It’s Patch Tuesday again and, as usual, both Microsoft and Adobe have pushed out patches for widely used software packages. The Microsoft patches: Microsoft’s December 2018 Patch Tuesday release is fairly lightweight: the company has plugged 38 CVE-numbered security holes, nine of which are considered Critical. Among the most notable bugs in this batch is CVE-2018-8611, an elevation of privilege vulnerability that arises when the Windows kernel fails to properly handle objects in …
The post December 2018 Patch Tuesday: Microsoft patches Windows zero-day exploited in the wild appeared first on Help Net Security.
The just-released Patch Tuesday for December includes a fix for the actively exploited Win32k Elevation of Privilege Vulnerability (CVE-2018-8611). The flaw allows an attacker to exploit a bug in the Windows kernel and run arbitrary code to install programs; view, change, or delete data; or create new accounts with full user rights. It is also noted as likely being chained with other bugs in targeted attacks.
The patch release fixes another vulnerability that’s currently under active attack: CVE-2018-8626, a Windows DNS Server heap overflow remote code execution (RCE) vulnerability that exists when DNS servers fail to properly handle requests. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the Local System Account. The vulnerability can be triggered by sending a specially crafted request to an affected DNS server.
Microsoft closes out the year with 39 security patches and one advisory that cover issues in Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, and the .NET Framework. Of the 39 CVEs, nine are listed as Critical and 30 as Important in severity. Five were disclosed through the Zero Day Initiative (ZDI) program.
On the Adobe front, a total of 87 CVEs were covered by their release, with 39 of these handled by the ZDI. All of the bugs are listed as Important, save for one Moderate CVE. Earlier, on December 5, Adobe also shipped an early patch for Flash Player that addresses two CVEs, one of which, CVE-2018-15982, is listed as under active attack. The use-after-free (UAF) exploit allows an attacker to execute code at the level of the logged-on user, and is being spread through spear-phishing campaigns as a Flash SWF embedded in a Microsoft Office document.
Trend Micro Deep Security and Vulnerability Protection protect user systems from any threats that may target the vulnerabilities addressed in this month’s round of updates via the following DPI rules:
- 1009409-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8583)
- 1009410-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8619)
- 1009411-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8617)
- 1009412-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8618)
- 1009413-Microsoft Text-To-Speech Remote Code Execution Vulnerability (CVE-2018-8634)
- 1009414-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2018-8631)
- 1009415-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8629)
- 1009416-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8624)
- 1009427-Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2018-8628)
- 1009428-Microsoft Outlook Remote Code Execution Vulnerability (CVE-2018-8587)
- 1009429-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8643)
- 1009430-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8625)
- 1009431-Microsoft Windows Multiple Security Vulnerabilities (Dec-2018)
- 33685: HTTP: Microsoft Edge Chakra JIT Type Confusion Vulnerability
- 33686: HTTP: Microsoft Edge Chakra InlineArrayPush Type Confusion Vulnerability
- 33687: HTTP: Microsoft Edge Chakra defineSetter Type Confusion Vulnerability
- 33688: HTTP: Microsoft Edge Memory Corruption Vulnerability
- 33689: HTTP: Microsoft Edge ArrayBuffer Out-of-Bounds Write Vulnerability
- 33690: HTTP: Microsoft Internet Explorer Array Prototype Out-of-Bounds Write Vulnerability
- 33691: HTTP: Microsoft Edge SpeechSynthesis Buffer Overflow Vulnerability
- 33708: HTTP: Microsoft XML XSL VBScript Usage
- 33711: HTTP: Adobe Flash Player SWF Parsing Use-After-Free Vulnerability
- 33818: HTTP: Microsoft PowerPoint Use-After-Free Vulnerability
- 33819: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability
- 33820: HTTP: Microsoft Windows Kernel Use-After-Free Vulnerability
- 33822: HTTP: Microsoft Windows win32kfull.sys Integer Overflow Vulnerability
TrendLabs Security Intelligence Blog
Aleksandar Nikolic of Cisco Talos discovered this vulnerability.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
Adobe Acrobat Reader DC text field value remote code execution vulnerability (TALOS-2018-0704/CVE-2018-19716)
Read the complete vulnerability advisory here for additional information.
Versions tested
Talos tested and confirmed that Adobe Acrobat Reader DC 2019.8.20071 is impacted by this vulnerability.
Coverage
The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 48293, 48294
Adobe has once again patched a serious flaw in the Flash Player that has been exploited in the wild. This
Technology, IT and engineering are male-dominated industries. However, multiple companies and organizations are aiming to introduce more diversity by providing the education and training women need to enter these fields. Scholarships and grants can open doors typically closed to many women, especially with the rising costs of BA, Masters and PhD courses in the UK […]
The post 17 Technology, IT and Engineering Scholarships for Women in 2019-2020 appeared first on The State of Security.
Grab your shovels, dust off the snow blower, and bundle up. The way patches are accumulating this month is making me think of winter in Minnesota. I’m talking about the kind where the snow flurries start and stop so many times over the course of a few weeks, you suddenly realize there is a lot of snow out there! So the question is, do you shovel in small amounts when there are breaks in the …
The post December Patch Tuesday forecast: Let it snow, let it snow, let it snow appeared first on Help Net Security.
Adobe has released an out-of-band security update for Flash Player that fixes two vulnerabilities, one of which is a zero-day (CVE-2018-15982) that has been spotted being exploited in the wild. About the vulnerability (CVE-2018-15982): CVE-2018-15982 is a use-after-free in Flash’s com.adobe.tvsdk.mediacore.metadata package that can be exploited to deliver and execute malicious code on a victim’s computer. It was flagged on November 29 by researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 …
Vision Direct reported a website compromise that impacted users of its website between 3rd and 8th November; some 16,300 people were said to be at risk. A fake Google Analytics script had been placed within its website code by hackers.
Eurostar customers were notified by email to reset their passwords following presumably successful automated login attempts to Eurostar accounts with stolen credentials obtained by an unknown method.
Two of the TalkTalk hackers were sentenced to a grand total of 20 months for their involvement in the infamous 2015 blackmail hack, which was said to have cost TalkTalk £77 million. According to the court transcripts, there may have been up to 10 other attackers involved when hackers attempted to blackmail TalkTalk’s then CEO Dido Harding into paying a ransom in Bitcoin to cover up the breach. Has the enterprise, and the judiciary, learned anything from the TalkTalk hack?
Uber was fined £385,000 by the UK Information Commissioner's Office after hackers stole the data of 2.7 million UK customers in October and November 2016. Uber attempted to cover up the breach by paying the hackers $100,000 (£78,400) to destroy the stolen customer data. Meanwhile, stateside, Uber paid $148m to settle federal charges.
HSBC announced it had suffered a customer data breach between 4th and 14th October 2018 in a suspected "credential stuffing" attack. HSBC didn't state how many customers were impacted but is known to have 38 million customers worldwide. HSBC advised its customers to regularly change and use strong passwords and to monitor their accounts for unauthorised activity, sage good-practice online banking advice, but I am sure its customers will want to know what has happened.
Facebook is still making the wrong kind of privacy headlines; this time it was reported that Facebook members' private message data was found for sale online, with one instance involving 257,256 stolen profiles and including 81,208 private messages. The report appears to suggest malicious browser extensions, not Facebook, may be behind the data breach.
A report from a UK parliamentary committee warned the UK government is failing to deliver on protecting the UK's critical national infrastructure (CNI) from cyber attacks. "The threat to critical infrastructure, including the power grid, is growing," the committee reported, with some states, "especially Russia", starting to explore ways of disrupting CNI. An advisory notice also warned that UK companies connected to CNI were being targeted by cyber attackers believed to be in eastern Europe. APT28 (the Russia-based Fancy Bear) has added the "Cannon" downloader tool to its arsenal, according to researchers.
Amazon's showcase Black Friday sale was hit by a data breach days before it started. The online retail giant said it emailed affected customers, but refused to provide any details on the extent or nature of the breach. The customer email said “Our website inadvertently disclosed your email address or name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”
There was a far more positive security announcement by Amazon about their AWS (cloud) services, with the launch of three new services to simplify and automate AWS security configuration called AWS Control Tower, AWS Security Hub, and AWS Lake Formation. McAfee released their 2019 'Cloud Adoption and Risk Report' which highlights the vital importance of configuring cloud services correctly and securely.
RiskIQ claimed that monitoring for malicious code could have stopped the recent theft of 185,000 British Airways customer records. The Magecart hacker group is believed to be responsible for injecting twenty-two lines of malicious script into British Airways' payment page, which successfully lifted debit and credit card details, including the CVV code.
Finally, according to enSilo, European Windows users are being targeted by a sophisticated malware called 'DarkGate', which has an array of nefarious capabilities, including cryptomining, credential stealing, ransomware, and remote-access takeovers. DarkGate has been found to be distributed via torrent files disguised as popular entertainment offerings, including Campeones and The Walking Dead, so be careful to avoid becoming infected!
- Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!
- Facebook Users’ Data, Private Messages found up for sale Online
- Amazon hit with Major Data Breach Days before Black Friday
- HSBC Suffers Data Breach, Customer Banking Information Exposed
- Vision Direct Hack places Customers’ Money at Risk
- UK Power Grid Vulnerable as Government Failing on Cyber Security
- TalkTalk Hackers Jailed for Cyber Attack that Cost Company £77m
- Eurostar Customers Forced to Reset Passwords after Breach
- Radisson Hotel Group Member Rewards program Breached
- Uber Fined £385,000 for Losing UK Customer Data
- Amazon's AWS launches Three New Services to simplify Security Configuration
- Database Breach affects 2.6 Million Atrium Health Patients
- Monitoring file output for malicious code 'could have stopped BA attack more quickly’
- Kaspersky moves away from Moscow after allegations of Kremlin spying
- Microsoft Patches 62 Vulnerabilities, including 12 Critical for Windows, Edge\IE, Office Chakra, Flash, and .NET
- Adobe Releases Fixes for an Important Vulnerability for Acrobat and Acrobat Reader
- Cisco Fixes Two Critical Bugs, Recommends Workaround
- D-Link Router Vulnerability Detailed
- SSD Encryption Security Failures Revealed by Researchers
- Apache Struts Vulnerability would allow System Take Over
- Cisco WebEx Flaw Patched
- VMware issues Critical Security Update for Workstation and Fusion products
- Targeted Ransomware Attacks on the Rise in 2018, NCSC warns
- APT Group TA505 testing out new modular RAT
- Kaspersky: Spam and Phishing in Q3 2018
- Chinese Hackers using Russian tactics to attack UK Firms
- Phishing campaign looks like work of Russian APT 28 Cozy Bear
- ‘DarkGate’ Miner, Password-Stealer could open up a world of hurt for Windows Users
- DirtyCOW is back in Backdoor Attack targeting Drupal Web Servers
- ‘Cannon’ Downloader Tool added to Fancy Bear’s APT28 arsenal
- Trickbot’s latest Trick? POS feature
Adobe Flash Player vulnerabilities and their subsequent patches are no surprise to us. Once again, Adobe has patched a critical
Naked Security - Sophos
Adobe has released a Flash Player update that plugs a critical vulnerability (CVE-2018-15981) that could lead to remote code execution, and is urging users to implement it as soon as possible. The flaw affects Flash Player 18.104.22.168 and earlier versions on Windows, macOS, Linux and Chrome OS, and details about it are already publicly available, the company warned. About CVE-2018-15981: CVE-2018-15981 was discovered and publicly disclosed by researcher Gil Dabah last week. “The interpreter code …
The post Adobe plugs critical RCE Flash Player flaw, update ASAP! Exploitation may be imminent appeared first on Help Net Security.
This week, Adobe released its monthly scheduled update bundle addressing vulnerabilities within its different products. The Adobe patch Tuesday November
In September, Adobe patched numerous critical vulnerabilities in ColdFusion. However, a couple of weeks after Adobe released the patches, researchers
A class action lawsuit has been filed by Dave Cooper, a freelance videographer, against Adobe for a bug in its video-editing software Premiere Pro that deleted years of his work in no time. Cooper watched in horror as his important videos and clips were permanently deleted. In the lawsuit, Cooper has alleged that the […]
This is a post from HackRead.com Read the original post: Videographer sues Adobe after losing $250k worth of data through Premiere Pro bug
Adobe Patch Tuesday updates for November 2018 addresses three flaws in Flash Player, Acrobat and Reader, and Photoshop CC.
Adobe Patch Tuesday updates for November 2018 fixes three flaws in Flash Player, Acrobat and Reader, and Photoshop CC.
The most severe issue, owing to the availability of a proof-of-concept (PoC) exploit, is an information disclosure vulnerability tracked as CVE-2018-15979.
The flaw, rated “important severity”, affects Adobe Acrobat and Reader for Windows; its exploitation could lead to the leak of the user’s hashed NTLM password.
“Adobe has released security updates for Adobe Acrobat and Reader for Windows to resolve an important vulnerability. Successful exploitation could lead to an inadvertent leak of the user’s hashed NTLM password.” reads the advisory published by Adobe.
The vulnerability was discovered by the free exploit detection service EdgeSpot; it received a priority rating of “1,” which means that the risk of exploitation is high.
In April 2018, Assaf Baharav, a security expert at Check Point, demonstrated that by exploiting the flaw (CVE-2018-4993) it was possible to use weaponized PDF files to steal Windows credentials, specifically the associated NTLM hashes, without any user interaction.
The attackers just need to trick victims into opening a file; Baharav explained that attackers could take advantage of features natively found in the PDF standard to steal NTLM hashes.
“The attacker can then use this to inject malicious content into a PDF and so when that PDF is opened, the target automatically leaks credentials in the form of NTLM hashes.” wrote Baharav.
The researcher used a specially crafted PDF document for his proof-of-concept.
When a victim opened the PDF document, it automatically contacted a remote SMB server controlled by the attacker, exposing the NTLM details in the SMB requests, including the NTLM hash used for the authentication process.
“The NTLM details are leaked through the SMB traffic and sent to the attacker’s server which can be further used to cause various SMB relay attacks.” continues the expert.
According to EdgeSpot, Adobe failed to properly patch the CVE-2018-4993 vulnerability discovered by Check Point.
“In April or May 2018, Check Point released a blog post detailing a NTLM leaking vulnerability on Adobe Reader & Foxit Reader. Later, Adobe released a security advisory claiming the vulnerability was fixed since Acrobat Reader DC 2018.011.20040.” wrote EdgeSpot. “However, we found that only one variant of this vulnerability were successfully patched by Adobe, and the other variant was not actually addressed.”
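The leak described above works because a PDF can carry a reference to a remote share that the reader resolves when the document is opened, so a defender can at least flag documents containing such references before they reach a user. The scanner below is an added example written for this page, not code from Adobe, Check Point or EdgeSpot; it decodes PDF literal and hex strings, inflates FlateDecode streams, and reports any UNC path or smb:// URL it finds. The sample PDF, its object keys and the host attacker-host.invalid are constructed for the test.

```python
"""Heuristic scanner for PDF files that reference remote SMB shares.

Added example (not Adobe's, Check Point's or EdgeSpot's code): it decodes PDF
literal and hex strings, inflates FlateDecode streams one level deep, and
reports any UNC path or smb:// URL found, the kind of reference that makes a
viewer reach out to a remote SMB server. Sample PDF and host are constructed.
"""
import re
import zlib

# Matched against *decoded* strings: \\host\share... or smb://host/...
REMOTE_RE = re.compile(r"\\\\[A-Za-z0-9_.\-]+\\[^\s()]*|smb://[^\s()]+")
# Raw PDF syntax: (literal string), <hex string>, stream ... endstream
LITERAL_RE = re.compile(rb"\((?:[^()\\]|\\.)*\)", re.DOTALL)
HEX_RE = re.compile(rb"(?<!<)<([0-9A-Fa-f\s]+)>(?!>)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

_ESCAPES = {b"n": "\n", b"r": "\r", b"t": "\t", b"b": "\b", b"f": "\f",
            b"(": "(", b")": ")", b"\\": "\\"}


def decode_literal(body: bytes) -> str:
    """Decode the inside of a PDF literal string.

    A backslash in the file is written as '\\\\', so a UNC path only becomes
    visible after this step; '\\ddd' octal escapes and backslash-newline
    continuations are resolved as well.
    """
    out, i = [], 0
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\" and i + 1 < len(body):
            nxt = body[i + 1:i + 2]
            if nxt in _ESCAPES:
                out.append(_ESCAPES[nxt])
                i += 2
                continue
            if nxt in b"01234567":              # up to three octal digits
                j = i + 1
                while j < min(len(body), i + 4) and body[j:j + 1] in b"01234567":
                    j += 1
                out.append(chr(int(body[i + 1:j], 8)))
                i = j
                continue
            if nxt in (b"\r", b"\n"):           # line continuation: drop both
                i += 2
                continue
        out.append(c.decode("latin-1"))
        i += 1
    return "".join(out)


def decode_hex(body: bytes) -> str:
    """Decode a PDF hex string; an odd trailing digit is padded with 0."""
    digits = re.sub(rb"\s+", b"", body)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def extract_strings(data: bytes) -> list[str]:
    """All literal and hex strings in a chunk of PDF syntax, decoded."""
    found = [decode_literal(m.group(0)[1:-1]) for m in LITERAL_RE.finditer(data)]
    found += [decode_hex(m.group(1)) for m in HEX_RE.finditer(data)]
    return found


def find_remote_references(pdf: bytes) -> list[str]:
    """Return the distinct UNC/smb:// references found anywhere in the PDF,
    including inside FlateDecode streams (other stream filters are skipped)."""
    candidates = extract_strings(pdf)
    for m in STREAM_RE.finditer(pdf):
        try:
            candidates += extract_strings(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue                            # not Flate data, or corrupt
    hits = set()
    for s in candidates:
        hits.update(REMOTE_RE.findall(s))
    return sorted(hits)


def pdf_escape(text: str) -> bytes:
    """Escape text for a PDF literal string (backslashes and parentheses)."""
    return (text.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
            .encode("latin-1"))


# Constructed test fixture: a minimal PDF with one UNC file specification and
# an smb:// URL hidden as a hex string inside a Flate-compressed stream.
UNC_PATH = r"\\attacker-host.invalid\share\doc.pdf"        # placeholder host
_HEX_OBJ = (b"<< /URL <" + "smb://attacker-host.invalid/share".encode().hex().encode()
            + b"> >>")
_STREAM = zlib.compress(_HEX_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    + b"3 0 obj << /Type /Filespec /F (" + pdf_escape(UNC_PATH) + b") >> endobj\n"
    + b"4 0 obj << /Length " + str(len(_STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + _STREAM + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for ref in find_remote_references(SAMPLE_PDF):
        print("remote reference:", ref)
```

A hit only means the document refers to a remote share; whether the viewer actually resolves it depends on the surrounding action and the viewer's patch level, so treat the output as a triage signal, not a verdict.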
Adobe also addressed an out-of-bounds read flaw in Flash Player (CVE-2018-15978) that can lead to information disclosure. The flaw affects the Windows, macOS, Linux and Chrome OS versions of Flash Player; the risk of exploitation associated with the issue is very low.
“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address an important vulnerability in Adobe Flash Player 22.214.171.124 and earlier versions. Successful exploitation could lead to information disclosure.” reads the security advisory published by Adobe.
The third flaw addressed by Adobe Patch Tuesday updates for November 2018 is an out-of-bounds read issue that affects Windows and macOS versions of Photoshop CC. Exploitation of the flaw can lead to information disclosure. Adobe credited an anonymous researcher who reported it via Trend Micro’s Zero Day Initiative (ZDI).
“Adobe has released updates for Photoshop CC for Windows and macOS. These updates resolve an important vulnerability in Photoshop CC 19.1.6 and earlier 19.x versions. Successful exploitation could lead to information disclosure.” states the Adobe advisory.
According to Adobe, there is no evidence that any of these flaws addressed with Adobe Patch Tuesday updates for November 2018 have been exploited in attacks in the wild.
The post Adobe Patch Tuesday updates for November 2018 fix known Acrobat flaw appeared first on Security Affairs.
- What is Russia's GRU Intelligence Agency?
- The risks of cyber-conflict with Russia
- Russia accused of net hack attacks
- Russian spy: What happened to the Skripals?
- The systems database of the Montreal-based World Anti-Doping Agency (Wada), using phishing to gain passwords. Athletes' data was later published
- The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
- Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets - Fontanka.ru and news agency Interfax - in October 2017. They used ransomware to encrypt the contents of a computer and demand payment
- An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen
Notable ICO Security-Related Fines
- Facebook fined £500,000 over Cambridge Analytica Scandal. The ICO said that the fine would have been considerably higher under the GDPR which came into force on 25 May this year but cannot be applied to this case due to the timing of events.
- Equifax fined £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017
- Carphone Warehouse fined £400,000 for failing to adequately protect customer and employee data
- TalkTalk fined £400,000 after 157,000 customer records were stolen in 2015
- Sony fined £250,000 following the PlayStation network hack in 2013
- The British and Foreign Bible Society fined £100,000 in June 2018 following a cyber-attack that compromised personal data of 417,000 people
Interesting article on Bloomberg on "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. That didn't stop ex-Security Minister Admiral Lord West calling out the Chinese, saying Chinese IT kit 'is putting all of us at risk' if used in 5G. He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua. BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating that a Chinese espionage group known as APT10 is attacking IT suppliers to target military and intelligence information.
NCSC is seeking feedback on the latest draft 'knowledge areas' of CyBOK, a cyber security body of knowledge which it is supporting along with academics and the wider security industry.
Google is finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers said, in what seem like coordinated announcements, that businesses must accept TLS versions 1.0 and 1.1 will no longer be supported after Q1 2020:
- Google, with Chrome, said it will deprecate the protocol versions from January 2020
- Mozilla with Firefox have set a deprecation date of March 2020
- Apple with Safari have a deprecation date of March 2020
- Microsoft said both Edge and IE will disable the protocols in the 'first half' of 2020.
- UK Blames Russian GRU for Cyber Attacks and Vows to Respond
- BA Website and Data Breach by Magecart deeper than first thought
- Morrisons Loses Court Appeal over Employee Data Theft
- Cathay Pacific Data Breach exposes PII of 9.4 million Customers
- CyBOK: Feedback sought on NCSC's Cyber Security Body of Knowledge
- Big Four Web Browser Providers say Businesses must Accept TLS v1.0 & v1.1 End of Life by Q1 2020
- Facebook fined £500k by ICO over Cambridge Analytica Scandal
- Hackers Accessed Names and Contact Details of nearly 30 Million Facebook Users
- Chinese IT Kit 'putting all of us at risk' if used in 5G says Ex-security minister Admiral Lord West
- MoD Secrets Exposed in dozens of Cyber Security Breaches
- Plug pulled on Social Network Google+ after Users’ Data Left Exposed
- Heathrow fined £120K by the ICO for USB stick Data Breach
- Fifa Hacked again as officials fear Information has been illegally obtained
- US Weapons Systems can be 'easily hacked'
- UK Government Launches IoT Code of Practice
- Microsoft Patches 49 Vulnerabilities, 12 of which are Critical for Chakra, IE\Edge, MS XML, Scripting Engine & Hyper V
- Adobe Releases Fixes 86 Vulnerabilities for Acrobat and Acrobat Reader
- Adobe Patches Vulnerabilities in Adobe Digital Editions, Experience Manager, FrameMaker & Tech Comms Suite
- TP-Link (TL-WRN841N) Router Vulnerable to Remote Takeover Flaw
- Cisco release Patches for 36 Vulnerabilities, 3 of which are Critical
- Cisco Patches Command Injection Bug in WebEx Meetings Desktop App for Windows
- Vulnerability found in Sophos Anti-Malware Product
- Oracle release Security Updates for 45 Critical-Rated Vulnerabilities
- Amazon Patches IoT and Critical Infrastructure Security Flaws
- FireEye outs APT38 as North Korean Cyber Bank Heist Gang
- APT28 Threat: National Cyber Security Centre warning to UK Companies
- DDoS and Ransomware tools for Starter and Experienced Cybercriminals Exposed
- Cobalt Gang targets Banks and Financial Service providers by sneaking PDFs past staff
- Enigmatic Cyber Espionage Campaign revives source code from old foe APT1
- Exploit Kits: Autumn 2018 Update
- Crypto-Locking Kraken Ransomware Looms Larger
- ICO reveals 400% Increase in Reports of Cyber-Security Incidents
- ICO Average data breach fines have doubled as ICO hints at Higher Fines
- Radware 2018 State of Web Application Security Report
- Abandoned Web Applications 'hidden threat to Corporate Security’ says High-Tech Bridge Report
Cybersecurity firm Palo Alto Networks says it has discovered a fake Flash updater that has been duping conscientious computer users since August. The fake updater installs files that sneak in a cryptocurrency mining bot called XMRig, which mines Monero.
But here's the catch: while the fake updater is installing the XMRig malware, it also updates the user's Flash.
Via: The Next Web
Source: Palo Alto Networks
Hackers stole up to 34,000 Butlin's guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in last year's hack from 1.2 million to 10 million, including 5.9 million payment cards. Dixons offered no explanation as to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.
Huawei continues to face scrutiny over the security of its products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second-largest smartphone provider. A 16-year-old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.
On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups by taking down six domains that hosted mimicked websites, likely intended for future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese hotel group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, which is said to be responsible for stealing millions of credit card and customer details from businesses across the world.
On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigator (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month; the highlight was a demonstration of a vulnerability found by Secarma researchers, namely a PHP flaw which places CMS sites at risk of remote code execution.
There were plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe; the latter released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server), and there was a reminder that fax machines and all-in-one network devices could be used by hackers as a way into corporate networks.
Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month, Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy
- T-Mobile Breach Affects Two Million Customers
- Air Canada Mobile App Breach Affects 20,000 People
- Microsoft takes down 'Russian political Hackers
- Dixons admits Data Breach now Affects 10 million
- Butlin's says Guest Records may have been Hacked
- Huawei set to face even more scrutiny from UK Security Forces
- Reddit user data compromised after 'serious’ Hack
- Instagram Hack sees accounts replaced with film stills
- UK Universities among 76 targeted by Hackers
- Bank of Spain hit with DDoS Attack
- Chinese Hotel Group leak of Millions of Guests’ Data
- Reported Data Breaches up 160% since GDPR
- US warns of Supply Chain Cyber-Attacks
- PGA Championship hit by Ransomware Attack
- Teenage fan Hacks into Apple network
- NIST issues Guidance for Protecting Medical IoT devices
- FBI arrests key members of 'prolific’ FIN7 Cyber Crime Group
- Microsoft Patches 60 Vulnerabilities for Windows, IE\Edge, Office, .NET, Exchange, SQL, Chakra and Adobe
- PHP flaw places CMS sites at risk of remote code execution
- Adobe Releases Important Fixes for Flash Player
- Adobe Releases Critical Fixes for Acrobat and Acrobat Reader
- Adobe pushes out ‘out-of-band’ Critical Updates for Photoshop CC
- Adobe issues ‘out of band’ Patch for Creative Cloud Desktop Application
- Cisco Patches DoS-related flaws in AsyncOS, Unified Comms Manager (CUCM, IM, and P) and ASA
- 'Foreshadow' attack affects Intel chips
- Fax machines and all-in-one devices could be used by Hackers to Infiltrate Networks
- Security update issued after Critical RCE vulnerability found in the core of Apache Struts
- Cyber fall-out of nation-state conflicts extends beyond politics
- Experts warn of increase in Phishing Attacks targeting Cryptocurrency
- Latest Mirai variant leverages open source project for cross-platform infections
- AdvisorBot Downloader in Malware Campaign targeting Hotels, Restaurants, and Telecoms
- Researchers find new POS malware with no data exfiltration capabilities
- CrowdStrike: Global Supply Chain Survey, two-thirds of organisations attacked
- Mimecast ESRA Report: Email attacks on the rise, say 80% of Businesses
- Data Leakage Prevention (DLP) – ISF Briefing Paper
- Cyber-Attack! Would your firm handle it better than this?
- Unpicking the Cyber-Crime Economy
Third-party services also need to be security assured, as seen with the Typeform compromise. Typeform is a data collection company; on 27th June, hackers gained unauthorised access to one of its servers and accessed customer data. According to its official notification, Typeform said the hackers may have accessed the data held on a partial backup, and that it had fixed a security vulnerability to prevent a recurrence. Typeform has not provided any details of the number of records compromised, but one of its customers, Monzo, said on its official blog that it was in the region of 20,000. Interestingly, Monzo also declared it would end its relationship with Typeform unless it wins their trust back. Travelodge is one UK company known to be impacted by the Typeform breach and has warned its impacted customers. Typeform is used to manage Travelodge’s customer surveys and competitions.
Other companies known to be impacted by the Typeform breach include:
- 80,000 Hours (a career advice provider) – 8,300 customers: names, emails, mobile numbers
- Revolut – 11,000 customers; ICO is known to be informed
- Fortnum and Mason (food retailer) – 23,000 customers
- UK Liberal Democrat Party
- Airtasker (Australian job marketplace)
- Tasmanian Electoral Commission
- Baker Delight
- German SPCAF & Rencore
Facebook-Cambridge Analytica data scandal
Facebook reveals its data-sharing VIPs
Cambridge Analytica boss spars with MPs
A UK government report criticised the security of Huawei products, concluding the government had "only limited assurance" that Huawei kit posed no threat to UK national security. I remember being concerned many years ago when I heard BT had ditched US Cisco routers for Huawei routers to save money; not much was said about the national security aspect at the time. The UK government report was written by the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up in 2010 in response to concerns about BT's and other UK companies' reliance on the Chinese manufacturer's devices; by the way, that body is overseen by GCHQ.
Banking hacking group "MoneyTaker" has struck again, this time stealing a reported £700,000 from a Russian bank, according to Group-IB. The group is thought to be behind several other hacking raids against UK, US, and Russian companies. The gang compromised a router, which gave them access to the bank's internal network; from that entry point, they were able to find the specific system used to authorise cash transfers and then set up the bogus transfers to cash out £700K.
- NHS Data Breach affects 150,000 Patients due to Third-Party Supplier Coding Error
- Names and flight details exposed in Thomas Cook Customer Data Breach
- Hackers net almost $1m in Russian Bank Raid
- Hacker found selling info on top-secret MQ-9 Reaper UAV on the Dark Web
- Ex-Apple Engineer on Route to China Arrested for stealing secret info on Autonomous Car Project
- Telefonica Breach leaves Data on Millions Exposed
- Facebook fined £500,000 by the ICO for Cambridge Analytica Data Breach
- Several Companies Customer Data compromised by Hacked Third Party Supplier Typeform
- UK Gov Criticises the Security of Huawei Products
- Flaws in Health and Fitness Wearables help Hackers poach Personal Data of Users
- Singapore Personal Data Hack hits 1.5m, Health Authority says
- Banking Trojans Rocket & Cryptomining here to stay
- BAE Systems launches ‘The Intelligence Network’
- Two New Spectre Vulnerability Variants Emerge
- New and Improved Magniber Ransomware within Asia
- Russia leads the Nation-state Attacks against Business according to a Report by Carbon Black
- Financial Times Special Report on Cyber Security
- Banking Trojans rocket, while cryptomining is here to Stay according to the Check Point Global Threat Index
- The share of Cryptomining attacks grew from 7% to 32% of all Attacks in just Six months
Ticketmaster reported the data theft of up to 40,000 UK customers, which was caused by a security weakness in a customer support app hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. Ticketmaster informed affected customers to reset their passwords and has offered impacted customers a free 12-month identity monitoring service with a leading provider. No details were released on how the hackers exploited the app to steal the data, though it was likely a malware-based attack. However, there are questions over whether Ticketmaster disclosed and responded to the data breach quickly enough, after digital banking company Monzo claimed the Ticketmaster website showed up as a CPP (Common Point of Purchase) in an above-average number of recent fraud reports. The company noticed 70% of fraudulent transactions with stolen payment cards had used the Ticketmaster site between December 2017 and April 2018. The UK's National Cyber Security Centre said it was monitoring the situation.
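Monzo's observation above is a Common Point of Purchase (CPP) analysis: a card issuer looks for a merchant that shows up far more often among cards later reported as compromised than among cards in general. The script below is an added example of that detection logic, not Monzo's or Ticketmaster's code; the transactions, card IDs and merchant names are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample data: (card_id, merchant) pairs seen by the issuer.
# Every card shops at the supermarket, six cards also used the ticket site,
# and two cards used the coffee shop. None of this is real transaction data.
TRANSACTIONS = [
    ("c01", "supermarket"), ("c01", "ticket-site"),
    ("c02", "supermarket"), ("c02", "ticket-site"), ("c02", "coffee-shop"),
    ("c03", "supermarket"), ("c03", "ticket-site"),
    ("c04", "supermarket"), ("c04", "ticket-site"),
    ("c05", "supermarket"), ("c05", "ticket-site"),
    ("c06", "supermarket"), ("c06", "ticket-site"),
    ("c07", "supermarket"), ("c07", "coffee-shop"),
    ("c08", "supermarket"),
    ("c09", "supermarket"),
    ("c10", "supermarket"),
]

# Constructed: cards that later appeared in fraud reports.
COMPROMISED_CARDS = {"c01", "c02", "c03", "c04", "c05"}


def common_points_of_purchase(transactions, compromised_cards, min_cards=3):
    """Rank merchants by how over-represented they are among compromised cards.

    Returns a list of (merchant, compromised_cards_seen, share_of_compromised,
    lift) tuples, highest lift first. 'share_of_compromised' is the fraction
    of compromised cards that shopped at the merchant (the 70% figure in
    Monzo's analysis); 'lift' divides that by the same fraction over all
    cards, so a merchant everybody uses (the supermarket) scores 1.0 and
    is not flagged as the breach point.
    """
    merchants_by_card = defaultdict(set)
    for card, merchant in transactions:
        merchants_by_card[card].add(merchant)

    total_cards = len(merchants_by_card)
    compromised_seen = [c for c in compromised_cards if c in merchants_by_card]
    if total_cards == 0 or not compromised_seen:
        return []

    all_cards_at = Counter()          # merchant -> distinct cards that used it
    compromised_at = Counter()        # merchant -> distinct compromised cards
    for card, merchants in merchants_by_card.items():
        for merchant in merchants:
            all_cards_at[merchant] += 1
            if card in compromised_cards:
                compromised_at[merchant] += 1

    ranking = []
    for merchant, n_hit in compromised_at.items():
        if n_hit < min_cards:         # too few cards to draw a conclusion
            continue
        share_compromised = n_hit / len(compromised_seen)
        share_all = all_cards_at[merchant] / total_cards
        lift = share_compromised / share_all
        ranking.append((merchant, n_hit, round(share_compromised, 2), round(lift, 2)))
    ranking.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return ranking


def cpp_report():
    """Run the analysis over the constructed sample; top result is the suspect CPP."""
    return common_points_of_purchase(TRANSACTIONS, COMPROMISED_CARDS)


if __name__ == "__main__":
    for merchant, n_hit, share, lift in cpp_report():
        print(f"{merchant:12s} compromised cards={n_hit} share={share} lift={lift}")
```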
TSB customers were targeted by fraudsters after major issues with its online banking systems were reported. The TSB technical issues were caused by a botched system upgrade rather than hackers. TSB bosses admitted 1,300 UK customers had lost money to cyber crooks during its IT meltdown; all were said to be fully reimbursed by the bank.
- Couple 'lose thousands' to TSB fraudsters
- TSB letter error 'may have broken law'
- TSB left man on hold as his wedding savings were stolen
Facebook woes continue; this time a bug changed the default sharing setting of 14 million Facebook users to "public" between 18th and 22nd May. Users who may have been affected were said to have been notified via the site’s newsfeed.
Chinese Hackers were reported as stealing secret US Navy missile plans. It was reported that Chinese Ministry of State Security hackers broke into the systems of a contractor working at the US Naval Undersea Warfare Center, lifting a massive 614GB of secret information, which included the plans for a supersonic anti-ship missile launched from a submarine. The hacks occurred in January and February this year according to a report in the Washington Post.
Elon Musk (Tesla CEO) claimed an insider sabotaged code and stole confidential company information. According to CNBC, in an email to staff, Elon wrote “I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties". Tesla has filed a lawsuit accusing a disgruntled former employee of hacking into the systems and passing confidential data to third parties. In the lawsuit, it said the stolen information included photographs and video of the firm's manufacturing systems, and that the business had suffered "significant and continuing damages" as a result of the misconduct.
As always, a busy month for security patching, Microsoft released 50 patches, 11 of which were rated as Critical. Adobe released their monthly fix for Flash Player and a critical patch for a zero-day bug being actively exploited. Cisco released patches to address 34 vulnerabilities, 5 critical, and a critical patch for their Access Control System. Mozilla issued a critical patch for the Firefox web browser.
- Dixons Carphone Admits 5.9M Payment Cards and 1.2 M Personal Records Data Breach
- European Authority and the ICO both Fine Yahoo! and Optical Center £250,000
- Ticketmaster Discloses Data Theft of up to 40,000 UK Customers via Third-Party Customer Support App
- Wi-Fi Alliance issues WPA3 Standard to improve Wireless Security
- Chinese Hackers Steal Secret US Navy Missile plans in Contractor Breach
- Tesla Chief Elon Musk says an Insider Maliciously Changed Code and Exfiltrated Data
- HealthEquity Exposes PII of 23,000 Customers after Employee fell for Phishing Scam
- Privacy by Design Standard being developed for IOT devices and apps
- TSB admits 1,300 accounts hit by Fraud amid IT Meltdown
- Facebook privacy bug 'affects 14 Million Users’
- Swann Home Security sends Video to Wrong User
- Hackers exploit FastBooking flaw to steal Customer Data from Hundreds of Hotels
- Ransomware hits Atlanta Police Dashcam Footage
- 27 Million Account Data Breach and Website Defacement Rock Ticketfly
- Australian Bank Mistakenly Sent Data on 10K Customers to Wrong Domain
- Watchdog org accuses HMRC of collecting 5.1 million audio signatures without consent
- Microsoft Patches 50 Vulnerabilities for Windows IE\Edge, Office, Chakra & Flash
- Adobe Releases Critical Fixes for Flash Player
- Adobe issues a critical patch after Flash zero-day bug actively exploited in Middle East
- Cisco Patches 34 vulnerabilities, 5 Critical
- Cisco patches Critical Secure Access Control System (ACS) Remote Code Execution Flaw
- Mozilla issues Critical patches for Firefox ESR 52.9, Firefox ESR 60.1, and Firefox 61
- VPNFilter Malware Affects more Devices and Exploits Endpoints
- Sofacy rolls out Zebrocy Toolkit to hit Government Targets
- Olympic Destroyer Threat Group Switches Target Sectors
- TG-3390 deemed responsible for Watering Hole Attacks
- Scammers Abuse Multilingual Domain Names
- 539% uptick in Attacks Targeting Consumer-grade Routers Since, Report
The GDPR's potentially hefty financial penalties for breaching its requirements are firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all received in recent weeks about changes to company privacy statements and requesting consent, many of which I noted were not GDPR compliant in how they obtained "explicit consent" from the data subject. So, based on what I've seen so far in my mailbox, there is a long way to go for many organisations before they reach a truly GDPR compliant state.
Cybercriminals have been quick to take advantage of the deluge of GDPR privacy emails, using the subject matter in their phishing attacks to gain access to accounts and con victims.
- NatWest Customers targeted by Scammers
- Phishing campaign targeting Airbnb customers
- Phishing campaign targeting Apple.
- GDPR Fraudster con people with wave of Phishing Emails
Developing GDPR Compliant Applications Guidance
- Part 1: A Developer's Guide to the GDPR
- Part 2: Application Privacy by Design
- Part 3: Minimizing Application Privacy Risk
Always make sure your Broadband Router\Hub does not permit remote administrative access (over the internet) and is always kept up-to-date with the latest security patches; otherwise, it will be at serious risk of being hacked and remotely controlled by cyber-criminals. As evidenced this month, a DNS flaw in over 800,000 Draytek routers allowed hackers to take them over, malware called VPNFilter infected 500,000 routers, and serious vulnerabilities were reported in TP-Link EAP controllers.
IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. Quite frankly, in any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need USB devices to move data either internally or externally with third parties, so I see banning all USB devices as a rather smart business and security move, as it forces staff to use the more secure and more efficient technology made available.
As my @securityexpert Twitter account crossed the 10,000 follower threshold, Twitter advised 300 million users to reset their passwords after an internal error. Apparently, the passwords for the Twitter accounts were accidentally stored in a database as their "plain text" value instead of as a hashed value, which is best practice. I always strongly recommend that Twitter users take advantage of the multi-factor authentication system Twitter provides, which reduces the risk of account hacking.
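To make the "plain text versus hashed" distinction concrete, here is an added example (my own illustration, not Twitter's code) showing the storage mistake beside the salted, slow-hash form, plus the simple audit check an engineer can run over stored records to confirm the secret itself is never persisted. The store is an in-memory dict and the user names and passwords are constructed.

```python
import hashlib
import hmac
import json
import os

# PBKDF2 is used because it is in the standard library everywhere; scrypt or
# Argon2 are preferable where available. Iteration count is an assumption
# chosen to keep the example fast.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(db, username, password):
    """The mistake: the stored record *is* the secret, so any database dump,
    backup or log line that includes it gives the password away."""
    db[username] = {"password": password}


def store_hashed(db, username, password):
    """Best practice: a per-user random salt plus a deliberately slow hash.
    The record contains nothing from which the password can be read back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    db[username] = {"salt": salt.hex(), "hash": digest.hex()}


def verify(db, username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None or "hash" not in record:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_leaks_password(db, username, password):
    """Audit check: does the serialised record contain the password verbatim?
    Run over a sample of accounts, this is how the Twitter-style bug shows up."""
    return password in json.dumps(db.get(username, {}))


if __name__ == "__main__":
    bad, good = {}, {}
    store_plaintext(bad, "alice", "correct horse battery")   # constructed
    store_hashed(good, "alice", "correct horse battery")
    print("plaintext store leaks:", record_leaks_password(bad, "alice", "correct horse battery"))
    print("hashed store leaks:   ", record_leaks_password(good, "alice", "correct horse battery"))
    print("verify correct:", verify(good, "alice", "correct horse battery"))
    print("verify wrong:  ", verify(good, "alice", "wrong"))
```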
Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.
As always a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws. Click the links for the full details.
Analysis of DDoS attacks at Cloudflare has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks.
Some interesting articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak.
Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe; the LastPass Psychology of Passwords Report, which found 59% of people surveyed used the same passwords across multiple accounts, despite 91% of them knowing that using the same password for multiple accounts is a security risk; and the 2017 Cylance Report, which stated that the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.
- IBM Release Application Developers Guidance to the GDPR (written by me)
- NHS gets new Data Security and Protection Toolkit
- European Directive NIS Comes into Force
- Twitter Advises 330 Million Users to Change Passwords after Internal Leak
- IBM Workers Banned from using USB Sticks
- T-Mobile Website bug Exposed Personal Customer Data
- UK Colleges Hit by 12 Cyber Attacks A Week
- Coca-Cola Hit with Insider Breach, 8,000 Affected
- London Cyber Crime pair Jailed for £1m Phishing Scam
- A Year after WannaCry, is NHS better prepared?
- The Welsh Cyber Security Revolution
- UK begins to Formalise its Legal approach to Cyber War
- BMW Cars found to contain more than a Dozen Flaws
- Scammers are using GDPR email alerts to Conduct Phishing Attacks
- Microsoft Patches 70 Vulnerabilities for Windows IE/Edge, Exchange, Hyper-V & Chakra
- Adobe Releases Critical Fixes for Flash Player
- PHP Programming Languages updated to Fix Multiple Bugs
- Critical Vulnerabilities found in PGP/GPG, S/MIME
- DNS Flaw allows Hackers to change DNS settings in 800,000 Draytek Routers
- Multiple Flaws in TP-Link EAP Controller
- Google Fixes 24 bugs in Chrome OS, Security Pass Flaw in reCAPTCHA Feature
- Six Security Flaws discovered in Dell EMC RecoverPoint Devices
- Flaw in Git could result in Remote Code Execution
- ‘Roaming Mantis’ Malware is now 'Spreading across the Globe'
- VPNFilter Malware Infects 500,000 Routers
- Cyber-Criminals Switching to Layer 7 based DDoS Attacks
- SilverTerrier uses Malware to drive BEC Attacks
- BackSwap Banking Malware bypasses Browser Protections with Clever Technique
On the international front, the Winter Olympic Games were subjected to several cyber-attacks, knocking websites and other services offline during the games. The UK government blamed Russia for the NotPetya attacks, as part of an attack on Ukraine. The allegedly North Korean state-backed APT37 (Reaper) group is believed to be expanding its cyber-attack capabilities with the objective of causing disruption, according to FireEye. An open AWS S3 bucket exposed the private information of thousands of FedEx customers, and Google reported it will label all HTTP websites as 'not secure' from July 2018.
- Digital Guardian: Do you know your data's worth?
- 77 Facts About Cyber Crime
- GDPR Preparation: Recent Articles of Note
- North Korea (APT37) expanding Cyber Attack capabilities, Intention is Disruption
- Coldroot RAT Still Undetectable Despite Being Uploaded on GitHub Two Years Ago
- Hackers could Obfuscate Malware through Code Signing and SSL Certificates
- Two New Thefts using SWIFT Network Confirmed
Any businesses or individuals using Kaspersky should be aware that the UK National Cyber Security Centre has warned government agencies against using the Russian supplier’s products and services, following a ban by US government departments in November. Barclays responded to the warning by stopping its free offering of Kaspersky anti-virus products to its customers. 2017 saw cyber security become a political football, so it is no real surprise that the UK and US once again blamed North Korea for the devastating WannaCry attacks earlier in the year; personally, I blame poor patch management and hackers, not the North Korean cyber army!
Nadine Dorries MP got herself in hot water after trying to defend now former political colleague Damian Green, following claims that Mr Green accessed porn on his Parliament computer. This activity was reported by a retired police officer, which was itself said to be a breach of the Data Protection Act. Nadine tweeted "my staff log onto my computer on my desk with my login everyday" to suggest anyone could have used Damian Green's PC to access the illicit websites. This led to widespread condemnation and a warning by the ICO to MPs on password sharing.
The fact that illicit websites were not blocked by Parliament systems is one concerning security issue, but the flagrant disregard for basic cybersecurity by government MPs is gobsmacking, especially when you consider they are supposed to understand the risk and set laws to protect UK citizens from cyber attacks and data breaches. It's another "slap palm on head" moment after the last UK Prime Minister announced he wanted to ban encryption.
2017 has seen huge rises in cryptocurrency values, which has placed cryptocurrency brokers and users' crypto coin wallets in the sights of cybercriminals. This month, mining platform NiceHash was breached by hackers who stole £51 million worth of Bitcoin, and Bitcoin exchange Youbit, which lets people buy and sell Bitcoins and other virtual currencies, shut down and filed for bankruptcy after losing 17% of its assets in cyber-attacks. I think we can expect further cryptocurrency attacks in 2018, given the cryptocurrency bubble is yet to burst.
Faked LinkedIn profiles are nothing new; however, the German Intelligence Agency (BfV) said it had spotted China using faked LinkedIn profiles to connect with and gather information on German officials and politicians, which is an interesting development.
Finally, Hackers were reported as taking advantage of poorly secured systems at UK private schools, and it was claimed hackers could turn off heating systems at UK schools and military bases.
- NCSC warns UK government agencies on use of Kaspersky Products and Services
- Morrisons Supermarket held Liable after Employee Leaks Data
- Data breach at PayPal's TIO Networks unit affects 1.6 million Customers
- Hackers target Private UK Schools
- Hackers could turn off UK School and Military Base Heating Systems
- UK & US Blame North Korea for WannaCry
- German Spy Agency warns of Chinese LinkedIn Espionage
- Nadine Dorries MP under scrutiny for comments about Password Sharing
- Three plead guilty to creating Mirai IoT Botnet Malware
- Cryptocurrency thieves steal £51 million of Bitcoin from Mining Platform
- Microsoft releases 19 Critical Security Updates for IE/Edge, Office, & Windows
- Adobe releases fixes for Flash Player
- Updates Address Security Vulnerabilities in Apache Struts versions 2.5 to 2.5.14
- Cisco Patches Multiple Vulnerabilities in WebEx Platforms
- Apple Release Security Updates shortly after releasing another KRACK Fix
- TLS exploit Capitalises on 19-year-old vulnerability; Vendors issue Patch
- TeamViewer releases Emergency Patch for Permissions Flaw
- VMware Fixes Bugs in vCenter Service Appliance and Hypervisors
- Threat Group APT-C-23 still active, releases GnatSpy Mobile Malware
- Microsoft bug CVE-2017-11882 Exploited to deliver Loki Information Stealer
- Uber paid off Hackers to delete the Stolen Data of 57 Million People
- OWASP Top Ten 2017 Released: App Development Best Practice & Top Vulnerabilities
- Equifax's Net Income down £20m and £67m Costs Post Data Breach
- Jewson tells Customers their Data may have been Stolen
- Cash Converters hit by Security Breach
- Web Analytics may Jeopardise User Information and GDPR Compliance
- US charges members of elite Chinese Hacking Unit APT3
- Imgur Discloses years-old Data Breach that Compromised 1.7 Million Users
- Hackers 'fool' iPhone X Face ID with a Simple Mask
- Tether Crypto-Currency Operator Reports $31m Raid
- Microsoft releases 20 Critical Security Updates for IE/Edge, Office, & Windows
- Adobe releases fixes for 83 Security Vulnerabilities in Acrobat and Flash
- Apple Addresses KRACK exploits in iOS and macOS Updates, and an Emergency Patch
- Cisco: Critical Vulnerability in 12 types of Voice OS-based Products
- Oracle issues emergency patch for JoltandBleed bug in Tuxedo Middleware
- Windows, Mac and Linux all at Risk from Flaws in Excel File Reader Library
- US CERT issues warning on ASLR vulnerability in Windows 8 & 10
- Intel Management engine Vulnerabilities Expose Millions of PCs to Attack
- APT28's latest Word doc Attack Eliminates needing to Enable Macros
- DDoS attacks have doubled in the six months, up 91% in the First Quarter of 2017
- New Mirai variant back on the Radar after New Exploit Code Published
- Cobalt Malware leverages recently Patched 17-year-old Microsoft Flaw