Cyber Security March 2019

This posting is here to collect cyber security news in March 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.


  1. Tomi Engdahl says:

    Security flaw put RBS customers at risk of cyber-attack

    Royal Bank of Scotland (RBS) customers have been put at risk of cyber-attack after being recommended flawed security software.

    Since January, the banking group has begun to offer its business banking customers a product called Thor Foresight Enterprise free of charge.

    Heimdal Security sells it as “next generation protection” against cyber-threats.

    Security researchers uncovered a flaw in it that made customers less secure.

    The bug has now been fixed with Heimdal Security estimating that about 50,000 people were using the vulnerable software.

  2. Tomi Engdahl says:

    VirusTotal Goes Retro with New ASCII Site for Older Browsers

    VirusTotal has quietly launched a new retro ASCII site this week that is designed for visitors using older browsers, who want a minimalist experience, or wish to feel the nostalgia of how it felt connecting to a BBS or console in the past. Due to its reduced page size, this new interface is also ideal for mobile browsers who are typically on a slower connection.

    The new VirusTotal site is located at and is rendered using only text, without any images. It also uses a minimal amount of JavaScript and 3rd party libraries to reduce its size and load times.

  3. Tomi Engdahl says:

    Don’t have a heart attack but your implanted defibrillator can be hacked over the air (by someone who really wants you dead)
    US govt sounds alarm over wireless comms, caveats apply

    Wireless vulns in Medtronic’s implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft

  4. Tomi Engdahl says:

    Second Critical Crypto Flaw Found in Swiss E-Voting System

    A second critical crypto vulnerability that can be exploited to hide vote manipulation has been discovered in the Swiss e-voting system, researchers revealed on Sunday.

    The Swiss government, specifically the Swiss Post national postal service, in February announced the launch of a public bug bounty program for its electronic voting systems. Rewards of up to $50,000 have been offered and over 3,000 hackers from around the world have signed up for the program that ended on March 24.

    Switzerland has been conducting e-voting trials since 2004 and Swiss Post believes it has now developed a fully verifiable system that can make e-voting widely available in the country.

    However, it turns out that the components of the system designed to ensure that votes have not been manipulated, which should have already been thoroughly tested, have some potentially serious vulnerabilities.

  5. Tomi Engdahl says:

    A New Age of Warfare: How Internet Mercenaries Do Battle for Authoritarian Governments

    Sophisticated surveillance, once the domain of world powers, is increasingly available on the private market. Smaller countries are seizing on the tools — sometimes for darker purposes.

  6. Tomi Engdahl says:

    Emma Best:
    In-depth profile of Maksym Igor Popov, an infamous Ukrainian hacker whose stated goal was to create conflict and cyberwar between nations using disinformation

    Leaker, Liar, Hacker, Hoaxer: The Russian contractor who infiltrated Anonymous

    Years before the Russian-operated persona Guccifer 2.0 appeared on the internet to claim they were a hacktivist responsible for the DNC breach, a hacker with alleged ties to the Russian government used similar obfuscation strategies. Using numerous false identities and several distribution platforms, they released hacked materials, both genuine and forged, while often lying about the real documents’ provenance. In 2016, refined versions of these tactics would infamously be used by the linked and Russian sponsored fronts Guccifer 2.0, DCLeaks and CyberBerkut.

    According to leaked evidence collected by the FBI in one of the WikiLeaks investigations, the hacker’s stated goal was to sow disinformation and create conspiracies that would increase international tensions. In one exchange with an FBI informant known as Sabu, the Russian hacker/alleged contractor described a plan for a false flag cyberattack that aimed to start a “real cyberwar.”

  7. Tomi Engdahl says:

    Microsoft Finds Privilege Escalation, Code Execution Flaws in Huawei Tool

    Microsoft researchers have identified potentially serious privilege escalation and arbitrary code execution vulnerabilities in a tool from Huawei. The vendor has released updates that should patch the flaws.

  8. Tomi Engdahl says:

    Major U.S. Chemical Firms Hit by Cyberattack

    Operations at two major US-based chemical companies, Hexion and Momentive, were disrupted recently by a cyberattack reportedly involving LockerGoga, the ransomware that recently hit Norwegian aluminum giant Norsk Hydro.

