This posting is here to collect cyber security news in April 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
402 Comments
Tomi Engdahl says:
Security flaw in EA’s Origin client exposed gamers to hackers
https://techcrunch.com/2019/04/16/ea-origin-bug-exposed-hackers/
The bug affected Windows users with the Origin app installed. Tens of millions of gamers use the Origin app to buy, access and download games.
Tomi Engdahl says:
Tracking Phones, Google Is a Dragnet for the Police
https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html
The tech giant records people’s locations worldwide. Now, investigators are using it to find suspects and witnesses near crimes, running the risk of snaring the innocent.
Tomi Engdahl says:
Facial recognition to replace passports, boarding passes at Tampa Intl. Airport
https://www.wfla.com/news/hillsborough-county/facial-recognition-tech-to-replace-passports-boarding-passes-at-tampa-international/1929518296?fbclid=IwAR167eCu3os85DNnTpNx4sah5K907fYk4Tx6H2CYYkyadGgVVN1cr6wJxR8
The goal is to replace passports and boarding passes with biometric technology that scans your face before getting on the plane for international travel.
Tomi Engdahl says:
Internet Explorer zero-day lets hackers steal files from Windows PCs
https://www.zdnet.com/article/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs/
Microsoft refused to patch issue so security researcher released exploit code online.
The vulnerability resides in the way Internet Explorer processes MHT files.
Tomi Engdahl says:
‘NamPoHyu Virus’ Ransomware Targets Remote Samba Servers
https://www.bleepingcomputer.com/news/security/nampohyu-virus-ransomware-targets-remote-samba-servers/
Instead of an executable running on a victim’s computer, the attacker is running the ransomware locally and having it remotely encrypt accessible Samba servers.
Tomi Engdahl says:
Leo Kelion / BBC:
UK government announces that porn websites will have to introduce age-checks by July 15; sites failing to comply will face being blocked by ISPs
UK to introduce porn age-checks in July
https://www.bbc.com/news/technology-47960775
An age-check scheme designed to stop under-18s viewing pornographic websites will come into force on 15 July.
From that date, affected sites will have to verify the age of UK visitors.
If they fail to comply they will face being blocked by internet service providers.
Tomi Engdahl says:
Shamima Begum: Why women are terrorism’s secret weapon
https://www.bbc.com/news/world-47653190
When women make the news because of terrorism, the focus has often been on their role as victims or as potential allies in countering the threat.
By contrast, women who take part in and support extremism have sometimes been overlooked.
Tomi Engdahl says:
How Facebook is being used to profile and kill Kenyan ‘gangsters’
https://www.bbc.com/news/world-africa-47805113
A suspected death squad operating inside Kenya’s police force is using Facebook to target and kill young men they believe to be gang members, residents of a poor and overcrowded area of the capital have told a public meeting.
suspected to be criminals, were profiled within various Facebook groups by “gangster hunters”.
“They profile them on Facebook, after one week or a month they shoot them, and put pictures of their dead bodies on Facebook,” Wilfred Olal from the Dandora Community Justice Centre told the meeting.
Last November, former police chief Joseph Boinnet had said: “The person behind the Facebook accounts is not a police officer, but [a civilian] passionate about security matters.”
Tomi Engdahl says:
Internet Explorer browser flaw threatens all Windows users
https://nakedsecurity.sophos.com/2019/04/17/internet-explorer-browser-flaw-threatens-all-windows-users/amp/
Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).
Success would…
Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.
IE should throw up a security warning, but this could be bypassed
Tomi Engdahl says:
Major Browsers to Prevent Disabling of Click Tracking Privacy Risk
https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/
Tomi Engdahl says:
Rare spying platform TajMahal discovered after 5 years
https://www.thequint.com/news/hot-news/rare-spying-platform-tajmahal-discovered-after-5-years?ch=10&share=cbc4665f
Researchers with cyber security firm Kaspersky Lab have uncovered a sophisticated spying platform, TajMahal, that has been active for more than five years now and appears to be unconnected to any known threat actors.
