This posting is here to collect cyber security news in May 2019.
I post links to security vulnerability news in the comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
355 Comments
Tomi Engdahl says:
Ohio school sends students home because of Trickbot malware infection
TrickBot infections impacted, PC fleet, phone and HVAC systems.
https://www.zdnet.com/article/ohio-school-sends-students-home-because-of-trickbot-malware-infection/
An Ohio school district was forced to send students and some of its staff home on Monday after a malware infection caused major issues to its IT infrastructure.
But, surprise, surprise, the malware infection was not a ransomware attack, as most infosec experts would have expected, but a banking trojan.
Infected last week, but not by a student
Officials said they were infected last week, but only discovered the infection on Friday.
TrickBot — one of today’s most dangerous malware strains
The FBI has been counseling the school district and helping with recovery efforts. In mid-March this year, the Department of Homeland Security sent a warning about an increase in TrickBot attacks.
The malware started as a banking trojan specialized in stealing credentials for banking portals, but shifted tactics in 2016-2017, when it was re-purposed into a multi-purpose malware platform.
Tomi Engdahl says:
Google research: Most hacker-for-hire services are frauds
Survey of 27 hacker-for-hire services found that only five launched attacks against victims.
https://www.zdnet.com/article/google-research-most-hacker-for-hire-services-are-frauds/
Hacker-for-hire services available online are what we thought they were — scams and ineffective — new research published last week by Google and academics from the University of California, San Diego, reveals.
“Using unique online buyer personas, we engaged directly with 27 such account hacking service providers and tasked them with compromising victim accounts of our choosing,” researchers said.
The research team said that of the 27 hacking services they engaged, 10 never replied to their inquiries, 12 responded but never actually attempted to launch an attack, and only five ended up launching attacks against the test Gmail accounts.
Tomi Engdahl says:
Microsoft Defender ATP Adds Live Response for SecOps
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-adds-live-response-for-secops/
Microsoft announced the addition of live response capabilities to its Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) enabling security operation teams to perform system forensic analysis remotely.
Microsoft Defender ATP is a security platform designed to allow security teams to provide “preventative protection, post-breach detection, automated investigation, and response.”
Tomi Engdahl says:
Attack Combines Phishing, Steganography, PowerShell to Deliver Malware
https://www.securityweek.com/attack-combines-phishing-steganography-powershell-deliver-malware
Researchers have discovered a malware campaign targeting Japan and combining phishing, steganography, PowerShell, and the URLZone and Ursnif malware families.
The basic process described in a new report from Cybereason is a malspam campaign with a weaponized Excel document containing a PowerShell script that downloads steganographic images. The script extracts further Base64 and AES-encrypted and compressed PowerShell code from the images. This code subsequently downloads a stripped-down version of URLZone which is then used as a downloader for the Ursnif banking trojan.
The key elements of the campaign are that it is finely targeted against Japanese users, and that URLZone has been repurposed as an evasive downloader. The combination of PowerShell and steganography to deliver URLZone is an evasive technique to avoid detection.
Tomi Engdahl says:
Firefox Now Has Fingerprinting and Crypto-mining Protection
https://www.securityweek.com/firefox-now-has-fingerprinting-and-crypto-mining-protection
Mozilla this week released Firefox 67 to the stable channel with improved protection against tracking and with fingerprinting and crypto-mining protection capabilities.
The new feature builds on the previously introduced privacy-focused opt-in Tracking Protection on the desktop, Tracking protection by default on iOS, and the Facebook Container Extension, all of which were released last year.
Tomi Engdahl says:
Google Warns G Suite Customers of Passwords Stored Unhashed Since 2005
https://www.securityweek.com/google-warns-g-suite-customers-passwords-stored-unhashed
Google on Tuesday said that some passwords for its G Suite customers were stored in an unhashed format since 2005.
“We are writing to inform you that due to legacy functionality that enabled customer Domain Admins to view passwords, some of your users’ passwords were stored in our encrypted systems in an unhashed format,” an email notice to G Suite administrators reads. “This primarily impacted system generated or admin generated passwords intended for one-time use.”
