Table of Contents

  1. Leaks
    1. WeLeakInfo.com Domain Name Seized
  2. Politics
    1. FBI Says State Actors Hacked US Govt Network With Pulse VPN Flaw
    2. Turkish Hackers hit Greek Government websites and local stock exchange
    3. Georgia election server showed signs of tampering, expert says
  3. Vulnerabilities
    1. Dutch Govt Suggests Turning Off Citrix ADC Devices, Mitigations May Fail
    2. Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day
  4. Malware
    1. JhoneRAT: Cloud based Python RAT targeting Middle Eastern countries
    2. New Jersey Synagogue Suffers Sodinokibi Ransomware Attack
  5. IoT
    1. Telnet Passwords Leaked For More Than 500,000 Servers, Routers, and IoT Devices
    2. Smart homes will turn dumb overnight as Charter kills security service
  6. Hardening
    1. Security Architecture Anti-Patterns
    2. Google Chrome Adds Protection for NSA's Windows CryptoAPI Flaw
  7. Privacy
    1. Report: Adult Site Leaks Extremely Sensitive Data of Cam Models
    2. Dashcam Flaw Allows Anyone To Track Drivers In Real-Time Across the US
    3. EU considers temporary ban on facial recognition in public spaces

Leaks

WeLeakInfo.com Domain Name Seized

The Federal Bureau of Investigation and the U.S. Department of Justice announced that they have seized the internet domain name weleakinfo.com. The announcement was made by U.S. Attorney Jessie K. Liu of the District of Columbia and Special Agent in Charge Timothy M. Dunham of the FBI's Washington Field Office. The website claimed to offer its users a search engine for personal information illegally obtained in over 10,000 data breaches, containing over 12 billion indexed records, including names, email addresses, usernames, phone numbers, and passwords for online accounts. The website sold subscriptions so that any user could access the results of these data breaches; a subscription provided unlimited searches and access for its period (one day, one week, one month, or three months).

Politics

FBI Says State Actors Hacked US Govt Network With Pulse VPN Flaw

The FBI said in a flash alert that nation-state actors have breached the networks of a US municipal government and a US financial entity by exploiting a critical vulnerability in Pulse Secure VPN servers, tracked as CVE-2019-11510. The US Cybersecurity and Infrastructure Security Agency (CISA) had already warned organizations on January 10th to patch their Pulse Secure VPN servers against ongoing attacks exploiting the flaw. Because CVE-2019-11510 is an unauthenticated arbitrary file read that exposes cached credentials and session data, patching alone does not evict an attacker who harvested them before the patch; affected credentials and sessions also need to be reset. Separately, the FBI has created a new policy to give "timely" breach notifications to state and local officials concerning election hacking and foreign interference. The new election policy expands the FBI's current method of notifying hacking victims and will require agents to work directly with state and local election officials to identify and mitigate cyberthreats to election infrastructure as quickly as possible, according to the FBI announcement.

Turkish Hackers hit Greek Government websites and local stock exchange

A group of Turkish hackers calling itself Anka Neferler Tim claimed on Friday to have hijacked, for more than 90 minutes, the official websites of the Greek parliament, the foreign affairs and economy ministries, and the country's stock exchange. The claim came as eastern Libya ports controlled by commander Khalifa Haftar were shutting down oil exports.

Georgia election server showed signs of tampering, expert says

A computer security expert says that a forensic image of the election server at the center of a legal battle over the integrity of Georgia's elections shows signs that the original server was hacked. The server had been left exposed to the open internet for at least six months, a problem the same expert discovered in August 2016.

Vulnerabilities

Dutch Govt Suggests Turning Off Citrix ADC Devices, Mitigations May Fail

CVE-2019-19781 is a critical, still-unpatched flaw in Citrix Application Delivery Controller (ADC) and Citrix Gateway. In an updated advisory today, Citrix reports that a further product is vulnerable to the same issue and that the recommended mitigations do not have the expected effect on some versions of Citrix ADC. Given that update, the Dutch National Cybersecurity Centre (NCSC) assesses that there is currently no reliable way to protect all versions of Citrix ADC and Citrix Gateway against CVE-2019-19781, and it advises organizations to consider turning the devices off if the impact is acceptable. Germany's Federal Office for Information Security (BSI) issued a similar warning; at the time, some 1500 vulnerable systems were still online in Germany. Attacks on Citrix servers are intensifying, and one of the threat actors behind them is patching the flaw on compromised servers and installing its own backdoor to lock out other attackers. A device that was exposed before it was mitigated should therefore be treated as potentially compromised and checked for such a backdoor, not merely patched.

Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day

Microsoft has published security advisory ADV200001 with mitigations for a zero-day remote code execution (RCE) vulnerability in Internet Explorer, tracked as CVE-2020-0674, that is being exploited in the wild. "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user." reads the advisory published by Microsoft. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." The advisory's workaround restricts access to jscript.dll, the legacy scripting engine. Internet Explorer 11 uses jscript9.dll by default, which is not affected, so the impact of the restriction is limited, but anything that still depends on jscript.dll stops working until the restriction is reverted once a patch is installed.

Malware

JhoneRAT: Cloud based Python RAT targeting Middle Eastern countries

Cisco Talos has published details of a new RAT called "JhoneRAT." It is delivered via malicious Microsoft Office documents. The dropper, together with the Python RAT, gathers information on the victim's machine and then uses multiple cloud services (Google Drive, Twitter, ImgBB and Google Forms) to download additional payloads and to upload the information gathered during the reconnaissance phase. The RAT targets a very specific set of Arabic-speaking countries, filtering by the keyboard layout of the infected system; an analysis machine without one of those layouts therefore never sees the later stages. Based on the analyzed sample, JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.
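The keyboard-layout filter described above, as an added example (this is not Talos's code or JhoneRAT's own source). On Windows the handles would come from GetKeyboardLayoutList; here the handle values are constructed inline so the decoding logic runs anywhere. The country-to-LANGID table covers exactly the fourteen countries the write-up lists, which the example treats as the complete set.

```python
# Added example: how a keyboard-layout (HKL) based targeting filter works.
# Real malware would obtain the HKL list via ctypes/GetKeyboardLayoutList;
# the HKL values below are constructed so the logic runs on any platform.

# Windows language identifiers (LANGIDs) for the Arabic locales the write-up lists.
# Primary language Arabic = 0x01 in the low 10 bits; the sublanguage (country)
# occupies the upper 6 bits of the 16-bit LANGID.
TARGET_LANGIDS = {
    0x0401: "Saudi Arabia", 0x0801: "Iraq", 0x0C01: "Egypt", 0x1001: "Libya",
    0x1401: "Algeria", 0x1801: "Morocco", 0x1C01: "Tunisia", 0x2001: "Oman",
    0x2401: "Yemen", 0x2801: "Syria", 0x3001: "Lebanon", 0x3401: "Kuwait",
    0x3801: "UAE", 0x3C01: "Bahrain",
}

LANG_ARABIC = 0x01


def decode_hkl(hkl: int):
    """Split a keyboard layout handle into (device_handle, langid, primary, sublang)."""
    langid = hkl & 0xFFFF
    device = (hkl >> 16) & 0xFFFF
    return device, langid, langid & 0x3FF, langid >> 10


def matching_targets(hkls):
    """Return the targeted countries whose layout is installed, in HKL order."""
    found = []
    for hkl in hkls:
        _, langid, _, _ = decode_hkl(hkl)
        if langid in TARGET_LANGIDS:
            found.append(TARGET_LANGIDS[langid])
    return found


def rat_would_proceed(hkls) -> bool:
    """Mimic the filter: continue only if at least one targeted layout is present."""
    return bool(matching_targets(hkls))


# Constructed HKL lists in the form GetKeyboardLayoutList returns them.
US_ONLY = [0x04090409]                 # en-US only: the usual analysis-VM setup
SA_PLUS_US = [0x04090409, 0x04010401]  # en-US plus Arabic (Saudi Arabia)
JORDAN = [0x04090409, 0x2C012C01]      # Arabic (Jordan): Arabic, but not in the listed set

if __name__ == "__main__":
    for name, hkls in [("US_ONLY", US_ONLY), ("SA_PLUS_US", SA_PLUS_US), ("JORDAN", JORDAN)]:
        print(f"{name}: proceed={rat_would_proceed(hkls)} matches={matching_targets(hkls)}")
```

The practical consequence for analysts is the JORDAN case: an Arabic layout by itself is not enough if the sublanguage is not in the set, so a sandbox needs one of the listed layouts installed before the later stages will run.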

New Jersey Synagogue Suffers Sodinokibi Ransomware Attack

Temple Har Shalom in Warren, New Jersey had its network breached by the actors behind the Sodinokibi ransomware, who encrypted numerous computers on the network. On checking their servers, staff found that the Temple's files had been encrypted and a ransom note had been left behind; other computers on the network had been encrypted as well. "The encryption affected all of our server-based files and electronic data. We have a mechanical back up for those files and data, but the back-up was encrypted as well. Certain computers were affected in full. Others were unaffected and remain functional," the email from Temple Har Shalom stated. A backup that is reachable and writable from the compromised network gets encrypted along with everything else, which is why offline or otherwise isolated backup copies are the control that actually matters in a ransomware incident.

IoT

Telnet Passwords Leaked For More Than 500,000 Servers, Routers, and IoT Devices

A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices. The list, published on a popular hacking forum, includes each device's IP address along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet. According to experts ZDNet spoke to this week, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices exposing their Telnet port, then trying (1) factory-set default usernames and passwords or (2) custom but easy-to-guess password combinations.
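What a defender does with a list like this is check whether any of their own address space is in it and how much of it is factory defaults. The following is an added example (not ZDNet's or the leaker's tooling) that parses a constructed sample in an assumed `ip:port user:pass` line format, scopes it to the organization's CIDRs, and tallies credential reuse against a small constructed table of known defaults. The sample addresses are documentation ranges and the entries are invented.

```python
import ipaddress
from collections import Counter

# Constructed sample in an assumed "ip:port user:pass" format; these are
# RFC 5737 documentation addresses and invented entries, not data from the dump.
SAMPLE_LEAK = """\
203.0.113.5:23 admin:admin
203.0.113.77:23 root:xc3511
198.51.100.9:2323 root:vizxv
192.0.2.130:23 admin:admin
198.51.100.200:23 admin:Summer2019
# comment lines and junk must not abort the run
not a valid line
"""

# Small constructed subset of well-known factory defaults for the example.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("root", "root"), ("root", "xc3511"),
    ("root", "vizxv"), ("admin", "1234"), ("support", "support"),
}


def parse_leak(text):
    """Return (ip, port, user, password) tuples for each well-formed line.

    Malformed lines are skipped rather than raising, because a multi-hundred-
    thousand-line dump will contain junk. IPv4 only: rsplit on ':' would
    mis-handle bracketed IPv6 endpoints.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            endpoint, cred = line.split(" ", 1)
            host, port = endpoint.rsplit(":", 1)
            user, password = cred.split(":", 1)
            entries.append((ipaddress.ip_address(host), int(port), user, password))
        except ValueError:
            continue
    return entries


def in_scope(entries, cidrs):
    """Entries whose address falls inside any of the given networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [e for e in entries if any(e[0] in n for n in nets)]


def credential_stats(entries):
    """(Counter of (user, password) pairs, number of entries using a known default)."""
    counts = Counter((u, p) for _, _, u, p in entries)
    defaults = sum(1 for _, _, u, p in entries if (u, p) in KNOWN_DEFAULTS)
    return counts, defaults


def triage(text, cidrs):
    """Summarise a dump against an organisation's own address space."""
    entries = parse_leak(text)
    mine = in_scope(entries, cidrs)
    counts, defaults = credential_stats(entries)
    return {
        "total": len(entries),
        "in_scope": [f"{ip}:{port} {u}" for ip, port, u, _ in mine],
        "default_creds": defaults,
        "most_reused": counts.most_common(1)[0] if counts else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LEAK, ["203.0.113.0/24"]))
```

Devices that turn up in scope need their Telnet service disabled or firewalled and their credentials changed, and the reuse counter shows which default pairs a single exposed model puts on the list many times over.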

Smart homes will turn dumb overnight as Charter kills security service

Charter is killing its home-security service and telling customers that security devices they've purchased will stop working once the service is shut down on February 5th. The impending shutdown and customers' anger at Charter---a cable company also known by the brand name "Spectrum"---has been widely reported over the past month. Over the years, some customers have spent large sums on products that will no longer work.

Hardening

Security Architecture Anti-Patterns

This security paper describes some common patterns we often see in system designs that you should avoid. We'll unpick the thinking behind them, explain why the patterns are bad, and most importantly, propose better alternatives.

Google Chrome Adds Protection for NSA's Windows CryptoAPI Flaw

Google has released Chrome 79.0.3945.130, which now detects certificates crafted to exploit CVE-2020-0601, the Windows CryptoAPI vulnerability reported by the NSA. Microsoft released security updates for the flaw, which lies in how the Crypt32.dll library validates elliptic-curve certificates, as part of its January 2020 Patch Tuesday. The browser-side check matters because Chrome on Windows relies on CryptoAPI for certificate verification, so on an unpatched system it would otherwise accept a spoofed certificate.
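The core of the spoof is that the vulnerable verifier matched an ECC certificate to a cached trusted root by public key alone, without checking that the curve parameters were the root's named curve; an attacker can therefore ship explicit curve parameters with a generator of their choosing and present a key that "matches" the root. The added example below (not Chrome's or Microsoft's code) shows the check a hardened verifier applies: parse the SubjectPublicKeyInfo and accept an id-ecPublicKey only when its parameters are a named-curve OID. The DER handling is written inline, and the sample SPKIs are constructed; the explicit-parameter body is a placeholder, not a real curve.

```python
# Added example: reject ecPublicKey SPKIs whose parameters are not a named curve,
# which is the certificate shape CVE-2020-0601 exploits. Minimal DER TLV
# encode/decode is implemented inline; no third-party library is required.

ID_EC_PUBLIC_KEY = bytes.fromhex("2A8648CE3D0201")    # 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2A8648CE3D030107")         # 1.2.840.10045.3.1.7
RSA_ENCRYPTION = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1

TAG_SEQUENCE, TAG_OID, TAG_NULL, TAG_BITSTRING, TAG_INTEGER = 0x30, 0x06, 0x05, 0x03, 0x02


def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def classify_spki(spki):
    """'named-curve', 'explicit-params', 'implicit-params', 'missing-params' or 'not-ec'."""
    tag, body, _ = der_read(spki)
    if tag != TAG_SEQUENCE:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, _ = der_read(body)          # AlgorithmIdentifier
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, pos = der_read(alg)
    if tag != TAG_OID:
        raise ValueError("algorithm is not an OID")
    if oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "missing-params"           # ecPublicKey without parameters: invalid
    ptag, _, _ = der_read(alg, pos)
    if ptag == TAG_OID:
        return "named-curve"              # the only form a verifier should accept
    if ptag == TAG_SEQUENCE:
        return "explicit-params"          # CVE-2020-0601 shape: attacker-chosen curve
    return "implicit-params"              # implicitlyCA (NULL): also reject


def accept_ec_spki(spki):
    """The hardened decision: only named curves pass."""
    return classify_spki(spki) == "named-curve"


def build_spki(alg_oid, params, pubkey):
    """Assemble SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    alg = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, alg_oid) + params)
    return der_tlv(TAG_SEQUENCE, alg + der_tlv(TAG_BITSTRING, b"\x00" + pubkey))


# Constructed samples. FAKE_POINT is a placeholder uncompressed P-256 point.
FAKE_POINT = b"\x04" + bytes(64)
NAMED = build_spki(ID_EC_PUBLIC_KEY, der_tlv(TAG_OID, SECP256R1), FAKE_POINT)
# Real explicit ECParameters is SEQUENCE { version, fieldID, curve, base, order, cofactor };
# only the outer tag matters for the classification, so a placeholder body is used.
EXPLICIT = build_spki(ID_EC_PUBLIC_KEY,
                      der_tlv(TAG_SEQUENCE, der_tlv(TAG_INTEGER, b"\x01")), FAKE_POINT)
RSA = build_spki(RSA_ENCRYPTION, der_tlv(TAG_NULL, b""), bytes(8))

if __name__ == "__main__":
    for name, spki in [("NAMED", NAMED), ("EXPLICIT", EXPLICIT), ("RSA", RSA)]:
        print(f"{name}: {classify_spki(spki)} accept={accept_ec_spki(spki)}")
```

The same classification can be run over every certificate in a chain, not only the leaf, since the spoofed certificate in this attack is the forged root or intermediate rather than the end-entity certificate.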

Privacy

Report: Adult Site Leaks Extremely Sensitive Data of Cam Models

The vpnMentor cybersecurity research team, led by Noam Rotem and Ran Locar, has uncovered a leaking S3 bucket with 19.95 GB of visible data on a Virginia-based Amazon server, belonging to PussyCash and its network. PussyCash is an explicit 'cam' affiliate network that owns the brand ImLive and other similar adult-oriented websites. The leak exposed the personal data and likeness of over 4,000 models across more than 875,000 files and has high-risk, real-life implications for those models.

Dashcam Flaw Allows Anyone To Track Drivers In Real-Time Across the US

BlackVue is a dashcam company with its own social network. With a small, internet-connected dashcam installed inside their vehicle, BlackVue users can receive alerts when their camera detects an unusual event such as someone colliding with their parked car. But what BlackVue's app doesn't make clear is that it is possible to pull and store users' GPS locations in real-time over days or even weeks. Motherboard was able to track the movements of some of BlackVue's customers in the United States.

EU considers temporary ban on facial recognition in public spaces

The EU could temporarily ban the use of facial recognition technology in public places such as train stations, sport stadiums and shopping centers over fears about creeping surveillance of European citizens. A prohibition lasting between three and five years is seen as a way for Brussels to manage the risks said to be posed by the breakneck speed at which the software is being adopted. The option is contained in an early draft of a European commission white paper obtained by the news website Euractiv. The final version is due to be published in February as part of a wider overhaul of the regulation of artificial intelligence.