This posting is here to collect cyber security news in March 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
490 Comments
Tomi Engdahl says:
New Global Attack on Point of Sale Systems
http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
Over the past 8-10 weeks, Morphisec has been tracking multiple sophisticated attacks targeting Point of Sale thin clients globally. More specifically, on the 6th of February we identified an extremely high number of prevention events stopping Cobalt Strike backdoor execution, with some of the attacks expressly targeting Point of Sale VMWare Horizon thin clients.
Based on the initial indicators, we identified FrameworkPOS scraping malware installed on some of the thin clients, after initializing PowerShell/WMI stages that downloaded and reflectively loaded Cobalt-Strike beacon with PowerShell extension directly into the memory.
Tomi Engdahl says:
How a Hacking Group is Stealing Popular Instagram Profiles
https://blog.trendmicro.com/trendlabs-security-intelligence/how-a-hacking-group-is-stealing-popular-instagram-profiles/
Social media influencers build and expand their business or brand through credibility and authenticity to their audience. For hackers, however, they could be seen as trophies. That’s what happened to a photographer with more than 15,000 followers on Instagram, when she had her account stolen.
A closer look into the incident revealed that the hacker got into her account through phishing.
The group also engages in digital extortion. Once a victim tries to reach out to the hacker, they would be wringed to fork over a ransom or nude photos and videos to get the account back. Of course, the hackers never give it back. Indeed, this kind of attack — targeting high-profile accounts or social media influencers — highlights our predictions for this year’s threat landscape.
Tomi Engdahl says:
Identifying Cobalt Strike team servers in the wild
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
On the 2nd of January 2019 Cobalt Strike version 3.13 was released, which contained a fix for an “extraneous space”. This uncommon whitespace in its server responses represents one of the characteristics Fox-IT has been leveraging to identify Cobalt Strike Servers, with high confidence, for the past one and a half year. In this blog we will publish a full list of servers for readers to check against the logging and security controls of their infrastructure.
Tomi Engdahl says:
Magecart Group 4: Never Gone, Always Advancing
https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/
Tomi Engdahl says:
FBI head Christopher Wray: We can’t let criminals hide behind encryption
https://www.cnet.com/news/fbi-director-christopher-wray-tells-cybersecurity-experts-to-partner-with-feds/
Speaking at the RSA Conference, Wray acknowledges the topic is “provocative.”
Tomi Engdahl says:
NSA releases cybersecurity tool to the public
https://www.axios.com/nsa-releases-cybersecurity-tool-open-source-3c94ebe4-8229-428d-876c-47a08e2c08e3.html?utm_source=facebook&utm_medium=fbsocialshare&utm_campaign=organic
The big picture: The NSA program, known as GHIDRA, is a reverse engineering tool that takes malware and returns the source code used to make it, which otherwise remains inaccessible. That enables researchers and security pros to understand, attribute and even counter the malware.
Show less
Why it matters: This small move could be widely disruptive.
Tomi Engdahl says:
Triton is the world’s most murderous malware, and it’s spreading
https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/?utm_source=facebook&utm_medium=tr_social&utm_campaign=site_visitor.unpaid.engagement&fbclid=IwAR2Pb8pfVs1sXLxC9KuW7OYgrE3FK0ScLbu7Ee7kggmxgNx3N23pjENpmOk&fbclid=IwAR28IVcVRrAW-GADYQwhK1ZYT2_fu0q2wwAj1dU14SfiieNODJTahM5N7ag
The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.
Tomi Engdahl says:
You cannot opt out of Facebook’s surveillance network
https://boingboing.net/2019/03/06/you-cannot-opt-out-of-facebook.html
Even if you don’t use it, Facebook is embedded across the web and in apps through ads, share buttons, tracking pixels and so forth, watching everything and everyone. Katherine Brindley set out to find how forthright the company was in its claims not to track users who engage privacy controls. Not very.
