This posting is here to collect cyber security news September 2020.
I post links to security vulnerability news with short descriptions to comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
251 Comments
Tomi Engdahl says:
Iranian hackers are selling access to compromised companies on an underground forum
https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum/#ftag=RSSbaffb68
The Iranian hacker group who’s been attacking corporate VPNs for months is now trying to monetize some of the hacked systems by selling access to some networks to other hackers.
Tomi Engdahl says:
FBI warned of how Ring doorbell surveillance can be used against police officers
https://www.zdnet.com/article/fbi-warned-of-how-ring-doorbell-surveillance-can-be-used-against-police-officers/
Smart doorbells can provide the police with valuable intelligence — but the network can also be turned against them.
Leaked documents have revealed the concerns of law enforcement in how Internet of Things (IoT) technology can pose a risk to the safety of police officers.
For homeowners, an IoT doorbell can provide an additional layer of security at points of entry. For law enforcement, their rapid adoption provides a new stream of intelligence for criminal investigations.
The Neighborhoods initiative brings Ring doorbells together as part of a wider network that displays installations on a map — highlighting where law enforcement could request footage from residents rather than obtain warrants.
However, nodes in this network may also be used to push back against the police, according to leaked documents.
As reported by The Intercept, a 2019 analysis bulletin highlights how IoT footage can be used to corroborate witness statements or alibis, but in turn, smart surveillance technology can also “pose security challenges” for law enforcement.
Namely, when police officers are considered unwanted visitors.
“Most IoT devices contain sensors and cameras, which generate an alert or can be remotely accessed by the owner to identify activity in and around an owner’s property,” the bulletin reads. “If used during the execution of a search, potential subjects could learn of LE’s [law enforcement] presence nearby, and LE personnel could have their images captured, thereby presenting risk to their present and future safety.”
Doorbell Cameras Like Ring Give Early Warning of Police Searches, FBI Warned
Two leaked documents show how a monitoring tool used by police has been turned against them.
https://theintercept.com/2020/08/31/blueleaks-amazon-ring-doorbell-cameras-police/
Tomi Engdahl says:
Credit card data smuggled via private Telegram channel
https://www.bleepingcomputer.com/news/security/credit-card-data-smuggled-via-private-telegram-channel/
Security researchers noticed that some cybercriminals attacking online stores are using private Telegram channels to steal credit card information from customers making a purchase on victim sites.
All the information is encrypted using a public key. A Telegram bot then posts the stolen data in a chat as a message.
Tomi Engdahl says:
Norwegian Parliament discloses cyber-attack on internal email system
https://www.zdnet.com/article/norwegian-parliament-discloses-cyber-attack-on-internal-email-system/
Norway’s Parliament, Stortinget, says hackers gained access and downloaded content for “a small number of parliamentary representatives and employees.”
The Norwegian Parliament (Stortinget) said on Tuesday that it fell victim to a cyber-attack that targeted its internal email system.
In a press release today, Stortinget director Marianne Andreassen said that hackers breached email accounts for elected representatives and employees alike, from where they stole various amounts of information.
Norway’s intelligence agency is currently investigating the incident
Local press, who first broke the story about the attacks, also reported that the parliament’s IT staff has shut down its email service to prevent the hackers from siphoning more data.
IT-angrep mot Stortinget
https://stortinget.no/no/Hva-skjer-pa-Stortinget/Nyhetsarkiv/Pressemeldingsarkiv/2019-2020/it-angrep-mot-stortinget/
Tomi Engdahl says:
Exposed Windows Domain Controllers Used in CLDAP DDoS Attacks
https://isc.sans.edu/forums/diary/Exposed+Windows+Domain+Controllers+Used+in+CLDAP+DDoS+Attacks/26526/
LDAP, like many UDP based protocols, has the ability to send responses
that are larger than the request. With UDP not requiring any handshake
before data is sent, these protocols make ideal amplifiers for
reflective distributed denial of service attacks. Most commonly, these
attacks abuse DNS and we have talked about this in the past. But LDAP
is another protocol that is often abused. Some of our honeypots have
been seeing a small number of the reflected packets from these
attacks. In investigating them, we noticed that many of them appear to
come from exposed windows domain controllers. Windows domain
controllers do use LDAP for active directory and support
connectionless LDAP (CLDAP) out of the box. CLDAP is part of the issue
here as it supports UDP. So what should you do? I do not know of a
good reason to allow clear text LDAP (Port 389, not LDAP over TLS)
across your perimeter. Close that port!
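The diary's point is that a domain controller answering CLDAP on UDP/389 from the internet becomes a reflector: small spoofed requests in, large answers out to a victim that never asked. The following is an added example (not code from the ISC diary) that flags that pattern in NetFlow-style records; the flow records, the internal prefix 10.0.0.0/8 and the amplification threshold are constructed assumptions for the demo.

```python
"""Spot CLDAP (UDP/389) reflection traffic in flow records.

Added example, not code from the ISC diary. Input is a constructed list
of NetFlow-style records; INTERNAL_NETS and min_ratio are assumptions
chosen for the demo, not values from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLDAP_PORT = 389
# Assumption: the organisation's own address space (constructed for the demo).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    nbytes: int


# Constructed sample flows. A legitimate client query and its reply are both
# small and stay inside the network. In a reflection attack the requests
# arrive with a spoofed external source, and the much larger replies leave
# the domain controller toward a host that never asked for them.
SAMPLE_FLOWS = [
    Flow("10.0.0.25", 51234, "10.0.0.5", CLDAP_PORT, "udp", 1, 90),
    Flow("10.0.0.5", CLDAP_PORT, "10.0.0.25", 51234, "udp", 1, 400),
    Flow("203.0.113.7", 40000, "10.0.0.5", CLDAP_PORT, "udp", 500, 30000),
    Flow("10.0.0.5", CLDAP_PORT, "203.0.113.7", 40000, "udp", 500, 1500000),
]


def is_internal(addr: str, nets=INTERNAL_NETS) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def find_cldap_amplification(flows, nets=INTERNAL_NETS, min_ratio=10.0):
    """Pair each UDP/389 response flow with the request flow it answers and
    report pairs where an internal host sends an amplified reply to an
    external one. Returns a list of finding dicts."""
    # Index requests by (client ip, client port, server ip).
    requests = {}
    for f in flows:
        if f.proto == "udp" and f.dport == CLDAP_PORT:
            requests[(f.src, f.sport, f.dst)] = f

    findings = []
    for f in flows:
        if f.proto != "udp" or f.sport != CLDAP_PORT:
            continue
        req = requests.get((f.dst, f.dport, f.src))
        if req is None or req.nbytes == 0:
            continue
        ratio = f.nbytes / req.nbytes
        # Only the reflector (internal DC) -> external victim direction matters
        # here; internal-to-internal CLDAP traffic is normal AD operation.
        if ratio >= min_ratio and is_internal(f.src, nets) and not is_internal(f.dst, nets):
            findings.append({
                "reflector": f.src,
                "victim": f.dst,
                "amplification": round(ratio, 1),
                "bytes_out": f.nbytes,
                "pkts_out": f.pkts,
            })
    return findings


if __name__ == "__main__":
    for hit in find_cldap_amplification(SAMPLE_FLOWS):
        print(hit)
```

Any finding here is a host whose UDP/389 should not be reachable from outside in the first place, which is the diary's remedy.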
Tomi Engdahl says:
DLL Fixer leads to Cyrat Ransomware
https://www.gdatasoftware.com/blog/cyrat-ransomware
A new ransomware uses an unusual symmetric encryption method named “Fernet”. It is Python based and appends .CYRAT to encrypted files. As it is often the case with brand new malware discoveries, this sample is buggy and not yet ready to infect any system because it crashes in its current state. However, the threat actor’s reply shows they are active and might have already published versions that work.
Tomi Engdahl says:
Facebook and Google drop plans for underwater cable to Hong Kong after security warnings
https://www.zdnet.com/article/facebook-and-google-drop-plans-for-underwater-cable-to-hong-kong-after-security-warnings/
The Pacific Light Cable Network (PLCN), an ambitious underwater data cable project partly owned by Facebook and Google, won’t be connecting Los Angeles to Hong Kong after all. The FCC warned that linking Los Angeles to Hong Kong could harm national security.
Tomi Engdahl says:
Facebook Nabs Russia-Linked Campaign to Fuel US Chaos
https://www.securityweek.com/facebook-nabs-russia-linked-campaign-fuel-us-chaos
Facebook on Tuesday said that it caught a budding Russia-linked campaign to fuel political chaos in the US, working off a tip from the FBI in its latest take-down of coordinated inauthentic behavior at the leading social network.
The network of 13 Facebook accounts and two pages posing as journalists and targeting left-wing progressives was removed for violating a policy against “foreign interference” at the platform.
The investigation that uncovered the covert operation, which was linked to the Internet Research Agency in Russia (IRA), started with a tip from the Federal Bureau of Investigation, according to Facebook head of security policy Nathaniel Gleicher.
The network was in the early stages of building an audience, with little engagement from users, Facebook said.
“They put substantial effort into creating elaborate fictitious personas, trying to make fake accounts look as real as possible,” Gleicher said while briefing reporters.
Tomi Engdahl says:
Cisco Says Hackers Targeting Zero-Days in Carrier-Grade Routers
https://www.securityweek.com/cisco-says-hackers-targeting-zero-days-carrier-grade-routers
Cisco has warned that hackers are targeting not one, but two unpatched vulnerabilities in the DVMRP feature of IOS XR software that runs on many carrier-grade routers.
Over the weekend, the company published an advisory to warn of active attacks targeting a security flaw (CVE-2020-3566) in the Distance Vector Multicast Routing Protocol (DVMRP) feature of IOS XR to cause memory exhaustion denial of service (DoS).
On Monday, the tech giant updated the advisory to add another CVE to it, namely CVE-2020-3569, which impacts the very same feature and has similar consequences.
Tomi Engdahl says:
American Payroll Association User Data Stolen in Skimmer Attack
https://www.securityweek.com/american-payroll-association-user-data-stolen-skimmer-attack
The American Payroll Association (APA) says user information was stolen after attackers managed to inject a skimmer on its website.
A payroll education, publications, and training provider, APA helps professionals increase their skill, offering payroll conferences and seminars, resources, and certification. APA has over 20,000 members.
Tomi Engdahl says:
Aamir Siddiqui / XDA Developers:
ZTE announces 6.92″ Axon 20 5G, with a camera under the display and Snapdragon 765G and 4,220 mAh battery, starting at ~$322 only in China
ZTE announces the first smartphone with a camera under the display: the Axon 20 5G
https://www.xda-developers.com/zte-axon-20-5g-china-launch-first-smartphone-under-display-camera/
Tomi Engdahl says:
Donie O’Sullivan / CNN:
Facebook says, after an FBI tip, it took down several Pages and accounts pushing a fake left-wing news outlet made by people linked to Russian troll group IRA — New York (CNN Business) People associated with the infamous St. Petersburg troll group that was part of Russia’s attempt to interfere
After FBI tip, Facebook says it uncovered Russian meddling
https://edition.cnn.com/2020/09/01/tech/russian-troll-group-facebook-campaign/
Tomi Engdahl says:
https://etn.fi/index.php/13-news/11095-lentoyhtiot-eivat-suojaudu-huijaussahkoposteja-vastaan
Tomi Engdahl says:
Microsoft Releases Deepfake Detection Tool Ahead of Election
https://politics.slashdot.org/story/20/09/01/2218212/microsoft-releases-deepfake-detection-tool-ahead-of-election?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
https://www.bloomberg.com/news/articles/2020-09-01/microsoft-releases-deepfake-detection-tool-ahead-of-election?srnd=politics-vp
Tomi Engdahl says:
Virtual Black Hat 2020 – The Latest in Security, From the Comfort of Your Armchair
https://www.securityweek.com/virtual-black-hat-2020-latest-security-comfort-your-armchair
Tomi Engdahl says:
Russia Interferes With U.S. Election Again—Targeting Biden Voters This Time—Facebook Data Shows
https://www.forbes.com/sites/jemimamcevoy/2020/09/01/russia-interferes-with-us-election-again-targeting-biden-voters-this-time-facebook-data-shows/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Gordie/#676f7264696
Varun Sharma says:
The article is very nice. Keep going.
Tomi Engdahl says:
Hackers are exploiting a critical flaw affecting >350,000 WordPress sites
Flaw is in File Manager, a plugin with more than 700,000 users; 52% are affected.
https://arstechnica.com/information-technology/2020/09/hackers-are-exploiting-a-critical-flaw-affecting-350000-wordpress-sites/
Hackers are actively exploiting a vulnerability that allows them to execute commands and malicious scripts on Websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the security flaw was patched.
Attackers are using the exploit to upload files that contain webshells that are hidden in an image. From there, they have a convenient interface that allows them to run commands in plugins/wp-file-manager/lib/files/, the directory where the File Manager plugin resides. While that restriction prevents hackers from executing commands on files outside of the directory, hackers may be able to exact more damage by uploading scripts that can carry out actions on other parts of a vulnerable site.
Tomi Engdahl says:
Companies continue to expose unsafe network services to the internet
https://www.helpnetsecurity.com/2020/09/02/companies-continue-to-expose-unsafe-network-services-to-the-internet/
33% of companies within the digital supply chain expose common network services such as data storage, remote access and network administration to the internet, according to RiskRecon. In addition, organizations that expose unsafe services to the internet also exhibit more critical security findings. The research is based on an assessment of millions of internet-facing systems across approximately 40,000 commercial and public institutions. The data was analyzed in two strategic ways: the direct proportion of internet-facing hosts running unsafe services, as well as the percentage of companies that expose unsafe services somewhere across their infrastructure.
Tomi Engdahl says:
Operation PowerFall: CVE-2020-0986 and variants
https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/
In August 2020, we published a blog post about Operation PowerFall.
This targeted attack consisted of two zero-day exploits: a remote code
execution exploit for Internet Explorer 11 and an elevation of
privilege exploit targeting the latest builds of Windows 10. While we
already described the exploit for Internet Explorer in the original
blog post, we also promised to share more details about the elevation
of privilege exploit in a follow-up post. Let’s take a look at
vulnerability CVE-2020-0986, how it was exploited by attackers, how it
was fixed and what additional mitigations were implemented to
complicate exploitation of many other similar vulnerabilities.
Tomi Engdahl says:
KryptoCibule: The multitasking multicurrency cryptostealer
https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/
ESET researchers have uncovered a hitherto undocumented malware family
that we named KryptoCibule. This malware is a triple threat in regard
to cryptocurrencies. It uses the victim’s resources to mine coins,
tries to hijack transactions by replacing wallet addresses in the
clipboard, and exfiltrates cryptocurrency-related files, all while
deploying multiple techniques to avoid detection. KryptoCibule makes
extensive use of the Tor network and the BitTorrent protocol in its
communication infrastructure.
Tomi Engdahl says:
Cloud firewall management API SNAFU put 500k SonicWall customers at risk
https://www.pentestpartners.com/security-blog/cloud-firewall-management-api-snafu-put-500k-sonicwall-customers-at-risk/
I found a security issue so serious that we then spent £££ on our own SonicWall products in order to independently validate the issue, to be certain it wasn’t just our client that was affected. What I discovered was a trivial method to compromise every single cloud managed device attached to mysonicwall.com, affecting around 1.9 million user groups across hundreds of thousands of organisations. At least 10 million individual devices were affected. Disclosure was initially very positive, then went rapidly downhill as SonicWall procrastinated with a fix and refused to take down the vulnerable functionality in the meantime, knowingly leaving their customers exposed for a full 17 days.
Tomi Engdahl says:
AlphaBay Market: Dark Web Moderator Receives 11 Years Imprisonment
https://darkweblink.com/alphabay-moderator-sentenced/
An Alphabay moderator who was held responsible for moderating the
content on the now-defunct darknet market, AlphaBay has been sentenced
imprisonment until 2031.
Tomi Engdahl says:
Inter: The Magecart Skimming Tool Now on More than 1,500 Sites
https://www.riskiq.com/blog/external-threat-management/inter-skimmer/
Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes. However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today’s most common and widely used digital skimming solutions globally. It has been involved in some of the most high-profile Magecart attacks to date, most notably Group 7’s breach of the Nutribullet website. RiskIQ has identified more than 1,500 sites compromised by the Inter skimmer, but the data theft tool is still misunderstood by those tasked with defending their organization against it. To demystify Inter, RiskIQ tapped our unmatched body of research into Magecart and its dozens of groups, open-source intelligence (OSINT), and our global internet telemetry.
Tomi Engdahl says:
Using assert() to Execute Malware in PHP 7 Environments
https://blog.sucuri.net/2020/09/using-assert-to-execute-malware-php-7.html
During a recent investigation, our team stumbled across some malicious code which is used to inject a .user.ini file into a PHP 7 environment and add zend.assertions = 1. Once this injection is accomplished, bad actors can leverage PHP’s assert() function to execute any malicious code they like.
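The technique above leaves a concrete artefact on disk: a per-directory .user.ini that turns zend.assertions on where the server's own php.ini has it off. Below is an added example (not Sucuri's code) of a scan for that artefact; the web root layout and the three .user.ini bodies are constructed in build_demo_tree() for the demo.

```python
"""Find .user.ini files that switch PHP assertions on.

Added example prompted by the Sucuri post above; it is not Sucuri's
code. The directory layout and file contents are constructed in
build_demo_tree() for the demo.
"""
import re
import tempfile
from pathlib import Path

# zend.assertions controls whether assert() code is generated and executed;
# a value > 0 enables it. Whole-line ';' comments and trailing comments are
# handled in parse_zend_assertions().
ASSERTION_RE = re.compile(r"^\s*zend\.assertions\s*=\s*(-?\d+)\s*(?:;.*)?$")


def parse_zend_assertions(text: str):
    """Return the effective zend.assertions value in an ini text, or None.

    Lines starting with ';' are comments; a trailing ';' comment is
    ignored. If the directive appears more than once the last one wins,
    as in PHP's own ini handling."""
    value = None
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = ASSERTION_RE.match(line)
        if m:
            value = int(m.group(1))
    return value


def find_assertion_enabling_ini(root) -> list:
    """Walk a web root and list every .user.ini (relative POSIX path) that
    sets zend.assertions to a positive value."""
    hits = []
    for path in Path(root).rglob(".user.ini"):
        try:
            value = parse_zend_assertions(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if value is not None and value > 0:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_demo_tree(root) -> None:
    """Constructed sample web root: one harmless .user.ini, one where the
    directive is only present in a comment, and one in an uploads directory
    that enables assertions."""
    root = Path(root)
    cases = {
        "wp-content/.user.ini": "upload_max_filesize = 64M\n",
        "themes/.user.ini": "; zend.assertions = 1\nmemory_limit = 256M\n",
        "uploads/.user.ini": "zend.assertions = 1 ; enable\nassert.active = 1\n",
    }
    for rel, body in cases.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo() -> list:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return find_assertion_enabling_ini(tmp)


if __name__ == "__main__":
    print(demo())
```

A .user.ini appearing under a directory that should only hold uploaded media is itself suspicious, whatever the directive inside it.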
Tomi Engdahl says:
Android security: Six more apps containing Joker malware removed from the Google Play Store
https://www.zdnet.com/article/android-security-six-more-apps-containing-joker-malware-removed-from-the-google-play-store/
Cybersecurity researchers have unmasked six applications on the Google Play store with a combined total of over 200,000 downloads in yet another example of the highly persistent malware that has been plaguing Android users for the past three years.
Tomi Engdahl says:
Homeland Security demands a 911 for reporting security holes in federal networks: ‘Vulns in internet systems cause real-world impacts’
Great – and who will be the first responders?
https://www.theregister.com/2020/09/03/us_bug_bounty/
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday ordered US federal agencies outside the defense and intelligence communities to develop a working vulnerability disclosure policy.
In an online memo, Bryan Ware, Assistant Director for Cybersecurity at CISA, described a scenario of walking in one’s neighborhood and calling emergency services upon seeing a house engulfed in flames.
The government, he suggested, would benefit if people could take similar action upon finding a security flaw in a federal website. But many government websites don’t advertise how to raise the alarm or offer any assurance that vulnerability reports are welcome.
“An open redirect – which can be used to give off-site malicious content the appearance of legitimacy – may not be on par with a fire, yet serious vulnerabilities in internet systems cause real-world, negative impacts every day,” he said.
Tomi Engdahl says:
Sean Lyngaas / CyberScoop:
DHS mandates US agencies have vulnerability disclosure programs within six months that will expand to cover all internet-accessible systems within two years — Out of scores of federal civilian agencies, only a handful of them have official programs to work with outside security researchers …
CISA orders agencies to set up vulnerability disclosure programs
https://www.cyberscoop.com/cisa-vulnerability-disclosure-directive-omb/
Out of scores of federal civilian agencies, only a handful of them have official programs to work with outside security researchers to find and fix software bugs — a process that is commonplace in the private sector.
Now, to put an end to the feet-dragging, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is giving agencies six months to set up the programs, known as vulnerability disclosure policies (VDPs).
CISA on Wednesday issued a directive requiring agencies to establish VDPs that foreswear legal action against researchers who act in good faith, allow participants to submit vulnerability reports anonymously and cover at least one internet-accessible system or service. It’s the latest sign that federal officials are warming to white-hat hackers from various walks of life.
“We believe that better security of government computer systems can only be realized when the people are given the opportunity to help,” CISA Assistant Director Bryan S. Ware said in announcing the directive.
Binding Operational Directive 20-01
September 2, 2020
Develop and Publish a Vulnerability Disclosure Policy
https://cyber.dhs.gov/bod/20-01/
Tomi Engdahl says:
COVID-tracing Framework Privacy Busted By Bluetooth
https://hackaday.com/2020/09/03/covid-tracing-framework-privacy-busted-by-bluetooth/
[Serge Vaudenay] and [Martin Vuagnoux] released a video yesterday documenting a privacy-breaking flaw in the Apple/Google COVID-tracing framework, and they’re calling the attack “Little Thumb” after a French children’s story in which a child drops pebbles to be able to retrace his steps. But unlike Hänsel and Gretl with the breadcrumbs, the goal of a privacy preserving framework is to prevent periodic waypoints from allowing you to follow anyone’s phone around. (Video embedded below.)
The Apple/Google framework is, in theory, quite sound. For instance, the system broadcasts hashed, rolling IDs that prevent tracing an individual phone for more than fifteen minutes. And since Bluetooth LE has a unique numeric address for each phone, like a MAC address in other networks, they even thought of changing the Bluetooth address in lock-step to foil would-be trackers. And there’s no difference between theory and practice, in theory.
In practice, [Serge] and [Martin] found that a slight difference in timing between changing the Bluetooth BD_ADDR and changing the COVID-tracing framework’s rolling proximity IDs can create what they are calling “pebbles”: an overlap where the rolling ID has updated but the Bluetooth ID hasn’t yet.
https://vimeo.com/453948863
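The "pebble" above is a pure scheduling problem: if the rolling proximity ID and the Bluetooth address rotate on separate timers, the beacon sent in the gap carries a new RPI under the old address, and a passive listener can chain identifiers that were meant to be unlinkable. The simulation below is an added example (not the researchers' or the framework's code) that shows the effect and why synchronized rotation removes it; the rotation periods, the 60 s beacon interval and the offset are assumed values, not measurements of any real implementation.

```python
"""Why the BD_ADDR and rolling proximity ID must rotate together.

Added example illustrating the 'pebble' effect described in the post;
it is not code from the researchers or from the Apple/Google framework.
Rotation periods, beacon interval and the offset are assumed values
chosen for the simulation, not measurements.
"""
import secrets


def simulate_beacons(duration_s, rpi_period_s, addr_period_s, addr_offset_s,
                     beacon_interval_s=60):
    """Return (t, bd_addr, rpi) tuples for one phone.

    The RPI changes every rpi_period_s; the Bluetooth address changes every
    addr_period_s but addr_offset_s later, so a positive offset opens a
    window in which a fresh RPI is still sent under the old address."""
    rpis, addrs, beacons = {}, {}, []
    for t in range(0, duration_s, beacon_interval_s):
        rpi_epoch = t // rpi_period_s
        addr_epoch = (t - addr_offset_s) // addr_period_s
        rpi = rpis.setdefault(rpi_epoch, secrets.token_hex(16))   # 16-byte RPI
        addr = addrs.setdefault(addr_epoch, secrets.token_hex(6))  # 48-bit address
        beacons.append((t, addr, rpi))
    return beacons


def count_pebbles(beacons):
    """A pebble is a beacon whose RPI differs from the previous one while the
    address is unchanged: the rotation boundary leaks across."""
    pebbles = 0
    for (_, a0, r0), (_, a1, r1) in zip(beacons, beacons[1:]):
        if a0 == a1 and r0 != r1:
            pebbles += 1
    return pebbles


def largest_linked_set(beacons):
    """Passive-listener view: two RPIs seen under the same address belong to
    the same phone. Union them and return the size of the biggest linked
    set; 1 means no RPI could be tied to any other."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_rpi_for_addr = {}
    for _, addr, rpi in beacons:
        parent.setdefault(rpi, rpi)
        other = first_rpi_for_addr.setdefault(addr, rpi)
        parent[find(other)] = find(rpi)

    sizes = {}
    for rpi in parent:
        root = find(rpi)
        sizes[root] = sizes.get(root, 0) + 1
    return max(sizes.values())


if __name__ == "__main__":
    # Same 10-minute period for both identifiers; only the offset differs.
    skewed = simulate_beacons(3600, 600, 600, addr_offset_s=60)
    aligned = simulate_beacons(3600, 600, 600, addr_offset_s=0)
    print("skewed : pebbles", count_pebbles(skewed),
          "largest linked set", largest_linked_set(skewed))
    print("aligned: pebbles", count_pebbles(aligned),
          "largest linked set", largest_linked_set(aligned))
```

With a 60 s skew every one of the six RPIs broadcast in the hour ends up in one linked set; with the two timers aligned each RPI stands alone.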
Tomi Engdahl says:
European ISPs report mysterious wave of DDoS attacks
https://www.zdnet.com/article/european-isps-report-mysterious-wave-of-ddos-attacks/
Over the past week, multiple ISPs in Belgium, France, and the Netherlands reported DDoS attacks that targeted their DNS infrastructure. The list of ISPs that suffered attacks over the past week includes Belgium’s EDP, France’s Bouygues Télécom, FDN, K-net, SFR, and the Netherlands’ Caiway, Delta, FreedomNet, Online.nl, Signet, and Tweak.nl. “Multiple attacks were aimed towards routers and DNS infrastructure of Benelux based ISPs,” a spokesperson said. “Most of [the attacks] were DNS amplification and LDAP-type of attacks.” “Some of the attacks took longer than 4 hours and hit close to 300Gbit/s in volume,” NBIB said.
Tomi Engdahl says:
NO REST FOR THE WICKED: EVILNUM UNLEASHES PYVIL RAT
https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat
The group’s operations appear to be highly targeted, as opposed to a widespread phishing operation, with a focus on the FinTech market by way of abusing the Know Your Customer regulations (KYC), documents with information provided by clients when business is undertaken. Since its first discovery, the group has mainly targeted different companies across the UK and EU.
Tomi Engdahl says:
Authorities have arrested a 16-year-old they say launched a rudimentary distributed denial-of-service attack against Miami-Dade County schools. Despite using Low Orbit Ion Cannon, a dated DDoS tool that most systems should have little trouble handling, the Florida teen was able to disrupt remote learning in the district for several days.
Security News This Week: A Florida Teen Allegedly Shut Down Remote School With a DDoS Attack
https://www.wired.com/story/florida-teen-ddos-school-amazon-labor-surveillance-security-news/
Plus: Predictive policing taken even farther, Amazon surveillance of private Facebook groups, and more of the week’s top security news.
Tomi Engdahl says:
‘Hacker’ is used by mainstream media, September 5, 1983
https://www.edn.com/hacker-is-used-by-mainstream-media-september-5-1983/
Tomi Engdahl says:
Researchers find a way to spot security fixes from Linux kernel with data mining
https://www.theregister.com/2020/09/04/linux_kernel_flaws/
Researchers affiliated with BMW, Siemens, and two German universities have found that they can detect Linux kernel security fixes before they get released, insight that could allow miscreants to develop and deploy exploit code for which there’s no defense. In an ArXiv-distributed paper titled, “The Sound of Silence: Mining Security Vulnerabilities from Secret Integration Channels in Open-Source Projects,” researchers outline a data mining scheme that amounts to a side channel attack on the open source vulnerability disclosure process. PDF: https://arxiv.org/pdf/2009.01694.pdf
Tomi Engdahl says:
Cybersecurity – the new dimension of automotive quality
https://www.kaspersky.com/blog/cybersecurity-automotive/36924/
Modern computerized cars require a secure-by-design platform. And that’s just what we’ve come up with. A car today is basically a specialized computer – a ‘cyber-brain’, controlling the mechanics-and-electrics we traditionally associate with the word ‘car’ – the engine, the brakes, the turn indicators, the windscreen wipers, the air conditioner, and in fact everything else.
Tomi Engdahl says:
Ransomware attack halts Argentinian border crossing for four hours
https://www.bleepingcomputer.com/news/security/ransomware-attack-halts-argentinian-border-crossing-for-four-hours/
Argentina’s official immigration agency, Dirección Nacional de
Migraciones, suffered a Netwalker ransomware attack that temporarily
halted border crossing into and out of the country. The ransomware
demanded $4 million and leaked data from the breach online.
Tomi Engdahl says:
Visa warns of new Baka credit card JavaScript skimmer
https://www.bleepingcomputer.com/news/security/visa-warns-of-new-baka-credit-card-javascript-skimmer/
Visa issued a warning regarding a new JavaScript e-commerce skimmer
known as Baka that will remove itself from memory after exfiltrating
stolen data. The credit card stealing script was discovered by
researchers with Visa’s Payment Fraud Disruption (PFD) initiative in
February 2020 while examining a command and control (C2) server that
previously hosted an ImageID web skimming kit.
Tomi Engdahl says:
Threema E2EE chat app to go ‘fully open source’ within months
https://www.zdnet.com/article/threema-e2ee-chat-app-to-go-fully-open-source-within-months/
Threema, which is one of a handful of instant messaging services that
support end-to-end encryption (E2EE) between users, is the third
service to go open source, after Signal and Wickr.
Tomi Engdahl says:
An easy-to-exploit vulnerability in a popular WordPress plugin has triggered an internet-wide hacking spree.
Millions of WordPress sites are being probed & attacked with recent plugin bug
https://www.zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
Tomi Engdahl says:
Windows 10 low-effort zero-day in Hyper-V / Windows Sandbox enabled computers
https://www.bleepingcomputer.com/news/security/windows-10-sandbox-activation-enables-zero-day-vulnerability/
A reverse engineer discovered a new zero-day vulnerability in most Windows 10 editions, which allows creating files in restricted areas of the operating system – e.g. under system32. The researcher told BleepingComputer that the vulnerable component is ‘storvsp.sys’ (Storage VSP – Virtualization Service Provider), a server-side Hyper-V component.
Tomi Engdahl says:
Chilean bank shuts down all branches following ransomware attack
https://www.zdnet.com/article/chilean-bank-shuts-down-all-branches-following-ransomware-attack/
All BancoEstado branches will remain closed on Monday, September 7,
and possibly more days. Details about the attack have not been made
public, but a source close to the investigation told ZDNet that the
bank’s internal network was infected with the REvil (Sodinokibi)
ransomware.
Tomi Engdahl says:
Money from bank hacks rarely gets laundered through cryptocurrencies
https://www.zdnet.com/article/money-from-bank-hacks-rarely-gets-laundered-through-cryptocurrencies/
Despite being considered a cybercrime haven, cryptocurrencies play a very small role in laundering funds obtained from bank hacks, the SWIFT financial organization said in a report last week. These funds are usually laundered using an assortment of techniques, such as money mules, front companies, cash businesses, cryptocurrencies, and investments back into other forms of crime. Some groups might rely on one technique, while others may combine multiple.
Tomi Engdahl says:
New PIN Verification Bypass Flaw Affects Visa Contactless Payments
https://thehackernews.com/2020/09/emv-payment-card-pin-hacking.html
The research, published by a group of academics from the ETH Zurich,
is a PIN bypass attack that allows the adversaries to leverage a
victim’s stolen or lost credit card for making high-value purchases
without knowledge of the card’s PIN, and even trick a point of sale
(PoS) terminal into accepting an unauthentic offline card transaction.
This, however, doesn’t impact Mastercard, American Express, and JCB.
Research: https://emvrace.github.io/
Tomi Engdahl says:
FCC estimates it’ll cost $1.8B to remove Huawei, ZTE equipment from US networks
https://www.cnet.com/news/fcc-estimates-itll-cost-1-8b-to-remove-huawei-zte-equipment-from-us-networks/
The two Chinese tech giants have been designated national security threats.
Tomi Engdahl says:
China proposes ‘Global Initiative on Data Security’ forbidding stuff it and Huawei are accused of doing already
State-sponsored infrastructure hacking, backdoors-by-fiat and even lock-in all out of bounds in draft code
https://www.theregister.com/2020/09/08/china_global_initiative_on_data_security/
Tomi Engdahl says:
Chun Han Wong / Wall Street Journal:
China launches global data security initiative to counter US’ “Clean Network” program, urges countries to oppose “mass surveillance against other states”
China Launches Initiative to Set Global Data-Security Rules
Move, unveiled Tuesday is meant to counter U.S. Clean Network effort
https://www.wsj.com/articles/china-to-launch-initiative-to-set-global-data-security-rules-11599502974?mod=djemalertNEWS
HONG KONG—China is launching its own initiative to set global standards on data security, countering U.S. efforts to persuade like-minded countries to ringfence their networks from Chinese technology.
Announcing the initiative on Tuesday at a Beijing seminar on global digital governance, Chinese Foreign Minister Wang Yi cited growing risks to data security and what he characterized as efforts to politicize security issues and smear rival countries on technology matters—in an apparent swipe at Washington.
To counter such challenges, “it is important to develop a set of international rules on data security that reflect the will and respect the interests of all countries,” Mr. Wang said, according to a transcript of his speech published by China’s Foreign Ministry. The Wall Street Journal reported on Monday that Beijing planned to unveil the initiative.
Beijing’s initiative comes amid heightened tensions with Washington over issues including trade and technological competition, which has raised the specter of an increasingly bifurcated internet.
Under its new “Global Initiative on Data Security,” China would call on all countries to handle data security in a “comprehensive, objective and evidence-based manner” and maintain an open, secure and stable supply chain for information and communications technology and services, according to a text released by the Chinese Foreign Ministry.
It also would urge governments to respect other countries’ sovereignty in how they handle data—in line with Beijing’s vision of “cyber sovereignty,” whereby countries exercise full control over their own corners of the internet.
The initiative doesn’t mention the U.S. or its Clean Network program. Mr. Wang nonetheless made it clear in his announcement that the move comes in response to the White House effort.
“Bent on unilateral acts, a certain country keeps making groundless accusations against others in the name of ‘clean’ network and used security as a pretext to prey on enterprises of other countries who have a competitive edge,” Mr. Wang said, according to the transcript. “Such blatant acts of bullying must be opposed and rejected.”
Tomi Engdahl says:
Hidden Linux kernel security fixes spotted before release – by using developer chatter as a side channel
Data mining of code commits and chat gives hackers a cunning edge
https://www.theregister.com/2020/09/04/linux_kernel_flaw_detection/
Boffins affiliated with BMW, Siemens, and two German universities say they can pinpoint obfuscated Linux kernel security fixes, developed in secret, before they are officially released. This is insight miscreants could use to develop and deploy exploit code before patches are widely available.
What’s more, the team found that Linux kernel patches are regularly introduced in a way that bypasses public review and discussion, a practice that opens at least a theoretical risk of backdoored code.
Tomi Engdahl says:
FBI: Thousands of orgs targeted by RDoS extortion campaign
https://www.bleepingcomputer.com/news/security/fbi-thousands-of-orgs-targeted-by-rdos-extortion-campaign/