This posting is here to collect cyber security news in February 2019.
I post links to security vulnerability news in the comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
373 Comments
Tomi Engdahl says:
Game of Thrones hacker worked with US defector to hack Air Force employees for Iran
https://www.zdnet.com/article/game-of-thrones-hacker-worked-with-us-defector-to-hack-air-force-employees-for-iran/
Former US Air Force intelligence agent passed crucial information to Iranian state hackers after she defected to Iran in 2013.
Tomi Engdahl says:
Lenovo Watch X Riddled with Security Vulnerabilities
https://threatpost.com/lenovo-watch-x-riddled-with-security-vulnerabilities/141822/
Researchers have identified multiple security issues with this Lenovo smartwatch.
Researchers are raking the Lenovo Watch X over the security coals in a report that blasts the device for shipping with a half dozen “disturbing” privacy and security vulnerabilities.
Tomi Engdahl says:
ThreatList: Banking Trojans Are Still The Top Big Bad for Email
https://threatpost.com/banking-trojans-top-threat-email/141814/
Banking trojans, led by the ever-changing Emotet, dominated the email-borne threat landscape in Q4, according to Proofpoint.
Tomi Engdahl says:
South Korea is Censoring the Internet by Snooping on SNI Traffic
https://www.bleepingcomputer.com/news/security/south-korea-is-censoring-the-internet-by-snooping-on-sni-traffic/
South Korea has been blocking HTTP websites that are on their censor list for a while now and they have recently started using SNI filtering to block their counterparts served over HTTPS.
A warning page bearing the seals of the Korea Communications Standards Commission (KCSC) and the Korean National Police Agency is displayed for blocked HTTP websites, while TLS sites blocked using Server Name Indication (SNI) filtering will only throw a “This site can’t be reached” error.
SNI filtering used to block websites
SNI is a TLS extension which allows browsers to inform a web server of the hostname they want to connect to at the beginning of the handshaking process, as detailed in IETF’s RFC3546.
Tomi Engdahl says:
Got a direct message from a top YouTuber? Chances are, it’s phishing
https://www.kaspersky.com/blog/youtube-phishing-scam/25600/
Tomi Engdahl says:
Researchers Dig into Microsoft Office Functionality Flaws
An ongoing study investigating security bugs in Microsoft Office has so far led to two security patches.
https://www.darkreading.com/endpoint/researchers-dig-into-microsoft-office-functionality-flaws/d/d-id/1333870
Microsoft Office, ubiquitous on enterprise and personal computers, is a hot target for cybercriminals and a key focus area for researchers hoping to find bugs before the bad guys do.
Tomi Engdahl says:
Swiss e-voting trial offers $150,000 in bug bounties to hackers
The white hat hacking begins February 24th
https://www.theverge.com/2019/2/12/18221570/swiss-e-electronic-voting-public-intrusion-test-hacking-white-hack-bug-bounties
Tomi Engdahl says:
OpenOffice Zero-Day Code Execution Flaw Gets Free Micropatch
https://www.bleepingcomputer.com/news/security/openoffice-zero-day-code-execution-flaw-gets-free-micropatch/
Using an exploit for this zero-day vulnerability, potential attackers can issue a directory traversal attack against users of all versions of OpenOffice and all LibreOffice releases up to and including 6.0.6/6.1.2.1.
However, the OpenOffice 0day, which is currently tracked as CVE-2018-16858 and received a CVSS3 Base Score of 7.8 from Red Hat, has been fixed by The Document Foundation in the LibreOffice 6.0.7/6.1.3 release after receiving a report from security researcher Alex Inführ, who discovered the issue.
Patches only the Windows version
The researcher also created and published a Proof-of-Concept for CVE-2018-16858 in the form of a FODT extension, which he also uploaded to the VirusTotal malware scanning service.
Tomi Engdahl says:
Hackers KO Malta’s Bank of Valletta in attempt to nick €13m
Hapless bank goes into lockdown mode, vanishes from the internet
https://www.theregister.co.uk/2019/02/13/bank_of_valletta_13m_euro_hackers_shutdown/
Update 3 | BOV cyber attack: €13 million transferred out with false transactions
https://www.maltatoday.com.mt/news/national/92964/bank_of_valletta_shuts_down_operations_following_cyber_attack_#.XGQ_L8Z7mU0
The bank said customer accounts and their funds were not impacted • Prime Minister addresses Parliament • People and retailers in the dark as to when the situation will return back to normal
Tomi Engdahl says:
The consequence of the airport chaos became clear: an invisible fence for DJI drones in Finland too
https://www.mikrobitti.fi/uutiset/lentokentan-kaaoksen-seuraus-selvisi-suomeenkin-djin-lennokeille-nakymaton-aitaus/9285ec1a-1b12-4ace-84f2-cc96c1fb3489
Drone manufacturer DJI announces that it is changing the geofencing systems of its drones, which are used to prevent them from flying into restricted areas.
Tomi Engdahl says:
Episode 20 | Defining Cyber Warfare, with Mikko Hypponen
https://blog.f-secure.com/podcast-cyber-warfare-mikko/
Tomi Engdahl says:
STOP ransomware claims even more victims
https://www.pandasecurity.com/mediacenter/malware/stop-ransomware-victims/
Despite having been ‘in the wild’ for some weeks now, infections caused by STOP ransomware have continued to rise. Perhaps somewhat ironically, those most affected (at the moment) appear to be software pirates.
Tomi Engdahl says:
January 2019’s Most Wanted Malware: A New Threat Speaks Up
https://blog.checkpoint.com/2019/02/13/january-2019s-most-wanted-malware-a-new-threat-speakup-linux-crypto-cryptomining/
Tomi Engdahl says:
Researchers Implant “Protected” Malware On Intel SGX Enclaves
https://thehackernews.com/2019/02/intel-sgx-malware-hacking.html
Cybersecurity researchers have discovered a way to hide malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to protect it from disclosure or modification.
In other words, the technique allows attackers to implant malware code in a secure memory that uses protection features of SGX which are otherwise designed to protect important data from prying eyes or from being tampered, even on a compromised system.
Tomi Engdahl says:
Siemens Warns of Critical Remote-Code Execution ICS Flaw
https://threatpost.com/siemens-critical-remote-code-execution/141768/
The affected SICAM 230 process control system is used as an integrated energy system for utility companies, and as a monitoring system for smart-grid applications.
Tomi Engdahl says:
Microsoft Releases the February 2019 Updates for Office
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-the-february-2019-updates-for-office/
https://blogs.technet.microsoft.com/office_sustained_engineering/2019/02/12/february-2019-office-update-release/
Tomi Engdahl says:
The Scarlet Widow Gang Entraps Victims Using Romance Scams
https://www.bleepingcomputer.com/news/security/the-scarlet-widow-gang-entraps-victims-using-romance-scams/
We often hear about sextortion, business email compromise (BEC), and inheritance scams, but the often overlooked “Romance Scams” could be the most insidious of them all. Not only do victims lose money, but the emotional entanglement ultimately leads to heartbreak.
Romance scams are months long, if not year long, campaigns where bad actors catfish, or pretend to be in love with, an unsuspecting victim in order to steal money from them. They do this by creating fake romantic relationships that the victims become invested in and are willing to help them with fake financial troubles.
Tomi Engdahl says:
New Astaroth Trojan Variant Exploits Anti-Malware Software to Steal Info
https://www.bleepingcomputer.com/news/security/new-astaroth-trojan-variant-exploits-anti-malware-software-to-steal-info/
A new Astaroth Trojan campaign targeting Brazil and European countries is currently exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and load malicious modules.
According to Cybereason’s Nocturnus team which discovered the new Astaroth strain, just like previous installments, the malware uses “legitimate, built-in Windows OS processes to perform malicious activities and deliver a payload without being detected” but it also makes use “of well-known tools and even antivirus software to expand its capabilities.”
Tomi Engdahl says:
Hackers Wipe VFEmail Servers, May Shut Down After Catastrophic Data Loss
https://www.bleepingcomputer.com/news/security/hackers-wipe-vfemail-servers-may-shut-down-after-catastrophic-data-loss/
The U.S. servers of privacy-focused e-mail provider VFEmail were hacked into on February 11 and all the data was destroyed, on both the main and the backup systems.
According to VFEmail’s owner, the hackers did not leave a ransom note and, given the extent of the destruction, the service will most likely go offline to never return.
Tomi Engdahl says:
Weird Phishing Campaign Uses Links With Almost 1,000 Characters
https://www.bleepingcomputer.com/news/security/weird-phishing-campaign-uses-links-with-almost-1-000-characters/
Tomi Engdahl says:
DNS Manipulation in Venezuela in regards to the Humanitarian Aid Campaign
https://securelist.com/dns-manipulation-in-venezuela/89592/
Venezuela is a country facing an uncertain moment in its history. Reports suggest it is in significant need of humanitarian aid.
Tomi Engdahl says:
500px reveals almost 15 million users are caught up in security breach
https://www.digitaltrends.com/computing/500px-almost-15-million-users-caught-up-in-security-breach/
https://support.500px.com/hc/en-us/articles/360017752493-Security-Issue-February-2019-FAQ
Tomi Engdahl says:
Adobe Reader Zero-Day Micropatch Stops Malicious PDFs from Calling Home
https://www.bleepingcomputer.com/news/security/adobe-reader-zero-day-micropatch-stops-malicious-pdfs-from-calling-home/
Tomi Engdahl says:
Norway: GPS jamming during NATO drills in 2018 a big concern
https://apnews.com/eb300e709dfa4c6fa9d7d65a161d698b
Tomi Engdahl says:
Microsoft Patch Tuesday — February 2019: Vulnerability disclosures and Snort coverage
https://blogs.cisco.com/security/talos/microsoft-patch-tuesday-february-2019-vulnerability-disclosures-and-snort-coverage
https://blog.snort.org/2019/02/snort-rule-update-for-feb-12-2019.html
Tomi Engdahl says:
Dunkin’ Donuts Issues Alert for Credential Stuffing Attack, Passwords Reset
https://www.bleepingcomputer.com/news/security/dunkin-donuts-issues-alert-for-credential-stuffing-attack-passwords-reset/
Tomi Engdahl says:
Romance scams will cost you
https://www.consumer.ftc.gov/blog/2019/02/romance-scams-will-cost-you
Last year, people reported losing $143 million to romance scams – a higher total than for any other type of scam reported to the FTC. And, according to a new FTC Data Spotlight, reports of romance scams are on the rise.
Tomi Engdahl says:
Xiaomi Electric Scooters Vulnerable to Life-Threatening Remote Hacks
https://thehackernews.com/2019/02/xiaomi-electric-scooter-hack.html
Smart devices definitely make our lives easier, faster, and more efficient, but unfortunately, an insecure smart device can also ruin your day, or sometime could even turn into the worst nightmare of your life.
If you are an electric scooter rider, you should be concerned about yourself.
In a report shared with The Hacker News in advance, researchers from mobile security firm Zimperium said they have discovered an easy-to-execute but serious vulnerability in the M365 Folding Electric Scooter by Xiaomi that could potentially put riders' lives at risk.
Xiaomi e-Scooter has a significant market share and is also being used by different brands with some modifications.
Xiaomi M365 Electric Scooter comes with a mobile app that utilizes password-protected Bluetooth communication, allowing its riders to securely interact with their scooters remotely for multiple features like changing password, enabling the anti-theft system, cruise-control, eco mode, updating the scooter’s firmware, and viewing other real-time riding statistics.
However, researchers found that, due to improper validation of the password at the scooter's end, a remote attacker up to 100 meters away could send unauthenticated commands over Bluetooth to a targeted vehicle without requiring the user-defined password.
By exploiting this issue, an attacker can perform the following attack scenarios:
Locking Scooters—A sort of a denial-of-service attack, wherein an attacker can suddenly lock any M365 scooter in the middle of the traffic.
Deploying Malware—Since the app allows riders to upgrade scooter’s firmware remotely, an attacker can also push malicious firmware to take full control over the scooter.
Targeted Attack [Brake/Accelerate]—Remote attackers can even target an individual rider and cause the scooter to suddenly brake or accelerate.
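The root cause quoted above is that the scooter receives a password but never actually checks it before acting on a command. The following added Python model (my own illustration, not Zimperium's findings or Xiaomi's firmware) contrasts a command handler with that defect against one that authenticates each command with a single-use challenge and an HMAC, so that neither a wrong password nor a replayed message is accepted. The command names, the SHA-256 key derivation and the challenge scheme are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

COMMANDS = {"lock", "unlock", "set_cruise", "update_firmware"}


def derive_key(password: str) -> bytes:
    """Assumed toy key derivation shared by scooter and app; the password
    itself is never sent over the air in the hardened design."""
    return hashlib.sha256(password.encode()).digest()


class UnauthenticatedScooter:
    """Models the reported defect: a password field arrives with each command
    but is never compared against the configured one."""

    def __init__(self, password: str):
        self.password = password
        self.locked = False

    def handle(self, command: str, password_supplied: str) -> str:
        if command not in COMMANDS:
            return "error: unknown command"
        # BUG (mirrors the described issue): password_supplied is ignored.
        if command == "lock":
            self.locked = True
        elif command == "unlock":
            self.locked = False
        return "ok"


class AuthenticatedScooter:
    """Hardened variant (assumed design): every command must be accompanied by
    HMAC(key, challenge || command) over a fresh, single-use challenge."""

    def __init__(self, password: str):
        self._key = derive_key(password)
        self.locked = False
        self._pending = None

    def challenge(self) -> bytes:
        # 16 random bytes; a new one is issued for every command attempt.
        self._pending = secrets.token_bytes(16)
        return self._pending

    @staticmethod
    def prove(key: bytes, challenge: bytes, command: str) -> bytes:
        """Client-side computation of the proof for a given challenge."""
        return hmac.new(key, challenge + command.encode(), hashlib.sha256).digest()

    def handle(self, command: str, proof: bytes) -> str:
        if command not in COMMANDS:
            return "error: unknown command"
        if self._pending is None:
            return "error: no challenge outstanding"
        expected = self.prove(self._key, self._pending, command)
        self._pending = None  # consumed: a captured proof cannot be replayed
        if not hmac.compare_digest(expected, proof):
            return "error: authentication failed"
        if command == "lock":
            self.locked = True
        elif command == "unlock":
            self.locked = False
        return "ok"


if __name__ == "__main__":
    weak = UnauthenticatedScooter("rider-secret")
    print("weak:", weak.handle("lock", "wrong-password"), weak.locked)
    strong = AuthenticatedScooter("rider-secret")
    c = strong.challenge()
    print("strong:", strong.handle("lock", strong.prove(derive_key("wrong"), c, "lock")), strong.locked)
```

Binding the command name into the MAC matters as much as checking the password: otherwise a proof collected for a harmless command could be reused for "update_firmware" or "lock".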
Tomi Engdahl says:
YouTube’s copyright strikes have become a tool for extortion
Scammers are threatening to shut down channels — unless the owner pays up
https://www.theverge.com/2019/2/11/18220032/youtube-copystrike-blackmail-three-strikes-copyright-violation
Tomi Engdahl says:
Collaborative Client-Side DNS Cache Poisoning Attack
https://www.cs.ucr.edu/~nael/pubs/infocom19.pdf
Tomi Engdahl says:
Client-Side DNS Attack Emerges From Academic Research
A new DNS cache poisoning attack is developed as part of the research toward a dissertation.
https://www.darkreading.com/attacks-breaches/client-side-dns-attack-emerges-from-academic-research/d/d-id/1333848
Tomi Engdahl says:
Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/
On November 30, 2018, we disclosed CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870. These were from vulnerabilities found back in August 2018 in several TLS libraries.
Tomi Engdahl says:
How Hackers and Scammers Break into iCloud-Locked iPhones
https://motherboard.vice.com/en_us/article/8xyq8v/how-to-unlock-icloud-stolen-iphone
In a novel melding of physical and cybercrime, hackers, thieves, and even independent repair companies are finding ways to “unlock iCloud” from iPhones.
Tomi Engdahl says:
The perils of using Internet Explorer as your default browser
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/The-perils-of-using-Internet-Explorer-as-your-default-browser/ba-p/331732
From time to time, I am asked by customers, “How do I ensure that all web traffic goes to Internet Explorer?” In fact, I was recently asked this question by someone trying to help a hospital. Now, I understand the scenario. In healthcare (as in many other industries), it’s often the case that you’re running with an extremely thin team. As a result, it can seem that using Internet Explorer by default for all situations is the “easy button” because, well, most of your sites were designed for Internet Explorer, so…just…always use it, ok?
In short, this seems like a deliberate decision to take on some technical debt. It’s true that most organizations have some technical debt lying around. (For example, if you’ve disabled User Account Control, require a 32-bit OS or 32-bit Office suite, or are paying for extended support for a legacy version of Java, you have some technical debt.) But this technical debt? Well, it’s different.
Tomi Engdahl says:
Cybersecurity Workers Scramble to Fix a Post-Shutdown Mess
https://www.wired.com/story/government-shutdown-cybersecurity-recovery/
http://www.govtech.com/security/Federal-Government-Shutdown-Threatens-Cybersecurity-Strength.html
Tomi Engdahl says:
Germany just deleted Facebook
https://boingboing.net/2019/02/07/zuckerbackpfeifengesicht.html
Germany’s Federal Cartel Office (Bundeskartellamt, the country’s antitrust regulator) has ruled that Facebook can’t combine user data aggregated from different sources (Facebook usage data, data from pages with Facebook Like buttons, data purchased from third parties, etc), because users can’t reasonably anticipate the way these different datastreams might be combined, nor the kinds of inferences that could be gleaned thereby.
Tomi Engdahl says:
Opening this image file grants hackers access to your Android phone
Be careful if you are sent an image from a suspicious source.
https://www.zdnet.com/article/opening-this-image-file-grants-hackers-access-to-your-android-phone/
Tomi Engdahl says:
Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners
https://blog.trendmicro.com/trendlabs-security-intelligence/linux-coin-miner-copied-scripts-from-korkerds-removes-all-other-malware-and-miners/
Tomi Engdahl says:
Apple Update: Drop Everything and Patch iOS
Zero Days Being Exploited; Apple Contributes to ‘FacePalm’ Bug Finder’s Tuition
https://www.bankinfosecurity.com/apple-update-drop-everything-patch-ios-a-12013
Patch now. That’s the message security experts have for all iOS users following Apple’s release of a security update on Thursday.
Tomi Engdahl says:
Federal MPs’ computer network hacked in possible foreign government attack
https://www.smh.com.au/politics/federal/federal-mps-computer-network-hacked-forcing-passwords-to-be-changed-20190208-p50wgm.html
National security agencies are continuing to scour the Parliament’s computer network for threats to MPs’ data after what is being described as a “sophisticated” hack attack that could be the work of a foreign government.
Alastair MacGibbon, head of the Australian Cyber Security Centre, said the government’s cyber experts would work over coming days and weeks to make sure all the breaches had been detected and the hackers’ presence removed.
Tomi Engdahl says:
Google warns about two iOS zero-days ‘exploited in the wild’
https://www.zdnet.com/article/google-warns-about-two-ios-zero-days-exploited-in-the-wild/
iOS users are advised to update to iOS 12.1.4; release which also fixes infamous FaceTime bug.
A Google top security engineer has revealed today that hackers have been launching attacks against iPhone users using two iOS vulnerabilities. The attacks have happened before Apple had a chance to release iOS 12.1.4 today, meaning the two vulnerabilities are what security experts call “zero-days.”
Apple Fixes Pesky FaceTime Bug in iOS 12.1.4 Update
https://threatpost.com/apple-fixes-pesky-facetime-bug-in-ios-12-1-4-update/141621/
Tomi Engdahl says:
First clipper malware discovered on Google Play
https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/
Cryptocurrency stealers that replace a wallet address in the clipboard are no longer limited to Windows or shady Android app stores
Tomi Engdahl says:
Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions
https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/
Tomi Engdahl says:
Container Escape Flaw Hits AWS, Google Cloud, Linux Distros
https://www.securityweek.com/container-escape-flaw-hits-aws-google-cloud-linux-distros
A vulnerability recently addressed in runc could allow malicious containers to gain root-level code execution on the host.
Introduced in 2015, runc is a lightweight, portable container runtime that includes all of the code used by Docker to interact with system features related to containers. The runtime is used in most containers out there, including cri-o, containerd, Kubernetes, Podman, and others.
Tracked as CVE-2019-5736 and featuring a CVSSv3 score of 7.2, the vulnerability can be exploited with minimal user interaction, senior software engineer at SUSE Linux and runc maintainer Aleksa Sarai says.
The use of SELinux in targeted enforcing mode prevents this vulnerability from being exploited. However, the default AppArmor policy and the default SELinux policy on Fedora (only the moby-engine package) fail to prevent the bug, Sarai says.
Tomi Engdahl says:
It starts with Linux: How Red Hat is helping to counter Linux container security flaws
https://www.redhat.com/en/blog/it-starts-linux-how-red-hat-helping-counter-linux-container-security-flaws
The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies…and that’s exactly what this vulnerability represents.
Tomi Engdahl says:
Microsoft Patches Internet Explorer Zero-Day Reported by Google
https://www.securityweek.com/microsoft-patches-internet-explorer-zero-day-reported-google
Microsoft’s Patch Tuesday updates for February 2019 address more than 70 vulnerabilities, including an Internet Explorer flaw that Google researchers have spotted being exploited in attacks.
This zero-day vulnerability is tracked as CVE-2019-0676 and it has been described by Microsoft as an information disclosure issue that exists due to the way Internet Explorer handles objects in memory.
Tomi Engdahl says:
Hacker Erases Email Provider’s Servers, Backups
https://www.securityweek.com/hacker-erases-email-providers-servers-backups
Email provider VFEmail was hit by a destructive attack, where a hacker who accessed its network was able to erase its servers in the United States, including the backup systems.
“We have suffered catastrophic destruction at the hands of a hacker. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,” the company writes on its website.
Established in 2001, the company provides email services and claims to provide increased email security through scanning all incoming messages and attachments for viruses and blocking malicious content via a gateway, before reaching its servers.
However, this incident shows that user data was not protected with appropriate measures.
Tomi Engdahl says:
Adobe Patches Disclosed Data Leakage Flaw in Reader
https://www.securityweek.com/adobe-patches-disclosed-data-leakage-flaw-reader
Tomi Engdahl says:
Windows App Runs on Mac, Downloads Info Stealer and Adware
https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/
EXE is the official executable file format used for Windows to signify that they only run on Windows platforms, and to serve as a security feature. By default, attempting to run an EXE file on a Mac or Linux OS will only show an error notification.
However, we found EXE files in the wild delivering a malicious payload that overrides Mac’s built-in protection mechanisms such as Gatekeeper. This routine evades Gatekeeper because EXE is not checked by this software, bypassing the code signature check and verification since the technology only checks native Mac files. While no specific attack pattern is seen, our telemetry showed the highest numbers for infections to be in the United Kingdom, Australia, Armenia, Luxembourg, South Africa and the United States.
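Since the point of the Trend Micro finding is that a signature check keyed on "native Mac files" lets a PE executable through unexamined, a useful defensive check is to classify files by their content rather than their name or the platform they are nominally for. The added Python example below (mine, not Trend Micro's tooling) identifies PE, ELF and Mach-O files by magic bytes and walks a constructed fake .app bundle to report executables of a foreign format. The bundle layout and file names are constructed sample data; the files contain header bytes only.

```python
import os
import struct
import tempfile

PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"
# Mach-O 32/64-bit, both byte orders.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # Mach-O universal binary, also Java class files


def identify_executable(data: bytes) -> str:
    """Classify a file by its first bytes, ignoring extension and name."""
    head = data[:8]
    if head[:2] == PE_MAGIC:
        return "pe"
    if head[:4] == ELF_MAGIC:
        return "elf"
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head[:4] == FAT_MAGIC and len(head) >= 8:
        # Heuristic: a fat header follows the magic with a small big-endian
        # architecture count; a Java class file has its version there (>= 45).
        if struct.unpack("!I", head[4:8])[0] < 16:
            return "macho-fat"
        return "java-class"
    return "unknown"


def find_foreign_executables(root: str):
    """Walk a directory (an unpacked bundle or disk image) and list files whose
    content is an executable format other than Mach-O, as relative POSIX paths."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                kind = identify_executable(f.read(8))
            if kind in ("pe", "elf"):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, kind))
    return sorted(findings)


def build_sample_bundle() -> str:
    """Constructed sample: a fake .app with a Mach-O main binary, a text
    plist, and a PE file hidden under Resources (header bytes only)."""
    root = tempfile.mkdtemp()
    layout = {
        "Contents/Info.plist": b"<?xml version=\"1.0\"?>\n<plist/>\n",
        "Contents/MacOS/SampleApp": b"\xcf\xfa\xed\xfe" + b"\x00" * 12,
        "Contents/Resources/installer.exe": b"MZ\x90\x00" + b"\x00" * 12,
        "Contents/Resources/readme.txt": b"nothing to see here\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, kind in find_foreign_executables(build_sample_bundle()):
        print(f"{kind}: {rel}")
```

Run against a real unpacked download, a non-empty result is a reason to look closer: a Windows executable has no business inside a macOS bundle, and a signature check that skips it is not a reason to trust it.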