This posting is here to collect cyber security news from September 2020.
I post links to security vulnerability news with short descriptions in the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links in the comments.
Tomi Engdahl says:
RayBan parent company reportedly suffers major ransomware attack
https://www.welivesecurity.com/2020/09/24/ray-ban-parent-company-reportedly-suffers-major-ransomware-attack/
There is no evidence that cybercriminals were also able to steal customer data.
Tomi Engdahl says:
Windows scammers now even speak Finnish on the phone: “A very worrying phenomenon”
https://www.tivi.fi/uutiset/tv/74fa8ce4-321c-4ff9-885d-3622156ff064
In recent weeks many people have received a call claiming that their computer is infected with malware and that the caller will help them with the computer. According to the Finnish National Cyber Security Centre (Kyberturvallisuuskeskus), a million such calls a month are now being made to Finland.
Tomi Engdahl says:
Twitter is warning devs that API keys and tokens may have leaked
https://www.bleepingcomputer.com/news/security/twitter-is-warning-devs-that-api-keys-and-tokens-may-have-leaked/
Twitter is emailing developers stating that their API keys, access tokens, and access token secrets may have been exposed in a browser’s cache.
Tomi Engdahl says:
Fortinet VPN with Default Settings Leave 200,000 Businesses Open to Hackers
https://thehackernews.com/2020/09/fortigate-vpn-security.html
“We quickly found that under default configuration the SSL VPN is not as protected as it should be, and is vulnerable to MITM attacks quite easily,” SAM IoT Security Lab’s Niv Hertz and Lior Tashimov said.
“The Fortigate SSL-VPN client only verifies that the CA was issued by Fortigate (or another trusted CA), therefore an attacker can easily present a certificate issued to a different Fortigate router without raising any flags, and implement a man-in-the-middle attack.”
Update now: Cisco warns over 25 high-impact flaws in its IOS and IOS XE software
https://www.zdnet.com/article/update-now-cisco-warns-over-25-high-impact-flaws-in-its-ios-and-ios-xe-software/
Cisco has alerted customers using its IOS and IOS XE networking gear software to apply updates for 34 flaws across 25 high-severity security advisories.
Tomi Engdahl says:
https://www.epanorama.net/blog/2020/09/26/windows-source-code-leaked/
Tomi Engdahl says:
Blast from the past! Windows XP source code allegedly leaked online
https://nakedsecurity.sophos.com/2020/09/25/blast-from-the-past-windows-xp-source-code-allegedly-leaked-online/
If the reports are to be believed, someone has just leaked a mega-torrent (pun intended: allegedly some of the files have also been uploaded to Kiwi file-sharing service Mega) of Microsoft source code going all the way back to MS-DOS 6.
Tomi Engdahl says:
“From an organisation’s point of view, WhatsApp is a catastrophe,” says a digital consultant: impossible to administer, yet in use at workplaces
https://yle.fi/uutiset/3-11545657
Managing groups is manual work, and that also leaves room for mistakes.
Tomi Engdahl says:
ThunderX ransomware silenced with release of a free decryptor
https://www.bleepingcomputer.com/news/security/thunderx-ransomware-silenced-with-release-of-a-free-decryptor/
A decryptor for the ThunderX ransomware has been released by cybersecurity firm Tesorion that lets victims recover their files for free.
Tomi Engdahl says:
Industrial Cyberattacks Get Rarer but More Complex
https://threatpost.com/industrial-cyberattacks-rarer-complex/159573/
The first half of 2020 saw decreases in attacks on most ICS sectors, but oil/gas firms and building automation saw upticks.
Tomi Engdahl says:
https://www.securityweek.com/chrome-vulnerabilities-expose-users-attacks-malicious-extensions
Tomi Engdahl says:
The Android 11 Privacy and Security Features You Should Know
https://www.wired.com/story/android-11-privacy-and-security-features/
Many of the updates to Google’s mobile OS are behind the scenes, but they can help you control your app permissions and keep your data safe.
