Cyber Attacks, Threats, and Vulnerabilities
In Ukraine, Russia Tests a New Facebook Tactic in Election Tampering (New York Times) With Facebook focused on weeding out fake pages, Russian agents are spreading propaganda on the pages of real people willing to sell or rent them out.
APT group Elfin switches from data destruction to data stealing via WinRAR vulnerability (CSO Online) Iran-linked hacker group switches techniques from Shamoon wiper attacks to WinRAR exploits.
Lazarus Group Widens Tactics in Cryptocurrency Attacks (Threatpost) macOS users as well as Windows are in the cross-hairs, especially those based in South Korea.
Emotet-Distributed Ransomware Loader for Nozelesn Found via Managed Detection and Response (TrendLabs Security Intelligence Blog) We discovered the modular Emotet malware distributing the Nozelesn ransomware through our managed detection and response (MDR) monitoring.
The Huawei Threat Isn't Backdoors. It's Bugs (WIRED) A British report finds that Huawei equipment, suspected of including backdoors for China's government, suffers from a lack of "basic engineering competence."
Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole (TrendLabs Security Intelligence Blog) We discovered a phishing campaign that compromised at least four South Korean websites by injecting fake login forms to steal user credentials. While we’ve previously seen cybercriminals inject a malicious JavaScript code in the websites to load browser exploits or financial information skimmers, using the watering hole technique for a phishing campaign is unusual.
LockerGoga: The Newest Industrial Ransomware Threat (Threatpost) Researchers are still looking for answers when it comes to LockerGoga's initial infection method – and what the attackers behind the ransomware really want.
Thirty-six new security flaws found in 4G mobile networks (Computing) South Korean researchers discovered 36 new flaws using a technique called 'fuzzing'
Pydio 8 Multiple Vulnerabilities (SecureAuth) 1. Advisory Information. Title: Pydio 8 Multiple Vulnerabilities; Advisory ID: SAUTH-2019-0002; Advisory URL: https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities ; Date published: 2019-03-28; Date of last update: 2019-03-28; Vendors contacted: Pydio; Release mode: Coordinated release
Rockwell Automation PowerFlex 525 AC Drives (ICS-CERT) 1. EXECUTIVE SUMMARY: CVSS v3 7.5; ATTENTION: Exploitable remotely/low skill level to exploit; Vendor: Rockwell Automation; Equipment: PowerFlex 525 AC Drives; Vulnerability: Resource Exhaustion. 2. RISK EVALUATION: Successful exploitation of this vulnerability could result in resource exhaustion, denial of service, and/or memory corruption.
Spyware app exposes private photos, hosting provider steps in (Naked Security) A hosting company has taken down a database owned by a mobile spying app after it was found displaying phone owners’ intimate images online.
HTTPS Isn't Always As Secure As It Seems (WIRED) A surprising number of high-traffic sites have TLS vulnerabilities that are subtle enough for the green padlock to still appear.
SECURITY: Hackers force water utilities to sink or swim (E&E News) Digital threats could turn off America's water taps. Nearly 70,000 drinking water and wastewater utilities already strapped for cash and expertise are turning their attention to fast-moving online threats.
Systems Used to Track US Debt Vulnerable - Report (GovInfo Security) The computer systems the U.S. Department of the Treasury uses to track the nation's debt have serious security flaws that could allow unauthorized access to a
Hacker Claims to Have Stolen 200 Bitcoins From Dark Net Sites via 'TypoSquatting' (Crowdfund Insider) A hacker has been bragging on the Dark Net that he or she siphoned 200 bitcoins ($760 000 USD) from Dark Net websites by using an impersonation scam known as 'typo-squatting,' cybersecurity firm Digital Shadows reports. On the Dark Net, 'Typo-squatting' involves subtle alphanumeric bait-and-switch
Dark web typosquatting: Scammers v. Tor (Digital Shadows) One day while using our Shadow Search investigation tool, I stumbled upon a network of typosquat domains. We see squats all the time, but what caught my eye was that these weren't for legitimate businesses, they were for criminal dark web sites, specifically on the Tor network.
SQL Injection in Magento Core (Sucuri Blog) We disclose an SQL Injection vulnerability in Magento core which can be exploited without any form of privilege or authentication.
Serious Magento bug will likely be exploited in the wild by card skimmers (Ars Technica) Magento admins: beware of SQL flaw that requires no authentication.
300,000 online retailers at risk from Magento security flaw enabling attackers to take control of ecommerce sites (Computing) Magento rushes out patch for critical vulnerability to protect open source and commercial versions of its ecommerce software
Is your e-commerce site being used to test stolen card data? (Naked Security) If you’re running Magento you should be on the look out for hackers testing stolen card data – it could get your PayPal account suspended.
One third of connected homes in Australia at risk of cyber attack, Avast reveals (PRWire) Printers are the most vulnerable home devices in Australia. 33.4 percent of connected homes in Australia have one or more vulnerable device. 59.7 percent of household routers worldwide are vulnerable
“Twitter 2007 multicolor” hoax – debunk it, don’t spread it! (Naked Security) Hoaxers are saying you can unlock colorful new “features” in Twitter, but you’ll probably lock yourself out instead.
The Haunting of Hacker House (WIRED) How tales of Edward Snowden and Albert Gonzalez possess an old Victorian in the Catskills.
Security Patches, Mitigations, and Software Updates
Windows security: Microsoft Defender AV can now stop malware from disabling it (ZDNet) Microsoft adds new tamper-protection feature that stops malware from switching off key security features.
Boeing announces fixes for 737 Max planes (BBC News) The US planemaker is making cockpit alterations in the plane model involved in two fatal crashes.
Microsoft Tackles IoT Security with New Azure Updates (Dark Reading) The Azure Security Center for IoT provides teams with an overview of IoT devices and helps monitor their security properties.
Ghidra update squashes serious bugs in NSA reverse-engineering tool (SearchSecurity) The first Ghidra update since the NSA made the software open source has patched a few serious bugs and proved to the community that the NSA will actively support the tool.
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability (Cisco Security Advisory) The Cisco Security portal provides actionable intelligence for security threats and vulnerabilities in Cisco products and services and third-party products.
Cisco botched patches for its RV320/RV325 routers (Help Net Security) Cisco RV320 and RV325 WAN VPN routers are still vulnerable to attack through two flaws that Cisco had supposedly patched.
Cyber Trends
Venafi Survey: The Negative Impact of Government Mandated Encryption Backdoors (Venafi) According to Venafi Survey, Countries with Government-Mandated Encryption Backdoors More Susceptible to Nation-State Attacks.
Crowdsourced Security Poised for Breakthrough in 2019 (PR Newswire) Bugcrowd, the #1 crowdsourced security company, today released Security Leadership Study - Trends in Application...
nCipher: New Digital Initiatives, IoT and Cloud Adoption Driving the Use of Trusted Cryptography Revealed by 2019 Global Encryption Trends Study (Financial Post) nCipher Security, the provider of trust, integrity and control for business critical information and applications, announces that as organizations em…
American Consumers Distrust Social Media Privacy Capabilities (eWEEK) eWEEK DATA POINTS: According to the latest Norton LifeLock Cyber Safety Insights Report, Americans are worried about privacy but are still willing to accept certain risks.
Cyber attacks on non-standard ports tripled in 2018 (TechHQ) As more and more devices become networked— no longer just our desktops, laptop, and mobile phones— cybercriminals are quickly exploiting a wealth of new
Vulnerability management woes continue, but there is hope (CSO Online) Prioritizing fixes, workflows, and timely patching are just some of the challenges organizations face, but advanced data analytics may help with vulnerability management.
Enterprise Data Encryption Hits All-time High (Dark Reading) A new report by the Ponemon Institute shows 45% of organizations have a comprehensive encryption policy in place.
CyberGRX Study Finds Current Third-Party Cyber Risk Management Practices and Technologies Fall Short Despite Significant Investment (BusinessWire) CyberGRX today announced the results of their inaugural Cost of Third-Party Cybersecurity Risk Management study executed by Ponemon Institute.
Report: Visibility problems may result in undetected security threat (Back End News) “The State of Cloud Monitoring Report” sponsored by Ixia, a Keysight Business, highlights the security and monitoring challenges faced by enterprise IT (information technology) staff in…
Security industry 'Spakfilla' doesn’t really work, says Nine Publishing CTO (iTnews) As Telstra weighs in with message to focus on the core.