The TajMahal framework features around 80 malicious modules and includes functionality never before seen in an advanced persistent threat, such as the ability to steal information from printer queues and to grab previously seen files from a USB device the next time it reconnects, the researchers said.
Tomi Engdahl says:
Ecuador says hit by 40 million cyber attacks since Assange arrest
https://news.yahoo.com/ecuador-says-hit-40-million-cyber-attacks-since-224432459.html
Quito (AFP) – Ecuador said on Monday it has suffered 40 million cyber attacks on the webpages of public institutions since stripping Wikileaks founder Julian Assange of political asylum.
country had suffered “volumetric attacks” that blocked access to the internet following “threats from those groups linked to Julian Assange.”
Tomi Engdahl says:
Student used ‘USB Killer’ device to destroy $58,000 worth of college computers
https://www.theverge.com/2019/4/17/18412427/college-saint-rose-student-guilty-usb-killer-destroyed-computers
The former College of Saint Rose student faces up to 10 years in prison
Tomi Engdahl says:
A new state-backed hacker group is hijacking government domains at a phenomenal pace
https://techcrunch.com/2019/04/17/sea-turtle-talos-dns-hijack/?tpcc=ECFB2019
The hackers exploit flaws in the domain name system to carry out espionage
Tomi Engdahl says:
Subaru StarLink persistent root code execution.
https://github.com/sgayou/subaru-starlink-research
Rooting the latest generation of Harman head units running on newer Subaru vehicles.
Tomi Engdahl says:
These new newspaper racks from the Tampa Bay Times are tracking your emotions, age and gender
https://www.cltampa.com/news-views/local-news/article/21064539/these-new-newspaper-racks-from-the-tampa-bay-times-are-tracking-your-emotions-age-and-gender?utm_source=featurefollow&utm_medium=home&utm_campaign=hpfeatures
Tomi Engdahl says:
Whistleblowers get extra protection – New EU rules also protect against employer retaliation
https://www.hs.fi/ulkomaat/art-2000006075728.html?share=e3b7b4d534b9ddc4b83384989bf1c225
Tomi Engdahl says:
EU Parliament Takes Up Its Next Attempt To Wipe Out An Open Internet: Terrorist Content Regulation Vote On Wednesday
https://www.techdirt.com/articles/20190415/17130042019/eu-parliament-takes-up-next-attempt-to-wipe-out-open-internet-terrorist-content-regulation-vote-wednesday.shtml
If you were worried about the EU Copyright Directive, you should be absolutely terrified about the EU Terrorist Content Regulation, which has continued to march forward with very little attention compared to the Copyright Directive
Terrorist Content Regulation, starting with the requirement that any site (even a one-person blog somewhere outside of the EU) be required to take down content within an hour of notification by an ill-defined “competent authority,” but also covering other aspects, such as requiring mandatory content filters.
left in the 1 hour content removal requirement. And the largest group in the EU Parliament, the EPP, has already put forth amendments to bring back all the other bad stuff in the proposal.
As MEP Julia Reda notes, the EU Parliament will now vote on the Terrorist Content Regulation on Wednesday
https://juliareda.eu/2019/04/reject-terror-filters/
Tomi Engdahl says:
Why didn’t GPS crash?
https://www.youtube.com/watch?v=iyz7dSnZItw
“In the Future the Modernized GPS Navigation (CNAV and MNAV) message has a 13-bit week number, which for all practical purposes solves this ambiguity”
Fun fact: GPS uses 10 bits to store the week. That means it runs out… oh heck – April 6, 2019
https://www.theregister.co.uk/2019/02/12/current_gps_epoch_ends/
Nav gadgets will be Gah, Properly Screwed if you don’t or can’t update firmware
Tomi Engdahl says:
Adblock Plus Filters Can Be Exploited to Run Malicious Code
https://www.bleepingcomputer.com/news/security/adblock-plus-filters-can-be-exploited-to-run-malicious-code/
An exploit has been discovered that could allow ad blocking filter list maintainers for the Adblock Plus, AdBlock, and uBlocker browser extensions to create filters that inject remote scripts into web sites.
