Cyber Security News April 2019

This posting is here to collect cyber security news in April 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

402 Comments

  1. Tomi Engdahl says:

    Fooling Automated Surveillance Cameras with Patchwork Color Printout
    https://www.schneier.com/blog/archives/2019/04/fooling_automat.html

    Reply
  2. Tomi Engdahl says:

    New DNS Hijacking Attacks
    https://www.schneier.com/blog/archives/2019/04/new_dns_hijacki.html

    DNS hijacking isn’t new, but this seems to be an attack of unprecedented scale

    Reply
  3. Tomi Engdahl says:

    Mary Madden / New York Times:
    When low-income people fall victim to an online fraud or a data breach, the cascade of repercussions, both online and offline, can be devastating
    http://www.nytimes.com/2019/04/25/opinion/privacy-poverty.html

    Reply
  4. Tomi Engdahl says:

    Docker Hub Hacked – 190k accounts, GitHub tokens revoked, Builds disabled
    https://news.ycombinator.com/item?id=19763413

    During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.

    Reply
  5. Tomi Engdahl says:

    Man accused of using flash drives to steal money from multiple businesses
    https://www.local10.com/news/florida/miami-dade/man-accused-of-using-flash-drives-to-steal-money-from-multiple-businesses

    A man is facing multiple charges after he used flash drives to steal money from multiple businesses in Miami-Dade County, authorities said.

    asked for printing services for an airline itinerary and handed the clerk a USB drive, which the clerk placed into a computer.

    he left the business after paying a fee for the services.

    Two days later, the manager noticed the computer screen had turned blue and the cursor on the screen was moving on its own, as though someone had gained unauthorized remote access.

    Reply
  6. Tomi Engdahl says:

    ‘Facebook is spying on me’: User gets ads for obscure things she’s just chatted about
    https://www.mirror.co.uk/news/uk-news/facebook-isnt-spying-us-ads-12362519

    Tyler Mears has been left baffled after two obscure products she had chatted about out loud randomly appeared as a targeted advert on her Facebook the next day

    Reply
  7. Tomi Engdahl says:

    Andy Greenberg / Wired:
    While many foreign phone carriers are sharing real-time SIM swap data with banks to stop financial fraud, US carriers are dragging their feet
    http://www.wired.com/story/sim-swap-fix-carriers-banks

    Reply
  8. Tomi Engdahl says:

    Mara Hvistendahl / Wired:
    Inside the criminal investigation of an IT support technician who ordered his wife’s murder on a dark web site, which was a scam, and then killed her himself
    http://www.wired.com/story/dark-web-bitcoin-murder-cottage-grove

    Reply
  9. Tomi Engdahl says:

    New York Times:
    Officials say FBI, DHS, NSA, and the US Cyber Command task forces, formed before midterms to combat foreign interference in elections, have been made permanent — WASHINGTON — The F.B.I. director warned anew on Friday about Russia’s continued meddling in American elections, calling it a “significant counterintelligence threat.”
    https://www.nytimes.com/2019/04/26/us/politics/fbi-russian-election-interference.html

    Reply
  10. Tomi Engdahl says:

    How to combat the threat of Android malware
    Many antivirus apps are bad, but there are solutions.
    https://www.popsci.com/android-malware-tips

    Android malware is real, but the risk is higher outside the U.S.

    The risk of malware on the Android operating system “depends on many different factors,” says Andreas Clementi, CEO of AV-Comparatives.

    “Official stores such as Google Play are mostly used in western countries, where the risk of infection is very low,’ Clementi says. “In Asian countries, where rooted devices and large number of third-party app stores can be found, the chance of installing a dangerous app is greatly increased.”

    Furthermore, Android malware is different from Windows malware, and that leads to confusion when all you see are scary statistics.

    “Numbers propagated in the media might be inflated, depending on how threats are defined,” Clementi says. “Some people define Adware and other potentially unwanted apps as threats. If those are counted as such, the numbers look very high, as there are a lot of potentially unwanted apps on Android.”

    Most (but not all) Android antivirus apps are terrible

    This spring, AV-Comparatives tested 250 antivirus apps, finding only 80 that detected a significant amount of malicious samples.

    Reply
  11. Tomi Engdahl says:

    BEC fraud losses almost doubled last year
    https://www.welivesecurity.com/2019/04/25/bec-fraud-losses-doubled-2018/

    On the good news front, the FBI notes the success of its newly-established team in recovering some of the funds lost in BEC scams

    Reply
  12. Tomi Engdahl says:

    Threat actors abuse GitHub service to host a variety of phishing kits
    https://www.proofpoint.com/us/threat-insight/post/threat-actors-abuse-github-service-host-variety-phishing-kits

    Editor’s Note:

    As of Friday, April 19, GitHub had taken down all accounts hosting phishing material listed in this blog. GitHub has been extremely responsive in addressing this abuse of their systems.

