Thursday, August 24, 2017

How to Integrate Threat Intel & DevOps

Automating intelligence can help your organization in myriad ways.

Report: IT Professionals Far Removed From Reality On Security

Lumeta research says 90% want to detect cyber incidents that may cause breaches within one day. A new survey of 5,000 US IT executives found that 90% of respondents want to detect, within one day, cyber incidents that could lead to breaches; 7% were willing to settle for less than one week, and 3% for less than one month. The study, conducted by LTM Research on behalf of Lumeta, says enterprises are far removed from reality because industry data shows the average duration of a breach to be more than six months.
In support of this, a 2015 Mandiant report found that only 31% of companies are able to detect a cyber breach using internal resources, while the rest find out through a third party. Nearly half the respondents said they face several obstacles to attaining network visibility, including an inability to keep a check on every device on the network. Lumeta's Reggie Best argues that the executives' confidence in their security programs is misplaced, since they lack the real-time network visibility needed to protect their data.


Rootkits (Symantec)

Computer security has become a hot topic for the news industry. Hardly a week passes without some new threat or data breach making headlines. Increased...

Russian Hackers Focused on Election Systems in 21 States

A Department of Homeland Security official testified today that hackers tied to the Russian government attempted to infiltrate election systems in nearly two dozen states.

How Attackers Use Machine Learning to Predict BEC Success

Researchers show how scammers defeat other machines, increase their success rate, and get more money from their targets.

Trusted IDs Gain Acceptance in Smart Building Environment

A majority of survey respondents believe identities can be connected across multiple systems and devices through a single ID card or mobile phone.

Talking Cyber-Risk with Executives

Explaining risk can be difficult since CISOs and execs don't speak the same language.

The key is to tailor your message for the audience.

Internet Society Takes On IoT, Website Security, Incident Response via OTA...

What happens now that the Online Trust Alliance - which includes Microsoft, Symantec, Twitter, and other big names - will be under the umbrella of the global Internet organization?

The Growing Danger of IP Theft and Cyber Extortion

The recent hacks of Disney and Netflix show the jeopardy that intellectual property and company secrets are in, fueled by cheap hacking tools and cryptocurrencies.

Nation-State Hackers Go Open Source

Researchers who track nation-state groups say open-source hacking tools increasingly are becoming part of the APT attack arsenal.

WordPress Hacks Silently Deliver Ransomware To Visitors

[Image caption: If you're a gamer (or anyone else), this is not a screen you want to see. Credit: Bromium Labs]

It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users. In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites.

The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them. "WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit." According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites it observed have been hacked to include encrypted code at the end of all legitimate JavaScript files.

The encrypted content is different from site to site, but once decrypted, it looks similar to that shown in the image below (image credit: Sucuri). To prevent detection by researchers visiting the compromised site, the code takes pains to infect only first-time visitors.

To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload. Sucuri said Google's Safe Browsing mechanism—which browser makers use to help users avoid malicious websites—had blacklisted some of the Internet domains used in the ruse.

A post published Thursday by Heimdal Security, however, listed a different domain, leaving open the possibility that the attackers are regularly refreshing as old ones get flagged. Heimdal Security also warned that antivirus programs may do little to protect end users.

During the latest leg of the campaign, for instance, the exploit code was detected by just two of the 66 leading AV packages, while detection of the payload it delivered was also limited (the blog post didn't provide specifics).

Driveby attacks not just on porn sites anymore

The attacks are the latest reminder that people can be exposed to potent malware attacks even when visiting legitimate websites they know and trust.

The best defense against such driveby attacks is to install security updates as soon as they become available. Other measures include running Microsoft's Enhanced Mitigation Experience Toolkit on any Windows-based computers and using the 64-bit version of Google's Chrome browser if possible. It's not yet clear how the WordPress sites are getting infected in the first place.
It's possible that administrators are failing to lock down the login credentials that allow the site content to be changed.
It's also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected.

As Sucuri researcher Denis Sinegubko wrote:

"The malware tries to infect all accessible .js files. This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination. It's not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don't care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection. In other words, you either need to isolate every site or clean/update/protect all of them at the same time!"

People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication.
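The infection pattern described above (attacker code appended to the end of every reachable .js file, across every site on the same hosting account) is exactly the case a file-integrity baseline catches. The script below is an added example, not code from the article or from Sucuri; it records a SHA-256 and size for each .js file under several site roots, and on a later scan reports changed files, distinguishes an appended tail (the original content still present as a prefix) from an ordinary edit, and flags identical tails that appear under more than one site root as a cross-site contamination signal. The site layout, file contents and appended blob in `demo()` are constructed for the demonstration.

```python
"""Integrity baseline for .js files across several site roots (added example).

Models the article's infection pattern: a blob appended to the end of every
accessible .js file on the account. Only a hash and size are stored per file,
which is enough to recognise an append later: if the first `size` bytes of the
new file still hash to the baseline digest, whatever follows was appended.
"""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(site_roots):
    """Return {path: {"sha256": ..., "size": ...}} for every .js file under the roots."""
    baseline = {}
    for root in site_roots:
        for path in Path(root).rglob("*.js"):
            data = path.read_bytes()
            baseline[str(path)] = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    return baseline


def scan(site_roots, baseline):
    """Compare the current .js files against the baseline.

    Returns a dict with:
      changed:      paths whose hash differs from the baseline
      appended:     {path: tail_bytes} for changed files whose original content
                    survives as a prefix (something was appended)
      shared_tails: {tail_sha256: [site roots]} for tails seen under more than
                    one root (cross-site contamination signal)
      new_files:    .js files that were not in the baseline at all
    """
    changed, appended, new_files = [], {}, []
    tails_by_root = {}
    for root in site_roots:
        for path in Path(root).rglob("*.js"):
            key = str(path)
            data = path.read_bytes()
            if key not in baseline:
                new_files.append(key)
                continue
            if hashlib.sha256(data).hexdigest() == baseline[key]["sha256"]:
                continue
            changed.append(key)
            old_size = baseline[key]["size"]
            prefix_ok = (len(data) > old_size and
                         hashlib.sha256(data[:old_size]).hexdigest() == baseline[key]["sha256"])
            if prefix_ok:
                tail = data[old_size:]
                appended[key] = tail
                tails_by_root.setdefault(hashlib.sha256(tail).hexdigest(), set()).add(str(root))
    shared = {digest: sorted(roots) for digest, roots in tails_by_root.items() if len(roots) > 1}
    return {"changed": changed, "appended": appended, "shared_tails": shared, "new_files": new_files}


def demo():
    """Constructed scenario: two sites on one account, one blob appended to every .js file."""
    tmp = Path(tempfile.mkdtemp())
    site_a, site_b = tmp / "site-a", tmp / "site-b"
    for site in (site_a, site_b):
        (site / "wp-includes" / "js").mkdir(parents=True)
        (site / "wp-includes" / "js" / "jquery.js").write_bytes(b"/* constructed jquery stub */\n")
        (site / "theme.js").write_bytes(b"console.log('theme');\n")
    roots = [str(site_a), str(site_b)]
    baseline = build_baseline(roots)

    # Stand-in for the appended, encrypted-looking code: same blob on every file of both sites.
    blob = b"\n/* constructed: appended blob standing in for the injected redirect code */\n"
    for root in roots:
        for path in Path(root).rglob("*.js"):
            with path.open("ab") as fh:
                fh.write(blob)
    # A legitimate in-place rewrite: reported as changed, but not as an append.
    (site_a / "theme.js").write_bytes(b"console.log('theme v2');\n")
    return scan(roots, baseline), roots


if __name__ == "__main__":
    result, roots = demo()
    print("changed:", len(result["changed"]), "appended:", len(result["appended"]))
    for digest, where in result["shared_tails"].items():
        print("identical tail", digest[:12], "appended under:", where)
```

Run the baseline build right after a clean install or a verified clean-up, store the manifest off the web host, and schedule the scan. A shared tail across roots is the case Sinegubko describes: cleaning one site while another still carries the same appended code means the clean one will be reinfected, so every root in `shared_tails` has to be cleaned or isolated together.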

This post will be updated if researchers uncover a cause of this ongoing hack campaign. Until then, admins and end users alike should stay vigilant for signs one of their systems is being targeted and follow the usual best practices listed earlier.

Adobe Flash Flaws Dominate Exploit Kits In 2016

The top 10 vulnerabilities this year were mostly Adobe Flash, followed by Internet Explorer, according to a Recorded Future study. Six of the top 10 vulnerabilities found in cyberattack exploit kits in 2016 were bugs in Adobe Flash Player – including one Flash flaw that was packaged with a whopping seven different exploit kits, new research found. Recorded Future studied the contents of 141 exploit kits from Nov. 16, 2015 to Nov. 15 of this year, and found that, for the second year running, Flash was the application whose vulnerabilities were used most in exploit kits; Flash accounted for 8 of the top 10 last year. "A large majority of exploit kits have Adobe Flash Player vulnerabilities, so at the end of the day, not a whole lot has changed" with Flash's prevalence in exploit kits since last year's study, says Scott Donnelly, director of technical solutions at Recorded Future. Interestingly, the Flash vulnerability found in the most exploit kits by Recorded Future's research, CVE-2015-7645 - which lives in seven exploit kits - was the first zero-day Flash flaw discovered in the wake of Adobe's efforts over the past year to better secure its software with code-structure updates and mitigation features.

Adobe worked with Google's Project Zero team to add attack mitigation features to Flash last year. Meanwhile, Microsoft Internet Explorer, Silverlight, and Windows vulnerabilities also made the top 10 list, with IE's CVE-2016-0189 as the number one flaw found in exploit kits overall. "CVE-2016-0189's impact is tied to multiple version of IE it affects as well as its link to three active exploit kits including Sundown and RIG, which have helped fill the void left by the Angler Exploit Kit," according to Recorded Future's report published today, "New Kit, Same Player: Top 10 Vulnerabilities Used by Exploit Kits in 2016." Recorded Future also found that the exploit kits that have stepped up to fill the gap left by the now-defunct Angler exploit kit are Sundown, RIG, and Neutrino.

Flash-y

The Flash CVE-2015-7645 flaw affects Windows, Mac, and Linux operating systems, which Recorded Future said makes it especially attractive and "versatile" for attackers.

The flaw, which Trend Micro had dubbed a "method confusion" bug, was used by the Russian state hacking group known as Pawn Storm/APT 28/Fancy Bear.

The attack group sent spear phishing emails to foreign affairs ministers in various nations and rigged the URLs with exploits for the flaw, which allows an attacker to wrest control of the victim's machine. Its dominance among exploit kits came as a bit of a surprise to researchers since Adobe had been working on better securing its apps. "Theoretically, that was the more secure version" of Adobe software, Donnelly says. But the vuln is fairly simple to exploit, and isn't always patched, according to Recorded Future. "While the vulnerability was patched by Adobe fairly quickly, its ease of exploitation and the breadth of operating systems affected have kept it active. Unfortunately, slow enterprise patching and lack of knowledge by home users mean the vulnerability still manages to help kits infect machines," the report says. None of the vulnerabilities that made the top 10 in last year's report were found this year in exploit kits. "These were all new" vulnerabilities, Donnelly says. Another key finding of the report was that the new exploit kit on the block, Sundown, is making inroads.
Sundown, which reuses other kits' exploits, appears to be the handiwork of less sophisticated authors, experts say. "It's not like Angler and Neutrino, which were written from scratch by sharp guys," says CW Walker, a Recorded Future researcher. "It's gaining a lot of popularity, but it doesn't require the same support as Tier 1, AAA-level exploit kits in the past."

Checklist

Recorded Future says the best bet is to patch the vulns it cites in the report, as well as get rid of any of these affected apps that aren't needed by the business.

The security firm in its report also recommends:

Enable "click to play" for Flash
Take a look at running Google Chrome, which benefits from Google Project Zero's work and study of Flash flaws
Deploy browser ad-blockers to protect from malvertising attacks
Run regular backups, especially for shared files

Kelly Jackson Higgins is Executive Editor at DarkReading.com.