This posting is here to collect cyber security news in March 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
490 Comments
Tomi Engdahl says:
Critical zero-day vulnerability fixed in WordPress Easy WP SMTP plugin.
https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin/
Tomi Engdahl says:
Russian hackers are eight times faster than North Korean groups
https://www.technologyreview.com/the-download/612983/russian-hackers-are-eight-times-faster-than-chinese-and-north-korean-groups/?utm_campaign=site_visitor.unpaid.engagement&utm_medium=tr_social&utm_source=facebook
Russian hackers are way ahead of the next-fastest state-sponsored hackers, North Korea, who themselves are nearly twice as fast as Chinese groups, according to a new report by US cybersecurity firm Crowdstrike.
Tomi Engdahl says:
http://m.startribune.com/750-000-medtronic-defibrillators-vulnerable-to-hacking/507470932/
Tomi Engdahl says:
Lithuanian Pleads Guilty to Stealing $100 Million From Google, Facebook
https://www.bleepingcomputer.com/news/security/lithuanian-pleads-guilty-to-stealing-100-million-from-google-facebook/
A Lithuanian man pleaded guilty today to wire fraud, aggravated identity theft, and three counts of money laundering, after tricking employees of Alphabet’s Google unit and Facebook into wiring more than $100 million into bank accounts he controlled as part of multiple business email compromise (BEC) fraud attacks spanning from at least in or around 2013 through in or about 2015.
Tomi Engdahl says:
Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560)
https://lgtm.com/blog/facebook_fizz_CVE-2019-3560
Tomi Engdahl says:
Keeping Passwords Secure
https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/
Tomi Engdahl says:
Vulnerability in Swiss e-voting system could have led to vote alterations
https://www.google.com/amp/s/www.zdnet.com/google-amp/article/vulnerability-in-swiss-e-voting-system-could-have-led-to-vote-alterations/
A fix has been deployed to Switzerland’s e-voting system, slated to roll out later this year.
Tomi Engdahl says:
Complete Beto cDc text archive.
http://obsceneworks.com/blog/complete-beto-cdc-text-archive/
Tomi Engdahl says:
Glitch in new Presto app can shut down systems, Toronto man warns
https://www.cbc.ca/news/canada/toronto/toronto-man-finds-apparent-glitch-on-presto-1.5061232
Robert Leyzerovich claims his Presto card can disable fare gates, card loading machines
Robert Leyzerovich says he’s discovered a glitch in Presto’s mobile app that lets him shut down fare gates and card-loading machines
Tomi Engdahl says:
Encryption pioneer aims to end our data dilemma with cryptography’s holy grail
https://www.fastcompany.com/90314942/duality-homomorphic-encryption
A company founded by one of cryptography’s heavyweights is making waves with a long-awaited approach to the data privacy problem.
Tomi Engdahl says:
QUANTUM PHYSICS COULD PROTECT THE GRID FROM HACKERS—MAYBE
https://www.wired.com/story/quantum-physics-protect-grid/amp
One challenge with this approach is the grid itself. It’s a mishmash of transformers, switches, and sundry parts installed over various years, and grafting on any new technology is difficult. “You can’t just shut the power off,” says physicist Tom Venhaus of Los Alamos National Laboratory, who collaborated on the project. “It’s like working on a car with its engine running.”
Tomi Engdahl says:
As the Cyber War Grows: Is It Time to Strike Back?
https://www.venafi.com/blog/cyber-war-grows-it-time-strike-back?utm_source=socialmedia&utm_medium=Bora&utm_campaign=Cyber-War-RSA-blog
According to Nakasone, cyber attacks from nation state actors, like Russia, North Korea and Iran, have increased in sophistication and intensity; some even breached critical naval systems. As a result, the general recommended the United States become more prepared to aggressively strike back their assailants.
