This posting is here to collect cyber security news in April 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
Tomi Engdahl says:
An EXE infection for your Mac
https://www.kaspersky.com/blog/macos-exe-malware/26343/
Tomi Engdahl says:
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Tomi Engdahl says:
Twelve years later: Firefox to add full protection against ‘login prompt’ spam
https://www.zdnet.com/article/twelve-years-later-firefox-to-add-full-protection-against-login-prompt-spam/
Firefox to limit the number of “Authentication Required” popups to two per page.
Twelve years after it was first notified of the issue, Mozilla has finally shipped a fix this week that will prevent abusive websites –usually tech support scam sites– from flooding users with non-stop “authentication required” login popups and prevent users from leaving or closing their browsers.
The fix has been shipped in Firefox v68, the current Nightly release, and will hit the browser’s stable branch sometime in early July.
Tomi Engdahl says:
Hacker group has been hijacking DNS traffic on D-Link routers for three months
https://www.zdnet.com/article/hacker-group-has-been-hijacking-dns-traffic-on-d-link-routers-for-three-months/
Other router models have also been targeted, such as ARG, DSLink, Secutech, and TOTOLINK.
For the past three months, a cybercrime group has been hacking into home routers –mostly D-Link models– to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones.
The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router’s DNS configuration, changes that most users won’t ever notice.
The point of this router hacking campaign was to inject the IP addresses of rogue DNS servers inside people’s routers.
Tomi Engdahl says:
By spying on Huawei, U.S. found evidence against the Chinese firm
https://www.reuters.com/article/us-usa-china-huawei-tech/u-s-conducted-secret-surveillance-of-chinas-huawei-prosecutors-say-idUSKCN1RG29T
U.S. authorities gathered information about Huawei Technologies Co Ltd through secret surveillance that they plan to use in a case accusing the Chinese telecom equipment maker of sanctions-busting and bank fraud, prosecutors said on Thursday.
The United States has been pressuring other countries to drop Huawei from their cellular networks, worried its equipment could be used by Beijing for spying. The company says the concerns are unfounded.
Tomi Engdahl says:
https://www.tekniikkatalous.fi/tekniikka/ict/suositussa-maksupalvelussa-piileva-riski-toinen-tilaa-tavarat-sina-maksat-6762792
The matter has been hotly debated in the Facebook group of Effi (Electronic Frontier Finland), which defends citizens’ digital privacy. Klarna identifies people by their personal identity code, email address and phone number.
If someone manages to phish another person’s personal identity code, they can, for example with a free email address and a prepaid SIM, create a user account in that person’s name and order goods on invoice. If the delivery address chosen is also a self-service parcel locker, identifying the culprit is fairly difficult.
The victim may only learn of the whole crime when a debt collection agency’s letter about an unpaid invoice drops through the mail slot.
Unfortunately, the trick is hard to protect against.
Tomi Engdahl says:
Genesee County, Michigan Recovering from Ransomware Attack
https://www.bleepingcomputer.com/news/security/genesee-county-michigan-recovering-from-ransomware-attack/
Tomi Engdahl says:
Qt5-Based GUI Apps Susceptible to Remote Code Execution
https://www.bleepingcomputer.com/news/security/qt5-based-gui-apps-susceptible-to-remote-code-execution/
Through a little known command line argument, applications that configure custom protocol handlers and are developed using the Qt5 graphical user interface framework can be exposed to a remote code execution vulnerability.
When you use the Qt5 framework, it also adds command line arguments that can be used to modify how the framework works.
This means that if an attacker hosts a malicious DLL on a remote UNC share and can start the program using the platformpluginpath argument, they can remotely load the DLL and execute it.
Tomi Engdahl says:
Chinese hackers poke the Bayer, but German giant says it withstood attack
Pharmaceutical brand says no data lost in Winnti outbreak
https://www.theregister.co.uk/2019/04/04/chinese_hackers_bayer_but_german_giant_says_it_withstood_attack/
German pharmaceuticals giant Bayer says it has been hit by malware, possibly from China, but that none of its intellectual property has been accessed.
On Thursday the aspirin-flingers issued a statement confirming a report from Reuters that the Winnti malware, a spyware tool associated with Chinese hacking groups, had been detected on some of its machines.
Tomi Engdahl says:
Facebook Let Dozens of Cybercrime Groups Operate in Plain Sight
https://www.wired.com/story/facebook-cybercrime-groups-again/
Facebook’s failure to moderate bad behavior on the sprawling online world it created, what with political trolls, extremist content, and livestreamed acts of horrific violence, has received a torrent of criticism. But researchers have found that the social media giant is also failing to police a far more basic and decades-old internet problem among its users: plain old cybercrime.
