(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs. But their virtual counterparts are alive and well, and they can be used for some exciting things. (credit: Ericf)

When you're a bad guy breaking into a network, the first problem you need to solve is, of course, getting into the remote system and running your malware on it. But once you're there, the next challenge is usually to make sure that your activity is as hard to detect as possible. Microsoft has detailed a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade firewalls and other endpoint-based network monitoring.

The group, which Microsoft has named PLATINUM, has developed a system for sending files—such as new payloads to run and new versions of their malware—to compromised machines. PLATINUM's technique leverages Intel's Active Management Technology (AMT) to do an end-run around the built-in Windows firewall. The AMT firmware runs at a low level, below the operating system, and it has access to not just the processor, but also the network interface.

The AMT needs this low-level access for some of the legitimate things it's used for. It can, for example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a remote user to send mouse and keyboard input to a machine and see what's on its display. This, in turn, can be used for tasks such as remotely installing operating systems on bare machines. To do this, AMT not only needs to access the network interface, it also needs to simulate hardware, such as the mouse and keyboard, to provide input to the operating system.



Tom Webb


Qatari Foreign Minister Sheikh Mohammed bin Abdulrahman bin Jassim Al-Thani delivers a speech during a press conference. (credit: Mohamed Farag/Anadolu Agency/Getty Images)

Two weeks after an alleged cyber attack on Qatar's state news agency resulted in the publishing of a fake news story, the Qatari-funded broadcasting company Al-Jazeera claims that the company's "websites and digital platforms" are being targeted in "systematic and continual hacking attempts." The attack comes as officials from the Federal Bureau of Investigation continue to assist the Qatari government in Doha in investigations into an April breach of systems at the Qatar National Bank, as well as the previous media breach.

The fake news story was apparently aimed at further escalating tensions in Qatar's ongoing diplomatic crisis. On Wednesday, CNN reported that unnamed US officials had linked Russian hackers to the planting of the story. That story falsely reported comments by Qatar Emir Sheikh Tamim bin Hamad Al Thani at a military graduation ceremony, saying that President Trump might not last long in office, criticizing the escalation of animosity toward Iran, and praising Hezbollah and Hamas as resistance organizations.

However, multiple sources Ars has spoken with have disputed the Russia connection claim. No clear evidence has surfaced yet of who was involved, but Qatar's relationship with the US and its funding of the Al-Jazeera news service have been sources of concern for other governments in the region.


CVE update - fixed in Apache Ranger 0.7.1
[security bulletin] HPESBGN03758 rev.1 - HPE UCMDB, Remote Code Execution
[SYSS-2017-018] OTRS - Access to Installation Dialog
[security bulletin] HPESBHF03757 rev.1 - HPE Network Products including Comware 5 and Comware 7 running NTP, Remote Denial of Service (DoS)

Health IT's security problems run deep. (credit: Sean Gallagher)

A congressionally mandated healthcare industry task force has published the findings of its investigation into the state of health information systems security, and the diagnosis is dire.

The Health Care Industry Cybersecurity Task Force report (PDF), published on June 1, warns that all aspects of health IT security are in critical condition and that action is needed both by government and the industry to shore up security. The recommendations to Congress and the Department of Health and Human Services (HHS) included programs to drive vulnerable hardware and software out of health care organizations. The report also recommends efforts to inject more people with security skills into the healthcare work force, as well as the establishment of a chain of command and procedures for dealing with cyber attacks on the healthcare system.

The problems healthcare organizations face probably cannot be fixed without some form of government intervention. As the report states, "The health care system cannot deliver effective and safe care without deeper digital connectivity. If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security."


WebKit Cross Site Scripting and Arbitrary Code Execution Vulnerabilities
WebKit CVE-2017-2530 Memory Corruption Vulnerability
WebKit CVE-2017-2521 Unspecified Memory Corruption Vulnerability
WebKit CVE-2017-2415 Remote Code Execution Vulnerability
Apple macOS APPLE-SA-2017-03-27-3 Multiple Security Vulnerabilities