Cyber Security November 2018

This posting is here to collect security alert news in November 2018.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links.

558 Comments

  1. Tomi Engdahl says:

    This one weird trick turns your Google Home Hub into a doorstop
    Secret API leaves door open for remote commands from other gadgets sharing its Wi-Fi
    https://www.theregister.co.uk/2018/10/31/google_home_api/

    A security researcher says an undocumented API in the Google Home Hub assistant can be exploited to kick the gizmo off its own wireless network.

    Flaw finder Jerry Gamblin says the API allows the device to receive commands from systems and handhelds sharing its local wireless network that can, among other things, reboot the unit, or even cause it to disconnect from the Wi-Fi, necessitating a manual reconfiguration.

    The problem, Gamblin said, stems from the Google Home Hub’s inclusion of a web-based software interface that had not previously been disclosed. That API can be used by a computer or device on the same Wi-Fi network as the Home Hub to perform tasks on the targeted voice-controlled assistant without any authentication.

    Reply
  2. Tomi Engdahl says:

    Nice work if you can get it: GandCrab ransomware nets millions even though it has been broken
    As it turns out, crime pays incredibly well for some
    https://www.theregister.co.uk/2018/10/31/gandcrab_ransomware_payouts/

    The infamous GandCrab malware infection has netted its operators an estimated nine-figure payout from targeting large, high-value corporate systems.

    This according to security house Bitdefender, who reckon that in the last two months alone victims have forked over more than a quarter of a billion dollars to crooks in order to have their data decrypted.

    Reply
  3. Tomi Engdahl says:

    Armis has identified two chip-level vulnerabilities impacting access points and potentially other unmanaged devices. Dubbed “BLEEDINGBIT,” they are two critical vulnerabilities related to the use of BLE (Bluetooth Low Energy) chips made by Texas Instruments (TI). The chips are embedded in, among other devices, certain access points that deliver Wi-Fi to enterprise networks manufactured by Cisco, Meraki and Aruba.
    https://armis.com/bleedingbit/

    Reply
  4. Tomi Engdahl says:

    CTA Adversary Playbook: Goblin Panda
    https://www.fortinet.com/blog/threat-research/cta-security-playbook–goblin-panda.html

    Adversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group known as Goblin Panda as part of its role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.

    Reply
  5. Tomi Engdahl says:

    Talos Vulnerability Deep Dive – TALOS-2018-0636 / CVE-2018-3971 Sophos HitmanPro.Alert vulnerability
    https://blog.talosintelligence.com/2018/11/TALOS-2018-0636.html

    Reply
  6. Tomi Engdahl says:

    Semmle Discovers Six Critical Vulnerabilities Affecting Macs, iPhones, and iPads
    https://semmle.com/news/apple-xnu-kernel-icmp-nfs-vulnerabilities

    Reply
  7. Tomi Engdahl says:

    New BLEEDINGBIT Vulnerabilities Affect Widely-Used Bluetooth Chips
    https://www.bleepingcomputer.com/news/security/new-bleedingbit-vulnerabilities-affect-widely-used-bluetooth-chips/

    Two vulnerabilities in the Bluetooth chips typically found in access points that provide WiFi service in enterprises allow attackers to take control of the devices without authentication or to breach the network.

    The vulnerable chips are also present in medical devices (insulin pumps, pacemakers), smart locks and a variety of other types of products that rely on Bluetooth Low Energy (BLE) technology for communication. A tally of affected gadgets is currently unavailable.

    BLEEDINGBIT remote code execution CVE-2018-16986

    Tracked as CVE-2018-16986, one of the issues can be leveraged to trigger a memory corruption in the BLE stack, offering an unauthenticated attacker the opportunity to take full control of the system.

    “The vulnerability can be exploited by an attacker in the vicinity of the affected device, provided its BLE is turned on, without any other prerequisites or knowledge about the device,” Armis says in a report shared with BleepingComputer.

    CVE-2018-16986 is present in the following Texas Instruments chips:

    CC2640 (non-R2) with BLE-STACK version 2.2.1 or earlier
    CC2650 with BLE-STACK version 2.2.1 or earlier
    CC2640R2 with BLE-STACK version 1.0 or earlier

    According to Armis, the bug can be exploited in the following Cisco and Meraki access points: 1542 AP, 1815 AP, 4800 AP, MR33, MR30H, MR74, and MR53E.

    Reply
  8. Tomi Engdahl says:

    Announcing some security treats to protect you from attackers’ tricks
    https://security.googleblog.com/2018/10/announcing-some-security-treats-to.html

    It’s Halloween and the last day of Cybersecurity Awareness Month, so we’re celebrating these occasions with security improvements across your account journey: before you sign in, as soon as you’ve entered your account, when you share information with other apps and sites, and the rare event in which your account is compromised.

    Reply
  9. Tomi Engdahl says:

    The best antivirus software for Android
    https://www.av-test.org/en/antivirus/mobile-devices/

    During September 2018 we evaluated 20 mobile security products for Android using their default settings.

    Reply
  10. Tomi Engdahl says:

    Never accept an MDM policy on your personal phone
    https://blog.cdemi.io/never-accept-an-mdm-policy-on-your-personal-phone/

    In this new age of BYOD (Bring Your Own Device), employees can bring personally owned devices (laptops, tablets, smartphones, etc…) to their workplace, and to use those devices to access privileged company information and applications. The intent of MDM is to optimize the functionality and security of these devices while minimizing cost and downtime.

    There are various MDM solutions available, but the most common ones right now are:

    Google Apps Mobile Management
    VMware AirWatch
    IBM MaaS360
    Microsoft Intune

    In essence, there is nothing wrong with MDM. In fact, I would say, it is a vital part of the infrastructure to keep an organization’s data secure. However, this comes at a cost: it invades your personal privacy.

    Reply
  11. Tomi Engdahl says:

    The hackers getting paid to keep the internet safe
    https://mashable.com/article/bug-bounty-hackers/?europe=true#K4NwSTBcrsqr

    But contrary to many people’s perceptions of shadowy hackers, her next move wasn’t trading the data on the dark web, or crafting exploits to sell to the highest bidder. Rather, she was faced with a different sort of daunting task: developing a responsible disclosure process to notify the thousands of vulnerable companies she’d just pwned. That’s right, after accessing all that code, her next job was to let the victims know exactly how she’d done it — and how they could stop someone with a different set of moral guideposts from doing the same.

    Reply
  12. Tomi Engdahl says:

    Private messages from 81,000 hacked Facebook accounts for sale
    https://www.bbc.com/news/technology-46065796

    Hackers appear to have compromised and published private messages from at least 81,000 Facebook users’ accounts.

    The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be sceptical about that figure.

    Facebook said its security had not been compromised.

    And the data had probably been obtained through malicious browser extensions.

    Reply
  13. Tomi Engdahl says:

    Improving web performance & security with TLS 1.3
    https://www.cdn77.com/blog/latest-tls-improving-https/

    HTTPS is a must these days. And there’s a way to make it even faster and more secure. CDN77 now supports the latest TLS 1.3 with 0-RTT to boost HTTPS performance and security all over the world.

    Reply
  14. Tomi Engdahl says:

    A mysterious message is locking Google Docs users out of their files
    https://www.washingtonpost.com/news/the-switch/wp/2017/10/31/a-mysterious-message-is-locking-google-docs-users-out-of-their-files/?utm_term=.1952ab25fda6

    Imagine you’re working on a Google Doc when, seemingly out of nowhere, your ability to edit the online file gets revoked. What you see instead is an error message indicating that you’ve violated Google’s terms of service.

    For anyone who stores work in the cloud, suddenly being unable to access your data — especially due to a terms of service violation — may sound scary. And it’s really happening to some people, according to reports on Twitter. Rachael Bale, a wildlife crime reporter for National Geographic, said Tuesday that a draft of her story was “frozen” by Google.

    Reply
  15. Tomi Engdahl says:

    How to Encode a Secret Message in a Fingerprint
    https://spectrum.ieee.org/tech-talk/telecom/security/how-to-encode-a-secret-message-into-a-fingerprint

    Analyzing fingerprints found at the scene of the crime is a classic way to identify a criminal who has accidentally left behind his or her unique signature. But what if there’s another way to use fingerprints—one that could even help a criminal achieve their ill-intentioned goals? In an interesting twist, researchers in China have described a way to use fingerprints to encode secret messages.

    Reply
  16. Tomi Engdahl says:

    [Update: Intel Responds] Yet Another Side-Channel Vulnerability Discovered – Verified on Skylake and Kaby Lake
    https://wccftech.com/side-channel-portsmash-hits-intel-cpus/

    Intel doesn’t seem to be catching a break… Security researchers have now discovered another chip flaw that could allow attackers to leak encrypted processor data. Dubbed as PortSmash, researchers have verified the exploit on Intel Skylake and Kaby Lake processors. However, they suggested that all CPUs that use a Simultaneous Multithreading (SMT) architecture are impacted.

    SMT allows multiple computing threads to be executed in parallel on a CPU core and with this security flaw, attackers can run a malicious process next to legitimate processes using the architecture’s parallel thread running capabilities. By doing this, the malicious process can then exfiltrate data from the legit processes running on the same core.

    “We recently discovered a new CPU microarchitecture attack vector,” the researchers wrote. “The nature of the leakage is due to execution engine sharing on SMT (e.g. Hyper-Threading) architectures.”

    The proof-of-concept code is currently available on GitHub that can be used to execute PortSmash attack on Intel Skylake and Kaby Lake out of the box. “For other SMT architectures, customizing the strategies and/or waiting times in spy is likely needed,” the researchers said. As for the impact on AMD systems, the research team told ZDNet that they strongly suspect that AMD CPUs are also impacted.

    The research team suggested to “disable SMT/Hyper-Threading in the bios” and “upgrade to OpenSSL 1.1.1 (or >= 1.1.0i)” as potential fixes.

    This latest discovery is one of the first results of the “SCARE: Side-Channel Aware Engineering” research project.

    Tracked as CVE-2018-5407

    https://github.com/bbbrumley/portsmash

    Reply
  17. Tomi Engdahl says:

    Zachary Fryer-Biggs / Center for Public Integrity:
    Current and former senior US officials say the Pentagon has outlined an offensive cyberattack against Russia if it electronically interferes with the midterms

    The Pentagon has prepared a cyber attack against Russia
    https://www.publicintegrity.org/2018/11/02/22421/pentagon-has-prepared-cyber-attack-against-russia

    U.S. military hackers have been given the go-ahead to gain access to Russian cyber systems as part of potential retaliation for any meddling in America’s elections

    This story was published in partnership with the Daily Beast.

    The U.S. intelligence community and the Pentagon have quietly agreed on the outlines of an offensive cyber attack that the United States would unleash if Russia electronically interferes with the 2018 midterm election on Nov. 6, according to current and former senior U.S. officials who are familiar with the plan.

    In preparation for its potential use, U.S. military hackers have been given the go-ahead to gain access to Russian cyber systems that they feel is needed to let the plan unfold quickly, the officials said.

    The effort constitutes one of the first major cyber battle plans organized under a new government policy enabling potential offensive operations to proceed more quickly once the parameters have been worked out in advance and agreed among key agencies.

    While U.S. national security officials have so far reported only intermittent efforts by Russian sources to compromise political organizations and campaigns, they have been worried – in the aftermath of Russia’s digital contact with U.S. election systems in 2016

    The existence of such a plan means that America is more fully integrating offensive cyber attacks into its overall military planning systems, a move likely to make cyber combat more likely and eventually more commonplace, sometimes without first gaining specific presidential approval. Cyber attacks are now on a more obvious path, in short, to becoming a regular currency of warfare.

    In 2016 Russian hackers tried to break into the election systems of at least 21 states, although some were not notified by Washington until September 2017. In at least one state, Illinois, Russian hackers managed to gain access to voter registration data, although state officials said that none of the information was altered. Several other state systems were rumored to have been breached, although none have publicly confirmed it.

    According to the officials’ accounts, military planners in the past were sometimes held back by the intelligence community from hacking into foreign networks for fear of compromising access that spies considered useful for collecting information, particularly when it was uncertain whether any offensive operation would eventually be approved. With only a small number of skilled military hackers available, they were also hesitant to invest time in gaining access to systems not explicitly part of an approved strike.

    One of the U.S. officials used an analogy to describe the new approach: Spy agencies, the official said, sometimes try to place an agent in a service position at a facility run by an adversary. That agent’s assignment would be to learn access codes, map the facility and conduct wide surveillance of its operations, copy sets of keys, and perhaps unlock doors. That information and access would allow the intelligence agency, in theory, to sneak a bomb into the facility when it wants to.

    It essentially is meant to ensure that U.S. cyber warriors can quickly drop off weapons when needed. “You don’t need to pre-position something if you have the right access,” said one of the officials.

    While some officials and cyber experts have said that certain offensive cyber operations risk violating international law, because of the possibility they might cause collateral damage and harm civilians outside target networks, government lawyers have approved the new approach after deciding that letting the military hack into a foreign system is not an act of war, so long as a cyber weapon hasn’t yet been emplaced and the specific system being targeted isn’t actually destroyed.

    NSPM 13, which remains classified, was the backbone of Trump’s new National Cyber Strategy, a mostly unclassified public document which was released in September.

    But the biggest fights, according to several former officials, came between intelligence leaders trying to protect streams of information coming from adversary’s networks and military leaders looking to strike.

    “In practice, whenever we came up with a scenario where we wanted to take action, they [intelligence officials] spent most of their time arguing that any action could harm their access,” one of the former national security officials said.

    Here’s how the process works: Military planners and cyber experts from the civilian intelligence agencies start by finding weaknesses in software security as part of something called the Vulnerabilities Equities Process.

    government hackers tell software makers about roughly 90 percent of the vulnerabilities they find while testing nearly every widely used piece of software.

    “The 10 percent we keep is for our national security purposes,” a former White House official said. “We keep them for a reason.”

    U.S. officials have never publicly claimed responsibility for the use of cyber weapons, although reports have tied U.S. government hackers to disruption of North Korea and Iran’s nuclear programs.

    Reply
  18. Tomi Engdahl says:

    Karen Hao / MIT Technology Review:
    How US-based Truepic and UK-based Serelay discern true images from fakes by using proprietary algorithms to automatically verify photos the moment they’re made

    Deepfake-busting apps can spot even a single pixel out of place
    https://www.technologyreview.com/s/612357/deepfake-busting-apps-can-spot-even-a-single-pixel-out-of-place/

    Two startups are using algorithms to track when images are edited—from the moment they’re taken.

    Falsifying photos and videos used to take a lot of work. Either you used CGI to generate photorealistic images from scratch (both challenging and expensive) or you needed some mastery of Photoshop—and a lot of time—to convincingly modify existing pictures.

    Now the advent of AI-generated imagery has made it easier for anyone to tweak an image or a video with confusingly realistic results. Earlier this year, MIT Technology Review senior AI editor Will Knight used off-the-shelf software to forge his own fake video of US senator Ted Cruz. The video is a little glitchy, but it won’t be for long.

    That same technology is creating a growing class of footage and photos, called “deepfakes,” that have the potential to undermine truth, confuse viewers, and sow discord at a much larger scale than we’ve already seen with text-based fake news.

    Reply
  19. Tomi Engdahl says:

    Yahoo News:
    Sources: in 2011, Iranians used Google search to identify a string of websites the CIA used to communicate with its agents, compromising the CIA’s wider network

    The CIA’s communications suffered a catastrophic compromise. It started in Iran.
    https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html?.tsrc=fauxdal

    In 2013, hundreds of CIA officers — many working nonstop for weeks — scrambled to contain a disaster of global proportions: a compromise of the agency’s internet-based covert communications system used to interact with its informants in dark corners around the world. Teams of CIA experts worked feverishly to take down and reconfigure the websites secretly used for these communications; others managed operations to quickly spirit assets to safety and oversaw other forms of triage.

    “When this was going on, it was all that mattered,” said one former intelligence community official. The situation was “catastrophic,” said another former senior intelligence official.

    From around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to the secret internet-based communications system, a key means for remote messaging between CIA officers and their sources on the ground worldwide. The previously unreported global problem originated in Iran and spiderwebbed to other countries, and was left unrepaired — despite warnings about what was happening — until more than two dozen sources died in China in 2011 and 2012 as a result, according to 11 former intelligence and national security officials.

    Reply
  20. Tomi Engdahl says:

    Feds: Chinese spies orchestrated massive hack that stole aviation secrets
    https://arstechnica.com/tech-policy/2018/10/feds-say-chinese-spies-and-their-hired-hackers-stole-aviation-secrets/

    Feds say campaign hacked 13 firms in bid to help Chinese state-owned aerospace company.

    Reply
  21. Tomi Engdahl says:

    Jack Morse / Mashable:
    Interview with three renowned women in infosec on how they got started, some of their most memorable finds, and how to encourage more women to join their field — This post is part of Mashable’s ongoing series The Women Fixing STEM, which highlights trailblazing women in science, tech …

    The hackers getting paid to keep the internet safe
    https://mashable.com/article/bug-bounty-hackers/?europe=true#3dCVZdnODsqz

    Reply
  22. Tomi Engdahl says:

    Radisson Hotel Group Hit by Data Breach
    https://www.securityweek.com/radisson-hotel-group-hit-data-breach

    Radisson Hotel Group this week informed members of its rewards program that their personal information may have been stolen as a result of a breach.

    Several major hotel chains suffered data breaches in the past few years. The list includes Hyatt, InterContinental, Huazhu, Hard Rock Hotel & Casino Las Vegas, Trump Hotels, Millennium Hotels & Resorts and Omni Hotels.

    Reply
  23. Tomi Engdahl says:

    Sauter Quickly Patches Flaw in Building Automation Software
    https://www.securityweek.com/sauter-quickly-patches-flaw-building-automation-software

    A serious vulnerability that allows an attacker to steal files from an affected system has been found by a researcher in a building automation product from Swiss-based Fr. Sauter AG. It took the vendor only 10 days to release a patch.

    The impacted product, CASE Suite, is designed for handling building automation projects. ICS-CERT says the software is used worldwide, particularly in the critical manufacturing sector.

    The security hole is tracked as CVE-2018-17912 and it has been assigned CVSS scores of 7.5 (ICS-CERT) and 8.6 (Applied Risk).

    Reply
  24. Tomi Engdahl says:

    Top Australia Defence Firm Reports Serious Cyber Breach
    https://www.securityweek.com/top-australia-defence-firm-reports-serious-cyber-breach

    A top Australian defence firm with major US Navy contracts has admitted its personnel files were breached and that it was the subject of an extortion attempt.

    Austal — which among other things makes small, quick ships for warfare close to shore — said its “data management system” had been infiltrated by an “unknown offender”.

    Reply
  25. Tomi Engdahl says:

    FIFA admits hack and braces for new leaks
    March 2018 phishing incident pegged as possible origin of latest hack and subsequent data theft.
    https://www.zdnet.com/article/fifa-admits-hack-and-braces-for-new-leaks/

    FIFA officials are bracing for new damaging leaks to be published this week after soccer’s governing body fell victim to a phishing attack.

    both FIFA, soccer’s global governing entity, but also UEFA, Europe’s soccer body, had received hundreds of questions from journalists about subjects only recorded in FIFA confidential documents.

    Officials believe that someone at FIFA fell victim to a phishing attack this March, the New York Times reported on Tuesday.

    Hackers are believed to have used this entry point to gain access to confidential data, which they have now leaked to Football Leaks,

    In a statement released to the Associated Press and other news organizations, FIFA said it was “concerned by the fact that some information has been obtained illegally,” and that it “condemns any attempts to compromise the confidentiality, integrity and availability of data in any organisation using unlawful practices.”

    FIFA, Hacked Again, Braces for New Revelations
    https://www.nytimes.com/2018/10/30/sports/soccer/fifa-uefa-hack.html

    FIFA acknowledged this week that its computer systems were hacked earlier this year for the second time, and officials from European soccer’s governing body fear they also might have suffered a data breach.

    The hack on FIFA, world soccer’s governing body, occurred in March and is not thought to be connected to a cyberattack orchestrated by a group linked to Russia’s intelligence agency in 2017. That incident led to the publication of a list of failed drug tests by soccer players.

    a consortium of European media organizations plans to publish a series of stories based in part on the internal documents

    UEFA officials were targeted in a so-called phishing operation

    Reply
  26. Tomi Engdahl says:

    Google is reading your private documents and will lock you out of them automatically for violating the ToS. They are becoming the Ministry of Truth from 1984

    A mysterious message is locking Google Docs users out of their files
    https://www.washingtonpost.com/news/the-switch/wp/2017/10/31/a-mysterious-message-is-locking-google-docs-users-out-of-their-files/?utm_term=.1952ab25fda6

    https://outline.com/zLdBcT

    Reply
  27. Tomi Engdahl says:

    Who’s In Your Online Shopping Cart?
    https://krebsonsecurity.com/2018/11/whos-in-your-online-shopping-cart/

    Crooks who hack online merchants to steal payment card data are constantly coming up with crafty ways to hide their malicious code on Web sites. In Internet ages past, this often meant obfuscating it as giant blobs of gibberish text that was obvious even to the untrained eye. These days, a compromised e-commerce site is more likely to be seeded with a tiny snippet of code that invokes a hostile domain which appears harmless or that is virtually indistinguishable from the hacked site’s own domain.

    Anyone seeking to view the raw code on sites referenced here should proceed with caution; using an online source code viewer like this one can let readers safely view the HTML code on any Web page without actually rendering it in a Web browser.

    As its name suggests, asianfoodgrocer-dot-com offers a range of comestibles. It also currently includes a spicy bit of card-skimming code that is hosted on the domain zoobashop-dot-com. In this case, it is easy to miss the malicious code when reviewing the HTML source, as it fits neatly into a single, brief line of code.

    Zoobashop is also a presently hacked e-commerce site. Based in Accra, Ghana, zoobashop bills itself as Ghana’s “largest online store.” In addition to offering great deals on a range of electronics and home appliances, it is currently serving a tiny obfuscated script called “js.js” that snarfs data submitted into online forms.

    As sneaky as this attack may be, the hackers in this case did not go out of their way to make the domain hosting the malicious script blend in with the surrounding code. However, increasingly these data-slurping scripts are hidden behind fully fraudulent https:// domains that are custom-made to look like they might be associated with content delivery networks (CDNs) or web-based scripts, and include terms like “jquery,” “bootstrap,” and “js.”

    Publicwww.com is a handy online service that lets you search the Web for sites running snippets of specific code.

    https://publicwww.com/

    Reply
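The skimmer placement Krebs describes above (a single external script tag pointing at a host that looks like a CDN or like the shop's own domain) is something a merchant can check for in their own page source. The following Python is an added example, not code from Krebs on Security or from this page: it collects every script src, skips first-party paths, and flags hosts that are not on an allowlist, singling out those that borrow the site's own name or CDN/library words. The allowlist, the lookalike terms and the sample page with its hosts are all hypothetical.

```python
"""Added example: flag third-party <script src> hosts in a checkout page."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site's operator has approved for scripts.
ALLOWED_HOSTS = {"code.jquery.com", "cdn.jsdelivr.net"}
# Terms skimmer operators borrow so a rogue host reads like a CDN or library.
LOOKALIKE_TERMS = ("jquery", "bootstrap", "cdn", "js")

VERDICT_ALLOWED = "allowed"
VERDICT_OWN_DOMAIN = "suspicious: resembles the site's own domain"
VERDICT_CDN_TERMS = "suspicious: unapproved host using CDN/library terms"
VERDICT_UNKNOWN = "unapproved third-party host"


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def review_scripts(html, site_host):
    """Return (host, verdict) for each script loaded from another host.

    Relative and same-host sources are first-party and skipped; everything
    else is judged against the allowlist and then the lookalike heuristics.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    site_label = site_host.split(".")[0]
    findings = []
    for src in collector.srcs:
        host = urlparse(src).hostname or ""  # '' for relative paths
        if not host or host == site_host:
            continue
        if host in ALLOWED_HOSTS:
            verdict = VERDICT_ALLOWED
        elif site_label in host:
            verdict = VERDICT_OWN_DOMAIN
        elif any(term in host for term in LOOKALIKE_TERMS):
            verdict = VERDICT_CDN_TERMS
        else:
            verdict = VERDICT_UNKNOWN
        findings.append((host, verdict))
    return findings


# Constructed sample page with hypothetical hosts, not taken from any real site.
SAMPLE_HTML = """<html><head>
<script src="/skin/frontend/js/checkout.js"></script>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script type="text/javascript" src="//cdn-jquery-js.example/js.js"></script>
<script src="https://victimshop-static.example/js.js"></script>
<script src="https://victimshop.example/js/cart.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for host, verdict in review_scripts(SAMPLE_HTML, "victimshop.example"):
        print(f"{host:32} {verdict}")
```

Run it against the saved HTML of your own checkout and payment pages rather than the live site, since skimmers are often only injected on those pages. The heuristics are deliberately noisy: any host not on the allowlist deserves a look, and the script body behind a flagged host should be fetched with a source viewer rather than rendered in a browser, as the article advises.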
  28. Tomi Engdahl says:

    New Microsoft Edge Browser Zero-Day RCE Exploit in the Works
    https://www.bleepingcomputer.com/news/security/new-microsoft-edge-browser-zero-day-rce-exploit-in-the-works/

    Details are about to emerge about a zero-day remote code execution vulnerability in the Microsoft Edge web browser, as two researchers plan to reveal a proof-of-concept and publish a general write up. Microsoft has not been told the details of this vulnerability.

    A tweet on November 1 announced that Microsoft Edge had been compromised once more. The proof was an image with the web browser that appeared to launch the popular Windows Calculator app.

    Reply
  29. Tomi Engdahl says:

    Dissecting a CVE-2017-11882 Exploit
    https://isc.sans.edu/diary/rss/24272

    Malicious RTF files cannot contain VBA code; instead, malware authors have to use exploits to achieve code execution. This one here has become a classic: an overflow in the font record of an equation editor expression (CVE-2017-11882).

    Reply
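As an added example (not from the SANS ISC diary or from this page), here is a small Python scanner for the indicator that diary entry turns on: an RTF file carrying an embedded Equation Editor object. It hex-decodes each \objdata group and reads the class name from the OLE 1.0 object header instead of trusting the \objclass control word, which a malicious file can omit or falsify. The sample RTF is constructed for the test and is not an exploit.

```python
"""Added example: find embedded Equation Editor (Equation.3) objects in RTF."""
import re

# RTF stores embedded OLE objects as {\object ... {\*\objclass Name}{\*\objdata <hex>}}.
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(rtf):
    """Return the binary payload of every \\objdata group (hex-decoded)."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:  # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def ole1_class_name(blob):
    """Parse the OLE 1.0 ObjectHeader that starts every objdata payload:
    OLEVersion (4 bytes), FormatID (4 bytes), then a length-prefixed ANSI
    class name such as b'Equation.3\\0'. Returns None if it does not parse."""
    if len(blob) < 12:
        return None
    name_len = int.from_bytes(blob[8:12], "little")
    if not 0 < name_len <= 256 or len(blob) < 12 + name_len:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def scan_rtf(rtf):
    """Collect class names from the \\objclass control word and from the
    decoded OLE1 header, and say whether either names Equation Editor."""
    declared = [m.group(1).decode("latin-1") for m in OBJCLASS_RE.finditer(rtf)]
    embedded = [n for n in map(ole1_class_name, decode_objdata(rtf)) if n]
    return {
        "objclass": declared,
        "ole1_class": embedded,
        "equation_editor": any(n.lower().startswith("equation")
                               for n in declared + embedded),
    }


# Constructed sample: an OLE1 header naming Equation.3 followed by the start of
# an OLE2 container; a harmless stand-in, not a real exploit document.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    rb"01050000 02000000 0b000000 4571756174696f6e2e3300 "  # version, format, len 11, "Equation.3\0"
    rb"00000000 00000000 0c000000 d0cf11e0a1b11ae100000000 }}}"
)

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

The verdict is only "this document embeds an Equation Editor object", which is still worth alerting on because ordinary documents rarely need one; it does not prove the font record is overflowed. Real-world samples also pad the hex with junk control words and whitespace to defeat exactly this kind of regex, so for triage at scale run a proper RTF tokenizer such as rtfobj from oletools and apply the same header check to what it extracts.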
  30. Tomi Engdahl says:

    ICS Devices Vulnerable to Side-Channel Attacks: Researcher
    https://www.securityweek.com/ics-devices-vulnerable-side-channel-attacks-researcher

    Side-channel attacks can pose a serious threat to industrial control systems (ICS), a researcher warned last month at SecurityWeek’s ICS Cyber Security Conference in Atlanta, GA.

    Demos Andreou, a lead engineer at power management company Eaton, has conducted an analysis of protection devices typically used in the energy sector, specifically in power distribution stations.

    While side-channel attacks have been known for a long time, few research papers describe their impact on industrial systems.

    Andreou said he conducted successful experiments on protection devices from three major vendors, but he believes products from other companies are affected as well if the microprocessors they use are vulnerable to these types of attacks.

    While the tested devices are 5-10 years old, the researcher says newer products likely have the same vulnerabilities

    In the case of the analyzed protection devices, an attacker can extract the encryption key and use it to make configuration changes. Since these systems are used to protect the power grid, changing their settings can have serious consequences, Andreou told SecurityWeek.

    A malicious actor could cause the system to fail or have it send false data back to its operator.

    Conducting an attack could take hours, most of which involves physical preparation (e.g., opening the targeted device, connecting sensors). The software part of the attack is much faster and the key can be obtained in a matter of minutes.

    Reply
  31. Tomi Engdahl says:

    Public Hacking Tools: Day in the Sun
    https://threatvector.cylance.com/en_us/home/public-hacking-tools-day-in-the-sun.html

    The old saying goes, “For every job, there is a tool.” In targeted cyber operations, the tools are often custom-designed for the specific job they’re doing. For example, Stuxnet zeroed in on a specific product made by a specific manufacturer as used in a specific country during a specific time period.

    These tools are often devastating because they are tailored for the exact target at which they are aimed, and they have often taken into consideration the target’s defensive posture in order to neutralize it. But a new report by the UK’s National Cyber Security Centre (NCSC) draws attention to almost the opposite problem – the danger posed by a proliferation of generic, publicly available hacking tools that threat actors of all skill levels can, and indeed are, using with increased frequency and success.

    The trend in the increased use of public tools is one we have noticed and are following at Cylance. In this blog post, we’ll take a look at the five tools identified by the Five Eyes and offer some commentary from the NCSC’s Report.

    Reply
  32. Tomi Engdahl says:

    Worst Malware and Threat Actors of 2018
    Two reports call out the most serious malware attacks and attackers of the year (so far).
    https://www.darkreading.com/attacks-breaches/worst-malware-and-threat-actors-of-2018-/d/d-id/1333157

    Reply
  33. Tomi Engdahl says:

    Two botnets are fighting over control of thousands of unsecured Android devices
    https://www.zdnet.com/article/two-botnets-are-fighting-over-control-of-thousands-of-unsecured-android-devices/#ftag=RSSbaffb68

    Researchers spot Trinity and Fbot botnets trying to infect Android devices via the ADB interface.

    Two botnet gangs are fighting to take control over as many unsecured Android devices as they can to use their resources and mine cryptocurrency behind owners’ backs.

    Both are in direct competition and are going after the same targets, namely Android devices on which vendors or owners have left the diagnostics port exposed online.

    This port is 5555, and it hosts a standard Android feature called the Android Debug Bridge (ADB). All Android devices support it but most come with it disabled.

    But while ADB is disabled on hundreds of millions of devices, there are tens of thousands where this feature has been left enabled, either by accident during the device’s assembly and testing process or by the user after he used the ADB to debug or customize his phone.

    Reply
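As an added example (not from the ZDNet article or the botnet research it reports): a small Python classifier for TCP segments captured from port 5555 on a defender's own network, flagging a device whose adbd answers with a CNXN banner and no AUTH exchange, i.e. ADB left exposed. The header layout and command constants follow AOSP's documented ADB wire protocol; the sample banner bytes are constructed here.

```python
import struct

# ADB wire-protocol constants, as documented in AOSP's adb protocol.txt
A_CNXN = 0x4E584E43            # "CNXN": connection banner
A_AUTH = 0x48545541            # "AUTH": device demands RSA auth first
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic
ADB_TCP_PORT = 5555

def parse_adb_message(buf):
    """Parse one ADB message; return a dict, or None if buf is not ADB."""
    if len(buf) < HEADER.size:
        return None
    cmd, arg0, arg1, dlen, dcheck, magic = HEADER.unpack_from(buf)
    if magic != cmd ^ 0xFFFFFFFF:      # every ADB header carries command ^ 0xffffffff
        return None
    payload = buf[HEADER.size:HEADER.size + dlen]
    if len(payload) != dlen:
        return None
    # Older adbd puts the byte sum of the payload in data_check; newer ones send 0.
    if dcheck not in (0, sum(payload) & 0xFFFFFFFF):
        return None
    return {"command": cmd, "arg0": arg0, "arg1": arg1, "payload": payload}

def audit_adb_segment(src_port, data):
    """Classify a device-to-client TCP segment whose source port is 5555.

    Returns a finding string for an ADB banner, or None for anything else."""
    if src_port != ADB_TCP_PORT:
        return None
    msg = parse_adb_message(data)
    if msg is None:
        return None
    if msg["command"] == A_CNXN and msg["payload"].startswith(b"device::"):
        identity = msg["payload"].rstrip(b"\x00").decode("ascii", "replace")
        return "exposed-adb: device answered CNXN without auth (%s)" % identity
    if msg["command"] == A_AUTH:
        return "adb-auth-required: device sent AUTH before CNXN"
    return None

def build_adb_message(cmd, arg0, arg1, payload):
    """Constructed helper used only to fabricate the sample traffic below."""
    return HEADER.pack(cmd, arg0, arg1, len(payload),
                       sum(payload) & 0xFFFFFFFF, cmd ^ 0xFFFFFFFF) + payload

# Constructed sample: the banner an unauthenticated adbd sends on TCP/5555
DEVICE_BANNER = build_adb_message(
    A_CNXN, 0x01000000, 4096,
    b"device::ro.product.name=example_box;ro.product.model=EXAMPLE;\x00")

if __name__ == "__main__":
    print(audit_adb_segment(ADB_TCP_PORT, DEVICE_BANNER))
```

Feed it the first server-side segment of each port-5555 flow from a capture; a hit on a device that should never be reachable over the network is the misconfiguration the article describes.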
  34. Tomi Engdahl says:

    Intel CPUs impacted by new PortSmash side-channel vulnerability
    https://www.zdnet.com/article/intel-cpus-impacted-by-new-portsmash-side-channel-vulnerability/

    Vulnerability confirmed on Skylake and Kaby Lake CPU series. Researchers suspect AMD processors are also impacted.

    Reply
  35. Tomi Engdahl says:

    ThreatList: Fewer Big DDoS Attacks in Q3, Overall Rate Holds Steady
    https://threatpost.com/threatlist-fewer-big-ddos-attacks-in-q3-overall-rate-holds-steady/138757/

    Meanwhile, Saturday now is the most “dangerous” day of the week for DDoS attacks.

    When it comes to distributed denial of service (DDoS) attacks, the third quarter of 2018 marked an apparent lull in the action, with fewer huge, multi-day attacks than in previous quarters. Researchers however warn against having a false sense of security: The total number of attacks in the quarter stayed steady.

    Breaking that down a bit, an analysis by Kaspersky Lab showed that short attacks with a duration of under four hours grew 17.5 percentage points, to account for 86.94 percent of attacks.

    Reply
  36. Tomi Engdahl says:

    Hackers are increasingly destroying logs to hide attacks
    https://www.zdnet.com/article/hackers-are-increasingly-destroying-logs-to-hide-attacks/

    According to a new report, 72 percent of incident response specialists have come across hacks where attackers have destroyed logs to hide their tracks.

    Reply
  37. Tomi Engdahl says:

    Android news and kids apps contain the most third-party trackers
    https://www.zdnet.com/article/android-news-and-kids-apps-contain-the-most-third-party-trackers/

    Over 20 child advocacy groups have sent a letter to the FTC regarding advertising in kids apps.

    Reply
  38. Tomi Engdahl says:

    Defence shipbuilder Austal victim of data breach, extortion attempt
    https://www.news.com.au/technology/online/hacking/defence-shipbuilder-austal-victim-of-data-breach-extortion-attempt/news-story/3d5399b7d671cafd9c1e58929478285f

    Scott Morrison says there is no “100 per cent foolproof guarantee” of preventing cyber attacks, after Defence shipbuilder Austal’s business was hit with a data breach and extortion attempt.

    Reply
  39. Tomi Engdahl says:

    SMS Phishing + Cardless ATM = Profit
    https://krebsonsecurity.com/2018/11/sms-phishing-cardless-atm-profit/

    Thieves are combining SMS-based phishing attacks with new “cardless” ATMs to rapidly convert phished bank account credentials into cash. Recent arrests in Ohio shed light on how this scam works.

    A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud for bad guys, who can leverage phished or stolen account credentials to add a new phone number to the customer’s account and then use that added device to siphon cash from hijacked accounts at cardless ATMs.

    Reply
  40. Tomi Engdahl says:

    Beware this malware: it can even survive operating systems being reinstalled
    https://www.pandasecurity.com/mediacenter/news/lojax-malware/

    And Fancy Bear’s most recent development fits in perfectly with this level of sophistication: it is called LoJax, and it is a piece of malware that is able to survive an operating system being reinstalled. This makes it especially dangerous for companies and institutions that are lacking protection against this kind of attack.

    Reply