Tomi Engdahl says:
Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography
https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/final
Tomi Engdahl says:
Christopher Mims / Wall Street Journal:
How fraud-detection services like Sift and SecureAuth use thousands of signals and opaque algorithms to generate user-trustworthiness scores — When you’re logging in to a Starbucks account, booking an Airbnb or making a reservation on OpenTable, loads of information about you is crunched instantly …
The Secret Trust Scores Companies Use to Judge Us All
https://www.wsj.com/articles/the-secret-trust-scores-companies-use-to-judge-us-all-11554523206?emailToken=bd7d6996e8ca158ff04e3334b88d6fb83BuYJKdaw73ojfqnwxncAqzxqucRWiMeNxMGo090LgKAvsNUMatwoUGRN1IbOaWdB6mhLGHWgkpE9kL1t2Wh0otIBzeGWm2fZ8H8vJtjfJwUfT04Pg+QA9alJPeFt3q9&reflink=article_copyURL_share
In the world of online transactions, trust scores are the new credit scores—but good luck finding out yours
Tomi Engdahl says:
MSRC:
Microsoft partners with HackerOne, says its bug bounty program awarded $2M+ in 2018, now pays bounties faster, and has increased max rewards from $15K to $50K — In 2018 The Microsoft Bounty Program awarded over $2,000,000 to encourage and reward external security research in key technologies to protect our customers.
Microsoft Bounty Program Updates: Faster bounty review, faster payments, and higher rewards
https://blogs.technet.microsoft.com/msrc/2019/04/02/microsoft-bounty-program-updates-faster-bounty-review-faster-payments-and-higher-rewards/
Tomi Engdahl says:
Hackers Can Add, Remove Cancer From CT Scans: Researchers
https://www.securityweek.com/hackers-can-add-remove-cancer-ct-scans-researchers
Tomi Engdahl says:
Ongoing DNS Hijacking Campaign Targets Gmail, PayPal, Netflix Users
https://www.securityweek.com/ongoing-dns-hijacking-campaign-targets-gmail-paypal-netflix-users
A DNS hijacking campaign that has been ongoing for the past three months is targeting the users of popular online services, including Gmail, PayPal, and Netflix.
As part of the campaign, the attackers compromised consumer routers to modify their DNS settings and redirect users to rogue websites to steal their login credentials.
Bad Packets security researchers, who have been following the attacks since December, have identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.
“All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169),” the researchers reveal.
The first DNS hijacking exploit targeted D-Link DSL modems such as D-Link DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B. The rogue DNS server used in this attack was hosted by OVH Canada (IP address 66.70.173.48).
Ongoing DNS hijacking campaign targeting consumer routers
https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/
Tomi Engdahl says:
Foreign Interference in Canadian Election ‘Very Likely’, Says Minister
https://www.securityweek.com/foreign-interference-canadian-election-very-likely-says-minister
Canada’s foreign minister warned Friday that outside interference in the country’s upcoming parliamentary election was “very likely”.
“We are very concerned. Our judgement is that interference is very likely and we think there have probably already been efforts by malign foreign actors to disrupt our democracy,” Chrystia Freeland said.
Speaking on the sidelines of a G7 meeting in northern France, she added: “What we are seeing in many liberal democracies, the effort is not so much to secure a particular outcome in an election.
“The effort is to make our societies more polarised and make us, as citizens of democracies, more cynical about democracy and that it can work.”
Tomi Engdahl says:
NVIDIA Patches High Severity Flaws in Tegra Drivers
https://www.securityweek.com/nvidia-patches-high-severity-flaws-tegra-drivers
Tomi Engdahl says:
New ‘Xwo’ Malware Looks for Exposed Services, Default Passwords
https://www.securityweek.com/new-xwo-malware-looks-exposed-services-default-passwords
A recently identified malware family is actively scanning the Internet for exposed web services and default passwords, AT&T Alien Labs reports.
Tomi Engdahl says:
Rockwell Patches Stratix Switch Flaws Introduced by Cisco Software
https://www.securityweek.com/rockwell-patches-stratix-switch-flaws-introduced-cisco-software
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/9327-samsung-s10-n-sormenjalkianturi-paastaa-helposti-lapi
Tomi Engdahl says:
Steven Melendez / Fast Company:
Experian, Equifax, and TransUnion gather “alternative” credit data like rental payments to expand credit to more people, but it may hurt those same people, too
Now wanted by big credit bureaus like Equifax: Your alternative data
https://www.fastcompany.com/90318224/now-wanted-by-equifax-and-other-credit-bureaus-your-alternative-data
Lenders and credit bureaus say a bold new data push can expand credit to more consumers, but some worry the shift could sting the people it’s meant to help.
