More than 1,000 security employees in as many as 17 countries participated in the survey. Most said the biggest hurdle to mounting an adequate defense against cyber threats today is the lack of skilled personnel. (Poor security awareness and an inability to sift through enormous piles of data tied for second place.)

The survey, which included 1,200 respondents working in 19 industries, was compiled by CyberEdge Group, a research and marketing firm serving high-tech vendors and service providers.

More interesting is the feedback collected from respondents who said their organizations were infected with ransomware in the last year. (Ransomware tied with phishing attacks for the second most crucial security concern; the first, as per usual, is malware.)

Slightly more than half of the respondents’ organizations that actually paid a ransom to recover stolen or encrypted data—either in Bitcoin or some other anonymous currency—were unable to recover their data. In total, the report says, a little under 39 percent of the organizations resolved to pay.

“Flip a coin once to determine whether your organization will be affected by ransomware,” CyberEdge suggests. “If it will be, flip it again to determine whether paying the ransom will actually get your data back.”

Source: Major Survey of IT Pros Reveals Why Everything Gets Hacked All the Damn Time

On a Samba 4 AD DC the LDAP server in all versions of Samba from
4.0.0 onwards incorrectly validates permissions to modify passwords
over LDAP allowing authenticated users to change any other users'
passwords, including administrative users and privileged service
accounts (eg Domain Controllers).

The LDAP server incorrectly validates certain LDAP password
modifications against the "Change Password" privilege, but then
performs a password reset operation.

Source: Samba – Security Announcement Archive

The hardcoded password issue affects Cisco’s Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers.

Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.
Flaw considered critical despite “local” attack vector

The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as “critical.”
Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

The reasons are that an attacker can infect another device on the same network and use it as a proxy for his SSH connection to the vulnerable Cisco PCP instance, allowing for remote, over-the-Internet exploitation.

Source: Hardcoded Password Found in Cisco Software

Highly painful

Tal Be’ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer’s browser and go to a web address that does not use https—that is, a web address that does not encrypt traffic between a user’s machine and the website. The attacker’s malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.

Source: Researchers Bypassed Windows Password Locks With Cortana Voice Commands – Motherboard

When the mysterious entity known as the “Shadow Brokers” released a tranche of stolen NSA hacking tools to the internet a year ago, most experts who studied the material homed in on the most potent tools, so-called zero-day exploits that could be used to install malware and take over machines. But a group of Hungarian security researchers spotted something else in the data, a collection of scripts and scanning tools that the National Security Agency uses to detect other nation-state hackers on the machines it infects.

It turns out those scripts and tools are just as interesting as the exploits. They show that in 2013 — the year the NSA tools were believed to have been stolen by the Shadow Brokers — the agency was tracking at least 45 different nation-state operations, known in the security community as advanced persistent threats, or APTs. Some of these appear to be operations known by the broader security community — but some may be threat actors and operations currently unknown to researchers.

The scripts and scanning tools dumped by Shadow Brokers and studied by the Hungarians were created by an NSA team known as Territorial Dispute, or TeDi. Intelligence sources told The Intercept that the NSA established the team after hackers, believed to be from China, stole designs for the military’s Joint Strike Fighter plane, along with other sensitive data, from U.S. defense contractors in 2007; the team was supposed to detect and counter sophisticated nation-state attackers more quickly, when they first began to emerge online.

“As opposed to the U.S. only finding out in five years that everything was stolen, their goal was to try to figure out when it was being stolen in real time,” one intelligence source told The Intercept.

But their mission evolved to also provide situational awareness for NSA hackers to help them know when other nation-state actors are in machines that they’re trying to hack.

Source: Leaked Files Show How the NSA Tracks Other Countries’ Hackers

Earlier this month, we published our first article of our Internet of Things series, “IoD – Internet of Dildos“. As promised, we expanded our research and would like to present you with the first results of our “IoB – Internet of Babies” research.

Baby monitors serve an important purpose in securing and monitoring our loved ones. Unfortunately, the investigated device “Mi-Cam” from miSafes (and potentially further devices) is affected by a number of critical security vulnerabilities which raise serious security and privacy concerns. An attacker is able to access and interact with arbitrary video baby monitors and hijack other user accounts. Based on observed user identifier values extracted from the cloud API and Google Play store data, an estimated total number over 52000 user accounts and video baby monitors are affected (implying a 1:1 distribution of user accounts to video baby monitors). Even worse, neither the vendor nor the CNCERT/CC could be reached for the coordination for our responsible disclosure process. Hence the issues are (up until the publication of this article) not patched and our recommendation is to keep the video baby monitors offline until further notice.

Source: Internet of Babies – When baby monitors fail to be smart | SEC Consult

IBM X-Force Incident Response and Intelligence Services (IRIS) assesses that threat groups of likely Nigerian origin are engaged in a widespread credential harvesting, phishing and social engineering campaign designed to steal financial assets. Beginning in the fall of 2017, X-Force IRIS experienced a significant increase in clients reporting instances of fraud or attempted fraud via wire transfer payments. These threat groups successfully used business email compromise (BEC) scams to convince accounts payable personnel at some Fortune 500 companies to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.
[…]
Business email compromise scams involve taking over or impersonating a trusted user’s email account to target companies that conduct international wire transfers with the goal of diverting payments to an attacker-controlled account.

These attacks are almost entirely based on phishing and social engineering, and are thus attractive to cybercriminals due to their relative simplicity. In most cases, BEC scams involve little to no technical knowledge, malware or special tools.

A recent report by Trend Micro predicted that BEC attacks will comprise over $9 billion in losses in 2018, up from $5.3 billion at the end of 2016. According to the FBI, BEC scams have been reported in every U.S. state and across 131 nations, and have resulted in high-profile arrests.
[…]
The following tactics were common to the attacks examined by X-Force IRIS researchers:

Phishing emails were sent either directly from or spoofed to appear to be from known contacts in the target employee’s address book.

Attackers mimicked previous conversations or inserted themselves into current conversations between business email users.

Attackers masqueraded as a known contact from a known vendor or associated company and requested that wire payments be sent to an “updated” bank account number or beneficiary.

Attackers created mail filters to ensure that communications were conducted only between the attacker and victim and, in some cases, to monitor a compromised user’s inbox.

In cases in which additional approval or paperwork was needed, the attackers found and filled out appropriate forms and spoofed supervisor emails to get required approvals.

Without the use of any malware, and with legitimate stakeholders performing the actual transactions, traditional detection tools and spam filters failed to identify evidence of a compromise.
[…]
The BEC scams identified by IBM incident responders consist of two separate but connected goals. The first is to harvest mass amounts of business user credentials, and the second is to use these credentials to impersonate their rightful owners and ultimately trick employees into diverting fund transfers to bank accounts the attackers control.

To achieve the first goal, the attackers used credential sets they had already compromised to send a mass phishing email to the user’s internal and external contacts. The phish was often sent to several hundred contacts at a time and was engineered to look legitimate to the spammed contacts.
[…]
To accomplish the second goal, the attackers focused on stolen credentials from companies that use single-factor authentication and an email web portal. For example, companies that only require a username and password for employees to access their Microsoft Office 365 accounts were compromised. Using email web portals ensured the attackers’ ability to complete these attacks online and without compromising the victim’s corporate network. The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts.

Before engaging with any employee, the attackers likely undertook a reconnaissance phase, looking through activity within the user’s email folders in search of subjects and opportunities to exploit and, eventually, creating or inserting themselves into relevant conversations.
[…]
Since the attackers conducted correspondence from a victim user’s email, they created email rules to keep the victim unaware of the compromise. In cases in which the attackers impersonated the user, the attackers auto-deleted all emails delivered from within the user’s company. They likely did this to prevent the user from seeing any fraudulent correspondence or unusual messages in his or her inbox. Additionally, the attacker auto-forwarded email responses to a different email to read the responses without logging in to the compromised account.

Separately, when attackers used stolen credentials to send mass phishing emails, they simultaneously set up an email rule to filter all responses to the phish, undelivered messages, or messages containing words such as “hacked” or “email” to the user’s RSS feeds folder and marked them as read.

Source: IBM X-Force IRIS Uncovers Active Business Email Compromise Campaign Targeting Fortune 500 Companies