Showing posts with the label News

Vulnerability in Cisco Devices VPN Functionality

A few weeks ago a vulnerability was publicized in the VPN functionality of Cisco PIX firewalls, along with a tool to exploit it. This exploit was part of the Shadow Brokers dump of tools allegedly stolen from the NSA; in this case it was the BENIGNCERTAIN tool. The exploit was viewed as being of limited impact, since Cisco discontinued support for the PIX firewall years ago in favor of their newer ASA firewall line. This weekend it was announced that the same vulnerability exists in the IOS software that powers the vast majority of Cisco devices. This means that Cisco routers and routing switches with VPN functionality can be exploited with the BENIGNCERTAIN tool as well, rendering their VPN sessions subject to snooping. The vulnerability affects all versions of IOS going back to 12.2, as well as most versions of IOS XR and IOS XE. Cisco has not yet released updated software to fix this issue, and they say there are no work-arounds; they have, however, published intrusion detectio...

Weekly Infosec News Brief: 11-17 April

Microsoft "Patch Tuesday" Includes Six Critical Updates Last Tuesday, on their regular monthly day to issue patches, Microsoft released thirteen security bulletins, six of them rated as "critical." Two of these (MS16-037 and MS16-038) are for Microsoft's browsers, Internet Explorer and Edge, respectively. MS16-039 and MS16-040 are for core components of Windows, and affect nearly every supported version of the operating system for both servers and workstations. MS16-042 is for Microsoft Office, and affects every currently-supported version (even those for Mac). This is a particularly urgent update to install, given that malicious documents attached to email are a common source of malicious software infections. Organizations are urged to test and install these updates as soon as possible. http://www.symantec.com/connect/blogs/microsoft-patch-tuesday-april-2016 https://technet.microsoft.com/library/security/ms16-apr?f=255&MSPPError=-2147217396 High Risk...

Weekly Infosec News Brief: 04-10 April

Zero-Day Flash Vulnerability Announced, Patch Available A new vulnerability (CVE-2016-1019) in Adobe Flash was announced last week; the vulnerability is being actively exploited to install malware on vulnerable computers. Adobe stated that their latest update released in March prevents the worst type of damage from this vulnerability, such that most exploitation attempts will result only in a crash rather than remote code execution. On Thursday, Adobe released a patch to fix the vulnerability. The patched version is 21.0.0.213, and you can check whether you have the latest version installed by visiting Adobe's Flash products page at www.adobe.com. Keep in mind that different browsers may have separate installations of Flash, so you should check with all browsers on your system(s). http://www.eweek.com/security/adobe-working-on-zero-day-pwn2own-patches-for-flash.html https://helpx.adobe.com/security/products/f...

Weekly Infosec News Brief: 28 Mar - 03 Apr

Ransomware Continues to Grow as a Threat to Organizations of all Types and Sizes Ransomware, malicious software that encrypts digital files and demands a payment for the ability to decrypt them, continues to grow as a threat to organizational computer systems. Due to the profitable and (so far) low-risk nature of these attacks for criminals, the variety and frequency of attacks using ransomware have increased greatly over the past year. Several hospitals and other health care organizations have been targeted and even crippled by such attacks recently. According to a recent DHS report, the federal government faced at least 321 such attacks in 2015. While the variety of such malware makes it impossible to prescribe a single technology or method for avoiding or stopping such attacks, it is widely agreed that frequent, complete, and reliable backups are an essential step for avoiding being crippled by them. http://www.computerworld.com/article/3050018/security/medstar-health-pa...

Weekly Infosec News Brief: 21-27 March 2016

"Maktub Locker" Ransomware Stands Out for Evasiveness and Design A new strain of ransomware was discovered last week, and is called "Maktub Locker." This ransomware is characterized by its evasive properties once installed; many file locations and even extensions are different on every victim. The ransom demanded to decrypt victims' files is set on a sliding scale so that the ransom increases the longer you wait to pay. This malware is able to function with or without its being able to access any external command & control server, which is unusual and eliminates a common method of limiting the damage from ransomware. Despite all the sophistication, the primary delivery mechanism to date for this scourge has been as a ".scr" file attached to emails, sometimes inside a ".zip" file. Please test your organizational email system to ensure that ".scr" files cannot be received in emails, whether in the form of a zip file or not...

