This posting is here to collect cyber security news in June 2020.
I post links to security vulnerability news with short descriptions to comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
Tomi Engdahl says:
Never leave your key laying around
https://www.facebook.com/paulvutv/videos/682908555878206/
Tomi Engdahl says:
https://etn.fi/index.php/13-news/10830-tutkijat-loysivat-26-usb-haavoittuvuutta-linux-reikaisin
Researchers at EPFL, the polytechnic university in Lausanne, have used a tool they developed to find as many as 26 vulnerabilities in USB driver protocols. In total, 26 bugs were found. Notably, 18 of the bugs were found in Linux operating systems.
Tomi Engdahl says:
Minneapolis Police Department Hack Likely Fake, Says Researcher
https://threatpost.com/anonymous-hack-minneapolis-police-department-fake/156171/
Troy Hunt said that the supposed data breach perpetrated by Anonymous is most likely a hoax.
As protests continue to proliferate across the globe in the wake of George Floyd’s death, the Minnesota Police Department is making news for something else: A supposed hack, perpetrated at the hands of the Anonymous hacktivist group.
Hunt’s review of the situation comes to a different conclusion.
“Don’t spread disinformation and right now, all signs point to just that – the alleged Minneapolis Police Department ‘breach’ is fake,” he wrote, in an analysis posted on Monday, adding that the data is likely not from the MPD at all, but rather a collection of widely available credentials from earlier breaches, and possibly some made-up combinations, that have been assembled into a new database for the purpose of perpetrating this hoax.
Analysing the (Alleged) Minneapolis Police Department “Hack”
https://www.troyhunt.com/analysing-the-alleged-minneapolis-police-department-hack/
Tomi Engdahl says:
IP-in-IP Vulnerability Affects Devices From Cisco and Others
https://www.securityweek.com/ip-ip-vulnerability-affects-devices-cisco-and-others
A vulnerability related to the IP-in-IP tunneling protocol that can be exploited for denial-of-service (DoS) attacks and to bypass security controls has been found to impact devices from Cisco and other vendors.
“An unauthenticated attacker can route network traffic through a vulnerable device, which may lead to reflective DDoS, information leak and bypass of network access controls,” the CERT Coordination Center (CERT/CC) said in an advisory published on Tuesday.
Tomi Engdahl says:
https://www.securityweek.com/androids-june-2020-patches-fix-critical-rce-vulnerabilities
Tomi Engdahl says:
REvil Ransomware Gang Starts Auctioning Victim Data
https://krebsonsecurity.com/2020/06/revil-ransomware-gang-starts-auctioning-victim-data/
Prior to this auction, REvil like many other ransomware gangs has sought to pressure victim companies into paying up mainly by publishing a handful of sensitive files stolen from their extortion targets, and threatening to release more data unless and until the ransom demand is met. Experts say the auction is a sign that ransomware groups may be feeling the financial pinch from the current economic crisis, and are looking for new ways to extract value from victims who are now less likely or able to pay a ransom demand. See also:
https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/
Tomi Engdahl says:
Huge Cyber Attacks Attempt To Silence Black Rights Movement With DDoS Attacks
https://www.forbes.com/sites/thomasbrewster/2020/06/03/huge-cyber-attacks-attempt-to-silence-black-rights-movement-with-ddos-attacks/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie/#676f7264696
After the death of George Floyd and the subsequent protests across the U.S., cyberattacks on advocacy groups spiked by an astonishing 1,120 times. It’s unclear who is behind the attacks, but they included attempts to neuter anti-racist organizations’ freedom of speech.
And organizations whose purpose is to fight prejudice went from seeing almost no attacks on their sites, to significant attempts to knock them offline. They included nearly 140 million likely-malicious requests to load their websites. DDoS attacks see sites swamped with such requests, which mimic a massive number of people trying to get on a site at the same time, clogging up traffic to the page and making it inaccessible.
“Those groups went from having almost no attacks at all in April, to attacks peaking at 20 thousand requests per second on a single site,” the company’s CEO Matthew Prince and chief technology officer John Graham-Cumming wrote in a blog post.
Tomi Engdahl says:
Ivan Mehta / The Next Web:
Zoom CEO says the app’s upcoming end-to-end encryption feature will be available only to paid users in order to comply with law enforcement in case of misuse — If you’re a free Zoom user, and waiting for the company to roll out end-to-end encryption for better protection of your calls, you’re out of luck.
Zoom won’t encrypt free calls because it wants to comply with law enforcement
https://thenextweb.com/security/2020/06/03/zoom-wont-encrypt-free-calls-because-it-wants-to-comply-with-law-enforcement/
If you’re a free Zoom user, and waiting for the company to roll out end-to-end encryption for better protection of your calls, you’re out of luck. Free calls won’t be encrypted, and law enforcement will be able to access your information in case of ‘misuse’ of the platform.
Zoom CEO Eric Yuan today said that the video conferencing app’s upcoming end-to-end encryption feature will be available to only paid users.
Tomi Engdahl says:
Zoom won’t encrypt conversations for free users so law enforcement can intercept calls
https://www.independent.co.uk/life-style/gadgets-and-tech/news/zoom-call-encryption-free-users-law-enforcement-a9545991.htm
‘We also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,’ Zoom CEO Eric Yuan said
Tomi Engdahl says:
Email from HaveIBeenPwned wipes helpdesk tickets
https://www.itnews.com.au/news/email-from-haveibeenpwned-wipes-helpdesk-tickets-548916
A software development house got more than it bargained for after an alert email from the HaveIBeenPwned (HIBP) data breach monitoring site wiped all its helpdesk support tickets.
When a message from HIBP arrived at QB8's helpdesk address after a recent data breach, it was automatically turned into a ticket in the company’s tech support system, the open source Gestionnaire Libre de Parc Informatique (GLPI) version 9.4.5.
By assigning the ticket to a particular team member, the GLPI system parsed the “;–” characters in the header of the HIBP email, and interpreted it as a Structured Query Language database command that deleted data in the helpdesk system.
The SQL injection (SQLi) vulnerability is fixed in GLPI version 9.4.6, as it had been discovered prior to the HIBP email incident.
Tomi Engdahl says:
Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution
https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html
An exploitable path traversal vulnerability exists in the way the Zoom Client version 4.6.10 processes messages including animated GIFs. In order to trigger this vulnerability, an attacker needs to send a specially crafted message to a target user or a group. See also:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1055
And also:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1056
Tomi Engdahl says:
Large-scale attack tries to steal configuration files from WordPress sites
https://www.zdnet.com/article/large-scale-attack-tries-to-steal-configuration-files-from-wordpress-sites/
Hackers have launched a massive campaign against WordPress websites over the past weekend, attacking old vulnerabilities in unpatched plugins to download configuration files from WordPress sites. The campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.
Tomi Engdahl says:
Researchers Dive Into Evolution of Malicious Excel 4.0 Macros
https://www.securityweek.com/researchers-dive-evolution-malicious-excel-40-macros
For more than five months, Lastline security researchers have tracked the evolution of malicious Excel 4.0 (XL4) macros, observing the fast pace at which malware authors change them to stay ahead of security tools.
A central part of many organizations’ productivity tools, Excel opens the door for phishing attacks where victims are tricked into enabling macros in malicious documents, which can result in the attackers gaining a foothold on the network, in preparation for additional activities.
During their five-month research, Lastline observed thousands of malicious samples, clustered into waves that provide a comprehensive picture of how the threat has evolved in both sophistication and evasiveness.
Tomi Engdahl says:
Why This Image Is Causing Android Phones to Crash
It’s beautiful—and dangerous.
https://www.popularmechanics.com/technology/a32757062/android-wallpaper-crash/
A particular image of a sunset over a lake is causing some Android phones to malfunction when set as a wallpaper, according to Twitter users.
Security experts believe it has to do with a glitch in how Android software understands color space.
Popular Mechanics has reached out to Google to learn more.
“WARNING!!!
Never set this picture as wallpaper, especially for Samsung mobile phone users!
It will cause your phone to crash!
Don’t try it!
If someone sends you this picture, please ignore it.”
Tomi Engdahl says:
A new Java-based ransomware targets Windows and Linux
https://techcrunch.com/2020/06/04/tycoon-java-ransomware/
Tomi Engdahl says:
U.S. Nuclear Contractor Hit with Maze Ransomware, Data Leaked
https://threatpost.com/nuclear-contractor-maze-ransomware-data-leaked/156289/
A U.S. military contractor involved in the maintenance of the country’s Minuteman III nuclear arsenal has been hit by the Maze ransomware, according to reports – with the hackers making off with reams of sensitive information.
Tomi Engdahl says:
Cisco’s warning: Critical flaw in IOS routers allows ‘complete system compromise’
https://www.zdnet.com/article/ciscos-warning-critical-flaw-in-ios-routers-allows-complete-system-compromise/
Most severe vulns are remote code execution by unauthenticated attackers.
Tomi Engdahl says:
Anti-racism sites hit by wave of cyber-attacks
https://www.bbc.com/news/technology-52912881
Cloudflare, which blocks attacks designed to knock websites offline, says advocacy groups in general saw attacks increase 1,120-fold. That equates to an extra 110,000 blocked requests every second, it said.
The problem was particularly acute for certain types of organisations. One single website belonging to an unnamed advocacy group dealt with 20,000 requests a second.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Google researchers say hackers backed by China recently targeted the Biden campaign while Iran targeted the Trump campaign, but see “no signs of compromise” — Google security researchers say they’ve identified efforts by at least two nation state-backed hackers against the Trump and Biden presidential campaigns.
Google says Iranian, Chinese hackers targeted Trump, Biden campaigns
https://techcrunch.com/2020/06/04/google-china-iran-trump-biden/
Tomi Engdahl says:
Moxie Marlinspike / Signal Blog:
Messaging app Signal adds face blurring tool on iOS and Android to help hide protesters’ identities — Right now, people around the world are marching and protesting against racism and police brutality, outraged by the most recent police murders of George Floyd and Breonna Taylor.
https://signal.org/blog/blur-tools/
Tomi Engdahl says:
Jared Newman / Fast Company:
Police scanner app Citizen has become an instant hit during the protests but its social networking layer could be adding to a climate of fear and divisiveness
Why Citizen has become the unofficial social network for protests
https://www.fastcompany.com/90512846/why-citizen-has-become-the-unofficial-social-network-for-protests
The George Floyd demonstrations have made the police scanner app into an overnight hit. But it’s unclear whether the app is helping people stay safe or stoking their fears.
Tomi Engdahl says:
Hackers Attempted to Steal Credentials From Millions of WordPress Websites
https://www.securityweek.com/hackers-attempted-steal-credentials-millions-wordpress-websites
Over a period of just a few days in late May, malicious actors attempted to steal database credentials from millions of WordPress websites by exploiting known vulnerabilities in themes and plugins.
According to WordPress security company Defiant, its firewall blocked more than 130 million attempts to collect database credentials from 1.3 million sites between May 29 and May 31. The number of requests peaked on May 30, when 75% of the total exploit attempts were observed by the company. After May 31, the attack volume dropped to what the firm usually sees.
Tomi Engdahl says:
Chinese Hackers Target Air-Gapped Systems With Custom USB Malware
https://www.securityweek.com/chinese-hackers-target-air-gapped-systems-custom-usb-malware
For years, a China-linked threat actor named Cycldek has been exfiltrating data from air-gapped systems using a previously unreported, custom USB malware family, Kaspersky reports.
Also referred to as Goblin Panda and Conimes, the hacking group has been actively targeting governments in Southeast Asia over the past two years, with its activities separated into two main clusters that are under the supervision of a single entity.
Tomi Engdahl says:
https://www.securityweek.com/cisco-patches-dozen-vulnerabilities-industrial-routers
Tomi Engdahl says:
The Cybersecurity 202: Attempted hacks of Trump and Biden campaigns reveal a race to disrupt the 2020 general election
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/06/05/the-cybersecurity-202-attempted-hacks-of-trump-and-biden-campaigns-reveal-a-race-to-disrupt-the-2020-general-election/5ed98eb6602ff12947e84d7c/?tid=ss_fb
It’s official: The race to hack the 2020 general election is in full swing.
Iran tried to hack into Gmail accounts used by President Trump’s reelection campaign staff, the leader of Google’s threat-hunting team revealed in a tweet. China, meanwhile, tried to hack staff for former vice president Joe Biden, the presumptive Democratic presidential nominee, Shane Huntley said.
The hackers didn’t successfully breach those accounts. But these nation state-backed hacking campaigns are likely to be just the beginning of a general election campaign that will be ripe for disruption by U.S. adversaries.
Tomi Engdahl says:
Sen. Wyden Confirms Cell-Site Simulators Disrupt Emergency Calls
https://www.eff.org/deeplinks/2018/08/blog-post-wyden-911-disruption-css
Sen. Ron Wyden has sent a letter to the U.S. Department of Justice concerning disruptions to 911 emergency services caused by law enforcement’s use of cell-site simulators (CSS, also known as IMSI catchers or Stingrays). In the letter, Sen. Wyden states that:
Senior officials from the Harris Corporation—the manufacturer of the cell-site simulators used most frequently by U.S. law enforcement agencies—have confirmed to my office that Harris’ cell-site simulators completely disrupt the communications of targeted phones for as long as the surveillance is ongoing. According to Harris, targeted phones cannot make or receive calls, send or receive text messages, or send or receive any data over the Internet.
Moreover, while the company claims its cell-site simulators include a feature that detects and permits the delivery of emergency calls to 9-1-1, its officials admitted to my office that this feature has not been independently tested as part of the Federal Communication Commission’s certification process
Researchers of CSS technology have long suspected that using such technologies, even professionally designed and marketed CSS’s, would have a detrimental effect on emergency services, and now—for the first time—we have confirmation.
It is striking, but unfortunately not surprising, that law enforcement has been allowed to use these technologies and has continued to use them despite the significant and undisclosed risk to public safety posed by disabling 911 service, not to mention the myriad privacy concerns related to CSS use.
Thanks to the onerous non-disclosure agreements that customers of Harris Corp and other CSS vendors sign, there is no way for the public or policy makers to know if this technology works as intended.
There are several other companies that manufacture such technology and we know even less about the workings of their technologies or whether they have any protections against blocking 911 calls.
The only way to stop the public safety and public privacy threats that cell-site simulators pose is to increase the security of our mobile communications infrastructure at every layer. All companies involved in mobile communications from the network layer (AT&T, T-Mobile, Verizon, etc.) to the hardware layer (Qualcomm, Samsung, Intel), to the software layer (Apple, Google) need to work together to ensure that our cellular infrastructure is safe, secure, and private from attacks by spies, criminals, and rogue law enforcement.
Tomi Engdahl says:
Not many knew this: Criminals can secretly change your home address in a flash – Posti recommends an easy trick that prevents the crime
https://www.kauppalehti.fi/uutiset/tata-ei-moni-tiennyt-rikolliset-voivat-vaihtaa-sinulle-salaa-uuden-kotiosoitteen-kaden-kaanteessa-posti-suosittelee-helppoa-konstia-joka-estaa-rotoksen/d1dd4f95-ef05-4bfc-9254-ccad394559e2
According to Posti, change-of-address notifications have been used to some extent for criminal purposes.
Insurance company If warned on Wednesday that identity thefts are on the rise. Particularly unpleasant are cases in which the thief changes the victim’s address and, for example, applies for a loan in the victim’s name.
”Under cover of a new address, the criminal has time to operate in secret for longer. In the worst case, the victim may learn the truth only when there are dozens of payday loans in their name,” the insurance company said.
According to Åkerman, change-of-address notifications have been used to some extent for criminal purposes.
Åkerman recommends prohibiting paper change-of-address notifications.
”Yes, it is worth doing. If, for example, an elderly person is not comfortable with the internet themselves, they should ask a relative to do it for them.”
There is no problem with electronic change-of-address notifications, because they are made with an authenticated identity.
Tomi Engdahl says:
Thousands of People Are Monitoring Police Scanners During the George Floyd Protests
Apps that let people listen to police scanners have skyrocketed to the top of the App Store.
https://www.vice.com/en_us/article/pkybn8/police-radio-scanner-apps-george-floyd-protests
The number of users of an app which lets people listen in to police radio broadcasts across the country is nearly doubling every day during the protests, according to its developer. As of Monday morning, ’5-0 Radio’ had skyrocketed above apps such as Facebook, Instagram, and TikTok to the most popular paid app, and the second most popular free app on the Apple App Store, according to Apple’s own rankings. Other similar apps have also jumped in popularity.
Tomi Engdahl says:
Sai Krishna Kothapalli / InfoSec Write-ups:
Researcher describes how hundreds of medical imaging servers in India were left unsecured months ago and are still leaving 1M+ medical records exposed
How screwed is Indian healthcare data?
https://medium.com/bugbountywriteup/how-screwed-is-indian-healthcare-data-fa4584be8a04
The story behind how I was able to view, edit & delete classified personal information of lakhs of patients all over India
What is DICOM?
DICOM stands for Digital Imaging and Communications in Medicine and is a very old file format which is used for storing and sharing medical images. A series of images are stored in a single DICOM file which makes sharing data with other medical professionals easier.
You require a DICOM viewer to view these files. There are various software packages on the market (some of them free to download and use) doing this. As an analogy, you can think of them as regular photos.
What is PACS?
PACS stands for Picture Archiving and Communication System. You can think of it as a storage server for the medical images. These support imaging modalities such as X-Ray, CT scan, MRIs etc.
How Can You Access the Data?
There are 2 ways you can access the data which is inside PACS systems.
1. Connect directly to PACS servers
2. Access through a web interface
https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/
Every day, millions of new medical images containing the personal health information of patients are spilling out onto the internet.
Hundreds of hospitals, medical offices and imaging centers are running insecure storage systems, allowing anyone with an internet connection and free-to-download software to access over 1 billion medical images of patients across the world.
About half of all the exposed images, which include X-rays, ultrasounds and CT scans, belong to patients in the United States.
Yet despite warnings from security researchers who have spent weeks alerting hospitals and doctors’ offices to the problem, many have ignored their warnings and continue to expose their patients’ private health information.
“It seems to get worse every day,”
The problem is well-documented. Greenbone found 24 million patient exams storing more than 720 million medical images in September, which first unearthed the scale of the problem as reported by ProPublica. Two months later, the number of exposed servers had increased by more than half, to 35 million patient exams, exposing 1.19 billion scans and representing a considerable violation of patient privacy.
But the problem shows little sign of abating. “The amount of data exposed is still rising, even considering the amount of data taken offline due to our disclosures,” said Schrader.
Tomi Engdahl says:
Om Malik / On my Om:
The struggle between real information and fake information is not too different from the fight against spam email, which took a long time but was worth fighting
The Good, The Bad & The Ugly (of Technology)
https://om.co/2020/06/07/the-good-the-bad-the-ugly-of-technology/
Tomi Engdahl says:
IBM Releases Open Source Toolkits for Processing Data While Encrypted
https://www.securityweek.com/ibm-releases-open-source-toolkits-processing-data-while-encrypted
IBM this week announced the availability of open source toolkits that allow for data to be processed while it’s still encrypted.
The toolkits implement fully homomorphic encryption (FHE), which enables the processing of encrypted data without providing access to the actual data. The toolkits are currently available for macOS and iOS, but IBM is also working on versions for Android and Linux.
Applications are typically designed to encrypt data while it’s at rest or in transit, but malicious actors could still gain access to it while it’s being processed since at this stage the data is decrypted. FHE addresses this problem by enabling authorized parties to work with data while it remains encrypted.
IBM invented FHE in 2009, but until recently its use was impractical as it was too slow.
“In recent years, thanks to algorithmic advancements, Fully Homomorphic Encryption has reached an inflection point where its performance is becoming practical. This has revolutionized security and data privacy and how we outsource computation to untrusted clouds,” IBM says on a page dedicated to FHE.
The tech giant says the use of FHE is ideal for sensitive applications such as the ones used in the financial and healthcare sectors, allowing associated data to be shared without exposing it during processing.
Fully Homomorphic Encryption
How to achieve data privacy by design
https://www.research.ibm.com/labs/uk/fhe.html
Tomi Engdahl says:
Critical Vulnerability Could Have Allowed Hackers to Disrupt Traffic Lights
https://www.securityweek.com/critical-vulnerability-could-have-allowed-hackers-disrupt-traffic-lights
A critical vulnerability affecting traffic light controllers made by SWARCO could have been exploited by hackers to disrupt a city’s traffic lights.
SWARCO is an Austria-based company that specializes in traffic management, traffic safety, road marking and other solutions typically found in smart cities. Its products have been deployed in over 70 countries around the world.
Researchers at ProtectEM, a Germany-based company that provides cybersecurity guidance and solutions for industrial and embedded systems, discovered that SWARCO’s CPU LS4000 traffic light controllers are vulnerable to attacks due to an open port designed for debugging.
The flaw, tracked as CVE-2020-12493 with a CVSS score of 10, was reported to the vendor in July 2019 and a patch was provided by SWARCO to customers in April. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Germany’s VDE CERT recently published advisories for the vulnerability.
The affected SWARCO controller runs BlackBerry’s QNX real-time operating system and it’s designed to control traffic lights in one intersection. The system had a debug port open, which granted root access over the network without a password, allowing an attacker to remotely shut down or manipulate impacted controllers.
“In the unpatched system, an attacker gets unlimited root access to any traffic light controller without requiring any credentials through a well documented and known feature of the underlying operating system. The access is meant for debugging, so it is not a bug or software defect that can be exploited. Rather the system was deployed in a configuration not meant for a production system with no security in place for this access port. As documented for the operating system, for a production system this debug option needs to be turned off,” Fröhlich explained.
“As we move to smart cities the industry faces new challenges with respect to hardening their system against intentional and untargeted security threats. Embedded controllers not only run traffic lights but also lighting systems, heating and cooling, elevators, doors and many other automated systems which affect a large number of people. Manipulation of the behavior of such systems or mere denial of service can create significant impact,” Fröhlich concluded. “Yet many of those systems have not yet been created with a focus on cyber security. With increased connectivity and networking these systems become vulnerable. As can be seen in this specific example, vendors of such embedded systems are facing new challenges and will need to ramp up their focus, expertise and processes.”
ICS Advisory (ICSA-20-154-06)
SWARCO CPU LS4000
https://www.us-cert.gov/ics/advisories/icsa-20-154-06
Tomi Engdahl says:
FULL INFRASTRUCTURE TAKEOVER OF VMWARE CLOUD DIRECTOR (CVE-2020-3956)
https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
How a single simple form submission can be manipulated to gain control of any Virtual Machine (VM) within VMware Cloud Director. The story of a critical vulnerability that enables a full infrastructure takeover.
Tomi Engdahl says:
Mozilla fixes five high-risk Firefox flaws, bug in DoH feature
https://www.welivesecurity.com/2020/06/04/mozilla-fixes-five-high-risk-firefox-flaws-dns-over-https/
The browser maker rolls out updates on back-to-back days, including a patch to avoid unintentionally overloading DNS providers.
Tomi Engdahl says:
Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique
https://blog.trendmicro.com/trendlabs-security-intelligence/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique/
We recently saw two barcode reader apps in Google Play, together downloaded more than a million times, that started showing unusual behavior (Trend Micro detects these as AndroidOS_HiddenAd.HRXJA). This includes behavior that can be seen even when the user is not actively using the phones.
Tomi Engdahl says:
Not so FastCGI!
https://isc.sans.edu/forums/diary/Not+so+FastCGI/26208/
This past month, we’ve seen some new and different scans targeting tcp ports between 8000 and 10,000.
It is clear that the payload is trying to exploit something PHP related, but it was not immediately obvious what service was being targeted. After Googling around for a while, I could identify the payload as targeting fastcgi. Fastcgi can run using both unix sockets (named pipes on Windows) and tcp sockets. Apparently they are scanning for publicly available, incorrectly configured fastcgi sockets.
Tomi Engdahl says:
Fake ransomware decryptor double-encrypts desperate victims’ files
https://www.bleepingcomputer.com/news/security/fake-ransomware-decryptor-double-encrypts-desperate-victims-files/
A fake decryptor for the STOP Djvu Ransomware is being distributed that lures already desperate people with the promise of free decryption. Instead of getting their files back for free, they are infected with another ransomware that makes their situation even worse.
Tomi Engdahl says:
This bot hunts software bugs for the Pentagon
https://arstechnica.com/information-technology/2020/06/this-bot-hunts-software-bugs-for-the-pentagon/
Champion of a 2016 DARPA contest at DEFCON, now Mayhem gets used by the military.
Tomi Engdahl says:
uBlock Origin for Chrome now blocks port scans on most sites
https://www.bleepingcomputer.com/news/security/ublock-origin-for-chrome-now-blocks-port-scans-on-most-sites/
A recent update to an ad block filter list now allows the uBlock Origin extension to block most of the known sites that perform port scans of your local Windows computer.
Tomi Engdahl says:
Windows 10 SMBGhost bug gets public proof-of-concept RCE exploit
https://www.bleepingcomputer.com/news/security/windows-10-smbghost-bug-gets-public-proof-of-concept-rce-exploit/
Working exploit code that achieves remote code execution on Windows 10 machines is now publicly available for CVE-2020-0796, a critical vulnerability in Microsoft Server Message Block (SMB 3.1.1). See also:
https://www.kyberturvallisuuskeskus.fi/fi/kriittinen-haavoittuvuus-microsoftin-smbv3-toteutuksessa
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Zoom consultant Alex Stamos and experts say offering end-to-end encryption, which needs user authentication, only to paying customers is a reasonable compromise
Zoom defenders cite legit reasons to not end-to-end encrypt free calls
Critics say everyone deserves it. Others say safety should be factored in, too.
https://arstechnica.com/information-technology/2020/06/zoom-defenders-say-there-are-legit-reasons-to-not-encrypt-free-calls/
If you’ve waded into Twitter timelines for security and privacy advocates over the past five days, you’ve no doubt seen Zoom excoriated for its plans to enable end-to-end encrypted video conferencing solely for paying customers. Zoom’s millions of non-paying users won’t receive the protection so that the company can monitor meetings for child-abuse activity and other types of illegal and disturbing content, executives said.
The move is certainly a departure from some platforms that already offer end-to-end encryption. Signal, Facebook Messenger, and WhatsApp all offer the protection to all users, though few if any pay for the services. Few video conferencing services offer end-to-end encryption. Like Zoom, its competitors that do offer end-to-end crypto generally do so only for select users.
Impossible to unscramble
End-to-end encryption is vastly different from simply encrypting data in transit. Instead, it provides each user with keys that reside solely on their devices, where communications are encrypted and later decrypted (the encrypted data is usually encrypted a second time as it travels over the wire). With the provider having no access to the keys that decrypt the data, it’s impossible for law enforcement or malicious insiders to access the human-readable content.
Security and privacy advocates say that this kind of protection is crucial as more and more sensitive information is transmitted over the Internet. Groups such as the Electronic Frontier Foundation argue that end-to-end encryption should be made available to all users, whether they pay or not. Zoom has not yet implemented end-to-end encryption, but representatives have said that company engineers are in the process of designing and implementing it.
This article isn’t arguing that Zoom’s plans as articulated so far are fine. Rather, it provides a counterpoint to criticism that the plans are motivated by greed or a desire to cozy up to law enforcement. No doubt, some Zoom critics are likely to claim this counterpoint smacks of the same “think-of-the-children” tripe that foes of strong encryption raise all the time.
Others argue that unique attributes of video conferencing and other real-time video platforms warrant people weighing, and ultimately balancing, the pros and cons of end-to-end encryption for all users.
One aspect of video conferencing is that it’s a platform for live child sex shows and other highly disturbing activities.
A person familiar with Zoom’s plans said these types of live sex shows involving children are more common on video services than most people realize. Almost all of the participants use free accounts that are registered in ways that make their identities harder, if not impossible, to track. Few if any paying users engage in illegal activities.
Since almost all of the abuse is broadcast in meetings of unregistered users with free accounts, Zoom decided that the reasonable balance of security and safety was to implement end-to-end encryption only for paying customers. Zoom says it turns over customer data only when presented with a legally binding court order.
Legitimate concerns
Like the Twitter user quoted earlier in this post, critics say Zoom is giving in to law enforcement’s exaggerated complaints of “going dark,” meaning providing no way to gain intelligence about real crimes because of encryption. The counterpoint can be found in a Wednesday Twitter thread from Alex Stamos, a security consultant to Zoom who has a history of defending strong encryption against authorities and resisting unwarranted searches of user data. He cited both technical limitations when meeting participants connect by phone or H.323 and SIP gear and the balancing of privacy and safety of others for Zoom not making end-to-end encryption available for all.
“There are legitimate product reasons for making E2EE an opt-in feature,” he wrote. “Such reasons existed for Facebook Messenger (which FB is working on) and exist now for Zoom. In both cases, I think optional E2EE on top of transport encryption is better than no E2EE option at all. But the other issue we have to grapple with is how products can cause harm outside of surveillance.”
Another Zoom defender is Nicholas Weaver, a researcher at UC Berkeley’s International Computer Science Institute and a lecturer at the university. On Thursday, he challenged a critic on Twitter by saying the video conferencing service rightly needed a way to authenticate users (currently, free users need no account). Without it, he argued, end-to-end encryption would provide little meaningful protection because there would be no way to know if the user on the other end was really the person she was claiming to be.
“Billing records matter,” he wrote. “$15/month is establishing a paper trail and friction. I’m very comfortable with this decision, esp since proper end-to-end requires significant authentication infrastructure that isn’t needed in the current security model.
“In this world financial access is probably the most reliable device-independent one available,” he added. “You CAN have throwaway credit cards (gift cards) but those should be distinguishable based on a prefix list.”
Zoom still hasn’t followed the example of Google, Facebook, and other companies in publishing transparency reports that detail the law enforcement orders they receive for user data (CEO promises the first one by early July). Until it does, users have a strong reason for caution. There might be other ways to balance privacy and security besides denying end-to-end crypto to all non-paying customers. But if Zoom implements its end-to-end protection properly, it will be one of the few conferencing services that does so for any of its users. Restricting its use to some users is a vastly better way to accommodate safety than building the kinds of backdoors authorities demand.
Tomi Engdahl says:
Honda investigates possible ransomware attack, networks impacted
https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/
Computer networks in Europe and Japan from car manufacturer giant
Honda have been affected by issues that are reported to be related to
a SNAKE Ransomware cyber attack.
Tomi Engdahl says:
Can Governments Defeat Nation-State Attacks on Critical Infrastructures?
https://threatpost.com/can-governments-defeat-nation-state-attacks-on-critical-infrastructures/156338/
The one cyber risk that governments are much better at controlling
than we are is insider threats. Governments have been dealing with
people threats for centuries and have powerful tools at their disposal
for such investigations.
Tomi Engdahl says:
CallStranger vulnerability lets attacks bypass security systems and scan LANs
The CallStranger vulnerability can also be used to launch major DDoS attacks.
https://www.zdnet.com/article/callstranger-vulnerability-lets-attacks-bypass-security-systems-and-scan-lans/
Tomi Engdahl says:
An online voting system used in Florida and Ohio can be hacked to alter votes without detection, researchers found
https://www.businessinsider.com/online-voting-system-can-be-hacked-to-alter-votes-report-2020-6
Security researchers found vulnerabilities in an online voting system that could let hackers alter votes without being detected by voters or elections officials, according to a report published Sunday.
The report, published by researchers at MIT and the University of Michigan, reveals serious security problems with an online voting application made by Seattle-based Democracy Live.
The online voting software is being used by some county and state governments in Colorado, Delaware, New Jersey, Florida, Ohio, Oregon, Washington, and West Virginia.
Online voting has typically been reserved for overseas voters, but could be expanded to more people given the COVID-19 pandemic. Some counties are expanding mail-in ballots, which experts say are less vulnerable to fraud.
Tomi Engdahl says:
Magecart Targets Emergency Services-related Sites via Insecure S3 Buckets
https://thehackernews.com/2020/06/magecart-skimmer-amazon.html
Hacking groups are continuing to leverage misconfigured AWS S3 data
storage buckets to insert malicious code into websites in an attempt
to swipe credit card information and carry out malvertising campaigns.
Tomi Engdahl says:
Maze Ransomware adds Ragnar Locker to its extortion cartel
https://www.bleepingcomputer.com/news/security/maze-ransomware-adds-ragnar-locker-to-its-extortion-cartel/
A second ransomware gang has partnered with Maze Ransomware to use
their data leak platform to extort victims whose unencrypted files
were stolen.
Tomi Engdahl says:
Spotlight on incident reporting of telecom security and trust services
https://www.enisa.europa.eu/news/enisa-news/spotlight-on-incident-reporting-of-telecom-security-and-trust-services
The European Agency for Cybersecurity releases today a new visual tool
to increase transparency about cybersecurity incidents.
Tomi Engdahl says:
Data breach leads to the theft of $10M from a Norwegian investment fund
https://www.pandasecurity.com/mediacenter/business/data-breach-theft-norfund/
On May 13, Norway's sovereign wealth fund, Norfund, announced that it
had lost $10 million in an advanced data breach. In a statement, the
fund said that it was closely collaborating with the police and other
relevant authorities after a series of events allowed cybercriminals
to steal $10 million from the organization.
Tomi Engdahl says:
Florence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity
https://krebsonsecurity.com/2020/06/florence-ala-hit-by-ransomware-12-days-after-being-alerted-by-krebsonsecurity/
In late May, KrebsOnSecurity alerted numerous officials in Florence,
Ala. that their information technology systems had been infiltrated by
hackers who specialize in deploying ransomware. Nevertheless, on
Friday, June 5, the intruders sprang their attack, deploying
ransomware and demanding nearly $300,000 worth of bitcoin.