Cyber Security March 2019

This posting is here to collect cyber security news in March 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

490 Comments

  1. Tomi Engdahl says:

    Norsk Hydro Restoring Systems, But Not Paying Ransom
    https://www.securityweek.com/norsk-hydro-restoring-systems-not-paying-ransom

    Norwegian metals and energy giant Norsk Hydro is working on restoring systems after being hit by ransomware, but the company says it does not plan on paying the hackers.

    Reply
  2. Tomi Engdahl says:

    European Government Websites Are Delivering Tracking Cookies to Visitors
    https://www.securityweek.com/european-government-websites-are-delivering-tracking-cookies-visitors

    Governments within the European Union appear to be flouting their own GDPR laws. Many official government websites are harboring and delivering tracking cookies from the ad tech industry even though they don’t rely on any advertising income. Eighty-nine percent of 184,683 pages delivered tracking cookies. Twenty-five of the 28 member states have websites with tracking cookies — only the Spanish, German and Dutch sites had no trackers.

    Reply
  3. Tomi Engdahl says:

    Google Photos Flaw Allowed Hackers to Track Users
    https://www.securityweek.com/google-photos-flaw-allowed-hackers-track-users

    Google recently patched a vulnerability in its Photos service that could have been exploited via browser-based timing attacks to track users, Imperva revealed on Wednesday.

    Reply
  4. Tomi Engdahl says:

    Man Pleads Guilty Over $100M BEC Scheme Targeting Google, Facebook
    https://www.securityweek.com/man-pleads-guilty-over-100m-bec-scheme-targeting-google-facebook

    A 50-year-old Lithuanian citizen has pleaded guilty over his role in a business email compromise (BEC) scheme in which Google and Facebook employees were tricked into wiring a total of more than $100 million to bank accounts he controlled.

    Reply
  5. Tomi Engdahl says:

    Vulnerability in NSA’s Reverse Engineering Tool Allows Remote Code Execution
    https://www.securityweek.com/vulnerability-nsas-reverse-engineering-tool-allows-remote-code-execution

    A vulnerability in Ghidra, the generic disassembler and decompiler released by the National Security Agency (NSA) in early March, could be exploited to execute code remotely, researchers say.

    The flaw, an XML external entity (XXE) issue, was discovered in the Ghidra project loading process immediately after the tool was released.

    Impacting the project open/restore, the vulnerability can be exploited by anyone able to trick a user into opening or restoring a specially crafted project, a GitHub report reveals.

    Reply
  6. Tomi Engdahl says:

On the new #GalaxyS10, it can be unlocked with an image of your face – using another phone.
    https://mobile.twitter.com/DigitalTrends/status/1107710762959683584

    Reply
  7. Tomi Engdahl says:

    Cyberattacks: Europe gets ready to face crippling online assaults
    https://www.zdnet.com/article/cyber-attacks-europe-gets-ready-to-face-crippling-online-assaults/

    Massive cyberattacks with real-world consequences are no longer unthinkable. Time to get prepared, says Europe.

    Europe is gearing up to deal with the impact of large-scale international cyberattacks.

    “The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable,” warned Europol, the European Union’s (EU) law enforcement agency, which focuses on terrorism, cybercrime and serious and organised crime.

    Europol pointed to WannaCry and NotPetya ransomware attacks as examples of incidents that showed the existing ways of tackling major cyberattacks were insufficient.

    Reply
  8. Tomi Engdahl says:

    The search is on for Hydro hackers
    https://www.newsinenglish.no/2019/03/20/the-search-is-on-for-hydro-hackers/

    An international investigation is underway to get to the root of this week’s extensive cyber attack on Norwegian industrial concern Norsk Hydro. The partially state-owned company remained mostly offline Wednesday morning, but Hydro officials claimed they were making progress in restoring “secure and stable” operations.

    Reply
  9. Tomi Engdahl says:

    Many Vulnerabilities Found in Oracle’s Java Card Technology
    https://www.securityweek.com/many-vulnerabilities-found-oracles-java-card-technology

    Poland-based cybersecurity research firm Security Explorations claims to have identified nearly 20 vulnerabilities in Oracle’s Java Card, including flaws that could be exploited to compromise the security of chips using this technology.

