Cyber Security News October 2020

This posting is here to collect cyber security news October 2020.

I post links to security vulnerability news with short descriptions to comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.

249 Comments

  1. Tomi Engdahl says:

    Norway says Russian hackers were behind August Parliament attack
    https://www.bleepingcomputer.com/news/security/norway-says-russian-hackers-were-behind-august-parliament-attack/
    Norway’s Minister of Foreign Affairs Ine Eriksen Søreide today said
    that Russia is behind the August 2020 cyber-attack on the Norwegian
    Parliament (Stortinget).

    Reply
  2. túi lọc bụi says:

    This is an article I think has good and quality content. Inserted is a beautiful image, thank you for sharing.

    Reply
  3. Tomi Engdahl says:

    Study Finds 400,000 Vulnerabilities Across 2,200 Virtual Appliances
    https://www.securityweek.com/study-finds-400000-vulnerabilities-across-2200-virtual-appliances

    Virtual appliances, even if they are provided by major software or cybersecurity vendors, can pose a serious risk to organizations, according to a report published on Tuesday by cloud visibility firm Orca Security.

    Virtual appliances can be highly useful to organizations as they eliminate the need for dedicated hardware, they are often inexpensive or free, they are easy to configure and maintain, and they can be easily deployed on cloud platforms. Many virtual appliances can be used as provided.

    Orca Security used its SideScanning technology to check virtual appliances for vulnerabilities and outdated operating systems. The company scanned a total of more than 2,200 virtual appliances from 540 vendors in April and May, and identified over 400,000 vulnerabilities.

    The virtual appliances were obtained from marketplaces associated with cloud platforms such as AWS, VMware, Google Cloud Platform, and Microsoft Azure, but Orca says these virtual appliances are in many cases the same as the ones provided directly by vendors.

    Reply
  4. Tomi Engdahl says:

    Adobe Patches Critical Code Execution Vulnerability in Flash Player
    https://www.securityweek.com/adobe-patches-critical-code-execution-vulnerability-flash-player

    Adobe has patched a critical arbitrary code execution vulnerability in Flash Player. This is the only flaw fixed by the software giant this Patch Tuesday.

    The vulnerability, tracked as CVE-2020-9746, has been described as a NULL pointer dereference issue.

    Reply
  5. Tomi Engdahl says:

    Microsoft Patches Several Publicly Disclosed Windows Vulnerabilities
    https://www.securityweek.com/microsoft-patches-several-publicly-disclosed-windows-vulnerabilities

    Microsoft has fixed nearly 90 vulnerabilities with its October 2020 Patch Tuesday updates and while none of them has been exploited in attacks, several of the flaws were publicly disclosed before the patches were released.

    The publicly disclosed vulnerabilities have been classified as important severity and their exploitation can lead to information disclosure or privilege escalation. A majority impact Windows and one affects the .NET framework.

    Reply
  6. Tomi Engdahl says:

    Kieren McCarthy / The Register:
    The EU is seeking applicants for the next Registry of the .eu TLD, limited to non-profits, and is offering a five-year contract to manage 3.6M domain names — Five-year deal to oversee 3.6 million web addresses … but does anyone actually want it? — The European Union has opened …

    Contract to run .eu domain-name registry is up for grabs as Brussels tries to avoid a .co-style debacle
    Five-year deal to oversee 3.6 million web addresses … but does anyone actually want it?
    https://www.theregister.com/2020/10/13/eu_internet_domain_contract/

    The European Union has opened up the .eu internet registry for a new owner, offering a five-year contract to oversee its 3.6 million domain names from October 2022.

    The EC’s Directorate General for Communication Networks, Content and Technologies announced the rebid last week and its director of future networks, Pearse O’Donohue, has been pushing the issue to the DNS industry – including personally contacting registry operators to encourage them to apply.

    It is just the latest in a series of rebids for major internet address spaces in recent years – several of which have been shrouded in claims of corruption, backroom deals and legal threats, including Colombia’s .co, India’s .in and Australia’s .au domains.

    The EC has tried to avoid similar controversy by insisting all applicants be non-profit organizations based in Europe: criteria that appears designed to prevent Afilias and Neustar from applying.

    But the criteria will also exclude pretty much everyone else in the relatively small registry market, unless those companies decide to set up non-profit subsidiaries in Europe solely to bid for the contract.

    In addition, a key component of the .eu contract will be multilingualism, which would disadvantage the dominant English-speaking players in the registry market.

    Any operator would also have to deal with the EC’s growing tendency to interfere with the .eu registry, imposing top-down decisions with little or no discussion. That became a headache for current operator EURid last year when Brussels bureaucrats decided that, due to Brexit, all .eu domains attached to UK-based registrants would be terminated when the UK exited the European Union.

    The registry lost millions of domains and saw its reputation damaged as a result.

    Interference

    There is also the fact that registry operators tend to be left alone to run things so long as there are no technical problems, but with .eu, the EC has repeatedly added new reporting requirements, making registry operation just one more piece of the Brussels bureaucracy.

    The rebid criteria also insist on EU-style governance structures. “The Contractor shall ensure that its internal governance respects the principles of efficiency, effectiveness, accountability, transparency and responsiveness,” reads just one part of the tendering documents. So that probably rules out Nominet.

    The EC may find that, despite its active efforts to give the contract to someone else, the only company willing to put up with its demands is current operator EURid.

    Reply
  7. Tomi Engdahl says:

    Kieren McCarthy / The Register:
    Barnes and Noble confirms it was hacked, says some users’ personal information may have been stolen; some customers were unable to download purchased e-books

    Confirmed: Barnes & Noble hacked, systems taken offline for days, miscreants may have swiped personal info
    Nook, line and sinker: Servers restored from backups, punters unable to download purchased e-books
    https://www.theregister.com/2020/10/15/nook_barnes_noble_hacked/

    Reply
  8. Tomi Engdahl says:

    German authorities raid FinFisher offices
    https://www.zdnet.com/article/german-authorities-raid-finfisher-offices/
    German authorities have raided the offices of FinFisher, a German
    software company that makes surveillance tools, accused in the past of
    providing software to oppressive regimes. FinFisher markets its tools
    as meant for law enforcement investigations and intelligence agencies.
    Known customers include the German federal police and Berlin police

    Reply
  9. Tomi Engdahl says:

    Zoom rolls out end-to-end encryption (E2EE) next week
    https://www.bleepingcomputer.com/news/security/zoom-rolls-out-end-to-end-encryption-e2ee-next-week/
    “Zoom users free and paid around the world can host up to 200
    participants in an E2EE meeting on Zoom, providing increased privacy
    and security for your Zoom sessions.”

    Reply
  10. Tomi Engdahl says:

    Lemon Duck brings cryptocurrency miners back into the spotlight
    https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html
    This threat, known as “Lemon Duck,” has a cryptocurrency mining
    payload that steals computer resources to mine the Monero virtual
    currency. The actor employs various methods to spread across the
    network, like sending infected RTF files using email, psexec, WMI and
    SMB exploits, including the infamous EternalBlue and SMBGhost threats
    that affect Windows 10 machines. Although this threat has been active
    since at least the end of December 2018, we have noticed an increase
    in its activity at the end of August 2020.

    Reply
  11. Tomi Engdahl says:

    Canva design platform actively abused in credentials phishing
    https://www.bleepingcomputer.com/news/security/canva-design-platform-actively-abused-in-credentials-phishing/
    Free graphics design website Canva is being abused by threat actors to
    create and host intricate phishing landing pages.

    Reply
  12. Tomi Engdahl says:

    Microsoft Patches New Windows ‘Ping of Death’ Vulnerability
    https://www.securityweek.com/microsoft-patches-new-windows-ping-death-vulnerability
    One of the vulnerabilities that Microsoft addressed as part of the October 2020 Patch Tuesday is a critical bug in Windows’ TCP/IP driver that could lead to the remote execution of code.
    Tracked as CVE-2020-16898, the issue is triggered when the TCP/IP stack doesn’t handle ICMPv6 Router Advertisement packets properly. An attacker could send specially crafted ICMPv6 Router Advertisement packets to a remote Windows machine to exploit the flaw and execute arbitrary code, Microsoft explains.
    The tech company notes that Windows 10 and Windows Server are vulnerable to attacks and that there are no mitigations. However, one workaround is available.
    A second issue in the TCP/IP driver, which is tracked as CVE-2020-16899, could be exploited to cause the target computer to stop responding. This flaw too can be exploited through crafted packets, but would not result in code execution, Microsoft says. The company rated the flaw as important.
    CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

    Reply
  14. Tomi Engdahl says:

    BleedingTooth: Vulnerabilities in Linux Bluetooth Allow Zero-Click Attacks
    https://www.securityweek.com/bleedingtooth-vulnerabilities-linux-bluetooth-allow-zero-click-attacks

    Bluetooth vulnerabilities that a Google security researcher has identified in the Linux kernel could be exploited to run arbitrary code or access sensitive information.

    Referred to as BleedingTooth, the issues were identified by Andy Nguyen, a security engineer from Google, and are tracked as CVE-2020-12351, CVE-2020-12352, and CVE-2020-24490. They were introduced in 2016, 2012, and 2018, respectively.

    The most severe of these flaws is CVE-2020-12351, a heap-based type confusion that affects Linux kernel 4.8 and higher. The issue features a high severity rating (CVSS score of 8.3).

    The bug can be exploited by a remote attacker within Bluetooth range of the victim who knows the BD address of the target device. To trigger the flaw, the attacker would have to send a malicious L2CAP packet, which can lead to denial of service or even execution of arbitrary code with kernel privileges.

    An attacker looking to trigger the vulnerability can also use a malicious Bluetooth chip for that. Proof-of-concept code for an exploit can be found on GitHub.
    https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq

    Reply
  15. Tomi Engdahl says:

    Intel Unveils New Security Tech in Upcoming Ice Lake CPU
    https://www.securityweek.com/intel-unveils-new-security-tech-upcoming-ice-lake-cpu

    Intel on Wednesday announced the new security technologies that will be present in the company’s upcoming 3rd generation Xeon Scalable processor, code-named “Ice Lake.”

    Intel told SecurityWeek that it’s aiming to make initial production shipments of the first 10nm-based Xeon Scalable product at the end of the year.

    Reply
  16. Tomi Engdahl says:

    It’s 2020 and a rogue ICMPv6 network packet can pwn your Microsoft Windows machine
    Redmond urges folks to apply update ASAP – plus more fixes for Outlook and software from Adobe, Intel, SAP, Red Hat
    https://www.theregister.com/2020/10/13/microsoft_patch_tuesday/

    Reply
  17. Tomi Engdahl says:

    Is Scaling a Pyramid on Your Bucket List? It Should Be
    https://www.securityweek.com/scaling-pyramid-your-bucket-list-it-should-be

    The concept of “The Pyramid of Pain” was first introduced by David J. Bianco in 2013. Today, most security professionals are familiar with it as a construct for describing the usefulness and relative ease of acquiring threat data and intelligence.

    Toward the bottom of the pyramid are indicators that are easier to obtain and work with – hash values, IP addresses and domain names. As you move up the pyramid, campaigns, adversaries and tactics, techniques and procedures (TTPs) come into play. Their value to you, as a security professional, increases dramatically, but these insights are also harder to obtain and use effectively without doing some groundwork. To gather the data and intelligence you need to fully detect and respond to threats, you need the ability to scale up and down the pyramid. With a platform that spans the entire journey you can aggregate internal and external threat and event data every step of the way, analyze and understand its relevance to you, and use it to strengthen your security posture.

    First things first

    To complete the round-trip journey successfully, you need to start by communicating with all the different detection tools that comprise your security infrastructure. This is like trying to communicate with a group of kids ranging in age from five to 18. They each communicate differently. So, when you speak with them you need to speak in a way that the five-year-olds will understand too. Similarly, detection tools have many different ways of communicating. So, when you need data from them all the best way to communicate is by using the lowest common denominator – indicators. Indicators allow you to tie things together and make sense of all the output from your different security tools. They also allow you to build a bigger picture and start to scale the pyramid. Here’s how.

    Previously, I described a scenario of finding an IP address that you don’t recognize in one tool. You need a bigger picture. So, you look at external threat intelligence and see that the IP address is associated with a specific adversary. Now you can pivot to that adversary and learn that there are numerous additional IP addresses related to that adversary. With a platform that lets you use this lowest common denominator form of communication you can search across your other tools. You may find a substantial set of associated IP addresses, giving you greater certainty that something may be going on. But you need to know more.

    Scale up

    As you move up the pyramid, you can start to build a complete picture of what is happening. The platform helps you add context and see relationships for a more strategic view. With tools like MITRE ATT&CK that describe campaigns, adversaries and their TTPs, you can pivot and expand your search further. For example, if the indicator is associated with a specific campaign or adversary, are there associated artifacts you can look for in other tools to confirm the presence of malicious activity?

    Scale down

    Now you need the ability to scale back down the pyramid so you can execute your response. This means sending associated data back to the right tools across your defensive grid in the language they speak – indicators. And, when possible, communicating automatically to accelerate response. The ability to scale up and down the Pyramid of Pain not only enables extended detection and response (XDR), it also sends a message to adversaries that their “go to” methods aren’t going to work with you. It’s fairly trivial for attackers to change hashes, IP addresses and domain names to avoid detection. But changing TTPs is extremely costly and time consuming and may result in their disinterest and dropping their focus on your business.

    Reply
  18. Tomi Engdahl says:

    800,000 SonicWall VPNs vulnerable to new remote code execution bug
    VPN vulnerabilities — the gift that keeps on giving (to attackers).
    https://www.zdnet.com/article/800000-sonicwall-vpns-vulnerable-to-new-remote-code-execution-bug/

    Almost 800,000 internet-accessible SonicWall VPN appliances will need to be updated and patched for a major new vulnerability that was disclosed on Wednesday.

    Discovered by the Tripwire VERT security team, CVE-2020-5135 impacts SonicOS, the operating system running on SonicWall Network Security Appliance (NSA) devices.

    SonicWall NSAs are used as firewalls and SSL VPN portals to filter, control, and allow employees to access internal and private networks.

    Tripwire researchers say SonicOS contains a bug in a component that handles custom protocols.

    The component is exposed on the WAN (public internet) interface, meaning any attacker can exploit it, as long as they’re aware of the device’s IP address.

    Reply
  19. Tomi Engdahl says:

    Iranian state hacker group linked to ransomware deployments
    https://www.zdnet.com/article/iranian-state-hacker-group-linked-to-ransomware-deployments/

    Amidst rising tensions between Israel and Iran, security researchers fear new escalation.

    Reply
  20. Tomi Engdahl says:

    Carnival Corp. Ransomware Attack Affects Three Cruise Lines
    https://threatpost.com/carnival-corp-ransomware-attack-cruise/160134/
    Hackers accessed personal information of guests, employees and crew
    for Carnival Cruise, Holland America and Seabourn as well as casino
    operations.

    Reply
  21. Tomi Engdahl says:

    Microsoft now lets you disable insecure JScript in Internet Explorer
    https://www.bleepingcomputer.com/news/security/microsoft-now-lets-you-disable-insecure-jscript-in-internet-explorer/
    Microsoft says that customers can now disable JScript (JScript.dll)
    execution in Internet Explorer 11 after installing the Windows October
    2020 monthly security updates.

    Reply
  22. Tomi Engdahl says:

    Fancy Bear Imposters Are on a Hacking Extortion Spree
    https://www.wired.com/story/ddos-extortion-hacking-fancy-bear-lazarus-group/
    On Wednesday, the web security firm Radware published extortion notes
    that had been sent to a variety of companies around the world. In each
    of them, the senders purport to be from the North Korean government
    hackers Lazarus Group, or APT38, and Russian state-backed hackers
    Fancy Bear, or APT28. The communications threaten that if the target
    doesn’t send a set number of bitcoin, typically equivalent to tens or
    even hundreds of thousands of dollars, the group will launch powerful
    distributed denial of service attacks against the victim.

    Lazarus Bear Armada (LBA) DDoS Extortion Attack Campaign October 2020
    https://www.netscout.com/blog/asert/lazarus-bear-armada-lba-ddos-extortion-attack-campaign-october

    Reply
  23. Tomi Engdahl says:

    Time to remove Nano Adblocker and Defender from your browsers (except
    Firefox)
    https://www.ghacks.net/2020/10/16/time-to-remove-nano-adblocker-and-defender-from-your-browsers-except-firefox/
    The developer of the extension revealed on the official GitHub that he decided to sell the extension twelve days ago to two Turkish developers.

    Reply
  24. Tomi Engdahl says:

    Phishers Capitalize on Headlines with Breakneck Speed
    https://threatpost.com/phishers-capitalize-headlines-speed/160249/
    Marking a pivot from COVID-19 scams, researchers track a single threat
    actor through the evolution from the pandemic to PayPal, and on to
    more timely voter scams all with the same infrastructure.

    Reply
  25. Tomi Engdahl says:

    Dickey’s Barbecue Pit Investigating Possible Breach Affecting 3M Payment Cards
    https://www.securityweek.com/dickeys-barbecue-pit-investigating-possible-breach-affecting-3m-payment-cards

    A data set of millions of payment card records apparently stolen from US-based restaurant franchise Dickey’s Barbecue Pit has emerged on a Dark Web marketplace, Gemini Advisory reports.

    Reply
  26. Tomi Engdahl says:

    Tech Glitch Takes Twitter Offline
    https://www.securityweek.com/twitter-service-restored-following-global-platform-outage

    Twitter went offline for almost two hours on Thursday, in an outage that the social media platform — used by hundreds of millions worldwide — blamed on a technical glitch.

    The company said there was no evidence that its security had been breached.

    It marked a new setback for the company, which late Thursday altered its policies on hacked content after accusations of bias stemming from its decision to block a news report critical of Democratic White House candidate Joe Biden.

    Reply
  27. Tomi Engdahl says:

    Watch out for Emotet malware’s new ‘Windows Update’ attachment
    https://www.bleepingcomputer.com/news/security/watch-out-for-emotet-malwares-new-windows-update-attachment/
    The Emotet botnet has begun to use a new malicious attachment that
    pretends to be a message from Windows Update telling you to upgrade
    Microsoft Word.

    Reply
  28. Tomi Engdahl says:

    Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack
    https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/
    Researchers said the group was able to move from initial phish to full
    domain-wide encryption in just five hours.

    Reply
  29. Tomi Engdahl says:

    Hackers hijack Telegram, email accounts in SS7 mobile attack
    https://www.bleepingcomputer.com/news/security/hackers-hijack-telegram-email-accounts-in-ss7-mobile-attack/
    Hackers with access to the Signaling System 7 (SS7) used for
    connecting mobile networks across the world were able to gain access
    to Telegram messenger and email data of high-profile individuals in
    the cryptocurrency business.

    Reply
  30. Tomi Engdahl says:

    Man charged with extorting 135 million euros using malware in France
    https://www.is.fi/digitoday/art-2000006674258.html
    A court in Paris is beginning to hear a case in which a 41-year-old
    man is accused of extorting 135 million euros with the help of malware
    smuggled onto computers. There are nearly 200 victims from around the
    world.

    Reply
  31. Tomi Engdahl says:

    Major Vulnerabilities Discovered in Qualcomm QCMAP
    https://www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities
    In a recent supply chain security assessment, Vdoo analyzed multiple
    networking devices for security vulnerabilities and exposures. During
    the analysis we discovered and have responsibly disclosed four major
    vulnerabilities in Qualcomm’s QCMAP (Mobile Access Point) architecture
    that these devices were based on. An attacker that exploits the
    discovered vulnerabilities can gain remote root access to any of the
    affected devices.

    Reply
  32. Tomi Engdahl says:

    Trump says ‘nobody gets hacked’ but forgot his hotel chain was hacked — twice
    https://techcrunch.com/2020/10/19/nobody-gets-hacked-trump-hotel-chain-twice/

    According to President Trump speaking at a campaign event in Tucson, Arizona, on Monday, “nobody gets hacked.” You don’t need someone who covers security day in and day out to call bullshit on this one.

    “Nobody gets hacked. To get hacked you need somebody with 197 IQ and he needs about 15 percent of your password,” Trump said, referencing the recent suspension of C-SPAN political editor Steve Scully, who admitted falsely claiming his Twitter account was hacked this week after sending a tweet to former White House communications director Anthony Scaramucci.

    There’s a lot to unpack in those two-dozen words. But aside from the fact that not all hackers are male (and it’s sexist to assume that), and glossing over the two entirely contrasting sentences, Trump also neglected to mention that his hotel chain was hacked twice — once over a year-long period between 2014 and 2015 and again between 2016 and 2017.

    We know this because the Trump business was legally required to file notice with state regulators after each breach, which they did.

    In both incidents, customers of Trump’s hotels had their credit card data stolen.

    Reply
  33. Tomi Engdahl says:

    The growing availability of drones on the open market, coupled with the failures of current counter-measures, mean that airports are at risk of disruption by rogue drones. With the prospects of fatal collisions all too evident, is there a growing need for anti-drone technology?

    Do we need anti-drone technology to keep airports safe?
    https://cybernews.com/editorial/do-we-need-anti-drone-technology-to-keep-airports-safe/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=anti_drone_technology&fbclid=IwAR3-RK1NgqL3aL1roXG0x-aKUsescDmW7x6FVVNtCGfhYZPCoWMjxLlcDyQ

    Just before the Christmas holidays in 2018, the UK’s second largest airport, Gatwick, was shut after drones were sighted near the runway. In total, some 1,000 flights were either diverted or cancelled, affecting 140,000 passengers as the airport was shut for a total of three days.

    It brought the challenges posed by what is still a relatively new technology to the public’s attention, with the airport’s Chief Operating Officer Chris Woodroofe highlighting the growing threat posed by drones.

    “We have had the police, we have had the military seeking to bring this drone down for the last 24 hours and to date that has not been successful.”

    It was an incident with huge financial implications for both the airport and airlines, with the estimated cost of the shutdown put at around $64.5 million. It also resulted in several hundred thousand pounds of costs for local police forces. The incident is far from an isolated one, with similar incidents in Canada, Dubai, Poland and China highlighting the scale of the risk.

    The threat is exacerbated by the growing availability and affordability of drones on the open market, which coupled with the general inadequacy of current counter-measures, mean that airports are at particular risk of disruption.

    While to date, the risk has mainly been a financial one, the prospects of a fatal collision between a drone and a passenger aircraft are all too evident, especially as numerous terrorist organizations have highlighted the potential for drones to carry a lethal payload.

    It’s no surprise that the Federal Aviation Administration (FAA) have recently announced plans to evaluate a range of technologies that could be deployed to not only detect drones, but mitigate the security risks they pose.

    The project is part of the Research Program for Detection and Mitigation of Unmanned Aircraft Systems in Airports that is run by the agency, and they hope to test a minimum of 10 different technologies by the end of the year.

    Reply
  34. Tomi Engdahl says:

    Mysterious ‘Robin Hood’ hackers donating stolen money
    https://www.google.com/amp/s/www.bbc.com/news/amp/technology-54591761

    A hacking group is donating stolen money to charity in what is seen as a mysterious first for cyber-crime that’s puzzling experts.

    Darkside hackers claim to have extorted millions of dollars from companies, but say they now want to “make the world a better place”.

    In a post on the dark web, the gang posted receipts for $10,000 in Bitcoin donations to two charities.

    The move is being seen as a strange and troubling development, both morally and legally.

    In the blog post on 13 October, the hackers claim they only target large profitable companies with their ransomware attacks. The attacks hold organisations’ IT systems hostage until a ransom is paid.

    They wrote: “We think that it’s fair that some of the money the companies have paid will go to charity.

    Brett Callow, Threat Analyst at cyber-security company Emsisoft, said: “What the criminals hope to achieve by making these donations is not at all clear. Perhaps it helps assuage their guilt? Or perhaps for egotistical reasons they want to be perceived as Robin Hood-like characters rather than conscienceless extortionists.

    “Whatever their motivations, it’s certainly a very unusual step and is, as far as I know, the first time a ransomware group has donated a portion of their profits to charity.”

    Reply
  35. Tomi Engdahl says:

    Cybersecurity Awareness Month reminder: Ensure everything connected is protected
    https://cybernews.com/security/ensure-everything-connected-is-protected/?utm_source=facebook&utm_medium=cpc&utm_campaign=rm&utm_content=everything_connected&fbclid=IwAR3MtK9ritEsh5LpOraSV3dqh0wMHykON9w1f0FX98MWP5PrdxMoODWxFKo

    The leaves are falling from the trees, Halloween costumes and pumpkin spice lattes are unavoidable. October is officially here. But that also means that it’s time to put the threat of COVID to one side for a few weeks and celebrate National Cybersecurity Awareness Month or NCSAM as techies prefer to call it.

    The ECSM in Europe and the FBI in the US are also urging users to protect their digital lives. Online communities are encouraged to think about their personal accountability when drifting seamlessly between an increasing number of always-connected devices. Here are a few steps you can take to prevent your smart home from becoming a cyber-attack in the waiting.

    If you connect it, protect it

    We’re living in a hyperconnected world where even your next toaster will ask for your wifi password. But will these devices still receive security patches five years from now?

    Taking the simple step of changing the password that devices connect with, along with the router password that gives you access to the settings, is a great starting point. Secure WPA2 authentication, or WPA3 on newer routers, will put you in a much safer position than the average user.

    Most people accept that if they do not update the security on their laptops or smartphones, it will increase the chances of being exploited by a cyber attacker. But many forget this simple rule with every other device that connects to their router. If any device is not regularly patched with security updates or firmware, it will create a weak entry point into the network.

    Personal accountability
    Is your private digital life really private? The inconvenient truth is probably not. The many selfies you have uploaded to the web might have already been scraped from the web by tech companies and could now be stored in a law enforcement database. Some agencies are even using big data to fuel algorithms that will help them predict who might commit a crime as Minority Report-esque policing becomes a reality.

    Managing risk when working from home
    Change and uncertainty are like currency to cyber attackers. Unsurprisingly, there has been a 72% increase in ransomware attacks since the COVID-19 outbreak. Elsewhere, Google detected 18 million malware and phishing messages per day related to COVID-19. As employees leave the safety of the corporate network, they run the risk of becoming the weakest link in cybersecurity defenses.

    Reply
  36. Tomi Engdahl says:

    Seven mobile browsers vulnerable to address bar spoofing attacks
    https://www.zdnet.com/article/seven-mobile-browsers-vulnerable-to-address-bar-spoofing-attacks/
    Vulnerabilities allow attackers to trick users into accessing
    malicious sites while showing the incorrect URL in the address bar.

    Reply
  37. Tomi Engdahl says:

    NSA: Top 25 vulnerabilities actively abused by Chinese hackers
    https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
    The U.S. National Security Agency (NSA) warns that Chinese
    state-sponsored hackers exploit 25 different vulnerabilities in
    attacks against U.S. organizations and interests. See also
    https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

    Reply
  38. Tomi Engdahl says:

    Barnes & Noble hit by Egregor ransomware, strange data leaked
    https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/
    The Egregor ransomware gang is claiming responsibility for the
    cyberattack on U.S. bookstore giant Barnes & Noble on October 10th,
    2020. The attackers state that they stole unencrypted files as part of
    the attack.

    Reply
  39. Tomi Engdahl says:

    Google removes two Chrome ad blockers caught collecting user data
    https://www.zdnet.com/article/google-removes-two-chrome-ad-blockers-caught-collecting-user-data/
    Nano Adblocker and Nano Defender have been removed from the official
    Chrome Web Store.

    Reply
  40. Tomi Engdahl says:

    Coinbase phishing hijacks Microsoft 365 accounts via OAuth app
    https://www.bleepingcomputer.com/news/microsoft/coinbase-phishing-hijacks-microsoft-365-accounts-via-oauth-app/
    A new phishing campaign uses a Coinbase-themed email to install an
    Office 365 consent app that gives attackers access to a victim’s
    email.

    Reply
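The consent-phishing pattern in the comment above (a themed lure leading the victim to grant an attacker-controlled OAuth app access to their mailbox) is usually caught after the fact by reviewing consent grants. Below is an added example of that triage, not code from the linked article or from Microsoft: it scores each grant on the delegated scopes requested, publisher verification, self-service consent and brand impersonation in the app name, then lists the grants to revoke. The grant records and app IDs are constructed, and the field names are an assumption loosely modelled on a consent audit export rather than an exact schema.

```python
"""Triage of OAuth consent grants to catch consent-phishing apps.

Added example, not from the linked article or from Microsoft. The grant
records below are constructed for illustration; the field names are an
assumption loosely modelled on what an Azure AD consent audit export
contains, not an exact schema.
"""
from dataclasses import dataclass, field

# Delegated Graph scopes that give an app the kind of mailbox/file access a
# consent-phishing campaign is after. offline_access matters because it
# yields a refresh token: access survives a password reset until the grant
# itself is revoked.
HIGH_RISK_SCOPES = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
    "MailboxSettings.ReadWrite": 3, "Contacts.Read": 1,
    "Files.Read.All": 3, "Files.ReadWrite.All": 4,
    "offline_access": 2, "Directory.AccessAsUser.All": 5,
}


@dataclass
class ConsentGrant:
    app_display_name: str
    app_id: str
    publisher_domain: str
    publisher_verified: bool
    consent_type: str          # "user" (self-service) or "admin"
    granted_by: str            # user who clicked Accept
    scope: str                 # space-separated delegated scopes, as in the token


@dataclass
class Finding:
    grant: ConsentGrant
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_scopes(scope: str) -> set:
    """Split a space-separated scope string into a set of permission names."""
    return {s for s in scope.split() if s}


def score_grant(g: ConsentGrant, brand_words=("coinbase", "microsoft", "office")) -> Finding:
    f = Finding(grant=g)
    scopes = parse_scopes(g.scope)
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    if risky:
        f.score += sum(HIGH_RISK_SCOPES[s] for s in risky)
        f.reasons.append("requests " + ", ".join(risky))
    if not g.publisher_verified:
        f.score += 3
        f.reasons.append("publisher not verified")
    if g.consent_type == "user" and risky:
        f.score += 2
        f.reasons.append("user self-consented to mailbox/file scopes")
    # Brand impersonation: app name uses a brand the publisher domain does not own.
    name = g.app_display_name.lower()
    for w in brand_words:
        if w in name and w not in g.publisher_domain.lower():
            f.score += 4
            f.reasons.append(f"name impersonates '{w}' but publisher is {g.publisher_domain}")
            break
    return f


def triage(grants, threshold=6):
    """Return findings at or above threshold, highest score first."""
    findings = [score_grant(g) for g in grants]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


def revocation_targets(findings):
    """(app_id, user) pairs whose consent grant should be revoked."""
    return [(f.grant.app_id, f.grant.granted_by) for f in findings]


# Constructed sample: one lookalike app, one ordinary sign-in app.
SAMPLE_GRANTS = [
    ConsentGrant("Coinbase Verify", "1111aaaa-0000-4000-8000-000000000001",
                 "lookalike-example.test", False, "user", "alice@example.test",
                 "openid profile email Mail.Read offline_access"),
    ConsentGrant("Team Wiki Login", "2222bbbb-0000-4000-8000-000000000002",
                 "wiki-vendor-example.test", True, "user", "bob@example.test",
                 "openid profile User.Read"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f.score, f.grant.app_display_name, "|", "; ".join(f.reasons))
```

The scoring weights and the threshold are judgement calls to tune per tenant; the point is that a mailbox scope plus offline_access, granted by a user to an unverified publisher whose app name borrows someone else's brand, should surface at the top without anyone having to read every grant by hand. Revoking the grant (not just resetting the password) is what actually cuts off access, because the refresh token keeps working until then.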
  41. Tomi Engdahl says:

    Adobe fixes 18 critical bugs affecting its Windows, macOS apps
    https://www.bleepingcomputer.com/news/security/adobe-fixes-18-critical-bugs-affecting-its-windows-macos-apps/
    The software products patched today by Adobe include Adobe Creative
    Cloud Desktop Application, Adobe InDesign, Adobe Media Encoder, Adobe
    Premiere Pro, Adobe Photoshop, Adobe After Effects, Adobe Animate,
    Adobe Dreamweaver, Adobe Illustrator, and Marketo.

    Reply
  42. Tomi Engdahl says:

    Security Testing Company NSS Labs Ceases Operations
    https://www.securityweek.com/security-testing-company-nss-labs-ceases-operations

    “Due to Covid-related impacts, NSS Labs ceased operations on October 15th,” a message on the company’s website reads.

    Founded in 2007, NSS Labs has been focused on becoming a trusted source on security product research, testing and advisory, providing private organizations, government agencies, services providers, and resellers with information on product effectiveness, performance, and cost.

    In 2018, NSS Labs filed an antitrust lawsuit against the antivirus industry: CrowdStrike, Symantec, ESET, the Anti-Malware Testing Standards Organization (AMTSO), and others.

    HardenStance’s Patrick Donegan noted on Twitter that NSS Labs’ model was broken and that NSS Labs’ demise is not surprising. In a report published earlier this year, he pointed out that trust in the proprietary methods of independent testing companies has been declining and that the numerous lawsuits between vendors and test firms in recent years is proof of that.

    https://www.nsslabs.com/
    Due to Covid-related impacts, NSS Labs ceased operations on October 15th.

    Reply
  43. Tomi Engdahl says:

    New TrickBot Control Servers Unable to Respond to Bot Requests
    https://www.securityweek.com/new-trickbot-control-servers-unable-respond-bot-requests

    Control servers included in the configuration file of new TrickBot samples fail to respond to bot requests, according to researchers at threat intelligence company Intel 471.

    Last week, Microsoft announced that, together with industry partners, it was able to legally take over and disrupt infrastructure used by TrickBot, as well as to block efforts from its operators to register new infrastructure and revive the botnet.

    Days after the announcement, however, Intel 471’s researchers revealed that TrickBot resumed operations, and that Emotet was observed serving TrickBot payloads to infected machines.

    CrowdStrike too confirmed that TrickBot was still operational, saying that only approximately 10,000 bots were seen becoming unreachable after being served a non-standard configuration file.

    Reply
  44. Tomi Engdahl says:

    Serious Vulnerability in GitHub Enterprise Earns Researcher $20,000
    https://www.securityweek.com/serious-vulnerability-github-enterprise-earns-researcher-20000

    A security researcher says he has earned $20,000 for a high-severity GitHub Enterprise vulnerability that might have allowed an attacker to execute arbitrary commands.

    GitHub Enterprise, the on-premises version of GitHub.com, is designed to make it easier for large enterprise software development teams to collaborate.

    Reply
  45. Tomi Engdahl says:

    So how to #decrypt the #https traffic to see the request and response headers and the data #web #debugging
    #NetworkTroubleshooting #DevOps

    How to decrypt HTTPS traffic using SSL Proxy
    https://www.middlewareinventory.com/blog/how-to-decrypt-https-traffic/

    Reply
