This posting is here to collect cyber security news in January 2019.
I post links to security vulnerability news in the comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
Tomi Engdahl says:
U.S. to formally seek extradition of Huawei executive Meng Wanzhou: Globe and Mail
https://www.reuters.com/article/us-usa-china-huawei-canada-idUSKCN1PG078?
Tomi Engdahl says:
Google fined €50 million for violating EU data privacy rules
https://www.welivesecurity.com/2019/01/22/google-fined-violating-eu-data-privacy-rules/
France’s data protection watchdog issues the first major penalty under the EU’s new privacy regime
Tomi Engdahl says:
Remote Code Execution in apt/apt-get
https://justi.cz/security/2019/01/22/apt-rce.html
tl;dr I found a vulnerability in apt that allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package. The bug has been fixed in the latest versions of apt. If you’re worried about being exploited during the update process, you can protect yourself by disabling HTTP redirects while you update.
Tomi Engdahl says:
PEAR to be Hacked
Hackers managed to change the “go-pear.phar” file; a lot of users’ systems can be compromised
https://hype.codes/pear-be-hacked?page=1
Traces of a compromise of the official PEAR (PHP Extension and Application Repository) package repository, which offers additional functions and classes for the PHP language, have been reported. During the attack, the attackers managed to gain access to the project’s web server and make changes to the “go-pear.phar” file, which contains the installation package for the go-pear package manager. The modification was carried out 6 months ago.
The systems of PHP users who have installed the go-pear package manager from the phar archive during the last 6 months can potentially be compromised (as a rule, this installation method is used by Windows users).
Tomi Engdahl says:
Researcher Finds Vulnerability in phpBB3
https://hype.codes/pear-be-hacked?page=1
The bug allows an attacker who has obtained administrator rights on one of the forums to execute their own code and seize complete control over the entire server.
An attacker who has obtained administrator rights on one of the forums can seize complete control over the entire server.
Tomi Engdahl says:
Wi-Fi bug threatens many popular devices
http://www.etn.fi/index.php/13-news/8968-wifi-bugi-uhkaa-monia-suosittuja-laitteita
http://www.etn.fi/index.php/13-news/8972-wifi-bugi-ei-johtunut-rtos-koodista
Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE
https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/
Tomi Engdahl says:
Bug in widespread Wi-Fi chipset firmware can lead to zero-click code execution
https://www.helpnetsecurity.com/2019/01/21/marvell-avastar-wi-fi-vulnerability/
A vulnerability in the firmware of a Wi-Fi chipset that is widely used in laptops, streaming, gaming and a variety of “smart” devices can be exploited to compromise them without user interaction.
Tomi Engdahl says:
Windows Zero-Day Bug That Lets Attackers Read Any File Gets Micropatch
https://www.bleepingcomputer.com/news/security/windows-zero-day-bug-that-lets-attackers-read-any-file-gets-micropatch/
A micropatch is now available for a zero-day vulnerability in Windows that allows unauthorized read access with the highest privileges to any file on the operating system.
Tomi Engdahl says:
Adminer leaks passwords; Magecart hackers rejoice
https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
Adminer is a popular PHP tool to administer MySQL and PostgreSQL databases. However, it can be lured to disclose arbitrary files. Attackers can abuse that to fetch passwords for popular apps such as Magento and WordPress, and gain control of a site’s database.
https://www.adminer.org/
Tomi Engdahl says:
MySQL Design Flaw Allows Malicious Servers to Steal Files from Clients
https://www.bleepingcomputer.com/news/security/mysql-design-flaw-allows-malicious-servers-to-steal-files-from-clients/
A design flaw in the file transfer interaction between a client host and a MySQL server allows an attacker running a malicious MySQL server to get access to any data the connected client has read access to.
Someone can leverage this issue to retrieve sensitive information from an improperly configured web server that allows connections to untrusted servers, or from database management applications.
Tomi Engdahl says:
Canadian network says Huawei is “reliable” partner
https://www.itproportal.com/news/canadian-network-says-huawei-is-reliable-partner/
Telus says Huawei offers “comprehensive security measures”.
Tomi Engdahl says:
VLC Responds to Criticism Over Lack of HTTPS for Updates
https://www.securityweek.com/vlc-responds-criticism-over-lack-https-updates
The developers of the popular open source video player VLC, which recently surpassed 3 billion downloads, have responded to criticism over the use of HTTP for software updates.
