Cyber Security News February 2019

This posting is here to collect cyber security news in February 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.


373 Comments

  1. Tomi Engdahl says:

    Game of Thrones hacker worked with US defector to hack Air Force employees for Iran
    https://www.zdnet.com/article/game-of-thrones-hacker-worked-with-us-defector-to-hack-air-force-employees-for-iran/

    Former US Air Force intelligence agent passed crucial information to Iranian state hackers after she defected to Iran in 2013.

  2. Tomi Engdahl says:

    Lenovo Watch X Riddled with Security Vulnerabilities
    https://threatpost.com/lenovo-watch-x-riddled-with-security-vulnerabilities/141822/

    Researchers have identified multiple security issues with this Lenovo smartwatch.

    Researchers are raking the Lenovo Watch X over the security coals in a report that blasts the device for shipping with a half dozen “disturbing” privacy and security vulnerabilities.

  3. Tomi Engdahl says:

    ThreatList: Banking Trojans Are Still The Top Big Bad for Email
    https://threatpost.com/banking-trojans-top-threat-email/141814/

    Banking trojans, led by the ever-changing Emotet, dominated the email-borne threat landscape in Q4, according to Proofpoint.

  4. Tomi Engdahl says:

    South Korea is Censoring the Internet by Snooping on SNI Traffic
    https://www.bleepingcomputer.com/news/security/south-korea-is-censoring-the-internet-by-snooping-on-sni-traffic/

    South Korea has been blocking HTTP websites that are on their censor list for a while now and they have recently started using SNI filtering to block their counterparts served over HTTPS.

    A warning page bearing the seals of the Korea Communications Standards Commission (KCSC) and the Korean National Police Agency is displayed for blocked HTTP websites, while TLS sites blocked using Server Name Indication (SNI) filtering will only throw a “This site can’t be reached” error.

    SNI filtering used to block websites

    SNI is a TLS extension which allows browsers to inform a web server of the hostname they want to connect to at the beginning of the handshaking process, as detailed in IETF’s RFC3546.

  5. Tomi Engdahl says:

    Got a direct message from a top YouTuber? Chances are, it’s phishing
    https://www.kaspersky.com/blog/youtube-phishing-scam/25600/

  6. Tomi Engdahl says:

    Researchers Dig into Microsoft Office Functionality Flaws
    An ongoing study investigating security bugs in Microsoft Office has so far led to two security patches.
    https://www.darkreading.com/endpoint/researchers-dig-into-microsoft-office-functionality-flaws/d/d-id/1333870

    Microsoft Office, ubiquitous on enterprise and personal computers, is a hot target for cybercriminals and a key focus area for researchers hoping to find bugs before the bad guys do.

  7. Tomi Engdahl says:

    Swiss e-voting trial offers $150,000 in bug bounties to hackers
    The white hat hacking begins February 24th
    https://www.theverge.com/2019/2/12/18221570/swiss-e-electronic-voting-public-intrusion-test-hacking-white-hack-bug-bounties

  8. Tomi Engdahl says:

    OpenOffice Zero-Day Code Execution Flaw Gets Free Micropatch
    https://www.bleepingcomputer.com/news/security/openoffice-zero-day-code-execution-flaw-gets-free-micropatch/

    Using an exploit for this zero-day vulnerability, potential attackers can issue a directory traversal attack against users of all versions of OpenOffice and all LibreOffice releases up to and including 6.0.6/6.1.2.1.

    However, the OpenOffice 0day, which is currently tracked as CVE-2018-16858 and received a CVSS3 Base Score of 7.8 from Red Hat, has been fixed by The Document Foundation in the LibreOffice 6.0.7/6.1.3 release after receiving a report from security researcher Alex Inführ, who discovered the issue.

    Patches only the Windows version

    The researcher also created and published a Proof-of-Concept for CVE-2018-16858 in the form of a FODT extension, which he also uploaded to the VirusTotal malware scanning service.

  9. Tomi Engdahl says:

    Hackers KO Malta’s Bank of Valletta in attempt to nick €13m
    Hapless bank goes into lockdown mode, vanishes from the internet
    https://www.theregister.co.uk/2019/02/13/bank_of_valletta_13m_euro_hackers_shutdown/

    Update 3 | BOV cyber attack: €13 million transferred out with false transactions
    https://www.maltatoday.com.mt/news/national/92964/bank_of_valletta_shuts_down_operations_following_cyber_attack_#.XGQ_L8Z7mU0

    The bank said customer accounts and their funds were not impacted • Prime Minister addresses Parliament • People and retailers in the dark as to when the situation will return back to normal

  10. Tomi Engdahl says:

    The consequence of the airport chaos became clear: an invisible fence for DJI drones is coming to Finland too
    https://www.mikrobitti.fi/uutiset/lentokentan-kaaoksen-seuraus-selvisi-suomeenkin-djin-lennokeille-nakymaton-aitaus/9285ec1a-1b12-4ace-84f2-cc96c1fb3489

    Drone manufacturer DJI announces that it will change the geofencing systems of its drones, which are used to prevent them from flying into restricted areas.

