Cyber Security February 2018

This posting is here to collect security alert news in February 2018.

I post links to security vulnerability news to comments of this article.

 

 

101 Comments

  1. Tomi Engdahl says:

    Chinese Police Add Facial-Recognition Glasses to Surveillance Arsenal
    Police are donning the devices as hundreds of millions of Chinese begin traveling for the Lunar New Year holiday
    https://www.wsj.com/articles/chinese-police-go-robocop-with-facial-recognition-glasses-1518004353

    Reply
  2. Tomi Engdahl says:

    Sarah Scoles / Wired:
    US government controls access to sensitive satellite imagery by regulating sales and buying exclusive imagery rights, driving business to other countries

    How the Government Controls Sensitive Satellite Data
    https://www.wired.com/story/how-the-government-controls-sensitive-satellite-data

    Earth orbit doesn’t just host a few Soviet spysats: More than a thousand working orbiters are out there, hundreds of those equipped with Earth-observing cameras. They are American, European, African, South American, Japanese, Indian, Chinese, Russian. And nothing stops many of them from taking pictures of supersecret areas.

    But the government has other ways of restricting information. The feds can limit how good commercially available images can be when taken by US companies. And it can issue a directive barring imaging over a given location. The law regulating that imaging, though, was first passed before satellite imaging really existed as an industry. And according to insiders, it’s been keeping satellites down—even as thousands more of them are set to launch in the next decade.

    When the Land Remote Sensing Policy Act passed, the world was a younger, more naïve place.

    “US government customers have the ability—as, actually, do some of our other customers—to say, ‘We would like you to take this image and not make this image available publicly,’” explains Scott. “It’s an exclusivity arrangement.”

    Then, there are the things that aren’t shutter control but do place cuffs around satellite operators. Take the Kyl-Bingaman Amendment, which bans US companies from releasing their high-resolution images of Israel and the Occupied Territories. In addition, “certain licensees have some area imaging restrictions,”

    In 1999, DigitalGlobe wanted permission to sell images with 25-centimeter resolution—to turn, in other words, three men’s shoes into one pixel. That didn’t sit right with federal regulators, who, in 2000, gave DigitalGlobe permission to sell pictures half that precise: a large throw pillow could become a pixel. Even more, Scott says, “we had to impose a 24-hour delay on anything better than 82-centimeter resolution.”

    That time restriction went away a while ago, but it wasn’t until 2014 that DigitalGlobe finally got permission, after asking again, to release images with 25-centimeter resolution. “The reason was national security,”

    “Licenses are issued with a maximum capability defined in the license,” says Dawkins, about resolution limits. “Other restrictions are based on national security and/or foreign policy concerns, these too are proprietary.”

    Even though DigitalGlobe “won” the right to sell better images, the battle isn’t over.

    Meanwhile, other countries have figured out this whole space snapshot business, too—and they don’t fall under the same US regulations. “All you’ve really done is drive business to those foreign companies,”

    In fact, smart people abroad probably accelerated their technology because of the Americans’ grip on data. “When we tightened up on export control, others decided they couldn’t rely on us anymore,”

    SpaceX wants to launch thousands of satellites to build its own internet network

    Reply
  3. Tomi Engdahl says:

    South Korea Probes Cyber Shutdown During Olympics Ceremony
    https://www.securityweek.com/south-korea-probes-cyber-shutdown-during-olympics-ceremony

    South Korea on Saturday investigated a mysterious internet shutdown during the Winter Olympics opening ceremony, which follows warnings of possible cyberattacks during the Pyeongchang Games.

    Internal internet and wifi systems crashed at about 7:15 pm (1015 GMT) on Friday and were still not back to normal at midday on Saturday, Games organizers said.

    Cyber-security teams and experts from South Korea’s defence ministry, plus four other ministries, formed part of a taskforce investigating the shutdown, they said, adding that it didn’t affect the high-tech opening ceremony.

    The outage follows warnings of malware phishing attacks targeting organizations working at the Olympics, and allegations of cyberattacks from Russia — which has denied any involvement.

    North Korea has also been blamed for a series of cyber incidents including the WannaCry global ransomware attack, which infected 300,000 computers worldwide last May.

    Reply
  4. Tomi Engdahl says:

    Half of All Cryptojacking Scripts Found on Porn Sites
    https://www.bleepingcomputer.com/news/security/half-of-all-cryptojacking-scripts-found-on-porn-sites/

    Almost 50% of all cryptojacking scripts (in-browser miners) are deployed on adult-themed sites, according to new numbers released this week by Qihoo 360's Netlab division.

    Researchers gathered these numbers by using Netlab’s DNSMon system, a tool that analyzes relations in DNS traffic between web domains.

    According to researchers, 241 (0.24%) out of Alexa Top 100,000 websites, and 629 (0.21%) out of Alexa Top 300,000 websites are deploying JavaScript code that mines Monero using the users’ CPU power, most of it without the user’s permission. Also by the same numbers, Coinhive is by far the favorite cryptojacking script, found on 78% of all offending sites, with JSEcoin coming second with a 9% “market share.”

    Adult sites accounted for 49%, followed by fraud sites (8%), advertising domains (7%), cryptocurrency mining (7%), and film and television streaming sites (6%).

    The biggest surprise is that cryptojacking scripts were not often found on gaming-related domains, this category accounting for 1.4% of the sites in Netlab’s list

    Cryptojacking scripts are known to be efficient when loaded on sites where users spend a lot of time, allowing site operators to take full advantage of the user’s computing power. Gaming and video streaming portals are considered good places to run in-browser miners, as users tend to spend a lot of time on these types of sites.

    Seeing adult sites on the list is no surprise, as porn sites are usually some of the biggest offenders when it comes to intrusive and over-the-top advertising schemes.

    Google is readying to release the first version of Chrome with a built-in ad blocker next week

    Reply
  5. Tomi Engdahl says:

    NSA Used Public Tweets To Communicate With Russian Spies In Secret
    http://www.iflscience.com/policy/nsa-used-public-tweets-to-communicate-with-russian-spies-in-secret/

    the hiding of a secret message in plain sight (or steganography) is a tactic that goes back millennia.

    Last week, reports in The New York Times and The Intercept revealed the National Security Agency (NSA) has been communicating with Russian spies using their public Twitter account, giving the old practice a 21st-century spin.

    More recently, spies have turned to the realm of the digital. In one case, the FBI discovered secret messages from Russian spies in New Jersey hidden in the pixels of photos posted on a public website.

    Reply
  6. Tomi Engdahl says:

    Attackers had arbitrary script injection on thousands of sites including many NHS websites here in England. Just stop and think for a few moments about what exactly they could have done with that capability…

    Cryptojacking attack hits ~4,000 websites, including UK’s data watchdog
    https://techcrunch.com/2018/02/12/ico-snafu/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Reply
  7. Tomi Engdahl says:

    Be careful if Facebook suggests you install the “Onavo Protect” app – it’s a VPN app that forwards ALL of your network traffic to Facebook.

    Facebook is suggesting mobile users ‘Protect’ themselves…by downloading a Facebook-owned app that tracks their mobile usage
    https://www.cnbc.com/2018/02/12/facebook-promoting-onavo-protect-without-disclosing-ownership.html

    Facebook is now pointing some users to a secure wireless networking app without disclosing it’s a Facebook-owned company.
    The app, Onavo Protect, also tracks users’ apps, how often they’re used and what websites users visit.

    Reply
  8. Tomi Engdahl says:

    Cryptojacking attack hits ~4,000 websites, including UK’s data watchdog
    https://techcrunch.com/2018/02/12/ico-snafu/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Posted yesterday by Natasha Lomas (@riptari)

    At first glance a CoinHive crypto miner being served by a website whose URL contains the string ‘ICO’ might not seem so strange.

    But when you know that ICO in this case stands for the UK’s Information Commissioner’s Office — aka the national data protection and privacy watchdog, whose URL (https://ico.org.uk) predates both Bitcoin and the current craze for token sales — well, the extent of the cryptojacking security snafu quickly becomes apparent.

    Reply
  9. Tomi Engdahl says:

    Nine Remotely Exploitable Vulnerabilities Found in Dell EMC Storage Platform
    https://www.securityweek.com/nine-remotely-exploitable-vulnerabilities-found-dell-emc-storage-platform

    Nine remotely exploitable vulnerabilities have been found in Dell EMC’s Isilon OneFS platform, a scale-out NAS storage platform that combines modular hardware with unified software to harness unstructured data.

    “Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root,” warns an advisory released today.

    The vulnerabilities were discovered by researchers Ivan Huertas and Maximiliano Vidal from CoreLabs, the research center of Core Security, and disclosed to Dell in September 2017. A range of Isilon OneFS versions from 7.1.1.11 to 8.0.1.2 were found to be affected by two or more of the vulnerabilities. “Other products and versions might be affected, but they were not tested,” states the advisory.

    Reply
  10. Tomi Engdahl says:

    Critical Code Execution Flaws Patched in Android
    https://www.securityweek.com/critical-code-execution-flaws-patched-android

    Google this month addressed several critical severity remote code execution (RCE) vulnerabilities in the Android operating system.

    Split in two parts, the Android Security Bulletin for February 2018 resolves only 26 vulnerabilities in the mobile operating system, most of which are rated high severity. The vast majority of the security issues are elevation of privilege (EoP) bugs.

    A total of 7 issues were addressed with the 2018-02-01 security patch level, including 6 flaws in Media Framework and one vulnerability in the System component.

    This month, Google addressed two critical RCE bugs in Media Framework: CVE-2017-13228, which impacts Android 6.0 and newer, and CVE-2017-13230, which impacts Android 5.1.1 and later (it is considered a high risk denial-of-service (DoS) flaw on Android 7.0 and newer).

    Reply
  11. Tomi Engdahl says:

    U.K. Officially Blames Russia for NotPetya Attack
    https://www.securityweek.com/uk-officially-blames-russia-notpetya-attack

    The United Kingdom on Thursday officially accused the Russian government of launching the destructive NotPetya attack, which had a significant financial impact on several major companies.

    British Foreign Office Minister for Cyber Security Lord Tariq Ahmad said the June 2017 NotPetya attack was launched by the Russian military and it “showed a continued disregard for Ukrainian sovereignty.”

    “The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it,” the official stated.

    “The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace,” he added.

    Reply
  12. Tomi Engdahl says:

    Intel Offers $250,000 for Side-Channel Exploits
    https://www.securityweek.com/intel-offers-250000-side-channel-exploits

    Intel Opens Bug Bounty Program to All Researchers, Offers up to $250,000 for Flaws Similar to Meltdown and Spectre

    Intel on Wednesday announced major changes to its bug bounty program, including that it’s now open to all researchers, and significant rewards for exploits similar to Meltdown and Spectre.

    Researchers who find critical hardware vulnerabilities that allow software-based side-channel attacks – just like Meltdown and Spectre – can earn up to $250,000. Flaws classified as high severity are worth up to $100,000, while medium- and low-risk issues are worth up to $20,000 and $5,000, respectively. The severity of a flaw is determined based on its CVSS base score, adjusted depending on the security objectives and threat model of the targeted product.

    The part of Intel’s bug bounty program covering side-channel exploits will run until December 31, 2018.

    https://hackerone.com/intel

    Reply
  13. Tomi Engdahl says:

    Energy-efficient encryption for the internet of things
    http://news.mit.edu/2018/energy-efficient-encryption-internet-of-things-0213

    Special-purpose chip reduces power consumption of public-key encryption by 99.75 percent, increases speed 500-fold.

    Reply
  14. Tomi Engdahl says:

    U.S., Canada, Australia Attribute NotPetya Attack to Russia
    https://www.securityweek.com/us-canada-australia-attribute-notpetya-attack-russia

    The United States, Canada, Australia and New Zealand have joined the United Kingdom in officially blaming Russia for the destructive NotPetya attack launched last summer. Moscow has denied the accusations.

    In a statement released on Thursday, the White House attributed the June 2017 attack to the Russian military and described it as “the most destructive and costly cyber-attack in history.”

    “The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas,” the White House Press Secretary stated. “It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.”

    Reply
  15. Tomi Engdahl says:

    ‘DoubleDoor’ IoT Botnet Uses Two Backdoor Exploits
    https://www.securityweek.com/doubledoor-iot-botnet-uses-two-backdoor-exploits

    A newly discovered Internet of Things (IoT) botnet is using two exploits to ensure it can not only bypass authentication on targeted devices, but also render additional protections useless, NewSky Security has discovered.

    Dubbed DoubleDoor, the botnet allows attackers to take over devices even if the user has authentication enabled and has added a firewall for additional protection. Specifically, the malware abuses CVE-2015-7755, a Juniper Networks SmartScreen OS exploit, and CVE-2016-10401, a Zyxel modem backdoor exploit (also abused by the Hide ‘N Seek botnet).

    What NewSky Security discovered was that the botnet first deploys the infamous Juniper Networks exploit, which essentially allows it to get past firewall authentication. The backdoor was initially discovered in the ScreenOS software running on NetScreen firewalls.

    Through this backdoor, the telnet and SSH daemons of Netscreen firewalls become accessible with the hardcoded password

    Next, the botnet attempts to deploy the backdoor for ZyXEL PK5001Z devices, which is pretty straight forward as well, using a hardcoded su password

    The DoubleDoor botnet was also observed performing reconnaissance to ensure the attack was successful and control of the IoT device was achieved.

    The botnet is currently in a nascent phase, with attacks observed only between Jan. 18 and Jan. 27, 2018. Most of the attacks were observed originating from South Korean IPs. The botnet’s attacks are expected to remain low, mainly because they are only effective if the victim runs a specific unpatched version of Juniper ScreenOS firewall and uses unpatched Zyxel modems.

    Reply
  16. Tomi Engdahl says:

    One single character/symbol can crash all iPhones

    Sometimes very special bugs appear. Now the Italian site Mobile World has found that a single character from the Telugu script, a language used in India, crashes all messaging applications on iPhones. The problem affects, for example, WhatsApp, iMessage, Mail and Facebook Messenger.

    iOS apparently cannot render that character, which is why the app crashes. The problem is that restarting the application returns it to the same place where it crashed. The result is a chain of crashes that cannot be escaped without intervention.

    According to Apple, the bug no longer affects iOS version 11.3, but it affects all earlier versions. In addition, the same problem apparently applies to macOS.

    Source: http://www.etn.fi/index.php/13-news/7574-yksi-ainoa-merkki-kaataa-kaikki-iphonet

    Reply
  17. Tomi Engdahl says:

    Two men charged in jackpotting scheme that drains ATMs in minutes
    As much as $50,000 taken from infected machine in Connecticut, prosecutors say.
    https://arstechnica.com/information-technology/2018/02/two-men-charged-in-jackpotting-scheme-that-drains-atms-in-minutes/

    Two men have been charged with stealing huge amounts of cash through “Jackpotting,” a crime that causes malware-infected ATMs to rapidly empty their cash reserves to waiting accomplices.

    According to the complaint, police who searched the Accord ultimately found screwdrivers, pliers, Allen wrenches, an electronic device, cables, and wires. The car also contained a bag filled with a large number of $20 bills, prosecutors said. Both men also had a large number of $20 bills in their pockets, the complaint said.

    “Based on what I learned, these tools and electronic devices are consistent with the items needed to compromise an ATM… to dispense its cash contents,” Molly Reale, a special agent with the US Secret Service, wrote in the complaint.

    Word of the arrests comes a week after security reporter Brian Krebs reported what are believed to be some of the first jackpotting attacks to take place in the US. Those attacks used malware known as Ploutus.D to infect ATMs made by Diebold Nixdorf. Krebs published a follow-up post reporting that three suspects had been arrested in November after being caught in surveillance video Jackpotting ATMs in Wyoming and Utah. It’s not clear what connection may exist between the two defendant groups or between the crimes they’re alleged to have committed.

    https://krebsonsecurity.com/2018/01/drug-charges-tripped-up-suspects-in-first-known-atm-jackpotting-attacks-in-the-us/

    Reply
  18. Tomi Engdahl says:

    Six top US intelligence chiefs caution against buying Huawei phones
    https://www.cnbc.com/2018/02/13/chinas-hauwei-top-us-intelligence-chiefs-caution-americans-away.html

    The directors of the CIA, FBI, NSA and several other intelligence agencies express their distrust of Apple-rival Huawei and fellow Chinese telecom company ZTE.
    During a hearing, the intelligence chiefs commended American telecom companies for their measured resistance to the Chinese companies.
    Huawei has been trying to enter the U.S. market, first through a partnership with AT&T that was ultimately called off.

    Reply
  19. Tomi Engdahl says:

    Crypto miners are targeting computers – also in Finland

    According to data maintained by the security company Check Point, the Coinhive miner was already the second most widespread malware in Finnish corporate networks in January.

    On the global top ten list of the most common malware, Coinhive took the top spot, and the list included two other crypto miners. In Finland, Coinhive was the second most common corporate network malware after Fireball.

    Crypto miners are used by criminals, but miners are not illegal in themselves. However, cybercriminals can use such programs to secretly harness part of the victims’ computers’ performance to mine cryptocurrencies for themselves.

    Source: https://www.uusiteknologia.fi/2018/02/16/kryptolouhijat-pyrkivat-koneisiin-myos-suomessa/

    Reply
  20. Tomi Engdahl says:

    Cyber Intrusion Creates More Havoc for Washington State’s New Marijuana Tracking System
    https://spectrum.ieee.org/riskfactor/computing/software/cyber-intrusion-creates-more-havoc-for-washington-states-new-marijuana-tracking-system

    Licensed marijuana product growers and retailers have been very unhappy with Washington State’s new “seed-to-sale” marijuana tracking system that went live on 1 February.

    Buggy software has kept many suppliers from shipping their products because of manifest errors and, equally, retailers from accepting their orders.

    it also has disclosed that the tracking system experienced a cyber intrusion

    The intruder was able to access information for four days of marijuana deliveries

    Like most other states that have legalized marijuana in some form, Washington State requires that marijuana products be tracked from seed, or when it’s planted, to sale to a customer

    Nevada and California have also had problems with their marijuana tracking systems.

    Reply
  21. Tomi Engdahl says:

    Jen Wieczner / Fortune:
    Hackers stole an estimated $50M+ over 3 years by buying Google Search ads, sending users to fake domains that looked like popular Bitcoin wallet Blockchain.info

    Hackers Stole $50 Million in Cryptocurrency Using ‘Poison’ Google Ads
    http://fortune.com/2018/02/14/bitcoin-cryptocurrency-blockchain-wallet-hack/

    For years, hackers have robbed Bitcoin investors, emptying their cryptocurrency wallets without fear of being caught thanks to the relative anonymity of the blockchain. Now, Cisco has exposed the thieves behind a string of particularly flagrant attacks.

    A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of Blockchain.info, one of the most popular providers of digital currency wallets, according to a report published Wednesday by Cisco’s Talos cybersecurity team.

    The report explains how thieves preyed upon their victims using a “very simple” yet treacherous technique: Buying Google ads on popular search keywords related to cryptocurrency “to poison user search results” and snatch the contents of crypto wallets. This meant people Googling terms like “blockchain” or “bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for Blockchain.info wallets.

    Blockchain, for its part, is working with Google “on a daily basis” to take down phishing ads, and secured the removal of almost 10,000 such malicious websites last year, along with another 3,000 it flagged in January alone, according to Blockchain CEO and co-founder Peter Smith.

    Cisco, which investigated the “massive phishing campaign” for more than six months in partnership with Ukraine’s Cyberpolice, noted that the Coinhoarder group’s method has since “become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges.”

    Phishing, which is just one of several techniques used to steal Bitcoin, is also deployed by the notorious North Korean hacking ring known as the Lazarus Group, which is likewise accused of perpetrating phishing attacks to steal cryptocurrency.

    Reply
  22. Tomi Engdahl says:

    Steve Holland / Reuters:
    White House Council of Economic Advisers report: malicious cyber activity cost the US economy between $57B and $109B in 2016

    Malicious cyber activity cost U.S. up to $109 billion in 2016: White House report
    https://www.reuters.com/article/us-usa-trump-cyber/malicious-cyber-activity-cost-u-s-up-to-109-billion-in-2016-white-house-report-idUSKCN1G01XV

    Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016

    Reply
  23. Tomi Engdahl says:

    Special counsel Robert Mueller indicts Russian bot farm for election meddling
    https://techcrunch.com/2018/02/16/mueller-indictment-internet-research-agency-russia/?utm_source=tcfbpage&sr_share=facebook

    The indictment names the Internet Research Agency, a bot farm and disinformation operation based out of St. Petersburg, as one of the sources of the fake accounts meant to create divisions in American society. Those accounts were active on Facebook, Twitter and Instagram,

    Reply
  24. Tomi Engdahl says:

    Swedish Public Healthcare Portal is sending your symptoms to Google
    https://www.privateinternetaccess.com/blog/2018/02/swedish-public-healthcare-portal-is-sending-your-symptoms-to-google/

    Because of pure sloppiness in web design, the Swedish Public Healthcare portal is sending every single symptom and medication search to Google.

    The Swedish Public Healthcare portal 1177 — named so for historical reasons, since that is the Swedish “Dial-a-Nurse” phone number — is sending all your searches for embarrassing symptoms and sensitive medications to Google. Not as part of the search, ironically enough; it’s being sent to Google as part of Google Analytics

    This happens even when you’re browsing over HTTPS/SSL, because of how bad this design is

    They seem to get that they can’t use Google to actually search for the symptoms, since that would be intrusive, but then somebody bolts on Google Analytics to send all your symptoms and medications to Google anyway.

    This is so bad, I really don’t know how to articulate my feelings of despair and anger.

    Reply
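The leak described above needs no bug in Google Analytics: a default page-view report carries the page path together with its query string, so whatever the site puts in the URL after a search goes to the analytics host over the browser's own TLS connection, regardless of the site's HTTPS. The following is an added example, not code from 1177.se or from Google Analytics: it shows what such a report contains and how a site redacts sensitive parameters before the analytics snippet sees the URL. The parameter names, paths and payload field names are constructed for illustration.

```javascript
// Added example: what a page-view beacon reports, and redaction before it is sent.
// Not code from 1177.se or from Google Analytics; names and paths are constructed.

// Constructed list of query parameters a health portal would never want to hand to a third party.
const SENSITIVE_PARAMS = new Set(['q', 'query', 'search', 'symptom', 'medication']);

// What a typical analytics snippet sends as the "page" value: path plus the full query string.
function defaultPagePath(pageUrl) {
  const u = new URL(pageUrl);
  return u.pathname + u.search;
}

// The same value with sensitive parameters blanked; harmless ones (paging, language) are kept
// so that the analytics data stays useful.
function redactedPagePath(pageUrl, sensitive = SENSITIVE_PARAMS) {
  const u = new URL(pageUrl);
  for (const name of Array.from(u.searchParams.keys())) {
    if (sensitive.has(name.toLowerCase())) u.searchParams.set(name, 'redacted');
  }
  const qs = u.searchParams.toString();
  return u.pathname + (qs ? '?' + qs : '');
}

// The payload a page-view call would carry once the site overrides the page value
// instead of letting the snippet read location.pathname + location.search itself.
function pageViewPayload(pageUrl, title) {
  const u = new URL(pageUrl);
  return { type: 'pageview', hostname: u.hostname, page: redactedPagePath(pageUrl), title };
}

// Demo on a constructed search URL.
const sample = 'https://portal.example/sok/?q=klamydia&page=2';
console.log('default report :', defaultPagePath(sample));
console.log('redacted report:', redactedPagePath(sample));
console.log(pageViewPayload(sample, 'Search'));
```

Redaction at the snippet is the minimal fix; the more robust one is to keep the term out of the URL entirely (a POST body, or a fragment, which never reaches any server) so that it is also absent from Referer headers, server logs and browser history. A `Referrer-Policy` of `no-referrer` or `strict-origin-when-cross-origin` closes the Referer path for any third-party resource the results page happens to load.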
  25. Tomi Engdahl says:

    Flight Simulator Add-On Tried to Catch Pirates By Installing Password-Stealing Malware on Their Computers
    https://motherboard.vice.com/en_us/article/pamzqk/fs-labs-flight-simulator-password-malware-drm

    Malware included in the installer for pirated versions of the game steals usernames and passwords from Chrome: ‘This is by far one of the most extreme, and bizarre, methods of DRM we’ve ever seen.’

    “The inclusion of a malware, in the form of a password dumper, in a trusted installer for the sake of combating piracy is absolute insanity,” Andrew Mabbitt, founder of cybersecurity company Fidus Information Security

    FSLabs makes add-ons for the hyper popular Microsoft Flight Simulator

    included a file called “text.exe,” which is actually a password stealer

    When run, the program extracts all saved usernames and passwords from the Chrome browser and appears to send them to FSLabs.

    did not deny bundling a piece of malware with his product

    “There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites,”

    But, the malware file itself, even if not activated, was still “dropped on every single PC it [the FSLabs software] was installed on,” Mabbitt said.

    The company has released an updated version of its installer, this time without the password stealer.

    Reply
  26. Tomi Engdahl says:

    FedEx customer information exposed in data breach
    https://mashable.com/2018/02/15/fedex-unsecured-server-data-exposed/#iTOYU4ab8OqG

    An unsecured FedEx server was breached, exposing thousands of customers’ personal information, a prominent security research firm discovered earlier this month.

    Package forwarding service Bongo International was acquired by FedEx in 2014

    But an unsecured Amazon S3 server, according to the white hat research group Kromtech, was holding more than 100,000 scanned documents including passports, drivers licenses, and security IDs. The white hat group responsibly disclosed the breach.

    In a statement a FedEx spokesperson said the server has since been secured, and the data wasn’t “misappropriated.”

    Reply
  27. Tomi Engdahl says:

    BuzzFeed:
    Twitter investigates how cryptocurrency scammers changed handles on verified accounts and kept verified badges to trick users to send funds to scammer wallets

    Twitter Allowed Cryptocurrency Scammers To Hijack Verified Accounts To Take People’s Money
    https://www.buzzfeed.com/charliewarzel/twitter-allowed-cryptocurrency-scammers-to-hijack-verified?utm_term=.hc1MNwLnJ#.mhZqlwJQp

    Unlike past versions of Twitter cryptocurrency phishing, @TronFoundationl is different: It has a verification badge, the blue check mark that Twitter uses to delineate famous or important accounts from imposters.

    These types of scam accounts imitate real accounts and ask followers to send them bitcoin or ether. Often, these scammers promise those that send digital currency that they’ll receive as a reward four or five times the amount of money they put in.

    Fortunately, these scammers are usually easy to spot: their usernames have extra letters or symbols, and the accounts were only recently created.

    TronFoundationl’s verification hijacking marks the latest in innovation in cryptocurrency scamming. Since the account is legitimately verified by Twitter, it’s much more likely to be trusted than other scams, making people more susceptible to falling for its donation ploys.

    And it appears people are falling for the scam.

    Reply
  28. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers say some security certificates are being sold and registered using stolen corporate identities, making traditional network security less effective

    One-stop counterfeit certificate shops for all your malware-signing needs
    Certificates registered in names of real corporations are surprisingly easy to come by.
    https://arstechnica.com/information-technology/2018/02/counterfeit-certificates-sold-online-make-digitally-signed-malware-a-snap/

    “Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective,” Andrei Barysevich, a researcher at Recorded Future, reported.

    Barysevich identified four such sellers of counterfeit certificates since 2011. Two of them remain in business today. The sellers offered a variety of options

    “In his advertisement, [email protected] explained that the certificates are registered under legitimate corporations and issued by Comodo, Thawte, and Symantec—the largest and most respected issuers,” Thursday’s report said. “The seller indicated that each certificate is unique and will only be assigned to a single buyer, which could be easily verified via HerdProtect.com. According to [email protected], the success rate of payload installations from signed files increases by 30 to 50 percent, and he even admitted to selling over 60 certificates in less than six months.”

    [email protected]’s business dwindled in coming years as other providers undercut his prices. One competing service provided a bare-bones code-signing certificate for $299. For $1,599, the service sold a signing certificate with extended validation—meaning it was issued to a corporate or business name that had been verified by the issuer.

    “According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations,” Barysevich wrote.

    Use of legitimate signing certificates to verify malicious apps and legitimate TLS certificates to authenticate domain names that distribute those apps can make security protections less effective. Recorded Future researchers provided one seller with an unreported remote access trojan and convinced the seller to sign it with a certificate that had been recently issued by Comodo. Only eight of the top AV providers detected an encrypted version of the trojan. Only two AV engines detected the same encrypted file when it was signed by the Comodo certificate.

    “Although code signing certificates can be effectively used in widespread malware campaigns such as the distribution of banking trojan or ransomware, the validity of the certificate used to sign a payload would be invalidated fairly quickly,”

    Reply
  29. Tomi Engdahl says:

    1Password bolts on a ‘pwned password’ check
    https://techcrunch.com/2018/02/23/1password-bolts-on-a-pwned-password-check/?utm_source=tcfbpage&sr_share=facebook

    Password management service 1Password has a neat new feature that lets users check whether a password they’re thinking of using has already been breached. At which point it will suggest they pick another.

    Reply
  30. Tomi Engdahl says:

    China Just Banned The Letter N From The Internet
    http://www.iflscience.com/policy/china-just-banned-the-letter-n-from-the-internet/

    China censored the letter N from its internet for at least a day.

    The ban came as China cracked down on online discussion over the Chinese Communist Party’s proposal to scrap presidential term limits.

    Abolishing term limits would allow President Xi Jinping to rule indefinitely.

    It’s not entirely clear why the government targeted N, but we have a few theories.

    China temporarily banned the letter N from being published online after people started using it to criticize a plan which paves the way for Xi Jinping to rule the country indefinitely.

    Reply
  31. Tomi Engdahl says:

    Ad Network Performs In-Browser Cryptojacking
    https://www.securityweek.com/ad-network-performs-browser-cryptojacking

    An ad network provider is performing in-browser Coinhive cryptojacking on websites that use its service, 360 Netlab security researchers warn.

    The practice has been ongoing since December 2017, several months after the ad network provider, a company called PopAds Publisher, started using domain generation algorithm (DGA) technology to bypass ad blockers, claiming it would allow customers to “monetize traffic that wasn’t monetized before.”

    In mid-2017, the provider started to generate seemingly random domains that would ensure ads can reach end users. By the end of the year, however, these domains, which 360 Netlab refers to as DGA.popad, started participating in cryptojacking activities, all without end-users’ acknowledgement.

    Given that many people use ad blockers to prevent sites from displaying ads to them, ad networks often attempt to bypass blockers, and this provider decided to use DGA domains to host its advertisements. With these domains changing daily, it becomes difficult to block the ads, the researchers point out.

    Reply
  32. Tomi Engdahl says:

    Memcached Abused for DDoS Amplification Attacks
    https://www.securityweek.com/memcached-abused-ddos-amplification-attacks

    Malicious actors have started abusing the memcached protocol to launch distributed denial-of-service (DDoS) attacks, Cloudflare and Arbor Networks warned on Tuesday.

    Memcached is a free and open source distributed memory caching system designed to work with a large number of open connections. Clients can communicate with memcached servers via TCP or UDP on port 11211.

    Cloudflare noticed in recent days that memcached has been abused for DDoS amplification attacks, and so have Arbor Networks and Chinese security firm Qihoo 360. Cloudflare has dubbed this type of attack Memcrashed.

    Reply
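The comment above describes memcached replies on UDP/11211 being reflected to spoofed sources. As an added illustration (not from the article or any vendor), here is a small detector over constructed NetFlow-style records that pairs requests into port 11211 with replies out of it and flags pairs whose reply volume dwarfs the request volume; the thresholds and sample flows are assumptions for the demo.

```python
from collections import defaultdict
from typing import NamedTuple

MEMCACHED_PORT = 11211  # memcached UDP/TCP port named in the article

class Flow(NamedTuple):
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int

def amplification_ratios(flows):
    """Per (reflector, victim) pair: bytes sent from UDP/11211 divided by bytes
    received on UDP/11211 from that 'victim' (the spoofed source in an attack).
    Returns float('inf') when replies go to a host that never sent a request."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue  # TCP sessions cannot be spoofed this way; skip them
        if f.dport == MEMCACHED_PORT:
            bytes_in[(f.dst, f.src)] += f.nbytes   # (reflector, claimed sender)
        elif f.sport == MEMCACHED_PORT:
            bytes_out[(f.src, f.dst)] += f.nbytes  # (reflector, receiver)
    return {k: (v / bytes_in[k] if bytes_in[k] else float("inf"))
            for k, v in bytes_out.items()}

def suspicious_pairs(flows, min_ratio=50.0, min_out_bytes=50_000):
    """(reflector, victim) pairs whose reply volume is both large and far
    larger than the request volume; thresholds are assumptions for this demo."""
    out = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.sport == MEMCACHED_PORT:
            out[(f.src, f.dst)] += f.nbytes
    ratios = amplification_ratios(flows)
    return sorted(k for k, r in ratios.items()
                  if r >= min_ratio and out[k] >= min_out_bytes)

SAMPLE_FLOWS = [  # constructed records, not real traffic
    Flow("tcp", "10.0.0.5", 41000, "10.0.0.20", 11211, 1200),    # legit client
    Flow("tcp", "10.0.0.20", 11211, "10.0.0.5", 41000, 9000),
    Flow("udp", "203.0.113.9", 80, "10.0.0.20", 11211, 60),      # spoofed request
    Flow("udp", "10.0.0.20", 11211, "203.0.113.9", 80, 750000),  # huge reply
    Flow("udp", "10.0.0.7", 53000, "10.0.0.20", 11211, 400),     # normal UDP use
    Flow("udp", "10.0.0.20", 11211, "10.0.0.7", 53000, 2000),
]

if __name__ == "__main__":
    for reflector, victim in suspicious_pairs(SAMPLE_FLOWS):
        print(f"possible memcached amplification: {reflector} -> {victim}")
```

A hit on one of your own hosts means it is answering UDP queries from the Internet; the fix is to stop exposing 11211 (firewall it, or run memcached without UDP) rather than to tune the detector.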
  33. Tomi Engdahl says:

    Thanatos Ransomware Makes Data Recovery Impossible
    https://www.securityweek.com/thanatos-ransomware-makes-data-recovery-impossible

    A newly discovered ransomware family is generating a different encryption key for each of the encrypted files but saves none of them, thus making data recovery impossible.

    Dubbed Thanatos, the malware was discovered by MalwareHunterTeam and already analyzed by several other security researchers.

    When encrypting files on a computer, the malware appends the .THANATOS extension to them. After completing the encryption, the malware connects to a specific URL to report back, thus allowing attackers to keep track of the number of infected victims.

    The malware also generates an autorun key to open the ransom note every time the user logs in. In that note, the victim is instructed to send $200 to a listed crypto-coin address. Victims are also instructed to contact the attackers via email to receive a decryption program.

    Thanatos’ operators allow victims to pay the ransom in Bitcoin, Ethereum, or Bitcoin Cash, thus becoming the first ransomware to accept Bitcoin Cash payments, Bleeping Computer’s Lawrence Abrams points out.

    The issue with the new ransomware is that, because it doesn’t save the encryption keys, files cannot be decrypted normally. However, victims don’t know that and might end up paying the ransom in the hope they can recover their files.

    Reply
  34. Tomi Engdahl says:

    Widespread Vulnerability Found in Single-Sign-On Products
    https://www.securityweek.com/widespread-vulnerability-found-single-sign-products

    A behavioral quirk in SAML libraries has left many single-sign-on (SSO) implementations vulnerable to abuse. It allows an attacker that has gained any authenticated access to trick the system into granting further access as a different user without knowledge of that user’s password.

    Security Assertion Markup Language (SAML) is the underlying protocol used by most SSO implementations. It is what allows authentication to be passed between a company’s identity store and, for example, a third-party service. Typically, a user will log onto the identity store. This contains the credentials that will allow the same user to access other services.

    SAML is used to pass authentication, via the browser, from the identity provider to the third-party service, granting access. The flaw lies in how authentication is encoded by SAML in the provider’s ‘response’.

    Different affected SSOs will have different specific recommendations, and it would be best to refer to them for guidance. Similarly, there are different recommendations for maintainers of identity or service providers, maintainers of SAML processing libraries, and maintainers of XML parsing libraries. One thing that would help, suggest the authors, is the ability to enforce multi-factor authentication, “because this vulnerability would only allow a bypass of a user’s first factor of authentication.” But the authors also warn, “if your IdP is responsible for both first factor and second factor authentication, it’s likely that this vulnerability bypasses both!”

    Duo Labs / Feb 27, 2018
    Duo Finds SAML Vulnerabilities Affecting Multiple Implementations
    https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations

    Reply
  35. Tomi Engdahl says:

    “RedDrop” Mobile Malware Records Ambient Audio
    https://www.securityweek.com/reddrop-mobile-malware-records-ambient-audio

    A newly detailed mobile malware can do more than steal data from infected devices: it can also record ambient audio and send the recordings to cloud storage accounts controlled by attackers.

    Dubbed RedDrop, the malware can also inflict financial costs on victims by sending SMS messages to premium services, security firm Wandera says. The U.K.-based company has discovered 53 malware-ridden apps that are exfiltrating sensitive data from infected devices.

    RedDrop-infected applications are being distributed through a network of more than 4,000 domains and range from tools such as image editors and calculators to recreational apps. Every observed application offers the expected functionality, thus hiding the malicious content stored within.

    Reply
  36. Tomi Engdahl says:

    Russian Hackers Infiltrated German Ministries’ Network: Report
    https://www.securityweek.com/russian-hackers-infiltrated-german-ministries-network-report

    Berlin – Russian hackers have infiltrated Germany’s foreign and interior ministries’ online networks, German news agency DPA reported Wednesday quoting unnamed security sources.

    The hacker group known as APT28 — which has been linked to Russia’s GRU military intelligence and accused of attacks on Hillary Clinton’s 2016 presidential campaign — managed to plant malware in the ministries’ networks for possibly as long as a year, the news agency said.

    Top security officials had repeatedly warned during Germany’s 2017 general elections that Russian hackers may seek to disrupt the polls.

    Reply
  37. Tomi Engdahl says:

    Siemens Releases BIOS Updates to Patch Intel Chip Flaws
    https://www.securityweek.com/siemens-releases-bios-updates-patch-intel-chip-flaws

    Siemens has released BIOS updates for several of its industrial devices to patch vulnerabilities discovered recently in Intel chips, including Meltdown, Spectre and flaws affecting the company’s Management Engine technology.

    Following the disclosure of the Meltdown and Spectre attack methods, industrial control systems (ICS) manufacturers immediately started analyzing the impact of the flaws on their products. Advisories have been published by companies such as Siemens, Rockwell Automation, Schneider Electric, ABB, and Pepperl+Fuchs.

    Siemens has determined that the security holes expose many of its product lines to attacks, including RUGGEDCOM, SIMATIC, SIMOTION, SINEMA, and SINUMERIK.

    Reply
  38. Tomi Engdahl says:

    Fake ionCube Malware Hits Hundreds of Sites
    https://www.securityweek.com/fake-ioncube-malware-hits-hundreds-sites

    Hundreds of websites have been infected with malware that masquerades as legitimate ionCube-encoded files, SiteLock warns.

    The malicious files were initially discovered in core directories of a WordPress site, featuring naming patterns usually associated with malware, namely “diff98.php” and “wrgcduzk.php.” Because the obfuscated files appear as if they had been encoded with ionCube, the researchers named the threat ionCube malware.

    ionCube is an old and powerful PHP obfuscation technology that can be used to scramble text-based PHP files to hide the intellectual property. Due to licensing costs, ionCube isn’t usually used for malicious purposes.

    Reply
  39. Tomi Engdahl says:

    Washington Post:
    NSA director says Russia hasn’t been dissuaded from meddling in US elections, and Trump hasn’t given him new authority to strike at Russian cyber-operations

    Cyber chief says Trump has given him no new authority to strike at Russian interference threat
    https://www.washingtonpost.com/world/national-security/cyber-chief-says-trump-has-given-him-no-new-authority-to-strike-at-russian-interference-threat/2018/02/27/41185978-1c24-11e8-ae5a-16e60e4605f3_story.html

    The head of U.S. Cyber Command warned lawmakers that penalties and other measures have not “changed the calculus or the behavior” of Russia as it seeks to interfere with this year’s midterm elections.

    “We’re taking steps, but we’re probably not doing enough,” Adm. Michael S. Rogers, who also directs the National Security Agency, said in testimony before the Senate Armed Services Committee. Russian President Vladimir Putin, he added, “has clearly come to the conclusion that ‘there’s little price to pay here and therefore I can continue this activity.’ ”

    “If we don’t change the dynamic here, this is going to continue,” Rogers said.

    Reply
