This posting is here to collect cyber security news in August 2020.
I post links to security vulnerability news with short descriptions in the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links in the comments.
240 Comments
Tomi Engdahl says:
Yle's news broadcast was not shown because of an ICT problem
a routing protocol went haywire
https://www.tivi.fi/uutiset/tv/b43b9acb-fea5-48a5-95ef-47c3abb2fb3c
On Wednesday, Yle found itself in an unpleasant situation when, due to
a data communications problem that occurred in Pasila, Helsinki, the
17:00 news broadcast on TV 1 was not shown at all. After the incident,
news anchor Piia Pasanen said on Twitter that in her 20-year career at
Yle there had never been a technical problem that completely prevented
a news broadcast from airing.
Tomi Engdahl says:
Lemon_Duck cryptominer malware now targets Linux devices
https://www.bleepingcomputer.com/news/security/lemon-duck-cryptominer-malware-now-targets-linux-devices/
The Lemon_Duck cryptomining malware has been updated to compromise
Linux machines via SSH brute force attacks, to exploit
SMBGhost-vulnerable Windows systems, and to infect servers running
Redis and Hadoop instances. Lemon_Duck (spotted last year by Trend
Micro and further examined by SentinelOne) is known for targeting
enterprise networks, gaining access over the MS SQL service via
brute-forcing or the SMB protocol using EternalBlue according to
Guardicore’s Ophir Harpaz.
Tomi Engdahl says:
Four More Bugs Patched in Microsoft's Azure Sphere IoT Platform
https://threatpost.com/four-more-bugs-patched-in-microsofts-azure-sphere-iot-platform/158643/
Researchers have unearthed more vulnerabilities in Microsoft's IoT
security solution. Details tied to a pair of remote code execution
bugs in Microsoft's IoT security platform called Azure Sphere were
released Monday. Also made public were specifics associated with two
additional privilege escalation flaws impacting the same cloud
security platform. Public disclosure of all four of the bugs piggybacks
on six vulnerabilities found in July also impacting Microsoft's Azure
Sphere. Cybersecurity researchers at Cisco Talos found each of the
bugs and released the technical details of the vulnerabilities only
after Microsoft issued patches.
Tomi Engdahl says:
Cisco Patches High-Severity Bugs Impacting Switches, Fibre Storage
https://threatpost.com/cisco-high-severity-bugs-impact-switches-fibre-storage/158691/
Cisco Systems disclosed eight high-severity bugs impacting a range of
its networking gear, including its switches and fiber storage
solutions. Cisco's NX-OS was hardest hit, with six security alerts tied
to the network operating system that underpins the networking giant's
Nexus-series Ethernet switches and MDS-series Fibre Channel storage
area network switches. Patches are available for all vulnerabilities,
according to a Cisco Security Advisory posted on Wednesday. In
addition to the eight patched high-severity bugs, Cisco also fixed a
flaw (CVE-2020-3504) listed as medium severity that impacts the Cisco
Unified Computing System management software.
Tomi Engdahl says:
Emotet Update increases Downloads
https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/
The Hornetsecurity Security Lab observed a 1000% increase in
downloads of the Emotet loader. The increase in Emotet loader
downloads correlates with Emotet's packer change, which causes the
Emotet loader to be less detected by AV software. Our gathered data
suggests that the increase in Emotet loader downloads stems from the
loader being detected less and thus also the Emotet loader download
URLs being blocked less by security mechanisms.
Tomi Engdahl says:
Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome
WebGL could lead to code execution
https://blog.talosintelligence.com/2020/08/vuln-spotlight-chrome-use-free-aug-2020.html
The Google Chrome web browser contains a use-after-free vulnerability
in its WebGL component that could allow a user to execute arbitrary
code in the context of the browser process. This vulnerability
specifically exists in ANGLE, a compatibility layer between OpenGL and
Direct3D that Chrome uses on Windows systems. An adversary could
manipulate the memory layout of the browser in a way that they could
gain control of the use-after-free exploit, which could ultimately
lead to arbitrary code execution. Also:
https://threatpost.com/google-fixes-high-severity-chrome-browser-code-execution-bug/158600/.
https://www.bleepingcomputer.com/news/security/google-chrome-85-fixes-webgl-code-execution-vulnerability/
Tomi Engdahl says:
Office 365 now opens attachments in a sandbox to prevent infections
https://www.bleepingcomputer.com/news/security/office-365-now-opens-attachments-in-a-sandbox-to-prevent-infections/
Microsoft today announced the launch of Application Guard for Office
in public preview to protect enterprise users from threats using
malicious attachments as an attack vector. Application Guard for
Office (also known as Microsoft Defender Application Guard for Office)
is designed to help block files downloaded from untrusted sources
from gaining access to trusted resources by opening them within an
isolated sandbox.
Tomi Engdahl says:
Browser-based cryptojacking sees sudden spike in activity in Q2 2020
https://www.zdnet.com/article/browser-based-cryptojacking-sees-sudden-spike-in-activity-in-q2-2020/
Browser-based cryptocurrency mining, also known as cryptojacking, made
a surprising comeback earlier this year, in the month of June. In its
Threat Landscape Trends report for Q2 2020, US cyber-security vendor
Symantec said cryptojacking saw a 163% increase in detections,
compared to the previous quarters. The spike in activity is extremely
uncharacteristic for this particular threat, considered by all
security experts to be long dead.
Tomi Engdahl says:
Large Ad Network Collects Private Activity Data, Reroutes Clicks
https://www.darkreading.com/mobile/large-ad-network-collects-private-activity-data-reroutes-clicks/d/d-id/1338733
A Chinese mobile advertising firm has modified code in the software
development kit included in more than 1,200 apps, maliciously
collecting user activity and performing ad fraud, says Snyk, a
software security firm. More than 1,200 applications exceeding 300
million collective monthly downloads have incorporated a software
development kit (SDK) from Chinese advertising service Mintegral that
has malicious code to spy on user activity and steal potential revenue
from competitors, software security firm Snyk stated in an analysis
published on Aug. 24.
Tomi Engdahl says:
Hackers Target Defense Contractors’ Employees By Posing as Recruiters
https://thehackernews.com/2020/08/job-offer-hackers.html
The United States Cybersecurity and Infrastructure Security Agency
(CISA) has published a new report warning companies about a new
in-the-wild malware that North Korean hackers are reportedly using to
spy on key employees at government contracting companies. Dubbed
‘BLINDINGCAN,’ the advanced remote access trojan acts as a backdoor
when installed on compromised computers.
Tomi Engdahl says:
https://www.zdnet.com/article/atm-makers-diebold-and-ncr-deploy-fixes-for-deposit-forgery-attacks/
Two of today’s biggest ATM manufacturers, Diebold Nixdorf and NCR,
have released software updates to address bugs that could have been
exploited for “deposit forgery” attacks. Deposit forgery attacks
happen when fraudsters can tamper with an ATM’s software to modify the
amount and value of currency being deposited on a payment card.
Tomi Engdahl says:
CREST exam cheat-sheet scandal: New temp chairman at UK infosec body
as lawyers and ex-copper get involved
https://www.theregister.com/2020/08/21/crest_ncc_group_scandal_lawyers_new_chairman/
British infosec accreditation body CREST has appointed an ex-police
officer to investigate the NCC Group exam cheat-sheet scandal as its
chairman temporarily steps aside. The accreditation body has been
rocked by revelations from The Register that major industry player NCC
Group’s training material was leaked in a Github repo alongside cheat
sheets to help candidates pass accreditation exams first time.
Tomi Engdahl says:
Cryptominer Found Embedded in AWS Community AMI
https://www.darkreading.com/cloud/cryptominer-found-embedded-in-aws-community-ami/d/d-id/1338713
Researchers advise Amazon Web Services users running Community Amazon
Machine Images to verify them for potentially malicious code. Security
researchers urge AWS customers running Elastic Cloud Compute (EC2)
instances based on community Amazon Machine Images (AMIs) to check for
potentially malicious embedded code, following their discovery of a
cryptominer lurking inside a Community AMI. An AMI is a template with
a software configuration (an operating system, application server, and
applications) needed to launch a virtual machine. Also:
https://threatpost.com/malicious-aws-community-amis/158555/
Tomi Engdahl says:
DarkSide: New targeted ransomware demands million dollar ransoms
https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/
A new ransomware operation named DarkSide began attacking
organizations earlier this month with customized attacks that have
already earned them million-dollar payouts. Starting around August
10th, 2020, the new ransomware operation began performing targeted
attacks against numerous companies.
Tomi Engdahl says:
A Google Drive ‘Feature’ Could Let Attackers Trick You Into Installing
Malware
https://thehackernews.com/2020/08/google-drive-file-versions.html
An unpatched security weakness in Google Drive could be exploited by
malware attackers to distribute malicious files disguised as
legitimate documents or images, enabling bad actors to perform
spear-phishing attacks with a comparatively high success rate. The
latest security issue, of which Google is aware but, unfortunately, has
left unpatched, resides in the “manage versions” functionality offered
by Google Drive that allows users to upload and manage different
versions of a file, as well as in the way its interface provides a new
version of the files to the users.
Tomi Engdahl says:
From SSRF to Compromise: Case Study
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-ssrf-to-compromise-case-study/
Server-side request forgery (SSRF)
https://portswigger.net/web-security/ssrf
Tomi Engdahl says:
Security.txt – one small file for an admin, one giant help to a security researcher
https://isc.sans.edu/forums/diary/Securitytxt+one+small+file+for+an+admin+one+giant+help+to+a+security+researcher/26510/
Tomi Engdahl says:
Academics bypass PINs for Visa contactless payments
Researchers: “In other words, the PIN is useless in Visa contactless transactions”
https://www.zdnet.com/article/academics-bypass-pins-for-visa-contactless-payments/
A team of academics from Switzerland has discovered a security bug that can be abused to bypass PIN codes for Visa contactless payments.
This means that if criminals are ever in possession of a stolen Visa contactless card, they can use it to pay for expensive products, above the contactless transaction limit, and without needing to enter the card’s PIN code.
The attack is extremely stealthy, academics said, and can be easily mistaken for a customer paying for products using a mobile/digital wallet installed on their smartphone.
According to the research team, a successful attack requires four components: (1+2) two Android smartphones, (3) a special Android app developed by the research team, and (4) a Visa contactless card.
The Android app is installed on the two smartphones, which will work as a card emulator and a POS (Point-Of-Sale) emulator.
The phone that emulates a POS device is put close to the stolen card, while the smartphone working as the card emulator is used to pay for goods.
The entire idea behind the attack is that the POS emulator asks the card to make a payment, modifies transaction details, and then sends the modified data via WiFi to the second smartphone that makes a large payment without needing to provide a PIN (as the attacker has modified the transaction data to say that the PIN is not needed).
Tomi Engdahl says:
It’s demonstrated that it’s possible to bypass the PIN on an EMV Visa card
The EMV Standard: Break, Fix, Verify
https://emvrace.github.io/
EMV, named after its founders Europay, Mastercard, and Visa, is the international protocol standard for smartcard payment. As of December 2019, EMV is used in over 9 billion debit and credit cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.
We present a comprehensive model of EMV, specified in the Tamarin verification tool. Using our model, we automatically identified several authentication flaws. One of the encountered flaws, present in the Visa contactless protocol, leads to a PIN bypass attack for transactions that are presumably protected by cardholder verification, typically those whose amount is above a local PIN-less upper limit (e.g., currently 80 CHF in Switzerland).
Tomi Engdahl says:
Tesla and FBI prevented $1 million ransomware hack at Gigafactory Nevada
https://electrek.co/2020/08/27/tesla-fbi-prevent-ransomware-hack-gigafactory-nevada/
Tesla and the FBI worked together to prevent a group of ransomware hackers from attacking Tesla’s Gigafactory Nevada, according to a complaint from the FBI.
