The peculiar botnet, based on Satori, compromises your devices for the sole purpose of cleaning them up.
Good guy vigilante, or error in coding? A strange botnet has appeared on the scene which instead of infecting devices in order to enslave them, appears to be actually wiping them clean of cryptocurrency mining malware.
On Monday, researchers from Qihoo’s 360Netlab said that Fbot, a botnet based on Satori botnet coding, is demonstrating some extremely odd behavior for such a system.
Satori is a botnet variant based on Mirai, the infamous botnet which was able to take down online services across an entire country.
Satori’s code was released to the public in January. Since then, we have seen variants which target mining rigs for cryptojacking purposes;
Botnets are generally bad news.
However, Fbot is not characteristic of your typical botnet.
The researchers say that Fbot appeared on the radar last week and it appears the only job this botnet has is to chase down systems infected by another botnet, com.ufo.miner, a variant of ADB.Miner.
The botnet targets Android devices — including smartphones, the Amazon Fire TV, and set-top boxes — for the purpose of cryptojacking and covertly mining for Monero (XMR) with the help of the Coinhive mining script.
Targeted attacks replace spam campaigns, but Europol’s annual cybercrime report also warns that cryptojacking malware “may overtake ransomware as a future threat”.
Ransomware remains the top malware threat to organisations, causing millions of dollars of damage and remaining a potent tool for cyber criminals and nation-state attackers.
The rise of highly targeted file-locking malware campaigns and the threat posed by nation-state backed campaigns, means ransomware “remains the key malware threat in both law enforcement and industry reporting,” warns Europol’s 2018 Internet Organised Crime Threat Assessment (IOCTA) report.
The damage of high profile campaigns like WannaCry, NotPetya and Bad Rabbit still loom large in the memory, with figures in the report suggesting a global loss of more than $5bn as a result of these attacks.
A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official.
These are some of the potential vulnerabilities of Wisconsin’s election system described by cybersecurity experts.
State officials insist they are on top of the problem and that Wisconsin’s elections infrastructure is secure because, among other safeguards, voting machines are not connected to the internet and each vote is backed by a paper ballot to verify results.
Amazon is investigating allegations that some of its staff sold confidential customer data to third party companies particularly in China, the online giant confirmed on Sunday.
Windows machines that haven’t been patched against the National Security Agency-linked EternalBlue exploit are stuck in an endless loop of infection, Avira warns.
The EternalBlue exploit, which the Shadow Brokers hacking group stole from the NSA-linked Equation Group, is best known for its role in the WannaCry outbreak last year.
The ransomware hit mostly Windows 7 and Windows XP machines, and for good reason. Its spread mechanism was targeting a vulnerability in Windows’ Server Message Block (SMB) on port 445, which mainly impacted those platform iterations.
A security researcher discovered several vulnerabilities in Alpine Linux, a distribution commonly used with Docker, including one that could allow for arbitrary code execution.
Based on musl and BusyBox, the Alpine Linux distribution has a small size and is heavily used in containers, including Docker, as it provides fast boot times.
APK, the default package manager in Alpine, is impacted by several bugs, security researcher Max Justicz has discovered. The most important of them, the researcher says, could allow a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine.
Altaba, the investment company that resulted from Verizon’s $4.5 billion acquisition of Yahoo’s Internet business last year, has agreed to settle consumer class action lawsuits triggered by the massive data breaches suffered by Yahoo in the past years.
Yahoo revealed in September 2016 that its systems had been breached in late 2014 by what it believed to be a state-sponsored threat actor that had managed to access data from at least 500 million accounts.
Facebook announced on Monday that it has expanded its bug bounty program to introduce rewards for reports describing vulnerabilities that involve the exposure of user access tokens.
F-Secure on päivittänyt TOTAL-tietoturvapakettiaan. Uudistettu tuotepaketti lupaa suojata kaikki käyttäjän laitteet, yhteydet ulkomaailmaan myös julkisissa verkoissa, salasanat ja jopa kodin älylaitteet, jos pakettiin hankkii mukaan uuden SENSE-reitittimen. Salasanojen hallinnasta on tehty erittäin helppoa.
Despite their value in the grey market, security researchers are reporting bugs as part of the Apple iOS Bug Bounty program, and some are getting rewards.
Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.
Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya). It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya).
Xbash spreads by attacking weak passwords and unpatched vulnerabilities.
Xbash is data-destructive; destroying Linux-based databases as part of its ransomware capabilities. We can also find no functionality within Xbash that would enable restoration after the ransom is paid. This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware.
If password-only security is reaching its end of days, what will replace it?
For years, many have assumed that some form of new authentication must be the answer without being able to agree on which.
Now an alliance of big US mobile carriers – Verizon, AT&T, Sprint, and T-Mobile – has added a new possibility to the mix under the banner of Project Verify.
Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
Firmware used in up to 800,000 CCTV cameras open to attack thanks to buffer overflow zero-day bug.
Between 180,000 and 800,000 IP-based closed-circuit television cameras are vulnerable to a zero-day vulnerability that allows hackers to access surveillance cameras, spy on and manipulate video feeds or plant malware.
NUUO, the Taipei, Taiwan-base company that makes the firmware, is expected to issue a patch for the bug Tuesday. The company lists over a 100 different partners including Sony, Cisco Systems, D-Link and Panasonic. It’s unclear how many OEM partners may use the vulnerable firmware.
