Cyber Security August 2018

This posting is here to collect security alert news in August 2018.

I post links to security vulnerability news to comments of this article.

 

428 Comments

  1. Tomi Engdahl says:

    Gmail Confidential Mode lets you send top-secret emails on your phone
    This email will self-destruct in 3…2…1
    https://www.cnet.com/news/gmail-confidential-mode-lets-you-send-top-secret-emails-on-your-phone/

    Worried about sending emails with sensitive information on your phone? Gmail has rolled out its Confidential Mode to the Gmail iOS and Android apps.

    Confidential Mode gives you tight control over the emails you send. You can set emails to expire after a set amount of time, similar to a Snapchat message, or take away someone’s access to a confidential email at any time. The recipient won’t be able to forward, copy, print or download a confidential message, but Google points out they can still take screenshots.

    When sending a confidential email you also have the option of requiring an SMS passcode to open the message. If you choose this, the recipient will get a text with a passcode, and have to enter it to open the message.

    Confidential Mode is part of the new Gmail that Google released this year.

    Reply
  2. Tomi Engdahl says:

    Invisible Mouse Clicks Let Hackers Burrow Deep Into MacOS
    https://www.wired.com/story/invisible-mouse-clicks-hack-macos/

    One way operating system developers try to protect a computer’s secrets from probing hackers is with an appeal to the human at the keyboard. By giving the user a choice to “allow” or “deny” a program’s access to sensitive data or features, the operating system can create a checkpoint that halts malware while letting innocent applications through. But former NSA staffer and noted Mac hacker Patrick Wardle has spent the last year exploring a nagging problem: What if a piece of malware can reach out and click on that “allow” button just as easily as a human?

    At the DefCon hacker conference Sunday in Las Vegas, Wardle plans to present a devious set of automated attacks he’s pulled off against macOS versions as recent as the 2017 release High Sierra, capable of so-called synthetic clicks that allow malware to breeze through the permission prompts meant to block it. The result could be malware that, once it has found a way onto a user’s machine, can bypass layers of security to perform tricks like finding the user’s location, stealing their contacts or, with his most surprising and critical technique, taking over the deepest core of the operating system, known as the kernel, to fully control the computer.

    Reply
  3. Tomi Engdahl says:

    Back to the 90’s: FragmentSmack
    https://isc.sans.edu/forums/diary/Back+to+the+90s+FragmentSmack/23998/

    As with SegmentSmack (CVE-2018-5390) the previous week, which allowed remote DoS attacks by sending crafted TCP packets, this week a similar vulnerability has been reported in IP fragments.

    Juha-Matti Tilli has reported a vulnerability in the IP implementation of the Linux kernel, versions 3.9+. The vulnerability is being named FragmentSmack (CVE-2018-5391) and can be exploited by sending specially crafted IP fragments at a low rate. Due to the increase of the reassembly queue size (you can find the commit here) in the Linux kernel 3.9+, it became exploitable. Similar vulnerabilities (exploits known as Teardrop attacks) have been seen before, as far back as the 90’s, starting with Windows NT 4.0, Windows 95 and Linux up to 2.0.32 (see this article). It resurfaced in Windows 7 and Windows Vista and is now reappearing in the Linux kernel. The Teardrop attack originally crashed the system, while these newer vulnerabilities will “just” trigger excessive resource usage (increased CPU and RAM usage).

    If you are not able to apply the patch, changing the values net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_low_thresh back to 256 kB and 192 kB (respectively) or below will mitigate this problem.

    Reply
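    An added check for the mitigation above (written for this page, not taken from the SANS diary or the kernel project): it reads the two sysctls named in the comment from a /proc-style tree, compares them with the 256 kB / 192 kB values, and prints the sysctl commands an administrator would run. The sample tree with a 4 MB / 3 MB queue is constructed for offline use.

```shell
#!/bin/sh
# Added example: verify whether a host still has the enlarged IP fragment
# reassembly queue that made FragmentSmack (CVE-2018-5391) exploitable, and
# show the sysctl settings the SANS diary recommends as a mitigation.

# Mitigation ceilings from the diary, in bytes.
FRAG_HIGH_MAX=262144   # 256 kB
FRAG_LOW_MAX=196608    # 192 kB

# Read one sysctl from a /proc-style tree.
#   $1 = key in dotted form (e.g. net.ipv4.ipfrag_high_thresh)
#   $2 = root directory, default /proc/sys (overridable for offline testing)
read_sysctl() {
    key=$1
    root=${2:-/proc/sys}
    path="$root/$(printf '%s' "$key" | tr . /)"
    [ -r "$path" ] || return 1
    cat "$path"
}

# Exit status: 0 = both thresholds at or below the mitigation values,
#              1 = enlarged queue still in effect (vulnerable if unpatched),
#              2 = sysctls not readable (not Linux, or no /proc/sys).
ipfrag_mitigated() {
    root=${1:-/proc/sys}
    high=$(read_sysctl net.ipv4.ipfrag_high_thresh "$root") || return 2
    low=$(read_sysctl net.ipv4.ipfrag_low_thresh "$root") || return 2
    if [ "$high" -le "$FRAG_HIGH_MAX" ] && [ "$low" -le "$FRAG_LOW_MAX" ]; then
        return 0
    fi
    return 1
}

# Print (but do not run) the commands that apply the mitigation.
print_mitigation() {
    echo "sysctl -w net.ipv4.ipfrag_high_thresh=$FRAG_HIGH_MAX"
    echo "sysctl -w net.ipv4.ipfrag_low_thresh=$FRAG_LOW_MAX"
}

# Constructed sample tree standing in for a kernel with the enlarged queue
# (4 MB high / 3 MB low), so the check can be exercised without root access.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/net/ipv4"
    echo 4194304 > "$dir/net/ipv4/ipfrag_high_thresh"
    echo 3145728 > "$dir/net/ipv4/ipfrag_low_thresh"
    echo "$dir"
}

# Read-only report on the live host; nothing below changes any setting.
ipfrag_mitigated /proc/sys && rc=0 || rc=$?
case $rc in
    0) echo "ipfrag thresholds already at or below 256 kB / 192 kB" ;;
    1) echo "enlarged reassembly queue in effect; to mitigate, run:"
       print_mitigation ;;
    *) echo "could not read net.ipv4.ipfrag_* under /proc/sys" ;;
esac
```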
  4. Tomi Engdahl says:

    New PHP Code Execution Attack Puts WordPress Sites at Risk
    https://thehackernews.com/2018/08/php-deserialization-wordpress.html

    Sam Thomas, a security researcher from Secarma, has discovered a new exploitation technique that could make it easier for hackers to trigger critical deserialization vulnerabilities in the PHP programming language using functions previously considered low-risk.

    PHP unserialization or object injection vulnerabilities were initially documented in 2009, and could allow an attacker to perform different kinds of attacks by supplying malicious inputs.

    Reply
  5. Tomi Engdahl says:

    Beyond Spectre: Foreshadow, a new Intel security problem
    https://www.zdnet.com/article/beyond-spectre-foreshadow-a-new-intel-security-problem/

    Researchers have broken Intel’s Software Guard Extensions, System Management Mode, and x86-based virtual machines.

    Reply
  6. Tomi Engdahl says:

    Open MQTT Servers Raise Physical Threats in Smart Homes
    https://threatpost.com/open-mqtt-servers-raise-physical-threats-in-smart-homes/136586/

    Misconfigured DIY smart-home hubs for home automation could allow attackers to track owners’ movements, see if smart doors and windows are opened or closed, and even open garage doors.

    Tens of thousands of consumer-grade Internet of Things (IoT) servers have been found wide-open on the internet, allowing cybercriminals to potentially compromise homeowners’ physical security. Bad actors can gain complete access to smart-home footprints to track owners’ movements, see if smart doors and windows are opened or closed, and even open garage doors.

    The servers in question are 49,000 Message Queuing Telemetry Transport (MQTT) servers, which are publicly visible due to misconfigured MQTT protocol, according to research released Thursday from Avast. This includes more than 32,000 servers with no password protection.

    Reply
  7. Tomi Engdahl says:

    Breaking Down the Door to Emergency Services through Cellular IoT Gateways
    https://www.f5.com/labs/articles/threat-intelligence/breaking-down-the-door-to-emergency-services-through-cellular-io

    Hollywood has provided a spectacular number of films depicting hackers involved in crime rings such as Lyle, the character portrayed by Seth Green in the Italian Job. At the end of the film, Lyle leverages his skills and talents to look after the health and welfare of his associates by manipulating traffic signals to control the flow of traffic, which subsequently assists in their successful heist.

    This scene is no longer fantasy. For instance, the traffic lights that are referenced do exist. They are often connected back to a smart city’s infrastructure through the use of VPN tunnels and other private means of communication over devices like cellular gateways. These gateways are similar to the modems and routers used by consumers at home but with an additional feature, cellular connectivity, often in the form of 4G/LTE, if available. Additionally, these devices are capable of providing a variety of connection options, including wireless connectivity over 802.11x, Ethernet, USB, serial; analog and digital I/O; and cellular bands ranging from 2G through 4G LTE. If said devices are not configured properly, an attacker may be able to access them and do just as Lyle did in the Italian Job.

    It feels like a time warp, but as with all cyber threats, they do not appear instantly. They evolve slowly in the background over long periods of time until the problem seems to reach a critical mass.

    Reply
  8. Tomi Engdahl says:

    Industry Reactions to Foreshadow Flaws: Feedback Friday
    https://www.securityweek.com/industry-reactions-foreshadow-flaws-feedback-friday

    Researchers and several major tech companies this week disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.

    Reply
  9. Tomi Engdahl says:

    ESET Launches New Enterprise Security Tools
    https://www.securityweek.com/eset-launches-new-enterprise-security-tools

    ESET on Thursday announced the general availability of a new line of enterprise security solutions that include endpoint detection and response (EDR), forensic investigation, threat monitoring, sandbox, and management tools.

    The new EDR tool is ESET Enterprise Inspector, which provides real-time data from the cybersecurity firm’s endpoint security platform. The product is fully customizable and ESET claims it offers “vastly more visibility for complete prevention, detection and response against all types of cyber threats.”

    The new enterprise solutions also include ESET Threat Hunting, an on-demand forensic investigation tool that provides details on alarms and events, and ESET Threat Monitoring, which constantly monitors all Enterprise Inspector data for threats.

    Reply
  10. Tomi Engdahl says:

    Google Warns Thousands Each Month of State-Sponsored Attacks
    https://www.securityweek.com/google-warns-thousands-each-month-state-sponsored-attacks

    Each month, Google sends thousands of warnings to users who might have been targeted in government-backed attacks, even if the attempts have been blocked.

    Highly targeted and more sophisticated when compared to typical phishing attempts, which are mainly focused on financial fraud, these state-sponsored attacks come from dozens of countries worldwide, Google says.

    Only an extremely small fraction of Google’s users have received such an alert, and they don’t necessarily mean that accounts have been compromised, but the search giant urges all of those who receive the notification to take immediate action.

    Reply
  11. Tomi Engdahl says:

    Hacking Elections: Georgia’s Midterm Electronic Voting in the Dock
    https://www.securityweek.com/hacking-elections-georgias-midterm-electronic-voting-dock

    The security of electronic voting and the direct-recording election (DRE) voting machines used has been questioned for years. The upcoming U.S. midterm elections in November, coupled with the attempted Russian meddling in the 2016 presidential election, have made this a current and major concern for many in the security industry and beyond. Now it has gone to court.

    Security concerns

    Concern over the security of electronic voting was heightened following the 2016 presidential election. The incumbent Obama administration accused Russia of interfering and being behind a breach of the DNC and subsequent leak of sensitive data.

    For the most part it is believed that Russia attempted to influence rather than control the vote. However, an NSA document acquired and discussed by The Intercept in June 2017 “raises the possibility that Russian hacking may have breached at least some elements of the voting system, with disconcertingly uncertain results.”

    There is no claim that Russia affected the outcome of the election. The primary concern is that nobody knows the extent of what was done, nor what could have been done – and, more disconcertingly, what might be done next time.

    Reply
  12. Tomi Engdahl says:

    Microsoft Disrupts Election-Related Domains Used by Russian Hackers
    https://www.securityweek.com/microsoft-disrupts-election-related-domains-used-russian-hackers

    Microsoft on Monday announced that it took control of several domains associated with a notorious Russia-linked threat actor. The names of the domains suggest the hackers may have been using them in campaigns related to the upcoming midterm elections in the United States.

    The tech giant’s Digital Crimes Unit obtained a court order to take control of six domains created by a threat group tracked as APT28, Fancy Bear, Pawn Storm, Strontium, Sednit, Tsar Team and Sofacy.

    Reply
  13. Tomi Engdahl says:

    Even the world’s most popular security meet-up is susceptible to hacks…

    ‘Legacy system’ exposed Black Hat 2018 attendees’ contact information
    https://techcrunch.com/2018/08/22/legacy-system-exposed-black-hat-2018-attendees-contact-information/?sr_share=facebook&utm_source=tcfbpage

    Zack Whittaker (@zackwhittaker)

    A “legacy system” was to blame for exposing the contact information of attendees of this year’s Black Hat security conference.

    A Colorado-based pen tester and security researcher who goes by the handle NinjaStyle said it would have taken about six hours to collect all the registered attendees’ names, email and home addresses, company names and phone numbers from anyone who registered for the 2018 conference.

    In a blog post, he explained that he used a reader to access the data on his NFC-enabled conference badge, which stored his name in plaintext and other scrambled data. The badge also contained a web address to download BCard, a business card reader app.

    How I Hacked BlackHat 2018
    Enumerating registered BlackHat attendees with the BCard API
    https://ninja.style/post/bcard/

    The rate at which we were able to brute force the API would mean that we could successfully collect all BlackHat 2018 registered attendees’ names, email addresses, company names, phone numbers, and addresses in only approximately 6 hours.

    After the concept was proved successfully, I began the disclosure process. The ITN team was initially difficult to get in contact with as they do not have a security@ or abuse@ email address, but they were extremely polite, professional, and responsive once I was able to get in contact with the right person. Additionally, they had this issue resolved within 24 hours of initial contact.

    Reply
  14. Tomi Engdahl says:

    Augmented Public Safety: AR Technology Gives Emergency Services Second Set of Eyes
    https://www.sealevel.com/2018/07/27/augmented-public-safety-ar-technology-gives-emergency-services-second-set-of-eyes/

    Public safety departments are catching up with futuristic, augmented reality technology. Some people aren’t happy about it: for example, Microsoft is raising the alarm about facial recognition, wanting to regulate law enforcement use of the tech. However, there are cases where emergency services clearly serve their community better with augmented reality (AR). From training to response, here are three savvy AR public safety applications.

    Reply
  15. Tomi Engdahl says:

    Hackers failed to hack into DNC voter database, says security firm
    https://techcrunch.com/2018/08/22/hackers-failed-to-hack-into-dnc-voter-database-says-security-firm/?utm_source=tcfbpage&sr_share=facebook

    The Democratic National Committee has prevented an attempt to hack into its database of tens of millions of voters.

    CNN and the Associated Press reported on Wednesday, citing an unnamed party official, that the political organization was warned Tuesday of the attempt.

    Lookout, a security firm, told TechCrunch that its staff detected a phishing page hosted on DigitalOcean, a cloud computing and hosting giant, which replicated a login page for NGP VAN, a technology provider for Democratic campaigns.

    Jeremy Richards, principal engineer at the security firm, notified DigitalOcean of the phishing site, which was taken offline.

    It’s not uncommon for political parties to store vast amounts of information on voters.

    Reply
  16. Tomi Engdahl says:

    Russian hackers slipped up in attempt to hack senator
    https://techcrunch.com/2018/08/23/russian-hackers-slipped-up-in-attempt-to-hack-senator/?sr_share=facebook&utm_source=tcfbpage

    Hackers that targeted a Democratic senator up for reelection this year may have left behind clues in their attack that further suggest Russian involvement.

    The office of Claire McCaskill, a Missouri senator, was targeted in an apparent targeted phishing attack from a fake Microsoft domain that the software giant later seized pursuant to a court order. The Daily Beast reported that a then-McCaskill staffer was the target of the attack.

    Reply
  17. Tomi Engdahl says:

    Hak5 925 – Break into shell with MsPaint, Launchy, BackTrack Wireless and more
    https://www.hak5.org/episodes/hak5-925

    Reply
  18. Tomi Engdahl says:

    ‘Forget the Facebook leak’: China is mining data directly from workers’ brains on an industrial scale
    https://m.scmp.com/news/china/society/article/2143899/forget-facebook-leak-china-mining-data-directly-workers-brains

    Government-backed surveillance projects are deploying brain-reading technology to detect changes in emotional states in employees on the production line, the military and at the helm of high-speed trains.

    Reply
  19. Tomi Engdahl says:

    NBC News:
    New facial recognition technology at Washington Dulles airport catches man trying to enter the US illegally just three days after the tech started being used

    New facial recognition tech catches first impostor at D.C. airport
    https://www.nbcnews.com/news/us-news/new-facial-recognition-tech-catches-first-impostor-d-c-airport-n903236

    An identification card from the Republic of Congo was found hidden in the man’s shoe, officials said.

    Facial recognition technology caught an impostor trying to enter the U.S. on a fake passport that may have passed at face value with humans, federal officials said Thursday.

    And the groundbreaking arrest came on just the third day the biometric technology has been used at Washington Dulles International Airport.

    The 26-year-old man arrived Wednesday on a flight from Sao Paulo, Brazil, and presented a French passport to the customs officer, according to the U.S. Customs and Border Protection (CBP). Using the new facial comparison biometric system, the officer determined the unidentified traveler did not match the passport he presented.

    Reply
  20. Tomi Engdahl says:

    Raymond Zhong / New York Times:
    Australia bans Huawei and ZTE from providing 5G equipment to support the country’s new telecom networks, citing risks of foreign interference and hacking — BEIJING — The fog of cyberespionage concerns surrounding Huawei has for years kept the Chinese technology giant largely out of the United States.

    Australia Bars China’s Huawei From Building 5G Wireless Network
    https://www.nytimes.com/2018/08/23/technology/huawei-banned-australia-5g.html

    Reply
  21. Tomi Engdahl says:

    Andy Greenberg / Wired:
    A look at the Russia-linked NotPetya cyberattack, which caused an estimated $10B+ in damages worldwide after initially targeting Ukrainian companies — Crippled ports. Paralyzed corporations. Frozen government agencies. How a single piece of code crashed the world.

    https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world

    Reply
  22. Tomi Engdahl says:

    New York Times:
    A look at how FireEye helped Facebook identify Iran-linked fake accounts, after working on the DNC hack in 2016 — SAN FRANCISCO — FireEye, a cybersecurity company that has been involved in a number of prominent investigations, including the 2016 attack on the Democratic National Committee …

    How FireEye Helped Facebook Spot a Disinformation Campaign
    https://www.nytimes.com/2018/08/23/technology/fireeye-facebook-disinformation.html

    FireEye, a cybersecurity company that has been involved in a number of prominent investigations, including the 2016 attack on the Democratic National Committee, alerted Facebook in July that it had a problem.

    Security analysts at the company noticed a cluster of inauthentic accounts and pages on Facebook that were sharing content from a site called Liberty Front Press. It looked like a news site, but most of its content was stolen from outlets like Politico and CNN. The small amount of original material was written in choppy English.

    FireEye’s tip eventually led Facebook to remove 652 fake accounts and pages. And Liberty Front Press, the common thread among much of that sham activity, was linked to state media in Iran, Facebook said on Tuesday.

    Facebook’s latest purge of disinformation from its platforms highlighted the key role that cybersecurity outfits are playing in policing the pages of giant social media platforms. For all of their wealth and well-staffed security teams, companies like Facebook often rely on outside firms and researchers for their expertise.

    The discovery of the disinformation campaign also represented a shift in the bad behavior that independent security companies are on the lookout for. Long in the business of discovering and fending off hacking attempts and all sorts of malware, security companies have expanded their focus to the disinformation campaigns that have plagued Facebook and other social media for the past few years.

    Attributing attacks to Iran has been tricky. Security experts who have studied Iranian hackers said many take part in attacks, or disinformation campaigns, while they are still in college. They are often recruited for government work, but may also float in and out of government-backed contracts.

    Reply
  23. Tomi Engdahl says:

    Millions of Texas voter records exposed online
    https://techcrunch.com/2018/08/23/millions-of-texas-voter-records-exposed-online/

    Over 14 million detailed voter records were found on an unprotected server

    A massive trove of voter records containing personal information on millions of Texas residents has been found online.

    The data — a single file containing an estimated 14.8 million records — was left on an unsecured server without a password. Texas has 19.3 million registered voters.

    It’s the latest exposure of voter data in a long string of security incidents that have cast doubt on political parties’ abilities to keep voter data safe at a time where nation states are actively trying to influence elections.

    Granted, much of that data is public. According to The Texas Tribune, that kind of voter data in Texas is already obtainable for a fee, but information relating to individuals’ political affiliations and party memberships is not.

    Reply
  24. Tomi Engdahl says:

    Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
    https://securelist.com/operation-applejeus/87553/

    Lazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and cybersabotage, the attacker has been targeting banks and other financial companies around the globe. Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies.

    Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

    Reply
  25. Tomi Engdahl says:

    An Android Package is no Longer a ZIP
    https://www.fortinet.com/blog/threat-research/an-android-package-is-no-longer-a-zip.html

    Over the past few years, I have been giving workshops on Android reverse engineering – my next one will be an advanced session at Virus Bulletin in October. As most other researchers on Android, I typically start off with a slide explaining that an Android Package (APK) is just a ZIP. Since Android 7.0, however, this is no longer true.

    The APK Format: a Modified ZIP File

    The Format of an APK File Since Android 7.0

    Reply
  26. Tomi Engdahl says:

    New Android Malware Framework Turns Apps Into Powerful Spyware
    https://thehackernews.com/2018/08/android-malware-spyware.html

    Security researchers have uncovered a new, powerful Android malware framework that is being used by cybercriminals to turn legitimate apps into spyware with extensive surveillance capabilities—as part of what seems to be a targeted espionage campaign.

    Legitimate Android applications when bundled with the malware framework, dubbed Triout, gain capabilities to spy on infected devices by recording phone calls, and monitoring text messages, secretly stealing photos and videos, and collecting location data—all without users’ knowledge.

    Reply
  27. Tomi Engdahl says:

    Android/BondPath: a Mature Spyware
    https://www.fortinet.com/blog/threat-research/android-bondpath–a-mature-spyware.html

    We have recently stumbled on several active samples of an Android spyware. They belong to a family we have named BondPath (also known as PathCall or Dingwe), which was first reported in May 2016. While our customers have been protected against that malware since 2016, in July 2018 we discovered that some samples are still in the wild and continue to be a threat to unprotected smartphones.

    This malware poses as a Google Play Store Services application. The fact that it is signed by the unknown developer hola should be the first clue to raise an alert.

    Reply
  28. Tomi Engdahl says:

    Attempt to Break Into Democratic Party Voter Data Thwarted
    https://www.securityweek.com/attempt-break-democratic-party-voter-data-thwarted

    An attempt to break into the Democratic National Committee’s massive voter database has been thwarted, a party official said Wednesday, two years after Russian operatives sent the party into disarray by hacking into its computers and facilitating the release of tens of thousands of emails amid the presidential election.

    A web security firm using artificial intelligence uncovered the attempt. The DNC was notified Tuesday, it said. Hackers had created a fake login page to gather usernames and passwords in an effort to gain access to the Democratic Party’s voter file, a party official said. The file contains information on tens of millions of voters. The attempt was quickly thwarted by suspending the attacker’s account, and no information was compromised, the official said. The FBI was notified.

    The official wasn’t authorized to speak about sensitive security information and spoke to The Associated Press on condition of anonymity.

    Reply
  29. Tomi Engdahl says:

    Microsoft Releases Intel Microcode Patches for Foreshadow Flaws
    https://www.securityweek.com/microsoft-releases-intel-microcode-patches-foreshadow-flaws

    Microsoft this week made available another round of microcode updates created by Intel for mitigating the recently disclosed speculative execution vulnerabilities tracked as Foreshadow and L1 Terminal Fault (L1TF).

    The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

    Reply
  30. Tomi Engdahl says:

    Iran-Linked Influence Campaign Targets US, Others
    https://www.securityweek.com/iran-linked-influence-campaign-targets-us-others

    Threat actors apparently working out of Iran have been conducting an operation whose goal is to influence the opinions of people in the United States and other countries around the world, FireEye reported on Tuesday.

    This campaign, which the cybersecurity firm describes as an “influence operation,” involves a network of “inauthentic” news websites and clusters of social media accounts whose apparent purpose is to “promote political narratives in line with Iranian interests.”

    Reply
  31. Tomi Engdahl says:

    Critical Apache Struts 2 Flaw Allows Remote Code Execution
    https://www.securityweek.com/critical-apache-struts-2-flaw-allows-remote-code-execution

    Updates released on Wednesday for the Apache Struts 2 open source development framework address a critical vulnerability that can be exploited for remote code execution.

    The flaw, tracked as CVE-2018-11776, affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.

    Reply
  32. Tomi Engdahl says:

    Foreign F-35 Users Spend Millions To Stop Jet’s Computer From Sharing Their Secrets
    http://www.thedrive.com/the-war-zone/23052/foreign-f-35-users-spend-millions-to-stop-jets-computer-from-sharing-their-secrets

    Operators will now be able to block the F-35’s systems from sending data back to the United States, but other security concerns may remain.

    Lockheed Martin has received a multi-million dollar contract for work on a firewall that will allow F-35 Joint Strike Fighter operators to prevent the transfer of potentially sensitive information that the jet’s sensors and computer brain scoop up and send back to the United States via a cloud-based network. The development comes as foreign partners in the project become increasingly worried about the data that the aircraft is collecting and storing, but concerns could remain about security breaches or about the links to the system getting cut altogether, especially in the middle of a crisis.

    Reply
  33. Tomi Engdahl says:

    Organizations Hit With North Korea-Linked Ryuk Ransomware
    https://www.securityweek.com/organizations-hit-north-korean-linked-ryuk-ransomware

    A recent wave of ransomware attacks against organizations around the world has been linked to a notorious North Korean threat actor, security firm Check Point says.

    The campaign appears highly targeted, with at least three organizations in the United States and worldwide severely affected. Because some victims decided to pay large ransoms in order to retrieve access to their files, the campaign operators are estimated to have netted over $640,000 to date.

    Reply
  34. Tomi Engdahl says:

    Unpatched Ghostscript Vulnerabilities Impact Popular Software
    https://www.securityweek.com/unpatched-ghostscript-vulnerabilities-impact-popular-software

    Ghostscript Impacted by Multiple -dSAFER Sandbox Bypass Vulnerabilities

    Unpatched vulnerabilities in Ghostscript impact a broad range of popular software products, including several Linux distributions, CERT CC reveals in a Tuesday alert.

    Reply
  35. Tomi Engdahl says:

    Supply Chain Attack Hits South Korean Firms
    https://www.securityweek.com/supply-chain-attack-hits-south-korean-firms

    Security researchers have uncovered a supply chain attack aimed at infecting organizations in South Korea with a remote access Trojan (RAT) to steal valuable information.

    Called Operation Red Signature, the attack was first detected in July and was carried out through the compromised update server of a remote support solutions provider. The end goal was to infect targets of interest with the 9002 RAT backdoor.

    The attackers managed to steal a valid digital certificate and use it to sign their malware. They also reconfigured the update server to only deliver the malicious files to organizations within a specified range of IP addresses.

    Once on an infected machine, the 9002 RAT would also install additional malware, such as an exploit tool for Internet Information Services (IIS) 6 WebDav (exploiting CVE-2017-7269) and an SQL database password dumper.

    “These tools hint at how the attackers are also after data stored in their target’s web server and database,” Trend Micro, the security firm that discovered the campaign, reveals.

    Reply
  36. Tomi Engdahl says:

    Microsoft’s Anti-Hacking Efforts Make it an Internet Cop
    https://www.securityweek.com/microsofts-anti-hacking-efforts-make-it-internet-cop

    Intentionally or not, Microsoft has emerged as a kind of internet cop by devoting considerable resources to thwarting Russian hackers.

    The company’s announcement Tuesday that it had identified and forced the removal of fake internet domains mimicking conservative U.S. political institutions triggered alarm on Capitol Hill and led Russian officials to accuse the company of participating in an anti-Russian “witch hunt.”

    Microsoft stands virtually alone among tech companies with an aggressive approach that uses U.S. courts to fight computer fraud and seize hacked websites back. In the process, it has acted more like a government detective than a global software giant.

    Reply
  37. Tomi Engdahl says:

    Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East
    https://www.fireeye.com/blog/threat-research/2018/08/suspected-iranian-influence-operation.html

    Reply
  38. Tomi Engdahl says:

    More Than $1.1M Lost to Cybercrime Every Minute
    By Angela Moscaritolo 21 Aug 2018, noon
    https://uk.pcmag.com/webroot-secureanywhere-internet-security-complete/116979/news/more-than-11m-lost-to-cybercrime-every-minute

    Every 60 seconds, 1,861 people are impacted by cybercrimes such as malware and phishing attacks, cybersecurity company RiskIQ revealed in its Evil Internet Minute 2.0 report.

    That total represents a $282,724 increase since last year, cybersecurity company RiskIQ revealed in its Evil Internet Minute 2.0 report, which draws on the company’s global threat intelligence data, as well as third-party research, to examine the volume of malicious Web activity.

    Reply
  39. Tomi Engdahl says:

    Hackers Made Half a Million Dollars Pretending They Watched You Watch Porn
    Scammers tricked victims to pay ransom in bitcoin for compromising video that didn’t exist.
    https://motherboard.vice.com/en_us/article/xwk3wq/hackers-sextortion-half-million-blackmail-caught-watching-porn

    Sometimes scammers just need to say they hacked you to pull in the cash. Since July, cybersecurity researchers, journalists and victims, have seen a spike in extortion letters and emails demanding hefty sums of bitcoin. The twist is that the scammers send the victim one of their own passwords, likely gleaned from an already public breach, and use that as an intimidation tactic. The blackmailers then claim they have hacked into the target’s webcam while they were watching pornography. Pay up, or they’ll release the (made-up) video.

    Now, researchers have found this scam has been pretty profitable, especially considering the low-level of work involved on the fraudsters’ part.

    “What is worrying is that, scammers were able to siphon off [$500,000], from old passwords dumps, with very little effort,” Suman Kar, CEO of cybersecurity firm Banbreach, told Motherboard in an online chat.

    In July, cybersecurity journalist Brian Krebs reported on the new wave of sextortion emails.

    Sextortion Scam Uses Recipient’s Hacked Passwords
    https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

    Reply
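The lever in the scam described above is a password lifted from an old public breach dump. The practical check a recipient wants is whether that password really is in a known dump, without sending the password itself anywhere. The added example below is not from the article or Banbreach; it implements the k-anonymity range lookup used by breached-password services (the client sends only the first five hex characters of the SHA-1 of the password and matches the remainder locally). The "leaked" password list and the range store are constructed here so the code runs offline; a real service would answer the prefix query over the network.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a breach corpus (made up for this example). A real
# range store holds hundreds of millions of entries; this one is enough to
# show the mechanics, including two passwords that share a 5-char prefix.
LEAKED_PASSWORDS = {"hunter2": 17000, "letmein": 250000, "qwerty123": 93000}


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_store(leaked):
    """Index the corpus the way a k-anonymity API serves it: prefix -> lines
    of 'SUFFIX:COUNT' for every hash sharing that 5-character prefix."""
    store = defaultdict(list)
    for pw, count in leaked.items():
        digest = sha1_upper(pw)
        store[digest[:5]].append(f"{digest[5:]}:{count}")
    return dict(store)


RANGE_STORE = build_range_store(LEAKED_PASSWORDS)


def query_range(prefix):
    """Stand-in for the network call: return the response body for a prefix.
    Unknown prefixes return an empty body, as a real service would."""
    assert len(prefix) == 5, "only the 5-character prefix ever leaves the client"
    return "\n".join(RANGE_STORE.get(prefix, []))


def breach_count(password, query=query_range):
    """Return how many times the password appeared in the corpus (0 if not).

    Only the prefix is sent; the suffix comparison happens on the client, so
    the service learns nothing beyond the prefix even if it logs requests.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple"):
        n = breach_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in corpus'}")
```

If the password quoted in an extortion mail comes back with a non-zero count, that is consistent with the scammer having pulled it from a public dump rather than from any compromise of the recipient's device, and the only action needed is to retire that password everywhere it is still in use.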
  40. Tomi Engdahl says:

    Is malware protection software for smart phones needed?
    Maybe not, because the problem is very small, at least in Finland.

    https://www.tivi.fi/Kaikki_uutiset/maksatko-turhasta-sk-kannykoiden-lisatietoturva-usein-tarpeetonta-suomessa-hyokkayksia-vain-kymmenia-vuodessa-6737553

    Reply
  41. Tomi Engdahl says:

    Picking Apart Remcos Botnet-In-A-Box
    https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html

    Cisco Talos has recently observed multiple campaigns using the Remcos remote access tool (RAT) that is offered for sale by a company called Breaking Security. While the company says it will only sell the software for legitimate uses as described in comments in response to the article here and will revoke the licenses for users not following their EULA, the sale of the RAT gives attackers everything they need to establish and run a potentially illegal botnet.

    Remcos’ prices per license range from €58 to €389. Breaking Security also offers customers the ability to pay for the RAT using a variety of digital currencies. This RAT can be used to fully control and monitor any Windows operating system, from Windows XP and all versions thereafter, including server editions.

    Reply
  42. Tomi Engdahl says:

    TURLA OUTLOOK BACKDOOR
    Analysis of an unusual Turla backdoor
    https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf

    Turla, also known as Snake, is an espionage group notorious for having breached some heavily-protected networks such as the US Central Command in 2008 [1]. Since then, they have been busy attacking diplomats and military targets around the world. Among the notable victims were the Finnish Foreign Ministry in 2013 [2], the Swiss military firm RUAG between 2014 and 2016 [3] and more recently, the German government at the end of 2017/beginning of 2018

    Reply
  43. Tomi Engdahl says:

    Turla: In and out of its unique Outlook backdoor
    https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/

    The latest ESET research offers a rare glimpse into the mechanics of a particularly stealthy and resilient backdoor that the Turla cyberespionage group can fully control via PDF files attached to emails

    Reply