Marketplace
You Need To Know How Cybersecurity Affects Mergers and Acquisitions (Security Boulevard) Time to Learn More Anytime you plan to get involved with something, whether it be a person, place, or thing, you need information —sometimes a lot of information. In the world of M&A, this process involves taking reasonable steps to learn as much as possible about another company’s strengths and assets, as well as their weaknesses and liabilities. For a time, those liabilities often came in the form of financial debt, messy legal obligations, or poor revenue — but these days, this accountability analysis also includes all data related to a company’s cybersecurity posture.
Crypto’s Merger Problem and What Can Be Done When M&As Go Wrong (Cointelegraph) Mergers are becoming more common in crypto, but what happens when things go wrong?
Huawei's half-arsed router patching left kit open to botnets: Chinese giant was warned years ago – then bungled it (Register) ISP alerted biz to UPnP flaw in 2013. Years later, same flaw kept cropping up
Huawei defends security record as annual sales top $100B (Washington Post) Huawei says its sales topped $100 billion last year despite U.S. pressure on allies to shun the Chinese tech giant as a security threat
Huawei's reputation receives another damaging blow from UK security report (TechSpot) An investigation into Huawei's security on networking products performed by UK officials with ties to GCHQ has revealed a bevy of problems. Known issues have not been fixed, leaving opportunity for third-party surveillance to occur on critical infrastructure.
Huawei under pressure to urgently fix 'significant issues' that threaten UK national security (The Telegraph) Huawei is under mounting pressure to accelerate a $2bn overhaul of its technology, after British security officials issued a withering assessment of the cyber-security risks posed by the Chinese telecom giant.
Apple is making itself the anti-Facebook (CRN Australia) Comment: Your world can be pricey and private, or free with endless apologies.
Darktrace founders on data security (Director Magazine) Darktrace uses advanced AI to shield a wide range of clients from online attack. They explain why data security is a board-level concern
Tesserent puts $3.8 million Asta acquisition on hold (CRN Australia) Pushed back by other potential acquisitions.
Palo Alto Networks Completes Acquisition of Demisto (PR Newswire) Palo Alto Networks (NYSE: PANW), the global cybersecurity leader, today announced it has completed its...
Success of Thales Offer for Gemalto Shares (AP NEWS) Reference is made to the joint press release by Thales (Euronext Paris: HO) and Gemalto (Euronext Amsterdam and Paris: GTO) dated 27 March 2018 in relation to the launch of the recommended all-cash offer by Thales for all the issued and outstanding shares of Gemalto (the Offer), the publication of the Offer Document, and the joint press release of Thales and Gemalto dated 14 March 2019 in relation to the Acceptance Closing Time.
PayPal laying off nearly 400 Hunt Valley employees (Maryland Daily Record) PayPal is firing nearly 400 employees at its Hunt Valley offices, according to filings the company has made with the state. PayPal in a statement said it was terminating the jobs as part of a previous agreement with Synchrony, which will now handle servicing and collections for the company.
Akamai to set up 'scrubbing centre' in Melbourne (iTWire) Global cloud security and content delivery network provider Akamai will set up a "scrubbing centre" in Melbourne later this year, to handle the increa...
SailPoint Announces Tracey Newell Has Joined Its Board of Directors (AP NEWS) SailPoint Technologies Holdings, Inc. (NYSE: SAIL), the leader in enterprise identity governance, today announced the appointment of Tracey Newell to its Board of Directors and as a member of the Compensation Committee and the Nominating and Corporate Governance Committee, effective March 27, 2019.
Products, Services, and Solutions
Portnox Sphere MSP/MSSP Channel Program Enables Partners to Deliver NAC-as-a-Service (Sys-Con Media) SYS-CON Media, NJ, a leading technology and computing media company on breaking news in the Cloud.
Firefox brings Lockbox password manager to Android’s autofill (Naked Security) All your saved Firefox passwords, now happily inserting themselves into your Android-verse!
