Cyber Security News May 2020

This posting is here to collect cyber security news in May 2020.

I post links to security vulnerability news, with short descriptions, in the comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.

222 Comments

  1. Tomi Engdahl says:

    Coronavirus-Themed Phishing Fears Largely Overblown, Researchers Say
    https://www.darkreading.com/risk/coronavirus-themed-phishing-fears-largely-overblown-researchers-say/d/d-id/1337865
    As COVID-19-themed spam rises, phishing, not so much. An analysis of
    newly registered domains finds that only 2.4% are actually phishing
    sites aiming to steal credentials. While many security firms have
    warned of massive spam campaigns employing coronavirus-themed
    messages in an attempt to fool potential victims into parting with
    their credentials, the incidence of COVID-19-specific phishing attacks
    is no higher than before the pandemic, according to a new report.

  2. Tomi Engdahl says:

    The Nigerian Fraudsters Ripping Off the Unemployment System
    https://www.wired.com/story/nigerian-scammers-unemployment-system-scattered-canary/
    Security researchers have spotted the “Scattered Canary” group
    scamming vital benefits programs amid the Covid-19 pandemic. On
    Thursday, the Secret Service issued an alert about a massive operation
    to file fraudulent unemployment claims in states around the country,
    like Washington and Massachusetts. Officials attributed the activity
    to Nigerian scammers and said millions of dollars had already been
    stolen. New research is now shedding light on one of the actors tied
    to the scams and the other pandemic hustles they have going. Read also:
    https://www.bleepingcomputer.com/news/security/bec-scammers-target-unemployment-and-cares-act-claims/
    and
    https://threatpost.com/fraudulent-unemployment-covid-19-relief-claims-earn-bec-gang-millions/155925/

  3. Tomi Engdahl says:

    Houseparty denied it had been hacked… while miscreants were abusing
    its dot-com domain name infrastructure
    https://www.theregister.co.uk/2020/05/20/houseparty_subdomain_hijack/
    Subdomain takeover possible, says infosec bod. At the end of March,
    video chat app Houseparty, owned by Epic Games, responded to
    unsubstantiated reports that user accounts had been hacked by offering
    a $1m bounty to anyone able to prove the rumors were part of a
    coordinated campaign to smear the company. Nor was any bug bounty paid
    to security researcher Zach Edwards after he found that Houseparty’s
    domain infrastructure had been hijacked and abused for distributing
    malicious content.

  4. Tomi Engdahl says:

    Beer rating app reveals homes and identities of spies and military
    bods, warns Bellingcat
    https://www.theregister.co.uk/2020/05/19/bellingcat_beer_app_osint/
    We tested it and found a naval officer’s partner and kids – they’re
    not kidding. A beer and pub-rating app built off the back of
    Foursquare’s location-tracking API poses a risk to the security of
    military and intelligence personnel, according to legendary OSINT
    website Bellingcat. Untappd ‘has over eight million mostly European
    and North American users, and its features allow researchers to
    uncover sensitive information about said users at military and
    intelligence locations around the world,’ wrote Bellingcat’s Foeke
    Postma in a fascinating guide to using the app for tracking down
    people of interest. Read also:
    https://www.bellingcat.com/news/2020/05/18/military-and-intelligence-personnel-can-be-tracked-with-the-untappd-beer-app/

  5. Tomi Engdahl says:

    Microsoft warns of ‘massive’ phishing attack pushing legit RAT
    https://www.bleepingcomputer.com/news/security/microsoft-warns-of-massive-phishing-attack-pushing-legit-rat/
    Microsoft is warning of an ongoing COVID-19 themed phishing campaign
    that installs the NetSupport Manager remote administration tool. In a
    series of tweets, the Microsoft Security Intelligence team outlines
    how this “massive campaign” is spreading the tool via malicious Excel
    attachments. Read also:
    https://twitter.com/MsftSecIntel/status/1262876021071568896

  6. Tomi Engdahl says:

    Google rolls out pro-privacy DNS-over-HTTPS support in Chrome 83…
    with a handy kill switch for corporate IT
    https://www.theregister.co.uk/2020/05/20/google_chrome_83/
    Google released Chrome 83 on Tuesday after skipping version 82
    entirely due to coronavirus-related challenges, bringing with it
    security for DNS queries, a revised extension interface that
    developers dislike, and a few other features.

  7. Tomi Engdahl says:

    NSO Group Impersonated Facebook to Help Clients Hack Targets
    https://www.vice.com/en_us/article/qj4p3w/nso-group-hack-fake-facebook-domain
    Infamous Israeli surveillance firm NSO Group created a web domain that
    looked as if it belonged to Facebook’s security team to entice targets
    to click on links that would install the company’s powerful cell phone
    hacking technology, according to data analyzed by Motherboard.

  8. Tomi Engdahl says:

    Netwalker Fileless Ransomware Injected via Reflective Loading
    https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/
    Threat actors are continuously creating more sophisticated ways for
    malware to evade defenses. We have observed Netwalker ransomware
    attacks that involve malware that is not compiled, but written in
    PowerShell and executed directly in memory and without storing the
    actual ransomware binary into the disk. This makes this ransomware
    variant a fileless threat, enabling it to maintain persistence and
    evade detection by abusing tools that are already in the system to
    initiate attacks.

  9. Tomi Engdahl says:

    Rogue ADT tech spied on hundreds of customers in their homes via CCTV
    including me, says teen girl
    https://www.theregister.co.uk/2020/05/19/adt_spying_lawsuit/
    A technician at ADT remotely accessed hundreds of customers’ CCTV
    cameras to spy on people in their own homes, the burglar-alarm biz has
    admitted.

  10. Tomi Engdahl says:

    Bluetooth flaw exposes countless devices to BIAS attacks
    https://www.welivesecurity.com/2020/05/19/bluetooth-flaw-exposes-countless-devices-bias-attacks/
    As many as 30 smartphones, laptops and other devices were tested and
    all were found to be vulnerable. A team of researchers has unveiled a
    new vulnerability in the Bluetooth wireless communication protocol
    that exposes a wide range of devices, such as smartphones, laptops,
    and smart-home devices, to the so-called Bluetooth Impersonation
    AttackS (BIAS). Read also: https://francozappa.github.io/about-bias/

  11. Tomi Engdahl says:

    Take a Bite Out of Sweyn
    https://securityintelligence.com/posts/take-a-bite-out-of-sweyn/
    If you work in the healthcare industry, you may have heard about a
    family of vulnerabilities called “SweynTooth.” Researchers from
    Singapore first discovered the vulnerabilities in 2019. After waiting
    90 days to announce them, which is part of the responsible disclosure
    process, they published a technical paper. If you are not familiar
    with the SweynTooth family, you should still be aware of it
    considering the flaws could enable attackers to compromise some
    medical internet of things (IoT) devices that are being used in
    hospitals today (i.e., blood glucose meters, inhalers and certain
    pacemakers).

  12. Tomi Engdahl says:

    ‘Hundreds of millions of dollars’ lost in Washington to unemployment fraud amid coronavirus joblessness surge
    https://www.seattletimes.com/business/economy/washington-adds-more-than-145000-weekly-jobless-claims-as-coronavirus-crisis-lingers/?utm_source=facebook&utm_medium=social&utm_campaign=article_inset_1.1

    Washington state officials have acknowledged the loss of “hundreds of millions of dollars” to an international fraud scheme that hammered the state’s unemployment insurance system and could mean even longer delays for thousands of jobless workers still waiting for legitimate benefits.

  13. Tomi Engdahl says:

    Huawei HKSP trying to push exploit code into Linux upstream. If you do anything with open source, Linux or just generally computing: read that, understand the surface your project is exposing and think about how you protect against such attempts.
    https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability

  14. Tomi Engdahl says:

    BIAS Attack Allows for Authentication Impersonation of Any Bluetooth Classic Client or Host Device
    https://www.hackster.io/news/bias-attack-allows-for-authentication-impersonation-of-any-bluetooth-classic-client-or-host-device-9c825301ad12

    Flaws in the underlying specification mean a cross-vendor method of impersonating any Bluetooth device or host is now public.

  15. Tomi Engdahl says:

    North Dakota’s COVID-19 app has been sending data to Foursquare and Google
    https://www.fastcompany.com/90508044/north-dakotas-covid-19-app-has-been-sending-data-to-foursquare-and-google

    A new report from Jumbo Privacy finds that a coronavirus contact-tracing app is sharing location data with Foursquare and an advertising ID with Google.

  16. Tomi Engdahl says:

    Ragnar Locker ransomware deploys virtual machine to dodge security
    https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/?fbclid=IwAR3JKXTfvmebWQ8Ot6E4DTo_EuRGJbddTTjq5Gv-kRGtSepBzx7JJTTrN-c

    A new ransomware attack method takes defense evasion to a new level—deploying as a full virtual machine on each targeted device to hide the ransomware from view. In a recently detected attack, Ragnar Locker ransomware was deployed inside an Oracle VirtualBox Windows XP virtual machine. The attack payload was a 122 MB installer with a 282 MB virtual image inside—all to conceal a 49 kB ransomware executable.

    The adversaries behind Ragnar Locker have been known to steal data from targeted networks prior to launching ransomware, to encourage victims to pay. In April, the actors behind Ragnar Locker attacked the network of Energias de Portugal (EDP) and claimed to have stolen 10 terabytes of sensitive company data, demanding a payment of 1,580 Bitcoin (approximately $11 million US) and threatening to release

  17. Tomi Engdahl says:

    Check Point released an open-source fix for common Linux memory corruption security hole
    https://www.zdnet.com/article/check-point-released-an-open-source-fix-for-common-linux-memory-corruption-security-hole/

    For years, there’s been a security problem with how the GNU C Library dealt with singly-linked lists. Now, Check Point has released a patch, which will fix the problem once and for all.

  18. Tomi Engdahl says:

    Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking
    The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019.
    https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/

  19. Tomi Engdahl says:

    A passwordless server run by spyware maker NSO sparks contact-tracing privacy concerns
    https://techcrunch.com/2020/05/07/nso-group-fleming-contact-tracing/

  20. Tomi Engdahl says:

    GitHub Takes Aim at Open Source Software Vulnerabilities
    GitHub Advanced Security will help automatically spot potential security problems in the world’s biggest open source platform.
    https://www.wired.com/story/github-advanced-security-open-source/

  21. Tomi Engdahl says:

    New Kaiji malware targets IoT devices via SSH brute-force attacks
    https://www.zdnet.com/article/new-kaiji-malware-targets-iot-devices-via-ssh-brute-force-attacks/

    Researchers say the malware was coded by a Chinese developer for the sole purpose of launching DDoS attacks.

  22. Tomi Engdahl says:

    DHS CISA and FBI share list of top 10 most exploited vulnerabilities
    Office is the most exploited technology, followed by Apache Struts.
    https://www.zdnet.com/article/dhs-cisa-and-fbi-share-list-of-top-10-most-exploited-vulnerabilities/

  23. Tomi Engdahl says:

    Hey, who remembers the Equifax breach? >.>

    Washington state rocked by coronavirus benefit fraud in ‘the hundreds of millions’
    https://www.cbc.ca/news/world/new-york-coronavirus-homes-1.5580089?fbclid=IwAR1j8g27E6UJtL-rHP0pH-Sr_vgHiV8wGkqG0vgDoQnkUnuems3j6Lgxw-k

    Official won’t confirm if fraud is from Nigeria, says info may have been stolen from credit agencies.

    Impostors have used the stolen information of tens of thousands of people in Washington state to fraudulently receive hundreds of millions of dollars in unemployment benefits, the head of the state’s Employment Security Department said Thursday.

    Commissioner Suzi LeVine said the state is working with federal law enforcement, financial institutions and the U.S. Department of Labor to investigate the fraud and try to recover the money paid out during the huge spike in joblessness during the coronavirus crisis.

    LeVine said that in addition to other measures the agency has already taken, they will continue to delay payments — a step they first took last week — to all applicants in order to take extra steps to verify claims.

    LeVine said agency officials realized something was amiss even before that alert, once they started receiving communication from employers or employees who got information about unemployment benefits the employee didn’t seek.

    More than 1.1 million people in Washington have filed for unemployment benefits since businesses started closing in March due to COVID-19.

  24. Tomi Engdahl says:

    Hackers release a new jailbreak that unlocks every iPhone
    https://techcrunch.com/2020/05/23/hackers-iphone-new-jailbreak/?tpcc=ECFB2020

    A renowned iPhone hacking team has released a new “jailbreak” tool that unlocks every iPhone, even the most recent models running the latest iOS 13.5.

    For as long as Apple has kept up its “walled garden” approach to iPhones by only allowing apps and customizations that it approves, hackers have tried to break free from what they call the “jail,” hence the name “jailbreak.” Hackers do this by finding a previously undisclosed vulnerability in iOS that breaks through some of the many restrictions that Apple puts in place to prevent access to the underlying software.

    The jailbreak, released by the unc0ver team, supports all iPhones that run iOS 11 and above, including up to iOS 13.5, which Apple released this week.

    Details of the vulnerability that the hackers used to build the jailbreak aren’t known, but it’s not expected to last forever. Just as jailbreakers work to find a way in, Apple works fast to patch the flaws and close the jailbreak.

    https://mobile.twitter.com/Pwn20wnd/status/1264315776338554880

  25. Tomi Engdahl says:

    Hacker arrested in Ukraine for selling billions of stolen credentials
    Hacker “Sanix” has been selling billions of hacked user credentials on hacker forums and Telegram channels.
    https://www.zdnet.com/article/hacker-arrested-in-ukraine-for-selling-billions-of-stolen-credentials/?fbclid=IwAR1LlCRWahVCsoB39J3auNMu7x5kOy9D1xlf14JhGGIFdU9A03v-EzPWxGw

  26. Tomi Engdahl says:

    Hacker Used £270 of TV Equipment to Eavesdrop on Sensitive Satellite Communications
    https://www.cbronline.com/news/satellite-hacking

    An Oxford University-based security researcher says he used £270 ($300) of home television equipment to capture terabytes of real-world satellite traffic — including sensitive data from “some of the world’s largest organisations.”

    Some of the eavesdropping was conducted using a “75 cm, flat-panel satellite receiver dish and a TBS-6983 DVB-S receiver… configured to receive Ku-band transmissions between 10,700 MHz and 12,750 MHz. A set of 14 geostationary satellites were selected [and from them] over 350 transponders were identified using existing ‘Blind Scan’ tools.”

    Pavur targets the Digital Video Broadcasting-Satellite (DVB-S) and DVB-S version 2 protocols, which transmit data in MPEG-TS format.

    The paper adds: “A collection of Python utilities… was used to analyze each of these transponders for signs of DVB-based internet transmissions.”

    “Vulnerable systems administration pages and FTP servers were publicly routable from the open internet. This means that an attacker could sniff a session token from a satellite connection, open a web browser, and login to the plant’s control panel…”

  27. Tomi Engdahl says:

    Windows malware opens RDP ports on PCs for future remote access
    https://www.zdnet.com/article/windows-malware-opens-rdp-ports-on-pcs-for-future-remote-access/
    Security researchers say they’ve spotted a new version of the Sarwent
    malware that opens RDP (Remote Desktop Protocol) ports on infected
    computers so hackers could gain hands-on access to infected hosts.

  28. Tomi Engdahl says:

    Alleged Hacker Behind Massive ‘Collection 1’ Data Dump Arrested
    https://threatpost.com/alleged-hacker-behind-massive-collection-1-data-dump-arrested/155915/

    The threat actor known as ‘Sanix’ had terabytes of stolen credentials at his residence, authorities said.

    A hacker accused of selling hundreds of millions of stolen credentials from last year’s “Collection 1” data dump on the dark web has been arrested in the Ukraine.

  29. Tomi Engdahl says:

    Don’t Be Fooled by Covid-19 Contact-Tracing Scams
    https://www.wired.com/story/covid-19-contact-tracing-scams/
    Fraudsters have found yet another way to take advantage of the
    pandemic.

  30. Tomi Engdahl says:

    ThreatList: People Know Reusing Passwords Is Dumb, But Still Do It
    https://threatpost.com/threatlist-people-know-reusing-passwords-is-dumb-but-still-do-it/155996/
    Even seeing data breaches in the news, more than half of consumers are
    still reusing passwords. More than half of people haven’t changed
    their password in the last year even after they’ve heard about a data
    breach in the news.

  31. Tomi Engdahl says:

    Raymond Zhong / New York Times:
    The worst of the pandemic may have passed in China, but officials are eager to find new uses for the virus monitoring software that’s now on many phones

    China’s Virus Apps May Outlast the Outbreak, Stirring Privacy Fears
    https://www.nytimes.com/2020/05/26/technology/china-coronavirus-surveillance.html

    With the disease there mostly under control, officials are looking for new uses for the government software that’s now on many phones.

    At the height of China’s coronavirus outbreak, officials made quick use of the fancy tracking devices in everybody’s pockets — their smartphones — to identify and isolate people who might be spreading the illness.

    Months later, China’s official statistics suggest that the worst of the epidemic has passed there, but the government’s monitoring apps are hardly fading into obsolescence. Instead, they are tiptoeing toward becoming a permanent fixture of everyday life, one with potential to be used in troubling and invasive ways.

    While the technology has doubtless helped many workers and employers get back to their lives, it has also prompted concern in China, where people are increasingly protective of their digital privacy. Companies and government agencies in China have a mixed record on keeping personal information safe from hacks and leaks. The authorities have also taken an expansive view of using high-tech surveillance tools in the name of public well-being.

  32. Tomi Engdahl says:

    A new Android bug, Strandhogg 2.0, lets malware pose as real apps and steal user data
    https://tcrn.ch/3ewKuqf

    Security researchers have found a major vulnerability in almost every version of Android, which lets malware imitate legitimate apps to steal app passwords and other sensitive data.

    The vulnerability, dubbed Strandhogg 2.0 (named after the Norse term for a hostile takeover), affects all devices running Android 9.0 and earlier. It’s the “evil twin” to an earlier bug of the same name, according to Norwegian security firm Promon, which discovered both vulnerabilities six months apart. Strandhogg 2.0 works by tricking a victim into thinking they’re entering their passwords on a legitimate app while instead interacting with a malicious overlay. Strandhogg 2.0 can also hijack other app permissions to siphon off sensitive user data, such as contacts and photos, and track a victim’s real-time location.

    The bug is said to be more dangerous than its predecessor because it’s “nearly undetectable,” Tom Lysemose Hansen, founder and chief technology officer at Promon, told TechCrunch.

  33. Tomi Engdahl says:

    Hacker, 22, who released personal data of German politicians charged
    https://www.google.com/amp/s/www.thelocal.de/20200526/hacker-behind-doxxing-of-german-politicians-charged/amp

    German prosecutors said Tuesday they had brought charges against a 22-year-old hacker who released personal data of dozens of politicians, journalists and other public figures online, embarrassing national authorities.

  34. Tomi Engdahl says:

    Hacking Team Founder: ‘Hacking Team is Dead’
    https://www.google.com/amp/s/www.vice.com/amp/en_us/article/n7wbnd/hacking-team-is-dead

    The company’s former CEO posted a bizarre obituary on LinkedIn saying the infamous surveillance firm is “definitely dead.”

    The founder and former CEO of the infamous surveillance technology company Hacking Team wrote a bizarre obituary for his old company on its official LinkedIn account.

    David Vincenzetti posted a short message saying “Hacking Team is dead” on Tuesday, more than a year after the Italian company was acquired by another cybersecurity firm and rebranded as Memento Labs. As Motherboard reported earlier this year, Memento Labs is struggling to take off after several key Hacking Team employees have left.

    The company was one of the pioneers of the so-called lawful intercept industry, a market where firms provide these kinds of tools exclusively to law enforcement and intelligence agencies. In the 2000s, Hacking Team went from selling only to Italian agencies to selling to Spain’s national intelligence agency, and later to cops and spies in 41 different countries in its heyday in 2015. That year, a hacktivist known as Phineas Fisher broke into Hacking Team’s servers, stole gigabytes of sensitive data and posted it online, dealing the company what would eventually become a deadly blow.

  35. Tomi Engdahl says:

    Researchers Say They Caught an iPhone Zero-Day Hack in the Wild
    https://www.vice.com/amp/en_us/article/pken5n/iphone-email-zero-day-hack-in-the-wild

    The attack shows, once again, that iPhones can be hacked. But there’s no reason to panic yet.

  36. Tomi Engdahl says:

    New fuzzing tool finds 26 USB bugs in Linux, Windows, macOS, and
    FreeBSD
    https://www.zdnet.com/article/new-fuzzing-tool-finds-26-usb-bugs-in-linux-windows-macos-and-freebsd/
    Eighteen of the 26 bugs impact Linux. Eleven have been patched
    already.

  37. Tomi Engdahl says:

    Authorities were surprised: the helpdesk scam calls coming into Finland
    stopped suddenly; the trail led to closed call centres in India
    https://yle.fi/uutiset/3-11370619
    Entire call centres have grown up around scam calls in India. Because
    of the coronavirus, they too are now closed.

