A Review of the Best News of the Week on Cyber Threats & Defense

German Cops Raid “Cyberbunker 2.0,” Arrest 7 in Child Porn, Dark Web Market Sting (Krebs on Security, Sep 28 2019)
“German authorities said Friday they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker. Incredibly, for at least two of the men accused in the scheme, this was their second bunker-based hosting business that was raided by cops and shut down for courting and supporting illegal activity online.”

On Chinese “Spy Trains” (Schneier on Security, Sep 26 2019)
“Part of the reasoning behind this legislation is economic, and stems from worries about Chinese industries undercutting the competition and dominating key global industries. But another part involves fears about national security. News articles talk about “spy trains,” and the possibility that the train cars might surreptitiously monitor their passengers’ faces, movements, conversations or phone calls.”

Cybercriminals plan to make L7 routers serve card stealing code (Help Net Security, Sep 26 2019)
One of the Magecart cybercriminal groups is testing a new method for grabbing users’ credit card info: malicious skimming code that can be loaded into files used by L7 routers. L7 routers are commercial grade routers, typically used by airports, hotels, casinos, malls and similar establishments and organizations, to deliver wireless connectivity to a great number of users.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~11,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

High-severity vulnerability in vBulletin is being actively exploited (Ars Technica, Sep 25 2019)
Devs push a fix for the flaw, but hackers are still hitting unpatched sites.

DoorDash hack spills loads of data for 4.9 million people (Ars Technica, Sep 26 2019)
Intruders got access in May. DoorDash only found out earlier this month.

Scammers using Google Alerts to spread malware, fraud (SC Magazine, Sep 27 2019)
Cybercriminals have found a way to use Google Alerts to hook victims into scams or push malware. Bleeping Computer CEO Lawrence Abrams found that malicious actors are creating malicious sites that get picked up by Google so they will be emailed to people who have alerts set for that particular subject matter.

IE zero-day under active attack gets emergency patch (Ars Technica, Sep 23 2019)
Denial-of-service flaw in Microsoft Defender also gets unscheduled fix.

Busy North Korean hackers have new malware to target ATMs (Ars Technica, Sep 23 2019)
Lazarus, once considered a ragtag group of hackers, is now among the world’s most active.

No summer vacations for Zebrocy (WeLiveSecurity, Sep 24 2019)
The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at least 2004 and has made headlines frequently in recent years. On August 20th, 2019, a new campaign was launched by the group targeting their usual victims – embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries.

Iranian Government Hackers Target US Veterans (Dark Reading, Sep 24 2019)
‘Tortoiseshell’ discovered hosting a phony military-hiring website that drops a Trojan backdoor on visitors.

Cloudflare Introduces ‘Bot Fight Mode’ Option for Site Operators (Dark Reading, Sep 24 2019)
Goal is to help websites detect and block bad bot traffic, vendor says.

Second phishing campaign featuring LookBack malware targets U.S. utilities (SC Magazine, Sep 24 2019)
A malicious threat actor continued to target the U.S. utilities sector with LookBack malware last August, launching a new phishing campaign that targeted organizations with emails impersonating a certification test administrator.

GandCrab Developers Behind Destructive REvil Ransomware (Dark Reading, Sep 25 2019)
Code similarities show a definite technical link between the malware strains, Secureworks says.

Web Attacks Focus on SQL Injection, Malware on Credentials (Dark Reading, Sep 25 2019)
Overall, the two types of SQL injection attacks included on the list accounted for more than a third of all network attacks detected by the firm’s devices. Only two of the other top 10 attacks — exploits focused on vulnerabilities in Adobe Flash and Shockwave — were not Web-based threats, the report found.

Hackers are infecting WordPress sites via a defunct plug-in (Naked Security – Sophos, Sep 26 2019)
If you’re a WordPress admin using a plug-in called Rich Reviews, you’ll want to uninstall it. Now.

Kaspersky releases decryptors for FortuneCrypt and Yalon ransomware (SC Magazine, Sep 25 2019)
Yalon, which is based on the open-source ransomware Hidden Tear, has been primarily used to hit targets in Germany, China, the Russian Federation, India and Myanmar, Kaspersky noted. Luckily, Yalon’s creator made the mistake of using a third-party malware without checking for vulnerabilities and due to mistakes in the cryptographic scheme…

Voting Machine Systems New & Old Contain ‘Design’ Flaws (Dark Reading, Sep 26 2019)
DEF CON Voting Village organizers presented a final report on their findings at the Capitol.

Why You Need to Think About API Security (Dark Reading, Sep 26 2019)
Businesses of all sorts are increasingly relying on APIs to interact with customers in smartphone apps, but they have their own unique set of vulnerabilities.

Ransomware attacks against small towns require collective defense (Help Net Security, Sep 30 2019)
There is a war hitting small-town America. Hackers are not only on our shores, but they’re in our water districts, in our regional hospitals, and in our 911 emergency systems. The target du jour of ransomware hackers is small towns and they have gone after them with a vengeance.

Fileless malware campaign abuses legit tools Node.js and WinDivert (SC Magazine, Sep 27 2019)
An attack campaign targeting primarily the U.S. and Europe is leveraging two legitimate tools, the Node.js framework and WinDivert, to install “fileless” malware that appears to either turn victims’ systems into proxies or perpetrates click fraud.