Cyber Security News February 2019

This posting is here to collect cyber security news in February 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

 

373 Comments

  1. Tomi Engdahl says:

    DanaBot updated with new C&C communication
    https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/

    ESET researchers have discovered new versions of the DanaBot Trojan, updated with a more complicated protocol for C&C communication and slight modifications to architecture and campaign IDs

    Reply
  2. Tomi Engdahl says:

    MacOS Zero-Day Exposes Apple Keychain Passwords
    https://threatpost.com/macos-zero-day-exposes-apple-keychain-passwords/141584/

    A researcher who discovered a flaw letting him steal passwords in MacOS is not sharing his findings with Apple without a macOS bug bounty program.

    A researcher claims to have found a new Apple zero-day impacting macOS that could allow an attacker to extract passwords from a targeted Mac’s keychain password management system. However, the researcher refuses to disclose the alleged vulnerability citing Apple’s lack of macOS bug bounty program.

    Reply
  3. Tomi Engdahl says:

    Airbus Data Takes Flight; and Billions of Credentials Dumped on Dark Web
    https://threatpost.com/airbus-data-breach/141368/

    A cyberattack lifts employee data at the French aerospace giant as news hits of “Collections 2-5” being passed around the underground.

    French airplane and military aircraft behemoth Airbus SE has become the latest victim of a cyberattack leading to a data breach, with an incident detected on its “commercial aircraft business” information systems.

    It is only the latest high-profile data exposure to come to light in recent days, and it dovetails with the release of billions of records on the Dark Web as part of a data dump that’s being called “Collections #2-5.”

    The company said on Wednesday that the incident resulted in unauthorized access to employee data, but that there was no impact on Airbus’ commercial operations or intellectual property.

    Reply
  4. Tomi Engdahl says:

    Business Email Compromise Attacks See Almost 500% Increase
    https://www.bleepingcomputer.com/news/security/business-email-compromise-attacks-see-almost-500-percent-increase/

    Business email compromised (BEC) attacks have seen an explosive 476% growth between Q4 2017 and Q4 2018, while the number of email fraud attempts against companies increased 226% QoQ.

    BEC attacks use social engineering to target specific company employees, regularly from the firm’s Finance department, and try to persuade them into wiring large sums of money to third-party banking accounts controlled by the attackers.

    Cryptojacking Overtakes Ransomware, Malware-as-a-Service on the Rise
    https://www.bleepingcomputer.com/news/security/cryptojacking-overtakes-ransomware-malware-as-a-service-on-the-rise/

    Cryptominers infected roughly ten times more organizations during 2018 than ransomware did, however only one in five security professionals knew that their company’s systems have been impacted by a malware attack as reported by Check Point Research.

    This follows a trend where threat actors have been doing their best to keep a low profile as much as possible, giving up on large scale ransomware attacks which get noticed immediately and switching to the harder to detect cryptojacking campaigns.

    Reply
  5. Tomi Engdahl says:

    Flaw in Multiple Airline Systems Exposes Passenger Data
    https://threatpost.com/flaw-in-multiple-airline-systems-exposes-passenger-data/141596/

    Up to eight airlines do not encrypt e-ticketing booking systems – leaving personal customer data open for the taking.

    Researchers have discovered that multiple airline e-ticketing systems do not encrypt check-in links. The security faux pas could allow bad actors on the same network as the victim to view – and in some cases even change – their flight booking details or boarding passes.

    Reply
  6. Tomi Engdahl says:

    Who are the last people you’d expect to spill thousands of student records? A computer science dept? What a fantastic guess
    O(1)? More like O(h) n(O)! Proto-boffins’ info leaks out
    https://www.theregister.co.uk/2019/02/07/cal_poly_leak/

    An errant email leaked academic information on every student at the Cal Poly Pomona College of Science, in California.

    University publication Poly Post reports that it was, of all people, the American school’s computer science department that was to blame for the exposure of 4,557 active student records in an email that got sent out to other students – and was later partially posted to the forums of Reddit.