    Overview

    As Proofpoint researchers have observed in the past, phishers and other threat actors are able to bypass whitelists and network defenses due to their widespread use of large consumer cloud storage sites, social networking, and commerce services such as Dropbox, Google Drive, Paypal, Ebay, and Facebook.

    Since at least mid-2017, phishers have also been abusing free code repositories on the popular GitHub service to host phishing websites on the canonical $github_username.github.io domain.

    Reply
  13. Tomi Engdahl says:

    P2P Flaws Expose Millions of IoT Devices to Remote Attacks
    https://www.securityweek.com/p2p-flaws-expose-millions-iot-devices-remote-attacks

    Vulnerabilities discovered by a researcher in a peer-to-peer (P2P) system named iLnkP2P expose millions of cameras and other Internet of Things (IoT) devices to remote attacks from the Internet, and no patches are available.

    Paul Marrapese, a California-based security engineer, discovered two serious flaws in iLnkP2P, a system developed by Chinese firm Shenzhen Yunni Technology Company, Inc. iLnkP2P is a P2P solution that makes it easier for users to connect to their IoT devices from their phone or computer.

    According to the expert, iLnkP2P is present in devices marketed under hundreds of brands, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM. Affected products include cameras, baby monitors and smart doorbells. Marrapese has conducted an Internet scan and identified over 2 million vulnerable devices.

    Reply
  14. Tomi Engdahl says:

    Google to Block Logins From Embedded Browsers to Prevent Phishing
    https://www.securityweek.com/google-block-logins-embedded-browsers-prevent-phishing

    Google on Thursday announced that it will soon block login attempts from embedded browser frameworks in an effort to prevent man-in-the-middle (MitM) phishing attacks.

    The tech giant says phishing attacks that involve traffic interception are difficult to detect when an embedded browser framework or a different type of automation platform is used for authentication.

    As an example of an embedded browser framework Google provided its Chromium Embedded Framework (CEF), which is designed for embedding Chromium-based browsers in other applications.

    Reply
  15. Tomi Engdahl says:

    Source Code of Iran-Linked Hacking Tools Posted Online
    https://www.securityweek.com/source-code-iran-linked-hacking-tools-posted-online

    The data, posted online by a group of alleged Iranian hackers called “Lab Dookhtegan,” is supposedly related to the infamous OilRig hackers. Also known as APT34 and active since at least 2014, the OilRig group is believed to be backed by the Iranian government.

    Reply
  16. Tomi Engdahl says:

    Operator of Codeshop Cybercrime Marketplace Sentenced to Prison
    https://www.securityweek.com/operator-codeshop-cybercrime-marketplace-sentenced-prison

    Known online as “codeshop,” “xhevo,” “sindrom” and “sindromx,” Ametovski ran Codeshop, a website that offered stolen payment card data, bank account credentials, and personal information.

    Reply
  17. Tomi Engdahl says:

    Hacker Group Exposes Iranian APT Operations and Members
    https://www.bleepingcomputer.com/news/security/hacker-group-exposes-iranian-apt-operations-and-members/

    Hackers have revealed details about the inner workings of a cyber-espionage group mostly known in the security community as OilRig, APT34, and HelixKitten, linked to the Iranian government.

    Using the online name Lab Dookhtegan, the hackers used a Telegram channel to dump information about APT34′s infrastructure, hacking tools, members, and victims.

    Reply
  18. Tomi Engdahl says:

    RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure
    https://www.bleepingcomputer.com/news/security/revengerat-distributed-via-bitly-blogspot-and-pastebin-c2-infrastructure/

    A malicious campaign targeting entities from North America, Europe, Asia, and the Middle East during March used a combination of pages hosted on Bit.ly, BlogSpot, and Pastebin to create a command-and-control (C2) infrastructure designed to avoid getting blocked by security solutions.

    Reply
  19. Tomi Engdahl says:

    Microsoft loses control over Windows Tiles
    https://www.golem.de/news/subdomain-takeover-microsoft-loses-control-over-windows-tiles-1904-140717.html

    A service from Microsoft used to allow web page owners to deliver news on Windows Tiles as so-called Windows Live Tiles. After the service has been disabled, we were able to take over the corresponding subdomain and display our own Tile contents.

