Weekly Infosec News Brief: 5-11 June 2017


OneLogin Breach -- Attackers May Be Able to Decrypt Data

A consistent recommendation of most security professionals has been for users and organizations to adopt single sign-on and secure password management programs. These programs, many of them cloud-based, reduce the need for users to remember a host of different passwords, thus making it easier for them to choose strong, unique passwords. While this is generally good advice, it is crucial to choose a provider with a strong security track record of their own. OneLogin, a single sign-on provider popular with corporate users, was compromised two weeks ago, and revealed last week that the attackers also obtained keys that may allow them to decrypt the stolen data. In the past, major breaches of password managers (such as LastPass) have apparently led to no true data loss, because the stolen data was strongly encrypted, and the keys were securely stored separately from the data. OneLogin users are advised to update their master passwords and all other passwords protected by their OneLogin account.
https://www.scmagazine.com/onelogin-hacker-swiped-aws-keys-can-decrypt-stolen-data/article/666112/
https://www.onelogin.com/blog/may-31-2017-security-incident

The ETERNALBLUE Vulnerability Exploited by WannaCry is Being Used by Other Malware as Well

The exploit that enabled the rapid spread of the headline-grabbing WannaCry ransomware last month was the ETERNALBLUE exploit developed by, and later stolen from, the US National Security Agency. It was this powerful exploit that made that malware so dangerous, and the same exploit is now being used by other malware to install itself on systems. The exploit works against the Microsoft Server Message Block (SMB) file-sharing service, which is commonly used for sharing file and folder access in Windows-based networks. Two steps are recommended to avoid this issue:

  • Ensure that the MS17-010 update is installed on all of your MS Windows systems.
  • Ensure that the SMB service is not exposed outside your organizational firewall or otherwise accessible via the Internet. This service typically runs on TCP port 445, but can also use TCP port 139 (and UDP ports 137-138).

https://www.scmagazine.com/eternalblue-used-in-wannacry-now-with-nitol-backdoor-and-gh0st-rat/article/666426/
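The second step above is easy to state but easy to miss on a host with several interfaces. The following script, added here as an example and not part of the original brief, parses socket-listing output in the Windows `netstat -an` or Linux `ss -ltun` layout and reports any SMB or NetBIOS listener (the TCP 445/139 and UDP 137/138 ports named above) that is bound to something other than the loopback address. The `netstat` output it runs on is constructed for the example.

```python
"""Flag SMB / NetBIOS listeners bound to non-loopback addresses.

Added example (not from the news brief). Reads socket-listing text in the
Windows `netstat -an` or Linux `ss -ltun` layout and reports listeners on
the ports the brief names that are reachable from outside the host.
"""
import ipaddress
import re

# Ports named in the brief: SMB on TCP 445, NetBIOS session on TCP 139,
# NetBIOS name and datagram services on UDP 137 and 138.
SMB_PORTS = {
    ("tcp", 445): "SMB direct",
    ("tcp", 139): "NetBIOS session (SMB over NetBIOS)",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
}

# Constructed sample in Windows `netstat -an` layout (not real host output).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     203.0.113.5:445        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    127.0.0.1:53           *:*
"""


def _parse_local(token):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port)."""
    addr, _, port = token.rpartition(":")
    if not port.isdigit():
        return None
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 zone id if present
    return addr, int(port)


def _is_loopback(addr):
    """True only for 127.x / ::1; anything unparsable is treated as reachable."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def find_exposed_listeners(listing):
    """Return a list of SMB/NetBIOS sockets bound to non-loopback addresses."""
    findings = []
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        proto = tokens[0].lower().rstrip("6")  # tcp6/udp6 -> tcp/udp
        if proto not in ("tcp", "udp"):
            continue
        # The first 'addr:port' token after the protocol is the local socket
        # in both the netstat and the ss layouts.
        local = next((t for t in tokens[1:] if re.search(r":\d+$", t)), None)
        parsed = _parse_local(local) if local else None
        if parsed is None:
            continue
        addr, port = parsed
        # Only listening TCP sockets matter; bound UDP sockets have no state.
        if proto == "tcp" and not any(t in ("LISTEN", "LISTENING") for t in tokens):
            continue
        key = (proto, port)
        if key not in SMB_PORTS or _is_loopback(addr):
            continue
        bound_to = "all interfaces" if addr in ("0.0.0.0", "::", "*", "") else addr
        findings.append({"proto": proto, "port": port, "bound_to": bound_to,
                         "service": SMB_PORTS[key]})
    return findings


if __name__ == "__main__":
    for f in find_exposed_listeners(SAMPLE_NETSTAT):
        print(f"{f['proto'].upper()} {f['port']} ({f['service']}) bound to {f['bound_to']}")
```

On the sample, the loopback-only 139 listener and the outbound 445 connection are ignored, while the wildcard 445 listeners (IPv4 and IPv6), the 139 listener on the LAN address and the two NetBIOS UDP sockets are reported. Feed it real output with `netstat -an | python check_smb.py`-style piping after changing `SAMPLE_NETSTAT` to `sys.stdin.read()`; a listener on "all interfaces" is only safe if a host or perimeter firewall blocks those ports from the Internet.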

Mouse-hovering Malware-delivery Links in Malicious PowerPoint Document Represent a Game-changer

One thing that users are often told about avoiding phishing attacks is to hover over links to see where they go. A recently spotted malware campaign turned this advice on its head by creating links in a malicious PowerPoint document that run a PowerShell script when the user simply hovers over them, downloading a malware payload. It remains to be seen whether this method will become widely adopted or whether Microsoft will issue an update to prevent this kind of behavior in scripts embedded in MS Office files.

Federal Task Force on Improving Infosec in Healthcare Releases Report

A federally convened task force that has worked for nearly two years on the problems of information security in the healthcare industry has released its conclusions. Among the key recommendations:

  • Healthcare providers should have greater leeway to share information and resources in order to enable smaller providers to develop adequate cybersecurity programs
  • Healthcare providers should obtain assessments aligned to the NIST Cybersecurity Framework
  • NIST should issue a new guideline specific to the healthcare industry

http://thehill.com/policy/cybersecurity/336394-federal-healthcare-cybersecurity-task-force-releases-report
https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf

