Beyond Information Security

US Govt Warns Critical Industries After Ransomware Hits Gas Pipeline Facility

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) earlier today issued a warning to all industries operating critical infrastructure about a new ransomware threat that, if left unaddressed, could have severe consequences.

The advisory comes in response to a cyberattack targeting an unnamed natural gas compression facility that employed spear-phishing to deliver ransomware to the company’s internal network, encrypting critical data and knocking servers out of operation for almost two days.

Source: The hacker news / Bleeping computer / Threatpost / Dark reading / Securityweek / BBC / Infosecurity magazine / Helpnet Security

Link: https://thehackernews.com/2020/02/critical-infrastructure-ransomware-attack.html

Link: https://www.bleepingcomputer.com/news/security/us-govt-warns-of-ransomware-attacks-on-pipeline-operations/

Link: https://threatpost.com/pipeline-disrupted-ransomware-attack/153049/

Link: https://www.darkreading.com/attacks-breaches/dhss-cisa-warns-of-new-critical-infrastructure-ransomware-attack/d/d-id/1337086

Link: https://www.securityweek.com/operations-us-natural-gas-facilities-disrupted-ransomware-attack

Link: https://www.bbc.com/news/technology-51564905

Link: https://www.infosecurity-magazine.com/news/us-gas-pipeline-shut-after/

Link: https://www.helpnetsecurity.com/2020/02/19/gas-pipeline-ransomware/


Critical Bug in WordPress Theme Plugin Opens 200,000 Sites to Hackers

A popular WordPress theme plugin with over 200,000 active installations contains a severe but easy-to-exploit software vulnerability that, if left unpatched, could let unauthenticated remote attackers compromise a wide range of websites and blogs.

The vulnerable plugin in question is 'ThemeGrill Demo Importer', which comes with free as well as premium themes sold by the software development company ThemeGrill.

The ThemeGrill Demo Importer plugin has been designed to allow WordPress site admins to import demo content, widgets, and settings from ThemeGrill, making it easier for them to quickly customize the theme.

Source: The hacker news / Bleeping computer / Threatpost / Securityweek / Trendmicro / Infosecurity magazine / Webarx Security

Link: https://thehackernews.com/2020/02/themegrill-wordpress-plugin.html

Link: https://www.bleepingcomputer.com/news/security/unsafe-wordpress-plugin-installed-on-nearly-200-000-sites/

Link: https://www.bleepingcomputer.com/news/security/zero-day-in-wordpress-plugin-exploited-to-create-admin-accounts/

Link: https://www.bleepingcomputer.com/news/security/over-20-000-wordpress-sites-run-trojanized-premium-themes/

Link: https://threatpost.com/active-exploits-hit-vulnerable-wordpress-themegrill-plugin/152947/

Link: https://www.securityweek.com/flaw-wordpress-themes-plugin-allowed-hackers-become-site-admin

Link: https://www.securityweek.com/wordpress-websites-hacked-vulnerabilities-two-themes-plugins

Link: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/plugin-leaves-nearly-100-000-wordpress-sites-vulnerable-to-compromise

Link: https://www.infosecurity-magazine.com/news/remote-wipe-plugin-bug-200000/

Link: https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/


Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide

A new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years.

Dubbed "Fox Kitten," the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors.

Source: The hacker news / Threatpost / Securityweek / Infosecurity magazine / Clearsky Cyber Security

Link: https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html

Link: https://threatpost.com/iranian-apts-fox-kitten-global-spy-campaign/152974/

Link: https://www.securityweek.com/iranian-hackers-exploited-enterprise-vpn-flaws-major-campaign

Link: https://www.infosecurity-magazine.com/news/iranian-hackers-backdoored-vpns/

Link: https://www.clearskysec.com/fox-kitten/


A Dozen Vulnerabilities Affect Millions of Bluetooth LE Powered Devices

A team of cybersecurity researchers late last week disclosed the existence of 12 potentially severe security vulnerabilities, collectively named 'SweynTooth', affecting millions of Bluetooth-enabled wireless smart devices worldwide—and, worryingly, a few of them haven’t yet been patched.