  11. Tomi Engdahl says:

    Episode 20 | Defining Cyber Warfare, with Mikko Hypponen
    https://blog.f-secure.com/podcast-cyber-warfare-mikko/

  12. Tomi Engdahl says:

    STOP ransomware claims even more victims
    https://www.pandasecurity.com/mediacenter/malware/stop-ransomware-victims/

    Despite having been ‘in the wild’ for some weeks now, infections caused by STOP ransomware have continued to rise. Perhaps somewhat ironically, those most affected (at the moment) appear to be software pirates.

  13. Tomi Engdahl says:

    Researchers Implant “Protected” Malware On Intel SGX Enclaves
    https://thehackernews.com/2019/02/intel-sgx-malware-hacking.html

    Cybersecurity researchers have discovered a way to hide malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to protect it from disclosure or modification.

    In other words, the technique allows attackers to implant malware code in a secure memory that uses protection features of SGX which are otherwise designed to protect important data from prying eyes or from being tampered, even on a compromised system.

  14. Tomi Engdahl says:

    Siemens Warns of Critical Remote-Code Execution ICS Flaw
    https://threatpost.com/siemens-critical-remote-code-execution/141768/

    The affected SICAM 230 process control system is used as an integrated energy system for utility companies, and as a monitoring system for smart-grid applications.

  15. Tomi Engdahl says:

    The Scarlet Widow Gang Entraps Victims Using Romance Scams
    https://www.bleepingcomputer.com/news/security/the-scarlet-widow-gang-entraps-victims-using-romance-scams/

    We often hear about sextortion, business email compromise (BEC), and inheritance scams, but the often overlooked “Romance Scams” could be the most insidious of them all. Not only do victims lose money, but the emotional entanglement ultimately leads to heartbreak.

    Romance scams are months long, if not year long, campaigns where bad actors catfish, or pretend to be in love with, an unsuspecting victim in order to steal money from them. They do this by creating fake romantic relationships that the victims become invested in and are willing to help them with fake financial troubles.

  16. Tomi Engdahl says:

    New Astaroth Trojan Variant Exploits Anti-Malware Software to Steal Info
    https://www.bleepingcomputer.com/news/security/new-astaroth-trojan-variant-exploits-anti-malware-software-to-steal-info/

    A new Astaroth Trojan campaign targeting Brazil and European countries is currently exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and load malicious modules.

    According to Cybereason’s Nocturnus team which discovered the new Astaroth strain, just like previous installments, the malware uses “legitimate, built-in Windows OS processes to perform malicious activities and deliver a payload without being detected” but it also makes use “of well-known tools and even antivirus software to expand its capabilities.”

  17. Tomi Engdahl says:

    Hackers Wipe VFEmail Servers, May Shut Down After Catastrophic Data Loss
    https://www.bleepingcomputer.com/news/security/hackers-wipe-vfemail-servers-may-shut-down-after-catastrophic-data-loss/

    The U.S. servers of privacy-focused e-mail provider VFEmail were hacked into on February 11 and all the data was destroyed, on both the main and the backup systems.

    According to VFEmail’s owner, the hackers did not leave a ransom note and, given the extent of the destruction, the service will most likely go offline to never return.

  18. Tomi Engdahl says:

    DNS Manipulation in Venezuela in regards to the Humanitarian Aid Campaign
    https://securelist.com/dns-manipulation-in-venezuela/89592/

    Venezuela is a country facing an uncertain moment in its history. Reports suggests it is in significant need of humanitarian aid.

  19. Tomi Engdahl says:

    Norway: GPS jamming during NATO drills in 2018 a big concern
    https://apnews.com/eb300e709dfa4c6fa9d7d65a161d698b

  20. Tomi Engdahl says:

    Romance scams will cost you
    https://www.consumer.ftc.gov/blog/2019/02/romance-scams-will-cost-you

    Last year, people reported losing $143 million to romance scams – a higher total than for any other type of scam reported to the FTC. And, according to a new FTC Data Spotlight, reports of romance scams are on the rise.

  21. Tomi Engdahl says:

    Xiaomi Electric Scooters Vulnerable to Life-Threatening Remote Hacks
    https://thehackernews.com/2019/02/xiaomi-electric-scooter-hack.html

    Smart devices definitely make our lives easier, faster, and more efficient, but unfortunately, an insecure smart device can also ruin your day, or sometimes could even turn into the worst nightmare of your life.

