
This Week in Security News


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

 

Erebus Resurfaces as Linux Ransomware

On June 10, South Korean web hosting company NAYANA was hit by Erebus ransomware (detected by Trend Micro as RANSOM_ELFEREBUS.A), infecting 153 Linux servers and over 3,400 business websites the company hosts. 

AdGholas Malvertising Campaign Employs Astrum Exploit Kit

At the end of April this year, we found Astrum exploit kit employing Diffie-Hellman key exchange to prevent monitoring tools and researchers from replaying their traffic. As AdGholas started to push the exploit, we saw another evolution: Astrum using HTTPS to further obscure their malicious traffic.

The World’s Leading Bug Bounty Program Shares Inside Scoop

Customers of the TippingPoint Intrusion Prevention Systems and Threat Protection Systems know the ZDI as the group that buys 0-days so they have protections before the affected vendor releases a patch. Outside of those communities, there may be misconceptions about what happens behind the scenes. 

Cyber Attack at Honda Stops Production after WannaCry Worm Strikes

The WannaCry worm is still alive. Honda said this week that it was forced to halt production for one day at its Sayama plant near Tokyo after finding the WannaCry ransomware in its computer network. This virus is the same one that infected over one million machines worldwide. 

Follow the Trail of BlackTech’s Cyber Espionage Campaigns

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. 

Servers Are Different When it comes to Ransomware and Advanced Attacks

Ransomware and other advanced attacks are the scourge of the modern IT security team. If allowed to gain access to your IT environment, these attacks could shut down the organization, denying access to mission critical applications & data for potentially days, or even indefinitely. 

Meet 5 of the World’s Most Dangerous Hacker Groups

Hacking has come a long way from the days of maladjusted teenagers wreaking digital havoc from their basements. Today the biggest and baddest hacker groups are backed by nation-states. They’re called “advanced persistent threats” or APTs. 

Bring Data Center Security to Cloud Speed

Trend Micro knew releasing Deep Security 10.0 was a milestone in many ways. The server security solution that stands the test of time was also the end of the traditional monolithic release cycle for our important software users. 

Traffic Cameras in Victoria Have Been Infected by WannaCry Ransomware

Approximately 55 traffic cameras in Victoria have been infected with the WannaCry ransomware, according to the Victorian department of justice. Intersection and highway cameras across the state have been affected by the malware, which caused chaos around the world.

Cybersecurity Job Market to Suffer Severe Workforce Shortage

The global cybercrime epidemic – predicted to cost the world $6 trillion annually by 2021 – is creating an unprecedented shortage of cybersecurity workers. These 10 facts, figures, statistics, and observations sum up the employment crisis – and offer a few ideas and programs that may help solve the problem. 

Girl Scouts Will Soon Earn Badges in Cybersecurity

Girl Scouts as young as 5 are to be offered the chance to earn their first-ever cyber security badges. U.S. Girl Scouts who master the required skills can attach to their uniform’s sash the first of 18 cybersecurity badges that will be rolled out in September 2018.

Please add your thoughts in the comments below or follow me on Twitter; @JonLClay.


TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 19, 2017


Yesterday I celebrated my 29th birthday (again) and it was great to celebrate with friends, family, and coworkers. They say age is just a number, and I truly believe that. Unfortunately, we live in a world where laws require us to count numbers so that it can be determined if we can vote, drink, rent a car, and even retire from the workforce.

In our cyber security world, we love to count. In the world of the Zero Day Initiative (ZDI), the number of vulnerabilities disclosed so far in 2017 is just a number, but it’s a really big number! Last year, the ZDI publicly disclosed a record 690 vulnerabilities covering almost 50 vendors. As of the publishing of this blog, the number currently stands at 441! Is this the year we hit 1,000? Only time will tell. In the meantime, I invite you to take a sneak peek into the inner workings of the ZDI by reading Dustin Childs’ blog: The Inside Scoop on the World’s Leading Bug Bounty Program.

Adobe Security Updates

This week’s Digital Vaccine (DV) package includes coverage for Adobe updates released on or before June 13, 2017. The following table maps Digital Vaccine filters to the Adobe updates. Filters marked with an (*) shipped prior to this DV package, providing zero-day protection for our customers. You can get more detailed information on this month’s security updates from Dustin Childs’ June 2017 Security Update Review from the Zero Day Initiative:

Bulletin #    CVE #            Digital Vaccine Filter #    Status
APSB17-17     CVE-2017-3075    *28094
APSB17-17     CVE-2017-3076    28656
APSB17-17     CVE-2017-3077    28669
APSB17-17     CVE-2017-3078    28657
APSB17-17     CVE-2017-3079    28658
APSB17-17     CVE-2017-3081    28659
APSB17-17     CVE-2017-3082    28660
APSB17-17     CVE-2017-3083    28661
APSB17-17     CVE-2017-3084    28662

 

Zero-Day Filters

There are 24 new zero-day filters covering four vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (16)

  • 28654: ZDI-CAN-4733: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28660: HTTP: Adobe Flash determinePreferredLocales Memory Corruption Vulnerability (ZDI-17-408)
  • 28661: HTTP: Adobe Flash Profile Objects Use-After-Free Vulnerability (ZDI-17-406)
  • 28662: HTTP: Adobe Flash AdvertisingMetadata Use-After-Free Vulnerability (ZDI-17-407)
  • 28663: ZDI-CAN-4734: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28664: ZDI-CAN-4746: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28666: ZDI-CAN-4747: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28668: ZDI-CAN-4767: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28730: ZDI-CAN-4827: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28731: ZDI-CAN-4828: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28732: ZDI-CAN-4829: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28733: ZDI-CAN-4830: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28734: ZDI-CAN-4842: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28735: ZDI-CAN-4843: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28736: ZDI-CAN-4844: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28741: ZDI-CAN-4854: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC) 

Hewlett Packard Enterprise (3)

  • 28633: HTTP: HPE Network Automation FileServlet Information Disclosure Vulnerability (ZDI-17-330)
  • 28634: HTTPS: HPE Network Automation FileServlet Information Disclosure Vulnerability (ZDI-17-330)
  • 28740: ZDI-CAN-4853: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management) 

Microsoft (2)

  • 28729: ZDI-CAN-4826: Zero Day Initiative Vulnerability (Microsoft Chakra)
  • 28737: ZDI-CAN-4845: Zero Day Initiative Vulnerability (Microsoft Office Word) 

Trend Micro (3)

  • 28535: HTTPS: Trend Micro InterScan Web Security testConfiguration Command Injection (ZDI-17-232)
  • 28723: ZDI-CAN-4780: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28724: ZDI-CAN-4784-4785,4805: Zero Day Initiative Vulnerability (Trend Micro Mobile Security) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

As Cities Get Smarter, So Should Their Security

By 2020, smart cities will include 9.7 billion connected IoT devices


Today, more urban centers than ever are implementing a range of advanced technological systems. These sensors and networks used in combination with citizens' mobile devices create smarter cities capable of reduced pollution, increased safety, better engagement with residents and more accessible transportation options. As the majority of the world's population – 65 percent – will call a city home by 2040, these IoT-centered, city-wide initiatives are well worth the investment.

At the same time, however, as cities grow more intelligent, so do malicious actors – there are now a plethora of threats that must be considered and addressed in order to ensure that smart city systems remain secure. Local governments and city planners must work to bolster their digital security alongside their technological capabilities.

What exactly are 'smart cities?'

It's a question worth asking, especially as smart city initiatives continue to be publicized around the world. A smart city is an urban area that leverages technological devices and strategies – including sensors, automation, monitoring systems, video and audio recording, wireless communications, and other IoT platforms – to streamline the management and government of the municipality and its citizens. These technologies work in conjunction with traffic lights, water and other utility systems, transportation and social media.

According to eGovInnovation, there are several cities around the world that fall under the smart city umbrella, including London, Singapore, Seoul and Barcelona. What's more, smart city projects are popping up in other metropolitan areas around the world.

Gartner predicted that by 2020, smart cities will include 9.7 billion connected IoT devices, including those for use in health care, public services, commercial buildings, smart homes, transportation and other areas.

Sao Paulo paves the way for South American smart cities

One of the most recent developments in the smart city sector comes out of Sao Paulo, Brazil. In early June 2017, ZDNet contributor Angelica Mari reported that the city's mayor, Joao Doria Jr., presented plans that would make Sao Paulo the largest smart city in the country.


"We aim to make Sao Paulo a global capital, not a province – and that includes making it a digital city," Doria said of his smart city vision. "Public services provision will be completely digital … People will no longer have to physically be there to ask for any kind of service as they will be able to request what they need via their computer or smartphone."

Streamlining access to city services is only the first step in creating Sao Paulo's digitized future. Doria and the city's government also created a new position – Secretary of Innovation and Technology – to help ensure smart city initiatives remain a top priority. In addition to other tasks critical to the overall strategy, this individual will spearhead the process of digitizing the official government gazette. Doria noted that while this is a small step, it is definitely an impactful one that will enable the city to save $3 million each year.

Sao Paulo will also see the installation of 10,000 advanced surveillance cameras throughout the city. The first phase of deployment included 1,560 new cameras placed in high-crime areas. There are also plans for drone investments to support the city's police.

"These are high-quality drones … with high-resolution cameras, these are not toys," Doria said.

Smart cities see rising digital threats

Although these advanced systems can support tangible and impactful advantages – such as higher security, reduced response times to crime and emergencies, as well as overall savings of cities' often tight financial resources – a greater number of connected systems also results in more digital threats.

In fact, according to Dark Reading contributor Todd Thibodeaux, only 12 percent of city governments feel strongly about the resources they have in place to respond to cyber crime. The examples of what can go wrong have been earning public attention for years now – including the hack of an emergency siren system in Dallas in early 2017 and the infiltration of a water dam in New York in 2015.

Securing smart cities

In order to ensure the smart systems cities invest in are able to deliver the benefits they promise, government officials must work to put the right security precautions in place during the installation, configuration and launch processes. These efforts begin with the underlying network that smart city IoT devices and other systems will be connected to.

"Protection begins with building a resilient infrastructure," Thibodeaux wrote. "Including additional layers of security can help mitigate the fallout from a cyber attack on one system and ensure associated services continue to function. Steps like incorporating end-to-end encryption, using blockchain technology, or deploying decentralized applications are also strategies to consider using when securing essential municipal services."

In addition, those in charge of the smart city initiative should heavily investigate the service level agreements of the vendors they work with. This includes checking that service providers are able to guarantee data privacy – especially where it concerns the personal information of citizens – and that the provider has a dedicated response team that can assist in the event of an issue.

Furthermore, before smart city devices are rolled out, in-depth inspection and penetration testing must be completed. This proactive step ensures that, if there are any security issues present within a system, they can be pinpointed and addressed before the system goes live throughout the city. Government officials can hire independent contractors to perform these tests, and should create a schedule for tests to take place on a regular basis.

For more information about the security measures smart cities should have in place, check out this checklist from Trend Micro.

The Law of Unintended Outbreak – Who Is at Risk from Petya?

Cyber crime can impact individual users and businesses anywhere in the world.

Hot on the heels of the global WannaCry outbreak in May, yesterday saw a wave of what looked like copycat malware sweeping the globe again. However, on closer inspection there may be more to this than meets the eye, more than a simple new variant of an already established ransomware borrowing propagation techniques from WannaCry.

The attack itself certainly seems to have been originally planned as a targeted attack, originating with a compromise of Ukrainian accounting software MEDoc’s update infrastructure (seemingly admitted on their website but categorically denied by MEDoc on Facebook). This island-hopping attack, starting with a smaller software vendor whose product is mandated for companies paying taxes in Ukraine, may well have been targeted specifically at that country. However, as with every notionally targeted attack, there has been collateral damage.

The fact that the malware was set to wait five days before triggering on the 27th June, a day before a Ukrainian public holiday celebrating the ratification of its new constitution in 1996, also lends circumstantial weight to the proposition that the attack was targeted primarily at victims in Ukraine.

Disruption?

Some of the prominent global victims named so far, WPP, Maersk and Saint-Gobain for example, all have offices and operations in Ukraine and are likely users of MEDoc; some have even posted job ads for accounting specialists with MEDoc skills. Rosneft, Russia’s state-owned oil company, although not necessarily a corporate user of MEDoc, still has a presence in Ukraine and thus may be exposed to MEDoc within its network.

It seems that this cyber-attack is following the law of unintended consequences, with the victim population very rapidly spreading outside of Ukraine and encompassing organisations and partners of organisations who have a presence in Ukraine.

Money?

The creators of this particular malware, borrowing code from Petya, reusing exploits abused by WannaCry, adding password hash harvesting and two further network propagation techniques, and using code obfuscation and fake Microsoft certificates, are clearly skilled and experienced. The possibility of this latest outbreak being traditional financially-motivated online crime seems obvious, at least at surface level, but for one thing: the ransom payment mechanism.

Why does the payment mechanism rely on a single hard-coded Bitcoin wallet, and the transmission of an email containing the victim’s bitcoin wallet ID and “personal installation key” (a handy 69 characters that can’t be copy/pasted) to an email address that was always going to be rapidly shut down by the entirely reputable hosting company Posteo based in Berlin? It’s almost as if the creators never intended to reap the financial rewards…

Am I vulnerable?

So far, all the highly-effective propagation mechanisms are finely-tuned for internal network-based spread at a rapid pace. There does not appear to have been a major external facing campaign to deliver this payload beyond the user base of MEDoc software.

If your organisation has a presence in Ukraine, or has immediate partners who do business in Ukraine, then you should consider yourselves directly at risk. Outside of this immediate group, while your risk level from this particular attack drops significantly, there’s no such thing as a cast iron guarantee and it only takes one device on your network to start a devastating outbreak. The six degrees of Kevin Bacon after all demonstrates how few links apart we all are (my own Bacon number is 3).

For technical details about this outbreak and advice on how best to mitigate please see our constantly updated Petya (2017) Ransomware Attack Information and our FAQ. For a technical analysis of the malware in question, have a look at our Security Intelligence blog.

For general advice on ransomware and access to free industrywide decryption tools, please visit nomoreransom.org.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 26, 2017


The late 70s/early 80s American television show Three’s Company was one of my favorite shows growing up. The central theme of the show revolved around the lives of three roommates. Each episode usually involved a misunderstanding, then chaos would ensue. In the end, everything would turn out okay. Unfortunately, this week’s episode of “ransomware in the news” isn’t over – there are still misunderstandings about the latest attack named “Petya,” even on what to call it!

This past Tuesday, a ransomware attack similar to WannaCry shut down computers all over the world. It was initially thought that this new attack was an updated version of Petya from 2016. Others said it was a whole new malware that had Petya characteristics. Even further, now there is speculation that it’s not ransomware at all – that its objective was to permanently destroy data. No extortion – just destruction – and no happy ending to this week’s episode.

Trend Micro TippingPoint continues to actively review the situation in order to recommend coverage for customers using TippingPoint solutions. As of this blog posting, we have verified the vulnerability Digital Vaccine® (DV) filters listed in the table below, which protect against the propagation of the Petya ransomware:

 

CVE Number       DV Filter(s)    Category           Default Deployment    Comments
CVE-2017-0144,   27298           Vulnerabilities    Disabled              SMB: Microsoft Windows SMB Remote Code Execution Vulnerability (EternalBlue)
CVE-2017-0146
CVE-2017-0147    27931           Vulnerabilities    Disabled              SMB: Microsoft Windows SMBv1 Information Disclosure Vulnerability (EternalRomance)

 

Customers who wish to enforce generic policy at the network perimeter can use the following security policy filter to block all inbound SMBv1 traffic:

 

CVE Number       DV Filter(s)    Category           Default Deployment    Comments
None             28471           Security Policy    Disabled              SMB: SMBv1 Successful Protocol Negotiation
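The policy filter above triggers on a successful SMBv1 protocol negotiation, the event that precedes the SMB-based spread described in the Petya posts on this page. As an added illustration (not TippingPoint code and not the filter’s own logic), the Python below recognizes that condition from a NetBIOS-framed Negotiate request/response pair: the client offers dialects, and the server either accepts an SMBv1 dialect, refuses them all, or moves the session to SMB2. The sample frames are constructed, not captured traffic; field layouts follow the SMB1 header and Negotiate message formats.

```python
import struct

# Wire constants from the SMB1/SMB2 message formats
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF   # DialectIndex meaning "none of the offered dialects accepted"
FLAGS_REPLY = 0x80    # SMB_FLAGS_REPLY bit in the SMB1 header Flags field


def strip_netbios(frame: bytes) -> bytes:
    """Remove the 4-byte NetBIOS session header (type byte + 3-byte big-endian length)."""
    if len(frame) < 4:
        raise ValueError("frame too short for a NetBIOS session header")
    length = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated NetBIOS session message")
    return body


def parse_smb1_header(body: bytes) -> dict:
    """Parse the fixed 32-byte SMBv1 header; raises if the message is not SMBv1."""
    if len(body) < 32 or body[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 message")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", body, 4)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "is_response": bool(flags & FLAGS_REPLY)}


def offered_dialects(request: bytes) -> list:
    """Dialect strings in a Negotiate request: each is 0x02 + NUL-terminated ASCII."""
    hdr = parse_smb1_header(request)
    if hdr["command"] != SMB_COM_NEGOTIATE or hdr["is_response"]:
        raise ValueError("not a Negotiate request")
    word_count = request[32]
    params_end = 33 + 2 * word_count
    byte_count = struct.unpack_from("<H", request, params_end)[0]
    data = request[params_end + 2:params_end + 2 + byte_count]
    return [chunk[1:].decode("ascii", "replace")
            for chunk in data.split(b"\x00") if chunk.startswith(b"\x02")]


def negotiated_dialect(request: bytes, response: bytes):
    """Name of the dialect the server accepted, or None if no SMBv1 dialect was chosen.

    A server that moves the conversation to SMB2 answers an SMBv1 Negotiate with an
    SMB2-framed response (0xFE 'SMB'), so that case also yields None.
    """
    if response[:4] == SMB2_MAGIC:
        return None
    hdr = parse_smb1_header(response)
    if hdr["command"] != SMB_COM_NEGOTIATE or not hdr["is_response"]:
        raise ValueError("not a Negotiate response")
    if response[32] == 0:          # WordCount 0: error reply, nothing negotiated
        return None
    dialect_index = struct.unpack_from("<H", response, 33)[0]
    if dialect_index == NO_DIALECT:
        return None
    dialects = offered_dialects(request)
    return dialects[dialect_index] if dialect_index < len(dialects) else None


def smb1_negotiated(request_frame: bytes, response_frame: bytes) -> bool:
    """True when the pair completed an SMBv1 negotiation: the session will run SMBv1."""
    dialect = negotiated_dialect(strip_netbios(request_frame), strip_netbios(response_frame))
    return dialect is not None and not dialect.startswith("SMB 2.")


# --- constructed sample frames (not captured traffic) --------------------------

def _netbios(smb: bytes) -> bytes:
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _smb1_header(command: int, response: bool) -> bytes:
    flags = FLAGS_REPLY if response else 0
    # magic(4) + command(1) + status(4) + flags(1) + flags2(2) + 20 bytes of PID/TID/UID/MID fields
    return SMB1_MAGIC + struct.pack("<BIBH", command, 0, flags, 0) + bytes(20)


def build_negotiate_request(dialects) -> bytes:
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE, False) + b"\x00"
                    + struct.pack("<H", len(data)) + data)


def build_negotiate_response(dialect_index: int) -> bytes:
    # 17-word NT LM 0.12 response; only DialectIndex matters here, the rest is zeroed
    words = struct.pack("<H", dialect_index) + bytes(32)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE, True) + bytes([17]) + words + bytes(2))


SMB2_NEGOTIATE_RESPONSE = _netbios(SMB2_MAGIC + bytes(60))   # server switched to SMB2
```

Run against a real capture, the pair to feed in is the first request and first reply on the TCP session; only a `True` result means SMBv1 is actually in use, which is what a perimeter block on SMBv1 negotiation is meant to stop.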

 

Customers with questions or who need technical assistance can contact the TippingPoint Technical Assistance Center (TAC). For further information related to Trend Micro’s response and our recommendations as a whole, please visit https://success.trendmicro.com/solution/1117665.

 

Zero-Day Filters

There are nine new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative web site.

 

Foxit (4)

  • 28746: ZDI-CAN-4721: Zero Day Initiative Vulnerability (Foxit Reader)
  • 28747: ZDI-CAN-4722: Zero Day Initiative Vulnerability (Foxit Reader)
  • 28748: ZDI-CAN-4723: Zero Day Initiative Vulnerability (Foxit Reader)
  • 28749: ZDI-CAN-4855: Zero Day Initiative Vulnerability (Foxit Reader)

 

Hewlett Packard Enterprise (1)

  • 28898: ZDI-CAN-4869: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)

 

Quest (4)

  • 28751: ZDI-CAN-4224,4225,4229-4235,4237,4286,4316: Zero Day Initiative Vulnerability (Quest NetVault Backup)
  • 28893: ZDI-CAN-4226-4228: Zero Day Initiative Vulnerability (Quest NetVault Backup)
  • 28894: ZDI-CAN-4238,4287,4289,4292,4294: Zero Day Initiative Vulnerability (Quest NetVault Backup)
  • 28896: ZDI-CAN-4752: Zero Day Initiative Vulnerability (Quest NetVault Backup)

 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

 

This Week in Security News


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

 

Petya Wreaks Havoc in the Wake of WannaCry

Hot on the heels of the global WannaCry outbreak in May, there’s been a wave of what looks like copycat malware sweeping the globe again. However, there may be more to this than meets the eye, more than a simple new variant of an already established ransomware borrowing propagation techniques.

As Cities Get Smarter, So Should Their Security

Today, more urban centers than ever are implementing a range of advanced technological systems. These sensors and networks used in combination with citizens’ mobile devices create smarter cities with a multitude of capabilities.

Large-Scale Petya Ransomware Attack Hit Europe

A large-scale ransomware attack caused by a variant of the Petya ransomware is currently hitting various users, particularly in Europe. This variant, which Trend Micro already detects as RANSOM_PETYA.SMA, is known to use both the EternalBlue exploit and the PsExec tool as infection vectors.

Information Stealer Found Hitting Israeli Hospitals

The abuse of shortcut (LNK) files is steadily gaining traction among cybercriminals. We’ve seen a plethora of threats that leverage malicious LNK files: from well-known ransomware families, backdoors typically deployed in targeted attacks and banking Trojans to spam emails and more.

Global Cyberattack Demanding Ransom Had Nothing to do with Money

Despite infecting thousands of computers, Petya, the so-called ransomware has generated just over $10,000 for the hackers, a tiny fraction of the cost of the damage inflicted on the affected companies. Experts believe the real attack is being camouflaged to deflect attention.

The Amount of Malware for Macs Is Continuing to Surge

Macs have always enjoyed a reputation as being virus-free. Apple’s famous “I’m a Mac” adverts played on it, comparing the constant security fears on Windows to the ease and safety of its OS X (now called MacOS) operating system. But that’s no longer the case.

It Costs About $400,000 to Influence an Election

About $400,000 is the sum it takes to buy followers on social media platforms like Facebook and Twitter, hire companies to write and disseminate fake news postings over a period of 12 months, and run sophisticated web sites to influence public opinion.

Bankers Are Hiring Cybersecurity Experts to Help Get Deals Done

Companies and investment funds are adding an extra layer of scrutiny to acquisitions by screening targets for cybersecurity risks, as global attacks raise awareness. Michael Bittan, head of Deloitte’s Cyber Risk Services unit in France said, “Cybersecurity is not about getting technical, it’s about business impact.”

There are 5 Things You Could Be Doing If You’re Failing at Cybersecurity

Cyberattacks are happening in every industry and organization size. Just read through your Twitter feed or turn on the news on any given day and you’ll see. It’s obvious that these attacks are increasing in number and sophistication, and I think we can all agree that this trend will continue. 

Please add your thoughts in the comments below or follow me on Twitter; @JonLClay.

The Real-World Impact of Bug Bounties and Vulnerability Research


Running the world’s largest vendor agnostic bug bounty program has afforded us the unique opportunity to purchase bugs of all varieties. The submissions to the Zero Day Initiative (ZDI) program range in severity from slightly annoying to hugely impactful. We wouldn’t have it any other way. Generally speaking, the goal of a bug bounty program is to acquire as many bugs as possible. What happens with the bugs once acquired changes depending on the bounty program. At the ZDI, we work not just to kill bugs, which is something we do at a higher rate than other organizations, but we also aim to disrupt the use of exploits used in advanced attacks.

Of course, detecting and defending against advanced persistent threats provides its own challenges. It’s rare that real-world scenarios are laid bare without a time of crisis response. Recently, the WikiLeaks dump of tools reportedly used by U.S. government agencies offered a prime example of the ZDI program altering attack methods. In fact, if the data provided by WikiLeaks is to be believed, the Central Intelligence Agency was forced to change their operational toolset for exploiting targets based on actions taken by the ZDI.

In 2010, the world was introduced to the Stuxnet virus after it caused substantial damage to centrifuges in the Iranian nuclear program. At its core, Stuxnet had three parts: a rootkit to hide itself, a worm to execute the main payload of its attack, and a link file that automatically executed to spread copies of the worm. Microsoft released several different security patches in response, including MS10-046, to address the vulnerability in link files. The patch enabled a whitelist check to ensure only approved files could be used, and many thought the implementation succeeded. However, according to the documents published on WikiLeaks, a tool called “EZCheese” exploited a similar bug in link files until 2015. That change resulted from a set of bugs coming through the ZDI program that showed the MS10-046 patch had failed. This forced a change of operational tactics to what was then an “unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system.” Although not explicitly stated by Microsoft, this other link file bug was likely corrected with the release of CVE-2017-8464.

According to the released documents, both EZCheese and its successor Brutal Kangaroo were designed to attack air-gapped networks similar to Stuxnet. What some may not realize is that the link file could also be hosted on a remote drive viewable by the target.

When the ZDI acquires a bug, it isn’t just reported to the vendor for remediation. Information about the bug is provided to Digital Vaccine® Labs (DVLabs) within Trend Micro. They produce a DV filter for the vulnerability that allows TippingPoint customers to protect themselves while the vendor develops a patch for broader release. And yes, after deploying this filter (Digital Vaccine Filter 19340), hits were seen in Europe, South America, and Singapore. While it’s impossible to know the intent or full circumstances surrounding these filters being triggered, the low quantity indicates these were likely targeted attacks.

Earlier dumps from ShadowBrokers show this isn’t the first case of this happening. The vulnerability used by the exploit referred to as “Ewok Frenzy” was submitted to the ZDI program back in 2007. Even though a patch was made available for the exploit, it was reportedly used for almost a decade after our initial disclosure. Bug bounties show their value when they successfully kill vulnerabilities. Without a doubt, the ZDI program kills bugs. In fact, we’ve released 452 advisories this year (as of July 5) with 413 more in our upcoming queue. Each one represents a bug exposed to the light. In some cases, the exploit techniques required to exploit a bug can also be filtered. For example, another vulnerability listed in the documents, EasyBee, worked in the same manner as Ewok Frenzy, so the implemented DV filter covered both attacks.

You can question the veracity of these dumps or whether these exploits were ever actually in the wild, but the scramble by vendors to produce patches has been undeniable. The dumps show adversaries have a complexity and sophistication that requires constant vigilance from network defenders. It also shows how dedicated vulnerability research combined with a world-class bug bounty program increases security for everyone by changing the attack surface. While it’s true there is a difference between zero-day vulnerabilities and zero-day attacks, the value of having protection against bugs prior to their disclosure can’t be measured. The number of software bugs disclosed globally continues to increase year after year. The Zero Day Initiative will continue acquiring and researching zero-day vulnerabilities and working with vendors to increase the overall security posture of their products. We might not ever eliminate all government sponsored, marsupial-based exploits, but we sure can make it harder on them.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of July 3, 2017


It has been quoted by Albert Einstein, Benjamin Franklin, and others that insanity is “doing the same thing over and over again and expecting different results.” I could say that in our world of cyber security, despite all the headlines about data breaches and ransomware, there is no “insanity.” Products we used 25 years ago probably can’t protect against the latest malware. Someone will reverse-engineer someone’s code and ultimately figure out how to evade a product’s protection mechanisms for detecting or blocking an attack. Entire segments of the cyber security industry exist because there is no insanity. Those who create malware or tools that exploit bugs don’t do the exact same thing over and over again. Once we’ve figured them out, they adjust, and then we adjust by making our products smarter – until the cycle starts again.

 

When Stuxnet hit in 2010, it made headlines as a new kind of attack with massive geopolitical consequences. Microsoft released several security patches in response, including MS10-046, to address the vulnerability in link (LNK) files. Now, with the WikiLeaks documents exposure, it appears that a tool called “EZCheese” exploited a similar bug in link files until 2015. That tool changed because a set of bugs discovered through the Zero Day Initiative program showed the original MS10-046 patch had not fully fixed the problem. This forced a change of operational tactics to what was then an “unknown link file vulnerability” in Microsoft Windows, which was likely corrected with the fix for CVE-2017-8464. According to the WikiLeaks released documents, both EZCheese and its successor Brutal Kangaroo were designed to attack air-gapped networks similar to Stuxnet. You can learn more on Brutal Kangaroo and the impact the Zero Day Initiative has had on the industry by reading Brian Gorenc’s commentary on his blog: The Real-World Impact of Bug Bounties and Vulnerability Research.

 

Zero-Day Filters

There are 23 new zero-day filters covering six vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative web site.

 

Adobe (3)

  • 28916: ZDI-CAN-4887: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28917: ZDI-CAN-4895: Zero Day Initiative Vulnerability (Adobe Flash)
  • 28924: ZDI-CAN-4756: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)

 

Foxit (1)

  • 28921: ZDI-CAN-4518: Zero Day Initiative Vulnerability (Foxit Reader)

 

Hewlett Packard Enterprise (11)

  • 28727: HTTPS: HPE Network Automation PermissionFilter Authentication Bypass Vulnerability (ZDI-17-332)
  • 28906: ZDI-CAN-4870: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
  • 28907: ZDI-CAN-4871: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
  • 28908: ZDI-CAN-4872: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
  • 28909: ZDI-CAN-4873: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
  • 28910: ZDI-CAN-4874: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
  • 28911: ZDI-CAN-4875: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
  • 28912: ZDI-CAN-4876: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
  • 28913: ZDI-CAN-4877: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
  • 28914: ZDI-CAN-4878: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
  • 28915: ZDI-CAN-4880: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)

 

Microsoft (6)

  • 28897: ZDI-CAN-4777: Zero Day Initiative Vulnerability (Microsoft Edge)
  • 28918: ZDI-CAN-4886: Zero Day Initiative Vulnerability (Microsoft Chakra)
  • 28919: ZDI-CAN-4888: Zero Day Initiative Vulnerability (Microsoft Edge)
  • 28925: ZDI-CAN-4894: Zero Day Initiative Vulnerability (Microsoft Chakra)
  • 28981: ZDI-CAN-4910: Zero Day Initiative Vulnerability (Microsoft Chakra)
  • 28982: ZDI-CAN-4884: Zero Day Initiative Vulnerability (Microsoft Edge)

 

Schneider Electric (1)

  • 28920: HTTP: Schneider Electric U.motion Builder loadtemplate.php SQL Injection Vulnerability (ZDI-17-374)

 

Trend Micro (1)

  • 28900: HTTPS: Trend Micro InterScan Web Security delete_pac_files Command Injection (ZDI-17-229)

 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.


Five reasons you need to join an MSP program… today!


Managed service providers (MSPs) offer a broad set of services to their customers, including configuring, managing, maintaining, monitoring and securing increasingly complex IT environments. They also have a business to run, employees to manage, technician utilization to monitor, profits to grow, expenses to keep in check … the list goes on and on.

In working with our partners on a regular basis, we notice that a significant number of them are missing a huge opportunity by not partnering with or joining available MSP programs their vendors may offer. Just like the list above, there are countless reasons why you should already be doing so. However, for the sake of time, let’s look at five of the top benefits of joining an MSP program today.

1. Better margins

It is not uncommon for our partners to earn in excess of 100% profit margin on the security solutions they are providing to their customers as part of their managed service agreements, which is probably a much higher percentage than what you are earning now if you are just buying annual licenses when your customers’ licenses expire.

Let me explain how in two words: aggregate pricing. Put simply, MSP programs typically offer pricing on an aggregate seat count basis, which means that you are paying for licenses based on the total number of seats you currently manage across all of your clients. This can make a significant difference as your business grows and you move into cheaper and cheaper seat bands. To figure out just how much margin you are missing out on, ask your vendor how much it costs per seat in the lowest price band (typically five to 25 seats) vs. the cost per seat in the price band that represents your entire customer base. That difference is the extra margin you are missing out on.

2. Predictable revenue stream

Compared to the feast-or-famine nature of revenue in a break-fix business model, predictability is one of the primary benefits of being a managed service provider. Joining an MSP program helps you further streamline and predict both the revenue from your customers, as well as your service delivery costs.

This one is a bit of a twofer since you can more easily calculate revenue projections and do forecasting into the future. You can also calculate cost projections and get a much better understanding of the health and future growth potential of your business. The icing on the cake is that the value of your business increases as well as your revenue streams–a critical component of your exit strategy.

3. Multiple recurring revenue streams

The great thing about being an MSP is that you are forced to heavily focus on automation and repeatability since controlling costs directly impacts your bottom line. Once you’ve joined an MSP program, you will generally have the ability to create multiple recurring revenue streams if they have a broad product portfolio. Once you have created processes and trained your staff around the tools provided as part of the MSP program it’s very easy to “turn on” any additional products your vendor may offer across your entire customer base. This can be done in a very efficient and cost-effective manner, with each of these products representing an additional recurring revenue stream and more profit.

4. Moving from CapEx to OpEx

There may be some tax and accounting benefits to joining an MSP program and moving from purchasing annual licenses upfront for your customers to paying for licenses monthly or quarterly — or moving from CapEx to OpEx. The main benefit is the ability to recognize deductions completely in the current period vs. recognizing them over the useful life of an asset (that is, if you buy a three-year license and deduct it over those three years).

Disclaimer: We are a cybersecurity company, not tax experts. Therefore, we highly recommend discussing this with your accountant or tax professional to weigh the pros and cons and how it may affect your business specifically.

5. Elimination of renewals

Lastly, a good MSP program will give you complete control over license management and provisioning from a self-service portal. This allows you not only to provision licenses when you need them (think evening or weekend deployment when you forgot to place an order three days in advance), but also to eliminate all the hassles, complexity and costs associated with renewals. In essence, since you have complete control over the licenses, an expiration date is no longer necessary–you can simply cancel the license when you need to.

If you’ve never figured out what it costs you to track disparate expiration dates across your entire customer base for every product, to request quotes from your vendors, to create invoices for your customers, to follow-up on payments from your customers, and to submit payments to your vendors just to renew a product, then you probably should! Most partners we meet who go through this exercise are shocked to find out they often lose money on smaller customers because they did not factor the costs of renewing into their pricing or business model.

Although there are so many more reasons to join an MSP program as soon as possible, these are our top five reasons you should be seriously considering becoming part of one whenever and wherever possible amongst your vendors. Talk to your security vendor today to discuss the programs they have available to improve your margin, profit and growth.

What Can The Dark Web Teach Us About Enterprise Security?

By studying the Deep Web, organizations can get a better sense of the overall threat environment - and be more prepared to guard against emerging vulnerabilities and attacks.

Ever since the law enforcement takedown of the Silk Road underground marketplace in 2013, there has been increasing interest in the depth and breadth of the Deep Web. This portion of the internet has been largely shrouded from the public eye, representing an environment in which hackers can converse, share malicious code and strategies and make a profit from the information stolen during the ever-increasing cyber attacks taking place.

According to gathered statistics, the Deep Web contains an incredible amount of data – 7,500 terabytes, which, when compared with the surface web's 19 terabytes, is almost unbelievable. Thanks to a sharp increase in cyber criminal activity in recent years, this shadowy portion of the internet encompasses as much as 550 times more public information than that of the surface web. Trend Micro discovered 576,000 unique URLs during a two-year analysis of the Deep Web, collecting details on over 38 million individual events.


While the Deep Web is known as a haven for hacker activity, this isn't the only purpose it can serve. By studying the Deep Web, the types of users that leverage it and the processes and information they share, organizations can get a better sense of the overall threat environment – and be more prepared to guard against emerging vulnerabilities and attacks.

Start at the beginning: What is the Deep Web?

Before we delve any further into the lessons this section of the internet can teach us, it's important to understand what, exactly, the Deep Web is. Much of the public first learned about the Deep Web after the arrest of Ross Ulbricht, who went by the name Dread Pirate Roberts within the Silk Road underground community. Trend Micro noted that Ulbricht had built a billion-dollar digital marketplace in which money laundering and illegal drug trade took place. For these activities, Ulbricht was charged with narcotics trafficking and computer hacking conspiracy – among other things – and received two life sentences.

This headline-grabbing story drew considerable attention to the Deep Web, and many individuals and businesses were quick to learn as much as they could about a growing section of the internet not accessible through traditional means. As Trend Micro noted in the paper "Below the Surface: Exploring the Deep Web," while the Deep Web – and in particular the Dark Web, the portion of it reachable only through anonymizing networks such as TOR – was initially established to help provide users with a safe space away from censorship that hindered free speech, it eventually became a refuge for cyber crime.

"The Deep Web includes more than 200,000 websites containing 550 billion individual documents."

What takes place within the Deep Web?

Drug trafficking like that which occurred through the Silk Road market wasn't the only example of nefarious activity happening within the Deep Web. After all, with more than 200,000 websites containing 550 billion individual documents, it's clear the Deep Web is used for more than just trading illegal substances.

Through its analysis, Trend Micro discovered hackers take part in a whole host of other activities, including:

  • Selling and purchasing firearms.
  • Obtaining stolen identity information for fraudulent purposes.
  • Launching cyber crime operations through created malware samples.
  • Hiring contract hackers or even killers.

While the activities and transactions vary, all of them are dangerous pursuits.

Stolen data finds a home

Today, we're focusing on activities that can harm the enterprise community, especially the theft and sale of stolen information. When a data breach takes place within a company's infrastructure, the end goal is typically to steal as much information as possible. This can encompass details about the business's intellectual and physical property, as well as data about its employees and customers, such as banking details, health records and login credentials. After this data is stolen, hackers seek out underground marketplaces through which to sell the information, and the Deep Web represents the perfect place for those transactions to take place.

What's more, cyber criminals can choose the ways in which they'd like to sell their stolen data. This can include pricing items according to individual files or grouping documents into groups – stolen credit card numbers, for instance, can be sold per piece or as a package. In some cases, hackers prefer to gather as much information as possible and create profiles. This is typically preferred with stolen identities, where it's helpful to have a name, Social Security number, physical and email address alongside other details to complete the profile.

Studying the malware trade

In addition to selling the data gathered through malicious breaches, hackers also sell the infections through which a breach can take place. Learning about these activities is particularly helpful, as it can help researchers and business leaders discover emerging trends in hacking. Finding out the top-selling malware samples currently trending in the Deep Web, for example, can enable an organization to work proactively to guard against the specific risks cyber criminals are currently trading in.

Trend Micro discovered that not only are malware samples being bought and sold within the Deep Web, some even leverage the TOR network underpinning this portion of the internet to support the attacks they launch. Such was the case with the banking malware VAWTRAK, which spread through phishing emails. The malware communicated with C&C servers reachable through hard-coded TOR sites in order to send stolen information.

CryptoLocker represents another major malware family that hinges upon the Deep Web. This ransomware was particularly dangerous due to its ability to adjust the ransom notification page to different languages according to victims' locations.

As Trend Micro pointed out, VAWTRAK and CryptoLocker represent a pattern that is likely to continue into the future.

"Unfortunately, given all the benefits cyber criminals reap by hosting the more permanent parts of their infrastructures on TOR-hidden services, we believe we'll see more and more malware families shift to the Deep Web in the future," Trend Micro stated.

The Deep Web includes platforms for the sale and purchase of dangerous malware samples.
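Hard-coded hidden-service addresses like the ones VAWTRAK used are a durable indicator, because the operator cannot rotate them without rebuilding and redistributing the sample. The scanner below is an added example written for this page, not code from the Trend Micro research it follows. It pulls .onion addresses out of a sample's strings or a proxy log and, for the 56-character v3 format that Tor introduced after this research was written, verifies the embedded checksum defined in Tor's rend-spec-v3 so that random base32-looking junk is not reported as an indicator. The log lines and the 32-byte key used to build the sample address are constructed for the example.

```python
import base64
import hashlib
import re
from typing import Dict, List

# v2 addresses are 16 base32 characters, v3 addresses are 56 (alphabet a-z, 2-7).
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)


def v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    """rend-spec-v3: checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def make_v3_onion(pubkey: bytes) -> str:
    """Build a syntactically valid v3 address from a 32-byte public key. Used here
    only to construct test data; the key bytes below are arbitrary."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses encode a 32-byte ed25519 public key")
    raw = pubkey + v3_checksum(pubkey) + b"\x03"          # 32 + 2 + 1 = 35 bytes
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_v3(label: str) -> bool:
    """Decode a 56-character label and verify the version byte and the checksum,
    which weeds out typos, truncations and random base32-looking strings."""
    try:
        raw = base64.b32decode(label.upper())
    except Exception:
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    return raw[32:34] == v3_checksum(raw[:32], raw[34])


def extract_onions(text: str) -> List[Dict]:
    """Return every .onion address found in text with its version and, for v3,
    whether the checksum holds. v2 addresses carry no checksum, so 'valid' is None."""
    found = []
    for match in ONION_RE.finditer(text):
        label = match.group(1).lower()
        if len(label) == 56:
            found.append({"address": label + ".onion", "version": 3, "valid": is_valid_v3(label)})
        else:
            found.append({"address": label + ".onion", "version": 2, "valid": None})
    return found


# Constructed test data: an arbitrary key, a valid address built from it, and a copy
# with its first character altered (which corrupts the public key and so the checksum).
GOOD_V3 = make_v3_onion(b"\x01" * 32)
_label = GOOD_V3[:-len(".onion")]
BAD_V3 = ("b" if _label[0] != "b" else "c") + _label[1:] + ".onion"

# Constructed strings output / proxy log lines; not taken from any real sample.
SAMPLE = "\n".join([
    "POST http://" + GOOD_V3 + "/gate.php HTTP/1.1",
    "fallback http://" + BAD_V3 + "/gate.php",
    "legacy panel: abcdefghijklmnop.onion",
    "noise: example.onion is not an address",
])


def scan_sample() -> List[Dict]:
    """Run the extractor over the constructed sample."""
    return extract_onions(SAMPLE)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

Feed it the output of `strings` on a sample, a decoded configuration blob, or proxy logs; a v3 hit whose checksum fails is worth a second look rather than a block, since it usually means the address was carved from a truncated or obfuscated string.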

No one is off limits

Through its extensive research, Trend Micro also discovered that no single user or entity is considered prohibited when it comes to cyber attacks. In addition to selling and launching the malware needed for large-scale enterprise attacks, the Deep Web also offers up the tools necessary to attack prominent persons like celebrities, government leaders and other high-profile people. And the malicious activity doesn't stop there.

Trend Micro Senior Threat Researcher Marco Balduzzi explained that in order to best study cyber criminal happenings within the Deep Web, researchers simulated a malicious installation within TOR that leveraged an array of honeypots. These honeypots were created to expose certain vulnerabilities and hacker operations taking place within the created environment.

Researchers discovered several important insights, including that the Deep Web wasn't as guarded as some may believe – despite setting up a simulated environment only available to invited members, Trend Micro found that hackers had made the honeypot available through search engine queries.

What's more, cyber criminals began attacking those in their own circle.

"Our private marketplace was compromised nine times out of ten," Balduzzi reported. "The majority of these attacks added web shells to the server, giving the attacker the ability to run the system commands on our honeypot. This allowed the addition of other files, such as web mailers, defacement pages and phishing kits. Our key finding is that organizations operating in the Dark Web seem to be attacking each other."

Key takeaways from the Deep Web: Securing the enterprise

Overall, there are numerous insights the Deep Web can teach institutions about security:

  • The path from attack to profit: For some, it's difficult to understand the motivations that drive hackers' malicious activity. Taking a closer, yet safe look at the deep web helps show the financial portion of this puzzle, including how cyber criminals are able to trade in malware samples, stolen data and a whole host of other items. The Deep Web provides a place for hackers to buy up the infectious code needed to launch an attack, as well as a platform to sell the information gathered from that event.
  • Trends in malware trade: Because malware marketplaces abound within the Deep Web, studying this activity can help organizations be better prepared to protect themselves. A trend in ransomware sample sales, for instance, can demonstrate a need for improved monitoring to guard against the kind of suspicious activity that can point to an attack.
  • Law enforcement takes notice: Circling back to the story of the Silk Road, the time of unchecked malicious activity within the Deep Web is over. Now, law enforcement officials across the globe are working harder than ever to catch the perpetrators responsible for the illicit and dangerous activities within the Deep Web.

From an enterprise standpoint, the Deep Web is a worthy arena for threat intelligence, as Dark Reading contributor Jason Polancich pointed out.

"In other words, the Dark Web can be thought of as a small pond rich with prized game fish for an organization trying to bolster its defenses," Polancich wrote. "Find out what may have been stolen or used against you and improve your overall security posture to close that infiltration hole."

To find out more, contact the security experts at Trend Micro today.

Exploit Kit Attacks on the Rise as Astrum Emerges

Exploit kits like Astrum are poised for a comeback in the latter half of 2017.

While the cyber security industry noticed a reduction in exploit kit attacks during 2016 and into early 2017, these remain real threats that organizations must be aware of. Exploit kits typically follow a four-stage attack scenario, resulting in dangerous infections such as ransomware, Trojans and other malware.

The decline in exploit kit usage among hackers took an interesting turn recently with the resurgence of an older kit used to attack Windows system vulnerabilities. With this renewed attention on exploit kit attacks, now is the time for enterprises to shore up their protections and ensure overall security.

Attention on Astrum 

According to Trend Micro Fraud Researcher Joseph C. Chen, a powerful exploit kit known as Astrum, or Stegano, recently made its way back into the cyber attack limelight. What's more, due to the recent activity surrounding exploit kits – which we'll delve more into later – Astrum could be the infection strategy that fills the current vacuum in this attack landscape.

Researchers first spotted Astrum in late 2014, when it was used to target vulnerabilities in Adobe Flash, Microsoft Silverlight and, briefly, Java, as security researcher Kafeine reported. Chen noted that during its peak usage, Astrum was mainly leveraged by the AdGholas malvertising campaign, which spread an array of malicious infections, including banking Trojans.

Astrum is particularly dangerous because its payload is encrypted. The kit uses a secret key negotiated with each victim, which makes the infection harder to spot on the wire and, more recently, has been used to prevent researchers from replaying captured attack traffic: without the key, a recorded session cannot be decrypted to recover the exploit and payload. This puts a serious wrinkle in efforts to analyze attacks and build better proactive protection.

A lull in exploit kits: A look at the current landscape

As noted, Astrum's reappearance marks yet another interesting shift in the overall exploit kit landscape. While exploit kit attacks were taking place heavily during 2015 and the first half of 2016, the latter half of last year saw a significant change. Not only had well-known kits like Angler suddenly fallen off the map, exploit kit activity as a whole dropped to a fraction of its earlier volume during the later quarters of 2016.

"Exploit kits claimed responsibility for a total of 27 million detected attacks in 2015."

At their height, exploit kits were responsible for a total of 27 million detected attacks in 2015, while only about a third of that level – 8.8 million – was recorded by researchers last year.

One of the main reasons behind this shift is the rising efforts of law enforcement to cease exploit kit and other malicious activity. According to Trend Micro Technical Communications Researcher Giannina Escueta, law enforcement has proven to be one of the most powerful forces in the disruption of exploit kits.

After Russian authorities captured the author of the BlackHole exploit kit in 2013, Angler was established to fill the void. Angler topped the list for malicious exploit kits in 2015, with researchers noting that more than half of all attacks that year – 57.25 percent – could be traced back to the Angler kit.

Escueta noted the landscape saw a similar shift last year with widespread arrests by Russian authorities. After this event, recorded instances of Angler attacks dropped significantly. By 2016, exploit kit-dependent zero-day attacks dropped considerably, even with preferred targets like Internet Explorer and Java.

"Currently, most kits rely on outdated exploits, which translates to lower success rates," Escueta wrote in early 2017. "Although there is a lack of potent zero-days and slower integration of new vulnerabilities, exploit kits still remain a threat."

Astrum resurfaces

After an initial surge in 2014, Astrum activity was pretty quiet in recent years, especially as advanced, alternative kits like Angler, Nuclear and Rig became favored in the cyber attack community. However, as Chen pointed out, this doesn't mean that Astrum – or exploit kits in general – "are throwing in the towel."

In fact, it appears the opposite is true. Astrum was again identified by security researcher Kafeine on March 23, 2017, and was used to target a Windows vulnerability that had been patched a mere nine days earlier. That attack enabled cyber criminals to determine the specific antivirus protections being used, enabling them to improve Astrum to avoid these safeguards.

Astrum resurfaced again toward the end of April 2017, and did so with a purpose. Changes were made to this new version of the exploit kit, preventing security researchers from replaying malicious traffic.

"We found that this anti-replay feature was designed to abuse the Diffie-Hellman key exchange – a widely used algorithm for encrypting and securing network protocols," Chen wrote. "Implementing the Diffie-Hellman key exchange prevents malware analysts and security researchers from getting a hold of the secret key Astrum uses to encrypt and decrypt their payloads. Consequently, obtaining the original payload by solely capturing its network traffic can be very difficult."

Installing patches in a timely manner is a critical part of protecting against exploit kit attacks.
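The anti-replay property Chen describes follows directly from how Diffie-Hellman works, and the toy session below, an added example that is not code from the original post or from Astrum itself, shows both halves of it: a passive capture of the exchange leaves the analyst with only public values and ciphertext, while instrumenting the victim browser to log its private exponent recovers the payload. The group parameters, the SHA-256 key derivation and the counter-mode XOR cipher are stand-ins chosen for this example; Astrum's actual JavaScript and cipher are not reproduced here.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed toy group: a 64-bit prime (2^64 - 59) with base 2. Real deployments,
# and a kit abusing DH the way Astrum does, use 2048-bit or larger groups; the
# small size here only keeps the brute-force demonstration below fast.
P = 2**64 - 59
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair(p: int = P, g: int = G) -> Tuple[int, int]:
    """Return (private exponent, public value). Exponents are kept >= 2^40 so the
    bounded brute force in passive_decrypt() can never stumble on them."""
    priv = 2**40 + secrets.randbelow(p - 2 - 2**40)
    return priv, pow(g, priv, p)


def derive_key(shared_secret: int) -> bytes:
    """Hash the DH shared secret into a fixed-length key (stand-in KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(KEY_BYTES, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode XORed over the data. Not
    Astrum's cipher; it only models 'payload encrypted under a session key'.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def landing_page_exchange(payload: bytes) -> Tuple[Dict, int]:
    """Model one victim session. Returns what a passive sniffer can capture
    (public values and ciphertext) and the victim-side private exponent, which
    lives only in the browser's memory and never crosses the wire."""
    server_priv, server_pub = dh_keypair()
    client_priv, client_pub = dh_keypair()
    session_key = derive_key(pow(client_pub, server_priv, P))   # server side
    capture = {
        "p": P, "g": G,
        "server_pub": server_pub, "client_pub": client_pub,
        "ciphertext": keystream_xor(session_key, payload),
    }
    return capture, client_priv


def passive_decrypt(capture: Dict, max_tries: int = 200_000) -> Optional[bytes]:
    """Replaying the pcap alone: the only route to the key is solving the discrete
    log g^x = client_pub. A bounded brute force stands in for that; it fails here
    and is hopeless at real group sizes."""
    p, g = capture["p"], capture["g"]
    candidate = g                                   # g^1
    for x in range(1, max_tries + 1):
        if candidate == capture["client_pub"]:
            key = derive_key(pow(capture["server_pub"], x, p))
            return keystream_xor(key, capture["ciphertext"])
        candidate = candidate * g % p
    return None


def instrumented_decrypt(capture: Dict, client_priv: int) -> bytes:
    """With the client's private exponent (logged by a hooked browser or a
    breakpoint on the script that generates it), the session key follows
    immediately and the captured payload decrypts."""
    key = derive_key(pow(capture["server_pub"], client_priv, capture["p"]))
    return keystream_xor(key, capture["ciphertext"])


if __name__ == "__main__":
    cap, priv = landing_page_exchange(b"constructed exploit payload")
    print("passive replay:", passive_decrypt(cap))
    print("instrumented client:", instrumented_decrypt(cap, priv))
```

The practical consequence for a defender is that pcap-based tooling on its own cannot recover the payload. The key has to be captured at the endpoint (a hooked browser, a debugger breakpoint on the key-generating script, or a sandbox that records the script's variables), or the landing page has to be fetched live with a client you control, which is exactly the extra effort the kit authors were counting on.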

Laying the foundation: A need for enhanced protection

Although Astrum has only been observed a few times recently, this does not mean enterprises should be lax with their knowledge of and protection against exploit kit attacks. In fact, Chen predicted these initial Astrum attacks are likely the beginning of something bigger, and could represent test runs for future, more dangerous attacks.

In this way, enterprises must be especially vigilant when it comes to their cyber security. Exploit kits, and Astrum in particular, can result in an array of negative consequences for a business, including damage to the brand's reputation and high expenses related to extended downtime.

Thankfully, there are a few things companies can do to strengthen their security posture in this area. The first step is simply awareness – by being well-informed about the current exploit kit landscape, those in charge of the business's security are in a better position to identify and mitigate an attack.

It's also imperative that all identified system vulnerabilities are patched as soon as possible. As researchers observed with recent Astrum attacks, many hinge upon weaknesses that already have patches available. Regular updates can help keep exploit kits like Astrum at bay.

While it can be difficult to keep up with continuous updates, virtual patching is a helpful strategy to fill the gap. Virtual patching is a beneficial way to offset the time it takes to fully patch a system, keeping infrastructure and the enterprise safeguarded in the meantime. 

To find out more about safeguarding your organization against exploit kit attacks, contact the experts at Trend Micro today.

Not All Threats Are Created Equal


In today’s world, security teams are bombarded constantly with security events and threat information from multiple sources, making it impossible to address each threat with the same amount of urgency. Where does one even start? We know every threat should be addressed, but not all threats are created equal. How do we determine which ones should be taken care of first? Closing the loop from initial detection to enforcement and remediation can be difficult, if not impossible, without visibility into prioritized threat information that lets you take action to protect your most valuable assets.

The Trend Micro TippingPoint Security Management System (SMS) Threat Insights, powered by XGen™ Security, aggregates threat data from multiple sources and compiles it to help you prioritize security response measures, increase visibility into current and potential threats impacting your network, and provide insight into preemptive protection actions that may have already been taken.

 

SMS Threat Insights, working with the TippingPoint Next-Generation Intrusion Prevention System (NGIPS), Threat Protection System (TPS), and the TippingPoint Advanced Threat Protection Analyzer, enables network security professionals to:

  • Identify breached hosts, which are infected or under attack based on blocked or allowed attempts – The Breached Host section gives you a “host-centric” view of any breached hosts in your network and lets you know if you’re blocking attempts to reach out. If you use Microsoft Active Directory, you can drill down all the way to the user name.
  • Integrate with industry-leading third-party vulnerability scan solutions to identify vulnerabilities and disclose the corresponding Digital Vaccine® (DV) filters required to remediate and optimize security posture – Using our Enterprise Vulnerability Remediation (eVR) feature on the TippingPoint SMS, the “Attacked Vulnerable Hosts” section can show you what vulnerabilities, listed by CVE, have been discovered in your network and if you are blocking or permitting them in your network. You can flag certain CVEs for follow-up, track any policy changes and deploy tuned security policies all from the same workflow.
  • Distinguish potential threats classified as malicious and whether suspicious objects have been blocked or permitted – You can automatically block known and undisclosed vulnerabilities from the network using the TippingPoint NGIPS. The “Suspicious Objects” section shows if the TippingPoint NGIPS automatically forwarded unknown or suspicious indicators of compromise (IOCs) to SMS Threat Insights. IOCs are confirmed malicious by coordinating with the TippingPoint Advanced Threat Protection Analyzer for in-depth sandbox analysis and remediation, all without changing policy or altering network infrastructure.
  • Determine if any zero-day DV filters, developed using exclusive access to vulnerability data from the Zero Day Initiative (ZDI), have triggered, indicating pre-emptive protection for a vulnerability or a potential zero-day threat for an undisclosed vulnerability awaiting a patch – In the “ZDI Filter Hits” section, you can also see how long in advance you have been protected from zero-day threats on your network and determine if there are any undisclosed vulnerabilities being exploited in your network. By the way, if those undisclosed filters happen to fire in your network, we’re the only ones that will be able to protect you because no other vendor will have access to the vulnerability information!
  • Address any devices that need attention – You have a bird’s-eye view of all of your TippingPoint devices to see if any of them require attention. You can also easily set your TippingPoint devices to layer 2 fallback status if needed.
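The “Attacked Vulnerable Hosts” workflow above is a correlation: join what the scanner says a host is exposed to against what the IPS saw aimed at it, and rank by whether the attack got through. The script below is an added example written for this page, not SMS or eVR code; it runs that join over constructed scan results and IPS events (real CVE identifiers, made-up hosts and counts) so that the prioritization rule is explicit.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample data; not scanner or SMS exports. The CVE identifiers are
# real (the MS17-010 SMB bug and the LNK bug discussed earlier on this page);
# the hosts, actions and counts are made up for the example.
SCAN_RESULTS = [
    {"host": "10.0.1.15", "cve": "CVE-2017-0144"},
    {"host": "10.0.1.15", "cve": "CVE-2017-8464"},
    {"host": "10.0.1.22", "cve": "CVE-2017-0144"},
]
IPS_EVENTS = [
    {"dst": "10.0.1.15", "cve": "CVE-2017-0144", "action": "permitted"},
    {"dst": "10.0.1.15", "cve": "CVE-2017-0144", "action": "permitted"},
    {"dst": "10.0.1.22", "cve": "CVE-2017-0144", "action": "blocked"},
    {"dst": "10.0.1.40", "cve": "CVE-2017-0144", "action": "blocked"},
]

TIER_LABELS = {
    0: "vulnerable, attacked, attack permitted: patch or block now",
    1: "vulnerable, attacked, attack blocked: filter is holding, patch next",
    2: "vulnerable, no attack seen: schedule the patch",
    3: "attacked but not reported vulnerable: verify scan coverage",
}


def prioritize(scan_results: List[Dict], ips_events: List[Dict]) -> List[Dict]:
    """Join scanner findings (host, CVE) with IPS events (dst, CVE, action) and
    return one row per host/CVE pair, most urgent first."""
    vulnerable: Dict[str, set] = defaultdict(set)
    for finding in scan_results:
        vulnerable[finding["host"]].add(finding["cve"])

    attacks: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(
        lambda: {"blocked": 0, "permitted": 0})
    for event in ips_events:
        attacks[(event["dst"], event["cve"])][event["action"]] += 1

    rows = []
    for host, cves in vulnerable.items():
        for cve in cves:
            # .get() does not create entries in the defaultdict
            hits = attacks.get((host, cve), {"blocked": 0, "permitted": 0})
            tier = 0 if hits["permitted"] else 1 if hits["blocked"] else 2
            rows.append({"host": host, "cve": cve, "tier": tier, **hits})

    # Attacks against hosts the scanner never flagged for that CVE: either the
    # attack is noise or the scan missed the host, so surface them last.
    for (host, cve), hits in attacks.items():
        if cve not in vulnerable.get(host, set()):
            rows.append({"host": host, "cve": cve, "tier": 3, **hits})

    rows.sort(key=lambda r: (r["tier"], -r["permitted"], -r["blocked"], r["host"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(SCAN_RESULTS, IPS_EVENTS):
        print(row["host"], row["cve"], "permitted=%d blocked=%d" % (row["permitted"], row["blocked"]),
              "->", TIER_LABELS[row["tier"]])
```

The same join is worth running even when a product does it for you: tier 3 rows (attacks against hosts the scanner never flagged) usually point to a gap in scan coverage or a service the scanner cannot see, which is the blind spot a scanner-only or IPS-only view would miss.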

If you are a TippingPoint customer using the Security Management System (SMS), you already have access to Threat Insights. The SMS Threat Insights interface is HTML5 based and available for both desktop and mobile device access using SMS v4.6.0. If you need help upgrading to the latest version, you can contact your account team or the Threat Management Center for assistance.

For more information on TippingPoint SMS Threat Insights, please visit here.

Security for a Rapidly Changing World: Why XGen™ is Our Formula for Success


Right now, we’re living through a period of almost unprecedented technological change. It can be easy sometimes to get caught up in the excitement of this change and miss the bigger picture; the wider themes that tie our past to our future. That’s why at Trend Micro we’re proud to have been able to execute on a consistent and unwavering vision over the past 29 years: to make the world a safer place in which to exchange digital information.

It was a great honor for me to be invited last week to speak to attendees at Mobile World Congress Shanghai about this vision, our formula for success, and how the Internet of Things (IoT) and Artificial Intelligence (AI) are redefining our modern world.

A changing landscape 

The challenges faced in cybersecurity today are well known, and they closely mirror the changes in the IT landscape. One of the most impactful transitions in IT infrastructure is related to IoT, which is already radically redefining the way we live and work. Some estimates claim there’ll be 50 billion connected devices in operation by 2020, powering everything from baby monitors to smart kettles, and connected cars to life-saving medical pumps.

As with any major technological shift, the bad guys are more than ready and able to exploit any gaps in our cyber protection. Sadly, many of the threat scenarios we predicted in our end-of-year report, based on this trajectory, have been borne out.

Think about the Mirai botnet DDoS attacks last year. With one vulnerability found on some IP cameras, half the internet in the US was taken down in just a few short hours. This was not an isolated threat, but one that could easily be replicated utilizing any number of vulnerabilities in connected devices – anywhere from the manufacturing floor to people’s home networks.

The power of AI 

The introduction of AI is also impacting the changing technology and security landscape. The combination of AI with IoT results in immense benefits, including personalizing healthcare, improving agriculture productivity, increasing supply chain agility in manufacturing, reducing accidents on the road, and much more. Customization and personalization is the name of the game in the Fourth Industrial Revolution.

All of these changes are great, unless they fall into the wrong hands. Unfortunately, the personalization that comes from AI and IoT can turn into large-scale attacks with even greater impacts than ever before. The IoT is an ecosystem riddled with vulnerabilities, including bugs in software code, poor authentication, insecure network protocols, open ports, and undetected file changes.

A formula for success 

With so much rapid digital transformation, it pays to keep a calm head. That’s why at Trend Micro we’ve come up with a formula for success.

Anticipate shifts in IT infrastructure, embrace changes in user behavior and adapt protection to take account of new threats – and what do you have? XGen™: a cross-generational approach to security combining multiple layers of protection, ranging from standard tools such as signature-based detection to more advanced techniques including behavioral analysis, application control, and high-fidelity machine learning.

There are no silver-bullet claims here. The sheer breadth and variety of modern cyber threats require a comprehensive cross-generational approach to tackle them effectively, with each layer sharing intelligence with the others to provide a truly connected threat defense.

As our world continues to change at an extraordinary pace, we think this formula for success will keep the Trend Micro vision reassuringly consistent and our customers safe and secure.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of July 10, 2017

Before the world of laptops, tablets and smart phones, some of us had to use paper-based solutions to keep track of our calendars and to-do lists. I used a Franklin Planner, where I kept track of my calendar as well as my never-ending to-do list. The Franklin Planner used the “ABC” system to help you prioritize your tasks. If you use Microsoft Outlook, you can see this same approach in the Tasks section where you can assign your items with a high, normal, or low priority.

If you have a large number of tasks on your plate, it’s a nice and easy way to prioritize what you need to work on first.

Now imagine using a Franklin planner to prioritize thousands of security events in your network every 30 seconds? It’s inconceivable! Even if you have an arsenal of security tools at your disposal, how do you determine what to focus on first? To help our customers make sense of what’s going on in their network, we recently announced SMS Threat Insights, a new feature in our TippingPoint Security Management System (SMS). SMS Threat Insights aggregates threat data from multiple sources and compiles it to help you prioritize security response measures, increase visibility into current and potential threats impacting your network, and provide insight into preemptive protection actions that may have already been taken. You can learn more about SMS Threat Insights from my blog: Not All Threats Are Created Equal. If you want to see SMS Threat Insights in action, get a quick demo here.

Microsoft Update

This week’s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before July 11, 2017. Microsoft released patches for Windows, Internet Explorer, Edge, Office, SharePoint, .NET Framework, Exchange, and HoloLens. A total of 19 of these CVEs are rated Critical. The following table maps Digital Vaccine filters to the Microsoft updates. You can get more detailed information on this month’s security updates from Dustin Childs’ July 2017 Security Update Review from the Zero Day Initiative:

CVE #           Digital Vaccine Filter #   Status
CVE-2017-0170                              No Vendor Intelligence Provided
CVE-2017-0243   29051
CVE-2017-8463                              No Vendor Intelligence Provided
CVE-2017-8467                              No Vendor Intelligence Provided
CVE-2017-8486                              No Vendor Intelligence Provided
CVE-2017-8495                              No Vendor Intelligence Provided
CVE-2017-8501                              No Vendor Intelligence Provided
CVE-2017-8502                              No Vendor Intelligence Provided
CVE-2017-8556                              No Vendor Intelligence Provided
CVE-2017-8557                              No Vendor Intelligence Provided
CVE-2017-8559                              No Vendor Intelligence Provided
CVE-2017-8560                              No Vendor Intelligence Provided
CVE-2017-8561                              No Vendor Intelligence Provided
CVE-2017-8562                              No Vendor Intelligence Provided
CVE-2017-8563                              No Vendor Intelligence Provided
CVE-2017-8564                              No Vendor Intelligence Provided
CVE-2017-8565                              No Vendor Intelligence Provided
CVE-2017-8566                              No Vendor Intelligence Provided
CVE-2017-8569                              No Vendor Intelligence Provided
CVE-2017-8570                              No Vendor Intelligence Provided
CVE-2017-8573                              No Vendor Intelligence Provided
CVE-2017-8574                              No Vendor Intelligence Provided
CVE-2017-8577   29054
CVE-2017-8578   29055
CVE-2017-8580                              Insufficient Vendor Information
CVE-2017-8581                              No Vendor Intelligence Provided
CVE-2017-8582                              No Vendor Intelligence Provided
CVE-2017-8584                              No Vendor Intelligence Provided
CVE-2017-8585                              No Vendor Intelligence Provided
CVE-2017-8587                              No Vendor Intelligence Provided
CVE-2017-8588                              No Vendor Intelligence Provided
CVE-2017-8589                              No Vendor Intelligence Provided
CVE-2017-8590                              No Vendor Intelligence Provided
CVE-2017-8592   29048
CVE-2017-8594   29046
CVE-2017-8595                              No Vendor Intelligence Provided
CVE-2017-8596                              No Vendor Intelligence Provided
CVE-2017-8598   29050
CVE-2017-8599                              No Vendor Intelligence Provided
CVE-2017-8601   29047
CVE-2017-8602                              No Vendor Intelligence Provided
CVE-2017-8603                              No Vendor Intelligence Provided
CVE-2017-8604                              No Vendor Intelligence Provided
CVE-2017-8605   29049
CVE-2017-8606                              No Vendor Intelligence Provided
CVE-2017-8607                              No Vendor Intelligence Provided
CVE-2017-8608                              No Vendor Intelligence Provided
CVE-2017-8609                              No Vendor Intelligence Provided
CVE-2017-8610                              No Vendor Intelligence Provided
CVE-2017-8611                              No Vendor Intelligence Provided
CVE-2017-8617   29056
CVE-2017-8618   29045
CVE-2017-8619   29057

 

End of Sale/End of Life Announcement for TippingPoint N-Series (S660N and S1400N)

Last week, we announced the end-of-sale (EOS) and end-of-life (EOL) dates for the TippingPoint N-Series solutions (S660N and S1400N). The last day to order the affected products is September 30, 2017, while quantities last. Customers with active maintenance contracts will continue to receive support from TippingPoint’s Technical Assistance Center (TAC) for five years after the end-of-sale date. Maintenance contracts can continue to be purchased to cover the five years of support following the end-of-sale date; however, they must be purchased during the first two years following the end-of-sale date, as described in the table below. Maintenance contracts cannot be extended beyond the end-of-support date.

Impacted Product SKUs and Descriptions

Part Number (HP/Trend Micro)   Device Description                                 End of Sale Date
JC019A/TPNN0020                TippingPoint S660N Intrusion Prevention System     September 30, 2017
JC020A/TPNN0023                TippingPoint S1400N Intrusion Prevention System    September 30, 2017

 

Product End of Life Dates

  • End of Sale Announcement (July 7, 2017): The date on which Trend Micro announces the upcoming end of sale and end of support of a product.
  • End of Sale, Appliance (September 30, 2017): The last date to order a product through Trend Micro point of sale. The product is removed from the price list after this date.
  • End of Sale, Maintenance Renewals (September 30, 2019): The last date to order maintenance renewals.
  • End of Support (September 30, 2022): The last date that support calls will be accepted for the affected product. RMAs will cease after this date. Digital Vaccine and ThreatDV updates will cease for the affected products after this date.

 

We recommend that customers upgrade to the most current TippingPoint security platforms. At the time of this bulletin, the Threat Protection System (TPS) models 440T, 2200T and vTPS are the most comparable models to the 660N and 1400N. Contact your sales representative for more information:

  • TippingPoint 440T Threat Protection System (TPNN0002)
  • TippingPoint 2200T Threat Protection System (TPNN0005)
  • TippingPoint 2600NX Intrusion Prevention System (TPNN0048)
  • Virtual Threat Protection System (TPTN0060)

Customers with concerns or questions regarding this issue can contact the Trend Micro TippingPoint Technical Assistance Center (TAC).

Zero-Day Filters

There is one new zero-day filter covering one vendor in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Linksys (1)

  • 29060: ZDI-CAN-4892: Zero Day Initiative Vulnerability (Linksys WVBR0) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

This Week in Security News

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

 

Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind

Cybercriminals are opportunists. As other operating systems (OS) are more widely used, they, too, would diversify their targets, tools, and techniques in order to cash in on more victims. That’s the value proposition of malware that can adapt and cross over different platforms. 

Exploit Kit Attacks Are on the Rise as Astrum Emerges

While the cybersecurity industry noticed a reduction in exploit kit attacks during 2016 and early into 2017, these are still veritable threats that organizations must take seriously. Exploit kits typically follow a four-stage attack scenario, resulting in dangerous infections. 

A Free Tool Lets You Decrypt Files Locked by Common Malware

Victims of the latest version of one of the most common forms of ransomware, Nemucod, could now be able to get their files back without giving in to cybercriminals’ demands thanks to the release of a new decryption tool.

CopyCat Malware Infects Android Devices Worldwide

A new piece of adware dubbed CopyCat has infected 14 million Android devices around the world, according to researchers. CopyCat netted its distributors approximately $1.5 million in fake ad revenues in just two months. 

NHS Systems Are Being Strengthened after Cyberattack

The government has announced action to make the NHS more resilient to cyberattacks, including some further investment and steps to make hospital chief executives more accountable for the strength of their computer systems. 

The Dark Web Teaches Us About Enterprise Security

Ever since the law enforcement takedown of the Silk Road underground marketplace in 2013, there has been increasing interest in the depth and breadth of the Deep Web. This portion of the internet has been largely shrouded from the public eye, representing an environment in which hackers thrive. 

Not All Threats Are Created Equal

In today’s world, security teams are bombarded constantly with security events and threat information from multiple sources, making it impossible to address each threat with the same amount of urgency. Where does one even start?

Look Beyond Job Boards to Fill Cybersecurity Jobs

The cybersecurity staffing shortage is reaching crisis proportions, and companies are looking beyond the traditional channels of job boards and headhunters to find and hire new talent. Here are some of the unconventional ways companies are identifying talent. 

There Are 4 Ways to Avoid the Next Petya or WannaCry Attack

Businesses and individuals have been hit by waves of ransomware in the last few months. The WannaCry attack alone affected more than 230,000 computers in over 150 countries.  Ransomware is malware that locks down an infected computer. 

Please add your thoughts in the comments below or follow me on Twitter; @JonLClay.


What to Consider When Choosing a Security Vendor


Picking a security vendor for your managed service business should be about business model alignment, not product cost. If you’re a seasoned managed service provider (MSP), you are already very familiar with the benefits of the pay-as-you-go business model. In fact, it’s most likely how you sell your services to your customers. But, have you ever stopped to consider if all your partners are aligned with your business model?

Many security vendors that claim to cater to the MSP market likely don’t facilitate licensing in a way that aligns with your business model. They also may impose purchase restrictions on you, which can have a direct impact on your productivity and profitability. It’s imperative to partner with a security vendor that closely aligns with your business model and how you bill your customers.

Avoid pre-purchasing in bulk

In the “pre-purchase in bulk” model, the security vendor may insist that you pre-purchase a block of licenses up front. The risks of this model are:

  • Having to lay out cash in advance with no guarantee that you will recoup that investment.
  • Potentially buying more licenses than necessary.
  • Never recognizing any cost savings, considering this model doesn’t address costs associated with license acquisition, renewals, etc.
  • Spending time and money tracking the licenses, who they’re allocated to, when they expire, when to purchase more, co-terming licenses within a customer site, etc.

Avoid term commitments

In the “term commitments” model, the security vendor requires committing to specific terms, such as one, two or three years. The risks of this model are:

  • Paying for licenses even if you are no longer using them.
  • Possibly losing a customer (because they let you go, go out of business, etc.), which doesn’t excuse you from your obligation to pay for the licenses you had allocated to that customer.
  • Not being able to transfer licenses from one customer to another in the event that it becomes necessary.
  • Becoming locked in to the security vendor, even if you want to change for technical, financial or other reasons.

Avoid minimum spending requirements

Some vendors impose minimum annual spend requirements, for instance requiring you to spend $100,000 per year just to participate in the program. The risks of this are:

  • You may not be eligible in the first place if you are a smaller MSP
  • You may spend a lot of time building your practice around these solutions and then come up short at the end of the year and be removed from the program with no recourse

Find vendors that “get it”

Conversely, security vendors that “get it” and cater to MSP partners offer a licensing model that directly aligns with the pay-as-you-go business model. In addition to providing self-provisioning licensing tools that give you complete control over license creation, management and termination, you will also get the following benefits:

Maximization of cash flow

In a true pay-as-you-go program, licenses are consumed during a time period, a month for instance, and then you are responsible for paying for the use of those licenses in arrears, or after they have been consumed. This ensures that, as an MSP, you are only paying for exactly what you used, and you are paying after the service or license has already been consumed.

Depending on how you are billing your customers, there is the possibility of always having a positive cash-flow when it comes to your standardized security solution. For instance, if you bill your customers at the beginning of the month and then pay your vendor at the end of the month, you’ll never have to dip into your own cash.

Minimization of upfront investment

Minimizing your upfront investment is a benefit that is easier to quantify. In a true pay-as-you-go program, you don’t have to pre-purchase any licenses or make any significant investments to get started. You’ve already invested in RMM and PSA tools, rent/real estate, employees, hardware, software, etc. Why should you have to effectively finance your security vendor by making a significant up-front purchase just so you can offer your customers a comprehensive security solution to protect their businesses and yours?

Flexibility

Flexibility is a benefit that can’t easily be offered by most security vendors because most lack any kind of tool that gives you complete control over license provisioning and management. With a vendor like Trend Micro that provides a licensing management tool, not only do you eliminate renewals and all the associated costs (tracking renewal dates, generating invoices, requesting quotes, mailing checks, etc.), but you can instantly provision licenses as well as increase and decrease seat counts on demand. This ensures that you are utilizing exactly the number of licenses you need: no more, no less.

Multiple recurring revenue stream opportunities

An established security vendor like Trend Micro offers a number of different security products that can be leveraged by an MSP to create multiple recurring revenue streams. As technology changes and customers shift from on-premise solutions to the cloud, you need a vendor who can offer products to keep your customers protected. Many security vendors that dabble in the MSP space are one-trick ponies that can only protect endpoints or email, but not both. This means the MSP ends up spending more money, and eating into slim profit margins, cobbling solutions together from multiple vendors and missing out on any cost savings from standardization.

To sum it all up, choosing a security vendor to partner with is a much bigger decision than the cost of the product. It’s critical that you choose a partner that aligns with your business model to maximize productivity and profitability, and one that can help you grow your business.

Did you see what the Black Hat newsletter said about Trend Micro?

This year’s Black Hat® conference is right around the corner. Now, amazingly, in its 20th year, Black Hat is one of the world’s top gatherings of information security professionals. Friends in the industry refer to this as “Security Summer Camp” and it’s true: between the training, briefings, arsenal, and business hall, Black Hat is chock-full of the latest information security trends.

We were pleased to be interviewed for the Black Hat newsletter about our focus on securing the hybrid cloud and our theme for this year’s show.

Q1. What are some of the unique security challenges that enterprises face in implementing and managing a hybrid-cloud environment? 

When adopting a hybrid-cloud strategy, the first challenge for an enterprise is inevitably tooling. Organizations have always been used to hardware compensating controls, like firewalls and IPS, at the perimeter of their datacenter. Even some software-based security can be challenged by the diversity and pace of change in the cloud. Tools often don’t account for the diversity and rapid update of Linux-based operating systems, or agile features like auto scaling.

Once they overcome this challenge and adopt cloud friendly tools, the perennial issue of security skills shortage still stands in the way. There are often too many tools, too few skilled resources and not enough budget to meet the complex compliance, identity, and data protection requirements that come from adopting a hybrid environment.

The other challenge comes from a rather unexpected place… procurement. Organizations move to the cloud partially for the agility and shift to an OpEx model. Too often, security is still stuck in the past, failing to provide options that fit the swift movements of a modern cloud environment. Today’s savvy security buyer expects per-hour, zero-commitment options that allow them to burst and vary the number of workloads every hour.

Ultimately adopting a hybrid environment can mean reevaluating organizational structures, policies, procedures and how security is integrated into the fabric of a deployment. This challenge presents an incredible opportunity to innovate, streamline and reduce the overall cost of securing modern hybrid environments.

Q2. How does Trend Micro help address some of these challenges? What do you see as the fundamental value add that Trend Micro brings in this space?

Trend Micro has always been at the forefront of technology and infrastructure change. We saw the rise of virtualization and were the first to offer agentless security for virtual environments. We anticipated the development of the cloud and invested heavily very early in the birth of public cloud.

Now hybrid environments are the new normal. Most organizations have not just one cloud provider, but a set of trusted cloud providers in addition to on premise resources that form an overall cloud of clouds. This unified cloud needs a unified approach to security in order to reap its true benefits.

Trend Micro offers tools designed to meet the complex security and compliance requirements of these environments and treat a diverse hybrid environment as a single entity. This means a consistent policy and unilateral visibility across the hybrid cloud, from a tool designed to fit platforms like a glove.

What we uniquely offer this space is a single security control with a cross-generational blend of threat defense techniques. Our solutions, powered by XGen™ security, apply the right security controls based on the context of the environment. Most importantly, we ensure the tools fit cloud environments by offering per-hour pricing with no commitment, full automation and the broadest coverage for cloud environments.

We recognize the industry-wide shortage of skills and have designed our solutions to operate with minimal time spent configuring and monitoring. Automation is critical to overcoming the challenges of the skill shortage and putting the focus back on proactive security (rather than reactive, detect-only security). After all, a customer once told me “I don’t want to be told when I have been breached, I never want to be breached in the first place!”

Q3. Trend Micro has often used Black Hat as a platform for highlighting trends, discussing new threats or demonstrating various things. As a Platinum Sponsor at Black Hat USA 2017, what do you expect your main focus to be at the event?

The information security field is fast paced! Our research has shown that 500K new unique threats are now created every day to get at valuable information! What may be surprising is that 90 percent of malware variants only impact a single device. There are more network-facing vulnerabilities than ever, and attacks like the recent Struts 2 flaw cause a high impact on servers worldwide. Unfortunately, the user is often the weakest point in any organization, with 74 percent of attacks beginning with a simple phishing email. According to Verizon, it only takes 60 seconds from the time of a successful phishing attempt to encrypt endpoints with ransomware – creating a major productivity hit for any organization, big or small, around the globe. That is just the threats today…

When it comes to emerging threats, our international team of researchers predicts an increase in challenges with APIs being compromised for command and control, and a growing trend in threats to IoT and ICS/SCADA. No matter if it is smart homes, smart factories, smart cities or smart vehicles, as more devices are connected, security becomes more critical to organizational success than ever. With a strategy that is all about anticipating and adapting to the evolving IT and threat landscape, Trend Micro is in a unique position to protect against these threats before they reach your business.

At the show, our focus will be on our XGen™ security, a new class of security software that addresses the full range of ever-changing threats—now and in the future. We believe that there is no silver bullet when it comes to protecting your organization, so XGen™ security delivers a cross-generational blend of threat defense techniques that includes high fidelity machine learning, app control, behavioral analysis and custom sandboxing, and intelligently applies the right technique at the right time. Also, instead of using separate, siloed security solutions that lack essential information sharing, XGen™ security provides a connected threat defense with centralized visibility that can protect your organization from unseen threats. We introduce this concept with a fun new theme.

Our show theme this year is out of this world…literally. We take our visitors on a trip through deep space, using metaphors to show how a blend of security controls is the answer to creating a strong information security practice.

Find out more at www.trendmicro.com

If you have questions or comments, please post them below or follow me on Twitter: @justin_foster.

Interview reprinted with permission from https://www.blackhat.com/sponsor-interview/

This Week in Security News

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

 

ProMediads Malvertising and Sundown-Pirate Exploit Kit Combo Drops Ransomware and Info Stealer

There’s been a new exploit kit uncovered in the wild through a malvertising campaign that has been dubbed “ProMediads.” The new exploit kit is called Sundown-Pirate, as it’s indeed a bootleg of its precursors and actually named so by its back panel. 

Millions of IoT Devices Hit by ‘Devil’s Ivy’ Bug in Open Source Code Library

A flaw in a widely-used code library known as gSOAP has exposed millions of IoT devices, such as security cameras, to a remote attack. Researchers discovered the Devil’s Ivy flaw, a stack buffer overflow bug, while probing the remote configuration services of the M3004 dome camera from Axis Communications. 

Android Backdoor GhostCtrl Can Silently Record Your Audio, Video and More

The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device. 

New IBM Mainframe Encrypts All the Things

In the first major mainframe announcement by IBM in a decade, the company unveiled its next-generation Z series that supports full-blown encryption for data via applications, cloud, and databases rather than today’s more common practice of pockets of crypto. 

Linux Users Urged to Update as a New Threat Exploits SambaCry 

A seven-year old vulnerability in Samba was patched last May but continues to be exploited. According to a security advisory, the vulnerability allows a malicious actor to upload a shared library to a writable share, causing the server to load and execute it. 

Hackers Steal $32 Million Worth of Ethereum

Ethereum has become a top target for hackers. The promising cryptocurrency that’s also a platform for decentralized applications has skyrocketed in value over the last six months. But hacker attacks and theft of ether have become commonplace, and the last one is one of the worst so far. 

Cyberattack on Medical Software Shows Industry Vulnerability

The computer virus, called Petya, has sent ripples through health care, among the last industries to make the switch to digital record keeping and one of the most frequently targeted by hackers, said Michael Ebert, a partner with KPMG who advises health and life-science companies on cybersecurity. 

The Man Who Helped Develop Citadel Malware Receives 5 Years Imprisonment

Vartanyan helped to develop, improve and maintain Citadel, which was offered for sale on invite-only, Russian-language internet forums frequented by cybercriminals. Prosecutors estimate the malware infected about 11 million computers worldwide and caused more than $500 million in losses. 

Major Cloud Service Cyberattack Could Cost Global Economy $53 Billion

Insurance companies’ understanding of cyber liability is underdeveloped compared to other insurance types, which could lead to insurance companies underestimating the potential loss a cyberattack could cause a customer.

Stop Self-Driving Cars from Becoming Cybersecurity Weapons

At Black Hat 2015, the talk of the gathering of cybersecurity experts was the remote hacking into and subsequent control of a Jeep Cherokee driving 70 mph on a public highway. At the upcoming 20th annual Black Hat Conference, Billy Rios and Jonathan Butts will present “When IoT Attacks.” 

Picking a Security Vendor for Your Managed Service Business Is about Business Model Alignment

If you’re a seasoned managed service provider (MSP), you are already very familiar with the benefits of the pay-as-you-go business model. In fact, it’s most likely how you sell your services to your customers. But, have you ever stopped to consider if all your partners are aligned with your business model? 

Teen Girls Are Learning about Protecting the Nation at Cybersecurity Camp

Talk to the teenage girls studying cybersecurity at New York University this summer, and you’ll get an earful about their determination to protect their country, safeguard privacy, and conquer their fair share of a male-dominated field. 

Please add your thoughts in the comments below or follow me on Twitter; @JonLClay.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of July 17, 2017

If you conduct a search on the Web for the number of languages spoken around the world, you’ll see numbers ranging anywhere from 6,000-7,000. I figure I’m doing okay since I can speak English and Spanish, sign the English alphabet, recite the Greek alphabet, and read music. There are roughly 1.2 billion websites on the Internet, yet a large majority of those sites share the same programming language.

 

Earlier this week, Zero Day Initiative (ZDI) vulnerability researcher Simon Zuckerbraun published a blog discussing how JavaScript grew from a simple scripting language to become the assembly language of the web. According to the results of the 2016 StackOverflow Developer Survey, “JavaScript is the most commonly used programming language on Earth.” In addition to its role as a programming language, JavaScript often serves as the intermediate representation for dozens of other compiled languages. So you can imagine what can happen. A new class of security risk is emerging in connection with JavaScript – the danger of vulnerabilities in the execution engine itself. Simon’s blog is the first in a series on JavaScript vulnerabilities and how the broad implementation of the language affects the enterprise attack surface. You can read his blog here: Understanding Risk in the Unintended Giant: JavaScript.

Adobe Security Update

This week’s Digital Vaccine (DV) package includes coverage for Adobe updates released on or before July 11, 2017. The following table maps Digital Vaccine filters to the Adobe updates. Filters marked with an (*) shipped prior to this DV package, providing zero-day protection for our customers. You can get more detailed information on this month’s security updates from Dustin Childs’ July 2017 Security Update Review from the Zero Day Initiative:

Bulletin #    CVE #            Digital Vaccine Filter #    Status
APSB17-21     CVE-2017-3080    29078
APSB17-21     CVE-2017-3099    29130
APSB17-21     CVE-2017-3100    *28917


Zero-Day Filters

There is one new zero-day filter covering one vendor in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (1)

  • 29078: HTTP: Adobe Flash Broker API Information Disclosure Vulnerability (ZDI-17-486) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

Join us at Black Hat 2017

Hackers can make a number of easily identifiable mistakes.

Hide your phones, hide your laptops ‘cause they’re hackin’ everyone out here! For the 20th year, on July 26 and 27, thousands of cybersecurity executives, researchers and enthusiasts will descend upon Las Vegas for Black Hat 2017, including some of Trend Micro’s finest. Throughout the week, Trend Micro experts and researchers can be found sharing insight during two briefings and one arsenal session, visiting with industry professionals at our booth and meeting with reporters, analysts and potential customers.

With so much going on in only two days it can be difficult to decide where to begin, but if you’re hoping to spend time with our team we’ve outlined below where you can scout us out during the conference. Additionally, we’ve provided some helpful #ProTips for navigating the conference and keeping your personal information secure – let’s not kid ourselves now, this is a security conference after all.

Go Beyond Next-Gen with XGen™ 

#ProTip: Don’t forget to eat a substantial breakfast and pack snacks for energy! Two full back-to-back days will require sustenance to keep you going. 

Without a doubt, you can always find someone at the Trend Micro booth, No. 532. For this year’s event we will continue showcasing our XGen™ approach by taking visitors on a space shuttle ride through the world of security. Members of our team will also be available to meet with current and prospective partners, share our offerings and provide information on how to ensure personal and enterprise security. Additionally, those visiting the booth will receive a free Trend Micro t-shirt.

Class is in [Briefing] Session 

#ProTip: Bring a pencil and paper to your briefing sessions. You’re going to be surrounded by professional hackers, so this probably isn’t the best time to be taking notes on a device. You might as well stick a sign to your back reading, “Hack me! Hack me!” 

Several of our senior threat researchers, including Federico Maggi, Marco Balduzzi, Vincenzo Ciancaglini, Ryan Flores and Lion Gu, have the opportunity to present during two briefing sessions and one arsenal session during the conference. The team will be sharing research on the recently published Industrial Robots report, as well as ShieldFS and DefPloreX. For more information on each session, check out the brief descriptions below.

Briefing Session – Breaking the Laws of Robotics: Attacking Industrial Robots
Presenters: Federico Maggi and colleagues from Politecnico di Milano

Date/Time: Thursday, July 27, 11 – 11:50 a.m.

Location: Mandalay Bay AB 

Description: Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory.

Briefing Session – ShieldFS: The Last Word in Ransomware Resilient File Systems
Presenters: Federico Maggi and colleagues from Politecnico di Milano

Date/Time: Wednesday, July 26, 2:40 – 3:30 p.m.

Location: Mandalay Bay AB

Description: In this talk, we will present ShieldFS, a drop-in driver that makes the Windows native filesystem immune to ransomware attacks.

Arsenal Session – DefPloreX: A Machine-Learning Toolkit for Large-scale eCrime Forensics
Presenters: Marco Balduzzi, Federico Maggi, Vincenzo Ciancaglini, Ryan Flores & Lion Gu

Date/Time: Thursday, July 27, 1:00 – 2:20 p.m.

Location: Business Hall, Level 2, Station 3

Description: DefPloreX ingests plain CSV inputs about web incidents to analyze, explores their resources with headless browsers, extracts features from deface pages, and uploads the resulting data to an Elastic index. 

You’re Invited! 

#ProTip: Be sure to bring a bottle of water. You’ll be mingling in the Vegas heat all day and night, so you’ll need to remain hydrated! 

As always, Trend Micro will be hosting its VIP guests on Tuesday, July 25, from 6-9 p.m. in true Las Vegas fashion with treats, cocktails and billiards. Those in attendance will be entered for a chance to win one of three Phantom 3 Drones being awarded every hour during the reception. This event is a chance for us to meet with press, colleagues and partners in a casual, yet luxurious setting. If you’re interested in attending, please register here.

Follow Along

#ProTip: Dress for comfort from head to toe! You’re sure to get your 10,000 steps in before noon – pack a reliable pair of shoes so you can stay focused on the information you’re hearing and not that blister on your heel.

Whether you’ll be at Black Hat or not, be sure to follow along with everything we’re doing by following us @TrendMicro or keeping up with this blog throughout the week. We will share what we’re learning, our favorite sessions and general event info.
