Cyber security news September 2020

This posting collects cyber security news from September 2020.

I post links to security vulnerability news with short descriptions in the comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.


251 Comments

  1. Tomi Engdahl says:

    RayBan parent company reportedly suffers major ransomware attack
    https://www.welivesecurity.com/2020/09/24/ray-ban-parent-company-reportedly-suffers-major-ransomware-attack/
    There is no evidence that cybercriminals were also able to steal
    customer data

    Reply
  2. Tomi Engdahl says:

    Windows scammers now even speak Finnish on the phone: “A very
    worrying phenomenon”
    https://www.tivi.fi/uutiset/tv/74fa8ce4-321c-4ff9-885d-3622156ff064
    Many people have received a call in recent weeks in which their
    computer is claimed to be infected with malware and the caller offers
    to help with it. According to the National Cyber Security Centre
    (Kyberturvallisuuskeskus), a million such calls a month are now being
    made to Finland.

    Reply
  3. Tomi Engdahl says:

    Twitter is warning devs that API keys and tokens may have leaked
    https://www.bleepingcomputer.com/news/security/twitter-is-warning-devs-that-api-keys-and-tokens-may-have-leaked/
    Twitter is emailing developers stating that their API keys, access
    tokens, and access token secrets may have been exposed in a browser’s
    cache.

    Reply
  4. Tomi Engdahl says:

    Fortinet VPN with Default Settings Leave 200,000 Businesses Open to
    Hackers
    https://thehackernews.com/2020/09/fortigate-vpn-security.html
    “We quickly found that under default configuration the SSL VPN is not
    as protected as it should be, and is vulnerable to MITM attacks quite
    easily,” SAM IoT Security Lab’s Niv Hertz and Lior Tashimov said.
    “The Fortigate SSL-VPN client only verifies that the CA was issued by
    Fortigate (or another trusted CA), therefore an attacker can easily
    present a certificate issued to a different Fortigate router without
    raising any flags, and implement a man-in-the-middle attack.”

    Update now: Cisco warns over 25 high-impact flaws in its IOS and IOS
    XE software
    https://www.zdnet.com/article/update-now-cisco-warns-over-25-high-impact-flaws-in-its-ios-and-ios-xe-software/
    Cisco has alerted customers using its IOS and IOS XE networking gear
    software to apply updates for 34 flaws across 25 high-severity
    security advisories.

    Reply
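    The quoted finding above turns on one check: the client accepts any certificate that chains to the vendor CA, without asking whether that certificate was issued for the gateway it is actually connecting to. The Go program below is an added illustration of that distinction, not Fortinet’s code or the researchers’ code. It builds a throwaway CA and two leaf certificates entirely in memory (the hostnames vpn.example.com and other-gateway.example.net are constructed), then contrasts a CA-only verification with one that also binds the certificate to the expected hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI holds a throwaway CA plus two leaf certificates it issued.
// Everything is generated in memory; no real vendor material is involved.
type TestPKI struct {
	Roots     *x509.CertPool    // trust store containing only our constructed CA
	VPNCert   *x509.Certificate // issued to the gateway the client intends to reach
	OtherCert *x509.Certificate // issued by the same CA to a different gateway
}

// issue signs tmpl with parent/parentKey, or self-signs when parent is nil,
// and returns the parsed certificate together with its new private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// leafTemplate builds a server-auth certificate template for one hostname.
func leafTemplate(serial int64, host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the SAN entry hostname verification checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildTestPKI creates the CA and the two leaf certificates (constructed hostnames).
func BuildTestPKI() (*TestPKI, error) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Vendor Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	vpn, _, err := issue(leafTemplate(2, "vpn.example.com"), caCert, caKey)
	if err != nil {
		return nil, err
	}
	other, _, err := issue(leafTemplate(3, "other-gateway.example.net"), caCert, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &TestPKI{Roots: roots, VPNCert: vpn, OtherCert: other}, nil
}

// VerifyCAOnly models the weak client: it only checks that the chain ends at a trusted CA.
func VerifyCAOnly(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// VerifyForHost additionally binds the certificate to the hostname the client dialled.
func VerifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	pki, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	const target = "vpn.example.com"
	fmt.Println("CA-only, other gateway's cert:   ", VerifyCAOnly(pki.OtherCert, pki.Roots))
	fmt.Println("host-bound, other gateway's cert:", VerifyForHost(pki.OtherCert, pki.Roots, target))
	fmt.Println("host-bound, correct cert:        ", VerifyForHost(pki.VPNCert, pki.Roots, target))
}
```

    The CA-only check returns nil for the certificate issued to the other gateway, which is exactly the gap the quoted researchers describe; setting DNSName makes Go’s verifier return a HostnameError for that certificate while still accepting the one issued for the dialled host. The same property is worth confirming in any VPN or TLS client audit: a trusted issuer is necessary, but only a name (or pin) binding ties the certificate to the endpoint you meant to reach.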
  5. Tomi Engdahl says:

    Blast from the past! Windows XP source code allegedly leaked online
    https://nakedsecurity.sophos.com/2020/09/25/blast-from-the-past-windows-xp-source-code-allegedly-leaked-online/
    If the reports are to be believed, someone has just leaked a
    mega-torrent (pun intended; allegedly some of the files have also been
    uploaded to Kiwi file-sharing service Mega) of Microsoft source code
    going all the way back to MS-DOS 6.

    Reply
  6. Tomi Engdahl says:

    “From an organisation’s point of view, WhatsApp is a disaster”, says a
    digital consultant: impossible to administer, yet in use at workplaces
    https://yle.fi/uutiset/3-11545657
    Managing groups is manual work, and that also leaves room for errors.

    Reply
  7. Tomi Engdahl says:

    ThunderX ransomware silenced with release of a free decryptor
    https://www.bleepingcomputer.com/news/security/thunderx-ransomware-silenced-with-release-of-a-free-decryptor/
    A decryptor for the ThunderX ransomware has been released by
    cybersecurity firm Tesorion that lets victims recover their files for
    free.

    Reply
  8. Tomi Engdahl says:

    Industrial Cyberattacks Get Rarer but More Complex
    https://threatpost.com/industrial-cyberattacks-rarer-complex/159573/
    The first half of 2020 saw decreases in attacks on most ICS sectors,
    but oil/gas firms and building automation saw upticks.

    Reply
  9. Tomi Engdahl says:

    The Android 11 Privacy and Security Features You Should Know
    https://www.wired.com/story/android-11-privacy-and-security-features/
    Many of the updates to Google’s mobile OS are behind the scenes, but
    they can help you control your app permissions and keep your data
    safe.

    Reply
  10. Tomi Engdahl says:

    KuCoin cryptocurrency exchange hacked for $150 million
    KuCoin said an intruder drained all its hot wallets today.
    https://www.zdnet.com/article/kucoin-cryptocurrency-exchange-hacked-for-150-million/

    Singapore-based cryptocurrency exchange KuCoin disclosed today a mega hack. In a statement posted on its website, the company confirmed that a threat actor breached its systems and emptied its hot wallets of all funds.

    Hot wallets are cryptocurrency management apps that are connected to the internet. Cold wallets are stored offline.

    Cryptocurrency exchanges like KuCoin use hot wallets as their temporary storage systems for assets that are currently being exchanged on the platform, and they are used to power conversion operations and funds transfers.

    KuCoin said it detected the hack after observing “some large withdrawals” from its hot wallets on September 26.

    https://www.kucoin.com/news/en-kucoin-security-incident-update

    Reply
  11. Tomi Engdahl says:

    ‘The Underground Golden Age Is Over’: Epic Dark Web Opioid Bust Sees 179 Arrests And $6.5 Million Seized
    https://www.forbes.com/sites/thomasbrewster/2020/09/22/epic-dark-web-bust-sees-179-arrests-and-65-million-seized/#68b3913f440c

    In one of the biggest ever busts of dark web enterprise, global police agencies announced Tuesday they had arrested 179 vendors and buyers of illegal drugs in Europe and the U.S.

    Reply
  12. Tomi Engdahl says:

    Britain has offensive cyberwar capability, top general admits
    Gen Sir Patrick Sanders says Boris Johnson has told him to ensure UK is major cyber power
    https://www.theguardian.com/technology/2020/sep/25/britain-has-offensive-cyberwar-capability-top-general-admits

    Britain’s most senior cyber general has said the UK possesses the capacity to “degrade, disrupt and destroy” its enemies’ critical infrastructure in a future cyber conflict, in a rare acknowledgement of the military’s offensive hacking capability.

    Reply
  13. Tomi Engdahl says:

    U.S. judge blocks Twitter’s bid to reveal government surveillance requests
    https://reut.rs/3exss7W

    (Reuters) – Twitter Inc will not be able to reveal surveillance requests it received from the U.S. government after a federal judge accepted government arguments that this was likely to harm national security after a near six-year long legal battle.

    The social media company had sued the U.S. Department of Justice in 2014 to be allowed to reveal, as part of its “Draft Transparency Report”, the surveillance requests it received. It argued its free-speech rights were being violated by not being allowed to reveal the details.

    Reply
  14. Tomi Engdahl says:

    “LokiBot,” the malware that steals your most sensitive data, is on the rise
    “Persistent malicious” activity sees a “notable increase” since July, feds say.
    https://arstechnica.com/information-technology/2020/09/lokibot-the-malware-that-steals-your-most-sensitive-data-is-on-the-rise/

    Reply
  15. Tomi Engdahl says:

    Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns
    https://www.propublica.org/article/foreign-hackers-cripple-texas-countys-email-system-raising-election-security-concerns

    The malware attack, which sent fake email replies to voters and businesses, spotlights an overlooked vulnerability in counties that don’t follow best practices for computer security.

    Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. “Re: official precinct results,” one subject line read. The text supplied passwords for an attached file.

    But Jackson didn’t send the messages. Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson’s three-person office, already grappling with the coronavirus pandemic, ground to a near standstill.

    “I’ve only sent three emails today, and they were emails I absolutely had to send,” Jackson said Friday. “I’m scared to” send more, she said, for fear of spreading the malware.

    The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots.

    Reply
  16. Tomi Engdahl says:

    You know that Microsoft ZeroLogon bug you’ve been dragging your feet on? It’s getting pwned in the wild now
    Scan servers for signs of compromise and patch if you haven’t already
    https://www.theregister.com/2020/09/24/microsoft_zerologon_in_wild/?utm_source=dlvr.it&utm_medium=facebook

    The rather concerning design flaw in Microsoft’s netlogon protocol is being exploited in the wild by miscreants, the Windows giant’s security team has warned.

    The mega-biz today confirmed it is seeing active attacks abusing the CVE-2020-1472 vulnerability, aka ZeroLogon, which can be exploited to bypass authentication and gain domain-level administrator access in corporate networks.

    Reply
  17. Tomi Engdahl says:

    Tyler Technologies, which provides software to schools, cities and states across US, hit by ransomware attack
    https://www.chicagotribune.com/business/ct-biz-tyler-technologies-ransomware-breach-20200925-5n73f3purrdkvnks2v3hetz3y4-story.html

    A major U.S. provider of software services to state and local governments acknowledged Friday it was hit by a ransomware attack two days after telling clients an unknown intruder had compromised its phone and information technology systems.

    Tyler Technologies said in a statement that it confirmed the intruder used ransomware but did not provide further details on its response, citing an ongoing investigation.

    Reply
  18. Tomi Engdahl says:

    Bypassing Android MDM Using Electromagnetic Fault Injection By A Gas Lighter For $1.5
    https://payatu.com/blog/arun/bypassing-android-mdm-using-electromagnetic-fault-injection-by-a-gas-lighter-for-$1.5$

    This Proof of Concept is derived from our IoT penetration testing engagements, so most of the PoC will be redacted. This bypass works on a redacted smartphone running Android 10 with the March 2020 Security Update.

    Fault Injection
    Fault injection is a method of injecting faults into hardware, such as a processor, SRAM or flash, to make it behave in an unintended manner and use that to bypass security implementations or even break crypto. There are many ways of injecting faults into a digital circuit: voltage injection, clock injection and electromagnetic injection.

    Reply
  19. Tomi Engdahl says:

    Suspicious logins reported after ransomware attack on US govt contractor
    Ransomware attack on Tyler Technologies is looking worse by the day.
    https://www.zdnet.com/article/suspicious-logins-rats-reported-after-ransomware-attack-on-us-govt-contractor/

    Reply
  20. Tomi Engdahl says:

    Atlanta activist spent $200G in Black Lives Matter donations on house, personal expenses: FBI
    https://www.foxnews.com/us/atlanta-activist-spent-200g-in-black-lives-matter-donations-on-house-personal-expenses-fbi.amp

    The FBI has arrested the founder of a Black Lives Matter group in Atlanta on fraud and money laundering charges.

    Sir Maejor Page, 32, was accused Friday of misappropriating $200,000 in donations he solicited through Facebook on behalf of Black Lives Matter of Greater Atlanta, Fox 5 Atlanta reported Friday.

    Black Lives Matter of Greater Atlanta could not solicit donations after losing its tax-exempt status as a charity in 2019 for failing to submit to the IRS 990 tax returns listing donations and expenditures.

    Reply
  21. Tomi Engdahl says:

    New ‘Alien’ malware can steal passwords from 226 Android apps
    https://www.zdnet.com/article/new-alien-malware-can-steal-passwords-from-226-android-apps/

    Most targets are banking apps, but Alien can also show phishing pages for social, instant messaging, and cryptocurrency apps.

    Reply
  22. Tomi Engdahl says:

    Feds Hit with Successful Cyberattack, Data Stolen
    https://threatpost.com/feds-cyberattack-data-stolen/159541/

    The attack featured a unique, multistage malware and a likely PulseSecure VPN exploit.

    A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

    Reply
  23. Tomi Engdahl says:

    Zerologon explained: Why you should patch this critical Windows Server flaw now
    Attackers have learned how to exploit the Zerologon vulnerability in Windows Server, potentially gaining domain admin control.
    https://www.csoonline.com/article/3576193/what-is-zerologon-why-you-should-patch-this-critical-windows-server-flaw-now.html

    Reply
  24. Tomi Engdahl says:

    MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
    https://bazaar.abuse.ch/

    Reply
  25. Tomi Engdahl says:

    UHS hospitals hit by reported country-wide Ryuk ransomware attack
    https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/

    Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, has reportedly shut down systems at healthcare facilities around the US after a cyber-attack that hit its network during early Sunday morning.

    UHS operates over 400 healthcare facilities in the US and the UK, has more than 90,000 employees and provides healthcare services to approximately 3.5 million patients each year.

    Reply
  26. Tomi Engdahl says:

    https://www.facebook.com/groups/2600net/permalink/2843201099236330/
    Update on Universal Health.

    tl;dr: it’s bad

    They released a public statement that this is an IT security issue. The PR person is using a personal email address as the UHS systems are down. Via Jim McMurry

    Reply
  27. Tomi Engdahl says:

    Major hospital system hit with cyberattack, potentially largest in U.S. history
    https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254?utm_source=facebook&utm_medium=news_tab&utm_content=algorithm

    Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend.

    A major hospital chain has been hit by what appears to be one of the largest medical cyberattacks in United States history.

    Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation.

    Reply
  28. Tomi Engdahl says:

    Tyler Technologies says it was hacked with ransomware, election programs safe
    https://www.reuters.com/article/us-tyler-tech-cyber-idUSKCN26F3F2

    SAN FRANCISCO (Reuters) – Tyler Technologies TYL.N said the hacking attack against it disclosed Wednesday used ransomware, which encrypts company files and demands payment to decrypt them again.

    In a statement to Reuters, the vendor of software to counties and municipalities said the hacker only reached internal networks.

    Tyler said the attack had no impact on the software it hosts for clients, and the software it sells that displays election results is hosted by Amazon and so was not at risk.

    Reply
  29. Tomi Engdahl says:

    This ‘#Hacker University’ offers Dark Web Cybercrime degrees for $125 #darkweb #cybercrime #cybersecurity

    https://www.forbes.com/sites/daveywinder/2020/09/28/this-hacker-university-offers-dark-web-cybercrime-degrees-for-125/#71165a34145f

    Reply
  30. Tomi Engdahl says:

    Phishing Scam – Windows 7 ‘Upgrade’ Emails Steal Outlook Credentials

    The phishing lure below preys on the victim’s anxiety about losing productivity while their computer is upgraded. Comically, the attacker uses a colorful list of benefits the end user receives to get them to take the bait.

    End of Support for Windows 7 Means Beginning of Upgrade-Themed Phishing Campaigns
    https://cofense.com/end-support-windows-7-means-beginning-upgrade-themed-phishing-campaigns/

    Reply
  31. Tomi Engdahl says:

    Nevada school district refuses to submit to ransomware blackmail,
    hacker publishes student data
    https://www.zdnet.com/article/nevada-school-district-refuses-to-submit-to-ransomware-blackmail-hacker-responds-by-publishing-student-data/
    Thousands of students have reportedly had their private data released
    online.

    Reply
  32. Tomi Engdahl says:

    Ransomware hits US-based Arthur J. Gallagher insurance giant
    https://www.bleepingcomputer.com/news/security/ransomware-hits-us-based-arthur-j-gallagher-insurance-giant/
    US-based Arthur J. Gallagher (AJG) global insurance brokerage and risk
    management firm confirmed a ransomware attack that hit its systems on
    Saturday. AJG is one of the largest insurance brokers in the world
    with more than 33,300 employees and operations in 49 countries.

    Reply
  33. Tomi Engdahl says:

    Microsoft Netlogon exploitation continues to rise
    https://blog.talosintelligence.com/2020/09/netlogon-rises.html
    Cisco Talos is tracking a spike in exploitation attempts against the
    Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug
    in Netlogon, outlined in the August Microsoft Patch Tuesday report.

    Microsoft clarifies patch confusion for Windows Zerologon flaw
    https://www.bleepingcomputer.com/news/security/microsoft-clarifies-patch-confusion-for-windows-zerologon-flaw/
    Microsoft clarified the steps customers should take to make sure that
    their devices are protected against ongoing attacks using Windows
    Server Zerologon (CVE-2020-1472) exploits. In a step-by-step approach,
    the updated advisory now explains the exact actions that
    administrators need to take to make sure that their environments are
    protected and outages are prevented in the event of an incoming attack
    designed to exploit servers that would otherwise be vulnerable to
    Zerologon exploits.

    Reply
  34. Tomi Engdahl says:

    Plane-tracking site Flight Radar 24 DDoSed… just as drones spotted
    buzzing over Azerbaijan and Armenia
    https://www.theregister.com/2020/09/29/flight_radar_24_ddos/
    That’s one way of poking the world’s eyes out for a few hours

    Reply
  35. Tomi Engdahl says:

    UHS hospitals hit by reported country-wide Ryuk ransomware attack
    https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
    Universal Health Services (UHS), a Fortune 500 hospital and healthcare
    services provider, has reportedly shut down systems at healthcare
    facilities around the US after a cyber-attack that hit its network
    during early Sunday morning. UHS operates over 400 healthcare
    facilities in the US and the UK, has more than 90,000 employees and
    provides healthcare services to approximately 3.5 million patients
    each year.

    Reply
  36. Tomi Engdahl says:

    UK, US hospital computers are down, early unofficial diagnosis is a
    suspected outbreak of Ryuk ransomware
    https://www.theregister.com/2020/09/28/united_health_services_ransomware/
    We’ve switched to back-up offline procedures, says Universal Health
    Services. Universal Health Services, which operates over 400 hospitals
    and healthcare facilities in the US, Puerto Rico, and the UK, said on
    Monday that its IT network was offline due to an unspecified
    cybersecurity issue.

    Reply
  37. Tomi Engdahl says:

    REvil ransomware deposits $1 million in hacker recruitment drive
    https://www.bleepingcomputer.com/news/security/revil-ransomware-deposits-1-million-in-hacker-recruitment-drive/
    The REvil Ransomware (Sodinokibi) operation has deposited $1 million
    in bitcoins on a Russian-speaking hacker forum to prove to potential
    affiliates that they mean business. Also:
    https://nakedsecurity.sophos.com/2020/09/28/revil-ransomware-crew-dangles-1000000-cybercrime-carrot/

    Reply
  38. Tomi Engdahl says:

    Logistics giant CMA CGM goes offline to block malware attack
    https://www.bleepingcomputer.com/news/security/logistics-giant-cma-cgm-goes-offline-to-block-malware-attack/
    CMA CGM S.A., a French maritime transport and logistics giant, today
    disclosed a malware attack affecting some servers on the edge of its
    network. The attack forced CMA CGM’s IT teams to cut Internet access
    to some applications to block the malware from spreading to other
    network devices.

    Reply
  39. Tomi Engdahl says:

    Suspicious logins reported after ransomware attack on US govt
    contractor
    https://www.zdnet.com/article/suspicious-logins-rats-reported-after-ransomware-attack-on-us-govt-contractor/
    Ransomware attack on Tyler Technologies is looking worse by the day.
    Customers of Tyler Technologies, one of the biggest software providers
    for the US state and federal government, are reporting finding
    suspicious logins and previously unseen remote access tools (RATs) on
    their networks and servers.

    Reply
  40. Tomi Engdahl says:

    China-Linked ‘BlackTech’ Hackers Start Targeting U.S.
    https://www.securityweek.com/china-linked-blacktech-hackers-start-targeting-us

    The China-linked BlackTech cyber-spies have adopted new malicious tools in recent attacks, and they have started targeting the United States, Symantec security researchers revealed on Tuesday.

    Also referred to as Palmerworm, the hacking group is believed to have been active since at least 2013. The campaign analyzed by Symantec ran from August 2019 until as recently as August 2020, and it targeted organizations in construction, electronics, engineering, media, and finance in Japan, Taiwan, the U.S., and China. The threat actor was previously known to target East Asia.

    Reply
  41. Tomi Engdahl says:

    What Caused The Massive Microsoft Teams, Office 365 Outage Yesterday? Here’s What We Know
    https://www.forbes.com/sites/daveywinder/2020/09/29/what-caused-the-massive-microsoft-teams-office-365-outage-yesterday-heres-what-we-know/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Valerie/#76616c657269

    Cloud-based Microsoft applications, including Microsoft Teams, went down across a swathe of the U.S. yesterday.

    Users of Microsoft Office 365, Outlook, Exchange, Sharepoint, OneDrive and Azure also reported they were unable to login. Instead, they were presented with a “transient error” message informing them there was a problem signing them in.

    Reply
  42. Tomi Engdahl says:

    These intruders are happy to lie low in systems for as long as a year – and then things start happening
    Markku Pervilä, 30.9.2020 13:00 | updated 30.9.2020 13:19
    The state-backed espionage groups known as Palmerworm spend long periods lying dormant in organisations’ systems before the final strike.
    https://www.tivi.fi/uutiset/tv/94515d92-6a35-4402-878a-43812f53a47d

    Reply
  43. Tomi Engdahl says:

    FYI: If you’re running HP Device Manager, anyone on your network can
    get admin on your server via backdoor
    https://www.theregister.com/2020/09/30/hp_device_manager_backdoor_database_account/
    Hidden database account discovered, patches finally available as well
    as mitigations

    Reply
