This posting is here to collect cyber security news in March 2019.
I post links to security vulnerability news in the comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
Tomi Engdahl says:
Use an 8-char Windows NTLM password? Don’t. Every single one can be cracked in under 2.5hrs
CorrectHorseBatteryStaple once again more secure and memorable than ff3sd21n
https://www.theregister.co.uk/2019/02/14/password_length/
HashCat, an open source password recovery tool, can now crack an eight-character Windows NTLM password hash in less time than it will take to watch Avengers: Endgame.
Tomi Engdahl says:
PoC Buffer Overflow exploitation in the British Airways Entertainment System
https://www.linkedin.com/pulse/buffer-overflow-exploitation-british-airways-system-marco-gisbert/
Tomi Engdahl says:
https://capsule8.com/blog/nested-guests-cve-2019-7221/
Tomi Engdahl says:
2019 SHA-2 Code Signing Support requirement for Windows and WSUS
https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus
To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.
Tomi Engdahl says:
Taiwan’s darkest military secrets revealed by Google Maps
https://www.scmp.com/news/china/military/article/2186351/taiwans-darkest-military-secrets-revealed-google-maps
Enhanced 3-D maps leave nothing to the imagination including Patriot missile base
Defence minister appeals for calm
Tomi Engdahl says:
JavaScript bridge makes malware analysis with WinDbg easier
https://blog.talosintelligence.com/2019/02/windbg-malware-analysis-with-javascript.html#more
Tomi Engdahl says:
Venezuela’s Government Appears To Be Trying to Hack Activists With Phishing Pages
https://motherboard.vice.com/en_us/article/d3mdxm/venezuela-government-hack-activists-phishing
Security researchers and activists exposed a brazen attempt to steal Venezuelan usernames and passwords for popular email and social media websites such as Gmail, Facebook, Microsoft Live, and Twitter.
Phishing by Venezuelan government puts activists and internet users at risk.
https://vesinfiltro.com/noticias/Phishing_by_Venezuelan_government_targets_activists/
Tomi Engdahl says:
White hats spread VKontakte worm after social network doesn’t pay bug bounty
https://www.zdnet.com/article/white-hats-spread-vkontakte-worm-after-social-network-doesnt-pay-bug-bounty/
VKontakte flooded with spam over Valentine’s Day as part of a revenge prank.
Tomi Engdahl says:
New Service From Cisco’s Duo Labs Analyzes Chrome Extensions
https://www.securityweek.com/new-service-ciscos-duo-labs-analyzes-chrome-extensions
Duo Labs, part of Cisco-owned Duo Security, has launched a new service designed to analyze Chrome extensions and deliver security reports on them.
Dubbed CRXcavator and released in beta, the tool seeks to provide consumers and enterprise users alike with actionable intelligence on the large number of available Chrome extensions by scanning the Chrome Web Store on an ongoing basis.
The tool can analyze extension permissions and their implications and also evaluates extensions from several other angles.
Tomi Engdahl says:
Report: Apps Give Facebook Sensitive Health and Other Data
https://www.securityweek.com/report-apps-give-facebook-sensitive-health-and-other-data
Tomi Engdahl says:
Pulse Secure Unveils Software Defined Perimeter Solution
https://www.securityweek.com/pulse-secure-unveils-software-defined-perimeter-solution
Pulse Secure, a company that specializes in secure access solutions, this week unveiled a new software defined perimeter (SDP) product designed to provide organizations direct secure access to their resources and applications.
Pulse Secure, whose solutions were part of Juniper Networks until 2014, offers a platform that includes VPN, mobile device management (MDM), single sign-on (SSO), device visibility, virtual application delivery controller (ADC), and network access control (NAC) capabilities.
Tomi Engdahl says:
Cybercriminals Promise Millions to Skilled Black Hats: Report
https://www.securityweek.com/cybercriminals-promise-millions-skilled-black-hats-report
Cybercriminals say they are willing to pay over a million dollars per year to individuals with network management, penetration testing, and programming skills willing to put on a black hat, a new Digital Shadows report reveals.