Tomi Engdahl says:
Researcher Drops Windows 10 Zero-Day Exploit
https://www.securityweek.com/researcher-drops-windows-10-zero-day-exploit
A researcher has made public technical details, a video and proof-of-concept (PoC) exploit code for an unpatched local privilege escalation (LPE) vulnerability affecting Windows.
The flaw, disclosed by a researcher who uses the online moniker SandboxEscaper, is related to discretionary access control lists (DACL) and the Task Scheduler, and the exploit has been confirmed to work reliably on a fully patched Windows 10 machine, including 64-bit systems.
https://twitter.com/wdormann/status/1130958441378394113
Tomi Engdahl says:
Hackers have been holding the city of Baltimore’s computers hostage for 2 weeks
https://www.vox.com/recode/2019/5/21/18634505/baltimore-ransom-robbinhood-mayor-jack-young-hackers
A ransomware attack means Baltimore citizens can’t pay their water bills or parking tickets.
Tomi Engdahl says:
President Trump’s golf scores hacked; USGA confirms it’s looking into the matter
https://golfweek.com/2019/05/18/president-trumps-golf-scores-hacked-on-usga-website/
Four scores were posted to Trump’s USGA-administered GHIN handicap system on Friday, a day on which the president returned from New York to Washington and did not actually play golf.
The scores posted were suspiciously unflattering
The scores were posted in the same manner that any other golfer or club in America can post, suggesting that a jokester has obtained access to Trump’s GHIN information.
Tomi Engdahl says:
Singapore updates guidelines on data breach notification and accountability
https://www.zdnet.com/article/singapore-updates-guidelines-on-data-breach-notification-accountability/
Expected to be included as part of the upcoming amendment to the country’s data protection law, the new guidelines state businesses must take no more than 30 days to investigate a suspected breach and notify authorities 72 hours after completing their assessment of the breach.
Tomi Engdahl says:
Windows 7 patch warning: Antivirus clash causing PCs to freeze
Updates for Windows 7 cause startup problems for a second month in a row.
https://www.zdnet.com/article/windows-7-patch-warning-antivirus-clash-causing-pcs-to-freeze/
In a repeat of April’s Windows 7 update clashes with multiple antivirus products, the May 2019 Windows 7 updates are causing new problems for users of McAfee and Sophos security products.
Tomi Engdahl says:
Intel Fixes Critical, High-Severity Flaws Across Several Products
https://threatpost.com/intel-fixes-critical-high-severity-flaws-across-several-products/144940/
Intel has issued an updated advisory for more than 30 fixes addressing vulnerabilities across various products – including a critical flaw in Intel’s converged security and management engine (CSME) that could enable privilege-escalation.
The bug (CVE-2019-0153) exists in a subsystem of Intel CSME, which powers Intel’s Active Management System hardware and firmware technology, used for remote out-of-band management of personal computers. An unauthenticated user could potentially abuse this flaw to enable escalation of privilege over network access, according to the Intel advisory, updated this week.
The flaw is a buffer overflow vulnerability with a CVSS score of 9 out of 10
Overall, the chip giant issued 34 fixes for various vulnerabilities – with seven of those ranking high-severity
Tomi Engdahl says:
Fingerprinting iPhones
https://www.schneier.com/blog/archives/2019/05/fingerprinting_7.html
This clever attack allows someone to uniquely identify a phone when you visit a website, based on data from the accelerometer, gyroscope, and magnetometer sensors.
SensorID
Sensor Calibration Fingerprinting for Smartphones
https://sensorid.cl.cam.ac.uk/
When you visit a website, your web browser provides a range of information to the website, including the name and version of your browser, screen size, fonts installed, and so on. Ostensibly, this information allows the website to provide a great user experience. Unfortunately this same information can also be used to track you. In particular, this information can be used to generate a distinctive signature, or device fingerprint, to identify you.
Browser vendors have long worried about the potential privacy invasion from device fingerprinting and have included measures to prevent such tracking.
We have developed a new type of fingerprinting attack, the calibration fingerprinting attack. Our attack uses data gathered from the accelerometer, gyroscope and magnetometer sensors found in smartphones to construct a globally unique fingerprint
Am I affected by the attack?
You are affected by this fingerprinting attack if you are using any iOS devices with the iOS version below 12.2, including the latest iPhone XS, iPhone XS Max, and iPhone XR. You are also likely to be affected if you are using a Pixel 2/3 device
How can I protect myself from this attack?
