Stats & Trends
The Barkly Team
Jun 2018

This Week in Security: What's New and What to Do About It (6.11.18)


What security news this week is actually urgent and what's just hype? Introducing Barkly's Tragic Quadrant.

There’s so much happening in the world of security on a week-to-week basis that it’s difficult to know what to focus on and determine what actually matters.

Rather than just hitting you with another “week-in-review” recap, we want to provide something that helps you separate what’s interesting from what’s actionable and a true priority. Enter: The Barkly "Tragic Quadrant." 

How the Tragic Quadrant works

[Image: Tragic Quadrant working template]

The purpose of the quadrant is to help you quickly determine priorities by seeing the week’s security news organized by likelihood (chances it could impact your organization) and impact (potential magnitude of the fallout if it does).

The four quadrants

Each of the news stories we're highlighting will fall into one of four quadrants:

  • Urgent (high likelihood, high impact): You should investigate this news and, if possible, act on it right away.

  • Important/Mitigate (low likelihood, high impact): The odds of being exposed to this threat aren't as high, but the high cost of being caught unprepared makes these stories worth reading. 

  • Important/Monitor (high likelihood, low impact): Chances are, you may have direct exposure to this threat. Because the consequences aren't as high, however, you may want to simply monitor for them rather than treating them as top priorities.

  • Deprioritize (low likelihood, low impact): We're not saying these stories aren't worth reading, we're just saying start with the others first. 

How we decide what goes where

First, we understand other people may choose to put these stories and events in different places. We're positioning them based on our assessment of potential impact and the likelihood that an organization will be hit.

As an example, you might find a campaign in the top right that has already been seen frequently, spreads without human interaction, and wipes all data on a target. That makes it high likelihood (seen frequently, spreads quickly) and high impact (destroyed data).  

In the top left are those attacks that are being seen frequently, or that spread easily, but that aren’t destroying anything, stealing credentials, or generally blowing up the organizations they affect. Think cryptojacking.

Bottom right? Big impact, but not very likely. Think of a recently reported vulnerability that is as yet unproven, with no exploit or proof of concept available. It may be important and in the press, but it isn’t an urgent threat yet.

These positions, along with other indicators, provide a quick view of our impressions of priority, actionability, and hype. The goal is to help you sort through the week's security news and understand at a glance what is critical and what may just be generating a lot of noise. 

To that end, in addition to quadrant placement, we'll also be labeling news items based on two additional factors:

  • Is it actionable?
    • If yes and there’s a patch, we label it green.
    • If yes and there’s some form of mitigation, we label it orange.
    • If no, we label it black.
  • How much hype is this story getting?
    • The more attention and headlines (as determined by Google search results and Feedly popularity count), the bigger the dot.


With all that laid out, let's take a look at this week's quadrant.

This week’s Tragic Quadrant

[Image: Barkly Tragic Quadrant, week of 6/11/18]


Status: Urgent

IQY Files Used to Evade AV, Download Malware via Excel

Source: Barkly

New Necurs spam campaigns have been spotted using a little-known file type to infect victims with the FlawedAmmyy remote access trojan (RAT). Once opened, these .iqy files automatically launch Excel and attempt to download a malicious PowerShell script, which triggers additional downloads. Because .iqy files are essentially simple text files that contain no malicious content, AVs don’t do a good job of scanning or blocking them. With these campaigns ramping up, admins are advised to block .iqy files as soon as possible.
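Because an .iqy file is plain text whose whole purpose is to make Excel fetch a URL, triage can work on the text itself rather than on signatures. The following is an added example (not Barkly's code) that parses the minimal Excel Web Query layout and flags any query whose URL points at a host outside an allowlist you control; the allowlist, host names and sample files are constructed for the example.

```python
"""Triage .iqy (Excel Web Query) files: parse the plain-text layout and flag
queries that would fetch from a host you do not control.
Added example, not Barkly's code; allowlist and samples are constructed."""
from urllib.parse import urlparse

# Assumption: the only legitimate web-query source in this environment.
ALLOWED_HOSTS = {"reports.intranet.example"}


def parse_iqy(text: str) -> dict:
    """Parse the minimal IQY layout: a 'WEB' header, a version line, the URL,
    then optional key=value settings (Selection, Formatting, ...). Blank
    lines, including the usually empty POST-data line, are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return {"is_web_query": False}
    settings = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return {"is_web_query": True, "version": lines[1],
            "url": lines[2], "settings": settings}


def assess_iqy(text: str, allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Return a verdict ('ignore' for non-web-query text, 'allow', or
    'block') together with the reasons behind it."""
    info = parse_iqy(text)
    if not info["is_web_query"]:
        return {"verdict": "ignore", "reasons": ["no WEB header"], "url": None}
    parsed = urlparse(info["url"])
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme or '(none)'}")
    if host not in allowed_hosts:
        reasons.append(f"host {host or '(none)'} not on allowlist")
    return {"verdict": "block" if reasons else "allow",
            "reasons": reasons, "url": info["url"]}


# Constructed samples (not real campaign artifacts).
BENIGN_IQY = ("WEB\n1\nhttps://reports.intranet.example/sales.html\n\n"
              "Selection=AllTables\nFormatting=None\n")
SUSPICIOUS_IQY = "WEB\n1\nhttp://203.0.113.10/update\n\nFormatting=None\n"  # TEST-NET address
NOT_IQY = "just some text\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_IQY), ("suspicious", SUSPICIOUS_IQY), ("other", NOT_IQY)]:
        print(name, assess_iqy(sample))
```

In a mail gateway or endpoint script this would run over every attachment with an .iqy extension (and, if you are strict, over any small text attachment that starts with `WEB`), quarantining anything that comes back `block`. If the organization has no legitimate use for web queries at all, an empty allowlist turns the check into the blanket block the article recommends.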

Status: Important/Mitigate 

Adobe Patches Flash Zero-Day (CVE-2018-5002)

Source: Bleeping Computer

Researchers from Chinese security company Qihoo 360 discovered this vulnerability being used to conduct targeted attacks in the wild prior to a patch being available. The targeted campaigns utilized Office files that loaded SWF files, which in turn exploited the Flash vulnerability to gain code execution on the victim’s machine. Adobe has fixed the vulnerability with the release of Flash Player 30.0.0.113, but now that the exploit has been disclosed, it’s only a matter of time before other attackers add it to their own repertoire. In other words, time to patch.

VPNFilter Update: Exploits Endpoints, Targets New Devices

Source: Talos

Turns out VPNFilter, the malware that infected 500,000 routers and network storage devices worldwide and triggered a warning from the FBI, is actually worse than initially thought. In addition to targeting more makes and models of devices than originally reported, the malware also has further capabilities, including the ability to intercept and inject malicious code into network traffic. That extends the threat beyond the compromised network devices to other endpoints on the network.

Status: Important/Monitor

VBScript RCE Vulnerability CVE-2018-8174 Headed for Widespread Abuse

Source: Barkly

CVE-2018-8174 was a zero-day flaw originally spotted in the wild in late April, prompting Microsoft to include a fix in its May 2018 Security Update. Working PoC exploit code for the vulnerability was posted on GitHub two weeks later, and in a matter of days it was already being incorporated into the RIG exploit kit as well as the Threadkit exploit builder, which provides weaponized Word documents that take advantage of the flaw.

Additional quick take: The good news is Microsoft has provided a patch for this. The bad news is this year has been a patching nightmare following the disclosure of Meltdown and Spectre and all the update snafus that have followed. A lot of admins are (wisely) being cautious and taking more time rolling out patches — 72% according to a recent survey we did.

Exposure to this exploit is magnified because there are actually two ways of deploying it: Users with unpatched systems can get infected either by drive-by-downloads (via the RIG EK, for example), or by opening Word documents delivered via malicious emails (the original infection vector researchers spotted in the wild and one that’s now being fueled by Threadkit).

As far as impact goes, the RIG campaigns are currently deploying a cryptominer, which means potential damage is comparatively low. That could change, however, as RIG payloads are constantly being cycled in and out.

Status: Deprioritize

“Zip Slip” Vulnerability Affects Thousands of Projects Across Many Ecosystems

Source: Snyk

Discovered by researchers at Snyk, this flaw essentially gives attackers the ability to create Zip archives that let them overwrite legitimate files and potentially replace them with malicious versions. The problem is the flaw isn’t a Zip file format issue. Instead, it’s a much broader vulnerability that affects a multitude of open source software libraries and their ecosystems. The good news is Snyk has posted a list of the affected libraries and projects and many of them have updates available that fix this issue.
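The mechanism behind Zip Slip is an extraction routine that joins an archive entry's name onto the destination directory without checking whether the result still lies inside it, so an entry named with `../` segments lands elsewhere on disk. The added example below (my own code, not Snyk's and not any affected library's) builds a small archive in memory with one such entry, shows a naive extractor writing outside its target directory, and contrasts it with a hardened extractor that resolves every entry's final path and refuses the whole archive if any entry escapes. Python's own `ZipFile.extractall` already strips `..` components, which is why the vulnerable loop is written by hand.

```python
"""Zip Slip: naive archive extraction that trusts entry names versus a
hardened extractor that confines every entry to the destination.
Added example (not Snyk's or any affected library's code); the archive and
its traversal entry name are constructed for the demonstration."""
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed archive: one benign entry and one '../' traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../../evil.txt", "lands two directories above dest")
    return buf.getvalue()


def naive_extract(data: bytes, dest: str) -> list:
    """VULNERABLE: joins each entry name onto dest with no validation,
    the pattern behind Zip Slip."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_within(base: str, target: str) -> bool:
    """True if target resolves to base itself or to a path beneath it.
    commonpath (not a string prefix test) avoids the '/tmp/x' vs '/tmp/xy' trap."""
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    return os.path.commonpath([base_real, target_real]) == base_real


def safe_extract(data: bytes, dest: str) -> list:
    """HARDENED: validate every entry before writing anything, so a
    malicious archive produces no partial extraction at all."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_within(dest_real, os.path.join(dest_real, info.filename)):
                raise ValueError(f"Zip Slip entry rejected: {info.filename!r}")
        for info in zf.infolist():
            target = os.path.join(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors in a scratch tree and report what happened."""
    data = build_sample_zip()
    root = os.path.realpath(tempfile.mkdtemp(prefix="zipslip-"))
    naive_dest = os.path.join(root, "naive", "out")
    safe_dest = os.path.join(root, "safe", "out")
    os.makedirs(naive_dest)
    os.makedirs(safe_dest)

    naive_extract(data, naive_dest)
    escaped = os.path.isfile(os.path.join(root, "evil.txt"))  # outside naive_dest

    try:
        safe_extract(data, safe_dest)
        blocked = False
    except ValueError:
        blocked = True
    wrote_anything = os.path.exists(os.path.join(safe_dest, "docs"))
    return {"naive_escaped": escaped, "safe_blocked": blocked,
            "safe_wrote_anything": wrote_anything}


if __name__ == "__main__":
    print(demo())  # {'naive_escaped': True, 'safe_blocked': True, 'safe_wrote_anything': False}
```

Two design points carry over to any language: resolve the final path (symlinks included) before comparing, and compare with a path-aware containment test rather than a string prefix, since `/tmp/x` is a prefix of `/tmp/xy`. Validating all entries before writing any of them is what keeps a rejected archive from leaving a half-extracted tree behind.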

Prowli Malware Targeting Servers, Routers, and IoT Devices

Source: The Hacker News

As if one massive botnet wasn’t enough, news of VPNFilter has now been accompanied by reports of “Operation Prowli,” a collection of more than 40,000 compromised servers, modems, and IoT devices. Researchers have estimated victims include over 9,000 businesses across numerous verticals, including finance, education, and government organizations. Attackers behind Prowli are abusing infected devices to mine cryptocurrency, install malicious browser extensions, and redirect them to malicious websites.

Before you go — we want your feedback!

The Tragic Quadrant is a new feature we're trying out and we want to know what you think. Is it helpful? Are there any changes we should make? Would you be excited to see it become a weekly post? If not, we're hoping you'll let us know that, too!

Please take 2 minutes to share your feedback in a survey we created here

Any and all feedback and questions are welcome!

The Barkly Team
