Relative Identifier (RID) Hijacking has recently gained public attention as a simple, novel, and effective technique to maintain persistence on a Windows system after initial compromise. As information security awareness continues to rise in many organizations, their overall security posture also increases, especially in larger organizations that can afford it. As a result, many attackers are forced to leverage stealth techniques when targeting these types of companies to bypass security mechanisms.
RID Hijacking effectively allows attackers to assign higher level administrative privileges to lower level accounts that they might have direct access to after initial system compromise. What makes this method so attractive to attackers is that it leverages strictly Windows native commands, does not require installing any additional software, and is a relatively simple process. Therefore, it does not make much noise on a system and in many cases is difficult to detect unless defenders are carefully monitoring the Security Account Manager (SAM) registry.
Since Windows XP, Windows has used the SAM to store security descriptors for user accounts. These Windows systems store most of this information in the ‘HKLM\SAM\SAM\Domains\Account\Users’ key, which requires SYSTEM level privileges to access. This key contains a variety of structured information representing user privilege information. The ‘Names’ subkey contains all the local user account names, and the ‘F’ value within this structure is a long binary value that contains the RID at hex offset 0x30, along with other interesting information such as whether the account is enabled or disabled. According to security researcher Sebastian Castro, the RID copy stored in the ‘F’ value is the value used by the Local Security Authority Subsystem Service (LSASS) and the Security Reference Monitor (SRM) to generate the primary access token when translating from username to security identifier (SID). This token is what the system consults when users attempt to access system services and applications. So if an attacker can modify the RID value of a guest user account, for example, to hex 0x1F4 (500 in decimal), they can give that guest account system level access. This technique is known as RID hijacking.
Sebastian Castro, the security researcher investigating this vulnerability, also published a module which automates this attack in Metasploit, a popular open source exploit framework used by many worldwide. The module can be found at ‘post/windows/manage/rid_hijack’ within the framework. It has been tested on Windows XP, Windows Server 2003, Windows 8.1, and Windows 10. The recommended way to defend against this attack is to monitor the system registry and look for inconsistencies within the SAM.
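The SAM inconsistency the post recommends watching for can be checked offline. The following is an added example written for this post, not code from Sebastian Castro or the Metasploit module: each user subkey under the Users key is named after the account's RID in 8-digit hex (for example 000001F4 for RID 500), and the ‘F’ value carries a second copy of the RID at offset 0x30, so a hijacked record is one where the two disagree. The account-control flags at offset 0x38 follow public SAM parsers and are an assumption here, and the user records are constructed sample data, not an exported hive.

```python
r"""
Added example (not part of the original post): offline consistency check
for SAM user records under HKLM\SAM\SAM\Domains\Account\Users.
Assumptions: subkey names are the RID in 8-digit hex; the F value holds a
little-endian DWORD copy of the RID at 0x30 (as the post states) and a
16-bit account-control word at 0x38 whose low bit means "disabled"
(layout taken from public SAM parsers). Sample records are constructed.
"""
import struct

RID_OFFSET = 0x30          # RID copy inside the F value (stated in the post)
ACB_FLAGS_OFFSET = 0x38    # assumption: 16-bit account-control flags
ACB_DISABLED = 0x0001      # assumption: bit set when the account is disabled
F_VALUE_MIN_LEN = 0x50     # smallest blob we accept (constructed records use this)


def make_f_value(rid, disabled=False, length=F_VALUE_MIN_LEN):
    """Build a constructed F value blob carrying the given RID and flags."""
    buf = bytearray(length)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    struct.pack_into("<H", buf, ACB_FLAGS_OFFSET, ACB_DISABLED if disabled else 0)
    return bytes(buf)


def parse_f_value(f_bytes):
    """Return (rid, disabled) parsed from an F value; reject truncated data."""
    if len(f_bytes) < F_VALUE_MIN_LEN:
        raise ValueError("F value too short: %d bytes" % len(f_bytes))
    (rid,) = struct.unpack_from("<I", f_bytes, RID_OFFSET)
    (flags,) = struct.unpack_from("<H", f_bytes, ACB_FLAGS_OFFSET)
    return rid, bool(flags & ACB_DISABLED)


def find_rid_mismatches(user_records):
    """user_records maps subkey name (8 hex digits) -> raw F value bytes.

    Returns one finding per record whose embedded RID differs from the RID
    encoded in the subkey name, which is the signature of a hijacked record.
    """
    findings = []
    for subkey, f_bytes in user_records.items():
        expected_rid = int(subkey, 16)
        actual_rid, disabled = parse_f_value(f_bytes)
        if actual_rid != expected_rid:
            findings.append({
                "subkey": subkey,
                "expected_rid": expected_rid,
                "f_value_rid": actual_rid,
                "disabled": disabled,
            })
    return findings


# Constructed sample hive content: Administrator (500) and a normal user
# (1001) are intact; the Guest record (501) has been rewritten to claim 500.
SAMPLE_USERS = {
    "000001F4": make_f_value(500),
    "000001F5": make_f_value(500),
    "000003E9": make_f_value(1001),
}

if __name__ == "__main__":
    for finding in find_rid_mismatches(SAMPLE_USERS):
        print("RID mismatch: subkey %(subkey)s expects RID %(expected_rid)d "
              "but F value says %(f_value_rid)d (disabled=%(disabled)s)" % finding)
```

On a live system the raw F values would come from an exported or shadow-copied SAM hive read with SYSTEM rights; the comparison logic is the same, and a scheduled run that alerts on any non-empty result is the monitoring the post recommends.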
Sources:
https://threatpost.com/trivial-postintrusion-attack-exploits-windowsrid/138448/
https://csl.com.co/en/rid-hijacking/
Friday, October 26, 2018
Zero-day jQuery Exploit
A zero-day exploit in the jQuery File Upload tool may have been an open secret for years. A security researcher at the Akamai Security Intelligence Response Team (SIRT) by the name of Larry Cashdollar found the exploit, designated CVE-2018-9206. The vulnerability affects the plugin authored by Sebastian Tschan, commonly known as “blueimp”. jQuery File Upload is one of the most starred plugins on GitHub next to the jQuery framework itself. The tool appears to have been forked over 7800 times and has most likely been integrated into thousands of other projects.
The vulnerability affects Apache web servers that have the plugin and has existed since Apache 2.3.9, when Apache disabled support for .htaccess security configuration files. Unfortunately, jQuery File Upload relied on .htaccess, and Apache made the change only five days before Sebastian’s plugin was first published. Worse yet, it seems that this exploit has been an open secret in the hacker community for years. An attacker can use the vulnerability to upload files without any validation. This would allow attackers to upload back doors and key loggers, and even execute a web shell on the server. Cashdollar was able to get in touch with Sebastian, and together they were able to get the vulnerability fixed in the latest version of jQuery File Upload. However, both noted that the fix is unlikely to get deployed in all the other projects and/or servers that use the plugin. They stated that there is no accurate way to determine how many projects have forked from jQuery File Upload and whether they are being maintained by applying changes from the master project. Additionally, there is no good way to determine how many production environments might have the plugin integrated into them.
Cashdollar has also noted that he doubts he is the only person to have found the videos that demonstrate this vulnerability. The videos on YouTube indicate that this exploit has been known and used in some circles for years, so it is possible that hackers have been able to quietly use this method to execute remote code on web servers that use the plugin. However, now that the code has been patched and the exploit has been made public, there is concern that the risk has increased. With an unknown number of forked projects and environments that might use the tool, it is likely that the patch will not entirely eliminate the threat. If you want to test your environment for this vulnerability, this link will help: Https://gethub.com/lcashdol/treee/Exploits/tree/master/CVE-2018-9206. There you will find the files that will test for three of the most commonly used variations of the exploit software.
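The root cause described above is an upload handler that left all enforcement to an .htaccess file the web server no longer read. An added example (written for this post, not blueimp's code) of the server-side validation an upload handler should do itself, independent of web server configuration: it accepts only a single allow-listed extension, a restricted filename, and content whose leading bytes match that extension. The allow-list and magic bytes are assumptions for the demonstration, and the sample uploads are constructed.

```python
# Added example, not from the original post or the jQuery File Upload
# project: server-side validation that does not rely on .htaccess.
import os
import re

# Assumed allow-list: extension -> acceptable leading bytes ("magic").
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Stem may only contain characters that no web server or shell interprets.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, content):
    """Return (ok, reason); ok is True only if name, extension and content agree.

    Each check closes one hole the plugin's .htaccess used to cover:
    path components (directory traversal), multiple extensions
    (mod_mime may hand file.php.jpg to PHP), unknown extensions
    (scripts), and content that does not match the claimed type.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        return False, "path components in filename"
    parts = base.split(".")
    if len(parts) != 2:
        return False, "exactly one extension required"
    stem, ext = parts
    ext = ext.lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename"
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    return True, ""


# Constructed sample uploads: one legitimate image and four that a
# validation-free handler would have written to the web root.
SAMPLE_UPLOADS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.php.jpg", b"\xff\xd8\xff"),
    ("image.png", b"<?php echo 1; ?>"),
    ("../photo.jpg", b"\xff\xd8\xff"),
]


def review_samples():
    """Run every constructed sample through the validator."""
    return {name: validate_upload(name, data) for name, data in SAMPLE_UPLOADS}


if __name__ == "__main__":
    for name, (ok, reason) in review_samples().items():
        print("%-16s %s %s" % (name, "accepted" if ok else "rejected", reason))
```

A handler built this way should also store accepted files under a server-generated name outside any script-enabled directory; the validator above is the part that stops relying on the web server's configuration.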
Sources:
https://www.theregister.co.uk/2018/10/22/jquery_file_flaw/
https://searchsecurity.techtarget.com/news/252451045/Zero-day-jQueryplugin-vulnerability-exploited-for-3-years
https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-activelyexploited-for-at-least-three-years/
Saturday, October 20, 2018
Windows 10, version 1809 Features removed or planned for replacement
Here is a Blog from Microsoft about changes to Windows 10 1809.
Features we removed in this release
We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method.
Feature | Instead you can use... |
---|---|
Business Scanning, also called Distributed Scan Management (DSM) | We're removing this secure scanning and scanner management capability - there are no devices that support this feature. |
FontSmoothing setting in unattend.xml | The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use ClearType by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored. |
Hologram app | We've replaced the Hologram app with the Mixed Reality Viewer. If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer. |
limpet.exe | We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source. |
Phone Companion | When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the Phone page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features. |
Future updates through Windows Embedded Developer Update for Windows Embedded Standard 8 and Windows Embedded 8 Standard | We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the Microsoft Update Catalog. |
Features we’re no longer developing
We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources.
If you have feedback about the proposed replacement of any of these features, you can use the Feedback Hub app.
Feature | Instead you can use... |
---|---|
Companion device dynamic lock APIs | The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced Dynamic Lock, including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs. |
OneSync service | The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization. |
Snipping Tool | The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're introducing a new universal app, Snip & Sketch, that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch. |
macOS 10.12 Draft NIST Security Configuration Checklist
NIST invites comments on Draft Special Publication (SP) 800-179 Revision 1, Guide to Securing macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist. This publication assists IT professionals in securing macOS 10.12 desktop and laptop systems within various environments. It provides detailed information about the security features of macOS 10.12 and security configuration guidelines. The publication recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of macOS 10.12 systems in three types of environments: standalone, managed, and specialized security-limited functionality.
A public comment period for this document is open until November 16, 2018. We strongly encourage you to use the comment template for submitting your comments.
CSRC Update:
https://csrc.nist.gov/news/2018/nist-releases-draft-sp-800-179-rev-1-for-comment
Publication Details:
https://csrc.nist.gov/publications/details/sp/800-179/rev-1/draft
SSH ISSUE
For the past four years, thousands of servers may have been subject to an extremely simple authentication bypass vulnerability. CVE-2018-10933 affects libssh, an implementation library for Secure Shell (SSH), in all versions since 0.6.0, which was released in 2014. It is limited to certain implementations of SSH and does not affect the widely-used OpenSSH.
Still, all the attacker has to do is send the server the message "SSH2_MSG_USERAUTH_SUCCESS" instead of "SSH2_MSG_USERAUTH_REQUEST" and they have full access. Experts are saying that the overall impact is small, given that OpenSSH is not impacted and a libssh patch has already been released. So how many systems are actually at risk? A quick Shodan search by one researcher returned 6,351 servers just by looking for "libssh". Another researcher added port 22 to the search, bringing the number down to 3,004. But this doesn't tell us how many systems are running vulnerable versions of libssh. And really, pinning down an accurate number is not easy. Shodan doesn't cover everything that's out there, and what's out on the internet can change in the blink of an eye.
Figure 1. Shodan search for libssh 0.6.0 (source: https://shodan.io)
We ran our search anyway and excluded the two patch versions that fix CVE-2018-10933, 0.7.6 and 0.8.4. Our total, 2,973, was only reduced by three for a total of 2,970 systems. Searching only for the first impacted version, 0.6.0, returned 1,259 systems. It’s not a large number, but that's still over a thousand systems that have not been properly patched in four years. These systems can also easily be found in a matter of minutes.
Figure 2. Shodan search result details (source: https://shodan.io)
If that isn't enough, take a second look at the figure above. Most of the identified systems are based in the United States and belong to major communications companies. Sure, the footprint of this vulnerability is pretty small, but it's exactly the type of low-hanging fruit attackers look for - made all the more enticing by the organizations that appear to be most affected.
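Why a single message is enough deserves a closer look. The following is an added example for this post, not libssh code: a small model of the server side of the SSH userauth exchange, using the RFC 4252 message numbers. With `strict=False` it reproduces the class of mistake behind CVE-2018-10933 as publicly described, in which the handler for USERAUTH_SUCCESS, a message only the server should ever send, also runs when the server receives one. With `strict=True` it applies the check a patched server performs: a client that sends a server-only message has violated the protocol and is disconnected. The credential store and session class are constructed for the demonstration.

```python
# Added example, not libssh code: server-side userauth state handling,
# flawed and fixed side by side. Message numbers are from RFC 4252.
SSH_MSG_DISCONNECT = 1
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52

# Constructed credential store for the demonstration.
VALID_CREDENTIALS = {"alice": "correct horse battery staple"}


class ServerSession:
    """Server side of the userauth exchange.

    strict=False models the flaw: one dispatch table serves both
    directions, so a USERAUTH_SUCCESS received from the client takes the
    path the server uses after it has verified credentials.
    strict=True models the fix: SUCCESS and FAILURE are server-to-client
    only; receiving either is a protocol violation that ends the session.
    """

    def __init__(self, credentials, strict=True):
        self.credentials = credentials
        self.strict = strict
        self.authenticated = False
        self.closed = False
        self.log = []

    def _set_authenticated(self):
        self.authenticated = True
        self.log.append("session authenticated")

    def receive(self, msg_type, payload=None):
        """Process one client packet; return the message type sent back, if any."""
        if self.closed:
            raise RuntimeError("session closed")
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            user, password = payload
            if self.credentials.get(user) == password:
                self._set_authenticated()
                return SSH_MSG_USERAUTH_SUCCESS
            self.log.append("bad credentials for %r" % user)
            return SSH_MSG_USERAUTH_FAILURE
        if msg_type in (SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_FAILURE):
            if self.strict:
                # Fixed behaviour: direction check before any state change.
                self.log.append("protocol violation: client sent message %d" % msg_type)
                self.closed = True
                return SSH_MSG_DISCONNECT
            # Flawed behaviour: the packet is handled as if the server had produced it.
            if msg_type == SSH_MSG_USERAUTH_SUCCESS:
                self._set_authenticated()
            return None
        self.log.append("unexpected message %d ignored" % msg_type)
        return None


def simulate_client_sent_success(strict):
    """Feed a session one client-sent USERAUTH_SUCCESS; return (authenticated, reply)."""
    session = ServerSession(VALID_CREDENTIALS, strict=strict)
    reply = session.receive(SSH_MSG_USERAUTH_SUCCESS)
    return session.authenticated, reply


def simulate_login(user, password, strict=True):
    """Normal password login path; return (authenticated, reply)."""
    session = ServerSession(VALID_CREDENTIALS, strict=strict)
    reply = session.receive(SSH_MSG_USERAUTH_REQUEST, (user, password))
    return session.authenticated, reply


if __name__ == "__main__":
    print("flawed server, client-sent SUCCESS:", simulate_client_sent_success(strict=False))
    print("fixed server, client-sent SUCCESS: ", simulate_client_sent_success(strict=True))
    print("fixed server, valid login:         ", simulate_login("alice", "correct horse battery staple"))
```

The log entry written on the strict path ("protocol violation: client sent message 52") is also the event worth alerting on: a legitimate client never sends it, so any occurrence on a patched server indicates someone probing for the bypass.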
Sources:
https://thehackernews.com/2018/10/libssh-ssh-protocol-library.html
https://www.zdnet.com/article/security-flaw-in-libssh-leaves-thousands-of-servers-at-risk-ofhijacking/
Thanks to Peraton for this information
APT Group TeleBots Linked to Three Major Cyber Attacks
Advanced Persistent Threats (APT) are being recognized as one of the biggest cyber threats in the industry today. There are many groups globally behind the numerous attacks of this type in recent history. Three major cyber incidents that garnered global attention were the BlackEnergy power grid attack, the Industroyer power grid attack, and the NotPetya malware outbreak. However, what if the same APT group was behind all three of these attacks?
The BlackEnergy attack caused blackouts in the Ukrainian power grid in December 2015. Industroyer, also known as CrashOverride, also attacked the Ukrainian power grid in December 2016 and is the first case of malware designed specifically to target a power grid. After the BlackEnergy attack, the group behind it (also called BlackEnergy) became known as TeleBots and carried out attacks against the Ukrainian financial sector, eventually culminating in the outbreak of the NotPetya malware. There was speculation in the cybersecurity community that the BlackEnergy and Industroyer attacks were both perpetrated by the TeleBots group, but no evidence to support these claims. However, the discovery of another TeleBots malware, Exaramel, by the ESET security group in April 2018 provided the missing link.
Exaramel uses a backdoor that appears to be an upgraded version of the backdoor used by Industroyer. There are many similarities in the code, especially the list of available commands it can receive from its Command and Control (C&C) servers and the way each handles reporting and redirecting output streams. Each backdoor also disguises itself as an antivirus service to avoid detection and groups targets based on the security solutions they use. The similarity between the two led the ESET researchers to conclude that it is unlikely to be a case of coincidental code sharing between threat actors.
Linking TeleBots to Industroyer shows just how much of a threat the group can pose, being the single entity behind three of the most groundbreaking and devastating cyberattacks in history. In addition, the recent claims from multiple governments that Russian military intelligence groups are behind TeleBots throws even more intrigue into the mix and leaves a daunting question: what could TeleBots be up to next?
Sources:
https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraineenergy-grid/138287/
https://www.zdnet.com/article/security-researchers-find-solid-evidencelinking-industroyer-to-notpetya/
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoorlinking-industroyer-notpetya/
Thursday, October 18, 2018
KB4462928 - Critical Update for WS2016 Storage Spaces Direct Deployments
The 10C update for Windows Server 2016 has just been published. It includes critical updates for Storage Spaces Direct deployments and we recommend all customers aggressively adopt it. This update addresses all top known supportability issues.
October 18, 2018—KB4462928 (OS Build 14393.2580)
Important Updates
Specifically, this update includes fixes for the following issues:
- "Event 5120" with STATUS_IO_TIMEOUT c00000b5 after an S2D node restart on Windows Server 2016 May 2018 update or later
- Virtual Disks resources are in No Redundancy or Detached status in a Storage Spaces Direct cluster
2018 NY Metro Joint Cyber Security WEBINAR
The 2018 NY Metro Joint Cyber Security WEBINAR will take place on Thursday, October 18th. NYMJCSC is now in its fifth year, featuring keynotes, panels and sessions aimed at various aspects of information security and technology.
This year will feature a webinar format, allowing NYMJCSC to reach and educate a broader audience.
To register, please go here.
Conference Agenda
Time Slot | Topic | Speaker |
---|---|---|
2:00 - 2:40 | Behavior-based Internal Controls that Prevent Ransomware, Employee Theft, and Denial of Service attacks | Past President, ISACA New Orleans Chapter |
2:45 - 3:25 | Cyber Risk: It's All About People | CISSP, CFE, CIPP/US, FAAFS; Senior Managing Director, Cyber Risk, North America, Kroll (a division of Duff & Phelps) |
3:30 - 4:10 | Cyber Dogfighting: Hacker Decision-Making and the Korean Air War | Assistant Professor, SUNY Delhi School of Business |
4:15 - 4:55 | Assessing Legal and Contractual Risk and Uncertainty with Bug Bounty Programs, Vulnerability Disclosures and Information Sharing | Partner - Tech & Data, Holland & Knight |
4:50 - 5:30 | "Not If but When?" - Leveraging AI to Jettison Mantras of the Past: How AI will Liberate Security of the Future | VP & Ambassador-At-Large, Cylance |
Free NYC Secure app
This new app from NYC:
- Alerts you to unsecure Wi-Fi networks, unsafe apps in Android, system tampering and more
- Helps you protect your phone and your privacy
- $0 to download, $0 to use, no in-app purchases, no ads
How does the app help protect me?
The app detects potential threats in real time to your device, to Wi-Fi networks you may connect to, and, for Android users, it detects whether any app you’ve downloaded might be unsafe. When the app detects a threat, it will send you an alert in real time and offer a recommendation on how to address the threat, such as suggesting you disconnect from a particular Wi-Fi network. These alerts include:
- Device alerts—These alerts warn you about settings or activity that could potentially put your device at risk.
- Network alerts—These alerts warn you about potentially compromised networks you are connected to.
- App alerts (Android only)—These alerts warn you when issues arise on apps you have installed that could compromise your device's security.
Go here to learn more https://secure.nyc/
Free Credit Protection Information
If you haven’t frozen your credit reports yet, this could be your moment.
Under the Economic Growth, Regulatory Relief, and Consumer Protection Act, freezing your credit at all three major credit bureaus, Equifax (1-800-525-6285), Experian (1-800-397-3742) and TransUnion (1-800-680-7289), is now free. Previously, states set the prices for credit freezes, which typically cost about $10.
Other links of importance
- Identity Theft Hotline 1-877-438-4338
- Social Security 1-800-269-0271
- In the United States, you can report tech support scams with the Internet Crime Complaint Center (IC3) or use the FTC Complaint Assistant form.
Another tool you might want to look at is Equifax Lock & Alert. This service allows you to lock and unlock your Equifax credit report for free, online or with the Equifax Lock & Alert app. By locking your credit report, you can restrict access to it by third parties, with certain exceptions. These exceptions, for instance, may include lenders and creditors where you have existing accounts. Federal, state and local government agencies are also exceptions.
Locking your Equifax credit file will prevent access to it by certain third parties. Locking your Equifax credit file will not prevent access to your credit file at any other credit reporting agency. Entities that may still have access to your Equifax credit file include: companies like Equifax Global Consumer Solutions which provide you with access to your credit report or credit score, or monitor your credit file; federal, state, and local government agencies; companies reviewing your application for employment; companies that have a current account or relationship with you, and collection agencies acting on behalf of those whom you owe; for fraud detection purposes; and companies that wish to make pre-approved offers of credit or insurance to you. To opt out of such pre-approved offers, visit www.optoutprescreen.com.
Draft of NIST’s Transport Layer Security (TLS) Guidance Now Available for Comment: SP 800-52 Rev. 2
NIST has released a second draft of NIST Special Publication (SP) 800-52 Revision 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. It provides guidance for selecting and configuring TLS protocol implementations that utilize NIST-recommended cryptographic algorithms and Federal Information Processing Standards (FIPS). The document requires that government TLS servers and clients support TLS 1.2 configured with FIPS-based cipher suites, and recommends that agencies develop migration plans to support TLS 1.3 by January 1, 2024.
A public comment period for this document is open until November 16, 2018.
CSRC Update:
Publication Details:
Disaster Relief: Don't be a victim of fraud
As a public service announcement I am copying and posting this on my blog. The original content comes from the CENTER FOR CYBER SAFETY AND EDUCATION.
We have all seen the devastation and trail of destruction that events such as hurricanes, tornadoes, and earthquakes can cause. But before you take out your credit card, make sure your donations are really going to the victims and those that are helping provide them with the materials to survive and start their lives over again. While our hearts ache with helplessness, others’ fill with greed and see this as the perfect opportunity to exploit your sympathies and deceive you into sending money.
If you want to help by donating, make sure you know who you are really donating to before you give out your credit card number or write a check.
Any time you give to a charity, you want to do your homework, but in a crisis like this, we are often inspired by social media or by what we see on television and rush to make a donation. It is in times like these that we recommend you stick with the bigger, established organizations with proven track records. These organizations have the resources and structures to maximize your donation with minimal overhead, meaning more of your money will go to help victims. You can find a great list of them at https://www.nvoad.org/voad-members/national-members/. Some unknown “charities”, GoFundMe-style requests, and social media outreaches you come across may be legitimate, but many are not. Even if they are really trying to help, it is not uncommon for organizations like these to have high overhead and administrative cost that will result in only a small amount of your donation actually making its way to help the victims.
TIPS WHEN GIVING DURING A CRISIS:
- Don’t give over the phone or click on links found in emails or social media. Go directly to the official website for a charity that you are familiar with and donate on their page. Don’t give to any third party solicitations.
- Be skeptical of cash requests in front of your local grocery store or other establishments. Who are these people? Don’t be fooled by what they say or how they are dressed. Ask questions, or better yet, go back home, research them and then donate online.
- Don’t be fooled by celebrity names being attached to a campaign. The organization could be using someone’s name without their permission, or that celebrity could also have been duped and is unwittingly lending their name to what they think is a good cause.
- Don’t fall for all the sad stories you are going to see and read about where they ask you to give to help a specific victim. There will be hundreds of thousands of such stories. You can best help by supporting legitimate charities, not by sending them money directly.
- Give directly to your charity of choice and designate that you want the money to go to their Hurricane Michael Relief efforts. This will restrict them from using the money to fund their other ongoing programs.
Your help and support of others is greatly appreciated. Just make sure you don’t get scammed and become a victim yourself.
Friday, October 5, 2018
GhostDNS: 100,000 Infected Routers
Several research labs have released their findings on a new variant of DNSChanger. A new router-based exploit known as GhostDNS appears to combine three variations of DNSChanger. By using Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger, GhostDNS can infect over 70 different router models. However, GhostDNS is more than the sum of its DNSChanger components: analysts have also identified a web admin module, a Rogue DNS module, and a phishing module.
GhostDNS scans the internet for routers it can exploit through vulnerabilities or weak security, using its scripts (Shell, Java, Python, PHP) to attack poorly secured web administration consoles and deploy its payload. The primary purpose is to change the device’s DNS settings so that traffic is forwarded to Rogue DNS servers. Once this is done, the unsuspecting user is redirected to phishing landing pages when attempting to reach various online services. Banking portals, telecoms, ISPs and Netflix appear to be among the most common phishing targets of this malware.
While there has been some disagreement about how long this campaign has been running, it is widely agreed that it has infected over 100,000 routers, 86% of them located in Brazil. The other 24% have been reported across other South American countries. The DNS redirection service known as Rogue has been detected on many notable cloud services, including Amazon, OVH, Google, Telefonica, and Oracle, and researchers have been in contact with the larger networks and ISPs to shut down the network.
The GhostDNS payload can deliver over 100 scripts via remote access or by utilizing exploits, and can attack hardware from older HP (3Com), A-Link, Alcatel / Technicolor, Antena, C3-Tech, Cisco, D-Link, Elsys, Fibrehome, Fiberlink, Geneko, Greatek, Huawei, Intelbras, Kaiomy, LinkOne, MikroTik, MPI Networks, Multilaser, OIWTECH, Perfect, Qtech, Ralink, Roteador, Sapido, Secutech, Siemens, Technic, Tenda, Thomson, TP-Link, Ubiquiti, Viking, ZTE, and Zyxel routers.
Analysts offer some advice for avoiding this kind of attack. Update your router’s firmware to the latest available version and use complex, strong passwords. Consider disabling any web administration on your device. Finally, hardcode your DNS settings to use only trusted DNS servers on both your router and your OS.
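The last piece of advice, checking that both the OS and the router point only at resolvers you trust, is the one a defender can automate. The following Python is an added example written for this post, not code from any of the cited research teams: it parses a resolv.conf-style file, takes the router’s upstream resolver list as a second input, and flags any resolver that is neither on an allowlist nor a local forwarder. The allowlist, the LAN prefix and the sample inputs are constructed for the example; a resolver that is the router’s own LAN address is reported separately, because it is only as safe as the router’s upstream setting, which is exactly what GhostDNS changes.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed allowlist for this example: replace with the resolvers your
# organisation operates or has decided to trust.
TRUSTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "9.9.9.9", "2620:fe::fe")}

# Constructed LAN prefix: a resolver inside it is the router itself (or a
# local stub), so the router's own upstream list must be audited as well.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")


def parse_resolv_conf(text: str) -> List[str]:
    """Return the addresses of all 'nameserver' lines in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr: str, trusted=TRUSTED_RESOLVERS, lan=LAN_NETWORK) -> str:
    """Label one resolver address as trusted, forwarder, untrusted or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip in trusted:
        return "trusted"
    if ip.is_loopback or ip in lan:      # 'in' is False for a v6 address and a v4 prefix
        return "forwarder"
    return "untrusted"


def audit_resolvers(os_servers: Iterable[str],
                    router_upstreams: Iterable[str]) -> Dict[str, List[str]]:
    """Group every configured resolver (OS and router) by classification.

    Entries under 'untrusted' are candidate DNS hijacks and should be
    investigated; 'forwarder' entries are only as safe as the router's
    upstream list, which is why both sources are audited together.
    """
    findings: Dict[str, List[str]] = {"trusted": [], "forwarder": [], "untrusted": [], "invalid": []}
    for source, servers in (("os", os_servers), ("router", router_upstreams)):
        for addr in servers:
            findings[classify_resolver(addr)].append(f"{source}:{addr}")
    return findings


def is_clean(findings: Dict[str, List[str]]) -> bool:
    """True when no resolver is untrusted or malformed."""
    return not findings["untrusted"] and not findings["invalid"]


# Constructed sample inputs: an OS pointing at the router plus one public
# resolver, and a router whose upstream list now contains an unknown host.
SAMPLE_RESOLV_CONF = """\
# constructed /etc/resolv.conf
nameserver 192.168.1.1
nameserver 1.1.1.1
"""
SAMPLE_ROUTER_UPSTREAMS = ["203.0.113.53", "9.9.9.9"]   # 203.0.113.0/24 is a documentation range

if __name__ == "__main__":
    report = audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF), SAMPLE_ROUTER_UPSTREAMS)
    for label, entries in report.items():
        print(f"{label:>10}: {entries}")
    print("clean" if is_clean(report) else "ALERT: unexpected resolver configured")
```

On a real system, feed `parse_resolv_conf` the contents of `/etc/resolv.conf` (or the equivalent output of your OS’s network tooling) and fill `SAMPLE_ROUTER_UPSTREAMS` from the router’s DNS page; running the check on a schedule turns the “hardcode trusted DNS servers” advice into something that alerts when it stops being true.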
Sources
https://thehackernews.com/2018/10/ghostdns-botnet-routerhacking.html
https://www.theregister.co.uk/2018/10/02/ghostdns_router_hacking/
http://blog.netlab.360.com/70-different-types-of-home-routers-alltogether-100000-are-being-hijacked-by-ghostdns-en/
Thursday, October 4, 2018
Supply Chain Issue
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Here is a great article on supply chain security on the Bloomberg site. The article is here.
Wednesday, October 3, 2018
Facebook Breach
10/03/2018 01:30 PM EDT
Original release date: October 03, 2018
The Federal Trade Commission (FTC) has released an alert to provide Facebook users with recommended precautions against identity theft after the recent breach of the Facebook social media platform.
NCCIC encourages users and administrators to review the FTC Alert and the NCCIC Tip on Preventing and Responding to Identity Theft. If you believe you are a victim of identity theft, visit the FTC’s identity theft website to make a report.
Tuesday, October 2, 2018
2018 NY Metro Joint Cyber Security WEBINAR
October 18th
WEBINAR
The 2018 NY Metro Joint Cyber Security WEBINAR will take place on Thursday, October 18th. NYMJCSC is now in its fifth year, featuring keynotes, panels and sessions aimed at various aspects of information security and technology.
This year will feature a webinar format allowing NYMJCSC to reach and educate a broader audience.
Register Here for the Webinar on Thursday, October 18th
Time Slot | Topic | Speaker |
---|---|---|
2:00 - 2:40 | Behavior-based Internal Controls that Prevent Ransomware, Employee Theft, and Denial of Service attacks | Jeffrey Wagar |
2:45 - 3:25 | Cyber Risk: It's All About People | Alan Brill |
3:30 - 4:10 | Cyber Dogfighting: Hacker Decision-Making and the Korean Air War | Mathew J. Heath Van Horn |
4:15 - 4:55 | Assessing Legal and Contractual Risk and Uncertainty with Bug Bounty Programs, Vulnerability Disclosures and Information Sharing | Mark H. Francis |
4:50 - 5:30 | "Not If but When?" - Leveraging AI to Jettison Mantras of the Past: How AI will Liberate Security of the Future | John McClurg |
Register Here for the Webinar on Thursday, October 18th
Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019
Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows 10 version 1809 (a.k.a., “Redstone 5” or “RS5”), and for Windows Server 2019. Please evaluate these proposed baselines and send us your feedback via blog comments below.
Download the content here: Windows-10-1809-Security-Baseline-DRAFT.zip
The downloadable attachment to this blog post includes importable GPOs, a PowerShell script for applying the GPOs to local policy, custom ADMX files for Group Policy settings, documentation in spreadsheet form and as a Policy Analyzer file (MSFT-Win10-v1809-RS5-WS2019-DRAFT.PolicyRules). In this release, we have changed the documentation layout in a few ways:
- MS Security Baseline Windows 10 v1809 and Server 2019.xlsx – multi-tabbed workbook listing all Group Policy settings that ship in-box with Windows 10 v1809 or Windows Server 2019. Columns for “Windows 10 v1809,” “WS2019 Member Server,” and “WS2019 DC” show the recommended settings for those three scenarios. A small number of cells are color-coded to indicate that the settings should not be applied to systems that are not joined to an Active Directory domain. Cells in the “WS2019 DC” columns are also highlighted when they differ from the corresponding cells in the “WS2019 Member Server” column. Another change from past spreadsheets is that we have combined tabs that used to be separate. Specifically, we are no longer breaking out Internet Explorer and Windows Defender AV settings into separate tabs, nor the settings for LAPS, MS Security Guide, and MSS (Legacy). All these settings are now in the Computer and User tabs.
- BaselineDiffs-to-v1809-RS5-DRAFT.xlsx – This Policy Analyzer-generated workbook lists the differences in Microsoft security configuration baselines between the new baselines and the corresponding previous baselines. The Windows 10 v1809 settings are compared against those for Windows 10 v1803, and the Windows Server 2019 baselines are compared against those for Windows Server 2016.
- Windows 10 1803 to 1809 New Settings.xlsx – Lists all the settings that are available in Windows 10 v1809 that were added since Windows 10 v1803. (We used to highlight these settings in the big all-settings spreadsheets.)
- Server 2016 to 2019 New Settings.xlsx – Lists all the settings that are available in Windows Server 2019 that were added since Windows Server 2016. (We used to highlight these settings in the big all-settings spreadsheets.)
Highlights of the differences from past baselines, which are listed in BaselineDiffs-to-v1809-RS5-DRAFT.xlsx:
- The MS Security Guide custom setting protecting against potentially unwanted applications (PUA) has been deprecated, and is now implemented with a new setting under Computer Configuration\...\Windows Defender Antivirus.
- We have enabled the “Encryption Oracle Remediation” setting we had considered for v1803. At the time we were concerned that enabling the newly-introduced setting would break too many not-yet-patched systems. We assume that systems have since been brought up to date. (You can read information about the setting here and here.)
- Changes to Virtualization-Based Security settings (used by Credential Guard and Code Integrity):
- “Platform Security Level” changed from “Secure Boot and DMA Protection” to “Secure Boot.” If system hardware doesn’t support DMA protection, selecting “Secure Boot and DMA Protection” prevents Credential Guard from operating. If you can affirm that your systems support the DMA protection feature, choose the stronger option. We have opted for “Secure Boot” (only) in the baseline to reduce the likelihood that Credential Guard fails to run.
- Enabled the new System Guard Secure Launch setting, which will enable Secure Launch on new capable hardware. Secure Launch changes the way Windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment.
- Enabled the “Require UEFI Memory Attributes Table” option.
- Enabled the new Kernel DMA Protection feature described here. The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated.
- Removed the BitLocker setting, “Allow Secure Boot for integrity validation,” as it merely enforced a default that was unlikely to be modified even by a misguided administrator.
- Removed the BitLocker setting, “Configure minimum PIN length for startup,” as new hardware features reduce the need for a startup PIN, and the setting increased Windows’ minimum by only one character.
- Enabled the new Microsoft Edge setting to prevent users from bypassing certificate error messages, bringing Edge in line with a similar setting for Internet Explorer.
- Removed the block against handling PKU2U authentication requests, as the feature is increasingly necessary.
- Removed the configuration of the “Create symbolic links” user rights assignment, as it merely enforced a default, was unlikely to be modified by a misguided administrator or for malicious purposes, and needs to be changed to a different value when Hyper-V is enabled.
- Removed the deny-logon restrictions against the Guests group as unnecessary: by default, the Guest account is the only member of the Guests group, and the Guest account is disabled. Only an administrator can enable the Guest account or add members to the Guests group.
- Removed the disabling of the xbgm (“Xbox Game Monitoring”) service, as it is not present in Windows 10 v1809. (By the way, consumer services such as the Xbox services have been removed from Windows Server 2019 with Desktop Experience!)
- Removed Credential Guard from the Domain Controller baseline. (Credential Guard is not useful on domain controllers and is not supported there.)
- Created and enabled a new custom MS Security Guide setting for the domain controller baseline, “Extended Protection for LDAP Authentication (Domain Controllers only),” which configures the LdapEnforceChannelBinding registry value described here.
- The Server 2019 baselines pick up all the changes accumulated in the four Windows 10 releases since Windows Server 2016.
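Several of the highlights above (the Virtualization Based Security options, Kernel DMA Protection, Encryption Oracle Remediation and LdapEnforceChannelBinding) are policy settings that land as DWORD values in the registry once the GPO applies, so a quick audit can confirm what a machine actually received. The following Python is an added example, not part of the Microsoft post or its Policy Analyzer tooling: it reads those values on Windows, decodes them into the labels used above, and compares them with the choices the draft baseline describes. The registry paths, value names and numeric encodings are this example’s assumptions from the policy ADMX definitions (they are not quoted on the page, so verify them against your own templates), and the accepted value for Encryption Oracle Remediation is likewise an assumption. The evaluation logic is separated from the registry read so it can be exercised with the constructed sample on any platform.

```python
import platform
from typing import Dict, List, Optional, Set, Tuple

# Registry locations of the policy-backed settings discussed above. Key paths
# and value names are this example's assumptions from the DeviceGuard, Kernel
# DMA Protection, CredSSP and NTDS policy definitions; verify against your ADMX.
DEVICE_GUARD = r"SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
KERNEL_DMA = r"SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection"
CREDSSP = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
NTDS = r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters"

# (key, value name, label, decoding of the DWORD, values the draft baseline accepts).
# An empty accepted set means "report the value, do not judge it".
Check = Tuple[str, str, str, Dict[int, str], Set[int]]
CHECKS: List[Check] = [
    (DEVICE_GUARD, "EnableVirtualizationBasedSecurity", "Virtualization Based Security",
     {0: "Disabled", 1: "Enabled"}, {1}),
    (DEVICE_GUARD, "RequirePlatformSecurityFeatures", "Platform Security Level",
     {1: "Secure Boot", 3: "Secure Boot and DMA Protection"}, {1}),
    (DEVICE_GUARD, "HVCIMATRequired", "Require UEFI Memory Attributes Table",
     {0: "Not required", 1: "Required"}, {1}),
    (DEVICE_GUARD, "ConfigureSystemGuardLaunch", "System Guard Secure Launch",
     {1: "Enabled"}, {1}),
    (KERNEL_DMA, "DeviceEnumerationPolicy", "Kernel DMA Protection: external device enumeration",
     {0: "Block all", 1: "Only after log in/screen unlock", 2: "Allow all"}, set()),
    (CREDSSP, "AllowEncryptionOracle", "Encryption Oracle Remediation",
     {0: "Force Updated Clients", 1: "Mitigated", 2: "Vulnerable"}, {0}),  # accepted value assumed
    (NTDS, "LdapEnforceChannelBinding", "Extended Protection for LDAP Authentication (DCs only)",
     {0: "Never", 1: "When supported", 2: "Always"}, set()),
]

Values = Dict[Tuple[str, str], Optional[int]]


def read_policy_values() -> Values:
    """Read every checked value from the live registry (Windows only).

    Absent keys or values map to None. On other platforms an empty mapping is
    returned so that evaluate() can still be run with constructed data.
    """
    if platform.system() != "Windows":
        return {}
    import winreg  # only available on Windows
    values: Values = {}
    for key, name, *_ in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                data, _kind = winreg.QueryValueEx(handle, name)
                values[(key, name)] = int(data)
        except OSError:  # key or value not present
            values[(key, name)] = None
    return values


def evaluate(values: Values) -> List[Dict[str, str]]:
    """Decode each collected value and compare it with the baseline's choice."""
    findings = []
    for key, name, label, decode, accepted in CHECKS:
        raw = values.get((key, name))
        if raw is None:
            status, meaning = ("missing" if accepted else "not set"), "-"
        else:
            meaning = decode.get(raw, f"unknown value {raw}")
            status = "ok" if (not accepted or raw in accepted) else "mismatch"
        note = ""
        if name == "RequirePlatformSecurityFeatures" and raw == 3:
            # The point the baseline post makes about this option.
            note = ("Credential Guard will not start on hardware without DMA protection; "
                    "the draft baseline chooses Secure Boot only for that reason")
        findings.append({"setting": label, "value": meaning, "status": status, "note": note})
    return findings


def failures(findings: List[Dict[str, str]]) -> List[str]:
    """Names of settings that are missing or differ from the baseline."""
    return [f["setting"] for f in findings if f["status"] in ("missing", "mismatch")]


# Constructed sample: VBS on, the stronger platform level, MAT required,
# no Secure Launch value, DMA policy set, CredSSP left on Vulnerable, not a DC.
SAMPLE_VALUES: Values = {
    (DEVICE_GUARD, "EnableVirtualizationBasedSecurity"): 1,
    (DEVICE_GUARD, "RequirePlatformSecurityFeatures"): 3,
    (DEVICE_GUARD, "HVCIMATRequired"): 1,
    (DEVICE_GUARD, "ConfigureSystemGuardLaunch"): None,
    (KERNEL_DMA, "DeviceEnumerationPolicy"): 0,
    (CREDSSP, "AllowEncryptionOracle"): 2,
    (NTDS, "LdapEnforceChannelBinding"): None,
}

if __name__ == "__main__":
    live = read_policy_values()
    for f in evaluate(live or SAMPLE_VALUES):
        print(f"{f['status']:>8}  {f['setting']}: {f['value']}  {f['note']}")
```

Run it as an administrator on a machine after the GPO has applied; a `mismatch` on Platform Security Level with the DMA note is the case the post warns about, and `missing` on a setting the baseline expects usually means the GPO has not applied rather than that the feature is off.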
NIST final public draft Special Publication 800-37, Revision 2
NIST announces the final public draft Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations--A System Life Cycle Approach for Security and Privacy.
There are seven major objectives for this update:
- To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
- To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
- To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
- To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
- To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1, with the relevant tasks in the RMF;
- To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
- To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.
The addition of the Prepare step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.
In addition to seeking your comments on this final public draft, we are specifically seeking feedback on a new RMF Task P-13, Information Life Cycle. The life cycle describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion. Identifying and understanding all stages of the information life cycle have significant implications for security and privacy. We are seeking comment on how organizations would execute this task and how we might provide the most helpful discussion to assist organizations in the execution.
The public comment period for the draft publication is October 2 through October 31. Please submit comments using the comment template to sec-cert@nist.gov.