    The data leak occurred on January 28

    Reply
  7. Tomi Engdahl says:

    Ammattilaisetkaan eivät aina huomaa kryptolouhijoita
    http://www.etn.fi/index.php/13-news/9052-ammattilaisetkaan-eivat-aina-huomaa-kryptolouhijoita

    Check Pointin raportin mukaan kyberrikollisuus on demokratisoitunut, kun haittaohjelmien myymisestä palveluna (malware as a service) on tullut ansaintamuoto, ja kehittyneitä hyökkäysmenetelmiä on tarjolla kaikille, jotka ovat halukkaita maksamaan niistä.

    Raportin mukaan kasvussa ovat etenkin useita erilaisia tekniikoita hyödyntävät hyökkäykset, jotka pyrkivät välttämään yritysten tietoturvatutkat.

    Reply
  8. Tomi Engdahl says:

    Power Company Has Security Breach Due to Downloaded Game
    https://www.bleepingcomputer.com/news/security/power-company-has-security-breach-due-to-downloaded-game/

    South African energy supplier Eskom Group has been hit with a double security breach consisting of an unsecured database containing customer information and a corporate computer infected with the Azorult information-stealing Trojan.

    According to Eskom’s web site, they are an energy company based out of Johannesburg in South Africa that supplies 95% of the electricity used in South Africa and approximately 45% of the electricity used in Africa.

    Based on information provided to BleepingComputer, these breaches exposed Eskom’s network credentials, customer information, redacted customer credit card information, and sensitive business information.

    It all started when security researcher .sS.! discovered data belonging to Eskom that was stolen by the Azorult password-stealing Trojan.

    Infection caused by downloaded game

    According to a screenshot created by Azorult when it was installed, the infection was masquerading as a downloader for The Sims 4 game.

    Data breach from unsecured database

    To make matters worse, a security researcher by the name of Devin Stokes found an unsecured database belonging to Eskom that had been publicly available for weeks.

    From screenshots shared by Stokes, this database contained customer information, redacted payment information, meter information, and other sensitive details.

    After repeated attempts to contact them in order to disclose the data breach, Stokes publicly tweeted a portion of the data to the Eskom Twitter account in order to get a response.

    In response, Eskom finally replied that they were investigating the matter.

    Reply
  9. Tomi Engdahl says:

    RDP Clients Exposed to Reverse RDP Attacks by Major Protocol Issues
    https://www.bleepingcomputer.com/news/security/rdp-clients-exposed-to-reverse-rdp-attacks-by-major-protocol-issues/

    Multiple major vulnerabilities were discovered in the Remote Desktop Protocol (RDP) protocol which can allow bad actors to take control of computers connecting to a malicious server using remote code execution and memory corruption.

    Reply
  10. Tomi Engdahl says:

    China hacked Norway’s Visma to steal client secrets – investigators
    https://uk.reuters.com/article/uk-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUKKCN1PV14R

    Hackers working on behalf of Chinese intelligence breached the network of Norwegian software firm Visma to steal secrets from its clients, cybersecurity researchers said, in what a company executive described as a potentially catastrophic attack.

    Visma took the decision to talk publicly about the breach to raise industry awareness about the hacking campaign, which is known as Cloudhopper and targets technology service and software providers in order reach their clients.

    “But if I put on my paranoia hat, this could have been catastrophic,” he said. “If you are a big intelligence agency somewhere in the world and you want to harvest as much information as possible, you of course go for the convergence points, it’s a given fact.”

