Table of Contents

  1. Malware
    1. Bitbucket Abused to Infect 500,000+ Hosts with Malware Cocktail
    2. Microsoft detects 77,000 active web shells on a daily basis
    3. Emotet Gets Ready for Tax Season With Malicious W-9 Forms
    4. HorseDeal Riding on The Curveball!
  2. Reverse engineering
    1. MindShaRE: Dealing with encrypted router firmware
    2. Reverse engineering my router's firmware with Binwalk
  3. Privacy
    1. Google, YouTube and Venmo Send Cease-and-Desist Letters To Facial Recognition App That Helps Law Enforcement
    2. Google has a backdoor to track individual users per Chrome installation ID
    3. When Your Used Car is a Little Too ‘Mobile’
    4. Brave uncovers widespread surveillance of UK citizens on UK council websites
    5. What to know before you buy or install an Amazon Ring camera
  4. Vulnerabilities
    1. Critical Android Bluetooth Flaw Exploitable without User Interaction
    2. SurfingAttack: Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Wave
    3. Report: Iowa Caucus App Vulnerable to Hacking
    4. Bug in Philips Smart Light Allows Hopping to Devices on the Network
    5. WhatsApp Bug Allowed Attackers to Access the Local File System
    6. 0day vulnerability in firmware for HiSilicon-based DVRs, NVRs and IP cameras
    7. Bicycle Attacks: Quantifying the Damage of Widespread Password Length Leakage
    8. Wacom drawing tablets track the name of every application that you open
  5. Ransomware
    1. Ransomware Exploits GIGABYTE Driver to Kill AV Processes
    2. Mailto (NetWalker) Ransomware Targets Enterprise Networks
  6. Phishing
    1. Charming Kitten Hackers Impersonate Journalist in Phishing Attacks
    2. How Twitter's Default Settings Can Leak Your Phone Number
  7. Politics
    1. UK to host spyware firm accused of aiding human rights abuses
    2. Twitter Will Ban Deepfakes and Other Manipulated Media That Could Cause 'Serious Harm'
    3. Google Releases a Tool To Spot Faked and Doctored Images
    4. FBI Warns of DDoS Attack on State Voter Registration Site
  8. Leaks
    1. Medicaid CCO Vendor Breach Exposes Health, Personal Info of 654K


Malware

Bitbucket Abused to Infect 500,000+ Hosts with Malware Cocktail

Attackers are abusing the Bitbucket code hosting service to store seven types of malware threats used in an ongoing campaign that has already claimed more than 500,000 business computers across the world. Systems falling victim to this attack would get infected with multiple payloads that steal data, mine for cryptocurrency, and culminate with delivering STOP ransomware. For this campaign, the attackers use several Bitbucket accounts to host commodity malware that receives frequent updates, security researchers from cybersecurity company Cybereason discovered. Looking at three Bitbucket repositories linked to each other by the same malware strains with the same names, the researchers noticed that sometimes the threat actor added updates as often as every three hours. In some of the accounts, the download count for some malware was in the tens of thousands. The researchers estimate that more than 500,000 machines have been infected during this campaign, hundreds of them being compromised every hour. Exhausting all money-making opportunities from a compromised host is a practice cybercriminals have exercised for a long time. Information can be sold on underground forums, cryptocurrency wallets can be depleted, and miners can mint digital coins. When there is nothing to steal from the infected system, attackers deploy ransomware for one last attempt to make a profit. In this case, STOP ransomware can also download other malware, prolonging the compromise.

Microsoft detects 77,000 active web shells on a daily basis

Microsoft published an interesting report that investigates web shell attacks; the IT giant says it detects 77,000 active web shells daily. A web shell is a piece of code, often written in typical web development programming languages (e.g., ASP, PHP, JSP), that attackers implant on web servers to gain remote access and code execution. Microsoft observed several threat groups, including ZINC, KRYPTON, and GALLIUM, using these malicious codes in their campaigns. Threat actors typically exploit known issues in web applications to compromise web servers and install the web shells. One of the most widely adopted web shells is China Chopper, which was employed in numerous cyberespionage campaigns carried out by China-linked APT groups.