    Oracle’s Java Card technology is designed to provide a secure environment for applications running on smart cards, SIMs, embedded secure elements and other trusted devices that have limited memory and processing capabilities. Oracle says the technology is deployed on nearly six billion devices every year, including in the financial, telecoms, and government sectors.

    Security Explorations says it has discovered 18 vulnerabilities in the reference Java Card implementation from Oracle, along with one flaw that is specific to smart cards made by Gemalto, whose products use Java Card technology. The flaws were reproduced on Gemalto’s 3G USIMERA Prime and GemXplore 3G V3.0-256K SIM cards, and Java Card 3.1 software, which Oracle released in January 2019.

    Reply
  10. Tomi Engdahl says:

    Finland to Investigate Suspected Nokia Chinese Data Breach
    https://www.securityweek.com/finland-investigate-suspected-nokia-chinese-data-breach

    Finnish authorities will launch an investigation into claims that Nokia phones have been transmitting users’ personal data to China, the country’s data protection ombudsman announced on Thursday.

    “Based on our initial analysis it appears that personal data has also been transferred (to China),” Reijo Aarnio, Finland’s data protection ombudsman, told the news agency STT.

    Reply
  11. Tomi Engdahl says:

    Facebook admits it stored ‘hundreds of millions’ of account passwords in plaintext
    https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/

    Flip the “days since last Facebook security incident” back to zero.

    Facebook confirmed Thursday in a blog post, prompted by a report by cybersecurity reporter Brian Krebs, that it stored “hundreds of millions” of account passwords in plaintext for years.

    The discovery was made in January, said Facebook’s Pedro Canahuati, as part of a routine security review. None of the passwords were visible to anyone outside Facebook, he said. Facebook admitted the security lapse months later, after Krebs said logs were accessible to some 2,000 engineers and developers.

    Reply
  12. Tomi Engdahl says:

    PewDiePie fans keep making junk ransomware
    https://www.zdnet.com/article/pewdiepie-fans-keep-making-junk-ransomware/

    Please, YouTube! Just hide PewDiePie and T-Series’ followers count and put this competition to bed.

    For some misguided reason, PewDiePie fans seem to believe that making and releasing ransomware is a proper and acceptable method of supporting their idol.

Over the past three months, PewDiePie fans have released at least two PewDiePie-themed ransomware strains.

    Reply
  13. Tomi Engdahl says:

    1,600 Hotel Guests Secretly Live Streamed to 4,000+ Subscribers
    https://www.bleepingcomputer.com/news/security/1-600-hotel-guests-secretly-live-streamed-to-4-000-subscribers/

    Four individuals from South Korea were detained for secretly recording, live streaming, and selling spy cam videos of 1600 motel guests between November 24 and March 2, with two of them being arrested and facing a maximum of five years in jail.

    The South Korean spy cam group used a setup of wireless IP cameras hidden in “42 motel rooms at 30 motels in 10 cities in the North and South Gyeongsang and Chungcheong Provinces” according to a report from Korea Herald.

    Reply
  14. Tomi Engdahl says:

    Facebook Exposes Hundreds of Millions of User Passwords
    https://www.tomsguide.com/us/facebook-password-plaintext,news-29696.html

    Facebook stored the account passwords of “hundreds of millions” of Facebook, Facebook Lite and Instagram users in unencrypted plaintext on its internal servers, where thousands of Facebook employees could have viewed them, the company said today (March 21) in an official Facebook blog posting.

    https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/

    Reply
  15. Tomi Engdahl says:

    Zero-day in WordPress SMTP plugin abused by two hacker groups
    https://www.zdnet.com/article/zero-day-in-wordpress-smtp-plugin-abused-by-two-hacker-groups/

    Hacker groups are creating backdoor admin accounts on vulnerable sites and redirecting users to tech support scams.

    Reply
  16. Tomi Engdahl says:

    Mac-Focused Malvertising Campaign Abuses Google Firebase DBs
    https://threatpost.com/mac-focused-malvertising-campaign-abuses-google-firebase-dbs/143010/

    Researchers said 1 million user sessions could have been exposed to the campaign, which downloads the Shlayer trojan.

