This posting collects cyber security news for November 2020.
I post links to security vulnerability news, with short descriptions, in the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
Fall Guys says:
Ooh, yay! ^.^ I’ll get this info posted soon. Thanks, guys!
Tomi Engdahl says:
Cybersecurity and U.S. Election Infrastructure
What to Know Before—and After—You Go to the Polls.
https://foreignpolicy.com/2020/10/27/election-cybersecurity-cyberattack-critical-infrastructure-voting/
Tomi Engdahl says:
Warning after 75,000 ‘deleted’ files found on used USB drives
https://www.bbc.com/news/uk-scotland-tayside-central-54779322
Tax returns, contracts and bank statements were among the “deleted” files recovered by Abertay University investigators from used USB drives.
Cybersecurity researchers discovered about 75,000 files after buying 100 of the drives on an internet auction site.
Some USB drives contained files named “passwords” and images with embedded location data.
All but two of the drives appeared empty, but the team said it had been “worryingly easy” to retrieve data.
The researchers used “publicly-available tools” to retrieve the sensitive information.
She said: “An unscrupulous buyer could feasibly use recovered files to access sellers’ accounts if the passwords are still valid, or even try the passwords on the person’s other accounts given that password re-use is so widespread.”
Tomi Engdahl says:
https://9to5google.com/2020/11/05/how-to-use-google-one-vpn-android/
Tomi Engdahl says:
Hackers are exploiting unpatched VoIP flaws to compromise business accounts
https://www.zdnet.com/article/hackers-are-exploiting-unpatched-voip-flaws-to-compromise-business-accounts/
Over 1,200 organisations have fallen victim to a campaign that uses known exploits to remotely gain access to VoIP accounts – and the attackers are selling access to the highest bidder.
Tomi Engdahl says:
The feds just seized Silk Road’s $1 billion stash of bitcoin
Forfeiture comes two days after mystery party transferred 69,369 BTC out of wallet.
https://arstechnica.com/tech-policy/2020/11/feds-seize-1-billion-in-bitcoin-from-silk-road-drug-marketplace/
Tomi Engdahl says:
https://thehackernews.com/2020/11/premium-rate-phone-fraudsters-hack-voip.html
Tomi Engdahl says:
Google to GitHub: Time’s up – this unfixed ‘high-severity’ security bug affects developers
No, GitHub, we can’t give you an extra two days for a flaw that we’ve already given you 104 days to fix, says Google.
https://www.zdnet.com/article/google-to-github-times-up-this-unfixed-high-severity-security-bug-affects-developers/
Tomi Engdahl says:
REvil ransomware gang ‘acquires’ KPOT malware
https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/
Ransomware gang who claims to have earned $100 million buys the source code of the KPOT information stealer trojan for $6,500.
Tomi Engdahl says:
Police Will Pilot a Program to Live-Stream Amazon Ring Cameras
https://www.eff.org/deeplinks/2020/11/police-will-pilot-program-live-stream-amazon-ring-cameras
Tomi Engdahl says:
How Facebook was used as a proxy by web scraping bots
https://datadome.co/bot-detection/how-facebook-was-used-as-a-proxy-by-web-scraping-bots/
The DataDome research team recently discovered that bot operators were abusing Facebook’s link preview feature for web scraping purposes. When a link is shared on Facebook or in a Messenger conversation, Facebook crawls the shared webpage to extract information for the preview. By simulating link sharing, web scraping bots could make unlimited requests to their targeted websites via Facebook’s infrastructure. The issue has now been remedied by rate limiting on the API.
Tomi Engdahl says:
Prototype pollution vulnerability left bug bounty platform HackerOne open to attack
https://portswigger.net/daily-swig/prototype-pollution-vulnerability-left-bug-bounty-platform-hackerone-open-to-attack
Tomi Engdahl says:
Linux version of RansomEXX ransomware discovered
This marks the first time a major Windows ransomware strain has been ported to Linux to aid hackers in their targeted intrusions
https://www.zdnet.com/article/linux-version-of-ransomexx-ransomware-discovered/
Tomi Engdahl says:
Devastating banking trojan spreading on Android and iPhone phones – here is how to protect yourself
6.11.2020 20:00
The banking trojan Wroba has been rampaging around the world for years. Now it has raised its head again.