All SweynTooth flaws basically reside in the way the software development kits (SDKs) of multiple system-on-a-chip (SoC) vendors have implemented Bluetooth Low Energy (BLE) wireless communication technology—powering at least 480 distinct products from several vendors including Samsung, FitBit and Xiaomi.

Source: The hacker news / Securityweek / ASSET Group

Link: https://thehackernews.com/2020/02/hacking-bluetooth-vulnerabilities.html

Link: https://www.securityweek.com/sweyntooth-bluetooth-vulnerabilities-expose-many-devices-attacks

Link: https://asset-group.github.io/disclosures/sweyntooth/


Swiss Govt Says Ransomware Victims Ignored Warnings, Had Poor Security

Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) today warned of ongoing ransomware attacks targeting the systems of Swiss small, medium-sized, and large companies. According to the alert issued in collaboration with the Swiss Government Computer Emergency Response Team (GovCERT), the attackers have asked for ransoms ranging from thousands of Swiss Francs to millions — 1 million CHF is just over $1 million. Over a dozen such ransomware attacks that resulted in systems being encrypted and rendered unusable have been reported in recent weeks.

Source: Bleeping computer / MELANI

Link: https://www.bleepingcomputer.com/news/security/swiss-govt-says-ransomware-victims-ignored-warnings-had-poor-security/

Link: https://www.melani.admin.ch/melani/en/home/dokumentation/newsletter/sicherheitsrisiko-durch-ransomware.html


Dharma Ransomware Attacks Italy in New Spam Campaign

Threat actors are distributing the Dharma Ransomware in a new spam campaign targeting Windows users in Italy. The Dharma Ransomware has been active for many years and is based on another ransomware family called Crysis. It is not common, though, to see this ransomware family distributed through malspam as it is more commonly installed via hacked remote desktop services.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/dharma-ransomware-attacks-italy-in-new-spam-campaign/


SMS Attack Spreads Emotet, Steals Bank Credentials

A new Emotet campaign is spread via SMS messages pretending to be from banks and may have ties to the TrickBot trojan. Attackers are sending SMS messages purporting to be from victims’ banks – but once victims click on the links in the text messages, they are asked to hand over their banking credentials and download a file that infects their systems with the Emotet malware. Emotet has continued to evolve since its return in September, including a new, dangerous Wi-Fi hack feature disclosed last week that can let the malware spread like a worm. Now, this most recent campaign delivers the malware via “smishing,” a form of phishing that relies on text messages instead of email. While smishing is certainly nothing new, researchers say that the delivery tactic exemplifies how Emotet’s operators constantly switch up their approaches to go beyond mere malspam emails – making it hard for defense teams to keep up.

Source: Threatpost

Link: https://threatpost.com/sms-attack-spreads-emotet-bank-credentials/153015/


Hackers Were Inside Citrix for Five Months

Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.

Source: Krebs on security

Link: https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/


44% of Security Threats Start in the Cloud

Amazon Web Services is a top source of cyberattacks, responsible for 94% of all Web attacks originating in the public cloud. Cloud-enabled cyberattacks are ramping up, as indicated in a new Netskope study that found 44% of security threats use cloud services in various stages of the kill chain. Attackers are targeting popular cloud apps and services to exploit the growing trust in commonly used enterprise platforms. Microsoft Office 365 for Business, Box, Google Drive, Microsoft Azure, and GitHub are the most-targeted cloud apps, researchers discovered in the February 2020 Netskope Cloud and Threat Report. Most (89%) enterprise users operate in the cloud, and 33% of them work remotely.