Weekly Infosec News Brief: 14-20 March

Major Media Websites Caught up in New Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL, were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a...

Weekly Infosec News Brief: 7-13 March

Adobe Issues Three Updates, Including an Emergency Update for Flash Adobe had a rough week last week. They issued updates for their Acrobat/Reader and Digital Editions software on Tuesday, their regular monthly day for issuing patches. They announced at that time that there would be a Flash update forthcoming soon. That Flash update was released on Thursday, and includes fixes for 18 critical vulnerabilities. One of these, CVE-2016-1010, is already being used in attacks in the wild, and the release of the update was likely delayed in order to incorporate a fix for this issue. Given that the vulnerability is already being exploited, this is an update that should definitely be installed as soon as possible. http://arstechnica.com/security/2016/03/adobe-issues-emergency-patch-for-actively-exploited-code-execution-bug/ http://www.scmagazine.com/adobes-patch-tuesday-update-handles-four-vulnerabilities/article/481813/ http://www.computerworld.com/article/3042589/security/emergency-fla...

Weekly Infosec News Brief: 1-7 March

Verizon Releases Data Breach Digest with Detailed Accounts of Breaches Verizon's annual Data Breach Investigations Report is a highly-anticipated read for those with an interest in information security. This year Verizon has also issued a breach "digest," which, instead of recounting data from thousands of breaches, focuses on providing more detailed stories of eighteen specific breach investigations. The breaches have been chosen as exemplars of typical breach patterns, and the in-depth details are helpful for anyone involved in planning and executing security strategy. At 84 pages, it is a long read but well worth the time. http://www.csoonline.com/article/3039555/investigations-forensics/verizon-releases-first-ever-data-breach-digest-with-security-case-studies.html http://www.verizonenterprise.com/verizon-insights/data-breach-digest/2016/ Microsoft Announces New Windows Defender Advanced Threat Protection to Debut Later This Year In his Tue...

RSA Conference Day 1 - Tuesday

We are at RSA Conference in San Francisco this week, keeping current with the latest developments in the information security industry. We'll be summarizing the developments here in daily blogs, as well as live-tweeting the high points at our Twitter account @Path2Protection. Day 1 - Tuesday Keynotes (just hitting the high points): Amit Yoran - CEO, RSA - "The Sleeper Awakes" (@ayoran): "If your security program is focused on compliance, you're doing it wrong." We need to be doing more proactive hunting for active threats already inside our networks. Cybersecurity is as much a human problem as a technological one. Advanced artificial intelligence technologies are an important tool, but will not be a panacea; we still need more competent, trained technical people to use these tools. "In cyber security, our opponent isn't playing by the same game and they don't play by our rules: they don't even have rules." Brad Smith - President ...

Weekly Infosec News Brief: 22-28 February

Ransomware Observed to Jump from One Device to Another via the Cloud Researchers described last week an incident where they observed malicious "ransomware" propagating from one device to another via cloud-based file synchronization. When the ransomware encrypted files on one machine that synchronized files to a specific folder, it spread to other PCs that synchronized to that same folder. This type of phenomenon is simply another reason for organizations to seriously consider limiting or eliminating the use of such file-synchronizing software within their networks. http://www.scmagazine.com/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps/article/479572/ New OpenSSL Patches Soon to Come The OpenSSL project team announced last Thursday that they are working on patches to fix at least two "high" severity vulnerabilities in OpenSSL. This is the software that powers the cryptographic security layer of many web servers, browser...

