Cyber Security News April 2019

This posting is here to collect cyber security news in April 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.


  1. Tomi Engdahl says:

    Mar-a-Lago Intruder’s Room Had Signal Detector, Cash Hoard

    A Chinese woman who breached security at President Donald Trump’s Mar-a-Lago resort in Palm Beach, Florida, had an even larger cache of electronic devices than originally disclosed, including a signal detector used to locate hidden video or audio recorders.

  2. Tomi Engdahl says:

    LockerGoga: It’s not all about the ransom

    Updated: In some cases, LockerGoga makes it very difficult to pay blackmail demands to decrypt systems.

    Variants of LockerGoga, a form of ransomware which targets industrial systems, have been discovered in which ransom payments appear to be an afterthought rather than the malware’s true purpose.

  3. Tomi Engdahl says:

    Hacker group has been hijacking DNS traffic on D-Link routers for three months

    Other router models have also been targeted, such as ARG, DSLink, Secutech, and TOTOLINK.

  4. Tomi Engdahl says:

    Grab-and-go Baldr malware enters the black market

    Baldr has been linked to three prominent hackers in the Russian underground.

  5. Tomi Engdahl says:

    Reveton ransomware distributor sentenced to six years in prison in the UK

    Zain Qaiser made at least $915,000 (£700,000) from Reveton ransom payments.

  6. Tomi Engdahl says:

    Tens of thousands of cars were left exposed to thieves due to a hardcoded password
    A patch was rolled out in mid-February and the hardcoded credentials revoked.

    The maker of a popular vehicle telematics system has left hardcoded credentials inside its mobile apps, leaving tens of thousands of cars vulnerable to hackers.

    Security updates that remove the hardcoded credentials have been made available for both the MyCar Android and iOS apps since mid-February, the security researcher who found this issue told ZDNet today.

    Similarly, the hardcoded credentials were also removed on the server-side to prevent any abuse against users who failed to update their apps.

    The vulnerability, tracked as CVE-2019-9493, impacts the MyCar telematics system sold by Quebec-based Automobility Distribution.
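
The hardcoded-credential issue above is the kind of thing a static scan of an app's shipped resources catches before release. The scanner below is an added example written for this page, not code from the MyCar app, its vendor or the researcher; it runs over a constructed strings.xml-style fragment and flags credential-looking keys, credentials embedded in URLs and high-entropy tokens, with placeholder values filtered out. The keyword list, the entropy cut-off and the sample lines are assumptions chosen for illustration.

```python
import math
import re

# Constructed heuristics for this example, not any product's rule set.
KEYWORDS = r"pass(?:word|wd)?|secret|api[_-]?key|(?:auth|access)[_-]?token|client[_-]?secret"
# key = "value" / key: value in code or config
ASSIGN_RE = re.compile(rf'(?i)\b(?:{KEYWORDS})\b\s*[=:]\s*["\']?([^"\'\s<>,;]{{6,}})')
# <string name="...key...">value</string> in Android resources
XML_RE = re.compile(rf'(?i)name="[^"]*(?:{KEYWORDS})[^"]*"\s*>\s*([^<]{{6,}})<')
# scheme://user:pass@host
URL_CRED_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://([^/\s:@]+:[^/\s@]+)@")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{24,}")
PLACEHOLDERS = {"changeme", "todo", "null", "none", "placeholder", "your_api_key"}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"


def shannon_entropy(s: str) -> float:
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    v = value.strip().lower()
    return v in PLACEHOLDERS or v.startswith("${") or set(v) <= {"x"}


def scan(source: str) -> list:
    """Return findings as {"line", "kind", "value"}, one per distinct value per line."""
    findings, seen = [], set()

    def report(lineno, kind, value):
        if (lineno, value) in seen or looks_like_placeholder(value):
            return
        seen.add((lineno, value))
        findings.append({"line": lineno, "kind": kind, "value": value})

    for lineno, line in enumerate(source.splitlines(), start=1):
        for pat in (ASSIGN_RE, XML_RE):
            for m in pat.finditer(line):
                report(lineno, "keyword", m.group(1))
        for m in URL_CRED_RE.finditer(line):
            report(lineno, "url-credential", m.group(1))
        for m in TOKEN_RE.finditer(line):
            tok = m.group(0)
            # random-looking: long, mixed letters and digits, high entropy
            if (any(c.isdigit() for c in tok) and any(c.isalpha() for c in tok)
                    and shannon_entropy(tok) >= ENTROPY_THRESHOLD):
                report(lineno, "high-entropy", tok)
    return findings


# Constructed sample resource file; every value below is made up for the example.
SAMPLE_SOURCE = """\
<string name="app_name">MyCar</string>
<string name="api_base">https://api.example.com/v1</string>
<string name="api_key">AIzaSyExampleKey-0123456789abcdefXYZ</string>
<!-- constructed: hardcoded service account used by every install -->
<string name="svc_password">s3cretPassw0rd!</string>
<string name="legacy_url">https://svc:Tr0ub4dor@legacy.example.com/sync</string>
<string name="api_key_dev">CHANGEME</string>
<string name="analytics_id">f47ac10b58cc4372a5670e02b2c3d479</string>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']}: {f['value']}")
```

Finding the string is only half the check. If the value lets every install talk to the back end as one shared identity, the fix described above (per-user credentials issued at login, plus revoking the old secret server-side) is what closes the hole; rotating the string inside the app alone leaves every un-updated copy working.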

  7. Tomi Engdahl says:

    Researcher Reveals Multiple Flaws in Verizon Fios Routers — PoC Released

  8. Tomi Engdahl says:

    Microsoft Releases April 2019 Security Updates — Two Flaws Under Active Attack

  9. Tomi Engdahl says:

    Credential Dumping Campaign Hits Multinational Corporations

    Server Misconfigurations Result in Ongoing Theft of Corporate Credentials, Cryptojacking Infections on User and Enterprise Assets

  10. Tomi Engdahl says:

    GOd vs. Germany: How did an amateur cybercriminal shake a whole country?

    January 4 2019. Germany awoke to a media storm. Personal data, emails, phone numbers, private, financial and even family information of a litany of public figures suddenly appeared online. Among those affected were hundreds of politicians (including Angela Merkel and President Frank-Walter Steinmeier), journalists (Hajo Seppelt), comedians (Jan Böhmermann), and even representatives of NGOs. Only one group was excluded from the leak: the German extreme right.

    For the Federal Criminal Police Office (BKA), one thing was quite clear: not only had the cyberattack been deliberately prepared, but it was also a group effort.

    Nevertheless, the BKA’s investigation led them to a somewhat more surprising conclusion: the person arrested for leaking all this data wasn’t the head of some international organization, or a world expert. Nor was he known to police before this incident. The person taken into custody was “GOd”, a 20 year old student who still lives with his parents.

  11. Tomi Engdahl says:

    Triton Hackers Focus on Maintaining Access to Compromised Systems: FireEye

    The existence of Triton, also known as Trisis and HatMan, came to light in 2017 after the malware had caused disruptions at an oil and gas plant in Saudi Arabia. FireEye’s Mandiant was called in to investigate the incident and the company has been tracking the threat ever since.

    FireEye revealed on Wednesday that it recently responded to another attack carried out by the Triton group against a critical infrastructure facility.

    The cybersecurity firm says it has come across several custom tools used by the threat actor, including ones designed for credential harvesting (SecHack, WebShell), remote command execution (NetExec), and several backdoors based on OpenSSH, Bitvise, PLINK and Cryptcat. The attackers have also relied on widely available tools, such as Mimikatz.

    FireEye, which previously linked Triton to a research institute owned by the Russian government, pointed out that disruptive attacks aimed at industrial environments take a lot of preparation.

  12. Tomi Engdahl says:

    Shock revelation as massive American presidential election hack confirmed
    The student election at Berkeley High School. What did you think we were talking about?

    A student government election in California has taken a bizarre turn after one of the candidates admitted to hacking fellow students in an effort to fix results.

    According to local news site Berkeleyside, the unnamed student at Berkeley High School took advantage of weak passwords and default credentials to get into the email accounts of more than 500 fellow students and cast fraudulent votes for themself and another unsuspecting candidate.

    The report notes that this year’s student body elections were the first to be held online, with students logging in and casting votes with the Google for Education email address.

    Lest you think millennials are any better at infosec than us old heads, it turns out the students at Berkeley High (located in the shadow of the UC Berkeley campus, no less) had by and large been leaving the default login (a combination of “Berkeley” and the student’s district ID number) on their Google accounts.

    While Google for Education does allow for two-factor authentication, the option must be enabled by an administrator, and while most kids these days have smartphones, getting multi-factor set up for an entire school district (Berkeley High School alone has 3,000 students) may not be practical.
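
The Berkeley High takeover worked because every account started with a password derivable from public data (a fixed word plus the student ID). An administrator with access to a password-hash store can check for exactly that without cracking anything: hash the one predictable candidate per account and compare. The script below is an added example for this page, not code from the article or the school district; it assumes a directory whose hash store you control, and the PBKDF2 storage format, round count and student records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

DEFAULT_PREFIX = "Berkeley"  # the predictable default described in the article
PBKDF2_ROUNDS = 50_000       # assumed work factor of the stored hashes


def hash_password(password: str, salt: bytes) -> bytes:
    """Assumed storage scheme: salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def default_password_for(student_id: str) -> str:
    return f"{DEFAULT_PREFIX}{student_id}"


def make_account(student_id: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"id": student_id, "salt": salt, "hash": hash_password(password, salt)}


def uses_default_password(account: dict) -> bool:
    """Offline check over a hash dump: one candidate per account, compared in
    constant time. No wordlist and no cracking rig needed, because the
    'secret' is a function of the public student ID."""
    candidate = hash_password(default_password_for(account["id"]), account["salt"])
    return hmac.compare_digest(candidate, account["hash"])


def audit(accounts) -> list:
    """IDs of accounts that still carry the default password."""
    return [a["id"] for a in accounts if uses_default_password(a)]


def acceptable_new_password(student_id: str, new_password: str) -> bool:
    """Policy hook for the change-password flow: refuse the default pattern
    (in any letter case, with anything appended) and very short passwords,
    so the audit above never finds the same account twice."""
    c = new_password.casefold()
    if DEFAULT_PREFIX.casefold() in c and student_id in c:
        return False
    return len(new_password) >= 12


def sample_accounts() -> list:
    # Constructed: three students still on the default, one who changed it.
    return [
        make_account("100234", "Berkeley100234"),
        make_account("100235", "Berkeley100235"),
        make_account("100236", "correct horse battery staple"),
        make_account("100237", "Berkeley100237"),
    ]


if __name__ == "__main__":
    print("still on default:", audit(sample_accounts()))
```

Two-factor, which the article notes must be switched on by an administrator, stops the attack even where the audit misses an account; the audit is what tells you how large the exposed population is in the meantime.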

  13. Tomi Engdahl says:

    New Variants of Mirai Botnet Detected, Targeting More IoT Devices

    Mirai, the “botnet” malware that was responsible for a string of massive distributed denial of service (DDoS) attacks in 2016 — including one against the website of security reporter Brian Krebs — has gotten a number of recent updates. Now, developers using the widely distributed “open” source code of the original have added a raft of new devices to their potential bot armies by compiling the code for four more microprocessors commonly used in embedded systems.

  14. Tomi Engdahl says:

    Apple disables iPad for 48 years after toddler runs amok
    Three-year-old will have own kid disable it in 2067

    It’s something many of us have had to deal with: you type in the wrong code into your iPhone or iPad and it get disabled for some period of time.

    It is a welcome security feature: it makes it difficult for someone who doesn’t have the code to get into your device and makes “brute force” attacks

    But as anyone who has a small child will tell you, it can sometimes work against you.

    And Good Twitter had the solution.

    Two days later and he is back with more news: “Update on toddler-iPad-lock-out: Got it into DFU mode (don’t hold down the sleep/power button too long or you end up in recovery). Now restoring. Thanks to those who shared advice!”

  15. Tomi Engdahl says:

    BT Tower broadcasts error message to the nation as Windows displays admin’s shame
    A metaphor for Brexit or IT admin’s ineptitude?

    Generally a system crash is a private affair, but the BT Tower, one of London’s tallest landmarks, spent much of the weekend displaying a Windows error message in a very public fashion.

  16. Tomi Engdahl says:

    A powerful hacker group behind the Triton malware strikes again

    A highly capable hacker group reportedly behind a failed plot to blow up a Saudi petrochemical plant has now been found in a second facility.

  17. Tomi Engdahl says:

    Google turns your Android phone into a security key

    Your Android phone could soon replace your hardware security key to provide two-factor authentication access to your accounts.

    a new protocol that uses Bluetooth but doesn’t necessitate the usual Bluetooth connection setup process.

    Google says this new feature will work with all Android 7+ devices that have Bluetooth and location services enabled.

    For now, this also only works in combination with Chrome.

  18. Tomi Engdahl says:

    New York City Has a Y2K-Like Problem, and It Doesn’t Want You to Know About It

    On April 6, something known as the GPS rollover, a cousin to the dreaded Y2K bug, mostly came and went, as businesses and government agencies around the world heeded warnings and made software or hardware updates in advance.

    But in New York, something went wrong — and city officials seem to not want anyone to know.

    At 7:59 p.m. E.D.T. on Saturday, the New York City Wireless Network, or NYCWiN, went dark, waylaying numerous city tasks and functions.
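
The rollover referred to above is a counter wrap: the legacy GPS navigation message carries the week number as a 10-bit field, so it returns to zero every 1024 weeks (about 19.6 years), once in August 1999 and again at the end of 6 April 2019 UTC. A receiver that simply adds the field to a fixed base jumps back nearly two decades, which is the class of failure NYCWiN hit. The decoder below is an added example, not code from the article or from any equipment vendor; resolving the week against a pivot date is the usual firmware mitigation, and the pivot dates used here are assumptions.

```python
from datetime import date, datetime, time, timedelta

GPS_EPOCH = date(1980, 1, 6)  # GPS week 0 began on this Sunday
WEEK_MODULUS = 1024           # legacy navigation message: 10-bit week number


def _as_date(d) -> date:
    return date.fromisoformat(d) if isinstance(d, str) else d


def naive_week_to_date(week10: int, base_week: int = 0) -> date:
    """What a receiver does when it adds the 10-bit field to a fixed base.
    base 0 is the 1980 epoch; base 1024 is what post-1999 fixes assumed.
    Either way the field reads 0 again from April 2019 and the date collapses."""
    return GPS_EPOCH + timedelta(weeks=base_week + week10)


def week_to_date(week10: int, pivot) -> date:
    """Resolve the 10-bit week to the unique full week number inside the
    1024-week window that starts at the week containing `pivot`. The pivot
    must be no later than the earliest date the unit has to handle."""
    if not 0 <= week10 < WEEK_MODULUS:
        raise ValueError("week field must be in 0..1023")
    pivot_week = (_as_date(pivot) - GPS_EPOCH).days // 7
    # smallest number of wraps k with week10 + 1024*k >= pivot_week
    wraps = max(0, (pivot_week - week10 + WEEK_MODULUS - 1) // WEEK_MODULUS)
    return GPS_EPOCH + timedelta(weeks=week10 + WEEK_MODULUS * wraps)


def gps_to_datetime(week10: int, tow_seconds: int, pivot) -> datetime:
    """Week field plus time-of-week to a timestamp. Leap seconds are not
    applied, so this is GPS time rather than UTC."""
    return datetime.combine(week_to_date(week10, pivot), time()) + timedelta(seconds=tow_seconds)


if __name__ == "__main__":
    # A fix received just after the wrap reports week field 0.
    print("naive, 1980 base :", naive_week_to_date(0))
    print("naive, 1999 base :", naive_week_to_date(0, 1024))
    print("pivot 2018-01-01 :", week_to_date(0, "2018-01-01"))
    # A pivot set too late turns the last pre-wrap week into 2038.
    print("pivot 2019-04-08, week 1023:", week_to_date(1023, "2019-04-08"))
```

The last line shows the other edge of the fix: a pivot placed after the wrap makes every week number below the pivot resolve a full cycle forward, so the pivot has to be chosen against the oldest data the receiver will ever see, not the firmware build date.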

  19. Tomi Engdahl says:

    Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords

    Next-gen standard was supposed to make password cracking a thing of the past. It won’t.

  20. Tomi Engdahl says:

    Why the US still won’t require SS7 fixes that could secure your phone

    The regulatory back door big telecom uses to weaken security regulation.

  21. Tomi Engdahl says:

    App could have let attackers locate and take control of users’ cars

    The MyCar application, from Canada-based AutoMobility Distribution, allowed anyone that knew about the vulnerability to control, monitor, and access vehicles from an unauthorized device, experts said

  22. Tomi Engdahl says:

    Security Flaws in WPA3 Protocol Let Attackers Hack WiFi Password

  23. Tomi Engdahl says:

    Amazon admits that employees review “small sample” of Alexa audio

    Amazon says it uses human transcriptions to “improve the customer experience.”

  24. Tomi Engdahl says:

    Amazon Workers Are Listening to What You Tell Alexa

    A global team reviews audio clips in an effort to help the voice-activated assistant respond to commands.

  25. Tomi Engdahl says:

    Hackers publish personal data on thousands of US police officers and federal agents

    A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned.

    Thousands of FBI agents just had their personal information stolen and published

    The hackers reportedly penetrated the sites through security flaws, downloaded each of their web servers, and posted the data to their own website. Some 4,000 agents’ personal information was exposed

  26. Tomi Engdahl says:

    Amazon admits that employees review “small sample” of Alexa audio

    Amazon says it uses human transcriptions to “improve the customer experience.”

    Most of the time, when you talk to an Amazon Echo device, only Amazon’s voice-recognition software is listening. But sometimes, Bloomberg reports, a copy of the audio is sent to a human reviewer at one of several Amazon offices around the world. The human listens to the audio clip, transcribes it, and adds annotations to help Amazon’s algorithms get better.

    Amazon Workers Are Listening to What You Tell Alexa

  27. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    DHS warns about a bug in VPN apps from Cisco, Palo Alto Networks, Pulse Secure, and F5 Networks, which can give attackers remote access to enterprise networks — Several enterprise virtual private networking apps are vulnerable to a security bug that can allow an attacker to remotely break …

    Homeland Security warns of security flaws in enterprise VPN apps

    Several enterprise virtual private networking apps are vulnerable to a security bug that can allow an attacker to remotely break into a company’s internal network, according to a warning issued by Homeland Security’s cybersecurity division.

    The VPN apps built by four vendors — Cisco, Palo Alto Networks, Pulse Secure and F5 Networks — improperly store authentication tokens and session cookies on a user’s computer.

    The apps generate tokens from a user’s password and are stored on their computer to keep the user logged in without having to reenter their password every time. But if stolen, these tokens can allow access to that user’s account without needing their password.

    But with access to a user’s computer — such as through malware — an attacker could steal those tokens.

  28. Tomi Engdahl says:

    Microsoft says a “limited” number of its web email service accounts were breached between Jan. 1 and March 28 using a customer support agent’s credentials

  29. Tomi Engdahl says:

    Jennifer Valentino-DeVries / New York Times:
    A detailed look at how police forces use “geofence” warrants and Google’s Sensorvault location history database to find witnesses and suspects near crime scenes

    Tracking Phones, Google Is a Dragnet for the Police

    The tech giant records people’s locations worldwide. Now, investigators are using it to find suspects and witnesses near crimes, running the risk of snaring the innocent.

  30. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Hackers claim they stole ~4K unique personnel records from sites related to the FBI National Academy Association, claim to have data from 1K+ more hacked sites — A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web

  31. Tomi Engdahl says:

    Brian J. Barth / The Walrus:
    Interview with RIM cofounder Jim Balsillie about his advocacy against the rise of surveillance capitalism in Canada and the Sidewalk Toronto smart city project

    Are You Afraid of Google? BlackBerry Cofounder Jim Balsillie Says You Should Be

    The entrepreneur who made billions putting BlackBerrys into pockets is now sounding the alarm about Big Tech’s creep toward surveillance capitalism

  32. Tomi Engdahl says:

    Katie Notopoulos / BuzzFeed News:
    Facebook’s transparency tool that shows users which advertisers have used a contact list with their information is a nightmare for a normal person to use —

    Facebook Showed Me My Data Is Everywhere And I Have Absolutely No Control Over It

    A transparency tool on Facebook inadvertently provides a window into the confusing maze of companies you’ve never heard of who appear to have your data.

  33. Tomi Engdahl says:

    Andrea Peterson / Ars Technica:
    SS7, a mobile protocol that can be hacked to track users or intercept calls, remains flawed after decades due to the FCC’s reliance on telecom industry advice

    Why the US still won’t require SS7 fixes that could secure your phone
    The regulatory back door big telecom uses to weaken security regulation.

  34. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Source: Outlook, MSN, and Hotmail were affected in breach; Microsoft now says email content was also exposed for ~6% of users whose email accounts were hacked — Hackers abused a Microsoft customer support portal that allowed them to read the emails of any non-corporate account.

    Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support

    Hackers abused a Microsoft customer support portal that allowed them to read the emails of any non-corporate account.

  35. Tomi Engdahl says:

    Olivia Carville / Bloomberg:
    Facebook suffers third major outage in 2019, with all of its services down for ~2 hours on Sunday, after a ~24-hour outage in March, and a smaller crash in Jan. — Facebook, Instagram, WhatsApp and Messenger down for hours — Frustrated users took to Twitter to vent from across the world

    Facebook Suffers Third Major Global Outage This Year

    Facebook Inc. suffered its third major outage this year, with users across the world unable to access the social network or its suite of services such as Facebook Messenger, Instagram and WhatsApp.

    Facebook and Instagram were inaccessible on Sunday morning for several hours.

    The outages add to the woes of Facebook, already embattled by revelations it has failed to safeguard user data or stanch the spread of hate speech, fake news and other forms of disinformation.

  36. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    A security researcher publicly disclosed 0-day flaws in WordPress plugins before patches were available to protest support-forum moderators’ alleged behavior — Exploits published over the past three weeks exposed 160,000 websites to potent attacks.

    A security researcher with a grudge is dropping Web 0days on innocent users
    Exploits published over the past three weeks exposed 160,000 websites to potent attacks.

    Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice than to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

    All three waves of exploits caused sites that used the vulnerable plugins to surreptitiously redirect visitors to sites pushing tech-support scams and other forms of online graft. I

    All three of Plugin Vulnerabilities’ zeroday posts came with boilerplate language that said the unnamed author was publishing them to protest “the moderators of the WordPress Support Forum’s continued inappropriate behavior.” The author told Ars that s/he only tried to notify developers after the zerodays were already published.

    “Our current disclosure policy is to full disclose vulnerabilities and then to try to notify the developer through the WordPress Support Forum, though the moderators there… too often just delete those messages and not inform anyone about that,” the author wrote in an email.

    No remorse

    The author said s/he scoured both Yuzo Related Posts and Yellow Pencil for security after noticing they had been removed without explanation from the WordPress plugin repository and becoming suspicious. “So while our posts could have led to exploitation, it also [sic] possible that a parallel process is happening,” the author wrote.

    The author also pointed out that 11 days passed between the disclosure of the Yuzo Related Posts zeroday and the first known reports it was being exploited. Those exploits wouldn’t have been possible had the developer patched the vulnerability during that interval, the author said.

    Whois Plugin Vulnerabilities?

    The crux of the author’s beef with WordPress support-forum moderators, according to threads such as this one, is that they remove his posts and delete his accounts when he discloses unfixed vulnerabilities in public forums. A recent post on Medium said he was “banned for life” but had vowed to continue the practice indefinitely using made-up accounts. Posts such as this one show Plugin Vulnerabilities’ public outrage over WordPress support forums has been brewing since at least 2016.

    To be sure, there’s plenty of blame to spread around recent exploits. Volunteer-submitted WordPress plugins have long represented the biggest security risk for sites running WordPress, and so far, developers of the open source CMS haven’t figured out a way to sufficiently improve the quality. What’s more, it often takes far too long for plugin developers to fix critical vulnerabilities and for site administrators to install them. Warfare Plugins’ blog post offers one of the best apologies ever for its role in not discovering the critical flaw before it was exploited.

    But the bulk of the blame by far goes to a self-described security provider who readily admits to dropping zerodays as a form of protest or, alternatively, as a way to keep customers safe (as if exploit code was necessary to do that).

  37. Tomi Engdahl says:

    Thomas Brewster / Forbes:
    When DEA got a warrant for LogMeIn to divulge a user’s passwords, LastPass’ encryption scheme meant it couldn’t produce them, but other customer info was given

    What Happened When The DEA Demanded Passwords From LastPass

    The government makes very few demands for data from password managers, but when it does it expects a lot, including login information, Forbes has learned.

    The Drug Enforcement Administration (DEA) demanded logins and physical and IP addresses, as well as communications between a user and LogMeIn, the owner of massively popular tool LastPass. It’s an encrypted vault for storing passwords. The DEA was seeking information related to a LastPass customer.

    Passwords were not handed over, but LastPass did return IP addresses used by the suspect, alongside information about when Caamano’s LastPass account was created and when it was last used. According to the government’s application for the search warrant, filed at the end of January 2019: “Such information allows investigators to understand the geographic and chronological context of LastPass access, use, and events relating to the crime under investigation.”

    With enough evidence in hand, police arrested Caamano on May 29, when they seized a mobile device on which LastPass was installed. Police were also able to bypass encryption on the suspect’s CyberPowerPC, where they discovered an extension app for LastPass. But as they didn’t have the master password, the police couldn’t get access to the account and the logins within.

    No passwords available

    Despite its demand, the government could never have expected passwords from LastPass. A LogMeIn spokesperson explained: “User passwords stored on LogMeIn’s servers are only done so in an encrypted format. The only way they get decrypted is on the user’s side, and the way that happens—the decryption key—is the user’s master password (used to log into LastPass), which is never received by or available to LogMeIn/LastPass. In other words, we have no means of decrypting user password information on our side, and thus, we are unable to provide these passwords.”

    The spokesperson said it receives fewer than ten such requests a year, startlingly low for a product that has 13.5 million users.

    LogMeIn was also keen to stress its opposition to government calls for backdoors in tech that might allow police a way past encryption. “It is the policy and position of LogMeIn that the company does not create such backdoors or decryption techniques to provide access to customer data.”

    Other password managers have gone to similar lengths to prevent the government from getting easy access to customer logins. Jessy Irwin, a cybersecurity practitioner who was previously “security empress” at LastPass rival 1Password, said her former employer tried to make accessing customers’ private data incredibly difficult for anyone. “One of the biggest things we very deliberately focused on,” she said, “ was not being able to collect browser history, something that would be well within the realm of possibility for other password managers that don’t make conscious privacy choices. … Asking us for data was useless.”
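
The LogMeIn statement quoted in the comment above describes a client-side key design: the key that decrypts the vault is derived from the master password on the user's device and never leaves it, and the server only ever sees a separate verifier. The code below is an added example for this page that models that split. It is not LastPass's implementation; the PBKDF2 round count, the two-step derivation, the HMAC-based stream cipher and the shape of the server records are assumptions chosen for illustration (a real product would use an authenticated cipher such as AES-GCM).

```python
import hashlib
import hmac
import json
import os

KDF_ROUNDS = 100_000  # assumed PBKDF2 work factor for this example


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault. Derived on the client, salted with the
    account identifier, and never transmitted."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), KDF_ROUNDS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Login verifier sent to the server: one more one-way step past the
    vault key, so the server can check it but cannot recover the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative HMAC-SHA256 counter-mode keystream, not a production cipher.
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(vault: dict, vault_key: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    plaintext = json.dumps(vault, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = _xor(plaintext, _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(blob: bytes, vault_key: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return json.loads(_xor(ct, _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))).decode())


class VaultServer:
    """Stores only the verifier, the opaque blob and access metadata: the
    same categories the article says the provider could hand over."""

    def __init__(self):
        self.records = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes, ip: str) -> None:
        self.records[email] = {"auth_hash": auth_hash, "blob": blob, "ips": [ip]}

    def login(self, email: str, auth_hash: bytes, ip: str) -> bool:
        rec = self.records.get(email)
        if rec is None or not hmac.compare_digest(rec["auth_hash"], auth_hash):
            return False
        rec["ips"].append(ip)
        return True

    def fetch_blob(self, email: str) -> bytes:
        return self.records[email]["blob"]

    def subpoena_response(self, email: str) -> dict:
        """Metadata only: IPs seen and blob size. No key, no plaintext."""
        rec = self.records[email]
        return {"ips": list(rec["ips"]), "blob_bytes": len(rec["blob"])}


def server_can_decrypt(server: VaultServer, email: str) -> bool:
    """Try the only key-shaped material the server holds, the login verifier."""
    rec = server.records[email]
    try:
        decrypt_vault(rec["blob"], rec["auth_hash"])
        return True
    except ValueError:
        return False


def demo(server: VaultServer, email: str = "alice@example.com",
         master: str = "correct horse battery staple") -> dict:
    """Enrol from one device, then log in from a second and decrypt locally."""
    key = derive_vault_key(master, email)
    auth = derive_auth_hash(key, master)
    server.register(email, auth, encrypt_vault({"github": "hunter2"}, key), "203.0.113.7")
    assert server.login(email, auth, "198.51.100.9")
    return decrypt_vault(server.fetch_blob(email), key)
```

subpoena_response() returns the kind of data the article says was produced (IP addresses and account activity), and server_can_decrypt() shows why passwords could not be: the login verifier is a one-way function of the vault key, so holding it gives the server nothing that opens the blob. The same property means a compromised or coerced server still cannot read vaults, but it also means that without the master password the user's own data is unrecoverable.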

  38. Tomi Engdahl says:

    Gov’t warns on VPN security bug in Cisco, Palo Alto, F5, Pulse software

    VPN packages from Cisco, Palo Alto, F5 and Pulse may improperly secure tokens and cookies

    The Department of Homeland Security has issued a warning that some VPN packages from Cisco, Palo Alto, F5 and Pulse may improperly secure tokens and cookies, allowing nefarious actors an opening to invade and take control over an end user’s system.

    multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.
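
Comment 27 and comment 38 describe the same advisory: VPN clients persisting session cookies and authentication tokens into log files (and leaving them in memory), where malware or a later compromise of the endpoint can harvest them and replay a session without the password. The memory side is a vendor fix, but logging is something an operator can audit and contain today. The snippet below is an added example, not code from any of the named vendors or from the advisory; the cookie and token patterns and the sample log lines are constructed for illustration.

```python
import io
import logging
import re

# Constructed patterns for the value types the advisory names: session cookies
# and bearer/basic tokens. Extend per product once you know its log format.
SECRET_PATTERNS = [
    re.compile(r"(?i)((?:set-)?cookie:\s*[^=\s]+=)([^;\s]+)"),
    re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)(\S+)"),
    re.compile(r"(?i)((?:session|auth|access)[_-]?(?:token|id|cookie)\s*[=:]\s*)([^;\s,]+)"),
]


def redact(line: str) -> str:
    """Keep the field name, replace the value."""
    for pat in SECRET_PATTERNS:
        line = pat.sub(lambda m: m.group(1) + "[REDACTED]", line)
    return line


def find_exposures(lines) -> list:
    """Audit of existing log files: indices of lines that carry a secret."""
    return [i for i, line in enumerate(lines) if redact(line) != line]


class RedactSecrets(logging.Filter):
    """Attach to a handler so secrets are scrubbed before a record reaches
    disk. The message is formatted first so %-arguments are covered too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def logged_output(fmt: str, *args) -> str:
    """Emit one record through a filtered handler and return what it wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("vpnclient.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    logger.debug(fmt, *args)
    handler.flush()
    return buf.getvalue()


# Constructed sample of a chatty client log; values are made up.
SAMPLE_LOG = [
    "2019-04-12 10:01:03 INFO  connect host=vpn.example.com user=alice",
    "2019-04-12 10:01:04 DEBUG Set-Cookie: SESSIONID=9f1c2e7a4b; Path=/; Secure",
    "2019-04-12 10:01:04 DEBUG Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig",
    "2019-04-12 10:01:05 DEBUG tunnel up, auth_token=tok_abc123",
]

if __name__ == "__main__":
    print("lines exposing secrets:", find_exposures(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
```

find_exposures() is the audit to run over the logs already on endpoints and in any central log collection (those copies are the ones an attacker finds later); RedactSecrets is the filter to put in front of every file handler so new logs stay clean. The advisory's other half still applies: a token held in process memory can be read by anything running as the same user, so redaction shrinks the exposure window rather than removing it, and stolen sessions should be invalidated server-side.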

  39. Jerry Kevin says:


  40. Tomi Engdahl says:

    Kaspersky: 70 percent of attacks now target Office vulnerabilities

    That’s more than four times the percentage the company was seeing two years before, in Q4 2016.

    Microsoft Office products are today’s top target for hackers, according to attack and exploitation data gathered by Kaspersky Lab.

  41. Tomi Engdahl says:

    Joi Ito / Wired:
    Locking kids out of big internet platforms is not the solution to commercial bad actors, we should optimize algorithms instead to make them safer for kids

    Optimize Algorithms to Support Kids Online, Not Exploit Them

    UK data watchdog proposes a 16-rule code of practice for online services to protect children’s privacy that includes ending “nudge techniques” and more

    Under-18s face ‘like’ and ‘streaks’ limits on social media

