Estée Lauder Exposes 440M Records, with Email Addresses, Network Info

Middleware data was exposed, which can create a secondary path for malware through which applications and data can be compromised.

A non-password protected cloud database containing hundreds of millions of customer records and internal logs for cosmetic giant Estée Lauder has been found exposed online, according to researchers.

In all, 440,336,852 individual data pieces were exposed, according to researcher Jeremiah Fowler at Security Discovery. Importantly, many of the records contained plaintext email addresses (including internal addresses on the @estee.com domain). There were also reams of logs for content management systems (CMS) and middleware activity. Fortunately, Fowler saw no payment data or sensitive employee information in the records.

“This company has been a household name for over 70 years and had an annual revenue of $14.863 billion in 2019 – [so] it seems logical that there would be a large dataset associated with the business,” Fowler wrote in a report on his discovery, published Tuesday. He added that while he saw that there were “massive” numbers of consumer email addresses involved, he didn’t calculate the total number because he immediately pivoted to notifying the company.

“I can only speculate or assume that the email addresses were from digital commerce or online sales,” he said.

As for the other data, most of it could be used as reconnaissance for a larger network attack, Fowler noted. The logs for instance contained IP addresses, ports, pathways and storage information that could be used to map out the company’s internal LAN or WAN; and, middleware used by the company to connect different data-generating software packages was also detailed.

Middleware typically handles tasks like providing a consistent front-end for data management across different internal systems; application services; messaging; authentication; and API management.

“Middleware can create a secondary path for malware, through which applications and data can be compromised,” Fowler explained. “In this instance, anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.”

After making several phone calls and sending several emails over the course of a few hours, Fowler was able to get a message through to the security team at Estée Lauder, and the database was closed the same day. It’s unclear how long the Estée Lauder database was exposed or who else may have accessed the records during that time, he noted, so customers should be on the alert for phishing emails.

“This is an example of how a simple error such as setting permissions on a shared drive or a database can have significant consequences,” said Erich Kron, security awareness advocate at KnowBe4, via email. However, he praised the company for its quick action: “This is also a lesson in how large organizations can improve on the process of reporting potential data exposure quickly in order to rapidly resolve the issue, especially in the modern electronic age where millions of records can be stored in a single place and be accessed from nearly anywhere in the world. I give Estée Lauder credit for quickly resolving the issue once they were informed about it, as many organizations move far too slowly in this respect.”

Misconfigured, internet-exposed databases continue to be a common problem, including for very big, brand-name companies with years’ worth of data. In January for instance, it was revealed that misconfigured Microsoft cloud databases containing 14 years of customer support logs had exposed 250 million records to the open internet for 25 days. The account info dates back as far as 2005 and is as recent as December 2019 — and exposes Microsoft customers to phishing and tech scams.

Source :
https://threatpost.com/estee-lauder-440m-records-email-network-info/152789/

Emotet Now Hacks Nearby Wi-Fi Networks to Spread Like a Worm

The new tactic used by Emotet allows the malware to infect nearby insecure Wi-Fi networks – and their devices – via brute force loops.

A newly uncovered Emotet malware sample has the ability to spread to insecure Wi-Fi networks located near an infected device.

If the malware can spread to these nearby Wi-Fi networks, it then attempts to infect devices connected to them — a tactic that can rapidly escalate Emotet’s spread, said researchers. The new development is particularly dangerous for the already-prevalent Emotet malware, which since its return in September has taken on new evasion and social engineering tactics to steal credentials and spread trojans to victims (like the United Nations).

“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” said James Quinn, threat researcher and malware analyst for Binary Defense, in a Friday analysis. “Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.”

While researchers noticed the Wi-Fi spreading binary being delivered for the first time on Jan. 23, they said that the executable has a timestamp of 4/16/2018, hinting that the Wi-Fi spreading behavior has been running unnoticed for almost two years. This may be in part due to how infrequently the binary is dropped, researchers said, as this is the first time they’ve seen it despite tracking Emotet since its return in 2019.

The Emotet sample first infects the initial system with a self-extracting RAR file containing two binaries (worm.exe and service.exe) used for the Wi-Fi spreading. After the RAR file unpacks itself, worm.exe executes automatically.

The worm.exe binary immediately begins profiling wireless networks in order to attempt to spread to other Wi-Fi networks. Emotet makes use of the wlanAPI interface to do this. wlanAPI is one of the libraries used by the native Wi-Fi application programming interface (API) to manage wireless network profiles and wireless network connections.

Once a Wi-Fi handle has been obtained, the malware then calls WlanEnumInterfaces, a function that enumerates all Wi-Fi networks currently available on the victim’s system. The function returns the enumerated wireless networks in a series of structures that contain all information related to them (including their SSID, signal, encryption and network authentication method).

Once the data for each network has been obtained, the malware moves into the connection with “brute-forcing loops.” Attackers use a password obtained from “internal password lists” (it’s not clear how this internal password list has been obtained) to attempt to make the connection. If the connection is not successful, the function loops and moves to the next password on the password list.

If the password is correct and the connection is successful, the malware sleeps for 14 seconds before sending an HTTP POST to its command-and-control (C2) server on port 8080, and establishes the connection to the Wi-Fi network.

Then, the binary begins enumerating and attempting to brute-force passwords for all users (including any Administrator accounts) on the newly-infected network. If any of these brute forces are successful, worm.exe then installs the other binary, service.exe, onto the infected devices. To gain persistence on the system, the binary is installed under the guise of “Windows Defender System Service” (WinDefService).

“With buffers containing either a list of all usernames successfully brute-forced and their passwords, or the administrator account and its password, worm.exe can now begin spreading service.exe to other systems,” said researchers. “Service.exe is the infected payload installed on remote systems by worm.exe. This binary has a PE timestamp of 01/23/2020, which was the date it was first found by Binary Defense.”

After service.exe is installed and communicates back to the C2, it begins dropping the embedded Emotet executable. In this manner, the malware attempts to infect as many devices as possible.

Emotet, which started as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, can install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware.

Researchers, for their part, recommend blocking this new Emotet technique with the use of strong passwords to secure wireless networks.

“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” they said. “Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”
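The two detection strategies the researchers describe, monitoring for new services that run from temporary or user-profile folders (or that borrow the “Windows Defender System Service” name used by service.exe) and watching for the unencrypted HTTP POST to port 8080, can be expressed as simple rules over log records. The following Python is an added example written for this roundup, not code from Binary Defense or from the Emotet analysis; the service-install records and connection records are constructed samples whose field layout only loosely mirrors Windows event 7045 and a generic proxy log, and the “legitimate Defender install root” pattern is an assumption you would adjust for your own fleet.

```python
"""Detection helpers for the Emotet Wi-Fi spreader behaviour described above.

Added example with constructed sample records, not real telemetry. Field layout
loosely mirrors Windows System log event 7045 ("A service was installed in the
system") and a generic proxy/flow log; adapt the parse_* functions to your logs.
"""
import re
from dataclasses import dataclass


@dataclass
class ServiceInstall:
    host: str
    service_name: str
    display_name: str
    image_path: str
    account: str


# Constructed 7045-style records: id|host|service|display name|image path|account
SAMPLE_SERVICE_EVENTS = [
    r"7045|WS01|WinDefService|Windows Defender System Service|C:\Users\alice\AppData\Local\Temp\service.exe|LocalSystem",
    r"7045|WS01|WinDefend|Microsoft Defender Antivirus Service|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe|LocalSystem",
    r"7045|WS02|Spooler|Print Spooler|C:\Windows\System32\spoolsv.exe|LocalSystem",
    r"7045|WS02|UpdaterSvc|Contoso Updater|C:\Windows\Temp\upd.exe|LocalSystem",
    r"7045|WS03|DefenderHelper|Windows Defender Helper|C:\Windows\System32\svchelp.exe|LocalSystem",
]

# Constructed proxy/flow records: src|dst|dport|method|host
SAMPLE_CONNECTIONS = [
    "10.0.0.5|93.184.216.34|443|CONNECT|www.example.com",
    "10.0.0.5|192.0.2.77|8080|POST|192.0.2.77",
    "10.0.0.9|198.51.100.7|8080|GET|proxy.example.net",
    "10.0.0.9|203.0.113.25|8080|POST|203.0.113.25",
]

# Service binaries dropped into temp or user-profile application data folders.
SUSPICIOUS_DIR = re.compile(r"\\(temp|tmp|appdata)\\", re.I)
# Assumed install roots for genuine Defender components (tune for your fleet).
DEFENDER_HOME = re.compile(r"^c:\\(program files|programdata\\microsoft)\\windows defender\\", re.I)
BARE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_service_event(line: str) -> ServiceInstall:
    _, host, name, display, path, account = line.split("|")
    return ServiceInstall(host, name, display, path.strip('"'), account)


def assess_service(ev: ServiceInstall) -> list:
    """Return the reasons a service install resembles the service.exe drop."""
    reasons = []
    if SUSPICIOUS_DIR.search(ev.image_path):
        reasons.append("binary runs from a temp or user-profile folder")
    claims_defender = re.search(r"defender", ev.service_name + " " + ev.display_name, re.I)
    if claims_defender and not DEFENDER_HOME.match(ev.image_path):
        reasons.append("claims to be Windows Defender but is outside its install folder")
    return reasons


def scan_services(lines) -> list:
    """(host, service_name, reasons) for every record with at least one reason."""
    findings = []
    for ev in map(parse_service_event, lines):
        reasons = assess_service(ev)
        if reasons:
            findings.append((ev.host, ev.service_name, reasons))
    return findings


def unencrypted_c2_candidates(lines) -> list:
    """Plain-HTTP POSTs to port 8080 addressed to a bare IP rather than a hostname."""
    hits = []
    for line in lines:
        src, dst, dport, method, host = line.split("|")
        if method == "POST" and dport == "8080" and BARE_IPV4.match(host):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for host, svc, why in scan_services(SAMPLE_SERVICE_EVENTS):
        print(f"{host}: {svc} -> {'; '.join(why)}")
    for src, dst in unencrypted_c2_candidates(SAMPLE_CONNECTIONS):
        print(f"{src} POSTed over plain HTTP to {dst}:8080")
```

The service rule deliberately separates the two signals: a temp-folder binary is suspicious on its own, and a Defender-branded service outside Defender’s install root is suspicious even when it sits in System32, so the genuine MsMpEng.exe record passes while the two impostors are flagged. The network rule is narrow by design; widen it (other ports, User-Agent checks) once you have confirmed the pattern in your own traffic.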

Source :
https://threatpost.com/emotet-now-hacks-nearby-wi-fi-networks-to-spread-like-a-worm/152725/

Trend Micro Creates Factory Honeypot to Trap Malicious Attackers and Microsoft Leaves 250M Customer Service Records Open to the Web

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, dive into a research study that explores the risks associated with common cybersecurity vulnerabilities in a factory setting. Also, read about how misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records.

Read on:

Don’t Let the Vulnera-Bullies Win. Use Our Free Tool to See If You Are Patched Against Vulnerability CVE-2020-0601

Last week, Microsoft announced vulnerability CVE-2020-0601 and has already released a patch to protect against any exploits stemming from the vulnerability. Understanding how difficult it can be to patch systems in a timely manner, Trend Micro created a valuable tool that will test endpoints to determine if they have been patched against this latest threat or if they are still vulnerable.

Ransomware, Snooping and Attempted Shutdowns: See What Hackers Did to These Systems Left Unprotected Online

Malicious hackers are targeting factories and industrial environments with a wide variety of malware and cyberattacks including ransomware and cryptocurrency miners. All of these incidents were spotted by researchers at Trend Micro who built a honeypot that mimicked the environment of a real factory. The fake factory featured some common cybersecurity vulnerabilities to make it appealing for hackers to discover and target.

Defend Yourself Now and In the Future Against Mobile Malware

Recently, 42 apps were removed from the Google Play Store after being installed eight million times over the period of a year, flooding victims’ screens with unwanted advertising. Trend Micro blocked more than 86 million mobile threats in 2018, and that number is expected to continue to increase. To learn how to protect your mobile device from hackers, read this blog from Trend Micro.

Trend Micro Joins LOT Network to Fight ‘Patent Trolls’

Trend Micro announced this week that it has joined non-profit community LOT Network in a bid to combat the growing threat posed to its business and its customers by patent assertion entities (PAEs). The community now has more than 500 members, including some of the world’s biggest tech companies such as Amazon, Facebook, Google, Microsoft and Cisco.

Blocking A CurveBall: PoCs Out for Critical Microsoft-NSA Bug CVE-2020-0601

Security researchers have released proof-of-concept (PoC) code for exploiting CVE-2020-0601, a bug that the National Security Agency (NSA) reported. The vulnerability affects Windows operating systems’ CryptoAPI validation of Elliptic Curve Cryptography (ECC) certificates and Public Key Infrastructure (PKI) trust. Enterprises and users are advised to patch their systems immediately to prevent attacks that exploit this security flaw.

Microsoft Leaves 250M Customer Service Records Open to the Web

Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days. The account information dates back as far as 2005 and is as recent as December 2019, and it exposes Microsoft customers to phishing and tech scams. Microsoft said it is in the process of notifying affected customers.

Microsoft Releases Advisory on Zero-Day Vulnerability CVE-2020-0674, Workaround Provided

On January 17, Microsoft published an advisory (ADV200001) warning users about CVE-2020-0674, a remote code execution (RCE) vulnerability involving Microsoft’s Internet Explorer (IE) web browser. A patch has not yet been released as of the time of writing — however, Microsoft has acknowledged that it is aware of limited targeted attacks exploiting the flaw.

Google to Apple: Safari’s Privacy Feature Actually Opens iPhone Users to Tracking

Researchers from Google’s Information Security Engineering team have detailed several security issues in the design of Apple’s Safari anti-tracking system, Intelligent Tracking Prevention (ITP). ITP is designed to restrict cookies and is Apple’s answer to online marketers that track users across websites. However, Google researchers argue in a new paper that ITP leaks Safari users’ web browsing habits.

Hacker Publishes Credentials for Over 515,000 Servers, Routers, and IoT Devices

A hacker has published the credentials of over 515,000 servers, routers, and IoT devices on a well-known hacking website. ZDNet reported that the list consists of IP addresses together with the username and password each device uses for its Telnet service, which allows these devices to be controlled over the internet.

Pwn2Own Miami Contestants Haul in $180K for Hacking ICS Equipment

The first Pwn2Own hacking competition that exclusively focuses on industrial control systems (ICS) has kicked off in Miami. So far, a total of $180,000 has been awarded for pwning five different products. The contest hosts at Trend Micro’s Zero Day Initiative (ZDI) have allocated more than $250,000 in cash and prizes for the contest, which is testing eight targets across five categories.

Sextortion Scheme Claims Use of Home Cameras, Demands Bitcoin or Gift Card Payment

A new sextortion scheme has been found preying on victims’ fears through social engineering and follows in the footsteps of recent sextortion schemes demanding payment in bitcoin. Security researchers at Mimecast observed the scheme during the first week of the year. The scheme reportedly sent a total of 1,687 emails on Jan. 2 and 3, mostly to U.S. email account holders.

NetWire RAT Hidden in IMG Files Deployed in BEC Campaign

A recent business email compromise (BEC) campaign, purportedly coming from a small number of scammers in Germany, targets organizations by sending them emails with IMG file attachments hiding a NetWire remote access trojan (RAT). The campaign was discovered by IBM X-Force security researchers and involves sending an employee of the targeted organization an email masquerading as a corporate request.


Source :
https://blog.trendmicro.com/this-week-in-security-news-trend-micro-creates-factory-honeypot-to-trap-malicious-attackers-and-microsoft-leaves-250m-customer-service-records-open-to-the-web/

Cybersecurity Terms and Threats You Need to Know in 2020

Let’s do a show of hands — who loves jargon? Anyone?

I didn’t think so.

Face it, aside from trivia champions, jargon doesn’t make life any easier for us. If you’re attending your first security conference this year, you might feel like you need an interpreter to make sense of the technical terminology and acronyms you’ll find around every corner.

At Cisco Umbrella, we’re fluent in cybersecurity – and we want to help you make sense of the often-confusing security landscape! In this post, we define key cybersecurity terms that everyone should know in 2020 — and beyond.

Part 1: Threats

Backdoor: A backdoor is an access point designed to allow quick and undetected entrance to a program or system, usually for malicious purposes. A backdoor can be installed by an attacker using a known security vulnerability, and then used later to gain unfettered access to a system.

Botnet: A botnet is a portmanteau for “robot network.” It’s a collection of infected machines that can be used for any number of questionable activities, from cryptomining to DDoS attacks to automated spam comments on blogs.

Command-and-control (C2) attacks: Command-and-control attacks are especially dangerous because they are launched from inside your network. Security technologies like firewalls are designed to recognize and stop malicious activity or files from entering your network. However, a command-and-control attack is trickier than a standard threat. A file doesn’t start out showing any malicious behavior, so it is deemed harmless by your firewall and permitted to enter your network. Once inside, the file stays dormant, either for a set period of time or until it is triggered remotely. Then, the file reaches out to a malicious domain and downloads harmful data, infecting your network.

Denial of Service (DoS) Attack: This type of attack consumes all of the resources of a target so that it can no longer be used or reached, effectively taking it down. DoS attacks are designed to take a website or server offline, whether for monetary, political, or other reasons. A DDoS, or Distributed Denial of Service attack, is a subcategory of DoS attack that is carried out using two or more hosts, often via a botnet.

Drive-by download: A drive-by download installs malware invisibly in the background when the user visits a malicious webpage, without the user’s knowledge or consent. Often, drive-by downloads take advantage of browser or browser plug-in vulnerabilities that accept a download under the assumption that it’s a benign activity. Using an up-to-date secure browser can help protect you against this type of attack.

Exploit: An exploit is any attack that takes advantage of a weakness in your system. It can make use of software, bits of data, and even social engineering (like pretending to be someone from your IT team who needs your password to perform a security update). To minimize exploits, it’s important to keep your software up-to-date and to be aware of social engineering techniques (see below).

Malware: Malware is a generic term for any program installed on a system with the intent to corrupt, damage, or disable that system. Razy, TeslaCrypt, NotPetya, and Emotet are a few recent examples.

  • Cryptomining malware: Cryptomining by itself is not necessarily malicious — many people mine cryptocurrency on their own systems. Malicious cryptomining, however, is a browser- or software-based threat that enables bad actors to hijack system resources to generate cryptocurrencies. Cryptomining malware is an easy way for bad actors to generate cash while remaining anonymous and without having to use their own resources. Learn more about the cryptomining malware threat.
  • Ransomware: Ransomware is malware used to encrypt a victim’s data with an encryption key that is known only to the attacker. The data becomes unusable until the victim pays a ransom to decrypt the data (usually in cryptocurrency). Ransomware is a fast-growing and serious threat — learn more in our newly updated guide to ransomware defense.
  • Rootkits: A rootkit is a malicious piece of code that hides itself in your system, prevents detection, and enables bad actors to gain continued access to your system. If attackers gain full access to your system once, they can use rootkits to continue that access over a long period of time.
  • Spyware: Malicious code that gathers information about you and your browsing habits, and then sends that information to a third party.
  • Trojans: A trojan is a seemingly innocuous program that acts as a front for malicious code hiding inside. Trojans can do any number of things, from stealing data to allowing remote system control. These programs take their name from the famous Grecian “Trojan Horse” that took advantage of a similar vulnerability.
  • Viruses: Often used as a blanket term, a virus is a piece of code that attaches itself to files, such as email attachments or files you download online. Once it infects your system, it can cause all kinds of problems, whether that means deleting system files or corrupting your data. Computer viruses also replicate and spread across networks – just like viruses in the physical world.
  • Worms: A worm is a type of malware that clones itself in order to spread to other computers, performing various damaging actions on whatever system it infects. Unlike a virus, a worm exists as a standalone entity — it isn’t hidden inside something else like an attachment.

MitM or Man-in-the-Middle Attack: A MitM attack is pretty much what it sounds like. An attacker will intercept, relay, and potentially change messages between two parties without their knowledge. MitM can be used to break encryption, compromise account details, or gain access to systems by impersonating a user.

Phishing: Phishing is a technique that mimics a legitimate communication (like an email from your online bank) to steal sensitive information. Like fishermen with a lure, attackers will attempt to take your personal information by using fake emails, forms, and web pages to coax you to provide it to them.

  • Spear phishing is a form of phishing that targets one specific individual by using publicly accessible data about them, like from a business card or social media profile.
  • Whale phishing goes one step further than spear phishing and describes a targeted attack on a high-ranking individual, like a CEO or government official.

Social engineering: A general term for any activity in which an attacker is trying to manipulate you into revealing information, whether over email, phone, web forms, or social media platforms. Passwords, account credentials, social security numbers — we often don’t think twice about giving this information away to someone we can trust, but who’s really on the other end of the line? Protect yourself, and think twice before sharing. It’s always OK to verify the request for information in another way, like calling an official customer support number.

Zero-day (0day): A zero day attack is when a bad actor exploits a new, previously unknown software vulnerability for which there is no patch. It’s a constant struggle to stay ahead of attackers, but you don’t have to do it alone — you can get help from the security experts at Cisco Talos.

Part 2: Solutions

Anti-malware: Anti-malware software is a broad category of software designed to block, root out, and destroy viruses, worms, and other nasty things that are described in this list. These products need to be updated regularly to ensure that they remain effective against new threats. They can be deployed at various points in the network chain (email, endpoint, data center, cloud) and either on-premises or delivered from the cloud.

Cloud access security broker (CASB): This is software that provides the ability to detect and report on the cloud applications that are in use across your environment. It provides visibility into cloud apps in use as well as their risk profiles, and the ability to block/allow specific apps. Read more about securing cloud apps here.

Cloud security: this is a subcategory of information security and network security. It is a broad term that can include security policies, technologies, applications, and controls that are used to protect sensitive company and user data wherever it is exposed in a public, private, or hybrid cloud environment.

DNS-layer security: This is the first line of defense against threats because DNS resolution is the first step in establishing a connection to the internet. It blocks requests to malicious and unwanted destinations before a connection is even established — stopping threats over any port or protocol before they reach your network or endpoints. Learn more about DNS-layer security here.

Email security: This refers to the technologies, policies, and practices used to secure the access and content of email messages within an organization. Many attacks are launched via email messages, whether through targeted attacks (see note on phishing above) or malicious attachments or links. A robust email security solution protects you from attacks whether email is in transit across your network or when it is on a user’s device.

Encryption: This is the process of scrambling messages so that they cannot be read until they are decrypted by the intended recipient. There are several types of encryption, and it’s an important component of a robust security strategy.

Endpoint security: if DNS-layer security is the first line of defense against threats, then you might think of endpoint security as the last line of defense! Endpoints can include desktop computers, laptop computers, tablets, mobile phones, desk phones, and even wearable devices — anything with a network address is a potential attack path. Endpoint security software can be deployed on an endpoint to protect against file-based, fileless, and other types of malware with threat detection, prevention, and remediation capabilities.

Firewall: Imagine all the nasty, malicious stuff on the Internet without anything to stop it. A firewall stands between your trusted entities and whatever lies beyond, controlling access based on security rules. A firewall can be hardware or software, a standalone security appliance or a cloud-delivered solution.

Next-generation firewall (NGFW): This is the industry’s new solution for an evolved firewall. It is typically fully integrated with the rest of the security stack, threat-focused, and delivers comprehensive, unified policy management of firewall functions, application control, threat prevention, and advanced malware protection from the network to the endpoint.

Security information and event management (SIEM): This is a broad term for products that deal with security information management (SIM) and security event management (SEM). These systems allow for aggregation of information and events into a single “pane of glass” for security teams to use.

Secure web gateway (SWG): This is a proxy that can log and inspect all of your web traffic for greater transparency, control, and protection. It allows for real-time inspection of inbound files for malware, sandboxing, full or selective SSL decryption, content filtering, and the ability to block specific user activities in select apps.

Secure internet gateway (SIG): This is a cloud-delivered solution that unifies a variety of connectivity, content control, and access technologies to provide users with safe access to the internet, both on and off the network. By operating from the cloud, a SIG protects user access anywhere and everywhere, with traffic routing to the gateway for inspection and policy enforcement regardless of what users are connecting to, or where they’re connecting from. Because a SIG extends security beyond the edge of the traditional network — and without the need for additional hardware or software — thousands of enterprises have adopted it as a modern catch-all for ensuring that users, devices, endpoints, and data have robust protection from threats.

Secure access service edge (SASE): Gartner introduced an entirely new enterprise networking and security category called “secure access service edge.” SASE brings together networking and security services into one unified solution designed to deliver strong security from edge to edge — in the data center, at remote offices, with roaming users, and beyond. By consolidating a variety of powerful point solutions into one solution that can be deployed anywhere from the cloud, SASE can provide better protection and faster network performance, while reducing the cost and work it takes to secure the network.

Cybersecurity is always evolving, and it can be hard to keep up with the rapid pace of changes. Be sure to bookmark this blog post – we’ll keep it up to date as new threats and technologies emerge. To learn more, check out our recent blog posts about cybersecurity research, or come chat with our security experts in person in Barcelona at Cisco Live EMEA this month. Don’t be shy!


Source :
https://umbrella.cisco.com/blog/2020/01/14/cybersecurity-terms-and-threats-you-need-to-know-in-2020/

How DNS-Layer Security Can Improve Cloud Workloads

More organizations are adopting the public cloud for their enterprise workloads. Gartner has forecasted [1] that by 2020, less than 5% of enterprise workloads will be running in true on-premises private clouds. As workloads move to public clouds, it is crucial that security architectures evolve to protect those workloads, wherever they are.

Like with on-premises applications, a layered security approach works better than point solutions for cloud workloads. But the security challenges in the cloud are different. Without a physical data center in which you build your security stack to protect your data, it’s difficult to know if you’re fully protected everywhere your enterprise data is exposed.

That’s where DNS-layer security comes in. Since DNS is built into the foundation of the Internet, security at the DNS-layer can be simple to deploy and highly effective, whether your enterprise uses on-premises architecture or the public cloud. Cisco Umbrella provides DNS-based security that blocks requests to malware, phishing, and botnets before a connection is even established. It can prevent cloud workloads from being leveraged for malicious cryptomining by blocking requests to suspicious domains. Content category blocking can also be configured to prevent cloud workloads from being used by employees to circumvent on-premises content filtering rules.

One of the simplest approaches to enable DNS-based security for cloud-native workloads is to point the DNS server used by these workloads to Cisco Umbrella. This enables DNS-level blocking of malicious domains and provides an added layer of security. However, since most cloud workloads tend to access the Internet through an ephemeral public IP address, it is difficult to define policy or to view reporting of DNS activity in the public cloud.

Another approach is to deploy the Cisco Umbrella Virtual Appliance in a Virtual Private Cloud (VPC) in the public cloud. Workloads in that VPC can use the Virtual Appliance as their DNS server. The Virtual Appliance forwards DNS requests for external domains to Umbrella and includes the source IP of the requesting workload in the DNS metadata. Virtual Appliances include a customer identifier in each outgoing DNS request, which enables them to be used for environments with ephemeral public IP addresses. With the Virtual Appliance approach, subnet-based content filtering policies can be defined for cloud workloads. Umbrella can also provide visibility into the source of malicious domain requests, allowing administrators to quickly remediate these workloads.

The Cisco Umbrella Virtual Appliance now supports deployment in the three major public cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). With many organizations now adopting a multi-cloud strategy [2], deploying Umbrella Virtual Appliances in the respective public cloud VPCs can provide a highly effective added layer of security for workloads deployed in any of these platforms, as well as improved visibility into activity.

What are you waiting for? Sign up for a free trial of Cisco Umbrella, and start leveraging the power of DNS-layer security to protect your cloud workloads.

  [1] Modernize IT infrastructure in a hybrid world, Gartner, Mar 2019. Retrieved from https://www.gartner.com/smarterwithgartner/modernize-it-infrastructure-in-a-hybrid-world/
  [2] Why organizations choose a Multicloud strategy, Gartner, May 2019. Retrieved from https://www.gartner.com/smarterwithgartner/why-organizations-choose-a-multicloud-strategy/

Source :
https://umbrella.cisco.com/blog/2020/01/23/how-dns-layer-security-can-improve-cloud-workloads/

What is DNSSEC and Why Is It Important?

If you’re like most companies, you probably leave your DNS resolution up to your ISP. But as employees bypass the VPN, and even more organizations adopt direct internet access, it’s more than likely that you have a DNS blind spot. So what steps can you take to ensure your visibility remains free and clear?

One simple and easy thing you can start doing right away is to mine your DNS data. Each time a browser (or any other program) connects to a host by name, it has to query DNS first. Since the DNS request precedes the IP connection, DNS resolvers log the requested domain regardless of the protocol or port the connection later uses. That's an information gold mine! Just by monitoring DNS requests and correlating them with the IP connections that follow, you eliminate the blind spot, detect compromised systems more accurately, and improve your overall security visibility and network protection.
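The correlation described above, as an added example that is not part of the original Cisco post: it runs two constructed logs (a resolver log and a firewall/flow log, both invented here in an assumed whitespace-separated format) through three checks. Lookups of blocklisted domains and of long random-looking labels are flagged from the DNS data alone, and every connection is checked for a preceding DNS answer from the same client; a connection with no such lookup is the hard-coded destination that DNS monitoring alone would miss. The blocklist, the entropy threshold and the 60-second window are assumptions to tune against your own baseline.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not real traffic). Assumed resolver log format:
# <ISO time> <client IP> <queried name> <answer IP>
DNS_LOG = """\
2020-01-28T09:00:01 10.0.0.5 www.example.com 93.184.216.34
2020-01-28T09:00:03 10.0.0.5 updates.example.org 203.0.113.10
2020-01-28T09:00:04 10.0.0.7 xk3q9z1mvb7t.example.net 198.51.100.23
2020-01-28T09:00:09 10.0.0.7 login.example.com 93.184.216.35
"""

# Constructed firewall / flow log: <ISO time> <source IP> <destination IP>
CONN_LOG = """\
2020-01-28T09:00:02 10.0.0.5 93.184.216.34
2020-01-28T09:00:05 10.0.0.7 198.51.100.23
2020-01-28T09:00:20 10.0.0.9 192.0.2.77
2020-01-28T09:00:25 10.0.0.7 93.184.216.35
"""

# Stand-in for a threat-intelligence feed of known-bad domains (constructed).
BLOCKLIST = {"updates.example.org"}
# A lookup is expected shortly before the connection it enables (assumed window).
WINDOW = timedelta(seconds=60)


@dataclass
class DnsRecord:
    time: datetime
    client: str
    qname: str
    answer: str


@dataclass
class Conn:
    time: datetime
    client: str
    dst: str


def parse_dns(text):
    out = []
    for line in text.splitlines():
        t, client, qname, answer = line.split()
        out.append(DnsRecord(datetime.fromisoformat(t), client,
                             qname.lower().rstrip("."), answer))
    return out


def parse_conn(text):
    out = []
    for line in text.splitlines():
        t, client, dst = line.split()
        out.append(Conn(datetime.fromisoformat(t), client, dst))
    return out


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(qname):
    """Crude DGA heuristic: a long, high-entropy first label containing digits.
    The thresholds are assumptions; tune them against your own traffic."""
    label = qname.split(".")[0]
    return (len(label) >= 10
            and shannon_entropy(label) >= 3.5
            and any(ch.isdigit() for ch in label))


def analyse(dns_text=DNS_LOG, conn_text=CONN_LOG, blocklist=BLOCKLIST):
    """Return (alert type, client, detail) tuples from DNS checks and DNS/flow correlation."""
    alerts = []
    answers = defaultdict(list)  # (client, answer IP) -> DNS records
    for rec in parse_dns(dns_text):
        answers[(rec.client, rec.answer)].append(rec)
        if rec.qname in blocklist:
            alerts.append(("blocklisted-domain", rec.client, rec.qname))
        elif is_dga_like(rec.qname):
            alerts.append(("dga-like-domain", rec.client, rec.qname))
    for conn in parse_conn(conn_text):
        # A destination this client never resolved (within WINDOW) was reached by
        # a hard-coded or externally resolved address: the classic C2 pattern and
        # exactly the gap that DNS logging closes.
        preceding = [r for r in answers.get((conn.client, conn.dst), [])
                     if timedelta(0) <= conn.time - r.time <= WINDOW]
        if not preceding:
            alerts.append(("connection-without-dns", conn.client, conn.dst))
    return alerts


if __name__ == "__main__":
    for alert in analyse():
        print(*alert)
```

On the sample data this raises three alerts: the blocklisted lookup by 10.0.0.5, the random-looking label queried by 10.0.0.7, and the connection from 10.0.0.9 to 192.0.2.77 that no DNS answer explains. The normal lookups from the same clients produce nothing, which is the point of correlating rather than alerting on every query.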

But what about those pesky cache poisoning attacks, also known as DNS spoofing?

DNS cache poisoning attacks exploit weaknesses in the DNS protocol or in a resolver's implementation to inject a forged record into the resolver's cache, so that traffic meant for a legitimate server is drawn towards an attacker-controlled one. This type of attack is dangerous because the client is silently redirected and, since the poisoned data sits in the shared cache of the DNS server, every user of that resolver is affected until the forged record expires.

Back in the early nineties, the era of the early World Wide Web, Sony Discmans and beepers (we've come a long way, kids!), the Internet Engineering Task Force (IETF) started thinking about ways to make DNS more secure. The first DNSSEC specification appeared in 1997 (RFC 2065), and the revised Domain Name System Security Extensions still in use today, aka DNSSEC, were formally published in 2005 as RFC 4033, 4034 and 4035.

DNS Security Extensions, better known as DNSSEC, is a technology that was developed to, among other things, protect against cache poisoning attacks by digitally signing DNS data so a resolver can be assured that the answer it received is the one the zone owner published. DNSSEC uses public-key signatures in much the same way GPG signs an email: each signature proves the integrity of the answer and that it was produced by the holder of the zone's key. The zone publishes its public keys in DNSKEY records and a signature over each record set in an RRSIG record, which allows recursive resolvers (or clients) to validate the answers. There is no central certificate authority; instead the parent zone publishes a DS record in the delegation, a hash of the child zone's key, so trust chains from the root zone down to the name being queried.
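The delegation step described above, as an added example that is not part of the original Cisco post: it builds a DNSKEY RDATA, computes the key tag (RFC 4034 Appendix B) and the DS digest over the owner name in wire format plus the RDATA (RFC 4034 section 5.1.4), and then replays the check a validating resolver performs when it reaches a delegation. The key bytes are a constructed placeholder, not a real RSA or ECDSA public key, and signature (RRSIG) verification is not shown.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase labels, each prefixed
    with its length, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            data = label.encode("ascii")
            if not 1 <= len(data) <= 63:
                raise ValueError("bad label: %r" % label)
            out += bytes([len(data)]) + data
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (257 = KSK with SEP bit), protocol (always 3),
    algorithm number, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag, used to pick the right DNSKEY from an RRset."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = H(owner name in wire format || DNSKEY RDATA)."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).digest()


def ds_record(owner, flags, algorithm, public_key, digest_type=2):
    """The DS RDATA the parent publishes: (key tag, algorithm, digest type, digest)."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    return (key_tag(rdata), algorithm, digest_type,
            ds_digest(owner, rdata, digest_type).hex().upper())


def parent_validates_child_key(published_ds, owner, flags, algorithm, public_key):
    """What a validating resolver does at a delegation: recompute the DS from the
    DNSKEY the child served and compare it with the DS the parent signed."""
    recomputed = ds_record(owner, flags, algorithm, public_key, published_ds[2])
    return recomputed == published_ds


if __name__ == "__main__":
    # Constructed placeholder key bytes; a real key is hundreds of bytes long.
    ds = ds_record("example.com", 257, 8, b"\x01\x02")
    print("example.com. IN DS %d %d %d %s" % ds)
    print("matches:", parent_validates_child_key(ds, "example.com", 257, 8, b"\x01\x02"))
    print("tampered:", parent_validates_child_key(ds, "example.com", 257, 8, b"\x01\x03"))
```

Changing a single byte of the key changes the DS, which is why an attacker who can forge a DNSKEY answer for a zone still cannot get it accepted: the parent's signed DS does not match. Owner-name case does not affect the digest because the wire form is lowercased first.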

Cisco Umbrella now supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities. Customers can have the confidence that Cisco Umbrella is protecting their organization from cache poisoning attacks, without having to perform validation locally. Note that validation at the resolver covers the path from the authoritative servers to the resolver; DNSSEC signs data but does not encrypt it, so the last hop between a client and the resolver still depends on the client trusting that resolver (and, where available, on an encrypted transport to it).

Cisco Umbrella supports DNSSEC

Cisco Umbrella delivers the best, most reliable, and fastest internet experience to every single one of our more than 100 million users. We are the leading provider of network security and DNS services, enabling the world to connect to the internet with confidence on any device.

Get the details on how Cisco Umbrella supports DNSSEC.


Source :
https://umbrella.cisco.com/blog/2020/01/28/what-is-dnssec-and-why-is-it-important/

Emotet Malware Now Hacks Nearby Wi-Fi Networks to Infect New Victims

Emotet, the notorious trojan behind a number of botnet-driven spam campaigns and ransomware attacks, has found a new attack vector: using already infected devices to identify new victims that are connected to nearby Wi-Fi networks.

According to researchers at Binary Defense, the newly discovered Emotet sample leverages a "Wi-Fi spreader" module to scan Wi-Fi networks, and then attempts to infect devices that are connected to them.

The cybersecurity firm said the Wi-Fi spreader has a timestamp of April 16, 2018, indicating the spreading behavior has been running "unnoticed" for close to two years until it was detected for the first time last month.

The development marks an escalation of Emotet's capabilities, as networks in close physical proximity to the original victim are now susceptible to infection.

How Does Emotet's Wi-Fi Spreader Module Work?

The updated version of the malware works by leveraging an already compromised host to list all the nearby Wi-Fi networks. To do so, it makes use of the Windows wlanAPI interface to extract each network's SSID, signal strength, authentication method (WPA, WPA2, or WEP) and the cipher used to protect the connection.

On obtaining the information for each network this way, the worm attempts to connect to the networks by brute-forcing the passphrase with passwords taken from one of two internal password lists. If a connection attempt fails, it moves on to the next password in the list. It's not immediately clear how this list of passwords was put together.


But if the operation succeeds, the malware connects the compromised system to the newly accessed network and begins enumerating all non-hidden shares. It then carries out a second round of brute forcing to guess the usernames and passwords of the accounts on those network resources.

After successfully brute-forcing user accounts and their passwords, the worm moves to the next phase by installing a malicious payload, named "service.exe", on the newly infected remote systems. To cloak its behavior, the payload is registered as a service called Windows Defender System Service (WinDefService).

In addition to communicating with a command-and-control (C2) server, the service acts as a dropper and executes the Emotet binary on the infected host.

The fact that Emotet can jump from one Wi-Fi network to the other puts the onus on companies to secure their networks with strong passphrases (and not WEP, which is broken regardless of the password) to prevent unauthorized access. On the host side, the malware can be detected by actively monitoring for processes and services whose executable runs from temporary folders or from user profile application data folders.

Emotet: From Banking Trojan to Malware Loader

Emotet, which was first identified in 2014, has morphed from its original roots as a banking Trojan to a "Swiss Army knife" that can serve as a downloader, information stealer, and spambot depending on how it's deployed.

Over the years, it has also been an effective delivery mechanism for ransomware. Lake City's IT network was crippled last June after an employee inadvertently opened a suspicious email that downloaded the Emotet Trojan, which in turn downloaded TrickBot trojan and Ryuk ransomware.

Although Emotet-driven campaigns largely disappeared throughout the summer of 2019, it made a comeback in September via "geographically-targeted emails with local-language lures and brands, often financial in theme, and using malicious document attachments or links to similar documents, which, when users enabled macros, installed Emotet."

"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet's capabilities," Binary Defense researchers concluded. "Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords."

Coronavirus Affecting Business as Remote Workforces Expand Beyond Expected Capacity

The novel coronavirus epidemic is a major global health concern. To help prevent the spread of the new virus, organizations, businesses and enterprises are protecting their workforce and allowing employees to work remotely. This practice helps limit individual contact with large groups or crowds (e.g., restaurants, offices, transit) where viruses can easily spread.

As such, ‘stay at home’ is a common phrase in many health-conscious regions this week. According to the BBC, the city of Suzhou said businesses would remain closed until Feb 8, if not longer. As of 2018, Suzhou had a population of more than 10.7 million people.

On Jan. 30, the World Health Organization labeled the outbreak as a global health emergency. In response, the U.S. Department of State issued a Level 4 travel advisory for China (do not travel).

Precautions like these are causing unexpected increases in mobile workers; many organizations don’t have enough virtual private network (VPN) licenses to accommodate the increase of users. This is a serious risk as employees will either not have access to business resources or, worse, they will do so via non-secure connections.

Organizations and enterprises in affected areas should review their business continuity plans. The National Law Review published a useful primer for employers and organizations managing workforces susceptible to coronavirus outbreaks. In addition, leverage SonicWall's "5 Core Practices to Ensure Business Continuity."

What is the coronavirus?

Coronavirus (2019-nCoV) is a respiratory illness first identified in Wuhan, China, but cases have since been reported in the U.S., Canada, Australia, Germany, France, Thailand, Japan, Hong Kong, and nine other countries. In an effort to contain the virus, the Chinese authorities have suspended air and rail travel in the area around Wuhan.

According to Centers for Disease Control and Prevention (CDC), early patients in the outbreak in China “reportedly had some link to a large seafood and animal market, suggesting animal-to-person spread. However, a growing number of patients reportedly have not had exposure to animal markets, indicating person-to-person spread is occurring. At this time, it’s unclear how easily or sustainably this virus is spreading between people.”

The latest situation summary updates are available via the CDC: 2019 Novel Coronavirus, Wuhan, China.

Inside Cybercriminal Inc.: SonicWall Exposes New Cyberattack Data, Threat Actor Behaviors in Latest Report

For cybercriminals and threat actors, the digital frontier is a lawless panorama of targets and opportunity. Despite the best intentions of government agencies, law enforcement and oversight groups, the modern cyber threat landscape is more agile and evasive than ever before.

For this reason, SonicWall Capture Labs threat researchers work tirelessly to arm organizations, enterprises, governments and businesses with actionable threat intelligence to stay ahead in the global cyber arms race.

And part of that dedication starts with the 2020 SonicWall Cyber Threat Report, which provides critical threat intelligence to help you better understand how cybercriminals think — and be fully prepared for what they’ll do next.

Global Malware Dips, But More Targeted

For the last five years, cybercriminals overwhelmed organizations with sheer volume. But as cyber defenses evolved, more volume was not resulting in higher paydays. A change was in order.

In 2018, cybercriminals began to leverage more evasive and pointed attacks against “softer” targets. In 2019, global malware volume dipped, but attacks were more targeted with higher degrees of success, particularly against the healthcare industry, and state, provincial and local governments.

All told, SonicWall Capture Labs threat researchers recorded 9.9 billion malware attacks* in 2019 — a slight 6% year-over-year decrease.

Ransomware targets state, provincial and local governments

‘Spray and pray’ is over. Cybercriminals are using ransomware to surgically target victims that are more likely to pay given the sensitive data they possess or funds at their disposal (or both). Now it’s all about ‘big-game hunting.’

The report outlines the most egregious ransomware attacks of 2019, while also painting a picture of the evolution of ransomware families and signatures, including Cerber, GandCrab, HiddenTear and more.

Fileless malware spikes in Q3

Fileless malware is malicious code that lives only in memory (RAM), for example injected into a legitimate process or launched through built-in tooling, without writing its own executable to disk. Because there is no file to scan or to recover from the hard drive, it evades disk-based antivirus and forensic strategies; memory capture and command-line or script logging are what catch it.

The use of fileless malware ebbed and flowed in 2019. But exclusive SonicWall data shows a massive mid-year spike for this savvy technique.

Encrypted threats growing consistently

Another year, another jump in the use of encrypted threats. Until more organizations proactively and responsibly inspect TLS/SSL traffic, this attack vector will only expand.

IoT malware volume rising

From hacked doorbell cameras to rogue nanny cams, 2019 was an alarming year for the security and privacy of IoT devices. Trending data suggests more IoT-based attacks are on the horizon.

Cryptojacking crumbles

In early 2019, the collapse in cryptocurrency prices (Coinhive mined Monero, not bitcoin) made the legitimate Coinhive mining service unviable, and its shutdown in March 2019 took the Coinhive-based cryptojacking malware down with it. The result was the virtual disappearance of one of the previous year's most prevalent malware families.


Source :
https://blog.sonicwall.com/en-us/2020/02/sonicwall-exposes-new-cyberattack-data-threat-actor-behaviors-in-latest-report/

How to Minify HTML in WordPress Without a Plugin

What is HTML Minification?

When you minify HTML it removes the unnecessary characters and lines in the source code. Indentation, comments, empty lines, etc. are not required in HTML. They just make the file easier to read. Cutting out all this unnecessary stuff can shave down your file size considerably. When you minify HTML code on your website, the server will send a much smaller page to the client making your website load quicker.

WordPress creates pages on demand by executing PHP code to put together the HTML version of your site and querying your database to get the content to insert into that HTML. There is no physical file that we can download and minify ourselves, so we will need to use a bit of PHP code inside the functions.php file of your theme. This code will compress the output HTML before being sent to your visitors. Below are two screenshots that show a webpage before and after HTML Minification.

[Screenshot: page source before HTML minification]

[Screenshot: page source after HTML minification]

Step 1: Create a Child Theme

Before we edit the functions.php file, it’s always best to create a child theme. Using a child theme will allow you to revert back to the parent theme if there are problems. Also, any changes you make will not be deleted if your parent theme gets updated.

If you prefer not to create a child theme or you do not feel comfortable doing this on your own, there is a great lightweight plugin you can use called Code Snippets. Code Snippets is an easy, clean and simple way to add code snippets to your site. It removes the need to add custom snippets to your theme’s functions.php file.

Step 2: Edit your Child Theme functions.php File

There are 2 different ways we can edit the functions.php file in your child theme.

Inside WordPress Control Panel

While you are logged into WordPress you can access and edit the functions.php file of your theme by going to Appearance > Editor and selecting Theme Functions on the right hand side of the page. Be aware that a PHP syntax error saved into functions.php can take the whole site offline, so keep a copy of the original file and make sure you also have cPanel or FTP access to revert it.

Edit the File Directly in cPanel

Log into your cPanel File Manager. Go to public_html/wp-content/themes/ and choose the folder of your current theme, or of your child theme if you have created one. The functions.php file will be inside that theme folder.

Copy and paste the code below inside your functions.php file and save.

class FLHM_HTML_Compression
{
    // Feature switches: set to false to leave inline CSS/JS untouched,
    // to drop the size-report comment, or to keep HTML comments.
    protected $flhm_compress_css = true;
    protected $flhm_compress_js = true;
    protected $flhm_info_comment = true;
    protected $flhm_remove_comments = true;
    protected $html = '';

    public function __construct($html)
    {
        if (!empty($html)) {
            $this->flhm_parseHTML($html);
        }
    }

    public function __toString()
    {
        return $this->html;
    }

    // Appends a comment reporting the bytes saved; handy when checking "View page source".
    protected function flhm_bottomComment($raw, $compressed)
    {
        $raw = strlen($raw);
        $compressed = strlen($compressed);
        $savings = ($raw - $compressed) / $raw * 100;
        $savings = round($savings, 2);
        return '<!--HTML compressed, size saved ' . $savings . '%. From ' . $raw . ' bytes, now ' . $compressed . ' bytes-->';
    }

    protected function flhm_minifyHTML($html)
    {
        // Tokenise the page into <script>, <style>, comments, tags and text runs.
        $pattern = '/<(?<script>script).*?<\/script\s*>|<(?<style>style).*?<\/style\s*>|<!(?<comment>--).*?-->|<(?<tag>[\/\w.:-]*)(?:".*?"|\'.*?\'|[^\'">]+)*>|(?<text>((<[^!\/\w.:-])?[^<]*)+)|/si';
        preg_match_all($pattern, $html, $matches, PREG_SET_ORDER);
        $overriding = false; // inside a "no compression" region
        $raw_tag = false;    // inside <pre> or <textarea>, where whitespace matters
        $strip = false;      // initialised so the first text token never reads an undefined variable
        $html = '';
        foreach ($matches as $token) {
            $tag = (isset($token['tag'])) ? strtolower($token['tag']) : null;
            $content = $token[0];
            if (is_null($tag)) {
                if (!empty($token['script'])) {
                    $strip = $this->flhm_compress_js;
                } else if (!empty($token['style'])) {
                    $strip = $this->flhm_compress_css;
                } else if ($content == '<!--wp-html-compression no compression-->') {
                    // A marker comment toggles compression off and on again.
                    $overriding = !$overriding;
                    continue;
                } else if ($this->flhm_remove_comments) {
                    if (!$overriding && $raw_tag != 'textarea') {
                        // Drop comments, but keep IE conditional comments.
                        $content = preg_replace('/<!--(?!\s*(?:\[if [^\]]+]|<!|>))(?:(?!-->).)*-->/s', '', $content);
                    }
                }
            } else {
                if ($tag == 'pre' || $tag == 'textarea') {
                    $raw_tag = $tag;
                } else if ($tag == '/pre' || $tag == '/textarea') {
                    $raw_tag = false;
                } else {
                    if ($raw_tag || $overriding) {
                        $strip = false;
                    } else {
                        $strip = true;
                        // Remove empty attributes except those that are meaningful when empty.
                        $content = preg_replace('/(\s+)(\w++(?<!\baction|\balt|\bcontent|\bsrc)="")/', '$1', $content);
                        $content = str_replace(' />', '/>', $content);
                    }
                }
            }
            if ($strip) {
                $content = $this->flhm_removeWhiteSpace($content);
            }
            $html .= $content;
        }
        return $html;
    }

    public function flhm_parseHTML($html)
    {
        $this->html = $this->flhm_minifyHTML($html);
        if ($this->flhm_info_comment) {
            $this->html .= "\n" . $this->flhm_bottomComment($html, $this->html);
        }
    }

    protected function flhm_removeWhiteSpace($str)
    {
        $str = str_replace("\t", ' ', $str);
        $str = str_replace("\n", '', $str);
        $str = str_replace("\r", '', $str);
        while (stristr($str, '  ')) {
            $str = str_replace('  ', ' ', $str);
        }
        return $str;
    }
}

// Output-buffer callback: WordPress hands the finished page here before it is sent.
function flhm_wp_html_compression_finish($html)
{
    return new FLHM_HTML_Compression($html);
}

function flhm_wp_html_compression_start()
{
    ob_start('flhm_wp_html_compression_finish');
}

// Start buffering as early as the header is rendered so the whole page is captured.
add_action('get_header', 'flhm_wp_html_compression_start');

Step 3: Make Sure Everything is Working

After you have added the code, you can check to see if the HTML is being minified on Google Chrome by right clicking the page and selecting “View page source.” If everything is working correctly, it should look like the example picture I gave at the top of this page.

I highly recommend you check all aspects of your website after you add this code. Check and make sure all plugins and theme functionality is working properly. Pay particular attention to pages with inline <script> blocks, <pre> or <textarea> content and conditional comments: the code above is a regular-expression tokenizer, not a real HTML parser, so those are the places where stripping whitespace or comments can change behavior.

If you enjoyed this tutorial, please be sure to follow us on Facebook and Twitter. You can also find us on Freelancer if you need some help with your WordPress website or web development issues.

Source :
https://zuziko.com/tutorials/how-to-minify-html-in-wordpress-without-a-plugin/