This posting is here to collect cyber security news in May 2020.
I post links to security vulnerability news with short descriptions to comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
Tomi Engdahl says:
Coronavirus-Themed Phishing Fears Largely Overblown, Researchers Say
https://www.darkreading.com/risk/coronavirus-themed-phishing-fears-largely-overblown-researchers-say/d/d-id/1337865
As COVID-19-themed spam rises, phishing, not so much. An analysis of
newly registered domains finds that only 2.4% are actually phishing
sites aiming to steal credentials. While many security firms have
warned of massive spam campaigns employing coronavirus-themed
messages in an attempt to fool potential victims into parting with
their credentials, the incidence of COVID-19-specific phishing attacks
is no higher than before the pandemic, according to a new report.
Tomi Engdahl says:
The Nigerian Fraudsters Ripping Off the Unemployment System
https://www.wired.com/story/nigerian-scammers-unemployment-system-scattered-canary/
Security researchers have spotted the “Scattered Canary” group
scamming vital benefits programs amid the Covid-19 pandemic. On
Thursday, the Secret Service issued an alert about a massive operation
to file fraudulent unemployment claims in states around the country,
like Washington and Massachusetts. Officials attributed the activity
to Nigerian scammers and said millions of dollars had already been
stolen. New research is now shedding light on one of the actors tied
to the scams and the other pandemic hustles they have going. Read also:
https://www.bleepingcomputer.com/news/security/bec-scammers-target-unemployment-and-cares-act-claims/
and
https://threatpost.com/fraudulent-unemployment-covid-19-relief-claims-earn-bec-gang-millions/155925/
Tomi Engdahl says:
Houseparty denied it had been hacked… while miscreants were abusing
its dot-com domain name infrastructure
https://www.theregister.co.uk/2020/05/20/houseparty_subdomain_hijack/
Subdomain takeover possible, says infosec bod. At the end of March,
video chat app Houseparty, owned by Epic Games, responded to
unsubstantiated reports that user accounts had been hacked by offering
a $1m bounty to anyone able to prove the rumors were part of a
coordinated campaign to smear the company. Nor was any bug bounty paid
to security researcher Zach Edwards after he found that Houseparty’s
domain infrastructure had been hijacked and abused for distributing
malicious content.
Tomi Engdahl says:
Beer rating app reveals homes and identities of spies and military
bods, warns Bellingcat
https://www.theregister.co.uk/2020/05/19/bellingcat_beer_app_osint/
We tested it and found a naval officer’s partner and kids – they’re
not kidding. A beer and pub-rating app built off the back of
Foursquare’s location-tracking API poses a risk to the security of
military and intelligence personnel, according to legendary OSINT
website Bellingcat. Untappd ‘has over eight million mostly European
and North American users, and its features allow researchers to
uncover sensitive information about said users at military and
intelligence locations around the world,’ wrote Bellingcat’s Foeke
Postma in a fascinating guide to using the app for tracking down
people of interest. Read also:
https://www.bellingcat.com/news/2020/05/18/military-and-intelligence-personnel-can-be-tracked-with-the-untappd-beer-app/
Tomi Engdahl says:
Microsoft warns of ‘massive’ phishing attack pushing legit RAT
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-massive-phishing-attack-pushing-legit-rat/
Microsoft is warning of an ongoing COVID-19 themed phishing campaign
that installs the NetSupport Manager remote administration tool. In a
series of tweets, the Microsoft Security Intelligence team outlines
how this “massive campaign” is spreading the tool via malicious Excel
attachments. Read also:
https://twitter.com/MsftSecIntel/status/1262876021071568896
Tomi Engdahl says:
Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83…
with a handy kill switch for corporate IT
https://www.theregister.co.uk/2020/05/20/google_chrome_83/
Google released Chrome 83 on Tuesday after skipping version 82
entirely due to coronavirus-related challenges, bringing with it
security for DNS queries, a revised extension interface that
developers dislike, and a few other features.
Tomi Engdahl says:
NSO Group Impersonated Facebook to Help Clients Hack Targets
https://www.vice.com/en_us/article/qj4p3w/nso-group-hack-fake-facebook-domain
Infamous Israeli surveillance firm NSO Group created a web domain that
looked as if it belonged to Facebook’s security team to entice targets
to click on links that would install the company’s powerful cell phone
hacking technology, according to data analyzed by Motherboard.