The vulnerabilities (CVE-2018-1149, CVE-2018-1150), dubbed Peekaboo by Tenable, are tied to the software’s NUUO NVRMini2 webserver software.
Two thirds of Germany’s manufacturers have been hit by cyber-crime attacks, costing industry in Europe’s largest economy some 43 billion euros ($50 billion)
“With its worldwide market leaders, German industry is particularly interesting for criminals,”
“Illegal knowledge and technology transfer … is a mass phenomenon,”
Zack Whittaker / TechCrunch:
Cloudflare adds new “one-click” DNSSEC setup to make it far more difficult to spoof websites, likely increasing the protocol’s woeful adoption rate
Bad news first: the internet is broken for a while. The good news is that Cloudflare thinks it can make it slightly less broken.
With “the click of one button,” the networking giant said Tuesday, its users can now switch on DNSSEC in their dashboard. In doing so, Cloudflare hopes it removes a major pain-point in adopting the web security standard, which many haven’t set up — either because it’s so complicated and arduous, or too expensive.
It’s part of a push by the San Francisco-based networking giant to try to make the pipes of the internet more secure — even from the things you can’t see.
DNS, which translates web addresses into computer-readable IP addresses, has been plagued with vulnerabilities, making it easy to hijack any step of the process to surreptitiously send users to fake or malicious sites.
Take two incidents in the past year — where traffic to and from Amazon and separately Google, Facebook, Apple, and Microsoft were hijacked and rerouted for between minutes and hours at a time.
That’s where a security-focused DNS evolution — DNSSEC — is meant to help. It’s like DNS, but it protects requests end-to-end, from computer or mobile device to the web server of the site you’re trying to visit, by cryptographically signing the data so that it’s far tougher — if not impossible — to spoof.
But DNSSEC adoption is woefully low. Just three percent of websites in the Fortune 1000 sign their primary domains
Just like HTTPS was slow to adopt over the years — but finally took off in 2015 — there’s hope that DNSSEC can follow the same fate.
As many as 93 percent of companies in the Forbes Global 2000 list don’t include a vulnerability disclosure policy among top business concerns, according to HackerOne’s The Hacker-Powered Security Report 2018, a deep dive into bug bounty and vulnerability disclosure in the financial services and insurance industries.
All my personal data was STOLEN from the Western Australian Government’s Perth Mint thanks to a third party data breach.
Obvious serious identity theft implications for customers as a result.
Symantec on Tuesday announced the launch of a new service that aims to make elections more secure by helping candidates and political organizations improve their security posture and detect fake websites.
With midterm elections coming up in the United States, tech companies and government agencies have launched various products and initiatives aimed at improving election security.
Judge Amy Totenberg ruled Monday that the state of Georgia’s existing plans for the midterm elections to be conducted via some 27,000 Diebold AccuVote DRE touchscreen voting machines must stand. Her remarks, however, suggest that this should be the last time.
This coupled with the exposure of the registration details of 6.7 million Georgia voters on an unprotected internet-facing database, repeated demonstrations that such voting machines can be hacked, federal government advice that audit trails are necessary, and the constitutional right for citizens to vote was the basis of the plaintiffs’ argument.
A critical vulnerability in software from a global vendor of video surveillance equipment puts at risk the security of video feeds from over 100 camera brands and more than 2,500 camera models.
Jacob Baines, senior research engineer at cybersecurity company Tenable, discovered in NVRMini2′s video management software an unauthenticated stack buffer overflow that leads to remote code execution.
Dubbed Peekaboo, the vulnerability is now tracked as CVE-2018-1149 and received a critical severity score.
NVRMini2 is a portable network video recorder (NVR) that doubles as a NAS (network attached storage) device, created by NUUO, a company that offers it to partners under an OEM license or as a white-label.
NUUO products, both software and hardware, are used for web-based surveillance in various industries (retail, banking, transportation, education, government).
For this reason, the total number of devices impacted is difficult to estimate. However, according to information from NUUO, the company has over 100,000 installations deployed worldwide.
Certificate Transparency is a program that we’ve all heard about, but might not have had direct contact with. We do hear about it from time to time, for instance when Google (or someone else) busts a CA for generating certificates that should not exist (which is what eventually led to the Symantec CA implosion event ..). I kinda knew about mostly from mentions in the ISC Stormcast.
Anyway, the Cert Transparency program has Certifficate Authorities keeping a transparent log of EV certificates since Jan 1, 2015, and logs for DV and OV certificates as of May 2, 2018 (more here: https://www.certificate-transparency.org/ ). This means that there are central, queriable repo’s for all SSL certificates. As soon as I hear “central database” and “API”, I tend to ask “how can I use that for other purposes” – for instance, how I use that in Penetration Tests?
Politics and ransomware. No, it’s not a lost single from the Oasis back catalogue, but in fact a relatively recent tactic by ransomware developers looking to exploit the profiles of major politicians to install ransomware on victims’ computers. Donald Trump, Angela Merkel, and now Barack Obama all serve as lures for the unsuspecting. Despite its claims, does the “Obama campaign” deliver the ransomware it advertises? Well, perhaps not.
Miscreants can potentially gain admin-level control over Western Digital’s My Cloud gear via an HTTP request over the network or internet.
Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and login with admin privileges.
