Latest cyber threats, vulnerabilities, data breaches and security updates
Sunday June 24, 2018:
Cisco security updates for ASA, NX-OS Software, CPU side-channel vulnerabilities

Cisco released new security updates on Friday, two rated high severity and two medium severity, to address ASA, NX-OS and CPU side-channel vulnerabilities that impact multiple products.

One of the high rated patches addresses a vulnerability (CVE-2018-0296) in the web interface of the Cisco Adaptive Security Appliance (ASA) that could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly and result in a denial of service (DoS) condition. 

The other high severity update fixes a vulnerability (CVE-2018-0292) in the Internet Group Management Protocol (IGMP) Snooping feature of Cisco NX-OS Software. If left unpatched, an unauthenticated attacker could execute arbitrary code and gain full control of an affected system.

Cisco also released two medium rated security updates covering five (5) CPU Side-Channel Information Disclosure Vulnerabilities. The first side-channel vulnerability (CVE-2018-3639) is also known as Spectre Variant 4 or SpectreNG. The second vulnerability (CVE-2018-3640) is known as Spectre Variant 3a.

Both of these side-channel attacks are variants of the attacks first disclosed in January 2018 and leverage cache-timing attacks to potentially steal sensitive data.

The last three vulnerabilities address Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754).

These latest Spectre/Meltdown updates included an updated vulnerable products table, new products under investigation and newly confirmed products not vulnerable to the flaws. 
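The Cisco advisories above cover Cisco's own products, but the same five CVEs are tracked on ordinary Linux hosts through the kernel's sysfs interface, and a defender rolling out the Cisco patches usually wants the same inventory for the rest of the fleet. The script below is an added example, not Cisco's code and not taken from the advisory; it goes beyond the page's Cisco case by reading the host-level status files. The CVE-to-sysfs mapping, the classification of the kernel's status strings, and the treatment of CVE-2018-3640 (no sysfs entry, microcode-level fix) are this example's assumptions.

```python
"""Report a Linux host's kernel-reported mitigation status for the CPU
side-channel CVEs named in the Cisco advisory (added example; assumptions
about the sysfs layout are noted inline)."""
from pathlib import Path

# The kernel exposes one status file per issue under this directory
# (present on 4.15+ kernels and on distribution kernels with the backports).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVEs from the advisory mapped to the sysfs entry that reports them.
# CVE-2018-3640 (Spectre Variant 3a, rogue system register read) has no
# sysfs entry because it is addressed by microcode, so it stays "unknown".
CVE_TO_SYSFS = {
    "CVE-2017-5753": "spectre_v1",         # Spectre Variant 1
    "CVE-2017-5715": "spectre_v2",         # Spectre Variant 2
    "CVE-2017-5754": "meltdown",           # Meltdown (Variant 3)
    "CVE-2018-3639": "spec_store_bypass",  # Spectre Variant 4 / SpectreNG
    "CVE-2018-3640": None,                 # Spectre Variant 3a (assumed: no sysfs file)
}


def classify(status: str) -> str:
    """Map the kernel's free-text status line to a coarse verdict.

    Real status lines look like "Not affected", "Vulnerable",
    "Mitigation: PTI" or "Mitigation: Speculative Store Bypass disabled
    via prctl and seccomp"; anything else is reported as unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(readings: dict) -> dict:
    """Turn {sysfs_entry: raw status text} into {cve: verdict}.

    Entries missing from ``readings`` (kernel too old to report them, or
    no sysfs entry at all) are marked "unknown", never assumed safe."""
    verdicts = {}
    for cve, entry in CVE_TO_SYSFS.items():
        if entry is None or entry not in readings:
            verdicts[cve] = "unknown"
        else:
            verdicts[cve] = classify(readings[entry])
    return verdicts


def read_sysfs(base: Path = SYSFS_DIR) -> dict:
    """Read every known sysfs entry that exists on this host."""
    readings = {}
    for entry in CVE_TO_SYSFS.values():
        if entry and (base / entry).is_file():
            readings[entry] = (base / entry).read_text()
    return readings


def unresolved(verdicts: dict) -> list:
    """CVEs a defender still has to act on: vulnerable or unknown."""
    return sorted(c for c, v in verdicts.items() if v in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = summarize(read_sysfs())
    for cve, verdict in sorted(result.items()):
        print(f"{cve}: {verdict}")
    print("needs attention:", unresolved(result))
```

Treating a missing file as "unknown" rather than "not affected" is deliberate: an old kernel that predates the sysfs reporting is exactly the host most likely to be unpatched, and the Cisco advisory's own "products under investigation" category reflects the same distinction between "not yet checked" and "not vulnerable".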

Friday June 22, 2018:
New SamSam ransomware threat  

Attackers are using a new variant of the SamSam ransomware to compromise and take down users of their choosing. 

As discovered by Malwarebytes, the new SamSam variant requires direct human interaction from the attacker to execute the payload. 

Malwarebytes said the most important point of the latest ransomware campaign is the use of a password that has to be manually entered by the attacker.

"Without knowing the password, we cannot analyze the ransomware code. But what is more important to note is that we cannot even execute the ransomware on a victim or test machine. This means that only the author, (or someone who has intercepted the author’s password) can run this attack," Malwarebytes said. 

An analysis of the SamSam workflow is described in the figure below:

SamSam attack method workflow diagram (source: Malwarebytes)

In conclusion, this SamSam campaign does not spread automatically to other systems, as other forms of ransomware do.

Since SamSam requires human involvement from the attacker, it is used for targeted attacks of specifically chosen victims. With the use of a password, the author can keep the payload a secret and more easily take down future victims. 

Thursday June 21, 2018:
Cisco security updates in FXOS and NX-OS software

Cisco released security updates to address vulnerabilities in multiple products on Wednesday as part of its June 2018 Cisco FXOS and NX-OS Software Security Advisory Collection.

Five (5) of the bugs were rated critical and 18 rated high severity. Another 10 medium severity updates were also released this week.

Four of the critical updates address arbitrary code execution vulnerabilities in Cisco FXOS Software and Cisco NX-OS Software. The other critical patch fixes a vulnerability in the NX-API feature of Cisco NX-OS Software.

Each of the critical vulnerabilities has a CVSS score of 9.8 (10 being the highest possible).

A number of the affected products addressed in the critical security advisories include: 
  • Firepower 4100 Series Next-Generation Firewalls
  • Firepower 9300 Security Appliance
  • MDS 9000 Series Multilayer Switches
  • Nexus 2000 Series Fabric Extenders
  • Nexus 3000 Series Switches
  • Nexus 3500 Platform Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 7700 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • Nexus 9500 R-Series Line Cards and Fabric Modules
  • UCS 6100 Series Fabric Interconnects
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects

Firepower eXtensible Operating System (FXOS) software runs on Firepower firewalls and NX-OS software runs on Nexus switches.

See the complete listing of Cisco security advisories and alerts. 

Wednesday June 20, 2018:
Mylobot Malware - sophisticated botnet in the wild

Security researchers from Deep Instinct have discovered a new strain of sophisticated malware dubbed "Mylobot" that targets Windows systems in the wild. 

"This tool presents three different layers of evasion techniques, including usage of command and control servers to download the final payload. The combination and complexity of these techniques were never seen in the wild before," says Tom Nipravsky, security researcher at Deep Instinct.

Deep Instinct provided a summary of different malicious techniques used by the botnet: 
  • Anti VM techniques
  • Anti-sandbox techniques
  • Anti-debugging techniques
  • Wrapping internal parts with an encrypted resource file
  • Code injection
  • Process hollowing – a technique where an attacker creates a new process in a suspended state, and replaces its image with the one that is to be hidden
  • Reflective EXE – executing EXE files directly from memory, without having them on disk. This kind of reflection is not very common and was first published by Deep Instinct at Black Hat USA 2016
  • It also has a delaying mechanism of 14 days before accessing its command and control servers.

The potential damage inflicted by the malware was also described in the blog post: 

"Once installed, the botnet shuts down Windows Defender and Windows Update while blocking additional ports on the Firewall. It also shuts down and deletes any EXE file running from %APPDATA% folder, which can cause loss of data. The main functionality of the botnet enables an attacker to take complete control of the user’s system – it behaves as a gate to download additional payloads from the command and control servers," Nipravsky said.
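The post-infection behaviour Nipravsky describes (Windows Defender and Windows Update stopped, firewall rules added, EXE files deleted from %APPDATA%) is noisy on the host even when the dropper itself evades sandboxes and debuggers, so it is a natural thing to correlate in endpoint telemetry. The script below is an added example, not Deep Instinct's code and not from the blog post. Its log format (timestamp, host, event type, detail) is a simplified constructed one rather than a real Windows event-log export, the sample lines are constructed, and the service names (WinDefend, wuauserv), the 15-minute window and the indicator names are this example's assumptions.

```python
"""Correlate simplified host events for the Mylobot post-infection
behaviour described above (added example; format and thresholds assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(minutes=15)  # assumed: how close the indicators must be
# Assumed service names for Windows Defender and Windows Update.
WATCHED_SERVICES = {"WinDefend", "wuauserv"}
BOTH_STOPPED = {"stopped:WinDefend", "stopped:wuauserv"}

# Constructed sample lines: "<ISO timestamp> <host> <event kind> <detail>".
# ws-17 shows the full pattern; ws-22 stops both services hours apart;
# ws-31 deletes a non-EXE file from AppData, which is not an indicator.
SAMPLE_LOG = """\
2018-06-20T09:58:12 ws-17 SERVICE_STOPPED WinDefend
2018-06-20T09:58:14 ws-17 SERVICE_STOPPED wuauserv
2018-06-20T09:58:20 ws-17 FIREWALL_RULE_ADDED Block TCP 445 inbound
2018-06-20T09:58:31 ws-17 FILE_DELETED C:\\Users\\a\\AppData\\Roaming\\tool.exe
2018-06-20T10:30:00 ws-22 SERVICE_STOPPED wuauserv
2018-06-20T13:05:00 ws-22 SERVICE_STOPPED WinDefend
2018-06-20T11:00:00 ws-31 FILE_DELETED C:\\Users\\b\\AppData\\Roaming\\notes.txt
"""


def parse(log_text: str) -> List[dict]:
    """Parse the constructed four-field format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    return events


def indicator(ev: dict):
    """Map one event to an indicator name, or None if it is uninteresting."""
    if ev["kind"] == "SERVICE_STOPPED" and ev["detail"] in WATCHED_SERVICES:
        return f"stopped:{ev['detail']}"
    if ev["kind"] == "FIREWALL_RULE_ADDED":
        return "firewall_rule_added"
    if ev["kind"] == "FILE_DELETED":
        path = ev["detail"].lower()
        if "\\appdata\\" in path and path.endswith(".exe"):
            return "appdata_exe_deleted"
    return None


def detect(events: List[dict]) -> Dict[str, set]:
    """Return {host: indicators seen} for every host where both watched
    services stopped within WINDOW of each other; the set also carries any
    firewall or AppData-EXE indicators that fell inside the same window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ind = indicator(ev)
        if ind:
            by_host[ev["host"]].append((ev["ts"], ind))
    alerts = {}
    for host, inds in by_host.items():
        for i, (t0, _) in enumerate(inds):
            in_window = {name for t, name in inds[i:] if t - t0 <= WINDOW}
            if BOTH_STOPPED <= in_window:
                alerts[host] = in_window
                break
    return alerts


if __name__ == "__main__":
    for host, inds in detect(parse(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {', '.join(sorted(inds))}")
```

Requiring both service stops inside one window keeps a routine reboot or a single administrator action from tripping the rule, while the firewall and AppData indicators are reported alongside rather than required, since the post describes them as additional behaviour and an analyst will want to see which of them accompanied the service stops.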

Tuesday June 19, 2018:
"Operation Main Street" aims to stop small business scams 

The Federal Trade Commission (FTC) announced Operation Main Street: Stopping Small Business Scams, a coordinated joint effort with the Better Business Bureau (BBB), law enforcement and state/federal partners, to help stop scams that target small businesses.

The guidelines describe common scams that target small businesses and non-profit organizations, describe scammers' tactics, and provide safeguards users can take to protect their organizations from scams.

Small businesses can protect themselves by following these safeguards:
  • Train your employees: Make sure your employees are informed of potential scams; have co-workers talk to each other if they spot a scam to spread the word.
  • Password protections: Don't send or ask for passwords (or sensitive information) via email, even if it comes from a manager. 
  • Verify Invoices and Payments: Check all invoices carefully and make sure products/services were ordered and delivered; Limit the number of authorized employees allowed to approve invoices/expenditures; Be wary of unexpected calls/voicemails or requests for payment using a wire transfer, reloadable card, or gift card (these are likely scams, and such payments are also hard to trace).
  • Be Tech-Savvy: Don't believe caller ID; Be wary of emails and links to websites as scammers can fake websites and make them look legitimate; Secure your organization’s files, passwords, and financial information. 

The FTC also adds that users can search for an unknown company name and "scam" or "complaint" and read what others say about the company. Also, don't pay for "free" information. 

Common scams used against small businesses to be on the lookout for include:

  • Fake invoices
  • Unordered Office Supplies and Other Products
  • Directory Listing and Advertising Scams
  • Utility Company Imposter Scams
  • Tech Support Scams
  • Social Engineering, Phishing, and Ransomware
  • Business Promotion and Coaching Scams
  • Changing Online Reviews
  • Credit Card Processing and Equipment Leasing Scams
  • Fake Check Scams

"When scammers go after your organization, it can hurt your reputation and your bottom line. Your best protection? Learn the signs of scams that target businesses. Then tell your employees and colleagues what to look for so they can avoid scams," FTC stated. 

Organizations can contact the FTC to order free brochures to help spread awareness and share with their employees.