    In press releases published on Friday, Hexion and Momentive said they had been working on restoring networks and resuming normal operations after suffering “network security incidents” that prevented access to certain IT systems and data.

  9. Tomi Engdahl says:

    Supply-Chain Attack Used to Install Backdoors on ASUS Computers

    Hijacked Software Update Utility Could Have Impacted Over 1 Million ASUS Users

    Over 1 million ASUS users may have been impacted after attackers managed to inject a backdoor in the ASUS Live Update utility, Kaspersky Lab reports.

    Pre-installed on most ASUS computers, ASUS Live Update is used to automatically update components such as BIOS, UEFI, drivers and applications. To hide the malicious activity, the actors also used a stolen digital certificate that ASUS signs legitimate binaries with.

    Referred to as Operation ShadowHammer, the sophisticated supply chain attack took place between June and November 2018, but was only discovered in January 2019, the security firm says.

  10. Tomi Engdahl says:

    Researchers Uncover Vulnerabilities in LTE Wireless Protocol

    Researchers from the Korea Advanced Institute of Science and Technology Constitution (KAIST) say they have discovered 36 previously undisclosed vulnerabilities in the Long Term Evolution (LTE) protocol used by most mobile carriers.

    The flaws were discovered using a semi-automated testing tool named LTEFuzz, which generates and sends test cases to a target network and then classifies problematic behavior by monitoring device-side logs. The results were confirmed against operational LTE networks.

  11. Tomi Engdahl says:

    LockerGoga Ransomware Neutralized by Shortcut Files

    At least some variants of the LockerGoga ransomware, a piece of malware involved in several recent high profile attacks, do not encrypt files on a compromised device if a certain type of shortcut file is found in a specific Windows folder, researchers discovered.

    Experts at Alert Logic noticed that before LockerGoga starts encrypting files on a system, it performs an initial scan to create a list of files it should encrypt. If it comes across a .lnk file — a shortcut or link used by Windows as a reference to an original file — it will stop without attempting to encrypt anything.

    Specifically, Alert Logic’s analysis shows that LockerGoga may be neutralized if the Recent Items folder contains a shortcut file that has an invalid network path or one that has no associated RPC endpoint.

  12. Tomi Engdahl says:

    From alert to driver vulnerability: Microsoft Defender ATP investigation unearths privilege escalation flaw

    With Microsoft continuously improving kernel mitigations and raising the bar for exploiting native kernel components, third-party kernel drivers are becoming a more appealing target for attackers and an important area of research for security analysts. A vulnerability in a signed third-party driver could have a serious impact: it can be abused by attackers to escalate privileges or, more commonly, bypass driver signature enforcement—without the complexity of using a more expensive zero-day kernel exploit in the OS itself.

    Computer manufacturers usually ship devices with software and tools that facilitate device management. These software and tools, including drivers, often contain components that run with ring-0 privileges in the kernel. With these components installed by default, each must be as secure as the kernel; even one flawed component could become the Achilles’ heel of the whole kernel security design.

  13. Tomi Engdahl says:

    Researchers find 36 new security flaws in LTE protocol

    South Korean researchers apply fuzzing techniques to LTE protocol and find 51 vulnerabilities, of which 36 were new.

    Touching the Untouchables
    Dynamic Security Analysis of the LTE Control Plane

  14. Tomi Engdahl says:

    Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane

  15. Tomi Engdahl says:

    Android ecosystem of pre-installed apps is a privacy and security mess

    Extensive academic study finds data-harvesting and malware-laced pre-installed apps.

  16. Tomi Engdahl says:

    LockerGoga bug crashes ransomware before encrypting files

    Bug could be used to create (temporary) LockerGoga vaccines.

  17. Tomi Engdahl says:

    Google fixes Chrome ‘evil cursor’ bug abused by tech support scam sites

    Evil cursor trick was being abused by Partnerstroka gang to trap users on tech support sites.

  18. Tomi Engdahl says:

    Warning: ASUS Software Update Server Hacked to Distribute Malware

    CCleaner hack was one of the largest supply chain attacks that infected more than 2.3 million users with a backdoored version of the software in September 2017.

    Security researchers today revealed another massive supply chain attack that compromised over 1 million computers manufactured by Taiwan-based tech giant ASUS.

    A group of state-sponsored hackers last year managed to hijack ASUS Live automatic software update server between June and November 2018 and pushed malicious updates to install backdoors on over one million Windows computers worldwide.

