Cyber Attacks, Threats, and Vulnerabilities
Group said to be behind attempted campaign hack has also gone after cybersecurity researchers (CyberScoop) An Iran-linked hacking group that targeted a U.S. presidential campaign in recent months also has a history of trying to compromise cybersecurity analysts who have exposed the hackers’ operations, the analysts told CyberScoop.
Credit Info Exposed in TransUnion Data Security Incident (BleepingComputer) Using a credential stuffing attack, an unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files.
Hackers breach Volusion and start collecting card details from thousands of sites (ZDNet) More than 6,500 stores have been compromised, but the number could be around 20,000.
Webroot Finds Windows® 7 is Becoming Even Riskier, Infections up by 71% (PR Newswire) Webroot, a Carbonite (NASDAQ: CARB) company, shared the results of its Webroot® Threat Report: Mid-Year Update,...
Phishing attempts increase 400%, many malicious URLs found on trusted domains (Help Net Security) The Webroot report quantifies cybercriminals’ increased use of trusted domains, the growth and expansion of phishing, and Windows 7 infections.
One Identity Global Survey Reveals “Pass the Hash” Attack Prevalence, Impact and Uncertainty, Highlighting the Need for Privileged Access and Active Directory Management Best Practices (West) One Identity, a proven leader in identity-centered security, today released new global research revealing the significant prevalence and impact of cyberattacks that use stolen hashed administrator credentials, also referred to as Pass the Hash (PtH) attacks, within businesses today.
Hackers found tracking web traffic of Chrome and Firefox browsers (HackRead) Two user favorite browsers are commonly known to be Google Chrome and Mozilla Firefox. Exploiting their demand, a Russian group by the handle of Turla has been attempting to track encrypted traffic of both browsers.
Chrome and Firefox hit by encryption-busting malware – what you need to know (TechRadar) Kaspersky's researchers called it 'impressive'
COMpfun successor Reductor infects files on the fly to compromise TLS traffic (SecureList) In April 2019, we discovered new malware that compromises encrypted web communications in an impressive way. We called these new modules ‘Reductor’ after a .pdb path left in some samples.
Majority of IT departments leave major holes in their USB drive security (Help Net Security) Even though 87% of organizations use USB drives, the majority of IT departments aren’t implementing tools to manage USB device usage risk.
Round Rock ISD included in third-party data breach (FOX 7 Austin) The breach impacted 13,000 school districts and universities in the U.S., including Round Rock ISD. The district says they are checking with Pearson to see how many other districts in Texas were impacted.
Governments, police, hospitals held hostage by hackers (KYMA) The attack starts, innocently enough, with an email. But when someone clicks the link inside, hackers quickly take over.
Hacked Programmer Retaliates By Hacking Hackers Who Hacked Him (Fossbytes) Germany-based programmer Tobias Fromel, who was affected by Muhstik ransomware, released around 3,000 decryption keys as well as free decryptor software, which he acquired by hacking the hacker behind the ransomware.
France says hackers might go after supply chains after Airbus cyber assault (The Next Web) France has issued a new cyber threat advisory about targeted espionage operations directed at service providers and engineering firms.
Credential harvesting campaign: malicious infrastructure targeting government institutions and strategic entities (CERT-FR) During investigations, and with the cooperation of several partners, ANSSI discovered several malicious infrastructures, including domain names, subdomains and email addresses, used in a large attack campaign whose first observed activity dates back to 2017.
Siemens CP, SIMATIC, SIMOCODE, SINAMICS, SITOP, and TIM (Update D) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: CP, SIMATIC, SIMOCODE, SINAMICS, SITOP, and TIM
Vulnerability: Out-of-bounds Read
Siemens devices using the PROFINET Discovery and Configuration Protocol (Update P) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 6.5
ATTENTION: Exploitable from an adjacent network/low skill level to exploit.
Vendor: Siemens
Equipment: Devices using the PROFINET Discovery and Configuration Protocol (DCP)
Vulnerabilities: Improper Input Validation
Siemens Industrial Products (Update N) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Remotely exploitable/low skill level to exploit
Vendor: Siemens
Equipment: Industrial Products
Vulnerability: Improper Input Validation
2. UPDATE INFORMATION
This updated advisory is a follow-up to the updated advisory titled ICSA-17-339-01 Siemens Industrial Products (Update M) published March 12, 2019, on the ICS webpage on us-cert.gov.
