Cyber Security March 2019

This posting is here to collect cyber security news in March 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

490 Comments

  1. Tomi Engdahl says:

    New Global Attack on Point of Sale Systems
    http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems

    Over the past 8-10 weeks, Morphisec has been tracking multiple sophisticated attacks targeting Point of Sale thin clients globally. More specifically, on the 6th of February we identified an extremely high number of prevention events stopping Cobalt Strike backdoor execution, with some of the attacks expressly targeting Point of Sale VMWare Horizon thin clients.

    Based on the initial indicators, we identified FrameworkPOS scraping malware installed on some of the thin clients, after initializing PowerShell/WMI stages that downloaded and reflectively loaded Cobalt-Strike beacon with PowerShell extension directly into the memory.

    Reply
  2. Tomi Engdahl says:

    How a Hacking Group is Stealing Popular Instagram Profiles
    https://blog.trendmicro.com/trendlabs-security-intelligence/how-a-hacking-group-is-stealing-popular-instagram-profiles/

    Social media influencers build and expand their business or brand through credibility and authenticity to their audience. For hackers, however, they could be seen as trophies. That’s what happened to a photographer with more than 15,000 followers on Instagram, when she had her account stolen.

    A closer look into the incident revealed that the hacker got into her account through phishing.

    The group also engages in digital extortion. Once a victim tries to reach out to the hacker, they would be wringed to fork over a ransom or nude photos and videos to get the account back. Of course, the hackers never give it back. Indeed, this kind of attack — targeting high-profile accounts or social media influencers — highlights our predictions for this year’s threat landscape.

    Reply
  3. Tomi Engdahl says:

    Identifying Cobalt Strike team servers in the wild
    https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/

    On the 2nd of January 2019 Cobalt Strike version 3.13 was released, which contained a fix for an “extraneous space”. This uncommon whitespace in its server responses represents one of the characteristics Fox-IT has been leveraging to identify Cobalt Strike Servers, with high confidence, for the past one and a half year. In this blog we will publish a full list of servers for readers to check against the logging and security controls of their infrastructure.

    Reply
  4. Tomi Engdahl says:

    FBI head Christopher Wray: We can’t let criminals hide behind encryption
    https://www.cnet.com/news/fbi-director-christopher-wray-tells-cybersecurity-experts-to-partner-with-feds/

    Speaking at the RSA Conference, Wray acknowledges the topic is “provocative.”

    Reply
  5. Tomi Engdahl says:

    NSA releases cybersecurity tool to the public
    https://www.axios.com/nsa-releases-cybersecurity-tool-open-source-3c94ebe4-8229-428d-876c-47a08e2c08e3.html?utm_source=facebook&utm_medium=fbsocialshare&utm_campaign=organic

    The big picture: The NSA program, known as GHIDRA, is a reverse engineering tool that takes malware and returns the source code used to make it, which otherwise remains inaccessible. That enables researchers and security pros to understand, attribute and even counter the malware.

    Show less
    Why it matters: This small move could be widely disruptive.

    Reply
  6. Tomi Engdahl says:

    Triton is the world’s most murderous malware, and it’s spreading
    https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/?utm_source=facebook&utm_medium=tr_social&utm_campaign=site_visitor.unpaid.engagement&fbclid=IwAR2Pb8pfVs1sXLxC9KuW7OYgrE3FK0ScLbu7Ee7kggmxgNx3N23pjENpmOk&fbclid=IwAR28IVcVRrAW-GADYQwhK1ZYT2_fu0q2wwAj1dU14SfiieNODJTahM5N7ag

    The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.

    Reply
  7. Tomi Engdahl says:

    You cannot opt out of Facebook’s surveillance network
    https://boingboing.net/2019/03/06/you-cannot-opt-out-of-facebook.html

    Even if you don’t use it, Facebook is embedded across the web and in apps through ads, share buttons, tracking pixels and so forth, watching everything and everyone. Katherine Brindley set out to find how forthright the company was in its claims not to track users who engage privacy controls. Not very.

