Table of Contents

  1. Politics
    1. Iran-linked APT34 group is targeting US federal workers
    2. Charges dropped against pentesters paid to break into Iowa courthouse
    3. Feds Order Massive Number Of Tech Giants To Help Hunt Down One WhatsApp Meth Dealer
    4. The Russian Government blocked ProtonMail and ProtonVPN
    5. Russia’s watchdog Roskomnadzor threatens to fine Twitter and Facebook
    6. The EARN IT Act: how to ban end-to-end encryption without banning it
    7. Winnti APT Group targeted Hong Kong Universities
    8. NSA released 136 Historical Propaganda Posters
    9. FBI Probes Use of Israeli Firm's Spyware In Personal and Government Hacks
  2. Malware
    1. Microsoft Detects New Evil Corp Malware Attacks After Short Break
    2. OpendoorCDN Magecart Skimmer Analysis Continued
    3. Pirated Software is All Fun and Games Until Your Data’s Stolen
    4. TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly
  3. Privacy
    1. Facebook pays $550m settlement for breaking Illinois data protection law
    2. Avast Stops Using Security Software to Track Browsing Data
    3. A sloppy click can exfiltrate your important data!
    4. The Guardian Privacy Policies for the 577 Companies with whom they may share your data
    5. Deanonymizing Tor Circuits
    6. FCC says wireless location data sharing broke the law
    7. Why Using WhatsApp Is Dangerous
    8. Collating Hacked Data Sets
  4. Vulnerabilities
    1. Attackers are hacking NSC Linear eMerge E3 building access systems to launch DDoS attacks
    2. Buffer overflow when pwfeedback is set in sudoers
    3. Researchers Find Some LoRaWAN Networks Vulnerable to Cyber-Attacks
    4. OpenSMTPD advisory dissected
    5. Nello One opens the door to strangers without being asked
    6. OpenWRT remote code execution via MITM due to bug in package manager
  5. Google
    1. Google Chrome Tests Replacing URLs With Search Queries in Address Bar
    2. Google releases OpenSK: a fully open-source security key implementation
  6. Scams
    1. Tech Support Scam Hitting Microsoft Edge Start Page Takes a Break
  7. Phishing
    1. Devious Spamhaus Phishing Scam Warns You're on an Email Block List
    2. Coronavirus Phishing Attacks Are Actively Targeting the US
  8. Leaks
    1. Data leak at the University of Erlangen Nuremberg
    2. Social Media Boosting Service Exposed Thousands of Instagram Passwords
  9. Crime
    1. Hackers penetrated NEC defense business division in 2016
    2. 6 Suspects Arrested in Maltese Bank Hacking Heist
  10. Apple
    1. Apple Wants To Standardize the Format of SMS OTPs (One-Time Passcodes)

Politics

Iran-linked APT34 group is targeting US federal workers

The Iran-linked APT34 group has targeted a U.S.-based research company that provides services to businesses and government organizations, according to security experts from Intezer. The phishing emails contain Excel spreadsheets that, once downloaded, at first appear to be blank. Only after victims enable macros on the spreadsheet does a survey appear, asking for instance whether they are satisfied with career-development opportunities and job-related training; in the background, unbeknownst to them, malicious Visual Basic for Applications (VBA) macro code is executed.

Charges dropped against pentesters paid to break into Iowa courthouse

Prosecutors have dropped criminal charges against two security professionals who were arrested and jailed last September for breaking into an Iowa courthouse as part of a contract with Iowa's judicial arm. The dismissal, which was announced on Thursday, is a victory not only for Coalfire Labs, the security firm that employed the two penetration testers, but the security industry as a whole and the countless organizations that rely on it. Although employees Gary DeMercurio and Justin Wynn had written authorization to test the physical security of the Dallas County Courthouse in Iowa, the men spent more than 12 hours in jail on felony third-degree burglary charges. The charges were later lowered to misdemeanor trespass.

Feds Order Massive Number Of Tech Giants To Help Hunt Down One WhatsApp Meth Dealer

As it struggles to get content from encrypted messenger apps and smartphones, the U.S. government is getting creative in how it tracks down criminal WhatsApp users, according to a search warrant uncovered by Forbes. Aside from shedding light on police data-trawling operations, these new efforts are "problematic," legal experts tell Forbes. They show that investigators are willing to test the boundaries of legality by demanding content they may not legally be allowed to collect from WhatsApp. They are then demanding data from a seemingly endless list of tech providers, from Google to any telecom company imaginable, that could feasibly help them catch a single WhatsApp user.

The Russian Government blocked ProtonMail and ProtonVPN

This week the Russian government blocked the ProtonMail end-to-end encrypted email service and the ProtonVPN VPN service. Roskomnadzor, Russia's telecommunications watchdog, explained that the services were abused by cybercriminals and that Proton Technologies refused to register them with state authorities. The Russian government asks all Internet service providers and VPN providers operating in the country to provide information about their users. "On January 29, based on the requirements of the General Prosecutor's Office of the Russian Federation, Roskomnadzor will restrict access to the mail service Protonmail.com (Switzerland)," reads a press release published by Roskomnadzor.

Russia’s watchdog Roskomnadzor threatens to fine Twitter and Facebook

Russia's telecommunications watchdog Roskomnadzor has instituted administrative proceedings against Facebook and Twitter after they refused to store data of Russian users on servers located in the country, and wants to fine both companies. "On January 31, 2020, Roskomnadzor instituted administrative proceedings against Facebook, Inc and Twitter, Inc," states the press release published by the Russian watchdog, citing 152-FZ. "Administrative proceedings were instituted on the grounds of an administrative offense in accordance with part 8 of article 13.11." Both companies could be ordered to pay a fine ranging between 1 million rubles (approximately $16,000) and 6 million rubles ($94,000).

The EARN IT Act: how to ban end-to-end encryption without banning it

There's a new bill afoot in Congress called the EARN IT Act; Bloomberg released a "discussion draft", which is available as a PDF. This bill is trying to convert your anger at Big Tech into law enforcement's long-desired dream of banning strong encryption. It is a bait-and-switch. Don't fall for it. Even if the EARN IT Act bans providers from offering end-to-end encryption, that won't keep child sex abuse material (CSAM) offenders from cloaking their activities with encryption. File encryption technology is out there, and it's been used by CSAM offenders for decades; the EARN IT Act can't change that. The bill is supposedly about CSAM, and it's not-so-secretly about encryption. The sites that are dedicated to CSAM are already directly violating federal CSAM law. However, the EARN IT Act bill would change that.

Winnti APT Group targeted Hong Kong Universities

Winnti Group has compromised computer systems at two Hong Kong universities during the Hong Kong protests that started in March 2019. Researchers from ESET discovered the attacks in November 2019 when they spotted the ShadowPad launcher malware samples on multiple devices at the two universities. The launchers were discovered two weeks after Winnti malware infections were detected in October 2019. The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

NSA released 136 Historical Propaganda Posters

Some are hilarious, some bizarre, some others involve religion for some reason, but nevertheless it's quite interesting.

FBI Probes Use of Israeli Firm's Spyware In Personal and Government Hacks

The FBI is investigating the role of Israeli spyware vendor NSO Group Technologies in possible hacks on American residents and companies as well as suspected intelligence gathering on governments, according to four people familiar with the inquiry. NSO has long maintained that its products cannot target U.S. phone numbers, though some cybersecurity experts have disputed that. Part of the FBI probe has been aimed at understanding NSO's business operations and the technical assistance it offers customers, according to two sources familiar with the inquiry. NSO is known in the cybersecurity world for its "Pegasus" software and other tools that can be delivered in several ways. The software can capture everything on a phone, including the plain text of encrypted messages, and commandeer it to record audio. The FBI has also met with Jeff Bezos's team as part of its investigation, a member of his team told Reuters. FBI leaders have indicated that they are taking a hard line on spyware vendors.

Malware

Microsoft Detects New Evil Corp Malware Attacks After Short Break

Microsoft says that an ongoing Evil Corp phishing campaign is using attachments featuring HTML redirectors to deliver malicious Excel documents, the first time the threat actors have been seen adopting this technique. Dudear (aka TA505/SectorJ04/Evil Corp), used in some of the biggest malware campaigns today, is back in operation this month after a short hiatus. Past email campaigns distributing the malware delivered the payload onto the victim's computer within the attachment or via malicious download URLs. The new phishing messages come with HTML attachments that automatically start downloading the Excel file used to drop the payload. The attackers also make use of an IP trace-back service that enables them to "track the IP addresses of machines that download the malicious Excel file."

OpendoorCDN Magecart Skimmer Analysis Continued

An Olympic ticket reseller website was infected with a Magecart-like credit card skimmer. This article is a continuation of this research, with more findings to share.

Pirated Software is All Fun and Games Until Your Data’s Stolen

It may be tempting to download the latest games or applications for free, but doing so will ultimately land you in a hotbed of trouble as your computer becomes infected with adware, ransomware, and password-stealing Trojans. The payloads have changed as software installer monetization companies have increasingly teamed up with ransomware and password-stealing Trojan developers to distribute their malware. Security researcher Benkøw has recently noticed that monetized installers pretending to be software cracks and key generators now commonly install password-stealing Trojans or remote access Trojans (RATs) when they are executed. In his tests over the past week, downloading and installing various programs promoted as game cheats, software key generators, and licensed software, he was infected with password-stealing Trojans and backdoors such as Dreambot, Glupteba, and Raccoon Stealer.

TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly

The TrickBot Trojan has switched to a new Windows 10 UAC bypass to execute itself with elevated privileges without showing a User Account Control prompt. Windows uses a security mechanism called User Account Control (UAC) that displays a prompt every time a program is run with administrative privileges. UAC bypasses are found in legitimate Microsoft Windows programs that the operating system uses to launch other programs. To avoid detection, malware developers sometimes use a UAC bypass so that the malware runs with administrative privileges without displaying a UAC prompt and alerting the user. Researchers discovered that TrickBot has now switched to a different UAC bypass that utilizes the Wsreset.exe program, a legitimate Windows program used to reset the Windows Store cache. When the command is executed, no UAC prompt is displayed, so users have no idea that a program has been run.

Privacy

Facebook pays $550m settlement for breaking Illinois data protection law

Facebook has settled a lawsuit over facial recognition technology, agreeing to pay $550m over accusations it had broken an Illinois state law regulating the use of biometric details. The settlement was quietly disclosed in the company's quarterly results, released on Wednesday evening, which showed record revenues overall at the company, but also surging costs. It is one of the largest payouts for a privacy breach in US history, a marker of the strength of Illinois's nation-leading privacy laws. Illinois heavily regulates the use of biometric identifiers, prohibiting the collection and storing of biometric information without consent from individuals. The law, passed in 2008, also requires companies to store the identifiers securely, and to delete them in a timely manner.

Avast Stops Using Security Software to Track Browsing Data

Facing intense criticism, anti-virus software maker Avast on Thursday said it will shut down Jumpshot, its data collecting side business. The Avast subsidiary has been funneling to marketers detailed internet browsing activity from the firm's security products and browser extensions. Motherboard and PCMag found that the scrubbed browsing data being sold could still be used to identify specific individuals, thus invalidating Avast's privacy assurances. According to Jumpshot's website, the software evolved over time, adding tracking tools that could collect search data, click data and purchase data from 150 websites, including Amazon, Google, Netflix and Walmart.

A sloppy click can exfiltrate your important data!

Phishing email remains one of the top malware propagation media. Researchers from QuickHeal came across an interesting phishing email containing a couple of Jumpshare links pointing to malicious components. Jumpshare is an online file sharing service, and cyber criminals often abuse such file sharing services.

The Guardian Privacy Policies for the 577 Companies with whom they may share your data

Tracking on the web has gotten out of control, and this article is proof of that. By agreeing to the Guardian privacy policy you allow them to share data about you with a bunch of companies no one knows about.

Deanonymizing Tor Circuits

Someone is trying out creative attacks aimed at deanonymizing Tor circuits, and Neal Krawetz wrote a blog post trying to understand the attack.

FCC says wireless location data sharing broke the law

Federal Communications Commission Chairman Ajit Pai told lawmakers on Friday that he intends to propose fines against at least one U.S. wireless carrier for sharing customers' real-time location data with outside parties without the subscribers' knowledge or consent. Why it matters: The FCC has been investigating for more than a year following revelations that subscriber location data from AT&T, T-Mobile and Sprint made its way to a resale market used by bounty hunters.

Why Using WhatsApp Is Dangerous

A Telegram developer has written a blog post criticizing WhatsApp's security after the Jeff Bezos hack. In my opinion Telegram is no better, using questionable cryptography and claiming it is more secure than its competitors.

Collating Hacked Data Sets

Two Harvard undergraduates completed a project where they went out on the dark web and found a bunch of stolen datasets. Then they correlated all the information, and combined it with additional, publicly available, information. No surprise: the result was much more detailed and personal.

Vulnerabilities

Attackers are hacking NSC Linear eMerge E3 building access systems to launch DDoS attacks

Hackers have already compromised more than 2,300 Linear eMerge E3 building access systems by exploiting a severe vulnerability (CVE-2019-7256) that has yet to be fixed. The Linear eMerge E3 smart building access systems are designed by Nortek Security & Control (NSC), and attackers are actively scanning the internet for vulnerable devices. Researchers from SonicWall revealed that the hackers are attempting to compromise these systems to recruit them into a DDoS botnet. The Linear E3 devices are installed in commercial, industrial, banking, medical, retail, hospitality, and other businesses to secure their facilities and manage personnel access. In May 2019, security researcher Gjoko Krstic from Applied Risk discovered over 100 vulnerabilities in management and access control systems from four major vendors, including Nortek.

Buffer overflow when pwfeedback is set in sudoers

Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting their password. For each key press, an asterisk is printed. This option was added in response to user confusion over how the standard Password: prompt disables the echoing of key presses. While pwfeedback is not enabled by default in the upstream version of sudo, some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files. Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow. This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.
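Since the advisory says the bug has no impact unless pwfeedback is enabled, the first thing a defender wants is a quick way to tell whether a given sudoers file turns it on. The following audit script is an added example, not code from the advisory or from the sudo project. It parses Defaults lines the way sudoers does (comments stripped, backslash continuations joined, comma-separated option lists, last global setting wins, scoped Defaults such as Defaults:user counted as exposure), and the sample sudoers files inside it are constructed, not copied from any distribution.

```python
import re

# A Defaults line, optionally scoped (Defaults:user, Defaults@host,
# Defaults>runas, Defaults!command), followed by its option list.
_DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<opts>.+)$")


def _logical_lines(text):
    """Yield (line_number, line) with '#' comments removed and backslash
    continuations joined, the way sudoers itself reads the file."""
    pending, start = [], 0
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()
        if not pending:
            start = number
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        joined = " ".join(pending).strip()
        pending = []
        if joined:
            yield start, joined


def pwfeedback_status(sudoers_text):
    """Return (enabled, evidence).

    enabled is True if pwfeedback is on globally (the last global Defaults
    wins, as in sudoers) or is switched on for any user/host/runas/command
    scope. evidence lists the lines that set or cleared it. Option lists are
    split on commas, so a quoted value containing a comma would need a real
    tokenizer; this is enough for the common Defaults layouts.
    """
    global_on = False
    scoped_on = set()
    evidence = []
    for number, line in _logical_lines(sudoers_text):
        match = _DEFAULTS_RE.match(line)
        if not match:
            continue
        scope = match.group("scope") or ""
        for opt in (o.strip() for o in match.group("opts").split(",")):
            if opt == "pwfeedback":
                evidence.append(f"line {number}: Defaults{scope} enables pwfeedback")
                if scope:
                    scoped_on.add(scope)
                else:
                    global_on = True
            elif opt == "!pwfeedback":
                evidence.append(f"line {number}: Defaults{scope} disables pwfeedback")
                if scope:
                    scoped_on.discard(scope)
                else:
                    global_on = False
    return global_on or bool(scoped_on), evidence


# Constructed sample files; neither is copied from any distribution's real sudoers.
EXPOSED_SUDOERS = """\
# constructed: a default-style file with visual password feedback turned on
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        pwfeedback
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""

# The mitigation: explicitly negate the option rather than rely on the upstream default.
HARDENED_SUDOERS = EXPOSED_SUDOERS.replace("Defaults        pwfeedback",
                                           "Defaults        !pwfeedback")

if __name__ == "__main__":
    for label, text in [("exposed", EXPOSED_SUDOERS), ("hardened", HARDENED_SUDOERS)]:
        enabled, why = pwfeedback_status(text)
        print(f"{label}: pwfeedback enabled={enabled} {why}")
```

Run it against `/etc/sudoers` and every file under `/etc/sudoers.d/` (the script takes the file contents as a string, so concatenating them in the order sudo reads them gives the effective setting); a True result on a system that cannot yet take the fixed sudo is the cue to add `Defaults !pwfeedback`.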

Researchers Find Some LoRaWAN Networks Vulnerable to Cyber-Attacks

Security experts have published a report warning that the new and fast-rising LoRaWAN technology is vulnerable to cyberattacks and misconfigurations, despite claims of improved security rooted in the protocol's use of two layers of encryption. The LoRa protocol was developed to allow companies to connect battery-powered or other low-powered devices to the internet via a wireless connection. LoRaWAN takes the LoRa protocol and allows devices spread across a large geographical area to wirelessly connect to the internet via radio waves. LoRaWAN is particularly popular with developers of Internet of Things devices. An IoT device with a LoRaWAN client will broadcast data via radio waves to a nearby LoRaWAN gateway (in most cases, an antenna). For example, smart parking, smart lighting, traffic management, or weather monitoring devices across a "smart city" use LoRaWAN to report to a central data collection station. Many devices come with a tag displaying a QR code and/or text with the device's identifier, security keys, or more. Researchers say the tag is intended to be used in the commissioning process and removed afterward. LoRaWAN network servers may also be insecurely configured or affected by other, non-LoRaWAN vulnerabilities, allowing attackers to take over these systems.

OpenSMTPD advisory dissected

An OpenSMTPD developer wrote a blog post about the recent critical bug discovered by Qualys, how the bug was introduced, and what can be done to prevent such bugs from being introduced in the future.

Nello One opens the door to strangers without being asked

The smart door opener Nello One has major technical problems: the front door can open unintentionally, and it could take a while until the error is fixed. Owners of the Nello One should consider deactivating their device. The device does not work properly and keeps opening the door unintentionally. The error will be fixed, but it will still take some time, the provider's support said.

OpenWRT remote code execution via MITM due to bug in package manager

A bug in the package list parsing logic of OpenWrt's opkg fork caused the package manager to ignore the SHA-256 checksums embedded in the signed repository index, effectively bypassing integrity checking of downloaded .ipk artifacts. Because opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by means of forged .ipk packages carrying a malicious payload.
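The check that was silently skipped is small, and the lesson is in how it fails: a package whose index entry carries no usable digest must be refused, not installed. The following is an added example, not OpenWrt's or opkg's code. It parses a signed package index into stanzas, looks up the downloaded artifact by filename, and verifies size and SHA-256 before allowing installation. The stanza layout and the Filename/Size/SHA256sum field names are an assumption modelled on OpenWrt's package list format (the page itself does not show the format), the index and artifacts are constructed, and signature verification of the index is assumed to have already succeeded before this step.

```python
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when a downloaded artifact must not be installed."""


# Constructed artifacts standing in for downloaded .ipk files.
GOOD_ARTIFACT = b"ipk-payload"      # what the signed index was built from
TAMPERED_ARTIFACT = b"ipk-PAYLOAD"  # same size, altered on the wire

# Constructed index text. Field names are an assumption modelled on the
# OpenWrt package list; the second stanza deliberately lacks a checksum.
CONSTRUCTED_INDEX = f"""\
Package: example-tool
Version: 1.0-1
Filename: example-tool_1.0-1_all.ipk
Size: {len(GOOD_ARTIFACT)}
SHA256sum: {hashlib.sha256(GOOD_ARTIFACT).hexdigest()}
Description: A constructed example package.

Package: legacy-tool
Version: 0.9-1
Filename: legacy-tool_0.9-1_all.ipk
Size: 5
Description: A constructed entry with no checksum field.
"""


def parse_index(text):
    """Parse 'Key: value' stanzas separated by blank lines, keyed by Filename."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries


def verify_artifact(index_text, filename, artifact):
    """Return True if artifact matches its signed index entry; raise IntegrityError otherwise."""
    entry = parse_index(index_text).get(filename)
    if entry is None:
        raise IntegrityError(f"{filename}: not listed in the signed index")
    expected = entry.get("SHA256sum", "").lower()
    if len(expected) != 64:
        # Fail closed: an absent or malformed digest is a reason to refuse the
        # package, never a reason to skip the comparison.
        raise IntegrityError(f"{filename}: index entry has no usable SHA256sum")
    if "Size" in entry and int(entry["Size"]) != len(artifact):
        raise IntegrityError(f"{filename}: size {len(artifact)} != index size {entry['Size']}")
    actual = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{filename}: SHA-256 mismatch, refusing to install")
    return True


def check(index_text, filename, artifact):
    """Wrapper returning (ok, reason) so an installer can log and abort."""
    try:
        verify_artifact(index_text, filename, artifact)
        return True, "ok"
    except IntegrityError as err:
        return False, str(err)


if __name__ == "__main__":
    cases = [
        ("example-tool_1.0-1_all.ipk", GOOD_ARTIFACT),      # genuine download
        ("example-tool_1.0-1_all.ipk", TAMPERED_ARTIFACT),  # modified in transit
        ("legacy-tool_0.9-1_all.ipk", b"12345"),            # index has no digest
        ("unknown_1.0_all.ipk", b"x"),                      # not in the index at all
    ]
    for name, data in cases:
        print(check(CONSTRUCTED_INDEX, name, data))
```

The point of the `len(expected) != 64` branch is exactly the failure mode described above: a parser that drops or mis-reads the checksum field must end in a refusal, so that an on-path attacker serving a forged .ipk cannot get it installed as root simply because the digest comparison never ran.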

Google

Google Chrome Tests Replacing URLs With Search Queries in Address Bar

Google has started testing a feature that will display the search query in the Chrome address bar rather than the actual page's URL when performing searches on Google, reports Bleeping Computer: This experimental feature is called "Query in Omnibox" and has been available as a flag in Google Chrome since Chrome 71, but is disabled by default. In a test being conducted by Google, this feature is being enabled for some users and will cause the search keyword to be displayed in the browser's address bar, or Omnibox, instead of the URL that you normally see... When this feature is not enabled, Google will display the URL of the search in the Omnibox as you would expect. This allows you not only to properly identify the site you are on, but also to easily share the search with another user. It's been 18 months since Wired reported that Google "wants to kill the URL." This week now finds Bleeping Computer arguing that instead of removing URLs in one fell swoop, Google is gradually eroding the various elements of a URL until there is nothing left.

Google releases OpenSK: a fully open-source security key implementation

Today, FIDO security keys are reshaping the way online accounts are protected by providing an easy, phishing-resistant form of two-factor authentication (2FA) that is trusted by a growing number of websites, including Google, social networks, cloud providers, and many others. To help advance and improve access to FIDO authenticator implementations, Google announces the release of OpenSK, an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

Scams

Tech Support Scam Hitting Microsoft Edge Start Page Takes a Break

A sophisticated browser locker campaign that ran on high-profile pages, like Microsoft Edge's home or popular tech sites, was deactivated this week after in-depth research was published. The actors behind it used a compromised ad content supplier for top-tier distribution and combined targeted traffic filtering with steganography. As the name suggests, a browser locker (browlock) affects the web browser, making it unusable by redirecting it to a site that is difficult to close. In a tech support scam, the landing page claims that malware caused the technical difficulty and provides a phone number where victims should seek help. A browlock campaign has been hitting Microsoft users since February 2018 through malvertising on the Edge browser's start page, which is a customized version of Microsoft's MSN page. Researchers at Confiant named it WOOF locker, while Malwarebytes calls it "404Browlock," because they would see a "404 Not Found" error message when they tried to check the redirect page manually.

Phishing

Devious Spamhaus Phishing Scam Warns You're on an Email Block List

A new phishing campaign distributing malware pretends to be from the Spamhaus Project, warning that the recipient's email address has been added to a spam block list due to sending unsolicited email. The Spamhaus Project is an organization that creates spam block lists that mail servers can use to block known spammers from sending emails to recipients in their organization. If you are an email administrator, then you are most likely familiar with this organization and how removing one of your IP addresses or domains from their block list can be an arduous task, to say the least. Because of this, using Spamhaus as the theme of a phishing scam could alarm email administrators enough to cause them to hastily open the link in the email and thus become infected. These emails state that the recipient must "Urgently Take Action" because their email address has been added to the Spamhaus Block List (SBL) and will be blacklisted on mail servers unless they follow the instructions found at a listed URL.

Coronavirus Phishing Attacks Are Actively Targeting the US

Ongoing phishing campaigns use the recent Coronavirus outbreak as bait in attacks targeting individuals from the United States and the United Kingdom, impersonating the US CDC and virologists, warning of new infection cases in their area, and providing 'safety measures.' The messages were used to spread versions of the well-known Emotet malware. The targets are informed that the "CDC has established an Incident Management System to coordinate a domestic and international public health response." The phishing email itself is rather well done, so whoever is behind it modeled the email after existing CDC press releases.

Leaks

Data leak at the University of Erlangen Nuremberg

At the Chair of Health Management, personal data of over 800 students was exposed on a web server, including passwords in plain text. Small error, big effect: due to an obviously incorrect release of the main directory of a web server, personal data of over 828 students at the Friedrich Alexander University in Erlangen Nuremberg could be accessed over the Internet with a browser, without any protection. According to research by the computer magazine c't, all students of the 2018 and 2019 cohorts of the "Master of Health Business Administration" (MHBA) are affected. The two-year distance learning programme trains doctors from various clinics and pharmacists in business administration in the health sector, at a price of 6000 euros.

Social Media Boosting Service Exposed Thousands of Instagram Passwords

A social media boosting startup, which bills itself as a service to increase a user's Instagram followers, has exposed thousands of Instagram account passwords. The company, Social Captain, says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started. But TechCrunch learned this week Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform.

Crime

Hackers penetrated NEC defense business division in 2016

Japanese electronics and IT giant NEC confirmed that its defense business division suffered a security breach in December 2016. The company confirmed the unauthorized access to its internal network after Japanese newspapers disclosed the incident, citing sources informed of the event. NEC is a contractor for Japan's defense industry and has been involved in various defense projects. Roughly 28,000 files were found by the company on one of the compromised servers, some of them containing information about defense equipment. NEC announced it has taken steps to improve the security of its infrastructure and prevent future intrusions.

6 Suspects Arrested in Maltese Bank Hacking Heist

Police in the United Kingdom have arrested six suspects as part of a months-long money laundering investigation tied to the theft of €13 million ($14.4 million) from a Maltese bank. The hackers initiated transactions, moving money to bank accounts in the U.S., U.K., Czech Republic and Hong Kong, according to local media reports. About 30 minutes after it detected the fraudulent transactions, the bank suspended operations, began trying to reverse the fraudulent transfers and worked with international law enforcement partners. On Thursday, working with the Police Service of Northern Ireland, NCA agents arrested another man, age 39, in Belfast. The bank announced on Feb. 13, 2019, the day the attack occurred, that it had quickly suspended operations after it detected suspicious activity. On Feb. 14, 2019, the Bank of Valletta announced that almost all services had been restored, after rigorous overnight testing of the bank's IT systems had been successful.

Apple

Apple Wants To Standardize the Format of SMS OTPs (One-Time Passcodes)

Apple engineers have put forward a proposal to standardize the format of the SMS messages containing one-time passcodes (OTP) that users receive during the two-factor authentication (2FA) login process.