With ad blockers having a user base of over 10 million installs, if malicious scripts were injected it would have a huge impact as they could perform unwanted activity such as stealing cookies, login credentials, causing page redirects, or other unwanted behavior.
When Adblocker Plus 3.2 was released in 2018, a new filter list option was added called $rewrite.
Why would a filter maintainer go rogue?
While there may be numerous ways to modify a filter list, Sebastian told BleepingComputer his main concern is a “filter list operators that may perform targeted attacks that are difficult to detect”.
As many filter list maintainers are volunteers, it’s conceivable that they would add an unwanted filter for numerous reasons.
Tomi Engdahl says:
Scranos Operation Uses Signed Rootkit to Steal Login and Payment Info
https://www.bleepingcomputer.com/news/security/scranos-operation-uses-signed-rootkit-to-steal-login-and-payment-info/
Tomi Engdahl says:
New Malicious Medical DICOM Image Files Cause HIPAA Headache
https://www.bleepingcomputer.com/news/security/new-malicious-medical-dicom-image-files-cause-hipaa-headache/
Malicious DICOM files can be crafted to contain both CT and MRI scan imaging data and potentially dangerous PE executables, a process which can be used by threat actors to hide malware inside seemingly harmless files.
Tomi Engdahl says:
Microsoft Email Hack Shows the Lurking Danger of Customer Support
https://www.wired.com/story/microsoft-email-hack-outlook-hotmail-customer-support/
On Friday night, Microsoft sent notification emails to an unknown number of its individual email users—across Outlook, MSN, and Hotmail—warning them about a data breach. Between January 1 and March 28 of this year, hackers used a set of stolen credentials for a Microsoft customer support platform to access account data like email addresses in messages, message subject lines, and folder names inside accounts. By Sunday, it acknowledged that the problem was actually much worse.
Tomi Engdahl says:
Massive eGobbler Malvertising Campaign Leverages Chrome Vulnerability To Target iOS Users
https://blog.confiant.com/massive-egobbler-malvertising-campaign-leverages-chrome-vulnerability-to-target-ios-users-a534b95a037f?gi=9f3075b1f672
Tomi Engdahl says:
EU: No evidence of Kaspersky spying despite ‘confirmed malicious’ classification
https://www.zdnet.com/article/eu-no-evidence-of-kaspersky-spying-despite-confirmed-malicious-classification/
European Commission “not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products.”
Tomi Engdahl says:
Former student destroys 59 university computers using USB Killer device
https://www.zdnet.com/article/former-student-destroys-59-university-computers-using-usb-killer-device/
He also destroyed seven computer monitors and computer-enhanced podiums that had open USB slots.
Tomi Engdahl says:
Scranos rootkit expands operations from China to the rest of the world
https://www.zdnet.com/article/scranos-rootkit-expands-operations-from-china-to-the-rest-of-the-world/
Rise of new multi-functional rootkit-backdoor-infostealer-adware strain worries researchers.
A malware operation previously limited to China’s borders has expanded over the past few months to infect users from all over the world, antivirus firm Bitdefender said in a report published today.
Tomi Engdahl says:
Malspam Campaigns Distribute HawkEye Keylogger, Post Ownership Change
https://threatpost.com/hawkeye-keylogger-malspam-campaigns/143807/
Tomi Engdahl says:
Scranos: New Rapidly Evolving Rootkit-Enabled Spyware Discovered
https://thehackernews.com/2019/04/scranos-rootkit-spyware.html
A new powerful rootkit-enabled spyware operation has been discovered wherein hackers are distributing multifunctional malware disguised as cracked software or trojanized app posing as legitimate software like video players, drivers and even anti-virus products.
