Cyber Security March 2019

This posting is here to collect cyber security news in March 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

490 Comments

  1. Andreas Reinhard says:

    This time, India’s state-owned LPG gas company Indane leaked the Aadhaar numbers of 6.7 million Indian customers. Due to a lack of authentication in the local dealers’ portal, Indane is leaking the names, addresses and Aadhaar numbers of its customers.

    Baptiste Robert, a French security researcher who goes by the pseudonym “Elliot Alderson” on Twitter and has prior experience investigating Aadhaar exposures, worked with the help of an Indian researcher. Using a custom-built script to scrape the database behind the official website, he found that the LPG gas company was leaking the personal details of 6.7 million Indian customers, including their Aadhaar numbers, and that data on 11,000 Indane dealers was exposed as well.

    Reply
  2. Steven Raker says:

    Hackers breached the U.S. servers of privacy-focused VFEmail.net on February 11 and wiped the data on both the primary and backup systems. The attack took the company’s site and webmail client down without notice, in what the company is calling “catastrophic destruction”: some 60,000 emails sent and received over more than a decade were destroyed.

    “This is not looking good,” the company tweeted.

    It added: “All externally facing systems, of differing OS’s and remote authentication, in multiple data centers, are down.”

    “At this time, the attacker has formatted all the disks on every server. Every VM is lost. Every file server is lost, every backup server is lost.”

    Two hours after the hack, VFEmail announced on its official Twitter handle that the hackers had been able to format each and every disk on all servers, with all (Vendor management system) VMs lost in the process.

    Email provider VFEmail’s US servers hacked after catastrophic data loss
    “I have an account with that site, all the email in my account was deleted,” Senchak said.

    “After 17 years, if I was planning to shut it down, it’d be shut down by me – not script kiddies.”
    VFEmail is the first service to get its data destroyed in a hacking attack without receiving a ransom note offering a way to avoid the catastrophic data loss.

    A statement VFEmail’s developer posted to its website gave more details. It also pointed to an IP address which looks to be registered in Bulgaria.

    Reply
  3. Tomi Engdahl says:

    Report: Coca-Cola, ToysRUs, McDonald’s, and Fiverr Websites Taken Down by Anonymous Hacker Group
    https://www.safetydetective.com/blog/coca-cola-groupon-mcdonalds-and-fiverr-websites-taken-down-by-anonymous-hacker-group/

    While you were taking it easy this weekend, over 1 million pages on hundreds of websites were taken over by hacker group Anonymous and made to display a contentious political message.

    Many Israeli corporate websites were affected: the local domains of .co.il addresses.

    Programmer and security expert, Ran Bar Zik, reported that the vulnerability was first posted on Twitter by researcher Yuval Adam

    The vulnerability, which included malicious code with an embedded link that downloads ransomware to the users’ computer, was due to a third party accessibility plug-in for the disabled, used across many Israeli websites.

    Despite many prior warnings about the accessibility plug-in’s extremely lax-security, no action was taken by the developer

    The hackers were able to replace the accessibility plugin with malicious JavaScript code that displayed the controversial political message, and embedded a link that downloads ransomware to the users’ computer.

    All in all the issue was resolved in under an hour; but it demonstrated the risk of using an unsecured third party plug-in across so many websites. It was lucky that the hackers decided to make the attack about a contentious political message rather than focusing on economic damage, which would have resulted in much greater harm. As little as a basic JavaScript file is all it takes to create wide-spread havoc on so many sites.

    Using third party plug-ins leaves sites open to undetected vulnerabilities.

    Reply
  4. Tomi Engdahl says:

    Android Q isn’t even out yet, but it has already been rooted
    https://www.androidpolice.com/2019/03/03/android-q-isnt-even-out-yet-but-it-has-already-been-rooted/

    Android Q may only exist for consumers as leaked, half-built, buggy builds circulating among forums, but Wu has already rooted it.

    Reply
  5. Tomi Engdahl says:

    Chinese cops are wearing glasses that can recognize faces
    https://www.technologyreview.com/the-download/610214/chinese-cops-are-using-facial-recognition-specs/?utm_source=facebook&utm_medium=tr_social&utm_content=2018-02-07&utm_campaign=site_visitor.unpaid.engagement

    AI that identifies people in crowds is already pervasive in China—and now it’s augmenting police officers’ eyes, too.

    Reply
  6. Tomi Engdahl says:

    Will Oremus / Slate:
    Picking a VPN to trust is a problem, but as demand grows, there’s incentive for the industry to outgrow its Wild West phase and develop industry standards — Virtual private networks are now a must-have privacy tool.

    Do You Trust Your VPN? Are You Sure?
    https://slate.com/technology/2019/02/best-vpn-companies-trust-privacy.html

    Virtual private networks are now a must-have privacy tool. But good luck figuring out which ones will actually make you safer.

    The advice is everywhere, from Consumer Reports to the New York Times to the Federal Trade Commission: If you care to keep your web browsing private and secure, you should consider a virtual private network, or VPN.

    A VPN encrypts your internet traffic and routes it through remote servers, protecting your data (like your browsing history, downloads, and chat messages) and masking your location. Long popular with hackers and software pirates, VPNs are poised to go mainstream—like ad blockers before them—as the average internet user becomes more sophisticated about online privacy. Reliable data on their use is hard to come by,

    One industry analysis estimates that VPN usage worldwide quadrupled between 2016 and 2018, while a forecast by Global Market Insights predicts the U.S. VPN market will be worth more than $54 billion by 2024.

    So shouldn’t I, like, have one?

    I sometimes connect to insecure Wi-Fi networks at airports or coffee shops, and while I’ve never pirated a movie, there are times when I wouldn’t mind skirting geographic restrictions on web content. I certainly don’t like having to trust my internet service provider, Verizon, with all of my browsing data.

    When I set out to find the right VPN, however, I ran into an awkward problem: figuring out which of the scores of VPN providers to trust.

    “It is fascinating the amount of sniping that goes on” between VPN companies, said Joseph Jerome, who has closely studied VPNs in his role as policy counsel for the Privacy and Data Project at the nonprofit Center for Democracy & Technology. “They are very quick to pull out knives and shiv each other.”

    While it’s possible AnchorFree is just trolling ExpressVPN by suggesting that it’s based in China, the risk is not imaginary.

    VPNs work by rerouting your internet connection through remote servers that disguise your location and make you harder for websites to identify. They also hide your browsing activity from your own ISP, which would otherwise have access to pretty much everything you do online—as could, say, a law enforcement agency that subpoenaed your activity (or, if you’re really paranoid, an intelligence agency that somehow hoovered it up).

    many VPNs can also be used to sneak around your country’s laws or copyright restrictions

    In fact, access to entertainment content is the top reason for VPN use around the world, according to a 2018 report from GlobalWebIndex.

    VPNs are not a new phenomenon.

    But it’s only in recent years that VPN companies have become a hot commodity in the tech world. They’ve been pushed along by the rise of insecure public Wi-Fi networks and the proliferation of online content that’s available in some countries but not others.

    while every VPN will swear to you that it cares more deeply about your privacy than anything else, some also have a penchant for pointing fingers at rivals who they say are not to be trusted.

    So how to choose? You might want to start with the biggest VPN—but it’s essentially impossible to figure out which one that is. Most of the major players are privately held and don’t disclose the size of their user base. To further complicate matters, the easiest way to become large as a VPN is to offer a free product, which usually means one that’s ad-supported.

    When a VPN hides its owners’ identities and incorporates in an offshore territory, “it’s usually because they’re breaking laws,” says Francis Dinha, co-founder and CEO of OpenVPN, an open-source service aimed at business customers.

    With demand for VPNs soaring, there’s plenty of incentive for the industry to outgrow its Wild West phase. The partnerships with nonprofits and third-party audits are a step in that direction. NordVPN recently followed AnchorFree and ExpressVPN down that path, commissioning an audit by PricewaterhouseCoopers to back up its claims to protect user privacy.

    I thought when I began writing this story that I’d figure out which VPN I’d trust for my own use. Several weeks, dozens of calls, and thousands of words later, I can’t say I’m much closer to a clear-cut answer.

    One of the only definitive takeaways, besides “steer clear of free VPNs,” is that your choice of VPN should depend on what you’re using it for.

    Reply
  7. Tomi Engdahl says:

    Comcast set mobile pins to “0000,” helping attackers steal phone numbers
    https://arstechnica.com/information-technology/2019/03/a-comcast-security-flub-helped-attackers-steal-mobile-phone-numbers/

    Xfinity Mobile deploys fix after weak PIN system fueled number-porting attacks.

    Reply
  8. Tomi Engdahl says:

    New exploit lets attackers take control of Windows IoT Core devices
    https://www.zdnet.com/article/new-exploit-lets-attackers-take-control-of-windows-iot-core-devices/

    Exclusive: Researcher creates a remote access trojan for Windows IoT Core smart devices.

    Reply
  9. Tomi Engdahl says:

    19-year-old makes millions from ethical hacking
    https://www.zdnet.com/article/19-year-old-makes-millions-from-ethical-hacking/

    The Argentine teenager has topped the charts when it comes to bug bounty hunting.

    Reply
  10. Tomi Engdahl says:

    Researchers uncover ring of GitHub accounts promoting 300+ backdoored apps
    https://www.zdnet.com/article/researchers-uncover-ring-of-github-accounts-promoting-300-backdoored-apps/

    GitHub ring consisting of 89 accounts promoted 73 repos containing over 300 backdoored apps.

    Reply
  11. Tomi Engdahl says:

    W3C finalizes Web Authentication (WebAuthn) standard
    https://www.zdnet.com/article/w3c-finalizes-web-authentication-webauthn-standard/

    WebAuthn is already supported on Windows 10, Android, Chrome, Edge, Firefox, and soon on Safari.

    Today, the World Wide Web Consortium (W3C), the organization behind all web standards, has formally promoted the Web Authentication API to the title of official web standard.

    WebAuthn is what security experts are calling a passwordless authentication system and what they see as the future of user account security.

    WebAuthn allows users to register and authenticate on websites or mobile apps using an “authenticator” instead of a password.

    Development on the WebAuthn standard started back in November 2015, after the FIDO (Fast IDentity Online) Alliance donated the FIDO 2.0 Web API to the W3C.

    The original FIDO 2.0 Web API is already supported by browsers and online services. It’s what currently allows users to use secret tokens stored on YubiKey USB thumb drives (aka hardware security keys) to log into websites such as Google, Facebook, Dropbox, AWS, GitHub, YouTube, and others.

    The WebAuthn API is an upgrade of the old FIDO 2.0 Web API and will support a multitude of other authentication systems besides USB-stored security keys –including biometrics.

    Reply
  12. Tomi Engdahl says:

    Researchers granted server by gov officials link Sharpshooter attacks to North Korea
    Analysis of the server revealed links to North Korea’s Lazarus Group.
    https://www.zdnet.com/article/researchers-granted-command-server-by-officials-link-sharpshooter-campaign-to-north-korea/

    Reply
  13. Tomi Engdahl says:

    Open source software breaches surge in the past 12 months
    A simple lack of time is blamed for a lack of security governance in open-source projects.
    https://www.zdnet.com/article/open-source-software-breaches-surge-in-the-past-12-months/

    Security breaches related to open-source security projects are on the rise and a lack of time being made available to developers to resolve vulnerabilities is believed to be to blame.

    According to Sonatype’s DevSecOps Community Survey, in which over 5,500 IT professionals were asked to give their opinion on today’s open-source projects and the community’s security stance, open-source breaches have increased by 71 percent over the last five years.

    Reply
  14. Tomi Engdahl says:

    Data leaks, default passwords exposed in visitor management systems
    https://www.zdnet.com/article/19-vulnerabilities-exposed-in-visitor-management-systems/

    Automation is big business, but smart visitor systems can be as vulnerable to attacks as any other connected device.

    Researchers have uncovered a swathe of vulnerabilities which impact visitor management systems in which automation has replaced human assistants.

    Automation, artificial intelligence (AI), machine learning (ML), the Internet of Things (IoT), and mobility have begun to permeate every aspect of our daily lives. In the hospitality industry, these technologies have presented an opportunity to improve the security of visitors and guests, as well as reduce the human workforce required to maintain protective measures.

    Reply
  15. Tomi Engdahl says:

    Retail industry endures new point-of-sale cybercrime spree
    https://www.zdnet.com/article/retail-industry-endures-new-point-of-sale-cybercrime-spree/

    The harvest of sensitive data is at hand, but it is not certain who is behind the campaign.

    Reply
  16. Tomi Engdahl says:

    Hackers have started attacks on Cisco RV110, RV130, and RV215 routers
    https://www.zdnet.com/article/hackers-have-started-attacks-on-cisco-rv110-rv130-and-rv215-routers/

    Attacks started two days after Cisco released patch, one day after researchers published demo exploit code.

    Two days after Cisco patched a severe vulnerability in a popular brand of SOHO routers, and one day after the publication of proof-of-concept code, hackers have started scans and attacks exploiting the said security bug to take over unpatched devices.

    The vulnerability, tracked as CVE-2019-1663, was of note when it came out on February 27 because it received a severity score from the Cisco team of 9.8 out of a maximum of 10.

    In its blog post, Pen Test Partners blamed the root cause of CVE-2019-1663 on Cisco coders using an infamously insecure function of the C programming language -namely strcpy (string copy).

    https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/

    Reply
  17. Tomi Engdahl says:

    W3C approves WebAuthn as the web standard for password-free logins
    https://venturebeat.com/2019/03/04/w3c-approves-webauthn-as-the-web-standard-for-password-free-logins/

    The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. First announced by the W3C and the FIDO Alliance in November 2015, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, IBM, Intel, Microsoft, Mozilla, PayPal, SoftBank, Tencent, and Yubico.

    Reply
  18. Tomi Engdahl says:

    Google Discloses Unpatched ‘High-Severity’ Flaw in Apple macOS Kernel
    https://thehackernews.com/2019/03/cybersecurity-macos-hacking.html

    Cybersecurity researcher at Google’s Project Zero division has publicly disclosed details and proof-of-concept exploit of a high-severity security vulnerability in macOS operating system after Apple failed to release a patch within 90 days of being notified.

    The flaw could eventually allow an attacker or a malicious program to bypass the copy-on-write (COW) functionality to cause unexpected changes in the memory shared between processes, leading to memory corruption attacks.

    Reply
  19. Tomi Engdahl says:

    Stranger Danger: X-Force Red Finds 19 Vulnerabilities in Visitor Management Systems
    https://securityintelligence.com/stranger-danger-x-force-red-finds-19-vulnerabilities-in-visitor-management-systems/

    Automation is pervasive across our modern world and building lobbies are the latest place affected by the changes. The friendly receptionist or security guard is being replaced by kiosks, and it is big business, with sales expected to exceed $1.3 billion by 2025. These systems are officially called visitor management systems and allow businesses to check a guest in, give them a badge and control access to restricted areas of the facility.

    Unlike simple pen and paper, they have the ability to authenticate visitors and provision badges for them in an automated way without allowing anyone to see who else has visited.

    Reply
  20. Tomi Engdahl says:

    Container Escape Hack Targets Vulnerable Linux Kernel
    https://threatpost.com/container-escape-hack-targets-vulnerable-linux-kernel/142407/

    A proof-of-concept hack allows adversaries to tweak old exploits, have code jump containers and attack underlying infrastructure.

    Reply
  21. Tomi Engdahl says:

    Law Expert: Chinese Government Can’t Force Huawei to Make Backdoors
    https://www.wired.com/story/law-expert-chinese-government-cant-force-huawei-make-backdoors/

    The Sino-US trade war is hurting companies on both sides of the conflict. In early January, the US stock market dropped sharply after Apple issued its first revenue warning in 16 years, citing weak sales in China. Several weeks later, chipmaker Nvidia cut its quarterly revenue expectations by $500 million for the same reason. A survey last year by the US-China Business Council showed that 28 percent of US companies reported increased scrutiny from Chinese regulators because of trade friction. Even American cherry growers are being affected, losing $89 million in sales last year.

    Meanwhile Huawei, a Chinese supplier of telecommunications equipment, has become the target of a US campaign to bar its gear from many global markets.

    Reply
  22. Tomi Engdahl says:

    An Alphabet Moonshot Wants to Store the Security Industry’s Data
    https://www.wired.com/story/chronicle-backstory-network-intelligence-data/

    Now Chronicle, a company born last year out of X, Alphabet’s “moonshot factory,” is going to try it for defending corporate networks.

    On Monday, Chronicle announced its first product: Backstory. The tool is a cloud platform on which companies can store their network intelligence data indefinitely, allowing them to use Google’s search smarts to comb through logs and gain insight into emerging digital security threats. For example, an organization that missed a breach on its network initially will be able to use Backstory to find the origins of the incident and track what played out as a result. Crucially, Backstory customers will also benefit from the discoveries Chronicle makes by looking for patterns and anomalies in the combined data set of all its clients.

    Reply
  23. Tomi Engdahl says:

    Armor Games admits all its users’ deets slurped in database mega-hack as site moves to repair chink
    We were caught in hack that bled 617 million online accounts
    https://www.theregister.co.uk/2019/03/04/armor_games_breach_disclosure/

    Reply
  24. Tomi Engdahl says:

    Op ‘Sharpshooter’ Connected to North Korea’s Lazarus Group
    https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/

    After analyzing code from a command and control (C2) server used in the global cyber-espionage campaign dubbed ‘Sharpshooter’, security researchers found more evidence linking it to North Korea’s Lazarus threat actor.

    The assessment was possible with the help of a government entity and revealed that the operation is broader in scope, more complex and older than initially thought.

    Reply
  25. Tomi Engdahl says:

    As Trump and Kim Met, North Korean Hackers Hit Over 100 Targets in U.S. and Ally Nations
    https://www.nytimes.com/2019/03/03/technology/north-korea-hackers-trump.html

    North Korean hackers who have targeted American and European businesses for 18 months kept up their attacks last week even as President Trump was meeting with North Korea’s leader in Hanoi.

    The attacks, which include efforts to hack into banks, utilities and oil and gas companies, began in 2017, according to researchers at the cybersecurity company McAfee, a time when tensions between North Korea and the United States were flaring. But even though both sides have toned down their fiery threats and begun nuclear disarmament talks, the attacks persist.

    Reply
  26. Tomi Engdahl says:

    EdgeSpot detects PDF samples tracking users who use Google Chrome as local PDF viewer
    https://blog.edgespot.io/2019/02/edgespot-detects-pdf-zero-day-samples.html

    Reply
  27. Tomi Engdahl says:

    Alphabet’s Chronicle Launches Security Telemetry Platform
    https://www.securityweek.com/alphabets-chronicle-launches-security-telemetry-platform

    Chronicle on Monday announced the launch of Backstory, a security telemetry platform that allows organizations to store and quickly analyze large amounts of data.

    Chronicle, a subsidiary of Google’s parent company Alphabet, was launched in January 2018 and it has been put in charge of the VirusTotal platform. The company has now launched its first own product.

    Reply
  28. Tomi Engdahl says:

    Tripwire Launches Industrial Cybersecurity Assessment Service
    https://www.securityweek.com/tripwire-launches-industrial-cybersecurity-assessment-service

    Belden-owned Tripwire on Monday announced the availability of two new assessment services designed to help enterprises and industrial organizations find potentially dangerous vulnerabilities in their systems.

    One of the new services, Industrial Cybersecurity Assessment, provides experts who can discover vulnerabilities in industrial control system (ICS) environments and determine if they can actually be exploited and if they pose a significant risk.

    Reply
  29. Tomi Engdahl says:

    Eyeing Russia, EU Girds for Cyberthreats to Parliament Vote
    https://www.securityweek.com/eyeing-russia-eu-girds-cyberthreats-parliament-vote

    With campaigning for May’s European Parliament elections shifting into high gear, security officials are preparing for potential attempts by Russia-linked hackers to sway the vote — and potentially deepen divisions in the bloc.

    “There’s a strong likelihood that people will try to manipulate the debates and falsify the European election results,” the EU’s security commissioner Julian King told France’s Alsace newspaper last week.

    Reply
  30. Tomi Engdahl says:

    Better Security Not Sole Factor for Improved Breach Detection Times: FireEye
    https://www.securityweek.com/better-security-not-sole-factor-improved-breach-detection-times-fireeye

    Organizations are getting better at detecting breaches, but the positive trend observed last year has been attributed by experts not only to improved cybersecurity capabilities, but also an increase in the number of attacks that are quickly detected by victims.

    Reply
  31. Tomi Engdahl says:

    Data Breach Cost Marriott $28 Million So Far
    https://www.securityweek.com/data-breach-cost-marriott-28-million-so-far

    The massive data breach disclosed by Marriott last year has cost the company $28 million to date, most of which has been covered by insurance, the hotel giant revealed last week in its earnings report for the last quarter of 2018.

    Reply
  32. Tomi Engdahl says:

    Two White Hats Earn Over $1 Million via Bug Bounty Programs
    https://www.securityweek.com/two-white-hats-earn-over-1-million-bug-bounty-programs

    Bug bounty platform HackerOne says two of its members have each earned more than $1 million by helping organizations find and fix vulnerabilities in their systems.

    While many white hat hackers don’t make much money from bug bounty programs, there are some who have dedicated a lot of time to finding vulnerabilities and they have managed to earn significant rewards.

    Reply
  33. Tomi Engdahl says:

    Ransomware Pretends to Be Proton Security Team Securing Data From Hackers
    https://www.bleepingcomputer.com/news/security/ransomware-pretends-to-be-proton-security-team-securing-data-from-hackers/

    A recent variant of the GarrantyDecrypt ransomware has been found that pretends to be from the security team for Proton Technologies, the company behind ProtonMail and ProtonVPN.

    Reply
  34. Tomi Engdahl says:

    JAVA-VBS Joint Exercise Delivers RAT
    https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/java-vbs-joint-exercise-delivers-rat/

    The Adwind remote administration tool (RAT) is a Java-based backdoor Trojan that targets various platforms supporting Java files.

    Reply
  35. Tomi Engdahl says:

    Qbot malware resurfaces in new attack against businesses
    This new persistent and difficult-to-detect Qbot version is designed to steal financial information.
    https://www.csoonline.com/article/3345972/qbot-malware-resurfaces-in-new-attack-against-businesses.html

    Reply
  36. Tomi Engdahl says:

    Did you hear the one about Cisco routers using strcpy insecurely for login authentication? Makes you go AAAAA-AAAAAAArrg *segfault*
    RV110W, RV130W, RV215W need patching to close remote hijacking bug
    https://www.theregister.co.uk/2019/03/01/cisco_cve_2019_1663_strcpy_login_authentication/

    Cisco has patched three of its RV-series routers after Pen Test Partners (PTP) found them using the hoary old C function strcpy insecurely in a login authentication function. The programming blunder can be exploited to potentially hijack the devices.

    PTP looked at how the routers’ web-based control panel handled login attempts by users, and found that it was alarmingly easy to trigger a buffer overflow by simply supplying a long string of characters as the password, something which Cisco admitted “could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device”.

    Lobbing in a password of 447 characters, such as ‘A’, followed by four characters, would allow the hijacker to control a subroutine return address on the web app’s stack using the values of those final characters. That means the hacker could force the device’s 32-bit Arm-based processor to jump to malicious code stashed in the login request.

    Reply
  37. Tomi Engdahl says:

    ICAO victim of a major cyberattack in 2016
    The organization was the victim of a water-hole attack, likely attributable to the APT LuckyMouse group
    https://www.welivesecurity.com/2019/03/01/icao-victim-major-cyberattack-2016/

    The International Civil Aviation Organization (ICAO) was a victim of a large-scale cyberattack back in 2016. Indeed, in November of that year, a cyber-intelligence analyst at Lockheed Martin contacted the international organization after finding that cybercriminals took control of two of its servers.

    Reply
  38. Tomi Engdahl says:

    Cobalt Strike Bug Exposes Attacker Servers
    https://www.securityweek.com/cobalt-strike-bug-exposes-attacker-servers

    A recently addressed vulnerability in the Cobalt Strike penetration testing platform could be exploited to identify attacker servers, Fox-IT security researchers reveal.

    The bug, which was addressed in January with the release of Cobalt Strike version 3.13, consisted of an uncommon whitespace in server responses and had been leveraged by researchers to identify Cobalt Strike servers for one and a half years.

    Reply
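    The excerpt above only says that the fingerprint was an “uncommon whitespace in server responses”. In Fox-IT’s published write-up the anomaly is a trailing space after the reason phrase of the HTTP status line (“HTTP/1.1 200 OK ” before the CRLF), which the pre-3.13 team server emitted. The following C is an added example, not Fox-IT’s or Cobalt Strike’s code: a small checker that applies that heuristic to constructed sample responses. The responses are made up for the demonstration; note that an ordinary server can also emit a trailing space, so this is a candidate signal to pivot on, not proof of a team server.

```c
#include <string.h>
#include <stdio.h>

/* Returns 1 if resp starts with an HTTP status line whose last character before
 * the CRLF is a space (e.g. "HTTP/1.1 200 OK \r\n"), 0 otherwise. A NULL or
 * non-HTTP input yields 0. */
int status_line_has_trailing_space(const char *resp)
{
    const char *eol;

    if (resp == NULL || strncmp(resp, "HTTP/", 5) != 0)
        return 0;
    eol = strstr(resp, "\r\n");          /* end of the status line */
    if (eol == NULL || eol == resp)
        return 0;
    return eol[-1] == ' ';
}

/* Counts how many of n responses carry the fingerprint. */
int count_fingerprinted(const char *const *responses, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += status_line_has_trailing_space(responses[i]);
    return hits;
}

/* Constructed sample responses: the first mimics the pre-3.13 team server,
 * the second and third are ordinary servers, the fourth is an ordinary server
 * that happens to emit a trailing space (a false positive for this heuristic). */
static const char *const SAMPLES[] = {
    "HTTP/1.1 200 OK \r\nContent-Type: application/octet-stream\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    "HTTP/1.0 302 Found \r\nLocation: /\r\n\r\n",
};
#define N_SAMPLES ((int)(sizeof SAMPLES / sizeof SAMPLES[0]))

/* Runs the counter over the embedded samples (two of the four are flagged). */
int sample_hits(void)
{
    return count_fingerprinted(SAMPLES, N_SAMPLES);
}

int main(void)
{
    for (int i = 0; i < N_SAMPLES; i++)
        printf("sample %d: %s\n", i,
               status_line_has_trailing_space(SAMPLES[i]) ? "FLAG" : "ok");
    printf("%d of %d flagged\n", sample_hits(), N_SAMPLES);
    return 0;
}
```

    In practice you would feed this the status line captured by a scanner (Shodan, Censys or your own probes) and treat a hit as one indicator to correlate with others, such as the default port and certificate; the fourth sample is there to show why a single whitespace quirk is not conclusive on its own.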
  39. Tomi Engdahl says:

    Cisco Patches Critical Vulnerability in Wireless Routers
    https://www.securityweek.com/cisco-patches-critical-vulnerability-wireless-routers

    Cisco released security patches this week to address a Critical vulnerability in several wireless routers that allows an attacker to remotely execute code on the impacted devices.

    Tracked as CVE-2019-1663 and featuring a CVSS score of 9.8, the security flaw resides in the web-based management interface of three router models and is created due to improper validation of user-supplied data in the web-based management interface.

    “An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user,” Cisco explains in an advisory.

    Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    Reply
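    The two comments above (the Register piece on the strcpy root cause and the Cisco advisory for CVE-2019-1663) describe the bug shape but show no code. The following C is an added example written for this page, not Cisco’s or Pen Test Partners’ code: a login check in the vulnerable pattern beside a hardened version, plus a builder for the kind of overlong password field the Register describes (a run of filler bytes followed by four bytes that land on the saved return address). The buffer size, the sample credential and the four placeholder tail bytes are assumptions for the demonstration; the 447-byte filler length and the 4-byte tail are the figures from the article.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration: the advisory and write-ups quoted above give
 * the overflow distance (447 filler bytes, then 4 bytes landing on the saved
 * return address of the 32-bit Arm stack frame) but not the declared size of
 * the router's own buffer. */
#define PASSWORD_BUF 64
#define DEMO_SECRET "correct-horse"   /* constructed sample credential */

/* Bounded strlen: C99 has no strnlen, so count up to max and no further. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The pattern Pen Test Partners describe: the request field is copied into a
 * fixed-size stack buffer with strcpy, which stops only at the NUL byte. Any
 * password of PASSWORD_BUF bytes or more runs past the buffer into the saved
 * registers and return address. Shown only for the shape of the bug; never
 * call it with untrusted input. */
int check_password_vulnerable(const char *supplied)
{
    char buf[PASSWORD_BUF];
    strcpy(buf, supplied);                 /* no length check at all */
    return strcmp(buf, DEMO_SECRET) == 0;
}

/* Hardened form: measure first, reject oversize input outright (silent
 * truncation would trade the overflow for an authentication logic bug), then
 * copy a known number of bytes. Returns 1 on match, 0 on mismatch, -1 when
 * the input is missing or violates the length limit. */
int check_password_safe(const char *supplied)
{
    char buf[PASSWORD_BUF];
    size_t n;

    if (supplied == NULL)
        return -1;
    n = bounded_len(supplied, PASSWORD_BUF);   /* never reads past the limit */
    if (n >= PASSWORD_BUF)
        return -1;                             /* no room for the NUL: reject */
    memcpy(buf, supplied, n + 1);              /* bounded copy, NUL included */
    return strcmp(buf, DEMO_SECRET) == 0;
}

/* Builds the shape of request field the Register describes: filler bytes
 * followed by four bytes that would overwrite the saved return address.
 * Returns the payload length, or 0 if out cannot hold it. */
size_t build_overlong_password(char *out, size_t out_len, size_t filler,
                               const char tail[4])
{
    if (out_len < filler + 4 + 1)
        return 0;
    memset(out, 'A', filler);
    memcpy(out + filler, tail, 4);
    out[filler + 4] = '\0';
    return filler + 4;
}

/* Runs the hardened check against a filler-byte payload of the given length.
 * Returns the check's result, or -2 if the payload could not be built. */
int safe_check_on_overlong(size_t filler)
{
    char payload[1024];
    const char tail[4] = { 'B', 'B', 'B', 'B' };   /* placeholder, not an address */

    if (build_overlong_password(payload, sizeof payload, filler, tail) == 0)
        return -2;
    return check_password_safe(payload);
}

int main(void)
{
    printf("correct secret, safe check       -> %d\n", check_password_safe(DEMO_SECRET));
    printf("correct secret, vulnerable check -> %d\n", check_password_vulnerable(DEMO_SECRET));
    printf("447 filler + 4 tail, safe check  -> %d\n", safe_check_on_overlong(447));
    return 0;
}
```

    The point of the hardened version is the order of operations: the length is established with a bounded scan before any byte is copied, and an input that cannot fit is refused rather than trimmed, so the same request that would overwrite the return address in the strcpy version simply fails authentication. On the real device the advisory offers no workaround, so the fix is the firmware update; the example is about what that class of fix looks like in the source.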
  40. Tomi Engdahl says:

    Hackers Use Compromised Banks as Starting Points for Phishing Attacks
    https://www.bleepingcomputer.com/news/security/hackers-use-compromised-banks-as-starting-points-for-phishing-attacks/

    Cybercriminals attacking banks and financial organizations use their foothold in a compromised infrastructure to gain access to similar targets in other regions or countries.

    The incident response activities at various financial institutions revealed that in some cases the attacker used their access to send emails to other banks and payment systems.

    “So the threat actor definitely carried out attacks beyond its initial targets,” a company representative told us.

    Reply
  41. Tomi Engdahl says:

    Spoofing in the reeds with Rietspoof
    https://blog.avast.com/rietspoof-malware-increases-activity

    We’re tracking a new cyberthreat that combines file formats to create a more versatile malware.

    Since August 2018, we have been monitoring a new malware family we’re calling Rietspoof. Rietspoof is a new multi-stage malware that exhibits some very striking features and capabilities. When we began tracking Rietspoof, it was updated about once a month. However, in January 2019, we noticed the update cadence change to daily.

    Reply
