Starwood Guest Reservation Database Security Incident – Marriott

30 November 2018

Marriott values our guests and
understands the importance of protecting personal information. We have taken
measures to investigate and address a data security incident involving the
Starwood guest reservation database. The investigation has determined that
there was unauthorized access to the database, which contained guest
information relating to reservations at Starwood properties on or before
September 10, 2018. This notice explains what happened, measures we have taken,
and some steps you can take in response.

On September 8, 2018, Marriott
received an alert from an internal security tool regarding an attempt to access
the Starwood guest reservation database. Marriott quickly engaged leading
security experts to help determine what occurred. Marriott learned during the
investigation that there had been unauthorized access to the Starwood network
since 2014. Marriott recently discovered that an unauthorized party had copied
and encrypted information, and took steps towards removing it. On November 19,
2018, Marriott was able to decrypt the information and determined that the
contents were from the Starwood guest reservation database.

Marriott has not finished
identifying duplicate information in the database, but believes it contains
information on up to approximately 500 million guests who made a reservation at
a Starwood property. For approximately 327 million of these guests, the
information includes some combination of name, mailing address, phone number,
email address, passport number, Starwood Preferred Guest (“SPG”) account
information, date of birth, gender, arrival and departure information,
reservation date, and communication preferences. For some, the information also
includes payment card numbers and payment card expiration dates, but the
payment card numbers were encrypted using Advanced Encryption Standard
encryption (AES-128). There are two components needed to decrypt the payment
card numbers, and at this point, Marriott has not been able to rule out the
possibility that both were taken. For the remaining guests, the information was
limited to name and sometimes other data such as mailing address, email
address, or other information. Marriott reported this incident to law
enforcement and continues to support their investigation. We have already begun
notifying regulatory authorities.

Go here
for more information

Major Online Ad Fraud Operation

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

 

11/27/2018 12:09 PM EST

 

Original
release date: November 27, 2018

Systems Affected

Microsoft Windows

Overview

This joint Technical Alert (TA) is the result of analytic efforts between
the Department of Homeland Security (DHS) and the Federal Bureau of
Investigation (FBI). DHS and FBI are releasing this TA to provide
information about a major online ad fraud operation—referred to by the U.S.
Government as “3ve”—involving the control of over 1.7 million
unique Internet Protocol (IP) addresses globally, when sampled over a
10-day window.

Description

Online advertisers desire premium websites on which to publish their ads and
large numbers of visitors to view those ads. 3ve created fake versions of both
(websites and visitors), and funneled the advertising revenue to cyber
criminals. 3ve obtained control over 1.7 million unique IPs by
leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as
well as Border Gateway Patrol-hijacked IP addresses. 

Boaxxe/Miuref
Malware

Boaxxe malware is spread through email attachments and drive-by downloads.
The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a
data center. Hundreds of machines in this data center are browsing to
counterfeit websites. When these counterfeit webpages are loaded into a
browser, requests are made for ads to be placed on these pages. The machines in
the data center use the Boaxxe botnet as a proxy to make requests for these
ads. A command and control (C2) server sends instructions to the infected
botnet computers to make the ad requests in an effort to hide their true data
center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by
downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden
Chromium Embedded Framework (CEF) browser on the infected machine that the user
cannot see. A C2 server tells the infected machine to visit counterfeit
websites. When the counterfeit webpage is loaded in the hidden browser,
requests are made for ads to be placed on these counterfeit pages. The infected
machine receives the ads and loads them into the hidden browser.

Impact

For the indicators of
compromise (IOCs) below, keep in mind that any one indicator on its own may not
necessarily mean that a machine is infected. Some IOCs may be present for legitimate
applications and network traffic as well, but are included here for
completeness.

Boaxxe/Miuref
Malware

Boaxxe malware leaves several executables on the infected machine. They may
be found in one or more of the following locations:

  • %UserProfile%AppDataLocalVirtualStorelsass.aaa
  • %UserProfile%AppDataLocalTemp lt;RANDOM>.exe
  • %UserProfile%AppDataLocal lt;Random eight-character folder
    name> lt;original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the
executables created above.