If you are using an iOS device, please update the system to iOS 12.2 to protect against this attack.
Sensor calibration is the process of identifying and removing the deterministic errors from the sensor.
How does the sensor calibration fingerprinting attack work?
Our approach works by carefully analysing the data from sensors which are accessible without any special permissions to both websites and apps. Our analysis infers the per-device factory calibration data which manufacturers embed into the firmware of the smartphone to compensate for systematic manufacturing errors. This calibration data can then be used as the fingerprint.
Tomi Engdahl says:
RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
During Microsoft’s May Patch Tuesday cycle, a security advisory was released for a vulnerability in the Remote Desktop Protocol (RDP). What was unique in this particular patch cycle was that Microsoft produced a fix for Windows XP and several other operating systems, which have not been supported for security updates in years. So why the urgency and what made Microsoft decide that this was a high risk and critical patch?
The bulletin referenced well-known network worm “WannaCry” which was heavily exploited just a couple of months after Microsoft released MS17-010 as a patch for the related vulnerability in March 2017. McAfee Advanced Threat Research has been analyzing this latest bug to help prevent a similar scenario and we are urging those with unpatched and affected systems to apply the patch for CVE-2019-0708 as soon as possible. It is extremely likely malicious actors have weaponized this bug and exploitation attempts will likely be observed in the wild in the very near future.
Tomi Engdahl says:
New Zero-Day Exploit for Bug in Windows 10 Task Scheduler
https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-bug-in-windows-10-task-scheduler/
Exploit developer SandboxEscaper has quietly dropped a new zero-day exploit for the Windows operating system just a week after Microsoft’s monthly cycle of security updates.
Tomi Engdahl says:
Researchers Demo PoC For Remote Desktop BlueKeep RCE Exploit
https://www.bleepingcomputer.com/news/security/researchers-demo-poc-for-remote-desktop-bluekeep-rce-exploit/
A proof-of-concept remote code execution (RCE) exploit for the wormable BlueKeep vulnerability tracked as CVE-2019-0708 has been demoed by security researchers from McAfee Labs.
Microsoft issued a security fix on May 14 to patch the critical vulnerability on both out-of-support and in-support Windows versions, describing the bug as capable of allowing malware to self-propagate between vulnerable Windows machines, just “as the WannaCry malware spread across the globe in 2017.”
Tomi Engdahl says:
G Suite’n’sour: Google resets passwords after storing some unhashed creds for months, years
Biz app login details encrypted at rest, though, ad giant insists
https://www.theregister.co.uk/2019/05/22/google_g_suite_password_reset/
Google admitted Tuesday its paid-for G Suite of cloudy apps aimed at businesses stored some user passwords in plaintext albeit in an encrypted form.
Administrators of accounts affected by the security blunder were warned via email that, in certain circumstances, passwords had not been hashed. Hashing is a standard industry practice that protects credentials by scrambling them using a one-way encryption algorithm.
Tomi Engdahl says:
Google Stored G Suite Users’ Passwords in Plain-Text for 14 Years
https://thehackernews.com/2019/05/google-gsuite-plaintext-password.html
Tomi Engdahl says:
PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online
https://thehackernews.com/2019/05/windows-zero-day-vulnerability.html
An anonymous hacker with an online alias “SandboxEscaper” today released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting Windows 10 operating system—that’s his/her 5th publicly disclosed Windows zero-day exploit [1, 2, 3] in less than a year.
Published on GitHub, the new Windows 10 zero-day vulnerability is a privilege escalation issue that could allow a local attacker or malware to gain and run code with administrative system privileges on the targeted machines, eventually allowing the attacker to gain full control of the machine.
Tomi Engdahl says:
Cyber Command’s latest VirusTotal upload has been linked to an active attack
https://www.cyberscoop.com/cyber-command-virustotal-apt28-kaspersky-zonealarm/
The malware sample that U.S. Cyber Command uploaded to VirusTotal last week is still involved in active attacks, multiple security researchers tell CyberScoop.
According to Kaspersky Lab, the malware resembles XTunnel, a tool APT28 used to breach the DNC in 2016. It also has a few components in common with SPLM/XAgent, according to Baumgartner.
