Cyber Security September 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.


289 Comments

  1. Tomi Engdahl says:

    “Lawful intercept” Pegasus spyware found deployed in 45 countries
    https://www.zdnet.com/article/lawful-intercept-pegasus-spyware-found-deployed-in-45-countries/

    At least ten operators of Pegasus spyware have deployed the malware outside their country’s border, new Citizen Lab report finds.

    Reply
  2. Tomi Engdahl says:

    Bizarre botnet infects your PC to scrub away cryptocurrency mining malware
    https://www.zdnet.com/article/bizarre-botnet-infects-your-pc-to-scrub-away-malware/

    The peculiar botnet, based on Satori, compromises your devices for the sole purpose of cleaning them up.

    Good guy vigilante, or error in coding? A strange botnet has appeared on the scene which instead of infecting devices in order to enslave them, appears to be actually wiping them clean of cryptocurrency mining malware.

    On Monday, researchers from Qihoo’s 360Netlab said that Fbot, a botnet based on Satori botnet coding, is demonstrating some extremely odd behavior for such a system.

    Satori is a botnet variant based on Mirai, the infamous botnet which was able to take down online services across an entire country.

    Satori’s code was released to the public in January. Since then, we have seen variants which target mining rigs for cryptojacking purposes;

    Botnets are generally bad news.

    However, Fbot is not characteristic of your typical botnet.

    The researchers say that Fbot appeared on the radar last week and it appears the only job this botnet has is to chase down systems infected by another botnet, com.ufo.miner, a variant of ADB.Miner.

    The botnet targets Android devices — including smartphones, the Amazon Fire TV, and set-top boxes — for the purpose of cryptojacking and covertly mining for Monero (XMR) with the help of the Coinhive mining script.

    Fbot, A Satori Related Botnet Using Block-chain DNS System
    https://blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/

    Reply
  3. Tomi Engdahl says:

    Cybercrime: Ransomware remains a ‘key’ malware threat says Europol
    https://www.zdnet.com/article/cybercrime-ransomware-remains-a-key-malware-threat-says-europol/

    Targeted attacks replace spam campaigns, but Europol’s annual cybercrime report also warns that cryptojacking malware “may overtake ransomware as a future threat”.

    Ransomware remains the top malware threat to organisations, causing millions of dollars of damage and remaining a potent tool for cyber criminals and nation-state attackers.

    The rise of highly targeted file-locking malware campaigns and the threat posed by nation-state backed campaigns, means ransomware “remains the key malware threat in both law enforcement and industry reporting,” warns Europol’s 2018 Internet Organised Crime Threat Assessment (IOCTA) report.

    The damage of high profile campaigns like WannaCry, NotPetya and Bad Rabbit still loom large in the memory, with figures in the report suggesting a global loss of more than $5bn as a result of these attacks.

    Internet Organised Crime Threat Assessment 2018
    https://www.europol.europa.eu/internet-organised-crime-threat-assessment-2018

    Reply
  4. Tomi Engdahl says:

    Expandable ads can be entry points for site hacks
    https://www.zdnet.com/article/expandable-ads-can-be-entry-points-for-site-hacks/

    Researcher finds XSS vulnerabilities in iframe busters, scripts that power expandable ads that grow and cover a large area of the page.

    Reply
  5. Tomi Engdahl says:

    David Meyer / Fortune:
    Italian court sentences a man who sold hospitality businesses fake reviews on TripAdvisor to nine months in jail
    http://fortune.com/2018/09/13/tripadvisor-review-fraud-italy-promosalento/

    Reply
  6. Tomi Engdahl says:

    Wisconsin Officials Prepare for Potential Election Hackers
    https://www.securityweek.com/wisconsin-officials-prepare-potential-election-hackers

    A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official.

    These are some of the potential vulnerabilities of Wisconsin’s election system described by cybersecurity experts.

    State officials insist they are on top of the problem and that Wisconsin’s elections infrastructure is secure because, among other safeguards, voting machines are not connected to the internet and each vote is backed by a paper ballot to verify results.

    Reply
  7. Tomi Engdahl says:

    Amazon Probing Staff Data Leaks
    https://www.securityweek.com/amazon-probing-staff-data-leaks

    Amazon is investigating allegations that some of its staff sold confidential customer data to third party companies particularly in China, the online giant confirmed on Sunday.

    Reply
  8. Tomi Engdahl says:

    EternalBlue-Vulnerable Systems Serially Infected
    https://www.securityweek.com/eternalblue-vulnerable-systems-serially-infected

    Windows machines that haven’t been patched against the National Security Agency-linked EternalBlue exploit are stuck in an endless loop of infection, Avira warns.

    The EternalBlue exploit, which the Shadow Brokers hacking group stole from the NSA-linked Equation Group, is best known for its role in the WannaCry outbreak last year.

    The ransomware hit mostly Windows 7 and Windows XP machines, and for good reason. Its spread mechanism was targeting a vulnerability in Windows’ Server Message Block (SMB) on port 445, which mainly impacted those platform iterations.

    Reply
  9. Tomi Engdahl says:

    Code Execution in Alpine Linux Impacts Containers
    https://www.securityweek.com/code-execution-alpine-linux-impacts-containers

    A security researcher discovered several vulnerabilities in Alpine Linux, a distribution commonly used with Docker, including one that could allow for arbitrary code execution.

    Based on musl and BusyBox, the Alpine Linux distribution has a small size and is heavily used in containers, including Docker, as it provides fast boot times.

    APK, the default package manager in Alpine, is impacted by several bugs, security researcher Max Justicz has discovered. The most important of them, the researcher says, could allow a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine.

    Reply
  10. Tomi Engdahl says:

    Altaba Settles Yahoo Breach Lawsuits for $47 Million
    https://www.securityweek.com/altaba-settles-yahoo-breach-lawsuits-47-million

    Altaba, the investment company that resulted from Verizon’s $4.5 billion acquisition of Yahoo’s Internet business last year, has agreed to settle consumer class action lawsuits triggered by the massive data breaches suffered by Yahoo in the past years.

    Yahoo revealed in September 2016 that its systems had been breached in late 2014 by what it believed to be a state-sponsored threat actor that had managed to access data from at least 500 million accounts.

    Reply
  11. Tomi Engdahl says:

    Facebook Offers Rewards for Access Token Exposure Flaws
    https://www.securityweek.com/facebook-offers-rewards-access-token-exposure-flaws

    Facebook announced on Monday that it has expanded its bug bounty program to introduce rewards for reports describing vulnerabilities that involve the exposure of user access tokens.

    Reply
  12. Tomi Engdahl says:

    F-Secure: passwords in one secure place
    http://etn.fi/index.php?option=com_content&view=article&id=8448&via=n&datum=2018-09-18_14:32:59&mottagare=31202

    F-Secure has updated its TOTAL security package. The renewed product bundle promises to protect all of the user's devices, their connections to the outside world (also on public networks), their passwords and even the smart devices in the home, if the new SENSE router is bought as part of the package. Password management has been made very easy.

    Reply
  13. Tomi Engdahl says:

    Apple Has Started Paying Hackers for iPhone Exploits
    https://motherboard.vice.com/en_us/article/qvapxq/apple-iphone-bug-bounty-payments

    Despite their value in the grey market, security researchers are reporting bugs as part of the Apple iOS Bug Bounty program, and some are getting rewards.

    Reply
  14. Tomi Engdahl says:

    Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
    https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/

    Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.

    Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya). It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya).

    Xbash spreads by attacking weak passwords and unpatched vulnerabilities.

    Xbash is data-destructive; destroying Linux-based databases as part of its ransomware capabilities. We can also find no functionality within Xbash that would enable restoration after the ransom is paid. This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware.

    Reply
  15. Tomi Engdahl says:

    Man uses smart phone app to steal Tesla from Mall of America
    http://www.fox9.com/news/man-uses-smart-phone-app-to-steal-tesla-from-mall-of-america

    An alleged car thief can be seen arriving at the Mall of America on surveillance footage only minutes before using technology to steal a Tesla.

    Police say the man somehow manipulated the Tesla app to unlock and start the car, disabling the GPS before leaving town.

    Reply
  16. Tomi Engdahl says:

    Ransomware Attack Takes Down Bristol Airport’s Flight Display Screens
    https://thehackernews.com/2018/09/cyberattack-bristol-airport.html

    Reply
  17. Tomi Engdahl says:

    State Department confirms data breach exposed employee data
    https://techcrunch.com/2018/09/18/state-department-confirms-data-breach-exposing-employee-data/?utm_source=tcfbpage&sr_share=facebook

    The State Department has confirmed a data breach affecting an unknown number of employees.

    Reply
  18. Tomi Engdahl says:

    Major US mobile carriers want to be your password
    https://nakedsecurity.sophos.com/2018/09/14/major-us-mobile-carriers-want-to-be-your-password/

    If password-only security is reaching its end of days, what will replace it?

    For years, many have assumed that some form of new authentication must be the answer without being able to agree on which.

    Now an alliance of big US mobile carriers – Verizon, AT&T, Sprint, and T-Mobile – has added a new possibility to the mix under the banner of Project Verify.

    https://youtu.be/RNjshhOHGPY

    Reply
  19. Tomi Engdahl says:

    GovPayNow.com Leaks 14M+ Records
    https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/

    Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.

    Reply
  20. Tomi Engdahl says:

    Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras
    https://threatpost.com/zero-day-bug-allows-hackers-to-access-cctv-surveillance-cameras/137499/

    Firmware used in up to 800,000 CCTV cameras open to attack thanks to buffer overflow zero-day bug.

    Between 180,000 and 800,000 IP-based closed-circuit television cameras are vulnerable to a zero-day vulnerability that allows hackers to access surveillance cameras, spy on and manipulate video feeds or plant malware.

    NUUO, the Taipei, Taiwan-based company that makes the firmware, is expected to issue a patch for the bug Tuesday. The company lists over 100 different partners including Sony, Cisco Systems, D-Link and Panasonic. It’s unclear how many OEM partners may use the vulnerable firmware.

    The vulnerabilities (CVE-2018-1149, CVE-2018-1150), dubbed Peekaboo by Tenable, are tied to the software’s NUUO NVRMini2 webserver software.

    Reply
  21. Tomi Engdahl says:

    Cyber attacks cost German industry almost $50 billion: study
    https://www.reuters.com/article/us-germany-security-cyber/cyber-attacks-cost-german-industry-almost-50-billion-study-idUSKCN1LT12T

    Two thirds of Germany’s manufacturers have been hit by cyber-crime attacks, costing industry in Europe’s largest economy some 43 billion euros ($50 billion).

    “With its worldwide market leaders, German industry is particularly interesting for criminals,”

    “Illegal knowledge and technology transfer … is a mass phenomenon,”

    Reply
  22. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Cloudflare adds new “one-click” DNSSEC setup to make it far more difficult to spoof websites, likely increasing the protocol’s woeful adoption rate

    Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites
    https://techcrunch.com/2018/09/18/cloudflare-dnssec-one-click-securing-internet/

    Bad news first: the internet has been broken for a while. The good news is that Cloudflare thinks it can make it slightly less broken.

    With “the click of one button,” the networking giant said Tuesday, its users can now switch on DNSSEC in their dashboard. In doing so, Cloudflare hopes it removes a major pain-point in adopting the web security standard, which many haven’t set up — either because it’s so complicated and arduous, or too expensive.

    It’s part of a push by the San Francisco-based networking giant to try to make the pipes of the internet more secure — even from the things you can’t see.

    DNS, which translates web addresses into computer-readable IP addresses, has been plagued with vulnerabilities, making it easy to hijack any step of the process to surreptitiously send users to fake or malicious sites.

    Take two incidents in the past year — where traffic to and from Amazon and separately Google, Facebook, Apple, and Microsoft were hijacked and rerouted for between minutes and hours at a time.

    That’s where a security-focused DNS evolution — DNSSEC — is meant to help. It’s like DNS, but it protects requests end-to-end, from computer or mobile device to the web server of the site you’re trying to visit, by cryptographically signing the data so that it’s far tougher — if not impossible — to spoof.

    But DNSSEC adoption is woefully low. Just three percent of websites in the Fortune 1000 sign their primary domains.

    Just like HTTPS was slow to adopt over the years — but finally took off in 2015 — there’s hope that DNSSEC can follow the same fate.

    Reply
  23. Tomi Engdahl says:

    Hackers behind Mirai botnet could be sentenced to working for the FBI
    https://www.cnet.com/news/hackers-behind-mirai-botnet-could-be-sentenced-to-working-for-the-fbi/

    This comes after more than 18 months of already helping the FBI stop cyberattacks.

    Reply
  24. Tomi Engdahl says:

    93% of Forbes Global 2000 Don’t Stress Vulnerability Disclosure Policies, Says HackerOne Report
    https://securityboulevard.com/2018/09/93-of-forbes-global-2000-dont-stress-vulnerability-disclosure-policies-says-hackerone-report/

    As many as 93 percent of companies in the Forbes Global 2000 list don’t include a vulnerability disclosure policy among top business concerns, according to HackerOne’s The Hacker-Powered Security Report 2018, a deep dive into bug bounty and vulnerability disclosure in the financial services and insurance industries.

    Reply
  25. Tomi Engdahl says:

    Remote access bug turns Western Digital My Cloud into Everyone’s Cloud
    https://www.theregister.co.uk/2018/09/18/remote_access_bug_turns_western_digital_my_cloud_into_everyones_cloud/

    An elevation of privilege flaw in the Western Digital My Cloud
    platform allows attackers to gain admin-level access to the device via
    an HTTP request.

    Reply
  26. Tomi Engdahl says:

    EEVblog reports data breach in Australia:

    eevBLAB #52 – My Personal Data STOLEN from the Government!
    https://www.youtube.com/watch?v=znvIAEquD3k

    All my personal data was STOLEN from the Western Australian Government’s Perth Mint thanks to a third party data breach.
    Obvious serious identity theft implications for customers as a result.

    http://www.eevblog.com/forum/blog/eevblab-52-my-personal-data-stolen-from-the-government!/

    Reply
  27. Tomi Engdahl says:

    Symantec Launches Free Election Security Service
    https://www.securityweek.com/symantec-launches-free-election-security-service

    Symantec on Tuesday announced the launch of a new service that aims to make elections more secure by helping candidates and political organizations improve their security posture and detect fake websites.

    With midterm elections coming up in the United States, tech companies and government agencies have launched various products and initiatives aimed at improving election security.

    Reply
  28. Tomi Engdahl says:

    Georgia’s Use of Electronic Voting Machines Allowed for Midterms
    https://www.securityweek.com/georgias-use-electronic-voting-machines-allowed-midterms

    Judge Amy Totenberg ruled Monday that the state of Georgia’s existing plans for the midterm elections to be conducted via some 27,000 Diebold AccuVote DRE touchscreen voting machines must stand. Her remarks, however, suggest that this should be the last time.

    This coupled with the exposure of the registration details of 6.7 million Georgia voters on an unprotected internet-facing database, repeated demonstrations that such voting machines can be hacked, federal government advice that audit trails are necessary, and the constitutional right for citizens to vote was the basis of the plaintiffs’ argument.

    Reply
  29. Tomi Engdahl says:

    Critical RCE Peekaboo Bug in NVR Surveillance System, PoC Available
    https://www.bleepingcomputer.com/news/security/critical-rce-peekaboo-bug-in-nvr-surveillance-system-poc-available/

    A critical vulnerability in software from a global vendor of video surveillance equipment puts at risk the security of video feeds from over 100 camera brands and more than 2,500 camera models.

    Jacob Baines, senior research engineer at cybersecurity company Tenable, discovered in NVRMini2’s video management software an unauthenticated stack buffer overflow that leads to remote code execution.

    Dubbed Peekaboo, the vulnerability is now tracked as CVE-2018-1149 and received a critical severity score.

    NVRMini2 is a portable network video recorder (NVR) that doubles as a NAS (network attached storage) device, created by NUUO, a company that offers it to partners under an OEM license or as a white-label.

    NUUO products, both software and hardware, are used for web-based surveillance in various industries (retail, banking, transportation, education, government).

    For this reason, the total number of devices impacted is difficult to estimate. However, according to information from NUUO, the company has over 100,000 installations deployed worldwide.

    Reply
  30. Tomi Engdahl says:

    Using Certificate Transparency as an Attack / Defense Tool
    https://isc.sans.edu/forums/diary/Using+Certificate+Transparency+as+an+Attack+Defense+Tool/24114/

    Certificate Transparency is a program that we’ve all heard about, but might not have had direct contact with. We do hear about it from time to time, for instance when Google (or someone else) busts a CA for generating certificates that should not exist (which is what eventually led to the Symantec CA implosion event ..). I kinda knew about it mostly from mentions in the ISC Stormcast.

    Anyway, the Cert Transparency program has Certificate Authorities keeping a transparent log of EV certificates since Jan 1, 2015, and logs for DV and OV certificates as of May 2, 2018 (more here: https://www.certificate-transparency.org/ ). This means that there are central, queryable repos for all SSL certificates. As soon as I hear “central database” and “API”, I tend to ask “how can I use that for other purposes” – for instance, how can I use that in Penetration Tests?

    Reply
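    The defensive side of the same idea, as an added example that is not part of the ISC diary above: because CT logs are a central, queryable record of issued certificates, a domain owner can scan log entries for certificates that name their own domain but come from a CA they never use, and for lookalike names (homoglyphs, one or two edits away, or their brand label buried inside a longer name) that typically precede phishing. The entries below are constructed, not real CT records; the registrable-domain logic assumes a two-label domain instead of consulting the Public Suffix List, and the homoglyph table is a small hand-picked set.

```python
"""Scan Certificate Transparency log entries for certificates that name a
monitored domain (from an unexpected CA) or a lookalike of it.
Added example; the entries below are constructed, not real CT records."""
from dataclasses import dataclass


@dataclass
class CTEntry:
    issuer: str       # issuer CN as it appears in the logged (pre)certificate
    names: list       # subject CN plus subjectAltNames
    not_before: str   # validity start, ISO date


# Constructed sample entries, modelled on the fields a CT leaf carries.
SAMPLE_ENTRIES = [
    CTEntry("Let's Encrypt Authority X3", ["www.example.com", "example.com"], "2018-09-17"),
    CTEntry("Some CA", ["login.example.com"], "2018-09-18"),           # our name, unknown CA
    CTEntry("Some CA", ["exarnple.com", "www.exarnple.com"], "2018-09-18"),  # "rn" reads as "m"
    CTEntry("Some CA", ["examp1e.com"], "2018-09-18"),                 # digit one for "l"
    CTEntry("Some CA", ["unrelated.org"], "2018-09-18"),
    CTEntry("Some CA", ["example.com.evil.test"], "2018-09-18"),       # brand label embedded
    CTEntry("Some CA", ["exmaple.com"], "2018-09-18"),                 # transposition
]

# Character sequences that read like another letter in common fonts (assumed, hand-picked).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s"}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name):
    """Last two labels of a name. Assumption: two-label registrable domains;
    a real deployment would consult the Public Suffix List instead."""
    return ".".join(name.split(".")[-2:])


def classify(name, monitored, max_distance=2):
    """Return 'owned', 'lookalike' or 'unrelated' for one certificate name."""
    name = name.lower().lstrip("*.")              # wildcard certs count as the base name
    if name == monitored or name.endswith("." + monitored):
        return "owned"
    base = registrable(monitored).split(".")[0]   # e.g. "example"
    cand = registrable(name).split(".")[0]
    norm = cand
    for glyph, letter in HOMOGLYPHS.items():      # undo visual substitutions
        norm = norm.replace(glyph, letter)
    if norm == base or edit_distance(cand, base) <= max_distance:
        return "lookalike"
    if base in name.replace("-", ".").split("."):  # brand label inside a longer name
        return "lookalike"
    return "unrelated"


def scan_ct_entries(entries, monitored, allowed_issuers):
    """One finding per entry: lookalike names, or our own names from a CA not on the allow list."""
    findings = []
    for entry in entries:
        kinds = {n: classify(n, monitored) for n in entry.names}
        lookalikes = [n for n, k in kinds.items() if k == "lookalike"]
        owned = [n for n, k in kinds.items() if k == "owned"]
        if lookalikes:
            findings.append({"category": "lookalike", "issuer": entry.issuer,
                             "names": lookalikes, "not_before": entry.not_before})
        elif owned and entry.issuer not in allowed_issuers:
            findings.append({"category": "unexpected_issuer", "issuer": entry.issuer,
                             "names": owned, "not_before": entry.not_before})
    return findings


if __name__ == "__main__":
    for f in scan_ct_entries(SAMPLE_ENTRIES, "example.com", {"Let's Encrypt Authority X3"}):
        print(f"{f['category']:17} {f['issuer']:28} {', '.join(f['names'])}")
```

    The edit-distance threshold of 2 is generous; on a short brand label it will flag many legitimate names, so tune it per domain and treat the output as a triage queue rather than an alert feed.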
  31. Tomi Engdahl says:

    Political Figures Differ Online: Names of Trump, Obama, Merkel Attached to Ransomware Campaigns
    https://securingtomorrow.mcafee.com/mcafee-labs/political-figures-differ-online-names-of-trump-obama-merkel-attached-to-ransomware-campaigns/

    Politics and ransomware. No, it’s not a lost single from the Oasis back catalogue, but in fact a relatively recent tactic by ransomware developers looking to exploit the profiles of major politicians to install ransomware on victims’ computers. Donald Trump, Angela Merkel, and now Barack Obama all serve as lures for the unsuspecting. Despite its claims, does the “Obama campaign” deliver the ransomware it advertises? Well, perhaps not.

    Reply
  32. Tomi Engdahl says:

    ‘I am admin’ bug turns WD’s My Cloud boxes into Everyone’s Cloud
    Western Digital NAS machines vulnerable to hijacking via HTTP cookies
    https://www.theregister.co.uk/2018/09/18/remote_access_vulnerability_western_digital_my_cloud/

    Miscreants can potentially gain admin-level control over Western Digital’s My Cloud gear via an HTTP request over the network or internet.

    Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and login with admin privileges.

    Reply
  33. Tomi Engdahl says:

    New Botnet Hides in Blockchain DNS Mist and Removes Cryptominer
    https://www.bleepingcomputer.com/news/security/new-botnet-hides-in-blockchain-dns-mist-and-removes-cryptominer/

    A new botnet captured the attention of security researchers through its harmless behavior and the use of an original communication channel with its command and control server.

    Fbot is a peculiar variant of Mirai that preserves the original DDoS module but does not appear to use it. This is not the oddest thing yet because its purpose at the moment is to search for devices infected with a cryptomining malware and clean them.

    Security researchers from Qihoo’s 360Netlab discovered the new strain and noticed that it hunted down a botnet malware called ‘com.ufo.miner,’ a known variant of ADB.Miner that mines for Monero on Android devices (smartphones, smart TVs, set-top boxes).

    Reply
  34. Tomi Engdahl says:

    HIDE AND SEEK Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries
    https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

    Between August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group’s Pegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one of which appears to be run by a separate operator.
    We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.

    Reply
  35. Tomi Engdahl says:

    Powerful Android and iOS Spyware Found Deployed in 45 Countries
    https://thehackernews.com/2018/09/android-ios-hacking-tool.html

    One of the world’s most dangerous Android and iPhone spyware program has been found deployed against targets across 45 countries around the world over the last two years, a new report from Citizen Lab revealed.

    Reply
  36. Tomi Engdahl says:

    Sep 18
    GovPayNow.com Leaks 14M+ Records
    https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/

    Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.

    Reply
  37. Tomi Engdahl says:

    The Death of Symantec’s Digital Certificate Business
    https://hackercombat.com/the-death-of-symantecs-digital-certificate-business/

    Certificate Authentication is a serious business; it is a business entity that keeps the trust-based digital certificate system secure, the very foundation of the encryption standard in the web we have today. One wrong move and the certificate authority loses the business and exits the digital certificate market, no exemptions. Following the demise of the once-popular certificate authority DigiNotar in Sep 2011, Symantec is exiting the TLS certificate business due to its exposed shady practices.

    Symantec sells digital certificates under the brands Symantec, RapidSSL, Geotrust, and Thawte. Its business establishment will be defunct in favor of the highly trusted certificate authority Digicert. The pressure comes from the top two browsers, Google Chrome and Mozilla Firefox: starting October 2018, all digital certificates issued under the brands Symantec, RapidSSL, Geotrust, and Thawte will be denied by the two browsers mentioned.

    Reply