Tomi Engdahl says:
Quantum-safe communication over the internet infrastructure? Yeah, that’s doable
https://techcrunch.com/2019/03/19/quantum-safe-communication-over-the-internet-infrastructure-yeah-thats-doable/
Quantum computing promises to do many things for business and industry, processing data at far greater speeds and rates than today’s binary computers can accomplish. But it also promises to do something else — essentially render current security standards useless, as hackers will be able to utilize quantum systems to crack the cryptographic schemes that are used to protect systems today.
Tomi Engdahl says:
Carding Scam Victim’s still Increasing
http://greyhatsecurity.ml/2019/03/18/carding-scam-victims-still-increasing/?i=2
Tomi Engdahl says:
Myspace Lost 13 Years Worth of Data and Basically Nobody Cared
https://www.tomshardware.com/news/myspace-lost-13-years-data,38847.html
Tomi Engdahl says:
We invited professional hackers to attack us: Here’s what happened
https://www.cnet.com/news/we-invited-professional-hackers-to-attack-us-heres-what-happened/
Even when you anticipate a cyberattack, email phishing remains one of the most effective methods used by hackers to access private accounts.
Tomi Engdahl says:
Mitä sinun on hyvä tietää tietosuojastasi ja Nokia 7 Plus -puhelinten väitetystä “tietovuodosta”
https://www.nokia.com/phones/fi_fi/privacy-info
Tomi Engdahl says:
Did not know there was a company actually working to make homomorphic encryption usable…
Encryption pioneer aims to end our data dilemma with cryptography’s holy grail
https://www.fastcompany.com/90314942/duality-homomorphic-encryption
Tomi Engdahl says:
Leaker, Liar, Hacker, Hoaxer: The Russian contractor who infiltrated Anonymous
https://emma.best/2019/03/20/the-russian-contractor-who-infiltrated-anonymous/
Tomi Engdahl says:
New Cybersecurity Regulations About to Hit Everyone
https://pentestmag.com/new-cybersecurity-regulations-about-to-hit-everyone/
Tomi Engdahl says:
Researchers find 36 new security flaws in LTE protocol
https://www.zdnet.com/google-amp/article/researchers-find-36-new-security-flaws-in-lte-protocol/?__twitter_impression=true
South Korean researchers apply fuzzing techniques to LTE protocol and find 51 vulnerabilities, of which 36 were new.
The vulnerabilities allow attackers to disrupt mobile base stations, block incoming calls to a device, disconnect users from a mobile network, send spoofed SMS messages, and eavesdrop and manipulate user data traffic.
Tomi Engdahl says:
70% of Ransomware Attacks Targeted SMBs, BEC Attacks Increased by 130%
https://www.bleepingcomputer.com/news/security/70-percent-of-ransomware-attacks-targeted-smbs-bec-attacks-increased-by-130-percent/
Tomi Engdahl says:
John Herrman / New York Times:
A profile of Citizen, a crime tracking app that notifies users in NYC, SF Bay Area, Baltimore, and LA when a crime or a major incident is reported near them
All the Crime, All the Time: How Citizen Works
https://www.nytimes.com/2019/03/17/style/citizen-neighborhood-crime-app.html
An app called Citizen promises “awareness” of nearby danger. What it provides is more complicated.
Open Citizen and you will see a familiar blue location dot — that’s you! — surrounded by other, often larger dots, in red and yellow. Each represents an incident, either of the “Recent” or “Trending” variety, that has recently been reported in your proximity, and that may even be unfolding at the very moment.
Particularly notable reports might have video, sometimes live, as well as a timeline of new developments, and a chat-scroll full of users discussing what they’re seeing.
“Sometimes it makes me feel paranoid, and afraid knowing that there is a lot that goes on,” she said. “It does give me some comfort knowing my surroundings, but I’m always torn between wanting to know and see everything, or to have that blind eye toward everything.”
Conflicted enthusiasm is a common sentiment among Citizen users: I don’t know if I want to know, but I can’t not know.