Tomi Engdahl says:
DrainerBot SDK Sucks Data and Battery From Android Devices
https://www.securityweek.com/drainerbot-skd-sucks-data-and-battery-android-devices
A major mobile ad fraud operation impacts millions of users through infected consumer applications, Oracle reveals.
Tomi Engdahl says:
Windows Servers Vulnerable to DoS Attacks, Microsoft Warns
https://www.securityweek.com/windows-servers-vulnerable-dos-attacks-microsoft-warns
Microsoft informed users on Wednesday that Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks that rely on malicious HTTP/2 requests.
According to the tech giant, sending specially crafted HTTP/2 requests can cause the machine’s CPU to temporarily spike to 100% until IIS kills the malicious connections.
Tomi Engdahl says:
News: More Swedish Companies Affected by Applion Unsecured Servers
19.Feb.2019
Martin Jartelius, CSO Outpost24
https://outpost24.com/news/More-swedish-companies-affected-by-applion-unsecured-servers
Following further investigations into the exposed data belonging to Swedish healthcare provider MediCall, Outpost24 can confirm that many more organisations in Sweden are impacted by the unsecured servers.
All companies affected are using service provider Applion to host their confidential information, however Applion is not comprehensively securing that data. Using no firewall protection, encryption or login credentials, Applion is ultimately leaving its customer data completely exposed to the internet and accessible to anyone.
Investigations from Outpost24 reveal that other companies affected include Prebus and iTell, a Swedish telephony service company with a turnover of approximately 4 million €.
Tomi Engdahl says:
Malware Campaigns Target Users of PornHub, XVideos, Other Adult Websites
https://www.bleepingcomputer.com/news/security/malware-campaigns-target-users-of-pornhub-xvideos-other-adult-websites/
Credential-stealing attacks saw a 300% boost in numbers
Trojan-Downloaders the most distributed malware
Tomi Engdahl says:
U.S. won’t partner with countries that use Huawei systems: Pompeo
https://www.reuters.com/article/us-huawei-tech-usa-pompeo/u-s-wont-partner-with-countries-that-use-huawei-systems-pompeo-idUSKCN1QA1O6
Tomi Engdahl says:
New Breed of Fuel Pump Skimmer? Not Really
https://krebsonsecurity.com/2019/02/new-breed-of-fuel-pump-skimmer-uses-sms-and-bluetooth/
Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message. KrebsOnSecurity has since learned those claims simply don’t hold water.
Tomi Engdahl says:
Microsoft Edge Secret Whitelist Allows Facebook to Autorun Flash
https://www.bleepingcomputer.com/news/security/microsoft-edge-secret-whitelist-allows-facebook-to-autorun-flash/
Tomi Engdahl says:
When 2FA means sweet FA privacy: Facebook admits it slurps mobe numbers for more than just profile security
‘This isn’t a mistake now, this is clearly an intentional product choice’ says ex-CSO Stamos
https://www.theregister.co.uk/2019/03/04/facebook_phone_numbers/
Tomi Engdahl says:
Ah, this military GPS system looks shoddy but expensive. Shall we try to break it?
Did we say break? We meant test its ‘survivability’
https://www.theregister.co.uk/2019/03/04/who-me/
“Joe” was working in the British Army and had been sent a load of trial GPS kit for section level force tracking.
“They came in lovely beige boxes, all secure and sealed with only the push buttons available,” Joe told us.
It was well recognised that this kit was, as Joe put it, “a complete and utter rip-off”.
For instance, it included a “cable tidy” that was made of “high denier cordura [fabric] which cost around £250 per item, when the real cost was less than £50”.
