04-08 Weekly Awareness Report (WAR)


Page 1: Weekly Awareness Report (WAR) › cir › ... · 4/8/2019  · Downloader * AdvancedMacCleaner * BitCoinMiner * Pirrit * Genieo * Ulbi * Refog Keylogger ... * 3059 android malware

04-08

Weekly Awareness Report (WAR)


April 8, 2019

The Cyber Intelligence Report is an Open Source Intelligence (OSINT) resource focusing on advanced persistent threats and other digital dangers, received by over ten thousand individuals. APTs fit into a cybercrime category directed at both business and political targets. Attack vectors include system compromise, social engineering, and even traditional espionage. Included are clickable links to news stories, vulnerabilities, exploits, and other industry risks.

Summary

Symantec ThreatCon Low: Basic network posture

This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.

Sophos: Last 10 Malware

* Troj/Spy-AVQ
* Troj/Remcos-HJ
* Troj/Agent-BBAS
* Troj/Fareit-HHQ
* Troj/Bladabi-OT
* Troj/BokBot-R
* Troj/Miner-SK
* VBS/Drop-AVG
* Troj/DocPh-EO
* Troj/Agent-BBEI

Last 10 PUAs

* Spy Agent
* Download Assistant
* InstallCore
* AdvancedMacCleanerDownloader
* AdvancedMacCleaner
* BitCoinMiner
* Pirrit
* Genieo
* Ulbi
* Refog Keylogger

Interesting News

* Roaming Mantis, part IV

One year has passed since we published the first blog post about the Roaming Mantis campaign, and this February we detected new activity by the group. Here we follow up on our earlier reporting about the group with updates on their tools and tactics.

* The I.W.C. Academy is currently updating their practice test simulators for the CEH and CySA. The online training for the CEH beta should be completed by the end of the week and the CySA shortly after. Stay tuned for more info. If you are interested, we have an active Facebook Group and YouTube Channel. As always, if you have any suggestions, feel free to let us know. Subscribe if you would like to receive the CIR updates by sending us an email: [email protected]


Index of Sections

Current News

* Packet Storm Security

* Dark Reading

* Krebs on Security

* The Hacker News

* Infosecurity Magazine

* Threat Post

* Naked Security

* Quick Heal - Security Simplified

Hacker Corner: Tools, Hacked Defacements, and Exploits

* Security Conferences

* Packet Storm Security Latest Published Tools

* Zone-H Latest Published Website Defacements

* Packet Storm Security Latest Published Exploits

* Exploit Database Releases

Advisories

* Secunia Chart of Vulnerabilities Identified

* US-Cert (Current Activity-Alerts-Bulletins)

* Symantec's Latest List

* Packet Storm Security's Latest List

Credits


News

Packet Storm Security

* DHS Secretary Nielsen Resigns
* Windrush: Home Office Admits Data Breach In Compensation Scheme
* FIN6 Evolves From POS Malware To Ransomware
* Senate Floats Russia-Busting Election Law
* Chinese Firms Leak More Than A Half Billion Resumes
* Focus Falls On Crypto's Flaws As Puzzlement Over Bitcoin's Jump Reigns
* Pharma Firm Bayer Hit With WINNTI Malware
* How Excess Speed, Hasty Commands, And Flawed Software Doomed An Ethiopian Airlines 737 Max
* Serious Apache Server Bug Gives Root To Baddies In Shared Environments
* Hackers Broke Into University Networks In Just Two Hours
* Computer Virus Alters Cancer Scan Images
* Nvidia Fixes 8 High-Severity Flaws
* App Developers Left 540 Million Facebook Users' Records On The Public Internet
* Georgia Tech Stung With 1.3 Million Person Data Breach
* Mystery Of The Chinese Woman Who Allegedly Tried To Sneak Into Trump's Mar-A-Lago With A USB Stick Of Malware
* Games Of Thrones Has The Most Malware Of Any Pirated TV Show
* This New Malware Is Scanning The Internet For Targets
* Researchers Trick Tesla Autopilot Into Steering Into Oncoming Traffic
* Study Maps Extensive Russian GPS Spoofing
* White House Overruled Security Clearance Denials
* Financial Apps Are Ripe For Exploit Via Reverse Engineering
* What Is A Honeypot? A Trap For Catching Hackers
* What Sony's Robot Dog Teaches Us About Biometric Data Privacy
* Malware May Have Stolen 2 Million Diners' Credit Card Details
* Saudi Arabia Hacked Amazon Boss's Phone, Investigator Says

