This posting is here to collect cyber security news in September 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
211 Comments
Tomi Engdahl says:
Metasploit team releases BlueKeep exploit
Metasploit BlueKeep module can achieve code execution, is easy to use.
https://www.zdnet.com/article/metasploit-team-releases-bluekeep-exploit/
The developers of the Metasploit penetration testing framework have released today a weaponized exploit for the BlueKeep Windows vulnerability.
While other security researchers have released defanged BlueKeep proof-of-concept code in the past, this exploit is advanced enough to achieve code execution on remote systems.
Tomi Engdahl says:
Exclusive: Feds Demand Apple And Google Hand Over Names Of 10,000+ Users Of A Gun Scope App
https://www.forbes.com/sites/thomasbrewster/2019/09/06/exclusive-feds-demand-apple-and-google-hand-over-names-of-10000-users-of-a-gun-scope-app/#1bd55d8d2423
The federal order calls for the release on the data of users who downloaded apps used to calibrate scopes from a major manufacturer.
If the court approves the demand, and Apple and Google decide to hand over the information, it could include data on thousands of people who have nothing to do with the crimes being investigated, privacy activists warned. Edin Omanovic, lead on Privacy International’s State Surveillance program, said it would set a dangerous precedent and scoop up “huge amounts of innocent people’s personal data.”
Tomi Engdahl says:
UPSynergy: Chinese-American Spy vs. Spy Story
https://research.checkpoint.com/upsynergy/
Earlier this year, our colleagues at Symantec uncovered an interesting story about the use of Equation group exploitation tools by an alleged Chinese group named Buckeye (a.k.a APT3, or UPS team). One of the key findings in their publication was that variants of the Equation tools were used by the group prior to ‘The Shadow Brokers’ public leak in 2017.
Our observations from the technical analysis allow us to provide evidence for a speculation that was formerly suggested by Symantec – APT3 recreated its own version of an Equation group exploit using captured network traffic.
Tomi Engdahl says:
Thousands of servers infected with new Lilocked (Lilu) ransomware
Researchers spot new ransomware targeting Linux-based servers.
https://www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/
Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu).
Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned.
Tomi Engdahl says:
Sandbox-Evading Malware Are Coming: 7 Most Recent Attacks
https://hakin9.org/sandbox-evading-malware-are-coming-7-most-recent-attacks/
Nowadays, anti-malware applications widely use sandbox technology for detecting and preventing viruses. Unfortunately, criminals are developing new malware that can evade this technology. If such malware detects the signs of a VM environment, it remains inactive until it is outside of the sandbox. Experts predicted that in 2018 we would see an increasing number of cyber attacks performed with sandbox-evading malware. However, the epidemic actually started two years ago.
Tomi Engdahl says:
Thieves Pulled Off A $243,000 Heist Using An Audio Deepfake Of A CEO’s Voice
https://www.iflscience.com/technology/thieves-pulled-off-a-243000-heist-using-an-audio-deepfake-of-a-ceos-voice/
Tomi Engdahl says:
Exploit Sellers Say There are More iPhone Hacks on the Market Than They’ve Ever Seen
https://www.vice.com/en_ca/article/7x584y/exploit-sellers-say-there-are-more-iphone-hacks-on-the-market-than-theyve-ever-seen?utm_campaign=sharebutton
There are caveats and the sellers are only a slice of the exploit market, but two exploit brokers say they’re seeing more iOS attacks now.
Tomi Engdahl says:
https://www.us-cert.gov/ncas/current-activity/2019/09/06/wordpress-releases-security-update
Tomi Engdahl says:
Google launches an open-source version of its differential privacy library
https://techcrunch.com/2019/09/05/google-launches-an-open-source-version-of-its-differential-privacy-library/
Google today released an open-source version of the differential privacy library it uses to power some of its own core products.
