Cyber Security August 2018

This posting is here to collect security alert news in August 2018.

I post links to security vulnerability news to comments of this article.



  1. Tomi Engdahl says:

    FBI: No Evidence Clinton Server Hacked Despite Trump Tweet

    WASHINGTON (AP) — The FBI said Wednesday that it has no evidence Hillary Clinton’s private email server was compromised even though President Donald Trump tweeted a news report that alleged the Chinese had hacked it.

  2. Tomi Engdahl says:

    What are botnets downloading?
    Statistics for the past year on files downloaded by botnets

  3. Tomi Engdahl says:

    Rocke: The Champion of Monero Miners

    Cryptocurrency miners are becoming an increasingly significant part of the threat landscape. These malicious miners steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor.

    In this post, we look at the activity of one particular threat actor: Rocke. We will examine several of Rocke’s campaigns, malware, and infrastructure while uncovering more information about the actor. After months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors.

  4. Tomi Engdahl says:

    Temporary Patch Available for Recent Windows Task Scheduler ALPC Zero-Day

    Earlier this week a security researcher released exploit code for a Windows zero-day affecting the Task Scheduler ALPC interface. Today, cyber-security firm Acros Security published a temporary fix (called a micropatch) that prevents exploitation of that particular zero-day.

    Users can apply the temporary patch by downloading and installing the 0patch Agent client.

    Micropatch currently available for latest Windows 10 only

    The patch is only available for users of 64-bit Windows 10 v1803 versions, Mitja Kolsek, CEO of Acros Security, told Bleeping Computer today via email.

    “We’re releasing a Windows Server 2016 micropatch tomorrow,” Kolsek said.

  5. Tomi Engdahl says:

    Anonymous Catalonia Claims DDoS Attack On Bank of Spain Website

    The website of Banco de España, the central bank of Spain, was offline at the beginning of the week due to a DDoS attack claimed by hacktivist group Anonymous Catalonia.

    The attack started on Sunday and continued through Monday. It is part of #OpCatalonia, a protest against the arrest of Catalan political leaders over the region’s fight for independence last year.

    Anonymous used the famous ‘TangoDown’ hashtag to announce on Twitter that their distributed denial-of-service attack was successful, and showed proof that the server hosting the bank’s website was down all over the world.

  6. Tomi Engdahl says:

    Instagram’s New Security Tools are a Welcome Step, But Not Enough

    Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.

    For years, security experts have warned that hackers are exploiting weak authentication at Instagram to commandeer accounts. Instagram has long offered users a security option to have a one-time code sent via text message to a mobile device, but these codes can be intercepted via several methods (more on that in a bit).

    The new authentication offering requires users to download a third-party app like Authy, Duo or Google Authenticator, which generates a one-time code that needs to be entered after the user supplies a password.

  7. Tomi Engdahl says:

    Crypto Mining Is More Popular Than Ever!
    Published: 2018-08-30

    We already wrote some diaries about crypto miners and they remain more popular than ever. Based on my daily hunting statistics, we can see that malicious scripts performing crypto mining operations remain on top of the samples I detected in the last 24h.

    But crypto miners are not only installed on workstations, servers are juicy targets too… because that’s where the real CPU power is available! The recent Apache Struts remote code execution vulnerability (amongst others like SOLR reported by Renato a few months ago[1]) is heavily used to drop crypto miners on vulnerable systems[2].

    The classic behaviour of a crypto miner dropper is to try to gain as much of the available resources as possible. To do so, they usually try to kill competitors

  8. Tomi Engdahl says:

    Now it is the Swedes’ turn to complain – the police report that some are trying to influence the elections

    Systematic manipulation of election results first rose to front-page news in connection with the US presidential election in 2016. Since then, the phenomenon has caused concern in many other elections as well. Now the problem is with the Swedes.

    Parliamentary elections in Sweden will take place on 9 September. Säkerhetspolisen (Säpo, the counterpart of our Supo) reports that it has noticed that attempts are being made to defeat elections and democracy.

    Säpo is not yet ready to point to any foreign agent who might be behind the harassment. It acknowledges that finding a guilty party requires a lot of work.


  9. Tomi Engdahl says:

    John McAfee’s ‘unhackable’ Bitcoin wallet is hackable, company admits
    The man himself hasn’t weighed in yet.

    Two weeks ago, it seemed safe to say that John McAfee’s supposedly “unhackable” cryptocurrency wallet had been hacked. (It’s been nearly four weeks since the first security researchers reached that conclusion.)

    But it’s only today, in the wake of yet another hack (more details at the link), that wallet-maker Bitfi has decided to admit defeat.

    In an announcement on Twitter, the company says it will be removing the “unhackable” claim effective immediately, and the company is also admitting that researchers have identified vulnerabilities.

    “We took this step to stop the negativity and the anger on social media which was not healthy,” the company told CNET by email.

    When we asked, Bitfi wouldn’t say whether it will award the $250,000 or $10,000 bounties it offered to those who could prove they’d been able to hack the wallet — the company says it will make a “comprehensive public statement” on all issues, including the bounty payments, next week.

    Bitfi intends to try to fix the wallet by addressing those issues rather than recalling the product or stopping sales. “Whatever issues we discover will be patched for all customers via our push updates,” the company tells CNET.

  10. Tomi Engdahl says:

    Security bods: Android system broadcasts enable user tracking
    Bypassing permission protection on network info

    Security researchers have found a way to sniff Android system broadcasts to expose Wi-Fi connection information to attackers.

    Tracked as CVE-2018-9489, the issue was discovered by Nightwatch Cybersecurity and published yesterday. If you can, upgrade to Android 9 (Pie), because there’s no plan to fix older versions.

    What they found was that the system broadcasts spaff “Wi-Fi network name, BSSID, local IP addresses, DNS server information and the MAC address” to any application running on the device, even though this is supposed to be protected information, “bypassing any permission checks and existing mitigations”.

  11. Tomi Engdahl says:

    Mozilla announces Firefox will block trackers by default

    Mozilla today announced that Firefox will soon block web trackers by default. In conjunction, Firefox will also let users control what information they share with sites.

    Web trackers are used mainly for targeted advertising and broad user data collection. Mozilla wants to protect users from websites using abusive trackers, improving both performance and privacy.

    Mozilla shared details on three tracker-blocking features it is building into Firefox:

    Blocking trackers that slow down page loads. This feature, aimed at improving page load performance, will be tested in September. If it performs well, Firefox 63 (slated for October 2018) will start blocking slow-loading trackers by default.
    Removing cross-site tracking that follows users around the web. This feature, which strips cookies and blocks storage access from third-party tracking content, will be tested with some Firefox beta users in September. Mozilla plans to bring this protection to all users in Firefox 65 (slated for January 2019).
    Mitigating harmful practices such as trackers that fingerprint users (to identify users by their device properties) and cryptomining scripts. Mozilla didn’t share when future versions of Firefox will stop these practices, but it did say they will also be blocked by default.

  12. Tomi Engdahl says:

    Hackers could be hampered by a crystal oscillator transmitter

    Hackers could be stopped intercepting transmitted data with a transmitter that changes its frequency with each individual 1 or 0 bit within a data packet.

    Hackers can intercept data being transmitted and jam signals or corrupt the packets of data sent wirelessly from a device. A defence against this is to change the transmission frequency with every packet, but, according to researchers, hackers can locate a transmission channel in one microsecond and make a successful attack. By changing the frequency with every digital one and zero in the packet the hackers are not expected to be able to respond quickly enough. Critical devices, such as medical implants whose performance can be altered wirelessly, could therefore be secured.

    A data packet contains the packet’s individual number and destination for routing purposes and reassembly, and up to 1,500 bytes of the data itself, for example the text of an email message. “By developing this protocol and radio frequency architecture together, we offer physical-layer security for connectivity of everything,”

  13. Tomi Engdahl says:

    Windows 0-day pops up out of nowhere on Twitter
    Privilege escalation exploit, for which no patch exists, dumped on GitHub

  14. Tomi Engdahl says:

    Black hats are baddie hackers, white hats are goodies, grey hats will sell IP to kids in hoodies
    Survey says one in five security pros have been asked to screw over their employer

  15. Tomi Engdahl says:

    BusyGasper – the unfriendly spy

    In early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that, as it turned out, belonged to an unknown spyware family. Further investigation showed that the malware, which we named BusyGasper, is not all that sophisticated, but demonstrates some unusual features for this type of threat. From a technical point of view, the sample is a unique spy implant with stand-out features such as device sensors listeners, including motion detectors that have been implemented with a degree of originality. It has an incredibly wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver.

  16. Tomi Engdahl says:

    Patch Management Must be Guided by Risk

    Since the major technology companies have a regular cadence for the release of patches, organizations can, in theory, better allocate resources, prepare to test software updates, and deploy fixes when ready. But when Microsoft patches dozens of bugs on the second Tuesday month after month, or Oracle fixes hundreds of bugs at a time on a quarterly basis, the temptation could arise to just patch it all, or at least rely on criticality scores and bleating pundits to guide your patch management efforts.

    A high CVE score or a pithy quote from an expert, however, shouldn’t be the deciding factor as to whether an enterprise deploys every patch to every affected system. The discussion should center on risk, and it should land on the likelihood a vulnerability would be exploited on your network and what impact it will have to continuity, data integrity, and the bottom line. An approach aligned with Business Risk Intelligence (BRI) lends itself to informed decisions about patch management, and the right call could save your company precious time and money, and allow your internal experts to focus on what matters most to the business.

  17. Tomi Engdahl says:

    Researchers Detail Two New Attacks on TPM Chips

    Some PC owners may need to apply motherboard firmware updates in the near future to address two attacks on TPM chips detailed earlier this month by four researchers from the National Security Research Institute of South Korea.

    Both attacks target computers that come equipped with a Trusted Platform Module (TPM). TPMs are dedicated microcontrollers (chips, cryptoprocessors) and they are usually deployed on high-value computers, such as those used in enterprise or government networks, but they are also used on personal computers.

    The role of a TPM chip is to ensure hardware authenticity. A TPM uses RSA encryption keys to authenticate the hardware components involved in a computer’s boot-up process, but also its normal functioning.

    The way a TPM works and how the TPM authenticates components that are part of the boot-up chain is dictated by the TPM 2.0 specification released in 2013.

    TPM flaws allow attackers to hide tampered boot components

  18. Tomi Engdahl says:

    3D Printers in The Wild, What Can Go Wrong?

    Richard wrote a quick diary yesterday about interesting information that we received from one of our readers. It’s about a huge number of OctoPrint interfaces that are publicly facing the Internet. OctoPrint[1] is a web interface for 3D printers that allows you to control and monitor all features of the printer. There are thousands of OctoPrint instances accessible without any authentication reported by Shodan

    Here is an example of a publicly open interface connected to an online printer (status is “operational”)

    So, what can go wrong with this kind of interface? It’s just another unauthenticated access to an online device. Sure but the printer owners could face very bad situations.

    The interface allows downloading the 3D objects loaded in the printer. Those objects are in G-code format

    We are facing here the first issue: G-code files can be downloaded and lead to a potential trade secret data leak. Indeed, many companies’ R&D departments are using 3D printers to develop and test some pieces of their future products.

    If the authentication is completely disabled, it is possible to upload G-code files and… print them! What if an anonymous person sends a malicious G-code file to the printer and instructs it to print while nobody is around? There were bad stories of low-cost 3D printers which simply burned!

    Worse, what if the attacker downloads a G-code file, alters it and re-uploads it? By changing the G-code instructions, you will instruct the device to print the object, but the altered one won’t have the same physical capabilities and could be a potential danger once used. Think about 3D-printed guns[4] but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.
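    One defensive check for the altered or malicious G-code risk described above is to validate a job against a temperature policy before it is sent to the printer. This is an added example, not OctoPrint’s own code; the limits, the command set and the sample file are constructed assumptions for a Marlin-style G-code dialect.

```python
import re

# Constructed policy for this example: maximum temperatures in degrees C.
# Real limits depend on the printer, filament and enclosure (assumption).
MAX_HOTEND_C = 260
MAX_BED_C = 110

# Hotend and heated-bed temperature commands in the common Marlin/RepRap dialect.
HOTEND_CMDS = {"M104", "M109"}
BED_CMDS = {"M140", "M190"}

_TEMP_RE = re.compile(r"\bS(-?\d+(?:\.\d+)?)")


def strip_comment(line):
    """Drop ';' comments and parenthesised comments, return the bare command text."""
    line = line.split(";", 1)[0]
    line = re.sub(r"\([^)]*\)", "", line)
    return line.strip()


def check_gcode(text, max_hotend=MAX_HOTEND_C, max_bed=MAX_BED_C):
    """Return (line_no, reason) findings for temperature commands exceeding policy."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        cmd_line = strip_comment(raw)
        if not cmd_line:
            continue
        code = cmd_line.split()[0].upper()
        if code in HOTEND_CMDS or code in BED_CMDS:
            m = _TEMP_RE.search(cmd_line)
            if not m:
                continue  # no S parameter, e.g. M109 R<temp> is not checked here
            temp = float(m.group(1))
            limit = max_hotend if code in HOTEND_CMDS else max_bed
            if temp > limit:
                findings.append((no, f"{code} requests {temp:g} C, limit is {limit} C"))
    return findings


# Constructed sample job: a normal PLA-style start sequence with two tampered lines.
SAMPLE_GCODE = """; constructed sample, not from a real printer
M140 S60        ; bed to 60 C
M104 S205 T0    ; hotend to 205 C
G28             ; home all axes
M190 S60
M109 S205
G1 X10 Y10 F3000
M104 S320       ; tampered line: far above the policy limit
M140 S150       ; tampered line
"""

if __name__ == "__main__":
    for line_no, reason in check_gcode(SAMPLE_GCODE):
        print(f"line {line_no}: {reason}")
```

A job with any finding should be rejected before upload rather than merely logged, since the printer executes whatever it receives.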

  19. Tomi Engdahl says:

    We’re all sick of Fortnite, but the flaw found in its downloader is the latest way to attack Android
    Man-in-the-Disk technique able to add malicious files to a device’s external storage

  20. Tomi Engdahl says:

    Mozilla Firefox Will Soon Block All Trackers by Default

    Mozilla has announced that upcoming versions of Firefox will block all cross-site tracking, slow tracking scripts, and malicious miner and fingerprinting scripts by default. These new features will be rolled out over the coming months as part of three new initiatives.

    The goal of these three initiatives is to protect a user’s privacy, block malicious scripts, and decrease page loading times when browsing the web.

    According to a study by Ghostery, a huge percentage of the time it takes to load a site is caused by tracking scripts.

    “Tracking slows down the web. In a study by Ghostery, 55.4% of the total time required to load an average website was spent loading third party trackers,”

  21. Tomi Engdahl says:

    GOD MODE UNLOCKED – Hardware Backdoors in x86 CPUs

    This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they’re buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.

  22. Tomi Engdahl says:

    The FBI Distributes Child Pornography to Catch People Who Look at It

    By its own logic, the government victimized children thousands of times.

    As part of a recent child pornography investigation disconcertingly known as Operation Pacifier, the FBI ran a website that distributed photographs and videos of sexual abuse. Last year, the Seattle Times reports, “after arresting the North Carolina administrator of The Playpen, a ‘dark web’ child-pornography internet bulletin board, agents seized the site’s server and moved it to an FBI warehouse in Virginia.”

    FBI’s massive porn sting puts internet privacy in crossfire

    The FBI snared scores of people after taking over a child-pornography bulletin board and conducting a sting and computer-hacking operation. But there is a growing social and legal controversy over the bureau’s tactics and the impact on internet privacy.

