In the Sept 2017 edition of our Cybersecurity Digest, we cover key threats and vulnerabilities we’ve observed in the past month. I am Souti Dutta, Lead Threat Analyst at Paladion’s Cyber Research Centre.
Based on Agari's research of public DNS records, 92 percent of all Fortune 500 companies have left their customers and business partners unprotected from domain name spoofing, one of the most common digital attack vectors. DMARC emerged as a standard in 2007 to minimize phishing threats. DMARC virtually eliminates domain name spoofing when it is set to quarantine or reject unverified email. However, only 39 of the companies in the Fortune 500 are enforcing DMARC with a quarantine or reject policy. An additional 124 have adopted a minimal DMARC policy that monitors, but does not prevent domain name spoofing, while 337 companies have not adopted DMARC at all. Implement DMARC with quarantine or reject to safeguard your users from spoofed mails.
Read More: https://goo.gl/4H1dYD
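To see the three policy tiers the Agari figures describe (enforcing with quarantine/reject, monitor-only with p=none, no record), here is an added example, not from Agari or Paladion, that classifies the value of a `_dmarc.<domain>` TXT record; the sample records and domain names are constructed, and it also flags records weakened by `pct<100` or a lax sub-domain policy (`sp=none`).

```python
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:          # tolerate a trailing ';'
            continue
        if "=" not in part:   # malformed tag, treat record as invalid
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(txt):
    """Return 'enforcing', 'monitor-only', 'partial' or 'invalid'.

    'partial' covers p=quarantine/reject records that still leave a gap:
    pct below 100 or a sub-domain policy (sp=) that is not enforcing.
    """
    tags = parse_dmarc(txt) if txt else None
    # RFC 7489: the first tag must be v=DMARC1 and p is required
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        return "monitor-only" if policy == "none" else "invalid"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"
    if tags.get("sp", policy).lower() not in ENFORCING:
        return "partial"
    return "enforcing"


# Constructed sample records standing in for real _dmarc TXT lookups
SAMPLE_RECORDS = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "half.example": "v=DMARC1; p=quarantine; pct=50",
    "subdomain.example": "v=DMARC1; p=reject; sp=none",
    "nodmarc.example": "",
}


def summarize(records):
    """Count domains per tier, the way the Fortune 500 figures above are reported."""
    counts = {}
    for txt in records.values():
        tier = classify_dmarc(txt)
        counts[tier] = counts.get(tier, 0) + 1
    return counts
```

Only domains in the `enforcing` tier stop spoofed mail from reaching the recipient; `monitor-only` and `partial` results are the ones to escalate.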
Last month, VMware announced the launch of AppDefense, a solution that uses the hypervisor to introspect application behavior inside the guest VM. It analyzes the behavior of applications within the guest VM, establishes their normal operational behavior and, once that baseline is verified to be accurate, continuously measures the current state against it, controlling or remediating the application's behavior if non-conformance is detected.
Read More: https://goo.gl/XT4UT9
After a series of recent data breaches involving data stored in Simple Storage Service (S3) buckets, Amazon last month announced a new security service built to identify, classify, and protect sensitive data stored in AWS S3 from unauthorized access. The service is known as Amazon Macie. It uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII), and provides visibility into how this data is being accessed or moved. The service continuously monitors data access activities for anomalies, and generates detailed alerts when it detects a risk of unauthorized access or inadvertent data leaks.
Read More: https://goo.gl/4ifmkT
A new malware family termed CoinMiner has been making the rounds. The new variant has proven hard to detect and stop using traditional security controls because of its unusual signatures and behavior. The malware is a cryptocurrency miner that uses the EternalBlue exploit to infect victims and the WMI toolkit to run commands on infected systems. In addition, CoinMiner runs in memory (fileless malware) and uses multiple layers of command and control servers. The simplest way to avoid infection by CoinMiner is to patch the Microsoft vulnerabilities related to SMBv1. CoinMiner infections can also be avoided by disabling WMI on systems, or at least restricting WMI access to admin accounts only.
Read More: https://goo.gl/JQP9Ug
Microsoft sounded an alert on the increase in weaponised virtual machines in the cloud. According to its latest Security Intelligence Report, Microsoft Azure's Security Center service observed a number of outbound attack attempts from cloud servers: attempts to establish communications with malicious IP addresses (51 percent) and to send out spam mail (19 percent). Attackers also tried to use cloud-based virtual machines to run port scans (3.7 percent) and attempted brute-force attacks on SSH and RDP.
Read More: https://goo.gl/bcRvqN
Hacks & Breaches
CeX, a second-hand technology goods chain with over 350 shops in the UK and more than 100 overseas (including America, Australia, and India), has reportedly notified two million customers about an online security breach that might have compromised their personal data. It is not known when the breach occurred, nor when it was discovered. From the information publicly available, the data appears to have been stolen from a database accessed via the company's WeBuy website rather than from its in-store POS devices.
Read More: https://goo.gl/5YfgMk
Vulnerabilities & Patches
August 2017 Patch Tuesday updates from Microsoft included a fix for a critical Windows Search vulnerability which, if exploited, could lead to a WannaCry- or NotPetya-like epidemic. This bug, CVE-2017-8620, allows an attacker to elevate privileges and remotely run arbitrary code. It affects all supported versions of Windows and Windows Server, and an attacker can use Server Message Block (SMB) to trigger the vulnerability remotely. Installing the latest Microsoft patches eliminates the issue. If patching is not feasible, it is recommended to disable the Wsearch service.
Read More: https://goo.gl/Yh5T3v
Read More: https://goo.gl/omRG31
Thank you for reading, folks. For the latest updates on new threats and vulnerabilities, follow us on
Twitter @ctacpaladion. Send us your feedback at firstname.lastname@example.org.