DDoS attacks and Botnets

The Fortinet Threat Landscape Report Q1 2018 is now available

Fortinet has published the Threat Landscape Report for Q1 2018, which analyzes data collected between January and March 2018.

The report shows that most botnet infections (55%) lasted less than a day, 18% lasted less than two days and fewer than 5% lasted more than a week, a sign that botnets are constantly evolving.

Infections due to the Mirai botnet last the longest, five and a half days on average, but Ghost is the prevailing botnet.

Although 268 different botnets were identified, their number and activity declined over the analyzed period; crypto-jacking, that is, the generation of cryptocurrencies, is the main activity.

Ransomware

Ransomware affects HP iLOs

Malware has been detected attacking iLOs, the remote management consoles of HP servers; researcher M. Shahpasandi was the first to detect it.

It could be ransomware, since it asks for a ransom, but technically it appears to be a less sophisticated attack carried out manually; in any case, iLO interfaces directly exposed on the network are to be considered vulnerable. More details can be found in this BleepingComputer article.

iLOs should be updated to the latest version, and in any case not exposed on the network: the common practice is to access them via secure VPN connections.

New decryption tools are available

Although the list of ransomware grows every month, fortunately some researchers and volunteers provide decryption tools: if you get hit by ransomware and don't have a backup, don't despair and store the encrypted files somewhere, as a decryption tool might become available sooner or later.
Relentless researcher Michael Gillespie released a tool for CryptConsole (contact him), SepSis and Everbe (developed with Maxime Meignan); the Polish CERT Polska has released a tool for Vortex, while Sigrun allows the data it encrypted to be decrypted, but only for Russian users, following a pattern that is spreading among Russian ransomware (i.e. not doing damage in Russia, so as to avoid criminal penalties and prosecution).

MalwareHunter Team's Ransomware ID service identifies which ransomware encrypted your files; then head to the dedicated NoMoreRansom page and look for a decryption tool: most of them are listed here. The NoMoreRansom Project is the point of reference.

Vulnerabilities

Some SuperMicro server products are vulnerable to attacks

Eclypsium researchers have found that some SuperMicro products contain firmware vulnerabilities that expose them to attack by means of easy exploits.
The first security flaw concerns the "Region Descriptor", which Intel processors need in order to work: incorrectly set permissions allow the descriptor software to be executed directly by the processor; malware with administrative permissions can act on this and get directly to the processor.

Another flaw resides in the UEFI update mechanism, which requires the firmware to be temporarily writable; here too the security settings are permissive and allow unauthenticated updates to be performed. Moreover, there is no rollback mechanism to undo an update if it is older than the previous version (an old update can contain the changes needed to exploit the vulnerabilities).
The CHIPSEC framework tells you whether the firmware of your server is protected with a simple command (in this case, chipsec_main -m common.spi_access).

SuperMicro is actively collaborating with the Eclypsium team, and updates are already available for some products.

Vulnerability allows logging on HP iLO

A recently published paper shows an exploit based on the CVE-2017-12542 vulnerability that makes it easy to gain access to the console without authorization (just the cURL command and 29 'A' characters for authentication) and obtain data on the existing users; all iLOs accessible from the network are to be considered at risk.

Only version 4 is affected by the vulnerability; we recommend upgrading to a version with firmware 2.54 or higher. Versions 3 and 5 are not affected.

News from the vendors

Chrome 67 is now available

Chrome has been updated to version 67, ahead of version 68, which will bring important changes in the treatment of sites without an SSL certificate.

One of the major new features is the introduction of APIs for generic sensors that, as the name suggests, allow sites to use device sensors, in particular gyroscope, accelerometer, orientation and motion sensors. The new WebXR Device APIs allow Chrome to be used in VR with headsets such as the Oculus Rift.
On the security side, in addition to 34 bug-fixes, Strict Site Isolation mitigates the risks of the Spectre attack.

Office365 will no longer support Flash, Shockwave and Silverlight

Microsoft has announced the end of support for Flash, Shockwave and Silverlight.
The block will take effect in January 2019 and will affect only Office365 subscriptions, not individual installations of Office 2016, Office 2013 and Office 2010.
The reasons for this are the EOL date for Flash (2020) and the risks posed by these obsolete and flawed technologies.

Microsoft Patch Tuesday

As on every second Tuesday of the month, Microsoft released the cumulative package of system updates for Windows known as Patch Tuesday.
It is installed automatically if automatic updates are enabled; otherwise it is available through Windows Update.
This month features 53 updates, including ones related to Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, ChakraCore, Adobe Flash Player, .NET Framework, ASP.NET, Skype for Business and Visual Studio. No vulnerabilities have been exploited.
This GFI blog post recaps the updates contained in Patch Tuesday.
You can also download single updates and find further information in the Security Update Guide.