Tomi Engdahl says:
KuCoin cryptocurrency exchange hacked for $150 million
KuCoin said an intruder drained all its hot wallets today.
https://www.zdnet.com/article/kucoin-cryptocurrency-exchange-hacked-for-150-million/
Singapore-based cryptocurrency exchange KuCoin disclosed today a mega hack. In a statement posted on its website, the company confirmed that a threat actor breached its systems and emptied its hot wallets of all funds.
Hot wallets are cryptocurrency management apps that are connected to the internet. Cold wallets are stored offline.
Cryptocurrency exchanges like KuCoin use hot wallets as their temporary storage systems for assets that are currently being exchanged on the platform, and they are used to power conversion operations and funds transfers.
KuCoin said it detected the hack after observing “some large withdrawals” from its hot wallets on September 26.
https://www.kucoin.com/news/en-kucoin-security-incident-update
Tomi Engdahl says:
‘The Underground Golden Age Is Over’: Epic Dark Web Opioid Bust Sees 179 Arrests And $6.5 Million Seized
https://www.forbes.com/sites/thomasbrewster/2020/09/22/epic-dark-web-bust-sees-179-arrests-and-65-million-seized/#68b3913f440c
In one of the biggest ever busts of dark web enterprise, global police agencies announced Tuesday they had arrested 179 vendors and buyers of illegal drugs in Europe and the U.S.
Tomi Engdahl says:
Britain has offensive cyberwar capability, top general admits
Gen Sir Patrick Sanders says Boris Johnson has told him to ensure UK is major cyber power
https://www.theguardian.com/technology/2020/sep/25/britain-has-offensive-cyberwar-capability-top-general-admits
Britain’s most senior cyber general has said the UK possesses the capacity to “degrade, disrupt and destroy” its enemies’ critical infrastructure in a future cyber conflict, in a rare acknowledgement of the military’s offensive hacking capability.
Tomi Engdahl says:
U.S. judge blocks Twitter’s bid to reveal government surveillance requests
https://reut.rs/3exss7W
(Reuters) – Twitter Inc will not be able to reveal surveillance requests it received from the U.S. government after a federal judge accepted government arguments that this was likely to harm national security after a near six-year long legal battle.
The social media company had sued the U.S. Department of Justice in 2014 to be allowed to reveal, as part of its “Draft Transparency Report”, the surveillance requests it received. It argued its free-speech rights were being violated by not being allowed to reveal the details.
Tomi Engdahl says:
“LokiBot,” the malware that steals your most sensitive data, is on the rise
“Persistent malicious” activity sees a “notable increase” since July, feds say.
https://arstechnica.com/information-technology/2020/09/lokibot-the-malware-that-steals-your-most-sensitive-data-is-on-the-rise/
Tomi Engdahl says:
Foreign Hackers Cripple Texas County’s Email System, Raising Election Security Concerns
https://www.propublica.org/article/foreign-hackers-cripple-texas-countys-email-system-raising-election-security-concerns
The malware attack, which sent fake email replies to voters and businesses, spotlights an overlooked vulnerability in counties that don’t follow best practices for computer security.
Last week, voters and election administrators who emailed Leanne Jackson, the clerk of rural Hamilton County in central Texas, received bureaucratic-looking replies. “Re: official precinct results,” one subject line read. The text supplied passwords for an attached file.
But Jackson didn’t send the messages. Instead, they came from Sri Lankan and Congolese email addresses, and they cleverly hid malicious software inside a Microsoft Word attachment. By the time Jackson learned about the forgery, it was too late. Hackers continued to fire off look-alike replies. Jackson’s three-person office, already grappling with the coronavirus pandemic, ground to a near standstill.
“I’ve only sent three emails today, and they were emails I absolutely had to send,” Jackson said Friday. “I’m scared to” send more, she said, for fear of spreading the malware.
The previously unreported attack on Hamilton illustrates an overlooked security weakness that could hamper the November election: the vulnerability of email systems in county offices that handle the voting process from registration to casting and counting ballots.
Tomi Engdahl says:
http://hacking-printers.net/wiki/index.php/Main_Page
Tomi Engdahl says:
You know that Microsoft ZeroLogon bug you’ve been dragging your feet on? It’s getting pwned in the wild now
Scan servers for signs of compromise and patch if you haven’t already
https://www.theregister.com/2020/09/24/microsoft_zerologon_in_wild/?utm_source=dlvr.it&utm_medium=facebook
The rather concerning design flaw in Microsoft’s netlogon protocol is being exploited in the wild by miscreants, the Windows giant’s security team has warned.