Tomi Engdahl says:
North Korea Turns Against New Targets?!
https://research.checkpoint.com/north-korea-turns-against-russian-targets/
Tomi Engdahl says:
Ryuk, Exploring the Human Connection
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/
Within Cyber Threat intelligence research, a popular approach is to model the characteristics of an attack using The Diamond Model of Intrusion Analysis. This model relates four basic elements of an intrusion: adversary, capabilities, infrastructure and victim.
For the Ryuk case described above the model can be applied as follows: “An Adversary, cyber-criminal(s), have a capability (Ryuk Ransomware) that is being spread via a TrickBot infection Infrastructure targeting specific victims.
Tomi Engdahl says:
New steps to protect Europe from continued cyber threats
https://blogs.microsoft.com/eupolicy/2019/02/20/accountguard-expands-to-europe/
Tomi Engdahl says:
HACKERS LISTEN IN ON WHAT SYNTHETIC DNA MACHINES ARE PRINTING
https://www.wired.com/story/hackers-listen-synthetic-dna-machines/
These products represent cutting-edge academic research, and the exact formulas are often corporate secrets. Which is why operators usually keep DNA synthesizers offline, to prevent a cyber-heist of those precious strings of As and Ts and Cs and Gs that spell out instructions for lucrative new biological functions. But one group of biohackers has demonstrated for the first time that it’s possible to steal and reverse-engineer the genetic code stitched together by DNA synthesizers by simply recording the sounds they make.
Researchers from UC Irvine and UC Riverside unveiled a so-called acoustic side-channel attack on a popular DNA-making machine.
It could also have important potential counterterrorism applications—for monitoring suspect machines to see if they’re manufacturing deadly pathogens or other biological weapons.
Two days’ worth of recordings was enough to train algorithms that could surmise unknown strings of DNA with 86 percent accuracy.
Tomi Engdahl says:
The FBI ‘Can Neither Confirm nor Deny’ That It Monitors Your Social Media Posts
https://www.aclu.org/blog/free-speech/internet-speech/fbi-can-neither-confirm-nor-deny-it-monitors-your-social-media?fbclid=IwAR3p_OG6hmCdeW6FnupmylQw-OoF3XLOZ5rvYGhyc8uf0dIm473BLcqesr4
Tomi Engdahl says:
Shannon Liao / The Verge:
Report: hackers believed to be sponsored by the Chinese government targeted over two dozen universities in an apparent bid to access maritime military research — Chinese hackers singled out over two dozen universities in the US and around the world in an apparent bid to gain access …
Chinese hackers reportedly targeted 27 universities for military secrets
https://www.theverge.com/2019/3/5/18251836/chinese-hackers-us-servers-universities-military-secrets-cybersecurity
Tomi Engdahl says:
Nick Statt / The Verge:
Following its Dec. report, Privacy International finds seven major Android apps, including Yelp and Duolingo, still send personal data to Facebook upon launch
Some major Android apps are still sending data directly to Facebook
Even when you’re not logged in or don’t have a Facebook account
https://www.theverge.com/2019/3/5/18252397/facebook-android-apps-sending-data-user-privacy-developer-tools-violation
Tomi Engdahl says:
ji32k7au4a83 is a surprisingly bad password
Hint: users from Taiwan might know this one
https://www.theverge.com/tldr/2019/3/5/18252150/bad-password-security-data-breach-taiwan-ji32k7au4a83-have-i-been-pwned
The password “ji32k7au4a83” might look fairly secure thanks to its seemingly random jumble of letters and numbers. But surprisingly, that exact password has appeared in 141 data breaches, as cataloged by the site Have I Been Pwned and spotted by Gizmodo. It leads to the obvious question: how are so many people using this one password?
Tomi Engdahl says:
Huawei Opens Brussels Security Lab in Bid to Reassure EU
https://www.securityweek.com/huawei-opens-brussels-security-lab-bid-reassure-eu
Chinese tech company Huawei on Tuesday opened a cybersecurity lab in Brussels, the heart of the European Union, as it tries to win over government leaders and fight back U.S. allegations that its equipment poses a national security risk.
