Cyber Weekly Roundup – March 24, 2017

Weekly Roundup

Cyber Weekly Roundup – March 24, 2017

1.) The Clever ‘DoubleAgent’ Attack Turns Antivirus Into Malware (March 23, 2017)

https://www.wired.com/2017/03/clever-doubleagent-attack-turns-antivirus-malware/

Summary: Your antivirus software might come with some annoyances. It might slow your computer down, or pop up so many alerts that you can’t tell when something is actually wrong. But researchers have discovered a more sinister downside: A well-intentioned debugging tool found in many versions of Microsoft Windows can be used maliciously to gain access to vulnerable antivirus programs, and weaponize them.

Why it matters: There’s a certain irony to antivirus – in order to patrol a system and protect it against threats, it has to have a deep level of access into the system and a high level of inherent trust from the OS. Because of this trust, attacks against antivirus can have serious consequences, as it will give the attackers a deep level of control over the victim’s device. While this would not be a problem if vulnerabilities were few and far between in antivirus software, the truth is that it is code like any other application, and vulnerabilities are often found.

That’s not to say that antivirus brings more risks than benefits, but in an age where the attackers can mutate their code faster than signature-based antivirus can keep up, and attacks often rely on tricking the user into giving the attacker the access they need, antivirus is no longer the silver bullet it once appeared to be.

2.) USB pen-testing stick: what happens if it falls into malicious hands? (March 22, 2017)

https://nakedsecurity.sophos.com/2017/03/22/usb-pen-testing-stick-what-happens-if-it-falls-into-malicious-hands/

Summary: Back in September, many tech publications highlighted a killer stick: a USB stick marketed to pen testers and law enforcement that could be used to test the surge protection circuitry of electronics. Test, or, as the case may be for devices lacking surge protection, zap to death. The so-called USB Killer – which comes from a Hong Kong company – looks like a standard USB drive, but it’s actually filled with capacitors.

Why it matters: Plugging random USB sticks into your devices can infect them, but the USB Killer ups the risk by destroying the device that’s powering it. This isn’t a Trojan, a root kit, or other malware – this is physically destroying a computer/cell phone by building up a charge from the power the device tries to provide the USB Killer, then dumping built up electrical charge back onto the device in a way it is not meant to receive power. The USB Killer is yet another example of the risks of using untrusted devices into personal/corporate computing environments.

3.) Shift your perspective on cybercrime to realize how well you’re doing (March 21, 2017)

http://www.csoonline.com/article/3183456/leadership-management/shift-your-perspective-on-cybercrime-to-realize-how-well-you-re-doing.html

Summary: A report recently surfaced placing the global impact of cybercrime at a staggering $450B. Naturally, it pressed on the tender wound and supplied further evidence that we are woefully unprepared, globally, to tackle such a complex challenge. But what if we’re looking at the numbers the wrong way?

Why it matters: This article provides an interesting spin on how to place cybersecurity losses into context. However, there are a few considerations worthy of further investigation.

For instance, a core tenant of cybersecurity is that the amount spent to mitigate risk should consider the cost of not mitigating the risk. Ideally, this is to make sure we don’t spend more to protect an asset than the asset is worth, but consider this: according to research released by the International Data Corporation in October 2016, businesses are expected to spend $101.6 billion on cybersecurity by 2020. A large number, but when placed in context of the amount being lost now (which is four times greater), one may think that it would be worth spending more in line with the cost of the risk itself.

In other words, knowing we are losing $450B annually and only spending a quarter of that is poor attribution of money. Rather than spend the money on these losses, it makes more sense to spend this money on protecting organizational assets before they are lost.

4.) Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam (March 17, 2017)

https://krebsonsecurity.com/2017/03/govt-cybersecurity-contractor-hit-in-w-2-phishing-scam/

Summary: Just a friendly reminder that phishing scams which spoof the boss and request W-2 tax data on employees are intensifying as tax time nears. The latest victim shows that even cybersecurity experts can fall prey to these increasingly sophisticated attacks.

Why it matters: Nothing reminds us that tax season is coming to a close quite like the uptick in W-2 fraud. Phishing continues to be an effective means of compromising businesses, and cyber criminals have been using this social engineering technique for years to attack businesses at its weak points – its people. While the company affected may have been in the business of cybersecurity, all it takes is one employee to fall for the scam and have them hand over the tax info to the criminals. This risk is magnified as these attacks target finance and HR departments – those trained on providing good customer service, but aren’t necessarily required to be cybersecurity-conscious to effectively perform their job.

User training on the dangers of social engineering techniques is always money well spent – well secured systems are meaningless if users are not trained on the day-to-day risks expected in their position. In addition, organizations should investigate data loss prevention technologies that help prevent users from inadvertently emailing personally identifiable information (such as SSNs in W-2s) outside the corporate boundaries. Investing in multiple controls will provide defense-in-depth, and help businesses avoid embarrassment associated with leaking personal information.

5.) VM Escape Earns Hackers $105K at Pwn2Own (March 17, 2017)

https://threatpost.com/vm-escape-earns-hackers-105k-at-pwn2own/124397/

Summary: Hackers managed to take down Microsoft Edge and escape a virtual machine to boot on the third day of Pwn2Own early Friday. Members from Qihoo’s 360 Security Team carried out the VM exploit, earning the group $105,000, by far the highest amount awarded to a group at the hacking challenge this week.

Why it matters: Pwn2Own always offers a unique look at how hackers can chain a series of exploits together to cause much, much more serious vulnerabilities. Starting by escaping the Microsoft Edge Browser’s sandbox, which is used to keep the user safe from malicious content, these hackers were able to gain access to the windows kernel, giving them access to the system as a whole, then compromise the virtual machine running Windows to compromise the host of multiple virtual machines. This is a serious escalation of compromise, and escaping a virtual machine to access every other virtual instance on the host is a serious vulnerability, especially as more and more organizations move to cloud solutions that are heavily reliant on virtualization.

The reward for this attack is well-earned, and should serve as a reminder to security engineers and policy makers of how important it is to have good patch management and defense-in-depth. A single bug may not be a big deal, but mixed with other bugs, it can compromise an entire organization.