Security daily (09-07-2021)

Configure SAML single sign-on for Kibana with AD FS on Amazon Elasticsearch Service

It’s a common use case for customers to integrate identity providers (IdPs) with Amazon Elasticsearch Service (Amazon ES) to achieve single sign-on (SSO) with Kibana. This integration makes it possible for users to leverage their existing identity credentials and offers administrators a single source of truth for user and permissions management. In this blog post, […] (AWS Security Blog)

Jack Cable, Stanford student and cyber whiz, aims to crowdsource ransomware details

Ransomware has never been more of a national security concern after a string of hacks against the fuel supplier Colonial Pipeline, meat giant JBS and perhaps thousands of others compromised after a breach at a large IT firm. Few people, if any, seem to grasp the breadth and cost of the scourge, as there are no legal requirements for victims to disclose when they pay hackers to unlock their network. That, combined with the suspicion that most victims don't report their digital extortion payments, makes it harder for law enforcement and security firms to combat attacks, or even understand how to fight them. That's the impetus behind a project that Stanford University student and security researcher Jack Cable launched on Thursday, dubbed "Ransomwhere," a plan to track payments to bitcoin addresses associated with known ransomware gangs. "Having public transparency around the impact of ransomware, especially as we're proposing and considering different […] The post Jack Cable, Stanford student and cyber whiz, aims to crowdsource ransomware details appeared first on CyberScoop. (CyberScoop)

Biden again urges Putin to disrupt ransomware gangs operating inside Russia

President Joe Biden pushed Russian President Vladimir Putin to disrupt ransomware groups operating within Russian borders in a phone call Friday, according to a White House statement. "I made it very clear to him that the United States expects [that] when a ransomware operation is coming from his soil even though it's not sponsored by the state, we expect [Russia] to act if we give them enough information to act on who that is," Biden told reporters after the call. The call came on the heels of the latest major cyberattack against a U.S. company. REvil, a ransomware group believed to be in Russia, hit Florida-based IT software company Kaseya last week. Researchers have suggested that the hack affected between 1,500 and 2,000 companies. The Kremlin says it has not received any official requests from U.S. law enforcement to take action regarding the recent cyberattack. A senior White House official responded by […] The post Biden again urges Putin to disrupt ransomware gangs operating inside Russia appeared first on CyberScoop. (CyberScoop)

Critical 'PrintNightmare' bug in Microsoft's Windows tech is still causing headaches

More than a week later, Microsoft is still trying to shake off its PrintNightmare. That's the nickname for a bug for which a proof-of-concept exploit was accidentally published online on June 30. Microsoft on Tuesday issued an emergency update for the critical flaw, which affects the Print Spooler service, present in all versions of Windows, that manages interactions between computers and printers. The vulnerability could allow hackers to take over computers remotely. But on Thursday Microsoft had to fend off claims from researchers that its patch didn't work. "Our investigation has shown that the … security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare," the company wrote. "All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration." Previously, the patch had encountered other problems, such as breaking connections […] The post Critical 'PrintNightmare' bug in Microsoft's Windows tech is still causing headaches appeared first on CyberScoop. (CyberScoop)

Where do all those cybercrime payments go?

Yes, the headline is a rhetorical question. But sometimes we get literal answers, and they're well worth remembering. (Naked Security)

Morgan Stanley Discloses Data Breach That Resulted From Accellion FTA Hacks

(News ≈ Packet Storm)

Kroger Reaches $5M Settlement With Breach Victims

(News ≈ Packet Storm)

Lazarus Targets Job-Seeking Engineers With Malicious Documents

(News ≈ Packet Storm)

The FBI's Fake Encrypted Honeypot Phones Are Showing Up Online

(News ≈ Packet Storm)

Here's How Much Microsoft Paid In Bug Bounties Last Year

(News ≈ Packet Storm)

Magecart Hackers Hide Stolen Credit Card Data Into Images for Evasive Exfiltration

Cybercrime actors part of the Magecart group have latched on to a new technique of obfuscating the malware code within comment blocks and encoding stolen credit card data into images and other files hosted on the server, once again demonstrating how the attackers are continuously improving their infection chains to escape detection. "One tactic that some Magecart actors employ is the dumping of (The Hacker News)
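The item above says stolen card data is being encoded into images hosted on the compromised server but does not say how. One check a practitioner can run on a web root, added here as an example and not code from The Hacker News article or from any Magecart research, is to look for bytes appended after an image's end marker, since a valid-looking image that keeps growing after its terminator is worth a second look. The script assumes the JPEG end-of-image marker (FF D9) and the PNG IEND chunk plus its fixed CRC (49 45 4E 44 AE 42 60 82); the function names and the sample bytes at the bottom are constructed for this example.

```powershell
# Added example for this digest; not from the article it follows.
# Flags image files that carry extra bytes after the format's end marker.

function Compare-Slice {
    # True when $Needle appears in $Haystack starting at byte offset $Offset.
    param([byte[]]$Haystack, [int]$Offset, [byte[]]$Needle)
    if ($Offset + $Needle.Length -gt $Haystack.Length) { return $false }
    for ($j = 0; $j -lt $Needle.Length; $j++) {
        if ($Haystack[$Offset + $j] -ne $Needle[$j]) { return $false }
    }
    return $true
}

function Test-ImageTrailer {
    # Returns Format, TrailerBytes (bytes after the end marker; -1 if no marker), Note.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $len = $Bytes.Length
    $result = [pscustomobject]@{ Format = 'unknown'; TrailerBytes = 0; Note = '' }

    # JPEG: SOI (FF D8) at offset 0. Search for the LAST EOI (FF D9) so the EOI of
    # an embedded EXIF thumbnail is not mistaken for the end of the file.
    # Caveat: appended binary data that itself contains FF D9 will be undercounted.
    if ($len -ge 4 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xD8) {
        $result.Format = 'JPEG'
        for ($i = $len - 2; $i -ge 0; $i--) {
            if ($Bytes[$i] -eq 0xFF -and $Bytes[$i + 1] -eq 0xD9) {
                $result.TrailerBytes = $len - ($i + 2)
                return $result
            }
        }
        $result.TrailerBytes = -1
        $result.Note = 'no EOI marker found'
        return $result
    }

    # PNG: 8-byte signature; the IEND chunk type + CRC should be the last 8 bytes.
    $pngSig = [byte[]](0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A)
    $iend   = [byte[]](0x49,0x45,0x4E,0x44,0xAE,0x42,0x60,0x82)
    if ($len -ge 16 -and (Compare-Slice $Bytes 0 $pngSig)) {
        $result.Format = 'PNG'
        for ($i = $len - 8; $i -ge 8; $i--) {
            if (Compare-Slice $Bytes $i $iend) {
                $result.TrailerBytes = $len - ($i + 8)
                return $result
            }
        }
        $result.TrailerBytes = -1
        $result.Note = 'no IEND chunk found'
        return $result
    }

    $result.Note = 'not a JPEG or PNG signature'
    return $result
}

function Find-StuffedImages {
    # Walks a directory tree and reports images with data after their end marker.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.jpg,*.jpeg,*.png |
        ForEach-Object {
            $r = Test-ImageTrailer -Bytes ([System.IO.File]::ReadAllBytes($_.FullName))
            if ($r.TrailerBytes -gt 0) {
                [pscustomobject]@{ File = $_.FullName; Format = $r.Format; TrailerBytes = $r.TrailerBytes }
            }
        }
}

# Constructed sample (not a real capture): a minimal JPEG (SOI + EOI) and the same
# bytes with a fake card record appended after EOI, as a skimmer might leave it.
$clean   = [byte[]](0xFF,0xD8,0xFF,0xD9)
$payload = [System.Text.Encoding]::ASCII.GetBytes('4111111111111111|12/24|123')
$stuffed = [byte[]]($clean + $payload)
Test-ImageTrailer -Bytes $clean
Test-ImageTrailer -Bytes $stuffed
```

Run `Find-StuffedImages -Root /var/www/html` (path assumed) on the server's document root; a non-zero TrailerBytes on a file the CMS did not just upload is a lead, not proof, since some tools legitimately append metadata, so compare against a known-good copy before acting.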

New SaaS Security Report Dives into the Concerns and Plans of CISOs in 2021

For years, security professionals have recognized the need to enhance SaaS security. However, the exponential adoption of Software-as-a-Service (SaaS) applications over 2020 turned slow-burning embers into a raging fire.  Organizations manage anywhere from thirty-five to more than a hundred applications. From collaboration tools like Slack and Microsoft Teams to mission-critical applications (The Hacker News)

Critical Flaws Reported in Philips Vue PACS Medical Imaging Systems

Multiple security vulnerabilities have been disclosed in Philips Clinical Collaboration Platform Portal (aka Vue PACS), some of which could be exploited by an adversary to take control of an affected system. "Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install (The Hacker News)

Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files

While it's a norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt victims to enable macros in order to trigger the infection chain directly, new findings indicate attackers are using non-malicious documents to disable security warnings prior to executing macro code to infect victims' computers. In yet another instance of malware authors continue to evolve (The Hacker News)

Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability

Even as Microsoft expanded patches for the so-called PrintNightmare vulnerability for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code (The Hacker News)
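Both PrintNightmare items above turn on the same point: Microsoft says the bypass reports relied on Point and Print registry settings changed to an insecure configuration. The audit below is an added example, not code from CyberScoop, The Hacker News or Microsoft; the registry path and value names are taken from Microsoft's July 2021 guidance and are assumptions relative to this page, which does not spell them out. It reads those values, treats an absent value as the Windows default, and reports the Spooler service state so hosts that never print can have it disabled. Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example for this digest; not from the articles or from Microsoft.
# Audits the Point and Print policy values tied to PrintNightmare bypass reports.

function Get-RegDword {
    # Returns the DWORD at $Path\$Name as [int], or $null when key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-PointAndPrintPosture {
    # Path and value names assumed from Microsoft's July 2021 Point and Print guidance.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    $checks = @(
        @{ Name = 'NoWarningNoElevationOnInstall'; SafeValue = 0
           Why  = 'any other value removes the warning/elevation prompt for driver installs' },
        @{ Name = 'UpdatePromptSettings'; SafeValue = 0
           Why  = 'any other value weakens the prompt for driver updates' },
        @{ Name = 'RestrictDriverInstallationToAdministrators'; SafeValue = 1
           Why  = 'non-administrators may install printer drivers unless this is 1' }
    )

    foreach ($c in $checks) {
        $actual = Get-RegDword -Path $key -Name $c.Name
        $shown  = if ($null -eq $actual) { 'absent' } else { $actual }
        # Absent means the OS default applies: 0 for the two prompt settings (safe),
        # and, on July 2021 builds, not enforced for the admin-only restriction (unsafe).
        $ok   = if ($null -eq $actual) { $c.SafeValue -eq 0 } else { $actual -eq $c.SafeValue }
        $note = if ($ok) { '' } else { $c.Why }
        [pscustomobject]@{ Setting = $c.Name; Value = $shown; Safe = $ok; Note = $note }
    }

    # Spooler state: stopping and disabling it removes the attack surface on hosts that do not print.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $state   = if ($spooler) { "$($spooler.Status) / $($spooler.StartType)" } else { 'not found' }
    $safe    = ($null -eq $spooler) -or ($spooler.Status -ne 'Running')
    [pscustomobject]@{
        Setting = 'Spooler service'
        Value   = $state
        Safe    = $safe
        Note    = 'stop and disable on hosts that do not need to print'
    }
}

Get-PointAndPrintPosture | Format-Table -AutoSize
```

A row with Safe = False for either prompt setting is exactly the "insecure configuration" Microsoft's statement refers to; set the value back to 0 (or remove it) through Group Policy rather than by hand so it does not drift again.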

Microsoft Office Users Warned on New Malware-Protection Bypass

Word and Excel documents are enlisted to disable Office macro warnings, so the Zloader banking malware can be downloaded onto systems without security tools flagging it. (Threatpost)
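The two items above (The Hacker News and Threatpost) describe a first-stage document that turns off Office's macro warnings before the real payload runs. Office stores those per-user settings in the registry, so a quick way to spot a machine that has already been softened up is to read them back. The script below is an added example, not code from either article or from Microsoft; it assumes the `VBAWarnings` value (1 = enable all macros, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification) and the `AccessVBOM` value (1 = trust access to the VBA project object model) under the per-application `Security` key for Office 2010, 2013 and 2016/2019/365 (versions 14.0, 15.0, 16.0). It checks both the user hive and the policy hive, since a policy value overrides the user one.

```powershell
# Added example for this digest; not from the articles or from Microsoft.
# Reports Office macro-security registry values for the current user.

function Get-OfficeMacroPosture {
    # Version numbers, application names and value names are assumptions
    # about where Office keeps these settings; they are not named on this page.
    $versions = '14.0', '15.0', '16.0'
    $apps     = 'Word', 'Excel', 'PowerPoint'
    $hives    = @(
        @{ Label = 'user';   Root = 'HKCU:\Software\Microsoft\Office' },
        @{ Label = 'policy'; Root = 'HKCU:\Software\Policies\Microsoft\Office' }
    )
    $labels = @{
        1 = 'enable all macros (dangerous)'
        2 = 'disable with notification (default)'
        3 = 'disable except digitally signed'
        4 = 'disable all, no notification'
    }

    foreach ($v in $versions) {
        foreach ($app in $apps) {
            foreach ($h in $hives) {
                $path = Join-Path -Path $h.Root -ChildPath "$v\$app\Security"
                if (-not (Test-Path -Path $path)) { continue }

                # Reading the whole key avoids an error when a value is missing;
                # a missing property simply comes back as $null.
                $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
                $warn  = $props.VBAWarnings
                $vbom  = $props.AccessVBOM
                if ($null -eq $warn -and $null -eq $vbom) { continue }

                $risk = @()
                if ($warn -eq 1) { $risk += 'all macros enabled' }
                if ($vbom -eq 1) { $risk += 'VBA object model trusted (macros can write macros)' }

                $warnText = if ($null -eq $warn) { 'absent (default)' }
                            elseif ($labels.ContainsKey([int]$warn)) { "$warn = $($labels[[int]$warn])" }
                            else { "$warn (unexpected)" }

                [pscustomobject]@{
                    Version     = $v
                    Application = $app
                    Hive        = $h.Label
                    VBAWarnings = $warnText
                    AccessVBOM  = if ($null -eq $vbom) { 'absent' } else { $vbom }
                    Risk        = ($risk -join '; ')
                }
            }
        }
    }
}

Get-OfficeMacroPosture | Format-Table -AutoSize
```

Run it as the user whose profile you are investigating; HKCU is per user, so on a shared host load the other profiles' hives under HKU first. A `Risk` column that is not empty is the state the first-stage document leaves behind, and resetting `VBAWarnings` to 2 (or enforcing 3 or 4 via the policy hive) closes it.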

Cisco BPA, WSA Bugs Allow Remote Cyberattacks

The high-severity security vulnerabilities allow elevation of privileges, leading to data theft and more. (Threatpost)

Lazarus Targets Job-Seeking Engineers with Malicious Documents

Notorious North Korean APT impersonates Airbus, General Motors and Rheinmetall to lure potential victims into downloading malware. (Threatpost)


/security-daily/ 10-07-2021 23:44:23