    Reply
  20. Tomi Engdahl says:

    Hacker Breaks Into French Government’s New Secure Messaging App
    https://thehackernews.com/2019/04/france-Tchap-secure-messenger.html

    Reply
  21. Tomi Engdahl says:

    Mozilla Firefox to Enable Hyperlink Ping Tracking By Default
    https://www.bleepingcomputer.com/news/software/mozilla-firefox-to-enable-hyperlink-ping-tracking-by-default/

    For those not familiar with hyperlink auditing, it is a HTML feature that allows web sites to track link clicks by adding the “ping=” attribute to HTML links. When these links are clicked, in addition to navigating to the linked to page, the browser will also connect to the page listed in the ping= attribute, which can then be used to record the click.

    Ping HTML Link

    When these links are displayed on the page, they will appear as a normal link and if a user clicks on it, there is no indication that a connection is being made to a different page as well.

    Privacy risk?

    Earlier this month, we covered how Google Chrome, Opera, Microsoft Edge, and Safari enabled hyperlink auditing pings by default. While some browsers currently enable you to disable this feature, all of the mentioned browsers will no longer allow users to do so in the future.

    Reply
  22. Tomi Engdahl says:

    ‘WannaCry Hero’ Marcus Hutchins Pleads Guilty to Making Banking Malware
    https://motherboard.vice.com/en_us/article/qv7pad/marcus-hutchins-pleads-guilty-banking-malware-wannacry-hero

    The researcher who helped stop the WannaCry ransomware pleaded guilty to two counts of hacking for writing banking malware in 2014.

    Reply
  23. Tomi Engdahl says:

    Ransomware attack knocks Weather Channel off the Air
    https://securityaffairs.co/wordpress/84164/hacking/weather-channel-ransomware-attack.html

    A ransomware attack knocked the Weather Channel off the air for at least 90 minutes Thursday morning, federal law enforcement are investigating the incident.

    Reply
  24. Tomi Engdahl says:

    Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers
    https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/

    We discovered a new technical support scam (TSS) campaign that makes use of iframe in combination with basic pop-up authentication to freeze a user’s browser. Since this technique is new and unfamiliar, it can potentially evade detection. Like many TSS campaigns, it disguises itself as a legitimate or well-known brand’s service provider to lure its victims. This campaign in particular uses Microsoft.

    Reply
  25. Tomi Engdahl says:

    Naming and shaming nations that launch cyberattacks does work, say intel chiefs
    https://www.zdnet.com/article/naming-and-shaming-nations-that-launch-cyberattacks-does-work-say-intel-chiefs/

    Cybersecurity agencies explain when and why they attribute cyberattacks to other nations.

    Reply
  26. Tomi Engdahl says:

    Confidence in the internet is wobbling: Here’s how to fix it, says cyber chief
    https://www.zdnet.com/article/confidence-the-internet-is-wobbling-heres-how-to-fix-it-says-cyber-chief/

    Tech industry has a responsibility to fix security for the next generation, says NCSC head.

    There’s been a dip in confidence around how the internet works and it’s up to the cybersecurity industry and others to help fix problems and ensure that we don’t make the same mistakes that were being made when online connectivity was a new phenomenon as fresh internet-connected technologies emerge.

    “These new generations of technologies still offer unparalleled opportunities to make all our lives so much better – our healthcare, our economy, our societies, but we have to think about managing the risks and the harm,” said Ciaran Martin, CEO of the National Cyber Security Centre (NCSC), the cybersecurity arm of the UK’s GCHQ intelligence agency.

    Reply
  27. Tomi Engdahl says:

    Powershell, the Gandcrab infection and the long-forgotten server
    GCHQ offshoot shares infosec hair-raisers
    https://www.theregister.co.uk/2019/04/29/surprising_infosec_stories_from_ncsc/

    CyberUK 2019 If your hair isn’t already grey enough, GCHQ staff have revealed a handful of infosec incidents that, in their words, “surprised us”.

    The NCSC is part of GCHQ’s drive since 2013 to rebuild public trust and convince industry that the government is also interested in their economic wellbeing. As part of that, NCSC occasionally gets called in to help with particularly pernickety problems involving malware infections on corporate networks.

    A look over the company’s logs revealed that Gandcrab had been introduced via a download from Pastebin – an encoded Base64 binary summoned through a Powershell command, no less.

    CVE-2017-18362 explained half the story. The critical vuln allows anyone with access to the Kaseya server’s ManagedIT.asmx page through its web interface to execute arbitrary SQL queries. As Toby put it: “No whitelisting, no blacklisting, no password entry… send SQL commands and HTTP POST and it’ll just run it.”

    But Powershell? Easy if you know about CVE-2018-20753, which allows (yup, you guessed it) unprivileged remote attackers to execute Powershell payloads on all managed devices.