Tomi Engdahl says:
A relatively new kind of identity fraud is wreaking havoc with completely fake personas—and Silicon Valley startups are helping banks fight it.
Synthetic fraud occurs when credit applicants create fake identities as “real” people with credit bureaus, take on debt, and then skip out on the repayment. By contrast, victims of traditional identity theft tend to find out that someone is using their personal information by seeing a loan they don’t recognize on their credit report or getting a call from a collections agency.
Silicon Valley is Fighting a New Kind of Identity Fraud
https://medium.com/cheddar/silicon-valley-is-fighting-a-new-kind-of-identity-fraud-907efd7b6102
Synthetic fraud is a fast growing problem in consumer lending, but neither banks nor consumers are really aware of it yet.
Synthetic fraud occurs when credit applicants create fake identities as “real” people with credit bureaus, take on debt, and then skip out on the repayment.
Tomi Engdahl says:
All of records erased, doctor’s office closes after ransomware attack
http://m.startribune.com/all-of-records-erased-doctor-s-office-closes-after-ransomware-attack/508180992/
A computer virus recently injected itself into the electronic medical record system of Brookside ENT & Hearing Services and ruined the business.
The two-doctor medical practice in Michigan has apparently become the first health care provider in the nation to shut its doors for good because of a ransomware attack
Ransomware, which encrypts sensitive information and then demands a small financial payment to unlock the files, has become the most common form of malicious software affecting businesses, typically arriving via e-mail
about one-third of ransomware victims who pay the ransoms end up getting their data back.
lacking any medical and billing records, the doctors closed the business on April 1 and retired about a year before they planned to.
But there was no way to communicate that to patients.
Tomi Engdahl says:
http://www.atmsecurity.com/
Tomi Engdahl says:
ATM network segmentation no guarantee against malware, study says
https://www.atmmarketplace.com/news/atm-network-segmentation-no-guarantee-against-malware-study-says/
According to the report, ATM malware no longer depends on physical access to infect a machine; criminals have proven that they can also obtain network-based access using a bank’s corporate network.
Tomi Engdahl says:
NSA Releases Reverse Engineering Tool’s Source Code
https://www.securityweek.com/nsa-releases-reverse-engineering-tool%E2%80%99s-source-code
The National Security Agency (NSA) has made the source code for its “Ghidra” reverse engineering tool available for everyone.
Ghidra is a reverse engineering (SRE) framework containing a set of tools developed by NSA’s Research Directorate for NSA’s cybersecurity mission. It was made available to the public last month.
Some of the framework’s capabilities include disassembly, assembly, decompilation, graphing, and scripting, as well as support for running in both user-interactive and automated modes. It also allows users to develop their own plug-in components and/or scripts using the exposed API.
“Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform,” the NSA says.
The NSA released the complete source code for Ghidra, along with build instructions. Both the source code and the latest patch for the tool can be downloaded at ghidra-sre.org.
Tomi Engdahl says:
With $600 Million Cybersecurity Budget, JPMorgan Chief Endorses AI and Cloud
https://www.securityweek.com/600-million-cybersecurity-budget-jpmorgan-chief-endorses-ai-and-cloud
JPMorgan Chase spends Roughly $600 Million Annually on its Security Efforts, and Employs Around 3,000 People Involved With Cybersecurity
In his annual letter to shareholders, Jamie Dimon, chairman and CEO of JPMorgan Chase discusses the position and role of the bank in America and the American economy. Against a background of strong performance ($32.5 billion in net income on revenue of $111.5 billion in the last year), he talks about the bank’s principles and strategies, comments on current critical issues, and describes the bank’s public policy.
Tomi Engdahl says:
Attorney: Mar-a-Lago Infiltrator Had Hidden-Camera Detector
https://www.securityweek.com/attorney-mar-lago-infiltrator-had-hidden-camera-detector
A Chinese woman recently arrested at President Donald Trump’s Mar-a-Lago club lied repeatedly to Secret Service agents while carrying computer malware unlike anything a government analyst had ever seen and had more than $8,000 in cash at her hotel room, along with an electronic device that detects hidden cameras, federal authorities told a judge Monday.
Assistant U.S. Attorney Rolando Garcia told Magistrate Judge William Matthewman during a bond hearing that “there are a lot of questions that remain”
“She lies to everyone she encounters,” Garcia told the judge. He said that not only did Zhang falsely tell a Secret Service agent at a Mar-a-Lago checkpoint that she was a member there to use the pool, even though she had no swimsuit, she told agents she was carrying her computer gear because she was afraid the items would be stolen if she left them in her hotel room.
