Cyber Security July 2018

This posting is here to collect security alert news in July 2018.

I post links to security vulnerability news to comments of this article.

194 Comments

  1. Tomi Engdahl says:

    Heavy claims, true or not?

    Evidence Shows Hackers Changed Votes in the 2016 Election But No One Will Admit It
    https://www.theroot.com/evidence-shows-hackers-changed-votes-in-the-2016-electi-1827871206?utm_medium=sharefromsite&utm_source=The_Root_facebook

    despite what Donald Trump, the Kremlin’s Executive in Charge of U.S. Operations, would have you believe, every credible intelligence source agrees that Russian hackers, under direct instructions from our sidepiece president, Vladimir Putin, interfered with the 2016 presidential elections. The evidence shows this is true.

    But when it comes to whether or not Russin operatives actually changed votes or voter rolls, no one will admit to it, regardless of the mountain of circumstantial evidence.

    So far, most of the news has focused on the “disinformation” part of the narrative—that Russia posted misleading ads on Facebook and spread propaganda on other social media outlets. We know Russian agents paid protesters and created false news reports.

    the hacking part has been largely underreported—mostly because of the difficult-to-explain technological intricacies of the story

    U.S. officials will admit that Vladimir Putin interfered with the 2016 election. They don’t specifically deny that Russian operatives altered votes. They will only say they cannot confirm that fact. They will say that there is no conclusive evidence to support it.

    Russian actors most likely changed votes.

    Russia attempted to break into almost half of America’s voter databases, but the DHS assured the public that they had no evidence that any of the systems were actually compromised.

    documents revealed that Russia actually got inside the voting systems of seven states, including 4 of the 5 largest states in terms of electoral votes—California (55) Texas (38) Florida (29) and Illinois (20).

    Those states have vehemently denied that any votes were changed in the 2016 elections. Then again most of the states had no idea their systems had been penetrated until they were specifically told.

    In fact, 6 of the 7 states still deny that their systems were ever breached.

    But we know, without a shadow of a doubt, that these systems were targeted and breached.

    Illinois admits that hackers unsuccessfully attempted to alter and delete voters rolls but the intruders were unsuccessful

    Georgia firm that handles the state’s election data, computers and training, found a hole in the election system’s server that would have allowed anyone to download or alter the database that included every voter in the state. He also found PDF files with the instructions, all the passwords and software files for the system that allowed poll workers to verify registered voters.

    two Russian military officers, Anatoliy Sergeyevich Kovalev and Aleksandr Vladimirovich Osadchuk, conspired to hack into U.S. election systems in October 2016.

    it is impossible to know if ballots cast by Georgia voters were changed because the state does not require a post-election audit

    But we know Georgia uses some of the most hackable voting machines and runs its election on a system that was breached.

    Georgia’s systems would have been an “ideal” target for Russian hackers

    Then they wiped the servers’ backups clean.

    But is it possible to hack an actual voting machine and change votes?

    At the 2017 Def Con computer security conference
    30 different voting machines
    Within 24 hours they hacked every one.

    A 16-year-old hacker broke into as ExpressPoll voting machine used by Georgia in 45 minutes.

    Another cyberhacker showed how he could change votes in the WINvote machine used in Virginia, Pennsylvania and Mississippi.

    Pennsylvania auditor checking his state’s voting system found remote access software on the system that tallies votes.

    Putin-connected actors also breached voting-machine manufacturers days prior to the 2016 election.

    We know, from Vladimir Putin’s own words, that he wanted Trump to win the 2016 election. We know that Russian agents interfered. The entire intelligence community agrees that Russia targeted the election systems in at least 21 states and breached the barriers in at least 8 states.

    Every single source agrees that Russian could have changed votes. We know it is not a difficult task. We know it is so easy, even a 16-year-old could do it.

    We are supposed to believe the circumstantial evidence that shows Russians interfered but not the circumstantial evidence that shows they changed votes? There will never be any direct evidence.

    We know that hackers attempted to change voter rolls and hack voting machines at least once, but we are supposed to believe that it wasn’t widespread.

    Reply
  2. Tomi Engdahl says:

    “Editor’s Note: This story was an opinion piece asserting there was evidence that hackers changed votes in the 2016 election. However, a number of statements in the piece are disputed by experts. As a result, we have pulled it down for editorial review,
    and will update it once that review is completed.”
    https://www.theroot.com/evidence-shows-hackers-changed-votes-in-the-2016-electi-1827871206?utm_medium=sharefromsite&utm_source=The_Root_facebook

    Reply
  3. Tomi Engdahl says:

    Security breach at major airport – Terminal LOCKDOWN and 200 flights cancelled
    https://www.dailystar.co.uk/news/world-news/719594/Munich-Airport-security-breach-Germany-Terminal-2-200-flights-cancelled

    A MAJOR international airport is on lockdown after a security breach.

    Terminal 2 at Munich Airport has been closed off and 200 flights have been cancelled as a result of the breach, officials said.

    German cops cleared the terminal in search for a mystery woman after she slipped through a security checkpoint with liquid in her handbag.

