Wednesday, November 29, 2017

Some Sites where you can get great Security Information


FBI InfraGard is a partnership between the public and private sectors for sharing information; chapters are all over the USA. Go here for more information.

DNSstuff performs forensic analysis of name and email servers, path analysis, and domain authentication and location. Go here.

Internet Storm Center has great information about current issues. Go here.
 
Verizon Data Breach Investigations Report. Go here.

Cisco Threat Research Blog. Go here.

FireEye has lots of information about security issues. Go here.

Microsoft Security Blog. Go here.

Microsoft Security Intelligence Report (SIR), a great read on the state of security. Go here.
 
NCI Sector-based Information Sharing and Analysis Centers (ISACs) collaborate and coordinate with each other via the National Council of ISACs (NCI). Formed in 2003, the NCI today comprises 24 organizations designated by their sectors as their

MacOS 10.13.1 - Root vulnerability allows new ADMIN account without password


Apple is in the process of building an emergency patch to lock down the “root” account on systems where no password has been set for it. In certain settings, the "MacOS 10.13.1 root vulnerability" allows the password challenge to be bypassed entirely. That allows user accounts to be reset, leading to full compromise of vulnerable systems. This bug is serious, and I believe Apple will quickly rectify it with an expedient “patch now” update.


The hack is easy to pull off. It can be triggered through the Mac’s System Preferences application when “Users & Groups” is selected, and the lock icon on the window is clicked. After that, a new login window will appear. Anyone who types “root” as the username, leaves the password field empty, and clicks unlock (once or twice) is on their way to a new account that has system admin privileges to the computer.

 

Amit Serper, a security researcher with Cybereason, replicated the result and said the bug “is as serious as it gets.” Hackers are always crafting malware that can gain greater system privileges on a computer. Now they have a new way, which can also be triggered via the Mac’s command line. Imagine a piece of malicious code designed to attack Macs using the same flaw. Users wouldn’t even know they were compromised, Serper said.

 

WORKAROUND: set a password on the “root” account ahead of time instead of leaving it unset (null).


 

Tuesday, November 28, 2017

IcedID: A Hot New Item


 
In September of 2017 X-Force researchers from IBM discovered a new banking Trojan called IcedID. IcedID primarily targets financial institutions such as banks, payment card providers, and e-commerce sites. IcedID utilizes Emotet for delivery to target hosts.
 
Emotet is most commonly linked to small cybercrime organizations in Eastern Europe targeting Western countries, and is known as a successor of the Dridex malware that was designed to amass and maintain botnets. Emotet itself is most often delivered by opening a macro-enabled malicious file, usually arriving by spam mail. Once executed, the malware embeds itself within normal machine processes, connects home, and installs additional modular components as directed. The installed components include spamming modules, network worm modules, and data stealers.
 
The main known tactics and techniques of IcedID consist of network propagation, victim monitoring, and web URL tampering. More specifically, the malware runs a local web proxy that listens to the victim's web traffic and, based on what it sees, can silently redirect the victim or inject parameters so that they end up on attacker-controlled web content instead of the content they wanted to see. Reverse engineering of the malware revealed a PropagationThroughNetwork function, the network propagation module that allows the malware to infect locally or remotely connected endpoints as a way of spreading to other systems. Additionally, IcedID can query LDAP looking for other users to attack and can gather other important information to send back to the command and control server.
 
As a way of hiding itself, IcedID performs a full reboot after storing its startup files in the Windows %LocalAppData% folder, to evade sandboxes and other defenses on victim hosts. Additionally, the malware uses SSL to communicate home and launch its attacks, to avoid intrusion detection systems within the victim infrastructure. The malware also uses a random value as the Run key name to establish persistence on the target host. As an example, the startup file would be “C:\Users\User\AppData\Local\ewonliarl\ewonliarl.exe” and the Run key would be at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ewonliarl”. IcedID listens on local network port 49157 and exfiltrates victim information of its choosing to its command and control server. Interestingly enough, IcedID can still be identified by its original process name, IcedID, which continues to run even after the reboot; researchers think this will likely change in the future.
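A defender's check for the two host indicators described above, as an added example that is not from the original post nor from IBM X-Force or Peraton: it flags HKCU Run values whose command points at %LocalAppData%\<name>\<name>.exe with the value name also <name>, and it finds PIDs listening on TCP 49157. The Run entries and netstat lines are constructed samples; in real use you would feed it exported Run-key values and `netstat -ano` output.

```python
import re

# Constructed sample Run entries (value name, command), in the shape of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run values. Not real telemetry.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("ewonliarl", r"C:\Users\User\AppData\Local\ewonliarl\ewonliarl.exe"),
    ("Dropbox", r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe /systemstartup"),
]

# Constructed sample of `netstat -ano` output lines.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49157        0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.10:49820     13.107.42.14:443       ESTABLISHED     2208
"""

ICEDID_PORT = 49157

# %LocalAppData%\<dir>\<exe>.exe, optionally quoted; the IcedID pattern is dir == exe.
_LOCALAPPDATA_EXE = re.compile(
    r'^"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\(?P<dir>[^\\]+)\\(?P<exe>[^\\"]+)\.exe',
    re.IGNORECASE,
)


def flag_run_entries(entries):
    """Return Run value names matching the %LocalAppData%\\x\\x.exe persistence pattern."""
    hits = []
    for name, command in entries:
        m = _LOCALAPPDATA_EXE.match(command)
        if m and m.group("dir").lower() == m.group("exe").lower() == name.lower():
            hits.append(name)
    return hits


def listening_on_port(netstat_text, port=ICEDID_PORT):
    """Return PIDs of TCP sockets in LISTENING state bound to the given local port."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[1] == str(port):
                pids.append(int(parts[4]))
    return pids
```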
Sources:
 
Thanks to Peraton and their Cyber Intelligence Program (CIP) for this information.

Almost 200,000 Cisco switches exposed to malicious attacks

Here is information from Talos: http://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html

Cisco Coverage for Smart Install Client Protocol Abuse
Summary

Talos has become aware of active scanning against customer infrastructure with the intent of finding Cisco Smart Install clients. Cisco Smart Install is one component of the Cisco Smart Operations solution that facilitates the management of LAN switches. Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices. The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.

We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks.
Protection
 
To assist customers in understanding their exposure to this issue, we have released our own scanning tool as well as preliminary Snort rules which can be used to identify affected systems and detect SIET activity.

Talos Scanning Utility


Talos has produced a scanning utility which all users can run against their infrastructure to determine if they could be affected by abuse of the Smart Install Client Protocol. This tool can be found here.


Coverage


Snort Rules


Talos has created coverage for this issue in the form of sids 41722-41725. These rules are being provided immediately as part of the community rule set and can be downloaded here:

Cisco FirePOWER and Snort Subscriber Rule Set customers should ensure they are running the latest rule update in order to receive coverage. 

Additionally, generic TFTP activity rules sid:518 and sid:1444 are available but these are not issue specific and must be explicitly enabled.


Further Information


Cisco PSIRT has published a blog post related to the issue here:

Further guidance on Smart Install security practices here:

Additional third-party research about Smart Install is available here:

Talos encourages all partners to quickly take steps to protect their systems in accordance with the published security guidelines. 

If you have a network security emergency, contact the Cisco Technical Assistance Center (TAC) at the following phone numbers:
Inside the United States or Canada: +1 800 553-2447
Outside the United States: Worldwide Contacts

Cisco responds quickly to attacks in progress and works with your staff to develop an incident response plan that minimizes the effect of current and future attacks.
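As an added example (not from Talos or Cisco), a small Python audit over exported IOS running-configs that reports which switches still have the Smart Install client enabled. It assumes the client is on by default on the affected releases, so the only evidence of it being off is an explicit global `no vstack` line, while a `vstack ...` line (such as `vstack director`) means it is configured and on; the config excerpts are constructed samples.

```python
import re

# Constructed running-config excerpts, not from any real device.
CONFIG_EXPOSED = """\
hostname access-sw-01
!
boot-start-marker
boot-end-marker
!
interface GigabitEthernet1/0/1
 switchport mode access
!
"""

CONFIG_HARDENED = """\
hostname access-sw-02
!
no vstack
!
interface GigabitEthernet1/0/1
 switchport mode access
!
"""

CONFIG_DIRECTOR = """\
hostname access-sw-03
!
vstack director 192.0.2.10
!
"""


def smart_install_client_enabled(running_config):
    """True unless the config disables the client with a global 'no vstack'.

    Assumption: client is enabled by default; any explicit 'vstack ...' line
    means it is configured (and therefore on) regardless of a later 'no vstack'.
    """
    disabled = False
    for line in running_config.splitlines():
        stripped = line.strip()
        if stripped == "no vstack":
            disabled = True
        elif stripped.startswith("vstack"):
            return True
    return not disabled


def audit(configs):
    """Map hostname -> True when the Smart Install client is still enabled."""
    result = {}
    for cfg in configs:
        m = re.search(r"^hostname\s+(\S+)", cfg, re.MULTILINE)
        result[m.group(1) if m else "<unknown>"] = smart_install_client_enabled(cfg)
    return result
```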

Security Warning OFFICE 365 Bogus Bill

I have started seeing this kind of attack.

Look at the email address! Be careful with any of your emails and think before you click, because the link sends you to a bogus site.

Here is some new technology that I have come across.


PuriFile


PuriFile’s software suite provides market-leading inspection and sanitization of digital files, preventing the loss of critical data and ensuring business continuity for government and commercial customers. Built to protect your inbox and halt release of sensitive information, PuriFile inherently understands your email, Microsoft Word, PowerPoint, Excel, PDF, and image files, so it can provide thorough email and file inspection and sanitization while maintaining the integrity of your network and information.

Microsoft Exchange Server (MXS) is a collaborative enterprise server application designed by Microsoft to run on Windows Server. MXS supports organizational email, contacts and tasks, calendar, data storage, and web-based and mobile information access. By residing on an organizational endpoint, the Exchange Server, PuriFile can provide email security through identification and remediation of content entering and exiting through your organization's communication lifeline, provide Data Loss Prevention, and mitigate zero-day attacks.

How it Works


Exchange Server Plugins - Microsoft provides an Application Programming Interface (API), as well as information and resources to extend Microsoft Exchange Server allowing for the customization of a unique customer focused email environment.

PuriFile Exchange Plugin - Using the Exchange Server API, the PuriFile plugin provides Data Loss Prevention, limits Zero-Day attacks and controls content leaving an organization.  Highly configurable, PuriFile is capable of identifying content within email and attachments based on well-defined policies and takes corrective action to alert the recipient and sender to remediate violations.

Message Scanning – Residing on a corporate exchange server, PuriFile is capable of scanning incoming and outgoing email to identify suspect content based on an organizational policy. When an individual receives an email or attempts to send email to a recipient, the PuriFile engine scans the content and attachments checking for violations. In the event a violation is detected, the recipient/sender is alerted and is able to take corrective action to accept or modify the content prior to it being received or sent to the recipient:


Figure 1: Scan Mode
Removing Attachments – In addition to the normal email message scanning, PuriFile is able to provide scanning and insight into content residing in email attachments. When an individual receives or completes an email and attempts to send it to the recipient, PuriFile scans the message along with any attachments and checks for violations. In the event of a violation in the attachment, the PuriFile engine replaces the content with a text file identifying the violations. A return notification is sent back to the sender along with the text file of violations.  The user will then be given an opportunity to review the violations and address as appropriate. Once all violations are addressed, the email is reprocessed for reading or sent on to the recipient:



Figure 2: Attachment Mode

Message Cleansing – The Message Cleansing mode is similar to the Removing Attachments mode described above. Rather than alerting the recipient/sender to content in violation, the Message Cleansing capability removes the offending content from the document. When an individual receives or completes an email and attempts to send it to the recipient, PuriFile scans the message along with any attachments and checks for violations. In the event of a violation in an attachment, the PuriFile engine removes the content from the file prior to reading or sending the file.



Figure 3: Cleanse Mode

 

The added effect of the cleansing operation is that it removes any malicious content, effectively halting in excess of 90% of zero-day attacks. Combined with an effective Anti-Virus/Anti-Malware solution, organizations will have gained the upper hand on virulent viruses and malware.
 
Here is a cool offer: if you are interested in testing this, let me know and I will forward your info to the beta test team. They are offering the software for 12 months (plus support) in return for doing the beta test.
 
Send email to Jferron @ Interactive Security Training.com (NO spaces)

 

 

Free eBooks from Microsoft Press


Free Microsoft eBooks are available in PDF, EPUB and Mobi for Kindle formats.

Find more training eBooks & books at The Microsoft Press Store.

You can go here.
 

Also, once a week Microsoft offers deals on selected eBooks (the eBook Deal of the Week). Go here.