This posting is here to collect cyber security news in February 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
373 Comments
Tomi Engdahl says:
Research
ATM robber WinPot: a slot machine instead of cutlets
https://securelist.com/atm-robber-winpot/89611/
Tomi Engdahl says:
LPG Gas Company Leaked Details, Aadhaar Numbers of 6.7 Million Indian Customers
https://thehackernews.com/2019/02/indane-aadhaar-leak.html
Tomi Engdahl says:
Global Cyber Alliance and Mastercard Launch Cybersecurity Toolkit to Enable Small Businesses to Stay Protected
https://www.finanzen.ch/nachrichten/aktien/global-cyber-alliance-and-mastercard-launch-cybersecurity-toolkit-to-enable-small-businesses-to-stay-protected-1027962450
Tomi Engdahl says:
Security
Password managers may leave your online crown jewels ‘exposed in RAM’ to malware – but hey, they’re still better than the alternative
The alternative being memorizing a load of really long unique passphrases
https://www.theregister.co.uk/2019/02/20/password_managers_security_bugs/
A bunch of infosec bods are taking some of the most popular password managers to task after an audit revealed some mildly annoying, non-world-ending security shortcomings.
Researchers at ISE declared on Tuesday that the likes of 1Password, KeePass, LastPass, and Dashline all have vulnerabilities that would potentially allow malicious software on a Windows machine to steal either the master password or individual passwords stored by the applications.
The problem here is mainly secure memory management. To some degree, every one of the four password managers left passwords – either the master password or individual credentials – accessible in memory.
Password Managers: Under the Hood of Secrets Management
https://www.securityevaluators.com/casestudies/password-manager-hacking/
Tomi Engdahl says:
Why hackers love mainframe passwords – and what to do about it
https://www.itproportal.com/features/why-hackers-love-mainframe-passwords-and-what-to-do-about-it/
Why are IBM’s mainframe customers seemingly reluctant to upgrade their security by incorporating multi-factor authentication?
Tomi Engdahl says:
Monero Miner-Malware Uses RADMIN, MIMIKATZ to Infect, Propagate via Vulnerability
https://blog.trendmicro.com/trendlabs-security-intelligence/monero-miner-malware-uses-radmin-mimikatz-to-infect-propagate-via-vulnerability/
Tomi Engdahl says:
A malicious USB cable with its own wifi rig
https://boingboing.net/2019/02/19/o-mg.html
MG has built a proof-of-concept malicious USB cable with a tiny wifi radio hidden inside of it, able to wirelessly exfilatrate stolen data; he calls it the O. MG, and while the prototype cost him $4k and took 300 hours, he’s working with a team on a small production run for other security researchers to play with.
Tomi Engdahl says:
Private Mossad for Hire
Inside an effort to influence American elections, starting with one small-town race.
https://www.newyorker.com/magazine/2019/02/18/private-mossad-for-hire
Tomi Engdahl says:
Black-hat sextortionists required: Competitive salary and dental plan
Cybercrims aren’t just raking it in – they’re dishing it out too
https://www.theregister.co.uk/2019/02/21/black_hats_sextortion_275k_salaries_helpers/
Extortionists are promising salaries of more than a quarter of a million pounds to skilled infosec folk willing to put on a black hat, according to research outfit Digital Shadows.
Tomi Engdahl says:
China Uses DNA to Track Its People, With the Help of American Expertise
https://www.nytimes.com/2019/02/21/business/china-xinjiang-uighur-dna-thermo-fisher.html
The Chinese authorities turned to a Massachusetts company and a prominent Yale researcher as they built an enormous system of surveillance and control.
Tomi Engdahl says:
Fool ML once, shame on you. Fool ML twice, shame on… the AI dev? If you can hoodwink one model, you may be able to trick many more
Some tips on how to avoid miscreants deceiving your code
https://www.theregister.co.uk/2019/02/21/ai_attack_transfer/
Adversarial attacks that trick one machine-learning model can potentially be used to fool other so-called artificially intelligent systems, according to a new study.
It’s hoped the research will inform and persuade AI developers to make their smart software more robust against these transferable attacks, preventing malicious images, text, or audio that hoodwinks one trained model from tricking another similar model.
Tomi Engdahl says:
Russia bans smartphones for soldiers over social media fears
https://www.bbc.com/news/world-europe-47302938
Russia’s parliament has voted to ban soldiers from using smartphones while on duty, after their social media use raised issues of national security.