    Reply
  4. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    A deep look at Mueller’s mid-July indictment of Russia’s GRU officers and how they hacked the Clinton campaign, the DNC, and DCCC before the 2016 election — Latest Mueller indictment offers excruciating details to confirm known election pwnage. — In a press briefing just two weeks ago …

    How they did it (and will likely try again): GRU hackers vs. US elections
    Latest Mueller indictment offers excruciating details to confirm known election pwnage.
    https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/

    In a press briefing just two weeks ago, Deputy Attorney General Rod Rosenstein announced that the grand jury assembled by Special Counsel Robert Mueller had returned an indictment against 12 officers of Russia’s Main Intelligence Directorate of the Russian General Staff (better known as Glavnoye razvedyvatel’noye upravleniye, or GRU). The indictment was for conducting “active cyber operations with the intent of interfering in the 2016 presidential election.”

    The filing [PDF] spells out the Justice Department’s first official, public accounting of the most high-profile information operations against the US presidential election to date. It provides details down to the names of those alleged to be behind the intrusions into the networks of the Democratic National Committee and the Democratic Congressional Campaign Committee, the theft of emails of members of former Secretary of State Hillary Clinton’s presidential campaign team, and various efforts to steal voter data and undermine faith in voting systems across multiple states in the run-up to the 2016 election.

    http://www1.icsi.berkeley.edu/~nweaver/netyksho_et_al_indictment_ocr.pdf

    Reply
  5. Tomi Engdahl says:

    Zach Dorfman / Politico:
    Silicon Valley, as world’s tech innovation hub, has been target of foreign industrial espionage for decades; its open culture makes it hard to deal with threats — The West Coast is a growing target of foreign espionage. And it’s not ready to fight back.

    How Silicon Valley Became a Den of Spies
    https://www.politico.com/magazine/story/2018/07/27/silicon-valley-spies-china-russia-219071

    The West Coast is a growing target of foreign espionage. And it’s not ready to fight back.

    Reply
  6. Tomi Engdahl says:

    Joseph Marks / Nextgov:
    NSA inspector general’s report says the agency has not yet properly implemented post-Snowden two-person access controls to data, lists more security weaknesses

    NSA Hasn’t Implemented Post-Snowden Security Fixes, Audit Finds
    https://www.nextgov.com/cybersecurity/2018/07/nsa-hasnt-implemented-post-snowden-security-fixes-audit-finds/150067/

    The spy agency also fell short on numerous information security requirements, according to its first public audit overview.

    The nation’s cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency’s inspector general released Wednesday.

    Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren’t properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they’re qualified for the highest-level work they do, according to the overview.

    Perhaps most striking, the agency has not properly implemented “two-person access controls” on its data centers and equipment rooms.

    Former NSA Director Gen. Keith Alexander instituted the two-person access system after contractor Edward Snowden leaked reams of data about agency spy programs in 2013. The general idea is that no employee or contractor can access sensitive information unless another employee approves it.

    Those information security weaknesses are described in the unclassified version of the NSA inspector general’s semiannual report to Congress.

    As of March 31, NSA had 699 open inspector general recommendations, according to the report, 76 percent of which were overdue.

    https://www.oversight.gov/sites/default/files/oig-sa-reports/OIG%20UNCLASS%20SAR%20OCT-MAR%202018.pdf

    Reply
  7. Tomi Engdahl says:

    Defense Department will Implement Anti-Spoofing Email Protections, CIO Says
    https://www.nextgov.com/cybersecurity/2018/07/defense-department-will-implement-anti-spoofing-email-protections-cio-says/150048/

    The DMARC protections are already required for civilian agencies.

    Reply
  8. Tomi Engdahl says:

    Lindsey O’Donnell / Threatpost:
    Samsung patches multiple SmartThings Hub vulnerabilities found by researchers that could have allowed remote control of smart locks, connected cameras, more

    Bugs in Samsung IoT Hub Leave Smart Home Open To Attack
    https://threatpost.com/bugs-in-samsung-iot-hub-leave-smart-home-open-to-attack/134454/

    Researchers found 20 flaws in Samsung’s SmartThings Hub controller – opening up supported third-party smart home devices to attack.

    Researchers found 20 vulnerabilities in Samsung’s SmartThings Hub, allowing attackers to control smart locks, remotely monitor the home via connected cameras and perform other alarming functions.

    SmartThings Hub uses a Linux-based firmware and allows for communications with various IoT devices using various wireless standards Zigbee, Z-Wave and Bluetooth. SmartThings supports a broad spectrum of third-party products- from Philips Hue smart lightbulbs, to Ring video doorbells, as well dozens more smart home products sold under the brands GE, Bose and Lutron.

    The breadth of potentially impacted products means an attacker could hack an array of connected home devices allowing adversaries to disable smart locks, turn off motion detectors, shut down smart plugs, control thermostats or even cause physical damage to appliances.

    A Samsung spokesperson told Threatpost patches have been deployed that fix the bugs.

    Reply
  9. Tomi Engdahl says:

    Podcast: The Industrial World is Facing a Security Crisis
    https://threatpost.com/podcast-the-industrial-world-is-facing-a-security-crisis/134385/

    Eddie Habibi, the CEO of industrial IoT security company PAS, sounds off on how to secure the increasingly connected industrial control space.

