Several research labs have been releasing their finding on a new take of DNSChanger.  A new router-based exploit known as GhostDNS seems to be made up of three variations of DNSChanger.  By using Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger, GhostDNS can infect over 70 different router models. However, GhostDNS is more than the sum of its DNSChanger components. Analysts have also identified that it also is made up of a web admin module, a RougeDNS module, and a phishing module. 

GhostDNS scans the internet looking for routers that it can exploit due to vulnerability or weak security by using its scripts to attack poorly secured Web Administration consoles via Shell, Java, Python, PHP to deploy its payload. The primary purpose is to change the devices’ DNS setting to forward traffic to RougeDNS servers. Once this is done the unsuspecting user is redirected to the phishing landing pages of online services when they attempt to go to various web services. Banking portals, Telecom’s, ISP’s and Netflix seem to be among the most common phishing targets of this malware.   

While there has been some disagreement about the time frame this campaign has been running, it is widely agreed the campaign has infected over 100,000 routers with 86% located in Brazil. The other 24% have been reported across other South American countries. The DNS redirection service know as Rouge has been detected on many notable cloud services like Amazon, OVH, Google, Telefonica, and Oracle but researchers have been in contact with larger networks and ISP’s to shut down the network. 

The GhostDNS payload can deliver over 100 scripts via remote access or utilizing exploits, and can attack hardware from older HP (3Com), A-Link, Alcatel / Techicolor, Antena, C3-Tech, Cisco, D-Link, Elsys, Fibrehome, Fiberlink, Geneko, Greatek, Huawei, Intelbras, Kaiomy, LinkOne, MikroTik, MPI Networks, Multilaser, OIWTECH, Perfect, Qtech, Ralink, Roteador, Sapido, Secutech, Siemens, Technic, Tenda, Thomson, TP-Link, Ubiquiti, Viking, ZTE, and Zyxel routers. 
Analysts have some advice to not become a victim this kind of attack. It is recommended that you update your firmware to the latest version available for your router and use complex and strong passwords. Consider disabling any web administration on your device. Finally, hardcode your DNS setting to use only trusted DNS servers in both your Router and OS. 

Sources
https://thehackernews.com/2018/10/ghostdns-botnet-routerhacking.html https://www.theregister.co.uk/2018/10/02/ghostdns_router_hacking/ 
http://blog.netlab.360.com/70-different-types-of-home-routers-alltogether-100000-are-being-hijacked-by-ghostdns-en/ h

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

The Federal Trade Commission (FTC) has released an alert to provide Facebook
users with recommended precautions against identity theft after the recent
breach of the Facebook social media platform.

NCCIC encourages users and administrators to review the FTC
Alert and the NCCIC Tip on Preventing and Responding to
Identity Theft. If you believe you are a victim of identity theft, visit
the FTC’s identity theft website
to make a report.

October 18th
WEBINAR

The 2018 NY Metro Joint Cyber Security WEBINAR will take place on Thursday October 18^th.
NYMJCSC is now in its fifth year; featuring keynotes, panels and
sessions aimed at various aspects of information security and
technology.

This year will feature a webinar format allowing NYMJCSC to reach and educate a broader audience.

Register Here for the Webinar on Thursday, October 18th

icrosoft is pleased to announce the draft release of the
security configuration baseline settings for Windows 10 version 1809
(a.k.a., “Redstone 5” or “RS5”), and for Windows Server 2019. Please
evaluate these proposed baselines and send us your feedback via blog
comments below.

Download the content here: Windows-10-1809-Security-Baseline-DRAFT.zip

The downloadable attachment to this blog post includes importable
GPOs, a PowerShell script for applying the GPOs to local policy, custom
ADMX files for Group Policy settings, documentation in spreadsheet form
and as a Policy Analyzer file
(MSFT-Win10-v1809-RS5-WS2019-DRAFT.PolicyRules). In this release, we
have changed the documentation layout in a few ways:

• MS Security Baseline Windows 10 v1809 and Server 2019.xlsx –
  multi-tabbed workbook listing all Group Policy settings that ship
  in-box with Windows 10 v1809 or Windows Server 2019. Columns for
  “Windows 10 v1809,” “WS2019 Member Server,” and “WS2019 DC” show the
  recommended settings for those three scenarios. A small number of cells
  are color-coded to indicate that the settings should not be applied to
  systems that are not joined to an Active Directory domain. Cells in the
  “WS2019 DC” columns are also highlighted when they differ from the
  corresponding cells in the “WS2019 Member Server” column. Another change
  from past spreadsheets is that we have combined tabs that used to be
  separate. Specifically, we are no longer breaking out Internet Explorer
  and Windows Defender AV settings into separate tabs, nor the settings
  for LAPS, MS Security Guide, and MSS (Legacy). All these settings are
  now in the Computer and User tabs.
• BaselineDiffs-to-v1809-RS5-DRAFT.xlsx – This Policy
  Analyzer-generated workbook lists the differences in Microsoft security
  configuration baselines between the new baselines and the corresponding
  previous baselines. The Windows 10 v1809 settings are compared against
  those for Windows 10 v1803, and the Windows Server 2019 baselines are
  compared against those for Windows Server 2016.
• Windows 10 1803 to 1809 New Settings.xlsx – Lists all the
  settings that are available in Windows 10 v1809 that were added since
  Windows 10 v1803. (We used to highlight these settings in the big
  all-settings spreadsheets.)
• Server 2016 to 2019 New Settings.xlsx – Lists all the
  settings that are available in Windows Server 2019 that were added since
  Windows Server 2016. (We used to highlight these settings in the big
  all-settings spreadsheets.)