    If you are an electric scooter rider, you should be concerned about yourself.

    In a report shared with The Hacker News in advance, researchers from mobile security firm Zimperium say they have discovered an easy-to-execute but serious vulnerability in the M365 Folding Electric Scooter by Xiaomi that could potentially put riders' lives at risk.

    Xiaomi e-Scooter has a significant market share and is also being used by different brands with some modifications.

    Xiaomi M365 Electric Scooter comes with a mobile app that utilizes password-protected Bluetooth communication, allowing its riders to securely interact with their scooters remotely for multiple features like changing password, enabling the anti-theft system, cruise-control, eco mode, updating the scooter’s firmware, and viewing other real-time riding statistics.

    However, researchers found that due to improper validation of the password at the scooter's end, a remote attacker, up to 100 meters away, could send unauthenticated commands over Bluetooth to a targeted vehicle without requiring the user-defined password.

    By exploiting this issue, an attacker can perform the following attack scenarios:

    Locking Scooters—A sort of a denial-of-service attack, wherein an attacker can suddenly lock any M365 scooter in the middle of the traffic.
    Deploying Malware—Since the app allows riders to upgrade scooter’s firmware remotely, an attacker can also push malicious firmware to take full control over the scooter.
    Targeted Attack [Brake/Accelerate]—Remote attackers can even target an individual rider and cause the scooter to suddenly brake or accelerate.

  22. Tomi Engdahl says:

    YouTube’s copyright strikes have become a tool for extortion
    Scammers are threatening to shut down channels — unless the owner pays up
    https://www.theverge.com/2019/2/11/18220032/youtube-copystrike-blackmail-three-strikes-copyright-violation

  23. Tomi Engdahl says:

    Collaborative Client-Side DNS Cache Poisoning Attack
    https://www.cs.ucr.edu/~nael/pubs/infocom19.pdf

  24. Tomi Engdahl says:

    Client-Side DNS Attack Emerges From Academic Research
    A new DNS cache poisoning attack is developed as part of the research toward a dissertation.
    https://www.darkreading.com/attacks-breaches/client-side-dns-attack-emerges-from-academic-research/d/d-id/1333848

  25. Tomi Engdahl says:

    Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries
    https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/

    On November 30, 2018, we disclosed CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870. These were vulnerabilities found back in August 2018 in several TLS libraries.

  26. Tomi Engdahl says:

    How Hackers and Scammers Break into iCloud-Locked iPhones
    https://motherboard.vice.com/en_us/article/8xyq8v/how-to-unlock-icloud-stolen-iphone

    In a novel melding of physical and cybercrime, hackers, thieves, and even independent repair companies are finding ways to “unlock iCloud” from iPhones.

  27. Tomi Engdahl says:

    The perils of using Internet Explorer as your default browser
    https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/The-perils-of-using-Internet-Explorer-as-your-default-browser/ba-p/331732

    From time to time, I am asked by customers, “How do I ensure that all web traffic goes to Internet Explorer?” In fact, I was recently asked this question by someone trying to help a hospital. Now, I understand the scenario. In healthcare (as in many other industries), it’s often the case that you’re running with an extremely thin team. As a result, it can seem that using Internet Explorer by default for all situations is the “easy button” because, well, most of your sites were designed for Internet Explorer, so…just…always use it, ok?

    In short, this seems like a deliberate decision to take on some technical debt. It’s true that most organizations have some technical debt lying around. (For example, if you’ve disabled User Account Control, require a 32-bit OS or 32-bit Office suite, or are paying for extended support for a legacy version of Java, you have some technical debt.) But this technical debt? Well, it’s different.

  28. Tomi Engdahl says:

    Germany just deleted Facebook
    https://boingboing.net/2019/02/07/zuckerbackpfeifengesicht.html

    Germany’s Federal Cartel Office (Bundeskartellamt, the country’s antitrust regulator) has ruled that Facebook can’t combine user data aggregated from different sources (Facebook usage data, data from pages with Facebook Like buttons, data purchased from third parties, etc), because users can’t reasonably anticipate the way these different datastreams might be combined, nor the kinds of inferences that could be gleaned thereby.

  29. Tomi Engdahl says:

    Opening this image file grants hackers access to your Android phone
    Be careful if you are sent an image from a suspicious source.
    https://www.zdnet.com/article/opening-this-image-file-grants-hackers-access-to-your-android-phone/

  30. Tomi Engdahl says:

    Apple Update: Drop Everything and Patch iOS
    Zero Days Being Exploited; Apple Contributes to ‘FacePalm’ Bug Finder’s Tuition
    https://www.bankinfosecurity.com/apple-update-drop-everything-patch-ios-a-12013

    Patch now. That’s the message security experts have for all iOS users following Apple’s release of a security update on Thursday.