A new botnet captured the attention of security researchers through its harmless behavior and the use of an original communication channel with its command and control server.
Fbot is a peculiar variant of Mirai that preserves the original DDoS module but does not appear to use it. This is not the oddest thing yet because its purpose at the moment is to search for devices infected with a cryptomining malware and clean them.
Security researchers from Qihoo’s 360Netlab discovered the new strain and noticed that it hunted down a botnet malware called ‘com.ufo.miner,’ a known variant of ADB.Miner that mines for Monero on Android devices (smartphones, smart TVs, set-top boxes).
Between August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group’s Pegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one which appears to be run by a separate operator.
We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.
One of the world’s most dangerous Android and iPhone spyware program has been found deployed against targets across 45 countries around the world over the last two years, a new report from Citizen Lab revealed.
Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
Certificate Authentication is a serious business; it is a business entity that keeps the trust-based digital certificate system secure. The very foundation of the encryption standard in the web we have today. One wrong move and the certificate authority loses the business and exits the digital certificate market, no exemptions. Following the demise of the user to be a popular certificate authority, DigiNotar in Sep 2011, Symantec is exiting the TLS certificate business due to its exposed shady practices.
Symantec sells digital certificate under the brand: Symantec, RapidSSL, Geotrust, and Thawte. Its business establishment will be defunct in favor of the highly trusted certificate authority: Digicert. The pressure comes from the top two browsers: Google Chrome and Mozilla Firefox, starting October 2018, all digital certificate issued under the brands: Symantec, RapidSSL, Geotrust, and Thawte will be denied by the two browsers mentioned.
A little-known Windows feature will create a file that stores text extracted from all the emails and plaintext-files found on your PC, which sometimes may reveal passwords or private conversations.
If you’re one of the people who own a stylus or touchscreen-capable Windows PC, then there’s a high chance there’s a file on your computer that has slowly collected sensitive data for the past months or even years.
This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text.
The handwriting to formatted text conversion feature has been added in Windows 8, which means the WaitList.dat file has been around for years.
The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others.
“In my testing, population of WaitList.dat commences after you begin using handwriting gestures,” Skeggs told ZDNet in an interview.
“Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature,” Skeggs says.
Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This doesn’t include only metadata, but the actual document’s text.
“If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file,” he says. This provides crucial forensic evidence for analysts like Skeggs that a file and its content had once existed on a PC.
The U.S. Department of Defense this week released its 2018 cyber strategy, which outlines how the organization plans on implementing the country’s national security and defense strategies in cyberspace.
Foreign government hackers continue to target the personal email accounts of U.S. senators and their aides — and the Senate’s security office has refused to defend them, a lawmaker says.
Sen. Ron Wyden, an Oregon Democrat, said in a Wednesday letter to Senate leaders that his office discovered that “at least one major technology company” has warned an unspecified number of senators and aides that their personal email accounts were “targeted by foreign government hackers.” Similar methods were employed by Russian military agents who leaked the contents of private email inboxes to influence the 2016 elections.
Updates released on Wednesday by Adobe for the Windows and macOS versions of Acrobat and Reader address a total of 7 vulnerabilities, including a critical flaw that can allow arbitrary code execution.
The security holes affect Acrobat DC and Acrobat Reader DC (continuous track) 2018.011.20058 and earlier versions; Acrobat 2017 and Acrobat Reader 2017 (classic 2017 track) 2017.011.30099 and earlier versions; and Acrobat DC and Acrobat Reader DC (classic 2015 track) 2015.006.30448 and earlier versions.
Illicit cryptocurrency mining has been surging over the past year, in part due to a leaked software tool from the US National Security Agency, researchers said Wednesday.
A report by the Cyber Threat Alliance, an association of cybersecurity firms and experts, said it detected a 459 percent increase in the past year of illicit crypto mining
One reason for the sharp rise was the leak last year by a group of hackers known as the Shadow Brokers of “EternalBlue,” software developed by the NSA to exploit vulnerabilities in the Windows operating system.
A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.
Click2Gov, a product developed by Superion, is designed to provide cities “interactive self-service bill-pay options for utilities, community development and finance.”
The first reports of breaches at Click2Gov customers emerged in October 2017, when Superion published a statement saying that suspicious activity had been detected at some customers using on-premise servers. The company said its investigation, which had been assisted by a PCI forensic investigation firm, had not found any evidence of credit card scrapers or credit card data extraction.
Google on Tuesday announced the general availability of a tool that helps G Suite customers identify security issues within their domains, and take action.
An Iranian government-aligned group of hackers launched a major campaign targeting Mideast energy firms and others ahead of U.S. sanctions on Iran, a cybersecurity firm said Tuesday, warning further attacks remain possible as America re-imposes others on Tehran.
Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
The US State Department has confirmed one of its email systems was attacked, potentially exposing the personal information of some of its employees.
Uncle Sam’s officials said in a statement to The Register on Tuesday that “suspicious activity” in its email system led it to send out warnings to a number of employees whose personal information may have been exposed to network intruders.
However, it didn’t specify exactly what information had been accessed, though it noted that no classified data had been accessed – those documents are transmitted through a separate email system.
