News

CCleaner Compromise http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users Word INCLUDEPICTURE Feature Abuse https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/ security.txt file https://www.ietf.org/id/draft-foudil-securitytxt-00.txt https://www.ietf.org/rfc/rfc2142.txt

Bashware: Bypassing Windows Security via Linux (WSL) https://research.checkpoint.com/beware-bashware-new-method-malware-bypass-security-solutions/ Javascript Rogue Crypto Currency Miner https://www.welivesecurity.com/2017/09/14/cryptocurrency-web-mining-union-profit/ NodeJS Hash Table DoS https://medium.com/@ahmadbamieh/nodejs-constant-hashtables-seeds-vulnerability-f03bf70e3593 HTTPS Interception https://blog.cloudflare.com/understanding-the-prevalence-of-web-traffic-interception/

Another Webshell; Another Backdoor https://isc.sans.edu/forums/diary/Another+webshell+another+backdoor/22826/ D-Link Vulnerability https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html Chrome To Label FTP As Insecure https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/HknIAQwMoWo/xYyezYV5AAAJ More Google Play Store Malware https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/ Elasticsearch Botnet https://mackeepersecurity.com/post/kromtech-discovers-massive-elasticsearch-infected-malware-botnet

This week it's time to look at another pillar in the Office 365 stack.  This week is an Introduction to Exchange Online!  Exchange online could easily take several episodes if you go into any great depth, so we'll start off with just a high level overview.  Expect some future episodes Read More

No IPv6? Challenge Accepted https://isc.sans.edu/forums/diary/No+IPv6+Challenge+Accepted+Part+1/22820/ Exploiting CVE-2017-8759 https://www.mdsec.co.uk/2017/09/exploiting-cve-2017-8759-soap-wsdl-parser-code-injection/ Wordpress Plugin Found With Backdoor https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of-plugin-security-exacerbates-malicious-takeover-of-display-widgets/

Microsoft Patch Tuesday https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html https://technet.microsoft.com/security/advisories BlueBorne Bluetooth Vulnerability http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

Cisco Struts Updates https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce Google Chrome Warning Users of Anti-Malware SSL Interception https://twitter.com/sashaperigo/status/906263091624591360 Machinelearning To Identify Malicious TLS Connections https://arxiv.org/pdf/1607.01639.pdf Comodo Breaking CAA Standard https://www.mail-archive.com/[email protected]/msg08027.html

Analyzing JPEG Files https://isc.sans.edu/forums/diary/Analyzing+JPEG+files/22806/ Auditing Windows With WINspect https://isc.sans.edu/forums/diary/Windows+Auditing+with+WINspect/22810/ Windows PSSetLoadImageNotifyRoutine Vulnerability https://breakingmalware.com/documentation/windows-pssetloadimagenotifyroutine-callbacks-good-bad-unclear-part-1/ IOTA Cryptocurrency Vulnerable Hash Function https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367

Yet Another Struts RCE Vulnerability https://struts.apache.org/docs/s2-053.html Equifax Compromise https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack Hash Extension Flaws https://isc.sans.edu/forums/diary/Modern+Web+Application+Penetration+Testing+Hash+Length+Extension+Attacks/22792/ Matt Hosburgh: Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense

We're back with your Microsoft Cloud news for August 2017. This month we've got some exciting updates on Microsoft Ignite, where Microsoft stands in the collaboration space, and a bunch of platform updates! Microsoft Cloud IT Pro Podcast Live from Ignite! Microsoft OneDrive recognized as a Leader in Gartner Magic Quadrant Read More

Struts2 Metasploit Module https://github.com/rapid7/metasploit-framework/pull/8924/commits/5ea83fee5ee8c23ad95608b7e2022db5b48340ef Google Docs Table With Hacked MongoDB Databases https://docs.google.com/spreadsheets/d/1QonE9oeMOQHVh8heFIyeqrjfKEViL0poLnY8mAakKhM/edit#gid=1781677175 Bypassing Cloudflare https://rhinosecuritylabs.com/cloud-security/cloudflare-bypassing-cloud-security/

