restrict or disallow remote access
4. Secure the cash and point-of-sale register
5. Secure the network
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ba6175a126&e=20056c7556
Europol inks MoU with European ATM Security Team
Europol’s European Cybercrime Centre (EC3) signed a Memorandum of Understanding (MoU) with the European ATM Security Team (EAST) in order to further strengthen cooperation in combating all types of payment crime, including card-not-present fraud, card-present fraud, high-technology crime, as well as ATM malware and physical attacks.
The MoU allows Europol and EAST to exchange strategic data and other non-operational information.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2cd259bfe8&e=20056c7556
Breach Defense Playbook, Part 1: Assessing Your Cybersecurity Engineering
To assess the engineering of your cybersecurity infrastructure, you need to use a security-controls-based and systematic approach, focusing on critical data systems and information. This is called a Cybersecurity Engineering Assessment, or CEA. The methodology for assessing your cybersecurity engineering needs to take into account not only industry-wide accepted information security practices, but also the threat to critical business processes and sensitive data. Thieves target public and private sector organizations for their intellectual property, and some such as hacktivist groups do so for the sole purpose of making this information public. Most companies have some type of intellectual property that they do not want “out in the open.”
The CEA should provide a gap analysis to understand where gaps currently exist in your security posture. A common framework for analyzing gaps is the 20 Critical Controls as outlined in the Consensus Audit Guidelines. The CAG provides a relevant technical baseline from which organizations can glean strategic and tactical cybersecurity planning and budgeting. The CAG identifies specific guidelines that focus on the most critical baseline security controls, and the list was derived from guides, standards, and requirements put forth by some of the first organizations to tackle this type of problem. Organizations such as the NSA, US-CERT, DC3, Federal CIOs and CISOs, DoE, DoD, GAO, MITRE, and SANS all contributed to the creation of the CAG.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6de3a7b108&e=20056c7556
Mac malware can survive hard disk formatting
Portuguese researcher and self-described “Mac malware hunter” Pedro Vilaca discovered that a bug in the energy conservation functionality left flash protections unlocked after waking from sleep mode.
“This means that an attacker can reflash the computer’s firmware to install Extensible Firmware Interface (EFI) rootkit malware,” said an announcement from Symantec last week.
The security vendor found that the Mac Mini 5.1 and MacBook Pro 9.2 were vulnerable, with Vilaca also discovering that MacBook Pro Retina 10.1, MacBook Pro 8.2, MacBook Air 5.1 and Mac Pro 9.1 were affected.
“Affected Mac users are advised to keep their software up to date since remote exploit of this vulnerability needs to be performed in conjunction with another vulnerability that will provide remote root access. Updating software will prevent attacks using known exploits.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a15dfa71c4&e=20056c7556
Lawyers Need to Know these 10 Myths about Cyberthreats
Myth 1: Threat intelligence is just another term for data.
Myth 2: Only big companies have a need for threat intelligence.
Myth 3: It’s impossible to develop a business case and show ROI for threat intelligence.
Myth 4: The volume of sources and data outside our perimeter is too overwhelming to be useful.
Myth 5: Threat intelligence is only useful for the information security department.
Myth 6: I deal with guns and guards, so I don’t need cyber threat intelligence.
Myth 7: Our network is already protected by firewalls, IDS, and anti-virus solutions.
Myth 8: Threat intelligence is only useful before a breach or a security event.
Myth 9: We already have an in-house cyber security team, so we don’t need threat intelligence from a third-party.
Myth 10: We can’t afford to hire more analysts to process, review, and act upon threat intelligence.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f882fe8070&e=20056c7556
Botnets for hire mean anyone can launch a DDoS attack
The latest DDoS Threat Landscape Report from security specialist Incapsula reveals that whilst 71 percent of network layer attacks last under three hours, 20.4 percent last for more than five days.
At an estimated cost of $40,000 per hour according to Incapsula, the total cost of these attacks can run into millions of dollars. The longest attack recorded lasted for 64 days.
The report finds that once a site has been the target of an attack it’s likely to be hit again, on average once every 10 days. 20 percent of websites are being attacked more than five times.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4f10d73925&e=20056c7556
Dozens arrested in European cyber crime sweep: Europol
AMSTERDAM (Reuters) – Police have arrested 49 suspected members of a cyber crime syndicate in Spain, Poland and Italy who are suspected of stealing millions of euros from European bank accounts, Europol said on Wednesday.
The suspects, mainly from Nigeria and Cameroon, transferred the illicit profits outside of the European Union through a sophisticated network of money laundering transactions.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c7fe3748c2&e=20056c7556
Adobe issues patch update for 13 security vulnerabilities in Flash Player
Adobe has issued a relatively small security update which patches a total of 13 vulnerabilities in Flash Player.
On Tuesday, Adobe issued the firm’s latest set of security updates, specifically for the Adobe Flash Player. The updates for Windows, Mac and Linux users address “vulnerabilities that could potentially allow an attacker to take control of the affected system,” according to the tech giant.
In addition, Windows and Mac-based Adobe AIR Desktop Runtime 17.0.0.172 and earlier versions, Adobe AIR SDK and SDK & Compiler 17.0.0.172 and earlier, and Adobe AIR for Android 17.0.0.144 and earlier versions are all affected and covered by this update.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=706edf2a9d&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=c0383dea12)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)