Cyber Security Trends May 2019

This posting is here to collect cyber security news in May 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

 

355 Comments

  1. Tomi Engdahl says:

    Cartoon Network websites hacked to show Arabic memes, male stripper videos
    https://www.zdnet.com/article/cartoon-network-websites-hacked-to-show-arabic-memes-and-brazilian-male-stripper/

    At least 16 regional Cartoon Network websites have been defaced by two Brazilian hackers.

    Reply
  2. Tomi Engdahl says:

    UK Defense Secretary Gavin Williamson fired over Huawei leak
    https://www.google.com/amp/s/amp.cnn.com/cnn/2019/05/01/uk/gavin-williamson-defense-secretary-fired-huawei-leak-gbr-intl/index.html

    British Prime Minister Theresa May has fired her Defense Secretary Gavin Williamson over the leaking of a key decision related to the Chinese telecoms company Huawei from a UK National Security Council meeting.

    May’s surprise decision followed an inquiry into how the Daily Telegraph newspaper discovered that the UK government was preparing to give Huawei access to parts of the country’s 5G mobile network.

    Reply
  3. Tomi Engdahl says:

    Many Vulnerabilities Found in Wireless Presentation Devices
    https://www.securityweek.com/many-vulnerabilities-found-wireless-presentation-devices

    Researchers at Tenable have discovered a total of 15 vulnerabilities across eight wireless presentation systems, including flaws that can be exploited to remotely hack devices.

    Some of the 15 flaws also impact Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly products from other vendors. Barco appears to be the OEM for some of these devices.

    Reply
  4. Tomi Engdahl says:

    Putin Signs Controversial Internet Law
    https://www.securityweek.com/putin-signs-controversial-internet-law

    President Vladimir Putin on Wednesday signed into law a “sovereign internet” bill which will allow Russian authorities to isolate the country’s internet, a move decried by rights groups.

    Russian lawmakers insist the new law is necessary to ensure the security of Russia’s online networks but critics say the vaguely worded bill gives new censorship powers to government monitors.

    Reply
  5. Tomi Engdahl says:

    Electrum DDoS Botnet Builds Army of 150,000 Hosts
    https://www.securityweek.com/electrum-ddos-botnet-builds-army-150000-hosts

    A botnet targeting the users of the popular Electrum Bitcoin wallet managed to ensnare more than 150,000 hosts at its peak, Malwarebytes security researchers say.

    First observed in December 2018, the threat was initially attempting to lure users into downloading a malicious update aimed at stealing their cryptocurrency. By mid-April 2019, threat actors behind the malware managed to steal around $4 million in Bitcoin from their victims.

    Reply
  6. Tomi Engdahl says:

    Hackers Had Access to Citrix Network for Five Months
    https://www.securityweek.com/hackers-had-access-citrix-network-five-months

    Software giant Citrix has shared more information about the recent data breach and it appears the hackers had access to the company’s network for roughly five months.

    Reply
  7. Tomi Engdahl says:

    Majority of Encrypted Email Clients Vulnerable to Signature Spoofing
    https://www.securityweek.com/majority-encrypted-email-clients-vulnerable-signature-spoofing

    Out of 20 Email Clients Tested, 14 Were Vulnerable to OpenPGP Signature Spoofing Attacks

    Reply
  8. Tomi Engdahl says:

    U.S. will rethink cooperation with allies who use Huawei: official
    https://www.reuters.com/article/us-usa-huawei-tech/u-s-will-rethink-cooperation-with-allies-who-use-huawei-official-idUSKCN1S517H

    Washington does not see any distinction between core and non-core parts of 5G networks and will reassess sharing information with any allies which use equipment made by China’s Huawei, a U.S. cybersecurity official said on Monday.

    “It is the United States’ position that putting Huawei or any other untrustworthy vendor in any part of the 5G telecommunications network is a risk,”

    Reply
  9. Tomi Engdahl says:

    APT trends report Q1 2019
    https://securelist.com/apt-trends-report-q1-2019/90643/

    If we are to provide a few general highlights, we can conclude that:

    Geopolitics keeps gaining weight as the main driver of APT activity
    South East Asia is still the most active region of the world in terms of APT activity, but probably this is also related to the “noise” that some of the less experienced groups make
    Russian-speaking groups keep a low profile in comparison with recent years: maybe this is part of internal restructuring, but this is just a hypothesis
    Chinese-speaking actors maintain a high level of activity, combining low and high sophistication depending on the campaign
    Providers of “commercial” malware available for governments and other entities seem to be doing well, with more customers

    Reply
  10. Tomi Engdahl says:

    Mysterious hacker has been selling Windows 0-days to APT groups for three years
    https://www.zdnet.com/article/mysterious-hacker-has-been-selling-windows-0-days-to-apt-groups-for-three-years/#ftag=RSSbaffb68

    Hacker has sold Windows zero-days to the likes of Fancy Bear, FruityArmor, and SandCat.

    Reply
  11. Tomi Engdahl says:

    Only six TSA staffers are overseeing US oil&gas pipeline security
    https://www.zdnet.com/article/only-six-tsa-staffers-are-overseeing-us-oil-gas-pipeline-security/

    GAO report highlights lack of oil&gas security staff, outdated cyber-security risk assessment methodologies.

    The Transportation Security Administration (TSA), the US agency in charge of the US oil&gas pipeline system, has a serious staffing issue on physical and cyber-security positions.

    Reply
  12. Tomi Engdahl says:

    Dell laptops and computers vulnerable to remote hijacks
    Another security flaw in a vendor’s bloatware apps puts users at risk.
    https://www.zdnet.com/article/dell-laptops-and-computers-vulnerable-to-remote-hijacks/

    A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems.

    Dell has released a patch for this security flaw on April 23; however, many users are likely to remain vulnerable unless they’ve already updated the tool – which is used for debugging, diagnostics, and Dell drivers auto-updates.

    Reply
  13. Tomi Engdahl says:

    Google adds option to auto-delete search and location history data
    https://www.zdnet.com/article/google-adds-option-to-auto-delete-location-history-data/

    Google gives users more control over search and location data in the face of impending government scrutiny.

    Reply
  14. Tomi Engdahl says:

    Windows Server hosting provider still down a week after ransomware attack
    A2 Hosting has yet to fully restore services after a week, angering tens of customers.
    https://www.zdnet.com/article/windows-server-hosting-provider-still-down-a-week-after-ransomware-attack/

    A ransomware infection has crippled the operations of a US-based web hosting provider for almost eight days now, several of the company’s disgruntled customers have told ZDNet today.

    Impacted are all Windows-based servers owned by A2 Hosting, a provider of virtual private servers (VPS) and WordPress hosting services.

    Reply
  15. Tomi Engdahl says:

    Human Rights Watch:
    Researchers reverse engineer an app used by Chinese authorities in Xinjiang which connects to a mass surveillance system for tracking Muslim minorities

    How Mass Surveillance Works in Xinjiang, China
    ‘Reverse Engineering’ Police App Reveals Profiling and Monitoring Strategies
    https://www.hrw.org/video-photos/interactive/2019/05/02/china-how-mass-surveillance-works-xinjiang

    Reply
  16. Tomi Engdahl says:

    Kyle Wiggers / VentureBeat:
    Google says it will roll out a new tool that lets users limit how long it keeps location, search, and browsing data to either three or 18 months — Last August, the Associated Press reported that various Google apps store the timestamped locations of the devices on which they’re installed.

    Google can now automatically delete your location, app, and search activity data
    https://venturebeat.com/2019/05/01/google-can-now-automatically-delete-your-location-app-and-search-activity-data/

    Last August, the Associated Press reported that various Google apps store the timestamped locations of the devices on which they’re installed. Some of this collection occurs regardless of which privacy settings are enabled — Google Location Services, Find My Device, Search, and Maps continuously record telemetry data. But other entries can be viewed and manually deleted on Android, iOS, and the web, and Google says it’s committed to streamlining the auditing process with new tools.

    Reply
  17. Tomi Engdahl says:

    Tara Seals / Threatpost:
    Flashpoint says April Wipro attack was done by hackers who may have been operating under the radar since ’15, have the hallmarks of an advanced, organized group

    Wipro Attackers Have Operated Under the Radar for Years
    https://threatpost.com/wipro-attackers-under-radar/144276/

    The adversaries have the hallmarks of an advanced, organized group, with well-established infrastructure.

    New details are emerging in the April attack on systems consulting behemoth Wipro, which saw its network hacked and used for mounting attacks on a dozen of its customers. In a fresh analysis of the indicators of compromise (IOCs), Flashpoint analysts said that the cyberattackers have actually been operating in the shadows for some time – and that the Wipro incident is only its latest effort.

    Reply
  18. Tomi Engdahl says:

    Theodore Schleifer / Vox:
    As Saudi Arabia keeps spending, China’s history of IP theft, Trump’s aggressive stance, and empowered CFIUS are decimating China’s US tech startup investments

    Silicon Valley is awash in Chinese and Saudi cash — and no one is paying attention (except Trump)
    https://www.vox.com/recode/2019/5/1/18511540/silicon-valley-foreign-money-china-saudi-arabia-cfius-firrma-geopolitics-venture-capital

    A tough, new enforcement regime is becoming a geopolitical minefield for venture capitalists and startups.

    Reply
  19. Tomi Engdahl says:

    Louise Matsakis / Wired:
    Around 20 security experts have united with Securepairs.org to support right-to-repair legislation with expert witnesses at hearings across the US

    Security Experts Unite Over the Right to Repair
    https://www.wired.com/story/right-to-repair-security-experts-california/

    Two years ago, as Nebraska was considering a “right to repair” bill designed to make it easier for consumers to fix their own gadgets, an Apple lobbyist made a frightening prediction. If the state passed the legislation, it would turn into a haven for hackers, Steve Kester told then-state senator Lydia Brasch. He argued the law would inadvertently give bad actors the opportunity to break into devices like smartphones. The bill was later shelved, in part because of industry pressure.

    Now, with right-to-repair legislation gaining traction across the country, a new nonprofit advocacy group called Securepairs.org wants to push back against that kind of messaging, arguing instead that devices can be both easy to fix and secure.

    Right-to-repair bills often mandate companies release manuals and diagnostic software, as well as sell replacement parts and repair tools to the public s

    Securepairs.org, founded by technology journalist Paul Roberts, has attracted the support of more than 20 security experts, including Harvard University security technologist Bruce Schneier, bug bounty expert Katie Moussouris, and ACLU technologist Jon Callas. They plan to arrange for expert witnesses to testify at legislative hearings across the country in an effort to convince lawmakers that the right to repair is inherently safe.

    Reply
  20. Tomi Engdahl says:

    Hugh Handeyside / ACLU:
    Testimonies of US border officials confirm that CBP and ICE have “near-unfettered” authority to search and seize travelers’ electronic devices at the border

    We Got U.S. Border Officials to Testify Under Oath. Here’s What We Found Out.
    https://www.aclu.org/blog/privacy-technology/privacy-borders-and-checkpoints/we-got-us-border-officials-testify-under

    Reply
  21. Tomi Engdahl says:

    Pre-Installed Software Flaw Exposes Most Dell Computers to Remote Hacking

    https://thehackernews.com/2019/05/dell-computer-hacking.html

    If you use a Dell computer, then beware — hackers could compromise your system remotely.

    Bill Demirkapi, a 17-year-old independent security researcher, has discovered a critical remote code execution vulnerability in the Dell SupportAssist utility that comes pre-installed on most Dell computers.

    Remote Code Execution on most Dell computers
    https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers/
    In this article, I’ll be looking at a Remote Code Execution vulnerability I found in Dell SupportAssist, software meant to proactively check the health of your system’s hardware and software and which is preinstalled on most of all new Dell devices.

    Reply
  22. Tomi Engdahl says:

    Dell Patches Remote Code Execution Vulnerability in SupportAssist Client
    https://www.securityweek.com/dell-patches-remote-code-execution-vulnerability-supportassist-client

    Dell recently patched two security vulnerabilities in its SupportAssist Client, including one that could be exploited to achieve remote code execution.

    Tracked as CVE-2019-3718, the first of the vulnerabilities is an improper origin validation flaw that could allow an unauthenticated remote attacker to potentially attempt cross-site request forgery (CSRF) attacks on users of the impacted systems.

    The issue has a CVSS score of 7.6 and has been fixed with the release of Dell SupportAssist Client 3.2.0.90.

    Tracked as CVE-2019-3719 and featuring a CVSS score of 7.1, the second vulnerability could be exploited by an unauthenticated attacker that shares the network access layer with the vulnerable system to compromise that system.

    For that, however, the attacker would need to trick the victim user into downloading and executing arbitrary files via the SupportAssist client, Dell noted in an advisory. The files would be fetched from attacker hosted sites. 

    The researcher also published a demo to show how the vulnerability can be exploited, and made the proof-of-concept code available online. 
    https://github.com/D4stiny/Dell-Support-Assist-RCE-PoC

    Reply
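The first SupportAssist issue above is described as "improper origin validation" enabling CSRF against a local service. As an added illustration of that bug class (not code from the page, the researcher or Dell, and not the actual SupportAssist check), the following constructed example contrasts a loose Origin check with a strict one; the allowlisted host `support.vendor.example` and all sample origins are placeholders.

```python
"""Loose vs. strict Origin-header validation for a local HTTP service.

Constructed example: 'support.vendor.example' and the sample origins are
placeholders, not values taken from the Dell advisory or the PoC.
"""
from urllib.parse import urlsplit

# Exact (scheme, host, port) tuples the local service should trust.
ALLOWED_ORIGINS = {("https", "support.vendor.example", 443)}


def loose_origin_ok(origin: str) -> bool:
    """Flawed pattern: trusting any Origin that merely contains or ends with
    the vendor name. Attacker-registered names can satisfy this test."""
    return origin.endswith("vendor.example") or "vendor.example" in origin


def strict_origin_ok(origin: str) -> bool:
    """Parse the Origin and require an exact scheme/host/port match.

    A missing, empty or 'null' Origin is rejected for state-changing
    requests, since a CSRF request from an opaque origin looks like that."""
    if not origin or origin == "null":
        return False
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # An Origin header carries no path, query, fragment or userinfo; any of
    # these indicates a malformed or deliberately confusing value.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port) in ALLOWED_ORIGINS


def classify_origin(origin: str) -> tuple:
    """Return (loose_result, strict_result) for one Origin value."""
    return loose_origin_ok(origin), strict_origin_ok(origin)


def authorize_state_change(headers: dict) -> bool:
    """Gate a state-changing request on its Origin header (case-insensitive
    header lookup, strict validation)."""
    for name, value in headers.items():
        if name.lower() == "origin":
            return strict_origin_ok(value)
    return False  # no Origin at all: refuse the side effect


if __name__ == "__main__":
    # Constructed sample origins: the first is legitimate, the rest are the
    # kinds of values that slip past a substring or suffix check.
    samples = [
        "https://support.vendor.example",
        "https://support.vendor.example.attacker.test",
        "https://evilvendor.example",
        "http://support.vendor.example",
        "https://support.vendor.example@attacker.test",
        "null",
    ]
    for o in samples:
        loose, strict = classify_origin(o)
        print(f"{o:48} loose={loose!s:5} strict={strict}")
```

Only the exact allowlisted origin passes the strict check; every look-alike that the loose check accepts is rejected.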
  23. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Dark web marketplace Wall Street Market, whose admins exit-scammed users of $14.2M+ in cryptocurrency, seized by German police and other international agencies

    Law enforcement seizes dark web market after moderator leaks backend credentials
    https://www.zdnet.com/article/law-enforcement-seizes-dark-web-market-after-moderator-leaks-backend-credentials/

    Wall Street Market seized by law enforcement agencies from Germany, the US, the Netherlands, and Romania.

    Reply
  24. Tomi Engdahl says:

    Trump Signs Executive Order to Bolster Cybersecurity Workforce
    https://www.securityweek.com/trump-signs-executive-order-bolster-cybersecurity-workforce

    U.S. President Donald Trump on Thursday signed an executive order whose goal is to grow and strengthen the country’s cybersecurity workforce.

    The White House says there are over 300,000 cybersecurity job vacancies in the United States and believes it’s crucial for the country’s economy and security that these jobs are filled.

    The executive order outlines the development of a rotational program that enables government employees to temporarily be assigned to other agencies. A similar program is proposed by the Federal Rotational Cyber Workforce Program Act, a bill passed in the Senate earlier this year.

    Executive Order on America’s Cybersecurity Workforce
    https://www.whitehouse.gov/presidential-actions/executive-order-americas-cybersecurity-workforce/

    Section 1. Policy. (a) America’s cybersecurity workforce is a strategic asset that protects the American people, the homeland, and the American way of life. The National Cyber Strategy, the President’s 2018 Management Agenda, and Executive Order 13800 of May 11, 2017 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure), each emphasize that a superior cybersecurity workforce will promote American prosperity and preserve peace. America’s cybersecurity workforce is a diverse group of practitioners who govern, design, defend, analyze, administer, operate, and maintain the data, systems, and networks on which our economy and way of life depend. Whether they are employed in the public or private sectors, they are guardians of our national and economic security.

    Reply
  25. Tomi Engdahl says:

    Russian Charged With Stealing $1.5 Million From IRS
    https://www.securityweek.com/russian-charged-stealing-15-million-irs

    The United States this week indicted a Russian national for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

    Reply
  26. Tomi Engdahl says:

    Windows Server hosting provider still down a week after ransomware attack
    A2 Hosting has yet to fully restore services after a week, angering tens of customers.
    https://www.zdnet.com/article/windows-server-hosting-provider-still-down-a-week-after-ransomware-attack/

    Reply
  27. Tomi Engdahl says:

    50,000 enterprise firms running SAP software vulnerable to attack
    9 out of 10 SAP production systems are believed to be vulnerable to new exploits.
    https://www.zdnet.com/article/50000-enterprise-firms-running-sap-software-vulnerable-to-attack/#ftag=RSSbaffb68

    Reply
  28. Tomi Engdahl says:

    Hackers lurked in Citrix systems for six months
    Social Security numbers and financial data may have been stolen.
    https://www.zdnet.com/article/hackers-lurked-in-citrix-systems-for-six-months/#ftag=RSSbaffb68

    Reply
  29. Tomi Engdahl says:

    NSA surveillance of foreign nationals surges
    https://www.zdnet.com/article/nsa-surveillance-of-foreign-nationals-surges/

    Domestic communications record slurping is reducing, but global spying is on the uptick.

    Reply
  30. Tomi Engdahl says:

    UK is ‘not a surveillance state’ insists minister defending police face recog tech
    Creepycams are fine. Public just needs to trust us… I mean them, I mean private firms
    https://www.theregister.co.uk/2019/05/03/facial_recognition_debate_westminster_hall/

    Opposition MPs have debated whether automated facial recognition technology should be used at all in the UK, after a pressure group mounted legal challenges against police use of face-scanning equipment.

    Reply
  31. Tomi Engdahl says:

    Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again
    Better ban this gear from non-US core networks, right?
    https://www.theregister.co.uk/2019/05/02/cisco_vulnerabilities/

    Right on cue, Cisco on Wednesday patched a security vulnerability in some of its network switches that can be exploited by miscreants to commandeer the IT equipment and spy on people.

    This comes immediately after panic this week over a hidden Telnet-based diagnostic interface was found in Huawei gateways. Although that vulnerability was real, irritating, and eventually removed at Vodafone’s insistence, it was dubbed by some a hidden backdoor perfect for Chinese spies to exploit to snoop on Western targets.

    Well, if a non-internet-facing undocumented diagnostic Telnet daemon is reason enough to kick Huawei kit out of Western networks, surely this doozy from Cisco is enough to hoof American equipment out of British, European and other non-US infrastructure? Fair’s fair, no?

    US tech giant Cisco has issued a free fix for software running on its Nexus 9000 series machines that can be exploited to log in as root and hijack the device for further mischief and eavesdropping. A miscreant just needs to be able to reach the vulnerable box via IPv6.

    Reply
  32. Tomi Engdahl says:

    Hey, those warrantless smartphone searches at the US border? Unconstitutional, yeah? Civil-rights warriors ask court to settle this
    Latest development in long-running lawsuit over electronic device slurping
    https://www.theregister.co.uk/2019/05/01/us_border_phone_searches_warrantless/

    Civil rights groups including the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) have pushed this week for a US judge to declare the search of mobile phones at America’s borders to be unconstitutional.

    Reply
  33. Tomi Engdahl says:

    Vodafone Found Hidden Backdoors in Huawei Equipment
    https://www.bloomberg.com/news/articles/2019-04-30/vodafone-found-hidden-backdoors-in-huawei-equipment

    While the carrier says the issues found in 2011 and 2012 were resolved at the time, the revelation may further damage the reputation of a Chinese powerhouse.

    Reply
  34. Tomi Engdahl says:

    Putin Signs Law To Create an Independent Russian Internet
    https://tech.slashdot.org/story/19/05/02/1535237/putin-signs-law-to-create-an-independent-russian-internet?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Russia is one step closer to creating its own, independent internet — at least legally speaking. Russian President Vladimir Putin has signed into law new measures that would enable the creation of a national network, able to operate separately from the rest of the world, according to documents posted on a government portal this week.

    Putin signs law to create an independent Russian internet
    https://edition.cnn.com/2019/05/01/europe/vladimir-putin-russian-independent-internet-intl/

    Reply
  35. Tomi Engdahl says:

    Mijente:
    Document from May 2017 shows ICE used Palantir’s software to target and arrest parents and other relatives of unaccompanied minors crossing the US-Mexico border — The data-mining firm Palantir played a key role in federal immigration efforts to target and arrest family members of children crossing …

    Palantir Played Key Role in Arresting Families for Deportation, Document Shows
    https://mijente.net/2019/05/02/palantir-arresting-families/

    The data-mining firm Palantir played a key role in federal immigration efforts to target and arrest family members of children crossing the border alone, a new document released this week shows.

    https://mijente.net/wp-content/uploads/2019/05/Smuggling-Initiative-ConOP.pdf

    Reply
  36. Tomi Engdahl says:

    China’s Mass Surveillance App Hacked; Code Reveals Specific Criteria For Illegal Oppression
    https://www.zerohedge.com/news/2019-05-02/chinas-mass-surveillance-app-hacked-code-reveals-specific-criterea-illegal

    Human Rights Watch got their hands on an app used by Chinese authorities in the western Xinjiang region to surveil, track and categorize the entire local population – particularly the 13 million or so Turkic Muslims.

    Reply
  37. Tomi Engdahl says:

    Eight Devices, One Exploit
    OEM Vulnerabilities
    https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c

    15 vulnerabilities in Crestron’s AM-100 and AM-101 devices.

    Crestron had silently patched a backdoor in the AM-100 that had been previously found and patched in a Barco WePresent WiPG-1000.

    It turns out that Crestron’s AirMedia and Barco’s WePresent are more or less the exact same product. The underlying software was developed by Barco’s subsidiary AWIND.

    What’s striking is the devices are used overwhelmingly by universities. Particularly universities in North America. From the Ivy Leagues to state schools, it seems these devices have seriously penetrated the market. Using ARIN’s whois database, I found over 100 different universities in North America.

    Shodan sleuthing uncovered six more companies repackaging the WePresent platform.

    So many different brands! Yet none of them seem to be linked by CVE. Maybe vulnerabilities found in WePresent or AirMedia simply aren’t patched in other devices?

    Patching Crestron Devices is Hard (Apparently)

    WePresent Unpatched Devices

    A Conclusion of Sorts
    So what have we seen here? A resold platform that has different levels of patching across different vendors. Slow patch deployment amongst the user base. Difficult to obtain firmware. Installations that expose the devices to the internet. And, finally, poor software development practices that left all the devices open to unauthenticated remote code execution.

    What’s the solution? Stop buying devices that don’t have obvious firmware upgrade paths.

    Reply
  38. Tomi Engdahl says:

    Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again
    Better ban this gear from non-US core networks, right?
    https://www.theregister.co.uk/2019/05/02/cisco_vulnerabilities/

    Reply
  39. Tomi Engdahl says:

    Pre-Installed Software Flaw Exposes Most Dell Computers to Remote Hacking
    https://thehackernews.com/2019/05/dell-computer-hacking.html?m=1

    Reply
  40. Tomi Engdahl says:

    UoN student Faces long term imprisonment For Deleting Huduma Namba Files
    http://dailyactive.info/2019/05/02/uon-student-faces-long-term-imprisonment-for-deleting-huduma-namba-files/

    committed the usual crime of hackers who break into computer systems and routinely deleted files of the ongoing Huduma Namba exercise.

    More than Ksh 21 Million in damages were lost as a result and he will be charged with “unauthorized damages”.

    Reply
  41. Tomi Engdahl says:

    DHS Orders Federal Agencies to Patch Critical Flaws Within 15 Days
    https://thehackernews.com/2019/05/dhs-patch-vulnerabilities.html?m=1

    In recent years, we have seen how hackers prey on those too lazy or ignorant to install security patches, which, if applied on time, would have prevented some devastating cyber attacks and data breaches that happened in major organisations.

    Reply
  42. Tomi Engdahl says:

    A hacker is wiping Git repositories and asking for a ransom
    https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/

    Hacker threatens to release the code if victims don’t pay in 10 days.

    Reply
  43. Tomi Engdahl says:

    China’s Mass Surveillance App Hacked; Code Reveals Specific Criteria For Illegal Oppression
    https://www.zerohedge.com/news/2019-05-02/chinas-mass-surveillance-app-hacked-code-reveals-specific-criterea-illegal

    Reply
  44. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Some Git source code repositories, including at least 392 from GitHub, have been wiped and replaced with a ransom demand in a possible coordinated attack — Hacker wipes Git repos and asks for Bitcoin. Gives victims 10 days and threatens to release the code.

    A hacker is wiping Git repositories and asking for a ransom
    Hacker threatens to release the code if victims don’t pay in 10 days.
    https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/

    Hundreds of developers have had Git source code repositories wiped and replaced with a ransom demand.

    The attacks started earlier today, appear to be coordinated across Git hosting services (GitHub, Bitbucket, GitLab), and it is still unclear how they are happening.

    What is known is that the hacker removes all source code and recent commits from victims’ Git repositories, and leaves a ransom note behind that asks for a payment of 0.1 Bitcoin (~$570).

    The hacker claims all source code has been downloaded and stored on one of their servers, and gives the victim ten days to pay the ransom; otherwise, they’ll make the code public.

    Some users who fell victim to this hacker have admitted to using weak passwords for their GitHub, GitLab, and Bitbucket accounts, and forgetting to remove access tokens for old apps they haven’t used for months – both of which are very common ways in which online accounts usually get compromised.

    Reply
  45. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Researchers link 6 software supply chain attacks, including backdoors in CCleaner and Asus’ software update tool, to a group of likely Chinese-speaking hackers — A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer’s network …
    https://www.wired.com/story/barium-supply-chain-hackers/

    “They’re poisoning trusted mechanisms,” says Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky. When it comes to software supply chain attacks, “they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys.”

    They’re known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply chain attacks as their core tool. Their attacks all follow a similar pattern: Seed out infections to a massive collection of victims, then sort through them to find espionage targets.

    Reply
