Crypto miners in the browser are not new. Delivery through a malicious or compromised piece of JavaScript code is common these days (see my previous diary about this topic[1]). This time, it’s another way to deliver the crypto miner that we found in a sample reported by one of our readers.
What if the victim does not run a browser? What happens if the victim closes it? No problem, just fire one in headless mode to remain stealthy! Indeed, all modern browsers can be run in headless mode (read: without graphical interface).
You know what isn’t a good look for a data management software company? A massive mismanagement of your own customer data.
Veeam, a backup and data recovery company, bills itself as a data giant that among other things can “anticipate need and meet demand, and move securely across multi-cloud infrastructures,” but is believed to have mislaid its own database of customer records.
Security researcher Bob Diachenko found an exposed database containing more than 200 gigabytes of customer records, mostly names, email addresses, and in some cases IP addresses.
It’s not the first time a massive database of email addresses has leaked online. An exposed database run by River City Media leaked over 393 million email addresses in 2017.
Researchers have determined that some light bulbs are suitable for covert data exfiltration from personal devices, and can leak multimedia preferences by recording their luminance patterns from afar.
For the light sources to become an attack surface, they need to meet some requirements such as support for multimedia visualizations and infrared capabilities.
The adversary does not need to attack the internal network of the victim to extract the information. They only need a direct connection between the target device and the lights, and line-of-sight with bulbs during the exfiltration process.
An EOS-based decentralized app (dApp) has been paying out big time. Betting platform DEOSGames was drained of a significant chunk of its operating funds in a heist that netted one ‘lucky’ punter almost $24,000.
Over less than an hour, a decentralized dice betting game paid its jackpot 24 times to just one individual.
The wins were seemingly automatic. Each and every time runningsnail deposited 10 EOS, the jackpot was paid within an average of 30 seconds.
DEOSGames has confirmed the exploit on its social channels. “Yesterday, we got a malicious contract exploit our contract, ” a statement read. “It is a good stress test and we got significant improvements on contract level.”
The BullyBoys and CoCo Boys street gangs, who both have roots in Antioch, Pittsburg, and Bay Point, allegedly burglarized medical and dental businesses in 13 counties in Northern California.
According to authorities, suspects stole and ran fraudulent returns on credit card terminals, placing the money on debit cards for their own use.
On September 6th, British Airways announced it had suffered a breach resulting in the theft of customer data. In interviews with the BBC, the company noted that around 380,000 customers could have been affected and that the stolen information included personal and payment information but not passport information.
On its website, British Airways placed an article explaining details of the incident that answered as many questions as possible for customers. The technical details were sparse but included the following pieces of information:
Payments through its main website were affected
Payments through its mobile app were affected
Payments were affected from 22:58 BST August 21, 2018, until 21:45 BST September 5, 2018
The report also stated very clearly that information was stolen from the British Airways website and mobile app but did not mention breaches of anything else, namely databases or servers—anything indicating the breach affected more than the payment information entered into the website. Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart.
Magecart: A Familiar Adversary
Since 2016, RiskIQ has reported on the use of web-based card skimmers operated by the threat group Magecart. Traditionally, criminals use devices known as card skimmers—devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day—to steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Magecart uses a digital variety of these devices.
Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
Finding the Breach of British Airways
Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits. Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code. Customer notifications through our products are automated, but our research team searches for any instances outside of these workspaces manually and adds them to our global blacklists. In the case of the British Airways breach, we had no hits in our blacklist incidents or suspects because the Magecart actors customized their skimmer in this case.
Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2 to be precise. The script was loaded from the baggage claim information page on the British Airways website.
The noted change was at the bottom of the script, a technique we often see when attackers modify JavaScript files to not break functionality.
On websites, mouseup and touchend are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.
This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.
The infrastructure used in this attack was set up only with British Airways in mind.
Mobile Skimming
In the security advisory from British Airways, the company made note that both the web app and the mobile app users were affected. We found the skimmer on the webpage for British Airways, but how does that translate to mobile? To figure this out we’ll look at the British Airways Android application.
Often, when developers build a mobile app, they make an empty shell that loads content from elsewhere. In the case of British Airways, a portion of the app is native but the majority of its functionality loads from web pages from the official British Airways website.
Analysis: If Equifax’s mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them.
It all stands in fascinating contrast to what is happening in the UK and Europe, where the mood over database security breaches is darkening. It’s not that there are necessarily more of them so much as the speed with which they are being revealed.
Last week’s British Airways hack makes an interesting case study, not simply because of the technically embarrassing fact cybercriminals were able to skim up to 380,000 transactions in real time but the speed with which the company owned up to the calamity.
Confessions
According to BA, the attack began at 22:58 BST on August 21, and was stopped at 21:45 BST on September 5. This meant BA had taken 15 days to notice hackers were grabbing its customers’ card numbers, but under 24 hours to tell the world via Twitter and email – a contender for a world record for computer security breach confessions.
Security analysts RiskIQ have speculated that the same gang was behind June’s Ticketmaster web breach, which took a still fairly rapid five days to surface after being discovered on June 23.
Compare this haste to Equifax, which detected its breach on July 29 last year, but only told the world months later on September 7.
Why the sudden hurry? In the case of BA, officially, the answer is Article 33 of Europe’s GDPR, under which cyber-break-ins involving personal data must be reported within 72 hours.
“This is definitely due to the awareness and the run up to the GDPR,”
“Crisis management is a relatively new yet vitally important area to focus on. As more chief staff realise that it’s a case of when rather than if a breach occurs, it is highly possible that more businesses have a ready-made crisis procedure waiting for a potential strike,” said ESET security specialist, Jake Moore.
A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.
Microsoft’s Patch Tuesday updates for September 2018 address over 60 vulnerabilities, including a zero-day disclosed by a researcher and exploited shortly after by a threat actor.
The actively exploited flaw, identified as CVE-2018-8440, was disclosed on August 27 by a researcher who uses the online moniker SandboxEscaper. The security hole was not reported to Microsoft before its existence was disclosed via Twitter as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.
The privilege escalation vulnerability, which according to Microsoft exists when Windows improperly handles calls to the Advanced Local Procedure Call (ALPC) interface of the Task Scheduler, can be exploited by an authenticated attacker to execute code with elevated privileges.
The data breach that British Airways said last week to have impacted 380,000 of its users was caused by an attack from Magecart, a threat group known for the use of web-based card skimmers.
Adobe’s Patch Tuesday updates for September 2018 address a total of 10 vulnerabilities in Flash Player and ColdFusion, but none of the flaws appear too serious.
Only one security hole has been patched in Flash Player. Version 31.0.0.108 fixes CVE-2018-15967, a privilege escalation issue that can lead to information disclosure.
The vulnerability, reported to Adobe by Microsoft’s Security Response Center, has been rated “important” with a priority rating of 2, which indicates that the vendor does not expect to see it being exploited in the wild.
The OpenSSL Project on Tuesday announced the release of OpenSSL 1.1.1, the new Long Term Support (LTS) version of the cryptographic software library.
According to the organization, the most important new feature in OpenSSL 1.1.1 is TLS 1.3, which the Internet Engineering Task Force (IETF) published last month as RFC 8446.
Since OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0, most applications that work with the older version can take advantage of the benefits provided by TLS 1.3 simply by updating to the newer version.
Other noteworthy changes in OpenSSL 1.1.1 include a complete rewrite of the random number generator, support for several new cryptographic algorithms, security improvements designed to mitigate side-channel attacks, support for the Maximum Fragment Length TLS extension, and a new STORE module that implements a uniform and URI-based reader of stores that contain certificates, keys, CRLs and other objects.
The new crypto algorithms include SHA3, SHA512/224 and SHA512/256, EdDSA, X448, multi-prime RSA, SM2, SM3, SM4, SipHash and ARIA.
Researchers claim to have discovered a new attack method that can be used to quickly clone the wireless key fob of Tesla Model S and possibly other vehicles.
The Passive Keyless Entry and Start (PKES) system is used by many high-end cars to unlock the doors and start the engine. The system relies on a paired key fob that needs to be in proximity of the vehicle.
PKES has been known to be vulnerable to relay attacks, which have been used to steal luxury vehicles. These attacks involved relaying messages between the car and the smart key by placing one hacking device near the key and one device in proximity of the car. This allows an attacker to open the door and start the engine even if the key is at a considerable distance from the vehicle. However, in these relay attacks, the car can only be unlocked and started once, while the legitimate key fob is in range.
RiskIQ published details tracking the British Airways hackers’ strategy on Tuesday, also linking the intrusion to a criminal hacking gang that has been active since 2015. The group, which RiskIQ calls Magecart, is known for web-based credit card skimming—finding websites that don’t secure payment data entry forms, and vacuuming up everything that gets submitted. But while Magecart has previously been known to use the same broadly targeted code to scoop up data from various third-party processors, RiskIQ found that the attack on British Airways was much more tailored to the company’s specific infrastructure.
In its initial disclosure, British Airways said that the breach didn’t impact passport numbers or other travel data. But the company later clarified that the compromised data included payment card expiration dates and Card Verification Value codes—the extra three or four-digit numbers that authenticate a card—even though British Airways has said it does not store CVVs.
The Redwood City, CA-based company said that private information from about 1,100 individuals was exposed due to the cybersecurity attack.
Liquid Biopsy specialist, Guardant Health faced a cybersecurity attack about two months ago, according to an SEC filing for the firm’s initial public offering. The Redwood City, CA-based company said that private information from about 1,100 individuals was compromised.
A security researcher has discovered a serious vulnerability that could allow attackers to spoof website addresses in the Microsoft Edge web browser for Windows and Apple Safari for iOS.
While Microsoft fixed the address bar URL spoofing vulnerability last month as part of its monthly security updates, Safari is still unpatched, potentially leaving Apple users vulnerable to phishing attacks.
A new report released today shows that distributed denial of service (DDoS) attacks have increased dramatically in the first two quarters of 2018 compared to 2017. The increase in attacks is being attributed to large scale botnets being created by attackers using insecure IoT devices.
According to a report released by DDoS mitigation company NexusGuard, denial-of-service attacks have increased by 29% since Q2 2017, with the average attack size increased by 543% to 26.37 Gbps.
Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.
These stealthy downloaders initially infect systems and then only install additional malware on systems of interest.
Well-known financial crime gang Cobalt Group and other threat actors have recently shifted tactics to incorporate lightweight modular downloaders that “vet” target machines for their attractiveness before proceeding with a full-fledged attack.
The emergence of the AdvisorsBot and Marap malwares, as well as a zero-day attack by the PowerPool actors and Cobalt Group’s use of its custom CobInt code, indicate a new trend for financial adversaries.
Despite the advent of bug bounty programs and enlightened vendors, researchers still complain of abuse, threats and lawsuits.
Despite huge progress in the vulnerability disclosure process, things remain broken when it comes to vendor-researcher relationships.
Case in point: Last year when Leigh-Anne Galloway (a cybersecurity resilience lead at Positive Technologies) found a gaping hole in the Myspace website, she reported it to Myspace owner Time Inc. But then days, weeks and then three months later – crickets.
The Myspace bug wasn’t small. It allowed a hacker to log in to any one of the 3.6 million Myspace active users’ accounts in a few easy steps. “It was a straightforward bug, and easy to execute and reproduce,” Galloway told Threatpost.
After giving up on Time Inc., Galloway weighed the public risk of the bug versus going public. Galloway decided to publish her research. “Within hours of my blog posting, the bug was fixed,” she said. Neither Time Inc. nor Myspace ever got back to her.
A year later, things haven’t improved much: Last month, Galloway found several bugs in mobile point-of-sale platforms. After privately disclosing the bugs to the vendors, they didn’t ignore her, but she was threatened with multiple lawsuits for reverse-engineering copyright-protected intellectual property.
“I can’t say personally I’m seeing a lot changing,” she said.
The main source of infection on industrial control systems was the internet, researchers at Kaspersky Lab found in a new report.
The systems that power the manufacturing, power and water plants, the oil and gas industry, and many other sectors are increasingly in the crosshairs of cyber-attackers: A full 41.2 percent of industrial control systems (ICS) were attacked by malicious software at least once in the first half of 2018.
That’s according to Kaspersky Lab, which analyzed telemetry information from customers using industrial automation computers through the end of June. The data indicates a consistent rise in the percentage of attacks on this segment; the year-ago data showed the percentage of ICS computers attacked to be 36.61 percent; that then ticked upward to 37.75 percent in the second half of 2017.
Proofpoint researchers discovered two new modular downloaders this summer: Marap [1] and AdvisorsBot [2], both of which were noteworthy for their small footprints, stealthy infections, and apparent focus on reconnaissance. We have also observed an actor commonly known as Cobalt Gang (or Group) using another new downloader that shares many of these characteristics since early 2018.
The UK government’s bulk interception of data was against human rights, the European Court of Human Rights has ruled. It’s another surveillance loss for the government.
California looks set to regulate IoT devices, becoming the first US state to do so and beating the Federal Government to the post.
The State legislature approved ‘SB-327 Information privacy: connected devices’ last Thursday and handed it over to the Governor to sign. The legislation introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address. That covers an awful lot of devices.
“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
Some of us — myself included — have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include:
Disincentive for vulnerability disclosure
Cultivation of a market for surveillance tools
Attackers co-opt hacking tools over which governments have lost control
Attackers learn of vulnerabilities through government use of malware
Government incentives to push for less-secure software and standards
Government malware affects innocent users.
These risks are real, but I think they’re much less than mandating backdoors for everyone.
Some unofficial repositories for the Kodi open-source media player serve a modified add-on that leads to downloading cryptomining malware on Windows and Linux platforms.
Security researchers discovered a campaign that infects machines running Kodi via a legitimate add-on that has been altered by cybercriminals looking to mine the Monero cryptocurrency with the resources of Kodi users.
Criminals take advantage of the update verification system
Security researchers from ESET spotted the campaign in the XvBMC repository, which was recently shut down for copyright infringement, but other repositories are likely to offer the tampered file.
A man who spent years on the run from the FBI for his part in a lucrative criminal operation that spread scareware via the Minnesota Star Tribune website has finally been sent to prison.
Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption.
The attack is a new variation of a traditional Cold Boot Attack, which has been around since 2008 and lets attackers steal information that briefly remains in the memory (RAM) after the computer is shut down.
a safeguard, created by the Trusted Computing Group (TCG), that overwrites the contents of the RAM
Now, researchers from Finnish cyber-security firm F-Secure figured out a new way to disable this overwrite security measure by physically manipulating the computer’s firmware, potentially allowing attackers to recover sensitive data stored on the computer after a cold reboot in a matter of a few minutes.
Using a simple tool, researchers were able to rewrite the non-volatile memory chip that contains the memory overwrite settings, disable it, and enable booting from external devices.
Osiris’ fundamental makeup positions it in the fore of malware trends, despite being based on old source code that’s been knocking around for years.
While the behaviors exhibited by the newly spawned banking trojan are similar to many other prevalent banking malware (for instance, it implements Zeus-style G/P/L web-injects, a keylogger and a VNC server, according to Securonix researcher Oleg Kolesnikov), there are also significant differences.
For one, it uses encrypted Tor traffic for command-and-control (C2).
A security vulnerability in Belkin’s Wemo Insight “smartplugs” allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network.
When you try to install the Firefox or Chrome web browser on a recent Windows 10 version 1809 Insider build, you may notice that the installation gets interrupted by the operating system.
The intermediary screen that interrupts the installation states that Edge is installed on the device and that it is safer and faster than the browser that the user was about to install on the device.
The small Canadian town of Midland, Ontario, was hit by ransomware, and the municipality seems to be negotiating with hackers to pay ransom, reports Canadian news station CTV News.
The attack on September 1 completely shut down the computer system, leaving the municipality unable to use its financial processing system. During the shutdown, debit and credit card payments were not accepted.
The computer system is slowly returning to normal and everything should be fixed in a few days as negotiations are reaching a consensus.
A North Korean hacker accused by the US of orchestrating a global cyber crime wave does not exist, Pyongyang said, warning that such “falsehoods” could jeopardise denuclearisation talks.
several bugs in apk, the default package manager for Alpine Linux. Alpine is a really lightweight distro that is very commonly used with Docker. The worst of these bugs, the subject of this blog post, allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine. This is especially bad because packages aren’t served over TLS when using the default repositories. This bug has been fixed and the Alpine base images have been updated – you may want to rebuild your Alpine-derived images!
Facebook on Thursday announced the expansion of their fact-checking army to send “photos and videos to all of our 27 partners in 17 countries around the world,” after using an artificial intelligence which will use “various engagement signals, including feedback from people on Facebook, to identify potentially false content.”
The company says that because people share millions of photos and videos on Facebook each day, it creates an “easy opportunity for manipulation by bad actors.”
Nellie Bowles / New York Times:
A look at Standard Cognition’s tech, which uses cameras and AI to track who people are and what they buy, as it opens San Francisco’s first cashierless store
A start-up uses visual tracking and behavioral data to operate a new San Francisco market, which lets shoppers walk out unimpeded. And sometimes mischarged.
Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption.
The attack is a new variation of a traditional Cold Boot Attack, which has been around since 2008 and lets attackers steal information that briefly remains in the memory (RAM) after the computer is shut down.
However, to make the cold boot attacks less effective, most modern computers come bundled with a safeguard, created by the Trusted Computing Group (TCG), that overwrites the contents of the RAM when the power on the device is restored, preventing the data from being read.
VLAN Hopping and Mitigation https://www.alienvault.com/blogs/security-essentials/vlan-hopping-and-mitigation
A VLAN is used to share the physical network while creating virtual segmentations to divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2. Any packets sent between VLANs must go through a router or other layer 3 devices. Security is one of the many reasons network administrators configure VLANs. However, with an exploit known as ‘VLAN Hopping’, an attacker is able to bypass these security implementations.
Researchers discovered that the firmware running on nearly all modern computers is vulnerable to cold boot attacks that can allow hackers to recover highly sensitive data from the device’s memory.
A cold boot attack is a side-channel attack that allows an attacker with physical access to a computer to obtain encryption keys, passwords and other data from the device’s random access memory (RAM) after a cold or hard reboot (i.e. the computer is restarted suddenly without going through the normal shutdown process). The data can remain in memory for tens of seconds or several minutes, but the time window for an attack can be extended to hours by cooling memory modules with liquid nitrogen or compressed air to slow down the degradation process.
A group of United States senators this week sent a letter to Secretary of State Mike Pompeo requesting clarifications regarding the Department of State’s failure to meet federal cybersecurity standards.
What are MHT files? Microsoft is a wonderful source of multiple file formats. MHT files are web page archives. Usually, a web page is based on a piece of HTML code with links to external resources, images and other media. MHT files contain all the data related to a web page in a single place and are therefore very useful to archive them. Also called MHTML[1] (MIME Encapsulation of Aggregate HTML Documents), they are encoded like email messages using MIME parts.
To save a web page in MHT format, in Internet Explorer, just press CTRL-S, select the “MHT” file format and save
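The MIME layout described above, as an added example that is not part of the ISC diary: a small Node.js reader that splits an MHT archive into its MIME parts, decodes quoted-printable and base64 bodies, and lists the parts that carry HTML or script. The sample archive and the shop.example host in it are constructed for the example.

```javascript
// Added example: a minimal MHT (MHTML, RFC 2557) reader in Node.js. Not the
// ISC diary's code; the sample archive at the bottom is constructed.

// Split a MIME entity at its first blank line into header text and body text.
function splitEntity(raw) {
  const m = raw.match(/\r?\n\r?\n/);
  if (!m) return { head: raw, body: '' };
  return { head: raw.slice(0, m.index), body: raw.slice(m.index + m[0].length) };
}

// Headers as a lowercase-keyed object, with folded continuation lines unfolded.
function parseHeaders(head) {
  const headers = {};
  for (const line of head.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Split a multipart body on "--boundary" lines; "--boundary--" closes it.
function splitParts(body, boundary) {
  const delim = '--' + boundary;
  const parts = [];
  let current = null;
  for (const line of body.split(/\r?\n/)) {
    if (line === delim || line === delim + '--') {
      if (current) parts.push(current.join('\n'));
      if (line !== delim) break;
      current = [];
    } else if (current) current.push(line);
  }
  return parts;
}

// Quoted-printable: drop soft line breaks ("=" at end of line), map =XX to bytes.
function decodeQuotedPrintable(text) {
  const s = text.replace(/=\r?\n/g, '');
  const bytes = [];
  for (let i = 0; i < s.length; i++) {
    const hex = s.slice(i + 1, i + 3);
    if (s[i] === '=' && /^[0-9A-Fa-f]{2}$/.test(hex)) { bytes.push(parseInt(hex, 16)); i += 2; }
    else bytes.push(s.charCodeAt(i) & 0xff);
  }
  return Buffer.from(bytes);
}

function decodeBody(text, encoding) {
  if (encoding === 'base64') return Buffer.from(text.replace(/\s+/g, ''), 'base64');
  if (encoding === 'quoted-printable') return decodeQuotedPrintable(text);
  return Buffer.from(text, 'utf8'); // 7bit, 8bit, binary
}

// Top-level headers plus one entry per part with its decoded bytes.
function parseMht(raw) {
  const { head, body } = splitEntity(raw);
  const headers = parseHeaders(head);
  const bm = (headers['content-type'] || '').match(/boundary="?([^";\s]+)"?/i);
  if (!bm) throw new Error('not a multipart MHT archive');
  const parts = splitParts(body, bm[1]).map((partRaw) => {
    const part = splitEntity(partRaw);
    const h = parseHeaders(part.head);
    return {
      contentType: (h['content-type'] || '').split(';')[0].trim().toLowerCase(),
      location: h['content-location'] || '',
      body: decodeBody(part.body, (h['content-transfer-encoding'] || '7bit').toLowerCase()),
    };
  });
  return { headers, parts };
}

// Parts a browser (or Word, which also opens MHT) would execute on open.
const ACTIVE_TYPES = new Set(['text/html', 'application/xhtml+xml', 'text/javascript', 'application/javascript']);
function activeParts(doc) {
  return doc.parts.filter((p) => ACTIVE_TYPES.has(p.contentType));
}

// Constructed sample in the shape "Save as MHT" produces: one HTML part
// (quoted-printable) and one script part (base64). shop.example is a placeholder.
const SAMPLE_MHT = [
  'MIME-Version: 1.0',
  'Content-Type: multipart/related; type="text/html";',
  ' boundary="----MultipartBoundary--c0ffee----"',
  '',
  '------MultipartBoundary--c0ffee----',
  'Content-Type: text/html; charset=utf-8',
  'Content-Transfer-Encoding: quoted-printable',
  'Content-Location: https://shop.example/order.html',
  '',
  '<html><body>Caf=C3=A9 <img src=3D"logo.png"><script src=3D"a.js"></script=',
  '></body></html>',
  '------MultipartBoundary--c0ffee----',
  'Content-Type: application/javascript',
  'Content-Transfer-Encoding: base64',
  'Content-Location: https://shop.example/a.js',
  '',
  'YWxlcnQoMSk7',
  '------MultipartBoundary--c0ffee------',
].join('\r\n');
```

For a real file, `parseMht(fs.readFileSync(path, 'latin1'))` returns the same structure. Pulling the parts out this way lets you read the HTML and script of an archive from an untrusted source without opening it in Internet Explorer, which renders MHT natively. Content-Location is whatever the file claims, so do not treat it as the true origin of a part.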
493 Comments
Tomi Engdahl says:
Crypto Mining in a Windows Headless Browser
https://isc.sans.edu/forums/diary/Crypto+Mining+in+a+Windows+Headless+Browser/24078/
Tomi Engdahl says:
Businesses Can Now Pay to Extend Windows 7 Security Updates Beyond 2020
https://www.bleepingcomputer.com/news/microsoft/businesses-can-now-pay-to-extend-windows-7-security-updates-beyond-2020/
Tomi Engdahl says:
Vulnerability Spotlight: CVE-2018-3952 / CVE-2018-4010 – Multi-provider VPN Client Privilege Escalation Vulnerabilities
https://blog.talosintelligence.com/2018/09/vulnerability-spotlight-Multi-provider-VPN-Client-Privilege-Escalation.html
Tomi Engdahl says:
Veeam server lapse leaks over 440 million email addresses
https://techcrunch.com/2018/09/11/veeam-security-lapse-leaked-over-440-million-email-addresses/?sr_share=facebook&utm_source=tcfbpage
Tomi Engdahl says:
Novel Attack Technique Uses Smart Light Bulbs to Steal Data
https://www.bleepingcomputer.com/news/security/novel-attack-technique-uses-smart-light-bulbs-to-steal-data/
Tomi Engdahl says:
Hacker exploits EOS betting platform to ‘win’ jackpot 24 times in a row
EOS gambling dApps are being picked apart
https://thenextweb.com/hardfork/2018/09/10/eos-betting-platform-hacked/
An EOS-based decentralized app (dApp) has been paying out big time. Betting platform DEOSGames was drained of a significant chunk of its operating funds in a heist that netted one ‘lucky’ punter almost $24,000.
Over less than an hour, a decentralized dice betting game paid its jackpot 24 times to just one individual.
The wins were seemingly automatic. Each and every time runningsnail deposited 10 EOS, the jackpot was paid within an average of 30 seconds.
DEOSGames has confirmed the exploit on its social channels. “Yesterday, we got a malicious contract exploit our contract,” a statement read. “It is a good stress test and we got significant improvements on contract level.”
Tomi Engdahl says:
32 East Bay street gang members arrested in million-dollar fraud scheme
https://m.sfgate.com/crime/article/32-East-Bay-street-gang-members-arrested-in-13218991.php
The BullyBoys and CoCo Boys street gangs, who both have roots in Antioch, Pittsburg, and Bay Point, allegedly burglarized medical and dental businesses in 13 counties in Northern California.
According to authorities, suspects stole and ran fraudulent returns on credit card terminals, placing the money on debit cards for their own use.
Tomi Engdahl says:
Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims
https://www.riskiq.com/blog/labs/magecart-british-airways-breach/
On September 6th, British Airways announced it had suffered a breach resulting in the theft of customer data. In interviews with the BBC, the company noted that around 380,000 customers could have been affected and that the stolen information included personal and payment information but not passport information.
On its website, British Airways placed an article explaining details of the incident that answered as many questions as possible for customers. The technical details were sparse but included the following pieces of information:
Payments through its main website were affected
Payments through its mobile app were affected
Payments were affected from 22:58 BST August 21, 2018, until 21:45 BST September 5, 2018
The report also stated very clearly that information was stolen from the British Airways website and mobile app but did not mention breaches of anything else, namely databases or servers—anything indicating the breach affected more than the payment information entered into the website. Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart.
Magecart: A Familiar Adversary
Since 2016, RiskIQ has reported on the use of web-based card skimmers operated by the threat group Magecart. Traditionally, criminals use devices known as card skimmers—devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day—to steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Magecart uses a digital variety of these devices.
Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
Finding the Breach of British Airways
Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits. Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code. Customer notifications through our products are automated, but our research team searches for any instances outside of these workspaces manually and adds them to our global blacklists. In the case of the British Airways breach, we had no hits in our blacklist incidents or suspects because the Magecart actors customized their skimmer in this case.
Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2 to be precise. The script was loaded from the baggage claim information page on the British Airways website.
The noted change was at the bottom of the script, a technique we often see when attackers modify JavaScript files to not break functionality.
On websites, mouseup and touchend are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.
This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.
The infrastructure used in this attack was set up only with British Airways in mind.
Mobile Skimming
In the security advisory from British Airways, the company made note that both the web app and the mobile app users were affected. We found the skimmer on the webpage for British Airways, but how does that translate to mobile? To figure this out we’ll look at the British Airways Android application.
Often, when developers build a mobile app, they make an empty shell and load content from elsewhere. In the case of British Airways, a portion of the app is native but the majority of its functionality loads from web pages from the official British Airways website.
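The RiskIQ write-up above describes how the skimmer was spotted: a third-party script served from the site changed, and the change was an appended block at the bottom of the file wired to mouseup and touchend. The script below is an added example, not RiskIQ’s or British Airways’ code, showing the defender-side check that catches exactly that pattern: hash a known-good copy of a script in Subresource Integrity format, compare it with a later crawl of the same URL, isolate anything appended after the baseline, and flag event-hook and network tokens in the appended region. The baseline and observed scripts are constructed stand-ins, not the real Modernizr 2.6.2 source or the real skimmer.

```python
import base64
import hashlib

# Constructed stand-in for the known-good copy of a site script (not real Modernizr source).
BASELINE_SCRIPT = (
    "/* constructed stand-in for modernizr-2.6.2.min.js */\n"
    "window.Modernizr = {version: '2.6.2'};\n"
)

# Constructed later crawl of the same URL: the baseline with a block appended at the end,
# the placement RiskIQ describes. It only names the events; it is not skimmer code.
OBSERVED_SCRIPT = BASELINE_SCRIPT + (
    "window.onload = function () {\n"
    "  /* constructed appended block */\n"
    "  document.addEventListener('mouseup', hook);\n"
    "  document.addEventListener('touchend', hook);\n"
    "};\n"
)

# Tokens worth a human look when they appear in a region that was not in the baseline.
SUSPICIOUS_TOKENS = ("mouseup", "touchend", "XMLHttpRequest", "fetch(", "sendBeacon", "serialize")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity string (e.g. 'sha384-<base64 digest>') for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def find_appended_tail(baseline: str, observed: str):
    """If observed is baseline plus extra bytes at the end, return the extra bytes, else None."""
    if observed.startswith(baseline) and len(observed) > len(baseline):
        return observed[len(baseline):]
    return None


def audit_script(baseline: str, observed: str) -> dict:
    """Compare a crawled script against its baseline and summarise what changed."""
    result = {
        "sri_baseline": sri_hash(baseline.encode("utf-8")),
        "sri_observed": sri_hash(observed.encode("utf-8")),
        "changed": False,
        "appended_tail": None,
        "suspicious_tokens": [],
    }
    if result["sri_baseline"] == result["sri_observed"]:
        return result  # byte-identical: nothing to review
    result["changed"] = True
    tail = find_appended_tail(baseline, observed)
    result["appended_tail"] = tail
    # Scan only the appended part when the change is a pure append; otherwise scan everything.
    region = tail if tail is not None else observed
    lowered = region.lower()
    result["suspicious_tokens"] = [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]
    return result


if __name__ == "__main__":
    report = audit_script(BASELINE_SCRIPT, OBSERVED_SCRIPT)
    print("baseline SRI:", report["sri_baseline"])
    print("observed SRI:", report["sri_observed"])
    print("changed:", report["changed"])
    print("appended tail:\n" + (report["appended_tail"] or "<none>"))
    print("suspicious tokens:", report["suspicious_tokens"])
```

The SRI value from `sri_hash` is the same string a site can pin in `<script integrity="...">`, which makes the browser refuse a modified copy outright; the audit function is the monitoring counterpart for scripts that cannot be pinned, such as ones the site does not host itself.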
Tomi Engdahl says:
Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways
Suddenly, corps in a rush to fess up to e-break-ins
https://www.theregister.co.uk/2018/09/12/ba_equifax_breach_notification_speed/
Analysis: If Equifax’s mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them.
It all stands in fascinating contrast to what is happening in the UK and Europe, where the mood over database security breaches is darkening. It’s not that there are necessarily more of them so much as the speed with which they are being revealed.
Last week’s British Airways hack makes an interesting case study, not simply because of the technically embarrassing fact cybercriminals were able to skim up to 380,000 transactions in real time but the speed with which the company owned up to the calamity.
Confessions
According to BA, the attack began at 22:58 BST on August 21, and was stopped at 21:45 BST on September 5. This meant BA had taken 15 days to notice hackers were grabbing its customers’ card numbers, but under 24 hours to tell the world via Twitter and email – a contender for a world record for computer security breach confessions.
Security analysts RiskIQ have speculated that the same gang was behind June’s Ticketmaster web breach, which took a still fairly rapid five days to surface after being discovered on June 23.
Compare this haste to Equifax, which detected its breach on July 29 last year, but only told the world months later on September 7.
Why the sudden hurry? In the case of BA, officially, the answer is Article 33 of Europe’s GDPR, under which cyber-break-ins involving personal data must be reported within 72 hours.
“This is definitely due to the awareness and the run up to the GDPR,”
“Crisis management is a relatively new yet vitally important area to focus on. As more chief staff realise that it’s a case of when rather than if a breach occurs, it is highly possible that more businesses have a ready-made crisis procedure waiting for a potential strike,” said ESET security specialist, Jake Moore.
Tomi Engdahl says:
Address Bar Spoofing Flaw Found in Edge, Safari
https://www.securityweek.com/address-bar-spoofing-flaw-found-edge-safari
A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.
Tomi Engdahl says:
Microsoft Patches Windows Zero-Day Disclosed via Twitter
https://www.securityweek.com/microsoft-patches-windows-zero-day-disclosed-twitter
Microsoft’s Patch Tuesday updates for September 2018 address over 60 vulnerabilities, including a zero-day disclosed by a researcher and exploited shortly after by a threat actor.
The actively exploited flaw, identified as CVE-2018-8440, was disclosed on August 27 by a researcher who uses the online moniker SandboxEscaper. The security hole was not reported to Microsoft before its existence was disclosed via Twitter as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.
The privilege escalation vulnerability, which according to Microsoft exists when Windows improperly handles calls to the Advanced Local Procedure Call (ALPC) interface of the Task Scheduler, can be exploited by an authenticated attacker to execute code with elevated privileges.
Tomi Engdahl says:
British Airways, Another Victim of Ongoing Magecart Attacks
https://www.securityweek.com/british-airways-another-victim-ongoing-magecart-attacks
The data breach that British Airways said last week to have impacted 380,000 of its users was caused by an attack from Magecart, a threat group known for the use of web-based card skimmers.
Tomi Engdahl says:
Adobe Patches Vulnerabilities in Flash Player, ColdFusion
https://www.securityweek.com/adobe-patches-vulnerabilities-flash-player-coldfusion
Adobe’s Patch Tuesday updates for September 2018 address a total of 10 vulnerabilities in Flash Player and ColdFusion, but none of the flaws appear too serious.
Only one security hole has been patched in Flash Player. Version 31.0.0.108 fixes CVE-2018-15967, a privilege escalation issue that can lead to information disclosure.
The vulnerability, reported to Adobe by Microsoft’s Security Response Center, has been rated “important” with a priority rating of 2, which indicates that the vendor does not expect to see it being exploited in the wild.
Tomi Engdahl says:
OpenSSL 1.1.1 Released With TLS 1.3, Security Improvements
https://www.securityweek.com/openssl-111-released-tls-13-security-improvements
The OpenSSL Project on Tuesday announced the release of OpenSSL 1.1.1, the new Long Term Support (LTS) version of the cryptographic software library.
According to the organization, the most important new feature in OpenSSL 1.1.1 is TLS 1.3, which the Internet Engineering Task Force (IETF) published last month as RFC 8446.
Since OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0, most applications that work with the older version can take advantage of the benefits provided by TLS 1.3 simply by updating to the newer version.
Other noteworthy changes in OpenSSL 1.1.1 include a complete rewrite of the random number generator, support for several new cryptographic algorithms, security improvements designed to mitigate side-channel attacks, support for the Maximum Fragment Length TLS extension, and a new STORE module that implements a uniform and URI-based reader of stores that contain certificates, keys, CRLs and other objects.
The new crypto algorithms include SHA3, SHA512/224 and SHA512/256, EdDSA, X448, multi-prime RSA, SM2, SM3, SM4, SipHash and ARIA.
Tomi Engdahl says:
Trend Micro Admits That Its Mac Apps Collect User Data
https://www.securityweek.com/trend-micro-admits-its-mac-apps-collect-user-data
Tomi Engdahl says:
Hackers Can Clone Tesla Key Fobs in Seconds
https://www.securityweek.com/hackers-can-clone-tesla-key-fobs-seconds
Researchers claim to have discovered a new attack method that can be used to quickly clone the wireless key fob of Tesla Model S and possibly other vehicles.
The Passive Keyless Entry and Start (PKES) system is used by many high-end cars to unlock the doors and start the engine. The system relies on a paired key fob that needs to be in proximity of the vehicle.
PKES has been known to be vulnerable to relay attacks, which have been used to steal luxury vehicles. These attacks involved relaying messages between the car and the smart key by placing one hacking device near the key and one device in proximity of the car. This allows an attacker to open the door and start the engine even if the key is at a considerable distance from the vehicle. However, in these relay attacks, the car can only be unlocked and started once, while the legitimate key fob is in range.
Tomi Engdahl says:
HOW HACKERS SLIPPED BY BRITISH AIRWAYS’ DEFENSES
https://www.wired.com/story/british-airways-hack-details/
RiskIQ published details tracking the British Airways hackers’ strategy on Tuesday, also linking the intrusion to a criminal hacking gang that has been active since 2015. The group, which RiskIQ calls Magecart, is known for web-based credit card skimming—finding websites that don’t secure payment data entry forms, and vacuuming up everything that gets submitted. But while Magecart has previously been known to use the same broadly targeted code to scoop up data from various third-party processors, RiskIQ found that the attack on British Airways was much more tailored to the company’s specific infrastructure.
In its initial disclosure, British Airways said that the breach didn’t impact passport numbers or other travel data. But the company later clarified that the compromised data included payment card expiration dates and Card Verification Value codes—the extra three or four-digit numbers that authenticate a card—even though British Airways has said it does not store CVVs.
Tomi Engdahl says:
Guardant Exposed to Cybersecurity Threat from Phishing Scheme
https://www.mddionline.com/guardant-exposed-cybersecurity-threat-phishing-scheme?ADTRK=UBM&elq_mid=5635&elq_cid=876648
The Redwood City, CA based company said that private information from about 1,100 individuals was exposed due to the cybersecurity attack.
Liquid Biopsy specialist, Guardant Health faced a cybersecurity attack about two months ago, according to an SEC filing for the firm’s initial public offering. The Redwood City, CA-based company said that private information from about 1,100 individuals was compromised.
Tomi Engdahl says:
Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs
https://thehackernews.com/2018/09/browser-address-spoofing-vulnerability.html
A security researcher has discovered a serious vulnerability that could allow attackers to spoof website addresses in the Microsoft Edge web browser for Windows and Apple Safari for iOS.
While Microsoft fixed the address bar URL spoofing vulnerability last month as part of its monthly security updates, Safari is still unpatched, potentially leaving Apple users vulnerable to phishing attacks.
Tomi Engdahl says:
Dramatic Increase of DDoS Attack Sizes Attributed to IoT Devices
https://www.bleepingcomputer.com/news/security/dramatic-increase-of-ddos-attack-sizes-attributed-to-iot-devices/
A new report released today shows that distributed denial of service (DDoS) attacks have increased dramatically in the first two quarters of 2018 compared to 2017. The increase in attacks is being attributed to large scale botnets being created by attackers using insecure IoT devices.
According to a report released by DDoS mitigation company NexusGuard, denial-of-service attacks have increased by 29% since Q2 2017, with the average attack size increasing by 543% to 26.37 Gbps.
Tomi Engdahl says:
APT reports
LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company
https://securelist.com/luckymouse-ndisproxy-driver/87914/
What happened?
Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.
Tomi Engdahl says:
Bad Actors Sizing Up Systems Via Lightweight Recon Malware
https://threatpost.com/bad-actors-sizing-up-systems-via-lightweight-recon-malware/137364/
These stealthy downloaders initially infect systems and then only install additional malware on systems of interest.
Well-known financial crime gang Cobalt Group and other threat actors have recently shifted tactics to incorporate lightweight modular downloaders that “vet” target machines for their attractiveness before proceeding with a full-fledged attack.
The emergence of the AdvisorsBot and Marap malwares, as well as a zero-day attack by the PowerPool actors and Cobalt Group’s use of its custom CobInt code, indicate a new trend for financial adversaries.
Tomi Engdahl says:
The Vulnerability Disclosure Process: Still Broken
https://threatpost.com/the-vulnerability-disclosure-process-still-broken/137180/
Despite the advent of bug bounty programs and enlightened vendors, researchers still complain of abuse, threats and lawsuits.
Despite huge progress in the vulnerability disclosure process, things remain broken when it comes to vendor-researcher relationships.
Case in point: Last year when Leigh-Anne Galloway (a cybersecurity resilience lead at Positive Technologies) found a gaping hole in the Myspace website, she reported it to Myspace owner Time Inc. But then days, weeks and then three months later – crickets.
The Myspace bug wasn’t small. It allowed a hacker to log in to any one of the 3.6 million Myspace active users’ accounts in a few easy steps. “It was a straightforward bug, and easy to execute and reproduce,” Galloway told Threatpost.
After giving up on Time Inc., Galloway weighed the public risk of the bug versus going public. Galloway decided to publish her research. “Within hours of my blog posting, the bug was fixed,” she said. Neither Time Inc. nor Myspace ever got back to her.
A year later, things haven’t improved much: Last month, Galloway found several bugs in mobile point-of-sale platforms. After privately disclosing the bugs to the vendors, they didn’t ignore her, but she was threatened with multiple lawsuits for reverse-engineering copyright-protected intellectual property.
“I can’t say personally I’m seeing a lot changing,” she said.
Tomi Engdahl says:
ThreatList: Attacks on Industrial Control Systems on the Rise
https://threatpost.com/threatlist-attacks-on-industrial-control-systems-on-the-rise/137251/
The main source of infection on industrial control systems was the internet, researchers at Kaspersky Lab found in a new report.
The systems that power the manufacturing, power and water plants, the oil and gas industry, and many other sectors are increasingly in the crosshairs of cyber-attackers: A full 41.2 percent of industrial control systems (ICS) were attacked by malicious software at least once in the first half of 2018.
That’s according to Kaspersky Lab, which analyzed telemetry information from customers using industrial automation computers through the end of June. The data indicates a consistent rise in the percentage of attacks on this segment; the year-ago data showed the percentage of ICS computers attacked to be 36.61 percent; that then ticked upward to 37.75 percent in the second half of 2017.
Tomi Engdahl says:
New modular downloaders fingerprint systems – Part 3: CobInt
https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint
Proofpoint researchers discovered two new modular downloaders this summer: Marap [1] and AdvisorsBot [2], both of which were noteworthy for their small footprints, stealthy infections, and apparent focus on reconnaissance. We have also observed an actor commonly known as Cobalt Gang (or Group) using another new downloader that shares many of these characteristics since early 2018.
Tomi Engdahl says:
The UK’s mass surveillance regime has broken the law again
https://www.wired.co.uk/article/uk-mass-surveillance-echr-ruling
The UK government’s bulk interception of data was against human rights, the European Court of Human Rights has ruled. It’s another surveillance loss for the government.
Tomi Engdahl says:
California bill regulates IoT for first time in US
https://nakedsecurity.sophos.com/2018/09/13/california-bill-regulates-iot-for-first-time-in-us/
California looks set to regulate IoT devices, becoming the first US state to do so and beating the Federal Government to the post.
The State legislature approved ‘SB-327 Information privacy: connected devices’ last Thursday and handed it over to the Governor to sign. The legislation introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address. That covers an awful lot of devices.
“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
Tomi Engdahl says:
Security Risks of Government Hacking
https://www.schneier.com/blog/archives/2018/09/security_risks_14.html
Some of us — myself included — have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include:
Disincentive for vulnerability disclosure
Cultivation of a market for surveillance tools
Attackers co-opt hacking tools over which governments have lost control
Attackers learn of vulnerabilities through government use of malware
Government incentives to push for less-secure software and standards
Government malware affects innocent users.
These risks are real, but I think they’re much less than mandating backdoors for everyone.
Tomi Engdahl says:
Malicious Kodi Add-ons Install Windows & Linux Coin Mining Trojans
https://www.bleepingcomputer.com/news/security/malicious-kodi-add-ons-install-windows-and-linux-coin-mining-trojans/#.W5pzLczJYMI.facebook
Some unofficial repositories for Kodi open-source media player serve a modified add-on that leads to downloading cryptomining malware on Windows and Linux platforms.
Security researchers discovered a campaign that infects machines running Kodi via a legitimate add-on that has been altered by cybercriminals looking to mine the Monero cryptocurrency with the resources of Kodi users.
Criminals take advantage of the update verification system
Security researchers from ESET spotted the campaign in the XvBMC repository, which was recently shut down for copyright infringement, but other repositories are likely to offer the tampered file.
Tomi Engdahl says:
Prison for man who assisted scareware scheme that targeted newspaper website
https://www.tripwire.com/state-of-security/security-data-protection/prison-for-man-who-assisted-scareware-scheme-that-targeted-newspaper-website/#.W5pk39JQvrU.facebook
A man who spent years on the run from the FBI for his part in a lucrative criminal operation that spread scareware via the Minnesota Star Tribune website has finally been sent to prison.
Tomi Engdahl says:
New Cold Boot Attack Unlocks Disk Encryption On Nearly All Modern PCs
https://thehackernews.com/2018/09/cold-boot-attack-encryption.html
Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption.
The attack is a new variation of a traditional Cold Boot Attack, which has been around since 2008 and lets attackers steal information that briefly remains in the memory (RAM) after the computer is shut down.
a safeguard, created by the Trusted Computing Group (TCG), that overwrites the contents of the RAM
Now, researchers from Finnish cyber-security firm F-Secure figured out a new way to disable this overwrite security measure by physically manipulating the computer’s firmware, potentially allowing attackers to recover sensitive data stored on the computer after a cold reboot in a matter of few minutes.
Using a simple tool, researchers were able to rewrite the non-volatile memory chip that contains the memory overwrite settings, disable it, and enable booting from external devices.
Tomi Engdahl says:
Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data
https://techcrunch.com/2018/09/12/security-flaw-in-nearly-all-modern-pcs-and-macs-leaks-encrypted-data/?sr_share=facebook&utm_source=tcfbpage
A firmware bug means existing security measures “aren’t enough to protect data in lost or stolen laptops,” says new security research.
Zack Whittaker
Tomi Engdahl says:
Osiris Banking Trojan Displays Modern Malware Innovation
https://threatpost.com/osiris-banking-trojan-displays-modern-malware-innovation/137393/
Osiris’ fundamental makeup positions it in the fore of malware trends, despite being based on old source code that’s been knocking around for years.
While the behaviors exhibited by the newly spawned banking trojan are similar to many other prevalent banking malware (for instance, it implements Zeus-style G/P/L web-injects, a keylogger and a VNC server, according to Securonix researcher Oleg Kolesnikov), there are also significant differences.
For one, it uses encrypted Tor traffic for command-and-control (C2).
Tomi Engdahl says:
Security Vulnerability in Smart Electric Outlets
https://www.schneier.com/blog/archives/2018/09/security_vulner_15.html
A security vulnerability in Belkin’s Wemo Insight “smartplugs” allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network.
Tomi Engdahl says:
Microsoft intercepting Firefox and Chrome installation on Windows 10
https://www.ghacks.net/2018/09/12/microsoft-intercepting-firefox-chrome-installation-on-windows-10/
When you try to install the Firefox or Chrome web browser on a recent Windows 10 version 1809 Insider build, you may notice that the installation gets interrupted by the operating system.
The intermediary screen that interrupts the installation states that Edge is installed on the device and that it is safer and faster than the browser that the user was about to install on the device.
Tomi Engdahl says:
Surprising hidden order unites prime numbers and crystal-like materials
https://m.phys.org/news/2018-09-hidden-prime-crystal-like-materials.html
Tomi Engdahl says:
https://www.htbridge.com/blog/spencer-young-application-security-ai-cybercrime.html
Tomi Engdahl says:
Ransomware attack shuts down small Canadian town; officials pay ransom
https://securityboulevard.com/2018/09/ransomware-attack-shuts-down-small-canadian-town-officials-pay-ransom/
The small Canadian town of Midland, Ontario, was hit by ransomware, and the municipality seems to be negotiating with hackers to pay ransom, reports Canadian news station CTV News.
The attack on September 1 completely shut down the computer system, leaving the municipality unable to use its financial processing system. During the shutdown, debit and credit card payments were not accepted.
The computer system is slowly returning to normal and everything should be fixed in a few days as negotiations are reaching a consensus.
Tomi Engdahl says:
Hacker blamed for pornography screened in Chinese college canteen
https://m.scmp.com/news/china/society/article/2164092/pornography-screened-chinese-college-canteen-blamed-hackers
Internet TV turns X-rated for three minutes while people eat their dinner
Tomi Engdahl says:
A North Korean hacker accused by the US of orchestrating a global cyber crime wave does not exist, Pyongyang said, warning that such “falsehoods” could jeopardise denuclearisation talks.
N Korea denies existence of hacker accused of cyber crime wave
https://www.ft.com/content/488df106-b7c2-11e8-bbc3-ccd7de085ffe
Pyongyang warns such ‘falsehoods’ from US could jeopardise denuclearisation talks
Tomi Engdahl says:
Remote Code Execution in Alpine Linux
https://justi.cz/security/2018/09/13/alpine-apk-rce.html
several bugs in apk, the default package manager for Alpine Linux. Alpine is a really lightweight distro that is very commonly used with Docker. The worst of these bugs, the subject of this blog post, allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine. This is especially bad because packages aren’t served over TLS when using the default repositories. This bug has been fixed and the Alpine base images have been updated – you may want to rebuild your Alpine-derived images!
Tomi Engdahl says:
Facebook Starts “Fact Checking” Photos And Videos Using AI
https://www.zerohedge.com/news/2018-09-13/facebook-starts-fact-checking-photos-and-videos-using-ai
Facebook on Thursday announced the expansion of their fact-checking army to send “photos and videos to all of our 27 partners in 17 countries around the world,” after using an artificial intelligence which will use “various engagement signals, including feedback from people on Facebook, to identify potentially false content.”
The company says that because people share millions of photos and videos on Facebook each day, it creates an “easy opportunity for manipulation by bad actors.”
Tomi Engdahl says:
Nellie Bowles / New York Times:
A look at Standard Cognition’s tech, which uses cameras and AI to track who people are and what they buy, as it opens San Francisco’s first cashierless store
Stealing From a Cashierless Store (Without You, or the Cameras, Knowing It)
https://www.nytimes.com/2018/09/13/technology/standard-market-retail-automation-behavioral-data.html
A start-up uses visual tracking and behavioral data to operate a new San Francisco market, which lets shoppers walk out unimpeded. And sometimes mischarged.
Tomi Engdahl says:
New Cold Boot Attack Unlocks Disk Encryption On Nearly All Modern PCs
https://thehackernews.com/2018/09/cold-boot-attack-encryption.html
Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption.
The attack is a new variation of a traditional Cold Boot Attack, which has been around since 2008 and lets attackers steal information that briefly remains in the memory (RAM) after the computer is shut down.
However, to make the cold boot attacks less effective, most modern computers come bundled with a safeguard, created by the Trusted Computing Group (TCG), that overwrites the contents of the RAM when the power on the device is restored, preventing the data from being read.
Tomi Engdahl says:
VLAN Hopping and Mitigation
https://www.alienvault.com/blogs/security-essentials/vlan-hopping-and-mitigation
A VLAN is used to share the physical network while creating virtual segmentations to divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2. Any packets sent between VLANs must go through a router or other layer 3 devices. Security is one of the many reasons network administrators configure VLANs. However, with an exploit known as ‘VLAN Hopping’, an attacker is able to bypass these security implementations.
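The segmentation the AlienVault post describes is enforced by the 802.1Q tag on each Ethernet frame: a 16-bit tag protocol identifier (0x8100) followed by 16 bits of tag control information whose low 12 bits are the VLAN ID. The code below is an added example, not the post’s own material, that parses that header from raw frame bytes and applies the access-port rule a switch needs in order to keep hosts on VLAN 1 from reaching VLAN 2 without a router: untagged frames are assigned the port’s VLAN, a single tag is only accepted if it names the port’s own VLAN, and a frame carrying more than one stacked 802.1Q header is dropped and reported, since an access port has no business receiving one. The frames, MAC addresses and port VLAN numbers are all constructed for the example; the 0x8100 and 0x88A8 tag identifiers are the real IEEE values.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag (IEEE 802.1Q)
TPID_8021AD = 0x88A8  # service (provider) tag, IEEE 802.1ad; counted as a tag as well


def parse_vlan_tags(frame: bytes):
    """Walk the 802.1Q tag stack after the MAC addresses.

    Returns (vids, ethertype, payload): the VLAN IDs in wire order (outermost first),
    the EtherType of the payload, and the payload bytes.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset = 12  # skip destination and source MAC (6 bytes each)
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame while reading EtherType")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype in (TPID_8021Q, TPID_8021AD):
            if len(frame) < offset + 4:
                raise ValueError("truncated 802.1Q tag")
            tci = struct.unpack_from("!H", frame, offset + 2)[0]
            vids.append(tci & 0x0FFF)  # PCP (3 bits) and DEI (1 bit) sit above the 12-bit VID
            offset += 4
            continue
        return vids, ethertype, frame[offset + 2:]


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet frame with zero or more stacked 802.1Q tags (PCP=0, DEI=0)."""
    header = dst + src
    for vid in vids:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def access_port_verdict(frame: bytes, port_vlan: int):
    """Decide what an access port configured for port_vlan should do with an ingress frame.

    Returns (verdict, assigned_vlan, reason). Dropped frames get assigned_vlan None.
    """
    vids, _ethertype, _payload = parse_vlan_tags(frame)
    if not vids:
        return ("accept", port_vlan, "untagged frame assigned to the port VLAN")
    if len(vids) > 1:
        return ("drop", None, f"stacked 802.1Q tags {vids} on an access port")
    if vids[0] == port_vlan:
        return ("accept", port_vlan, "tag matches the port VLAN")
    return ("drop", None, f"tag for VLAN {vids[0]} not assigned to this port")


# Constructed sample frames (locally administered MAC addresses, minimal IPv4 payload).
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("02000000aa01")
IPV4 = 0x0800
PAYLOAD = b"\x45\x00\x00\x14"  # first bytes of an IPv4 header, enough for the example

SAMPLE_FRAMES = {
    "untagged": build_frame(DST_MAC, SRC_MAC, [], IPV4, PAYLOAD),
    "tag10": build_frame(DST_MAC, SRC_MAC, [10], IPV4, PAYLOAD),
    "tag20": build_frame(DST_MAC, SRC_MAC, [20], IPV4, PAYLOAD),
    "stacked": build_frame(DST_MAC, SRC_MAC, [10, 20], IPV4, PAYLOAD),
}


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        vids, ethertype, _ = parse_vlan_tags(frame)
        verdict, assigned, reason = access_port_verdict(frame, port_vlan=10)
        print(f"{name:9s} vids={vids} ethertype=0x{ethertype:04x} -> {verdict} (vlan {assigned}): {reason}")
```

On real switch hardware the same rule is expressed as configuration rather than code; the point of the example is that inter-VLAN isolation holds only while every port enforces which tags it will honour, and a port that silently strips an outer tag and forwards on the inner one is what turns a tag into a hop.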
Tomi Engdahl says:
New Firmware Flaws Resurrect Cold Boot Attacks
https://www.securityweek.com/new-firmware-flaws-resurrect-cold-boot-attacks
Researchers discovered that the firmware running on nearly all modern computers is vulnerable to cold boot attacks that can allow hackers to recover highly sensitive data from the device’s memory.
A cold boot attack is a side-channel attack that allows an attacker with physical access to a computer to obtain encryption keys, passwords and other data from the device’s random access memory (RAM) after a cold or hard reboot (i.e. the computer is restarted suddenly without going through the normal shutdown process). The data can remain in memory for tens of seconds or several minutes, but the time window for an attack can be extended to hours by cooling memory modules with liquid nitrogen or compressed air to slow down the degradation process.
https://en.wikipedia.org/wiki/Cold_boot_attack
Tomi Engdahl says:
Senators Concerned About State Department’s Cybersecurity Failures
https://www.securityweek.com/senators-concerned-about-state-departments-cybersecurity-failures
A group of United States senators this week sent a letter to Secretary of State Mike Pompeo requesting clarifications regarding the Department of State’s failure to meet federal cybersecurity standards.
Tomi Engdahl says:
OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
Tomi Engdahl says:
Malware Delivered Through MHT Files
https://isc.sans.edu/forums/diary/Malware+Delivered+Through+MHT+Files/24096/
What are MHT files? Microsoft is a wonderful source of multiple file formats. MHT files are web page archives. Usually, a web page is based on a piece of HTML code with links to external resources, images and other media. MHT files contain all the data related to a web page in a single place and are therefore very useful to archive them. Also called MHTML[1] (MIME Encapsulation of Aggregate HTML Documents), they are encoded like email messages using MIME parts.
To save a web page in MHT format, in Internet Explorer, just press CTRL-S, select the “MHT” file format and save.
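Because an MHT archive is just a MIME message, Python's standard `email` parser can inventory its parts, which is the first thing a defender wants when such a file arrives as an attachment. The following is an added example, not code from the SANS diary or the comment above; the sample archive, its `example.invalid` URLs and the list of expected media types are constructed for illustration.

```python
import email
from email import policy

# Constructed sample MHT archive: a multipart/related container with an HTML
# part, an image part and one part of a type a saved web page should not need.
SAMPLE_MHT = """Subject: Example page
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_Part_0"

------=_Part_0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://example.invalid/index.html

<html><body><h1>Hello</h1><script>alert(1)</script></body></html>
------=_Part_0
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: http://example.invalid/logo.png

iVBORw0KGgo=
------=_Part_0
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Location: http://example.invalid/extra.bin

AAAA
------=_Part_0--
"""

# Media types one expects inside an archived web page (assumed list).
EXPECTED_TYPES = {"text/html", "text/css", "image/png", "image/jpeg",
                  "image/gif", "image/svg+xml"}


def inventory_mht(data):
    """Return one dict per leaf MIME part: type, location, decoded size, flags."""
    msg = email.message_from_string(data, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():          # skip the container itself
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""   # undo base64 / QP
        flags = []
        if ctype not in EXPECTED_TYPES:
            flags.append("unexpected-type")
        if ctype == "text/html" and b"<script" in payload.lower():
            flags.append("inline-script")
        parts.append({"type": ctype, "location": part.get("Content-Location"),
                      "size": len(payload), "flags": flags})
    return parts
```

Each part's `Content-Location` tells you which original URL the content claims to come from, so a part whose location and media type disagree is a second thing worth checking.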
Tomi Engdahl says:
APT10 Targeting Japanese Corporations Using Updated TTPs
https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html