Cyber Security February 2018

This posting is here to collect security alert news in February 2018.

I post links to security vulnerability news to comments of this article.

 

 

101 Comments

  1. Tomi Engdahl says:

    Asus Router Flaws Disclosed by Several Researchers
    http://www.securityweek.com/asus-router-flaws-disclosed-several-researchers

    Several security researchers and companies have recently disclosed the details of potentially serious vulnerabilities they discovered in the past months in various Asus routers.

    Fortinet reported on Tuesday that its researchers had found a vulnerability in some Asus routers that allows an authenticated attacker to execute arbitrary commands with root privileges.

    “Technically, vulnerable models are prone to OS command injections via unsanitized parameters passed to the /apply.cgi,” Fortinet explained.

    Eugene Dokukin, aka “MustLive,” a member of the Ukrainian Cyber Forces activist group, has also disclosed the details of some cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities affecting several Asus RT-N10 models.

    XSS and CSRF vulnerabilities in ASUS RT-N10
    http://seclists.org/fulldisclosure/2018/Jan/99

    Reply
  2. Tomi Engdahl says:

    Remotely Exploitable Vulnerability Could Impact 300,000 Oracle PoS Systems
    http://www.securityweek.com/remotely-exploitable-vulnerability-could-impact-300000-oracle-pos-systems

    A vulnerability Oracle addressed in the MICROS Point-of-Sale (PoS) terminals with the January 2018 Critical Patch Update could impact more than 300,000 payment systems worldwide.

    Tracked as CVE-2018-2636 and featuring a CVSS v3 score of 8.1, the vulnerability was discovered in September 2017 as a directory traversal vulnerability. Hackers looking to abuse it could read any file by sending a packet to a particular web service of a PoS terminal.

    The vulnerability was addressed in Oracle’s January 2018 CPU, but the patch was unlikely to have been already deployed to all of the vulnerable MICROS PoS systems out there.

    Reply
  3. Tomi Engdahl says:

    Malware Exploiting Spectre, Meltdown Flaws Emerges
    http://www.securityweek.com/malware-exploiting-spectre-meltdown-flaws-emerges

    Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks.

    The Meltdown and Spectre attack methods allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive data. Shortly after Spectre and Meltdown were disclosed on January 3, experts warned that we could soon see remote attacks, especially since a JavaScript-based proof-of-concept (PoC) exploit for Spectre had been made available.

    On January 17, antivirus testing firm AV-TEST reported that it had seen 77 malware samples apparently related to the CPU vulnerabilities, and the number had increased to 119 by January 23.

    “Most appear to be recompiled/extended versions of the PoCs – interestingly, for various platforms like Windows, Linux and MacOS,” Andreas Marx, CEO of AV-TEST, told SecurityWeek. “We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”

    Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available PoC code.

    Marx believes different groups are working on the PoC exploits to determine if they can be used for some purpose. “Most likely, malicious purposes at some point,” he said.

    The expert believes the current malware samples are still in the “research phase” and attackers are most likely looking for ways to extract information from computers, particularly from web browsers. He would not be surprised if we started seeing targeted and even widespread attacks in the future.

    Reply
  4. Tomi Engdahl says:

    A Devastating ATM Hack Swept the World—And Finally Hit the US
    https://www.wired.com/story/jackpotting-atm-hacks

    In July 2016, ATM hackers in Taiwan raked in more than $2 million using a new type of malware attack that manipulated machines into spitting out tons of cash. The method, dubbed “jackpotting,” quickly spread across parts of Asia, Europe, and Central America, resulting in tens of millions of dollars of stolen cash. By November 2016, the FBI issued a warning that “well-resourced and organized malicious cyber actors have intentions to target the US financial sector” using this approach. But it took a year for the attack to arrive stateside.

    This week, the Secret Service began warning financial institutions about a rash of jackpotting attacks across the US, and the threat that more could be coming. In a jackpotting attack, hackers—often dressed as technicians to deflect suspicion—penetrate an ATM’s physical and digital security, install malware, establish remote access, and set it up to display an out-of-order screen.

    Reply
  5. Tomi Engdahl says:

    Johnny Hacker hauls out NSA-crafted Server Message Block exploits, revamps ‘em
    Yep, vulns of WannaCry infamy. Why haven’t you patched yet?
    https://www.theregister.co.uk/2018/01/31/wannacry_smb_exploit_beefed_up/

    Hackers* have improved the reliability and potency of Server Message Block (SMB) exploits used to carry out the hard-hitting NotPetya ransomware attack last year.

    EternalBlue, EternalSynergy, EternalRomance and EternalChampion formed part of the arsenal of NSA-developed hacking tools that were leaked by the Shadow Brokers group before they were used (in part) to mount the devastating NotPetya cyber attack.

    The exploits – linked to the CVE-2017-0143 and CVE-2017-0146 Microsoft vulnerabilities – have been “rewritten and stabilised” to affect operating systems from Windows 2000 up to and including Server 2016 edition, Heimdal Security warns.

    “Instead of going for injecting a shellcode into a target system and taking control over it, attackers will try to overwrite the SMB connection session structures to gain admin rights over the system,” Heimdal said.

    “After that, the exploit module will drop to disk (or use a PowerShell command), explains zerosum0x0, and then copy directly to the hard drive.”

    Reply
  6. Tomi Engdahl says:

    New porn laws will mean Pornhub asks for your name and address before browsing
    http://metro.co.uk/2018/01/31/new-porn-laws-will-mean-pornhub-asks-name-address-wnking-begins-7275023/

    Hand relief, beating your meat, bashing the bishop – whatever you call it, new laws coming into force in April will change the way Britain w*nks forever.

    Porn giant Mindgeek – owner of popular online fleshpots Pornhub, RedTube, YouPorn and Brazzers – will now collect names, mobile phone number, addresses and dates and place of birth before users log in.

    You’ll have to create a username and password to use Pornhub from April onwards.

    The AgeID system has caused alarm among privacy campaigners – who say it has the potential for Ashley Madison-style leaks.

    ‘Once you’ve got a MindGeek login, you’re going to be giving them your entire web browsing history, because they’re going to be able to track every time you log in to anything.’

    A MindGeek spokesman said, ‘AgeID has been built from the ground up with data protection, data minimisation and the principles of privacy by design at its core, while also complying with the GDPR.

    ‘This is why we where do not store any personal data entered during the age-verification process.”

    The data is passed to a government-approved service to confirm that the user is aged 18+ – then users can then use their AgeID account to bypass checks.

    Sites which fail to ID users can be fined up to £250,000, and the government can ask payment services to withdraw their support.

    But critics have suggested that the rules have been rushed – and that systems such as AgeID could be open to Ashley Madison-style leaks of user data.

    Reply
  7. Tomi Engdahl says:

    Naked online: cyberthreats facing users of adult websites and applications
    January 31, 2018
    https://www.kaspersky.com/blog/porn-themed-threats-report/20891/

    Threats to desktop users:

    Kaspersky Lab identified at least 27 variations of PC malware, belonging to three infamous families, which specifically hunt for credentials to paid-for porn websites.
    In 2017, these malicious families were seen more than 300,000 times, attempting to attack more than 50,000 PCs across the world.

    Threats to mobile users:

    In 2017, at least 1.2 million users encountered malware with adult content at least once. That is 25.4% of all users who encountered any type of Android malware.
    Mobile malware is making extensive use of porn to attract users: Kaspersky Lab researchers identified 23 families of mobile malware that use porn content to hide their real functionality.
    Malicious clickers, rooting malware, and banking Trojans are the types of malware that are most often found inside porn apps for Android.

    Reply
  8. Tomi Engdahl says:

    Firefox 59 Will Stop Websites Snooping on Where You’ve Just Been
    https://news.slashdot.org/story/18/02/02/156222/firefox-59-will-stop-websites-snooping-on-where-youve-just-been?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Firefox 59 will reduce how much information websites pass on about visitors in an attempt to improve privacy for users of its private browsing mode. From a report:
    When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called “referrer value.” While this helps websites understand where visitors are coming from, it can also leak data about the individual browsing,

    Firefox 59 will stop websites snooping on where you’ve just been
    http://www.zdnet.com/article/firefox-59-will-stop-websites-snooping-on-where-youve-just-been/

    From the next version of Firefox onward, private browsing mode will cut back details websites can share about the last site visited.

    Reply
  9. Tomi Engdahl says:

    Smart sex toy fails penetration test
    Yep, it’s yet another dildon’t
    https://www.theregister.co.uk/2018/02/02/adult_fun_toy_security_fail/

    Security researchers have found multiple vulnerabilities in smart sex toys that create the potential for all sorts of mischief by hackers.

    The Vibratissimo Panty Buster and its associated services from German company Amor Gummiwaren were riddled with flaws that create all manner of privacy risks, the researchers said.

    A database containing all the customer data (explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, etc) was openly accessible on the internet. Enumeration of users’ explicit images was possible because of predictable numbers and missing authorisation checks.

    SEC Consult has confirmed with The Reg that the database is not accessible any more.

    Reply
  10. Tomi Engdahl says:

    Mining Smominru botnet used NSA exploit to infect more than 526,000 systems
    http://securityaffairs.co/wordpress/68494/malware/smominru-botnet.html

    Researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ that is using the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities.
    The number of cyber attacks against the cryptocurrency sector continues, vxers are focusing their efforts on the development of cryptocurrency/miner malware.

    Recently security experts observed cryptocurrency miners leveraging the NSA EternalBlue SMB exploit (CVE-2017-0144) as spreading mechanism.

    Reply
  11. Tomi Engdahl says:

    Security Advisory for Flash Player | APSA18-01
    https://helpx.adobe.com/security/products/flash-player/apsa18-01.html

    A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

    Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.

    Adobe will address this vulnerability in a release planned for the week of February 5.

    Reply
  12. Tomi Engdahl says:

    Does The U.S. Need a National Cybersecurity Safety Board?
    http://www.securityweek.com/does-us-need-national-cybersecurity-safety-board

    It is time, suggest two academics from Indiana University-Bloomington, for Congress to establish a National Cybersecurity Safety Board (NCSB) as an analogue of the National Transportation Safety Board (NTSB), to improve the level of cybersecurity in the U.S.

    The argument is that the NTSB helped to improve the safety of air travel while still stimulating growth and innovation in the industry. “Today,” they say in a paper published this week, “air travel is widely regarded as among the safest forms of mass transportation. Can the same feat be replicated in cyberspace?”

    The paper argues that there have been many propositions for strengthening U.S. cybersecurity, “from federally sponsored cyber risk insurance programs to allowing companies to have a freer hand to engage in proactive cybersecurity measures.”

    Reply
  13. Tomi Engdahl says:

    Japan Raids Hacked Crypto Exchange, Bitcoin Plunges Further
    http://www.securityweek.com/japan-raids-hacked-crypto-exchange-bitcoin-plunges-further

    Japanese authorities on Friday raided virtual currency exchange Coincheck, a week after the Tokyo-based firm lost $530 million in cryptocurrency to hackers.

    The raid comes as bitcoin dipped below $9,000 for the first time since November after India said Thursday it would take measures to prevent the use of cryptocurrencies.

    The search of Coincheck’s headquarters in Tokyo’s Shibuya district was carried out by the Financial Services Agency, which had already slapped the company with an administrative order following the hack.

    “We have launched an on-site inspection to ensure preservation of clients’ assets,” Finance Minister Taro Aso said at a briefing.

    Japanese officials have suggested Coincheck lacked proper security measures, making itself vulnerable to theft.

    Reply
  14. Tomi Engdahl says:

    Crypto-Mining Botnet Ensnares 500,000 Windows Machines
    http://www.securityweek.com/crypto-mining-botnet-ensnares-500000-windows-machines

    Focused on mining Monero crypto-currency, a new botnet has managed to ensnare over half a million machines to date, Proofpoint reports.

    Dubbed Smominru, the botnet managed to infect over 526,000 Windows hosts to date, most of which are believed to be servers. After conducting a sinkholing operation, the security researchers discovered that the infected machines are distributed worldwide, with the highest numbers in Russia, India, and Taiwan.

    The Monero miner, which is also known as Ismo, has been observed since the end of May 2017 spreading via EternalBlue, the National Security Agency-linked exploit that targets a vulnerability (CVE-2017-0144) in Windows’ Server Message Block (SMB) on port 445. The exploit was previously used in other global attacks, including WannaCry and NotPetya.

    Reply
  15. Tomi Engdahl says:

    Web Server Used in 100 ICS Products Affected by Critical Flaw
    http://www.securityweek.com/web-server-used-100-ics-products-affected-critical-flaw

    A critical vulnerability that could allow a remote attacker to execute arbitrary code has been found in a component used by more than 100 industrial control systems (ICS) from tens of vendors.

    The flaw affects the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, which allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.

    According to the CODESYS website, the WebVisu product is used in 116 PLCs and HMIs from roughly 50 vendors, including Schneider Electric, WAGO, Hitachi, Advantech, Beck IPC, Berghof Automation, Hans Turck, and NEXCOM.

    Zhu WenZhe of Istury IOT discovered that the CODESYS web server is affected by a stack-based buffer overflow vulnerability that could allow an attacker to cause a denial-of-service (DoS) condition and possibly even execute arbitrary code on the web server.

    “A crafted web server request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of service condition due to a crash in the web server,”

    The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8. CODESYS v2.3 web servers running on any version of Windows (including Windows Embedded Compact) as stand-alone or part of the CODESYS runtime system prior to version 1.1.9.19 are affected.

    the company has advised organizations to ensure that access to controllers is restricted through minimization of network exposure, and the use of firewalls and VPNs.

    Vulnerabilities in CODESYS components are not uncommon.

    Reply
  16. Tomi Engdahl says:

    Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded
    http://securityaffairs.co/wordpress/68452/cyber-crime/crooks-stealing-cybercriminals-ransomware-victims.html

    What do you get when you add Bitcoin, with a TOR network proxy and cybercriminals? Even more cybercrime!
    Bitcoin is the preferred cryptocurrency for ransomware payments. Like most cryptocurrencies it is largely anonymous, allowing the ransoming cybercriminals to collect their money while staying safely in the shadows.

    Payment websites are hosted on the Tor network where victims login, purchase Bitcoin and deposit them into the wallet of the bad actors. Sounds convenient, unless there is another bad actor in the middle.

    Reply
  17. Tomi Engdahl says:

    DDG, the second largest mining botnet targets Redis and OrientDB servers
    http://securityaffairs.co/wordpress/68555/malware/ddg-botnet.html

    Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet of ever, that targets Redis and OrientDB servers.
    A new Monero-mining botnet dubbed DDG was spotted in the wild, the malware targets Redis and OrientDB servers.

    According to the researchers at Qihoo 360’s Netlab, the DDG botnet was first detected in 2016 and is continuously updated throughout 2017.

    The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017, DDG is among the largest mining botnets.

    Reply
  18. Tomi Engdahl says:

    Crypto-mining Botnet Targets Android Devices
    http://www.securityweek.com/crypto-mining-botnet-targets-android-devices

    A new crypto-mining botnet has been growing and targeting Android devices with an open ADB port, Qihoo 360′s NetLab researchers reveal.

    The attacks started last week, targeting port 5555, which is the working port for the adb debug interface on Android devices. While this port should be normally closed on all devices, sometimes it could remain open, thus allowing devices to be compromised.

    Courtesy of scanning code borrowed from the infamous Mirai botnet – which targets Internet of Things (IoT) devices – the new threat can spread as a worm, NetLab reports. Each of the infected bots would continue to scan for open 5555 adb ports to spread further.

    This is the first time the Mirai code has been reused to target Android devices, the researchers point out.

    The infection appears to have started on January 21, 2018, and the researchers say that the number of attacks has increased recently.

    As of February 4, between 2,700 and 5,500 devices had been affected by the botnet, with most of them located in China (40%) and South Korea (31%) – based on the scanning IP addresses targeted devices include smartphones and smart TVs (TV set-top boxes), the security researchers say.

    It appears that the botnet isn’t targeting vulnerabilities affecting only specific devices, mainly because models from a broad range of manufacturers have been already impacted.

    Reply
  19. Tomi Engdahl says:

    Gold Dragon Implant Linked to Pyeongchang Olympics Attacks
    http://www.securityweek.com/gold-dragon-implant-linked-pyeongchang-olympics-attacks

    McAfee has discovered an implant that they believe was used as a second-state payload in the recent fileless attacks targeting organizations involved with the upcoming Olympics Games in Pyeongchang, South Korea.

    In early January, McAfee’s security researchers warned that hackers had already began targeting the Pyeongchang Olympic Games with malware-infected emails. The first such attacks reportedly took place on December 22, with the sender’s address spoofed to appear as if the messages came from the South Korea’s National Counter-Terrorism Center.

    The hackers were using a PowerShell implant to establish a channel to the attacker’s server and gather basic system-level data, but McAfee couldn’t immediately determine what the attackers did after gaining initial access to a victim’s system.

    Gold Dragon is not a full-fledged spyware, as it only has limited reconnaissance and data-gathering functionality. The malware, which had its first variant in the wild in South Korea in July 2017, features elements, code, and behavior similar to Ghost419 and Brave Prince, implants that McAfee has been tracking since May 2017.

    The malware can check the system for processes related to antivirus products and cleaner applications, which it can then terminate to evade detection. Furthermore, it supports the download and execution of additional components retrieved from the command and control (C&C) server.

    “From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed,” McAfee reveals.

    Reply
  20. Tomi Engdahl says:

    Grammarly Rushes to Patch Flaw Exposing User Data
    http://www.securityweek.com/grammarly-rushes-patch-flaw-exposing-user-data

    Google Project Zero researcher Tavis Ormandy discovered a vulnerability in the online grammar checker Grammarly that could have been exploited by malicious websites to access user data. The app’s developers quickly patched the flaw after learning of its existence.

    Ormandy found that the Grammarly browser extension, which has roughly 20 million users on Chrome and 645,000 on Firefox, exposed authentication tokens to third-party websites.

    An attacker could have obtained authentication tokens and used them to access the target’s Grammarly.com account simply by getting them to visit a specially crafted website. This was a serious flaw considering that some Grammarly accounts could contain highly sensitive information.

    “I’m calling this a high severity bug, because it seems like a pretty severe violation of user expectations,” Ormandy said in an advisory. “Users would not expect that visiting a website gives it permission to access documents or data they’ve typed into other websites.”

    Reply
  21. Tomi Engdahl says:

    Multiple Flaws Patched in WD MyCloud Device Firmware
    http://www.securityweek.com/multiple-flaws-patched-wd-mycloud-device-firmware

    Vulnerabilities that could allow unauthorized file deletion, unauthorized command execution and authentication bypass impacted WD (Western Digital) MyCloud devices, Trustwave reports.

    The vulnerabilities were discovered in the MyCloud personal storage device and were reported to Western Digital last year. The company has already released a firmware update to address them.

    All of the issue were found by Trustwave security researcher Martin Rakhmanov in the nas_sharing.cgi binary.

    Reply
  22. Tomi Engdahl says:

    Flash Zero-Day Attacks Analyzed by FireEye, Cisco
    http://www.securityweek.com/flash-zero-day-attacks-analyzed-fireeye-cisco

    FireEye and Cisco have analyzed the attacks involving a recently disclosed Flash Player zero-day vulnerability and linked them to a group known for targeting South Korean entities.

    South Korea’s Internet & Security Agency (KISA) warned last week of a zero-day flaw in Flash Player. Some local security experts said the vulnerability had been exploited by North Korean hackers since mid-November 2017 in attacks aimed at individuals in South Korea.

    Adobe has confirmed the existence of the flaw, which affects Flash Player 28.0.0.137 and earlier, and it plans on patching it sometime this week. The security hole, tracked as CVE-2018-4878, is a use-after-free issue that can allow a remote attacker to execute arbitrary code.

    FireEye has launched an investigation following the alert from KISA and linked the attack to a group it tracks as TEMP.Reaper.

    “Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People’s Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors,” FireEye said.

    Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations
    https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html

    On Jan. 31, KISA (KrCERT) published an advisory about an Adobe Flash zero-day vulnerability (CVE-2018-4878) being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash Player 28.0.0.137 and earlier versions, and that successful exploitation could potentially allow an attacker to take control of the affected system.

    FireEye began investigating the vulnerability following the release of the initial advisory from KISA.

    Analysis of the exploit chain is ongoing, but available information points to the Flash zero-day being distributed in a malicious document or spreadsheet with an embedded SWF file. Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third party websites hosted in South Korea. Preliminary analysis indicates that the vulnerability was likely used to distribute the previously observed DOGCALL malware to South Korean victims.

    Reply
  23. Tomi Engdahl says:

    Leaked memo suggest NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users
    http://securityaffairs.co/wordpress/68684/digital-id/nsa-memo-anonymizing-systems.html

    US Army and NSA are able to unmask Tor, I2P, VPNs users and they are working to track Monero, this is the truth revealed by a photo alleged leaked by US Army.
    The image revealed a joint project to track anonymous cryptocurrencies conducted by US Army’s Cyber Protection Team (CPT) from the Cyber Protection Brigade and NSA.
    The photo of the memo is dated August 21, 2017, and was posted in the biz section of 4chan.

    Reply
  24. Tomi Engdahl says:

    Hacking Amazon Key – Hacker shows how to access a locked door after the delivery
    http://securityaffairs.co/wordpress/68697/hacking/hacking-amazon-key-dropbox.html

    Other problems for the Amazon Key technology, a hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.

    Reply
  25. Tomi Engdahl says:

    Abusing X.509 Digital Certificates to establish a covert data exchange channel
    http://securityaffairs.co/wordpress/68745/hacking/x-509-digital-certificates-abuse.html

    Last year, during the Bsides conference in July 2017, the security researcher at Fidelis Cybersecurity Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates, now the same expert published the proof-of-concept code.

    The covert channel devised by Reaves uses fields in X.509 extensions to carry data, it could be exploited by an attacker to exfiltrate data from a target organization without being detected.

    “The research demonstrates that a sufficiently motivated attacker can utilize technologies outside of their intended purposes to not only accomplish their goals but also end up bypassing common security measures in the process.” reads the paper published by the expert.

    https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities

    Reply
  26. Tomi Engdahl says:

    PSD2: ‘screen scraping’ ban confirmed in finalised standards
    https://www.out-law.com/en/articles/2017/november/psd2-screen-scraping-ban-confirmed-in-finalised-standards/

    Financial technology (fintech) will be banned from using software to ‘scrape’ data held by banks to provide services to their customers under new regulatory technical standards (RTS) in Europe.28 Nov 2017

    Although ‘screen scraping’ will be barred from the date that the newly finalised RTS on strong customer authentication and common and secure open standards of communications (31-page / 530KB PDF) take effect, the RTS set out new, formal, requirements on banks and other account servicing payment service providers (ASPSPs) over how they must enable third parties to access the payment accounts data they hold.

    “It is no surprise that the Commission has confirmed the ban on screen scraping,”

    The ban is likely to be effective from a date in late September 2019, according to a timetable explained by the European Commission.

    PSD2 will take effect in national laws across the EU by 13 January 2018. A

    The Commission said: “All communication interfaces, whether dedicated or not, will be subject to a three-month ‘prototype’ test and a three-month ‘live’ test in market conditions. The test will allow market players to assess the quality of the interfaces put in place by account servicing payment service providers, including banks.

    Reply
  27. Tomi Engdahl says:

    Bangladesh to File U.S. Suit Over Central Bank Heist
    http://www.securityweek.com/bangladesh-file-us-suit-over-central-bank-heist

    Bangladesh’s central bank will file a lawsuit in New York against a Philippine bank over the world’s largest cyber heist, the finance minister said Wednesday.

    Unidentified hackers stole $81 million in February 2016 from the Bangladesh central bank’s account with the US Federal Reserve in New York.

    The money was transferred to a Manila branch of the Rizal Commercial Banking Corp (RCBC), then quickly withdrawn and laundered through local casinos.

    With only a small amount of the stolen money recovered and frustration growing in Dhaka, Bangladesh’s Finance Minister A.M.A Muhith said last year he wanted to “wipe out” RCBC.

    On Wednesday he said Bangladesh Bank lawyers were discussing the case in New York and may file a joint lawsuit against the RCBC with the US Federal Reserve.

    “It will be (filed) in New York. Fed may be a party,” he told reporters in Dhaka.

    Reply
  28. Tomi Engdahl says:

    Cryptocurrency Mining Malware Hits Monitoring Systems at European Water Utility
    http://www.securityweek.com/cryptocurrency-mining-malware-hits-monitoring-systems-european-water-utility

    Malware Chewed Up CPU of HMI at Wastewater Facility

    Cryptocurrency mining malware worked its way onto four servers connected to an operational technology (OT) network at a wastewater facility in Europe, industrial cybersecurity firm Radiflow told SecurityWeek Wednesday.

    Radiflow says the incident is the first documented cryptocurrency malware attack to hit an OT network of a critical infrastructure operator.

    The servers were running Windows XP and CIMPLICITY SCADA software from GE Digital.

    “In this case the [infected] server was a Human Machine Interface (HMI),” Yehonatan Kfir, CTO at Radiflow, told SecurityWeek. “The main problem,” Kfir continued “is that this kind of malware in an OT network slows down the HMIs. Those servers are responsible for monitoring physical processes.”

    Radiflow wasn’t able to name the exact family of malware it found, but said the threat was designed to mine Monero cryptocurrency and was discovered as part of routine monitoring of the OT network of the water utility customer.

    “A cryptocurrency malware attack increases device CPU and network bandwidth consumption, causing the response times of tools used to monitor physical changes on an OT network, such as HMI and SCADA servers, to be severely impaired,” the company explained. “This, in turn, reduces the control a critical infrastructure operator has over its operations and slows down its response times to operational problems.”

    Reply
  29. Tomi Engdahl says:

    Automation Software Flaws Expose Gas Stations to Hacker Attacks
    http://www.securityweek.com/automation-software-flaws-expose-gas-stations-hacker-attacks

    Gas stations worldwide are exposed to remote hacker attacks due to several vulnerabilities affecting the automation software they use, researchers at Kaspersky Lab reported on Wednesday.

    The vulnerable product is SiteOmat from Orpak, which is advertised by the vendor as the “heart of the fuel station.” The software, designed to run on embedded Linux machines or a standard PC, provides “complete and secure site automation, managing the dispensers, payment terminals, forecourt devices and fuel tanks to fully control and record any transaction.”

    Reply
  30. Tomi Engdahl says:

    Cisco Aware of Attacks Exploiting Critical Firewall Flaw
    http://www.securityweek.com/cisco-aware-attacks-exploiting-critical-firewall-flaw

    Cisco informed customers on Wednesday that it has become aware of malicious attacks attempting to exploit a recently patched vulnerability affecting the company’s Adaptive Security Appliance (ASA) software.

    No other information has been provided by the networking giant, but it’s worth noting that a proof-of-concept (PoC) exploit designed to cause a denial-of-service (DoS) condition on devices running ASA software was made public this week.

    Cato Networks reported finding roughly 120,000 potentially vulnerable Cisco devices connected to the Internet, with a vast majority located in the United States and Europe.

    The ASA software vulnerability, tracked as CVE-2018-0101, allows a remote and unauthenticated attacker to execute arbitrary code or cause a DoS condition.

    Reply
  31. Tomi Engdahl says:

    Bitcoin malware in health care system in Lahti Finland
    https://www.is.fi/taloussanomat/art-2000005558367.html

    Reply
  32. Tomi Engdahl says:

    CVE-2018-18078: systemd-tmpfiles root privilege escalation with fs.protected_hardlinks=0
    http://seclists.org/oss-sec/2018/q1/115

    == Summary ==

    Before version 237, the systemd-tmpfiles program will change the
    permissions and ownership of hard links. If the administrator disables
    the fs.protected_hardlinks sysctl, then an attacker can create hard
    links to sensitive files and subvert systemd-tmpfiles, particularly
    with “Z” type entries.

    Systemd as PID 1 with the default fs.protected_hardlinks=1 is safe.

    Reply
  33. Tomi Engdahl says:

    Adobe rolled out an emergency patch that fixed CVE-2018-4878 flaw exploited by North Korea
    http://securityaffairs.co/wordpress/68785/hacking/cve-2018-4878-adobe-flash.html

    Reply
  34. Tomi Engdahl says:

    Chinese police are using smart glasses to identify potential suspects
    https://techcrunch.com/2018/02/08/chinese-police-are-getting-smart-glasses/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    The smart specs look a lot like Google Glass, but they are used for identifying potential suspects. The device connects to a feed which taps into China’s state database to root out potential criminals using facial recognition. Officers can identify suspects in a crowd by snapping their photo and matching it to the database. Beyond a name, officers are also supplied with the person’s address, according to the BBC.

    The glasses have been deployed in Zhengzhou, the capital of central province Henan, where it has been used to surveil those traveling by plane and train, according to the Wall Street Journal.

    Reply
  35. Tomi Engdahl says:

    Swisscom Breach Hits 800,000 Customers
    http://www.securityweek.com/swisscom-breach-hits-800000-customers

    Swiss telecoms giant Swisscom on Wednesday said it had tightened security controls after suffering a data breach that affected roughly 800,000 of its customers.

    The company said unauthorized parties gained access to customer data by leveraging the access privileges of a sales partner. The attackers somehow obtained the partner’s credentials and used them to access contact information, including names, physical addresses, phone numbers, and dates of birth.

    Swisscom pointed out that it collects this type of data legally from customers when they enter a subscription agreement, and sales partners are given limited access to records for identification and contracting purposes.

    Reply
  36. Tomi Engdahl says:

    Malware is Pervasive Across Cloud Platforms: Report
    http://www.securityweek.com/malware-pervasive-across-cloud-platforms-report

    Leading Cloud Service Providers and Majority of AV Engines Failed to Detect New Ransomware Variant

    Cloud Access Security Brokers (CASBs) provide visibility into the cloud. Some CASBs provide malware protection. Some clouds provide malware protection. Bitglass analyzed the efficacy of cloud-only protection by scanning the files of its customers that had not implemented its own Advanced Threat Protection (actually Cylance).

    Bitglass scanned tens of millions of customer files and found (PDF) a remarkably high number of infections: 44% of organizations had at least one piece of malware in their cloud applications; and nearly one-in-three SaaS app instances contained at least one threat. Among the SaaS apps, 54.4% of OneDrive and 42.9% of Google Drive instances were infected. Dropbox and Box followed, both at 33%.

    https://pages.bitglass.com/rs/418-ZAL-815/images/Bitglass_Report-Malware_PI.pdf

    Reply
  37. Tomi Engdahl says:

    Philippine Bank Threatens Counter-Suit Over World’s Biggest Cyber-Heist
    http://www.securityweek.com/philippine-bank-threatens-counter-suit-over-worlds-biggest-cyber-heist

    The Philippine bank used by hackers to transfer money in the world’s biggest cyber heist warned of tit-for-tat legal action Thursday, after Bangladeshi officials said they would sue the lender.

    Unidentified hackers stole $81 million from the Bangladesh central bank’s account with the US Federal Reserve in New York two years ago, then transferred it to a Manila branch of the Rizal Commercial Banking Corp (RCBC).

    But RCBC maintained the February 2016 cyber-heist was an “inside job” and that the Philippine bank was being used as a scapegoat to hide the real culprits.

    Reply
  38. Tomi Engdahl says:

    Flaws Affecting Top-Selling Netgear Routers Disclosed
    http://www.securityweek.com/flaws-affecting-top-selling-netgear-routers-disclosed

    Security firm Trustwave has disclosed the details of several vulnerabilities affecting Netgear routers, including devices that are top-selling products on Amazon and Best Buy.

    The flaws were discovered by researchers in March 2017 and they were patched by Netgear in August, September and October.

    One of the high severity vulnerabilities has been described as a password recovery and file access issue affecting 17 Netgear routers and modem routers, including best-sellers such as R6400, R7000 (Nighthawk), R8000 (Nighthawk X6), and R7300DST (Nighthawk DST).

    Reply
  39. Tomi Engdahl says:

    Actor Targeting Middle East Shows Excellent OPSEC
    http://www.securityweek.com/actor-targeting-middle-east-shows-excellent-opsec

    An actor making extensive use of scripting languages in attacks on targets in the Middle East demonstrates excellent operational security (OPSEC), researchers from Talos say.

    As part of these targeted attacks allegedly confidential decoy documents supposedly written by the Jordanian publishing and research house Dar El-Jaleel were used, as well as VBScript, PowerShell, and VBA scripts that would dynamically load and execute functions retrieved from a command and control (C&C) server.

    The threat actor(s) was particularly careful to camouflage the infrastructure and used several reconnaissance scripts to check the validity of victim machines. The actor was observed blocking systems that didn’t meet their criteria, filtering connections based on their User-Agent strings, and hosting the infrastructure on CloudFlare.

    Reply
  40. Tomi Engdahl says:

    Secret Apple iOS source code LEAKED – why you need to update your iPhone right now
    https://www.thesun.co.uk/tech/5536291/ios-source-code-apple-iboot-github-leak-iphone/

    HACKERS have posted a secret iOS source code online in what’s been described as the “biggest leak in history” amid fears iPhones have been left vulnerable to hackers.

    Apple has admitted that the software code is an older version of iOS, which means that anyone who hasn’t updated their iPhone lately could be at risk – so it’s worth updating as soon as possible.

    A key piece of core Apple software called iBoot, which runs when turn on an iOS device, was shared by anonymous user “Zioshiba” on Github.

    Security researcher Jonathan Levin described the breach to Motherboard as the “biggest leak in history” and according to his own reverse engineering, it appears to be authentic.

    Key iPhone Source Code Gets Posted Online in ‘Biggest Leak in History’
    Source code for iBoot, one of the most critical iOS programs, was anonymously posted on GitHub.
    https://motherboard.vice.com/en_us/article/a34g9j/iphone-source-code-iboot-ios-leak

    Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve.

    The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In other words, it’s the program that loads iOS, the very first process that runs when you turn on your iPhone. It loads and verifies the kernel is properly signed by Apple and then executes it—it’s like the iPhone’s BIOS.

    The code says it’s for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11.

    Apple has traditionally been very reluctant to release code to the public, though it has made certain parts of iOS and MacOS open source in recent years.

    Reply
  41. Tomi Engdahl says:

    Apple ordered GitHub to remove iOS source code leak
    https://www.theverge.com/2018/2/8/16992626/apple-github-dmca-request-ios-iboot-source-code

    A portion of iOS’s source code was leaked online yesterday and quickly removed after Apple filed a takedown notice with GitHub, where the code was posted. The leak, which was first reported by Motherboard, was for an iOS process named “iBoot” that starts up the system when you first turn on your iPhone and ensures the code being run is valid and originates from Apple. It was posted to GitHub at this link, which is now down.

    Reply
  42. Tomi Engdahl says:

    Business Wire Hit by Ongoing DDoS Attack
    http://www.securityweek.com/business-wire-hit-ongoing-ddos-attack

    Newswire service Business Wire said Tuesday that it has been under a sustained Distributed Denial of Service (DDoS) attack for almost a week.

    The company said that since last Wednesday, January 31, the attack has been attempting to render the newswire service portal unavailable.

    Reply
  43. Tomi Engdahl says:

    Adobe Patches Flash Zero-Day Exploited by North Korean Hackers
    http://www.securityweek.com/adobe-patches-flash-zero-day-exploited-north-korean-hackers

    Adobe updated Flash Player on Tuesday to address a zero-day vulnerability exploited by what experts believe to be a North Korean hacker group in attacks aimed at individuals in South Korea.

    The existence of the vulnerability, tracked as CVE-2018-4878, came to light on January 31 when South Korea’s Internet & Security Agency (KISA) issued an alert. Cybersecurity experts based in the country said the flaw had been used by North Korean threat actors against South Koreans who focus on North Korea research.

    Adobe has promised to release a patch sometime this week and it has kept its promise. Flash Player version 28.0.0.161 should fix the vulnerability, which the company has described as a use-after-free bug that allows remote code execution.

    Reply
  44. Tomi Engdahl says:

    One Computer Can Knock Almost Any WordPress Site Offline
    http://www.securityweek.com/one-computer-can-knock-almost-any-wordpress-site-offline

    As if there aren’t enough ways to attack a WordPress site, an Israeli researcher has published details of how almost anyone can launch a denial of service (DoS) attack against almost any WordPress with just one computer. That, he suggests, is almost 30% of all websites on the internet.

    The attack uses the vulnerability associated with CVE-2018-6389. The CVE database, at the time of writing, has no details, marking it only as ‘reserved’ for future use. Details, however, can be found in a Barak Tawily blog post published Monday. It is an abuse of the WordPress load-scripts.php function, which exists to allow administrators/web designers to improve website performance by combining multiple JavaScript files into a single request at the server end.

    How to DoS 29% of the World Wide Websites – CVE-2018-6389
    https://baraktawily.blogspot.fi/2018/02/how-to-dos-29-of-world-wide-websites.html

    Reply
  45. Tomi Engdahl says:

    Boffins crack smartphone location tracking – even if you’ve turned off the GPS
    Permission? Who needs it?
    https://www.theregister.co.uk/2018/02/07/boffins_crack_location_tracking_even_if_youve_turned_off_the_gps/

    Religiously turning off location services may not save you from having your smartphone tracked: a group of IEEE researchers have demonstrated it’s possible to track mobes even when GPS and Wi-Fi are turned off.

    And, as a kicker: at least some of this data can be collected without permission, because smartphone makers don’t consider it sensitive.

    The researchers from Princeton University (student Arsalan Mosenia, IEEE members Xiaoliang Dai and Prateek Mittal, and IEEE fellow Niraj Jha) tracked smartmobes using a technique dubbed PinMe, which combined information from the phone and non-phone sources to work out where a user is.

    PinMe: Tracking a Smartphone User around the World
    https://arxiv.org/abs/1802.01468

    Reply
  46. Tomi Engdahl says:

    Russian nuclear scientists arrested for ‘Bitcoin mining plot’
    http://www.bbc.com/news/world-europe-43003740

    Russian security officers have arrested several scientists working at a top-secret Russian nuclear warhead facility for allegedly mining crypto-currencies.

    The suspects had tried to use one of Russia’s most powerful supercomputers to mine Bitcoins, media reports say.

    Reply
  47. Tomi Engdahl says:

    U.S. Secretly Negotiated With Russians to Buy Stolen NSA Documents — and the Russians Offered Trump-Related Material, Too
    https://theintercept.com/2018/02/09/donald-trump-russia-election-nsa/

    The United States intelligence community has been conducting a top-secret operation to recover stolen classified U.S. government documents from Russian operatives, according to sources familiar with the matter. The operation has also inadvertently yielded a cache of documents purporting to relate to Donald Trump and Russian meddling in the 2016 presidential election.

    Over the past year, American intelligence officials have opened a secret communications channel with the Russian operatives, who have been seeking to sell both Trump-related materials and documents stolen from the National Security Agency and obtained by Russian intelligence, according to people involved with the matter and other documentary evidence. The channel started developing in early 2017, when American and Russian intermediaries began meeting in Germany.

    The CIA declined to comment on the operation. The NSA did not immediately respond to a request for comment.

    When American intelligence officials initiated efforts to broker a communications channel in 2017, however, their primary objective was to recover stolen NSA documents, not to obtain material about Trump.

    At the time, the NSA was desperate to recover documents that intelligence officials believed Russia had obtained through a mysterious group known as the Shadow Brokers. The group stole highly secret NSA hacking tools and began releasing them on the internet in the summer of 2016. The Shadow Brokers theft of the hacking tools devastated morale at the NSA, putting its custom-built offensive cyber weapons out in the open. It was as if a bioweapons laboratory had lost some of its most deadly and dangerous viruses. U.S. officials wanted to identify which NSA documents the Shadow Brokers had stolen, so they could determine how badly the agency had been damaged by the theft.

    But once the communications channel opened, the Russians on the other side offered to sell documents related to Trump along with the stolen NSA documents.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*