Wednesday, October 31, 2018

Malvertising evolution - The ad performs three checks before forwarding the victim to a malicious website.



  1. The user agent must be mobile-specific - The sites being targeted by the campaign are all optimized to be viewed primarily on a mobile device.
  2. Battery level must be between 20 and 76 percent - A device that is fully charged, on mains power or nearly flat looks more like an analysis box or emulator than a phone in someone's pocket, so those visitors are not redirected; this is done to avoid detection by scanners.
  3. An HTTP referrer must be present - Direct requests with no referrer are typical of security vendors' URL scanners, so those are skipped too.
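The gating logic above, reconstructed in Python as an added example (this is not code from the campaign or from the article), together with the differential check a scanner needs in order to see through it: fetch the same creative under several device profiles and flag the ad when the destinations differ. The thresholds come from the article; the mobile user-agent pattern, the example domains and the toy ad server are assumptions for the example.

```python
import re

# Cloaking gate as described in the three checks above. The 20-76% battery
# window is from the article; the UA pattern and destinations are assumptions.
MOBILE_UA = re.compile(r"Android|iPhone|iPad|Mobile", re.IGNORECASE)
BATTERY_MIN, BATTERY_MAX = 0.20, 0.76


def malvertiser_gate(user_agent: str, battery_level: float, referrer: str) -> bool:
    """Return True only when all three anti-analysis checks pass, i.e. when the
    ad would forward this visitor to the malicious landing page."""
    if not MOBILE_UA.search(user_agent or ""):
        return False                      # desktop UA: most URL scanners
    if not (BATTERY_MIN <= battery_level <= BATTERY_MAX):
        return False                      # full/empty battery: emulator or analysis box
    if not referrer:
        return False                      # no referrer: direct fetch by a scanner
    return True


def serve_ad(profile: dict) -> str:
    """Toy ad server (constructed): decoy for scanners, real destination for victims."""
    if malvertiser_gate(profile["ua"], profile["battery"], profile["referrer"]):
        return "https://bad.example/landing"   # assumed malicious destination
    return "https://benign.example/ad"         # decoy everyone else gets


def detect_cloaking(fetch, probes: dict):
    """Differential check: request the same creative under several device
    profiles. If the destinations disagree, the ad is gating on the profile."""
    results = {name: fetch(profile) for name, profile in probes.items()}
    return len(set(results.values())) > 1, results


# Constructed probe profiles. Battery is the W3C Battery API 'level' (0.0-1.0);
# a browser without the API is modelled as 1.0, which is what a plugged-in
# desktop reports anyway.
PROBES = {
    # A typical URL scanner: desktop UA, no referrer, no battery API
    "scanner_default": {"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                        "battery": 1.0, "referrer": ""},
    # Headless browser with a mobile UA but a freshly charged battery
    "headless_mobile": {"ua": "Mozilla/5.0 (Linux; Android 8.0; Pixel 2) Mobile",
                        "battery": 1.0, "referrer": "https://news.example/"},
    # Emulate a real phone mid-charge arriving from a publisher page
    "emulated_victim": {"ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) Mobile/15E148",
                        "battery": 0.55, "referrer": "https://news.example/"},
}

if __name__ == "__main__":
    cloaked, results = detect_cloaking(serve_ad, PROBES)
    for name, dest in results.items():
        print(f"{name:18} -> {dest}")
    print("cloaking detected:", cloaked)
```

The practical lesson for anyone running an ad or URL scanner is the third probe: a mobile user agent on its own is not enough, the scanner also has to present a plausible battery level and a referrer, and it should always compare results across profiles rather than trusting a single fetch.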


https://www.scmagazine.com/home/security-news/assault-and-battery-malvertising-campaign-checks-user-device-charge-as-anti-detection-technique/

Tuesday, October 30, 2018

Do you have a process to decommission your old apps/websites? Don't worry, even some Fortune 500 companies forget. Here are some scary stats.



  • 70% of FT Global 500 firms have access to some of their websites being sold on dark web marketplaces.
  • 92% of external web applications have exploitable security flaws or weaknesses.
  • 19% of the companies examined have unprotected external cloud storage.
  • 27% of the U.S. companies have at least one external cloud storage location (e.g. an AWS S3 bucket) accessible from the internet without any authentication.
  • WordPress: 94% have the default admin location (the /wp-admin URL) not protected by any additional means.


https://threatpost.com/threatlist-dead-web-apps-haunt-70-percent-of-ft-500-firms/138659/

Monday, October 29, 2018

MISCONFIGURATION (in the cloud) leads to a "data breach" - that was yesterday's news. Today, threat actors have exploited misconfigured Docker hosts to deliver cryptomining malware.


The attacks weren't the result of the Docker engine being compromised, or of problems within Docker's enterprise platform; they were the result of misconfiguration at the administrator level.

The attackers typically used the misconfiguration to create Docker containers through exposed API ports, then:

  1. installed the wget package using the system package manager,
  2. used wget to download an auto-deployment script,
  3. converted the script from DOS to Unix line endings,
  4. set the executable permission on the script, and
  5. ran the script.

To prevent similar attacks, the researchers recommend that organizations: harden their security posture; ensure that container images are authenticated, signed, and pulled from a trusted registry; enforce the principle of least privilege; limit the resources containers are allowed to use; and enable Docker's built-in security features to help defend against threats.
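The two things a practitioner will want to check after reading this are whether the Engine API is reachable over TCP without client certificates, and whether the containers already running look like the one the attackers created (root, privileged, no resource limits). The Python below is an added example, not code from the article or from Docker: it audits a parsed daemon.json and a `docker inspect` record against those recommendations. The daemon.json keys (hosts, tlsverify, userns-remap, no-new-privileges) and the inspect fields (HostConfig.Privileged, Memory, NanoCpus, PidsLimit, CapAdd, Binds, Config.User) are Docker's real names; the sample configurations, the certificate paths and the "/miner" container are constructed for the example.

```python
import json

# Constructed sample: a daemon.json that publishes the Engine API on every
# interface with no TLS, the misconfiguration the attackers abused.
DAEMON_JSON_EXPOSED = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
""")

# Constructed sample: a hardened daemon.json (client certificates required,
# user namespace remapping on, no-new-privileges by default). Paths are assumptions.
DAEMON_JSON_HARDENED = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "userns-remap": "default",
  "no-new-privileges": true
}
""")

# Constructed sample: the fields of `docker inspect` that matter, for a container
# created the way the article describes (root, privileged, no limits).
CONTAINER_MINER = {
    "Name": "/miner",
    "Config": {"User": "", "Image": "alpine:latest"},
    "HostConfig": {
        "Privileged": True,
        "Memory": 0,
        "NanoCpus": 0,
        "PidsLimit": 0,
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}


def audit_daemon_config(cfg: dict) -> list:
    """Return findings for a parsed /etc/docker/daemon.json."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are local; the risk is the TCP listener
        addr = host[len("tcp://"):]
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"Engine API bound to all interfaces: {host}")
        if not cfg.get("tlsverify"):
            findings.append(f"TCP API listener without tlsverify: {host}")
    if "userns-remap" not in cfg:
        findings.append("userns-remap not set: root inside a container is root on the host")
    if not cfg.get("no-new-privileges"):
        findings.append("no-new-privileges not enabled as a daemon default")
    return findings


def audit_container(inspect: dict) -> list:
    """Return findings for one `docker inspect` record (dict form)."""
    name = inspect.get("Name", "?")
    cfg = inspect.get("Config", {})
    hc = inspect.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    if not cfg.get("User"):
        findings.append(f"{name}: no User set, processes run as root")
    if not hc.get("Memory") or not hc.get("NanoCpus"):
        findings.append(f"{name}: no memory/CPU limit (a miner will take the whole host)")
    if not hc.get("PidsLimit"):
        findings.append(f"{name}: no pids limit (miner threads and fork bombs unbounded)")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"{name}: added capability {cap}")
    for bind in hc.get("Binds") or []:
        if bind.split(":", 1)[0] == "/var/run/docker.sock":
            findings.append(f"{name}: mounts the Docker socket, equivalent to root on the host")
    return findings


def audit(daemon_cfg: dict, containers: list) -> dict:
    """Aggregate findings per object so the result can feed a CI gate or ticket."""
    report = {"daemon": audit_daemon_config(daemon_cfg)}
    for c in containers:
        report[c.get("Name", "?")] = audit_container(c)
    return report


if __name__ == "__main__":
    for obj, items in audit(DAEMON_JSON_EXPOSED, [CONTAINER_MINER]).items():
        for finding in items:
            print(f"[{obj}] {finding}")
    print("hardened daemon findings:", audit_daemon_config(DAEMON_JSON_HARDENED))
```

On a live host you would feed `audit_daemon_config` the parsed contents of /etc/docker/daemon.json and `audit_container` the output of `docker inspect <id>` (which is a JSON list, one record per container). The Docker-socket bind check matters as much as the API listener: a container that can reach the socket can create a privileged container of its own, which is exactly the foothold the attackers used.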

https://www.scmagazine.com/home/security-news/cybercriminals-exploit-misconfigured-container-to-deliver-cryptominer/

Why is "security in the cloud" (your responsibility) important? Don't confuse it with "security of the cloud", which is the vendor's responsibility.


Nearly half – 46 percent – of 37,000 Twitter users polled by Armor over a 13-week period said they’ve put sensitive data in the cloud, while 41 percent said they’d do so in the next two years.

In addition, 47 percent did not understand what shared responsibility means in the realm of cloud security.

https://www.scmagazine.com/home/security-news/armoru-poll-finds-46-of-37k-twitter-users-have-put-sensitive-data-in-cloud/

Is it time to move away from "AppSec" to "Software Security"?


If you agree that the following statements are true:

  1. Software is the umbrella for anything written in code; an application is a component of software and just as vulnerable.
  2. Applications allow a user to perform a task or activity while software executes that task or activity.
  3. Application security came about as initial security testing focused on testing a running application, much like quality assurance testing, and ignored the back-end software components.
  4. If something is written in a coding language, then it needs to be tested to ensure it is secure. All software is written in a coding language.
  5. Software is the ecosystem of technology while applications are the entry point into that ecosystem.


These four priorities are a good place to start:

  1. Organizations need to move beyond the barriers and limitations of traditional gated security approaches and move to a new era of full visibility and control over their software exposure at any stage of the development life cycle.
  2. Proper and consistent training should be funded and provided across entire organizations.
  3. Remediation efforts need to be made into actionable insights that address vulnerabilities within the entire SDLC.
  4. Everyone that touches software and participates in the security of it needs to be forward thinking, forgetting the typical nuances of the past.



https://www.darkreading.com/attacks-breaches/appsec-is-dead-but-software-security-is-alive-and-well/a/d-id/1333096

Good news for Windows 10 users - Microsoft has built Windows Defender to run in a sandboxed environment.


With Windows Defender running in a restrictive process execution environment, attackers who break in are stuck inside the isolated environment and can't affect the rest of the system.

The feature is now available to Windows Insiders to test in upcoming versions of Windows 10. If you are not in the program and can't wait for Microsoft to release it in full, you can force-enable sandboxing on Windows 10 version 1703 and later by setting the machine-wide environment variable MP_FORCE_USE_SANDBOX to 1 (setx /M MP_FORCE_USE_SANDBOX 1 from an elevated prompt) and restarting; afterwards the content-parsing process MsMpEngCP.exe runs alongside the antimalware service MsMpEng.exe.

Windows Defender runs with high privileges to scan systems for malicious content; because of this, it's already a prime target for cyberattacks. If someone successfully exploits a bug in Windows Defender, an entire system can be taken over.



https://www.darkreading.com/analytics/windows-defender-first-full-antivirus-tool-to-run-in-a-sandbox/d/d-id/1333141

Friday, October 26, 2018

Can you rely on that little "green lock" in your browser? Not any more, if the following is true.


By the end of 2016, less than 1% of phishing attacks used web certificates (i.e. were served over HTTPS), says Alejandro Correa. By the end of 2017, that number had spiked to 30%.
"We expect by the end of this year more than half of attacks are [going to be] done using Web certificates," 

Web certificates provide a low-cost means for attackers to convince victims their malicious sites are legitimate, Correa explains. The padlock only says the connection is encrypted to whoever controls that domain name; it says nothing about whether the domain is the one you think it is, so train users to read the domain, not the icon.


https://www.darkreading.com/attacks-breaches/deepphish-simulating-malicious-ai-to-act-like-an-adversary/d/d-id/1333135

Thursday, October 25, 2018

Third-party apps may be reading your Gmail. If this doesn't bother you, ignore this message.


Third-party developers can read the content of your Gmail messages once you have granted their app the relevant authorization.

To review and reduce that exposure, use Google's Security Checkup.

To get to it, sign in to your Google Account (myaccount.google.com): click the grid of squares in the upper right corner, choose Account from the drop-down, then open the Security Checkup tab. The feature to note above the others is the list of third-party applications that have access to your data; revoke any you don't recognise or no longer use. The same screen shows the devices that have signed in to your account and whether any security events have occurred in the last 28 days.

https://www.hackread.com/third-party-apps-may-read-your-email-learn-how-to-protect/

Wednesday, October 24, 2018

When was the last time you verified your file backups? There is a new Windows zero-day flaw in the Microsoft Data Sharing service that could help attackers delete your files. It affects all versions of Windows 10, including the most recent update, in addition to Server 2016 and Server 2019.

The PoC shows that an attacker who already has access to the machine can delete files that normally require administrative privilege to delete.

https://www.darkreading.com/vulnerabilities---threats/twitter-user-discloses-second-microsoft-zero-day/d/d-id/1333115

Malware evolution - New downloaders (sLoad) can perform reconnaissance and then decide which malware to install.

The new sLoad banking trojan downloader gathers information about the infected system, including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. It also takes screenshots of the target machine.


Current targets are banks in Canada, the UK and Italy (this can expand)

https://threatpost.com/sload-banking-trojan-downloader-displays-sophisticated-recon-and-targeting/138542/

Tuesday, October 23, 2018

Here is something to consider during your next security awareness training

Top-Clicked Phishing Email Subjects for Q3 2018 




Holiday (active scam/phishing) season - Time for awareness re-training. Here is another useful article from Europol that you could use.

TIPS

  • Your bank (or most organizations, for that matter) will never ask you for sensitive information such as your online account credentials over the phone or by email.
  • If an offer sounds too good to be true, it's almost always a scam.
  • Check your online accounts regularly.
  • Check your bank account regularly and report any suspicious activity to your bank.
  • Perform online payments only on secure websites (check the URL bar for the padlock and https, and read the domain name, since a padlock alone does not prove the site is genuine) and over secure connections (choose a mobile network instead of public Wi-Fi).
  • Keep your personal information safe and secure.
  • Be very careful about how much personal information you share on social network sites. Fraudsters can use your information and pictures to create a fake identity or to target you with a scam.
  • If you think that you have provided your account details to a scammer, contact your bank immediately.
  • Always report any suspected fraud attempt to the police, even if you did not fall victim to the scam.

https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/take-control-of-your-digital-life-don’t-be-victim-of-cyber-scams

Monday, October 22, 2018

It is the start of the holiday season, which also means we will see an increase in scams and phishing attacks. It is time to re-educate all employees (mock phishing, awareness training). The link has a useful SANS "OUCH!" newsletter that you could circulate to your staff.

iPhone and cryptomining malware infection!! - A nearly 400% rise in attacks on iPhones was recorded in just the last two weeks of September.



Surprised? Why? After all, smartphones are also computers (and a good attack surface).

Cybercriminals are using the Coinhive mining malware to attack iPhones.

According to Check Point's latest Global Threat Index, Apple devices are being targeted more frequently in cryptomining malware attacks.

The inclusion of the Safari browser suggests this may not be an iPhone-only phenomenon and could well be a browser-based mining script; the report's mention of Coinhive reinforces that reading.

These attacks serve as a reminder that mobile devices are quite vulnerable to attack but are often ignored by organizations as a probable attack surface. It is therefore imperative that mobile devices are comprehensively protected with a reliable threat prevention solution.

https://www.hackread.com/hackers-hit-iphones-with-cryptomining-malware/

Friday, October 19, 2018

Do you know how cybercriminals steal your personal info? Here are five common, but unexpected, ways that cybercriminals try to get this information from you, and how to stop them.



  1. Surveys and Games - If you give this information to unknown sites or post it publicly on social media, you're actually sharing answers to the typical security questions used by banks (for example).
  2. Old Devices - When you get rid of or give away outdated equipment, make sure you delete all your personal information first by wiping it clean.
  3. Fake Job Postings
  4. Social Media and Dating Sites - Beware of "friend" requests from people you don't know.
  5. Offline Shenanigans - Shoulder surfing, eavesdropping, or accessing your mailbox.




https://www.getcybersafe.gc.ca/cnt/blg/pst-20181016-en.aspx

FreeRTOS riddled with severe vulnerabilities - Why care? Because there is a high possibility that you own one of the IoT devices (including those from Amazon) running this OS.



The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems, leak information from the devices’ memory, and take them over.


FreeRTOS and SafeRTOS, for their part, “have been used in a wide variety of industries: IoT, Aerospace, Medical, Automotive, and more,” according to the company’s post. “Due to the high risk nature of devices in some of these industries, zLabs decided to take a look at the connectivity components that are paired with these OS’s. Clearly, devices that have connectivity to the outside world are at a higher degree of risk of being attacked.”


https://threatpost.com/aws-freertos-bugs-allow-compromise-of-iot-devices/138455/

Thursday, October 18, 2018

Medical Marijuana - The Infographic might surprise you

Collaboration is good but, are you aware of some of the risks these integrations bring?



Here are seven of them



  1. API - APIs are the programming glue that holds collaboration systems together in cohesive architectures for specific groups and applications. The trouble is, history shows that this glue can develop cracks that allow hackers to attack the components at the point where they're joined. Consider a zero-trust architecture in which every component and API must authenticate at each transaction.
  2. Encryption Errors - A zero-trust architecture requires encryption within the collaboration application, rather than simply around the application. And the storage systems where data from the collaboration system is kept should be encrypted if that data is at all sensitive to the organization.
  3. Mobile Apps - Even when the software is legitimate, the actions of the user may not be. Phishing, smishing (credential-hunting via SMS), and whishing (the same, via WhatsApp) are all threats that can hit companies that have taken care with all of the app-based vulnerabilities of their mobile devices. While these may not directly use the collaboration system, once credentials are compromised through one of the "-ishing" methods, the credentials for the collaboration system should be considered compromised as well.
  4. Privilege Escalation - Users inherit their privilege level from AD, LDAP, or whatever directory system the organization uses. That works well in many situations, but the nature of projects and collaboration means there can be privilege mismatches. Worse, a privilege escalation attack on one side of the application/OS equation can mean increased vulnerability on the other side as well.
  5. Third-Party Vulnerabilities - Every third-party integration brings with it whatever vulnerabilities exist within those third-party tools. The issue for the IT department may well be creating rules for expansion that cover ad-hoc employee experiments and the conditions for their safe deployment.
  6. Voice Control - Voice assistants are always listening, which means they are always vulnerable to exploits that let unauthorized listeners hear privileged conversations.
  7. Web - Where there are web browsers there are web applications, and where there are web applications there are vulnerabilities.


https://www.darkreading.com/application-security/7-ways-a-collaboration-system-could-wreck-your-it-security/d/d-id/1333064?image_number=1

Wednesday, October 10, 2018

Time to update WhatsApp? - WhatsApp has patched a vulnerability in its smartphone code that could have been exploited by miscreants to crash a victim's chat app simply by placing a call.



"This issue can occur when a WhatsApp user accepts a call from a malicious peer," Silvanovich explained. "It affects both the Android and iPhone clients."

The bad news is that Google's Project Zero unsealed the bug details before the 90-day disclosure deadline was up, because it believed a patch was already available.

https://www.theregister.co.uk/2018/10/09/whatsapp_patches_security_bug/

Thursday, October 4, 2018

Chinese spy chips found in hardware used by Apple and Amazon? - Both vendors say "No".



Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines.

Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China


https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Wednesday, October 3, 2018

Monday, October 1, 2018

Be vigilant - Voice phishing scams are becoming harder to tell apart from genuine calls. However, old-school best practices still help: never give out your PIN or any security information over the phone; hang up and call back on the number printed on your card or statement.



Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.

https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/

Beware - The FBI and DHS issued a joint warning to consumers and businesses on the increasing use of the Remote Desktop Protocol (RDP) administration tool as an attack vector.


The two agencies said CrySiS, CryptON and SamSam ransomware have all been spread through RDP attacks. CrySiS has mainly been used against U.S. businesses with computers that have open RDP ports: attackers use brute-force and dictionary attacks to gain unauthorized remote access, then drop CrySiS onto the device and demand a ransom.


Recommendations to protect a system included:

  • Enforce strong passwords and account lockout policies to defend against brute-force attacks.
  • Apply two-factor authentication where possible.
  • Apply system and software updates regularly.
  • Maintain a good backup strategy.
  • Disable the service if it is not needed, or install available patches.
  • Enable logging and ensure the logging mechanisms capture RDP logins (on Windows, Security events 4624/4625 with logon type 10).
  • Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
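Logging RDP logins only helps if something reads the logs. The Python below is an added example (not from the FBI/DHS alert or the article) of the detection a SOC would run over those events: a sliding window over failed RemoteInteractive logons (event 4625, logon type 10) per source IP, with a second, higher-severity alert when a success (4624, type 10) follows from an IP that was already brute-forcing. The event IDs and logon type are the real Windows values; the flattened one-line log format, the threshold and window, and the sample events (documentation IP ranges) are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, one per line, reduced to
# the fields the detection needs. 4625 = failed logon, 4624 = successful logon;
# LogonType 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = """\
2018-10-01T03:12:01 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2018-10-01T03:12:03 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2018-10-01T03:12:06 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.5
2018-10-01T03:12:09 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.5
2018-10-01T03:12:11 EventID=4625 LogonType=10 TargetUser=sqlservice IpAddress=203.0.113.5
2018-10-01T03:12:14 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2018-10-01T03:14:40 EventID=4624 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2018-10-01T08:30:00 EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.7
2018-10-01T08:30:20 EventID=4624 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.7
2018-10-01T09:00:00 EventID=4624 LogonType=2 TargetUser=jsmith IpAddress=127.0.0.1
"""


def parse_event(line: str) -> dict:
    """Parse one flattened event line into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def detect_rdp_bruteforce(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window detector. `threshold` failed RDP logons from one source IP
    inside `window` raises a 'bruteforce' alert (once per IP); a later RDP
    success from a flagged IP raises 'bruteforce_success', the one to page on."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> timestamps of recent 4625/type-10 events
    users = defaultdict(set)      # ip -> accounts tried, useful context in the alert
    flagged = set()
    alerts = []
    for ev in events:
        if ev.get("LogonType") != "10":
            continue              # console/service logons are out of scope here
        ip = ev["IpAddress"]
        if ev["EventID"] == "4625":
            q = recent[ip]
            q.append(ev["ts"])
            users[ip].add(ev["TargetUser"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()       # expire failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "bruteforce", "ip": ip, "ts": ev["ts"],
                               "users": sorted(users[ip])})
        elif ev["EventID"] == "4624" and ip in flagged:
            alerts.append({"kind": "bruteforce_success", "ip": ip, "ts": ev["ts"],
                           "users": [ev["TargetUser"]]})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{a['ts'].isoformat()} {a['kind']:18} src={a['ip']} "
              f"accounts={','.join(a['users'])}")
```

The single failure from 198.51.100.7 followed by a success is what a user mistyping a password looks like and produces nothing; the burst from 203.0.113.5 across several account names followed by a success is the CrySiS pattern described above and produces both alerts. In production the threshold and window belong in the account-lockout policy as well, so that the brute force is stopped, not just observed.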


https://www.scmagazine.com/home/news/rdp-attacks-on-the-rise-warns-fbi-dhs/