Digest Archives

July 2018          Summer Edition

 

Images containing malicious script found on Google servers

Images hosted for download on a GoogleUserContent server were discovered to have malware hidden inside. Malware found inside a file “pacman.jpg” hosted on the GoogleUserContent platform was decoded and found to possess capabilities such as bypassing PayPal authentication mechanisms. The attackers were able to launch code from the EXIF metadata field “UserComment”. This isolated instance raises concern for a larger problem. As it currently stands, Google appears to have limited options for addressing malware, so users must instead flag items for removal. Web surfers should take some basic precautions against potentially harmful files hosted on trusted sites. First, viewing the image rather than downloading it will likely prove to be your strongest defense against hidden payloads in downloadable images. Second, ensure that your antivirus scans image files. Finally, UMBC Cybersecurity students can learn additional introductory information on hiding content within images, through techniques such as steganography, in UMBC’s CYBR 620 – Introduction to Cybersecurity course.

Source: Sucuri Blog. (2018, July 18). Hiding Malware Inside Images on GoogleUserContent. [Blog post]. Retrieved from https://blog.sucuri.net/2018/07/hiding-malware-inside-images-on-googleusercontent.html
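As an added illustration (not code from the Sucuri post or from UMBC), the Python check below pulls the EXIF UserComment field out of a JPEG and flags code-like content, the kind of scan an upload pipeline or antivirus image rule would run. The JPEG/TIFF walker, the signature list and the sample image builder are all constructed here as assumptions for the demonstration.

```python
import re
import struct

EXIF_IFD_PTR, USER_COMMENT = 0x8769, 0x9286          # TIFF tag ids
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
# Constructed signature: fragments of server-side code that have no place in a photo comment.
SUSPICIOUS = re.compile(rb"<\?php|\beval\s*\(|base64_decode|\bsystem\s*\(|\bpassthru\s*\(", re.I)

def _read_ifd(tiff, offset, bo):
    """Return {tag: raw value bytes} for one TIFF IFD (values stored inline or by offset)."""
    entries = {}
    for i in range(struct.unpack_from(bo + "H", tiff, offset)[0]):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHL", tiff, entry)
        size = TYPE_SIZES.get(typ, 1) * n
        pos = entry + 8 if size <= 4 else struct.unpack_from(bo + "L", tiff, entry + 8)[0]
        entries[tag] = tiff[pos:pos + size]
    return entries

def exif_user_comment(jpeg):
    """Extract the EXIF UserComment payload (after its 8-byte charset prefix), or None."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)  # skip SOI; non-JPEG input ends the walk
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: metadata segments are over
            break
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]
            bo = "<" if tiff[:2] == b"II" else ">"
            tags = _read_ifd(tiff, struct.unpack_from(bo + "L", tiff, 4)[0], bo)
            if EXIF_IFD_PTR in tags:  # UserComment normally lives in the Exif sub-IFD
                tags.update(_read_ifd(tiff, struct.unpack(bo + "L", tags[EXIF_IFD_PTR])[0], bo))
            uc = tags.get(USER_COMMENT)
            return uc[8:] if uc else None
        pos += 2 + seglen
    return None

def is_suspicious(jpeg):  # True when the comment field carries code-like content
    return bool((uc := exif_user_comment(jpeg)) and SUSPICIOUS.search(uc))

def build_sample_jpeg(comment):
    """Construct a minimal EXIF-only JPEG (test fixture, not a real photo) carrying `comment`."""
    uc = b"ASCII\x00\x00\x00" + comment
    # Little-endian TIFF: header 0-8, IFD0 8-26, Exif IFD 26-44, UserComment data from 44.
    ifd0 = struct.pack("<HHHLLL", 1, EXIF_IFD_PTR, 4, 1, 26, 0)
    exif = struct.pack("<HHHLLL", 1, USER_COMMENT, 7, len(uc), 44, 0)
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<L", 8) + ifd0 + exif + uc
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run is_suspicious() over files as they are uploaded or downloaded; a hit is a reason to quarantine the file, not proof of compromise, since the signature is deliberately narrow.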

 

Remote Access bought on the Dark Web

The McAfee Advanced Threat Research team has discovered access credentials for RDP for sale, some for as little as 10 USD. RDP, a proprietary protocol developed by Microsoft that allows a user to access another computer through a graphical interface, is a powerful tool. Mainly used by system administrators to access their employees’ or clients’ workstations, it could be a devastating tool in the wrong hands. An attacker could pay for the login credentials, access the workstations remotely, and inject malicious code or establish themselves as users with high-level permissions. These “markets” have been popping up more frequently on the Dark Web. “The McAfee Advanced Threat Research team looked at several RDP shops, ranging in size from 15 to more than 40,000 RDP connections for sale…”, with these sites originating across the globe. John Fokker states, “In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops.” With markets like these, attackers from script kiddies to APTs can continue to gain access for malicious activities.

Source: https://securingtomorrow.mcafee.com/mcafee-labs/organizations-leave-backdoors-open-to-cheap-remote-desktop-protocol-attacks/

 

Krebs’s 3 Basic Rules for Online Safety

Brian Krebs, an investigative reporter with a focus on cybersecurity, has reported on his share of incidents, some of which directly involved him, like when his system was attacked by “the Lion Worm… and locked me out of my system. Twice.” Krebs has a short list of rules anyone can follow to stay secure while browsing the internet. First, “If you didn’t go looking for it, don’t install it!” When trying to keep your system secure, make sure you only have the files and programs you need. Keeping your system organized will help ensure things don’t get overlooked. Second, “If you installed it, update it.” Patching is the preventive measure required to stay secure throughout the life of your system. With Patch Tuesday and automated system updates, this step could not be easier for private users. Third, “If you no longer need it, remove it.” A forgotten application can easily turn into an access point for an attacker. Removing unneeded programs will keep your system running optimally and securely.

Source: https://krebsonsecurity.com/2011/05/krebss-3-basic-rules-for-online-safety/

 

May 2018    Edition#2

 

More than 1000 Cyber Experts From 30 Nations Took Part in Locked Shields

Locked Shields is a major live-fire cyber defense exercise hosted by the Cooperative Cyber Defense Centre of Excellence (CCDCOE), which took place late April this year. With 30 nations fielding 22 Blue Teams, the participants were charged with protecting a virtual city’s critical infrastructure. These exercises help to showcase the many skills needed by cybersecurity professionals. As Cdr Michael Widmann, Chief of NATO CCDCOE Strategy Branch, explains, teams must “address complex cyber incidents, both internally and internationally… what level the information should be shared, who has the authority to make a decision and give guidelines, what are the potential legal implications”. The ability of cybersecurity professionals to plan, implement, monitor, and maintain a complex cyber defense is critical, especially when facing advanced persistent threats. These exercises help to promote coordinated defenses between nations and provide the cybersecurity community with shared knowledge.
Further information on the event can be found at: https://ccdcoe.org/more-1000-cyber-experts-30-nations-took-part-locked-shields.html

 

Newly Uncovered Servers Used by Hidden Cobra APT

Thailand’s Computer Emergency Response Team (ThaiCERT) has seized a server operated by the North Korea-linked Hidden Cobra APT, which is used to control the global GhostSecret espionage campaign. ThaiCERT, along with McAfee and law enforcement, is analyzing the control server, which was located at Thammasat University in Bangkok. Researchers said that the server has the same IP address as the one used in the infamous 2014 Sony Pictures hack, known to be linked to Hidden Cobra (a.k.a. the Lazarus Group) and North Korea. “The Hidden Cobra APT uses multiple implants, tools and malware variants, which together have established a covert network to gather data and create the capability to launch further attacks”. The malware includes Bankshot, which is a “remote access tool that gives an attacker full capability on a victim’s system with the functionality to wipe files and content, and gather data”. Researchers uncovered two previously unknown malware variants: one resembles the Destover malware, and the other is Proxysvc, “a unique data-gathering and implant-installation component that listens on port 443 for inbound control server connections”. McAfee states “Proxysvc is part of a covert network of Secure Sockets Layer listeners that allow the attackers to gather data and install more complex implants or additional infrastructure; it essentially lets attackers know which systems were infected in order to connect to them”. This is most likely just one of a number of servers used by the group; however, being able to examine the tools they use allows better protection plans to be put in place.
Further information can be found at: https://threatpost.com/thaicert-seizes-hidden-cobra-server-linked-to-ghostsecret-sony-attacks/131498/

 

Protecting Users and Customers Everywhere

Microsoft, Facebook, and SAP were among the 34 companies that signed the Cybersecurity Tech Accord, an agreement to not assist any government in launching cyberattacks. The pledge outlines principles companies should follow to protect their users, including strengthening cybersecurity protections and encouraging global information sharing to prevent and respond to cyberattacks.
Click here for the Accord https://cybertechaccord.org/accord/?utm_source=&utm_medium=email&utm_campaign=14961

FTC Provides Tips on Use of VPN Apps

In a blog post published in February, the FTC cautions consumers about potential privacy and security risks associated with using virtual private network (VPN) tools to connect to the internet and provides several tips on how to choose among the many apps available on the market.
Click here for the article https://www.consumer.ftc.gov/blog/2018/02/shopping-vpn-app-read

 

April 2018    Edition#1

 

FTC Releases Report on Mobile Device Security

The FTC issued a report last month highlighting practices that it believes would help ensure that mobile devices used by consumers are reasonably secure. This report, which is based in part on information gathered from eight major mobile device manufacturers via a Commission Order, recommends, among other things, that manufacturers inform consumers of how long devices will receive security updates and when update support will end.

FBI Director Promises Not to Disclose Data Breaches to Regulators

At a cybersecurity conference at Boston College last month, FBI Director Christopher Wray stated that the FBI will “treat victim companies as victims” by withholding potentially damaging information from other regulatory agencies following a data breach. Noting that companies may be reluctant to promptly alert law enforcement officials after an attack, he also stated that it is not the responsibility of the FBI to share information about breaches with other authorities.

Yahoo to Pay Investors $80M to Settle Securities Class Action

Yahoo announced last month that it will pay $80 million to settle a class action suit brought by investors following the company’s massive data breaches in 2013 and 2014 that together compromised the personal information of all of its 3 billion users. The investors alleged Yahoo intentionally misled them about its cybersecurity practices in corporate filings while failing to disclose the breaches.

New EU Guidelines Give Online Platforms One Hour to Remove Illegal Content

In guidelines released late last month, the European Union said online platforms, including Google, Facebook, and Twitter, should remove illegal content from their sites within one hour of it being flagged by local law enforcement or Europol. While the guidelines are currently voluntary and non-binding, they can be used as a legal reference in court. If the guidelines prove ineffective, the EU said it would pursue formal regulation.

FTC Provides Tips on Use of VPN Apps

In a blog post published in February, the FTC cautions consumers about potential security risks associated with using virtual private network (VPN) tools to connect to the internet and provides several tips on how to choose among the many apps available on the market.