    Reply
  28. Tomi Engdahl says:

    Russia’s great firewall: is it meant to keep information in – or out?
    https://www.theguardian.com/technology/2019/apr/28/russia-great-firewall-sovereign-internet-bill-keeping-information-in-or-out

    Vladimir Putin will soon sign the ‘sovereign internet’ bill to allow greater monitoring of traffic. But what are its other consequences?

    Reply
  29. Tomi Engdahl says:

    Norsk Hydro Says Cyber Attack Cost It Around $50 Mln
    https://www.securityweek.com/norsk-hydro-says-cyber-attack-cost-it-around-50-mln

    Global aluminium producer Norsk Hydro on Tuesday put the cost of a cyber attack targeting the Norwegian company in March at around $50 million.

    In the night between March 18 and 19, the company became the target of a “massive” cyber attack involving ransom ware, forcing it to disconnect from various sites and factories and switch to manual operations in others.

    The attack also forced it to postpone the publication of its quarterly earnings, originally scheduled for Tuesday, to June 5.

    Reply
  30. Tomi Engdahl says:

    ImmuniWeb Launches Free Testing Tool for Website Security and PCI Compliance
    https://www.securityweek.com/immuniweb-launches-free-testing-tool-website-security-and-pci-compliance

    Swiss-based web security company ImmuniWeb, known until recently as High-Tech Bridge, on Monday announced the availability of a free tool designed for testing websites.

    The new Website Security Test tool checks sites for PCI DSS compliance (6.2, 6.5 and 6.6 requirements), it analyzes the content management system (CMS), checks the web server and content security policy (CSP), and looks for privacy issues.

    Specifically, the tool checks if a web application firewall (WAF) is present, if the CMS and its components are up-to-date, if the JavaScript components are up-to-date, if cookies are properly configured, if web server directory listing is enabled, and if cryptojacking malware is detected.

    https://www.immuniweb.com/websec/

    Reply
  31. Tomi Engdahl says:

    Facebook to Fund Research on Social Media Impact on Elections
    https://www.securityweek.com/facebook-fund-research-social-media-impact-elections

    Facebook announced Monday its first research grants to academics studying the impact of social media on elections, part of an effort to prevent manipulation of social platforms.

    The leading social network said some 60 researchers from 30 academic institutions across 11 countries were selected under a review process by the Social Science Research Council and the independent group Social Science One.

    Reply
  32. Tomi Engdahl says:

    GDPR Conformance Does Not Excuse Companies from Vicarious Liability
    https://www.securityweek.com/gdpr-conformance-does-not-excuse-companies-vicarious-liability

    The UK supermarket chain Morrisons’ legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU’s General Data Protection Regulation (GDPR).

    Reply
  33. Tomi Engdahl says:

    Backdoors in Huawei Equipment Discovered by Vodafone Italy in 2009
    https://gizmodo.com/backdoors-in-huawei-equipment-discovered-by-vodaphone-i-1834408368?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow

    Vodafone Italy discovered backdoors in its Huawei home internet routers and software between 2009 and 2011 according to a new report from Bloomberg News. The backdoors have reportedly been fixed, but the revelations are still bad news for Huawei as the Chinese tech giant tries to secure contracts to build 5G infrastructure around the world.

    Reply
  34. Tomi Engdahl says:

    Editors’ picks for 2018: ‘The African Union headquarters hack and Australia’s 5G network
    https://www.aspistrategist.org.au/editors-picks-for-2018-the-african-union-headquarters-hack-and-australias-5g-network/

    Reply
  35. Tomi Engdahl says:

    ‘One Ring’ Wireless Phone Scam
    https://www.fcc.gov/consumers/guides/one-ring-wireless-phone-scam

    If your phone rings once and then stops, think twice before returning the call. It may be a scam

    Why Phone Fraud Starts With A Silent Call
    https://www.npr.org/sections/alltechconsidered/2015/08/24/434313813/why-phone-fraud-starts-with-a-silent-call?t=1556689827658

    Reply
  36. Tomi Engdahl says:

    Oh dear. Secret Huawei enterprise router snoop ‘backdoor’ was Telnet service, sighs Vodafone
    We all want to see hard proof of deliberate espionage. This is absolutely not it
    https://www.theregister.co.uk/2019/04/30/huawei_enterprise_router_backdoor_is_telnet/

    Reply
  37. Tomi Engdahl says:

    Hackers Steal and Ransom Financial Data Related to Some of the World’s Largest Companies
    https://motherboard.vice.com/en_us/article/d3np4y/hackers-steal-ransom-citycomp-airbus-volkswagen-oracle-valuable-companies

    The data was stolen from Citycomp, which provides internet infrastructure for dozens of companies including Oracle, Airbus, Toshiba, and Volkswagen.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*