Weekly Infosec News Brief: 15-21 February

Vulnerability in Key Unix/Linux System Library Potentially Puts Millions of Computers at Risk Last Tuesday, Google's engineering team released details on a vulnerability they had found and had been working on in cooperation with Red Hat. The vulnerability is in a ubiquitous Unix/Linux system library, in the function that handles DNS lookups. A malicious DNS server could potentially send replies in response to DNS requests that would cause arbitrary code to run on the requesting machine. See our blog post from last week for full details: http://www.anchortechnologies.com/blog/vulnerability-in-dns-affects-wide-range-of-systems VMWare Issues New Patch to Replace One from Last Fall That Didn't Quite Fix the Problem VMWare issued a patch last October for CVE-2015-2342, a very serious issue in vCenter running on Windows. Last Friday VMWare issued a replacement for that patch, explaining in the new advisory that the original patch "did not address the issue." The vu...

Vulnerability in DNS Affects Wide Range of Systems

This is a complex one. Google announced on Tuesday their discovery of a serious vulnerability in the function ("getaddrinfo") used by the GNU C library ("glibc") on Unix/Linux systems to do DNS lookups. The bug had actually been reported by other researchers back in July of last year, but the potentially serious way in which it could be exploited was not known until now. Google states that exploiting the vulnerability is "not trivial," but that a successful exploitation could enable an attacker to gain complete control of a vulnerable system. Given that the majority of servers on the Internet are Unix/Linux-based, as are modern Mac computers, Apple i-devices, and Android devices, a serious vulnerability in glibc affects a massive range of computer systems and mobile devices [update -- Apple iOS, Mac OS X, and Android all use different C libraries, not glibc, and are likely not affected]. Patches have started to be released by some vendors, but it may be ...

Weekly Infosec News Brief: 08-14 February

Major Vulnerability in Cisco ASA Firewalls Announced; Patch Available Cisco announced last Wednesday a major vulnerability that had been discovered in their ASA firewall platform. The flaw is found in the VPN service (specifically the IKE protocol for VPN authentication and setup) on the firewalls, and appears to affect every current version of the firewall. The flaw potentially allows an attacker to gain complete control of the firewall, and is already being actively exploited via the Internet. Cisco has an update available to fix the issue, and anyone running a Cisco firewall is urged to update as soon as possible. If it is not possible to update the firewall software immediately, disabling the VPN services on the firewall would appear to render the firewall invulnerable in the meantime. See Anchor's blog post from earlier this week for more details: http://www.anchortechnologies.com/blog/very-serious-cisco-asa-firewall-vuln-patch-asap Microsoft Issues Twelve Security Bu...

Weekly Infosec News Brief: 01-07 February

Multiple Critical Vulnerabilities in Malwarebytes Disclosed; Still no Patch Available Last week Google's Project Zero disclosed several serious vulnerabilities in Malwarebytes' anti-malware software. Project Zero researcher Tavis Ormandy informed Malwarebytes of the issues back in November, and Malwarebytes says they were able to fix several of the reported bugs in the intervening months. They say that they should have a patch for the remainder in the next 3-4 weeks. Malwarebytes is advising customers to enable the "self-protection" setting on their software to mitigate the reported vulnerabilities. http://www.scmagazine.com/malwarebytes-says-sorry-for-multiple-av-bugs-still-unpatched/article/470738/ https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulnerability-disclosure/ https://code.google.com/p/google-security-research/issues/detail?id=714 Oracle Announces Java Browser Plugin to be Discontinued Oracle has announced plans to d...

Weekly Infosec News Brief: 18-24 January

Houston Company lost $480k to Email-based Wire Fraud, Sues Insurer Over Denied Claim Ameriforge Group, Inc., of Houston is suing their cyber insurance provider, Federal Insurance, over Federal's denial of a claim. Ameriforge's CFO wired the amount to a bank in China as instructed in an email that purported to be from the company's CEO. The insurer contends that because the incident centered around a voluntary transfer of funds (though prompted by a fraudulent email), the incident is not covered by the policy. The lesson for organizations is two-fold: a) ensure that adequate checks and balances are present in all processes involving transfers of funds, particularly of large amounts, and b) ensure you know exactly what any cyber insurance policy will and will not cover, and check closely into the history of the insurer before purchasing coverage. http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/ Austrian Aircraft Company Loses $54M to Cyber F...