    Reply
  10. Tomi Engdahl says:

    Sen. Wyden Urges Government Ban on Adobe Flash
    https://threatpost.com/sen-wyden-urges-ban-of-adobe-flash-for-gov-use/134439/

    Senator sends letter to NSA and NIST urging a mandate to stop using Adobe Flash by August 2019.

    Citing security concerns, Sen. Ron Wyden is urging the government to create a plan to transition away from Adobe Flash before the vendor stops supporting it in 2020.

    To that end, the Oregon Democrat delivered a formal request to the National Security Agency and the National Institute of Standards and Technology (NIST) to mandate a ban on Flash, via an open letter sent Wednesday (PDF) to the agencies.

    Reply
  11. Tomi Engdahl says:

    Security Glitch in IoT Camera Enabled Remote Monitoring
    https://threatpost.com/security-glitch-in-iot-camera-enabled-remote-monitoring/134504/

    After researchers found a security glitch that let them hack into an IoT camera, the manufacturer of the camera has fixed the issue.

    Swann has patched a flaw in its connected cameras that would allow a remote attacker to access their video feeds.

    A research team, consisting of Andrew Tierney, Chris Wade and Ken Munro from Pen Test Partners, as well as security researchers Alan Woodward, Scott Helme and Vangelis Stykas, developed a proof-of-concept attack taking advantage of security issues in the device’s cloud service, Safe by Swann. They ultimately were able to access Swann-connected cameras via their mobile devices — so that they could see and hear footage on the other end.

    “As a consumer, I would be pretty bothered by the potential for someone else accessing my home video feed. Swann acted promptly and resolved the issue as soon as they became aware of it,” wrote Pen Test Partners in a posting on Thursday.

    After noticing a BBC article outlining how a BBC employee had seen someone else’s footage on the mobile app for their home security camera, the researchers decided to dig into the incident.

    The camera impacted is a battery-powered HD camera that is able to stream video either direct over the local network or via a cloud service, with the cloud provided by Ozvision. When a user logs into the system through Safe by Swann, a request is made (userListAssets) to the server. This returns a response containing the devices associated with the account.

    The researchers used proxy software (Charles – although they said Burp and MITMproxy also work) to intercept these serial numbers, and then altered them with another camera’s serial number.

    The researchers said they were easily able to find a serial number that corresponds to the targeted device via the API endpoint and APK.

    The researchers notified both Swann and Ozvision about the security flaw.

    “Ozvision already knew about the vulnerability, as Swann had informed them,” the researchers said. “The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.”
    However, the cloud service provider Ozvision was a different matter

    IoT Issues Rampant

    Security vulnerabilities continue to plague internet of things objects.

    Hacking Swann & FLIR/Lorex home security camera video
    https://www.pentestpartners.com/security-blog/hacking-swann-home-security-camera-video/

    A few weeks back we read a story on the BBC web site about a BBC employee seeing someone else’s video footage on the mobile app for their home security camera.

    It wasn’t clear how this happened, but we were intrigued, so we bought several of the cameras in question to see for ourselves. We put a team together to work on this, made up of me, Chris Wade and Ken Munro from PTP, plus the awesome Alan Woodward, Scott Helme and Vangelis Stykas.

    Reply
  12. Tomi Engdahl says:

    Hacking IoT Cameras with s/swnb479e7d24/swn1bf9f32f2/g
    https://scotthelme.co.uk/hacking-iot-cameras/

    Yep, that’s a pretty intriguing blog post title and it’s not often that you can literally put the payload for an attack into a title! I was invited to taked part in some research recently after a smart CCTV camera made the news here in the UK. Turns out that things were a little worse than they first appeared.

    Reply
  13. Tomi Engdahl says:

    Ecuador to withdraw asylum for Julian Assange in coming weeks or days
    https://securityaffairs.co/wordpress/74651/security/julian-assange-ecuador-asylum.html

    According to media, Ecuador is going to hand over the WikiLeaks founder Julian Assange to the UK in “coming weeks or even days.”

    In May 2017, Swedish prosecutors dropped their preliminary investigation into an allegation of rape against Julian Assange, but the Wikileaks founder fears that he would be extradited to the US, where he is facing federal charges his role in the Chelsea Manning‘s case.

    Three months ago, Ecuador blocked Assange from accessing the internet

    Which are current charges against Assange in the UK?

    The only criminal proceeding against Assange is a pending 2012 arrest warrant for “failure to surrender” that is considered by experts a minor bail violation charge.

    Reply
  14. Tomi Engdahl says:

    Mysterious snail mail from China sent to US agencies includes Malware-Laden CD
    https://securityaffairs.co/wordpress/74879/hacking/malware-laden-cd-hack.html

    Several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden CD Crooks and cyberspies attempt to exploit any attack vector to compromise the targeted computers

    Reply
  15. Tomi Engdahl says:

    Massive Singapore Healthcare Breach Possibly Involved Contractor
    https://www.securityweek.com/massive-singapore-healthcare-breach-possibly-involved-contractor

    Researchers have come across two Pastebin posts that could shed more light on the data breach that resulted in the health records of 1.5 million Singaporeans getting stolen by hackers.

