Cyber security news February 2020

This posting is here to collect cyber security news in February 2020.

I post links to security vulnerability news with short descriptions to comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.

208 Comments

  1. Tomi Engdahl says:

    Android App Giant With Hundreds Of Millions Of Users Was Just Wiped From Play Store
    https://www.forbes.com/sites/zakdoffman/2020/02/22/this-android-app-giant-with-hundreds-of-millions-of-users-was-just-wiped-from-play-store-heres-what-you-do-now/

    The after-effects of Google’s unexpected take-down of 600 apps spewing “disruptive ads” to users worldwide are now taking their toll. This isn’t enterprising back-bedroom malware or an underground movement with masked operators. This is an industry.

  2. Tomi Engdahl says:

    Top software download site came with a backdoor for hackers
    https://www.techradar.com/uk/news/software-download-site-came-with-a-backdoor-for-hackers

    One of the world’s most popular software download sites was hijacked by hackers to deliver malware alongside commonly-used programs, researchers have claimed.

    According to a Dr. Web report, a link to download the free VSDC video converter tool from CNET’s website was compromised, instead forcing users to download a modified installer which came bundled with a trojan.

  3. Tomi Engdahl says:

    All Those Low-Cost Satellites in Orbit Could Be Weaponized by Hackers, Warns Expert
    https://www.sciencealert.com/cheap-satellites-in-orbit-could-be-tempting-targets-for-hackers-to-weaponise

    If hackers were to take control of these satellites, the consequences could be dire. On the mundane end of scale, hackers could simply shut satellites down, denying access to their services.

    Hackers could also jam or spoof the signals from satellites, creating havoc for critical infrastructure. This includes electric grids, water networks and transportation systems.

    Some of these new satellites have thrusters that allow them to speed up, slow down and change direction in space. If hackers took control of these steerable satellites, the consequences could be catastrophic. Hackers could alter the satellites’ orbits and crash them into other satellites or even the International Space Station.

  4. Tomi Engdahl says:

    Android saw a 98 percent drop in apps asking for call and text data
    https://www.engadget.com/2020/02/12/android-drop-in-app-call-sms-log-requests
    Google’s attempts to curb permission abuse appear to be working. The
    company revealed that there was a 98 percent drop in the number of
    Play Store apps accessing call log and SMS data in 2019.

  5. Tomi Engdahl says:

    SweynTooth Bug Collection Affects Hundreds of Bluetooth Products
    https://www.bleepingcomputer.com/news/security/sweyntooth-bug-collection-affects-hundreds-of-bluetooth-products/
    Security researchers have disclosed a dozen flaws in the
    implementation of the Bluetooth Low Energy technology on multiple
    system-on-a-chip (SoC) circuits that power at least 480 products from various
    vendors. Collectively named SweynTooth, the vulnerabilities can be
    used by an attacker in Bluetooth range to crash affected devices,
    force a reboot by sending them into a deadlock state, or bypass the
    secure BLE pairing mode and access functions reserved for authorized
    users. Report: https://asset-group.github.io/disclosures/sweyntooth/.
    Also: https://www.theregister.co.uk/2020/02/13/dozen_bluetooth_bugs/

  6. Tomi Engdahl says:

    Vulnerabilities in Moxa Networking Device Expose Industrial Environments to Attacks
    https://www.securityweek.com/vulnerabilities-moxa-networking-device-expose-industrial-environments-attacks
    According to advisories published on Monday by both Moxa and Talos, AWK-3131A industrial AP/bridge/client devices are affected by 12 vulnerabilities that can be exploited to carry out malicious activities in an attack aimed at an organization’s industrial systems.

  7. Tomi Engdahl says:

    Peripherals With Unsigned Firmware Expose Windows, Linux Computers to Attacks
    https://www.securityweek.com/peripherals-unsigned-firmware-expose-windows-linux-computers-attacks
    Perilous Peripherals: The Hidden Dangers Inside Windows & Linux Computers – Eclypsium
    https://eclypsium.com/2020/2/18/unsigned-peripheral-firmware/
    Five years after the Equation Group HDD hacks, firmware security still
    sucks
    https://www.zdnet.com/article/five-years-after-the-equation-group-hdd-hacks-firmware-security-still-sucks/
    In a report published today, Eclypsium, a cyber-security firm
    specialized in firmware security, says that the issue of unsigned
    firmware is still a widespread problem among device and peripheral
    manufacturers. Also
    https://threatpost.com/lenovo-hp-dell-peripherals-unpatched-firmware/152936/

  8. Tomi Engdahl says:

    Malware Attack Takes ISS World’s Systems Offline
    https://www.securityweek.com/malware-attack-takes-iss-worlds-systems-offline

    Workplace experience and facility management company ISS World was hit this week by a malware attack that forced its systems offline.

  9. Tomi Engdahl says:

    Fraudulent Login Attacks Against Banks Surge: Akamai
    https://www.securityweek.com/fraudulent-login-attacks-against-banks-surge-akamai

    On August 7, 2019, a single credential stuffing attack against a financial services company recorded 55,141,782 malicious login attempts. To put that in perspective, it is more than twice the daily average (22,682,022) of credential abuse attacks detected by Akamai Technologies across all companies in all sectors between December 1, 2017, and November 30, 2019 (a total of 85.42 billion attempts).

  10. Tomi Engdahl says:

    20,000 WordPress Websites Infected via Trojanized Themes
    https://www.securityweek.com/20000-wordpress-websites-infected-trojanized-themes

    WordPress Websites Hacked via Vulnerabilities in Two Themes Plugins
    https://www.securityweek.com/wordpress-websites-hacked-vulnerabilities-two-themes-plugins

    Vulnerabilities in two popular WordPress plugins, ThemeREX Addons and ThemeGrill Demo Importer, are being exploited to hack websites.

  11. Tomi Engdahl says:

    Jon Brodkin / Ars Technica:
    Firefox begins rollout of encrypted DNS over HTTPS (DoH) by default for US-based users to thwart snooping ISPs
    https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/

  12. Sggreek says:

    Cyber security must be updated every year due to advance technology… thanks

  13. Tomi Engdahl says:

    FEB 20
    Pay Up, Or We’ll Make Google Ban Your Ads

    https://krebsonsecurity.com/2020/02/pay-up-or-well-make-google-ban-your-ads/

    A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.

  14. Tomi Engdahl says:

    Cable Modem Jailbreaks
    https://medium.com/@cityhnet/cable-modem-jailbreaks-e98cce92698c

    First of all, the goal of this blog is not to steal internet or clone modems !! We are working on a way where certificates will only be used for encryption and NOT to protect the revenue of the ISPs.

  15. Tomi Engdahl says:

    Analysis: Facebook reveals how the company tracks you outside the service – the company knows which apps you use and when
    https://yle.fi/uutiset/3-11186679

  16. Tomi Engdahl says:

    Microsoft Users Forced To Set Up A Microsoft Account For Fresh Installations
    https://www.techworm.net/2020/02/set-up-microsoft-account-fresh-installations.html

  17. Tomi Engdahl says:

    Microsoft Brings Defender Antivirus for Linux, Coming Soon for Android and iOS
    https://thehackernews.com/2020/02/windows-defender-atp-linux-android.html?m=1

    Almost within a year after releasing Microsoft Defender Advanced Threat Protection (ATP) for macOS computers, Microsoft today announced a public preview of its antivirus software for various Linux distributions, including Ubuntu, RHEL, CentOS and Debian.

    Microsoft is also planning to soon release Defender ATP anti-malware apps for smartphones and other devices running Google’s Android and Apple’s iOS mobile operating systems.

    In the last few years, hackers have started paying more attention to Linux and macOS platforms, making them a new target for viruses, Trojans, spyware, adware, ransomware, and other nefarious threats.
    Despite the fact that the attack surface for Linux is much, much smaller, Linux has its own share of vulnerabilities and malware threats, and you need proactive monitoring to keep your system safe.

  18. Tomi Engdahl says:

    Critical PayPal Security Hack: Multiple Thefts Now Reported—Check Your Settings
    https://www.forbes.com/sites/zakdoffman/2020/02/25/critical-paypal-security-hack-multiple-thefts-now-reported-check-your-settings/

    “We have found a serious issue in PayPal’s contactless payment,” security researcher Markus Fenske explained to me. He claims that when using PayPal there is a vulnerability that Fenske and colleague Andreas Mayer say enables an attacker “near your mobile phone [to have] a virtual credit card which deducts money from your PayPal account.”

  19. Tomi Engdahl says:

    PayPal Users Hit With Fraudulent ‘Target’ Charges via Google Pay
    https://www.bleepingcomputer.com/news/security/paypal-users-hit-with-fraudulent-target-charges-via-google-pay/
    Hackers are using an unknown method to make fraudulent charges on
    PayPal accounts linked via GooglePay. These transactions are being
    charged through Target stores or Starbucks in the United States even
    though the account holders are in Germany.

  20. Tomi Engdahl says:

    Credit Card Skimmer Running on 13 Sites, Despite Notification
    https://www.bleepingcomputer.com/news/security/credit-card-skimmer-running-on-13-sites-despite-notification/
    The tally of shopping websites infected by MageCart Group 12 with
    JavaScript that steals payment card info is seeing a sharp increase.
    Nearly 40 new victims have been discovered.

  21. Tomi Engdahl says:

    DoppelPaymer Ransomware Launches Site to Post Victim’s Data
    https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/
    The operators of the DoppelPaymer Ransomware have launched a site that
    they will use to shame victims who do not pay a ransom and to publish
    any files that were stolen before computers were encrypted.

  22. Tomi Engdahl says:

    Direct Memory Access (DMA) Attack Software

    PCILeech uses PCIe hardware devices to read and write target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target systems.
    Works without hardware together with a wide range of software memory acquisition methods supported by the LeechCore library – including capture of remote live memory using DumpIt or WinPmem. PCILeech also supports local capture of memory and a number of memory dump file formats.
    Supports multiple memory acquisition devices. Both hardware and software based. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware, and software based methods, are able to read all memory.
    Capable of inserting a wide range of kernel implants into the targeted kernels – allowing for easy access to live RAM and the file system via a “mounted drive”. It is also possible to remove the logon password requirement, load unsigned drivers, execute code and spawn system shells. PCILeech runs on Windows and Linux. Supported target systems are currently the x64 versions of: UEFI, Linux, FreeBSD, macOS and Windows. This requires write access to memory (USB3380 hardware, FPGA hardware or CVE-2018-1038 “Total Meltdown”).
    https://github.com/ufrisk/pcileech/

  23. Tomi Engdahl says:

    Google Patches Chrome Vulnerability Exploited in the Wild
    https://www.securityweek.com/google-patches-chrome-vulnerability-exploited-wild
    A Chrome 80 update released on Monday patches three high-severity vulnerabilities, including one that Google says has been exploited in the wild.
    The zero-day vulnerability, tracked as CVE-2020-6418, has been described as a type confusion issue affecting the V8 open source JavaScript engine used by Chrome. Google has credited Clement Lecigne of its Threat Analysis Group for reporting the vulnerability.

  24. Tomi Engdahl says:

    After being SIM jacked a second time, he is suing AT&T for $240 million over bitcoin theft: https://www.theregister.co.uk/2020/02/26/crypto_theft_att_judge/

    It’s Terpin time: Bloke who was SIM jacked twice by Bitcoin thieves gets green light to sue telco for millions
    Plus or minus a few caveats
    https://www.theregister.co.uk/2020/02/26/crypto_theft_att_judge/

    A California judge has given the go-ahead for a $240m lawsuit against AT&T for porting a subscriber’s phone number to a hacker, allowing the criminal to steal $24m in cryptocurrency.

    Michael Terpin sued the mobile operator back in August 2018, revising his legal challenge a year later to make more specific allegations. This week, a judge dismissed AT&T’s effort to dismiss the case, noting that Terpin had provided sufficient proof that the US telco giant should defend its position in front of a jury.

    In June 2017, miscreants successfully managed, after no fewer than 11 attempts in AT&T retail stores, to transfer his number to a smartphone controlled by the criminals – a so-called SIM jacking attack. The phone was then used to gain access to cryptocurrency accounts, linked to his phone number, to steal an unspecified amount of Bitcoin, and impersonate him on Skype.

    Terpin complained to AT&T, and the carrier agreed to put a special system in place

    Despite those additional measures, however, in January 2018, fraudsters were again able to hijack his phone number and, once again, broke into his cryptocurrency accounts

    Terpin is suing AT&T for not following its own agreed security protocol, and he wants punitive damages. AT&T denies it is responsible for any loss.

    Critically, the judge decided Terpin had proved his case that there was a “special relationship” between himself and AT&T necessary for his claim of economic loss to be accepted legally. Terpin pointed to his contract with AT&T, the fact that AT&T had promised to keep his information confidential through the special six-digit PIN, and that by holding AT&T accountable it will require the telco to “provide reasonable, reliable, and industry-standard security measures.”

    Taken overall, the decision to allow the case to move forward is an important one. The judge accepted that AT&T may well be responsible for the money lost by Terpin as a result of it handing over control of his phone number to someone who didn’t have the necessary proof of identification.

    With our phones increasingly gateways to so much of our lives, the big question is: are we solely responsible for making sure they are secure, or do the companies that make money from the sale of phones and related data plans also share a degree of responsibility?

  25. Tomi Engdahl says:

    https://www.ghacks.net/2020/02/19/mozilla-launches-firefox-private-network-vpn-for-android/

    Mozilla launched Firefox Private Network VPN for Google’s Android operating system recently. The standalone Android application extends support to Android devices.

  26. Tomi Engdahl says:

    The majority of chips on Wi-Fi devices have this flaw.
    #cybersecurity #cyberwall

    Flaw in billions of Wi-Fi devices left communications open to eavesdropping
    https://arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/

    Cypress and Broadcom chip bug bit iPhones, Macs, Android devices, Echoes, and more.

    Billions of devices—many of them already patched—are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data sent over the air, researchers said on Wednesday at the RSA security conference.

    The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom

    The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, Raspberry Pi 3’s, and Wi-Fi routers from Asus and Huawei. Eset, the security company that discovered the vulnerability, said the flaw primarily affects Cypress’ and Broadcom’s FullMAC WLAN chips, which are used in billions of devices. Eset has named the vulnerability Kr00k, and it is tracked as CVE-2019-15126.

    “an adversary can decrypt data that was transmitted by a vulnerable access point to a specific client (which may or may not be vulnerable itself).”

    With the forced disassociation, vulnerable devices will typically transmit several kilobytes of data that’s encrypted with the all-zero session key.

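The Kr00k mechanism quoted above (a temporal key cleared to zeros on disassociation while frames already buffered for transmission are still sent with it) as an added model of the failure mode, written for this page and not Eset's tester or any vendor's firmware; `WlanChipModel`, the toy SHA-256 cipher standing in for AES-CCMP, and the sample frames are all constructed, and the hardened variant shows the two checks that close the gap.

```python
# Constructed model of the Kr00k-class failure mode: on disassociation the chip
# zeroes the temporal key (TK) but keeps draining frames already buffered for
# transmission, so they go out encrypted under the all-zero key. A SHA-256
# keystream and tag stand in for AES-CCMP so the example needs only the stdlib.
import hashlib
from collections import deque

KEY_LEN = 16
ZERO_KEY = bytes(KEY_LEN)                  # the "all-zero session key"


def _keystream(key: bytes, pn: int, length: int) -> bytes:
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + ctr.to_bytes(2, "big")).digest()
    return bytes(out[:length])


def protect(key: bytes, pn: int, plaintext: bytes) -> tuple:
    """Encrypt and tag one frame (toy stand-in for CCMP encryption + MIC)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, pn, len(plaintext))))
    tag = hashlib.sha256(b"tag" + key + pn.to_bytes(6, "big") + ct).digest()[:8]
    return pn, ct, tag


def unprotect(key: bytes, frame: tuple):
    """Return the plaintext if the tag verifies under `key`, else None."""
    pn, ct, tag = frame
    if hashlib.sha256(b"tag" + key + pn.to_bytes(6, "big") + ct).digest()[:8] != tag:
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, pn, len(ct))))


class WlanChipModel:
    """TX path of a Wi-Fi chip; `hardened` selects the corrected key lifecycle."""
    def __init__(self, tk: bytes, hardened: bool):
        self.tk, self.pn, self.hardened = tk, 0, hardened
        self.tx_queue = deque()            # frames buffered but not yet sent
        self.air = []                      # frames a passive sniffer would capture

    def queue(self, plaintext: bytes):
        self.tx_queue.append(plaintext)

    def disassociate(self):
        if self.hardened:
            self.tx_queue.clear()          # fix 1: drop buffered frames first
        self.tk = ZERO_KEY                 # both variants clear the TK to zeros

    def drain(self):
        while self.tx_queue:
            if self.hardened and self.tk == ZERO_KEY:
                self.tx_queue.clear()      # fix 2: never encrypt with a cleared key
                break
            self.air.append(protect(self.tk, self.pn, self.tx_queue.popleft()))
            self.pn += 1


def zero_key_leak(frames) -> list:
    """Detection check: plaintexts of captured frames that verify under the
    all-zero key. Any hit is the Kr00k symptom a vulnerability tester looks for."""
    return [pt for pt in (unprotect(ZERO_KEY, f) for f in frames) if pt is not None]


def run(hardened: bool) -> list:
    chip = WlanChipModel(hashlib.sha256(b"constructed PTK").digest()[:KEY_LEN], hardened)
    chip.queue(b"GET /account HTTP/1.1")   # constructed traffic, sent under the real TK
    chip.drain()
    chip.queue(b"Cookie: session=constructed-secret")   # still buffered when...
    chip.disassociate()                                  # ...a disassociation arrives
    chip.drain()                           # vulnerable chip flushes it under ZERO_KEY
    return zero_key_leak(chip.air)
```

`run(False)` returns the buffered cookie line recovered with the zero key; `run(True)` returns an empty list because the hardened path discards buffered frames before the key is cleared and refuses to transmit under a cleared key.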
  27. Tomi Engdahl says:

    Accused Chinese hackers abandon techniques after U.S. indictments
    https://www.cyberscoop.com/china-pla-hacking-indictment-deterrence/

    U.S. indictments against individual Chinese soldiers accused of hacking various American targets have deterred those military personnel from conducting the same kinds of hacks again, according to the co-founder of a firm known for investigating nation-state activity.

    Digital infrastructure associated with alleged hackers charged in 2014, 2017 and 2018 essentially evaporated when charges in each case were made public,

  28. Tomi Engdahl says:

    New CWE List of Common Security Weaknesses
    https://www.us-cert.gov/ncas/current-activity/2020/02/26/new-cwe-list-common-security-weaknesses-0
    With version 4.0, the CWE list expands to include hardware security
    weaknesses. Additionally, version 4.0 simplifies the presentation of
    weaknesses into various views and adds a search function to enable
    easier navigation of the information.

  29. Tomi Engdahl says:

    Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you’re using HTTPS, SSH, VPNs… right?
    Encryption keys forced to zero by chip-level KrØØk flaw
    https://www.theregister.co.uk/2020/02/27/wifi_chip_bug_eset/

  30. Tomi Engdahl says:

    DoppelPaymer Ransomware Launches Site to Post Victim’s Data
    https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/

    The operators of the DoppelPaymer Ransomware have launched a site that they will use to shame victims who do not pay a ransom and to publish any files that were stolen before computers were encrypted.

  31. Tomi Engdahl says:

    Six suspected drug dealers went free after police lost evidence in ransomware attack
    https://www.zdnet.com/article/six-suspected-drug-dealers-went-free-after-police-lost-evidence-in-ransomware-attack/?ftag=COS-05-10aaa0g&taid=5e57658d3e2fca0001a3ed3a

    Seventh incident of its kind when police investigations were impacted by a ransomware infection.

    US prosecutors were forced to drop 11 narcotics cases against six suspected drug dealers after crucial case files were lost in a ransomware infection at a Florida police department.

    The evidence in the 11 cases could not be recovered following a ransomware attack that hit the Stuart police department in April 2019.

    While Stuart police recovered some data from backups, some files could not be recovered.

  32. Tomi Engdahl says:

    ‘Surfing attack’ hacks Siri, Google with ultrasonic waves
    https://techxplore.com/news/2020-02-surfing-hacks-siri-google-ultrasonic.html?fbclid=IwAR28YqlG5mPsWRRhZCvrp3pHKW4c7782mymiv2zjc5gtQATreWVf-ZA3Mvk

    Ultrasonic waves don’t make a sound, but they can still activate Siri on your cellphone and have it make calls, take images or read the contents of a text to a stranger. All without the phone owner’s knowledge.

    “We want to raise awareness of such a threat,” said Ning Zhang, assistant professor of computer science and engineering at the McKelvey School of Engineering. “I want everybody in the public to know this.”

  33. Tomi Engdahl says:

    Let’s Encrypt Has Issued a Billion Certificates
    https://letsencrypt.org/2020/02/27/one-billion-certs.html

    We issued our billionth certificate on February 27, 2020. We’re going to use this big round number as an opportunity to reflect on what has changed for us, and for the Internet, leading up to this event.

    One thing that’s different now is that the Web is much more encrypted than it was. In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody.

    In June of 2017 we were serving approximately 46M websites, and we did so with 11 full time staff and an annual budget of $2.61M. Today we serve nearly 192M websites with 13 full time staff and an annual budget of approximately $3.35M.

    Nothing drives adoption like ease of use, and the foundation for ease of use in the certificate space is our ACME protocol. ACME allows for extensive automation, which means computers can do most of the work. It was also standardized as RFC 8555 in 2019.

  34. Tomi Engdahl says:

    Credit Card Skimmer Uses Fake CDNs To Evade Detection
    https://www.bleepingcomputer.com/news/security/credit-card-skimmer-uses-fake-cdns-to-evade-detection/
    Threat actors have been spotted cloaking their credit card skimmers
    using fake content delivery network domains as part of an effort to
    hide them and their exfil traffic in plain sight. Also:
    https://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/

  35. Tomi Engdahl says:

    These 10 dangerous Android apps should be removed immediately
    https://www.tivi.fi/uutiset/tv/d730cffb-50bd-4753-897b-0bf77236822a
    VPN apps found in the Google Play app store can be a danger.
    Major vulnerabilities found in top free VPN apps on Google Play store
    https://vpnpro.com/blog/major-vulnerabilities-found-in-top-free-vpn-apps/

  36. Tomi Engdahl says:

    The latest cyber woe: networks are being stuffed with substandard IoT devices
    https://www.tivi.fi/uutiset/tv/3938b616-b370-4e2c-b600-ad296e1d38b1
    More than half of the billions of IoT devices on corporate networks are
    consumer-grade gadgets. Employees’ own smartwatches and heart rate
    monitors really do not belong on the company network.

  37. Tomi Engdahl says:

    Android malware can steal Google Authenticator 2FA codes
    https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/
    A new version of the “Cerberus” Android banking trojan will be able to
    steal one-time codes generated by the Google Authenticator app and
    bypass 2FA-protected accounts. “Abusing the Accessibility privileges,
    the Trojan can now also steal 2FA codes from Google Authenticator
    application,” the ThreatFabric team said.

  38. Tomi Engdahl says:

    Android malware can steal Google Authenticator 2FA codes
    https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/

    A new version of the “Cerberus” Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts.

