Cyber Security News April 2019

This posting is here to collect cyber security news in April 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

402 Comments

  1. Tomi Engdahl says:

    Hackers crack university defenses in just two hours
    https://www.welivesecurity.com/2019/04/12/hackers-crack-university-cyberdefenses/

    More than 50 universities in the United Kingdom had their cyber-defenses tested by ethical hackers, and the ‘grades’ aren’t pretty

    A team of ethical hackers recently conducted tests on the cybersecurity defenses of more than 50 universities in the United Kingdom. In each case, it took them less than two hours to gain access to “high-value data”.

    How safe is your data? Cyber-security in higher education
    https://www.hepi.ac.uk/2019/04/04/how-safe-is-your-data-cyber-security-in-higher-education/

    Reply
  2. Tomi Engdahl says:

    Social engineering – It’s not just about phishing
    https://blog.avast.com/social-engineering-hacks

    Top 10 Best Preventive Methods to Secure Email Accounts from Email Hackers
    https://gbhackers.com/secure-email-accounts/

    Reply
  3. Tomi Engdahl says:

    North Korea’s Hidden Cobra Strikes U.S. Targets with HOPLIGHT
    https://threatpost.com/north-koreas-hidden-cobra-strikes-u-s-targets-with-hoplight/143740/

    The custom malware is a spy tool and can also disrupt processes at U.S. assets.

    A never-before-seen spyware variant called HOPLIGHT is targeting U.S. companies and government agencies in active attacks, according to the U.S. Department of Homeland Security

    Malware Analysis Report (AR19-100A)
    MAR-10135536-8 – North Korean Trojan: HOPLIGHT
    https://www.us-cert.gov/ncas/analysis-reports/AR19-100A

    Reply
  4. Tomi Engdahl says:

    Internet Explorer zero-day lets hackers steal files from Windows PCs
    Microsoft refused to patch issue so security researcher released exploit code online.
    https://www.zdnet.com/article/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs/

    Reply
  5. Tomi Engdahl says:

    Some enterprise VPN apps store authentication/session cookies insecurely
    VPN apps from Cisco, F5, Palo Alto Networks, and Pulse Secure found vulnerable.
    https://www.zdnet.com/article/some-enterprise-vpn-apps-store-authentication-session-cookies-insecurely/

    Reply
  6. Tomi Engdahl says:

    Popular Video Editing Software Website Hacked to Spread Banking Trojan
    https://thehackernews.com/2019/04/free-video-editing-malware.html

    If you have downloaded the VSDC multimedia editing software between late February and late March this year, there are high chances that your computer has been infected with a banking trojan and an information stealer.

    The official website of the VSDC software — one of the most popular free video editing and converting apps, with over 1.3 million monthly visitors — was hacked, unfortunately once again.

    According to a new report Dr. Web published today and shared with The Hacker News, hackers hijacked the VSDC website and replaced its software download links leading to malware versions, tricking visitors into installing dangerous Win32.Bolik.2 banking trojan and KPOT stealer.

    The official website of a popular video editing software was infected with a banking trojan
    https://news.drweb.com/show/?i=13242

    Doctor Web researchers discovered that the official website of a well-known video editing software, VSDC, was compromised. The hackers hijacked download links on the website causing visitors to download a dangerous banking trojan, Win32.Bolik.2, and the Trojan.PWS.Stealer (KPOT stealer) along with the editing software.

    Reply
  7. Tomi Engdahl says:

    Emotet hijacks email conversation threads to insert links to malware
    https://www.zdnet.com/article/emotet-hijacks-email-conversation-threads-to-insert-links-to-malware/#ftag=RSSbaffb68

    Emotet gang takes their operation to a whole new level, showing why they’re today’s most dangerous malware.

    Reply
  8. Tomi Engdahl says:

    Cyber-security firm Verint hit by ransomware
    In an extreme case of irony, ransomware hits cyber-security firm.
    https://www.zdnet.com/article/cyber-security-firm-verint-hit-by-ransomware/

    Reply
  9. Tomi Engdahl says:

    Microsoft: WinRAR exploit gives attackers ‘full control’ of Windows PC
    https://www.zdnet.com/article/microsoft-winrar-exploit-gives-attackers-full-control-of-windows-pc/#ftag=RSSbaffb68

    Microsoft shines a light on the handiwork of an advanced threat group known as MuddyWater

    Reply
  10. Tomi Engdahl says:

    Hyperlink Auditing Pings Being Used to Perform DDoS Attacks
    https://www.bleepingcomputer.com/news/security/hyperlink-auditing-pings-being-used-to-perform-ddos-attacks/

    Researchers have found that the HTML feature called hyperlink auditing, or pings, is being used to perform DDoS attacks against various sites. This feature is normally used by sites to track link clicks, but is now found to be abused by attackers to send a massive amount of web requests to sites in order to take them offline.

    Reply
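    As an added example (not code from the BleepingComputer article or the researchers it cites), a small Python log check that recognises the request shape a browser sends for `<a ping="...">` (a POST with `Content-Type: text/ping`, a body of `PING` and `Ping-From` / `Ping-To` headers, per the HTML spec) and flags clients sending bursts of them, which is what a site that never uses link auditing can rate-limit or drop at the edge. The records are assumed to be already parsed into tuples and are constructed here.

```python
"""Spot hyperlink-auditing (ping) floods in parsed web server records."""
from collections import defaultdict
from datetime import datetime, timedelta

def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None

def is_ping_request(method, headers, body):
    """True if the request matches what a browser sends for <a ping>."""
    ctype = (_header(headers, "Content-Type") or "").split(";")[0].strip().lower()
    return (method.upper() == "POST" and ctype == "text/ping"
            and body == "PING" and _header(headers, "Ping-To") is not None)

def find_ping_floods(records, window_seconds=60, threshold=5):
    """Return {client_ip: peak_count} for clients that sent at least
    `threshold` ping requests inside any sliding window of window_seconds."""
    by_client = defaultdict(list)
    for ts, ip, method, _path, headers, body in records:
        if is_ping_request(method, headers, body):
            by_client[ip].append(datetime.fromisoformat(ts))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in by_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def ping_sources(records):
    """Group pinging clients by the Ping-From page that embedded the links.
    That page, not the Ping-To target (the victim), is what to report or block."""
    sources = defaultdict(set)
    for _ts, ip, method, _path, headers, body in records:
        if is_ping_request(method, headers, body):
            sources[_header(headers, "Ping-From") or "<none>"].add(ip)
    return {src: sorted(ips) for src, ips in sources.items()}

def _ping(ts, ip, page):
    """Constructed ping record: (timestamp, client_ip, method, path, headers, body)."""
    return (ts, ip, "POST", "/", {"Content-Type": "text/ping", "Ping-From": page,
                                  "Ping-To": "https://victim.example/"}, "PING")

# Constructed sample traffic: one client pings six times in 50 seconds,
# another twice, plus two ordinary requests that must not be flagged.
SAMPLE_REQUESTS = [
    _ping("2019-04-10T12:00:%02d" % s, "198.51.100.7", "http://lure.example/page")
    for s in range(0, 60, 10)
] + [
    _ping("2019-04-10T12:05:00", "203.0.113.5", "http://lure.example/page"),
    _ping("2019-04-10T12:09:00", "203.0.113.5", "http://other.example/"),
    ("2019-04-10T12:10:00", "192.0.2.9", "POST", "/login",
     {"Content-Type": "application/x-www-form-urlencoded"}, "user=a"),
    ("2019-04-10T12:11:00", "192.0.2.9", "GET", "/", {}, ""),
]

if __name__ == "__main__":
    print(find_ping_floods(SAMPLE_REQUESTS))   # {'198.51.100.7': 6}
    print(ping_sources(SAMPLE_REQUESTS))
```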
  11. Tomi Engdahl says:

    Source code of Iranian cyber-espionage tools leaked on Telegram
    APT34 hacking tools and victim data leaked on a secretive Telegram channel since last month.
    https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/

    In an incident reminiscent of the Shadow Brokers leak that exposed the NSA’s hacking tools, someone has now published similar hacking tools belonging to one of Iran’s elite cyber-espionage units, known as APT34, Oilrig, or HelixKitten.

    The hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous nevertheless.

    Reply
  12. Tomi Engdahl says:

    The Death Metal Suite
    https://www.coalfire.com/The-Coalfire-Blog/April-2019/The-Death-Metal-Suite

    Intel Active Management Technology (AMT) is a feature provided by Intel for remote administration. If you happen to have a corporate laptop, odds are you too have AMT built into your system. To a sysadmin, AMT eases access to machines for the sake of assisting employees with technical issues, even if the hard drive has failed or been affected by ransomware. This is due primarily to the fact that AMT does not require a functioning operating system for accessibility. Its configuration and operating environment reside completely within its own dedicated hardware!

    Death Metal is a toolkit designed to exploit AMT’s legitimate features, as the AMT framework’s functionality, designed for innocent system administration purposes, inadvertently allows these features to be used by hackers for surreptitious persistence. This is because many of the legitimate features violate the expectations of sysadmins and endpoint protection software.

    Reply
  13. Tomi Engdahl says:

    Huawei’s surveillance system in Serbia threatens citizens’ rights, watchdog warns
    https://www.zdnet.com/article/huaweis-surveillance-system-in-serbia-threatens-citizens-rights-watchdog-warns/

    The Chinese giant’s Safe City Solution for Belgrade is raising questions about its use of personal data.

    Reply
  14. Tomi Engdahl says:

    Two Thirds of Hotel Sites Leak Guest Booking Info to Third-Parties
    https://www.bleepingcomputer.com/news/security/two-thirds-of-hotel-sites-leak-guest-booking-info-to-third-parties/

    Third-party services running on most hotel websites have access to guest booking information, including personal data and payment card details. The data they’re privy to also allows them to cancel reservations.

    Multiple websites for over 1,500 hotels in 54 countries fail to protect user information from partner services such as advertisers and analytics companies. In 67% of the studied cases, some level of personal information is leaked via booking reference codes.

    Reply
  15. Tomi Engdahl says:

    Chrome Saying It’s Managed by Your Organization May Indicate Malware
    https://www.bleepingcomputer.com/news/software/chrome-saying-its-managed-by-your-organization-may-indicate-malware/

    Recently users have noticed that Google Chrome has started stating that it is “Managed by your organization” when they open the browser’s menu, which is confusing for home users who are not part of any organization. It turns out that with the release of Chrome 73, the browser will now display this message whenever a group policy is configured for the browser.

    Reply
  16. Tomi Engdahl says:

    Intel finally issues Spoiler attack alert: Now non-Spectre exploit gets CVE but no patch
    https://www.zdnet.com/article/intel-finally-issues-spoiler-attack-alert-now-non-spectre-exploit-gets-cve-but-no-patch/

    No patch for Spoiler attack affecting all Intel chips, but a security advisory gives it an official CVE identifier.

    Intel has finally posted an official security advisory in response to the recently revealed Spoiler attack, which uses a weakness in Intel CPUs to enhance already known attacks that leak secrets from memory.

    Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lübeck in north Germany in March drew attention to a weakness in Intel’s proprietary memory subsystem that affects Intel CPUs all the way back to its 1st generation Intel Core processors, regardless of the operating system.

    Intel has now assigned the vulnerability identifier CVE-2019-0162 to Spoiler and given it a CVSS severity score of 3.8 out of a possible 10. The ‘low’ severity rating is likely because an attacker would need to be authenticated and have local access to the hardware, while existing mitigations further reduce risks.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0162

    Reply
  17. Tomi Engdahl says:

    Security Flaws in WPA3 Protocol Let Attackers Hack WiFi Password
    https://thehackernews.com/2019/04/wpa3-hack-wifi-password.html

    Breaking — It has been close to just one year since the launch of next-generation Wi-Fi security standard WPA3 and researchers have unveiled several serious vulnerabilities in the wireless security protocol that could allow attackers to recover the password of the Wi-Fi network.

    WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.

    The Wi-Fi Protected Access III (WPA3) protocol was launched in an attempt to address technical shortcomings of the WPA2 protocol from the ground, which has long been considered to be insecure and found vulnerable to KRACK (Key Reinstallation Attack).

    Though WPA3 relies on a more secure handshake, known as Dragonfly

    Security researchers Mathy Vanhoef and Eyal Ronen found weaknesses in the early implementation of WPA3-Personal, allowing an attacker to recover WiFi passwords by abusing timing or cache-based side-channel leaks.

    “Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on,” the researchers say.

    Reply
  18. Tomi Engdahl says:

    APT reports
    Project TajMahal – a sophisticated new APT framework
    https://securelist.com/project-tajmahal/90240/

    APT reports
    Gaza Cybergang Group1, operation SneakyPastes
    https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/

    Reply
  19. Tomi Engdahl says:

    Malicious AutoHotkey Scripts Used to Steal Info, Remotely Access Systems
    https://www.bleepingcomputer.com/news/security/malicious-autohotkey-scripts-used-to-steal-info-remotely-access-systems/

    Attackers are targeting potential victims using a malicious AutoHotkey script to avoid detection and to steal information, to drop more payloads, and to remotely access compromised machines using TeamViewer.

    Reply
  20. Tomi Engdahl says:

    Microsoft Edge Uses a Secret Trick And Breaks Internet Explorer’s Security
    https://blog.0patch.com/2019/04/microsoft-edge-uses-secret-trick-and.html

    Edge Decided To Use An Undocumented Security Feature.
    Internet Explorer Didn’t Get The Memo.

    Reply
  21. Tomi Engdahl says:

    The curious case of Spamhaus, a port scanning scandal, and an apparent U-turn
    Blocklist biz appears to swing ban-hammer at legit vuln scanners, denies doing so
    https://www.theregister.co.uk/2019/04/16/spamhaus_port_scans/

    In recent months, several security researchers have said Spamhaus has been automatically blocking people for carrying out legitimate network port scanning and failed to provide a prompt means of redress.

    Reply
  22. Tomi Engdahl says:

    Medical device manufacturers against healthcare malware and ransomware
    https://www.itproportal.com/features/medical-device-manufacturers-against-healthcare-malware-and-ransomware/

    By Julie Cole 2019-04-17T09:30:07Z Security
    Dealing with cybersecurity in the contemporary healthcare environment is undoubtedly challenging.

    Reply
  23. Tomi Engdahl says:

    Bug in EA’s Origin client left gamers open to attacks
    https://www.welivesecurity.com/2019/04/17/bug-ea-origin-client-attacks/

    The gaming company has rolled out a fix for the remote code execution vulnerability, so make sure you run the platform’s latest version

    Reply
  24. Tomi Engdahl says:

    ThreatList: Bad Bots Account for a Fifth of All Web Traffic, FinServ Hit the Worst
    https://threatpost.com/bad-bots-web-traffic-finserv/143859/

    The financial services industry sees nearly half of all website traffic coming from malicious bots.

    About a fifth of all web traffic (20.4 percent) comes from bad bots, which continue to attack daily in automated offensives on websites, mobile apps and APIs. That’s worse for some verticals, like the banking and finance sector, which was hit the hardest last year.

    Reply
  25. Tomi Engdahl says:

    Oracle security warning: Customers told to patch ASAP to swat 297 bugs
    https://www.zdnet.com/article/oracle-security-warning-customers-told-to-patch-asap-to-swat-297-bugs/

    Update addresses multiple flaws that can be remotely exploited without user credentials.

    The April critical patch update includes fixes for 297 security flaws affecting Oracle’s Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, PeopleSoft, and Siebel CRM.

    Reply
  26. Tomi Engdahl says:

    Wipro Confirms Hack and Supply Chain Attacks on Customers
    https://threatpost.com/wipro-confirms-hack/143826/

    Reply
  27. Tomi Engdahl says:

    Wipro hacked, used as a springboard for more attacks
    https://www.itproportal.com/news/wipro-hacked-used-as-a-springboard-for-more-attacks/

    Phishing attacks attempted against Wipro’s clients.

    Wipro, one of India’s largest IT outsourcing and consulting companies, has been used as a weapon against its own customers, security researchers are saying.

    Apparently an unknown, possibly state-sponsored, attacker breached Wipro’s networks months ago, and then used them to conduct phishing attacks against Wipro’s clients.

    Reply
  28. Tomi Engdahl says:

    Threat Research
    Silence Group Playbook
    https://www.fortinet.com/blog/threat-research/silence-group-playbook.html

    Adversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group known as Silence Group as part of our role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.

    Reply
  29. Tomi Engdahl says:

    Three WordPress plugins 0day vulnerabilities uncovered, thousands compromised
    By Sead Fadilpašić 2019-04-15T11:00:43Z Security
    Vulnerabilities were disclosed before any patches could be issued.
    https://www.itproportal.com/news/three-wordpress-plugins-0day-vulnerabilities-uncovered-thousands-compromised/

    The more moving parts a website has, the more potential vulnerabilities and entry points it may have, also. This is particularly true with WordPress, whose platform revolves, in good measure, around different plugins.

    Each plugin is a potential disaster waiting to happen, and the bigger the userbase of a specific plugin, the bigger the headline once it hits the fan.

    That puts enormous pressure on plugin developers to keep their products secure and up-to-date, as well as webmasters to make sure they update their platform regularly.

    Reply
  30. Tomi Engdahl says:

    SS7, telecoms’ largest security hole
    https://www.pandasecurity.com/mediacenter/panda-security/ss7-security-hole-telecoms/

    February 2019. At the British retail bank, Metro Bank, a serious problem has been discovered: someone is accessing sensitive client information. More specifically, this intrusion happens when a client receives a code on their mobile phone in order to carry out a certain operation.

    Metro Bank detected that this was the step where a possible data breach was occurring, and where the code in question could fall into a cybercriminal’s hands, leading to real danger for the cybersecurity of the bank’s clients. The bank recognizes and accepts the vulnerability, but says that it is not an isolated case. In fact, it is not the first large banking organization to be affected by this vulnerability. It is, however, the first to admit it.

    Indeed, this is not the first time that something like this has happened. In May of last year, the US senator Ron Wyden claimed that a large telecoms operator had suffered a very similar cyberattack. This attack exposed its customers’ and users’ sensitive data to cybercriminals, who didn’t even need a high level of experience in the field to get their hands on this information. This vulnerability, therefore, is common, and not so hard to exploit.

    The problem with SS7

    Where does the problem lie? The answer is Signaling System 7 (SS7). This protocol allows users to change network and operator when they travel around the world and connect to different networks from their mobile phones. This protocol was created in 1975, and has hardly been updated since, which means that, as of today, it lacks sufficient security for those that make use of it.

    This vulnerability is amplified in situations where operators and users employ SS7 in two-factor authentication processes via mobile phones. Although this login method offers many cybersecurity guarantees, it is far from infallible.

    Reply
  31. Tomi Engdahl says:

    A security researcher with a grudge is dropping Web 0days on innocent users
    Exploits published over the past three weeks exposed 160,000 websites to potent attacks.
    https://arstechnica.com/information-technology/2019/04/a-security-researcher-with-a-grudge-is-dropping-web-0days-on-innocent-users/

    Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

    Reply
  32. Tomi Engdahl says:

    Bad news, everyone! New hijack attack in the wild
    https://habr.com/en/company/qrator/blog/447776/

    On March 13, a proposal for the RIPE anti-abuse working group was submitted, stating that a BGP hijacking event should be treated as a policy violation. In case of acceptance, if you are an ISP attacked with the hijack, you could submit a special request where you might expose such an autonomous system. If there is enough confirming evidence for an expert group, then such a LIR would be considered an adverse party and further punished. There were some arguments against this proposal.

    With this article, we want to show an example of the attack where not only the true attacker was under the question, but the whole list of affected prefixes.

    Reply
  33. Tomi Engdahl says:

    Bug-hunters punch huge holes in WPA3 standard for Wi-Fi security
    Passwords, personal information can be sussed out by attackers during handshakes
    https://www.theregister.co.uk/2019/04/11/bughunters_punch_holes_in_wpa3_wifi_security/

    Reply
  34. Tomi Engdahl says:

    Cisco Patches Critical Flaw in ASR 9000 Router
    https://www.securityweek.com/cisco-patches-critical-flaw-asr-9000-routers

    Cisco on Wednesday released patches for 30 vulnerabilities, including a critical bug impacting ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit software.

    “An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device,” Cisco notes in an advisory.

    Reply
