Cyber Attacks, Threats, and Vulnerabilities
Cybercom publicly posts malware linked to North Korean hackers (TechCrunch) U.S. Cyber Command, the sister division of the National Security Agency focused on offensive hacking and security operations, has released a set of new samples of malware linked to North Korean hackers. The military unit tweeted Wednesday that it had uploaded the malware to VirusTotal, a widely use…
ECB shuts down one of its websites after hacker attack (Reuters) The European Central Bank (ECB) shut down one of its websites on Thursday after ...
ECB Shuts Site After Subscriber Data Breach (Infosecurity Magazine) Central bank hit by hackers but market data remains safe
Capital One Cyber Staff Raised Concerns Before Hack (Wall Street Journal) Before a giant data breach, Capital One employees raised concerns within the company about what they saw as high turnover in its cybersecurity unit and a failure to promptly install some software to spot and defend against hacks, according to people familiar with the matter.
Capital One management was alerted by staff of multiple security issues prior to data breach (Computing) Employees were unhappy that routine cybersecurity measures were being neglected
New Malware Miner Sneakily Hides When Task Manager Is Open (CoinDesk) Meet "Norman" – a new variant of monero-mining malware that employs crafty tricks to avoid being spotted.
New "Norman" Malware Took Part in Large-Scale Cryptominer Infection (The State of Security) Researchers identified a large-scale cryptocurrency miner infection in which a new malware family called "Norman" took part.
Norman Cryptomining Employs Sophisticated Obfuscation Tactics (Threatpost) A new XMRig Monero cryptominer stands apart, despite its non-flashy name.
Meet Norman, the latest virus plundering Monero (Yahoo) For reasons unknown to Decrypt, they’ve called it “Norman.”
Varonis Uncovers New Malware Strains and a Mysterious Web Shell During a Monero Cryptojacking Investigation (Inside Out Security) The Varonis Security Research team recently investigated an ongoing cryptomining infection that had spread to nearly every device at a mid-size company. Analysis of the collected malware samples revealed a...
Energy Sector Phish Swims Past Microsoft Email Security via Google Drive (Threatpost) The savvy technique of avoiding malicious links in the email allowed the phish to reach its targets.
Analysis: New Remcos RAT Arrives Via Phishing Email (TrendLabs Security Intelligence Blog) In July, we came across a phishing email purporting to be a new order notification, which contains a malicious attachment that leads to the remote access tool Remcos RAT (detected by Trend Micro as BKDR_SOCMER.SM). This attack delivers Remcos using an AutoIT wrapper that incorporates various obfuscation and anti-debugging techniques to evade detection, which is a common method for distributing known malware.
Microsoft Voicemail Notifications Used As Bait in Phishing Campaign (BleepingComputer) A newly spotted phishing campaign uses Microsoft voicemail notifications as baits to trick targets into opening HTML attachments that redirect to the attackers' landing pages using a meta element.
Apache Struts Called Out For Incorrect Security Advisories (Infosecurity Magazine) Open source project may have put customers at risk with wrong info
A compendium of container escapes (Help Net Security) Brandon Edwards, Chief Scientist at Capsule8, talks about a compendium of container escapes, and the RunC vulnerability in particular.
Hackers Subvert Security Checks Like the Browser Padlock (Wall Street Journal) Recent attacks have shown that cybercriminals have co-opted techniques and tools that people commonly use to distinguish real communications and websites from fake ones, such as the padlock in a browser window.
Clickjacking Still Popular Among Online Scammers (Infosecurity Magazine) A perennial technique among online fraudsters, clickjacking isn't going away anytime soon, researchers say.
All Your Clicks Belong to Me: Investigating Click Interception on the Web (USENIX) Click is the prominent way that users interact with web applications.
Formjacking Now Accounts For Most Web Breaches (Infosecurity Magazine) Magecart and similar attacks siphon payment details direct from websites
Kaspersky AV injected unique ID that allowed sites to track users, even in incognito mode (Ars Technica) Feature Kaspersky added in 2015 also made it possible to be ID'd across different browsers.
Kaspersky Lab Exposed Users' Browsers to Website Tracking (PCMAG) Ronald Eikenberg, a journalist at German computer magazine c't, noticed the code Kaspersky Lab was injecting into browsers, and realized the privacy ramifications. 'Any website can read the user's Kaspersky ID and use it for tracking,' he wrote.
Why the deepfakes threat is shallow (Axios) Researchers say simpler kinds of disinformation are a bigger threat.