Siemens SIMATIC, SINUMERIK, and PROFINET IO (Update D) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 5.3
ATTENTION: Exploitable from an adjacent network
Vendor: Siemens
Equipment: SIMATIC, SINUMERIK, and PROFINET IO
Vulnerability: Improper Input Validation
Siemens Industrial Products (Update A) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: Industrial Products
Vulnerabilities: Integer Overflow or Wraparound, Uncontrolled Resource Consumption
BD Pyxis (Update A) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.6
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Becton, Dickinson and Company (BD)
Equipment: Pyxis
Vulnerability: Session Fixation
2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-19-248-01 BD Pyxis that was published September 5, 2019, on the ICS webpage on us-cert.gov.
Siemens SIMATIC IT UADM (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 6.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: SIMATIC IT Unified Architecture Discrete Manufacturing (UADM)
Vulnerability: Inadequate Encryption Strength
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated attacker to gain access to the TeamCenter station.
Siemens SIMATIC WinAC RTX (F) 2010 (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: SIMATIC WinAC RTX (F) 2010
Vulnerability: Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to perform a denial-of-service attack that could compromise the availability of the service provided by the software.
GE Mark VIe Controller (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 6.8
ATTENTION: Low skill level to exploit
Vendor: GE
Equipment: Mark VIe Controller
Vulnerabilities: Improper Authorization, Use of Hard-coded Credentials
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to create read/write/execute commands within the Mark VIe control system.
SMA Solar Technology AG Sunny WebBox (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.6
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: SMA Solar Technology AG
Equipment: Sunny WebBox
Vulnerability: Cross-Site Request Forgery
Security Patches, Mitigations, and Software Updates
Patch Tuesday Lowdown, October 2019 Edition (KrebsOnSecurity) On Tuesday Microsoft issued software updates to fix almost five dozen security problems in Windows and software designed to run on top of it.
October 2019 Patch Tuesday: A small batch of updates from Microsoft, none from Adobe (Help Net Security) October 2019 Patch Tuesday came with a relatively small number of Microsoft updates and, curiously enough, with no security updates from Adobe.
Google October Android Security Update Fixes Critical RCE Flaws (Threatpost) Google's October security update fixed several critical and high-severity vulnerabilities.
Google Patches Remote Code Execution Bugs in Android 10 (SecurityWeek) Google’s October 2019 security patches for Android address a total of 26 vulnerabilities, including a couple of remote code execution bugs impacting Android 10.
Signal immediately fixed FaceTime-style eavesdropping bug (Naked Security) Remember the FaceTime bug that allowed a caller to eavesdrop on your phone? Researchers just discovered another – this time in Signal.
Opera's stricter privacy controls could also speed up your web browsing (Engadget) Oh, and they'll limit site tracking, too.
[Official announcement] Realme X September security update hits units in India (Download link inside) (PiunikaWeb) Realme X September security patch has started circulating in India. The new features include Digital Wellbeing and revamped notification icons.
Cyber Trends
2019 Threat Report Mid-Year Update (Webroot) Each year, we publish our annual report on the previous year’s cybersecurity trends. As an extension of that, the Mid-year Update offers a recap of the shifts and evolutions we’ve seen through the first half of the year, as well as in-depth analysis.
Thales Study: Organizations Worldwide Failing to Adequately Protect Sensitive Data in the Cloud (BusinessWire) A new global study from Thales, with research from the Ponemon Institute, has exposed an increasing disparity between the rapid growth of data stored
New LastPass Research Finds Password Habits Remain Key Obstacle to Business’ Security (LogMeIn Investor Relations) 3rd Annual Global Password Security Report shows widespread password reuse, despite increased investment in security tools like multifactor authentication
2019 Global Password Security Report (LastPass) Key Takeaways from the 3rd Annual Report. Other key insights include...
Despite Accelerating Adoption of DMARC, Less Than 10% of Enterprise Domains are Protected from Email Impersonation, Valimail Research Finds (BusinessWire) Valimail, the leading provider of identity-based anti-phishing solutions, today released its Summer 2019 Email Fraud Landscape Report, shedding light
Digital Transformation Puts Software Security Strategies in Limbo, Finds ZeroNorth Research (BusinessWire) Organizations agree, building security into digital transformation initiatives is a priority—yet the recommended path to progress is unclear.
EfficientIP and IDC Report Reveals: Financial services organizations suffer $1.3M cyber attacks (Benzinga) 88% of financial services organizations surveyed experienced DNS attacks in the past 12 months
NetDiligence Publishes Ninth Annual Cyber Claim Study (PR Newswire) NetDiligence®, a leading provider of cyber risk readiness and response services, announced today it has published...
The biggest lie tech people tell themselves — and the rest of us (Vox) They see facial recognition, smart diapers, and surveillance devices as inevitable evolutions. They’re not.
