Cyber Security October 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.

You are also free to post related links.

495 Comments

  1. Tomi Engdahl says:

    Phishing Campaign uses Hijacked Emails to Deliver URSNIF by Replying to Ongoing Threads
    https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/

    While most phishing campaigns are fairly simplistic in nature and easy to spot (they usually involve a legitimate-looking email, often with a malicious attachment or link embedded in the text), a spam campaign we observed in September indicates attackers are angling towards a more sophisticated form of phishing. The campaign uses hijacked email accounts to send malware as part of or as a response to an existing email thread. Because it’s part of a legitimate and on-going conversation, this particular approach can often be tricky and difficult to detect. Often, the victim may not realize that they’ve been a victim of a cyberattack until it’s too late.

    Reply
  2. Tomi Engdahl says:

    Windows 10 Ransomware Protection Bypassed Using DLL Injection
    https://www.bleepingcomputer.com/news/security/windows-10-ransomware-protection-bypassed-using-dll-injection/

    In Windows 10, Microsoft added a new ransomware protection feature called Controlled Folder Access that can be used to prevent modifications to files in protected folders by unknown programs.

    At the DerbyCon security conference last week, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature.

    Reply
  3. Tomi Engdahl says:

    Don’t make us pay compensation for employee data breach, Morrisons begs UK court
    Appeal beaks ponder first-of-a-kind data protection case
    https://www.theregister.co.uk/2018/10/09/morrisons_data_breach_appeal/

    Lawyers for supermarket chain Morrisons today urged the UK Court of Appeal to overturn an earlier judgment that made the company partly liable for a criminal data breach that saw 100,000 people’s payroll details published via Tor.

    Four years ago a disgruntled Morrisons employee, Andrew Skelton, who had legitimate access to the company’s entire payroll, published its contents online using anonymising network Tor. The breach was widely regarded as one of the worst in recent years.

    He posted details of salaries, bank details and National Insurance numbers on data-sharing sites in a move said to have cost Morrisons more than £2m to sort out.

    The High Court ruled last year that the supermarket was “vicariously liable” for Skelton’s actions – and would therefore have to pay compensation.

    This week Morrisons wants to have that judgment “overturned”

    “Morrisons itself is completely innocent in respect of this data event,”

    If Morrisons wins, the effect on data protection law will be massive: it will become more difficult for employers to be held responsible for malicious employees committing data breaches.

    Reply
  4. Tomi Engdahl says:

    Microsoft says it fixed a Windows 10 update bug that deleted folders
    And it’s tweaking the Insider feedback program as a result.
    https://www.engadget.com/2018/10/09/windows-10-october-update-missing-folders/

    Last week the October 2018 update for Windows 10 had barely arrived before Microsoft was forced to pause its rollout, as a few users complained of missing files. Now Microsoft says it has identified and fixed the problem, which was related to a feature called “Known Folder Redirection (KFR)” and an attempt to remove extra duplicate folders that could cause lost files in three specific scenarios.

    It isn’t ready to begin delivering the fixed 1809 update to most users yet (a test version is rolling out to its Slow and Release preview rings first), but a change that’s already noticeable is in its Windows Insider Feedback Hub.

    Reply
  5. Tomi Engdahl says:

    Torii botnet – Not another Mirai variant
    https://blog.avast.com/new-torii-botnet-threat-research

    New, more sophisticated IoT botnet targets a wide range of devices

    2018 has been a year where the Mirai and QBot variants just keep coming. Any script kiddie now can use the Mirai source code, make a few changes, give it a new Japanese-sounding name, and then release it as a new botnet.

    Reply
  6. Tomi Engdahl says:

    Britain has reportedly practiced a cyberattack to send Moscow into total blackout
    https://nordic.businessinsider.com/britain-to-send-moscow-into-total-blackout-if-putin-attacks-west-2018-10?r=US&IR=T

    Britain’s military just underwent a $130.5 million (£100 million) exercise, part of which focussed on what to do if Russia attacks the West.
    If Russia does, Britain will send Moscow into total darkness by launching a cyberattack on its electricity supply, Military sources told the Sunday Times.
    The two-day training exercise took place on Saturday and Sunday deep in a desert in Oman.

    British military forces reportedly practiced a cyberattack on Russia on Saturday to send Moscow into total darkness if Vladimir Putin’s forces attack the West.

    Military sources told the Sunday Times that the only other way of hitting Russia back would be to use nuclear weapons.

    But cyber weapons reportedly give Britain the best chance of deterring Russia because the West no longer has small battlefield nuclear weapon

    UK war-games cyber attack on Moscow
    Troops train for clashes against the Russians
    https://www.thetimes.co.uk/edition/news/uk-war-games-cyber-attack-on-moscow-dgxz8ppv0?_ga=2.58052266.1684028993.1538922478-959467586.1538672718

    Defence chiefs have war-gamed a massive cyber-strike to black out Moscow if Vladimir Putin launches a military attack on the West, after concluding that the only other way of hitting back would be to use nuclear weapons.

    Senior security sources have told The Sunday Times they are concerned that Britain has a capability gap that has left commanders with too few weapons to meet Kremlin aggression short of firing a Trident nuclear missile.

    Reply
  7. Tomi Engdahl says:

    World’s largest CCTV maker leaves at least 9 million cameras open to public viewing
    Xiongmai’s cloud portal opens sneaky backdoor into servers
    https://www.theregister.co.uk/2018/10/09/xiongmai_cctv_fail/

    By Shaun Nichols in San Francisco 9 Oct 2018 at 23:51

    Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.

    This time, it’s Chinese surveillance camera maker Xiongmai who was named and shamed by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.

    “Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult recommended.

    “The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version.”

    Enabled by default, the P2P Cloud service allows users to remotely connect to devices via either a web browser or an iOS/Android app and control the hardware without needing a local network connection.

    Unfortunately, SEC Consult explained, shortcomings in both the devices themselves and the service, such as unencrypted connections and default passwords (owners are not required to change the defaults when setting up the device), mean that in many cases accessing and compromising a camera could be a cinch.

    Additionally, SEC Consult notes, the Xiongmai devices do not require that firmware updates be signed

    Reply
  8. Tomi Engdahl says:

    Russian ‘troll factory’ firebombed – but still fit to fiddle with our minds
    Sick burn, bro: attacker only managed to torch a window-sill
    https://www.theregister.co.uk/2018/10/10/russian_troll_factory_firebombed_with_minor_damage/

    Russian media is reporting that someone has tried to torch the notorious St Petersburg “troll factory,” linked with trolling Western social media sites, sparking a police investigation.

    The Internet Research Agency became famous as a “fake news” operation spreading misinformation by way of Facebook ads, and stealing Americans’ identities to set up the PayPal accounts that paid for the ads. In February, US authorities indicted 13 individuals as operating the troll factory.

    Russian outlet RBC reported last year (in Russian) that the agency had reinvented itself as a media operation, Federal News Agency, claiming an audience of 36 million people.

    Reply
  9. Tomi Engdahl says:

    GLitch Chronicles: Turning WebGL Into A Hammer
    https://conference.hitb.org/hitbsecconf2018dxb/sessions/glitch-chronicles-turning-webgl-into-a-hammer/

    The outcome of such a thesis is a JavaScript exploit that takes advantage of the (now) well-known Rowhammer vulnerability to compromise an Android smartphone with NO software bugs in less than two minutes. Not completely satisfied, we also wanted to give it a cool name: meet GLitch. GLitch is the first exploit of its kind for two main reasons: (i) it represents the first instance of a JavaScript-based Rowhammer attack on the more widespread ARM platforms (that is, your smartphone), (ii) it is the first PoC of Rowhammer bit flips triggered from the GPU (and from a website).

    Now you may be asking yourself: wtf?!! how is this even possible?? how can you trigger bit flips from the GPU? and how do you do it from JS? The answer is WebGL. The WebGL API gives access to GPU acceleration

    Reply
  10. Tomi Engdahl says:

    95% of HTTPS servers vulnerable to trivial MITM attacks
    https://news.netcraft.com/archives/2016/03/17/95-of-https-servers-vulnerable-to-trivial-mitm-attacks.html

    Only 1 in 20 HTTPS servers correctly implements HTTP Strict Transport Security, a widely-supported security feature that prevents visitors making unencrypted HTTP connections to a server.

    The remaining 95% are therefore vulnerable to trivial connection hijacking attacks

    Reply
  11. Tomi Engdahl says:

    ThreatList: 83% of Routers Contain Vulnerable Code
    https://threatpost.com/threatlist-83-of-routers-contain-vulnerable-code/137966/

    Five out of six name brand routers, such as Linksys, NETGEAR and D-Link, contain known open-source vulnerabilities.

    A staggering 83 percent of home and office routers have vulnerabilities that could be exploited by attackers. Of those vulnerable, over a quarter harbor high-risk and critical vulnerabilities, according to a report released this week by American Consumer Institute on router safety (PDF).

    http://www.theamericanconsumer.org/wp-content/uploads/2018/09/FINAL-Wi-Fi-Router-Vulnerabilities.pdf

    Reply
  12. Tomi Engdahl says:

    The Breach That Killed Google+ Wasn’t a Breach At All
    https://tech.slashdot.org/story/18/10/10/2041226/the-breach-that-killed-google-wasnt-a-breach-at-all?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there’s no evidence that it actually was used to see private data, and given the thin user base,

    The bigger problem for Google isn’t the crime, but the cover-up. The vulnerability was fixed in March, but Google didn’t come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug.

    There are lots of laws about reporting breaches — primarily the GDPR but also a string of state-level bills — but by that standard, what happened to Google+ wasn’t technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken.

    The breach that killed Google+ wasn’t a breach at all
    https://www.theverge.com/2018/10/9/17957312/google-plus-vulnerability-privacy-breach-law

    Reply
  13. Tomi Engdahl says:

    Information leaks from army with smart phone apps
    https://yle.fi/uutiset/3-10437111

    Reply
  14. Tomi Engdahl says:

    Threat Actors Prey on Drupalgeddon Vulnerability to Mass-Compromise Websites and Underlying Servers
    https://securityintelligence.com/threat-actors-prey-on-drupalgeddon-vulnerability-to-mass-compromise-websites-and-underlying-servers/

    IBM Security’s Managed Security Services (MSS) team monitors the enterprise threat landscape on an ongoing basis, detecting and mapping new threats as they emerge.

    What Is Drupal, and Why Is It a Target?

    Like WordPress, Drupal is a content management system (CMS) that is used widely by people who create and maintain websites and applications for all sorts of purposes, both personal and business, private and public. Drupal is open source and, as such, is maintained by a community of users. This is also how its security and vulnerability patching is maintained.

    CMSs that are used across a large number of websites are juicy targets for cybercriminals, who commonly automate their attacks in a one-size-fits-all type of operation. Those who target random websites aim to compromise as many as possible and consider the monetization options later.

    Reply
  15. Tomi Engdahl says:

    Payment-card-skimming Magecart strikes again: Zero out of five for infecting e-retail sites
    Customer ratings plugin treated to a malicious rewrite to swipe entered banking info
    https://www.theregister.co.uk/2018/10/09/magecart_payment_card_malware/

    The payment-card-skimming malware operation dubbed Magecart has turned up again, this time in Shopper Approved, a customer rating plugin for websites.

    Shopper Approved is a toolkit used by hundreds of e-commerce sites, and it was infected with the MageCart spyware, allowing crooks to siphon off bank card data entered into webpages using the customer-rating plugin, infosec biz RiskIQ reported this week. The infection, first spotted on September 15, closely resembles the cyber-attack that emerged over the summer against Ticketmaster rather than the later and more sophisticated, and high profile, raid on British Airways passengers.

    Reply
  16. Tomi Engdahl says:

    It’s October 2018, and Microsoft Exchange can be pwned by a plucky eight-year-old… bug
    Redmond goes retro in latest Patch Tuesday bundle
    https://www.theregister.co.uk/2018/10/09/october_patch_tuesday/

    Reply
  17. Tomi Engdahl says:

    US may have by far the world’s biggest military budget but it’s not showing in security
    GAO report finds more holes than a Swiss cheese, and very little hope for improvement
    https://www.theregister.co.uk/2018/10/10/gao_weapons_security/

    Reply
  18. Tomi Engdahl says:

    WEAPON SYSTEMS CYBERSECURITY: DOD Just Beginning to Grapple with Scale of Vulnerabilities
    https://www.gao.gov/assets/700/694913.pdf

    Reply
  19. Tomi Engdahl says:

    The Many Faces of Necurs: How the Botnet Spewed Millions of Spam Emails for Cyber Extortion
    https://securityintelligence.com/the-many-faces-of-necurs-how-the-botnet-spewed-millions-of-spam-emails-for-cyber-extortion/

    The Necurs botnet, a large and well-known spam originator, has become synonymous with cybercrime. Its spam-sending capabilities, through a botnet of a few million infected devices, are frequently dedicated to vast campaigns that deliver banking malware, cryptojacking malware, ransomware and a variety of email scams sent to millions of recipients in each run.

    IBM X-Force monitors Necurs activity and recently discovered yet another face of this malspam volcano. This time, Necurs is spewing geotargeted emails designed to threaten and extort payment from those who may have been watching adult movies or possibly having an extramarital affair.

    Reply
  20. Tomi Engdahl says:

    Naming & Shaming Web Polluters: Xiongmai
    https://krebsonsecurity.com/2018/10/naming-shaming-web-polluters-xiongmai/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

    What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.

    In late 2016, the world witnessed the sheer disruptive power of Mirai, a powerful botnet strain fueled by Internet of Things (IoT) devices like DVRs and IP cameras that were put online with factory-default passwords and other poor security settings.

    Since then, two of those firms — Huawei and Dahua — have taken steps to increase the security of their IoT products out-of-the-box. But Xiongmai — despite repeated warnings from researchers about deep-seated vulnerabilities in its hardware — has continued to ignore such warnings and to ship massively insecure hardware and software for use in products that are white-labeled and sold by more than 100 third-party vendors.

    On Tuesday, Austrian security firm SEC Consult released the results of extensive research into multiple, lingering and serious security holes in Xiongmai’s hardware.

    “Although Xiongmai had seven months notice, they have not fixed any of the issues,” the researchers wrote in a blog post published today. “The conversation with them over the past months has shown that security is just not a priority to them at all.”

    Reply
  21. Tomi Engdahl says:

    SD-WAN Harvester v 0.99
    https://seclists.org/fulldisclosure/2018/Oct/26

    SD-WAN Harvester tool was created to automatically enumerate and fingerprint SD-WAN nodes on the Internet. It uses Shodan search engine for discovering, NMAP NSE scripts for fingerprinting, and masscan to implement some specific checks.

    http://www.scada.sl/2018/10/sd-wan-harvester-v-099.html

    Reply
  22. Tomi Engdahl says:

    Cyberspy Group ‘Gallmaker’ Targets Military, Government Organizations
    https://www.securityweek.com/cyberspy-group-gallmaker-targets-military-government-organizations

    A previously undocumented cyber espionage group has been targeting entities in the government, military and defense sectors since at least 2017, according to a report published on Wednesday by Symantec.

    Reply
  23. Tomi Engdahl says:

    Many Siemens Products Affected by Foreshadow Vulnerabilities
    https://www.securityweek.com/many-siemens-products-affected-foreshadow-vulnerabilities

    Siemens informed customers this week that many of its products are affected by the recently disclosed processor vulnerabilities known as Foreshadow and L1 Terminal Fault (L1TF).

    There are a total of three Foreshadow vulnerabilities affecting Intel Core and Xeon CPUs: CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

    Reply
  24. Tomi Engdahl says:

    Windows Zero-Day Exploited in Attacks Aimed at Middle East
    https://www.securityweek.com/windows-zero-day-exploited-attacks-aimed-middle-east

    One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.

    The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. An authenticated attacker can exploit the vulnerability to take control of an affected system.

    Reply
  25. Tomi Engdahl says:

    HOW JAMAL KHASHOGGI’S APPLE WATCH COULD SOLVE HIS DISAPPEARANCE
    https://www.wired.com/story/jamal-khashoggis-apple-watch-investigation/

    Saudi dissident and Washington Post columnist Jamal Khashoggi went missing in Turkey last week. The outspoken critic of Saudi Arabia’s war on Yemen walked into the Saudi consulate in Istanbul at 1 pm on Tuesday, October 2, to obtain documents for his upcoming wedding. Within two hours, Turkish security officials now say, Khashoggi was dead—assassinated by a team of Saudi agents.

    Reply
  26. Tomi Engdahl says:

    Mindbody exposed millions of customer records — because its servers weren’t password protected.

    MindBody-owned FitMetrix exposed millions of user records — thanks to servers without passwords
    https://techcrunch.com/2018/10/11/fitmetrix-mindbody-data-exposed-password/?utm_source=tcfbpage&sr_share=facebook

    FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password.

    The company builds fitness tracking software for gyms and group classes — like CrossFit and SoulCycle — that displays heart rate and other fitness metric information for interactive workouts.

    Last week, a security researcher found three FitMetrix unprotected servers leaking customer data.

    The servers included two of the same ElasticSearch instances and a storage server — all hosted on Amazon Web Service — yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users.

    Bob Diachenko, Hacken.io’s director of cyber risk research, found the databases containing 113.5 million records

    Diachenko rebuffed Mindbody’s claim, saying that there was “some” health information in the data, based on his analysis of the data. TechCrunch also found several records including height, weight and shoe sizes.

    Mindbody said that it will “comply with all applicable legal obligations” in reporting the data exposure to U.S. and European authorities, but wouldn’t say if it will inform customers of the security lapse.

    The company may also face action from European authorities under GDPR

    Reply
  27. Tomi Engdahl says:

    Leaked, exposed, hacked, it’s all just an intermediary for SOLD YOUR DATA.

    Reply
  28. Tomi Engdahl says:

    In a first, a Chinese spy is extradited to the U.S. after stealing technology secrets, Justice Dept. says
    https://wapo.st/2IOBXAb?tid=ss_tw&utm_term=.ec0f193543e4

    In a first, federal agents lured a Chinese government spy to Belgium, where authorities transferred him this week to the United States for prosecution on economic espionage charges, U.S. officials said Wednesday.

    Reply
  29. Tomi Engdahl says:

    Watchdog: ‘Nearly all’ new US weapons systems vulnerable to cyber attacks
    https://www-m.cnn.com/2018/10/09/politics/us-weapons-report-vulnerable-cyber-attacks/index.html

    Washington (CNN) — “Nearly all” the weapons systems that were being developed by the US military from 2012 to 2017 are vulnerable to cyber-attack, according to a new report by the Government Accountability Office.
    The watchdog’s report says the GAO “found that from 2012 to 2017, (Department of Defense) testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.”

    Reply
  30. Tomi Engdahl says:

    US WEAPONS SYSTEMS ARE EASY CYBERATTACK TARGETS, NEW REPORT FINDS
    https://www.wired.com/story/us-weapons-systems-easy-cyberattack-targets/?mbid=social_fb

    “The key conclusion is that the DOD needs a new weapons security paradigm,” says Edelman. “In a world where our most sophisticated fighter jets are effectively supercomputers with very hot engines, that’s a risk we have to take very seriously.” Over a trillion dollars of advanced military weapon systems is worth nothing, if all it takes to compromise them is a default admin password.

    In fact, the report found that only one out of 20 cyber vulnerabilities that the DOD had been alerted to in previous risk assessments had been fixed during the time period of the new report.

    Reply
  31. Tomi Engdahl says:

    A flood of fake installers will really update Flash for you – but also install cryptocurrency mining malware
    https://techcrunch.com/2018/10/11/fake-flash-installer-cryptocurrency-malware/?utm_source=tcfbpage&sr_share=facebook

    If you think that Flash, the once-popular web plugin, couldn’t die fast enough, even those annoying fake Flash installers riddled with malware aren’t going anywhere any time soon. In fact, they’re getting even sneakier.

    New research out of Palo Alto Networks found a recent spike of fake Flash installers not only dropping cryptocurrency mining malware on vulnerable computers — but actually installing Flash while it’s there.

    Reply
  32. Tomi Engdahl says:

    ‘Five Eyes’ Agencies Release Joint Report on Hacking Tools
    https://www.securityweek.com/five-eyes-agencies-release-joint-report-hacking-tools

    Cybersecurity agencies in the United States, United Kingdom, Canada, Australia and New Zealand have released a joint report describing five of the most commonly used hacking tools.

    The report was written by experts at the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC).

    The goal of the report, its authors said, is to provide network defenders and system administrators advice on how to detect the tools and limit their effectiveness.

    Five types of tools are described, including remote access trojans (RATs), web shells, lateral movement frameworks, command and control (C&C) obfuscators, and credential stealers – all of which can be used after the targeted system has been compromised.

    The RAT included in the report is JBiFrost, a variant of Adwind. The Five Eyes agencies have warned that while JBiFrost has been mostly used by low-skilled threat actors and cybercriminals, it can also be useful to state-sponsored groups.

    Alert (AA18-284A)
    Publicly Available Tools Seen in Cyber Incidents Worldwide
    https://www.us-cert.gov/ncas/alerts/AA18-284A

    Reply
  33. Tomi Engdahl says:

    Hackers Exploit Drupalgeddon2 to Install Backdoor
    https://www.securityweek.com/hackers-exploit-drupalgeddon2-install-backdoor

    A threat actor was observed targeting Drupal vulnerabilities patched earlier this year to install a backdoor on compromised servers, IBM reports.

    The hackers target CVE-2018-7600, or Drupalgeddon2, a critical vulnerability found to impact Drupal versions 6, 7 and 8, but which was addressed in March this year. Assigned a risk score of 21/25, the vulnerability could be exploited to gain full control over a site, including access to non-public data.

    Reply
  34. Tomi Engdahl says:

    Google Hardens Android Kernel
    https://www.securityweek.com/google-hardens-android-kernel

    Google this week revealed that Android’s kernel is becoming more resilient to code reuse attacks, courtesy of implemented support for LLVM’s Control Flow Integrity (CFI).

    CFI support, Google says, was added to Android kernel versions 4.9 and 4.14 and the feature is available to all device vendors. However, Google Pixel 3, which was launched earlier this week, is the first device to take advantage of the new security mitigations.

    One of the manners in which attackers achieve code execution even without injecting executable code of their own, Google reveals, is by abusing kernel bugs to overwrite a function pointer stored in memory. The method is popular with the kernel given the large number of function pointers the latter uses and the protections that make code injection difficult.

    CFI, however, was designed to mitigate these attacks through additional checks applied to the kernel’s control flow. While this still allows an attacker to change a function pointer if a bug provides write access to one, it significantly restricts the valid call targets, thus making exploitation more difficult.

    LLVM’s solution to CFI also requires the use of Link Time Optimization (LTO), which also requires the adoption of LLVM’s integrated assembler for inline assembly. The GNU toolchain, which Linux kernel relies on for assembling, compiling, and linking the kernel, will continue to be used for stand-alone assembly code.

    Reply
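    Added example, not code from the article or from Google's or LLVM's implementation: a small C model of the forward-edge CFI check the post describes. A kernel-style dispatch table holds a function pointer, and the indirect call is allowed only when the pointer is one of the known valid targets for that pointer type; the names (ioctl_handler_t, device_ops, the handlers) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical kernel-style handler signature. */
typedef int (*ioctl_handler_t)(int arg);

/* Two legitimate handlers of that type. */
static int handle_read(int arg)  { return arg * 2; }
static int handle_write(int arg) { return arg + 100; }

/* A function of a different type; never a legal ioctl_handler_t target. */
static void privileged_helper(void) { /* constructed stand-in, does nothing */ }

/* Under -fsanitize=cfi the compiler derives this set for every
 * function-pointer type at link time; here it is written by hand. */
static const ioctl_handler_t valid_targets[] = { handle_read, handle_write };

static bool cfi_target_ok(ioctl_handler_t fn) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++) {
        if (valid_targets[i] == fn)
            return true;
    }
    return false;
}

struct device_ops { ioctl_handler_t ioctl; };

/* Indirect call guarded by a CFI-style check. A real kernel would panic
 * (or only log, in permissive mode); here failure is reported via *cfi_failed. */
static int cfi_call(const struct device_ops *ops, int arg, bool *cfi_failed) {
    if (!cfi_target_ok(ops->ioctl)) {
        *cfi_failed = true;
        return -1;
    }
    *cfi_failed = false;
    return ops->ioctl(arg);
}

/* Case 1: untouched dispatch table, the call goes through. */
int demo_normal(void) {
    struct device_ops ops = { handle_read };
    bool failed;
    return cfi_call(&ops, 21, &failed);           /* 42 */
}

/* Case 2: the pointer is swapped for another function of the SAME type.
 * CFI cannot distinguish this from a legitimate handler, which is the
 * residual risk the article mentions. */
int demo_same_type_swap(void) {
    struct device_ops ops = { handle_read };
    ops.ioctl = handle_write;                     /* simulated overwrite */
    bool failed;
    return cfi_call(&ops, 21, &failed);           /* 121: allowed by CFI */
}

/* Case 3: the pointer is redirected to a function of a different type,
 * the situation CFI is built to stop. */
int demo_cross_type_redirect(void) {
    struct device_ops ops = { handle_read };
    /* The cast only stands in for the effect of a memory-corruption bug. */
    ops.ioctl = (ioctl_handler_t)privileged_helper;
    bool failed;
    int rc = cfi_call(&ops, 21, &failed);
    return failed ? -1 : rc;                      /* -1: call refused */
}

int main(void) {
    printf("normal:      %d\n", demo_normal());
    printf("same-type:   %d\n", demo_same_type_swap());
    printf("cross-type:  %d\n", demo_cross_type_redirect());
    return 0;
}
```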
  35. Tomi Engdahl says:

    Audit Finds No Critical Flaws in Firefox Update System
    https://www.securityweek.com/audit-finds-no-critical-flaws-firefox-update-system

    An audit commissioned by Mozilla for the Firefox update system revealed no critical vulnerabilities and the flaws rated “high severity” were not easy to exploit.

    Experts at Germany-based X41 spent 27 days analyzing the Firefox Application Update Service (AUS), including its update signing protocol, client code, backend and other components. The audit involved a cryptographic review, fuzzing, pentesting, and manual code analysis.

    X41's audit revealed 14 vulnerabilities, including three issues that based on their CVSS score would be rated as “high severity,” seven “medium” and four “low” flaws. In addition, experts discovered 21 issues that have been described by Mozilla as “side findings,” which are informational.

    Reply
  36. Tomi Engdahl says:

    Mozilla Delays Distrust of Symantec Certificates
    https://www.securityweek.com/mozilla-delays-distrust-symantec-certificates

    Mozilla this week announced that the distrust of older Symantec certificates, initially planned for Firefox 63, will be delayed.

    Following a long series of problems regarding the wrongful issuance of certificates issued by the Certification Authority (CA) run by Symantec, one of the oldest and largest CAs, browser makers have decided to remove trust in all Symantec-issued certificates before the end of this year.

    Both Google and Mozilla said they would gradually remove trust in all TLS/SSL certificates issued by Symantec. Google, which removed trust in certificates that Symantec issued before June 1, 2016, with the release of Chrome 66 in April, wants to remove trust in all Symantec certificates in Chrome 70.

    Reply
  37. Tomi Engdahl says:

    Broadcom, its baffling $19bn CA biz gobble, and the fake Pentagon memo crying about national security
    Senator calls for real probe into ‘Chinese-controlled’ outfit
    https://www.theregister.co.uk/2018/10/12/broadcom_fake_memo/

    The “weirdest acquisition ever” – Broadcom’s $19bn proposed takeover of CA Technologies – ran into a rather strange road-bump this week: a fake US military memo passed around American politicians on Capitol Hill.

    That bogus missive – apparently signed off by the Department of Defense – asserted that the acquisition faced a probe by the US Treasury’s committee on foreign investment regarding national security concerns with the biz gobble, which was announced in July.

    Reply
  38. Tomi Engdahl says:

    In the two years since Dyn went dark, what have we learned? Not much, it appears
    DNS infrastructures still vulnerable to attacks
    https://www.theregister.co.uk/2018/10/11/dns_insecurity_survey/

    The majority (72 per cent) of FTSE 100 firms are vulnerable to DNS attacks, nearly two years after the major Dyn outage.

    A similar three in five of the top 50 companies listed in the Fortune 500 are also ill-prepared for an attack similar to the Mirai botnet-powered assault against Dyn that left much of the web unreachable in late October 2016. A large minority (44 per cent) of the top 25 SaaS providers are also vulnerable, according to stats from a DNS Infrastructure Performance Report by security firm ThousandEyes published Wednesday.

    Reply
  39. Tomi Engdahl says:

    https://www.tivi.fi/Kaikki_uutiset/palvelunestohyokkaajat-iskivat-suomeen-liian-tehokas-torjunta-viimeisteli-vahingossa-tyon-6744749

    According to Lehmus, the denial-of-service attack that caused the disruption was in fact successfully repelled with the help of scrubbing services that filter out malicious traffic.

    “The scrubbing services worked as intended and blocked the denial-of-service traffic. At the same time, however, they knocked the service over and accidentally blocked legitimate users from reaching the site as well,” Lehmus says.

    Reply
  40. Tomi Engdahl says:

    If you haven’t already patched your MikroTik router for vulns, then if you could go do that, that would be greeeeaat
    MikroTik. Stupid name. Stupid bugs. Get those fixes
    https://www.theregister.co.uk/2018/10/11/tenable_mikrotik_bugs/

    Reply
  41. Tomi Engdahl says:

    Finnish authorities have few means against network attacks – “This is the new normal”
    https://www.is.fi/digitoday/tietoturva/art-2000005859372.html

    Finnish authorities lack the capability for rapid situational command and for forming an overall picture during a network attack.

    Reply
