This posting is here to collect cyber security news in April 2020.
I post links to security vulnerability news with short descriptions to comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
218 Comments
Tomi Engdahl says:
Mozilla Says Many Popular Video Call Apps Meet Its Minimum Security Standards
https://www.securityweek.com/mozilla-says-many-popular-video-call-apps-meet-its-minimum-security-standards
Mozilla’s latest “*Privacy Not Included” report shows that twelve out of fifteen popular video call applications and platforms meet the organization’s minimum security standards.
What Mozilla’s researchers discovered was that twelve of the analyzed apps meet Mozilla’s Minimum Security Standards. These include Zoom, Google Hangouts, Apple FaceTime, Skype, Facebook Messenger, WhatsApp, Jitsi Meet, Signal, Microsoft Teams, BlueJeans, GoTo Meeting, and Cisco WebEx.
Apps that meet the standards use encryption, have an automatic security update system, use strong passwords, employ bug bounty programs and clear points of contact for reporting and managing security vulnerabilities, and have clear privacy policies.
The three applications that did not meet the standards are Houseparty, Discord, and Doxy.me.
https://foundation.mozilla.org/en/privacynotincluded/categories/video-call-apps/
Tomi Engdahl says:
CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection
Vulnerability Remediation Guidance and Exposure Overview
https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/
We crafted a lightweight study (a more thorough one is in the works) to grab any accessible user and/or admin pages from the discovered nodes and extract that ver= build string. Just over 65,500 appliances happily gave up their version information as noted in the figure at the top of the post, with a fairly inexcusably sizable corpus (~25%) of unpatched (as of Monday, April 27, 2020) systems. What’s next? The Rapid7 Labs team is refining the Sophos version identification studies and will continue to monitor Project Heisenberg for opportunistic exploitation attempts. We’ll update this blog post as more information surfaces. Again, any service provider or individual organization running a Sophos XG appliance should remediate as quickly as possible.
Tomi Engdahl says:
Remote spring: the rise of RDP bruteforce attacks
https://securelist.com/remote-spring-the-rise-of-rdp-bruteforce-attacks/96820/
With the spread of COVID-19, organizations worldwide have introduced remote working, which is having a direct impact on cybersecurity and the threat landscape. Alongside the higher volume of corporate traffic, the use of third-party services for data exchange, and employees working on home computers (and potentially insecure Wi-Fi networks), another headache for infosec teams is the increased number of people using remote-access tools.
Tomi Engdahl says:
Google discloses zero-click bugs impacting several Apple operating systems
https://www.zdnet.com/article/google-discloses-zero-click-bugs-impacting-several-apple-operating-systems/
Apple needs to follow in Google and Mozilla’s footsteps and secure its multimedia processing libraries. Multimedia processing components are one of today’s most dangerous attack surfaces in any operating system. When it comes to managing multimedia files, all operating systems work the same. Any new multimedia file — image, audio, video — that reaches a device is automatically transferred to a local OS library that parses the file to know what it is and what to do with it next.
Read also:
https://www.tivi.fi/uutiset/tv/a60314f3-26b4-4e57-88e5-890b2cf6f5c5
Tomi Engdahl says:
Two Usenet providers blame data breaches on partner company
https://www.zdnet.com/article/two-usenet-providers-blame-data-breaches-on-partner-company/
Two companies that provide Usenet services have disclosed security breaches today. The two companies, UseNeXT and Usenet.nl, blamed the breaches on “a security vulnerability at a partner company.”
Tomi Engdahl says:
Security experts warn: Don’t let contact-tracing app lead to surveillance
https://www.zdnet.com/article/security-experts-warn-dont-let-contact-tracing-app-lead-to-surveillance/
More than 170 UK researchers and scientists working in information security and privacy have signed a joint statement about their concerns over NHS plans to use a contact-tracing app to help contain the coronavirus outbreak, warning that the government must not create a tool that could be used for the purposes of surveillance.
Tomi Engdahl says:
Google Researchers Find Multiple Vulnerabilities in Apple’s ImageIO Framework
https://www.securityweek.com/google-researchers-find-multiple-vulnerabilities-apples-imageio-framework
Tomi Engdahl says:
Microsoft, Google Announce Wider Availability of Secure VMs
https://www.securityweek.com/microsoft-google-announce-wider-availability-secure-vms
Microsoft this week announced the general availability of DCsv2-series virtual machines (VMs), and Google informed customers that Shielded VM is now the default for Google Compute Engine users.