Several people have recently submitted bug reports to VLC regarding the use of HTTP instead of HTTPS for software updates. A report submitted five days ago has triggered some heated discussions on Twitter and Reddit regarding the associated risks.
When VLC is updated, the client communicates with the server over HTTP, which, in theory, exposes the connection to man-in-the-middle (MitM) attacks and could allow a threat actor to replace the legitimate update with a malicious one without the user’s knowledge.
Tomi Engdahl says:
DarkHydrus Hackers Use Google Drive in Recent Attacks
https://www.securityweek.com/darkhydrus-hackers-use-google-drive-recent-attacks
The DarkHydrus threat group has added new functionality to the payloads used in recent attacks and is also leveraging Google Drive for command and control (C&C) purposes, Palo Alto Networks security researchers say.
Tomi Engdahl says:
Websites Can Exploit Browser Extensions to Steal User Data
https://www.securityweek.com/websites-can-exploit-browser-extensions-steal-user-data
Tomi Engdahl says:
Report: Facebook’s Privacy Lapses May Result in Record Fine
https://www.securityweek.com/report-facebooks-privacy-lapses-may-result-record-fine
Facebook may be facing the biggest fine ever imposed by the U.S. Federal Trade Commission for privacy violations involving the personal information of its 2.2 billion users.
The FTC is considering hitting Facebook with a penalty that would top its previous record fine of $22.5 million, which it dealt to Google in 2012 for bypassing the privacy controls in Apple’s Safari browser, according to The Washington Post.
Tomi Engdahl says:
Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis
https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/
Let’s continue to dissect unusual malicious email attachments used by modern APTs. This time I’m going to focus on malicious CHM files used by Silence APT. If you haven’t heard about it for some reason, I would recommend reading this detailed report by Group-IB, as this APT attacks not only Russian banks, but also banks in more than 25 countries.
Tomi Engdahl says:
Latest Targeted Attack of DarkHydrus Group Against Middle East
https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/
DarkHydrus APT Uses Google Drive to Send Commands to RogueRobin Trojan
https://www.bleepingcomputer.com/news/security/darkhydrus-apt-uses-google-drive-to-send-commands-to-roguerobin-trojan/
Tomi Engdahl says:
Exploit for Recent Flash Zero-Day Added to Fallout Exploit Kit
https://www.securityweek.com/exploit-recent-flash-zero-day-added-fallout-exploit-kit
An updated version of the Fallout exploit kit recently emerged with an exploit for a recent Flash zero-day included in its arsenal.
Tomi Engdahl says:
US midterms barely over when Russians came knocking on our servers (again), Democrats claim
https://www.theregister.co.uk/2019/01/18/russia_hack_democrats/
Russian hackers attempted to infiltrate the Democratic National Committee (DNC) just after the US midterm elections last year, according to a new court filing.
The attack in November 2018 was previously reported as targeting a number of organizations including law enforcement, defense contractors, and media companies, but the filing this week claims that the DNC was also a direct target.
Tomi Engdahl says:
Sextortion Bitcoin on the Move
https://isc.sans.edu/forums/diary/Sextortion+Bitcoin+on+the+Move/24548/
Tomi Engdahl says:
This Runner Is a Hitman. His GPS Watch Tied Him to a Mob Boss Murder
https://www.runnersworld.com/news/a25924256/mark-fellows-runner-hitman-murder/
The health-conscious assassin was picked up for another murder, then investigators found his Garmin.
Tomi Engdahl says:
Teachers’ Wilma credentials fell into the wrong hands: “These must be taken seriously”
https://www.is.fi/digitoday/tietoturva/art-2000005970212.html
Tomi Engdahl says:
New Android Malware Apps Use Motion Sensor to Evade Detection
https://thehackernews.com/2019/01/android-malware-play-store.html
Even after so many efforts by Google to keep malware out of its Play Store, shady apps have somehow managed to fool its anti-malware protections and get into the service to infect Android users with malware.
The apps in question masquerade as a currency exchange app called Currency Converter and a battery saver app called BatterySaverMobi, and use the motion-sensor inputs of infected Android devices to monitor them before installing a dangerous banking Trojan called Anubis.
Tomi Engdahl says:
Two men charged with hacking into SEC in stock-trading scheme
https://www.welivesecurity.com/2019/01/18/two-men-charged-hacking-sec/
The hacking duo is believed to have exploited a software flaw and compromised several SEC workstations with malware in order to take early peeks at financial disclosures.
