Cyber Security November 2018

This posting is here to collect security alert news in November 2018.

I post links to security vulnerability news to comments of this article.

You are also free to post related links.

558 Comments

  1. Tomi Engdahl says:

    BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers
    https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/

    Since September 2018, 360Netlab Scanmon has detected multiple scan spikes on TCP port 5431, each time the system logged more than 100k scan sources, a pretty large number compared with most other botnets we have covered before.

    The interaction between the botnet and the potential target takes multiple steps

    The botnet has the following characteristics:

    The amount of infection is very large, the number of active scanning IP in each scan event is about 100,000;
    The target of infection is mainly router equipment with BroadCom UPnP feature enabled.
    Self-built proxy network (tcp-proxy), the proxy network is implemented by the attacker, the proxy currently communicates with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. We highly suspect that the attacker’s intention is to send spams.

    Reply
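A minimal detector for the scanning pattern described in the comment above, added here as an example and not code from the 360Netlab report: it buckets flow records into five-minute windows and flags windows in which many distinct sources probe TCP/5431. The flow records, field layout, window size and threshold are constructed for the example; a real deployment would read NetFlow or firewall logs and size the threshold to the sensor's normal background.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records for this example (not data from the report):
# "ISO-8601 timestamp  source IP  destination IP  destination port"
SAMPLE_FLOWS = """\
2018-11-01T10:00:01 203.0.113.10 198.51.100.5 5431
2018-11-01T10:00:07 203.0.113.11 198.51.100.5 5431
2018-11-01T10:01:15 203.0.113.12 198.51.100.7 5431
2018-11-01T10:02:40 203.0.113.13 198.51.100.9 5431
2018-11-01T10:03:00 203.0.113.50 198.51.100.5 80
2018-11-01T10:04:59 203.0.113.14 198.51.100.5 5431
2018-11-01T10:04:59 203.0.113.14 198.51.100.6 5431
2018-11-01T10:31:10 203.0.113.20 198.51.100.5 5431
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def scan_spikes(records, port=5431, window_minutes=5, min_sources=3):
    """Return [(window_start, distinct_source_count)] for every window in which
    at least `min_sources` distinct source IPs sent a flow to `port`.

    Distinct sources, not flow count, is the signal: one noisy host retrying a
    port does not look like a botnet sweep; 100k hosts each sending one SYN does.
    """
    sources_per_window = defaultdict(set)
    for ts, src, _dst, dport in records:
        if dport != port:
            continue
        start = ts.replace(second=0, microsecond=0)
        start -= timedelta(minutes=start.minute % window_minutes)
        sources_per_window[start].add(src)
    return sorted((start, len(srcs)) for start, srcs in sources_per_window.items()
                  if len(srcs) >= min_sources)


def detect(text=SAMPLE_FLOWS):
    """Run the detector over the constructed sample and return the flagged windows."""
    return scan_spikes(parse_flows(text))


if __name__ == "__main__":
    for start, n in detect():
        print(f"{start.isoformat()}  {n} distinct sources probing TCP/5431")
```

The same host hitting two targets at 10:04:59 is counted once, and the lone probe at 10:31 stays below the threshold, so only the 10:00 window is reported.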
  2. Tomi Engdahl says:

    Busting SIM Swappers and SIM Swap Myths
    https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/

    KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims.

    Reply
  3. Tomi Engdahl says:

    November Android Security Update Fixes Critical Bugs, Drops Media Library
    https://www.bleepingcomputer.com/news/security/november-android-security-update-fixes-critical-bugs-drops-media-library/

    Google released to all users and partners its November security bulletin for the Android operating system, with fixes for critical remote code execution (RCE) and privilege escalation vulnerabilities.

    Reply
  4. Tomi Engdahl says:

    WordPress Design Flaw Leads to WooCommerce RCE
    https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/

    A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects for example WooCommerce, the most popular e-commerce plugin with over 4 million installations. The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account.

    We detected and reported a file deletion vulnerability in WooCommerce, which was fixed in version 3.4.6. Arbitrary file deletion vulnerabilities aren’t considered critical in most cases as the only thing an attacker can cause is a Denial of Service by deleting the index.php of the website.

    Reply
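The file-deletion primitive the comment above describes, shown as an added illustration rather than WooCommerce's or WordPress's own code: a log-cleanup routine that joins a caller-supplied handle onto the log directory will follow `../` out of it, while the hardened version resolves the real path and refuses anything that is not a `.log` file sitting directly inside the directory. The directory layout, file names and function names are assumptions made for the example, and the post's second step (turning the deleted file into an administrator takeover) is not modelled.

```python
import os
import shutil
import tempfile


class UnsafePath(ValueError):
    """Raised by the hardened routine when a handle would leave the log directory."""


def delete_log_vulnerable(log_dir, handle):
    # Illustrative, not WooCommerce's code: the caller-controlled handle is joined
    # onto the log directory with no sanitisation, so "../" segments are honoured.
    path = os.path.join(log_dir, handle)
    os.remove(path)
    return path


def delete_log_hardened(log_dir, handle):
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, handle))
    # The file must be directly inside the log directory (no subdirectories, no
    # traversal, no symlink escape) and must carry the log extension.
    if os.path.dirname(target) != base or not target.endswith(".log"):
        raise UnsafePath(handle)
    os.remove(target)
    return target


def demo():
    """Build a throwaway site layout (assumed for the example) and exercise both
    routines. Returns (vulnerable_deleted_plugin, hardened_refused_traversal,
    hardened_deleted_legit_log)."""
    root = tempfile.mkdtemp()
    try:
        log_dir = os.path.join(root, "uploads", "wc-logs")
        plugin_dir = os.path.join(root, "plugins", "woocommerce")
        os.makedirs(log_dir)
        os.makedirs(plugin_dir)
        plugin_file = os.path.join(plugin_dir, "woocommerce.php")
        log_file = os.path.join(log_dir, "shop.log")
        open(plugin_file, "w").close()
        open(log_file, "w").close()

        # Constructed attacker input: climb out of uploads/wc-logs to the plugin file.
        traversal = "../../plugins/woocommerce/woocommerce.php"

        try:
            delete_log_hardened(log_dir, traversal)
            refused = False
        except UnsafePath:
            refused = True

        delete_log_hardened(log_dir, "shop.log")
        legit_gone = not os.path.exists(log_file)

        delete_log_vulnerable(log_dir, traversal)
        plugin_gone = not os.path.exists(plugin_file)
        return plugin_gone, refused, legit_gone
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Resolving with `realpath` before comparing directories is what defeats both `../` segments and symlinks dropped into the log directory; a check on the raw string (for example rejecting the substring `..`) is easier to bypass.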
  5. Tomi Engdahl says:

    Popular WooCommerce WordPress Plugin Patches Critical Vulnerability
    https://thehackernews.com/2018/11/woocommerce-wordpress-hacking.html

    Reply
  6. Tomi Engdahl says:

    Fake Banking App Found on Google Play Used in SMiShing Scheme
    https://blog.trendmicro.com/trendlabs-security-intelligence/fake-banking-app-found-on-google-play-used-in-smishing-scheme/

    Banks are offering more features and upgrades for their banking apps, and thanks to their convenience more users are adopting mobile banking services around the world. But as new financial technology proliferates and users start to look for apps and other services from their particular bank, opportunities for scammers also increase. One recent example of this is the app Movil Secure. We found this malicious app on Google Play on October 22, as part of a SMiShing scheme targeting Spanish-speaking users.

    Reply
  7. Tomi Engdahl says:

    https://www.tivi.fi/Kaikki_uutiset/onko-sinulla-tama-tukiasema-paivita-heti-suomalaista-kiitetaan-pahan-haavoittuvuuden-loytamisesta-6748385

The security hole was found in the WPA authentication of the D-Link DIR-850L WLAN access point. It lets an attacker join the wireless network even without knowing the password.

The vulnerable versions are D-Link DIR-850L Rev. Ax Firmware v1.21B06 Beta and earlier. The flaw is fixed in version v1.21b07.i9d9 (14 Sep 2018), which is available from the manufacturer.

Vulnerability in the D-Link DIR-850L WLAN access point
    https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2018/haavoittuvuus-2018-026.html

    Reply
  8. Tomi Engdahl says:

    Microsoft Releases Guidance for Users Concerned About Flawed SSD Encryption
    https://www.securityweek.com/microsoft-releases-guidance-users-concerned-about-flawed-ssd-encryption

    After security researchers discovered vulnerabilities in the encryption mechanism of several types of solid-state drives (SSDs), Microsoft decided to explain how one can enforce software encryption instead.

    On Tuesday, Microsoft published an advisory to provide information on how users can enforce software encryption on their Windows systems, given that, when a self-encrypting drive is present, BitLocker would use hardware encryption by default.

    “Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker,” Microsoft says.

    ADV180028 | Guidance for configuring BitLocker to enforce software encryption
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

    Reply
  9. Tomi Engdahl says:

    Google Wants More Projects Integrated With OSS-Fuzz
    https://www.securityweek.com/google-wants-more-projects-integrated-oss-fuzz

    Google this week revealed plans to reach out to critical open source projects and invite them to integrate with OSS-Fuzz.

    Launched in December 2016, OSS-Fuzz is a free and continuous fuzzing infrastructure hosted on the Google Cloud Platform and designed to serve the Open Source Software (OSS) community through finding security vulnerabilities and stability issues.

    OSS-Fuzz has already helped find and report over 9,000 flaws since launch, including bugs in critical projects such as FreeType2, FFmpeg, LibreOffice, SQLite, OpenSSL, and Wireshark.

    https://www.securityweek.com/google-launches-oss-fuzz-open-source-fuzzing-service

    Reply
  10. Tomi Engdahl says:

    Troubled Waters: How A New Wave of Cyber-Attacks is Targeting Maritime Trade
    https://www.securityweek.com/troubled-waters-how-new-wave-cyber-attacks-targeting-maritime-trade

    Protecting Vital Commercial Hubs Requires Thinking Beyond Air-Gapping or Standard IT Solutions

    Reply
  11. Tomi Engdahl says:

    U.S. Cyber Command Shares Malware via VirusTotal
    https://www.securityweek.com/us-cyber-command-shares-malware-virustotal

    The U.S. Cyber Command (USCYBERCOM) this week started sharing malware samples with the cybersecurity industry via Chronicle’s VirusTotal intelligence service.

    The project is run by USCYBERCOM’s Cyber National Mission Force (CNMF), which will post unclassified malware samples on the CYBERCOM_Malware_Alert account on VirusTotal.

    CNMF claims that its goal is to “to help prevent harm by malicious cyber actors by sharing with the global cybersecurity community.”

    Reply
  12. Tomi Engdahl says:

    Default Account Exposes Cisco Switches to Remote Attacks
    https://www.securityweek.com/default-account-exposes-cisco-switches-remote-attacks

    According to Cisco, Small Business switches running any software release come with a default account that is provided for the initial login. The account has full administrator privileges and it cannot be removed from the system.

    The account is disabled if an administrator configures at least one other user account with the access privilege set to level 15, which is equivalent to root/administrator and provides full access to the switch.

    Reply
  13. Tomi Engdahl says:

    Security flaw in DJI’s website and apps exposed accounts to hackers and drone live feeds
    https://techcrunch.com/2018/11/08/security-flaw-in-dji-apps-exposed-accounts-to-hackers-and-drone-live-feeds/

    Reply
  14. Tomi Engdahl says:

    US Cyber Command starts uploading foreign APT malware to VirusTotal
    https://www.zdnet.com/article/us-cyber-command-starts-uploading-foreign-apt-malware-to-virustotal/#ftag=RSSbaffb68

    USCYBERCOM said it plans to regularly upload “unclassified malware samples” to VirusTotal.

    Reply
  15. Tomi Engdahl says:

    16 Places To Buy A Laptop With Linux Preloaded
    https://www.cyberciti.biz/hardware/laptop-computers-with-linux-installed-or-preloaded/

    The hardest part of using Linux is to find out the correct hardware. Hardware compatibility and drivers can be a big issue. But where one can find Linux desktops or Laptop for sale? Here are sixteen places to buy a preinstalled Linux Desktop and Laptop.

    Reply
  16. Tomi Engdahl says:

    Beware of “Unofficial” Sites Pushing Notepad2 Adware Bundles
    https://www.bleepingcomputer.com/news/security/beware-of-unofficial-sites-pushing-notepad2-adware-bundles/

    If you are looking to download the very popular Notepad replacement called Notepad2, be careful of sites created to look official, but actually distribute Notepad2 as an adware bundle.

    When the search results came back, the first result was for a site called Notepad2.com

    Reply
  17. Tomi Engdahl says:

    Analysis Report (AR18-312A)
    JexBoss – JBoss Verify and EXploitation Tool
    https://www.us-cert.gov/ncas/analysis-reports/AR18-312A

    JBoss Verify and EXploitation tool (JexBoss) is an open-source tool used by cybersecurity hunt teams (sometimes referred to as “red teams”) and auditors to conduct authorized security assessments. Threat actors use this tool maliciously to test and exploit vulnerabilities in JBoss Application Server (JBoss AS)—now WildFly—and a variety of Java applications and platforms. JexBoss automates all the phases of a cyberattack, making it a powerful and easy-to-use weapon in a threat actor’s cyber arsenal.

    Reply
  18. Tomi Engdahl says:

    New Side-Channel Attacks Target Graphics Processing Units
    A trio of new attacks bypass CPUs to wring data from vulnerable GPUs.
    https://www.darkreading.com/attacks-breaches/new-side-channel-attacks-target-graphics-processing-units/d/d-id/1333226

    A new brand of side-channel vulnerabilities has been disclosed and this time it’s not the CPU that’s under attack: it’s the GPU.

    New exploits published by computer scientists at the University of California, Riverside, leave both individual users and high-performance computing systems at potential risk. The three sets of exploits pull sensitive data out of a graphics processing unit core, and do so with relative ease, compared to some of the side-channel attacks that have been demonstrated on CPUs.

    Two of the attacks target individual users, pulling information on website history and passwords. The third could open the door to an organization’s machine-learning or neural network applications, exposing details about their computational model to competitors.

    Reply
  19. Tomi Engdahl says:

    Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker
    https://support.microsoft.com/en-us/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d

    For Windows version 1803 and later versions, if your platform supports the new Kernel DMA Protection feature, we recommend that you leverage that feature to mitigate Thunderbolt DMA attacks. For earlier versions of Windows or platforms that lack the new Kernel DMA Protection feature, if your organization allows for TPM-only protectors or supports computers in sleep mode, the following is one DMA mitigation option. Please refer to BitLocker Countermeasures to understand the spectrum of mitigations.

    Also users may refer to Intel Thunderbolt 3 and Security on Microsoft Windows 10 Operating System documentation for alternative mitigations.

    Reply
  21. Tomi Engdahl says:

    Adobe ColdFusion servers under attack from APT group
    https://www.zdnet.com/article/adobe-coldfusion-servers-under-attack-from-apt-group/

    A cyber-espionage group appears to have reverse engineered an Adobe security patch and is currently going after unpatched ColdFusion servers.

    Reply
  22. Tomi Engdahl says:

    Chrome 71 will warn users about websites with shady phone subscription forms
    https://www.zdnet.com/article/chrome-71-will-warn-users-about-websites-with-shady-phone-subscription-forms/

    Google plans to show full-page warning for sites that fail to list all mobile subscription information in a proper and clearly visible manner.

    Reply
  23. Tomi Engdahl says:

    Several Vulnerabilities Patched in nginx
    https://www.securityweek.com/several-dos-vulnerabilities-patched-nginx

    Updates released this week for the nginx open source web server software address several denial-of-service (DoS) vulnerabilities.

    In addition to providing web server functionality, Nginx can be used as a load balancer and a reverse proxy. It powers roughly 400 million websites, which makes it one of the most widely used web servers. NGINX, Inc., the company behind nginx, has raised over $100 million, including $43 million in June 2018.

    Nginx developers announced this week that versions 1.15.6 and 1.14.1 address two HTTP/2 implementation vulnerabilities that can lead to a DoS condition. The issues impact versions 1.9.5 through 1.15.5.

    Reply
  24. Tomi Engdahl says:

    Mobile Overlay Attacks a Hot Underground Commodity
    https://www.flashpoint-intel.com/blog/mobile-overlay-attacks-a-hot-underground-commodity/

    Mobile overlay attacks are a highly trafficked commodity on the underground today as attackers, stunted by improvements in browser protections on the desktop, are swaying toward stealing credentials, banking information, and other personal information primarily from Android devices.

    Some Russian-speaking marketplaces sell hundreds of overlays—which are sometimes conflated with injection attacks—that are configured to run on top of legitimate applications and steal user inputs for anything including banking apps, social media, email, e-commerce, and payment applications and websites.

    Reply
  25. Tomi Engdahl says:

    Steam bug could have given you access to all the CD keys of any game
    https://www.zdnet.com/article/steam-bug-could-have-given-you-access-to-all-the-cd-keys-of-any-game/#ftag=RSSbaffb68

    Bug affected a Steam API and was patched in August. Downgrading your Steam client won’t help you get free games.

    Reply
  26. Tomi Engdahl says:

    Hacker Who DDoSed Sony, EA and Steam Gaming Servers Pleads Guilty
    https://thehackernews.com/2018/11/gaming-server-ddos-attack.html?m=1

    A 23-year-old hacker from Utah pleaded guilty this week to launching a series of denial-of-service (DoS) attacks against multiple online services, websites, and online gaming companies between 2013 and 2014.

    Reply
  27. Tomi Engdahl says:

    Drone vulnerability could compromise enterprise data
    https://www.scmagazine.com/home/security-news/drone-vulnerability-could-compromise-enterprise-data/

    Check Point Researchers developed an attack to hijack DJI drone user accounts that may contain the user’s sensitive information as well as access to the device itself.

    Researchers developed an XSS attack that could be posted on a DJI forum that is used by hundreds of thousands of DJI customers

    Reply
  28. Tomi Engdahl says:

    Hackers stole income, immigration and tax data in Healthcare.gov breach, government confirms
    https://techcrunch.com/2018/11/09/hackers-stole-income-immigration-and-tax-data-in-healthcare-gov-breach-government-confirms/?sr_share=facebook&utm_source=tcfbpage

    Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans.

    Reply
  29. Tomi Engdahl says:

    Experts detailed how China Telecom used BGP hijacking to redirect traffic worldwide
    https://securityaffairs.co/wordpress/77799/hacking/bgp-hijacking-china-telecom.html

    The two researchers pointed out that the telco company leverages the PoPs to hijack traffic through China; it has happened several times over the past years.

    According to the experts, the activity went unnoticed for a long time, but to better understand how it is possible to hijack the traffic, let's read this excerpt from the paper:

    “Within the BGP forwarding tables, administrators of each AS announce to their AS neighbors the IP address blocks that their AS owns, whether to be used as a destination or a convenient transit node.” states the paper.

    “Errors can occur given the complexity of configuring BGP, and these possible errors offer covert actors a number of hijack opportunities.

    Reply
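A route-monitoring check of the kind the excerpt above implies, added here as an example and not code from the paper or the article: because each AS announces the prefixes it owns, a monitor that knows the legitimate origin AS and the expected upstream for its own prefixes can flag an announcement whose origin is wrong, a more-specific prefix that would win longest-prefix match, or an unexpected AS sitting directly in front of the true origin (the "convenient transit node" case). The prefixes, the ASNs in the 64500-64999 private range and the route-collector view are all constructed for the example.

```python
import ipaddress

# Constructed expectations for this example:
# monitored prefix -> (legitimate origin ASNs, ASNs allowed directly upstream of the origin)
EXPECTED = {
    ipaddress.ip_network("192.0.2.0/24"): ({64500}, {64520}),
    ipaddress.ip_network("198.51.100.0/22"): ({64501}, {64510}),
}

# Constructed route-collector view: (announced prefix, AS path with the origin last)
OBSERVED = [
    ("192.0.2.0/24", [64510, 64520, 64500]),       # as expected
    ("192.0.2.0/24", [64510, 64530, 64999]),       # same prefix, foreign origin: origin hijack
    ("198.51.100.0/22", [64510, 64501]),           # as expected
    ("198.51.100.0/22", [64510, 64999, 64501]),    # right origin, but 64999 has inserted itself in front of it
    ("198.51.100.128/25", [64510, 64999, 64501]),  # more-specific: attracts the traffic whatever the origin says
    ("203.0.113.0/24", [64510, 64540]),            # not a monitored prefix, ignored
]


def check_announcement(prefix_str, as_path, expected=EXPECTED):
    """Return a list of (finding, prefix, asn) tuples for one announcement.
    An empty list means the announcement is consistent with expectations."""
    prefix = ipaddress.ip_network(prefix_str)
    origin = as_path[-1]
    upstream = as_path[-2] if len(as_path) > 1 else None
    findings = []
    for monitored, (origins, upstreams) in expected.items():
        if prefix.version != monitored.version:
            continue  # subnet_of() refuses to compare IPv4 with IPv6
        if prefix == monitored:
            if origin not in origins:
                findings.append(("origin-mismatch", prefix_str, origin))
            elif upstream is not None and upstream not in upstreams:
                findings.append(("unexpected-upstream", prefix_str, upstream))
        elif prefix.subnet_of(monitored):
            # Even with the legitimate origin, a more-specific we never announce
            # ourselves is the classic way to pull traffic somewhere else.
            findings.append(("more-specific", prefix_str, origin))
    return findings


def audit(observed=OBSERVED, expected=EXPECTED):
    """Check every announcement in a collector view against the expectations."""
    findings = []
    for prefix_str, as_path in observed:
        findings.extend(check_announcement(prefix_str, as_path, expected))
    return findings


if __name__ == "__main__":
    for finding, prefix, asn in audit():
        print(f"{finding:20} {prefix:20} AS{asn}")
```

RPKI origin validation catches only the first of the three cases (it checks the origin AS and prefix length, not the path), which is why the upstream and more-specific checks need a monitor that knows how the prefix is normally routed.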
  30. Tomi Engdahl says:

    Password Constraints and Their Unintended Security Consequences
    https://www.webroot.com/blog/2018/11/05/password-constraints-unintended-security-consequences/

    You’re probably familiar with some of the most common requirements for creating passwords. A mix of upper and lowercase letters is a simple example. These are known as password constraints. They’re rules for how you must construct a password. If your password must be at least eight characters long, contain lower case, uppercase, numbers and symbol characters, then you have one length, and four character set constraints.

    Password constraints eliminate a number of both good and bad passwords.

    Long and simple is better than short and hard

    Password strength: It’s length, not complexity that matters

    Reply
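To make the two claims above concrete (constraints eliminate passwords; length beats complexity), an added worked calculation that is not from the Webroot post: inclusion-exclusion counts how many strings of a given length actually satisfy a must-use-every-class rule, and the search space in bits is compared with a longer single-class password. The class sizes (26 lower, 26 upper, 10 digits, 33 symbols, 95 printable ASCII characters in total) are the example's assumption.

```python
from itertools import combinations
from math import log2

# Character-class sizes assumed for this example (95 printable ASCII characters in total)
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33
ALL_FOUR = (LOWER, UPPER, DIGIT, SYMBOL)


def count_constrained(length, classes):
    """Number of strings of `length` over the union of `classes` that use every
    class at least once. Inclusion-exclusion over the set of omitted classes:
    sum over subsets S of (-1)^|S| * (alphabet size without S) ** length."""
    total = 0
    for k in range(len(classes) + 1):
        for omitted in combinations(range(len(classes)), k):
            alphabet = sum(size for i, size in enumerate(classes) if i not in omitted)
            total += (-1) ** k * alphabet ** length
    return total


def search_space_bits(length, classes):
    """log2 of the number of passwords a policy admits (-inf if it admits none)."""
    n = count_constrained(length, classes)
    return log2(n) if n else float("-inf")


def fraction_eliminated(length, classes):
    """Share of all strings over the full alphabet that the every-class rule rejects."""
    alphabet = sum(classes)
    return 1 - count_constrained(length, classes) / alphabet ** length


def compare(short_len=8, long_len=16):
    """Search space, in bits, of a short four-class policy versus a long lowercase-only one."""
    return {
        f"{short_len} chars, all four classes required": search_space_bits(short_len, ALL_FOUR),
        f"{short_len} chars, any printable ASCII": log2(sum(ALL_FOUR) ** short_len),
        f"{long_len} chars, lowercase only": search_space_bits(long_len, (LOWER,)),
    }


if __name__ == "__main__":
    for policy, bits in compare().items():
        print(f"{policy:40} {bits:6.1f} bits")
    print(f"eliminated by the 4-class rule at 8 chars: {fraction_eliminated(8, ALL_FOUR):.0%}")
```

The four-class rule throws away roughly half of all eight-character strings, trimming the space from about 52.6 to about 51.4 bits, while sixteen lowercase letters give about 75 bits; an attacker who knows the policy searches only the constrained space, so the constraint costs entropy rather than adding it.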
  31. Tomi Engdahl says:

    Finland and Norway are telling airline pilots to be ready to fly without GPS, and some think Russia is up to something
    https://www.businessinsider.com.au/finland-norway-tell-pilots-to-fly-without-gps-and-some-blame-russia-2018-11/amp

    Norway and Finland have both reported problems with GPS signals in their northern regions this month.
    Both countries have been taking part in NATO’s exercise Trident Juncture, which has irked Russia.
    Reports of GPS interference related to Russian military activities have been reported in the past.

    Reply
  32. Tomi Engdahl says:

    A Russian taxi service that has started operating in Helsinki may obtain your photo and data from your SIM card

    https://www.hs.fi/teknologia/art-2000005896249.html

    Reply
  33. Tomi Engdahl says:

    “Inception Attackers” Combine Old Exploit and New Backdoor
    https://www.securityweek.com/inception-attackers-combine-old-exploit-and-new-backdoor

    A malicious group known as the “Inception” attackers has been using a year-old Office exploit and a new backdoor in recent attacks, Palo Alto Networks security researchers warn.

    Reply
  34. Tomi Engdahl says:

    VMware Patches VM Escape Flaw Disclosed at Chinese Hacking Contest
    https://www.securityweek.com/vmware-patches-vm-escape-flaw-disclosed-chinese-hacking-contest

    VMware informed customers on Friday that patches are available for a critical virtual machine (VM) escape vulnerability disclosed recently by a researcher at the GeekPwn2018 hacking competition.

    Shortly after the VM escape exploit was demonstrated, Chaitin Tech wrote on Twitter that it was the first time anybody managed to escape VMware ESXi and get a root shell on the host system.

    https://twitter.com/ChaitinTech/status/1057526019127676929

    Reply
  35. Tomi Engdahl says:

    Flaws in Roche Medical Devices Can Put Patients at Risk
    https://www.securityweek.com/flaws-roche-medical-devices-can-put-patients-risk

    Vulnerabilities discovered in several medical devices made by the diagnostics division of Swiss-based healthcare company Roche can put patients at risk, a cybersecurity firm has warned.

    A detailed list of vulnerable products and versions is available in an advisory published recently by ICS-CERT. It’s worth noting that each vulnerability impacts certain models and versions of the Roche devices.

    Medical Advisory (ICSMA-18-310-01)
    Roche Diagnostics Point of Care Handheld Medical Devices (Update A)
    https://ics-cert.us-cert.gov/advisories/ICSMA-18-310-01

    Reply
  36. Tomi Engdahl says:

    Adobe ColdFusion Vulnerability Exploited in the Wild
    https://www.securityweek.com/adobe-coldfusion-vulnerability-exploited-wild

    A recently patched remote code execution vulnerability affecting the Adobe ColdFusion web application development platform has been exploited in the wild by one or more threat groups, Volexity warned on Thursday.

    Reply
  37. Tomi Engdahl says:

    New Spam Botnet Likely Infected 400,000 Devices
    https://www.securityweek.com/new-spam-botnet-likely-infected-400000-devices

    A newly discovered botnet that appears designed to send spam emails likely infected around 400,000 machines to date, 360 Netlab security researchers warn.

    Dubbed BCMPUPnP_Hunter, the threat was observed mainly targeting routers that have the BroadCom UPnP feature enabled.

    Reply
  39. Tomi Engdahl says:

    DJI Drone Vulnerability Exposed Customer Data, Flight Logs, Photos and Videos
    https://www.securityweek.com/dji-drone-vulnerability-exposed-customer-data-flight-logs-photos-and-videos

    In August 2017 the U.S. Immigration and Customs Enforcement agency (ICE) issued an intelligence bulletin warning that Da Jiang Innovations (DJI) — the world’s largest drone manufacturer — was “likely passing U.S. critical infrastructure and law enforcement data to [the] Chinese government.” DJI strenuously denied the accusation.

    Now Check Point Research has published details of a DJI vulnerability that would allow the Chinese government — or anybody else in the world — to simply take that data without any involvement from DJI. The vulnerability could provide full access to a drone user’s DJI account.

    Reply
  40. Tomi Engdahl says:

    Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress
    https://www.securityweek.com/hackers-exploit-flaw-gdpr-compliance-plugin-wordpress

    A critical security flaw affecting a GDPR compliance plugin for WordPress has been exploited in the wild to take control of vulnerable websites, users have been warned.

    The WordPress GDPR Compliance plugin, which has over 100,000 active installations, is designed to help the administrators of websites and online shops become compliant with the EU’s General Data Protection Regulation (GDPR). It supports plugins such as Contact Form, Gravity Forms, WordPress Comments, and WooCommerce.

    According to researchers in Defiant’s Wordfence team, the vulnerabilities can be exploited by unauthenticated attackers to obtain privileged access to targeted websites by adding new admin accounts.

    Shortly after the news broke that the GDPR Compliance flaws have been exploited in the wild, WordPress notified the developer and deactivated the plugin on its official store. The application was quickly reinstated after its creators released version 1.4.3 on November 7, which should resolve the vulnerabilities.

    https://wordpress.org/plugins/wp-gdpr-compliance/#description

    Reply
  41. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Cloudflare launches Android and iOS apps for its privacy-focused DNS service 1.1.1.1 — Months after announcing its privacy-focused DNS service, Cloudflare is bringing 1.1.1.1 to mobile users. — Granted, nothing ever stopped anyone from using 1.1.1.1 on their phones or tablets already.

    Cloudflare rolls out its 1.1.1.1 privacy service to iOS, Android
    https://techcrunch.com/2018/11/11/cloudflare-privacy-dns-service-ios-android/

    Reply
  42. Tomi Engdahl says:

    Joe Uchill / Axios:
    France’s Macron releases an international pact on cyber warfare and security principles that over 50 nations have signed, but not the US, UK, Russia, or China

    More than 50 nations, but not U.S., sign onto cybersecurity pact
    https://www.axios.com/cybersecurity-paris-call-for-trust-france-21e434df-8a59-48bc-8cde-cd1c1f43dfd0.html

    French President Emmanuel Macron released an international agreement on cybersecurity principles Monday as part of the Paris Peace Forum. The original signatories included more than 50 nations, 130 private sector groups and 90 charitable groups and universities, but not the United States, Russia or China.

    Details: The agreement does not command any specific legislation.

    The principles include agreements to promote human rights on the internet, thwart election hacking, cease the theft of intellectual property via hacking and stop “malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals.” China, Russia and North Korea have each been accused of violating some or all of these in the past.
    Private sector groups are tasked with having a unique responsibility in security.
    It includes an endorsement of certain security measures, including basic security practices and responsible disclosure campaigns, allowing security researchers to alert organizations and governments to security vulnerabilities in their systems.

    Reply
  43. Tomi Engdahl says:

    Internet Explorer scripting engine becomes North Korean APT’s favorite target in 2018
    https://www.zdnet.com/article/internet-explorer-scripting-engine-becomes-north-korean-apts-favorite-target-in-2018/#ftag=RSSbaffb68

    North Korean hacking group focuses attacks on aging and soon-to-be-deprecated technology.

    Reply
