Cyber Security News January 2019

This posting is here to collect cyber security news in January 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

 


  1. Tomi Engdahl says:

    Nation-State Actors Leverage Insiders for Economic Espionage
    https://www.flashpoint-intel.com/blog/nation-state-actors-leverage-insiders-for-economic-espionage/

    The term ‘insider threat’ often brings to mind an image of a disgruntled employee who abuses their internal privileges in an unsophisticated manner for personal gain. While insider threat certainly can manifest in this form, it can also take more coordinated, insidious forms when insiders act as agents of economic espionage.

  2. Tomi Engdahl says:

    Chinese Hacker Publishes PoC for Remote iOS 12 Jailbreak On iPhone X
    https://thehackernews.com/2019/01/ios12-jailbreak-exploit.html

    IPC Voucher UaF Remote Jailbreak Stage 2 (EN)
    http://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202%20(EN).html

  3. Tomi Engdahl says:

    Apple delivers security patches, plugs an RCE achievable via FaceTime
    https://www.helpnetsecurity.com/2019/01/23/apple-security-patches-january-2019/

    Apple has released a new set of updates for its various products, plugging a wide variety of vulnerabilities.

  4. Tomi Engdahl says:

    Happy New Year 2019! Anatova is here!
    By Alexandre Mundo on Jan 22, 2019
    https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/

    During our continuous hunt for new threats, we discovered a new ransomware family we call Anatova (based on the name of the ransom note). Anatova was discovered in a private peer-to-peer (p2p) network. After initial analysis, and making sure that our customers are protected, we decided to make this discovery public.

  5. Tomi Engdahl says:

    265 Researchers Take Down 100,000 Malware Distribution Websites
    https://www.bleepingcomputer.com/news/security/265-researchers-take-down-100-000-malware-distribution-websites/

    Security researchers across the globe united in a project dedicated to sharing URLs used in malicious campaigns managed to take down close to 100,000 websites actively engaged in malware distribution.

    Called URLhaus, the project was initiated by abuse.ch, a non-profit cybersecurity organization in Switzerland. It started at the end of March 2018 and recorded a daily average of 300 submissions from 265 security researchers.

    Chinese hosting networks are slow to react

    The takedown activity involved the cooperation of the companies hosting the offensive websites on their infrastructure, some of them not rushing to respond to abuse reports.

    Chinese hosting providers took the longest to react to complaints against some websites’ involvement in malicious activities.

    “The three top Chinese malware hosting networks have an average abuse desk reaction time of more than a month!” abuse.ch writes in a report.

    https://urlhaus.abuse.ch/

  6. Tomi Engdahl says:

    DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains
    https://thehackernews.com/2019/01/dns-hijacking-cyber-attacks.html

    The U.S. Department of Homeland Security (DHS) has today issued an “emergency directive” to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within the next 10 business days.

    The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking, which security researchers with “moderate confidence” believe originated from Iran.

  7. Tomi Engdahl says:

    Something that happened due to the gov shutdown or was attributed to that

    Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations
    https://www.forbes.com/sites/thomasbrewster/2019/01/16/massive-oklahoma-government-data-leak-exposes-7-years-of-fbi-investigations/#3502de0d6e11

  8. Tomi Engdahl says:

    Georgia Official Seeks to Replace Criticized Voting Machines
    https://www.securityweek.com/georgia-official-seeks-replace-criticized-voting-machines

    Georgia’s new elections chief asked lawmakers Wednesday for $150 million to replace the state’s outdated electronic voting machines. In doing so, he all but closed the door on a hand-marked paper balloting system that experts say is cheapest and most secure.

    The current machines and Georgia’s registration practices became the subject of national criticism during last year’s governor’s race between Democrat Stacey Abrams and Republican Brian Kemp. Kemp served as secretary of state and refused calls to resign from overseeing his own election. He stepped down two days postelection after declaring himself the winner.

  9. Tomi Engdahl says:

    Bypassing Network Restrictions Through RDP Tunneling
    https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html

    Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. On the other hand, Remote Desktop Services, and specifically the Remote Desktop Protocol (RDP), offers this same convenience to remote threat actors during targeted system compromises. When sophisticated threat actors establish a foothold and acquire ample logon credentials, they may switch from backdoors to using direct RDP sessions for remote access. When malware is removed from the equation, intrusions become increasingly difficult to detect.

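The FireEye post quoted in the comment above is about RDP sessions that arrive through a tunnel (plink or ssh port forwarding, or a netsh portproxy listener) instead of through a backdoor, which is why nothing in the malware sandbox fires. Below is an added example of the host-side check a detection engineer would write for that case; it is not code from FireEye, from the article, or from this blog. It assumes Windows Security events already parsed into dicts carrying the standard 4624/4688 field names, and the event records themselves are constructed for the example. The signal it keys on: a RemoteInteractive logon (4624, LogonType 10) whose source address is a loopback address can only come from an RDP client that connected to a listener on the same host, which is exactly what the inbound end of a tunnel looks like.

```python
import ipaddress
import re

# Windows Security log event IDs and the RDP logon type (real values, not assumptions):
# 4624 = successful logon, 4688 = process creation, LogonType 10 = RemoteInteractive.
EVENT_LOGON = 4624
EVENT_PROCESS = 4688
RDP_LOGON_TYPE = "10"

# Tools commonly used to forward the RDP port through another channel.
TUNNEL_TOOL = re.compile(r"\b(plink|ssh|netsh)(\.exe)?\b", re.IGNORECASE)
RDP_PORT = re.compile(r"(?<!\d)3389(?!\d)")   # 3389 as a whole token, not 33890

# Constructed event records for the example; field names follow the 4624/4688 schema.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "LogonType": "10", "IpAddress": "10.20.30.5",
     "TargetUserName": "alice"},                        # ordinary RDP from a workstation
    {"EventID": 4624, "Computer": "FS01", "LogonType": "10", "IpAddress": "127.0.0.1",
     "TargetUserName": "svc_backup"},                   # RDP client sat on FS01 itself: tunnel
    {"EventID": 4624, "Computer": "FS01", "LogonType": "3", "IpAddress": "127.0.0.1",
     "TargetUserName": "FS01$"},                        # local network logon, not RDP
    {"EventID": 4624, "Computer": "WEB02", "LogonType": "10", "IpAddress": "::1",
     "TargetUserName": "bob"},                          # same thing over IPv6 loopback
    {"EventID": 4688, "Computer": "WEB02",
     "CommandLine": "C:\\Tools\\plink.exe -N -R 12345:127.0.0.1:3389 user@203.0.113.7"},
    {"EventID": 4688, "Computer": "WEB02",
     "CommandLine": "ssh.exe -L 8080:intranet:80 user@jump"},  # forwarding, but not 3389
    {"EventID": 4688, "Computer": "WEB02",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=8080 "
                    "connectport=3389 connectaddress=10.0.0.9"},
    {"EventID": 4624, "Computer": "DC01", "LogonType": "2", "IpAddress": "-",
     "TargetUserName": "admin"},                        # console logon, no address at all
]


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for '-', empty or unparsable values."""
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False


def find_tunneled_rdp(events):
    """Return (computer, rule, detail) tuples for events consistent with RDP tunneling."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == EVENT_LOGON:
            # An RDP logon whose peer is the server's own loopback address means the
            # RDP client connected to a local listener, i.e. the far end of a tunnel.
            if str(ev.get("LogonType")) == RDP_LOGON_TYPE and is_loopback(ev.get("IpAddress", "")):
                findings.append((ev["Computer"], "rdp_logon_from_loopback", ev["TargetUserName"]))
        elif eid == EVENT_PROCESS:
            # A forwarding tool started with 3389 somewhere in its arguments.
            cmd = ev.get("CommandLine", "")
            if TUNNEL_TOOL.search(cmd) and RDP_PORT.search(cmd):
                findings.append((ev["Computer"], "tunnel_tool_forwarding_3389", cmd))
    return findings


def main():
    for computer, rule, detail in find_tunneled_rdp(SAMPLE_EVENTS):
        print(f"{computer}: {rule}: {detail}")


if __name__ == "__main__":
    main()
```

The loopback rule is the one that survives when the attacker brings no tool at all and simply uses a native ssh client already on the box; the process rule needs command-line logging (4688 with command line auditing enabled, or Sysmon event 1) to have anything to match. Neither rule fires on a legitimate tunnel, so a real deployment would suppress known jump hosts rather than lower the severity.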
  10. Tomi Engdahl says:

    Alert (AA19-024A)
    DNS Infrastructure Hijacking Campaign
    https://www.us-cert.gov/ncas/alerts/AA19-024A

    The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

  11. Tomi Engdahl says:

    GreyEnergy’s overlap with Zebrocy
    https://securelist.com/greyenergys-overlap-with-zebrocy/89506/

    In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.

    Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”.

  12. Tomi Engdahl says:

    8-year-old ‘scared to death’ after hacked Nest security camera warns of missile attack
    https://www.bitdefender.com/box/blog/iot-news/8-year-old-scared-death-hacked-nest-security-camera-warns-missile-attack/#new_tab

    A California family has described the ‘sheer terror’ it experienced after its smart security camera began broadcasting a bogus warning that three North Korean missiles were heading to Chicago, Los Angeles, and Ohio.

    Laura Lyons, a resident of Orinda, California, told the Mercury News of the scare her family had on Sunday when an internet-connected Nest security camera, sitting on top of a television, broadcast a terrifying warning of intercontinental ballistic missiles launched by Pyongyang.

  13. Tomi Engdahl says:

    Malware in Ad-Based Images Targets Mac Users
    https://threatpost.com/malware-in-ad-based-images-targets-mac-users/141115/

    Researchers detected 191,970 bad ads and estimate that around 1 million users were impacted.

    A massive adware campaign has so far impacted up to a million Mac users, using a tricky steganography technique to hide malware in image files.

    Confiant & Malwarebytes Uncover Steganography Based Ad Payload That Drops Shlayer Trojan On Mac Users
    https://blog.confiant.com/confiant-malwarebytes-uncover-steganography-based-ad-payload-that-drops-shlayer-trojan-on-mac-cd31e885c202?gi=13b4da8ccb11

  14. Tomi Engdahl says:

    Massive ‘Fortnite’ security hole allowed hackers to take over accounts, eavesdrop on chats
    https://www.nbcnews.com/tech/security/massive-fortnite-security-hole-allowed-hackers-take-over-accounts-eavesdrop-n959306

    To fall victim to this attack, a player needed only to click on a crafted phishing link — one typically designed to look like it was coming from an Epic Games domain.

  15. Tomi Engdahl says:

    Runner found to be a hitman after GPS Watch ties him to crime scene
    https://www.runnersworld.com/uk/news/a25945315/mark-fellows-runner-hitman-murder/?utm_content=buffer5bee3&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer

    The health-conscious assassin was picked up for another murder, then investigators found his Garmin.

  16. Tomi Engdahl says:

    US gov issues emergency directive after wave of domain hijacking attacks
    https://nakedsecurity.sophos.com/2019/01/25/us-gov-declares-emergency-after-wave-of-domain-hijacking-attacks/

    The US Department of Homeland Security (DHS) has issued an emergency directive tightening DNS security after a recent wave of domain hijacking attacks targeting government websites.

    Under the directive, which appeared a week after a US-CERT warning on the same topic, admins looking after US .gov domains have until 5 February to do all of the following or explain why they can’t

  17. Tomi Engdahl says:

    Black hats are great for language diversity, says Eugene Kaspersky
    https://www.theregister.co.uk/2019/01/23/eugene_kaspersky_hacker_language_diversity/

    Also reckons Russian hackers go quiet over the Christmas holidays

  18. Tomi Engdahl says:

    Police license plate readers are still exposed on the internet
    https://techcrunch.com/2019/01/22/police-alpr-license-plate-readers-accessible-internet/?sr_share=facebook&utm_source=tcfbpage

    Most of the ALPR devices are shipped with default passwords

  19. Tomi Engdahl says:

    Batten down the DNS hatches as attackers strike Feds
    https://www.networkworld.com/article/3336201/security/batten-down-the-dns-hatches-as-attackers-strike-feds.html

    DHS warns federal agencies of DNS attacks and offers best practices to help mitigate the situation.

  20. Tomi Engdahl says:

    A DNS hijacking wave is targeting companies at an almost unprecedented scale
    https://arstechnica.com/information-technology/2019/01/a-dns-hijacking-wave-is-targeting-companies-at-an-almost-unprecedented-scale/

    Clever trick allows attackers to obtain valid TLS certificate for hijacked domains.

    Federal authorities and private researchers are alerting companies to a wave of domain hijacking attacks that use relatively novel techniques to compromise targets at an almost unprecedented scale.

    One DNS hijacking technique involves changing what’s known as the DNS A record. It works when the attackers have somehow previously compromised the login credentials for the administration panel of the target’s DNS provider.

    With that in place, people who visit the targeted domain don’t access its legitimate server. Instead, they access an attacker-controlled server that connects back to the legitimate server to give visitors the impression nothing is amiss. The attackers then collect usernames and passwords. End users receive no warnings and won’t notice any differences in the site they’re accessing except, possibly, for a longer-than-normal delay.

    FireEye said attackers are using the techniques to hijack dozens of domains belonging to entities in North America, Europe, the Middle East, and North Africa.

    With control over the domain, the attackers then use the automated Let’s Encrypt service to generate a valid TLS certificate for it.

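The CISA alert quoted in comment 10 and the Ars Technica piece above describe the same detectable change: someone holding the DNS provider's credentials edits the A or NS records so the name resolves to a proxy the attacker controls, after which a publicly trusted certificate for the name is issued to them without complaint. The first thing the DHS directive asks for is an audit of the records, and the following is an added example of that audit (written for this page, not taken from CISA, FireEye or Ars Technica). It compares what an authoritative server currently answers against an approved baseline and ranks the drift by what the changed record type can do. Both inputs are constructed here as dig-style answer sections using the example.com name and documentation-reserved addresses; in practice the observed set would come from `dig +noall +answer @ns1.example.com example.com A` (and the other types) run against every authoritative server, and the baseline from version control.

```python
from collections import defaultdict

# A changed NS or SOA redirects the whole zone; a changed A/MX/CNAME redirects one name.
CRITICAL_TYPES = {"NS", "SOA"}
HIGH_TYPES = {"A", "AAAA", "CNAME", "MX", "TXT"}

# Constructed inputs for the example, in the layout dig +noall +answer prints:
# owner TTL class type rdata. Addresses are from the documentation ranges.
BASELINE = """
example.com.        3600 IN A   192.0.2.10
example.com.        3600 IN NS  ns1.example.com.
example.com.        3600 IN NS  ns2.example.com.
example.com.        3600 IN MX  10 mail.example.com.
mail.example.com.   3600 IN A   192.0.2.25
"""

OBSERVED = """
example.com.         300 IN A   198.51.100.77   ; now points at a foreign host
example.com.        3600 IN NS  ns1.example.com.
example.com.        3600 IN NS  ns2.example.com.
example.com.        3600 IN NS  ns3.example.net.  ; an extra name server appeared
example.com.        3600 IN MX  10 mail.example.com.
mail.example.com.    300 IN A   198.51.100.78
"""


def parse_records(text):
    """Parse dig-style answer lines into {(owner, type): set(rdata)}; TTLs are ignored."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError("unexpected record line: " + raw)
        owner = parts[0].rstrip(".").lower()
        rtype = parts[3].upper()
        rdata = " ".join(parts[4:])              # MX keeps its priority, TXT its text
        records[(owner, rtype)].add(rdata)
    return dict(records)


def severity_for(rtype):
    if rtype in CRITICAL_TYPES:
        return "critical"
    if rtype in HIGH_TYPES:
        return "high"
    return "medium"


def diff_records(baseline, observed):
    """Return (severity, owner, type, added, removed) for every RRset that drifted."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        want = baseline.get(key, set())
        got = observed.get(key, set())
        if want != got:
            owner, rtype = key
            findings.append((severity_for(rtype), owner, rtype,
                             sorted(got - want), sorted(want - got)))
    return findings


def main():
    drift = diff_records(parse_records(BASELINE), parse_records(OBSERVED))
    for sev, owner, rtype, added, removed in drift:
        print(f"[{sev}] {owner} {rtype}: +{added} -{removed}")


if __name__ == "__main__":
    main()
```

An A record moving to an unfamiliar address is the front end of the attack described above; a new NS record is worse, because it hands the attacker every name under the zone, so the NS set should also be checked at the parent (the registry delegation), not only on the servers you think are authoritative. The check says nothing about certificates, so pair it with Certificate Transparency monitoring for the zone's names, which the DHS directive also requires, and with multi-factor authentication on the DNS provider account, since the records only moved because the credentials were taken.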
  21. Tomi Engdahl says:

    MH370 SHOCK: Plane missing due to ‘CYBER HACKING attack’, defence expert claims
    https://www.express.co.uk/news/world/1077616/mh370-latest-update-flight-missing-hacked-cyber-hack-attack-spt

    MH370 was targeted and taken over by cyber hackers, according to an expert speaking in a new documentary.

  22. Tomi Engdahl says:

    Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!
    https://salls.github.io/Linux-Kernel-CVE-2017-5123/

    In this blog post I’m going to explain how to exploit CVE-2017-5123, a bug I found in the Linux kernel, and show how it can be used to escalate privileges, even with SMEP, SMAP and from inside the Chrome sandbox.

  23. Tomi Engdahl says:

    Benjamin Mayo / 9to5Mac:
    FaceTime bug lets a caller hear audio or view video from recipient’s phone before call has been accepted or rejected; Apple says fix coming later this week — A significant bug has been discovered in FaceTime and is currently spreading virally over social media.

    Major iPhone FaceTime bug lets you hear the audio of the person you are calling … before they pick up
    https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/

    A significant bug has been discovered in FaceTime and is currently spreading virally over social media. The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.

  24. Tomi Engdahl says:

    Tom Warren / The Verge:
    Apple has disabled the Group FaceTime feature on the server side and reports suggest this has fixed the security flaw for most people — Software update still due later this week — Apple has temporarily disabled its Group FaceTime feature in iOS and macOS to fix a major security flaw.

    Apple disables Group FaceTime following major security flaw
    https://www.theverge.com/2019/1/29/18201667/apple-group-facetime-disabled-server-side-major-security-flaw-fix

    Software update still due later this week

  25. Tomi Engdahl says:

    Appeals Court to Hear Case of Reporter Alleging Surveillance
    https://www.securityweek.com/appeals-court-hear-case-reporter-alleging-surveillance

    When Sharyl Attkisson first began hearing clicking sounds on her phone and her computers started turning on and off in the middle of the night, she thought it was a technical glitch that could be easily fixed.

    Attkisson, then a longtime investigative reporter for CBS News, didn’t suspect anything more until her sources in the intelligence community suggested that the government might be spying on her because of critical stories she had done.

  26. Tomi Engdahl says:

    Authorities Track Down Users of DDoS Services
    https://www.securityweek.com/authorities-track-down-users-ddos-services

    The seizure of several websites offering distributed denial of service (DDoS) for hire services has allowed authorities to track down and take action against people who used such websites, Europol announced today.

  27. Tomi Engdahl says:

    Zero-Days in WordPress Plugin Actively Exploited
    https://www.securityweek.com/zero-days-wordpress-plugin-actively-exploited

    The commercial Total Donations plugin for WordPress is impacted by multiple zero-day vulnerabilities that are being actively exploited in attacks, Wordfence security researchers report.

  28. Tomi Engdahl says:

    UK government reveals £70m plan to combat cyberthreats
    https://www.itproportal.com/news/uk-government-reveals-pound70m-plan-to-combat-cyberthreats/

    It wants businesses to design out cyberthreats by designing in security.

  29. Tomi Engdahl says:

    Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory
    https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

  30. Tomi Engdahl says:

    How easy is it to steal your car?
    https://www.which.co.uk/news/2019/01/how-easy-is-your-car-to-steal/

    Four of the UK’s top five best-selling cars, plus hundreds of other models, can easily be stolen by thieves

    If your car has keyless entry, then it joins the thousands of cars, including four of the most popular models in the UK from Ford, Nissan and VW, that can easily be stolen by thieves using cheap electronic equipment bought online.

    The German General Automobile Club (ADAC) has tested 237 keyless cars (models that unlock and start automatically when the key is close by) and found that thieves can easily trick 230 of them into thinking that your key is closer than it really is, enabling them to unlock and start your car.

    A further four cars can be either unlocked or started. Only three – all from Jaguar Land Rover – were not susceptible at all. This means 99% of the cars tested have some form of security flaw.

    https://dwkujuq9vpuly.cloudfront.net/news/wp-content/uploads/2019/01/Cars-tested-by-ADAC.pdf

  31. Tomi Engdahl says:

    Japanese government plans to hack into citizens’ IoT devices
    https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/

    Japanese government wants to secure IoT devices before Tokyo 2020 Olympics and avoid Olympic Destroyer and VPNFilter-like attacks.

    The Japanese government approved a law amendment on Friday that will allow government workers to hack into people’s Internet of Things devices as part of an unprecedented survey of insecure IoT devices.

    The survey will be carried out by employees of the National Institute of Information and Communications Technology (NICT) under the supervision of the Ministry of Internal Affairs and Communications.

    NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers’ IoT devices.

    The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices.

    http://www.soumu.go.jp/main_content/000595927.pdf

  32. Tomi Engdahl says:

    Mozilla publishes official Firefox anti-tracking policy
    https://www.zdnet.com/article/mozilla-publishes-official-firefox-anti-tracking-policy/

    Mozilla devs detail what types of websites and abusive user-tracking practices they intend to block in future Firefox versions.

  33. Tomi Engdahl says:

    China deletes ‘malicious’ mobile apps
    https://www.reuters.com/article/us-china-gaming-tencent-holdings/china-deletes-malicious-mobile-apps-idUSKCN1PI0LO

    China’s cyber watchdog said on Thursday it has deleted close to 8,000 “malicious” mobile apps, as regulators step up efforts to tighten control over the country’s internet.

    The Cyberspace Administration of China (CAC) said in a statement it had ordered telecom operators to shut down the services of 7,873 apps after finding they had overcharged and cheated users as well as stolen information.

  34. Tomi Engdahl says:

    Dailymotion Resets Passwords After Credential Stuffing Attack
    https://www.bleepingcomputer.com/news/security/dailymotion-resets-passwords-after-credential-stuffing-attack/

    Dailymotion on Friday announced that some accounts were the target of a credential stuffing attack. The video platform’s security team discovered the unauthorized access attempts and stopped them.

  35. Tomi Engdahl says:

    Russia hit by new wave of ransomware spam
    https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/

    Among the increased number of malicious JavaScript email attachments observed in January 2019, ESET researchers have spotted a large wave of ransomware-spreading spam targeting Russian users

    January 2019 has seen a dramatic uptick in detections of malicious JavaScript email attachments, an attack vector that mostly lay dormant throughout 2018. Among the “New Year edition” of malicious spam campaigns relying on this vector, we have detected a new wave of Russian-language spam that distributes ransomware known as Shade or Troldesh, and detected by ESET as Win32/Filecoder.Shade.

    The campaign appears to be a follow-up to a malicious spam campaign that started distributing the Shade ransomware in October 2018.