Company executives inaugurated the Huawei Cyber Security Transparency Centre, which will allow the wireless companies that are its customers to review the source code running its network gear.
Tomi Engdahl says:
State-Sponsored Hackers Supporting China’s Naval Modernization Efforts: Report
https://www.securityweek.com/state-sponsored-hackers-supporting-china%E2%80%99s-naval-modernization-efforts-report
APT40 Hackers Appear to be Supporting China’s Belt and Road Initiative
A cyber-espionage group believed to be sponsored by the Chinese government is focused on targeting countries important to the country’s Belt and Road Initiative, FireEye reports.
Tomi Engdahl says:
New VMware Firewall Focuses on Known Good Behavior
https://www.securityweek.com/new-vmware-firewall-focuses-known-good-behavior
VMware on Tuesday announced the launch of a new internal firewall solution designed to reduce an organization’s attack surface by focusing on known good behavior rather than attempting to chase potential threats.
The new VMware Service-defined Firewall aims to protect apps, data and users by locking down known good behavior both at host and network level.
VMware says that while other companies have tried this approach – focusing on known good behavior – getting a complete understanding of every application has been difficult to achieve.
VMware Service-Defined Firewall
Shrink the application attack surface with a new approach to firewalling
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/vmw-service-defined-firewall-solution-overview.pdf
Tomi Engdahl says:
Iran-Linked Hackers Use Python-Based Backdoor in Recent Attacks
https://www.securityweek.com/iran-linked-hackers-use-python-based-backdoor-recent-attacks
The Iran-linked Chafer threat group has used a new Python-based backdoor in November 2018 attacks targeting a Turkish government entity, Palo Alto Networks reveals.
Tomi Engdahl says:
Huawei Opens Brussels Security Lab in Bid to Reassure EU
https://www.securityweek.com/huawei-opens-brussels-security-lab-bid-reassure-eu
Tomi Engdahl says:
Armor Scientific Emerges From Stealth With Wearable Authentication Solution
https://www.securityweek.com/armor-scientific-emerges-stealth-wearable-authentication-solution
California-based Armor Scientific this week announced that it has emerged from stealth mode with an identity and authentication platform that combines wearable hardware and patent-pending middleware components.
Tomi Engdahl says:
Hackers Sell Access to Bait-and-Switch Empire
https://krebsonsecurity.com/2019/03/hackers-sell-access-to-bait-and-switch-empire/
Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.
Tomi Engdahl says:
RSA Conference: BEC Scammer Gang Takes Aim at Boy Scouts, Other Nonprofits
https://threatpost.com/rsac-2019-bec-scammer-gang-takes-aim-at-boy-scouts-other-nonprofts/142302/
Tomi Engdahl says:
RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes
https://threatpost.com/zero-day-exploit-microsoft/142327/
A previously unknown bug in Microsoft Office has been spotted being actively exploited in the wild; it can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019.
The bug exists in the OLE file format and the way it’s handled in Microsoft Word, said researchers from Mimecast. They noted that the OLE32.dll library incorrectly handles integer overflows.
Tomi Engdahl says:
McAfee: Oops, our bad. Sharpshooter malware was the Norks’ Lazarus Group the whole time
Access to C’n’C server data shows state hackers weren’t smart enough for false flags
https://www.theregister.co.uk/2019/03/04/sharpshooter_malware_campaign_lazarus_group_mcafee/
McAfee (the antivirus firm, not John the dodgy “playboy”) reckons the Sharpshooter malware campaign it uncovered in late 2018 is the work of North Korean hacking crew the Lazarus Group.
Thanks to data from a command-and-control server that was “provided to McAfee for analysis by a government entity that is familiar with McAfee’s published research on this malware campaign”, researchers were able to link Sharpshooter to earlier Lazarus Group activity from 2017.