    Reply
  17. Tomi Engdahl says:

    The Norsk Hydro cyber attack is about money, not war
    https://www.wired.co.uk/article/norsk-hydro-cyber-attack

    Aluminium maker shows the importance of manual overrides as a way to cope when hackers cripple your systems

    Reply
  18. Tomi Engdahl says:

    Sloppy Hackers Take Down Another Major Company
    https://www.eeweb.com/profile/loucovey/articles/sloppy-hackers-take-down-another-major-company

Based on FBI estimates, ransomware-based cybercrime will cost companies $11.5 billion this year, up from $325 million in 2015.

    A shoutout to Israeli cybersecurity firm CyberHat for the notification in my inbox this week of a fairly significant cyberattack that started Monday and is still ongoing. Let’s start with the news and follow with a rant:

    Norwegian company Norsk Hydro, one of the most significant aluminum producers in the world, was hit Monday morning using a relatively new ransomware, dubbed LockerGoga. This malware, which was discovered by an independent cybersecurity expert in Serbia early this year, seems to be targeting large engineering and manufacturing firms.

    Norsk Hydro has been forced to take its automated systems offline and switch to manual operation until the virus is removed or isolated. A similar attack was initiated on French engineering firm Altran Technologies on Jan. 25.

    “This is a classic ransomware attack; the situation is quite severe,”

    Reply
  19. Tomi Engdahl says:

    Nokia firmware blunder sent some user data to China
    https://www.zdnet.com/article/nokia-firmware-blunder-sent-some-user-data-to-china/

    Company behind Nokia smartphones accidentally left a data collection package inside some Nokia 7 Plus devices’ firmware.

    Reply
  20. Tomi Engdahl says:

NRK: Nokia phone model regularly sent data to a Chinese server – data protection ombudsman is looking into the matter
    https://yle.fi/uutiset/3-10699425

    Reply
  21. Tomi Engdahl says:

    Analysis of a Chrome Zero Day: CVE-2019-5786
    https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786/

    On March 1st, Google published an advisory [1] for a use-after-free in the Chrome implementation of the FileReader API (CVE 2019-5786). Clement Lecigne from Google Threat Analysis Group reported the bug as being exploited in the wild and targeting Windows 7, 32-bit platforms. The exploit leads to code execution in the Renderer process, and a second exploit was used to fully compromise the host system [2].

    Reply
  22. Tomi Engdahl says:

    Most second-hand thumb drives contain data from past owners
    https://www.welivesecurity.com/2019/03/21/most-second-hand-thumb-drives-contain-data-past-owners-usb/

    Our penchant for plugging in random memory sticks isn’t the only trouble with our USB hygiene, a study shows

    Many computer users don’t take enough precautions when disposing of their USB sticks, leaving a trove of what is often sensitive information about themselves for the drives’ new owners, a study has shown.

    Researchers from the University of Hertfordshire purchased 200 second-hand memory sticks – 100 in the United States, 100 in the United Kingdom – on the open market recently to see how many of them still contained data from previous owners.

    Reply
  23. Tomi Engdahl says:

    Hunting for the True Meaning of Threat Hunting at RSAC 2019
    https://securityintelligence.com/hunting-for-the-true-meaning-of-threat-hunting-at-rsac-2019/

    Don’t Believe the Hype: 3 Common Misconceptions About Threat Hunting

Let’s be honest: “Threat hunting” certainly has a cool ring to it that draws people in and makes them want to learn more. However, it’s important not to lose sight of the fact that threat hunting is an actual approach to cyber investigations that has been around since long before marketers started using it as a hook.

    1. Threat Hunting Should Be Fully Automated
    2. Threat Hunting and EDR Are One and the Same
    3. Threat Hunting Is Overly Complicated

    What Is the True Meaning of Cyber Threat Hunting?

    Don’t get me wrong — I am thrilled that threat hunting is gaining steam and vendors are coming up with innovative solutions to contribute to the definition of threat hunting. As a former analyst, I define threat hunting as an in-depth, human-led, investigative process to discover threats to an organization. My definition may vary from most when it comes to how this is conducted, since most definitions emphasize that threat hunting is a totally proactive approach. While I absolutely agree with the importance of proactivity, there aren’t many organizations that can take a solely proactive approach to threat hunting due to constraints related to budget, training and time.