Tomi Engdahl says:
Wireless vulns in Medtronic’s implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft
https://boingboing.net/2019/03/22/lethal-shocks-r-us.html
Medtronic is the most notorious maker of insecure medical implants in America, with a long history of inserting computers into people’s bodies with insecure wireless interfaces, toolchains and update paths, and nothing has changed.
In a new CERT advisory — scoring 9.3/10 for severity! — we learn that remote attackers can hijack a Medtronic implanted defibrillator and administer potentially lethal shocks, shut down lifesaving features, and put the device into a high power-consumption mode that drains the battery. A separate attack allows attackers to steal sensitive patient data from the device.
https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01
Tomi Engdahl says:
Industry Reactions to Norsk Hydro Breach: Feedback Friday
https://www.securityweek.com/industry-reactions-norsk-hydro-breach-feedback-friday
Norwegian aluminum giant Norsk Hydro has been hit by a serious ransomware attack that caused disruptions at some of its plants and forced the company to turn to manual processes to fulfill customer orders.
The attack appears to have involved file-encrypting ransomware known as LockerGoga. However, Norsk Hydro claims it has good backups in place that should help it restore compromised files without having to pay the ransom.
Cybersecurity expert Kevin Beaumont (blog post on his thoughts and analysis of the attack):
“Hydro started the best incident representation response plan I’ve ever seen — they had a temporary website up, they told the press, they told their staff, they apparently didn’t hide any details — they even had daily webcasts with the most senior staff talking through what was happening, and answering questions.
In contrast to some other incidents, their stock price actually went up — despite a difficult trading period for past 2 years involving some major business setbacks, they have actually gained in value.
Ray Walsh, digital privacy expert, BestVPN.com:
“The surge in the price of aluminum since the cyber attack on the Norwegian producer Norsk Hydro is a stark reminder of the possible ramifications of targeted cyber attacks. Anytime that a large firm has a strong direct influence on the production of a material, it is possible that a large attack of this nature could disrupt distribution levels and therefore affect prices.
Malcolm Taylor, Director Cyber Advisory, ITC Secure:
“Supply chain risk through cyberattack has come to the fore recently. Not, I believe, because it’s become a greater issue or because of attacks like this which are highlighting it, but simply because there is a growing understanding of the inter-connected nature of modern commercial activity and just in time production, and crucially how empowered that is by technology. It may also be a factor, though I think sadly a smaller one, that as firms mature their cyber security, they have the wherewithal, in terms of understanding, time and budget, to begin to get to grips with the problem of their suppliers, which has made the issue gain prominence.
Tyler Moffitt, Security Analyst, Webroot:
“LockerGoga is a new ransomware variant that appears to be targeting European companies. So far, the notable victims have been Altran in France on Jan. 25 and Norsk Hydro in Norway in the past 24 hours. The encryption process used by LockerGoga is slow because it creates a new process each times it encrypts a new file and also exhibits no detection evasion techniques, showing a lack of sophistication. LockerGoga was signed using a valid Digital Certificate which has since been revoked.”
Dean Weber, CTO, Mocana:
“The Norsk Hydro attack goes to show that the reliance of operational technology (OT) systems on information technology (IT) platforms means that any attack is likely to impact both in industrial environments. By targeting and disabling IT systems, adversaries are able to cause a variety of subsequent issues affecting OT input/output, storage, data recorders, ICS/SCADA platforms and more. Why is the impact so widespread? Professionals are forced to disconnect IT systems for either protection purposes or for remediation activities.
Tomi Engdahl says:
Cisco Patches High Severity Vulnerabilities in IP Phones
https://www.securityweek.com/cisco-patches-high-severity-vulnerabilities-ip-phones
Tomi Engdahl says:
Pwn2Own 2019: Researchers Win Tesla After Hacking Its Browser
https://www.securityweek.com/pwn2own-2019-researchers-win-tesla-after-hacking-its-browser
A team of researchers has earned $35,000 and a Tesla Model 3 after hacking the vehicle’s web browser at the Pwn2Own 2019 competition that took place this week in Vancouver, Canada.
Tomi Engdahl says:
UK Police Federation Hit by Ransomware
https://www.securityweek.com/uk-police-federation-hit-ransomware
The UK Police Federation of England & Wales (PFEW) website was subject to a malware attack that it discovered on March 9, 2019. It appears that this was a ransomware attack; but the strain has not been announced.
Tomi Engdahl says:
Russian Hackers Target European Governments Ahead of Elections: FireEye
https://www.securityweek.com/russian-hackers-target-european-governments-ahead-elections-fireeye
Hackers believed to be sponsored by the Russian government are targeting European governments for cyber-espionage purposes ahead of the upcoming European elections, FireEye reports.
The targeting, the security firm says, is focused on NATO member states. The activity has increased significantly since mid-2018, and is ongoing.
The attacks are being carried out by two groups that security companies refer to as APT28 (also known as Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, Tsar Team and Strontium) and Sandworm Team (also tracked as TeleBots).
Tomi Engdahl says:
D.C. Attorney General Introduces New Data Security Bill
https://www.securityweek.com/dc-attorney-general-introduces-new-data-security-bill
Karl A. Racine, the attorney general for the District of Columbia, on Thursday announced the introduction of a new bill that aims to expand data breach notification requirements and improve the way personal information is protected by organizations.
The Security Breach Protection Amendment Act of 2019 expands the types of information companies are held accountable for. Current legislation covers social security numbers, payment cards, and driver’s license numbers, and the new bill would also add passport numbers, military IDs, biometric data, health information, taxpayer identification numbers, health insurance info, and genetic information and DNA profiles to that list.
The bill also requires companies that own, maintain, license or handle personal information to implement security measures to prevent unauthorized access and data misuse.
The legislation would also require organizations to notify the AG’s office of any data breaches, and inform impacted consumers of their right (under federal law) to obtain a security freeze.
Tomi Engdahl says:
Microsoft Launches Defender ATP Endpoint Security for macOS
https://www.securityweek.com/microsoft-launches-defender-atp-endpoint-security-macos
Microsoft this week announced the availability of its Microsoft 365 advanced endpoint security solution across platforms, courtesy of Mac support added to Microsoft Defender Advanced Threat Protection (ATP).
Tomi Engdahl says:
Multiple Vulnerabilities Patched in PuTTY and LibSSH2
https://www.securityweek.com/multiple-vulnerabilities-patched-putty-and-libssh2
PuTTY, an SSH and Telnet client program, and LibSSH2, a client-side C library for the SSH2 protocol, have both received updates fixing multiple vulnerabilities. Eight vulnerabilities have been fixed in version 0.71 of PuTTY, and nine vulnerabilities fixed in version 1.8.1 of LibSSH2.
Tomi Engdahl says:
Glitch Exposes the Passwords of Roughly Half Billion Facebook and Instagram Users
https://www.pandasecurity.com/mediacenter/social-media/glitch-facebook-instagram/
Tomi Engdahl says:
Two Russia-backed hacker groups target Europe ahead of elections, FireEye reports
https://boingboing.net/2019/03/21/two-russia-backed-hacker-group.html
Security services firm FireEye says two hacker groups known to be sponsored by the Russian government of Vladimir Putin are waging cyber-attacks currently against European government systems.
FireEye says these internet-based digital attacks are focused on the member states of NATO, the European security alliance that both Putin and Trump disparage.
The two hacking groups are believed to be coordinating their efforts, but they’re using different tools, FireEye reports, adding it noticed a “significant increase” in activity from both groups in mid-2018.
The cyber-espionage campaign is said to be ongoing.
Tomi Engdahl says:
Cyber-espionage warning: Russian hacking groups step up attacks ahead of European elections
https://www.zdnet.com/article/cyber-espionage-warning-russian-hacking-groups-step-up-attacks-ahead-of-european-elections/
Researchers at FireEye say Kremlin-backed hacking operations are attempting to target governments, media and political parties as elections approach.
Tomi Engdahl says:
NRK: Ainakin neljä Nokia-puhelinmallia lähettää tietoja Kiinaan
https://www.is.fi/digitoday/tietoturva/art-2000006044697.html
Flere Nokia-modeller har kommunisert med server eid av kinesisk selskap
https://nrkbeta.no/2019/03/22/flere-nokia-modeller-har-kommunisert-med-kinesiske-servere/
Tomi Engdahl says:
Evidence mounts that Russian hackers are trying to disrupt the EU elections
State-sponsored groups Fancy Bear and Sandworm are phishing for government info.
https://www.engadget.com/2019/03/21/russia-hackers-influence-eu-election-phishing/
Tomi Engdahl says:
Nokia-puhelinten valmistajaa infottiin mystisestä yhteydenpidosta Kiinaan jo viime kesänä
https://www.tivi.fi/Kaikki_uutiset/nokia-puhelinten-valmistajaa-infottiin-mystisesta-yhteydenpidosta-kiinaan-jo-viime-kesana-6761908
Flere Nokia-modeller har kommunisert med server eid av kinesisk selskap
https://nrkbeta.no/2019/03/22/flere-nokia-modeller-har-kommunisert-med-kinesiske-servere/
Tomi Engdahl says:
Nokia phones may have breached user data
And may have sent it to the Chinese.
https://www.itproportal.com/news/nokia-phones-may-have-breached-user-data/
Reports are coming in that a certain Nokia phone model may have leaked personal information to a Chinese server, and Finnish authorities are moving in to investigate.
The news was confirmed by Reuters recently, which confirmed that Finland’s data protection ombudsman would investigate the matter.
Ombudsman Reijo Aarnio told Reuters he’d look into any potential breaches that involved “personal information and if there has been a legal justification for this.”
According to local media, the device in question is the Nokia 7 Plus. The company that makes these phones, HMD Global, said that an “unspecified number” of these devices sent data to a Chinese server.
Nokia, the company, didn’t want to comment.
Tomi Engdahl says:
Vietnam ‘State-Aligned’ Hackers Are Targeting Auto Firms, FireEye Says
https://www.bloomberg.com/news/articles/2019-03-20/vietnam-tied-hackers-target-auto-industry-firms-fireeye-says
Vietnamese “state-aligned” hackers are targeting foreign automotive companies in attacks that appear to support the country’s vehicle manufacturing goals, according to cyber-security provider FireEye Inc.
FireEye, which designated the group as APT32 and dates its activities to 2014, said the attacks accelerated in early February. The hacking targeted companies in Southeast Asia and “the broader areas surrounding Vietnam,” said Nick Carr, a FireEye senior manager.
Tomi Engdahl says:
Ransomware Forces Two Chemical Companies to Order ‘Hundreds of New Computers’
https://motherboard.vice.com/en_us/article/8xyj7g/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers
It appears that LockerGoga, the same ransomware that hit aluminum manufacturing giant Norsk Hydro this week, also infected American chemicals companies Hexion and Momentive, leaving employees locked out of their computers.
A ransomware attack appears to have affected two American chemicals companies, Motherboard has learned.
Hexion and Momentive, which make resins, silicones, and other materials, and are controlled by the same investment fund, were hit by the ransomware on March 12, according to a current employee. An internal email obtained by Motherboard and signed by Momentive’s CEO Jack Boss refers to a “global IT outage” that required the companies to deploy “SWAT teams” to manage.
Tomi Engdahl says:
Lithuanian Pleads Guilty to Stealing $100 Million From Google, Facebook
https://www.bleepingcomputer.com/news/security/lithuanian-pleads-guilty-to-stealing-100-million-from-google-facebook/
Tomi Engdahl says:
Over 100,000 GitHub repos have leaked API or cryptographic keys
Thousands of new API or cryptographic keys leak via GitHub projects every day.
https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/
A scan of billions of files from 13 percent of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis.
