Tech News - Cybersecurity

Yesterday, the Microsoft Defender Advanced Threat Protection (ATP) Research Team shared details of a fileless malware campaign through which attackers were dropping Astaroth Trojan into the memory of infected computers. https://twitter.com/MsftSecIntel/status/1148262969710698498 Astaroth is a malware known for abusing living-off-the-land binaries (LOLbins) such as Windows Management Instrumentation Command-line (WMIC) to steal sensitive information including credentials, keystrokes, and other data. It sends stolen data to a remote attacker, who can misuse them to carry out financial theft or sell victim information in the cybercriminal underground. This trojan has been public since 2017 and has affected a few European and Brazilian companies. As of now, Microsoft has not disclosed whether any other user’s machine was compromised. What are fileless threats? Fileless malware attacks either run the payload directly in the memory or use already installed applications to carry out the attack. As these attacks use legitimate programs, they are very difficult to detect for most security programs and even for experienced security analysts. Andrea Lelli, a member of Microsoft Defender ATP Research Team, thinks that though these attacks are difficult to detect, they are certainly not undetectable. “There’s no such thing as the perfect cybercrime: even fileless malware leaves a long trail of evidence that advanced detection technologies in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can detect and stop,” he wrote in the blog post. How is the Astaroth Trojan attack implemented? During a standard review, Lelli observed that telemetry was showing a sudden increase in the use of WMIC tool to run a script. This made him suspicious of a fileless attack. Upon further investigation, he realized that the campaign was trying to run Astaroth backdoor directly into the memory. Here’s how the initial access and execution takes place using only system tools: Source: Microsoft The attack begins with a spear-phishing email containing a malicious link that redirects a user to an LNK file. When the user double-clicks on the LNK file, it triggers the execution of the WMIC tool with the “/Format” parameter. This allows the download and execution of a JavaScript code that in turn downloads payloads by abusing the Bitsadmin tool. The downloaded payloads are Base64-encoded and are decoded using the Certutil tool. While others remain encrypted, two of them are decoded to plain DLL files. The Regsvr32 tool loads one of the decoded DLLs, which then decrypts and loads other files until the Astaroth, the final payload is injected into the Userinit process. How does Microsoft Defender ATP detect and stop these attacks? Microsoft Defender ATP comes with several advanced technologies to “spot and stop a wide range of attacks.” It leverages protection capabilities from the cloud including metadata-based ML engine, behavior-based ML engine, AMSI-paired ML engine, file classification engine, among others. On the client-side, it includes protection techniques such as memory scanning engine, emulation engine, network engine, and more. Here’s a diagram depicting all the protection technologies Microsoft Defender ATP comes with: Source: Microsoft Check out the official post by Microsoft Defender ATP Research to know more in detail. Microsoft is seeking membership to Linux-distros mailing list for early access to security vulnerabilities 12 Visual Studio Code extensions that Node.js developers will love [Sponsored by Microsoft] 5 reasons Node.js developers might actually love using Azure [Sponsored by Microsoft]

A vulnerability in Mac’s Zoom Client allows any malicious website to initiate users’ camera and forcibly join a Zoom call without their authority. This vulnerability was publicly disclosed by security researcher, Jonathan Leitschuh, today. The flaw exposes up to 750,000 companies around the world using the video conferencing app on their Macs, to conduct day-to-day business activities. It also allows a website to launch a DoS (Denial of Service) attack on Macs by repeatedly joining a user to an invalid call. Even if one tries to uninstall the app from their devices, it can even re-install the app without user’s permission with the help of a localhost web server on the machine that should have installed the app at least once. https://twitter.com/OldhamMade/status/1148476854837415936 “This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine”, Leitschuh writes. Leitschuh said that the vulnerability was responsibly disclosed on March 26, this year. This means the company had 90 days to fix this issue based on the disclosure policy. He had suggested a ‘quick fix’ which Zoom could have implemented by simply changing their server logic. However, Zoom first took 10 days to confirm the vulnerability and held a meeting about how the vulnerability would be patched, only 18 days before the end of the 90-day public disclosure deadline, i.e. June 11th, 2019. A day before the public disclosure, Zoom had only implemented the quick fix solution. “An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack”, Leitschuh says. Leitschuh also mentioned the Tenable Remote Code Execution in Zoom security vulnerability which was only patched within the last 6 months. “Had the Tenable vulnerability been combined with this vulnerability it would have allowed RCE against any computer with the Zoom Mac client installed. If a similar future vulnerability were to be found, it would allow any website on the internet to achieve RCE on the user’s machine”, Leitschuh adds. According to ZDNet, “Leitschuh also pointed out to Zoom that a domain it used for sending out updates was about to expire before May 1, but the domain was renewed in late April”. In a statement to The Verge, Zoom said, the local webserver was developed “to save users some clicks after Apple changed its Safari web browser in a way that requires Zoom users to confirm that they want to launch Zoom each time”. Zoom defended their “workaround” and said it is a “legitimate solution to poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator.” The company said it would do some minor tweaking to the app this month. “Zoom will save users’ and administrators’ preferences for whether the video will be turned on, or not when they first join a call”, the company said. https://twitter.com/backlon/status/1148464344876716033 This move by Zoom is unfair towards users where they have to turn their cameras off and the company just escapes with a minor change to the app for such a serious security lapse issue where they should have taken a major step. Many are unhappy with the way Zoom is handling this vulnerability. https://twitter.com/chadloder/status/1148375915329495040 https://twitter.com/ticky/status/1148389970073096192 Users can patch the camera issue by themselves by updating their Mac and disabling the setting that allows Zoom to turn your camera on when joining a meeting. As mentioned earlier, the vulnerability may re-install the applications; hence, users are advised to run some terminal commands to turn off their web server. Leitschuh has explained these commands in detail in his blog post on Medium. Google researcher reveals an unpatched bug in Windows’ cryptographic library that can quickly “take down a windows fleet” Apple promotes app store principles & practices as good for developers and consumers following rising antitrust worthy allegations Google Project Zero reveals an iMessage bug that bricks iPhone causing repetitive crash and respawn operations