    Reply
  24. Tomi Engdahl says:

    A new Windows vulnerability, exploited by cybercriminals
    https://www.pandasecurity.com/mediacenter/security/cybercriminals-windows-vulnerability/

    CVS (Common Vulnerabilities and Exposures) is a system that registers and provides information about known security vulnerabilities. According to CVS, 16,555 vulnerabilities have been discovered in the last year, of which, over 25% are of high or critical severity. In fact, the number of vulnerabilities discovered each year has shot up in the last two years: 6,447 vulnerabilities were discovered in 2016; in 2017 that figure rose to 14,714.

    Reply
  25. Tomi Engdahl says:

    Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
    https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

    Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

    Reply
  26. Tomi Engdahl says:

    Pedro Canahuati / Facebook:
    Facebook says it will notify hundreds of millions of Facebook users and thousands of Instagram users after it found passwords were stored in a readable format — As part of a routine security review in January, we found that some user passwords were being stored in a readable format within our internal data storage systems.

    Keeping Passwords Secure
    https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/

    Reply
  27. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Facebook admits it inadvertently stored some user passwords in plain text, searchable by employees; source says it may have been between 200M and 600M passwords — Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees …
    https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

    Reply
  28. Tomi Engdahl says:

    Joe Carlson / Star Tribune:
    DHS warns of two vulnerabilities affecting about 750,000 Medtronic implantable defibrillators worldwide, which could allow hackers to take control of devices — Alert from Medtronic, Homeland Security says 750K defibrillators are at risk. — As many as 750,000 heart devices …

    750,000 Medtronic defibrillators vulnerable to hacking
    http://www.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/

    The Homeland Security Department, which oversees security in critical U.S. infrastructure including medical devices, issued an alert.

    Reply
  29. Tomi Engdahl says:

    This clever scam lets advertisers make money by draining your Android phone
    https://www.theverge.com/2019/3/22/18276542/scam-hidden-video-ads-android-app-drain-batteries-data-cpu-cycles

    Hidden video ads that nobody ever sees can fool marketers and drain batteries

    Remember when we learned it was theoretically possible for a webpage — or app — to steal your processor cycles to mine cryptocurrency, potentially draining your battery and cellular data in the process? BuzzFeed reports that ad networks have figured out a similar scam — one that lets lucrative, power-hungry video advertisements hide behind traditional banner ads in Android apps, so users don’t even know they’re there.

    According to BuzzFeed, it’s not app developers to blame — they were surprised to find an influx of complaints about why their apps are draining users’ batteries and eating up more than their fair share of data. Instead, the report suggests that the ad networks they’d signed up with had been hijacked by fraudsters within the larger ad business.

    The scam isn’t just at the expense of consumers, but also ad networks too, as the scammers buy up cheap banner spots and fill them with expensive video ads, profiting in the process.

    Reply
  30. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Hacker groups are creating backdoor admin accounts and redirecting users to tech support scams using a zero-day vulnerability in a popular WordPress plugin

    Zero-day in WordPress SMTP plugin abused by two hacker groups
    https://www.zdnet.com/article/zero-day-in-wordpress-smtp-plugin-abused-by-two-hacker-groups/

    Reply
  31. Tomi Engdahl says:

    Facebook Pays Big Bounty for DoS Flaw in Fizz TLS Library
    https://www.securityweek.com/facebook-pays-big-bounty-dos-flaw-fizz-tls-library

    While Facebook’s bug bounty program does not typically cover denial-of-service (DoS) vulnerabilities, the social media giant has decided to award a significant bounty for a serious flaw affecting Fizz, its open source TLS library.

    Fizz, which Facebook released as open source in August 2018, is the company’s implementation of the TLS 1.3 cryptographic protocol. At the time when it was made public, Fizz had been used by Facebook to secure communications in its mobile applications, load balancers, internal services, its Proxygen HTTP framework, and other applications. Other organizations and open source projects may have also started using it after its release as open source.