Frederic Lardinois
@fredericl / 1:00 pm EEST • September 5, 2019
Google today released an open-source version of the differential privacy library it uses to power some of its own core products. Developers will be able to take this library and build their own tools that can work with aggregate data without revealing personally identifiable information either inside or outside their companies.
“Whether you’re a city planner, a small business owner, or a software developer, gaining useful insights from data can help make services work better and answer important questions,” writes Miguel Guevara, a product manager in the company’s Privacy and Data Protection Office. “But, without strong privacy protections, you risk losing the trust of your citizens, customers, and users. Differentially-private data analysis is a principled approach that enables organizations to learn from the majority of their data while simultaneously ensuring that those results do not allow any individual’s data to be distinguished or re-identified.”
As Google notes, the current version of the Apache-licensed C++ library focuses on features that are typically hard to build from scratch and includes many of the standard statistical functions that developers would need (think count, sum, mean, variance, etc.). The company also stresses that the library includes an additional library for “rigorous testing”.
https://github.com/google/differential-privacy/tree/master/differential_privacy
Tomi Engdahl says:
Richard Stiennon is Documenting the History of the Cybersecurity Industry
https://threatvector.cylance.com/en_us/home/richard-stiennon-is-documenting-the-history-of-the-cybersecurity-industry.html
Tomi Engdahl says:
IAB Tech Lab proposes a new tracking alternative to the cookie
https://techcrunch.com/2019/09/04/iab-cookie/
The Interactive Advertising Bureau’s Tech Lab is calling for a new approach to online tracking, one that would replace the long-lived cookie.
In a lengthy post, the IAB Tech Lab’s Jordan Mitchell runs through the history of tracking, describing the cookie as “a boon to the internet” that allowed websites to tailor their ads and content to each visitor, while acknowledging that this approach has some shortfalls.
THE EVOLUTION OF THE INTERNET, IDENTITY, PRIVACY AND TRACKING – HOW COOKIES AND TRACKING EXPLODED, AND WHY WE NEED NEW STANDARDS FOR CONSUMER PRIVACY
https://iabtechlab.com/blog/evolution-of-internet-identity-privacy-tracking/
Tomi Engdahl says:
AMAZON WANTS YOU TO PAY FOR THINGS WITH YOUR HANDPRINT
https://futurism.com/the-byte/amazon-pay-handprint
Tomi Engdahl says:
How to Restrict Facebook’s Access to Your Phone Number
https://www.pcmag.com/news/366925/how-to-restrict-facebooks-access-to-your-phone-number?amp=1
Tomi Engdahl says:
Critical ‘Backdoor Attack’ Warning Issued For 60 Million WordPress Users
https://www.forbes.com/sites/daveywinder/2019/08/31/critical-backdoor-attack-warning-issued-for-60-million-wordpress-users/
Tomi Engdahl says:
https://pentestmag.com/chb-cybersecurity-digest-02-09-19/
Tomi Engdahl says:
Hong Kong Protestors Using Mesh Messaging App China Can’t Block: Usage Up 3685%
https://www.forbes.com/sites/johnkoetsier/2019/09/02/hong-kong-protestors-using-mesh-messaging-app-china-cant-block-usage-up-3685/
Tomi Engdahl says:
Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran
https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html
Tomi Engdahl says:
Encryption has created an uncrackable puzzle for the real world
https://www.zdnet.com/article/encryption-has-created-an-uncrackable-puzzle-for-the-real-world/
Encryption protects us, so maybe it’s time for us to protect it. But no answer to the encryption debate is without a downside.
Tomi Engdahl says:
https://www.schneier.com/blog/archives/2019/09/the_doghouse_cr_1.html
Tomi Engdahl says:
Fred Sainz / Apple:
Apple accuses Google’s Project Zero of stoking fear by creating a “false impression of mass exploitation”, says the sophisticated attack was narrowly focused — Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February.
