Cyber Security News January 2019

This posting is here to collect cyber security news in January 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.



  1. Tomi Engdahl says:

    Ransomware attack sends City of Del Rio back to the days of pen and paper

    Servers at City Hall were rendered useless due to the outbreak.

  2. Tomi Engdahl says:

    Sitadel – Web Application Security Scanner

    Sitadel is basically an update of WAScan making it compatible with Python >= 3.4. It allows more flexibility for you to write new modules and implement new features:
    Frontend framework detection
    Content Delivery Network detection
    Define Risk Level to allow for scans
    Plugin system
    Docker image available to build and run

  3. Tomi Engdahl says:

    Schneider’s EVLink car charging stations were easily hackable, thanks to a hardcoded password

    Schneider has fixed three vulnerabilities in one of its popular electric car charging stations, which security researchers said could have easily allowed an attacker to remotely take over the unit.

    The bugs were fixed with a software update

  4. Tomi Engdahl says:

    ‘Rahaf Is Going to Start a Revolution.’ Saudi Women Are Demanding Reforms After a Teen Fled the Country in Fear for Her Life

    Women across Saudi Arabia, inspired by a teenager who fled the country to seek asylum in Australia amid fears that she would be killed by her family, are demanding further reforms — including an end to the male-dominated guardianship system — or else they will leave the country, they say.

    The emigration threats began trending on social media in the days since 18-year-old Rahaf Mohammed Alqunun was detained in Thailand on Saturday after escaping her relatives in Kuwait.

  5. Tomi Engdahl says:

    The “AVE_MARIA” Malware

    The Cybaze-Yoroi ZLab researchers analyzed phishing attempts spreading in the last days of the past year against an Italian organization operating in the Oil&Gas sector. The malicious emails try to impersonate a supplier’s sales office sending invoices and shipping order confirmations. As usual, the mail conveys malicious Excel files exploiting the popular CVE-2017-11882 vulnerability to run an executable retrieved from a malicious website, previously compromised by the attackers.

  6. Tomi Engdahl says:

    Poland may consider Huawei ban amid ‘spy’ arrests – reports
    Chinese hardware biz faces more push-back in Western nations

  7. Tomi Engdahl says:

    Mozilla Kills Default Support for Adobe Flash in Firefox 69

    Firefox 69 will force users to manually install Adobe Flash as the plugin inches toward end of life.

    Mozilla is disabling default support for Adobe’s Flash Player plugin in the latest upcoming version of its Firefox browser, marking the latest step in end-of-life for the infamous plugin.

    The disabled default support means that Firefox users will now be required to manually enable Adobe Flash in Mozilla’s latest browser version, Firefox 69. More importantly, the change signals another step toward the end of Flash in general, as Mozilla and other popular browsers push the plugin off the radar.

  8. Tomi Engdahl says:

    Escaping Containers to Execute Commands on Play with Docker Servers

    Improperly secured privileged containers on the Play with Docker testing platform offered security researchers a way to escape Linux containers and run arbitrary code on the host system.

    An attacker successfully exploiting the flaw would have had high-level access to the Play with Docker (PWD). They would also have been able to access all running containers.

  9. Tomi Engdahl says:

    Chinese hackers may have struck Keidanren system in 2016

    A Chinese group that has been accused by the U.S. government in a series of cybertheft cases around the world is now suspected in the 2016 hacking of the computer system used by Keidanren (Japan Business Federation).

    Keidanren officials announced in November 2016 that 23 computers used in the federation’s system had been infected with a virus. However, no details were released about what hacking group might have been behind the cyberattack.

  10. Tomi Engdahl says:

    No more privacy: 202 Million private resumes exposed

    On December 28th, Bob Diachenko, Director of Cyber Risk Research at bug bounty platform HackenProof, analyzed the data stream of the BinaryEdge search engine and identified an open and unprotected MongoDB instance.

    Upon closer inspection, an 854 GB sized MongoDB database was left unattended, with no password/login authentication needed to view and access the details of what appeared to be more than 200 million very detailed resumes of Chinese job seekers.

  11. Tomi Engdahl says:

    200 million resumes of Chinese jobseekers leaked, cybersecurity researcher says

    The 854-GB database was available for anyone to grab for a week
    Information scraped from Chinese job portals includes names, mobile numbers, and political affiliation

  12. Tomi Engdahl says:

    Del Rio City Hall Forced to Use Paper After Ransomware Attack

    The City Hall of Del Rio, Texas was hit by a ransomware attack on Thursday, which led to multiple computers on the network being turned off and disconnected from the Internet to contain and analyze the malware.

  13. Tomi Engdahl says:

    How I Hacked Play-with-Docker and Remotely Ran Code on the Host

    Play-with-Docker (PWD), Docker’s playground website, allows beginners to run Docker commands in a matter of seconds. Built on a number of hosts with each running multiple students’ containers, it’s a great place to learn Docker. PWD provides the experience of having a free Alpine Linux virtual machine in a web browser where students can build and run Docker containers and experience Docker firsthand without having to first install and configure it.

    This unique offering was warmly welcomed by DevOps practitioners with more than 100,000 total monthly site visits, where Docker tutorials, workshops and training are also available. The initiative was an effort originated by Marcos Nils and Jonathan Leibiusky, aided by the Docker community and sponsored by Docker.

    CyberArk Labs set out to try and escape the mock container in an effort to run code on the Docker host.

    The impact of container escape is similar to escape from a virtual machine, as both allow access to the underlying server.

  14. Tomi Engdahl says:

    Unpatched Flaws in Building Access System Allow Hackers to Create Fake Badges

    Researchers discovered that a popular building access control system made by IDenticard contains vulnerabilities that can be exploited to create fake badges, disable door locks, and obtain or modify user data.

    IDenticard is a US-based provider of ID, access and security solutions. On its website, the company says it has tens of thousands of customers around the world, including Fortune 500 companies, educational institutions, medical centers, factories, and government agencies.

  15. Tomi Engdahl says:

    Researchers Invited to Hack a Tesla at Pwn2Own 2019

    Researchers can earn up to $300,000 and a car if they manage to hack a Tesla Model 3 at this year’s Pwn2Own competition, Trend Micro’s Zero Day Initiative (ZDI) announced on Monday.

  16. Tomi Engdahl says:

    The Securities and Exchange Commission filed suit on Tuesday in a New Jersey federal court against a Ukrainian computer hacker, eight more trader defendants and four relief defendants it said in a court filing are responsible for the 2016 scheme to hack into the SEC’s online EDGAR system to obtain nonpublic documents containing earnings announcements of publicly-traded companies. The defendants then allegedly used that information to make more than $4.1 million in profits from trading in advance of the information becoming public.

    SEC sues hacker, traders who stole earnings announcements from Edgar

  17. Tomi Engdahl says:

    Google & Facebook fed ad dollars to child porn discovery apps

    Google has scrambled to remove third-party apps that led users to child porn sharing groups on WhatsApp in the wake of TechCrunch’s report about the problem last week.

    Several of these apps had more than 100,000 downloads, and they’re still functional on devices that already downloaded them.

    WhatsApp failed to adequately police its platform, confirming to TechCrunch that it’s only moderated by its own 300 employees and not Facebook’s 20,000 dedicated security and moderation staffers.

    Child porn sharing rings on WhatsApp were supported with ads run by Google and Facebook’s ad networks.

    The situation reveals that tech giants aren’t just failing to spot offensive content in their own apps, but also in third-party apps that host their ads and that earn them money.

    WhatsApp has an encrypted child porn problem

    WhatsApp chat groups are being used to spread illegal child pornography, cloaked by the app’s end-to-end encryption. Without the necessary number of human moderators, the disturbing content is slipping by WhatsApp’s automated systems.

  18. Tomi Engdahl says:

    Reverse engineering McDonald’s app

    McDonald’s has several country-specific apps

  19. Tomi Engdahl says:

    Platform Bluehost Riddled with Flaws

    He said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.

    A researcher has uncovered several one-click client-side vulnerabilities in the popular Bluehost web hosting platform. These would allow cybercriminals to easily carry out complete account takeover, according to the analysis.

  20. Tomi Engdahl says:

    Another huge database exposed millions of call logs and SMS text messages

    An unprotected server storing millions of call logs and text messages was left open for months before they were found by a security researcher.

    If you thought you’d heard this story before, you’re not wrong. Back in November, another telecoms company Voxox exposed a database containing millions of text messages — including password resets and two-factor codes.

    This time around, it’s a different company: Voipo, a Lake Forest, California communications provider, exposed tens of gigabytes worth of customer data.

  21. Tomi Engdahl says:

    Iranian hackers have been busy lately, ramping up an array of targeted attacks across the Middle East and abroad. And a report this week from the threat intelligence firm FireEye details a massive global data-snatching campaign, carried out over the last two years

  22. Tomi Engdahl says:

    Flaws in Amadeus’ airline booking system made it easy to change passenger records

    Whether you’re traveling for work or vacation, most consumers book their flights through one of a handful of bespoke reservation systems used across the commercial aviation industry. Amadeus is one of the largest reservation systems

    that sits between you and someone rebooking a flight is a passenger’s surname and the booking reference on your ticket, known as the passenger name record — or PNR.

    He found that any airline using Amadeus made it easy to edit and change someone’s reservation with just their booking reference number. No surname needed. In some cases, he didn’t even need to obtain someone’s booking number.

  23. Tomi Engdahl says:

    New Ethereum version postponed after discovery of serious security flaw

    Ethereum Constantinople Upgrade hits last minute snag that saves many users from catastrophic losses.

    A major upgrade of the Ethereum blockchain has been postponed today by the Ethereum team after a security company found a vulnerability that could have allowed hackers to steal users’ funds.

  24. Tomi Engdahl says:

    Over 30-year-old bug found:

    SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to the target directory and/or client output manipulation.

    Many scp clients fail to verify that the objects returned by the scp server match those they asked for. This issue dates back to 1983 and rcp, on which scp is based.

    A malicious scp server can write arbitrary files to the scp target directory, change the target directory permissions and spoof the client output.

    1. OpenSSH

    1.1 Switch to sftp if possible
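Client-side validation of the server's control records is the check the advisory says many scp clients lacked. The block below is an added example (not code from the advisory or from any scp implementation): it accepts only names the client itself asked for, rejects path components and control characters, and rejects directory records during a non-recursive copy. The record format follows the scp protocol; the sample records are constructed, not captured.

```python
import fnmatch
import re

# Constructed sample of control records a client might receive from an scp
# server after requesting just "report.txt" (not captured from a real session).
SAMPLE_RECORDS = [
    "C0644 12 report.txt",          # exactly what was requested
    "C0644 9 .bash_aliases",        # unrequested name dropped into the target dir
    "C0644 5 ../escape.txt",        # path component, would leave the target dir
    "D0755 0 subdir",               # directory record during a non-recursive copy
    "C0644 5 \x1b[2Kreport.txt",    # ANSI escape aimed at the client's terminal output
    "T1546000000 0 1546000000 0",   # timestamp record, harmless by itself
]

# C<mode> <size> <name> for files, D<mode> <size> <name> for directories
_RECORD_RE = re.compile(r"^([CD])([0-7]{4}) (\d+) (.+)$")


def validate_scp_record(record, requested, recursive=False):
    """Return (accepted, reason) for one server control record.

    `requested` is the list of names or globs the client asked for; a file
    record is accepted only when its name matches one of them, so the server
    cannot substitute objects the client never requested.
    """
    if record.startswith("T"):
        return True, "timestamp"
    if record == "E":
        if recursive:
            return True, "end of directory"
        return False, "end-of-directory record in non-recursive copy"
    m = _RECORD_RE.match(record)
    if not m:
        return False, "malformed record"
    kind, _mode, _size, name = m.groups()
    if kind == "D" and not recursive:
        return False, "directory record in non-recursive copy"
    if name in (".", "..") or "/" in name or "\\" in name:
        return False, "path traversal in name"
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        return False, "control characters in name (output spoofing)"
    if not any(fnmatch.fnmatchcase(name, pat) for pat in requested):
        return False, "name not among requested objects"
    return True, "ok"


def filter_records(records, requested, recursive=False):
    """Split a stream of records into (accepted, rejected) lists of (record, reason)."""
    accepted, rejected = [], []
    for rec in records:
        ok, why = validate_scp_record(rec, requested, recursive)
        (accepted if ok else rejected).append((rec, why))
    return accepted, rejected


if __name__ == "__main__":
    acc, rej = filter_records(SAMPLE_RECORDS, ["report.txt"])
    for rec, why in rej:
        print(f"REJECT {rec!r}: {why}")
    for rec, why in acc:
        print(f"accept {rec!r}: {why}")
```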

  25. Tomi Engdahl says:

    Hack a Tesla Model 3, get cash and the car

    For this year’s edition of the Pwn2Own hacking contest at CanSecWest, Trend Micro’s Zero Day Initiative has announced a new target category: Automotive.

  26. Tomi Engdahl says:

    Abusing MySQL clients to get LFI from the server/client

    Thinking of exposing a service that fetches content from a user-given MySQL server? Think again. You may expose the client to an LFI vulnerability via a MySQL client feature.

    Recently I found, through a bug bounty program, a public webpage that was used to connect to a remote MySQL database. The user was able to input a server address, username and password in the webpage and do some (restricted) administrative things like issuing some predefined SQL queries. The page was always connecting to a MySQL port (3306/TCP) and the web UI was pretty limited and well done, so nothing really exploitable there, unfortunately.
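The client feature the post refers to is assumed here to be LOAD DATA LOCAL INFILE, where the server, not the client, names a file the client should read and send. The block below is an added example, not code from the post or from any MySQL driver: it frames and parses packets the way the MySQL wire protocol does and shows the guard a client that accepts user-supplied server addresses needs, i.e. refuse a LOCAL INFILE request unless the client itself issued a LOAD DATA LOCAL statement. The packets are constructed samples.

```python
import re
import struct


def build_packet(seq, payload):
    """Frame a payload as the MySQL wire protocol does: 3-byte LE length, 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def read_packet(buf):
    """Parse one framed packet; return (seq, payload, remaining bytes)."""
    if len(buf) < 4:
        raise ValueError("truncated header")
    length = int.from_bytes(buf[:3], "little")
    seq = buf[3]
    if len(buf) < 4 + length:
        raise ValueError("truncated payload")
    return seq, buf[4:4 + length], buf[4 + length:]


def classify_response(payload):
    """Label the first server packet that answers a COM_QUERY."""
    first = payload[0]
    if first == 0x00:
        return "OK", None
    if first == 0xFF:
        return "ERR", None
    if first == 0xFB:  # LOCAL INFILE request: the rest of the payload is a filename on the *client*
        return "LOCAL_INFILE_REQUEST", payload[1:].decode("utf-8", "replace")
    return "RESULTSET", None


def is_load_data_local(sql):
    return re.match(r"^\s*LOAD\s+DATA\s+LOCAL\b", sql, re.IGNORECASE) is not None


def guard_response(sql_sent, payload, allow_local_infile=False):
    """Decide whether the client may act on the response. Returns (allowed, reason).

    A server may only ask for a local file in reply to a LOAD DATA LOCAL
    statement the client sent; any other time the request is refused, and it
    is always refused when the local-infile feature is disabled client-side.
    """
    kind, filename = classify_response(payload)
    if kind != "LOCAL_INFILE_REQUEST":
        return True, kind
    if not allow_local_infile:
        return False, f"server asked for local file {filename!r} but local_infile is disabled"
    if not is_load_data_local(sql_sent):
        return False, f"server asked for local file {filename!r} in reply to a non-LOAD statement"
    return True, "LOAD DATA LOCAL requested by this client"


# Constructed samples: a normal OK packet (zero affected rows, autocommit flag)
# and a LOCAL INFILE request naming a file on the client machine.
SAMPLE_OK = build_packet(1, b"\x00\x00\x00\x02\x00\x00\x00")
SAMPLE_INFILE = build_packet(1, b"\xfb/home/app/.my.cnf")


if __name__ == "__main__":
    _, payload, _ = read_packet(SAMPLE_INFILE)
    print(guard_response("SELECT 1", payload))
    print(guard_response("SELECT 1", payload, allow_local_infile=True))
```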

  27. Tomi Engdahl says:

    Exclusive: Hackers Take Control Of Giant Construction Cranes

    Federico Maggi will never forget the first time he saw a crane being hacked.

    Last March, he was on a strange kind of road trip. Travelling the Lombardy region of Italy with his colleague Marco Balduzzi in a red Volkswagen Polo, the pair hoped to convince construction site managers, who they’d never met or spoken with before, to let them have a crack at taking control of cranes with their hacking tools.

    Surprise, surprise: They weren’t having much luck. But one such manager, who Maggi fondly remembers as Matteo, was game.

    Matteo was asked to turn off his transmitter, the only one on-site capable of controlling the crane, and put the vehicle into a “stop” state. The hackers ran their script. Seconds later, a harsh beeping announced the crane was about to move. And then it did, shifting from side to side. Looking up at the mechanism below a wide blue sky, Matteo was at first confused.

    “I remember him looking up and asking, ‘Who is doing that?’ Then he realized the test was successful,” Maggi recalls.

    Matteo’s crane was just the start. Over the coming days and weeks, the researchers, who ply their trade at Japanese cybersecurity giant Trend Micro, became professional “crane spotters.”

    It soon became obvious: Cranes were hopelessly vulnerable. And, unless the manufacturers behind the tools could be convinced to secure their kit, the potential for catastrophic damage was very real. The consequences ranged “from theft and extortion to sabotage and injury,” the researchers wrote in a paper handed to Forbes exclusively ahead of publication on Tuesday.

    Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations

    Radio frequency (RF) technology is being used in operations to control various industrial machines. However, the lack of implemented security in RF communication protocols could lead to production sabotage, system control, and unauthorized access.

  28. Tomi Engdahl says:

    Report: We Tested 5 Popular Web Hosting Companies & All Were Easily Hacked

    The goal of this research was to try and see if websites hosted on Bluehost, Dreamhost, HostGator, OVH, or iPage could be compromised with one click client-side vulnerabilities. Unfortunately, we found at least one client-side vulnerability in all the platforms we tested, allowing account takeover when the victim clicks a link or visits a malicious website.

  29. Tomi Engdahl says:

    Foreign entities said buying domain names of Israeli parties ahead of elections

    Amid meddling concerns, cybersecurity expert says seized URLs could be malicious phishing-like scam, or simply opportunists trying to make money

    Days after national elections were announced in Israel last month, over a dozen political parties were targeted in an apparently coordinated phishing-type scam known as brandjacking

  30. Tomi Engdahl says:

    State Bank of Mauritius files complaint with Singapore police to track down hackers

    Mumbai: The State Bank of Mauritius (SBM) has filed a complaint with the Singapore police to track down unknown hackers who allegedly withdrew Rs 19 crore from its branch in Mumbai.

    “Bank officials have intimated us about lodging a complaint with the Singapore police,” said police inspector Kishore Parab, who is in charge of the bank fraud department of the Economic Offences Wing (EOW), a specialised unit of the Mumbai Police that probes financial frauds.

    “Since the company in whose account the funds were transferred is registered in Singapore, the bank has lodged a complaint with them. The FIR copy of the complaint lodged with the Mumbai police has been shared with the Singapore police,” said another official with the knowledge of the matter.

  31. Tomi Engdahl says:

    Windows Security Patch Breaks PowerShell Remoting

    A security patch released on January 8 that fixed CVE-2019-0543 also inadvertently broke Windows PowerShell and PowerShell Core 6 (PSCore6) WinRM based remoting for one specific PowerShell remoting scenario.

    Microsoft’s CVE-2019-0543 security patch fixed an elevation of privilege security vulnerability which could have been exploited by potential attackers by running a maliciously crafted app on the victim’s machine.

    The issue only affects local loopback remoting on endpoints where loopback endpoints are specifically configured to allow access to non-Administrator accounts, something which is by default disabled in Windows 10.

  32. Tomi Engdahl says:

    New Ransomware Bundles PayPal Phishing Into Its Ransom Note

    A new in-development ransomware has been discovered that not only encrypts your files, but also tries to steal your PayPal credentials with an included phishing page.

    The ransomware itself is nothing special, but the ransom note is clever as it not only tries to steal your money through a normal bitcoin ransom payment, but also offers a choice to pay via PayPal. If a user chooses to pay using PayPal, they will be brought to a phishing site that will then attempt to steal the victim’s PayPal credentials.

  33. Tomi Engdahl says:

    Distribution of malicious JAR appended to MSI files signed by third parties

    Microsoft Windows keeps the Authenticode signature valid after appending any content to the end of Windows Installer (.MSI) files signed by any software developer. This behaviour can be exploited by attackers to bypass some security solutions that rely on Microsoft Windows code signing to decide if files are trusted. The scenario is especially dangerous when the appended code is a malicious JAR because the resulting file has a valid signature according to Microsoft Windows and the malware can be directly executed by Java.

    Code signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted since it was signed by the author.[1]
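A detection heuristic for the appended-JAR case, added here as an example (not code from the advisory): every MSI is an OLE Compound File, and a JAR is a ZIP whose end-of-central-directory record stores the central directory's size and offset, so subtracting both from the record's position gives where the archive really begins; anything before that is host data. The sample "installer" is a constructed 512-byte OLE header, not a real MSI, and this check does not validate the Authenticode signature itself.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File header every .msi starts with
EOCD_SIG = b"PK\x05\x06"                         # ZIP end-of-central-directory signature


def find_appended_zip(data):
    """Return {'offset', 'size', 'entries'} for a ZIP/JAR hanging off an OLE file, else None."""
    if not data.startswith(OLE_MAGIC):
        return None
    # EOCD is 22 bytes plus an optional comment of up to 65535 bytes, so it lives in this tail.
    tail = data[-(22 + 65535):]
    rel = tail.rfind(EOCD_SIG)
    if rel < 0:
        return None
    eocd = len(data) - len(tail) + rel
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    zip_start = eocd - cd_size - cd_offset  # where the archive begins in the host file
    if zip_start <= 0 or zip_start >= len(data):
        return None
    try:
        names = zipfile.ZipFile(io.BytesIO(data[zip_start:])).namelist()
    except zipfile.BadZipFile:
        return None
    return {"offset": zip_start, "size": len(data) - zip_start, "entries": names}


def build_sample(appended=True):
    """Constructed stand-in: bare OLE header (not a real installer), optionally with a tiny JAR-like ZIP appended."""
    host = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))
    if not appended:
        return host
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Payload.class", b"constructed placeholder, not bytecode")
    return host + buf.getvalue()


if __name__ == "__main__":
    # Flag for review: a signature that still verifies says nothing about bytes past the OLE structure.
    print(find_appended_zip(build_sample()))
    print(find_appended_zip(build_sample(appended=False)))
```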

  34. Tomi Engdahl says:

    Old RF Protocols Expose Cranes to Remote Hacker Attacks

    A team of researchers from Japan-based cybersecurity firm Trend Micro has analyzed the communication mechanisms used by cranes and other industrial machines and discovered serious vulnerabilities that can make it easy for malicious actors to launch remote attacks.

    Cranes, hoists, drills and other heavy machinery used in the manufacturing, construction, transportation and mining sectors often rely on radio frequency (RF) controllers. These systems include a transmitter that sends out commands via radio waves, and a receiver that interprets those commands.

  35. Tomi Engdahl says:

    Researchers Create PoC Malware for Hacking Smart Buildings

    Researchers at IoT security company ForeScout have created a piece of malware to demonstrate how malicious actors could remotely hack into smart buildings.

    Smart buildings have become increasingly common. They rely on building automation systems – including sensors, controllers and actuators – to control heating, ventilation, air conditioning, lighting, surveillance, elevators, and access.

    The automation systems that power smart buildings are similar to industrial control systems (ICS), but ForeScout warns that their security should be handled differently given that building automation systems are much more open and interconnected compared to ICS. Furthermore, when it comes to the threats targeting these systems, the final payload is much easier to deliver in the case of building systems as the physical processes involved are less complicated.

  36. Tomi Engdahl says:

    Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach

    There are breaches, and there are megabreaches, and there’s Equifax. But a newly revealed trove of leaked data tops them all for sheer volume: 772,904,991 unique email addresses, over 21 million unique passwords, all recently posted to a hacking forum.

    The data set was first reported by security researcher Troy Hunt, who maintains Have I Been Pwned, a way to search whether your own email or password has been compromised by a breach at any point. (Trick question: It has.) The so-called Collection #1 is the largest breach in Hunt’s menagerie, and it’s not particularly close.

    In raw form, it comprises 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords.

    The trove appeared briefly on MEGA, the cloud service, and persisted on what Hunt refers to as “a popular hacking forum.” It sat in a folder called Collection #1, which contained over 12,000 files that weigh in at over 87 gigabytes. While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.

    “It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt tells WIRED. “There’s no obvious patterns, just maximum exposure.”

    That sort of Voltron breach has happened before, but never on this scale. In fact, not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents—which affected 1 billion and 3 billion users, respectively—in size. Fortunately, the stolen Yahoo data hasn’t surfaced. Yet.

    Who’s Affected?

    The accumulated lists seem designed for use in so-called credential-stuffing attacks, in which hackers throw email and password combinations at a given site or service. These are typically automated processes

    The silver lining in Collection #1 going public is that you can definitively find out if your email and password were among the impacted accounts.

    Have I Been Pwned also introduced a password-search feature a year and a half ago; you can just type in whatever passwords go with your most sensitive accounts to see if they’re out in the open. If they are, change them.

    And while you’re at it, get a password manager. It’s well past time.

  37. Tomi Engdahl says:

    The 773 Million Record “Collection #1” Data Breach

    Let’s start with the raw numbers because that’s the headline, then I’ll drill down into where it’s from and what it’s composed of. Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources.

    In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive.

    The unique email addresses totalled 772,904,991.

    There are 21,222,975 unique passwords.

    Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data. One of my contacts pointed me to a popular hacking forum where the data was being socialised,

    Whilst there are many legitimate breaches that I recognise in that list, that’s the extent of my verification efforts and it’s entirely possible that some of them refer to services that haven’t actually been involved in a data breach at all.

    However, what I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago. Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public.

    Checking Email Addresses and Passwords in HIBP

    There’ll be a significant number of people that’ll land here after receiving a notification from HIBP; about 2.2M people presently use the free notification service and 768k of them are in this breach.
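
The password check mentioned in the two posts above can be done without the password leaving the machine: HIBP's Pwned Passwords range API (assumed here; it is not named on the page) takes only the first five hex characters of the SHA-1 and returns every matching suffix with its count. This is an added example, not HIBP's or the author's code; the sample response and its counts are constructed.

```python
import hashlib
import urllib.request

# Assumed endpoint of the k-anonymity lookup; only a 5-character hash prefix is ever sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password; return the 5-hex prefix that is sent and the 35-hex suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text, suffix):
    """Count occurrences of our suffix in a 'SUFFIX:COUNT'-per-line response; 0 means not found."""
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        cand, count = line.split(":", 1)
        if cand.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup over the network for one prefix."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """Return how many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed offline response: the suffix of "password" with a made-up count,
# between two made-up neighbours that share the same prefix.
_PREFIX, _SUFFIX = split_hash("password")
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_SUFFIX}:3730471",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])


if __name__ == "__main__":
    print(check_password("password", fetch=lambda p: SAMPLE_RESPONSE))
```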

  38. Tomi Engdahl says:

    RSA Encryption Cracked Easily (Sometimes)

    A large chunk of the global economy now rests on public key cryptography. We generally agree that with long enough keys, it is infeasible to crack things encoded that way. Until such time as it isn’t, that is. Researchers published a paper a few years ago where they cracked a large number of keys in a very short amount of time. It doesn’t work on any key

    The basis for public key cryptography is that you multiply two large prime numbers to form a product and post it publicly.

    However, the random selection leads to an unusual attack. Public keys, by their very nature, are available all over the Internet. Most of them were generated with the same algorithm and random number generation isn’t actually totally random. That means some keys share prime factors and finding a common factor between two numbers isn’t nearly as difficult.

    In fact, that’s the heart of the problem.

    Before you get too alarmed, the researchers looked at 6.2 million keys and were able to crack fewer than 13,000. Not exactly a gaping security hole, unless you are one of the 13,000, of course.

    You can read his analysis, and decide for yourself how badly this compromises common algorithms.
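The shared-factor check behind the result above, as an added example (not code from the article or the paper it summarises): for a set of public moduli, batch GCD computes gcd(n_i, product of all other n_j) with a product tree and a remainder tree, so a key inventory can be audited for primes shared with any other key in one pass rather than pairwise. The moduli below are constructed from toy 6-bit primes.

```python
import math


def batch_gcd(moduli):
    """For each modulus n_i return gcd(n_i, product of all other moduli)."""
    # Product tree: each level multiplies neighbouring pairs; an odd last element carries up unchanged.
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    # Remainder tree: walk back down reducing the product modulo each node squared.
    rems = [levels[-1][0]]
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # (P mod n^2) / n == (P/n) mod n, so this gcd equals gcd(P/n, n).
    return [math.gcd(r // x, x) for r, x in zip(rems, moduli)]


def audit_keys(moduli):
    """Return {index: (p, q)} for every modulus sharing a prime with another key.

    A value of None marks a modulus whose both primes appear elsewhere (an
    exact duplicate key); either way the key must be revoked and regenerated.
    """
    broken = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == n:
            broken[i] = None
        elif g > 1:
            broken[i] = (g, n // g)
    return broken


# Constructed inventory: keys 0 and 1 were "generated" with the same prime 61.
SAMPLE_MODULI = [61 * 53, 61 * 71, 67 * 59, 73 * 79]


if __name__ == "__main__":
    print(batch_gcd(SAMPLE_MODULI))
    print(audit_keys(SAMPLE_MODULI))
```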

  39. Tomi Engdahl says:

    Singapore Imposes $740,000 Fines Over Major Cyber Attack

    Singapore’s privacy watchdog Tuesday imposed fines of Sg$1 million ($740,000) on a healthcare provider and an IT agency over a cyber-attack that saw health records of about a quarter of the population stolen.

    In the city-state’s biggest ever data breach, hackers last year gained access to a government database and made off with the records of 1.5 million people, with Prime Minister Lee Hsien Loong among those targeted.

  40. Tomi Engdahl says:

    U.S. in Criminal Probe of China’s Huawei: Report

    US authorities are in the “advanced” stages of a criminal probe that could result in an indictment of Chinese technology giant Huawei, a report said Wednesday.

  41. Tomi Engdahl says:

    Vulnerability Allowed Fortnite Account Takeover Without Credentials

    Hacking game accounts is a popular — and enriching — pastime. The rise of in-game marketplaces that can be used for buying and selling game commodities has attracted hackers who break into gamers’ accounts, steal their game commodities (and anything else they can find from personal data to parents’ bank card details) and sell them on for cash.

    The traditional route has always been to phish the gamers’ credentials — and obviously the bigger and more popular the game, the bigger the pool for phishing. Checkpoint recently discovered a vulnerability (now fixed) in the biggest game of all that allowed criminals to gain access to users’ accounts without requiring credentials.

  42. Tomi Engdahl says:

    WordPress to Warn on Outdated PHP Versions

    In an effort to improve the security of websites, WordPress will display a warning starting in April 2019 when encountering outdated PHP versions.

    In December last year, the free and open-source content management system (CMS) announced that 85% of websites running WordPress 5.0 were already using PHP 5.6 or above.

    In light of that, PHP 5.6 will become the minimum PHP version requirement for WordPress websites, and site administrators running outdated PHP versions will receive notices on that.

