Cyber security May 2018

This posting is here to collect security alert news in May 2018.

I post links to security vulnerability news in the comments of this article.


Security And Privacy

269 Comments

  1. Tomi Engdahl says:

    Mexico: Cybercriminals steal at least 400 million pesos through unauthorized transfers
    https://www.welivesecurity.com/2018/05/24/mexico-cybercriminals-steal-400-million/

    While the exact amount of stolen money and source of the cybercriminals are not known, the authorities have confirmed that no clients were affected.

    Cybercriminals infiltrated the Mexican financial system for several days at the end of April and stole nearly 400 million Mexican pesos (almost $20 million) from concentration accounts but not from private clients.

    It was not known for certain what financial institutions had been affected but reports suggest that at least five banks had recorded large withdrawals of money through unauthorized transfers to bogus accounts, the Bank of Mexico told Bloomberg.

  2. Tomi Engdahl says:

    Activists Urge Amazon to Drop Facial Recognition for Police
    https://www.securityweek.com/activists-urge-amazon-drop-facial-recognition-police

    More than 30 activist groups led by the American Civil Liberties Union urged Amazon Tuesday to stop providing facial recognition technology to law enforcement, warning that it could give authorities “dangerous surveillance powers.”

  3. Tomi Engdahl says:

    As EU Privacy Law Looms, Debate Swirls on Cybersecurity Impact
    https://www.securityweek.com/eu-privacy-law-looms-debate-swirls-cybersecurity-impact

    Days ahead of the implementation of a sweeping European privacy law, debate is swirling on whether the measure will have negative consequences for cybersecurity.

    The controversy is about the so-called internet address book or WHOIS directory, which up to now has been a public database identifying the owners of websites and domains.

    The database will become largely private under the forthcoming General Data Protection Regulation set to take effect May 25, since it contains protected personal information.

    US government officials and some cybersecurity professionals fear that without the ability to easily find hackers and other malicious actors through WHOIS, the new rules could lead to a surge in cybercrime, spam and fraud.

    Critics say the GDPR could take away an important tool used by law enforcement, security researchers, journalists and others.

  4. Tomi Engdahl says:

    Chinese Researchers Find Vulnerabilities in BMW Cars
    https://www.securityweek.com/chinese-researchers-find-vulnerabilities-bmw-cars

    Researchers from Keen Security Lab, a cybersecurity research unit of Chinese company Tencent, have conducted an in-depth analysis of various systems present in BMW cars and discovered more than a dozen locally and remotely exploitable vulnerabilities.

  5. Tomi Engdahl says:

    Botnets Target Zero-Days in GPON Routers
    https://www.securityweek.com/botnets-target-zero-days-gpon-routers

    Two unpatched vulnerabilities in Dasan’s Gigabit-capable Passive Optical Network (GPON) routers are being exploited by Internet of Things (IoT) botnets, security researchers warn.

    Tracked as CVE-2018-10561 and CVE-2018-10562, the two vulnerabilities were publicly disclosed in early May and impact hundreds of thousands of devices. The flaws can be exploited remotely, providing an attacker with full control of the impacted devices.

  6. Tomi Engdahl says:

    FBI Inflated Numbers on Unhackable Devices
    https://www.securityweek.com/fbi-inflated-numbers-unhackable-devices

    The FBI claimed it was unable to analyze roughly 7,700 devices last year due to strong encryption, but the actual number is likely much lower and the agency has admitted its mistake.

    Over the past years, the FBI and some U.S. lawmakers have been pushing technology companies to find ways to provide law enforcement access to encrypted communications and information. However, tech firms and experts have warned that implementing backdoors could pose a serious risk and it would undermine the purpose of encryption.

    Over the past months, FBI Director Christopher Wray repeatedly claimed that the agency had been unable to access data from nearly 7,800 devices in the previous fiscal year due to encryption. However, it has now come to light that the actual number of devices is only between 1,000 and 2,000, The Washington Post reported.

  7. Tomi Engdahl says:

    Cloudflare Improves DDoS Mitigation Tool
    https://www.securityweek.com/cloudflare-improves-ddos-mitigation-tool

    Cloudflare announced a series of improvements to its Rate Limiting distributed denial of service (DDoS) protection tool this week.

    Over the past six months, the company has observed an uptick in application (Layer 7) based DDoS attacks and also noticed that the assaults aren’t using huge payloads (volumetric attacks), but rely on a high number of requests per second to exhaust server resources (CPU, Disk and Memory). Attacks with over 1 million requests per second are a common thing, Cloudflare says.

    Launched by the web infrastructure company a year ago, the Rate Limiting feature helps customers protect their web applications and APIs from various attacks, including DDoS, credential stuffing and content scraping.

  8. Tomi Engdahl says:

    You know that silly fear about Alexa recording everything and leaking it online? It just happened
    US pair’s private chat sent to coworker by AI bug
    https://www.theregister.co.uk/2018/05/24/alexa_recording_couple/

    It’s time to break out your “Alexa, I Told You So” banners – because a Portland, Oregon, couple received a phone call from one of the husband’s employees earlier this month, telling them she had just received a recording of them talking privately in their home.

    “Unplug your Alexa devices right now,” the staffer told the couple, who did not wish to be fully identified, “you’re being hacked.”

    At first the couple thought it might be a hoax call. However, the employee – over a hundred miles away in Seattle – confirmed the leak by revealing the pair had just been talking about their hardwood floors.

  9. Tomi Engdahl says:

    EU considers baking new norms of cyber-war into security policies
    Plan to paint US, China and Russia as rogues gather steam
    https://www.theregister.co.uk/2018/05/22/global_commission_on_the_stability_for_cyberspace_in_eu_drafts/

    The European Parliament has been asked to adopt a new set of “norms” about online conflict.

    The norms were developed by the Global Commission on the Stability for Cyberspace (GCSC), a group backed and funded by the governments of The Netherlands, France and Singapore, together with Microsoft and The Internet Society, that works to safeguard the Internet. One of the ways the GCSC thinks it can achieve its mission is by defining rules of cyber-war and having as many nations as possible sign up to them.

  10. Tomi Engdahl says:

    Summoners of web tsunamis have moved to layer 7, says Cloudflare
    DDoS launchers increasingly target application processes instead of flooding networks
    https://www.theregister.co.uk/2018/05/22/layer_7_ddos_attacks_increasing/

    Attackers have noticed that the world is getting better at fending off massive distributed denial-of-service attacks, and are trying to overwhelm application processes instead.

    So says DDoS-deflector Cloudflare, which reckons it’s seen a spike in cyber-assaults trying to exhaust high-level server resources, such as per-process CPU time, disk space, and memory allocations, as opposed to overwhelming lower parts of the networking stack.

    As a result, the cloud provider’s security product manager Alex Cruz Farmer opined on Monday that OSI layer 7 attacks that usually appear at a rate of around 160 per day are now sprouting at rates of up to 1,000 a day.

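The two Cloudflare items above (comments 7 and 10) describe the mitigation only by name: application-layer floods are not large in bytes, just in requests per second, so the edge has to count requests per client and refuse the excess before the origin spends CPU. The following is an added illustration written for this page, not Cloudflare's Rate Limiting code: a per-key token bucket, with an injectable clock so the refill behaviour can be checked, and a sweep so an attacker rotating source addresses cannot grow the bucket table without bound. The rates, addresses and request counts are constructed.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// bucket is one client's token bucket: tokens left and when it was last refilled.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter enforces a per-key budget: each key may burst up to `burst` requests
// and is then throttled to `rate` requests per second. The key would typically
// be the client IP, or IP plus route for an API endpoint.
type Limiter struct {
	mu      sync.Mutex
	rate    float64
	burst   float64
	buckets map[string]*bucket
	now     func() time.Time // injectable clock so the behaviour is testable
}

func NewLimiter(rate, burst float64) *Limiter {
	return &Limiter{rate: rate, burst: burst, buckets: map[string]*bucket{}, now: time.Now}
}

// Allow reports whether one request for key fits the budget, consuming a token if so.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: t}
		l.buckets[key] = b
	}
	// Refill in proportion to elapsed time, never above the burst capacity.
	b.tokens += t.Sub(b.last).Seconds() * l.rate
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Sweep drops buckets idle for longer than idle and returns how many were dropped,
// so a flood from many source addresses cannot exhaust memory at the limiter itself.
func (l *Limiter) Sweep(idle time.Duration) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	dropped := 0
	for k, b := range l.buckets {
		if t.Sub(b.last) > idle {
			delete(l.buckets, k)
			dropped++
		}
	}
	return dropped
}

// Simulate fires n back-to-back requests for key and returns how many got through.
func Simulate(l *Limiter, key string, n int) int {
	allowed := 0
	for i := 0; i < n; i++ {
		if l.Allow(key) {
			allowed++
		}
	}
	return allowed
}

func main() {
	// Constructed scenario: 50 req/s with a burst of 100; one abusive client sends
	// 10,000 requests at once, one normal client sends a single request.
	l := NewLimiter(50, 100)
	fmt.Printf("attacker: %d of 10000 requests reached the origin\n", Simulate(l, "203.0.113.7", 10000))
	fmt.Printf("normal client allowed: %v\n", l.Allow("198.51.100.1"))
}
```

The budget is per key, so a flood from one address cannot starve other clients; the trade-off is that an attacker spreading the same request volume over many addresses stays under each bucket's limit, which is why edge products also key on request fingerprints rather than only on the source IP.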
  11. Tomi Engdahl says:

    Purism’s New Purekey OpenPGP Security Token, Windows 10 Now Includes OpenSSH, Vim 8.1 Released and More
    https://www.linuxjournal.com/content/purisms-new-purekey-openpgp-security-token-windows-10-now-includes-openssh-vim-81-released

    Purism, maker of the security-focused Librem laptops, announced yesterday it has partnered with Nitrokey to create Purekey, “Purism’s own OpenPGP security token designed to integrate with its hardware and software. Purekey embodies Purism’s mission to make security and cryptography accessible where its customers hold the keys to their own security.” You can purchase a Purekey by itself or as an add-on with a laptop order. According to Purism’s CSO Kyle Rankin, “By keeping your encryption keys on a Purekey instead of on a hard drive, your keys never leave the tamper-proof hardware. This not only makes your keys more secure from attackers, it makes using your keys on multiple devices more convenient.”

    The latest update of Windows 10 includes OpenSSH. ZDNet reports this has been in the works since 2015 due to user requests.

  12. Tomi Engdahl says:

    ‘Facebook takes data from my phone – but I don’t have an account!’
    Reg reader finds mobile apps can’t be cut or quieted
    https://www.theregister.co.uk/2018/05/22/facebook_data_leak_no_account/

  13. Tomi Engdahl says:

    Comcast Website Bug Leaks Xfinity Customer Data
    https://it.slashdot.org/story/18/05/22/0016234/comcast-website-bug-leaks-xfinity-customer-data?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    A bug in Comcast’s website used to activate Xfinity routers can return sensitive information on the company’s customers. The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password.

    Comcast website bug leaks Xfinity customer data
    https://www.zdnet.com/article/comcast-bug-leaks-xfinity-home-addresses-wireless-passwords/
    Exclusive: A bug in Comcast’s website leaks sensitive customer information.

  14. Tomi Engdahl says:

    F-Secure Unveils New Endpoint Detection & Response Solution
    https://www.securityweek.com/f-secure-unveils-new-endpoint-detection-response-solution

    Finland-based cybersecurity firm F-Secure on Thursday announced the launch of a new endpoint detection and response (EDR) solution that combines human expertise and artificial intelligence.

    The new offering, F-Secure Rapid Detection & Response, is designed to help organizations protect their IT systems against targeted attacks.

    The solution leverages lightweight endpoint sensors and AI-powered data analysis capabilities to monitor devices for malicious activity. Rapid Detection & Response creates a baseline for normal behavior and flags any unusual activity. Suspicious behavior is subjected to additional analysis to prevent false positives that could overwhelm security teams, F-Secure said.

  15. Tomi Engdahl says:

    Hackers Find New Method of Installing Backdoored Plugins on WordPress Sites
    https://www.bleepingcomputer.com/news/security/hackers-find-new-method-of-installing-backdoored-plugins-on-wordpress-sites/

    Hackers have come up with a never-before-seen method of installing backdoored plugins on websites running the open-source WordPress CMS, and this new technique relies on using weakly protected WordPress.com accounts and the Jetpack plugin.

    The technique is highly complex, and to compromise a site, a hacker must go through different steps, during which multiple things can prevent the attack from being successful.

    Hijacked WordPress.com Accounts Being Used To Infect Sites
    https://www.wordfence.com/blog/2018/05/wordpress-com-jetpack-infection/

  16. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    FBI and DOJ ask users to restart routers and NAS devices to disrupt VPNFilter malware and help identify infected devices, which Cisco estimates is 500K+ devices — Feds take aim at potent VPNFilter malware allegedly unleashed by Russia. — The FBI is advising users of consumer-grade routers …

    FBI tells router users to reboot now to kill malware infecting 500k devices
    Feds take aim at potent VPNFilter malware allegedly unleashed by Russia.
    https://arstechnica.com/information-technology/2018/05/fbi-tells-router-users-to-reboot-now-to-kill-malware-infecting-500k-devices/

  17. Tomi Engdahl says:

    Todd Spangler / Variety:
    Parisian authorities charged two French teens for allegedly hacking Vevo’s YouTube account last month and altering some music videos with pro-Palestine messages — Two 18-year-old French citizens have been arrested in Paris and charged with crimes related to the hack of Vevo’s YouTube accounts …

    Two French Teens Arrested in Connection With Vevo Hack That Defaced ‘Despacito,’ Other YouTube Music Videos
    http://variety.com/2018/digital/news/vevo-hack-despacito-videos-french-teenagers-arrest-1202822839/

    Two 18-year-old French citizens have been arrested in Paris and charged with crimes related to the hack of Vevo’s YouTube accounts last month that resulted in pro-Palestine messages being posted on several popular videos, according to prosecutors.

    Authorities allege the duo gained access to the YouTube account maintained by Vevo, to alter the content of multiple music videos, including Luis Fonsi’s “Despacito” — the most-viewed music video on YouTube in 2017, which recently surpassed 5 billion views. The hackers also targeted videos by Selena Gomez, Taylor Swift, Katy Perry, Chris Brown and Shakira, replacing their thumbnail images, video titles and descriptions. Vevo has since removed all changes the hackers made on its YouTube videos.

  18. Tomi Engdahl says:

    Reuters:
    In a final ruling, Egypt’s court orders regulators to block YouTube for one month over the 2012 “Innocence of Muslims” video that denigrates Prophet Mohammad

    Top Egypt court orders temporary YouTube ban over Prophet Mohammad video
    https://www.reuters.com/article/us-egypt-youtube/top-egypt-court-orders-temporary-youtube-ban-over-prophet-mohammad-video-idUSKCN1IR0FD

    Egypt’s top administrative court ruled on Saturday that regulators must block the video file-sharing site YouTube for one month over a video that denigrates the Prophet Mohammad, a lawyer who filed the case told Reuters.

    A lower administrative court had ordered that the Ministry of Communications and Information Technology block YouTube, owned by Google, in 2013 over the video, but the case was appealed and its ruling stayed during the appeal process.

  19. Tomi Engdahl says:

    Josiah Wilmoth / CCN:
    Bitcoin fork Bitcoin Gold suffers 51% attack; attacker with more than half of network’s hash rate double spent BTG coins on exchanges and may have stolen $18M

    Bitcoin Gold Responds to Recent Double Spend Attack
    https://www.ccn.com/bitcoin-gold-responds-to-recent-double-spend-attack/

    The development team behind Bitcoin Gold has released an update on last week’s 51 percent attack, which the attacker weaponized through a double spend attack to steal funds from cryptocurrency exchanges.

    Published on Thursday, the update confirmed that the attacker had gained majority control of the network’s hashrate and used that control to reorganize the blockchain and reverse transactions.

    In this case, the attacker made deposits at cryptocurrency exchanges, traded the coins for BTC or another coin, and then withdrew the funds. Next, the attacker used their dominant computing power to force the rest of the network to accept falsified blocks that reversed their initial deposits and caused these funds to vanish from exchange-controlled wallets.

    As CCN reported, an address associated with the attacker had sent itself more than 380,000 BTG in a series of transactions consistent with double spending behavior. It’s not clear how many of these transactions resulted in successful thefts from exchanges. In theory, the attacker could have made off with more than $18 million worth of funds, but only if every transaction resulted in a successful theft (again, the attacker’s rate of success has not been verified).

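The Bitcoin Gold item above describes the mechanics in prose: deposit, withdraw, then use majority hashrate to publish a longer chain in which the deposit never happened. The toy below, added for this page and unrelated to Bitcoin Gold's own code, plays that out on a miniature proof-of-work chain so the exchange's view can be inspected before and after the reorganization. Difficulty is fixed at two leading hex zeros, chain length stands in for accumulated work, and the transaction labels are constructed strings, not real BTG transactions; the attacker's hashrate advantage is modelled simply by letting the fork mine one block more than the honest chain.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Block is a toy proof-of-work block; Txs are constructed labels.
type Block struct {
	Prev  string
	Txs   []string
	Nonce uint64
}

// Hash commits to the previous block, the transactions and the nonce.
func (b Block) Hash() string {
	sum := sha256.Sum256([]byte(b.Prev + "|" + strings.Join(b.Txs, ",") + "|" + fmt.Sprint(b.Nonce)))
	return hex.EncodeToString(sum[:])
}

// Tip is the hash the next block must reference.
func Tip(chain []Block) string {
	if len(chain) == 0 {
		return "genesis"
	}
	return chain[len(chain)-1].Hash()
}

// Mine finds a nonce whose hash meets the toy target (two leading hex zeros).
func Mine(prev string, txs []string) Block {
	b := Block{Prev: prev, Txs: txs}
	for !strings.HasPrefix(b.Hash(), "00") {
		b.Nonce++
	}
	return b
}

// Append mines one block on top of chain, returning a fresh slice so forks never
// share a backing array with the chain they branched from.
func Append(chain []Block, txs []string) []Block {
	out := append([]Block{}, chain...)
	return append(out, Mine(Tip(out), txs))
}

// Valid checks linkage and proof of work for every block.
func Valid(chain []Block) bool {
	prev := "genesis"
	for _, b := range chain {
		h := b.Hash()
		if b.Prev != prev || !strings.HasPrefix(h, "00") {
			return false
		}
		prev = h
	}
	return true
}

// Confirmations is the depth of the block holding txid (1 = in the tip), 0 if absent.
func Confirmations(chain []Block, txid string) int {
	for i, b := range chain {
		for _, tx := range b.Txs {
			if tx == txid {
				return len(chain) - i
			}
		}
	}
	return 0
}

// Node follows the longest valid chain it has seen: the rule a majority miner abuses.
type Node struct{ Best []Block }

func (n *Node) Receive(chain []Block) bool {
	if !Valid(chain) || len(chain) <= len(n.Best) {
		return false
	}
	n.Best = chain
	return true
}

// DoubleSpend returns the deposit's confirmations as the exchange sees them,
// before and after the attacker's longer private fork is published.
func DoubleSpend() (before, after int) {
	const deposit = "attacker->exchange: 10000 BTG (deposit)"
	const conflict = "attacker->attacker: 10000 BTG (same coins, private fork)"
	shared := Append(Append(nil, nil), nil) // blocks everyone agrees on
	honest := Append(shared, []string{deposit})
	for i := 0; i < 5; i++ { // exchange waits for six confirmations, then pays out BTC
		honest = Append(honest, nil)
	}
	exchange := &Node{}
	exchange.Receive(honest)
	before = Confirmations(exchange.Best, deposit)
	fork := Append(shared, []string{conflict}) // mined privately from the shared tip
	for len(fork) <= len(honest) {
		fork = Append(fork, nil)
	}
	exchange.Receive(fork) // longer and valid, so the node switches to it
	after = Confirmations(exchange.Best, deposit)
	return before, after
}

func main() {
	before, after := DoubleSpend()
	fmt.Printf("deposit confirmations before reorg: %d, after reorg: %d\n", before, after)
}
```

The point the numbers make is that a confirmation count is only a probabilistic guarantee under the assumption that honest miners hold the majority of hashrate; once that assumption fails, six confirmations become zero in a single message, which is why exchanges raised confirmation requirements for BTG and why small proof-of-work chains with rentable hashrate are the usual victims.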
  20. Tomi Engdahl says:

    https://www.talouselama.fi/uutiset/bemareista-loytyi-14-haavoittuvuutta-autovalmistaja-palkitsi-loytajan/3fe7b058-78ec-3703-a59a-5131faae0dcc

    BMW cars found to contain more than a dozen flaws
    http://www.bbc.com/news/technology-44224794

    BMW’s car computer systems have been found to contain 14 separate flaws, according to a study by a Chinese cyber-security lab.

    They could, in theory, let hackers take at least partial control of affected vehicles while in use.

    The researchers identified ways to compromise the cars by plugging in infected USB sticks, as well as via contactless means including Bluetooth and the vehicles’ own 3G/4G data links.

    BMW is working on fixes.

    Its customers have been advised to keep an eye out for software updates and other counter-measures from the German company over the coming months.

  21. Tomi Engdahl says:

    Epyc fail? We can defeat AMD’s virtual machine encryption, say boffins
    Evil hypervisors can lift plaintext info out of ciphered memory, it is claimed
    http://www.theregister.co.uk/2018/05/25/amd_epyc_sev_vm_encryption_bypass/

  22. Tomi Engdahl says:

    Microsoft: Here’s why Windows Defender AV isn’t ranked higher in new antivirus tests
    https://www.zdnet.com/article/microsoft-heres-why-windows-defender-av-isnt-ranked-higher-in-new-antivirus-tests/

    Windows Defender trails third-party antivirus in tests, but Microsoft says you should still use it over other products.


    With improvements to Windows 10′s built-in Windows Defender antivirus, some users are questioning whether it’s worth paying for a third-party product from the likes of Symantec, McAfee or Kaspersky.

    But according to the latest results for Windows home and business use from German AV benchmarking firm AV-Test, Windows Defender is still trailing third-party AV, tying in seventh place with four other vendors.

  23. Tomi Engdahl says:

    Facebook refines 2FA setup, adds authenticator app support
    https://www.welivesecurity.com/2018/05/25/facebook-refines-2fa-setup/

    Do try this at home! If you haven’t taken advantage of the extra protection that two-factor authentication offers, now is a great time to do so. And you don’t even need to hand over your phone number.

    To authenticate logins, the social network now enables users to employ a third-party app such as Google Authenticator or Duo Security on both desktop and mobile. The company has also revamped its 2FA feature with a “streamlined setup flow that guides you through the process”.

    “Two-factor authentication is an industry best practice for providing additional account security and we just made it easier to set up,” wrote Dickens.

    Text messages are the most common second factor although, due to the vulnerability of text messages to a number of threats, security professionals have been advising against using SMS for verification for a long time. Facebook has been offering SMS-based 2FA for a while now and will continue to do so, but using other means such as a hardware device or an authenticator app is generally viewed as safer.

    There is no word on how many Facebook users actually use 2FA. On Google accounts, for example, the data are rather grim, as fewer than one in ten Google account holders utilize 2FA.

    To enable two-factor authentication on your Facebook profile, navigate to “Settings”, then to “Security and Login”, and then to the “Use two-factor authentication” section, where you can choose and set up your 2FA method of choice.

  24. Tomi Engdahl says:

    Z-Shave Attack Could Impact Over 100 Million IoT Devices
    https://www.bleepingcomputer.com/news/security/z-shave-attack-could-impact-over-100-million-iot-devices/

    The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices.

    The attack —codenamed Z-Shave— relies on tricking two smart devices that are pairing into thinking one of them does not support the newer Z-Wave S2 security features, forcing both to use the older S0 security standard.

    The problem, as security researchers from Pen Test Partners have explained this week, is that all S0 traffic is secured by default with an encryption key of “0000000000000000.”

    An attacker that can trick a smart device into pairing with another device, a PC, or a smartphone app via the older S0 standard, can later decrypt all traffic exchanged between the two because the decryption key is widely known.

    The Pen Test crew say they identified three methods that can be used to trick two devices into pairing via the old S0 instead of S2, even if both support the newer security standard.

    Z-Shave attack is pretty dangerous

    The Z-Shave attack is dangerous because devices paired via an older version of Z-Wave can become a point of entry for an attacker into a larger network, or can lead to the theft of personal property.

    Z-Wave maker plays down attack’s importance

    But in a blog post published on the same day Pen Test researchers published their work, Silicon Labs, the company behind the Z-Wave protocol, downplayed the issue. The main criticism of the Z-Shave attack was that an attacker had a very, very short time window to execute his attack.

    “You would need advanced equipment in proximity to the home during the short installation process,” a Silicon Labs spokesperson said.

    “When installing a new device there is a very small window of time (milliseconds) to force the S2 to S0 reversion,” he added. “The homeowner or professional installer will always be present during installation and is the only one who can initiate the inclusion process.”

    COMMENTS:
    “S2-to-S0 downgrade was considered an acceptable risk”

    Words of an idiot. Hardcoded key is NEVER acceptable risk. Also, who thought creating S0 security standard (or rather “S0-called security standard”) with such trivial hardcoded key is a good idea? And who wrote the word “security” in its name? It was a bad idea to start with.

    This article is total GARBAGE.

    THERE IS NO REQUIREMENT TO USE ALL ZEROS FOR THE KEY AND IT IS NOT HARD-CODED ALL ZEROS EITHER. While you COULD use all zeros you’re a bleeping IDIOT if you do. Anyone with more than 2 firing neurons generates a 16-byte RANDOM key when they do their original installation and they guard it like their sister’s you-know-what. The original pairing exchange IS potentially at-risk but the timing of that is under your control. It’s probably easier to *steal* one of the installed units and pull the key out of its NVRAM than to intercept it during pairing, given that it only happens *once* for a given unit in an installation *and* that exchange can be programmed to occur at very low power.

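The two positions quoted above (the article's "secured with an encryption key of 0000000000000000" versus the reader's "it is not hard-coded all zeros") are about different keys, and a model makes the distinction concrete. In S0 the installer's random network key is what protects traffic afterwards; the all-zero key is the temporary key under which that network key is sent to the new device during inclusion. The example below, written for this page and not Pen Test Partners' tooling or Silicon Labs' code, shows why an eavesdropper on an S0 inclusion ends up with everything: the Network Key Set frame is opened with the zero key, and the key it yields then decrypts any later frame. The key derivation (AES-ECB of constant 0xAA and 0x55 blocks), AES-OFB with the two 8-byte nonces as IV, and the 8-byte truncated CBC-MAC follow the S0 design as documented in open-source stacks and are assumptions here; the MAC is simplified to cover only the ciphertext, and the network key, nonces and "door lock" command are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"fmt"
)

// S0TempKey is the all-zero key S0 uses to transport the real network key during
// inclusion: the "0000000000000000" the article refers to.
var S0TempKey [16]byte

// Frame is a simplified S0 encapsulation: two 8-byte nonces forming the IV,
// AES-OFB ciphertext and an 8-byte truncated CBC-MAC.
type Frame struct {
	SenderNonce   [8]byte
	ReceiverNonce [8]byte
	Ciphertext    []byte
	MAC           [8]byte
}

// deriveKeys: S0 encryption/authentication keys are the network key's AES-ECB
// encryptions of the constant blocks 0xAA... and 0x55... (assumed S0 scheme).
func deriveKeys(networkKey [16]byte) (enc, auth [16]byte) {
	block, _ := aes.NewCipher(networkKey[:])
	var padEnc, padAuth [16]byte
	for i := range padEnc {
		padEnc[i], padAuth[i] = 0xAA, 0x55
	}
	block.Encrypt(enc[:], padEnc[:])
	block.Encrypt(auth[:], padAuth[:])
	return enc, auth
}

func frameIV(f Frame) (iv [16]byte) {
	copy(iv[:8], f.SenderNonce[:])
	copy(iv[8:], f.ReceiverNonce[:])
	return iv
}

// ofb: AES-OFB keystream (the IV encrypted repeatedly) XORed into data; same op both ways.
func ofb(key, iv [16]byte, data []byte) []byte {
	block, _ := aes.NewCipher(key[:])
	out := make([]byte, len(data))
	ks := iv
	for i := 0; i < len(data); i += 16 {
		block.Encrypt(ks[:], ks[:])
		for j := 0; j < 16 && i+j < len(data); j++ {
			out[i+j] = data[i+j] ^ ks[j]
		}
	}
	return out
}

// cbcMAC: AES-CBC-MAC seeded with the encrypted IV over zero-padded data, truncated to 8 bytes.
func cbcMAC(key, iv [16]byte, data []byte) (mac [8]byte) {
	block, _ := aes.NewCipher(key[:])
	state := iv
	block.Encrypt(state[:], state[:])
	for i := 0; i < len(data); i += 16 {
		for j := 0; j < 16 && i+j < len(data); j++ {
			state[j] ^= data[i+j]
		}
		block.Encrypt(state[:], state[:])
	}
	copy(mac[:], state[:8])
	return mac
}

// Encrypt builds a frame under key; the sender already holds both nonces.
func Encrypt(key [16]byte, sn, rn [8]byte, plaintext []byte) Frame {
	enc, auth := deriveKeys(key)
	f := Frame{SenderNonce: sn, ReceiverNonce: rn}
	f.Ciphertext = ofb(enc, frameIV(f), plaintext)
	f.MAC = cbcMAC(auth, frameIV(f), f.Ciphertext)
	return f
}

// Decrypt checks the MAC in constant time and returns the plaintext, or ok=false.
func Decrypt(key [16]byte, f Frame) ([]byte, bool) {
	enc, auth := deriveKeys(key)
	want := cbcMAC(auth, frameIV(f), f.Ciphertext)
	if !hmac.Equal(want[:], f.MAC[:]) {
		return nil, false
	}
	return ofb(enc, frameIV(f), f.Ciphertext), true
}

// Eavesdrop is the passive attacker: open the Network Key Set frame with the zero
// key, then use the recovered network key on any later frame.
func Eavesdrop(keySet, later Frame) (string, bool) {
	nk, ok := Decrypt(S0TempKey, keySet)
	if !ok || len(nk) != 16 {
		return "", false
	}
	var networkKey [16]byte
	copy(networkKey[:], nk)
	pt, ok := Decrypt(networkKey, later)
	return string(pt), ok
}

// Scenario replays a captured S0 inclusion followed by a captured command (constructed data).
func Scenario() (string, bool) {
	networkKey := [16]byte{0x7d, 0x2a, 0x91, 0x4c, 0x0e, 0xb3, 0x5f, 0x68, 0xc2, 0x17, 0xa9, 0x3d, 0x84, 0xf0, 0x26, 0x5b}
	keySet := Encrypt(S0TempKey, [8]byte{1, 2, 3, 4, 5, 6, 7, 8}, [8]byte{9, 10, 11, 12, 13, 14, 15, 16}, networkKey[:])
	cmd := Encrypt(networkKey, [8]byte{21, 22, 23, 24, 25, 26, 27, 28}, [8]byte{31, 32, 33, 34, 35, 36, 37, 38}, []byte("DOOR_LOCK_SET unlocked"))
	return Eavesdrop(keySet, cmd)
}

func main() {
	cmd, ok := Scenario()
	fmt.Printf("decrypted with key recovered from inclusion: %q (ok=%v)\n", cmd, ok)
}
```

So the reader is right that the long-term key is random, and the article is right that it does not matter if the inclusion was captured: the random key's confidentiality rests entirely on the zero-key frame. That is why the attack's whole value lies in forcing S0 during pairing, why Silicon Labs' defence is the size of that window, and why the reader's alternative, pulling the key from a stolen node's NVRAM, is another route to the same key rather than a reason the window is safe.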
  27. Tomi Engdahl says:

    Researchers Bypass AMD’s SEV Virtual Machine Encryption
    https://www.bleepingcomputer.com/news/security/researchers-bypass-amd-s-sev-virtual-machine-encryption/

    Four researchers from the Fraunhofer Institute for Applied and Integrated Safety in Munich, Germany have published a research paper this week detailing a method of recovering data that is normally encrypted by AMD’s Secure Encrypted Virtualization (SEV), a safety mechanism designed to encrypt the data of virtual machines running on servers with AMD CPUs.

    The research team says their attack, which they named SEVered, is capable of recovering plaintext memory data from guest VMs running on the same server as the VM that’s under attack.

    “By repeatedly sending requests for the same resource to the service while re-mapping the identified memory pages, we extract all the VM’s memory in plaintext,”

  28. Tomi Engdahl says:

    FontCode Technique Can Hide Secret Messages Inside Font Glyphs
    https://www.bleepingcomputer.com/news/technology/fontcode-technique-can-hide-secret-messages-inside-font-glyphs/

    Three researchers from Columbia University have created a technique named FontCode that can be used to embed hidden messages inside font glyphs (characters).

    The technique takes advantage of how computers work with font glyphs, which for them, are nothing more than mathematical equations used to draw lines and curves on a screen.

  29. Tomi Engdahl says:

    Oracle plans to dump risky Java serialization
    https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.html

    A “horrible mistake” from 1997, the Java object serialization capability for encoding objects has serious security issues

    Oracle plans to drop from Java its serialization feature that has been a thorn in the side when it comes to security. Also known as Java object serialization, the feature is used for encoding objects into streams of bytes. Used for lightweight persistence and communication via sockets or Java RMI, serialization also supports the reconstruction of an object graph from a stream.

    Removing serialization is a long-term goal and is part of Project Amber, which is focused on productivity-oriented Java language features, says Mark Reinhold, chief architect of the Java platform group at Oracle.

  30. Tomi Engdahl says:

    Hackers Behind ‘Triton’ Malware Attack Expand Targets
    https://www.securityweek.com/hackers-behind-triton-malware-attack-expand-targets

    The threat group responsible for the recently uncovered attack involving a piece of malware known as Triton, Trisis and HatMan is still active, targeting organizations worldwide and safety systems other than Schneider Electric’s Triconex.

    The actor, which industrial cybersecurity firm Dragos tracks as Xenotime, is believed to have been around since at least 2014, but its activities were only discovered in 2017 after it targeted a critical infrastructure organization in the Middle East.

    The attack that led to the cybersecurity industry uncovering Xenotime was reportedly aimed at an oil and gas plant in Saudi Arabia. It specifically targeted Schneider Electric’s Triconex safety instrumented systems (SIS) through a zero-day vulnerability.

  31. Tomi Engdahl says:

    Flaw in Schneider PLC Programming Tool Allows Remote Attacks
    https://www.securityweek.com/flaw-schneider-plc-programming-tool-allows-remote-attacks

    Schneider Electric this week announced that an update for its EcoStruxure Machine Expert product patches a high severity vulnerability that can be exploited remotely to obtain sensitive data.

    EcoStruxure Machine Expert – Basic, formerly known as SoMachine Basic, is a lightweight tool designed for programming Schneider’s Modicon M221 programmable logic controller (PLC).

    Gjoko Krstic, a researcher at industrial cybersecurity firm Applied Risk, discovered recently that SoMachine Basic 1.6.0 build 61653, 1.5.5 SP1 build 60148, and likely earlier versions are impacted by an XML external entity (XXE) vulnerability that can be exploited to launch an out-of-band (OOB) attack.

    Tracked as CVE-2018-7783, the vulnerability can be exploited by a remote and unauthenticated attacker to read arbitrary files on the targeted system. These files can include sensitive information, including passwords, user data, and details about the system.

  32. Tomi Engdahl says:

    UK Warns That Aggressive Cyberattack Could Trigger Kinetic Response
    https://www.securityweek.com/uk-warns-aggressive-cyberattack-could-trigger-kinetic-response

    UK Says it Doesn’t Need to Demonstrate Attribution Before Engaging Cyber Retaliation

    The scene was set last week when Air Marshal Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence) spoke at the Royal United Services Institute (RUSI). In his speech Collins talked about the growing use of non-kinetic (primarily cyber) warfare.

    “We can see numerous examples of this today,” he said: “unprecedented industrial espionage activity against the UK and Allies; private security contractors being used in high-end expeditionary warfare in Syria; cyber-attacks against national infrastructure and reputation across Europe; information operations that attempt to pervert political process and frustrate the rule of law; and attempted assassinations.”

    He warned that the nature of modern warfare is becoming broader, more strategic, and features “continuous full spectrum competition and confrontation.”

  33. Tomi Engdahl says:

    Europol Signs Cybersecurity Agreement With EU Agencies, WEF
    https://www.securityweek.com/europol-signs-cybersecurity-agreement-eu-agencies-wef

    Europol this week signed two memorandums of understanding related to cybersecurity cooperation – one with the World Economic Forum (WEF) and one with the European Union Agency for Network and Information Security (ENISA), the European Defence Agency (EDA), and the EU’s Computer Emergency Response Team (CERT-EU).

    The agreement focuses on cyber exercises, education and training, exchange of information, strategic and administrative matters, and technical cooperation. The MoU also allows cooperation in other areas that may turn out to be important for all four organizations.

    “EDA supports Member States in the development of their defence capabilities. As such, we also act as the military interface to EU policies,”

  34. Tomi Engdahl says:

    Is Cryptojacking Replacing Ransomware as the Next Big Threat?
    https://www.securityweek.com/cryptojacking-replacing-ransomware-next-big-threat

    Monitoring cyberthreats over time reveals interesting insights into the strategies used by cybercriminals and the evolution of the attack vectors they target. While the threat landscape continues to be quite diversified, trends do seem to run in predictable cycles. For example, over the last year or so ransomware has risen to become one of the most dominant threats plaguing organizations, especially in the market sectors of healthcare, finance, and education.

    As more and more cybercriminals have jumped on the bandwagon, ransomware as a service and dozens of variations targeting organizations across the globe have practically turned it into a commodity. As it has evolved it has leveraged new delivery channels such as social engineering, new techniques such as multi-stage attacks to evade detection and infect systems, and new methods of payment often involving fledgling cryptocurrencies.

    Reply
  35. Tomi Engdahl says:

    New Features Added to CERT Tapioca Tool
    https://www.securityweek.com/new-features-added-cert-tapioca-tool

    The CERT Coordination Center (CERT/CC) at Carnegie Mellon University this week announced the launch of a new version of the network traffic analysis tool CERT Tapioca.

    CERT Tapioca was first released in 2014 as a network-layer man-in-the-middle (MITM) proxy virtual machine designed for identifying apps that fail to validate certificates and investigating the content of HTTP and HTTPS traffic.

    CERT Tapioca has been used to identify Android applications that fail to properly validate SSL certificates and expose users to MITM attacks. More than one million apps have been checked and over 23,000 of them failed dynamic testing.

    The tool can be used to analyze network traffic not only on smartphones, but also on IoT devices, computers and VMs.

    CERT Tapioca for MITM network analysis
    https://github.com/CERTCC/tapioca

    Reply
  36. Tomi Engdahl says:

    Watch out for public USB charging stations

    Many airports and cafes already have USB ports that your phone can connect to for additional power. However, Nathan Fisk, Associate Professor of Cybersecurity at the University of Florida, warns that, along with power, this USB link may also carry malicious software.

    Fisk gives danger to “juice jacking,” which could turn it off even if it is a power strip. According to him, the hacker can control the hijacked smartphone without the owner having any information.

    Fortunately, protection is very easy. It’s enough for you to charge your phone only through an electrical plug. In addition, there are USB cables that carry power only. In such cables, the connector data pairs have been removed.

    Another way is to only charge the spare battery at the charging station. It does not have any data to capture.

    Source: http://www.etn.fi/index.php/13-news/8053-varo-julkisia-usb-latausasemia

    Reply
  37. Tomi Engdahl says:

    Daniel Miessler:
    An analysis of possible attack scenarios on smart speakers shows that fears of Amazon Echo devices being hacked to record owners’ conversations are overblown
    https://danielmiessler.com/blog/why-im-not-overly-concerned-about-smart-speaker-security/

    I’m Not (Overly) Concerned About Smart Speaker Security, And You Shouldn’t Be Either
    Why smart speaker attack scenarios are not worth worrying about

    Reply
  38. Tomi Engdahl says:

    FBI Attribution of ‘VPNFilter’ Attack Raises Questions
    https://www.securityweek.com/fbi-attribution-vpnfilter-attack-raises-questions

    Information shared by the FBI on the massive VPNFilter attack in which more than half a million devices have been compromised raises some interesting questions about the connection between Russia-linked hacker groups.

    The existence of VPNFilter was brought to light last week by Cisco Talos and several other cybersecurity firms. The botnet is powered by at least 500,000 hacked routers and network-attached storage (NAS) devices across 54 countries.

    The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

    Many of the hijacked devices are located in Ukraine and a separate command and control (C&C) infrastructure has been set up for devices in this country. Researchers also spotted code similarities to the BlackEnergy malware and pointed out that there are only a few weeks until Ukraine celebrates its Constitution Day, which last year coincided with the destructive NotPetya attack. All this has led experts to believe that VPNFilter may mean Russia is preparing for a new attack on Ukraine.

    Shortly after security firms published technical details on the attack, the U.S. Department of Justice announced that the FBI had seized toknowall.com, one of the C&C domains utilized by VPNFilter.

    Sandworm, also tracked by some security companies as TeleBots, is a threat actor known to use the BlackEnergy malware in attacks aimed at industrial systems and it’s believed to be responsible for the 2015 power outage in Ukraine. However, Sandworm was until now seen as a separate group from Sofacy.

    Industry professionals, however, have offered some possible explanations as to why the FBI may see Sofacy and Sandworm as the same group.

    “Sandworm is a similar team whose interests overlap with APT 28. We believe these actors are related and act accordingly,” Craig Williams, director of outreach with Cisco Talos, told SecurityWeek.

    Rebooting a router is typically enough to remove a piece of malware from the device. However, VPNFilter has some clever persistence mechanisms that help its stage 1 component survive a reboot.

    The VPNFilter malware has been observed targeting devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. All of these vendors have published advisories to warn their customers about the threat.

    Reply
  40. Tomi Engdahl says:

    Cyber crooks claim to hit two big Canadian banks
    https://www.reuters.com/article/us-bmo-attack/cyber-thieves-claim-to-hit-two-big-canadian-banks-idUSKCN1IT1PQ

    Bank of Montreal (BMO.TO) and Canadian Imperial Bank of Commerce (CM.TO) said on Monday that cyber attackers may have stolen the data of nearly 90,000 customers in what appeared to be the first significant assault on financial institutions in the country.

    Reply
  41. Tomi Engdahl says:

    Softbank’s ‘Pepper’ robot is a security joke
    Big-in-Japan ‘bot offers root access through hard-coded password and worse bugs too
    https://www.theregister.co.uk/2018/05/29/softbank_pepper_robot_multiple_basic_security_flaws/

    Softbank’s popular anthropomorphic robot, Pepper, has myriad security holes according to research published by Scandinavian researchers earlier this month.

    The ‘bot allows unauthenticated root-level access, runs a Meltdown/Spectre-vulnerable processor, can be administered over unencrypted HTTP and has a default root password.

    Reply
  42. Tomi Engdahl says:

    ISP popped router ports, saving customers the trouble of making themselves hackable
    SingTel then left them open for a while, because … well there’s no excuse is there?
    https://www.theregister.co.uk/2018/05/29/singtel_left_home_router_ports_open/

    Singaporean broadband users were left vulnerable to attackers after their ISP opened remote access ports on their modems and forgot to close them.

    The discovery was made by NewSky Security researcher Ankit Anubhav, who used Shodan to scan for SingTel routers open on port 10,000 – the default Network Data Management Protocol TCP/UDP port.

    Anubhav said the scan yielded 975 devices that had port 10,000 open with no protection, as a result of a fault-finding exercise gone wrong (that number is only those found on the scan).

    Anubhav said the root cause was that SingTel enabled port 10,000 to troubleshoot a problem with the SingTel-branded routers (the “Wi-Fi Gigabit Router” is supplied by Arcadyan).

    The carrier neglected to close the port once the issues were resolved, leaving the customers vulnerable.

    Reply
