This posting is here to collect cyber security news in April 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
402 Comments
Tomi Engdahl says:
Zero-Day Bug Lays Open TP-Link Smart Home Router
https://threatpost.com/zero-day-tp-link-smart-home-router/143266/
An exploit would allow an attacker to establish a persistent backdoor for ongoing remote access.
A zero-day bug has been uncovered in the TP-Link SR20 smart hub and home router, which would allow a local adversary to execute arbitrary commands on the device without authentication and establish a persistent backdoor for remote access.
Tomi Engdahl says:
Some ASUS Updates Drop Backdoors on PCs in ‘Operation ShadowHammer’
https://threatpost.com/asus-pc-backdoors-shadowhammer/143129/
The threat surface is not small: The ASUS Live Update Utility is a pre-installed utility in most new ASUS computers, for automatic BIOS, UEFI, drivers and applications updates. Popular among gamers, ASUS ranks fifth in the laptop market, with a market share of 7.4 percent as of August 2018, according to TrendForce. With an estimated 41.08 million laptops shipped in that quarter, it means ASUS sold around 3 million of them for that time period.
Tomi Engdahl says:
Drones are Quickly Becoming a Cybersecurity Nightmare
https://threatpost.com/drones-breach-cyberdefenses/143075/
Hacked drones are breaching physical and cyberdefenses to cause disruption and steal data, experts warn.
Drones are a growing threat for law enforcement and business security officers. In the run-up to Christmas 2018, rogue drones grounded planes at London Gatwick, the UK’s second-busiest airport. But, increasingly it’s not just the air traffic controllers sounding the alarms over drones, it’s also the cybersecurity community.
Drones are already being used as one component of cyberattacks
Tomi Engdahl says:
WordPress Plugin Patched After Zero Day Discovered
https://threatpost.com/wordpress-plugin-removed-after-zero-day-discovered/143051/
The plugin, Social Warfare, is no longer listed after a cross-site scripting flaw was found being exploited in the wild.
Tomi Engdahl says:
Russia threatens to block popular VPNs
https://www.itproportal.com/news/russia-threatens-to-block-popular-vpns/
Russia’s recently introduced tougher internet laws could spell trouble for VPN services in the country.
Tomi Engdahl says:
Only 10% of Tech Companies Protected From Phishing by DMARC Enforcement
https://www.bleepingcomputer.com/news/security/only-10-percent-of-tech-companies-protected-from-phishing-by-dmarc-enforcement/
Tomi Engdahl says:
Ironically, Phishing Kit Hosted on Nigerian Government Site
https://www.bleepingcomputer.com/news/security/ironically-phishing-kit-hosted-on-nigerian-government-site/
For over two weeks, the Nigerian National Assembly (NASS) site has been serving a fraudulent page that asks for DHL account credentials. This is just a landing location, most likely pushed through spam.
Tomi Engdahl says:
How Microsoft found a Huawei driver that opened systems to attack
Monitoring systems were looking for attacks using technique popularized by the NSA.
https://arstechnica.com/gadgets/2019/03/how-microsoft-found-a-huawei-driver-that-opened-systems-up-to-attack/
Tomi Engdahl says:
A Hammer Lurking In The Shadows
https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows/
And then there was ShadowHammer, the supply chain attack on the ASUS Live Update Utility between June and November 2018, which was discovered by Kaspersky earlier this year, and made public a few days ago.
Tomi Engdahl says:
Here’s the List of ~600 MAC Addresses Targeted in Recent ASUS Hack
https://thehackernews.com/2019/03/asus-hack-mac-addresses.html
Tomi Engdahl says:
Magento Patches Critical SQL Injection and RCE Vulnerabilities
https://threatpost.com/magento-xss-csrf-rce-vulnerabilities/143274/
Tomi Engdahl says:
Researchers Find Google Play Store Apps Were Actually Government Malware
https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv
Security researchers have found a new kind of government malware that was hiding in plain sight within apps on Android’s Play Store. And they appear to have uncovered a case of lawful intercept gone wrong.
Tomi Engdahl says:
Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly
https://thehackernews.com/2019/03/microsoft-edge-ie-zero-days.html
A security researcher today publicly disclosed details and proof-of-concept exploits for two ‘unpatched’ zero-day vulnerabilities in Microsoft’s web browsers after the company allegedly failed to respond to his responsible private disclosure.