A message about iOS security
https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Tomi Engdahl says:
Wikipedia blames malicious DDOS attack after site goes down across Europe, Middle East
https://techcrunch.com/2019/09/07/wikipedia-blames-malicious-ddos-attack-after-site-goes-down-across-europe-middle-east/
Wikipedia was forced offline in several countries Friday after a cyber attack hit the global encyclopedia.
Users across Europe and parts of the Middle East experienced outages.
Malicious attack on Wikipedia—What we know, and what we’re doing
https://wikimediafoundation.org/news/2019/09/07/malicious-attack-on-wikipedia-what-we-know-and-what-were-doing/
Tomi Engdahl says:
Guy returns his “smart” light bulbs, discovers he can still control them after someone else buys them
https://boingboing.net/2019/09/03/dutch-treat-2.html
Tomi Engdahl says:
Sean Gallagher / Ars Technica:
Internet Society-supported initiative MANRS has launched Observatory, a web tool for providing insight into how well ISPs comply with routing security standards
A project aims to help ISPs mind their routing security manners
MANRS Observatory gives a peek inside security issues of Internet routing.
https://arstechnica.com/information-technology/2019/09/a-project-aims-to-help-isps-to-mind-their-routing-security-manners/
On August 13, the MANRS initiative launched the MANRS Observatory, a new Web tool that provides insight into just how well networks comply with routing security standards. The observatory provides a semblance of transparency into a part of the Internet invisible to most users.
Last year, there were more than 12,000 routing outages or attacks, according to the Internet Society, including the use of BGP to hijack or misdirect traffic and internal BGP “leaks” from poorly configured routers. Deliberate BGP attacks can be used to steal data or redirect requests to hostile “spoofed” websites, as some state actors have been known to do.
https://observatory.manrs.org/#/overview
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Exim servers running v4.92.1 and before are vulnerable to a security bug, patched in v4.92.2, which could allow attackers to run malicious code with root access — The internet’s most popular email server impacted by second major bug this summer. — Millions of Exim servers are vulnerable …
Millions of Exim servers vulnerable to root-granting exploit
https://www.zdnet.com/article/millions-of-exim-servers-vulnerable-to-root-granting-exploit/
The internet’s most popular email server impacted by second major bug this summer.
Millions of Exim servers are vulnerable to a security bug that when exploited can grant attackers the ability to run malicious code with root privileges.
All Exim servers running version 4.92.1 and before are vulnerable, the Exim team said in an advisory this week. Version 4.92.2 was released on Friday, September 6, to address the issue.
The issue might seem unimportant to many, but Exim is one of the most prevalent pieces of software today. Exim is a mail transfer agent (MTA).
Exim is the most prevalent MTA today, with a market share of over 57%, according to a June 2019 survey. Its success can be attributed to the fact that it’s been bundled with a slew of Linux distros, from Debian to Red Hat.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Metasploit framework, an open source tool used by white hat and black hat hackers, releases an exploit for wormable BlueKeep Windows vulnerability on Github
https://arstechnica.com/information-technology/2019/09/exploit-for-wormable-bluekeep-windows-bug-released-into-the-wild/
Tomi Engdahl says:
SHARK JACK
$59.99
This portable network attack tool is a pentester’s best friend, optimized for social engineering engagements and opportunistic wired network auditing. Out-of-the-box it’s armed with an ultra fast nmap payload, providing quick and easy network reconnaissance.
https://shop.hak5.org/products/shark-jack
Tomi Engdahl says:
Maintainers of the PHP programming language recently released the latest versions of PHP to patch multiple high-severity vulnerabilities in its core and bundled libraries.
The worst in some cases allows remote attackers to execute arbitrary code and compromise targeted servers.
https://thehackernews.com/2019/09/php-programming-language.html
Tomi Engdahl says:
Google Finally Confirms Security Problem For 1.5 Billion Gmail And Calendar Users
https://www.forbes.com/sites/daveywinder/2019/09/09/google-finally-confirms-security-problem-for-15-billion-gmail-and-calendar-users/
Google Calendar allows anyone to schedule a meeting with you, and Gmail is built to integrate tightly with this calendaring functionality. Combine these two facts and users find themselves in a situation whereby the threat actor can use this non-traditional attack vector to bypass the increasing amount of awareness amongst average users when it comes to the danger of clicking unsolicited links.