    Reply
  8. Tomi Engdahl says:

    Cisco tells Nexus switch owners to disable POAP feature for security reasons
    Cisco releases new Nexus firmware that includes a new command to turn off POAP.
    https://www.zdnet.com/article/cisco-tells-nexus-switch-owners-to-disable-poap-feature-for-security-reasons/

    Reply
  9. Tomi Engdahl says:

    Firefox to add Tor Browser anti-fingerprinting technique called letterboxing
    Firefox gets another new feature from the Tor Uplift project started in 2016.
    https://www.zdnet.com/article/firefox-to-add-tor-browser-anti-fingerprinting-technique-called-letterboxing/

    Reply
  10. Tomi Engdahl says:

    Chinese hackers reportedly targeted 27 universities for military secrets
    https://www.theverge.com/2019/3/5/18251836/chinese-hackers-us-servers-universities-military-secrets-cybersecurity

    Chinese hackers singled out over two dozen universities in the US and around the world in an apparent bid to gain access to maritime military research, according to a report by cybersecurity firm iDefense, which was obtained by The Wall Street Journal.

    Reply
  11. Tomi Engdahl says:

    RSAC 2019: TLS Markets Flourish on the Dark Web
    https://threatpost.com/tls-markets-fdark-web/142310/

    The certificates are often paired with ancillary products, like Google-indexed “aged” domains, after-sale support, web design services and even integration with a range of payment processors.

    SAN FRANCISCO – Thriving marketplaces for TLS certificates have emerged on the Dark Web, which are hawking the certs both as individual goods and packaged with an array of malware and other ancillary services.

    Reply
  12. Tomi Engdahl says:

    You. Shall. Not. Pass… word: Soon, you may be logging into websites using just your phone, face, fingerprint or token
    Just don’t lose your hardware keys
    https://www.theregister.co.uk/2019/03/05/web_authentication/

    At 2004′s RSA Conference, then Microsoft chairman Bill Gates predicted the death of the password because passwords have problems and people are bad at managing them. And fifteen years on, as RSA USA 2019 gets underway in San Francisco this week, we still have passwords.

    But the possibility that internet users may be able to log into websites without typing a password or prompting a password management app to fill in the blanks has become a bit more plausible, with the standardization of the Web Authentication specification.

    Reply
  13. Tomi Engdahl says:

    FBI boss: Never mind Russia and social media, China ransacks US biz for blueprints, secrets at ‘surprisingly’ huge scale
    ‘Espionage and criminal investigations … almost all of which lead back to Beijing’
    https://www.theregister.co.uk/2019/03/05/fbi_china_warning/

    Reply
  14. Tomi Engdahl says:

    New Stealth Worker Campaign Creates a Multi-platform Army of Brute Forcers
    https://www.fortinet.com/blog/threat-research/new-stealth-worker-campaign-creates-a-multi-platform-army-of-bru.html

    FortiGuard Labs recently discovered a new campaign of StealthWorker malware, also called GoBrut, that was first reported by Malwarebytes just a few days ago. This malware is written in Golang. Although uncommonly seen being used by malware, it is the same programming language used to develop the module that controlled the bots of Mirai.

    StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their target’s backend. Hacker’s commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target’s system. Another, simpler option is to use brute force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.

    Reply
  15. Tomi Engdahl says:

    Hackers Revive Microsoft Office Equation Editor Exploit
    https://www.bleepingcomputer.com/news/security/hackers-revive-microsoft-office-equation-editor-exploit/

    Hackers used specially-crafted Microsoft Word documents during the last few months to abuse an Integer Overflow bug that helped them bypass sandbox and anti-malware solutions and exploit the Microsoft Office Equation Editor vulnerability patched 15 months ago.

    Reply
  16. Tomi Engdahl says:

    Oh no Xi didn’t?! China’s hackers nick naval tech blueprints, diddle with foreign elections to boost trade – new claim
    In the Navy, you can sail the 7 seas! In the Navy, you’ll get hacked by the Chinese!
    https://www.theregister.co.uk/2019/03/05/chinas_navy_hacking/

    Reply
  17. Tomi Engdahl says:

    New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild
    https://thehackernews.com/2019/03/update-google-chrome-hack.html

    You must update your Google Chrome immediately to the latest version of the web browsing application.

