Inside Security: Inside

Dec 19, 2017

Share with Your Network

If you aren’t yet a Premium subscriber, you missed yesterday’s analysis about the zero trust extended platform, and what you should do about it. Go to our Premium page and sign up, subscription plans start at $10/month with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.

Iran has been encouraging more of its businesses to get online, and it has built a “halal Internet” that restricts what is available, similar to China’s Great Firewall. However, Iran has struggled with both supporting and at the same time blocking particular Internet apps, such as encrypted messaging app Telegram, that is useful for business as well as personal communications. This report describes the evolution of Iran’s censorship activities and the conflict between being open and controlling information access.

Security asa 5505 frnt rt 1000

Attacks and vulnerabilities

There is a vulnerability in the Cisco Adaptive Security Appliance firewall productthat can allow remote code execution. A variety of ASA products (such as this unit shown) are affected along with the FTD v6.2.2 firmware, and there is an update to fix this. – CISCO TOOLS BLOG


Researchers have found seven different vulnerabilities on various Zoho ManageEngine applications, which have been fixed by the company. They range from authentication issues to script injections that can result in remote code executions. – DIGITAL DEFENSE BLOG



Before deploying behavioral analytics, there are a few key things every security team should consider in maximizing their effectiveness, such as a unified security data set, having pre-set workflows to act on attacks in progress, and analytics based in the cloud for quick delivery.  – SECURITY WEEK

Microsoft is updating how it categorizes scareware, or programs that try to coerce users into purchasing them to “improve” their security posture. Often, this software is really malware with better marketing messages. Beginning next month, Windows Defender will detect and remove these programs. – MICROSOFT CLOUDBLOGS




Pentagon report from April 2001 was remarkably prescient about the growing danger and nature of cyber attacks. This post describes what it said, now that it has been declassified. “A lot of people told us we were being too alarmist at the time,” Stuart Staniford, the lead author of the report shown here, feels vindicated about its conclusions, such as segregating critical infrastructure controls from the public Internet, using white hat hackers, and mandating breach reports. — NEXTGOV


Email x1 powers bill

The Docket

Britain’s Court of Appeals has ruled on Tuesday that the current UK mass digital surveillance program is illegal. The program, called the Data Retention and Investigatory Powers Act, was passed in 2014. The court said it did not lawfully restrict government agencies’ access to personal citizen information, including phone records and web browsing history, and didn’t contain adequate oversight safeguards.  – THE GUARDIAN


New products and services

The Munich airport authority launched its Information Security Hub, a competency center where IT specialists with the airport operating company will work together with experts from the European aviation industry to develop strategies for defending against cyberattacks and new approaches to the fight against cybercrime.

COMPTIA has created an early version of a new pentest certification exam this week. Called PenTest+, it is designed for security professionals who want to prove their vulnerability assessment and management skills in a series of hands-on simulations using open source tools and testing frameworks. It joins other COMPTIA cybersecurity analyst exams and is scheduled to go into production in the fall. The test costs $50 and takes almost three hours.

Kaspersky Security for Microsoft Office 365 offers a SaaS-based tool to protect Exchange Online installations. Included are protections from malware and phishing threats and is managed from a web-based console. Pricing is $22.90 per protected mailbox per month, with quantity discounts available.



Just for fun

What if tech support writers worked for our federal government? Hilarity ensues. – THE NEW YORKER


David’s Take

Today’s newsletter is a grab-bag of numerous cryptocurrency-related exploits, with our top story showing how patient one attacker can be to rob victims of their virtual wallets. But that’s not all we have for you.

I am a big fan of data visualizations, and this story about how the fitness trackers of various active duty military members can show the downsides. It points out where some secret bases are located and gives me pause. The data collected by the Strava app has been analyzed and given how often military exercise and in dense numbers can make spotting these locales fairly easy. This is just one more IoT issue to worry about.

If the annual Pwn2Own hacking contest isn’t on your radar, the increased prize purses and the opportunity to try to find weaknesses in a new Windows 10 preview build might whet your appetite. This year Microsoft and VMware are upping the ante at the CanSecWest conference in Vancouver held in March. Contestants these days need to do a lot more than just find a single vulnerability to win money. Rewards typically require researchers to string together multiple exploits.

David Strom, editor of Inside Security


Network requests

Top Story: The long-term Iota attack explained

Usually, when we think about attacks on particular destination sites, we tend to focus on a point in time when the breach occurs, and how a company should have done a better job at defending themselves leading up to that moment. The story over the past week about the Iota attack is very different, and we learned that a hacker systematically spent the last several months working to steal four million dollars from other people’s cryptocurrency wallets, using a combination of misdirection, bad random-number generators, social media come-ons, and phished emails. The research into how this happened is described in detail here, where Alex Studer (who is a Dalton high school student with some mad skills) concludes by saying, “You should never rely on online services, like seed generators or web wallets, for holding any amount of currency you care about, and you should make sure that you use software that is open source and has been carefully reviewed and audited by the community.” Wise words to heed. – BLEEPING COMPUTER