Tomi Engdahl says:
Netwalker Fileless Ransomware Injected via Reflective Loading
https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/
Threat actors are continuously creating more sophisticated ways for
malware to evade defenses. We have observed Netwalker ransomware
attacks that involve malware that is not compiled, but written in
PowerShell and executed directly in memory and without storing the
actual ransomware binary into the disk. This makes this ransomware
variant a fileless threat, enabling it to maintain persistence and
evade detection by abusing tools that are already in the system to
initiate attacks.
Tomi Engdahl says:
Rogue ADT tech spied on hundreds of customers in their homes via CCTV
including me, says teen girl
https://www.theregister.co.uk/2020/05/19/adt_spying_lawsuit/
A technician at ADT remotely accessed hundreds of customers’ CCTV
cameras to spy on people in their own homes, the burglar-alarm biz has
admitted.
Tomi Engdahl says:
Bluetooth flaw exposes countless devices to BIAS attacks
https://www.welivesecurity.com/2020/05/19/bluetooth-flaw-exposes-countless-devices-bias-attacks/
As many as 30 smartphones, laptops and other devices were tested and
all were found to be vulnerable. A team of researchers has unveiled a
new vulnerability in the Bluetooth wireless communication protocol
that exposes a wide range of devices, such as smartphones, laptops,
and smart-home devices, to the so-called Bluetooth Impersonation
AttackS (BIAS). Read also: https://francozappa.github.io/about-bias/
Tomi Engdahl says:
Take a Bite Out of Sweyn
https://securityintelligence.com/posts/take-a-bite-out-of-sweyn/
If you work in the healthcare industry, you may have heard about a
family of vulnerabilities called “SweynTooth.” Researchers from
Singapore first discovered the vulnerabilities in 2019. After waiting
90 days to announce them, which is part of the responsible disclosure
process, they published a technical paper. If you are not familiar
with the SweynTooth family, you should still be aware of it
considering the flaws could enable attackers to compromise some
medical internet of things (IoT) devices that are being used in
hospitals today (i.e., blood glucose meters, inhalers and certain
pacemakers).
Tomi Engdahl says:
‘Hundreds of millions of dollars’ lost in Washington to unemployment fraud amid coronavirus joblessness surge
https://www.seattletimes.com/business/economy/washington-adds-more-than-145000-weekly-jobless-claims-as-coronavirus-crisis-lingers/?utm_source=facebook&utm_medium=social&utm_campaign=article_inset_1.1
Washington state officials have acknowledged the loss of “hundreds of millions of dollars” to an international fraud scheme that hammered the state’s unemployment insurance system and could mean even longer delays for thousands of jobless workers still waiting for legitimate benefits.
Tomi Engdahl says:
Huawei HKSP trying to push exploit code into Linux upstream. If you do anything with open source, Linux or just generally computing: read that, understand the surface your proj is exposing and think about how you protect against such attempts. https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability
Tomi Engdahl says:
BIAS Attack Allows for Authentication Impersonation of Any Bluetooth Classic Client or Host Device
https://www.hackster.io/news/bias-attack-allows-for-authentication-impersonation-of-any-bluetooth-classic-client-or-host-device-9c825301ad12
Flaws in the underlying specification mean a cross-vendor method of impersonating any Bluetooth device or host is now public.
Tomi Engdahl says:
North Dakota’s COVID-19 app has been sending data to Foursquare and Google
https://www.fastcompany.com/90508044/north-dakotas-covid-19-app-has-been-sending-data-to-foursquare-and-google
A new report from Jumbo Privacy finds that a coronavirus contact-tracing app is sharing location data with Foursquare and an advertising ID with Google.
Tomi Engdahl says:
Ragnar Locker ransomware deploys virtual machine to dodge security
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/?fbclid=IwAR3JKXTfvmebWQ8Ot6E4DTo_EuRGJbddTTjq5Gv-kRGtSepBzx7JJTTrN-c
A new ransomware attack method takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.
The adversaries behind Ragnar Locker have been known to steal data from targeted networks prior to launching ransomware, to encourage victims to pay. In April, the actors behind Ragnar Locker attacked the network of Energias de Portugal (EDP) and claimed to have stolen 10 terabytes of sensitive company data, demanding a payment of 1,580 Bitcoin (approximately $11 million US) and threatening to release
Tomi Engdahl says:
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
Tomi Engdahl says:
https://arstechnica.com/information-technology/2020/05/hackers-infect-multiple-game-developers-with-advanced-malware/
Tomi Engdahl says:
Check Point released an open-source fix for common Linux memory corruption security hole
https://www.zdnet.com/article/check-point-released-an-open-source-fix-for-common-linux-memory-corruption-security-hole/
For years, there’s been a security problem with how the GNU C Library dealt with single-linked-lists. Now, Check Point has released a patch, which will fix the problem once and for all.