The bill forbids military personnel from using a phone with the ability to take pictures, record videos and access the internet.
Soldiers also cannot write about the military or talk to journalists.
Tomi Engdahl says:
Researcher: Not Hard for a Hacker to Capsize a Ship at Sea
https://threatpost.com/hacker-capsize-ship-sea/142077/
Capsizing a ship with a cyberattack is a relatively low-skill enterprise, according to an analysis from Pen Test Partners.
With so many previously outlined ways to infiltrate networks on-board shipping vessels (think satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, etc.), the question becomes, what could an adversary do with that access?
“If one was suitably motivated, perhaps by a nation-state or a crime syndicate, one could bring about the sinking of a ship,” said Pen Test Partners researcher Ken Munro, in a stark assessment of maritime cyber-danger this week.
Tomi Engdahl says:
Bored bloke takes control of British Army ‘psyops’ unit’s Twitter
Great recruiting tool there, folks
https://www.theregister.co.uk/2019/02/21/77_brigade_twitter_account_hacked/
Tomi Engdahl says:
Drupal RCE Flaw Exploited in Attacks Days After Patch
https://www.securityweek.com/drupal-rce-flaw-exploited-attacks-days-after-patch
The flaw, tracked as CVE-2019-6340, is caused by the lack of proper data sanitization in some field types and it can allow an attacker to execute arbitrary PHP code. Exploitation is possible if the core RESTful Web Services module is enabled and it allows PATCH or POST requests. Attacks are also possible if another web services module is enabled, such as JSON:API in Drupal 8 or RESTful Web Services or Services in Drupal 7.
Tomi Engdahl says:
China’s Telecom Dominance a Security Challenge: UK’s GCHQ
https://www.securityweek.com/chinas-telecom-dominance-security-challenge-uks-gchq
China’s global dominance in telecommunications networks could pose security threats for decades, Britain’s cybersecurity chief warned in a speech in Singapore on Monday.
As countries move to roll out ultra-fast fifth-generation — 5G — mobile networks, concerns are mounting that Beijing could use hardware provided by Chinese firms to spy on Western governments.
“The strategic challenge of China’s place in the era of globalised technology is much bigger than just one telecommunications equipment company… it’s a first order strategic challenge for us all,” the head of Britain’s GCHQ cybersecurity agency Jeremy Fleming said.
“It’s a hugely complex strategic challenge which will span the next few decades… How we deal with it will be crucial for prosperity and security way beyond 5G contracts.”
In the last year, the United States has stepped up pressure on its allies to block Chinese telecoms giant Huawei from building their 5G networks, citing security concerns.
https://www.securityweek.com/us-urging-allies-shun-huawei-wsj
Tomi Engdahl says:
Mozilla May Reject UAE Firm’s Root Inclusion Request
https://www.securityweek.com/mozilla-may-reject-uae-firms-root-inclusion-request
Mozilla is considering rejecting a request by United Arab Emirates-based DarkMatter to be accepted as a top-level certificate authority in Mozilla’s root certificate program.
In December 2017, the UAE organization asked Mozilla to add its root to Mozilla products, and the request entered the review process soon after. DarkMatter is a subordinate certificate authority (CA) under QuoVadis, now part of DigiCert (which also acquired Symantec’s CA business).
Tomi Engdahl says:
Consumer Groups Protest Being Left Out of Senate Privacy Hearing
https://www.securityweek.com/consumer-groups-protest-being-left-out-senate-privacy-hearing
Tomi Engdahl says:
Prosecutors Seek 3-Year Sentence in ‘Celebgate’ Hacking Case
https://www.securityweek.com/prosecutors-seek-3-year-sentence-celebgate-hacking-case
Tomi Engdahl says:
Support for FIDO2 Passwordless Authentication Added to Android
https://www.securityweek.com/support-fido2-passwordless-authentication-added-android
Google and FIDO Alliance on Monday announced that it is now easier for developers to provide passwordless authentication features for their Android websites and apps as a result of Android becoming FIDO2 Certified.
The FIDO2 Project comprises the W3C’s Web Authentication (WebAuthn) specification, which provides a standard web API that enables online services to use FIDO authentication, and the Client-to-Authenticator Protocol (CTAP), which enables devices such as FIDO security keys and smartphones to serve as authenticators via WebAuthn.
Now that Android has become FIDO2 Certified, it will be easier for developer to enable users to log into apps and websites using their Android device’s built-in fingerprint sensor and/or FIDO security keys.