Siemens SCALANCE Products (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 6.6
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: SCALANCE Products
Vulnerabilities: Improper Adherence to Coding Standards
2.
Fuji Electric Alpha5 Smart Loader (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low skill level to exploit
Vendor: Fuji Electric
Equipment: Alpha5 Smart Loader
Vulnerability: Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute code under the privileges of the application.
Johnson Controls Metasys (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 6.8
ATTENTION: Exploitable remotely
Vendor: Johnson Controls
Equipment: Metasys
Vulnerabilities: Reusing a Nonce, Key Pair in Encryption; Use of Hard-coded Cryptographic Key
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could be leveraged by an attacker to decrypt captured network traffic.
Siemens SINAMICS (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: SINAMICS
Vulnerability: Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of this vulnerability may allow an attacker to perform a denial-of-service attack.
City of Saskatoon loses $1 million to fraudster posing as executive (Saskatoon StarPhoenix) This type of fraud has not happened before at City of Saskatoon
British Airways e-ticketing bug may have exposed data on 2.5 million passengers (ConsumerAffairs) A bug has been detected in British Airways e-ticketing system which could expose a passenger’s personal data. Researchers at Wandera, a mobile security
U.S. Coast Guard warns of cyber-attack & electronic interference threats to commercial vessels (AJOT) The U.S. Coast Guard warned of a “significant cyber incident” on one ship that “exposes potential vulnerabilities on board commercial vessels” and reported on a second incident in which “unknown interference” impacted a U.S. flag vessel. Both incidents occurred in 2019
Cyber-attack leads to forensic samples backlog (BBC News) Police warn of delays to investigations and court cases after the attack led to a backlog of 20,000 samples.
A researcher made a Lightning cable that can hack your computer (The Verge) Nothing is sacred
Why You Should Never Borrow Someone Else's Charging Cable (Forbes) Cyberhackers have figured out how to implant charging cables with malware that can remotely hijack mobile devices and computers. Here's how not to be a victim.
A Buttplug Hacker Talks Security, Consent, and Why He Hacked a Buttplug (Gizmodo) Voting machines weren’t the only thing getting penetrated at DEF CON this year.
Security Patches, Mitigations, and Software Updates
Kaspersky and Trend Micro get patch bonanza after ID flaw and password manager holes spotted (Register) Quis custodiet ipsos custodes?
Firefox fixes “master password” security bypass bug (Naked Security) The bug’s in Firefox, but our advice is worth reading whether you use Firefox or not.
Critical updates for Microsoft Patch Tuesday may cause testing headaches (Computerworld) This is a huge month for Patch Tuesday as Microsoft attempts to address 93 unique vulnerabilities spanning Windows desktop and server platforms, Microsoft Office and core development tools.
Microsoft warns of Visual Basic, VBA and VBScript 'procedure call' errors after August patches (Computerworld) Sometime in the past few hours, Microsoft posted official warnings about an 'invalid procedure call error' associated with August patches for all versions of Windows, from Win7 onward, and encompassing all flavors of Visual Basic. Who’s testing this stuff?
Cyber Trends
Thefts from cryptocurrency exchanges continue despite increased security (Help Net Security) The CipherTrace report analyzes cryptocurrency-related crime and how countries are working to foster trust and safety in the crypto economy.
Exabeam Study: Red Team vs. Blue Team Cyberattack Tests (MSSP Alert) Security professionals often prefer red team security testing, aka "ethical hacking," over blue team security assessments & analyses, an Exabeam survey shows.
Most UK financial firms hit by cyber attack in the past year (ComputerWeekly) The majority of UK financial companies are failing to prevent cyber security incidents, mainly because of employees failing to follow security policies and a lack of security budget, a survey reveals.
Marketplace
Converged Security Solutions Buys Maverick Cyber-Defense (FinSMEs) Converged Security Solutions (CSS), a Reston, Virginia-based security company, is acquiring Maverick Cyber-Defense, LLC, a Virginia-based cybersecurity company.
Accenture to Acquire Analytics8, Australian Analytics and Data Specialists (BusinessWire) Accenture entered into an agreement to acquire Analytics8, a privately held Australian big data and analytics consultancy.
Cloudflare, in its IPO filing, thanks a third cofounder: Lee Holloway (TechCrunch) Not every co-founder is acknowledged at the companies that they help to launch. Sometimes, they quit or they’re elbowed out. Often, they’re conveniently written out of the company’s history. In the case of Cloudflare, a third co-founder who began the company with its higher-profil…
Cisco: Shivering China Comments And Tech Implications (Seeking Alpha) Cisco had some frightening comments about China.
Trade War Pain Comes to Cisco Systems (The Motley Fool) The networking hardware giant for a time seemed immune to the impacts of the U.S.-China economic conflict. Not anymore.
Kaspersky touts APAC Transparency Center as proving 100% trustworthiness (ZDNet) The company's third global Transparency Center to open next year in Malaysia.
NAVAIR Selects Sabre Systems to Perform Cyber Warfare and Resiliency R&D (SIGNAL Magazine) Sabre Systems Inc., Warrington, Pennsylvania, is awarded $42,999,468 for cost-plus-fixed-fee delivery order N68335-19-F-0533 against a previously issued basic ordering agreement (N68335-16-G-0022).
Former Coinbase CTO joins crypto startup Findora (Decrypt) Balaji Srinivasan, a former executive at leading cryptocurrency exchange Coinbase, joins a stellar group of advisors at DeFi startup Findora.
Malwarebytes Snags AlienVault's Mike LaPeters To Globalize Channel (CRN) Malwarebytes has hired former AlienVault channel chief Mike LaPeters to unite the company's different regions and different types of channel partners under a single umbrella.
Products, Services, and Solutions
New infosec products of the week: August 16, 2019 (Help Net Security) BitSight Enterprise Analytics enables more effective risk management BitSight Enterprise Analytics helps security and risk leaders gain insight into the
StackRox Kubernetes Security Platform Available via Google Cloud Platform Marketplace (PR Newswire) StackRox, the leader in container and Kubernetes security, today announced that The StackRox Kubernetes...
ZeroFOX's new solution safeguards political candidates, campaigns, and organizations from threats (Help Net Security) ZeroFOX announced the availability of a new Election Protection offering to safeguard political candidates, campaigns, and organizations from threats.
You've quit Facebook, but is it finally time to ditch WhatsApp too? (The Telegraph) So you've quit Facebook, deleted the app from your phone, cleared every cookie out of your browser history, asked the company to delete all your data and endured the mandatory one-month cooling-off period.
Microsoft, Imprivata Launch Cloud Access Security Tool for Healthcare (Dark Reading) Imprivata Identity Governance enables customers to manage the provisioning, tracking, and deprovisioning of users in hybrid on-premises and cloud environments.
Technologies, Techniques, and Standards
One easy way for underwriters to find out if their clients’ data has already been breached (Canadian Underwriter) Underwriters can better price cyber insurance if they have a clear understanding of that user’s real risk of being breached. To do that, it’s essential to understand when a user’s email and password combination has been exposed in a previous…
Organizations that scan applications in production have a reduced risk of being breached (Help Net Security) Despite a significantly increased focus on application security testing, remediation rates for vulnerabilities continue to shrink.
Extending security to fourth parties your business needs, but doesn't control (Help Net Security) Fourth parties may provide a critical service but in turn extend your risk surface in ways you hadn’t understood, or can’t really attempt to control.
How to prevent data destruction from cybersecurity attacks (TechRepublic) IBM's Christopher Scott discusses malware, how cyberattackers get into environments, and why using multifactor authentication is crucial if you use an online service.
Network Deception Techniques Cut Dwell Times, Says Report (Infosecurity Magazine) Those who lay false trails for hackers can often detect them more quickly, says a survey released this week.
Counting on Quantitative Cyber Risk (Infosecurity Magazine) The perceived importance of cyber risk has almost tripled in five years, but the expertise and technology has not kept pace
How Facebook Catches Bugs in Its 100 Million Lines of Code (WIRED) For the past four years, Facebook has quietly used a homegrown tool called Zoncolan to find bugs in its massive codebase.
Safe travels: 7 best practices for protecting data at border crossings (CSO Online) Border agents are requesting access to devices and the data on them with no regard to your organization's security policies. Here's how to protect that data and your employees.
How Secure is Your Online Store’s Rewards Program? (business.com) Hackers are going to great lengths to steal loyalty rewards' program data. It is critical businesses know this is happening and take steps to prevent it.
The ‘SAFE’ replacement for a popular Army file-sharing tool (Fifth Domain) The Defense Information Systems Agency launched a new secure file sharing site Aug. 15 as part of an effort to replace a popular tool run by the Army that had far exceeded what its creators had intended and become the go-to site for sending large files.
The Army’s new multi-domain units are understaffed (Fifth Domain) The Army accelerated the fielding of new units but did not conduct sufficient risk assessments, Congress' watchdog agency found in a new report.
