Cyber Security News April 2019

This posting is here to collect cyber security news in April 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

402 Comments

  1. Tomi Engdahl says:

    Zero-Day Bug Lays Open TP-Link Smart Home Router
    https://threatpost.com/zero-day-tp-link-smart-home-router/143266/

    An exploit would allow an attacker to establish a persistent backdoor for ongoing remote access.

    A zero-day bug has been uncovered in the TP-Link SR20 smart hub and home router, which would allow a local adversary to execute arbitrary commands on the device without authentication and establish a persistent backdoor for remote access.

    Reply
  2. Tomi Engdahl says:

    Some ASUS Updates Drop Backdoors on PCs in ‘Operation ShadowHammer’
    https://threatpost.com/asus-pc-backdoors-shadowhammer/143129/

    The threat surface is not small: The ASUS Live Update Utility is a pre-installed utility in most new ASUS computers, for automatic BIOS, UEFI, drivers and applications updates. Popular among gamers, ASUS ranks fifth in the laptop market, with a market share of 7.4 percent as of August 2018, according to TrendForce. With an estimated 41.08 million laptops shipped in that quarter, it means ASUS sold around 3 million of them for that time period.

    Reply
  3. Tomi Engdahl says:

    Drones are Quickly Becoming a Cybersecurity Nightmare
    https://threatpost.com/drones-breach-cyberdefenses/143075/

    Hacked drones are breaching physical and cyberdefenses to cause disruption and steal data, experts warn.

    Drones are a growing threat for law enforcement and business security officers. In the run-up to Christmas 2018, rogue drones grounded planes at London Gatwick, the UK’s second-busiest airport. But, increasingly it’s not just the air traffic controllers sounding the alarms over drones, it’s also the cybersecurity community.

    Drones are already being used as one component of cyberattacks

    Reply
  4. Tomi Engdahl says:

    WordPress Plugin Patched After Zero Day Discovered
    https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/

    The plugin, Social Warfare, is no longer listed after a cross site scripting flaw was found being exploited in the wild.

    Reply
  5. Tomi Engdahl says:

    Russia threatens to block popular VPNs
    https://www.itproportal.com/news/russia-threatens-to-block-popular-vpns/

    Russia’s recently introduced tougher internet laws could spell trouble for VPN services in the country.

    Reply
  6. Tomi Engdahl says:

    Ironically, Phishing Kit Hosted on Nigerian Government Site
    https://www.bleepingcomputer.com/news/security/ironically-phishing-kit-hosted-on-nigerian-government-site/

    For over two weeks, the Nigerian National Assembly (NASS) site has been serving a fraudulent page that asks for DHL account credentials. This is just a landing location, most likely pushed through spam.

    Reply
  7. Tomi Engdahl says:

    How Microsoft found a Huawei driver that opened systems to attack
    Monitoring systems were looking for attacks using technique popularized by the NSA.
    https://arstechnica.com/gadgets/2019/03/how-microsoft-found-a-huawei-driver-that-opened-systems-up-to-attack/

    Reply
  8. Tomi Engdahl says:

    A Hammer Lurking In The Shadows
    https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows/

    And then there was ShadowHammer, the supply chain attack on the ASUS Live Update Utility between June and November 2018, which was discovered by Kaspersky earlier this year, and made public a few days ago.

    Reply
  9. Tomi Engdahl says:

    Here’s the List of ~600 MAC Addresses Targeted in Recent ASUS Hack
    https://thehackernews.com/2019/03/asus-hack-mac-addresses.html

    Reply
  10. Tomi Engdahl says:

    Magento Patches Critical SQL Injection and RCE Vulnerabilities
    https://threatpost.com/magento-xss-csrf-rce-vulnerabilities/143274/

    Reply
  11. Tomi Engdahl says:

    Researchers Find Google Play Store Apps Were Actually Government Malware
    https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv

    Security researchers have found a new kind of government malware that was hiding in plain sight within apps on Android’s Play Store. And they appear to have uncovered a case of lawful intercept gone wrong.