Last week, a developer Tute Costa notified Ruby users that the strong_password v0.0.7 rubygem has been hijacked. The malicious actor published v0.0.7 containing the malicious code, which enabled the attacker to execute remote code in production. As of now, the thread has been tweaked and the attacker’s RubyGems account has been locked. A strong_password is an entropy-based password strength used for checking Ruby and ActiveModel. How was the strong_password v0.0.7 hijack identified? While linking line by line to each library’s changeset, Costa noticed that the strong_password has changed from 0.0.6 to 0.0.7. Although the last changes in any branch in GitHub was from 6 months ago, Costa recalled that everything was up to date. Costa then downloaded the gem from RubyGems and compared its contents with its latest copy in GitHub. He found that at the end of the lib/strong_password/strength_checker.rb version 0.0.7 there was the following message: Image Source: With a Twist Dev Costa found that a malicious actor has used an empty account, with a different name than the maintainer’s. The malicious actor has published the gem, after receiving access to the particular gem. Later, Costa forwarded this thread to the strong_password maintainer’s email in GitHub. Brian McManus, the strong_password maintainer replied, “The gem seems to have been pulled out from under me. When I login to rubygems.org I don’t seem to have ownership now. Bogus 0.0.7 release was created 6/25/2019.” How does the malicious code work? If the malicious code didn’t run before checking for the existence of the Z1 dummy constant, it injects a middleware that eval’s cookies named with an ___id suffix, only in production. It is surrounded by the empty exception handler _! function that’s defined in the hijacked gem. This opens the door to the attacker to silently execute remote codes in production. The malicious code also sends a request to a controlled domain with an HTTP header informing the infected host URLs. What is the current status of strong_password v0.0.7? Rafael França, the Ruby on Rails’ security coordinator has added asecurity@rubygems.org to the thread. Later André Arko, the founder of Ruby Together, tweaked the thread and locked the RubyGems account. McManus was later added back to the gem. Costa also notified users that he asked for a CVE identifier (Common Vulnerabilities and Exposures) to cve-request@mitre.org and received CVE-2019-13354. He used this CVE “to announce the potential issue in production installations to the rubysec/ruby-advisory-db project and the ruby-security-ann Google Group.” The community has been praising Tute Costa for his efforts in finding out about the hijack. https://twitter.com/mjos_crypto/status/1148153570631589889 A user on Hacker News states that “In light of vulnerabilities like these, I’m glad there are developers that spend time to make their apps more secure. Thus, making us all aware that issues like these are out there. Security is almost always just put off in exchange for features and security is most of the time taken for granted. It’s about time that we start taking it seriously. Kudos to you!” Many users are also skeptical about RubyGem’s security vulnerabilities. A user on Hacker News says, “There's still a lot to learn about this incident, but most likely the RubyGems account was compromised, allowing the attacker to upload whatever they wanted. Signed releases with a web of trust would be ideal, but I doubt we'll ever see that world. A simple and pragmatic solution would be to have the next version of bundler support the ability to only install packages published with 2 factor enabled, then the next major rails version default it to on, with plenty of advanced warning in 6.x/bundler. This still has plenty of gaps, such as an attacker being able to take over even with 2 factor, and then re-enabling it with their own keys, or RubyGems.org itself being compromised. It still represents a major upgrade in security for the entire Ruby ecosystem without causing much pain to authors and users.” Another comment reads, “Rubygem should contract an external auditor (security firm), this could go way deeper. Until they perform a thorough audit I will personally stay away from this project.” Why Ruby developers like Elixir Ruby ends support for its 2.3 series How Deliveroo migrated from Ruby to Rust without breaking production

A zero-day vulnerability in Apple's iMessage, which bricks an iPhone and survives hard resets was recently brought to light. A specific type of malformed message is sent out to a victim device, forcing users to factory-reset it again. The issue was first posted by Google Project Zero researcher, Natalie Silvanovich on the project’s issue page on April 19, 2019. Due to the usual 90-day disclosure deadline, the bug is held from public view until either 90 days had elapsed or a patch had been made broadly available to the public. On 4th July, Silvanovich revealed that the issue was fixed in the Apple iOS 12.3 update, thus making it public. Labelled as CVE-2019-8573 and CVE-2019-8664, this vulnerability causes a Mac to crash and respawn. Silvanovich says on an iPhone, this code is in Springboard and “receiving this message will cause Springboard to crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input. The only way I could find to fix the phone is to reboot into recovery mode and do a restore. This causes the data on the device to be lost”. According to Forbes, “The message contains a property with a key value that is not a string, despite one being expected. Calling a method titled IMBalloonPluginDataSource _summaryText, the method assumes the key in question is a string but does not verify it is the case”.  The subsequent call for IMBalloonPluginDataSource replaceHandlewithContactNameInString calls for im_handleIdentifiers for the supposed string, which in turn results in a thrown exception.  For testing purposes, Silvanovich, in her patch update has shared three ways that she found to unbrick the device: wipe the device with 'Find my iPhone' put the device in recovery mode and update via iTunes (note that this will force an update to the latest version) remove the SIM card and go out of Wifi range and wipe the device in the menu Google Project Zero has also released instructions to reproduce the issue: install frida (pip3 install frida) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device in the local directory, run: python3 sendMessage.py Users should make sure their iPhone is up to date with the latest iOS 12.3 update. Read more about the vulnerability on Google Project Zero’s issue page. Approx. 250 public network users affected during Stack Overflow's security attack Google researcher reveals an unpatched bug in Windows’ cryptographic library that can quickly “take down a windows fleet” All about Browser Fingerprinting, the privacy nightmare that keeps web developers awake at night

