Author Archives: admin

New Method of Attack Abuses PowerPoint Slide Show

A new attack method has been discovered that abuses the CVE-2017-0199 vulnerability. CVE-2017-0199 was originally a zero-day remote code execution vulnerability that used a flaw within Microsoft Office to execute malware embedded within a malicious Rich Text Format (RTF) file. The original flaw existed within the Windows Object Linking and Embedding (OLE) interface of Microsoft Office.

A new exploitation method has been discovered that uses a PowerPoint slideshow. The exploit arrives as an attachment to an email purporting to come from an internet service provider, as part of a spear-phishing campaign. When opened it displays the text “CVE-2017-8570”, which is the identifier of a different Microsoft Office vulnerability. CVE-2017-0199 is then exploited using a moniker script that downloads a second-stage binary from a remote command and control server. This binary finally downloads a Remote Access Trojan (RAT) and executes it.

Previously, the detection rate for this threat was high, but attackers are now able to evade detection through use of the new PPSX attack vector.

Affected Platforms:

Microsoft Windows – all versions

Resolution:

  • Ensure staff awareness of phishing attacks. Awareness campaigns should be provided and regularly refreshed to keep employees apprised of the latest phishing techniques.
  • Patch systems regularly with the latest security updates. Microsoft already addressed this vulnerability in April; users with up-to-date patches are safe from these attacks.





Globe Imposter 2.0 Ransomware

A new version of the Globe Imposter ransomware has been identified (Globe Imposter 2.0). This new version is the second release of the encryption trojan. It has the same ransom note and encryption standards as the previous version. It aims to avoid detection by communicating via multiple email accounts and servers on the TOR network.

Globe Imposter is distributed via spam emails carrying fake invoices that convince the user to open a macro-enabled Microsoft Word file. Once opened, the Globe Imposter 2.0 ransomware is installed in a random folder within the AppData directory and begins searching for accessible storage devices and removable media to encrypt.

Affected Platforms:

Microsoft Windows – all versions

Recommended Action:

To avoid becoming infected with ransomware, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts, and that permissions are always assigned on the basis of least privilege.





JavaScript Backdoor – Bateleur

A new JavaScript backdoor has been observed in recent attacks by Carbanak, an Advanced Persistent Threat (APT) group.

The backdoor is considered adaptable and versatile. Bateleur contains many features, including anti-sandbox and anti-analysis functionality, retrieval of infected system information, listing of running processes, execution of custom commands and PowerShell scripts, loading of .exe and .dll (Dynamic Link Library) files, taking screenshots, and uninstalling and updating itself.

Furthermore, Bateleur may also have the ability to steal passwords, although this requires an additional module from its C2 (command and control) server.

Affected Platforms:

Microsoft Windows – all versions

Recommended Action:

Ensure anti-virus is kept up to date.

As the backdoor has only just been detailed, detection may be low and will have been non-existent in the past, hence retrospective hunting on indicators in historic logs is recommended.

A full-spectrum IPS/IDS deployment would also mitigate the risk through active detection capabilities, as would a mature Security Operations Centre.

Network segregation is advisable, as it would prohibit lateral movement across corporate networks – hindering an attacker’s ability to access sensitive information from multiple parts of the business.





Microsoft Office Outlook Memory Corruption Vulnerability

Affected Platforms

All versions of Microsoft Office (Outlook) across all platforms

Description

A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted email messages. An attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.

The security update addresses the vulnerability by correcting the way that Microsoft Outlook parses specially crafted email messages.

Remediation

Review and apply the updates described in Microsoft's guidance for CVE-2017-8663.





Google Chrome Update 60.0.3112.80

Google has released Chrome OS version 60.0.3112.80 for Chrome devices to address multiple vulnerabilities. Exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review the Google Chrome blog entry “Stable Channel Update for Chrome OS” and apply the necessary update.





New Variant Of The Feodo Banking Trojan – Emotet Trojan

A new variant of the Feodo banking trojan called Emotet has been identified. It has refined its operation in a number of areas including its ability to spread, prevent analysis and act as a backdoor to further malware installation.

This trojan is distributed through mass spam email campaigns that include an attached macro-enabled Word document. The email and attachment reportedly claim to be an invoice, but upon opening the document the malware is dropped onto the system.

Emotet is capable of intercepting encrypted communications by performing a Man-in-the-Browser (MitB) attack, capturing log-in credentials for banking and social media accounts, infecting the system with further malware and stealing money from the compromised bank account(s). Email contacts on the infected system are harvested, allowing targeted campaigns against the contacts of the system’s owner.

It also attempts to spread laterally over the network by brute-forcing the passwords of any accounts visible to it, including on network shares and other network locations, and then dropping a self-extracting RAR file onto the compromised host, thus spreading and starting the cycle again.

When the malware detects that it is operating in a sandbox or virtual environment it alters its behaviour to prevent proper analysis and research. It is reported that its behaviour also changes based on geographical location; in the UK it has been seen dropping the Dridex banking trojan on infected systems.

Affected Platforms:

Microsoft Windows – all versions

Recommended Action:

  • Monitor network and proxy logs for indicators of compromise.
  • Never open email attachments or links from untrusted sources. If an email looks suspicious the user should try to make contact with the sender by other means to verify their identity.
  • Ensure malware definitions are kept up-to-date.
  • Make sure that cyber-awareness training is kept up-to-date.
  • Ensure that macros are disabled by default.
  • Enforce strong password policies on all accounts.





SMBloris – Zero-Day SMB Vulnerability

A new zero-day vulnerability has been found during research into the EternalBlue exploit released by the Shadow Brokers Team. It was discovered that SMBv1 handles allocation of non-paged pool memory in a way that can be abused. SMB allocation works by allowing the client to tell the server the size of the buffer it plans to send; the server then reserves a buffer of this size in memory.

The SMBloris exploit works by requesting a large buffer size but never sending the content, leaving the memory reserved. With enough of these connections, the memory pool quickly fills up, denying memory to other resources until it is totally exhausted. At this point the server crashes so severely that the device is not even capable of displaying a blue screen of death (BSoD): there are not enough resources left to generate the error page, so the server simply freezes and is unable to recover.

Affected Platforms:

Microsoft Windows SMBv1

Recommended Actions:

Restrict access to TCP/445 from untrusted networks.

Disable SMBv1.
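The two recommended actions above, as an added PowerShell example that is not part of the original advisory: it audits and disables the SMBv1 server protocol, then scopes inbound TCP/445 to a trusted range. $TrustedRange is an assumed placeholder to be replaced with your own internal subnets; the script must run elevated on Windows 8 / Server 2012 or later.

```powershell
#Requires -RunAsAdministrator
# Added example: disable SMBv1 and restrict TCP/445 to trusted networks.
$TrustedRange = '10.0.0.0/8'   # placeholder: replace with your trusted subnet(s)

# 1. Record the SMBv1 state before making changes (useful for audit evidence).
$before = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host "SMBv1 server protocol enabled before: $before"

# 2. Turn off the SMBv1 server protocol at the SMB service level.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Remove the SMB1 optional feature where it is installed (Win 8.1 / 2012 R2+).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 4. Restrict TCP/445. Windows Firewall drops unmatched inbound traffic when the
#    default inbound action is Block, so the goal is to ensure the only Allow
#    rules for 445 are scoped to the trusted range.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# Scope the built-in SMB allow rule(s) to the trusted range instead of "Any".
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -RemoteAddress $TrustedRange

# Add an explicit, clearly named allow rule for the trusted range only.
$ruleName = 'SMB (TCP/445) from trusted networks only'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $TrustedRange -Action Allow | Out-Null
}

# 5. Confirm the end state.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Disabling the optional feature takes effect after a reboot; the Set-SmbServerConfiguration change applies immediately.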





Blocking poneytelecom.eu

You may have found this page because you're getting hacked from a rev.poneytelecom.eu address or you're receiving spam from this address range; you may even have found it due to it hosting malicious content.

Poney Telecom is an internet server company run from France that has been at the centre of multiple allegations of organised international criminal activity for a few years, with all warnings, court summons and legal demands to close ignored.

I personally have seen portscans that come from a rev.poneytelecom.eu address, and I have also seen malware that has been hosted via them.

Just take a look at the chat on Twitter against the hashtag #poneytelecom; it is mostly people complaining about hacking attempts.

There is more info here and here

Hosts To Block

Although there may be many genuine users on this system, I have taken action and blocked all their ranges.






55th Anniversary Of The First Public Satellite Television Broadcast

Sunday 23 July 2017 marks the 55th anniversary of the first public satellite television broadcast from the United States to Britain and mainland Europe.

The Telstar 1 communications satellite revolutionised popular entertainment and represented a turning point that would see us become reliant on space in ways that were unimaginable in 1962. From weather forecasting to banking to communications and navigating in our cars, space is now part of our everyday lives.

The first 20-minute broadcast started a couple of minutes ahead of schedule as soon as Telstar came into range and opened with footage of a baseball game between the Philadelphia Phillies and the Chicago Cubs before switching to President John F. Kennedy’s press conference in Washington, D.C.

Although only operational for a few months and relaying brief television signals, Telstar captured the imagination of the world. The transmission in 1962, which was sent to the Goonhilly Satellite Earth Station in Cornwall, has evolved into the global communications network of today.

Space is now vital to our economy, security and well-being. In the UK the thriving space industry contributes over £13.7 billion to the economy and employs more than 38,000 workers. The UK is a global leader in satellite telecommunications, and in the growing commercial applications of space.




At the Council of Ministers in Lucerne, Switzerland, in December 2016, the UK pledged €319 million over the next four years to telecommunications projects with industry through ARTES, including partnerships with businesses on innovative telecoms services.

One of those partnerships, with UK company Inmarsat, saw €31 million invested in IRIS, which uses satellite communications to enable safer air traffic control across Europe while reducing CO2 emissions and airline costs.

Another €60 million was for developing the commercial use of space data through Integrated Applications. UK Space Agency funding will connect businesses across the economy with solutions for common problems that could benefit from the unique vantage point of space. UK companies have used IAP funding to develop telemedicine services to aircraft, to advise farmers on crop fertilization, and to guide energy providers to target waste collection in communities.

This investment ensures the UK remains at the forefront of new technologies and builds on the strength of the UK's growing space industry.




Tech Innovators Urged To Use Their Skills To Tackle UK Terror Threat

Up to £2 million is to be made available to unlock innovation and fast-track new technology to combat the next generation of terrorist threat.

The UK is already renowned for its world-leading academics, researchers, engineers and technology developers, but today the Government is urging these talented individuals to come together and further support our work to keep the public safe.

In his speech Security Minister Ben Wallace is expected to say:

“Society must come together to defeat terrorism which is why I am delighted to see representatives here from businesses from across the country who take seriously the need to protect the public.

“In light of the horrific attacks in London and Manchester, the Government has committed to review its counter-terror strategy and further to this I am announcing today that we are making up to £2 million available to fund research into cutting edge technology and behavioural science projects designed to keep people safe in crowds.

“The threat from terror does not stand still so neither will we, which is why we are calling on the best and the brightest from the science and technology sector to come forward with their ideas and proposals to support our ongoing work to keep people safe.”

The competition is being run in a partnership between the Home Office and the Defence and Security Accelerator, with support from the Royal Society. The competition is seeking research proposals from the country’s brightest talents for innovative or novel ideas to reduce the threat from terrorist attacks using weapons or explosives.

This competition forms part of the science and technology programme within the Government’s current counter-terrorism strategy.



Head of the Defence and Security Accelerator, Lucy Mason, said:

“The terrible terrorist attacks in London and Manchester shocked and appalled all of us. Protecting people from terrorism is something we can all do, industry and academics and public servants.

“We don’t have all the answers. So we must bring together the brightest minds from the private sector, and academia to help find solutions to help keep our country and people safe and secure.

“The Defence and Security Accelerator exists to help government find and exploit game-changing ideas to help the security services and police stay one step ahead of those who threaten our safety. By funding and fast tracking the development of real solutions, we help to bring the innovation community together, rapidly.

“So today I reach out to our innovation community to be part of something bigger and show their support for their country. I’d encourage anyone who feels they have a great idea that can help keep our crowded areas safe to visit our website for more information on this competition.”

Vice-President of the Royal Society, Professor Alex Halliday, said:

“Research and innovation are key to improving lives in so many ways. That includes finding new ways to fight terrorist threats.

“I am sure the ingenuity of the UK’s innovators will deliver new technologies that will help make us all safer.”