This posting is here to collect cyber security news in February 2020.
I post links to security vulnerability news with short descriptions to comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
Tomi Engdahl says:
Massive DDoS Attack Shuts Down Iran’s Internet, Tehran Blames Washington
https://www.cpomagazine.com/cyber-security/massive-ddos-attack-shuts-down-irans-internet-tehran-blames-washington/?utm_source=quora&utm_medium=referral
Tomi Engdahl says:
Android App Giant With Hundreds Of Millions Of Users Was Just Wiped From Play Store
https://www.forbes.com/sites/zakdoffman/2020/02/22/this-android-app-giant-with-hundreds-of-millions-of-users-was-just-wiped-from-play-store-heres-what-you-do-now/
The after-effects of Google’s unexpected take-down of 600 apps spewing “disruptive ads” to users worldwide are now taking their toll. This isn’t enterprising back-bedroom malware or an underground movement with masked operators. This is an industry.
Tomi Engdahl says:
https://fossbytes.com/private-whatsapp-groups-exposed-on-google-search-but-its-a-feature/
Tomi Engdahl says:
PayPal ‘Critical’ Login Hack: New Report Warns You Are Now At Risk From Thieves
https://www.forbes.com/sites/zakdoffman/2020/02/22/paypal-critical-login-hack-new-report-warns-you-are-at-risk-from-thieves-heres-the-reality/
Tomi Engdahl says:
Top software download site came with a backdoor for hackers
https://www.techradar.com/uk/news/software-download-site-came-with-a-backdoor-for-hackers
One of the world’s most popular software download sites was hijacked by hackers to deliver malware alongside commonly-used programs, researchers have claimed.
According to a Dr. Web report, a link to download the free VSDC video converter tool from CNET’s website was compromised, instead forcing users to download a modified installer which came bundled with a trojan.
Tomi Engdahl says:
Destructive Sodinokibi ransomware busting unsuspecting MSPs and SMBs
https://www.eset.com/blog/business/destructive-sodinokibi-ransomware-busting-unsuspecting-msps-and-smbs-1/
Tomi Engdahl says:
All Those Low-Cost Satellites in Orbit Could Be Weaponized by Hackers, Warns Expert
https://www.sciencealert.com/cheap-satellites-in-orbit-could-be-tempting-targets-for-hackers-to-weaponise
If hackers were to take control of these satellites, the consequences could be dire. On the mundane end of scale, hackers could simply shut satellites down, denying access to their services.
Hackers could also jam or spoof the signals from satellites, creating havoc for critical infrastructure. This includes electric grids, water networks and transportation systems.
Some of these new satellites have thrusters that allow them to speed up, slow down and change direction in space. If hackers took control of these steerable satellites, the consequences could be catastrophic. Hackers could alter the satellites’ orbits and crash them into other satellites or even the International Space Station.
Tomi Engdahl says:
https://www.wired.com/story/bluetooth-flaws-ble-internet-of-things-pacemakers/
Tomi Engdahl says:
Android saw a 98 percent drop in apps asking for call and text data
https://www.engadget.com/2020/02/12/android-drop-in-app-call-sms-log-requests
Google’s attempts to curb permission abuse appear to be working. The company revealed that there was a 98 percent drop in the number of Play Store apps accessing call log and SMS data in 2019.
Tomi Engdahl says:
SweynTooth Bug Collection Affects Hundreds of Bluetooth Products
https://www.bleepingcomputer.com/news/security/sweyntooth-bug-collection-affects-hundreds-of-bluetooth-products/
Security researchers have disclosed a dozen flaws in the implementation of the Bluetooth Low Energy technology on multiple system-on-a-chip (SoC) circuits that power at least 480 products from various vendors. Collectively named SweynTooth, the vulnerabilities can be used by an attacker in Bluetooth range to crash affected devices, force a reboot by sending them into a deadlock state, or bypass the secure BLE pairing mode and access functions reserved for authorized users. Report: https://asset-group.github.io/disclosures/sweyntooth/.
Also: https://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/
Tomi Engdahl says:
Vulnerabilities in Moxa Networking Device Expose Industrial Environments to Attacks
https://www.securityweek.com/vulnerabilities-moxa-networking-device-expose-industrial-environments-attacks
According to advisories published on Monday by both Moxa and Talos, AWK-3131A industrial AP/bridge/client devices are affected by 12 vulnerabilities that can be exploited to carry out malicious activities in an attack aimed at an organization’s industrial systems.
Tomi Engdahl says:
Serious Vulnerabilities Expose SonicWall SMA Appliances to Remote Attacks
https://www.securityweek.com/serious-vulnerabilities-expose-sonicwall-sma-appliances-remote-attacks
Tomi Engdahl says:
Peripherals With Unsigned Firmware Expose Windows, Linux Computers to Attacks
https://www.securityweek.com/peripherals-unsigned-firmware-expose-windows-linux-computers-attacks
Perilous Peripherals: The Hidden Dangers Inside Windows & Linux Computers – Eclypsium
https://eclypsium.com/2020/2/18/unsigned-peripheral-firmware/
Five years after the Equation Group HDD hacks, firmware security still
sucks
https://www.zdnet.com/article/five-years-after-the-equation-group-hdd-hacks-firmware-security-still-sucks/
In a report published today, Eclypsium, a cyber-security firm specialized in firmware security, says that the issue of unsigned firmware is still a widespread problem among device and peripheral manufacturers. Also:
https://threatpost.com/lenovo-hp-dell-peripherals-unpatched-firmware/152936/
Tomi Engdahl says:
https://www.securityweek.com/rsa-conference-2020-product-announcement-summary-day-1
https://www.securityweek.com/securitiai-wins-rsa-conference-2020-innovation-sandbox-contest
Tomi Engdahl says:
Mismanagement of Device Identities Could Cost Businesses Billions: Report
https://www.securityweek.com/mismanagement-device-identities-could-cost-businesses-billions-report
Tomi Engdahl says:
Google Removes 600 Android Apps for Displaying Disruptive Ads
https://www.securityweek.com/google-removes-600-android-apps-displaying-disruptive-ads
Tomi Engdahl says:
Malware Attack Takes ISS World’s Systems Offline
https://www.securityweek.com/malware-attack-takes-iss-worlds-systems-offline
Workplace experience and facility management company ISS World was hit this week by a malware attack that forced its systems offline.
Tomi Engdahl says:
Fraudulent Login Attacks Against Banks Surge: Akamai
https://www.securityweek.com/fraudulent-login-attacks-against-banks-surge-akamai
On August 7, 2019, a single credential stuffing attack against a financial services company recorded 55,141,782 malicious login attempts. To put that in perspective, it is more than twice the daily average (22,682,022) of credential abuse attacks detected by Akamai Technologies across all companies in all sectors between December 1, 2017, and November 30, 2019 (a total of 85.42 billion attempts).
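The Akamai figures above are volumes; what distinguishes a credential stuffing campaign in your own logs is its shape: a source that tries many different accounts, roughly once each, and fails almost every time (it is replaying leaked username/password pairs), as opposed to a brute-force source hammering one account. The following is an added example, not code from Akamai or from the article, that classifies source IPs from a constructed sample of login events. The log format, the thresholds and the IP addresses are assumptions for the demo; in production you would aggregate over a sliding time window and feed the "likely_takeovers" list straight to the account-security team.

```python
import re
from collections import defaultdict

# Constructed sample of login events (not real telemetry). The first source
# sprays many accounts, the second hammers one account, the third is a normal user.
SAMPLE_LOG = """\
2019-08-07T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-08-07T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-08-07T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-08-07T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2019-08-07T10:00:03Z ip=203.0.113.5 user=erin result=OK
2019-08-07T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-08-07T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2019-08-07T10:01:00Z ip=198.51.100.7 user=bob result=FAIL
2019-08-07T10:01:01Z ip=198.51.100.7 user=bob result=FAIL
2019-08-07T10:01:02Z ip=198.51.100.7 user=bob result=FAIL
2019-08-07T10:01:03Z ip=198.51.100.7 user=bob result=FAIL
2019-08-07T10:01:04Z ip=198.51.100.7 user=bob result=FAIL
2019-08-07T10:02:00Z ip=192.0.2.9 user=carol result=FAIL
2019-08-07T10:02:05Z ip=192.0.2.9 user=carol result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)")


def parse_events(text):
    """Yield (ip, user, succeeded) for each well-formed line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def classify_sources(text, min_attempts=5, min_accounts=5, min_fail_rate=0.8):
    """Label every source IP in the log.

    credential_stuffing: many attempts, almost all failing, spread across many
        distinct accounts (one try per leaked username/password pair).
    brute_force: many failing attempts concentrated on a single account.
    normal: everything else.
    Accounts that logged in successfully from a credential-stuffing source are
    reported as likely takeovers, because the leaked password evidently worked.
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": set(), "successes": set()})
    for ip, user, ok in parse_events(text):
        s = stats[ip]
        s["attempts"] += 1
        s["accounts"].add(user)
        if ok:
            s["successes"].add(user)
        else:
            s["failures"] += 1

    verdicts = {}
    for ip, s in stats.items():
        fail_rate = s["failures"] / s["attempts"]
        distinct = len(s["accounts"])
        noisy = s["attempts"] >= min_attempts and fail_rate >= min_fail_rate
        if noisy and distinct >= min_accounts:
            label = "credential_stuffing"
        elif noisy and distinct == 1:
            label = "brute_force"
        else:
            label = "normal"
        verdicts[ip] = {
            "label": label,
            "attempts": s["attempts"],
            "failures": s["failures"],
            "distinct_accounts": distinct,
            "fail_rate": round(fail_rate, 2),
            "likely_takeovers": sorted(s["successes"]) if label == "credential_stuffing" else [],
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

The distinct-account count is the discriminator worth keeping even if you tune everything else: per-account lockouts do nothing against a campaign that touches each account once, so the response has to be per source (or per fingerprint) and, for the accounts that succeeded, a forced credential reset.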
Tomi Engdahl says:
20,000 WordPress Websites Infected via Trojanized Themes
https://www.securityweek.com/20000-wordpress-websites-infected-trojanized-themes
WordPress Websites Hacked via Vulnerabilities in Two Themes Plugins
https://www.securityweek.com/wordpress-websites-hacked-vulnerabilities-two-themes-plugins
Vulnerabilities in two popular WordPress plugins, ThemeREX Addons and ThemeGrill Demo Importer, are being exploited to hack websites.
Tomi Engdahl says:
Jon Brodkin / Ars Technica:
Firefox begins rollout of encrypted DNS over HTTPS (DoH) by default for US-based users to thwart snooping ISPs
https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/
Sggreek says:
Cyber security must be updated every year due to advanced technology… thanks
Tomi Engdahl says:
FEB 20
Pay Up, Or We’ll Make Google Ban Your Ads
https://krebsonsecurity.com/2020/02/pay-up-or-well-make-google-ban-your-ads/
A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.
Tomi Engdahl says:
Cable Modem Jailbreaks
https://medium.com/@cityhnet/cable-modem-jailbreaks-e98cce92698c
First of all, the goal of this blog is not to steal internet or clone modems !! We are working on a way where certificates will only be used for encryption and NOT to protect the revenue of the ISPs.
Tomi Engdahl says:
Analysis: Facebook reveals how the company tracks you outside its service – the company knows which apps you use and when
https://yle.fi/uutiset/3-11186679
Tomi Engdahl says:
Microsoft Users Forced To Set Up A Microsoft Account For Fresh Installations
https://www.techworm.net/2020/02/set-up-microsoft-account-fresh-installations.html
Tomi Engdahl says:
Microsoft Brings Defender Antivirus for Linux, Coming Soon for Android and iOS
https://thehackernews.com/2020/02/windows-defender-atp-linux-android.html?m=1
Almost within a year after releasing Microsoft Defender Advanced Threat Protection (ATP) for macOS computers, Microsoft today announced a public preview of its antivirus software for various Linux distributions, including Ubuntu, RHEL, CentOS and Debian
Microsoft is also planning to soon release Defender ATP anti-malware apps for smartphones and other devices running Google’s Android and Apple’s iOS mobile operating systems.
Since the last few years, hackers have started paying more attention to Linux and macOS platforms, making them a new target for viruses, Trojans, spyware, adware, ransomware, and other nefarious threats.
Despite the fact that the attack surface for Linux is much much smaller, Linux has its own share of vulnerabilities and malware threats, and you need proactive monitoring to keep your system safe.
Tomi Engdahl says:
Critical PayPal Security Hack: Multiple Thefts Now Reported—Check Your Settings
https://www.forbes.com/sites/zakdoffman/2020/02/25/critical-paypal-security-hack-multiple-thefts-now-reported-check-your-settings/
“We have found a serious issue in PayPal’s contactless payment,” security researcher Markus Fenske explained to me. He claims that when using PayPal there is a vulnerability that Fenske and colleague Andreas Mayer say enables an attacker “near your mobile phone [to have] a virtual credit card which deducts money from your PayPal account.”
Tomi Engdahl says:
PayPal Users Hit With Fraudulent ‘Target’ Charges via Google Pay
https://www.bleepingcomputer.com/news/security/paypal-users-hit-with-fraudulent-target-charges-via-google-pay/
Hackers are using an unknown method to make fraudulent charges on
PayPal accounts linked via GooglePay. These transactions are being
charged through Target stores or Starbucks in the United States even
though the account holders are in Germany.
Tomi Engdahl says:
Credit Card Skimmer Running on 13 Sites, Despite Notification
https://www.bleepingcomputer.com/news/security/credit-card-skimmer-running-on-13-sites-despite-notification/
The tally of shopping websites infected by MageCart Group 12 with
JavaScript that steals payment card info is seeing a sharp increase.
Nearly 40 new victims have been discovered.
Tomi Engdahl says:
DoppelPaymer Ransomware Launches Site to Post Victim’s Data
https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/
The operators of the DoppelPaymer Ransomware have launched a site that
they will use to shame victims who do not pay a ransom and to publish
any files that were stolen before computers were encrypted.
Tomi Engdahl says:
Direct Memory Access (DMA) Attack Software
PCILeech uses PCIe hardware devices to read and write target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target systems.
Works without hardware together with a wide range of software memory acquisition methods supported by the LeechCore library – including capture of remote live memory using DumpIt or WinPmem. PCILeech also supports local capture of memory and a number of memory dump file formats.
Supports multiple memory acquisition devices, both hardware and software based. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware, and software based methods, are able to read all memory.
Capable of inserting a wide range of kernel implants into the targeted kernels – allowing for easy access to live RAM and the file system via a “mounted drive”. It is also possible to remove the logon password requirement, load unsigned drivers, execute code and spawn system shells. PCILeech runs on Windows and Linux. Supported target systems are currently the x64 versions of: UEFI, Linux, FreeBSD, macOS and Windows. This requires write access to memory (USB3380 hardware, FPGA hardware or CVE-2018-1038 “Total Meltdown”).
https://github.com/ufrisk/pcileech/
Tomi Engdahl says:
Google Patches Chrome Vulnerability Exploited in the Wild
https://www.securityweek.com/google-patches-chrome-vulnerability-exploited-wild
A Chrome 80 update released on Monday patches three high-severity vulnerabilities, including one that Google says has been exploited in the wild.
The zero-day vulnerability, tracked as CVE-2020-6418, has been described as a type confusion issue affecting the V8 open source JavaScript engine used by Chrome. Google has credited Clement Lecigne of its Threat Analysis Group for reporting the vulnerability.
Tomi Engdahl says:
It’s Terpin time: Bloke who was SIM jacked twice by Bitcoin thieves gets green light to sue telco for millions
Plus or minus a few caveats
https://www.theregister.co.uk/2020/02/26/crypto_theft_att_judge/
A California judge has given the go-ahead for a $240m lawsuit against AT&T for porting a subscriber’s phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency.
Michael Terpin sued the mobile operator back in August 2018, revising his legal challenge a year later to make more specific allegations. This week, a judge dismissed AT&T’s effort to dismiss the case, noting that Terpin had provided sufficient proof that the US telco giant should defend its position in front of a jury.
In June 2017, miscreants successfully managed, after no fewer than 11 attempts in AT&T retail stores, to transfer his number to a smartphone controlled by the criminals – a so-called SIM jacking attack. The phone was then used to gain access to cryptocurrency accounts, linked to his phone number, to steal an unspecified amount of Bitcoin, and impersonate him on Skype.
Terpin complained to AT&T, and the carrier agreed to put a special system in place
Despite those additional measures, however, in January 2018, fraudsters were again able to hijack his phone number and, once again, broke into his cryptocurrency accounts
Terpin is suing AT&T for not following its own agreed security protocol, and he wants punitive damages. AT&T denies it is responsible for any loss.
Critically, the judge decided Terpin had proved his case that there was a “special relationship” between himself and AT&T necessary for his claim of economic loss to be accepted legally. Terpin pointed to his contract with AT&T, the fact that AT&T had promised to keep his information confidential through the special six-digit PIN, and that by holding AT&T accountable it will require the telco to “provide reasonable, reliable, and industry-standard security measures.”
Taken overall, the decision to allow the case to move forward is an important one. The judge accepted that AT&T may well be responsible for the money lost by Terpin as a result of it handing over control of his phone number to someone who didn’t have the necessary proof of identification.
With our phones increasingly gateways to so much of our lives, the big question is: are we solely responsible for making sure they are secure, or do the companies that make money from the sale of phones and related data plans also share a degree of responsibility?
Tomi Engdahl says:
They thought they were wiring an $800K home down payment to an escrow agent. It went to a scammer.
https://www.wptv.com/news/national/they-thought-they-were-wiring-an-800k-home-down-payment-to-an-escrow-agent-it-went-to-a-scammer
Tomi Engdahl says:
https://www.ghacks.net/2020/02/19/mozilla-launches-firefox-private-network-vpn-for-android/
Mozilla launched Firefox Private Network VPN for Google’s Android operating system recently. The standalone Android application extends support to Android devices.
Tomi Engdahl says:
The majority of chips on Wi-Fi devices have this flaw.
#cybersecurity #cyberwall
Flaw in billions of Wi-Fi devices left communications open to eavesdropping
https://arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/
Cypress and Broadcom chip bug bit iPhones, Macs, Android devices, Echoes, and more.
Billions of devices—many of them already patched—are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data sent over the air, researchers said on Wednesday at the RSA security conference.
The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom
The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, Raspberry Pi 3’s, and Wi-Fi routers from Asus and Huawei. Eset, the security company that discovered the vulnerability, said the flaw primarily affects Cypress’ and Broadcom’s FullMAC WLAN chips, which are used in billions of devices. Eset has named the vulnerability Kr00k, and it is tracked as CVE-2019-15126.
“an adversary can decrypt data that was transmitted by a vulnerable access point to a specific client (which may or may not be vulnerable itself).”
With the forced disassociation, vulnerable devices will typically transmit several kilobytes of data that’s encrypted with the all-zero session key.
Tomi Engdahl says:
Accused Chinese hackers abandon techniques after U.S. indictments
https://www.cyberscoop.com/china-pla-hacking-indictment-deterrence/
U.S. indictments against individual Chinese soldiers accused of hacking various American targets have deterred those military personnel from conducting the same kinds of hacks again, according to the co-founder of a firm known for investigating nation-state activity.
Digital infrastructure associated with alleged hackers charged in 2014, 2017 and 2018 essentially evaporated when charges in each case were made public,
Tomi Engdahl says:
Flaw in billions of Wi-Fi devices left communications open to eavesdropping
https://arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/
Cypress and Broadcom chip bug bit iPhones, Macs, Android devices, Echoes, and more. Also:
https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/
Also:
https://www.bleepingcomputer.com/news/security/kr00k-bug-in-broadcom-cypress-wifi-chips-leaks-sensitive-info/
Tomi Engdahl says:
New CWE List of Common Security Weaknesses
https://www.us-cert.gov/ncas/current-activity/2020/02/26/new-cwe-list-common-security-weaknesses-0
With version 4.0, the CWE list expands to include hardware security
weaknesses. Additionally, version 4.0 simplifies the presentation of
weaknesses into various views and adds a search function to enable
easier navigation of the information.
Tomi Engdahl says:
Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you’re using HTTPS, SSH, VPNs… right?
Encryption keys forced to zero by chip-level KrØØk flaw
https://www.theregister.co.uk/2020/02/27/wifi_chip_bug_eset/
Tomi Engdahl says:
Six suspected drug dealers went free after police lost evidence in ransomware attack
https://www.zdnet.com/article/six-suspected-drug-dealers-went-free-after-police-lost-evidence-in-ransomware-attack/?ftag=COS-05-10aaa0g&taid=5e57658d3e2fca0001a3ed3a
Seventh incident of its kind when police investigations were impacted by a ransomware infection.
US prosecutors were forced to drop 11 narcotics cases against six suspected drug dealers after crucial case files were lost in a ransomware infection at a Florida police department.
The evidence in the 11 cases could not be recovered following a ransomware attack that hit the Stuart police department in April 2019.
While Stuart police recovered some data from backups, some files could not be recovered.
Tomi Engdahl says:
‘Surfing attack’ hacks Siri, Google with ultrasonic waves
https://techxplore.com/news/2020-02-surfing-hacks-siri-google-ultrasonic.html?fbclid=IwAR28YqlG5mPsWRRhZCvrp3pHKW4c7782mymiv2zjc5gtQATreWVf-ZA3Mvk
Ultrasonic waves don’t make a sound, but they can still activate Siri on your cellphone and have it make calls, take images or read the contents of a text to a stranger. All without the phone owner’s knowledge.
“We want to raise awareness of such a threat,” said Ning Zhang, assistant professor of computer science and engineering at the McKelvey School of Engineering. “I want everybody in the public to know this.”
Tomi Engdahl says:
Let’s Encrypt Has Issued a Billion Certificates
https://letsencrypt.org/2020/02/27/one-billion-certs.html
We issued our billionth certificate on February 27, 2020. We’re going to use this big round number as an opportunity to reflect on what has changed for us, and for the Internet, leading up to this event.
One thing that’s different now is that the Web is much more encrypted than it was. In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody.
In June of 2017 we were serving approximately 46M websites, and we did so with 11 full time staff and an annual budget of $2.61M. Today we serve nearly 192M websites with 13 full time staff and an annual budget of approximately $3.35M.
Nothing drives adoption like ease of use, and the foundation for ease of use in the certificate space is our ACME protocol. ACME allows for extensive automation, which means computers can do most of the work. It was also standardized as RFC 8555 in 2019
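The automation the post credits to ACME comes down to a small, deterministic handshake: the CA hands the client a token, the client proves control of the domain by publishing a value derived from that token and its own account key, and the CA recomputes the same value and compares. The following is an added example, not Let's Encrypt's code or any ACME client's, that implements both sides of that exchange for the HTTP-01 and DNS-01 challenge types from RFC 8555 (sections 8.1 and 8.4) with the RFC 7638 JWK thumbprint they depend on. The account key and the token are constructed placeholders (the "n" member is not a real RSA modulus), and the hostnames in the comments are assumptions.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON of only the
    required public members (RSA: e, kty, n; EC: crv, kty, x, y), keys sorted
    lexicographically, no whitespace. Optional members such as 'alg' or 'kid'
    are deliberately excluded so the same key always yields the same thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Client side of HTTP-01 (RFC 8555 section 8.1): the body the client must
    serve at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """DNS-01 (RFC 8555 section 8.4): the TXT record at _acme-challenge.<domain>
    holds the base64url SHA-256 of the same key authorization string."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_validates_http01(token: str, account_jwk: dict, served_body: str) -> bool:
    """CA side: recompute the expected key authorization from the account key
    it already holds and compare against what the client served, in constant time."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(expected, served_body.strip().encode("ascii"))


# Constructed account key for the demo: 'n' is NOT a real RSA modulus, just an
# arbitrary base64url string so the thumbprint computation has input.
EXAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
# Constructed challenge token; in a real flow the CA generates one per challenge.
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    body = key_authorization(EXAMPLE_TOKEN, EXAMPLE_JWK)
    print("serve at /.well-known/acme-challenge/" + EXAMPLE_TOKEN + ":", body)
    print("DNS-01 TXT value:", dns01_txt_value(EXAMPLE_TOKEN, EXAMPLE_JWK))
    print("CA check passes:", ca_validates_http01(EXAMPLE_TOKEN, EXAMPLE_JWK, body))
```

Two details matter for security rather than interoperability: the thumbprint binds the challenge response to the account key, so a response captured from one account cannot be replayed to validate another, and the comparison on the CA side uses a constant-time equality check so the validator does not leak how many leading bytes of a guess were right.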
Tomi Engdahl says:
Credit Card Skimmer Uses Fake CDNs To Evade Detection
https://www.bleepingcomputer.com/news/security/credit-card-skimmer-uses-fake-cdns-to-evade-detection/
Threat actors have been spotted cloaking their credit card skimmers using fake content delivery network domains as part of an effort to hide them and their exfil traffic in plain sight. Also:
https://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/
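A skimmer that hides behind a CDN-looking hostname defeats anyone eyeballing the page source for "suspicious" domains, which is why a checkout-page script audit has to work from an explicit allowlist rather than from what a hostname looks like. The following is an added example, not code from BleepingComputer or Malwarebytes, that extracts every external script source from a constructed checkout page and reports three things: scripts from hosts that are not on the allowlist at all, hosts that borrow a real CDN's brand name without being that CDN, and allowlisted CDN scripts loaded without Subresource Integrity. The allowlist, the brand tokens, the shop hostname and the sample HTML are all assumptions for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (constructed) shop is allowed to load scripts from. Anything else
# on a checkout page is a finding, whatever the hostname calls itself.
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com", "code.jquery.com"}
# Brand words a fake "CDN" domain borrows to blend in with legitimate traffic.
CDN_BRAND_TOKENS = ("cloudflare", "cdnjs", "jquery", "jsdelivr", "googleapis")


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({name.lower(): value for name, value in attrs})


def audit_scripts(html, first_party_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return one finding per external <script src> a checkout page should not trust."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts are a job for CSP, not for this check
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # relative paths have no hostname and belong to the first party.
        host = urlparse(src).hostname or first_party_host
        if host == first_party_host:
            continue
        if host in allowed_hosts:
            # A real CDN is still a third party: pin the file with SRI so a
            # swapped or tampered copy fails to load instead of running.
            if not attrs.get("integrity"):
                findings.append({"src": src, "host": host, "issue": "missing_sri"})
            continue
        looks_like_cdn = any(token in host for token in CDN_BRAND_TOKENS)
        issue = "lookalike_cdn_host" if looks_like_cdn else "unlisted_third_party"
        findings.append({"src": src, "host": host, "issue": issue})
    return findings


# Constructed checkout page: the first-party script and the SRI-pinned jQuery are
# fine; the remaining three are the kinds of loads a skimmer audit must surface.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"
        integrity="sha256-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.min.js"></script>
<script src="//cdn-cloudflare-static.example/ajax/libs/jquery/jquery.min.js"></script>
<script src="https://stats.example.net/t.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_HTML, "shop.example"):
        print(finding)
```

Run this against a saved copy of the live checkout page (what the browser actually received, not the template in the repository), since skimmers are usually injected server-side or through a compromised plugin and never appear in source control. The lookalike label is only a prioritisation hint: an unlisted host is a finding either way, and the fix is the same allowlist enforced by a Content-Security-Policy script-src directive so the browser refuses the load.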
Tomi Engdahl says:
These 10 dangerous Android apps should be removed immediately
https://www.tivi.fi/uutiset/tv/d730cffb-50bd-4753-897b-0bf77236822a
VPN apps found in the Google Play store can be a danger.
Major vulnerabilities found in top free VPN apps on Google Play store
https://vpnpro.com/blog/major-vulnerabilities-found-in-top-free-vpn-apps/
Tomi Engdahl says:
The latest cyber headache: substandard IoT devices are being crammed into networks
https://www.tivi.fi/uutiset/tv/3938b616-b370-4e2c-b600-ad296e1d38b1
More than half of the billions of IoT devices in corporate networks are consumer-grade gadgets. Employees' own smartwatches and heart-rate monitors really do not belong on the company network.
Tomi Engdahl says:
Android malware can steal Google Authenticator 2FA codes
https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/
A new version of the “Cerberus” Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts. “Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application,” the ThreatFabric team said.