Tomi Engdahl says:
Bug-hunter reveals another ‘make me admin’ Windows 10 zero-day – and vows: ‘There’s more where that came from’
Vulnerability can be exploited to turn users into system stars, no patch available yet
https://www.theregister.co.uk/2019/05/22/windows_zero_day/
Tomi Engdahl says:
Windows 10 zero-day exploit code released online
Security researcher ‘SandboxEscaper’ returns with new Windows LPE zero-day
https://www.zdnet.com/article/windows-10-zero-day-exploit-code-released-online/
Tomi Engdahl says:
Volume of Signed Malware Increases, CAs Need Better Vetting
https://www.bleepingcomputer.com/news/security/volume-of-signed-malware-increases-cas-need-better-vetting/
Digitally signed threats with a valid certificate are no longer the mark of a nation-state, sophisticated attacker. The number of malware samples signed with a valid certificate found on VirusTotal is in the thousands.
Threats signed with a valid digital certificate are no longer the mark of a nation-state, sophisticated attacker, and financially-driven cybercriminals are able to purchase code-signing certs either directly or indirectly from certificate authorities (CAs) or their resellers.
Tomi Engdahl says:
Patch now! Why the BlueKeep vulnerability is a big deal
What you need to know about the critical security hole that could enable the next WannaCryptor
https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/
Remember the panic that hit organizations around the world on May 12th, 2017 when machine after machine displayed the WannaCryptor ransom screen? Well, we might have a similar incident on our hands in the coming days, weeks or months if companies don’t update or otherwise protect their older Windows systems right away. The reason is BlueKeep, a ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware. A patch by Microsoft for supported, as well as some unsupported, operating systems has been available since May 14th.
Tomi Engdahl says:
A journey to Zebrocy land
ESET sheds light on commands used by the favorite backdoor of the Sednit group
https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
Tomi Engdahl says:
Microsoft Windows Task Scheduler SetJobFileSecurityByName privilege escalation vulnerability
Vulnerability Note VU#119704
https://kb.cert.org/vuls/id/119704/
Tomi Engdahl says:
Two more Microsoft zero-days uploaded on GitHub
https://www.zdnet.com/article/two-more-microsoft-zero-days-uploaded-on-github/
SandboxEscaper has now published seven zero-days in Microsoft products; two more to come.
Tomi Engdahl says:
Windows Zero-Day Drops on Twitter, Developer Promises 4 More
https://threatpost.com/windows-zero-day-lpe/144976/
SandboxEscaper has released her latest local privilege-escalation exploit for Windows.
Bug-hunter reveals another ‘make me admin’ Windows 10 zero-day – and vows: ‘There’s more where that came from’
Vulnerability can be exploited to turn users into system stars, no patch available yet
https://www.theregister.co.uk/2019/05/22/windows_zero_day/
The discovered hole can be exploited by malware and rogue logged-in users to gain system-level privileges on Windows 10 and recent Server releases, allowing them to gain full control of the machine. No patch exists for this bug, details and exploit code for which were shared online on Tuesday for anyone to use and abuse.
This latest one works by abusing Windows’ schtasks tool, designed to run programs at scheduled times, along with quirks in the operating system.
Tomi Engdahl says:
New Windows 10 Security Exploit Can Read All Your Files — What You Need To Know
https://www.forbes.com/sites/daveywinder/2019/05/22/new-windows-10-threat-can-read-all-your-files-no-microsoft-patch-expected-before-june-11/#5ee40f46998c
A security researcher going by the name of SandboxEscaper has posted a proof of concept demo for a Windows zero-day exploit online. This local privilege escalation (LPE) exploit is the fifth in a series of zero-days that SandboxEscaper has dropped into the Windows environment over the last year. The latest proof of concept doesn’t enable anyone to actually access your computer, but it does provide a method by which those who do so can upgrade their system privileges to an administrator level and in so doing grant them carte blanche to your data.
What was the motivation?
As mentioned, SandboxEscaper has a reputation for releasing exploit code without any prior disclosure to Microsoft. Reporting on one of these last year, Forbes contributor Marco Chiappetta suggested that “depression may have been a factor in SandboxEscaper’s decision to post the exploit”
Tomi Engdahl says:
GetCrypt Ransomware Brute Forces Credentials, Decryptor Released
https://www.bleepingcomputer.com/news/security/getcrypt-ransomware-brute-forces-credentials-decryptor-released/
A new ransomware called GetCrypt is being installed through malvertising campaigns that redirect victims to the RIG exploit kit. Once installed, GetCrypt will encrypt all of the files on a computer and then demand a ransom payment to decrypt the files.
