This posting is here to collect cyber security news in April 2020.
I post links to security vulnerability news with short descriptions to the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
Tomi Engdahl says:
Dell releases new tool to detect BIOS attacks
https://www.zdnet.com/article/dell-releases-new-tool-to-detect-bios-attacks/
Dell makes new tool named SafeBIOS Events & Indicators of Attack
available for download for all Dell commercial PCs.
Tomi Engdahl says:
Burning Cell Towers, Out of Baseless Fear They Spread the Virus
https://www.msn.com/en-us/news/technology/how-a-virus-conspiracy-theory-fueled-arson-and-harassment-in-britain/ar-BB12rCms
Across Britain, more than 30 acts of arson and vandalism have taken
place against wireless towers and other telecom gear this month,
according to police reports and a telecom trade group. In roughly 80
other incidents in the country, telecom technicians have been harassed
on the job.
Tomi Engdahl says:
New Wiper Malware impersonates security researchers as prank
https://www.bleepingcomputer.com/news/security/new-wiper-malware-impersonates-security-researchers-as-prank/
A malware distributor has decided to play a nasty prank by locking
victim’s computers before they can start Windows and then blaming the
infection on two well-known and respected security researchers.
Tomi Engdahl says:
This is what zoombombing looks like: firm instructions from the authorities
https://www.is.fi/digitoday/tietoturva/art-2000006469731.html
The National Cyber Security Centre gives guidance on secure video conferencing. Zoom users in particular need to be careful.
Finland's information security authority, the National Cyber Security Centre (KTK), gives instructions for holding a secure video conferencing session. They are worth following, because otherwise the consequences can be unpleasant.
"If it is possible to join the meeting, for example via a link or a meeting ID, without other controls, it is likely that outsiders will also try to join the meeting," KTK warns.
According to the centre, the meeting should, for example, be protected with a password or PIN code that is shared through a different channel than the meeting's join link. This advice is definitely worth following.
Choose a video conferencing solution according to the intended use and the confidentiality of the information
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/valitse-videoneuvotteluratkaisu-kayttotarpeen-ja-tiedon-luottamuksellisuuden-mukaan
When choosing a video conferencing solution, the first thing to consider is the purpose of use and the confidentiality of the information. The meeting organiser should also make sure in advance that only the intended people can take part in the meeting and that those joining the video conference have only the access rights they need.
Tomi Engdahl says:
Microsoft April 2020 Patch Tuesday fixes 4 zero-days, 15 critical
flaws
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2020-patch-tuesday-fixes-4-zero-days-15-critical-flaws/
With the release of the April 2020 security updates, Microsoft has
released fixes for 113 vulnerabilities in Microsoft products. Of these
vulnerabilities, 15 are classified as Critical, 93 as Important, 3 as
Moderate, and 2 as Low. Of particular interest, Microsoft patched
four zero-day vulnerabilities, with three of them being seen actively
exploited in attacks.
Tomi Engdahl says:
US consumers report $12M in COVID-19 scam losses since January
https://www.bleepingcomputer.com/news/security/us-consumers-report-12m-in-covid-19-scam-losses-since-january/
The U.S. Federal Trade Commission says that approximately $12 million
were lost to Coronavirus-related scams according to consumer reports
received since January 2020.
Tomi Engdahl says:
Russian state hackers behind San Francisco airport hack
https://www.zdnet.com/article/russian-state-hackers-behind-san-francisco-airport-hack/
ESET says a Russian hacker group known as Energetic Bear (DragonFly)
is behind a hack of two of the airport’s websites. In a series of
tweets today, ESET said that “the targeted information was NOT the
visitor’s credentials to the compromised websites, but rather the
visitor’s own Windows credentials.”
Tomi Engdahl says:
RagnarLocker ransomware hits EDP energy giant, asks for 10M
https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/
Attackers using the Ragnar Locker ransomware have encrypted the
systems of Portuguese multinational energy giant Energias de Portugal
(EDP) and are now asking for a 1580 BTC ransom ($10.9M or 9.9M). EDP
Group is one of the largest European operators in the energy sector
(gas and electricity) and the world’s 4th largest producer of wind
energy.
Tomi Engdahl says:
Think you know how to hide info in images?
https://www.kaspersky.com/blog/how-to-leak-image-info/34875/
We explain how to hide private data in images properly, without making
rookie mistakes.
Tomi Engdahl says:
North Korean Threat Actors Acted as Hackers-for-Hire, Says U.S. Government
https://www.securityweek.com/north-korean-threat-actors-acted-hackers-hire-says-us-government
Threat actors working for North Korea have also been hired by others to hack websites and extort targets, the U.S. government says in a new cyber alert.
A joint advisory published on Wednesday by the U.S. Department of State, the Department of Treasury, the DHS, and the FBI provides guidance on the North Korean cyber threat and summarizes associated activities.
The United States has released numerous advisories and alerts describing North Korean threat actors, their operations and their tools. The U.S. has officially attributed the 2014 Sony Pictures breach, the 2016 Bangladesh Bank cyberheist, the 2017 WannaCry attack, the 2016 FASTCash campaign aimed at ATMs, and the 2018 attack on a cryptocurrency exchange to North Korea.
Alert (AA20-106A)
Guidance on the North Korean Cyber Threat
https://www.us-cert.gov/ncas/alerts/aa20-106a
Tomi Engdahl says:
Coronavirus: Cisco wanted to delay patch for critical flaw in phone
used by doctors
https://www.zdnet.com/article/coronavirus-cisco-wanted-to-delay-patch-for-critical-flaw-in-phone-used-by-doctors/
Cisco has gone ahead and disclosed a critical flaw in a range of its
internet protocol (IP) phones. However, it had originally wanted to
break from its own 90-day disclosure policy due to “extenuating
circumstances” created by the COVID-19 coronavirus pandemic.
Tomi Engdahl says:
The secret behind unkillable Android backdoor called xHelper has been
revealed
https://arstechnica.com/information-technology/2020/04/solved-how-android-backdoor-called-xhelper-survives-factory-resets/
The precise cause of the reinfections stumped researchers for months.
Tomi Engdahl says:
Sipping from the Coronavirus Domain Firehose
https://krebsonsecurity.com/2020/04/sipping-from-the-coronavirus-domain-firehose/
Security experts are poring over thousands of new Coronavirus-themed
domain names registered each day, but this often manual effort
struggles to keep pace with the flood of domains invoking the virus to
promote malware and phishing sites, as well as non-existent healthcare
products and charities. As a result, domain name registrars are
under increasing pressure to do more to combat scams and
misinformation during the COVID-19 pandemic.
Tomi Engdahl says:
AI spots critical Microsoft security bugs 97% of the time
https://venturebeat.com/2020/04/16/ai-spots-critical-microsoft-security-bugs-97-of-the-time/
Microsoft claims to have developed a system that correctly
distinguishes between security and non-security software bugs 99% of
the time, and that accurately identifies critical, high-priority
security bugs on average 97% of the time. In the coming months, it
plans to open-source the methodology on GitHub, along with example
models and other resources.
Tomi Engdahl says:
Critical ‘starbleed’ vulnerability in FPGA chips identified
https://www.eurekalert.org/pub_releases/2020-04/rb-cv041620.php
FPGA chips are part of many safety-critical applications; they have one particularly valuable feature: they
are individually reprogrammable — but with this feature also comes a risk.
https://www.usenix.org/system/files/sec20fall_ender_prepub.pdf
Tomi Engdahl says:
Google: We’ve blocked 126 million COVID-19 phishing scams in the last week
240 million daily virus themed spams as ‘bad actors’ feed on people’s fear
https://www.theregister.co.uk/2020/04/17/google_coronavirus_spam/
In the past week some 18 million COVID-19 phishing emails were sent via Gmail to unsuspecting marks, according to Google.
“No matter the size of your business, IT teams are facing increased pressure to navigate the challenges of COVID-19,” said Neil Kumaran, product manager for Gmail, and Sam Lugani, lead security PMM, G Suite and GCP platform, today.
The pair said phishing is still the “most effective method” that scammers deploy to compromise accounts and grab data and resources from businesses. They added that “bad actors” have leapt upon the “uncertainty surrounding the pandemic”.
Google said its malware scanner uses deep learning tech to detect malware on 300 billion attachments each week, and 63 per cent of dodgy docs blocked by Gmail are different from day to day.
Kumaran and Lugani said Google prevents 100 million phishing mails daily from reaching their targets and “during the last week, we saw 18 million daily malware and phishing emails related to COVID-19.”
Tomi Engdahl says:
Microsoft throws extended support lifeline for folk stuck on car-crash Windows 10 1809
Also: 2010 server products to survive into 2021 as overstretched admins given more breathing space
https://www.theregister.co.uk/2020/04/15/windows_10_1809_support_extended/
Reports of the death of The Update Of The Damned (aka Windows 10 1809) appear to have been premature as Microsoft flung a lifeline to those with a little too much on their plate.
A number of Microsoft products got a life extension late yesterday, but the most eye-catching is the move from 12 May 2020 to 10 November 2020 for Windows 10 1809′s end of support. The delay affects the Home, Pro, Pro Education, Pro for Workstations, and IoT Core editions of Windows 10 1809 and is in light of Microsoft’s evaluation of the public health situation and its impact.
Tomi Engdahl says:
Academics steal data from air-gapped systems using PC fan vibrations
https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-using-pc-fan-vibrations/?ftag=TREc64629f&bhid=65342234&mid=12794455&cid=716803486
Israeli researchers use vibrations from CPU, GPU, or PC chassis fans to broadcast stolen information through solid materials to nearby receivers, breaking air-gapped system protections.
Tomi Engdahl says:
Hacking against corporations surges as workers take computers home
https://www.reuters.com/article/us-health-coronavirus-cyber-corporations/hacking-against-corporations-surges-as-workers-take-computers-home-idUSKBN21Z0Y6
Also
https://arcticsecurity.com/news/2020/04/17/number-of-potentially-compromised-organizations-more-than-doubles-since-january/
Tomi Engdahl says:
Does Covid-19 Contact Tracing Pose a Privacy Risk? Your Questions,
Answered
https://www.wired.com/story/apple-google-contact-tracing-strengths-weaknesses/
Apple and Google’s Bluetooth-based system isn’t perfect. But many of
the biggest concerns have solutions.
NHS in standoff with Apple and Google over coronavirus tracing
https://www.theguardian.com/technology/2020/apr/16/nhs-in-standoff-with-apple-and-google-over-coronavirus-tracing
Tech firms place limitations on how tracing apps may work in effort to
protect users’ privacy
Europe publishes draft rules for coronavirus contact-tracing app
development, on a relaxed schedule
https://www.theregister.co.uk/2020/04/17/european_contact_tracing_app_spec/
No phone numbers needed but you’ll need Notifications and Bluetooth on
all the time
Tomi Engdahl says:
German government loses tens of millions of euros in COVID-19 phishing
attack
https://www.zdnet.com/article/german-government-loses-tens-of-millions-of-euros-in-covid-19-phishing-attack/
The government of North Rhine-Westphalia, a province in western
Germany, is believed to have lost tens of millions of euros after it
failed to build a secure website for distributing coronavirus
emergency aid funding. The funds were lost following a classic
phishing operation.
Tomi Engdahl says:
FBI says cybercrime reports quadrupled during COVID-19 pandemic
https://www.zdnet.com/article/fbi-says-cybercrime-reports-quadrupled-during-covid-19-pandemic/
FBI official also says foreign hackers targeted COVID-19 research
Tomi Engdahl says:
Growth in surveillance may be hard to scale back after pandemic,
experts say
https://www.theguardian.com/world/2020/apr/14/growth-in-surveillance-may-be-hard-to-scale-back-after-coronavirus-pandemic-experts-say
Tomi Engdahl says:
IT services giant Cognizant suffers Maze Ransomware cyber attack
https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/
Information technologies services giant Cognizant suffered a cyber
attack Friday night allegedly by the operators of the Maze Ransomware,
BleepingComputer has learned. Cognizant is one of the largest IT
managed services companies in the world with close to 300,000 employees
and over $15 billion in revenue.
Tomi Engdahl says:
Security News This Week: Russian Hackers Went After San Francisco
International Airport
https://www.wired.com/story/russian-hackers-san-francisco-airport-windows-zero-days-security-roundup/
Plus: Windows zero days, Covid-19 spam, and more of the week’s top
security news.
Tomi Engdahl says:
https://www.wired.com/story/apple-google-social-distancing-maps-privacy/
Tomi Engdahl says:
Coronavirus Dark Web Scams: From infected blood to ventilators
https://www.bleepingcomputer.com/news/security/coronavirus-dark-web-scams-from-infected-blood-to-ventilators/
Tomi Engdahl says:
Lily Hay Newman / Wired:
Cloudflare debuts Is BGP Safe Yet, a site that checks if your ISP has added security protections and filtering that make Border Gateway Protocol less vulnerable — “Is BGP Safe Yet” is a new site that names and shames internet service providers who don’t tend to their routing.
You Can Now Check If Your ISP Uses Basic Security Measures
“Is BGP Safe Yet” is a new site that names and shames internet service providers that don’t tend to their routing.
https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/
BGP is like a GPS mapping service for the internet, enabling ISPs to automatically choose what route data should take.
For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn’t a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw.
BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack. Just last week, United States Executive Branch agencies moved to block China Telecom from offering services in the US, because of allegedly malicious activity that includes BGP attacks.
“BGP is one of these really frustrating areas that we can’t solve ourselves.”
Matthew Prince, Cloudflare
On Friday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements.
https://isbgpsafeyet.com/
Tomi Engdahl says:
Ian Walker / Kotaku:
Riot launches one of the biggest bug bounty programs in gaming, offering up to $100K for finding security flaws in its controversial Vanguard anti-cheat system
Riot Offering Up To $100,000 For Finding Vulnerabilities In Valorant’s Anti-Cheat System
https://kotaku.com/riot-offering-up-to-100-000-for-finding-vulnerabilitie-1842926182
Riot has posted one of the biggest—if not the biggest—bounties in gaming, offering people up to $100,000 if they can find a security flaw in the company’s controversial Vanguard anti-cheat system.
The bounty, announced today, is being hosted on HackerOne, where users can earn some scratch from tech companies for pinpointing flaws in their security. There are several distinct reward tiers; the more dangerous the exploit someone finds in Vanguard, the more money they can potentially earn. This starts at $25,000 for a bug that allows outside entities to access users’ private information all the way to $100,000 for “code execution on the kernel level,”
Tomi Engdahl says:
Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic
https://www.securityweek.com/ad-fraud-operation-accounted-large-amount-connected-tv-traffic
A Connected TV (CTV) ad fraud operation managed to generate as much as 28% of the CTV traffic observed in January 2020 by White Ops, a company that specializes in bot fraud protection.
Referred to as Icebucket, the operation was highly successful until discovered, at its peak impersonating roughly 2 million users in more than 30 countries. It also counterfeited more than 300 different publishers, the researchers say.
The bots involved in the attacks were hidden “within the limited signal and transparency of server side ad insertion (SSAI) backed video ad impressions,” White Ops says.
Icebucket, the company says, is the largest case of SSAI spoofing observed to date, in January accounting for 28% of the programmatic CTV traffic that White Ops has visibility into. This translates into around 1.9 billion ad requests per day.
Tomi Engdahl says:
IT Giant Cognizant Hit by ‘Maze’ Ransomware, Certain Clients Face Service Issues
https://www.news18.com/news/tech/it-giant-cognizant-hit-by-maze-ransomware-certain-clients-face-service-issues-2584419.html
According to cybersecurity firm McAfee, hackers who deploy Maze threaten to release information on the internet if the targeted companies fail to pay.
Cognizant Technology Solutions Corp on Saturday said it was hit by a “Maze” ransomware cyberattack, resulting in service disruptions for some of its clients. The information technology services provider said it was taking steps to contain the incident, with the help of cyber defense companies, and has also engaged with law enforcement authorities.
Tomi Engdahl says:
Microsoft: Our AI can spot security flaws from just the titles of
developers’ bug reports
https://www.zdnet.com/article/microsoft-our-ai-can-spot-security-flaws-from-just-the-titles-of-developers-bug-reports/
Microsoft’s machine-learning model can speed up the triage process
when handling bug reports. Microsoft says its machine-learning model
correctly distinguishes between security and non-security bugs 99% of
the time. It can also accurately identify critical security bugs 97%
of the time.
Tomi Engdahl says:
Students, university clash over forced installation of remote exam
monitoring software on home PCs
https://www.zdnet.com/article/students-university-clash-over-plans-to-install-remote-exam-monitoring-software-on-home-pcs/
The use of remote spying software to prevent cheating has raised an
outcry from students.
Tomi Engdahl says:
Separating the Signal from the Noise: How Mandiant Intelligence Rates
Vulnerabilities Intelligence for Vulnerability Management, Part Three
https://www.fireeye.com/blog/threat-research/2020/04/how-mandiant-intelligence-rates-vulnerabilities.html
Tomi Engdahl says:
Google rolls out BeyondCorp Remote Access for browser-based apps
https://www.zdnet.com/article/google-rolls-out-beyondcorp-remote-access-for-browser-based-apps/
Google Cloud on Monday rolled out BeyondCorp Remote Access, a new
cloud-based product that allows employees to securely access their
company’s internal web apps from any device or any location. Amid the
scramble to get employees working remotely through the COVID-19
pandemic, the new product aims to quickly provide secure access to
browser-based apps.
Tomi Engdahl says:
Bad news: Cognizant hit by ransomware gang. Worse: It’s Maze, which leaks victims’ data online after non-payment
https://www.theregister.co.uk/2020/04/21/cognizant_maze_malware/
IT services biz warns customers could be at risk of infection, too
New Jersey IT services provider Cognizant has confirmed it is the latest victim of the Maze ransomware.
The infection was disclosed to the public this weekend. Cognizant said the malware outbreak will likely disrupt service for some of its customers, and possibly put them in danger as well.
“Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” the announcement read.
Cognizant provides on-premises and cloud-hosted IT services for companies as well as consultancy gigs. The biz has high-value customers in areas such as banking, health care, and manufacturing, and it is ranked in the Fortune 500, so any large-scale attack on its systems is potentially serious.
The Maze miscreants may not have been the ones to actually compromise the Cognizant network, though. Monitoring service Under the Breach claimed its team spotted someone selling access to an unnamed “major IT provider” for $200,000 roughly a week before the intrusion was revealed, leading it to speculate the Maze crew purchased access to Cognizant’s systems from another hacker who performed the task of actually breaking into the network.
The strategy of leaking data if its demands aren’t met is one favored by the ransomware gang, leading to a new threat for organizations that would otherwise have just wiped the ransomware-infected devices and restored from backups without paying the ransom.
Additionally, the Maze ransomware is particularly well-written and difficult to thwart with technical means.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
Tomi Engdahl says:
Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay
https://www.theregister.co.uk/2020/04/10/lockheed_martin_spacex_ransomware_leak/
Tomi Engdahl says:
High-Severity Vulnerability in OpenSSL Allows DoS Attacks
https://www.securityweek.com/high-severity-vulnerability-openssl-allows-dos-attacks
An update released on Tuesday for OpenSSL patches a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks.
The OpenSSL Project, which tracks the flaw as CVE-2020-1967, has described it as a “segmentation fault” in the SSL_check_chain function.
“Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the ‘signature_algorithms_cert’ TLS extension,” reads the advisory for this vulnerability.
It adds, “The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.”
The vulnerability impacts OpenSSL versions 1.1.1d, 1.1.1e and 1.1.1f, and it has been patched with the release of version 1.1.1g.
Older versions 1.0.2 and 1.1.0, which no longer receive security updates, are not impacted by the flaw.
https://www.openssl.org/news/secadv/20200421.txt
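A small added triage helper for the OpenSSL advisory above (example code written for this page, not from OpenSSL or SecurityWeek): it parses an `openssl version`-style banner and classifies it against the affected set (1.1.1d, 1.1.1e, 1.1.1f) and the fix (1.1.1g) stated in the advisory. The banner strings in the block are constructed samples; the `cve_2020_1967_status` and `parse_version` names are my own. Two caveats the code carries in comments: the crash only matters for applications that call `SSL_check_chain()` during or after a TLS 1.3 handshake, and a distribution that backports the fix while keeping the old version letter cannot be told apart from a banner alone.

```python
"""Classify OpenSSL version banners against CVE-2020-1967 (added example)."""
import re
import ssl

# Version facts as stated in the OpenSSL advisory of 2020-04-21.
AFFECTED = {"1.1.1d", "1.1.1e", "1.1.1f"}
FIXED_IN = "1.1.1g"
# 1.0.2 and 1.1.0 are not affected but also no longer receive security updates.
UNSUPPORTED_BRANCHES = {(1, 0, 2), (1, 1, 0)}

# Matches "OpenSSL 1.1.1f  31 Mar 2020" and similar; letter suffix is optional.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, patch, letter) or None for a non-OpenSSL banner."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch, letter = match.groups()
    return (int(major), int(minor), int(patch), letter)


def version_tag(version):
    """Render a parsed tuple back to the short form used in the advisory."""
    major, minor, patch, letter = version
    return f"{major}.{minor}.{patch}{letter}"


def cve_2020_1967_status(banner):
    """Classify a banner: affected / fixed / not-affected / not-affected-unsupported / unknown.

    Caveat: a vendor backport (fix applied while the letter stays at 'f') is
    indistinguishable from a vulnerable build here; check the package changelog
    when the banner reports an affected version.
    """
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if version_tag(version) in AFFECTED:
        return "affected"
    branch, letter = version[:3], version[3]
    if branch == (1, 1, 1):
        # Patch letters are single lowercase characters and compare lexically;
        # 'g' and later carry the fix, earlier letters predate the bug.
        return "fixed" if letter >= FIXED_IN[-1] else "not-affected"
    if branch in UNSUPPORTED_BRANCHES:
        return "not-affected-unsupported"
    return "not-affected"


def affected_hosts(inventory):
    """From {host: banner} return the hosts whose banner reports an affected build."""
    return sorted(h for h, b in inventory.items() if cve_2020_1967_status(b) == "affected")


# Constructed sample inventory; the dates are only there to mimic real banners.
SAMPLE_INVENTORY = {
    "web-1": "OpenSSL 1.1.1f  31 Mar 2020",
    "web-2": "OpenSSL 1.1.1g  21 Apr 2020",
    "legacy-db": "OpenSSL 1.0.2u  20 Dec 2019",
    "bsd-box": "LibreSSL 2.8.3",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:10} {banner:32} -> {cve_2020_1967_status(banner)}")
    print("affected:", affected_hosts(SAMPLE_INVENTORY))
    # The interpreter's own linked OpenSSL, for a quick local check.
    print("this python:", ssl.OPENSSL_VERSION, "->", cve_2020_1967_status(ssl.OPENSSL_VERSION))
```

An "affected" result means the library build is vulnerable; whether a given service is actually crashable still depends on whether its code path calls `SSL_check_chain()`, so treat the output as a patch-priority list rather than an exposure verdict.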
Tomi Engdahl says:
Nearly 25,000 email addresses and passwords allegedly from NIH, WHO, Gates Foundation and others are dumped online
https://www.washingtonpost.com/technology/2020/04/21/nearly-25000-email-addresses-passwords-allegedly-nih-who-gates-foundation-are-dumped-online/
The lists, whose origins are unclear, appear to have first been posted to 4chan, a message board notorious for its hateful and extreme political commentary, and later to Pastebin, a text storage site, to Twitter and to far-right extremist channels on Telegram, a messaging app.
“Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues,” said Rita Katz, SITE’s executive director. “Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials were just another part of a months-long initiative across the far right to weaponize the covid-19 pandemic.”
The report by SITE, based in Bethesda, Md., said the largest group of alleged emails and passwords was from the NIH, with 9,938 found on lists posted online. The Centers for Disease Control and Prevention had the second-highest number, with 6,857. The World Bank had 5,120. The list of WHO addresses and passwords totaled 2,732.
Tomi Engdahl says:
Hackers Target Top Officials at World Health Organization
https://www.bloomberg.com/news/articles/2020-04-21/top-officials-at-world-health-organization-targeted-for-hacks
Tomi Engdahl says:
IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report
IT giant admits it made ‘a process error, improper response’ to flaw finder
https://www.theregister.co.uk/2020/04/21/ibm_security_vulnerabilities/
IBM has acknowledged that it mishandled a bug report that identified four vulnerabilities in its enterprise security software, and plans to issue an advisory.
IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some versions of the Linux-powered suite included four exploitable holes, identified and, at first, privately disclosed by security researcher Pedro Ribeiro at no charge. Three are considered to be critical, and one is high risk.
The software flaws can be chained together to achieve unauthenticated remote code execution as root on a vulnerable installation, as described in an advisory Ribeiro published today on GitHub.
Prior to going public, Ribeiro had tried to get CC/CERT to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant replied thus: “We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”
“This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” said Ribeiro in his disclosure.
The vulnerabilities consist of authentication bypass, command injection, insecure default password, and arbitrary file download. Using the first three, an unauthenticated remote user can run arbitrary code, and there’s now a Metasploit module to do so.
The flaws don’t yet have CVE designations, and as far as we can tell, no patches nor updates to address the holes are available right now.
https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md
Tomi Engdahl says:
Hackers Can Exfiltrate Data From Air-Gapped Computers Via Fan Vibrations
https://www.securityweek.com/hackers-can-exfiltrate-data-air-gapped-computers-fan-vibrations
A researcher was able to exfiltrate data from air-gapped computers using vibrations produced by controlling the rotation speed of the machines’ internal fans.
Previously, researchers demonstrated that it was possible to exfiltrate data from air-gapped systems via heat emissions, HDD LEDs, infrared cameras, magnetic fields, power lines, router LEDs, scanners, screen brightness, USB devices, and noise from hard drives and fans.
The newly proposed technique relies on the fact that the entire structure on which a computer is placed is affected by the vibrations produced by the device’s internal fans, and uses sensors in modern smartphones to sense these vibrations.
In order to transmit data from networkless computers, researcher Mordechai Guri from the Ben-Gurion University of the Negev, Israel, has implemented AiR-ViBeR, new malware that can encode binary information and modulate it over a low frequency vibrational carrier.
The malware-generated vibrations can then be sensed and decoded by a malicious application on a smartphone placed on the same surface, such as an office desk. Because a mobile device’s sensors such as the accelerometer can be accessed by a malicious application even without asking for the user’s permission, the attack is highly evasive, the researcher argues.
https://arxiv.org/pdf/2004.06195v1.pdf
Tomi Engdahl says:
Email Addresses And Passwords From WHO, NIH, Wuhan Lab, And Gates Foundation Dumped On 4chan
https://www.zerohedge.com/health/email-addresses-and-passwords-who-nih-wuhan-lab-and-gates-foundation-dumped-4chan
A cache of nearly 25,000 email addresses and passwords allegedly belonging to the World Health Organization (WHO), National Institutes of Health (NIH), Wuhan Institute of Virology, Bill Gates Foundation and several other groups involved with the coronavirus pandemic response were dumped on 4chan before appearing on several other websites, according to the SITE Intelligence Group.
WHO chief information officer Bernardo Mariano told Bloomberg that the organization wasn’t hacked, and that the data was possibly obtained through prior data breaches.
“The employees may have used their work email address to register an account for a particular website, and then that website has been hacked, leaking their password.”
Tomi Engdahl says:
Cryptographer suggests Australia adopt decentralised model for COVID-19 app
https://itwire.com/government-tech-policy/cryptographer-suggests-australia-adopt-decentralised-model-for-covid-19-app.html
Australia should not follow Singapore and adopt a centralised model for its coronavirus contact-tracing app, cryptographer Vanessa Teague says, pointing out that with this model if someone tests positive, their list of contacts is given to the authorities.
Outlining the way Singapore’s TraceTogether app works, Teague, who is the chief executive of Thinking Cybersecurity, said in a post on GitHub that when one phone was near another, the app sent random-looking beacons over Bluetooth. These TempIDs were encrypted and generated by the central server and there were several problems with this model.
“When you download your encrypted IDs, you are relying on them to be a truthful reflection of your ID. If a software bug, security problem, or network attack gives you someone else’s encrypted IDs instead, you have no way to notice,” she said. “If you send IDs that are not yours, then when someone near you tests positive, you will not be notified.”
“Crucially, even if we get the source code for the Australian app, we cannot test that the encryption is being computed properly, since it is not being computed by the app,” Teague said.
“Singapore’s server code is openly available (good), but an Australian server could decide to downgrade its encryption at any time, even after deployment, and could do so for some people but not others. This would make you easily tracked through shopping malls and other public (and private) spaces, even if you never test positive.”
The Singapore app trusted Google’s Firebase cloud to hold all the information that was collected and Firebase employees were able to access private information.
“In its TraceTogether form, I would be happy to run it on the train but refuse to run it in my home or office,” she said. “I need to see the details of Australia’s version before I decide. Informed consent requires telling us what we’re consenting to. Open source code is a minimal requirement.”
https://github.com/vteague/contactTracing/
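The centralised-versus-decentralised distinction Teague draws above, as an added constructed sketch (not TraceTogether/BlueTrace, DP-3T or any real app's code; a keyed HMAC stands in for the server's encryption, and every name, format and the 16-byte ID length are assumptions):

```python
"""Constructed sketch: server-issued opaque TempIDs vs phone-derived IDs.
Added example, not code from any contact-tracing project."""
import hashlib
import hmac

ID_LEN = 16  # assumed ID size


def server_issue_tempids(server_key: bytes, user_id: str, n: int) -> list[bytes]:
    """Centralised model: the server derives n opaque IDs for user_id under a
    key only it holds (a keyed PRF stands in for the server's encryption)."""
    return [hmac.new(server_key, f"{user_id}|{i}".encode(), hashlib.sha256).digest()[:ID_LEN]
            for i in range(n)]


def phone_accepts_batch(batch: list[bytes]) -> bool:
    """The phone has no key, so the most it can check is the shape of the bytes.
    A batch encoding someone else's identity passes exactly the same check."""
    return all(isinstance(b, bytes) and len(b) == ID_LEN for b in batch)


def phone_derive_ephids(seed: bytes, day: int, n: int) -> list[bytes]:
    """Decentralised model: the phone derives its own broadcast IDs from a local
    seed. It can recompute them itself, and so can anyone given the seed
    (which is published only after a positive test)."""
    return [hmac.new(seed, f"{day}|{i}".encode(), hashlib.sha256).digest()[:ID_LEN]
            for i in range(n)]


def local_exposure_check(observed: set[bytes],
                         published: list[tuple[bytes, int, int]]) -> bool:
    """Runs on the phone: recompute IDs from published (seed, day, count) tuples
    and intersect with what this phone heard over Bluetooth. The contact list
    never leaves the device; only positive users' seeds are published."""
    for seed, day, n in published:
        if observed.intersection(phone_derive_ephids(seed, day, n)):
            return True
    return False


if __name__ == "__main__":
    key = b"server-secret"  # constructed
    print(phone_accepts_batch(server_issue_tempids(key, "alice", 4)))  # True
    print(phone_accepts_batch(server_issue_tempids(key, "bob", 4)))    # also True
```

The two `print` lines make the first point concrete: the phone cannot tell a batch issued for it from one issued for another user, which is the failure Teague describes.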
Tomi Engdahl says:
Air Force to offer up a satellite to hackers at Defcon 2020
https://nakedsecurity.sophos.com/2019/09/19/air-force-to-offer-up-a-satellite-to-hackers-at-defcon-2020/
Last month, when the US Air Force went to the Defcon hacker conference, it dragged along an F-15 fighter-jet data system.
The destination: a corner of the conference where the first-ever Aviation Village brought together the aviation industry with the infosec/hacker community. There, vetted security researchers picked that system to pieces.
As in, they literally went at it with screwdrivers and pliers. They filled hotel glasses with screws, nuts and bolts from the Trusted Aircraft Information Download Station. They also remotely inflicted malware on the unit, which collects video and sensor data while the F-15 is in flight.
The attitude of the Air Force to the results: well, that went well. Now, the Air Force has decided to up the ante, as Wired reports. Next year, it’s offering up an orbiting satellite.
As Wired has reported, aviation companies have flat-out denied the validity of security researchers’ findings, in spite of some tragic outcomes.
Vetted researchers’ hacking of an F-15 this year and next year’s hacking of a satellite are just the latest signs of this evolution in the government’s approach to military cyber-, hardware, and supply-chain security.
In 2017, we saw the Air Force offer its first-ever bug bounty program, Hack the Air Force. The Pentagon did the same thing the year before, as did the US Army.
Tomi Engdahl says:
Gates Foundation & WHO Email IDs & Passwords Among 25,000 Hacked
https://www.thequint.com/tech-and-auto/tech-news/gates-foundation-who-among-25000-email-ids-and-passwords-hacked
The email addresses and passwords were posted on message boards such as 4chan & Pastebin and also to Telegram.
The data dump also appears to carry email addresses and passwords for a virology centre based in Wuhan, which has given rise to a lot of conspiracy theories.
According to a report in The Washington Post, unknown activists posted 25,000 email addresses and passwords online. This was brought to light by SITE Intelligence Group, a body that monitors online extremism and terrorist groups. Robert Potter, an independent Australian cybersecurity expert, said the data was real as he could verify some of the email IDs and passwords of WHO.
However, he points out it could be from an earlier attack as cybersecurity tends to be quite low at healthcare organisations.
Tomi Engdahl says:
A new iPhone email security bug may let hackers steal private data
https://techcrunch.com/2020/04/22/iphone-zero-day-steal-data/
Apple will patch a newly discovered iPhone vulnerability that security researchers say hackers have already used to steal data from their victims’ devices.
News of the vulnerability dropped Wednesday by security firm ZecOps. Zuk Avraham, the company’s chief executive, said the firm found the bug last year during a routine investigation. At least six organizations were targeted by attackers as far back as 2018, he said.
Avraham said the bug is in the iPhone’s default Mail app. By sending a specially crafted email to the victim’s device, an attacker can overrun the device’s memory, allowing the attacker to remotely run malicious code to steal data from the device, he said.
You’ve Got (0-click) Mail!
https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/
Tomi Engdahl says:
Nation-backed Hackers Tune Attacks to COVID-19 Fears: Google
https://www.securityweek.com/nation-backed-hackers-tune-attacks-covid-19-fears-google
Google on Wednesday warned that nation-backed hackers are exploiting the coronavirus pandemic to target health care organizations and those working to fight the pandemic.
A security team tasked with defending against government-backed cyberattacks on Google and its users said it identified more than a dozen state-sponsored groups using COVID-19 themes as bait in phishing and malware traps.
Early this month, Google reported that it was detecting about 18 million pandemic-themed malware or phishing messages per day and some 240 million COVID-linked spam messages.
“Hackers frequently look at crises as an opportunity, and COVID-19 is no different,” Shane Huntley of Google Threat Analysis Group said in a blog post.
Tomi Engdahl says:
Cyber Resilience: Doing More with Less
https://www.securityweek.com/cyber-resilience-doing-more-less
The COVID-19 Health Crisis is Forcing Enterprise Security Teams to Deliver More With Less
It’s definitely not business as usual. Threat actors are taking full advantage of these uncertain times by launching a wave of new cyber-attacks, leveraging tactics such as phishing, ransomware, and credential stuffing. Ransomware attacks alone skyrocketed 148% in the past month, according to VMware Carbon Black threat researchers. At the same time, many organizations are being forced to downsize staff and delay planned IT security projects. Now more than ever, it’s important to focus on defense strategies that assure the biggest bang for the buck. So where should organizations focus to improve resilience while stretching their budget further?
According to ESG research, 62% of organizations were poised to increase spending on cyber security in 2020. In fact, 32% of survey respondents said they would invest in cyber security technologies using AI/ML for threat detection, followed by data security (31%), network security (30%), and cloud application security (27%). Obviously, these priorities have been turned upside down and the new normal requires a complete rethinking of traditional security strategies.
The following five best practices, based on an analysis of threat actors’ TTPs, can improve cyber resilience without the need for more resources:
1. Establish Secure Remote Access… for Workforce and IT Admins
2. Avoid Taking the (Phishing) Bait
3. Step Up Your Multi-Factor Authentication Game
4. Boost Your Infrastructure Immunity Against Ransomware
5. Enforce Least Privilege
With IT budgets being cut back in response to the economic contraction caused by the current health crisis, security teams need to deliver more with less. Focusing on identity as a security perimeter is an efficient and effective way to mitigate cyber-threats.
Tomi Engdahl says:
Google Sees State-Sponsored Hackers Ramping Up Coronavirus Attacks
https://www.wired.com/story/google-state-sponsored-hackers-coronavirus-phishing-malware/
More than 12 government-backed groups are using the pandemic as cover for digital reconnaissance and espionage, according to a new report.
Report:
https://blog.google/technology/safety-security/threat-analysis-group/findings-covid-19-and-online-security-threats/