    Security researcher Clement Lecigne of Google’s Threat Analysis Group discovered and reported a high severity vulnerability in Chrome late last month that could allow remote attackers to execute arbitrary code and take full control of the computers.

    The vulnerability, assigned as CVE-2019-5786, affects the web browsing software for all major operating systems including Microsoft Windows, Apple macOS, and Linux.

    Reply
  18. Tomi Engdahl says:

    Virsec Launches Application Memory Firewall
    https://www.securityweek.com/virsec-launches-application-memory-firewall

    Fileless attacks are increasing and are more likely to succeed than traditional file-based malware. Most defenses seek to detect them by recognizing anomalous behavior on the network — but this is basically an after-the-event approach.

    Virsec takes a different approach. It seeks to detect malicious fileless behavior while still in memory and before any bad effect can occur.

    To this effect, Virsec announced what it calls the first application memory firewall. Its function is to detect deviations in application execution caused by memory-based attacks — and stop them instantly. The implications of such an approach are attractive. If an application is seen to be misbehaving internally, then a memory firewall doesn’t merely stop unknown zero-day fileless attacks, it also provides virtual patching.

    Reply
  19. Tomi Engdahl says:

    Several Industrial Automation Products Affected by WibuKey DRM Flaws
    https://www.securityweek.com/several-industrial-automation-products-affected-wibukey-drm-flaws

    The WibuKey DRM is used for thousands of applications, including by several industrial automation vendors. Cisco mentioned Straton when it published its advisories, and German industrial giant Siemens admitted recently that its SICAM 230 process control and monitoring system and SIMATIC WinCC OA human-machine interface (HMI) product are impacted as well.

    Reply
  20. Tomi Engdahl says:

    Iranian Hackers Caused Losses in Hundreds of Millions: Report
    https://www.securityweek.com/iranian-hackers-caused-losses-hundreds-millions-report

    Iranian hackers working to penetrate systems, businesses and governments around the world have caused hundreds of millions of dollars in damages, a report said Wednesday.

    Researchers for tech giant Microsoft said the attackers stole secrets and wiped data from computer networks after targeting thousands of people at some 200 companies over the past two years, according to The Wall Street Journal.

    Microsoft did not immediately respond to an AFP query on the report.

    The Journal said Microsoft traced the attacks to Holmium, a group linked to Iran, and that some of the hacking was done for Holmium by another Iranian group known as APT33.

    Reply
  21. Tomi Engdahl says:

    China’s Huawei Sues US Over Federal Ban on Its Products
    https://www.securityweek.com/chinas-huawei-sues-us-over-federal-ban-its-products

    Tech giant Huawei on Thursday opened a legal front in its counter-offensive against US warnings that it could aid Chinese intelligence services, filing suit to overturn a US law that bars federal agencies from buying its products.

    Reply
  22. Tomi Engdahl says:

    Cybersecurity Startup PolySwarm Launches Malware Detection Marketplace
    https://www.securityweek.com/cybersecurity-startup-polyswarm-launches-malware-detection-marketplace

    Cybersecurity startup firm PolySwarm has officially launched at this year’s RSAC. It describes itself as a ‘VirusTotal replacement’, and is an innovative malware detection marketplace based on blockchain contracts and virtual currency payments.

    “Currently,” explains PolySwarm CEO and founder Steve Bassi, “incident response teams in organizations primarily use VirusTotal as the go-to-database” to determine whether a suspicious file or artifact is malicious, but our platform is more effective for a number of reasons. PolySwarm is differentiated by economic incentives to increase quality and effectiveness of threat identification.

    Reply
  23. Tomi Engdahl says:

    New CyberArk Solution Secures AWS Accounts
    https://www.securityweek.com/new-cyberark-solution-secures-aws-accounts

    Boston-based privileged access security provider CyberArk this week announced it can now automate detection, alerting and response for unmanaged and potentially risky Amazon Web Services (AWS) accounts.