Tomi Engdahl says:
Russian tourist offered employee $1 million to cripple Tesla with malware
https://arstechnica.com/information-technology/2020/08/russian-tourist-offered-employee-1-million-to-cripple-tesla-with-malware/?amp=14
Tomi Engdahl says:
Russian tourist offered employee $1 million to cripple Tesla with malware
“This was a serious attack,” Elon Musk says.
https://arstechnica.com/information-technology/2020/08/russian-tourist-offered-employee-1-million-to-cripple-tesla-with-malware/
Tomi Engdahl says:
A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts
https://www.zdnet.com/article/a-quarter-of-the-alexa-top-10k-websites-are-using-browser-fingerprinting-scripts/
Academics also discover many new previously unreported JavaScript APIs that are currently being used to fingerprint users
Tomi Engdahl says:
https://cybernews.com/security/we-hacked-28000-unsecured-printers-to-raise-awareness-of-printer-security-issues/
Tomi Engdahl says:
Military’s top cyber official defends more aggressive stance
https://www.militarytimes.com/news/your-military/2020/08/25/militarys-top-cyber-official-defends-more-aggressive-stance/
Gen. Paul Nakasone, the commander of U.S. Cyber Command and the director of the National Security Agency, writes in a piece published Tuesday in the magazine Foreign Affairs that the military’s cyber fighters have moved away from a “reactive, defensive posture” and are increasingly engaging in combat with foreign adversaries online.
“We learned that we cannot afford to wait for cyber attacks to affect our military networks. We learned that defending our military networks requires executing operations outside our military networks. The threat evolved, and we evolved to meet it,” wrote Nakasone in a piece co-authored with Michael Sulmeyer, his senior adviser.
Tomi Engdahl says:
https://9to5mac.com/2020/08/30/centurylink-outage/
Tomi Engdahl says:
How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today
https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/
Tomi Engdahl says:
Example of Malicious DLL Injected in PowerShell
https://isc.sans.edu/forums/diary/Example+of+Malicious+DLL+Injected+in+PowerShell/26512/
For a while now, PowerShell has remained one of the favorite languages
for attackers. It is installed by default (and almost impossible to get
rid of), powerful, and perfectly integrated with the core operating system.
It’s very easy to develop specific PowerShell functions that will
provide interesting features for an attacker but, if written in
PowerShell, they could easily ring a bell for the defenders (example:
by using many suspicious API calls). Another technique to expand the
language with more functions is just to load a DLL! I found a sample
that exfiltrates data from the victim’s computer.
Tomi Engdahl says:
We hacked 28,000 unsecured printers to raise awareness of printer
security issues
https://cybernews.com/security/we-hacked-28000-unsecured-printers-to-raise-awareness-of-printer-security-issues/
Cybersecurity experts at CyberNews hijacked close to 28,000 unsecured
printers worldwide and forced them to print out a guide on printer
security.
Tomi Engdahl says:
Fake Android notifications first Google, then Microsoft affected
https://nakedsecurity.sophos.com/2020/08/28/fake-android-notifications-first-google-then-microsoft-affected/
If you’re a Google Android user, you may have been pestered over the
past week by popup notifications that you didn’t expect and certainly
didn’t want. The first mainstream victim seems to have been Google’s
own Hangouts app.
Tomi Engdahl says:
New Zealand bourse resumes trade after cyber attacks, government
activates security systems
https://www.reuters.com/article/uk-nzx-cyber/new-zealand-bourse-resumes-trade-after-cyber-attacks-government-activates-security-systems-idUSKBN25O03Q
New Zealand’s stock exchange resumed trading on Friday, after facing
disruptions for four consecutive days in the wake of cyber attacks
this week, while the government said national security systems had
been activated to support the bourse. Finance Minister Grant Robertson
said the Government Communications Security Bureau and the national
agency fighting cyber crime had been called in to help the bourse. “I
can’t go into much more in terms of specific details other than to say
that we as a government are treating this very seriously,” Robertson
said in a media briefing in Wellington. There is no clarity on who was
behind these two “offshore” attacks, but the failure to stop them has
raised questions about New Zealand’s security systems, experts said.
Tomi Engdahl says:
Major internet outage: Dozens of websites and apps are down
https://edition.cnn.com/2020/08/30/tech/internet-outage-cloudflare/index.html
Cloudflare, an internet service that is supposed to keep websites up
and running, was down itself Sunday, taking dozens of websites and
online services along with it. Hulu, the PlayStation Network, Xbox
Live, Feedly, Discord, and dozens of other services reported
connectivity problems Sunday morning. Cloudflare said the problem was
with a third-party “transit provider,” and its service was becoming
increasingly stable over the course of the day. CenturyLink, formerly
known as Level 3, confirmed there was an IP outage impacting Content
Delivery Networks (CDN), and that all services had been restored as of
11:12 am ET. Also: https://isc.sans.edu/forums/diary/
Tomi Engdahl says:
Ex-employee hacked Cisco’s AWS Infrastructure; erased virtual machines
https://www.hackread.com/ex-employee-hacked-cisco-cloud-erased-virtual-machines/
A former Cisco employee, Sudhish Kasaba Ramesh, has pleaded guilty to
damaging and exploiting the company’s internal networks. His reckless
action resulted in obliterating more than 16,000 Webex Teams
applications. In order to ensure remedial measures, Cisco had to spend a
whopping $1.4 million and refund $1 million to the affected customers.
Tomi Engdahl says:
https://www.securityweek.com/researchers-analyze-traffic-statistics-popular-cybercrime-forums
Tomi Engdahl says:
https://www.securityweek.com/new-attacks-allow-bypassing-emv-card-pin-verification
Tomi Engdahl says:
Elon Musk Says Failed Russian Ransomware Attack on Tesla Was ‘Serious’
https://www.newsweek.com/elon-musk-russian-ransomware-attack-tesla-1528524
Kriuchkov allegedly offered to pay the unnamed Russian-speaking employee—who worked at the Tesla “Gigafactory” in Reno, Nevada—$1 million to install the malware. The employee instead notified Tesla, which contacted the FBI. Agents then ran a sting operation using the employee to catch Kriuchkov, who was arrested Tuesday.
Tomi Engdahl says:
Breaking: a new Firebase FCM exploit seems to have hit #MSTeams. The vulnerability was first reported on CyberNews via Abss, affecting possibly billions of users of popular apps like Hangouts, YouTube, and more.
Exposed FCM keys leave billions of users open to mass spam and phishing notifications
https://cybernews.com/security/exposed-google-keys-leaves-billions-of-users-open-to-mass-spam-and-phishing-notifications/?utm_source=facebook&utm_medium=traffic_rm&utm_campaign=news&utm_content=exposed_google_keys
New vulnerabilities involving Google’s Firebase Cloud Messaging (FCM) service could have allowed fraudsters to send mass spam and phishing push notifications to billions of Android users. The exploit involves Firebase, a Google platform that allows app developers to build their apps, and leverages its Firebase Cloud Messaging Service. This was discovered by Abhishek Dharani, a Bangalore-based security researcher better known as “Abss.”
Tomi Engdahl says:
Lily Hay Newman / Wired:
Researcher finds a macOS adware campaign using malware notarized by Apple; after being notified, Apple shut it down, but then another notarized variant emerged — The ubiquitous Shlayer adware has picked up a new trick, slipping past Cupertino’s “notarization” defenses for the first time.
Apple Accidentally Approved Malware to Run on MacOS
The ubiquitous Shlayer adware has picked up a new trick, slipping past Cupertino’s “notarization” defenses for the first time.
Tomi Engdahl says:
Apple has some of the strictest rules to prevent malicious software from landing in its app store, even if on occasion a bad app slips through the net. https://tcrn.ch/2YSRHLQ
Apple mistakenly approved a widely used malware to run on Macs
https://techcrunch.com/2020/08/31/apple-notarized-mac-malware/?tpcc=ECFB2020
Apple has some of the strictest rules to prevent malicious software from landing in its app store, even if on occasion a bad app slips through the net. But last year Apple took its toughest approach yet by requiring developers to submit their apps for security checks in order to run on millions of Macs unhindered.
The process, which Apple calls “notarization,” scans an app for security issues and malicious content. If approved, the Mac’s in-built security screening software, Gatekeeper, allows the app to run.
Tomi Engdahl says:
A hacking course on PornHub, strange!
https://www.facebook.com/groups/2600net/permalink/2823820341174406/
They started moving over there when YouTube incorrectly started banning videos
Oh yeah that guy. https://www.reddit.com/r/IAmA/comments/azwb59/im_ryan_creamer_i_make_wholesome_sfw_videos_on/