On Saturday, Ubuntu-maker Canonical Ltd’s source code repositories were compromised and used to create repositories and issues among other activities. The unknown attacker(s) used a Canonical owned GitHub account whose credentials were compromised to unauthorizedly access Canonical's Github account. According to a mirror of the hacked Canonical GitHub account, the hacker created 11 new GitHub repositories in the official Canonical account. The repositories were empty and  sequentially named CAN_GOT_HAXXD_1, `with no existing data being changed or deleted. The Ubuntu source code remains unaffected. A Canonical representative said in a statement, “There is no indication at this point that any source code or PII was affected. Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected.” The hack appears to be limited to a defacement, as if the hacker(s) had added malicious code to Canonical projects, then they wouldn't have drawn attention by creating new repositories in the Canonical GitHub account. The official Ubuntu forums had been hacked on three different occasions, first in July 2013, when hackers stole the details of 1.82 million users. Second in July 2016, when the data of two million users was compromised. Third, in December 2016 when Ubuntu Forums was hacked with 1.8 Million users credentials stolen. In May, this year attackers wiped many GitHub, GitLab, and Bitbucket repos with ‘compromised’ valid credentials leaving behind a ransom note. Canonical has since removed the compromised account from the Canonical organisation in GitHub and is still investigating the extent of the breach. The Ubuntu security team said it plans to post a public update after our investigation, audit and remediations are finished. Twitter was flooded with people warning others about the hack. https://twitter.com/zackwhittaker/status/1147683774492303360 https://twitter.com/gcluley/status/1147901110503575552 https://twitter.com/evanderburg/status/1147895949697568770     Ubuntu has decided to drop i386 (32-bit) architecture from Ubuntu 19.10 onwards DockerHub database breach exposes 190K customer data including tokens for GitHub and Bitbucket repositories Attackers wiped many GitHub, GitLab, and Bitbucket repos with ‘compromised’ valid credentials leaving behind a ransom note.

Security researchers, Noam Rotem and Ran Locar, from vpnMentor recently revealed in their report, that a Shenzhen-based Chinese IoT management platform company, Orvibo exposed its user database online without any password protection. The Elasticsearch database, which contains user data collected from smart home devices, includes ‘2 billion logs’ containing everything from user passwords to account reset codes and also a "smart" camera recorded conversations. Sample of Orvibo leaked data The data leaked included email addresses, passwords, precise geolocation, IP address, username, userID, family name and ID, smart device, device that accessed account, scheduling information, and account reset codes. Out of these, the password and password reset codes that are being logged create additional problems. Even though these had not been encrypted, they had been hashed using MD5. “Unfortunately, the MD5 algorithm used to hash these passwords isn't considered particularly secure as it has been found to contain a whole bunch of vulnerabilities”. "Orvibo does make some effort into concealing the passwords, which are hashed using MD5 without salt," the vpnMentor team said. However, saltless MD5 passwords are relatively easy to crack, which means that anyone with access to this database could hijack SmartMate accounts and possibly take control of a user's smart devices connected to a user's SmartMate-controlled smart home. The researchers said the reset codes were the most dangerous pieces of information found in the database. "These would be sent to a user to reset either their password or their email address," the report explains, continuing "with that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible." According to ZDNet, “The database was spotted in mid-June by the security team at vpnMentor, led by security researchers Noam Rotem and Ran Locar, who shared their findings with ZDNet last month and asked for help in notifying the vendor.” Since then, both vpnMentor and ZDNet have contacted the Chinese company to let it know about its security issue; however, at the time of writing, Orvibo has failed to respond or take any action. Forbes mentions, “The Orvibo website boasts of a secure cloud providing a "reliable smart home cloud platform," and goes on to mention how it "supports millions of IoT devices and guarantees the data safety." Geoff Tudor, general manager of Vizion.ai, told Forbes that Elasticsearch breaches are becoming almost everyday occurrences. "When first installed, Elasticsearch's API is completely open without any password protection," Tudor says, adding "all a hacker needs to do is to hit a URL with http://[serverIP]:9200 and a user can see if an Elasticsearch is operational. Then it takes a single command to search through the data stored in it..." Orvibo which claims to have  a lot of users, including private individuals with smart home systems but also hotels and other business customers. The vpnMentor report states that it found logs for users in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom, and the U.S. The report states, "With the information that has leaked. It's clear that there is nothing secure about these devices. Even having one of these devices installed could undermine, rather than enhance, your physical security." How can users secure their data and be safe? Jake Moore, a cybersecurity specialist at ESET said, “Criminal groups may have been aware of this vulnerability but it is unknown if anyone has taken advantage of this flaw yet. I'd hope it would be patched quite quickly now it is out." Moore further advises, "The best thing now for people affected is to make sure their smart device passwords are changed immediately to something long and complex along with other accounts where the same password may be reused," He further pointed out, "they may as well pull the plug on the device until it is fixed." Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, can go a step further than changing their passwords and “file a legal complaint and deactivate any remote management of their homes if it is doable." Yesterday, Orvibo responded by saying that they had secured the database. They said, “Once we received this report on July 2nd, ORVIBO’s RD team took immediate actions to resolve security vulnerability”. The company said they have  taken the following solutions to resolve the issue: Resolved security vulnerability. Upgraded encryption mechanism of password. Upgrade the protection on users account and password resetting. Strengthening cooperation with professional cyber security companies to improve our system security. To know more about this news, read the complete vpnmentor report. NSA warns users of BlueKeep vulnerability; urges them to update their Windows systems Google researcher reveals an unpatched bug in Windows’ cryptographic library that can quickly “take down a windows fleet” How not to get hacked by state-sponsored actors

