Security Posts

Infocon: green


Best Practices for Network Security Threat Hunting

BreakingPoint Labs Blog - 35 mins 8 secs ago
Security threats continually change. New forms of malware and ransomware appear every year. The…
Categories: Security Posts

The Network Makeover Overview

BreakingPoint Labs Blog - 35 mins 8 secs ago
The Network Makeover is here! Wondering what it’s all about? This online event features >50…

Hardware reverse engineering: Hack TP-Link AC1750 router root password using JTAG

BreakingPoint Labs Blog - 35 mins 8 secs ago
Here at the Application and Threat Intelligence (ATI) Research Center, we are in the business of…

Insider Threats - What Do You Need To Know?

BreakingPoint Labs Blog - 35 mins 8 secs ago
Introduction This post is adapted (by which I mean stolen wholesale) from a piece posted by a…

Fighting malware. What’s in your arsenal?

BreakingPoint Labs Blog - 35 mins 8 secs ago
Ransomware, or as we call it during the Halloween season, “Boo!”, is indeed a terrifying situation…

How network security is evolving—Behavior is the new signature

BreakingPoint Labs Blog - 35 mins 8 secs ago
It is said that “Habits make the man.” True to this popular adage, the cybersecurity industry is…

Four tips to ensure optimal SD-WAN performance

BreakingPoint Labs Blog - 35 mins 8 secs ago
While the adoption of SD-WAN brings significant cost-savings and flexibility to the enterprise, it…

Own IT. Secure IT. Protect IT. Ixia and NCASM 2019

BreakingPoint Labs Blog - 35 mins 8 secs ago
Once again Ixia is proud to participate in National Cybersecurity Awareness Month. We were proud…

Introducing IxProbe: Scalable SLA Monitoring For Your Network's Edge

BreakingPoint Labs Blog - 35 mins 8 secs ago
Stop me if you've heard this before. "You can't manage what you don't measure." I'm guessing that…

Ransomware and Getting Out of Difficult Decisions

BreakingPoint Labs Blog - 35 mins 8 secs ago
Estimates put the cost of the City of Baltimore’s recent ransomware breach at $18 million, $10…

ISC Stormcast For Friday, October 18th 2019 https://isc.sans.edu/podcastdetail.html?id=6714, (Fri, Oct 18th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

DNC Hackers Resurface, Zuckerberg Talks Free Speech, and More News

Wired: Security - 6 hours 4 mins ago
Catch up on the most important news from today in two minutes or less.

Apple's Good Intentions on Privacy Stop at China's Borders

Wired: Security - Thu, 2019/10/17 - 22:16
As pro-democracy protests continue in Hong Kong, the tech giant’s troubling relationship with an authoritarian regime has come into focus.

Vulnerability Spotlight: Multiple vulnerabilities in YouPHPTube

Cisco Talos - Thu, 2019/10/17 - 20:32


Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities. Post by Jon Munshaw.

YouPHPTube contains multiple vulnerabilities that could allow an attacker to carry out a variety of malicious activities. In several of them, specially crafted web requests let an attacker inject SQL into the application. YouPHPTube is an open-source program that lets users build their own custom video sites; according to its website, the software is meant to mimic popular services such as YouTube, Netflix and Vimeo. A successful attacker could use these vulnerabilities to exfiltrate data from the database, steal user credentials and, in some configurations, access the underlying operating system.

In accordance with our coordinated disclosure policy, Cisco Talos worked with YouPHPTube to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details
YouPHPTubeEncoder base64Url multiple command injections (TALOS-2019-0917/CVE-2019-5127, CVE-2019-5129)

Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3, a plugin that provides encoder functionality for YouPHPTube. Specially crafted web requests can cause commands to be executed on the server: an attacker sends a request whose parameters contain specific values that trigger these vulnerabilities, potentially allowing exfiltration of the database and user credentials and compromise of the underlying operating system. Unlike the other vulnerabilities outlined in this post, an attacker does not need to log in to exploit these bugs.

Read the complete vulnerability advisory here for additional information.
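The bug class behind the encoder advisory, as an added example that is not the plugin's code: a request parameter arrives base64url-encoded, is decoded and pasted into a shell command line, so shell metacharacters in the decoded value are executed. The parameter handling, the command being built (printf stands in for whatever tool the encoder would run on a file) and the payload are constructed for illustration. The hardened version treats the decoded value as the untrusted input it is and passes it as a single argument with no shell.

```python
"""Command-injection pattern of the kind described for YouPHPTube Encoder,
modelled in Python as an added example. The parameter name, the command being
built and the payload are constructed for illustration and are not the
plugin's own code."""
import base64
import re
import subprocess


def b64url_encode(value: str) -> str:
    """base64url without '=' padding, the form commonly carried in URLs."""
    return base64.urlsafe_b64encode(value.encode()).decode().rstrip("=")


def b64url_decode(value: str) -> str:
    """Restore the padding a client stripped, then decode."""
    value += "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(value).decode()


def probe_vulnerable(param: str) -> str:
    """Decodes the request parameter and pastes it into a shell command line.

    With shell=True the decoded value is parsed by /bin/sh, so ';', '|',
    '$(...)' and friends inside it are executed rather than passed through.
    """
    path = b64url_decode(param)
    cmd = "printf '%s\\n' " + path
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


SAFE_PATH = re.compile(r"[A-Za-z0-9._/-]+")


def probe_hardened(param: str) -> str:
    """Same functionality without the injection.

    1. Allow-list the decoded value: base64url is an encoding, not a security
       control, so the decoded string is untrusted input like any other.
    2. Invoke the tool with an argument vector and no shell, so the value can
       only ever be one argument, never part of a command line.
    """
    path = b64url_decode(param)
    if not SAFE_PATH.fullmatch(path) or ".." in path:
        raise ValueError(f"rejected path: {path!r}")
    return subprocess.run(["printf", "%s\n", path],
                          capture_output=True, text=True).stdout


# Constructed attacker value: a file name with a second command appended.
PAYLOAD = b64url_encode("video.mp4; echo INJECTED")

if __name__ == "__main__":
    # second output line, "INJECTED", comes from the injected command
    print(probe_vulnerable(PAYLOAD), end="")
    try:
        probe_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
```

Run it on a POSIX system with /bin/sh and coreutils printf. The allow-list is deliberately narrow; widening it is a product decision, but the argument-vector call is what makes the metacharacters harmless regardless of what the list admits.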

YouPHPTube /objects/pluginSwitch.json.php multiple SQL injection vulnerabilities (TALOS-2019-0911/CVE-2019-5121, CVE-2019-5123)

Exploitable SQL injection vulnerabilities exist in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injection: an attacker who can log in sends a request whose parameters contain SQL injection payloads, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.

Read the complete vulnerability advisory here for additional information.

YouPHPTube/plugin/AD_Server/view/campaignsVideos.json.php id SQL injection vulnerability (TALOS-2019-0910/CVE-2019-5120)

An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injection: an attacker who can log in sends a request whose parameters contain SQL injection payloads, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.

Read the complete vulnerability advisory here for additional information.

YouPHPTube /objects/subscribeNotify.json.php user_id SQL injection vulnerability (TALOS-2019-0909/CVE-2019-5119)

An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injection: an attacker who can log in sends a request whose parameters contain SQL injection payloads, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.

Read the complete vulnerability advisory here for additional information.

YouPHPTube /objects/subscribe.json.php SQL injection vulnerability (TALOS-2019-0908/CVE-2019-5117)

Exploitable SQL injection vulnerabilities exist in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests can cause SQL injection: an attacker who can log in sends a request whose parameters contain SQL injection payloads, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.

Read the complete vulnerability advisory here for additional information.

YouPHPTube /objects/videoAddNew.json.php SQL injection vulnerability (TALOS-2019-0907/CVE-2019-5116)

An exploitable SQL injection vulnerability exists in the authenticated part of YouPHPTube 7.6. Specially crafted web requests can cause SQL injection: an attacker who can log in sends a request whose parameters contain SQL injection payloads, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.

Read the complete vulnerability advisory here for additional information.

YouPHPTube /objects/commentAddNew.json.php comments_id SQL injection vulnerability (TALOS-2019-0906/CVE-2019-5114)

Exploitable SQL injection vulnerabilities exist in the authenticated portion of YouPHPTube 7.6. Specially crafted web requests can cause SQL injection: an attacker who can log in sends a request whose parameters contain SQL injection payloads, potentially allowing exfiltration of the database and user credentials and, in certain configurations, access to the underlying operating system.

Read the complete vulnerability advisory here for additional information.
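The pattern shared by the six SQL injection advisories above (a numeric id such as user_id or comments_id, or a string value, spliced into a query by an authenticated endpoint), as an added example that is not YouPHPTube's PHP. It is modelled in Python with an in-memory sqlite3 database; the schema, endpoint behaviour and payloads are constructed for illustration. Each vulnerable function is paired with the parameterised form that makes the same request harmless.

```python
"""SQL-injection pattern of the kind described in the advisories above, modelled
in Python with sqlite3 as an added example. Table layout, endpoint behaviour
and payloads are constructed for illustration; none of it is YouPHPTube's own
code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: the credentials table is what an attacker
    wants, the subscriptions table is what the endpoint is meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
        CREATE TABLE subscriptions (id INTEGER PRIMARY KEY, users_id INTEGER,
                                    channel TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash$a1'), (2, 'admin', 'hash$s3cret');
        INSERT INTO subscriptions VALUES (10, 1, 'cats'), (11, 2, 'ops');
    """)
    return conn


# --- numeric parameter (think user_id / id / comments_id) -------------------

def subs_by_user_vulnerable(conn, user_id: str):
    """Request parameter interpolated straight into the statement."""
    sql = f"SELECT id, channel FROM subscriptions WHERE users_id = {user_id}"
    return conn.execute(sql).fetchall()


def subs_by_user_fixed(conn, user_id: str):
    """Validate the type, then bind: the value can only ever be data."""
    uid = int(user_id)            # ValueError for anything that is not an integer
    return conn.execute(
        "SELECT id, channel FROM subscriptions WHERE users_id = ?", (uid,)
    ).fetchall()


# --- string parameter -------------------------------------------------------

def subs_by_channel_vulnerable(conn, channel: str):
    """Quoting the value by hand does not help once the value contains a quote."""
    sql = f"SELECT id, users_id FROM subscriptions WHERE channel = '{channel}'"
    return conn.execute(sql).fetchall()


def subs_by_channel_fixed(conn, channel: str):
    """Bound parameter: the quote is part of the data, never of the syntax."""
    return conn.execute(
        "SELECT id, users_id FROM subscriptions WHERE channel = ?", (channel,)
    ).fetchall()


# Constructed payloads: a UNION pulls credentials into the endpoint's result set.
NUM_PAYLOAD = "1 UNION SELECT user, password FROM users"
STR_PAYLOAD = "x' UNION SELECT user, password FROM users -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable (numeric):", subs_by_user_vulnerable(db, NUM_PAYLOAD))
    print("vulnerable (string): ", subs_by_channel_vulnerable(db, STR_PAYLOAD))
    print("fixed (string):      ", subs_by_channel_fixed(db, STR_PAYLOAD))
    try:
        subs_by_user_fixed(db, NUM_PAYLOAD)
    except ValueError as exc:
        print("fixed (numeric) rejected:", exc)
```

The vulnerable calls return the admin's credential row alongside the legitimate subscription rows; the fixed calls either reject the input or return nothing, because the payload is compared as a literal channel name. Reading files or reaching the operating system, as the advisories mention for some configurations, depends on database privileges that this toy database does not model.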

Versions tested
Researchers tested and confirmed that versions 6.2 and 7.6 are affected by TALOS-2019-0906, TALOS-2019-0907, TALOS-2019-0908, TALOS-2019-0909, TALOS-2019-0910 and TALOS-2019-0911. Version 7.6 is affected by TALOS-2019-0917.

Coverage
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 51587 - 51592, 51597 - 51599, 51600 - 51602, 51608 - 51610, 51924 - 51928

Threat Source newsletter (Oct. 17, 2019)

Cisco Talos - Thu, 2019/10/17 - 20:00

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s rare that iOS jailbreaks make it onto the scene; Apple is usually able to patch them out quickly. But a recent exploit is actually unpatchable, and researchers are racing to release tools that let users jailbreak their phones. Malicious actors are trying to capitalize on the opportunity too: we recently discovered a malicious site that promises a jailbreaking tool but actually just conducts click fraud and installs a malicious profile on the user’s device.

This week, Adobe released its third patch for a vulnerability we discovered earlier this year in Acrobat Reader. An attacker could exploit this bug to gain the ability to execute arbitrary code on the victim machine.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos
Event: Talos at BSides Belfast
Location: Titanic Belfast, Belfast, Northern Ireland
Date: Oct. 31
Synopsis: Several researchers from Talos will be on hand at BSides Belfast to deliver four different talks. Martin Lee will provide a general overview of the benefits of threat hunting, Nick Biasini and Edmund Brumaghin will walk through a recent wave of supply chain attacks, then, Brumaghin and Earl Carter will deliver their “It’s Never DNS....It Was DNS” talk, and, finally, Paul Rascagneres walks through his recent research into attacks on iOS.

Event: “It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots”  at SecureWV/Hack3rCon X
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Nov. 15 - 17
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review
  • Postage service provider Pitney Bowes was hit with the Ryuk ransomware, briefly taking some of their systems offline. The attack also impacted some U.S. Postal Service services. 
  • Baltimore plans to buy a $20 million cyber insurance policy in the wake of a ransomware attack earlier this year. The policy includes incident response coverage, business interruption loss and ransom payments.  
  • The U.S. reportedly carried out a cyber attack against Iran on Sept. 14 in response to an attack on a Saudi Arabian oil facility. Military officials say the attack was meant to reduce Iran’s ability to spread what they called “propaganda.” 
  • Two Moroccan activists were targeted by the Pegasus spyware. The human rights defenders received numerous SMS messages containing links to malicious websites, relying on zero-days in iOS to exploit their devices. 
  • Google’s new line of Pixel phones will allow its AI to automatically transcribe voice notes — even if the device is offline. The company said all translation happens directly on the device. 
  • An ATM malware that forces the machines to spit out all the cash they contain is spreading across the globe. A new report suggests that these so-called “jackpotting” attacks are on the rise this year, though they are not widely reported on. 
  • Mozilla says it is hardening Firefox against code injection attacks. The browser’s internal about: pages no longer use inline scripts, which removes a class of injection targets there. 
  • The Chinese government is promoting a mobile app that may allow them to spy on more than 100 million citizens. The app is even mandatory among government workers and communist party officials. 
  • An underground, online marketplace selling stolen credit card numbers was hacked. Roughly 26 million credit card numbers were rescued from “BriansClub,” 8 million of which were uploaded this year. 
Notable recent security issues
Title: Apple WebKit opens users up to malicious advertising
Description: Multiple vulnerabilities in Apple's WebKit allowed attackers to serve users malicious advertisements. The campaign affected the Google Chrome and Safari browsers on iOS and macOS; the vulnerabilities were all patched in Apple's latest round of security updates. The ads were tailored to the user's mobile carrier in the hope of enticing them to visit malicious websites, and the vulnerabilities let the ads break out of the sandboxes in place.
Snort SIDs: 51821 - 51824, 51831, 58132 (By John Levy)

Title: Remote code execution bug in vBulletin 
Description: A now-patched vulnerability in the popular forum software vBulletin lets attackers completely take over sites that use it. vBulletin powers the discussion forums of many popular sites. An attacker could exploit this vulnerability to remotely execute malicious code on any vBulletin server running versions 5.0.0 through 5.5.4. The bug was initially dropped as a zero-day by an anonymous user, but has since been patched by the vendor. The Snort rules below detect attempts to inject code into the server using this bug.
Snort SIDs: 51834 – 51837 (By Marcos Rodriguez)
Most prevalent malware files this week
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A 
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG 

The risks of public Wi-Fi and how to stay safe

AlienVault Blogs - Thu, 2019/10/17 - 15:00
Airports, coffee shops, shopping malls and most other public places offer free Wi-Fi to keep their customers happy. Because these networks serve a large and constantly changing crowd, they are rarely as secure as you might assume, and the login password printed on the counter protects you far less than you would think: a password handed out to everyone in the building is no secret, and anyone who has it shares the network with you. Data thieves are more capable and more determined to harvest your data than ever. If you use public Wi-Fi a lot, you should assume that someone on the network may be after your browsing data. The intention of this post isn’t to scare you, though: we want to share tips on how to protect your online identity and possibly your money.

The risks of using public Wi-Fi

Criminals like to spy on unsuspecting users on shared public Wi-Fi because it is easy, cheap and hard to trace back to them. They typically get at your traffic in three ways:

1. Creating a fake Wi-Fi hotspot
Many people join a network without caring who set it up or why. A hotspot you’ve never heard of pops up on your phone in the subway and you connect without thinking twice. An attacker can run such a hotspot, often with a name that mimics a legitimate one, and capture or manipulate everything sent through it. Your personal, financial and social information can be gone before you know it, and you may not suspect anything until the damage is done.

2. Taking over a legitimate network
If an attacker compromises the access point itself, or simply joins the same network and redirects traffic on it, it doesn’t matter that whoever set the network up was legitimate: everyone connected to it is exposed. From that position the attacker can read or alter any unencrypted communication that crosses the network, and what they do with it is up to them.

3. Sending you malware
If your device’s file-sharing feature is enabled, an attacker on the same public Wi-Fi network can push a file containing malware to it, or probe the services the device exposes. Depending on how advanced the malware is, it can turn your webcam on and spy on you, or simply lie low and steal your data in the background.

3 Tips for staying safe when using public Wi-Fi

Vulnerable as you can be on public Wi-Fi, it is possible to limit the damage an attacker can do. Here are a few measures that will keep you safe(r).

1. Avoid hotspots that require too much sign-up or login information
If you do find yourself in an attacker’s den, starve them of information. Don’t hand over your phone number, e-mail address, location and similar personal data to a network just because the sign-up page asks for them before letting you in. Not many legitimate networks ask for that much.

2. Encrypt your data with a VPN
A VPN (Virtual Private Network) encrypts all traffic between your device and the VPN provider’s server, so the hotspot operator and anyone else on the local network see only an encrypted tunnel, not the sites you visit or the data you send. If you are often on public networks, it is worth paying for a reputable VPN and leaving it switched on. Keep its limits in mind, though: the VPN provider itself can see your traffic, and the sites you visit still see what you do there, so HTTPS on those sites still matters.

3. Turn off file sharing
If file sharing is switched off, an attacker on the same network has no easy way of pushing malware to your Mac, smartphone or PC. The feature exists to make sharing between devices on a shared network effortless, which is exactly why it shouldn’t be on in a public place. While you’re at it, make sure your device is running the latest software, which is least likely to contain known holes.

Inside Olympic Destroyer, the Most Deceptive Hack in History

Wired: Security - Thu, 2019/10/17 - 12:00
The untold story of how digital detectives unraveled the mystery of Olympic Destroyer—and why the next big cyberattack will be even harder to crack.

Phishing e-mail spoofing SPF-enabled domain, (Thu, Oct 17th)

SANS Internet Storm Center, InfoCON: green - Thu, 2019/10/17 - 11:54
On Monday, I found what looked like a run-of-the-mill phishing e-mail in my malware quarantine. The "hook" it used was quite a common one: a fake DHL delivery notification inserted as an image into the body of the e-mail, in an attempt to make the user open its attachments. There were two attachments (see hashes below). The first was an RTF file masquerading as a Word document ("SHIPPING DOCUMENT..doc"), which tried to exploit the well-known CVE-2017-11882 vulnerability in the Equation Editor used by Microsoft Office[1]. The second was an ACE archive ("INVOICE & AWB..ace") containing a malicious executable ("mk.exe"). Although the executable was somewhat interesting in itself (an info stealer packed with a Delphi packer[2]), the phishing turned out to be notable for a different reason: the spoofed sender domain had a Sender Policy Framework (SPF)[3,4] record set.
That, by itself, might not be that surprising. Contrary to popular belief, setting an SPF record for a domain doesn’t make it impossible to use the domain in spoofed e-mail messages. SPF checks cover only the envelope "MAIL FROM" address (i.e. whether the sending server is allowed to send e-mail for the domain used in "MAIL FROM") and don’t look at the "From" field in the e-mail header at all. This means that the following spoofing attempt, sent from a server that is not listed in the record, will fail, provided that an SPF record for the sender.tld domain is correctly set:

    HELO sender.tld
    MAIL FROM:<sender@sender.tld>
    RCPT TO:<receiver@receiver.tld>
    DATA
    From: "Sender" <sender@sender.tld>
    To: "Receiver" <receiver@receiver.tld>
    Date: Thu, 17 October 2019 10:15:00 +0100
    Subject: Phishing?

However, even with an SPF record correctly set for sender.tld, the following attempt will pass SPF checks if non-spf-domain.tld has no SPF record of its own (although that doesn’t mean the spoofed e-mail won’t be blocked by some other security mechanism):

    HELO non-spf-domain.tld
    MAIL FROM:<sender@non-spf-domain.tld>
    RCPT TO:<receiver@receiver.tld>
    DATA
    From: "Sender" <sender@sender.tld>
    To: "Receiver" <receiver@receiver.tld>
    Date: Thu, 17 October 2019 10:15:00 +0100
    Subject: Phishing?

Because it is simple and effective (to a user, the sender appears to be the address in the "From" header of the message, not the address specified in "MAIL FROM"), this technique is often used by phishing authors when they send spoofed e-mail messages.
One could therefore expect that the same technique was used in the case of our e-mail, but this was not the case. The sender appears to be dhlexpress@shipping.com, and if we take a look at the headers, we see that the same address was used as the "MAIL FROM" address. We also see that although an SPF check took place, it ended with a "Neutral" result. This means that the SPF record doesn’t state whether the sending IP is or is not authorized to send e-mail for the domain. To understand the last line of the header and the reason for the result, one only needs to know that SPF uses qualifiers to specify from which hosts e-mail should be accepted (+, pass), from which hosts it should be rejected (-, fail), from which it should be marked as suspicious (~, softfail) and for which hosts the policy isn’t specified (?, neutral). The record for shipping.com shown above therefore says that several servers are permitted to send e-mail for the domain and that nothing is asserted about any other server ("?all"), which for practical purposes is the same as having no policy for them. The benefits of such an SPF record are disputable at best.
Although it is not very common to see such records and related phishing e-mails, this was not the first time I’ve come across such a case. And after having a look at the Alexa top 100 domains and finding two SPF records ending in "?all" even there, it seems that they are actually more common than one might think.
If you use such an SPF record on any of your domains, consider whether the more traditional "~all" or "-all" really isn’t an option for you.
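To make the qualifier semantics concrete, here is an added example in Python that is not part of the ISC diary: a deliberately minimal SPF evaluator that handles only the ip4, ip6 and all mechanisms, takes the record as a string instead of fetching it from DNS (so it runs offline), and is run against constructed records and addresses from documentation ranges. The domains, records and IPs are made up for illustration; include:, a, mx, exists and redirect= need DNS lookups and are rejected explicitly rather than guessed at.

```python
"""Minimal SPF evaluator, added here to make the qualifier semantics concrete.
Not ISC code. Handles only the ip4, ip6 and all mechanisms and takes the record
as a string instead of fetching it from DNS, so it runs offline; include:, a,
mx, exists and redirect= need lookups and raise NotImplementedError. Records,
domains and addresses below are constructed (documentation ranges)."""
import ipaddress

# RFC 7208 qualifier -> result; a mechanism with no qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sending_ip: str) -> str:
    """Return pass / fail / softfail / neutral / none for sending_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no record: nothing is asserted
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                   # matches every host; terminal
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # a v4 address never matches a v6 network and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"{mech!r} needs DNS lookups; not modelled")
    return "neutral"                        # RFC 7208 4.7: default if nothing matched


def spf_result_for_message(records: dict, mail_from: str, sending_ip: str) -> str:
    """SPF is evaluated for the domain of the envelope MAIL FROM only. The
    header From: line is never consulted, which is why a spoofed From: with
    an unrelated MAIL FROM domain that publishes no record gets "none"."""
    envelope_domain = mail_from.rpartition("@")[2].lower()
    return evaluate_spf(records.get(envelope_domain, ""), sending_ip)


# Constructed records standing in for DNS TXT lookups.
RECORDS = {
    "sender.tld": "v=spf1 ip4:192.0.2.0/24 -all",                     # strict
    "lenient.tld": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ?all",   # the "?all" case
    # "non-spf-domain.tld" deliberately publishes nothing
}

if __name__ == "__main__":
    for mail_from in ("sender@sender.tld", "sender@non-spf-domain.tld", "dhl@lenient.tld"):
        print(f"{mail_from:28} from 203.0.113.9 ->",
              spf_result_for_message(RECORDS, mail_from, "203.0.113.9"))
```

For a sending host outside the listed ranges the three constructed domains yield fail, none and neutral respectively; the last two are the cases a receiving filter cannot act on by SPF alone, which is the diary's point about "?all".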
And if you don’t have SPF set up yet, please do so. It will take you only a minute (all you need to do is create a new DNS TXT record) and although it’s not a silver bullet against phishing, it definitely won't hurt.

SHIPPING DOCUMENT..doc
MD5 - bc759db68c1f1611745216a4e0431201
SHA1 - 22e77a3ee9acc597500dbda6a82b7bd2d13d50b7

INVOICE & AWB..ace
MD5 - 673e823b66bce777f37377bd4aa07f71
SHA1 - 73f7a10fefa04432b18d9af9d4c774ecca815d5c

mk.exe
MD5 - 3c9aa414308ec74eb24b30875c755241
SHA1 - 06fba1adac357a7d338cc3a9a7eb2c68282d260b
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
[2] https://www.fireeye.com/blog/threat-research/2018/09/increased-use-of-delphi-packer-to-evade-malware-classification.html
[3] https://tools.ietf.org/html/rfc4408
[4] https://tools.ietf.org/html/rfc7208

-----------
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Russia’s Cozy Bear Hackers Resurface With Clever New Tricks

Wired: Security - Thu, 2019/10/17 - 11:30
Largely out of the spotlight since 2016, Cozy Bear hackers have been caught perpetrating a years-long campaign.