J2SECOPS WEEKLY NEWS: This week in the J2 CSC, Human error, data breach investigations reports and poor hygiene; Oh and Ransomware has doubled year over year again!

In this week’s news roundup I am always intrigued and mildly bemused by the  annual Verizon reports. Information security, Data breaches, firmly on the board agenda, is the problem everyone has to deal with and not the only problem that IT and security professionals have to deal with anymore. Ongoing impacts are continuously felt across the whole business and its eco systems—from Business Continuity and Disaster Recovery Planning to legal teams, tied up in perpetual firefighting mode in term of advisory, seeking external opinion in terms of litigation, to your coalface employees, who can’t execute on the day to day operational activities they need to do their jobs. Everyone is an integral part in managing the risks and issues, people make mistakes and are not always malicious in intent. Visibility is key to understanding the problem, and then, and only then, can decisive action can be taken!

Verizon 2018 Data Breach Investigations Report

Verizon released the 11th version of their Data Breach Investigations Report (DBIR) for 2018 on the 10th of April.
The headline for this year’s report is ransomware, present in 39% of malware related cases.
Beyond ransomware, other highlights from the report include:

  • 53,308 reported security incidents, 2,216 data breaches, 65 countries, 67 contributors
  • 76% of reported breaches were financially motivated
  • 72% of reported attacks were perpetrated by outsiders
  • 50% of reported attacks were perpetrated by organized crime groups
  • Pretexting incidents nearly tripled from last year
  • Companies are 3x more likely to be breached by social attacks than vulnerabilities

2018 Data Breach Investigations Report | Verizon


Unpatched Vulnerabilities Are The Source Of Most Data Breaches

It is all and well that we are all in the same boat in terms of keeping the lights on within all our own respective enterprises; by 2018 I had an expectation, as a starry eyed kid, that we would be commuting for home to work in flying cars and have automatons as personal assistants enhancing every aspect of our daily lives. The reality for most of the aforementioned enterprises, is that we cannot get the basics right, like patch management, let alone focus on innovation.

Here is an insightful report that the Ponemon Institute and ServiceNow put together detailing how much of a problem we are all facing.
Some of the insights include the concept of “patching paradox”, whereby the idea of hiring more people will improve security hygiene. Though in reality it doesn’t. 64% of companies are planning to hire more dedicated people to handle
vulnerabilities, accounting for a 50% increase in headcount – this alone will not improve their security posture if they don’t fix broken patching processes. The study shows that firms struggle with patching because they use manual processes and can’t prioritize what needs to be patched first. As stated previously due to the manual patching process 61% admit that this manual approach to patching puts them at a disadvantage, and 55% note that they spend more time dealing with internal processes than managing the vulnerabilities. All agree that more than 12 days are lost coordinating between teams to get patches applied. Some key Insights include:

  • 73% have no common view of assets and applications across security and IT
  • 57% admit that patches slip through the cracks due to emails and spreadsheets used to manage the process
  • 62% have no easy way to track whether vulnerabilities of being patched in a timely manner
  • 65% say they find it difficult to prioritize what needs to be patched first

Today’s state of vulnerability response: patch work demands attention | Ponemon Institute and ServiceNow


Brian Krebs angers userbase of pr0gramm.com for a good cause


Your Old Bitcoin addresses can be stolen so move now!

All Bitcoin addresses generated using the BitAddress client-side wallet pre-2013 and Bitcoinjs pre-2014 are affected.
Bitcoin users who generated Bitcoin addresses using affected tools are advised to generate new Bitcoin addresses with a new tool and move funds from old accounts to the new ones.

Old JavaScript Crypto Flaw Puts Bitcoin Funds at Risk | Bleeping Computer


How does Facebook make money anyway?

Revenues from Facebook’s two largest markets – North America and Europe - are expected to be affected as a result of the fallout from the Cambridge Analytica scandal. Both are extremely lucrative markets for Facebook. In 2017, Facebook earned an average of $84.41 from each North American user and $27.26 from each user in Europe. In contrast, each user in Asia was worth $7.61. Good news for Facebook investors is that the company is making significant inroads into new markets, such as Africa and Asia. While it does not contribute much to overall revenue, WhatsApp has become a runaway hit with users in Asia and South America. Other services, such as Instagram, are also making inroads into new markets.

How Does Facebook Make Money? | Rakesh Sharma

  • Hits: 584

J2SECOPS WEEKLY NEWS

 J2SECOPS WEEKLY NEWS:

This week in the J2 CSC, Most things are grey as gamers, at least according to some, will save cybersecurity

The fast pace of our daily goings on; does not afford us the time to think and read as much as we should. The past couple of weeks have afforded me the slightly higher than normal opportunity to think, and catch up on all outstanding reading, and think and read I did… all while performing the usual monthly cybersecurity threat analysis for our client base…
A few stories have been swimming around my mind and I thought I would take you on the journey.

Let’s get to it then!

Blacklist, Greylists and Whitelists

Blacklists in general terms are items on a list that denies access. The opposite is a whitelist, which means only items on the list are let through whatever gate is being used.
A Greylist contains items that are temporarily blocked (or temporarily allowed) until an additional step is performed.
Looking for a free blacklist of domains? The Anti-Social engineer has a great start.

The Anti-Social Engineer Blacklist | The Anti-Social Engineer


Gamers, the Saviours of Cybersecurity

As an avid enthusiast of the RTS genre I enjoyed the insights that Grant Bourzikas, McAfee's chief information security officer (CISO), swore by and how gamification as one of the key ways to invest in and retain security talent. His own companys adoption of building out its security operations centre in the wake of its spin-off from Intel, and new data from a study by Vanson Bourne on behalf of McAfee found that nearly three-quaters of organizations believe hiring experienced video gamers is a solid option for filling cybersecurity skills and jobs in their organizations.

How gamers could save the Cybersecurity skills gap | Dark Reading


“AI AI, Captain!”

Microsoft in its quest for staying ahead of the curve, is establishing training courses available to the public for anyone wanting to learn how to AI.

Microsoft’s AI training efforts range from internal offerings tailored to employees on specific teams and product groups, such as software engineers at LinkedIn, to external ones designed for a variety of expertise levels.

The Microsoft AI Residency Program and Microsoft NERD Artificial Intelligence Program recruit people to learn AI by working alongside researchers, designers and engineers who are developing AI capabilities and serve as a pipeline of talent into the company.

Aiming to fill skills gap in AI, Microsoft makes training courses available to the public | Microsoft


Ransomware impacting incident response

The report, which is based on the analysis of data from hundreds of millions of protected endpoints and servers across nearly 100 countries, also reveals that there was a 424% increase in breaches related to misconfigured cloud infrastructure, largely due to human error.

Ransomware puts pressure on incident response | Computer Weekly


 

  • Hits: 276

J2SECOPS WEEKLY NEWS: This week in the J2 CSC, we bring you everything from IP Theft to the Cloud that rains data…

Intellectual Property Stolen! Again…

Too often I hear of intellectual property being stolen by competitors. A far less common practice is the theft of IP from an IT Security vendor – becoming more and more common...

I found this developing story of interest and thought you might enjoy it. CyberByte was using Malwarebytes’ IP to augment its AV engine. So Malwarebytes laid a trap to prove its theory.

Key take-away: how “honey” -tokens, -words and -pots can be used to catch someone with their hand in the proverbial cookie jar.

CyberByte steals Malwarebytes’ intellectual property | Malwarebytes


Why I (still) don’t trust Self-Driving Cars

March 18th, a dark day for Humanity and AI; when an Uber self-driving car struck and killed a woman pedestrian in Tempe, Arizona.
The accident took place while the car was in autonomous (self-driving) mode, marking this the first death caused by a self-driving vehicle in the world.

Uber Self-Driving Car Strikes and Kills Arizona Woman | Bleeping Computer


(In)security (Mis)conceptions

I’ve been in the industry for a while now, and although sloppy security reporting is far too common, with common sense far too uncommon these days, nothing riles me more than idiots with opinions.

I discovered this little gem by one of my favourite bloggers, Javvad Malik on CSO Online.

Information Security Misconceptions | CSO Online


♪ I Can See Clearly now that the Rain is Gone ♫ – with my data…

The Cloud, it brings convenience, rain and plenty of storms; in this case it was used to store unprotected database files containing sensitive customer data online in the form of a vulnerable Amazon S3 bucket, which in 2018 is astonishing, and it is completely inconceivable that a company would store passwords in plain text instead of encrypting them…

Open AWS S3 bucket managed by Walmart jewellery partner exposes info on 1.3M customers | SC Magazine


Protecting Diddums aka DNS

When DNS is brought up in polite conversation, or in the hushed catacombs of the bowels of the IT dungeons, words like: “address protocol”, “packet priority”, “DNSSEC” and “Net Neutrality” are used in hushed tones. So, why do we care about “Diddums” - DNS?
DNS basically runs the Internet. Imagine, your mobile address book only with numbers in it without any names, strings of numbers are just simply not how humans identify information. They help, but in reality, words linked to numbers are what separate us from our impending “AI” masters.


Here is the definitive DNS Checklist to assist in slowing the AI advance

  • Set up and maintain your own internal DNS.
  • Block external DNS requests on port 53 (or any port).
  • Created exceptions to DNS requests only to port 53, with RNDC keys. Revolving them often.
  • Set low TTL value; like 30 minutes. A poisoned cache will only impact you for the duration of time you have selected.
  • Protect the “Hosts File” wherever you use it and make sure its disabled if not used.
  • SMTP traffic must be protected, don’t ever use defaults. Create and properly maintain your PTR zones, especially the local zones.
  • Use STUB zones for commonly accessed domains.
  • Use DNS forwarders ONLY to verified DNS servers. Learn how to use “dig” and use it often.
  • Block DHCP on the firewall, obviously other than yours - Prevent "rogue" proxies with DHCP and DNS on your network.
  • Skill yourself up on DNS, this is still one of the weakest links I a vast IT ecosystem and still one of the least understood.
  • Protect your DNS from DDOS attacks by subscribing to an online service that also comes with built-in load-balancing, automatic failover, rate-limiting, and filtering.
  • Hits: 329

J2SECOPS WEEKLY NEWS: This week in the J2 CSC, Cyber being a domain of conflict, Cold war “And they’re both correct.” as we explore unique perspectives.

During one of my binge-induced Netflix comas I discovered an “interesting” show: “The Same Sky” which basically plays out in East Berlin and West Berlin during the Cold War, whereby the premise of the story being the Soviets sending over an undercover officer who does nothing but seduce, steal information and manipulate information against the west. This made me think about how everyone knew this was happening and played many political games, almost tongue in cheek, at the cost of many lives; fast forward to today, the same is happening virtually everywhere with the same disregard, nay, contempt of peoples ignorance of todays version of the “Digital Berlin Wall”.

With this in mind, enjoy our roundup of stories for this week…


Cyber, is a domain of conflict

@thegrugq recently posted a tweet highlighting “A very succinct version of my keynote on cyber conflict”, I found this to be a very engaging perspective.

Cyber, the short version | the grugq, Medium


Nothing is at it seems

Netflix seems to be one of those companies that always seems to find its way into the technology news for the right reasons. They have been running, with some level of success, their private vulnerability disclosure program since 2013, resulting in 190+ issues being discovered and addressed. Recently the public at large have been invited to participate through the Bugcrowd bug bounty program.

Launching the Netflix Public Bug Bounty Program | Netflix, Medium
Netflix bug bounty program | Bugcrowd


Security scammers

There are many different types of scammers that operate on the internet. Security scammers approach website owners with claims that their website is infected or vulnerable and offer to fix the issues for a fee. A Scammer Tried to Scare Troy Hunt into Buying Their Security Services - Here's How It Went Down

A Scammer Tried to Scare Me into Buying Their Security Services - Here's How It Went Down | Troy Hunt


YARA!

Speak to any security professional, that does any searching, analysing, and alerting.  It underpins almost any keyword that can be uses to describe the actions taken during security work. Outlining what it can do at a high level is simple to express, but it’s unreasonable to expect that you are as familiar with YARA as I am.  If you are up for a little exploration, dive into the details for a minute or two.

YARA Rules for Finding and Analysing in InfoSec | Monty St John


Spotlight: John McLoughlin, Managing Director, J2 Software

Get to know our commander in chief, whom has made much personal sacrifice to change the perception of our industry over the past 15 years.
Having worked with many Titans of industry, I am yet to meet anyone more knowledgeable and experienced with a passion or dedication to the ideology of “Doing things differently” and “Getting it Done!” -  Meet John McLoughlin…

Get to Know: John McLoughlin, Managing Director, J2 Software | Paul Rogers, Intelligent CIO

 

  • Hits: 388

J2SECOPS WEEKLY NEWS: Everything from Déjà vu; Facebook and on to numbers of J2 CSC tracked breaches so far for 2018…

Et Tu, Déjà vu?

Data Breach, Hack, Disclose, Repeat - Many late nights and Honest Hot Chocolates and pouring over the latest blogs posted by the various bloggers I follow and found this little gem at peerlyst by Kim Crawley stating that these 1.5 Billion Credentials were found via a torrent and not on the Darknet as one would expect! not even behind some secret encrypted firewall hinged between a missing service and loose vowel. No way! Not even remotely guarded like a teenager’s snapchat…

My worry is that we are becoming desensitised by the words, “breach”, “hack”, “leak” and “exploit” and that the use of these words have become synonymous with modern cliché and are considered passé.

Jawdropping data breach involves 1.5 BILLION passwords and email addresses | Crawley


Facebook, at the face of it - you get what you pay for…

Now this is an interesting and developing story that I’ve been tracking since the Friday the 16th of March; “The Story of Facebook”, which is not actually a “hack”, and deals with between 30 and 50 Million Facebook user accounts, which has been consumed by Cambridge Analytica for “research purposes”. I suppose the argument is that many of the user account owners “were not aware” until this become public knowledge through the press. Basically, Cambridge created a targeted marketing orchestration engine that used all the data available online, and I’m sure Facebook is not the only source, to offer profiled systems and data to political campaigns.

Welcome to the future folks! This is monetization of data subject analytics using AI and Big Data territory, this has been happening for ages and I expect to see users accepting this a common practice as time progresses. Watch this Space.


Dark Web and Corporate Records

The So Called Cybersecurity Experts talk about  protecting your assets, and how awesome they are at solving your problems and charge vast amounts of money, for you to purchase products with products and service to protect your business interests which through your budget cycles Never Make it to the Premier League and are invariably relegated to not even the First Division but the substitution bench of the Second Division… If Cybersecurity companies, their products and services were so Awesome as they claim, then why so many Data Breaches and successful exploits?

Here are some statistics for major companies that we have observed: “Year to Date” with some home truths.

Just looking at a sample of 15 Major Domains e.g. “.gov.za”, “.net”, “.com” and “.co.za” across the top brands within South Africa we Discovered the Following:

  • Of the 15 Domains, only 1 has a detected breach within the last 3 days.
  • Of the 15 Domains, the highest number of breached Corporate Records is at 17,200 with 17 Infected User Records.
  • Of the Top 4 Domains within the 15, roughly 58K Corporate Records are available with 43 actively Infected User Records, this is alarming as all these domain owners have some level of security in place.
  • Of the 15 Domains the bottom 4, have roughly 25 breached Corporate Records and no Infected user Records.

What types of information was found during our sample:

Internal and external systems infected with keyloggers that are logging into servers.

Corporate computers infected while being used for personal use.

Intellectual property that is stolen and actively advertised Underground

Any compromised credentials (username and password) associated with any domain login

Backdoors on corporate servers used by hackers

Compromised credentials unreported to the press from private as well as public data breaches.

Cloud login credentials.


New Detection Technique – Apache CouchDB RCE (CVE-2017-12636)

We have observed significant targeting of Apache CouchDB servers recently, exploiting two known vulnerabilities: CVE-2017-12635 and CVE-2017-12636.

These attacks deliver Monero cryptocurrency miners. The vulnerabilities were patched back in November 2017, so keeping the software up to date should be sufficient to prevent these attacks from succeeding.

The vulnerability is used to access CouchDB as the administrator. During the attack, a file (logo6.jpg) is downloaded, which is then executed as a shell script. 
The script kills any competing mining activities that are already running on the machine, and downloads the actual cryptomining executable together with a configuration file.

Finally, it configures cron jobs to ensure persistence after the system reboots.

CouchDb is a popular DB management system, so attackers still have a wide range of possible targets.

We've updated the 'Client Side Exploit – Known Vulnerability' correlation rule to detect Apache CouchDB RCE activity.


New Detection Technique – APT15 BS2005 RoyalAPT/DNS/CLI

APT15 is a group of well know attackers that continue to be active for a number of years now.
Recent reporting has identified new backdoors such as RoyalAPT, RoyalDNS and RoyalCLI.
Using this malware, they recently penetrated a government contractor and stole information about military technology.

RoyalCLI and RoyalAPT appear to be an evolution of APT15's earlier BS2005 malware. Also, they have C&C domain names in common.
Evidence of compromise was found in the disk drives of the affected machines, where the C&C left traces of its activity.
During the attack, they also used Mimikatz to dump some Windows credentials and generate Kerberos golden tickets to ensure persistence, leaving traces of this activity behind as well.

APT15 also deployed a DNS-based backdoor called RoyalDNS. This maintains persistence through a service called 'Nwsapagent.' C&C is performed using the TXT record of the DNS protocol.

After compromising initial machines, lateral movements were conducted via a combination of network commands and Windows RCE tools applied inside the LAN. 

We've updated the 'Malware infection - Trojan' correlation rule to detect RoyalAPT/DNS/CLI activity.


New Detection Techniques – Trojan Infection

We've added the 'Malware Infection – Trojan' correlation rule to detect recent malicious activity from Arkei Stealer, Grobios, MSIL/Safen, Win32/Configer, and Win32/QQWare.AA families.


New Detection Techniques

Additional correlation rules were added as a result of recent malicious activity.


Updated Detection Technique – GandCrab

GandCrab ransomware appeared in the wild since January 2018. Distribution continues via, fake Chrome HoeflerText popup windows, spam mails, and the Rig exploit kit.
The attack vector is initiated with a PDF linking a Word file download, which launches a PowerShell script that later downloads and executes a DLL file.

Campaigns evolved between January and March. Earlier infections deployed the Dridex banker trojan instead of the GandCrab ransomware. GandCrab first appeared  as a Windows executable with .exe extension. 

One of the most identifiable characteristics of GandCrab is that it asks for Dash cryptocurrency instead of Bitcoin for the ransom payment.
It also uses NameCoin .BIT top-level domains for command and control activity.

We've updated the 'Malware Infection – Ransomware' correlation rule to detect GandCrab activity.


Updated Detection Technique – Malware SSL Certificates

We've updated the ‘Malware Infection – Malicious SSL Certificate’ correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities.

  • Hits: 411

Copyright © 2019 J2 Software