DDoS attacks and Botnets
Attacks on mobile software almost doubled in 2018
Kaspersky Labs has released an interesting report entitled "Mobile malware evolution 2018", available at this address, which takes stock of the spread of malware on mobile devices in the past year, offering a useful tool to try to understand the future trend and react now.
Among the results highlighted by the report, which was conducted on the basis of data collected by devices with installed Kaspersky applications, the most important regards the number of attacks recorded: from 66.4 million in 2017 to 116.5 in 2018; on the other hand, the number of compromised installation packages has decreased (5,321,142 in 2018, almost 500 thousand less than the previous year).
Compromised apps include droppers (drop-down trojans that bypass checks and "drop the actual malicious package), adware (invasive advertising), risktool (apps that can cause physical damage) and spyware, including home banking systems, given their increasingly widespread use.
StealthWorker uses Windows and Linux to puncture sites
Fortiner researchers have identified a botnet that uses StealthWorker, a malware discovered a few weeks earlier by Malwarebytes.
Compared to the first version that focused only on Windows, this version of the malware has as its goal Linux, thus becoming a multi-platform threat; not only: by analyzing the open directories available on the C2 servers (Command & Control) indicated in the Malwarebytes report, evidence has been found that even the Mips and ARM architectures - therefore IoT devices - are involved. In both cases an automatic execution is scheduled to survive the restarts that releases the malware payload. Each infected machine is used to attach CMS installations like Joomla, Magento, Drupal and WordPress with brute force login attempts, and if the attack succeeds, not only are the credentials sent to the C2 server, but the compromised host becomes a zombie, creating a real botnet.
New decryption tools for different ransomware available
If on the one hand the world of ransomware sees new threats every month, it is also true that thanks to the work of volunteers and researchers tools are developed to decipher the data encrypted by ransomware: if you do not have backups ready to restore, the advice is to keep the encrypted files waiting for a special tool. The untiring Michael Gillespie continues to work and now his ID-Ransomware ransomware identification service covers more than 700 ransomware families, F-Secure has released a tool for Mira, Emsisoft for PewDiePie, aurora, BigBobRoss (Avast has also released a tool for this ransomware) and Planetary, Bitdefender has created a tool for GandCrab (versions 1, 4 and 5).
The NoMoreRansom project dedicated page remains the reference point, and the MalwareHunter Team Ransomware ID service allows you to identify which ransomware encrypted your files among the 500 in the catalog.
Clourborne is a vulnerability that installs backdoors in Cloud environments
Eclypsium researchers have identified a type of vulnerability renamed Cloudborne that allows you to install backdoors directly on physical servers used to manage virtual servers in Cloud environments; currently only IBM's SoftLayer technology is being studied, similar criticalities for other Cloud providers have not yet been analyzed.
The structure underlying the virtual part of a Cloud is naturally composed of physical servers, which have systems called BMC (Baseboard Management Control) - based on IPMI - which allow remote management of the server itself for the initial phases of installation and deployment; a vulnerability that affects BMC survives reboots and obviously will affect customers (even new ones) assigned to the server. The attacks obtainable include permanent DoS, server corruption, data theft, ransomware creation.
IBM has released a note mentioning the vulnerability and suggests a manual reset of the firmware before assigning the server to another client, although it is impractical to do this on a large scale.
Vulnerabilities get patched in Cisco and WebEx RV series routers
Cisco has released a patch for RV110W, RV130W and RV215W router vulnerabilities.
The vulnerabilities have Critical rank since I allow unauthenticated users to remotely execute commands on these routers; the person responsible for this is an incorrect management of the memory buffers; Updates are available in the cisco.com Software Center.
WebEx is the Cisco conferencing system; SecureAuth researchers have discovered a vulnerability that involves Webex and allows a local attacker (but in Active Directory environments the attack can be remote using remote management tools) without privileges to elevate privileges and launch arbitrary commands using a particular DLL library.
Cisco has released updated versions of the desktop app that correct this problem.
The risks of IoT in the medical field according to Check Point
Check Point researchers have published an interesting report on the risks of IoT in the medical field: not only the new devices associated with the current IoT boom, but also traditional machines connected to the network. The report is called "UltraHack: The Security Risks of Medical IoT".
The risks are more than current and involve a particularly sensitive sphere such as health. For example, the report cites an ultrasound machine running on Windows 2000, which has been without support for more than a decade; and of course it is vulnerable to attacks that allow you to read and modify the analysis results or infect it with a ransomware.
The suggested behaviors include an effective updating policy and a correct network segmentation and access policy.
News from the vendors
Microsoft Tuesday Patch
As every second Tuesday of the month, Microsoft has released the cumulative package of updates for Windows systems known as Patch Tuesday. It is installed automatically if automatic updates are enabled, otherwise it is available via Windows Update. Among the 64 problems being fixed (of which 15 marked as critical) in 12 different products, we mention those related to Office, Edge, Internet Explorer, Office and Office Services and Web Apps, ChakraCore, Adobe Flash Player, .NET Framework, ASP.NET , Skype for Business and Visual Studio. In no case have vulnerabilities been previously exploited for attacks.
Individual update packages can be selected and additional patch information can be found via the Security Update Guide.