Source: Dark reading

Link: https://www.darkreading.com/cloud/44–of-security-threats-start-in-the-cloud/d/d-id/1337088


Hacking McDonald’s for Free Food

This hack was possible because the McDonald’s app didn’t authenticate the server, and just did whatever the server told it to do: “McDonald’s receipts in Germany end with a link to a survey page. Once you take the survey, you receive a coupon code for a free small beverage, redeemable within a month. One day, David happened to be checking out how the website’s coding was structured when he noticed that the information triggering the server to issue a new voucher was always the same. That meant he could build a programme replicating the code, as if someone was taking the survey again and again.”

Source: Bruce Schneier on security

Link: https://www.schneier.com/blog/archives/2020/02/hacking_mcdonal.html

Link: https://www.vice.com/en_au/article/4agvdw/mcdonalds-hack-free-food


Building a bypass with MSBuild

Living-off-the-land binaries (LoLBins) continue to pose a risk to security defenders.

We analyzed the usage of the Microsoft Build Engine by attackers and red team personnel.

These threats demonstrate techniques T1127 (Trusted Developer Utilities) and T1500 (Compile After Delivery) of the MITRE ATT&CK framework.

Source: TALOS Intelligence Blog

Link: https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html


MGM hack exposes personal data of 10.6 million guests

The personal information of 10.6 million guests who stayed at MGM Resorts hotels was hacked last summer. The hack was first reported by ZDNet on Wednesday, which said the stolen information was posted to a hacking forum this week. MGM confirmed to the BBC that the attack took place. The data exposed included names, addresses, and passport numbers of former guests.

Source: BBC

Link: https://www.bbc.com/news/technology-51568885


Squeeze Volume 13 – Voting, Blockchain, DDoS, Malware, & more!

Welcome to the 13th edition of the Secjuice Squeeze, where we present a curated selection of last week's interesting infosec articles for your reading pleasure, just in case you missed them!

Source: Secjuice

Link: https://www.secjuice.com/infosec-news-squeeze-vol-13/


Make Your Own Custom OSINT Bookmarklet Tools

Bookmarklets are small snippets of JavaScript code that can be placed in the “Location” field of a traditional bookmark. When clicked, rather than navigating to a favorite website, these bits of code execute tasks within the browser. Bookmarklets can be used in lots of useful ways: to manipulate source code, pull hidden information from a page, or automate multiple queries all at once.

Source: Secjuice

Link: https://www.secjuice.com/osint-bookmarklet-tools/


The top four Office 365 security pain points

Companies get themselves into trouble when they do not fully understand the way data moves through O365 or they apply on-premise security practices to their cloud strategy. While the O365 platform comes with some security features and configuration options – that all customers should take advantage of – native or built-on tools do not address many vulnerabilities or other security issues.

Source: Helpnet Security

Link: https://www.helpnetsecurity.com/2020/02/19/o365-security/


Are CISOs ready for zero trust architectures?

“Every request to access a resource starts from a position of zero trust. Access decisions are then made and enforced based on a set of trust metrics selected by the organization. These trust metrics could relate to the user, their access device, the resource to be accessed, or a combination thereof.”

Source: Helpnet Security

Link: https://www.helpnetsecurity.com/2020/02/20/zero-trust-architectures/


Ring Makes 2-Factor Authentication Mandatory Following Recent Hacks

Smart doorbells and cameras bring a great sense of security to your home, especially when you’re away, but even the thought that someone could be spying on you through the same surveillance system would send shivers up your spine.

Following several recent reports of hackers gaining access to people’s internet-connected Ring doorbells and security cameras, Amazon yesterday announced that it is making two-factor authentication mandatory for all Ring users.

Source: The hacker news / Bleeping computer / Threatpost / Ring blog

Link: https://thehackernews.com/2020/02/ring-cameras-cybersecurity.html

Link: https://www.bleepingcomputer.com/news/security/ring-forces-2fa-on-all-users-to-secure-cameras-from-hackers/

Link: https://threatpost.com/ring-mandates-2fa-hacks/152971/

Link: https://blog.ring.com/2020/02/18/extra-layers-of-security-and-control/