Research reveals negligent users as top cyber security threat to German organizations (Continuity Central) The international business continuity management news, jobs and information portal
US job seekers scrub their social media accounts to get success (ZDNet) Are you worried that your social media footprint will jeopardize your career? If so, you are not alone.
Marketplace
Blizzard Bans Gamer, Rescinds Money, on Hong Kong Protest Support (Bloomberg) Expressing sympathy for Hong Kong democracy push proves costly. Hearthstone player won’t be allowed to compete for a year.
The China Cultural Clash (Stratechery) The NBA controversy in China highlights a culture clash that both tech companies and the U.S. government need to take to heart. Plus, why Tiktok being Chinese is increasingly a problem.
Adobe to deactivate accounts for all Venezuelan users due to US sanctions (ZDNet) Because of the White House's sanctions, users aren't eligible for refunds either.
Microsoft, Intel Back Ethereum-Based Token to Reward Consortium Efforts (CoinDesk) The Enterprise Ethereum Alliance has created a token to incentivize firms to participate in consortiums. The system is backed by Microsoft and Intel.
VMware Completes Acquisition of Carbon Black (Yahoo) VMware, Inc. (VMW), a leading innovator in enterprise software, today announced it has completed its acquisition of Carbon Black, a leader in cloud-native endpoint protection, in an all-cash transaction for $26 per share, representing an enterprise value of $2.1 billion. “Carbon Black brings us an industry-leading
Facebook's digital currency faces further questions as Libra Association loses product chief (The Telegraph) A key figure at the organisation behind Facebook’s Libra cryptocurrency has left the group amid growing concerns over the project.
Facebook’s Libra cryptocurrency dealt blow by PayPal’s departure (Naked Security) PayPal abruptly announced that it was leaving the Libra Association.
Facebook underestimated Libra pushback - Loop (Seeking Alpha) Facebook (FB -0.8%) seems to have underestimated pressures in its attempt to launch its Libra digital currency initiative, Loop Capital says
Forcepoint Strengthens Global Partner Program to Dynamically Accelerate Adoption of Behavior-Centric Cybersecurity (Forcepoint) New Global System Integrators (GSI) Platinum and Accredited Services Partners (ASP) Programs ensure frictionless channel engagement for customers worldwide
Cyber Defense Magazine Announces Cyber Defense Global Awards Winners for 2019 (PRWeb) Today, Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine with its sister platform is ...
Speakers Censored at AISA Conference in Melbourne (Schneier on Security) Two speakers were censored at the Australian Information Security Association's annual conference this week in Melbourne.
AttackIQ Opening New Offices in Australia to Better Serve Partners in APAC (BusinessWire) AttackIQ®, the largest independent leader of the continuous security validation market, today announced its expansion into a new market with the openi
Marianne Brown, Financial Services Executive, Joins VMware Board of Directors (West) VMware, Inc. (NYSE: VMW), a leading innovator in enterprise software, today announced that Marianne Brown has been elected to the VMware board of directors.
Products, Services, and Solutions
Fugue Adopts Open Policy Agent (OPA) for its Policy-as-Code Framework for Cloud Security (Fugue) Fugue announced its support for Open Policy Agent (OPA), an open source general-purpose policy engine and language for cloud infrastructure. Fugue is leveraging OPA to provide customers with maximum flexibility when implementing their custom enterprise policies for cloud infrastructure.
New software release: Milestone Systems introduces centralized Search (Mynewsdesk) With the introduction of centralized Search in Milestone XProtect Smart Client, users will be able to perform investigations faster and more intelligently...
Versa Networks Achieves NSS Labs “Recommended” Rating for NGIPS (Versa Network) Versa Networks has achieved a highly coveted Recommended rating in the NSS Labs Next Generation Intrusion Prevention Systems (NGIPS) Group Test. NSS Labs, Inc. is a global leader and trusted source for independent, fact-based cybersecurity guidance. This NSS Labs report focuses on the main differentiators for …
KnowBe4 Launches New Multi-Factor Authentication Security Assessment Tool (Benzinga) Complimentary tool aimed to inform security professionals of vulnerabilities in MFA, authored by KnowBe4's Roger Grimes
TAMPA BAY, Fla. (PRWEB) October 08, 2019
KnowBe4, the...
vArmour Announces Version 5 of its Application Controller with SDK and Security Graph Technology (West) Application Relationships Put On Center Spotlight to Help Organizations Intelligently Reduce Risk
Trend Micro and Snyk partner to deliver complete remediation to secure containers (Snyk) We’re excited to announce a new strategic partnership with Trend Micro to help businesses quickly deliver secure applications. Trend Micro is well known
DeepCode boosts its intelligence and can now explain the reasons behind coding errors (Medium) At DeepCode, we’re always focused on discovering important software bugs and being a tool that can improve and even replace testing. To…
New Appdome Security Service Protects Mobile APIs Inside Android and iOS Apps (PR Newswire) Appdome, the mobile industry's first no-code mobile solutions platform, announced the immediate...
