Cyber Security December 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links.

486 Comments

  1. Tomi Engdahl says:

    How one hacked laptop led to an entire network being compromised
    One worker clicking on the wrong link at the wrong time resulted in a major security breach.
    https://www.zdnet.com/article/how-one-hacked-laptop-led-to-an-entire-network-being-compromised/

    A corporate laptop being used in a coffee shop at a weekend was enough to allow a sophisticated cybercrime group to compromise an organisation’s entire infrastructure.

    The incident was detailed by cybersecurity firm Crowdstrike as part of its Cyber Intrusion Services Casebook 2018 report and serves as a reminder that laptops and other devices that are secure while running inside the network of an organisation can be left exposed when outside company walls.

    Crowdstrike described the company that fell victim to the hackers only as an apparel manufacturer “with an extensive global presence, including retail locations”.

    The incident began when an employee of the manufacturer took their laptop to a coffee shop and used it to visit the website of one of the firm’s partners.

    The security researchers said the user visited the site after being directed there by a phishing email — and that the site had been compromised by FakeUpdates, a malware and social engineering campaign affecting thousands of Joomla and WordPress sites.

    The malware shows users pop-ups which claim their browser software needs updating. In this instance, the laptop was then infected with the Dridex banking trojan and the PowerShell Empire post-exploit toolset.

    The security software being used by the clothing company — Crowdstrike didn’t name the vendor — relied on devices being inside the corporate network to pick up threats.

    Global hacking campaign takes aim at finance, defence and energy companies
    https://www.zdnet.com/article/global-hacking-campaign-takes-aim-at-finance-defence-and-energy-companies/

    Targets around the world are in the sights of a cyber espionage operation, which could have links to North Korea.

    Reply
  2. Tomi Engdahl says:

    IT firms, telcos among dozens hacked in new info-stealing malware attack
    https://www.zdnet.com/article/it-firms-telcos-among-dozens-hacked-in-new-info-stealing-malware-attack/

    Seedworm hacking operation adopts new techniques to speed up attacks – but it’s come at a cost that’s allowed researchers to uncover their activity.

    Reply
  3. Tomi Engdahl says:

    The Return of The Charming Kitten
    A review of the latest wave of organized phishing attacks by Iranian state-backed hackers
    https://blog.certfa.com/posts/the-return-of-the-charming-kitten/

    Phishing attacks are the most common form of infiltration used by Iranian state-backed hackers to gain access into accounts. Certfa reviews the latest campaign of phishing attacks that has been carried out and dubbed as “The Return of The Charming Kitten”.

    In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world.

    Reply
  4. Tomi Engdahl says:

    A company's phone service hands out Finns' non-public address data on request: even the address of President Niinistö's private home was given out
    https://www.talouselama.fi/uutiset/te/57ed6d26-ae63-3755-bdbb-faf2ec377e26

    Reply
  5. Tomi Engdahl says:

    European Union diplomatic communications ‘targeted by hackers’
    https://www.bbc.com/news/world-europe-46615580

    Hackers successfully targeted the European Union’s diplomatic communications over a period of several years, The New York Times reports.

    Thousands of messages were intercepted in which diplomats referenced a range of subjects from US President Donald Trump to global trade.

    The breach was reportedly discovered by the cyber-security company Area 1.

    European officials say that information marked as confidential and secret was not affected by the three-year hack.

    Reply
  6. Tomi Engdahl says:

    ASUS, GIGABYTE Drivers Contain Code Execution Vulnerabilities – PoCs Galore
    https://www.bleepingcomputer.com/news/security/asus-gigabyte-drivers-contain-code-execution-vulnerabilities-pocs-galore/

    Four drivers from ASUS and GIGABYTE come with several vulnerabilities that can be leveraged by an attacker to gain higher permissions on the system and to execute arbitrary code.

    In total, there are seven vulnerabilities affecting five software products, and researchers wrote exploit code for each of them. Many of them might still be unaddressed.

    Two of the vulnerable drivers are installed by the Aura Sync software (v1.07.22 and earlier) from ASUS and the flaws they carry can be exploited for local code execution.

    The drivers from GIGABYTE are distributed with motherboards and graphics cards of the same brand as well as from the company’s subsidiary, AORUS.

    Reply
  7. Tomi Engdahl says:

    Microsoft officially announces ‘Windows Sandbox’ for running applications in isolation
    https://www.zdnet.com/article/microsoft-officially-announces-windows-sandbox-for-running-applications-in-isolation/

    Microsoft’s coming ‘Windows Sandbox’ feature is a lightweight virtual machine that allows users to run potentially suspicious software in isolation. It could debut in Windows 10 19H1.

    Reply
  8. Tomi Engdahl says:

    NASA fears hackers may have stolen employee data
    https://www.welivesecurity.com/2018/12/19/nasa-suspected-theft-employee-data/

    A probe launched immediately after the discovery of the suspected incident has yet to establish the scale of the potential damage

    Reply
  9. Tomi Engdahl says:

    Remote Firmware Attack Renders Servers Unbootable
    https://www.bleepingcomputer.com/news/security/remote-firmware-attack-renders-servers-unbootable/

    Security researchers have found a way to corrupt the firmware of a critical component usually found in servers to turn the systems into an unbootable hardware assembly. The recovery procedure requires physical intervention to replace the malicious firmware.

    Achieving this is done via regular tools used to keep the baseboard management controller (BMC) up to date.

    BMCs are specialized microcontrollers (more like independent micro-computers) embedded on virtually all server motherboards; they are also present in high-end switches, JBOD (just a bunch of disks) and JBOF (just a bunch of flash) types of storage systems.

    Next level in destructive cyber attacks

    Although deploying the malicious BMC update is possible from a remote location, the destructive step represents the final stage of an attack, so initial access to the target is needed.

    “This malicious BMC firmware update contains additional code that, once triggered, will erase the UEFI system firmware and critical components of the BMC firmware itself,” they explain in a blog post today.

    https://eclypsium.com/2018/12/19/remotely-bricking-a-server/

    Reply
  10. Tomi Engdahl says:

    Economics of Vulnerability Disclosure
    https://www.enisa.europa.eu/publications/economics-of-vulnerability-disclosure/

    Vulnerability disclosure refers to the process of identifying, reporting and patching weaknesses of software, hardware or services that can be exploited. The different actors within a vulnerability disclosure process are subject to a range of economic considerations and incentives that may influence their behaviour. These economic aspects of vulnerability disclosure are often overlooked and poorly understood, but may help explain why some vulnerabilities are disclosed responsibly while others are not.

    Reply
  11. Tomi Engdahl says:

    How Hackers Bypass Gmail 2FA at Scale
    https://motherboard.vice.com/en_us/article/bje3kw/how-hackers-bypass-gmail-two-factor-authentication-2fa-yahoo

    A new Amnesty International report goes into some of the technical details around how hackers can automatically phish two-factor authentication tokens sent to phones.

    If you’re an at-risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account.

    Hackers can bypass these protections, as we’ve seen with leaked NSA documents on how Russian hackers targeted US voting infrastructure companies. But a new Amnesty International report gives more insight into how some hackers break into Gmail and Yahoo accounts at scale, even those with two-factor authentication (2FA) enabled.

    They do this by automating the entire process, with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can login and steal the account.

    The news acts as a reminder that although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message, with some users likely needing to switch to a more robust method.

    When Best Practice Isn’t Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users
    https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough/

    Summary

    We have identified several campaigns of credentials phishing, likely operated by the same attackers, targeting hundreds of individuals spread across the Middle East and North Africa.
    In one campaign, the attackers were particularly going after accounts on popular self-described “secure email” services, such as Tutanota and ProtonMail.
    In another campaign, the attackers have been targeting hundreds of Google and Yahoo accounts, successfully bypassing common forms of two-factor authentication.

    From the arsenal of tools and tactics used for targeted surveillance, phishing remains one of the most common and insidious forms of attack affecting civil society around the world. More and more Human Rights Defenders (HRDs) have become aware of these threats. Many have taken steps to increase their resilience to such tactics. These often include using more secure, privacy-respecting email providers, or enabling two-factor authentication on their online accounts.

    Reply
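    As an added example (not from the original post or the Amnesty report), the following toy model shows why the relay described above succeeds against a code sent to a phone but fails against a second factor whose response is bound to the origin the browser is actually on. The origins, user name and per-device HMAC key are constructed placeholders standing in for a WebAuthn-style authenticator.

```python
"""Added example: relayable one-time code vs. origin-bound challenge-response.
Not part of the original post; origins and keys below are constructed."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://accounts.example.test"  # constructed legitimate site
PHISH_ORIGIN = "https://accounts-example.test"  # constructed look-alike site


class OtpService:
    """Server side of a code-over-SMS factor: the code is valid for whoever
    presents it during the login window, regardless of where it was typed."""

    def __init__(self):
        self._pending = {}

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = code
        return code  # in reality delivered to the user's phone

    def verify(self, user, code):
        return hmac.compare_digest(self._pending.pop(user, ""), code)


def _sign(key, challenge, origin):
    """Authenticator MAC over the challenge AND the origin the browser saw."""
    data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class OriginBoundService:
    """Server side of an origin-bound factor (WebAuthn-style, modelled with
    a per-device symmetric key so the example stays self-contained)."""

    def __init__(self):
        self._keys = {}
        self._challenges = {}

    def register(self, user):
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return key  # lives inside the user's authenticator

    def challenge(self, user):
        c = secrets.token_hex(16)
        self._challenges[user] = c
        return c

    def verify(self, user, response):
        c = self._challenges.pop(user, None)  # single use: no replay
        if c is None or response["challenge"] != c:
            return False
        # The server recomputes with ITS OWN origin; a response produced
        # while the browser sat on any other origin cannot match.
        expected = _sign(self._keys[user], c, LEGIT_ORIGIN)
        return hmac.compare_digest(expected, response["sig"])


def authenticator_respond(key, challenge, origin_seen_by_browser):
    """Client authenticator: binds its answer to the page origin it is on."""
    return {"challenge": challenge,
            "sig": _sign(key, challenge, origin_seen_by_browser)}


def relay_otp_login(user="alice"):
    """Victim types the SMS code into the look-alike page; the code is forwarded
    verbatim to the real service. Returns True if the real service accepts it."""
    svc = OtpService()
    code_on_phone = svc.send_code(user)
    code_typed_into_phish_page = code_on_phone  # the victim is deceived
    return svc.verify(user, code_typed_into_phish_page)


def relay_origin_bound_login(user="alice"):
    """Same relay against an origin-bound factor: the challenge is forwarded
    unchanged, but the authenticator binds its response to PHISH_ORIGIN."""
    svc = OriginBoundService()
    key = svc.register(user)
    c = svc.challenge(user)
    response = authenticator_respond(key, c, PHISH_ORIGIN)
    return svc.verify(user, response)


def honest_origin_bound_login(user="alice"):
    """Control case: the same factor used directly on the legitimate origin."""
    svc = OriginBoundService()
    key = svc.register(user)
    c = svc.challenge(user)
    return svc.verify(user, authenticator_respond(key, c, LEGIT_ORIGIN))


if __name__ == "__main__":
    print("relayed SMS code accepted:", relay_otp_login())            # True
    print("relayed origin-bound response accepted:", relay_origin_bound_login())  # False
    print("direct origin-bound login accepted:", honest_origin_bound_login())     # True
```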
  12. Tomi Engdahl says:

    Hacked European Cables Reveal a World of Anxiety About Trump, Russia and Iran
    https://www.nytimes.com/2018/12/18/us/politics/european-diplomats-cables-hacked.html

    Updated Wednesday, Dec. 19: The United Nations spokesman has issued a comment about the breach and the National Security Agency said it would decline to comment. Both are included in the story below.

    Hackers infiltrated the European Union’s diplomatic communications network for years, downloading thousands of cables that reveal concerns about an unpredictable Trump administration and struggles to deal with Russia and China and the risk that Iran would revive its nuclear program.

    In one cable, European diplomats described a meeting between President Trump and President Vladimir V. Putin of Russia in Helsinki, Finland, as “successful (at least for Putin).”

    Reply
  13. Tomi Engdahl says:

    ‘Thousands’ of EU Diplomatic Cables Hacked: Report
    https://www.securityweek.com/thousands-eu-diplomatic-cables-hacked-report

    Hackers apparently connected to China accessed thousands of sensitive EU diplomatic cables, the New York Times reported Wednesday, in the latest embarrassing data breach to hit a major international organization.

    The cables from the EU’s diplomatic missions around the world reveal anxiety about how to handle US President Donald Trump as well as concerns about China, Russia and Iran.

    The leak, discovered by cybersecurity firm Area 1, recalls the publication by Wikileaks of a vast haul of US State Department cables in 2010, though in the EU case the trove is much smaller and consists of less secret communications, the NYT reported.

    Reply
  14. Tomi Engdahl says:

    DoD Lacks Visibility into Software Inventories, Audit Finds
    https://www.securityweek.com/dod-lacks-visibility-software-inventories-audit-finds

    The U.S. Department of Defense lacks visibility into software inventories, a review of Marine Corps, Navy, and Air Force commands and divisions reveals.

    The audit found that the Marine Corps divisions and the Navy commands had a process in place to prevent duplication when purchasing applications, but the Air Force did not. Moreover, only the U.S. Fleet Forces Command had a process to eliminate duplicative or obsolete software applications.

    Reply
  15. Tomi Engdahl says:

    Servers Can Be Bricked Remotely via BMC Attack
    https://www.securityweek.com/servers-can-be-bricked-remotely-bmc-attack

    Hackers could remotely brick servers by launching firmware attacks that involve the Baseboard Management Controller (BMC), researchers at firmware security company Eclypsium have demonstrated.

    Reply
  16. Tomi Engdahl says:

    U.S. Sanctions Russians for Hacking, Election Interference
    https://www.securityweek.com/us-sanctions-russians-hacking-election-interference

    The U.S. Treasury Department on Wednesday announced sanctions against nearly two dozen Russia-related individuals and entities over their roles in election interference, hacking the World Anti-Doping Agency (WADA), and other malicious activities.

    The Treasury Department said these individuals and entities have been added to the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) list “in response to Russia’s continued disregard for international norms.”

    A total of nine officers of Russia’s GRU military intelligence service have been sanctioned for their direct involvement in efforts to interfere in the 2016 presidential election in the United States. These and other individuals were indicted in July for hacking the systems of the Democratic Party in an effort to steal documents and emails.

    “These nine individuals worked within Unit 26165 and Unit 74455 of the GRU,” the Treasury Department said.

    Reply
  17. Tomi Engdahl says:

    Cybercriminals Host Malicious Payloads on Google Cloud Storage
    https://www.securityweek.com/cybercriminals-host-malicious-payloads-google-cloud-storage

    A malicious email campaign targeting employees of banks and financial services companies in the United States and the United Kingdom has been abusing Google Cloud Storage for payload delivery, Menlo Labs security researchers say.

    As part of the attacks, the malicious actor attempts to trick users into clicking on malicious links to archive files such as .zip or .gz. The malicious payloads, which the researchers identified as being part of the Houdini and QRat malware families, were hosted on storage.googleapis.com, the domain of the Google Cloud Storage service.

    Reply
  18. Tomi Engdahl says:

    Russian Cyberspies Build ‘Go’ Version of Their Trojan
    https://www.securityweek.com/russian-cyberspies-build-go-version-their-trojan

    The Russian-linked cyber-espionage group Sofacy has developed a new version of their Zebrocy tool using the Go programming language, Palo Alto Networks security researchers warn.

    The first-stage malware was initially analyzed in April this year, and has been observed in numerous attacks in October and November. Last month, however, the researchers also observed a new Trojan being used in the group’s attacks.

    Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the state-sponsored actor has been active for several years, focusing on cyber-espionage and believed to have orchestrated the attacks targeting the 2016 presidential election in the United States.

    The group hit Ukraine and NATO countries over the past years, but a recent report revealed governmental targets on four continents. An October report from Kaspersky revealed that the activities of various nation-state Russian groups started to overlap.

    The group has used different programming languages to build functionally similar Trojans before, and the Zebrocy tool went through this process as well, with numerous variants developed in AutoIt, Delphi, VB.NET, C# and Visual C++ already observed.

    The recently discovered Go variant of Zebrocy has already been used in attacks.

    Reply
  19. Tomi Engdahl says:

    Quarter of Healthcare Organizations Hit by Ransomware in Past Year: Study
    https://www.securityweek.com/quarter-healthcare-organizations-hit-ransomware-past-year-study

    One in four (27%) employees of healthcare organizations in North America admit to being aware of a ransomware attack targeting their employer over the past year, a new Kaspersky Lab survey reveals.

    Reply
  20. Tomi Engdahl says:

    Google Finds Internet Explorer Zero-Day Exploited in Targeted Attacks
    https://www.securityweek.com/google-finds-internet-explorer-zero-day-exploited-targeted-attacks

    An out-of-band update released by Microsoft on Wednesday for its Internet Explorer web browser patches a zero-day vulnerability exploited by malicious actors in targeted attacks.

    Microsoft has credited Clement Lecigne of Google’s Threat Analysis Group for reporting the vulnerability, but neither Microsoft nor Google have shared any details about the attacks involving the flaw.

    The security hole is tracked as CVE-2018-8653 and it has been described as a remote code execution vulnerability related to how the scripting engine used by Internet Explorer handles objects in memory.

    Reply
  21. Tomi Engdahl says:

    15 million attacks a day
    http://www.etn.fi/index.php/13-news/8877-15-miljoonaa-hyokkaysta-paivassa

    Security company Check Point has published its security forecast for next year. Unfortunately, many things will stay the same next year. The number of attacks is certainly not decreasing. “Yesterday we logged 15 million network attacks,

    Reply
  22. Tomi Engdahl says:

    Ime Archibong / Facebook:
    Facebook confirms Spotify, Netflix, Dropbox, and RBC had read/write/delete access for messaging integrations, says it was experimental and ended three years ago — In the past day, we’ve been accused of disclosing people’s private messages to partners without their knowledge.

    Facts About Facebook’s Messaging Partnerships
    https://newsroom.fb.com/news/2018/12/facebooks-messaging-partnerships/

    Ryan Vlastelica / Bloomberg:
    Facebook’s stock closed down 7% on Wednesday following a New York Times story and a lawsuit from the District of Columbia’s AG

    Facebook Has Biggest Plunge Since July as ‘Another Shoe’ Drops
    https://www.bloomberg.com/news/articles/2018-12-19/facebook-has-biggest-plunge-since-july-as-another-shoe-drops

    The lawsuit comes at a time when investors are increasingly concerned that Facebook could be facing greater regulatory pressure.

    “Another shoe dropped today, but when we think about Facebook’s fundamentals, its buyback program, we think it looks very attractive from a valuation perspective,” JMP Securities analyst Ron Josey said in a phone interview. “A lot of these issues are in the past or have been fixed, and we think we’re getting to a point where they’ve been priced in.”

    Reply
  23. Tomi Engdahl says:

    Charlie Warzel / BuzzFeed News:
    Report: some apps using Facebook’s SDK, like Grindr and Bible+, send user info to Facebook, including location, where users click, and how long the app is used

    Apps Are Revealing Your Private Information To Facebook And You Probably Don’t Know It
    https://www.buzzfeednews.com/article/charliewarzel/apps-are-revealing-your-private-information-to-facebook-and

    Facebook provided developers with tools to build Facebook-compatible apps like Tinder, Grindr and Pregnancy+. Those apps have been quietly sending sensitive user data to Facebook.

    Reply
  24. Tomi Engdahl says:

    BBC:
    UK’s Gatwick airport was shut down on Wednesday and Thursday after drones were seen flying over the runway; about 760 flights were due to fly on Thursday — Tens of thousands of passengers have been disrupted by drones flying over one of the UK’s busiest airports.

    Gatwick Airport: Drones ground flights
    https://www.bbc.com/news/uk-england-sussex-46623754

    Tens of thousands of passengers have been disrupted by drones flying over one of the UK’s busiest airports.

    Gatwick’s runway has been shut since Wednesday night, as devices have been repeatedly flying over the airfield.

    Sussex Police said it was not terror-related but a “deliberate act” of disruption, using “industrial specification” drones.

    About 110,000 passengers on 760 flights were due to fly on Thursday. Disruption could last “several days”.

    Defence Secretary Gavin Williamson has confirmed the Army has been called in to support Sussex Police.

    Those due to travel have been told to check the status of their flight

    The shutdown started just after 21:00 on Wednesday, when two drones were spotted flying “over the perimeter fence and into where the runway operates from”.
    The runway briefly reopened at 03:01 on Thursday but was closed again about 45 minutes later amid “a further sighting of drones”.

    Police had not wanted to shoot the devices down because of the risk from stray bullets

    About 10,000 passengers were affected overnight on Wednesday
    About 11,000 people are stuck at the airport

    The Civil Aviation Authority said it considered this event to be an “extraordinary circumstance”, and therefore airlines were not obligated to pay any financial compensation to passengers.

    Gatwick Airport drones: ‘Absolute shambles’ as flights cancelled
    https://www.bbc.com/news/uk-england-46633772

    Drones flying over Gatwick Airport have caused Christmas travel chaos for thousands.

    Reply
  25. Tomi Engdahl says:

    Arno Schuetze / Reuters:
    Amazon gives a German Alexa user, who requested his personal data under GDPR, access to 1,700 audio files of another user; Amazon says it was due to human error — FRANKFURT (Reuters) – A user of Amazon’s (AMZN.O) Alexa voice assistant in Germany got access to more than a thousand recordings …

    Amazon error allowed Alexa user to eavesdrop on another home
    https://www.reuters.com/article/us-amazon-data-security/amazon-error-allowed-alexa-user-to-eavesdrop-on-another-home-idUSKCN1OJ15J

    A user of Amazon’s (AMZN.O) Alexa voice assistant in Germany got access to more than a thousand recordings from another user because of “a human error” by the company.

    The customer had asked to listen back to recordings of his own activities made by Alexa but he was also able to access 1,700 audio files from a stranger when Amazon sent him a link, German trade publication c’t reported.

    “This unfortunate case was the result of a human error and an isolated single case,” an Amazon spokesman said on Thursday.

    Reply
  26. Tomi Engdahl says:

    Lawrence Abrams / BleepingComputer:
    Microsoft releases out-of-band security update for Internet Explorer that fixes a remote code execution vulnerability allowing attackers to hijack computers — Microsoft has released an out-of-band security update that fixes an actively exploited vulnerability in Internet Explorer.
    https://www.bleepingcomputer.com/news/security/microsoft-releases-out-of-band-security-update-for-internet-explorer-rce-zero-day/?mid=1

    Reply
  27. Tomi Engdahl says:

    Read, Write, Delete permissions make sense in this context. You shouldn’t give permissions or access to things you don’t want accessing other things. Makes you wonder though, how could this go bad?

    Facebook tries to explain why companies could erase your messages
    https://www.nbcnews.com/news/amp/ncna950201

    “In the past day, we’ve been accused of disclosing people’s private messages to partners without their knowledge,” Facebook said. “That’s not true.”

    Facebook Inc. took a second stab at convincing its 2.3 billion users that it didn’t allow more than 150 other companies to misuse their personal data on Wednesday night after its valuation fell by more than $28 billion on the stock market.

    Facebook for many years gave more than 150 companies extensive access to personal data — focused narrowly on the contention in the Times report that emerged as the most controversial: that Facebook gave four companies access to read, write and delete users’ messages.

    Spotify Ltd., Netflix Inc., Dropbox Inc. and the Royal Bank of Scotland — were granted automated access to users’ messages so Facebook users could send Facebook messages to other Facebook users without leaving the Spotify, Netflix, Dropbox or Royal Bank apps.

    Far from being a nefarious leaking of private data, the read/write/delete access “was the point of this feature,” Archibong said.

    “We worked with them to build messaging integrations into their apps so people could send messages to their Facebook friends,”

    Reply
  28. Tomi Engdahl says:

    With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit
    https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/

    We analyzed another Mirai variant called “Miori,” which is being spread through a Remote Code Execution (RCE) vulnerability in the PHP framework, ThinkPHP.

    Details about it have only surfaced on December 11. For its arrival method, the IoT botnet uses the said exploit that affects ThinkPHP versions prior to 5.0.23 and 5.1.31.

    https://whatcms.org/c/ThinkPHP

    ThinkPHP framework | Chinese best practice PHP open source framework, focus on WEB application rapid development for 8 years!

    Reply
  29. Tomi Engdahl says:

    The British government wants to include a “ghost” user or device in otherwise private conversations, requiring the most secure tech products available today to lie to their users, via secret orders that their designers cannot refuse without risking prosecution. This would “likely slow down progress for years to come,” says Matthew Green

    On Ghost Users and Messaging Backdoors
    https://blog.cryptographyengineering.com/2018/12/17/on-ghost-users-and-messaging-backdoors/

    The past few years have been an amazing time for the deployment of encryption. In ten years, encrypted web connections have gone from a novelty into a requirement for running a modern website. Smartphone manufacturers deployed default storage encryption to billions of phones. End-to-end encrypted messaging and phone calls are now deployed to billions of users.

    While this progress is exciting to cryptographers and privacy advocates, not everyone sees it this way. A few countries, like the U.K. and Australia, have passed laws in an attempt to gain access to this data, and at least one U.S. proposal has made it to Congress.

    Asking tech companies to deploy “responsible encryption”.

    What, exactly, is “responsible encryption”? Well, that’s a bit of a problem. Nobody on the government’s side of the debate has really been willing to get very specific about that. In fact, a recent speech by U.S. Deputy Attorney General Rod Rosenstein implored cryptographers to go figure it out.

    Reply
  30. Tomi Engdahl says:

    The Amazon Alexa Eavesdropping Nightmare Came True
    https://gizmodo.com/the-amazon-alexa-eavesdropping-nightmare-came-true-1831231490/amp

    An Amazon user in Germany recently requested data about his personal activities and inadvertently gained access to 1,700 audio recordings of someone he didn’t know.

    Reply
  31. Tomi Engdahl says:

    Terrorist Content Regulation: Warnings from the UN and the CoE
    https://edri.org/terrorist-content-regulation-warnings-from-the-un-and-the-coe/

    On 11 December 2018, three United Nations Special Rapporteurs published a joint Report on the European Union’s proposal for a Regulation to prevent the dissemination of terrorist content online.

    raises a number of serious concerns regarding the definitions used in the draft legislation and the competences and obligations it gives to national authorities.

    The congruent demands of international expert organisations highlight that substantial reform of the proposal is imperative to avoid sliding further into an already worrying trend of undermining the rule of law in the fight against terrorism.

    the analysis compellingly outlines the inherent dangers of “catch-all” labels such as “glorification of terrorism” and the use of counter-terrorism legislation to suppress political opponents

    Thus, both the UN experts and the Council of Europe Commissioner outline perfectly that the scope of counter-terrorism legislation needs to be clearly and narrowly delimited: If statements that offend or shock a population are no longer protected by the freedom of expression, open and democratic societies are not safeguarded, but endangered.

    Reply
  32. Tomi Engdahl says:

    FBI kicks some of the worst ‘DDoS for hire’ sites off the internet
    https://techcrunch.com/2018/12/20/fbi-ddos-booter-sites-offline/?utm_source=tcfbpage&sr_share=facebook

    The FBI has seized the domains of 15 high-profile distributed denial-of-service (DDoS) websites after a coordinated effort by law enforcement and several tech companies.

    “DDoS for hire services such as these pose a significant national threat,” U.S. Attorney Bryan Schroder said in a statement.

    DDoS attacks have long plagued the internet as a by-product of faster connection speeds and easy-to-exploit vulnerabilities in the underlying protocols that power the internet. Through its Internet Crime Complaint Center (IC3), the FBI warned over a year ago of the risks from booter and stresser sites amid a wider concern about the increasing size and scale of powerful DDoS attacks.

    Reply
  33. Tomi Engdahl says:

    At Blind, a security lapse revealed private complaints from Silicon Valley employees
    https://techcrunch.com/2018/12/20/blind-anonymous-app-data-exposure/?utm_source=tcfbpage&sr_share=facebook

    One of its servers storing user data and messages was exposed without a password.

    Thousands of people trusted Blind, an app-based “anonymous social network,” as a safe way to reveal malfeasance, wrongdoing and improper conduct at their companies.

    But Blind left one of its database servers exposed without a password, making it possible for anyone who knew where to look to access each user’s account information and identify would-be whistleblowers.

    Blind only pulled the database after TechCrunch followed up by email a week later.

    Kim said that there is “no evidence” that the database was misappropriated or misused, but did not say how it came to that conclusion. When asked, the company would not say if it will notify U.S. state regulators of the breach.

    Reply
  34. Tomi Engdahl says:

    Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information
    https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion

    Reply
  35. Tomi Engdahl says:

    Hacker Discloses New Unpatched Windows Zero-Day Exploit On Twitter
    https://thehackernews.com/2018/12/windows-zero-day-exploit.html

    A security researcher with Twitter alias SandboxEscaper today released proof-of-concept (PoC) exploit for a new zero-day vulnerability affecting Microsoft’s Windows operating system.

    SandboxEscaper is the same researcher who previously publicly dropped exploits for two Windows zero-day vulnerabilities, leaving all Windows users vulnerable to the hackers until Microsoft patched them.

    The newly disclosed unpatched Windows zero-day vulnerability is an arbitrary file read issue that could allow a low-privileged user or a malicious program to read the content of any file on a targeted Windows computer that otherwise would only be possible via administrator-level privileges.

    https://twitter.com/Evil_Polar_Bear/status/1075605011105767424

    Reply
  36. Tomi Engdahl says:

    SQLite bug impacts thousands of apps, including all Chromium-based browsers
    https://www.zdnet.com/article/sqlite-bug-impacts-thousands-of-apps-including-all-chromium-based-browsers/

    New ‘Magellan’ vulnerability will haunt the app ecosystem for years to come.

    Reply
  37. Tomi Engdahl says:

    Caribou Coffee chain announces card breach impacting 239 stores
    https://www.zdnet.com/article/caribou-coffee-chain-announces-card-breach-impacting-239-stores/

    Almost 40 percent of the company’s coffee stores impacted by breach of its POS system.

    Reply
  38. Tomi Engdahl says:

    Law enforcement shut down DDoS booters ahead of annual Christmas DDoS attacks
    https://www.zdnet.com/article/law-enforcement-shut-down-ddos-booters-ahead-of-annual-christmas-ddos-attacks/

    Law enforcement launch preemptive strike to shut down some of the DDoS services that may be abused to attack gaming services over the Christmas holiday.

    Reply
  39. Tomi Engdahl says:

    Critical SQLite Flaw Leaves Millions of Apps Vulnerable to Hackers
    https://thehackernews.com/2018/12/sqlite-vulnerability.html

    Reply
  40. Tomi Engdahl says:

    Magellan
    https://blade.tencent.com/magellan/index_en.html

    Magellan is a number of vulnerabilities that exist in SQLite. These vulnerabilities were discovered by Tencent Blade Team and verified to be able to successfully implement remote code execution in Chromium browsers. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence. SQLite and Google had confirmed and fixed this vulnerability. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.

    Reply
  41. Tomi Engdahl says:

    Shamoon Returns to Wipe Systems in Middle East, Europe
    https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/

    Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or even financial aims.

    Destructive attacks have a critical impact on businesses, causing the loss of data or crippling business operations. When a company is impacted, the damage can be significant. Restoration can take weeks or months, while resulting in unprofitability and diminished reputation.

    Recent attacks have demonstrated how big the damage can be. Last year NotPetya affected several companies around the world. Last February, researchers uncovered OlympicDestroyer, which affected the Olympic Games organization.

    Reply
