• New Cobalt Gang PDF Attack Avoids Traditional Static Analysis Tools
    An attack campaign conducted by the Cobalt Gang used a specially crafted PDF document to evade detection by static analysis tools.Palo Alto Networks’ Unit 42 threat intelligence team observed the operation near the end of October 2018. The analyzed example used an email containing the subject line “Confirmations on October 16, 2018” to target employees at several banking organizations.Attached to the email was a PDF document that didn’t come with an exploit or malicious code. Instead, an embedded link within the PDF document redirected recipients to a legitimate Google location which, in turn, redirected the browser to a Microsoft Word document containing malicious macros.How Does the Cobalt GangAt the time of discovery, the PDF attack bypassed nearly all traditional antivirus software. These characteristics prevented the PDF from raising red flags with most static analysis tools.Using specially crafted PDF documents isn’t the only way that digital attackers can fly under the radar.Read More
  • Researchers discover powerful new nation-state APT
    The Belgian locksmith was just a pawn in a global game of cyberespionage fought by a new nation-state hacking group, and while the target in this operation was Pakistan — both nuclear-armed and a haven for terrorists in the region — the incredibly sophisticated layers of misdirection used by the malware to mislead and delay forensics analysis worries security researchers, who say these attack tools could be deployed against anyone else in the world at any time. Additional layers of obfuscation and misdirection led Cylance researchers to dub the group the White Company. What makes the White Company especially dangerous, however, is its keen understanding of how security researchers study malware, and their sophisticated attempts to foil automated forensics analysis. The White Company's malware evades such systems by including anti-debugging code inside their shellcode — an extreme measure rarely seen. The White Company also used commodity malware to confuse security researchers looking for exotic nation-state malware. The White Company is a new nation-state APT, Cylance tells CSO, likely a Middle Eastern country, and is not a U.S. or Five Eyes threat group.Read More
  • The Weakest Link in Cybersecurity Isn't Human, It’s the Infrastructure
    The Weakest Link is Motherboard's third, annual theme week dedicated to the future of hacking and cybersecurity. The business models of many companies rely on monetizing and selling user data; internet of things and new startups rarely take security as seriously as they should; massive hacks of companies like Equifax and T-Mobile make our social security numbers less private than they ever have before. With that in mind, our third annual hacking week explodes that weakest link—the point of failure in the hacks we see in the news. The slate we have this year is extraordinary: We’ll have some scoops and features we’ve been planning and reporting for months, as well as opinion pieces by infosec professionals who explain how the internet’s design is failing users. With that in mind, we did a big refresh of The Motherboard Guide to Not Getting Hacked, our comprehensive infosec guide. This week we’ll also be publishing subject specific how-to guides every day; we’ll explain why the iPod Touch is one of the most secure devices you can possibly buy, how to wipe your devices clean before selling or recycling them, how to tell if you’ve been hacked, and more.Read More
  • Norway’s IT industry must tackle security vulnerabilities
    The primary and most vulnerable targets are government administration, defence, finance and high-tech companies.” Worryingly for IT network security, the NSM report identified an emerging threat to unnerve business and industry leaders. The organisation’s updated intelligence revealed that an increasing number of foreign malicious actors are criminal organisations bent on not only taking control of IT systems, but using hijacked IT systems and networks to establish “command hubs” to conduct criminal activities. In its examination of poor IT system defences and network vulnerabilities, the NSM has identified a range of digital threats posed by both foreign intelligence agencies and criminal organisations.Read More
  • 'CARTA': A New Tool in the Breach Prevention Toolbox
    Gartner's continuous adaptive risk and trust assessment for averting a data breach addresses the shortcomings of static security programs. The root of this data breach emanates from an old way of thinking about implementing security — one that relies on static risk and vulnerability management. Research firm Gartner has defined this new approach as Continuous Adaptive Risk and Trust Assessment (CARTA). In a nutshell, Gartner sees CARTA as a way for organizations to manage the risks that come with the digital world by deploying security that moves at the speed of digital business. Under CARTA, all systems and devices are considered potentially compromised and their behaviors are continuously assessed for risk and trust. If the risk score of a specific device or user gets too high and outweighs the trust (for example, a user who tries to download a massive amount of sensitive data to an unmanaged device), an organization has two choices: reduce the risk score or increase the trust score.Read More