Tomi Engdahl says:
Investigator Says Amazon Chief’s Phone Hacked by Saudis
https://www.securityweek.com/investigator-says-amazon-chiefs-phone-hacked-saudis
Tomi Engdahl says:
Cisco Improperly Patched Exploited Router Vulnerabilities
https://www.securityweek.com/cisco-improperly-patched-exploited-router-vulnerabilities
Cisco this week revealed that patches released in January for vulnerabilities in Small Business RV320 and RV325 routers were incomplete. The flaws have been exploited in live attacks.
Tomi Engdahl says:
Commando VM: The First of Its Kind Windows Offensive Distribution
https://www.fireeye.com/blog/threat-research/2019/03/commando-vm-windows-offensive-distribution.html
For penetration testers looking for a stable and supported Linux testing platform, the industry agrees that Kali is the go-to platform. However, if you’d prefer to use Windows as an operating system, you may have noticed that a worthy platform didn’t exist.
Born from our popular FLARE VM that focuses on reverse engineering and malware analysis, the Complete Mandiant Offensive VM (“Commando VM”) comes with automated scripts to help each of you build your own penetration testing environment and ease the process of VM provisioning and deployment. This blog post aims to discuss the features of Commando VM, installation instructions, and an example use case of the platform. Head over to the Github to find Commando VM.
https://github.com/fireeye/commando-vm
Tomi Engdahl says:
Ignore the noise about a scary hidden backdoor in Intel processors: It’s a fascinating debug port
VISA: It’s everywhere (on the system bus) you want to be
https://www.theregister.co.uk/2019/03/29/intel_visa_hack/
Researchers at the Black Hat Asia conference this week disclosed a previously unknown way to tap into the inner workings of Intel’s chip hardware.
The duo of Mark Ermolov and Maxim Goryachy from Positive Technologies explained how a secret Chipzilla system known as Visualization of Internal Signals Architecture (VISA) allows folks to peek inside the hidden workings and mechanisms of their CPU chipsets – capturing the traffic of individual signals and snapshots of the chip’s internal architecture in real time – without any special equipment.
To be clear, this hidden debug access is not really a security vulnerability. To utilize the channel, you must exploit a 2017 elevation-of-privilege vulnerability, or one similar to it
Tomi Engdahl says:
Klint Finley / Wired:
Cloudflare says users can now sign up for its mobile-only VPN service Warp through its 1.1.1.1 app, says it has plans to offer a faster, paid version of Warp
https://www.wired.com/story/cloudflare-says-new-vpn-service-wont-slow-you-down/
Tomi Engdahl says:
On the dangers of popular television series
https://www.kaspersky.com/blog/tv-series-threats/26274/
Despite an increasing number of people preferring to stream their TV shows and generally opting for legally obtained content, pirates and BitTorrent sites hold their ground. And because, from a legal standpoint, torrent sites are in a gray-fading-into-black area, they have been a playground of choice for cybercriminals disguising their malicious files as useful stuff.
Tomi Engdahl says:
MS-ISAC Releases Security Primer on LockerGoga Ransomware
https://www.us-cert.gov/ncas/current-activity/2019/04/01/MS-ISAC-Releases-Security-Primer-LockerGoga-Ransomware
Tomi Engdahl says:
New York Albany Capital Hit by Ransomware Attack
https://www.bleepingcomputer.com/news/security/new-york-albany-capital-hit-by-ransomware-attack/
The City of Albany, the capital of the U.S. state of New York, was hit by a ransomware attack on March 30, with city officials working over the weekend to respond to the incident.
Tomi Engdahl says:
vxCrypter Is the First Ransomware to Delete Duplicate Files
https://www.bleepingcomputer.com/news/security/vxcrypter-is-the-first-ransomware-to-delete-duplicate-files/
The vxCrypter Ransomware could be the first ransomware infection that not only encrypts a victim’s data, but also tidies up their computer by deleting duplicate files.
Tomi Engdahl says:
https://labsblog.f-secure.com/2019/04/01/mira-ransomware-decryptor/
Tomi Engdahl says:
Google Warns of Growing Android Attack Vector: Backdoored SDKs and Pre-Installed Apps
https://threatpost.com/google-warns-of-growing-android-attack-vector-backdoored-sdks-and-pre-installed-apps/143332/
Tomi Engdahl says:
Cloudflare is adding a free VPN to its 1.1.1.1 app
More speed and security
https://www.theverge.com/2019/4/1/18290615/cloudflare-1-1-1-1-vpn-dns-resolver-security-privacy
Tomi Engdahl says:
Reuters:
Sources: as part of UAE’s Project Raven, at least nine ex-NSA staffers helped hack phones of Al Jazeera’s chairman, a BBC Arabic host, and other journalists
https://www.reuters.com/investigates/special-report/usa-raven-media/
Tomi Engdahl says:
Klint Finley / Wired:
Cloudflare says users can now join waitlist for its mobile-only VPN service Warp via its 1.1.1.1 app, says it has plans to offer a faster, paid version of Warp
Cloudflare Says Its New VPN Service Won’t Slow You Down
https://www.wired.com/story/cloudflare-says-new-vpn-service-wont-slow-you-down/
Virtual private networks (VPNs) can help protect your internet traffic from prying eyes. VPN services route your email, web browsing, and other internet activity through the service provider’s servers, making it appear to outsiders that you’re only accessing those servers. VPN services help users in China, for example, reach blocked sites by making it appear they’re accessing something else. They also prevent your internet service provider from snooping on the pages you visit, and encrypt web connections that might otherwise be exposed, a handy feature on public Wi-Fi networks.