Privacy-first ClearPHONE with ClearOS Mobile Hits 50 Percent of Kickstarter Goal Within 12 Hours (PR Newswire) A nonprofit Clear company, ClearUnited, today surpassed the funding halfway point within just a few...
Technologies, Techniques, and Standards
ZeekWeek 2019: 5 Things Network Security Pros Should Know about Zeek (Bricata) As the annual ZeekWeek conference kicks off – here are 5 things network security professionals should know about Zeek.
Winning the security fight: Tips for organizations and CISOs (Help Net Security) Matthew Rosenquist, a former Cybersecurity Strategist for Intel (now independent), talks about overcoming denial of risk and defining clear goals.
Ethical hackers, a digital vaccine against cyber threats (EBU) Vaccinations are controlled, low impact measures that trigger significant improvements in an organism's defenses – and working with so-called 'ethical hackers' may be the digital equivalent for an organization. That's what Inti De Ceukelaire, a well-known ethical, or white hat, hacker, thinks. De Ceukelaire previousl...
DIA looks to data interoperability to combat misinformation (Federal News Network) DIA’s problem is not operating at speed, it’s operating at scale.
Legislation, Policy, and Regulation
U.S. agrees to help Baltic states bolster grid cybersecurity (CyberScoop) The United States on Sunday agreed to work more closely with three Baltic countries to protect their electric sectors from cyberattacks.
China plans to restrict visas for U.S. visitors with 'anti-China' links (WKZO) China is planning tighter visa restrictions for U.S. nationals with ties to anti-China groups, people with knowledge of the proposed curbs said, following similar U.S. restrictions on Chinese nationals, as relations between the countries sour.
China's Ministry of Public Security has for months been working on ...
China's New Cybersecurity Program: NO Place to Hide (China Law Blog) The Chinese government has been working for several years on a comprehensive Internet security/surveillance program. This program is based on the
Nationwide facial recognition ID program underway in France (Naked Security) It’s coming next month, in spite of a lawsuit and the data regulator’s protests about lack of consent, data security and privacy.
Telcos decry lack of consultation on new snoop powers (CRN Australia) Talks with US on access to locally-held data come as a surprise.
Bipartisan Senate report calls for sweeping effort to prevent Russian interference in 2020 election (Washington Post) The Senate Intelligence Committee said in blunt language that Russians worked to damage Democrat Hillary Clinton while bolstering Republican Donald Trump — and made clear that fresh rounds of interference are likely ahead of the 2020 vote.
Briefing: Senate Committee Wants Social Media Firms to Help Block Russian Hackers (The Information) The U.S. Senate Intelligence Committee is calling on social media platforms to work with each other, government agencies and law enforcement in a coordinated effort to block Russia and other foreign states from interfering in U.S. elections. The recommendation was one of several included in the committee’s second report on Russian interference in the U.S. election. The report warned that social media companies fail to consistently notify users exposed to fake accounts such as those used by Russian operatives during the 2016 election. It noted that activity in accounts associated with Russia’s election hacking effort has increased since 2016 by 238% on Instagram, 84% on YouTube, 59% on Facebook, 52% on Twitter.
The report also recommended that Congress consider enacting legislation that would require social media companies to ensure Americans have information about the source of online political advertising, similar to the disclosures required for television and radio.
House Democrats introduce new legislation to combat foreign election interference (TheHill) A group of House Democrats led by Administration Committee Chairwoman Zoe Lofgren (Calif.) on Tuesday introduced new legislation aimed at combating foreign efforts to interfere in U.S. elections.
Small businesses main focus of new cybersecurity rules (Fifth Domain) Forthcoming cybersecurity controls are designed to help the Department of Defense and small business work together to protect sensitive data based on tiers of systems.
California Privacy Law May Spur Data Breach Lawsuit Wave (Bloomberg Law) Companies doing business in California may face a heightened risk of litigation when the state’s new privacy law takes effect in January, litigation and privacy attorneys say.