The FIDO2 certification has been granted to devices running Android 7 and later. New devices will be certified out of the box, while existing devices will include FIDO2 support after an automated Google Play Services update. Since a Google Play Services update is used to roll out FIDO2 support, users will not have to wait on their device’s manufacturer to benefit from passwordless authentication capabilities.
The use of FIDO authentication, which can be implemented by developers via a simple API call, increases protection against phishing, man-in-the-middle (MitM) and other types of attacks.
Tomi Engdahl says:
Hacker puts up for sale third round of hacked databases on the Dark Web
https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/
Hacker is selling 93 million user records from eight companies, including GfyCat.
Tomi Engdahl says:
Fake Jobs: Campaigns Delivering More_eggs Backdoor via Fake Job Offers
https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers
Tomi Engdahl says:
CyberSecurity Firm Darkmatter Request to be Trusted Root CA Raises Concerns
https://www.bleepingcomputer.com/news/security/cybersecurity-firm-darkmatter-request-to-be-trusted-root-ca-raises-concerns/
Tomi Engdahl says:
Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan
https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
Tomi Engdahl says:
ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet
https://www.icann.org/news/announcement-2019-02-22-en
The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure.
In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.
Tomi Engdahl says:
B0r0nt0K Ransomware Wants $75,000 Ransom, Infects Linux Servers
https://www.bleepingcomputer.com/news/security/b0r0nt0k-ransomware-wants-75-000-ransom-infects-linux-servers/
A new ransomware called B0r0nt0K is encrypting victim’s web sites and demanding a 20 bitcoin, or approximately $75,000, ransom. This ransomware is known to infect Linux servers, but may also be able to encrypt users running Windows.
When examining the source code for the payment site, BleepingComputer noticed the “Vietnamese Hacker” embedded comment. While this could indicate that the developer is Vietnamese, this is by no means proof.
Tomi Engdahl says:
U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms
https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Cloudflare expands its government warrant canaries, claiming it’s never handed over its SSL keys or customers’ SSL keys, as many firms abandon their canaries — When the government comes for your data, tech companies can’t always tell you. But thanks to a legal loophole, companies can say if they haven’t had a visit yet
Cloudflare expands its government warrant canaries
https://techcrunch.com/2019/02/26/cloudflare-warrant-canary/
Tomi Engdahl says:
Four Unusual Hacking Strategies I’ve Seen As A Cyber-Security CEO
https://www.forbes.com/sites/quora/2019/02/26/four-unusual-hacking-strategies-ive-seen-as-a-cyber-security-ceo/#59dbbb456564
Tomi Engdahl says:
Hackers can hijack bare-metal cloud servers by corrupting their BMC firmware
https://www.zdnet.com/article/hackers-can-hijack-bare-metal-cloud-servers-by-corrupting-their-bmc-firmware/
Cloud providers are failing to wipe bare-metal servers clean when re-assigning them to new clients.
Tomi Engdahl says:
We Need More Phishing Sites on HTTPS!
https://www.venafi.com/blog/we-need-more-phishing-sites-https?utm_source=socialmedia&utm_medium=Bora&utm_campaign=Helme-phishing-HTTPS-blog
There, I said it! It might sound like a weird thing to stay but stick with me on this one. We really do need more phishing sites on HTTPS, all of them, encrypt all the things, and not for the reason you might think.
The web is going HTTPS
If we want the whole web to be on HTTPS, which we do, then we need to remove the barriers to going HTTPS, mainly financial and technical barriers. Let’s Encrypt managed to do both of those things
The HTTPS phishing thing
There’s been a lot of noise in the industry recently about Let’s Encrypt issuing certs to domains being used for phishing.
The CA needs to prove you own a domain and they issue a cert.
Up until last year COMODO were issuing a lot more phishing certs than Let’s Encrypt
Let’s Encrypt log all of their certs, where, right now, COMODO don’t. When we get to April and CT logging becomes mandatory and not optional as it is now
If we want a 100% encrypted web then we need to encrypt all sites, despite whether or not you agree with what they do/say/sell/etc… 100% is 100% and it includes the ‘bad guys’ too.
there is another reason we want phishing sites on HTTPS and it’s actually so we can find them and shut them down faster.