  19. Tomi Engdahl says:

    Medtronic’s Implantable Defibrillators Vulnerable to Life-Threatening Hacks

    The U.S. Department of Homeland Security Thursday issued an advisory warning people of severe vulnerabilities in over a dozen heart defibrillators that could allow attackers to fully hijack them remotely, potentially putting lives of millions of patients at risk.

    Cardioverter Defibrillator is a small surgically implanted device (in patients’ chests) that gives a patient’s heart an electric shock (often called a countershock) to re-establish a normal heartbeat.

    While the device has been designed to prevent sudden death, several implanted cardiac defibrillators made by one of the world’s largest medical device companies Medtronic have been found vulnerable to two serious vulnerabilities.

  20. Tomi Engdahl says:

    Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers

    The Taiwan-based tech giant ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company’s server and used it to push the malware to machines.

  21. Tomi Engdahl says:

    Operation ShadowHammer

    Earlier today, Motherboard published a story by Kim Zetter on Operation ShadowHammer, a newly discovered supply chain attack that leveraged ASUS Live Update software.

    While the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore, we would like to share some important details about the attack.

    In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users.

  22. Tomi Engdahl says:

    ShadowHammer: Malicious updates for ASUS laptops

    Asus unwittingly pushed malware to 500k laptops after hack

  23. Tomi Engdahl says:

    Ransomware Forces Two Chemical Companies to Order ‘Hundreds of New Computers’

    It appears that LockerGoga, the same ransomware that hit aluminum manufacturing giant Norsk Hydro this week, also infected American chemicals companies Hexion and Momentive, leaving employees locked out of their computers.

  24. Tomi Engdahl says:

    Sidney Fussell / The Atlantic:
    Airbnb says it’s cracking down on hosts who record guests, but four guests who found cameras in their rentals say Airbnb is inconsistent in enforcing its rules —

    Airbnb Has a Hidden-Camera Problem

    The home-rental start-up says it’s cracking down on hosts who record guests. Is it doing enough?

  25. Tomi Engdahl says:

    ASUS Confirms It Was Used to Install Backdoors on Its Customers’ Computers
    A press release released by ASUS this morning confirms Motherboard’s reporting.

  26. Tomi Engdahl says:

    AZORult Variant Can Establish RDP Connections

    A recently observed C++ version of the AZORult data stealer includes the ability to establish a remote desktop connection to compromised devices, Kaspersky Lab’s security researchers have discovered.

    First observed in 2016 as part of a campaign that abused PayPal for malware distribution, the threat has been used in numerous malicious attacks since.

  27. Tomi Engdahl says:

    Norsk Hydro May Have Lost $40M in First Week After Cyberattack

    Norwegian aluminum giant Norsk Hydro estimates that it may have lost more than $40 million in the first week following the ransomware attack that disrupted its operations.

    In an update shared on Tuesday, the company said it’s too soon to provide precise information on the financial impact resulting from the cyberattack, but a rough estimate puts losses at between 300-350 million Norwegian crowns ($35 – $41 million). A majority of that amount represents losses in the Extruded Solutions area, which has been hit the hardest.

    “Hydro has a solid cyber risk insurance policy with recognized insurers, with global insurer AIG as lead,” the company stated.

  28. Tomi Engdahl says:

    New Settings Help Hackers Test Facebook Mobile Apps

    Facebook last week announced that it introduced new settings designed to make it easier for white hat hackers to test the security of its mobile applications.

    The social media giant’s mobile applications use certificate pinning and other security mechanisms to protect communications between the application running on a user’s device and Facebook’s servers. While these measures significantly improve security, they also make it harder for researchers to find server-side vulnerabilities in the company’s apps.

  29. Tomi Engdahl says:

    Senators demand to know why election vendors still sell voting machines with ‘known vulnerabilities’

  30. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    How a vulnerability disclosure by researchers to Atrient, a vendor of player reward kiosks for casinos, led to competing claims of assault and blackmail

    Casino Screwup Royale: A tale of “ethical hacking” gone awry
    “Ethical hackers” tried to disclose problems to a casino software company—it got messy.

    People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it’s less common for such situations to turn into tense trade-show confrontations—and competing claims of assault and blackmail.

