Table of Contents

1. Technology news and Security updates
1.1 South African government “securing cyberspace”
1.2 New Shadow Brokers Message Teases Data From Nuke Programs, Windows 10 Exploits
1.3 Phishing emails may not be the reason for WannaCry global havoc
1.4 What you need to know about the WannaCry Ransomware
1.5 Cyber security standards not doing enough
1.6 Password days are over
1.7 WannaCry shares code with Lazarus APT samples
1.8 Chrome browser hack opens door to credential theft
1.9 Apple issues security updates for macOS, iDevices
2. Cyber crime and Intelligence in the news
2.1 Security researchers link North Korea to massive WannaCry ransomware hack
2.2 Cockpit codes of United Airlines accidentally leaked to public
2.3 Database with 560 Million Passwords Leaked
3. Technical Security Alerts
3.1 Vulnerabilities, Malware and exploits

1. Technology news and Security updates:

1.1 South African government “securing cyberspace”

Government is making inroads in putting in place policy and legislative measures that will secure South Africa’s cyberspace.
These include the Cybercrime and Cybersecurity Bill, which is currently before Parliament after a process of consultation with the relevant stakeholders. The Bill seeks to ensure that the country has the relevant legislative framework in place. In partnership with institutions of higher learning, government has also launched capacity-building programmes that will bolster the State Security Agency’s capacity to respond to the problem of cyber insecurity.

Source: https://mybroadband.co.za/news/government/210966-south-african-government-securing-cyberspace.html

1.2 New Shadow Brokers Message Teases Data From Nuke Programs, Windows 10 Exploits

Today the Shadow Brokers published a new message teasing new exploits for people who register for a membership program the group has announced for next month, June 2017. The announcement comes on the heels of a very virulent ransomware outbreak that used one of the exploits previously leaked by the group: ETERNALBLUE, a hacking tool attributed to the Equation Group, a codename usually given to NSA cyber-operations. The Shadow Brokers leaked ETERNALBLUE in April 2017 as part of a larger data trove they started advertising in August 2016.

Shadow Brokers tease new exploits

Trying to capitalize on the success of the WannaCry ransomware, which used ETERNALBLUE for a self-spreading SMB worm, the Shadow Brokers are now announcing the "TheShadowBrokers Data Dump of the Month" service, a monthly subscription plan. The group claims it will release new exploits through this monthly membership program.
According to the group, these are the types of exploits to expect:
o web browser exploits
o router exploits
o mobile handset exploits and tools
o items from newer Ops Disks
o exploits for Windows 10
o compromised network data from more SWIFT providers and central banks
o compromised network data from Russian, Chinese, Iranian or North Korean nuclear and missile programs

Source: https://www.bleepingcomputer.com/news/security/new-shadow-brokers-message-teases-data-from-nuke-programs-windows-10-exploits/

1.3 Phishing emails may not be the reason for WannaCry global havoc

Vladimir Putin has blamed the US for the global cyber attack that has crippled computer systems around the world since Friday. Putin said Russia had “nothing to do” with the attack and blamed the US for creating the hacking software that affects Microsoft Windows computers. “Malware created by intelligence agencies can backfire on its creators,” said Putin, speaking to media in Beijing. He added that global leaders needed to discuss cyber security at a “serious political level” and said the US had backed away from signing a cyber security agreement with Russia. Authorities fear a second wave of the WannaCry ransomware could hit systems as people return to work and switch on their computers on Monday morning.

Source: https://latesthackingnews.com/2017/05/16/phishing-emails-may-not-reason-wannacry-global-havoc/

1.4 What you need to know about the WannaCry Ransomware

Symantec has uncovered two possible links that loosely tie the WannaCry ransomware attack to the Lazarus group:
o Co-occurrence of known Lazarus tools and WannaCry ransomware: Symantec identified the presence of tools used exclusively by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry did not have the ability to spread via SMB. The Lazarus tools could potentially have been used as a method of propagating WannaCry, but this is unconfirmed.
o Shared code: As tweeted by Google’s Neel Mehta, there is some shared code between known Lazarus tools and the WannaCry ransomware. Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 ciphers which to date has only been seen across Lazarus tools (including Contopee and Brambul) and WannaCry variants.

While these findings do not indicate a definite link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation. We will continue to share further details of our research as it unfolds.

A virulent new strain of ransomware known as WannaCry (Ransom.Wannacry) has hit hundreds of thousands of computers worldwide since its emergence on Friday, May 12. WannaCry is far more dangerous than other common ransomware because of its ability to spread itself across an organisation’s network by exploiting a critical vulnerability in Windows computers, which Microsoft patched in March 2017 (MS17-010). The exploit, known as “EternalBlue”, was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed to have stolen the data from the Equation cyber espionage group.

Source: https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware

1.5 Cyber security standards not doing enough

Cyber security standards are not doing enough to protect organisations from cyber crime. That was the word from Manuel Corregedor, chief operations officer at Telspace Systems, speaking at the ITWeb Security Summit 2017 today. Corregedor, who joined Telspace last month, says that although organisations are implementing standards such as ISO/IEC 27001, they are still being breached. The main problem with standards, he said, is that they can't keep up with the rapid changes the technology space is going through.
Faced with ever more frameworks, policies and documents, organisations often adopt a tick-box approach to pass an audit, but lack the knowledge to make it meaningful.

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=161788:Cyber-security-standards-not-doing-enough&catid=234&securityportal=t

1.6 Password days are over

In a world in which the physical and the virtual are increasingly integrated, biometric digital identities will become critical for safeguarding identities and data, and for policing and counter-cybercrime initiatives. Walter Lee, evangelist for global safety solutions at NEC Corporation, told delegates on day one of the ITWeb Security Summit 2017 that the digital world held the promise of great strides in convenience, service delivery and safety for everyone. The connected-future vision was making the world a better place to live, he said, but at the same time the level of risk was growing.

"The World Wide Web has become the Wild, Wild Web, and the best way to be safe on the Internet is not to be on the Internet," he said. "We are seeing the democratisation of threats: now hackers are as young as 12, and anyone can become a hacker because the Dark Web makes it easy to get any tools you need to commit cybercrime."

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=161786:Password-days-are-over&catid=234&securityportal=t

1.7 WannaCry shares code with Lazarus APT samples

As the first inkling of attribution emerged in the WannaCry ransomware outbreak, researchers found another attack using the same leaked NSA attack tools to spread the Adylkuzz cryptocurrency miner. Kafeine, a well-known exploit researcher who works for Proofpoint, said on Monday that this attack could be greater in scale than WannaCry, which spread worldwide on Friday, infecting Windows machines still unpatched against the SMBv1 vulnerabilities exploited by the NSA’s EternalBlue exploit and DoublePulsar rootkit and backdoor.
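Both WannaCry and the Adylkuzz campaign reach new victims the same way: by probing TCP port 445 (SMB) across many hosts and firing EternalBlue at whatever answers. The detection below is an added example, not code from the Threatpost or Symantec articles. It runs two checks over firewall log lines: sources that touch many distinct hosts on tcp/445 inside a short window (a sweep), and hosts that accepted SMB from a non-RFC1918 address (SMB exposed to the Internet). The key=value log format, the host names and the addresses are constructed for the example and do not correspond to any vendor's format or any real incident.

```python
"""Spot tcp/445 sweeps and Internet-exposed SMB in firewall logs.

Added example; the log format below is a constructed syslog-like line
(assumed, not a real vendor format) and the addresses are documentation
ranges (RFC 5737) plus RFC 1918 space."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.10 sweeps six internal hosts on tcp/445 in three
# seconds, 198.51.100.7 touches only three, 10.0.0.5 is a normal file-server client.
SAMPLE_LOG = """\
2017-05-16T08:00:01Z fw ACCEPT src=203.0.113.10 dst=10.0.1.1 proto=tcp dport=445
2017-05-16T08:00:01Z fw DROP src=203.0.113.10 dst=10.0.1.2 proto=tcp dport=445
2017-05-16T08:00:01Z fw ACCEPT src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=445
2017-05-16T08:00:02Z fw DROP src=203.0.113.10 dst=10.0.1.3 proto=tcp dport=445
2017-05-16T08:00:02Z fw ACCEPT src=203.0.113.10 dst=10.0.1.4 proto=tcp dport=445
2017-05-16T08:00:02Z fw ACCEPT src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=445
2017-05-16T08:00:03Z fw DROP src=203.0.113.10 dst=10.0.1.5 proto=tcp dport=445
2017-05-16T08:00:03Z fw ACCEPT src=203.0.113.10 dst=10.0.1.6 proto=tcp dport=445
2017-05-16T08:00:03Z fw ACCEPT src=198.51.100.7 dst=10.0.1.7 proto=tcp dport=445
2017-05-16T08:00:04Z fw ACCEPT src=198.51.100.7 dst=10.0.1.8 proto=tcp dport=445
2017-05-16T08:00:05Z fw ACCEPT src=198.51.100.7 dst=10.0.1.9 proto=tcp dport=445
2017-05-16T08:00:05Z fw ACCEPT src=10.0.0.5 dst=192.0.2.100 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def smb_events(lines):
    """Yield parsed records for tcp/445 only; DROPs count, a scanner produces both."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == 445:
            yield rec


def find_smb_sweeps(lines, min_targets=5, window=timedelta(seconds=60)):
    """Sources that reached >= min_targets distinct hosts on tcp/445 within `window`.

    Returns {src: sorted list of every tcp/445 destination that source touched}."""
    by_src = defaultdict(list)
    for rec in smb_events(lines):
        by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({dst for _, dst in evs[start:end + 1]}) >= min_targets:
                hits[src] = sorted({dst for _, dst in evs})
                break
    return hits


def exposed_smb_hosts(lines):
    """Destinations that ACCEPTed tcp/445 from a non-RFC1918 source: SMB reachable from outside."""
    exposed = set()
    for rec in smb_events(lines):
        if rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in INTERNAL):
            exposed.add(rec["dst"])
    return sorted(exposed)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("sweeps:", find_smb_sweeps(lines))
    print("exposed SMB:", exposed_smb_hosts(lines))
```

Tune min_targets and window to your own environment and allow-list the hosts that legitimately fan out on 445 (domain controllers, backup servers, vulnerability scanners), otherwise they will dominate the output. Anything reported by exposed_smb_hosts should simply not exist: block inbound 445 at the perimeter whether or not MS17-010 is installed.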
Once Adylkuzz infects a machine, it mines the open-source Monero cryptocurrency, which goes to great lengths to obfuscate its blockchain information, making it a challenge to trace activity. Kafeine said the Adylkuzz attacks pre-date WannaCry, with the first samples going back to April 24. More than 20 virtual private servers are scanning the Internet for targets with port 445 exposed, the port used by SMB traffic when connected to the Internet and the same port abused by EternalBlue and DoublePulsar.

Source: https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/

1.8 Chrome browser hack opens door to credential theft

A vulnerability in Google’s Chrome browser allows hackers to automatically download a malicious file onto a victim’s PC that could be used to steal credentials and launch SMB relay attacks. Bosko Stankovic, information security engineer at DefenseCode, found the flaw in the default configuration of the latest version of Chrome running on an updated version of Microsoft’s Windows 10 operating system. “Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim’s authentication credentials,” he wrote Monday in a description of the vulnerability. The technique allows an attacker to capture a victim’s username and NTLMv2 (NT LAN Manager) challenge-response hash. That leaves victims open to a variety of attacks, including a Server Message Block (SMB) relay attack, in which an adversary uses the victim’s credentials to authenticate to a PC or network resource such as email or a remote server. Attackers could also use this vulnerability to attempt to crack the target’s hashed password offline.
Source: https://threatpost.com/chrome-browser-hack-opens-door-to-credential-theft/125686/

1.9 Apple issues security updates for macOS, iDevices

It’s time to patch your Mac, iDevices and software again: Apple has released security updates for macOS (all the way back to Yosemite), iOS, watchOS, tvOS, iTunes, iCloud for Windows and Safari. The iTunes and iCloud for Windows updates each fix one vulnerability in WebKit. Both are critical, as they can be triggered by maliciously crafted web content and could lead to arbitrary code execution. One of these flaws also affects Safari, where the Apple security team also fixed a bucketload of other WebKit memory-corruption issues that can be exploited in the same way and lead to either arbitrary code execution or universal cross-site scripting. The watchOS and tvOS updates fix pretty much the same vulnerabilities, but Apple Watch users also get fixes for many of the aforementioned WebKit flaws and for a WebKit Web Inspector flaw that could allow an application to execute unsigned code.

Source: https://www.helpnetsecurity.com/2017/05/16/apple-issues-security-updates-macos-idevices/

2. Cyber crime and Intelligence in the news:

2.1 Security researchers link North Korea to massive WannaCry ransomware hack

Top security researchers believe there is a connection between North Korean-affiliated cybercriminals and the global WannaCry ransomware hack. Google security researcher Neel Mehta pointed out in a Monday afternoon tweet that code used in WannaCry bore similarities to code used by the Lazarus Group, a cadre of cybercriminals believed to be responsible for the 2014 Sony hack and a recent $81 million heist from the Bangladeshi central bank. Hours after Mehta’s tweet, leading cybersecurity firms Kaspersky Lab and Symantec both confirmed the similarities. The WannaCry ransomware, which surfaced on Friday, encrypts the data on infected machines and holds it hostage for about $300 in bitcoin.
One researcher found a “kill switch” for WannaCry over the weekend that has helped contain the damage, but the ransomware’s creators have already released a new variant without it.

Source: https://news.vice.com/story/security-researchers-link-north-korea-to-massive-wannacry-ransomware-hack

2.2 Cockpit codes of United Airlines accidentally leaked to public

The confidential codes required to access United Airlines’ cockpits have been accidentally leaked to the public, in what the airline calls a mistake rather than a data breach. On Sunday the Wall Street Journal reported that the airline sent a blast alert to employees over the weekend warning them of the inadvertent leak, caused by a flight attendant who posted the codes online. In the email to employees, the airline said a “corrective action plan” had been launched, but that by following the flight-deck security procedures already in place the risk of a breach of the flight-deck door is “strongly mitigated”. The incident has been reported to the Federal Aviation Administration (FAA), since the cockpit codes could give individuals unauthorised access to the pilot compartment; with the current risk of planes being attacked or hijacked, such a leak could be dangerous to crew and passengers.

Source: https://latesthackingnews.com/2017/05/16/united-airlines-cockpit-codes-accidentally-leaked/

2.3 Database with 560 Million Passwords Leaked

As if the week were not bad enough for digital security, with WannaCry running wild across computers worldwide, it has now been revealed that a new database containing passwords has been dumped online: all 560 million of them. Dubbed the “mother of all leaks” by the security research centre at MacKeeper, the database contains more than 560 million passwords.
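When a combo list of this size surfaces, the question for a defender is whether any of its passwords are in use on their own accounts, without handing the passwords (or even their full hashes) to a third party to find out. The script below is an added example and not part of the Softpedia article; the article goes on to describe checking the set against Have I Been Pwned, and this example uses HIBP's Pwned Passwords range API (https://api.pwnedpasswords.com/range/), which answers a five-character SHA-1 prefix with every matching suffix and its breach count, so the password itself never leaves your machine. The fetcher is injectable: fetch_range_fake, its corpus and its counts are a constructed offline stand-in, not real HIBP figures.

```python
"""Check combo-list credentials against Pwned Passwords by k-anonymity.

Added example. Only the first five hex characters of SHA-1(password) are sent;
the match against the returned suffixes happens locally."""
import hashlib
from urllib.request import Request, urlopen

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the Pwned Passwords service indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix):
    """Real query: GET /range/<5 hex chars>; the body is 'SUFFIX:COUNT' lines."""
    req = Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "combo-list-check/1.0"})
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service (passwords and counts are invented).
_FAKE_CORPUS = {"password": 3303003, "letmein": 236997, "Winter2017!": 12}


def fetch_range_fake(prefix):
    """Answer like the real endpoint would for the fake corpus."""
    lines = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in _FAKE_CORPUS.items()
             if sha1_hex(pw)[:5] == prefix]
    lines.append("0" * 34 + "A:1")  # filler so a miss still yields a non-empty range
    return "\r\n".join(lines)


def pwned_count(password, fetch=fetch_range_live):
    """Number of times the password appears in the corpus, 0 if never seen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_combo_list(entries, fetch=fetch_range_live):
    """entries: iterable of (email, password) pairs from a combo list.
    Returns {email: breach_count} for every password found in the corpus."""
    hits = {}
    for email, password in entries:
        n = pwned_count(password, fetch)
        if n:
            hits[email] = n
    return hits


if __name__ == "__main__":
    sample = [("alice@example.com", "password"), ("bob@example.com", "Tr0ub4dor&3-unique")]
    print(check_combo_list(sample, fetch=fetch_range_fake))
```

Switch fetch to fetch_range_live for a real check and rate-limit your own loop: 560 million lookups is not a weekend job, so start with the accounts that matter (privileged and externally reachable ones) and force a reset wherever the count is non-zero.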
After running the set against Troy Hunt's Have I Been Pwned platform, it was also discovered that over 243 million unique email addresses were in the database, almost every one of them already appearing in other breaches. According to MacKeeper, this seems to be just another giant database of passwords collected from a variety of sources, including previous data breaches: what is known as a "combo list", since it mixes information from multiple sources. That this data was floating around the Internet somewhere is not new, but having it all aggregated and readily available for anyone curious to have a look is worrisome.

"During our research we were surprised to see as many as 313 large databases, with size over 1GB, with several terabytes of data, hosted in US, Canada and Australia. The database in question is hosted on a cloud-based IP, and it is unclear who actually owns it. We sent notification email to the hosting provider, but usually it is not the quickest way to shut it down," the researchers explain.

The database is over 75 GB in size and contains data structured in readable JSON format. It includes data from at least 10 previous leaks, including LinkedIn, Dropbox, MySpace, Neopets, RiverCityMedia, Tumblr and Last.fm, to name a few.

Source: http://news.softpedia.com/news/database-with-560-million-passwords-leaked-515779.shtml

3. Technical Security Alerts:

Technical security alerts cover current security issues, vulnerabilities, malware and exploits, provided proactively to give timely information about their impact, propagation and remediation. This information is sourced for technical teams so that they can protect their infrastructure environments.

3.1 Vulnerabilities, Malware and exploits

The table below lists the recent vulnerabilities, malware and exploits identified by the ICT Security Monitoring Services team for today.
Name: Adobe Flash Player Memory Corruption Vulnerability
Description: A vulnerability in Adobe Flash Player could allow an unauthenticated, remote attacker to execute arbitrary code.
Propagation: The vulnerability is due to improper memory operations performed by the affected software. An attacker could exploit this vulnerability by persuading a user to open a web page that contains crafted Flash content. A successful exploit could trigger memory corruption, which could allow the attacker to execute arbitrary code on the targeted system.
Technologies and software affected: Adobe Flash Player 20.0 (Base, .0.228, .0.235, .0.267, .0.286, .0.306) | 21.0 (.0.197, .0.213, .0.226, .0.242) | 22.0 (.0.192, .0.211) | 23.0 (.0, .0.162, .0.185, .0.205, .0.207) | 24.0 (.0.0, .0.186, .0.194, .0.221) | 25.0 (.0, .0.127, .0.148, .0.163)
Remedy: Adobe has released software updates: Flash Player Desktop Runtime version 25.0.0.171 for Windows and Macintosh; Flash Player version 25.0.0.171 for Linux; Flash Player for Google Chrome version 25.0.0.171 for Windows, Macintosh, Linux and ChromeOS; Flash Player for Microsoft Edge and Internet Explorer 11 version 25.0.0.171 for Windows 10 and Windows 8.1. Vendor announcement: Adobe security bulletin APSB17-15.
Severity: High risk
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=53842

Name: Git git-shell Escape Privilege Escalation Vulnerability
Description: A vulnerability in the git-shell feature of Git could allow an authenticated, remote attacker to gain elevated privileges.
Propagation: The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a repository name that starts with a dash to a targeted system. An exploit could allow the attacker to break out of the restricted git-shell and gain elevated privileges on the system.
Technologies and software affected: Git 2.4 (.0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11) | 2.5 (.0, .1, .2, .3, .4, .5) | 2.6 (.0, .1, .2, .3, .4, .5, .6) | 2.7 (.0, .1, .2, .3, .4) | 2.8 (.0, .1, .2, .3, .4) | 2.9 (.0, .1, .2, .3) | 2.10 (.0, .1, .2) | 2.11 (.0, .1) | 2.12 (.0, .1, .2)
Remedy: The vendor has released software updates, available as tarballs at: Index of /pub/software/scm/git
Severity: High risk
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=53840
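The git-shell entry above is an instance of a general bug class: a client-supplied name is spliced into the argument list of a privileged command, and a name beginning with a dash is read by that command as an option instead of a name. The snippet below is an added example and not Git's code; the "upload-pack" option parser and its --exec option are hypothetical stand-ins (built with argparse so the example runs without Git installed) that model how a leading-dash name is misparsed. It shows the vulnerable dispatch, then the hardened one, which does both things a fix needs: reject names that could be read as options, and end option parsing with "--" so that even an unexpected name is taken literally.

```python
"""Option injection via a user-supplied name, and the two-part fix.

Added example. make_parser() stands in for the option parser of a privileged
server-side command; '--exec' is a hypothetical option naming a helper to run."""
import argparse
import re

# Allow-list for repository names: must start with a letter, digit or underscore,
# so it can never begin with '-' (an option) or '.' (a path trick).
REPO_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._/-]*$")


def make_parser():
    """Stand-in for the privileged command's own option parsing."""
    p = argparse.ArgumentParser(prog="upload-pack", add_help=False)
    p.add_argument("--exec", dest="exec_path", default=None)  # hypothetical option
    p.add_argument("repo", nargs="?")
    return p


def dispatch_unsafe(name):
    """Vulnerable: the client-controlled name is placed where an option could appear."""
    ns = make_parser().parse_args([name])
    return ns.exec_path, ns.repo


def dispatch_dashdash_only(name):
    """Partial fix: '--' ends option parsing, so the name is always taken literally."""
    ns = make_parser().parse_args(["--", name])
    return ns.exec_path, ns.repo


def dispatch_safe(name):
    """Hardened: validate against the allow-list first, then still use '--'."""
    if not REPO_NAME.match(name):
        raise ValueError("refusing repository name %r" % (name,))
    return dispatch_dashdash_only(name)


if __name__ == "__main__":
    print(dispatch_unsafe("--exec=/tmp/evil"))       # option was injected
    print(dispatch_dashdash_only("--exec=/tmp/evil"))  # treated as a (bad) name
    print(dispatch_safe("project.git"))
```

The allow-list is the primary control: a name that is rejected never reaches the child process at all. The "--" separator is defence in depth, and only works when the command being invoked honours it, so do not rely on it alone.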