Hello, and welcome to Security Soup’s first in a series of posts covering news highlights from the previous week. This list is not intended to be an exhaustive source, but simply a collection of items I found significant or interesting during my weekly research. Quick, bulleted summaries are provided with links so readers can drill down into particular topics according to their own interests.
Vulnerabilities and Exploits
Highlights/Comments: Microsoft’s Patch Tuesday this week brought a notable fix for the PrivExchange proof-of-concept (PoC) attack published by researcher Dirk-jan Mollema, which had likely caused more than a few sleepless nights for sysadmins and blue teams alike. The attack chains two weaknesses: Exchange’s EWS push-subscription feature can be coerced into NTLM-authenticating to an attacker-controlled host, and Exchange’s machine accounts hold WriteDACL on the domain object, so relaying that authentication to LDAP lets any user with a mailbox grant themselves directory replication (DCSync) rights. Patching is only part of the story; the relay step also depends on LDAP signing and channel binding not being enforced, so those settings are worth reviewing alongside the update.
- Coverage of Microsoft’s February 2019 Patch Tuesday Updates
- Patch Tuesday includes fix for the Active Directory PrivExchange vulnerability
- “Dirty_Sock” vulnerability in the REST API of Canonical’s snapd daemon allows a local user to escalate to root on Linux distros that ship snapd (fixed in snapd 2.37.1)
- CVE-2019-5736: A runc vulnerability that lets a malicious container overwrite the host’s runc binary and gain root on the host, enabling sandbox escapes in Docker, Kubernetes, and other runc-based runtimes (patched in Docker 18.09.2 and updated runc builds)
Threats in the Wild – Malware, Phishing, and other campaigns
Highlights/Comments: This week brought several items on TrickBot and its continued development with the addition of new capabilities. Researchers note that it continues to be delivered as a follow-up payload in Emotet infections, and CrowdStrike also takes a look at its relationship to IcedID (aka BokBot). In other news, legitimate infrastructure such as cloud storage and online code repositories continues to be popular for staging payloads, which is worth keeping in mind anywhere domain reputation is the only control between a user and a phishing page.
- New TrickBot variant adds RDP and PuTTY password grabbing capabilities
- Astaroth Trojan updates with new evasion techniques in South American campaigns
- GandCrab as a payload in targeted attack on a Healthcare organization
- CrowdStrike examines cooperation of IcedID and TrickBot affiliate operations
- Phishing campaign’s fake credential-stealing sites hosted on Microsoft’s Azure blob storage
- Emotet delivers IcedID and TrickBot as secondary payloads
- ISC handler takes a look at a Houdini (aka H-Worm) payload staged on GitHub
- A technical analysis from Yoroi researchers reveals code similarities between Gootkit and an AZORult variant
- Sophos researchers deliver a technical write-up of the “Old Phantom Crypter,” a malicious document builder kit
Breaches, Government, and Law Enforcement
- Alleged “Apophis Squad” members indicted for bomb threats, web defacement, and DDoS attacks.
- Threatpost reports on a handful of data breach and data exposure related stories
- Email service vendor VFEmail compromised in a “catastrophic” destructive attack that wiped nearly all company and client data, backups included
- A former US Air Force intelligence officer indicted for conspiring to deliver national defense information to a foreign government.
- Two U.S. Senators send letter to Director of the DHS Cybersecurity and Infrastructure Security Agency requesting an investigation into foreign-based VPN service providers.
- Twelve Romanian nationals extradited to the US for being members of a crime ring involved in phishing, BEC, and other online fraud schemes.
- Risk Based Security’s end of year report claims more than 5 billion records exposed in 2018 (email registration required for access)
- A Russian news agency reports on plans for a 2019 test of “RuNet,” a “sovereign internet” running on a backup DNS system
Industry News and Reports
Highlights/Comments: Many vendors are releasing their end of year reports. Proofpoint’s quarterly reports are required reading in my opinion and offer fantastic insight into the email threat landscape. Dragos’ work here is also excellent and despite their focus on ICS, their analysis and methodology is frequently applicable beyond critical infrastructure.
- An AlienVault report on managed service trends and usage (email registration required for access)
- AppSec News Roundup by Barracuda for January 2019
- Threat Report by Perch Security for Thursday February 14, 2019
- Proofpoint’s end of year review and Q4 2018 threat report
- NATO alliance announces new information sharing hub for member nations
- Dragos releases 2018 year in review reports
- FireEye revisits an epic Twitter thread in response to a recent podcast episode
Tools and Tips
Highlights/Comments: Eric Zimmerman releases another cool tool for forensicators. It would be hard to overstate his amazing contributions to the field.
- KAPE (Kroll Artifact Parser and Extractor) is the latest forensic tool from Eric Zimmerman; it collects and parses artifacts for quick triage while full images of the systems are still being taken
- CrowdStrike guide for hardening the Secure Boot chain in Fedora 29
- Malware Hunter: a free tool that matches hashes against a database of YARA rules
- Justniffer: A network protocol analyzer
- A new USB cable works like a Rubber Ducky with an embedded Wi-Fi controller, letting an attacker inject keystrokes (and so run commands) on the connected host remotely
- Black Hills InfoSec blog about “Getting PowerShell Empire Past Windows Defender”