The State Department has promised to foot the bill for three years of credit and identity theft monitoring to those workers. According to its own estimates, the State Department employs around 69,000 people, meaning if the numbers are to be believed somewhere around 600-700 people were impacted by this incident.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
493 Comments
Tomi Engdahl says:
“Lawful intercept” Pegasus spyware found deployed in 45 countries
https://www.zdnet.com/article/lawful-intercept-pegasus-spyware-found-deployed-in-45-countries/
At least ten operators of Pegasus spyware have deployed the malware outside their country’s border, new Citizen Lab report finds.
Tomi Engdahl says:
Bizarre botnet infects your PC to scrub away cryptocurrency mining malware
https://www.zdnet.com/article/bizarre-botnet-infects-your-pc-to-scrub-away-malware/
The peculiar botnet, based on Satori, compromises your devices for the sole purpose of cleaning them up.
Good guy vigilante, or error in coding? A strange botnet has appeared on the scene which instead of infecting devices in order to enslave them, appears to be actually wiping them clean of cryptocurrency mining malware.
On Monday, researchers from Qihoo’s 360Netlab said that Fbot, a botnet based on Satori botnet coding, is demonstrating some extremely odd behavior for such a system.
Satori is a botnet variant based on Mirai, the infamous botnet which was able to take down online services across an entire country.
Satori’s code was released to the public in January. Since then, we have seen variants which target mining rigs for cryptojacking purposes;
Botnets are generally bad news.
However, Fbot is not characteristic of your typical botnet.
The researchers say that Fbot appeared on the radar last week and it appears the only job this botnet has is to chase down systems infected by another botnet, com.ufo.miner, a variant of ADB.Miner.
The botnet targets Android devices — including smartphones, the Amazon Fire TV, and set-top boxes — for the purpose of cryptojacking and covertly mining for Monero (XMR) with the help of the Coinhive mining script.
Fbot, A Satori Related Botnet Using Block-chain DNS System
https://blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/
Tomi Engdahl says:
Cybercrime: Ransomware remains a ‘key’ malware threat says Europol
https://www.zdnet.com/article/cybercrime-ransomware-remains-a-key-malware-threat-says-europol/
Targeted attacks replace spam campaigns, but Europol’s annual cybercrime report also warns that cryptojacking malware “may overtake ransomware as a future threat”.
Ransomware remains the top malware threat to organisations, causing millions of dollars of damage and remaining a potent tool for cyber criminals and nation-state attackers.
The rise of highly targeted file-locking malware campaigns and the threat posed by nation-state backed campaigns, means ransomware “remains the key malware threat in both law enforcement and industry reporting,” warns Europol’s 2018 Internet Organised Crime Threat Assessment (IOCTA) report.
The damage of high profile campaigns like WannaCry, NotPetya and Bad Rabbit still loom large in the memory, with figures in the report suggesting a global loss of more than $5bn as a result of these attacks.
Internet Organised Crime Threat Assessment 2018
https://www.europol.europa.eu/internet-organised-crime-threat-assessment-2018
Tomi Engdahl says:
Expandable ads can be entry points for site hacks
https://www.zdnet.com/article/expandable-ads-can-be-entry-points-for-site-hacks/
Researcher finds XSS vulnerabilities in iframe busters, scripts that power expandable ads that grow and cover a large area of the page.
Tomi Engdahl says:
David Meyer / Fortune:
Italian court sentences a man who sold hospitality businesses fake reviews on TripAdvisor to nine months in jail
http://fortune.com/2018/09/13/tripadvisor-review-fraud-italy-promosalento/
Tomi Engdahl says:
Wisconsin Officials Prepare for Potential Election Hackers
https://www.securityweek.com/wisconsin-officials-prepare-potential-election-hackers
A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official.
These are some of the potential vulnerabilities of Wisconsin’s election system described by cybersecurity experts.
State officials insist they are on top of the problem and that Wisconsin’s elections infrastructure is secure because, among other safeguards, voting machines are not connected to the internet and each vote is backed by a paper ballot to verify results.
Tomi Engdahl says:
Amazon Probing Staff Data Leaks
https://www.securityweek.com/amazon-probing-staff-data-leaks
Amazon is investigating allegations that some of its staff sold confidential customer data to third party companies particularly in China, the online giant confirmed on Sunday.
Tomi Engdahl says:
EternalBlue-Vulnerable Systems Serially Infected
https://www.securityweek.com/eternalblue-vulnerable-systems-serially-infected
Windows machines that haven’t been patched against the National Security Agency-linked EternalBlue exploit are stuck in an endless loop of infection, Avira warns.
The EternalBlue exploit, which the Shadow Brokers hacking group stole from the NSA-linked Equation Group, is best known for its role in the WannaCry outbreak last year.
The ransomware hit mostly Windows 7 and Windows XP machines, and for good reason. Its spread mechanism was targeting a vulnerability in Windows’ Server Message Block (SMB) on port 445, which mainly impacted those platform iterations.
Tomi Engdahl says:
Code Execution in Alpine Linux Impacts Containers
https://www.securityweek.com/code-execution-alpine-linux-impacts-containers
A security researcher discovered several vulnerabilities in Alpine Linux, a distribution commonly used with Docker, including one that could allow for arbitrary code execution.
Based on musl and BusyBox, the Alpine Linux distribution has a small size and is heavily used in containers, including Docker, as it provides fast boot times.
APK, the default package manager in Alpine, is impacted by several bugs, security researcher Max Justicz has discovered. The most important of them, the researcher says, could allow a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine.