https://www.mikrobitti.fi/uutiset/tuhoisa-pankkitroijalainen-leviaa-android-ja-iphone-puhelimissa-suojaudu-nain/68ce08eb-943f-4230-8881-52f524109b75
Tomi Engdahl says:
https://www.forbes.com/sites/daveywinder/2020/11/01/windows-10-users-beware-new-hacker-attack-confirmed-by-google-microsoft/
Tomi Engdahl says:
Securing Endpoints in 2020: Proactive Security with XDR
https://pentestmag.com/securing-endpoints-in-2020-proactive-security-with-xdr/
Tomi Engdahl says:
New ransomware vaccine kills programs wiping Windows shadow volumes
https://www.bleepingcomputer.com/news/security/new-ransomware-vaccine-kills-programs-wiping-windows-shadow-volumes/
A new ransomware vaccine program has been created that terminates processes that try to delete volume shadow copies using Microsoft’s vssadmin.exe program,
Every day, Windows will create backups of your system and data files and store them in Shadow Volume Copy snapshots.
These snapshots can then be used to recover files if they are mistakenly changed or deleted.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadminexe-now/
Tomi Engdahl says:
Company forced to change name that could be used to hack websites
Software firm’s director thought name using HTML would be ‘fun and playful’
https://www.theguardian.com/uk-news/2020/nov/06/companies-house-forces-business-name-change-to-prevent-security-risk
Companies House has forced a company to change its name after it belatedly realised it could pose a security risk.
The company now legally known as “THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD” was set up by a British software engineer, who says he did it purely because he thought it would be “a fun playful name” for his consulting business.
He now says he didn’t realise that Companies House was actually vulnerable to the extremely simple technique he used, known as “cross-site scripting”, which allows an attacker to run code from one website on another.
Tomi Engdahl says:
FBI: Hackers stole source code from US government agencies and private companies
https://www.zdnet.com/google-amp/article/fbi-hackers-stole-source-code-from-us-government-agencies-and-private-companies/
FBI blames intrusions on improperly configured SonarQube source code management tools.
The Federal Bureau of Investigation has sent out a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses.
Intrusions have taken place since at least April 2020, the FBI said in an alert sent out last month and made public this week on its website.
The alert specifically warns owners of SonarQube, a web-based application that companies integrate into their software build chains to test source code and discover security flaws before rolling out code and applications into production environments.
https://www.sonarqube.org/
Tomi Engdahl says:
https://cybernews.com/security/your-iot-device-is-one-of-your-biggest-cybersecurity-risks/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=iot_risks&fbclid=IwAR0vMSKEh_f1N39EQdlG3owoLay7AzqZZJCwjxTDk3Kt8J6MKHM9J_NTFAo
Tomi Engdahl says:
CVE-2020-16939: Windows Group Policy DACL Overwrite Privilege Escalation
A simple walkthrough using the Windows Group Policy client to escalate privileges and PoC showing how CVE-2020-16939 can be abused by attackers to obtain full permissions on the contents of a folder.
https://www.zerodayinitiative.com/blog/2020/10/27/cve-2020-16939-windows-group-policy-dacl-overwrite-privilege-escalation
Tomi Engdahl says:
‘Robot soldiers could make up quarter of British army by 2030s’
Investment in robot warfare at heart of UK’s planned five-year defence review
https://www.theguardian.com/uk-news/2020/nov/08/third-world-war-a-risk-in-wake-of-covid-pandemic-says-uk-defence-chief?CMP=Share_AndroidApp_Other&fbclid=IwAR22ddg-A618iggpALnOruSuvGUvKHSzr95SnnjJpesrnfA6EIfYxEv4_tc
Thirty thousand “robot soldiers” could form an integral part of the British army in the 2030s, working alongside humans in and around the frontline, the head of the armed forces said in a television interview on Sunday.
Gen Sir Nick Carter said the armed forces needed “to think about how we measure effects in a different way” – and he called on the government to proceed with the previously promised five-year integrated defence review.
Tomi Engdahl says:
Zoom Settles With FTC for Allegedly Lying to Everyone About Encryption
https://gizmodo.com/zoom-settles-with-ftc-for-allegedly-lying-to-everyone-a-1845620577?utm_medium=sharefromsite&utm_source=gizmodo_facebook
It’s a bad day to be Zoom.
As Zoom’s stock price plunged amid promising news of a covid-19 vaccine development on Monday morning, the Federal Trade Commission announced a settlement with the video conferencing company over a “series of deceptive and unfair practices that undermined the security of its users.” The FTC hopes the settlement will send a warning to any companies making unfounded claims about user privacy and security.
The FTC said in a press release on Monday that since 2016, Zoom misled customers by falsely claiming it provided “end-to-end, 256-bit encryption” for its users’ video conferences. Instead, the FTC said, “it provided a lower level of security” that was not end-to-end encrypted at all.
The Intercept first uncovered Zoom’s misleading claims about end-to-end encryption in March. In October, the company began rolling out real end-to-end encryption to free and paid users.
https://www.ftc.gov/news-events/press-releases/2020/11/ftc-requires-zoom-enhance-its-security-practices-part-settlement
Tomi Engdahl says:
RansomEXX trojan variant is being deployed against Linux systems, warns Kaspersky
Inoculation is simple: MFA, regular timely patching
https://www.theregister.com/2020/11/09/linux_ransomware_kaspersky/
Tomi Engdahl says:
UK spy agency to launch offensive cyber operation against anti-vaccine propaganda
https://intelnews.org/2020/11/09/01-2900/
BRITAIN’S SIGNALS INTELLIGENCE AGENCY is preparing to launch a major offensive cyber operation against state-sponsored propaganda aimed at undermining research on the COVID-19 vaccine. According to the London-based Times newspaper, which published the information about the purported cyber operation, it will be aimed mostly against disinformation campaigns coming out of Russia.
The alleged disinformation campaigns appear to be targeting research taking place at Oxford University, which seeks to create an effective vaccine against the novel coronavirus. A main theme in these campaigns promotes the claim that the vaccine will turn those who take it into chimpanzees. Dozens of memes around this theme are said to have flooded Russian social media websites, with English-language translations making the rounds on Facebook, Twitter and Instagram.
Tomi Engdahl says:
Compal, the second-largest laptop manufacturer in the world, hit by ransomware
Compal factories build laptops for Apple, Acer, Lenovo, Dell, Toshiba, HP, and Fujitsu.
https://www.zdnet.com/article/compal-the-second-largest-laptop-manufacturer-in-the-world-hit-by-ransomware/
Tomi Engdahl says:
Hackers Can Grab Passwords By Watching Your Shoulders Move On Zoom
https://www.forbes.com/sites/daveywinder/2020/11/07/surprising-new-zoom-hacking-threat-revealed-what-users-need-to-know/
Tomi Engdahl says:
Gitpaste-12 Worm Targets Linux Servers, IoT Devices
https://threatpost.com/gitpaste-12-worm-linux-servers-iot-devices/161016/
The newly discovered malware uses GitHub and Pastebin to house component code, and harbors 12 different initial attack vectors.
Researchers have uncovered a new worm targeting Linux-based x86 servers, as well as Linux internet of things (IoT) devices (that are based on ARM and MIPS CPUs).
Of note, the malware utilizes GitHub and Pastebin for housing malicious component code, and has at least 12 different attack modules available – leading researchers to call it “Gitpaste-12.” It was first detected by Juniper Threat Labs in attacks on Oct. 15, 2020.
Tomi Engdahl says:
Ghimob Trojan Affects 153 Android Apps, Can Make Fraud Bank Transactions
https://www.msn.com/en-in/money/news/ghimob-trojan-affects-153-android-apps-can-make-fraud-bank-transactions/ar-BB1aUQRM?ocid=msedgntp
Cyber security experts have discovered a new Android banking trojan which is able to steal data from a total of 153 Android applications. Named ‘Ghimob’, the trojan spies mainly through banks, fintechs, cryptocurrencies and exchanges.
https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/
Tomi Engdahl says:
Reuters:
Sources: top US cybersecurity official Christopher Krebs told associates he expects to be fired, after CISA refused to delete content debunking election misinfo — WASHINGTON/SAN FRANCISCO (Reuters) – Top U.S. cybersecurity official Christopher Krebs has told associates he expects to be fired …
Exclusive: Top official on U.S. election cybersecurity tells associates he expects to be fired
https://www.reuters.com/article/us-usa-cyber-officials-exclusive-idUSKBN27S2YI
WASHINGTON/SAN FRANCISCO (Reuters) – Top U.S. cybersecurity official Christopher Krebs, who worked on protecting the election from hackers but drew the ire of the Trump White House over efforts to debunk disinformation, has told associates he expects to be fired, three sources familiar with the matter told Reuters.
Krebs, who heads the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), did not return messages seeking comment. CISA and the White House declined comment.
Separately, Bryan Ware, assistant director for cybersecurity at CISA, confirmed to Reuters that he had handed in his resignation on Thursday. Ware did not provide details, but a U.S. official familiar with his matter said the White House asked for Ware’s resignation earlier this week.
Krebs has drawn praise from both Democrats and Republicans for his handling of the election, which generally ran smoothly despite persistent fears that foreign hackers might try to undermine the vote.
But he drew the ire of the Trump White House over a website run by CISA dubbed “Rumor Control” which debunks misinformation about the election, according to the three people familiar with the matter.
White House officials have asked for content to be edited or removed which pushed back against numerous false claims about the election, including that Democrats are behind a mass election fraud scheme. CISA officials have chosen not to delete accurate information.
In particular, one person said, the White House was angry about a CISA post rejecting a conspiracy theory that falsely claims an intelligence agency supercomputer and program, purportedly named Hammer and Scorecard, could have flipped votes nationally. No such system exists, according to Krebs, election security experts and former U.S. officials.
Krebs has steadily shot down rumors of fraud in recent days, including retweeting leading election security expert Matt Blaze, who for years has warned of specific vulnerabilities in election gear, when the professor wrote that “no serious evidence has yet been found or presented that suggests that the 2020 election outcome in any state has been altered through technical exploitation.”
Tomi Engdahl says:
North Korean Hackers Used ‘Torisma’ Spyware in Job Offers-based Attacks
https://thehackernews.com/2020/11/north-korean-hackers-used-torisma.html
A cyberespionage campaign aimed at aerospace and defense sectors in order to install data gathering implants on victims’ machines for purposes of surveillance and data exfiltration may have been more sophisticated than previously thought.
The attacks, which targeted IP addresses belonging to internet service providers (ISPs) in Australia, Israel, Russia, and defense contractors based in Russia and India, involved a previously undiscovered spyware tool called Torisma to stealthily monitor its victims for continued exploitation.
Tomi Engdahl says:
Vulnerabilities in Ubuntu Desktop enabled root access in two simple steps
https://portswigger.net/daily-swig/vulnerabilities-in-ubuntu-desktop-enabled-root-access-in-two-simple-steps
Tomi Engdahl says:
Spying with Your Robot Vacuum Cleaner: Eavesdropping via Lidar Sensors [pdf]
https://www.cs.umd.edu/~nirupam/images/2_publication/papers/LidarPhone_SenSys20_nirupam.pdf
Tomi Engdahl says:
Dutch reporter hacks EU defense ministers’ meeting
https://www.dw.com/en/dutch-reporter-hacks-eu-defense-ministers-meeting/a-55682752
A Dutch journalist took advantage of a security blunder to hack into a video call with EU defense ministers. “I’m sorry for interrupting your conference, I’ll be leaving,” the reporter told the EU’s top diplomat.
The reporter, Daniel Verlaan, used information from a Twitter post by Dutch Defense Minister Ank Bijleveld. The minister had published a photo of herself working from home while taking part in the conference. The post includes a photo of the minister’s laptop screen with her EU counterparts visible. Another picture, which has since been removed, showed five digits of a six-digit pin needed to gain access to the call.
The video published by the broadcaster shows EU’s Josep Borrell asking “Who are you?” and noting the call has been “intercepted.”
Borrell then asked if the reporter was aware that he was “jumping into a secret conference,” as laughter is heard in the background.
“Yes, I’m sorry, I’m a journalist from the Netherlands,” Verlaan replied. “I’m sorry for interrupting your conference. I’ll be leaving here.”
Borrell then said the breach was a criminal offense, “So you better shut off quickly,” as the reporter replies with a “Yes. Bye, bye.”
It was not immediately clear if Verlaan would face legal consequences.
Dutch Prime Minister Mark Rutte has since reacted to the security blunder with a jab at his defense minister.
“This shows once again that ministers need to realize how careful you have to be with Twitter,” Rutte said in the Hague.
An official with the Dutch Defense Ministry described the incident as a “stupid mistake.”
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
GoDaddy confirms some of its staff fell for a social engineering scam, after hackers changed the email and DNS records for a number of crypto trading platforms — Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week.
GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services
https://krebsonsecurity.com/2020/11/godaddy-employees-used-in-attacks-on-multiple-cryptocurrency-services/
Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned.
The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters. In March, a voice phishing scam targeting GoDaddy support employees allowed attackers to assume control over at least a half-dozen domain names, including transaction brokering site escrow.com.
And in May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in Oct. 2019 that wasn’t discovered until April 2020.
This latest campaign appears to have begun on or around Nov. 13, with an attack on cryptocurrency trading platform liquid.com.
“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Kayamori said in a blog post. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”
Tomi Engdahl says:
Dutch journalist gatecrashes EU defence video conference
https://www.bbc.com/news/world-europe-55027641
A Dutch journalist managed to gatecrash a confidential video conference of EU defence ministers.
Daniel Verlaan of RTL Nieuws joined the meeting after the Dutch defence minister accidentally posted some of the login details on Twitter.
The visibly surprised technology reporter started waving once he realised he’d been let in.
“You know that you have been jumping into a secret conference?” EU foreign policy chief Josep Borrell said.
“Yes, yes. I’m sorry. I’m a journalist from the Netherlands. I’m sorry for interrupting your conference,” Mr Verlaan replied, to laughter from officials. “I’ll be leaving here.”
Tomi Engdahl says:
Botnets have been silently mass-scanning the internet for unsecured ENV files
Threat actors are looking for API tokens, passwords, and database logins usually stored in ENV files.
https://www.zdnet.com/article/botnets-have-been-silently-mass-scanning-the-internet-for-unsecured-env-files/#ftag=CAD-03-10abf5f
Tomi Engdahl says:
Attackers exploiting an array of Google Services, including Forms, Firebase, Docs and more to boost phishing and BEC campaigns.
A spike in recent phishing and business email compromise (BEC) attacks can be traced back to criminals learning how to exploit Google Services, according to research from Armorblox.
https://threatpost.com/google-services-weaponized-to-bypass-security-in-phishing-bec-campaigns/161467/
Tomi Engdahl says:
Fake Zoom invite cripples Aussie hedge fund with $8m hit
https://www.afr.com/companies/financial-services/fake-zoom-invite-cripples-aussie-hedge-fund-with-8m-hit-20201122-p56f9c?utm_medium=social&utm_campaign=nc&utm_source=Facebook#Echobox=1606073288
A Sydney hedge fund has collapsed after a cyber attack triggered by a fake Zoom invitation saw its trustee and administrator mistakenly approve $8.7 million in fraudulent invoices.
The scam, the latest in a series of strikes by offshore criminal gangs against Australian fund managers, has also ensnared ANZ
Tomi Engdahl says:
Major Power Outage in India Possibly Caused by Hackers: Reports
https://www.securityweek.com/major-power-outage-india-possibly-caused-hackers-reports
Authorities in India determined that a major power outage that occurred last month in Mumbai, the country’s largest city, may have been caused by hackers, according to reports.
The outage occurred in mid-October and it impacted the Mumbai metropolitan area, causing significant disruption to traffic management systems and trains. It took two hours to restore power just for essential services, and up to 12 hours to restore power in some of the affected areas.
Tomi Engdahl says:
Amazon Web Services outage takes a portion of the internet down with it
https://techcrunch.com/2020/11/25/amazon-web-services-outage-takes-a-portion-of-the-internet-down-with-it/?tpcc=ECFB2020
Tomi Engdahl says:
Prolonged AWS outage takes down a big chunk of the internet
AWS has been experiencing an outage for hours
https://www.theverge.com/2020/11/25/21719396/amazon-web-services-aws-outage-down-internet
Tomi Engdahl says:
Belgian security researcher hacks Tesla with Raspberry Pi
Belgian security researcher Lennert Wouters once again succeeds in hacking a Tesla vehicle, this time by exploiting the Bluetooth Low Energy standard
https://www.computerweekly.com/news/252492564/Belgian-security-researcher-hacks-Tesla-with-Raspberry-Pi
Tomi Engdahl says:
2FA bypass discovered in web hosting software cPanel
More than 70 million sites are managed via cPanel software, according to the company
https://www.zdnet.com/article/2fa-bypass-discovered-in-web-hosting-software-cpanel/
Tomi Engdahl says:
https://www.darkreading.com/theedge/how-ransomware-defense-is-evolving-with-ransomware-attacks/b/d-id/1339533
Tomi Engdahl says:
https://www.zdnet.com/article/drupal-sites-vulnerable-to-double-extension-attacks/
Tomi Engdahl says:
Hacking group exploits ZeroLogon in automotive, industrial attack wave
https://www.zdnet.com/article/cicada-hacking-group-exploits-zerologon-launches-new-backdoor-in-automotive-industry-attack-wave/
A massive campaign is underway around the globe, with automotive, pharmaceutical and engineering entities top targets.
Tomi Engdahl says:
Hacker posts exploits for over 49,000 vulnerable Fortinet VPNs
https://www.bleepingcomputer.com/news/security/hacker-posts-exploits-for-over-49-000-vulnerable-fortinet-vpns/
Tomi Engdahl says:
Trump fires director of Homeland Security agency who had rejected President’s election conspiracy theories
https://www.cnn.com/2020/11/17/politics/chris-krebs-fired-by-trump/index.html