Tomi Engdahl says:
Adblock Plus filters can be abused to execute malicious code in browsing sessions
The vendor was not aware of the problem until public disclosure.
https://www.zdnet.com/article/adblock-plus-filters-can-be-abused-by-hackers-to-execute-malware/
Tomi Engdahl says:
Hacker Group Uses RATVERMIN Backdoor to Target Ukrainian Military
https://www.bleepingcomputer.com/news/security/hacker-group-uses-ratvermin-backdoor-to-target-ukrainian-military/
Tomi Engdahl says:
Your Android phone can now double as a security key
An extra layer of security never hurt anybody, and now you can turn your phone into a physical security key
https://www.welivesecurity.com/2019/04/16/android-phone-security-key/
Google has announced that any smartphone running Android 7.0 (Nougat) or later can now be used as a hardware security key for two-factor authentication (2FA).
Available in beta at the moment, the new feature is intended to provide an additional authentication factor and keep Google account users safe from phishing scams and other attacks that attempt to steal people’s login credentials. It can be used to protect your personal Google accounts, as well as Google Cloud Accounts at work.
The ultimate account security is now in your pocket
https://www.blog.google/technology/safety-security/your-android-phone-is-a-security-key/
Tomi Engdahl says:
Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People’s Republic
https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html
Game of Thrones Phishing Scams and How to Avoid Them
https://blog.checkpoint.com/2019/04/16/game-of-thrones-phishing-scams-and-how-to-avoid-them/
Tomi Engdahl says:
90% of Infrastructure Security Pros Have Been Hacked in the Last Two Years
https://www.designnews.com/design-hardware-software/90-infrastructure-security-pros-have-been-hacked-last-two-years/213044111660594?ADTRK=UBM&elq_mid=8200&elq_cid=876648
According to a report commissioned by Tenable, 62% of respondents said their organizations have suffered multiple attacks.
Tomi Engdahl says:
CVE-2019-0859: A zero-day vulnerability in Windows
https://www.kaspersky.com/blog/cve-2019-0859-detected/26451/
What are we dealing with?
CVE-2019-0859 is a Use-After-Free vulnerability in the system function that handles dialog windows, or more precisely, their additional styles. The exploit pattern found in the wild targeted 64-bit versions of OS, from Windows 7 to the latest builds of Windows 10. Exploitation of the vulnerability allows the malware to download and execute a script written by the attackers, which in the worst-case scenario results in full control over the infected PC.
Tomi Engdahl says:
New zero-day vulnerability CVE-2019-0859 in win32k.sys
https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/
Tomi Engdahl says:
Patched Windows Zero-Day Provided Full Control Over Vulnerable Systems
https://www.bleepingcomputer.com/news/security/patched-windows-zero-day-provided-full-control-over-vulnerable-systems/
A Windows zero-day vulnerability which got patched by Microsoft as part of the company’s April 2019 Patch Tuesday together with 73 other flaws could allow potential attackers to take full control of vulnerable systems.
The 0-day was actively exploited before patching, with Kaspersky Lab’s researchers Vasiliy Berdnikov and Boris Larin finding an exploit in the wild actively targeting multiple 64-bit versions of Windows, ranging from “Windows 7 to older builds of Windows 10.”
Tomi Engdahl says:
Internet Explorer zero-day lets hackers steal files from Windows PCs
https://www.zdnet.com/article/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs/
Microsoft refused to patch issue so security researcher released exploit code online.
Tomi Engdahl says:
Rogue Waves: Preparing the Internet for the Next Mega DDoS Attack
https://threatpost.com/future-mega-ddos-attacks/143752/
Why many attack techniques can be reused – but organizations can’t defend against them.
When you think of a distributed denial-of-service (DDoS) attack at this point in the age of the internet, you might be thinking they’re old news. But when a multi-million-dollar business can be easily taken offline by an unskilled adversary and a $5 rent-a-DDoS service, I would argue that the issue is still very much relevant. Because of this, I decided to take a look at what might be on the horizon for malicious attackers, not in terms of who they’re going to hit next (that’s a game everyone can play but no one wins), but instead how it’s most likely to happen, and possibly from where.