    Authorities in Singapore announced on July 20 that a sophisticated threat actor had gained unauthorized access to a database of SingHealth, the city-state’s largest group of healthcare institutions.

    The incident, described as Singapore’s biggest ever data breach

    Reply
  16. Tomi Engdahl says:

    Microsoft Uncovers Multi-Tier Supply Chain Attack
    https://www.securityweek.com/microsoft-uncovers-multi-tier-supply-chain-attack

    Microsoft has shared details of a new attack that attempted to spread crypto-mining malware to a large number of users by compromising the software supplying partner of an application developer.

    The multi-tier attack relied on compromising the shared infrastructure between a PDF editor vendor and one of its partners that provided additional font packages for the application: the attackers aimed at the supply chain of the supply chain.

    It was then discovered that the application vendor itself hadn’t been compromised, but the malicious package was served by a partner that creates and distributes additional font packages used by the app.

    The attackers discovered a weakness in the interactions between the app vendor and its partner and also found a way to leverage it to hijack the installation chain of the MSI font packages, thus turning the PDF editor into the unexpected carrier of the malicious payload.

    Reply
  17. Tomi Engdahl says:

    Parasite HTTP RAT Packs Extensive Protection Mechanisms
    https://www.securityweek.com/parasite-http-rat-packs-extensive-protection-mechanisms

    A newly discovered remote access Trojan (RAT) dubbed Parasite HTTP includes a broad range of protections, including sandbox detection, anti-debugging, anti-emulation, and more, Proofpoint reports.

    The threat was recently used in a small email campaign targeting recipients primarily in the information technology, healthcare, and retail industries. The emails contained Microsoft Word attachments with malicious macros designed to download the RAT from a remote site.

    Written in C, the tool is advertised as having no dependencies, a small size of around 49Kb, and plugin support. Moreover, its author claims the malware supports dynamic API calls, has encrypted strings, features a secure command and control (C&C) panel written in PHP, can bypass firewalls, and features encrypted communications.

    Reply
  18. Tomi Engdahl says:

    Pentagon Creates ‘Do Not Buy’ List of Chinese and Russian Software Providers
    https://www.bleepingcomputer.com/news/government/pentagon-creates-do-not-buy-list-of-chinese-and-russian-software-providers/

    The Department of Defense (DOD) acquisition chief confirmed on Friday in a press conference that they’ve been silently working on a “Do Not Buy” list of companies known to use Chinese and Russian software in their products.

    Department shared the list with DOD agencies but have not enforced or made it obligatory.

    Defense contractors have been warned

    The Pentagon hopes these contractors will switch to products deemed safe for supplying the Pentagon with equipment and services for future contracts.

    “What we are doing is making sure that we do not buy software that’s Russian or Chinese provenance,” Lord said, as cited by Defense One. “Quite often that’s difficult to tell at first glance because of holding companies”

    Reply
  19. Tomi Engdahl says:

    “In their latest research, Onapsis and online monitoring firm Digital Shadows identified some 17,000 SAP and Oracle software installations exposed to the internet at more than 3,000 top companies, government agencies and universities.”
    via Reuters

    Study warns of rising hacker threats to SAP, Oracle business software
    https://www.reuters.com/article/us-cyber-secrets-sap-se-oracle/study-warns-of-rising-hacker-threats-to-sap-oracle-business-management-software-idUSKBN1KF1G8

    At least a dozen companies and government agencies have been targeted and thousands more are exposed to data breaches by hackers exploiting old security flaws in management software

    risks posed to thousands of unpatched business systems from software makers Oracle (ORCL.N) and SAP (SAPG.DE).

    These can enable hackers to steal corporate secrets

    failing to install patches or take other security measures advised by Oracle or SAP

    The alarm was raised because firms store highly sensitive data – including financial results, manufacturing secrets and credit card numbers – in the vulnerable products, known as enterprise resource planning (ERP) software

    signs of increasing hacker focus on ERP applications

    Many of these issues date back a decade or more, but the new report shows rapidly rising interest by hacker activists, cyber criminals and government spy agencies

    “These attackers are ready to exploit years-old risks that give them full access to SAP and Oracle systems without being detected,”

    customers are often reluctant to make fixes out of fear doing so might disrupt their manufacturing, sales or finance activities

    SECURITY BY OBSCURITY

    some 17,000 SAP and Oracle software installations exposed to the internet at more than 3,000 top companies, government agencies and universities.

    At least 10,000 servers are running incorrectly configured software

    More than 4,000 known bugs in SAP and 5,000 in Oracle software pose security threats

    “Publicly disclosed attacks are rare, so the problem remains largely ignored,”

    This year, hackers began exploiting a vulnerability in WebLogic servers which Oracle fixed last October.

    Reply
  20. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    Court docs: CA police have arrested a college student who allegedly was a member of OGUSERS and stole $5M+ worth of cryptocurrency by SIM swapping ~40 people

    ‘TELL YOUR DAD TO GIVE US BITCOIN:’ How a Hacker Allegedly Stole Millions by Hijacking Phone Numbers
    https://motherboard.vice.com/en_us/article/a3q7mz/hacker-allegedly-stole-millions-bitcoin-sim-swapping

    California authorities say a 20-year-old college student hijacked more than 40 phone numbers and stole $5 million, including some from cryptocurrency investors at a blockchain conference Consensus.