Tomi Engdahl says:
Altaba Settles Yahoo Breach Lawsuits for $47 Million
https://www.securityweek.com/altaba-settles-yahoo-breach-lawsuits-47-million
Altaba, the investment company that resulted from Verizon’s $4.5 billion acquisition of Yahoo’s Internet business last year, has agreed to settle consumer class action lawsuits triggered by the massive data breaches suffered by Yahoo in the past years.
Yahoo revealed in September 2016 that its systems had been breached in late 2014 by what it believed to be a state-sponsored threat actor that had managed to access data from at least 500 million accounts.
Tomi Engdahl says:
Facebook Offers Rewards for Access Token Exposure Flaws
https://www.securityweek.com/facebook-offers-rewards-access-token-exposure-flaws
Facebook announced on Monday that it has expanded its bug bounty program to introduce rewards for reports describing vulnerabilities that involve the exposure of user access tokens.
Tomi Engdahl says:
F-Secure: salasanat yhteen turvalliseen paikkaan
http://etn.fi/index.php?option=com_content&view=article&id=8448&via=n&datum=2018-09-18_14:32:59&mottagare=31202
F-Secure on päivittänyt TOTAL-tietoturvapakettiaan. Uudistettu tuotepaketti lupaa suojata kaikki käyttäjän laitteet, yhteydet ulkomaailmaan myös julkisissa verkoissa, salasanat ja jopa kodin älylaitteet, jos pakettiin hankkii mukaan uuden SENSE-reitittimen. Salasanojen hallinnasta on tehty erittäin helppoa.
Tomi Engdahl says:
Apple Has Started Paying Hackers for iPhone Exploits
https://motherboard.vice.com/en_us/article/qvapxq/apple-iphone-bug-bounty-payments
Despite their value in the grey market, security researchers are reporting bugs as part of the Apple iOS Bug Bounty program, and some are getting rewards.
Tomi Engdahl says:
Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.
Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya). It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya).
Xbash spreads by attacking weak passwords and unpatched vulnerabilities.
Xbash is data-destructive; destroying Linux-based databases as part of its ransomware capabilities. We can also find no functionality within Xbash that would enable restoration after the ransom is paid. This means that, similar to NotPetya, Xbash is data destructive malware posing as ransomware.
Tomi Engdahl says:
Man uses smart phone app to steal Tesla from Mall of America
http://www.fox9.com/news/man-uses-smart-phone-app-to-steal-tesla-from-mall-of-america
An alleged car thief can be seen arriving at the Mall of America on surveillance footage only minutes before using technology to steal a Tesla.
Police say the man somehow manipulated the Tesla app to unlock and start the car, disabling the GPS before leaving town.
Tomi Engdahl says:
Ransomware Attack Takes Down Bristol Airport’s Flight Display Screens
https://thehackernews.com/2018/09/cyberattack-bristol-airport.html
Tomi Engdahl says:
State Department confirms data breach exposed employee data
https://techcrunch.com/2018/09/18/state-department-confirms-data-breach-exposing-employee-data/?utm_source=tcfbpage&sr_share=facebook
The State Department has confirmed a data breach affecting an unknown number of employees.
Tomi Engdahl says:
Major US mobile carriers want to be your password
https://nakedsecurity.sophos.com/2018/09/14/major-us-mobile-carriers-want-to-be-your-password/
If password-only security is reaching its end of days, what will replace it?
For years, many have assumed that some form of new authentication must be the answer without being able to agree on which.
Now an alliance of big US mobile carriers – Verizon, AT&T, Sprint, and T-Mobile – has added a new possibility to the mix under the banner of Project Verify.
https://youtu.be/RNjshhOHGPY
Tomi Engdahl says:
GovPayNow.com Leaks 14M+ Records
https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/
Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
Tomi Engdahl says:
Zero-Day Bug Allows Hackers to Access CCTV Surveillance Cameras
https://threatpost.com/zero-day-bug-allows-hackers-to-access-cctv-surveillance-cameras/137499/
Firmware used in up to 800,000 CCTV cameras open to attack thanks to buffer overflow zero-day bug.
Between 180,000 and 800,000 IP-based closed-circuit television cameras are vulnerable to a zero-day vulnerability that allows hackers to access surveillance cameras, spy on and manipulate video feeds or plant malware.
NUUO, the Taipei, Taiwan-base company that makes the firmware, is expected to issue a patch for the bug Tuesday. The company lists over a 100 different partners including Sony, Cisco Systems, D-Link and Panasonic. It’s unclear how many OEM partners may use the vulnerable firmware.
The vulnerabilities (CVE-2018-1149, CVE-2018-1150), dubbed Peekaboo by Tenable, are tied to the software’s NUUO NVRMini2 webserver software.
Tomi Engdahl says:
Cyber attacks cost German industry almost $50 billion: study
https://www.reuters.com/article/us-germany-security-cyber/cyber-attacks-cost-german-industry-almost-50-billion-study-idUSKCN1LT12T
Two thirds of Germany’s manufacturers have been hit by cyber-crime attacks, costing industry in Europe’s largest economy some 43 billion euros ($50 billion)
“With its worldwide market leaders, German industry is particularly interesting for criminals,”
“Illegal knowledge and technology transfer … is a mass phenomenon,”
Tomi Engdahl says:
Britain’s ‘Wild West’ crypto market should be regulated, say lawmakers
https://www.reuters.com/article/us-crypto-currencies/britains-wild-west-crypto-market-should-be-regulated-say-lawmakers-idUSKCN1LY37J
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Cloudflare adds new “one-click” DNSSEC setup to make it far more difficult to spoof websites, likely increasing the protocol’s woeful adoption rate
Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites
https://techcrunch.com/2018/09/18/cloudflare-dnssec-one-click-securing-internet/
Bad news first: the internet is broken for a while. The good news is that Cloudflare thinks it can make it slightly less broken.