Highlights of the differences from past baselines, which are listed in BaselineDiffs-to-v1809-RS5-DRAFT.xlsx:

• The MS Security Guide custom setting protecting against potentially
  unwanted applications (PUA) has been deprecated, and is now implemented
  with a new setting under Computer Configuration…Windows Defender
  Antivirus.
• We have enabled the “Encryption Oracle Remediation” setting we had considered for v1803.
  At the time we were concerned that enabling the newly-introduced
  setting would break too many not-yet-patched systems. We assume that
  systems have since been brought up to date. (You can read information
  about the setting hereand here.)
• Changes to Virtualization-Based Security settings (used by Credential Guard and Code Integrity):
  • “Platform Security Level” changed from “Secure Boot and DMA
    Protection” to “Secure Boot.” If system hardware doesn’t support DMA
    protection, selecting “Secure Boot and DMA Protection” prevents
    Credential Guard from operating. If you can affirm that your systems
    support the DMA protection feature, choose the stronger option. We have
    opted for “Secure Boot” (only) in the baseline to reduce the likelihood
    that Credential Guard fails to run.
  • Enabled the new System Guard Secure Launch setting which will enable
    Secure Launch on new capable hardware. Secure Launch changes the way
    windows boots to use Intel Trusted Execution Technology (TXT) and
    Runtime BIOS Resilience features to prevent firmware exploits from being
    able to impact the security of the Windows Virtualization Based
    Security environment.
  • Enabled the “Require UEFI Memory Attributes Table” option.
• Enabled the new Kernel DMA Protection feature described here.
  The “External device enumeration” policy controls whether to enumerate
  external devices that are not compatible with DMA-remapping. Devices
  that are compatible with DMA-remapping are always enumerated.
• Removed the BitLocker setting, “Allow Secure Boot for integrity
  validation,” as it merely enforced a default that was unlikely to be
  modified even by a misguided administrator.
• Removed the BitLocker setting, “Configure minimum PIN length for
  startup,” as new hardware features reduce the need for a startup PIN,
  and the setting increased Windows’ minimum by only one character.
• Enabled the new Microsoft Edge setting to prevent users from
  bypassing certificate error messages, bringing Edge in line with a
  similar setting for Internet Explorer.
• Removed the block against handling PKU2U authentication requests, as the feature is increasingly necessary.
• Removed the configuration of the “Create symbolic links” user rights
  assignment, as it merely enforced a default, was unlikely to be
  modified by a misguided administrator or for malicious purposes, and
  needs to be changed to a different value when Hyper-V is enabled.
• Removed the deny-logon restrictions against the Guests group as
  unnecessary: by default, the Guest account is the only member of the
  Guests group, and the Guest account is disabled. Only an administrator
  can enable the Guest account or add members to the Guests group.
• Removed the disabling of the xbgm (“Xbox Game Monitoring”) service,
  as it is not present in Windows 10 v1809. (By the way, consumer services
  such as the Xbox services have been removed from Windows Server 2019
  with Desktop Experience!)
• Removed Credential Guard from the Domain Controller baseline.
  (Credential Guard is not useful on domain controllers and is not
  supported there.)
• Created and enabled a new custom MS Security Guide setting for the
  domain controller baseline, “Extended Protection for LDAP Authentication
  (Domain Controllers only),” which configures the
  LdapEnforceChannelBinding registry value described here.
• The Server 2019 baselines pick up all the changes accumulated in the four Windows 10 releases since Windows Server 2016.

See the rest of the changes here

NIST announces the final public draft Special
Publication 800-37, Revision 2, Risk Management Framework for
Information Systems and Organizations–A System Life Cycle Approach for
Security and Privacy.

There are seven
major objectives for this update:

• To
  provide closer linkage and communication between the risk management
  processes and activities at the C-suite or governance level of the
  organization and the individuals, processes, and activities at the system
  and operational level of the organization;
• To
  institutionalize critical risk management preparatory activities at all
  risk management levels to facilitate a more effective, efficient, and
  cost-effective execution of the RMF;
• To
  demonstrate how the NIST Cybersecurity Framework can be aligned with
  the RMF and implemented using established NIST risk management processes;
• To
  integrate privacy risk management processes into the RMF to better support
  the privacy protection needs for which privacy programs are responsible;
• To
  promote the development of trustworthy secure software and systems by
  aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1, with the
  relevant tasks in the RMF;
• To
  integrate security-related, supply chain risk management (SCRM) concepts
  into the RMF to address untrustworthy suppliers, insertion of
  counterfeits, tampering, unauthorized production, theft, insertion of
  malicious code, and poor manufacturing and development practices
  throughout the SDLC; and
• To
  allow for an organization-generated control selection approach to
  complement the traditional baseline control selection approach and support
  the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.

