Tag Archives: security news

CyberNews: Top of the News

Huawei Backdoors Confirmed in Vodafone Documents (April 30, 2019)

Vodafone Group Plc has acknowledged that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business. While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China’s global technology prowess. This is the first time such serious Huawei security issues have been made public.
– www.bloomberg.com: Vodafone Found Hidden Backdoors in Huawei Equipment

Maersk Head of Security on Lessons Learned from NotPetya (April 29, 2019)

In late June 2017, international shipping container company Moller-Maersk was hit with the NotPetya malware. Speaking in a keynote session at CYBER UK 19, Maersk’s head of cybersecurity compliance said he was stunned by “the sheer ferocity and the speed and scale of the attack and the impact it had.” He said that the attack was a reminder that companies can become unintended victims, and that while it is important to protect systems and networks, companies also need to ensure that they have a solid recovery plan in place.

Read more in:
– www.zdnet.com: Ransomware: The key lesson Maersk learned from battling the NotPetya attack

Greenville, North Carolina, Recovering from Ransomware (April 26, 2019)

The city of Greenville, North Carolina is in the process of recovering from a ransomware attack that infected its systems on April 10. Officials say the city’s website is operational again and that some employees have email. The city said it never planned to pay the ransom. IT staff is reimaging all of the city’s computers.

Read more in:
– www.scmagazine.com: Greenville in recovery phase from Robbinhood ransomware attack
– www.wnct.com: City of Greenville bouncing back from ransomware attack

Cleveland Airport Malware Update (April 29, 2019)

Flight and baggage information monitors are once again operational at Cleveland’s Hopkins International Airport. Last week, city officials said that the problems were not caused by ransomware. At a press conference on Monday, April 29, Cleveland’s Chief Information Officer said that the malware that infected computers at the airport was indeed ransomware. Airport officials did not respond to the ransomware demands. The FBI is investigating.

Read more in:
– www.cleveland.com: Cleveland acknowledges for first time Hopkins airport hack involved ransomware
– www.wkyc.com: Flight screens working again at Cleveland Hopkins Airport after going dark amid malware discovery

CyberSecurity: Top of the News (11 March, 2019)

Senate Panel Equifax Investigation Findings Released (March 8, 2019)

A Senate panel investigation into the 2017 Equifax breach found that the company again and again neglected to take adequate precautions to protect the consumer data it held. The panel’s report makes several recommendations, including that “Congress should pass legislation that establishes a national uniform standard requiring private entities that collect and store PII to take reasonable and appropriate steps to prevent cyberattacks and data breaches.”
Editor’s Note

[Neely]
Equifax has lots of company: a recent study found most of the Fortune 100 companies had similar problems. The argument for stability or status quo, versus the expense of regression testing, possible downtime, to apply updates and security fixes is not new and has to be baked into the business. Reliance on regulatory requirements alone is insufficient. Until security is immutable in the board room this will continue.
Read more in:
– www.theregister.co.uk: Tech security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal
– www.carper.senate.gov: How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach: Staff Report (PDF)

RSA Panel: The Five Most Dangerous New Attack Techniques and How to Counter Them (March 7, 2019)

At the Five Most Dangerous New Attack Techniques and How to Counter Them panel at the RSA conference in San Francisco on Thursday, March 7, Ed Skoudis, Heather Mahalik, and Johannes Ullrich described attack techniques and remediations and answered questions from audience members.
Read more in:
– www.rsaconference.com: The Five Most Dangerous New Attack Techniques and How to Counter Them (video)

GAO Chief Enumerates High Risk List Issues for Legislators (March 6, 2019)

Head of the US Government Accountability Office (GAO) Comptroller General Gene Dodaro spoke to panels at both the House and the Senate regarding the GAO’s recently published High Risk List, which examined 35 areas in “federal programs/operations that are vulnerable to waste, fraud, abuse, and mismanagement, or that need broad reform.” Dodaro told members of the Senate panel that the administration’s National Cyber Security Strategy, released last fall, provides “no implementation plan, definition of responsibilities, or metrics.” Dodaro told the House panel that federal IT systems have the same “material weaknesses” every year, due in part to legacy IT systems. Dodaro also questioned federal agency heads’ attention to known cybersecurity issues, saying that the problems lack “top-level management attention.”
Read more in:
– fcw.com: Cyber strategy short on specifics and metrics, says GAO
– www.meritalk.com: Comptroller Questions Priority Given by Agency Heads to Cybersecurity Issues
– www.gao.gov: HIGH-RISK SERIES: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas (Highlights)
– www.gao.gov: HIGH-RISK SERIES: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas (full report – PDF)

CyberSecurity: The Rest of the Week’s Cyber News

Bitcoin Stolen From Electrum Wallets (December 27, 2018)
More than 200 bitcoin has been stolen from Electrum wallets since December 21. The attacker or attackers exploited a vulnerability in the Electrum architecture that allows Electrum servers to trigger custom pop-ups in users’ wallets. The attack involves adding malicious servers to the Electrum network. When a legitimate transaction initiated by a user reached one of the malicious servers, the server would display a message urging the user to download a malicious wallet update from an unauthorized GitHub repository. GitHub admins have taken down the repository, but the pop-up issue has not been fixed.
 
Read more in:
– www.zdnet.com: Users report losing Bitcoin in clever hack of Electrum wallets

Shamoon Sample Signed with Expired Baidu Certificate (December 27, 2018)
A new sample of the Shamoon disk-wiping malware was uploaded to VirusTotal. It uses an expired digital certificate issued by Baidu. The Shamoon sample is disguised as a Baidu system optimization tool.
 
Read more in:
– www.bleepingcomputer.com: New Shamoon Sample from France Signed with Baidu Certificate

FBI Warns of Port 1911 Vulnerability in Buildings’ Control Systems (December 27, 2018)
In a recent industry advisory, the FBI warned that port 1911, which is used to communicate with control systems in buildings, could be used to access unpatched devices on those networks. The report warns that “successful exploitation could lead to data leakage and possible privilege escalation.”
Read more in:
– www.cyberscoop.com: FBI warns industry that hackers could probe vulnerable connections in building systems

Guardzilla Home Security System Has Hard-Coded Credentials (December 27, 2018)
A vulnerability in the GZ501W Guardzilla home security device could be exploited to access stored video data. The device uses a shared Amazon S3 credential for storing video in the cloud. Guardzilla learned of the vulnerability on October 24.
 
Editor’s Note

[Neely]
The hard-coded credentials provide access to multiple Guardzilla S3 buckets, rather than a device specific storage location. The additional buckets include free and premium storage as well as development and test buckets. The device firmware root account had an easily cracked DES encoded password. The root password and AWS have been published. Mitigation is dependent on a firmware update from Guardzilla. Changing the firmware to use an intermediate system to limit devices to specific storage with end-user supplied credentials as well as resolving any vulnerabilities in supporting software will be a significant change for Guardzilla, who is keeping tight-lipped about their response to the issue.
Read more in:
– www.cyberscoop.com: Flaw in Guardzilla home security devices allows outsiders to view stored video, researchers say
– www.forbes.com: 0DayAllDay Hackers Go Godzilla On Guardzilla To Reveal A Real Video Nasty
– blog.rapid7.com: R7-2018-52: Guardzilla IoT Video Camera Hard-Coded Credential (CVE-2018-5560)

San Diego Unified School District Discloses Data Breach (December 25 & 26, 2018)
On Friday, December 21, the San Diego (California) Unified School District posted a notice on its website acknowledging that a hacker stole personally identifiable information of 500,000 students and staff members from its network. The hacker was able to gain access to the school district’s system through a phishing attack. Some staff members reported the suspicious emails to the IT department, which discovered the breach in October. The system was compromised from January 2018 through November 1, 2018. The hacker stole data dating back to the 2008-2009 school year. A suspect has been identified.
 