With “the click of one button,” the networking giant said Tuesday, its users can now switch on DNSSEC in their dashboard. In doing so, Cloudflare hopes it removes a major pain-point in adopting the web security standard, which many haven’t set up — either because it’s so complicated and arduous, or too expensive.
It’s part of a push by the San Francisco-based networking giant to try to make the pipes of the internet more secure — even from the things you can’t see.
DNS, which translates web addresses into computer-readable IP addresses, has been plagued with vulnerabilities, making it easy to hijack any step of the process to surreptitiously send users to fake or malicious sites.
Take two incidents in the past year — where traffic to and from Amazon and separately Google, Facebook, Apple, and Microsoft were hijacked and rerouted for between minutes and hours at a time.
That’s where a security-focused DNS evolution — DNSSEC — is meant to help. It’s like DNS, but it protects requests end-to-end, from computer or mobile device to the web server of the site you’re trying to visit, by cryptographically signing the data so that it’s far tougher — if not impossible — to spoof.
But DNSSEC adoption is woefully low. Just three percent of websites in the Fortune 1000 sign their primary domains
Just like HTTPS was slow to adopt over the years — but finally took off in 2015 — there’s hope that DNSSEC can follow the same fate.
Tomi Engdahl says:
Hackers behind Mirai botnet could be sentenced to working for the FBI
https://www.cnet.com/news/hackers-behind-mirai-botnet-could-be-sentenced-to-working-for-the-fbi/
This comes after more than 18 months of already helping the FBI stop cyberattacks.
Tomi Engdahl says:
93% of Forbes Global 2000 Don’t Stress Vulnerability Disclosure Policies, Says HackerOne Report
https://securityboulevard.com/2018/09/93-of-forbes-global-2000-dont-stress-vulnerability-disclosure-policies-says-hackerone-report/
As many as 93 percent of companies in the Forbes Global 2000 list don’t include a vulnerability disclosure policy among top business concerns, according to HackerOne’s The Hacker-Powered Security Report 2018, a deep dive into bug bounty and vulnerability disclosure in the financial services and insurance industries.
Tomi Engdahl says:
Remote access bug turns Western Digital My Cloud into Everyone’s Cloud
https://www.theregister.co.uk/2018/09/18/remote_access_bug_turns_western_digital_my_cloud_into_everyones_cloud/
An elevation of privilege flaw in the Western Digital My Cloud
platform allows attackers to gain admin-level access to the device via
an HTTP request.
Tomi Engdahl says:
EEVblog reports data breach in Australia:
eevBLAB #52 – My Personal Data STOLEN from the Government!
https://www.youtube.com/watch?v=znvIAEquD3k
All my personal data was STOLEN from the Western Australian Government’s Perth Mint thanks to a third party data breach.
Obvious serious identity theft implications for customers as a result.
http://www.eevblog.com/forum/blog/eevblab-52-my-personal-data-stolen-from-the-government!/
Tomi Engdahl says:
Symantec Launches Free Election Security Service
https://www.securityweek.com/symantec-launches-free-election-security-service
Symantec on Tuesday announced the launch of a new service that aims to make elections more secure by helping candidates and political organizations improve their security posture and detect fake websites.
With midterm elections coming up in the United States, tech companies and government agencies have launched various products and initiatives aimed at improving election security.
Tomi Engdahl says:
Georgia’s Use of Electronic Voting Machines Allowed for Midterms
https://www.securityweek.com/georgias-use-electronic-voting-machines-allowed-midterms
Judge Amy Totenberg ruled Monday that the state of Georgia’s existing plans for the midterm elections to be conducted via some 27,000 Diebold AccuVote DRE touchscreen voting machines must stand. Her remarks, however, suggest that this should be the last time.
This coupled with the exposure of the registration details of 6.7 million Georgia voters on an unprotected internet-facing database, repeated demonstrations that such voting machines can be hacked, federal government advice that audit trails are necessary, and the constitutional right for citizens to vote was the basis of the plaintiffs’ argument.
Tomi Engdahl says:
Critical RCE Peekaboo Bug in NVR Surveillance System, PoC Available
https://www.bleepingcomputer.com/news/security/critical-rce-peekaboo-bug-in-nvr-surveillance-system-poc-available/
A critical vulnerability in software from a global vendor of video surveillance equipment puts at risk the security of video feeds from over 100 camera brands and more than 2,500 camera models.
Jacob Baines, senior research engineer at cybersecurity company Tenable, discovered in NVRMini2′s video management software an unauthenticated stack buffer overflow that leads to remote code execution.
Dubbed Peekaboo, the vulnerability is now tracked as CVE-2018-1149 and received a critical severity score.
NVRMini2 is a portable network video recorder (NVR) that doubles as a NAS (network attached storage) device, created by NUUO, a company that offers it to partners under an OEM license or as a white-label.
NUUO products, both software and hardware, are used for web-based surveillance in various industries (retail, banking, transportation, education, government).
For this reason, the total number of devices impacted is difficult to estimate. However, according to information from NUUO, the company has over 100,000 installations deployed worldwide.
Tomi Engdahl says:
Using Certificate Transparency as an Attack / Defense Tool
https://isc.sans.edu/forums/diary/Using+Certificate+Transparency+as+an+Attack+Defense+Tool/24114/
Certificate Transparency is a program that we’ve all heard about, but might not have had direct contact with. We do hear about it from time to time, for instance when Google (or someone else) busts a CA for generating certificates that should not exist (which is what eventually led to the Symantec CA implosion event ..). I kinda knew about mostly from mentions in the ISC Stormcast.
Anyway, the Cert Transparency program has Certifficate Authorities keeping a transparent log of EV certificates since Jan 1, 2015, and logs for DV and OV certificates as of May 2, 2018 (more here: https://www.certificate-transparency.org/ ). This means that there are central, queriable repo’s for all SSL certificates. As soon as I hear “central database” and “API”, I tend to ask “how can I use that for other purposes” – for instance, how I use that in Penetration Tests?
Tomi Engdahl says:
Political Figures Differ Online: Names of Trump, Obama, Merkel Attached to Ransomware Campaigns
https://securingtomorrow.mcafee.com/mcafee-labs/political-figures-differ-online-names-of-trump-obama-merkel-attached-to-ransomware-campaigns/
Politics and ransomware. No, it’s not a lost single from the Oasis back catalogue, but in fact a relatively recent tactic by ransomware developers looking to exploit the profiles of major politicians to install ransomware on victims’ computers. Donald Trump, Angela Merkel, and now Barack Obama all serve as lures for the unsuspecting. Despite its claims, does the “Obama campaign” deliver the ransomware it advertises? Well, perhaps not.
Tomi Engdahl says:
‘I am admin’ bug turns WD’s My Cloud boxes into Everyone’s Cloud
Western Digital NAS machines vulnerable to hijacking via HTTP cookies
https://www.theregister.co.uk/2018/09/18/remote_access_vulnerability_western_digital_my_cloud/
Miscreants can potentially gain admin-level control over Western Digital’s My Cloud gear via an HTTP request over the network or internet.
Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and login with admin privileges.
Tomi Engdahl says:
https://www.wired.com/story/mirai-botnet-creators-fbi-sentencing/
Tomi Engdahl says:
New Botnet Hides in Blockchain DNS Mist and Removes Cryptominer
https://www.bleepingcomputer.com/news/security/new-botnet-hides-in-blockchain-dns-mist-and-removes-cryptominer/
A new botnet captured the attention of security researchers through its harmless behavior and the use of an original communication channel with its command and control server.
Fbot is a peculiar variant of Mirai that preserves the original DDoS module but does not appear to use it. This is not the oddest thing yet because its purpose at the moment is to search for devices infected with a cryptomining malware and clean them.
Security researchers from Qihoo’s 360Netlab discovered the new strain and noticed that it hunted down a botnet malware called ‘com.ufo.miner,’ a known variant of ADB.Miner that mines for Monero on Android devices (smartphones, smart TVs, set-top boxes).
Tomi Engdahl says:
HIDE AND SEEK Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries
https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/
Between August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group’s Pegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one which appears to be run by a separate operator.
We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.
Tomi Engdahl says:
Powerful Android and iOS Spyware Found Deployed in 45 Countries
https://thehackernews.com/2018/09/android-ios-hacking-tool.html
One of the world’s most dangerous Android and iPhone spyware program has been found deployed against targets across 45 countries around the world over the last two years, a new report from Citizen Lab revealed.
Tomi Engdahl says:
Sep 18
GovPayNow.com Leaks 14M+ Records
https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/
Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.
Tomi Engdahl says:
The Death of Symantec’s Digital Certificate Business
https://hackercombat.com/the-death-of-symantecs-digital-certificate-business/
Certificate Authentication is a serious business; it is a business entity that keeps the trust-based digital certificate system secure. The very foundation of the encryption standard in the web we have today. One wrong move and the certificate authority loses the business and exits the digital certificate market, no exemptions. Following the demise of the user to be a popular certificate authority, DigiNotar in Sep 2011, Symantec is exiting the TLS certificate business due to its exposed shady practices.
Symantec sells digital certificate under the brand: Symantec, RapidSSL, Geotrust, and Thawte. Its business establishment will be defunct in favor of the highly trusted certificate authority: Digicert. The pressure comes from the top two browsers: Google Chrome and Mozilla Firefox, starting October 2018, all digital certificate issued under the brands: Symantec, RapidSSL, Geotrust, and Thawte will be denied by the two browsers mentioned.
Tomi Engdahl says:
This Windows file may be secretly hoarding your passwords and emails
https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/
A little-known Windows feature will create a file that stores text extracted from all the emails and plaintext-files found on your PC, which sometimes may reveal passwords or private conversations.
If you’re one of the people who own a stylus or touchscreen-capable Windows PC, then there’s a high chance there’s a file on your computer that has slowly collected sensitive data for the past months or even years.
This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text.
The handwriting to formatted text conversion feature has been added in Windows 8, which means the WaitList.dat file has been around for years.
The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others.
“In my testing, population of WaitList.dat commences after you begin using handwriting gestures,” Skeggs told ZDNet in an interview.
“Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature,” Skeggs says.
Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This doesn’t include only metadata, but the actual document’s text.
“If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file,” he says. This provides crucial forensic evidence for analysts like Skeggs that a file and its content had once existed on a PC.
Tomi Engdahl says:
https://docs.microsoft.com/en-us/windows/desktop/tablet/about-handwriting-recognition
Tomi Engdahl says:
Department of Defense Releases New Cyber Strategy
https://www.securityweek.com/department-defense-releases-new-cyber-strategy
The U.S. Department of Defense this week released its 2018 cyber strategy, which outlines how the organization plans on implementing the country’s national security and defense strategies in cyberspace.
Tomi Engdahl says:
Lawmaker: US Senate, Staff Targeted by State-Backed Hackers
https://www.securityweek.com/lawmaker-us-senate-staff-targeted-state-backed-hackers
Foreign government hackers continue to target the personal email accounts of U.S. senators and their aides — and the Senate’s security office has refused to defend them, a lawmaker says.
Sen. Ron Wyden, an Oregon Democrat, said in a Wednesday letter to Senate leaders that his office discovered that “at least one major technology company” has warned an unspecified number of senators and aides that their personal email accounts were “targeted by foreign government hackers.” Similar methods were employed by Russian military agents who leaked the contents of private email inboxes to influence the 2016 elections.
Tomi Engdahl says:
Adobe Patches Code Execution, Other Flaws in Acrobat and Reader
https://www.securityweek.com/adobe-patches-code-execution-other-flaws-acrobat-and-reader
Updates released on Wednesday by Adobe for the Windows and macOS versions of Acrobat and Reader address a total of 7 vulnerabilities, including a critical flaw that can allow arbitrary code execution.
The security holes affect Acrobat DC and Acrobat Reader DC (continuous track) 2018.011.20058 and earlier versions; Acrobat 2017 and Acrobat Reader 2017 (classic 2017 track) 2017.011.30099 and earlier versions; and Acrobat DC and Acrobat Reader DC (classic 2015 track) 2015.006.30448 and earlier versions.
Tomi Engdahl says:
NSA Leak Fuels Rise in Hacking for Crypto Mining: Report
https://www.securityweek.com/nsa-leak-fuels-rise-hacking-crypto-mining-report
Illicit cryptocurrency mining has been surging over the past year, in part due to a leaked software tool from the US National Security Agency, researchers said Wednesday.
A report by the Cyber Threat Alliance, an association of cybersecurity firms and experts, said it detected a 459 percent increase in the past year of illicit crypto mining
One reason for the sharp rise was the leak last year by a group of hackers known as the Shadow Brokers of “EternalBlue,” software developed by the NSA to exploit vulnerabilities in the Windows operating system.
They’re Drinking Your Milkshake: CTA’s Joint Analysis on Illicit Cryptocurrency Mining
https://www.cyberthreatalliance.org/joint-analysis-on-illicit-cryptocurrency-mining/
Tomi Engdahl says:
Click2Gov Attacks on U.S. Cities Attributed to Previously Unknown Group
https://www.securityweek.com/click2gov-attacks-us-cities-attributed-previously-unknown-group
A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.
Click2Gov, a product developed by Superion, is designed to provide cities “interactive self-service bill-pay options for utilities, community development and finance.”
The first reports of breaches at Click2Gov customers emerged in October 2017, when Superion published a statement saying that suspicious activity had been detected at some customers using on-premise servers. The company said its investigation, which had been assisted by a PCI forensic investigation firm, had not found any evidence of credit card scrapers or credit card data extraction.
In a follow-up statement published in June 2018
Tomi Engdahl says:
New Tool Helps G Suite Admins Uncover Security Threats
https://www.securityweek.com/new-tool-helps-g-suite-admins-uncover-security-threats
Google on Tuesday announced the general availability of a tool that helps G Suite customers identify security issues within their domains, and take action.
Tomi Engdahl says:
Cybersecurity firm: More Iran hacks as US sanctions loomed
https://apnews.com/88ab2debee36432d8d0498991e9f5768
An Iranian government-aligned group of hackers launched a major campaign targeting Mideast energy firms and others ahead of U.S. sanctions on Iran, a cybersecurity firm said Tuesday, warning further attacks remain possible as America re-imposes others on Tehran.
Tomi Engdahl says:
APT33
Suspected attribution: Iran
Target sectors: Aerospace, energy
https://www.fireeye.com/current-threats/apt-groups.html#apt33
Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
Tomi Engdahl says:
US State Department confirms: Unclassified staff email boxes hacked
Pompeo’s peeps get free credit monitoring after some inboxes cracked open, data swiped
https://www.theregister.co.uk/2018/09/18/state_department_hacked/
The US State Department has confirmed one of its email systems was attacked, potentially exposing the personal information of some of its employees.
Uncle Sam’s officials said in a statement to The Register on Tuesday that “suspicious activity” in its email system led it to send out warnings to a number of employees whose personal information may have been exposed to network intruders.
However, it didn’t specify exactly what information had been accessed, though it noted that no classified data had been accessed – those documents are transmitted through a separate email system.
The State Department has promised to foot the bill for three years of credit and identity theft monitoring to those workers. According to its own estimates, the State Department employs around 69,000 people, meaning if the numbers are to be believed somewhere around 600-700 people were impacted by this incident.