A Look Back At Nira and What's Next https://isc.sans.edu/forums/diary/The+Mirai+Botnet+A+Look+Back+and+Ahead+At+Whats+Next/22786/ New Struts Vulnerability and Patch https://isc.sans.edu/forums/diary/Struts+vulnerability+patch+released+by+apache+patch+now/22788 Mastercard Internet Gateway Service Flaw http://tinyhack.com/2017/09/05/mastercard-internet-gateway-service-hashing-design-flaw/ Mac OS X High Sierra Insecure Kernel Module Loading https://objective-see.com/blog/blog_0x21.html

Locky Ransom Ware is Back and This Time Pretents to Be a Font https://isc.sans.edu/forums/diary/Malspam+pushing+Locky+ransomware+tries+HoeflerText+notifications+for+Chrome+and+FireFox/22776/ When is a PDF Just a PDF? https://isc.sans.edu/forums/diary/It+is+a+resume+Part+1/22780/ Asterisk Vulnerable to RTPBleed https://github.com/EnableSecurity/advisories/tree/master/ES2017-04-asterisk-rtp-bleed Arris AT&T Modems With Backdoor https://www.nomotion.net/blog/sharknatto/

Is Remote Work Feasible in a SOC? https://isc.sans.edu/forums/diary/Remote+SOC+Workers+Concerns/22772/ Linux Random Number Generator Reviewed https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/LinuxRNG/LinuxRNG_EN.pdf?__blob=publicationFile&v=5 Adobe Acrobat and Reader Security Patch https://blogs.adobe.com/psirt/?p=1484 Turning Speakers into Microphones https://www.usenix.org/system/files/conference/woot17/woot17-paper-guri.pdf

Episode 20, Scott and I are already approaching 6 months of our podcast! To celebrate the big two-zero, we wanted to do an episode on getting started with Skype for Business Online.  In this episode, we walk through getting up and running on Skype for Business, things to be aware Read More

IoT Gear Affected by ConnMan Vulnerablity http://connmando.nri-secure.co.jp/index.html Trickbot Going After Coinbase https://blogs.forcepoint.com/security-labs/trickbot-goes-after-cryptocurrency Pacemakers Need Patch https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm Inaudible Voice Commands https://arxiv.org/pdf/1708.07238.pdf

Another Chrome Extension Banking Malware https://isc.sans.edu/forums/diary/Second+Google+Chrome+Extension+Banker+Malware+in+Two+Weeks/22766/ Vulnerable Docker VM https://www.notsosecure.com/vulnerable-docker-vm/ Large Spam E-Mail and Password List Discovered https://www.troyhunt.com/inside-the-massive-711-million-record-onliner-spambot-dump/

Survey of Recent DVR Attacks https://isc.sans.edu/forums/diary/An+Update+On+DVR+Malware+A+DVR+Torture+Chamber/22762/ Disabling Intel ME http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Wire-X Takedown https://blogs.akamai.com/2017/08/the-wirex-botnet-an-example-of-cross-organizational-cooperation.html

Analyzing 7zip Malware https://isc.sans.edu/forums/diary/Malware+analysis+searching+for+dots/22758/ Worldwide DNS Manipulation Survey https://people.eecs.berkeley.edu/~pearce/papers/dns_usenix_2017.pdf Sophos Withdraws UTM Update https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released Crypto Currency Malware https://resources.netskope.com/h/i/361264722-coin-mining-malware-heads-to-the-cloud-with-zminer

Critical HPE iLo Vulnerability http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us Facebook Messenger Spam Leads to Malware https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-messenger/81590/ iOS 10.3.1 Kernel Exploit Released https://blog.zimperium.com/ziva-video-audio-ios-kernel-exploit/ Samsung Bricks Smart TVs With Update https://eu.community.samsung.com/t5/TV-Audio-Video/Samsung-MU-Series-2017-Smart-TV-s-will-do-nothing-after-Samsung/td-p/250277 John Bambenek's DGA Feeds http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt