Bookmark this page

• Facebook Takes $3 Billion Hit, Anticipating FTC Fine (InfoRiskToday)
  Source: SANS ISC InfoSec News FeedPublished on 2019-04-25
• Confidence in the internet is wobbling: Here’s how to fix it, says cyber chief (ZDNet)
  Source: SANS ISC InfoSec News FeedPublished on 2019-04-25
• Microsoft wants to kill Windows password expiration policy (TechRepublic)
  Source: SANS ISC InfoSec News FeedPublished on 2019-04-25
• Businesses hit with 235% more cyberthreats this year (TechRepublic)
  Source: SANS ISC InfoSec News FeedPublished on 2019-04-25
• Microsoft’s Edge on Apple’s macOS? It’s more likely than you think for new browser
  Chromium base should ease porting pains substantially Microsoft may be closer to its first Mac browser in 14 years.…
  Source: The RegisterPublished on 2019-04-25
• Blochainbandit stole $54 million of Ethereum by guessing weak keys
  Someone has been quietly pilfering Ethereum (ETH) cryptocurrency worth millions of dollars without anyone noticing or, apparently, caring.
  Source: Naked SecurityPublished on 2019-04-25
• Emotet Adds New Evasion Technique and Uses Connected Devices as Proxy C&C Servers
  by Marco Dela Vega, Jeanne Jocson and Mark Manahan Over the years, Emotet, the banking malware discovered by Trend Micro in 2014, has continued to be a prevalent and costly threat. The United States government estimates that an Emotet incident takes an organization US $1 million to remediate. Unfortunately, it is a widespread and particularly resilient malware. Its authors have continuously updated it with new capabilities, new distribution techniques, and more. Recently, an analysis of Emotet traffic has revealed that new samples use a different POST-infection traffic than previous versions. It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in command and control traffic is an attempt by Emotet authors to evade detection. These discoveries also show that the malware is being used to compromise and collect vulnerable connected devices, which could become resources for other malicious purposes. Arrival via spam Emotet typically arrives on a victim’s system via spam mail. In the beginning of April, samples of Emotet show that the malware still spreads via spam, but with the help of the trojan downloader Powload. The spam messages trick users into downloading malicious files by claiming that an invoice is attached in the email. The attachment is a ZIP file that can be opened with the 4-digit password included in the body of the email. A look into the ZIP file shows that it contains variants of Powload (detected as Trojan.W97M.POWLOAD). If the user enters the password, the file uses Powershell to download an executable file, which is Emotet’s payload. Figure 1. Example of an Emotet spam mail; samples show mail written in many different languages Changes in POST-infection traffic The wave of Emotet samples using new POST-infection traffic has been monitored since March 15, 2019. As mentioned previously, Emotet has undergone many changes since it was first discovered; but this is the first time we have seen this particular POST-infection traffic technique. Figure 2. New Emotet post-infection HTTP Post request traffic Previous connections from Emotet did not use a URI path, but the newer samples show randomized words and a randomized number used as a URI directory path (see Figure 2). These random words in the URI path help the malware evade network-based detection. An empty URI path is a red flag, so this technique helps the traffic appear more legitimate to security solutions. Below is a list of random words used in the URI path, found in the new sample. We can also see these same words in the Emotet executable file. Figure 3. Decrypted dump with list of words to be used in the URI Apart from the URI path, the data in the HTTP POST message body has also changed. Previous Emotet samples typically used an HTTP GET request to send victim information to the C&C server, and the data is stored in the Cookie header. The data
  Source: TrendLabs Security Intelligence BlogPublished on 2019-04-25
• Court enforces need for warrant before police can access your real-time phone location (ZDNet)
  Source: SANS ISC InfoSec News FeedPublished on 2019-04-25
• Windows 10: Microsoft ditches its ‘ancient, obsolete’ expiring password policy (ZDNet)
  Source: SANS ISC InfoSec News FeedPublished on 2019-04-25
• It’s your what in a box? Here’s a thing to make your bosses think about malware responses (The Register)
  Source: SANS ISC InfoSec News FeedPublished on 2019-04-25