Security Posts

US CERTS Top 10 Exploits in the Wild

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
We love to think about security in terms of dark geniuses with hoodies, face tats and piercings…
Categories: Security Posts

COVID-19 Late Testing a Lesson for Every Network Equipment Manufacturer

BreakingPoint Labs Blog - Mon, 2020/07/06 - 22:46
I was watching the TED talk by Bill Gates recorded in March 2020 about how humanity should have…
Categories: Security Posts

Android Users Hit with ‘Undeletable’ Adware

Threatpost - Mon, 2020/07/06 - 22:10
Researchers say that 14.8 percent of Android users who were targeted with mobile malware or adware last year were left with undeletable files.
Categories: Security Posts

WastedLocker Goes "Big-Game Hunting" in 2020

Cisco Talos - Mon, 2020/07/06 - 22:00
By Ben Baker, Edmund Brumaghin, JJ Cummings and Arnaud Zobec. Threat summary: After initially compromising corporate networks, the attacker behind WastedLocker performs privilege escalation and lateral movement prior to activating ransomware and demanding ransom payment. The use of "dual-use" tools and "LoLBins" enables adversaries to evade detection and stay under the radar as they further operate towards their objectives in corporate environments. WastedLocker is one of the latest examples of...

[[ This is only the beginning! Please visit the blog for the complete entry ]]
Categories: Security Posts

Axiom – Pen-Testing Server For Collecting Bug Bounties

Darknet - The Darkside - Mon, 2020/07/06 - 21:09
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with one line. With Axiom, you just need to run a single command to get set up, and then you can use the Axiom toolkit scripts to spin up and down your new hacking VPS. Setting up your own ‘hacking vps’, to catch shells, run enumeration tools, scan, let things run in the background in a tmux window, used to be an afternoon project – running into a whole day sometimes if you hit some package issues or ‘dependency hell’. Read the rest of Axiom – Pen-Testing Server For Collecting Bug Bounties now! Only available at Darknet.
Categories: Security Posts

Admins Urged to Patch Critical F5 Flaw Under Active Attack

Threatpost - Mon, 2020/07/06 - 21:06
Security experts and the U.S. Cyber Command are urging admins to patch a critical flaw in F5 Networks products, which is under active attack.
Categories: Security Posts

Lazarus Group Adds Magecart to the Mix

Threatpost - Mon, 2020/07/06 - 19:18
North Korea-based APT is targeting online payments made by American and European shoppers.
Categories: Security Posts

US Secret Service reports an increase in hacked managed service providers (MSPs)

Zero Day | ZDNet RSS Feed - Mon, 2020/07/06 - 19:15
US Secret Service says hackers are breaching MSPs to orchestrate ransomware attacks, point-of-sale intrusions, and business email compromise (BEC) scams.
Categories: Security Posts

Hackers Are Exploiting a 5-Alarm Bug in Networking Equipment

Wired: Security - Mon, 2020/07/06 - 19:10
For companies that haven't patched their BIG-IP products, it may already be too late.
Categories: Security Posts

Purple Fox EK Adds Microsoft Exploits to Arsenal

Threatpost - Mon, 2020/07/06 - 17:21
Two exploits for Microsoft vulnerabilities have been added to the Purple Fox EK, showing ongoing development.
Categories: Security Posts

Email Sender Identity is Key to Solving the Phishing Crisis

Threatpost - Mon, 2020/07/06 - 16:07
Almost 90% of email attacks manipulate sender identity to fool recipients and initiate social engineering attacks.
Categories: Security Posts

VaultAge Solutions CEO goes into hiding to avoid cryptocurrency investors allegedly scammed out of $13 million

Zero Day | ZDNet RSS Feed - Mon, 2020/07/06 - 13:51
Roughly 2,000 investors have been left out of pocket by the alleged misappropriation of funds.
Categories: Security Posts

CVE-2020-5902: F5 BIG-IP RCE Vulnerability, (Mon, Jul 6th)

SANS Internet Storm Center, InfoCON: green - Mon, 2020/07/06 - 13:06
A remote code execution vulnerability, CVE-2020-5902, in F5's BIG-IP with a CVSS score of 10 is being actively exploited. Vulnerable versions are:
  • 11.6.1-
  • 12.1.0-
  • 13.1.0-
  • 14.1.0-
  • 15.0.0-
A directory traversal in the Traffic Management User Interface (TMUI) allows upload and execution of scripts (as root) by unauthenticated attackers. F5 has released patched versions:
F5's KB article K52145254: TMUI RCE vulnerability CVE-2020-5902. We have observed Internet scans for this vulnerability. Note that an attack over the Internet requires that F5's BIG-IP control plane is exposed to the Internet (there are 8400+ F5 systems on the Internet according to Shodan). Several exploits and a Metasploit module for this vulnerability are public. There is also a Sigma rule and an Nmap script (note: not released by the Nmap project). We recommend patching this vulnerability immediately if you expose the TMUI to the Internet, and if you cannot patch, remove direct Internet access to the TMUI. In any case, go over your logs to identify exploitation attempts (F5 published the KB on July 1st, and the first exploitation attempts on the Internet were observed starting July 3rd): look for "..;" in the URLs. If you use grep (or another tool with regular expressions) to search through your logs, remember that a period (.) matches any character, so search for a fixed string instead (option -F in grep). And let me close with Johannes' closing remark on today's StormCast: "... certainly make sure that the management plane is not exposed to the public Internet, who knows when the next vulnerability in this feature will be found!" Didier Stevens
Senior handler
Microsoft MVP (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
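As an added example (not from the ISC diary), the following shell script builds a constructed sample access log and compares a naive regex search for "..;" with the fixed-string search the diary recommends; the log lines, addresses and the "omitted" path segment are invented.

```shell
#!/bin/sh
# Added example: search an access log for the literal "..;" sequence and
# show why the search must be a fixed-string match, not a regular expression.
set -e

# Constructed sample log in combined format (not real traffic).
LOG="${TMPDIR:-/tmp}/constructed_tmui_$$.log"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
10.0.0.1 - - [03/Jul/2020:10:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 512
10.0.0.2 - - [03/Jul/2020:10:00:05 +0000] "GET /tmui/..;/omitted HTTP/1.1" 200 1024
10.0.0.3 - - [03/Jul/2020:10:00:09 +0000] "GET /index.jsp?id=ab;cd HTTP/1.1" 200 300
EOF

# Naive regex search: each "." matches any character, so "ab;" on the
# third line also matches and would be reported as an exploitation attempt.
regex_hits() { grep -c '..;' "$LOG"; }

# Fixed-string search (grep -F): only the literal "..;" sequence matches.
fixed_hits() { grep -cF '..;' "$LOG"; }

# Source addresses of the lines that really contain "..;", one per line,
# for follow-up in firewall or authentication logs.
suspect_sources() { grep -F '..;' "$LOG" | awk '{ print $1 }' | sort -u; }

echo "regex matches:        $(regex_hits)"   # 2 (one false positive)
echo "fixed-string matches: $(fixed_hits)"   # 1
echo "sources to review:    $(suspect_sources)"
```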
Categories: Security Posts

Improving workflows to speed security implementation

AlienVault Blogs - Mon, 2020/07/06 - 13:00
Introduction
Limited budgets, limited staff, limited time. Any security professional will have dealt with all of these repeatedly while trying to launch new initiatives or when completing day-to-day tasks. They are possibly the most severe and dangerous adversaries that many cybersecurity professionals will face. They affect every organization regardless of industry, size, or location and pose an existential threat to even the most prepared company. There is no easy way to contain them either, since no company has unlimited funding or time, and the lack of cybersecurity professionals makes filling roles incredibly tricky. Even in major cities like Los Angeles, finding staff that meets your requirements is a challenge. According to the website Cyberseek, there are around 22,000 available jobs in the LA area with a supply/demand ratio of 1.5. With a national average for all other positions at 4.9, you begin to see why staffing these roles can be a challenge.
Resource prioritization
So how can organizations cope with these natural limitations? The answer is resource prioritization, along with a healthy dose of operational improvements. By identifying areas where processes can be streamlined and understanding what the most significant risks are, organizations can begin to help protect their systems while staying within their constraints. This task is not quite as impossible as it seems. The first step is to make sure you understand the following components:
  • The goal of the organization
  •  Responsibilities and operations of the target department
  • Any regulatory or internal requirements
Once you know those points, you can begin the actual work. The best way to find areas to improve processes is to work directly with the specific departments. While the focus of this blog is IT or security departments, this process can be used pretty much anywhere. Through a mixture of interviews and process documentation, you can begin to assemble a picture of how departments operate. The graphic below outlines the basic review and improvement cycle that can be employed when conducting this type of work. Later in this blog is a more in-depth multi-level strategy that can be employed later down the line, or immediately for companies that want to engage in a more long-term assessment and improvement cycle. As always, these steps can also be integrated into any existing review or audit procedures.
Working with frontline employees is one of the most effective ways to understand what occurs in your organization. These employees will almost always be able to provide ideas or suggestions on how to improve workflow and general operations. All proposals should be reviewed for accuracy and effectiveness, but getting data straight from the source is a great way to develop actionable plans. It almost seems too simple to work. Can asking questions like "What can we do better?" or "Where do we spend the most time?" really lead to a better protected company? Of course! Freeing up your staff so they have more time to focus on security concerns is one of the most direct ways to combat the three-headed hydra introduced in the beginning.
The hardest part of this process is finding the right employees and asking the right questions. When it comes to selecting the employee(s) you talk to, you must pick the ones responsible for the work in question. If, for instance, you wanted to streamline or improve the ticketing system, you should talk to the service desk staff and manager. The closer you get to the actual work being done, the more valuable the insight you gain.
Below are some sample questions you can use in these interviews:
  • What are your primary day-to-day tasks?
  • What task takes the most time for you to complete?
  • Are there any repetitive tasks you conduct? (e.g., answering the same question, or resolving the same issue)
  • Do you need to interact with other departments regularly?
    • (If yes) Are there any issues in communication or response times for these tasks?
This method can help identify bottlenecks in your organization that are impacting your teams' ability to execute their tasks. Implementing cybersecurity is quite a time-consuming task, so finding areas where you can save time or money allows you to reallocate those resources to security instead. Reducing the immediate cost impact of implementing cybersecurity programs can also aid in getting approval from management, since adopting security would no longer add as many additional costs.
Conclusion
Implementing security is quickly becoming the top priority for organizations around the world. Trying to balance the need for protection against existing duties and budgets is difficult and, in some cases, impossible. By looking for ways to free up existing time, money, and staff, security needs can be met without exceeding existing constraints. As security professionals, we must do our utmost to maintain our organizations to the best of our abilities. This means finding creative ways to solve problems while continuing to uphold existing responsibilities. In a perfect world, cybersecurity would be prioritized, with the necessary funding and staffing dedicated to it, but unfortunately, that is not the world we occupy. Hopefully, by following the steps above, you can identify areas that will not only improve the workflow of the organization but also free up the necessary resources to address additional requirements introduced by security initiatives.
Categories: Security Posts

Yahoo engineer gets no jail time after hacking 6,000 accounts to look for porn

Zero Day | ZDNet RSS Feed - Mon, 2020/07/06 - 12:53
Hacker sentenced to five years probation, with home confinement condition.
Categories: Security Posts

Boston bans government use of facial recognition

Naked Security Sophos - Mon, 2020/07/06 - 12:33
To help end systemic racism, we'll stay away from an error-prone technology that's been shown to have racial bias, the city council said.
Categories: Security Posts

Monday review – the hot 11 stories of the week

Naked Security Sophos - Mon, 2020/07/06 - 11:32
Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.
Categories: Security Posts

iPhone & iPad with iOS 14 will warn you when apps use your microphone or camera

Un informático en el lado del mal - Mon, 2020/07/06 - 09:34
In an attempt to improve the privacy of its technologies, and after complaints from many users about apps using their conversations to target ads or gather more relevant data about people, Apple has decided to add a new visual alert in iOS 14, not yet released to production, to warn users when an app is using its permissions to access the camera and/or microphone, meaning it could be capturing conversations and recording images.
Figure 1: iPhone & iPad with iOS 14 will warn you when apps use your microphone or camera

This is not the first visual measure of this kind that iOS has added, and as we will see it closely resembles the measure macOS has to warn when the camera is on, and it is certainly a good idea to help people concerned about their security.
The green light on the iPhone: the camera is on
Starting with iOS 14, iPhones (and we assume iPads as well) will warn with a green light when an app is accessing the device's camera and therefore accessing image capture. This is similar to what Apple has had in place for years on Macs, where a green light warns when someone is using your camera.
Figure 2: In iOS 14, if an app accesses the camera a green dot is shown
For years it has been possible to control in the iOS permission settings which apps have access to them, but this is a good way to warn and remind the user that they granted those permissions, consciously or not, and to let them see how they are being used.
The orange light on the iPhone: the microphone is on
This is not implemented on the Mac, and hopefully they will add it there too, since it lets you know whether an app is actively listening to you at a given moment, which will help reduce the paranoia generated by the "ads generated from voice conversations" we have already discussed on the blog.
Figure 3: Orange dot for when the microphone is activated
So if the orange light comes on, you are being listened to, which will also let you discover when an app may be malicious, or a trojan implanted on your system to hack your iPhone or iPad and violate your privacy.
Figure 4: Hacking iOS: iPhone & iPad (2nd Edition) book from 0xWord by Chema Alonso, Ioseba Palop, Pablo González and Alejandro Ramos, among others.

But we still have tests to run on how these systems work, since there remain dangerous scenarios whose handling is yet to be seen, such as the opportunistic use of permissions.
Figure 5: Red when audio or the screen is being recorded

Currently, the operating system warns with color codes when an app is recording with the camera or the microphone, but not when it is merely accessing them, which leaves many insecure scenarios; hence the color codes.
Opportunistic permissions in Gremlin Apps
We discussed this at length in the article dedicated to Gremlin Apps, but to be brief, it consists of a malicious app using a permission only when a natural use of that permission within the app is about to occur. For example, using the photo library permission when one of the app's features justifies its use to the user, and at that moment stealing all the photographs.

Figure 6: Gremlin Botnets: El club de los poetas muertos
The question is whether something similar can be done with the microphone or the camera, since it will depend on how access to them is implemented, but if it is implemented correctly it can be a very effective measure for detecting many Gremlin Apps. Suppose you grant camera access to an app because you take photos from it for whatever purpose, but at a given moment you are not using that feature and you see the green light... then something shady is going on.
Figure 7: Location access icon from this app
This measure complements the information we already had with the location icon, implemented back in iOS 11, which warns users when an app is requesting access to the device's location and lets you know which apps are tracking you, and when, through a set of icons you can see in the status bar.
Figure 8: Meaning of the location icons
Of course, all these microphone, camera and location access options can be configured and controlled from the privacy and security settings of iOS, and the fewer permissions you grant to the apps you run on your iPhone, the better. The less data about your personal life you have handed over, the fewer accesses to your private data you grant.
Evil greetings!
Author: Chema Alonso
Categories: Security Posts

North Korean hackers linked to web skimming (Magecart) attacks, report says

Zero Day | ZDNet RSS Feed - Mon, 2020/07/06 - 08:00
After hacking banks and cryptocurrency exchanges, orchestrating ATM cash-outs, and deploying ransomware, North Korean hackers have now set their sights on online stores.
Categories: Security Posts

ISC Stormcast For Monday, July 6th 2020, (Mon, Jul 6th)

SANS Internet Storm Center, InfoCON: green - Mon, 2020/07/06 - 04:00
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts