Cyber security news August 2020

This posting is here to collect cyber security news in August 2020.

I post links to security vulnerability news with short descriptions to comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.


240 Comments

  1. Tomi Engdahl says:

    Yle's news broadcast went unaired because of an ICT problem:
    a routing protocol went haywire
    https://www.tivi.fi/uutiset/tv/b43b9acb-fea5-48a5-95ef-47c3abb2fb3c
    On Wednesday, Yle ended up in an unpleasant situation when, because of
    a telecommunications problem that occurred in Pasila, Helsinki, TV1's
    17:00 news broadcast was not shown at all. After the incident, news
    anchor Piia Pasanen said on Twitter that in her 20-year career at Yle
    there had never been a technical problem that completely prevented a
    news broadcast from being aired.

    Reply
  2. Tomi Engdahl says:

    Lemon_Duck cryptominer malware now targets Linux devices
    https://www.bleepingcomputer.com/news/security/lemon-duck-cryptominer-malware-now-targets-linux-devices/
    The Lemon_Duck cryptomining malware has been updated to compromise
    Linux machines via SSH brute force attacks, to exploit
    SMBGhost-vulnerable Windows systems, and to infect servers running
    Redis and Hadoop instances. Lemon_Duck (spotted last year by Trend
    Micro and further examined by SentinelOne) is known for targeting
    enterprise networks, gaining access over the MS SQL service via
    brute-forcing or the SMB protocol using EternalBlue according to
    Guardicore’s Ophir Harpaz.

    Reply
  3. Tomi Engdahl says:

    Four More Bugs Patched in Microsoft's Azure Sphere IoT Platform
    https://threatpost.com/four-more-bugs-patched-in-microsofts-azure-sphere-iot-platform/158643/
    Researchers have unearthed more vulnerabilities in Microsoft's IoT
    security solution. Details tied to a pair of remote code execution
    bugs in Microsoft's IoT security platform called Azure Sphere were
    released Monday. Also made public were specifics associated with two
    additional privilege escalation flaws impacting the same cloud
    security platform. Public disclosure of all four of the bugs piggybacks
    on six vulnerabilities found in July also impacting Microsoft's Azure
    Sphere. Cybersecurity researchers at Cisco Talos found each of the
    bugs and released the technical details of the vulnerabilities only
    after Microsoft issued patches.

    Reply
  4. Tomi Engdahl says:

    Cisco Patches High-Severity Bugs Impacting Switches, Fibre Storage
    https://threatpost.com/cisco-high-severity-bugs-impact-switches-fibre-storage/158691/
    Cisco Systems disclosed eight high-severity bugs impacting a range of
    its networking gear, including its switches and fiber storage
    solutions. Cisco's NX-OS was hardest hit, with six security alerts tied
    to the network operating system that underpins the networking giant's
    Nexus-series Ethernet switches and MDS-series Fibre Channel storage
    area network switches. Patches are available for all vulnerabilities,
    according to a Cisco Security Advisory posted on Wednesday. In
    addition to the eight patched high-severity bugs, Cisco also fixed a
    flaw (CVE-2020-3504) listed as medium severity that impacts the Cisco
    Unified Computing System management software.

    Reply
  5. Tomi Engdahl says:

    Emotet Update increases Downloads
    https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/
    The Hornetsecurity Security Lab observed a 1000% increase in
    downloads of the Emotet loader. The increase in Emotet loader
    downloads correlates with Emotet's packer change, which causes the
    Emotet loader to be less detected by AV software. Our gathered data
    suggests that the increase in Emotet loader downloads stems from the
    loader being detected less and thus also the Emotet loader download
    URLs being blocked less by security mechanisms.

    Reply
  6. Tomi Engdahl says:

    Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome
    WebGL could lead to code execution
    https://blog.talosintelligence.com/2020/08/vuln-spotlight-chrome-use-free-aug-2020.html
    The Google Chrome web browser contains a use-after-free vulnerability
    in its WebGL component that could allow a user to execute arbitrary
    code in the context of the browser process. This vulnerability
    specifically exists in ANGLE, a compatibility layer between OpenGL and
    Direct3D that Chrome uses on Windows systems. An adversary could
    manipulate the memory layout of the browser in a way that they could
    gain control of the use-after-free exploit, which could ultimately
    lead to arbitrary code execution. Also:
    https://threatpost.com/google-fixes-high-severity-chrome-browser-code-execution-bug/158600/.
    https://www.bleepingcomputer.com/news/security/google-chrome-85-fixes-webgl-code-execution-vulnerability/

    Reply
  7. Tomi Engdahl says:

    Office 365 now opens attachments in a sandbox to prevent infections
    https://www.bleepingcomputer.com/news/security/office-365-now-opens-attachments-in-a-sandbox-to-prevent-infections/
    Microsoft today announced the launch of Application Guard for Office
    in public preview to protect enterprise users from threats using
    malicious attachments as an attack vector. Application Guard for
    Office (also known as Microsoft Defender Application Guard for Office)
    is designed to help prevent files downloaded from untrusted sources
    from gaining access to trusted resources by opening them within an
    isolated sandbox.

    Reply
  8. Tomi Engdahl says:

    Browser-based cryptojacking sees sudden spike in activity in Q2 2020
    https://www.zdnet.com/article/browser-based-cryptojacking-sees-sudden-spike-in-activity-in-q2-2020/
    Browser-based cryptocurrency mining, also known as cryptojacking, made
    a surprising comeback earlier this year, in the month of June. In its
    Threat Landscape Trends report for Q2 2020, US cyber-security vendor
    Symantec said cryptojacking saw a 163% increase in detections,
    compared to the previous quarters. The spike in activity is extremely
    uncharacteristic for this particular threat, considered by all
    security experts to be long dead.

    Reply
  9. Tomi Engdahl says:

    Large Ad Network Collects Private Activity Data, Reroutes Clicks
    https://www.darkreading.com/mobile/large-ad-network-collects-private-activity-data-reroutes-clicks/d/d-id/1338733
    A Chinese mobile advertising firm has modified code in the software
    development kit included in more than 1,200 apps, maliciously
    collecting user activity and performing ad fraud, says Snyk, a
    software security firm. More than 1,200 applications exceeding 300
    million collective monthly downloads have incorporated a software
    development kit (SDK) from Chinese advertising service Mintegral that
    has malicious code to spy on user activity and steal potential revenue
    from competitors, software security firm Snyk stated in an analysis
    published on Aug. 24.

    Reply
  10. Tomi Engdahl says:

    Hackers Target Defense Contractors’ Employees By Posing as Recruiters
    https://thehackernews.com/2020/08/job-offer-hackers.html
    The United States Cybersecurity and Infrastructure Security Agency
    (CISA) has published a new report warning companies about a new
    in-the-wild malware that North Korean hackers are reportedly using to
    spy on key employees at government contracting companies. Dubbed
    ‘BLINDINGCAN,’ the advanced remote access trojan acts as a backdoor
    when installed on compromised computers.

    Reply
  11. Tomi Engdahl says:

    https://www.zdnet.com/article/atm-makers-diebold-and-ncr-deploy-fixes-for-deposit-forgery-attacks/
    Two of today’s biggest ATM manufacturers, Diebold Nixdorf and NCR,
    have released software updates to address bugs that could have been
    exploited for “deposit forgery” attacks. Deposit forgery attacks
    happen when fraudsters can tamper with an ATM’s software to modify the
    amount and value of currency being deposited on a payment card.

    Reply
  12. Tomi Engdahl says:

    CREST exam cheat-sheet scandal: New temp chairman at UK infosec body
    as lawyers and ex-copper get involved
    https://www.theregister.com/2020/08/21/crest_ncc_group_scandal_lawyers_new_chairman/
    British infosec accreditation body CREST has appointed an ex-police
    officer to investigate the NCC Group exam cheat-sheet scandal as its
    chairman temporarily steps aside. The accreditation body has been
    rocked by revelations from The Register that major industry player NCC
    Group’s training material was leaked in a Github repo alongside cheat
    sheets to help candidates pass accreditation exams first time.

    Reply
  13. Tomi Engdahl says:

    Cryptominer Found Embedded in AWS Community AMI
    https://www.darkreading.com/cloud/cryptominer-found-embedded-in-aws-community-ami/d/d-id/1338713
    Researchers advise Amazon Web Services users running Community Amazon
    Machine Images to verify them for potentially malicious code. Security
    researchers urge AWS customers running Elastic Cloud Compute (EC2)
    instances based on community Amazon Machine Images (AMIs) to check for
    potentially malicious embedded code, following their discovery of a
    cryptominer lurking inside a Community AMI. An AMI is a template with
    a software configuration (an operating system, application server, and
    applications) needed to launch a virtual machine. Also:
    https://threatpost.com/malicious-aws-community-amis/158555/

    Reply
  14. Tomi Engdahl says:

    DarkSide: New targeted ransomware demands million dollar ransoms
    https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/
    A new ransomware operation named DarkSide began attacking
    organizations earlier this month with customized attacks that have
    already earned them million-dollar payouts. Starting around August
    10th, 2020, the new ransomware operation began performing targeted
    attacks against numerous companies.

    Reply
  15. Tomi Engdahl says:

    A Google Drive ‘Feature’ Could Let Attackers Trick You Into Installing
    Malware
    https://thehackernews.com/2020/08/google-drive-file-versions.html
    An unpatched security weakness in Google Drive could be exploited by
    malware attackers to distribute malicious files disguised as
    legitimate documents or images, enabling bad actors to perform
    spear-phishing attacks comparatively with a high success rate. The
    latest security issue, of which Google is aware but, unfortunately, left
    unpatched, resides in the “manage versions” functionality offered by
    Google Drive that allows users to upload and manage different versions
    of a file, as well as in the way its interface provides a new version
    of the files to the users.

    Reply
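The weakness above lets a harmless-looking document be replaced by a new "version" whose content is something else entirely. As an added example (not code from the article or from Google), here is the kind of content-sniffing check a defender can run on each new file version before trusting it: compare the declared extension against the file's magic bytes and flag any mismatch, especially when the bytes belong to an executable container. The sample version history is constructed; the signature table covers only a few common formats and is an assumption, not a complete list.

```python
"""Flag file versions whose declared extension disagrees with their bytes."""
import os

# Leading bytes that genuine files of these types start with.
# Office .docx/.xlsx are ZIP containers, so they share the PK signature.
SIGNATURES = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip": [b"PK\x03\x04"],
}

# Executable containers that should never show up behind a document name.
EXECUTABLE_SIGNATURES = {
    "Windows PE": b"MZ",
    "ELF": b"\x7fELF",
}


def sniff_executable(data: bytes):
    """Return the executable format name if the bytes look like one, else None."""
    for name, magic in EXECUTABLE_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def check_version(filename: str, data: bytes) -> dict:
    """Classify one uploaded version: ok, mismatch, or unknown-extension."""
    ext = os.path.splitext(filename)[1].lower()
    expected = SIGNATURES.get(ext)
    exe = sniff_executable(data)
    if expected is None:
        # No signature on file for this extension; still report executables.
        return {"file": filename, "verdict": "unknown-extension", "executable": exe}
    if any(data.startswith(magic) for magic in expected):
        return {"file": filename, "verdict": "ok", "executable": None}
    return {"file": filename, "verdict": "mismatch", "executable": exe}


def scan_versions(versions) -> list:
    """Run check_version over (filename, bytes) pairs and return the non-ok ones."""
    return [r for r in (check_version(n, d) for n, d in versions)
            if r["verdict"] != "ok"]


# Constructed version history: the first upload is a real-looking PDF, the
# second "version" keeps the .pdf name but carries a Windows PE header.
SAMPLE_VERSIONS = [
    ("quarterly-report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    ("quarterly-report.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"),
    ("invoice.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("photo.jpg", b"PK\x03\x04\x14\x00\x06\x00"),
]

if __name__ == "__main__":
    for finding in scan_versions(SAMPLE_VERSIONS):
        print(finding)
```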
  16. Tomi Engdahl says:

    Academics bypass PINs for Visa contactless payments
    Researchers: “In other words, the PIN is useless in Visa contactless transactions”
    https://www.zdnet.com/article/academics-bypass-pins-for-visa-contactless-payments/

    A team of academics from Switzerland has discovered a security bug that can be abused to bypass PIN codes for Visa contactless payments.

    This means that if criminals are ever in possession of a stolen Visa contactless card, they can use it to pay for expensive products, above the contactless transaction limit, and without needing to enter the card’s PIN code.

    The attack is extremely stealthy, academics said, and can be easily mistaken for a customer paying for products using a mobile/digital wallet installed on their smartphone.

    According to the research team, a successful attack requires four components: (1+2) two Android smartphones, (3) a special Android app developed by the research team, and (4) a Visa contactless card.

    The Android app is installed on the two smartphones, which will work as a card emulator and a POS (Point-Of-Sale) emulator.

    The phone that emulates a POS device is put close to the stolen card, while the smartphone working as the card emulator is used to pay for goods.

    The entire idea behind the attack is that the POS emulator asks the card to make a payment, modifies transaction details, and then sends the modified data via WiFi to the second smartphone that makes a large payment without needing to provide a PIN (as the attacker has modified the transaction data to say that the PIN is not needed).

    Reply
  17. Tomi Engdahl says:

    It’s demonstrated that it’s possible to bypass the PIN on an EMV Visa card

    The EMV Standard: Break, Fix, Verify
    https://emvrace.github.io/

    EMV, named after its founders Europay, Mastercard, and Visa, is the international protocol standard for smartcard payment. As of December 2019, EMV is used in over 9 billion debit and credit cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.

    We present a comprehensive model of EMV, specified in the Tamarin verification tool. Using our model, we automatically identified several authentication flaws. One of the encountered flaws, present in the Visa contactless protocol, leads to a PIN bypass attack for transactions that are presumably protected by cardholder verification, typically those whose amount is above a local PIN-less upper limit (e.g., currently 80 CHF in Switzerland).

    Reply
  18. Tomi Engdahl says:

    Tesla and FBI prevented $1 million ransomware hack at Gigafactory Nevada
    https://electrek.co/2020/08/27/tesla-fbi-prevent-ransomware-hack-gigafactory-nevada/

    Tesla and the FBI worked together to prevent a group of ransomware hackers from attacking Tesla’s Gigafactory Nevada, according to a complaint from the FBI.

    Reply
  19. Tomi Engdahl says:

    Russian tourist offered employee $1 million to cripple Tesla with malware
    “This was a serious attack,” Elon Musk says.
    https://arstechnica.com/information-technology/2020/08/russian-tourist-offered-employee-1-million-to-cripple-tesla-with-malware/

    Reply
  20. Tomi Engdahl says:

    A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts
    https://www.zdnet.com/article/a-quarter-of-the-alexa-top-10k-websites-are-using-browser-fingerprinting-scripts/

    Academics also discover many new previously unreported JavaScript APIs that are currently being used to fingerprint users

    Reply
  21. Tomi Engdahl says:

    Military’s top cyber official defends more aggressive stance
    https://www.militarytimes.com/news/your-military/2020/08/25/militarys-top-cyber-official-defends-more-aggressive-stance/

    Gen. Paul Nakasone, the commander of U.S. Cyber Command and the director of the National Security Agency, writes in a piece published Tuesday in the magazine Foreign Affairs that the military’s cyber fighters have moved away from a “reactive, defensive posture” and are increasingly engaging in combat with foreign adversaries online.

    “We learned that we cannot afford to wait for cyber attacks to affect our military networks. We learned that defending our military networks requires executing operations outside our military networks. The threat evolved, and we evolved to meet it,” wrote Nakasone in a piece co-authored with Michael Sulmeyer, his senior adviser.

    Reply
  22. Tomi Engdahl says:

    Example of Malicious DLL Injected in PowerShell
    https://isc.sans.edu/forums/diary/Example+of+Malicious+DLL+Injected+in+PowerShell/26512/
    For a while, PowerShell remains one of the favorite languages for
    attackers. Installed by default (and almost impossible to get rid of
    it), powerful, perfectly integrated with the core operating system.
    It’s very easy to develop specific PowerShell functions that will
    provide interesting features for an attacker but, if written in
    PowerShell, they could easily ring a bell for the defenders (example:
    by using many suspicious API calls). Another technique to expand the
    language with more functions is just to load a DLL! I found a sample
    that exfiltrates data from the victim’s computer.

    Reply
  23. Tomi Engdahl says:

    We hacked 28,000 unsecured printers to raise awareness of printer
    security issues
    https://cybernews.com/security/we-hacked-28000-unsecured-printers-to-raise-awareness-of-printer-security-issues/
    Cybersecurity experts at CyberNews hijacked close to 28,000 unsecured
    printers worldwide and forced them to print out a guide on printer
    security.

    Reply
  24. Tomi Engdahl says:

    Fake Android notifications first Google, then Microsoft affected
    https://nakedsecurity.sophos.com/2020/08/28/fake-android-notifications-first-google-then-microsoft-affected/
    If you’re a Google Android user, you may have been pestered over the
    past week by popup notifications that you didn’t expect and certainly
    didn’t want. The first mainstream victim seems to have been Google’s
    own Hangouts app.

    Reply
  25. Tomi Engdahl says:

    New Zealand bourse resumes trade after cyber attacks, government
    activates security systems
    https://www.reuters.com/article/uk-nzx-cyber/new-zealand-bourse-resumes-trade-after-cyber-attacks-government-activates-security-systems-idUSKBN25O03Q
    New Zealand’s stock exchange resumed trading on Friday, after facing
    disruptions for four consecutive days in the wake of cyber attacks
    this week, while the government said national security systems had
    been activated to support the bourse. Finance Minister Grant Robertson
    said the Government Communications Security Bureau and the national
    agency fighting cyber crime had been called in to help the bourse. “I
    can’t go into much more in terms of specific details other than to say
    that we as a government are treating this very seriously,” Robertson
    said in a media briefing in Wellington. There is no clarity on who was
    behind these two “offshore” attacks, but the failure to stop them has
    raised questions about New Zealand’s security systems, experts said.

    Reply
  26. Tomi Engdahl says:

    Major internet outage: Dozens of websites and apps are down
    https://edition.cnn.com/2020/08/30/tech/internet-outage-cloudflare/index.html
    Cloudflare, an internet service that is supposed to keep websites up
    and running, was down itself Sunday, taking dozens of websites and
    online services along with it. Hulu, the PlayStation Network, Xbox
    Live, Feedly, Discord, and dozens of other services reported
    connectivity problems Sunday morning. Cloudflare said the problem was
    with a third-party “transit provider,” and its service was becoming
    increasingly stable over the course of the day. CenturyLink, formerly
    known as Level 3, confirmed there was an IP outage impacting Content
    Delivery Networks (CDN), and that all services had been restored as of
    11:12 am ET. Also: https://isc.sans.edu/forums/diary/

    Reply
  27. Tomi Engdahl says:

    Ex-employee hacked Cisco’s AWS Infrastructure; erased virtual machines
    https://www.hackread.com/ex-employee-hacked-cisco-cloud-erased-virtual-machines/
    A former Cisco employee, Sudhish Kasaba Ramesh, has pleaded guilty to
    damaging and exploiting the company’s internal networks. His reckless
    action resulted in obliterating more than 16,000 Webex Teams
    applications. To carry out remedial measures, Cisco had to spend a
    whopping $1.4 million and refund $1 million to the affected customers.

    Reply
  28. Tomi Engdahl says:

    Elon Musk Says Failed Russian Ransomware Attack on Tesla Was ‘Serious’
    https://www.newsweek.com/elon-musk-russian-ransomware-attack-tesla-1528524

    Kriuchkov allegedly offered to pay the unnamed Russian-speaking employee—who worked at the Tesla “Gigafactory” in Reno, Nevada—$1 million to install the malware. The employee instead notified Tesla, which contacted the FBI. Agents then ran a sting operation using the employee to catch Kriuchkov, who was arrested Tuesday.

    Reply
  29. Tomi Engdahl says:

    Breaking: a new Firebase FCM exploit seems to have hit #MSTeams. The vulnerability was first reported on CyberNews via Abss, affecting possibly billions of users of popular apps like Hangouts, YouTube, and more.

    Exposed FCM keys leaves billions of users open to mass spam and phishing notifications
    https://cybernews.com/security/exposed-google-keys-leaves-billions-of-users-open-to-mass-spam-and-phishing-notifications/?utm_source=facebook&utm_medium=traffic_rm&utm_campaign=news&utm_content=exposed_google_keys

    New vulnerabilities involving Google’s Firebase Cloud Messaging (FCM) service could have allowed fraudsters to send mass spam and phishing push notifications to billions of Android users. The exploit involves Firebase, a Google platform that allows app developers to build their apps, and leverages its Firebase Cloud Messaging Service. This was discovered by Abhishek Dharani, a Bangalore-based security researcher better known as “Abss.”

    Reply
  30. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Researcher finds a macOS adware campaign using malware notarized by Apple; after being notified, Apple shut it down, but then another notarized variant emerged — The ubiquitous Shlayer adware has picked up a new trick, slipping past Cupertino’s “notarization” defenses for the first time.

    Apple Accidentally Approved Malware to Run on MacOS
    The ubiquitous Shlayer adware has picked up a new trick, slipping past Cupertino’s “notarization” defenses for the first time.

    Reply
  31. Tomi Engdahl says:

    Apple has some of the strictest rules to prevent malicious software from landing in its app store, even if on occasion a bad app slips through the net. https://tcrn.ch/2YSRHLQ

    Apple mistakenly approved a widely used malware to run on Macs
    https://techcrunch.com/2020/08/31/apple-notarized-mac-malware/?tpcc=ECFB2020

    Apple has some of the strictest rules to prevent malicious software from landing in its app store, even if on occasion a bad app slips through the net. But last year Apple took its toughest approach yet by requiring developers to submit their apps for security checks in order to run on millions of Macs unhindered.

    The process, which Apple calls “notarization,” scans an app for security issues and malicious content. If approved, the Mac’s in-built security screening software, Gatekeeper, allows the app to run.

    Reply
  32. Tomi Engdahl says:

    A hacking course on PornHub, strange!
    https://www.facebook.com/groups/2600net/permalink/2823820341174406/

    They started moving over there when YouTube incorrectly started banning videos

    Oh yeah that guy. https://www.reddit.com/r/IAmA/comments/azwb59/im_ryan_creamer_i_make_wholesome_sfw_videos_on/

    Reply
