Do not pass ‘Go’

Readers who managed to read this blog to the end last week will have read this:

Finally, if you have implemented HTTP/2 services for public consumption, be aware that there are a number of network-level bugs which can very simply take your servers off the air (the same servers that can be easily identified using Shodan, for instance). The Hacker News has a decent write-up here. If you are using HTTP/2 in a public-facing capacity, it would be a good place to start if availability is critical for your business.

Those of you who clicked through to the article will have seen that the bugs are not in TLS or TCP but in the HTTP/2 implementations themselves, in the way they handle the protocol's streams and flow control. A client sending a small number of cheap, crafted packets can make the server do a disproportionate amount of work for each one, which is all it takes to push it into a denial of service condition.

While everyone was trying to get their heads around the implications of this announcement, possibly pondering whether or not their own estate actually runs HTTP/2, out come Kubernetes with an announcement that the cuddly containerisation platform is itself affected by two of the eight vulnerabilities. Kubernetes is written in Go, and Go's HTTP/2 implementation is one of the affected ones, so every Kubernetes component that runs an HTTP or HTTPS listener is vulnerable and needs to be patched forthwith.

The implications of this announcement are huge. Millions of web servers are running under Kubernetes (the name is Greek for helmsman, apparently). Not only this, but exposed Kubernetes listeners can be identified using our old pal Shodan and other tools, so the attackers do not even have to go looking very hard.
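If you are in the "does our estate actually run HTTP/2?" camp, the quickest honest answer comes from asking each TLS listener directly: offer it h2 and http/1.1 via ALPN and see which one it picks. The Go program below is an added example written for this post, not code from the Kubernetes project or from the HTTP/2 write-up. It spins up a local test server of its own (a constructed fixture, so it runs offline) once with HTTP/2 enabled and once without, and the probe function can be pointed at real hosts by passing nil as the trust store; the host name in the final comment is a placeholder.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ProbeALPN opens a TLS connection to addr ("host:port"), offers both h2 and
// http/1.1 via ALPN, and returns the protocol the server picked: "h2" means
// the listener speaks HTTP/2, "http/1.1" (or "") means it does not.
// Pass nil for roots to use the system trust store against real hosts.
func ProbeALPN(addr string, roots *x509.CertPool) (string, error) {
	cfg := &tls.Config{
		NextProtos: []string{"h2", "http/1.1"},
		RootCAs:    roots, // nil = system roots
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

// ProbeTestServer starts a local TLS server (a constructed test fixture, not
// a real service) with HTTP/2 switched on or off, probes its ALPN answer, and
// also makes one ordinary request to see which protocol the response used.
// It returns (negotiated ALPN, response protocol, error).
func ProbeTestServer(enableHTTP2 bool) (string, string, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served over %s\n", r.Proto)
	}))
	srv.EnableHTTP2 = enableHTTP2 // must be set before StartTLS
	srv.StartTLS()
	defer srv.Close()

	// Trust only the test server's self-signed certificate.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())

	alpn, err := ProbeALPN(srv.Listener.Addr().String(), roots)
	if err != nil {
		return "", "", err
	}

	// srv.Client() is pre-configured to trust the fixture's certificate and
	// to attempt HTTP/2 only when EnableHTTP2 was set.
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return alpn, resp.Proto, nil
}

func main() {
	for _, h2 := range []bool{true, false} {
		alpn, proto, err := ProbeTestServer(h2)
		if err != nil {
			fmt.Println("probe failed:", err)
			continue
		}
		fmt.Printf("EnableHTTP2=%-5v  ALPN=%-10q  response=%s\n", h2, alpn, proto)
	}
	// Against a real estate, call ProbeALPN directly with the system roots
	// (placeholder host name) and flag every listener that answers "h2":
	//   ProbeALPN("api.example.internal:443", nil)
}
```

Two caveats. A listener that answers "h2" is only exposed if it is reachable by whoever wants to send the crafted traffic, so pair the probe output with what Shodan (or your own external scan) can actually see. And for the Kubernetes case the fix is a rebuild with a patched Go toolchain, so the other check worth making is `go version /path/to/the/binary`, which prints the Go version a binary was compiled with.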

Once again the ever watchful ITC SOC team have produced a timely Threat Horizon which provides full details, obviously recommending patching as soon as possible.

Back in July we wrote about the slow and dastardly (mwahahaha) spread of the ATM-robbing, Russian-speaking 'Silence' hacking group. At the time we reported that, according to excellent investigatory work by Russian cyber security firm Group-IB, not only were Silence spreading out of Russia (into Bangladesh), but they were accumulating increasingly sophisticated and stealthy tooling.

Well, it appears that the Silence Group are now on a World Tour (probably not as much fun as Spinal Tap) with a fivefold increase in activity, under the noses of the investigating Group-IB.

As reconnaissance, Silence first send out a huge number of emails with benign content (benign apart from telling the attackers which targets are reachable and vulnerable, that is). This is followed up with one of many nefarious droppers and other nasty content, all of which is documented in the Group-IB report and makes interesting reading if you are that way inclined.

Once again we see phishing emails as the primary vector. Although tools and technology can be very useful in identifying and eradicating these, user education remains the number one defence against phishing. If you have a few quiet weeks while everyone is lounging in the sun, you could do a lot worse than planning some awareness training for your users, because after the summer the floodgates will be open!

Just after we published last week, the European Central Bank (ECB) announced that its 'Banks' Integrated Reporting Dictionary', aka BIRD, had been accessed by 'unauthorised parties'. Word on the street (unconfirmed at the time of writing) is that the vector is via SAP HANA. It looks like a very professional job with nation-state written all over it. We will update you as this story develops. In the meantime, if you have SAP HANA, check its patch status and have a look for unusual outbound traffic from those systems.

As usual ITC Secure would be more than happy to help you with your security posture. If you would like some assistance, or just a chat about security, please contact us at: [email protected] or call 020 7517 3900.

Enjoy the rest of the summer. Winter is coming.