Tomi Engdahl says:
Important Severity Remote Code Execution Vulnerability Patched in Tomcat
https://www.bleepingcomputer.com/news/security/important-severity-remote-code-execution-vulnerability-patched-in-tomcat/
Apache Tomcat Patches Important Remote Code Execution Flaw
https://thehackernews.com/2019/04/apache-tomcat-security-flaw.html
Tomi Engdahl says:
Microsoft Outlook Breach Widens in Scope, Impacting MSN And Hotmail – Report
https://threatpost.com/microsoft-outlook-breach-msn-hotmail/143772/
Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support
https://motherboard.vice.com/en_us/article/ywyz3x/hackers-could-read-your-hotmail-msn-outlook-microsoft-customer-support
Hackers abused a Microsoft customer support portal that allowed them to read the emails of any non-corporate account.
Tomi Engdahl says:
RobbinHood Ransomware Claims It’s Protecting Your Privacy
https://www.bleepingcomputer.com/news/security/robbinhood-ransomware-claims-its-protecting-your-privacy/
Tomi Engdahl says:
The Bayrob malware gang’s rise and fall
https://www.zdnet.com/article/the-bayrob-malware-gangs-rise-and-fall/
The story of how a talented computer science student and his friends created and ran a multi-million dollar botnet.
Three Romanians ran an extremely complex online fraud operation along with a massive malware botnet for nine years, made tens of millions of US dollars, but their crime spree is now over, and all three will be heading to prison by the end of August this year.
Tomi Engdahl says:
US-Cert alert! Thanks to a massive bug, VPN now stands for ‘Vigorously Pwned Nodes’
Multiple providers leaving storage cookies up for grabs
https://www.theregister.co.uk/2019/04/12/uscert_vpn_alert/
The US-Cert is raising alarms following the disclosure of a serious vulnerability in multiple VPN services.
Tomi Engdahl says:
‘Dragonblood’ Vulnerabilities Seep Into WPA3 Secure Wifi Handshake
A new set of vulnerabilities may put some early adopters of strong Wifi security at greater security risk.
https://www.darkreading.com/vulnerabilities—threats/dragonblood-vulnerabilities-seep-into-wpa3-secure-wifi-handshake/d/d-id/1334407
Tomi Engdahl says:
Thousands of WordPress Sites Exposed by Yellow Pencil Plugin Flaw
https://www.bleepingcomputer.com/news/security/thousands-of-wordpress-sites-exposed-by-yellow-pencil-plugin-flaw/
Tomi Engdahl says:
Matrix Compromised Through Known Jenkins Flaws
https://www.infosecurity-magazine.com/news/matrix-compromised-through-known-1/
Matrix users are encouraged to change their passwords after an unauthorized actor gained access to the servers hosting Matrix.org. Those using IRC bridging are also encouraged to change their NickServ passwords.
An open network for secure, interoperable, decentralized, real-time communication over IP, Matrix is used across instant messaging, VoIP/WebRTC signaling and internet of things (IoT) communication, according to the company’s website.
“The rebuilt infrastructure itself is secure, however, and the DNS issue has been solved without further abuse. If you have already changed your password, you do not need to do so again.”
https://matrix.org/blog/2019/04/11/security-incident/
Tomi Engdahl says:
‘Land Lordz’ Service Powers Airbnb Scams
https://krebsonsecurity.com/2019/04/land-lordz-service-powers-airbnb-scams/
Scammers who make a living swindling Airbnb.com customers have a powerful new tool at their disposal: A software-as-a-service offering called “Land Lordz,” which helps automate the creation and management of fake Airbnb Web sites and the sending of messages to advertise the fraudulent listings.
Tomi Engdahl says:
A new piece of malware that could endanger the healthcare sector
https://www.pandasecurity.com/mediacenter/news/new-malware-healthcare-sector/
The malicious software, which can affect CAT and MRI scanners, is able to add fake cancerous tumors to medical results, fooling doctors, and potentially causing serious problems in medical institutions.
Tomi Engdahl says:
Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse
https://blog.trendmicro.com/trendlabs-security-intelligence/miner-malware-spreads-beyond-china-uses-multiple-propagation-methods-including-eternalblue-powershell-abuse/