Kazuar, Windows Defender and Worst-Case Scenarios
But from Microsoft issuing an emergency patch for Windows Defender to the NSA director sharing his cyber fears to Gizmodo phishing for Trump administration officials, last week didn’t disappoint in delivering a rich trove of other security news. In case you missed it, here are some other stories that got our attention.
From the pages of “Oh great, they’re doing that now?” comes an analysis of the cyber-espionage malware dubbed Kazuar, which incorporates an API to reverse the normal C&C communications flow. Detailed over at BleepingComputer – crediting research from Fox-IT and Palo Alto Networks – the highlights are:
… the most notable and original feature is in Kazuar’s C&C server communications… Kazuar has the ability to reverse the flow of normal C&C server communications. Instead of infected hosts pinging the C&C server for new commands, an attacker can ping the victim whenever he wants and send new instructions.
Patch Windows Defender… Like Right Now!
Google’s Project Zero discovered a vulnerability in the malware protection engines of Windows 7, 8, 8.1, 10 and Server 2016. Microsoft quickly responded by issuing an emergency patch. According to Ars Technica:
The exploit (officially dubbed CVE-2017-0290) allows a remote attacker to take over a system without any interaction from the system owner: it’s simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft’s malware protection engine—websites, file shares—could be used as an attack vector.
Government Cyber attacks Double, Trump Signs New Order
As reported by GCN, Dimension Data research found that cyber attacks on government agencies – as a proportion of total attacks – doubled from 7% in 2015 to 14% in 2016, ranking the government sector as a #1 target alongside the financial services industry.
According to GCN:
Government agencies were increasingly hit with ransomware attacks, coming in at 19% of attacks. (Business and professional services sustained 28% of all ransomware attacks.) Phishing and social engineering schemes, which delivered 73% of malware, were less likely to target governments, going after the manufacturing industry primarily.
On a related note, U.S. President Trump signed an executive order on cybersecurity. Subtitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” the order covers a wide array of security policies, issues, risk management and cyber initiatives. Paul Rosenzweig breaks down the EO for Fifth Domain.
According to reporting by Bloomberg:
The order seeks to improve the often-maligned network security of U.S. government agencies, from which foreign governments and other hackers have pilfered millions of personal records and other forms of sensitive data in recent years.
You’d Better Listen to This Guy
The Washington Times reported on recent cybersecurity remarks from NSA Director Adm. Mike Rogers to the Senate Armed Services Committee.
…Adm. Rogers also raised eyebrows by discussing a “worst-case scenario” cyberattack on critical infrastructure that instead of revealing data – such as a WikiLeaks hack – would entail the manipulation of vital national data on a “massive scale.”
“Advanced states continue to demonstrate the ability to combine cyber effects, intelligence, and asymmetric warfare to maintain the initiative just short of war, challenging our ability to react and respond…”
From the Washington Post:
Ethical Questions Emerge When Journalists Turn Pen Testers
Steve Ragan’s column at CSO raises some interesting ethical questions about Gizmodo’s effort to see if they could get Trump administration officials to click on phishing emails. The article Here’s How Easy It Is to Get Trump Officials to Click on a Fake Link in Email can fill you in. Using tactics similar to those that compromised the Democratic National Committee, Gizmodo manufactured a phishing campaign targeting Trump administration officials and advisors, including then FBI Director James Comey, Rudy Giuliani and Newt Gingrich, to see how many recipients they could get to click on a fraudulent link. About half of the links sent were clicked.
Ragan’s column asks, “does it cross a line when a news organization creates a Phishing simulation in order to develop news?” His analysis and considerations are worth checking out here.
No Basic Training for Military Cyber Operators
As we have noted often, the cyber skills gap continues to accelerate across all sectors, including the military. Ars Technica recently reported on a Senate Armed Services Committee hearing during which the Department of Defense discussed broadening its thinking when it comes to quickly onboarding and retaining cyber talent:
One of the possible solutions that the DOD has looked at is bringing people with experience and skills essential to offensive and defensive cyber operations into the service “laterally.” That means giving them ranks (and pay grades) commensurate to their skills and entirely bypassing the normal recruitment and advancement process.
…And What Else?
Naked Security shared details on how to hack a Jeep Cherokee.
Schneier on Security discussed Securing Elections.
BleepingComputer reported on using digitally created fingerprints to unlock smartphones.