Tomi Engdahl says:
’100 unique exploits and counting’ for latest WinRAR security bug
https://www.zdnet.com/article/100-unique-exploits-and-counting-for-latest-winrar-security-bug/
As expected, the recent WinRAR vulnerability is now being abused en-masse by multiple threat actors.
Tomi Engdahl says:
Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560)
https://lgtm.com/blog/facebook_fizz_CVE-2019-3560
This post is about a denial of service vulnerability which I found in Facebook’s Fizz project, using a Semmle QL query. The vulnerability is an infinite loop which can be triggered by an unauthenticated remote attacker. Fizz is Facebook’s TLS implementation, which means that it is used for the “https:” part of https://facebook.com. In a blog post about Fizz
Tomi Engdahl says:
Facebook-Google Scammer Pleads Guilty in $121 Million Theft
https://www.bloomberg.com/news/articles/2019-03-20/man-pleads-guilty-in-100-million-scam-of-facebook-and-google
Tomi Engdahl says:
Critical DoS Bug Bubbles Up in Facebook Fizz TLS 1.3 Project
https://threatpost.com/dos-bug-facebook-fizz-tls/143086/
Users of the open-source project should upgrade immediately.
A critical denial-of-service (DoS) vulnerability in Facebook’s open-source implementation of the transport layer security (TLS) 1.3 protocol could cause an infinite loop – thus disrupting any web service that relies on it.
Semmle Discovers Denial of Service (DoS) Vulnerability in Facebook Fizz
https://semmle.com/news/denial-service-dos-vulnerability-facebook-fizz
Tomi Engdahl says:
Zero-Day WordPress Plugin Vulnerability Used to Add Malicious Redirects
https://www.bleepingcomputer.com/news/security/zero-day-wordpress-plugin-vulnerability-used-to-add-malicious-redirects/
WordPress websites using unpatched Social Warfare installations (v3.5.1 and v3.5.2) are exposed to attacks abusing a stored Cross-Site Scripting (XSS) vulnerability fixed in the 3.5.3 version of the plugin.
After it was determined that the vulnerable plugin which currently has more than 70,000+ installations was actively exploited in the wild, Social Warfare was removed from the WordPress plugin store and was later added back after the development team issued a patch to fix for the zero-day.
Tomi Engdahl says:
Security storm brewing for Oracle Java-powered smart cards: More than a dirty dozen flaws found, fixes… er, any fixes?
Vuln hunters warn malicious applets can bust through protections, snoop on or hijack access gizmos
https://www.theregister.co.uk/2019/03/22/oracles_java_card/
[SE-2019-01] Java Card vulnerabilities
https://seclists.org/fulldisclosure/2019/Mar/35
We discovered multiple security vulnerabilities in reference implementation
of Java Card technology [1] from Oracle used in financial, government,
transportation and telecommunication sectors among others.
According to Oracle, “Java Card technology provides a secured environment
for applications that run on smart cards and other trusted devices with
limited memory and processing capabilities. With close to six billion
Java Card-based devices deployed each year, Java Card is already a leading
software platform to run security services on smart cards and secure
elements, which are chips used to protect smartphones, banking cards and
government services” [2].
Unfortunately, due to certain architectural choices from the past, it’s
hard to perceive Java Card technology in terms of security. There are
ways for malformed applications loaded into a vulnerable Java Card to
easily break memory safety. Such a breach directly leads to the security
compromise of a Java Card VM, applet firewall breach and jeopardizes
security of co-existing applications. In some cases, whole card environment
can be compromised, but that’s dependant on the underlying OS / processor
architecture (i.e. presence of the flat address space, isolation between
tasks).
Tomi Engdahl says:
Firefox and Edge Fall to Hackers on Day Two of Pwn2Own
https://threatpost.com/firefox-edge-pwn2own/143082/
Pwn2Own Vancouver 2019: Day Two Results
https://www.zerodayinitiative.com/blog/2019/3/21/pwn2own-vancouver-2019-day-two-results