2017 data breaches
Winter Olympics Targeted in Wake of Russia Ban
Malicious documents have been discovered in the inboxes of several organizations involved in the Winter Olympics in Pyeongchang, South Korea. The initial target of the email was [email protected], but several other organizations involved with the event were included in the BCC line. The email carried a document titled "Organized by Ministry of Agriculture and Forestry and Pyeongchang Olympics.doc", written in Korean, which on opening ran a macro that launched a PowerShell script containing the malware. The script had been hidden inside an image file embedded in the document using an open source steganography tool. Analysis of the PowerShell script showed that it scheduled tasks to run at set times and established an encrypted channel from the victim's computer to the attacker's remote server.
As of now, no perpetrator has been identified, but researchers believe the attackers' motive was mainly to gather intelligence about the Olympics and the organizations behind the event. Even without a confirmed suspect, the timing is suspicious: the attacks came in the wake of Russia's hacks of Olympic emails. A hacking group associated with the Russian government had stolen and released emails from the International Olympic Committee in what is believed to be a response to Russia's ban from the 2018 Olympics in Pyeongchang.
Going by the name Fancy Bear, the group gained notoriety for attacking the World Anti-Doping Agency in 2016 after Russia was banned from the Olympics when several Russian athletes were found to be using banned substances. Fancy Bear posted on its website medical records of non-Russian athletes who were permitted to take prescription medications such as anti-inflammatories, framing that allowance as a double standard.
The hacks on the Winter Olympics came in the form of phishing campaigns targeting very specific people, including Canadian lawyer Richard McLaren and Colorado lawyer Richard Young, who worked together investigating Russian cheating techniques. With the Olympics only a month away, more attacks from Russia and other countries with a motive to disrupt the games are expected, and the International Olympic Committee is keeping a close eye on possible breaches and attack vectors.
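The attack chain described above (Office document, macro, hidden PowerShell, scheduled task, encrypted channel out) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added example, not code from the original post or from the McAfee and ZDNet analyses it summarises: a small detector run over constructed process-creation log lines. The pipe-separated field layout (timestamp, parent image, image, command line), the file names and the encoded payload are all assumptions made up for this example, not any product's real format or the campaign's real indicators.

```python
"""
Added example (not from the original post or the cited analyses): flag the
Office-macro -> PowerShell -> scheduled-task chain in process-creation events.
The log lines and the 'timestamp|parent|image|cmdline' layout are constructed.
"""
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line markers matching the tradecraft in the article: hidden window,
# bypassed execution policy, encoded payload, PowerShell creating a scheduled task.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|-ep\s+bypass|-executionpolicy\s+bypass|schtasks(\.exe)?\s+/create)",
    re.IGNORECASE,
)

# Constructed sample events (hypothetical paths, task name and payload).
SAMPLE_LOG = """\
2017-12-28T09:12:01|explorer.exe|winword.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\kim\\Downloads\\Olympics.doc"
2017-12-28T09:12:07|winword.exe|powershell.exe|powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2017-12-28T09:12:09|powershell.exe|schtasks.exe|schtasks.exe /create /sc minute /mo 30 /tn Updater /tr powershell.exe
2017-12-28T09:15:44|explorer.exe|powershell.exe|powershell.exe -File C:\\scripts\\inventory.ps1
2017-12-28T09:20:00|services.exe|svchost.exe|svchost.exe -k netsvcs
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed event into its fields; image names are lower-cased."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of rules the event trips (empty list means benign)."""
    reasons = []
    if event["parent"] in OFFICE_PARENTS and event["image"] in SCRIPT_HOSTS:
        reasons.append("office-app spawned script host")
    if event["image"] in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_ARGS.search(event["cmdline"]):
        reasons.append("suspicious powershell arguments")
    if (event["image"] == "schtasks.exe" and event["parent"] in SCRIPT_HOSTS
            and "/create" in event["cmdline"].lower()):
        reasons.append("scheduled task created from script host")
    return reasons


def detect(log_text: str) -> List[Dict[str, object]]:
    """Run every rule over every line and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            alerts.append({"ts": ev["ts"], "image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["image"], "; ".join(alert["reasons"]))
```

Run on the sample, the benign inventory script launched from Explorer is ignored while the macro-spawned PowerShell and the schtasks creation each raise an alert; the parent/child rule is the one that survives attackers renaming or re-encoding the payload, which is why it comes first.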
Sources:
https://www.zdnet.com/article/hackers-target-winter-olympics-with-new-custom-built-fileless-malware/
https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/
https://www.buzzfeed.com/kevincollier/russia-banned-from-the-winter-olympics-apparently-is?utm_term=.nia1j99okQ#.jt57IDDBbr
Article was originally posted on CIP report produced by PERATON
Wireless Info System for Emergency Responders (WISER)
This post is a little different from my usual, but this is a good tool for security professionals.
WISER 5.1 is now available on all platforms! Take a quick look at what's included in this release:
- CHEMM ("CHEMM 2.0") has extensive new and updated content, e.g., guidance and reference materials.
- New Acute Exposure Guideline Levels for airborne chemicals (AEGL) data from the EPA.
- Data updates based on the latest Hazardous Substances Data Bank (HSDB) content.
- Android
  - Upgrades for KitKat. OS 4.4 is now required.
  - Protective distance "point into the wind" feature added for devices with a compass.
- Windows
  - Completely new installer.
  - Leverages new features of .NET. Version 4.6.1 is now required.
- Fixes to Emergency Response Guide UN searches (duplicates now displayed) across all platforms.
- Many smaller updates and bug fixes.
Tutorial Videos
Check out WISER’s new series of YouTube videos. These
videos introduce WISER’s functionality, walk through a known substance
scenario, and explore WISER’s protective distance mapping feature in detail.
Take a look!
Coming Soon
WebWISER enhancements and WISER 5.2, which adds three
toxic syndromes (toxidromes) and related content to CHEMM’s Intelligent
Syndromes Tool (CHEMM-IST) to all WISER platforms.
Also of Interest
Radiation Emergency Medical Management (REMM) is a great
resource for medical management of radiation events, and contains information for First Responders.
A mobile version is also available on the Apple App Store and the Google Play Store.
Intel AMT Provides Backdoor
Intel has been taking a beating lately for the Meltdown and Spectre vulnerabilities discovered in its processors. As if that wasn't enough, a new security flaw was recently discovered in Intel's Active Management Technology (AMT) that can lead to full system compromise. Worse, it bypasses many otherwise strong security measures.
AMT is Intel's technology for letting IT departments remotely monitor, access and maintain corporate computers. It gives a system administrator full control of the system, intended for IT-related tasks, and the system doesn't even need to be powered on, as long as it is connected to a network and a power source. Systems with Intel vPro-enabled processors, as well as many with Xeon processors, include AMT.
The flaw in AMT, discovered by researchers at the Finnish cyber security company F-Secure, can be exploited with under a minute of physical access to the machine. The attacker reboots the system and presses CTRL-P during boot to enter the Intel Management Engine BIOS Extension (MEBx), which handles manual AMT configuration. Most AMT instances are never provisioned by IT departments, so the default password "admin" grants access; the attacker then sets a new password and disables the user notification (opt-in) for remote access. From then on the system can be accessed remotely with full control, as long as the attacker is on the same network as the target.
Wireless access can also be configured at this point by browsing to http://TARGETIP:16992/wlan.htm and logging in as "admin" with the new password. Changing the "Wireless Management" option to "Enabled in S0, Sx/AC" allows remote access over a Wi-Fi network, again provided the attacker is on the same network. AMT can also be configured to allow remote access from anywhere the system has internet connectivity: Intel's Client Initiated Remote Access (CIRA) lets systems connect back to IT management rather than the other way around, and it can be pointed at a server controlled by the attacker instead.
What makes this flaw severe is that AMT can be accessed even with a BIOS password, local firewalls, BitLocker encryption and strong password policies in place. The physical access needed to start the attack is a limiting factor, but clever social engineering or an insider threat can still lead to compromise. Basic IT security practices, such as never leaving systems unattended in unsecured locations, help mitigate this attack. It is also recommended to disable AMT, or set a strong MEBx password, on all systems during the provisioning process.
https://threatpost.com/intel-amt-loophole-allows-hackers-to-gain-control-of-some-pcs-in-under-a-minute/129408/
Article was originally posted on CIP report produced by PERATON
Microsoft 365 powered device lab kit
Microsoft 365 powered device Lab Kit is an updated version of the
Windows 10 Deployment and Management lab kit. This lab is designed to
help you plan your deployment of modern devices running Windows 10
Enterprise and Office 365 Pro Plus, managed by Enterprise Mobility +
Security.
Microsoft 365 powered device makes security the top priority, helps
ease deployment and management, delivers the latest innovation to users,
and provides robust insights that enable IT teams to proactively run
and manage their businesses.
A complete lab environment
The kit includes a pre-configured virtual lab environment with evaluation versions of:
PLUS, the lab can be connected to trials of:
Step-by-step labs
Illustrated lab guides take you through multiple deployment and management scenarios, including:
- Servicing
- Deployment and management
- Security
- Compatibility
Cisco has released security updates to address vulnerabilities affecting multiple products
release date: January 17, 2018
Cisco has released security updates to address vulnerabilities affecting
multiple products. An attacker could exploit one of these vulnerabilities to
take control of an affected system.
NCCIC/US-CERT encourages users and administrators to review the following
Cisco Security Advisories and apply the necessary updates:
- Email Security and Content Security Management Appliance Privilege Escalation Vulnerability, cisco-sa-20180117-esasma
- NX-OS Software Pong Packet Denial of Service Vulnerability, cisco-sa-20180117-nx-os
- Unified Customer Voice Portal Denial of Service Vulnerability, cisco-sa-20180117-cv
Are you an (ISC)² member? Free training: Cyber Forensics Incident Recovery Interactive Lab
Interactive, Hands-On Learning
NIST Releases Draft NIST Internal Report (NISTIR) 7511 Revision 5, Security Content Automation Protocol (SCAP) Version 1.3 Validation Program Test Requirements for public comment.
News Release about DRAFT NISTIR 7511 Rev. 5 document from
the CSRC website
https://csrc.nist.gov/News/2018/NIST-Releases-Draft-NISTIR-7511-Rev-5
To view the Draft NISTIR 7511 Rev. 5 document details:
https://csrc.nist.gov/publications/detail/nistir/7511/rev-5/draft
The NIST Security Content Automation Protocol (SCAP) Validation Program
tests the ability of products and modules to use the features and
functionality available through SCAP and its components. SCAP 1.3
consists of a suite of specifications for standardizing the format and
nomenclature by which security software communicates information about
software flaws and security configurations. The standardization of
security information facilitates interoperability and enables
predictable results among disparate SCAP enabled security software. The
SCAP Validation Program provides vendors an opportunity to have
independent verification that security software correctly processes SCAP
expressed security information and provides standardized output. NISTIR
7511 Revision 5 describes the test requirements for SCAP version 1.3.
Send comments to: <[email protected]>
Deadline to submit comments: February 19, 2018.
Killing stubborn Processes or Services in Windows 10
You can usually kill an application or service from Task Manager by clicking End task, but that does not always work. The first step is to identify the process. Tasklist displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.
Syntax
tasklist [/s Computer [/u Domain\User [/p Password]]] [/fo {TABLE|LIST|CSV}] [/nh] [/fi FilterName [/fi FilterName2 [ ... ]]] [/m [ModuleName] | /svc | /v]
Parameters
/s Computer : Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/u Domain\User : Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.
/p Password : Specifies the password of the user account that is specified in the /u parameter.
/fo {TABLE|LIST|CSV} : Specifies the format to use for the output. Valid values are TABLE, LIST, and CSV. The default format for output is TABLE.
/nh : Suppresses column headers in the output. Valid when the /fo parameter is set to TABLE or CSV.
/fi FilterName : Specifies the types of process(es) to include in or exclude from the query. The following table lists valid filter names, operators, and values.
Name | Operators | Value
Status | eq, ne | RUNNING or NOT RESPONDING
Imagename | eq, ne | Any valid string.
PID | eq, ne, gt, lt, ge, le | Any valid positive integer.
Session | eq, ne, gt, lt, ge, le | Any valid session number.
SessionName | eq, ne | Any valid string.
CPUTime | eq, ne, gt, lt, ge, le | Valid time in the format hh:mm:ss. The mm and ss parameters should be between 0 and 59 and hh can be any valid unsigned numeric value.
Memusage | eq, ne, gt, lt, ge, le | Any valid integer.
Username | eq, ne | Any valid user name ([Domain\]User).
Services | eq, ne | Any valid string.
Windowtitle | eq, ne | Any valid string.
Modules | eq, ne | Any valid string.
/m [ModuleName] : Specifies to show module information for each process. When a module is specified, all the processes using that module are shown. When a module is not specified, all the processes for all the modules are shown. Cannot be used with the /svc or the /v parameter.
/svc : Lists all the service information for each process without truncation. Valid when the /fo parameter is set to TABLE. Cannot be used with the /m or the /v parameter.
/v : Specifies that verbose task information be displayed in the output. Cannot be used with the /svc or the /m parameter.
/? : Displays help at the command prompt.
Remarks
Tasklist is a replacement for
the TList tool.
Examples
The following examples show how you can use the tasklist
command:
tasklist /v /fi "PID gt 1000" /fo csv
tasklist /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "STATUS eq running"
tasklist /v /fi "STATUS eq running"
tasklist /s srvmain /nh
tasklist /s srvmain /s srvny
tasklist /s srvmain /u maindom\hiropln /p p@ssW23 /nh
Once we know the PID or image name of the process or service we want to kill, we can use the Windows 10 TASKKILL command. Taskkill ends one or more tasks or processes; processes can be killed by process ID or image name.
Syntax
taskkill [/s Computer [/u Domain\User [/p Password]]] [/fi FilterName] [/pid ProcessID]|[/im ImageName] [/f][/t]
Parameters
/s Computer : Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
/u Domain\User : Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current logged on user on the computer issuing the command.
/p Password : Specifies the password of the user account that is specified in the /u parameter.
/fi FilterName : Specifies the types of process(es) to include in or exclude from termination. The following are valid filter names, operators, and values.
Name | Operators | Value
Hostname | eq, ne | Any valid string.
Status | eq, ne | RUNNING or NOT RESPONDING
Imagename | eq, ne | Any valid string.
PID | eq, ne, gt, lt, ge, le | Any valid positive integer.
Session | eq, ne, gt, lt, ge, le | Any valid session number.
CPUTime | eq, ne, gt, lt, ge, le | Valid time in the format hh:mm:ss. The mm and ss parameters should be between 0 and 59 and hh can be any valid unsigned numeric value.
Memusage | eq, ne, gt, lt, ge, le | Any valid integer.
Username | eq, ne | Any valid user name ([Domain\]User).
Services | eq, ne | Any valid string.
Windowtitle | eq, ne | Any valid string.
/pid ProcessID : Specifies the process ID of the process to be terminated.
/im ImageName : Specifies the image name of the process to be terminated. Use the wildcard (*) to specify all image names.
/f : Specifies that process(es) be forcefully terminated. This parameter is ignored for remote processes; all remote processes are forcefully terminated.
/t : Specifies to terminate all child processes along with the parent process, commonly known as a tree kill.
/? : Displays help at the command prompt.
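The tasklist and taskkill pair above is usually driven by hand, but `tasklist /fo csv /v` is a machine-readable form that a script can filter and turn into the matching taskkill commands. The following is an added example, not code from the original post or from Microsoft's documentation: it parses that CSV output, applies the same kinds of filters the /fi switch offers, and builds the taskkill command lines (with /t for a tree kill and /f to force, omitting /f for remote targets since the documentation says it is ignored there). The CSV text, process names, PIDs and user names are constructed to look like tasklist /v output; on Windows the script runs the real tasklist instead and prints the commands for review rather than executing them.

```python
"""
Added example (not from the original post or Microsoft's documentation):
parse `tasklist /fo csv /v` output and build the matching taskkill commands.
The sample CSV below is constructed.
"""
import csv
import io
import subprocess
import sys
from typing import Dict, List, Optional

# Column order of `tasklist /fo csv /v`; the header row is part of the output.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","912","Services","0","24,512 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:03","N/A"
"notepad.exe","4488","Console","1","18,204 K","Not Responding","DESKTOP\\alice","0:00:00","Untitled - Notepad"
"powershell.exe","5120","Console","1","61,300 K","Running","DESKTOP\\alice","0:01:12","Windows PowerShell"
"stuck-updater.exe","6001","Console","1","412,992 K","Not Responding","DESKTOP\\alice","0:45:09","Updater"
'''

Row = Dict[str, str]


def parse_tasklist_csv(text: str) -> List[Row]:
    """Turn tasklist's CSV output into one dict per process, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def mem_kb(field: str) -> int:
    """Convert tasklist's '412,992 K' memory column into an integer number of KB."""
    return int(field.replace(",", "").split()[0])


def select_processes(rows: List[Row], status: Optional[str] = None, image: Optional[str] = None,
                     min_mem_kb: Optional[int] = None, exclude_user: Optional[str] = None) -> List[Row]:
    """Filter rows the way /fi would: by status, image name, memory floor and user."""
    picked = []
    for r in rows:
        if status and r["Status"].lower() != status.lower():
            continue
        if image and r["Image Name"].lower() != image.lower():
            continue
        if min_mem_kb is not None and mem_kb(r["Mem Usage"]) < min_mem_kb:
            continue
        if exclude_user and r["User Name"].lower() == exclude_user.lower():
            continue
        picked.append(r)
    return picked


def taskkill_commands(rows: List[Row], force: bool = True, tree: bool = True,
                      computer: Optional[str] = None) -> List[List[str]]:
    """Build one taskkill argv per selected process; PID is used so renamed images cannot dodge it."""
    cmds = []
    for r in rows:
        cmd = ["taskkill"]
        if computer:
            cmd += ["/s", computer]
        cmd += ["/pid", r["PID"]]
        if force and not computer:  # /f is ignored for remote processes (they are always forced)
            cmd.append("/f")
        if tree:
            cmd.append("/t")
        cmds.append(cmd)
    return cmds


def run_tasklist(computer: Optional[str] = None) -> str:
    """Run the real tasklist in CSV mode (Windows only) and return its output."""
    cmd = ["tasklist", "/fo", "csv", "/v"]
    if computer:
        cmd += ["/s", computer]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = run_tasklist() if sys.platform == "win32" else SAMPLE_TASKLIST_CSV
    rows = parse_tasklist_csv(text)
    stuck = select_processes(rows, status="Not Responding", exclude_user="NT AUTHORITY\\SYSTEM")
    for cmd in taskkill_commands(stuck):
        print(" ".join(cmd))  # review, then paste into cmd.exe
```

Killing by PID rather than image name matters when the stubborn process is malware: /im matches whatever the binary calls itself, while the PID from the same tasklist run is unambiguous, and /t takes the children that a respawning parent would otherwise leave behind.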