New product versions for R&S Web Application Firewall: Business and Enterprise Edition (Rohde & Schwarz) The latest version of the R&S®Web Application Firewall provides even more comprehensive protection against threats for business-critical web applications. With two product versions, Business and Enterprise Edition, different use cases can be addressed.
Dissect Cyber wins major DHS S&T Award for their BEC Work (Security Boulevard) Congratulations to our great friends at Dissect Cyber for receiving the DHS S&T Global Award for their work on BEC scams!
ADVA Plays Key Role in Development of UK’s Quantum-secured Transport Network (NewsWire) FSP 3000 technology enables 120km link with classical and quantum channels on the same fiber
Technologies, Techniques, and Standards
Task Force Update: From First to Second… (Ukrainian Election Task Force) In the homestretch of Ukraine’s presidential race, we should know in just a few days which two candidates will face off in the second round on April 21. That assumes, of course, that no candidate gets a majority of the vote in the first round on March 31, that there will be no problems in the vote tabulation, that the candidates who fail to advance to the second round accept the results of the first, and that there will be no hacking of the Central Election Commission, as happened in 2014, and so on.
Estonia is winning the cyber war against election meddling (Quartz) Other countries should take note.
Finland Is Using Inmates to Help a Start-Up Train Its A.I. Algorithms (Fortune) The inmates are answering questions that help classify data.
Prisoners to train artificial intelligence as part of developing work activities (Criminal Sanctions Agency) Training artificial intelligence is the most recent form of prison work. The Criminal Sanctions Agency and Vainu company have signed a cooperation agreement according to which Vainu will purchase prison work for training artificial intelligence.
Machines Shouldn’t Have to Spy On Us to Learn (WIRED) We need a breakthrough that allows us to reap the benefits of AI without savaging data privacy.
Father of Cryptography: I believe in writing passwords down on paper (ECNS) Whitfield Diffie, known as 'Father of Cryptography', said he believes in writing passwords down on paper so nobody could figure them out.
Threat Hunting 101: Not Mission Impossible for the Resource-Challenged (Dark Reading) How small and medium-sized businesses can leverage native features of the operating system and freely available, high-quality hunting resources to overcome financial limitations.
Design and Innovation
Facebook tightens up rules for political advertisers (the Guardian) Verifiable contact details will be required to run campaigns on site ahead of EU elections
Facebook’s handling of Alex Jones is a microcosm of its content policy problem (TechCrunch) A revealing cluster of emails reviewed by Business Insider and Channel 4 News offers a glimpse at the fairly chaotic process of how Facebook decides what content crosses the line. In this instance, a group of executives at Facebook went hands-on in determining if an Instagram post by the conspiracy…
Will Facebook’s New Ban on White Nationalist Content Work? (WIRED) Depends on Facebook.
Google pulls controversial anti-gay religious app from the Play Store (TechCrunch) The same day the Human Rights Campaign downranked the company in its index of the best LGBTQ-friendly employers, Google decided to yank a controversial app accused of promoting conversion therapy from the Play Store. On that list, known as the Corporate Equality Index, the HRC, a prominent LGBTQ ri…
Research and Development
Analysis | The Cybersecurity 202: Trump wants a ‘cybersecurity moonshot’ but cuts research (Washington Post) Almost every cybersecurity research budget will face cuts under Trump proposal.
Can "Internet-of-Body" Thwart Cyber Attacks on Implanted Medical Devices? (IEEE Spectrum: Technology, Engineering, and Science News) Medtronic discloses medical device vulnerabilities, while Purdue University scientists propose countermeasure to block attacks
Legislation, Policy, and Regulation
Why Russia Might Shut Off the Internet (Foreign Affairs) The new legislation is the latest in a long campaign.
Is the Russian Internet a Lost Cause? (Slate Magazine) What happens in Russia could hasten the fragmentation of the global internet.
NATO at 70: Lessons From The Cold War (Atlantic Council) On April 4, NATO will mark the 70th anniversary of the signing of the Washington Treaty, which laid the foundation for arguably the most successful alliance the world has ever seen. Yet despite all of its successes, many forget that NATO never had...
Pompeo wants NATO to take ‘actions’ to help Ukraine (Stars and Stripes) The U.S. and its allies in Europe could agree at an upcoming NATO meeting to provide more support to Ukraine in its efforts to resist Russian aggression in the region, America’s top diplomat said Wednesday.
