AttackWise cyber security round-up 26 January 2019


FireEye has an interesting article on how attackers prefer an interactive RDP session over non-graphical interfaces when moving laterally within an organisation. To circumvent firewalls that block RDP, attackers use SSH, which is often allowed, to tunnel their RDP sessions. Prevention includes using central jump boxes for RDP initiation, and detection includes monitoring for unusual source/target connections.
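The detection idea above, sketched as an added example (not code from FireEye or from this round-up): it flags RDP that does not originate from a jump box, RDP arriving from loopback, and SSH leaving the internal network. The jump box address, the internal range, the flow record format and the loopback heuristic are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Assumed policy values (hypothetical, not from the article).
JUMP_BOXES = {ipaddress.ip_address("10.0.5.10")}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
RDP_PORT, SSH_PORT = 3389, 22

# Constructed sample flow records: time, source, destination, destination port.
SAMPLE_FLOWS = """\
2019-01-26T09:00:01,10.0.5.10,10.0.20.7,3389
2019-01-26T09:02:14,10.0.20.7,10.0.20.9,3389
2019-01-26T09:03:40,10.0.20.9,203.0.113.50,22
2019-01-26T09:03:55,127.0.0.1,127.0.0.1,3389
2019-01-26T09:05:00,10.0.20.9,10.0.5.10,22
2019-01-26T09:06:30,10.0.20.7,10.0.30.2,443
"""

def classify(src, dst, port):
    """Return a finding label for one flow, or None if it matches policy."""
    if port == RDP_PORT:
        if src.is_loopback:
            # RDP arriving from localhost suggests a local port forward.
            return "rdp-from-loopback"
        if src not in JUMP_BOXES:
            return "rdp-not-from-jump-box"
    if port == SSH_PORT and dst not in INTERNAL:
        # Outbound SSH is the channel that can carry a tunnelled RDP session.
        return "ssh-to-external"
    return None

def find_unusual(flow_text):
    """Parse flow lines and return (time, src, dst, label) for each finding."""
    findings = []
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, src, dst, port = row
        try:
            label = classify(ipaddress.ip_address(src),
                             ipaddress.ip_address(dst), int(port))
        except ValueError:
            continue  # skip unparseable addresses or ports
        if label:
            findings.append((ts, src, dst, label))
    return findings

if __name__ == "__main__":
    for finding in find_unusual(SAMPLE_FLOWS):
        print(*finding)
```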

Malware authors have been employing steganography with image files to evade detection as part of malvertising campaigns. In isolation, the plainly visible advertisement JavaScript and the related image file are harmless, but once the JavaScript extracts additional code from the image file, a malicious outcome is achieved by prompting the user to download an executable disguised as a Flash update. A reminder of the innovation employed by attackers.

New Zealand’s Computer Emergency Response Team (CERT), CERT NZ, has released its top 10 critical controls list for organisations. This year, the new controls “implementing network segmentation” and “manage cloud authentication” have replaced “removing legacy systems” and “managing BYOD devices”. Its number 1 control recommendation is enforcing MFA.

CISA has issued its first Emergency Directive to US Federal agencies to mitigate DNS infrastructure tampering. The directive is in response to research from FireEye that CISA explains as “roughly equivalent to someone lying to the post office about your address, checking your mail, and then hand delivering it to your mailbox”. Among other things, the directive requires a relatively new protection measure: monitoring certificate transparency logs to detect unauthorised SSL certs (see the free monitoring tool from Facebook as a guide).

A researcher has provided details related to Microsoft Exchange Server and how to “escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange”. The report also includes mitigation options.

Apple has released iOS 12.1.3. The update resolves a number of vulnerabilities, including some credited to the person who claims to have remotely jailbroken the iPhone X. I wonder if the $2 million bounty specifically for this hack was of interest. Either way, update your iOS devices.

Industry Events

7-8 March 2019, London, Identity and Access Management Summit

12-13 March 2019, London, Cloud and Cyber Security Expo

14 March 2019, London, CRESTCon

24-25 April 2019, Glasgow, CYBERUK

25-26 April 2019, London, Cyber Security and Cloud Expo

4-6 June 2019, London, Infosecurity Europe

June 2019, London, Security BSides

October 2019, London, FT Cyber Security Summit Europe

20 November 2019, London, Cyber Security Summit