Cyber security news September 2020

This posting is here to collect cyber security news for September 2020.

I post links to security vulnerability news with short descriptions to the comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.



  1. Tomi Engdahl says:

    Zerologon attack lets hackers take over enterprise networks: Patch now

    Microsoft patches one of the most severe bugs ever reported to the company.

    The bug was patched in the August 2020 Patch Tuesday under the identifier of CVE-2020-1472. It was described as an elevation of privilege in Netlogon, the protocol that authenticates users against domain controllers.

    The vulnerability received the maximum severity rating of 10, but details were never made public, meaning users and IT administrators never knew how dangerous the issue really was.

    But in a blog post today, the team at Secura B.V., a Dutch security firm, has finally lifted the veil from this mysterious bug and published a technical report describing CVE-2020-1472 in greater depth.

    And per the report, the bug is truly worthy of its 10/10 CVSSv3 severity score.

    According to Secura experts, the bug, which they named Zerologon, takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process.
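
The weak-crypto point in the comment above, worked through as an added example (this is not code from Secura, Microsoft or this page): Netlogon derives the credential with AES in 8-bit CFB mode using an IV of sixteen zero bytes. Because the CFB8 shift register therefore starts out all zero, an all-zero client challenge yields an all-zero credential whenever the first byte of the block cipher's output on the zero block happens to be zero, which is the case for roughly 1 key in 256. The script below implements generic CFB8 and measures that rate. Assumptions: the block cipher is a SHA-256-based stand-in for AES-128 so the script runs without a crypto library (the CFB8 behaviour shown does not depend on the block function), and the key-search and sample sizes are chosen for illustration.

```python
"""Added example (not code from Secura, Microsoft or this page): why an
all-zero IV in Netlogon's CFB8 credential computation lets an all-zero
client challenge produce an all-zero credential for about 1 in 256 keys.
ASSUMPTION: the block cipher is a SHA-256-based stand-in for AES-128 so
the script runs without a crypto library; the CFB8 property demonstrated
does not depend on which block function is used."""
import hashlib

BLOCK_SIZE = 16  # AES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed block function (ASSUMPTION: replaces AES-128)."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic 8-bit CFB: keystream byte = first byte of E(shift register),
    then the produced ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb8_encrypt; the register is fed ciphertext bytes."""
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ block_encrypt(key, bytes(register))[0])
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """Same shape as MS-NRPC ComputeNetlogonCredential for AES: CFB8 with an
    IV of sixteen zero bytes over the 8-byte challenge. The fixed zero IV is
    the weakness: the shift register starts out all zero."""
    return cfb8_encrypt(session_key, bytes(BLOCK_SIZE), challenge)


def zero_challenge_gives_zero_credential(session_key: bytes) -> bool:
    """With a zero IV and a zero challenge the first keystream byte is
    E(0..0)[0]. If that byte is 0 the ciphertext byte is 0, the register
    stays all zero, and every following byte is 0 too: a credential an
    attacker can send without knowing the session key."""
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)


def find_key(want_zero: bool, seed: bytes = b"example") -> bytes:
    """Deterministically walk candidate keys until one does (or does not)
    hit the 1-in-256 case; expected ~256 tries for want_zero=True."""
    i = 0
    while True:
        key = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:16]
        if zero_challenge_gives_zero_credential(key) == want_zero:
            return key
        i += 1


def estimate_zero_fraction(trials: int) -> float:
    """Empirical rate of keys for which a zero challenge yields a zero
    credential; should sit near 1/256 (about 0.0039)."""
    hits = sum(
        zero_challenge_gives_zero_credential(
            hashlib.sha256(b"trial" + i.to_bytes(4, "big")).digest()[:16])
        for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("zero-credential rate over 8192 keys:", estimate_zero_fraction(8192))
```

The attacker-side consequence is that the unknown session key does not matter: sending an all-zero challenge and an all-zero credential succeeds on average after about 256 attempts, which is why the comments above describe the exploit as taking seconds.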

  2. Tomi Engdahl says:

    Recent patches to Windows Server closed the CVE-2020-1472 vulnerability that potentially let attackers hijack domain controllers.

    Zerologon vulnerability threatens domain controllers

    On August’s Patch Tuesday, Microsoft closed several vulnerabilities, among them CVE-2020-1472. The Netlogon protocol vulnerability was assigned a “critical” severity level (its CVSS score was the maximum, 10.0). That it might pose a threat was never in doubt, but the other day, Secura researcher Tom Tervoort (who discovered it) published a detailed report explaining why the vulnerability, known as Zerologon, is so dangerous and how it can be used to hijack a domain controller.

  3. Tomi Engdahl says:

    Cerberus banking Trojan source code released for free to cyberattackers
    An auction designed to net the developer of the Android malware $100,000 failed.

  4. Tomi Engdahl says:

    Although the CISA alert only applies to federal government networks, the agency said it “strongly” urges companies and consumers to patch their systems as soon as possible if not already.

    Homeland Security issues rare emergency alert over ‘critical’ Windows bug

    Homeland Security’s cybersecurity advisory unit has issued a rare emergency alert to government departments after the recent disclosure of a “critical”-rated security vulnerability in server versions of Microsoft Windows.

    The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an alert late on Friday requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack by Monday, citing an “unacceptable risk” to government networks.

    The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network’s security. The bug was appropriately called “Zerologon,” because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.

  5. Tomi Engdahl says:

    Billions of devices vulnerable to new ‘BLESA’ Bluetooth security flaw
    New BLESA attack goes after the often ignored Bluetooth reconnection process, unlike previous vulnerabilities, most found in the pairing operation.

  6. Tomi Engdahl says:

    Whitepaper for CVE-2020-1472:

    CVE-2020-1472: ‘Zerologon’ Vulnerability in Netlogon Could Allow Attackers to Hijack Windows Domain Controller

  7. Tomi Engdahl says:

    A hacker group is brute-forcing MSSQL servers with weak passwords and installing crypto-mining malware.

    New MrbMiner malware has infected thousands of MSSQL databases

    Thousands of MSSQL databases have been infected so far, according to the cybersecurity arm of Chinese tech giant Tencent.

    In a report published earlier this month, Tencent Security has named this new malware gang MrbMiner, after one of the domains used by the group to host their malware.

    The Chinese company says the botnet has exclusively spread by scanning the internet for MSSQL servers and then performing brute-force attacks by repeatedly trying the admin account with various weak passwords.
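
The brute-force behaviour described above is easy to spot on the server side because every failed SQL Server login lands in the ERRORLOG as error 18456 with the client address. As an added example (not code from Tencent or this page), the script below parses such lines and raises an alert when one client fails repeatedly against one account inside a short window. The log lines are constructed for the example and use RFC 5737 documentation addresses; the threshold and window are illustrative choices.

```python
"""Added example (not from the Tencent report or this page): detect an
MSSQL password brute-force attempt in SQL Server ERRORLOG lines. The log
text below is constructed for the example (RFC 5737 test addresses); the
'Login failed for user ... [CLIENT: ip]' message is SQL Server's standard
error 18456 text."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_ERRORLOG = """\
2020-09-15 10:22:01.43 Logon       Error: 18456, Severity: 14, State: 8.
2020-09-15 10:22:01.43 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:22:03.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:22:05.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:22:07.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:22:09.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:22:11.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-09-15 10:40:12.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2020-09-15 11:05:44.19 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2020-09-15 11:06:00.00 spid52      Starting up database 'tempdb'.
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[0-9a-fA-F.:]+)\]"
)


def parse_failed_logins(lines):
    """Return (timestamp, user, client_ip) for each failed-login line;
    other ERRORLOG lines (the 'Error: 18456' header, startup noise) are skipped."""
    events = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    return events


def failures_per_client(events):
    """Simple triage view: how many failures each source produced."""
    return Counter(client for _, _, client in events)


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding window per (client, user): alert when `threshold` failures
    for the same account from the same client fall inside `window`.
    Returns {(client, user): time at which the threshold was reached}."""
    stamps_by_key = defaultdict(list)
    for ts, user, client in sorted(events):
        stamps_by_key[(client, user)].append(ts)
    alerts = {}
    for key, stamps in stamps_by_key.items():
        for i in range(len(stamps)):
            j = i + threshold - 1
            if j < len(stamps) and stamps[j] - stamps[i] <= window:
                alerts[key] = stamps[j]
                break  # first time the threshold is crossed is enough
    return alerts


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_ERRORLOG.splitlines())
    print(failures_per_client(evts))
    for (client, user), when in detect_bruteforce(evts).items():
        print(f"ALERT {when}: {client} brute-forcing '{user}'")
```

The per-account grouping matters for this campaign: the comment above says the bot hammers the admin account, so a burst of failures for one account from one source is the signal, whereas the two slow failures from the second address stay below the threshold.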

  8. Tomi Engdahl says:

    Chinese Antivirus Firm Was Part of APT41 Supply Chain Attack
    The U.S. Justice Department this week indicted seven Chinese nationals
    for a decade-long hacking spree that targeted more than 100 high-tech
    and online gaming companies. The government alleges the men used
    malware-laced phishing emails and supply chain attacks to steal data
    from companies and their customers. One of the alleged hackers was
    first profiled here in 2012 as the owner of a Chinese antivirus firm.

  9. Tomi Engdahl says:

    A Mix of Python & VBA in a Malicious Word Document
    A few days ago, Didier wrote an interesting diary about embedded
    objects into an Office document[1]. I had a discussion about an
    interesting OLE file that I found. Because it used the same technique,
    I let Didier publish his diary first. Now, let’s have a look at the

  10. Tomi Engdahl says:

    Apple Bug Allows Code Execution on iPhone, iPad, iPod
    Release of iOS 14 and iPadOS 14 brings fixes for 11 bugs, some rated
    high-severity. Apple has updated its iOS and iPadOS operating systems,
    which addressed a wide range of flaws in its iPhone, iPad and iPod
    devices. The most severe of these could allow an adversary to exploit
    a privilege-escalation vulnerability against any of the devices and
    ultimately gain arbitrary code-execution.

  11. Tomi Engdahl says:

    Leading U.S. laser developer IPG Photonics hit with ransomware
    IPG Photonics, a leading U.S. developer of fiber lasers for cutting,
    welding, medical use, and laser weaponry has suffered a ransomware
    attack that is disrupting their operations. Based out of Oxford,
    Massachusetts, IPG Photonics has locations worldwide where they employ
    over 4,000 people and had $1.3 billion in revenue in 2019. The
    company’s lasers were used as part of the U.S. Navy’s Laser Weapon
    System (LaWS) that was installed on the USS Ponce. This system is an
    experimental defensive weapon against small threats and vehicles.

  12. Tomi Engdahl says:

    Firefox bug lets you hijack nearby mobile browsers via WiFi
    Mozilla has fixed a bug that can be abused to hijack all the Firefox
    for Android browsers on the same WiFi network and force users to
    access malicious sites, such as phishing pages. The bug was discovered
    by Chris Moberly, an Australian security researcher working for
    GitLab. The actual vulnerability resides in the Firefox SSDP
    component. SSDP stands for Simple Service Discovery Protocol and is
    the mechanism through which Firefox finds other devices on the same
    network in order to share or receive content (i.e., such as sharing
    video streams with a Roku device).

  13. Tomi Engdahl says:

    Woman died in an ambulance when a cyberattack froze a German
    hospital's IT system; prosecutor opened a rare investigation
    If the investigation leads to charges, it would, according to Reuters,
    be the first time a person's death has been directly linked to a
    cyberattack. The charge would be negligent homicide. In Germany,
    prosecutors on Friday opened a rare homicide investigation in which a
    woman is suspected of having died as a result of a cyberattack on a
    hospital, the news agency Reuters reports.

  14. Tomi Engdahl says:

    Google App Engine feature abused to create unlimited phishing pages
    A newly discovered technique by a researcher shows how Google’s App
    Engine domains can be abused to deliver phishing and malware while
    remaining undetected by leading enterprise security products. Google
    App Engine is a cloud-based service platform for developing and
    hosting web apps on Google’s servers. While reports of phishing
    campaigns leveraging enterprise cloud domains are nothing new, what
    makes Google App Engine infrastructure risky is how the subdomains get
    generated and paths are routed.

  15. Tomi Engdahl says:

    Mozi Botnet Accounted for Majority of IoT Traffic: IBM

    Mozi, a relatively new botnet, has fueled a significant increase in Internet of Things (IoT) botnet activity, IBM reported this week.

    Showing code overlaps with Mirai and its variants and reusing Gafgyt code, Mozi has been highly active over the past year, and it accounted for 90% of the IoT network traffic observed between October 2019 and June 2020, although it did not attempt to remove competitors from compromised systems, IBM researchers say.

  16. Tomi Engdahl says:

    Senate’s encryption backdoor bill is ‘dangerous for Americans,’ says Rep. Lofgren

    A Senate bill that would compel tech companies to build backdoors to allow law enforcement access to encrypted devices and data would be “very dangerous” for Americans, said a leading House Democrat.

    Senate Republicans in June introduced their latest “lawful access” bill, renewing previous efforts to force tech companies to allow law enforcement access to a user’s data when presented with a court order.

    “It’s dangerous for Americans, because it will be hacked, it will be utilized, and there’s no way to make it secure,” Rep. Zoe Lofgren, whose congressional seat covers much of Silicon Valley, told TechCrunch at Disrupt 2020. “If we eliminate encryption, we’re just opening ourselves up to massive hacking and disruption,” she said.

    Lofgren’s comments echo those of critics and security experts, who have long criticized efforts to undermine encryption, arguing that there is no way to build a backdoor for law enforcement that could not also be exploited by hackers.

    Several previous efforts by lawmakers to weaken and undermine encryption have failed. Currently, law enforcement has to use existing tools and techniques to find weaknesses in phones and computers. The FBI claimed for years that it had thousands of devices that it couldn’t get into, but admitted in 2018 that it repeatedly overstated the number of encrypted devices it had and the number of investigations that were negatively impacted as a result.

    The group’s final report, bipartisan but not binding, found that any measures to undermine encryption “works against the national interest.”

    Still, it’s a talking point that the government continues to push, even as recently as this year when U.S. Attorney General William Barr said that Americans should accept the security risks that encryption backdoors pose.

    “You cannot eliminate encryption safely,” Lofgren told TechCrunch. “And if you do, you will create chaos in the country and for Americans, not to mention others around the world,” she said. “It’s just an unsafe thing to do, and we can’t permit it.”

  17. Tomi Engdahl says:

    Firefox Flaw Allowed Hackers to Remotely Open Malicious Sites on Android Phones

    Mozilla Discontinues Firefox Feature Abused in Malware, Phishing Attacks

    Mozilla is decommissioning Firefox Send and Firefox Notes, two legacy services that emerged out of the Firefox Test Pilot program.

  18. Tomi Engdahl says:

    FERC, NERC Conduct Study on Cyber Incident Response at Electric Utilities

    The U.S. Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) last week released a report outlining cyber incident response and recovery best practices for electric utilities.

    The report is based on a study conducted by staff at FERC, NERC and NERC regional entities. The study is based on information provided by experts at eight U.S. electric utilities of various sizes and functions, and its goal was to help the industry improve incident response and incident recovery plans, which authors of the study say help ensure the reliability of the bulk electric system in the event of a cybersecurity incident.

    The study found that there is no best incident response and recovery (IRR) plan model. The IRR plans of the targeted utilities share many similarities — they are based on the same NIST framework (SP 800-61) — but there are also differences, and some organizations have developed separate plans for incidents impacting their operational and business networks.

  19. Tomi Engdahl says:

    Firefox 81 Release Kills High-Severity Code-Execution Bugs
    Mozilla patched high-severity vulnerabilities with the release of
    Firefox 81 and Firefox ESR 78.3, including several that could be
    exploited to run arbitrary code. Two severe bugs (CVE-2020-15674 and
    CVE-2020-15673) are errors in the browsers' memory-safety protections,
    which prevent memory access issues like buffer overflows.
    CVE-2020-15674 was reported in Firefox 80, while CVE-2020-15673 was
    reported in Firefox 80 and Firefox ESR 78.2.

  20. Tomi Engdahl says:

    Russian hackers use fake NATO training docs to breach govt networks
    A Russian hacker group known by the names APT28, Fancy Bear, Sofacy,
    Sednit, and STRONTIUM, is behind a targeted attack campaign aimed at
    government bodies. The group delivered a hard-to-detect strain of
    Zebrocy Delphi malware under the pretense of providing NATO training
    materials. Researchers further inspected the files containing the
    payload and discovered these impersonated JPG files showing NATO
    images when opened on a computer.

  21. Tomi Engdahl says:

    Microsoft Extending Threat Protection Portfolio, Unifying Security Solutions

    Microsoft announced on Tuesday at its Ignite 2020 conference that it has extended its threat protection portfolio and it has unified some of its cybersecurity solutions.

    The company says its goal is to provide the “most comprehensive” XDR solution on the market by unifying all XDR technologies under the Microsoft Defender brand. Microsoft Defender includes Microsoft 365 Defender, formerly Microsoft Threat Protection, and Azure Defender, which includes the cloud workload protections in the Azure Security Center.

    Azure Defender, which provides XDR capabilities for Azure and hybrid resources, is expected to become the default later this month.

    Microsoft says Azure Defender can now protect SQL servers in the cloud and on premises, as well as virtual machines in other clouds, thanks to Azure Arc support. As for container security in Azure, the tech giant told customers that its Kubernetes and Container Registry services (now called Azure Defender for Kubernetes and Azure Defender for Container Registries) have received some new features that should provide enhanced protection for containers.

  22. Tomi Engdahl says:

    Samba Issues Patches for Zerologon Vulnerability

    The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

    Also referred to as Zerologon and tracked as CVE-2020-1472, the security issue was addressed on August 2020 Patch Tuesday and can be triggered when an adversary connects to a domain controller using a vulnerable Netlogon secure channel connection.

    An attacker can leverage a specially crafted application on a device connected to the network to exploit the vulnerability and gain domain administrator access.

    On Friday, the DHS issued an Emergency Directive requiring all federal agencies to address the flaw within three days, deeming it an “unacceptable risk to the Federal Civilian Executive Branch.”

    As it turns out, Windows Server wasn’t the only product impacted by the vulnerability. Samba, which allows users to easily share files between Linux and Windows systems, is impacted as well, as it relies on Netlogon.

    With Zerologon being a protocol-level vulnerability and Samba implementing the Netlogon protocol, Samba is also vulnerable to the bug, but only when used as a domain controller. Active Directory DC installations are affected the most, with the flaw having low impact on the classic/NT4-style DC.

    “Since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having ‘server schannel = yes’ in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’,” the Samba team explains.

    == Subject: Unauthenticated domain takeover via netlogon (“ZeroLogon”)
    == CVE ID#: CVE-2020-1472
    == Versions: Samba 4.0 and later
    == Summary: An unauthenticated attacker on the network can gain
    == administrator access by exploiting a netlogon
    == protocol flaw.
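
The Samba advisory quoted above reduces the question to two smb.conf settings: whether the host is a domain controller and what "server schannel" is set to. As an added example (not code from the Samba project or this page), the script below reads the [global] section of an smb.conf and reports the exposure, with a weak configuration next to its corrected form. Both configurations are constructed. Assumptions: the default for "server schannel" is taken as "auto" before 4.8 and "yes" from 4.8 on (the advisory states the latter), and a host without an explicit "server role" is treated as not a DC (Samba's real default role is derived from "security" and "domain logons", which the script does not model).

```python
"""Added example (not from the Samba project or this page): read the
[global] section of an smb.conf and report whether the host is exposed to
Zerologon through the 'server schannel' setting. Both configs below are
constructed. ASSUMPTIONS: 'server schannel' defaults to 'auto' before
Samba 4.8 and to 'yes' from 4.8 on; a missing 'server role' is treated
as 'not a DC' (the real default derives the role from other settings)."""
import re

# Weak: an AD DC that lets clients negotiate an insecure netlogon channel.
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.INTERNAL
    server role = active directory domain controller
    # "auto" lets a client negotiate an insecure netlogon channel
    server schannel = auto

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

# Corrected: insist on a secure channel, which the advisory calls a
# sufficient fix against the known exploits.
FIXED_SMB_CONF = WEAK_SMB_CONF.replace("server schannel = auto",
                                       "server schannel = yes")

# A member server: the setting is weak but the host is not a DC, so the
# Netlogon server side that Zerologon targets is not present.
MEMBER_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads
    server role = member server
    server schannel = no
"""


def parse_global(smb_conf: str) -> dict:
    """Return [global] parameters keyed by name with case and internal
    whitespace removed (smb.conf treats 'server schannel' and
    'ServerSChannel' alike). Lines starting with # or ; are comments."""
    params = {}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def zerologon_exposure(smb_conf: str, samba_version=(4, 8, 0)) -> dict:
    """Exposed only when the host is a DC (AD or classic/NT4-style) and
    'server schannel' resolves to 'no' or 'auto'."""
    g = parse_global(smb_conf)
    role = g.get("serverrole", "standalone server").lower()  # ASSUMPTION, see above
    is_dc = "domain controller" in role
    default = "yes" if tuple(samba_version) >= (4, 8, 0) else "auto"  # ASSUMPTION for < 4.8
    schannel = g.get("serverschannel", default).lower()
    return {
        "is_domain_controller": is_dc,
        "server_schannel": schannel,
        "exposed": is_dc and schannel in ("no", "auto"),
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF),
                       ("member", MEMBER_SMB_CONF)):
        print(name, zerologon_exposure(conf))
```

On a real host the version check matters as much as the file: a pre-4.8 DC with no "server schannel" line at all falls back to "auto" and is exposed, while the same file on 4.8 or later is not.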

  23. Tomi Engdahl says:

    Shopify Discloses Insider Threat Incident

    E-commerce platform provider Shopify on Tuesday said two members of its support staff were caught accessing customer information without authorization.

    According to Shopify, the two employees used their permissions to access customer transactional records from some merchants. The company says fewer than 200 merchants are impacted by the incident and they have all been notified.

  24. Tomi Engdahl says:

    Google Patches Privilege Escalation Vulnerability in Cloud Service

    Google recently patched a privilege escalation vulnerability in OS Config, a Google Cloud Platform service for Compute Engine that is designed for managing operating systems running on virtual machine instances.

    Security researcher Imre Rad analyzed the service, which he says is still in beta. He noticed that the agent process associated with the service, google_osconfig_agent, is running by default, with root privileges.

  25. Tomi Engdahl says:

    ESP32 Vulnerability Affects Older Chips

    There is a scene from the movie RED (Retired, Extremely Dangerous) where Bruce Willis encounters a highly-secure door with a constantly changing lock code deep inside the CIA. Knowing the lock would be impossible to break, he simply destroyed the wall next to the door, reached through, and opened the door from the other side. We thought about that when we saw [raelize’s] hack to bypass the ESP32’s security measures.

    Before you throw out all your ESP32 spy gadgets, though, be aware that the V3 silicon can be made to prevent the attack. V1 and V2, however, have a flaw that — if you know how to exploit it — renders secure boot and flash encryption almost meaningless.

    The hack centers around the UART bootloader. You can cause the chip to enter that mode and do basic operations such as read and write RAM and registers. You can also execute code from RAM. That’s not a particular security risk, though, since the flash memory may be encrypted. Decryption is transparent in the hardware and the chip doesn’t do the decryption during the boot loader mode. Sure, you can read the encrypted flash, but you could do that with some fancy desoldering or probing techniques, too.

    During a normal boot, a bootloader in flash is placed in RAM. If you can glitch the CPU at just the right time — in theory — you could force the processor to run your RAM-based code in normal mode where the flash is already decrypted. The only problem is, they tried about 1,000,000 cycles and had no success. But they did notice something odd.

    Espressif ESP32: Bypassing Encrypted Secure Boot (CVE-2020-13629)

  26. Tomi Engdahl says:

    Micropatch for Zerologon, the “perfect” Windows vulnerability
    The Zerologon vulnerability allows an attacker with network access to
    a Windows Domain Controller to quickly and reliably take complete
    control of the Windows domain. As such, it is a perfect vulnerability
    for any attacker and a nightmare for defenders. It was discovered by
    Tom Tervoort, a security researcher at Secura and privately reported
    to Microsoft, which issued a patch for supported Windows versions as
    part of August 2020 updates and assigned it CVE-2020-1472. The
    micropatch we wrote is logically identical to Microsoft’s fix. We
    injected it in function NetrServerAuthenticate3 in roughly the same
    place where Microsoft added the call to
    NlIsChallengeCredentialPairVulnerable, but since the latter doesn’t
    exist in old versions of netlogon.dll, we had to implement its logic
    in our patch.

  27. Tomi Engdahl says:

    Alien Android Banking Trojan Sidesteps 2FA
    A newly uncovered banking trojan called Alien is invading Android
    devices worldwide, using an advanced ability to bypass two-factor
    authentication (2FA) security measures to steal victim credentials.
    Once it has infected a device, the RAT aims to steal passwords from at
    least 226 mobile applications including banking apps like Bank of
    America Mobile Banking and Capital One Mobile, as well as a slew of
    collaboration and social apps like Snapchat, Telegram and Microsoft
    Outlook. Also:

  28. Tomi Engdahl says:

    Extremely critical Windows vulnerability is now a threat, warns
    the National Cyber Security Centre: patch immediately
    Earlier this week we wrote about Zerologon attacks against a Windows
    security hole. According to Secura, the security company that found
    the vulnerability, exploiting it takes “in practice about three
    seconds” and requires no login at all from the attacker. The National
    Cyber Security Centre now reports that attack tools for exploiting
    the vulnerability have been published. A fix for the vulnerability was
    released in Microsoft's August updates, and the Cyber Security Centre
    recommends installing the updates immediately. In addition:

  29. Tomi Engdahl says:

    ZeroLogon(CVE-2020-1472) – Attacking & Defending
    A handy walkthrough of CVE-2020-1472 from both a red and blue team
    perspective, how to detect, patch and hack ZeroLogon. You’re reading
    this already thinking, not another zerologon post, oh great… Stay
    tuned it’s a bit more than the normal posts, looking at it from the
    build break defend fix mentality. I’ve added a quick skip ToC if you
    want to skip to specific areas that interest you, or otherwise buckle
    up folks, it’s going to be a long ride!

  30. Tomi Engdahl says:

    Google Launches Enterprise Threat Detection Solution

    Google this week announced the availability of Chronicle Detect, a threat detection solution for enterprises from Google Cloud.

    This is the first threat detection product out of the Chronicle cybersecurity platform after Chronicle became part of Google in June last year.

    Launched in 2018 as a separate entity, Chronicle was established in 2016 within Google’s parent company Alphabet, aiming at delivering visibility into possible vulnerable areas, to help improve security posture. In March 2019, Chronicle launched security telemetry platform Backstory, and in June 2019 it announced joining Google Cloud.

    The newly announced detection tool, Google revealed in a blog post this week, takes advantage of its large infrastructure to help organizations identify threats faster and at a higher scale than before.

    Modern detection for modern threats: Changing the game on today’s threat actors

  31. Tomi Engdahl says:

    DHS Admits Facial Recognition Photos Were Hacked, Released on Dark Web

    Travelers’ faces, license plates, and car information were hacked from a subcontractor called Perceptics and released on the dark web.

    The Department of Homeland Security (DHS) finally acknowledged Wednesday that photos that were part of a facial recognition pilot program were hacked from a Customs and Border Control subcontractor and were leaked on the dark web last year.

    Among the data, which was collected by a company called Perceptics, was a trove of travelers’ faces, license plates, and car information. The information made its way to the Dark Web, despite DHS claiming it hadn’t. In a newly released report about the incident, the DHS Office of Inspector General admitted that 184,000 images were stolen and at least 19 of them were posted to the Dark Web.

  32. Tomi Engdahl says:

    Andrew Martin / Bloomberg:
    CISA: a hacker accessed the network of an unnamed US federal agency using valid credentials for multiple users’ Microsoft 365 accounts and domain admin accounts — An unnamed U.S. federal agency was hit with a cyber-attack after a hacker used valid access credentials, authorities said on Thursday.

    Hacker Accessed Network of U.S. Agency and Downloaded Data

    An unnamed U.S. federal agency was hit with a cyber-attack after a hacker used valid access credentials, authorities said on Thursday.

    While many details of the hack weren’t revealed, federal authorities did divulge that the hacker was able to browse directories, copy at least one file and exfiltrate data, according to the Cybersecurity & Infrastructure Security Agency, known as CISA.

    The hacker implanted malware that evaded the agency’s protection system and was able to gain access to the network by using valid access credentials for multiple users’ Microsoft 365 accounts and domain administrator accounts, according to authorities.

    Investigators weren’t able to determine how the hacker initially obtained the credentials. But the agency said it was possible that the hacker obtained them by exploiting a known vulnerability in Pulse Secure virtual private network servers.

    The network breach wasn’t related to the upcoming U.S. election, according to a Department of Homeland Security official. CISA is part of the department.

  33. Tomi Engdahl says:

    Why is your personal health information worth 350 dollars on the black market?

    A woman who died in Duesseldorf University Hospital during a ransomware attack might be the first victim linked to a cyberattack on a hospital. Bentsi Ben-Atar, a prominent cybersecurity expert, and chief marketing officer at Sepio Systems, says that it “only takes a number of highly publicized attacks” to drive significant budget increases in cybersecurity. At the moment, the healthcare system worldwide doesn’t invest enough to shield themselves from cyberattacks.

  34. Tomi Engdahl says:

    Facebook says fake accounts tied to Russia posed as journalists and promoted other websites

    The social network pulled down three networks of fake account tied to Russia, including some that had links to the Russian military and intelligence services.

  35. Tomi Engdahl says:

    Bluetooth Security Weaknesses Pile Up, While Patching Remains Problematic

    Turns out, creating wireless ecosystems for a vast number of different architectures, configurations, and use cases is hard.

  36. Tomi Engdahl says:

    Windows XP Source Code Reportedly Leaked, Posted to 4chan
    By Paul Alcorn
    There’s no putting this genie back in the bottle

    Reports have emerged today that the Windows XP source code has been leaked to 4chan, with the leaked code then being posted to a torrent and the Mega file sharing service. Reports have also emerged that independent researchers have since begun analyzing the data, with initial indications that the leak is legitimate. However, there hasn’t been an official confirmation.

    Looks Like the Windows XP Source Code Just Leaked on 4chan

