Cyber security June 2018

This posting is here to collect security alert news in June 2018.

I post links to security vulnerability news to comments of this article.

282 Comments

  1. Tomi Engdahl says:

    APT28 Rollercoaster: The Lowdown on Hijacked LoJack
    https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/

    Recently, the ASERT team at Arbor Networks, published a report on an old version of the Absolute Software product, Absolute LoJack for laptops, being illicitly modified by suspected APT28 actors. The LoJack implant, previously known as Computrace and brought into the spotlight in 2014 at Black Hat USA because it was enabled on some brand new laptops, is an anti-theft technology used in modern laptops to allow remote tracing, data deletion, and system lockdown.

    Based on information from a number of reports, ASERT estimates with moderate confidence that the APT28 group, also known as Fancy Bear, has maliciously modified and deployed Absolute LoJack samples to support its own campaigns against government and defense-related contractors. As sophisticated implants often reveal non-trivial dynamic behaviors, we began an investigation process to analyze this threat in more detail.

    Reply
  2. Tomi Engdahl says:

    G Suite admins need to RTFM – thousands expose internal emails
    The manual is confusing, to be fair, but a third of users read it wrong and are dangling data
    https://www.theregister.co.uk/2018/06/04/g_suite_misconfiguration_leaks_data/

    If you’re sysadmin of an organisation using Google Groups and G Suite, you need to revisit your configuration to make sure you aren’t leaking internal information.

    That advice comes from Kenna Security, which on June 1 said it found 31 per cent of a sample of 9,600 organisations leaking sensitive e-mail information.

    The company explained while previous advisories about the issue (such as this from 2017) have explained how G Suite can leak, sysadmins appear not to be taking the matter seriously.

    The problem, Kenna said in its post, is that Google Groups, available to G Suite customers, has “complex terminology” and a clash between “organisation-wide vs group-specific permissions”. As a result, list admins can “inadvertently expose e-mail list contents” (which were meant to stay in-house).

    Reply
  3. Tomi Engdahl says:

    Zip Slip Vulnerability Affects Thousands of Projects Across Multiple Ecosystems
    https://www.bleepingcomputer.com/news/security/zip-slip-vulnerability-affects-thousands-of-projects-across-multiple-ecosystems/

    Security researchers have disclosed today details about a critical vulnerability impacting open source coding libraries that handle archived files.

    Discovered by the researchers from Snyk, the “Zip Slip” vulnerability is an issue in the way coders, plugins, and libraries have implemented the process of decompressing an archived file.

    Numerous archive formats, including tar, jar, war, cpio, apk, rar, and 7z, are affected, meaning this is more of a theoretical issue, rather than a specific coding bug.

    According to researchers, Zip Slip is a combination between an “arbitrary file overwrite” and “directory traversal” issues that can lead to situations where an attacker can unzip files outside the normal unzip path and overwrite sensitive files, such as critical OS libraries or server configuration files.

    Reply
  4. Tomi Engdahl says:

    MyHeritage Genealogy Site Announces Mega Breach Affecting 92 Million Accounts
    https://www.bleepingcomputer.com/news/security/myheritage-genealogy-site-announces-mega-breach-affecting-92-million-accounts/

    Family genealogy and DNA testing site MyHeritage announced on Monday a security breach during which an attacker made off with account details for over 92 million MyHeritage users.

    Reply
  5. Tomi Engdahl says:

    Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit
    Monday, June 04, 2018 Swati Khandelwal
    https://thehackernews.com/2018/06/drupalgeddon2-exploit.html

    Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security patches were released almost two months ago.

    Reply
  6. Tomi Engdahl says:

    IoT Botnets Found Using Default Credentials for C&C Server Databases
    Monday, June 04, 2018 Mohit Kumar
    https://thehackernews.com/2018/06/iot-botnet-password.html

    Not following cybersecurity best practices could not only cost online users but also cost cybercriminals. Yes, sometimes hackers don’t take best security measures to keep their infrastructure safe.

    An IoT botnet variant called Owari, which relies on default or weak credentials to hack insecure IoT devices, was itself found using default credentials on the MySQL server integrated with its command and control (C&C) server, allowing anyone to read/write its database.

    Reply
  7. Tomi Engdahl says:

    Companies urged to ensure supply chain security
    By Anthony Spadafora, 2018-06-05
    The supply chain remains the weakest link for a majority of organisations.
    https://www.itproportal.com/news/companies-urged-to-ensure-supply-chain-security/

    New research from Citrix has revealed that large businesses in the UK are overlooking the cybersecurity resilience of external providers within their supply chain network which could leave them vulnerable to an attack.

    The company’s recent poll surveyed 750 IT security decision makers in companies with 250 or more employees across the UK, to better understand their level of preparation for cyber-attacks. The research also explored whether businesses are conducting the necessary due diligence when assessing new suppliers.

    Reply
  8. Tomi Engdahl says:

    IS: System problems almost caused a blow to the judiciary in Finland in a high-profile case

    It’s a blow to the judiciary – the charges against Ilja Janitskin were not lifted
    Ilja Janitskin is accused, among other things, of incitement against an ethnic group and of a secrecy offence. However, the charges almost fell through because of information system failures.

    Legal security: A widespread communication disruption has hindered the functioning of the judiciary.
    Finnish state authorities suffered from a widespread network disruption last week. One of the worst affected was the judiciary, where the fault had, among other things, affected prosecutions. In the case of Ilja Janitskin, founder of the MV newspaper, the charges against him were almost left unresolved because of the fault.

    The State Information and Communications Technology Center Valtori admits that the fault was significant.

    According to IS’s information, the IT problem has plagued courts and prosecution services for weeks. It is unclear whether the faults actually prevented the prosecution of some of the cases.

    According to Lehmo, Friday’s fault was already repaired over the weekend.

    According to IS’s information, however, there were very big problems in the judicial system on Monday.

    According to Lehmo, this was due to a duplicated telecoms connection between the computers, one of which started showing symptoms.

    Source: https://www.is.fi/digitoday/art-2000005707624.html

    Reply
  9. Tomi Engdahl says:

    IBM Adds New Features to MaaS360 with Watson UEM Product
    https://www.securityweek.com/ibm-adds-new-features-maas360-watson-uem-product

    IBM announced on Monday that it has added two new important features to its “MaaS360 with Watson” unified endpoint management (UEM) solution.

    UEM solutions allow enterprise IT teams to manage smartphones, tablets, laptops and IoT devices in their organization from a single management console.

    IBM has improved its MaaS360 with Watson UEM product with two capabilities the company says can be highly useful for IT departments: app intelligence and reporting, and security policy recommendations.

    Reply
  10. Tomi Engdahl says:

    Apple Boosts Security in iOS 12, macOS Mojave
    https://www.securityweek.com/apple-boosts-security-ios-12-macos-mojave

    At its Worldwide Developers Conference (WWDC) 2018 this week, Apple shared information on the security improvements that iOS 12 and macOS Mojave are set to bring when they arrive this fall.

    Reply
  11. Tomi Engdahl says:

    Facebook Says Chinese Phone Makers Got Access to Data
    https://www.securityweek.com/facebook-says-chinese-phone-makers-got-access-data

    Facebook on Tuesday confirmed that a Chinese phone maker deemed a national security threat by the US was among companies given access to data on users.

    Huawei was able to access Facebook data to get the leading social network’s applications to perform on smartphones, according to the California-based company.

    “Facebook along with many other US tech companies have worked with them and other Chinese manufacturers to integrate their services onto these phones,” Facebook mobile partnerships leader Francisco Varela said in a released statement.

    “Given the interest from Congress, we wanted to make clear that all the information from these integrations with Huawei was stored on the device, not on Huawei’s servers.”

    Facebook also had data access deals with Lenovo, OPPO and TCL of China, according to Varela.

    “Facebook’s integrations with Huawei, Lenovo, OPPO and TCL were controlled from the get go,” Varela said.

    Reply
  12. Tomi Engdahl says:

    Fortinet Acquires Bradford Networks to Extend Security to the Edge
    https://www.securityweek.com/fortinet-acquires-bradford-networks-extend-security-edge

    Fortinet has acquired Boston-based network security firm Bradford Networks. The purpose is to extend Fortinet’s micro segmentation to the new perimeter: that is, the IoT and mobile edge.

    Reply
  13. Tomi Engdahl says:

    Flaw in F-Secure Products Allowed Code Execution via Malicious Archives
    https://www.securityweek.com/flaw-f-secure-products-allowed-code-execution-malicious-archives

    A critical vulnerability affecting many consumer and corporate products from F-Secure could have been exploited for remote code execution using specially crafted archive files.

    A researcher who uses the online moniker “landave” has identified several vulnerabilities related to 7-Zip, an open source file archiver used by many commercial products. Some of the security holes impact 7-Zip and products using it, while others are specific to the third-party implementations of 7-Zip.

    Some of the vulnerabilities, disclosed in 2017, impact Bitdefender products. On Tuesday, landave published a blog post describing how one of the 7-Zip bugs he identified last year, namely CVE-2018-10115, can be used to achieve remote code execution on most F-Secure endpoint protection products for Windows.

    The details of the vulnerability have been disclosed after F-Secure rolled out a patch via its automatic update mechanisms on May 22. Users don’t need to take any action, unless they explicitly disabled automatic updates.

    Reply
  14. Tomi Engdahl says:

    Oops! Botnet Operators Use Default Credentials on Command and Control Server
    https://www.securityweek.com/oops-botnet-operators-use-default-credentials-command-and-control-server

    Internet of Things (IoT) botnets prey on the use of default or weak credentials to compromise connected devices, but the operators of such a botnet also used default credentials in their operations.

    As NewSky Security researchers recently discovered, the operators of the Mirai variant Owari botnet used default credentials on their command and control (C&C) server, thus allowing easy access to their database.

    Reply
  15. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Cisco: Russian-tied VPNFilter malware targets far more routers and is more powerful than first reported, can attack connected PCs, downgrade HTTPS connections

    VPNFilter malware infecting 500,000 devices is worse than we thought
    Malware tied to Russia can attack connected computers and downgrade HTTPS.
    https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/

    Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.

    The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. Attackers can use this ssler module to inject malicious payloads into traffic as it passes through an infected router. The payloads can be tailored to exploit specific devices connected to the infected network. Pronounced “essler,” the module can also be used to surreptitiously modify content delivered by websites.

    Reply
  16. Tomi Engdahl says:

    New York Times:
    Facebook has had data-sharing partnerships with Huawei, Lenovo, Oppo, and TCL since at least 2010 and will wind down the Huawei deal by the end of the week — Facebook has data-sharing partnerships with at least four Chinese electronics companies, including a manufacturing giant …
    http://www.nytimes.com/2018/06/05/technology/facebook-device-partnerships-china.html

    Reply
  17. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Europe’s top court rules that administrators of fan pages on Facebook are jointly responsible with Facebook for the processing of users’ data
    https://techcrunch.com/2018/06/05/europes-top-court-takes-a-broad-view-on-privacy-responsibilities-around-platforms/

    Reply
  18. Tomi Engdahl says:

    A simple solution to end the encryption debate
    https://techcrunch.com/2018/05/20/a-simple-solution-to-end-the-encryption-debate/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    One-size-fits-all technological solutions, like a manufacturer-built universal backdoor tool for smartphones, likely create more dangers than they prevent. While no solution will be perfect, the best ways to square data access with security concerns require a more nuanced approach that relies on non-technological procedures.

    Encryption has a critical role in protecting our digital systems against compromises by hackers and thieves. And of course, a centralized data access tool would be a prime target for hackers and criminals.

    So how do we help law enforcement without making data privacy even thornier than it already is? A potential solution is through a non-technological method, sensitive to the needs of all parties involved

    The solution requires storage of encryption keys — the codes needed to decrypt data — with third-party custodians. Those custodians would not keep their clients’ encryption keys. Rather, they give the access tool to clients, and then clients can choose how to use it and to whom they wish to give access. A core component of strong digital security is that a service provider should not have access to a client’s unencrypted data nor control over a client’s encryption keys.

    This solution is not technological, like backdoor access built by manufacturers or service providers, but a human solution built around customer control.

    The clients can even split their encryption keys into multiple pieces distributed over different third parties, so that no one custodian can access a client’s data without the cooperation of the others.

    A custodial mechanism that utilizes customer-selected third parties is not the answer to every part of the cybersecurity and privacy dilemma.

    Reply
  19. Tomi Engdahl says:

    Watchdog slams TSB boss for underplaying extent of IT meltdown
    Financial Conduct Authority to probe British bank’s tech migration
    https://www.theregister.co.uk/2018/06/06/city_watchdog_slams_tsb_for_painting_optimistic_view_of_it_meltdown/

    A City watchdog has launched a stinging attack on TSB chief Paul Pester for portraying “an optimistic view” of its catastrophic IT meltdown in April that prevented 1.9 million customers from using online bank services.

    “We do not normally make this information public, but given the level of public interest, I want to be clear that we will be conducting this work,”

    “The FCA has been dissatisfied with TSB’s communications with its customers and we have had concerns that TSB was not being open and transparent about the issues experienced,” it added.

    Following the incident, a number of customers fell victim to fraud via phishing calls, emails and texts sent by scammers purporting to be TSB and asking them to verify their bank details.

    Reply
  20. Tomi Engdahl says:

    Loose .zips sink chips: How poisoned archives can hack your computer
    Path traversal flaws could lead to data mangling, code execution – so patch now
    https://www.theregister.co.uk/2018/06/05/zip_slip_bug_archives/

    Specifically, the flaws, dubbed “Zip Slip” by its discoverers at security outfit Snyk, are path traversals that can potentially be exploited to perform arbitrary code execution attacks. It affects certain tools that handle .zip, .tar, .war, .cpio, and .7z formats.

    The programming blunders are present in developer libraries made by Apache, Oracle, and others, which are used by thousands of applications. Patches are available for the libraries, and products and programs using the insecure code should be updated to bring in the fixes and then pushed out to the public so people can install them and be safe.

    Reply
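    Comments 3 and 20 both describe Zip Slip without showing the bug. The block below is an added example written for this page, not code from Snyk or from any of the affected libraries: it builds a tiny archive (constructed, not a real-world sample) containing an entry named `../../evil.txt`, extracts it with the pattern the vulnerable libraries used (join the entry name onto the destination and write), and then with a checked extractor that resolves every name against the destination and aborts before writing anything if one escapes. The affected libraries were mostly Java, but the flaw is language-independent and Python’s `zipfile` reproduces it exactly when the caller writes entries by hand instead of using `extractall`.

    ```python
    import io
    import os
    import shutil
    import tempfile
    import zipfile


    def build_malicious_zip() -> bytes:
        """Build a small archive in memory (constructed sample, not a real
        malicious file): one benign entry plus one whose name climbs out of
        the extraction directory with '../' components."""
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("readme.txt", "harmless\n")
            # The zip format stores entry names verbatim; nothing stops an
            # attacker from putting '../' in one. Only the extractor can say no.
            zf.writestr("../../evil.txt", "owned\n")
        return buf.getvalue()


    def extract_naive(archive: bytes, dest: str) -> list:
        """The Zip Slip pattern: trust the entry name and join it onto dest."""
        written = []
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for info in zf.infolist():
                target = os.path.normpath(os.path.join(dest, info.filename))
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
                written.append(target)
        return written


    def safe_join(dest: str, name: str) -> str:
        """Resolve an entry name against dest and refuse anything that would
        land outside it, whether via '../', an absolute path, or a symlinked
        parent already present under dest."""
        dest_real = os.path.realpath(dest)
        target = os.path.realpath(os.path.join(dest_real, name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise ValueError(f"zip slip attempt: {name!r} escapes {dest_real!r}")
        return target


    def extract_safe(archive: bytes, dest: str) -> list:
        """Validate every entry name first, then write; a single bad entry
        aborts the whole extraction before anything touches disk."""
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            infos = zf.infolist()
            targets = [safe_join(dest, info.filename) for info in infos]
            written = []
            for info, target in zip(infos, targets):
                if info.is_dir():
                    os.makedirs(target, exist_ok=True)
                    continue
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
                written.append(target)
        return written


    def demo() -> dict:
        """Run both extractors on the constructed archive inside a scratch tree
        and report where the traversal entry ended up."""
        archive = build_malicious_zip()
        root = tempfile.mkdtemp(prefix="zipslip-")
        try:
            naive_dest = os.path.join(root, "naive", "unpack", "here")
            os.makedirs(naive_dest)
            extract_naive(archive, naive_dest)

            safe_dest = os.path.join(root, "safe", "unpack", "here")
            os.makedirs(safe_dest)
            try:
                extract_safe(archive, safe_dest)
                rejected = False
            except ValueError:
                rejected = True

            return {
                # '../../evil.txt' resolved to <root>/naive/evil.txt, two levels
                # above the directory the caller asked to unpack into.
                "naive_escaped": os.path.exists(os.path.join(root, "naive", "evil.txt")),
                "safe_rejected": rejected,
                "safe_wrote_nothing": os.listdir(safe_dest) == [],
                "safe_escaped": os.path.exists(os.path.join(root, "safe", "evil.txt")),
            }
        finally:
            shutil.rmtree(root, ignore_errors=True)


    if __name__ == "__main__":
        print(demo())
    ```

    The validate-everything-then-write order matters: checking each name just before writing it still leaves the earlier, benign-looking entries on disk when a later one is rejected, which is a convenient foothold for an attacker who only needs one file placed. Tar archives add symlink entries to the problem (a link pointing outside, followed by a file written through it), which is why a realpath check against the live destination, rather than a lexical `..` scan, is the right primitive; Python 3.12’s `tarfile` `filter="data"` applies the same rule.
    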
  21. Tomi Engdahl says:

    IoT CloudPets in the doghouse after damning security audit: Now Amazon bans sales
    Self-appointed privacy paladin Mozilla points out fatal flaws
    https://www.theregister.co.uk/2018/06/06/amazon_dumps_cloudpets/

    Reply
  22. Tomi Engdahl says:

    VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices
    https://it.slashdot.org/story/18/06/06/1759200/vpnfilter-can-also-infect-asus-d-link-huawei-ubiquiti-upvel-and-zte-devices?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Linksys, MikroTik, Netgear, TP-Link, and QNAP — can also infect routers made by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE.

    Reply
  23. Tomi Engdahl says:

    US Government Probes Airplane Vulnerabilities, Says Airline Hack Is ‘Only a Matter of Time’
    https://tech.slashdot.org/story/18/06/06/2057246/us-government-probes-airplane-vulnerabilities-says-airline-hack-is-only-a-matter-of-time?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    U.S. government researchers believe it is only a matter of time before a cybersecurity breach on an airline occurs, according to government documents obtained by Motherboard. The comment was included in a recent presentation talking about efforts to uncover vulnerabilities in widely used commercial aircraft, building on research in which a Department of Homeland Security (DHS) team successfully remotely hacked a Boeing 737.

    US Government Probes Airplane Vulnerabilities, Says Airline Hack Is ‘Only a Matter of Time’
    https://motherboard.vice.com/en_us/article/d3kwzx/documents-us-government-hacking-planes-dhs

    According to DHS and other US government documents obtained by Motherboard, the DHS is continuing to investigate how insecure commercial aircraft are to cyber attacks, with one research lab saying hacking a plane may lead to a “catastrophic disaster.”

    Reply
  24. Tomi Engdahl says:

    Microsoft Adds Post-Quantum Cryptography To an OpenVPN Fork
    https://tech.slashdot.org/story/18/06/06/138258/microsoft-adds-post-quantum-cryptography-to-an-openvpn-fork?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Microsoft recently published an interesting open source project called “PQCrypto-VPN” that implements post-quantum cryptography (PQC) within OpenVPN. Being developed by the Microsoft Research Security and Cryptography group, as part of their research into post-quantum cryptography, this fork is being used to test PQC algorithms and their performance and functionality when used with VPNs.

    Microsoft Adds Post-Quantum Cryptography to an OpenVPN Fork
    https://www.bleepingcomputer.com/news/microsoft/microsoft-adds-post-quantum-cryptography-to-an-openvpn-fork/

    Microsoft’s PQCrypto-VPN is published on GitHub and allows anyone to build an OpenVPN implementation that can encrypt communications using three different post-quantum cryptography protocols, with more coming as they are developed. These protocols are:

    Frodo: a key exchange protocol based on the learning with errors problem
    SIKE: a key exchange protocol based on Supersingular Isogeny Diffie-Hellman
    Picnic: a signature algorithm using symmetric-key primitives and non-interactive zero-knowledge proofs

    https://github.com/Microsoft/PQCrypto-VPN

    Reply
  25. Tomi Engdahl says:

    ‘Vigilance’ hacker charged over Minnesota government attacks
    Feds finger 19-year-old for failed hacktivism effort
    https://www.theregister.co.uk/2018/06/07/vigilance_hacker_charged/

    Vigilance, in a statement posted to Twitter and Ghostbin, said the Minnesota hacking attacks followed from the court verdict: “I have attacked large Minnesotan targets for one purpose: Retaliation for ex-officer Yanez’s acquittal.”

    It goes on to say, ironically as it turned out, “The FBI is set to investigate me. I am confident my identity is safe.”

    Vigilance via Twitter took credit for hacking Minnesota’s government portal (MN.gov) and Minnesota State University Moorhead, which acknowledged being attacked on June 20, 2017.

    Reply
  26. Tomi Engdahl says:

    ALTR Emerges From Stealth With Blockchain-Based Data Security Solution
    https://www.securityweek.com/altr-emerges-stealth-blockchain-based-data-security-solution

    Austin, Texas-based ALTR emerged from stealth mode on Wednesday with a blockchain-based data security platform and $15 million in funding.

    ALTR announced the immediate availability of its product, which has been in development for nearly four years while the company operated in stealth mode.

    Originally designed to serve as the public transactions ledger for the Bitcoin cryptocurrency, blockchain is a distributed database consisting of blocks that are linked and secured using cryptography. Companies have been increasingly using blockchain for purposes other than cryptocurrency transactions, including for identity verification and securing data and devices.

    ALTR’s platform uses blockchain technology for secure data access and storage. Built on what the company names ALTRchain, the solution allows organizations to monitor, access and store highly sensitive information.

    Reply
  27. Tomi Engdahl says:

    The Diminishing Returns of Our Constantly Growing Security Stacks
    https://www.securityweek.com/diminishing-returns-our-constantly-growing-security-stacks

    The Right Balance

    Globally, there are more than a million cyber security job openings. Security tools can generate hundreds to thousands of alerts each day – if a company has only two security experts, how can they thoroughly investigate each potential threat?

    Removing security tools can often feel like introducing a vulnerability into the network. But this very hesitancy could actually be undermining the effectiveness of security programs. The excess of alerts generated by an excess of technologies makes it a challenge for analysts to identify and investigate genuine threats.

    Not only is hiring more skilled security professionals a challenge, but it can be just as much of a band-aid fix as adding additional tools without the right core technologies and strategy in place. Appropriately paring down a security stack not only saves money that can be reinvested into the program, but also frees up time that analysts and CISOs alike can dedicate to other important tasks.

    Keep it Simple

    When evaluating the efficiency of an existing stack, it is critical to think about the types of threats that the network is not protected against. Can you spot insider threat, be it malicious or accidental? What about your organization’s ability to spot and contain machine-speed ransomware or never-seen-before threats? Do you have a tool for detecting stealthy campaigns that often lie quietly in networks? How quickly can you catch a foreign presence that is already in operation on your network?

    Reply
  28. Tomi Engdahl says:

    Destructive and MiTM Capabilities of VPNFilter Malware Revealed
    Wednesday, June 06, 2018 Swati Khandelwal
    https://thehackernews.com/2018/06/vpnfilter-router-malware.html

    Reply
  29. Tomi Engdahl says:

    Cybersecurity at the World Cup: What You Should Know
    https://securityintelligence.com/cybersecurity-at-the-world-cup-what-you-should-know/

    Events like the World Cup inspire awe about what teams working together and individuals with determination can accomplish — these events are a time for national pride, excitement and enjoyment.

    Enhanced security at these events often focuses on physical security, with increased local police, physical barriers and identification checks. Yet, such measures should not overlook the need for heightened cybersecurity — not only because of the expanded digitization of sports venues but because the very attributes that make these events worthwhile open additional avenues for social engineering.

    Financially-motivated malicious actors are likely to see significant opportunity in targeting fans — particularly if they can exploit online ticket sales or transactions conducted in a nonsecure environment — while hacktivists and nation-state cyber actors are likely to seek access to information and websites that will be politically advantageous, either now or in the future.

    Fans traveling internationally to attend high-profile sporting events are more likely to receive phishing attack messages.

    In addition to phishing attacks, fans can unknowingly expose themselves to malware by using nonsecure Wi-Fi, including open networks available in airports, hotels and restaurants.

    For fans traveling to global sporting events, we recommend the following measures to enhance cybersecurity:

    Be highly suspicious of messages containing links or attachments.
    Avoid using public Wi-Fi. Use a private Wi-Fi network or virtual private network (VPN) that encrypts data to decrease some risk.
    Warn family and friends against potential scams.
    Be cautious of where and how you use a credit card for payment. If in doubt, use cash to avoid compromise of financial information.
    Ensure any devices you bring have the latest operating system and applicable patches installed before you depart.
    Consider bringing a “burner” phone in which you use a SIM card purchased at your destination with cash, and avoid bringing any additional electronics.
    Avoid accessing social media or email.
    Consider going “off the grid” while traveling, except for emergency communications.

    Reply
  30. Tomi Engdahl says:

    In World Cup Russia, our Wi-Fi networks will log on to you!
    Researchers warn of shady hotspots in host cities
    https://www.theregister.co.uk/2018/06/06/world_cup_russia/

    The upcoming soccer World Cup will present no shortage of security dangers for travelers looking to get online in the host cities.

    Security house Kaspersky Lab said its researchers looked at 32,000 public Wi-Fi hotspots in the 11 Russian cities hosting the World Cup this year and found that one in five are using no protection whatsoever and leaving users vulnerable to having their traffic harvested by criminals.

    Reply
  31. Tomi Engdahl says:

    Sofacy APT Has Subtly Changed Tactics
    https://www.bleepingcomputer.com/news/security/sofacy-apt-has-subtly-changed-tactics/

    A well-known Russian cyber-espionage group has subtly changed its modus operandi, moving to what security researchers from Palo Alto Networks are calling “parallel attacks.”

    These new “parallel attacks” are in stark contrast with what security researchers from multiple cyber-security firms have previously seen from Sofacy, a well-known APT (advanced persistent threat — a term used to describe nation-state hackers).

    Reply
  32. Tomi Engdahl says:

    Adobe Flash Zero-Day Leveraged For Targeted Attack in Middle East
    https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack

    ICEBRG’s Security Research Team (SRT) has identified active exploitation of a zero-day vulnerability in Adobe Flash that appears to target persons and organizations in the Middle East. The vulnerability (CVE-2018-5002) allows for a maliciously crafted Flash object to execute code on victim computers, which enables an attacker to execute a range of payloads and actions.

    Reply
  33. Tomi Engdahl says:

    Atlanta struggles with major cyberattack
    By Sead Fadilpašić, 2018-06-07
    Online assault appears much worse than originally anticipated.
    https://www.itproportal.com/news/atlanta-struggles-with-major-cyberattack/

    The ransomware attack against the city of Atlanta which took place in late March seems to be much worse than originally thought, Reuters is reporting this Thursday. As a matter of fact, it could very well be the worst cyber assault on any U.S. city.

    Here’s the breakdown: more than a third of the 424 software programs used by the city have either gone offline or been partially disabled. Almost 30 per cent of the affected applications are considered mission critical, affecting the police and courts, to name a few.

    “It’s a lot more… it seems to be growing every day,” Atlanta Information Management head Daphne Rackley told the Atlanta City Council. An additional $9.5 million had been proposed, to cover for the costs of the incident.

    Hackers have demanded $51,000 worth of bitcoin for the release of all encrypted data. The city said it had not paid the ransom.

    Reply
  34. Tomi Engdahl says:

    System failure shuts down London Stock Exchange
    By Anthony Spadafora, 2018-06-07
    https://www.itproportal.com/news/system-failure-shuts-down-london-stock-exchange/

    Brokers were unable to trade for several hours after connectivity issues led to a suspension.

    The London Stock Exchange (LSE) suspended trading for around seven hours following its worst system failure in eight years.

    To make matters worse, the outage occurred on what could have been one of the busiest trading days of the year following a worldwide market rebound after the US government decided to bail out the mortgage companies Fannie Mae and Freddie Mac.

    The Johannesburg Stock Exchange also had to suspend trading as it uses LSE’s trading platform, TradElect.

    The recent trading suspension was the longest the LSE has dealt with since April 5, 2000.

    Reply
  35. Tomi Engdahl says:

    Malspam Campaigns Using IQY Attachments to Bypass AV Filters and Install RATs
    https://www.bleepingcomputer.com/news/security/malspam-campaigns-using-iqy-attachments-to-bypass-av-filters-and-install-rats/

    Malspam campaigns, such as ones being distributed by Necurs, are utilizing a new attachment type that is doing a good job in bypassing antivirus and mail filters. These IQY attachments are called Excel Web Query files and when opened will attempt to pull data from external sources.

    The problem is that the external data being imported by the spreadsheet can also be a formula that will be executed by Excel. These formulas can then be used to locally launch PowerShell scripts that download and install malware onto the computer, which is explained later in the article.

    Reply
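    As an added defender-side illustration of the IQY mechanism described above (example code, not from the BleepingComputer article), the following Python check parses an Excel Web Query attachment and flags WEB queries that point outside a hypothetical allowlist of internal hosts. The host names and sample files are constructed.

```python
# Added example, not the article's code: a mail-gateway style check for Excel
# Web Query (.iqy) attachments. An IQY file is plain text: line 1 the query
# type (WEB), line 2 the version, line 3 the URL Excel fetches, then optional
# key=value settings. The fetched text becomes cell content, which can be a
# formula, so WEB queries to non-internal hosts are worth quarantining.
import ipaddress
from urllib.parse import urlparse

# Hypothetical allowlist of internal data sources an IQY may legitimately use
ALLOWED_HOSTS = {"reports.corp.example", "bi.corp.example"}


def parse_iqy(text: str) -> dict:
    """Split an IQY body into its type, version, URL and settings."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("not a valid IQY file: fewer than 3 non-empty lines")
    settings = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return {"type": lines[0].upper(), "version": lines[1],
            "url": lines[2], "settings": settings}


def assess_iqy(text: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return the reasons to quarantine the attachment; [] means none found."""
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return [str(exc)]
    if query["type"] != "WEB":
        return []  # only WEB queries make Excel contact a remote server
    parsed = urlparse(query["url"])
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if host not in allowed_hosts:
        reasons.append(f"external host {host or '<none>'} is not allowlisted")
    try:
        ipaddress.ip_address(host)
        reasons.append("URL uses a raw IP address instead of a hostname")
    except ValueError:
        pass  # a normal hostname, nothing to flag here
    return reasons


# Constructed sample attachments for demonstration (not real campaign files)
BENIGN_IQY = "WEB\n1\nhttps://reports.corp.example/sales.csv\n\nSelection=AllTables\n"
SUSPECT_IQY = "WEB\n1\nhttp://203.0.113.7/x.dat\n\nFormatting=None\n"
```

    Blocking the extension outright at the gateway is simpler still; this check is for environments that genuinely use web queries against internal sources.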
  36. Tomi Engdahl says:

    You Can File Complaints About Cryptojacking With the FTC
    https://www.bleepingcomputer.com/news/security/you-can-file-complaints-about-cryptojacking-with-the-ftc/

    The US Federal Trade Commission (FTC) is now open to taking complaints from US users about cryptojacking, the practice of using JavaScript code to mine cryptocurrencies inside users’ browsers without notifying them in advance or requesting permission.

    While cryptocurrency mining has been a thing for years and is the primary and only method through which new cryptocurrencies are generated, mining was usually done via special hardware rigs or custom software installed on users’ computers.

    Generating cryptocurrency via these two methods has usually been pretty hard, especially for malware authors, as it required tricking users into installing malware or hacking countless servers across the web.

    Reply
  37. Tomi Engdahl says:

    Adobe Patches Flash Zero-Day
    https://www.bleepingcomputer.com/news/security/adobe-patches-flash-zero-day/

    Adobe has issued a security update for Flash Player today to patch a zero-day vulnerability exploited by attackers in the wild.

    The vulnerability was discovered and independently reported by several security firms: ICEBRG, Tencent, and two security divisions from Chinese cyber-security giant Qihoo 360.

    The vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions. It was fixed with the release of Flash Player 30.0.0.113.

    According to Qihoo 360 Core Security, attackers used the Flash zero-day for attacks against targets in the Middle East. It is believed that a nation-state-backed cyber-espionage group is behind the attacks.

    Check Flash Player version and update
    https://helpx.adobe.com/fi/flash-player.html

    Reply
  38. Tomi Engdahl says:

    Cryptocurrency Theft Tops $1 Billion in Past Six Months
    https://www.securityweek.com/cryptocurrency-theft-tops-1-billion-past-six-months

    $1.1 billion has been stolen in cryptocurrency thefts over the last six months. This is the visible effect of an illicit dark web market economy which is reportedly worth $6.7 million. That market fuels cryptocurrency thefts from exchanges, businesses, and individuals; and the growing incidence of cryptojacking.

    A six-month study (PDF) by Carbon Black into how cryptocurrency malware is bought and sold in the dark web has shown an estimated 12,000 dark web marketplaces selling approximately 34,000 offerings related to cryptocurrency theft. Malware offerings range from as little as $1.04 to as much as $1,000, with an average price of $224.

    Reply
  39. Tomi Engdahl says:

    Serious Flaws Found in Philips Patient Monitoring Devices
    https://www.securityweek.com/serious-flaws-found-philips-patient-monitoring-devices

    Researchers have discovered serious vulnerabilities in patient monitoring devices from Philips. The vendor has shared some recommendations for mitigating the risks until patches are made available.

    A total of three flaws were identified by Medigate in Philips IntelliVue patient monitors (MP and MX series) and Avalon fetal monitoring systems (FM20, FM30, FM40 and FM50). Advisories describing the issues have been published by Medigate, Philips and ICS-CERT.

    The most serious of them, based on its CVSS score of 8.3, allows an unauthenticated attacker to access memory and write to the memory of a targeted device. A similar flaw allows an unauthenticated attacker to read memory, but this issue has been assigned a severity rating of “medium.”

    Another high severity vulnerability is related to the devices exposing an “echo” service that can be leveraged by an attacker to cause a stack-based buffer overflow.

    Reply
  40. Tomi Engdahl says:

    Triton ICS Malware Developed Using Legitimate Code
    https://www.securityweek.com/triton-ics-malware-developed-using-legitimate-code

    The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work.

    Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which use the proprietary TriStation network protocol. The malware leveraged a zero-day vulnerability affecting older versions of the product.

    (Image caption: Triconex controller targeted by Triton ICS malware)

    FireEye’s Advanced Practices Team has conducted a detailed analysis of the threat, which it describes as a malware framework, in an effort to determine when and how it was created.

    The TriStation protocol is designed for communications between PCs (e.g. engineering workstations) and Triconex controllers. With no public documentation available, the protocol is not easy to understand, but it has been implemented by Schneider through the TriStation 1131 software suite.

    It’s unclear how the attackers obtained the hardware and software they used to test the malware.

    A Totally Tubular Treatise on TRITON and TriStation
    https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html

    Reply
  41. Tomi Engdahl says:

    Russian Cyberspies Change Tactics in Recent Campaign
    https://www.securityweek.com/russian-cyberspies-change-tactics-recent-campaign

    Recently observed attacks orchestrated by the Russian threat group Sofacy have revealed a change in tactics and new iterations of previously known tools, according to Palo Alto Networks researchers.

    Also tracked as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the cyber-espionage group has been associated with numerous attacks worldwide.

    Now, Palo Alto reveals that a C++ version of Zebrocy has also been seen in attacks. Furthermore, the security researchers discovered Sofacy attacks that leveraged the Dynamic Data Exchange (DDE) exploit technique to deliver different payloads than before.

    As detailed in a February report, Palo Alto also discovered that the group was hiding infrastructure using random registrant and service provider information for each attack and that they deployed a webpage on each of the domains.

    The artifact led to the discovery of an attack campaign using the DealersChoice exploit kit, as well as another domain serving the Zebrocy AutoIT downloader.

    Eventually, this led to the discovery of the C++ variant of the Zebrocy downloader tool, as well as to “evidence of a completely different payload in Koadic being delivered as well.” The Delphi backdoor delivered as the final payload in Zebrocy attacks was found hosted at IP address 185.25.50[.]93, the researchers say.

    From this command and control (C&C) IP, the researchers discovered another hard-coded user agent being used by Zebrocy.

    Two weaponized Office documents leveraging DDE were used to target a North American government organization dealing with foreign affairs with the Zebrocy AutoIT downloader, and the previously mentioned large Central Asian nation, but with a non-Zebrocy payload this time, namely Koadic.

    Reply
  42. Tomi Engdahl says:

    ‘RedEye’ Ransomware Destroys Files, Rewrites MBR
    https://www.securityweek.com/redeye-ransomware-destroys-files-rewrites-mbr

    A newly discovered piece of ransomware appears mainly created to destroy the victim’s files instead of encrypting and holding them for ransom.

    Dubbed RedEye, the malware appears to be the creation of the developer behind the Annabelle ransomware, who also claims to have made the JigSaw ransomware that first emerged a couple of years back (Cisco says the individual might be responsible for several other families as well).

    The same as Annabelle and JigSaw, RedEye’s destructive nature makes it stand out in the crowd. While the vast majority of ransomware families out there have been created with the purpose of generating revenue for their authors and operators, RedEye would gladly destroy users’ files even if there’s no financial gain in it.

    Reply
  44. Tomi Engdahl says:

    A human error disrupted Helsinki’s electronic services – everything depended on a single cable
    https://yle.fi/uutiset/3-10233687

    Reply
  45. Tomi Engdahl says:

    Biometric cards beefing up anti-fraud fight
    https://www.electropages.com/2018/06/biometric-cards-beefing-anti-fraud-fight/?utm_campaign=&utm_source=newsletter&utm_medium=email&utm_term=article&utm_content=Biometric+cards+beefing+up+anti-fraud+fight

    The development of contactless payment cards based on biometrics technology is causing great excitement, because in the next few years the technology is expected to drastically transform contactless payments worldwide. At the forefront of this development are Mastercard and Visa. And although exhaustive trials are still ongoing, both companies are now confident that they are on the verge of a mass rollout of biometric bank cards.

    In April 2017, Mastercard began to test the technology in South Africa. This year, the company started trials in Bulgaria. It also has plans for pilot tests to be conducted elsewhere in the world later this year. Meanwhile Visa, Mastercard’s main rival, is conducting its own biometric card tests. Together with Cyprus’ national bank and the security company Gemalto it is currently undergoing a test in the country that involves tens of thousands of biometric cards. Howard Berg, the managing director of Gemalto UK says that he expects a “significant rollout in the next couple of years”.

    If the rollout of biometric cards by Mastercard and Visa proves to be successful they could eventually result in the death of the humble PIN. Both companies have chips that are embedded in hundreds of millions of credit and debit cards that are in use in more than 200 countries, processing billions of payments each year.

    Reply
  46. Tomi Engdahl says:

    Russia appears to be ‘live testing’ cyber attacks – Former UK spy boss Robert Hannigan
    https://www.theregister.co.uk/2018/06/08/gchq_former_boss_infosec_keynote/

    Warns that nation state hacking threatens corporate networks

    InfoSec Europe: Former GCHQ chief Robert Hannigan has warned that the emergence of a commodity marketplace for hacking has changed and escalated the threat.

    Crooks have solved the skills shortage problem by creating a gig economy and creating “more impressive” and capable tools.

    Reply
  47. Tomi Engdahl says:

    GCHQ bod tells privacy advocates: Most of our work is making sure we operate within the law
    https://www.theregister.co.uk/2018/05/29/crypto_wars_fipr/

    ‘If you whack governments on privacy it will only drive the vulnerability market’

    Professor Anderson opened a panel discussion titled “Crypto wars: the control of interception and surveillance” by arguing that the concept of key escrow – which technologists defeated in the 1990s – was back but since “most IP traffic was encrypted it’s all about your phone”. He also said that one of the main issues with government-developed surveillance tools is that they aren’t being applied to fight cybercrime, a particular problem as more and more economic crimes happen online.

    Reply
  48. Tomi Engdahl says:

    WannaCry reverse-engineer Marcus Hutchins hit with fresh charges
    Accused of creating UPAS Kit and lying to FBI
    https://www.theregister.co.uk/2018/06/07/wannacry_reverse_engine_marcus_hutchins_hit_with_fresh_charges/

    WannaCry ransomware killswitch hero* Marcus Hutchins faces fresh charges in relation to separate malware the security researcher is alleged to have created.

    been charged with multiple felony counts related to the 2014 development of the Kronos banking trojan. He denies any wrongdoing.

    Hutchins is now also accused of creating a second piece of malware, known as UPAS Kit, and distributing it with the help of another individual.

    Reply
  49. Tomi Engdahl says:

    Ship hack ‘risks chaos in English Channel’
    https://www.bbc.com/news/technology-44397872

    A commonly used ship-tracking technology can be hacked to spoof the size and location of boats in order to trigger other vessels’ collision alarms, a researcher has discovered.

    Ken Munro has suggested that the vulnerability could be exploited to block the English Channel.

    Other experts suggest the consequences would be less serious.

    “There are really basic steps that can be taken to prevent this from happening,” he told the BBC.

    “In our experience, security on board ships is often dire.”

    Shipping shut-down
    The attack targets a computer-powered navigation system called the Electronic Chart Display (Ecdis), which provides crews an alternative to using paper charts.

    A French researcher, who goes by the nickname x0rz, had earlier demonstrated that many ships never changed their satellite communications equipment’s default username and password, and that it was relatively easy to find cases via an app to gain remote access.

    Mr Munro has shown that it is possible to take advantage of this to reconfigure a ship’s Ecdis software in order to mis-identify the location of its GPS (global positioning system) receiver.

    The receiver’s location can be moved by only about 300m (984ft).

    He added that it was also possible to make the software identify the boat as being much bigger than its true size – up to 1km sq.

    “So, AIS collision alarms would be firing on numerous ships and many would then simply avoid the area completely.

    “It would make for a very brave captain to continue on course while the alert was sounding.”

    The consequence, he added, was a hacker could effectively shut down the Channel’s shipping lanes.

    Reply