Tomi Engdahl says:
Disputed N.S.A. Phone Program Is Shut Down, Aide Says
https://www.nytimes.com/2019/03/04/us/politics/nsa-phone-records-program-shut-down.html
The National Security Agency has quietly shut down a system that analyzes logs of Americans’ domestic calls and texts, according to a senior Republican congressional aide, halting a program that has touched off disputes about privacy and the rule of law since the Sept. 11 attacks.
Tomi Engdahl says:
SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability
‘Leakage … is visible in all Intel generations starting from first-gen Core CPUs’
https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/
In a research paper distributed this month through pre-print service ArXiv, “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks,” computer scientists at Worcester Polytechnic Institute in the US, and the University of Lübeck in Germany, describe a new way to abuse the performance boost.
SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks
https://arxiv.org/pdf/1903.00446.pdf
Tomi Engdahl says:
Microsoft Sees 250% Phishing Increase, Malware Decline by 34%
https://www.bleepingcomputer.com/news/security/microsoft-sees-250-percent-phishing-increase-malware-decline-by-34-percent/
Phishing attacks have seen an impressive 250% increase between January and December 2018, with attackers moving to multiple points of attacks during the same campaign, switching between URLs, domains, and servers when sending e-mails and hosting phishing forms.
As a side note, Microsoft saw “an increase in the use of compromised accounts to further distribute malicious emails both inside and outside an organization.”
Tomi Engdahl says:
CryptoMix Clop Ransomware Says It’s Targeting Networks, Not Computers
https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/
A new CryptoMix Ransomware variant has been discovered that appends the .CLOP or .CIOP extension to encrypted files. Of particular interest is that this variant is now indicating that the attackers are targeting entire networks rather than individual computers.
Tomi Engdahl says:
US surveillance scheme unlikely to be renewed, says key adviser
https://www.theguardian.com/us-news/2019/mar/05/us-surveillance-programme-unlikely-to-be-renewed-says-adviser-edward-snowden
Programme that followed one exposed by Edward Snowden not used in past six months
Tomi Engdahl says:
Hackers have started attacks on Cisco RV110, RV130, and RV215 routers
Attacks started two days after Cisco released patch, one day after researchers published demo exploit code.
https://www.zdnet.com/article/hackers-have-started-attacks-on-cisco-rv110-rv130-and-rv215-routers/
Tomi Engdahl says:
Microsoft’s latest security service uses human intelligence, not artificial
Computers are good at processing vast amounts of data, but humans still have their uses.
https://arstechnica.com/gadgets/2019/02/microsofts-latest-security-service-uses-human-intelligence-not-artificial/
Tomi Engdahl says:
In the cloud, things aren’t always what they SIEM: Microsoft rolls out AI-driven Azure Sentinel
And ‘ask a Redmond security bod’ panic button for Windows Defender ATP customers
https://www.theregister.co.uk/2019/02/28/microsoft_azure_sentinel_wheeled_out/
Tomi Engdahl says:
UN Aviation Agency Concealed Serious Hack: Media
https://www.securityweek.com/un-aviation-agency-concealed-serious-hack-media
The International Civil Aviation Organization (ICAO) had in November 2016 been the victim of the “most serious cyberattack in its history,” Radio-Canada said.
Internal documents obtained by the broadcaster revealed a flawed response to the attack — believed to have been launched by a Chinese hacker group — mired in delays, obstruction and negligence, and attempts by staff to hide their incompetence.
The UN agency, working with 192 member states and industry groups, is responsible for setting international civil aviation standards, including for safety and security.
Tomi Engdahl says:
Coinhive In-Browser Cryptomining Service Shuts Down on March 8
https://www.bleepingcomputer.com/news/technology/coinhive-in-browser-cryptomining-service-shuts-down-on-march-8/
Tomi Engdahl says:
Outlook and Microsoft Account Phishing Emails Utilize Azure Blob Storage
https://www.bleepingcomputer.com/news/security/outlook-and-microsoft-account-phishing-emails-utilize-azure-blob-storage/