Robert J. Hansen, a maintainer of the GnuPG FAQ, revealed about a certificate spamming attack against him and Daniel Kahn Gillmor, two high-profile contributors in the OpenPGP community, in the last week of June 2019. The attack exploited a defect in the OpenPGP protocol to "poison" both Hansen’s and Gillmor’s OpenPGP certificates. “Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways”, Hansen wrote on his GitHub blog post. Gillmor said his OpenPGP certificate was flooded with bogus certifications which were uploaded to the SKS keyserver network. The main use of OpenPGP today is to verify downloaded packages for Linux-based operating systems, usually using a software tool called GnuPG. This attack has the following consequences: If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation. Poisoned certificates cannot be deleted from the keyserver network. The number of deliberately poisoned certificates, currently at only a few, will only rise over time. The attackers may have an intent on poisoning other certificates and the scope of the damage is still unknown A year ago, OpenPGP experienced similar certificate flooding, one, a spam on Werner Koch's key and second, abuse tools made available years ago under the name "trollwot". There's a keyserver-backed filesystem proposed as a proof of concept to point out the abuse. “Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned”, Hansen further added. He also said that the mitigation to this attack cannot be carried out “in any reasonable time period” and that the future releases of OpenPGP software may have mitigation. However, he said he is unsure of the time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network, Hansen says. The “keyserver software” was written to facilitate the discovery and distribution of public certificates. Users can search the keyserver by a variety of different criteria to discover public certificates which claim to belong to the desired user. The keyserver network, however, does not attest to the accuracy of the information. This was left for each user to ascertain according to their own criteria. According to the Keyserver design goals, “Keyservers could add information to existing certificates but could never, ever, ever, delete either a certificate or information about a certificate”, Hansen said as he was involved in the PGP community since 1992 and was present for these discussions. “In the early 1990s this design seemed sound. It is not sound in 2019. We've known it has problems for well over a decade”, Hansen adds. This shows that Keyservers are vulnerable and susceptible to attacks and how the data can be easily misused. Why SKS Keyserver Network can never be fixed Hansen has also given some reasons why the software was not fixed or updated for security to date. A difficult to understand algorithm The SKS or standard keyserver software was written by Yaron Minsky. It became the keystone of his Ph.D. thesis, and he wrote SKS originally as a proof of concept of his idea. The algorithm is written in an unusual programming language called OCaml, which Hansen says has an idiosyncratic dialect. “ Not only do we need to be bright enough to understand an algorithm that's literally someone's Ph.D. thesis, but we need expertise in obscure programming languages and strange programming customs”, Hansen says. Change in design goal may result in changes from scratch Due to a difficult programming language it is written in, there are hardly any programmers who are qualified to do such a major overhaul, Hansen says. Also, the design goal of the keyserver network is "baked into" essentially every part of the infrastructure and changing it may lead to huge changes in the entire software. Lack of a centralized authority The lack of centralized authority was a feature, not a bug. This means there is no single point of failure for a government to go after. This makes it even harder to change the design goals as the network works as a confederated system. Keyserver network is a Write-only file system The Keyserver network is based on a write-only, which makes it susceptible to a lot of attacks as one can only write into it and have a tough time deleting files. The keyserver network can be thought of as an extremely large, extremely reliable, extremely censorship-resistant distributed file system which anyone can write to. Attackers can easily add any malicious or censored content files or media, which no one can delete. Mitigations for using the Synchronization Key server Hansen says high-risk users should stop using the keyserver network immediately. For those confident with editing their GnuPG configuration files, the following process is recommended: Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it. Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it. keys.openpgp.org is a new experimental keyserver which is not part of the keyserver network and has some features which make it resistant to this sort of attack. It has some limitations like its search functionality is sharply constrained. However, once changes are made users will be able to run gpg --refresh-keys with confidence. Daniel Kahn Gillmor, in his blogpost, says, “This is a mess, and it's a mess a long time coming. The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on because people are deliberately abusing those keyservers. We need significantly more defensive programming and a better set of protocols for thinking about how and when to retrieve OpenPGP certificates”. Public reaction to this attack is quite speculative. People shared their opinions on Twitter. Some have also suggested migrating the SKS server towards the new OpenPGP key server called Hagrid. https://twitter.com/matthew_d_green/status/1145030844131753985 https://twitter.com/adulau/status/1145045929428443137 To know more about this in detail, head over to Robert J. Hansen’s GitHub post. Training Deep Convolutional GANs to generate Anime Characters [Tutorial] Former npm CTO introduces Entropic, a federated package registry with a new CLI and much more! Microsoft introduces Service Mesh Interface (SMI) for interoperability across different service mesh technologies