Tomi Engdahl says:
https://thehackernews.com/2020/05/hacking-bluetooth-vulnerability.html
Tomi Engdahl says:
Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking
The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019.
https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/
Tomi Engdahl says:
Exclusive: Warning Over Chinese Mobile Giant Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/
Tomi Engdahl says:
A passwordless server run by spyware maker NSO sparks contact-tracing privacy concerns
https://techcrunch.com/2020/05/07/nso-group-fleming-contact-tracing/
Tomi Engdahl says:
Hackers Target WHO by Posing as Think Tank, Broadcaster
https://www.bloomberg.com/amp/news/articles/2020-05-07/hackers-target-who-by-posing-as-think-tank-broadcaster
Tomi Engdahl says:
Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected
https://www.forbes.com/sites/daveywinder/2020/05/07/samsung-confirms-critical-security-warning-for-millions-every-galaxy-after–2014-affected/
Tomi Engdahl says:
Compensation risks from cyber attacks are overestimated
https://www.uusiteknologia.fi/2020/05/08/kyberhyokkaysten-korvausriskit-ovat-ylimitoitettuja/
Tomi Engdahl says:
GitHub Takes Aim at Open Source Software Vulnerabilities
GitHub Advanced Security will help automatically spot potential security problems in the world’s biggest open source platform.
https://www.wired.com/story/github-advanced-security-open-source/
Tomi Engdahl says:
https://www.tivi.fi/uutiset/valtioiden-omat-koronaseurantasovellukset-lentavat-yksi-toisensa-jalkeen-romukoppaan-ja-hyvasta-syysta/ac67fe37-5639-40f4-b164-4fc3d72b4170
Tomi Engdahl says:
https://threatpost.com/google-android-rce-bug-full-device-access/155460/
Tomi Engdahl says:
New Kaiji malware targets IoT devices via SSH brute-force attacks
https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/
Researchers say the malware was coded by a Chinese developer for the sole purpose of launching DDoS attacks.
Tomi Engdahl says:
Toll Group shuts IT systems amid new security scare
https://www.itnews.com.au/news/toll-group-shuts-it-systems-amid-new-security-scare-547713
Tomi Engdahl says:
THERE’S NO TELLING WHAT DATA FACEBOOK WILL COLLECT IF YOU USE ITS ZOOM CLONE
https://theintercept.com/2020/05/20/facebook-messenger-rooms-video-call/?utm_campaign=theintercept&utm_source=facebook&utm_medium=social
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2020/05/22/the-ransomware-that-attacks-you-from-inside-a-virtual-machine/
Tomi Engdahl says:
DHS CISA and FBI share list of top 10 most exploited vulnerabilities
Office is the most exploited technology, followed by Apache Struts.
https://www.zdnet.com/article/dhs-cisa-and-fbi-share-list-of-top-10-most-exploited-vulnerabilities/
Tomi Engdahl says:
Hey, who remembers the Equifax breach? >.>
Washington state rocked by coronavirus benefit fraud in ‘the hundreds of millions’
https://www.cbc.ca/news/world/new-york-coronavirus-homes-1.5580089?fbclid=IwAR1j8g27E6UJtL-rHP0pH-Sr_vgHiV8wGkqG0vgDoQnkUnuems3j6Lgxw-k
Official won’t confirm if fraud is from Nigeria, says info may have been stolen from credit agencies.
Impostors have used the stolen information of tens of thousands of people in Washington state to fraudulently receive hundreds of millions of dollars in unemployment benefits, the head of the state’s Employment Security Department said Thursday.
Commissioner Suzi LeVine said the state is working with federal law enforcement, financial institutions and the U.S. Department of Labor to investigate the fraud and try to recover the money paid out during the huge spike in joblessness during the coronavirus crisis.
LeVine said that in addition to other measures the agency has already taken, they will continue to delay payments — a step they first took last week — to all applicants in order to take extra steps to verify claims.
LeVine said agency officials realized something was amiss even before that alert, once they started receiving communication from employers or employees who got information about unemployment benefits the employee didn’t seek.
More than 1.1 million people in Washington have filed for unemployment benefits since businesses started closing in March due to COVID-19.