Editor’s Note

[Neely]
A concern here is that the school district data may be used to pressure parents to respond to false threats against their children. The school district is notifying those impacted and advising them to take measures to prevent fraud and identity-theft.

[Northcutt]
If you read to the bottom of the data safety note, they lost control of fairly sensitive data on minors and aren’t doing anything to help the victims. It gives weak advice in the form of “you can”.

[Murray]
In a world of “advanced persistent threat,” one person taking bait should not be sufficient to compromise so much sensitive data. I do not like the term “zero trust” security but its principle, “never trust, always verify,” and the measures that it identifies, e.g., least privilege, strong authentication, end-to-end application layer encryption, are now essential practices. New tools, including network defined security services, make this more convenient than it sounds.
Read more in:
– www.zdnet.com: Hacker steals ten years worth of data from San Diego school district
– www.scmagazine.com: San Diego Unified School District data breach exposed 500,000 students, staff, parents
– www.sandiegounified.org: Data Safety

Schneider Fixes EVLink Parking Charging Station Flaws (December 24, 2018)
Schneider Electric has fixed a critical vulnerability affecting its EVLink Parking electric vehicle charging stations. The hard-coded credential flaw could be exploited to gain access to the device. Schneider fixed two other flaws in EVLink Parking: a code injection vulnerability and an SQL injection vulnerability.
Read more in:
– threatpost.com: Critical Bug Patched in Schneider Electric Vehicle Charging Station
– download.schneider-electric.com: Security Notification – EVLink Parking (PDF)

Orange LiveBox ADSL Modems Leak Credentials (December 24 & 26, 2018)
A vulnerability affecting Orange LiveBox ADSL modems can be exploited to obtain the devices’ SSIDs and WiFi passwords with a simple GET request. More than 19,000 modems in France and Spain are affected.
 
Editor’s Note

[Neely]
Many of these routers are using default credentials (admin/admin) and are discoverable in Shodan. Once you have the credentials for the targeted SSID, a service such as WiGLE can be used to obtain the exact geolocation of that network. Possible mitigations for this threat include changing both the default credentials as well as the WiFi passwords or possibly moving to a separate WiFi access point and ADSL modem.

Read more in:
– www.zdnet.com: Over 19,000 Orange modems are leaking WiFi credentials
– threatpost.com: 19K Orange Livebox Modems Open to Attack
– www.bleepingcomputer.com: Orange LiveBox Modems Targeted for SSID and WiFi Info

Indian Government Gives Agencies Authority to Intercept, Monitor, and Decrypt Data (December 21, 2018)
The Indian government has issued an order that gives ten agencies the authority “to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer.” Individuals and organizations that refuse to comply with interception, monitoring and access requests could face fines or prison sentences of up to seven years.
Read more in:
– www.zdnet.com: India authorizes 10 agencies to intercept, monitor, and decrypt citizens’ data
– twitter.com: MHA authorizes following agencies for the purpose of interception, monitoring & decryption of any Information

CyberSecurity News: Top week’s news (Dec 14, 2018)

US Legislators Can Spend Surplus Campaign Funds on Cybersecurity (December 13, 2018)
The US Federal Election Commission says that federal legislators may use surplus campaign funds to bolster cybersecurity for their personal devices and online accounts. The decision came in response to an advisory opinion request from Senator Ron Wyden (D-Oregon).
Read more in:
– www.theregister.co.uk: US elections watchdog says it’s OK to spend surplus campaign cash

Italy’s Saipem Hit with Shamoon Data-Wiping Malware (December 12 & 13, 2018)
A new version of the Shamoon data-wiping malware has been used to target computers that belong to Italy’s Saipem, an oil and gas contractor, which does the majority of its business in the Middle East. About 10 percent of the company’s PCs were affected by the malware. Saipem is a contractor for Saudi Aramco, which was the target of earlier, highly-destructive Shamoon attacks. The newest version of Shamoon overwrites files with junk data.
Read more in:
– threatpost.com: Shamoon Reappears, Poised for a New Wiper Attack