Tomi Engdahl says:
Cisco tells Nexus switch owners to disable POAP feature for security reasons
Cisco releases new Nexus firmware that includes a new command to turn off POAP.
https://www.zdnet.com/article/cisco-tells-nexus-switch-owners-to-disable-poap-feature-for-security-reasons/
Tomi Engdahl says:
Firefox to add Tor Browser anti-fingerprinting technique called letterboxing
Firefox gets another new feature from the Tor Uplift project started in 2016.
https://www.zdnet.com/article/firefox-to-add-tor-browser-anti-fingerprinting-technique-called-letterboxing/
Tomi Engdahl says:
Chinese hackers reportedly targeted 27 universities for military secrets
https://www.theverge.com/2019/3/5/18251836/chinese-hackers-us-servers-universities-military-secrets-cybersecurity
Chinese hackers singled out over two dozen universities in the US and around the world in an apparent bid to gain access to maritime military research, according to a report by cybersecurity firm iDefense, which was obtained by The Wall Street Journal.
Tomi Engdahl says:
RSAC 2019: TLS Markets Flourish on the Dark Web
https://threatpost.com/tls-markets-fdark-web/142310/
The certificates are often paired with ancillary products, like Google-indexed “aged” domains, after-sale support, web design services and even integration with a range of payment processors.
SAN FRANCISCO – Thriving marketplaces for TLS certificates have emerged on the Dark Web, which are hawking the certs both as individual goods and packaged with an array of malware and other ancillary services.
Tomi Engdahl says:
Jokeroo Ransomware-as-a-Service Offers Multiple Membership Packages
https://www.bleepingcomputer.com/news/security/jokeroo-ransomware-as-a-service-offers-multiple-membership-packages/
Tomi Engdahl says:
You. Shall. Not. Pass… word: Soon, you may be logging into websites using just your phone, face, fingerprint or token
Just don’t lose your hardware keys
https://www.theregister.co.uk/2019/03/05/web_authentication/
At 2004′s RSA Conference, then Microsoft chairman Bill Gates predicted the death of the password because passwords have problems and people are bad at managing them. And fifteen years on, as RSA USA 2019 gets underway in San Francisco this week, we still have passwords.
But the possibility that internet users may be able to log into websites without typing a password or prompting a password management app to fill in the blanks has become a bit more plausible, with the standardization of the Web Authentication specification.
Tomi Engdahl says:
FBI boss: Never mind Russia and social media, China ransacks US biz for blueprints, secrets at ‘surprisingly’ huge scale
‘Espionage and criminal investigations … almost all of which lead back to Beijing’
https://www.theregister.co.uk/2019/03/05/fbi_china_warning/
Tomi Engdahl says:
New Stealth Worker Campaign Creates a Multi-platform Army of Brute Forcers
https://www.fortinet.com/blog/threat-research/new-stealth-worker-campaign-creates-a-multi-platform-army-of-bru.html
FortiGuard Labs recently discovered a new campaign of StealthWorker malware, also called GoBrut, that was first reported by Malwarebytes just a few days ago. This malware is written in Golang. Although uncommonly seen being used by malware, it is the same programming language used to develop the module that controlled the bots of Mirai.
StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their target’s backend. Hacker’s commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target’s system. Another, simpler option is to use brute force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.
Tomi Engdahl says:
Cloudflare Deploys Firewall Rule to Block New Drupal Exploits
https://www.bleepingcomputer.com/news/security/cloudflare-deploys-firewall-rule-to-block-new-drupal-exploits/
Tomi Engdahl says:
Hackers Revive Microsoft Office Equation Editor Exploit
https://www.bleepingcomputer.com/news/security/hackers-revive-microsoft-office-equation-editor-exploit/
Hackers used specially-crafted Microsoft Word documents during the last few months to abuse an Integer Overflow bug that helped them bypass sandbox and anti-malware solutions and exploit the Microsoft Office Equation Editor vulnerability patched 15 months ago.
Tomi Engdahl says:
Oh no Xi didn’t?! China’s hackers nick naval tech blueprints, diddle with foreign elections to boost trade – new claim
In the Navy, you can sail the 7 seas! In the Navy, you’ll get hacked by the Chinese!
https://www.theregister.co.uk/2019/03/05/chinas_navy_hacking/
Tomi Engdahl says:
New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild
https://thehackernews.com/2019/03/update-google-chrome-hack.html
You must update your Google Chrome immediately to the latest version of the web browsing application.
Security researcher Clement Lecigne of Google’s Threat Analysis Group discovered and reported a high severity vulnerability in Chrome late last month that could allow remote attackers to execute arbitrary code and take full control of the computers.
The vulnerability, assigned as CVE-2019-5786, affects the web browsing software for all major operating systems including Microsoft Windows, Apple macOS, and Linux.
Tomi Engdahl says:
Defeating Compiler-Level Obfuscations Used in APT10 Malware
https://www.carbonblack.com/2019/02/25/defeating-compiler-level-obfuscations-used-in-apt10-malware/
Tomi Engdahl says:
Virsec Launches Application Memory Firewall
https://www.securityweek.com/virsec-launches-application-memory-firewall
Fileless attacks are increasing and are more likely to succeed than traditional file-based malware. Most defenses seek to detect them by recognizing anomalous behavior on the network — but this is basically an after-the-event approach.
Virsec takes a different approach. It seeks to detect malicious fileless behavior while still in memory and before any bad effect can occur.
To this effect, Virsec announced what it calls the first application memory firewall. Its function is to detect deviations in application execution caused by memory-based attacks — and stop them instantly. The implications of such an approach are attractive. If an application is seen to be misbehaving internally, then a memory firewall doesn’t merely stop unknown zero-day fileless attacks, it also provides virtual patching.
Tomi Engdahl says:
Several Industrial Automation Products Affected by WibuKey DRM Flaws
https://www.securityweek.com/several-industrial-automation-products-affected-wibukey-drm-flaws
The WibuKey DRM is used for thousands of applications, including by several industrial automation vendors. Cisco mentioned Straton when it published its advisories, and German industrial giant Siemens admitted recently that its SICAM 230 process control and monitoring system and SIMATIC WinCC OA human-machine interface (HMI) product are impacted as well.
Tomi Engdahl says:
Iranian Hackers Caused Losses in Hundreds of Millions: Report
https://www.securityweek.com/iranian-hackers-caused-losses-hundreds-millions-report
Iranian hackers working to penetrate systems, businesses and governments around the world have caused hundreds of millions of dollars in damages, a report said Wednesday.
Researchers for tech giant Microsoft said the attackers stole secrets and wiped data from computer networks after targeting thousands of people at some 200 companies over the past two years, according to The Wall Street Journal.
Microsoft did not immediately respond to an AFP query on the report.
The Journal said Microsoft traced the attacks to Holmium, a group linked to Iran, and that some of the hacking was done for Holmium by another Iranian group known as APT33.
Tomi Engdahl says:
China’s Huawei Sues US Over Federal Ban on Its Products
https://www.securityweek.com/chinas-huawei-sues-us-over-federal-ban-its-products
Tech giant Huawei on Thursday opened a legal front in its counter-offensive against US warnings that it could aid Chinese intelligence services, filing suit to overturn a US law that bars federal agencies from buying its products.
Tomi Engdahl says:
Cybersecurity Startup PolySwarm Launches Malware Detection Marketplace
https://www.securityweek.com/cybersecurity-startup-polyswarm-launches-malware-detection-marketplace
Cybersecurity startup firm PolySwarm has officially launched at this year’s RSAC. It describes itself as a ‘VirusTotal replacement’, and is an innovative malware detection marketplace based on blockchain contracts and virtual currency payments.
“Currently,” explains PolySwarm CEO and founder Steve Bassi, “incident response teams in organizations primarily use VirusTotal as the go-to-database” to determine whether a suspicious file or artifact is malicious, but our platform is more effective for a number of reasons. PolySwarm is differentiated by economic incentives to increase quality and effectiveness of threat identification.
Tomi Engdahl says:
New CyberArk Solution Secures AWS Accounts
https://www.securityweek.com/new-cyberark-solution-secures-aws-accounts
Boston-based privileged access security provider CyberArk this week announced it can now automate detection, alerting and response for unmanaged and potentially risky Amazon Web Services (AWS) accounts.