Although I am sad that Google is still referring to this as a spam issue, rather than explicitly a security one, at least it shows that Google not only confirms there is a problem after all but also that it is committed to fixing it.
Tomi Engdahl says:
NRA Sues San Francisco For Designating It A Domestic Terrorist Organization
https://www.forbes.com/sites/rachelsandler/2019/09/09/nra-sues-san-francisco-for-designating-it-a-domestic-terrorist-organization/?utm_source=FACEBOOK&utm_medium=social&utm_term=Gordie/#676f7264696
Tomi Engdahl says:
Norwegian Bitcoin Millionaire Proves Why You Shouldn’t Brag About Your Crypto Riches
https://news.u.today/news/norwegian-bitcoin-millionaire-proves-why-you-shouldnt-brag-about-your-crypto-riches
Tomi Engdahl says:
BuzzFeed News:
Photos and videos on private Facebook and Instagram accounts can be shared publicly by followers via source URLs, even after Stories expire or media is deleted — Photos and videos posted to private accounts on Instagram and Facebook aren’t as private as they might seem.
Private Instagram Posts Aren’t Exactly Private
https://www.buzzfeednews.com/article/ryanhatesthis/private-instagram-posts-arent-exactly-private
A shockingly simple work-around allows your followers to share private photos and videos posted to both Facebook and Instagram.
Photos and videos posted to private accounts on Instagram and Facebook aren’t as private as they might seem. They can be accessed, downloaded, and distributed publicly by friends and followers via a stupidly simple work-around.
The hack — which works on Instagram stories as well — requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.
Tomi Engdahl says:
https://lifehacker.com/uninstall-these-24-android-apps-infected-with-new-joker-1837979754
Tomi Engdahl says:
Google siphoning personal data to advertisers, new evidence suggests
https://www.euractiv.com/section/data-protection/news/google-siphoning-personal-data-to-advertisers-new-evidence-suggests/
Google is using a “surreptitious mechanism” to leak personal data to advertisers, according to new evidence presented to the Irish Data Protection Commission as part of an ongoing investigation.
Tomi Engdahl says:
https://thehackernews.com/2019/09/exim-email-server-vulnerability.html?m=1
Tomi Engdahl says:
https://thehackernews.com/2019/09/facebook-hhvm-vulnerability.html?m=1
Tomi Engdahl says:
Japanese Clerk Allegedly Stole Over 1,300 Credit Cards By Instantly Memorizing All the Numbers
https://gizmodo.com/japanese-clerk-allegedly-stole-over-1-300-credit-cards-1837978649?utm_campaign=socialflow_gizmodo_facebook&utm_medium=socialflow&utm_source=gizmodo_facebook
Instead of developing an intricate electronic card skimmer, or pulling off an elaborate online scam, a cashier in Japan used the most undetectable tool imaginable to steal the credit card info of over 1,300 customers: his immaculate and instant photographic memory.
Tomi Engdahl says:
Mengqi Sun / Wall Street Journal:
Cloudflare discloses potential sanctions violations in SEC filing, says its products were used by blacklisted entities such as terrorists and drug traffickers
Cloud-Services Company Cloudflare Discloses Potential Sanctions Violations
https://www.wsj.com/articles/cloud-services-company-cloudflare-discloses-potential-sanctions-violations-11568152033
Technology company says it determined that its products were used by certain blacklisted individuals and entities
Cloudflare said in the filing that it is working to implement additional controls and screening tools to remediate the issue.
Cloudflare plans to sell 35 million shares at a price between $10 and $12 per share in its initial public offering.