  • What’s new in TrickBot? Deobfuscating elements
    This post will be an analysis of the updated obfuscation used by TrickBot’s main module. Encrypted modules are stored in the Data folder (old name: Modules), along with their configuration: Obfuscation In the first edition, TrickBot was not at all obfuscated – we could even find all the strings in clear. Apart from the mentioned obfuscation methods, on the way of its evolution, TrickBot is going in the direction of string randomization. Before the data is passed to the AES, it is first XORed with a 64 character long, dynamically generated string, that we will refer as a the bot key: The elements: 1. the BotKey (generated per machine) 2. a checksum of a test string: (0-256 bytes encoded with the same charset) – used for the purpose of a charset validation 3. three random numbers The whole line is base64 encoded using a custom charset, that is generated basing on the hardcoded one: “HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT”.Read More
  • Cyber attacks are the biggest risk, companies say
    Cyber-attacks are the biggest concern for businesses in Europe, Asia and North America, according to a new survey of executives by the World Economic Forum (WEF).  The report, which included responses from more than 12,000 business leaders from 140 countries, found companies fear the action of hackers will threaten their businesses over the next ten years.  The concern over cyber attacks has been growing in the last two years following a string of high profile attacks on companies such as BA, Ticketmaster and HSBC. “Cyber-attacks are seen as the number one risk for doing business in markets that account for 50pc of global GDP,”  said Lori Bailey, a member of the WEF’s Global Future Council on Cyber-security. “This strongly suggests that governments and businesses need to strengthen cyber security and resilience in order to maintain confidence in a highly connected digital economy." When WEF conducted the survey last year, cyber-attacks was the top risk in only two regions, East Asia and the Pacific and North America. In 2016, only North America was concerned by the risks.Read More
  • IBM Network Performance Insight (CVE-2018-11771) - IBM PSIRT Blog
    Nov 12, 2018 8:01 am EST Categorized: Low Severity Share this post: Apache Commons Compress is vulnerable to a denial of service, caused by the failure to return the correct EOF indication after the end of the stream has been reached by the ZipArchiveInputStream method. By reading a specially crafted ZIP archive, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. IBM Network Performance Insight has addressed this. CVE(s): CVE-2018-11771 Affected product(s) and affected version(s): IBM Network Performance Insight: 1.2.1, 1.2.2, 1.2.3. Refer to the following reference URLs for remediation and additional vulnerability details:Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10739173X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148429Read More
  • How UK Public Sector Organizations Can Craft an Effective Cyber Security Strategy
    Organizations in the United Kingdom’s public sector face several challenges in terms of their digital security. For instance, a 2018 report published by the Joint Committee on the National Cyber Security Strategy found that the public sector in the United Kingdom lacks sufficient cyber security skills to uphold the country’s vibrant digital economy. The challenges discussed above have prohibited many UK public sector organizations from taking a proactive approach to their cyber security. Tripwire observed in its State of Cyber Hygiene report that two-thirds of organizations don’t use hardening benchmarks like the Center for Internet Security’s Critical Security Controls. Organizations in the United Kingdom’s public sector can turn things around and build a solid foundation for themselves using critical security controls.Read More
  • 51 states pledge support for global cybersecurity rules
    Fifty-one states, including all EU members, have pledged their support for a new international agreement to set standards on cyberweapons and the use of the internet, the French government said Monday. The states have signed up to a so-called "Paris Call for Trust and Security in Cyberspace", an attempt to kickstart stalled global negotiations. "We need to move these norms forward," Microsoft president Brad Smith said on Monday at the Paris Peace Forum, being held to mark the centenary of the end of World War I. He said 2017 was a "wake-up call for the world" because of the WannaCry and NotPetya attacks. The text of the Paris call will be presented by French President Emmanuel Macron as he opens UNESCO's Internet Governance Forum in Paris on Monday. "To respect people's rights and protect them online as they do in the physical world, states must work together, but also collaborate with private-sector partners, the world of research and civil society," according to the text.Read More