    Reply
  11. Tomi Engdahl says:

    Microsoft Confirms Serious ‘PrivExchange’ Vulnerability
    https://threatpost.com/microsoft-confirms-serious-privexchange-vulnerability/141553/

    The elevated privilege flaw exists in Microsoft Exchange and would allow a remote attacker to impersonate an administrator.

    https://www.us-cert.gov/ncas/current-activity/2019/02/05/Microsoft-Releases-Security-Advisory-Exchange-Server

    Reply
  12. Tomi Engdahl says:

    Critical Zcash Bug Could Have Allowed ‘Infinite Counterfeit’ Cryptocurrency
    https://thehackernews.com/2019/02/zcash-cryptocurrency-hack.html

    Reply
  13. Tomi Engdahl says:

    APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
    https://www.recordedfuture.com/apt10-cyberespionage-campaign/

    Norwegian company Visma, who was targeted in the attack, and U.S. company Rapid7 provided support and extensive expertise throughout this research. Industry collaboration is a vital enabler in illuminating threats and offering protection to organizations at risk from hostile, state-sponsored economic cyberespionage.

    Reply
  14. Tomi Engdahl says:

    BEC Actors Exploiting Gmail “Dot Accounts” for Fun and Profit
    https://www.agari.com/email-security-blog/bec-actors-exploit-google-dot-feature/

    Recently, during one of our investigations into a group comprised of these threat actors, we observed several scammers taking advantage of a “feature” that Google has built into Gmail addresses. While Google sees this as an advantage of consumers, cybercriminals are exploiting it for malicious activities.

    Let’s assume I create a Gmail account with the email address bad.guy007[at]gmail.com. Visually, it looks like the username “bad.guy007” is separated by a period. According to Google, however, “you own all dotted versions of your address.” This means that Google interprets the email address I created as badguy007[at]gmail.com, stripping out the period, and the same can be said if the dot was placed in any other place in the email address. In other words, this interpretation is a feature, not a bug. This also means that b.a.d.g.u.y.007[at]gmail.com and bad.guy.007[at]gmail.com and ba.dg.uy.007[at]gmail.com all direct incoming email to the same account.

    For example, if I sign up for a Netflix account using the email address badguy007[at]gmail.com and then again with b.adg.uy007[at]gmail.com, Netflix—like most other online services—would think that these are two different accounts linked to two different people. This is where, and how, cybercriminals are able to take advantage.

    Reply
  15. Tomi Engdahl says:

    GandCrab Ransomware Helps Shady Data Recovery Firms Hide Ransom Costs
    https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-helps-shady-data-recovery-firms-hide-ransom-costs/

    The GandCrab ransomware TOR site allows shady data recovery companies to hide the actual ransom cost from victims and it is currently being disseminated through a large assortment of distribution channels according to a Coveware report.

    Partnering with recovery firms who frequently access GandCrab’s TOR site is an already documented feature, with “discount” codes being provided to the most active ones, usable when processing future settlements.

    The ransomware’s TOR site comes with a hidden private chat that can be enabled using one of the “discount” codes, allowing dishonest data recovery firms to hide the final cost of the GandCrab decryption process from its customers.

    Reply
  16. Tomi Engdahl says:

    I won’t bother hunting and reporting more Sony zero-days, because all I’d get is a lousy t-shirt
    It’s 2019. Should billion-dollar corps do better than offer swag for vulns?
    https://www.theregister.co.uk/2019/02/05/sony_tshirt_bounty/

    Hunting for exploitable security bugs in software is not an easy way to make a living, and vulnerability researchers say vendors who don’t pay out for reports are making life even harder while putting their own products at risk.

    Such was the case with João Figueiredo, a researcher in Brazil who tracked down and reported remote code execution vulnerabilities in two websites run by Sony and Sony Pictures. Those flaws were rated as a critical risk, and earned Figueiredo recognition on the hacktivity page of HackerOne, hired by Sony to handle its bug bounties.

    It could, however, have been an even bigger disclosure, with potentially more security holes in the entertainment giant’s systems reported, had Sony offered Figueiredo better incentives. With just a t-shirt up for grabs, though, he decided to leave it at two.