    Reply
  32. Tomi Engdahl says:

Facebook Stored Passwords of Hundreds of Millions of Users in Plain Text
    https://www.securityweek.com/facebook-stored-passwords-hundreds-millions-users-plain-text

Facebook today admitted to having stored the passwords of hundreds of millions of its users in plain text, including the passwords of Facebook Lite, Facebook, and Instagram users.

    Reply
  33. Tomi Engdahl says:

    Facebook apps logged users’ passwords in plaintext, because why not
    https://arstechnica.com/information-technology/2019/03/facebook-developers-wrote-apps-that-stored-users-passwords-in-plaintext/

    Unencrypted user credentials stored on Facebook internal servers as far back as 2012.

    Reply
  34. Tomi Engdahl says:

    Over 20,000 Facebook employees had access to 600 million user passwords
    https://www.google.com/amp/s/www.engadget.com/amp/2019/03/21/facebook-user-passwords-plain-text/

    It will notify hundreds of millions of users after discovering credentials were stored in plain text.

    Reply
  35. Tomi Engdahl says:

    Sacked IT guy annihilates 23 of his ex-employer’s AWS servers
    https://nakedsecurity.sophos.com/2019/03/22/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers/

    An employee-from-hell has been jailed after he got fired (after a measly four weeks), ripped off a former colleague’s login, steamrolled through his former employer’s Amazon Web Services (AWS) accounts, and torched 23 servers.

    was jailed for two years

    he began deleting Voova’s AWS servers.

    The company lost big contracts with transport companies as a result.

    wreckage caused an estimated loss of £500,000

    The company reportedly was never able to claw back the deleted data.

    It took months to track down the culprit.

    Reply
  36. Tomi Engdahl says:

    Scammer pleads guilty to fleecing Facebook and Google of $121m
    https://nakedsecurity.sophos.com/2019/03/22/scammer-pleads-guilty-to-fleecing-facebook-and-google-of-121m/

    Large, worldly tech companies would never fall for a wire transfer invoice scam, would they?

    The truth is that any company can fall prey if the fraud is convincing enough – as shown by the case of 50-year-old Lithuanian

    Reply
  37. Tomi Engdahl says:

    Over 20,000 Facebook employees had access to 600 million user passwords
    https://www.engadget.com/2019/03/21/facebook-user-passwords-plain-text/?sr_source=Facebook&fbclid=IwAR2yAnc826Zaz_ECjms2WFK27tm7wtXb_gFCIIJZSf4t0vNKEyDQSDd0vqI&guccounter=1

    It will notify hundreds of millions of users after discovering credentials were stored in plain text.

    Reply
  38. Tomi Engdahl says:

    DHS reveals some Medtronic heart defibrillators are vulnerable to hacking
    https://www.cnet.com/news/dhs-reveals-some-medtronic-heart-defibrillators-are-vulnerable-to-hacking/

    An attacker could mess with the settings of defibrillators, the warning noted.

    Reply
  39. Tomi Engdahl says:

    Critical flaw lets hackers control lifesaving devices implanted inside patients
    https://arstechnica.com/information-technology/2019/03/critical-flaw-lets-hackers-control-lifesaving-devices-implanted-inside-patients/

    Implanted devices from Medtronic can have their firmware rewritten, DHS warns.

    Reply
  40. Tomi Engdahl says:

    70% of Ransomware Attacks Targeted SMBs, BEC Attacks Increased by 130%
    https://www.bleepingcomputer.com/news/security/70-percent-of-ransomware-attacks-targeted-smbs-bec-attacks-increased-by-130-percent/

    Beazley Breach Response (BBR) Services found that 71% of ransomware attacks targeted small businesses, with an average ransom demand of $116,324 and a median of $10,310, after analyzing 3,300 incidents involving its clients in 2018.

    Reply
  41. Tomi Engdahl says:

    Anonymous Hacker Shuts Down Indian Scam Center In Hilarious Take-down
    https://www.anonews.co/annym0us-hacker-shuts-down-indian-scam-center-in-hilarious-take-down/

    a hilarious example of what happens when activism, white hat hacking, and comedy collide.

    the popular YouTube personality and anonym0us supporter Malcolm Merlyn posted a video to his channel of 69k subscribers which showed him flooding a scam tech support call center with hilarious prank calls.

    Reply