    The cops are starting to close in on hackers who hijack phone numbers to steal Bitcoin and other cryptocurrencies.

    On July 12, police in California arrested a college student accused of being part of a group of criminals who hacked dozens of cellphone numbers to steal more than $5 million in cryptocurrency. Joel Ortiz, a 20-year-old from Boston, allegedly hacked around 40 victims with the help of still unnamed accomplices, according to court documents obtained by Motherboard.

    This is the first reported case against someone who allegedly used the increasingly popular technique known as SIM swapping or SIM hijacking to steal bitcoin, other cryptocurrencies, and social media accounts.

    SIM swapping consists of tricking a provider like AT&T or T-Mobile into transferring the target’s phone number to a SIM card controlled by the criminal. Once they get the phone number, fraudsters can leverage it to reset the victims’ passwords and break into their online accounts (cryptocurrency accounts are common targets.) In some cases, this works even if the accounts are protected by two-factor authentication. This kind of attack, also known as “port out scam,” is relatively easy to pull off and has become widespread, as a recent Motherboard investigation showed.

    Investigators accuse Ortiz of being a prolific SIM hijacker who mainly targeted victims to steal their cryptocurrency but also to take over their social media accounts with the goal of selling them for Bitcoin.

    Ortiz allegedly stole more than $1.5 million from a cryptocurrency entrepreneur

    According to court documents, Ortiz took control of the entrepreneur’s cellphone number, reset his Gmail password and then gained access to his cryptocurrency accounts. The entrepreneur ran to the AT&T store to get his number back, but it was too late.

    Ortiz allegedly targeted the investor between February and March on several occasions. He hijacked his phone number twice, reset passwords on his email and cryptocurrency accounts, added his own two-factor Google authenticator app to further lock the victim out, and even harassed his daughter

    Reply
  21. Tomi Engdahl says:

    David Floyd / CoinDesk:
    Prediction markets that let users bet on assassinations of public figures or the number of days before the next mass shooting, start to appear on Augur

    The First Augur Assassination Markets Have Arrived
    https://www.coindesk.com/the-first-augur-assassination-markets-have-arrived/

    “Killed, not die of natural causes or accidents.”

    Pretty much everyone saw them coming, but it was no less disturbing when assassination markets actually began to appear on Augur, a decentralized protocol for betting on the outcomes of real-world events and that launched two weeks ago on ethereum.

    The markets – which allow users to bet on the fates of prominent politicians, entrepreneurs and celebrities – in some cases explicitly specify assassination

    In addition to targeting individuals, some markets offer bets on whether mass shootings and terrorist attacks with certain minimum numbers of casualties will occur.

    Augur was created by the Forecast Foundation and funded through an ICO in 2015. It is an uncensorable platform where users can create prediction markets based on the outcome of any verifiable event

    Augur became one of the most popular applications on ethereum shortly after launch. At the time of writing, it has nearly $1.5 million staked on over 600 markets,

    By creating a market for an assassination and placing a large “no” bet (actually, selling shares in the outcome), an individual or group could in effect place a bounty on the targeted person. The would-be assassin could then place a bet on “yes” (buy shares) and manipulate the outcome, to put it delicately.

    What’s next?

    Long before the first assassination markets appeared, users on Augur community forums frequently discussed their eventual creation

    One response would be for Augur’s “reporters” – the users designated by market creators to determine the outcome of the event being wagered on – to step in and quash the markets.

    it’s up to token holders’ consensus to decide whether taking out life insurance on other people is acceptable on Augur.

    No control

    “If the Forecast Foundation is compromised by a state agency,” Micah Zoltu, a developer who has worked on the platform, remarked, “the system can’t be turned off.”

    The individuals facing the most immediate legal risks may be the users who created these assassination markets.

    Reply
  22. Tomi Engdahl says:

    How hack on 10,000 WordPress sites was used to launch an epic malvertising campaign
    https://www.theregister.co.uk/2018/07/30/malvertising_wordpress/

    Crooks exploited legit web ad ecosystem – researchers

    Security researchers at Check Point have lifted the lid on the infrastructure and methods of an enormous “malvertising” and banking trojan campaign.

    The operation delivered malicious adverts to millions worldwide, slinging all manner of nasties including crypto-miners, ransomware and banking trojans.

    over 40,000 infection attempts per week from this campaign (that is, at least 40,000 clicks on malicious adverts)

    Check Point claimed that the brain behind the campaign – whom it dubbed Master134 – redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, a real-time bidding ad platform. They wrote that AdsTerra then sold it to advert resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds) which then went on to sell it to the highest bidding “advertiser”.

    However, the security researchers claimed, these “advertisers” were actually criminals looking to distribute ransomware, banking trojans, bots and other malware.

    Reply
  23. Tomi Engdahl says:

    Facebook Has Identified Ongoing Political Influence Campaign
    https://www.nytimes.com/2018/07/31/us/politics/facebook-political-campaign-midterms.html

    Facebook announced on Tuesday that it has identified a coordinated political influence campaign, with dozens of inauthentic accounts and pages that are believed to be engaging in political activity around divisive social issues ahead of November’s midterm elections.