Certificate Transparency
any certificate that a CA issue has to be placed into a public log for the whole world to see. Just think about that for a second. Right now when someone registers a domain, we don’t know. When they setup a domain in DNS, we don’t know. When they go phishing on HTTP, we don’t know. But now, when they get a certificate, we’ve got them! The CT logs are an awesome way to monitor for new phishing sites coming into existence by watching for them issuing new certificates!
Once it comes online, you can see it’s obviously a phishing site and you head over and submit it to SafeBrowsing. You can have it reported and blocked before the phishers have even had chance to send out their first round of emails.
SafeBrowsing is already a proven and reliable method to neutralise phishing sites when they pop up. Finding phishing certs and then asking the CA to revoke them is also a fairly pointless exercise because revocation is broken and of course there’s the obvious possibility of abuse for such a system too.
people seem generally quite happy for the domain registrar to sell the domain and for the DNS providers to resolve the domain and for the browsers to then render the domain, but if a CA issues a certificate for it then there’s uproar. Personally I don’t quite understand the focus on cert issuance for phishing domains and think there are far better places to focus our efforts
Tomi Engdahl says:
DNC issues cybersecurity guidance for 2020 election
https://www.scmagazine.com/home/security-news/dnc-issues-cybersecurity-guidance-for-2020-election/
Tomi Engdahl says:
https://digioikeudet.info
Tomi Engdahl says:
Once hailed as unhackable, blockchains are now getting hacked
https://www.technologyreview.com/s/612974/once-hailed-as-unhackable-blockchains-are-now-getting-hacked/amp/?__twitter_impression=true
Tomi Engdahl says:
Russian Bears Need Less Than 20 Minutes To Hack Your Data
https://www.forbes.com/sites/daveywinder/2019/02/19/how-the-speed-of-russian-bears-can-help-your-business-understand-the-1-10-60-rule/#44815f9d7131
Russian bears lead the way when it comes to gaining enough of a foothold in your networks to perform a successful data breach according to the 2019 Global Threat Report from CrowdStrike. This matters, because having an understanding of how quickly the bad guys can move across your networks is vital in getting to grips with the 1-10-60 rule. And that determines how likely you are to stop them succeeding in breaching your data
Tomi Engdahl says:
Close Enough
https://slate.com/technology/2019/02/reverse-location-search-warrants-google-police.html
Police departments are using “reverse location search warrants” to force Google to hand over data on anyone near a crime scene.
Tomi Engdahl says:
Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints
https://www.theregister.co.uk/2019/02/26/malware_ibm_powershell/
Direct-to-memory attacks now account for 57 per cent of hacks, apparently
A company’s internal network, once compromised, is now more likely to be ransacked by automated scripts than a piece of malware.
Tomi Engdahl says:
The Feds’ Favorite iPhone Hacking Tool Is Selling On eBay For $100—And It’s Leaking Data
https://www.forbes.com/sites/thomasbrewster/2019/02/27/the-feds-favorite-iphone-hacking-tool-is-selling-on-ebay-for-100and-its-leaking-data/#745e64185dd4
When eBay merchant Mr. Balaj was looking through a pile of hi-fi junk at an auction in the U.K., he came across an odd-looking device. Easily mistaken for a child’s tablet, it had the word “Cellebrite” written on it. To Mr. Balaj, it appeared to be a worthless piece of electronic flotsam, so he left it in his garage to gather dust for eight months.
But recently he’s learned just what he had his hands on: a valuable, Israeli-made piece of technology called the Cellebrite UFED. It’s used by police around the world to break open iPhones, Androids and other modern mobiles to extract data.
Tomi Engdahl says:
Network Tallahassee Internet provider hacked, pays ransom to get back online
https://eu.tallahassee.com/story/news/money/2019/02/26/network-tallahassee-internet-provided-hacked-pays-ransom-get-back-online/2991190002/
Hackers attacked a Tallahassee-based broadband provider and demanded $6,000 ransom to get its operations back online.
Tomi Engdahl says:
Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked
https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/
A watchlist of risky individuals and corporate entities owned by Dow Jones has been exposed, after a company with access to the database left it on a server without a password.
Bob Diachenko, an independent security researcher, found the Amazon Web Services-hosted Elasticsearch database exposing more than 2.4 million records of individuals or business entities.
Tomi Engdahl says:
It seems that the watchlist of risky individuals and corporate entities owned by Dow Jones has been exposed, after a company with access to the database left it on a server without a password.