Last week, an appellate court in San Francisco ruled against Facebook’s appeal to block a class-lawsuit over a massive data breach it witnessed last year. This data breach impacted nearly 30 million Facebook users. On September 25th last year, Facebook discovered a data breach caused by a vulnerability that existed in its code between July 2017 and September 2018. This vulnerability “was the result of a complex interaction of three distinct software bugs.” These bugs were related to the “View As” feature that allows users to see what their profile looks like to another user. By exploiting this vulnerability, the attackers were able to steal digital access tokens of users. These keys make it easier for users to access their profiles without having to log in every time they visit the site. Facebook shared that the attackers were able to see everything in a user’s profile, although it was not sure whether they got access to private messages or if any of that data was misused. Zuckerberg in a call with reporters following the data breach said, “So far our initial investigation has not shown that these tokens were used to access any private messages or posts or to post anything to these accounts. But this, of course, may change as we learn more. The attackers used our APIs to access profile information fields like name, gender, hometown, etc. But we do not yet know if any private information was accessed that way.” The class-lawsuit against Facebook alleged to violate user privacy Following this incident, several Facebook users filed class-action complaints in a San Francisco appeals court, alleging that Facebook has failed to protect its users' data. The class-action lawsuit alleges that the vulnerability in Facebook’s code plus its “grossly inadequate” security measures have made victims’ more prone to identity theft. The lawsuit seeks to represent all people “who registered for Facebook accounts in the United States and whose PII (personally identifiable information) was accessed, compromised, or stolen from Facebook in the September 2018 data breach.” As a legal remedy, the plaintiffs are seeking statutory damages, penalties, punitive damages, and attorneys’ fees. In response, Facebook appealed to block the lawsuit in March arguing that some of the plaintiffs’ information was not “sensitive” as it was publicly available on their Facebook profile. And, therefore, no real harm had been done as the attackers were not able to steal users’ financial information and passwords. U.S. District Judge William Alsup dismissed Facebook’s appeal saying, “The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information.” He added, “Further, some of the information here was private, and plaintiff plausibly placed trust in Facebook to employ appropriate data security. From a policy standpoint, to hold that Facebook has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks.’” This is not the only instance were Facebook has shown its negligence towards personal data. Earlier this month, during a pretrial hearing, Facebook argued that it didn’t violate users’ privacy rights because there’s no expectation of privacy when using social media. Recently Aaron Greenspan, the founder of Think Computer Corporation, claimed that Mark does not really believe in the concept of personal data as Facebook has performed security fraud on a number of occasions, in an incredibly blatant manner. This is one of the many lawsuits against Facebook. Earlier this month, the Austrian Supreme Court overturned Facebook’s appeal to block a lawsuit against it for not conforming to Europe’s General Data Protection Regulation (GDPR). Regarding its alleged involvement in the Cambridge Analytica case, the social media giant is also preparing to pay a fine of up to $5 billion. You can read the lawsuit to know more details. Austrian Supreme Court rejects Facebook’s bid to stop a GDPR-violation lawsuit against it by privacy activist, Max Schrems Facebook fails to block ECJ data security case from proceeding Zuckberg just became the target of the world’s first high profile white hat deepfake op. Can Facebook come out unscathed?  

Researchers from the security firm Dragos reported on Friday that a group of hackers behind two potentially fatal intrusions in industrial facilities have expanded its activities to investigate dozens of electricity grids in the US and other regions. The group, known as Xenotime, had gained attention in 2017 when researchers from Dragos and cyber-security firm FireEye independently reported about Xenotime causing dangerous operational disruption at a critical infrastructure site in the Middle East, reports Ars Technica. Researchers from Dragos have called the group the most dangerous cyber threat in the world since then. According to Bloomberg, FireEye Inc. has linked the group to a research institution in Moscow owned by the Russian government, called the Central Scientific Research Institute of Chemistry and Mechanics. Xenotime is one of the few groups in the world to use malware tailored to industrial control systems, said Benjamin Read, a FireEye senior manager. The most alarming of this group is the use of malware which was never seen before in the security processes of the installation. Such security instrumented systems are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. For example, when the gas fuel pressure or reactor temperature increases to potentially unsafe thresholds, a SIS will automatically close the valves or initiate cooling processes to avoid accidents that endanger life. In April, FireEye reported that the SIS manipulation malware, alternatively known as Triton and Trisis, was used in an attack at another industrial facility. Proliferation of threats in different sectors Dragos also reported that Xenotime has been conducting network scans and recognition of multiple components through power grids in the United States and other regions. Sergio Caltagirone, senior vice president of threat intelligence at Dragos, told Ars Technica that his firm has detected dozens of public services, some of them located in the United States, which have been subjected to Xenotime surveys from 2018. "The threat has proliferated and is now targeting electric companies in the US and Asia Pacific, which means that we are no longer safe thinking that the threat to our electrical utilities are understood or stable ", He said in an interview: "This is the first sign that threats are proliferating in all sectors, which means that now we can not be sure that a threat to the sector will remain in that sector and will not cross." Probes can come in multiple forms, one of them is credential filler attacks, which use passwords stolen in previous infractions, sometimes unrelated, in the hope that they will work against new targets. Another is network exploration, which maps and catalogs the different computers, routers and other devices connected to it and lists the network ports in which they receive the connections. "The scale of the operation and the regions it addresses, "Caltagirone said," shows more than a passing interest in the sector. " In a publication published on Friday, Dragos researchers wrote: “While none of the events of the electric utility company resulted in a known and successful intrusion into victim organizations to date, persistent attempts and the expansion in scope are cause for ultimate concern. Xenotime has successfully engaged several oil and gas environments, demonstrating its ability to do so in other vertical markets. Specifically, Xenotime remains one of four threats (along with electrum, sandworm and the entities responsible for stuxnet) to execute a deliberate disruptive or disruptive attack. Xenotime is the only known entity specifically aimed at instrumented safety systems (sis) for disruptive or destructive purposes. The electrical service environments are significantly different from oil and gas operations in several aspects, but electrical operations still have safety and protection equipment that could be directed with similar vessels. Xenotime, which expresses a direct and constant interest in the operations of the electric company, is a cause for deep concern, given the willingness of this adversary to compromise the security of the process, and therefore the integrity, of fulfilling its mission. The expansion of Xenotime to another vertical industry is emblematic of an increasingly hostile industrial industry. The most observed Xenotime activity focuses on the collection of initial information and access operations necessary for ICS tracking intrusion operations. As seen in the long-term intrusions sponsored by the state in the US, UU, the United Kingdom and other electrical infrastructure, entities are increasingly interested in the fundamental aspects of ICS operations and show all the badges associated with the information and acquisition of access necessary to carry out future attacks. While Dragos does not see evidence at this time to indicate that Xenotime (or any other activity group, such as electrum or allanite) is capable of executing a prolonged disruptive or disruptive event in the operations of the electric company, the observed activity shows a strong the adversary's interest in meeting the prerequisites for doing so.” This news has brought anxiety among cyber security folks on Reddit comments, “it's time to develop disconnected micro grids”. Another user comments, “Or just do security correctly. Much of the utility infrastructure in the country does not align with best practices or published standards.” To know more about this, check out the official research page of Dragos. Over 19 years of ANU(Australian National University) students’ and staff data breached Symantec says NSA’s Equation group tools were hacked by Buckeye in 2016 way before they were leaked by Shadow Brokers in 2017 How not to get hacked by state-sponsored actors

