The most commonly observed threat category for the week is vulnerabilities. Security researchers keep identifying new vulnerabilities in various products. Once a vulnerability is identified, they report it to the corresponding vendor, who then releases an update with a patch. It is important to keep up to date with patches to be protected against these vulnerabilities.
Figure 1: Threat Categories
The following graph represents the trend in different cyber threats compared to the previous week.
Windows Systems Vulnerable to FragmentSmack, 90s-Like DoS Bug (September 15, 2018)
Microsoft released a security advisory about a denial-of-service vulnerability that could render multiple versions of Windows completely unresponsive and, the company says, has no mitigating factors. The vulnerability affects all versions of Windows 7 through 10 (including 8.1 RT), Server 2008, 2012 and 2016, and Server Core installations that do not have the latest set of security updates released as part of the September 2018 patch release. Tagged with the identifier CVE-2018-5391, the bug received the moniker FragmentSmack because it relates to IP fragmentation, the process that splits a packet into pieces so that it fits the maximum transmission unit (MTU) at the receiving end.
Recommendation: Microsoft recommends disabling packet reassembly if the latest patches cannot be applied.
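Where disabling reassembly is not an option, the next best thing is to notice a fragment flood early. The script below is an added example for this briefing, not code from Microsoft or from the advisory: it runs over a constructed list of fragment records (the kind a capture tool could export) and flags any source that leaves many reassembly groups unfinished, which is the condition FragmentSmack-style floods create. The record fields, the 30-second window and the alert threshold are assumptions chosen for the example.

```python
"""Detect sources that pile up incomplete IP reassembly groups.

Added example for this briefing, not code from Microsoft or from the
advisory. It works on a constructed list of fragment records of the kind a
capture tool could export; the record fields, the timeout and the alert
threshold are assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ts: float       # capture time, seconds
    src: str        # source IP address
    dst: str        # destination IP address
    ip_id: int      # IP Identification field, shared by all fragments of one datagram
    offset: int     # fragment offset in bytes
    length: int     # payload length of this fragment in bytes
    mf: bool        # More Fragments flag (False on the last fragment)


REASSEMBLY_TIMEOUT = 30.0   # assumed: seconds a host keeps an unfinished group
INCOMPLETE_LIMIT = 50       # assumed: unfinished groups per source before alerting


def is_complete(frags):
    """True when the fragments cover the datagram contiguously from offset 0
    up to a final fragment with MF clear."""
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in ordered:
        if f.offset != expected:
            return False        # gap or overlap: the host is still waiting for data
        expected = f.offset + f.length
    return not ordered[-1].mf   # last piece must have MF clear


def incomplete_groups(frags, now):
    """Count unfinished reassembly groups per source among the fragments
    still inside the reassembly window at time `now`."""
    groups = defaultdict(list)
    for f in frags:
        if now - f.ts <= REASSEMBLY_TIMEOUT:
            groups[(f.src, f.dst, f.ip_id)].append(f)
    counts = defaultdict(int)
    for (src, _dst, _ip_id), fs in groups.items():
        if not is_complete(fs):
            counts[src] += 1
    return dict(counts)


def flag_sources(frags, now):
    """Return the sources whose unfinished-group count reaches the limit."""
    return sorted(src for src, n in incomplete_groups(frags, now).items()
                  if n >= INCOMPLETE_LIMIT)


# Constructed sample: one normal host completing two datagrams, and one host
# sending 60 orphan fragments (never offset 0, MF always set) that can never
# be reassembled and only occupy queue slots until they time out.
SAMPLE = [
    Fragment(90.0, "10.0.0.5", "10.0.0.1", 1, 0, 1480, True),
    Fragment(90.1, "10.0.0.5", "10.0.0.1", 1, 1480, 520, False),
    Fragment(91.0, "10.0.0.5", "10.0.0.1", 2, 0, 1480, True),
    Fragment(91.1, "10.0.0.5", "10.0.0.1", 2, 1480, 1480, True),
    Fragment(91.2, "10.0.0.5", "10.0.0.1", 2, 2960, 100, False),
] + [
    Fragment(95.0 + i * 0.01, "10.0.0.66", "10.0.0.1", 1000 + i, 8, 8, True)
    for i in range(60)
]

if __name__ == "__main__":
    print(incomplete_groups(SAMPLE, now=100.0))   # {'10.0.0.66': 60}
    print(flag_sources(SAMPLE, now=100.0))        # ['10.0.0.66']
```

The per-source count is what matters: a single unfinished group is normal packet loss, while dozens of groups that never see a first fragment are a queue being deliberately filled. Tune the window to whatever your kernel's reassembly timeout is.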
New CSS Attack Restarts an iPhone or Freezes a Mac (September 15, 2018)
A new attack has been discovered that causes iOS to restart or respring and macOS to freeze simply by visiting a web page containing certain CSS and HTML. Windows and Linux users are not affected by this bug. The attack was discovered by Sabri Haddouche, a security researcher at Wire, who devised a way to quickly exhaust an Apple device’s resources so that it crashes when visiting the page.
Recommendation: There is no fix for this bug at the current time, so be careful about clicking unknown links.
Files Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs (September 12, 2018)
A security researcher has discovered a serious vulnerability that could allow attackers to spoof website addresses in the Microsoft Edge web browser for Windows and Apple Safari for iOS. While Microsoft fixed the address bar URL spoofing vulnerability last month as part of its monthly security updates, Safari is still unpatched, potentially leaving Apple users vulnerable to phishing attacks.
Recommendation: Apply the patch as soon as it is available.
References: The Hacker News
Tags: Vulnerabilities, Spoofing
Files With 42 Million Emails and Passwords Found On Free Hosting Service (September 13, 2018)
A huge database with email addresses, passwords in clear text, and partial credit card data has been uploaded to a free, public hosting service. The total number of unique email addresses and plain text passwords in the collection is 41,826,763 and they were uploaded to the anonymous file hosting service kayo.moe. The operator of the sharing service sent the set to Troy Hunt, Australian security researcher and creator of the Have I Been Pwned data breach index site, to compare it and check whether it was the result of an unknown data breach.
Recommendation: Rotating passwords periodically helps protect against these types of attacks. Using a password manager that generates a strong, unique password for every site you visit and turning on two-factor authentication (where possible) are also recommended.
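A practical way to act on a dump like this is to check whether a password already appears in a breach corpus without ever sending the password anywhere. The script below is an added example, not code from Troy Hunt or from Have I Been Pwned; it follows the k-anonymity scheme of the Pwned Passwords range API, where only the first five hex characters of the SHA-1 hash leave the machine and the match is made locally against the returned list of suffixes. The range responses and the counts in it are constructed for the example; `fetch_range` shows the live call but is not invoked.

```python
"""Check a password against a breach corpus without revealing it.

Added example, not code from Troy Hunt or from Have I Been Pwned. It
follows the k-anonymity scheme of the Pwned Passwords range API: only the
first five hex characters of the SHA-1 hash leave the machine, and the
matching is done locally on the returned suffix list. The range responses
below are constructed for the example; the counts are made up.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint; not called offline


def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text):
    """Parse 'SUFFIX:COUNT' lines into a dict of suffix -> count."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


# Constructed stand-in for the API: a tiny cache for one prefix. The first
# suffix is the real SHA-1 tail of "password"; both counts are invented.
LOCAL_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
             "003D68EB55068C33ACE09247EE4C639306B:3\n",
}


def fetch_range(prefix):
    """Live lookup of one 5-char prefix (unused in the offline demo)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, lookup=LOCAL_RANGES.get):
    """Times the password appears in the corpus, 0 if never.
    `lookup(prefix)` returns the range text or None; pass fetch_range for real use."""
    prefix, suffix = split_hash(password)
    text = lookup(prefix)
    if not text:
        return 0
    return parse_range(text).get(suffix, 0)


def is_acceptable(password):
    """Policy used here: reject anything that has been seen in a breach at all."""
    return breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("password", "abc"):
        print(candidate, breach_count(candidate), is_acceptable(candidate))
```

Because the server only ever sees a five-character prefix, each query matches a few hundred hashes on average, and the server cannot tell which one the client was interested in. The same check belongs in a password-change flow, where it stops users from picking a password that is already in a public dump.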
Feedify Hacked with Magecart Information Stealing Script (September 12, 2018)
Recommendation: Keep your systems updated with the latest patches.
Mirai, Gafgyt IoT Botnets Reach To the Enterprise Sector (September 11, 2018)
Mirai and Gafgyt, two of the best-known IoT botnets, have forked once again, with the new variants eyeing the enterprise sector to create or replenish their resources for distributed denial-of-service attacks. The code for both malware families reached the public a few years back, and aspiring cybercriminals began spawning their own revisions. Most of the time there is nothing interesting about the mutations, but the latest variants show a predilection for business devices.
Recommendation: Keep your systems updated with the latest patches and periodically scan for vulnerabilities.
Mongo Lock Attack Ransoming Deleted MongoDB Databases (September 11, 2018)
An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom to get the contents back. While this new campaign uses a name to identify itself, these types of attacks are not new, and MongoDB databases have been targeted for a while. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to find unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.
Recommendation: Enable authentication and do not allow these databases to be reachable from the Internet.
References: Bleeping Computer
Tags: Database, Campaign
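Both halves of that recommendation map to two keys in `mongod.conf`: `security.authorization` and `net.bindIp`. The script below is an added example, not MongoDB's own tooling: it shows a weak configuration next to a hardened one and audits either with a small parser for the indented `key: value` layout mongod uses (no lists or anchors). The two sample configurations are constructed for the example; the key names are the real mongod ones.

```python
"""Audit a mongod.conf for the two settings Mongo Lock relies on being absent.

Added example, not MongoDB's own tooling. It reads the YAML-style config
with a small parser that handles the nested key: value layout mongod uses
(no lists or anchors), then reports if authorization is off or the server
listens on every interface. The two sample configs are constructed.
"""

WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from anywhere, and no credentials required
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # local clients only; remote access goes through a VPN or firewall
security:
  authorization: enabled # every client must authenticate and is limited to its roles
"""


def parse_conf(text):
    """Minimal parser for indented 'key: value' maps; nesting follows indentation."""
    root = {}
    stack = [(-1, root)]            # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while indent <= stack[-1][0]:           # dedent: close finished maps
            stack.pop()
        parent = stack[-1][1]
        if value == "":                         # 'key:' opens a nested map
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': any client that "
                        "reaches the port can read, drop and recreate databases")
    net = conf.get("net", {})
    if net.get("bindIpAll") == "true":
        findings.append("net.bindIpAll is true: listening on every interface")
    bind = net.get("bindIp")
    if bind is None:
        findings.append("net.bindIp is not set: confirm this build defaults to localhost")
    else:
        wild = {a.strip() for a in bind.split(",")} & WILDCARD_BINDS
        if wild:
            findings.append(f"net.bindIp includes {sorted(wild)}: exposed on all interfaces")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "OK")
```

Run it against the real `/etc/mongod.conf` by reading the file into `parse_conf`. Binding to localhost is the part that removes the server from Shodan-style scans; enabling authorization is what limits the damage if the port is ever exposed anyway, so both findings should be cleared rather than just one.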
CTI (Cyber Threat Intelligence) Labs @ Marlabs continuously strives to improve its products and services. You can help by sending your valuable feedback at the following email: firstname.lastname@example.org
Weekly Threat Briefing
DISCLAIMER: This product is provided “as is” for informational purposes only. Marlabs does not provide any warranties of any kind regarding any information contained within. Marlabs does not endorse any commercial product or service referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a community. TLP: GREEN information may not be released outside of the community.