    Reply
  12. Tomi Engdahl says:

    Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly
    https://thehackernews.com/2019/03/microsoft-edge-ie-zero-days.html

    A security researcher today publicly disclosed details and proof-of-concept exploits for two ‘unpatched’ zero-day vulnerabilities in Microsoft’s web browsers after the company allegedly failed to respond to his responsible private disclosure.

    Reply
  13. Tomi Engdahl says:

    Cisco Improperly Patched Exploited Router Vulnerabilities
    https://www.securityweek.com/cisco-improperly-patched-exploited-router-vulnerabilities

    Cisco this week revealed that patches released in January for vulnerabilities in Small Business RV320 and RV325 routers were incomplete. The flaws have been exploited in live attacks.

    Reply
  14. Tomi Engdahl says:

    Threat Research
    Commando VM: The First of Its Kind Windows Offensive Distribution
    https://www.fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html

    For penetration testers looking for a stable and supported Linux testing platform, the industry agrees that Kali is the go-to platform. However, if you’d prefer to use Windows as an operating system, you may have noticed that a worthy platform didn’t exist.

    Born from our popular FLARE VM that focuses on reverse engineering and malware analysis, the Complete Mandiant Offensive VM (“Commando VM”) comes with automated scripts to help each of you build your own penetration testing environment and ease the process of VM provisioning and deployment. This blog post aims to discuss the features of Commando VM, installation instructions, and an example use case of the platform. Head over to the Github to find Commando VM.

    https://github.com/fireeye/commando-vm

    Reply
  15. Tomi Engdahl says:

    Ignore the noise about a scary hidden backdoor in Intel processors: It’s a fascinating debug port
    VISA: It’s everywhere (on the system bus) you want to be
    https://www.theregister.co.uk/2019/03/29/intel_visa_hack/

    Researchers at the Black Hat Asia conference this week disclosed a previously unknown way to tap into the inner workings of Intel’s chip hardware.

    The duo of Mark Ermolov and Maxim Goryachy from Positive Technologies explained how a secret Chipzilla system known as Visualization of Internal Signals Architecture (VISA) allows folks to peek inside the hidden workings and mechanisms of their CPU chipsets – capturing the traffic of individual signals and snapshots of the chip’s internal architecture in real time – without any special equipment.

    To be clear, this hidden debug access is not really a security vulnerability. To utilize the channel, you must exploit a 2017 elevation-of-privilege vulnerability, or one similar to it

    Reply
  16. Tomi Engdahl says:

    Klint Finley / Wired:
    Cloudflare says users can now sign up for its mobile-only VPN service Warp through its 1.1.1.1 app, says it has plans to offer a faster, paid version of Warp
    https://www.wired.com/story/cloudflare-says-new-vpn-service-wont-slow-you-down/

    Reply
  17. Tomi Engdahl says:

    On the dangers of popular television series
    https://www.kaspersky.com/blog/tv-series-threats/26274/

    Despite an increasing number of people preferring to stream their TV shows and generally opting for legally obtained content, pirates and BitTorrent sites hold their ground. And because, from a legal standpoint, torrent sites are in a gray-fading-into-black area, they have been a playground of choice for cybercriminals disguising their malicious files as useful stuff.

    Reply
  18. Tomi Engdahl says:

    New York Albany Capital Hit by Ransomware Attack
    https://www.bleepingcomputer.com/news/security/new-york-albany-capital-hit-by-ransomware-attack/

    The City of Albany, the capital of the U.S. state of New York, was hit by a ransomware attack on March 30, with city officials working over the weekend to respond to the incident.

    Reply
  19. Tomi Engdahl says:

    vxCrypter Is the First Ransomware to Delete Duplicate Files
    https://www.bleepingcomputer.com/news/security/vxcrypter-is-the-first-ransomware-to-delete-duplicate-files/

    The vxCrypter Ransomware could be the first ransomware infection that not only encrypts a victim’s data, but also tidies up their computer by deleting duplicate files.

