15 March 2018
Adobe patches 7 critical flaws
Adobe released updates for Flash Player on Windows, Macintosh, Linux and Chrome OS to address critical vulnerabilities in Adobe Flash Player 28.0.0.161 and earlier versions. The patch remediates two critical vulnerabilities, a use-after-free and a type confusion, either of which could result in remote code execution if exploited, and should be prioritised for workstation-type devices. No active attacks against these vulnerabilities have been reported. Adobe Connect, version 9.7 and earlier, addressed an OS command injection vulnerability that could lead to arbitrary file deletion and an unrestricted SWF file upload that could result in information disclosure; together the flaws could lead to unintended arbitrary local file removal, a forced uninstall of the application, or cross-site scripting attacks. Adobe Dreamweaver also received a security update that resolves a critical OS command injection vulnerability in its URI handler on Windows.
Microsoft patches Remote Desktop Protocol flaw
This month's Microsoft Patch Tuesday included more than 70 patches, 15 of which were rated critical, among them a fix for a flaw in the authentication used by Microsoft Remote Desktop Protocol. Microsoft released updates for products including ASP.NET Core, .NET Core, PowerShell Core, ChakraCore, Microsoft Office, Microsoft Office Services and Web Apps, Internet Explorer, Microsoft Edge, Microsoft Windows and Microsoft Exchange Server. One of the most significant patches addresses a vulnerability in Microsoft's Credential Security Support Provider protocol (CredSSP), which RDP uses to pass a user's credentials to the remote host, that could allow an attacker to gain control of a domain controller and other systems in the network. The vulnerability affects all Windows versions to date (from Windows Vista onwards). Preempt researchers, who reported the flaw, found that an attacker positioned as a man-in-the-middle on an RDP session could abuse the protocol to run code remotely on the target server on behalf of the connecting user. Nathan Wenzler, chief security strategist at AsTech, called the vulnerability an example of how dangerous it can be to rely on security or administration tools without locking them down with hardened configurations.
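A caveat a practitioner will want here: installing the March 2018 update does not by itself change CredSSP behaviour. Microsoft's fix introduced an "Encryption Oracle Remediation" policy, stored under the registry path below, and on March 2018 builds its unconfigured default still left hosts in the Vulnerable state. The following PowerShell script is an added example, not from the page, Microsoft or Preempt. Run elevated, it reports the current setting and, with the example's own -Enforce switch, sets it to Force Updated Clients; the registry path, value name and the meanings 0/1/2 come from Microsoft's CredSSP guidance, while the function name and the hotfix listing heuristic are this example's assumptions.

```powershell
# Added example (not from the page or from Microsoft): audit and optionally
# enforce the CredSSP "Encryption Oracle Remediation" policy that accompanies
# the March 2018 CredSSP fix. Run in an elevated PowerShell session.
function Test-CredSspPolicy {
    param(
        # Assumption of this example: -Enforce writes the hardened value.
        [switch]$Enforce
    )

    # Registry location and value meanings are from Microsoft's CredSSP guidance.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $name   = 'AllowEncryptionOracle'
    $labels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    $current = $null
    if (Test-Path -Path $key) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [int]$item.$name }
    }

    if ($null -eq $current) {
        # Unconfigured: the OS default applies. With the March 2018 update that
        # default was still Vulnerable, so a patched host keeps accepting the
        # downgraded exchange that the man-in-the-middle attack relies on.
        Write-Warning "$name is not configured; the OS default applies (Vulnerable on March 2018 builds)."
    } else {
        Write-Output ('{0} = {1} ({2})' -f $name, $current, $labels[$current])
    }

    if ($Enforce) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        Write-Output "Set $name to 0 (Force Updated Clients): sessions with unpatched RDP peers will now be refused."
    }

    # The policy only takes effect once the March 2018 update is installed.
    # As a quick check, list updates installed on or after Patch Tuesday
    # (13 March 2018); an empty list means the host is still exposed whatever
    # the registry value says.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2018-03-13' } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, Description, InstalledOn
}

Test-CredSspPolicy            # audit only
# Test-CredSspPolicy -Enforce # audit, then require updated peers
```

Roll the enforced value out to servers and domain controllers only after the clients that connect to them are patched; with 0 set on the server, an unpatched client can no longer open an RDP session to it at all.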
AMD processors are riddled with critical flaws
Researchers at CTS Labs have accused chip maker Advanced Micro Devices (AMD) of disregarding "fundamental security principles" and overlooking "poor security practices and insufficient quality controls" after reportedly finding serious vulnerabilities in the company's Zen line of processors. However, some independent researchers and security professionals have criticised the Israel-based cyber-security firm for apparently giving AMD only 24 hours' notice of the vulnerabilities before going public with them. Reports have also noted that CTS issued a disclaimer that it "may have, either directly or indirectly, an economic interest in the performance" of AMD, which suggests at least the possibility that the company could benefit financially from publicising news about AMD. According to the advisory issued by CTS Labs, several of the flaws could allow attackers to permanently install malicious code into, or steal network credentials from, the AMD Secure Processor, which sits beside the main CPU inside the processor package and is responsible for creating, monitoring and maintaining the security environment. "These vulnerabilities could expose AMD customers to industrial espionage that is virtually undetectable by most security solutions," the advisory warns.
Trojanized BitTorrent Software Update Hijacked 400,000 PCs Last Week
A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency-mining malware in just a few hours was caused by a backdoored version of the popular BitTorrent client MediaGet. Dubbed Dofoil (also known as Smoke Loader), the malware was found dropping a cryptocurrency miner as its payload on infected Windows computers, mining Electroneum coins for the attackers using the victims' CPU cycles. The Dofoil campaign, which hit PCs in Russia, Turkey and Ukraine on 6 March, was detected by Microsoft's Windows Defender research team, which blocked the attack before it could do severe damage. When Windows Defender researchers first reported the attack, they had not explained how the malware reached such a large audience in just 12 hours. After further investigation Microsoft has since revealed that the attackers targeted the update mechanism of the MediaGet BitTorrent software to push a trojanized version (mediaget.exe) to users' computers. "A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability," the researchers explain in a blog post. Researchers believe MediaGet, which signed update.exe, is itself likely a victim of a supply-chain attack, similar to the CCleaner compromise that infected over 2.3 million users with a backdoored version of that software in September 2017.
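The lesson for defenders is that a valid code signature did not make the update safe: the backdoored build was signed too, so only its behaviour and its hash distinguish it. The PowerShell below is an added example, not from the page or from Microsoft's write-up. It hunts Sysmon process-creation events (Event ID 1) for the chain quoted above (mediaget.exe launching update.exe, update.exe launching a new mediaget.exe) and then records signer and SHA256 of every mediaget.exe found on disk so the hash can be compared with the vendor's known-good release. The Sysmon log name and the Image, ParentImage, Hashes and UtcTime fields are Sysmon's own; the function names, the seven-day look-back and the search roots are this example's assumptions. It needs Sysmon with process-creation and hash logging enabled and an elevated session.

```powershell
# Added example (not from the page or Microsoft's write-up): hunt for the
# MediaGet update chain in Sysmon Event ID 1 and inventory mediaget.exe binaries.
function Get-SysmonEventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Read Sysmon fields by name rather than by position, so the code does not
    # depend on the field layout of a particular Sysmon version.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Find-MediaGetUpdateChain {
    param([int]$Days = 7)   # assumption of this example: look back one week
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d      = Get-SysmonEventData -Event $e
        $child  = [IO.Path]::GetFileName($d.Image)
        $parent = [IO.Path]::GetFileName($d.ParentImage)
        $rule   = $null
        # Rule 1: the signed client pulling and running the updater.
        if     ($parent -ieq 'mediaget.exe' -and $child -ieq 'update.exe')   { $rule = 'mediaget.exe spawned update.exe' }
        # Rule 2: the updater starting the replacement client.
        elseif ($parent -ieq 'update.exe'   -and $child -ieq 'mediaget.exe') { $rule = 'update.exe spawned new mediaget.exe' }
        if ($rule) {
            [pscustomobject]@{
                UtcTime = $d.UtcTime
                Rule    = $rule
                Image   = $d.Image
                Parent  = $d.ParentImage
                Hashes  = $d.Hashes   # e.g. "SHA256=..." when hash logging is on
            }
        }
    }
}

function Get-MediaGetBinaries {
    # A Valid signature status does not clear the file; record signer and SHA256
    # so the hash can be checked against the vendor's published release.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Recurse -Filter 'mediaget.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

Find-MediaGetUpdateChain | Format-Table -AutoSize
Get-MediaGetBinaries     | Format-Table -AutoSize
```

The parent-child rule is deliberately narrow to this incident; the reusable part is the pattern of treating a vendor-signed updater as an allow-listed hash rather than an allow-listed signer, which is the check that would also have caught the CCleaner case mentioned above.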
BlackTDS Emerges as an As-a-Service Drive-By Kit for Malware Distribution
A new traffic distribution system called BlackTDS has reared its head in the criminal underground, marketing itself as an as-a-service tool for malware distribution. The privately held BlackTDS was spotted by Proofpoint researchers in late December 2017. It offers a variety of services to its “clients” that it collectively refers to as a Cloud TDS; these include hosting and configuring the components of sophisticated drive-by attacks, like social engineering and redirection to exploit kits (EKs), while preventing detection by researchers and sandboxes. Cloud TDS also includes access to fresh domains with clean reputations over HTTPS. Threat actors drive traffic to BlackTDS via spam, malvertising, and other means, set up the malware or EK API of their choice, and then allow the service to handle all other aspects of malware distribution via drive-by. Researchers observed BlackTDS infection chains several times in the wild, distributing malware via fake software updates and other social engineering schemes. There’s evidence that BlackTDS is allowing known threat actors to branch into new realms. For instance, a large spam campaign was observed on 19 February from the actor TA505, using PDF attachments containing links to a chain involving BlackTDS. The chain ended with a fraud website purporting to sell discount pharmaceuticals.
The real reason you’re failing at PCI DSS compliance
For nine years, Verizon has released its annual Payment Security Report about the state of Payment Card Industry Data Security Standard (PCI DSS) compliance. For nine years, the pattern has remained the same: Many companies don't comply with the standard, and many companies that do comply fall out of compliance not long after their audit. IT organizations don't struggle with PCI DSS compliance due to a lack of knowledge or technology; the problem is proficiency. "Proficiency is the main theme," says Ciske van Oosten, lead author of the report since 2013 and senior manager of global intelligence for security assurance consulting at Verizon Enterprise Solutions. "With 10 years of data breach investigation reports, you start to recognize patterns." "It's not a knowledge problem," Van Oosten adds. "There's an abundance of knowledge out there. People are almost inundated with it. It's not really technology failure. It is really proficiency: that level of confidence, skills and experience."
How the Right PSIM Can Take Security Careers from the Basement to the Boardroom
Not too long ago, security operations centers (SOCs) and the enterprise security executives and the staff who ran them were relegated to airless basement offices with little security equipment that did no more than monitor video and manage guards. Today’s SOCs have evolved into large financial investments that include surveillance and security technologies that enable an enterprise security executive to monitor global threats in real-time, tie in video feeds from other business units, employ analysts who monitor social media, share data with other enterprises, and more. They can form the heart of an enterprise’s operational defense against advanced physical and cyber-attacks. With this growing importance and role of a SOC, the enterprise security executive’s role is changing as well. Many of today’s security executives may come from IT backgrounds as well as from law enforcement, and they have direct experience of using technology as it relates to security. This naturally leads them to look for solutions that leverage technology to automate processes and build efficiencies in response. To achieve these types of efficiencies, the IT industry has always looked towards solutions that have the power to aggregate multiple disparate systems into a single operational view. To fully realize and effectively implement the best security solution for their SOC, the selected approach now frequently includes a Physical Security Information Management (PSIM) solution.
Google blocked 3.2 billion bad ads and blacklisted 700,000 apps from its ad network
Google has issued its latest report on bad ads, revealing a new high in removals. According to the report, Google removed 3.2 billion ads over the year that violated its policies by promoting harmful content, malvertising or phishing scams, amounting to roughly 100 bad ads every second. Aside from removing ads, the company said it had blocked 320,000 publishers from its ad network and blacklisted 90,000 websites and 700,000 mobile apps. It also changed the way it analyses sites: rather than judging an entire site as acceptable or not, it now looks at individual pages and, if a page does not comply with its policies, blocks advertising on that page only; the rest of the site can stay monetised if it complies. Google also stressed that it had changed its policies for both publishers and advertisers: advertisers must comply with 28 new policies and publishers with 20. The report states that all numbers are up, with many more ads blocked, more publishers removed and more websites and apps blacklisted than the year before.
Cyber Security training from QA
QA have uniquely positioned themselves to help solve the Cyber skills gap, with their CyberFirst and Cyber Apprenticeship programmes, Cyber Academies, Cyber Challenges, training and certifications, and consultancy for Cyber Security.
They offer end-to-end Cyber training and certifications, from Cyber Awareness to deep-dive Cyber programmes and solutions covering Cyber Investigations, Cyber Crisis Management, Proactive Security and Offensive Defence. QA only employ world-leading Cyber trainers with the expertise to deliver bespoke Cyber solutions, GCHQ-accredited courses and, proudly, the CyberFirst programme, all in support of tackling the UK's National Cyber Security skills shortage.
QA also have state-of-the-art CyberLabs, where companies can simulate real-life Cyber-attacks on their infrastructure, helping them to prevent & combat breaches without risking their own network.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.