    Reply
  17. Tomi Engdahl says:

    Shellbot Crimeware Re-Emerges in Monero Mining Campaign
    New attack uses a repurposed version of the Trojan that spreads using Internet Relay Chat.
    https://www.darkreading.com/vulnerabilities—threats/shellbot-crimeware-re-emerges-in-monero-mining-campaign/d/d-id/1333801

    Reply
  18. Tomi Engdahl says:

    Ethical Hacker Exposes Magyar Telekom Vulnerabilities, Faces 8 Years in Jail
    https://www.bleepingcomputer.com/news/security/ethical-hacker-exposes-magyar-telekom-vulnerabilities-faces-8-years-in-jail/

    An ethical hacker who discovered a security vulnerability in Magyar Telekom’s IT systems during April 2018 is currently being investigated by the Hungarian Prosecution Service after the company filed a complaint and faces 8 years in prison, local Hungarian media reports.

    Reply
  19. Tomi Engdahl says:

    Report: Chinese cyberspies hacked MSP, retailer and law firm in economic espionage campaign
    https://www.scmagazine.com/home/security-news/apts-cyberespionage/report-chinese-cyberspies-hacked-msp-retailer-and-law-firm-in-economic-espionage-campaign/

    The Chinese state-sponsored threat actor APT10 used stolen remote access software credentials to infiltrate the network of Norwegian managed services provider Visma last year, likely in an effort to launch secondary attacks against the MSP’s clients.

    An investigation into the cyber espionage campaign revealed that APT10, aka Stone Panda, used similar tactics to invade the networks of at least two other companies – an international apparel retailer and a U.S.-based law firm with a specialization in intellectual property law.

    Reply
  20. Tomi Engdahl says:

    A Valentine’s Day Warning for Let’s Encrypt TLS-SNI Users
    https://www.venafi.com/blog/valentines-day-warning-lets-encrypt-sni-users?utm_source=socialmedia&utm_medium=Bora&utm_campaign=Valentine-letsencrypt-crawley-blog

    Many organizations need to use free certificate authorities. If your business doesn’t have a budget for a paid CA, it’s certainly better to deliver your website or web app through HTTPS with the help of Let’s Encrypt than to use the plaintext web through HTTP. Recent versions of popular web browsers on both desktop and mobile such as Mozilla Firefox and Google Chrome have started to warn web surfers that HTTP sites are “not secure.”

    probably convinced many organizations which previously avoided HTTPS because they didn’t want to pay for TLS certificates to sign up with Let’s Encrypt so that their users wouldn’t be dissuaded to visit their websites with a web browser-delivered warning. Also, Google has acknowledged that HTTP web pages are now being ranked lower in their search engine than HTTPS web pages

    If your organization uses Let’s Encrypt as a CA, there’s an important deadline coming up very, very soon. On February 13, 2019, Let’s Encrypt will disable support for TLS-SNI-01 domain validation.

    Reply
  21. Tomi Engdahl says:

    Not allowed to invent imaginary MITM attacks: Like MITI (Man in the Intern, aka social engineering via romantic compromise)… Its a big problem this time of year or so it is said.

    Reply
  22. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    Jack’d, a gay dating app with 1M+ downloads from the Play store, stored users’ images, posted and marked as private in chat sessions, on an unsecured AWS server

    Indecent disclosure: Gay dating app left “private” images, data exposed to Web (Updated)
    https://arstechnica.com/information-technology/2019/02/indecent-disclosure-gay-dating-app-left-private-exposed-to-web/

    Online-Buddies was exposing its Jack’d users’ private images and location; disclosing posed a risk.

    Reply
  23. Tomi Engdahl says:

    BBC:
    Germany orders Facebook to stop combining data from WhatsApp, Instagram, and third-party sites with data in a user’s main Facebook account without their consent

    Facebook ordered by Germany to gather and mix less data
    https://www.bbc.com/news/technology-47146431

    Reply
  24. Tomi Engdahl says:

    Thousands of industrial refrigerators can be remotely defrosted, thanks to default passwords
    https://techcrunch.com/2019/02/08/industrial-refrigerators-defrost-flaw/?sr_share=facebook&utm_source=tcfbpage

    Security researchers have found thousands of exposed internet-connected industrial refrigerators that can be easily remotely instructed to defrost.

