Cyber security news February 2021

This posting is here to collect cyber security news in February 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

310 Comments

  1. Tomi Engdahl says:

    Criminals are phishing for online banking credentials using search results
    https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/rikolliset-kalastelevat-verkkopankkitunnuksia-hakutulosten-avulla
    Criminals have phished Finnish users' online banking credentials and
    transferred large sums from the victims' bank accounts. How is this
    possible when online banks use numerous security measures?
    In addition to the bank's own security measures, customers should
    continue to exercise caution when banking online.

  2. Tomi Engdahl says:

    Major Vulnerabilities discovered and patched in Realtek RTL8195A Wi-Fi
    Module
    https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/
    In a recent supply chain security assessment, Vdoo has analyzed
    multiple networking devices for security vulnerabilities and
    exposures. During the analysis we have discovered and responsibly
    disclosed six major vulnerabilities in Realtek’s RTL8195A Wi-Fi module
    that these devices were based on. An attacker that exploits the
    discovered vulnerabilities can gain remote root access to the Wi-Fi
    module, and from there very possibly hop to the application processor
    as well (as the attacker has complete control of the device’s wireless
    communications). The RTL8195 module is an extremely compact, low-power
    Wi-Fi module targeted at embedded devices. It has supported software
    from major vendors such as ARM, Samsung, Google, Amazon and more. For
    example, according to AWS it is used in a myriad of industries.

  3. Tomi Engdahl says:

    23M Gamer Records Exposed in VIPGames Leak
    https://threatpost.com/gamer-records-exposed-vipgames-leak/163352/
    The personal data of 66,000 users was left wide open on a
    misconfigured Elasticsearch server, joining a growing list of
    companies with leaky clouds. In this case, the site’s unprotected
    server leaked more than 30GB of data containing 23 million individual
    records, including usernames, emails, IP addresses, hashed passwords,
    Facebook, Twitter and Google IDs, bets and even data on players who
    were banned from the platform, WizCase said.

  4. Tomi Engdahl says:

    CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit)
    https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
    The Qualys Research Team has discovered a heap overflow vulnerability
    in sudo, a near-ubiquitous utility available on major Unix-like
    operating systems. Any unprivileged user can gain root privileges on a
    vulnerable host using a default sudo configuration by exploiting this
    vulnerability. Also:
    https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt.
    Also: https://www.sudo.ws/alerts/unescape_overflow.html

  5. Tomi Engdahl says:

    NAT Slipstreaming v2.0: New Attack Variant Can Expose All Internal
    Network Devices to The Internet
    https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/
    The new variant attack could allow attackers to bypass NATs &
    Firewalls and reach any unmanaged device within the internal network
    from the Internet.

  6. Tomi Engdahl says:

    Former LulzSec Hacker Releases VPN Zero-Day Used to Hack Hacking Team
    https://www.vice.com/en/article/dy85nz/former-lulzsec-hacker-releases-vpn-zero-day-used-to-hack-hacking-team
    A security researcher has released an exploit for SonicWall VPNs that
    was originally found by Phineas Fisher in 2015. Also:
    https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/.
    Also: https://www.cybersecurity-help.cz/blog/1892.html

  7. Tomi Engdahl says:

    Internet Protocol Next Header escape
    https://medium.com/sensorfu/internet-protocol-next-header-escape-248ab1574e7c
    In IPv6 header it’s called “Next Header” and in IPv4 header it’s just
    “Protocol”. This eight bit value contains information about what kind
    of content we can expect after the IP header. Usual suspect being a
    value for all familiar TCP, UDP and ICMP. But there’s also other
    familiar protocols like GRE and L2TP, and parts of bigger systems like
    IPSec. This header field deserved a closer look since my business is
    to make sure networks don’t leak, and we design escape tests for that
    purpose. There are a total of 256 possibilities to try out and this is
    exactly what our new escape does.

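Added example (not from the Medium post or its author): a small Python parser that reads the Protocol / Next Header byte from raw IPv4 and IPv6 headers and checks it against an egress allow list, which is the defender's side of the 256-value sweep described above. The allow list, the header builders and the protocol-name table are constructed for this example.

```python
import struct
from typing import Iterable, List, Tuple

# IANA protocol numbers for the protocols the post names (plus ESP/AH for IPsec).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH",
               58: "ICMPv6", 115: "L2TP"}

# Constructed egress policy: only these protocol numbers may leave the network.
ALLOWED_EGRESS = frozenset({1, 6, 17, 58})


def ip_protocol_field(packet: bytes) -> int:
    """Return the 8-bit Protocol (IPv4) or Next Header (IPv6) value of a packet."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        if len(packet) < 20:
            raise ValueError("truncated IPv4 header")
        return packet[9]          # IPv4: byte 9 is "Protocol"
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        return packet[6]          # IPv6: byte 6 is "Next Header"
    raise ValueError(f"not an IP packet (version nibble {version})")


def build_ipv4(proto: int) -> bytes:
    """Constructed 20-byte IPv4 header without options (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]))


def build_ipv6(next_header: int) -> bytes:
    """Constructed 40-byte IPv6 header with zeroed addresses."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       bytes(16), bytes(16))


def egress_violations(packets: Iterable[bytes],
                      allowed=ALLOWED_EGRESS) -> List[Tuple[int, str]]:
    """List (number, name) for every packet whose protocol is not on the allow list."""
    found = []
    for pkt in packets:
        proto = ip_protocol_field(pkt)
        if proto not in allowed:
            found.append((proto, PROTO_NAMES.get(proto, "other")))
    return found


def blocked_numbers(allowed=ALLOWED_EGRESS) -> List[int]:
    """All 256 possible field values minus the allow list: the set a filter must drop."""
    return [n for n in range(256) if n not in allowed]


if __name__ == "__main__":
    probe = [build_ipv4(6), build_ipv4(47), build_ipv6(115), build_ipv4(253)]
    print(egress_violations(probe))
    print(len(blocked_numbers()), "protocol numbers should be dropped at the edge")
```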
  8. Tomi Engdahl says:

    Report: Data Breach Exposed 323K Records Including Sensitive Court
    Files
    https://www.websiteplanet.com/blog/court-records-leak-report/
    On September 26th, 2020 the WebsitePlanet research team in cooperation
    with Security Researcher Jeremiah Fowler discovered a non-password
    protected database that contained over 323,277 court related records.
    Upon further investigation we noticed that the records were all
    related to Cook County, Illinois, the second most populous county in
    the United States after Los Angeles County.

  9. Tomi Engdahl says:

    Hacker leaks data of 2.28 million dating site users
    https://www.zdnet.com/article/hacker-leaks-data-of-2-28-million-dating-site-users/#ftag=RSSbaffb68
    Data belongs to dating site MeetMindful and includes everything from
    real names to Facebook account tokens, and from email addresses and
    geo-location information.

  10. Tomi Engdahl says:

    Malware found on laptops given out by government
    https://www.bbc.com/news/technology-55749959
    Some of the laptops given out in England to support vulnerable
    children home-schooling during lockdown contain malware, BBC News has
    learned.

  11. Tomi Engdahl says:

    SitePoint discloses data breach after stolen info used in attacks
    https://www.bleepingcomputer.com/news/security/sitepoint-discloses-data-breach-after-stolen-info-used-in-attacks/

    The SitePoint web professional community has disclosed a data breach after their user database was sold and eventually leaked for free on a hacker forum.

    At the end of December 2020, BleepingComputer learned of a data breach broker selling the user databases for 26 different companies. One of the databases was for SitePoint.com, which the broker stated contained one million user records.

    On January 26th, 2021, a threat actor known as ShinyHunters shared the database for Learnable.com for free on a hacker forum. The learnable.com domain redirects to the Sitepoint.com domain.

  12. Tomi Engdahl says:

    Plex Media servers are being abused for DDoS attacks
    Cyber-security firm Netscout warns of new DDoS attack vector.
    https://www.zdnet.com/article/plex-media-servers-are-being-abused-for-ddos-attacks/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks, security firm Netscout said in an alert on Wednesday.

    The company’s alert warns owners of devices that ship with Plex Media Server, a web application for Windows, Mac, and Linux that’s usually used for video or audio streaming and multimedia asset management.

    The app can be installed on regular web servers or usually ships with network-attached storage (NAS) systems, digital media players, or other types of multimedia-streaming IoT devices.

    Netscout says that when a server/device running a Plex Media Server app is booted and connected to a network, it will start a local scan for other compatible devices via the Simple Service Discovery Protocol (SSDP).

    The problem comes when a Plex Media Server discovers a local router that has SSDP support enabled. When this happens, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414.

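Added example (not from the ZDNet article or Netscout): detection logic in Python over constructed flow records that flags hosts receiving UDP replies from port 32414 on several PMSSDP servers, which is what the reflection traffic described above looks like from the victim's side of the network. The flow-record format and the internal prefixes are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# UDP port the Plex Media SSDP (PMSSDP) service ends up exposed on once the
# server has added a NAT forwarding rule to the router (from the Netscout alert).
PMSSDP_PORT = 32414

# Constructed: prefixes this network treats as "inside". Replies to these
# addresses are ordinary LAN discovery traffic and are ignored.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line: str) -> dict:
    """Parse a constructed one-line flow record: 'proto src:port > dst:port bytes'."""
    proto, src, arrow, dst, nbytes = line.split()
    if arrow != ">":
        raise ValueError(f"bad flow record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "bytes": int(nbytes)}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_pmssdp_reflection(lines: Iterable[str], min_bytes: int = 1000,
                           min_reflectors: int = 2) -> Dict[str, List[str]]:
    """Map each suspected victim address to the PMSSDP servers replying to it.

    A reflection victim receives UDP traffic *from* port 32414 on many hosts it
    never queried; a single reply to an internal address is normal discovery.
    """
    per_victim = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow["proto"] != "udp" or flow["src_port"] != PMSSDP_PORT:
            continue
        if is_internal(flow["dst_ip"]):
            continue
        entry = per_victim[flow["dst_ip"]]
        entry["bytes"] += flow["bytes"]
        entry["reflectors"].add(flow["src_ip"])
    return {victim: sorted(e["reflectors"]) for victim, e in per_victim.items()
            if e["bytes"] >= min_bytes and len(e["reflectors"]) >= min_reflectors}


# Constructed flow records: two exposed Plex servers replying to 203.0.113.5,
# one legitimate LAN discovery reply, one lone small reply, one unrelated TCP flow.
SAMPLE_FLOWS = [
    "udp 192.0.2.10:32414 > 203.0.113.5:80 1400",
    "udp 192.0.2.11:32414 > 203.0.113.5:80 1400",
    "udp 192.0.2.10:32414 > 203.0.113.5:80 1400",
    "udp 192.0.2.10:32414 > 192.168.1.20:53421 281",
    "udp 198.51.100.7:32414 > 203.0.113.9:443 300",
    "tcp 192.0.2.10:32400 > 203.0.113.5:55000 5000",
]

if __name__ == "__main__":
    for victim, reflectors in find_pmssdp_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {len(reflectors)} PMSSDP reflectors -> {reflectors}")
```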
  13. Tomi Engdahl says:

    It’s like everyone just decided to take a closer look at SolarWinds and have realized just HOW BAD THE CODE IS.

    This is beginning to remind me of the Openssl Valhalla rampage after Heartbleed…

    Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities
    https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-control-with-new-solarwinds-orion-based-and-serv-u-ftp-vulnerabilities/

    In this blog, I will be discussing three new security issues that I recently found in several SolarWinds products. All three are severe bugs with the most critical one allowing remote code execution with high privileges. To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any “in the wild” attacks. However, given the criticality of these issues, we recommend that affected users patch as soon as possible. We have purposely left out specific Proof of Concept (PoC) code in this post in order to give SolarWinds users a longer margin to patch but we will post an update to this blog that includes the PoC code on Feb. 9.

  14. Tomi Engdahl says:

    Copyright trolls are out in force around the world. And the pandemic is their perfect excuse
    https://cybernews.com/editorial/copyright-trolls-are-out-in-force-around-the-world/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=copyright_trolls&fbclid=IwAR1MoZwrdDcuz9tTe9j2QOX_U2bPxRBW3K8jdhn-W7mb4eLPrxIaHHElIm8

    Along with it, there’s also been a growth of notifications sent by copyright trolls seeking to get money from users who, in fear, end up not seeking their rights and paying immediately what these trolls demand. In many cases users are wrongly notified, IPs are poorly identified or in many cases it is virtually impossible to know exactly who actually downloaded the files illegally.

    The use of P2P sharing apps, such as those using the Torrent protocol, is not illegal – as in sharing personal files or files not protected by copyright. The situation becomes more complicated when file sharing of copyrighted material takes place.

    “There is no doubt that under US copyright law, sharing copyrighted works without the permission of the copyright owner is illegal,”

    Sag adds that “United States copyright law provides copyright owners with the option of statutory damages, and these damages can range from a minimum of $750 to an astounding maximum of $150,000 and it also allows for a successful copyright plaintiff to be reimbursed for their reasonable litigation expenses.”

    All of this, says Sag, “give[s] enormous ammunition to plaintiffs in file sharing cases to demand comparatively high settlements for comparatively minimal alleged infringement.” And this gives rise to what many have called Copyright Trolls, “actors that make a business out of copyright enforcement,”

    “A key difference between copyright trolls and other rights holders is that trolls actually want people to infringe the copyrights they hold, because that’s how they make their money—they typically aren’t the content creators themselves,” Gagliano explains.

    Issues with identification
    A big problem involved in the Copyright Troll’s actions and lawsuits is that it is hard to identify one specific user who has actually downloaded copyrighted material. This leads to awkward cases such as when RIAA sued a 66-year-old grandmother, Sarah Seabury Ward of Massachusetts, for illegally downloading over 2,000 songs in 2002. But her computer, a Macintosh, was not even compatible with the program she was accused of using, Kazaa.

    More recently, in 2019, a retired police officer in his 70’s was falsely accused of sharing several adult films using BitTorrent after his IP address was wrongly identified. In Brazil, over 70,000 people have received out-of-court settlements demanding compensation last year for downloading three blockbuster movies. And in Sweden, also last year, 42,800 people were targeted by copyright trolls for allegedly sharing files through torrent.

    “An IP address alone can’t tell you who downloaded a specific file

    “there are situations in which an IP leads to a machine at a certain time and place, but there is no record of who used the machine.”

    Copyright trolls’ methods are similar, but the laws of different countries vary enormously as to who can be held responsible for illegal downloads and how evidence can and should be obtained.

    due to cases of misidentification, “copyright trials tend to back off from these if the person gets a lawyer. So you don’t see this turn up in the court cases very much,”

    So, the copyright trolls’ tactics often resort to “threatening to sue for improbably high statutory damages figures as a way of extracting settlements,” says Gagliano.

    Other common tactics, she further explains are “Targeting large groups of anonymous defendants identified by IP address; using cookie-cutter, poorly substantiated litigation tactics to keep their costs down; and targeting vulnerable marks, such as individuals or nonprofits that can’t afford legal counsel.”

    To make things worse, “some trolls specifically focus their efforts on pornography downloads, using the threat of public embarrassment to help coerce settlements,” adds Gagliano.

    Badii comments that copyright trolls will tell you that “they want to protect the rights of the authors, that copyright is good for innovation and creativity! Some claim that they are protecting the Internet from dangerous materials, they argue they want to keep us safe.”

    But when they use such excuses, Badii notes, “I imagine Fake Gucci bags attacking the Internet.”

    In addition to the relentless pursuit of easy profit, the action of copyright trolls also aims to undermine decentralized networks and impose centralized governance on the Internet, where users’ privacy is lower, and it becomes easier to identify alleged offenders.

  15. Tomi Engdahl says:

    Accused Murderer Wins Right To Check Source Code of DNA Testing Kit
    https://m.slashdot.org/story/381636

    “A New Jersey appeals court has ruled that a man accused of murder is entitled to review proprietary genetic testing software to challenge evidence presented against him,” reports The Register.

  16. Tomi Engdahl says:

    They Stormed the Capitol. Their Apps Tracked Them.
    Times Opinion was able to identify individuals from a trove of leaked smartphone location data.
    https://www.nytimes.com/2021/02/05/opinion/capitol-attack-cellphone-data.html

    In 2019, a source came to us with a digital file containing the precise locations of more than 12 million individual smartphones for several months in 2016 and 2017. The data is supposed to be anonymous, but it isn’t. We found celebrities, Pentagon officials and average Americans.

    It became clear that this data — collected by smartphone apps and then fed into a dizzyingly complex digital advertising ecosystem — was a liability to national security, to free assembly and to citizens living mundane lives.

    Surrendering our privacy to the government would be foolish enough. But what is more insidious is the Faustian bargain made with the marketing industry, which turns every location ping into currency as it is bought and sold in the marketplace of surveillance advertising.

    Now, one year later, we’re in a very similar position. But it’s far worse.

    A source has provided another data set, this time following the smartphones of thousands of Trump supporters, rioters and passers-by in Washington, D.C., on January 6, as Donald Trump’s political rally turned into a violent insurrection. At least five people died because of the riot at the Capitol. Key to bringing the mob to justice has been the event’s digital detritus: location data, geotagged photos, facial recognition, surveillance cameras and crowdsourcing.

    The sacking of the Capitol was a shocking assault on the republic and an unwelcome reminder of the fragility of American democracy. But history reminds us that sudden events — Pearl Harbor, the Soviet Union testing an atomic bomb, the Sept. 11 attacks — have led to an overreach in favor of collective security over individual liberty that we’d later regret. And more generally, the data collected on Jan. 6 is a demonstration of the looming threat to our liberties posed by a surveillance economy that monetizes the movements of the righteous and the wicked alike.

    The data we were given showed what some in the tech industry might call a God-view vantage of that dark day. It included about 100,000 location pings for thousands of smartphones, revealing around 130 devices inside the Capitol exactly when Trump supporters were storming the building.
    The data presented here is a bird’s-eye view of an event that posed a clear and grave threat to our democracy. But it tells a second story as well: One of a broken, surreptitious industry in desperate need of regulation, and of a tacit agreement we’ve entered into that threatens our individual privacy. None of this data should ever have been collected.

    Smartphones tracked between 2 p.m. and 5 p.m. record the siege on the Capitol.

    “There is no way that my phone shows me in there,” he said. Yet it did.

    For all its appearance of omniscience, the data can be imprecise. In a situation such as the Capitol riot, exact locations matter. A few feet can be the difference between a participant who committed a serious crime and an onlooker.

    While some location data is accurate to within a few feet, other data is not. Location companies can work with data derived from GPS sensors, Bluetooth signals and other sources. The quality depends on the settings of the phone and whether it is connected to Wi-Fi or a cell tower. Issues like population and building density can sometimes play a role in the quality of the data.

    While the power and scope of this commercial surveillance come into sharp focus when we look at the specific time of the attack on the Capitol, it’s important to remember that it is recording the movements of millions of Americans all day, all night, all year, wherever they are.

    The data set Times Opinion examined shows how Trump supporters traveled from South Carolina, Florida, Ohio and Kentucky to the nation’s capital, with pings tracing neatly along major highways, in the days before the attack. Stops at gas stations, restaurants and motels dot the route like bread crumbs, each offering corroborating details.

    In many cases, these trails lead from the Capitol right back to their homes.

    In the hands of law enforcement, this data could be evidence. But at every other moment, the location data is reviewed by hedge funds, financial institutions and marketers, in an attempt to learn more about where we shop and how we live.

    Unlike the data we reviewed in 2019, this new data included a remarkable piece of information: a unique ID for each user that is tied to a smartphone. This made it even easier to find people, since the supposedly anonymous ID could be matched with other databases containing the same ID, allowing us to add real names, addresses, phone numbers, email addresses and other information about smartphone owners in seconds.

    The IDs, called mobile advertising identifiers, allow companies to track people across the internet and on apps. They are supposed to be anonymous, and smartphone owners can reset them or disable them entirely. Our findings show the promise of anonymity is a farce.

    We were quickly able to match more than 2,000 supposedly anonymous devices in the data set with email addresses, birthdays, ethnicities, ages and more.

    Smartphone users will never know if they are included in the data or whether their precise movements were sold. There are no laws forcing companies to disclose what the data is used for or for how long. There are no legal requirements to ever delete the data. Even if anyone could figure out where records of their locations were sold, in most states, you can’t request that the data be deleted.

    Their movements could be bought and sold to innumerable parties for years. And the threat that those movements could be tied back to their identity will never go away.

    If the Jan. 6 rioters didn’t know before, they surely know now the cost of leaving a digital footprint. Tip lines at the Federal Bureau of Investigation have been flooded for weeks in an effort to identify participants, and detectives in Miami and other police departments are using facial recognition software. Amateur investigators on TikTok, Instagram and other platforms have launched their own identification efforts.

    Law enforcement has used cellphone footage from the siege to identify participants. As of February 4, there were 181 federal cases pending against individuals involved in the Capitol Hill siege

    A leak of data from the social media platform Parler also helped investigators and journalists place rioters in the building, using posts that were geotagged with GPS location data. For some, like 38-year-old Oath Keepers member Jessica Watkins, there was no need for precise location data. Her words tell the story: “Yeah. We stormed the Capitol today. Teargassed, the whole, 9. Pushed our way into the Rotunda. Made it into the Senate even,” she wrote on Parler.

    Which is to say that law enforcement may not need this data. But as a recent New York Times report shows, military agencies use these data sets — without a warrant, no less. How? They purchase it. Because we have seen what’s in the data, that revelation is deeply troubling.

    While some Americans might cheer the use of location databases to identify Trump supporters who converged on the Capitol, the use of commercial databases has worrying implications for civil liberties. The American criminal justice system is set up for a judge or jury to determine whether, in fact, Ronnie Vincent broke any laws on Jan. 6. But the data leads us directly to him

    the larger surveillance ecosystem that he — and all of us — are trapped in.

    The location-tracking industry exists because those in power allow it to exist. Plenty of Americans remain oblivious to this collection through no fault of their own. But many others understand what’s happening and allow it anyway. They feel powerless to stop it or were simply seduced by the conveniences afforded in the trade-off. The dark truth is that, despite genuine concern from those paying attention, there’s little appetite to meaningfully dismantle this advertising infrastructure that undergirds unchecked corporate data collection.

    This collection will only grow more sophisticated.

  17. Tomi Engdahl says:

    Hackers post detailed patient medical records from two hospitals to
    the dark web
    https://www.nbcnews.com/tech/security/hackers-post-detailed-patient-medical-records-two-hospitals-dark-web-n1256887
    The files, which number in at least the tens of thousands, include
    patients' personal identifying information.

  18. Tomi Engdahl says:

    They Stormed the Capitol. Their Apps Tracked Them.
    https://www.nytimes.com/2021/02/05/opinion/capitol-attack-cellphone-data.html
    Times Opinion was able to identify individuals from a trove of leaked
    smartphone location data.

  19. Tomi Engdahl says:

    Industrial Networks See Sharp Uptick in Hackable Security Holes
    https://threatpost.com/industrial-networks-hackable-security-holes/163708/
    Claroty reports that adversaries, CISOs and researchers have all
    turned their attention to finding critical security bugs in ICS
    networks. The report analyzed all publicly disclosed vulnerabilities
    in ICS networks in the second half of 2020 and found a nearly 33
    percent increase in ICS disclosures over 2018, both from organizations
    like Claroty and from independent researchers. Report:
    https://security.claroty.com/biannual-ics-risk-vulnerability-report-2H-2020

  20. Tomi Engdahl says:

    Hacked by SolarWinds backdoor masterminds, Mimecast now lays off staff
    after profit surge
    https://www.theregister.com/2021/02/07/in_brief_security/
    Plus: British Mensa in data leak blunder, DARPA are Star Wars fans,
    Sonicwall patch out, and more. Email security biz Mimecast not only
    fell victim to the SolarWinds hackers, leading to its own customers
    being attacked, it is also trimming its workforce amid healthy
    profits.

  21. Tomi Engdahl says:

    Barcode Scanner app on Google Play infects 10 million users with one
    update
    https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google-play-infects-10-million-users-with-one-update/
    After an update in December, Barcode Scanner had gone from an innocent
    scanner to full on malware! Although Google has already pulled this
    app, we predict from a cached Google Play webpage that the update
    occurred on December 4th, 2020.

  22. Tomi Engdahl says:

    Ziggy ransomware shuts down and releases victims’ decryption keys
    https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/
    The Ziggy ransomware operation has shut down and released the victims’
    decryption keys after concerns about recent law enforcement activity
    and guilt for encrypting victims.

  23. Tomi Engdahl says:

    A Swiss Company Says It Found Weakness That Imperils Encryption
    https://www.bloombergquint.com/onweb/a-swiss-company-says-it-found-weakness-that-imperils-encryption
    Now, a Swiss technology company says it has made a breakthrough by
    using quantum computers to uncover vulnerabilities in commonly used
    encryption. The company believes it’s found a security weakness that
    could jeopardize the confidentiality of the world’s internet data,
    banking transactions and emails. The company said that its research
    found vulnerabilities that affect symmetric encryption ciphers,
    including the Advanced Encryption Standard, or AES, which is widely
    used to secure data transmitted over the internet and to encrypt
    files. Using a method known as quantum annealing, the company said its
    research found that even the strongest versions of AES encryption may
    be decipherable by quantum

  24. Tomi Engdahl says:

    UK military used malware to disrupt extremist networks
    https://www.itpro.co.uk/security/malware/358550/uk-general-reveals-military-use-of-malware-against-isis

    Experts cite WannaCry with warnings that hacking tools have the potential for severe collateral damage

    Using malware as a deterrent, disrupting extremist networks and remotely disabling devices are just some of the ways the UK is fighting on the cyber front lines, the head of the country’s strategic command has revealed.

    General Sir Patrick Sanders discussed the UK’s cyber offensive capabilities on the Sky News podcast Into The Grey Zone, which also featured insight from Jeremy Fleming, the director of GCHQ.

    The UK’s military has previously suggested the use of ‘cyber offensives’, but this is the first time it has publicly discussed it.

    “I think it sends a really strong signal that we and our allies were not going to leave cyberspace as an uncontested place,” Fleming said to Sky News.

    “We have to defend it. We have to make sure it’s as secure as possible. We have to make sure that it is still underpinning our commerce, our economy, our society and our communities. But equally, when adversaries like Daesh (Islamic State) overstep the line, then they need to expect us to contest it, too.”

    As part of its cyber campaign, the UK military targeted mobile phones and laptops, devices that Isis extremists used to communicate with their contacts on the ground.

    The UK also launched malware against computer servers in various countries around the world to shut down Isis accounts, delete and distort information on their files, and also to remove online posts and videos. It is thought that US cyber operators were also involved in these efforts.

    The ‘Friendly’ use of malware by the UK military should come as no surprise to anyone

    “Cyber conflict is asymmetrical and it is much easier to attack than to defend. The rules of conventional warfare do not apply to cyber and states must strive for good defence, not just good offence.”

  25. Tomi Engdahl says:

    New phishing attack uses Morse code to hide malicious URLs
    https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/

    A new targeted phishing campaign includes the novel obfuscation technique of using Morse code to hide malicious URLs in an email attachment

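Added example (not from the BleepingComputer article): a Python checker that finds long Morse runs in attachment text, decodes them and reports any run that decodes to something URL-shaped, which is the detection-side counterpart of the obfuscation described above. The attachment fragment and the encoding table are constructed for the demo.

```python
import re
from typing import List

# International Morse table for the characters that can occur in a URL.
# Constructed for this example; it is not the table used by the campaign.
MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "-..-.": "/", "---...": ":", "-....-": "-", "..--.-": "_",
    ".--.-.": "@", "..--..": "?", "-...-": "=",
}

# A "run" is at least eight space-separated groups of dots and dashes. Ordinary
# prose or script never produces that many in a row, so the pattern is cheap to
# apply to the text of an attachment.
MORSE_RUN = re.compile(r"(?:[.\-]{1,7} ){7,}[.\-]{1,7}")

# What a decoded run must look like before it is reported as a hidden URL.
URL_HINT = re.compile(r"https?://|www\.|\.[a-z]{2,}/")


def decode_morse(run: str) -> str:
    """Decode one space-separated Morse run; unknown groups become '?'."""
    return "".join(MORSE.get(group, "?") for group in run.split())


def find_hidden_urls(text: str) -> List[str]:
    """Return the decoding of every Morse run in `text` that looks like a URL."""
    hits = []
    for match in MORSE_RUN.finditer(text):
        decoded = decode_morse(match.group(0))
        if URL_HINT.search(decoded):
            hits.append(decoded)
    return hits


# Constructed attachment fragment: a script that decodes a Morse string at
# runtime instead of carrying the destination in the clear.
SAMPLE_ATTACHMENT = (
    "<html><body><script>\n"
    "var u = morse('.... - - .--. ... ---... -..-. -..-. . -..- .- -- .--. .-.. . .-.-.- -. . - -..-. .-.. --- --. .. -.');\n"
    "window.location = u;\n"
    "</script></body></html>\n"
)

if __name__ == "__main__":
    for url in find_hidden_urls(SAMPLE_ATTACHMENT):
        print("hidden URL:", url)
```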
  26. Tomi Engdahl says:

    Hackers try to contaminate Florida town’s water supply through computer breach
    https://www.reuters.com/article/us-usa-cyber-florida-idUSKBN2A82FV

    (Reuters) – Hackers broke into the computer system of a facility that treats water for about 15,000 people near Tampa, Florida and sought to add a dangerous level of additive to the water supply, the Pinellas County Sheriff said on Monday.

    The attempt on Friday was thwarted. The hackers remotely gained access to a software program, named TeamViewer, on the computer of an employee at the facility for the town of Oldsmar to gain control of other systems, Sheriff Bob Gualtieri said in an interview.

    “The guy was sitting there monitoring the computer as he’s supposed to and all of a sudden he sees a window pop up that the computer has been accessed,” Gualtieri said. “The next thing you know someone is dragging the mouse and clicking around and opening programs and manipulating the system.”

    The hackers then increased the amount of sodium hydroxide, also known as lye, being distributed into the water supply. The chemical is typically used in small amounts to control the acidity of water, but at higher levels is dangerous to consume.

    The plant employee alerted his employer, who called the sheriff. The water treatment facility was able to quickly reverse the command, leading to minimal impact.

    “The important thing is to put everyone on notice,” he said. “This should be a wake-up call.”

  27. Tomi Engdahl says:

    Police Investigating After Hacker Tried to Poison Florida City’s Water Supply
    https://www.complex.com/life/police-claim-hacker-tried-to-poison-florida-citys-water-supply

    On Monday officials in Pinellas County, Florida held a press conference in which they made an announcement that an unidentified hacker had remotely gotten into a panel that controls the water treatment system for the city of Oldsmar, and then greatly bumped up the amount of sodium hydroxide (a.k.a. lye) in the water supply. 

    Pinellas County Sheriff Bob Gualtieri said that the increase was spotted by an operator who then reversed it. Per his claim, the hacker made a dramatic increase by changing the amount of the hydroxide from “one hundred parts per million, to 11,100 parts per million.”

    Small amounts of sodium hydroxide are added to the drinking water supplies of some cities to bump up pH levels, and to keep pipes from becoming corroded.

    Gualtieri added that the levels inputted by the hacker are “dangerous.” Let us note here that, if large amounts of it are ingested, lye can be deadly. 

    Gualtieri was asked if this hacker’s attempt should be counted as bioterrorism, to which he remained impartial. Instead he went with the call-it-whatever-you-want-but-this-is-what-happened-route.

    “What it is is someone hacked into the system not just once but twice … opened the program and changed the levels from 100 to 11,100 parts per million with a caustic substance,” he said, according to Vice. “So, you label it however you want, those are the facts.”

    “The person who remotely accessed the system for about three to five minutes, opening various functions on the screen,” Gualtieri added. “One of the functions opened by the person hacking into the system was one that controls the amount of sodium hydroxide in the water.”

    Very important (especially on the off-chance you’re a resident) nothing actually happened to the water at that time. For those wondering what would’ve occurred if the operator missed the change, it was reported that several additional fail-safes and alarms were in place. 

    “The intruder exited the system, and the plant operator immediately reduced the level back to the appropriate amount of one hundred,” said Gualtieri. He also added that steps were taken to prevent further remote access. 

  28. Tomi Engdahl says:

    I’m not drinking TeamViewer anymore.. zoom!

    Someone tried to poison a Florida city by hijacking its water treatment plant via TeamViewer, says sheriff
    https://www.theregister.com/AMP/2021/02/09/florida_water_hacked/?__twitter_impression=true

    Attempt to flood supply with sodium hydroxide thwarted, safeguards would have kicked in anyway, we’re told

    The sheriff of a small city in Florida warned on Monday that hackers had tried to poison its water.

    Pinellas County Sheriff Bob Gualtieri said Oldsmar’s water treatment system, which serves roughly 15,000 people, was accessed, presumably over the internet, by someone who had hoped to flood the supply with levels of sodium hydroxide more than 100 times the normal amount.

    The miscreant gained access to remote-control software TeamViewer that was running on a PC at the plant, the sheriff told Reuters, and used that machine to ultimately attempt to jack up the levels of sodium hydroxide.

    Fortunately, a staffer who was also working remotely spotted the concentration of the chemical being increased, we’re told, and immediately reversed the change.

    The cyber-break-in did worry officials enough to call a press conference, where they outlined the information they currently have while stressing that there are other safeguards that would have prevented high levels of sodium hydroxide from entering the main water supply.

    It would have taken more than a day for the adulterated water to enter the public’s water system, we’re told, during which time the plant would have caught the disparity. “The public was never in danger,”

    https://m.youtube.com/watch?v=MkXDSOgLQ6M

  29. Tomi Engdahl says:

    In Florida, a near-miss with a cybersecurity worst-case scenario
    https://www.nbcnews.com/tech/security/florida-near-miss-cybersecurity-worst-case-scenario-n1257091

    A hacker broke into a Florida water treatment plant and ordered it to increase the amount of lye to extremely dangerous levels, officials said.

    A hacker broke into a Florida water treatment plant and ordered it to increase the amount of lye in the water to extremely dangerous levels, officials said Monday.

    The plant operators noticed and remedied their systems before anyone was put in danger, but the event highlights the risks of internet-connected controls to civic infrastructure.

  30. Tomi Engdahl says:

    February 08, 2021 – 05:25 PM EST
    Hackers breach, attempt to poison Florida city’s water supply
    https://thehill.com/policy/cybersecurity/537890-hackers-breach-attempt-to-poison-florida-citys-water-supply

    Officials said Monday that a hacker had breached and attempted to poison the water supply for the city of Oldsmar, Fla., last week, but had been unsuccessful.

    Pinellas County, Fla., Sheriff Bob Gualtieri announced at a press conference Monday that the hacker had gained control of the operating system at the city’s water treatment facility and had attempted to increase the amount of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million.

    “This is obviously a significant and potentially dangerous increase,” Gualtieri told reporters. “Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It is used to control water acidity and remove metals from drinking water in water treatment plants.”

  31. Tomi Engdahl says:

    CD Projekt hit by ransomware attack, refuses to pay ransom
    https://techcrunch.com/2021/02/09/cd-projekt-red-hit-by-ransomware-attack-refuses-to-pay-ransom/?tpcc=ECFB2021

    Polish video game maker CD Projekt, which makes Cyberpunk 2077 and The Witcher, has confirmed it was hit by a ransomware attack.

    In a statement posted to its Twitter account, the company said it will “not give in nor negotiate” with the hackers, saying it has backups in place. “We have already secured our IT infrastructure and begun restoring data,” the company said.

    According to the ransom note, the hackers said they would release the company’s stolen source code and other internal files if it did not pay the ransom, since the company would “most likely recover from backups.”

  32. Tomi Engdahl says:

    CD Projekt Red ‘EPICALLY pwned’: Cyberpunk 2077 dev publishes ransom note after company systems encrypted
    Hackers threaten to release source and docs, but games giant isn’t playing ball
    https://www.theregister.com/2021/02/09/cd_projekt_red_hack/

  33. Tomi Engdahl says:

    Hackers tried poisoning town after breaching its water facility
    https://www.bleepingcomputer.com/news/security/hackers-tried-poisoning-town-after-breaching-its-water-facility/
    A hacker gained access to the water treatment system for the city of
    Oldsmar, Florida, and attempted to increase the concentration of
    sodium hydroxide (NaOH), also known as lye and caustic soda, to
    extremely dangerous levels.
    Recommendations Following the Oldsmar Water Treatment Facility Cyber
    Attack
    https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/
    The case is evolving and details are ongoing but this blog is intended
    to share what’s known currently with some defensive recommendations.

  34. Tomi Engdahl says:

    Web hosting provider shuts down after cyberattack
    https://www.zdnet.com/article/web-hosting-provider-shuts-down-after-cyber-attack/
    Two other UK web hosting providers also suffered similar hacks over
    the weekend, although it’s unconfirmed if the attacks are related. A
    web hosting company named No Support Linux Hosting announced today it
    was shutting down after a hacker breached its internal systems and
    compromised its entire operation.

  35. Tomi Engdahl says:

    Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track
    You Online
    https://www.vice.com/en/article/n7v5y7/browser-favicons-can-be-used-as-undeletable-supercookies-to-track-you-online
    Favicons can break through incognito mode, VPNs, and Pi-holes to track
    your movement online

  36. Tomi Engdahl says:

    CD PROJEKT RED gaming studio hit by ransomware attack
    https://www.bleepingcomputer.com/news/security/cd-projekt-red-gaming-studio-hit-by-ransomware-attack/
    CD PROJEKT RED, the video game development studio behind Cyberpunk
    2077 and The Witcher trilogy, has disclosed a ransomware attack that
    impacted its network. The attackers claim in the ransom note left on
    CD PROJEKT RED’s encrypted systems that they were able to steal the
    full source code of Cyberpunk 2077, the Witcher 3, Gwent, as well as
    for an unreleased Witcher 3 version.

    HelloKitty ransomware behind CD Projekt Red cyberattack, data theft
    https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-behind-cd-projekt-red-cyberattack-data-theft/
    The ransomware attack against CD Projekt Red was conducted by a
    ransomware group that goes by the name ‘HelloKitty,’ and yes, that’s
    the name the threat actors utilize.

  37. Tomi Engdahl says:

    Scammers use Google search results as a route into your online bank: here is
    how to protect yourself
    https://www.tivi.fi/uutiset/tv/94fc74fb-dff0-4fe3-a13c-c78ee320f681
    Criminals can transfer even large sums of money from bank accounts if the
    target of the scam is not alert. Scammers are now using fake sites that
    imitate online banks, to which victims are led through the search results
    of search engines such as Google and Bing.

  38. Tomi Engdahl says:

    Researcher hacks Microsoft, Apple, more in novel supply chain attack
    https://www.bleepingcomputer.com/news/security/researcher-hacks-microsoft-apple-more-in-novel-supply-chain-attack/
    A researcher managed to breach over 35 major companies’ internal
    systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp,
    Tesla, and Uber, in a novel software supply chain attack. The attack
    leveraged a unique design flaw of the open-source ecosystems called
    dependency confusion. Birsan noticed some of the manifest file
    packages were not present on the public npm repository but were
    instead PayPal’s privately created npm packages, used and stored
    internally by the company.

  39. Tomi Engdahl says:

    Shocked I tell you… Shocked!

    North Korean hackers stole more than $300 million to pay for nuclear weapons, says confidential UN report
    https://edition.cnn.com/2021/02/08/asia/north-korea-united-nations-report-intl-hnk/index.html

    New York (CNN) North Korea’s army of hackers stole hundreds of millions of dollars throughout much of 2020 to fund the country’s nuclear and ballistic missile programs in violation of international law, according to a confidential United Nations report.

    The document accused the regime of leader Kim Jong Un of conducting “operations against financial institutions and virtual currency exchange houses” to pay for weapons and keep North Korea’s struggling economy afloat.

  40. Tomi Engdahl says:

    A researcher managed to breach over 35 major companies’ internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel software supply chain attack.
    The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into the company’s internal applications.
    https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/

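The two posts above describe dependency confusion: a build pulls an internal package name from a public registry because nothing ties that name to the private registry. The check below is an added example written for this page, not code from Birsan or from any of the companies named; it assumes the organisation keeps a list of its internal package names (`INTERNAL_NAMES` here is constructed) and audits `package.json` together with `.npmrc` for the three conditions that make the substitution possible: an unscoped internal name, a scope that is not pinned to a private registry, and a version range instead of an exact pin. The manifest and `.npmrc` content are constructed sample input.

```python
"""Audit an npm manifest for dependency-confusion exposure (constructed example)."""
import json
import re
from typing import Dict, List, Set

# "@scope/name" per npm naming rules; group(1) is the scope without the "@".
SCOPED_NAME = re.compile(r"^@([a-z0-9][a-z0-9._-]*)/[a-z0-9][a-z0-9._-]*$")
# An exact semver pin ("2.0.0"); anything else ("^1.2.0", "~1.0", "*") is a range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def parse_npmrc_scopes(npmrc: str) -> Dict[str, str]:
    """Return scope -> registry URL from lines such as '@acme:registry=https://...'."""
    scopes: Dict[str, str] = {}
    for raw in npmrc.splitlines():
        line = raw.strip()
        if line.startswith("@") and ":registry=" in line:
            scope, url = line.split(":registry=", 1)
            scopes[scope[1:]] = url.strip()
    return scopes


def audit_manifest(manifest_json: str, npmrc: str, internal_names: Set[str]) -> List[Dict[str, str]]:
    """Flag every internal dependency that a public registry could satisfy instead."""
    manifest = json.loads(manifest_json)
    scopes = parse_npmrc_scopes(npmrc)
    findings: List[Dict[str, str]] = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name not in internal_names:
                continue  # public packages are out of scope for this check
            match = SCOPED_NAME.match(name)
            if match is None:
                findings.append({"name": name, "section": section,
                                 "issue": "unscoped internal name: resolvable from the public registry"})
            elif match.group(1) not in scopes:
                findings.append({"name": name, "section": section,
                                 "issue": f"scope @{match.group(1)} is not pinned to a private registry in .npmrc"})
            if not EXACT_VERSION.match(spec):
                findings.append({"name": name, "section": section,
                                 "issue": f"version spec {spec!r} is a range; pin exactly and commit a lockfile"})
    return findings


# Constructed sample input: one unscoped internal package, two under a pinned scope,
# one under a scope the .npmrc never maps to the private registry.
SAMPLE_MANIFEST = json.dumps({
    "name": "acme-web",
    "dependencies": {
        "express": "^4.17.1",
        "acme-internal-logger": "^1.2.0",
        "@acme/auth-client": "2.0.0",
        "@acme/metrics": "^1.0.0",
        "@legacy/billing": "3.1.0",
    },
})
SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n@acme:registry=https://npm.internal.example/\n"
INTERNAL_NAMES = {"acme-internal-logger", "@acme/auth-client", "@acme/metrics", "@legacy/billing"}


def run_sample() -> List[Dict[str, str]]:
    """Audit the constructed manifest; returns four findings on three packages."""
    return audit_manifest(SAMPLE_MANIFEST, SAMPLE_NPMRC, INTERNAL_NAMES)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['section']}: {finding['name']}: {finding['issue']}")
```

The list of internal names is the part that needs organisational input; the registry can say which names exist, but only the organisation knows which of them must never come from outside. Running this in CI on every manifest change catches the unscoped name before a build ever asks the public registry for it.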
  41. Tomi Engdahl says:

    Hackers Begin Sharing Internal CD Projekt Red Data Publicly
    Files for multiple versions of CDPR’s card game ‘Gwent’ are now being shared online
    https://www.vice.com/en/article/qjpapp/hackers-release-cdpr-data-gwent

    Earlier this week, Cyberpunk 2077 and Witcher 3 developer CD Projekt Red (CDPR) announced hackers had targeted the company and attempted to hold it to ransom. Now, someone in possession of the data has leaked at least some of it online publicly.

    The news shows not only the risk that video game studios face from hackers, but also the continuing trend of hackers not only deploying ransomware to lock target machines for payment, but also threaten, and follow through with, the leaking of data.

  42. Tomi Engdahl says:

    Breached water plant employees used the same TeamViewer password and no firewall
    Shortcomings illustrate the lack of security rigor in critical infrastructure environments.
    https://arstechnica.com/information-technology/2021/02/breached-water-plant-employees-used-the-same-teamviewer-password-and-no-firewall/

    The Florida water treatment facility whose computer system experienced a potentially hazardous computer breach last week used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees, government officials have reported.

    The computer intrusion happened last Friday in Oldsmar, a Florida city of about 15,000 that’s roughly 15 miles northwest of Tampa. After gaining remote access to a computer that controlled equipment inside the Oldsmar water treatment plant, the unknown intruder increased the amount of sodium hydroxide—a caustic chemical better known as lye—by a factor of 100. The tampering could have caused severe sickness or death had it not been for safeguards the city has in place.

    Beware of lax security

    According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system. What’s more, the computer had no firewall installed and used a password that was shared among employees for remotely logging into city systems with the TeamViewer application.

    The revelations illustrate the lack of security rigor found inside many critical infrastructure environments. In January, Microsoft ended support for Windows 7, a move that ended security updates for the operating system. Windows 7 also provides fewer security protections than Windows 10. The lack of a firewall and a password that was the same for each employee are also signs that the department’s security regimen wasn’t as tight as it could have been.

    Christopher Krebs, the former head of the Cybersecurity and Infrastructure Security Agency, reportedly told a House of Representatives Homeland Security committee on Wednesday that the breach was “very likely” the work of “a disgruntled employee.”

    City officials said residents were never in danger, because the change was quickly detected and reversed. Even if the change hadn’t been reversed, the officials said, treatment plant personnel have redundancies in place to catch dangerous conditions before water is delivered to homes and businesses.

    Hack exposes vulnerability of cash-strapped US water plants
    https://apnews.com/article/water-utilities-florida-coronavirus-pandemic-utilities-882ad1f6e9f80c053ef5f88a23b840f4

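The Oldsmar reports above all turn on one detail: a remote session on the HMI computer could type 11,100 where 100 belonged, and only an operator watching the mouse move stopped it. The guard below is an added example written for this page, not code from the plant, the sheriff’s office or any vendor; it shows the kind of setpoint validation that belongs in the controller rather than on the Windows desktop, so that a compromised remote-desktop session cannot push the dosing setpoint outside engineering limits or jump it by more than a permitted step. The limit values, actor names and the replayed sequence are constructed for illustration and are not the plant’s real parameters.

```python
"""Setpoint guard for a chemical dosing loop (constructed example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class DosingLimits:
    """Engineering limits for one chemical feed, fixed by the plant, not editable from the HMI."""
    low_ppm: float        # below this the water is under-treated
    high_ppm: float       # above this the water must not be distributed
    max_step_ppm: float   # largest change a single operator action may make


@dataclass
class SetpointGuard:
    """Validates every requested setpoint change before it reaches the dosing pump.

    Each request, accepted or rejected, goes to an audit trail so that a change
    made through a remote session is visible to operators even when it was blocked.
    """
    limits: DosingLimits
    current_ppm: float
    audit: List[str] = field(default_factory=list)

    def request_change(self, new_ppm: float, actor: str) -> bool:
        reasons = []
        if not (self.limits.low_ppm <= new_ppm <= self.limits.high_ppm):
            reasons.append(
                f"outside engineering limits {self.limits.low_ppm:g}-{self.limits.high_ppm:g} ppm")
        step = abs(new_ppm - self.current_ppm)
        if step > self.limits.max_step_ppm:
            reasons.append(f"step of {step:g} ppm exceeds max step {self.limits.max_step_ppm:g} ppm")
        if reasons:
            self.audit.append(
                f"REJECTED {actor}: {self.current_ppm:g} -> {new_ppm:g} ppm ({'; '.join(reasons)})")
            return False
        self.audit.append(f"APPLIED {actor}: {self.current_ppm:g} -> {new_ppm:g} ppm")
        self.current_ppm = new_ppm
        return True


def replay_incident() -> SetpointGuard:
    """Constructed scenario: a legitimate 10 ppm adjustment from the console, then the
    100 -> 11,100 ppm jump the Oldsmar reports describe, issued from a remote session."""
    limits = DosingLimits(low_ppm=50.0, high_ppm=200.0, max_step_ppm=25.0)  # illustrative values
    guard = SetpointGuard(limits, current_ppm=100.0)
    guard.request_change(110.0, actor="operator@hmi-console")
    guard.request_change(11100.0, actor="remote-desktop-session")
    return guard


if __name__ == "__main__":
    for entry in replay_incident().audit:
        print(entry)
```

The point of the split is where the check runs: limits enforced inside the PLC or safety controller survive a takeover of the HMI PC, whereas a range check in the TeamViewer-exposed desktop application falls with it. The audit line for the rejected request is also the detection signal the reports say was missing, a concrete event to alarm on instead of relying on someone noticing the cursor move.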
  43. Tomi Engdahl says:

    Can you even call this a hack?

    Turns out that Florida water treatment facility left the doors wide open for hackers
    Can you even call this a hack?
    https://www.theverge.com/2021/2/10/22277300/florida-water-treatment-chemical-tamper-teamviewer-shared-password

    By now, you’ve probably heard the theoretically scary story of how hackers managed to infiltrate the computer systems at a water treatment plant in Oldsmar, Florida and remotely control the chemical levels — but it turns out that description gives the hackers far, far too much credit.

    The reality? The water treatment plant itself left off-the-shelf remote control software on these critical computers — and apparently never, ever bothered to change the password.

    An official cybersecurity advisory about the incident from the state of Massachusetts (via Ars Technica) explains that the SCADA control system was accessed via TeamViewer, the kind of remote desktop application an IT administrator might roll out to remotely troubleshoot computers — not something you’d generally want hooked up to a critical system. More importantly, and here I will just quote the Massachusetts report verbatim:

  44. Tomi Engdahl says:

    Following Oldsmar attack, FBI warns about using TeamViewer and Windows
    7
    https://www.zdnet.com/article/following-oldsmar-attack-fbi-warns-about-using-teamviewer-and-windows-7/
    An FBI alert sent on Tuesday warns companies about the use of
    out-of-date Windows 7 systems, poor account passwords, and desktop
    sharing software TeamViewer.

  45. Tomi Engdahl says:

    North Korean attacks on crypto exchanges reportedly netted $316m in
    two years
    https://www.theregister.com/2021/02/10/north_korea_cryptocurrency/
    United Nations sanctions made silly by sloppy security. North Korean
    attacks on crypto exchanges reportedly netted an estimated $316m in
    cryptocurrency in 2019 and 2020, according to a report by Japan’s
    Nikkei.

  46. Tomi Engdahl says:

    Adobe patches wave of critical bugs in Magento, Acrobat, Reader
    https://www.zdnet.com/article/adobe-patches-wave-of-critical-bugs-in-magento-acrobat-reader/
    Some of the vulnerabilities were reported through a hacking contest.

  47. Tomi Engdahl says:

    SIM hijackers arrested after stealing millions from US celebrities
    https://www.bleepingcomputer.com/news/security/sim-hijackers-arrested-after-stealing-millions-from-us-celebrities/
    Ten men part of a criminal gang involved in series of SIM swapping
    attacks targeting high-profile victims in the United States were
    arrested in the UK, Malta, and Belgium.