The addition of the
Prepare step is one of the key changes to the RMF—incorporated to achieve more
effective, efficient, and cost-effective security and privacy risk management
processes.

In addition to
seeking your comments on this final public draft, we are specifically
seeking feedback on a new RMF Task P-13, Information Life Cycle. The life
cycle describes the stages through which information passes, typically
characterized as creation or collection, processing, dissemination, use,
storage, and disposition, to include destruction and deletion. Identifying and
understanding all stages of the information life cycle have significant
implications for security and privacy. We are seeking comment on how
organizations would executive this task and how we might provide the most
helpful discussion to assist organizations in the execution.  

The public comment period
for the draft publication is
October 2 through October 31. Please submit comments using
the comment
template to [email protected].

Small businesses targeted by highly localized Ursnif campaign

• Content
  organized by learning path, experience level, role and product, for an
  end-to-end view of a technology area and ensuring a comprehensive skillset
• Learning paths consist of
  step-by-step tutorials with interactive coding environments that provide
  free fixed-time access to Azure resources – without requiring a credit
  card
• As you and your customers use
  Microsoft Learn, you can track progress, check knowledge, and validate
  deployments to earn points, levels, achievements, and trophies 

I don’t like writing breach stories because they occur far too often. On the other hand, when the breach is the fault of the sales merchant, one hopes exposure would cause a renewed interest in other merchants to better secure their retail websites to assure such data loss doesn’t happen to them.
With the numbers of breaches so large, how easily we forget that back in June, Magecart applied a kind of cross-site-scripting (XSS) attack to effectively digitally skim the credit card information from Ticketmaster buyers used for payment. In defense of Ticketmaster, the actual attack appeared to be a code insertion compromise against Inbenta, a thirdparty supplier for their website. Although obfuscated, and having no impact on the site’s functionality, the subtle change captured and diverted the information to Magecartowned servers with legitimate looking names.

 This attack was nothing new to Magecart, who’s been behind such malaise since 2015 and focuses on e-commerce. At the time of the Ticketmaster breach, RiskIQ believed that there were over 800 different commerce websites also targeted based on their analysis. Clearly Magecart continued with attacks as evidenced by the large compromise of British Airways (having lost over 380,000 transactions). One might imagine that other smaller sites are also being targeted based on the announcement that just this week ABC-CBN (who’s on-line store was compromised) may have lost information on 213 customers.

You’d think with such publicity, e-commerce sites, especially those with a large customer base would be watching for similar Magecart activity to assure they don’t fall victim. Or not. Per Threatpost yesterday, “Newegg is a top online merchant with tens of millions of registered users in 50 countries, according to its website. It sells a range of consumer electronics, entertainment, smart-home and gaming products, and is the 161st most popular site in the U.S. according to Alexa. In all, it receives more than 50 million site visitors per month. And between Aug. 14 and Sept. 18, a Magecart-linked payment skimmer was active on the Newegg site”. Like the attacks on the other e-commerce sites, with an eloquent injection of only 8 lines of code (similar to the code used in the British Airways incident but improved), Magecart diverted information to a domain with a legitimate Comodo-issued certificate called neweggstats[.]com. In the analysis of these attacks, RiskIQ further states: “Magecart attacks are surging—RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly.”

Who’s to blame for these breaches? Clearly web service providers in the e-commerce arena need to improve their approaches to security. How many sites have been compromised? Perhaps there are some we may never know about, but for many more, my guess is we will learn about them in the near future as e-commerce providers take a closer look at their websites for some unauthorized Magecart additions. 
Sources:
 https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/ https://www.computerworlduk.com/security/magecart-who-what-is-behindbritish-airways-attack-3683768/ https://threatpost.com/magecart-strikes-againsiphoning-payment-info-from-newegg/137576/

This article was created by Peraton

Draft
Cybersecurity Practice Guide SP 1800-14, Protecting the Integrity of
Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation, is
Available for Comment

It is difficult to overstate the importance of the
internet to modern business and society in general. The internet is not a
single network, but rather a complex grid of independent interconnected
networks that relies on a protocol known as Border Gateway Protocol (BGP) to
route traffic to its intended destination.

Comments for this draft are due by October
15, 2018. To review Draft Special Publication (SP) 1800-14, and for information
on submitting comments, please visit the links below.

CSRC Update: https://csrc.nist.gov/news/2018/nist-requests-comments-on-draft-sp-1800-14
 
Publication details: https://csrc.nist.gov/publications/detail/sp/1800-14/draft
 
Project Homepage: https://www.nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing