Monday, April 30, 2018

TrendLabs: XTRAT and DUNIHI Backdoors Bundled with Adwind in Spam Mails

Figure 1. Adwind detections between January 1 and April 17, 2018
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/xtrat-and-dunihi-backdoors-bundled-with-adwind-in-spam-mails/

Sunday, April 29, 2018

Google GDPR policy

---------- Forwarded message ----------
From: Google
Subject: Important updates about the General Data Protection Regulation (GDPR)

In August last year, we announced our commitment to comply with Europe’s new General Data Protection Regulation (GDPR). Last month, we shared more about our GDPR policy, contract and product changes and today, we wanted to share new Help Center articles for DFP/AdX, AdMob and AdSense which provide more information on these changes. The articles cover:
  • Controller responsibilities
  • Consent support
  • Choice and control over ads personalisation
If you have any questions about this update, please don't hesitate to reach out to your account team or contact us through the Help Center.
Thanks,
The Google Team

TrendLabs: Not Only Botnets: Hacking Group in Brazil Targets IoT Devices With Malware

Figure 6. List of proxy addresses
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/not-only-botnets-hacking-group-in-brazil-targets-iot-devices-with-malware/

RememBear Official Launch

If you’ve never used a password manager, RememBear will happily walk you through setting your account up with straightforward instructions and animations.

REF: https://www.remembear.com/blog/remembear-official-launch/

TrendLabs: Necurs Evolves to Evade Spam Detection via Internet Shortcut File

Figure 1. A diagram of a previous version of the Necurs malware.
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/

Wednesday, April 25, 2018

[USN-3632-1] Linux kernel (Azure) vulnerabilities

It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
(CVE-2017-1000407)

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
  https://usn.ubuntu.com/usn/usn-3632-1
  CVE-2017-0861, CVE-2017-1000407, CVE-2017-15129, CVE-2017-16994,
  CVE-2017-17448, CVE-2017-17450, CVE-2017-17741, CVE-2017-17805,
  CVE-2017-17806, CVE-2017-17807, CVE-2018-1000026, CVE-2018-5332,
  CVE-2018-5333, CVE-2018-5344, CVE-2018-8043

Tuesday, April 24, 2018

[USN-3629-1] MySQL vulnerabilities

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-22.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

References:
  https://usn.ubuntu.com/usn/usn-3629-1
  CVE-2018-2755, CVE-2018-2758, CVE-2018-2759, CVE-2018-2761,
  CVE-2018-2762, CVE-2018-2766, CVE-2018-2769, CVE-2018-2771,
  CVE-2018-2773, CVE-2018-2775, CVE-2018-2776, CVE-2018-2777,
  CVE-2018-2778, CVE-2018-2779, CVE-2018-2780, CVE-2018-2781,
  CVE-2018-2782, CVE-2018-2784, CVE-2018-2786, CVE-2018-2787,
  CVE-2018-2810, CVE-2018-2812, CVE-2018-2813, CVE-2018-2816,
  CVE-2018-2817, CVE-2018-2818, CVE-2018-2819, CVE-2018-2839,
  CVE-2018-2846

Monday, April 23, 2018

TrendLabs: Monero-Mining RETADUP Worm Goes Polymorphic, Gets an AutoHotKey Variant


Figure 3. Components of RETADUP’s AutoHotKey version
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/

Sunday, April 22, 2018

Azure Virtual Machines—Ubuntu Advantage support service generally available

If you use Ubuntu Linux with your Azure subscription, you can now opt in to receive enterprise-grade support for your Ubuntu VMs through Ubuntu Advantage, the support package from Canonical. Complete a one-time prepay for standard and advanced tiers that will cover the first 30 days of support from Ubuntu. The first month of coverage is billed as a one-time charge, and subsequent months are billed per hour.

REF:  https://azure.microsoft.com/en-us/services/virtual-machines/linux-and-open/

Saturday, April 21, 2018

TrendLabs: XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing


Figure 2. XLoader’s infection chain
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/

Friday, April 20, 2018

[USN-3628-1] OpenSSL vulnerability

Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis
Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA
key generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private RSA keys.

References:
  https://usn.ubuntu.com/usn/usn-3628-1
  CVE-2018-0737

Thursday, April 19, 2018

Using Trello At Home

The official Trello Playbook for Home rounds up five essential boards that you can copy and customize for everything from vacation planning and chores to meal prep and more:

TrendLabs: Ransomware XIAOBA Repurposed as File Infector and Cryptocurrency Miner

Figure 1. Infector code showing Coinhive injection; another variant even contains its own XMR configuration and miner binary
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-xiaoba-repurposed-as-file-infector-and-cryptocurrency-miner/

Tuesday, April 17, 2018

Proxmox VE is 10 years old

Proxmox VE celebrates 10 years
This week marks the tenth anniversary of the first public release of our Proxmox VE. We released version 0.9 on April 15, 2008 as a management GUI for KVM and OpenVZ. We wanted to keep it flexible and easy-to-use.
Today, Proxmox VE has grown into a powerful but still easy-to-use open-source management platform for enterprise virtualization with so many users, developers, customers, and partners in 142 countries worldwide.
Happy Birthday Proxmox VE Discount
To celebrate this 10th birthday with you we have a special "Happy Birthday Proxmox VE" promotion: We're giving you a special discount for the next 10 days on your new subscription. Use the code PVE-10-M1EN31 on the Proxmox online shop for a 10% discount rate on Proxmox VE subscriptions.
(Promo is valid 10 days from April 15 to April 25, 2018 for new and existing customers. Valid only on new subscriptions.)
Read more on "Proxmox VE celebrates 10":

Monday, April 16, 2018

TrendLabs: A Closer Look at Unpopular Software Downloads and the Risks They Pose to Organizations

Table 1. A list of major websites that offer malicious content and the number of unique downloads for each
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-unpopular-software-downloads-and-the-risks-they-pose-to-organizations/

Sunday, April 15, 2018

The bsdly.net traplist dumps are now served https only

---------- Forwarded message ----------
From: Peter N. M. Hansteen
Date: Sat, Apr 14, 2018 at 5:55 PM
Subject: The bsdly.net traplist dumps are now served https only (forced redirect)
To: OpenBSD general usage list

While looking for something else entirely in my webserver logs I notice
that there are several hosts that try to fetch the hourly traplist dumps
https://www.bsdly.net/~peter/bsdly.net.traplist but via http and ignore
the redirect to https.

Both sites (https://www.bsdly.net/~peter/bsdly.net.traplist and the
slightly better connected
https://home.nuug.no/~peter/bsdly.net.traplist) now force https, so if
you are running some kind of out of date fetching setup, please update
to something modern.

I also notice that there are fetches from other operating systems, but
hopefully anyone interested in OpenBSD spamd(8) will check here
occasionally.

All the best,
Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Saturday, April 14, 2018

BSD magazine 2018 March


REF: https://bsdmag.org/download/table-level-security-postgresql/

TrendLabs: How Machine Learning Detects Cryptocurrency-mining Malware

Table 1. A sample of five out of the 123 cluster members with TLSH values that have very close distance scores when compared to the center TLSH value
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/cluster-of-coins-how-machine-learning-detects-cryptocurrency-mining-malware/

Trello: 5 Future Lessons To Learn From Today’s Remote Workers

The benefits of remote work
REF: https://blog.trello.com/5-future-lessons-to-learn-from-todays-remote-workers

TrendLabs: Microsoft’s April Patch Tuesday Fixes Remote Code Execution Vulnerabilities in Fonts and Keyboard

Microsoft has rolled out its Patch Tuesday for April to address security issues in Internet Explorer (IE), Edge, ChakraCore, Visual Studio, Microsoft Office and Office Services and Web Apps, and Malware Protection Engine. Of the 67 listed vulnerabilities, 24 were rated critical. Eight of these were disclosed through Trend Micro’s ZDI program:
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/microsofts-april-patch-tuesday-fixes-remote-code-execution-vulnerabilities-in-fonts-and-keyboard/

[openssh-unix-announce] Announce: OpenSSH 7.7 released

---------- Forwarded message ----------
From: Damien Miller
Date: 2018-04-03 8:15 GMT+08:00
Subject: [openssh-unix-announce] Announce: OpenSSH 7.7 released
To: openssh-unix-announce@mindrot.org

OpenSSH 7.7 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

TrendLabs: Challenges in Securing Connected Hospitals

Figure 2. Exposed graphical user interface (GUI) for patient record maintenance containing various PII
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/challenges-in-securing-connected-hospitals/

Caddy Web Server On FreeBSD

Dear Readers,
I hope this finds you well and in a happy mood since the start of Spring. Today, I am pleased to announce the release of the BSD Magazine issue. I hope it will bring lots of joy, happiness, and fulfilment to you. This is also a special time for those who are waiting for Easter celebration like me. I am optimistic that the holiday period brings hope and faith to sustain us in the coming days. Thus, take delight during this period. If any question arises in your mind during or after reading the articles, please feel free to contact me. We hope you enjoy reading this issue and develop your new skills with our magazine!
Thank you and Happy Easter,
Ewa & the BSD team
INSIDE
In Brief
Ewa & The BSD Team
How to Manage Multiple Perl 6 Installations with Rakudobrew
Luca Ferrari
Quickstart with Kubernetes and GKE (Part 1/2)
Leonardo Neves
Kubernetes..! Era of Innovation
Moustafa Nabil El-Zeny
Open vSwitch Overview
Albert Hui
How to Add a New System Tunable to FreeBSD
Carlos Neira
Caddy Web Server On FreeBSD
Abdorrahman Homaei
OpenBSD and The State of Gaming
David Carlier
Presentation
How to Assist the Business World with OTRS?
María Polett Ramos
Column
With the latest chemical attack in the UK that has critically injured two individuals and seriously injured a serving police officer, what are the geopolitical, media, and technical implications of this latest outrage?
Rob Somerville
REF: www.bsdmag.org

TrendLabs: Cryptocurrency Web Miner Script Injected into AOL Advertising Platform

Figure 1. Detection for unique web miners rising steeply from March 24 to 25
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-web-miner-script-injected-into-aol-advertising-platform/

[Check_mk Announce] New Check_MK stable release 1.4.0p29

---------- Forwarded message ----------
From: Check_mk Announcements
Date: Mon, Apr 9, 2018 at 10:16 PM
Subject: [Check_mk Announce] New Check_MK stable release 1.4.0p29
To: checkmk-announce@lists.mathias-kettner.de

Dear friends of Check_MK,

the new stable release 1.4.0p29 of Check_MK is ready for download.

This maintenance release ships with 4 changes affecting all editions of Check_MK,
0 Enterprise Edition specific changes and 0 Managed Services Edition specific changes.

Changes in all Check_MK Editions:

User interface:
* 5957 FIX: LDAP: Locking of users using "Authentication Expiration" plugin was not unlocking users

Checks & agents:
* 5961 FIX: nfsmounts, cifsmounts: Fixed the blemish "Invalid parameter" displayed in service discovery dialog
* 5921 FIX: mk_logwatch frozen binary for Windows was broken

Other components:
* 5956 FIX: Updated NagVis to 1.9.7

Changes in the Check_MK Enterprise Edition:

    NO CHANGES

Changes in the Check_MK Managed Services Edition:

    NO CHANGES

You can download Check_MK from our download page:
 * http://mathias-kettner.de/check_mk_download.html

Please mail bug reports and qualified feedback to feedback@check-mk.org.
We greatly thank you for using Check_MK and wish you a successful monitoring,

Your Check_MK Team

--
Mathias Kettner GmbH
Kellerstraße 29, 81667 München, Germany
Registergericht: Amtsgericht München,  HRB 165902
Geschäftsführer: Mathias Kettner
http://mathias-kettner.de
Tel. +49 89 1890 435-0
Fax. +49 89 1890 435-29

Plex: We're on Gear VR for Oculus!

With a Gear VR for Oculus headset and your Galaxy S7/S8/S9, you’re ready for one of the coolest virtual reality experiences out there! Enjoy your shows and movies in a luxurious loft apartment, the void of outer space, or a drive-in theater (with support for 360° and 3D videos). You can even interact with your environment, from drawing the curtains, to picking up and throwing items, and more. With Plex VR, you’re going to look forward to rainy days to spend in another virtual world.

TrendLabs: Uncovering Unknown Threats With Human-Readable Machine Learning

Through a system of classification that uses machine learning technology to analyze unknown files, we can determine whether they are benign or malicious in nature. This human-readable machine learning system, as well as other pertinent findings on large-scale global download events, is discussed in more detail in our research paper titled Exploring the Long Tail of (Malicious) Software Downloads.

REF: https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-unknown-threats-with-human-readable-machine-learning/

Tuesday, April 3, 2018

Improve Your PostgreSQL Skills

(Course #10) Improve Your PostgreSQL Skills

This course will give readers a better understanding of PostgreSQL. It aims to provide solid knowledge of the PostgreSQL building blocks, including the plpgsql language and how it can be used to build stored procedures and triggers. Advanced features such as Common Table Expressions and Window Functions are presented, allowing readers to improve their SQL skills and write better, more readable queries.
Readers will learn how to manage and understand their database cluster through a glance at the PostgreSQL catalog and the statistics collector. Finally, readers will learn how to set up master-slave replication, a core feature of PostgreSQL.
Module 1
Stored procedures
The plpgsql language
The DO block
Glance at plperl
Triggers
DML Trigger Types
Implementing triggers with plpgsql
Cursors
Introduction of cursors
Example of usage of a cursor
Module 2
Users and Permission Management
Users, Groups and Roles
Allowing permissions and denying permissions
Row Level Security
Rules
Introduction to the Query Rewrite System
An example of rule
Views
Dynamic views
Materialized Views
Test your skills
Questions
  • How is a group of users implemented in PostgreSQL?
  • What is the difference between a DO INSTEAD and a DO ALSO rule?
  • How many types of views does PostgreSQL support?
Exercises
  • Create a table foo with exactly two columns: pk, an integer auto-increment primary key, and t, an unlimited-length string. Fill the table with a couple of records, then create a dynamic view and a materialized one. Populate the materialized view, then delete the contents of foo and see what changes in the two views.
  • Open a transaction, place a couple of records into foo and revert the changes.
  • Create a user group developers, and the following users into the group: dev_a, dev_b, dev_c. Configure PostgreSQL to allow all developers but dev_c to connect to your database.
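One way to work through the three Module 2 exercises, as an added example that is not part of the course material. It targets PostgreSQL 10; the table and role names are the ones the exercises use, while the database name coursedb and the placeholder passwords are assumptions. The security-relevant detail is in the last part: CONNECT on a new database is granted to PUBLIC by default, and privileges inherited through a group cannot be revoked from one member, so excluding dev_c is done in pg_hba.conf rather than with REVOKE.

```sql
-- Added example, not part of the course material. PostgreSQL 10.
-- Assumed: database name coursedb, placeholder passwords.

-- Exercise 1: pk is an integer fed by a sequence, t has no length limit.
CREATE TABLE foo (
    pk  serial PRIMARY KEY,
    t   text
);
INSERT INTO foo (t) VALUES ('alpha'), ('beta');

-- A dynamic view is re-run against foo on every read; a materialized view
-- is a stored snapshot that changes only when it is refreshed.
CREATE VIEW foo_view AS SELECT pk, t FROM foo;
CREATE MATERIALIZED VIEW foo_mview AS SELECT pk, t FROM foo WITH NO DATA;
REFRESH MATERIALIZED VIEW foo_mview;      -- populate the snapshot

DELETE FROM foo;
SELECT count(*) FROM foo_view;            -- follows the table, so empty now
SELECT count(*) FROM foo_mview;           -- snapshot still holds the old rows
REFRESH MATERIALIZED VIEW foo_mview;      -- only now does the snapshot empty

-- Exercise 2: changes inside a transaction are discarded by ROLLBACK.
BEGIN;
INSERT INTO foo (t) VALUES ('gamma'), ('delta');
SELECT count(*) FROM foo;                 -- visible only inside this session
ROLLBACK;
SELECT count(*) FROM foo;                 -- back to the pre-transaction state

-- Exercise 3: a role without LOGIN is the group; members inherit its grants.
CREATE ROLE developers NOLOGIN;
CREATE ROLE dev_a LOGIN PASSWORD 'change-me-a' IN ROLE developers;
CREATE ROLE dev_b LOGIN PASSWORD 'change-me-b' IN ROLE developers;
CREATE ROLE dev_c LOGIN PASSWORD 'change-me-c' IN ROLE developers;

-- CONNECT on a new database is granted to PUBLIC by default. Revoke that
-- first, otherwise every role can connect regardless of the grant below.
REVOKE CONNECT ON DATABASE coursedb FROM PUBLIC;
GRANT  CONNECT ON DATABASE coursedb TO developers;

-- dev_c holds CONNECT through developers, and REVOKE only removes grants
-- made directly to a role, so "REVOKE CONNECT ... FROM dev_c" is a no-op.
-- The exclusion therefore goes into pg_hba.conf, which is matched top-down
-- with first match winning; +developers means "any member of developers":
--
--   # TYPE  DATABASE  USER         ADDRESS     METHOD
--   host    coursedb  dev_c        0.0.0.0/0   reject
--   host    coursedb  +developers  0.0.0.0/0   md5
--
-- then SELECT pg_reload_conf(); to apply the file without a restart.

-- Check from SQL which members of developers can log in and whether they
-- hold CONNECT at the privilege level (dev_c does, via the group; only
-- the pg_hba.conf rule keeps it out).
SELECT r.rolname,
       r.rolcanlogin,
       has_database_privilege(r.rolname, 'coursedb', 'CONNECT') AS can_connect
FROM   pg_roles r
WHERE  pg_has_role(r.oid, 'developers', 'MEMBER')
  AND  r.rolname <> 'developers'
ORDER  BY r.rolname;
```

After the DELETE, foo_view is empty while foo_mview still returns the two original rows until it is refreshed. The final query lists dev_a, dev_b and dev_c with can_connect true for all three, which is exactly why the per-user exclusion has to live in pg_hba.conf.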
Module 3
Common Table Expression
Introduction to CTEs
An example of move
Recursive CTEs
Window Functions
Introduction to Window Functions
A few useful window functions
Module 4
Indexes
Configuring the Server
Monitor the database activity
pg_stat_activity
pg_locks
Autovacuum
Test your skill
Questions
  • What is the purpose of a recursive CTE?
  • What does the OVER clause do?
  • What information does the pg_stat_activity contain?
Exercises
  • Suppose you have the table dir defined and populated as follows:
 pk |  name   | child_of | dir
----+---------+----------+-----
  1 | /       |          | t
  2 | bin     |        1 | t
  3 | tmp     |        1 | t
  4 | home    |        1 | t
  5 | luca    |        4 | t
  6 | Desktop |        5 | t
  7 | emacs   |        2 | f
  8 | cat.png |        6 | f
  • Write a recursive CTE that builds the full path of each entry where dir = f.
  • Begin a transaction in one terminal; without closing it, open a second terminal and extract the start time and backend pid of the open transaction.
  • Write a CTE that deletes the contents of the dir table above, showing the deleted rows through a SELECT.
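One answer to each of the three Module 4 exercises, as an added example that is not part of the course material, written for PostgreSQL 10. The exercise only shows the data, so the column types and the self-referencing foreign key are assumptions. It goes one step beyond the exercise: the recursive CTE carries a depth counter, because a cycle in child_of would otherwise make the recursion run until the server runs out of memory.

```sql
-- Added example, not part of the course material. PostgreSQL 10.
-- Assumed: column types and the foreign key; the exercise shows only data.

CREATE TABLE dir (
    pk       integer PRIMARY KEY,
    name     text    NOT NULL,
    child_of integer REFERENCES dir (pk),   -- NULL only for the root
    dir      boolean NOT NULL                -- t = directory, f = file
);

INSERT INTO dir (pk, name, child_of, dir) VALUES
    (1, '/',       NULL, true),
    (2, 'bin',     1,    true),
    (3, 'tmp',     1,    true),
    (4, 'home',    1,    true),
    (5, 'luca',    4,    true),
    (6, 'Desktop', 5,    true),
    (7, 'emacs',   2,    false),
    (8, 'cat.png', 6,    false);

-- Exercise 1: full path of every entry with dir = f.
-- The non-recursive term seeds the walk with the root; the recursive term
-- joins each row to the path already built for its parent. The root's name
-- is '/' itself, so it is concatenated without an extra separator.
-- t.depth < 64 is the guard against a cycle in child_of.
WITH RECURSIVE tree AS (
    SELECT pk, name, dir, name AS path, 0 AS depth
    FROM   dir
    WHERE  child_of IS NULL
  UNION ALL
    SELECT d.pk, d.name, d.dir,
           CASE WHEN t.path = '/' THEN t.path || d.name
                ELSE t.path || '/' || d.name END,
           t.depth + 1
    FROM   dir d
    JOIN   tree t ON d.child_of = t.pk
    WHERE  t.depth < 64
)
SELECT pk, path
FROM   tree
WHERE  NOT dir
ORDER  BY pk;

-- Exercise 2. Terminal 1 opens a transaction and leaves it open:
--   BEGIN;
--   SELECT 1;
-- Terminal 2 finds it through the statistics collector. xact_start is the
-- time of BEGIN; backend_start would be when the backend process started.
-- A session stuck "idle in transaction" keeps its locks and blocks VACUUM,
-- so this same query doubles as a routine health check.
SELECT pid, usename, state, xact_start, now() - xact_start AS open_for
FROM   pg_stat_activity
WHERE  state = 'idle in transaction'
  AND  pid <> pg_backend_pid();

-- Exercise 3: a data-modifying CTE. The DELETE runs exactly once and its
-- RETURNING rows are readable by the outer SELECT. Removing the whole table
-- in one statement is allowed despite the self-referencing foreign key,
-- because the constraint is checked at the end of the statement, when no
-- referencing rows remain.
WITH deleted AS (
    DELETE FROM dir RETURNING pk, name, child_of, dir
)
SELECT pk, name, child_of, dir
FROM   deleted
ORDER  BY pk;
```

The first query returns two rows, /bin/emacs for pk 7 and /home/luca/Desktop/cat.png for pk 8. The last query returns all eight rows as they are deleted, and a subsequent SELECT count(*) FROM dir gives 0.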
Module 5
Point in Time Recovery
Streaming Replication
Glance at Logical Replication
Test your skills
Questions
  • What is a physical backup and what do you need to get it working?
  • Is starting a base (physical) backup with pg_basebackup dangerous for the normal operation of the cluster?
  • What is the main difference between physical and logical replication?
Exercises
  • Set up a base backup of the cluster with pg_basebackup command line tool.
  • Configure a streaming replication from your main cluster to another instance running on a different TCP/IP port on the very same machine.
Instructor: Luca Ferrari
REF: www.bsdmag.org

Monday, April 2, 2018

TrendLabs: Monero-Mining HiddenMiner Android Malware Can Potentially Cause Device Failure


Figure 1. Screenshot for one Monero wallet address’s status
REF: https://blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-hiddenminer-android-malware-can-potentially-cause-device-failure/

XG-7100 pfSense® Security Gateway

If you've pre-ordered an XG-7100 pfSense® Security Gateway Appliance, you're no doubt anxious for its delivery. We've encountered a supply chain issue with system boards, but that is now resolved. Back order shipments are expected to start in about two weeks.
Initial throughput testing looks very compelling. Test data will be published on the Netgate blog soon.
REF: https://www.netgate.com/solutions/pfsense/xg-7100-1u.html