Cyber Security Trends May 2019

This posting is here to collect cyber security news in May 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.



  1. Tomi Engdahl says:

    Stack Overflow says hackers breached website and gained access to production servers.
    I guess nothing is secure and you need to assume that you are hacked all the time.

  2. Tomi Engdahl says:

    Ukraine under CyberAttack

    New cyber attack on the business of Ukraine. Full analysis of the latest version of SmokeBot Loader.

  3. Tomi Engdahl says:

    Russians hacked 2 Florida voting systems; FBI and DeSantis refuse to release details

    Russian hackers successfully tapped into the voter registration files of two Florida counties in 2016, a startling detail revealed Tuesday by Gov. Ron DeSantis after a meeting with the FBI and the Department of Homeland Security last week.

  4. Tomi Engdahl says:

    San Francisco passes city government ban on facial recognition tech

  5. Tomi Engdahl says:

    San Francisco Could Become the First U.S. City to Ban the Use of Facial Recognition Technology

  6. Tomi Engdahl says:

    Hackers breached 3 US antivirus companies, researchers reveal
    Source code, network access being sold online by “Fxmsp” collective.

  7. Tomi Engdahl says:

    WannaCry, a million computers remain at risk
    The threat posed by the leaked NSA tools remains a concern

  8. Tomi Engdahl says:

    Botched update crashes hundreds of Netherlands police ankle monitors
    They couldn’t track suspects for a worryingly long period.

  9. Tomi Engdahl says:

    Devin Coldewey / TechCrunch:
    AT&T, Sprint, T-Mobile, and Verizon say they’ve stopped selling customer geo-location data to third parties, according to letters they all sent the FCC — Reports emerged a year ago that all the major cellular carriers in

    A year after outcry, carriers are finally stopping sale of location data, letters to FCC show

  10. Tomi Engdahl says:

    Robin Emmott / Reuters:
    EU agrees on a new sanctions mechanism for hackers, with ability to target them anywhere in the world, freeze their assets in the bloc, and ban them from entry

    Days before elections, EU approves new cyber sanctions regime

    The European Union will directly penalize computer hackers after governments agreed on Friday a new mechanism to target individuals anywhere in the world, freezing their assets in the bloc and banning them from entry.

    The new powers follow a diplomatic push by Britain and the Netherlands — overcoming initial reluctance from Italy — to allow the 28-country bloc to move more quickly against malign cyber attacks that can bring down crucial infrastructure.

    While no names were added immediately, the EU says the sanctions mechanism will allow the bloc to move quickly to punish future attacks, rather than rely on the current system of special country lists that are complex to negotiate.

    Russia has made cyber and electronic warfare a key part of its military operations, Western officials say, and Britain, the Netherlands and the United States have accused Moscow of conducting a campaign of hacks against the West.

  11. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Researchers: NYPD used edited suspects’ photos and photos of celebs, when witnesses said the suspects looked like them, to generate facial recognition matches

    The NYPD uses altered images in its facial recognition system, new documents show

    In one case, a photo of the actor Woody Harrelson was used to locate a suspect

  12. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    IBM report attributes a 95% decline in attacks caused by hacktivist groups since 2015 to the disintegration of Anonymous and sustained law enforcement crackdown

    Hacktivist attacks dropped by 95% since 2015

    Hacktivist scene collapses as Anonymous hacker collective dies a slow death.

  13. Tomi Engdahl says:

    Shirin Ghaffary / Vox:
    A look at various tools such as drones, sensors, and AI being deployed at the US-Mexico border, as a proposed “smart wall” garners bipartisan political support — Here’s what a so-called “smart wall” of technology at the US-Mexico border looks like. — Graphics by Javier Zarracina/Vox

    The “smarter” wall: how drones, sensors, and AI are patrolling the border

    Here’s what a so-called “smart wall” of technology at the US-Mexico border looks like.

  14. Tomi Engdahl says:

    >20,000 Linksys routers leak historic record of every device ever connected

    More than 20,000 Linksys wireless routers are regularly leaking full historic records of every device that has ever connected to them, including devices’ unique identifiers, names, and the operating systems they use. The data can be used by snoops or hackers in either targeted or opportunistic attacks.

