Cyber security news January 2020

This posting is here to collect cyber security news in January 2020.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    “We continue to recommend that our customers apply the mitigation immediately – and the permanent fixes when they become available.”

    A hacker is patching Citrix servers to maintain exclusive access

    FireEye believes this is a bad guy hoarding Citrix servers, rather than a good-guy vigilante looking out for organizations.

  2. Tomi Engdahl says:


    Things are getting spicy in the internet world and we are filling you in on it!

    Storm clouds are gathering in the world of cybersecurity. Russian hackers likely targeted Burisma, the Ukrainian oil company at the center of Donald Trump’s various Biden conspiracies. If so, you can bet good money that they’ll selectively leak politically damaging documents ahead of the 2020 election. The Department of Justice is pressuring Apple to undermine iPhone encryption again, which you can expect to turn into another high-stakes court battle. And the NSA found a Windows 10 bug so bad they went ahead and told Microsoft—which means exploits won’t be far behind.

    The timing is especially auspicious for Microsoft, which also stopped supporting Windows 7 this week.

    We’ve written lots about the site Have I Been Pwned, which maintains a massive database of leaked credentials so that victims can see if they’re affected. The bizarro world version of that is sites like WeLeakInfo, which takes that same data breach data and sells it for rock bottom prices to hackers who want to exploit it. This week, the FBI announced that it had seized WeLeakInfo.

  3. Tomi Engdahl says:

    Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices
    The list was shared by the operator of a DDoS booter service.

    A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) “smart” devices.

    The list, which was published on a popular hacking forum, includes each device’s IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.

  4. Tomi Engdahl says:

    Police Scotland to roll out encryption bypass technology
    So-called ‘cyber kiosks’ will enable officers to get data from digital devices without a password.

  5. Tomi Engdahl says:

    Hackers may have gained ‘almost total control’ of an election server in Georgia, report says

    An election security report has revealed evidence of a possible hacking on a Georgia server that may have compromised the state’s voting machines in both 2016 and 2018.

    The alleged attack on a Georgia election server was first discovered by Logan Lamb, an election security expert who suggested that hackers may have been able to significantly interfere with state voting data.

    If the hackers successfully broke into the server, Mr Lamb said in his report that they likely obtained “almost total control of the server, including abilities to modify files, delete data, and install malware”.

    Multiple activist groups have filed a lawsuit arguing that the vulnerabilities would have allowed hackers to manipulate the results of the state’s most recent elections.

    Republican Brian Kemp narrowly beat Democrat Stacey Abrams during the 2018 gubernatorial race, in which he ran while serving as Georgia’s secretary of state.

    Georgia officials have insisted the server was not used to transmit voter registration files and other election materials to voting machines across the state.

    Mr Lamb’s report was included as an affidavit filed in an Atlanta federal court on Thursday.

    Marylin Marks, executive director of the Coalition for Good Governance, told Politico that evidence of the possible hacking “creates a very dark cloud over all of the previous elections” in Georgia. Her organisation is one of the groups suing the state over the compromised server.

    “We know there was no way to audit” the results of the previous elections, Ms Marks said. “There was no … attempt at accountability by the secretary of state, and the entire programming of elections was outsourced.”

    “What Logan’s findings show us,” she added, “is that vulnerabilities were not just hypothetical as the state had been claiming. Now we know that it was a very real risk, but what we don’t know is just how bad did it get. And the public deserves to know.”

    The alleged attack has added fuel to an ongoing debate about the integrity of Georgia’s elections. The state uses paperless voting machines, a process the activist groups behind the lawsuit are hoping to put an end to, and the election server had previously faced security issues before the 2016 elections.

    The Centre for Election Systems at Kennesaw State University, which was tasked with overseeing the programming of Georgia’s elections, then erased all of the data on the server in question. Mr Lamb was later able to assess a copy of the server collected by the FBI in March 2017 after state officials lost a years-long battle to prevent it from being examined in 2019.

    “I can think of no legitimate reason why records from that critical period of time should have been deleted”, Mr Lamb wrote in the affidavit.

    He reportedly found a vulnerability dubbed “Shellshock” that allowed the server to be compromised in December 2014, as well as a separate, unpatched vulnerability in its Drupal software that could have allowed the hacking to take place prior to the 2016 elections.

  6. Tomi Engdahl says:

    LastPass stores passwords so securely, not even its users can access them
    Login management service sulks in days-long TITSUP* for some

    While the company’s status page insists that everything is hunky-dory, the volume of wailing indicates that something has gone awry. Customers have been asked to clear caches, reinstall apps, everything bar the immortal “turn it off and turn it on again” to no avail. Some have indulged in a bit of amateur sleuthing to identify a pattern in the affected accounts.

    Fanning the flames is the company’s attitude, which seems akin to the “works alright on my PC, guv” so beloved by techies and users alike.

    Password managers are tremendously useful tools in a world where every website seems to require a login with ever more convoluted passwords.

    LastPass has made contact again to say:

    “After a thorough investigation, we have determined it was the result of a bug in a recent release and was limited to a very small set of users (a fraction of a percent of our user base). This has been resolved and all services are now functional.”

  7. Tomi Engdahl says:

    Hospital hacker spared prison after plod find almost 9,000 cardiac images at his home
    NHS working with cops and ICO to determine if patients must be told

  8. Tomi Engdahl says:

    Netgear Signed TLS Cert Private Key Disclosure

    There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware.

    These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly.

    The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear’s support website, without authentication; thus anyone in the world could have retrieved these keys.

    Rationale for Full Disclosure
    We are aware that Netgear has public bug bounty programs. However, at current date those programs do not allow public disclosure under any circumstances.

    We as researchers felt that the public should know about these certificate leaks in order to adequately protect themselves and that the certificates in question should be revoked so that major browsers do not trust them any longer. We could not guarantee either if we had used the existing bug bounty programs.
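
The Netgear disclosure above turns on one detail: valid, browser-trusted certificates were packaged inside downloadable firmware together with their private keys. The Go program below is an editorial example added to this page; it is not the researchers’ code, not Netgear’s, and not a tool from the comment. It shows the pre-release check a firmware vendor or reviewer can run on an image: locate every PEM block in the raw bytes, parse certificates and private keys, and report only those certificates whose private key is present in the same file. The firmware image, the filler bytes and the certificate names `leaked.example` and `public-only.example` are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
)

// publicKeyer is satisfied by *ecdsa.PrivateKey, *rsa.PrivateKey and ed25519.PrivateKey.
type publicKeyer interface{ Public() crypto.PublicKey }

// parseKey decodes the three common PEM private-key encodings; other block types are ignored.
func parseKey(b *pem.Block) (publicKeyer, bool) {
	var k interface{}
	var err error
	switch b.Type {
	case "EC PRIVATE KEY":
		k, err = x509.ParseECPrivateKey(b.Bytes)
	case "RSA PRIVATE KEY":
		k, err = x509.ParsePKCS1PrivateKey(b.Bytes)
	case "PRIVATE KEY": // PKCS#8, algorithm-agnostic
		k, err = x509.ParsePKCS8PrivateKey(b.Bytes)
	default:
		return nil, false
	}
	pk, ok := k.(publicKeyer)
	return pk, err == nil && ok
}

// ScanImage walks a raw firmware image, extracts every PEM block pem.Decode can locate (it
// skips the binary filler between blocks) and returns the number of certificates and private
// keys seen plus the CommonName of each certificate whose private key is also in the image.
func ScanImage(img []byte) (certs, keys int, leaked []string) {
	var parsedCerts []*x509.Certificate
	var parsedKeys []publicKeyer
	for block, rest := pem.Decode(img); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			if c, err := x509.ParseCertificate(block.Bytes); err == nil {
				parsedCerts = append(parsedCerts, c)
			}
		} else if k, ok := parseKey(block); ok {
			parsedKeys = append(parsedKeys, k)
		}
	}
	for _, c := range parsedCerts {
		// Pair on the public key rather than grepping for "BEGIN PRIVATE KEY": a certificate
		// shipped only for pinning, with no key beside it, must not be reported.
		certPub, ok := c.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
		if !ok {
			continue
		}
		for _, k := range parsedKeys {
			if certPub.Equal(k.Public()) {
				leaked = append(leaked, c.Subject.CommonName)
			}
		}
	}
	return len(parsedCerts), len(parsedKeys), leaked
}

// selfSigned builds a PEM certificate for cn and its PEM private key. This is constructed
// sample material for the example, not a vendor certificate.
func selfSigned(cn string) (certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // only fails for unsupported curves
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// BuildSampleImage assembles a stand-in firmware image: binary filler with two certificates
// embedded, only one of which ships together with its private key. Constructed, not real.
func BuildSampleImage() []byte {
	leakedCert, leakedKey := selfSigned("leaked.example")
	publicCert, _ := selfSigned("public-only.example") // certificate only; its key is never embedded
	filler := []byte{0x7f, 'E', 'L', 'F', 0, 0, 0xff, 'h', 's', 'q', 's'} // stand-in binary bytes
	var img []byte
	for _, part := range [][]byte{publicCert, leakedCert, leakedKey} {
		img = append(append(append(img, filler...), '\n'), part...) // "\n" before each block so pem.Decode finds it
	}
	return append(img, filler...)
}

func main() {
	fmt.Println(ScanImage(BuildSampleImage())) // prints "2 1 [leaked.example]"
}
```

Running it reports two certificates, one private key and a single leaked pair, `leaked.example`; the pinning-only certificate is left out because nothing in the image can sign for it. On a real image the check belongs after unpacking (squashfs, cramfs, compressed kernel sections hide PEM text from a byte scan), and a hit should be treated as the disclosure describes: rotate the key, request revocation of the certificate, and never bake a private key into an image that is published for download.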

  9. Tomi Engdahl says:

    #nationalcybersecuritymonth | New cyberattack plagues New Orleans: Ernest N. Morial Convention Center latest to be targeted | Business News

    They join more than 40 municipalities across the U.S. this year whose systems have been infiltrated by foreign and domestic cyber criminals seeking a quick payout. Some government agencies have obliged, although experts say cooperating with the hackers only emboldens them to attack in the future.

  10. Tomi Engdahl says:

    The RIAA, which helped many of its members with this case, is pleased with the outcome.

    Cox Is Liable for Pirating Subscribers, Hit With $1 Billion Damages Verdict

    Internet provider Cox Communications is responsible for the copyright infringements of its subscribers, a Virginia federal jury has ruled. The ISP is contributorily and vicariously liable for the copyright infringements and must pay a group of music companies $1 billion in damages. The ISP has already announced that it will appeal.

  11. Tomi Engdahl says:

    Fake Company, Real Threats
    Logs From a Smart Factory Honeypot

    To determine threat actors’ degree of knowledge in compromising a smart factory, we deployed our most elaborate honeypot to date. The incidents we observed show the kinds of attacks that can easily affect poorly secured manufacturing environments.

  12. Tomi Engdahl says:

    Visa’s plan against Magecart attacks: Devalue and disrupt

    Visa is actively going after Magecart groups, but also deploying new technologies to safeguard payment card data.

  13. Tomi Engdahl says:

    CVE-2020-0674 is a critical flaw for most Internet Explorer versions, allowing remote code execution and complete takeover

  14. Tomi Engdahl says:

    Amazon boss Jeff Bezos’s phone ‘hacked by Saudi crown prince’

    Exclusive: investigation suggests Washington Post owner was targeted five months before murder of Jamal Khashoggi

    The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.

    The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis.

  15. Tomi Engdahl says:

    Expert found a hardcoded SSH public key in Fortinet’s Security Information and Event Management FortiSIEM that can allow access to the FortiSIEM Supervisor.

  16. Tomi Engdahl says:

    UN calls for investigation after Saudis linked to Bezos phone hack

    United Nations experts are calling for an investigation after a forensic report said Saudi officials “most likely” used a mobile hacking tool built by the NSO Group to hack into the Amazon founder Jeff Bezos’ phone.

    Remarks made by U.N. human rights experts on Wednesday said the Israeli spyware maker’s flagship Pegasus mobile spyware was likely used to exfiltrate gigabytes of data from Bezos’ phone in May 2018, about six months after the Saudi government first obtained the spyware.

  17. Tomi Engdahl says:

    How A Single Apple Mac Hack Scored North Korean Spies $7 Million In Cryptocurrency

    North Korean hackers are using legitimate-looking LinkedIn and Telegram profiles in order to target the cryptocurrency wallets of macOS users, cybersecurity experts at Chainalysis have warned. 

  18. Tomi Engdahl says:

    Should tech giants slam the encryption door on the government?

    Reuters reported yesterday, citing six sources familiar with the matter, that the FBI pressured Apple into dropping a feature that would allow users to encrypt iPhone backups stored in Apple’s cloud.

    The decision to abandon plans to end-to-end encrypt iCloud-stored backups was reportedly made about two years ago. The feature, if rolled out, would have locked out anyone other than the device owner — including Apple — from accessing a user’s data. In doing so, it would have made it more difficult for law enforcement and federal investigators, warrant in hand, to access a user’s device data stored on Apple’s servers.

    Reuters said it “could not determine exactly” why the decision to drop the feature was made, but one source said “legal killed it,” referring to the company’s lawyers. One of the reasons that Apple’s lawyers gave, per the report, was a fear that the government would use the move as “an excuse for new legislation against encryption.”

    Exclusive: Apple dropped plan for encrypting backups after FBI complained – sources

  19. Tomi Engdahl says:

    Octarine releases open source security scanning tools for Kubernetes

    Octarine, a startup that helps automate security of Kubernetes workloads, released an open source scanning tool today. The tool, which is called Kube-scan, is designed to help developers understand the level of security risk in their Kubernetes clusters.

  20. Tomi Engdahl says:

    DDoS Mitigation Firm Founder Admits to DDoS

    A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded to paying a DDoS-for-hire service to launch attacks against others.

  21. Tomi Engdahl says:

    A billion animals were burnt to death, thousands of buildings and houses were destroyed, above 30+ people have died in Australia’s Bushfire. But this just does not end here, when people all over the world started to donate their hard-earned money to help, cybercriminals at this very crucial time infected 39+ legitimate donation sites and transferred all the amount to their domains. Learn more about this Magecart attack at

  22. Tomi Engdahl says:

    Passengers with mobile WiFi network named “Remote Detonator” removed from plane

    At Detroit Metropolitan Airport, police removed two passengers from a GoJet/Delta Connection flight because they apparently wouldn’t turn off a mobile phone that reportedly had a WiFi network name of “Remote Detonator.”

  23. Tomi Engdahl says:

    Rogue NYPD cops are using facial recognition app Clearview

    Rogue NYPD officers are using a sketchy facial-recognition software on their personal phones that the department’s own facial recognition unit doesn’t want to touch because of concerns about security and potential for abuse, The Post has learned.

    Clearview AI, which has scraped millions of photos from social media and other public sources for its facial recognition program — earning a cease-and-desist order from Twitter — has been pitching itself to law enforcement organizations across the country, including to the NYPD.

  24. Tomi Engdahl says:

    Ryuk Ransomware Hit Multiple Oil & Gas Facilities, ICS Security Expert

    More signs that the industrial control system (ICS) sector has become one of the latest favorite targets of ransomware attacks: The head of an operational technology (OT) cybersecurity services firm says at least five organizations in the oil and gas industry were recently hit by Ryuk.

  25. Tomi Engdahl says:

    Euro Cup and Olympics Ticket Reseller Hit by MageCart

    Site belonging to a reseller of tickets for Euro Cup and the Tokyo Summer Olympics, two major sports events happening later this year, have been infected with JavaScript that steals payment card details. Pimental and Kersten warn that shopping at or between December 3, 2019, and January 21, 2020, likely resulted in card data being stolen. Contacting the issuing bank and requesting a card replacement is the recommended action. Also:

  26. Tomi Engdahl says:

    Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus

    Malware analysts believe someone has hijacked the Phorpiex botnet from its creator and is sabotaging its operations by alerting users they’ve been infected.

    A mysterious entity appears to have hijacked the backend infrastructure of the Phorpiex (Trik) botnet and is uninstalling the spam-bot malware from infected hosts, while also showing a popup telling users to install an antivirus and update their computers, ZDNet has learned.

    The popups have started appearing on users’ screens today,

  27. Tomi Engdahl says:

    London police to deploy facial recognition cameras across the city

    Privacy campaigners called the move ‘a serious threat to civil liberties’

  28. Tomi Engdahl says:

    Microsoft confirms that most Windows 7 users won’t get a critical Internet Explorer security patch

    Internet Explorer may be a relic from the past, but it’s still out there and used by surprising numbers of people. Not all versions of it are supported by Microsoft anymore, so when a critical bug was discovered in the Windows 7, 8.x, 10, Windows Server 2008 and 2012 versions of the browser, there were questions about who was going to be protected.

    The bug was revealed just days after support ended for Windows 7

    Microsoft says that it is only Windows 7 users who have paid for Extended Security Updates who will receive a patch for the vulnerability. Home users for whom ESU is not an option will have no official patch available to them.

  29. Tomi Engdahl says:

    CVE-2020-0674 is a critical flaw for most Internet Explorer versions, allowing remote code execution and complete takeover.

  30. Tomi Engdahl says:

    Hackers target unpatched Citrix servers to deploy ransomware
    REvil ransomware gang has been spotted abusing Citrix bug to infect

    Citrix Releases Final Patch as Ransomware Attacks Ramp Up

    Citrix released the final permanent fix for the actively exploited CVE-2019-19781 vulnerability, needed to secure all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

  31. Tomi Engdahl says:

    Mozilla has banned nearly 200 malicious Firefox add-ons over the last two weeks

    Over the past two weeks, Mozilla’s add-on review team has banned 197 Firefox add-ons that were caught executing malicious code, stealing user data, or using obfuscation to hide their source code.

  32. Tomi Engdahl says:

    TrickBot Now Steals Windows Active Directory Credentials

    A new module for the TrickBot trojan has been discovered that targets the Active Directory database stored on compromised Windows domain

  33. Tomi Engdahl says:

    Joseph Cox / VICE:
    Documents reveal that Avast has sold its users internet browsing data, through a subsidiary called Jumpshot, to clients like Pepsi, Google, and Microsoft — An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data …

    Leaked Documents Expose the Secretive Market for Your Web Browsing Data

    An Avast antivirus subsidiary sells ‘Every search. Every click. Every buy. On every site.’ Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.

  34. Tomi Engdahl says:

    “According to the review, which will soon appear in the proceedings of the 2nd ACM Workshop on Automotive and Aerial Vehicle Security (AutoSec 2020), hackers can cause a series of attacks, including eavesdropping on users and even spoof GPS systems to direct riders to unintended locations.”

    The Great E-Scooter Hack: New Research Exposes Security Risk for E-Scooters and Riders

  35. Tomi Engdahl says:

    Cyberattacks targeted world leaders’ planes as they flew into Israel last week

    At least 800 attacks, including from Iran and Poland, were beaten back by Israel’s newly upgraded air traffic cyber defenses, officials say

    The attacks “were directed at the airport and the planes,” the report said, “and were aimed at disrupting the flight paths of more than 60 planes carrying heads of state, kings and presidents.”

  36. Tomi Engdahl says:

    The Cost of Avast’s Free Antivirus: Companies Can Spy on Your Clicks

    Avast is harvesting users’ browser histories on the pretext that the data has been ‘de-identified,’ thus protecting your privacy. But the data, which is being sold to third parties, can be linked back to people’s real identities, exposing every click and search they’ve made.

  37. Tomi Engdahl says:

    Ring Doorbell App Packed with Third-Party Trackers

    Ring isn’t just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers.

    An investigation by EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII).

  38. Tomi Engdahl says:

    Amazon engineer calls for Ring to be ‘shut down immediately’ over privacy concerns

    An Amazon software engineer named Max Eliaser said the home-security company Ring should be “shut down immediately.”

    “The privacy issues are not fixable with regulation and there is no balance that can be struck,” Eliaser said.

    “The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society,” Max Eliaser, an Amazon software-development engineer, said in a post published on Medium on Sunday. “The privacy issues are not fixable with regulation and there is no balance that can be struck. Ring should be shut down immediately and not brought back.”

  39. Tomi Engdahl says:

    How India, the World’s Largest Democracy, Shuts Down the Internet

    When government officials in India decided to shut down the Internet, software engineers working for an IT and data analytics firm lost half a day of work and fell behind in delivering a project for clients based in London. A hotel was unable to pay its employees or manage online bookings for tourists. A major hospital delayed staff salary payments and restricted its medical services to the outpatient and emergency departments.

    At a time when many concerns surround online censorship by authoritarian governments, India represents both the world’s largest democracy and the world leader in deploying Internet shutdowns as a political tool.

    Update 27 January 2020: News reports state that India’s government has restored Internet access to the Kashmir region, though residents there can currently only browse 301 websites approved by the government and still cannot use social media. Mobile Internet is only available at very low speeds, according to a report from The Wire.

  40. Tomi Engdahl says:

    Twitter and Facebook accounts for 15 NFL teams hacked

    The hacking group OurMine took responsibility for the attack, which said it was to show internet security was “still low” and had to be improved.

    Twitter confirmed the accounts were hacked by a third-party platform.

    Many accounts had the same message posted: “Hi, we’re back. We are here to show people that everything is hackable.”

    OurMine told the BBC it reached out to the NFL ahead of the attack to offer its services in improving the league’s security but received no response.

    OurMine says it is currently based in Dubai.

    In the past, the group has hacked companies and well-known individuals to offer its private cyber security services.

  41. Tomi Engdahl says:

    Sources: Turkey-backed hackers have used DNS hijacking to obtain login credentials, targeting ~30 EU and Middle East governments and organizations since 2018

    Exclusive: Hackers acting in Turkey’s interests believed to be behind recent cyberattacks – sources

  42. Tomi Engdahl says:

    Considering 99% of everyone possessing malware is doing it against their will this is fucking stupid on so many levels.

    Maryland: Make malware possession a crime! Yes, yes, researchers get a free pass

    Hardened cybercrooks must be shaking in their boots

    A US state that was struck by a ransomware attack last year is now proposing a local law that would ban possession of malicious software.

    Local news website the Baltimore Fishbowl reported that Maryland’s Senate heard arguments on Senate Bill SB0030, a proposition that would “label the possession and intent to use ransomware in a malicious manner as a misdemeanor” punishable with up to 10 years in prison and/or a $10,000 fine.

    “First, I doubt that too many people in Maryland actually possess ransomware (except for the cities which have been reluctant recipients of it, that is). Second, making something illegal doesn’t help unless you can catch and prosecute those who break the law.”

    Legal remedies for ransomware only work if you know who your attacker is and what jurisdiction they’re in. Strangely enough, most ransomware gangs go to great lengths to ensure their victims can’t work this out.

  43. Tomi Engdahl says:

    Avast Online Security and Avast Secure Browser are spying on you

    Are you one of the allegedly 400 million users of Avast antivirus products? Then I have bad news for you: you are likely being spied upon. The culprit is the Avast Online Security extension that these products urge you to install in your browser for maximum protection.

    Summary of the findings
    When Avast Online Security extension is active, it will request information about your visited websites from an Avast server. In the process, it will transmit data that allows reconstructing your entire web browsing history and much of your browsing behavior. The amount of data being sent goes far beyond what’s necessary for the extension to function, especially if you compare to competing solutions such as Google Safe Browsing.

    Avast Privacy Policy covers this functionality and claims that it is necessary to provide the service. Storing the data is considered unproblematic due to anonymization (I disagree), and Avast doesn’t make any statements explaining just how long it holds on to it.

  44. Tomi Engdahl says:

    Invasive or helpful? MU using students’ phones to track if they are in class or not

    University of Missouri students, be warned: If it’s not Big Brother watching you, it might be your professors and university administrators.

    The school is using hidden technology and an app on student cellphones to keep track of who is in class and who is not.

  45. Tomi Engdahl says:

    Ding-dong. Who’s there? Any marketing outfit willing to pay: Not content with giving cops access to doorbell cams, Ring also touts personal info
    And yes, Facebook is involved, as ever

    Smart-home biz Ring sends its users’ personal app data to a range of analytics and marketing companies, according to an analysis carried out by the Electronic Frontier Foundation (EFF).

    Already under fire for giving the cops access to footage from its ubiquitous video doorbells, the Amazon-owned manufacturer is also apparently selling information including user email addresses and app settings to third parties who package and sell them to others.

