Cyber Security January 2018

This posting is here to collect security alert news in January 2018.

I post links to security vulnerability news to comments of this article.

144 Comments

  1. Tomi Engdahl says:

    Hawaii Panics After Alert About Incoming Missile Is Sent in Error
    https://mobile.nytimes.com/2018/01/13/us/hawaii-missile.html

    An early-morning emergency alert mistakenly warning of an incoming ballistic missile attack was dispatched to cellphones across Hawaii on Saturday.

    The alert, sent by the Hawaii Emergency Management Agency, was revoked 38 minutes after it was issued, prompting confusion over why it was released — and why it took so long to rescind.

    Officials said the alert was the result of human error and not the work of hackers or a foreign government.

    Reply
  2. Tomi Engdahl says:

    January 12, 2018 | Business Security
    https://press.f-secure.com/2018/01/12/intel-amt-security-issue-lets-attackers-bypass-login-credentials-in-corporate-laptops/

    Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops
    Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to backdoor almost any corporate laptop in a matter of seconds.

    Helsinki, Finland – January 12, 2018: F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.

    The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

    To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

    Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

    Sintonen stumbled upon the issue in July 2017, and notes that another researcher* also mentioned it in a more recent talk.

    Reply
  3. Tomi Engdahl says:

    Islamic State Retreats Online to ‘Virtual Caliphate’
    http://www.securityweek.com/islamic-state-retreats-online-virtual-caliphate

    On the brink of defeat in Iraq and Syria, the Islamic State group has been taking refuge in its “virtual caliphate” — but even online, experts say it is in decline.

    Back in 2015, when the jihadists held territory the size of Italy, they also commanded a huge digital presence, flooding the web with slick propaganda lionising their fighters and romanticising life under their rule.

    Today, with many of the top IS leaders either dead or on the run, what remains of the group’s once-sophisticated propaganda machine is also a shadow of its former self.

    Their media centres destroyed, remaining propagandists find themselves struggling to maintain an internet connection while battling surveillance from international intelligence services.

    The jihadist group is less and less vocal on the web, largely leaving supporters whom it cannot control to speak in its name.

    – Pushed to the ‘dark web’ –

    Back in March as Iraqi forces were ousting IS from their long-held bastion Mosul, an AFP journalist was able to pick through the wreckage of what was once a jihadist media centre.

    Such wannabe jihadists need look no further than the internet for abundant advice that has been available online for years — and will merely pop up again after any attempt to remove it.

    Reply
  4. Tomi Engdahl says:

    Microsoft Brings End-to-End Encryption to Skype
    http://www.securityweek.com/microsoft-brings-end-end-encryption-skype

    Microsoft this week announced that end-to-end encrypted communications are now available for preview to Skype insiders.

    Called Private Conversations, the newly introduced feature secures both text chat messages and audio calls, Microsoft Program Manager Ellen Kilbourne revealed.

    Furthermore, end-to-end encryption is also applied to any files users send to their conversational partners, including images, audio files, and videos. Not only will the contents of these conversations be hidden in the chat list, but they won’t appear in notifications either, to keep user’s information private.

    Private Conversations, Kilbourne explains in a post, is using the industry standard Signal Protocol by Open Whisper Systems. The protocol is already providing end-to-end encryption to users of popular messaging applications such as Signal, WhatsApp, and Facebook Messenger.

    Reply
  5. Tomi Engdahl says:

    ‘MaMi’ Mac Malware Hijacks DNS Settings
    http://www.securityweek.com/mami-mac-malware-hijacks-dns-settings

    Researcher Patrick Wardle has analyzed what seems to be a new piece of malware designed to hijack DNS settings on macOS devices. The threat has other capabilities as well, but they do not appear to be active.

    Reply
  6. Tomi Engdahl says:

    Risky Business (Part 2): Why You Need a Risk Treatment Plan
    http://www.securityweek.com/risky-business-part-2-why-you-need-risk-treatment-plan

    Performing a Risk Analysis and Taking Due Care Are No Longer Optional

    Now hear this: You will always have exposure.

    No company has the ability to mitigate all risks at all times. No company I’ve ever visited has even had all of its identified risks treated at any given point.

    Yet so many companies lead their security strategy with controls. They’ll make sizable investments in security appliances without fully understanding why the appliance is required. They’ll implement their controls without documentation of what the actual risks are and how they’re being treated.

    You may have learned about due diligence and due care, but this situation amounts to omitting both. To bridge that gap, you need a risk treatment plan.

    The objective of a risk treatment plan is to document your exposure and show that the organization is applying appropriate resources to mitigate it in a reasonable timeframe.

    Not only does this tie your mitigation efforts to the actual business risks being addressed, but the RTP is really a form of risk treatment in itself. Even if you can’t mitigate every risk, you’re documenting that you have a plan to deal with those risks — and having your efforts documented provides some recourse to prove due care.

    Reply
  7. Tomi Engdahl says:

    CRUNCH NETWORK
    The state of Israel’s cybersecurity market
    https://techcrunch.com/2018/01/14/the-state-of-israels-cybersecurity-market/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    The Equifax breach, WannaCry, NotPetya, the NSA leak, and many more cyber incidents – 2017 was certainly a busy year for hackers, illustrating yet again just how vital innovative cybersecurity solutions are in the fight against cyber threats.

    Second only to the U.S. in terms of cybersecurity investment, 2017 was another excellent year for Israeli cybersecurity startups.

    Reply
  8. Tomi Engdahl says:

    Ransomware attack drives Indianapolis hospital back to pen and paper
    https://hotforsecurity.bitdefender.com/blog/ransomware-attack-drives-indianapolis-hospital-back-to-pen-and-paper-19444.html?utm_source=SMGlobal&utm_medium=Facebook&utm_campaign=H4S

    A hacker out to make a fast buck last week decided to hit an Indianapolis hospital with a ransomware attack, demanding a ransom payment to his Bitcoin wallet in exchange for de-crippling the facility’s computer network.

    Hancock Health fell victim to the attack sometime last week, when employees noticed the network started running more slowly than normal, according to local newspaper The Greenfield Reporter.

    One of the hospital’s computers then flashed a message indicative of a typical ransomware attack – that the facility’s data was being held “hostage” until a ransom was paid to the attacker.

    Reply
  9. Tomi Engdahl says:

    Fake Meltdown/Spectre Patch Installs Malware
    http://www.securityweek.com/fake-meltdownspectre-patch-installs-malware

    Cybercriminals are already taking advantage of the massive attention the recently detailed Meltdown and Spectre CPU flaws have received, in an attempt to trick users into installing malware instead, Malwarebytes warns.

    Made public in early January, Meltdown and Spectre are two new side-channel attack methods against modern processors and are said to impact billions of devices. Based on vulnerabilities at the CPU level, the flaws allow malicious apps to access data as it is being processed, including passwords, photos, documents, emails, and the like.

    Chip makers and vendors were alerted on the bugs last year, and some started working on patches for their users several months ago, but waited for a coordinated public disclosure set for last week. Apple, Microsoft, Google, Canonical, and IBM are just a few of the vendors that have already deployed patches.

    Soon after the patches began rolling out, however, attacks taking advantage of the Meltdown/Spectre fever surfaced. One of them, Malwarebytes reports, is targeting German users with the SmokeLoader malware.

    The attack was spotted soon after the German authorities issued a warning that phishing emails trying to take advantage of the infamous bugs had started to appear.

    Reply
  10. Tomi Engdahl says:

    Backdoor Found in Lenovo, IBM Switches
    http://www.securityweek.com/backdoor-found-lenovo-ibm-switches

    A high severity vulnerability described as a backdoor has been patched in several Flex System, RackSwitch and BladeCenter switches from Lenovo and IBM.

    The flaw, tracked as CVE-2017-3765, affects the Enterprise Network Operating System (ENOS) running on affected devices. The vulnerability allows an attacker to gain access to the management interface of a switch.

    “An authentication bypass mechanism known as ‘HP Backdoor’ was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions,” Lenovo said in its advisory.

    The problematic feature, introduced by Nortel in 2004 at the request of a customer, can be found in Lenovo devices and IBM Flex System, BladeCenter and RackSwitch switches that still use the ENOS firmware.

    Reply
  11. Tomi Engdahl says:

    “PowerStager” Tool Employs Unique Obfuscation
    http://www.securityweek.com/powerstager-tool-employs-unique-obfuscation

    A malicious tool that has managed to fly under the radar since April 2017 is showing great focus on obfuscation, in an attempt to evade detection, Palo Alto Networks warns.

    Dubbed PowerStager, the tool has shown an uptick in usage for in-the-wild attacks around December 2017. Developed as a Python script that generates Windows executables using C source code, it uses multiple layers of obfuscation to launch PowerShell scripts to execute a shellcode payload.

    PowerStager uses a unique obfuscation technique for PowerShell segments, while also offering increased flexibility, due to multiple configuration options.

    Some of these options include the ability to target both x86 and x64 platforms, support for additional obfuscation on top of defaults, support for customized error messages/executable icon for social engineering, and the ability to use Meterpreter or other built-in shellcode payloads. The tool can also fetch remote payloads or embed them into the executable and can escalate privileges using UAC.

    PowerStager Analysis
    https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

    Reply
  12. Tomi Engdahl says:

    New KillDisk Variant Spotted in Latin America
    http://www.securityweek.com/new-killdisk-variant-spotted-latin-america

    A new variant of the disk-wiper malware known as KillDisk has been spotted by Trend Micro researchers in attacks aimed at financial organizations in Latin America.

    Early versions of KillDisk were designed to wipe hard drives in an effort to make systems inoperable. The malware was used by the Russia-linked threat actor BlackEnergy in the 2015 attack aimed at Ukraine’s energy sector.

    Roughly one year after the Ukraine attack, researchers reported that its developers had turned KillDisk into file-encrypting ransomware. However, the samples analyzed at the time used the same encryption key for all instances, making it possible for victims to recover files.

    Experts later reported seeing a KillDisk ransomware designed to target Linux machines, but the malware did not save encryption keys anywhere, making it impossible to recover files.

    Reply
  13. Tomi Engdahl says:

    Half Million Impacted by Four Malicious Chrome Extensions
    http://www.securityweek.com/half-million-impacted-four-malicious-chrome-extensions

    Four malicious Chrome extensions managed to infect over half a million users worldwide, including employees of major organizations, ICEBRG reports.

    The extensions were likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could have also been used by threat actors to gain access to corporate networks and user information, the security company warns.

    The malicious extensions were discovered after observing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG reveals. The HTTP traffic was associated with the domain ‘change-request[.]info’ and was generated from a Chrome extension named Change HTTP Request Header.

    Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses
    https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses

    ICEBRG has battled this threat in the wild and worked with our customers to understand the risk browser extensions pose. Recently, ICEBRG detected a suspicious spike in outbound network traffic from a customer workstation which prompted an investigation that led to the discovery of four malicious extensions impacting a total of over half a million users, including workstations within major organizations globally. Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information.

    Reply
  14. Tomi Engdahl says:

    Canadian Man Charged Over Leak of Three Billion Hacked Accounts
    http://www.securityweek.com/canadian-man-charged-over-leak-three-billion-hacked-accounts

    An Ontario man made his first court appearance Monday to answer charges of running a website that collected personal and password data from some three billion accounts, and sold them for profit.

    Jordan Evan Bloom, 27, of Thornhill earned some Can$247,000 ($198,800 US) by selling the data for a “small fee” via leakedsource.com, the Royal Canadian Mounted Police said in a statement.

    The information was stolen during massive hacks of websites including LinkedIn and the Ashley Madison online dating service.

    Some of the data could also be used to access other popular websites if the hacked user used the same password and username combination, according to police.

    Reply
  15. Tomi Engdahl says:

    Flaws Allowed Facebook Account Hacking via Oculus App
    http://www.securityweek.com/flaws-allowed-facebook-account-hacking-oculus-app

    Facebook recently patched a couple of vulnerabilities that could have been exploited by malicious hackers to hijack accounts by abusing integration with the Oculus virtual reality headset.

    Franjkovic discovered that a malicious actor could have used specially crafted GraphQL queries to connect a targeted user’s Facebook account to the attacker’s Oculus account. GraphQL is a query language created by Facebook in 2012 and later released to the public.

    According to the researcher, a specially crafted query allowed an attacker to obtain the victim’s access token, which under normal circumstances should not be accessible to third-party apps, and use it to take control of their Facebook account.

    Reply
  16. Tomi Engdahl says:

    North Korean Hackers Prep Attacks Against Cryptocurrency Exchanges: Report
    http://www.securityweek.com/north-korean-hackers-prep-attacks-against-cryptocurrency-exchanges-report

    Researchers Say a North Korea-Linked Hacking Campaign is Ready to Go Against South Korean Cryptocurrency Exchanges

    North Korean hackers, loosely categorized as the Lazarus Group, have continued their attacks against South Korean interests, with particular emphasis on cryptocurrency exchanges.

    Recorded Future said they discovered a spear-phishing campaign that uses the CVE-2017-8291 Ghostscript vulnerability triggered from within a Hangul Word Processor (popular in South Korea) document.

    Earlier this month, McAfee described a separate attack against North Korean defectors from a group — almost certainly North Korean — that does not appear to be related to any known cybercrime group.

    The Lazarus targets are users of the Coinlink cryptocurrency exchange, other exchanges, and a group known as ‘Friends of MOFA (Ministry of Foreign Affairs)’.

    The cryptocurrency target is typical Lazarus.

    In December 2017, the South Korean Youbit cryptocurrency exchange went bankrupt following its second hack of the year. In the first attack it lost 4000 bitcoin or around 40% of its reserves (around $5 million at the time), and a further 17% of its assets in the December breach. Some reports suggest that the attacks were undertaken by BlueNoroff, a sub-group of Lazarus.

    South Korean exchanges have been strengthening their network defenses, while the government has been considering regulations to tighten control over cryptocurrencies.

    “This campaign relies on multiple payloads fashioned out of the Destover infostealer code to collect information about the victim system and exfiltrate files,” reports Recorded Future. Destover further implicates Lazarus in the campaign. It was used in the Sony Pictures Entertainment attack in 2014, the Polish banking attacks in January 2017, and in the first WannaCry victim discovered by Symantec.

    Reply
  17. Tomi Engdahl says:

    Kaspersky: Malware disguised as Android apps from carriers can steal your WhatsApp messages
    https://thenextweb.com/insider/2018/01/17/kaspersky-malware-disguised-as-android-apps-from-carriers-can-steal-your-whatsapp-messages/

    Security firm Kaspersky has discovered a new piece of malware doing the rounds that’s capable of spying on your Android phone like nothing else before it.

    The company says that the malware is called Skygofree (named after one of the domains on which it was first spotted), and is usually disguised as a downloadable app on fake sites designed to resemble those of mobile carriers, and promises to increase your internet speeds.

    Skygofree: Following in the footsteps of HackingTeam
    https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

    At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.

    Reply
  18. Tomi Engdahl says:

    DNS Servers Crash Due to BIND Security Flaw
    http://www.securityweek.com/dns-servers-crash-due-bind-security-flaw

    Updates released by the Internet Systems Consortium (ISC) for BIND patch a remotely exploitable security flaw that has caused some DNS servers to crash.

    The vulnerability, discovered by Jayachandran Palanisamy of Cygate AB, affects BIND versions 9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1. It has been patched with the release of BIND 9.9.11-P1, 9.10.6-P1, 9.11.2-P1 and 9.12.0rc2.

    “Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator.”

    CVE-2017-3145: Improper fetch cleanup sequencing in the resolver can cause named to crash
    https://kb.isc.org/article/AA-01542

    While this bug has existed in BIND since 9.0.0, there are no known code paths leading to it in ISC releases prior to those containing the fix for CVE-2017-3137.  Thus while all instances of BIND ought to be patched, only ISC versions [9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1] acting as DNSSEC validating resolvers are currently known to crash due to this bug.  The known crash is an assertion failure in netaddr.c.

    Reply
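    As an added defender-side example (not from the SecurityWeek article, the ISC advisory or this blog), the checker below encodes the affected and fixed version ranges quoted above and classifies upstream `named -v` banners against them; the sample banners are constructed, and distribution builds with vendor suffixes are reported as unknown because they append their own version strings and usually backport fixes.

```python
import re
from typing import Dict, NamedTuple, Tuple

# Inclusive version ranges from ISC's CVE-2017-3145 advisory as quoted in the post.
# The -S releases are ISC's separate Supported Preview line; they are only compared
# against other -S versions, never against the regular line.
AFFECTED_RANGES = [
    ("9.9.9-P8", "9.9.11"),
    ("9.10.4-P8", "9.10.6"),
    ("9.11.0-P5", "9.11.2"),
    ("9.9.9-S10", "9.9.11-S1"),
    ("9.10.5-S1", "9.10.6-S1"),
    ("9.12.0a1", "9.12.0rc1"),
]
FIXED_RELEASES = ["9.9.11-P1", "9.10.6-P1", "9.11.2-P1", "9.12.0rc2"]

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"      # major.minor.patch
    r"(?:(a|b|rc)(\d+))?"        # optional pre-release tag: a1, b2, rc1
    r"(?:-([PS])(\d+))?$"        # optional -P<n> security patch or -S<n> preview level
)
# A final release sorts after any pre-release of the same x.y.z.
_PRE_ORDER = {"a": 0, "b": 1, "rc": 2, None: 3}


class BindVersion(NamedTuple):
    edition: str                              # "" = regular line, "S" = Supported Preview line
    key: Tuple[int, int, int, int, int, int]  # (major, minor, patch, pre_kind, pre_num, level)


def parse_version(text: str) -> BindVersion:
    """Parse an upstream ISC version string such as '9.11.2-P1' or '9.12.0rc1'."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an upstream ISC BIND version string: {text!r}")
    major, minor, patch, pre_tag, pre_num, suffix, suffix_num = m.groups()
    edition = "S" if suffix == "S" else ""
    level = int(suffix_num) if suffix_num else 0
    key = (int(major), int(minor), int(patch),
           _PRE_ORDER[pre_tag], int(pre_num or 0), level)
    return BindVersion(edition, key)


def in_range(version: str, low: str, high: str) -> bool:
    """True if version lies in [low, high] and all three are from the same edition line."""
    v, lo, hi = parse_version(version), parse_version(low), parse_version(high)
    if not (v.edition == lo.edition == hi.edition):
        return False
    return lo.key <= v.key <= hi.key


def is_affected(version: str) -> bool:
    """True if the upstream version falls inside any range the advisory lists as affected."""
    return any(in_range(version, lo, hi) for lo, hi in AFFECTED_RANGES)


def classify_banner(banner: str) -> str:
    """Classify the first line of 'named -v' output, e.g. 'BIND 9.11.2-P1 <id:...>'.

    Vendor packages append their own suffixes and often backport fixes, so those
    builds are reported as unknown instead of being guessed at.
    """
    parts = banner.split()
    token = parts[1] if len(parts) > 1 and parts[0] == "BIND" else banner.strip()
    try:
        affected = is_affected(token)
    except ValueError:
        return "unknown (vendor build; consult the distribution's advisory)"
    # Only DNSSEC-validating resolvers are known to hit the assertion failure,
    # but the advisory recommends patching every instance regardless.
    return "affected" if affected else "not affected"


def audit(banners) -> Dict[str, str]:
    """Map each 'named -v' banner to its verdict."""
    return {b: classify_banner(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample banners (hypothetical hosts, not real output).
    sample = [
        "BIND 9.11.2 <id:sample1>",
        "BIND 9.11.2-P1 <id:sample2>",
        "BIND 9.12.0rc1",
        "BIND 9.10.6-S1",
        "BIND 9.11.3-1ubuntu1.2-Ubuntu <id:sample5>",
    ]
    for banner, verdict in audit(sample).items():
        print(f"{banner:45} {verdict}")
```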
  19. Tomi Engdahl says:

    Bots could influence the Finnish presidential election by many means – “Only imagination is a limit”

    According to cybersecurity professor Limnéll, the number of bots among the presidential candidates’ followers is still too small to influence the election.

    As the presidential election approaches, questions about possible external influence on the election, for example through automated bots following the social media accounts of candidates, have increased.

    Maria Heimonen, marketing director at the IT company eCraft, says that external attempts to influence the Finnish presidential election through bots are a relevant concern, especially when recalling Russia’s influence on the 2016 US presidential election.

    - It is worrying if outside parties try to influence people’s opinions during an election. Bots that share and like certain kinds of posts create an illusion that they represent a large share of real people, Heimonen says.

    - It is too early to draw far-reaching conclusions on the basis of current information. We must remember that, according to what is currently known, we are talking about a fairly small number of potentially automated followers, Limnéll says.

    The numbers are still small

    Presidential candidate Pekka Haavisto (Greens) reported at the end of December about 1,700 suspicious Twitter followers, which have since been removed. According to an analysis by F-Secure’s expert Andy Patel, both Haavisto’s and Sauli Niinistö’s Twitter accounts would have just under 400 new potentially automated followers.

    Limnéll does not consider these bots very significant either. He also notes that there is still no certainty that all the suspicious followers of the candidates are automated bots.

    - If you really want to influence the elections by such measures, the number of followers should be considerably higher.

    However, the professor considers it worthwhile to investigate the matter, as it raises citizens’ awareness of and preparedness for social media influence.

    - Only imagination is a limit when talking about possible ways of influencing.

    As a practical example, Limnéll mentions the possibility that bots would amplify certain political messages on Twitter. A counter-argument put forward to challenge a candidate’s argument could get a disproportionate number of likes and retweets, which would make the counter-argument appear more powerful than the original.

    In addition, bots may, for example, “capture” Twitter hashtags, such as the much-used presidential election 2018 hashtag. Bots could flood the hashtag with irrelevant content, giving a distorted picture of the debate around the election.

    Source: http://www.iltalehti.fi/digi/201801122200663812_du.shtml

    Reply
  20. Tomi Engdahl says:

    Zyklon Malware Delivered via Recent Office Flaws
    http://www.securityweek.com/zyklon-malware-delivered-recent-office-flaws

    A piece of malware known as Zyklon has been delivered by cybercriminals using some relatively new vulnerabilities in Microsoft Office, FireEye reported on Wednesday.

    Zyklon has been around since early 2016 and it allows attackers to conduct a wide range of malicious activities, including launch distributed denial-of-service (DDoS) attacks, log keystrokes, steal passwords, and mine cryptocurrency.

    A recent campaign observed by FireEye has been aimed at organizations in the telecommunications, insurance and financial services sectors. The malware has been delivered as a ZIP archive attached to spam emails.

    The ZIP file contains a specially crafted Word document that exploits one of three weaknesses in Microsoft Office to deliver a PowerShell script that downloads the final Zyklon payload from a remote server.

    One of the vulnerabilities exploited by the malicious documents is CVE-2017-8759, a flaw patched by Microsoft in September 2017.

    Another flaw exploited to deliver Zyklon is CVE-2017-11882, a 17-year-old vulnerability in the Equation Editor component that Microsoft patched in November. CVE-2017-11882 has been leveraged by Iranian cyberspies, the Cobalt hacking group, and others.

    Cybercriminals have also abused the Dynamic Data Exchange (DDE) feature in Office to spread the malware.

    If the malicious documents successfully exploit one of these weaknesses, they download a PowerShell script that injects code and fetches the final payload from a server.

    The malware uses the Tor network to communicate with its command and control (C&C) server. Once a connection has been established, the attacker can instruct the malware to provide information about the infected system, launch DDoS attacks, mine cryptocurrency, and upload harvested data.

    Reply
  21. Tomi Engdahl says:

    Crypto-Mining Attack Targets Web Servers Globally
    http://www.securityweek.com/crypto-mining-attack-targets-web-servers-globally

    A new malware family is targeting web servers worldwide in an attempt to ensnare them into a crypto-mining botnet, security researchers have discovered.

    Dubbed RubyMiner, the threat was discovered last week, when it started launching massive attacks on web servers in the United States, Germany, United Kingdom, Norway, and Sweden. Within a single day, the attackers behind this malware attempted to compromise nearly one third of networks globally, Check Point revealed last week.

    The purpose of the attack, which is targeting both Windows and Linux servers, is to install a Monero miner by exploiting old vulnerabilities that have been published and patched in 2012 and 2013. The attackers weren’t looking for stealth compromise, but attempted to compromise a large number of vulnerable HTTP web servers as quickly as possible.

    The infection campaign is targeting vulnerabilities in PHP, Microsoft IIS, and Ruby on Rails. Despite the large number of compromise attempts observed, only 700 servers worldwide have been successfully enslaved within the first 24 hours of attacks.

    The deployed malware – on all infected servers – is XMRig, a Monero miner that was used in September 2017 in an attack exploiting a vulnerability in Microsoft IIS 6.0, the webserver in Windows Server 2003 R2.

    Reply
  22. Tomi Engdahl says:

    Threat Actors Quickly Adopt Effective Exploits
    http://www.securityweek.com/threat-actors-quickly-adopt-effective-exploits

    Cybercriminals and nation state groups were quick to adopt the most effective exploits last year, a new AlienVault report reveals.

    Not only do the most effective exploits proliferate quickly between cybercriminals, but some of them remain popular for years after their initial discovery.

    The top 10 list of exploits – by number of occurrences in vendor reports – is dominated by Microsoft Office and Microsoft Windows, data from AlienVault’s Open Threat Exchange (OTX) platform reveals. Adobe Flash, Microsoft .NET, and Android/Linux were also present on the list, with one exploit each.

    The exploit to appear most often in vendor reports last year was CVE-2017-0199, a code execution bug affecting Microsoft Office. Detailed in April 2017, when it was already being abused in attacks, the vulnerability started being adopted almost immediately, and the trend continued toward the end of the year as well.

    Reply
  23. Tomi Engdahl says:

    Found: New Android malware with never-before-seen spying capabilities
    https://arstechnica.com/information-technology/2018/01/found-new-android-malware-with-never-before-seen-spying-capabilities/

    Skygofree is among the most powerful spy platforms ever created for Android.

    Last year, researchers found what at the time was quite possibly the world’s most sophisticated espionage app ever written for the Android mobile operating system. Now, in a discovery that underscores the growing arms race among competing malware developers, researchers have uncovered a new Android spying platform that includes location-based audio recording and other features that have never been seen in the wild before.

    According to a report published Tuesday by antivirus provider Kaspersky Lab, “Skygofree” is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares.

    Reply
  24. Tomi Engdahl says:

    Found: New Android malware with never-before-seen spying capabilities
    Skygofree is among the most powerful spy platforms ever created for Android.
    https://arstechnica.com/information-technology/2018/01/found-new-android-malware-with-never-before-seen-spying-capabilities/

    Last year, researchers found what at the time was quite possibly the world’s most sophisticated espionage app ever written for the Android mobile operating system. Now, in a discovery that underscores the growing arms race among competing malware developers, researchers have uncovered a new Android spying platform that includes location-based audio recording and other features that have never been seen in the wild before.

    According to a report published Tuesday by antivirus provider Kaspersky Lab, “Skygofree” is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, geolocation data, calendar events, and business-related information stored in device memory.

    Skygofree: Following in the footsteps of HackingTeam
    https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

    Reply
  25. Tomi Engdahl says:

    VTech fondleslabs for kids ‘still vulnerable’ despite sanctions
    Researchers claim flaws remain more than two years later
    https://www.theregister.co.uk/2018/01/18/innotab_kid_tech_still_vulnerable/

    New InnoTab child learning devices still have the same security flaw first found by researchers at Pen Test Partners two years ago.

    The issues persist even after manufacturer VTech was fined $650,000 by US watchdogs at the Federal Trade Commission (FTC) via a ruling published earlier this week. The settlement deal came after the FTC scolded the children’s toymaker for both unnecessarily collecting kids’ personal information and (worse) failing to protect this sensitive data before a massive breach in November 2015.

    As well as paying the fine, VTech agreed to apply privacy and security requirements so that it complied with the Children’s Online Privacy Protection Act (COPPA) and the FTC Act, as previously reported.

    Tests by UK security consultancy Pen Test Partners at the time found it was possible to lift data from its InnoTab tablet, as El Reg reported at the time.

    The same tests on a newly purchased InnoTab reveal that the same hack is still possible and nothing had been done to address the problem, according to Pen Test Partners’ Ken Munro.

    The FTC settlement resulted in VTech promising to improve its security. More specifically, the deal means that VTech is “required to implement a comprehensive data security program, which will be subject to independent audits for 20 years” and is barred from “misrepresenting its security and privacy practices”.

    In response to queries from El Reg, VTech said it was working hard to fulfil its security obligations.

    Munro wasn’t impressed by what he described as a “carefully caged non-answer”.

    Reply
  26. Tomi Engdahl says:

    Intel Forms New Security Group to Avoid Future Meltdowns
    https://hackaday.com/2018/01/17/intel-forms-new-security-group-to-avoid-future-meltdowns/

    Intel just moved some high level people around to form a dedicated security group.

    When news of Meltdown and Spectre broke, Intel’s public relations department applied maximum power to their damage control press release generators. The initial message was one of defiance, downplaying the impact and implying people are over reacting. This did not go over well. Since then, we’ve started seeing a trickle of information from engineering and even direct microcode updates for people who dare to live on the bleeding edge.

    All the technical work to put out the immediate fire is great, but for the sake of Intel’s future they need to figure out how to avoid future fires.

    Intel reorganizes amid tumult over computer chip flaw
    http://www.oregonlive.com/silicon-forest/index.ssf/2018/01/intel_reorganizes_amid_fervor.html

    “Security is Job No. 1 for Intel and our industry,” Intel CEO Brian Krzanich said during his keynote address Monday night at the Consumer Electronics Show in Las Vegas.

    Reply
  27. Tomi Engdahl says:

    North Korea linked to new cryptocurrency attacks
    http://money.cnn.com/2018/01/17/technology/north-korea-cryptocurrency-attacks/

    North Korea-linked hackers targeted cryptocurrency investors and exchanges just as bitcoin started to soar to record highs, according to a new report.

    Cybersecurity firm Recorded Future said malware used in the attacks was similar to that used in the Sony Pictures hack, the global WannaCry ransomware attack and the major cyberheist that hit Bangladesh’s central bank.

    North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign
    https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/

    Reply
  28. Tomi Engdahl says:

    ‘Text bomb’ is latest Apple bug
    http://www.bbc.com/news/technology-42728336

    A new “text bomb” affecting Apple’s iPhone and Mac computers has been discovered.

    Abraham Masri, a software developer, tweeted about the flaw which typically causes an iPhone to crash and in some cases restart.

    Simply sending a message containing a link which pointed to Mr Masri’s code on programming site GitHub would be enough to activate the bug – even if the recipient did not click the link itself.

    Mr Masri said he “always reports bugs” before releasing them. Apple has not yet commented on the issue.

    On a Mac, the bug reportedly makes the Safari browser crash, and causes other slowdowns.

    But users should not be alarmed.

    Security expert Graham Cluley wrote on his blog that the bug does not present anything to be particularly worried about – it’s merely very annoying.

    “Something about the so-called ChaiOS bug’s code gives your Apple device a brainstorm,”

    Beware! A new bug can crash iOS and macOS with a single text message
    Resist the temptation to send this text bomb to anyone.
    https://www.grahamcluley.com/chaios-bug-crash-ios-macos-messages/

    Reply
  29. Tomi Engdahl says:

    WiFi Alliance Announces Upcoming Fixes to WPA2
    https://hackaday.com/2018/01/10/wifi-alliance-announces-upcoming-fixes-to-wpa2/

    Last October, before Intel’s Management Engine was completely broken and the Spectre and Meltdown exploits drove Intel’s security profile further into the ground, we had a problem with wireless networking. WPA2 was cracked with KRACK, the Key Reinstallation Attack. The sky isn’t falling quite yet, but the fact remains that the best WiFi security currently available isn’t very secure at all.

    This week, at the Consumer Electronics Show in Las Vegas, the WiFi Alliance announced they would introduce security enhancements in 2018. While it’s not said in the press release if this is a reaction to KRACK, the smart money says yes, this is indeed a reaction to KRACK.

    Reply
  30. Tomi Engdahl says:

    A password for the Hawaii emergency agency was hiding in a public photo, written on a post-it note
    http://nordic.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&IR=T

    A false alarm was broadcast to Hawaii on Saturday warning of an inbound missile.
    In the days following the alert, people discovered that a photo taken in Hawaii’s Emergency Management Agency for a newspaper article in July includes a sticky note with a password on it.
    Hawaii says the false alarm was because an employee “pushed the wrong button,” not because it was hacked, but the photo sparked criticism from the security industry about the general level of security at the agency.

    Reply
  31. Tomi Engdahl says:

    Raphael Satter / Associated Press:
    Researchers find hundreds of gigabytes of files online outlining Lebanon-linked effort to gain passwords and eavesdrop via bogus websites and malicious apps — LONDON (AP) — A major hacking operation tied to Lebanon’s main intelligence agency has been exposed after careless spies left hundreds …

    Report links hacking campaign to Lebanese security agency
    https://apnews.com/c78ef443167540cbbff2b1f8f3af2772/Researchers:-Hacking-campaign-linked-to-Lebanese-spy-agency

    Reply
  32. Tomi Engdahl says:

    Colin Lecher / The Verge:
    US Senate votes 65 to 34 to reauthorize Section 702 FISA surveillance program through 2023; bill now goes to Trump to sign

    Senate passes bill to renew controversial NSA spying powers
    https://www.theverge.com/2018/1/18/16893464/senate-vote-702-authorization-nsa-spying-trump

    Reply
  33. Tomi Engdahl says:

    Iain Thomson / The Register:
    Google software engineer Grzegorz Milka says in conference presentation that under 10% of active Gmail users have two-factor authentication enabled

    Who’s using 2FA? Sweet FA. Less than 1 in 10 Gmail users enable two-factor authentication
    Your daily dose of digital depression
    http://www.theregister.co.uk/2018/01/17/no_one_uses_two_factor_authentication/

    Usenix Enigma It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, but virtually no one is using it.

    In a presentation at Usenix’s Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services. He also said only about 12 per cent of Americans have a password manager to protect their accounts, according to a 2016 Pew study.

    Reply
  34. Tomi Engdahl says:

    Triton Malware Exploited Zero-Day in Schneider Electric Devices
    http://www.securityweek.com/triton-malware-exploited-zero-day-schneider-electric-devices

    The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization.

    The malware, designed to target industrial control systems (ICS), was discovered after it caused a shutdown at an organization in the Middle East. Both FireEye and Dragos published detailed reports on the threat.

    Reply
  35. Tomi Engdahl says:

    Researchers Earn $100,000 for Hacking Pixel Phone
    http://www.securityweek.com/researchers-earn-100000-hacking-pixel-phone

    A team of researchers has earned more than $100,000 from Google for an Android exploit chain that can be used to hack the company’s Pixel phone remotely simply by getting the targeted user to access a malicious website.

    Google’s Pixel phone was the only device that was not hacked at last year’s Mobile Pwn2Own competition. However, researcher Guang Gong of Chinese security firm Qihoo 360 and his team did manage to find a couple of vulnerabilities that can be chained for a remote code injection exploit that works against Pixel and other Android smartphones.

    The exploit relies on two vulnerabilities: CVE-2017-5116 and CVE-2017-14904. The former is a type confusion flaw in the V8 open-source JavaScript engine and it can be exploited for remote code execution in a sandboxed Chrome render process. Google patched this security hole in September with the release of Chrome 61.

    Reply
  36. Tomi Engdahl says:

    Latvia’s e-health system hit by cyberattack from abroad
    https://phys.org/news/2018-01-latvia-e-health-cyberattack.amp?__twitter_impression=true

    Latvia said its new e-health system was on Tuesday hit by a large-scale cyberattack that saw thousands of requests for medical prescriptions pour in per second from more than 20 countries in Africa, the Caribbean and the European Union.

    No data was compromised, according to health officials, who immediately took down the site, which was launched earlier this month to streamline the writing of prescriptions in the Baltic state.

    “It is clear that it was a planned attack, a widespread attack—we might say a specialised one

    “We received thousands of requests in a very short space of time. That’s not the normal way the system works,”

    Reply
  37. Tomi Engdahl says:

    Apple’s San Francisco commuter buses are reportedly being attacked
    http://bgr.com/2018/01/18/apple-bus-attacks-pellet-gun/

    Companies like Google and Apple run commuter buses in the areas around their campuses, giving employees a way to commute to and from work for free. Some believe these buses have become a constant reminder of the gentrification in and around Silicon Valley, however, and they have been the focus of protests in the past.

    The Guardian reported on Wednesday afternoon that at least five commuter buses have been targeted in the suspected pellet gun attacks. Windows on all five buses were smashed according to the report

    Buses for Apple employees attacked with pellet guns, company suspects
    https://www.theguardian.com/technology/2018/jan/17/apple-bus-attack-pellet-guns-silicon-valley

    Corporate buses, which ferry workers from San Francisco to its Silicon Valley headquarters, have become symbols of gentrification

    Montiel said that he could not be sure that the attack was targeted at Apple as the buses are unmarked. “It could be Google, Apple or any other company,” he said.

    However, the buses of each of the tech firms are a distinct colour: Google’s are white, Apple’s are silver and Facebook’s are blue.

    The buses have become symbols of gentrification and the perception that the tech sector is responsible for pushing up housing prices in the city, making it unaffordable for those without six-figure salaries.

    Reply
  38. Tomi Engdahl says:

    Adult VR app SinVR exposed names and emails of thousands of users
    The vulnerability has now been fixed, after being raised by a UK security firm
    http://www.alphr.com/security/1008193/adult-vr-app-sinvr-exposed-names-and-emails-of-thousands-of-users

    https://www.digitalinterruption.com/single-post/2018/01/09/Attention-SinVR-users

    Reply
  39. Tomi Engdahl says:

    Health South East RHF data breach exposed health records for half of Norway’s Population
    http://securityaffairs.co/wordpress/67922/data-breach/health-south-east-rhf-databreach.html

    On January 8, the Health South East RHF, that is the healthcare organization that manages hospitals in Norway’s southeast region disclosed a major security breach.

    “Everything indicates that it is an advanced player who has the tools and ability to perform such an attack. It can be advanced criminals. There is a wide range of possibilities,”

    Reply
  40. Tomi Engdahl says:

    GhostTeam – Android Malware Stealing Your Facebook Credentials
    https://gbhackers.com/ghostteam-android-malware/

    A new Android malware, GhostTeam, has been found in the Google Play Store. It is capable of stealing Facebook credentials, and it also uses social engineering techniques to trick victims into downloading the malicious applications.

    Around 53 malicious apps have been discovered; most of them display malicious ads that contain a link to download additional malicious apps and trick victims into giving up their Facebook credentials.

    Reply
  41. Tomi Engdahl says:

    China Is Tracking Citizens Using Facial Recognition Technology
    http://www.iflscience.com/policy/china-is-tracking-villagers-in-xinjiang-with-facial-recognition-technology/

    China is taking surveillance culture to a new level and incorporating AI facial recognition to its surveillance system in Xinjiang, a territory in the country’s far west bordering Afghanistan and Pakistan. The area is home to a large Muslim population, who are already subject to stringent security measures in what has been referred to as the “perfect police state”.

    Reply
  42. Tomi Engdahl says:

    British 15-year-old gained access to intelligence operations in Afghanistan and Iran by pretending to be head of CIA, court hears
    http://www.telegraph.co.uk/news/2018/01/19/british-15-year-old-gained-access-intelligence-operations-afghanistan/

    A 15-year-old gained access to plans for intelligence operations in Afghanistan and Iran by pretending to be the head of the CIA to gain access to his computers, a court has heard.

    Reply
  43. Tomi Engdahl says:

    Malicious Chrome extension is next to impossible to manually remove
    Extensions remain the Achilles heel for an otherwise highly secure browser.
    https://arstechnica.com/information-technology/2018/01/malicious-chrome-extension-is-next-to-impossible-to-manually-remove/

    Proving once again that Google Chrome extensions are the Achilles heel of what’s arguably the Internet’s most secure browser, a researcher has documented a malicious add-on that tricks users into installing it and then, he said, is nearly impossible for most to manually uninstall. It was available for download on Google servers until Wednesday, 19 days after it was privately reported to Google security officials, a researcher said.

    Once installed, an app called “Tiempo en colombia en vivo” prevents users from accessing the list of installed Chrome extensions by redirecting requests

    Malwarebytes researcher Pieter Arntz said he experimented with a variety of hacks—including disabling JavaScript in the browser, starting Chrome with all extensions disabled, and renaming the folder where extensions are stored—none of them worked. Removing the extension proved so difficult that he ultimately advised users to run the free version of Malwarebytes and let it automatically remove the add-on.

    https://www.malwarebytes.com/mwb-download/

    Reply
  44. Tomi Engdahl says:

    China flaunts quantum key distribution in-SPAAACE by securing videoconference
    Satellite carries keys to Graz
    https://www.theregister.co.uk/2018/01/22/china_flaunts_its_qkdinspaaace_by_securing_videoconference/

    China has revealed more detail of its much-hyped satellite quantum key distribution network.

    In a paper published at Physical Review Letters, Liao Shengkai of University of Science and Technology of China and other researchers describe the experiment in which they passed quantum-created keys between Xinglong and Graz in Austria.

    In quantum key distribution (QKD), the keys used to secure communications take advantage of quantum entanglement to protect secret keys against eavesdropping. Those keys are then used to secure communications transmitted over non-quantum channels.

    The Chinese experiment demonstrated communication with transmitted images, and followed that up with a 75-minute videoconference on 29 September 2017 secured with quantum-distributed keys.

    Satellite-Relayed Intercontinental Quantum Network
    https://journals.aps.org/prl/abstract/10.1103/PhysRevLett.120.030501

    Reply
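    The two sentences above compress the whole idea of QKD: an eavesdropper on the quantum channel cannot copy photons without disturbing them, so the parties detect interception as an elevated error rate on a sample of the sifted key, and the surviving key is then used with ordinary symmetric cryptography over a classical link. The simulation below is an added illustration and is not code from the Physical Review Letters paper or from The Register; it models the simplest prepare-and-measure scheme (BB84), which needs no entanglement, with photon states represented as (bit, basis) pairs, which reproduces BB84's statistics exactly on an ideal noiseless channel. The abort threshold, the seed and the constructed message are assumptions chosen for the demo, not values from the experiment.

```python
"""Simulate the key-agreement steps of a prepare-and-measure QKD protocol (BB84).

Added illustration, not code from the PRL paper or The Register article.
Photon states are modelled classically as (bit, basis) pairs, which gives
BB84's exact statistics for an ideal, noiseless channel. The abort threshold
and the seed are assumptions chosen for the demo, not experimental values.
"""
import random
from typing import Dict, List

# Assumed abort threshold for the demo. An intercept-resend attacker on every
# photon produces ~25% errors; a clean ideal channel produces 0%.
QBER_THRESHOLD = 0.11


def measure(photon_bit: int, photon_basis: int, measure_basis: int, rng: random.Random) -> int:
    """Measure a photon: same basis yields the encoded bit, wrong basis yields a coin flip.

    Either way the original state is consumed, so whoever measured cannot pass
    on an exact copy. That is the no-cloning property the protocol relies on.
    """
    if photon_basis == measure_basis:
        return photon_bit
    return rng.getrandbits(1)


def run_bb84(n: int, seed: int, eavesdrop: bool) -> Dict[str, object]:
    """Exchange n photons; return the estimated error rate and the agreed key (None on abort)."""
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n)]
    alice_bases = [rng.getrandbits(1) for _ in range(n)]  # 0 = rectilinear, 1 = diagonal
    bob_bases = [rng.getrandbits(1) for _ in range(n)]
    bob_bits: List[int] = []

    # Quantum channel: Alice -> (optionally Eve) -> Bob.
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon_bit, photon_basis = bit, a_basis
        if eavesdrop:
            # Intercept-resend: Eve guesses a basis, measures, and re-sends in that basis.
            e_basis = rng.getrandbits(1)
            photon_bit = measure(photon_bit, photon_basis, e_basis, rng)
            photon_basis = e_basis
        bob_bits.append(measure(photon_bit, photon_basis, b_basis, rng))

    # Classical channel, step 1 (sifting): bases are announced in the clear and
    # only positions where Alice's and Bob's bases agree are kept.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in sifted]
    bob_key = [bob_bits[i] for i in sifted]

    # Classical channel, step 2 (error estimation): half of the sifted bits are
    # revealed and compared, then discarded because an eavesdropper saw them.
    sample_size = len(sifted) // 2
    sample = set(rng.sample(range(len(sifted)), sample_size))
    errors = sum(1 for i in sample if alice_key[i] != bob_key[i])
    qber = errors / sample_size if sample_size else 1.0
    if qber > QBER_THRESHOLD:
        return {"qber": qber, "key": None}  # abort: the channel was tampered with
    key = [alice_key[i] for i in range(len(sifted)) if i not in sample]
    return {"qber": qber, "key": key}


def one_time_pad(message: bytes, key_bits: List[int]) -> bytes:
    """XOR a message with the quantum-distributed key; the same call decrypts."""
    if len(key_bits) < 8 * len(message):
        raise ValueError("key too short for one-time pad")
    out = bytearray()
    for i, byte in enumerate(message):
        k = 0
        for b in key_bits[8 * i: 8 * i + 8]:
            k = (k << 1) | b
        out.append(byte ^ k)
    return bytes(out)


if __name__ == "__main__":
    clean = run_bb84(4000, seed=7, eavesdrop=False)
    tapped = run_bb84(4000, seed=7, eavesdrop=True)
    print(f"no eavesdropper: QBER={clean['qber']:.3f}, key bits={len(clean['key'])}")
    print(f"intercept-resend: QBER={tapped['qber']:.3f}, key={tapped['key']}")
    ciphertext = one_time_pad(b"constructed message", clean["key"])  # constructed sample
    print("round trip ok:", one_time_pad(ciphertext, clean["key"]) == b"constructed message")
```

    The practitioner's caveat is in the threshold: a real link has detector noise and channel loss, so the QBER is never zero and the protocol must set an abort threshold and then run error correction and privacy amplification on what survives, steps this toy omits. The part that carries over unchanged is that security rests on physics for the key exchange only; the videoconference itself was protected by conventional symmetric encryption keyed from that exchange, which is what the last line models.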
  45. Tomi Engdahl says:

    OnePlus issues statement as some buyers complain of credit card fraud
    http://mashable.com/2018/01/15/oneplus-credit-card-fraud/#N_pHvys1Emq6

    A significant number of OnePlus customers have reported suspicious activity on the credit cards they’d used to purchase a OnePlus phone.

    According to this post on the company’s official forums, 73 customers who had purchased something from OnePlus using their credit card in the last two months have had fraudulent charges on their card.

    https://forums.oneplus.net/threads/credit-card-fraud.747206/

    Reply
  46. Tomi Engdahl says:

    Bitcoin’s fluctuations are too much for even ransomware cybercriminals
    https://www.theguardian.com/technology/2018/jan/18/bitcoin-fluctuations-ransomware-cybercrminals-malware-developers

    Malware developers have had to demand ransoms in local currencies as they attempt to not price their targets out

    Bitcoin’s price swings are so huge that even ransomware developers are dialling back their reliance on the currency, according to researchers at cybersecurity firm Proofpoint.

    Over the last quarter of 2017, researchers saw a fall of 73% in payment demands denominated in bitcoin. When demanding money to unlock a victim’s data, cybercriminals are now more likely to simply ask for a figure in US dollars, or a local currency, than specify a sum of bitcoin.

    Just like conventional salespeople, ransomware developers pay careful attention to the prices they charge. Some criminals offer discounts depending on the region the victim is in, offering cheaper unlocking to residents of developing nations, while others use an escalating price to encourage users to pay quickly and without overthinking things.

    But a rapidly oscillating bitcoin price plays havoc with those goals, Proofpoint says. “Surging cryptocurrency values are a boon for holders of bitcoin. But they are a challenge for anyone who tries to price their product or service in bitcoin — threat actors included. In Q4, newer ransomware strains appeared to take this into account. Sigma ransomware first appeared in mid-November demanding a payment denominated in US dollars.”

    Reply
  47. Tomi Engdahl says:

    Dridex redux, with FTP serving the nasties
    Venerable malware is back for another round of phishing phun
    https://www.theregister.co.uk/2018/01/22/dridex_redux_with_ftp_serving_the_nasties/

    Keep your eyes open for yet-another Dridex-based malware attack.

    Forcepoint researchers spotted the campaign last week, noting that instead of hitting up HTTP links the attackers are targeting compromised FTP sites (and exposing those sites’ credentials).

    The FTP sites in question were used to host the malware sent to victims who clicked on links (insert usual statement about care with links), and the post noted that the attackers didn’t care that they exposed the logins of sites they abused. The upshot, however, could be that other attackers also get a chance to abuse the same targets.

    Reply
  48. Tomi Engdahl says:

    Dridex Campaign Abuses FTP Servers
    http://www.securityweek.com/dridex-campaign-abuses-ftp-servers

    A recently observed email campaign is abusing compromised FTP servers as download locations for malicious documents and infecting users with the Dridex banking Trojan, Forcepoint has discovered.

    Dridex has been one of the most prolific banking Trojans over the past several years, with the actors behind it constantly adopting new techniques and improving their malware for increased efficiency. The malware is focused on stealing user’s online banking credentials to perform financial fraud.

    Malicious emails distributed as part of the new campaign were observed on January 17, 2018, primarily sent to .com top-level domains (TLDs). Analysis of the top affected TLDs revealed that major regional targets included France, the UK, and Australia.

    The malicious actor(s) behind the attack used two types of malicious documents as delivery mechanisms, namely a Word document abusing Dynamic Data Exchange (DDE) for malware execution, and an XLS file with macro code to fetch the banking Trojan.

    The compromised servers abused in this campaign don’t appear to be running the same FTP software, and the security researchers believe that the attackers obtained the login credentials as part of other attacks.

    Reply
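    The Word/DDE delivery mechanism named in the two Dridex comments above is easy to spot at the file level once you know where Word keeps field codes. The script below is an added example, not code from Forcepoint or from either article: it opens a .docx as the ZIP package it is, walks every WordprocessingML part under word/ (headers and footers included), rejoins field instructions that are split across several instrText runs, and flags any that begin with DDE or DDEAUTO. A plain string search for "DDEAUTO" in document.xml misses the split-run form, which is why the parser tracks fldChar begin/separate/end markers. Both sample documents are constructed in memory so it runs offline; the XLS-with-macro variant needs an OLE/VBA parser and is not covered here.

```python
"""Flag Dynamic Data Exchange (DDE) field codes inside a .docx file.

Added example, not code from the Forcepoint report or the articles above. A
.docx is a ZIP archive whose body is word/document.xml; Word stores field
instructions either as the w:instr attribute of <w:fldSimple> or as one or
more <w:instrText> runs between fldChar "begin" and "separate"/"end"
markers. A DDE field looks like `DDEAUTO c:\\windows\\system32\\cmd.exe "/k ..."`.
The two sample documents are constructed in memory so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_SIMPLE = f"{{{W_NS}}}fldSimple"
FLD_CHAR = f"{{{W_NS}}}fldChar"
INSTR_TEXT = f"{{{W_NS}}}instrText"
ATTR_INSTR = f"{{{W_NS}}}instr"
ATTR_FLD_TYPE = f"{{{W_NS}}}fldCharType"

# Leading whitespace/quotes are tolerated because in-the-wild samples pad the
# keyword to defeat naive "DDEAUTO" string scans.
DDE_RE = re.compile(r"^\s*[\"']?\s*(DDEAUTO|DDE)\b", re.IGNORECASE)


def field_instructions(part_xml: bytes) -> List[str]:
    """Return every field instruction in one WordprocessingML part, split runs rejoined."""
    root = ET.fromstring(part_xml)
    found: List[str] = []
    current = None  # instrText pieces of the complex field currently open
    for elem in root.iter():  # document order, so run fragments come out in sequence
        if elem.tag == FLD_SIMPLE:
            found.append(elem.get(ATTR_INSTR, ""))
        elif elem.tag == FLD_CHAR:
            kind = elem.get(ATTR_FLD_TYPE)
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                found.append("".join(current))
                current = None
        elif elem.tag == INSTR_TEXT and current is not None:
            current.append(elem.text or "")
    return found


def find_dde(docx_bytes: bytes) -> List[str]:
    """Return the DDE field instructions in a .docx; an empty list means none found."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Headers, footers and footnotes are parts too and can carry fields.
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instructions = field_instructions(zf.read(name))
            except ET.ParseError:
                continue
            hits.extend(i.strip() for i in instructions if DDE_RE.match(i))
    return hits


def build_docx(body_xml: str) -> bytes:
    """Constructed test input: wrap a body fragment in a minimal, valid .docx package."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>'
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample: DDEAUTO split across three runs, with a harmless cached
# result shown to the user in place of the field. Not a real Dridex document.
MALICIOUS_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"/k calc.exe"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Click Yes to update linked content</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
# Constructed sample: an ordinary page-number field, which must not be flagged.
CLEAN_BODY = '<w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_BODY), ("malicious", MALICIOUS_BODY)):
        print(f"{label}: {find_dde(build_docx(body))}")
```

    Run against a real mail attachment, the return value is what a mail gateway or sandbox would act on: any non-empty list is enough to quarantine, since legitimate documents almost never carry DDE fields. The same parser can be pointed at .dotx templates and at the parts under word/ other than document.xml, which is why the scan is not limited to the main body.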
  49. Tomi Engdahl says:

    UK Teen Gained Access to CIA Chief’s Accounts: Court
    http://www.securityweek.com/uk-teen-gained-access-cia-chiefs-accounts-court

    A British teenager managed to access the communications accounts of top US intelligence and security officials including the then CIA chief John Brennan, a London court heard Friday.

    Kane Gamble, now 18, was aged 15 and 16 when, from his bedroom in Coalville, central England, he managed to impersonate his targets to gain highly sensitive information.

    “Kane Gamble gained access to the communications accounts of some very high-ranking US intelligence officials and government employees,” prosecutor John Lloyd-Jones told England’s Old Bailey central criminal court. “He also gained access to US law enforcement and intelligence agency networks.”

    Gamble has admitted 10 offences against the computer misuse act, between June 2015 and February 2016, and is awaiting sentencing.

    Gamble impersonated Brennan in calls to the telecommunications companies Verizon and AOL, although in one attempt, he stumbled on a question about Brennan’s first pet.

    Several sensitive documents were reportedly obtained from Brennan’s private email inbox and Gamble managed to get information about military and intelligence operations in Iran and Afghanistan.

    “It also seems he was able to successfully access Mr Brennan’s iCloud account,” the prosecutor said.

    Gamble called AOL and initiated a password reset, and took control of Brennan’s wife’s iPad.

    - ‘I own you’ -

    Gamble also targeted the then US secretary of homeland security Jeh Johnson and made calls to his phone number.

    He left Johnson’s wife a voicemail saying “Am I scaring you?” and managed to get a message to appear on the family television saying: “I own you”.

    Reply