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun lt;Above path
    to executable>

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may
be found on the infected machine:

  • %UserProfileAppDataLocalTemp lt;RANDOM> .exe/.bat
  • %UserProfile%AppDataLocalMicrosoftWindowsTemporary Internet
    FilesContent.IE5 lt;RANDOM> lt;RANDOM FILENAME>.exe
  • %UserProfile%AppDataLocal lt;RANDOM> lt;RANDOM>.lnk
  • %UserProfile%AppDataLocal lt;RANDOM> lt;RANDOM>.bat

Kovter is known to hide in the registry under:

  • HKCUSOFTWARE lt;RANDOM> lt;RANDOM>

The customized CEF browser is dropped to:

  • %UserProfile%AppDataLocal lt;RANDOM>

The keys will look like random values and contain scripts. In some values, a
User-Agent string can be clearly identified. An additional key containing a
link to a batch script on the hard drive may be placed within registry key:

  • HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun

There are several patterns in the network requests that are made by Kovter
malware when visiting the counterfeit websites. The following are regex rules
for these URL patterns:

  • /?ptrackp=d{5,8}
  • /feedrsd/click?feed_id=d{1,5}&sub_id=d{1,5}&cid=[a-f0-9-]*&spoof_domain=[w.d-_]*&land_ip=d{1,3}.d{1,3}.d{1,3}.d{1,3}
  • /feedrsd/vast_track?a=impression&feed_id=d{5}&sub_id=d{1,5}&sub2_id=d{1,5}&cid=[a-fd-]

The following is a YARA rule for detecting Kovter:

rule
KovterUnpacked {

  meta:
    desc = "Encoded strings in unpacked Kovter
samples."

  strings:
    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
  condition:
    all of them
}

Solution

If you believe you may be a victim of 3ve and its associated malware or
hijacked IPs, and have information that may be useful to investigators, submit
your complaint to
www.ic3.gov and use the
hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware
infections associated with Boaxxe/Miuref or Kovter:

  • Use
    and maintain antivirus software.
    Antivirus software recognizes and protects your
    computer against most known viruses. Security companies are continuously
    updating their software to counter these advanced threats. Therefore, it
    is important to keep your antivirus software up-to-date. If you suspect
    you may be a victim of malware, update your antivirus software definitions
    and run a full-system scan. (See
    Understanding Anti-Virus
    Software
    for more information.)
  • Avoid
    clicking links in email.
    Attackers have become very skilled at making phishing
    emails look legitimate. Users should ensure the link is legitimate by
    typing the link into a new browser. (See
    Avoiding Social
    Engineering and Phishing Attacks
    .)
  • Change
    your passwords.
    Your
    original passwords may have been compromised during the infection, so you
    should change them. (See
    Choosing and Protecting
    Passwords
    .)
  • Keep
    your operating system and application software up-to-date.
    Install software patches
    so that attackers cannot take advantage of known problems or
    vulnerabilities. You should enable automatic updates of the operating
    system if this option is available. (See
    Understanding Patches and
    Software Updates 
    for more information.)
  • Use
    anti-malware tools.
    Using a legitimate program that identifies and removes
    malware can help eliminate an infection. Users can consider employing a
    remediation tool. A non-exhaustive list of examples is provided below. The
    U.S. Government does not endorse or support any particular product or
    vendor.

References

There are many frameworks that you can use to protect a company infrastructure

They are many different
approaches to helping a company look at protection of assets and data for a repeatable
process.

There is Cobit
by ISACA, COBIT stands for Control Objectives for Information and Related
Technology. It is a framework created by the ISACA (Information Systems Audit
and Control Association) for IT governance and management. It was designed to
be a supportive tool for managers—and allows bridging the crucial gap between
technical issues, business risks, and control requirements. You can learn about
COBIT
here.