Tomi Engdahl says:
Google Patches Actively Exploited Chrome Vulnerability
https://www.securityweek.com/google-patches-actively-exploited-chrome-vulnerability
Tomi Engdahl says:
Joseph Cox / Motherboard:
Sources: a common practice among bounty hunters and stalkers is to impersonate cops and claim there’s a crisis to get real-time cell location data from telcos
Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data
https://motherboard.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data
In several cases, a stalker impersonated a US Marshal and reported a fake kidnapping in order to get telecom companies to give them real-time cell phone location data.
Tomi Engdahl says:
Associated Press:
Report: Microsoft says Iran-linked hackers have targeted 2,200+ people at 200+ companies over the past two years, stealing corporate secrets and wiping data
Microsoft says Iran-linked hackers targeted businesses
https://apnews.com/c5e1d8f79e86460fbfbd4d36ae348156
Tomi Engdahl says:
Casey Newton / The Verge:
Mark Zuckerberg says Facebook is working on rebuilding its messaging services to be more interoperable, ephemeral, privacy-focused, with end-to-end encryption — A major new blog post about Facebook’s future — Facebook will increasingly shift its focus away from public posts to encrypted …
Mark Zuckerberg says Facebook will shift to emphasize encrypted ephemeral messages
A major new blog post about Facebook’s future
https://www.theverge.com/2019/3/6/18253458/mark-zuckerberg-facebook-privacy-encrypted-messaging-whatsapp-messenger-instagram
Mark Zuckerberg / Facebook:
A Privacy-Focused Vision for Social Networking
https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/
My focus for the last couple of years has been understanding and addressing the biggest challenges facing Facebook. This means taking positions on important issues concerning the future of the internet. In this note, I’ll outline our vision and principles around building a privacy-focused messaging and social networking platform. There’s a lot to do here, and we’re committed to working openly and consulting with experts across society as we develop this.
Tomi Engdahl says:
NSA releases Ghidra, a free software reverse engineering toolkit
NSA’s Ghidra greeted with positive reviews by the infosec community.
https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/
NSA releases cybersecurity tool to the public
https://www.axios.com/nsa-releases-cybersecurity-tool-open-source-3c94ebe4-8229-428d-876c-47a08e2c08e3.html
NSA’s Ghidra Reverse Engineering Framework Stirs Up Malware Researchers
https://www.bleepingcomputer.com/news/security/nsas-ghidra-reverse-engineering-framework-stirs-up-malware-researchers/
Tomi Engdahl says:
Clement Lecigne / Google Online Security Blog:
Google says the Chrome zero-day it patched last week was used with a zero-day impacting Windows 7 32-bit systems and that Microsoft said it’s working on a fix
Disclosing vulnerabilities to protect users across platforms
https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
On Wednesday, February 27th, we reported two 0-day vulnerabilities — previously publicly-unknown vulnerabilities — one affecting Google Chrome and another in Microsoft Windows that were being exploited together. To remediate the Chrome vulnerability (CVE-2019-5786), Google released an update for all Chrome platforms on March 1; this update was pushed through Chrome auto-update. We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2019/03/08/terveyslaitteissa-voi-piilla-tietoturvariski/
Tomi Engdahl says:
UltraHack: The Security Risks of Medical IoT
https://blog.checkpoint.com/2019/03/07/ultrahack-the-security-risks-of-medical-iot/
Tomi Engdahl says:
Man Admits to Hacking Minnesota Databases Over Cop Acquittal
https://www.securityweek.com/man-admits-hacking-minnesota-databases-over-cop-acquittal
A Minnesota man admitted Thursday that he hacked into state government databases in 2017 as an act of retaliation after the acquittal of an officer who fatally shot Philando Castile during a 2016 traffic stop.
Tomi Engdahl says:
Zerodium Offers $500,000 for VMware ESXi, Microsoft Hyper-V Exploits
https://www.securityweek.com/zerodium-offers-500000-vmware-esxi-microsoft-hyper-v-exploits
Exploit acquisition firm Zerodium this week announced that it’s prepared to pay up to $500,000 for VMware ESXi and Microsoft Hyper-V vulnerabilities.