Secret Service agent Samuel Ivanovich told the judge that when an agency analyst uploaded the malware found on Zhang’s thumb drive, it immediately began installing on the analyst’s computer and corrupting its files.
“That was something that had never happened before,” Ivanovich told the judge. He said the analyst immediately shut down the computer to protect it. He said the malware’s ultimate purpose remains unknown.
When agents analyze suspicious devices that might contain malicious software, it is done in a controlled environment and not performed on a computer connected to any government networks, according to Secret Service officials.
Tomi Engdahl says:
Leap in Cyber Attacks Against Elections in OECD Countries: Canada
https://www.securityweek.com/leap-cyber-attacks-against-elections-oecd-countries-canada
Cyber attackers targeted half the member states of the Organization for Economic Cooperation and Development that held national elections in 2018, the agency that monitors Canada’s telecoms networks said Monday.
Tomi Engdahl says:
Anubis Android Trojan Spotted with Almost Functional Ransomware Module
https://www.bleepingcomputer.com/news/security/anubis-android-trojan-spotted-with-almost-functional-ransomware-module/
An Android application which steals PayPal credentials, encrypts files from the device’s external storage, and locks the screen using a black screen was spotted in the Google Play Store by ESET malware researcher Lukas Stefanko.
Tomi Engdahl says:
Sextortion Scams Now Using Password Protected Evidence Files
https://www.bleepingcomputer.com/news/security/sextortion-scams-now-using-password-protected-evidence-files/
New variants of the sextortion scams are now attaching password protected zip files that contain alleged proof that the sender has a video recording of the recipient. While you cannot view the individual files in the archive, you can see what they are named, which can cause recipients to become scared enough to make a payment.
Tomi Engdahl says:
SAS 2019: Exodus Spyware Found Targeting Apple iOS Users
https://threatpost.com/exodus-spyware-apple-ios/143544/
Tomi Engdahl says:
Drones are Quickly Becoming a Cybersecurity Nightmare
https://threatpost.com/drones-breach-cyberdefenses/143075/
Tomi Engdahl says:
Cyber Attack Shuts Down Hoya Corp’s Thailand Plant for Three Days
https://www.bleepingcomputer.com/news/security/cyber-attack-shuts-down-hoya-corps-thailand-plant-for-three-days/
Japanese optical products manufacturer HOYA Corporation was hit by a cyber attack at the end of February which led to a partial shutdown of its production lines from Thailand for three days.
The company disclosed that around 100 computers were infected with a malware strain designed to steal user credentials from the machines it compromises and to drop a cryptocurrency miner during the infection process’ second stage.
The IT computing system of the Thailand plant was not the only victim given that the computers at the Japanese headquarters were also impacted, making it harder to issue invoices during the incident.
Toyota and Norsk Hydro also under attack this year
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
EU starts investigation into Microsoft products used across EU institutions, after a Dutch probe found some products’ hidden telemetry violated GDPR
EU to check for GDPR violations in Microsoft’s contracts with EU institutions
https://www.zdnet.com/article/eu-to-check-for-gdpr-violations-in-microsoft-products-across-eu-institutions/
EU starts investigation of Microsoft’s contracts with EU institutions after Dutch government report
Tomi Engdahl says:
Cybercrime group FIN6 evolves from POS malware to ransomware
https://www.zdnet.com/article/cybercrime-group-fin6-evolves-from-pos-malware-to-ransomware/
FireEye: FIN6 group is now deploying the Ryuk and LockerGoga ransomware strains on the networks of hacked companies from where it cannot steal POS data.
Tomi Engdahl says:
Cybercrime market selling full digital fingerprints of over 60,000 users
https://www.zdnet.com/article/cybercrime-market-selling-full-digital-fingerprints-of-over-60000-users/
Genesis service is selling users’ personal data, complete with digital fingerprints, such as account credentials, cookies, browser user-agent details, and more.
Today, at the Kaspersky Security Analyst Summit conference taking place in Singapore, security researchers from Kaspersky Lab have revealed the existence of a new cybercrime marketplace where crooks are selling full digital fingerprints for over 60,000 users.
This new marketplace is like nothing that has ever been seen on the hacking scene until now.
