Cyber Security September 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.



  1. Tomi Engdahl says:

    Port of Barcelona Suffers Cyberattack

    The Port of Barcelona was Thursday morning the target of a cyberattack that affected some of its servers and systems, forcing the organization to launch the contingency plan designed specifically for these incidents.

    Details about the incident are scarce, and little is known besides the information released to the public.

  2. Tomi Engdahl says:

    Guilty: The Romanian ransomware mastermind who infected Trump inauguration CCTV cams
    Mediocre malware operator ‘fesses up to DC infection

    A Romanian woman has admitted running a ransomware operation from Washington DC’s infected CCTV systems just days before President Trump was sworn into office in the US capital.

    Eveline Cismaru, 28, pled guilty this week to one count of conspiracy to commit wire fraud, and one count of conspiracy to commit computer fraud, after hacking into 123 of the 187 high-tech CCTV cameras dotted around the city. The hijacked devices, used by DC’s Metropolitan Police Department, then spammed up to 180,000 email addresses with ransomware-laden messages.

  3. Tomi Engdahl says:

    Thousands of WordPress sites backdoored with malicious code

    Malicious code redirects users to tech support scams, some of which use new “evil cursor” Chrome bug.

  4. Tomi Engdahl says:

    Viro Botnet Ransomware Breaks Through

    Viro botnet was first observed in the wild on September 17, 2018, seven days after we analyzed a ransomware variant that imitates the notorious Locky ransomware. Once Viro botnet is downloaded to a machine, it will check the presence of registry keys (machine GUID and product key) to determine if the system should be encrypted.

  5. Tomi Engdahl says:

    DanaBot shifts its targeting to Europe, adds new features

    ESET researchers have discovered new DanaBot campaigns targeting a number of European countries

    Recently, we have spotted a surge in activity of DanaBot, a stealthy banking Trojan discovered earlier this year. The malware, first observed in campaigns targeting Australia and later Poland, has apparently expanded further, with campaigns popping up in Italy, Germany, Austria, and as of September 2018, Ukraine.

    DanaBot is a modular banking Trojan, first analyzed by Proofpoint in May 2018 after being discovered in malicious email campaigns targeting users in Australia. The Trojan is written in Delphi, has a multi-stage and multi-component architecture, with most of its functionality implemented by plug-ins. At the time of the discovery, the malware was said to have been under active development.

  6. Tomi Engdahl says:

    Scottish brewery recovers from ransomware attack
    Trouble ferments after hackers lock system and Arran with it

    The attack against the Isle of Arran-based Scottish beer maker appears to have been a targeted strike. Prior to the infection, adverts for an already filled finance post at the brewery were placed on recruitment sites worldwide. This, in turn, resulted in an influx of CVs.

    Amidst this, hackers appear to have sent a booby-trapped email message featuring a ransomware payload carried within a PDF file. When an Arran Brewery staffer opened this contaminated email, its systems were infected.

  7. Tomi Engdahl says:

    ZDI-CAN-6135: A Remote Code Execution Vulnerability in the Microsoft Windows Jet Database Engine

    The root cause of this issue resides in the Microsoft JET Database Engine. Microsoft patched two other issues in JET in the September Patch Tuesday updates.

  8. Tomi Engdahl says:

    Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Government

  9. Tomi Engdahl says:

    Companies may try to bypass GDPR fines by negotiating with cybercriminals, Europol say

    Europol, the EU’s policing agency, has warned that EU data protection laws may lead to an increase in cyber-extortion in a report released on Tuesday (18 September).

    The fifth Internet Organised Crime Threat Assessment (IOCTA) was presented at the INTERPOL-Europol Cybercrime Conference in Singapore, and warned of the implications of companies breaching General Data Protection Regulation (GDPR) rules and choosing to pay hackers bribes.

    Under GDPR rules that came into force in May, violations can result in fines of up to €20 million or 4% of global turnover, whichever is higher.

    Europol’s research shines a light on the fact that companies could be inclined to pay lesser extortion fees to hackers.

    The report states:

    “Hacked companies [may] rather pay a smaller ransom to a hacker for non-disclosure than the steep fine that might be imposed by their competent authority.”

    Europol goes on to warn that if such companies are to negotiate with cybercriminals, then they “will only fund further attacks and other criminal activity” and that the organisation at risk has no guarantee that “the attacker will not disclose or otherwise exploit information.”

    Internet Organised Crime Threat Assessment 2018

  10. Tomi Engdahl says:

    Google Suppresses Memo Revealing Plans to Closely Track Search Users in China

    Google bosses have forced employees to delete a confidential memo circulating inside the company that revealed explosive details about a plan to launch a censored search engine in China, The Intercept has learned.

    The memo, authored by a Google engineer who was asked to work on the project, disclosed that the search system, codenamed Dragonfly, would require users to log in to perform searches, track their location — and share the resulting history with a Chinese partner who would have “unilateral access” to the data.

    The memo was shared earlier this month among a group of Google employees who have been organizing internal protests over the censored search system, which has been designed to remove content that China’s authoritarian Communist Party regime views as sensitive, such as information about democracy, human rights, and peaceful protest.

  11. Tomi Engdahl says:

    This incident is not known to have been caused by a cyber-attack, but it shows what a silent cyber-attack that changes industry system code could do:

    How a coding error made 293 Subaru SUVs unusable

    A software error has caused Subaru to completely dispose of 293 of its Ascent 2019 SUVs. According to a safety recall report filed with the National Highway Traffic Safety Administration (NHTSA), robots missed critical welds, thanks to improper coding.

  12. Tomi Engdahl says:

    Some credential-stuffing botnets don’t care about being noticed any more
    They just take a battering ram to the gates

    The bots spewing out malicious login attempts by the bucketload appear to have cranked it up a notch.

    According to Akamai’s latest State of the Internet report on credential stuffing (PDF), its customers alone were deluged by 30 billion malicious logins between November 2017 and June this year, an average of 3.75 billion per month.
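
The "battering ram" pattern described above is visible in plain authentication logs: one source hammering many different account names in a short window, with a high failure ratio. The following is an added example (not from the Akamai report or the original post) of a small detector that flags such sources and lists any account that did succeed during the burst, since those are the likely compromised logins. The log format, thresholds and IP addresses are constructed for illustration.

```python
"""Spot credential-stuffing bursts in authentication logs.

Added example: the log format, thresholds and addresses below are
constructed for illustration and are not from the report or the post.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (TEST-NET addresses, not real traffic). Format:
#   <ISO-8601 timestamp> ip=<source> user=<account> result=<OK|FAIL>
# 203.0.113.7 sprays six accounts in three seconds (one of them succeeds);
# 198.51.100.2 is a legitimate user mistyping a password twice.
SAMPLE_LOG = """\
2018-09-20T10:00:00Z ip=203.0.113.7 user=alice result=FAIL
2018-09-20T10:00:01Z ip=203.0.113.7 user=bob result=FAIL
2018-09-20T10:00:01Z ip=203.0.113.7 user=carol result=FAIL
2018-09-20T10:00:02Z ip=203.0.113.7 user=dave result=FAIL
2018-09-20T10:00:02Z ip=203.0.113.7 user=erin result=OK
2018-09-20T10:00:03Z ip=203.0.113.7 user=frank result=FAIL
2018-09-20T10:00:05Z ip=198.51.100.2 user=alice result=FAIL
2018-09-20T10:00:40Z ip=198.51.100.2 user=alice result=FAIL
2018-09-20T10:01:10Z ip=198.51.100.2 user=alice result=OK
2018-09-20T10:02:00Z ip=192.0.2.9 user=grace result=OK
"""


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'ts' field."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect_stuffing(log_text, window_seconds=60, min_attempts=5,
                    min_distinct_users=4):
    """Return {ip: summary} for sources whose activity inside any sliding
    window of `window_seconds` reaches `min_attempts` login attempts against
    at least `min_distinct_users` different accounts (the stuffing signature,
    as opposed to one user retrying their own password)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        window = deque()
        for e in evs:
            window.append(e)
            # Drop events older than the window relative to the newest one.
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            users = {w["user"] for w in window}
            if len(window) >= min_attempts and len(users) >= min_distinct_users:
                # Keep the latest (largest) qualifying window for this source.
                flagged[ip] = {
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "failures": sum(1 for w in window if w["result"] == "FAIL"),
                    # Accounts that logged in successfully during the spray:
                    # the ones whose credentials were probably valid leaks.
                    "compromised_candidates": sorted(
                        w["user"] for w in window if w["result"] == "OK"),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The distinct-user threshold is what separates a stuffing source from a user who has forgotten a password; the successful logins inside a flagged window are the alert's actionable part (force a password reset, review the session), not the failures.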

  13. Tomi Engdahl says:

    macOS Mojave Privacy Bypass Flaw Allows Access to Protected Files

    A security researcher shows on Mojave’s release day that Apple’s latest privacy protection implementations in macOS are not sufficiently strong.

    In a minute-long clip, Patrick Wardle shows that the security in the dark-themed macOS can be bypassed to reach sensitive user data, such as the information in the address book.

  14. Tomi Engdahl says:

    Firefox bug crashes your browser and sometimes your PC
    Bug affects Firefox on Mac, Linux, and Windows, but not Android.

    A security researcher who two weeks ago found a bug that could crash all WebKit-based apps on iPhones, iPads, and Macs, has now discovered another browser bug that can crash Firefox browsers, and sometimes the entire operating system underneath it.

    The bug is just the latest addition to Browser Reaper, a web portal set up by Sabri Haddouche, a software engineer and security researcher at encrypted instant messaging app Wire.

  15. Tomi Engdahl says:

    Google Secretly Logs Users Into Chrome Whenever They Log Into a Google Site

    Starting with Chrome 69, whenever a Chrome user would access a Google-owned site, the browser would take that user’s Google identity and log the user into the Chrome in-browser account system — also known as Sync. This system, Sync, allows users to log in with their Google accounts inside Chrome and optionally upload and synchronize local browser data (history, passwords, bookmarks, and other) to Google’s servers. Sync has been present in Chrome for years, but until now, the system worked independently from the logged-in state of Google accounts.

    Google secretly logs users into Chrome whenever they log into a Google site

    Browser maker faces backlash for failing to inform users about Chrome Sync behavioral change.

  16. Tomi Engdahl says:

    The curious sudden rise of free US election ‘net security guardians
    There is no such thing as a gratis lunch, after all

    Nothing super-fuels a security sales pitch like the sort of threat it’s hard to ignore.

    These days, it’s the Wizard of Oz-like enigma of Russia, which doesn’t just hack systems, but uses fake news, confusion, and the tragic anger-of-the-commons as a sort of mind-hack on entire populations. Allegedly. How can anyone stop that?

    The answer is that US capitalism re-hacks people’s minds back using a word that must make even the well-roubled cyber-miscreants of St Petersburg tremble – free service.

    Symantec is the latest to serve up this idea by offering candidates, election commissions, and political parties in the forthcoming US mid-term election free access to its anti-spoofing service for email and websites, Project Dolphin.

    Get Zuck’d

    Never one to be left out, Facebook launched its own “pilot program” designed to protect the Facebook accounts of anyone involved in US elections.

    It’s no secret that almost any phishing attack can get through – eventually. Endpoint security tools struggle because there is no malware, only ruses designed to steal credentials. Until now, the industry’s clever answer was extra authentication, ignoring the fact that a lot of the most targeted people don’t seem interested in using it. In future, getting a protected email service might depend on it.

  17. Tomi Engdahl says:

    Symantec Completes Internal Accounting Investigation

    Symantec announced on Monday that it has completed its internal accounting audit, and while some issues have been uncovered, only one customer transaction has an impact on financial statements.

    Symantec stock dropped from nearly $30 to just under $20 after the company announced the investigation on May 10.

  18. Tomi Engdahl says:

    U.S. General Service Administration Launches Bug Bounty Program

    The United States General Service Administration’s (GSA) Technology Transformation Service (TTS) has launched a bug bounty program on HackerOne, the hacker-powered security platform announced on Friday.

    GSA, the first federal civilian agency to have launched a bug bounty program, is willing to pay up to $5,000 for Critical vulnerabilities found in its services. However, only some of the GSA’s TTS services are included in the multi-year HackerOne bug bounty program.

  19. Tomi Engdahl says:

    New Adwind Campaign Targets Linux, Windows, and macOS

    Adwind remote access Trojan (RAT) samples detected in a recent campaign were configured to gain persistence on Linux, Windows, and macOS systems, Cisco Talos warns.

    The attacks featured the Adwind 3.0 RAT and employed a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel, ReversingLabs and Cisco Talos security researchers discovered.

    The attackers used at least two different droppers for their malicious payload, in the form of CSV and XLT files. Both of them, however, would leverage a new variant of the DDE code injection attack, one that remained undetected until now.

  20. Tomi Engdahl says:

    United Nations WordPress Site Exposes Thousands of Resumes

    Disclosure vulnerabilities in a web app from the United Nations leave CVs from job applicants open to public access, and the organization failed to plug the leak despite receiving a private report on the issues.

    Security researcher Mohamed Baset of penetration testing company Seekurity found a path disclosure and an information disclosure bug in one of the UN’s WordPress websites, which gives unfettered access to job applications since 2016. He claims that thousands of documents have been uploaded.

    Although fixing the problem is a simple matter, Baset says he did not receive the expected answer following his reporting of the problem.

    A month after sending his initial report on August 6, two messages asking for the status of his disclosure and another email announcing full public disclosure, Baset says he got a reply.

    According to the researcher, “someone from [email protected]” said that the vulnerability did not “pertain to the United Nations Secretariat, and is for UNDP [United Nations Development Programme].” This was on September 5.

    Today, 48 days after making a responsible disclosure to [email protected], Baset decided to release the details to the public.

    “The discovered vulnerabilities have been responsibly reported to the United Nations along with other discovered issues (not mentioned here) including the technical details on how to reproduce the issues,” the researcher announced.

    Baset’s recommendation to WordPress website owners is to keep their installation up to date as well as any plugins; they should lock any sensitive files from public view and restrict access to all folders under /wp-content/*.

  21. Tomi Engdahl says:

    ‘McAfee Labs Threats Report’ Highlights Cryptojacking, Blockchain, Mobile Security Issues

    As we look over some of the key issues from the newly released McAfee Labs Threats Report, we read terms such as voice assistant, blockchain, billing fraud, and cryptojacking. Although voice assistants fall in a different category, the other three are closely linked and driven by the goal of fast, profitable attacks that result in a quick return on a cybercriminal’s investment.

  22. Tomi Engdahl says:

    French cybersecurity agency open sources security hardened CLIP OS

    After developing it internally for over 10 years, the National Cybersecurity Agency of France (ANSSI) has decided to open source CLIP OS, a Linux-based operating system developed “to meet the specific needs of the [French] administration,” and is asking outside coders to contribute to its development.

    “The CLIP OS project is led and maintained by developers from the ANSSI but most of the source code resulting in the final CLIP OS system image comes from popular open source projects (the Linux kernel, the GNU Compiler Collection, etc.),” the Agency shared. “The project is based on Gentoo Hardened and has many similarities with Chromium OS or the Yocto project.”

    CLIP OS incorporates a number of security mechanisms. One of these is environment isolation (partitioning), so that users can simultaneously process both public and sensitive information within two totally isolated software environments (“cages”), in order to avoid the risk of sensitive information leaking onto the public network.

  23. Tomi Engdahl says:

    U.S. Unveils First Step Toward New Online Privacy Rules

    The US administration called Tuesday for public comments on a “new approach to consumer data privacy” that could trigger fresh regulations of internet companies.

    The Commerce Department said the announcement is part of an effort to “modernize US data privacy policy for the 21st century.”

    The move follows the implementation this year of ramped up data protection rules imposed by the European Union, and a new privacy law enacted in California.

    Both measures will impact internet firms whose websites can be accessed around the globe.

    NTIA Seeks Comment on New Approach to Consumer Data Privacy

  24. Tomi Engdahl says:

    Cloudflare Encrypts SNI Across Its Network

    Cloudflare this week announced it has turned on Encrypted SNI (ESNI) across all of its network, making yet another step toward improving user privacy.

    The Transport Layer Security (TLS) Server Name Indication (SNI) extension was introduced to resolve the issue of accessing encrypted websites hosted at the same IP address. Before that, when a request was made for an HTTPS connection, the web server would only hand out a single SSL certificate per IP address.

    With SNI, however, if a web server hosts multiple domains, the request is routed to the correct site and the right SSL certificate is returned. This ensures that content is encrypted correctly and browsers widely adopted the TLS extension after its specification was introduced by the IETF in 2003.
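
The privacy point behind ESNI is that the SNI value travels in the clear inside the ClientHello, before any encryption is negotiated, so anyone on the path can read which hostname a client is asking for. The following is an added example (not Cloudflare's code or from the original post) that builds a minimal TLS 1.2 ClientHello carrying a server_name extension and then parses it back out the way a passive observer or a network monitor would. The handshake bytes are constructed (zeroed random, a single cipher suite) and are not a real captured session.

```python
"""Build and parse the plaintext server_name (SNI) extension of a TLS ClientHello.

Added example: the ClientHello is constructed here for illustration
(zeroed random, one cipher suite); it is not a captured handshake.
"""
import struct


def build_client_hello(hostname):
    """Return a minimal TLS 1.2 ClientHello record. With hostname=None the
    extensions block is omitted entirely (legal in TLS 1.2)."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
        extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    cipher_suites = struct.pack("!HH", 2, 0xC02F)  # one suite, constructed choice
    body = (struct.pack("!H", 0x0303)   # client_version TLS 1.2
            + bytes(32)                 # random (zeros; constructed, not a real handshake)
            + b"\x00"                   # empty session_id
            + cipher_suites
            + b"\x01\x00"               # compression_methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the plaintext host_name from a ClientHello record, or None if the
    record is not a ClientHello, is malformed, or carries no server_name."""
    try:
        if len(record) < 9 or record[0] != 0x16:
            return None
        hs = record[5:]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                   # skip client_version, random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if etype == 0x0000:
                # server_name_list: u16 length, then (u8 name_type, u16 len, name) entries
                p = pos + 2
                while p + 3 <= pos + elen:
                    ntype = body[p]
                    nlen = struct.unpack_from("!H", body, p + 1)[0]
                    p += 3
                    if ntype == 0:
                        return body[p:p + nlen].decode("ascii")
                    p += nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("SNI on the wire:", extract_sni(hello))
```

The same parser run against an ESNI connection returns None: the server_name extension is replaced by an encrypted one, so middleboxes, filtering and monitoring that key on the plaintext hostname lose that signal and have to fall back on other telemetry (DNS, destination IP, certificate details where still visible).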

  25. Tomi Engdahl says:

    Third-Party Patch Available for Microsoft JET Database Zero-Day

    An unofficial patch is already available for the unpatched Microsoft JET Database Engine vulnerability that Trend Micro’s Zero Day Initiative (ZDI) made public last week.

    The security flaw, an out-of-bounds (OOB) write in the JET Database Engine that could be exploited for remote code execution, was reported to the vendor in early May. ZDI disclosed the issue publicly as 120 days had passed after they notified the vendor, although a patch hadn’t been released.

    Despite not being considered critical, attackers could use social engineering to trick users into opening malicious files capable of triggering the exploit.

    Outrunning Attackers On The Jet Database Engine 0day

  26. Tomi Engdahl says:

    Ex-NSA Hacker Sentenced to Jail Over Kaspersky Leak

    A former National Security Agency hacker whose leak of extremely top secret online spying materials led to the US government ban on Kaspersky software was sentenced to 66 months in prison Tuesday.

    Nghia Hoang Pho, 68, a 10-year veteran of the NSA’s elite Tailored Access Operations hacking unit, pleaded guilty in December to one count of willful retention of classified national defense information.

    Authorities discovered that between 2010 and 2015, he had taken home with him substantial TAO materials, including programs and data, that eventually ended up in the hands of Russian intelligence.

    Vietnam-born Pho put the information on his home computer, which was protected by the popular Kaspersky anti-virus program. US authorities believe that Russian intelligence was able to access his computer through Kaspersky.

  27. Tomi Engdahl says:

    Testing Firm NSS Labs Declares War on Antivirus Industry

    Simmering Tensions in the Antivirus World Erupt Again

    NSS Labs, a security product testing and validation firm, has effectively declared war on the entire antivirus (AV) industry. On September 18, it filed an antitrust lawsuit against CrowdStrike, Symantec, ESET, the Anti-Malware Testing Standards Organization (AMTSO), and Does.

    The ‘Does’ are described as endpoint protection (EPP) vendors (that is, AV vendors) and members of AMTSO.

    AMTSO is a non-profit organization established in 2008 with the stated purpose of improving anti-malware testing. It is open to academics, reviewers, publications, testers and vendors, and its current 51 members include the named defendants, the plaintiff NSS Labs, and most – if not all – of the major EPP vendors.

    NSS Labs claims that AMTSO has organized a conspiracy against the EPP product testing industry – and specifically NSS Labs – to prevent independent testing of EPP products.

  28. Tomi Engdahl says:

    Over 6 Million Users Hit by Breach at Fashion Retailer SHEIN

    U.S.-based online fashion retailer SHEIN informed customers recently that their personal information was stolen by hackers who gained access to the company’s systems.

    According to SHEIN, the incident impacts roughly 6.42 million customers, who had their email addresses and passwords stolen. SHEIN says the passwords are encrypted, but that may actually mean they are hashed. Customers are being notified and provided instructions on how to reset their passwords.

  29. Tomi Engdahl says:

    Microsoft Boosts Azure Security With Array of New Tools

    At its Ignite conference this week, Microsoft announced improved security features for Azure with the addition of Microsoft Authenticator, Azure Firewall, and several other tools to the cloud computing platform.

    After announcing Azure Active Directory (AD) Password Protection in June to combat bad passwords, Microsoft is now bringing password-less logins to Azure AD connected apps with the addition of support for Microsoft Authenticator.

  30. Tomi Engdahl says:

    Symantec Completes Internal Accounting Investigation

    Symantec announced on Monday that it has completed its internal accounting audit, and while some issues have been uncovered, only one customer transaction has an impact on financial statements.

    Symantec stock dropped from nearly $30 to just under $20 after the company announced the investigation on May 10. It recovered slightly a few days later after more details were made public, but again dove under $20 after the firm revealed plans to cut as much as 8% of its workforce, representing roughly 1,000 employees.

    Shares went up approximately 4 percent after the firm announced the completion of the audit.

    The investigation was launched after a former employee raised concerns about “the Company’s public disclosures including commentary on historical financial results, its reporting of certain Non-GAAP measures including those that could impact executive compensation programs, certain forward-looking statements, stock trading plans and retaliation.”

    Symantec Announces Completion of Audit Committee Investigation

  31. Tomi Engdahl says:

    Mikko Hyppönen reveals F-Secure’s biggest blunders: ”Being Finns, as we were…”

    The Finnish security company could have become really big if it had talked about artificial intelligence as artificial intelligence and gone into the website verification business.

    A certified website using http encryption is secure, meaning the user can trust that the site is what it claims to be.

    – So in practice it would have meant that we would have asked website operators for 500 dollars and a text file in which they tell us who they are.

    – We thought about it long and hard. Then we concluded that this is not our business.

    Since then, the website certificate business has grown to be worth billions.

  32. Tomi Engdahl says:

    New CVE-2018-8373 Exploit Spotted in the Wild

    On September 18, 2018, more than a month after we published a blog revealing the details of a use-after-free (UAF) vulnerability CVE-2018-8373 that affects the VBScript engine in newer Windows versions, we spotted another exploit, possibly in the wild, that uses the same vulnerability. It’s important to note that this exploit doesn’t work on systems with updated Internet Explorer versions.

  33. Tomi Engdahl says:

    Stop Office 365 Credential Theft with an Artificial Eye

    We all know that email remains by far the number one threat vector facing organizations today. Trend Micro blocked more than 20.4 billion threats in the first half of 2018 alone, nearly 83% of which were email borne. But there’s more: corporate email accounts have also become a key target for attackers in their own right. And as Office 365 becomes ever more popular, its log-in page increasingly represents the frontline in the battle against phishing attacks designed to hijack email accounts. According to Osterman Research, email account takeovers now represent over two-fifths (44%) of enterprise attacks.

    That’s why Trend Micro has developed a new layer of defense to add to our formidable range of email security offerings: innovative capabilities leveraging computer vision and AI to block attacks in real-time.

  34. Tomi Engdahl says:

    Ujjwal Pugalia / Amazon Web Services:
    AWS announces that YubiKey can now be used as a multi-factor authentication (MFA) device to sign into the AWS management console — AWS Identity and Access Management (IAM) best practice is to require all IAM and root users in your account to sign into the AWS Management Console with multi-factor authentication (MFA).

    Use YubiKey security key to sign into AWS Management Console with YubiKey for multi-factor authentication

  35. Tomi Engdahl says:

    Linux Kernel Vulnerability Affects Red Hat, CentOS, Debian

    Qualys has disclosed the details of an integer overflow vulnerability in the Linux kernel that can be exploited by a local attacker for privilege escalation. The flaw, dubbed “Mutagen Astronomy,” affects certain versions of the Red Hat, CentOS and Debian distributions.

    The vulnerability affects versions of the kernel released between July 19, 2007, and July 7, 2017. While many Linux distributions have backported the commit that addresses the bug, the fix hasn’t been implemented in Red Hat Enterprise Linux, CentOS (which is based on Red Hat), and Debian 8 Jessie.

    Red Hat, which assigned the flaw an impact rating of “important” and a CVSS score of 7.8 (high severity), has started releasing updates that should address the issue.

    “This issue does not affect 32-bit systems as they do not have a large enough address space to exploit this flaw,” Red Hat explained. “Systems with less than 32GB of memory are unlikely to be affected by this issue due to memory demands during exploitation.”

    Mutagen Astronomy: Integer overflow in Linux’s create_elf_tables()

    We discovered an integer overflow in the Linux kernel’s create_elf_tables() function: on a 64-bit system, a local attacker can exploit this vulnerability via a SUID-root binary and obtain full root

    Only kernels with commit b6a2fea39318 (“mm: variable length argument support”, from July 19, 2007) but without commit da029c11e6b1 (“exec: Limit arg stack to at most 75% of _STK_LIM”, from July 7, 2017) are

    Most Linux distributions backported commit da029c11e6b1 to their long-term-supported kernels, but Red Hat Enterprise Linux and CentOS (and Debian 8, the current “oldstable” version) have not, and are therefore vulnerable and exploitable.

  36. Tomi Engdahl says:

    Security vulnerability in Apple’s Device Enrollment Program could allow full access to corporate networks

    A security vulnerability discovered in Apple’s Device Enrollment Program (DEP) could allow an attacker to gain full access to a corporate or school network.

    The DEP is a free service offered by Apple to allow new devices to be automatically configured with everything from custom apps to VPN settings. All that is needed is the serial number of the device, and that’s the root of the problem, says the security researcher who discovered it …

  37. Tomi Engdahl says:

    Yes Facebook is using your 2FA phone number to target you with ads

    Facebook has confirmed it does in fact use phone numbers that users provided it for security purposes to also target them with ads.

    Specifically a phone number handed over for two factor authentication (2FA) — a security technique that adds a second layer of authentication to help keep accounts secure.

  38. Tomi Engdahl says:

    Russian hackers ‘Fancy Bear’ now targeting governments with rootkit malware

    Security researchers say that they have found evidence that for the first time Russia-backed hackers are now using a more sophisticated type of malware to target government entities.

    ESET presented its case Thursday that the hacker group, known as Fancy Bear (or APT28), is using rootkit malware to target its victims. That marks an escalation in tactics

  39. Tomi Engdahl says:

    Researchers find Russian “VPNfilter” malware was a Swiss Army hacking knife

    Router malware had nine different tools for exploiting networks.

    Researchers at Cisco’s Talos have discovered that VPNfilter—the malware that prompted Federal Bureau of Investigation officials to urge people to reboot their Internet routers—carried an even bigger punch than had previously been discovered. While researchers already found that the malware had been built with multiple types of attack modules that could be deployed to infected routers, further research uncovered seven additional modules that could have been used to exploit the networks routers were attached to, thus stealing data and creating a covert network for command and control over future attacks. The malware appeared to be primarily intended to attack Ukraine on the anniversary of the NotPetya attack, but VPNfilter was clearly built for long-term use as a network exploitation and attack platform.

  40. Tomi Engdahl says:

    IRS can do more to protect against tax fraudsters, watchdog says

    A government watchdog has said that the Internal Revenue Service could do more to prevent tax fraud if it invested more money in ensuring that the identities of taxpayers are properly verified.

    From the IRS’ own data, fraudsters scammed the agency out of at least $1.6 billion in tax refunds during the 2016 tax season that belonged to taxpayers. That’s a drop in the ocean to the $383 billion paid out in legitimate tax returns.

