Table of Contents

  1. Surveillance
    1. Israeli spyware firm fails to get hacking case dismissed
    2. The Military Is Building Long-Range Facial Recognition That Works In the Dark
  2. Vulnerabilities
    1. Oracle just released a whopping 334 security fixes in critical patch update
    2. Critical Windows 10 vulnerability used to Rickroll the NSA and Github
    3. Busting Cisco's Beans :: Hardcoding Your Way to Hell
    4. A Security Vulnerability Let Anyone “Rewrite the Laws” of Gibraltar
    5. VMware addresses flaws in VMware Tools and Workspace ONE SDK
  3. Ransomware
    1. 5ss5c Ransomware emerges after Satan went down in the hell
  4. Reverse engineering
    1. Reverse engineering course
  5. Apple
    1. iPhones Can Now Be Used To Generate 2FA Security Keys For Google Accounts
    2. FBI unlocked iPhone 11 Pro via GrayKey, raising more doubts about Pensacola case
  6. Leaks
    1. Online Pharmacy PlanetDrugsDirect Discloses Security Breach
    2. P&N Bank discloses data breach, customer account information, balances exposed
  7. Privacy
    1. What kind of data is my new car collecting?
  8. Digital rights
    1. Turkey restores access to Wikipedia after 991 days
  9. Malware
    1. U.N. Weathers Storm of Emotet-TrickBot Malware
    2. More Than Half a Billion Android Users Have Installed 'Fleeceware' Apps
    3. Windows BSOD Betrays Cryptominer Hidden in WAV File
  10. Crime
    1. Police stop online banking fraudsters: mTAN system undermined

Surveillance

Israeli spyware firm fails to get hacking case dismissed

An Israeli judge has rejected an attempt by the spyware firm NSO Group to dismiss a case brought against it by a prominent Saudi activist who alleged that the company's cyberweapons were used to hack his phone. The decision could add pressure on the company, which faces multiple accusations that it sold surveillance technology, named Pegasus, to authoritarian regimes and other governments that have allegedly used it to target political activists and journalists.

The Military Is Building Long-Range Facial Recognition That Works In the Dark

According to contracts posted on a federal spending database, the U.S. military is working to develop facial recognition technology that reads the pattern of heat being emitted by faces in order to identify specific people. OneZero reports: Now, the military wants to develop a facial recognition system that analyzes infrared images to identify individuals. The Army Research Lab has previously publicized research in this area, but these contracts, which started at the end of September 2019 and run until 2021, indicate the technology is now being actively developed for use in the field. "Sensors should be demonstrable in environments such as targets seen through automotive windshield glass, targets that are backlit, and targets that are obscured due to light weather (e.g., fog)," the Department of Defense indicated when requesting proposals.

Vulnerabilities

Oracle just released a whopping 334 security fixes in critical patch update

On the heels of Microsoft's first Patch Tuesday for 2020, Oracle has pushed out a dizzying 334 security patches in its first Critical Patch Update (CPU) of the year, matching its largest CPU on record, from July 2018. In total, the January 2020 CPU addresses flaws in 94 products. Two bugs affecting Oracle Human Resources carry a severity rating of 9.9 out of 10, although they cannot be exploited remotely without authentication.

Critical Windows 10 vulnerability used to Rickroll the NSA and Github

Less than a day after Microsoft disclosed one of the most critical Windows vulnerabilities ever, a security researcher has demonstrated how attackers can exploit it to cryptographically impersonate any website or server on the Internet. Researcher Saleem Rashid on Wednesday tweeted images of the video "Never Gonna Give You Up," by 1980s heart-throb Rick Astley, playing on Github.com and NSA.gov. The digital sleight of hand is known as Rickrolling and is often used as a humorous and benign way to demonstrate serious security flaws. In this case, Rashid's exploit causes both the Edge and Chrome browsers to spoof the HTTPS verified websites of Github and the National Security Agency. Brave and other Chrome derivatives, as well as Internet Explorer, are also likely to fall to the same trick. (There's no indication Firefox is affected). Microsoft's patch for CVE-2020-0601 introduces a call to CveEventWrite in CryptoAPI when a faked certificate is detected. Meanwhile, public exploits are already being published. A technical analysis can be found here.
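The detail behind the impersonation, known from Microsoft's advisory and the public analyses of CVE-2020-0601 rather than stated above, is that CryptoAPI accepted ECC certificates carrying explicit (specifiedCurve) parameters and matched them against a trusted root by public key alone, so a certificate whose SubjectPublicKeyInfo uses a custom generator can present a key equal to a real CA's. The check below is an added example in Python, not the researcher's exploit or Microsoft's code: it walks a DER certificate with a minimal stdlib parser and flags explicit EC parameters, which CA-issued certificates do not use. Both certificates are constructed, unsigned skeletons built with a tiny DER encoder, not real certificates.

```python
"""Flag X.509 certificates whose EC public key carries explicit curve parameters,
the hallmark of a CVE-2020-0601 spoof. Added example; stdlib only."""
from typing import List, Tuple

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"    # id-ecPublicKey
OID_PRIME256V1 = "1.2.840.10045.3.1.7"     # secp256r1 named curve
OID_ECDSA_SHA256 = "1.2.840.10045.4.3.2"
OID_PRIME_FIELD = "1.2.840.10045.1.1"
SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING, OID, UTCTIME = 0x30, 0x02, 0x03, 0x04, 0x06, 0x17


# --- tiny DER encoder, used only to construct the sample certificates ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(n: int) -> bytes:
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


# --- tiny DER decoder (single-byte tags, short and long lengths) ---
def parse_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(body: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse_tlv(body, pos)
        out.append((tag, inner))
    return out


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def subject_public_key_info(cert_der: bytes) -> bytes:
    _, cert_body, _ = parse_tlv(cert_der)
    _, tbs = children(cert_body)[0]
    fields = children(tbs)
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def ec_parameter_kind(cert_der: bytes) -> str:
    """'named:<oid>' for namedCurve, 'explicit' for specifiedCurve, 'not-ec' otherwise."""
    alg_fields = children(children(subject_public_key_info(cert_der))[0][1])
    if decode_oid(alg_fields[0][1]) != OID_EC_PUBLIC_KEY:
        return "not-ec"
    tag, params = alg_fields[1] if len(alg_fields) > 1 else (None, b"")
    if tag == OID:
        return "named:" + decode_oid(params)
    return "explicit" if tag == SEQUENCE else "other"


def looks_like_cve_2020_0601(cert_der: bytes) -> bool:
    return ec_parameter_kind(cert_der) == "explicit"


def _sample_cert(ec_params: bytes) -> bytes:
    """Constructed, unsigned X.509 skeleton; only its SPKI matters for the check."""
    alg = tlv(SEQUENCE, der_oid(OID_EC_PUBLIC_KEY) + ec_params)
    point = tlv(BIT_STRING, b"\x00\x04" + bytes(64))    # placeholder uncompressed point
    spki = tlv(SEQUENCE, alg + point)
    name = tlv(SEQUENCE, b"")
    validity = tlv(SEQUENCE, tlv(UTCTIME, b"200101000000Z") + tlv(UTCTIME, b"210101000000Z"))
    sig_alg = tlv(SEQUENCE, der_oid(OID_ECDSA_SHA256))
    tbs = tlv(SEQUENCE, tlv(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki)
    return tlv(SEQUENCE, tbs + sig_alg + tlv(BIT_STRING, b"\x00"))


NAMED_CURVE_CERT = _sample_cert(der_oid(OID_PRIME256V1))
# specifiedCurve SEQUENCE { version, fieldID, curve, base, order, cofactor } with toy values
EXPLICIT_CURVE_CERT = _sample_cert(tlv(SEQUENCE,
    der_int(1)
    + tlv(SEQUENCE, der_oid(OID_PRIME_FIELD) + der_int(23))
    + tlv(SEQUENCE, tlv(OCTET_STRING, b"\x01") + tlv(OCTET_STRING, b"\x01"))
    + tlv(OCTET_STRING, b"\x04\x03\x0a") + der_int(7) + der_int(1)))

if __name__ == "__main__":
    for label, cert in (("named curve", NAMED_CURVE_CERT), ("explicit params", EXPLICIT_CURVE_CERT)):
        print(label, ec_parameter_kind(cert), "SUSPICIOUS" if looks_like_cve_2020_0601(cert) else "ok")
```

The same condition is what the patched CryptoAPI reports through the new CveEventWrite call: on an updated host, an attempt to use such a certificate is written to the Application log as Event ID 1 from source Microsoft-Windows-Audit-CVE, which is the host-side signal to alert on while the certificate check above serves as a network-side or offline triage.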

Busting Cisco's Beans :: Hardcoding Your Way to Hell

This post shares three (3) full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root. In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.

A Security Vulnerability Let Anyone “Rewrite the Laws” of Gibraltar

Due to an SQL injection in the Gibraltar government website, it was possible to edit and delete content allowing an attacker to "alter any law".
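What "edit content" through SQL injection looks like in code, as an added example that is not the Gibraltar site's code: a content-update function that pastes user input into the statement lets a crafted record identifier turn the WHERE clause into a tautology and rewrite every row, while the parameterised version treats the same payload as a literal that matches nothing. The table, its rows and the payload are constructed for the demo (Python with the stdlib sqlite3 module).

```python
"""Vulnerable vs. parameterised UPDATE against an in-memory SQLite table.
Added example; schema, rows and payload are constructed, not from the affected site."""
import sqlite3
from typing import Callable, List, Tuple

LAWS = [
    (1, "Speed limit is 50 km/h in town."),
    (2, "Shops close at 20:00."),
    (3, "Dogs must be on a lead in parks."),
]
PAYLOAD = "1' OR '1'='1"      # crafted "law id" an attacker would submit


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE laws (id INTEGER PRIMARY KEY, text TEXT NOT NULL)")
    conn.executemany("INSERT INTO laws VALUES (?, ?)", LAWS)
    conn.commit()
    return conn


def update_law_vulnerable(conn: sqlite3.Connection, law_id: str, text: str) -> int:
    # Untrusted input is interpolated into the statement. With PAYLOAD the query becomes
    #   UPDATE laws SET text = '...' WHERE id = '1' OR '1'='1'
    # and the tautology rewrites every row, not just law 1.
    sql = f"UPDATE laws SET text = '{text}' WHERE id = '{law_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_law_safe(conn: sqlite3.Connection, law_id: str, text: str) -> int:
    # Placeholders bind the input as data: the same payload is compared as one string
    # against the integer id column and matches no row.
    cur = conn.execute("UPDATE laws SET text = ? WHERE id = ?", (text, law_id))
    conn.commit()
    return cur.rowcount


def law_texts(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute("SELECT text FROM laws ORDER BY id")]


def run_update(update_fn: Callable, law_id: str, text: str) -> Tuple[int, List[str]]:
    """Apply one update against a fresh table; returns (rows changed, resulting texts)."""
    conn = fresh_db()
    changed = update_fn(conn, law_id, text)
    return changed, law_texts(conn)


if __name__ == "__main__":
    for fn in (update_law_vulnerable, update_law_safe):
        changed, texts = run_update(fn, PAYLOAD, "Anything goes.")
        print(f"{fn.__name__}: {changed} row(s) changed -> {texts}")
```

The fix is the placeholder, not input filtering: the safe variant still accepts a legitimate id such as "2" and updates exactly that row, so nothing about the application's behaviour changes except that the input can no longer alter the statement's structure.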

VMware addresses flaws in VMware Tools and Workspace ONE SDK

VMware has released VMware Tools 11.0.0, which addresses a local privilege escalation issue in Tools 10.x.y tracked as CVE-2020-3941. The issue is a race condition that an attacker with access to the guest virtual machine could exploit to escalate privileges. "A malicious actor on the guest VM might exploit the race condition and escalate their privileges on a Windows VM. This issue affects VMware Tools for Windows version 10.x.y as the affected functionality is not present in VMware Tools 11." reads the advisory published by the company.

Ransomware

5ss5c Ransomware emerges after Satan went down in the hell

The threat actors behind the Satan, DBGer and Lucky ransomware, and likely Iron ransomware as well, are back with a new piece of malware named '5ss5c'. Researcher Bart Blaze believes the actors have been working on 5ss5c since at least November 2019 and that the code is likely still under development: a second spreader module, packed with Enigma Virtual Box and named poc.exe, was found within the code.

Reverse engineering

Reverse engineering course

This course teaches how to reverse engineer x64 Windows binaries. It starts with some basics of binaries, then reverses some small samples, reverses a DLL and reimplements it in your own program, reverses some malware, and afterwards looks at some realistic situations.

Apple

iPhones Can Now Be Used To Generate 2FA Security Keys For Google Accounts

Most modern iPhones running iOS 13 can now be used as a built-in phone security key for Google accounts. 9to5Google reports: A built-in phone security key differs from the Google Prompt, though both essentially share the same UI. The latter, push-based approach is found in the Google Search app and Gmail, while today's announcement is more akin to a physical USB-C/Lightning key in terms of resisting phishing attempts and verifying who you are. Your phone security key needs to be physically near (within Bluetooth range) the device that wants to log in; the login prompt is not just sent over an internet connection.

FBI unlocked iPhone 11 Pro via GrayKey, raising more doubts about Pensacola case

As Apple stands firm against requests to break iPhone encryption, many people have questioned why the FBI needs Apple's help in the first place. There are plenty of tools available from third-party companies that are more than capable of unlocking the iPhone 5 and iPhone 7 used by the Pensacola gunman. Further emphasizing that point, a new report from Forbes says that the FBI recently used one of those black/gray market tools to unlock the newest --- and theoretically the most secure --- iPhone that Apple sells. According to the report, FBI investigators in Ohio used the GrayKey hardware box to unlock an iPhone 11 Pro Max. The phone in question belonged to Baris Ali Koch, who was accused of helping his convicted brother escape the country by letting him use his passport. President Trump has joined the fray around the FBI's request for Apple to help unlock two iPhones used by the gunman responsible for last month's shooting at the Pensacola Naval Air Station. Trump took to Twitter (via his iPhone) this evening to call on Apple to unlock the phones in question.

Leaks

Online Pharmacy PlanetDrugsDirect Discloses Security Breach

Canadian online pharmacy PlanetDrugsDirect is emailing customers, notifying them of a data security incident that might have impacted some of their sensitive personal and financial information. PlanetDrugsDirect (also known as Planet Drugs Direct) is an active member of the Canadian International Pharmacy Association (CIPA), an association of licensed retail pharmacies that sell medication to Canadian and U.S. citizens. PlanetDrugsDirect describes itself as an "online prescription referral service which provides our customers with direct access to affordable prescription and non-prescription medications" and has roughly 400,000 customers.

P&N Bank discloses data breach, customer account information, balances exposed

The Australian P&N Bank, a division of Police & Nurses Limited operating in Western Australia, is notifying its customers of a data breach in which attackers accessed personally identifiable information (PII) and sensitive account data, including account details and balances.

Privacy

What kind of data is my new car collecting?

Your car knows all about you -- your habits, where you like to go and when, and maybe even what sort of temperament you have. Cameras inside cars even track your eyes to see whether you're watching the road. If you spent as much time one-on-one with a friend as you do with your car, your friend would know an awful lot about you, too. The difference is that car companies, unlike friends, have a financial incentive for knowing things about you. "Cars already collect a significant and growing amount of data," says Teresa Scassa, Canada Research Chair in information law and policy at the University of Ottawa. The car itself is collecting driving data such as speed and braking patterns, but the built-in navigation and entertainment services are also collecting information of a more personal nature, she says. That could include location information, taste in music, voice commands, search history and so forth. Apps such as Waze, Apple CarPlay or Android Auto connected to the vehicle will also be collecting similar data.

Digital rights

Turkey restores access to Wikipedia after 991 days

Network data from the NetBlocks internet observatory confirm that Turkey has fully restored access to the Wikipedia online encyclopedia as of 15 January 2020, exactly 991 days after the popular online resource was blocked nationally.

Malware

U.N. Weathers Storm of Emotet-TrickBot Malware

A concerted, targeted phishing campaign took aim at 600 different staffers and officials, using Norway as a lure. The operators behind the notorious Emotet malware have taken aim at United Nations personnel in a targeted attack ultimately bent on delivering the TrickBot Trojan. According to researchers at Cofense, a concerted phishing campaign has been using emails purporting to be from the Permanent Mission of Norway, which maintains the Scandinavian country's diplomatic presence in New York. The emails were sent to 600 staffers and officials across the U.N., claiming that there was a problem with a supposed "signed agreement" attached to the mails. The endgame, however, was to steal login credentials. According to a report confirmed by Threatpost with Cofense, if a victim opened the document, a pop-up warning appeared saying, "document only available for desktop or laptop versions of Microsoft Office Word." Users were then prompted to click a button to "enable content," which, if clicked, actually enabled malicious Word macros. In turn, these downloaded and installed Emotet, which would then run in the background.
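A mail-gateway triage check for the lure described above, as an added example in Python that is neither Cofense's nor the U.N.'s tooling: it opens a Word attachment as an Office Open XML container and flags a VBA project part or a macro-enabled content type, plus a .docx extension that hides one; legacy OLE2 .doc files get only a directory-name heuristic, since a proper parser is needed for those. The attachments are constructed in memory (no real Emotet document is used), and the part and content-type names are the standard OOXML ones.

```python
"""Triage an Office attachment for macros before a user can click 'enable content'.
Added example (stdlib only); sample attachments are constructed, not real malware."""
import io
import zipfile
from typing import List

MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return findings for a Word attachment; an empty list means no macro indicators."""
    findings: List[str] = []
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc: OLE2 directory entry names are UTF-16LE, so a "VBA" storage name
        # is a cheap heuristic; a real OLE parser (e.g. oletools) is the proper check.
        if "VBA".encode("utf-16-le") in data:
            findings.append("legacy OLE2 document with a VBA storage (heuristic)")
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings                      # not an Office Open XML container
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["ZIP signature but corrupt container"]
    names = set(zf.namelist())
    if MACRO_PART in names:
        findings.append(f"contains VBA project part {MACRO_PART}")
    if "[Content_Types].xml" in names:
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if MACRO_CONTENT_TYPE in types_xml:
            findings.append("declares a macro-enabled main document part")
    if findings and filename.lower().endswith(".docx"):
        findings.append("extension .docx does not match macro-enabled content")
    return findings


def build_docx(macro: bool) -> bytes:
    """Constructed minimal OOXML container; real documents carry many more parts."""
    main_ct = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(MACRO_PART, OLE2_MAGIC + b"\x00" * 8)   # stand-in for the VBA stream
    return buf.getvalue()


# Constructed stand-in for a legacy .doc whose OLE2 directory holds a "VBA" storage.
LEGACY_DOC_WITH_VBA = OLE2_MAGIC + b"\x00" * 24 + "VBA".encode("utf-16-le") + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("signed_agreement.docm", build_docx(True)),
                       ("signed_agreement.docx", build_docx(True)),
                       ("notes.docx", build_docx(False)),
                       ("agreement.doc", LEGACY_DOC_WITH_VBA)):
        print(name, "->", inspect_attachment(name, blob) or "clean")
```

The container check is reliable because Word itself needs the vbaProject.bin part to run anything; what it cannot tell you is whether the macro is malicious, so in practice a hit on an inbound "agreement" from an unexpected sender is a quarantine-and-review signal rather than a verdict.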

More Than Half a Billion Android Users Have Installed 'Fleeceware' Apps

The term fleeceware is a recent addition to cyber-security jargon. It was coined by UK cyber-security firm Sophos last September following an investigation that uncovered a new type of financial fraud on the official Google Play Store. It refers to apps that abuse the trial periods Android apps can offer before a payment is charged to the user's account. By default, a user who signs up for an app trial has to cancel it manually to avoid being charged, but most users simply uninstall an app they don't like. The vast majority of developers treat an uninstall as a cancellation and don't follow through with a charge. Sophos found, however, that some developers kept the trial running after an uninstall and charged the user unless they received an explicit cancellation request. Sophos said it initially discovered 24 Android apps charging obscene fees (between $100 and $240 per year) for the most basic and simplistic functions, such as QR/barcode readers and calculators.

Windows BSOD Betrays Cryptominer Hidden in WAV File

The infamous blue screen of death (BSOD) on computers belonging to a company in the medical tech sector was the tell-tale sign of a malware infection that spread across more than half the network. The malware hid its modules in WAV audio files and spread to vulnerable Windows 7 machines on the network via EternalBlue, the SMBv1 exploit used in the devastating WannaCry and NotPetya attacks of 2017. Security researchers providing incident response services found that more than 800 computers had been compromised starting October 14, 2019; the discovery was made by investigating systems that had experienced a BSOD since that date. In the absence of kernel memory dumps, which would have pointed to what triggered the crashes, the researchers from Guardicore relied on attack residue left on the machines to determine the cause.

Crime

Police stop online banking fraudsters: mTAN system undermined

Fraudsters tried to use eSIM swapping to steal money from other people's bank accounts. The Central Office Cybercrime Bavaria (Zentralstelle Cybercrime Bayern, ZCB) and the Würzburg criminal police were able to intervene and prevented transactions amounting to almost 200,000 euros. The General Prosecutor's Office in Bamberg has filed charges against a couple; an accomplice is still unknown. According to the ZCB announcement, the alleged perpetrators first obtained, by various means, the login data for customer accounts at telephone providers. In this form of SIM swapping the fraudsters exploit the eSIM: it is built into the device and is typically provisioned by scanning a QR code that the provider sends by email or presents on its website, so whoever controls the customer's provider account can activate the victim's number on a device of their own and receive the SMS transaction codes (mTANs) meant for the victim.