This posting is here to collect cyber security news in May 2019.
I post links to security vulnerability news in the comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
355 Comments
Tomi Engdahl says:
Cartoon Network websites hacked to show Arabic memes, male stripper videos
https://www.zdnet.com/article/cartoon-network-websites-hacked-to-show-arabic-memes-and-brazilian-male-stripper/
At least 16 regional Cartoon Network websites have been defaced by two Brazilian hackers.
Tomi Engdahl says:
UK Defense Secretary Gavin Williamson fired over Huawei leak
https://www.google.com/amp/s/amp.cnn.com/cnn/2019/05/01/uk/gavin-williamson-defense-secretary-fired-huawei-leak-gbr-intl/index.html
British Prime Minister Theresa May has fired her Defense Secretary Gavin Williamson over the leaking of a key decision related to the Chinese telecoms company Huawei from a UK National Security Council meeting.
May’s surprise decision followed an inquiry into how the Daily Telegraph newspaper discovered that the UK government was preparing to give Huawei access to parts of the country’s 5G mobile network.
Tomi Engdahl says:
Many Vulnerabilities Found in Wireless Presentation Devices
https://www.securityweek.com/many-vulnerabilities-found-wireless-presentation-devices
Researchers at Tenable have discovered a total of 15 vulnerabilities across eight wireless presentation systems, including flaws that can be exploited to remotely hack devices.
Some of the 15 flaws also impact Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly products from other vendors. Barco appears to be the OEM for some of these devices.
Tomi Engdahl says:
Putin Signs Controversial Internet Law
https://www.securityweek.com/putin-signs-controversial-internet-law
President Vladimir Putin on Wednesday signed into law a “sovereign internet” bill which will allow Russian authorities to isolate the country’s internet, a move decried by rights groups.
Russian lawmakers insist the new law is necessary to ensure the security of Russia’s online networks but critics say the vaguely worded bill gives new censorship powers to government monitors.
Tomi Engdahl says:
Electrum DDoS Botnet Builds Army of 150,000 Hosts
https://www.securityweek.com/electrum-ddos-botnet-builds-army-150000-hosts
A botnet targeting the users of the popular Electrum Bitcoin wallet managed to ensnare more than 150,000 hosts at its peak, Malwarebytes security researchers say.
First observed in December 2018, the threat was initially attempting to lure users into downloading a malicious update aimed at stealing their cryptocurrency. By mid-April 2019, threat actors behind the malware managed to steal around $4 million in Bitcoin from their victims.
Tomi Engdahl says:
Hackers Had Access to Citrix Network for Five Months
https://www.securityweek.com/hackers-had-access-citrix-network-five-months
Software giant Citrix has shared more information about the recent data breach and it appears the hackers had access to the company’s network for roughly five months.
Tomi Engdahl says:
Majority of Encrypted Email Clients Vulnerable to Signature Spoofing
https://www.securityweek.com/majority-encrypted-email-clients-vulnerable-signature-spoofing
Out of 20 Email Clients Tested, 14 Were Vulnerable to OpenPGP Signature Spoofing Attacks
Tomi Engdahl says:
U.S. will rethink cooperation with allies who use Huawei: official
https://www.reuters.com/article/us-usa-huawei-tech/u-s-will-rethink-cooperation-with-allies-who-use-huawei-official-idUSKCN1S517H
Washington does not see any distinction between core and non-core parts of 5G networks and will reassess sharing information with any allies which use equipment made by China’s Huawei, a U.S. cybersecurity official said on Monday.
“It is the United States’ position that putting Huawei or any other untrustworthy vendor in any part of the 5G telecommunications network is a risk,”
Tomi Engdahl says:
APT trends report Q1 2019
https://securelist.com/apt-trends-report-q1-2019/90643/
If we are to provide a few general highlights, we can conclude that:
Geopolitics keeps gaining weight as the main driver of APT activity
South East Asia is still the most active region of the world in terms of APT activity, but probably this is also related to the “noise” that some of the less experienced groups make
Russian-speaking groups keep a low profile in comparison with recent years: maybe this is part of internal restructuring, but this is just a hypothesis
Chinese-speaking actors maintain a high level of activity, combining low and high sophistication depending on the campaign
Providers of “commercial” malware available for governments and other entities seem to be doing well, with more customers
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/9422-huawei-takaovi-oli-telnet-ohjelma
Tomi Engdahl says:
Mysterious hacker has been selling Windows 0-days to APT groups for three years
https://www.zdnet.com/article/mysterious-hacker-has-been-selling-windows-0-days-to-apt-groups-for-three-years/#ftag=RSSbaffb68
Hacker has sold Windows zero-days to the likes of Fancy Bear, FruityArmor, and SandCat.
Tomi Engdahl says:
Only six TSA staffers are overseeing US oil&gas pipeline security
https://www.zdnet.com/article/only-six-tsa-staffers-are-overseeing-us-oil-gas-pipeline-security/
GAO report highlights lack of oil&gas security staff, outdated cyber-security risk assessment methodologies.
The Transportation Security Administration (TSA), the US agency in charge of the US oil&gas pipeline system, has a serious staffing issue on physical and cyber-security positions.
Tomi Engdahl says:
Dell laptops and computers vulnerable to remote hijacks
Another security flaw in a vendor’s bloatware apps puts users at risk.
https://www.zdnet.com/article/dell-laptops-and-computers-vulnerable-to-remote-hijacks/
A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems.
Dell has released a patch for this security flaw on April 23; however, many users are likely to remain vulnerable unless they’ve already updated the tool, which is used for debugging, diagnostics, and Dell drivers auto-updates.
Tomi Engdahl says:
Google adds option to auto-delete search and location history data
https://www.zdnet.com/article/google-adds-option-to-auto-delete-location-history-data/
Google gives users more control over search and location data in the face of impending government scrutiny.
Tomi Engdahl says:
Windows Server hosting provider still down a week after ransomware attack
A2 Hosting has yet to fully restore services after a week, angering tens of customers.
https://www.zdnet.com/article/windows-server-hosting-provider-still-down-a-week-after-ransomware-attack/
A ransomware infection has crippled the operations of a US-based web hosting provider for almost eight days now, several of the company’s disgruntled customers have told ZDNet today.
Impacted are all Windows-based servers owned by A2 Hosting, a provider of virtual private servers (VPS) and WordPress hosting services.
Tomi Engdahl says:
Human Rights Watch:
Researchers reverse engineer an app used by Chinese authorities in Xinjiang which connects to a mass surveillance system for tracking Muslim minorities
How Mass Surveillance Works in Xinjiang, China
‘Reverse Engineering’ Police App Reveals Profiling and Monitoring Strategies
https://www.hrw.org/video-photos/interactive/2019/05/02/china-how-mass-surveillance-works-xinjiang
Tomi Engdahl says:
Kyle Wiggers / VentureBeat:
Google says it will roll out a new tool that lets users limit how long it keeps location, search, and browsing data to either three or 18 months — Last August, the Associated Press reported that various Google apps store the timestamped locations of the devices on which they’re installed.
Google can now automatically delete your location, app, and search activity data
https://venturebeat.com/2019/05/01/google-can-now-automatically-delete-your-location-app-and-search-activity-data/
Last August, the Associated Press reported that various Google apps store the timestamped locations of the devices on which they’re installed. Some of this collection occurs regardless of which privacy settings are enabled — Google Location Services, Find My Device, Search, and Maps continuously record telemetry data. But other entries can be viewed and manually deleted on Android, iOS, and the web, and Google says it’s committed to streamlining the auditing process with new tools.
Tomi Engdahl says:
Tara Seals / Threatpost:
Flashpoint says April Wipro attack was done by hackers who may have been operating under the radar since ’15, have the hallmarks of an advanced, organized group
Wipro Attackers Have Operated Under the Radar for Years
https://threatpost.com/wipro-attackers-under-radar/144276/
The adversaries have the hallmarks of an advanced, organized group, with well-established infrastructure.
New details are emerging in the April attack on systems consulting behemoth Wipro, which saw its network hacked and used for mounting attacks on a dozen of its customers. In a fresh analysis of the indicators of compromise (IOCs), Flashpoint analysts said that the cyberattackers have actually been operating in the shadows for some time – and that the Wipro incident is only its latest effort.
Tomi Engdahl says:
Theodore Schleifer / Vox:
As Saudi Arabia keeps spending, China’s history of IP theft, Trump’s aggressive stance, and empowered CFIUS are decimating China’s US tech startup investments
Silicon Valley is awash in Chinese and Saudi cash — and no one is paying attention (except Trump)
https://www.vox.com/recode/2019/5/1/18511540/silicon-valley-foreign-money-china-saudi-arabia-cfius-firrma-geopolitics-venture-capital
A tough, new enforcement regime is becoming a geopolitical minefield for venture capitalists and startups.
Tomi Engdahl says:
Louise Matsakis / Wired:
Around 20 security experts have united with Securepairs.org to support right-to-repair legislation with expert witnesses at hearings across the US
Security Experts Unite Over the Right to Repair
https://www.wired.com/story/right-to-repair-security-experts-california/
Two years ago, as Nebraska was considering a “right to repair” bill designed to make it easier for consumers to fix their own gadgets, an Apple lobbyist made a frightening prediction. If the state passed the legislation, it would turn into a haven for hackers, Steve Kester told then-state senator Lydia Brasch. He argued the law would inadvertently give bad actors the opportunity to break into devices like smartphones. The bill was later shelved, in part because of industry pressure.
Now, with right-to-repair legislation gaining traction across the country, a new nonprofit advocacy group called Securepairs.org wants to push back against that kind of messaging, arguing instead that devices can be both easy to fix and secure.
Right-to-repair bills often mandate companies release manuals and diagnostic software, as well as sell replacement parts and repair tools to the public
Securepairs.org, founded by technology journalist Paul Roberts, has attracted the support of more than 20 security experts, including Harvard University security technologist Bruce Schneier, bug bounty expert Katie Moussouris, and ACLU technologist Jon Callas. They plan to arrange for expert witnesses to testify at legislative hearings across the country in an effort to convince lawmakers that the right to repair is inherently safe.
Tomi Engdahl says:
Hugh Handeyside / ACLU:
Testimonies of US border officials confirm that CBP and ICE have “near-unfettered” authority to search and seize travelers’ electronic devices at the border
We Got U.S. Border Officials to Testify Under Oath. Here’s What We Found Out.
https://www.aclu.org/blog/privacy-technology/privacy-borders-and-checkpoints/we-got-us-border-officials-testify-under
Tomi Engdahl says:
Pre-Installed Software Flaw Exposes Most Dell Computers to Remote Hacking
https://thehackernews.com/2019/05/dell-computer-hacking.html
If you use a Dell computer, then beware — hackers could compromise your system remotely.
Bill Demirkapi, a 17-year-old independent security researcher, has discovered a critical remote code execution vulnerability in the Dell SupportAssist utility that comes pre-installed on most Dell computers.
Remote Code Execution on most Dell computers
https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers/
In this article, I’ll be looking at a Remote Code Execution vulnerability I found in Dell SupportAssist, software meant to proactively check the health of your system’s hardware and software and which is preinstalled on most of all new Dell devices.
Tomi Engdahl says:
Dell Patches Remote Code Execution Vulnerability in SupportAssist Client
https://www.securityweek.com/dell-patches-remote-code-execution-vulnerability-supportassist-client
Dell recently patched two security vulnerabilities in its SupportAssist Client, including one that could be exploited to achieve remote code execution.
Tracked as CVE-2019-3718, the first of the vulnerabilities is an improper origin validation flaw that could allow an unauthenticated remote attacker to potentially attempt cross-site request forgery (CSRF) attacks on users of the impacted systems.
The issue has a CVSS score of 7.6 and has been fixed with the release of Dell SupportAssist Client 3.2.0.90.
Tracked as CVE-2019-3719 and featuring a CVSS score of 7.1, the second vulnerability could be exploited by an unauthenticated attacker that shares the network access layer with the vulnerable system to compromise that system.
For that, however, the attacker would need to trick the victim user into downloading and executing arbitrary files via the SupportAssist client, Dell noted in an advisory. The files would be fetched from attacker hosted sites.
The researcher also published a demo to show how the vulnerability can be exploited, and made the proof-of-concept code available online.
https://github.com/D4stiny/Dell-Support-Assist-RCE-PoC
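The two Dell advisories above boil down to an improper origin check on the local SupportAssist service and a download of attacker-hosted files that the agent then executes. The following is an added example, not Dell’s code and not the researcher’s proof of concept: a minimal model of a localhost helper endpoint that shows the loose substring-style origin check that such a flaw typically amounts to next to a strict parse-and-allowlist check, plus a separate allowlist for the host that executables may be fetched from. The host names, the port, the endpoint name and the substring check itself are assumptions chosen for illustration.

```python
"""Origin validation for a localhost helper service: a weak substring check
beside a strict allowlist check.  Constructed example; the hosts, ports and
endpoint are assumptions, not Dell's actual implementation."""
from urllib.parse import urlsplit

# Assumed allowlist of page origins permitted to drive the local agent.
TRUSTED_ORIGINS = {
    ("https", "www.dell.com", 443),
    ("https", "dell.com", 443),
}
# Assumed allowlist of hosts the agent may fetch executables from.
TRUSTED_DOWNLOAD_HOSTS = {"downloads.dell.com"}


def origin_allowed_weak(origin: str) -> bool:
    """Vulnerable pattern: any Origin that merely *contains* the vendor's
    domain passes, so https://dell.com.attacker.example and
    https://attacker.example/?x=dell.com both satisfy the check."""
    return "dell.com" in origin


def _normalise(origin: str):
    """Parse an Origin header into (scheme, host, port); None if malformed."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # A real Origin header is scheme://host[:port] and nothing else.
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    if port is None:
        port = {"https": 443, "http": 80}.get(scheme)
    return (scheme, parts.hostname.lower(), port)


def origin_allowed_strict(origin: str) -> bool:
    """Hardened pattern: parse, normalise, then require an exact match."""
    key = _normalise(origin)
    return key is not None and key in TRUSTED_ORIGINS


def download_allowed(url: str) -> bool:
    """Even for a trusted caller, only fetch executables over HTTPS from the
    vendor's own host; this limits the damage if the origin check is ever
    bypassed by someone on the same network."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return (parts.scheme.lower() == "https"
            and (parts.hostname or "").lower() in TRUSTED_DOWNLOAD_HOSTS
            and not parts.username)


def handle_download(headers: dict, url: str, hardened: bool = True) -> tuple:
    """Simulated /download endpoint of the local agent.  Returns (HTTP status,
    reason) instead of fetching or executing anything.  The non-hardened
    branch mirrors the vulnerable shape: weak origin check, any URL."""
    origin = headers.get("Origin", "")
    if hardened:
        if not origin_allowed_strict(origin):
            return (403, "origin not trusted")
        if not download_allowed(url):
            return (403, "download host not trusted")
    elif not origin_allowed_weak(origin):
        return (403, "origin not trusted")
    return (200, "would fetch " + url)


if __name__ == "__main__":
    attacker = {"Origin": "https://dell.com.attacker.example"}
    payload = "https://attacker.example/payload.exe"
    print(handle_download(attacker, payload, hardened=False))
    print(handle_download(attacker, payload, hardened=True))
```

The strict check parses the header rather than pattern-matching it, so look-alike hosts, userinfo tricks such as `https://www.dell.com@evil.example` and scheme downgrades all fail, and the download allowlist is enforced independently of the origin check.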
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Dark web marketplace Wall Street Market, whose admins exit-scammed users of $14.2M+ in cryptocurrency, seized by German police and other international agencies
Law enforcement seizes dark web market after moderator leaks backend credentials
https://www.zdnet.com/article/law-enforcement-seizes-dark-web-market-after-moderator-leaks-backend-credentials/
Wall Street Market seized by law enforcement agencies from Germany, the US, the Netherlands, and Romania.
Tomi Engdahl says:
Trump Signs Executive Order to Bolster Cybersecurity Workforce
https://www.securityweek.com/trump-signs-executive-order-bolster-cybersecurity-workforce
U.S. President Donald Trump on Thursday signed an executive order whose goal is to grow and strengthen the country’s cybersecurity workforce.
The White House says there are over 300,000 cybersecurity job vacancies in the United States and believes it’s crucial for the country’s economy and security that these jobs are filled.
The executive order outlines the development of a rotational program that enables government employees to temporarily be assigned to other agencies. A similar program is proposed by the Federal Rotational Cyber Workforce Program Act, a bill passed in the Senate earlier this year.
Executive Order on America’s Cybersecurity Workforce
https://www.whitehouse.gov/presidential-actions/executive-order-americas-cybersecurity-workforce/
Section 1. Policy. (a) America’s cybersecurity workforce is a strategic asset that protects the American people, the homeland, and the American way of life. The National Cyber Strategy, the President’s 2018 Management Agenda, and Executive Order 13800 of May 11, 2017 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure), each emphasize that a superior cybersecurity workforce will promote American prosperity and preserve peace. America’s cybersecurity workforce is a diverse group of practitioners who govern, design, defend, analyze, administer, operate, and maintain the data, systems, and networks on which our economy and way of life depend. Whether they are employed in the public or private sectors, they are guardians of our national and economic security.
Tomi Engdahl says:
PoC Exploits for Old SAP Configuration Flaws Increase Risk of Attacks
https://www.securityweek.com/poc-exploits-old-sap-configuration-flaws-increase-risk-attacks
Tomi Engdahl says:
Assange Refuses Extradition to US; Long Legal Fight Expected
https://www.securityweek.com/assange-refuses-extradition-us-long-legal-fight-expected
Tomi Engdahl says:
Russian Charged With Stealing $1.5 Million From IRS
https://www.securityweek.com/russian-charged-stealing-15-million-irs
The United States this week indicted a Russian national for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.
Tomi Engdahl says:
50,000 enterprise firms running SAP software vulnerable to attack
9 out of 10 SAP production systems are believed to be vulnerable to new exploits.
https://www.zdnet.com/article/50000-enterprise-firms-running-sap-software-vulnerable-to-attack/#ftag=RSSbaffb68
Tomi Engdahl says:
Hackers lurked in Citrix systems for six months
Social Security numbers and financial data may have been stolen.
https://www.zdnet.com/article/hackers-lurked-in-citrix-systems-for-six-months/#ftag=RSSbaffb68
Tomi Engdahl says:
NSA surveillance of foreign nationals surges
https://www.zdnet.com/article/nsa-surveillance-of-foreign-nationals-surges/
Domestic communications record slurping is reducing, but global spying is on the uptick.
Tomi Engdahl says:
UK is ‘not a surveillance state’ insists minister defending police face recog tech
Creepycams are fine. Public just needs to trust us… I mean them, I mean private firms
https://www.theregister.co.uk/2019/05/03/facial_recognition_debate_westminster_hall/
Opposition MPs have debated whether automated facial recognition technology should be used at all in the UK, after a pressure group mounted legal challenges against police use of face-scanning equipment.
Tomi Engdahl says:
Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again
Better ban this gear from non-US core networks, right?
https://www.theregister.co.uk/2019/05/02/cisco_vulnerabilities/
Right on cue, Cisco on Wednesday patched a security vulnerability in some of its network switches that can be exploited by miscreants to commandeer the IT equipment and spy on people.
This comes immediately after this week’s panic over a hidden Telnet-based diagnostic interface that was found in Huawei gateways. Although that vulnerability was real, irritating, and eventually removed at Vodafone’s insistence, it was dubbed by some a hidden backdoor perfect for Chinese spies to exploit to snoop on Western targets.
Well, if a non-internet-facing undocumented diagnostic Telnet daemon is reason enough to kick Huawei kit out of Western networks, surely this doozy from Cisco is enough to hoof American equipment out of British, European and other non-US infrastructure? Fair’s fair, no?
US tech giant Cisco has issued a free fix for software running on its Nexus 9000 series machines that can be exploited to log in as root and hijack the device for further mischief and eavesdropping. A miscreant just needs to be able to reach the vulnerable box via IPv6.
Tomi Engdahl says:
Hey, those warrantless smartphone searches at the US border? Unconstitutional, yeah? Civil-rights warriors ask court to settle this
Latest development in long-running lawsuit over electronic device slurping
https://www.theregister.co.uk/2019/05/01/us_border_phone_searches_warrantless/
Civil rights groups including the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) have pushed this week for a US judge to declare the search of mobile phones at America’s borders to be unconstitutional.
Tomi Engdahl says:
Vodafone Found Hidden Backdoors in Huawei Equipment
https://www.bloomberg.com/news/articles/2019-04-30/vodafone-found-hidden-backdoors-in-huawei-equipment
While the carrier says the issues found in 2011 and 2012 were resolved at the time, the revelation may further damage the reputation of a Chinese powerhouse.
Tomi Engdahl says:
Mozilla Says It Will Ban Firefox Add-ons With Obfuscated Code
https://news.slashdot.org/story/19/05/02/1653228/mozilla-says-it-will-ban-firefox-add-ons-with-obfuscated-code?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Tomi Engdahl says:
Putin Signs Law To Create an Independent Russian Internet
https://tech.slashdot.org/story/19/05/02/1535237/putin-signs-law-to-create-an-independent-russian-internet?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Russia is one step closer to creating its own, independent internet — at least legally speaking. Russian President Vladimir Putin has signed into law new measures that would enable the creation of a national network, able to operate separately from the rest of the world, according to documents posted on a government portal this week
Putin signs law to create an independent Russian internet
https://edition.cnn.com/2019/05/01/europe/vladimir-putin-russian-independent-internet-intl/
Tomi Engdahl says:
Mijente:
Document from May 2017 shows ICE used Palantir’s software to target and arrest parents and other relatives of unaccompanied minors crossing the US-Mexico border — The data-mining firm Palantir played a key role in federal immigration efforts to target and arrest family members of children crossing …
Palantir Played Key Role in Arresting Families for Deportation, Document Shows
https://mijente.net/2019/05/02/palantir-arresting-families/
The data-mining firm Palantir played a key role in federal immigration efforts to target and arrest family members of children crossing the border alone, a new document released this week shows.
https://mijente.net/wp-content/uploads/2019/05/Smuggling-Initiative-ConOP.pdf
Tomi Engdahl says:
China’s Mass Surveillance App Hacked; Code Reveals Specific Criteria For Illegal Oppression
https://www.zerohedge.com/news/2019-05-02/chinas-mass-surveillance-app-hacked-code-reveals-specific-criterea-illegal
Human Rights Watch got their hands on an app used by Chinese authorities in the western Xinjiang region to surveil, track and categorize the entire local population – particularly the 13 million or so Turkic Muslims
Tomi Engdahl says:
Eight Devices, One Exploit
OEM Vulnerabilities
https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c
15 vulnerabilities in Crestron’s AM-100 and AM-101 devices.
Crestron had silently patched a backdoor in the AM-100 that had been previously found and patched in a Barco WePresent WiPG-1000.
It turns out that Crestron’s AirMedia and Barco’s WePresent are more or less the exact same product. The underlying software was developed by Barco’s subsidiary AWIND.
What’s striking is the devices are used overwhelmingly by universities. Particularly universities in North America. From the Ivy Leagues to state schools, it seems these devices have seriously penetrated the market. Using ARIN’s whois database, I found over 100 different universities in North America
Shodan sleuthing uncovered six more companies repackaging the WePresent platform
So many different brands! Yet none of them seem to be linked by CVE. Maybe vulnerabilities found in WePresent or AirMedia simply aren’t patched in other devices?
Patching Crestron Devices is Hard (Apparently)
WePresent Unpatched Devices
A Conclusion of Sorts
So what have we seen here? A resold platform that has different levels of patching across different vendors. Slow patch deployment amongst the user base. Difficult to obtain firmware. Installations that expose the devices to the internet. And, finally, poor software development practices that left all the devices open to unauthenticated remote code execution.
What’s the solution? Stop buying devices that don’t have obvious firmware upgrade paths.
Tomi Engdahl says:
PRTG Network Monitor Exploit With PoC
https://thehackingtutorials.com/prtg-network-monitor-exploit-with-poc/
Tomi Engdahl says:
UoN student Faces long term imprisonment For Deleting Huduma Namba Files
http://dailyactive.info/2019/05/02/uon-student-faces-long-term-imprisonment-for-deleting-huduma-namba-files/
committed the usual crime of hackers who break into computer systems and routinely deleted files of the ongoing Huduma Namba exercise.
More than Ksh 21 Million in damages were lost as a result and he will be charged with “unauthorized damages”.
Tomi Engdahl says:
DHS Orders Federal Agencies to Patch Critical Flaws Within 15 Days
https://thehackernews.com/2019/05/dhs-patch-vulnerabilities.html?m=1
In recent years, we have seen how hackers prey on those too lazy or ignorant to install security patches, which, if applied on time, would have prevented some devastating cyber attacks and data breaches that happened in major organisations.
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Some Git source code repositories, including at least 392 from GitHub, have been wiped and replaced with a ransom demand in a possible coordinated attack — Hacker wipes Git repos and asks for Bitcoin. Gives victims 10 days and threatens to release the code.
A hacker is wiping Git repositories and asking for a ransom
Hacker threatens to release the code if victims don’t pay in 10 days.
https://www.zdnet.com/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/
Hundreds of developers have had Git source code repositories wiped and replaced with a ransom demand.
The attacks started earlier today, appear to be coordinated across Git hosting services (GitHub, Bitbucket, GitLab), and it is still unclear how they are happening.
What is known is that the hacker removes all source code and recent commits from victims’ Git repositories, and leaves a ransom note behind that asks for a payment of 0.1 Bitcoin (~$570).
The hacker claims all source code has been downloaded and stored on one of their servers, and gives the victim ten days to pay the ransom; otherwise, they’ll make the code public.
Some users who fell victim to this hacker have admitted to using weak passwords for their GitHub, GitLab, and Bitbucket accounts, and forgetting to remove access tokens for old apps they haven’t used for months, both of which are very common ways in which online accounts usually get compromised.
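The wipe described above replaces a branch’s history with a single commit holding a ransom note, which is only possible because the attacker could force-push with stolen credentials. As an added example, not taken from the ZDNet article or from any of the affected hosting services, the following works over a constructed in-memory commit graph to separate an ordinary fast-forward push from a legitimate history rewrite (a rebase) and from a wipe that drops most tracked files, and it prints the force-push command that restores the branch from any clone that still holds the old head. The graph, the short hashes, the branch name and the “fraction of files kept” threshold are assumptions for illustration.

```python
"""Classify a branch update as fast-forward, rewrite or wipe over a
constructed commit graph (added example; not a real repository)."""

# Constructed repository: sha -> (parent shas, files in the tree, message).
REPO = {
    "a1": ((), {"README.md", "src/app.py"}, "initial import"),
    "b2": (("a1",), {"README.md", "src/app.py", "src/db.py"}, "add db layer"),
    "c3": (("b2",), {"README.md", "src/app.py", "src/db.py", "tests/test_db.py"},
           "add db tests"),
    # Legitimate rebase: c3 rewritten with a new message, same files.
    "c3r": (("b2",), {"README.md", "src/app.py", "src/db.py", "tests/test_db.py"},
            "add db tests (reworded)"),
    # Orphan commit holding only a ransom note, as left by the attacker.
    "d4": ((), {"WARNING.txt"}, "To recover your lost code, send 0.1 Bitcoin"),
}


def is_ancestor(repo, ancestor, commit):
    """True if `ancestor` is reachable by following parent links from
    `commit`, i.e. moving the branch from ancestor to commit is a
    fast-forward and loses no history."""
    seen, stack = set(), [commit]
    while stack:
        sha = stack.pop()
        if sha == ancestor:
            return True
        if sha in seen:
            continue
        seen.add(sha)
        stack.extend(repo[sha][0])
    return False


def classify_push(repo, old_head, new_head, min_kept=0.5):
    """'fast-forward' if new_head descends from old_head.  Otherwise it is a
    forced update: 'wipe' when fewer than min_kept of the old tree's files
    survive in the new tree, else 'rewrite'.  min_kept is an assumed cut-off."""
    if is_ancestor(repo, old_head, new_head):
        return "fast-forward"
    old_files, new_files = repo[old_head][1], repo[new_head][1]
    kept = len(old_files & new_files) / len(old_files) if old_files else 1.0
    return "wipe" if kept < min_kept else "rewrite"


def recovery_command(old_head, branch, remote="origin"):
    """Command that restores the branch from a clone that still has old_head."""
    return f"git push --force {remote} {old_head}:refs/heads/{branch}"


def audit_update(repo, branch, old_head, new_head):
    """One-line verdict suitable for a log entry or an alert."""
    verdict = classify_push(repo, old_head, new_head)
    line = f"{branch}: {old_head} -> {new_head} [{verdict}]"
    if verdict == "wipe":
        line += (f"; note: {repo[new_head][2]!r}"
                 f"; recover with: {recovery_command(old_head, branch)}")
    return line


if __name__ == "__main__":
    for old, new in (("b2", "c3"), ("c3", "c3r"), ("c3", "d4")):
        print(audit_update(REPO, "master", old, new))
```

The ancestry walk is the same test Git itself applies when it refuses a non-fast-forward push; the file-overlap ratio is what distinguishes a rebase, which keeps the tree, from a wipe, which empties it. Revoking the stale tokens and weak passwords mentioned above is still what stops the next force-push.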
Tomi Engdahl says:
Andy Greenberg / Wired:
Researchers link 6 software supply chain attacks, including backdoors in CCleaner and Asus’ software update tool, to a group of likely Chinese-speaking hackers — A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer’s network …
https://www.wired.com/story/barium-supply-chain-hackers/
“They’re poisoning trusted mechanisms,” says Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky. When it comes to software supply chain attacks, “they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys.”
They’re known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply chain attacks as their core tool. Their attacks all follow a similar pattern: Seed out infections to a massive collection of victims, then sort through them to find espionage targets.