Cyber Security News April 2020

This posting is here to collect cyber security news in April 2020.

I post links to security vulnerability news with short descriptions to the comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.

218 Comments

  1. Tomi Engdahl says:

    Chinese Agents Helped Spread Messages That Sowed Virus Panic in U.S.,
    Officials Say
    https://www.nytimes.com/2020/04/22/us/politics/coronavirus-china-disinformation.html
    American officials were alarmed by fake text messages and social media
    posts that said President Trump was locking down the country. Experts
    see a convergence with Russian tactics.

    Reply
  2. Tomi Engdahl says:

    Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese
    Ministry of Emergency Management in Latest Example of COVID-19 Related
    Espionage
    https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html
    - From at least January to April 2020, suspected Vietnamese actors APT32
    carried out intrusion campaigns against Chinese targets that Mandiant
    Threat Intelligence believes were designed to collect intelligence on
    the COVID-19 crisis.

    Reply
  3. Tomi Engdahl says:

    Questioning China’s Politicization of Cyber Intelligence During
    Pandemic
    https://www.cfr.org/blog/questioning-chinas-politicization-cyber-intelligence-during-pandemic
    Recently, Chinese cybersecurity companies have reported an intrusion
    campaign targeting government networks and health-care systems during
    the COVID-19 pandemic. A campaign of this magnitude threatens to
    degrade international norms for the protection of health systems that
    are already under unprecedented pressures. However, there is reason to
    question the narrative from Beijing and these companies.

    Reply
  4. Tomi Engdahl says:

    GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps
    Static analyzer proves its worth with discovery of null-pointer error
    https://www.theregister.co.uk/2020/04/23/gcc_openssl_vulnerability/
    Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team. It is possible to crash a server or application that uses a vulnerable build of OpenSSL by sending specially crafted messages while setting up a TLS 1.3 connection.
    High-Severity Vulnerability in OpenSSL Allows DoS Attacks
    https://www.securityweek.com/high-severity-vulnerability-openssl-allows-dos-attacks
    An update released on Tuesday for OpenSSL patches a high-severity vulnerability that can be exploited for denial-of-service (DoS) attacks.
    The OpenSSL Project, which tracks the flaw as CVE-2020-1967, has described it as a “segmentation fault” in
    the SSL_check_chain function.
    “Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3
    handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the
    ‘signature_algorithms_cert’ TLS extension,” reads the advisory for this vulnerability.
    It adds, “The crash occurs if an invalid or unrecognised signature algorithm is received from the peer.
    This could be exploited by a malicious peer in a Denial of Service attack.”
    The vulnerability impacts OpenSSL versions 1.1.1d, 1.1.1e and 1.1.1f, and it has been patched with the
    release of version 1.1.1g.
    Older versions 1.0.2 and 1.1.0, which no longer receive security updates, are not impacted by the flaw.
    https://www.openssl.org/news/secadv/20200421.txt

    Reply
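The advisory quoted above names the affected releases exactly (1.1.1d, 1.1.1e, 1.1.1f) and the fixed one (1.1.1g). The following is an added example, not code from the OpenSSL project or from the articles linked here: it parses the banner printed by `openssl version` and classifies it against those version facts so an inventory script can flag hosts that still need the 1.1.1g update. The sample banners are constructed; the classification of 1.1.1 releases before "d" as not affected follows the advisory's statement that only d, e and f are affected.

```python
"""Classify an OpenSSL version banner against CVE-2020-1967 (added example)."""
import re
import subprocess

# Releases named as affected in the OpenSSL advisory of 21 April 2020.
AFFECTED = {"1.1.1d", "1.1.1e", "1.1.1f"}
# First 1.1.1 letter release that carries the fix.
FIXED_LETTER = "g"

# Matches e.g. "OpenSSL 1.1.1f  31 Mar 2020" -> base "1.1.1", letter "f".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (base, letter) from an `openssl version` banner, or None
    when the banner is not an OpenSSL one (LibreSSL, garbage, ...)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), m.group(2)


def cve_2020_1967_status(banner):
    """One of 'affected', 'fixed', 'not-affected' or 'unknown'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    base, letter = parsed
    if base + letter in AFFECTED:
        return "affected"
    if base == "1.1.1" and letter >= FIXED_LETTER:
        # 1.1.1g and later letter releases contain the fix.
        return "fixed"
    # 1.1.1 through 1.1.1c predate the bug; 1.0.2 and 1.1.0 never had it
    # (though both are out of support, which is a separate finding).
    return "not-affected"


def local_openssl_status():
    """Run the local `openssl version` binary, if present, and classify it."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return "unknown"
    return cve_2020_1967_status(out)


if __name__ == "__main__":
    # Constructed sample banners.
    for banner in ("OpenSSL 1.1.1f  31 Mar 2020",
                   "OpenSSL 1.1.1g  21 Apr 2020",
                   "OpenSSL 1.0.2u  20 Dec 2019",
                   "LibreSSL 2.8.3"):
        print(f"{banner!r:40} -> {cve_2020_1967_status(banner)}")
    print("local build ->", local_openssl_status())
```

Note that a distribution may backport the fix without changing the banner letter, so on Debian- or RHEL-style systems the package changelog, not the banner, is authoritative; the banner check is a first pass for spotting self-built or vendored copies.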
  5. Tomi Engdahl says:

    When in Doubt: Hang Up, Look Up, & Call Back
    https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/
    Many security-conscious people probably think they’d never fall for a
    phone-based phishing scam. But if your response to such a scam
    involves anything other than hanging up and calling back the entity
    that claims to be calling, you may be in for a rude awakening. Here’s
    how one security and tech-savvy reader got taken for more than $10,000
    in an elaborate, weeks-long ruse.

    Reply
  6. Tomi Engdahl says:

    Customer complaint phishing pushes network hacking malware
    https://www.bleepingcomputer.com/news/security/customer-complaint-phishing-pushes-network-hacking-malware/
    A new phishing campaign is underway that targets a company’s employees
    with fake customer complaints that install a new backdoor used to
    compromise a network.

    Reply
  7. Tomi Engdahl says:

    WHO, CDC and Bill and Melinda Gates Foundation Victims of Credential
    Dump, Report
    https://threatpost.com/who-cdc-and-bill-and-melinda-gates-foundation-victims-of-credential-dump-report/155081/
    Hackers have used credentials allegedly stolen from the WHO, CDC and
    other notable groups to spread coronavirus misinformation online.

    Reply
  8. Tomi Engdahl says:

    NSA: Hackers exploit these vulnerabilities to deploy backdoors
    https://www.bleepingcomputer.com/news/security/nsa-hackers-exploit-these-vulnerabilities-to-deploy-backdoors/
    The NSA has a dedicated GitHub repository containing tools that
    companies can use to detect and block web shell threats, and to
    prevent web shell deployment including:

    Reply
  9. Tomi Engdahl says:

    Endpoint security firm Malwarebytes has launched a new VPN offering targeting work from home and consumer markets, featuring AES 256 encryption, WireGuard VPN protocol, no logging, and virtual servers in more than 30 different countries.

    https://www.securityweek.com/malwarebytes-unveils-new-privacy-vpn-service
    https://www.malwarebytes.com/vpn

    Reply
  10. Tomi Engdahl says:

    Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China
    https://www.securityweek.com/vietnamese-hackers-mount-covid-19-espionage-campaigns-against-china

    A Vietnam-linked threat actor tracked as APT32 is believed to have carried out intrusion campaigns against Chinese entities in an effort to collect intelligence on the COVID-19 crisis, FireEye reports.

    A state-sponsored hacking group also known as OceanLotus and APT-C-00, APT32 is believed to be well-resourced and determined, and was previously observed targeting corporate and government organizations in Southeast Asia.

    The most recent attacks associated with the group started with spear phishing messages sent to China’s Ministry of Emergency Management and to the government of Wuhan province, which is considered the epicenter of the current coronavirus pandemic.

    Reply
  11. Tomi Engdahl says:

    Rapid Change is the New Normal
    https://www.securityweek.com/rapid-change-new-normal

    Change is the New Normal, and it is Coming at a Speed That Few Have Been Ready For

    Over the past several weeks, threat researchers have been documenting a dramatic shift in the behavior of cybercriminals. March, for example, saw a 131% increase in viruses over the previous year, many of them attributed to the rise in phishing attacks – an average of about 600 new attacks per day – targeting remote workers. At the same time, traditional attacks have fallen off, with indicators like IPS triggers and botnets dropping by over 30%.

    Of course, this shift mirrors the dramatic change in how organizations do business. With millions of companies and workers suddenly transitioning to a remote worker model, cybercriminals are eager to scan this new attack surface, looking for weaknesses and security gaps to exploit. And given the rapid pace at which these changes took place, their chances of success are very high.

    Lessons Learned

    As a result, there are a couple of takeaways that every organization should take into consideration, starting with making sure that they have a comprehensive BCDR (business continuity/disaster recovery) plan in place. Even organizations with plans in place may have been caught off-guard because they never imagined that they would have to move their entire workforce to teleworker status so rapidly.

    While nearly every organization has some percentage of their workforce – mostly road warriors – working remotely, the next biggest issue has been scalability. VPN aggregation tools at the network perimeter were swamped. And helpdesks were unprepared to address the volume of calls coming in from workers trying to use their personal laptops, desktops, and tablets to connect to the network. Novice remote workers not only needed additional hand-holding from IT, they have also been hotly targeted by cybercriminals looking for a weak link back into the network.

    That’s because even the most challenging connectivity issues pale in comparison to the security issues that have arisen. Security is traditionally the most resistant to change. All of this new remote traffic needs to be encrypted, so every device needs a VPN client installed. But that’s the easy part. That encrypted traffic also needs to be inspected, and most commercial firewalls are not up to the task. Inspecting encrypted traffic is the Achilles’ heel of most firewalls, which means perimeter security has become a severe bottleneck for users needing access to critical resources stored on-premises.

    Likewise, log files from all of these new remote connections need to be monitored and reviewed – and that process is overwhelming IT team members already overloaded with ensuring essential business continuity. And this doesn’t even cover the issues associated with securing all of the personal endpoint devices joining the network, or the unsecured home networks they are connecting from.

    The Need for Security-Driven Networking

    This dramatic shift, both in this new network model and the latest attack strategies and tactics being used by the cybercriminal community, is a clear sign that organizations need to seriously rethink and reengineer their security model. The most significant change is to stop thinking about security as a framework that operates outside the network. The changes organizations are facing right now are only the tip of the iceberg in terms of network disruption. Edge computing, rich media streaming, and the launch of 5G will further compound the security challenges organizations are currently facing.

    Three Critical Elements

    This all starts with three critical elements: integrated platforms, automation, and management.

    An Integrated Security Platform

    Having a “security platform” in place may have been a strategic security decision several years ago, but yesterday’s standard platform doesn’t meet the challenges of today’s networks. To be useful, platforms need to be more than just a collection of security devices running inside a single solution.

    • All of the elements of a security platform must be fully integrated into a cohesive security solution, ideally running on a single operating system.

    • The platform needs to be built on open standards and APIs so that it can be integrated with third-party security solutions.

    • Those open standards also need to enable the platform to work seamlessly with networking devices.

    • The platform also needs to be available in a variety of form factors, work natively in virtually any cloud provider environment, and provide consistent policy enforcement across and between every environment in which it is deployed for consistent functionality and policy enforcement.

    • In many cases, security and networking functionality need to actually be the exact same solution, especially in highly dynamic environments such as Secure SD-WAN and SD-Branch deployments and in Remote Worker environments for secure connectivity across multiple network environments.

    AI and Automation

    Platforms built on the principles of a security-driven network also need to include AI and automation to ensure that security can keep up with dynamic changes in the cybersecurity community. An AI system can do more than replace the mundane tasks of IT workers. It can collect and analyze massive amounts of threat intelligence, correlate the contents, identify threats, and then automatically respond without human intervention. And it can get better and better at this task over time, significantly reducing the overhead associated with securing highly dynamic network environments.

    Centralized Visibility and Control

    The final critical component is a single pane of glass management and orchestration to ensure a unified point of control for the entire integrated security platform fabric. Remote access, access points (both wired and wireless), network connectivity and traffic management, application recognition, and a full range of advanced security tools all need to be able to be configured, updated, and orchestrated through a single device.

    Recent Changes are Not an Anomaly – They are the New Normal

    The rate at which recent networking changes have had to occur, and the speed at which cybercriminals have been able to respond, teach us clearly what is needed going forward to ensure ongoing proactive cyber protection. W

    Reply
  12. Tomi Engdahl says:

    Passwords for WHO, CDC, Gates Foundation employees reportedly spread online
    https://www.cnet.com/news/passwords-for-who-cdc-gates-foundation-employees-reportedly-spread-online/

    WHO says the data wasn’t recent, and affected only one older system.

    Email addresses and passwords for almost 25,000 employees at high-profile health organizations fighting the novel coronavirus pandemic were dumped online and spread via Twitter, according to a report published by The Washington Post on Wednesday. The World Health Organization, the Centers for Disease Control and Prevention, the Bill & Melinda Gates Foundation and the National Institutes of Health were among the groups reportedly affected by the exposed data, according to the paper.

    SITE Intelligence Group, which reports on the activities of extremist groups from all over the world, found the data and reported its spread, according to the paper. It’s unclear whether the data came from breaches of systems belonging to the affected groups or from earlier data breaches of other systems. An Australian security researcher told the Post that the WHO passwords worked to log into employees’ emails. Email and password combinations for people at the Wuhan Institute of Virology, a facility near the Chinese city where the disease was discovered, also circulated online. 

    Reply
  13. Tomi Engdahl says:

    Nintendo confirms up to 160,000 people’s accounts were hacked
    Their nicknames, dates of birth, locations and emails may have been accessed.
    https://www.cnet.com/news/nintendo-confirms-up-to-160000-peoples-accounts-were-hacked/

    Nintendo acknowledged on Friday that it suffered a major privacy breach, with the accounts of up to 160,000 people having been accessed. The breach began in early April, and was linked to its Nintendo Network ID login system, the company said on its Japanese support site.

    Reply
  14. Tomi Engdahl says:

    1984, just went live in Australia :(

    Coronavirus Australia live news: Greg Hunt says coronavirus tracing app COVIDSafe is so secure ‘not even you’ can access your data
    https://mobile.abc.net.au/news/2020-04-26/coronavirus-australia-live-news-covid-19-latest/12185442?pfmredir=sm

    Australians were told the COVIDSafe tracing app will keep data encrypted on a user’s phone for 21 days, and it can only be accessed by a state health official if the user consents.

    I want to clarify (thanks to a very helpful blog reader) that the app has built-in mechanisms for these sorts of non-sustained contacts of 15 minutes. Here’s what the COVIDSafe FAQ says:

    COVIDSafe will poll every minute for new connections and to note the duration of existing connections.
    A filtering process on the highly secure information storage system separates information that meets the close contact requirements and makes it available to the relevant state or territory health officials.
    This allows the Australian Government to adjust the filtering process if advised by state or territory health officials – for example to increase or decrease distance, contact time or to account for multiple contact periods in a certain window timeframe (for example, two or more 10 minute contacts within an hour).

    Per the COVIDSafe FAQs, the app actually polls for data every minute “for new connections and to note the duration of existing connections”. Therefore the government can “adjust the filtering process if advised by state or territory health officials – for example to increase or decrease distance, contact time or to account for multiple contact periods in a certain window timeframe”.

    Reply
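The FAQ quoted in the comment above describes a per-minute poll and a filtering step whose parameters (distance, contact time, multiple contact periods in a window) health officials can adjust. The following is an added example, not COVIDSafe's code: a small model of such a filter, run over constructed poll records, so the effect of those parameters can be seen concretely. The threshold values (1.5 m, 15 minutes, a 60-minute window) are illustrative assumptions, not the real ones, and the distance field stands in for whatever the app derives from Bluetooth signal strength.

```python
"""Model of a close-contact filter over per-minute proximity polls (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Poll:
    minute: int        # minutes since an arbitrary epoch; one poll per minute
    device_id: str     # identifier of the other phone (rotating in a real app)
    distance_m: float  # estimated distance; assumed to be derived from signal strength


def contact_minutes(polls, device_id, max_distance_m):
    """Sorted minutes at which device_id was seen within max_distance_m."""
    return sorted({p.minute for p in polls
                   if p.device_id == device_id and p.distance_m <= max_distance_m})


def episodes(polls, device_id, max_distance_m):
    """Group consecutive contact minutes into (start, end) episodes.
    A missed minute ends the episode, so a 10 + 10 minute contact with
    a gap yields two episodes, not one."""
    out = []
    for m in contact_minutes(polls, device_id, max_distance_m):
        if out and m == out[-1][1] + 1:
            out[-1] = (out[-1][0], m)
        else:
            out.append((m, m))
    return out


def close_contact(polls, device_id, *, max_distance_m=1.5, min_minutes=15,
                  window_minutes=60):
    """True if one sustained episode lasts >= min_minutes, or if the contact
    minutes falling inside any window of window_minutes add up to
    >= min_minutes (the FAQ's 'two 10-minute contacts within an hour')."""
    for start, end in episodes(polls, device_id, max_distance_m):
        if end - start + 1 >= min_minutes:
            return True
    minutes = contact_minutes(polls, device_id, max_distance_m)
    for i, start in enumerate(minutes):
        # Slide a window whose left edge is each contact minute in turn.
        in_window = sum(1 for m in minutes[i:] if m < start + window_minutes)
        if in_window >= min_minutes:
            return True
    return False


def close_contacts(polls, **params):
    """Apply the filter to every device seen in the poll log."""
    devices = sorted({p.device_id for p in polls})
    return {d: close_contact(polls, d, **params) for d in devices}


def build_sample_polls():
    """Constructed poll log with four neighbouring devices:
    A: 20 consecutive minutes close by (sustained contact)
    B: two separate 10-minute contacts within one hour
    C: two 10-minute contacts 100 minutes apart
    D: 30 consecutive minutes but at 3 m (beyond the default distance)"""
    polls = []

    def add(device, minutes, distance):
        for m in minutes:
            polls.append(Poll(m, device, distance))

    add("A", range(0, 20), 1.0)
    add("B", list(range(0, 10)) + list(range(30, 40)), 1.0)
    add("C", list(range(0, 10)) + list(range(100, 110)), 1.0)
    add("D", range(0, 30), 3.0)
    return polls


if __name__ == "__main__":
    log = build_sample_polls()
    print("defaults:        ", close_contacts(log))
    print("20-minute window:", close_contacts(log, window_minutes=20))
    print("5 m distance:    ", close_contacts(log, max_distance_m=5.0))
```

The point of the example is the one the commenter makes: the raw log is the same in every run, and only the server-side parameters decide who counts as a contact, which is why the policy governing those parameters matters as much as the encryption of the data at rest.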
  15. Tomi Engdahl says:

    Legions of cybersecurity volunteers rally to protect hospitals during COVID-19 crisis
    https://www.csoonline.com/article/3539319/legions-of-cybersecurity-volunteers-rally-to-protect-hospitals-during-covid-19-crisis.html

    The COVID-19 Cyber Threat Intelligence League and other groups cooperate with the industry, law enforcement, and the government to prevent attacks on healthcare providers.

    Reply
  16. Tomi Engdahl says:

    Cognizant’s ransomware attack is making peers like TCS and Infosys nervous — and they are beefing up security
    https://www.businessinsider.in/tech/news/cognizants-ransomware-attack-is-making-peers-like-tcs-and-infosys-nervous-and-they-are-beefing-up-security/articleshow/75271532.cms

    The Maze ransomware attack on Cognizant workers will have an impact on its revenue and operations in the coming year, according to the company filings with the Securities and Exchange Commission (SEC) in the US.
    The attack has put Indian IT companies like Infosys, Wipro and Tata Consultancy Services (TCS) on alert to continuously monitor their own systems.

    Reply
  17. Tomi Engdahl says:

    Academics steal data from air-gapped systems using PC fan vibrations
    Israeli researchers use vibrations from CPU, GPU, or PC chassis fans to broadcast stolen information through solid materials and to nearby receivers, breaking air-gapped system protections.

    https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-using-pc-fan-vibrations/?ftag=TREc64629f&bhid=65342234&mid=12794455&cid=716803486

    Reply
  18. Tomi Engdahl says:

    Critical ‘starbleed’ vulnerability in FPGA chips identified
    https://www.eurekalert.org/pub_releases/2020-04/rb-cv041620.php

    FPGA chips are part of many safety-critical applications; they have one particular valuable feature: they are individually reprogrammable — but with this feature also comes a risk

    Reply
  19. Tomi Engdahl says:

    Your Whole Company’s Microsoft Teams Data Could’ve Been Stolen With An ‘Evil GIF’
    https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-whole-companys-microsoft-teams-data-couldve-been-stolen-with-an-evil-gif/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie/#676f7264696

    Tech giants are fighting to become the de facto videoconferencing tool for remote workers in the time of COVID-19. Zoom rose to the top fast, but thanks to various security and privacy issues, was pegged back by competitors. But rivals have their flaws too, as evidenced by a weakness discovered in Microsoft’s collaboration and videoconferencing tool Teams, as revealed on Monday.

    For at least three weeks from the end of February till mid-March, a malicious GIF could’ve stolen user data from Microsoft Teams accounts, possibly across an entire company, and taken control of “an organization’s entire roster of Teams accounts,” cybersecurity researchers have warned.

    Reply
  20. Tomi Engdahl says:

    Unpatchable ‘Starbleed’ Bug in FPGA Chips Exposes Critical Devices to Hackers
    https://thehackernews.com/2020/04/fpga-chip-vulnerability.html

    A newly discovered unpatchable hardware vulnerability in Xilinx programmable logic products could allow an attacker to break bitstream encryption, and clone intellectual property, change the functionality, and even implant hardware Trojans.
    The details of the attacks against Xilinx 7-Series and Virtex-6 Field Programmable Gate Arrays (FPGAs) have been covered in a paper titled “The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs” by a group of academics from the Horst Goertz Institute for IT Security and Max Planck Institute for Cyber Security and Privacy.

    The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs
    https://www.usenix.org/conference/usenixsecurity20/presentation/ender

    Reply
  21. Tomi Engdahl says:

    Hidden bug in FPGA chips can help hackers steal critical data
    A critical vulnerability in FPGA chips can help hackers steal key data of enterprises
    https://gulfnews.com/technology/hidden-bug-in-fpga-chips-can-help-hackers-steal-critical-data-1.1587319240780

    Reply
  22. Tomi Engdahl says:

    Lawmakers warn coronavirus contact-tracing is ripe for abusive surveillance
    https://news.yahoo.com/lawmakers-warn-coronavirus-contact-tracing-110029995.html

    Reply
  23. Tomi Engdahl says:

    Sneaky Zero-Click Attacks Are a Hidden Menace
    https://www.wired.com/story/sneaky-zero-click-attacks-hidden-menace/
    Hacks that can play out without any user interaction may be more
    common than we realize, in part because they’re so difficult to
    detect. Institutions and regular web users are always on alert about
    avoiding errant clicks and downloads online that could lead their
    devices to be infected with malware. But not all attacks require a
    user slip-up to open the door. Research published this week by the
    threat monitoring firm ZecOps shows the types of vulnerabilities
    hackers can exploit to launch attacks that don’t require any
    interaction from the victim at all and the ways such hacking tools may
    be proliferating undetected. Read also:
    https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/

    Reply
  24. Tomi Engdahl says:

    400,000 US, South Korean card records put up for sale online
    https://www.bleepingcomputer.com/news/security/400000-us-south-korean-card-records-put-up-for-sale-online/
    Details on roughly 400,000 payment cards related to US and South
    Korean financial organizations and banks are currently up for sale on
    Joker’s Stash, the largest carding shop on the Internet.

    Reply
  25. Tomi Engdahl says:

    It’s a great time to tackle core IT upgrades
    https://www.zdnet.com/article/its-a-great-time-to-tackle-core-it-upgrades/
    And to catch up with all those security patches, too. During normal
    times, the enterprise IT department treads cautiously in making any
    changes to their main production environments. There are serious risks
    of upsetting core IT business processes by making a change that sets
    off unexpected problems. There’s always a big backlog of IT tasks that
    need to be done. However, it looks like there’s a way to get that list
    done a lot more quickly during the COVID-19 lockdown of 2020.

    Reply
  26. Tomi Engdahl says:

    Symlink race bugs discovered in 28 antivirus products
    https://www.zdnet.com/article/symlink-race-bugs-discovered-in-28-antivirus-products/
    Most products have patched, researchers said, without naming the ones
    who skipped.

    Reply
  27. Tomi Engdahl says:

    Researchers: 30,000% increase in pandemic-related threats
    https://www.bleepingcomputer.com/news/security/researchers-30-000-percent-increase-in-pandemic-related-threats/
    An increase of 30,000% in pandemic-related malicious attacks and
    malware was seen in March by security researchers at cloud security
    firm Zscaler when compared to the beginning of 2020 when the first
    threats started using COVID-19-related lures and themes. Read also:
    https://www.zscaler.com/blogs/research/30000-percent-increase-covid-19-themed-attacks

    Reply
  28. Tomi Engdahl says:

    Reopen Domains: Shut the Front Dorr
    https://www.domaintools.com/resources/blog/reopen-domains-shut-the-front-dorr
    Update: We noticed that while working on this piece Brian Krebs posted
    an excellent article on the same. What can we say, but great minds
    think alike? Since we dug into different pieces we have decided to
    post as well. Read also:
    http://krebsonsecurity.com/2020/04/whos-behind-the-reopen-domain-surge/.

    Reply
  29. Tomi Engdahl says:

    CTI League Inaugural Report (March 2020)
    https://cti-league.com/2020/04/21/cti-league-inaugural-report/
    The CTI-League, an all-volunteer non-profit group, issued its
    Inaugural Report on its efforts aggressively dismantling cyber
    criminal infrastructure and protecting healthcare organizations
    against cyber attacks. Report:
    https://cti-league.com/wp-content/uploads/2020/04/CTI-League-Inaugural-Report-March-2020.pdf.
    Read also:
    https://www.csoonline.com/article/3539319/legions-of-cybersecurity-volunteers-rally-to-protect-hospitals-during-covid-19-crisis.html

    Reply
  30. Tomi Engdahl says:

    New GreyNoise free service alerts you when your devices get hacked
    https://www.bleepingcomputer.com/news/security/new-greynoise-free-service-alerts-you-when-your-devices-get-hacked/
    Cyber-security firm GreyNoise Intelligence today announced the launch
    of GreyNoise Alerts, a new free service that will automatically notify
    you via email when any devices on your organization’s IP address range
    get hacked and start exhibiting potentially malicious behavior. Read
    also: https://viz.greynoise.io/cheat-sheet/examples

    Reply
  31. Tomi Engdahl says:

    Apple says ‘no evidence’ iPhone mail flaw used against customers
    https://www.reuters.com/article/us-apple-cyber/apple-says-no-evidence-iphone-mail-flaw-used-against-customers-idUSKCN2260F0
    Apple Inc said on Thursday it has found “no evidence” a flaw in its
    email app for iPhones and iPads has been used against customers, and
    that it believes the flaw does “not pose an immediate risk to our
    users”. Read also:
    https://www.zdnet.com/article/apple-disputes-recent-ios-zero-day-claim/
    and
    https://threatpost.com/apple-pushes-back-against-zero-day-exploit-claims/155108/.
    As well as:
    https://www.welivesecurity.com/2020/04/23/ios-mail-app-flaws-iphone-users-vulnerable-years/

    Reply
  32. Tomi Engdahl says:

    Detect and prevent web shell malware
    https://www.cyber.gov.au/advice/detect-and-prevent-web-shell-malware
    Malicious web shells are a type of software uploaded to a compromised
    web server to enable remote access by an attacker. While web shells
    may be benign, their use by cyber adversaries is becoming more
    frequent due to the increasing use of web-facing services by
    organisations across the world. The Australian Signals Directorate and
    counterparts at the US National Security Agency (NSA) have for the
    first time jointly published new guidance on mitigating the threat of
    web shell malware. Read also:
    https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/
    and
    https://www.zdnet.com/article/nsa-shares-list-of-vulnerabilities-commonly-exploited-to-plant-web-shells/

    Reply
  33. Tomi Engdahl says:

    Intelligence Agencies Share Web Shell Detection Techniques
    https://www.securityweek.com/intelligence-agencies-share-web-shell-detection-techniques

    The United States National Security Agency (NSA) and the Australian Signals Directorate (ASD) have issued a joint Cybersecurity Information Sheet (CSI) that provides details on vulnerabilities exploited by threat actors to install web shell malware on web servers.

    Reply
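Comments 8, 32 and 33 above point to the NSA/ASD guidance and its detection tooling without showing what the core check looks like. The following is an added example, not code from the NSA repository or the ASD advice: a known-good comparison of a web root, which flags files that are new, modified or missing relative to a manifest taken at deployment time. That is the class of check the guidance recommends because a web shell is, at bottom, an unexpected server-side file. The web root, its files and the post-deployment changes are all constructed inside a temporary directory; the "unexpected" file holds only a placeholder comment.

```python
"""Known-good manifest comparison for a web root (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX-style relative path) to its hash.
    Taken right after a deployment, this is the known-good baseline."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_baseline(baseline, root):
    """Compare the live web root with the baseline manifest.
    Returns (new, modified, missing) as sorted lists of relative paths.
    'new' is where an uploaded web shell would show up; 'modified' catches
    one appended to an existing application file."""
    live = build_manifest(root)
    new = sorted(set(live) - set(baseline))
    missing = sorted(set(baseline) - set(live))
    modified = sorted(p for p in set(live) & set(baseline)
                      if live[p] != baseline[p])
    return new, modified, missing


def demo():
    """Constructed scenario: deploy a small site, record the baseline, then
    simulate the three kinds of drift and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        baseline = build_manifest(root)

        # Drift after deployment: an application file changed, an unexpected
        # server-side file appeared in an upload directory, an asset vanished.
        (root / "index.php").write_text("<?php echo 'hello, changed'; ?>\n")
        (root / "uploads").mkdir()
        (root / "uploads" / "unexpected.php").write_text(
            "<?php /* placeholder: constructed for the example */ ?>\n")
        (root / "css" / "site.css").unlink()

        return diff_against_baseline(baseline, root)


if __name__ == "__main__":
    new, modified, missing = demo()
    print("new:     ", new)
    print("modified:", modified)
    print("missing: ", missing)
```

In production the manifest should be stored off the web server (an attacker who can write to the web root can also rewrite a manifest kept beside it), and directories that legitimately change at runtime, such as upload folders, deserve a stricter rule: any server-executable file appearing there is a finding regardless of the baseline.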
  34. Tomi Engdahl says:

    ‘VictoryGate’ Botnet Infected 35,000 Devices via USB Drives
    https://www.securityweek.com/victorygate-botnet-infected-35000-devices-usb-drives

    ESET managed to sinkhole several command and control (C&C) servers of a botnet that propagates via infected USB devices, thus disrupting its activities.

    Referred to as VictoryGate and active since at least May 2019, the botnet impacted devices in Latin America the most, especially Peru, where more than 90% of the compromised devices are located. After sinkholing the C&Cs, ESET’s security researchers were able to estimate the botnet’s size at over 35,000 devices.

    VictoryGate was mainly focused on Monero mining, but the malware allowed the botmaster to issue commands to the nodes to download and execute additional payloads. Thus, ESET believes that the botnet’s purpose could have changed at some point.

    “This posed a considerable risk, given that we’ve identified compromised network traffic that stems from the public sector and from organizations in the private sector, including financial institutions,” the security firm notes.

    Reply
  35. Tomi Engdahl says:

    Hoaxcalls Botnet Expands Targets List, DDoS Capabilities
    https://www.securityweek.com/hoaxcalls-botnet-expands-targets-list-ddos-capabilities

    The Hoaxcalls Internet of Things (IoT) botnet has expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities to its arsenal, DDoS protection services provider Radware reports.

    First detailed at the beginning of April, Hoaxcalls is based on source code from the Tsunami and Gafgyt botnets and has been targeting vulnerabilities in Grandstream UCM6200 series devices (CVE-2020-5722) and Draytek Vigor routers (CVE-2020-8515).

    The botnet was designed to launch DDoS attacks using UDP, DNS and HEX floods, based on commands received from its command and control (C&C) server.

    Reply
  36. Tomi Engdahl says:

    Flaws in ABB DCS Allow Hackers to Cause Disruption in Industrial Environments
    https://www.securityweek.com/flaws-abb-dcs-allow-hackers-cause-disruption-industrial-environments

    Several serious vulnerabilities have been found in the ABB System 800xA distributed control system (DCS), including flaws that can be exploited for remote code execution, denial-of-service (DoS) attacks, and privilege escalation.

    Reply
  37. Tomi Engdahl says:

    Pastebin Made It Harder To Scrape Its Site And Researchers Are Pissed Off
    https://www.vice.com/en_us/article/y3m83v/pastebin-made-it-harder-to-scrape-its-site-and-researchers-are-pissed-off

    Pastebin quietly changed its terms and services that allowed researchers to study leaked data, malware, and stolen passwords

    The most famous paste site, used by hackers of all stripes to host lists of stolen passwords, announcements of data breaches, and malware has made it harder for security researchers to scrape it looking for that kind of information.

    Pastebin is one of the most famous websites that allows anyone, even without being registered, to “paste” any kind of text and make it public. Over the years, it became a repository for all kinds of unsavory data, such as the personal details of people who got doxed by hackers, leaked passwords, hacker manifestos, and even malware payloads. Naturally, this meant it was a treasure trove for security researchers investigating data breaches or hunting hackers.

    On Tuesday, several security researchers complained on Twitter that they were unable to search Pastebin or scrape it using a special API, which they paid to get access to. (The lifetime subscription, which was required to scrape the site, cost $50.)

    When researchers asked the company on Twitter, Pastebin said that the Scraping API “has been discontinued due to active abuse by third parties for commercial purposes, such activity is prohibited by our current [Terms & Conditions].”

    “Researchers may scrape public, non-personal information from Pastebin for research purposes, only if any publications resulting from that research are open access. Archivists may scrape Pastebin for public data for archival purposes. You may not scrape Pastebin for spamming purposes, including for the purposes of selling Pastebin users’ personal information, such as to recruiters, headhunters, and job boards,”

    Reply
  38. Tomi Engdahl says:

    Scraping By – California Court Limits Use of Computer Crime Statute for High Volume Scraping
    https://securitycurrent.com/scraping-by-california-court-limits-use-of-computer-crime-statute-for-high-volume-scraping/

    When you “access” a website, what are you authorized to do? And how would you know what is “authorized?” The federal Computer Fraud and Abuse Act, 18 USC 1030 makes it a crime to “access” a “computer” “without authorization,” and further makes it a crime to “exceed authorization” to access a computer. Courts and computer users have been struggling to determine exactly what it means to be “authorized” to use a computer.

    Does violation of a contract — whether it’s a “terms of service” or “terms of use” or an employment contract — constitute exceeding authorization and therefore “hacking?” Do you have to be expressly kicked out of a website or computer to “trespass,” or do you only exceed authorization to access a computer when you do something technical to break in?

    The Washington case, Domain Name Commission v. DomainTools, Dkt. No. C18-0874RSL (D. Wash., March 26, 2020) following precedent in the federal Ninth Circuit said that the actions of the domain registrant, while in violation of the rules of the registrar, did not violate the Computer Fraud and Abuse Act. The lead case in that regard involved a company that scraped data from LinkedIn “public” webpages and sold data analytics on LinkedIn’s members.

    Reply
  39. Tomi Engdahl says:

    Shade (Troldesh) ransomware shuts down and releases decryption keys
    https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/

    The Shade ransomware gang have published more than 750,000 decryption keys on GitHub. Kaspersky is working on a decryption app.

    Reply
  40. Tomi Engdahl says:

    Cisco UCS devices are at risk of destroying themselves unless
    administrators resolve the situation
    https://www.tivi.fi/uutiset/tv/be4dd0ae-92ab-4e18-8e9b-9d3a04adacb9
    The Register reports that 23 servers in Cisco's UCS range have a
    nasty flaw: they simply self-destruct when their operating time
    reaches 40,000 hours. "If an SSD drive reaches 40,000 hours of
    operation, the drive becomes completely unusable and must be
    replaced", Cisco warns its customers. Read also:
    https://www.cisco.com/c/en/us/support/docs/field-notices/705/fn70544.html,
    https://www.theregister.co.uk/2020/04/24/cisco_ucs_ssd_warning/,
    https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/levyjarjestelmissa-olleet-ongelmat-aiheuttaneet-tietojen-menetyksia

    Reply
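A check an operator would want for the failure mode above, as an added example (not code from the Tivi article, The Register or Cisco's field notice): parse `smartctl -A` output, read the SMART Power_On_Hours attribute and flag drives that are close to a fixed hour threshold. It assumes the 40,000-hour figure corresponds to SMART attribute 9 as smartctl reports it; the two smartctl excerpts, the device names and the 90-day warning margin are constructed for the example. The vendor's own remediation is what prevents the failure; this only tells you how much time you have left to apply it.

```python
"""Flag SSDs approaching a fixed power-on-hours failure threshold.

Added example, not from the Tivi article or Cisco's field notice. It assumes the
40,000-hour figure is measured as SMART Power_On_Hours (attribute 9), as reported
by `smartctl -A`, and parses that output offline. The smartctl text below is
constructed for the example.
"""
import re

FAILURE_HOURS = 40_000          # hour count at which the affected SSDs become unusable
WARN_MARGIN_HOURS = 24 * 90     # warn when fewer than ~90 days of power-on time remain

# Raw_Value formats seen in the wild: a plain integer ("38123") or
# "38123h+17m+42.013s" on some drives; keep only the hour component.
_HOURS_RE = re.compile(r"^(\d+)")


def parse_power_on_hours(smartctl_output: str):
    """Return Power_On_Hours from `smartctl -A` text, or None if absent."""
    for line in smartctl_output.splitlines():
        fields = line.split()
        # Attribute rows: ID# NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
        if len(fields) >= 10 and fields[0] == "9" and fields[1] == "Power_On_Hours":
            m = _HOURS_RE.match(fields[9])
            return int(m.group(1)) if m else None
    return None


def classify(hours, failure_hours=FAILURE_HOURS, warn_margin=WARN_MARGIN_HOURS):
    """Map an hour count to an action: 'ok', 'warn', 'critical' or 'unknown'."""
    if hours is None:
        return "unknown"
    remaining = failure_hours - hours
    if remaining <= 0:
        return "critical"
    if remaining <= warn_margin:
        return "warn"
    return "ok"


def check_drive(name, smartctl_output):
    hours = parse_power_on_hours(smartctl_output)
    remaining = None if hours is None else FAILURE_HOURS - hours
    return {"drive": name, "hours": hours, "remaining": remaining,
            "status": classify(hours)}


# Constructed `smartctl -A` excerpts for two drives (not real devices).
SAMPLE_OUTPUTS = {
    "/dev/sda": """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       39120h+12m+03.442s
194 Temperature_Celsius     0x0022   067   050   000    Old_age   Always       -       33
""",
    "/dev/sdb": """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       12811
""",
}


def check_all(outputs=SAMPLE_OUTPUTS):
    return [check_drive(name, out) for name, out in outputs.items()]


if __name__ == "__main__":
    for r in check_all():
        print(f"{r['drive']}: {r['hours']} h on, {r['remaining']} h to threshold -> {r['status']}")
```

On a live host, feed `check_drive` the text of `smartctl -A /dev/sdX` for each SSD (NVMe devices report power-on hours differently and need a separate parser). Run it from monitoring on a schedule rather than once: a drive that is "ok" today crosses the warning margin silently.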
  41. Tomi Engdahl says:

    Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams
    https://www.cyberark.com/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams/
    As more and more business is conducted from remote locations,
    attackers are focusing their efforts on exploiting the key
    technologies like Zoom and Microsoft Teams that companies and their
    employees depend on to stay connected. We found that by leveraging a
    subdomain takeover vulnerability in Microsoft Teams, attackers could
    have used a malicious GIF to scrape users’ data and ultimately take
    over an organization’s entire roster of Teams accounts. Since users
    wouldn’t have to share the GIF, just see it, to be impacted,
    vulnerabilities like this have the ability to spread automatically.
    This vulnerability would have affected every user who uses the Teams
    desktop or web browser version. CyberArk worked with Microsoft
    Security Research Center under Coordinated Vulnerability Disclosure
    after finding the account takeover vulnerability and a fix was quickly
    issued. Read also:
    https://threatpost.com/single-malicious-gif-opened-microsoft-teams-to-nasty-attack/155155/,
    https://www.theregister.co.uk/2020/04/27/microsoft_teams_gif_pwn_patch/
    and
    https://www.zdnet.com/article/this-is-how-viewing-a-gif-in-microsoft-teams-triggers-account-hijacking-bug/.
    As well as:
    https://www.securityweek.com/microsoft-teams-vulnerability-exposed-organizations-attacks

    Reply
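Why a subdomain takeover turns an image load into a token theft, as an added example (not code from CyberArk or Microsoft): the browser's RFC 6265 domain-matching rule attaches any cookie scoped to a parent domain to requests for every subdomain, including one whose DNS record now points at attacker-controlled infrastructure, and an `<img>` fetch of a GIF is such a request. The hostnames and cookie names below are constructed, and the premise that the real Teams token cookie was scoped domain-wide is an assumption made for the illustration.

```python
"""Why a subdomain takeover can harvest a session cookie: cookie domain matching.

Added example, not code from CyberArk or Microsoft. It models the RFC 6265
domain-matching rule a browser applies when deciding whether to attach a cookie
to a request (for example an <img> fetch of a GIF). The hostnames and cookie
names below are constructed; that the real Teams token cookie was scoped this
way is an assumption for the purpose of illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute
    domain: str       # origin host for host-only cookies, else the Domain value


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain, or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Section 5.4 step 1: host-only cookies go only to the exact origin host."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain.lower()
    return domain_matches(request_host, cookie.domain)


def cookies_leaked_to(cookies, request_host: str):
    """Names of cookies a browser would attach to a request for request_host."""
    return sorted(c.name for c in cookies if cookie_sent_to(c, request_host))


# Constructed scenario: the app issues one token cookie scoped to the parent
# domain (the weak setting) and one host-only cookie (the corrected setting).
# "orphaned.teams.example" stands in for a subdomain whose DNS record points at
# a resource the attacker has since claimed.
APP_HOST = "teams.example"
ATTACKER_HOST = "orphaned.teams.example"
COOKIES = [
    Cookie(name="authtoken_domainwide", host_only=False, domain=".teams.example"),
    Cookie(name="authtoken_hostonly", host_only=True, domain=APP_HOST),
]


def simulate_gif_fetch(cookies=COOKIES, img_host=ATTACKER_HOST):
    """What an <img src="https://{img_host}/x.gif"> load hands to that host."""
    return cookies_leaked_to(cookies, img_host)


if __name__ == "__main__":
    print("legitimate host receives:", cookies_leaked_to(COOKIES, APP_HOST))
    print("taken-over subdomain receives:", simulate_gif_fetch())
```

Two practical consequences: `SameSite` does not help here, because a subdomain of the same registrable domain is same-site by definition, so the cookie goes out even with `SameSite=Strict`; the defences that do work are issuing session tokens as host-only cookies (no `Domain` attribute) and keeping an inventory of DNS records that still point at deprovisioned resources.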
  42. Tomi Engdahl says:

    Australia and US call out cyber attacks on hospitals during COVID-19
    pandemic
    https://www.zdnet.com/article/australia-and-us-call-out-cyber-attacks-on-hospitals-during-covid-19-pandemic/
    As China pushes Huawei-inspired supply chain freedoms at the United
    Nations, Australia reminds the world that a cyber legal framework
    already exists and attacking hospitals is not on. Australia’s cyber
    diplomats have called for an end to attacks on medical facilities,
    such as the recent cyber attack on one of the Czech Republic’s biggest
    COVID-19 testing laboratories.

    Reply
  43. Tomi Engdahl says:

    Israel government tells water treatment companies to change passwords
    https://www.zdnet.com/article/israel-says-hackers-are-targeting-its-water-supply-and-treatment-utilities/
    Israel’s cyber-security agency reported intrusion attempts last week.

    Reply
  44. Tomi Engdahl says:

    Cyberattack Steals PC Data Through Fan Vibrations
    https://www.tomshardware.com/news/steal-data-through-fan-vibrations-cybersecurity

    Accelerometers in some mobile phones are incredibly accurate and can sense even the smallest of changes in movement coming through your PC’s fan vibrations.

    Researchers proved they can seep data off your PC through fan vibrations.

    The researcher wrote a pair of programs — one that installs on the PC as malware and another that can run on your phone. The PC-based malware can then send signals to the PC’s case fans, which in turn get transferred into your desk and picked up by the phone for interpretation. CPU coolers were less effective, due to the added damping from the motherboard. The more imbalance there was in the fans, the easier it was to transmit the data.

    The data rate was slow — we’re talking about single words being transferred. Unless the attackers are extremely desperate and have no other viable way of accessing your data, we wouldn’t worry about this attack.

    The data rate isn’t the only factor holding back the success of this attack method. An attacker would still need to get the malware installed on the PC to be able to send the signals. They’d also need access to your mobile phone to read out the accelerometer; however, this is achievable without any permissions, as many mobile phones give free access to the accelerometer’s data through the browser.

    Reply
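The channel described above, modelled end to end as an added example (not the researchers' code): the malware side encodes each bit as one of two fan speeds, a fan speed shows up at the phone as a vibration at the corresponding frequency, and the receiver decides each bit by measuring the power of the two tones in an accelerometer window. The sampling rate, tone frequencies, symbol time and Gaussian noise are constructed toy values, and the receiver is assumed to already know where each symbol starts; a real implementation would need a preamble for synchronisation and error correction, both omitted here.

```python
"""Simulated fan-vibration covert channel: FSK over an accelerometer trace.

Added example, not the researchers' code. It assumes a transmitter that can hold
a case fan at two speeds (modelled as two vibration frequencies), a phone
accelerometer sampling at a fixed rate, and a receiver that already knows the
symbol timing. All numbers are constructed and the channel is a toy model with
Gaussian noise, not a measured desk.
"""
import math
import random

SAMPLE_RATE_HZ = 200     # accelerometer sampling rate assumed for the phone
SYMBOL_SECONDS = 0.5     # how long each bit is held, giving 2 bit/s
F_ZERO_HZ = 20.0         # vibration frequency for bit 0 (fan fundamental at ~1200 RPM)
F_ONE_HZ = 36.0          # vibration frequency for bit 1 (~2160 RPM)
SAMPLES_PER_SYMBOL = int(SAMPLE_RATE_HZ * SYMBOL_SECONDS)


def text_to_bits(text: str):
    """ASCII text -> list of bits, most significant bit first."""
    return [(b >> i) & 1 for b in text.encode("ascii") for i in range(7, -1, -1)]


def bits_to_text(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return out.decode("ascii", errors="replace")


def transmit(bits, noise_std=0.5, seed=1):
    """Fan speed schedule -> noisy one-axis accelerometer samples."""
    rng = random.Random(seed)
    samples = []
    for idx, bit in enumerate(bits):
        freq = F_ONE_HZ if bit else F_ZERO_HZ
        for n in range(SAMPLES_PER_SYMBOL):
            t = (idx * SAMPLES_PER_SYMBOL + n) / SAMPLE_RATE_HZ
            samples.append(math.sin(2 * math.pi * freq * t) + rng.gauss(0.0, noise_std))
    return samples


def goertzel_power(window, target_hz):
    """Power of a single tone in a window (Goertzel algorithm, no FFT needed)."""
    n = len(window)
    k = round(n * target_hz / SAMPLE_RATE_HZ)   # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in window:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def receive(samples):
    """Slice the trace into symbols and decide each bit by comparing tone power."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_SYMBOL + 1, SAMPLES_PER_SYMBOL):
        window = samples[start:start + SAMPLES_PER_SYMBOL]
        p0 = goertzel_power(window, F_ZERO_HZ)
        p1 = goertzel_power(window, F_ONE_HZ)
        bits.append(1 if p1 > p0 else 0)
    return bits


def roundtrip(text: str, noise_std=0.5):
    """Encode, push through the toy channel, decode."""
    return bits_to_text(receive(transmit(text_to_bits(text), noise_std)))


if __name__ == "__main__":
    msg = "key"
    print(f"sent {msg!r}, received {roundtrip(msg)!r} at {1 / SYMBOL_SECONDS:.0f} bit/s")
```

The low rate is structural rather than an implementation detail: the fan needs time to spin up and settle between symbols, so raising the baud rate quickly blurs the tones together. On the defensive side, this also shows what to monitor: fan-speed changes that are not explained by thermal load are the transmitter's only observable footprint on the host.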