The Army wants to know how to deploy cyber teams during peacetime (Fifth Domain) The Army wants to use cyber and information capabilities to compete with adversaries below the threshold of conflict.
Huawei phones a ‘threat to national security’ (Asia Times) Taiwanese cybersecurity expert claims to have found mystery firmware in Huawei smartphones
Director-General ASD speech to the Lowy Institute, March 2019 (Australian Signals Directorate) Director-General ASD speech to the Lowy Institute, Offensive cyber and the people who do it
Committee pushes 'cyber taskforce' for security of Australia's election system (ZDNet) The taskforce is expected to combat election 'cyber-manipulation' and keep social media sites in-check during election campaigns.
Chief of Ottawa’s new cybersecurity agency makes pitch to hackers’ favourite targets — banks (Financial Post) Head of Canadian Centre for Cyber Security asking lenders to work with the organization to make the country an unappealing target for digital attackers
Feds Seek To Up Their Cybersecurity Game (Forbes) The U.S. government doesn't have a great track record when it comes to cybersecurity. But several pending initiatives are aimed at improving it, for both the public and private sector.
New Bill to Protect U.S. Senate Personal Devices, Accounts from Hackers (BleepingComputer) U.S. senators and their staff will receive assistance from the Senate Sergeant at Arms to protect their accounts and devices from cyber threats if a bipartisan bill introduced by Senators and Senate Intelligence Committee members Ron Wyden (D-Ore) and Tom Cotton (R-Ark) will be signed into law.
Lawmakers Call for Termination of NSA Domestic Surveillance Program (Wall Street Journal) A bipartisan group of lawmakers introduced legislation to end the National Security Agency’s practice of collecting records of Americans’ phone calls and text messages.
MI5 and the Met sharpen fight on terror (Times) Britain is one of the safest and most prosperous countries in the world. Nonetheless, the complex challenges we and other countries face from terrorism and malign acts by foreign states are all too...
Litigation, Investigation, and Law Enforcement
Harold Martin pleads guilty to vast classified data leak, faces up to 9 years in prison (CyberScoop) Harold Martin, who worked as an intelligence contractor for multiple firms for over two decades, allegedly stole some 50 terabytes of data from the NSA.
N.S.A. Contractor Arrested in Biggest Breach of U.S. Secrets Pleads Guilty (New York Times) The contractor, Harold Martin, was arrested in 2016, but investigators never found evidence that he had shared stolen classified information with anyone.
Attorney general expected to miss deadline for giving Mueller report to Congress, will not commit to releasing it in full (Washington Post) William P. Barr tells House Judiciary Committee chairman it will be ‘weeks, not months’ before lawmakers can have a redacted copy.
‘COLLUSION DELUSION IS OVER’: Triumphant Trump Takes Victory Lap In Michigan (Daily Caller) President Donald Trump trumpeted special counsel Robert Mueller's finding of "no collusion" between his 2016 campaign and the Russian government.
Broadband providers told to explain how they handle consumer data (Naked Security) The FTC launched a broad inquiry to find out what data they collect, why, who they share it with, and how consumers can change or delete it.
Office Depot rigged PC malware scans to sell unneeded $300 tech support (Ars Technica) Office Depot and its software supplier have to pay $35 million toward refunds.
Office Depot computer scans gave fake results (Federal Trade Commission) Many of us would gladly take advantage of a free computer tune-up from a big-name retailer.
Security researcher pleads guilty to hacking into Microsoft and Nintendo (The Verge) He hacked Microsoft, was arrested, then hacked Nintendo while out on bail.
ICO Fines Pensions Firm for Sending Millions of Spam Emails (Infosecurity Magazine) Kent-based Grove Pensions Solutions received inaccurate legal advice
FCC “fined” robocallers $208 million since 2015 but collected only $6,790 (Ars Technica) Both FCC and FTC fail to collect vast majority of robocall fines, WSJ reports.
Suspected hacker charged over cyber attack on Cheshire Police website (Chester and District Standard) A suspected hacker has been charged after a cyber attack on Cheshire Police’s website.