But VPNs typically come with some major trade-offs. One of the biggest is speed.
Security company Cloudflare claims its new mobile-only VPN service will be as fast, if not faster, than a traditional mobile connection.
“We wanted to build a VPN service that my dad would install on his phone,”
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Researcher: ~13,500 iSCSI storage clusters left exposed online without a password, opening backdoors to enterprise disk storage arrays and people’s NAS devices
Over 13K iSCSI storage clusters left exposed online without a password
New attack vector opens backdoor inside enterprise disk storage arrays and people’s NAS devices.
https://www.zdnet.com/article/over-13k-iscsi-storage-clusters-left-exposed-online-without-a-password/
Over 13,000 iSCSI storage clusters are currently accessible via the internet after their respective owners forgot to enable authentication.
This misconfiguration has the risk of causing serious harm to devices’ owners
Tomi Engdahl says:
We found a massive spam operation — and sunk its server
Five million emails in ten days
https://techcrunch.com/2019/04/02/inside-a-spam-operation/
Each email looked like it came from someone the recipient knew: the spammer took stolen email addresses and passwords, quietly logged into their email account, scraped their recently sent emails and pushed out personalized emails to the recipient of that sent email with a link to a fake site pushing a weight loss pill or a bitcoin scam.
The emails were so convincing more than 100,000 people clicked through.
We know this because a security researcher found the server leaking the entire operation. The spammer had forgotten to set a password.
TechCrunch provided a copy of the database to Troy Hunt.
Tomi Engdahl says:
The Navy Is Assembling a Hacker Team to Fight Off Small Drones
https://www.defenseone.com/technology/2019/04/us-navy-seeks-hackers-protect-bases-ships-small-drones/155971/?oref=DefenseOneFB
Tomi Engdahl says:
Online voting isn’t ready for high-stakes elections
https://horizon-magazine.eu/article/online-voting-isn-t-ready-high-stakes-elections.html?utm_source=fb&utm_medium=share
Tomi Engdahl says:
2 students at a N.J. high school charged with jamming school’s Wi-Fi to avoid exams
https://www.nj.com/hudson/2019/04/2-students-at-a-nj-high-school-charged-with-jamming-schools-wi-fi-to-avoid-exams.html?utm_source=facebook&utm_content=nj_facebook_njcom&utm_medium=social&utm_campaign=njcom_sf
Tomi Engdahl says:
Cryptography That Can’t Be Hacked
https://www.quantamagazine.org/how-the-evercrypt-library-creates-hacker-proof-cryptography-20190402/
Researchers have just released hacker-proof cryptographic code — programs with the same level of invincibility as a mathematical proof.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Source: Arizona Beverages, one of the largest drink suppliers in the US, is reeling after a ransomware attack; FBI warned them beforehand of a malware infection — Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month, TechCrunch has learned.
Arizona Beverages knocked offline by ransomware attack
https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/?guccounter=1
Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month, TechCrunch has learned.
The company, famous for its iced tea beverages, is still rebuilding its network almost two weeks after the attack hit, wiping hundreds of Windows computers and servers and effectively shutting down sales operations for days until incident response was called in, according to a person familiar with the matter.
Tomi Engdahl says:
Greylock leads $14 million investment in application security startup Sqreen
https://venturebeat.com/2019/04/02/greylock-leads-14-million-investment-in-application-security-startup-sqreen/
Tomi Engdahl says:
OceanLotus APT Uses Steganography to Load Backdoors
https://www.bleepingcomputer.com/news/security/oceanlotus-apt-uses-steganography-to-load-backdoors/
conceal the encrypted malware payload within PNG images
Tomi Engdahl says:
Google’s April Android Security Bulletin Warns of 3 Critical Bugs
https://threatpost.com/googles-april-android-security-bulletin-warns-of-3-critical-bugs/143357/
Tomi Engdahl says:
New Apache Web Server Bug Threatens Security of Shared Web Hosts
https://thehackernews.com/2019/04/apache-web-server-security.html
The vulnerability, identified as CVE-2019-0211, was discovered by Charles Fol, a security engineer at Ambionics Security firm, and patched by the Apache developers in the latest version 2.4.39 of its software released today.