The company says it’s looking for ESXi (vSphere) and Hyper-V exploits that allow guest-to-host escapes. The exploits need to work on default configurations, they must be reliable, and they have to allow the attacker to gain full access to the host.
Tomi Engdahl says:
Study Finds Rampant Sale of SSL/TLS Certificates on Dark Web
https://www.securityweek.com/study-finds-rampant-sale-ssltls-certificates-dark-web
Tomi Engdahl says:
Cisco Patches Two Dozen Serious Flaws in Nexus Switches
https://www.securityweek.com/cisco-patches-two-dozen-serious-flaws-nexus-switches
Tomi Engdahl says:
Firefox to Add Letterboxing – Tor’s Anti-Fingerprinting Technique
https://www.technotification.com/2019/03/firefox-to-add-letterboxing.html
The third most popular web browser Mozilla Firefox is known for its privacy-oriented features.
Mozilla keeps updating its browser to cope with the latest user tracking methods. This time Mozilla is planning to add Tor’s Anti-Fingerprinting technique in Firefox 67. The technique is dubbed as ‘Letterboxing’
Browser fingerprinting is a precise method of identifying unique browsers and tracking the online activity of users. These fingerprints can be used by several external agencies like advertisement networks to partially or fully identify users and their devices.
Tomi Engdahl says:
Defend encryption in Australia
https://digitalrightswatch.org.au/2018/08/19/defend-encryption/
Tomi Engdahl says:
Cisco: Patch now, attackers are exploiting ASA DoS flaw to take down security
https://www.zdnet.com/article/cisco-patch-now-attackers-are-exploiting-asa-dos-flaw-to-take-down-security/
Apply our security fix to your Cisco Adaptive Security Appliance devices now, Cisco warns.
Tomi Engdahl says:
800+ Million Emails Leaked Online by Email Verification Service
https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/
Tomi Engdahl says:
A “serious” Windows zeroday is being actively exploited in the wild
Unpatched flaw used in combination with Chrome exploit doesn’t work against Win 10.
https://arstechnica.com/information-technology/2019/03/attackers-are-actively-exploiting-a-serious-windows-zeroday-in-the-wild/
Tomi Engdahl says:
Car alarms with security flaws put 3 million vehicles at risk of hijack
https://techcrunch.com/2019/03/07/car-alarms-flaw-hijack/
Two popular car alarm systems have fixed security vulnerabilities that allowed researchers to remotely track, hijack and take control of vehicles with the alarms installed.
The systems, built by Russian alarm maker Pandora and California-based Viper (or Clifford in the U.K.), were vulnerable to an easily manipulated server-side API, according to researchers at Pen Test Partners
It’s because the vulnerable alarm systems could be tricked into resetting an account password because the API was failing to check if it was an authorized request, allowing the researchers to log in.
Tomi Engdahl says:
Facebook won’t let you opt out of its phone number ‘look up’ setting
https://techcrunch.com/2019/03/03/facebook-phone-number-look-up/
Tomi Engdahl says:
Gone in six seconds? Exploiting car alarms
https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/
Tomi Engdahl says:
JavaScript infinite alert prank lands 13-year-old Japanese girl in hot water
https://arstechnica.com/tech-policy/2019/03/japanese-police-charge-13-year-old-girl-for-infinite-javascript-popup-prank/
Girl charged with spreading an unauthorized malicious program.
Tomi Engdahl says:
Iranian hackers ransack Citrix, make off with 6TB+ of emails, biz docs, internal secrets
https://www.theregister.co.uk/2019/03/08/citrix_hacked_data_stolen/
Remote-desktop giant ‘among more than 200 govt agencies, oil, gas, tech corps’ hit by cyber-gang
Citrix today warned its customers that foreign hackers romped through its internal company network and stole corporate secrets.
Tomi Engdahl says:
Google Discloses Unpatched ‘High-Severity’ Flaw in Apple macOS Kernel
https://thehackernews.com/2019/03/cybersecurity-macos-hacking.html?m=1