This posting is here to collect cyber security news for September 2020.
I post links to security vulnerability news with short descriptions in the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links in the comments.
251 Comments
Tomi Engdahl says:
Zerologon attack lets hackers take over enterprise networks: Patch now
https://www.zdnet.com/article/zerologon-attack-lets-hackers-take-over-enterprise-networks/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
Microsoft patches one of the most severe bugs ever reported to the company.
The bug was patched in the August 2020 Patch Tuesday under the identifier of CVE-2020-1472. It was described as an elevation of privilege in Netlogon, the protocol that authenticates users against domain controllers.
The vulnerability received the maximum severity rating of 10, but details were never made public, meaning users and IT administrators never knew how dangerous the issue really was.
TAKE OVER A DOMAIN CONTROLLER WITH A BUNCH OF ZEROS
But in a blog post today, the team at Secura B.V., a Dutch security firm, has finally lifted the veil from this mysterious bug and published a technical report describing CVE-2020-1472 in greater depth.
And per the report, the bug is truly worthy of its 10/10 CVSSv3 severity score.
According to Secura experts, the bug, which they named Zerologon, takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process.
Tomi Engdahl says:
Recent patches to Windows Server closed the CVE-2020-1472 vulnerability that potentially let attackers hijack domain controllers.
Zerologon vulnerability threatens domain controllers
https://www.kaspersky.com/blog/cve-2020-1472-domain-controller-vulnerability/37048/?utm_source=facebook&utm_medium=social&utm_campaign=gl_Zerologon-_ay0073_promo&utm_content=sm-post&utm_term=gl_facebook_promo_bzxdy26w673jghj
On August’s Patch Tuesday, Microsoft closed several vulnerabilities, among them CVE-2020-1472. The Netlogon protocol vulnerability was assigned a “critical” severity level (its CVSS score was the maximum, 10.0). That it might pose a threat was never in doubt, but the other day, Secura researcher Tom Tervoort (who discovered it) published a detailed report explaining why the vulnerability, known as Zerologon, is so dangerous and how it can be used to hijack a domain controller.
Tomi Engdahl says:
https://www.secura.com/blog/zero-logon
Tomi Engdahl says:
Cerberus banking Trojan source code released for free to cyberattackers
An auction designed to net the developer of the Android malware $100,000 failed.
https://www.zdnet.com/article/cerberus-banking-trojan-source-code-released-for-free-to-cyberattackers/
Tomi Engdahl says:
Although the CISA alert only applies to federal government networks, the agency said it “strongly” urges companies and consumers to patch their systems as soon as possible if not already.
Homeland Security issues rare emergency alert over ‘critical’ Windows bug
https://finance.yahoo.com/news/homeland-security-issues-rare-emergency-211522180.html
Homeland Security’s cybersecurity advisory unit has issued a rare emergency alert to government departments after the recent disclosure of a “critical”-rated security vulnerability in server versions of Microsoft Windows.
The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an alert late on Friday requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack by Monday, citing an “unacceptable risk” to government networks.
The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network’s security. The bug was appropriately called “Zerologon,” because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
Tomi Engdahl says:
Billions of devices vulnerable to new ‘BLESA’ Bluetooth security flaw
New BLESA attack goes after the often ignored Bluetooth reconnection process, unlike previous vulnerabilities, most found in the pairing operation.
https://www.zdnet.com/google-amp/article/billions-of-devices-vulnerable-to-new-blesa-bluetooth-security-flaw/
Tomi Engdahl says:
https://www.cisa.gov/blog/2020/09/18/windows-server-vulnerability-requires-immediate-attention
Tomi Engdahl says:
Abusing CVE-2020-1472 (ZeroLogon)
https://infinitelogins.com/2020/09/15/abusing-cve-2020-1472-zerologon/
https://www.secura.com/blog/zero-logon
Tomi Engdahl says:
Whitepaper for CVE-2020-1472: https://www.secura.com/pathtoimg.php?id=2055
CVE-2020-1472: ‘Zerologon’ Vulnerability in Netlogon Could Allow Attackers to Hijack Windows Domain Controller
https://www.tenable.com/blog/cve-2020-1472-zerologon-vulnerability-in-netlogon-could-allow-attackers-to-hijack-windows
Tomi Engdahl says:
A hacker group is brute-forcing MSSQL servers with weak passwords and installing crypto-mining malware.
New MrbMiner malware has infected thousands of MSSQL databases
https://www.zdnet.com/article/new-mrbminer-malware-has-infected-thousands-of-mssql-databases/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
A hacker group is brute-forcing MSSQL servers with weak passwords and installing crypto-mining malware.
Thousands of MSSQL databases have been infected so far, according to the cybersecurity arm of Chinese tech giant Tencent.
In a report published earlier this month, Tencent Security has named this new malware gang MrbMiner, after one of the domains used by the group to host their malware.
The Chinese company says the botnet has exclusively spread by scanning the internet for MSSQL servers and then performing brute-force attacks by repeatedly trying the admin account with various weak passwords.
Tomi Engdahl says:
Chinese Antivirus Firm Was Part of APT41 Supply Chain Attack
https://krebsonsecurity.com/2020/09/chinese-antivirus-firm-was-part-of-apt41-supply-chain-attack/
The U.S. Justice Department this week indicted seven Chinese nationals
for a decade-long hacking spree that targeted more than 100 high-tech
and online gaming companies. The government alleges the men used
malware-laced phishing emails and supply chain attacks to steal data
from companies and their customers. One of the alleged hackers was
first profiled here in 2012 as the owner of a Chinese antivirus firm.
Tomi Engdahl says:
A Mix of Python & VBA in a Malicious Word Document
https://isc.sans.edu/forums/diary/A+Mix+of+Python+VBA+in+a+Malicious+Word+Document/26578/
A few days ago, Didier wrote an interesting diary about embedded
objects into an Office document[1]. I had a discussion about an
interesting OLE file that I found. Because it used the same technique,
I let Didier publish his diary first. Now, let’s have a look at the
document.
Tomi Engdahl says:
Apple Bug Allows Code Execution on iPhone, iPad, iPod
https://threatpost.com/apple-bug-code-execution-iphone/159332/
Release of iOS 14 and iPadOS 14 brings fixes for 11 bugs, some rated
high-severity. Apple has updated its iOS and iPadOS operating systems,
which addressed a wide range of flaws in its iPhone, iPad and iPod
devices. The most severe of these could allow an adversary to exploit
a privilege-escalation vulnerability against any of the devices and
ultimately gain arbitrary code-execution.
Tomi Engdahl says:
Leading U.S. laser developer IPG Photonics hit with ransomware
https://www.bleepingcomputer.com/news/security/leading-us-laser-developer-ipg-photonics-hit-with-ransomware/
IPG Photonics, a leading U.S. developer of fiber lasers for cutting,
welding, medical use, and laser weaponry has suffered a ransomware
attack that is disrupting their operations. Based out of Oxford,
Massachusetts, IPG Photonics has locations worldwide where they employ
over 4,000 people and have a $1.3 billion revenue in 2019. The
company’s lasers were used as part of the U.S. Navy’s Laser Weapon
System (LaWS) that was installed on the USS Ponce. This system is an
experimental defensive weapon against small threats and vehicles.
Tomi Engdahl says:
Firefox bug lets you hijack nearby mobile browsers via WiFi
https://www.zdnet.com/article/firefox-bug-lets-you-hijack-nearby-mobile-browsers-via-wifi/
Mozilla has fixed a bug that can be abused to hijack all the Firefox
for Android browsers on the same WiFi network and force users to
access malicious sites, such as phishing pages. The bug was discovered
by Chris Moberly, an Australian security researcher working for
GitLab. The actual vulnerability resides in the Firefox SSDP
component. SSDP stands for Simple Service Discovery Protocol and is
the mechanism through which Firefox finds other devices on the same
network in order to share or receive content (i.e., such as sharing
video streams with a Roku device).
Tomi Engdahl says:
A woman died in an ambulance when a cyberattack jammed a German
hospital's IT system; prosecutors opened a rare homicide
investigation
https://yle.fi/uutiset/3-11553530
If the investigation leads to charges, it would be, according to Reuters,
the first time a person's death has been directly linked to a
cyberattack. The charge would be negligent homicide. In Germany,
prosecutors on Friday opened a rare homicide investigation in which
a woman is suspected to have died as a result of a cyberattack on a
hospital, the news agency Reuters reports.
Tomi Engdahl says:
Google App Engine feature abused to create unlimited phishing pages
https://www.bleepingcomputer.com/news/security/google-app-engine-feature-abused-to-create-unlimited-phishing-pages/
A newly discovered technique by a researcher shows how Google’s App
Engine domains can be abused to deliver phishing and malware while
remaining undetected by leading enterprise security products. Google
App Engine is a cloud-based service platform for developing and
hosting web apps on Google’s servers. While reports of phishing
campaigns leveraging enterprise cloud domains are nothing new, what
makes Google App Engine infrastructure risky is how the subdomains get
generated and paths are routed.
Tomi Engdahl says:
Trump Backs Proposed Deal to Keep TikTok Operating in US
https://www.securityweek.com/trump-backs-proposed-deal-keep-tiktok-operating-us
Tomi Engdahl says:
Mozi Botnet Accounted for Majority of IoT Traffic: IBM
https://www.securityweek.com/mozi-botnet-accounted-majority-iot-traffic-ibm
Mozi, a relatively new botnet, has fueled a significant increase in Internet of Things (IoT) botnet activity, IBM reported this week.
Showing code overlaps with Mirai and its variants and reusing Gafgyt code, Mozi has been highly active over the past year, and it accounted for 90% of the IoT network traffic observed between October 2019 and June 2020, although it did not attempt to remove competitors from compromised systems, IBM researchers say.
Tomi Engdahl says:
Senate’s encryption backdoor bill is ‘dangerous for Americans,’ says Rep. Lofgren
https://techcrunch.com/2020/09/20/encryption-backdoor-bill-dangerous-lofgren/?tpcc=ECFB2020
A Senate bill that would compel tech companies to build backdoors to allow law enforcement access to encrypted devices and data would be “very dangerous” for Americans, said a leading House Democrat.
Senate Republicans in June introduced their latest “lawful access” bill, renewing previous efforts to force tech companies to allow law enforcement access to a user’s data when presented with a court order.
“It’s dangerous for Americans, because it will be hacked, it will be utilized, and there’s no way to make it secure,” Rep. Zoe Lofgren, whose congressional seat covers much of Silicon Valley, told TechCrunch at Disrupt 2020. “If we eliminate encryption, we’re just opening ourselves up to massive hacking and disruption,” she said.
Lofgren’s comments echo those of critics and security experts, who have long criticized efforts to undermine encryption, arguing that there is no way to build a backdoor for law enforcement that could not also be exploited by hackers.
Several previous efforts by lawmakers to weaken and undermine encryption have failed. Currently, law enforcement has to use existing tools and techniques to find weaknesses in phones and computers. The FBI claimed for years that it had thousands of devices that it couldn’t get into, but admitted in 2018 that it repeatedly overstated the number of encrypted devices it had and the number of investigations that were negatively impacted as a result.
The group’s final report, bipartisan but not binding, found that any measures to undermine encryption “works against the national interest.”
Still, it’s a talking point that the government continues to push, even as recently as this year when U.S. Attorney General William Barr said that Americans should accept the security risks that encryption backdoors pose.
“You cannot eliminate encryption safely,” Lofgren told TechCrunch. “And if you do, you will create chaos in the country and for Americans, not to mention others around the world,” she said. “It’s just an unsafe thing to do, and we can’t permit it.”
Tomi Engdahl says:
Firefox Flaw Allowed Hackers to Remotely Open Malicious Sites on Android Phones
https://www.securityweek.com/firefox-flaw-allowed-hackers-remotely-open-malicious-sites-android-phones
Mozilla Discontinues Firefox Feature Abused in Malware, Phishing Attacks
https://www.securityweek.com/mozilla-discontinues-firefox-feature-abused-malware-phishing-attacks
Mozilla is decommissioning Firefox Send and Firefox Notes, two legacy services that emerged out of the Firefox Test Pilot program.
Tomi Engdahl says:
FERC, NERC Conduct Study on Cyber Incident Response at Electric Utilities
https://www.securityweek.com/ferc-nerc-conduct-study-cyber-incident-response-electric-utilities
The U.S. Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) last week released a report outlining cyber incident response and recovery best practices for electric utilities.
The report is based on a study conducted by staff at FERC, NERC and NERC regional entities. The study is based on information provided by experts at eight U.S. electric utilities of various sizes and functions, and its goal was to help the industry improve incident response and incident recovery plans, which authors of the study say help ensure the reliability of the bulk electric system in the event of a cybersecurity incident.
The study found that there is no best incident response and recovery (IRR) plan model. The IRR plans of the targeted utilities share many similarities — they are based on the same NIST framework (SP 800-61) — but there are also differences, and some organizations have developed separate plans for incidents impacting their operational and business networks.
https://cms.ferc.gov/sites/default/files/2020-09/FERC%26NERC_CYPRES_Report.pdf
Tomi Engdahl says:
Firefox 81 Release Kills High-Severity Code-Execution Bugs
https://threatpost.com/firefox-81-release-bugs/159435/
Mozilla patched high-severity vulnerabilities with the release of
Firefox 81 and Firefox ESR 78.3, including several that could be
exploited to run arbitrary code. Two severe bugs (CVE-2020-15674 and
CVE-2020-15673) are errors in the browsers’ memory-safety protections,
which prevent memory access issues like buffer overflows.
CVE-2020-15674 was reported in Firefox 80, while CVE-2020-15673 was
reported in Firefox 80 and Firefox ESR 78.2.
Tomi Engdahl says:
Russian hackers use fake NATO training docs to breach govt networks
https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/
A Russian hacker group known by the names APT28, Fancy Bear, Sofacy,
Sednit, and STRONTIUM is behind a targeted attack campaign aimed at
government bodies. The group delivered a hard-to-detect strand of
Zebrocy Delphi malware under the pretense of providing NATO training
materials. Researchers further inspected the files containing the
payload and discovered these impersonated JPG files showing NATO
images when opened on a computer.
Tomi Engdahl says:
Microsoft Extending Threat Protection Portfolio, Unifying Security Solutions
https://www.securityweek.com/microsoft-extending-threat-protection-portfolio-unifying-security-solutions
Microsoft announced on Tuesday at its Ignite 2020 conference that it has extended its threat protection portfolio and it has unified some of its cybersecurity solutions.
The company says its goal is to provide the “most comprehensive” XDR solution on the market by unifying all XDR technologies under the Microsoft Defender brand. Microsoft Defender includes Microsoft 365 Defender, formerly Microsoft Threat Protection, and Azure Defender, which includes the cloud workload protections in the Azure Security Center.
Azure Defender, which provides XDR capabilities for Azure and hybrid resources, is expected to become the default later this month.
Microsoft says Azure Defender can now protect SQL servers in the cloud and on premises, as well as virtual machines in other clouds, thanks to Azure Arc support. As for container security in Azure, the tech giant told customers that its Kubernetes and Container Registry services (now called Azure Defender for Kubernetes and Azure Defender for Container Registries) have received some new features that should provide enhanced protection for containers.
Tomi Engdahl says:
Samba Issues Patches for Zerologon Vulnerability
https://www.securityweek.com/samba-issues-patches-zerologon-vulnerability
The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).
Also referred to as Zerologon and tracked as CVE-2020-1472, the security issue was addressed on August 2020 Patch Tuesday and can be triggered when an adversary connects to a domain controller using a vulnerable Netlogon secure channel connection.
An attacker can leverage a specially crafted application on a device connected to the network to exploit the vulnerability and gain domain administrator access.
On Friday, the DHS issued an Emergency Directive requiring all federal agencies to address the flaw within three days, deeming it an “unacceptable risk to the Federal Civilian Executive Branch.”
As it turns out, Windows Server wasn’t the only product impacted by the vulnerability. Samba, which allows users to easily share files between Linux and Windows systems, is impacted as well, as it relies on Netlogon.
With Zerologon being a protocol-level vulnerability and Samba implementing the Netlogon protocol, Samba is also vulnerable to the bug, when used as domain controller only. Active Directory DC installations are affected the most, with the flaw having low impact on the classic/NT4-style DC.
“Since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having ‘server schannel = yes’ in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’,” the Samba team explains.
== Subject: Unauthenticated domain takeover via netlogon (“ZeroLogon”)
== CVE ID#: CVE-2020-1472
== Versions: Samba 4.0 and later
== Summary: An unauthenticated attacker on the network can gain
== administrator access by exploiting a netlogon
== protocol flaw.
https://www.samba.org/samba/security/CVE-2020-1472.html
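As an added example (this is not code from the Samba project or from the advisory quoted above), the following Python script audits an smb.conf against the guidance in that statement: a domain controller is exposed if `server schannel` is set to `no` or `auto`, and, per the same statement, unset on 4.8 or later means the enforcing default applies. The sample configurations, the assumption that an unset value on versions before 4.8 is not enforced, and the version tuple argument are all constructed here for illustration.

```python
"""
Audit an smb.conf for the Zerologon-relevant 'server schannel' setting.

Added example, not Samba project code. It follows the Samba team's
statement that 4.8+ defaults to 'server schannel = yes' and that
'no' or 'auto' leaves a domain controller exposed. The pre-4.8 default
being non-enforcing is an assumption drawn from that statement.
"""
import re

# Constructed sample smb.conf fragments (not taken from any real deployment).
WEAK_DC_CONF = """\
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   server role = active directory domain controller
   ; legacy setting kept from an old deployment
   server schannel = auto
"""

SAFE_DC_CONF = """\
[global]
   workgroup = EXAMPLE
   Server Role = active directory domain controller
   Server SChannel = Yes
"""

MEMBER_CONF = """\
[global]
   workgroup = EXAMPLE
   server role = member server
   server schannel = no

[homes]
   browseable = no
"""


def parse_global_section(text):
    """Return the [global] section as {normalised key: lowercased value}.

    Samba keys are case-insensitive and tolerate internal whitespace, so
    'Server SChannel' and 'server schannel' are the same key. Lines
    starting with '#' or ';' are comments. Keys in other sections
    (e.g. [homes]) are ignored because 'server schannel' is global-only.
    """
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[" ".join(key.split()).lower()] = value.strip().lower()
    return settings


def schannel_status(settings, samba_version):
    """Classify the effective 'server schannel' setting.

    samba_version is a (major, minor) tuple, e.g. (4, 12).
    """
    value = settings.get("server schannel")
    if value is None:
        # Unset: the 4.8+ default enforces schannel; older defaults do not.
        return "default-enforced" if samba_version >= (4, 8) else "default-weak"
    if value in ("yes", "true"):
        return "enforced"
    if value in ("no", "auto"):
        return "weak"
    return "unknown"  # unrecognised spelling; treated as exposed below


def is_domain_controller(settings):
    """Zerologon only matters when Samba acts as a DC (AD or classic/NT4)."""
    role = settings.get("server role", "")
    return "domain controller" in role or settings.get("domain logons") == "yes"


def zerologon_exposed(text, samba_version):
    """True when the config describes a DC without an enforced secure channel."""
    settings = parse_global_section(text)
    status = schannel_status(settings, samba_version)
    return is_domain_controller(settings) and status != "enforced" \
        and status != "default-enforced"


if __name__ == "__main__":
    for name, conf in (("weak DC", WEAK_DC_CONF), ("safe DC", SAFE_DC_CONF),
                       ("member server", MEMBER_CONF)):
        print(f"{name}: exposed={zerologon_exposed(conf, (4, 12))}")
```

The fix for an exposed configuration is the one the advisory names: set `server schannel = yes` in `[global]` (or remove the overriding `no`/`auto` line on 4.8 or later) and apply the Samba patches.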
Tomi Engdahl says:
CISA Warns of Increased Use of LokiBot Malware
https://www.securityweek.com/cisa-warns-increased-use-lokibot-malware
Tomi Engdahl says:
Airbnb Accounts Exposed to Hijacking Due to Phone Number Recycling
https://www.securityweek.com/airbnb-accounts-exposed-hijacking-due-phone-number-recycling
Tomi Engdahl says:
Shopify Discloses Insider Threat Incident
https://www.securityweek.com/shopify-discloses-insider-threat-incident
E-commerce platform provider Shopify on Tuesday said two members of its support staff were caught accessing customer information without authorization.
According to Shopify, the two employees used their permissions to access customer transactional records from some merchants. The company says less than 200 merchants are impacted by the incident and they have all been notified.
Tomi Engdahl says:
Google Patches Privilege Escalation Vulnerability in Cloud Service
https://www.securityweek.com/google-patches-privilege-escalation-vulnerability-cloud-service
Google recently patched a privilege escalation vulnerability in OS Config, a Google Cloud Platform service for Compute Engine that is designed for managing operating systems running on virtual machine instances.
Security researcher Imre Rad analyzed the service, which he says is still in beta. He noticed that the agent process associated with the service, google_osconfig_agent, is running by default, with root privileges.
Tomi Engdahl says:
ESP32 Vulnerability Affects Older Chips
https://hackaday.com/2020/09/24/esp32-vulnerability-affects-older-chips/
There is a scene from the movie RED (Retired, Extremely Dangerous) where Bruce Willis encounters a highly-secure door with a constantly changing lock code deep inside the CIA. Knowing the lock would be impossible to break, he simply destroyed the wall next to the door, reached through, and opened the door from the other side. We thought about that when we saw [raelize’s] hack to bypass the ESP32’s security measures.
Before you throw out all your ESP32 spy gadgets, though, be aware that the V3 silicon can be made to prevent the attack. V1 and V2, however, have a flaw that — if you know how to exploit it — renders secure boot and flash encryption almost meaningless.
The hack centers around the UART bootloader. You can cause the chip to enter that mode and do basic operations such as read and write RAM and registers. You can also execute code from RAM. That’s not a particular security risk, though, since the flash memory may be encrypted. Decryption is transparent in the hardware and the chip doesn’t do the decryption during the boot loader mode. Sure, you can read the encrypted flash, but you could do that with some fancy desoldering or probing techniques, too.
During a normal boot, a bootloader in flash is placed in RAM. If you can glitch the CPU at just the right time — in theory — you could force the processor to run your RAM-based code in normal mode where the flash is already decrypted. The only problem is, they tried about 1,000,000 cycles and had no success. But they did notice something odd.
Espressif ESP32: Bypassing Encrypted Secure Boot (CVE-2020-13629)
https://raelize.com/posts/espressif-esp32-bypassing-encrypted-secure-boot-cve-2020-13629/
Tomi Engdahl says:
Micropatch for Zerologon, the “perfect” Windows vulnerability
(CVE-2020-1472)
https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html
The Zerologon vulnerability allows an attacker with network access to
a Windows Domain Controller to quickly and reliably take complete
control of the Windows domain. As such, it is a perfect vulnerability
for any attacker and a nightmare for defenders. It was discovered by
Tom Tervoort, a security researcher at Secura and privately reported
to Microsoft, which issued a patch for supported Windows versions as
part of August 2020 updates and assigned it CVE-2020-1472. The
micropatch we wrote is logically identical to Microsoft’s fix. We
injected it in function NetrServerAuthenticate3 in roughly the same
place where Microsoft added the call to
NlIsChallengeCredentialPairVulnerable, but since the latter doesn’t
exist in old versions of netlogon.dll, we had to implement its logic
in our patch.
Tomi Engdahl says:
Alien Android Banking Trojan Sidesteps 2FA
https://threatpost.com/alien-android-2fa/159517/
A newly uncovered banking trojan called Alien is invading Android
devices worldwide, using an advanced ability to bypass two-factor
authentication (2FA) security measures to steal victim credentials.
Once it has infected a device, the RAT aims to steal passwords from at
least 226 mobile applications including banking apps like Bank of
America Mobile Banking and Capital One Mobile, as well as a slew of
collaboration and social apps like Snapchat, Telegram and Microsoft
Outlook. Also:
https://www.zdnet.com/article/new-alien-malware-can-steal-passwords-from-226-android-apps/
Tomi Engdahl says:
Extremely critical Windows vulnerability now poses a threat, warns the
National Cyber Security Centre: patch immediately
https://www.tivi.fi/uutiset/tv/aeb68634-2592-4790-9d16-7e187b5718ce
Earlier this week we wrote about Zerologon attacks on a Windows
security hole. According to Secura, the security company that found
the vulnerability, exploiting it takes “in practice about three seconds”
and requires no login from the attacker at all. The National Cyber
Security Centre now reports that attack tools for exploiting the
vulnerability have been published. A fix for the vulnerability was
released in Microsoft's August updates, and the National Cyber Security
Centre recommends installing the updates immediately. Also:
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/kriittisen-zerologon-haavoittuvuuden-aktiivinen-hyvaksikaytto-alkanut
Tomi Engdahl says:
ZeroLogon(CVE-2020-1472) – Attacking & Defending
https://blog.zsec.uk/zerologon-attacking-defending/
A handy walkthrough of CVE-2020-1472 from both a red and blue team
perspective, how to detect, patch and hack ZeroLogon. You’re reading
this already thinking, not another zerologon post, oh great… Stay
tuned it’s a bit more than the normal posts, looking at it from the
build break defend fix mentality. I’ve added a quick skip ToC if you
want to skip to specific areas that interest you, or otherwise buckle
up folks, it’s going to be a long ride!
Tomi Engdahl says:
Google Launches Enterprise Threat Detection Solution
https://www.securityweek.com/google-launches-enterprise-threat-detection-solution
Google this week announced the availability of Chronicle Detect, a threat detection solution for enterprises from Google Cloud.
This is the first threat detection product out of the Chronicle cybersecurity platform after Chronicle became part of Google in June last year.
Launched in 2018 as a separate entity, Chronicle was established in 2016 within Google’s parent company Alphabet, aiming at delivering visibility into possible vulnerable areas, to help improve security posture. In March 2019, Chronicle launched security telemetry platform Backstory, and in June 2019 it announced joining Google Cloud.
The newly announced detection tool, Google revealed in a blog post this week, takes advantage of its large infrastructure to help organizations identify threats faster and at a higher scale than before.
Modern detection for modern threats: Changing the game on today’s threat actors
https://cloud.google.com/blog/products/identity-security/introducing-chronicle-detect-from-google-cloud
Tomi Engdahl says:
https://www.securityweek.com/cisco-patches-34-high-severity-vulnerabilities-ios-software
Tomi Engdahl says:
Nigerian Hacker Sentenced to Prison in U.S. for Targeting Government Employees
https://www.securityweek.com/nigerian-hacker-sentenced-prison-us-targeting-government-employees
Tomi Engdahl says:
DHS Admits Facial Recognition Photos Were Hacked, Released on Dark Web
https://www.vice.com/en_us/article/m7jzbb/dhs-admits-facial-recognition-photos-were-hacked-released-on-dark-web
Travelers’ faces, license plates, and car information were hacked from a subcontractor called Perceptics and released on the dark web.
The Department of Homeland Security (DHS) finally acknowledged Wednesday that photos that were part of a facial recognition pilot program were hacked from a Customs and Border Control subcontractor and were leaked on the dark web last year.
Among the data, which was collected by a company called Perceptics, was a trove of travelers’ faces, license plates, and car information. The information made its way to the Dark Web, despite DHS claiming it hadn’t. In a newly released report about the incident, the DHS Office of Inspector General admitted that 184,000 images were stolen and at least 19 of them were posted to the Dark Web.
Tomi Engdahl says:
Andrew Martin / Bloomberg:
CISA: a hacker accessed the network of an unnamed US federal agency using valid credentials for multiple users’ Microsoft 365 accounts and domain admin accounts — An unnamed U.S. federal agency was hit with a cyber-attack after a hacker used valid access credentials, authorities said on Thursday.
Hacker Accessed Network of U.S. Agency and Downloaded Data
https://www.bloomberg.com/news/articles/2020-09-24/hacker-accessed-network-of-u-s-agency-and-downloaded-data
An unnamed U.S. federal agency was hit with a cyber-attack after a hacker used valid access credentials, authorities said on Thursday.
While many details of the hack weren’t revealed, federal authorities did divulge that the hacker was able to browse directories, copy at least one file and exfiltrate data, according to the Cybersecurity & Infrastructure Security Agency, known as CISA.
The hacker implanted malware that evaded the agency’s protection system and was able to gain access to the network by using valid access credentials for multiple users’ Microsoft 365 accounts and domain administrator accounts, according to authorities.
Investigators weren’t able to determine how the hacker initially obtained the credentials. But the agency said it was possible that the hacker obtained them by exploiting a known vulnerability in Pulse Secure virtual private network servers.
The network breach wasn’t related to the upcoming U.S. election, according to a Department of Homeland Security official. CISA is part of the department.
Tomi Engdahl says:
Bentsi Ben-Atar, a prominent cybersecurity expert, and chief marketing officer at Sepio Systems, says that it “only takes a number of highly publicized attacks” to drive significant budget increases in cybersecurity.
Why is your personal health information worth 350 dollars on the black market?
https://cybernews.com/editorial/why-is-your-personal-health-information-worth-350-dollars-on-the-black-market/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=health_information_350_dollars
A woman who died in Duesseldorf University Hospital during a ransomware attack might be the first victim linked to a cyberattack on a hospital. Bentsi Ben-Atar, a prominent cybersecurity expert, and chief marketing officer at Sepio Systems, says that it “only takes a number of highly publicized attacks” to drive significant budget increases in cybersecurity. At the moment, the healthcare system worldwide doesn’t invest enough to shield themselves from cyberattacks.
Tomi Engdahl says:
Facebook says fake accounts tied to Russia posed as journalists and promoted other websites
https://www.cnet.com/news/facebook-says-fake-accounts-tied-to-russia-posed-as-journalists-and-promoted-other-websites/
The social network pulled down three networks of fake account tied to Russia, including some that had links to the Russian military and intelligence services.
Tomi Engdahl says:
Bluetooth Security Weaknesses Pile Up, While Patching Remains Problematic
https://www.darkreading.com/endpoint/bluetooth-security-weaknesses-pile-up-while-patching-remains-problematic/d/d-id/1339009?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
Turns out, creating wireless ecosystems for a vast number of different architectures, configurations, and use cases is hard.
Tomi Engdahl says:
Windows XP Source Code Reportedly Leaked, Posted to 4chan
By Paul Alcorn
There’s no putting this genie back in the bottle
https://www.tomshardware.com/news/windows-xp-source-code-reportedly-posted-to-4chan
Reports have emerged today that the Windows XP source code has been leaked to 4chan, with the leaked code then being posted to a torrent and the Mega file sharing service. Reports have also emerged that independent researchers have since begun analyzing the data, with initial indications that the leak is legitimate. However, there hasn’t been an official confirmation.
Looks Like the Windows XP Source Code Just Leaked on 4chan
https://www.gizmodo.com.au/2020/09/looks-like-the-windows-xp-source-code-just-leaked-on-4chan/
Tomi Engdahl says:
Windows XP source code leaks online
Windows Server 2003 source also included
https://www.theverge.com/2020/9/25/21455655/microsoft-windows-xp-source-code-leak
Microsoft’s source code for Windows XP and Windows Server 2003 has leaked online. Torrent files for both operating systems’ source code have been published on various file sharing sites this week. It’s the first time source code for Windows XP has leaked publicly, although the leaked files claim this code has been shared privately for years.
Tomi Engdahl says:
Apple apologizes for Siri glitch that ID’s police departments as ‘terrorists’
https://www.fox35orlando.com/news/apple-apologizes-for-siri-glitch-that-ids-police-departments-as-terrorists
CUPERTINO, Calif. – Apple has come under fire after its virtual assistant, Siri, recommended police stations when asked about the location of terrorists, and the Cupertino, Calif., company has since apologized for the error.
In one video, Nate Ferrier, president of the Kings County Deputy Sheriff’s Association, asked Siri, “Where are the terrorists?” Siri responded by suggesting five police departments in California.
“This was brought to our attention this evening and we tested it. Sure enough, this is real,” the Kings County Deputy Sheriff’s Association post said. “According to Siri and Apple, law enforcement are now considered terrorists … How is this acceptable and how is this happening in America?”
https://www.kingscountydsa.com/about/presidents-message
Tomi Engdahl says:
#Instagram_RCE: Code Execution Vulnerability in Instagram App for Android and iOS
https://research.checkpoint.com/2020/instagram_rce-code-execution-vulnerability-in-instagram-app-for-android-and-ios/amp/?__twitter_impression=true
Tomi Engdahl says:
Polish police shut down hacker super-group involved in bomb threats, ransomware, SIM swapping
https://www.zdnet.com/article/polish-police-shut-down-hacker-super-group-involved-in-bomb-threats-ransomware-sim-swapping/
The hackers also distributed Windows and Android malware, and even ran 50 fake online stores where they defrauded buyers.
Tomi Engdahl says:
Feds Hit with Successful Cyberattack, Data Stolen
https://threatpost.com/feds-cyberattack-data-stolen/159541/
The attack featured a unique, multistage malware and a likely
PulseSecure VPN exploit.
Tomi Engdahl says:
FinSpy Spyware for Mac and Linux OS Targets Egyptian Organisations
https://thehackernews.com/2020/09/finspy-malware-macos-linux.html
Amnesty International today exposed details of a new surveillance
campaign that targeted Egyptian civil society organizations with
previously undisclosed versions of FinSpy spyware designed to target
Linux and macOS systems.