Cryptocurrency attacks

eSentire has observed an unknown threat actor attempting to deploy a Monero cryptocurrency miner to multiple customers. The threat leveraged Kaseya’s Virtual Systems Administrator agent to gain unauthorized access to multiple customer assets


Youtube cryptocurrency mining 800x425

YouTube was recently caught displaying ads that covertly leach off visitors’ CPUs and electricity to generate digital currency on behalf of anonymous attackers, who were abusing Google’s DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain. The malware also contained malicious JavaScript that also displayed ads for fake AV programs. — ARS




AppRiver has published its year-end report summarizing exploits it has tracked across its security infrastructure. For example, they observed a major increase in phishing efforts, reaching peak levels over the summer. Some of this they attribute to a very clever phishing attack using a Docusign-based infected PDF (illustrated here). There are other attacks including filing up your inbox with spam to distract you from seeing financial account transaction notification messages and a summary of various ransomware campaigns.  — APPRIVER


Email x1 swift

Just for Fun

All the hub-bub over a simple black square. That is being an influencer! — SWIFTONSECURITY @ TWITTER


David’s Take

The U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States. According to Brian Krebs, accomplices stand near ATMs and remove the cash when an attacker issues the right sequence of commands. Apparently, the targeted stand-alone ATMs are routinely located in pharmacies, big box retailers, and drive-thru ATMs. The thieves typically need physical access to the inside of the ATM to make this exploit work. For some reason, jackpotting has been seen more in other countries, including Mexico.

David Strom, editor of Inside Security

Email x1 sqrrlTop Stories: Amazon and Google make strides in security

Two major announcements from last week deserve additional commentary. The first is the purchase of Sqrrl by Amazon. The Cambridge, Mass.-based company helps analyze a variety of sources to track and understand security threats quickly using machine learning. Its main product is called the Threat Hunting Platform, a system designed for cybersecurity teams which connects link analysis, machine learning algorithms, and multi-petabyte scalability to assist them in detecting and tracking down enterprise threats. Sqrrl will continue to work with its existing customers as its technology gets folded into yet another AWS offering. The company was founded by former NSA employees and has raised $26M since 2012. While terms of the deal were not disclosed, Axios reported in December a potential deal estimate of at least $40 million. — ZDNET

The second noteworthy announcement last week was Alphabet (Google’s parent) and a new service called Chronicle. The service is designed to help companies more quickly make sense of and act on the mountains of threat data produced each day by cybersecurity tools. Stephen Gillett will be the new venture’s CEO. The announcement is short on details, although it will leverage Google’s other property, Virus Total. One security researcher says this new company could be a meteor aimed at planet Threat Intel.

Funding and M&A news of the week

Tigera, a Kubernetes-focused startup in Silicon Valley that specializes in secure application connectivity, has raised an additional $10M in funding to further improve secure application connectivity across all cloud environments. Their lead investor is Madrona Venture Group and their CEO is Ratan Tipirneni.

HackerOne, a hacker-powered security platform, has acquired Breaker 101, an online web security course designed to educate the next generation of ethical hackers. The interactive content and coursework, now known as Hacker101, is available for free on GitHub.

Allure Security has raised $5.3M in seed funding from Glasswing Ventures to drive R&D for the company’s data loss detection and response platform. The Boston-based company’s CEO is Salvatore Stolfo.

Dominode has raised a $1.3M round with Blockchange Ventures in the lead. The Boca  Raton-based company has a new digital ID solution, and its CEO is John Toohey.

Centrallo has raised a $1.5M seed round with Responder in the lead. It’s developing new emergency response techniques, is based in NYC and its CEO is Michael Sher.

Cylus has raised a $4.7M seed round led by Zohar Zisapel of The RAD Group. The company is based in Tel Aviv and its CEO is Amir Levintal and it is working on cybersecurity geared towards railways and metro systems.

Hysolate has raised an $8M round led by Team8. It’s also based in Tel Aviv and is developing another endpoint protection solution, this time using air gap technologies. Its CEO is Tal Zamir.

SheerID has raised an $18M B round led by Centana Growth Partners for a new digital verification enterprise platform. It’s based in Portland, Ore. and its CEO is Jake Weatherly.

Crossrat malware detecctionAttacks and vulnerabilities

Windows, Linux and Mac systems are subject to a new piece of malware called CrossRAT, which appears to come from the Dark Caracal hacking group. The malware can enable remote access (hence its name), run arbitrary executables, and doesn’t rely on any zero day exploits. It is written in Java and contains an inactive keylogger, perhaps for future enhancements. – THE HACKER NEWS

Passwords loggedSecurity researchers have discovered more than 2,000 WordPress sites are infected with a keylogger that’s being loaded on the WordPress backend login page and an in-browser cryptocurrency miner being installed on their frontends. The result is that what is typed in the forms is sent to the hackers even before the user has clicked on the log in button. –BLEEPING COMPUTER


© 2022 Kenna Security. All Rights Reserved. Privacy Policy.