Week in review 22 September 2019: traditional user awareness not working, destructive malware returns, Microsoft patched Defender bug, top human hacks, vulnerabilities in IoT devices double in 6 years

Round up of the most significant open source stories of the last week

This week includes tools, tips and resources from around the web.

Links to articles are for interest and awareness only; linking to or reposting external content does not endorse any service or product, and we are not responsible for the security of external links.


Traditional user awareness model is doomed to fail

CISOmag have some hard truths about the ways traditional user awareness training is failing. If current user awareness training is still relevant today, why is every security event full of CISOs complaining about users or passwords? After 20 years of user awareness, discussing passwords, and not clicking on links in emails, the security industry is still talking about these as if they are new requirements. Where are the results which prove that the current model has worked, and will continue to work?

The full article can be read here: https://www.cisomag.com/traditional-user-awareness-model-is-doomed-to-fail/


World’s most destructive botnet returns with stolen passwords and email in tow

If you've noticed an uptick of spam that addresses you by name or quotes real emails you've sent or received in the past, you can probably blame Emotet. It's one of the world's most costly and destructive botnets—and it just returned from a four-month hiatus.

Emotet started out as a means for spreading a bank-fraud trojan, but over the years it morphed into a platform-for-hire that also spreads the increasingly powerful TrickBot trojan and Ryuk ransomware, both of which burrow deep into infected networks to maximize the damage they do. A post published on Tuesday by researchers from Cisco's Talos security team helps explain how Emotet continues to threaten so many of its targets.

https://arstechnica.com/information-technology/2019/09/worlds-most-destructive-botnet-returns-with-stolen-passwords-and-email-in-tow/


Microsoft Patches Severe Windows Defender Bug

Microsoft patched a serious flaw in the Windows Defender security utility today that resulted in certain malware scans failing after just a few minutes.

https://www.tomshardware.co.uk/microsoft-patches-windows-defender-bug,news-61709.html


The Top 'Human Hacks' to Watch For Now

Social engineering is as old as mankind. But its techniques have evolved with time. DarkReading.com has info on the latest tricks criminals are using to dupe end users, including Social Media ‘Pretexting’, Vishing and SMiShing.

https://www.darkreading.com/edge/theedge/the-top-human-hacks-to-watch-for-now/b/d-id/1335845


Akamai speaks out on uptick of Distributed Denial of Service (DDoS) attacks

Akamai released findings on Wednesday following its investigation of a new Distributed Denial of Service vector that leverages a UDP amplification technique based on WS-Discovery (WSD). Without getting too technical, UDP (User Datagram Protocol) is an alternative communications protocol to TCP (Transmission Control Protocol), used for establishing low-latency and loss-tolerant connections between applications on the internet. Since UDP is a stateless protocol, requests to the WSD service can be spoofed, so a small request with a forged source address causes the WSD service to send its larger reply to the spoofed victim.

According to the report from Akamai the situation now is such that "multiple threat actors" are leveraging this DDoS method to ramp up attacks.
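As an added defender-side example (this is not code from Akamai or the article), here is a small Python script that applies the two checks a network team would want after reading the above: from the victim's side, spotting many distinct hosts replying from the WS-Discovery port (UDP 3702) to one destination with large payloads, and from the device owner's side, spotting WSD probes arriving from outside the local network. The flow records and the detection thresholds are constructed assumptions, and LOCAL_NETS is an assumed RFC 1918 address space.

```python
import ipaddress
from collections import defaultdict

# WS-Discovery (SOAP-over-UDP) listens on UDP 3702; reflected replies carry it as source port.
WSD_PORT = 3702
# Assumed local address space for the edge-side check (RFC 1918 ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real traffic), one flow per line:
# src_ip src_port dst_ip dst_port bytes packets
SAMPLE_FLOWS = """\
198.51.100.10 3702 203.0.113.5 41234 2970 2
198.51.100.11 3702 203.0.113.5 41234 3010 2
198.51.100.12 3702 203.0.113.5 41234 2955 2
198.51.100.13 3702 203.0.113.5 41234 3100 2
192.0.2.7 53 203.0.113.9 5353 120 1
198.51.100.20 12345 203.0.113.9 3702 180 1
"""

def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        src, sport, dst, dport, nbytes, pkts = line.split()
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes), "pkts": int(pkts)})
    return flows

def find_wsd_reflection(flows, min_reflectors=3, min_bytes_per_pkt=1000):  # assumed thresholds
    """Victim side: many distinct hosts replying from UDP/3702 to one target with large payloads."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "pkts": 0})
    for f in flows:
        if f["sport"] != WSD_PORT:
            continue
        s = per_dst[f["dst"]]
        s["reflectors"].add(f["src"])
        s["bytes"] += f["bytes"]
        s["pkts"] += f["pkts"]
    alerts = {}
    for dst, s in per_dst.items():
        bpp = s["bytes"] / s["pkts"]
        if len(s["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_pkt:
            alerts[dst] = {"reflectors": len(s["reflectors"]), "bytes_per_pkt": round(bpp, 1)}
    return alerts

def internet_exposed_wsd(flows):
    """Edge side: a UDP/3702 probe from outside LOCAL_NETS means the host answers Internet clients."""
    def is_local(ip):
        return any(ipaddress.ip_address(ip) in n for n in LOCAL_NETS)
    return sorted({f["dst"] for f in flows if f["dport"] == WSD_PORT and not is_local(f["src"])})
```

Any host reported by internet_exposed_wsd should have UDP 3702 filtered at the perimeter, since WS-Discovery has no legitimate use across the Internet.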

More: https://techxplore.com/news/2019-09-akamai-uptick-ddos.html


Global cryptomining attacks use NSA exploits to earn Monero

Security researchers tracked a very active threat group launching cryptomining attacks around the world against organizations in banking, IT services, healthcare and more, using exploits from the National Security Agency to spread its malware.

The new threat group, dubbed 'Panda,' was revealed this week in a new report from Cisco Talos. The report’s authors wrote that although the group is "far from the most sophisticated" it has been very active and willing to "update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts."

The NSA exploits include EternalBlue, which attacks a vulnerability in Microsoft's Server Message Block (SMB) protocol. The researchers first became aware of Panda's cryptomining attacks in the summer of 2018 and have reported that over the past year they've seen daily activity in their honeypots.

https://searchsecurity.techtarget.com/news/252470925/Global-cryptomining-attacks-use-NSA-exploits-to-earn-Monero


If You Have a Smart TV or IoT Devices, Your Home is Leaking Data.

Researchers at Northeastern University and the Imperial College London have recently conducted a thorough analysis of 81 different IoT products to characterize what services they attempt to connect with, what communications can be inferred from these connections, and the degree of encryption used to protect customers. 72/81 devices have at least one destination that is not a first party (i.e., belonging to the device manufacturer), 56% of the US devices and 83.8% of the UK devices contact destinations outside their region, all devices expose information to eavesdroppers via at least one plaintext flow, and a passive eavesdropper can reliably infer user and device behavior from the traffic (encrypted or otherwise) of 30/81 devices.

More here: https://www.extremetech.com/electronics/298621-if-you-have-a-smart-tv-or-iot-devices-your-home-is-leaking-data?source=opera


Vulnerabilities in IoT Devices Have Doubled Since 2013

Sticking with IoT devices for a minute, a follow-up study into the security of IoT devices has revealed more than twice the number of vulnerabilities as were detected six years ago.

In the 2013 study, researchers at Independent Security Evaluators (ISE) highlighted 52 vulnerabilities across 13 SOHO wireless routers and network-attached storage (NAS) devices made by vendors including Asus and Belkin.

An examination of routers and NAS products by ISE published yesterday has flagged 125 common vulnerabilities or exposures (CVEs). The vulnerabilities captured by the new research could affect millions of IoT devices.

For their latest study, the researchers tested 13 contemporary IoT devices created by a range of manufacturers. Modern versions of several devices tested in the original 2013 study were also studied to determine whether manufacturers had upped their security game.

The reported results were fairly disappointing, with researchers able to obtain remote root-level access to 12 of the 13 devices tested. Among the weaknesses identified were buffer overflow issues, command injection security flaws, and cross-site scripting (XSS) errors.

Read the original article here: https://www.infosecurity-magazine.com/news/vulnerabilities-in-iot-devices/


Some IT teams move to the cloud without business oversight or direction

27% of IT teams in the financial industry migrated data to the cloud for no specific reason, and none of them received financial support from management for their cloud initiatives, according to Netwrix.

Moreover, every third organization that received no additional cloud security budget in 2019 experienced a data breach.

Other findings revealed by the research include:

· 56% of financial organizations that had at least one security incident in the cloud last year couldn’t determine who was at fault.

· 31% of organizations would consider moving data back on premises due to concerns about security, reliability and performance, and high costs.

· Interest in broader cloud adoption has faded in the financial sector since last year. The number of organizations ready to adopt a cloud-first approach dropped by 16% and the number eager to move their entire infrastructure to the cloud fell by 12%.

https://www.helpnetsecurity.com/2019/09/20/financial-industry-cloud/


Most Small to Medium Sized Business Cyber Attacks Focus on Just Three TCP Ports

Small to mid-sized businesses can keep safe from most cyber attacks by protecting the ports that threat actors target the most. Three of them stand out in a crowd of more than 130,000 targeted in cyber incidents.

A report from threat intelligence and defence company Alert Logic enumerates the top weaknesses observed in attacks against over 4,000 of its customers.

According to the report, the ports most frequently used to carry out an attack are 22, 80, and 443, which correspond to SSH (Secure Shell), HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure).

Alert Logic says that these appear in 65% of the incidents, and it makes sense since they need to be open for communication, be it secured or plain text.

As basic guidance, security across all network ports should include defence-in-depth. Ports that are not in use should be closed and organisations should install a firewall on every host as well as monitor and filter port traffic. Regular port scans and penetration testing are also best practices to help ensure there are no unchecked vulnerabilities.

The standard recommendation to reduce the risk from these ports is to keep the devices, software and services that rely on them up to date and hardened, in order to close attack avenues.

https://www.bleepingcomputer.com/news/security/most-cyber-attacks-focus-on-just-three-tcp-ports/


Facebook announced on Friday that it suspended tens of thousands of apps amid privacy investigation in the wake of the Cambridge Analytica scandal.

The tens of thousands of apps Facebook has removed come from just 400 developers, Facebook said in its blogpost, and millions more have been investigated. The review is ongoing and comes from hundreds of contributors, including attorneys, external investigators, data scientists, engineers, policy specialists, and teams within Facebook, the company said.

https://www.theguardian.com/technology/2019/sep/20/facebook-app-suspension-privacy-cambridge-analytica


Why charities can’t afford to ignore the risk from malware

The world of cyber crime can seem murky and mysterious – cyber criminals are, after all, a faceless threat and charities are focused on the here and now, running their day to day operations and making a difference. But weapons such as malware are indiscriminate, and anyone can be stung. A new article from charitydigitalnews.co.uk aims to shed some light on the world of malware, with help from cyber security experts Avast in the form of a useful Q&A. The site has some other useful resources for charities and non-profits.

https://www.charitydigitalnews.co.uk/2019/09/16/cyber-security-faq-why-charities-cant-afford-to-ignore-the-risk-from-malware/

Black Arrow Cyber Consulting have a number of hours of free consulting time that charities and non-profits can apply to use.


Tools, tips and resources from around the web

How to encrypt and secure a website using HTTPS

The web is moving to HTTPS. SearchSecurity have released a guide to help firms find out how to encrypt websites using HTTPS to stop eavesdroppers from snooping around sensitive and restricted web data.

More info can be found here: https://searchsecurity.techtarget.com/tip/How-to-encrypt-and-secure-a-website-using-HTTPS

Ransomware: 11 steps you should take to protect against disaster

Falling victim to ransomware could put your vital business or personal data at risk of being lost forever. ZDNet have put together a list of steps that can help bolster your defences.

Read the article for the full list but the usual rules apply; user education and awareness, good patch management and ensuring you have good online and offline backups such that you can recover your data if the worst was to happen.

https://www.zdnet.com/article/ransomware-11-steps-you-should-take-to-protect-against-disaster/
