Table of Contents

  1. Vulnerabilities
    1. Trend Micro antivirus zero-day used in Mitsubishi Electric hack
  2. Ransomware
    1. A new piece of the Ryuk malware has been improved to steal confidential files related to the military, government, financial statements, and banking
    2. New York State Wants To Ban Government Agencies From Paying Ransomware Demands
  3. Privacy
    1. Clearview AI sued over facial recognition privacy concerns
    2. Online Advertisers Are Breaking The Law
    3. Adult website leaves sex workers' personal information vulnerable, report says
    4. London Police Amp Up Surveillance With Real-Time Facial Recognition
  4. OSINT
    1. Pokémon GO OSINT Techniques: Part II
  5. Malware
    1. Authorities arrest 3 Indonesian hackers behind many Magecart attacks
    2. Mozilla has banned nearly 200 malicious Firefox add-ons over the last two weeks
  6. Leaks
    1. Tout - 652,683 breached accounts
  7. Hardening
    1. Does Your Domain Have a Registry Lock?

Vulnerabilities

Trend Micro antivirus zero-day used in Mitsubishi Electric hack

The 0-day used in the Mitsubishi attack was probably CVE-2019-18187, patched by Trend Micro in October. According to a security advisory Trend Micro sent out in October 2019, "affected versions of OfficeScan could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE)."
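The bug class the advisory describes is archive extraction that trusts entry names: an entry called `../../something` lands outside the intended folder. The following is an added example (not Trend Micro's code, and unrelated to any real OfficeScan internals) showing how a server-side extractor should validate each entry against the destination directory before writing. The archive is constructed in memory for the demonstration; the destination path used in the demo is a temporary directory.

```python
import io
import os
import shutil
import tempfile
import zipfile
from typing import List


def build_sample_zip() -> bytes:
    """Constructed sample archive: two benign entries and three entries whose
    names would escape the extraction directory if written as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "harmless content")
        zf.writestr("sub/inner.txt", "also harmless")
        zf.writestr("../../outside.txt", "escapes via parent references")
        zf.writestr("a/../../b.txt", "escapes after a benign-looking prefix")
        zf.writestr("/absolute.txt", "absolute path overrides the destination")
    return buf.getvalue()


def member_stays_inside(name: str, dest: str) -> bool:
    """True only if writing `name` under `dest` cannot leave `dest`.

    Both sides are canonicalised with realpath so symlinked or relative
    destinations compare consistently; an absolute member name makes
    os.path.join discard `dest`, which the commonpath check then catches."""
    dest_real = os.path.realpath(dest)
    # Treat backslashes as separators too: archives written on Windows may use them.
    target = os.path.realpath(os.path.join(dest_real, name.replace("\\", "/")))
    try:
        return os.path.commonpath([dest_real, target]) == dest_real
    except ValueError:
        # Raised on Windows when the two paths are on different drives.
        return False


def unsafe_members(data: bytes, dest: str) -> List[str]:
    """Return the entry names that would be written outside `dest`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist()
                if not member_stays_inside(i.filename, dest)]


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Extract only entries that stay inside `dest`; return the paths written.

    Unsafe entries are skipped rather than rewritten, so the archive is treated
    as hostile as a whole and the skip can be logged by the caller."""
    written = []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not member_stays_inside(info.filename, dest_real):
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written


if __name__ == "__main__":
    data = build_sample_zip()
    dest = tempfile.mkdtemp(prefix="unpack_")
    print("rejected:", unsafe_members(data, dest))
    print("written: ", safe_extract(data, dest))
```

The check compares canonical paths rather than looking for the substring `..`, so prefixes like `a/../../b.txt` and absolute names are rejected for the same reason: the resolved target is not inside the destination. Python's own `ZipFile.extractall` strips such components as of modern releases, but an explicit check is still the right pattern when the extraction logic is hand-written, as it evidently was in the product described above.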

Ransomware

A new piece of the Ryuk malware has been improved to steal confidential files related to the military, government, financial statements, and banking

Security experts from MalwareHunterTeam have discovered a new version of the Ryuk Stealer malware that has been enhanced to allow its operators to steal a greater amount of confidential files related to the military, government, financial statements, and banking.

New York State Wants To Ban Government Agencies From Paying Ransomware Demands

Two New York state senators proposed two bills last week to ban local municipalities and other government entities from using taxpayer money to pay ransomware demands. The first bill (S7246) was proposed by Republican NY Senator Phil Boyle on January 14th. The second bill (S7289) was introduced by Democrat NY Senator David Carlucci two days later, on January 16th. Both bills are under discussion in committee, and it is unclear which will move forward to a vote on the Senate floor.

Privacy

Clearview AI sued over facial recognition privacy concerns

A lawsuit is taking aim at Clearview AI, a controversial facial recognition app being used by US law enforcement to identify suspects and other people. The app is under fire after a New York Times investigation into the software company earlier this week. The app identifies people by comparing photos to a database of images scraped from social media and other sites, and then sells the info to law enforcement agencies.

Online Advertisers Are Breaking The Law

According to a report by Forbrukerradet --- online advertisers are ignoring the GDPR and continuing to track consumers and build profiles of them. The report, linked above, and the technical addendum are both quite long (193 and 93 pages respectively) and detail how Android apps are continuing to send Advertiser IDs and other personal data --- including precise GPS coordinates --- to third parties. One particularly disturbing revelation is that the Grindr app, a dating app for gay, bi, and trans people, was collecting personal and sensitive information from its users and sending it to numerous third parties. The report devotes 39 pages to Grindr and its data sharing.

Adult website leaves sex workers' personal information vulnerable, report says

A popular sexting website has exposed thousands of photo IDs belonging to models and sex workers who earn commissions from the site. SextPanther, an Arizona-based adult site, stored more than 11,000 identity documents on an exposed Amazon Web Services (AWS) storage bucket, including passports, driver's licenses and Social Security numbers, without a password. The company says on its website that it uses these documents to verify the ages of models with whom users communicate.

London Police Amp Up Surveillance With Real-Time Facial Recognition

The Metropolitan Police Service announced on Friday, January 24th, that it will begin the operational use of Live Facial Recognition (LFR) technology. The use of live facial recognition technology will be intelligence-led and deployed to specific locations in London. This will help tackle serious crime, including serious violence, gun and knife crime, child sexual exploitation and help protect the vulnerable. The technology, from NEC, provides police officers with an additional tool to assist them in doing what officers have always done -- to try to locate and arrest wanted people.

OSINT

Pokémon GO OSINT Techniques: Part II

Secjuice has posted another article detailing tracking down Pokemon GO users with OSINT.

Malware

Authorities arrest 3 Indonesian hackers behind many Magecart attacks

The Indonesian National Police, in a joint press conference with Interpol, announced the result of an investigation dubbed 'Operation Night Fury' that led to the arrest of three hackers who carried out Magecart attacks to steal payment card data. According to the authorities, the hackers had compromised at least 12 e-commerce websites, but the trio may be involved in a larger number of attacks.

Mozilla has banned nearly 200 malicious Firefox add-ons over the last two weeks

Over the past two weeks, Mozilla's add-on review team has banned 197 Firefox add-ons that were caught executing malicious code, stealing user data, or using obfuscation to hide their source code. The add-ons have been banned and removed from the Mozilla Add-on (AMO) portal to prevent new installs, and they've also been disabled in the browsers of the users who already installed them. The bulk of the ban was levied on 129 add-ons developed by 2Ring, a provider of B2B software. The ban was enforced because the add-ons were downloading and executing code from a remote server.

Leaks

Tout - 652,683 breached accounts

In approximately September 2014, the now defunct social networking service Tout suffered a data breach. The breach subsequently appeared years later and included 653k unique email addresses, names, IP addresses, the location of the user, their bio and passwords stored as bcrypt hashes.

Hardening

Does Your Domain Have a Registry Lock?

If you're running a business online, few things can be as disruptive or destructive to your brand as someone stealing your company's domain name and doing whatever they wish with it. Even so, most major website owners aren't taking full advantage of the security tools available to protect their domains from being hijacked. Here's the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers.