This posting is here to collect cyber security news in March 2020.
I post links to security vulnerability news with short descriptions to comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
112 Comments
Tomi Engdahl says:
New android Malware Cookiethief to Take Over your Facebook Account
https://www.hackers-review.tech/2020/03/new-android-malware-cookiethief-to-take.html
Tomi Engdahl says:
Reporters Without Borders uses Minecraft to sneak censored works across borders
https://techcrunch.com/2020/03/12/reporters-without-borders-uses-minecraft-to-sneak-censored-works-across-borders/
Tomi Engdahl says:
Emergency Windows 10 Critical Security Update: Microsoft Urges Users To ‘Take Action’
https://www.forbes.com/sites/daveywinder/2020/03/13/emergency-windows-10-critical-security-update-microsoft-urges-users-to-take-action/
Tomi Engdahl says:
https://www.uusiteknologia.fi/2020/03/13/bottiverkon-lonkerot-leviavat-jo-iot-laitteisiin/
Tomi Engdahl says:
https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/
Tomi Engdahl says:
Research finds a new way to hack Siri and Google Assistant with ultrasonic waves
https://techxplore.com/news/2020-03-hack-siri-google-ultrasonic.html
Tomi Engdahl says:
Cyber Attack? Then We Fight Back: Sen. King
Amidst the usual calls for government reform and corporate responsibility, the Cyberspace Solarium Commission makes a surprisingly hard-headed case for old-school deterrence.
https://breakingdefense.com/2020/03/cyber-attack-then-we-fight-back-sen-king/
Tomi Engdahl says:
EU online terrorist content legislation risks undermining press freedom
https://cpj.org/2020/03/eu-online-terrorist-content-legislation-press-freedom.php
Tomi Engdahl says:
Alert (AA20-073A) – Enterprise VPN Security
https://www.us-cert.gov/ncas/alerts/aa20-073a
As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options, or telework, require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity.
Tomi Engdahl says:
Open-source bug bonanza: Vulnerabilities up almost 50 per cent thanks to people actually looking for them
https://www.theregister.co.uk/2020/03/13/open_source_bugs/
The number of vulnerabilities in open source projects surged almost 50 per cent in 2019, according to security biz WhiteSource, which can be seen as good news in the sense that you don’t find what you’re not looking for. Read also:
https://www.zdnet.com/article/open-source-security-this-is-why-bugs-in-open-source-software-have-hit-a-record-high/#ftag=RSSbaffb68
Tomi Engdahl says:
WordPress Plugin Bug Allows Malicious Code Injection on 100K Sites
https://www.bleepingcomputer.com/news/security/wordpress-plugin-bug-allows-malicious-code-injection-on-100k-sites/
Vulnerabilities in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on tens of thousands of websites, to steal information, and to potentially fully take over targeted sites.
Tomi Engdahl says:
Working from Home: COVID-19′s Constellation of Security Challenges
https://threatpost.com/working-from-home-covid-19s-constellation-of-security-challenges/153720/
Organizations are sending employees and students home to work and learn, but implementing the plan opens the door to more attacks, IT headaches and brand-new security challenges. As the threat of coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat: a cyber-related one.
Tomi Engdahl says:
The effects of climate change on cybersecurity
https://blog.malwarebytes.com/awareness/2020/03/the-effects-of-climate-change-on-cybersecurity/
To understand how climate change and the methods to counteract its rapid ascent will affect cybersecurity, we first have to look at how computing contributes to global warming. Your first instinct about their relationship is probably right: computing involves energy consumption and heat production. As long as we cannot produce enough “clean energy” to satisfy our needs for electricity, the energy consumed by computing, and security within it, will continue to contribute to global warming.
Tomi Engdahl says:
Cyberattack on HHS meant to slow coronavirus response, sources say
https://abcnews.go.com/Politics/cyberattack-hhs-meant-slow-coronavirus-response-sources/story?id=69619094&fbclid=IwAR1fxemX0sKJUZMButMWzpZTiXmfAyiR9FRMrNkbOW-Ma00JoDqXqKBBHA0
The Department of Health and Human Services experienced some form of cyberattack Sunday night related to its coronavirus response, administration sources confirmed to ABC News Monday.
The attempt was to slow down operations, sources said.
Tomi Engdahl says:
Microsoft Teams goes down as coronavirus forces millions to work from home
https://www.independent.co.uk/life-style/gadgets-and-tech/news/microsoft-teams-service-status-crashes-outage-issues-today-work-home-down-a9404771.html
Popular remote working platform suffers major outage
Tomi Engdahl says:
Computer systems at UK and UK HealthCare hobbled by massive, month-long cyber attack
https://www.kentucky.com/news/local/education/article240970221.html
The University of Kentucky and UK HealthCare conducted a major reboot of their computer systems early Sunday morning in an effort to end a month-long cyber attack that university officials say is the most substantial cyber intrusion in university history.
The unidentified “threat actors” infiltrated Kentucky’s largest university system in early February from somewhere outside the United States and installed malware that utilized UK’s vast processing capabilities to mine cryptocurrency, such as Bitcoin,
Tomi Engdahl says:
A sneaky attempt to end encryption is worming its way through Congress
https://www.theverge.com/interface/2020/3/12/21174815/earn-it-act-encryption-killer-lindsay-graham-match-group
The EARN IT Act could give law enforcement officials the backdoor they have long wanted — unless tech companies come together to stop it
Tomi Engdahl says:
Let the good times roll for Android malware.
Coinbase Card Users Can Now Make Crypto-Backed Payments With Google Pay
Mar 17, 2020 at 14.35 UTC
https://www.coindesk.com/coinbase-card-users-can-now-make-crypto-backed-payments-with-google-pay
Google Pay users can now make payments with cryptocurrencies, thanks to a tie-up with Coinbase’s debit card offering.
Tomi Engdahl says:
Alfred Ng / CNET:
HHS waives penalties for the use of non-HIPAA compliant video chatting services, like FaceTime and Skype, for telehealth during COVID-19 outbreak — The coronavirus crisis is pushing the US government to loosen one of its only laws on data privacy. The Department of Health and Human Services …
US waives potential health privacy penalties during coronavirus crisis
https://www.cnet.com/news/us-waives-potential-health-privacy-penalties-during-coronavirus-outbreak/
Doctors in the states can start using Facebook Messenger and FaceTime to diagnose patients, without worrying about violating privacy laws.
Tomi Engdahl says:
CVE-2020-8597: Buffer Overflow Vulnerability in Point-to-Point Protocol Daemon (pppd)
https://www.tenable.com/blog/cve-2020-8597-buffer-overflow-vulnerability-in-point-to-point-protocol-daemon-pppd
Tomi Engdahl says:
Open-source bug bonanza: Vulnerabilities up almost 50 per cent thanks to people actually looking for them
Can’t fix flaws if you don’t look for them
https://www.theregister.co.uk/2020/03/13/open_source_bugs/
The number of vulnerabilities in open source projects surged almost 50 per cent in 2019, according to security biz WhiteSource, which can be seen as good news in the sense that you don’t find what you’re not looking for.
In its annual vulnerability report, the biz attributes the growing vulnerability count with increased awareness of open source security. That’s a consequence of widespread adoption of open source components and the overall growth of the community in recent years, not to mention media attention of data exposure.
https://www.whitesourcesoftware.com/open-source-vulnerability-management-report/
Tomi Engdahl says:
https://www.searchenginejournal.com/8-popular-wordpress-plugins-are-currently-being-exploited-by-hackers/352714/
Tomi Engdahl says:
Firefox Password Manager To Be Secured With Windows 10 Credentials
https://www.bleepingcomputer.com/news/software/firefox-password-manager-to-be-secured-with-windows-10-credentials/
Mozilla is making changes to the Firefox Lockwise password manager so that users will need to enter their Windows 10 credentials before being allowed to edit or view saved logins.
Tomi Engdahl says:
Millions of Americans are suddenly working from home. That’s a huge security risk
https://edition.cnn.com/2020/03/20/tech/telework-security/index.html
The dramatic expansion of teleworking by US schools, businesses and government agencies in response to the coronavirus is raising fresh questions about the capacity and security of the tools many Americans use to connect to vital workplace systems and data.
Tomi Engdahl says:
[1064] First No Touch Open! (Retekess Keypad)
https://m.youtube.com/watch?feature=share&v=KHvfwpnPwwU
Tomi Engdahl says:
[1065] FINALLY! A Fingerprint Gun Safe With Truth in Labeling (CaCaGoo)
https://m.youtube.com/watch?feature=share&v=ogELZ78OfyM
Tomi Engdahl says:
Finnish hackers created a coalition to offer their help for free to crucial functions of society if they have an IT security problem during the coronavirus crisis:
https://kybervpk.fi
Tomi Engdahl says:
The U.S. wants smartphone location data to fight coronavirus. Privacy advocates are worried.
https://www.nbcnews.com/tech/tech-news/u-s-wants-smartphone-location-data-fight-coronavirus-privacy-advocates-n1162821?cid=sm_npd_nn_fb_ma&fbclid=IwAR00CJf9FQ4dZBPRcj9RTo-50Nj1FYR2-fnItx4b4y8NLxPjtHqu41yWlWQ
Federal health officials say they could use anonymous, aggregated user data collected by the tech companies to map the spread of the virus.
Tomi Engdahl says:
Smartphone data reveal which Americans are social distancing (and not)
https://www.washingtonpost.com/technology/2020/03/24/social-distancing-maps-cellphone-location/?outputType=amp
D.C. gets an ‘A’ while Wyoming earns an ‘F’ for following coronavirus stay-at-home advice, based on the locations of tens of millions of phones
Tomi Engdahl says:
I Got My File From Clearview AI, and It Freaked Me Out
Here’s how you might be able to get yours
https://onezero.medium.com/i-got-my-file-from-clearview-ai-and-it-freaked-me-out-33ca28b5d6d4
Tomi Engdahl says:
IMPORTANT — It’s under active zero-day attacks. No patch available, so all Windows users are highly recommended to immediately apply workarounds (mentioned in the article) to reduce the risk of getting hacked.
https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html?m=1
According to Microsoft, both unpatched flaws are being used in limited, targeted attacks and impact all supported versions of the Windows operating system—including Windows 10, 8.1 and Server 2008, 2012, 2016, and 2019 editions, as well as Windows 7 for which Microsoft ended its support on January 14, 2020.
Both vulnerabilities reside in the Windows Adobe Type Manager Library, font parsing software that not only parses content when it is opened with third-party software but is also used by Windows Explorer to display the content of a file in the ‘Preview Pane’ or ‘Details Pane’ without requiring users to open it.
“For systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” Microsoft said.
At this moment, though it’s not clear if the flaws can also be triggered remotely over a web browser by convincing a user to visit a web-page containing specially-crafted malicious OTF fonts, there are multiple other ways an attacker could exploit the vulnerability, such as through the Web Distributed Authoring and Versioning (WebDAV) client service.
No Patch Yet Available; Apply Workarounds
Microsoft said it’s aware of the issue and working on a patch, which the company would release to all Windows users as part of its next Patch Tuesday updates, on 14th April.
“Enhanced Security Configuration does not mitigate this vulnerability,” the company added.
1) Disable the Preview Pane and Details Pane in Windows Explorer
2) Disable the WebClient service
3) Rename or Disable ATMFD.DLL
Microsoft is also urging users to rename Adobe Type Manager Font Driver (ATMFD.dll) file to temporarily disable the embedded font technology, which could cause certain 3rd-party apps to stop working.
Tomi Engdahl says:
https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html?m=1
A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.
Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the way it performs integrity checking of downloaded packages using the SHA-256 checksums embedded in the signed repository index.
When an ‘opkg install’ command is invoked on the victim system, the flaw could allow a remote man-in-the-middle attacker in a position to intercept the communication of a targeted device to execute arbitrary code by tricking the system into installing a malicious package.
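The article above describes the integrity check an OPKG-style installer relies on: a SHA-256 checksum for each package, carried in a repository index that is itself signed. The following is an added example, not code from the article or from the OpenWrt project, showing what that check must enforce on the defending side: the index signature must verify, the package must be listed, the listed checksum must be present and well-formed, and the downloaded bytes must match it. The index text, the package bytes, the key and the HMAC "signature" are all constructed here; the HMAC is a stand-in for the repository's real public-key signature, which the standard library cannot verify.

```python
"""Verify a downloaded package against the checksum in a signed repository index.

Constructed illustration of the check an OPKG-style installer must enforce.
The index, package bytes, key and signature below are all made up for the demo.
"""
import hashlib
import hmac

# Stand-in for the repository signing key (constructed; real repositories use
# a public-key signature over the index rather than a shared secret).
SIGNING_KEY = b"constructed-demo-signing-key"


def sign_index(index_text: str) -> str:
    """Stand-in signature over the whole index text."""
    return hmac.new(SIGNING_KEY, index_text.encode(), hashlib.sha256).hexdigest()


def parse_index(index_text: str) -> dict:
    """Parse 'Field: value' stanzas separated by blank lines into
    {package_name: {field: value}}."""
    packages, current = {}, {}
    for line in index_text.splitlines() + [""]:
        if not line.strip():
            if current.get("Package"):
                packages[current["Package"]] = current
            current = {}
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    return packages


def verify_package(index_text: str, signature: str, name: str, data: bytes) -> tuple:
    """Return (ok, reason). Every failure path refuses the install; there is
    no code path that installs a package whose checksum was not checked."""
    # 1. The index itself must be authentic before any value in it is trusted.
    if not hmac.compare_digest(sign_index(index_text), signature):
        return False, "index signature invalid"
    # 2. The package must be listed in that authentic index.
    entry = parse_index(index_text).get(name)
    if entry is None:
        return False, "package not in index"
    # 3. A missing or malformed checksum is a refusal, never a skipped check.
    expected = entry.get("SHA256sum", "")
    if len(expected) != 64:
        return False, "index entry has no usable SHA256sum"
    # 4. Cheap size check first, then the digest, compared in constant time.
    if "Size" in entry and int(entry["Size"]) != len(data):
        return False, "size mismatch"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch"
    return True, "ok"


# Constructed sample repository: one package and the index describing it.
GOOD_PKG = b"constructed ipk payload"
INDEX = (
    "Package: demo\n"
    "Version: 1.0\n"
    "Filename: demo_1.0_all.ipk\n"
    f"Size: {len(GOOD_PKG)}\n"
    f"SHA256sum: {hashlib.sha256(GOOD_PKG).hexdigest()}\n"
    "\n"
)
SIGNATURE = sign_index(INDEX)

if __name__ == "__main__":
    print(verify_package(INDEX, SIGNATURE, "demo", GOOD_PKG))
    # Same length as GOOD_PKG, so only the digest comparison catches it.
    print(verify_package(INDEX, SIGNATURE, "demo", b"constructed ipk pAyload"))
```

The order of the checks matters: a tampered index with a matching checksum for a tampered package is rejected at step 1, and an index entry without a checksum is rejected at step 3 rather than silently accepted.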
Tomi Engdahl says:
US Government Sites Give Bad Security Advice
https://krebsonsecurity.com/2020/03/us-government-sites-give-bad-security-advice/
Many U.S. government Web sites now carry a message prominently at the top of their home pages meant to help visitors better distinguish between official U.S. government properties and phishing pages. Unfortunately, part of that message is misleading and may help perpetuate a popular misunderstanding about Web site security and trust that phishers have been exploiting for years now.
Tomi Engdahl says:
Tupperware website hacked and infected with payment card skimmer
https://www.zdnet.com/article/tupperware-website-hacked-and-infected-with-payment-card-skimmer/
Hackers have breached the website of Tupperware, a US company known for its plastic food container products, and placed malicious code on its website to collect payment card details from site buyers. Report:
https://blog.malwarebytes.com/hacking-2/2020/03/criminals-hack-tupperware-website-with-credit-card-skimmer/
Also:
https://www.bleepingcomputer.com/news/security/tupperware-site-hacked-with-fake-form-to-steal-credit-cards/
https://www.theregister.co.uk/2020/03/25/tupperware_dot_com_credit_card_skimmer_malwarebytes/
Tomi Engdahl says:
Three More Ransomware Families Create Sites to Leak Stolen Data
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims, further illustrating why all ransomware attacks must be considered data breaches. Ever since Maze created their “news” site to publish stolen data of their victims who choose not to pay, other ransomware actors such as Sodinokibi/REvil, Nemty, and DoppelPaymer have been swift to follow.
Tomi Engdahl says:
Vulnerability reporting is dysfunctional
https://freedom-to-tinker.com/2020/03/25/vulnerability-reporting-is-dysfunctional/
In January, we released a study showing the ease of SIM swaps at five U.S. prepaid carriers. These attacks, in which an adversary tricks telecoms into moving the victim’s phone number to a new SIM card under the attacker’s control, divert calls and SMS text messages away from the victim. This allows attackers to receive private information such as SMS-based authentication codes, which are often used in multi-factor login and password recovery procedures.
Tomi Engdahl says:
Python backdoor attacks and how to prevent them
https://www.helpnetsecurity.com/2020/03/24/python-backdoor-attacks/
Python backdoor attacks are increasingly common. Iran, for example, used a MechaFlounder Python backdoor attack against Turkey last year. Scripting attacks are nearly as common as malware-based attacks in the United States and, according to the most recent Crowdstrike Global Threat Report, scripting is the most common attack vector in the EMEA region.
Tomi Engdahl says:
0Patch publishes micropatch to address Windows Font Parsing vulnerability
https://www.ghacks.net/2020/03/27/0patch-publishes-micropatch-to-address-windows-font-parsing-vulnerability/
Tomi Engdahl says:
With many people around the world working from home, hackers now have more easy pickings because security levels in households and VPNs are often less secure than in the office environment. For instance, hackers are changing Domain Name System (DNS) settings and gaining access through routers to promote fake coronavirus information apps, mostly in Germany and France.
https://threatpost.com/hackers-hijack-routers-to-spread-malware-via-coronavirus-apps/154170/
Tomi Engdahl says:
WireGuard 1.0 released in Linux 5.6. WireGuard is a new VPN technology that is simpler and better performing than IPsec/OpenVPN. https://news.ycombinator.com/item?id=22727358
Tomi Engdahl says:
Algo VPN is a set of Ansible scripts that simplify the setup of a personal WireGuard and IPsec VPN. It uses the most secure defaults available and works with common cloud providers.
https://github.com/trailofbits/algo
Tomi Engdahl says:
Somebody’s dropping F@H on vulnerable systems instead of a crypto miner
https://mobile.twitter.com/MT6572A/status/1242814267692331010
“Honeypot just got hit with a payload that drops something very compute-intensive. It doesn’t install a coinminer, but instead Folding@Home. (no IOCs because it does something good)”
Tomi Engdahl says:
Work from home: Videoconferencing with security in mind
https://www.welivesecurity.com/2020/03/30/work-from-home-videoconferencing-security-in-mind/?
At the time of writing one-third of the world’s population is enduring restricted movement to stem the spread of COVID-19. The lockdown has driven huge swaths of the working population to become remote workers, many for the first time. The sudden surge in employees, students, teachers, and many other professionals working from home is driving a huge increase in demand for videoconferencing, online
COVID-19 Impact: Cyber Criminals Target Zoom Domains
https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/
While the world is struggling with the Coronavirus outbreak, many countries have implemented precautionary measures. Schools are being closed, communities are asked to shelter-in-place, and many organizations have enabled their employees to work remotely. As a result, video communication platforms are the daily norm. As the interest and usage of these platforms increases, cyber criminals stay a step ahead. For instance, Check Point Research recently discovered a technique which could have allowed a threat actor to identify and join active Zoom meetings.
Tomi Engdahl says:
ZOOM MEETINGS AREN’T END-TO-END ENCRYPTED, DESPITE MISLEADING MARKETING
https://theintercept.com/2020/03/31/zoom-meeting-encryption/
Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.
Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood.
In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.”
Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted.
This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company.
For a Zoom meeting to be end-to-end encrypted, the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the ability to decrypt it.
This is how end-to-end encryption in messaging apps like Signal works.
“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the Zoom spokesperson wrote, apparently referring to Zoom servers as “end points” even though they sit between Zoom clients. “The content is not decrypted as it transfers across the Zoom cloud” through the networking between these machines.
Group video conferencing is difficult to encrypt end to end.
The only feature of Zoom that does appear to be end-to-end encrypted is in-meeting text chat.
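The distinction the article draws, transport encryption that terminates at the service versus end-to-end encryption that only the participants can open, is easy to see with a small relay model. The following is an added example, not code from the article or from Zoom: three parties (two clients and a relay) exchange one message, and the relay records everything it was able to read. The stream cipher is a constructed SHA-256 keystream stand-in for TLS/AES, used only so the example runs offline; the party names and keys are assumptions for the demo.

```python
"""Relay model: transport encryption vs end-to-end encryption.

Constructed illustration. The XOR keystream cipher below stands in for
TLS/AES so the example runs with the standard library only; it is a teaching
device, not something to protect real traffic with.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter keystream.
    Encrypting and decrypting are the same operation."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Prefix a fresh random nonce so a keystream is never reused under a key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(key, nonce, ciphertext)


@dataclass
class Relay:
    """The service in the middle. It holds the transport (link) key of every
    client and logs every payload it can see after stripping that layer."""
    link_keys: dict
    observed: list = field(default_factory=list)

    def forward(self, sender: str, receiver: str, blob: bytes) -> bytes:
        # The transport layer always terminates here: the relay decrypts the
        # sender's link, sees whatever is inside, and re-encrypts for the
        # receiver's link. Whether "inside" is plaintext or still ciphertext
        # depends entirely on whether the clients added their own layer.
        payload = unseal(self.link_keys[sender], blob)
        self.observed.append(payload)
        return seal(self.link_keys[receiver], payload)


def run_meeting(mode: str, message: bytes) -> dict:
    """Send one message from 'alice' to 'bob' through the relay and report
    what bob received and whether the relay saw the plaintext."""
    link_keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    relay = Relay(link_keys)

    if mode == "transport":
        # Transport encryption only: the message is sealed for the relay.
        delivered = relay.forward("alice", "bob", seal(link_keys["alice"], message))
        received = unseal(link_keys["bob"], delivered)
    elif mode == "e2e":
        # End-to-end: a meeting key known to the participants and never to
        # the relay wraps the message first; the transport layer goes outside.
        meeting_key = secrets.token_bytes(32)
        inner = seal(meeting_key, message)
        delivered = relay.forward("alice", "bob", seal(link_keys["alice"], inner))
        received = unseal(meeting_key, unseal(link_keys["bob"], delivered))
    else:
        raise ValueError(f"unknown mode {mode!r}")

    return {
        "bob_received": received,
        "relay_saw_plaintext": message in relay.observed,
    }


if __name__ == "__main__":
    sample = b"constructed sample: the quarterly numbers are not great"
    for mode in ("transport", "e2e"):
        print(mode, run_meeting(mode, sample))
```

The relay runs the same `forward` code in both modes; what changes is whether an inner layer it has no key for exists. That is the whole difference between "encrypted from Zoom end point to Zoom end point" and end-to-end encryption as the article uses the term.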
Tomi Engdahl says:
Land of the free,…
Forget China’s ‘Excessive’ Coronavirus Surveillance—This Is America’s Surprising Alternative
https://www.forbes.com/sites/zakdoffman/2020/03/30/forget-chinas-excessive-coronavirus-surveillance-this-is-americas-surprising-alternative/?subId3=xid%3Afr1585637143842ijd
Tomi Engdahl says:
Apparently you can just dial random 10-digit Zoom conference URLs until you hit an active room.
Chicago Politicians’ Zoom Call Interrupted By Porn-Streaming Hijackers
https://blockclubchicago.org/2020/03/31/chicago-politicians-zoom-call-interrupted-by-porn-streaming-hijackers/
“Zoom bombing” is on the rise, the FBI has warned. On Tuesday, Chicago aldermen and state reps were the latest victims.
A virtual press conference hosted by Chicago politicians was cut short after someone hijacked the conference call and started streaming pornographic images.
a private press conference with organizers, health officials and reporters on popular teleconferencing platform Zoom.
was interrupted by a person who said: “Yeah, I don’t care.”
As confusion set in, a pornographic video that included images of a woman who was not fully clothed began playing on the video call.
Tomi Engdahl says:
http://colin-cowie.com/2020/03/28/Chrome-Extension-Analysis.html
Tomi Engdahl says:
https://www.forbes.com/sites/daveywinder/2020/03/30/hack-attack-takes-down-dark-web-7595-websites-confirmed-deleted/
Tomi Engdahl says:
Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it
Yes, you may have detected some sarcasm
https://www.theregister.co.uk/2020/03/24/memcached_crash_bug/
Tomi Engdahl says:
Windows code-execution zeroday is under active exploit, Microsoft warns
https://arstechnica.com/information-technology/2020/03/attackers-exploit-windows-zeroday-that-can-execute-malicious-code/