Maritime Cybersecurity Guidance (December 12, 2018)
Shipping associations and industry groups have published the third edition of the “Guidelines on Cyber Security Onboard Ships,” which offers guidance for securing ships’ IT systems. The document also includes examples of cybersecurity and IT failure incidents, including a virus infection found on a ship’s Electronic Chart Display and Information System (ECDIS) that delayed the vessel’s departure. In other cases, systems failed due to outdated operating systems, thumb drives infected systems with malware, and ransomware infected onboard IT systems as well as shipping company backend systems. Perhaps the most well-known incident involved systems at the Maersk cargo shipping line, which became infected with the NotPetya malware. The company had to reinstall more than 4,000 servers and more than 45,000 PCs, and incurred costs of more than US $300 million.
Read more in:
– www.zdnet.com: Ships infected with ransomware, USB malware, worms

Operation Sharpshooter (December 12, 2018)
The Operation Sharpshooter phishing campaign uses phony job recruitment documents to place backdoors on computers at nuclear, defence, energy, and financial companies. The backdoor malware, dubbed Rising Sun, has been detected on systems belonging to at least 87 organizations, according to McAfee Labs. The campaign uses source code that was used in the Lazarus Group’s 2015 Trojan Duuzer backdoor. While this could suggest that the Lazarus Group is behind Sharpshooter, McAfee cautions that “numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags.”
Read more in:
– www.mcafee.com: Operation Sharpshooter (PDF)

China Cyberespionage Threat (December 11 & 12, 2018)
In a US Senate Judiciary Committee hearing, Assistant Director of the FBI’s Counterintelligence Division Bill Priestap called China “the most severe counterintelligence threat facing our country today.” Officials from the Department of Justice (DOJ) and the Department of Homeland Security (DHS) concurred. Recent news stories suggest that the Marriott breach was allegedly the work of Chinese hackers gathering intelligence.

Read more in:
– www.washingtonpost.com: Top FBI official warns of strategic threat from China through economic and other forms of espionage

Third-Party Investigation Finds No Evidence of Spy Chips on Super Micro Motherboards (December 11, 2018)
In a letter to customers, Super Micro President and CEO Charles Liang and other executives wrote that “after thorough examination and a range of functional tests, the [third-party] investigations firm found absolutely no evidence of malicious hardware on our motherboards.” A Bloomberg news story in early October 2018 alleged that Chinese spies had placed “spy chips” on Super Micro motherboards. The allegations have also been refuted by Amazon and Apple, companies that use Super Micro motherboards in their data centers.

Read more in:
– www.supermicro.com: Letter to Customers

CyberSecurity: Interesting news from around security community

Marriott said more than 500 million Starwood hotel guests had their information stolen in the largest data breach in the U.S. since Yahoo.

https://techcrunch.com/2018/11/30/starwood-hotels-says-500-million-guest-records-stolen-in-massive-data-breach/

Several car makers are transmitting data from their vehicles to China’s government, including drivers’ location.

https://apnews.com/4a749a4211904784826b45e812cff4ca

A hacker backdoored their way into the Event-Stream JavaScript library in order to inject code that steals cryptocurrency.

https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/

Google led a collaborative effort to take down a fraudulent advertising ring made up of more than 1 million compromised IP addresses.

https://security.googleblog.com/2018/11/industry-collaboration-leads-to.html

The Republicans’ House election committee said it was hacked in the run-up to the midterm elections earlier this year.

https://www.npr.org/2018/12/04/673287352/house-gop-campaign-arm-says-it-was-hacked-during-the-2018-election-cycle

Online anonymous Q&A website Quora says more than 100 million users may have had their account information compromised as part of a hack.

https://www.usatoday.com/story/tech/news/2018/12/04/quora-says-data-breach-may-affect-100-million-its-q-site/2200175002/