Security Leftovers
- Gone Phishing: Hunting for Malicious Industrial-Themed Emails to Prevent Operational Technology Compromises [Ed: Microsoft Windows TCO]
- Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) | Mandiant
Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet's FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa.
- Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware, (Wed, Jan 18th) [Ed: Microsoft Windows TCO]
Google ads are a common vector for malware distribution. Do a Google search for any popular free software download. Review any search results marked "Ad" or "Sponsored," then check the link to see if anything is unusual.
[...]
Shown above: Windows Defender doesn't like this type of downloaded EXE file.
- 5 Email Best Practices to Mitigate the Rising Threat of Cyber Attacks
One of the more unfortunate trends that have been taking shape in recent years is the increasing prevalence of cyber attacks. As businesses have become more reliant on digital platforms, hackers and other malicious actors have been quick to take advantage of any weakness they can find in a company’s system.
- Some weird effects you can get from shared Let's Encrypt accounts
To get TLS certificates from Let's Encrypt, you must create and register an 'account', which is really a keypair and some associated information. The normal practice is to have a separate LE account for each machine that you use to get TLS certificates, and I think this is a good idea, because authorization to issue TLS certificates for a given name is tied to the account, not to a host. If you move a (HTTPS) website from one host to another, there are two interesting effects that can happen.
- Security Advisory 2023-01 for PowerDNS Recursor 4.8.0 | PowerDNS Blog
Today we have released PowerDNS Recursor 4.8.1 due to a high-severity issue found.
Please find the full text of the advisory below.
- Navigating the Trade-Offs of Cyber Attribution | Mandiant
Attribution matters, but to what extent? The game of cyber whodunit is often perceived as a clean and binary question, where threat activity is either attributed or it is not. Yet, it is typically a more complex process that regularly involves difficult trade-offs.
Different forms of attribution—ranging from simply linking threat clusters together to identifying the names and faces of an adversary—present vastly different challenges and resource requirements. Analysts making attribution judgements must also weigh up several competing priorities, including the deadlines set by stakeholders, the completeness of data, and the confidence level behind their assessments.