    Reply
  24. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Sources: a common practice among bounty hunters and stalkers is to impersonate cops and claim there’s a crisis to get real-time cell location data from telcos

    Stalkers and Debt Collectors Impersonate Cops to Trick Big Telecom Into Giving Them Cell Phone Location Data
    https://motherboard.vice.com/en_us/article/panvkz/stalkers-debt-collectors-bounty-hunters-impersonate-cops-phone-location-data

    In several cases, a stalker impersonated a US Marshal and reported a fake kidnapping in order to get telecom companies to give them real-time cell phone location data.

    Reply
  25. Tomi Engdahl says:

    Associated Press:
    Report: Microsoft says Iran-linked hackers have targeted 2,200+ people at 200+ companies over the past two years, stealing corporate secrets and wiping data

    Microsoft says Iran-linked hackers targeted businesses
    https://apnews.com/c5e1d8f79e86460fbfbd4d36ae348156

    Reply
  26. Tomi Engdahl says:

    Casey Newton / The Verge:
    Mark Zuckerberg says Facebook is working on rebuilding its messaging services to be more interoperable, ephemeral, privacy-focused, with end-to-end encryption — A major new blog post about Facebook’s future — Facebook will increasingly shift its focus away from public posts to encrypted …

    Mark Zuckerberg says Facebook will shift to emphasize encrypted ephemeral messages
    A major new blog post about Facebook’s future
    https://www.theverge.com/2019/3/6/18253458/mark-zuckerberg-facebook-privacy-encrypted-messaging-whatsapp-messenger-instagram

    Mark Zuckerberg / Facebook:
    A Privacy-Focused Vision for Social Networking
    https://www.facebook.com/notes/mark-zuckerberg/a-privacy-focused-vision-for-social-networking/10156700570096634/

    My focus for the last couple of years has been understanding and addressing the biggest challenges facing Facebook. This means taking positions on important issues concerning the future of the internet. In this note, I’ll outline our vision and principles around building a privacy-focused messaging and social networking platform. There’s a lot to do here, and we’re committed to working openly and consulting with experts across society as we develop this.

    Reply
  27. Tomi Engdahl says:

    NSA releases Ghidra, a free software reverse engineering toolkit
    NSA’s Ghidra greeted with positive reviews by the infosec community.
    https://www.zdnet.com/article/nsa-release-ghidra-a-free-software-reverse-engineering-toolkit/

    NSA releases cybersecurity tool to the public
    https://www.axios.com/nsa-releases-cybersecurity-tool-open-source-3c94ebe4-8229-428d-876c-47a08e2c08e3.html

    NSA’s Ghidra Reverse Engineering Framework Stirs Up Malware Researchers
    https://www.bleepingcomputer.com/news/security/nsas-ghidra-reverse-engineering-framework-stirs-up-malware-researchers/

    Reply
  28. Tomi Engdahl says:

    Clement Lecigne / Google Online Security Blog:
    Google says the Chrome zero-day it patched last week was used with a zero-day impacting Windows 7 32-bit systems and that Microsoft said it’s working on a fix

    Disclosing vulnerabilities to protect users across platforms
    https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html

    On Wednesday, February 27th, we reported two 0-day vulnerabilities — previously publicly-unknown vulnerabilities — one affecting Google Chrome and another in Microsoft Windows that were being exploited together. To remediate the Chrome vulnerability (CVE-2019-5786), Google released an update for all Chrome platforms on March 1; this update was pushed through Chrome auto-update. We encourage users to verify that Chrome auto-update has already updated Chrome to 72.0.3626.121 or later.

    Reply
  29. Tomi Engdahl says:

    Man Admits to Hacking Minnesota Databases Over Cop Acquittal
    https://www.securityweek.com/man-admits-hacking-minnesota-databases-over-cop-acquittal

    A Minnesota man admitted Thursday that he hacked into state government databases in 2017 as an act of retaliation after the acquittal of an officer who fatally shot Philando Castile during a 2016 traffic stop.