When a victim is redirected to a page hosting the exploit kit, malicious scripts will try to exploit vulnerabilities found on the computer.
If successful, it will download and install GetCrypt into Windows.
When the exploit kit executes the ransomware, GetCrypt will check if the Windows language is set to Ukrainian, Belarusian, Russian, or Kazakh. If it is, the ransomware will terminate and not encrypt the computer.
Otherwise, the ransomware will examine the CPUID of the computer and use it to create a 4-character string, which will be used as the extension for encrypted files. It then clears the Shadow Volume Copies by running the vssadmin.exe delete shadows /all /quiet command.
Tomi Engdahl says:
Android and iOS devices impacted by new sensor calibration attack
https://www.zdnet.com/article/android-and-ios-devices-impacted-by-new-sensor-calibration-attack/
SensorID technique can track users across apps and websites using sensor calibration data.
Tomi Engdahl says:
London Underground to begin tracking passengers through Wi-Fi hotspots
TfL says the default data collection will be used to boost customer services.
https://www.zdnet.com/article/london-underground-to-begin-tracking-passengers-through-wi-fi-hotspots/
Tomi Engdahl says:
New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices
https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices/
We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campaign.
This attack comes just a few weeks after we last reported on Mirai activity, when it had targeted various routers.
Tomi Engdahl says:
UK says it warned 16 NATO allies of Russian hacking activities
https://www.zdnet.com/article/uk-says-it-warned-16-nato-allies-of-russian-hacking-activities/
UK warns of Russian global hacking campaign targeting critical infrastructure and government networks.
Tomi Engdahl says:
Mobile Chrome, Safari, and Firefox failed to show phishing warnings for more than a year
https://www.zdnet.com/article/mobile-chrome-safari-and-firefox-failed-to-show-phishing-warnings-for-more-than-a-year/
Google Safe Browsing didn’t show phishing warnings for mobile browsers between mid-2017 and late-2018.
Tomi Engdahl says:
We’ll hack back at Russians, declare UK ministers in cyber-Blitz blitz
NATO’s getting in on the action too
https://www.theregister.co.uk/2019/05/23/uk_will_hack_other_countries_say_ministers/
British ministers are stepping up their rhetoric on cyber warfare, with £22m to be splurged on embiggening an “offensive hacking” unit as Foreign Secretary Jeremy Hunt vowed to retaliate against Russian cyber-attacks.
Tomi Engdahl says:
Alert: Microsoft SharePoint remote code vulnerability
https://www.ncsc.gov.uk/news/alert-microsoft-sharepoint-remote-code-vulnerability
The NCSC has seen high levels of successful attacks against UK organisations so system owners need to check that actions have been taken against this vulnerability.
Tomi Engdahl says:
In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc
https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html
For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers
Tomi Engdahl says:
They won’t stop the attack until they get 13 Bitcoins.
The City Of Baltimore Has Been Held Hostage By Cybercriminals For Two Weeks
https://www.iflscience.com/technology/the-city-of-baltimore-has-been-held-hostage-by-cybercriminals-for-two-weeks/
Over two weeks ago, cybercriminals breached the servers of Baltimore, Maryland, leading to various systems being taken offline and several municipal functions grinding to a halt. The attackers used ransomware called RobbinHood, the latest player in the world of cyberattacks.
A Closer Look at the RobbinHood Ransomware
https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/
Security researcher Vitali Kremez, who reverse engineered the sample, told BleepingComputer that on execution it will stop 181 Windows services associated with antivirus, database, mail server, and other software that could keep files open and prevent their encryption. It does this by issuing the “sc.exe stop” command as shown below.
In addition to stopping Windows services, RobbinHood also disconnects all network shares from the computer
This could indicate that the payload is being pushed to each individual machine via a domain controller or through a framework like Empire PowerShell and PSExec.
