Cybersecurity Weekly Briefing October 24-30
ElevenPaths, 30 October, 2020

Critical vulnerability in Hewlett Packard Enterprise SSMC

Hewlett Packard Enterprise has fixed a critical authentication bypass vulnerability (CVE-2020-7197, CVSS 10) affecting its StoreServ Management Console (SSMC) storage management software. HPE SSMC is present in the HPE Primera and HPE 3PAR StoreServ storage platforms. The company has classified the flaw as highly critical because it is easy to exploit, requires no user interaction and can be exploited by an unprivileged attacker. In addition, HPE has corrected 64 vulnerabilities affecting HPE Intelligent Management Center (iMC). HPE strongly recommends updating SSMC to version 3.7.1.1 or higher.

More details: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbst04045en_us

KashmirBlack botnet attacks content management systems

Imperva security researchers, after analysing the KashmirBlack botnet, have discovered that it is reportedly infecting thousands of websites by attacking their content management systems (CMS). KashmirBlack controls hundreds of bots, each of which communicates with the C&C to receive new targets and perform brute-force attacks, install backdoors and expand the size of the network. According to the researchers, the main objective of this botnet is to infect websites and then use their servers to mine cryptocurrencies or redirect legitimate traffic to spam sites, among other purposes. To spread, KashmirBlack looks for websites running vulnerable versions of CMSs such as WordPress, Magento or Joomla and uses known exploits for those bugs.

All the info: https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-i/

TrickBot extends its activity to Linux devices

On October 12th, Microsoft reported that a group of technology companies had taken part in a joint action to take down the TrickBot botnet. Days later, the Redmond company reported that 94% of the infrastructure had been eliminated, but warned that the threat actors behind the botnet would reactivate their operations. Now the Netscout research team has shared new findings explaining how the TrickBot authors have ported parts of their code to Linux in order to extend the reach of their victims. To do so, they are using a new TrickBot backdoor called Anchor, discovered in late 2019 by Cybereason researchers, which is now being used on Linux devices to communicate with their Command & Control. Anchor stands out for using the DNS protocol to communicate with C2 servers in a stealthy way: each part of the communication with the C2 follows a sequence of three different DNS queries, the last of which sends the bot the command to execute a payload. According to the researchers, these characteristics show great complexity in Anchor's C2 communication, and the payloads the bot can execute reflect a constant capacity for innovation, as evidenced by the move to Linux.

More: https://www.netscout.com/blog/asert/dropping-anchor

Attempts to exploit a recent critical bug in Oracle WebLogic

On October 20th, Oracle published its security bulletin fixing a critical bug in Oracle WebLogic Server that allows remote code execution without authentication, CVE-2020-14882 (CVSS 9.8). Shortly after exploit code for this vulnerability was made public, the SANS Institute detected attacks against its honeypots attempting to exploit this bug. In these attempts, the threat actors only checked whether the system was vulnerable. It is therefore strongly recommended to apply the corresponding patches to fix this vulnerability, which affects the following versions of Oracle WebLogic Server: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0. The attacks came from four IP addresses, 114.243.211[.]18 (China Unicom), 139.162.33[.]228 (Linode, USA), 185.225.19[.]240 (MivoCloud, Moldova) and 84.17.37[.]239 (DataCamp Ltd, Hong Kong), and according to SANS, the exploit used was based on the technical details of a Vietnamese blog post published on Wednesday by security researcher @testanull.

Info: https://isc.sans.edu/diary/26734

Malware campaigns lead to ransomware infection

FireEye security researchers have published a compilation of new campaigns from malware families that act as droppers and end in a ransomware infection. One of their characteristics is their speed of action, since the threat actors carry out their attack within the first 24 hours of the initial compromise. It should also be noted that the different malware used, such as Kegtap/Beerbot, Singlemalt/Stillbot and Winekey/Corkbot, shares the same Command & Control infrastructure. The operators of these campaigns have so far targeted individuals at organisations in different sectors and geographical locations. The entry vector for these campaigns is malicious emails that imitate generic corporate communications and link to documents hosted on Google Docs, which in turn contain a URL from which the malware is downloaded. Once it is executed on the initial victim's host, the authors use payloads such as PowerTrick and/or Cobalt Strike to carry out network and host reconnaissance. In this way they get to know the affected organisation from the inside and facilitate lateral movement, privilege escalation and, in some cases, the download and execution of ransomware such as Ryuk.

More: https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
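As an added illustration of the DNS-based C2 pattern described in the TrickBot/Anchor item above (detection logic written for this briefing, not code from Netscout, Cybereason or ElevenPaths): it scans a constructed DNS query log for a host issuing three distinct random-looking queries to the same domain within a short window. The log format, the entropy threshold, the 10-second window and the c2-placeholder.test domain are assumptions; the text does not describe Anchor's actual query format.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log (not real Anchor traffic): "timestamp client qname".
# The three hex-looking labels on 10.0.0.7 stand in for the three-query exchange.
SAMPLE_LOG = """\
2020-10-28T10:00:01 10.0.0.5 www.example.com
2020-10-28T10:00:02 10.0.0.5 mail.example.com
2020-10-28T10:00:03 10.0.0.7 0a3f9c1e7b4d.c2-placeholder.test
2020-10-28T10:00:04 10.0.0.7 e81b2d6f0a93.c2-placeholder.test
2020-10-28T10:00:05 10.0.0.7 5c7d1e9af204.c2-placeholder.test
2020-10-28T10:00:40 10.0.0.5 cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_domain(qname: str) -> str:
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_query_triplets(log: str, window_s: int = 10, min_entropy: float = 3.0):
    """Return (client, domain) pairs that issued 3 distinct high-entropy
    query names under one domain within window_s seconds (assumed heuristic)."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts = datetime.fromisoformat(m.group(1))
        client, qname = m.group(2), m.group(3)
        if shannon_entropy(qname.split(".")[0]) >= min_entropy:
            seen[(client, registered_domain(qname))].append((ts, qname))
    alerts = []
    for (client, domain), events in seen.items():
        events.sort()
        for i in range(len(events) - 2):
            names = {q for _, q in events[i:i + 3]}
            span = (events[i + 2][0] - events[i][0]).total_seconds()
            if len(names) == 3 and span <= window_s:
                alerts.append((client, domain))
                break  # one alert per client/domain pair is enough
    return alerts
```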