    Reply
  30. Tomi Engdahl says:

    Zerodium Offers $500,000 for VMware ESXi, Microsoft Hyper-V Exploits
    https://www.securityweek.com/zerodium-offers-500000-vmware-esxi-microsoft-hyper-v-exploits

    Exploit acquisition firm Zerodium this week announced that it’s prepared to pay up to $500,000 for VMware ESXi and Microsoft Hyper-V vulnerabilities.

    The company says it’s looking for ESXi (vSphere) and Hyper-V exploits that allow guest-to-host escapes. The exploits need to work on default configurations, they must be reliable, and they have to allow the attacker to gain full access to the host.

    Reply
  31. Tomi Engdahl says:

    Firefox to Add Letterboxing – Tor’s Anti-Fingerprinting Technique
    https://www.technotification.com/2019/03/firefox-to-add-letterboxing.html

    The third most popular web browser Mozilla Firefox is known for its privacy-oriented features.

    Mozilla keeps updating its browser to cope with the latest user tracking methods. This time Mozilla is planning to add Tor’s Anti-Fingerprinting technique in Firefox 67. The technique is dubbed as ‘Letterboxing’

    Browser fingerprinting is a precise method of identifying unique browsers and tracking the online activity of users. These fingerprints can be used by several external agencies like advertisement networks to partially or fully identify users and their devices.

    Reply
  32. Tomi Engdahl says:

    Cisco: Patch now, attackers are exploiting ASA DoS flaw to take down security
    https://www.zdnet.com/article/cisco-patch-now-attackers-are-exploiting-asa-dos-flaw-to-take-down-security/

    Apply our security fix to your Cisco Adaptive Security Appliance devices now, Cisco warns.

    Reply
  33. Tomi Engdahl says:

    A “serious” Windows zeroday is being actively exploited in the wild
    Unpatched flaw used in combination with Chrome exploit doesn’t work against Win 10.
    https://arstechnica.com/information-technology/2019/03/attackers-are-actively-exploiting-a-serious-windows-zeroday-in-the-wild/

    Reply
  34. Tomi Engdahl says:

    Car alarms with security flaws put 3 million vehicles at risk of hijack
    https://techcrunch.com/2019/03/07/car-alarms-flaw-hijack/

    Two popular car alarm systems have fixed security vulnerabilities that allowed researchers to remotely track, hijack and take control of vehicles with the alarms installed.

    The systems, built by Russian alarm maker Pandora and California-based Viper (or Clifford in the U.K.), were vulnerable to an easily manipulated server-side API, according to researchers at Pen Test Partners

    It’s because the vulnerable alarm systems could be tricked into resetting an account password because the API was failing to check if it was an authorized request, allowing the researchers to log in.

    Reply
  35. Tomi Engdahl says:

    Facebook won’t let you opt out of its phone number ‘look up’ setting
    https://techcrunch.com/2019/03/03/facebook-phone-number-look-up/

    Reply
  36. Tomi Engdahl says:

    JavaScript infinite alert prank lands 13-year-old Japanese girl in hot water
    https://arstechnica.com/tech-policy/2019/03/japanese-police-charge-13-year-old-girl-for-infinite-javascript-popup-prank/

    Girl charged with spreading an unauthorized malicious program.

    Reply
  37. Tomi Engdahl says:

    Iranian hackers ransack Citrix, make off with 6TB+ of emails, biz docs, internal secrets
    https://www.theregister.co.uk/2019/03/08/citrix_hacked_data_stolen/

    Remote-desktop giant ‘among more than 200 govt agencies, oil, gas, tech corps’ hit by cyber-gang

    Citrix today warned its customers that foreign hackers romped through its internal company network and stole corporate secrets.

    Reply
  38. Tomi Engdahl says:

    Google Discloses Unpatched ‘High-Severity’ Flaw in Apple macOS Kernel
    https://thehackernews.com/2019/03/cybersecurity-macos-hacking.html?m=1

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*