Tomi Engdahl says:
Over 140 International Airlines Affected by Major Security Breach
https://www.bleepingcomputer.com/news/security/over-140-international-airlines-affected-by-major-security-breach/
Tomi Engdahl says:
Microsoft Launches Azure DevOps Bug Bounty Program
https://threatpost.com/microsoft-launches-azure-devops-bug-bounty-program/140984/
Tomi Engdahl says:
A Twitter Bug Left Android Users’ Private Tweets Exposed For 4 Years
https://thehackernews.com/2019/01/twitter-privacy-settings.html
Twitter just admitted that the social network accidentally revealed some Android users’ protected tweets to the public for more than 4 years — a kind of privacy blunder that you’d typically expect from Facebook.
Tomi Engdahl says:
South Korea reckons mystery hackers cracked open advanced weapons servers
No idea who could have been behind this one…
https://www.theregister.co.uk/2019/01/17/south_korea_defense_ministryt_hacked/
South Korea’s Ministry of National Defense says 10 of its internal PCs have been compromised by unknown hackers.
Tomi Engdahl says:
Xbash Malware Uninstalls Cloud Security Products
https://www.securityweek.com/xbash-malware-uninstalls-cloud-security-products
Recent samples of the destructive Xbash Linux malware can uninstall cloud security protection products from infected servers, Palo Alto Networks reports.
First detailed last year, the malware features a broad set of malicious capabilities, ranging from ransomware and crypto-currency mining to self-propagation, database deletion, and the enrolling of compromised servers into a botnet.
Tomi Engdahl says:
Marco Rubio Proposes New Federal Data Privacy Bill
https://www.securityweek.com/marco-rubio-proposes-new-federal-data-privacy-bill
Tomi Engdahl says:
Hackers Actively Scanning for ThinkPHP Vulnerability, Akamai Says
https://www.securityweek.com/hackers-actively-scanning-thinkphp-vulnerability-akamai-says
There is widespread scanning for a recently disclosed remote code execution vulnerability in the ThinkPHP framework, Akamai reveals.
Tomi Engdahl says:
Senators worry that new D.C. Metro railcars could carry cyber risk
https://www.cyberscoop.com/dc-metro-wmata-china-cars-cybersecurity-risk/
Senators who represent the Washington, D.C., area have raised concerns about added cybersecurity risks in the region’s Metro system after reports that a Chinese state-owned manufacturing company could win a $1 billion procurement for railcars.
Tomi Engdahl says:
Police license plate readers are still exposed on the internet
https://techcrunch.com/2019/01/22/police-alpr-license-plate-readers-accessible-internet/?utm_source=tcfbpage&sr_share=facebook
Most of the ALPR devices are shipped with default passwords.
Tomi Engdahl says:
These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown
https://techcrunch.com/2019/01/17/federal-https-domains-expire-government-shutdown/
Tomi Engdahl says:
Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations
https://www.forbes.com/sites/thomasbrewster/2019/01/16/massive-oklahoma-government-data-leak-exposes-7-years-of-fbi-investigations/#368dddb86e11
Another day, another huge leak of government information.
Last December, a whopping 3 terabytes of unprotected data from the Oklahoma Securities Commission was uncovered by Greg Pollock, a researcher with cybersecurity firm UpGuard. It amounted to millions of files, many on sensitive FBI investigations, all of which were left wide open on a server with no password, accessible to anyone with an internet connection, Forbes can reveal.
The Oklahoma department regulates all financial securities business happening in the state. It may be little surprise there was leaked information on FBI cases.
Tomi Engdahl says:
“5 minutes of sheer terror”: Hackers infiltrate East Bay family’s Nest surveillance camera, send warning of incoming North Korea missile attack
https://www.mercurynews.com/2019/01/21/it-was-five-minutes-of-sheer-terror-hackers-infiltrate-east-bay-familys-nest-surveillance-camera-send-warning-of-incoming-north-korea-missile-attack/
Fake ICBM missile warning over Nest system sends East Bay family into panic
Tomi Engdahl says:
Non-Microsoft controlled content hosted on some of the above endpoints #233
https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/issues/233
Tomi Engdahl says:
A popular WordPress plugin leaked access tokens capable of hijacking Twitter accounts
https://techcrunch.com/2019/01/17/wordpress-plugin-leaked-twitter-account-access-tokens/?sr_share=facebook&utm_source=tcfbpage
A popular WordPress plugin, installed on thousands of websites to help users share content on social media sites, left linked Twitter accounts exposed to compromise.
