Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Correction: Campaign 2016-Foreign Hacking story
Beckley Register-Herald
"This exceeded traditional lobbying and public diplomacy." Jonathan Lampe with InfoSec Institute, a private information security company in Chicago, said security hasn't improved significantly since then. In October, he evaluated the security of 16 ...

JFrog Introduces Xray -- Makes DevOps Omniscient
EIN News (press release)
The announcement -- made at swampUP, JFrog's annual user conference -- represents a major advancement in improving development and DevOps and InfoSec teams' effectiveness, and accelerating the continuous delivery (CD) pipeline. JFrog Xray is the ...

UK Certifies 6 New Cybersecurity Masters' Degrees
Infosecurity Magazine
Due to the predicted increase in demand for information security personnel outpacing the supply, the global workforce shortage will reach 1.5 million within five years, the not-for-profit certification body predicts in its 2015 Global Information ...

FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.

The FBI's Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to the USB phone chargers that are nearly ubiquitous in homes and offices.

"If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."

[RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections
 

Hackers donate $20000 worth of air miles to charity
SYS-CON Media (press release)
AMSTERDAM, May 23, 2016 /PRNewswire-iReach/ -- Hackers of the globally recognized IT security company Offensi, who are known for reporting security vulnerabilities to Microsoft and AT&T in the recent past, have now discovered a security vulnerability ...

RUAG is a Swiss-based company that participates in the aerospace, defense, and space industries. In January of 2016 they detected an external compromise in their network. Further investigation revealed that they had been compromised since at least September of 2014.

The most interesting thing, in my mind, is that this attack was not particularly advanced or stealthy, but it demonstrated an almost textbook attack profile. From the report summary:

The attackers showed great patience during the infiltration and lateral movement. They only attacked victims they were interested in by implementing various measures, such as a target IP list and extensive fingerprinting before and after the initial infection. After they got into the network, they moved laterally by infecting other devices and by gaining higher privileges.

They went after high profile targets:

One of their main targets was the active directory, as this gave them the opportunity to control other devices, and to access the interesting data by using the appropriate permissions and group memberships.

Command and Control (CC) and exfiltration was over HTTP on port 80, a port almost every organization will have open.

The malware sent HTTP requests to transfer the data to the outside, where several layers of Command-and-Control (CC) servers were located. These CC servers provided new tasks to the infected devices.

This report is good reading for system and network defenders because it describes the various components of the attack. It is interesting to read and then ask whether you have the instrumentation and controls in your network to prevent, or at least detect, a similar compromise.

The recommendations are not ground-breaking. They are things we have all heard before and should be doing in our own networks, but that inevitably get push back when we recommend or try to implement them, due to the perceived impact on users. Here is a high level summary of the recommendations:

System level

  • blacklisting and whitelisting
  • minimizing privilege
  • restricting common hacker tool usage
  • up to date patching and updates

Active Directory

  • closely monitor your crown jewels
  • two factor authentication
  • have AD externally audited regularly

Network Level

  • all Internet traffic through one choke point
  • proxy and log all Internet access
  • internal network segregation
  • internal network instrumentation (netflow data logging)
  • DNS logging

Logging

  • long term log archives (2 years or more) of crucial systems such as
  • centralized logging
  • continuous log analysis against known IOCs
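
The network and logging recommendations above fit together: if all Internet access goes through one logged proxy and DNS queries are logged, then HTTP-based command and control of the kind described in the report leaves a trail that can be checked against known indicators continuously. The script below is an added example of that check, not code from the diary or the RUAG report. It matches proxy access-log lines and DNS query-log lines against an IOC list; the log formats (a Squid-style access line and a BIND-style query line), the IOC domains and the 203.0.113.0/24 range are all constructed placeholders, and `scan`, `Hit` and the sample logs are names chosen here.

```python
"""Match proxy and DNS log lines against a known-IOC list.

Added example (not from the ISC diary or the RUAG report). The log formats
and every IOC value below are constructed placeholders for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC list: placeholder domains and a documentation IP range
# (TEST-NET-3). Real indicators would come from your own threat intel feed.
IOC_DOMAINS = {"update-check.example.net", "cdn-static.example.org"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed log formats: Squid access.log (native format) and BIND query log.
PROXY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
DNS_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample logs: one internal client talks to an IOC domain and an
# IOC IP via the proxy, another resolves a subdomain of an IOC domain.
SAMPLE_PROXY_LOG = [
    "1463980800.123    245 10.0.5.17 TCP_MISS/200 1024 GET http://update-check.example.net/task.php - HIER_DIRECT/203.0.113.5 text/html",
    "1463980860.456    120 10.0.5.17 TCP_TUNNEL/200 5120 CONNECT 203.0.113.77:443 - HIER_DIRECT/203.0.113.77 -",
    "1463980900.789     80 10.0.5.18 TCP_HIT/200 2048 GET http://www.example.com/index.html - HIER_NONE/- text/html",
]
SAMPLE_DNS_LOG = [
    "23-May-2016 08:00:00.000 queries: info: client 10.0.5.17#53211 (update-check.example.net): query: update-check.example.net IN A + (10.0.0.53)",
    "23-May-2016 08:00:05.000 queries: info: client 10.0.5.18#40000 (www.example.com): query: www.example.com IN A + (10.0.0.53)",
    "23-May-2016 08:00:09.000 queries: info: client 10.0.5.19#41000 (files.cdn-static.example.org): query: files.cdn-static.example.org IN A + (10.0.0.53)",
]


@dataclass(frozen=True)
class Hit:
    source: str      # "proxy" or "dns"
    client: str      # internal host that produced the event
    indicator: str   # the IOC that matched
    line: str        # the raw log line, kept for the analyst


def _domain_match(name):
    """Return the matching IOC domain if name equals it or is a subdomain of it."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def _ip_match(host):
    """Return the matching IOC network as a string if host is an IP inside one."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return next((str(n) for n in IOC_NETWORKS if ip in n), None)


def _host_from_url(url):
    # CONNECT lines carry host:port, other methods carry a full URL.
    m = re.match(r"^(?:https?://)?([^/:]+)", url)
    return m.group(1).lower() if m else ""


def scan_proxy_line(line):
    m = PROXY_RE.match(line)
    if not m:
        return None                            # unparseable line: skip, don't crash
    host = _host_from_url(m.group("url"))
    ind = _domain_match(host) or _ip_match(host)
    return Hit("proxy", m.group("client"), ind, line) if ind else None


def scan_dns_line(line):
    m = DNS_RE.search(line)
    if not m:
        return None
    ind = _domain_match(m.group("qname"))
    return Hit("dns", m.group("client"), ind, line) if ind else None


def scan(proxy_lines, dns_lines):
    """Run both log sources against the IOC list; proxy hits first, then DNS."""
    hits = [h for l in proxy_lines if (h := scan_proxy_line(l))]
    hits += [h for l in dns_lines if (h := scan_dns_line(l))]
    return hits


def clients_to_investigate(hits):
    """Group matched indicators by internal client for triage."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h.client, set()).add(h.indicator)
    return by_client


if __name__ == "__main__":
    for client, inds in clients_to_investigate(scan(SAMPLE_PROXY_LOG, SAMPLE_DNS_LOG)).items():
        print(f"{client}: {sorted(inds)}")
```

Matching on parent domains matters because C2 infrastructure commonly rotates hostnames under one registered domain, and the CONNECT handling matters because a proxy that tunnels TLS only ever sees the destination host, not the URL. In production the IOC sets would be reloaded from a feed and the scan run over a tailed log rather than a list, but the matching logic stays the same.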

The summary report is available here. The detailed report is available here.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter: namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[slackware-security] curl (SSA:2016-141-01)
 
[RCESEC-2016-001] Postfix Admin v2.93 Generic POST Cross-Site Request Forgeries
 
[SECURITY] [DSA 3585-1] wireshark security update
 
Internet Storm Center Infocon Status