DDoS attacks and Botnets

The FortiNet Threat Landscape Report Q1 2018 is now available

FortiNet has published the Threat Landscape Q1 2018 report, which analyzes data collected between January and March 2018.

The report shows that most botnet infections (55%) lasted less than a day, 18% less than two days, and fewer than 5% more than a week, a sign that botnets are constantly evolving.

Mirai infections are the longest-lasting, 5 and a half days on average, but Ghost is the most prevalent botnet.

Although 268 different botnets were identified, their number and activity declined over the period analyzed; crypto-jacking, that is hijacking victims' machines to generate cryptocurrency, is the main activity.

Ransomware

Ransomware affects HP iLOs

Malware has been detected attacking iLOs, the remote management consoles of HP servers; researcher M. Shahpasandi was the first to report it.

The malware could be classed as ransomware since it asks for a ransom, but technically it appears to be a less sophisticated attack carried out manually; in any case, iLO interfaces directly exposed on the network are to be considered vulnerable. More details can be found in this BleepingComputer article.

iLOs should be updated to the latest firmware version and, in any case, not exposed on the network: the common practice is to reach them only through secure VPN connections.

New decryption tools are available

Although the list of ransomware families grows every month, fortunately some researchers and volunteers bless us with decryption tools: if you are hit by ransomware and have no backup, don't despair; keep the encrypted files somewhere safe, as a decryption tool may become available sooner or later.
Relentless researcher Michael Gillespie released tools for CryptConsole (contact him), SepSis and Everbe (developed with Maxime Meignan); the Polish CERT Polska has released a tool for Vortex, while Sigrun itself decrypts the data it encrypted, but only for Russian users, following a pattern that is spreading among Russian ransomware (i.e. doing no damage in Russia, so as to avoid criminal sanctions and prosecution).

MalwareHunter Team's Ransomware ID service identifies which ransomware encrypted your files; then head to the dedicated NoMoreRansom page and look for a decryption tool: most of them are listed there. The NoMoreRansom Project is the point of reference.

Vulnerabilities

Some SuperMicro server products are vulnerable to attacks

Eclypsium researchers have found that some SuperMicro products contain firmware vulnerabilities that expose them to attack by means of simple exploits.
The first flaw concerns the "Region Descriptor" that Intel platforms rely on: its access permissions are set incorrectly, so the descriptor can be accessed directly by software running on the processor; malware with administrative privileges can exploit this to reach the firmware directly.

Another flaw resides in the UEFI update mechanism, which requires the firmware region to be made writable temporarily; here too the security settings are permissive and allow unauthenticated updates to be performed. Moreover, there is no rollback protection preventing a firmware version older than the installed one from being written back (an old version may still contain the flaws needed to exploit the vulnerabilities).
The CHIPSEC framework tells you whether your server's firmware is protected with a single command (in this case, chipsec_main -m common.spi_access).

SuperMicro is actively collaborating with the Eclypsium team, and updates are already available for some products.

Vulnerability allows logging in on HP iLO

A recently published paper describes an exploit for the CVE-2017-12542 vulnerability that makes it trivial to access the console without authorization (a single cURL command with 29 'A' characters in place of authentication) and obtain data on the configured users; all iLOs reachable from the network are to be considered at risk.

Only iLO 4 is affected by the vulnerability; we recommend upgrading to firmware 2.54 or higher. iLO 3 and iLO 5 are not affected.
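As an added example (not code from the original article), a check a defender can run over a saved iLO xmldata response to decide whether a unit still needs the 2.54 update; the element names (RIMP/MP/PN/FWRI) are assumed to follow iLO's unauthenticated /xmldata?item=all format, and the sample values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an iLO 4 xmldata response (element names assumed to
# follow iLO's xmldata format; serial number and versions are made up).
SAMPLE_XMLDATA = """<?xml version="1.0"?>
<RIMP>
  <MP>
    <ST>1</ST>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.53</FWRI>
    <HWRI>ASIC: 16</HWRI>
    <SN>EXAMPLESN01</SN>
  </MP>
</RIMP>"""

FIXED_ILO4_VERSION = (2, 54)  # CVE-2017-12542 is fixed in iLO 4 firmware 2.54


def parse_version(fwri: str) -> tuple:
    """Turn a firmware string such as '2.53' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", fwri))


def ilo_generation(product_name: str):
    """Return the iLO generation (3, 4, 5, ...) parsed from the PN element."""
    m = re.search(r"iLO\s*(\d+)", product_name)
    return int(m.group(1)) if m else None


def assess_ilo(xml_text: str) -> dict:
    """Classify one iLO from its xmldata response.

    needs_patch is True for iLO 4 below 2.54, False for patched iLO 4 and for
    iLO 3/5 (not affected), and None when the firmware version is missing.
    """
    root = ET.fromstring(xml_text)
    gen = ilo_generation(root.findtext("./MP/PN", default=""))
    fwri = root.findtext("./MP/FWRI", default="")
    version = parse_version(fwri)
    if gen != 4:
        needs_patch = False          # iLO 3 and iLO 5 are not affected
    elif not version:
        needs_patch = None           # version unknown: check manually
    else:
        needs_patch = version < FIXED_ILO4_VERSION
    return {"generation": gen, "firmware": fwri, "needs_patch": needs_patch}


if __name__ == "__main__":
    print(assess_ilo(SAMPLE_XMLDATA))
```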

News from the vendors

Chrome 67 is now available

Chrome has been updated to version 67, while version 68 is expected to bring important changes in how sites without an SSL certificate are treated.

One of the main novelties is the introduction of the Generic Sensor API which, as the name suggests, lets sites use device sensors, in particular the gyroscope, accelerometer, orientation and motion sensors. The new WebXR Device API allows Chrome to be used in VR with headsets such as the Oculus Rift.
On the security side, in addition to 34 bug fixes, Strict Site Isolation mitigates the risks of Spectre attacks.

Office365 will no longer support Flash, Shockwave and Silverlight

Microsoft announces the end of support for Flash, Shockwave and Silverlight.
The block will take effect in January 2019 and will apply only to Office365 subscriptions, not to the standalone installations of Office 2016, Office 2013 and Office 2010.
The reasons are the EOL date for Flash (2020) and the risks posed by these obsolete and flawed technologies.

Microsoft Patch Tuesday

As on every second Tuesday of the month, Microsoft has released the cumulative package of system updates for Windows known as Patch Tuesday.
It is installed automatically if automatic updates are enabled; otherwise it is available through Windows Update.
This month features 53 updates, including ones for Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, ChakraCore, Adobe Flash Player, .NET Framework, ASP.NET, Skype for Business and Visual Studio. None of the vulnerabilities has been exploited.
This GFI blog post recaps the updates contained in this Patch Tuesday.
You can also download single updates and find further information in the Security Update Guide.