    In a series of briefings on Capitol Hill this week and a public post on Tuesday, the company told lawmakers that it had detected and removed 32 pages and accounts connected to the influence campaign on Facebook and Instagram as part of its investigations into election interference. It publicly said it had been unable to tie the accounts to Russia

    Facebook suspends ‘inauthentic’ accounts, sees Russia link
    https://www.politico.com/story/2018/07/31/facebook-suspends-inauthentic-propaganda-accounts-752615

    The social media company says it sees ties to Russia’s 2016 election meddling

    Reply
  24. Tomi Engdahl says:

    Malware and ransomware see huge rises across the world
    By Anthony Spadafora 2018-07-10T16:31:23ZSecurity
    https://www.itproportal.com/news/malware-and-ransomware-see-huge-rises-across-the-world/

    Cybercriminals turn to encryption to help deliver their malicious payloads.

    Malware and ransomware attacks have returned in record numbers during the first half of 2018 according to the mid-year update to SonicWall’s annual Cyber Threat Report.

    Last year’s malware boom is showing no signs of slowing down and the firm’s threat researchers recorded 5.99bn malware attacks during the first half of 2018 compared to 2.97bn during the same period in 2017. The volume of malware attacks remained consistent in the first quarter before dropping to less than one billion per month across April, May and June.

    Cybercriminals have turned to encryption as a means of preventing their malicious payloads from being discovered. When compared to the first half of 2017, encrypted attacks have increased by 275 per cent.

    SonicWall CEO Bill Conner offered further insight on the increased adoption of encryption by cybercriminals, saying:

    “Encrypted attacks are a critical challenge in the industry. Far too few organizations are aware that cybercriminals are using encryption to circumvent traditional networks security controls, and others aren’t activating new mitigation techniques, such Deep Packet Inspection of SSL and TLS traffic (DPI-SSL). We predict encrypted attacks to increase in scale and sophistication until they become the standard for malware delivery. And we’re not that far off.”

    https://www.itproportal.com/features/startling-facts-you-need-to-know-about-ransomware-and-what-to-do-about-them/

    Reply
  25. Tomi Engdahl says:

    USB Accessory Can Defeat iOS’s New “USB Restricted Mode” Security Feature
    https://thehackernews.com/2018/07/bypass-ios-usb-restricted-mode.html

    With the release of iOS 11.4.1, Apple has finally rolled out a new security feature designed to protect your devices against USB accessories that connect to the data port, making it harder for law enforcement and hackers to break into your iPhone or iPad without your permission.

    Dubbed USB Restricted Mode, the feature automatically disables data connection capabilities of the Lightning port on your iPhone or iPad if the device has been locked for an hour or longer, while the port can still be used for device charging.

    In other words, every time you lock your iPhone, a countdown timer of an hour gets activated in the background, which if completed, enables the USB restricted mode to prevent unauthorized access to the data port.

    Once the USB Restricted Mode gets activated, there’s no way left for breaking into an iPhone or iPad without the user’s permission.

    The feature would, no doubt, defeat law enforcement’s use of special unlocking hardware made by Cellebrite and Grayshift from attempting multiple passcode guesses via the iPhone’s Lightning port.

    However, security researchers from ElcomSoft have found a simple way that could allow anyone to reset the countdown timer of USB Restricted Mode to effectively defeat the purpose of the new security feature.

    According to the researchers, by directly connecting a USB accessory—such as Apple’s $39 Lightning to USB 3 Camera adapter—to a targeted iOS device within an hour after it was last unlocked would reset the 1-hour countdown.

    https://blog.elcomsoft.com/2018/07/this-9-device-can-defeat-ios-usb-restricted-mode/

    Reply
  26. Tomi Engdahl says:

    Worm (Mirai?) Exploiting Android Debug Bridge (Port 5555/tcp)
    https://isc.sans.edu/diary/rss/23856

    Note that our honeypot has a web server listening on this port, so it is not going to respond to this sequence. As it turns out, this command is directed at the Android Debug Bridge, an optional feature in the Android operating system. Recently, researchers discovered that this feature appears to be enabled on some Android phones [1]. The feature does allow for full shell access to the phone, and the above command may be executed.

    The initial script downloaded

    Which then downloads the actual “worm” for various platforms and attempts to run them. A quick analysis of the file via virus total suggests that this is a Mirai variant

    Reply
  27. Tomi Engdahl says:

    Local authorization bypass by using suspend mode
    https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1777415

    Version: Ubuntu 16.04.04 LTS Desktop, all packets are updated at 15.06.2018
    Affects: access to latest user opened applications, that can contain sensitive information (documents, private information, passwords, etc.)

    “We’re unlikely to fix this, since having physical access means an attacker could simply access the hard disk directly or replace the password on it and unlock the computer.”

    Reply
  28. Tomi Engdahl says:

    LifeLock Bug Exposed Millions of Customer Email Addresses
    https://krebsonsecurity.com/2018/07/lifelock-bug-exposed-millions-of-customer-email-addresses/

    Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. The company just fixed a vulnerability on its site that allowed anyone with a Web browser to index email addresses associated with millions of customer accounts, or to unsubscribe users from all communications from the company.

