This posting is here to collect cyber security news in April 2019.
I post links to security vulnerability news in the comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
402 Comments
Tomi Engdahl says:
Hackers crack university defenses in just two hours
https://www.welivesecurity.com/2019/04/12/hackers-crack-university-cyberdefenses/
More than 50 universities in the United Kingdom had their cyber-defenses tested by ethical hackers, and the ‘grades’ aren’t pretty
A team of ethical hackers recently conducted tests on the cybersecurity defenses of more than 50 universities in the United Kingdom. In each case, it took them less than two hours to gain access to “high-value data”.
How safe is your data? Cyber-security in higher education
https://www.hepi.ac.uk/2019/04/04/how-safe-is-your-data-cyber-security-in-higher-education/
Tomi Engdahl says:
Social engineering – It’s not just about phishing
https://blog.avast.com/social-engineering-hacks
Top 10 Best Preventive Methods to Secure Email Accounts from Email Hackers
https://gbhackers.com/secure-email-accounts/
Tomi Engdahl says:
Facebook Suffers Third Major Global Outage This Year
https://www.bloomberg.com/news/articles/2019-04-14/facebook-suffers-third-major-global-outage-this-year
Tomi Engdahl says:
North Korea’s Hidden Cobra Strikes U.S. Targets with HOPLIGHT
https://threatpost.com/north-koreas-hidden-cobra-strikes-u-s-targets-with-hoplight/143740/
The custom malware is a spy tool and can also disrupt processes at U.S. assets.
A never-before-seen spyware variant called HOPLIGHT is targeting U.S. companies and government agencies in active attacks, according to the U.S. Department of Homeland Security
Malware Analysis Report (AR19-100A)
MAR-10135536-8 – North Korean Trojan: HOPLIGHT
https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Tomi Engdahl says:
Internet Explorer zero-day lets hackers steal files from Windows PCs
Microsoft refused to patch issue so security researcher released exploit code online.
https://www.zdnet.com/article/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs/
Tomi Engdahl says:
Some enterprise VPN apps store authentication/session cookies insecurely
VPN apps from Cisco, F5, Palo Alto Networks, and Pulse Secure found vulnerable.
https://www.zdnet.com/article/some-enterprise-vpn-apps-store-authentication-session-cookies-insecurely/
Tomi Engdahl says:
Microsoft Office and its vulnerabilities
https://www.kaspersky.com/blog/ms-office-vulnerabilities-sas-2019/26415/
Tomi Engdahl says:
Popular Video Editing Software Website Hacked to Spread Banking Trojan
https://thehackernews.com/2019/04/free-video-editing-malware.html
If you have downloaded the VSDC multimedia editing software between late February to late March this year, there are high chances that your computer has been infected with a banking trojan and an information stealer.
The official website of the VSDC software — one of the most popular free video editing and converting apps, with over 1.3 million monthly visitors — was hacked, unfortunately once again.
According to a new report Dr. Web published today and shared with The Hacker News, hackers hijacked the VSDC website and replaced its software download links leading to malware versions, tricking visitors into installing dangerous Win32.Bolik.2 banking trojan and KPOT stealer.
The official website of a popular video editing software was infected with a banking trojan
https://news.drweb.com/show/?i=13242
Doctor Web researchers discovered that the official website of a well-known video editing software, VSDC, was compromised. The hackers hijacked download links on the website causing visitors to download a dangerous banking trojan, Win32.Bolik.2, and the Trojan.PWS.Stealer (KPOT stealer) along with the editing software.
Tomi Engdahl says:
Emotet hijacks email conversation threads to insert links to malware
https://www.zdnet.com/article/emotet-hijacks-email-conversation-threads-to-insert-links-to-malware/#ftag=RSSbaffb68
Emotet gang takes their operation to a whole new level, showing why they’re today’s most dangerous malware.
Tomi Engdahl says:
Cyber-security firm Verint hit by ransomware
In an extreme case of irony, ransomware hits cyber-security firm.
https://www.zdnet.com/article/cyber-security-firm-verint-hit-by-ransomware/
Tomi Engdahl says:
Microsoft: WinRAR exploit gives attackers ‘full control’ of Windows PC
https://www.zdnet.com/article/microsoft-winrar-exploit-gives-attackers-full-control-of-windows-pc/#ftag=RSSbaffb68
Microsoft shines a light on the handiwork of an advanced threat group known as MuddyWater
Tomi Engdahl says:
Hyperlink Auditing Pings Being Used to Perform DDoS Attacks
https://www.bleepingcomputer.com/news/security/hyperlink-auditing-pings-being-used-to-perform-ddos-attacks/
Researchers have found that the HTML feature called hyperlink auditing, or pings, is being used to perform DDoS attacks against various sites. This feature is normally used by sites to track link clicks, but is now found to be abused by attackers to send a massive amount of web requests to sites in order to take them offline.
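An added example, not part of the original post or article: a server-side check that recognises hyperlink-auditing ping requests and flags a flood of them from one client. Browsers implementing the HTML `ping` attribute send a POST with `Content-Type: text/ping` and `Ping-To` (and often `Ping-From`) headers; the `{method, headers}` request shape, the threshold values and the sample traffic are assumptions constructed for this demo.

```javascript
// Added example (not from the article): recognise hyperlink-auditing
// "ping" requests on the receiving side and flag when a burst of them
// arrives from one client. Per the HTML spec, an <a ping="..."> click
// sends a POST with Content-Type "text/ping" and a Ping-To header.
// The {method, headers} request shape is an assumption for this demo.

function isHyperlinkAuditingPing(req) {
  // Normalise header names so the check is case-insensitive.
  const h = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  return (
    req.method === "POST" &&
    (h["content-type"] || "").toLowerCase().startsWith("text/ping") &&
    typeof h["ping-to"] === "string"
  );
}

// Tallies ping requests per client within a sliding time window so an
// operator can decide to drop them (sites that never use link auditing
// can simply reject all text/ping POSTs).
class PingFloodMonitor {
  constructor(threshold, windowMs) {
    this.threshold = threshold;
    this.windowMs = windowMs;
    this.seen = new Map(); // clientIp -> timestamps of recent pings
  }

  // Returns true when this request pushes the client over the threshold.
  record(clientIp, req, nowMs) {
    if (!isHyperlinkAuditingPing(req)) return false;
    const stamps = (this.seen.get(clientIp) || [])
      .filter((t) => nowMs - t < this.windowMs);
    stamps.push(nowMs);
    this.seen.set(clientIp, stamps);
    return stamps.length > this.threshold;
  }
}

// Constructed sample traffic: one ordinary POST and a burst of pings
// whose Ping-From points at a page the site operator does not control.
const normalPost = {
  method: "POST",
  headers: { "Content-Type": "application/json" },
};
const pingRequest = {
  method: "POST",
  headers: {
    "Content-Type": "text/ping",
    "Ping-To": "https://victim.example/",
    "Ping-From": "https://unrelated.example/page.html",
  },
};

// Feeds the sample traffic through a monitor allowing 3 pings per second.
function runDemo() {
  const monitor = new PingFloodMonitor(3, 1000);
  const flagged = [];
  flagged.push(monitor.record("203.0.113.5", normalPost, 0));
  for (let i = 0; i < 5; i++) {
    flagged.push(monitor.record("203.0.113.5", pingRequest, i * 100));
  }
  return flagged; // [false, false, false, false, true, true]
}
```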
Tomi Engdahl says:
The Nasty List Phishing Scam is Sweeping Through Instagram
https://www.bleepingcomputer.com/news/security/the-nasty-list-phishing-scam-is-sweeping-through-instagram/
Tomi Engdahl says:
Source code of Iranian cyber-espionage tools leaked on Telegram
APT34 hacking tools and victim data leaked on a secretive Telegram channel since last month.
https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/
In an incident reminiscent of the Shadow Brokers leak that exposed the NSA’s hacking tools, someone has now published similar hacking tools belonging to one of Iran’s elite cyber-espionage units, known as APT34, Oilrig, or HelixKitten.
The hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous nevertheless.
Tomi Engdahl says:
The Death Metal Suite
https://www.coalfire.com/The-Coalfire-Blog/April-2019/The-Death-Metal-Suite
Intel Active Management Technology (AMT) is a feature provided by Intel for remote administration. If you happen to have a corporate laptop, odds are you too have AMT built into your system. To a sysadmin, AMT eases access to machines for the sake of assisting employees with technical issues, even if the hard drive has failed or been affected by ransomware. This is due primarily to the fact that AMT does not require a functioning operating system for accessibility. Its configuration and operating environment reside completely within its own dedicated hardware!
Death Metal is a toolkit designed to exploit AMT’s legitimate features, as the AMT framework’s functionality, designed for innocent system administration purposes, inadvertently allows these features to be used by hackers for surreptitious persistence. This is because many of the legitimate features violate the expectations of sysadmins and endpoint protection software.
Tomi Engdahl says:
25% of Phishing Emails Bypass Office 365 Default Security
https://www.bleepingcomputer.com/news/security/25-percent-of-phishing-emails-bypass-office-365-default-security/
Tomi Engdahl says:
Huawei’s surveillance system in Serbia threatens citizens’ rights, watchdog warns
https://www.zdnet.com/article/huaweis-surveillance-system-in-serbia-threatens-citizens-rights-watchdog-warns/
The Chinese giant’s Safe City Solution for Belgrade is raising questions about its use of personal data.
Tomi Engdahl says:
Two Thirds of Hotel Sites Leak Guest Booking Info to Third-Parties
https://www.bleepingcomputer.com/news/security/two-thirds-of-hotel-sites-leak-guest-booking-info-to-third-parties/
Third-party services running on most hotel websites have access to guest booking information, including personal data and payment card details. The data they’re privy to also allows them to cancel reservations.
Multiple websites for over 1,500 hotels in 54 countries fail to protect user information from partner services such as advertisers and analytics companies. In 67% of the studied cases, some level of personal information is leaked via booking reference codes.
Tomi Engdahl says:
Chrome Saying It’s Managed by Your Organization May Indicate Malware
https://www.bleepingcomputer.com/news/software/chrome-saying-its-managed-by-your-organization-may-indicate-malware/
Recently users have noticed that Google Chrome has started stating that it is “Managed by your organization” when they open the browser’s menu, which is confusing for home users who are not part of any organization. It turns out that with the release of Chrome 73, the browser will now display this message whenever a group policy is configured for the browser.
Tomi Engdahl says:
Demo Exploit Code Available for Privilege Escalation Bug in Windows
https://www.bleepingcomputer.com/news/microsoft/demo-exploit-code-available-for-privilege-escalation-bug-in-windows/
Tomi Engdahl says:
Intel finally issues Spoiler attack alert: Now non-Spectre exploit gets CVE but no patch
https://www.zdnet.com/article/intel-finally-issues-spoiler-attack-alert-now-non-spectre-exploit-gets-cve-but-no-patch/
No patch for Spoiler attack affecting all Intel chips, but a security advisory gives it an official CVE identifier.
Intel has finally posted an official security advisory in response to the recently revealed Spoiler attack, which uses a weakness in Intel CPUs to enhance already known attacks that leak secrets from memory.
Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lübeck in north Germany in March drew attention to a weakness in Intel’s proprietary memory subsystem that affects Intel CPUs all the way back to its 1st generation Intel Core processors, regardless of the operating system.
Intel has now assigned the vulnerability identifier CVE-2019-0162 to Spoiler and given it a CVSS severity score of 3.8 out of a possible 10. The ‘low’ severity rating is likely because an attacker would need to be authenticated and have local access to the hardware, while existing mitigations further reduce risks.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0162
Tomi Engdahl says:
Security Flaws in WPA3 Protocol Let Attackers Hack WiFi Password
https://thehackernews.com/2019/04/wpa3-hack-wifi-password.html
Breaking — It has been close to just one year since the launch of next-generation Wi-Fi security standard WPA3 and researchers have unveiled several serious vulnerabilities in the wireless security protocol that could allow attackers to recover the password of the Wi-Fi network.
WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data.
The Wi-Fi Protected Access III (WPA3) protocol was launched in an attempt to address technical shortcomings of the WPA2 protocol from the ground, which has long been considered to be insecure and found vulnerable to KRACK (Key Reinstallation Attack).
Though WPA3 relies on a more secure handshake, known as Dragonfly, security researchers Mathy Vanhoef and Eyal Ronen found weaknesses in the early implementation of WPA3-Personal, allowing an attacker to recover WiFi passwords by abusing timing or cache-based side-channel leaks.
“Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on,” the researchers say.
Tomi Engdahl says:
APT reports
Project TajMahal – a sophisticated new APT framework
https://securelist.com/project-tajmahal/90240/
Gaza Cybergang Group1, operation SneakyPastes
https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/
Tomi Engdahl says:
‘NamPoHyu Virus’ Ransomware Targets Remote Samba Servers
https://www.bleepingcomputer.com/news/security/nampohyu-virus-ransomware-targets-remote-samba-servers/
Tomi Engdahl says:
Malicious AutoHotkey Scripts Used to Steal Info, Remotely Access Systems
https://www.bleepingcomputer.com/news/security/malicious-autohotkey-scripts-used-to-steal-info-remotely-access-systems/
Attackers are targeting potential victims using a malicious AutoHotkey script to avoid detection and to steal information, to drop more payloads, and to remotely access compromised machines using TeamViewer.
Tomi Engdahl says:
Microsoft Edge Uses a Secret Trick And Breaks Internet Explorer’s Security
https://blog.0patch.com/2019/04/microsoft-edge-uses-secret-trick-and.html
Edge Decided To Use An Undocumented Security Feature.
Internet Explorer Didn’t Get The Memo.
Tomi Engdahl says:
The curious case of Spamhaus, a port scanning scandal, and an apparent U-turn
Blocklist biz appears to swing ban-hammer at legit vuln scanners, denies doing so
https://www.theregister.co.uk/2019/04/16/spamhaus_port_scans/
In recent months, several security researchers have said Spamhaus has been automatically blocking people for carrying out legitimate network port scanning and failed to provide a prompt means of redress.
Tomi Engdahl says:
State-Sponsored DNS Hijacking Infiltrates 40 Firms Globally
https://threatpost.com/dns-hijacking-campaign-40-firms-globally/143870/
Tomi Engdahl says:
DNS Hijacking Abuses Trust In Core Internet Service
https://blog.talosintelligence.com/2019/04/seaturtle.html
Tomi Engdahl says:
Medical device manufacturers against healthcare malware and ransomware
https://www.itproportal.com/features/medical-device-manufacturers-against-healthcare-malware-and-ransomware/
By Julie Cole, 2019-04-17, Security
Dealing with cybersecurity in the contemporary healthcare environment is undoubtedly challenging.
Tomi Engdahl says:
Potential Targeted Attack Uses AutoHotkey and Malicious Script Embedded in Excel File to Avoid Detection
https://blog.trendmicro.com/trendlabs-security-intelligence/potential-targeted-attack-uses-autohotkey-and-malicious-script-embedded-in-excel-file-to-avoid-detection/
Tomi Engdahl says:
Bug in EA’s Origin client left gamers open to attacks
https://www.welivesecurity.com/2019/04/17/bug-ea-origin-client-attacks/
The gaming company has rolled out a fix for the remote code execution vulnerability, so make sure you run the platform’s latest version
Tomi Engdahl says:
ThreatList: Bad Bots Account for a Fifth of All Web Traffic, FinServ Hit the Worst
https://threatpost.com/bad-bots-web-traffic-finserv/143859/
The financial services industry sees nearly half of all website traffic coming from malicious bots.
About a fifth of all web traffic (20.4 percent) comes from bad bots, which continue to attack daily in automated offensives on websites, mobile apps and APIs. That’s worse for some verticals, like the banking and finance sector, which was hit the hardest last year.
Tomi Engdahl says:
Oracle security warning: Customers told to patch ASAP to swat 297 bugs
https://www.zdnet.com/article/oracle-security-warning-customers-told-to-patch-asap-to-swat-297-bugs/
Update addresses multiple flaws that can be remotely exploited without user credentials.
The April critical patch update includes fixes for 297 security flaws affecting Oracle’s Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, PeopleSoft, and Siebel CRM.
Tomi Engdahl says:
Wipro Confirms Hack and Supply Chain Attacks on Customers
https://threatpost.com/wipro-confirms-hack/143826/
Tomi Engdahl says:
Experts: Breach at IT Outsourcing Giant Wipro
https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/
Tomi Engdahl says:
Wipro hacked, used as a springboard for more attacks
https://www.itproportal.com/news/wipro-hacked-used-as-a-springboard-for-more-attacks/
Phishing attacks attempted against Wipro’s clients.
Wipro, one of India’s largest IT outsourcing and consulting companies, has been used as a weapon against its own customers, security researchers are saying.
Apparently an unknown, possibly state-sponsored attacker, has breached Wipro’s networks months ago, and then used it to conduct phishing attacks against Wipro’s clients.
Tomi Engdahl says:
Threat Research
Silence Group Playbook
https://www.fortinet.com/blog/threat-research/silence-group-playbook.html
Adversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group known as Silence Group as part of our role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.
Tomi Engdahl says:
Three WordPress plugins 0day vulnerabilities uncovered, thousands compromised
By Sead Fadilpašić, 2019-04-15, Security
Vulnerabilities were disclosed before any patches could be issued.
https://www.itproportal.com/news/three-wordpress-plugins-0day-vulnerabilities-uncovered-thousands-compromised/
The more moving parts a website has, the more potential vulnerabilities and entry points it may have, also. This is particularly true with WordPress, whose platform revolves, in good measure, around different plugins.
Each plugin is a potential disaster waiting to happen, and the bigger the userbase of a specific plugin, the bigger the headline once it hits the fan.
That puts enormous pressure on plugin developers to keep their products secure and up-to-date, as well as webmasters to make sure they update their platform regularly.
Tomi Engdahl says:
SS7, telecoms’ largest security hole
https://www.pandasecurity.com/mediacenter/panda-security/ss7-security-hole-telecoms/
February 2019. At the British retail bank, Metro Bank, a serious problem has been discovered: someone is accessing sensitive client information. More specifically, this intrusion happens when a client receives a code on their mobile phone in order to carry out a certain operation.
Metro Bank detected that this was the step where a possible data breach was occurring, and where the code in question could fall into a cybercriminal’s hands, leading to real danger for the cybersecurity of the bank’s clients. The bank recognizes and accepts the vulnerability, but says that it is not an isolated case. In fact, it is not the first large banking organization to be affected by this vulnerability. It is, however, the first to admit it.
Indeed, this is not the first time that something like this has happened. In May of last year, the US senator Ron Wyden claimed that a large telecoms operator had suffered a very similar cyberattack. This attack exposed its customers’ and users’ sensitive data to cybercriminals, who didn’t even need a high level of experience in the field to get their hands on this information. This vulnerability, therefore, is common, and not so hard to exploit.
The problem with SS7
Where does the problem lie? The answer is Signaling System 7 (SS7). This protocol allows users to change network and operator when they travel around the world and connect to different networks from their mobile phones. This protocol was created in 1975, and has hardly been updated since, which means that, as of today, it lacks sufficient security for those that make use of it.
This vulnerability is amplified in situations where operators and users employ SS7 in two-factor authentication processes via mobile phones. Although this login method offers many cybersecurity guarantees, it is far from infallible.
Tomi Engdahl says:
FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash
https://www.fireeye.com/blog/threat-research/2019/04/flashmingo-open-source-automatic-analysis-tool-for-flash.html
Tomi Engdahl says:
A security researcher with a grudge is dropping Web 0days on innocent users
Exploits published over the past three weeks exposed 160,000 websites to potent attacks.
https://arstechnica.com/information-technology/2019/04/a-security-researcher-with-a-grudge-is-dropping-web-0days-on-innocent-users/
Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.
Tomi Engdahl says:
Exploiting Apache Solr through OpenCMS
https://www.shielder.it/blog/exploit-apache-solr-through-opencms/
Tomi Engdahl says:
Bad news, everyone! New hijack attack in the wild
https://habr.com/en/company/qrator/blog/447776/
On March 13, a proposal for the RIPE anti-abuse working group was submitted, stating that a BGP hijacking event should be treated as a policy violation. In case of acceptance, if you are an ISP attacked with the hijack, you could submit a special request where you might expose such an autonomous system. If there is enough confirming evidence for an expert group, then such a LIR would be considered an adverse party and further punished. There were some arguments against this proposal.
With this article, we want to show an example of the attack where not only the true attacker was under the question, but the whole list of affected prefixes.
Tomi Engdahl says:
Malware Creates Cryptominer Botnet Using EternalBlue and Mimikatz
https://www.bleepingcomputer.com/news/security/malware-creates-cryptominer-botnet-using-eternalblue-and-mimikatz/
Tomi Engdahl says:
Bug-hunters punch huge holes in WPA3 standard for Wi-Fi security
Passwords, personal information can be sussed out by attackers during handshakes
https://www.theregister.co.uk/2019/04/11/bughunters_punch_holes_in_wpa3_wifi_security/
Tomi Engdahl says:
Cisco Patches Critical Flaw in ASR 9000 Router
https://www.securityweek.com/cisco-patches-critical-flaw-asr-9000-routers
Cisco on Wednesday released patches for 30 vulnerabilities, including a critical bug impacting ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit software.
“An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device,” Cisco notes in an advisory.
Tomi Engdahl says:
Mysterious Operative Haunted Kaspersky Critic
https://www.securityweek.com/mysterious-operative-haunted-kaspersky-critics
Tomi Engdahl says:
Symfony, jQuery Vulnerabilities Patched in Drupal
https://www.securityweek.com/symfony-jquery-vulnerabilities-patched-drupal
Tomi Engdahl says:
Russian Hackers Use RATs to Target Financial Entities
https://www.securityweek.com/russian-hackers-use-rats-target-financial-entities