Cyber Security January 2018

This posting is here to collect security alert news in January 2018.

I post links to security vulnerability news in the comments of this article.

80 Comments

  1. Tomi Engdahl says:

    Hawaii Panics After Alert About Incoming Missile Is Sent in Error
    https://mobile.nytimes.com/2018/01/13/us/hawaii-missile.html

    An early-morning emergency alert mistakenly warning of an incoming ballistic missile attack was dispatched to cellphones across Hawaii on Saturday.

    The alert, sent by the Hawaii Emergency Management Agency, was revoked 38 minutes after it was issued, prompting confusion over why it was released — and why it took so long to rescind.

    Officials said the alert was the result of human error and not the work of hackers or a foreign government.

  2. Tomi Engdahl says:

    January 12, 2018 | Business Security
    https://press.f-secure.com/2018/01/12/intel-amt-security-issue-lets-attackers-bypass-login-credentials-in-corporate-laptops/

    Intel AMT Security Issue Lets Attackers Bypass Login Credentials in Corporate Laptops
    Insecure defaults in Intel AMT allow an intruder to completely bypass user and BIOS passwords and TPM and Bitlocker PINs to backdoor almost any corporate laptop in a matter of seconds.

    Helsinki, Finland – January 12, 2018: F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists within Intel’s Active Management Technology (AMT) and potentially affects millions of laptops globally.

    The security issue “is almost deceptively simple to exploit, but it has incredible destructive potential,” said Harry Sintonen, who investigated the issue in his role as Senior Security Consultant at F-Secure. “In practice, it can give an attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

    To exploit this, all an attacker needs to do is reboot or power up the target machine and press CTRL-P during bootup. The attacker then may log into Intel Management Engine BIOS Extension (MEBx) using the default password, “admin,” as this default is most likely unchanged on most corporate laptops. The attacker then may change the default password, enable remote access and set AMT’s user opt-in to “None.” The attacker can now gain remote access to the system from both wireless and wired networks, as long as they’re able to insert themselves onto the same network segment with the victim. Access to the device may also be possible from outside the local network via an attacker-operated CIRA server.

    Although the initial attack requires physical access, Sintonen explained that the speed with which it can be carried out makes it easily exploitable in a so-called “evil maid” scenario. “You leave your laptop in your hotel room while you go out for a drink. The attacker breaks into your room and configures your laptop in less than a minute, and now he or she can access your desktop when you use your laptop in the hotel WLAN. And since the computer connects to your company VPN, the attacker can access company resources.” Sintonen points out that even a minute of distracting a target from their laptop at an airport or coffee shop is enough to do the damage.

    Sintonen stumbled upon the issue in July 2017, and notes that another researcher* also mentioned it in a more recent talk.

  3. Tomi Engdahl says:

    Islamic State Retreats Online to ‘Virtual Caliphate’
    http://www.securityweek.com/islamic-state-retreats-online-virtual-caliphate

    On the brink of defeat in Iraq and Syria, the Islamic State group has been taking refuge in its “virtual caliphate” — but even online, experts say it is in decline.

    Back in 2015, when the jihadists held territory the size of Italy, they also commanded a huge digital presence, flooding the web with slick propaganda lionising their fighters and romanticising life under their rule.

    Today, with many of the top IS leaders either dead or on the run, what remains of the group’s once-sophisticated propaganda machine is also a shadow of its former self.

    Their media centres destroyed, remaining propagandists find themselves struggling to maintain an internet connection while battling surveillance from international intelligence services.

    The jihadist group is less and less vocal on the web, largely leaving supporters whom it cannot control to speak in its name.

    – Pushed to the ‘dark web’ –

    Back in March as Iraqi forces were ousting IS from their long-held bastion Mosul, an AFP journalist was able to pick through the wreckage of what was once a jihadist media centre.

    Such wannabe jihadists need look no further than the internet for abundant advice that has been available online for years — and will merely pop up again after any attempt to remove it.

  4. Tomi Engdahl says:

    Microsoft Brings End-to-End Encryption to Skype
    http://www.securityweek.com/microsoft-brings-end-end-encryption-skype

    Microsoft this week announced that end-to-end encrypted communications are now available for preview to Skype insiders.

    Called Private Conversations, the newly introduced feature secures both text chat messages and audio calls, Microsoft Program Manager Ellen Kilbourne revealed.

    Furthermore, end-to-end encryption is also applied to any files users send to their conversational partners, including images, audio files, and videos. Not only will the contents of these conversations be hidden in the chat list, but they won’t appear in notifications either, to keep user’s information private.

    Private Conversations, Kilbourne explains in a post, is using the industry standard Signal Protocol by Open Whisper Systems. The protocol is already providing end-to-end encryption to users of popular messaging applications such as Signal, WhatsApp, and Facebook Messenger.

  5. Tomi Engdahl says:

    ‘MaMi’ Mac Malware Hijacks DNS Settings
    http://www.securityweek.com/mami-mac-malware-hijacks-dns-settings

    Researcher Patrick Wardle has analyzed what seems to be a new piece of malware designed to hijack DNS settings on macOS devices. The threat has other capabilities as well, but they do not appear to be active.

  6. Tomi Engdahl says:

    Risky Business (Part 2): Why You Need a Risk Treatment Plan
    http://www.securityweek.com/risky-business-part-2-why-you-need-risk-treatment-plan

    Performing a Risk Analysis and Taking Due Care Are No Longer Optional

    Now hear this: You will always have exposure.

    No company has the ability to mitigate all risks at all times. No company I’ve ever visited has even had all of its identified risks treated at any given point.

    Yet so many companies lead their security strategy with controls. They’ll make sizable investments in security appliances without fully understanding why the appliance is required. They’ll implement their controls without documentation of what the actual risks are and how they’re being treated.

    You may have learned about due diligence and due care, but this situation amounts to omitting both. To bridge that gap, you need a risk treatment plan.

    The objective of a risk treatment plan is to document your exposure and show that the organization is applying appropriate resources to mitigate it in a reasonable timeframe.

    Not only does this tie your mitigation efforts to the actual business risks being addressed, but the RTP is really a form of risk treatment in itself. Even if you can’t mitigate every risk, you’re documenting that you have a plan to deal with those risks — and having your efforts documented provides some recourse to prove due care.

  7. Tomi Engdahl says:

    The state of Israel’s cybersecurity market
    https://techcrunch.com/2018/01/14/the-state-of-israels-cybersecurity-market/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    The Equifax breach, WannaCry, NotPetya, the NSA leak, and many more cyber incidents – 2017 was certainly a busy year for hackers, illustrating yet again just how vital innovative cybersecurity solutions are in the fight against cyber threats.

    Second only to the U.S. in terms of cybersecurity investment, 2017 was another excellent year for Israeli cybersecurity startups.

  8. Tomi Engdahl says:

    Ransomware attack drives Indianapolis hospital back to pen and paper
    https://hotforsecurity.bitdefender.com/blog/ransomware-attack-drives-indianapolis-hospital-back-to-pen-and-paper-19444.html?utm_source=SMGlobal&utm_medium=Facebook&utm_campaign=H4S

    A hacker out to make a fast buck last week decided to hit an Indianapolis hospital with a ransomware attack, demanding a ransom payment to his Bitcoin wallet in exchange for de-crippling the facility’s computer network.

    Hancock Health fell victim to the attack sometime last week, when employees noticed the network started running more slowly than normal, according to local newspaper The Greenfield Reporter.

    One of the hospital’s computers then flashed a message indicative of a typical ransomware attack – that the facility’s data was being held “hostage” until a ransom was paid to the attacker.

  9. Tomi Engdahl says:

    Fake Meltdown/Spectre Patch Installs Malware
    http://www.securityweek.com/fake-meltdownspectre-patch-installs-malware

    Cybercriminals are already taking advantage of the massive attention the recently detailed Meltdown and Spectre CPU flaws have received, in an attempt to trick users into installing malware instead, Malwarebytes warns.

    Made public in early January, Meltdown and Spectre are two new side-channel attack methods against modern processors and are said to impact billions of devices. Based on vulnerabilities at the CPU level, the flaws allow malicious apps to access data as it is being processed, including passwords, photos, documents, emails, and the like.

    Chip makers and vendors were alerted on the bugs last year, and some started working on patches for their users several months ago, but waited for a coordinated public disclosure set for last week. Apple, Microsoft, Google, Canonical, and IBM are just a few of the vendors that have already deployed patches.

    Soon after the patches began rolling out, however, attacks taking advantage of the Meltdown/Spectre fever surfaced. One of them, Malwarebytes reports, is targeting German users with the SmokeLoader malware.

    The attack was spotted soon after the German authorities issued a warning that phishing emails trying to take advantage of the infamous bugs had started to appear.

  10. Tomi Engdahl says:

    Backdoor Found in Lenovo, IBM Switches
    http://www.securityweek.com/backdoor-found-lenovo-ibm-switches

    A high severity vulnerability described as a backdoor has been patched in several Flex System, RackSwitch and BladeCenter switches from Lenovo and IBM.

    The flaw, tracked as CVE-2017-3765, affects the Enterprise Network Operating System (ENOS) running on affected devices. The vulnerability allows an attacker to gain access to the management interface of a switch.

    “An authentication bypass mechanism known as ‘HP Backdoor’ was discovered during a Lenovo security audit in the Telnet and Serial Console management interfaces, as well as the SSH and Web management interfaces under certain limited and unlikely conditions,” Lenovo said in its advisory.

    The problematic feature, introduced by Nortel in 2004 at the request of a customer, can be found in Lenovo devices and IBM Flex System, BladeCenter and RackSwitch switches that still use the ENOS firmware.

  11. Tomi Engdahl says:

    “PowerStager” Tool Employs Unique Obfuscation
    http://www.securityweek.com/powerstager-tool-employs-unique-obfuscation

    A malicious tool that has managed to fly under the radar since April 2017 is showing great focus on obfuscation, in an attempt to evade detection, Palo Alto Networks warns.

    Dubbed PowerStager, the tool has shown an uptick in usage for in-the-wild attacks around December 2017. Developed as a Python script that generates Windows executables using C source code, it uses multiple layers of obfuscation to launch PowerShell scripts to execute a shellcode payload.

    PowerStager uses a unique obfuscation technique for PowerShell segments, while also offering increased flexibility, due to multiple configuration options.

    Some of these options include the ability to target both x86 and x64 platforms, support for additional obfuscation on top of defaults, support for customized error messages/executable icon for social engineering, and the ability to use Meterpreter or other built-in shellcode payloads. The tool can also fetch remote payloads or embed them into the executable and can escalate privileges using UAC.

    PowerStager Analysis
    https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/

  12. Tomi Engdahl says:

    New KillDisk Variant Spotted in Latin America
    http://www.securityweek.com/new-killdisk-variant-spotted-latin-america

    A new variant of the disk-wiper malware known as KillDisk has been spotted by Trend Micro researchers in attacks aimed at financial organizations in Latin America.

    Early versions of KillDisk were designed to wipe hard drives in an effort to make systems inoperable. The malware was used by the Russia-linked threat actor BlackEnergy in the 2015 attack aimed at Ukraine’s energy sector.

    Roughly one year after the Ukraine attack, researchers reported that its developers had turned KillDisk into file-encrypting ransomware. However, the samples analyzed at the time used the same encryption key for all instances, making it possible for victims to recover files.

    Experts later reported seeing a KillDisk ransomware designed to target Linux machines, but the malware did not save encryption keys anywhere, making it impossible to recover files.

  13. Tomi Engdahl says:

    Half Million Impacted by Four Malicious Chrome Extensions
    http://www.securityweek.com/half-million-impacted-four-malicious-chrome-extensions

    Four malicious Chrome extensions managed to infect over half a million users worldwide, including employees of major organizations, ICEBRG reports.

    The extensions were likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could have also been used by threat actors to gain access to corporate networks and user information, the security company warns.

    The malicious extensions were discovered after observing an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider, ICEBRG reveals. The HTTP traffic was associated with the domain ‘change-request[.]info’ and was generated from a Chrome extension named Change HTTP Request Header.

    Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses
    https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses

    ICEBRG has battled this threat in the wild and worked with our customers to understand the risk browser extensions pose. Recently, ICEBRG detected a suspicious spike in outbound network traffic from a customer workstation which prompted an investigation that led to the discovery of four malicious extensions impacting a total of over half a million users, including workstations within major organizations globally. Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information.

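
An added example, not ICEBRG's own tooling, of the signal both quotes above describe: each workstation's outbound volume per destination is compared against its own recent median, run over a constructed proxy log (host names, dates and byte counts are invented; change-request.info is the domain from the report).

```python
"""Flag a workstation whose outbound volume to one destination suddenly spikes.

Added example, not ICEBRG's own tooling. It reproduces the signal described in
the comment above (an unusual rise in outbound bytes from one workstation to a
single external host) over a constructed proxy log. The log layout and every
host name, date and byte count are invented; change-request.info is the domain
named in the report.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Tuple

# Constructed log, one request per line: "<day> <src_host> <dst_domain> <bytes_out>".
# ws-017 and ws-042 both talk to the extension's domain daily at a few KB;
# on 2018-01-14 ws-017 alone sends ~3 MB to it across two requests.
SAMPLE_LOG = """\
2018-01-09 ws-017 change-request.info 4100
2018-01-10 ws-017 change-request.info 3900
2018-01-11 ws-017 change-request.info 4300
2018-01-12 ws-017 change-request.info 4000
2018-01-13 ws-017 change-request.info 3800
2018-01-14 ws-017 change-request.info 1480000
2018-01-14 ws-017 change-request.info 1470000
2018-01-09 ws-042 change-request.info 4000
2018-01-10 ws-042 change-request.info 4000
2018-01-11 ws-042 change-request.info 4000
2018-01-12 ws-042 change-request.info 4000
2018-01-13 ws-042 change-request.info 4000
2018-01-14 ws-042 change-request.info 4000
2018-01-09 ws-042 updates.example 2000000
2018-01-10 ws-042 updates.example 2000000
2018-01-11 ws-042 updates.example 2000000
2018-01-12 ws-042 updates.example 2000000
2018-01-13 ws-042 updates.example 2000000
2018-01-14 ws-042 updates.example 2000000
"""


class Spike(NamedTuple):
    day: str
    src: str
    dst: str
    bytes_out: int
    baseline: float  # median daily bytes for this pair on the preceding days


def parse_log(text: str) -> List[Tuple[str, str, str, int]]:
    """Parse the constructed log format into (day, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, src, dst, nbytes = line.split()
        records.append((day, src, dst, int(nbytes)))
    return records


def daily_volume(records) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Sum bytes per (src, dst) pair per day, so many small requests add up."""
    volume: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in records:
        volume[(src, dst)][day] += nbytes
    return volume


def find_spikes(text: str, factor: float = 10.0, min_bytes: int = 1_000_000,
                min_history: int = 3) -> List[Spike]:
    """Return days on which a (src, dst) pair sent >= factor x its own median.

    Each pair is judged only against its own history, so a host that always
    moves a lot of data (ws-042 -> updates.example) is not flagged. A pair seen
    for fewer than `min_history` earlier days is skipped for lack of a
    baseline; first-seen destinations need a separate rule.
    """
    spikes: List[Spike] = []
    for (src, dst), by_day in daily_volume(parse_log(text)).items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            today = by_day[day]
            if today >= min_bytes and today >= factor * max(baseline, 1):
                spikes.append(Spike(day, src, dst, today, baseline))
    return spikes


if __name__ == "__main__":
    for s in find_spikes(SAMPLE_LOG):
        print(f"{s.day} {s.src} -> {s.dst}: {s.bytes_out} bytes "
              f"(baseline {s.baseline:.0f}); inspect installed browser extensions")
```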
  14. Tomi Engdahl says:

    Canadian Man Charged Over Leak of Three Billion Hacked Accounts
    http://www.securityweek.com/canadian-man-charged-over-leak-three-billion-hacked-accounts

    An Ontario man made his first court appearance Monday to answer charges of running a website that collected personal and password data from some three billion accounts, and sold them for profit.

    Jordan Evan Bloom, 27, of Thornhill earned some Can$247,000 ($198,800 US) by selling the data for a “small fee” via leakedsource.com, the Royal Canadian Mounted Police said in a statement.

    The information was stolen during massive hacks of websites including LinkedIn and the Ashley Madison online dating service.

    Some of the data could also be used to access other popular websites if the hacked user used the same password and username combination, according to police.

  15. Tomi Engdahl says:

    Flaws Allowed Facebook Account Hacking via Oculus App
    http://www.securityweek.com/flaws-allowed-facebook-account-hacking-oculus-app

    Facebook recently patched a couple of vulnerabilities that could have been exploited by malicious hackers to hijack accounts by abusing integration with the Oculus virtual reality headset.

    Franjkovic discovered that a malicious actor could have used specially crafted GraphQL queries to connect a targeted user’s Facebook account to the attacker’s Oculus account. GraphQL is a query language created by Facebook in 2012 and later released to the public.

    According to the researcher, a specially crafted query allowed an attacker to obtain the victim’s access token, which under normal circumstances should not be accessible to third-party apps, and use it to take control of their Facebook account.

  16. Tomi Engdahl says:

    North Korean Hackers Prep Attacks Against Cryptocurrency Exchanges: Report
    http://www.securityweek.com/north-korean-hackers-prep-attacks-against-cryptocurrency-exchanges-report

    Researchers Say a North Korea-Linked Hacking Campaign is Ready to Go Against South Korean Cryptocurrency Exchanges

    North Korean hackers, loosely categorized as the Lazarus Group, have continued their attacks against South Korean interests, with particular emphasis on cryptocurrency exchanges.

    Recorded Future said they discovered a spear-phishing campaign that uses the CVE-2017-8291 Ghostscript vulnerability triggered from within a Hangul Word Processor (popular in South Korea) document.

    Earlier this month, McAfee described a separate attack against North Korean defectors from a group — almost certainly North Korean — that does not appear to be related to any known cybercrime group.

    The Lazarus targets are users of the Coinlink cryptocurrency exchange, other exchanges, and a group known as ‘Friends of MOFA (Ministry of Foreign Affairs)’.

    The cryptocurrency target is typical Lazarus.

    In December 2017, the South Korean Youbit cryptocurrency exchange went bankrupt following its second hack of the year. In the first attack it lost 4000 bitcoin or around 40% of its reserves (around $5 million at the time), and a further 17% of its assets in the December breach. Some reports suggest that the attacks were undertaken by BlueNoroff, a sub-group of Lazarus.

    South Korean exchanges have been strengthening their network defenses, while the government has been considering regulations to tighten control over cryptocurrencies.

    “This campaign relies on multiple payloads fashioned out of the Destover infostealer code to collect information about the victim system and exfiltrate files,” reports Recorded Future. Destover further implicates Lazarus in the campaign. It was used in the Sony Pictures Entertainment attack in 2014, the Polish banking attacks in January 2017, and in the first WannaCry victim discovered by Symantec.

  17. Tomi Engdahl says:

    Kaspersky: Malware disguised as Android apps from carriers can steal your WhatsApp messages
    https://thenextweb.com/insider/2018/01/17/kaspersky-malware-disguised-as-android-apps-from-carriers-can-steal-your-whatsapp-messages/

    Security firm Kaspersky has discovered a new piece of malware doing the rounds that’s capable of spying on your Android phone like nothing else before it.

    The company says that the malware is called Skygofree (named after one of the domains on which it was first spotted), and is usually disguised as a downloadable app on fake sites designed to resemble those of mobile carriers, and promises to increase your internet speeds.

    Skygofree: Following in the footsteps of HackingTeam
    https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

    At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.

  18. Tomi Engdahl says:

    DNS Servers Crash Due to BIND Security Flaw
    http://www.securityweek.com/dns-servers-crash-due-bind-security-flaw
    Updates released by the Internet Systems Consortium (ISC) for BIND patch a remotely exploitable security flaw that has caused some DNS servers to crash.

    The vulnerability, discovered by Jayachandran Palanisamy of Cygate AB, affects BIND versions 9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1. It has been patched with the release of BIND 9.9.11-P1, 9.10.6-P1, 9.11.2-P1 and 9.12.0rc2.

    “Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator.”

    CVE-2017-3145: Improper fetch cleanup sequencing in the resolver can cause named to crash
    https://kb.isc.org/article/AA-01542

    While this bug has existed in BIND since 9.0.0, there are no known code paths leading to it in ISC releases prior to those containing the fix for CVE-2017-3137.  Thus while all instances of BIND ought to be patched, only ISC versions [9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1] acting as DNSSEC validating resolvers are currently known to crash due to this bug.  The known crash is an assertion failure in netaddr.c.

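
A version-range check for the advisory quoted above, written as an added example (not ISC's or SecurityWeek's code): it encodes the affected and fixed versions exactly as listed, follows ISC's version grammar for pre-release, -P and -S suffixes, accepts `named -v`-style strings, and treats vendor-suffixed package versions as unrecognised rather than guessing.

```python
"""Check BIND version strings against the CVE-2017-3145 ranges quoted above.

Added example, not ISC's own tooling. The affected and fixed versions are taken
verbatim from the advisory text in the comment above. The parser follows ISC's
version grammar (9.12.0a1 < 9.12.0rc1 < 9.12.0 < 9.12.0-P1) and treats -S<n>
Supported Preview Edition releases as a separate branch that is only compared
against the -S ranges. Distribution packages with vendor suffixes are rejected
rather than misjudged, because distributions backport fixes.
"""
import re
from typing import List, NamedTuple, Tuple

# Inclusive affected ranges and the fixed releases, as listed in the advisory.
AFFECTED: List[Tuple[str, str]] = [
    ("9.9.9-P8", "9.9.11"),
    ("9.10.4-P8", "9.10.6"),
    ("9.11.0-P5", "9.11.2"),
    ("9.9.9-S10", "9.9.11-S1"),
    ("9.10.5-S1", "9.10.6-S1"),
    ("9.12.0a1", "9.12.0rc1"),
]
FIXED = ["9.9.11-P1", "9.10.6-P1", "9.11.2-P1", "9.12.0rc2"]

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"      # major.minor.patch
    r"(?:(a|b|rc)(\d+))?"        # optional pre-release tag: a1, b2, rc1
    r"(?:-(P|S)(\d+))?$"         # optional -P<n> patch level or -S<n> preview
)
# Rank of the release stage within one major.minor.patch triple.
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2, "release": 3, "P": 4}


class BindVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    stage_rank: int
    stage_num: int
    preview: bool  # True for -S<n> (Supported Preview Edition) releases

    def key(self):
        return (self.major, self.minor, self.patch, self.stage_rank, self.stage_num)


def parse_version(text: str) -> BindVersion:
    """Parse '9.11.2-P1', '9.12.0rc1', '9.9.9-S10' or 'BIND 9.11.2-P1 <id:...>'."""
    # Accept `named -v` style output by taking the first token that parses.
    for token in text.split():
        m = _VERSION_RE.match(token)
        if m:
            break
    else:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch, pre, pre_n, suffix, suffix_n = m.groups()
    if pre and suffix:  # a pre-release with a -P/-S suffix is not ISC numbering
        raise ValueError(f"unrecognised BIND version: {text!r}")
    if pre:
        rank, num = _STAGE_RANK[pre], int(pre_n)
    elif suffix == "P":
        rank, num = _STAGE_RANK["P"], int(suffix_n)
    elif suffix == "S":
        rank, num = _STAGE_RANK["release"], int(suffix_n)  # -S1 < -S2 within a release
    else:
        rank, num = _STAGE_RANK["release"], 0
    return BindVersion(int(major), int(minor), int(patch), rank, num, suffix == "S")


def is_affected(version: str) -> bool:
    """True if `version` falls inside one of the advisory's ranges (same branch)."""
    v = parse_version(version)
    for low_s, high_s in AFFECTED:
        low, high = parse_version(low_s), parse_version(high_s)
        if low.preview != v.preview:
            continue  # -S releases are compared only against -S ranges
        if low.key() <= v.key() <= high.key():
            return True
    return False


def assess(version: str) -> str:
    """One-line verdict for an inventory report."""
    try:
        affected = is_affected(version)
    except ValueError:
        return f"{version}: unrecognised version string, check the vendor advisory"
    if affected:
        return f"{version}: affected by CVE-2017-3145, upgrade to one of {', '.join(FIXED)}"
    return f"{version}: not in an affected range"


if __name__ == "__main__":
    # Constructed inventory of reported versions; the last one imitates a
    # distribution package string and is deliberately left unrecognised.
    for reported in ["BIND 9.9.10 <id:constructed>", "9.11.2-P1", "9.12.0rc1",
                     "9.10.5-S1", "9.9.9-P7", "9.11.3-1vendor1.3-Vendor"]:
        print(assess(reported))
```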
  19. Tomi Engdahl says:

    Bots could influence the Finnish presidential election in many ways – “Only imagination is the limit”

    According to cyber security professor Limnéll, the number of bots among the presidential candidates’ followers is still too small to influence the election.

    As the presidential election approaches, questions about possible external influence on the election, for example through automated bots following the candidates’ social media accounts, have increased.

    Maria Heimonen, Marketing Director at the IT company eCraft, says that external influence campaigns on the Finnish presidential election through bots are a relevant concern, especially when recalling Russia’s influence on the US presidential election in 2016.

    – It is worrying if someone is trying to influence people’s opinions from the outside during elections. Bots that share and like certain kinds of tweets create an illusion that a large share of people really think that way, Heimonen says.

    – It is too early to draw far-reaching conclusions on the basis of current information. We must remember that, according to present knowledge, we are talking about a fairly small number of potentially automated followers, Limnéll says.

    The numbers are still small

    Presidential candidate Pekka Haavisto (vihr) reported about 1,700 suspicious Twitter followers at the end of December, which have since been removed. According to an analysis by F-Secure expert Andy Patel, both Haavisto’s and Sauli Niinistö’s Twitter accounts have gained just under 400 new potential bot followers.

    Limnéll does not consider these bot numbers significant yet. He also remarks that there is still no certainty that all of the candidates’ suspicious followers are automated bots.

    – If you really wanted to influence the election by such means, the number of followers would have to be considerably higher.

    However, the professor considers it worthwhile to investigate the matter, as it increases citizens’ vigilance and preparedness against influence through social media.

    – Only imagination is the limit when talking about possible ways of influencing.

    As a practical example, Limnéll mentions the possibility that bots could amplify certain political messages on Twitter. A counter-argument posted in reply to a candidate’s statement could receive a disproportionate number of likes and retweets from around the world, which would make the counter-argument appear more powerful than the original.

    In addition, bots could, for example, “hijack” Twitter hashtags, such as the widely used presidential election 2018 hashtag, and fill it with irrelevant content that would give a distorted picture of the debate around the election.

    Source: http://www.iltalehti.fi/digi/201801122200663812_du.shtml

  20. Tomi Engdahl says:

    Zyklon Malware Delivered via Recent Office Flaws
    http://www.securityweek.com/zyklon-malware-delivered-recent-office-flaws

    A piece of malware known as Zyklon has been delivered by cybercriminals using some relatively new vulnerabilities in Microsoft Office, FireEye reported on Wednesday.

    Zyklon has been around since early 2016 and it allows attackers to conduct a wide range of malicious activities, including launch distributed denial-of-service (DDoS) attacks, log keystrokes, steal passwords, and mine cryptocurrency.

    A recent campaign observed by FireEye has been aimed at organizations in the telecommunications, insurance and financial services sectors. The malware has been delivered as a ZIP archive attached to spam emails.

    The ZIP file contains a specially crafted Word document that exploits one of three weaknesses in Microsoft Office to deliver a PowerShell script that downloads the final Zyklon payload from a remote server.

    One of the vulnerabilities exploited by the malicious documents is CVE-2017-8759, a flaw patched by Microsoft in September 2017.

    Another flaw exploited to deliver Zyklon is CVE-2017-11882, a 17-year-old vulnerability in the Equation Editor component that Microsoft patched in November. CVE-2017-11882 has been leveraged by Iranian cyberspies, the Cobalt hacking group, and others.

    Cybercriminals have also abused the Dynamic Data Exchange (DDE) feature in Office to spread the malware.

    If the malicious documents successfully exploit one of these weaknesses, they download a PowerShell script that injects code and fetches the final payload from a server.

    The malware uses the Tor network to communicate with its command and control (C&C) server. Once a connection has been established, the attacker can instruct the malware to provide information about the infected system, launch DDoS attacks, mine cryptocurrency, and upload harvested data.

  21. Tomi Engdahl says:

    Crypto-Mining Attack Targets Web Servers Globally
    http://www.securityweek.com/crypto-mining-attack-targets-web-servers-globally

    A new malware family is targeting web servers worldwide in an attempt to ensnare them into a crypto-mining botnet, security researchers have discovered.

    Dubbed RubyMiner, the threat was discovered last week, when it started launching massive attacks on web servers in the United States, Germany, United Kingdom, Norway, and Sweden. Within a single day, the attackers behind this malware attempted to compromise nearly one third of networks globally, Check Point revealed last week.

    The purpose of the attack, which is targeting both Windows and Linux servers, is to install a Monero miner by exploiting old vulnerabilities that have been published and patched in 2012 and 2013. The attackers weren’t looking for stealth compromise, but attempted to compromise a large number of vulnerable HTTP web servers as quickly as possible.

    The infection campaign is targeting vulnerabilities in PHP, Microsoft IIS, and Ruby on Rails. Despite the large number of compromise attempts observed, only 700 servers worldwide have been successfully enslaved within the first 24 hours of attacks.

    The deployed malware – on all infected servers – is XMRig, a Monero miner that was used in September 2017 in an attack exploiting a vulnerability in Microsoft IIS 6.0, the webserver in Windows Server 2003 R2.

  22. Tomi Engdahl says:

    Threat Actors Quickly Adopt Effective Exploits
    http://www.securityweek.com/threat-actors-quickly-adopt-effective-exploits

    Cybercriminals and nation state groups were quick to adopt the most effective exploits last year, a new AlienVault report reveals.

    Not only do the most effective exploits proliferate quickly between cybercriminals, but some of them remain popular for years after their initial discovery.

    The top 10 list of exploits – by number of occurrences in vendor reports – is dominated by Microsoft Office and Microsoft Windows, data from AlienVault’s Open Threat Exchange (OTX) platform reveals. Adobe Flash, Microsoft .NET, and Android/Linux were also present on the list, with one exploit each.

    The exploit to appear most often in vendor reports last year was CVE-2017-0199, a code execution bug affecting Microsoft Office. Detailed in April 2017, when it was already being abused in attacks, the vulnerability started being adopted almost immediately, and the trend continued toward the end of the year as well.

  23. Tomi Engdahl says:

    Found: New Android malware with never-before-seen spying capabilities
    https://arstechnica.com/information-technology/2018/01/found-new-android-malware-with-never-before-seen-spying-capabilities/

    Skygofree is among the most powerful spy platforms ever created for Android.

    Last year, researchers found what at the time was quite possibly the world’s most sophisticated espionage app ever written for the Android mobile operating system. Now, in a discovery that underscores the growing arms race among competing malware developers, researchers have uncovered a new Android spying platform that includes location-based audio recording and other features that have never been seen in the wild before.

    According to a report published Tuesday by antivirus provider Kaspersky Lab, “Skygofree” is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares.

  24. Tomi Engdahl says:

    Found: New Android malware with never-before-seen spying capabilities
    Skygofree is among the most powerful spy platforms ever created for Android.
    https://arstechnica.com/information-technology/2018/01/found-new-android-malware-with-never-before-seen-spying-capabilities/

    According to a report published Tuesday by antivirus provider Kaspersky Lab, “Skygofree” is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, geolocation data, calendar events, and business-related information stored in device memory.

    Skygofree: Following in the footsteps of HackingTeam
    https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

    Reply
  25. Tomi Engdahl says:

    VTech fondleslabs for kids ‘still vulnerable’ despite sanctions
    Researchers claim flaws remain more than two years later
    https://www.theregister.co.uk/2018/01/18/innotab_kid_tech_still_vulnerable/

    New InnoTab child learning devices still have the same security flaw first found by researchers at Pen Test Partners two years ago.

    The issues persist even after manufacturer VTech was fined $650,000 by US watchdogs at the Federal Trade Commission (FTC) via a ruling published earlier this week. The settlement deal came after the FTC scolded the children’s toymaker for both unnecessarily collecting kids’ personal information and (worse) failing to protect this sensitive data before a massive breach in November 2015.

    As well as paying the fine, VTech agreed to apply privacy and security requirements so that it complied with the Children’s Online Privacy Protection Act (COPPA) and the FTC Act, as previously reported.

    Tests by UK security consultancy Pen Test Partners at the time found it was possible to lift data from its InnoTab tablet, as El Reg reported at the time.

    The same tests on a newly purchased InnoTab reveal that the same hack is still possible and nothing had been done to address the problem, according to Pen Test Partners’ Ken Munro.

    The FTC settlement resulted in VTech promising to improve its security. More specifically the deal means that VTech is “required to implement a comprehensive data security program, which will be subject to independent audits for 20 years” as well as “misrepresenting its security and privacy practices”.

    In response to queries from El Reg, VTech said it was working hard to fulfil its security obligations.

    Munro wasn’t impressed by what he described as a “carefully caged non-answer”.

    Reply
  26. Tomi Engdahl says:

    Intel Forms New Security Group to Avoid Future Meltdowns
    https://hackaday.com/2018/01/17/intel-forms-new-security-group-to-avoid-future-meltdowns/

    Intel just moved some high level people around to form a dedicated security group.

    When news of Meltdown and Spectre broke, Intel’s public relations department applied maximum power to their damage control press release generators. The initial message was one of defiance, downplaying the impact and implying people are over reacting. This did not go over well. Since then, we’ve started seeing a trickle of information from engineering and even direct microcode updates for people who dare to live on the bleeding edge.

    All the technical work to put out the immediate fire is great, but for the sake of Intel’s future they need to figure out how to avoid future fires.

    Intel reorganizes amid tumult over computer chip flaw
    http://www.oregonlive.com/silicon-forest/index.ssf/2018/01/intel_reorganizes_amid_fervor.html

    “Security is Job No. 1 for Intel and our industry,” Intel CEO Brian Krzanich said during his keynote address Monday night at the Consumer Electronics Show in Las Vegas.

    Reply
  27. Tomi Engdahl says:

    North Korea linked to new cryptocurrency attacks
    http://money.cnn.com/2018/01/17/technology/north-korea-cryptocurrency-attacks/

    North Korea-linked hackers targeted cryptocurrency investors and exchanges just as bitcoin started to soar to record highs, according to a new report.

    Cybersecurity firm Recorded Future said malware used in the attacks was similar to that used in the Sony Pictures hack, the global WannaCry ransomware attack and the major cyberheist that hit Bangladesh’s central bank.

    North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign
    https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/

    Reply
  28. Tomi Engdahl says:

    ‘Text bomb’ is latest Apple bug
    http://www.bbc.com/news/technology-42728336

    A new “text bomb” affecting Apple’s iPhone and Mac computers has been discovered.

    Abraham Masri, a software developer, tweeted about the flaw which typically causes an iPhone to crash and in some cases restart.

    Simply sending a message containing a link which pointed to Mr Masri’s code on programming site GitHub would be enough to activate the bug – even if the recipient did not click the link itself.

    Mr Masri said he “always reports bugs” before releasing them. Apple has not yet commented on the issue.

    On a Mac, the bug reportedly makes the Safari browser crash, and causes other slowdowns.

    But users should not be alarmed.

    Security expert Graham Cluley wrote on his blog that the bug does not present anything to be particularly worried about – it’s merely very annoying.

    “Something about the so-called ChaiOS bug’s code gives your Apple device a brainstorm,”

    Beware! A new bug can crash iOS and macOS with a single text message
    Resist the temptation to send this text bomb to anyone.
    https://www.grahamcluley.com/chaios-bug-crash-ios-macos-messages/

    Reply
  29. Tomi Engdahl says:

    WiFi Alliance Announces Upcoming Fixes to WPA2
    https://hackaday.com/2018/01/10/wifi-alliance-announces-upcoming-fixes-to-wpa2/

    Last October, before Intel’s Management Engine was completely broken and the Spectre and Meltdown exploits drove Intel’s security profile further into the ground, we had a problem with wireless networking. WPA2 was cracked with KRACK, the Key Reinstallation Attack. The sky isn’t falling quite yet, but the fact remains that the best WiFi security currently available isn’t very secure at all.

    This week, at the Consumer Electronics Show in Las Vegas, the WiFi Alliance announced they would introduce security enhancements in 2018. While it’s not said in the press release if this is a reaction to KRACK, the smart money says yes, this is indeed a reaction to KRACK.

    Reply
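The comment above names KRACK without saying why reinstalling an already-in-use key is fatal. The following is an added example, not code from the original post, from Hackaday or from the Wi-Fi Alliance: a client model in which installing a pairwise key resets the per-packet nonce, so a replayed handshake message 3 makes the same (key, nonce) pair encrypt two frames with identical keystream, and an attacker who knows one frame recovers the other. AES-CCM is replaced by an HMAC-SHA256 counter-mode keystream so the script runs with the standard library only (an assumption, labelled in the code); the keystream-reuse logic is the same for any counter-mode cipher. All frame contents and the PTK are constructed for the demo. A monitor-side nonce-reuse check is included as the defensive counterpart.

```python
"""Added example: KRACK-style key reinstallation and the keystream reuse it causes.
Not the real WPA2 cipher: HMAC-SHA256 in counter mode stands in for AES-CCM.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Deterministic counter-mode keystream: same (key, nonce) -> same bytes.
    Stand-in for AES-CCM's CTR component (assumption, demo only)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """Minimal model of a Wi-Fi client's data-confidentiality state."""
    ptk: bytes = b""
    tx_nonce: int = 0  # the 48-bit packet number in real CCMP

    def install_ptk(self, ptk: bytes) -> None:
        # Clients reset the packet number whenever a key is installed. KRACK
        # replays handshake message 3 so the SAME ptk is installed again, and
        # with it the nonce restarts from zero.
        self.ptk = ptk
        self.tx_nonce = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        nonce = self.tx_nonce
        self.tx_nonce += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def detect_nonce_reuse(frames: Iterable[Tuple[str, int, bytes]]) -> List[Tuple[str, int]]:
    """Monitor-side check: a (transmitter, nonce) pair seen twice means the
    keystream was reused. frames yields (transmitter, nonce, ciphertext)."""
    seen = set()
    reused = []
    for tx, nonce, _ in frames:
        if (tx, nonce) in seen:
            reused.append((tx, nonce))
        seen.add((tx, nonce))
    return reused


def krack_keystream_reuse():
    """Legitimate install, forced reinstall, attacker recovery, detection."""
    ptk = hashlib.sha256(b"constructed PTK, demo only").digest()
    sta = Supplicant()

    sta.install_ptk(ptk)  # 4-way handshake completes normally
    known = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    n1, c1 = sta.encrypt(known)  # nonce 0

    sta.install_ptk(ptk)  # attacker replays message 3: same key, counter reset
    secret = b"user=alice&password=hunter2"  # constructed second frame
    n2, c2 = sta.encrypt(secret)  # nonce 0 again, identical keystream

    # c1 xor c2 == known xor secret, so one known frame reveals the other.
    recovered = xor(xor(c1, c2), known)[: len(secret)]
    alerts = detect_nonce_reuse([("sta", n1, c1), ("sta", n2, c2)])
    return n1, n2, recovered, alerts


if __name__ == "__main__":
    n1, n2, recovered, alerts = krack_keystream_reuse()
    print(f"nonces used: {n1}, {n2}")
    print(f"recovered plaintext: {recovered!r}")
    print(f"nonce-reuse alerts: {alerts}")
```

The fix that vendors shipped after KRACK is visible in `install_ptk`: a patched client refuses to reset `tx_nonce` (or refuses the install altogether) when the key being installed is the one already in use, which is why the retransmitted message 3 then does no harm.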
  30. Tomi Engdahl says:

    A password for the Hawaii emergency agency was hiding in a public photo, written on a post-it note
    http://nordic.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&IR=T

    A false alarm was broadcast to Hawaii on Saturday warning of an inbound missile.
    In the days following the alert, people discovered that a photo taken in Hawaii’s Emergency Management Agency for a newspaper article in July includes a sticky note with a password on it.
    Hawaii says the false alarm was because an employee “pushed the wrong button,” not because it was hacked, but the photo sparked criticism from the security industry about the general level of security at the agency.

    Reply