The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.38 and could allow any less-privileged user to execute arbitrary code with root privileges on the targeted server.
Tomi Engdahl says:
Microsoft Edge and Internet Explorer Zero-Days Allow Access to Confidential Session Data
https://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-edge-and-internet-explorer-zero-days-allow-access-to-confidential-session-data/
A flaw in the same-origin policy for these web browsers, called an Origin Validation Error (CWE-346), allows JavaScript embedded in a malicious web page to gather information about other web pages the user has visited. If a user visits a malicious page via a Microsoft Edge or Internet Explorer web browser, these vulnerabilities may be used to relay sensitive information about the client’s browser session back to an attacker. Lee has shared a simple proof-of-concept (POC) for each vulnerability.
Tomi Engdahl says:
Canadian Police Raid ‘Orcus RAT’ Author
https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/
Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.
Tomi Engdahl says:
Financial Apps are Ripe for Exploit via Reverse Engineering
https://threatpost.com/financial-apps-are-ripe-for-exploit-via-reverse-engineering/143348/
White hat hacker reverse engineers financial apps and finds a treasure trove of security issues.
Tomi Engdahl says:
Hackers don’t just want to pwn networks, they literally want to OWN your network – and no one knows they’re there
Bad guys are settling in, putting their feet up for the long haul
https://www.theregister.co.uk/2019/04/02/network_busting_hackers_getting_harder_to_be_rid_of/
Network intruders are staying longer and going after wider swathes of machines with their attacks.
This is according to the latest quarterly report (PDF) from security company Carbon Black, which analysed various incident reports from about 40 of its enterprise customers.
https://www.carbonblack.com/wp-content/uploads/2019/04/carbon-black-quarterly-incident-response-threat-report-april-2019.pdf
Tomi Engdahl says:
https://www.pandasecurity.com/mediacenter/panda-security/social-media-scams/
Tomi Engdahl says:
American hackers helped UAE spy on Al Jazeera chairman, BBC host
https://www.reuters.com/investigates/special-report/usa-raven-media/
A group of American hackers who once worked for U.S. intelligence agencies
A Reuters investigation in January revealed Project Raven’s existence and inner workings
https://www.reuters.com/investigates/special-report/usa-spying-raven/
Tomi Engdahl says:
Chinese Woman Carrying Malware Allegedly Got Into Mar-a-Lago
https://www.securityweek.com/chinese-woman-carrying-malware-allegedly-got-mar-lago
Tomi Engdahl says:
Google Patches Critical Vulnerabilities in Android’s Media Framework
https://www.securityweek.com/google-patches-critical-vulnerabilities-androids-media-framework
Google has released its April 2019 set of security patches for the Android platform, which fixes three Critical vulnerabilities, including two that affect the Media framework component.
Tracked as CVE-2019-2027 and CVE-2019-2028, the two security flaws could be exploited remotely by attackers to execute code on vulnerable devices. Android versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9 are impacted.
Tomi Engdahl says:
PoC Exploits Released for Unpatched Edge, IE Vulnerabilities
https://www.securityweek.com/poc-exploits-released-unpatched-edge-ie-vulnerabilities
Tomi Engdahl says:
Attackers Store Malware in Hidden Directories of Compromised HTTPS Sites
https://www.securityweek.com/attackers-store-malware-hidden-directories-compromised-https-sites
Cybercriminals are utilizing hidden “well-known” directories of HTTPS sites to store and serve malicious payloads, Zscaler security researchers have discovered.
Compromised WordPress and Joomla websites were observed serving Shade/Troldesh ransomware, coin miners, backdoors, redirectors, phishing pages, and other threats.
Tomi Engdahl says:
JavaScript Library Introduced XSS Flaw in Google Search
https://www.securityweek.com/javascript-library-introduced-xss-flaw-google-search
https://github.com/google/closure-library
Tomi Engdahl says:
Exodus Android Spyware With Possible Links to Italian Government Analyzed
https://www.securityweek.com/exodus-android-spyware-possible-links-italian-government-analyzed
Android spyware known as Exodus has been found in more than 20 apps on Google Play Store. The malware is believed to have been developed by the Italian firm eSurv, which has commercial connections to the Italian government.