    More than 7,000 vulnerable temperature controlled systems, manufactured by U.K.-based firm Resource Data Management, are accessible from the internet and can be controlled by simply plugging in its default password found in documentation on the company’s website, according to Noam Rotem, one of the security researchers who found the vulnerable systems.

    Reply
  25. Tomi Engdahl says:

    Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries
    https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/

    On November 30, 2018. We disclosed CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870. These were from vulnerabilities found back in August 2018 in several TLS libraries.

    We tested nine different TLS implementations against cache attacks and seven were found to be vulnerable: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS. The cat is not dead yet, with two lives remaining thanks to BearSSL (developed by my colleague Thomas Pornin) and Google’s BoringSSL.

    The attack leverages a side-channel leak via cache access timings of these implementations in order to break the RSA key exchanges of TLS implementations.

    Reply
  26. Tomi Engdahl says:

    Chinese intelligence hacked Norwegian software firm Visma to steal client secrets, investigators say
    https://m.scmp.com/news/world/europe/article/2185218/chinese-intelligence-hacked-norwegian-software-firm-visma-steal?utm_medium=Social&utm_source=Facebook#Echobox=1549474474

    The alleged attack was part of a global effort by China’s Ministry of State Security to steal intellectual property and company secrets, say security experts

    The claims came after Norway’s police intelligence agency accused Beijing of stealing information via technology provided by telecom tech giant Huawei

    Reply
  27. Tomi Engdahl says:

    SWITZERLAND OFFERS BOUNTIES TO ANYONE WHO HACKS ITS E-VOTING SYSTEM
    https://www.securitynewspaper.com/2019/02/09/switzerland-offers-bounties-to-anyone-who-hacks-its-e-voting-system/

    Security investigators aspire to rewards of up to 50k Swiss francs

    Swiss government announced a bounty of 150K Swiss francs (about $140k USD) for hackers who successfully enter to its electronic voting system, as reported by network security and ethical hacking specialists from the International Institute of Cyber Security.

    Reply
  28. Tomi Engdahl says:

    Power Company Has Security Breach Due to Downloaded Game
    https://www.bleepingcomputer.com/news/security/power-company-has-security-breach-due-to-downloaded-game/

    South African energy supplier Eskom Group has been hit with a double security breach consisting of an unsecured database containing customer information and a corporate computer infected with the Azorult information-stealing Trojan.

    Reply
  29. Tomi Engdahl says:

    Power Company Fined $10 Million For Inadequate Cybersecurity
    https://www.cynexlink.com/2019/02/04/power-company-fined-10-million-for-inadequate-cybersecurity/

    Identified as Duke Energy Corp. in recent reports, one energy company experienced a cybersecurity inadequacy that is costing them a whopping fine of $10 million dollars. Said to be the largest imposed fine for the offense, the company was told to pay up by The North American Electric Reliability Corp. for the infraction.

    Reply
  30. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Google warns about two iOS zero-day vulnerabilities that hackers have been actively exploiting; the vulnerabilities have been fixed in iOS 12.1.4

    Google warns about two iOS zero-days ‘exploited in the wild’
    https://www.zdnet.com/article/google-warns-about-two-ios-zero-days-exploited-in-the-wild/

    iOS users are advised to update to iOS 12.1.4; release which also fixes infamous FaceTime bug.

    Reply
  31. Tomi Engdahl says:

    Facebook Says It Needs to Collect All Your Data to Protect Against Terrorism and Child Abuse
    https://gizmodo.com/facebook-scolded-in-germany-but-insists-it-needs-to-col-1832421065

    Facebook was slapped with a ruling in Germany today that limits how the social media giant can collect data across its multiple platforms, like WhatsApp and Instagram. And Facebook is not happy about it, to say the least. The company says it’s collecting all of that data for your own good. They’re simply using their data sharing methods to protect you against terrorism and child abuse, according to Facebook. Seriously.