Dark Reading

* $20 Million Investment Round Shows Growth of Risk Assessment Market
* 'Exodus' iOS Surveillance Software Masqueraded as Legit Apps
* Credential-Stuffing Attacks Behind 30 Billion Login Attempts in 2018
* 8 Steps to More Effective Small Business Security
* Microsoft Products Under EU Investigation About Data Collection
* Ignore the Insider Threat at Your Peril
* Phishing Campaign Targeting Verizon Mobile Users
* Ongoing DNS Hijack Attack Hits Consumer Modems and Routers
* Advanced Persistent Threat: Dark Reading Caption Contest Winners
* The Matrix at 20: A Metaphor for Today's Cybersecurity Challenges
* Python-Based Bot Scanner Gorging on Recon Intel
* Threat Group Employs Amazon-Style Fulfillment Model to Distribute Malware
* Third Parties in Spotlight as More Facebook Data Leaks
* New, Improved BEC Campaigns Target HR and Finance
* Patched Apache Vulnerability Could Still Cause Problems
* 3 Lessons Security Leaders Can Learn from Theranos
* True Cybersecurity Means a Proactive Response
* How iOS App Permissions Open Holes for Hackers


News

Krebs on Security

* A Year Later, Cybercrime Groups Still Rampant on Facebook
* Alleged Chief of Romanian ATM Skimming Gang Arrested in Mexico
* Canadian Police Raid 'Orcus RAT' Author
* Annual Protest Raises $250K to Cure Krebs
* Man Behind Fatal 'Swatting' Gets 20 Years
* A Month After 2 Million Customer Cards Sold Online, Buca di Beppo Parent Admits Breach
* Alleged Child Porn Lord Faces US Extradition
* Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
* Why Phone Numbers Stink As Identity Proof
* Ad Network Sizmek Probes Account Breach

The Hacker News

* Microsoft Releases First Preview Builds of Chromium-based Edge Browser
* Unpatched Flaw in Xiaomi's Built-in Browser App Lets Hackers Spoof URLs
* Hackers Could Turn Pre-Installed Antivirus App on Xiaomi Phones Into Malware
* NSA Releases GHIDRA Source Code — Free Reverse Engineering Tool
* 540 Million Facebook User Records Found On Unprotected Amazon Servers
* WordPress iOS App Bug Leaked Secret Access Tokens to Third-Party Sites
* Georgia Tech Data Breach Exposes 1.3 Million Users' Personal Data
* Cynet Offers Free Threat Assessment for Mid-Sized and Large Organizations
* In-Depth Analysis of JS Sniffers Uncovers New Families of Credit Card-Skimming Code
* Facebook Caught Asking Some Users Passwords for Their Email Accounts

Security Week

* Leap in Cyber Attacks Against Elections in OECD Countries: Canada
* SEC Allows Shareholder Votes on Amazon Facial "Rekognition"
* Apple Device Management Firm Fleetsmith Raises $30 Million
* Cyber Risk Company RiskLens Raises $20 Million
* With $600 Million Cybersecurity Budget, JPMorgan Chief Endorses AI and Cloud
* Cost of Data Breach in UK Increases More Than 41% in Two Years
* NSA Releases Reverse Engineering Tool's Source Code
* Chat Services: Be Diligent With This Must-Have Data Source for Intelligence Programs
* Most OT Organizations Hit by Damaging Cyberattacks: Survey
* Payment Card Data Stolen From AeroGrow Website
* Ex-Senate Employee Pleads Guilty to Theft of Personal Data
* Hackers Can Add, Remove Cancer From CT Scans: Researchers
* Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users
* Foreign Interference in Canadian Election 'Very Likely', Says Minister
* Unofficial Patch Released for Java Flaws Found by Google Researcher
* Rockwell Patches Stratix Switch Flaws Introduced by Cisco Software
* US Colleges Halt Work With Huawei Following Federal Charges
* NVIDIA Patches High Severity Flaws in Tegra Drivers
* New 'Xwo' Malware Looks for Exposed Services, Default Passwords
* Hundreds Targeted in Recent Roaming Mantis Campaign