Kremez told BleepingComputer that when encrypting files an AES key is created for each file. The ransomware will then encrypt the AES key and the original filename with the public RSA encryption key and append it to the encrypted file.
Protecting yourself from the RobbinHood Ransomware
As ransomware is only damaging if you have no way of recovering your data, the most important thing is to always have a reliable backup of your files.
Finally, it is also important to make sure that your network does not make Remote Desktop Services publicly accessible via the Internet. Instead, you should put it behind a firewall and make it only accessible through a VPN.
Tomi Engdahl says:
Why the Air Force is investigating a cyber attack from the Navy
https://www.airforcetimes.com/news/your-air-force/2019/05/21/why-the-air-force-is-investigating-a-cyber-attack-from-the-navy/
The Air Force is investigating the Navy for a cyber intrusion into its network, according to a memo obtained by Military Times.
The bizarre turn of events stems from a decision by a Navy prosecutor to embed hidden tracking software into emails sent to defense attorneys, including one Air Force lawyer, involved in a high-profile war-crimes case of a Navy SEAL in San Diego.
Tomi Engdahl says:
Baltimore City Council Pres. urges Gov. to seek FEMA declaration for ransomware attack
http://foxbaltimore.com/news/local/baltimore-city-council-pres-urges-gov-to-seek-fema-declaration-for-ransomware-attack
BALTIMORE (WBFF) Baltimore City Council President Brandon Scott is urging Governor Hogan to seek a federal emergency and disaster declaration for the weeks-long cyber attack that has disabled city government computer systems and key citizen services.
The N.S.A. cyber-weapon named “Eternal Blue” is estimated to have caused billions of dollars in damages and is thought to be the most destructive and costly N.S.A. security breach in history.
“I’m also confident that our federal delegation understands that Cybersecurity is a critically important threat that can wreak disastrous consequences and must be categorized accordingly.” Last week, Council President Scott called for the creation of a Special City Council Committee on Cybersecurity and Emergency Preparedness to investigate the attack, calling it a “crisis of the utmost urgency.”
Tomi Engdahl says:
David Wells of Tenable details a vulnerability that came to light in the Slack messaging application. Slack has patched the flaw in its v3.4.0 update.
Stealing Downloads from Slack Users
https://medium.com/tenable-techblog/stealing-downloads-from-slack-users-be6829a55f63
Tomi Engdahl says:
From https://semiengineering.com/week-in-review-iot-security-auto-46/
The city of Baltimore is still unraveling the results of this month’s ransomware attack, this analysis notes. One amusing note: The hackers responsible for the attack included privacy statement boilerplate in one of their communications – “I want to mention that your privacy is important to us.”
Hackers Are Holding Baltimore Hostage: How They Struck and What’s Next
https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html
More than two weeks ago, hackers seized parts of the computer systems that run Baltimore’s government.
It could take months of work to get the disrupted technology back online. That, or the city could give in to the hackers’ ransom demands.
“Right now, I say no,” Mayor Bernard Young told local reporters on Monday. “But in order to move the city forward? I might think about it. But I have not made a decision yet.”
Here’s a brief rundown of what happened.
On May 7, the city discovered that it was a victim of a ransomware attack, in which critical files are encrypted remotely until a ransom is paid.
The city immediately notified the F.B.I. and took systems offline to keep the ransomware from spreading, but not before it took down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations.
At least 1,500 pending home sales have been delayed
What was the threat?
A copy of a digital ransom note, obtained by The Baltimore Sun, stated that the city could unlock the seized files for a price: three Bitcoins (nearly $24,000) per system or 13 Bitcoins (about $102,000) for them all.
“We won’t talk more, all we know is MONEY!” the note said.
Baltimore has released little else about the attack, citing a continuing F.B.I. investigation.
Who is behind the attack?
The authorities have not named any individuals or groups behind the attack, but they have identified the malicious software, or malware, behind it as “RobbinHood,” a relatively new ransomware variant, according to The Baltimore Sun.
Was Baltimore targeted?
The city has not described how the attack was executed, but experts don’t believe that hackers sought the city out.
“I think it was purely an opportunistic attack,”
“The reason for the modern rise in ransomware, and frankly the wild success, is directly attributable to Bitcoin and other cryptocurrencies,” Mr. Liska said.
