Cyber Security March 2019

This posting is here to collect cyber security news in March 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

490 Comments

  1. Tomi Engdahl says:

    New Mirai Variant Comes with 27 Exploits, Targets Enterprise Devices
    https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

    A new Mirai variant comes with eleven new exploits, the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices being targeted.

    Reply
  2. Tomi Engdahl says:

    How hackers pulled off a $20 million bank heist
    Efforts were enabled by sloppy and insecure network architecture in Mexico.
    https://arstechnica.com/information-technology/2019/03/how-hackers-pulled-of-a-20-million-bank-heist/

    In January 2018 a group of hackers, now thought to be working for the North Korean state-sponsored group Lazarus, attempted to steal $110 million from the Mexican commercial bank Bancomext. That effort failed. But just a few months later, a smaller yet still elaborate series of attacks allowed hackers to siphon off 300 to 400 million pesos, or roughly $15 to $20 million from Mexican banks. Here’s how they did it.

    Easy pickings

    Thanks to security holes in the targeted bank systems, attackers could have accessed internal servers from the public Internet, or launched phishing attacks to compromise executives—or even regular employees—to gain a foothold. Many networks didn’t have strong access controls, so hackers could get a lot of mileage out of compromised employee credentials. The networks also weren’t well segmented, meaning intruders could use that initial access to penetrate deep into banks’ connections to SPEI, and eventually SPEI’s transaction servers, or even its underlying code base.

    To make matters worse, transaction data within internal bank networks wasn’t always adequately protected, meaning attackers who had burrowed in could potentially track and manipulate data. And while communication channels between individual users and their banks were encrypted, Loza also suggests that the SPEI app itself had bugs and lacked adequate validation checks, making it possible to slip bogus transactions through. The app may have even been directly compromised in a supply chain attack, to facilitate successful malicious transactions as they moved through the system.

    All of these vulnerabilities collectively made it possible for hackers to lay extensive groundwork, eventually establishing the infrastructure they needed to begin carrying out actual cash grabs. Once that was in place, the attacks moved quickly.

    The hackers would exploit flaws in how SPEI validated sender accounts to initiate a money transfer from a nonexistent source like “Joe Smith, Account Number: 12345678.”

    Wake-up call

    SPEI itself and the infrastructure surrounding the app were apparently ripe for attack. Banxico, which could not be reached by WIRED for comment, said in a forensic analysis report released at the end of August that the attacks weren’t a direct assault on Banxico’s central systems, but were instead targeted at overlooked or weak interconnections in the larger Mexican financial system.

    Reply
  3. Tomi Engdahl says:

    IPv6 unmasking via UPnP
    https://blog.talosintelligence.com/2019/03/ipv6-unmasking-via-upnp.html

    With tools such as ZMap and Masscan and general higher bandwidth availability, exhaustive internet-wide scans of full IPv4 address space have become the norm after it was once impractical. Projects like Shodan and Scans.io aggregate and publish frequently updated datasets of scan results for public analysis, giving researchers greater insight into the current state of the internet.

    While IPv4 is the norm, the use of IPv6 is on the rise. However, there’s been very little analysis on the most recent version of the internet protocol because it’s impossible to run exhaustive scans given the size of the address space. We need to deploy novel techniques to enumerate active IPv6 hosts.

    In the following post, we’ll present a technique that uses the properties of the Universal Plug and Play (UPnP) protocol to get specific IPv4 hosts to divulge their IPv6 address.

    Reply
  4. Tomi Engdahl says:

    New Sextortion Email Uses CIA Investigation as Scare Tactic
    https://www.bleepingcomputer.com/news/security/new-sextortion-email-uses-cia-investigation-as-scare-tactic/

    A new sextortion email campaign has started over the weekend that pretends to be from the CIA and states that you are involved in an investigation into the distribution and storage or child pornography. The scammers then demand $10,000 in bitcoin or you will be arrested on April 8th, 2019 as part of an international law enforcement operation.

    Reply
  5. Tomi Engdahl says:

    China Does Not Ask Firms to Spy on Others: Premier
    https://www.securityweek.com/china-does-not-ask-firms-spy-others-premier

    China will “never” ask its firms to spy on other nations, Premier Li Keqiang said Friday, amid US warnings that Chinese telecommunications behemoth Huawei poses security risks.

    The United States has launched a global campaign to convince Western allies to shut Huawei out of next-generation 5G technology over fears the company could be used by Beijing for espionage.

    Reply
  6. Tomi Engdahl says:

    Hackers Bypass MFA on Cloud Accounts via IMAP Protocol
    https://www.securityweek.com/hackers-bypass-mfa-cloud-accounts-imap-protocol

    Over the past several months, threat actors have been increasingly targeting Office 365 and G Suite cloud accounts that are using the legacy IMAP protocol, in an attempt to bypass multi-factor authentication (MFA), Proofpoint reports.

    Targeted brute-force attacks have increased in sophistication over the past months, attempting to compromise accounts using variations of the usernames and passwords exposed in large credential dumps, and phishing campaigns continued to provide additional avenues into corporate accounts.

    An analysis of over one hundred thousand unauthorized logins across millions of monitored cloud accounts revealed that more than 2% of the user accounts were targeted, and that 15 in 10,000 were successfully breached.

    Reply
  7. Tomi Engdahl says:

    G Suite Admins Can Now Disable Phone 2-SV
    https://www.securityweek.com/g-suite-admins-can-now-disable-phone-2-sv

    Google is making G Suite accounts more secure by allowing administrators to remove phone-based 2-step verification (2-SV) from the available multi-factor verification options.

    With the new policy in place, admins enforcing a second factor at login to improve the security of an account can prevent users from selecting 2-SV methods such as SMS and voice codes, which have been already deemed insecure.

    Reply
  8. Tomi Engdahl says:

    Leading Israeli Candidate for PM Targeted by Iranian Hackers
    https://www.securityweek.com/leading-israeli-candidate-pm-targeted-iranian-hackers

    The campaign of a former Israeli military chief who is a leading challenger to Prime Minister Benjamin Netanyahu in his tight race for re-election says the candidate has been targeted by an Iranian hacking attack.

    Israeli media reported Thursday that the Shin Bet internal security service warned Benny Gantz that Iranian intelligence hacked his cellphone, putting “his personal details and addresses in hostile hands.”

    A statement from Gantz’s campaign insinuated his opponents leaked the news to damage his political bid, saying the timing of the report just weeks before Israel’s April 9 elections “raises important questions.”

    Reply
  9. Tomi Engdahl says:

    Spam Warns about Boeing 737 Max Crashes While Pushing Malware
    https://www.bleepingcomputer.com/news/security/spam-warns-about-boeing-737-max-crashes-while-pushing-malware/

    A new malspam campaign is underway that is trying to utilize the tragic Boeing 737 Max crashes as a way to spread malware on a recipient’s computer. These spam emails pretend to be leaked documents about imminent crashes that the sender states should be reviewed and shared with loved ones to warn them.

    Reply
  10. Tomi Engdahl says:

    New Zealand Mobile Carriers Block 8chan, 4chan, and LiveLeak
    https://www.bleepingcomputer.com/news/security/new-zealand-mobile-carriers-block-8chan-4chan-and-liveleak/

    Following the Friday mass shooting in Christchurch, New Zealand, multiple internet service providers (ISP) in the country have blocked access to websites that distribute gruesome content from the incident.

    The attacker live-streamed on his Facebook account his actions that got 49 people killed. A link to the video and a lengthy “manifesto” appeared on 8chan forum, allegedly shared by the shooter. Copies of the 17-minute footage spread to other websites, including YouTube, Instagram, Twitter, and Reddit.

    As mainstream platforms struggled to take down the video and segments of it, some websites continue to make the materials available.

    Spark NZ, Vodafone NZ, and Vocus NZ agreed to work together to identify and block access at DNS level to such online locations. 8chan and 4chan are currently unavailable to New Zealanders trying to load them through a connection from the three telcos.

    Reply
  11. Tomi Engdahl says:

    Dutch hacker who DDoSed the BBC and Yahoo News gets no jail time
    Hacker used a Mirai botnet to DDoS companies and ask for ransoms to stop attacks.
    https://www.zdnet.com/article/dutch-hacker-who-ddosed-the-bbc-and-yahoo-news-gets-no-jail-time/

    Reply
  12. Tomi Engdahl says:

    Instagram accounts hijacked with fake copyright infringement notifications
    https://www.kaspersky.com/blog/instagram-hijack-new-wave/25997/

    Have you reached a few thousand followers on Instagram? More? Congratulations, you are insta-famous. Among other things, though, being an Instagram influencer means that it’s quite possible that account thieves are after you. A new phishing scheme targeting popular accounts on Instagram is gaining momentum. Here is how it works.

    You’ve got copyright violation notification

    “Your account will be permanently deleted for copyright infringement,” claims an e-mail notification that looks very official. It has the usual Instagram header and logo, and the e-mail address in the From field is extremely close to a legitimate one: In most cases it’s either [email protected] or [email protected].

    The e-mail claims that you have just 24 hours (in some versions it’s 48 hours) to appeal and provides a “Review complaint” button. If you click it, you end up on a convincing phishing page.

    How to protect your Instagram account

    As soon as your data goes to the scammers, they can take over your Instagram profile and modify the information you need to recover it.

    Reply
  13. Tomi Engdahl says:

    DNS Tunneling: how DNS can be (ab)used by malicious actors
    https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

    Malicious actors have utilized Command & Control (C2) communication channels over the Domain Name Service (DNS) and, in some cases, have even used the protocol to exfiltrate data. This is beyond what a C2 “heartbeat” connection would communicate. Malicious actors have also infiltrated malicious data/payloads to the victim system over DNS and, for some years now, Unit 42 research has described different types of abuse discovered.

    Reply
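    The C2-over-DNS and exfiltration patterns described above leave a footprint in resolver logs: many unique, long, high-entropy labels under one base domain, often with TXT or NULL record types. The following detector is an added example (not code from the Unit 42 post); the log format "<ts> <client> <qtype> <qname>", the sample lines and the thresholds are all constructed for illustration.

```python
"""Heuristic DNS tunnelling detector run over constructed resolver log lines."""
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "<unix ts> <client ip> <qtype> <qname>".
# The .invalid names imitate a tunnel client sending encoded chunks as labels.
SAMPLE_LOG = """\
1552989001 10.0.0.5 A www.example.com
1552989002 10.0.0.5 A cdn.example.com
1552989003 10.0.0.7 TXT 3b7a9f0e2c4d6a8b1f3e5d7c9b0a2d4f.tunnel-test.invalid
1552989004 10.0.0.7 TXT 9e1d4c7b2a5f8e0d3c6b9a2f5e8d1c4b.tunnel-test.invalid
1552989005 10.0.0.7 TXT a4f7c1e9b3d5a7f2c8e0b4d6f1a3c5e7.tunnel-test.invalid
1552989006 10.0.0.7 TXT 5c2e8b1f4a7d0c3e6b9f2a5d8c1e4b7a.tunnel-test.invalid
1552989007 10.0.0.5 A mail.example.com
1552989008 10.0.0.9 AAAA login.example.com
"""

# Record types that carry more payload than A/AAAA and are common in tunnels.
RARE_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


@dataclass
class DomainStats:
    domain: str
    queries: int
    unique_ratio: float      # unique subdomains / queries
    avg_sub_len: float       # mean length of the part below the base domain
    avg_entropy: float       # mean Shannon entropy (bits/char) of that part
    rare_type_ratio: float   # share of queries with a RARE_QTYPES record type


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (base_domain, subdomain) using a naive 'last two labels' rule.
    A production detector should use the Public Suffix List instead (assumption:
    the simple rule is enough for the constructed sample)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line: str):
    """Parse one constructed log line into (client, qtype, qname) or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname


def collect_stats(log_text: str) -> dict:
    """Aggregate per-base-domain statistics over all parsable log lines."""
    per_domain = defaultdict(lambda: {"subs": [], "rare": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _client, qtype, qname = rec
        base, sub = split_name(qname)
        per_domain[base]["subs"].append(sub)
        if qtype in RARE_QTYPES:
            per_domain[base]["rare"] += 1
    stats = {}
    for base, d in per_domain.items():
        subs = d["subs"]
        n = len(subs)
        stats[base] = DomainStats(
            domain=base,
            queries=n,
            unique_ratio=len(set(subs)) / n,
            avg_sub_len=sum(len(s) for s in subs) / n,
            avg_entropy=sum(shannon_entropy(s) for s in subs) / n,
            rare_type_ratio=d["rare"] / n,
        )
    return stats


def is_suspicious(st: DomainStats, min_queries: int = 3,
                  min_len: float = 20.0, min_entropy: float = 3.0) -> bool:
    """A tunnel needs many distinct, long, high-entropy labels under one base
    domain. The thresholds are constructed starting points, not tuned values."""
    return (st.queries >= min_queries
            and st.unique_ratio >= 0.8
            and st.avg_sub_len >= min_len
            and st.avg_entropy >= min_entropy)


def detect(log_text: str) -> list:
    """Return the DomainStats of every base domain that trips the heuristic."""
    return sorted((s for s in collect_stats(log_text).values() if is_suspicious(s)),
                  key=lambda s: s.domain)


if __name__ == "__main__":
    for st in detect(SAMPLE_LOG):
        print(f"suspicious: {st.domain} queries={st.queries} "
              f"avg_len={st.avg_sub_len:.1f} entropy={st.avg_entropy:.2f} "
              f"rare_types={st.rare_type_ratio:.2f}")
```

    The rare-type ratio is reported but not used in the verdict, since legitimate mail and anti-spam lookups also generate TXT queries; it is more useful as a secondary signal than as a hard threshold.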
  14. Tomi Engdahl says:

    Critical Flaw in Swiss Internet Voting System
    https://www.schneier.com/blog/archives/2019/03/critical_flaw_i.html

    Researchers have found a critical flaw in the Swiss Internet voting system. I was going to write an essay about how this demonstrates that Internet voting is a stupid idea and should never be attempted — and that this system in particular should never be deployed, even if the found flaw is fixed

    A critical flaw in Switzerland’s e-voting system is a microcosm of everything wrong with e-voting, security practice, and auditing firms
    https://boingboing.net/2019/03/13/principal-agent-problems.html

    Switzerland is about to have a national election with electronic voting, overseen by Swiss Post; e-voting is a terrible idea and the general consensus among security experts who don’t work for e-voting vendors is that it shouldn’t be attempted, but if you put out an RFP for magic beans, someone will always show up to sell you magic beans, whether or not magic beans exist.

    Swiss Post contracted with Barcelona firm Scytl to build the system, then consulted with outside security experts and KPMG to audit the system, and then announced a bug-bounty program that would allow people who promised to only disclose defects on Swiss Post’s terms to look at some of the source code.

    This kind of bug bounty is pretty common, and firms like to assert that they can be trusted to be responsible stewards of bad news about their own products and should have the right to decide who can make truthful disclosures about their mistakes and the defects in their offerings. During the fight over DRM standardization for browsers at the W3C, we pointed out that one side-effect of adding DRM to browsers would be that browser vendors and media companies would acquire a new right to silence security researchers who wanted to make factual statements about security defects in their products.

    trying to craft rules for when it would be OK for companies to decide that users couldn’t know about defects in their products.

    The belief that companies can be trusted with this power defies all logic, but it persists. Someone found Swiss Post’s embrace of the idea too odious to bear, and they leaked the source code that Swiss Post had shared under its nondisclosure terms, and then an international team of some of the world’s top security experts (including some of our favorites, like Matthew Green) set about analyzing that code, and (as every security expert who doesn’t work for an e-voting company has predicted since the beginning of time), they found an incredibly powerful bug that would allow a single untrusted party at Swiss Post to undetectably alter the election results.

    Reply
  15. Tomi Engdahl says:

    Patched WinRAR Bug Still Under Active Attack—Thanks to No Auto-Updates
    https://thehackernews.com/2019/03/winrar-hacking-malware.html

    Reply
  16. Tomi Engdahl says:

    Lenovo Patches Intel Firmware Flaws in Multiple Product Lines
    https://threatpost.com/lenovo-patches-high-severity-arbitrary-code-execution-flaws/142860/

    Lenovo has issued patches for several serious vulnerabilities in its products stemming from Intel technology fixes.

    Reply
  17. Tomi Engdahl says:

    MS-ISAC Releases Security Primer on TrickBot Malware
    https://www.us-cert.gov/ncas/current-activity/2019/03/14/MS-ISAC-Releases-Security-Primer-TrickBot-Malware

    The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released a security primer on TrickBot malware. TrickBot is a modular banking Trojan that targets users’ financial information and acts as a dropper for other malware. An attacker can leverage TrickBot’s modules to steal banking information, conduct system and network reconnaissance, harvest credentials, and achieve network propagation.

    Reply
  18. Tomi Engdahl says:

    Local privilege escalation via the Windows I/O Manager: a variant finding collaboration
    https://blogs.technet.microsoft.com/srd/2019/03/14/local-privilege-escalation-via-the-windows-i-o-manager-a-variant-finding-collaboration/

    The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services to help make our customers and the global online community more secure. We appreciate the excellent vulnerability research reported to us regularly from the security community, and we consider it a privilege to work with these researchers.

    Reply
  19. Tomi Engdahl says:

    Proof-of-Concept Tracking System Finds RATs Worldwide
    https://www.darkreading.com/proof-of-concept-tracking-system-finds-rats-worldwide/d/d-id/1334175

    Using a combination of Shodan scans and data from partners, Recorded Future finds nearly 500 malware controllers for 14 different families of remote-access Trojans, as well as the corporate networks they have infected.

    Reply
  20. Tomi Engdahl says:

    Threat actors leverage credential dumps, phishing, and legacy email protocols to bypass MFA and breach cloud accounts worldwide
    https://www.proofpoint.com/us/threat-insight/post/threat-actors-leverage-credential-dumps-phishing-and-legacy-email-protocols

    Reply
  21. Tomi Engdahl says:

    Large network attack carried out against a major Norwegian aluminium company; the company is being extorted for money
    According to Norwegian media, the company confirms that money is being extorted from it to stop the attack.
    https://www.hs.fi/talous/art-2000006040924.html

    Tailor-made double attack against Hydro
    https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202

    Reply
  22. Tomi Engdahl says:

    Law enforcement agencies across the EU prepare for major cross-border cyber-attacks
    https://www.europol.europa.eu/newsroom/news/law-enforcement-agencies-across-eu-prepare-for-major-cross-border-cyber-attacks

    The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable. To prepare for major cross-border cyber-attacks, an EU Law Enforcement Emergency Response Protocol has been adopted by the Council of the European Union. The Protocol gives a central role to Europol’s European Cybercrime Centre (EC3) and is part of the EU Blueprint for Coordinated Response to Large-Scale Cross-Border Cybersecurity Incidents and Crises. It serves as a tool to support the EU law enforcement authorities in providing immediate response to major cross-border cyber-attacks through rapid assessment, the secure and timely sharing of critical information and effective coordination of the international aspects of their investigations.

    Reply
  23. Tomi Engdahl says:

    Kyt Dotson / SiliconANGLE:
    Nexusguard report: when the FBI shut down 15 of the largest DDoS-for-hire websites in December, it led to an 85% reduction in overall attack size worldwide

    FBI crackdown reduced denial-of-service attack sizes by 85 percent
    https://siliconangle.com/2019/03/19/fbi-crackdowns-ddos-hire-websites-reduced-attack-sizes-85-percent-year/

    Reply
  24. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Norsk Hydro, one of the world’s largest producers of aluminum, has shut down several metal extrusion plants as it deals with a ransomware attack

    Aluminum producer switches to manual operations after ransomware infection
    UPDATE: Cyber-attack identified as LockerGoga ransomware infection.
    https://www.zdnet.com/article/aluminium-producer-switches-to-manual-operations-after-extensive-cyber-attack/

    Norsk Hydro, one of the world’s largest aluminium producers, revealed today that it “became victim of an extensive cyber-attack” that crippled some of its infrastructure and forced it to switch to manual operations in some smelting locations. The cyber-attack was later identified as an infection with the LockerGoga ransomware strain, the company said during a press conference.

    News of the cyber-attack broke earlier this morning in a message the company sent to investors and stock exchanges.

    “Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company’s business areas,” the company said. “IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”

    Norsk Hydro: Hydro subject to cyber-attack
    https://newsweb.oslobors.no/message/472389

    Hydro became victim of an extensive cyber-attack in the early hours of Tuesday (CET), impacting operations in several of the company’s business areas. IT-systems in most business areas are impacted and Hydro is switching to manual operations as far as possible. Hydro is working to contain and neutralize the attack, but does not yet know the full extent of the situation.

    Reply
  25. Tomi Engdahl says:

    ABC:
    Sources: Uber used a spyware program code-named Surfcam to steal drivers from an Australian rival by tracking their cars online and scraping driver details — Four Corners By Sean Nicholls, Peter Cronau and Mary Fallon — International rideshare giant Uber used a secret spyware program …

    Uber used secret spyware to try to crush Australian start-up GoCatch
    https://www.abc.net.au/news/2019-03-18/uber-used-secret-spyware-to-try-and-crush-australian-start-up/10901120

    Reply
  26. Tomi Engdahl says:

    Dell Cameron / Gizmodo:
    In response to a FOIA lawsuit, FCC admits in court that its Electronic Comment Filing System isn’t designed to track the sources of comments — The FCC’s public comment system is a bloody mess. Over the past two years, it’s become apparent that political lobbyists, usually acting on behalf …

    FCC Admits in Court That It Can’t Track Who Submits Fake Comments
    https://gizmodo.com/fcc-admits-in-court-that-it-cant-track-who-submits-fake-1833415042

    The FCC’s public comment system is a bloody mess. Over the past two years, it’s become apparent that political lobbyists, usually acting on behalf of the telecom industry itself, are prepared to manipulate the agency’s rulemaking process and impersonate everyday Americans just to create the illusion of public support where, in reality, none exists.

    In response to allegations that millions of comments submitted to the FCC about net neutrality in 2017 were fabricated—using the names and home addresses of Americans without their consent—the New York Times is actively seeking access to the FCC’s internal logs under the Freedom of Information Act. Its reporters have specifically asked the FCC to turn over records that contain every comment and the IP addresses from which they originated. But the commission is fighting back.

    For starters, the FCC is denying the Times access to these records on privacy grounds.

    The notion that the system is in any way “secure” to begin with is comical, since one doesn’t need to actually commit a computer crime to flood it with bogus comments. If one were to email the agency and ask for instructions on how to submit comments in large batches, not only will it gladly provide that information, it will load them into the system regardless of whether they’re real or not.

    Comments attributed to Americans who have been saying for over a year that their identities were stolen can still be found on the FCC’s website, right next to political (and in some cases veiled anti-Semitic) remarks that they did not write.

    Americans should not have to worry about whether malicious political statements, which they did not write and do not stand by, are being published by their own government in their name, without their consent.

    Reply
  27. Tomi Engdahl says:

    Severe security bug found in popular PHP library for creating PDF files
    https://www.zdnet.com/article/severe-security-bug-found-in-popular-php-library-for-creating-pdf-files/

    Vulnerability patched last year, but many websites and web apps will most likely remain vulnerable for years.

    A security researcher has found a severe security flaw in one of the internet’s most popular PHP libraries for creating PDF files.

    The vulnerability impacts TCPDF, one of the “big three” PHP libraries –together with mPDF and FPDF– for converting HTML code to PDF docs or assembling PDF files on the fly.

    The security flaw can be exploited by an attacker to achieve “remote code execution” on websites and web apps that use the TCPDF library, allowing a threat actor to run malicious code and potentially take over these systems.

    How the new TCPDF attack works

    In a blog post published over the weekend, an Italian security researcher who goes online as Polict revealed a new PHP serialization flaw impacting TCPDF in the same way as the one discovered by Thomas last year.

    Polict says the vulnerability he found can be exploited in two ways. The first case is on websites that allow user input to be part of the PDF file generation process, such as when adding names or other details inside invoices.

    The second is on websites that contain cross-site scripting (XSS) vulnerabilities where an attacker can plant malicious code inside the HTML source code that will be fed to the TCPDF library to convert into a PDF.

    CVE-2018-17057
    yet another phar deserialization in TCPDF
    https://polict.net/blog/CVE-2018-17057

    Reply
  28. Tomi Engdahl says:

    Cloudflare Launches New HTTPS Interception Detection Tools
    https://www.securityweek.com/cloudflare-launches-new-https-interception-detection-tools

    Security services provider Cloudflare on Monday announced the release of two new tools related to HTTPS interception detection.

    Occurring at times when the TLS connection between a browser and a server is not direct, but goes through a proxy or middlebox, HTTPS interception can result in third-parties accessing the transmitted encrypted content.

    There are several types of known HTTPS interception, including TLS-terminating forward proxies (to forward and possibly modify traffic), antivirus and corporate proxies (to detect inappropriate content, malware, and data breaches), malicious forward proxies (to insert or exfiltrate data), leaky proxies (any proxy can expose data), and reverse proxies (legitimate, aim to improve performance).

    Detecting HTTPS interception, Cloudflare says, can help a server identify suspicious or potentially vulnerable clients that connect to the network and notify users on compromised or degraded security.

    Reply
  29. Tomi Engdahl says:

    Microsoft Dominates 2018′s Most Exploited Vulnerabilities
    https://www.securityweek.com/microsoft-dominates-2018s-most-exploited-vulnerabilities

    Eight of the top ten most exploited vulnerabilities in 2018 affected Microsoft products. Only one — but the second most exploited — was an Adobe vulnerability. The last one, ranking at the ninth most exploited vulnerability of 2018, was an Android vulnerability.

    Reply
  30. Tomi Engdahl says:

    Trapdoor commitments in the SwissPost e-voting shuffle proof
    https://people.eng.unimelb.edu.au/vjteague/SwissVote

    The implementation of the commitment scheme in the SwissPost-Scytl mixnet uses a trapdoor commitment scheme, which allows anyone who knows the trapdoor values to generate a shuffle proof transcript that passes verification but actually alters votes. This allows undetectable vote manipulation by an authority who implemented or administered a mix server.

    Reply
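    To see why a trapdoor in the commitment scheme is fatal for a shuffle proof, the following added example (not code from the SwissPost/Scytl mixnet or from the linked analysis) uses a Pedersen-style commitment over a constructed toy group: whoever knows x = log_G(h) can open a commitment to a different value, while a verifier can only recompute the commitment and has no way to tell. The derive_generator function shows the usual mitigation, deriving h from a published seed so that nobody knows its discrete log.

```python
"""Trapdoor equivocation in a Pedersen-style commitment, with the usual fix."""
import hashlib

# Constructed toy parameters: P = 2*Q + 1 with Q prime, so the squares modulo P
# form a subgroup of prime order Q. G = 2^2 lies in that subgroup.
P = 1019
Q = 509
G = 4


def commit(h: int, m: int, r: int) -> int:
    """Pedersen commitment C = G^m * h^r mod P to message m with randomness r."""
    return (pow(G, m, P) * pow(h, r, P)) % P


def verify_opening(h: int, c: int, m: int, r: int) -> bool:
    """A verifier accepts (m, r) as an opening of c iff it recomputes c."""
    return commit(h, m, r) == c


def trapdoor_setup(x: int) -> int:
    """Whoever chooses h = G^x knows the trapdoor x = log_G(h)."""
    return pow(G, x, P)


def forge_opening(x: int, m: int, r: int, m_new: int) -> int:
    """With the trapdoor, reopen a commitment to m as a commitment to m_new.

    C = G^m * h^r = G^(m + x*r), so any pair (m', r') with
    m' + x*r' == m + x*r (mod Q) is an accepted opening:
    r' = r + (m - m') * x^-1 mod Q.
    """
    x_inv = pow(x, -1, Q)
    return (r + (m - m_new) * x_inv) % Q


def derive_generator(seed: bytes) -> int:
    """Nothing-up-my-sleeve h: hash a public seed into the order-Q subgroup so
    that no party knows log_G(h). Assumption: the seed and hash function are
    part of the published parameters, so anyone can recompute h."""
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        # Squaring maps the candidate into the order-Q subgroup.
        candidate = pow(int.from_bytes(digest, "big") % P, 2, P)
        if candidate not in (0, 1):
            return candidate
        counter += 1


def generator_is_verifiable(h: int, seed: bytes) -> bool:
    """Auditor's check: h must equal the published derivation from the seed
    and must have order Q."""
    return h == derive_generator(seed) and pow(h, Q, P) == 1


def demo(x: int = 123, m: int = 7, r: int = 42, m_new: int = 9):
    """Return (honest opening ok, forged opening ok, naive tamper ok).

    Constructed values: x is the trapdoor, (m, r) the real opening, m_new the
    value the trapdoor holder wants the commitment to appear to contain.
    """
    h = trapdoor_setup(x)
    c = commit(h, m, r)
    r_new = forge_opening(x, m, r, m_new)
    return (
        verify_opening(h, c, m, r),          # True: the real opening
        verify_opening(h, c, m_new, r_new),  # True: the forged opening also verifies
        verify_opening(h, c, m_new, r),      # False: changing m without the trapdoor fails
    )


if __name__ == "__main__":
    print("honest, forged, naive:", demo())
    h = derive_generator(b"constructed-public-seed")
    print("seed-derived h verifiable:", generator_is_verifiable(h, b"constructed-public-seed"))
```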
  31. Tomi Engdahl says:

    Vulnerability in NSA’s Reverse Engineering Tool Allows Remote Code Execution
    https://www.securityweek.com/vulnerability-nsas-reverse-engineering-tool-allows-remote-code-execution

    A vulnerability in Ghidra, the generic disassembler and decompiler released by the National Security Agency (NSA) in early March, could be exploited to execute code remotely, researchers say.

    Reply
  32. Tomi Engdahl says:

    Ransomware is not dead – a light analysis of LockerGoga
    https://www.joesecurity.org/blog/2995389471535835488

    Despite many reports saying that the number of Ransomware samples is on the decrease, we see again and again big multinational companies suffering from these attacks.

    Just two days ago, Norway based Norsk Hydro – one of the World’s largest Aluminium producers – was hit by a severe Ransomware attack.

    The attack is so massive that Hydro had to switch its productions to manual mode.

    According to various press releases, the entire worldwide Norsk Hydro network is down.

    Reply
  33. Tomi Engdahl says:

    Years-Long Phishing Campaign Targets Saudi Gov Agencies
    https://threatpost.com/phishing-campaign-saudi-gov/142998/

    The campaign, codenamed “Bad Tidings,” has sought out victims’ credentials with clever fake landing pages pretending to be the Saudi Arabian Ministry of Interior’s e-Service portal.

    An ongoing three-year-old phishing campaign has been targeting the credentials of Saudi Arabian government agencies — with a financially motivated actor the likely culprit.

    Reply
  34. Tomi Engdahl says:

    Google Photos Bug Exposed the Location & Time of Your Pictures
    https://www.bleepingcomputer.com/news/security/google-photos-bug-exposed-the-location-and-time-of-your-pictures/

    A vulnerability in the web version of Google Photos allowed websites to learn a user’s location history based on the images they stored in the account.

    The flaw affected the Google Photos search endpoint that allows users to quickly find pictures based on aggregated metadata, such as geo-location and date of creation, an artificial intelligence algorithm that can recognize objects and people’s faces after they’ve been tagged.

    Reply
  35. Tomi Engdahl says:

    Cardinal RAT Resurrected to Target FinTech Firms
    https://threatpost.com/cardinal-rat-fintech/142965/

    A long-quiet malware family has been spotted targeting financial technology firms, armed with new obfuscation techniques to avoid detection.

    Reply
  36. Tomi Engdahl says:

    Cisco Patches Critical ‘Default Password’ Bug
    https://threatpost.com/cisco-patches-critical-default-password-bug/142814/

    Vulnerability allows adversaries to access monitoring system used for gathering info on operating systems and hardware.

    Cisco Systems is warning customers that a discovery tool for network devices can be accessed by a remote and unauthenticated attacker. The flaw could allow an adversary to log into the system and collect sensitive data tied to host operating systems and hardware.

    The disclosure is part of a Cisco Security Advisory and patch (CVE-2019-1723) issued Wednesday. The vulnerability is rated critical, with a CVSS rating of 9.8.

    Affected is the Cisco Common Service Platform Collector (CSPC), a tool used for discovering and collecting information from the Cisco devices installed on a network.

    Reply
  37. Tomi Engdahl says:

    FIN7 Revisited: Inside Astra Panel and SQLRat Malware
    https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/

    Despite the arrests of three prominent members of the FIN7 cybercrime gang beginning in January 2018, attacks targeting businesses and customer payment card information did not cease.

    Reply
  38. Tomi Engdahl says:

    PuTTY Releases Important Software Update to Patch 8 High-Severity Flaws
    https://thehackernews.com/2019/03/putty-software-hacking.html

    The popular SSH client program PuTTY has released the latest version of its software that includes security patches for 8 high-severity security vulnerabilities.

    PuTTY is one of the most popular and widely used open-source client-side programs that allows users to remotely access computers over SSH, Telnet, and Rlogin network protocols.

    https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.70.html

    Reply
  39. Tomi Engdahl says:

    Fake or Fake: Keeping up with OceanLotus decoys
    https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/

    ESET researchers detail the latest tricks and techniques OceanLotus uses to deliver its backdoor while staying under the radar.

    Reply
  40. Tomi Engdahl says:

    Apple, Oracle, VMware Software Hacked at Pwn2Own 2019
    https://www.securityweek.com/apple-oracle-vmware-software-hacked-pwn2own-2019

    Apple’s Safari web browser and the Oracle VirtualBox and VMware Workstation virtualization products were hacked on the first day of the Pwn2Own 2019 hacking competition, earning researchers a total of $240,000 in cash.

    Reply
  41. Tomi Engdahl says:

    Researchers Use UPnP Protocol to Unmask IPv6 Address
    https://www.securityweek.com/researchers-use-upnp-protocol-unmask-ipv6-address

    Cisco Talos security researchers were able to leverage properties of the Universal Plug and Play (UPnP) protocol to unmask the IPv6 address of specific IPv4 hosts.

    Reply
  42. Tomi Engdahl says:

    Windows Hello Support Added to Firefox 66
    https://www.securityweek.com/windows-hello-support-added-firefox-66

    Mozilla this week released Firefox 66 with support for Windows Hello for Web Authentication on Windows 10, as well as with patches for 21 vulnerabilities.

    The newly added support for Windows Hello should provide users with a passwordless experience on the web, but also with increased security, Mozilla says.

    Reply
  43. Tomi Engdahl says:

    Multiple Vulnerabilities Fixed in CUJO Smart Firewall
    https://www.securityweek.com/multiple-vulnerabilities-fixed-cujo-smart-firewall

    Vulnerabilities recently addressed by CUJO AI in the CUJO Smart Firewall could be exploited to take over the device, Cisco Talos security researchers reveal.

    Based on a Linux-based operating system running a kernel with PaX patches, the Smart Firewall was designed to protect home networks against attacks such as malware, phishing websites, and hacking attempts, and may be deployed in sensitive locations within the network.

    Reply
  44. Tomi Engdahl says:

    Authentication Bypass Vulnerability Found in SoftNAS Cloud
    https://www.securityweek.com/authentication-bypass-vulnerability-found-softnas-cloud

    A security firm’s Vulnerability Research Team (VRT) found and reported a vulnerability in SoftNAS Cloud data storage. SoftNAS fixed the vulnerability last week, and details of the vulnerability are now being made public.

    The Digital Defense VRT found the vulnerability in SoftNAS Cloud Enterprise 4.2.0. Earlier versions are not affected, and it has been fixed in version 4.2.2.

    SoftNAS Cloud is a Linux-based virtual appliance that can be deployed on hypervisor-based systems, including Amazon AWS, Microsoft Azure and VMware vSphere. It runs as a virtual machine (VM), providing a broad range of software-defined capabilities.

    Reply
