Cyber Security News April 2020

This posting is here to collect cyber security news in April 2020.

I post links to security vulnerability news with short descriptions to comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.

218 Comments

  1. Tomi Engdahl says:

    Dell releases new tool to detect BIOS attacks
    https://www.zdnet.com/article/dell-releases-new-tool-to-detect-bios-attacks/
    Dell makes new tool named SafeBIOS Events & Indicators of Attack
    available for download for all Dell commercial PCs.

  2. Tomi Engdahl says:

    Burning Cell Towers, Out of Baseless Fear They Spread the Virus
    https://www.msn.com/en-us/news/technology/how-a-virus-conspiracy-theory-fueled-arson-and-harassment-in-britain/ar-BB12rCms
    Across Britain, more than 30 acts of arson and vandalism have taken
    place against wireless towers and other telecom gear this month,
    according to police reports and a telecom trade group. In roughly 80
    other incidents in the country, telecom technicians have been harassed
    on the job.

  3. Tomi Engdahl says:

    New Wiper Malware impersonates security researchers as prank
    https://www.bleepingcomputer.com/news/security/new-wiper-malware-impersonates-security-researchers-as-prank/
    A malware distributor has decided to play a nasty prank by locking
    victim’s computers before they can start Windows and then blaming the
    infection on two well-known and respected security researchers.

  4. Tomi Engdahl says:

    This is what zoombombing looks like: firm guidance from the authority
    https://www.is.fi/digitoday/tietoturva/art-2000006469731.html

    The National Cyber Security Centre gives guidance on secure video conferencing. Zoom users in particular need to be careful.

    Finland's information security authority, the National Cyber Security Centre (KTK, Kyberturvallisuuskeskus), gives instructions for holding a secure video conferencing session. They are worth following, because otherwise the consequences can be unpleasant.

    "If it is possible to join the meeting via, for example, a link or a meeting ID without any other controls, it is likely that outsiders will also try to join the meeting," KTK warns.

    According to the centre, the meeting should for example be protected with a password or PIN code that is shared through a different channel than the meeting's join link. This advice is definitely worth following.

    Choose a video conferencing solution according to the use case and the confidentiality of the information
    https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/valitse-videoneuvotteluratkaisu-kayttotarpeen-ja-tiedon-luottamuksellisuuden-mukaan

    When choosing a video conferencing solution, the first things to consider are the purpose of use and the confidentiality of the information. The meeting organiser should also make sure in advance that only the intended people can take part in the meeting and that those joining the video conference have only the permissions they need.

  5. Tomi Engdahl says:

    Microsoft April 2020 Patch Tuesday fixes 4 zero-days, 15 critical
    flaws
    https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2020-patch-tuesday-fixes-4-zero-days-15-critical-flaws/
    With the release of the April 2020 security updates, Microsoft has
    released fixes for 113 vulnerabilities in Microsoft products. Of these
    vulnerabilities, 15 are classified as Critical, 93 as Important, 3 as
    Moderate, and 2 as Low. Of particular interest, Microsoft patched
    four zero-day vulnerabilities, with three of them being seen actively
    exploited in attacks.

  6. Tomi Engdahl says:

    US consumers report $12M in COVID-19 scam losses since January
    https://www.bleepingcomputer.com/news/security/us-consumers-report-12m-in-covid-19-scam-losses-since-january/
    The U.S. Federal Trade Commission says that approximately $12 million
    were lost to Coronavirus-related scams according to consumer reports
    received since January 2020.

  7. Tomi Engdahl says:

    Russian state hackers behind San Francisco airport hack
    https://www.zdnet.com/article/russian-state-hackers-behind-san-francisco-airport-hack/
    ESET says a Russian hacker group known as Energetic Bear (DragonFly)
    is behind a hack of two of the airport's websites. In a series of
    tweets today, ESET said that "the targeted information was NOT the
    visitor's credentials to the compromised websites, but rather the
    visitor's own Windows credentials."

  8. Tomi Engdahl says:

    RagnarLocker ransomware hits EDP energy giant, asks for €10M
    https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/
    Attackers using the Ragnar Locker ransomware have encrypted the
    systems of Portuguese multinational energy giant Energias de Portugal
    (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M). EDP
    Group is one of the largest European operators in the energy sector
    (gas and electricity) and the world's 4th largest producer of wind
    energy.

  9. Tomi Engdahl says:

    Think you know how to hide info in images?
    https://www.kaspersky.com/blog/how-to-leak-image-info/34875/
    We explain how to hide private data in images properly, without making
    rookie mistakes.

  10. Tomi Engdahl says:

    North Korean Threat Actors Acted as Hackers-for-Hire, Says U.S. Government
    https://www.securityweek.com/north-korean-threat-actors-acted-hackers-hire-says-us-government

    Threat actors working for North Korea have also been hired by others to hack websites and extort targets, the U.S. government says in a new cyber alert.

    A joint advisory published on Wednesday by the U.S. Department of State, the Department of Treasury, the DHS, and the FBI provides guidance on the North Korean cyber threat and summarizes associated activities.

    The United States has released numerous advisories and alerts describing North Korean threat actors, their operations and their tools. The U.S. has officially attributed the 2014 Sony Pictures breach, the 2016 Bangladesh Bank cyberheist, the 2017 WannaCry attack, the 2016 FASTCash campaign aimed at ATMs, and the 2018 attack on a cryptocurrency exchange to North Korea.

    Alert (AA20-106A)
    Guidance on the North Korean Cyber Threat
    https://www.us-cert.gov/ncas/alerts/aa20-106a

  11. Tomi Engdahl says:

    Coronavirus: Cisco wanted to delay patch for critical flaw in phone
    used by doctors
    https://www.zdnet.com/article/coronavirus-cisco-wanted-to-delay-patch-for-critical-flaw-in-phone-used-by-doctors/
    Cisco has gone ahead and disclosed a critical flaw in a range of its
    internet protocol (IP) phones. However, it had originally wanted to
    break from its own 90-day disclosure policy due to “extenuating
    circumstances” created by the COVID-19 coronavirus pandemic.

  12. Tomi Engdahl says:

    The secret behind unkillable Android backdoor called xHelper has been
    revealed
    https://arstechnica.com/information-technology/2020/04/solved-how-android-backdoor-called-xhelper-survives-factory-resets/
    The precise cause of the reinfections stumped researchers for months.

  13. Tomi Engdahl says:

    Sipping from the Coronavirus Domain Firehose
    https://krebsonsecurity.com/2020/04/sipping-from-the-coronavirus-domain-firehose/
    Security experts are poring over thousands of new Coronavirus-themed
    domain names registered each day, but this often manual effort
    struggles to keep pace with the flood of domains invoking the virus to
    promote malware and phishing sites, as well as non-existent healthcare
    products and charities. As a result, domain name registrars are
    under increasing pressure to do more to combat scams and
    misinformation during the COVID-19 pandemic.

  14. Tomi Engdahl says:

    AI spots critical Microsoft security bugs 97% of the time
    https://venturebeat.com/2020/04/16/ai-spots-critical-microsoft-security-bugs-97-of-the-time/
    Microsoft claims to have developed a system that correctly
    distinguishes between security and non-security software bugs 99% of
    the time, and that accurately identifies critical, high-priority
    security bugs on average 97% of the time. In the coming months, it
    plans to open-source the methodology on GitHub, along with example
    models and other resources.

  15. Tomi Engdahl says:

    Critical ‘starbleed’ vulnerability in FPGA chips identified
    https://www.eurekalert.org/pub_releases/2020-04/rb-cv041620.php
    FPGA chips are part of many safety-critical applications; they have one particularly valuable feature: they
    are individually reprogrammable — but with this feature also comes a risk
    https://www.usenix.org/system/files/sec20fall_ender_prepub.pdf

  16. Tomi Engdahl says:

    Google: We’ve blocked 126 million COVID-19 phishing scams in the last week
    240 million daily virus themed spams as ‘bad actors’ feed on people’s fear
    https://www.theregister.co.uk/2020/04/17/google_coronavirus_spam/

    In the past week some 18 million COVID-19 phishing emails were sent via Gmail to unsuspecting marks, according to Google.

    “No matter the size of your business, IT teams are facing increased pressure to navigate the challenges of COVID-19,” said Neil Kumaran, products manager for Gmail and Sam Lugani, lead security PMM, G Suite and CP platform, today.

    The pair said phishing is still the “most effective method” that scammers deploy to compromise accounts and grab data and resources from businesses. They added that “bad actors” have leapt upon the “uncertainty surrounding the pandemic”.

    Google said its malware scanner uses deep learning tech to detect malware on 300 billion attachments each week, and 63 per cent of dodgy docs blocked by Gmail are different from day to day.

    Kumaran and Lugani said Google prevents 100 million phishing mails daily from reaching their targets and “during the last week, we saw 18 million daily malware and phishing emails related to COVID-19.”

  17. Tomi Engdahl says:

    Microsoft throws extended support lifeline for folk stuck on car-crash Windows 10 1809
    Also: 2010 server products to survive into 2021 as overstretched admins given more breathing space
    https://www.theregister.co.uk/2020/04/15/windows_10_1809_support_extended/

    Reports of the death of The Update Of The Damned (aka Windows 10 1809) appear to have been premature as Microsoft flung a lifeline to those with a little too much on their plate.

    A number of Microsoft products got a life extension late yesterday, but the most eye-catching is the move from 12 May 2020 to 10 November 2020 for Windows 10 1809′s end of support. The delay affects the Home, Pro, Pro Education, Pro for Workstations, and IoT Core editions of Windows 10 1809 and is in light of Microsoft’s evaluation of the public health situation and its impact.

  18. Tomi Engdahl says:

    Academics steal data from air-gapped systems using PC fan vibrations
    https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-using-pc-fan-vibrations/?ftag=TREc64629f&bhid=65342234&mid=12794455&cid=716803486

    Israeli researchers use vibrations from CPU, GPU, or PC chassis fans to broadcast stolen information through solid materials and to nearby receivers, breaking air-gapped system protections

  19. Tomi Engdahl says:

    Does Covid-19 Contact Tracing Pose a Privacy Risk? Your Questions,
    Answered
    https://www.wired.com/story/apple-google-contact-tracing-strengths-weaknesses/
    Apple and Google’s Bluetooth-based system isn’t perfect. But many of
    the biggest concerns have solutions.

    NHS in standoff with Apple and Google over coronavirus tracing
    https://www.theguardian.com/technology/2020/apr/16/nhs-in-standoff-with-apple-and-google-over-coronavirus-tracing
    Tech firms place limitations on how tracing apps may work in effort to
    protect users’ privacy

    Europe publishes draft rules for coronavirus contact-tracing app
    development, on a relaxed schedule
    https://www.theregister.co.uk/2020/04/17/european_contact_tracing_app_spec/
    No phone numbers needed but you’ll need Notifications and Bluetooth on
    all the time

  20. Tomi Engdahl says:

    German government loses tens of millions of euros in COVID-19 phishing
    attack
    https://www.zdnet.com/article/german-government-loses-tens-of-millions-of-euros-in-covid-19-phishing-attack/
    The government of North Rhine-Westphalia, a province in western
    Germany, is believed to have lost tens of millions of euros after it
    failed to build a secure website for distributing coronavirus
    emergency aid funding. The funds were lost following a classic
    phishing operation.

  21. Tomi Engdahl says:

    FBI says cybercrime reports quadrupled during COVID-19 pandemic
    https://www.zdnet.com/article/fbi-says-cybercrime-reports-quadrupled-during-covid-19-pandemic/
    FBI official also says foreign hackers targeted COVID-19 research

  22. Tomi Engdahl says:

    IT services giant Cognizant suffers Maze Ransomware cyber attack
    https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/
    Information technologies services giant Cognizant suffered a cyber
    attack Friday night allegedly by the operators of the Maze Ransomware,
    BleepingComputer has learned. Cognizant is one of the largest IT
    managed services companies in the world with close to 300,000 employees
    and over $15 billion in revenue.

  23. Tomi Engdahl says:

    Security News This Week: Russian Hackers Went After San Francisco
    International Airport
    https://www.wired.com/story/russian-hackers-san-francisco-airport-windows-zero-days-security-roundup/
    Plus: Windows zero days, Covid-19 spam, and more of the week’s top
    security news.

  24. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Cloudflare debuts Is BGP Safe Yet, a site that checks if your ISP has added security protections and filtering that make Border Gateway Protocol less vulnerable — “Is BGP Safe Yet” is a new site that names and shames internet service providers who don’t tend to their routing.

    You Can Now Check If Your ISP Uses Basic Security Measures
    “Is BGP Safe Yet” is a new site that names and shames internet service providers that don’t tend to their routing.
    https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/

    BGP is like a GPS mapping service for the internet, enabling ISPs to automatically choose what route data should take.

    For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn’t a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw.

    BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack. Just last week, United States Executive Branch agencies moved to block China Telecom from offering services in the US, because of allegedly malicious activity that includes BGP attacks.

    “BGP is one of these really frustrating areas that we can’t solve ourselves.”
    Matthew Prince, Cloudflare

    On Friday, the company launched Is BGP Safe Yet​, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements.

    https://isbgpsafeyet.com/

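The "security protections and filters" the Is BGP Safe Yet site checks for are RPKI route origin validation: a network that enforces it drops announcements whose origin AS contradicts a published Route Origin Authorization. The following is an added example, not Cloudflare's code or anything from the article, of the RFC 6811 validation procedure run against a constructed set of ROAs; the prefixes and AS numbers are documentation values, not real registry data.

```python
"""RPKI Route Origin Validation (RFC 6811) against a constructed set of ROAs."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, optional maxLength, authorised origin AS."""
    prefix: str
    origin_asn: int
    max_length: Optional[int] = None  # absent maxLength means "exactly this prefix length"

    def network(self):
        return ipaddress.ip_network(self.prefix)

    def effective_max_length(self) -> int:
        return self.max_length if self.max_length is not None else self.network().prefixlen


def covers(roa: ROA, route) -> bool:
    """RFC 6811 'Covered': the ROA prefix contains the route prefix (maxLength not considered)."""
    roa_net = roa.network()
    return roa_net.version == route.version and route.subnet_of(roa_net)


def matches(roa: ROA, route, origin_asn: int) -> bool:
    """RFC 6811 'Matched': covered, not longer than maxLength, and the same origin AS."""
    return (covers(roa, route)
            and route.prefixlen <= roa.effective_max_length()
            and roa.origin_asn == origin_asn)


def validate_origin(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announced (prefix, origin AS)."""
    route = ipaddress.ip_network(prefix)
    roas = list(roas)
    if not any(covers(r, route) for r in roas):
        return "not-found"   # nobody has published a ROA for this space; ROV cannot help
    if any(matches(r, route, origin_asn) for r in roas):
        return "valid"
    return "invalid"         # a ROA exists for this space and this announcement contradicts it


def accept_route(prefix: str, origin_asn: int, roas: Iterable[ROA], enforce_rov: bool) -> bool:
    """What a router does with the announcement: a network without ROV accepts everything;
    one that enforces it drops 'invalid' and still carries 'not-found'."""
    state = validate_origin(prefix, origin_asn, roas)
    return not (enforce_rov and state == "invalid")


# Constructed sample ROAs using documentation prefixes and ASNs (not real registry data).
SAMPLE_ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 64496, max_length=24),
    ROA("2001:db8::/32", 64496, max_length=48),
]

SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/24", 64511),     # origin hijack: wrong AS for a ROA-covered prefix
    ("192.0.2.128/25", 64496),   # more-specific leak: right AS but longer than maxLength
    ("2001:db8:1::/48", 64496),  # IPv6, within maxLength
    ("198.51.100.0/24", 64500),  # no ROA published at all
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        state = validate_origin(prefix, asn, SAMPLE_ROAS)
        kept = accept_route(prefix, asn, SAMPLE_ROAS, enforce_rov=True)
        print(f"{prefix:18} AS{asn}  {state:9}  {'accepted' if kept else 'dropped'}")
```

Note the asymmetry the site's test relies on: the hijacked and the over-specific announcements are only dropped by a network that enforces validation, while an announcement with no ROA at all passes through everywhere, so ROV only protects prefixes whose holders have published ROAs.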
  25. Tomi Engdahl says:

    Ian Walker / Kotaku:
    Riot launches one of the biggest bug bounty programs in gaming, offering up to $100K for finding security flaws in its controversial Vanguard anti-cheat system

    Riot Offering Up To $100,000 For Finding Vulnerabilities In Valorant’s Anti-Cheat System
    https://kotaku.com/riot-offering-up-to-100-000-for-finding-vulnerabilitie-1842926182

    Riot has posted one of the biggest—if not the biggest—bounties in gaming, offering people up to $100,000 if they can find a security flaw in the company’s controversial Vanguard anti-cheat system.

    The bounty, announced today, is being hosted on HackerOne, where users can earn some scratch from tech companies for pinpointing flaws in their security. There are several distinct reward tiers; the more dangerous the exploit someone finds in Vanguard, the more money they can potentially earn. This starts at $25,000 for a bug that allows outside entities to access users’ private information all the way to $100,000 for “code execution on the kernel level,”

  26. Tomi Engdahl says:

    Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic
    https://www.securityweek.com/ad-fraud-operation-accounted-large-amount-connected-tv-traffic

    A Connected TV (CTV) ad fraud operation managed to generate as much as 28% of the CTV traffic observed in January 2020 by White Ops, a company that specializes in bot fraud protection.

    Referred to as Icebucket, the operation was highly successful until discovered, at its peak impersonating roughly 2 million users in more than 30 countries. It also counterfeited more than 300 different publishers, the researchers say.

    The bots involved in the attacks were hidden “within the limited signal and transparency of server side ad insertion (SSAI) backed video ad impressions,” White Ops says.

    Icebucket, the company says, is the largest case of SSAI spoofing observed to date, in January accounting for 28% of the programmatic CTV traffic that White Ops has visibility into. This translates into around 1.9 billion ad requests per day.

  27. Tomi Engdahl says:

    IT Giant Cognizant Hit by ‘Maze’ Ransomware, Certain Clients Face Service Issues
    https://www.news18.com/news/tech/it-giant-cognizant-hit-by-maze-ransomware-certain-clients-face-service-issues-2584419.html

    According to cybersecurity firm McAfee, hackers who deploy Maze threaten to release information on the internet if the targeted companies fail to pay.

    Cognizant Technology Solutions Corp on Saturday said it was hit by a “Maze” ransomware cyberattack, resulting in service disruptions for some of its clients. The information technology services provider said it was taking steps to contain the incident, with the help of cyber defense companies, and has also engaged with law enforcement authorities.

  28. Tomi Engdahl says:

    Microsoft: Our AI can spot security flaws from just the titles of
    developers’ bug reports
    https://www.zdnet.com/article/microsoft-our-ai-can-spot-security-flaws-from-just-the-titles-of-developers-bug-reports/
    Microsoft’s machine-learning model can speed up the triage process
    when handling bug reports. Microsoft says its machine-learning model
    correctly distinguishes between security and non-security bugs 99% of
    the time. It can also accurately identify critical security bugs 97%
    of the time.

  29. Tomi Engdahl says:

    Students, university clash over forced installation of remote exam
    monitoring software on home PCs
    https://www.zdnet.com/article/students-university-clash-over-plans-to-install-remote-exam-monitoring-software-on-home-pcs/
    The use of remote spying software to prevent cheating has raised an
    outcry from students.

  30. Tomi Engdahl says:

    Separating the Signal from the Noise: How Mandiant Intelligence Rates
    Vulnerabilities Intelligence for Vulnerability Management, Part Three
    https://www.fireeye.com/blog/threat-research/2020/04/how-mandiant-intelligence-rates-vulnerabilities.html

  31. Tomi Engdahl says:

    Google rolls out BeyondCorp Remote Access for browser-based apps
    https://www.zdnet.com/article/google-rolls-out-beyondcorp-remote-access-for-browser-based-apps/
    Google Cloud on Monday rolled out BeyondCorp Remote Access, a new
    cloud-based product that allows employees to securely access their
    company’s internal web apps from any device or any location. Amid the
    scramble to get employees working remotely through the COVID-19
    pandemic, the new product aims to quickly provide secure access to
    browser-based apps.

  32. Tomi Engdahl says:

    Bad news: Cognizant hit by ransomware gang. Worse: It’s Maze, which leaks victims’ data online after non-payment
    https://www.theregister.co.uk/2020/04/21/cognizant_maze_malware/

    IT services biz warns customers could be at risk of infection, too

    New Jersey IT services provider Cognizant has confirmed it is the latest victim of the Maze ransomware.

    The infection was disclosed to the public this weekend. Cognizant said the malware outbreak will likely disrupt service for some of its customers, and possibly put them in danger as well.

    “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” the announcement read.

    Cognizant provides on-premises and cloud-hosted IT services for companies as well as consultancy gigs. The biz has high-value customers in areas such as banking, health care, and manufacturing, and it is ranked in the Fortune 500, so any large-scale attack on its systems is potentially serious.

    The Maze miscreants may not have been the ones to actually compromise the Cognizant network, though. Monitoring service Under the Breach claimed its team spotted someone selling access to an unnamed "major IT provider" for $200,000 roughly a week before the intrusion was revealed, leading it to speculate the Maze crew purchased access to Cognizant's systems from another hacker who performed the task of actually breaking into the network.

    The strategy of leaking data if its demands aren't met is one favored by the ransomware gang, leading to a new threat for organizations that would otherwise have just wiped the ransomware-infected devices and restored from backups without paying the ransom.

    Additionally, the Maze ransomware is particularly well-written and difficult to thwart with technical means.

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/

  33. Tomi Engdahl says:

    Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay
    https://www.theregister.co.uk/2020/04/10/lockheed_martin_spacex_ransomware_leak/

  34. Tomi Engdahl says:

    High-Severity Vulnerability in OpenSSL Allows DoS Attacks
    https://www.securityweek.com/high-severity-vulnerability-openssl-allows-dos-attacks

    An update released on Tuesday for OpenSSL patches a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks.

    The OpenSSL Project, which tracks the flaw as CVE-2020-1967, has described it as a “segmentation fault” in the SSL_check_chain function.

    “Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the ‘signature_algorithms_cert’ TLS extension,” reads the advisory for this vulnerability.

    It adds, “The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.”

    The vulnerability impacts OpenSSL versions 1.1.1d, 1.1.1e and 1.1.1f, and it has been patched with the release of version 1.1.1g.

    Older versions 1.0.2 and 1.1.0, which no longer receive security updates, are not impacted by the flaw.

    https://www.openssl.org/news/secadv/20200421.txt

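The advisory above says the crash is triggered by an unrecognised signature algorithm in the peer's signature_algorithms_cert extension, so the property a receiver needs is to tolerate codepoints it does not know rather than fail on them. The following is an added example, not OpenSSL code and not a reproduction of CVE-2020-1967: an independent parser for the TLS 1.3 extension block and the SignatureScheme list format (RFC 8446 section 4.2.3) that reports unknown values instead of erroring. The sample extension bytes are constructed here, not captured from a real client, and the two private-use codepoints in them are chosen to stand in for "something this receiver has never heard of".

```python
"""Parse the TLS 1.3 signature_algorithms / signature_algorithms_cert extensions
and report codepoints the receiver does not recognise."""
import struct
from typing import Dict, List, Tuple

EXT_SIGNATURE_ALGORITHMS = 13        # RFC 8446 section 4.2.3
EXT_SIGNATURE_ALGORITHMS_CERT = 50

# SignatureScheme codepoints from RFC 8446 section 4.2.3
SIGNATURE_SCHEMES: Dict[int, str] = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
    0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
}


def encode_signature_schemes(schemes: List[int]) -> bytes:
    """Extension body: uint16 list length followed by uint16 SignatureScheme values."""
    body = b"".join(struct.pack("!H", s) for s in schemes)
    return struct.pack("!H", len(body)) + body


def encode_extensions(exts: List[Tuple[int, bytes]]) -> bytes:
    """Extension block: uint16 total length, then (uint16 type, uint16 length, data) entries."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions(buf: bytes) -> Dict[int, bytes]:
    """Split an extension block into {type: body}, rejecting truncation and duplicates."""
    if len(buf) < 2:
        raise ValueError("extension block too short")
    (total,) = struct.unpack("!H", buf[:2])
    if total != len(buf) - 2:
        raise ValueError("extension block length mismatch")
    exts: Dict[int, bytes] = {}
    pos = 2
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        if pos + elen > len(buf):
            raise ValueError("truncated extension body")
        if etype in exts:
            raise ValueError(f"duplicate extension type {etype}")  # forbidden by RFC 8446
        exts[etype] = buf[pos:pos + elen]
        pos += elen
    return exts


def parse_signature_schemes(body: bytes) -> Tuple[List[str], List[int]]:
    """Return (recognised scheme names, unrecognised codepoints). Unknown values are
    reported, never treated as an error: a peer may offer schemes we do not implement."""
    if len(body) < 2:
        raise ValueError("signature scheme list too short")
    (lst_len,) = struct.unpack("!H", body[:2])
    if lst_len == 0 or lst_len % 2 or lst_len != len(body) - 2:
        raise ValueError("bad signature scheme list length")
    known, unknown = [], []
    for off in range(2, 2 + lst_len, 2):
        (code,) = struct.unpack("!H", body[off:off + 2])
        name = SIGNATURE_SCHEMES.get(code)
        if name is None:
            unknown.append(code)
        else:
            known.append(name)
    return known, unknown


def audit_peer_signature_extensions(ext_block: bytes) -> Dict[str, Dict[str, list]]:
    """Report what the peer offered in both signature-related extensions."""
    exts = parse_extensions(ext_block)
    report: Dict[str, Dict[str, list]] = {}
    for label, etype in (("signature_algorithms", EXT_SIGNATURE_ALGORITHMS),
                         ("signature_algorithms_cert", EXT_SIGNATURE_ALGORITHMS_CERT)):
        if etype in exts:
            known, unknown = parse_signature_schemes(exts[etype])
            report[label] = {"known": known, "unknown": unknown}
    return report


# Constructed extension block (not a real capture): the peer offers two private-use
# codepoints (0xFE00-0xFFFF in RFC 8446) in signature_algorithms_cert.
SAMPLE_EXTENSIONS = encode_extensions([
    (EXT_SIGNATURE_ALGORITHMS, encode_signature_schemes([0x0403, 0x0804, 0x0807])),
    (EXT_SIGNATURE_ALGORITHMS_CERT, encode_signature_schemes([0x0403, 0xFE00, 0xFE01])),
])

if __name__ == "__main__":
    for label, found in audit_peer_signature_extensions(SAMPLE_EXTENSIONS).items():
        print(label, "known:", found["known"], "unknown:", [hex(c) for c in found["unknown"]])
```

Whether a given OpenSSL build is affected is still decided by its version, not by a parser like this; the patched release named in the advisory is 1.1.1g.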
  35. Tomi Engdahl says:

    Nearly 25,000 email addresses and passwords allegedly from NIH, WHO, Gates Foundation and others are dumped online
    https://www.washingtonpost.com/technology/2020/04/21/nearly-25000-email-addresses-passwords-allegedly-nih-who-gates-foundation-are-dumped-online/

    The lists, whose origins are unclear, appear to have first been posted to 4chan, a message board notorious for its hateful and extreme political commentary, and later to Pastebin, a text storage site, to Twitter and to far-right extremist channels on Telegram, a messaging app.

    “Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues,” said Rita Katz, SITE’s executive director. “Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials were just another part of a months-long initiative across the far right to weaponize the covid-19 pandemic.”

    The report by SITE, based in Bethesda, Md., said the largest group of alleged emails and passwords was from the NIH, with 9,938 found on lists posted online. The Centers for Disease Control and Prevention had the second-highest number, with 6,857. The World Bank had 5,120. The list of WHO addresses and passwords totaled 2,732.

  36. Tomi Engdahl says:

    IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report
    IT giant admits it made ‘a process error, improper response’ to flaw finder
    https://www.theregister.co.uk/2020/04/21/ibm_security_vulnerabilities/

    IBM has acknowledged that it mishandled a bug report that identified four vulnerabilities in its enterprise security software, and plans to issue an advisory.

    IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some versions of the Linux-powered suite included four exploitable holes, identified and, at first, privately disclosed by security researcher Pedro Ribeiro at no charge. Three are considered to be critical, and one is high risk.

    The software flaws can be chained together to achieve unauthenticated remote code execution as root on a vulnerable installation, as described in an advisory Ribeiro published today on GitHub.

    Prior to going public, Ribeiro had tried to get CERT/CC to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant replied thus: "We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for 'enhanced' support paid for by our customers."

    “This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” said Ribeiro in his disclosure.

    The vulnerabilities consist of authentication bypass, command injection, insecure default password, and arbitrary file download. Using the first three, an unauthenticated remote user can run arbitrary code, and there’s now a Metasploit module to do so.

    The flaws don’t yet have CVE designations, and as far as we can tell, no patches nor updates to address the holes are available right now.

    https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md

  37. Tomi Engdahl says:

    Hackers Can Exfiltrate Data From Air-Gapped Computers Via Fan Vibrations
    https://www.securityweek.com/hackers-can-exfiltrate-data-air-gapped-computers-fan-vibrations

    A researcher was able to exfiltrate data from air-gapped computers using vibrations produced by controlling the rotation speed of the machines’ internal fans.

    Previously, researchers demonstrated that it was possible to exfiltrate data from air-gapped systems via heat emissions, HDD LEDs, infrared cameras, magnetic fields, power lines, router LEDs, scanners, screen brightness, USB devices, and noise from hard drives and fans.

    The newly proposed technique relies on the fact that the entire structure on which a computer is placed is affected by the vibrations produced by the device’s internal fans, and uses sensors in modern smartphones to sense these vibrations.

    In order to transmit data from networkless computers, researcher Mordechai Guri from the Ben-Gurion University of the Negev, Israel, has implemented AiR-ViBeR, new malware that can encode binary information and modulate it over a low frequency vibrational carrier.

    The malware-generated vibrations can then be sensed and decoded by a malicious application on a smartphone placed on the same surface, such as an office desk. Because a mobile device’s sensors such as the accelerometer can be accessed by a malicious application even without asking for the user’s permission, the attack is highly evasive, the researcher argues.

    https://arxiv.org/pdf/2004.06195v1.pdf

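The comment above describes the channel in one sentence: binary data is encoded onto fan speed, the resulting vibration is sampled by a phone's accelerometer, and the bits are decoded from that sample stream. The following is an added simulation of that modem, not the AiR-ViBeR code from the paper: on-off keying with one fan-speed level per bit period, a noisy accelerometer stand-in, and a receiver that calibrates its decision threshold from a known preamble so it does not need to know the fan's absolute vibration amplitude. The amplitude levels, samples per bit, preamble and noise figure are all assumptions chosen for the illustration.

```python
"""On-off keying of bits onto a fan-speed 'carrier', recovered from noisy accelerometer
samples. Constructed simulation, not the AiR-ViBeR implementation; the signal levels,
sample rate and noise are assumptions."""
import random
from typing import List

SAMPLES_PER_BIT = 50                  # accelerometer samples per bit period (assumption)
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]   # known pattern the receiver uses for calibration
LEVEL_IDLE = 0.020                    # vibration amplitude (g) at the low fan speed (assumption)
LEVEL_ACTIVE = 0.070                  # vibration amplitude (g) at the high fan speed (assumption)


def bytes_to_bits(data: bytes) -> List[int]:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def modulate(payload: bytes) -> List[float]:
    """Transmitter side: fan target amplitude per sample. A 1 bit holds the fan at the
    high speed for one bit period, a 0 bit at the low speed."""
    levels: List[float] = []
    for bit in PREAMBLE + bytes_to_bits(payload):
        levels.extend([LEVEL_ACTIVE if bit else LEVEL_IDLE] * SAMPLES_PER_BIT)
    return levels


def sense(levels: List[float], noise_std: float = 0.02, seed: int = 1) -> List[float]:
    """Stand-in for the smartphone accelerometer: true amplitude plus Gaussian noise."""
    rng = random.Random(seed)
    return [lvl + rng.gauss(0.0, noise_std) for lvl in levels]


def demodulate(samples: List[float], payload_len: int) -> bytes:
    """Receiver side: average each bit window, derive the threshold from the preamble
    windows, then slice the remaining windows against it."""
    n_bits = len(PREAMBLE) + payload_len * 8
    if len(samples) < n_bits * SAMPLES_PER_BIT:
        raise ValueError("not enough samples for the claimed payload length")
    means = [sum(samples[i * SAMPLES_PER_BIT:(i + 1) * SAMPLES_PER_BIT]) / SAMPLES_PER_BIT
             for i in range(n_bits)]
    ones = [m for m, b in zip(means, PREAMBLE) if b == 1]
    zeros = [m for m, b in zip(means, PREAMBLE) if b == 0]
    threshold = (sum(ones) / len(ones) + sum(zeros) / len(zeros)) / 2
    bits = [1 if m > threshold else 0 for m in means[len(PREAMBLE):]]
    return bits_to_bytes(bits)


def roundtrip(payload: bytes, noise_std: float = 0.02) -> bytes:
    """Transmit, sense and decode one payload; returns what the receiver recovered."""
    return demodulate(sense(modulate(payload), noise_std), len(payload))


if __name__ == "__main__":
    secret = b"k3y"   # constructed payload
    print(roundtrip(secret))
```

Averaging fifty samples per bit is what makes the channel usable at all: with the assumed per-sample noise the per-window noise shrinks by a factor of about seven, leaving a wide margin around the preamble-derived threshold. Throughput is correspondingly low, which is the usual trade-off for this class of covert channel.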
  38. Tomi Engdahl says:

    Email Addresses And Passwords From WHO, NIH, Wuhan Lab, And Gates Foundation Dumped On 4chan
    https://www.zerohedge.com/health/email-addresses-and-passwords-who-nih-wuhan-lab-and-gates-foundation-dumped-4chan

    A cache of nearly 25,000 email addresses and passwords allegedly belonging to the World Health Organization (WHO), National Institutes of Health (NIH), Wuhan Institute of Virology, Bill Gates Foundation and several other groups involved with the coronavirus pandemic response were dumped on 4chan before appearing on several other websites, according to the SITE Intelligence Group.

    WHO chief information officer Bernardo Mariano told Bloomberg that the organization wasn’t hacked, and that the data was possibly obtained through prior data breaches.

    “The employees may have used their work email address to register an account for a particular website, and then that website has been hacked, leaking their password.”

  39. Tomi Engdahl says:

    Cryptographer suggests Australia adopt decentralised model for COVID-19 app
    https://itwire.com/government-tech-policy/cryptographer-suggests-australia-adopt-decentralised-model-for-covid-19-app.html

    Australia should not follow Singapore and adopt a centralised model for its coronavirus contact-tracing app, cryptographer Vanessa Teague says, pointing out that with this model if someone tests positive, their list of contacts is given to the authorities.

    Outlining the way Singapore’s TraceTogether app works, Teague, who is the chief executive of Thinking Cybersecurity, said in a post on GitHub that when one phone was near another, the app sent random-looking beacons over Bluetooth. These TempIDs were encrypted and generated by the central server and there were several problems with this model.

    “When you download your encrypted IDs, you are relying on them to be a truthful reflection of your ID. If a software bug, security problem, or network attack gives you someone else’s encrypted IDs instead, you have no way to notice,” she said. “If you send IDs that are not yours, then when someone near you tests positive, you will not be notified.”

    “Crucially, even if we get the source code for the Australian app, we cannot test that the encryption is being computed properly, since it is not being computed by the app,” Teague said.

    “Singapore’s server code is openly available (good), but an Australian server could decide to downgrade its encryption at any time, even after deployment, and could do so for some people but not others. This would make you easily tracked through shopping malls and other public (and private) spaces, even if you never test positive.”

    The Singapore app trusted Google’s Firebase cloud to hold all the information that was collected and Firebase employees were able to access private information.

    “In its TraceTogether form, I would be happy to run it on the train but refuse to run it in my home or office,” she said. “I need to see the details of Australia’s version before I decide. Informed consent requires telling us what we’re consenting to. Open source code is a minimal requirement.”

    https://github.com/vteague/contactTracing/

    Reply
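    The centralised TempID scheme Teague describes, and the decentralised alternative she argues for, reduced to a runnable toy. This is an added illustration, not code from TraceTogether, COVIDSafe or Teague's GitHub repository; the 16-byte nonce layout, the fixed 8-byte user ID, the HMAC-as-keystream construction, the counter-based beacon derivation and all class and function names are assumptions made for the example.

```python
"""Toy of the two contact-tracing designs discussed above (added illustration).

Centralised: the server holds the only key and hands each phone opaque
encrypted TempIDs. The phone can check only that a blob has the right
shape; it cannot tell whether the blob encodes its own identity, nor
whether the server quietly stopped encrypting for it.
Decentralised: each phone derives its beacons from a daily key it
generated itself, so it can verify any beacon locally and releases the
key only after a positive test.
All layouts, sizes and names here are assumptions for the illustration.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16       # assumed layout: 16-byte nonce followed by the payload
USER_ID_LEN = 8      # assumed fixed-size user identifier
BEACON_LEN = 16      # assumed beacon size for the decentralised model
MAX_COUNTER = 256    # assumed number of beacons derived per day key


def _prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 used as a pseudo-random function."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CentralServer:
    """Holds the only key; phones never see it."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def issue_tempids(self, user_id: bytes, count: int, downgrade: bool = False) -> list:
        assert len(user_id) == USER_ID_LEN
        ids = []
        for _ in range(count):
            nonce = secrets.token_bytes(NONCE_LEN)
            if downgrade:
                payload = user_id                    # encryption silently turned off
            else:
                payload = _xor(user_id, _prf(self._key, nonce)[:USER_ID_LEN])
            ids.append(nonce + payload)
        return ids

    def resolve(self, tempid: bytes, downgraded: bool = False) -> bytes:
        """Server-side mapping of a TempID back to the user (only it can do this)."""
        nonce, payload = tempid[:NONCE_LEN], tempid[NONCE_LEN:]
        if downgraded:
            return payload
        return _xor(payload, _prf(self._key, nonce)[:USER_ID_LEN])


def central_phone_accepts(tempid: bytes) -> bool:
    """All a keyless phone can check is the shape of the blob: it cannot
    tell its own IDs from someone else's, or ciphertext from plaintext."""
    return len(tempid) == NONCE_LEN + USER_ID_LEN


class LocalPhone:
    """Decentralised: beacons are derived from a self-generated daily key."""

    def __init__(self) -> None:
        self.day_key = secrets.token_bytes(32)
        self.counter = 0
        self.heard = []          # beacons received from nearby phones

    def next_beacon(self) -> bytes:
        beacon = _prf(self.day_key, self.counter.to_bytes(4, "big"))[:BEACON_LEN]
        self.counter += 1
        return beacon

    def owns_beacon(self, beacon: bytes) -> bool:
        """Local verification: no server is needed to confirm a beacon is mine."""
        return any(
            hmac.compare_digest(beacon, _prf(self.day_key, i.to_bytes(4, "big"))[:BEACON_LEN])
            for i in range(MAX_COUNTER)
        )

    def publish_key(self) -> bytes:
        """Released only after a positive test; lets contacts match locally."""
        return self.day_key

    @staticmethod
    def was_exposed(heard: list, published_key: bytes) -> bool:
        """Run by every other phone against keys published by positive cases."""
        candidates = {_prf(published_key, i.to_bytes(4, "big"))[:BEACON_LEN] for i in range(MAX_COUNTER)}
        return any(b in candidates for b in heard)


if __name__ == "__main__":
    server = CentralServer()
    alice_ids = server.issue_tempids(b"user0001", 3)
    bob_ids = server.issue_tempids(b"user0002", 3, downgrade=True)   # downgraded for one user only
    print("phone accepts its own ID:", central_phone_accepts(alice_ids[0]))
    print("phone accepts a swapped-in foreign ID:", central_phone_accepts(bob_ids[0]))
    print("downgraded ID carries plaintext:", bob_ids[0][NONCE_LEN:] == b"user0002")
    p, q = LocalPhone(), LocalPhone()
    bp = p.next_beacon()
    q.heard.append(bp)
    print("decentralised phone verifies own beacon:", p.owns_beacon(bp))
    print("contact matched after key release:", LocalPhone.was_exposed(q.heard, p.publish_key()))
```

    The centralised half models the two concerns in the quoted post: a phone given someone else's TempIDs (or plaintext ones) accepts them just as readily as its own, and only the server can resolve either kind. The decentralised half shows the property that removes the trust problem: ownership and exposure are both checked with keys the phone generated itself.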
  40. Tomi Engdahl says:

    Air Force to offer up a satellite to hackers at Defcon 2020
    https://nakedsecurity.sophos.com/2019/09/19/air-force-to-offer-up-a-satellite-to-hackers-at-defcon-2020/

    Last month, when the US Air Force went to the Defcon hacker conference, it dragged along an F-15 fighter-jet data system.

    The destination: a corner of the conference where the first-ever Aviation Village brought together the aviation industry with the infosec/hacker community. There, vetted security researchers picked that system to pieces.

    As in, they literally went at it with screwdrivers and pliers. They filled hotel glasses with screws, nuts and bolts from the Trusted Aircraft Information Download Station. They also remotely inflicted malware on the unit, which collects video and sensor data while the F-15 is in flight.

    The attitude of the Air Force to the results: well, that went well. Now, the Air Force has decided to up the ante, as Wired reports. Next year, it’s offering up an orbiting satellite.

    As Wired has reported, aviation companies have flat-out denied the validity of security researchers’ findings, in spite of some tragic outcomes.

    Vetted researchers’ hacking of an F-15 this year and next year’s hacking of a satellite are just the latest signs of this evolution in the government’s approach to military cyber-, hardware, and supply-chain security.

    In 2017, we saw the Air Force offer its first-ever bug bounty program, Hack the Air Force. The Pentagon did the same thing the year before, as did the US Army.

    Reply
  41. Tomi Engdahl says:

    Gates Foundation & WHO Email IDs & Passwords Among 25,000 Hacked
    https://www.thequint.com/tech-and-auto/tech-news/gates-foundation-who-among-25000-email-ids-and-passwords-hacked

    The email addresses and passwords were posted on message boards such as 4chan & Pastebin and also to Telegram.

    The data dump also appears to carry email addresses and passwords for a virology centre based in Wuhan, which has given rise to a lot of conspiracy theories.

    According to a report in The Washington Post, unknown activists posted 25,000 email addresses and passwords online. This was brought to light by SITE Intelligence Group, a body that monitors online extremism and terrorist groups. Robert Potter, an independent Australian cybersecurity expert, said the data was real as he could verify some of the email IDs and passwords of WHO.

    However, he points out it could be from an earlier attack as cybersecurity tends to be quite low at healthcare organisations.

    Reply
  42. Tomi Engdahl says:

    A new iPhone email security bug may let hackers steal private data
    https://techcrunch.com/2020/04/22/iphone-zero-day-steal-data/

    Apple will patch a newly discovered iPhone vulnerability that security researchers say hackers have already used to steal data from their victims’ devices.

    News of the vulnerability dropped Wednesday by security firm ZecOps. Zuk Avraham, the company’s chief executive, said the firm found the bug last year during a routine investigation. At least six organizations were targeted by attackers as far back as 2018, he said.

    Avraham said the bug is in the iPhone’s default Mail app. By sending a specially crafted email to the victim’s device, an attacker can overrun the device’s memory, allowing the attacker to remotely run malicious code to steal data from the device, he said.

    You’ve Got (0-click) Mail!
    https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/

    Reply
  43. Tomi Engdahl says:

    Nation-backed Hackers Tune Attacks to COVID-19 Fears: Google
    https://www.securityweek.com/nation-backed-hackers-tune-attacks-covid-19-fears-google

    Google on Wednesday warned that nation-backed hackers are exploiting the coronavirus pandemic to target health care organizations and those working to fight the pandemic.

    A security team tasked with defending against government-backed cyberattacks on Google and its users said it identified more than a dozen state-sponsored groups using COVID-19 themes as bait in phishing and malware traps.

    Early this month, Google reported that it was detecting about 18 million pandemic-themed malware or phishing messages per day and some 240 million COVID-linked spam messages.

    “Hackers frequently look at crises as an opportunity, and COVID-19 is no different,” Shane Huntley of Google Threat Analysis Group said in a blog post.

    Reply
  44. Tomi Engdahl says:

    Cyber Resilience: Doing More with Less
    https://www.securityweek.com/cyber-resilience-doing-more-less

    The COVID-19 Health Crisis is Forcing Enterprise Security Teams to Deliver More With Less

    It’s definitely not business as usual. Threat actors are taking full advantage of these uncertain times by launching a wave of new cyber-attacks, leveraging tactics such as phishing, ransomware, and credential stuffing. Ransomware attacks alone skyrocketed 148% in the past month, according to VMware Carbon Black threat researchers. At the same time, many organizations are being forced to downsize staff and delay planned IT security projects. Now more than ever, it’s important to focus on defense strategies that assure the biggest bang for the buck. So where should organizations focus to improve resilience while stretching their budget further?

    According to ESG research, 62% of organizations were poised to increase spending on cyber security in 2020. In fact, 32% of survey respondents said they would invest in cyber security technologies using AI/ML for threat detection, followed by data security (31%), network security (30%), and cloud application security (27%). Obviously, these priorities have been turned upside down and the new normal requires a complete rethinking of traditional security strategies.

    The following five best practices, based on an analysis of threat actors’ TTPs, can improve cyber resilience without the need for more resources:

    1. Establish Secure Remote Access… for Workforce and IT Admins
    2. Avoid Taking the (Phishing) Bait
    3. Step Up Your Multi-Factor Authentication Game
    4. Boost Your Infrastructure Immunity Against Ransomware
    5. Enforce Least Privilege

    With IT budgets being cut back in response to the economic contraction caused by the current health crisis, security teams need to deliver more with less. Focusing on identity as a security perimeter is an efficient and effective way to mitigate cyber-threats.

    Reply
  45. Tomi Engdahl says:

    Google Sees State-Sponsored Hackers Ramping Up Coronavirus Attacks
    https://www.wired.com/story/google-state-sponsored-hackers-coronavirus-phishing-malware/
    More than 12 government-backed groups are using the pandemic as cover for digital reconnaissance and espionage, according to a new report.

    Report:
    https://blog.google/technology/safety-security/threat-analysis-group/findings-covid-19-and-online-security-threats/

    Reply