The National Institute of Standards and Technology  (NIST) SP 800
The NIST SP 800 documents are a series of publications put forth by the
National Institute of Standards and Technology (NIST), which is a
non-regulatory agency of the United States Department of Commerce. The SP 800
series was established in 1990 and has grown quite a bit since then,
encompassing a large, in-depth, and ever-growing set of computer security
documents seen by many as industry leading. Additionally, the NIST SP 800
documents have been well-known to many professionals within the field of
information technology – particularly that of information security -as they
gained additional recognition with the Federal Information Security Management
Act of 2002, known as FISMA. You can see the SP 800 files
here.

Cybersecurity Framework Version 1.1 CSF. This voluntary
Framework consists of standards, guidelines, and best practices to manage
cybersecurity-related risk.  The Cybersecurity Framework’s prioritized,
flexible, and cost-effective approach helps to promote the protection and
resilience of critical infrastructure and other sectors important to the
economy and national security. You can learn about CSF
here.

The ISO/IEC 27000 family of standards helps organizations
keep information assets secure. Using this family of standards will help your
organization manage the security of assets such as financial information,
intellectual property, employee details or information entrusted to you by
third parties. ISO/IEC 27001 is the best-known standard in the family
providing requirements for an information security management system (ISMS). There
are more than a dozen standards in the 27000 family, you can see them
here.

Most of us know about MITRE CVE’s
who sole purpose is to provide common vulnerability identifiers called “CVE
Entries.” CVE does not provide severity scoring or prioritization ratings for
software vulnerabilities. However, while separate, the CVSS standard can be
used to score the severity of CVE Entries.        

One you might not know about is MITRE ATT&CK™

MITRE also has the ATT&CK™ is a globally-accessible
knowledge base of adversary tactics and techniques based on real-world
observations. The ATT&CK knowledge base is used as a foundation for the
development of specific threat models and methodologies in the private sector,
in government, and in the cybersecurity product and service community.  With the creation of ATT&CK, MITRE is
fulfilling its mission to solve problems for a safer world — by bringing
communities together to develop more effective cybersecurity. ATT&CK is
open and available to any person or organization for use at no charge. You can
find out more
here.

Windows 10 shortcuts

Keyboard
shortcuts are keys or combinations of keys that provide an alternative
way to do something that you’d typically do with a mouse.

Copy, paste, and other general keyboard shortcuts

Press this key To do this
Ctrl + X Cut the selected item
Ctrl + C (or Ctrl + Insert) Copy the selected item
Ctrl + V (or Shift + Insert) Paste the selected item
Ctrl + Z Undo an action
Alt + Tab Switch between open apps
Alt + F4 Close the active item, or exit the active app
Windows logo key  + L Lock your PC
Windows logo key  + D Display and hide the desktop
F2 Rename the selected item
F3 Search for a file or folder in File Explorer
F4 Display the address bar list in File Explorer
F5 Refresh the active window
F6 Cycle through screen elements in a window or on the desktop
F10 Activate the Menu bar in the active app
Alt + F8 Show your password on the sign-in screen
Alt + Esc Cycle through items in the order in which they were opened
Alt + underlined letter Perform the command for that letter
Alt + Enter Display properties for the selected item
Alt + Spacebar Open the shortcut menu for the active window
Alt + Left arrow Go back
Alt + Right arrow Go forward
Alt + Page Up Move up one screen
Alt + Page Down Move down one screen
Ctrl + F4 Close the active document (in apps that are full-screen and let you have multiple documents open at the same time)
Ctrl + A Select all items in a document or window
Ctrl + D (or Delete) Delete the selected item and move it to the Recycle Bin
Ctrl + R (or F5) Refresh the active window
Ctrl + Y Redo an action
Ctrl + Right arrow Move the cursor to the beginning of the next word
Ctrl + Left arrow Move the cursor to the beginning of the previous word
Ctrl + Down arrow Move the cursor to the beginning of the next paragraph
Ctrl + Up arrow Move the cursor to the beginning of the previous paragraph
Ctrl + Alt + Tab Use the arrow keys to switch between all open apps
Alt + Shift + arrow keys When a group or tile is in focus on the Start menu, move it in the direction specified
Ctrl + Shift + arrow keys When a tile is in focus on the Start menu, move it into another tile to create a folder
Ctrl + arrow keys Resize the Start menu when it’s open
Ctrl + arrow key (to move to an item) + Spacebar Select multiple individual items in a window or on the desktop
Ctrl + Shift with an arrow key Select a block of text
Ctrl + Esc Open Start
Ctrl + Shift + Esc Open Task Manager
Ctrl + Shift Switch the keyboard layout when multiple keyboard layouts are available
Ctrl + Spacebar Turn the Chinese input method editor (IME) on or off
Shift + F10 Display the shortcut menu for the selected item
Shift with any arrow key Select more than one item in a window or on the desktop, or select text in a document
Shift + Delete Delete the selected item without moving it to the Recycle Bin first
Right arrow Open the next menu to the right, or open a submenu
Left arrow Open the next menu to the left, or close a submenu
Esc Stop or leave the current task
 

