This posting is here to collect cyber security news in April 2020.
I post links to security vulnerability news with short descriptions to comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
218 Comments
Tomi Engdahl says:
Chinese Agents Helped Spread Messages That Sowed Virus Panic in U.S., Officials Say
https://www.nytimes.com/2020/04/22/us/politics/coronavirus-china-disinformation.html
American officials were alarmed by fake text messages and social media posts that said President Trump was locking down the country. Experts see a convergence with Russian tactics.
Tomi Engdahl says:
Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage
https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html
- From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes were designed to collect intelligence on the COVID-19 crisis.
Tomi Engdahl says:
Questioning China’s Politicization of Cyber Intelligence During Pandemic
https://www.cfr.org/blog/questioning-chinas-politicization-cyber-intelligence-during-pandemic
Recently, Chinese cybersecurity companies have reported an intrusion campaign targeting government networks and health-care systems during the COVID-19 pandemic. A campaign of this magnitude threatens to degrade international norms for the protection of health systems that are already under unprecedented pressures. However, there is reason to question the narrative from Beijing and these companies.
Tomi Engdahl says:
NordVPN unveils first mainstream WireGuard virtual private network
https://www.zdnet.com/article/nordvpn-unveils-first-mainstream-wireguard-virtual-private-network/
Tomi Engdahl says:
GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps
Static analyzer proves its worth with discovery of null-pointer error
https://www.theregister.co.uk/2020/04/23/gcc_openssl_vulnerability/
Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team. It is possible to crash a server or application that uses a vulnerable build of OpenSSL by sending specially crafted messages while setting up a TLS 1.3 connection.
High-Severity Vulnerability in OpenSSL Allows DoS Attacks
https://www.securityweek.com/high-severity-vulnerability-openssl-allows-dos-attacks
An update released on Tuesday for OpenSSL patches a high-severity vulnerability that can be exploited for
denial-of-service (DoS) attacks.
The OpenSSL Project, which tracks the flaw as CVE-2020-1967, has described it as a “segmentation fault” in
the SSL_check_chain function.
“Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3
handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the
‘signature_algorithms_cert’ TLS extension,” reads the advisory for this vulnerability.
It adds, “The crash occurs if an invalid or unrecognised signature algorithm is received from the peer.
This could be exploited by a malicious peer in a Denial of Service attack.”
The vulnerability impacts OpenSSL versions 1.1.1d, 1.1.1e and 1.1.1f, and it has been patched with the
release of version 1.1.1g.
Older versions 1.0.2 and 1.1.0, which no longer receive security updates, are not impacted by the flaw.
https://www.openssl.org/news/secadv/20200421.txt
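As an added example (not code from the OpenSSL project or from either article), a small Python checker that classifies OpenSSL version banners against the advisory's affected range, 1.1.1d up to but not including 1.1.1g. It reads `openssl version` output or Python's `ssl.OPENSSL_VERSION`; the ordering of letter suffixes is an assumption that matches OpenSSL's pre-3.0 release scheme. Two caveats are built into the result: distributions backport fixes without changing the letter, so a banner inside the range is a prompt to check the package changelog rather than a confirmed exposure, and the advisory says the crash is only reachable in applications that actually call SSL_check_chain() during or after a TLS 1.3 handshake.

```python
"""Classify OpenSSL version banners against the CVE-2020-1967 affected range.

Added example, not from the OpenSSL project or the linked articles. Per the OpenSSL
advisory of 21 Apr 2020 the affected releases are 1.1.1d, 1.1.1e and 1.1.1f; 1.1.1g
fixes the bug, and the 1.0.2 and 1.1.0 branches are not affected.
"""
import re
import ssl
import subprocess

# Matches the classic banner, e.g. "OpenSSL 1.1.1f  31 Mar 2020" (the date and build
# suffixes such as "-fips" are ignored).
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def version_key(banner):
    """Turn a banner into a sortable tuple: 'OpenSSL 1.1.1f' -> (1, 1, 1, 6).

    Assumption: letter suffixes order releases within a branch ('' < 'a' < ... < 'z'
    < 'za' < 'zb'), which is how OpenSSL numbered releases before 3.0.
    """
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL banner: %r" % banner)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    ordinal = 0
    for ch in m.group(4):
        ordinal = ordinal * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, patch, ordinal)


FIRST_AFFECTED = version_key("OpenSSL 1.1.1d")
FIXED_IN = version_key("OpenSSL 1.1.1g")


def cve_2020_1967_status(banner):
    """Return 'affected_unless_backported', 'not_affected' or 'unknown' for a banner.

    A version inside the range is not proof of exposure: distributions backport the
    fix without bumping the letter, and only applications that call SSL_check_chain()
    during or after a TLS 1.3 handshake reach the faulting code.
    """
    try:
        v = version_key(banner)
    except ValueError:
        return "unknown"  # e.g. LibreSSL, or a banner the server has stripped
    if v[:3] == (1, 1, 1) and FIRST_AFFECTED <= v < FIXED_IN:
        return "affected_unless_backported"
    return "not_affected"


def check_python_runtime():
    """Status of the OpenSSL this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION, cve_2020_1967_status(ssl.OPENSSL_VERSION)


def check_system_openssl(binary="openssl"):
    """Status of the command-line OpenSSL on PATH (runs `openssl version`)."""
    out = subprocess.run([binary, "version"], capture_output=True, text=True, check=True).stdout
    return out.strip(), cve_2020_1967_status(out)


if __name__ == "__main__":
    print(check_python_runtime())
    print(check_system_openssl())
```

The same `cve_2020_1967_status()` can be fed banners collected by a network scanner, since many HTTPS servers still advertise the OpenSSL version in their Server header; treat every "affected_unless_backported" hit as a lead to verify against the vendor's package changelog.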
Tomi Engdahl says:
When in Doubt: Hang Up, Look Up, & Call Back
https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/
Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.
Tomi Engdahl says:
Customer complaint phishing pushes network hacking malware
https://www.bleepingcomputer.com/news/security/customer-complaint-phishing-pushes-network-hacking-malware/
A new phishing campaign is underway that targets a company’s employees
with fake customer complaints that install a new backdoor used to
compromise a network.
Tomi Engdahl says:
WHO, CDC and Bill and Melinda Gates Foundation Victims of Credential Dump, Report
https://threatpost.com/who-cdc-and-bill-and-melinda-gates-foundation-victims-of-credential-dump-report/155081/
Hackers have used credentials allegedly stolen from the WHO, CDC and other notable groups to spread coronavirus misinformation online.
Tomi Engdahl says:
NSA: Hackers exploit these vulnerabilities to deploy backdoors
https://www.bleepingcomputer.com/news/security/nsa-hackers-exploit-these-vulnerabilities-to-deploy-backdoors/
The NSA has a dedicated GitHub repository containing tools that
companies can use to detect and block web shell threats, and to
prevent web shell deployment including:
Tomi Engdahl says:
Endpoint security firm Malwarebytes has launched a new VPN offering targeting work from home and consumer markets, featuring AES 256 encryption, WireGuard VPN protocol, no logging, and virtual servers in more than 30 different countries.
https://www.securityweek.com/malwarebytes-unveils-new-privacy-vpn-service
https://www.malwarebytes.com/vpn
Tomi Engdahl says:
Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China
https://www.securityweek.com/vietnamese-hackers-mount-covid-19-espionage-campaigns-against-china
A Vietnam-linked threat actor tracked as APT32 is believed to have carried out intrusion campaigns against Chinese entities in an effort to collect intelligence on the COVID-19 crisis, FireEye reports.
A state-sponsored hacking group also known as OceanLotus and APT-C-00, APT32 is believed to be well-resourced and determined, and was previously observed targeting corporate and government organizations in Southeast Asia.
The most recent attacks associated with the group started with spear phishing messages sent to China’s Ministry of Emergency Management and to the government of Wuhan province, which is considered the epicenter of the current coronavirus pandemic.
Tomi Engdahl says:
Rapid Change is the New Normal
https://www.securityweek.com/rapid-change-new-normal
Change is the New Normal, and it is Coming at a Speed That Few Have Been Ready For
Over the past several weeks, threat researchers have been documenting a dramatic shift in the behavior of cybercriminals. March, for example, saw a 131% increase in viruses over the previous year, many of them attributed to the rise in phishing attacks – an average of about 600 new attacks per day – targeting remote workers. At the same time, traditional attacks have fallen off, with indicators like IPS triggers and botnets dropping by over 30%.
Of course, this shift mirrors the dramatic change in how organizations do business. With millions of companies and workers suddenly transitioning to a remote worker model, cybercriminals are eager to scan this new attack surface, looking for weaknesses and security gaps to exploit. And given the rapid pace at which these changes took place, their chances of success are very high.
Lessons Learned
As a result, there are a couple of takeaways that every organization should take into consideration, starting with making sure that they have a comprehensive BCDR (business continuity/disaster recovery) plan in place. Even organizations with plans in place may have been caught off-guard because they never imagined that they would have to move their entire workforce to teleworker status so rapidly.
While nearly every organization has some percentage of their workforce – mostly road warriors – working remotely, the next biggest issue has been scalability. VPN aggregation tools at the network perimeter were swamped. And helpdesks were unprepared to address the volume of calls coming in from workers trying to use their personal laptops, desktops, and tablets to connect to the network. Novice remote workers not only needed additional hand-holding from IT, they have also been hotly targeted by cybercriminals looking for a weak link back into the network.
That’s because even the most challenging connectivity issues pale in comparison to the security issues that have arisen. Security is traditionally the most resistant to change. All of this new remote traffic needs to be encrypted, so every device needs a VPN client installed. But that’s the easy part. That encrypted traffic also needs to be inspected, and most commercial firewalls are not up to the task. Inspecting encrypted traffic is the Achilles’ heel of most firewalls, which means perimeter security has become a severe bottleneck for users needing access to critical resources stored on-premises.
Likewise, log files from all of these new remote connections need to be monitored and reviewed – and that process is overwhelming IT team members already overloaded with ensuring essential business continuity. And this doesn’t even cover the issues associated with securing all of the personal endpoint devices joining the network, or the unsecured home networks they are connecting from.
The Need for Security-Driven Networking
This dramatic shift, both in this new network model and the latest attack strategies and tactics being used by the cybercriminal community, is a clear sign that organizations need to seriously rethink and reengineer their security model. The most significant change is to stop thinking about security as a framework that operates outside the network. The changes organizations are facing right now are only the tip of the iceberg in terms of network disruption. Edge computing, rich media streaming, and the launch of 5G will further compound the security challenges organizations are currently facing.
Three Critical Elements
This all starts with three critical elements: integrated platforms, automation, and management.
An Integrated Security Platform
Having a “security platform” in place may have been a strategic security decision several years ago, but yesterday’s standard platform doesn’t meet the challenges of today’s networks. To be useful, platforms need to be more than just a collection of security devices running inside a single solution.
• All of the elements of a security platform must be fully integrated into a cohesive security solution, ideally running on a single operating system.
• The platform needs to be built on open standards and APIs so that it can be integrated with third-party security solutions.
• Those open standards also need to enable the platform to work seamlessly with networking devices.
• The platform also needs to be available in a variety of form factors, work natively in virtually any cloud provider environment, and provide consistent policy enforcement across and between every environment in which it is deployed for consistent functionality and policy enforcement.
• In many cases, security and networking functionality need to actually be the exact same solution, especially in highly dynamic environments such as Secure SD-WAN and SD-Branch deployments and in Remote Worker environments for secure connectivity across multiple network environments.
AI and Automation
Platforms built on the principles of a security-driven network also need to include AI and automation to ensure that security can keep up with dynamic changes in the cybersecurity community. An AI system can do more than replace the mundane tasks of IT workers. It can collect and analyze massive amounts of threat intelligence, correlate the contents, identify threats, and then automatically respond without human intervention. And it can get better and better at this task over time, significantly reducing the overhead associated with securing highly dynamic network environments.
Centralized Visibility and Control
The final critical component is a single pane of glass management and orchestration to ensure a unified point of control for the entire integrated security platform fabric. Remote access, access points (both wired and wireless), network connectivity and traffic management, application recognition, and a full range of advanced security tools all need to be able to be configured, updated, and orchestrated through a single device.
Recent Changes are Not an Anomaly – They are the New Normal
The rate at which recent networking changes have had to occur, and the speed at which cybercriminals have been able to respond, teach us clearly what is needed going forward to ensure ongoing proactive cyber protection. W
Tomi Engdahl says:
Passwords for WHO, CDC, Gates Foundation employees reportedly spread online
https://www.cnet.com/news/passwords-for-who-cdc-gates-foundation-employees-reportedly-spread-online/
WHO says the data wasn’t recent, and only affected one older system.
Email addresses and passwords for almost 25,000 employees at high-profile health organizations fighting the novel coronavirus pandemic were dumped online and spread via Twitter, according to a report published by The Washington Post on Wednesday. The World Health Organization, the Centers for Disease Control and Prevention, the Bill & Melinda Gates Foundation and the National Institutes of Health were among the groups reportedly affected by the exposed data, according to the paper.
SITE Intelligence Group, which reports on the activities of extremist groups from all over the world, found the data and reported its spread, according to the paper. It’s unclear whether the data came from breaches of systems belonging to the affected groups or from earlier data breaches of other systems. An Australian security researcher told the Post that the WHO passwords worked to log into employees’ emails. Email and password combinations for people at the Wuhan Institute of Virology, a facility near the Chinese city where the disease was discovered, also circulated online.
Tomi Engdahl says:
Nintendo confirms up to 160,000 people’s accounts were hacked
Their nicknames, dates of birth, locations and emails may have been accessed.
https://www.cnet.com/news/nintendo-confirms-up-to-160000-peoples-accounts-were-hacked/
Nintendo acknowledged on Friday that it suffered a major privacy breach, with the accounts of up to 160,000 people having been accessed. The breach began in early April, and was linked to its Nintendo Network ID login system, the company said on its Japanese support site.
Tomi Engdahl says:
https://securityaffairs.co/wordpress/102230/hacking/symlink-race-antivirus-flaws.html
Tomi Engdahl says:
1984, just went live in Australia
Coronavirus Australia live news: Greg Hunt says coronavirus tracing app COVIDSafe is so secure ‘not even you’ can access your data
https://mobile.abc.net.au/news/2020-04-26/coronavirus-australia-live-news-covid-19-latest/12185442?pfmredir=sm
Australians have been told the COVIDSafe tracing app will keep data encrypted on a user’s phone for 21 days, and that it can only be accessed by a state health official if the user consents.
I want to clarify (thanks to a very helpful blog reader) that the app has built-in mechanisms for this sort of non-sustained contact of 15 minutes. Here’s what the COVIDSafe FAQ says:
COVIDSafe will poll every minute for new connections and to note the duration of existing connections.
A filtering process on the highly secure information storage system separates information that meets the close contact requirements and makes it available to the relevant state or territory health officials.
This allows the Australian Government to adjust the filtering process if advised by state or territory health officials – for example to increase or decrease distance, contact time or to account for multiple contact periods in a certain window timeframe (for example, two or more 10 minute contacts within an hour).
Per the COVIDSafe FAQs, the app actually polls for data every minute “for new connections and to note the duration of existing connections”. Therefore the government can “adjust the filtering process if advised by state or territory health officials – for example to increase or decrease distance, contact time or to account for multiple contact periods in a certain window timeframe”.
Tomi Engdahl says:
Legions of cybersecurity volunteers rally to protect hospitals during COVID-19 crisis
https://www.csoonline.com/article/3539319/legions-of-cybersecurity-volunteers-rally-to-protect-hospitals-during-covid-19-crisis.html
The COVID-19 Cyber Threat Intelligence League and other groups cooperate with the industry, law enforcement, and the government to prevent attacks on healthcare providers.
Tomi Engdahl says:
Cognizant’s ransomware attack is making peers like TCS and Infosys nervous — and they are beefing up security
https://www.businessinsider.in/tech/news/cognizants-ransomware-attack-is-making-peers-like-tcs-and-infosys-nervous-and-they-are-beefing-up-security/articleshow/75271532.cms
The Maze ransomware attack on Cognizant workers will have an impact on its revenue and operations in the coming year, according to the company filings with the Securities and Exchange Commission (SEC) in the US.
The attack has put Indian IT companies like Infosys, Wipro and Tata Consultancy Services (TCS) on alert to continuously monitor their own systems.
Tomi Engdahl says:
Academics steal data from air-gapped systems using PC fan vibrations
Israeli researchers use vibrations from CPU, GPU, or PC chassis fans to broadcast stolen information through solid materials to nearby receivers, breaking air-gapped system protections.
https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-using-pc-fan-vibrations/?ftag=TREc64629f&bhid=65342234&mid=12794455&cid=716803486
Tomi Engdahl says:
Domain Services: A domain name extension scam
https://osint.fans/domain-services-domain-extension-scam
Tomi Engdahl says:
Critical ‘starbleed’ vulnerability in FPGA chips identified
https://www.eurekalert.org/pub_releases/2020-04/rb-cv041620.php
FPGA chips are part of many safety-critical applications; they have one particularly valuable feature: they are individually reprogrammable — but with this feature also comes a risk.
Tomi Engdahl says:
https://onezero.medium.com/zoom-is-a-nightmare-so-why-is-everyone-still-using-it-1b05a4efd5cc
Tomi Engdahl says:
Your Whole Company’s Microsoft Teams Data Could’ve Been Stolen With An ‘Evil GIF’
https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-whole-companys-microsoft-teams-data-couldve-been-stolen-with-an-evil-gif/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie/#676f7264696
Tech giants are fighting to become the de facto videoconferencing tool for remote workers in the time of COVID-19. Zoom rose to the top fast, but thanks to various security and privacy issues, was pegged back by competitors. But rivals have their flaws too, as evidenced by a weakness discovered in Microsoft’s collaboration and videoconferencing tool Teams, as revealed on Monday.
For at least three weeks from the end of February till mid-March, a malicious GIF could’ve stolen user data from Microsoft Teams accounts, possibly across an entire company, and taken control of “an organization’s entire roster of Teams accounts,” cybersecurity researchers have warned.
Tomi Engdahl says:
Unpatchable ‘Starbleed’ Bug in FPGA Chips Exposes Critical Devices to Hackers
https://thehackernews.com/2020/04/fpga-chip-vulnerability.html
A newly discovered unpatchable hardware vulnerability in Xilinx programmable logic products could allow an attacker to break bitstream encryption, and clone intellectual property, change the functionality, and even implant hardware Trojans.
The details of the attacks against Xilinx 7-Series and Virtex-6 Field Programmable Gate Arrays (FPGAs) have been covered in a paper titled “The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs” by a group of academics from the Horst Goertz Institute for IT Security and Max Planck Institute for Cyber Security and Privacy.
The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs
https://www.usenix.org/conference/usenixsecurity20/presentation/ender
Tomi Engdahl says:
Hidden bug in FPGA chips can help hackers steal critical data
A critical vulnerability in FPGA chips can help hackers steal key data of enterprises
https://gulfnews.com/technology/hidden-bug-in-fpga-chips-can-help-hackers-steal-critical-data-1.1587319240780
Tomi Engdahl says:
Lawmakers warn coronavirus contact-tracing is ripe for abusive surveillance
https://news.yahoo.com/lawmakers-warn-coronavirus-contact-tracing-110029995.html
Tomi Engdahl says:
Sneaky Zero-Click Attacks Are a Hidden Menace
https://www.wired.com/story/sneaky-zero-click-attacks-hidden-menace/
Hacks that can play out without any user interaction may be more common than we realize, in part because they’re so difficult to detect. Institutions and regular web users are always on alert about avoiding errant clicks and downloads online that could lead their devices to be infected with malware. But not all attacks require a user slip-up to open the door. Research published this week by the threat monitoring firm ZecOps shows the types of vulnerabilities hackers can exploit to launch attacks that don’t require any interaction from the victim at all, and the ways such hacking tools may be proliferating undetected. Read also:
https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/
Tomi Engdahl says:
400,000 US, South Korean card records put up for sale online
https://www.bleepingcomputer.com/news/security/400000-us-south-korean-card-records-put-up-for-sale-online/
Details on roughly 400,000 payment cards related to US and South Korean financial organizations and banks are currently up for sale on Joker’s Stash, the largest carding shop on the Internet.
Tomi Engdahl says:
It’s a great time to tackle core IT upgrades
https://www.zdnet.com/article/its-a-great-time-to-tackle-core-it-upgrades/
And to catch up with all those security patches, too. During normal
times, the enterprise IT department treads cautiously in making any
changes to their main production environments. There are serious risks
of upsetting core IT business processes by making a change that sets
off unexpected problems. There’s always a big backlog of IT tasks that
need to be done. However, it looks like there’s a way to get that list
done a lot more quickly during the COVID-19 lockdown of 2020.
Tomi Engdahl says:
Symlink race bugs discovered in 28 antivirus products
https://www.zdnet.com/article/symlink-race-bugs-discovered-in-28-antivirus-products/
Most products have patched, researchers said, without naming the ones
who skipped.
Tomi Engdahl says:
Researchers: 30,000% increase in pandemic-related threats
https://www.bleepingcomputer.com/news/security/researchers-30-000-percent-increase-in-pandemic-related-threats/
An increase of 30,000% in pandemic-related malicious attacks and malware was seen in March by security researchers at cloud security firm Zscaler when compared to the beginning of 2020, when the first threats started using COVID-19-related lures and themes. Read also:
https://www.zscaler.com/blogs/research/30000-percent-increase-covid-19-themed-attacks
Tomi Engdahl says:
WHO Confirms Email Credentials Leak
https://www.darkreading.com/attacks-breaches/who-confirms-email-credentials-leak/d/d-id/1337650
Washington Post had identified the group as one among several whose
passwords and emails were dumped online and abused. Read also:
https://www.washingtonpost.com/technology/2020/04/21/nearly-25000-email-addresses-passwords-allegedly-nih-who-gates-foundation-are-dumped-online/
Tomi Engdahl says:
Hackers are exploiting a Sophos firewall zero-day
https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/
Read also: https://community.sophos.com/kb/en-us/135412 and
https://www.theregister.co.uk/2020/04/26/security_roundup_240420/. As
well as:
https://www.bleepingcomputer.com/news/security/hackers-exploit-zero-day-in-sophos-xg-firewall-fix-released/
Tomi Engdahl says:
Reopen Domains: Shut the Front Dorr
https://www.domaintools.com/resources/blog/reopen-domains-shut-the-front-dorr
Update: We noticed that while working on this piece Brian Krebs posted
an excellent article on the same. What can we say, but great minds
think alike? Since we dug into different pieces we have decided to
post as well. Read also:
http://krebsonsecurity.com/2020/04/whos-behind-the-reopen-domain-surge/.
Tomi Engdahl says:
CTI League Inaugural Report (March 2020)
https://cti-league.com/2020/04/21/cti-league-inaugural-report/
The CTI-League, an all-volunteer non-profit group, issued its
Inaugural Report on its efforts aggressively dismantling cyber
criminal infrastructure and protecting healthcare organizations
against cyber attacks. Report:
https://cti-league.com/wp-content/uploads/2020/04/CTI-League-Inaugural-Report-March-2020.pdf.
Read also:
https://www.csoonline.com/article/3539319/legions-of-cybersecurity-volunteers-rally-to-protect-hospitals-during-covid-19-crisis.html
Tomi Engdahl says:
New GreyNoise free service alerts you when your devices get hacked
https://www.bleepingcomputer.com/news/security/new-greynoise-free-service-alerts-you-when-your-devices-get-hacked/
Cyber-security firm GreyNoise Intelligence today announced the launch
of GreyNoise Alerts, a new free service that will automatically notify
you via email when any devices on your organization’s IP address range
get hacked and start exhibiting potentially malicious behavior. Read
also: https://viz.greynoise.io/cheat-sheet/examples
Tomi Engdahl says:
Apple says ‘no evidence’ iPhone mail flaw used against customers
https://www.reuters.com/article/us-apple-cyber/apple-says-no-evidence-iphone-mail-flaw-used-against-customers-idUSKCN2260F0
Apple Inc said on Thursday it has found “no evidence” a flaw in its
email app for iPhones and iPads has been used against customers, and
that it believes the flaw does “not pose an immediate risk to our
users”. Read also:
https://www.zdnet.com/article/apple-disputes-recent-ios-zero-day-claim/
and
https://threatpost.com/apple-pushes-back-against-zero-day-exploit-claims/155108/.
As well as:
https://www.welivesecurity.com/2020/04/23/ios-mail-app-flaws-iphone-users-vulnerable-years/
Tomi Engdahl says:
Detect and prevent web shell malware
https://www.cyber.gov.au/advice/detect-and-prevent-web-shell-malware
Malicious web shells are a type of software uploaded to a compromised
web server to enable remote access by an attacker. While web shells
may be benign, their use by cyber adversaries is becoming more
frequent due to the increasing use of web-facing services by
organisations across the world. The Australian Signals Directorate and
counterparts at the US National Security Agency (NSA) have for the
first time jointly published new guidance on mitigating the threat of
web shell malware. Read also:
https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/
and
https://www.zdnet.com/article/nsa-shares-list-of-vulnerabilities-commonly-exploited-to-plant-web-shells/
Tomi Engdahl says:
Intelligence Agencies Share Web Shell Detection Techniques
https://www.securityweek.com/intelligence-agencies-share-web-shell-detection-techniques
The United States National Security Agency (NSA) and the Australian Signals Directorate (ASD) have issued a joint Cybersecurity Information Sheet (CSI) that provides details on vulnerabilities exploited by threat actors to install web shell malware on web servers.
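The ASD/NSA guidance linked in the two comments above (and the NSA repository mentioned earlier in this thread) lists comparison against a known-good copy of the application as one of its detection techniques. The following is an added example of that technique written for this post, not the agencies' own tooling: it hashes every file under a web root, compares against a manifest taken from a trusted deployment artifact, and treats directories that legitimately receive runtime writes differently, flagging only server-executable extensions there because upload folders are where shells are most often dropped. The extension list and the sample PHP site built in `demo()` are constructed for illustration.

```python
"""Flag web-shell candidates by comparing a web root with a known-good baseline.

Added example, not from the NSA/ASD guidance or its tooling. Hash every file in the
deployed web root and compare against a manifest built from a trusted copy (the
deployment artifact). Anything new or changed is a candidate; directories that
legitimately receive runtime writes are instead checked for server-executable
extensions, since upload folders are where shells are most often dropped.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server would execute rather than serve as static content.
# Assumption: tune this list to the stacks actually enabled on the host.
EXECUTABLE_EXTS = {
    ".php", ".phtml", ".php5", ".phar",
    ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".asmx", ".cfm", ".cgi", ".pl",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative POSIX path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _under(rel, dirs):
    return any(rel == d or rel.startswith(d.rstrip("/") + "/") for d in dirs)


def compare_to_baseline(root, baseline, writable_dirs=()):
    """Return sorted (finding, relative_path) tuples.

    unexpected_file             file on the server the baseline never had
    modified_file               content differs from the baseline hash
    missing_file                baseline file gone (tampering or a broken deploy)
    executable_in_writable_dir  server-side script inside an upload/cache directory
    """
    current = build_manifest(root)
    findings = []
    for rel, digest in current.items():
        if _under(rel, writable_dirs):
            if Path(rel).suffix.lower() in EXECUTABLE_EXTS:
                findings.append(("executable_in_writable_dir", rel))
        elif rel not in baseline:
            findings.append(("unexpected_file", rel))
        elif baseline[rel] != digest:
            findings.append(("modified_file", rel))
    for rel in baseline:
        if rel not in current and not _under(rel, writable_dirs):
            findings.append(("missing_file", rel))
    return sorted(findings)


def demo():
    """Constructed sample: a small PHP site, then three changes an intruder might make."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php include 'lib/db.php'; ?>\n")
        (root / "lib" / "db.php").write_text("<?php function db() {} ?>\n")
        (root / "uploads" / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed")
        baseline = build_manifest(root)  # taken from the trusted deployment

        # Constructed post-compromise state: a backdoored library file, a shell
        # hidden among the site files, and a shell dropped through the upload folder.
        (root / "lib" / "db.php").write_text("<?php function db() {} eval($_POST['c']); ?>\n")
        (root / "images.php").write_text("<?php system($_GET['cmd']); ?>\n")
        (root / "uploads" / "avatar.php").write_text("<?php @eval($_REQUEST['x']); ?>\n")
        return compare_to_baseline(root, baseline, writable_dirs=("uploads",))


if __name__ == "__main__":
    for kind, rel in demo():
        print("%-28s %s" % (kind, rel))
```

In production the manifest should come from the build pipeline, not from the server itself, and be stored where a web-server compromise cannot rewrite it; the comparison is then cheap enough to run from cron after every deploy and on a fixed schedule.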
Tomi Engdahl says:
‘VictoryGate’ Botnet Infected 35,000 Devices via USB Drives
https://www.securityweek.com/victorygate-botnet-infected-35000-devices-usb-drives
ESET managed to sinkhole several command and control (C&C) servers of a botnet that propagates via infected USB devices, thus disrupting its activities.
Referred to as VictoryGate and active since at least May 2019, the botnet impacted devices in Latin America the most, especially Peru, where more than 90% of the compromised devices are located. After sinkholing the C&Cs, ESET’s security researchers were able to estimate the botnet’s size at over 35,000 devices.
VictoryGate was mainly focused on Monero mining, but the malware allowed the botmaster to issue commands to the nodes to download and execute additional payloads. Thus, ESET believes that the botnet’s purpose could have changed at some point.
“This posed a considerable risk, given that we’ve identified compromised network traffic that stems from the public sector and from organizations in the private sector, including financial institutions,” the security firm notes.
Tomi Engdahl says:
Hoaxcalls Botnet Expands Targets List, DDoS Capabilities
https://www.securityweek.com/hoaxcalls-botnet-expands-targets-list-ddos-capabilities
The Hoaxcalls Internet of Things (IoT) botnet has expanded the list of targeted devices and has added new distributed denial of service (DDoS) capabilities to its arsenal, DDoS protection services provider Radware reports.
First detailed at the beginning of April, Hoaxcalls is based on source code from the Tsunami and Gafgyt botnets and has been targeting vulnerabilities in Grandstream UCM6200 series devices (CVE-2020-5722) and Draytek Vigor routers (CVE-2020-8515).
The botnet was designed to launch DDoS attacks using UDP, DNS and HEX floods, based on commands received from its command and control (C&C) server.
Tomi Engdahl says:
Flaws in ABB DCS Allow Hackers to Cause Disruption in Industrial Environments
https://www.securityweek.com/flaws-abb-dcs-allow-hackers-cause-disruption-industrial-environments
Several serious vulnerabilities have been found in the ABB System 800xA distributed control system (DCS), including flaws that can be exploited for remote code execution, denial-of-service (DoS) attacks, and privilege escalation.
Tomi Engdahl says:
Pastebin Made It Harder To Scrape Its Site And Researchers Are Pissed Off
https://www.vice.com/en_us/article/y3m83v/pastebin-made-it-harder-to-scrape-its-site-and-researchers-are-pissed-off
Pastebin quietly changed its terms and services that allowed researchers to study leaked data, malware, and stolen passwords
The most famous paste site, used by hackers of all stripes to host lists of stolen passwords, announcements of data breaches, and malware has made it harder for security researchers to scrape it looking for that kind of information.
Pastebin is one of the most famous websites that allows anyone, even without being registered, to “paste” any kind of text and make it public. Over the years, it became a repository for all kinds of unsavory data, such as the personal details of people who got doxed by hackers, leaked passwords, hacker manifestos, and even malware payloads. Naturally, this meant it was a treasure trove for security researchers investigating data breaches or hunting hackers.
On Tuesday, several security researchers complained on Twitter that they were unable to search Pastebin or scrape it using a special API, which they paid to get access to. (The lifetime subscription, which was required to scrape the site, cost $50.)
When researchers asked the company on Twitter, Pastebin said that the Scraping API “has been discontinued due to active abuse by third parties for commercial purposes, such activity is prohibited by our current [Terms & Conditions].”
“Researchers may scrape public, non-personal information from Pastebin for research purposes, only if any publications resulting from that research are open access. Archivists may scrape Pastebin for public data for archival purposes. You may not scrape Pastebin for spamming purposes, including for the purposes of selling Pastebin users’ personal information, such as to recruiters, headhunters, and job boards,”
Tomi Engdahl says:
Scraping By – California Court Limits Use of Computer Crime Statute for High Volume Scraping
https://securitycurrent.com/scraping-by-california-court-limits-use-of-computer-crime-statute-for-high-volume-scraping/
When you “access” a website, what are you authorized to do? And how would you know what is “authorized?” The federal Computer Fraud and Abuse Act, 18 USC 1030 makes it a crime to “access” a “computer” “without authorization,” and further makes it a crime to “exceed authorization” to access a computer. Courts and computer users have been struggling to determine exactly what it means to be “authorized” to use a computer.
Does violation of a contract — whether it’s a “terms of service” or “terms of use” or an employment contract — constitute exceeding authorization and therefore “hacking?” Do you have to be expressly kicked out of a website or computer to “trespass,” or do you only exceed authorization to access a computer when you do something technical to break in?
The Washington case, Domain Name Commission v. DomainTools, Dkt. No. C18-0874RSL (D. Wash., March 26, 2020) following precedent in the federal Ninth Circuit said that the actions of the domain registrant, while in violation of the rules of the registrar, did not violate the Computer Fraud and Abuse Act. The lead case in that regard involved a company that scraped data from LinkedIn “public” webpages and sold data analytics on LinkedIn’s members.
Tomi Engdahl says:
Shade (Troldesh) ransomware shuts down and releases decryption keys
https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/
The Shade ransomware gang have published more than 750,000 decryption keys on GitHub. Kaspersky is working on a decryption app.
Tomi Engdahl says:
Cisco UCS devices are at risk of destroying themselves on their own unless
administrators resolve the situation
https://www.tivi.fi/uutiset/tv/be4dd0ae-92ab-4e18-8e9b-9d3a04adacb9
The Register reports that 23 server models in Cisco's UCS range have an
unpleasant bug. They simply self-destruct once their operating time
reaches 40,000 hours. "If the SSD reaches 40,000 operating hours, the
drive becomes completely unusable and must be replaced," Cisco warns
its customers. Read also:
https://www.cisco.com/c/en/us/support/docs/field-notices/705/fn70544.html,
https://www.theregister.co.uk/2020/04/24/cisco_ucs_ssd_warning/,
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/levyjarjestelmissa-olleet-ongelmat-aiheuttaneet-tietojen-menetyksia
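The practical question for an administrator reading the above is how close each drive is to the 40,000-hour mark. The following is an added example, not code from Cisco, The Register or any of the linked articles: it parses the attribute table printed by `smartctl -A` and reports how many power-on hours remain before the figure quoted from Cisco. It assumes the drive exposes SMART attribute 9 (Power_On_Hours) in the usual ATA table layout; the sample output embedded below is constructed, not captured from a real UCS server. The check only measures proximity to the threshold and is no substitute for the remediation Cisco describes in the field notice linked above.

```python
from typing import Optional

# Threshold quoted from Cisco's warning on this page: drives become unusable at 40,000 power-on hours.
FAILURE_HOURS = 40_000

# Constructed sample of `smartctl -A /dev/sdX` output (not from a real server).
SAMPLE_SMARTCTL = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       38712
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       41
"""


def power_on_hours(smartctl_output: str) -> Optional[int]:
    """Return the raw value of SMART attribute 9 (Power_On_Hours), or None if absent.

    NVMe drives report power-on hours in a different health log, so None is a
    legitimate result and is surfaced as 'unknown' rather than treated as 0.
    """
    for line in smartctl_output.splitlines():
        fields = line.split()
        if len(fields) >= 10 and fields[0] == "9" and fields[1] == "Power_On_Hours":
            # Some firmware appends extra data to RAW_VALUE ("38712 (123 45)");
            # the leading token is the hour count, so only that token is parsed.
            return int(fields[9])
    return None


def hours_remaining(hours: int, threshold: int = FAILURE_HOURS) -> int:
    """Hours left before the threshold; 0 once it has been reached or passed."""
    return max(threshold - hours, 0)


def assess(smartctl_output: str, warn_days: int = 90) -> dict:
    """Classify a drive as ok / warn / failed_or_imminent / unknown.

    warn_days is an assumed operational margin (constructed for this example),
    chosen so that a replacement can be scheduled before the drive is lost.
    """
    hours = power_on_hours(smartctl_output)
    if hours is None:
        return {"status": "unknown", "hours": None,
                "remaining_hours": None, "remaining_days": None}
    remaining = hours_remaining(hours)
    days = remaining // 24
    if remaining == 0:
        status = "failed_or_imminent"
    elif days <= warn_days:
        status = "warn"
    else:
        status = "ok"
    return {"status": status, "hours": hours,
            "remaining_hours": remaining, "remaining_days": days}


if __name__ == "__main__":
    # With the constructed sample: 38,712 hours logged, 1,288 hours (53 days) remain -> "warn".
    print(assess(SAMPLE_SMARTCTL))
```

In practice the output of `smartctl -A` for each drive would be fed to `assess()` from an inventory job; a drive in the `warn` state still has data on it and is the one worth acting on first.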
Tomi Engdahl says:
Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams
https://www.cyberark.com/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams/
As more and more business is conducted from remote locations,
attackers are focusing their efforts on exploiting the key
technologies like Zoom and Microsoft Teams that companies and their
employees depend on to stay connected. We found that by leveraging a
subdomain takeover vulnerability in Microsoft Teams, attackers could
have used a malicious GIF to scrape users’ data and ultimately take
over an organization’s entire roster of Teams accounts. Since users
wouldn’t have to share the GIF, just see it, to be impacted,
vulnerabilities like this have the ability to spread automatically.
This vulnerability would have affected every user who uses the Teams
desktop or web browser version. CyberArk worked with Microsoft
Security Research Center under Coordinated Vulnerability Disclosure
after finding the account takeover vulnerability and a fix was quickly
issued. Read also:
https://threatpost.com/single-malicious-gif-opened-microsoft-teams-to-nasty-attack/155155/,
https://www.theregister.co.uk/2020/04/27/microsoft_teams_gif_pwn_patch/
and
https://www.zdnet.com/article/this-is-how-viewing-a-gif-in-microsoft-teams-triggers-account-hijacking-bug/.
As well as:
https://www.securityweek.com/microsoft-teams-vulnerability-exposed-organizations-attacks
Tomi Engdahl says:
Australia and US call out cyber attacks on hospitals during COVID-19
pandemic
https://www.zdnet.com/article/australia-and-us-call-out-cyber-attacks-on-hospitals-during-covid-19-pandemic/
As China pushes Huawei-inspired supply chain freedoms at the United
Nations, Australia reminds the world that a cyber legal framework
already exists and attacking hospitals is not on. Australia’s cyber
diplomats have called for an end to attacks on medical facilities,
such as the recent cyber attack on one of the Czech Republic’s biggest
COVID-19 testing laboratories.
Tomi Engdahl says:
Israel government tells water treatment companies to change passwords
https://www.zdnet.com/article/israel-says-hackers-are-targeting-its-water-supply-and-treatment-utilities/
Israel cyber-security agency reported intrusion attempts last week.
Tomi Engdahl says:
Cyberattack Steals PC Data Through Fan Vibrations
https://www.tomshardware.com/news/steal-data-through-fan-vibrations-cybersecurity?fbclid=IwAR2HzK5ci9BZTRx0Zlu8sCqjU4JUxqjqo9Yytk84FfNXsnfBnILKst_Q0TQ
Accelerometers in some mobile phones are incredibly accurate and can sense even the smallest of changes in movement coming through your PC’s fan vibrations.
Researchers proved they can seep data off your PC through fan vibrations.
The researcher wrote a pair of programs — one that installs on the PC as malware and another that can run on your phone. The PC-based malware can then send signals to the PC’s case fans, which in turn get transferred into your desk and picked up by the phone for interpretation. CPU coolers were less effective, due to the added damping from the motherboard. The more imbalance there was in the fans, the easier it was to transmit the data.
The data rate was slow — we’re talking about single words being transferred. Unless the attackers are extremely desperate and have no other viable way of accessing your data, we wouldn’t worry about this attack.
The data rate isn’t the only factor holding back the success of this attack method. An attacker would still need to get the malware installed on the PC to be able to send the signals. They’d also need access to your mobile phone to read out the accelerometer; however, this is achievable without any permissions, as many mobile phones give free access to the accelerometer’s data through the browser.