Cyber Security March 2018

This posting is here to collect security alert news in March 2018.

I post links to security vulnerability news to comments of this article.



  1. Tomi Engdahl says:

    Canadian Firm Linked to Cambridge Analytica Exposed Source Code

    Source code belonging to Canada-based digital advertising and software development company AggregateIQ has been found by researchers on an unprotected domain. The exposed files appear to confirm reports of a connection between AggregateIQ and Cambridge Analytica, the controversial firm caught in the recent Facebook data scandal.

    On March 20, Chris Vickery of cyber risk company UpGuard stumbled upon an AggregateIQ subdomain hosting source code for the company’s tools. The files, stored using a custom version of the code repository GitLab, were accessible simply by providing an email address.

    The exposed information included the source code of tools designed for organizing information on a large number of individuals, including how they are influenced by ads, and tracking their online activities. The files also contained credentials that may have allowed malicious actors to launch damaging attacks, UpGuard said.

    The nature of the exposed code is not surprising considering that the firm is said to have developed tools used in political campaigns around the world, including in the United States and United Kingdom.

    AggregateIQ has been linked by the press and a whistleblower to Cambridge Analytica, a British political consulting and communications firm said to be involved in the presidential campaigns of Donald Trump and Ted Cruz, and the Brexit “Vote Leave” campaign.

  2. Tomi Engdahl says:

    Windows 7 Meltdown patch opens worse vulnerability: Install March updates now

    Microsoft’s Meltdown fix opened a gaping hole in Windows 7 security, warns researcher.

    Microsoft’s early patches for Intel’s Meltdown CPU vulnerability created an even bigger problem in Windows 7 that allowed any unprivileged application to read kernel memory.

    Microsoft’s January and February patches stopped the Meltdown bug that exposed passwords in protected memory, but security researcher Ulf Frisk has discovered that the patches introduced a far worse kernel bug, which allows any process to read and write anywhere in kernel memory.

    Frisk says the vulnerability affects Windows 7 x64 and Windows 2008R2 with the January or February patches.

    According to Frisk, the two faulty patches wrongly set a bit in the virtual-to-physical-memory translator known as PML4 to allow any user-mode application to access the kernel’s page tables.

  3. Tomi Engdahl says:

    Critical Flaws Found in Siemens Telecontrol, Building Automation Products

    Siemens informed customers this week that critical vulnerabilities have been found in some of its telecontrol and building automation products, and revealed that some SIMATIC systems are affected by a high severity flaw.

    One advisory published by the company describes several critical and high severity flaws affecting Siveillance and Desigo building automation products. The security holes exist due to the use of a vulnerable version of a Gemalto license management system (LMS).

    The bugs affect Gemalto Sentinel LDK and they can be exploited for remote code execution and denial-of-service (DoS) attacks.

  4. Tomi Engdahl says:

    Fileless Crypto-Mining Malware Discovered

    Malicious crypto-miners have invaded the threat landscape over the past year, fueled by a massive increase in the value of crypto-currency.

    A recent attack discovered by security researchers from Minerva Lab used malware dubbed GhostMiner, which has adopted the most effective techniques used by other malware families, including fileless infection attacks.

    Focused on mining Monero crypto-currency, the new threat used PowerShell evasion frameworks – Out-CompressedDll and Invoke-ReflectivePEInjection – that employed fileless techniques to hide the malicious code.

    Each of the malware’s components was designed for a different purpose: one PowerShell script to ensure propagation to new machines, and another to perform the actual mining operations.

    “This evasive approach was highly effective at bypassing many security tools: some of the payloads analyzed were fully undetected by all the security vendors,” Minerva Labs’ Asaf Aprozper and Gal Bitensky reveal.
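
The quoted write-up names two PowerShell frameworks (Out-CompressedDll and Invoke-ReflectivePEInjection) and a fileless delivery style. The following is an added example, not code from the page or from Minerva Labs: it scans PowerShell script-block text (what Event ID 4104 logging records) for those tools, first unwrapping any -EncodedCommand argument, since that base64/UTF-16LE layer is what hides the indicators from a naive string match. The event texts are constructed, and the indicator list beyond the two names in the article is my own choice.

```python
# Added example (not from the page or Minerva Labs): indicator scan over
# PowerShell script-block text with -EncodedCommand layers decoded first.
import base64
import re

# Indicator strings: the two frameworks named in the article plus the
# building blocks such loaders normally use (my additions, not from the page).
INDICATORS = [
    ("Invoke-ReflectivePEInjection", "reflective in-memory PE loader"),
    ("Out-CompressedDll", "compressed/embedded DLL carrier"),
    ("VirtualAlloc", "manual memory mapping from PowerShell"),
    ("FromBase64String", "base64-embedded payload"),
    ("Compression.GZipStream", "compressed payload staged in memory"),
]

# Common spellings of powershell.exe's -EncodedCommand switch (the switch
# accepts any unambiguous prefix; only the usual ones are listed here).
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
                        re.IGNORECASE)


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 over UTF-16LE text; return None if it is not that."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def expand_layers(text, max_depth=3):
    """Return the block as logged plus every -EncodedCommand payload found
    inside it, decoded recursively up to max_depth wrappings."""
    layers = [text]
    frontier = [text]
    for _ in range(max_depth):
        decoded = [d for t in frontier
                   for d in map(decode_encoded_command, ENCODED_RE.findall(t)) if d]
        if not decoded:
            break
        layers.extend(decoded)
        frontier = decoded
    return layers


def scan_script_block(text):
    """Return (indicator, meaning, where) for every indicator found in the
    block or in one of its decoded layers; where is 'plaintext' or 'encoded'."""
    hits = []
    layers = expand_layers(text)
    for needle, meaning in INDICATORS:
        for i, layer in enumerate(layers):
            if needle.lower() in layer.lower():
                hits.append((needle, meaning, "plaintext" if i == 0 else "encoded"))
                break
    return hits


def make_encoded_command(script):
    """Builds the -EncodedCommand argument the way an attacker would; used only
    to construct the sample event below."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed script-block texts: one benign, one plaintext loader, one hidden
# behind -enc. None of these come from a real incident.
SAMPLE_EVENTS = [
    "Get-ChildItem C:\\Windows\\Temp | Sort-Object LastWriteTime",
    "$bytes = [IO.File]::ReadAllBytes('C:\\Users\\Public\\m.bin'); "
    "Out-CompressedDll -FilePath 'C:\\Users\\Public\\m.dll'",
    "powershell.exe -nop -w hidden -enc " + make_encoded_command(
        "$PEBytes = [Convert]::FromBase64String($blob); "
        "Invoke-ReflectivePEInjection -PEBytes $PEBytes -ForceASLR"),
]

if __name__ == "__main__":
    for n, event in enumerate(SAMPLE_EVENTS):
        hits = scan_script_block(event)
        print(f"event {n}: {'clean' if not hits else ''}")
        for needle, meaning, where in hits:
            print(f"  {needle} ({meaning}) found in {where} layer")
```

The third sample is the one that matters: the logged command line contains nothing but base64, so a detection that only greps the raw 4104 text misses it; decoding the layer first is what surfaces the loader name. Matching on function names is still a weak control on its own, since a renamed copy of the same script evades it, so in practice this sits beside behavioural signals (PowerShell spawning with -w hidden, unusual memory allocations) rather than replacing them.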

  5. Tomi Engdahl says:

    GoScanSSH Malware Targets Linux Servers

    A recently discovered malware family written using the Golang (Go) programming language is targeting Linux servers and using a different binary for each attack, Talos warns.

    Dubbed GoScanSSH because it compromises SSH servers exposed to the Internet, the malware’s command and control (C&C) infrastructure leverages the Tor2Web proxy service to prevent tracking and takedowns.

    The malware operators, Talos believes, had a list of more than 7,000 username/password combinations they would use to authenticate to the servers, after which they would create a unique GoScanSSH binary to upload and execute on the server.

    The actors behind this threat would target weak or default credentials used across a variety of Linux-based devices. Usernames used in the attack include admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

    The credential combinations used in these attacks targeted Open Embedded Linux Entertainment Center (OpenELEC); Raspberry Pi; Open Source Media Center (OSMC); jailbroken iPhones; Ubiquiti device, PolyCom SIP phone, Huawei device, and Asterisk default credentials; and various keyboard patterns and well-known commonly used passwords.

    Talos discovered over 70 unique GoScanSSH samples compiled to target multiple system architectures (x86, x86_64, ARM, and MIPS64).
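
The Talos description above is a credential-spraying campaign against default accounts. As an added example (not code from the page or from Talos), the script below runs the corresponding detection over sshd log lines: it groups failures by source address, counts how many of the default usernames listed in the article were tried, and escalates to a compromise verdict when a success follows the spray. The log lines are constructed in OpenSSH's syslog format and the thresholds are my own.

```python
# Added example (not from the page or Talos): sshd credential-spray detection.
import re
from collections import defaultdict

# Usernames named in the Talos write-up quoted above.
DEFAULT_ACCOUNTS = {"admin", "guest", "oracle", "osmc", "pi", "root",
                    "test", "ubnt", "ubuntu", "user"}

# OpenSSH password-auth messages (public-key failures are logged differently
# and are deliberately out of scope here).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")
ACCEPTED_RE = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")


def analyse_sshd_log(lines, fail_threshold=10, default_threshold=3):
    """Group sshd events by source and report sources that behave like a
    credential-spraying bot. A source is suspicious when it either racks up
    fail_threshold failures or tries default_threshold distinct default
    accounts; a suspicious source that then logs in is a compromise."""
    failures = defaultdict(list)   # ip -> usernames in failed attempts
    successes = defaultdict(list)  # ip -> usernames that got in
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes[m["ip"]].append(m["user"])

    report = {}
    for ip, users in failures.items():
        defaults_tried = sorted(set(users) & DEFAULT_ACCOUNTS)
        if len(users) < fail_threshold and len(defaults_tried) < default_threshold:
            continue  # ordinary typo-level failures, not a spray
        report[ip] = {
            "failures": len(users),
            "distinct_users": len(set(users)),
            "default_accounts_tried": defaults_tried,
            "compromised_accounts": successes.get(ip, []),
            "verdict": "COMPROMISE" if successes.get(ip) else "BRUTE_FORCE",
        }
    return report


# Constructed sample: one bot walking default accounts and getting root,
# one legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Mar 26 03:14:01 host sshd[2101]: Failed password for root from 198.51.100.7 port 41122 ssh2
Mar 26 03:14:02 host sshd[2103]: Failed password for invalid user pi from 198.51.100.7 port 41130 ssh2
Mar 26 03:14:03 host sshd[2105]: Failed password for invalid user ubnt from 198.51.100.7 port 41138 ssh2
Mar 26 03:14:04 host sshd[2107]: Failed password for invalid user osmc from 198.51.100.7 port 41144 ssh2
Mar 26 03:14:05 host sshd[2109]: Accepted password for root from 198.51.100.7 port 41150 ssh2
Mar 26 03:20:11 host sshd[2230]: Failed password for alice from 203.0.113.9 port 50222 ssh2
Mar 26 03:20:15 host sshd[2232]: Accepted password for alice from 203.0.113.9 port 50230 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in analyse_sshd_log(SAMPLE_LOG).items():
        print(f"{ip}: {info['verdict']} after {info['failures']} failures, "
              f"default accounts tried: {', '.join(info['default_accounts_tried'])}"
              + (f", logged in as {', '.join(info['compromised_accounts'])}"
                 if info['compromised_accounts'] else ""))
```

The second threshold is the useful one against this campaign: a bot that walks a 7,000-entry list spreads its attempts thinly across many targets, so a per-host failure count alone can stay under a fail2ban-style limit, while the pattern of distinct default accounts (root, pi, ubnt, osmc) from one source is distinctive even at low volume. The usual follow-up is the same as for any SSH brute force: password authentication off, keys only, and default accounts on appliances renamed or disabled.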

  6. Tomi Engdahl says:

    Severe Vulnerabilities Expose MicroLogix PLCs to Attacks

    Rockwell Automation has released patches and mitigations for several potentially serious vulnerabilities discovered by Cisco Talos researchers in its Allen-Bradley MicroLogix 1400 programmable logic controllers (PLCs).

    According to Cisco Talos, the vulnerabilities can be exploited for denial-of-service (DoS) attacks, modifying a device’s configuration and ladder logic, and writing or removing data on its memory module.

    Since these controllers are typically used in industrial environments, including in critical infrastructure organizations, exploitation of the flaws could result in significant damage, Talos said.

  7. Tomi Engdahl says:

    Drupalgeddon: Critical Flaw Exposes a Million Drupal Websites to Attacks

    All versions of the Drupal content management system are affected by a highly critical vulnerability that can be easily exploited to take complete control of affected websites in what may turn out to be Drupalgeddon 2.0.

    While analyzing the security of Drupal, Jasper Mattsson discovered a serious remote code execution flaw that impacts versions 6, 7 and 8. This represents more than one million websites that can be hacked by a remote and unauthenticated attacker.

    The security hole, tracked as CVE-2018-7600 and assigned a risk score of 21/25, can be exploited simply by accessing a page on the targeted Drupal website. Once exploited, it gives the attacker full control over a site, including access to non-public data and the possibility to delete or modify system data, Drupal developers warned.

  8. Tomi Engdahl says:

    Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand

    Residents can’t pay their water bill or their parking tickets. Police and other employees are having to write out their reports by hand. And court proceedings for people who are not in police custody are canceled until computer systems are functioning properly again.

    More than six days after a ransomware attack shut down the city of Atlanta’s online systems, officials here are still struggling to keep the government running without many of their digital processes and services.

  9. Tomi Engdahl says:

    Facebook is cutting third-party data providers out of ad targeting to clean up its act
    Facebook says it’s going to stop using data from third-party data providers like Experian and Acxiom

  10. Tomi Engdahl says:

    Microsoft bans use of “offensive language” on Xbox Live, Skype, and other services

    If you’re not averse to being a bit sweary on Skype, Xbox Live, or other Microsoft products, be careful: the Redmond firm has updated its service agreement, prohibiting the use of “offensive language” and fraudulent activity.

    Anyone found violating the rules, which go into effect on May 1, may be suspended or banned from Xbox services. Offenders also risk forfeiting their account balances, any content licenses they may own, and their Xbox Gold Membership.

    Microsoft also says that it may trawl through your accounts if it suspects you’ve been violating its Terms and Conditions. “When investigating alleged violations of these Terms, Microsoft reserves the right to review Your Content in order to resolve the issue,” it writes.

    Summary of Changes to Microsoft Services Agreement

  11. Tomi Engdahl says:

    Train to be a top cybercrime fighter at SANS London June 2018
    Hands-on workshops, extra evening sessions – hoodies optional

    Promo As the global volume of data rises like an unstoppable tide, IT systems grow increasingly complex and sophisticated to accommodate it – yet cyber criminals constantly find ingenious new ways of stealing vital information or disrupting systems.

    Understandably, security professionals who can forestall the attackers’ rapidly evolving tactics and keep their organisations safe are more than ever in high demand.

    Leading security training provider SANS is staging an event from 4-9 June at the Grand Connaught Rooms in London offering the chance to choose from a range of SANS courses, many of which prepare students for valuable GIAC certification in specialised areas of cyber security.

  12. Tomi Engdahl says:

    Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE
    You’ll want to install the March update. Like right now – if you can avoid broken networking

    Microsoft’s January and February security fixes for Intel’s Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes.

    This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple’s FileVault disk encryption system.

    We’re told Redmond’s early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system’s memory map, gain administrator-level privileges, and extract and modify any information in RAM.
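
Items 2 and 12 above describe the same defect: the early Windows 7 x64 Meltdown patches left a PML4 entry marked user-accessible, so normal processes could read and write the paging structures. The block below is an added example, not code from the page or from Ulf Frisk's research. It decodes x86-64 PML4 entries, works out which virtual address range each slot covers, and audits a table for kernel-half entries with the User/Supervisor bit set. The 512-entry table is constructed; the one constant not stated on the page is 0x1ED, the slot Windows 7 x64 used for its self-referencing PML4 entry, which is why a user-accessible entry there exposed every page table in the system.

```python
# Added example (not from the page or Ulf Frisk): PML4 entry decoding and
# an audit for user-accessible kernel-half entries.
PML4_SELF_REF_INDEX = 0x1ED          # Windows 7 x64 self-reference slot (not from the page)
PML4_SHIFT = 39                      # one PML4 entry covers 512 GiB of virtual space
PHYS_MASK = 0x000F_FFFF_FFFF_F000    # bits 51:12 hold the next table's physical address
BIT_PRESENT = 1 << 0
BIT_RW = 1 << 1
BIT_USER = 1 << 2                    # U/S: 1 means user mode may walk this subtree
BIT_NX = 1 << 63


def make_pml4e(phys, present=True, rw=True, user=False, nx=False):
    """Build a PML4 entry pointing at the page-directory-pointer table at `phys`."""
    if phys & ~PHYS_MASK:
        raise ValueError("physical address must be page aligned and below 2^52")
    entry = phys
    entry |= BIT_PRESENT if present else 0
    entry |= BIT_RW if rw else 0
    entry |= BIT_USER if user else 0
    entry |= BIT_NX if nx else 0
    return entry


def decode_pml4e(entry):
    """Split a raw 64-bit PML4 entry into the fields that matter for access control."""
    return {
        "present": bool(entry & BIT_PRESENT),
        "writable": bool(entry & BIT_RW),
        "user": bool(entry & BIT_USER),
        "nx": bool(entry & BIT_NX),
        "phys": entry & PHYS_MASK,
    }


def pml4_index_range(index):
    """Canonical virtual address range covered by PML4 slot `index`.
    Slots 256..511 form the upper (kernel) half and are sign-extended."""
    if not 0 <= index < 512:
        raise ValueError("PML4 index out of range")
    start = index << PML4_SHIFT
    if index >= 256:
        start |= 0xFFFF_0000_0000_0000
    return start, start + (1 << PML4_SHIFT) - 1


def audit_pml4(table):
    """Return kernel-half slots that are present and user accessible.
    Any hit lets user mode walk the structures under that slot; with R/W set
    it can also rewrite them, and at the self-reference slot that means every
    page table in the system, which is the condition items 2 and 12 describe."""
    return [i for i, e in enumerate(table)
            if i >= 256 and decode_pml4e(e)["present"] and decode_pml4e(e)["user"]]


def build_sample_pml4(faulty):
    """Constructed PML4: two user-half slots, one ordinary kernel slot and the
    self-reference slot. faulty=True reproduces the bad patch (U/S set there)."""
    table = [0] * 512
    table[0] = make_pml4e(0x1000, user=True)        # user image and heap
    table[1] = make_pml4e(0x2000, user=True)
    table[0x1F0] = make_pml4e(0x3000, user=False)   # ordinary kernel mapping
    table[PML4_SELF_REF_INDEX] = make_pml4e(0x1AD000, user=faulty)
    return table


if __name__ == "__main__":
    for faulty, label in ((True, "Jan/Feb patch"), (False, "March patch")):
        hits = audit_pml4(build_sample_pml4(faulty))
        if not hits:
            print(f"{label}: no user-accessible kernel-half PML4 entries")
        for idx in hits:
            lo, hi = pml4_index_range(idx)
            print(f"{label}: slot {idx:#x} ({lo:#018x}-{hi:#018x}) is user accessible")
```

The audit is the check a kernel developer would add to a test build: the hardware enforces U/S hierarchically, so a single permissive PML4 entry overrides every supervisor-only bit in the tables beneath it, and no amount of correct PTE flags further down compensates. Running this against a real PML4 requires reading it from a kernel debugger or a memory image; the script itself only shows the logic.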


  13. Tomi Engdahl says:

    Baltimore: Ransomware attack hobbled city’s dispatch system

  14. Tomi Engdahl says:

    Boeing hit by WannaCry virus, but says attack caused little damage

    Though news of the attack by the WannaCry virus triggered widespread alarm within Boeing and among airline customers during the day Wednesday, by evening the company was calling for calm.

    Boeing was hit Wednesday by the WannaCry computer virus, and after an initial scare within the company that vital airplane-production equipment might be brought down, company executives later offered assurances that the attack had been quashed with minimal damage.

  15. Tomi Engdahl says:

    Under Armour says MyFitnessPal data breach affected 150 million users

    Under Armour, the fitness company that owns MyFitnessPal, disclosed today a data breach that affected about 150 million users. MyFitnessPal, a food and nutrition application, earlier this week became aware of the breach, which took place late last month.

  16. Tomi Engdahl says:

    It’s Not Just Facebook That Knows A Horrifying Amount Of Stuff About You

    Following the recent Cambridge Analytica scandal, many people are expressing concern about Facebook and how much it knows about them.

    A poll by Reuters found that trust in the social media giant has plummeted recently, with 51 percent of people saying they don’t trust the company to obey the laws protecting our personal information. What’s more, many people have been investigating how much data Facebook has on them, and are horrified by the results.

    As everyone keeps telling you (ironically through the medium of social media): If the product is free, you are the product. If they’re making money, they probably have a lot of your data to sell.

    Google is pretty much the master of collecting and monetizing big data.

    Apple knows a lot about you too. As well as tracking your location, it tracks your speed using GPS, stores all the messages you’ve sent over iMessenger as encrypted data, and stores everything you’ve ever said to your robot buddy Siri, the Huffington Post reports.

    TomTom obviously has a lot of data on where you’ve traveled that’s useful to everyone from city planners to governments.

    Alexa is always listening. The microphones in Echo are always on.

    Twitter isn’t quite the money-making machine that Facebook is, in part due to its unwillingness or ineffectiveness when it comes to monetizing your data. Nevertheless, last year they updated their privacy policy in order to collect more data.

    Facebook, the company that has made people panic about their data over the last week, has quite a lot of personal data, given how people use it as a place to talk about their private lives. Depending on your privacy settings, it can collect data on things like messages you’ve sent, your contacts, and even calls that you’ve made from your phone.

  17. Tomi Engdahl says:

    Why you shouldn’t trust a stranger’s VPN: Plenty leak your IP addresses
    WebRTC flaw still dogs so-called ‘secure’ providers

    Virtual Private Networks, or VPNs, turn out to be less private than the name suggests, and not just because service providers may keep more records than they acknowledge.

    Security researcher Paolo Stagno, also known as VoidSec, has found that 23 per cent (16 out of 70) of VPNs tested leak users’ IP address via WebRTC.

    The privacy problem presented by WebRTC is not new. The issue has been known at least since 2015.

    The protocol is often employed with the ICE (Interactive Connectivity Establishment) framework and STUN (Session Traversal Utilities for NAT) servers, among other options.

    VPNs use the STUN server to translate between the VPN user’s local IP address and the public IP address in much the same way that a home router acts as a network intermediary between local devices and the external internet.

    According to Stagno, WebRTC can be queried to return information that should remain private.

    “WebRTC allows requests to be made to STUN servers which return the ‘hidden’ home IP-address as well as local network addresses for the system that is being used by the user,” he said in a post on Tuesday.

    Such requests aren’t normally visible because they aren’t part of standard XML/HTTP interaction, he explains, but they can be made via JavaScript. Stagno says the technique can be employed in any browser that supports both WebRTC and JavaScript.

    The list of leaky VPNs is available on VoidSec’s website.

    Stagno suggests disabling WebRTC, among other measures to protect privacy. In Chrome, that requires an extension, such as uBlock Origin. In other browsers, the fixes vary.
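
The mechanism quoted above is that a page's JavaScript creates an RTCPeerConnection with a STUN server and reads back the ICE candidates the browser gathers, which carry the machine's LAN addresses (host candidates) and the public address the STUN server saw (server-reflexive candidates). The following is an added example, not code from the page or from VoidSec: it does the offline half of that test, parsing candidate lines and deciding whether they expose something a VPN user expected to hide. The candidate strings are constructed and the VPN exit address is an assumption for the sample.

```python
# Added example (not from the page or VoidSec): parse ICE candidates and
# report the addresses they leak relative to a VPN's exit address.
import ipaddress
import re

# Candidate attribute grammar (RFC 5245 style): foundation, component,
# transport, priority, address, port, type, optional raddr/rport.
CANDIDATE_RE = re.compile(
    r"candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?")

# Private/link-local ranges checked explicitly (Python's is_private also
# treats the RFC 5737 documentation ranges used in the sample as private).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def parse_candidate(line):
    """Return the candidate's fields as a dict, or None if the line is not one."""
    m = CANDIDATE_RE.search(line)
    if not m:
        return None
    c = m.groupdict()
    c["port"] = int(c["port"])
    c["priority"] = int(c["priority"])
    c["rport"] = int(c["rport"]) if c["rport"] else None
    return c


def classify_address(addr):
    """'mdns' for browsers that hide host addresses behind .local names,
    otherwise 'private' or 'public'."""
    if addr.endswith(".local"):
        return "mdns"
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"


def webrtc_leak_report(lines, vpn_exit_ip):
    """Return unique (kind, address) pairs leaked by the candidates.
    A host candidate with a private address reveals the LAN; a host or
    srflx candidate with a public address other than the VPN exit reveals the
    real Internet address; raddr on a srflx candidate is the local address the
    STUN request left from."""
    leaks = {}
    for line in lines:
        c = parse_candidate(line)
        if not c:
            continue
        kind = classify_address(c["address"])
        if kind == "private" and c["type"] == "host":
            leaks.setdefault(("local_address", c["address"]), None)
        elif kind == "public" and c["address"] != vpn_exit_ip:
            leaks.setdefault(("real_public_address", c["address"]), None)
        if c["raddr"] and classify_address(c["raddr"]) == "private":
            leaks.setdefault(("local_address", c["raddr"]), None)
    return list(leaks)


# Constructed sample: what a browser behind a home NAT and a VPN tunnel might
# gather. The VPN exit address is an assumption for the sample.
VPN_EXIT_IP = "198.51.100.200"
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 53120 typ host generation 0 ufrag 3hqa",
    "candidate:2 1 udp 1686052607 203.0.113.45 53120 typ srflx raddr 192.168.1.23 rport 53120 generation 0 ufrag 3hqa",
    "candidate:3 1 udp 2122260223 10.8.0.6 53121 typ host generation 0 ufrag 3hqa",
    "candidate:4 1 udp 2122260223 abcd1234-0000-4000-8000-000000000000.local 53122 typ host generation 0 ufrag 3hqa",
]

if __name__ == "__main__":
    for kind, addr in webrtc_leak_report(SAMPLE_CANDIDATES, VPN_EXIT_IP):
        print(f"leak: {kind} {addr}")
```

In the sample the server-reflexive candidate carries 203.0.113.45, not the VPN exit, which is the leak the article describes: the STUN request bypassed the tunnel and the STUN server reported the ISP-assigned address. The fourth line shows the other direction: a browser that substitutes an mDNS name for the host address gives the page nothing to report, which is why the check treats .local names as not leaked.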

  18. Tomi Engdahl says:

    Brit cloud slinger iomart goes TITSUP, knackers Virgin Trains, Parentpay
    Young, hungry and stranded punters pray for resurrection

  19. Tomi Engdahl says:

    As marketing data proliferates, consumers should have more control

    At the Adobe Summit in Las Vegas this week, privacy was on the minds of many people. It was no wonder with social media data abuse dominating the headlines, GDPR just around the corner, and Adobe announcing the concept of a centralized customer experience record.

    With so many high profile breaches in recent years, putting your customer data in a central record-keeping system would seem to be a dangerous proposition, yet Adobe sees so many positives for marketers, it likely believes this to be a worthy trade-off.

  20. Tomi Engdahl says:

    Veriff wants to make it simple to present identification online

    Whenever you are doing something online that requires you to present an official ID like a passport or driver’s license to complete the transaction, it presents risk to both parties.

    Kaarel Kotkas, CEO and founder of the company, says the goal is to be “the Stripe of identity.” What he means is he wants to provide developers with the ability to embed identity verification into any application or website, as easily as you can use Stripe to add payments.

  21. Tomi Engdahl says:

    Tom Pendergast / Wired:
    GDPR in the EU and similar laws in other countries, along with Facebook/Cambridge Analytica scandal, may point to global shift in favor of personal data control — THE HEADLINES ABOUT the trade wars being touched off by President Trump’s new tariffs may telegraph plenty of bombast and shots fired …

    The Next Cold War Is Here, and It’s All About Data

    The headlines about the trade wars being touched off by President Trump’s new tariffs may telegraph plenty of bombast and shots fired, but the most consequential war being waged today is a quieter sort of conflict: It’s the new Cold War over data protection. While the Facebook/Cambridge Analytica crisis currently burns as the latest, hottest flare-up in this simmering conflict, tensions may increase even more on May 25, 2018, when the European Union’s General Data Protection Regulation comes into effect.

  22. Tomi Engdahl says:

    20 Arrested in Italy and Romania for Spear Phishing Scam

    Authorities this week arrested 20 individuals in Italy and Romania for their role in a banking phishing scam that defrauded bank customers of €1 million ($1.23 million).

    The arrests were the result of a two-year long cybercrime investigation conducted by the Romanian National Police and the Italian National Police, with support from Europol, the Joint Cybercrime Action Taskforce (J-CAT), and Eurojust.

    The arrests were made on March 28, following a series of coordinated raids. Nine of the individuals were arrested in Romania and 11 in Italy. The Romanian Police raided 3 houses, while the Italian authorities conducted 10 home and computer searches.

  23. Tomi Engdahl says:

    Critical Flaw Exposes Many Cisco Devices to Remote Attacks

    Cisco has patched more than 30 vulnerabilities in its IOS software, including a critical remote code execution flaw that exposes hundreds of thousands – possibly millions – of devices to remote attacks launched over the Internet.

    A total of three vulnerabilities have been rated critical. One of them is CVE-2018-0171, an issue discovered by researchers at Embedi in the Smart Install feature in IOS and IOS XE software.

    An unauthenticated attacker can send specially crafted Smart Install messages to an affected device on TCP port 4786 and cause it to enter a denial-of-service (DoS) condition or execute arbitrary code.

  24. Tomi Engdahl says:

    Microsoft Fixes Windows Flaw Introduced by Meltdown Patches

    Microsoft has released out-of-band updates for Windows 7 and Windows Server 2008 R2 to address a serious privilege escalation vulnerability introduced earlier this year by the Meltdown mitigations.

    Microsoft informed customers on Thursday that a new patch has been released for Windows 7 x64 Service Pack 1 and Windows Server 2008 R2 x64 Service Pack 1 to fully resolve the problem. “Customers who apply the updates, or have automatic updates enabled, are protected,” a Microsoft spokesperson said.

    The vulnerability, tracked as CVE-2018-1038 and rated “important,” has been patched with the KB4100480 update. Users are advised to install the update as soon as possible, particularly since some Microsoft employees believe it will likely be exploited in the wild soon.

  25. Tomi Engdahl says:

    It’s begun: ‘First’ IPv6 denial-of-service attack puts IT bods on notice
    Internet engineers warn this is only the beginning

    Analysis What’s claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption.

    Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar’s SiteProtect DDoS protection service when he realized there were “packets coming from IPv6 addresses to an IPv6 host.”

    Computers behind 1,900 IPv6 addresses were attacking the DNS server as part of a larger army of commandeered systems, mostly using IPv4 addresses on the public internet. Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks – and fast.