The mega-biz today confirmed it is seeing active attacks abusing the CVE-2020-1472 vulnerability, aka ZeroLogon, which can be exploited to bypass authentication and gain domain-level administrator access in corporate networks.
Tomi Engdahl says:
Tyler Technologies, which provides software to schools, cities and states across US, hit by ransomware attack
https://www.chicagotribune.com/business/ct-biz-tyler-technologies-ransomware-breach-20200925-5n73f3purrdkvnks2v3hetz3y4-story.html
A major U.S. provider of software services to state and local governments acknowledged Friday it was hit by a ransomware attack two days after telling clients an unknown intruder had compromised its phone and information technology systems.
Tyler Technologies said in a statement that it confirmed the intruder used ransomware but did not provide further details on its response, citing an ongoing investigation.
Tomi Engdahl says:
Bypassing Android MDM Using Electromagnetic Fault Injection By A Gas Lighter For $1.5
https://payatu.com/blog/arun/bypassing-android-mdm-using-electromagnetic-fault-injection-by-a-gas-lighter-for-$1.5$
This Proof of Concept is derived from our IoT penetration testing engagements, so most of the PoC will be redacted. This bypass works on a redacted smartphone running Android 10 with the March 2020 Security Update.
Fault Injection
Fault injection is a method of injecting faults into hardware, like a processor, SRAM or flash, to make it work in an unintended manner and use that to bypass security implementations or even break crypto. There are many ways of injecting faults into a digital circuit: voltage injection, clock injection and electromagnetic injection.
Tomi Engdahl says:
Suspicious logins reported after ransomware attack on US govt contractor
Ransomware attack on Tyler Technologies is looking worse by the day.
https://www.zdnet.com/article/suspicious-logins-rats-reported-after-ransomware-attack-on-us-govt-contractor/
Tomi Engdahl says:
Atlanta activist spent $200G in Black Lives Matter donations on house, personal expenses: FBI
https://www.foxnews.com/us/atlanta-activist-spent-200g-in-black-lives-matter-donations-on-house-personal-expenses-fbi.amp
The FBI has arrested the founder of a Black Lives Matter group in Atlanta on fraud and money laundering charges.
Sir Maejor Page, 32, was accused Friday of misappropriating $200,000 in donations he solicited through Facebook on behalf of Black Lives Matter of Greater Atlanta, Fox 5 Atlanta reported Friday.
Black Lives Matter of Greater Atlanta could not solicit donations after losing its tax-exempt status as a charity in 2019 for failing to submit to the IRS 990 tax returns listing donations and expenditures.
Tomi Engdahl says:
New ‘Alien’ malware can steal passwords from 226 Android apps
https://www.zdnet.com/article/new-alien-malware-can-steal-passwords-from-226-android-apps/
Most targets are banking apps, but Alien can also show phishing pages for social, instant messaging, and cryptocurrency apps.
Tomi Engdahl says:
Russian hackers use fake NATO training docs to breach govt networks
https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/
Tomi Engdahl says:
Feds Hit with Successful Cyberattack, Data Stolen
https://threatpost.com/feds-cyberattack-data-stolen/159541/
The attack featured a unique, multistage malware and a likely PulseSecure VPN exploit.
A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.
Tomi Engdahl says:
Zerologon explained: Why you should patch this critical Windows Server flaw now
Attackers have learned how to exploit the Zerologon vulnerability in Windows Server, potentially gaining domain admin control.
https://www.csoonline.com/article/3576193/what-is-zerologon-why-you-should-patch-this-critical-windows-server-flaw-now.html
Tomi Engdahl says:
MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
https://bazaar.abuse.ch/
Tomi Engdahl says:
UHS hospitals hit by reported country-wide Ryuk ransomware attack
https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, has reportedly shut down systems at healthcare facilities around the US after a cyber-attack that hit its network during early Sunday morning.
UHS operates over 400 healthcare facilities in the US and the UK, has more than 90,000 employees and provides healthcare services to approximately 3.5 million patients each year.
Tomi Engdahl says:
https://www.facebook.com/groups/2600net/permalink/2843201099236330/
Update on Universal Health.
tl;dr: it’s bad
They released a public statement that this is an IT security issue. The PR person is using a personal email address as the UHS systems are down. Via Jim McMurry
Tomi Engdahl says:
Major hospital system hit with cyberattack, potentially largest in U.S. history
https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254?utm_source=facebook&utm_medium=news_tab&utm_content=algorithm
Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend.
A major hospital chain has been hit by what appears to be one of the largest medical cyberattacks in United States history.
Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation.
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2020/09/18/a-real-life-maze-ransomware-attack-if-at-first-you-dont-succeed/
Tomi Engdahl says:
https://6abc.com/technology/microsoft-down-users-unable-to-access-services/6632079/
Tomi Engdahl says:
Tyler Technologies says it was hacked with ransomware, election programs safe
https://www.reuters.com/article/us-tyler-tech-cyber-idUSKCN26F3F2
SAN FRANCISCO (Reuters) – Tyler Technologies TYL.N said the hacking attack against it disclosed Wednesday used ransomware, which encrypts company files and demands payment to decrypt them again.
In a statement to Reuters, the vendor of software to counties and municipalities said the hacker only reached internal networks.
Tyler said the attack had no impact on the software it hosts for clients, and the software it sells that displays election results is hosted by Amazon and so was not at risk.
Tomi Engdahl says:
This ‘#Hacker University’ offers Dark Web Cybercrime degrees for $125 #darkweb #cybercrime #cybersecurity
https://www.forbes.com/sites/daveywinder/2020/09/28/this-hacker-university-offers-dark-web-cybercrime-degrees-for-125/#71165a34145f
Tomi Engdahl says:
Phishing Scam – Windows 7 ‘Upgrade’ Emails Steal Outlook Credentials
The phishing lure below preys on the victim’s anxiety about losing productivity while their computer is upgraded. Comically, the attacker uses a colorful list of benefits the end user receives to get them to take the bait.
End of Support for Windows 7 Means Beginning of Upgrade-Themed Phishing Campaigns
https://cofense.com/end-support-windows-7-means-beginning-upgrade-themed-phishing-campaigns/
Tomi Engdahl says:
Nevada school district refuses to submit to ransomware blackmail, hacker publishes student data
https://www.zdnet.com/article/nevada-school-district-refuses-to-submit-to-ransomware-blackmail-hacker-responds-by-publishing-student-data/
Thousands of students have reportedly had their private data released online.
Tomi Engdahl says:
Ransomware hits US-based Arthur J. Gallagher insurance giant
https://www.bleepingcomputer.com/news/security/ransomware-hits-us-based-arthur-j-gallagher-insurance-giant/
US-based Arthur J. Gallagher (AJG), a global insurance brokerage and risk management firm, confirmed a ransomware attack that hit its systems on Saturday. AJG is one of the largest insurance brokers in the world with more than 33,300 employees and operations in 49 countries.
Tomi Engdahl says:
Microsoft Netlogon exploitation continues to rise
https://blog.talosintelligence.com/2020/09/netlogon-rises.html
Cisco Talos is tracking a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report.
Microsoft clarifies patch confusion for Windows Zerologon flaw
https://www.bleepingcomputer.com/news/security/microsoft-clarifies-patch-confusion-for-windows-zerologon-flaw/
Microsoft clarified the steps customers should take to make sure that their devices are protected against ongoing attacks using Windows Server Zerologon (CVE-2020-1472) exploits. In a step-by-step approach, the updated advisory now explains the exact actions that administrators need to take to make sure that their environments are protected and outages are prevented in the event of an incoming attack designed to exploit servers that would otherwise be vulnerable to Zerologon exploits.
Tomi Engdahl says:
Plane-tracking site Flight Radar 24 DDoSed… just as drones spotted buzzing over Azerbaijan and Armenia
https://www.theregister.com/2020/09/29/flight_radar_24_ddos/
That’s one way of poking the world’s eyes out for a few hours
Tomi Engdahl says:
UK, US hospital computers are down, early unofficial diagnosis is a suspected outbreak of Ryuk ransomware
https://www.theregister.com/2020/09/28/united_health_services_ransomware/
We’ve switched to back-up offline procedures, says Universal Health Services. Universal Health Services, which operates over 400 hospitals and healthcare facilities in the US, Puerto Rico, and the UK, said on Monday that its IT network was offline due to an unspecified cybersecurity issue.
Tomi Engdahl says:
REvil ransomware deposits $1 million in hacker recruitment drive
https://www.bleepingcomputer.com/news/security/revil-ransomware-deposits-1-million-in-hacker-recruitment-drive/
The REvil Ransomware (Sodinokibi) operation has deposited $1 million in bitcoins on a Russian-speaking hacker forum to prove to potential affiliates that they mean business. Also:
https://nakedsecurity.sophos.com/2020/09/28/revil-ransomware-crew-dangles-1000000-cybercrime-carrot/
Tomi Engdahl says:
Logistics giant CMA CGM goes offline to block malware attack
https://www.bleepingcomputer.com/news/security/logistics-giant-cma-cgm-goes-offline-to-block-malware-attack/
CMA CGM S.A., a French maritime transport and logistics giant, today disclosed a malware attack affecting some servers on the edge of its network. The attack forced CMA CGM’s IT teams to cut Internet access to some applications to block the malware from spreading to other network devices.
Tomi Engdahl says:
Suspicious logins reported after ransomware attack on US govt contractor
https://www.zdnet.com/article/suspicious-logins-rats-reported-after-ransomware-attack-on-us-govt-contractor/
Ransomware attack on Tyler Technologies is looking worse by the day.
Customers of Tyler Technologies, one of the biggest software providers for the US state and federal government, are reporting finding suspicious logins and previously unseen remote access tools (RATs) on their networks and servers.
Tomi Engdahl says:
China-Linked ‘BlackTech’ Hackers Start Targeting U.S.
https://www.securityweek.com/china-linked-blacktech-hackers-start-targeting-us
The China-linked BlackTech cyber-spies have adopted new malicious tools in recent attacks, and they have started targeting the United States, Symantec security researchers revealed on Tuesday.
Also referred to as Palmerworm, the hacking group is believed to have been active since at least 2013. The campaign analyzed by Symantec ran from August 2019 until as recently as August 2020, and it targeted organizations in construction, electronics, engineering, media, and finance in Japan, Taiwan, the U.S., and China. The threat actor was previously known to target East Asia.
Tomi Engdahl says:
Bleeping Computer: Swiss watchmaker Swatch shuts down IT systems to stop cyberattack
https://www.bleepingcomputer.com/news/security/swiss-watchmaker-swatch-shuts-down-it-systems-to-stop-cyberattack/
Tomi Engdahl says:
What Caused The Massive Microsoft Teams, Office 365 Outage Yesterday? Here’s What We Know
https://www.forbes.com/sites/daveywinder/2020/09/29/what-caused-the-massive-microsoft-teams-office-365-outage-yesterday-heres-what-we-know/?utm_campaign=forbes&utm_source=facebook&utm_medium=social&utm_term=Valerie/#76616c657269
Cloud-based Microsoft applications, including Microsoft Teams, went down across a swathe of the U.S. yesterday.
Users of Microsoft Office 365, Outlook, Exchange, SharePoint, OneDrive and Azure also reported they were unable to log in. Instead, they were presented with a “transient error” message informing them there was a problem signing them in.
Tomi Engdahl says:
These intruders are content to lie low in systems for as long as a year, and then things start to happen
Markku Pervilä, 30.9.2020 13:00 | updated 30.9.2020 13:19
The state-sponsored espionage groups known by the name Palmerworm spend long periods lying quiet in organisations’ systems before the final strike.
https://www.tivi.fi/uutiset/tv/94515d92-6a35-4402-878a-43812f53a47d
Tomi Engdahl says:
FYI: If you’re running HP Device Manager, anyone on your network can get admin on your server via backdoor
https://www.theregister.com/2020/09/30/hp_device_manager_backdoor_database_account/
Hidden database account discovered, patches finally available as well as mitigations