    Independent researcher Troy Mursch said the leak is the result of a flaw in almost three dozen models of Linksys routers. It took about 25 minutes for the Binary Edge search engine of Internet-connected devices to find 21,401 vulnerable devices on Friday.

    Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw

    This sensitive information disclosure vulnerability requires no authentication and can be exploited by a remote attacker with little technical knowledge.

  15. Tomi Engdahl says:

    Security Research Labs:
    Many Ethereum nodes running popular clients like Parity and Geth take months to apply security patches, which may leave the network vulnerable to 51% attacks

    The blockchain ecosystem has a patch problem

    SRLabs research suggests that security vulnerabilities remain unpatched for many Ethereum blockchain participants for extended periods of time, putting the blockchain ecosystem at risk.

    Crypto currencies provide a popular alternative to centralized payment systems, and promise transactions between mutually anonymous parties, often called “trustless” transactions.

    However, the required rational actions seem to extend beyond what many blockchain users are willing to do. In particular, we found early evidence that blockchain participants do not sufficiently patch and hence carry known vulnerabilities.

    Ethereum relies on high availability to prevent double spending. A hacker who controls more than 51% of the computational power in the network can double spend coins, enriching the hacker and undermining the trust in the ecosystem. If a hacker can crash a large number of nodes, controlling 51% of the network becomes easier. Hence, software crashes are a serious security concern for blockchain nodes (unlike in other pieces of software where the hacker does not usually benefit from a crash).

    For that reason, denial of service vulnerabilities have a particularly high severity in cryptocurrency networks; they can be used to massively reduce the amount of computational power needed to perform a 51% attack and double-spend.

    Unpatched Parity Ethereum nodes can be remotely crashed. In February 2019, we reported a vulnerability in the Parity Ethereum client that could be used to remotely crash any Parity Ethereum node prior to version 2.2.10.

    According to our collected data, only two thirds of nodes have been patched so far. Shortly after we reported this vulnerability, Parity released a security alert, urging participants to update their nodes.

    Breaking the backbone of the Ethereum network requires crashing only a handful of nodes. Unfortunately, the data from does not include whether a node is a miner. However, we know that currently the vast amount of hashing power is concentrated in a few mining pools. Mining pools often share one node to communicate with the Ethereum network, and we can safely assume that those mining pools are very security aware and keep their nodes up-to-date.

    To resolve this situation, more reliable update mechanisms are needed. It is therefore desirable (and in line with Ethereum core beliefs) to decentralize the hashing power – this decentralization however would only increase security if the new mining nodes would still be security aware.

    Even if the miner nodes are secure for now, failure to close known vulnerabilities may lead to a collapse of the blockchain ecosystem if and when the hashing power becomes more decentralized. This failure to update could leave the blockchain ecosystem in a more vulnerable state by lowering the barrier for performing a 51% attack.

  16. Tomi Engdahl says:

    Angela Moon / Reuters:
    Source: Google will stop collaborating and providing Huawei with technical support for Android and Google services, including Google Play — NEW YORK (Reuters) – Alphabet Inc’s Google has suspended business with Huawei that requires the transfer of hardware, software and technical services except …

    Exclusive: Google suspends some business with Huawei after Trump blacklist – source

  17. Tomi Engdahl says:

    Good heavens, is it time to patch Cisco kit again? Prime Infrastructure root privileges hole plugged
    Do the thing ASAP, you know how it works by now

    CVE-2019-1821 “can be exploited by an unauthenticated attacker that has network access to the affected [web] administrative interface,” Cisco said in an advisory.

  18. Tomi Engdahl says:

    A large chunk of Ethereum clients remain unpatched

    Unpatched clients leave Ethereum network vulnerable to 51% attacks.

  19. Tomi Engdahl says:

    Security researchers discover Linux version of Winnti malware

    Winnti Linux variant used in 2015 in the hack of a Vietnamese gaming company.

  20. Tomi Engdahl says:

    Stack Overflow says hackers breached production systems

    Stack Overflow said it detected a security breach over the weekend.

