Cyber Security December 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.

You are also free to post related links.


  1. Tomi Engdahl says:

    BBC News: “The government says the laws, a world first, are necessary to help combat terrorism and crime.
    However critics have listed wide-ranging concerns, including that the laws could undermine the overall security and privacy of users.”

  2. Tomi Engdahl says:

    Google warns app developers of three malicious SDKs being used for ad fraud

    A few days ago, Google removed popular Cheetah Mobile and Kika Tech apps from its Play Store following a BuzzFeed investigation, which discovered the apps were engaging in ad fraud. Today, as a result of Google’s ongoing investigation into the situation, it has discovered three malicious ad network SDKs that were being used to conduct ad fraud in these apps

  3. Tomi Engdahl says:

    Australia data encryption laws explained

    Australia has passed controversial laws designed to compel technology companies to grant police and security agencies access to encrypted messages.

  4. Tomi Engdahl says:

    Don’t use Huawei phones, say heads of FBI, CIA, and NSA

    The US intelligence community is still worried about Chinese tech giants’ government ties

  5. Tomi Engdahl says:

    The trust dilemma of continuous background checks

    Plus Huawei CFO craziness, SoftBank IPO and more

    Background checks are a huge business.

    Here’s a question that bugs me though: We have continuous criminal monitoring and expense monitoring. Most corporations monitor web traffic and email/Slack/communications. Everything we do at work is poked and prodded to make sure it meets “policy.”

    And yet, we see vituperative attacks on China’s social credit system, which … monitors criminal records, looks for financial frauds and sanctions people based on their scores. How long will we have to wait before employers give us “good employee behavior” scores and attach it to our profiles in Slack?

    The conundrum, of course, is that no startup or company wants (or can avoid) background checks.

  6. Tomi Engdahl says:

    Google, Apple, Facebook face world-first encryption laws in Australia

    Tech companies can be forced to “build new capabilities” that allow access to encrypted messages.

    Australia passed new laws that allow law enforcement to access encrypted messages, legislation that leading tech companies, including Google, Facebook and Twitter, have all opposed.

  7. Tomi Engdahl says:

    Russian accounts fuel French outrage online

    Hundreds of social media accounts linked to Russia have sought to amplify the street protests that have rocked France, according to analysis seen by The Times.

    The network of accounts has circulated messages on Twitter that focus on the violence and chaos of the yellow vest or gilet jaune riots

  8. Tomi Engdahl says:

    Australia just voted to ban working cryptography. No, really.

    Remember when Malcolm Turnbull, the goddamned idiot who was briefly Prime Minister of Australia, was told that the laws of mathematics mean that there was no way to make a cryptography system that was weak enough that the cops could use to spy on bad guys, but strong enough that the bad guys couldn’t use it to spy on cops, and he said: “Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”

    Malcolm Turnbull lost his job, though not for saying this goddamned idiotic thing. This goddamned idiotic thing has continued to fester in Australian politics, until today, when the pustule ruptured and Parliament sat down and voted to make the laws of Australia prevail over the laws of mathematics.

    Good luck with that.

    Under the new rule, cops can get court orders that will require tech companies to backdoor their encryption, serve malware, or do whatever else it takes to decrypt subjects’ messages, even if those messages are so well encrypted that it would take more computational cycles than can be wrung out of all the matter in the universe to brute-force the key.

    Bad guys, meanwhile, can just use free/open source software, or tools that are made by companies located outside of Australia, or tools that exist today without any backdoors, and never fear police interception.

  9. Tomi Engdahl says:

    Australia Passes Encryption Law Every Tech Expert Says Will Lead To Disaster

    Australia has adopted legislation to create “backdoors” in encrypted software so police and national security authorities can access online conversations. IT workers and commentators, however, argue the new laws will create a string of unintended consequences that could make Australia a tech pariah, with companies refusing to produce or sell their products in the country.

  10. Tomi Engdahl says:

    Warning! Unprivileged Linux Users With UID > INT_MAX Can Execute Any Command

    Hold tight, this may blow your mind…
    A low-privileged user account on most Linux operating systems with UID value anything greater than 2147483647 can execute any systemctl command unauthorizedly—thanks to a newly discovered vulnerability.

    The reported vulnerability actually resides in PolicyKit (also known as polkit)

    The issue, tracked as CVE-2018-19788, impacts PolicyKit version 0.115 which comes pre-installed on most popular Linux distributions, including Red Hat, Debian, Ubuntu, and CentOS.

    Red Hat has recommended system administrators not to allow any negative UIDs or UIDs greater than 2147483646 in order to mitigate the issue until the patch is released.

  11. Tomi Engdahl says:

    President signs National Timing Security and Resilience Act

    The act tasks the Secretary of Transportation with establishing a terrestrial backup timing system for GPS within two years.

  12. Tomi Engdahl says:

    The Dublin offices of Phantom Secure were raided by the Criminal Assets Bureau in a coordinated operation with the FBI.

    On the official BlackBerry blog INSIDE BlackBerry the company wrote that “privacy and security form the crux of everything we do. However, our privacy commitment does not extend to criminals.”

    But isn’t criminality established after due process has taken place? Warrants do not prove criminality even if there is probable cause? Are RIM Blackberry qualified to make the distinctions?

    There are products which can guarantee this and even in the face of warrants are unable to provide logs, metadata, or encryption keys. But BES cannot.

    “Considering this, requests for the contents of communications may arise from government agencies, which would require a valid search warrant from an agency with proper jurisdiction over Phantom Secure.”

    “However, our response to such requests will be the content and identity of our clients are not stored on our server and that the content is encrypted data, which is indecipherable.”

    Feds Bust CEO Allegedly Selling Custom BlackBerry Phones to Sinaloa Drug Cartel

    Phantom Secure is one of the most infamous companies in the secure phone industry. Sources and court documents detail that its owner has been arrested for allegedly helping criminal organizations.

  13. Tomi Engdahl says:

    The 6 reasons why Huawei gives the US and its allies security nightmares

    The biggest fear is that China could exploit the telecom giant’s gear to wreak havoc in a crisis.

    Behind this very public drama is a long-running, behind-the-scenes one centered on Western intelligence agencies’ fears that Huawei poses a significant threat to global security. Among the spooks’ biggest concerns:

    There could be “kill switches” in Huawei equipment …
    … that even close inspections miss
    Back doors could be used for data snooping
    The rollout of 5G wireless networks will make everything worse
    Chinese firms will ship tech to countries in defiance of a US trade embargo
    Huawei isn’t as immune to Chinese government influence as it claims to be

    In its defense, Huawei can point to the fact that no security researchers have found back doors in its products. “There’s all this concern, but there’s never been a smoking gun,”

  14. Tomi Engdahl says:

    Australia’s Encryption-Busting Law Could Impact Global Privacy

    Australia’s parliament passed controversial legislation on Thursday that will allow the country’s intelligence and law enforcement agencies to demand access to end-to-end encrypted digital communications. This means that Australian authorities will be able to compel tech companies like Facebook and Apple to make backdoors in their secure messaging platforms, including WhatsApp and iMessage. Cryptographers and privacy advocates—who have long been staunch opponents of encryption backdoors on public safety and human rights grounds—warn that the legislation poses serious risks, and will have real consequences that reverberate far beyond the land down under.

    “The Australian legislation is particularly broad and vague, and would serve as an extremely poor model.”
    Greg Nojeim, CDT

    Under the Australian law, companies that fail or refuse to comply with these orders will face fines up to about $7.3 million. Individuals who resist could face prison time.

    Australian lawmakers nonetheless lauded the bill, saying it will enable crucial capabilities in organized crime and anti-terrorism investigations.

    “We will pass the legislation, inadequate as it is, so we can give our security agencies some of the tools they say they need,” Bill Shorten, the opposition Labor party leader, told reporters.

    “The debate about simplifying lawful access to encrypted communication carries a considerable risk of regulations spilling to other countries,” says Lukasz Olejnik, a security and privacy researcher and member of the W3C Technical Architecture Group. “Once the capabilities exist, there will be many parties interested in similar access. It would spread.”

  15. Tomi Engdahl says:

    Bomb Threat Hoaxer, DDoS Boss Gets 3 Years

    The ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched distributed denial-of-service (DDoS) attacks against Web sites — including KrebsOnSecurity on multiple occasions — has been sentenced to three years in a U.K. prison, and faces the possibility of additional charges from U.S.-based law enforcement officials.

    George Duke-Cohan, 19, caused a massive uproar earlier this year after communicating a series of bomb threats against 1,700 schools, colleges and universities across the United Kingdom.

  16. Tomi Engdahl says:

    In case you’re not already sick of Spectre… Boffins demo Speculator tool for sniffing out data-leaking CPU holes
    First proof-of-concept, SplitSpectre, requires fewer instructions in victim

    Analysis You’ve patched your Intel, AMD, Power, and Arm gear to crush those pesky data-leaking speculative execution processor bugs, right? Good, because IBM eggheads in Switzerland have teamed up with Northeastern University boffins in the US to cook up Spectre exploit code they’ve dubbed SplitSpectre.

    SplitSpectre is a proof-of-concept built from Speculator, the team’s automated CPU bug-discovery tool, which the group plans to release as open-source software. Their work is described here in an academic paper emitted earlier this week.

    Let’s Not Speculate: Discovering and Analyzing Speculative Execution Attacks

  17. Tomi Engdahl says:

    Unprivileged Users With UID > INT_MAX can Arbitrarily Execute Any SystemCTL Command (CVE-2018-19788)

    A low-privileged user account on most Linux operating systems with UID value anything greater than 2147483647 (0x7FFFFFFF) can execute any systemctl command unauthorizedly.

    The reported vulnerability actually resides in PolicyKit and exists due to the improper validation of permission requests for any low-privileged user with UID greater than INT_MAX.

    A PoC exploit has been released too!

    Bugtracker Link:
    PoC Exploit:

  18. Tomi Engdahl says:

    Warning! Unprivileged Linux Users With UID > INT_MAX Can Execute Any Command

    A low-privileged user account on most Linux operating systems with UID value anything greater than 2147483647 can execute any systemctl command unauthorizedly—thanks to a newly discovered vulnerability.

    The reported vulnerability actually resides in PolicyKit (also known as polkit)

    The issue, tracked as CVE-2018-19788, impacts PolicyKit version 0.115 which comes pre-installed on most popular Linux distributions, including Red Hat, Debian, Ubuntu, and CentOS.

    So it means, if you create a user account on affected Linux systems with any UID greater than INT_MAX value, the PolicyKit component will allow you to execute any systemctl command successfully.

    Red Hat has recommended system administrators not to allow any negative UIDs or UIDs greater than 2147483646 in order to mitigate the issue until the patch is released.
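    Red Hat's interim guidance quoted in the comments above (no negative UIDs, nothing above 2147483646) is easy to audit. The following is an added example, not code from the original post or from any of the articles it links: it parses passwd-format records and lists the accounts whose UID falls outside that range. The passwd text in the block is constructed, and `audit_local_accounts` is a helper name assumed for this example; it prefers `getent passwd` because directory-backed accounts (LDAP, sssd) never appear in /etc/passwd.

```python
import subprocess
from typing import Dict, List

# Upper bound from Red Hat's interim guidance for CVE-2018-19788:
# reject negative UIDs and anything above 2147483646 (INT_MAX - 1).
MAX_SAFE_UID = 2147483646

# Constructed sample in /etc/passwd format (not taken from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-batch:x:2147483647:2147483647:Batch service:/var/lib/batch:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
huge:x:4000000000:4000000000:Oversized UID:/home/huge:/bin/sh
# a comment line and a malformed line below are both skipped
not:a:valid:record
"""


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd-format text into records, skipping comments and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # passwd records always have exactly seven fields
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            continue  # non-numeric UID/GID: treat as malformed
        records.append({"name": fields[0], "uid": uid, "gid": gid, "shell": fields[6]})
    return records


def find_risky_uids(text: str, max_safe: int = MAX_SAFE_UID) -> List[str]:
    """Return account names whose UID is negative or above max_safe."""
    return [
        r["name"] for r in parse_passwd(text)
        if r["uid"] < 0 or r["uid"] > max_safe
    ]


def audit_local_accounts(use_getent: bool = True) -> List[str]:
    """Audit the running system (helper name assumed for this example).

    `getent passwd` also lists LDAP/sssd users; fall back to /etc/passwd
    when getent is unavailable.
    """
    if use_getent:
        try:
            out = subprocess.run(["getent", "passwd"], capture_output=True,
                                 text=True, check=True).stdout
            return find_risky_uids(out)
        except (OSError, subprocess.CalledProcessError):
            pass
    with open("/etc/passwd", encoding="utf-8") as fh:
        return find_risky_uids(fh.read())


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the local system.
    print("sample:", find_risky_uids(SAMPLE_PASSWD))
    print("local: ", audit_local_accounts())
```

    On the constructed sample the check reports `svc-batch` (UID exactly INT_MAX, which is above the recommended ceiling) and `huge`. Running it on a host is a stopgap until the distribution's polkit update lands; it does not detect UIDs that a misconfigured NSS source might present differently from what `getent` shows.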

  19. Tomi Engdahl says:

    DarkVishnya: Banks attacked through direct connection to local network

    While novice attackers, imitating the protagonists of the U.S. drama Mr. Robot, leave USB flash drives lying around parking lots in the hope that an employee from the target company picks one up and plugs it in at the workplace, more experienced cybercriminals prefer not to rely on chance. In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

    Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

    The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:

    netbook or inexpensive laptop
    Raspberry Pi computer
    Bash Bunny, a special tool for carrying out USB attacks

    Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard.

    At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. T

    Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access. Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks and PowerShell, they were able to avoid whitelisting technologies and domain policies.
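    The first DarkVishnya stage described above, an unknown device quietly joining the LAN, is exactly what a rogue-device check against an asset inventory is meant to surface. The block below is an added example, not code from the original post or from Kaspersky's write-up: it reads dnsmasq-style DHCP lease lines, flags every MAC address that is not in the sanctioned inventory, and attaches a vendor hint from the OUI prefix. The lease lines and the inventory are constructed; the `B8:27:EB` prefix is the Raspberry Pi Foundation's entry in the public IEEE OUI registry, while the other MACs are placeholders.

```python
import re
from typing import Dict, List

# Constructed inventory of sanctioned devices: MAC -> asset description.
KNOWN_DEVICES: Dict[str, str] = {
    "00:50:56:aa:10:01": "FIN-WS-014 (finance workstation)",
    "00:50:56:aa:10:02": "FIN-WS-015 (finance workstation)",
    "3c:52:82:11:22:33": "MEET-ROOM-3 printer",
}

# OUI prefix -> vendor hint. B8:27:EB is the Raspberry Pi Foundation prefix
# from the public IEEE OUI registry; extend this table from a full OUI dump
# in production.
OUI_HINTS: Dict[str, str] = {
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Constructed dnsmasq-style lease lines: <expiry> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1544090000 00:50:56:aa:10:01 10.20.5.14 fin-ws-014 01:00:50:56:aa:10:01
1544090120 00:50:56:aa:10:02 10.20.5.15 fin-ws-015 01:00:50:56:aa:10:02
1544090300 b8:27:eb:4f:9a:12 10.20.5.77 raspberrypi 01:b8:27:eb:4f:9a:12
1544090400 3c:52:82:11:22:33 10.20.5.30 * 01:3c:52:82:11:22:33
1544090500 aa:bb:cc:dd:ee:ff 10.20.5.91 DESKTOP-7Q2K 01:aa:bb:cc:dd:ee:ff
this line is malformed and must be skipped
"""

LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\S+)\s+(?P<host>\S+)",
    re.IGNORECASE,
)


def parse_leases(text: str) -> List[Dict[str, str]]:
    """Parse lease lines into {mac, ip, host} records; unparseable lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        leases.append({"mac": m["mac"].lower(), "ip": m["ip"], "host": m["host"]})
    return leases


def vendor_hint(mac: str, oui_hints: Dict[str, str] = OUI_HINTS) -> str:
    """Look up the first three octets (the OUI) of a MAC address."""
    return oui_hints.get(mac[:8].lower(), "unknown vendor")


def find_unknown_devices(text: str,
                         known: Dict[str, str] = KNOWN_DEVICES,
                         oui_hints: Dict[str, str] = OUI_HINTS) -> List[Dict[str, str]]:
    """Return every leased device whose MAC is absent from the inventory."""
    known_lower = {mac.lower() for mac in known}
    findings = []
    for lease in parse_leases(text):
        if lease["mac"] in known_lower:
            continue
        findings.append({**lease, "vendor_hint": vendor_hint(lease["mac"], oui_hints)})
    return findings


if __name__ == "__main__":
    for device in find_unknown_devices(SAMPLE_LEASES):
        print(f"UNKNOWN {device['mac']} {device['ip']} host={device['host']} ({device['vendor_hint']})")
```

    The check only sees devices that took a DHCP lease; a statically addressed implant shows up in switch MAC tables or ARP caches instead, so feed those sources through the same inventory comparison. A device that presents itself as a keyboard, as the post notes the Bash Bunny can, never appears on the network at all and needs USB device control rather than network monitoring. Port security or 802.1X on meeting-room and lobby ports stops the device from getting a link in the first place.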

  20. Tomi Engdahl says:

    Australia passes ‘dangerous’ anti-encryption law after bipartisan compromise

    Update, 12/6: The bill has now passed after the Labor party agreed to drop its proposed amendments

  21. Tomi Engdahl says:

    Unprotected MongoDB Exposes Scraped Profile Data of 66 Million

    Information belonging to more than 66 million individuals was discovered in an unprotected database, within anyone’s reach, if they knew where to look on the web. The records look like scraped data from LinkedIn profiles.

    According to Bob Diachenko, Director of Cyber Risk Research at Hacken, the trove was exposed via a MongoDB instance that could be accessed without authentication.

    He found 66,147,856 unique records containing full name, personal or professional email address, user’s location details skills, phone number, and employment history. A link to the individual’s LinkedIn profile was also present.

  22. Tomi Engdahl says:

    Botnet of Infected WordPress Sites Attacking WordPress Sites

    The Defiant Threat Intelligence team recently began tracking the behavior of an organized brute force attack campaign against WordPress sites. This campaign has created a botnet of infected WordPress websites to perform its attacks, which attempt XML-RPC authentication to other WordPress sites in order to access privileged accounts.

    Between Wordfence’s brute force protection and the premium real-time IP blacklist, we have blocked more than five million malicious authentication attempts associated with this attack campaign in the last thirty days alone.
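    The campaign above hammers /xmlrpc.php with authentication attempts, which leaves a very regular trace in ordinary web server access logs. The block below is an added example, not code from the original post or from Wordfence: it parses combined-format access log lines, counts POST requests to /xmlrpc.php per client address inside a sliding window, and reports the addresses that exceed a threshold. The log lines are constructed, and the default threshold (5 requests) and window (60 seconds) are assumptions to tune for the site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample access log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Dec/2018:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Dec/2018:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Dec/2018:10:15:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Dec/2018:10:15:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Dec/2018:10:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Dec/2018:10:15:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Dec/2018:10:15:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Dec/2018:10:16:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress/5.0; https://example.org"
198.51.100.7 - - [06/Dec/2018:12:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress/5.0; https://example.org"
garbage line that does not match the log format
"""


def parse_log(text: str) -> List[Tuple[str, datetime, str, str]]:
    """Return (ip, timestamp, method, path) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        path = m["path"].split("?", 1)[0]  # drop any query string
        events.append((m["ip"], ts, m["method"], path))
    return events


def _max_hits_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any window-sized interval."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def xmlrpc_bursts(text: str, threshold: int = 5, window_seconds: int = 60) -> Dict[str, int]:
    """Map each client IP that POSTed to /xmlrpc.php at least `threshold` times
    within `window_seconds` to its peak count in that window."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ip, ts, method, path in parse_log(text):
        if method == "POST" and path == "/xmlrpc.php":
            by_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in by_ip.items():
        peak = _max_hits_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in xmlrpc_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {peak} xmlrpc.php POSTs within 60s")
```

    The second address in the sample posts twice, hours apart, and stays below the threshold, which is the behaviour of a legitimate pingback or Jetpack-style client. Because a single XML-RPC `system.multicall` request can carry many login attempts, the request count understates the number of password guesses; if /xmlrpc.php is not needed at all, denying it at the web server removes the attack surface entirely.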

  23. Tomi Engdahl says:

    DanaBot evolves beyond banking Trojan with new spam-sending capability

    ESET research shows that DanaBot operators have been expanding the malware’s scope and possibly cooperating with another criminal group

  24. Tomi Engdahl says:

    Warning! Unprivileged Linux Users With UID > INT_MAX Can Execute Any Command

  25. Tomi Engdahl says:

    RPC Bug Hunting Case Studies – Part 1

    When analysing the behaviours of an RPC server, we always call the APIs exposed via the RPC interface. Such interaction with an RPC server of interest can be achieved by sending an RPC request via the RPC Client to the server and then observing its behaviours using the Process Monitor tool in SysInternals. In my opinion, the most convenient way to do this is by scripting rather than writing a C/C++ RPC client that requires program compilation, which is time consuming.

    Instead, we are going to use PythonForWindows. It provides abstractions around some of the Windows features in a pythonic way, which relies heavily on Python’s ctypes. I

  26. Tomi Engdahl says:

    Adobe Flash Zero-Day Exploited In the Wild

    Gigamon Applied Threat Research (ATR) identifies an active exploitation of a zero-day vulnerability in Adobe Flash via a Microsoft Office document. The vulnerability (CVE-2018-15982) allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system. The document was submitted to VirusTotal from a Ukrainian IP address and contains a purported employment application for a Russian state healthcare clinic.

  27. Tomi Engdahl says:

    The Dark Side of the ForSSHe

    ESET researchers discovered a set of previously undocumented Linux malware families based on OpenSSH. In the white paper, “The Dark Side of the ForSSHe”, they release analysis of 21 malware families to improve the prevention, detection and remediation of such threats

    The de facto implementation, bundled in almost all Linux distributions, is the portable version of OpenSSH. A popular method used by attackers to maintain persistence on compromised Linux servers is to backdoor the OpenSSH server and client already installed. There are several reasons why creating malware based on OpenSSH is popular:

    It doesn’t require a new TCP port to be opened on the compromised machine. SSH should already be there and likely reachable from the internet.
    The OpenSSH daemon and client see passwords in clear text, providing the attacker the potential to steal credentials.
    OpenSSH source code is freely available, making it easy to create a “customized” (backdoored) version.
    OpenSSH is built to make it difficult to implement a man-in-the-middle attack and snoop on its users’ activity. Attackers can leverage this to stay under the radar while they conduct their malicious activities on the compromised server.

    Today, ESET researchers are publishing a paper focused on 21 in-the-wild OpenSSH malware families.

  28. Tomi Engdahl says:

    SNDBOX: AI-Powered Online Automated Malware Analysis Platform

    Israeli cybersecurity and malware researchers today at the Black Hat conference launch a revolutionary machine learning and artificial intelligence-powered malware researcher platform that aims to help users identify unknown malware samples before they strike.

    Dubbed SNDBOX, the free online automated malware analysis system allows anyone to upload a file and access its static, dynamic and network analysis in an easy-to-understand graphical interface.

  29. Tomi Engdahl says:

    Adobe Fixes Zero-Day Flash Player Vulnerability Used in APT Attack on Russia

    Adobe has released an update for Flash Player that fixes a zero-day use after free vulnerability that was used as part of an APT attack against Russia. This attack is being named “Operation Poison Needles” and targeted the Russian FSBI “Polyclinic #2” medical clinic.

    When the exploit is triggered, Word will display a warning stating “The embedded content contained in this document may be harmful to your computer.” and if a user agrees to continue, the following command is executed to extract a rar file and start the backup.exe executable contained within it.

    The backup.exe file is a backdoor that pretends to be the Nvidia Control Panel application and uses a stolen certificate from “IKB SERVICE UK LTD”, which has since been revoked.

    The researchers feel that this attack is politically motivated as it occurred right after the Kerch Strait Incident when the Russian coast guard boats fired upon and captured three Ukrainian Navy vessels.

  30. Tomi Engdahl says:

    Estonian ex-foreign sec urges governments: Get cosy with the private sector on cybersecurity
    Marina Kaljurand thinks the days of going it alone are over

    Black Hat Governments need to “turn from public private partnership slogans to real partnerships” on cybersecurity, former Estonian foreign minister Marina Kaljurand told the Black Hat infosec conference in London this morning.

    “Cyber is so wide that states alone cannot be sufficient in providing security,” she said. “It is a space where the private sector owns nearly all digital and physical assets and has the best experts. It’s the sphere where civil society can produce norms, recommendations for responsible state behaviour, it is a space where civil society is also the watchdog of civil rights.”

  31. Tomi Engdahl says:

    The CoAP protocol is the next big thing for DDoS attacks
    CoAP DDoS attacks have already been detected in the wild, some clocking at 320Gbps.

    RFC 7252, also known as the Constrained Application Protocol (CoAP), is about to become one of the most abused protocols in terms of DDoS attacks, security researchers have told ZDNet.

    CoAP was designed as a lightweight machine-to-machine (M2M) protocol that can run on smart devices where memory and computing resources are scarce

    In a very simplistic explanation, CoAP is very similar to HTTP, but instead of working on top of TCP packets, it works on top of UDP, a lighter data transfer format created as a TCP alternative.

    Just like HTTP is used to transport data and commands (GET, POST, CONNECT, etc.) between a client and a server,

    But just like any other UDP-based protocol, CoAP is inherently susceptible to IP address spoofing and packet amplification, the two major factors that enable the amplification of a DDoS attack.

    An attacker can send a small UDP packet to a CoAP client (an IoT device), and the client would respond with a much larger packet.

    The people who designed CoAP added security features to prevent these types of issues, but as Cloudflare pointed out in a blog post last year, if device makers implement these CoAP security features, the CoAP protocol isn’t so light anymore, negating all the benefits of a lightweight protocol.

    That’s why most of today’s CoAP implementations forgo using hardened security modes for a “NoSec” security mode that keeps the protocol light, but also vulnerable to DDoS abuse.

    TLS 1.3 is going to save us all, and other reasons why IoT is still insecure
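    The amplification mechanic described above is easy to see once the datagrams are decoded: a short CoAP request on UDP/5683 draws a much larger response. The block below is an added example, not code from the original post or from ZDNet: it implements the RFC 7252 fixed header, token and option walk, and classifies a captured request/response pair by amplification factor and by whether it travelled in plain "NoSec" mode (no DTLS). The two datagrams are constructed; they model a `/.well-known/core` resource-discovery exchange, and the 2.0 flagging threshold is an assumption.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

COAP_PORT_NOSEC = 5683   # RFC 7252 default port: plain UDP, "NoSec" mode
COAP_PORT_DTLS = 5684    # coaps: CoAP over DTLS


@dataclass
class CoapMessage:
    msg_type: int        # 0=CON, 1=NON, 2=ACK, 3=RST
    code: str            # "c.dd" form: "0.01" is GET, "2.05" is Content
    message_id: int
    token: bytes
    payload: bytes


def _payload_after_options(rest: bytes) -> Optional[bytes]:
    """Walk the option list (RFC 7252 section 3.1) and return the payload that
    follows the 0xFF marker, b"" if there is none, or None if malformed."""
    i = 0
    while i < len(rest):
        b = rest[i]
        if b == 0xFF:
            return rest[i + 1:]
        delta_nib, len_nib = b >> 4, b & 0xF
        if delta_nib == 15 or len_nib == 15:
            return None  # 15 is reserved outside the payload marker
        i += 1
        # Extended option delta: 13 adds one byte, 14 adds two (values not needed to skip).
        if delta_nib == 13:
            i += 1
        elif delta_nib == 14:
            i += 2
        # Extended option length decides how many value bytes to skip.
        if len_nib == 13:
            if i >= len(rest):
                return None
            length = rest[i] + 13
            i += 1
        elif len_nib == 14:
            if i + 1 >= len(rest):
                return None
            length = int.from_bytes(rest[i:i + 2], "big") + 269
            i += 2
        else:
            length = len_nib
        i += length
        if i > len(rest):
            return None
    return b""


def parse_coap(datagram: bytes) -> Optional[CoapMessage]:
    """Decode the 4-byte fixed header, token and payload; None if malformed."""
    if len(datagram) < 4:
        return None
    first, code_byte, mid = struct.unpack("!BBH", datagram[:4])
    version, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != 1 or tkl > 8:          # version must be 1; TKL 9..15 are reserved
        return None
    token = datagram[4:4 + tkl]
    if len(token) != tkl:
        return None
    payload = _payload_after_options(datagram[4 + tkl:])
    if payload is None:
        return None
    code = f"{code_byte >> 5}.{code_byte & 0x1F:02d}"
    return CoapMessage(msg_type, code, mid, token, payload)


def assess_exchange(request: bytes, response: bytes, server_port: int,
                    flag_above: float = 2.0) -> Optional[Dict[str, object]]:
    """Amplification factor and security mode of one request/response pair."""
    req, resp = parse_coap(request), parse_coap(response)
    if req is None or resp is None:
        return None
    factor = len(response) / len(request)
    nosec = server_port != COAP_PORT_DTLS   # plain CoAP never arrives on the DTLS port
    return {
        "request_code": req.code,
        "response_code": resp.code,
        "nosec": nosec,
        "amplification": round(factor, 2),
        "flag": nosec and factor > flag_above,   # threshold is an assumption
    }


# Constructed CON GET /.well-known/core with a 2-byte token (23 bytes on the wire).
SAMPLE_REQUEST = (bytes([0x42, 0x01, 0x12, 0x34]) + b"\xab\xcd"
                  + bytes([0xBB]) + b".well-known"      # Uri-Path (delta 11, len 11)
                  + bytes([0x04]) + b"core")            # Uri-Path (delta 0, len 4)

# Constructed ACK 2.05 Content with Content-Format 40 (link-format) and a link list.
LINK_FORMAT = (b'</sensors/temp>;rt="temperature";if="sensor",'
               b'</sensors/light>;rt="light-lux";if="sensor",'
               b'</firmware>;rt="fw-update";if="core.p"')
SAMPLE_RESPONSE = (bytes([0x62, 0x45, 0x12, 0x34]) + b"\xab\xcd"
                   + bytes([0xC1, 40]) + b"\xff" + LINK_FORMAT)

if __name__ == "__main__":
    print(assess_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE, COAP_PORT_NOSEC))
```

    The sample exchange comes out at roughly 6x amplification, and because the request's source address is unauthenticated UDP, a spoofed request of that shape directs the response at whoever the attacker chooses. On the defending side the useful levers are the ones the article hints at: do not expose UDP/5683 to the internet, prefer the DTLS-protected mode where the device can afford it, and rate-limit or size-limit responses to discovery requests from unknown sources.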

  32. Tomi Engdahl says:

    Cyber-espionage group uses Chrome extension to infect victims

    Suspected North Korean APT uses Google Chrome extension to infect victims in the academic sector.

  33. Tomi Engdahl says:

    STOLEN PENCIL Campaign Targets Academia

    ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling STOLEN PENCIL that has been targeting academic institutions since at least May 2018. The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials. Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension. After gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.

  34. Tomi Engdahl says:

    Russian Hospital Targeted With Flash Zero-Day After Kerch Incident

    Security updates released by Adobe on Wednesday for Flash Player patch two vulnerabilities, including a critical flaw exploited by a sophisticated threat actor in attacks aimed at a healthcare organization associated with the Russian presidential administration. The attack may be related to the recent Kerch Strait incident involving Russia and Ukraine.

  35. Tomi Engdahl says:

    Exclusive: Emails of top NRCC officials stolen in major 2018 hack

    Republican leaders were not informed until POLITICO contacted committee officials about the incident.

    The House GOP campaign arm suffered a major hack during the 2018 midterm campaigns, exposing thousands of sensitive emails to an outside intruder, according to three senior party officials.

    The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor.

  36. Tomi Engdahl says:

    Operation Poison Needles – APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day

  37. Tomi Engdahl says:

    Millions of smartphones were taken offline yesterday by an expired certificate
    Ericsson’s preventable failure created issues in 11 countries

    Ericsson has confirmed that a fault with its software was the source of yesterday’s massive network outage, which took millions of smartphones offline across the UK and Japan and created issues in almost a dozen countries. In a statement, Ericsson said that the root cause was an expired certificate, and that “the faulty software that has caused these issues is being decommissioned.” The statement notes that network services were restored to most customers on Thursday, while UK operator O2 said that its 4G network was back up as of early Friday morning.

  38. Tomi Engdahl says:

    WebKit Vulnerability Affects Latest Versions of Apple Safari

    A researcher published exploit code for a vulnerability in WebKit, the web browser engine that powers Apple’s Safari, along with other apps on macOS, iOS, and Linux.

    The exploit takes advantage of an optimization error with WebKit’s matching of regular expressions, which could end with the possibility to execute arbitrary shellcode.

    Linus Henze, the developer of the exploit, says that the vulnerability has been patched in WebKit sources but the fix is yet to reach the Safari browser.

  39. Tomi Engdahl says:

    Kubernetes, welcome to the coin mines. Crooks dig into open containers to craft crypto-cash
    Lock down your installations and APIs, or prepare to be hijacked for funbux and giggles

  40. Tomi Engdahl says:

    Google warns app developers of three malicious SDKs being used for ad fraud

    A few days ago, Google removed popular Cheetah Mobile and Kika Tech apps from its Play Store following a BuzzFeed investigation, which discovered the apps were engaging in ad fraud. Today, as a result of Google’s ongoing investigation into the situation, it has discovered three malicious ad network SDKs that were being used to conduct ad fraud in these apps. The company is now emailing developers who have these SDKs installed in their apps and demanding their removal. Otherwise, the developers’ apps will be pulled from Google Play, as well.