Windows logo key keyboard shortcuts

Press this key To do this
Windows logo key  Open or close Start
Windows logo key  + A Open Action center
Windows logo key  + B Set focus in the notification area
Windows logo key  + C
Open Cortana in listening mode

Notes

  • This shortcut is turned off by default. To turn it on, select Start  > Settings  > Cortana, and turn on the toggle under Let Cortana listen for my commands when I press the Windows logo key + C.
  • Cortana is available only in certain countries/regions, and some
    Cortana features might not be available everywhere. If Cortana isn’t
    available or is turned off, you can still use search.
Windows logo key  + Shift + C Open the charms menu
Windows logo key  + D Display and hide the desktop
Windows logo key  + Alt + D Display and hide the date and time on the desktop
Windows logo key  + E Open File Explorer
Windows logo key  + F Open Feedback Hub and take a screenshot
Windows logo key  + G Open Game bar when a game is open
Windows logo key  + H Start dictation
Windows logo key  + I Open Settings
Windows logo key  + J  Set focus to a Windows tip when one is available.

When a Windows tip appears, bring focus to the Tip.  Pressing the
keyboard shortcuts again to bring focus to the element on the screen to
which the Windows tip is anchored.

Windows logo key  + K Open the Connect quick action
Windows logo key  + L Lock your PC or switch accounts
Windows logo key  + M Minimize all windows
Windows logo key  + O Lock device orientation
Windows logo key  + P Choose a presentation display mode
Windows logo key  + R Open the Run dialog box
Windows logo key  + S Open search
Windows logo key  + T Cycle through apps on the taskbar
Windows logo key  + U Open Ease of Access Center
Windows logo key  + V Cycle through notifications
Windows logo key  + Shift + V Cycle through notifications in reverse order
Windows logo key  + X Open the Quick Link menu
Windows logo key  + Y Switch input between Windows Mixed Reality and your desktop
Windows logo key  + Z Show the commands available in an app in full-screen mode
Windows logo key  + period (.) or semicolon (;) Open emoji panel
Windows logo key  + comma (,) Temporarily peek at the desktop
Windows logo key  + Pause Display the System Properties dialog box
Windows logo key  + Ctrl + F Search for PCs (if you’re on a network)
Windows logo key  + Shift + M Restore minimized windows on the desktop
Windows logo key  + number Open the desktop and start the app pinned to the taskbar in the
position indicated by the number. If the app is already running, switch
to that app.
Windows logo key  + Shift + number Open the desktop and start a new instance of the app pinned to the taskbar in the position indicated by the number
Windows logo key  + Ctrl + number Open the desktop and switch to the last active window of the app pinned to the taskbar in the position indicated by the number
Windows logo key  + Alt + number Open the desktop and open the Jump List for the app pinned to the taskbar in the position indicated by the number
Windows logo key  + Ctrl + Shift + number Open the desktop and open a new instance of the app located at the given position on the taskbar as an administrator
Windows logo key  + Tab Open Task view
Windows logo key  + Up arrow Maximize the window
Windows logo key  + Down arrow Remove current app from screen or minimize the desktop window
Windows logo key  + Left arrow Maximize the app or desktop window to the left side of the screen
Windows logo key  + Right arrow Maximize the app or desktop window to the right side of the screen
Windows logo key  + Home Minimize all except the active desktop window (restores all windows on second stroke)
Windows logo key  + Shift + Up arrow Stretch the desktop window to the top and bottom of the screen
Windows logo key  + Shift + Down arrow Restore/minimize active desktop windows vertically, maintaining width
Windows logo key  + Shift + Left arrow or Right arrow Move an app or window in the desktop from one monitor to another
Windows logo key  + Spacebar Switch input language and keyboard layout
Windows logo key  + Ctrl + Spacebar Change to a previously selected input
Windows logo key  + Ctrl + Enter Open Narrator
Windows logo key  + Plus (+) Open Magnifier
Windows logo key  + forward slash (/) Begin IME reconversion
Windows logo key  + Ctrl + V Open shoulder taps

