Expired domain names and malvertising

September 5, 2017 – 4:17 PM

In Q1 and Q2 of 2017, we noticed a sharp decline in drive-by downloads coming from compromised websites. The campaigns of the past are either gone (Pseudo Darkleech) or have changed focus (EITest using social engineering techniques).

Malvertising – which has remained steady and is currently the main driving force behind some of the most common malware and scam distribution operations – not only stems from various publishers but also from ‘abandoned’ websites. Those domains once served a legitimate purpose but were never renewed by their owners and fell into the hands of actors looking to make a quick profit using questionable practices.

In this post, we take a look at how malicious redirections from expired domains work and what kind of traffic they lead to.

The life, death, and resurrection of a domain name

Most issues when it comes to web security don’t usually come from the platforms themselves but from the people that run them or from properties that have simply been relinquished. The folks over at Sucuri have written about this extensively and in a recent post, they showed how expired domains and outdated plugins in popular CMS were a deadly mix, resulting in malicious redirects.

Source:
https://blog.malwarebytes.com/threat-analysis/2017/09/expired-domain-names-and-malvertising/

Hardcoded Credentials Expose Customers of AT&T U-Verse

September 1, 2017 – 6:30 PM

On August 31, 2017, Nomotion released five vulnerabilities for two Arris modems used by AT&T U-Verse customers in the US. The vulnerabilities are of the following types:

The hardcoded credentials give attackers access to the device via SSH or HTTP/HTTPS. On certain devices, when logged into the modem, the attacker can then leverage the authenticated command injection vulnerabilities to get a root shell. This vulnerability is especially bad for users whose devices are exposed to the internet.

The firewall bypass vulnerability is particularly worrisome. After gathering the list of hosts behind the firewall using the port 61001 information exposure, an unauthenticated remote attacker can then connect to any device behind the firewall by using the firewall bypass, effectively opening the internal network to attack.

Source:
https://www.tenable.com/blog/hardcoded-credentials-expose-customers-of-att-u-verse

uBlock Origin released as a pure WebExtension for Firefox

September 1, 2017 – 8:09 AM

A new WebExtension version of the popular content blocker uBlock Origin was just uploaded to Mozilla’s official add-ons repository for Firefox.

The new version is compatible with Firefox’s new WebExtensions standard for extensions, and will as such continue to work when Firefox 57 gets released.

This first official release of the WebExtensions version of uBlock Origin works for the most part just like the legacy add-on version.

Users may experience issues however when they upgrade from the legacy version of the add-on to the new version.

Raymond Hill, the developer of uBlock Origin, suggests that 32-bit users of Firefox stay on version 1.13.8 of the add-on until these issues are resolved.

Source:
https://www.ghacks.net/2017/08/31/ublock-origin-pure-webextension/

Microsoft bringing EMET back as a built-in part of Windows 10

June 27, 2017 – 4:37 PM

The Windows 10 Fall Creators Update will include EMET-like capabilities managed through a new feature called Windows Defender Exploit Guard.

Microsoft’s EMET, the Enhanced Mitigation Experience Toolkit, was a useful tool for hardening Windows systems. It used a range of techniques—some built in to Windows, some part of EMET itself—to make exploitable security flaws harder to reliably exploit. The idea is that, even if coding bugs do occur, turning those bugs into actual security issues should be made as difficult as possible.

With Windows 10, however, EMET’s development was essentially cancelled. Although Microsoft made sure the program ran on Windows 10, the company said that EMET was superfluous on its latest operating system. Some protections formerly provided by EMET had been built into the core operating system itself, and Windows 10 offered additional protections far beyond the scope of what EMET could do.

But as more mitigation capabilities have been put into Windows, the need for a system for managing and controlling them has not gone away. Some of the mitigations introduce application compatibility issues—a few even require applications to be deliberately written with the mitigation in mind—which means that Windows does not simply turn on every mitigation for every application. It’s here that Exploit Guard comes in.

Exploit Guard will be able to control the operating system-wide mitigation capabilities, as well as more individual, tailored protections. For example, with Exploit Guard, certain kinds of macros in Office documents can be blocked, and access to websites known to host lots of malware can be prevented.

Source:
https://arstechnica.com/information-technology/2017/06/microsoft-bringing-emet-back-as-a-built-in-part-of-windows-10/

Linux Systems in the Hackers’ Cross Hairs

June 27, 2017 – 4:02 PM

Security experts have warned IT teams to improve protection for Linux servers and IoT devices after observing an increase in threats targeting these systems.

WatchGuard Technologies’ latest quarterly Internet Security Report is based on analysis of over 26,500 active UTM appliances around the world.

It revealed that overall malware detection dropped by 52% from Q4 2016 to the first three months of this year as seasonal campaigns ceased.

However, despite that fall in detected malware volumes, Linux malware comprised more than a third (36%) of the top threats observed by WatchGuard during the period.

Among the top 10 threats detected by the firm were “Linux/Exploit”, “Linux/Downloader” and “Linux/Flooder”, the latter related to generic DDoS tools.

Linux Exploit is a generic detection rule used by WatchGuard to catch Linux trojans which usually infect devices before scanning related networks for others hosting Telnet or SSH services, attempting to log in using default credentials or via brute force. This was the MO of the infamous Mirai malware.

Jonathon Whitley, director at WatchGuard Technologies, argued that IoT devices are not designed with security in mind and frequently run on unsupported legacy operating systems.

“Consequently it is essential that they are protected by robust IPS and AV to ensure any vulnerabilities are addressed before the IoT device is accessed,” he told Infosecurity.

“We recommend that these devices be protected with strong firewall policies ensuring that access privileges are only granted where essential. Access can be further controlled by enabling application control, which will allow users to, for example, stop any access via a TOR Network, a common tool used by hackers. Visibility of traffic is critical to allow users to view who and how these devices have been accessed, allowing you to shape and tighten your policies.”

Source:
https://www.infosecurity-magazine.com/news/linux-systems-in-the-cross-hairs/