There have been at least 169 incidents of state and local governments falling prey to ransomware since that year, though Mr. Liska said that estimate was probably low because governments don’t always publicize such attacks.
“That’s really only the tip of the iceberg,” he said. “There’s really probably a lot more that are never reported on.”
About 70 percent of state and local governments refused to pay a ransom, while 17 percent did, he said. The outcome could not be determined in the remaining cases.
Should Baltimore pay?
The encryption used by ransomware can often be difficult to crack, but Mr. Liska nonetheless advised against paying the ransom.
“That money is going to help make the bad guy’s job easier,”
Tomi Engdahl says:
In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc
https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html?action=click&module=Top%20Stories&pgtype=Homepage
Since 2017, when the N.S.A. lost control of the tool, EternalBlue, it has been picked up by state hackers in North Korea, Russia and, more recently, China, to cut a path of destruction around the world, leaving billions of dollars in damage. But over the past year, the cyberweapon has boomeranged back and is now showing up in the N.S.A.’s own backyard.
It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, from Pennsylvania to Texas, paralyzing local governments and driving up costs
EternalBlue reaching new heights since WannaCryptor outbreak
Attack attempts involving the exploit are in hundreds of thousands daily
https://www.welivesecurity.com/2019/05/17/eternalblue-new-heights-wannacryptor/
Tomi Engdahl says:
Sectigo Responds to Chronicle’s Report About Malware Signed by Their Certs
https://www.bleepingcomputer.com/news/security/sectigo-responds-to-chronicles-report-about-malware-signed-by-their-certs/
Following Chronicle’s study on signed malware registered on the VirusTotal scanning service over a one-year period, Sectigo carried out its own investigation to identify abused certificates and revoke them.
Chronicle’s research focused on the number of malicious code samples they found and not on the number of certificates issued by Certificate Authorities (CA). It’s important to note that malware can use a certificate as long as it is valid.
Lots of duplicates identified
In a post on Friday, Sectigo reveals that most of the certificates Chronicle found to be issued by the company and abused to sign malware were expired, already revoked or duplicates at the time Sectigo looked into the matter; collectively, they make up 90% of the certs attributed to Comodo/Sectigo.
Expired or revoked certs can no longer be used to validate the authenticity and integrity of the file they vouch for.
Duplicate certificates are those that match other certs that had been logged under a different category. “This duplication may owe itself to multiple uses of the same certificate or multiple reports of the same malware application,” explains Sectigo.
Volume of Signed Malware Increases, CAs Need Better Vetting
https://www.bleepingcomputer.com/news/security/volume-of-signed-malware-increases-cas-need-better-vetting/
Tomi Engdahl says:
One year later: The VPNFilter catastrophe that wasn’t
https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html
Cisco Talos first disclosed the existence of VPNFilter on May 23, 2018. The malware made headlines across the globe, as it was a sophisticated piece of malware developed by a nation state, infecting half a million devices, and poised to cause havoc. Yet the attack was averted. The attacker’s command and control (C2) infrastructure was seized by the FBI, preventing the attacker from broadcasting orders to compromised devices. The attacker lost control of the infected systems, and potential catastrophe was prevented.
This was a wakeup call that alerted the cybersecurity community to a new kind of state-sponsored threat
Tomi Engdahl says:
Sorpresa! JasperLoader targets Italy with a new bag of tricks
https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html
Tomi Engdahl says:
Live Coverage Of A Disinformation Operation Against The 2019 EU Parliamentary Elections
https://labsblog.f-secure.com/2019/05/24/live-coverage-of-a-disinformation-operation-against-the-2019-eu-parliamentary-elections/
Tomi Engdahl says:
BlueKeep RCE Flaw Gets Micropatch for Always-On Servers
https://www.bleepingcomputer.com/news/security/bluekeep-rce-flaw-gets-micropatch-for-always-on-servers/
The 0patch platform issued a fix for the Remote Desktop Services RCE vulnerability known as BlueKeep, in the form of a 22-instruction micropatch which can be used to protect always-on servers against exploitation attempts.
The critical software flaw tracked as CVE-2019-0708 and present in both in-support (Windows Server 2008 and Windows 7) and out-of-support (Windows 2003 and Windows XP) versions was already patched by Microsoft on May 14, after the vulnerability was disclosed.