You’re probably familiar with some of the most common requirements for creating passwords. A mix of upper and lowercase letters is a simple example. These are known as password constraints. They’re rules for how you must construct a password. If your password must be at least eight characters long and contain lowercase, uppercase, number and symbol characters, then you have one length constraint and four character-set constraints.
Password constraints eliminate a number of both good and bad passwords.
Long and simple is better than short and hard
Password strength: It’s length, not complexity that matters
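To put numbers on "length, not complexity", the added example below (my code, not code from the article) counts the keyspace of a password policy with and without a must-use-every-class rule using inclusion-exclusion, and compares an 8-character password under four class constraints against a 16-character lowercase-only one. The character-class sizes are an assumption of the example; the article gives no counts.

```python
import math
from itertools import combinations

# Character classes as a typical policy defines them. The sizes are an assumption of
# this example (33 = printable ASCII punctuation plus space); the article gives no counts.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def unconstrained_count(length, sizes):
    """Strings of `length` drawn from the union of the classes, with no composition rule."""
    return sum(sizes) ** length


def all_classes_count(length, sizes):
    """Strings of `length` that contain at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing one class,
    add back those missing two (they were subtracted twice), and so on.
    """
    total = 0
    for r in range(len(sizes) + 1):
        for excluded in combinations(range(len(sizes)), r):
            alphabet = sum(s for i, s in enumerate(sizes) if i not in excluded)
            total += (-1) ** r * alphabet ** length
    return total


def bits(count):
    """Search-space size expressed in bits, the usual way to compare keyspaces."""
    return math.log2(count) if count > 0 else float("-inf")


def fraction_eliminated(length, sizes):
    """Share of the unconstrained keyspace that a must-use-every-class rule throws away."""
    return 1 - all_classes_count(length, sizes) / unconstrained_count(length, sizes)


def compare(short_len=8, long_len=16):
    """Bits of a short password that must use all four classes versus a long password
    restricted to lowercase letters. Returns (constrained_short_bits, lowercase_long_bits)."""
    sizes = list(CLASS_SIZES.values())
    constrained_short = bits(all_classes_count(short_len, sizes))
    lowercase_long = bits(unconstrained_count(long_len, [CLASS_SIZES["lower"]]))
    return constrained_short, lowercase_long


if __name__ == "__main__":
    sizes = list(CLASS_SIZES.values())
    short, long = compare()
    print(f"8-char, all four classes required: {short:.1f} bits")
    print(f"16-char, lowercase only:            {long:.1f} bits")
    print(f"constraint discards {fraction_eliminated(8, sizes):.0%} of 8-char strings")
```

The constrained 8-character password comes out around 51 bits; the 16-character lowercase one around 75 bits. The composition rule removes roughly half of all 8-character strings, which is the point of the sentence above: it eliminates good passwords as well as bad ones, and the attacker knows exactly which ones.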
Norway and Finland have both reported problems with GPS signals in their northern regions this month.
Both countries have been taking part in NATO’s exercise Trident Juncture, which has irked Russia.
Reports of GPS interference related to Russian military activities have been reported in the past.
A malicious group known as the “Inception” attackers has been using a year-old Office exploit and a new backdoor in recent attacks, Palo Alto Networks security researchers warn.
VMware informed customers on Friday that patches are available for a critical virtual machine (VM) escape vulnerability disclosed recently by a researcher at the GeekPwn2018 hacking competition.
Shortly after the VM escape exploit was demonstrated, Chaitin Tech wrote on Twitter that it was the first time anybody managed to escape VMware ESXi and get a root shell on the host system.
Vulnerabilities discovered in several medical devices made by the diagnostics division of Swiss-based healthcare company Roche can put patients at risk, a cybersecurity firm has warned.
A detailed list of vulnerable products and versions is available in an advisory published recently by ICS-CERT. It’s worth noting that each vulnerability impacts certain models and versions of the Roche devices.
A recently patched remote code execution vulnerability affecting the Adobe ColdFusion web application development platform has been exploited in the wild by one or more threat groups, Volexity warned on Thursday.
A newly discovered botnet that appears designed to send spam emails likely infected around 400,000 machines to date, 360 Netlab security researchers warn.
Dubbed BCMPUPnP_Hunter, the threat was observed mainly targeting routers that have the BroadCom UPnP feature enabled.
In August 2017 the U.S. Immigration and Customs Enforcement agency (ICE) issued an intelligence bulletin warning that Da Jiang Innovations (DJI) — the world’s largest drone manufacturer — was “likely passing U.S. critical infrastructure and law enforcement data to [the] Chinese government.” DJI strenuously denied the accusation.
Now Check Point Research has published details of a DJI vulnerability that would allow the Chinese government — or anybody else in the world — to simply take that data without any involvement from DJI. The vulnerability could provide full access to a drone user’s DJI account.
A critical security flaw affecting a GDPR compliance plugin for WordPress has been exploited in the wild to take control of vulnerable websites, users have been warned.
The WordPress GDPR Compliance plugin, which has over 100,000 active installations, is designed to help the administrators of websites and online shops become compliant with the EU’s General Data Protection Regulation (GDPR). It supports plugins such as Contact Form, Gravity Forms, WordPress Comments, and WooCommerce.
According to researchers in Defiant’s Wordfence team, the vulnerabilities can be exploited by unauthenticated attackers to obtain privileged access to targeted websites by adding new admin accounts.
Shortly after the news broke that the GDPR Compliance flaws have been exploited in the wild, WordPress notified the developer and deactivated the plugin on its official store. The application was quickly reinstated after its creators released version 1.4.3 on November 7, which should resolve the vulnerabilities.
Zack Whittaker / TechCrunch:
Cloudflare launches Android and iOS apps for its privacy-focused DNS service 1.1.1.1 — Months after announcing its privacy-focused DNS service, Cloudflare is bringing 1.1.1.1 to mobile users. — Granted, nothing ever stopped anyone from using 1.1.1.1 on their phones or tablets already.
Joe Uchill / Axios:
France’s Macron releases an international pact on cyber warfare and security principles that over 50 nations have signed, but not the US, UK, Russia, or China
French President Emmanuel Macron released an international agreement on cybersecurity principles Monday as part of the Paris Peace Forum. The original signatories included more than 50 nations, 130 private sector groups and 90 charitable groups and universities, but not the United States, Russia or China.
Details: The agreement does not command any specific legislation.
The principles include agreements to promote human rights on the internet, thwart election hacking, cease the theft of intellectual property via hacking and stop “malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals.” China, Russia and North Korea have each been accused of violating some or all of these in the past.
Private sector groups are tasked with having a unique responsibility in security.
It includes an endorsement of certain security measures, including basic security practices and responsible disclosure campaigns, allowing security researchers to alert organizations and governments to security vulnerabilities in their systems.
558 Comments
Tomi Engdahl says:
BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers
https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/
Since September 2018, 360Netlab Scanmon has detected multiple scan spikes on TCP port 5431, each time the system logged more than 100k scan sources, a pretty large number compared with most other botnets we have covered before.
The interaction between the botnet and the potential target takes multiple steps.
The botnet has the following characteristics:
The number of infections is very large; the number of active scanning IPs in each scan event is about 100,000.
The target of infection is mainly router equipment with the BroadCom UPnP feature enabled.
Self-built proxy network (tcp-proxy): the proxy network is implemented by the attacker, and the proxy currently communicates with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. We highly suspect that the attacker’s intention is to send spam.
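The scan spikes described above are something a defender can watch for on their own perimeter. The added example below (my code, not 360Netlab's Scanmon) buckets constructed firewall log lines into fixed time windows and counts distinct source addresses per destination port, flagging a window when the count reaches a threshold. The log format, the window size and the threshold are assumptions of the example; the 100k figure in the post is a threshold for a large sensor network, not for a single firewall.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines, not real traffic. Assumed format:
# "<UTC timestamp>Z proto=<tcp|udp> src=<ip> dst=<ip> dport=<port> action=<accept|drop>"
SAMPLE_LOG = """\
2018-11-06T10:00:01Z proto=tcp src=203.0.113.10 dst=198.51.100.5 dport=5431 action=drop
2018-11-06T10:00:02Z proto=tcp src=203.0.113.11 dst=198.51.100.5 dport=5431 action=drop
2018-11-06T10:00:02Z proto=tcp src=203.0.113.12 dst=198.51.100.5 dport=5431 action=drop
2018-11-06T10:00:03Z proto=tcp src=203.0.113.10 dst=198.51.100.5 dport=5431 action=drop
2018-11-06T10:00:04Z proto=tcp src=203.0.113.13 dst=198.51.100.5 dport=5431 action=drop
2018-11-06T10:00:05Z proto=tcp src=192.0.2.7 dst=198.51.100.5 dport=443 action=accept
2018-11-06T10:00:06Z proto=tcp src=192.0.2.8 dst=198.51.100.5 dport=443 action=accept
2018-11-06T10:20:00Z proto=tcp src=203.0.113.14 dst=198.51.100.5 dport=5431 action=drop
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp is parsed and dport becomes an int."""
    ts_str, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def window_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed window (window_minutes must divide 60)."""
    return ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)


def distinct_sources(lines, window_minutes=5):
    """Map (window_start, proto, dport) -> set of distinct source IPs seen in that window."""
    buckets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (window_start(rec["ts"], window_minutes), rec["proto"], rec["dport"])
        buckets[key].add(rec["src"])
    return buckets


def scan_spikes(lines, threshold, window_minutes=5):
    """Return [(window_start_iso, proto, dport, n_sources)] for every window in which the
    number of distinct sources hitting one port reaches the threshold. Counting distinct
    sources rather than packets is what separates a botnet scan from one noisy host retrying."""
    spikes = []
    for (start, proto, dport), srcs in sorted(distinct_sources(lines, window_minutes).items()):
        if len(srcs) >= threshold:
            spikes.append((start.isoformat(), proto, dport, len(srcs)))
    return spikes


if __name__ == "__main__":
    for spike in scan_spikes(SAMPLE_LOG.splitlines(), threshold=4):
        print("scan spike:", spike)
```

On the constructed log the only spike is the 10:00 window on tcp/5431 with four distinct sources; the repeated hit from 203.0.113.10 is counted once, and the two HTTPS connections never reach the threshold.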
Tomi Engdahl says:
Busting SIM Swappers and SIM Swap Myths
https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/
KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims.
Tomi Engdahl says:
November Android Security Update Fixes Critical Bugs, Drops Media Library
https://www.bleepingcomputer.com/news/security/november-android-security-update-fixes-critical-bugs-drops-media-library/
Google released to all users and partners its November security bulletin for the Android operating system, with fixes for critical remote code execution (RCE) and privilege escalation vulnerabilities.
Tomi Engdahl says:
WordPress Design Flaw Leads to WooCommerce RCE
https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/
A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects for example WooCommerce, the most popular e-commerce plugin with over 4 million installations. The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account.
We detected and reported a file deletion vulnerability in WooCommerce, which was fixed in version 3.4.6. Arbitrary file deletion vulnerabilities aren’t considered critical in most cases as the only thing an attacker can cause is a Denial of Service by deleting the index.php of the website.
Tomi Engdahl says:
Popular WooCommerce WordPress Plugin Patches Critical Vulnerability
https://thehackernews.com/2018/11/woocommerce-wordpress-hacking.html
Tomi Engdahl says:
Fake Banking App Found on Google Play Used in SMiShing Scheme
https://blog.trendmicro.com/trendlabs-security-intelligence/fake-banking-app-found-on-google-play-used-in-smishing-scheme/
Banks are offering more features and upgrades for their banking apps, and thanks to their convenience more users are adopting mobile banking services around the world. But as new financial technology proliferates and users start to look for apps and other services from their particular bank, opportunities for scammers also increase. One recent example of this is the app Movil Secure. We found this malicious app on Google Play on October 22, as part of a SMiShing scheme targeting Spanish-speaking users.
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/onko-sinulla-tama-tukiasema-paivita-heti-suomalaista-kiitetaan-pahan-haavoittuvuuden-loytamisesta-6748385
A security hole was found in the WPA authentication of the D-Link DIR-850L wireless access point. It allows an attacker to join the wireless network even without knowing the password.
The vulnerable versions are D-Link DIR-850L Rev. Ax Firmware v1.21B06 Beta and earlier. The fault is fixed in version v1.21b07.i9d9 (14 September 2018), which is available from the manufacturer.
Vulnerability in the D-Link DIR-850L wireless access point
https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2018/haavoittuvuus-2018-026.html
Tomi Engdahl says:
Microsoft Releases Guidance for Users Concerned About Flawed SSD Encryption
https://www.securityweek.com/microsoft-releases-guidance-users-concerned-about-flawed-ssd-encryption
After security researchers discovered vulnerabilities in the encryption mechanism of several types of solid-state drives (SSDs), Microsoft decided to explain how one can enforce software encryption instead.
On Tuesday, Microsoft published an advisory to provide information on how users can enforce software encryption on their Windows systems, given that, when a self-encrypting drive is present, BitLocker would use hardware encryption by default.
“Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker,” Microsoft says.
ADV180028 | Guidance for configuring BitLocker to enforce software encryption
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028
Tomi Engdahl says:
Google Wants More Projects Integrated With OSS-Fuzz
https://www.securityweek.com/google-wants-more-projects-integrated-oss-fuzz
Google this week revealed plans to reach out to critical open source projects and invite them to integrate with OSS-Fuzz.
Launched in December 2016, OSS-Fuzz is a free and continuous fuzzing infrastructure hosted on the Google Cloud Platform and designed to serve the Open Source Software (OSS) community through finding security vulnerabilities and stability issues.
OSS-Fuzz has already helped find and report over 9,000 flaws since launch, including bugs in critical projects such as FreeType2, FFmpeg, LibreOffice, SQLite, OpenSSL, and Wireshark.
https://www.securityweek.com/google-launches-oss-fuzz-open-source-fuzzing-service
Tomi Engdahl says:
Troubled Waters: How A New Wave of Cyber-Attacks is Targeting Maritime Trade
https://www.securityweek.com/troubled-waters-how-new-wave-cyber-attacks-targeting-maritime-trade
Protecting Vital Commercial Hubs Requires Thinking Beyond Air-Gapping or Standard IT Solutions
Tomi Engdahl says:
U.S. Cyber Command Shares Malware via VirusTotal
https://www.securityweek.com/us-cyber-command-shares-malware-virustotal
The U.S. Cyber Command (USCYBERCOM) this week started sharing malware samples with the cybersecurity industry via Chronicle’s VirusTotal intelligence service.
The project is run by USCYBERCOM’s Cyber National Mission Force (CNMF), which will post unclassified malware samples on the CYBERCOM_Malware_Alert account on VirusTotal.
CNMF claims that its goal is to “to help prevent harm by malicious cyber actors by sharing with the global cybersecurity community.”
Tomi Engdahl says:
Default Account Exposes Cisco Switches to Remote Attacks
https://www.securityweek.com/default-account-exposes-cisco-switches-remote-attacks
According to Cisco, Small Business switches running any software release come with a default account that is provided for the initial login. The account has full administrator privileges and it cannot be removed from the system.
The account is disabled if an administrator configures at least one other user account with the access privilege set to level 15, which is equivalent to root/administrator and provides full access to the switch.
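A quick way to audit for the condition Cisco describes (the built-in account stays active until some other level-15 user exists) is to parse saved running-configs. The example below is added here and is not Cisco's tooling; the `username ... privilege <n>` line format, the two sample configs and the default account name `cisco` are assumptions of the example, since the advisory excerpt above does not name the account.

```python
import re

# Constructed running-config excerpts, not from any real device. The
# "username <name> ... privilege <n>" line format and the default account
# name "cisco" are assumptions of this example.
FACTORY_CONFIG = """\
hostname sw-branch-1
username cisco password encrypted 0123abcd privilege 15
ip ssh server
"""

HARDENED_CONFIG = """\
hostname sw-branch-2
username cisco password encrypted 0123abcd privilege 15
username netops password encrypted 4567ef01 privilege 15
username helpdesk password encrypted 89ab2345 privilege 1
ip ssh server
"""

USERNAME_LINE = re.compile(r"^username\s+(\S+)(.*)$")
PRIVILEGE = re.compile(r"\bprivilege\s+(\d+)\b")


def local_users(config):
    """Return {username: privilege level}. A username line without a privilege
    keyword is recorded as level 1 (assumed default)."""
    users = {}
    for raw in config.splitlines():
        m = USERNAME_LINE.match(raw.strip())
        if not m:
            continue
        name, rest = m.groups()
        p = PRIVILEGE.search(rest)
        users[name] = int(p.group(1)) if p else 1
    return users


def default_account_disabled(config, default_name="cisco"):
    """True when at least one *other* local account has level 15, which per the
    advisory is the condition under which the built-in account is disabled."""
    return any(name != default_name and level == 15
               for name, level in local_users(config).items())


def audit(configs, default_name="cisco"):
    """Return the hostnames whose config still leaves the default level-15 account active."""
    exposed = []
    for config in configs:
        host = next((line.split(None, 1)[1] for line in config.splitlines()
                     if line.startswith("hostname ")), "?")
        if not default_account_disabled(config, default_name):
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    print("default account still active on:", audit([FACTORY_CONFIG, HARDENED_CONFIG]))
```

A level-1 helpdesk user does not count: only a second level-15 account disables the built-in one, so the audit keys on the privilege level rather than on the mere number of users.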
Tomi Engdahl says:
Security flaw in DJI’s website and apps exposed accounts to hackers and drone live feeds
https://techcrunch.com/2018/11/08/security-flaw-in-dji-apps-exposed-accounts-to-hackers-and-drone-live-feeds/
Tomi Engdahl says:
US Cyber Command starts uploading foreign APT malware to VirusTotal
https://www.zdnet.com/article/us-cyber-command-starts-uploading-foreign-apt-malware-to-virustotal/#ftag=RSSbaffb68
USCYBERCOM said it plans to regularly upload “unclassified malware samples” to VirusTotal.
Tomi Engdahl says:
16 Places To Buy A Laptop With Linux Preloaded
https://www.cyberciti.biz/hardware/laptop-computers-with-linux-installed-or-preloaded/
The hardest part of using Linux is finding the right hardware. Hardware compatibility and drivers can be a big issue. But where can one find Linux desktops or laptops for sale? Here are sixteen places to buy a preinstalled Linux desktop or laptop.
Tomi Engdahl says:
Beware of “Unofficial” Sites Pushing Notepad2 Adware Bundles
https://www.bleepingcomputer.com/news/security/beware-of-unofficial-sites-pushing-notepad2-adware-bundles/
If you are looking to download the very popular Notepad replacement called Notepad2, be careful of sites created to look official, but actually distribute Notepad2 as an adware bundle.
When the search results came back, the first result was for a site called Notepad2.com.
Tomi Engdahl says:
Analysis Report (AR18-312A)
JexBoss – JBoss Verify and EXploitation Tool
https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
JBoss Verify and EXploitation tool (JexBoss) is an open-source tool used by cybersecurity hunt teams (sometimes referred to as “red teams”) and auditors to conduct authorized security assessments. Threat actors use this tool maliciously to test and exploit vulnerabilities in JBoss Application Server (JBoss AS)—now WildFly—and a variety of Java applications and platforms. JexBoss automates all the phases of a cyberattack, making it a powerful and easy-to-use weapon in a threat actor’s cyber arsenal.
Tomi Engdahl says:
New Side-Channel Attacks Target Graphics Processing Units
A trio of new attacks bypass CPUs to wring data from vulnerable GPUs.
https://www.darkreading.com/attacks-breaches/new-side-channel-attacks-target-graphics-processing-units/d/d-id/1333226
A new brand of side-channel vulnerabilities has been disclosed and this time it’s not the CPU that’s under attack: it’s the GPU.
New exploits published by computer scientists at the University of California, Riverside, leave both individual users and high-performance computing systems at potential risk. The three sets of exploits pull sensitive data out of a graphics processing unit core, and do so with relative ease, compared to some of the side-channel attacks that have been demonstrated on CPUs.
Two of the attacks target individual users, pulling information on website history and passwords. The third could open the door to an organization’s machine-learning or neural network applications, exposing details about their computational model to competitors.
Tomi Engdahl says:
Rendered Insecure: GPU Side Channel Attacks are Practical
http://www.cs.ucr.edu/~zhiyunq/pub/ccs18_gpu_side_channel.pdf
Tomi Engdahl says:
Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker
https://support.microsoft.com/en-us/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d
For Windows version 1803 and later versions, if your platform supports the new Kernel DMA Protection feature, we recommend that you leverage that feature to mitigate Thunderbolt DMA attacks. For earlier versions of Windows or platforms that lack the new Kernel DMA Protection feature, if your organization allows for TPM-only protectors or supports computers in sleep mode, the following is one DMA mitigation option. Please refer to BitLocker Countermeasures to understand the spectrum of mitigations.
Also users may refer to Intel Thunderbolt 3 and Security on Microsoft Windows 10 Operating System documentation for alternative mitigations.
Tomi Engdahl says:
Microsoft Releases Info on Protecting BitLocker From DMA Attacks
https://www.bleepingcomputer.com/news/security/microsoft-releases-info-on-protecting-bitlocker-from-dma-attacks/
Tomi Engdahl says:
Adobe ColdFusion servers under attack from APT group
https://www.zdnet.com/article/adobe-coldfusion-servers-under-attack-from-apt-group/
A cyber-espionage group appears to have reverse engineered an Adobe security patch and is currently going after unpatched ColdFusion servers.
Tomi Engdahl says:
Chrome 71 will warn users about websites with shady phone subscription forms
https://www.zdnet.com/article/chrome-71-will-warn-users-about-websites-with-shady-phone-subscription-forms/
Google plans to show full-page warning for sites that fail to list all mobile subscription information in a proper and clearly visible manner.
Tomi Engdahl says:
Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets
https://cloudblogs.microsoft.com/microsoftsecure/2018/11/08/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets/
Tomi Engdahl says:
Cryptocurrency Mining Malware uses Various Evasion Techniques, Including Windows Installer, as Part of its Routine
https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-malware-uses-various-evasion-techniques-including-windows-installer-as-part-of-its-routine/
Tomi Engdahl says:
Several Vulnerabilities Patched in nginx
https://www.securityweek.com/several-dos-vulnerabilities-patched-nginx
Updates released this week for the nginx open source web server software address several denial-of-service (DoS) vulnerabilities.
In addition to providing web server functionality, Nginx can be used as a load balancer and a reverse proxy. It powers roughly 400 million websites, which makes it one of the most widely used web servers. NGINX, Inc., the company behind nginx, has raised over $100 million, including $43 million in June 2018.
Nginx developers announced this week that versions 1.15.6 and 1.14.1 address two HTTP/2 implementation vulnerabilities that can lead to a DoS condition. The issues impact versions 1.9.5 through 1.15.5.
Tomi Engdahl says:
Mobile Overlay Attacks a Hot Underground Commodity
https://www.flashpoint-intel.com/blog/mobile-overlay-attacks-a-hot-underground-commodity/
Mobile overlay attacks are a highly trafficked commodity on the underground today as attackers, stunted by improvements in browser protections on the desktop, are swaying toward stealing credentials, banking information, and other personal information primarily from Android devices.
Some Russian-speaking marketplaces sell hundreds of overlays—which are sometimes conflated with injection attacks—that are configured to run on top of legitimate applications and steal user inputs for anything including banking apps, social media, email, e-commerce, and payment applications and websites.
Tomi Engdahl says:
Steam bug could have given you access to all the CD keys of any game
https://www.zdnet.com/article/steam-bug-could-have-given-you-access-to-all-the-cd-keys-of-any-game/#ftag=RSSbaffb68
Bug affected a Steam API and was patched in August. Downgrading your Steam client won’t help you get free games.
Tomi Engdahl says:
Pentagon Draws Back the Veil on APT Malware with Sudden Embrace of VirusTotal
https://threatpost.com/pentagon-draws-back-the-veil-on-apt-malware-with-sudden-embrace-of-virustotal/138954/
Tomi Engdahl says:
Hacker Who DDoSed Sony, EA and Steam Gaming Servers Pleads Guilty
https://thehackernews.com/2018/11/gaming-server-ddos-attack.html?m=1
A 23-year-old hacker from Utah pleaded guilty this week to launching a series of denial-of-service (DoS) attacks against multiple online services, websites, and online gaming companies between 2013 and 2014.
Tomi Engdahl says:
Hackers can compromise your network just by sending a Fax
https://thehackernews.com/2018/08/hack-printer-fax-machine.html?m=1
Tomi Engdahl says:
Drone vulnerability could compromise enterprise data
https://www.scmagazine.com/home/security-news/drone-vulnerability-could-compromise-enterprise-data/
Check Point Researchers developed an attack to hijack DJI drone user accounts that may contain the user’s sensitive information as well as access to the device itself.
Researchers developed an XSS attack that could be posted on a DJI forum that is used by hundreds of thousands of DJI customers
Tomi Engdahl says:
Hackers stole income, immigration and tax data in Healthcare.gov breach, government confirms
https://techcrunch.com/2018/11/09/hackers-stole-income-immigration-and-tax-data-in-healthcare-gov-breach-government-confirms/?sr_share=facebook&utm_source=tcfbpage
Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans.
Tomi Engdahl says:
Experts detailed how China Telecom used BGP hijacking to redirect traffic worldwide
https://securityaffairs.co/wordpress/77799/hacking/bgp-hijacking-china-telecom.html
The two researchers pointed out that the telco company leverages the PoPs to hijack traffic through China, it has happened several times over the past years,
According to the experts, the activity went unnoticed for a long time, but to better understand how it is possible to hijack the traffic let’s read this excerpt from the paper:
“Within the BGP forwarding tables, administrators of each AS announce to their AS neighbors the IP address blocks that their AS owns, whether to be used as a destination or a convenient transit node.” states the paper.
“Errors can occur given the complexity of configuring BGP, and these possible errors offer covert actors a number of hijack opportunities.
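The excerpt above describes how each AS announces the address blocks it owns, and how misconfiguration leaves room for hijacks. The following is an added example (not from the article or the paper it quotes) showing the two route-monitoring checks a network operator typically runs against incoming announcements: an origin-AS mismatch on a known prefix, and a more-specific sub-prefix announced from an unexpected origin, which wins by longest-prefix match. The prefixes, AS numbers and the expected-origin table are constructed for illustration; in practice that table would come from RPKI ROAs or the operator's own IRR records (an assumption, not something the page states).

```python
"""Flag BGP announcements whose origin AS does not match the expected owner.

Added example; the route data and expected-origin table are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str        # e.g. "203.0.113.0/24"
    as_path: tuple     # ordered ASNs as received; the rightmost is the origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed table: address block -> the AS that legitimately originates it.
# Stand-in for what RPKI ROAs / IRR route objects would provide (assumption).
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}


def check_announcement(ann, expected=EXPECTED_ORIGIN):
    """Return a list of findings for one announcement (empty means it looks legitimate).

    Checked signatures:
      * origin mismatch: a known prefix announced with a different origin AS;
      * more-specific hijack: a sub-prefix of a known block from another origin,
        which routers prefer over the legitimate, less-specific route.
    Prefixes not in the table are not judged at all; a more-specific from the
    legitimate origin is treated as ordinary traffic engineering.
    """
    findings = []
    net = ipaddress.ip_network(ann.prefix, strict=False)
    for block, legit_as in expected.items():
        known = ipaddress.ip_network(block)
        if net.version != known.version or ann.origin_as == legit_as:
            continue
        if net == known:
            findings.append(
                f"origin mismatch: {ann.prefix} announced by AS{ann.origin_as}, expected AS{legit_as}"
            )
        elif net.subnet_of(known):
            findings.append(
                f"more-specific hijack: {ann.prefix} inside {block} announced by AS{ann.origin_as}"
            )
    return findings


def scan(announcements, expected=EXPECTED_ORIGIN):
    """Run the check over a batch; returns [(announcement, findings)] for suspicious ones."""
    results = []
    for ann in announcements:
        findings = check_announcement(ann, expected)
        if findings:
            results.append((ann, findings))
    return results


if __name__ == "__main__":
    # Constructed sample feed: one legitimate route, one origin mismatch,
    # one more-specific hijack, one legitimate more-specific, one unknown prefix.
    sample = [
        Announcement("203.0.113.0/24", (64510, 64500)),
        Announcement("203.0.113.0/24", (64510, 64520)),
        Announcement("198.51.100.128/25", (64530, 64540)),
        Announcement("198.51.100.128/25", (64530, 64501)),
        Announcement("192.0.2.0/24", (64550,)),
    ]
    for ann, findings in scan(sample):
        print(ann.prefix, "via", ann.as_path, "->", "; ".join(findings))
```

The check only sees what the operator's own monitoring point receives; a hijack that is announced into a region that does not propagate the route to that monitor will not appear, which is why route-collector feeds from several vantage points are usually combined before alerting.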
Tomi Engdahl says:
Password Constraints and Their Unintended Security Consequences
https://www.webroot.com/blog/2018/11/05/password-constraints-unintended-security-consequences/
You’re probably familiar with some of the most common requirements for creating passwords. A mix of upper and lowercase letters is a simple example. These are known as password constraints. They’re rules for how you must construct a password. If your password must be at least eight characters long, contain lowercase, uppercase, number and symbol characters, then you have one length and four character-set constraints.
Password constraints eliminate a number of both good and bad passwords.
Long and simple is better than short and hard
Password strength: It’s length, not complexity that matters
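The post's point that constraints reject good passwords as well as bad ones, and that length matters more than complexity, can be shown with a small checker. This is an added example, not code from the Webroot post: it applies the constraint set described there (minimum length plus four character classes) and separately estimates the brute-force keyspace in bits for the classes a password actually uses. The sample passwords are constructed; the keyspace figure assumes an attacker guessing uniformly over the alphabet, so it is an upper bound and says nothing about dictionary-based guessing.

```python
"""Password constraints versus brute-force keyspace.

Added example; constraint set and sample passwords are constructed.
"""
import math
import string

# Character classes used by the constraint checker and the keyspace estimate.
CHARSETS = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def check_constraints(pw, min_len=8, required=("lower", "upper", "digit", "symbol")):
    """Return the list of constraints the password violates (empty list = accepted)."""
    failed = []
    if len(pw) < min_len:
        failed.append(f"length<{min_len}")
    chars = set(pw)
    for name in required:
        if not (chars & CHARSETS[name]):
            failed.append(f"no {name}")
    return failed


def keyspace_bits(pw):
    """Estimate log2 of the brute-force search space: length * log2(alphabet).

    The alphabet is the union of the classes the password touches, so a
    25-character lowercase passphrase is scored against 26**25 while an
    8-character password using all four classes is scored against 94**8.
    Characters outside the four classes (e.g. spaces) are ignored, a
    simplification that only under-counts.
    """
    chars = set(pw)
    alphabet = sum(len(cs) for cs in CHARSETS.values() if chars & cs)
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def compare(candidates):
    """For each password report (password, violated constraints, keyspace bits)."""
    return [(pw, check_constraints(pw), round(keyspace_bits(pw), 1)) for pw in candidates]


if __name__ == "__main__":
    # Constructed samples: a short password that satisfies every constraint
    # and a long lowercase passphrase that fails three of them.
    for pw, failed, bits in compare(["P@ssw0rd", "correcthorsebatterystaple"]):
        verdict = "accepted" if not failed else "rejected (" + ", ".join(failed) + ")"
        print(f"{pw!r}: {verdict}, ~{bits} bits of keyspace")
```

Run as-is, the short complex password is accepted with roughly 52 bits of keyspace while the long lowercase passphrase is rejected despite roughly 117 bits, which is exactly the mismatch between what constraints measure and what resists brute force.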
Tomi Engdahl says:
Finland and Norway are telling airline pilots to be ready to fly without GPS, and some think Russia is up to something
https://www.businessinsider.com.au/finland-norway-tell-pilots-to-fly-without-gps-and-some-blame-russia-2018-11/amp
Norway and Finland have both reported problems with GPS signals in their northern regions this month.
Both countries have been taking part in NATO’s exercise Trident Juncture, which has irked Russia.
Reports of GPS interference related to Russian military activities have been reported in the past.
Tomi Engdahl says:
A Russian taxi service that has started operating in Helsinki can get your photos and information from your SIM card
https://www.hs.fi/teknologia/art-2000005896249.html
Tomi Engdahl says:
“Inception Attackers” Combine Old Exploit and New Backdoor
https://www.securityweek.com/inception-attackers-combine-old-exploit-and-new-backdoor
A malicious group known as the “Inception” attackers has been using a year-old Office exploit and a new backdoor in recent attacks, Palo Alto Networks security researchers warn.
Tomi Engdahl says:
VMware Patches VM Escape Flaw Disclosed at Chinese Hacking Contest
https://www.securityweek.com/vmware-patches-vm-escape-flaw-disclosed-chinese-hacking-contest
VMware informed customers on Friday that patches are available for a critical virtual machine (VM) escape vulnerability disclosed recently by a researcher at the GeekPwn2018 hacking competition.
Shortly after the VM escape exploit was demonstrated, Chaitin Tech wrote on Twitter that it was the first time anybody managed to escape VMware ESXi and get a root shell on the host system.
https://twitter.com/ChaitinTech/status/1057526019127676929
Tomi Engdahl says:
Flaws in Roche Medical Devices Can Put Patients at Risk
https://www.securityweek.com/flaws-roche-medical-devices-can-put-patients-risk
Vulnerabilities discovered in several medical devices made by the diagnostics division of Swiss-based healthcare company Roche can put patients at risk, a cybersecurity firm has warned.
A detailed list of vulnerable products and versions is available in an advisory published recently by ICS-CERT. It’s worth noting that each vulnerability impacts certain models and versions of the Roche devices.
Medical Advisory (ICSMA-18-310-01)
Roche Diagnostics Point of Care Handheld Medical Devices (Update A)
https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01
Tomi Engdahl says:
Adobe ColdFusion Vulnerability Exploited in the Wild
https://www.securityweek.com/adobe-coldfusion-vulnerability-exploited-wild
A recently patched remote code execution vulnerability affecting the Adobe ColdFusion web application development platform has been exploited in the wild by one or more threat groups, Volexity warned on Thursday.
Tomi Engdahl says:
ForeScout Acquires Industrial Security Firm SecurityMatters for $113 Million in Cash
https://www.securityweek.com/forescout-acquires-industrial-security-firm-securitymatters-114-million-cash
Tomi Engdahl says:
New Spam Botnet Likely Infected 400,000 Devices
https://www.securityweek.com/new-spam-botnet-likely-infected-400000-devices
A newly discovered botnet that appears designed to send spam emails likely infected around 400,000 machines to date, 360 Netlab security researchers warn.
Dubbed BCMPUPnP_Hunter, the threat was observed mainly targeting routers that have the BroadCom UPnP feature enabled.
Tomi Engdahl says:
DJI Drone Vulnerability Exposed Customer Data, Flight Logs, Photos and Videos
https://www.securityweek.com/dji-drone-vulnerability-exposed-customer-data-flight-logs-photos-and-videos
In August 2017 the U.S. Immigration and Customs Enforcement agency (ICE) issued an intelligence bulletin warning that Da Jiang Innovations (DJI) — the world’s largest drone manufacturer — was “likely passing U.S. critical infrastructure and law enforcement data to [the] Chinese government.” DJI strenuously denied the accusation.
Now Check Point Research has published details of a DJI vulnerability that would allow the Chinese government — or anybody else in the world — to simply take that data without any involvement from DJI. The vulnerability could provide full access to a drone user’s DJI account.
Tomi Engdahl says:
Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress
https://www.securityweek.com/hackers-exploit-flaw-gdpr-compliance-plugin-wordpress
A critical security flaw affecting a GDPR compliance plugin for WordPress has been exploited in the wild to take control of vulnerable websites, users have been warned.
The WordPress GDPR Compliance plugin, which has over 100,000 active installations, is designed to help the administrators of websites and online shops become compliant with the EU’s General Data Protection Regulation (GDPR). It supports plugins such as Contact Form, Gravity Forms, WordPress Comments, and WooCommerce.
According to researchers in Defiant’s Wordfence team, the vulnerabilities can be exploited by unauthenticated attackers to obtain privileged access to targeted websites by adding new admin accounts.
Shortly after the news broke that the GDPR Compliance flaws have been exploited in the wild, WordPress notified the developer and deactivated the plugin on its official store. The application was quickly reinstated after its creators released version 1.4.3 on November 7, which should resolve the vulnerabilities.
https://wordpress.org/plugins/wp-gdpr-compliance/#description
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Cloudflare launches Android and iOS apps for its privacy-focused DNS service 1.1.1.1 — Months after announcing its privacy-focused DNS service, Cloudflare is bringing 1.1.1.1 to mobile users. — Granted, nothing ever stopped anyone from using 1.1.1.1 on their phones or tablets already.
Cloudflare rolls out its 1.1.1.1 privacy service to iOS, Android
https://techcrunch.com/2018/11/11/cloudflare-privacy-dns-service-ios-android/
Tomi Engdahl says:
Joe Uchill / Axios:
France’s Macron releases an international pact on cyber warfare and security principles that over 50 nations have signed, but not the US, UK, Russia, or China
More than 50 nations, but not U.S., sign onto cybersecurity pact
https://www.axios.com/cybersecurity-paris-call-for-trust-france-21e434df-8a59-48bc-8cde-cd1c1f43dfd0.html
French President Emmanuel Macron released an international agreement on cybersecurity principles Monday as part of the Paris Peace Forum. The original signatories included more than 50 nations, 130 private sector groups and 90 charitable groups and universities, but not the United States, Russia or China.
Details: The agreement does not command any specific legislation.
The principles include agreements to promote human rights on the internet, thwart election hacking, cease the theft of intellectual property via hacking and stop “malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals.” China, Russia and North Korea have each been accused of violating some or all of these in the past.
Private sector groups are tasked with having a unique responsibility in security.
It includes an endorsement of certain security measures, including basic security practices and responsible disclosure campaigns, allowing security researchers to alert organizations and governments to security vulnerabilities in their systems.
Tomi Engdahl says:
Internet Explorer scripting engine becomes North Korean APT’s favorite target in 2018
https://www.zdnet.com/article/internet-explorer-scripting-engine-becomes-north-korean-apts-favorite-target-in-2018/#ftag=RSSbaffb68
North Korean hacking group focuses attacks on aging and soon-to-be-deprecated technology.