Tomi Engdahl says:
Hackers release a new jailbreak that unlocks every iPhone
https://techcrunch.com/2020/05/23/hackers-iphone-new-jailbreak/?tpcc=ECFB2020
A renowned iPhone hacking team has released a new “jailbreak” tool that unlocks every iPhone, even the most recent models running the latest iOS 13.5.
For as long as Apple has kept up its “walled garden” approach to iPhones by only allowing apps and customizations that it approves, hackers have tried to break free from what they call the “jail,” hence the name “jailbreak.” Hackers do this by finding a previously undisclosed vulnerability in iOS that break through some of the many restrictions that Apple puts in place to prevent access to the underlying software.
The jailbreak, released by the unc0ver team, supports all iPhones that run iOS 11 and above, including up to iOS 13.5, which Apple released this week.
Details of the vulnerability that the hackers used to build the jailbreak aren’t known, but it’s not expected to last forever. Just as jailbreakers work to find a way in, Apple works fast to patch the flaws and close the jailbreak.
https://mobile.twitter.com/Pwn20wnd/status/1264315776338554880
Tomi Engdahl says:
Hacker arrested in Ukraine for selling billions of stolen credentials
Hacker “Sanix” has been selling billions of hacked user credentials on hacker forums and Telegram channels.
https://www.zdnet.com/article/hacker-arrested-in-ukraine-for-selling-billions-of-stolen-credentials/?fbclid=IwAR1LlCRWahVCsoB39J3auNMu7x5kOy9D1xlf14JhGGIFdU9A03v-EzPWxGw
Tomi Engdahl says:
Hacker Used £270 of TV Equipment to Eavesdrop on Sensitive Satellite Communications
https://www.cbronline.com/news/satellite-hacking
An Oxford University-based security researcher says he used £270 ($300) of home television equipment to capture terabytes of real-world satellite traffic — including sensitive data from “some of the world’s largest organisations.”
Some of the eavesdropping was conducted using a “75 cm, flat-panel satellite receiver dish and a TBS-6983 DVB-S receiver… configured to receive Ku-band transmissions between 10,700 MHz and 12,750 MHz. A set of 14 geostationary satellites were selected [and from them] over 350 transponders were identified using existing ‘Blind Scan’ tools.”
Pavur targets the Digital Video Broadcasting-Satellite (DVB-S) and DVB-S version 2 protocols, which transmit data in MPEG-TS format.
The paper adds: “A collection of Python utilities… was used to analyze each of these transponders for signs of DVB-based internet transmissions.”
“Vulnerable systems administration pages and FTP servers were publicly routable from the open internet. This means that an attacker could sniff a session token from a satellite connection, open a web browser, and login to the plant’s control panel…”
Tomi Engdahl says:
Windows malware opens RDP ports on PCs for future remote access
https://www.zdnet.com/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/
Security researchers say they’ve spotted a new version of the Sarwent
malware that opens RDP (Remote Desktop Protocol) ports on infected
computers so hackers could gain hands-on access to infected hosts.
Tomi Engdahl says:
Windows Security Alert: Core System File Zero-Days Confirmed Unpatched
https://www.forbes.com/sites/daveywinder/2020/05/23/windows-security-alert-four-new-zero-day-vulnerabilities-confirmed-unpatched/
Tomi Engdahl says:
Alleged Hacker Behind Massive ‘Collection 1’ Data Dump Arrested
https://threatpost.com/alleged-hacker-behind-massive-collection-1-data-dump-arrested/155915/
The threat actor known as ‘Sanix’ had terabytes of stolen credentials at his residence, authorities said.
A hacker accused of selling hundreds of millions of stolen credentials from last year’s “Collection 1” data dump on the dark web has been arrested in the Ukraine.
Tomi Engdahl says:
Don’t Be Fooled by Covid-19 Contact-Tracing Scams
https://www.wired.com/story/covid-19-contact-tracing-scams/
Fraudsters have found yet another way to take advantage of the
pandemic.
Tomi Engdahl says:
ThreatList: People Know Reusing Passwords Is Dumb, But Still Do It
https://threatpost.com/threatlist-people-know-reusing-passwords-is-dumb-but-still-do-it/155996/
Even seeing data breaches in the news, more than half of consumers are
still reusing passwords. More than half of people haven’t changed
their password in the last year even after they’ve heard about a data
breach in the news.
Tomi Engdahl says:
Raymond Zhong / New York Times:
The worst of the pandemic may have passed in China, but officials are eager to find new uses for the virus monitoring software that’s now on many phones
China’s Virus Apps May Outlast the Outbreak, Stirring Privacy Fears
https://www.nytimes.com/2020/05/26/technology/china-coronavirus-surveillance.html
With the disease there mostly under control, officials are looking for new uses for the government software that’s now on many phones.
