Category: Threat Brief

France Seeks Global Talks on Cyberspace Security

The French government announced on Monday a “Paris Call” for talks to lay out a common framework for ensuring internet security, following a surge in cyberattacks which has dented confidence in global networks. The move aims to relaunch negotiations on a “code of good conduct” which have stalled since last year.

Officials said the text, to be presented by President Emmanuel Macron as he opens UNESCO’s Internet Governance Forum in Paris on Monday, has been signed by most European countries. China, Russia and the United States have not yet joined, although a source in Macron’s office said a “critical mass” of US players support the call, including Microsoft and the NGO Internet Society.

Read more about the Paris Call for cybersecurity talks on SecurityWeek.

What You Should Know About Grayware (and What to Do About It)

Everyone has seen them: applications that come on many new systems offering services with unfamiliar names, or apps that have familiar names but are offered on sites that aren’t from their publishers. They’re grayware – or “potentially unwanted applications” – and they’re an ongoing issue for computer security.

Grayware’s nature makes it difficult for organizations to keep it away from their systems. “It’s not a technical problem, it’s a classification problem. There is a thin line between being malicious or not, and the operators play with the line, which limits what researchers and law enforcement can do,” says Vitor Ventura, senior security researcher at Cisco Talos.

Read everything you need to know about grayware on DarkReading.

Recently-Patched Adobe ColdFusion Flaw Exploited By APT

An Adobe ColdFusion vulnerability patched two months ago was being exploited in the wild by a China-linked APT group, researchers found. The vulnerability, CVE-2018-15961, is a critical unrestricted file upload bug that can also lead to arbitrary code execution, according to researchers at Volexity, who discovered the exploitation.

“Volexity recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion, for which no public details or proof-of-concept code exists,” researchers said in a post. “In the attack detected by Volexity, a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell.”
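The bug class behind this item, unrestricted file upload, is worth seeing side by side with a hardened handler. The following is an added example written for this brief; it is Python rather than ColdFusion, it is not code from Volexity's write-up or from Adobe, and the paths `WEB_ROOT` and `UPLOAD_ROOT` are assumptions. The vulnerable version keeps the client's filename and extension and writes under the web root, which is exactly what lets an uploaded script run as a webshell; the hardened version allowlists extensions, checks that the bytes match the claimed type, and stores under a server-chosen random name outside the web root.

```python
"""Unrestricted file upload beside a hardened upload handler (added example)."""
import os
import secrets

WEB_ROOT = "/var/www/html"            # assumed layout for this example
UPLOAD_ROOT = "/var/lib/app/uploads"  # assumed; deliberately outside WEB_ROOT

# Extension allowlist, each with the magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024


def unrestricted_destination(client_filename):
    """VULNERABLE: keeps the client's name and extension and lands under the web root.

    Whatever the client calls the file, including a server-side script
    extension or a name with '../' in it, is where it gets written, and
    anything under WEB_ROOT is reachable and executable via the web server.
    """
    return os.path.join(WEB_ROOT, "uploads", client_filename)


def validate_upload(client_filename, data):
    """Return (ok, reason-or-extension). Accept only provable instances of allowed types."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    base = os.path.basename(client_filename)  # drops any directory part the client sent
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext


def hardened_destination(client_filename, data):
    """Return the path a validated upload would be written to, or None if rejected.

    The name is random and server-chosen, the extension is the validated
    one, and the directory sits outside the web root, so nothing uploaded
    is ever served or executed directly.
    """
    ok, info = validate_upload(client_filename, data)
    if not ok:
        return None
    return os.path.join(UPLOAD_ROOT, f"{secrets.token_hex(16)}.{info}")


if __name__ == "__main__":
    # Constructed inputs: a script-named file and a real-looking PNG header.
    print("vulnerable handler would write:", unrestricted_destination("page.cfm"))
    print("hardened handler for page.cfm:", hardened_destination("page.cfm", b"not an image"))
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("hardened handler for photo.png:", hardened_destination("../photo.png", png))
```

The content check only proves the file begins like an image; it does not make the bytes safe to execute, which is why the hardened path also refuses to place the file anywhere the server would run it.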

Read more about the exploited vulnerability on Threatpost.

Linux CryptoMiners Are Now Using Rootkits to Stay Hidden

As the popularity of cryptocurrency rises, so does the number of cryptominer Trojans being created and distributed to unsuspecting victims. One problem for cryptominers, though, is that the offending process is easily detectable because of its heavy CPU utilization. To make it harder to spot a cryptominer process that is using all of the CPU, a newly discovered Linux variant attempts to hide its presence with a rootkit.

According to a new report by Trend Micro, this new cryptominer-plus-rootkit combination will still cause performance issues due to the high CPU utilization, but administrators will not be able to see which process is causing it.
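The gap the report describes, high CPU with no visible culprit, is itself detectable: a rootkit that filters process listings cannot also remove the CPU time from the system-wide counters in `/proc/stat`. The following is an added example for this brief, not code from Trend Micro's report. It compares the growth of the aggregate busy-time counters between two snapshots with the summed growth of `utime+stime` across every process a listing can see; whatever share is left over is being burned by something the listing does not show. The snapshot lines are constructed to look like `/proc/stat` and `/proc/<pid>/stat`, not captured from a real host.

```python
"""Cross-view CPU accounting to spot a consumer hidden from ps and top (added example)."""


def busy_ticks_from_proc_stat(cpu_line):
    """Return non-idle jiffies from the aggregate 'cpu' line of /proc/stat."""
    fields = cpu_line.split()
    if not fields or fields[0] != "cpu":
        raise ValueError("expected the aggregate 'cpu' line of /proc/stat")
    values = [int(v) for v in fields[1:]]
    # Columns: user nice system idle iowait irq softirq steal guest guest_nice.
    # guest time is already included in user/nice, so sum only the first eight.
    idle = values[3] + (values[4] if len(values) > 4 else 0)
    return sum(values[:8]) - idle


def process_ticks(stat_line):
    """Return (pid, utime + stime) from one /proc/<pid>/stat line.

    The comm field is parenthesised and may contain spaces, so split on
    the last ')' rather than on whitespace.
    """
    pid = int(stat_line.split(" ", 1)[0])
    rest = stat_line[stat_line.rindex(")") + 2:].split()
    # rest[0] is the state field (field 3 in proc(5)); utime and stime are
    # fields 14 and 15, which land at rest[11] and rest[12].
    return pid, int(rest[11]) + int(rest[12])


def visible_ticks(pid_stat_lines):
    """Map pid -> cumulative CPU ticks for every process a listing can see."""
    return dict(process_ticks(line) for line in pid_stat_lines)


def unaccounted_cpu_share(cpu_before, cpu_after, procs_before, procs_after):
    """Fraction of busy CPU time between two snapshots that no visible process explains.

    A process present only in the second snapshot counts with its full
    counter (it started in between); one present only in the first is
    ignored (it exited and its counters are gone), which under-counts
    visible work slightly and therefore errs toward flagging.
    """
    total = busy_ticks_from_proc_stat(cpu_after) - busy_ticks_from_proc_stat(cpu_before)
    if total <= 0:
        return 0.0
    before = visible_ticks(procs_before)
    seen = sum(ticks - before.get(pid, 0) for pid, ticks in visible_ticks(procs_after).items())
    return max(total - seen, 0) / total


def hidden_consumer_suspected(cpu_before, cpu_after, procs_before, procs_after, threshold=0.20):
    """True when more than `threshold` of busy CPU is unexplained by visible processes."""
    return unaccounted_cpu_share(cpu_before, cpu_after, procs_before, procs_after) > threshold


# Constructed snapshots (not from a real machine). 600 busy ticks elapse
# between CPU_BEFORE and CPU_AFTER.
CPU_BEFORE = "cpu 1000 0 500 8000 100 0 10 0 0 0"   # busy = 1510
CPU_AFTER = "cpu 1400 0 700 8100 100 0 10 0 0 0"    # busy = 2110

PROCS_BEFORE = [
    "1 (systemd) S 0 1 1 0 -1 4194560 1000 0 0 0 50 30 0 0 20 0 1 0 5 10000000 2000 0",
    "742 (sshd) S 1 742 742 0 -1 4194560 120 0 0 0 20 15 0 0 20 0 1 0 300 9000000 800 0",
    "1201 (Web Content) S 1150 1150 1150 0 -1 4194304 900 0 0 0 40 10 0 0 20 0 8 0 900 70000000 3000 0",
]
# Visible processes have grown by only 35 ticks, yet the system did 600.
PROCS_AFTER_HIDDEN_MINER = [
    "1 (systemd) S 0 1 1 0 -1 4194560 1000 0 0 0 60 35 0 0 20 0 1 0 5 10000000 2000 0",
    "742 (sshd) S 1 742 742 0 -1 4194560 120 0 0 0 25 20 0 0 20 0 1 0 300 9000000 800 0",
    "1201 (Web Content) S 1150 1150 1150 0 -1 4194304 900 0 0 0 45 15 0 0 20 0 8 0 900 70000000 3000 0",
]
# Same counters, but here a visible compile job accounts for the remaining 565 ticks.
PROCS_AFTER_VISIBLE_BUILD = PROCS_AFTER_HIDDEN_MINER + [
    "903 (cc1) R 890 890 890 0 -1 4194304 5000 0 0 0 300 265 0 0 20 0 1 0 1500 50000000 9000 0",
]

if __name__ == "__main__":
    share = unaccounted_cpu_share(CPU_BEFORE, CPU_AFTER, PROCS_BEFORE, PROCS_AFTER_HIDDEN_MINER)
    print(f"unaccounted CPU share, hidden consumer: {share:.1%}")
    share = unaccounted_cpu_share(CPU_BEFORE, CPU_AFTER, PROCS_BEFORE, PROCS_AFTER_VISIBLE_BUILD)
    print(f"unaccounted CPU share, visible build:   {share:.1%}")
```

On a live host the two snapshots come from reading `/proc/stat` and every `/proc/<pid>/stat` a few seconds apart; a persistently large unaccounted share is the signal to go looking with tooling that does not rely on the possibly hooked process listing.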

Read more about the new cryptominer Trojan on BleepingComputer.

Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress

A critical security flaw affecting a GDPR compliance plugin for WordPress has been exploited in the wild to take control of vulnerable websites, users have been warned. The WordPress GDPR Compliance plugin, which has over 100,000 active installations, is designed to help the administrators of websites become compliant with the EU’s General Data Protection Regulation (GDPR).

Malicious hackers discovered recently that the plugin is affected by some flaws that can be exploited to hijack vulnerable websites. According to researchers in Defiant’s Wordfence team, the vulnerabilities can be exploited by unauthenticated attackers to obtain privileged access to targeted websites.

Read more about the vulnerabilities of the plugin on SecurityWeek.

This banking malware just added password and browser history stealing to its playbook

The Trickbot banking malware has added yet another tool to its arsenal, allowing crooks to steal passwords as well as steal browser data including web history and usernames.

The malware first appeared in 2016, initially focused on stealing banking credentials — but Trickbot is highly customisable and has undergone a series of updates since then. The latest trick — picked up by researchers at both Trend Micro and Fortinet — is the addition of a new module designed to steal passwords. This new Trickbot variant first emerged in October.

Read more about the latest version of the Trickbot malware on ZDNet.

“Inception Attackers” Combine Old Exploit and New Backdoor

A malicious group known as the “Inception attackers” has been using a year-old Office exploit and a new backdoor in recent attacks, Palo Alto Networks security researchers warn. Active since at least 2014, the group has used custom malware against targets spanning various industries worldwide, with a special interest in Russia.

In October 2018, the threat actor was observed hitting various European targets in attacks employing an exploit for a vulnerability (CVE-2017-11882) that Microsoft patched in November 2017. Furthermore, the hackers were using a new PowerShell backdoor dubbed POWERSHOWER, which revealed high attention to detail in terms of cleaning up after infection.

Read more about the Inception attackers on SecurityWeek.

258,000 encrypted IronChat phone messages cracked by police

Police in the Netherlands have announced that they’ve broken the encryption used on a cryptophone app called IronChat. The Dutch police made the coup a while ago. They didn’t say when, exactly, but they did reveal that they’ve been quietly reading live communications between criminals for “some time.”

At any rate, it was enough time to read 258,000 chat messages: a mountain of information that they expect to lead to hundreds of busts. Already, the breakthrough has led to the takedown of a drug lab, among other things, according to Aart Garssen, Head of the Regional Crime Investigation Unit in the east of the Netherlands.

Read more about this story on Naked Security.

This is how artificial intelligence will become weaponized in future cyberattacks

Artificial intelligence has the potential to bring a select set of advanced techniques to the table when it comes to cyber offense, researchers say. According to Darktrace researchers (the report is published as a PDF), the current threat landscape is full of everything from script kiddies and opportunistic attacks to advanced, state-sponsored assaults, and at the latter end attacks continue to evolve.

However, for each sophisticated attack currently in use, there is the potential for further development through the future use of AI. Within the report, the cybersecurity firm documented three active threats in the wild which have been detected within the past 12 months.

Read more about the findings of the report on ZDNet.

Nearly 4,000 Breaches Disclosed in 2018

While it is likely that the breach activity of 2018 won’t reach the level of 2017, a look back at the first nine months suggests that 2018 is on pace to be another significant year for breaches, according to Risk Based Security.

The 2018 Q3 Data Breach QuickView Report found that 3,676 data compromise events were disclosed between 1 January and 30 September, exposing 3.6 billion records. However high those numbers might seem, and despite the consistent pace at which disclosures are reported, 2018 is not expected to see the record number of breaches reported in 2017.

Read more about the findings of the new report on Infosecurity Magazine.