The plugin, Social Network Tabs, was storing so-called account access tokens in the source code of the WordPress website. Anyone who viewed the source code could see the linked Twitter handle and the access tokens.
Tomi Engdahl says:
Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open
https://threatpost.com/critical-unpatched-cisco-flaw/141010/
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Researcher: 24M+ financial and banking documents, representing tens of thousands of loans and mortgages, were left exposed online by Texas-based firm Ascension — Exclusive: The database included highly sensitive financial data on customers who have taken out loans with U.S. banks
https://techcrunch.com/2019/01/23/financial-files/
Millions of bank loan and mortgage documents have leaked online
Exclusive: The database included highly sensitive financial data on customers who have taken out loans with U.S. banks
Tomi Engdahl says:
Robert McMillan / Wall Street Journal:
Inside Google’s 27-person in-house counterespionage team, the Threat Analysis Group, which tracks 200+ hacker groups, many of which are linked to US adversaries — Google likely has ‘the most useful data set available to any private company for tracking state adversaries and intelligence services,’ an expert says
Inside Google’s Team Fighting to Keep Your Data Safe From Hackers
https://www.wsj.com/articles/inside-googles-team-battling-hackers-11548264655?mod=e2twd
Google likely has ‘the most useful data set available to any private company for tracking state adversaries and intelligence services,’ an expert says
Tomi Engdahl says:
Apple Patches Dozens of Vulnerabilities in iOS, macOS
https://www.securityweek.com/apple-patches-dozens-vulnerabilities-ios-macos
Tomi Engdahl says:
WhiteHat Security Launches New Software Testing Products
https://www.securityweek.com/whitehat-security-launches-new-software-testing-products
Tomi Engdahl says:
Voicemail Phishing Campaign Tricks You Into Verifying Password
https://www.bleepingcomputer.com/news/security/voicemail-phishing-campaign-tricks-you-into-verifying-password/
A new phishing campaign is underway that utilizes EML attachments that pretend to be a received voicemail and prompt you to log in to retrieve it. This campaign also uses a clever tactic of tricking you into entering your password twice in order to confirm that you are providing the correct account credentials.
Tomi Engdahl says:
Monero: Cybercrime’s Top Choice for Mining Malware
https://threatpost.com/monero-cybercrime-mining-malware/141116/
Illicit Monero-mining malware accounts for more than 4 percent of the XMR in circulation, and has created $57 million in profits for the bad guys.
An academic analysis of cryptomining malware has determined that the Monero virtual currency (XMR) is “by far” the most popular cryptocurrency to mine among cybercriminals. And, it would appear that cryptomining as a criminal enterprise is unlikely to wane anytime soon.
After examining approximately 4.4 million malware samples (1 million of which turned out to be malicious miners) over a period of twelve years from 2007 to 2018, Sergio Pastrana of the Universidad Carlos III de Madrid and Guillermo Suarez-Tangil of King’s College London carried out a profit analysis that shows that criminals have mined more than 4.32 percent of the circulating XMR.
Tomi Engdahl says:
New ransomware strain is locking up Bitcoin mining rigs in China
https://www.zdnet.com/article/new-ransomware-strain-is-locking-up-bitcoin-mining-rigs-in-china/#ftag=RSSbaffb68
Ransomware threatens to overheat and destroy mining rigs if victims don’t infect 1,000 other devices or don’t pay a 10 Bitcoin ransom.
Tomi Engdahl says:
US Senators fear Chinese-made metro rail cars could be used for surveillance
https://www.zdnet.com/article/us-senators-fear-chinese-made-metro-rail-cars-could-be-used-for-surveillance/
US Senators want Washington Metro to block a Chinese state-owned company from providing subway cars.
Tomi Engdahl says:
Chrome API update will kill a bunch of other extensions, not just ad blockers
https://www.zdnet.com/article/chrome-api-update-will-kill-a-bunch-of-other-extensions-not-just-ad-blockers/
Chrome extensions for antivirus products, parental control enforcement, and various privacy-enhancing services also affected.
A planned update to one of the Google Chrome extensions APIs would kill much more than a few ad blockers, ZDNet has learned, including browser extensions for antivirus products, parental control enforcement, and various privacy-enhancing services.
https://www.zdnet.com/article/google-chrome-could-soon-kill-off-most-ad-blocker-extensions/