 

Command Prompt keyboard shortcuts

Press this key To do this
Ctrl + C (or Ctrl + Insert) Copy the selected text
Ctrl + V (or Shift + Insert) Paste the selected text
Ctrl + M Enter Mark mode
Alt + selection key Begin selection in block mode
Arrow keys Move the cursor in the direction specified
Page up Move the cursor by one page up
Page down Move the cursor by one page down
Ctrl + Home (Mark mode) Move the cursor to the beginning of the buffer
Ctrl + End (Mark mode) Move the cursor to the end of the buffer
Ctrl + Up arrow Move up one line in the output history
Ctrl + Down arrow Move down one line in the output history
Ctrl + Home (History navigation) If the command line is empty, move the viewport to the top of the
buffer. Otherwise, delete all the characters to the left of the cursor
in the command line.
Ctrl + End (History navigation) If the command line is empty, move the viewport to the command
line. Otherwise, delete all the characters to the right of the cursor in
the command line.

 

Dialog box keyboard shortcuts

Press this key To do this
F4 Display the items in the active list
Ctrl + Tab Move forward through tabs
Ctrl + Shift + Tab Move back through tabs
Ctrl + number (number 1–9) Move to nth tab
Tab Move forward through options
Shift + Tab Move back through options
Alt + underlined letter Perform the command (or select the option) that is used with that letter
Spacebar Select or clear the check box if the active option is a check box
Backspace Open a folder one level up if a folder is selected in the Save As or Open dialog box
Arrow keys Select a button if the active option is a group of option buttons

 

File Explorer keyboard shortcuts

Press this key To do this
Alt + D Select the address bar
Ctrl + E Select the search box
Ctrl + F Select the search box
Ctrl + N Open a new window
Ctrl + W Close the active window
Ctrl + mouse scroll wheel Change the size and appearance of file and folder icons
Ctrl + Shift + E Display all folders above the selected folder
Ctrl + Shift + N Create a new folder
Num Lock + asterisk (*) Display all subfolders under the selected folder
Num Lock + plus (+) Display the contents of the selected folder
Num Lock + minus (-) Collapse the selected folder
Alt + P Display the preview panel
Alt + Enter Open the Properties dialog box for the selected item
Alt + Right arrow View the next folder
Alt + Up arrow View the folder that the folder was in
Alt + Left arrow View the previous folder
Backspace View the previous folder
Right arrow Display the current selection (if it’s collapsed), or select the first subfolder
Left arrow Collapse the current selection (if it’s expanded), or select the folder that the folder was in
End Display the bottom of the active window
Home Display the top of the active window
F11 Maximize or minimize the active window

 

Virtual desktops keyboard shortcuts

Press this key To do this
Windows logo key  + Tab Open Task view
Windows logo key  + Ctrl + D Add a virtual desktop
Windows logo key  + Ctrl + Right arrow Switch between virtual desktops you’ve created on the right
Windows logo key  + Ctrl + Left arrow Switch between virtual desktops you’ve created on the left
Windows logo key  + Ctrl + F4 Close the virtual desktop you’re using

 

Taskbar keyboard shortcuts

Press this key To do this
Shift + click a taskbar button Open an app or quickly open another instance of an app
Ctrl + Shift + click a taskbar button Open an app as an administrator
Shift + right-click a taskbar button Show the window menu for the app
Shift + right-click a grouped taskbar button Show the window menu for the group
Ctrl + click a grouped taskbar button Cycle through the windows of the group

 

RID Hijacking

Relative Identifier (RID) Hijacking has recently gained public attention as a simple, novel, and effective technique to maintain persistence on a Windows system after initial compromise. As information security awareness continues to rise in many organizations their overall security posture also increases, especially in larger organizations that can afford it. As a result, many attackers are forced to leverage stealth techniques when targeting these types of companies to bypass security mechanisms.
RID Hijacking effectively allows attackers to assign higher level administrative privileges to lower level accounts that they might have direct access to after initial system compromise. What makes this method so attractive to attackers is that it leverages strictly Windows native commands to execute the technique, does not require installing any additional software, and is a relatively simple process. Therefore, it does not make much noise on a system and in many cases is difficult to detect unless defenders are carefully monitoring the Security Account Manager ( SAM) registry.
Since Windows XP, Windows uses the SAM to store security descriptors for user accounts. These Windows systems store most of this information in the ‘HKLMSAMSAMDomainsAccountUse rs’ key, which does require SYSTEM level privileges to access. This key contains a variety of structured information representing user privilege information. The ‘Names’ subkey contains all the local user account names and looking at the ‘F’ value within this structure is a long number that contains the RID value at hex offset 30 within it along with other interesting information such as whether the account is enabled or disabled. According to security researcher, Sebastian Castro the RID copy stored in the ‘F’ value hex number is the value that is used by the Local Security Authority Subsystem Service (LSASS) and the Security Reference Monitor (SRM) to generate the primary access token used when translating from username to security identifier (SID). This token essentially is used on the system when users are attempting to access system services and applications. So if an attacker can modify the RID value to hex 0x1f4 or 500 in decimal of a guest user account as an example, they can give that guest account system level access. This technique is known as RID hijacking.
Sebastian Castro, the security researcher investigating this vulnerability also published an exploit which automates this attack in Metasploit, which is a popular open source exploit framework used by many worldwide. The exploit can be found at ‘post/windows/manage/ rid_hijack’ within the framework. This exploit has been tested on Windows XP, Windows Server 2003, Windows 8.1, and Windows 10. The best-recommended way to defend against this attack is by monitoring the system registry and looking for inconsistencies within the SAM.
  Sources:
https://threatpost.com/trivial-postintrusion-attack-exploits-windowsrid/138448/  https://csl.com.co/en/rid-hijacking/

Zero-day jQuery Exploit

A zero-day exploit in the jQuery file upload tool may have had an open secret for years. A security researcher at Akamai Security Intelligence Response Team (SIRT) by the name of Larry Cashdollar found the exploit designated CVE-20189206. The vulnerability affects the plugin authored by Sabastian Tschan commonly known as “blueimp”. The jQuery File upload is one of the most starred plugins on github next to the jQuery framework itself. The tool appears to have been forked over 7800 times and has most likely been integrated on thousands of other projects. 
The vulnerability affects Apache web servers that have the plugin and has existed since Apache 2.3.9 when Apache disabled support for .htaccess security configuration files. Unfortunately, jQuery’s file upload relied on .htaccess, and Apache made the change only five days before Sabastian’s plugin was first published. Worse yet it seems that this exploit has been an open secret in the hacker community for years. An attacker can use the vulnerability to upload files without any validation required. This would allow attackers to upload back doors, key loggers, and even execute a web shell on the server. Cashdollar was able to get in touch with Sabastion, and together they were able to work to get the vulnerability fixed in the latest version for the jQuery file upload. However, both noted that it is unlikely to get deployed in all the other projects and/or servers that use the plugin. They stated that there is no accurate way to determine how many projects that have forked from the jQuery file upload and if they are being maintained by applying changes to the master project. Additionally, there are no good ways to determine how many production environments that possibly have the plugin integrated in them.
Cashdollar has also noted that he doubts that he is the only person to find the videos that demonstrate this vulnerability. The videos on YouTube indicate that this exploit has been known and used in some circles for years, so it is possible that hackers have been able to quietly utilize this method to execute remote code on webservers that are using the plugin. However, now that the code has been patched and the exploit has been made public, there is concern that that the risk has increased. With an unknown number of potential forked projects and environments that might use the tool the likelihood that the patch will not entirely eliminate the potential threat. If you want to test your environment for this vulnerability this link will help Https://gethub.com/lcashdol/treee/Exploits/ tree/master/CVE-2018-9206. There you will find the files that will test for three of the most commonly used variations of the exploit software.
Sources:
 https://www.theregister.co.uk/2018/10/22/jquery_file_flaw/
https://searchsecurity.techtarget.com/news/252451045/Zero-day-jQueryplugin-vulnerability-exploited-for-3-years
 https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-activelyexploited-for-at-least-three-years/  

Windows 10, version 1809 Features removed or planned for replacement

Here is a Blog from Microsoft about changes to Windows 10 1809.

Features we removed in this release

We’re removing the following features and functionalities from the
installed product image in Windows 10, version 1809. Applications or
code that depend on these features won’t function in this release unless
you use an alternate method.

Feature Instead you can use…
Business Scanning, also called Distributed Scan Management (DSM) We’re removing this secure scanning and scanner management capability – there are no devices that support this feature.
FontSmoothing setting in unattend.xml The FontSmoothing setting let you specify the font antialiasing
strategy to use across the system. We’ve changed Windows 10 to use ClearType
by default, so we’re removing this setting as it is no longer
necessary. If you include this setting in the unattend.xml file, it’ll
be ignored.
Hologram app We’ve replaced the Hologram app with the Mixed Reality Viewer.
If you would like to create 3D word art, you can still do that in Paint
3D and view your art in VR or Hololens with the Mixed Reality Viewer.
limpet.exe We’re releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.
Phone Companion When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the Phone page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.
Future updates through Windows Embedded Developer Update for Windows Embedded Standard 8 and Windows Embedded 8 Standard We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the Microsoft Update Catalog.

Features we’re no longer developing

We’re no longer actively developing these features and may remove
them from a future update. Some features have been replaced with other
features or functionality, while others are now available from different
sources.

If you have feedback about the proposed replacement of any of these features, you can use the Feedback Hub app.

Feature Instead you can use…
Companion device dynamic lock APIS The companion device framework (CDF) APIs enable wearables and other
devices to unlock a PC. In Windows 10, version 1709, we introduced Dynamic Lock,
including an inbox method using Bluetooth to detect whether a user is
present and lock or unlock the PC. Because of this, and because third
party partners didn’t adopt the CDF method, we’re no longer developing
CDF Dynamic Lock APIs.
OneSync service The OneSync service synchronizes data for the Mail, Calendar, and
People apps. We’ve added a sync engine to the Outlook app that provides
the same synchronization.
Snipping Tool The Snipping Tool is an application included in Windows 10 that is
used to capture screenshots, either the full screen or a smaller, custom
“snip” of the screen. In Windows 10, version 1809, we’re introducing a new universal app, Snip & Sketch,
that provides the same screen snipping abilities, as well as additional
features. You can launch Snip & Sketch directly and start a snip
from there, or just press WIN + Shift + S. Snip & Sketch can also be
launched from the “Screen snip” button in the Action Center. We’re no
longer developing the Snipping Tool as a separate app but are instead
consolidating its functionality into Snip & Sketch.

macOS 10.12 Draft NIST Security Configuration Checklist

NIST invites
comments on Draft Special Publication (SP) 800-179 Revision 1, Guide to Securing macOS 10.12 Systems
for IT Professionals: A NIST Security Configuration Checklist
. This
publication assists IT professionals in securing macOS 10.12 desktop and laptop
systems within various environments. It provides detailed information about the
security features of macOS 10.12 and security configuration guidelines. The
publication recommends and explains tested, secure settings with the objective
of simplifying the administrative burden of improving the security of macOS
10.12 systems in three types of environments: standalone, managed, and
specialized security-limited functionality.

A public comment period for this document is open until November 16, 2018.
We strongly encourage you to use the comment template for submitting your
comments.

