At a glance.
- Pentagon says it offered no intelligence support to police during protests.
- ActionSpy Android spyware in circulation.
- D-Link patches six privacy-threatening vulnerabilities in home routers.
Pentagon says no military surveillance used during protests.
According to the Washington Post, the US Undersecretary of Defense for Intelligence and Security responded to an inquiry from the Chair of the House Intelligence Committee with a letter assuring the Committee that the Department of Defense didn't provide intelligence or surveillance to law enforcement agencies during recent unrest. Undersecretary Kernan said no one asked him to “undertake any unlawful or inappropriate intelligence activities that could violate civil liberties” in response to the protests, that he himself directed no agency to do so, and that the Directors of the National Security Agency, the Defense Intelligence Agency, and the National Geospatial-Intelligence Agency all assured him that they've also not engaged in such activities.
New Android spyware may have wider application.
Trend Micro is tracking a new campaign by Earth Empusa (also known as Poison Carp, a group believed to be linked to the Chinese government) against Uyghurs in Tibet. The campaign uses a new strain of Android spyware, ActionSpy. Modularized and typically distributed in watering hole attacks, ActionSpy has also been used against a travel agency in Taiwan and political and media organizations in Turkey. The Muslim Uyghur minority in China has long been a target of domestic surveillance, but ActionSpy is clearly adaptable to multiple uses and multiple targets. Its use in Taiwan and Turkey suggests that it's already finding such application.
D-Link patches home router vulnerabilities.
Palo Alto Networks' Unit 42 research shop disclosed Friday that it had found six vulnerabilities in D-Link wireless routers:
- CVE-2020-13782: Improper Neutralization of Special Elements Used in a Command (Command Injection)
- CVE-2020-13786: Cross-Site Request Forgery (CSRF)
- CVE-2020-13785: Inadequate Encryption Strength
- CVE-2020-13784: Predictable seed in pseudo-random number generator
- CVE-2020-13783: Cleartext storage of sensitive information
- CVE-2020-13787: Cleartext transmission of sensitive information
D-Link has issued patches for each of the vulnerabilities.