  31. Tomi Engdahl says:

    Federal MPs’ computer network hacked in possible foreign government attack
    https://www.smh.com.au/politics/federal/federal-mps-computer-network-hacked-forcing-passwords-to-be-changed-20190208-p50wgm.html

    National security agencies are continuing to scour the Parliament’s computer network for threats to MPs’ data after what is being described as a “sophisticated” hack attack that could be the work of a foreign government.

    Alastair MacGibbon, head of the Australian Cyber Security Centre, said the government’s cyber experts would work over coming days and weeks to make sure all the breaches had been detected and the hackers’ presence removed.

  32. Tomi Engdahl says:

    Google warns about two iOS zero-days ‘exploited in the wild’
    https://www.zdnet.com/article/google-warns-about-two-ios-zero-days-exploited-in-the-wild/

    iOS users are advised to update to iOS 12.1.4; release which also fixes infamous FaceTime bug.

    A Google top security engineer has revealed today that hackers have been launching attacks against iPhone users using two iOS vulnerabilities. The attacks happened before Apple had a chance to release iOS 12.1.4 today, meaning the two vulnerabilities are what security experts call “zero-days.”

    Apple Fixes Pesky FaceTime Bug in iOS 12.1.4 Update
    https://threatpost.com/apple-fixes-pesky-facetime-bug-in-ios-12-1-4-update/141621/

  33. Tomi Engdahl says:

    First clipper malware discovered on Google Play
    https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/

    Cryptocurrency stealers that replace a wallet address in the clipboard are no longer limited to Windows or shady Android app stores

  34. Tomi Engdahl says:

    Container Escape Flaw Hits AWS, Google Cloud, Linux Distros
    https://www.securityweek.com/container-escape-flaw-hits-aws-google-cloud-linux-distros

    A vulnerability recently addressed in runc could allow malicious containers to gain root-level code execution on the host.

    Introduced in 2015, runc is a lightweight, portable container runtime that includes all of the code used by Docker to interact with system features related to containers. The runtime is used in most containers out there, including cri-o, containerd, Kubernetes, Podman, and others.

    Tracked as CVE-2019-5736 and featuring a CVSSv3 score of 7.2, the vulnerability can be exploited with minimal user interaction, senior software engineer at SUSE Linux and runc maintainer Aleksa Sarai says.

    The use of SELinux in targeted enforcing mode prevents this vulnerability from being exploited. However, the default AppArmor policy and the default SELinux policy on Fedora (only the moby-engine package) fail to prevent the bug, Sarai says.

  35. Tomi Engdahl says:

    It starts with Linux: How Red Hat is helping to counter Linux container security flaws
    https://www.redhat.com/en/blog/it-starts-linux-how-red-hat-helping-counter-linux-container-security-flaws

    The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies…and that’s exactly what this vulnerability represents.

  36. Tomi Engdahl says:

    Microsoft Patches Internet Explorer Zero-Day Reported by Google
    https://www.securityweek.com/microsoft-patches-internet-explorer-zero-day-reported-google

    Microsoft’s Patch Tuesday updates for February 2019 address more than 70 vulnerabilities, including an Internet Explorer flaw that Google researchers have spotted being exploited in attacks.

    This zero-day vulnerability is tracked as CVE-2019-0676 and it has been described by Microsoft as an information disclosure issue that exists due to the way Internet Explorer handles objects in memory.

  37. Tomi Engdahl says:

    Hacker Erases Email Provider’s Servers, Backups
    https://www.securityweek.com/hacker-erases-email-providers-servers-backups

    Email provider VFEmail was hit by a destructive attack, where a hacker who accessed its network was able to erase its servers in the United States, including the backup systems.

    “We have suffered catastrophic destruction at the hands of a hacker. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,” the company writes on its website.

    Established in 2001, the company provides email services and claims to provide increased email security through scanning all incoming messages and attachments for viruses and blocking malicious content via a gateway, before reaching its servers.

    However, this incident shows that user data was not protected with appropriate measures.

  38. Tomi Engdahl says:

    Windows App Runs on Mac, Downloads Info Stealer and Adware
    https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/

    EXE is the official executable file format used for Windows to signify that they only run on Windows platforms, and to serve as a security feature. By default, attempting to run an EXE file on a Mac or Linux OS will only show an error notification.

    However, we found EXE files in the wild delivering a malicious payload that overrides Mac’s built-in protection mechanisms such as Gatekeeper. This routine evades Gatekeeper because EXE is not checked by this software, bypassing the code signature check and verification since the technology only checks native Mac files. While no specific attack pattern is seen, our telemetry showed the highest numbers for infections to be in the United Kingdom, Australia, Armenia, Luxembourg, South Africa and the United States.