Tomi Engdahl says:
Duqu Remained Active After Operations Were Exposed in 2011
https://www.securityweek.com/duqu-remained-active-after-operations-were-exposed-2011
Tomi Engdahl says:
No one, not even the Secret Service, should randomly plug in a strange USB stick
https://techcrunch.com/2019/04/08/secret-service-mar-a-lago/?tpcc=ECFB2019
alarm bells ringing was how the Secret Service handled the USB drive, which cannot be understated — it was not good.
agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis.
Tomi Engdahl says:
When Putin’s around, GPS goes haywire, study finds
https://www.msn.com/en-us/news/world/when-putins-around-gps-goes-haywire-study-finds/ar-BBVEYVr?ocid=ientp&fbclid=IwAR2Ukj2kvn4Fz4HJtccaxQD9ONFiSRq0ZhWUc9uJ9qqMyxUL6-LP_Gc-W7E
Tomi Engdahl says:
Scary Bug in Burp Suite Upstream Proxy Allows Hackers to Hack Hackers
https://medium.com/@armaanpathan/scary-bug-in-burp-suite-upstream-proxy-allows-hackers-to-hack-hackers-e6fc9a8d60a
Tomi Engdahl says:
https://www.hybrid-analysis.com
This is a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology
Tomi Engdahl says:
Russia Is Tricking GPS to Protect Putin
https://foreignpolicy.com/2019/04/03/russia-is-tricking-gps-to-protect-putin/
The Kremlin’s manipulation of global navigation systems is more extensive than previously understood.
Tomi Engdahl says:
Zain Qaiser: Student jailed for blackmailing porn users worldwide
https://www.bbc.com/news/uk-47800378?ns_mchannel=social&ns_campaign=bbcnews&ocid=socialflow_facebook&ns_source=facebook&fbclid=IwAR3Bn7vcw_JeVJu8alsNlc_VqUMMC_mdDtepGx0o0E0c113JZG_tKH_fu6A&fbclid=IwAR1v3n27mEIzUTrcyvmK6ZG2EIDmL5n6TkMAQLjW3T28wsUjkFgPKIRLJmM
A student who made hundreds of thousands of pounds blackmailing pornography website users with cyber attacks has been jailed.
the most prolific cyber criminal to be sentenced in the UK.
Tomi Engdahl says:
New Version of Flame Malware Platform Discovered
https://www.securityweek.com/new-version-flame-malware-platform-discovered
The Flame platform was believed dead following public exposure in 2012, but recently discovered evidence suggests that it remained alive, albeit very well hidden, security researchers at Alphabet-owned Chronicle reveal.
Tomi Engdahl says:
New Mirai Variant Targets More Processor Architectures
https://www.securityweek.com/new-mirai-variant-targets-more-processor-architectures
Targeting IoT devices in an attempt to ensnare them into a botnet capable of launching distributed denial of service (DDoS) attacks, the malware has been around since late 2016, with numerous variants observed since (such as Wicked, Satori, Okiru, Masuta, and others).
Mirai’s source code was publicly released in October 2016, and various threat actors built their own iterations of the malware in order to target additional device types. A version that emerged earlier this year aims at devices specifically intended for businesses.
The newly observed Mirai samples, Palo Alto Networks reports, are compiled to run on Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors, which shows that the threat’s developers continue to innovate.
Tomi Engdahl says:
Microsoft Patches Windows Privilege Escalation Flaws Exploited in Attacks
https://www.securityweek.com/microsoft-patches-windows-privilege-escalation-flaws-exploited-attacks
Microsoft has fixed over 70 vulnerabilities with its April 2019 Patch Tuesday updates
The actively exploited flaws, tracked as CVE-2019-0803 and CVE-2019-0859, appear similar — the security advisories published by Microsoft are nearly identical.
Tomi Engdahl says:
iOS Version of Exodus Spyware Discovered in an Escalating Italian Spy Scandal
https://www.securityweek.com/ios-version-exodus-spyware-discovered-escalating-italian-spy-scandal
Tomi Engdahl says:
New Module Suggests Fourth Team Involved in Stuxnet Development
https://www.securityweek.com/new-module-suggests-fourth-team-involved-stuxnet-development
Stuxnet has been extensively analyzed and researchers have found ties to several other threats, including Duqu, Flame and malware developed by the NSA-linked Equation Group.
Chronicle has introduced the concept of Supra Threat Actor (STA), which describes threat actors representing multiple countries, institutions or groups.
The STA that is believed to have developed Stuxnet has been dubbed GOSSIPGIRL. Chronicle’s discovery of a new Stuxnet-related component, named Stuxshop, revealed that the GOSSIPGIRL STA included not only Duqu, Flame and Equation, but also a fourth group linked to Flowershop, a malware platform that was active between 2002 and 2013, primarily in the Middle East.