Last week, Damien Miller, a Google security researcher, and one of the popular OpenSSH and OpenBSD developers announced an update to the existing OpenSSH code that can help protect against the side-channel attacks that leak sensitive data from computer’s memory. This protection, Miller says, will protect the private keys residing in the RAM against Spectre, Meltdown, Rowhammer, and the latest RAMBleed attack. SSH private keys can be used by malicious threat actors to connect to remote servers without the need of a password. According to CSO, “The approach used by OpenSSH could be copied by other software projects to protect their own keys and secrets in memory”. However, if the attacker is successful in extracting the data from a computer or server's RAM, they will only obtain an encrypted version of an SSH private key, rather than the cleartext version. In an email to OpenBSD, Miller writes, “this change encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large 'prekey' consisting of random data (currently 16KB)." He further adds, "Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely”. "Implementation-wise, keys are encrypted 'shielded' when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised," Miller said. The OpenSSH dev hope they'll be able to remove this special protection against side-channel attacks "in a few years time when computer architecture has become less unsafe", Miller said at the end of the patch. To know more about this announcement in detail, visit Damien Miller’s email. All Docker versions are now vulnerable to a symlink race attack Telegram faces massive DDoS attack; suspects link to the ongoing Hong Kong protests A second zero-day found in Firefox was used to attack Coinbase employees; fix released in Firefox 67.0.4 and Firefox ESR 60.7.2

On Thursday, the US launched a cyber-attack on Iranian weapons systems, according to sources. This attack is a retaliation by the US govt after Iran shot down a US spy drone. In response to the drone’s destruction, the US was ready to carry out a military strike against Iran but US President Donald Trump said he called it off at the last minute after being told some 150 people could die. Although that didn’t stop him from secretly authorizing US Cyber Command to carry out a retaliatory cyber attack on Iran. Defense officials had prepared such a cyber response as a contingency plan for weeks preceding the attack. The cyber-attacks disabled computer systems controlling Iran’s rocket and missile launchers. Officials told the Guardian that the attack, which specifically targeted computer systems of Iran’s Islamic Revolutionary Guard Corps (IRGC), had been provided as options after two oil tankers were bombed. The IRGC has been designated a foreign terrorist group by the Trump administration. The AP news agency said the cyber-attack had disabled the Iranian systems. The New York Times said it was intended to take the systems offline for a period of time. The response by Iran An Iran Minister however rejected these claims stating that US cyber attacks on Iranian targets were not successful. “They try hard, but have not carried out a successful attack,” Mohammad Javad Azari Jahromi, Iran’s minister for information and communications technology, told Reuters. “Media asked if the claimed cyber attacks against Iran are true,” he said. “Last year we neutralized 33 million attacks with the (national) firewall.” Azari Jahromi called attacks on Iranian computer networks “cyber-terrorism”, referring to Stuxnet, the first publicly known example of a virus used to attack industrial machinery, which targeted Iran’s nuclear facilities in November 2007. In response to the shooting down of the U.S drone, an Iranian navy commander warned it could be repeated. “Everyone saw the downing of the unmanned drone,” navy commander Rear Admiral Hossein Khanzadi was quoted as saying by the Tasnim news agency. “I can assure you that this firm response can be repeated, and the enemy knows it.” On Saturday the US Department for Homeland Security warned that Iran was stepping up its own cyber-attacks on the US. Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, said "malicious cyber activity" was being directed at US industries and government agencies by "Iranian regime actors and their proxies.'' The US military and intelligence officials are drafting plans for additional cyber attacks against Iranian targets. It will also further impose sanctions on Iran. President Trump said these sanctions were "major" and were needed to prevent Tehran from obtaining nuclear weapons, and economic pressure would be maintained unless Tehran changed course. Technology plays a central role in national security and foreign policies. Most recently, the US-China trade war saw Huawei and Apple caught at the center of escalating tensions. US prohibited wide swath of technology deals with a “foreign adversary” for national security reasons. National security and technological environments are intertwined because technology has a strong influence on the ways wars are fought and the character of the missions reserve components are asked to perform. It is often caught in the web of trade wars. The US Iran cyber attack is a clear example of the way the lines between physical and digital warfare are blurring. Hacker destroys Iranian cyber-espionage data; leaks source code of APT34’s hacking tools on Telegram FireEye’s Global DNS Hijacking Campaign suspects Iranian-based group as the prime source Slack has terminated the accounts of some Iranian users, citing U.S. sanctions as the reason.