At the height of China’s coronavirus outbreak, officials made quick use of the fancy tracking devices in everybody’s pockets — their smartphones — to identify and isolate people who might be spreading the illness.
Months later, China’s official statistics suggest that the worst of the epidemic has passed there, but the government’s monitoring apps are hardly fading into obsolescence. Instead, they are tiptoeing toward becoming a permanent fixture of everyday life, one with potential to be used in troubling and invasive ways.
While the technology has doubtless helped many workers and employers get back to their lives, it has also prompted concern in China, where people are increasingly protective of their digital privacy. Companies and government agencies in China have a mixed record on keeping personal information safe from hacks and leaks. The authorities have also taken an expansive view of using high-tech surveillance tools in the name of public well-being.
Tomi Engdahl says:
A new Android bug, Strandhogg 2.0, lets malware pose as real apps and steal user data
https://tcrn.ch/3ewKuqf
Security researchers have found a major vulnerability in almost every version of Android, which lets malware imitate legitimate apps to steal app passwords and other sensitive data.
The vulnerability, dubbed Strandhogg 2.0 (named after the Norse term for a hostile takeover) affects all devices running Android 9.0 and earlier. It’s the “evil twin” to an earlier bug of the same name, according to Norwegian security firm Promon, which discovered both vulnerabilities six months apart. Strandhogg 2.0 works by tricking a victim into thinking they’re entering their passwords on a legitimate app while instead interacting with a malicious overlay. Strandhogg 2.0 can also hijack other app permissions to siphon off sensitive user data, like contacts, photos, and track a victim’s real-time location.
The bug is said to be more dangerous than its predecessor because it’s “nearly undetectable,” Tom Lysemose Hansen, founder and chief technology officer at Promon, told TechCrunch.
Tomi Engdahl says:
Hacker, 22, who released personal data of German politicians charged
https://www.google.com/amp/s/www.thelocal.de/20200526/hacker-behind-doxxing-of-german-politicians-charged/amp
German prosecutors said Tuesday they had brought charges against a 22-year-old hacker who released personal data of dozens of politicians, journalists and other public figures online, embarrassing national authorities.
Tomi Engdahl says:
Hacking Team Founder: ‘Hacking Team is Dead’
https://www.google.com/amp/s/www.vice.com/amp/en_us/article/n7wbnd/hacking-team-is-dead
The company’s former CEO posted a bizarre obituary on LinkedIn saying the infamous surveillance firm is “definitely dead.”
The founder and former CEO of the infamous surveillance technology company Hacking Team wrote a bizarre obituary for his old company on its official LinkedIn account.
David Vincenzetti posted a short message saying “Hacking Team is dead” on Tuesday, more than a year after the Italian company was acquired by another cybersecurity firm and rebranded as Memento Labs. As Motherboard reported earlier this year, Memento Labs is struggling to take off after several key Hacking Team employees have left
The company was one of the pioneers of the so-called lawful intercept industry, a market where firms provide these kinds of tools exclusively to law enforcement and intelligence agencies. In the 2000s, Hacking Team went from selling only to Italian agencies to selling to Spain’s national intelligence agency, and later to cops and spies in 41 different countries in its heyday in 2015. That year, a hacktivist known as Phineas Fisher broke into Hacking Team’s servers, stole gigabytes of sensitive data and posted it online, dealing the company with what would eventually become a deadly blow.
Tomi Engdahl says:
Researchers Say They Caught an iPhone Zero-Day Hack in the Wild
https://www.vice.com/amp/en_us/article/pken5n/iphone-email-zero-day-hack-in-the-wild
The attack shows, once again, that iPhones can be hacked. But there’s no reason to panic yet.
Tomi Engdahl says:
New fuzzing tool finds 26 USB bugs in Linux, Windows, macOS, and
FreeBSD
https://www.zdnet.com/article/new-fuzzing-tool-finds-26-usb-bugs-in-linux-windows-macos-and-freebsd/
Eighteen of the 26 bugs impact Linux. Eleven have been patched
already.
Tomi Engdahl says:
Authority surprised: helpdesk scam calls to Finland stopped suddenly;
the trail led to closed call centres in India
https://yle.fi/uutiset/3-11370619
Entire call centres have grown up around scam calls in India. Because
of the coronavirus, they too are now closed.