Ready to Start Your Career?Create Free Account
October 13, 2017
UNM4SK3D: Kaspersky, Equifax, and Microsoft
October 13, 2017
October 13, 2017
#spiesSpies spying on spies? A recent article from the New York Times describes Israeli intelligence officers visibility into Kaspersky's network in 2015 where they witnessed Russian government hackers hacking US government hackers. This may sound like the complicated plot of a Hollywood movie, but the story that's unfolding is real. And very frightening, as it appears antivirus software made by Russian company, Kaspersky Lab, used by 400 million people worldwide was infiltrated by Russia, who was discovered by a later intrusion by Israel. Although unreported, the Israeli government alerted the United States to the broad Russian intrusion of Kaspersky. This prompted US officials to remove Kaspersky software for government computers. Despite the removal of the software, the Russian operation was previously able to steal "classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed." Because Kaspersky Lab’s products require access to everything stored on a computer in order to scour it for viruses or other dangers, this allowed Russian intelligence to exploit the contents of computers and retrieve information.“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in a statement Tuesday afternoon. Kaspersky Lab also said it “respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity.” There has been speculation that Kaspersky’s popular antivirus software might provide a back door for Russian intelligence. Unfortunately, their products are used by the State Department, the Department of Defense, Department of Energy, Justice Department, Treasury Department and the Army, Navy and Air Force, among others.
The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security. -statement from Department of Homeland SecurityFor more on the removal of Kaspersky products from government computers, read the KnowBe4 blog.
#adwareThe Equifax blunder can't get any worse, right? Wrong. Security Analyst Randy Abram discovered that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to websites infested with adware. Palm meet face. Abrams himself was looking for his credit report on Equifax when he was redirected to a website with a Flash Player installation pop-up. He reported that the browsing session took him through multiple domains before the final page was reached, hosted at aa.econsumer.equifax.com. According to Security Week, "An analysis of the domains involved in the redirection chain shows that they can lead not only to adware. The final destination depends on the type of device and the geographical location of the user."After news of this issue began to circulate, an Equifax spokesperson stated, “We are aware of the situation identified on the equifax.com website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.” In related news, Equifax has also announced on October 10th that sensitive data on some "700,000 consumers was exposed from 15.2 million hacked client records in Britain."
The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis. -Equifax spokespersonTo get caught up on all of the happenings with Equifax, read last week's version of 'UNM4SK3D.'
#patchesMicrosoft was busy plugging security holes this week, including the patching of critical Windows DNS client vulnerabilities and a Microsoft Office vulnerability which has been exploited in the wild. Discovered by researcher Nick Freeman of Bishop Fox, the DNS vulnerabilities could allow an attack on a local network or in a man-in-the-middle position to insert a malicious payload into a DNS response to a Windows machine’s DNS request and trigger the vulnerability. These bugs affects Windows 8 and Windows 10 clients, and Windows Server 2012 and 2016. Fortunately, it does not appear as though any attacker has exploited the vulnerabilities, but admins are urged to patch their systems. “These are the sorts of vulnerabilities attackers love because they can give them keys to the kingdom for an entire organization. Rather than attacking individuals’ laptops or desktops, an attacker can go after entire companies and their infrastructures,” said Bishop Fox Senior Security Associate, Dan Petro.The other Microsoft vulnerability, CVE-2017-11826, is already being exploited in the wild and could allow remote code execution if a user opens a specially crafted Office file. Researchers from Qihoo 360 Core Security were the first to detect the vulnerability in which the attacker embedded malicious .docx in the RTF files. Then, by reversing analysis of the sample C&C, they discovered that the attack was initiated in August. As with the DNS vulnerabilities, administrators are urged to patch immediately as an attacker could overtake a system.
If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. -MicrosoftHow can poor patch management effect your organization? Read 'Poor Patch Management: A Cyber Security Risk' for insight.