    Reply
  32. Tomi Engdahl says:

    Popular iPhone apps caught recording your screen without permission – here are the offenders

    https://bgr.com/2019/02/07/iphone-apps-can-record-your-every-tap-and-swipe-report-says/

    Reply
  33. Tomi Engdahl says:

    Introducing Zombie POODLE and GOLDENDOODLE
    https://www.tripwire.com/state-of-security/vulnerability-management/zombie-poodle-goldendoodle/

    Zombie POODLE and GOLDENDOODLE are the names I’ve given to the vulnerabilities I’ll be discussing. Similar to ROBOT, DROWN and many other vulnerabilities affecting HTTPS, these issues stem from continued use of cryptographic modes which should have been long ago deprecated and yet are inexplicably still supported in TLSv1.2. In this case, the troublesome feature is that TLSv1.2 supports CBC mode ciphersuites.

    Reply
  34. Tomi Engdahl says:

    Japan Is Going To Hack Into Millions Of Its Citizens’ Devices
    http://www.realclearlife.com/daily-brief/japan-going-hack-millions-citizens-devices/

    The hack is part of an effort to improve cyber security.

    Reply
  35. Tomi Engdahl says:

    MISSOURI ROAD SIGN HACKED TO SAY ‘I HATE DONALD TRUMP’: IT ‘RIPS AT THE FABRIC OF OUR COUNTRY,’ SAYS VETERAN
    https://www.newsweek.com/road-sign-donald-trump-pewdiepie-i-hate-donald-trump-missouri-kansas-city-1317942

    Reply
  36. Tomi Engdahl says:

    Reverse RDP Attack: Code Execution on RDP Clients
    https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/

    However, Check Point Research recently discovered multiple critical vulnerabilities in the commonly used Remote Desktop Protocol (RDP) that would allow a malicious actor to reverse the usual direction of communication and infect the IT professional or security researcher’s computer. Such an infection could then allow for an intrusion into the IT network as a whole.
    16 major vulnerabilities and a total of 25 security vulnerabilities were found overall.

    Reply
  37. Tomi Engdahl says:

    FBI ‘ran sting against Huawei in new technology theft case’
    https://m.scmp.com/news/china/article/2185024/fbi-ran-sting-against-huawei-new-technology-theft-case

    Bloomberg Businessweek said the operation involved Akhan Semiconductor, a US start-up with new glass for smartphone screens
    Investigators were said to have asked an Akhan executive to record a conversation with Huawei officials at last month’s electronics trade show in Las Vegas

    Reply
  38. Tomi Engdahl says:

    Does Your Sex Toy Use Encryption?
    Jen Caltrider February 6, 2019
    https://blog.mozilla.org/blog/2019/02/06/does-your-sex-toy-use-encryption/

    This Valentine’s Day, Mozilla is assessing the privacy and security features of romantic connected devices

    Reply
  39. Tomi Engdahl says:

    Open letter on the Terrorism Database
    https://edri.org/open-letter-on-the-terrorism-database/

    On 4 February 2019, EDRi joined dozens of organisations and academics in signing an open letter. The letter criticises, in the Terrorist Content Regulation debate, the blind faith in a database to flag “terrorist content”

    The undersigned organizations write to share our concerns about the EU’s proposed Regulation on Preventing the Dissemination of Terrorist Content Online, and in particular the Regulation’s call for Internet hosts to use “proactive measures” to detect terrorist content. We are concerned that if this Regulation is adopted, it will almost certainly lead platforms to adopt poorly understood tools,

    Reply
  40. Tomi Engdahl says:

    Researcher Assaulted By A Vendor After Disclosing A Vulnerability
    https://www.secjuice.com/security-researcher-assaulted-ice-atrient/

    Following a serious vulnerability disclosure affecting casinos globally, an executive of casino technology vendor Atrient has allegedly assaulted the security researcher who disclosed the vulnerability at the ICE conference in London. This is the story of a vulnerability disclosure gone bad, one involving the FBI, a vendor with a global customer base of casinos and a severe security vulnerability which has gone unresolved for four months without being properly addressed.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*