News

Infosecurity Magazine

* Fake Malware Tricks Radiologists Diagnosing Cancer
* TrickBot Used in Tax Season Email Spoofing
* Nielsen Resigns Post as DHS Secretary
* Nine in 10 CNI Providers Damaged by Cyber-Attacks
* Senators' Bill Aims Swift Sanctions at Election Meddlers
* London Council Fined £145K For Leaking Gangs Info
* Attackers Target Home Routers with DNS Hijacking
* Facebook Home to 74 Black Market Groups
* Australia Law Bans Violent Content on Social Media
* US Web Servers Hosted 10 Malware Families

Threat Post

* TP-Link Routers Vulnerable to Zero-Day Buffer Overflow Attack
* New Mirai Samples Grow the Number of Processor Targets
* Spam Campaigns Spread TrickBot Malware with Tax Lure
* SAS 2019: Exodus Spyware Found Targeting Apple iOS Users
* Podcast: Chris Vickery on UpGuard's Discovery of Millions of Facebook Records
* Cisco Finally Patches Router Bugs As New Unpatched Flaws Surface
* Facebook Boots 74 Cybercrime Groups From Platform
* Hackers Abuse Google Cloud Platform to Attack D-Link Routers
* LokiBot Trojan Spotted Hitching a Ride Inside .PNG Files
* Preinstalled Mobile Security App on Xiaomi Handsets Delivered Vulnerabilities, Not Protection

Naked Security

* Bootstrap supply chain attack is another attempt to poison the barrel
* Microsoft lets Windows users off the update leash
* Firefox draws battle lines against push notification spam
* Myspace songs come back from the dead
* Monday review - the hot 25 stories of the week
* Serious Security: GPS week rollover and the other sort of "zero day"
* Patch now! Magento e-commerce sites targeted by SQLi attacks
* Hoax! Nope, hackers aren't posting invisible sexual videos on your wall
* Nvidia patches severe bugs in edge computing modules
* New law will punish social media companies for users' violent content

Quick Heal - Security Simplified

* This summer vacation let your kids explore the internet with safety of parental control
* 3059 android malware detected per day in 2018 - Are you still counting on free android antivirus for protection?
* Essential cyber safety tips every woman should follow
* Quick Heal Threat Report - Cryptojacking rising but Ransomware still #1 threat for consumers
* GandCrab Riding Emotet's Bus!
* This Valentine fall for true love not for fake online dating apps
* 28 Fake Apps removed from Google Play Store post Quick Heal Security Lab reports
* 3 essential ways to strengthen your business data security
* Anatova, A modular ransomware


Security Conferences

* This Month's Upcoming Events in the United States
* This Month's Upcoming Events in Europe
* Cybersecurity Conferences and Events in New Mexico
* Cybersecurity Conferences and Events in South Dakota
* Cybersecurity Conferences and Events in the United States

Tools & Techniques

* Stegano 0.9.2
* Faraday 3.7.0
* PHPGGC unserialize() Payload Tool
* SQLMAP - Automatic SQL Injection Tool 1.3.4
* Clam AntiVirus Toolkit 0.101.2
* GNU Privacy Guard 2.2.15
* DNS Spider Multithreaded Bruteforcer 1.1
* I2P 0.9.39
* Lynis Auditing Tool 2.7.3
* GNU Privacy Guard 2.2.14
* CHAOS : PoC that Allow Generate Payloads & Control Remote OS
* ISeeYou : Tool To Get Exact Location of The Users During Social Engineering or Phishing Engagements
* Instainsane : Multi-threaded Instagram Brute Forcer
* Evillimiter : Tool that Limits Bandwidth of Devices on the Same Network Without Access
* Osmedeus : Fully Automated Offensive Security Tool for Reconnaissance & Vulnerability Scanning
* Top 5 SQL Injection Tools for PenTest & Hacking
* Mimikatz : A little Tool to Play with Windows Security
* CommandoVM : Windows-Based Security Distribution for Penetration Testing
* FFM : Freedom Fighting Mode Open Source Hacking Harness
* IDArling : Collaborative Reverse Engineering Plugin for IDA Pro & Hex-Ray

Latest Zone-H Website Defacements

* http://zkdch.gov.tr
* http://iguatu.ce.gov.br/AjobPola.php
* http://www.vialidad.gba.gov.ar/webabm/fotos/201904080615360.dev19feb.jpg
* http://pn-bangko.go.id/pwn.html
* http://ville-unieux.fr
* http://mairie-chamousset.fr/_index.html
* https://phedmanipur.gov.in/rx.html
* http://www.liceocanossa.gov.it/eg.htm
* http://skm.balangankab.go.id/test.htm
* http://satpolpp.balangankab.go.id/test.htm
* http://rsud.balangankab.go.id/test.htm
* http://perbaikan.balangankab.go.id/test.htm
* http://diskominfo.balangankab.go.id/test.htm
* https://rpcc.gov.bd/G.html
* http://camarapesqueira.pe.gov.br/a.php
* https://kel-bantargebang.bekasikota.go.id
* https://kel-bojongrawalumbu.bekasikota.go.id
* https://kel-bintara.bekasikota.go.id
* https://kel-bintarajaya.bekasikota.go.id