    The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand. Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of Web site authentication and security.

    Reply
  29. Tomi Engdahl says:

    Inside and Beyond Ticketmaster: The Many Breaches of Magecart
    https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/

    On June 27th, Ticketmaster, a ticket sales and distribution company, made public they had been compromised and that hackers stole customer information. However, we discovered that this was not a one-off event as initially reported, but part of a massive digital credit card-skimming campaign by the threat group Magecart affecting over 800 e-commerce sites around the world.

    The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites. The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world.

    Reply
  30. Tomi Engdahl says:

    Less Than Half of Cyberattacks Detected via Antivirus: SANS
    https://www.darkreading.com/endpoint/less-than-half-of-cyberattacks-detected-via-antivirus-sans/d/d-id/1332309

    Companies are buying next-gen antivirus and fileless attack detection tools but few have the resources to use them, researchers report.

    Businesses are investing in more advanced endpoint security tools but don’t have the means to properly implement and use them, according to a new report from the SANS Institute.

    The SANS 2018 Survey on Endpoint Protection and Response polled 277 IT professionals on endpoint security concerns and practices. In this year’s survey, 42% of respondents reported endpoint exploits, down from 53% in 2017. However, the number of those who didn’t know they had been breached jumped from 10% in 2017 to 20% in 2018.

    Traditional tools are no longer sufficient to detect cyberattacks, the data shows: Antivirus systems only detected endpoint compromise 47% of the time; other attacks were caught through automated SIEM alerts (32%) and endpoint detection and response platforms (26%).

    Most endpoint attacks are intended to exploit users. More than 50% of respondents reported Web drive-by incidents, 53% pointed to social engineering and phishing attacks, and half cited ransomware. Credential theft was used in 40% of compromises reported, researchers state.

    Reply
  31. Tomi Engdahl says:

    The MITRE ATT&CK Framework: What You Need to Know
    https://www.tripwire.com/state-of-security/mitre-framework/mitre-attack-framework-what-know/

    The MITRE ATT&CK Framework has gained a lot of popularity in the security industry over the past year.

    I have spent a lot of time researching the hundreds of techniques, writing content to support the techniques, and talking about the value to anyone who will listen.

    For those who are not familiar, ATT&CK is the Adversarial Tactics Techniques and Common Knowledge framework available from MITRE. It is a curated knowledge base of 11 tactics and hundreds of techniques that attackers can leverage when compromising enterprises.

    Adversarial Tactics, Techniques & Common Knowledge
    http://attack.mitre.org/wiki/Main_Page

    Reply
  32. Tomi Engdahl says:

    Why Malware as a Business is on the Rise
    We might not have asked for a malware market, but it’s alive and growing every day.
    https://heimdalsecurity.com/blog/the-malware-economy/

    The alarming growth of malware attacks in the last years should concern each of us, but what is more important, should make us AWARE of the risks and consequences. Taking action and preventing these malicious activities operated by cybercriminals has to be a top priority IF we want to stay safe online.

    The reality is that cyber attackers now use different strains of malware, much more sophisticated and agile that prove to be effective and successful, challenging us to build a stronger defense against them.

    Malware evolves at a rapid pace because of advanced malware mastering the art of evasion. Thus, traditional antivirus engines find it difficult to detect attacks in the first stages. Malware is getting bigger and bigger. It fuels growth, innovation and encourages malicious actors to easily reach their goals.

    Reply
  33. Tomi Engdahl says:

    Time to Yank Cybercrime into the Light
    Too many organizations are still operating blindfolded, research finds.
    https://www.darkreading.com/attacks-breaches/time-to-yank-cybercrime-into-the-light/a/d-id/1332231

    At a time when the public and governments are watching their every move, today’s organizations are up against an unprecedented wave of crime and fraud-related risks that affect their internal and external relationships, regulatory status, and reputation. Unfortunately, not enough companies are truly aware of the fraud threats they face.

    According to PricewaterhouseCooper’s 2018 Global Economic Crime and Fraud (GECF) Survey, a poll of some 7,200 respondents across 123 different countries, 49% say their companies had been victimized by fraud or economic crime, up from 36% in 2016. This uptick can be attributed to a greater global awareness of fraud, more survey responses, and better understanding of what constitutes “fraud.” But every company — no matter how vigilant — can have blind spots.

    Some 44% of poll respondents indicate that they intend to increase spending in the next two years. Great — but where? These days, organizations are harnessing some seriously powerful technology and data analytics tools to battle the fraudsters. On top of these tech-based controls, many firms are also expanding whistleblower programs and taking care to keep leadership informed about real and potential breaches.

    Reply
  34. Tomi Engdahl says:

    Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111)
    https://researchcenter.paloaltonetworks.com/2018/07/unit42-analysis-dhcp-client-script-code-execution-vulnerability-cve-2018-1111/

    In May 2018, a command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in multiple versions of Red Hat Enterprise Linux (CVE-2018-1111), which has since been patched. An attacker could attack this vulnerability either through the use of a malicious DHCP server, or malicious, spoofed DHCP responses on the local network. A successful attack could execute arbitrary commands with root privileges on systems using NetworkManager with DHCP configured.