Earlier this week, Mozilla fixed a zero-day vulnerability that was being actively exploited by attackers. It released another security update yesterday when the Coinbase Security team detected a second zero-day vulnerability in Firefox. This update has landed in Firefox 67.0.4 and Firefox ESR 60.7.2. The two zero-day vulnerabilities The first one was a type confusion vulnerability tracked as CVE-2019-11707 that occurs “when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash.” It enables an attacker to run malicious code inside Firefox’s native process. This vulnerability was reported by both Coinbase Security team and Samuel Groß, a security researcher with Google Project Zero security team. Groß has reported the vulnerability on Bugzilla back in April 15th. https://twitter.com/5aelo/status/1141273394723414016 Sharing the implications of the vulnerability, the tech researcher said, “the bug can be exploited for RCE [remote code execution] but would then need a separate sandbox escape to run code on an underlying operating system. However, most likely it can also be exploited for UXSS [universal cross-site scripting] which might be enough depending on the attacker’s goals.” The second zero-day vulnerability was described as “sandbox escape using Prompt:Open” and is assigned CVE-2019-11708. This highly-critical vulnerability enables the escape of malware from the Firefox protected process and its execution on the targeted host. “Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process,” the advisory page reads. The Coinbase attack Not much detail was out about these attacks and vulnerabilities until yesterday when Martin Phil, Chief Information Security Officer at Coinbase, and his team detected an attack targeting Coinbase employees. Coinbase also said that the attacker might have targeted other cryptocurrency organizations as well. It is now notifying the organizations that it believes have been possibly targeted. https://twitter.com/SecurityGuyPhil/status/1141466335592869888 Fortunately, the attack was detected before it was able to do any damage. If it had been left undetected, the attacker could have gained access to the Coinbase backend network and stole funds from exchanges. Phil in his tweets also shared a couple of Indicators of Compromise (IOC) that will give the indication whether a system is affected or not. https://twitter.com/SecurityGuyPhil/status/1141466339518767104 Vitali Kremez who specializes in Information Security, Malware Hunting & Carding, Cybercrime Intelligence, speculated that these IOCs were linked to a username “powercat”. https://twitter.com/VK_Intel/status/1141540229951709184 Going by the IOCs, we can say that the attacker would have sent a spear-phishing email to lure victims to a web page. So, if the victims were using a vulnerable Firefox version, the web page would have downloaded and installed the malware on their systems. The macOS backdoor attack Not only cryptocurrency organizations, it looks like the attacker has also targeted other Firefox users as well. Yesterday, Patrick Wardle, a macOS security expert published an analysis of a Mac malware. This malware was sent by a user who claimed that it was installed in his fully updated Mac through Firefox’s zero-day vulnerability. Here’s how the email sent by the attacker to this user looked like: Source: Objective-See The malware that was installed on the user’s system was called Finder.app, the hash of which completely matched with one of the hashes provided by Martin. This news sparked a discussion on Hacker News. Many users found it unsettling that Mozilla took two months to deliver the security patch to fix a very crucial bug report. “Really, that Mozilla would let a reported RCE vulnerability simmer for two months until it bit someone would seem to reflect very poorly on their priorities and competence,” a user commented. Others were rather interested to know how Coinbase discovered this attack. A user commented, “I am more interested in how Coinbase employees discovered the attack. I am assuming nobody clicked the suspicious link and instead took it to a vm for reversing and analysis. It would have been game over if the exploit was actually executed on a non-sandboxed machine.” Mozilla releases Firefox 67.0.3 and Firefox ESR 60.7.1 to fix a zero-day vulnerability, being abused in the wild Firefox releases v66.0.4 and 60.6.2 to fix the expired certificate problem that ended up disabling add-ons Firefox 67 enables AV1 video decoder ‘dav1d’, by default on all desktop platforms