Proof of Concept (PoC) & Exploits

Packet Storm Security

Exploit Database

* [remote] WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)
* [webapps] WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery
* [local] AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow
* [webapps] Manage Engine ServiceDesk Plus 9.3 - Privilege Escalation
* [webapps] FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)
* [local] AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow (SEH)
* [dos] Magic ISO Maker 5.5 (build 281) - 'Serial Code' Denial of Service (PoC)
* [remote] Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)
* [remote] Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion
* [dos] Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion
* [dos] Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion
* [dos] WebKitGTK+ - 'ThreadedCompositor' Race Condition
* [dos] WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free
* [dos] WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check
* [dos] iOS
* [dos] WebKit JavaScriptCore - 'createRegExpMatchesArray' Type Confusion
* [dos] SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)
* [remote] PhreeBooks ERP 5.2.3 - Remote Command Execution
* [webapps] PhreeBooks ERP 5.2.3 - Arbitrary File Upload
* [webapps] Ashop Shopping Cart Software - SQL Injection


Advisories

US-Cert Alerts & Bulletins

* AA19-024A: DNS Infrastructure Hijacking Campaign
* AA18-337A: SamSam Ransomware
* SB19-098: Vulnerability Summary for the Week of April 1, 2019
* SB19-091: Vulnerability Summary for the Week of March 25, 2019

Symantec - Latest List

* Microsoft Windows Win32k CVE-2019-0808 Local Privilege Escalation Vulnerability
* Microsoft NuGet Package Manager CVE-2019-0757 Tampering Security Bypass Vulnerability
* Microsoft Windows Common Control Library CVE-2019-0765 Remote Code Execution Vulnerability
* Microsoft Internet Explorer CVE-2019-0763 Remote Memory Corruption Vulnerability
* Microsoft Windows CVE-2019-0754 Local Denial of Service Vulnerability
* Microsoft Edge CVE-2019-0612 Security Bypass Vulnerability
* Microsoft Windows Active Directory CVE-2019-0683 Remote Privilege Escalation Vulnerability
* Microsoft Windows Hyper-V CVE-2019-0690 Remote Denial of Service Vulnerability
* Microsoft Windows JET Database Engine CVE-2019-0617 Remote Code Execution Vulnerability
* Microsoft Azure CVE-2019-0816 Security Bypass Vulnerability
* Microsoft Internet Explorer and Edge CVE-2019-0780 Remote Memory Corruption Vulnerability
* Microsoft Edge CVE-2019-0678 Remote Privilege Escalation Vulnerability
* Microsoft Edge CVE-2019-0779 Remote Memory Corruption Vulnerability
* Microsoft Windows Print Spooler CVE-2019-0759 Information Disclosure Vulnerability
* Microsoft Visual Studio CVE-2019-0809 Remote Code Execution Vulnerability
* Microsoft Internet Explorer CVE-2019-0761 Security Bypass Vulnerability
* Microsoft Windows CVE-2019-0766 Local Privilege Escalation Vulnerability
* Microsoft Windows SMB Server CVE-2019-0704 Information Disclosure Vulnerability
* Microsoft Windows SMB Server CVE-2019-0703 Information Disclosure Vulnerability
* Microsoft Internet Explorer CVE-2019-0768 Security Bypass Vulnerability
* Microsoft Windows Hyper-V CVE-2019-0701 Remote Denial of Service Vulnerability
* Microsoft Windows Hyper-V CVE-2019-0695 Remote Denial of Service Vulnerability
* Microsoft Windows Subsystem for Linux CVE-2019-0694 Local Privilege Escalation Vulnerability
* Microsoft Windows Subsystem for Linux CVE-2019-0693 Local Privilege Escalation Vulnerability
* Microsoft Windows Subsystem for Linux CVE-2019-0692 Local Privilege Escalation Vulnerability
* Microsoft Windows GDI Component CVE-2019-0774 Information Disclosure Vulnerability


Packet Storm Security - Latest List