
PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. News items are summarised and web links are provided for further information.

Security architecture: Compromised RDP servers used in corporate ransomware attacks

Threats and vulnerabilities: Phony Google update spreads data-stealing Android malware

Identity and access: Serious flaw exposed Microsoft Office 365 accounts

Top story: PCI Standard adds multi-factor authentication requirements

Compromised RDP servers used in corporate ransomware attacks

Researchers from Fox-IT have discovered a new attack vector for ransomware aimed at the enterprise. The attack itself is not new, but the combination of this attack combined with persistence and network analysis prior to activating the ransom is new to Fox-IT.

The NCC Group-owned IT security company said in a blog post today that there are three common methods for distributing ransomware: in weaponized attachments, through phishing links to poisoned sites, and via malvertising. However, the company says it has found a new method: "activating ransomware from a compromised remote desktop server."

Attackers can leverage this approach by brute forcing their way into remote desktop servers that are connected to the Internet – or simply buying compromised credentials from the underground.

Once in, they can use privilege escalation methods to seek domain admin status (if they haven't already got it). However, Fox-IT notes that this isn't always necessary "as the compromised user account might have access to all kinds of network shares with sensitive data."

Once in, the attackers have the normal possibilities: data exfiltration, recruiting into a botnet, delivering spam – and now holding the company hostage with ransomware. If internal defenses and network segmentation can limit the reach of the compromised workstation, then the effect of the ransom will be similarly limited. However, if the attacker can get access to more company servers, then the effect and harm of the ransomware will be more critical.

The key, suggests Fox-IT, is the victim's 'time to detect' – and this depends on the effectiveness of the victim's detection systems. The longer it takes, the more devastating the attack. In one instance investigated by Fox-IT, the attackers had been inside the network for weeks.

Source:
http://www.securityweek.com/compromised-rdp-servers-used-corporate-ransomware-attacks

Phony Google update spreads data-stealing Android malware

Android users are being warned of a phony Google update that is pushing malware onto devices.

The attackers behind this scheme are domain squatting URLs that are similar to ones used by Google for legitimate updates, hoping to snare less-than-vigilant users.

Researchers at Zscaler said yesterday in a report that the attackers invested heavily in this tactic to sidestep URL monitoring and security software in place on the device.

“These URLs are observed to be very short lived,” Zscaler said. “And are regularly replaced with newer ones to serve the malware and effectively evade URL based filtering.”

Zscaler also shared a list of the malicious domains:

• http[:]//ldatjgf[.]goog-upps.pw/ygceblqxivuogsjrsvpie555/
• http[:]//iaohzcd[.]goog-upps.pw/wzbpqujtpfdwzokzcjhga555/
• http[:]//uwiaoqx[.]marshmallovw.com/
• http[:]//google-market2016[.]com/
• http[:]//ysknauo[.]android-update17[.]pw/
• http[:]//ysknauo[.]android-update16[.]pw/
• http[:]//android-update15[.]pw/
• http[:]//zknmvga[.]android-update15[.]pw/
• http[:]//ixzgoue[.]android-update15[.]pw/
• http[:]//zknmvga[.]android-update15[.]pw/
• http[:]//gpxkumv.web-app.tech/xilkghjxmwvnyjsealdfy666/

Once on the device, the malware connects to a remote site, before sending stolen call logs, SMS data, browser history and any stored banking data, Zscaler said. It also looks for mobile antivirus products on the devices and tries to disable them.

The file name of the malware is Update_chrome.apk and once it’s installed, it asks the user to grant it admin permissions. It then registers the device with a command-and-control server, http[:]//varra.top/tapas/gtgtr[.]php, and begins monitoring activity on the device, harvesting call and SMS data in particular.

Source:
https://threatpost.com/phony-google-update-spreads-data-stealing-android-malware/117742/
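The domain list above is defanged ([.] and [:]), which is how indicators are shared but not how they appear in logs. The following is an added example, not code from the digest, Zscaler or Threatpost: it refangs the published indicators, extracts their hostnames and matches them against proxy log lines by host, including subdomains of a listed domain, so that the rotating short-lived hostnames the report describes are still caught when only the parent domain was published. The log lines and the function names (refang, ioc_hosts, host_matches, scan_log) are constructed for illustration.

```python
"""Match the digest's defanged domain indicators against proxy log lines.

Added example; not code from the PwC digest, Zscaler or Threatpost.
The indicator strings are the ones published above; the log lines and all
function names are constructed for illustration.
"""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicators exactly as published (defanged with [.] and [:]).
DEFANGED_IOCS = [
    "http[:]//ldatjgf[.]goog-upps.pw/ygceblqxivuogsjrsvpie555/",
    "http[:]//iaohzcd[.]goog-upps.pw/wzbpqujtpfdwzokzcjhga555/",
    "http[:]//uwiaoqx[.]marshmallovw.com/",
    "http[:]//google-market2016[.]com/",
    "http[:]//ysknauo[.]android-update17[.]pw/",
    "http[:]//ysknauo[.]android-update16[.]pw/",
    "http[:]//android-update15[.]pw/",
    "http[:]//zknmvga[.]android-update15[.]pw/",
    "http[:]//ixzgoue[.]android-update15[.]pw/",
    "http[:]//gpxkumv.web-app.tech/xilkghjxmwvnyjsealdfy666/",
    "http[:]//varra.top/tapas/gtgtr[.]php",  # the C2 named in the article
]

# Constructed proxy log: epoch time, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
1462867200.101 10.0.0.21 GET http://www.google.com/ 200
1462867201.417 10.0.0.21 GET http://ysknauo.android-update16.pw/Update_chrome.apk 200
1462867205.902 10.0.0.33 POST http://varra.top/tapas/gtgtr.php 200
1462867209.555 10.0.0.45 GET http://example.com/android-update15.pw 404
1462867212.003 10.0.0.21 GET http://qwerty.android-update15.pw/ 200
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo common defanging ([.] [:] (.) hxxp) so the URL parses normally."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def ioc_hosts(indicators: List[str]) -> Set[str]:
    """Lower-cased hostnames of the indicators. Matching is done on hosts,
    because paths such as /ygceblq...555/ rotate even faster than domains."""
    hosts = set()
    for ioc in indicators:
        host = urlsplit(refang(ioc)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def host_matches(host: str, bad_hosts: Set[str]) -> Optional[str]:
    """Return the indicator host that `host` equals or is a subdomain of.

    A bare indicator such as android-update15.pw also covers
    zknmvga.android-update15.pw, which catches the short-lived subdomains the
    report describes even when that exact label was never published.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in bad_hosts:
            return candidate
    return None


def scan_log(lines: List[str], bad_hosts: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, requested host, matched indicator) for each hit.

    Only the URL's host is compared, so an indicator string appearing in the
    path on an unrelated host (line 4 of the sample) is not a hit.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        m = URL_RE.search(line)
        if not m:
            continue
        host = urlsplit(m.group(0)).hostname
        if not host:
            continue
        matched = host_matches(host, bad_hosts)
        if matched:
            hits.append((n, host, matched))
    return hits


if __name__ == "__main__":
    for n, host, ioc in scan_log(SAMPLE_PROXY_LOG.splitlines(), ioc_hosts(DEFANGED_IOCS)):
        print(f"line {n}: {host} matches indicator {ioc}")
```

Matching on the host rather than on the full URL string is deliberate: the published paths are one-off tokens, and a substring match would also fire on the unrelated example.com request whose path merely contains "android-update15.pw".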

Serious flaw exposed Microsoft Office 365 accounts

Researchers discovered a severe cross-domain authentication bypass vulnerability that could have been exploited by malicious actors to gain access to Office 365 accounts, including email and files.

Microsoft patched the issue within 7 hours after learning of its existence.

The vulnerability, identified by Klemen Bratec and Ioannis Kakavas, is related to the Security Assertion Markup Language (SAML), a standard used for exchanging authentication and authorization data. Microsoft uses SAML for single sign-on (SSO), an authentication process that allows users to access multiple services with a single username and password.

The SAML authority that holds information about the users is called the identity provider. The identity provider issues assertions (XML structures that contain user security information) that are consumed by the service provider when users access a resource.

Microsoft’s implementation of the SAML service provider did not perform adequate checks, allowing an attacker to provide assertions declaring that one identity provider has authenticated the users of a different identity provider.

Tests conducted by Bratec and Kakavas showed that an attacker could have logged in to a targeted user’s account by adding an entry matching the victim’s account to their own user directory. The attacker could then connect to the victim’s account by starting the authentication process on login.microsoftonline.com with their own username, and finishing the login process on the identity provider with the target’s username.

Bratec and Kakavas initially believed the flaw was limited to Microsoft’s SAML 2.0 implementation, which is mostly used in the education sector. However, further tests revealed that even domains federated using Active Directory Federation Services (ADFS) are affected. This meant that all federated domains (i.e. domains with SSO enabled) were vulnerable, excepting those using multi-factor authentication.

The list of major organizations exposed by this flaw included Microsoft, Cisco, IBM, Intel, the International Monetary Fund, Verizon, Vodafone, BT, British Airways, and the City of Chicago.

“It was pretty easy to automate this and check against company domain name lists to identify potential targets, but we did not have the time nor the inclination to do so,” the researchers explained in a blog post detailing the vulnerability.

Source:
http://www.securityweek.com/serious-flaw-exposed-microsoft-office-365-accounts
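The check that went missing, as an added example that is not the researchers' or Microsoft's code: a small service-provider model with two federated domains (the constructed names victim.example and attacker.example and their IdP URLs), showing the flawed acceptance logic (any trusted identity provider may vouch for any user) beside a hardened one that binds the assertion's Issuer to the identity provider registered for the asserted user's domain, and optionally to the account the login flow was started with. Signature validation is assumed to have passed already; the federation table and the function names are constructed for illustration.

```python
"""Cross-domain SAML assertion acceptance: the bug class the article describes.

Added example; not code from Microsoft, Bratec or Kakavas. It models a service
provider that federates several domains, each with its own identity provider
(IdP), and contrasts the flawed check (any trusted IdP may vouch for any user)
with one that binds the assertion's Issuer to the asserted user's domain.
Signature verification is assumed to have succeeded already: it does not help
here, because the attacker's own IdP signs its assertion validly.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed federation table: e-mail domain -> IdP entity ID trusted for it.
FEDERATED_DOMAINS = {
    "victim.example": "https://idp.victim.example/saml",
    "attacker.example": "https://idp.attacker.example/saml",
}

# Constructed assertion: the attacker's IdP (trusted for attacker.example)
# asserts a NameID that belongs to a different federated domain.
CROSS_DOMAIN_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.attacker.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>ceo@victim.example</saml:NameID></saml:Subject>
</saml:Assertion>
"""

# Constructed assertion: the same user, vouched for by the right IdP.
LEGITIMATE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.victim.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>ceo@victim.example</saml:NameID></saml:Subject>
</saml:Assertion>
"""


def parse_assertion(xml_text: str) -> Tuple[str, str]:
    """Extract (Issuer, NameID) from a SAML 2.0 assertion.

    The input here is constructed; real assertions are untrusted XML and
    should go through a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    return issuer.strip(), name_id.strip()


def domain_of(name_id: str) -> str:
    """Domain part of a user@domain NameID, lower-cased."""
    return name_id.rpartition("@")[2].lower()


def accept_vulnerable(xml_text: str) -> Optional[str]:
    """Flawed check: the Issuer is *some* trusted IdP, so the NameID is believed.

    Returns the identity that would be logged in, or None if rejected.
    """
    issuer, name_id = parse_assertion(xml_text)
    if issuer not in FEDERATED_DOMAINS.values():
        return None
    return name_id          # attacker's IdP vouches for ceo@victim.example


def accept_hardened(xml_text: str, started_as: Optional[str] = None) -> Optional[str]:
    """Fixed check: the Issuer must be the IdP registered for the NameID's domain.

    `started_as` is the username the login flow began with (constructed
    parameter). Requiring its domain to match the asserted domain closes the
    variant where the flow is started as one user and finished as another.
    """
    issuer, name_id = parse_assertion(xml_text)
    asserted_domain = domain_of(name_id)
    expected_issuer = FEDERATED_DOMAINS.get(asserted_domain)
    if expected_issuer is None or issuer != expected_issuer:
        return None         # unknown domain, or cross-domain vouching
    if started_as is not None and domain_of(started_as) != asserted_domain:
        return None         # assertion does not belong to the flow that requested it
    return name_id
```

The point of the hardened version is that trust in an identity provider is scoped: being federated for attacker.example says nothing about victim.example, so the service provider has to look up which IdP owns the asserted domain and compare, rather than asking only whether the Issuer is trusted at all. Multi-factor authentication, which the article notes exempted some tenants, adds a second check the forged assertion alone cannot satisfy.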

PCI Standard adds multi-factor authentication requirements

The PCI Security Standards Council (PCI SSC) has published a new version of its data security standard (DSS), used to safeguard payment data before, during and after a purchase is made. PCI DSS version 3.2 replaces version 3.1, which will expire on Oct. 31.

One significant change in PCI DSS 3.2 is that it includes multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data. Previously this requirement applied only to remote access from untrusted networks.

“A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information,” said PCI Security Standards Council CTO Troy Leach. “We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected and to compromise card data.”

Additionally, service providers, specifically those that aggregate large amounts of card data, continue to be at risk. PCI DSS 3.2 includes a number of updates to help these entities demonstrate that good security practices are active and effective. This includes new requirement 6.4.6, which mandates that organizations ensure security controls are in place following a change in their cardholder data environment. Building this validation into change management processes helps ensure that device inventories and configuration standards are kept up to date and security controls are applied where needed.

Also, new requirements 10.8 and 10.8.1 outline that service providers need to detect and report on failures of critical security control systems, and new requirement 11.3.4.1 indicates that service providers need to perform penetration testing on segmentation controls every six months. Previously, it was required at least annually for all entities to demonstrate that their segmented environment was truly isolated.

The update also has added the PCI DSS Supplemental Designated Entities Validation (DESV) criteria as an appendix to the standard, as well as expanded a few existing PCI DSS requirements (3, 10, 11, 12) to include DESV controls for service providers specifically.

Source:
http://www.infosecurity-magazine.com/news/pci-standard-adds-multifactor/


services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in

PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity in separate lines of service. Please see www.pwc.com/structure for further details.

©2016 PwC. All rights reserved

pwc.in

Data Classification: DC0

This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither accepts nor assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.

© 2015 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

AG6345

For any queries, please contact:

Sivarama Krishnan
[email protected]

Amol Bhat
[email protected]