    Reply
  20. Tomi Engdahl says:

    Reuters:
    Sources: as part of UAE’s Project Raven, at least nine ex-NSA staffers helped hack phones of Al Jazeera’s chairman, a BBC Arabic host, and other journalists
    https://www.reuters.com/investigates/special-report/usa-raven-media/

    Reply
  21. Tomi Engdahl says:

    Klint Finley / Wired:
    Cloudflare says users can now join waitlist for its mobile-only VPN service Warp via its 1.1.1.1 app, says it has plans to offer a faster, paid version of Warp

    Cloudflare Says Its New VPN Service Won’t Slow You Down
    https://www.wired.com/story/cloudflare-says-new-vpn-service-wont-slow-you-down/

    Virtual private networks (VPNs) can help protect your internet traffic from prying eyes. VPN services route your email, web browsing, and other internet activity through the service provider’s servers, making it appear to outsiders that you’re only accessing those servers. VPN services help users in China, for example, reach blocked sites by making it appear they’re accessing something else. They also prevent your internet service provider from snooping on the pages you visit, and encrypt web connections that might otherwise be exposed, a handy feature on public Wi-Fi networks.

    But VPNs typically come with some major trade-offs. One of the biggest is speed.

    Security company Cloudflare claims its new mobile-only VPN service will be as fast, if not faster, than a traditional mobile connection.

    “We wanted to build a VPN service that my dad would install on his phone,”

    Reply
  22. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Researcher: ~13,500 iSCSI storage clusters left exposed online without a password, opening backdoors to enterprise disk storage arrays and people’s NAS devices

    Over 13K iSCSI storage clusters left exposed online without a password
    New attack vector opens backdoor inside enterprise disk storage arrays and people’s NAS devices.
    https://www.zdnet.com/article/over-13k-iscsi-storage-clusters-left-exposed-online-without-a-password/

    Over 13,000 iSCSI storage clusters are currently accessible via the internet after their respective owners forgot to enable authentication.

    This misconfiguration has the risk of causing serious harm to devices’ owners

    Reply
  23. Tomi Engdahl says:

    We found a massive spam operation — and sunk its server
    Five million emails in ten days
    https://techcrunch.com/2019/04/02/inside-a-spam-operation/

    Each email looked like it came from someone the recipient knew: the spammer took stolen email addresses and passwords, quietly logged into their email account, scraped their recently sent emails and pushed out personalized emails to the recipient of that sent email with a link to a fake site pushing a weight loss pill or a bitcoin scam.

    The emails were so convincing more than 100,000 people clicked through.

    We know this because a security researcher found the server leaking the entire operation. The spammer had forgotten to set a password.

    TechCrunch provided a copy of the database to Troy Hunt.

    Reply
  24. Tomi Engdahl says:

    Cryptography That Can’t Be Hacked
    https://www.quantamagazine.org/how-the-evercrypt-library-creates-hacker-proof-cryptography-20190402/

    Researchers have just released hacker-proof cryptographic code — programs with the same level of invincibility as a mathematical proof.

    Reply
  25. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Source: Arizona Beverages, one of the largest drink suppliers in the US, is reeling after a ransomware attack; FBI warned them beforehand of a malware infection — Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month, TechCrunch has learned.

    Arizona Beverages knocked offline by ransomware attack
    https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/?guccounter=1

    Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month, TechCrunch has learned.

    The company, famous for its iced tea beverages, is still rebuilding its network almost two weeks after the attack hit, wiping hundreds of Windows computers and servers and effectively shutting down sales operations for days until incident response was called in, according to a person familiar with the matter.

    Reply
  26. Tomi Engdahl says:

    OceanLotus APT Uses Steganography to Load Backdoors
    https://www.bleepingcomputer.com/news/security/oceanlotus-apt-uses-steganography-to-load-backdoors/

    conceal the encrypted malware payload within PNG images

    Reply
  27. Tomi Engdahl says:

    New Apache Web Server Bug Threatens Security of Shared Web Hosts
    https://thehackernews.com/2019/04/apache-web-server-security.html

    The vulnerability, identified as CVE-2019-0211, was discovered by Charles Fol, a security engineer at Ambionics Security firm, and patched by the Apache developers in the latest version 2.4.39 of its software released today.