  21. Tomi Engdahl says:

    Stack Overflow hacker went undetected for a week

    Stack Overflow now says hacker might have also accessed user data.

  22. Tomi Engdahl says:

    At least 186 EU ISPs use deep-packet inspection to shape traffic, break net neutrality

    NGOs, academics warn about DPI’s impact on user privacy, that net neutrality might be watered down in the EU.

  23. Tomi Engdahl says:

    EternalBlue reaching new heights since WannaCryptor outbreak
    Attack attempts involving the exploit are in hundreds of thousands daily

    It has been two years since EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor (or WannaCry). Since the now-infamous malware incident, attempts to use the exploit have only been growing in prevalence. Currently it is at the peak of its popularity, with users bombarded with hundreds of thousands of attacks every day.

    The EternalBlue exploit was allegedly stolen from the National Security Agency (NSA) in 2016 and leaked online on April 14, 2017 by a group known as Shadow Brokers. The exploit targets a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, via port 445.

  24. Tomi Engdahl says:

    Feds Target $100M ‘GozNym’ Cybercrime Network

    Law enforcement agencies in the United States and Europe today unsealed charges against 11 alleged members of the GozNym malware network, an international cybercriminal syndicate suspected of stealing $100 million from more than 41,000 victims with the help of a stealthy banking trojan by the same name.

  25. Tomi Engdahl says:

    Slack Flaw Allows Hackers to Steal, Manipulate Downloads

    A recently patched vulnerability in the Slack desktop application for Windows can be exploited by malicious actors to steal and manipulate a targeted user’s downloaded files.

    David Wells, a researcher at Tenable, discovered that version 3.3.7 of the Slack desktop app is affected by a download hijacking vulnerability that can be exploited by getting the targeted user to click on a specially crafted link pasted into a Slack channel. The security hole was patched by Slack with the release of version 3.4.0.

  26. Tomi Engdahl says:

    Days before elections, EU approves new cyber sanctions regime

    The European Union will directly penalize computer hackers after governments agreed on Friday a new mechanism to target individuals anywhere in the world, freezing their assets in the bloc and banning them from entry.

    The new powers follow a diplomatic push by Britain and the Netherlands — overcoming initial reluctance from Italy — to allow the 28-country bloc to move more quickly against malign cyber attacks that can bring down crucial infrastructure.

    “This is decisive action to deter future cyber attacks,” British Foreign Secretary Jeremy Hunt said in a statement.

  27. Tomi Engdahl says:

    Google uses Gmail to track a history of things you buy — and it’s hard to delete

    Google saves years of information on purchases you’ve made, even outside Google, and pulls this information from Gmail.
    It’s complicated to delete this private information, and options to turn it off are hidden in privacy settings.
    Google says it doesn’t use this information to sell you ads.

  28. Tomi Engdahl says:

    It’s not chicken feed: Million-dollar meal deal for livestock sabotaged by hackers… and, er, exchange rates
    Six-week investigation delay shrank payment by 13%

    A $1.2m shipment of livestock feed went awry when “hackers” intercepted and tweaked emails with payment details, eventually costing the cheeky buyers an extra $161,000 after exchange rates moved during the legal fallout.

    The sunflower meal traders ended up in dispute when the buyers refused to pay a shortfall caused by forex rates moving after unnamed hackers allegedly forged vital payment emails.

    A strange tale, this shows the effects of a business email compromise attack.

    Exchange rate malarkey

    The London account was held in the name of Ecobank, which the judge emphasised had not committed any “fraud or wrongdoing” itself. Being received into a London bank account, albeit the wrong one, the USD sum had been converted into sterling on arrival. This turned the $1,167,900 into £768,372.45.

    The judge added, however: “It is commercially impossible to transfer funds to a bank which are intended for the benefit of a customer without identifying the beneficiary and the destination account by branch and account name and number.”

  29. Tomi Engdahl says:

    Giga-hurts radio: Terrorists build Wi-Fi bombs to dodge cops’ cellphone jammers
    Explosives activated by wireless networking signals discovered amid election

    Terrorists have been caught strapping Wi-Fi-activated backup triggers to bombs in Indonesia, police claimed this week.