Tomi Engdahl says:
Newly discovered cyber-espionage malware abuses Windows BITS service
https://www.zdnet.com/article/newly-discovered-cyber-espionage-malware-abuses-windows-bits-service/
New backdoor trojan uses Windows BITS service to hide traffic to and from its command-and-control servers.
Tomi Engdahl says:
Intel server-grade CPUs impacted by new NetCAT attack
https://www.zdnet.com/article/intel-server-grade-cpus-impacted-by-new-netcat-attack/
Academics develop new network-based attack that steals keystrokes from an active SSH session.
Tomi Engdahl says:
The NetCAT is out of the bag: Intel chipset exploited to sniff SSH passwords as they’re typed over the network
https://www.theregister.co.uk/2019/09/10/intel_netcat_side_channel_attack/
Cunning data-snooping side-channel technique is tough to exploit, Chipzilla warns
Tomi Engdahl says:
Israel accused of planting mysterious spy devices near the White House
https://www.politico.com/story/2019/09/12/israel-white-house-spying-devices-1491351
The likely Israeli spying efforts were uncovered during the Trump presidency, several former top U.S. officials said.
Tomi Engdahl says:
North Korean hackers target U.S. entities amid stalled denuclearization talks
https://www.cyberscoop.com/north-korea-hackers-kimsuky-microsoft-word-prevailion/
Tomi Engdahl says:
SimJacker 0-day vulnerability under active attack—remove your SIM cards now—it works regardless of which handset victims are using.
New SIM Card Flaw Lets Hackers Hijack Any Phone Just By Sending SMS
https://thehackernews.com/2019/09/simjacker-mobile-hacking.html?m=1
Cybersecurity researchers today revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.
Dubbed “SimJacker,” the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards, which is widely used by mobile operators in at least 30 countries, and it can be exploited regardless of which handsets victims are using.
Tomi Engdahl says:
Simjacker – Next Generation Spying Over Mobile
https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile
We will be giving technical details on Simjacker during the Virus Bulletin Conference, London, 3rd October 2019 but in this blog we will give an overview of Simjacker, how it works and who is potentially exploiting it, as well as why it is such a significant new type of attack.
Tomi Engdahl says:
Cyber risk: Counting the cost
https://www.ft.com/paidpost/aon/cyber-risk-counting-the-cost.html?utm_source=FB&utm_medium=interests_content&utm_content=static
It can take months or even years to realise the full cost of a cyber-attack – and some firms may never recover.
When businesses are hit by a cyber-attack, the financial losses can be crippling – from immediate crisis expenses and regulatory fines to longer-term, knock-on costs such as those related to reputational damage, a fall in share price or downgrading of their credit rating.
Tomi Engdahl says:
https://thehackernews.com/2019/09/firefox-privacy-vpn-service.html?m=1
Mozilla has officially launched a new privacy-focused VPN service, called Firefox Private Network, as a browser extension that aims to encrypt your online activity and limit what websites and advertisers know about you.
https://blog.mozilla.org/blog/2019/09/10/firefoxs-test-pilot-program-returns-with-firefox-private-network-beta/
Tomi Engdahl says:
Hackers are exploiting a platform-agnostic flaw to track mobile phone locations
Attacks work by sending commands directly to applications stored on SIM cards.
https://arstechnica.com/information-technology/2019/09/hackers-are-exploiting-a-platform-agnostic-flaw-to-track-mobile-phone-locations/
Tomi Engdahl says:
For $20M, These Israeli Hackers Will Spy On Any Phone On The Planet
https://www.forbes.com/sites/thomasbrewster/2016/05/31/ability-unlimited-spy-system-ulin-ss7/
With just a few million dollars and a phone number, you can snoop on any call or text that phone makes – no matter where you are or where the device is located.
That’s the bold claim of Israel’s Ability Inc, which offers its set of bleeding-edge spy tools to governments the world over.