[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
Finding information on these threats is a dynamic, moving target and there isn’t any one-stop source or service that gives you all you need to know. Worse, the details are full of irrelevant, noisy information, nearly impossible to decipher.
When you go looking, the data found in the Dark Web is almost always highly relevant to you and your business. Because you (presumably) know you, your employees, your products, your customers, your IT, your supply chain, you have all the information you need to begin filtering through Dark Web data looking for things that really matter.
Setting up your own Dark Web mining environment using TOR, private browsing on air gapped terminals via sequestered virtual machine clusters (VMs), is something that’s well-understood among cybersecurity professionals already on your team. When you pair them with the security analysts and intelligence personnel you’re hiring to staff up your cyber intelligence initiatives, it becomes something you can start almost in complete logistic (and fiscal) parallel with these other efforts.
Further, once you’re up and running, collecting and storing this information in a standard way — the same way you do other cyber event, incident and alert data — means it’s possible to begin creating a long-term data repository that can be mined and analyzed to perform forensics, predictive analysis, root-cause analysis, and other analytic activities that help you get better organized in your other, more traditional cyber defense operations. Those who don’t are losing out.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d5a280610f&e=20056c7556
Adobe releases emergency Flash zero-day patch
According to the Adobe bulletin, the update addresses a critical vulnerability (CVE-2015-3113) that could potentially allow an attacker to take control of the affected system. Adobe noted the vulnerability is being actively exploited in the wild via “limited, targeted attacks,” but did not give details on the attacks.
According to FireEye, the way the Flash Player parses Flash Video files gives rise to the vulnerability. The phishing emails are fairly generic and look like spam messages offering Apple computer discounts. The exploit uses common vector corruption techniques to bypass address space layout randomization security, and uses return-oriented programming to bypass data execution prevention.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=078752ca23&e=20056c7556
Elusive HanJuan EK Drops New Tinba Version (updated)
Update: Dutch security firm Fox-IT has identified the payload as a new version of Tinba, a well-known banking piece of malware.
The exploit kit pushed here looked different than what we are used to seeing (Angler EK, Fiesta EK, Magnitude EK, etc.). After some analysis and comparisons, we believe it is the HanJuan EK.
Every encounter with HanJuan EK is interesting because it happens so rarely. As always the exploit kit only targets the pieces of software that have the highest return on investment (read: most deployed and with available vulnerabilities): Internet Explorer and the Flash Player.
The malvertising component was a little bit out of place for such a stealthy exploit kit. This is also true for the site hosting the kit, a genuine Joomla! website in the Netherlands. We have passed on the information about that server so that a forensic analysis and full investigation can be conducted.
The dropped binary, which we nicknamed Fobber, has the ability to steal valuable user credentials and is also fairly resistant to removal by receiving updates to both itself and command servers. While our research teams have not observed Fobber stealing any banking information, it certainly seems possible considering the flexibility offered by the malware’s update model. We will continue to provide any updates on Fobber in our blog as we see any improvements made in the malware.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cfd255f114&e=20056c7556
Fake Bank of America Twitter Feed Leads to Phishing Page
Over the last day or so, a Twitter feed claiming to be a support channel for Bank of America has been sending links and messages to anybody having issues with their accounts.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1515c4299d&e=20056c7556
Firms track Dyre’s rise to top financial malware threat
On Tuesday, Symantec released a whitepaper (PDF) on Dyre and its impact on the financial fraud landscape, noting that the malware targets all three major browsers (Internet Explorer, Firefox, and Chrome), and that it has been configured to target customers at more than 1,000 banks and other firms around the globe. Users in the U.S. and UK have primarily been targeted by the trojan, Symantec added in a blog post covering its research.
Earlier this month, Trend Micro found that there were nearly 9,000 Dyre infections in the first quarter of 2015, up from 4,000 infections seen in the previous quarter. At the time, 39 percent of infections were attributed to European users, while North American users accounted for another 38 percent of malware attacks.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f76fa6ab38&e=20056c7556
Dyre Banking Malware Uses 285 Command and Control Servers
Cybercriminals running Dyre banking Trojan have built an impressive infrastructure that counts hundreds of servers, researchers found, tasked with assignments designed to maintain and expand the activity of the malware.
But unlike malware of the same feather, this one has moved to superior levels, with no less than 285 command and control (C&C) servers and 44 other machines that deliver plugins and additional payloads, or execute (MitB) attacks.
Most of the C&C servers (227 of them) have been pinpointed in Ukraine and Russia, but the infrastructure also spreads to Poland, Bulgaria, Andorra, Netherlands, Serbia, Moldova, Hungary, Germany, France, Czech Republic, Austria, Bulgaria, Slovakia, and the US.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=12a7c15c1e&e=20056c7556
Report Template for Threat Intelligence and Incident Response
When handling a large-scale intrusion, incident responders often struggle with obtaining and organizing the intelligence related to the actions taken by the intruder and the targeted organization. Examining all aspects of the event and communicating with internal and external constituents is quite a challenge in such strenuous circumstances.
The following template for a Threat Intelligence and Incident Response Report aims to ease this burden. It provides a framework for capturing the key details and documenting them in a comprehensive, well-structured manner.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=30dad68bcd&e=20056c7556
Killer ChAraCter HOSES almost all versions of Reader, Windows
Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.
The nastiest vulnerabilities for 32-bit (CVE-2015-3052) and 64-bit (CVE-2015-0093) systems exist in the Adobe Type Manager Font Driver (ATMFD.dll) module which has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=12427bf6d5&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If someone forwarded this email to you and you want to be added in,
please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage1.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=ea5c7f010d)
** Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)