    Yet that’s what happened when executives at Atrient—a casino technology firm headquartered in West Bloomfield, Michigan—stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers—Dylan Wheeler, a 23-year-old Australian living in the UK—stopped by Atrient’s booth at a London conference to confront the company’s chief operating officer.

    What happened next is in dispute.

    The story is practically a case study in the problems that can arise with vulnerability research and disclosure.

    Many large companies and technology vendors now run active “bug bounty” programs to channel the efforts of outside hackers and security researchers toward productively uncovering security problems in their software and infrastructure—but the vast majority of companies have no clear mechanism for outsiders to share information about security gaps.

    When it comes to disclosing vulnerabilities to those types of companies, Beardsley told Ars, “I’ve gotten everything ranging from silence to active ignorance—’I don’t wanna hear it’—to cease and desist letters telling me ‘I’ll take down your advisory.’ All of that, and I’ve gotten lots of good [responses], too. I’ve dealt with people who have not had a long track record with disclosure and I hand hold them through it.”

    Atrient is a small company, plying its wares in a highly specific niche of the casino and gaming industry.

    On October 29, 2018, Wheeler and “Me” were engaged in a search for vulnerable systems on the Internet. They sent batches of queries to a pair of Internet vulnerability search engines—Censys and Shodan—via a combination of Web queries and direct commands through the tools’ command-line application interfaces. During their search, they stumbled across what amounted to an open door—a Jenkins server they claim had no access controls enabled.

    Wheeler and “Me” decided to poke around a bit to see if they could identify who owned the server.

    Gill insists what the pair found was simply a demonstration platform with no working code.

    On November 4, 2018, “Me” and Wheeler sent emails to a host of addresses at Atrient and Azilen—including to CEO Sam Attisha—to alert them to the alleged security problem with the server.

    It is not unusual for such emails to go unanswered.

    But Beardsley said that, in his experience, even the most professionally prepared disclosures can be ignored.

    Bule’s amplification did help get the attention of two interested parties: a major casino operator that uses Atrient’s software—and the FBI.

    “We might be able to help you with that,” one of the FBI agents said.

    “When you’re performing Coordinating Disclosure—calling the vendor for the first time—for me it’s super important to really stress, ‘Look I’m not trying to sell you anything. I’m not trying to extort you. I’m not trying to set this up as a future sales call for all of my wonderful products,’” said Rapid7’s Beardsley. “I am very cognizant of that for a couple reasons. One, I don’t want to go to jail. And two, it’s an emotional thing for most people, especially people who’ve never had to deal with [disclosure] before.”

    When a company is faced with an unexpected disclosure, founder and CEO of Luta Security Katie Moussouris told Ars, “At a minimum, it’s always best to take the high road.” Companies can do that by creating or clarifying their policy around vulnerability disclosure and by limiting public comments to a “holding statement” indicating that the company is working to resolve the issue.

    “Nothing else really ‘wins’ in the court of public opinion,”

    Even when coordinated disclosure goes well—without NDAs, legal threats, and whatnot—it can take months. But the upside of doing it right, Beardsley said, is “then maybe the company will respond better to the next guy who comes along with a disclosure, and maybe doesn’t have as light a touch as you. That’s all you can kind of hope for.”

    The interaction between Wheeler and the casino operator is an example of how disclosure can be handled well—and it went well because the casino had a security team ready and willing to respond. It also helped that money never entered the discussion.

    But the animus between Atrient and the researchers seems to have been about more than money. There was also the timing of the disclosure, with a $40 million deal close to its conclusion when the report came in. Given the business situation, the relatively short timeframe (by disclosure standards), and the way the conversation took place, it’s not surprising that emotions ran high on Atrient’s side. Fireworks were almost inevitable.

    Veterans of disclosure, Beardsley said, “know this is all normal, and we can expect what we expect, but someone who doesn’t have a lot of experience can get emotional and personal about it and all that.”

  31. Tomi Engdahl says:

    Microsoft sues to take control of domains involved in Iran hacking campaign

    Microsoft has won a restraining order in a U.S. court in order to take control of domains used by an Iranian hacker group.

    The software and cloud giant applied to the court in order to take control of 99 websites used by the hacker group, known as Phosphorus or APT 35, in various hacking operations.