CSRC Update:
https://csrc.nist.gov/news/2018/nist-releases-draft-sp-800-179-rev-1-for-comment

Publication Details:
https://csrc.nist.gov/publications/details/sp/800-179/rev-1/draft

SSH ISSUE

For the past four years, thousands of servers may have been subject to an  extremely simple authentication bypass vulnerability. CVE-2018-10933 affects libssh versions since 0.6.0, an implementation library for Secure Shell (SSH) that was released in 2014. It is limited only to certain implementations of SSH and does not affect the widely-used OpenSSH. 
Still, all the attacker has to do is send the server the message SSH2_MSG_USERAUTH_SUCCESS” instead of “SSH2_MSG_USERAUTH_REQUEST” and they have full access. Experts are saying that the overall impact is small, given that OpenSSH is not impacted and a libssh patch has already been released. So how many systems are actually at risk? A quick Shodan search by one researcher returned 6,351 servers just by looking for “libssh”. Another researcher added port 22 to the search, bringing the number down to 3,004. But this doesn’t tell us how many systems are running vulnerable versions of of libssh. And really, pinning down an accurate number is not easy. Shodan doesn’t cover everything that’s out there and what’s out on the internet can change in the blink of an eye. 


Figure 1. Shodan Search for libssh 0.6.0 Source: https://shodan.io

We ran our search anyway and excluded the two patch versions that fix CVE-2018-10933, 0.7.6 and 0.8.4. Our total, 2,973, was only reduced by three for a total of 2,970 systems. Searching only for the first impacted version, 0.6.0, returned 1,259 systems. It’s not a large number, but that’s still over a thousand systems that have not been properly patched in four years. These systems can also easily be found in a matter of minutes.
 

Figure 2. Shodan Search Result Details https://shodan.io
If that isn’t enough, take a second look at the figure above. Most of the identified systems are based in the United States and belong to major communications companies. Sure, the footprint of this vulnerability is pretty small, but it’s exactly the type of low-hanging fruit attackers look for – made all the more enticing by the organizations that appear to be most affected. 
Sources:
 
Thanks to Peraton for this information

APT Group TeleBots Linked to Three Major Cyber Attacks

Advanced Persistent Threats (APT) are being recognized as one of the biggest cyber threats in the industry today. There are many groups globally behind the numerous attacks of this type in recent history. Three major cyber incidents that garnered global attention were the BlackEnergy power grid attack, the Industroyer power grid attack, and the NotPetya malware outbreak. However, what if the same APT group was behind all three of these attacks?
The BlackEnergy attack caused blackouts in the Ukranian power grid in December 2015. Industroyer, also known as CrashOverride, also attacked the Ukranian power grid in December 2016 and is the first case of malware designed to specifically target a power grid. After the BlackEnergy attack, the group behind it (also called BlackEnergy) became known as TeleBots and carried out attacks against the Ukranian financial sector, eventually culminating in the outbreak of the NotPetya malware. There was speculation in the cybersecurity community that the BlackEnergy and Industroyer attacks were both perpetrated by the TeleBots group but no evidence to support these claims. However, the discovery of another TeleBots malware, Exramel, by the ESET security group in April 2018 provided the missing link.
Exramel uses a backdoor that appears to be an upgraded version of the backdoor used by Industroyer. There are many similarities in the code, especially the list of available commands it can receive from its Command and Control (C&C) servers and the way each handles reporting and redirecting output streams. Each backdoor also disguises itself as an antivirus service for detection avoidance and groups targets based on their security solutions being used. The similarity between the two led the ESET researchers to conclude that it is unlikely to be a case of coincidental code sharing between threat actors.
Linking TeleBots to Industroyer shows just how much of a threat the group can pose, being the single entity behind three of the most groundbreaking and devastating cyberattacks in history. In addition, the recent claims from multiple governments that Russian military intelligence groups are behind TeleBots throws even more intrigue into the mix and leaves a daunting question: what could TeleBots be up to next?
Sources:

 https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraineenergy-grid/138287/
 https://www.zdnet.com/article/security-researchers-find-solid-evidencelinking-industroyer-to-notpetya/
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoorlinking-industroyer-notpetya/