Cyber Security Trends May 2019

This posting is here to collect cyber security news in May 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.



  1. Tomi Engdahl says:

    Josh Constine / TechCrunch:
    Unlike Facebook at F8, Google didn’t just talk about its commitment to privacy at I/O, it showcased features that were either ready to ship or ready to demo — F8 and I/O, night and day — Mark Zuckerberg: “The future is private”. Sundar Pichai: ~The present is private~.

    Facebook talked privacy, Google actually built it
    F8 and I/O, night and day

  2. Tomi Engdahl says:

    Google is pushing back against ad tracking in Chrome

    ‘People prefer ads that are personalized to their needs and interests’

  3. Tomi Engdahl says:

    Cyberattack Cripples Baltimore’s Government Computer Servers

    Baltimore’s government on Tuesday rushed to shut down most of its computer servers after its network was hit by a ransomware virus. Officials believe it has not touched critical public safety systems.

  4. Tomi Engdahl says:

    Verizon Publishes 2019 Data Breach Investigations Report (DBIR)

    Verizon 2019 DBIR Shows Financially Motivated Attacks Increasing While Criminals Switch to Easiest Targets

  5. Tomi Engdahl says:

    The Microsoft Windows _NSAKEY backdoor

    Microsoft _NSAKEY is a signing key found in Microsoft’s CryptoAPI since Windows 95. Many claimed this was the ultimate backdoor for the National Security Agency. But is this a hoax, or is the _NSAKEY a real backdoor in Microsoft Windows?

    But then Microsoft shipped Service Pack 5 for Windows NT 4. Somebody down the chain of command at Microsoft forgot to remove information revealing the true identity of both of the signing keys. Chief security scientist at Ontario-based Cryptonym Andrew Fernandes found the names of the two keys. One was simply called “_KEY”. And the other was “_NSAKEY”.

  6. Tomi Engdahl says:

    Rani Molla / Vox:
    Experts say apps like Nextdoor and Ring’s Neighbors give people a false sense that the US crime rate is worsening even as violent crime reaches record lows

    The rise of fear-based social media like Nextdoor, Citizen, and now Amazon’s Neighbors
    Why people are socializing more about crime even as it becomes rarer.

  7. Tomi Engdahl says:

    Vulnerable Apache Jenkins exploited in the wild

    An ongoing malicious campaign is looking for vulnerable Apache Jenkins installations to deploy a Monero cryptominer. The dropper uses sophisticated techniques to hide its presence on the system, to move laterally and to look for new victims on the internet. It also downloads and runs the miner software – of course.
    The exploited vulnerability, CVE-2018-1000861 [1], was published in December 2018. It affects the Stapler Web framework used by Jenkins 2.153 and earlier. It may allow attackers to invoke methods on Java objects by accessing crafted URLs.

  8. Tomi Engdahl says:

    Ongoing Attack Stealing Credit Cards From Over A Hundred Shopping Sites

    Researchers from Chinese cybersecurity firm Qihoo 360's NetLab have revealed details of an ongoing credit card hacking campaign that is currently stealing payment card information of customers visiting more than 105 e-commerce websites.

    The JavaScript scripts in question include the digital credit card skimming code that, when executed on a site, automatically steals payment card information entered by its customers, such as credit card owner name, credit card number, expiration time and CVV information.

  9. Tomi Engdahl says:

    Baltimore City Shuts Down Most of Its Servers After Ransomware Attack

  10. Tomi Engdahl says:

    Dharma Ransomware Uses AV Tool to Distract from Malicious Activities

    Trend Micro recently found new samples of Dharma ransomware using a new technique: using software installation as a distraction to help hide malicious activities.

    Dharma ransomware actors abuse AV tool

    New samples of Dharma ransomware show that it is still being distributed via spam mail. Typical of spam, the message pressures users into downloading a file. If a user clicks on the download link, they will be prompted for a password (provided in the email message) before getting the file.

    The downloaded file is a self-extracting archive named Defender.exe, which drops the malicious file taskhost.exe as well as the installer of an old version of ESET AV Remover renamed as Defender_nt32_enu.exe.

  11. Tomi Engdahl says:

    Information Services Giant Wolters Kluwer Hit by Malware Attack

    The Netherlands-based company started seeing what it described as “technical anomalies” on May 6. This triggered an investigation that led to the discovery of malware.

  12. Tomi Engdahl says:

    Cybercriminals Unleash MegaCortex Ransomware in Global Attack Campaign

    Sophos security researchers have observed a spike in the number of attacks featuring a new ransomware family called MegaCortex.

    The malware initially appeared in January this year, with the first signs of infection observed in early February, but no major attack was noticed until May 1, when the malware started hitting users worldwide, including Italy, the United States, Canada, the Netherlands, Ireland, and France.

    The infection methodology employed by the malware involves both automated and manual components, but relies heavily on automation to infect a large number of victims.

    The ransomware appears to be distributed through Emotet and Qbot (aka Qakbot) Trojans (they are usually found on networks where MegaCortex attacks happened).

  13. Tomi Engdahl says:

    WordPress 5.2 Brings New Security Features

    WordPress released version 5.2 of the popular content management system (CMS) this week, which includes new security and stability features.

    Named “Jaco,” the update is already available in the WordPress dashboard, and provides administrators with the ability to fix sites much easier than before, in the event something goes wrong.

    Version 5.2 includes more robust tools for identifying and fixing common configuration issues, and also adds space where developers can include debugging information for site maintainers.

    It also comes with PHP Error Protection, a feature to fix and manage fatal errors without requiring developer time, which also improves the handling of the so-called “white screen of death,” along with means to enter recovery mode and pause error-causing plugins or themes.

  14. Tomi Engdahl says:

    Malware authors tend to prefer specific types of file attachments in their campaigns to distribute malicious content. During our routine threat landscape monitoring in the last three months, we observed some interesting patterns about the attachment types that are being used in various campaigns.

  15. Tomi Engdahl says:

    Despite FIN7 arrests, malicious activity continues

    Last year, Europol and the US Department of Justice arrested several cybercriminals suspected to be leaders of the FIN7 and Carbanak cybercriminal groups. News outlets announced the demise of those cybergangs, but our experts are still detecting signs of their activity.

  16. Tomi Engdahl says:

    Industrial espionage: cyberattackers seeking out patents

    Not long ago, the pharmaceutical giant Bayer revealed that it was experiencing intense cyberattacks. Those behind the attacks could be Wicked Group, a cybercriminal organization operating from China. Not only had they targeted Bayer, but they were also going after giants in other industries, such as BASF, Volkswagen and Allianz. In fact, this was by no means a one-off incident: Bayer had been monitoring and analyzing these attacks for close to a year.

    So, why would a pharmaceutical laboratory fall prey to a cyberattack?

    The answer can be summed up in two words: industrial espionage. With the amount of technological and scientific innovations that exist in the world today, it is no surprise that these innovations too can become targets for cybercriminals to steal. And in the case of large companies in the scientific field, patented products or services are the most appealing of targets. And this is exactly what happened to Bayer.

    The theft of patented products due to a cyberattack is a serious problem for this kind of company,

    Protecting corporate cybersecurity is an obligatory requirement for any company, whatever its size, importance, or economic sector.

  17. Tomi Engdahl says:

    Defense alone won’t stop cyber threat to U.S. finance

    The Fed’s responsibility for financial cyber security is ill-defined. But with the financial sector facing the threat of cyber war, something has to be done.

    Financial sector facing a cyber war

    Indeed, cyber risk goes well beyond the theft of personal information or draining of bank accounts. It could include bringing the entire system to a halt, which would then have major physical as well as financial consequences.

    Andrew Kilbourne, managing director at Synopsys, said the magnitude of the threat means that “ultimately this is a war, and we’re probably going to have to start treating it like that.”

    Powell told Pelley that the Fed spends “very large amounts of time and resources” to mitigate the cyber threat. “The banks we supervise are required to have plans in place and state of the art, you know, technology and the like,” he said, to build both “resilience and redundancy.”

    But he also acknowledged that it is a “constantly evolving risk … where the playbook (for defense) is still being developed in real time.”

    “I’ve never felt a time when I think we’re doing enough,” he said.

    Financial cyber security system has “real vulnerabilities”

    Does that mean the rest of us should be losing sleep too? Perhaps. Another unsettling thing Powell said came during testimony last month before a congressional committee. He told U.S. Rep. Jack Reed, D-RI, that large banks “have the resources” to defend themselves against constant cyberattacks, but that for smaller banks, “that is a real vulnerability in the payment system.” As in, they don’t have the resources.

    U.S. financial system is not as resilient or as redundant as it ought to be, given the level and sophistication of the constantly evolving cyber threat.

    Four major concerns for financial cyber security

    It concluded that while there has been “great progress” on cyberdefense, both domestically and internationally, four major concerns still exist:

    “Increasingly knowledgeable and sophisticated adversaries” who could, deliberately or unintentionally, undermine the stability of the financial sector.
    Lack of understanding of “the potential interactions of cyber risks, financial contagion channels, and possible ‘amplifiers’ within those channels, such as single points of failure.”
    Fragmentation of effort. “Even though cyberspace, like the financial sector, is global and interconnected, responses to major crises remain significantly national.”
    New technologies, including blockchain and the cloud, that could be helpful in some ways but risky in others. “It will be especially difficult to develop controls in the face of increased financial and technological complexity.”

    Is the Fed doing enough … or too much?

    Fragmentation bad, communication good

  18. Tomi Engdahl says:

    Do you also store data this stupidly? It will come back to bite you, at the latest when an employee leaves

  19. Tomi Engdahl says:

    Jonathan Browning / Bloomberg:
    In a UK court filing, Amazon says hackers siphoned money from ~100 seller accounts over a period of six months last year

    Amazon Hit by Extensive Fraud With Hackers Siphoning Merchant Funds

    Amazon asked U.K. court for bank details linked to hackers
    Hackers break into about 100 accounts, according to documents

  20. Tomi Engdahl says:

    Hard-Coded Credentials Found in Alpine Linux Docker Images

    For the past three years, Alpine Linux Docker images have been shipped with a NULL password for the root user, Cisco’s Talos security researchers have discovered.

    The hard-coded credentials were included in the Official Alpine Linux Docker images since v3.3, as part of a regression introduced in December 2015.

    Featuring a CVSS score of 9.8, this Critical vulnerability was found to impact Alpine Docker versions 3.3 to 3.9, as well as Alpine Docker Edge.
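
    As a defender's check for the Alpine issue above, here is an added shell example (not from the article or from Alpine/Talos) that flags accounts whose /etc/shadow password field is empty, which is what the regression shipped for root, and locks them; the sample shadow file and the locking remediation are my own constructions.

```shell
#!/bin/sh
# Added example (not from the article or Talos): flag accounts whose
# /etc/shadow password field is empty, the condition the Alpine image
# regression shipped for root. An empty field means "no password", so any
# login path that accepts null passwords (PAM nullok, or a service that
# checks /etc/shadow directly) lets the account in without one.
# Usage: audit_shadow /etc/shadow   (reading the real file needs root)

# Print one line per account with an empty password field; return 1 if any.
audit_shadow() {
    # Field 2 is the hash; "!" or "*" mean locked, a hashed value is fine.
    awk -F: '$2 == "" { print $1 }' "$1"
    # awk exits 0 either way, so count the hits separately.
    n=$(awk -F: '$2 == "" { c++ } END { print c+0 }' "$1")
    [ "$n" -eq 0 ]
}

# Constructed sample shadow file: the vulnerable root entry next to a
# locked account and a normally hashed one (hash value is a placeholder).
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:::0:::::
bin:!::0:::::
app:$6$saltsalt$placeholderhashvalue:18000:0:99999:7:::
EOF
    echo "$f"
}

# Remediation (my assumption of the sensible fix, not necessarily Alpine's
# commit): lock every passwordless account by writing "!" into field 2 so
# no login is possible until a real password is set.
lock_empty_accounts() {
    awk -F: 'BEGIN { OFS=":" } $2 == "" { $2 = "!" } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Self-check on the constructed sample.
sample=$(make_sample)
if audit_shadow "$sample"; then
    echo "no empty password fields"
else
    echo "empty password fields found (listed above)"
fi
lock_empty_accounts "$sample"
audit_shadow "$sample" && echo "after lock: clean"
rm -f "$sample"
```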

  21. Tomi Engdahl says:

    U.S. Blocks China Mobile, Citing National Security

    US regulators on Thursday denied a request by China Mobile to operate in the US market and provide international telecommunications services, saying links to the Chinese government pose a national security risk.

  22. Tomi Engdahl says:

    Hackers Say They’ve Breached Three Antivirus Companies

    A New York security firm says that an international cybercrime group has penetrated the company networks of three unnamed U.S.-based antivirus firms, and stolen some 30 terabytes of data. The group is offering to sell the data, plus access to the company networks, for $300,000.

  23. Tomi Engdahl says:

    Mental health apps are sharing data without proper disclosure
    Others don’t even have a privacy policy.

  24. Tomi Engdahl says:

    Flaws in a popular GPS tracker leak real-time locations and can remotely activate its microphone

    The Chinese-manufactured white-label location tracker, rebranded and sold by more than a dozen companies — including Pebbell by HoIP Telecom, OwnFone Footprint and SureSafeGo — uses a SIM card to connect to the 2G/GPRS cell network.

    An attacker only requires the phone number of the device

    There are an estimated 10,000 devices in the U.K. — and thousands more around the world.

    There’s no way to fix the vulnerabilities without recalling every device.

    “Fixing this broken security would be trivial,” said the team. “All they needed to do was print a unique code on each pendant and require that to be used to change configurations.”

  25. Tomi Engdahl says:

    The U.K. just last week announced a proposed new cybersecurity law that would require connected devices to be sold with a unique password, and not a default.

  26. Tomi Engdahl says:

    ‘Unhackable’ Biometric USB Offers Up Passwords in Plain Text

    A USB stick dubbed eyeDisk that uses iris recognition to unlock the drive claims to be “unhackable” – only, it isn’t. In fact, a simple Wireshark analysis revealed the device’s password – in plain text.

  27. Tomi Engdahl says:

    Chrome Browser to Stop Websites Abusing the Back Button

    Websites that abuse back button functionality in Chrome to trap you are not going to be able to use the technique for much longer as new browser behavior will render the abuse useless.

  28. Tomi Engdahl says:

    Crime Gang Advertises Stolen ‘Anti-Virus Source Code’

    Researchers: ‘Fxmsp’ Russian Hacking Collective Exploits Victims Via RDP and Active Directory

  29. Tomi Engdahl says:

    Laura Hautala / CNET:
    A look at the eclectic, global data-hunting community, and the tools its members use to scour the internet for unsecured databases — Justin Paine sits in a pub in Oakland, California, searching the internet for your most sensitive data. It doesn’t take him long to find a promising lead.

    Your most sensitive data is likely exposed online. These people try to find it

    Don’t worry. They want it to be safe.

    On his laptop, he opens Shodan, a searchable index of cloud servers and other internet-connected devices. Then he types the keyword “Kibana,” which reveals more than 15,000 databases stored online. Paine starts digging through the results, a plate of chicken tenders and fries growing cold next to him.

    “This one’s from Russia. This one’s from China,” Paine said. “This one is just wide open.”

    From there, Paine can sift through each database and check its contents. One database appears to have information about hotel room service. If he keeps looking deeper, he might find credit card or passport numbers. That isn’t far-fetched. In the past, he’s found databases containing patient information from drug addiction treatment centers, as well as library borrowing records and online gambling transactions.

    Paine is part of an informal army of web researchers who indulge an obscure passion: scouring the internet for unsecured databases. The databases — unencrypted and in plain sight — can contain all sorts of sensitive information, including names, addresses, telephone numbers, bank details, Social Security numbers and medical diagnoses. In the wrong hands, the data could be exploited for fraud, identity theft or blackmail.

    The data-hunting community is both eclectic and global. Some of its members are professional security experts, others are hobbyists. Some are advanced programmers, others can’t write a line of code.

    In April, researchers in Israel found demographic details on more than 80 million US households, including addresses, ages and income level.

    No one knows how big the problem is, says Troy Hunt, a cybersecurity expert who’s chronicled on his blog the issue of exposed databases. There are far more unsecured databases than those publicized by researchers, he says, but you can only count the ones you can see. What’s more, new databases are constantly added to the cloud.

    “It’s one of those tip-of-the-iceberg situations,” Hunt said.

    To search out databases, you have to have a high tolerance for boredom and a higher one for disappointment. Paine said it would take hours to find out whether the hotel room service database was actually a cache of exposed sensitive data. Poring over databases can be mind-numbing and tends to be full of false leads.

    The payoff, however, can be a thrill. Bob Diachenko, who hunts databases from his office in Ukraine, used to work in public relations for a company called Kromtech, which learned from a security researcher that it had a data breach.

    “If me, a guy with no technical background, can find this data,” Diachenko said, “then anybody in the world can find this data.”

    In January, Diachenko found 24 million financial documents related to US mortgages and banking on an exposed database. The publicity generated by the find, as well as others, helps Diachenko promote, a cybersecurity consulting business he set up after leaving his previous job.

    Getting it secured

    Facebook said it acted swiftly to get the data removed. But not all companies are responsive.

    When database hunters can’t get a company to react, they sometimes turn to a security writer who uses the pen name Dissent. She used to hunt unsecured databases herself but now spends her time prompting companies to respond to data exposures that other researchers find.

    Not every company understands what it means for data to be exposed

    The hospital described the exposure as a hack, even though Diachenko had simply found the data online and didn’t break any passwords or encryption to see it. Dissent wrote a blog post explaining that a hospital contractor had left the data unsecured. The hospital hired an external IT company to investigate.

    Tools for good or bad

    The search tools that database hunters use are powerful.

  30. Tomi Engdahl says:

    Microsoft SharePoint Vulnerability Exploited in the Wild

    A critical vulnerability in Microsoft’s SharePoint collaboration platform has been exploited in the wild to deliver malware.

    The security hole, tracked as CVE-2019-0604, got its first patch in February and another one in March after the first fix turned out to be incomplete. Microsoft described the issue as a remote code execution vulnerability caused by the software’s failure to check the source markup of an application package. It can be exploited without the need for authentication.

    “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft said in an advisory.

  31. Tomi Engdahl says:

    Symantec CEO Quits Unexpectedly, Stock Sinks After Missing Estimates

    Symantec on Thursday announced that it appointed board member Richard Hill as interim chief executive officer and president after Greg Clark stepped down.

  32. Tomi Engdahl says:

    Nigerian Cybercrime ‘Group’ Has 400 Malicious Actors

    SilverTerrier is not a traditional cybercrime group. It is the collective name Unit 42 of Palo Alto Networks gives to Nigerian cybercriminals. SilverTerrier continues to grow (over 400 individual actors) and evolve.

  33. Tomi Engdahl says:

    Over 100 Flaws Expose Buildings to Hacker Attacks

    A researcher has discovered over 100 vulnerabilities in building management and access control systems from four major vendors.

  34. Tomi Engdahl says:

    Remaining €2.9 million stolen in BOV cyber attack found in Hong Kong

    The remaining €2.9 million which was stolen in a cyber attack on Bank of Valletta last February has been found in Hong Kong.

    Around €13 million was stolen from BOV last February after a cyber attack hit the bank, forcing it to shut down its entire grid.

  35. Tomi Engdahl says:

    Software update crashes police ankle monitors in the Netherlands

    Borked update prevents ankle monitors from sending data back to police control rooms.

  36. Tomi Engdahl says:

    SHA-1 collision attacks are now actually practical and a looming danger
    Research duo showcases first-ever SHA-1 chosen-prefix collision attack.

    Attacks on the SHA-1 hashing algorithm just got a lot more dangerous last week with the discovery of the first-ever “chosen-prefix collision attack,” a more practical version of the SHA-1 collision attack first carried out by Google two years ago.

    The SHA-1 hashing function was theoretically broken in 2005; however, the first successful collision attack in the real world was carried out in 2017.

  37. Tomi Engdahl says:

    China’s ‘data doors’ scoop up information straight from your phone

    The security screeners scan more than your face, picking up MAC addresses and IMEI numbers

    Facial recognition devices have become ubiquitous across China. But what you probably didn’t know is that some of these machines can snatch up information straight from your smartphone.

    While they look like regular metal detectors on the outside, they’re much more than that. Aside from facial recognition and ID card verification, the so-called “three-dimensional portrait and integrated data doors” vacuum up MAC addresses, IMEI numbers and other identifying information from electronic devices. This data is unique to a user’s hardware, and it could potentially be used to track people.

  38. Tomi Engdahl says:

    Nine Charged in Alleged SIM Swapping Ring

    Eight Americans and an Irishman have been charged with wire fraud this week for allegedly hijacking mobile phones through SIM-swapping, a form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device. From there, the attackers simply start requesting password reset links via text message for a variety of accounts tied to the hijacked phone number.

  39. Tomi Engdahl says:

    Another remote-code execution hole in top database engine SQLite: How it works, and why not to totally freak out
    You know the drill: Patch and stop using C

    Cisco Talos researchers have uncovered an SQLite use-after-free() vulnerability that could allow an attacker to, in theory, remotely execute code on an affected device.

    “An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0,” said Talos in a blog post describing the vuln, provisionally allocated CVE-2019-5018.

    Now, it sounds scary but the key thing here is that an attacker would have to execute carefully crafted SQL commands on the vulnerable engine to get code execution on the underlying host system.

  40. Tomi Engdahl says:

    Microsoft SharePoint servers are under attack

    Canadian and Saudi cybersecurity agencies warn of attacks that have been going on for at least two weeks.

  41. Tomi Engdahl says:

    How scammers made ad fraud a billion-dollar criminal industry

    Whoever came up with “thieves rob banks because that’s where all the money is” needs to add “digital advertising” to the updated version of the adage.

    Criminals simply don’t need to go through all the trouble of stealing money from well-fortified financial institutions when they can just trick advertisers into directly lining their pockets. With internet ad revenue totaling more than $100 billion in 2018, scammers are following that line of money: ad fraud is set to cost the industry as much as $44 billion annually by 2022.

    But the problem has ramifications for more than just the digital advertising market.

  42. Tomi Engdahl says:

    Two crypto-mining groups are fighting a turf war over unsecured Linux servers

    War in the Cloud: The Rocke and Pacha groups are at each other’s throats competing for vulnerable systems.

    Two hacker groups are fighting to take control over as many Linux cloud-based environments as they can so they can use server resources to mine cryptocurrency behind owners’ backs.

    Both groups operate mass-scanning operations that look for open or unpatched cloud services and servers to infect them with a multi-functional Linux-based malware strain.

    The more aggressive of the two is, by far, the smaller Pacha group, which adopted a strategy of removing a long list of known crypto-mining malware strains on each server it infected.

    Using this approach, Pacha hackers have slowly carved out a large piece on the crypto-mining scene.

    “Although [Rocke] does try to eliminate some generic miners, it is a smaller set in comparison with what Pacha does,” Sanmillan told ZDNet.
