
J2SECOPS WEEKLY NEWS: Everything from being an Enterprise of Anything to SWIFT not ready for blockchain

How many devices are misconfigured… or not configured?

I saw this blog post that Anton Chuvakin published over at Gartner, stating that there is a lot of security technology which is deployed yet misconfigured, not configured optimally, left at defaults, or deployed broken in other ways.

Having “played” with them again recently, it astounded me how many devices out there have default credentials, and, were I inclined to do so, I could connect to devices within the “IoT”, or as I like to call it, the “Enterprise of Anything”.

SWIFT says blockchain not ready for mainstream use

SWIFT, the Brussels-based messaging system which handles around half of all high-value cross-border payments, has been experimenting with blockchain. It says that while the test went extremely well, it concluded that further progress on the technology is needed before mainstream use. Watch this space.

The secret life of your login credentials

When your data leaves your machine, where does it go? What happens to it along the way? And what systems have been put in place to ensure that your information is kept private as it travels, and after it arrives at its final destination?
The short answer is: quite a lot. So strap in as we take you on a tour of the secret life of your username and password in order to expose the trials and tribulations of keeping a secret on the web.

New Detection Technique – TSCookie

TSCookie malware has appeared in several targeted attacks since 2015. TSCookie is commonly spread by email, and has recently been observed in fake messages purporting to come from the Ministry of Education and Sports in Japan.

TSCookie serves as a downloader. It communicates with C&C servers over HTTP and downloads a module and its loader. The malware contains an encrypted DLL that is loaded into memory. The DLL performs core functions such as communicating with C&C servers over an RC4-encrypted channel.

TSCookieRAT is the final malware downloaded and executed on a TSCookie infection. It can perform actions such as executing arbitrary shell commands, sending system information, and retrieving browser passwords. All communications are performed over HTTP, and encrypted separately.

We've updated the 'Malware Infection – Trojan' correlation rule to detect TSCookie activity.

New Detection Techniques – Mobile Trojan Infection

We've added the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from Syricka.GEN6254, HiddenApp.EN, Agent.AMP, Arukas.A!tr, RiskTool/Dnotua.olg, SMS-Flooder/Agent.l, Trojan/Agent.on, and Trojan/ families.

New Detection Technique – Malware SSL Certificates

We've updated the 'Malware Infection – Malicious SSL Certificate' correlation rule to include the list of certificates identified as associated with malware or botnet activity.

Updated Detection Technique – AZORult

AZORult has made recent appearances in the cybercrime space, spread through spam mail campaigns. Recent malicious emails have impersonated DHL delivery notices.

The malicious emails contained a single RTF file, which carries three different exploits in the form of .exe files and OLE objects. The vulnerabilities exploited are CVE-2017-8759, CVE-2017-11882, and CVE-2017-0199. These vulnerabilities affect several Microsoft Windows products, such as the .NET Framework and the Office suite. If any of the exploits executes successfully, the system is infected with AZORult version 2.

AZORult is a trojan with spyware and C&C capabilities. It can perform actions such as stealing passwords from web browsers and email clients, collecting wallet.dat files from popular bitcoin clients, and gathering other sensitive information such as Skype message history, the list of installed programs, file extensions, etc. Applying the proper patches to the affected Windows components is enough to prevent AZORult from infecting the machine in this campaign.

We've updated the 'Malware Infection – Trojan' correlation rule to detect AZORult activity.
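The AZORult lure described above is a single RTF carrying OLE objects that wrap .exe payloads. As an added triage example (not part of the original post or any vendor rule), the script below pulls every `\objdata` hex blob out of an RTF and flags blobs that carry a PE ("MZ") header. The sample RTF and its embedded bytes are constructed here; the "MZ" fragment is a fake header, not real malware, and the parser deliberately ignores RTF obfuscation tricks.

```python
import re
import binascii

# Constructed sample: two OLE objects, the first wrapping a fake PE ("MZ") header.
# The leading 8 bytes imitate an OLE1 "native" object header; the values are made up.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Package}{\*\objdata "
    + binascii.hexlify(b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"MZ\x90\x00" + b"\x00" * 8).decode()
    + r"}}{\object\objemb{\*\objdata 0105000002000000}}}"
)

# Hex payload following an \objdata control word; RTF writers may wrap it across lines.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf: str) -> list[bytes]:
    """Return the decoded payload of every \\objdata control word in the RTF text."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(r"\s+", "", match.group(1))
        if len(hexdata) % 2:
            # Odd-length hex: truncated or padded; drop the dangling nibble and keep the rest.
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata))
    return blobs


def triage_rtf(rtf: str) -> dict:
    """Summarise embedded OLE objects and whether any carries a PE header."""
    blobs = extract_objdata(rtf)
    embedded_pe = sum(1 for blob in blobs if b"MZ" in blob)
    return {
        "ole_objects": len(blobs),
        "embedded_pe": embedded_pe,
        # An RTF with an embedded executable is worth a closer look regardless of sender.
        "verdict": "suspicious" if embedded_pe else "review",
    }


if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```

Obfuscated RTF (split control words, non-hex filler) will slip past this regex; treat it as a first-pass filter feeding a full RTF parser, not a verdict.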