    The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.38 and could allow any less-privileged user to execute arbitrary code with root privileges on the targeted server.

    Reply
  28. Tomi Engdahl says:

    Microsoft Edge and Internet Explorer Zero-Days Allow Access to Confidential Session Data
    https://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-edge-and-internet-explorer-zero-days-allow-access-to-confidential-session-data/

    A flaw in the same-origin policy for these web browsers, called an Origin Validation Error (CWE-346), allows JavaScript embedded in a malicious web page to gather information about other web pages the user has visited. If a user visits a malicious page via a Microsoft Edge or Internet Explorer web browser, these vulnerabilities may be used to relay sensitive information about the client’s browser session back to an attacker. Lee has shared a simple proof-of-concept (POC) for each vulnerability.

    Reply
  29. Tomi Engdahl says:

    Canadian Police Raid ‘Orcus RAT’ Author
    https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/

    Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.

    Reply
  30. Tomi Engdahl says:

    Financial Apps are Ripe for Exploit via Reverse Engineering
    https://threatpost.com/financial-apps-are-ripe-for-exploit-via-reverse-engineering/143348/

    White hat hacker reverse engineers financial apps and finds a treasure trove of security issues.

    Reply
  31. Tomi Engdahl says:

    Hackers don’t just want to pwn networks, they literally want to OWN your network – and no one knows they’re there
    Bad guys are settling in, putting their feet up for the long haul
    https://www.theregister.co.uk/2019/04/02/network_busting_hackers_getting_harder_to_be_rid_of/

    Network intruders are staying longer and going after wider swathes of machines with their attacks.

    This is according to the latest quarterly report (PDF) from security company Carbon Black, which analysed various incident reports from about 40 of its enterprise customers.

    https://www.carbonblack.com/wp-content/uploads/2019/04/carbon-black-quarterly-incident-response-threat-report-april-2019.pdf

    Reply
  32. Tomi Engdahl says:

    American hackers helped UAE spy on Al Jazeera chairman, BBC host
    https://www.reuters.com/investigates/special-report/usa-raven-media/

    A group of American hackers who once worked for U.S. intelligence agencies

    A Reuters investigation in January revealed Project Raven’s existence and inner workings

    https://www.reuters.com/investigates/special-report/usa-spying-raven/

    Reply
  33. Tomi Engdahl says:

    Google Patches Critical Vulnerabilities in Android’s Media Framework
    https://www.securityweek.com/google-patches-critical-vulnerabilities-androids-media-framework

    Google has released its April 2019 set of security patches for the Android platform, which fixes three Critical vulnerabilities, including two that affect the Media framework component.

    Tracked as CVE-2019-2027 and CVE-2019-2028, the two security flaws could be exploited remotely by attackers to execute code on vulnerable devices. Android versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9 are impacted.

    Reply
  34. Tomi Engdahl says:

    Attackers Store Malware in Hidden Directories of Compromised HTTPS Sites
    https://www.securityweek.com/attackers-store-malware-hidden-directories-compromised-https-sites

    Cybercriminals are utilizing hidden “well-known” directories of HTTPS sites to store and serve malicious payloads, Zscaler security researchers have discovered.

    Compromised WordPress and Joomla websites were observed serving Shade/Troldesh ransomware, coin miners, backdoors, redirectors, phishing pages, and other threats.

    Reply
  35. Tomi Engdahl says:

    Exodus Android Spyware With Possible Links to Italian Government Analyzed
    https://www.securityweek.com/exodus-android-spyware-possible-links-italian-government-analyzed

    Android spyware known as Exodus has been found in more than 20 apps on Google Play Store. The malware is believed to have been developed by the Italian firm eSurv, which has commercial connections to the Italian government.

    Reply