    The explosives were discovered in a raid earlier this month, and included a switching mechanism that enabled them to be detonated using a signal sent via Wi-Fi if the main trigger, which uses a SIM card and waits for a mobile phone message to detonate, was blocked by radio-frequency jammers.

  30. Tomi Engdahl says:

    Ransomware ‘Remediation’ Firm Exposed: Researchers Weigh in on Paying

    The decision to pay a ransom in the case of a ransomware attack can be a complex one for businesses.

    A company that claimed to use technology tools to help victims with ransomware cleanup was found to secretly be paying the ransom, while collecting a premium from their clients, according to an expose out this week. The situation brings the core dilemma of business-focused ransomware directly into the spotlight: To pay, or not to pay?

  31. Tomi Engdahl says:

    Dutch Probe China’s Huawei for Possible Spying: Report

    Dutch intelligence services are investigating Huawei for possibly spying for the Chinese government by leaving a “back door” to data of customers of major telecoms firms, a report said Thursday.

  32. Tomi Engdahl says:

    Hacking forums survive cybercrime dragnet as feds prioritize drug-market busts

    It might be more difficult these days to conduct an anonymous drug deal on the dark web, but not every online criminal enterprise is feeling the pinch of international law enforcement.

    New research shows that as the FBI and other crime-fighting agencies have gone after dark web markets, cybercrime communities have avoided the heat. Stolen financial information, access to hacked social media accounts and malicious software tools are still widely available on forums accessible on the open web, without using the Tor anonymity software.

  33. Tomi Engdahl says:

    GozNym cyber-crime gang which stole millions busted

  34. Tomi Engdahl says:

    Slack Bug Allows Remote File Hijacking, Malware Injection

    An attacker can supply a malicious hyperlink in order to secretly alter the download path for files shared in a Slack channel.

  35. Tomi Engdahl says:

    Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

  36. Tomi Engdahl says:

    LeakedSource Operator Pleads Guilty in Canada

    Canadian authorities announced last week that Defiant Tech Inc., the company that ran LeakedSource, pleaded guilty to trafficking identity information and possession of property obtained through crime.

  37. Tomi Engdahl says:

    Linux Kernel Privilege Escalation Vulnerability Found in RDS Over TCP

    A memory corruption vulnerability recently found in Linux Kernel’s implementation of RDS over TCP could lead to privilege escalation.

    Tracked as CVE-2019-11815 and featuring a CVSS base score of 8.1, the flaw impacts Linux kernels prior to 5.0.8, but only systems that use the Reliable Datagram Sockets (RDS) for the TCP module.

  38. Tomi Engdahl says:

    DHS Highlights Common Security Oversights by Office 365 Customers

    As organizations migrate to Microsoft Office 365 and other cloud services, many fail to use proper configurations that ensure good security practices, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warns.

  39. Tomi Engdahl says:

    Face It, You’re Being Watched

    San Francisco is the first American city to ban facial recognition software used by police and other agencies. Bloomberg QuickTake explains why the technology’s advance is so alarming to regulators, the public, and even the people developing it.

  40. Tomi Engdahl says:

    US Warns Chinese Drones May Steal Data: Report

    Washington has warned that Chinese-made drones could be giving spy agencies in Beijing “unfettered access” to stolen data, according to a report in American media.

    The Department of Homeland Security sent out an alert on Monday flagging drones built in China as a “potential risk to an organization’s information”, CNN reported.

    The US government has “strong concerns about any technology product that takes American data into the territory of an authoritarian state that permits its intelligence services to have unfettered access to that data or otherwise abuses that access,” wrote CNN, quoting the DHS alert.

  41. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    Two weeks after the city of Baltimore’s networks suffered a ransomware attack, many of its systems remain offline, including utilities billing, phone, and email — Houses can’t be sold, bills can’t be paid while city networks are shuttered. — It’s been nearly two weeks since the City …

    Baltimore ransomware nightmare could last weeks more, with big consequences

    Houses can’t be sold, bills can’t be paid while city networks are shuttered.