On Tuesday Oracle published an out-of-band security update that had a patch to a critical code-execution vulnerability in its WebLogic server. “This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,'' the Oracle update warned. The vulnerability tracked as CVE-2019-2729, has received a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default—wls9_async_response and wls-wsat.war. The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404. “This isn't the first, or even second, deserialization attack that has been used to target these services. The wls-wsat component was successfully exploited in a similar fashion in 2017, and KnownSec404 reported another one in April. The 2017 vulnerability was largely used to install bitcoin miners; April's vulnerability was exploited in cryptojacking and ransomware campaigns”, Arstechnica reported. John Heimann, Oracle's Security Program Vice-President, said, this was an incorrect assessment, and that the new attacks are exploiting a separate vulnerability that had nothing to do with the zero-day from April. If patching is not possible right away, the researchers propose two mitigation solutions: delete "wls9_async_response.war" and "wls-wsat.war" then restart the WebLogic service enforce access policy controls for URL access to the paths  "/_async/*" and "/wls-wsat/* According to Johannes Ullrich of the SANS Technology Institute, Oracle has been patching each of these series of deserialization vulnerabilities by individually blacklisting the deserialization of very specific classes as exploits are published. “Oracle has been using a "blacklist" approach in patching these deserialization vulnerabilities, blocking the deserialization of very specific classes, which has led to similar bypass/patch cat and mouse games in the past”, Ullrich mentions. To know more about this in detail, head over to Oracle’s blog post. Oracle does “organizational restructuring” by laying off 100s of employees IBM, Oracle under the scanner again for questionable hiring and firing policies RedHat takes over stewardship for the OpenJDK 8 and OpenJDK 11 projects from Oracle

Yesterday, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to fix an actively exploited vulnerability that can enable attackers to remotely execute arbitrary code on devices using vulnerable versions. So, if you are a Firefox user, it is recommended that you update it right now. This critical zero-day flaw was reported by Samuel Groß, a security researcher with Google Project Zero security team and the Coinbase Security team. It is a type confusion vulnerability tracked as CVE-2019-11707 that occurs “when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.” Not much information has been disclosed about the vulnerability yet, apart from this short description on the advisory page. In general, we can say that type confusion happens when a piece of code fails to verify the object type that is passed to it and blindly uses it without type-checking. The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert informing users and administrators to update Firefox as soon as possible: “The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Firefox 67.0.3 and Firefox ESR 60.7.1 and apply the necessary updates.” Users can install the patched Firefox versions by downloading them from Mozilla’s official website. Or, they can click on the hamburger icon on the upper-right hand corner, type Update into the search box and hit the Restart to update Firefox button to be sure. This is not the first time when a zero-day vulnerability has been found in Firefox. Back in 2016, a vulnerability was reported in Firefox that was exploited by attackers to de-anonymize Tor Browser users. The attackers then collected the user data that included their IP addresses, MAC addresses, and hostnames. Mozilla then released an emergency fix in Firefox 50.0.2 and 45.5.1 ESR. Firefox releases v66.0.4 and 60.6.2 to fix the expired certificate problem that ended up disabling add-ons Firefox 67 enables AV1 video decoder ‘dav1d’, by default on all desktop platforms Mozilla makes Firefox 67 “faster than ever” by deprioritizing least commonly used features

A team of academic researchers recently unveiled a new class of Rowhammer-based attack known as RAMBleed. This newly discovered side-channel attack allows attackers to read memory data on a victim’s Windows computer, without actually accessing the memory. This vulnerability listed as CVE-2019-0174 is called RAMBleed as the RAM "bleeds its contents, which we then recover through a side channel," the researchers explained at the RAMBleed page. RAMBleed is used to read data from dynamic random access memory (DRAM) chips. It leverages Rowhammer, a DRAM flaw which is exploited to cause bits in neighboring memory rows to flip their values. In their research paper titled "RAMBleed: Reading Bits in Memory Without Accessing Them", the researchers have shown how an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, researchers say that RAMBleed shifts Rowhammer from being a threat not only to integrity but confidentiality as well. This paper will be presented at the 41st IEEE Symposium on Security and Privacy in May 2020. The researchers also said that they have successfully used RAMBleed to obtain a signing key from an OpenSSH server or rather leaked a 2048-bit RSA key using normal user privileges, enabling information to be taken from targeted devices.  To do so, “we also developed memory massaging methods and a technique called Frame Feng Shui that allows an attacker to place the victim’s secret-containing pages in chosen physical frames.”, the researchers mention in their paper. Source: RAMBleed.com Any system that uses Rowhammer-susceptible DIMMs is vulnerable to RAMBleed. Machines with memory chips “both DDR3 and DDR4 with TRR (targeted row refresh) enabled" are vulnerable. Users can mitigate their risk by upgrading their memory to DDR4 with targeted row refresh (TRR) enabled. Intel revealed a piece of mitigation advice for researchers in an article and further suggested that "Intel Software Guard Extensions (Intel SGX) can be used to protect systems from RAMBleed attacks." Oracle, in their blog post, state that machines running DDR2 and DDR1 memory chips aren't affected. "successfully leveraging RAMBleed exploits require that the malicious attacker be able to locally execute malicious code against the targeted system," Oracle states. No additional security patches are expected for Oracle product distributions, the company said. Red Hat, in an article, state that there are at least three known DRAM fault exploits, "Rowhammer," "Spoiler" and "RAMBleed." Mitigation approach depends on the hardware vendor, according to RedHat: There are a few commonly proposed hardware-based mitigations against Rowhammer that have potential to also mitigate RAMBleed. These are Targeted Row Refresh (TRR), increased DRAM refresh intervals (doubled DRAM refresh rate), and use of ECC memory. The extent to which these strategies may actually mitigate the problem varies and is hardware platform specific. Vendors are anticipated to provide suitable platform-specific guidance. To know more about RAMBleed in detail, visit its official page. Researchers discover a new Rowhammer attack, ‘ECCploit’ that bypasses Error Correcting Code protections Researchers discover Spectre like new speculative flaw, “SPOILER” in Intel CPU’s NSA warns users of BlueKeep vulnerability; urges them to update their Windows systems