Dow Jones Risk Screening Watchlist Exposed Publicly
https://securitydiscovery.com/dow-jones-risk-screening-watchlist-exposed-publicly/
“copy of the Dow Jones Watchlist dataset, sitting on a public Elasticsearch cluster 4.4GB in size and available for public access to anyone who knew where to look (hint: any public IoT search engine, such as BinaryEdge).”
Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked
https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/
This unsecured databases made accudentally publicly accessile seems to become a business failure trend for 2019.
Tomi Engdahl says:
Operator of eight DDoS-for-hire services pleads guilty
https://www.zdnet.com/article/operator-of-eight-ddos-for-hire-services-pleads-guilty/
Investigators tracked him down after he logged into his rented servers using his home IP addresses.
Tomi Engdahl says:
Google Chrome zero-day used in the wild to collect user data via PDF files
https://www.zdnet.com/article/google-chrome-zero-day-used-in-the-wild-to-collect-user-data-via-pdf-files/
Updated: Google is preparing a patch for late April 2019. Some of the suspicious PDF files exploiting this bug don’t appear to be malicious in nature.
Tomi Engdahl says:
Intel SGX Card expands SGX security protections to cloud data centers
Intel announces new Intel SGX Card line.
https://www.zdnet.com/article/intel-sgx-card-expands-sgx-security-protections-to-cloud-data-centers/
ntel announced today Intel SGX Card, a new product to expand its SGX security feature to existing data center server infrastructure that wouldn’t have been able to benefit from it due to hardware architectural limitations.
Intel SGX stands for Software Guard eXtensions, a feature found in modern Intel CPUs that allows developers to isolate parts of applications inside secure “enclaves.”
Tomi Engdahl says:
Targeted malware attacks against Elasticsearch servers surge
Old vulnerabilities are proving to be successful.
https://www.zdnet.com/article/targeted-malware-attacks-against-elasticsearch-clusters-surge/
Unsecured Elasticsearch clusters are being targeted in a fresh wave of attacks designed to drop both malware and cryptocurrency mining software.
This week, cybersecurity researchers from Cisco Talos warned of a spike in recent strikes against these systems, with six separate cyberattack groups believed to be involved.
“The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file,” the researchers say. “Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs.”
Tomi Engdahl says:
New Attack Runs Code After Closing Browser Tab
https://www.securityweek.com/new-attack-runs-code-after-closing-browser-tab
A group of researchers has discovered that websites can abuse modern browser APIs to persistently abuse browser resources for nefarious operations even after their tabs or windows have been closed.
In a paper (PDF) detailing the attack, the researchers explain that MarioNet relies solely on already available HTML5 APIs and that it does not require the installation of additional software. This also means that it can be used on all major browsers.
The attack is both persistent and stealthy, as it continues in the background of the browser even after the user closes the window or tab of the malicious website. However, it cannot survive browser reboots.
https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_01B-2_Papadopoulos_paper.pdf
Tomi Engdahl says:
NVIDIA Patches High Risk Vulnerabilities in GPU Display Drivers
https://www.securityweek.com/nvidia-patches-high-risk-vulnerabilities-gpu-display-drivers
NVIDIA has released a security update for the NVIDIA GPU display driver, to address several High severity vulnerabilities impacting GeForce, Quadro, NVS, and Tesla products.
Tomi Engdahl says:
Elasticsearch Clusters Under Attack From Multiple Hacking Groups
https://www.securityweek.com/elasticsearch-clusters-under-attack-multiple-hacking-groups
Tomi Engdahl says:
New Attacks Show Signed PDF Documents Cannot Be Trusted
https://www.securityweek.com/new-attacks-show-signed-pdf-documents-cannot-be-trusted
Many popular PDF viewers and online validation services contain vulnerabilities that can be exploited to make unauthorized changes to signed PDF documents without invalidating their signature, researchers have warned.
Tomi Engdahl says:
Russia’s Ex-Cybersecurity Chief Gets 22-Year Sentence in Jail
https://www.securityweek.com/russias-ex-cybersecurity-chief-gets-22-year-sentence-jail
A Russian military court convicted a former senior counterintelligence officer and a cybersecurity firm executive of treason Tuesday, concluding a case that initially aroused speculation of a manufactured effort to punish the source of leaks about Russian campaign hacking.
Moscow’s District Military Court heard several months of evidence and arguments behind closed doors before it found Col. Sergei Mikhailov, an ex-officer at Russia’s Federal Security Service (FSB), and Kaspersky Lab executive Ruslan Stoyanov guilty.
The basis for the charges remains murky given the top-secret nature of the criminal proceedings.