Microsoft has announced the general availability of DCsv2-series VMs for Azure customers in three regions, with plans to expand the offer to other regions before the end of the year.
DCsv2 VMs, part of the Azure confidential computing offering, are designed to allow customers to protect data while it’s being processed by running on servers that implement a hardware-based trusted execution environment (TEE) that uses Intel’s Software Guard Extensions (SGX).
Tomi Engdahl says:
Android Phone Makers Improve Patching Practices
https://www.securityweek.com/android-phone-makers-improve-patching-practices
Android smartphone manufacturers have significantly improved their patching hygiene over the past couple of years, a new report from Security Research Labs reveals.
“We found that on average, for official firmwares released in 2019 missed only about half as many patches as comparable firmwares released in 2018,” the security firm says.
Monthly security updates are being integrated into firmware builds 15% faster than in 2018. Last year, 90% of unique firmware builds for major Android vendors arrived within 38 days of Google’s security patches.
Tomi Engdahl says:
https://www.tomshardware.com/news/steal-data-through-fan-vibrations-cybersecurity
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/shade-ransomware-shuts-down-releases-750k-decryption-keys/
Tomi Engdahl says:
CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag
https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/
Tomi Engdahl says:
Exclusive: Warning Over Chinese Mobile Giant Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/
“It’s a backdoor with phone functionality,” quips Gabi Cirlig about his new Xiaomi phone. He’s only half-joking.
Cirlig is speaking with Forbes after discovering that his Redmi Note 8 smartphone was watching much of what he was doing on the phone. That data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were ostensibly rented by Xiaomi.
The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life was being exposed to the Chinese company.
Meanwhile, at Forbes’ request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play—Mi Browser Pro and the Mint Browser—were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics.
In response to the findings, Xiaomi said, “The research claims are untrue,” and “Privacy and security is of top concern,” adding that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.” But a spokesperson confirmed it was collecting browsing data, claiming the information was anonymized so wasn’t tied to any identity. They said that users had consented to such tracking.
It’s the second time in two months that a huge Chinese tech company has been seen watching over users’ phone habits. A security app with a “private” browser made by Cheetah Mobile, a public company listed on the New York Stock Exchange, was seen collecting information on Web use, Wi-Fi access point names and more granular data like how a user scrolled on visited Web pages. Cheetah argued it needed to collect the information to protect users and improve their experience.
Tomi Engdahl says:
Trump bans acquisition of foreign power grid equipment, citing hacking threats
https://www.zdnet.com/article/trump-bans-acquisition-of-foreign-power-grid-equipment-citing-hacking-threats/
White House says foreign-made equipment “augments the ability of foreign adversaries to create and exploit vulnerabilities” in the US power grid.
President Donald Trump signed today an executive order barring US power grid entities from buying and installing electrical equipment that has been manufactured outside the US.
Trump said that “foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system.”
Tomi Engdahl says:
China is installing surveillance cameras outside people’s front doors … and sometimes inside their homes
By Nectar Gan, CNN Business
Updated 1142 GMT (1942 HKT) April 28, 2020
https://www.cnn.com/2020/04/27/asia/cctv-cameras-china-hnk-intl/index.html
“(Having a camera outside your door is) an incredible erosion of privacy,” said Lahiffe. “It just seems to be a massive data grab. And I don’t know how much of it is actually legal.”
Although there is no official announcement stating that cameras must be fixed outside the homes of people under quarantine, it has been happening in some cities across China since at least February.
Tomi Engdahl says:
Senator questions Clearview AI over coronavirus tracking plans
https://www.cnet.com/news/senator-questions-clearview-ai-over-coronavirus-tracking-plans/
Sen. Edward Markey says COVID-19 contact tracing can’t be “used as cover by companies like Clearview to build shadowy surveillance networks.”
Tomi Engdahl says:
RESEARCHERS BREAK FPGA ENCRYPTION USING FPGA ENCRYPTION
https://hackaday.com/2020/04/23/researchers-break-fpga-encryption-using-fpga-encryption
Tomi Engdahl says:
NSO Employee Abused Phone Hacking Tech to Target a Love Interest
https://www.vice.com/en_us/article/bvgwzw/nso-group-employee-abused-pegasus-target-love-interest
The previously unreported news is a serious abuse of NSO’s products, which are typically used by governments and authoritarian regimes.
An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful hacking technology to target a love interest, Motherboard has learned.