Design and Innovation
An Army prototype smartphone hints at the risks of biometric security (NBC News) Biometrics have emerged in consumer electronics as an alternative to passwords, but security experts warn that they also bring new privacy risks.
Instagram adds tool for users to flag false information (Reuters) Instagram is adding an option for users to report posts they think are false, th...
At Twitter, It Seems No One Can Hear the Screams (WIRED) Twitter’s brass at an event this week struggled to balance the platform’s reputation for viral rage with the conversational mecca it wants to become.
Research and Development
A Guide to Not Killing or Mutilating Artificial Intelligence Research (War on the Rocks) Editor’s Note: This article was submitted in response to the call for ideas issued by the co-chairs of the National Security Commission on Artificial
Academia
A Summer Camp for the Next Generation of N.S.A. Agents (The New Yorker) The National Security Agency hopes that its GenCyber camps inspire young people to pursue work in cybersecurity, a field in which three hundred thousand jobs remain unfilled in the U.S. alone.
Legislation, Policy, and Regulation
Huawei boss: 'UK won't say no to us' in the roll-out of 5G (Sky News) Ren Zhengfei said the UK's decision on whether to incorporate equipment from Huawei in the roll-out of 5G is "very important".
Trump Administration Asks Congress to Reauthorize N.S.A.’s Deactivated Call Records Program (New York Times) The White House is seeking reauthorization of a law that lets the N.S.A. gain access to logs of Americans’ phone and text records — while acknowledging that the program has been indefinitely halted.
Trump administration urges Congress to reauthorize NSA surveillance program (TheHill) The Trump administration is urging Congress to reauthorize the National Security Agency's (NSA) authority to collect phone record information on millions of Americans, according to a letter obtained by The Hill.
Litigation, Investigation, and Law Enforcement
A friend for stalked women in cyberspace (The Hindu) Cyber Mithra receives 54 complaints in just 15 days of its launch
Kostya and Me: How Sam Patten Got Ensnared in Mueller’s Probe (WIRED) A political consultant crosses paths with Konstantin Kilimnik, Paul Manafort, and Cambridge Analytica, then becomes part of the Russia investigation.
Re: Investigation of the DOJ’s and FBI’s Handling of the Clinton Investigation (US Senate) We write to provide you with information that we developed as part of your investigation into the mishandling of highly classified information and operation of a non-government server for official business by Secretary Clinton and her associates. Statements made in a joint bipartisan staff interview by intelligence community officials involved in the classification review raise particular concerns that senior State Department officials sought to downgrade classified material found on the server.
Delta Sues Chatbot Provider Over 2017 Breach (Wall Street Journal) The airline is suing an artificial-intelligence company that powered a chatbot on its website, accusing it of lax cybersecurity that caused a 2017 data breach. The unusual lawsuit highlights the sensitive relations between companies that have been hacked and their business partners.
Plaintiffs argue Facebook knew of privacy leak vulnerability (Seeking Alpha) Plaintiffs in a suit against Facebook (FB +0.9%) are working to amend their complaint about the "View As" privacy leak, saying that the company knew about the risks of the feature but didn't remedy them because it would hurt business, Bloomberg reports.
Epic Games slapped with lawsuit over hacked Fortnite accounts (HackRead) Follow us on Twitter @HackRead
Second Life Is Plagued by Security Flaws, Ex-Employee Says (WIRED) A former infosec director at Linden Lab alleges the company mishandled user data and turned a blind eye to simulated sex acts involving children.
Former Employee Accused Of Stealing From Pittsburgh Cyber Security Firm (CBS Pittsburgh) A one-time system administrator for a Pittsburgh cyber security firm is charged with stealing nearly $200,000 from his former employer
Watchdog: Hiring freeze increased cyber risk at State (FCW) An extended hiring freeze at the Department of State delayed key cybersecurity initiatives and placed highly classified information at risk, according to a watchdog report.
Security Clearance Backlog Cut In Half: Kari Bingen (Breaking Defense) In April 2018 the government hit a high point of 725,000 delayed clearances. Today, the number has dipped below 360,000. In May, we reported that would-be federal employees and defense contractors waited an average of 221 days for a Secret clearance and 534 days for a Top Secret clearance.
Could Your Home Country Pride Hurt Your Security Clearance? (ClearanceJobs) ClearanceJobs is your best resource for news and information on security-cleared jobs and professionals. Learn more with our article, "Could Your Home Country Pride Hurt Your Security Clearance?".