INSIGHT: Cyber Wolves in CEOs’ Clothing—Business Leaders Thwart Privacy Efforts (Bloomberg Law) National data breach plaintiffs’ attorneys with DiCello Levitt take issue with a recent letter from 51 Business Roundtable CEOs about protecting data privacy. They say the CEOs are paying lip service to consumer privacy in the hopes Congress will quickly pass watered-down privacy legislation that shields them from any real accountability to consumers.
OPM to launch job rotation program for cyber reskilling academy graduates (Federal News Network) OPM is working with the Federal CIO Council to create a job rotation program for federal employees who went through the Federal Cybersecurity Reskilling Academy.
UK Ex-Spy Chief Reveals Big Tech Like Google, Facebook ‘Know More About Us’ Than MI5 (Sputnik News) The Cambridge Analytica scandal of early 2018, when it was revealed the personal data of millions of Facebook users had been harvested without their consent and used to target them with political advertising, sparked the outrage of users, lawmakers, privacy advocates, and media pundits.
Civil rights groups urge lawmakers to dissolve police partnerships with Ring (ZDNet) It has been reported that roughly 400 US police departments are collaborating with the smart doorbell firm.
Litigation, Investigation, and Law Enforcement
Top Secret Russian Unit Seeks to Destabilize Europe, Security Officials Say (New York Times) Known as Unit 29155, the group is skilled in subversion, sabotage and assassination and has only recently become known to Western intelligence agencies.
FBI’s Use of Surveillance Database Violated Americans’ Privacy Rights, Court Found (Wall Street Journal) Some of the FBI’s electronic surveillance activities violated the constitutional privacy rights of Americans swept up in a controversial foreign intelligence program, a surveillance court has ruled.
FBI’s Foreign Surveillance Program Violated Americans’ Civil Liberties, FISA Court Finds (National Review) The Foreign Intelligence Surveillance Court has ruled that an FBI program intended to target foreign suspects violated Americans’ privacy.
Senate Report: Russians Used Social Media Mostly To Target Race In 2016 (NPR.org) The Russian government's efforts to interfere in the 2016 elections focused on African American audiences, according to a new bipartisan report.
Russian Active Measures Campaigns and Interference in the 2016 U.S. Election, Volume 2: Russia's Use of Social Media (Select Committee on Intelligence, United States Senate) In 2016, Russian operatives associated with the St. Petersburg-based Internet Research Agency (IRA) used social media to conduct an information warfare campaign designed to spread disinformation and societal division in the United States.
Twitter says it unintentionally misused user data for advertising (Axios) Users saw ads targeted based on email and phone numbers provided for security.
Twitter transgression proves why its flawed 2FA system is such a privacy trap (Ars Technica) Twitter 2FA is every bit as bad as critics said it was. Site signals a change is coming.
Twitter: No, really, we're very sorry we sold your security info for a boatload of cash (Register) That was just an unfortunate accident that ended up padding Jack's bank account
Twitter says phone numbers users provided for security were ‘inadvertently’ used for ad purposes (Washington Post) Twitter revealed Tuesday that it mishandled an unspecified number of users' email addresses and phone numbers, allowing that data to be used "inadvertently" for advertising purposes.
The Weather Channel mobile app is being sued for 'unfair and fraudulent' mining of user data (Business Insider) The city of Los Angeles has sued the Weather Channel mobile app claiming it misled users who agreed to share their location information.
Facebook denies Biden campaign's request to remove false Ukraine ad by Trump campaign (CNN) Facebook denied a request from Joe Biden's campaign to take down a video ad by President Donald Trump's reelection campaign that falsely accuses the former vice president of corruption for his role in Ukraine policy during the Obama administration.
Paris police attacker had top secret security clearance (The Irish Times) Islamist cleared for access to all computers in police prefecture’s directorate of intelligence
Yahoo To Compensate Users In US, Israel For Data Breach: Report (NDTV.com) If you live in the US or in Israel, had a Yahoo account between 2012 and 2016 and have got an email from Yahoo on the settlement claim over data breach, you could be eligible for $358 or more.
GPS tracker from stalked woman’s car led to indictment of 20 mobsters (Naked Security) Girlfriend found it, girlfriend popped it onto a city bus, gadget got found, multiyear investigation got launched, 20 got indicted.
Case 1:19-cr-00442-ILG Document 21 (United States Attorney Eastern District of New York (via the Register)) Dear Judge Scanlon: The government respectfully submits this letter in support of its motion for permanent orders of detention as to the defendants Joseph Amato, Daniel Capaldo, Thomas Scorcia, Joseph Amato Jr. and Anthony Silvestro. As set forth below, the defendants pose a danger to the community and should be detained pending trial.