Critical Vulnerability in Flash Player, (Wed, Nov 21st)

This post was originally published on this site

Adobe released a patch for a critical vulnerability in Flash Player [1]. According to Adobe, details about the vulnerability have already been made public. Successful exploitation allows arbitrary code execution. Widespread exploitation may be imminent. This is, of course, particularly worrying ahead of the long weekend (in the US), with many IT shops running on a skeleton crew. Try to patch this before you head out on Wednesday, or maybe the weekend shift can take care of it.

Of course, over the weekend you may be asked to look at issues with relatives’ systems. I recommend that you first apply all patches, including this one, and then disable Flash. By first patching and later disabling, you increase your chances of a patched version being installed once the user decides to re-enable Flash.

Google Chrome and Microsoft’s Edge browser also need to be updated. Both include Flash by default and are vulnerable.

[1] https://helpx.adobe.com/security/products/flash-player/apsb18-44.html

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Securing Mobile Devices During Holiday Travel


Original release date: November 20, 2018

As the holiday season begins, many people will travel with their mobile devices. Although these devices—such as smart phones, tablets, and laptops—offer a range of conveniences, users should be mindful of potential threats and vulnerabilities while traveling with them.

NCCIC encourages users to review the NCCIC Tips on Holiday Traveling with Personal Internet-Enabled Devices and Cybersecurity for Electronic Devices. The suggested security practices in these tips will help travelers secure their portable devices during the holiday season and throughout the year.


This product is provided subject to this Notification and this Privacy & Use policy.

VMware Affected by Dell EMC Avamar Vulnerability, (Tue, Nov 20th)


VMware notified us that they released a new security bulletin[1] (rated as “critical”) which affects vSphere Data Protection (VDP).

VDP is vulnerable because it is based on Dell EMC Avamar Virtual Edition. Multiple vulnerabilities have been disclosed today in this solution:

  • A remote code execution vulnerability (CVE-2018-11066): A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.
  • An open redirection vulnerability (CVE-2018-11067): A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking victim users into clicking on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.

Patches are available for both products.

This is a perfect example of how a product ‘A’ can affect a product ‘B’ when technologies are reused across multiple solutions.

[1] https://www.vmware.com/security/advisories/VMSA-2018-0029.html
[2] https://seclists.org/fulldisclosure/2018/Nov/49

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant


VMware Releases Security Updates


Original release date: November 20, 2018

VMware has released security updates to address vulnerabilities in vSphere Data Protection. An attacker could exploit some of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review the VMware Security Advisory VMSA-2018-0029 and apply the necessary update.



Adobe Releases Security Updates


Original release date: November 20, 2018

Adobe has released security updates to address a vulnerability in Adobe Flash Player. An attacker could exploit this vulnerability to take control of an affected system.  

NCCIC encourages users and administrators to review Adobe Security Bulletin APSB18-44 and apply the necessary updates.



Querying DShield from Cortex, (Tue, Nov 20th)


Cortex is a tool that is part of the TheHive project[1]. As stated on the website, it is a “Powerful Observable Analysis Engine”. Cortex can analyze observables like IP addresses, emails, hashes, and filenames against a huge (and growing) list of online services. I like the naming convention used by Cortex: we have “observables” that can later be promoted to an “IOC” if they are really relevant for us. Keep in mind that an interesting IOC for you could be totally irrelevant in another environment.

What makes Cortex so powerful and convenient is the long list of “analyzers” (that’s how they call the plugins). Through those small pieces of code, you can, in one click, search for observables in many sources. Cortex is available through a web interface, but its REST API makes it easy to interconnect with other tools to enrich the data. Two popular tools that can interact with Cortex are MISP[2] and TheHive[3]. From their web interface, I can easily enrich data using the following analyzers (they are enabled in my own instance of TheHive):

  • Abuse_Finder_2_0
  • CIRCLPassiveDNS_2_0
  • CIRCLPassiveSSL_2_0
  • Censys_1_0
  • Cymon_Check_IP_2_1
  • DShield_lookup_1_0
  • DomainTools_ReverseIP_2_0
  • DomainTools_ReverseNameServer_2_0
  • DomainTools_ReverseWhois_2_0
  • DomainTools_Risk_2_0
  • DomainTools_WhoisHistory_2_0
  • DomainTools_WhoisLookup_2_0
  • DomainTools_WhoisLookup_IP_2_0
  • EmlParser_1_0
  • FileInfo_3_0
  • Fortiguard_URLCategory_2_0
  • HybridAnalysis_GetReport_1_0
  • MISPWarningLists_1_0
  • MISP_2_0
  • MaxMind_GeoIP_3_0
  • Msg_Parser_2_0
  • OTXQuery_2_0
  • Onyphe_Forward_1_0
  • Onyphe_Geolocate_1_0
  • Onyphe_Ports_1_0
  • Onyphe_Reverse_1_0
  • Onyphe_Threats_1_0
  • PassiveTotal_Enrichment_2_0
  • PassiveTotal_Malware_2_0
  • PassiveTotal_Osint_2_0
  • PassiveTotal_Passive_Dns_2_0
  • PassiveTotal_Ssl_Certificate_Details_2_0
  • PassiveTotal_Ssl_Certificate_History_2_0
  • PassiveTotal_Unique_Resolutions_2_0
  • PassiveTotal_Whois_Details_2_0
  • Robtex_Forward_PDNS_Query_1_0
  • Robtex_IP_Query_1_0
  • Robtex_Reverse_PDNS_Query_1_0
  • Shodan_Host_1_0
  • Shodan_Search_1_0
  • URLhaus_1_0
  • VirusTotal_GetReport_3_0
  • VirusTotal_Scan_3_0
  • WOT_Lookup_1_0

Writing new analyzers is very simple: an API is provided and any language can be used (but most of them are written in Python). Some analyzers query open services, others query private services (you need an API key) or commercial services (you need a subscription). As you can see, there is an analyzer called “DShield_lookup”. That’s my contribution to the project. From Cortex, MISP, or TheHive, you can query our DShield database to get more information about an IP address.

If you click on the DShield tag, you can see more details.

The DShield analyzer has been added to the official repository by the developers a few weeks ago. Just deploy Cortex and enable it to benefit from our DShield database!
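The DShield analyzer shipped with Cortex is the project's own code; the block below is an added illustration, written for this page, of the shape such an analyzer takes: fetch the DShield record for an IP, normalize it, and reduce it to the short “taxonomy” tags that TheHive and MISP display next to an observable. It assumes the public DShield JSON endpoint `https://isc.sans.edu/api/ip/<ip>?json` and its top-level `ip` object with `count` (reports) and `attacks` (distinct targets); the sample responses are constructed, the level thresholds are this example's own choice rather than DShield's scoring, and no network call is made, so it runs offline.

```python
import ipaddress
import json

# Public DShield IP lookup endpoint (known public API; not quoted on the page).
DSHIELD_IP_API = "https://isc.sans.edu/api/ip/{ip}?json"

# Constructed sample response for an IP that DShield sensors have reported.
# Field layout mirrors the DShield JSON output as far as this example assumes it.
SAMPLE_SEEN = json.dumps({"ip": {
    "number": "192.0.2.10", "count": 1423, "attacks": 87,
    "mindate": "2018-10-02", "maxdate": "2018-11-19",
    "updated": "2018-11-20 03:14:51", "comment": None,
    "asabusecontact": "abuse@example.net", "as": 64496, "asname": "EXAMPLE-AS",
    "ascountry": "US", "assize": 4096, "network": "192.0.2.0/24",
    "threatfeeds": {"blocklistde22": {"firstseen": "2018-11-01", "lastseen": "2018-11-18"}},
}})

# Constructed sample response for an IP DShield has never seen: counters are null.
SAMPLE_UNSEEN = json.dumps({"ip": {
    "number": "198.51.100.7", "count": None, "attacks": None,
    "mindate": None, "maxdate": None, "updated": None, "comment": None,
    "asabusecontact": None, "as": 64497, "asname": "OTHER-AS",
    "ascountry": "DE", "assize": 256, "network": "198.51.100.0/24",
    "threatfeeds": None,
}})


def lookup_url(ip: str) -> str:
    """Build the lookup URL; ipaddress() rejects anything that is not an IP, so
    an observable cannot smuggle path characters into the request."""
    return DSHIELD_IP_API.format(ip=str(ipaddress.ip_address(ip)))


def parse_dshield_report(raw_json: str) -> dict:
    """Normalize a DShield response: null counters become 0, feeds become a list."""
    data = json.loads(raw_json)["ip"]
    return {
        "ip": data.get("number"),
        "count": int(data.get("count") or 0),      # total reports received
        "attacks": int(data.get("attacks") or 0),  # distinct targets reporting it
        "first_seen": data.get("mindate"),
        "last_seen": data.get("maxdate"),
        "asn": data.get("as"),
        "asname": data.get("asname"),
        "country": data.get("ascountry"),
        "network": data.get("network"),
        "abuse_contact": data.get("asabusecontact"),
        "threatfeeds": sorted((data.get("threatfeeds") or {}).keys()),
    }


def build_taxonomy(level: str, namespace: str, predicate: str, value: str) -> dict:
    """Same four fields a Cortex analyzer returns for a short report tag."""
    return {"level": level, "namespace": namespace, "predicate": predicate, "value": value}


def classify(report: dict, suspicious_targets: int = 1, malicious_targets: int = 50) -> str:
    """Map target counts to Cortex levels. Thresholds are this example's assumption."""
    if report["attacks"] >= malicious_targets:
        return "malicious"
    if report["attacks"] >= suspicious_targets:
        return "suspicious"
    return "info"  # never reported: say so, rather than claiming "safe"


def summarize(report: dict) -> dict:
    """Produce the tag list an analyzer would hand back for the observable."""
    taxonomies = [build_taxonomy(
        classify(report), "DShield", "Score",
        f"{report['count']} reports / {report['attacks']} targets")]
    if report["threatfeeds"]:
        taxonomies.append(build_taxonomy(
            "suspicious", "DShield", "ThreatFeeds", ",".join(report["threatfeeds"])))
    return {"taxonomies": taxonomies}


if __name__ == "__main__":
    for raw in (SAMPLE_SEEN, SAMPLE_UNSEEN):
        rep = parse_dshield_report(raw)
        print(lookup_url(rep["ip"]), json.dumps(summarize(rep)))
```

The point of the normalization step is the never-seen case: DShield returns null counters for unknown addresses, and an analyzer that casts those straight to `int` will crash on exactly the observables an analyst has not seen before. The `info` level for such an address is deliberate, since absence from DShield's sensors is not evidence that the address is benign.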

[1] https://thehive-project.org/#section_cortex
[2] http://misp-project.org/
[3] https://thehive-project.org/#section_thehive

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant


Holiday Scams and Malware Campaigns


Original release date: November 19, 2018

As the holidays approach, NCCIC reminds users to be aware of seasonal scams and malware campaigns. Users should be cautious of unsolicited emails that contain malicious links or attachments with malware, advertisements infected with malware, and requests for donations from fraudulent charitable organizations, which could result in security breaches, identity theft, or financial loss.

NCCIC recommends the following actions:

If you believe you are a victim of a scam or malware campaign, consider the following actions:



Google Releases Security Updates for Chrome


Original release date: November 19, 2018

Google has released Chrome version 70.0.3538.110 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system.

NCCIC encourages users and administrators to review the Chrome Releases page and apply the necessary updates.



Cybersecurity and Infrastructure Security Agency


Original release date: November 19, 2018

On November 16, 2018, the President signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This Act elevates the mission of the former Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) and establishes the Cybersecurity and Infrastructure Security Agency (CISA). CISA is responsible for protecting the Nation’s critical infrastructure from physical and cyber threats, a mission that requires effective coordination and collaboration among a broad spectrum of government and private sector organizations. 

NCCIC encourages all parties to review the DHS announcement on CISA for more information.



The Challenge of Managing Your Digital Library, (Mon, Nov 19th)


How do you manage your digital library on a daily basis? If, like me, you receive a lot of emails, notifications, tweets, [name your best technology here], there is a good chance that you’re flooded by tons of documents in multiple formats. This problem is so huge that, if I’m offline for a few days or too busy to handle the information in (almost) real time, it costs me a lot of extra time to process the waiting queue. While surfing, there are also a lot of documents that are not immediately useful but “could be”. Do you also have a bad feeling when you delete a document “that could be very interesting in the future”? In fact, it’s like people who store everything in their home and can’t bring themselves to throw anything away.

Here is a small list of data that I like to keep:

  • Emails (from mailing lists)
  • Tweets
  • PDF/papers from security conferences
  • Studies, white papers
  • Software, firmware, …
  • Configuration samples
  • Collected data (pasties, DB dumps, Darkweb data, screenshots, …)

With electronic documents, we also have another dilemma: which kind of storage? Local or in the cloud? It’s easy to store documents in the cloud. They are indexed, they are available from everywhere. Plenty of tools and services provide this but… for how long? What if you upload a few TB of data to the cloud and the service disappears? Local storage also has caveats: how to handle the amount of data across years? How to back it up? How to migrate to new or more powerful technologies? How to manage your NAS, patch them, etc.

Today, I still have not found the best way to complete this task. What I’m using at the moment:

  • Splunk to index tweets, emails
  • Evernote for documents (including PDF)
  • Local NAS
  • Cloud services with buckets like B2, C2, Amazon for long retention of data files
  • Private Gitlab for configuration files, lists, pieces of code

And you? How do you manage your digital library? Please share your stories!

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