    This vulnerability poses a serious threat to individuals or organizations running vulnerable instance of Red Hat Enterprise Linux versions 6 or 7 and patches should be applied immediately.

    Reply
  35. Tomi Engdahl says:

    Researchers Mount Successful GPS Spoofing Attack Against Road Navigation Systems
    https://www.bleepingcomputer.com/news/security/researchers-mount-successful-gps-spoofing-attack-against-road-navigation-systems/

    Academics say they’ve mounted a successful GPS spoofing attack against road navigation systems that can trick humans into driving to incorrect locations.

    The research is of note because previous GPS spoofing attacks have been unable to trick humans, who, in past experiments, often received malicious driving instructions that didn’t make sense or were not in sync with the road infrastructure —for example taking a left on a straight highway.

    To perform the attack researchers developed an algorithm that works in near real-time, along with a portable GPS-spoofing device that costs about $223, which can be easily attached to a car or put on a vehicle tailing the target’s car at distances of up to 50 meters.

    Researchers say their algorithm allows an attacker to select an area where they could lure victims.

    “The algorithm crafts the GPS inputs to the target device such that the triggered navigation instruction and displayed routes on the map
    remain consistent with the physical road network,” researchers say. “In the physical world, the victim who follows the instruction would be led to a wrong route (or a wrong destination). ”

    Attack worked on 95% of human testers

    Academics said they tested their algorithm with traffic simulators but also in the real world, in China and the US.

    Reply
  36. Tomi Engdahl says:

    How Can an ISAC Improve Cybersecurity and Resilience?
    https://securityintelligence.com/how-can-an-isac-improve-cybersecurity-and-resilience/

    Sharing computer security threat information is now an established practice in IT. Whether automatically or manually, the primary motivator to pool resources is to improve your own capabilities and those of your peers for responding to security threats and incidents.

    Another factor that can significantly improve your ability is sharing knowledge and experiences. As it happens, there are organizations designed explicitly for that: information sharing and analysis centers (ISACs).

    Reply
  37. Tomi Engdahl says:

    Business E-mail Compromise The 12 Billion Dollar Scam
    https://www.ic3.gov/media/2018/180712.aspx

    This Public Service Announcement (PSA) is an update and companion to Business E-mail Compromise (BEC) PSA 1-050417-PSA posted on http://www.ic3.gov. This PSA includes new Internet Crime Complaint Center (IC3) complaint information and updated statistical data for the time frame October 2013 to May 2018.

    DEFINITION

    Business E-mail Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.

    The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

    The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.

    Reply
  38. Tomi Engdahl says:

    One-Third of Businesses Lack a Cybersecurity Expert
    https://www.darkreading.com/threat-intelligence/one-third-of-businesses-lack-a-cybersecurity-expert/d/d-id/1332317

    Alarming, yes, but it’s actually an improvement over past years, a new Gartner survey of more than 3,000 CIOs reveals.

    Reply
  39. Tomi Engdahl says:

    Security Gap Grows
    https://semiengineering.com/security-gap-grows/

    Concerns about breaches is up, but the number of attacks is still rising.

    There is far more talk about security in designs these days, and far more security features being added into chips and systems. So why isn’t it making a dent in the number of cyberattacks?

    According to the Online Trust Alliance, there were 159,700 cyber incidents in 2017 around the globe. But the group notes that because most incidents are not reported, the real number could be twice as large. This is about twice what it was in 2016, with the biggest increase due to ransom-based attacks. Also of note, 93% were avoidable, the agency said.

    Reply
  40. Tomi Engdahl says:

    Passwords for Tens of Thousands of Dahua Devices Cached in IoT Search Engine
    https://www.bleepingcomputer.com/news/security/passwords-for-tens-of-thousands-of-dahua-devices-cached-in-iot-search-engine/

    Login passwords for tens of thousands of Dahua devices have been cached inside search results returned by ZoomEye, a search engine for discovering Internet-connected devices (also called an IoT search engine).

    People are still running DVRs with ancient firmware

    This vulnerability is CVE-2013-6117, discovered and detailed by Jake Reynolds, a security researcher with Depth Security.

    According to the researcher’s blog post and to Anubhav, who explained the exploitation process to Bleeping Computer yesterday, an attacker can initiate a raw TCP connection on a Dahua DVR on port 37777 to sent a special payload.

    Once a Dahua device receives this payload, it responds with DDNS credentials for accessing the device, and other data, all in plaintext.

    The vulnerability has been known since 2013 and has been since patched, but many Dahua device owners have failed to update their equipment, and even to this day have continued to deploy DVRs running the antiquated firmware online.

    Reply
  41. Tomi Engdahl says:

    What Drives a Ransomware Criminal? CoinVault Developers Convicted in Dutch Court
    https://securingtomorrow.mcafee.com/mcafee-labs/what-drives-a-ransomware-criminal-coinvault-developers-convicted-in-dutch-court/

    How often do we get a chance to learn what goes on in the minds of cybercriminals? Two members of McAfee’s Advanced Threat Research team recently did, as they attended a court case against two cybercriminal brothers.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*