This posting is here to collect cyber security news in July 2020.
I post links to security vulnerability news with short descriptions to the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
208 Comments
Tomi Engdahl says:
Why the internet went haywire last week
It was just another Friday, until the internet stopped working for tens of millions of people.
https://www.zdnet.com/article/why-the-internet-went-haywire-last-week/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
It was another end of the workweek; what could possibly go wrong? Sure, Outlook had failed for a few hours earlier in the week and Twitter lost control of some big-name accounts, but surely nothing else could go awry? Right? Wrong. Bad things come in threes. Starting on Friday afternoon, Cloudflare, the major content delivery network (CDN) and Domain Name System (DNS) service, had a major DNS failure, and tens of millions of users found their internet services failing.
Whoops.
At the time, there was concern that the US internet itself was under attack. The real problem was much more mundane.
There’s an old saying in network administration circles that when something goes awry on the network, “It’s always DNS.” In this case, that’s exactly right. It was DNS.
Specifically, sites that use Cloudflare DNS hosting and anyone using Cloudflare’s free DNS 1.1.1.1 resolver service were knocked off the web for about half an hour.
The error consisted of a single line of configuration code, but that was more than enough. Instead of removing the Atlanta routes from the backbone, a tiny change started leaking all Border Gateway Protocol (BGP) routes into the backbone.
When DNS goes wrong, especially at a high level, the result, as we just saw last week, is a near-complete work stoppage. Fortunately, such failures are rare.
Tomi Engdahl says:
The losses suffered by people who unwittingly sent bitcoins to scammers thinking they were going to double their money might ultimately pale in comparison to what could come from ill-gotten info contained in unencrypted direct messages.
Twitter’s Direct Messages Is a Bigger Headache Than the Bitcoin Scam
https://spectrum.ieee.org/tech-talk/telecom/security/twitters-direct-messages-is-a-bigger-headache-than-the-bitcoin-scam
Twitter has re-enabled the ability for verified accounts to post new messages and restored access to locked accounts after Wednesday’s unprecedented account takeover attack. The company is still investigating what happened in the attack, which resulted in accounts belonging to high-profile individuals posting similar messages asking people to send Bitcoins to an unknown cryptocurrency wallet.
Twitter said about 130 accounts were affected in this attack, and they included high-profile individuals such as Tesla CEO Elon Musk, former president Barack Obama, presumptive Democratic candidate for president Joe Biden, former New York City mayor Michael Bloomberg, and Amazon CEO Jeff Bezos. While there was “no evidence” the attackers had obtained account passwords, Twitter has not yet provided any information about anything else the attackers may have accessed.
Tomi Engdahl says:
Firefox on Android: Camera remains active when phone is locked or the user switches apps
Mozilla says it will fix the bug later this year, in October.
https://www-zdnet-com.cdn.ampproject.org/c/s/www.zdnet.com/google-amp/article/firefox-on-android-camera-remains-active-when-phone-is-locked-or-the-user-switches-apps/
Mozilla says it’s working on fixing a bug in Firefox for Android that keeps the smartphone camera active even after users have moved the browser in the background or the phone screen was locked.
A Mozilla spokesperson told ZDNet in an email this week that a fix is expected for later this year in October.
Tomi Engdahl says:
Crooks have acquired proprietary Diebold software to “jackpot” ATMs
ATM maker is investigating the use of its software in black boxes used by thieves.
https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/
Tomi Engdahl says:
Chinese, Russian killer satellites ‘seen approaching’ Japanese craft
https://www.google.com/amp/s/amp.scmp.com/week-asia/politics/article/3094275/chinese-russian-killer-satellites-seen-approaching-japanese
Concerns rising in Tokyo that Beijing and Moscow are practising ways to destroy systems critical to Japan’s intelligence-gathering
‘If Tokyo and Washington are going to work together more closely, that would explain it’: expert
Chinese and Russian “killer satellites” have been detected approaching Japanese satellites, according to government sources in Tokyo, raising concerns that Beijing and Moscow are practising ways to disable or destroy systems that are critical to Japan’s intelligence-gathering and defence capabilities.
It is believed the Russian spacecraft was close enough to obtain photographic details of the US satellite, while it has been suggested that the operation was a dry-run for an attack that would have used small projectiles to destroy the craft.
China is also understood to have made significant advances in space weaponry, including “killer satellites”, ground- or air-launched anti-satellite missiles or lasers.
Tomi Engdahl says:
Clever Hackers Are Making ATMs Spit Out All Their Money
https://futurism.com/clever-hackers-atms-spit-out-money
A major ATM sales and services company is warning that thieves have found a new way of “jackpotting” ATM machines — causing them to spit out massive wads of cash, Ars Technica reports.
Jackpotting involves attaching rogue devices called “black boxes” to open up programming interfaces inside the ATM machine’s software and issue commands, forcing it to, proverbially, make it rain.
According to a statement issued by multinational banking solutions corporation Diebold Nixdorf, thieves have worked out a new way to get their hands on copious amounts of cash.
https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/
Tomi Engdahl says:
ATM hacking
https://www.facebook.com/groups/majordomo/permalink/10160368920374522/
Tomi Engdahl says:
Report: No-Log VPNs Exposed Users’ Logs and Personal Details for All to See
https://www.vpnmentor.com/blog/report-free-vpns-leak/
A group of free VPN (virtual private network) apps left their server completely open and accessible, exposing private user data for anyone to see. This lack of basic security measures in an essential part of a cybersecurity product is not just shocking. It also shows a total disregard for standard VPN practices that put their users at risk.
The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.
Tomi Engdahl says:
Facial recognition adapts to a mask-wearing public
https://gcn.com/articles/2020/06/03/facial-recognition-masks.aspx?m=1
Tomi Engdahl says:
https://www.forbes.com/sites/thomasbrewster/2020/07/13/inside-americas-secretive-2-billion-research-hub-collecting-fingerprints-from-facebook-hacking-smartwatches-and-fighting-covid-19/
Tomi Engdahl says:
Firefox on Android: Camera remains active when phone is locked or the user switches apps
Mozilla says it will fix the bug later this year, in October.
https://www.zdnet.com/article/firefox-on-android-camera-remains-active-when-phone-is-locked-or-the-user-switches-apps/
Tomi Engdahl says:
New ‘Shadow Attack’ can replace content in digitally signed PDF files
15 out of the 28 biggest desktop PDF viewers are vulnerable, German academics say
https://www.zdnet.com/article/new-shadow-attack-can-replace-content-in-digitally-signed-pdf-files/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research [PDF] published this week by academics from the Ruhr-University Bochum in Germany.
Academics have named this technique of forging documents a Shadow Attack.
The main idea behind a Shadow Attack is the concept of “view layers” — different sets of content that are overlaid on top of each other inside a PDF document.
A Shadow Attack is when a threat actor prepares a document with different layers and sends it to a victim. The victim digitally signs the document with a benign layer on top, but when the attacker receives it, they change the visible layer to another one.
Because the layer was included in the original document that the victim signed, changing the layer’s visibility doesn’t break the cryptographic signature and allows the attacker to use the legally-binding document for nefarious actions — such as replacing the payment recipient or sum in a PDF payment order or altering contract clauses.
Researchers say that Shadow Attacks are possible because PDF documents, even when digitally signed, allow unused PDF objects to be present inside their content.
PDF viewer apps that remove unused PDF objects when signing a document are immune to Shadow Attacks.
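An added example, written for this post and not taken from the Bochum researchers or from any PDF viewer: a Python sketch of the part of a PDF signature that the attack abuses. A signature's /ByteRange [a b c d] lists the two byte ranges the signer hashed; anything appended after them (a PDF "incremental update", which is how a shadow layer's visibility gets switched after signing) is outside the signature yet leaves it cryptographically valid. The check below flags such trailing bytes. The PDF body, object numbers, layer names and signature value are constructed placeholders, not a real signed document, and the signature is not actually computed.

```python
import re

# /ByteRange [a b c d] inside the signature dictionary: the signer hashes
# bytes [a, a+b) and [c, c+d). The gap between them holds the /Contents hex
# string (the signature value), which cannot cover itself.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
SLOT = b"%010d %010d %010d %010d"  # fixed-width slot, so offsets do not shift when filled

# Constructed, simplified PDF body (not a real file): an optional content
# group named "shadow" that is OFF, i.e. hidden, when the victim views and signs.
BODY = (b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
        b" /OCProperties << /OCGs [5 0 R] /D << /OFF [5 0 R] >> >> >>\nendobj\n"
        b"5 0 obj\n<< /Type /OCG /Name (shadow) >>\nendobj\n")

# Constructed attacker incremental update: re-declares the catalog with the
# shadow group ON. Not one byte inside the signed ranges changes.
SHADOW_UPDATE = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
                 b" /OCProperties << /OCGs [5 0 R] /D << /ON [5 0 R] >> >> >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n")


def build_signed_pdf(body: bytes, signature_hex: bytes) -> bytes:
    """Append a toy signature dictionary whose /ByteRange covers the whole
    file except its own /Contents. signature_hex is a placeholder value; a
    real signer would hash the two ranges and sign that digest."""
    head = body + b"9 0 obj\n<< /Type /Sig /ByteRange ["
    after_slot = b"] /Contents "
    contents = b"<" + signature_hex + b">"
    suffix = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    slot_len = len(SLOT % (0, 0, 0, 0))  # 43 bytes for any offset below 10**10
    a, b = 0, len(head) + slot_len + len(after_slot)  # first range: start .. /Contents
    c, d = b + len(contents), len(suffix)             # second range: after /Contents .. EOF
    return head + (SLOT % (a, b, c, d)) + after_slot + contents + suffix


def check_signature_coverage(pdf: bytes):
    """Return (ok, reason). Flags bytes that no signature's /ByteRange covers.
    A viewer that silently accepts such trailing bytes lets a post-signing
    change, such as turning a hidden layer on, through with a 'valid' signature."""
    ranges = [tuple(int(g) for g in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]
    if not ranges:
        return False, "no /ByteRange found: document is not signed"
    for a, b, c, d in ranges:
        if a != 0:
            return False, "signed range does not start at byte 0"
        gap = pdf[a + b:c]
        if not re.fullmatch(rb"<[0-9A-Fa-f]*>", gap):
            return False, "unsigned gap holds something other than the /Contents hex string"
    covered = max(c + d for _, _, c, d in ranges)  # end of the last signed range
    trailing = pdf[covered:].strip(b"\r\n\t ")
    if trailing:
        return False, f"{len(trailing)} bytes after the signed range (incremental update)"
    return True, "every byte is covered by a signature"


def demo():
    """Run the check on the document as signed and after the shadow update."""
    signed = build_signed_pdf(BODY, b"DEADBEEF" * 8)  # placeholder signature value
    return check_signature_coverage(signed), check_signature_coverage(signed + SHADOW_UPDATE)


if __name__ == "__main__":
    for label, (ok, why) in zip(("as signed", "after shadow update"), demo()):
        print(f"{label:>20}: {'OK' if ok else 'REJECT'} - {why}")
```

The check is deliberately coarse: legitimate workflows (a second signer, form filling) also append incremental updates, so a real validator has to parse the appended objects and decide whether they are permitted changes rather than reject every trailing byte. That parsing step is where the affected viewers went wrong.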
Tomi Engdahl says:
How Chinese hackers pillaged computers’ recycling bins to steal secrets and coronavirus research
https://www.yahoo.com/news/chinese-hackers-pillaged-computers-recycling-005329847.html
Before an abundance of encrypted messaging apps, “trash” email folders were often used to communicate without leaving a trace.
The tactic, common among al-Qaeda terrorists – and teenagers – involved setting up an email account which two people could access, and write and read deleted messages. The technique caused the downfall of former CIA director General Petraeus, who resigned after he was caught by the FBI talking to his lover through draft emails.
The tactic resurfaced this week when the US government said it had caught two Chinese hackers pillaging the recycling bins of employees at “hundreds” of companies, stealing trade and business secrets worth “hundreds of millions” during a ten-year spree.
The humble icon, which we largely ignore on computer desktops, was used both to hide malicious software that could steal computer files, and to hoover up anything that was deleted.
Tomi Engdahl says:
U.S. Space Command announced Thursday (July 23) that it has evidence that Russia has tested a space-based anti-satellite space weapon
Russia has tested an anti-satellite weapon in space, US Space Command says
https://www.google.com/amp/s/www.space.com/amp/russia-tests-anti-satellite-weapon-in-space.html
The U.S. Space Command announced Thursday (July 23) that it has evidence that Russia has tested a space-based anti-satellite weapon.
On July 15, Russia “injected a new object into orbit” from the Cosmos 2543 satellite and “conducted a non-destructive test of a space-based anti-satellite weapon,” the U.S. Space Command (USSC) said in an emailed statement. The object is listed under the Satellite Catalog Number 45915 on space-track.org, it added.
Tomi Engdahl says:
A Russian satellite caught shadowing a US spy satellite earlier this year launched a mysterious space weapon, US Space Command says
https://www.google.com/amp/s/www.businessinsider.com/russia-conducts-space-based-anti-satellite-weapons-test-2020-7%3famp
Russia conducted a space-based anti-satellite test last week, US Space Command said in a statement Tuesday.
A Russian satellite caught disconcertingly shadowing a US spy satellite earlier this year released some sort of projectile into space in a move mimicking a suspected anti-satellite weapons test in 2017.
As the US relies on satellites for everything from GPS navigation to communication and data relays for military operations, the US has argued that militarization of space by adversarial powers demands the US pay greater attention to what is becoming a contested domain.
Tomi Engdahl says:
Garmin services and production go down after ransomware attack
https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/
Smartwatch and wearable maker Garmin planning multi-day maintenance window to deal with ransomware incident.
Smartwatch and wearables maker Garmin has shut down several of its services on July 23 to deal with a ransomware attack that has encrypted its internal network and some production systems.
The company is currently planning a multi-day maintenance window to deal with the attack’s aftermath, which includes shutting down its official website, the Garmin Connect user data-syncing service, Garmin’s aviation database services, and even some production lines in Asia.
In messages shared on its website and Twitter, Garmin said the same outage also impacted its call centers, leaving the company in the situation of being unable to answer calls, emails, and online chats sent by users.
But in addition to consumer wearables and sportswear, flyGarmin has also been down today. This is Garmin’s web service that supports the company’s line of aviation navigational equipment.
Pilots have told ZDNet today that they haven’t been able to download a version of Garmin’s aviation database on their Garmin airplane navigational systems. Pilots need to run an up-to-date version of this database on their navigation devices as an FAA requirement. Furthermore, the Garmin Pilot app, which they use to schedule and plan flights, was also down today, causing additional headaches.
Some Garmin employees speaking online attributed the incident to a new strain of ransomware that appeared earlier this year, called WastedLocker. ZDNet has not been able to verify these claims.
In today’s cyber-security landscape, only ransomware attacks have the destructive power to cause companies to shut down production lines, online services, websites, email servers, and call centers in a matter of hours and enter into an impromptu maintenance mode.
Tomi Engdahl says:
UK and US say Russia fired a satellite weapon in space
https://www.bbc.co.uk/news/world-europe-53518238
Tomi Engdahl says:
Hillicon Valley: Feds warn hackers targeting critical infrastructure | Twitter exploring subscription service | Bill would give DHS cyber agency subpoena power
https://www.msn.com/en-us/news/politics/hillicon-valley-feds-warn-hackers-targeting-critical-infrastructure-twitter-exploring-subscription-service-bill-would-give-dhs-cyber-agency-subpoena-power/ar-BB177fTQ?ocid=mailsignout
THREATS AGAINST CRITICAL INFRASTRUCTURE: Federal authorities on Thursday warned that foreign hackers are attempting to target U.S. critical infrastructure.
The National Security Agency (NSA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) specifically warned that internet-connected operational technology (OT) assets – which are used throughout U.S. defense systems – were often the targets of malicious cyber actors attempting to hit critical infrastructure, such as systems providing water, gas and electricity.
As a result, the agencies recommended that critical infrastructure operators and owners take “immediate action” to secure their systems.
“Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to US interests or retaliate for perceived US aggression,” the agencies wrote in a joint alert.
The security agencies noted that OT assets are used in Department of Defense systems and throughout the defense industrial base sector, including in national security systems.
The NSA and CISA wrote they had seen evidence of email spear phishing attacks to gain access to critical infrastructure networks to access OT assets, along with attempted ransomware attacks on these systems.
This type of attack, which has become an increasing headache over the past year for state and local governments, involves an attacker encrypting a network and demanding payment before allowing the user to gain access again.
CISA previously issued an alert in February following a ransomware attack on an unnamed “natural gas compression facility” that temporarily shut down operations and disrupted other critical systems operators that interacted with the facility.
Tomi Engdahl says:
New York legislature votes to halt facial recognition tech in schools for two years
https://tcrn.ch/2BqEaCH
The state of New York voted this week to pause any implementation of facial recognition technology in schools for two years. The moratorium, approved by the New York Assembly and Senate Wednesday, comes after an upstate school district adopted the technology earlier this year, prompting a lawsuit in June from the New York Civil Liberties Union on behalf of parents. If New York Governor Andrew Cuomo signs the legislation into law, the moratorium would freeze the use of any facial recognition school systems in the state until July 1, 2022.
Earlier this week, a school district in Topeka, Kansas announced that it would employ facial recognition technology at a temperature check kiosk for staff as part of its plan to reopen schools. Unfortunately, such a system would not be capable of preventing asymptomatic spread of the virus—one of COVID-19’s most challenging features.
Tomi Engdahl says:
https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html
In this post we summarize the situation as of July 17 at 8:35p Pacific Time. The following information is what we know as of today and may change as our investigation and outside investigations continue. Additionally, as the investigation of this incident is unfolding, there are some details — particularly around remediation — that we are not providing right now to protect the security of the effort.
At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme.
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets.
Tomi Engdahl says:
Cat-themed hackers trashed a shady VPN’s database of customer records
https://mashable.com/article/cat-hackers-meow-unsecured-databases-vpns/
If you’re going to mess with an unscrupulous VPN provider keeping logs of its customers’ IP addresses, you might as well do it with some panache.
That appears to be the thinking of unknown vigilante hackers who, over the course of the past week, overwrote the contents of over 1,000 unsecured databases left online for anyone to read. One of those databases, reports Ars Technica, belonged to UFO VPN — a Hong Kong VPN that claimed to not log any user data, but instead was recording everything from users’ passwords to IP addresses and storing it all in an unsecured database exposed to the open web.
“New Elasticsearch bot attack does not contain any ransom or threats, just ‘meow’ with a random set of numbers,” he explained on Twitter. “It is quite fast and search&destroy new clusters pretty effectively”
Catch that? The hackers aren’t running ransomware, or attempting to extort corporations for the sin of improperly securing their customers’ data. Rather, much like the famed BrickerBot that searched and destroyed IoT devices with hard-coded passwords that could easily be made part of a botnet, the Meow hackers essentially destroy exposed data (presumably) before someone else can find it and steal it.
Then again, it’s unclear if the hackers are stealing it themselves before writing over it. Those databases become a lot more valuable if you’re the only one with a copy, after all.
Tomi Engdahl says:
U.S. Air Force satellites get ability to update software quickly to help mitigate cyber security threats
https://www.militaryaerospace.com/trusted-computing/article/14179959/satellites-update-software-cyber-security
Chameleon Constellation satellites may work together to process data from one another, rather than sending data back to Earth and risk interception.
Tomi Engdahl says:
Bleeping Computer: New ‘Meow’ attack has deleted almost 4,000 unsecured databases
https://www.bleepingcomputer.com/news/security/new-meow-attack-has-deleted-almost-4-000-unsecured-databases/
Tomi Engdahl says:
Will Garmin Pay $10m Ransom To End Two-Day Outage?
https://www.forbes.com/sites/barrycollins/2020/07/25/will-garmin-pay-10m-ransom-to-end-two-day-outage/amp/
Garmin is reportedly being asked to pay a $10 million ransom to free its systems from a cyberattack that has taken down many of its services for two days.
Tomi Engdahl says:
https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/
Tomi Engdahl says:
Disney, Microsoft, Nintendo and 50 more hit by massive source code leak
https://www.tomsguide.com/news/companies-source-code-leak
More than 50 high-profile companies have had their software source code made freely available online, partly as the result of incorrectly configured infrastructure.
Software source code belonging to household names such as Adobe, Microsoft, Lenovo, Qualcomm, AMD, Motorola, GE Appliances, Nintendo, Disney, Daimler, Roblox and many other companies was collected and placed in an online repository
https://www.bleepingcomputer.com/news/security/source-code-from-dozens-of-companies-leaked-online/
Tomi Engdahl says:
CISA says 62,000 QNAP NAS devices have been infected with the QSnatch malware
https://www.zdnet.com/article/cisa-says-62000-qnap-nas-devices-have-been-infected-with-the-qsnatch-malware/
QSnatch malware, first spotted in late 2019, has grown from 7,000 bots to more than 62,000, according to a joint US CISA and UK NCSC security alert.
Cyber-security agencies from the UK and the US have published today a joint security alert about QSnatch, a strain of malware that has been infecting network-attached storage (NAS) devices from Taiwanese device maker QNAP.
“The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019,” the two agencies say.
CISA and the NCSC say that the two campaigns used different versions of the QSnatch malware (also tracked under the name of Derek).
Attackers could be exploiting vulnerabilities in the QNAP firmware or they could be using default passwords for the admin account — however, none of this could be verified beyond a doubt.
But once the attackers gain a foothold, CISA and the NCSC say the QSnatch malware is injected into the firmware, from where it takes full control of the device and then blocks future updates to the firmware to survive on the victim NAS.
The two agencies are now urging companies and home users who use QNAP devices to follow remediation and mitigation steps listed in the Taiwanese vendor’s support page to get rid of QSnatch and prevent future infections.
https://www.qnap.com/en/security-advisory/nas-201911-01
Tomi Engdahl says:
Garmin’s outage, ransomware attack response lacking as earnings loom
https://www.zdnet.com/article/garmins-outage-ransomware-attack-response-lacking-as-earnings-loom/
Garmin’s response to a cyberattack has been less than stellar, but earnings loom and Wall Street will want answers just as much as customers do.
Garmin’s long-running outage is a case study in how not to handle an IT meltdown and cybersecurity attack and may indicate a longer recovery than expected.
You could almost smell the panic as Garmin dealt with a ransomware attack that brought down numerous systems including Garmin Connect, the software that holds data on your runs, workouts, and activities as well as production systems and call centers. On Sunday morning, July 26, Garmin Fenix smartwatches couldn’t offer distance and GPS tracking on runs. Garmin’s aviation apps are currently operational, but they’re being monitored closely after initial problems.
On Monday, July 27, Garmin began restoring services to Garmin Connect. Some functionality was limited, but the basics were working.
Meanwhile, the clock is ticking as Garmin is scheduled to report earnings Wednesday. Customers will want answers, but Wall Street will want more clarity. Garmin’s success story and run of strong quarters are going to be overshadowed by its cyberattack.
But the focus on Garmin Connect loses the plot.
Garmin may take a reputation hit, but Garmin is much more than just fitness wearables and smartwatches. Garmin also operates critical data infrastructure for automotive, aviation, and marine as well as enterprise health.
Tomi Engdahl says:
Garmin Obtains Decryption Key After Ransomware Attack
“We are happy to report that many of the systems and services affected by the recent outage, including Garmin Connect, are returning to operation,” Garmin said in an online post.
“Some features still have temporary limitations while all of the data is being processed.”
Some reports have linked the malware to a Russian cybercriminal group known as Evil Corp.
https://news.yahoo.com/garmin-says-systems-back-online-cyber-attack-191028198.html
Tomi Engdahl says:
‘UNTOUCHABLE’ Meet the Lamborghini-driving, tiger-owning Russian playboy hacker, 33, whose Evil Corp firm is behind Garmin attack
https://www.thesun.co.uk/news/12237300/garmin-cyberattack-evil-corp-maksim-yakubets-playboy-lamborghini/
THE Russian hacker who heads up the Evil Corp group thought to be behind the Garmin cyberattack is a playboy who drives a personalised Lamborghini and owns a tiger.
Maksim Yakubets, 33, is said to be the head of the cybercriminal group who targeted Garmin devices and demanded $10 million to restore their operation.
Yakubets is said to have run the operation since May 2009 from a number of cafes in Moscow.
It’s alleged he employed dozens of people to steal money from victims in 43 countries using computer viruses that are designed to only target victims outside Russia.
Using the name Aqua, the hacker and his group are accused of stealing at least $100 million.
Tomi Engdahl says:
Garmin says systems back online after cyber attack
https://news.yahoo.com/garmin-says-systems-back-online-cyber-attack-191028198.html
Computer networks of the smartwatch and electronics firm Garmin were coming back online Monday, the company said, after an outage widely believed to have been due to a ransomware attack.
The company acknowledged it was the victim of a “cyber attack that encrypted some of our systems,” without offering details.
The comments suggest a ransomware attack which would have required a payment to hackers in order to get a decryption key.
The attack on July 23 disrupted Garmin’s website, company communications, and customer-facing services, according to the Kansas-based company.
There was no indication customer data was stolen or functionality of Garmin products affected, the company said.
“As our affected systems are restored, we expect some delays as the backlog of information is being processed,” Garmin said.
Tomi Engdahl says:
Undetectable Linux Malware Targeting Docker Servers With Exposed APIs
Cybersecurity researchers today uncovered a completely undetectable Linux malware that exploits undocumented techniques to stay under the radar and targets publicly accessible Docker servers hosted with popular cloud platforms, including AWS, Azure, and Alibaba Cloud.
https://thehackernews.com/2020/07/docker-linux-malware.html?m=1
Tomi Engdahl says:
Rite Aid used facial recognition in secret across hundreds of its stores
The drugstore chain used the tech predominantly in low-income and minority neighborhoods
https://www.theverge.com/platform/amp/2020/7/28/21345185/rite-aid-facial-recognition-surveillance-spying
Tomi Engdahl says:
Vatican, Hong Kong diocese allegedly hacked by China ahead of landmark talks
https://www.google.com/amp/s/www.foxnews.com/world/vatican-hong-kong-diocese-allegedly-hacked-by-china-ahead-of-landmark-talks.amp
The Chinese foreign ministry called the report ‘groundless speculation’
The Vatican and the Catholic Diocese of Hong Kong have been the targets of alleged Chinese state-backed hackers ahead of talks on renewal of a landmark 2018 deal that helped thaw diplomatic relations between the Vatican and China, according to a monitoring group.
The alleged attacks by a group called RedDelta began in May with an eye on September talks to renew a provisional agreement on bishop appointments.
Tomi Engdahl says:
“I’ve made enough money now” ShinyHunters said as stolen data is offered for free in a commercial dark web hacker forum.
In just the first two weeks of May 2020, a hacker, known only as ShinyHunters, offered an astonishing 200 million stolen data records for sale on the dark web (https://www.wired.com/story/shinyhunters-hacking-group-data-breach-spree/). Not repurposed data from old breaches, but fresh to the market and, therefore, very valuable. The surprising thing is that, until then, nobody had even heard of ShinyHunters.
That has changed in the weeks since. By the start of July 2020, ShinyHunters had become a well-known data breach broker (https://nakedsecurity.sophos.com/2020/07/02/133m-records-for-sale-as-fruits-of-data-breach-spree-keep-raining-down/) with an expanding number of breaches under their belt.
Hacker Gives Away 386 Million Stolen Records On Dark Web—What You Need To Do Now
https://www.forbes.com/sites/daveywinder/2020/07/29/hacker-gives-away-386-million-stolen-records-on-dark-web-what-you-need-to-do-now-shinyhunters-data-breach/#e9ac3096f395
Tomi Engdahl says:
Steve Wozniak sues Google over YouTube bitcoin scam
https://www.cnet.com/news/steve-wozniak-sues-google-over-youtube-bitcoin-scam/
The Apple co-founder says YouTube repeatedly ignored requests to take down a scam video.
Steve Wozniak, Apple co-founder and tech entrepreneur, filed a lawsuit against Google on Wednesday over a YouTube scam that allegedly used his name and likeness to convince viewers to send cryptocurrency during a fake bitcoin giveaway event. The fraudsters also apparently used images and video of other celebrities, including Tesla CEO Elon Musk and Microsoft founder Bill Gates.
“If YouTube had acted quickly to stop this to a reasonable extent, we would not be here now,” Wozniak said in the complaint. “YouTube, like Google, seems to rely on algorithms and no special effort requiring custom software employed quickly in these cases of criminal activity. If a crime is being committed, you must be able to reach humans capable of stopping it.”
Tomi Engdahl says:
A report says China is suspected of hacking the Vatican. Here’s why
https://amp.cnn.com/cnn/2020/07/29/world/vatican-china-hacking-burke/index.html
(CNN) – When you think about cyber espionage, the Vatican doesn’t come to mind as an obvious target. It’s a tiny country whose leader has more moral authority than worldly power.
“Our research uncovered a suspected China state-sponsored campaign targeting multiple high-profile entities associated with the Catholic Church ahead of the likely renewal of the provisional China-Vatican deal in September 2020,” analysts at Recorded Future wrote in a report released Tuesday.
Tomi Engdahl says:
FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins
https://www.zdnet.com/article/fbi-warns-of-new-ddos-attack-vectors-coap-ws-dd-arms-and-jenkins/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
FBI believes device vendors won’t disable these protocols and warns companies to take preventive and protective measures.
The Federal Bureau of Investigation sent an alert last week warning about the discovery of new network protocols that have been abused to launch large-scale distributed denial of service (DDoS) attacks.
The alert lists three network protocols and a web application as newly discovered DDoS attack vectors.
The list includes CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software.
Three of the four (CoAP, WS-DD, ARMS) have already been abused in the real world to launch massive DDoS attacks.
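The alert names the services but not what their abuse looks like on the wire. The following is an added example (not from the FBI alert or the ZDNet article) of the detection a network defender would run over flow records: all four services are UDP reflectors, so an amplification attack shows up as many distinct sources answering from the service's port toward one victim address with unusually large packets. The flow records are constructed, and the port numbers are the protocols' standard defaults (an assumption: a reflector running on a non-default port would be missed).

```python
"""Flag likely UDP reflection/amplification traffic from the protocols named in
the FBI alert (CoAP, WS-DD, ARMS, Jenkins) over constructed flow records.

Added example, not the FBI's or ZDNet's code. Ports are protocol defaults
(assumption); flow records are constructed for illustration.
"""
from collections import defaultdict

# UDP source ports of the reflector services named in the alert (defaults).
REFLECTOR_PORTS = {
    5683: "CoAP",           # RFC 7252 default port
    3702: "WS-Discovery",   # WS-DD probe/resolve port
    3283: "ARMS",           # Apple Remote Desktop / Remote Management
    33848: "Jenkins",       # Jenkins UDP auto-discovery
}

# Constructed flow records:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
# The last two rows are benign background traffic: a small real CoAP exchange
# and ordinary HTTPS. The first five are reflectors hammering one victim.
SAMPLE_FLOWS = [
    ("198.51.100.7",  5683,  "203.0.113.10", 41000, "udp", 1_450_000, 1200),
    ("198.51.100.8",  5683,  "203.0.113.10", 41000, "udp", 1_380_000, 1150),
    ("198.51.100.9",  3702,  "203.0.113.10", 41000, "udp", 2_900_000, 1300),
    ("198.51.100.10", 3283,  "203.0.113.10", 41000, "udp", 1_100_000, 900),
    ("198.51.100.11", 33848, "203.0.113.10", 41000, "udp", 400_000,   800),
    ("192.0.2.5",     5683,  "192.0.2.40",   50123, "udp", 320,       2),
    ("192.0.2.6",     443,   "192.0.2.41",   51000, "tcp", 80_000,    60),
]


def detect_reflection(flows, min_sources=3, min_avg_bytes=500):
    """Group UDP flows whose *source* port is a reflector service by victim
    (dst_ip, dst_port). A victim is flagged when at least `min_sources`
    distinct reflectors hit it and the average packet is large, which is the
    signature of amplified responses rather than legitimate queries."""
    per_target = defaultdict(
        lambda: {"sources": set(), "bytes": 0, "packets": 0, "protocols": set()}
    )
    for src_ip, src_port, dst_ip, dst_port, proto, nbytes, npkts in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        t = per_target[(dst_ip, dst_port)]
        t["sources"].add(src_ip)
        t["bytes"] += nbytes
        t["packets"] += npkts
        t["protocols"].add(REFLECTOR_PORTS[src_port])

    findings = {}
    for target, t in per_target.items():
        avg = t["bytes"] / t["packets"] if t["packets"] else 0
        if len(t["sources"]) >= min_sources and avg >= min_avg_bytes:
            findings[target] = {
                "reflectors": len(t["sources"]),
                "protocols": sorted(t["protocols"]),
                "avg_bytes_per_packet": round(avg),
                "total_bytes": t["bytes"],
            }
    return findings


if __name__ == "__main__":
    for (ip, port), info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"victim {ip}:{port} <- {info['reflectors']} reflectors "
              f"{info['protocols']} avg {info['avg_bytes_per_packet']} B/pkt")
```

The single small CoAP exchange and the TCP flow are left alone because the logic keys on the source port, the number of distinct reflectors and the response size together; any one of those alone would produce false positives on a network that legitimately runs CoAP or WS-Discovery.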
Tomi Engdahl says:
RangeForce gets backing from Cisco for plugging cyber security skills gap
https://www.zdnet.com/google-amp/article/rangeforce-gets-backing-from-cisco-for-plugging-cyber-security-skills-gap/
Properly trained IT security teams are the best defense against hackers and the loss of sensitive data, says RangeForce.
Tomi Engdahl says:
https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
“BootHole” vulnerability in the GRUB2 bootloader opens up Windows and Linux devices using Secure Boot to attack. All operating systems using GRUB2 with Secure Boot must release new installers and bootloaders.
Eclypsium researchers have discovered a vulnerability — dubbed “BootHole” — in the GRUB2 bootloader utilized by most Linux systems that can be used to gain arbitrary code execution during the boot process, even when Secure Boot is enabled. Attackers exploiting this vulnerability can install persistent and stealthy bootkits or malicious bootloaders that could give them near-total control over the victim device.
The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected. In addition, GRUB2 supports other operating systems, kernels and hypervisors such as Xen.
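Shipping a fixed GRUB2 does not by itself stop an attacker from booting the old, still-signed one; on a Secure Boot host that only happens once the old binary's hash or signing certificate is added to the UEFI forbidden-signature database (dbx), which the Eclypsium text above does not spell out. So the two things worth checking on a Linux host after patching are whether Secure Boot is actually enforcing and whether dbx has grown. The following added example (my code, not Eclypsium's) parses the raw efivarfs files: a 4-byte attribute mask followed by the variable data, and for dbx a chain of EFI_SIGNATURE_LIST structures as laid out in the UEFI specification. The sample variable contents are constructed; the real files need root on a UEFI Linux system.

```python
"""Check the UEFI variables that decide whether BootHole matters on a host:
is Secure Boot enforcing, and how many entries does dbx hold.

Added example, not Eclypsium's code. Parses efivarfs byte layout and
EFI_SIGNATURE_LIST from the UEFI spec; SAMPLE_* bytes are constructed.
"""
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
GLOBAL_VAR_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"      # SecureBoot, SetupMode
IMAGE_SECURITY_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
SIG_LIST_HEADER = 28   # GUID(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def efivar_data(raw: bytes) -> bytes:
    """efivarfs files begin with a UINT32 attribute mask; the rest is the variable."""
    if len(raw) < 4:
        raise ValueError("efivar too short")
    return raw[4:]


def secure_boot_enforcing(secureboot_raw: bytes, setupmode_raw: bytes) -> bool:
    """Enforcing means SecureBoot == 1 and SetupMode == 0; in setup mode the
    firmware does not verify signatures even if SecureBoot reads 1."""
    sb, sm = efivar_data(secureboot_raw), efivar_data(setupmode_raw)
    return len(sb) >= 1 and sb[0] == 1 and len(sm) >= 1 and sm[0] == 0


def parse_signature_lists(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs; return [(type_name, [entry bytes])].
    Each entry is an EFI_SIGNATURE_DATA: SignatureOwner GUID(16) + payload."""
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIG_LIST_HEADER + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body = data[off + SIG_LIST_HEADER + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array not a multiple of SignatureSize")
        entries = [body[i + 16:i + sig_size] for i in range(0, len(body), sig_size)]
        lists.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), entries))
        off += list_size
    return lists


def dbx_summary(dbx_raw: bytes) -> dict:
    """Count dbx entries per signature type, e.g. {'sha256': 183, 'x509': 1}."""
    counts = {}
    for name, entries in parse_signature_lists(efivar_data(dbx_raw)):
        counts[name] = counts.get(name, 0) + len(entries)
    return counts


def build_sha256_list(hashes) -> bytes:
    """Construct one EFI_SIGNATURE_LIST of SHA-256 entries (sample data only)."""
    sig_size = 16 + 32
    body = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, sig_size)
    return header + body


# Constructed samples; attribute mask 0x6 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS.
ATTRS = struct.pack("<I", 0x6)
SAMPLE_SECUREBOOT = ATTRS + b"\x01"
SAMPLE_SETUPMODE = ATTRS + b"\x00"
SAMPLE_DBX = (ATTRS
              + build_sha256_list([bytes([i]) * 32 for i in range(3)])
              + build_sha256_list([b"\xff" * 32]))


def host_report(efivars_dir: Path = EFIVARS) -> dict:
    """Read the live variables (Linux, UEFI, root) and summarise them."""
    def read(name, guid):
        return (efivars_dir / f"{name}-{guid}").read_bytes()
    return {
        "secure_boot_enforcing": secure_boot_enforcing(
            read("SecureBoot", GLOBAL_VAR_GUID), read("SetupMode", GLOBAL_VAR_GUID)),
        "dbx": dbx_summary(read("dbx", IMAGE_SECURITY_GUID)),
    }


if __name__ == "__main__":
    print("sample enforcing:", secure_boot_enforcing(SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE))
    print("sample dbx:", dbx_summary(SAMPLE_DBX))
    if EFIVARS.is_dir():
        print("this host:", host_report())
```

Record the dbx counts before applying vendor updates and compare afterwards; a host whose counts never change has not actually revoked anything, whatever its package versions say.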
Tomi Engdahl says:
Signing articles with a PGP key could be a great way to help validate authors.
Hackers Broke Into Real News Sites to Plant Fake Stories
https://www.wired.com/story/hackers-broke-into-real-news-sites-to-plant-fake-stories-anti-nato/
A disinfo operation broke into the content management systems of Eastern European media outlets in a campaign to spread misinformation about NATO.
OVER THE PAST few years, online disinformation has taken evolutionary leaps forward, with the Internet Research Agency pumping out artificial outrage on social media and hackers leaking documents—both real and fabricated—to suit their narrative. More recently, Eastern Europe has faced a broad campaign that takes fake news ops to yet another level: hacking legitimate news sites to plant fake stories, then hurriedly amplifying them on social media before they’re taken down.
On Wednesday, security firm FireEye released a report on a disinformation-focused group it’s calling Ghostwriter. The propagandists have created and disseminated disinformation since at least March 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics; they’ve posted fake content on everything from social media to pro-Russian news websites. In some cases, FireEye says, Ghostwriter has deployed a bolder tactic: hacking the content management systems of news websites to post their own stories. They then disseminate their literal fake news with spoofed emails, social media, and even op-eds the propagandists write on other sites that accept user-generated content.
That hacking campaign, targeting media sites from Poland to Lithuania, has spread false stories about US military aggression, NATO soldiers spreading coronavirus, NATO planning a full-on invasion of Belarus, and more. “They’re spreading these stories that NATO is a danger, that they resent the locals, that they’re infected, that they’re car thieves,”
Tomi Engdahl says:
If you own one of these 45 Netgear devices, replace it: Kit maker won’t patch vulnerable gear despite live proof-of-concept code
That’s one way of speeding up the tech refresh cycle
https://www.theregister.com/2020/07/30/netgear_abandons_45_routers_vuln_patching/?utm_source=dlvr.it&utm_medium=facebook
Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code.
The vuln was revealed publicly in June by Trend Micro’s Zero Day Initiative (ZDI) following six months spent chivvying Netgear behind the scenes to take it seriously.
Keen-eyed Reg readers, however, noticed that Netgear quietly declared 45 of the affected products as “outside the security support period” – meaning those items won’t be updated to protect them against the vuln.
America’s Carnegie-Mellon University summarised the vuln in a note from its Software Engineering Institute: “Multiple Netgear devices contain a stack buffer overflow in the httpd web server’s handling of upgrade_check.cgi, which may allow for unauthenticated remote code execution with root privileges.”
Infosec biz Grimm pitched in after independently discovering the vuln itself by publishing proof-of-concept exploits for the SOHO (Small Office/Home Office) devices.
With today’s revelation that 45 largely consumer and SME-grade items will never be patched, Netgear faces questions over its commitment to older product lines. Such questions have begun to be addressed in Britain by calls from government agencies for new laws forcing manufacturers to reveal devices’ design lifespans at the point of purchase.
Tomi Engdahl says:
https://techcrunch.com/2020/07/31/twitter-says-phone-spear-phishing-attack-used-to-gain-network-access-in-crypto-scam-breach/amp/
Twitter has revealed a little more detail about the security breach it suffered earlier this month when a number of high profile accounts were hacked to spread a cryptocurrency scam — writing in a blog post that a “phone spear phishing attack” was used to target a small number of its employees.
Tomi Engdahl says:
https://www.io-tech.fi/uutinen/muun-muassa-linux-jakeluiden-kayttamasta-grub2-kaynnistyslataajasta-loytyi-vakava-haavoittuvuus/
Tomi Engdahl says:
Thousands of websites at risk from critical WordPress plugin vulnerability
https://hotforsecurity.bitdefender.com/blog/thousands-of-websites-at-risk-from-critical-wordpress-plugin-vulnerability-23844.html
A critical vulnerability in a third-party plugin installed on over 70,000 websites running WordPress could allow hackers to execute malicious code remotely.
The vulnerability, discovered by security researchers at Wordfence, hides in a vulnerable version of the wpDiscuz commenting plugin and enables hackers to upload arbitrary files to targeted websites, including executable PHP files.
Tomi Engdahl says:
A 17-year-old caused all that…
A Florida teen just got arrested for Twitter’s huge hack
https://www.theverge.com/2020/7/31/21349920/twitter-hack-arrest-florida-teen-fbi-irs-secret-service
‘This was not an ordinary 17-year old,’ says state attorney
Early this morning, the FBI, IRS, US Secret Service, and Florida law enforcement placed a 17-year-old in Tampa, Florida, under arrest — accusing him of being the “mastermind” behind the biggest security and privacy breach in Twitter’s history, one that took over the accounts of President Barack Obama, Democratic presidential candidate Joe Biden, Bill Gates, Elon Musk, Kanye and more to perpetrate a huge bitcoin scam on July 15th.
The teen is currently in jail, being charged with over 30 felony counts, including organized fraud, communications fraud, identity theft, and hacking.
It’s not clear whether the 17-year-old is the only suspect in the case. “I can’t comment on whether he worked alone,”
He’s being charged as an adult — “This was not an ordinary 17-year old,” said the state attorney — and the press conference made clear that law enforcement is considering how bad consequences of the hack could have been, beyond the $100,000-plus in bitcoin that the teen is alleged to have scammed out of unsuspecting Twitter users.
“This could have had a massive, massive amount of money stolen from people, it could have destabilized financial markets within America and across the globe; because he had access to powerful politicians’ Twitter accounts, he could have undermined politics as well as international diplomacy,” said Warren.
“This is not a game… these are serious crimes with serious consequences, and if you think you can rip people off online and get away with it, you’ll be in for a rude awakening, a rude awakening that comes in the form of a 6 AM knock on your door from federal agents,” he added later.
In addition to scamming users out of Bitcoin, the attackers accessed the private direct messages of 36 Twitter users, including one elected official, and may have downloaded even larger caches of data for 7 other users.
Tomi Engdahl says:
Three people just got charged for Twitter’s huge hack, and a Florida teen is in jail
Update: Not just the Tampa teen, two others just got charged in Orlando and the UK
https://www.theverge.com/platform/amp/2020/7/31/21349920/twitter-hack-arrest-florida-teen-fbi-irs-secret-service
Early this morning, the FBI, IRS, US Secret Service, and Florida law enforcement placed a 17-year-old in Tampa, Florida, under arrest — accusing him of being the “mastermind” behind the biggest security and privacy breach in Twitter’s history, one that took over the accounts of President Barack Obama, Democratic presidential candidate Joe Biden, Bill Gates, Elon Musk, Kanye, Apple and more to perpetrate a huge bitcoin scam on July 15th.
Tomi Engdahl says:
Red Hat and CentOS systems aren’t booting due to BootHole patches
Well, you can’t be vulnerable to BootHole if you can’t boot your system.
https://arstechnica.com/gadgets/2020/07/red-hat-and-centos-systems-arent-booting-due-to-boothole-patches/
Early this morning, an urgent bug showed up at Red Hat’s bugzilla bug tracker—a user discovered that the RHSA-2020:3216 grub2 security update and RHSA-2020:3218 kernel security update rendered an RHEL 8.2 system unbootable. The bug was reported as reproducible on any clean minimal install of Red Hat Enterprise Linux 8.2.
The patches were intended to close a newly discovered vulnerability in the GRUB2 boot manager called BootHole. The vulnerability itself left a method for system attackers to potentially install “bootkit” malware on a Linux system despite that system being protected with UEFI Secure Boot.
The issue is confirmed to affect RHEL 7.8 and RHEL 8.2, and it may affect RHEL 8.1 and 7.9 as well. RHEL-derivative distribution CentOS is also affected.
Red Hat is currently advising users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues have been resolved. If you administer a RHEL or CentOS system and believe you may have installed these patches, do not reboot your system. Downgrade the affected packages.
If you’ve already applied the patches and attempted (and failed) to reboot, boot from an RHEL or CentOS DVD in Troubleshooting mode, set up the network, then perform the same steps outlined above in order to restore functionality to your system.
Tomi Engdahl says:
Emotet being hijacked by another actor
https://doublepulsar.com/emotet-being-hijacked-by-another-actor-b22414352a7b
Tomi Engdahl says:
DNS Rebinding Headless Browsers
This article describes the use of HTTP Referer headers to execute DNS rebinding attacks on AWS-hosted analytics systems, leading to a compromise of the cloud environment.
https://alex.kaskaso.li/post/dns-rebinding-headless-browsers
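The attack in that post works because a headless browser fetches whatever URL it is handed (here, taken from a Referer header) and trusts DNS twice: once when the fetcher checks the name and again when the HTTP stack actually connects, by which time the attacker's authoritative server has switched the answer to an internal address. As an added example (my code, not from the linked post), the block below contrasts the vulnerable double-lookup with a pinned fetch that resolves once, refuses private, loopback and link-local addresses including the cloud metadata address, and connects to the vetted IP; it also shows the server-side check an internal service should make, rejecting any request whose Host header is not one of its own names. The resolver and hostnames are constructed to simulate the rebinding.

```python
"""Client- and server-side checks against DNS rebinding.

Added example, not code from the linked post. The RebindingResolver is a
constructed stand-in for an attacker's DNS: first answer public, every later
answer the AWS instance metadata address. Hostnames are constructed.
"""
import ipaddress
from typing import Callable, List

# Address space a headless fetcher inside a cloud VPC must never be steered into.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local (169.254.169.254 = metadata)
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


class RebindingResolver:
    """Constructed attacker DNS with a tiny TTL: the first lookup returns a
    harmless public IP, each later lookup returns the metadata service."""
    def __init__(self):
        self.calls = 0

    def __call__(self, hostname: str) -> str:
        self.calls += 1
        return "203.0.113.5" if self.calls == 1 else "169.254.169.254"


def naive_fetch_plan(url_host: str, resolve: Callable[[str], str]) -> List[str]:
    """Vulnerable pattern: vet one lookup, then hand the *hostname* to the HTTP
    client, which resolves again. Returns [vetted_ip, ip_actually_connected_to]."""
    checked = resolve(url_host)
    if is_blocked(checked):
        raise ValueError(f"refusing {url_host} -> {checked}")
    return [checked, resolve(url_host)]


def pinned_fetch_plan(url_host: str, resolve: Callable[[str], str]) -> str:
    """Hardened: resolve once, vet, and return the literal IP to connect to.
    The caller connects to that IP and sets Host (and TLS SNI) to url_host, so a
    later DNS answer can never change where the bytes go."""
    ip = resolve(url_host)
    if is_blocked(ip):
        raise ValueError(f"refusing {url_host} -> {ip}")
    return ip


def host_header_allowed(host_header: str, allowed_names: set) -> bool:
    """Server side: an internal service answers only for its own names. A rebound
    request still carries the attacker's domain in Host, so it is rejected."""
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return host in allowed_names


if __name__ == "__main__":
    bait = "bait.attacker.example"   # constructed
    print("naive  :", naive_fetch_plan(bait, RebindingResolver()))
    print("pinned :", pinned_fetch_plan(bait, RebindingResolver()))
    print("Host ok:", host_header_allowed("attacker.example", {"dashboard.internal"}))
```

The pinned variant only helps if the HTTP client honours it: it must connect to the returned IP rather than re-resolving the name, and it must apply the same vetting to every redirect target. The Host check is cheap and catches the case where the fetcher cannot be fixed, such as a third-party analytics crawler.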