  32. Tomi Engdahl says:

    Analysis of GPS data finds 9,800+ GPS spoofing instances since 2016, likely to protect sensitive military and VIP travel areas in the Russian Federation

    EXECUTIVE SUMMARY

    GPS and other Global Navigation Satellite Systems (GNSS) are used in everything from cellular communication networks, to basic consumer goods, high-end military systems, and stock trading inputs. But these systems are vulnerable: by attacking positioning, navigational, and timing (PNT) data through electronic warfare (EW) capabilities, state and non-state actors can cause significant damage to modern militaries, first-world economies, and everyday consumers alike.

    GNSS attacks are emerging as a viable, disruptive strategic threat.

  33. Tomi Engdahl says:

    Viral Twitter Hoax Tricks People Into Deleting Their Accounts

    People have been tricked into deleting their Twitter accounts, after an obvious hoax went viral.

    If you do make the change, you are essentially informing Twitter you are a child and flagging your account for deletion.

    If you do actually change your birthdate, you are greeted with the message: “Your account is locked.

  34. Tomi Engdahl says:

    ASD’s Burgess warns companies hacking back is illegal

    Australian Signals Directorate director-general Mike Burgess has warned private or public companies against hacking back to defend themselves against potential online attacks, as they would be breaking the law.

  35. Tomi Engdahl says:

    Ex-NSA Contractor Pleads Guilty in Theft of Secret Documents

    A former National Security Agency contractor accused in a theft of classified documents from the agency’s headquarters pleaded guilty Thursday to willful retention of national defense information.

  36. Tomi Engdahl says:

    VMware Patches Flaws Disclosed at Pwn2Own 2019

    Security updates released on Thursday by VMware for its vCloud Director, ESXi, Workstation and Fusion products patch several vulnerabilities, including ones disclosed recently at the Pwn2Own 2019 hacking competition.

  37. Tomi Engdahl says:

    Critical Flaw Allows Hackers to Take Control of PowerFlex AC Drives

    Rockwell Automation’s Allen Bradley PowerFlex 525 AC drives are affected by a critical denial-of-service (DoS) vulnerability that allows hackers to take control of devices.

    PowerFlex 525 AC drives are designed for controlling electrical motors. Unlike traditional drives, these devices offer advanced features, such as embedded Ethernet/IP communications and USB programming. Rockwell Automation says the product is ideal for conveyors, pumps, fans and mixers.

  38. Tomi Engdahl says:

    New Shodan Service Keeps Track of Internet-Exposed Systems

    The popular IoT search engine Shodan this week announced the launch of Monitor, a new service designed to help organizations keep track of systems connected to the Internet.

    Shodan Monitor allows organizations to gain full visibility into their Internet-exposed systems. Users can launch scans and configure real-time notifications in case a new device is detected.

    Shodan Monitor is free for existing customers

  39. Tomi Engdahl says:

    WinRAR Vulnerability Exploited to Deliver New Malware

    The first attacks exploiting CVE-2018-20250 were observed just days after details of the flaw were made public. McAfee reported seeing over 100 unique exploits in the first week alone, with most targets being located in the U.S.

  40. Tomi Engdahl says:

    New Android malware targets 32 cryptocurrency apps and 100 international banks
    Gustuff is out to steal your cryptocurrency (and your fiat!)

  41. Tomi Engdahl says:

    Researchers warn open sky drone policy poses cybercriminal risk

    Left unchecked, our drones may pose significant risks to our privacy and security.

  42. Tomi Engdahl says:

    Some ASUS Updates Drop Backdoors on PCs in ‘Operation ShadowHammer’

  43. Tomi Engdahl says:

    Huawei’s half-arsed router patching left kit open to botnets: Chinese giant was warned years ago – then bungled it

    ISP alerted biz to UPnP flaw in 2013. Years later, same flaw kept cropping up

    Exclusive Huawei bungled its response to warnings from an ISP’s code review team about a security vulnerability common across its home routers – patching only two models rather than all of its products that used the same flawed firmware.

    Years later, those unpatched Huawei gateways, still vulnerable and still in use by broadband subscribers around the world, were caught up in a Mirai-variant botnet that exploited the very same hole flagged up earlier by the ISP’s review team.

  44. Tomi Engdahl says:

    New Shodan Tool Warns Organizations of Their Internet-Exposed Devices
    Shodan Monitor is free to members of the popular Internet search engine.

