Hacker, coder, tinkerer, brewer, recovering sysadmin, and infosec professional.

InfoSec News Highlights - Cisco Layoffs, Locky Ransomware, and Cisco and Fortigate Shadow Brokers Exploits

Cisco Layoffs

Well, the “shortage” of IT and InfoSec professionals may have just been solved by Cisco. Yesterday Cisco announced it is planning to cut 5,500 jobs from its workforce. The layoffs will supposedly allow the company to invest in key priorities such as security, IoT, collaboration, next-generation data center, and cloud.

Locky Ransomware

A massive email campaign distributing Locky ransomware has been detected by FireEye. The ransomware is being distributed via .DOCM macro-enabled Office 2007 Word documents. There are not a lot of differences between this campaign and ones from earlier in the month, mainly a change in the keys used to encode the macro and payload. The big difference being seen in campaigns distributing Locky this month is the switch from a JavaScript downloader to a DOCM attachment. This latest campaign is targeting mainly the healthcare industry in the US and Japan. With the recent new guidelines about ransomware from the U.S. Department of Health and Human Services, I’m betting we’re going to see some breach notifications in the coming months.

Cisco and Fortigate Shadow Brokers Exploits

More developments out of The Shadow Brokers dump of the NSA exploits. While researchers are pretty confident that the dump is from 2013, it appears that it does still contain zero-days. Both Cisco and Fortigate have confirmed that there are real exploits against their platforms in the dump. Cisco identified two exploits in the dump, EPICBANANA and EXTRABACON, that can allow remote code execution against its firewall products. The vulnerability exploited by EPICBANANA has been patched, but there is currently no fix for the vulnerability exploited by EXTRABACON. The attacker must know the SNMP community string to successfully use EXTRABACON, but honestly, how many are “public” or very easily guessable? I would expect to see a huge spike in attacks using EXTRABACON in the coming days. Cisco has released Snort rules to detect EXTRABACON. Fortigate is faring a little better. The EGREGIOUSBLUNDER exploit only impacts Fortigate firmware versions 4.x and lower released before Aug 2012; firmware 5.x is not affected. There are other exploits for Watchguard and TOPSEC products. While those companies have not released any information, I would not be surprised if there are zero-days against these platforms in the dump.
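With no patch available, the practical question for an ASA owner is exactly the one raised above: is the community string guessable, and from where can the SNMP service be reached? Below is an added example, not Cisco's tooling and not part of the original post, that audits a running-config for those two things. It assumes the Cisco-style `snmp-server community <string>` and `snmp-server host <interface> <ip> ... community <string>` line formats, assumes the untrusted interface is named `outside`, and runs over a constructed sample config.

```python
"""Audit SNMP community strings and SNMP host entries in a firewall config.

Added example (not Cisco's own tooling). Assumptions: Cisco-style
'snmp-server community <string>' and
'snmp-server host <iface> <ip> [poll|trap] community <string> ...' lines,
and that the Internet-facing interface is named 'outside'. The config below
is constructed for illustration.
"""
import re

WELL_KNOWN = {"public", "private", "cisco", "admin", "snmp", "community",
              "read", "write", "secret", "monitor"}
UNTRUSTED_IFACE = "outside"  # assumed naming convention
MIN_LENGTH = 12

COMMUNITY_LINE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)", re.I)
HOST_LINE = re.compile(
    r"^\s*snmp-server\s+host\s+(\S+)\s+(\S+).*?\bcommunity\s+(\S+)", re.I)

# Constructed sample running-config (not a real device).
SAMPLE_CONFIG = "\n".join([
    "hostname fw-edge",
    "snmp-server community public",
    "snmp-server host inside 192.0.2.10 community public version 2c",
    "snmp-server host outside 198.51.100.5 poll community N3tM0n-Xq7$pL2vR9 version 2c",
    "snmp-server community priv4te",
])


def weaknesses(community: str) -> list:
    """Return the reasons a community string is considered weak (empty if none)."""
    issues = []
    if community.lower() in WELL_KNOWN:
        issues.append("well-known default")
    if len(community) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([any(c.isdigit() for c in community),
                   any(c.isalpha() for c in community),
                   any(not c.isalnum() for c in community)])
    if classes < 3:
        issues.append("low character diversity")
    return issues


def audit(config: str) -> list:
    """Walk the config and return one finding per problematic SNMP line."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = COMMUNITY_LINE.match(line)
        if m:
            issues = weaknesses(m.group(1))
            if issues:
                findings.append({"line": lineno, "community": m.group(1),
                                 "issues": issues})
            continue
        m = HOST_LINE.match(line)
        if m:
            iface, host, community = m.groups()
            issues = weaknesses(community)
            if iface.lower() == UNTRUSTED_IFACE:
                # Even a strong string does not help if SNMP is exposed on the
                # untrusted side; the service should only face management.
                issues.append(f"SNMP host on untrusted interface '{iface}'")
            if issues:
                findings.append({"line": lineno, "community": community,
                                 "host": host, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['community']!r}: {', '.join(f['issues'])}")
```

The audit is deliberately config-driven rather than network-driven: it reads a saved configuration and never sends SNMP traffic, so it can run from a change-management pipeline. Beyond rotating weak strings, the findings map onto the usual mitigations: restrict SNMP to the management interface, move to SNMPv3 with authentication, and deploy the Snort signatures Cisco released so that attempts are at least visible.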