    It’s been nearly two weeks since the City of Baltimore’s networks were shut down in response to a ransomware attack, and there’s still no end in sight to the attack’s impact. It may be weeks more before the city’s services return to something resembling normal—manual workarounds are being put in place to handle some services now, but the city’s water billing and other payment systems remain offline, as well as most of the city’s email and much of the government’s phone systems.

    To top it off, unlike the City of Atlanta—which suffered from a Samsam ransomware attack in March of 2018—Baltimore has no insurance to cover the cost of a cyber attack. So the cost of cleaning up the RobbinHood ransomware, which will far exceed the approximately $70,000 the ransomware operators demanded, will be borne entirely by Baltimore’s citizens.

    It’s not like the city wasn’t warned. Baltimore’s information security manager warned of the need for such a policy during budget hearings last year. But the final budget did not include funds for that policy, nor did it include funding for expanded security training for city employees, or other strategic investments.

    City officials have provided few details about the extent of the attack, as the city is cooperating with an FBI investigation. But it appears that the ransomware was triggered on some systems in the early hours of May 7, when email service was suddenly interrupted. The city’s response to the attack has thrown many city services into disorder or shut them down entirely.

    City officials have stressed that emergency systems, such as police and fire department networks and the city’s 911 system, were not affected. The 911 system suffered from a ransomware attack last year when some firewall settings were disabled during maintenance.

    Real estate purchases cannot be closed, though Mayor Young said that a paper-based workaround for handling closings would be put in place by today. Water bills and other city charges (including parking tickets and citations from the city’s speed camera and red light camera network) cannot be paid. And many city workers have had to resort to using their own laptops without a connection to city networks.

    The mayor’s Office of Information Technology has been struggling to regain its footing over the past two years after a string of fired chief information officers—four consecutive CIOs were fired or forced to resign over a period of five years.

    According to a 2018 strategy document, Baltimore spends about half of what other cities budget for IT, and the Office of Information Technology only controls about one percent of the total budget; most of the IT spending is part of other departments’ operational budgets.

    Until the ransomware attack, the city’s email was almost entirely internally hosted, running on Windows Server 2012 in the city’s data center. Only the city’s Law Department had moved over to a cloud-based mail platform.

    Some of Baltimore’s systems are hosted elsewhere, including the city’s primary website.

    Tracking down how and when the malware got into the city’s network is a significant task. The city has a huge attack surface.

  42. Tomi Engdahl says:

    Persistence of Chaos: Laptop infected with world’s most dangerous malware up for sale

    The terms of sale state the buyer must recognise the computer as art and have “no intention of disseminating any malware”.

    A laptop infected with six of the most dangerous viruses and malware that have caused around $95bn (£74bn) of damage has been put up for auction.

  43. Tomi Engdahl says:

    BlueKeep Remote Desktop Exploits Are Coming, Patch Now!

    Security researchers have created exploits for the remote code execution vulnerability in Microsoft’s Remote Desktop Services, tracked as CVE-2019-0708 and dubbed BlueKeep, and hackers may not be far behind.

    While the vulnerability inspired some playful users to create fake proof-of-concept code intended for rickrolling, it is no joke. As Remote Desktop Services is commonly exposed to the public so that users can gain remote access to their internal computers, successful exploitation could allow access to an entire network.

    Using information from their research and from public scripts, security professionals at NCC Group have created a network detection rule for CVE-2019-0708. After testing with Suricata IDS/IPS, NCC Group made it publicly available.

  44. Tomi Engdahl says:

    Google admitted a bad security blunder that went unnoticed for 14 years

    Google has said it found a bug that caused some G Suite business users’ passwords to be stored in plaintext instead of as hashes.

  45. Tomi Engdahl says:

    Cisco Starts Patching Firmware Bug; Millions of Devices Still Vulnerable

    A flaw in the Secure Boot trusted hardware root-of-trust affects enterprise, military and government network gear, including routers, switches and firewalls.

    Cisco has issued a handful of firmware releases for a high-severity vulnerability in Cisco’s proprietary Secure Boot implementation that impacts millions of its hardware devices, across the scope of its portfolio.
