It’s the beginning of a new year, a new decade — and a new era of cyberthreats. Update your security plan to address these new vulnerabilities, new attack variants, and new trends.
SafeBreach Discovers New Vulnerabilities
SafeBreach Labs announced major vulnerabilities this fall:
- Intel Rapid Storage Technology Service: SafeBreach Labs was able to load arbitrary DLL files and execute code within IAStorDataMgrSvc.exe. This vulnerability could be used to achieve defense evasion and persistence.
- ASUS ATK Package: This package, pre-installed on ASUS computers, allowed researchers to target the ASDR Service. After it was started, the AsLdrSrv.exe signed process was executed as NT AUTHORITY\SYSTEM. A hacker needs administrator privileges to exploit this vulnerability.
- Acer Quick Access: Once started, Acer Quick Access executed QAAdminAgent.exe as NT AUTHORITY\SYSTEM. It can allow a hacker to achieve persistence, defense evasion, and possibly privilege escalation by loading arbitrary unassigned DLL.
- Lenovo System Interface Foundation service: This service, pre-installed on Windows-based Lenovo PCs executes Lenovo.Modern.ImController.PluginHost.Device.exe as NT AUTHORITY\SYSTEM after start. The service allowed researchers to load an arbitrary DLL and execute code.
Action Items:
- Identify workstations or devices that have these vulnerabilities
- Access vendor security advisories and CVEs and apply patches.
HydSeven Phishing Scam Moves from Mac OS X to Windows and Linux
HydSeven targeted Cambridge University Mac OS X users during the summer of 2019, using Cambridge’s own domain against victims. Prevailion researchers identified two new variants this fall that attack Windows and Linux users. The attacks delivered remote access tools that allow hackers to run commands and send and receive data.
Action Items:
Prevailion recommends:
- Using a personal firewall
- Mitigating risk with NoScript
- Updating incident response plans
- Training employees
- Investigating the entire network after an incident, not just the machine where the attack was detected
Dridex Malware
US-CERT issued an alert about Dridex Malware, a prevalent financial trojan. Dridex is usually distributed via phishing email campaigns that include a combination of legitimate business names, domains, and language that trick recipients into opening attachments.
Once it’s downloaded, Dridex can download additional software, establish a virtual network, or delete data. US-CERT says the primary threat to financial activity is its ability to detect access to online banking applications and website, inject keylogging software and steal customer logins.
Action Items:
US-Cert recommends:
- Making sure systems do not default to execute macros
- Training employees
- Updating intrusion detection and prevention systems
- Performing regular backups
- Updating antivirus signatures and engines
- Enabling personal firewalls
- Disabling unnecessary services
- Scanning for potentially malicious downloads and email attachments
- Keeping patches up to date
- Disabling file sharing services or enforce strong passwords and authentication
Cybercriminals Charged
There have been some major wins for law enforcement in the area of cybercrime:
On December 5, 2019, the U.S. Department of Justice announced that Maksim Yakubets of Moscow, Russia, known online as “aqua,” was charged in two international computer hacking and bank fraud schemes that took place from May 2009 to present. A second person, Igor Turashev of Yoshkar-Ola, Russia, was also indicted for his role in the Bugat, aka Cridex or Dridex, malware campaign. The pair are allegedly leaders in one of the most sophisticated transnational cybercrime syndicates. Charges include capturing banking credentials and making unauthorized electronic bank transfers. A second criminal complaint charges Yakubets with conspiracy to commit bank fraud using the Zeus malware, with attempted theft of $220 million and losses of about $70 million.
On December 21, 2019, a 22-year-old hacker who attempted to blackmail Apple for $100,000 pleaded guilty in London. Kerem Albayrak of North London claimed to have access to more than 300 million iCloud accounts and threatened to remotely wipe users’ devices if the ransom was not paid. He was sentenced to a two-year suspended jail term, 300 hours of unpaid work and six months of electronic curfew.
Malware Activity Update
Symantec reports that overall malware activity decreased in November 2019 by 2.5 percent, and Ransomware activity was also down by 18 percent from the previous month. Symantec also reports Ramnit remains the most prevalent financial trojan, accounting for 73.8 percent of all activity; Zbot is second with 14.3 percent.
For more security updates and insights, visit DevPro Journal’s Security resources page. 