Emotet Gets Ready for Tax Season With Malicious W-9 Forms

The Emotet Trojan is getting ready for the tax season with a fresh spam campaign pretending to be signed W-9 tax forms. This is the case with a new campaign discovered by email security company Cofense, where the Emotet operators are sending spam pretending to be a requested signed W-9 tax form. With 2019 behind us, accounting departments are starting to issue tax forms needed for preparing the 2019 tax returns. As part of this process, companies request a signed W-9 form from their clients, independent contractors, and other people they do business with. This new Emotet spam campaign captures this feeling perfectly by using brief emails with a simple "Please see attached" and a fake W-9.doc attachment. Once enabled, though, malicious macros will fire off and launch a PowerShell command to install and execute the Emotet Trojan on the recipient's computer. This spam campaign is not particularly sophisticated, but Cofense believes that these campaigns will get more sophisticated as we get further into the tax season.

HorseDeal Riding on The Curveball!

It's surprising to see how quickly attackers make use of new vulnerabilities in malware campaigns. Microsoft recently patched a very interesting vulnerability in their monthly Patch Tuesday update for January 2020. It's a spoofing vulnerability in the Windows CryptoAPI (Crypt32.dll) validation mechanism for Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed certificate to sign a malicious executable, making it appear as if the file was from a trusted, legitimate source. The end-user would have no way of knowing that the file was malicious. As almost all users and many security vendors rely on the Digital Certificates of executable files to validate the genuineness and authenticity of files, this vulnerability poses a big threat to the basic trust mechanism itself. This vulnerability is being referred to as "Curveball" and "Chain of Fools". A new ransomware, HorseDeal, is leveraging this vulnerability and making use of a spoofed ECC certificate to evade detections.

Reverse engineering

MindShaRE: Dealing with encrypted router firmware

Zero Day Initiative has posted a blog article on how to deal with encrypted router firmware, when Binwalk isn't giving any results.

Reverse engineering my router's firmware with Binwalk

Sergio Prado wrote a nice blog post showing the basics of using Binwalk to reverse engineer a router firmware image.


Privacy

Google, YouTube and Venmo Send Cease-and-Desist Letters To Facial Recognition App That Helps Law Enforcement

Google, YouTube and Venmo have sent cease-and-desist letters to Clearview AI, a facial recognition app that scrapes images from websites and social media platforms, CBS News has learned. The tech companies join Twitter, which sent a similar letter in January trying to block the app from taking pictures from their platforms. The app is only available to law enforcement to be used to identify criminals, Ton-That said. But YouTube, which is owned by Google, as well as Venmo and Twitter, say the company is violating their policies.

Google has a backdoor to track individual users per Chrome installation ID

What hasn't been clear until recently is how Google is using the Chrome web browser to track individuals, even when ad blocking and in-built tracking prevention are enabled. The first wave of web tracking worked via cookies. Each visitor to a page would be given a unique ID which would be stored within a browser cookie. With the first and second tracking approaches no longer as effective, Google has decided to up the ante and deploy tracking directly via its Chrome browser. Depending on which settings you configure, the unique ID may be longer or shorter. The evil next step is that this unique ID is then sent (in the "x-client-data" field of a Chrome web request) to Google every time the browser accesses a Google web property. Unfortunately for users of Google Chrome, this third wave tracking identifier will not be removed by using VPNs or Chrome-based ad blockers. For a user who wants online privacy, the only option is to use a web browser whose creators aren't funded via advertising. If you're still using Google Chrome, it's time to switch to a browser that isn't built to monetize your privacy.

When Your Used Car is a Little Too ‘Mobile’

Many modern vehicles let owners use the Internet or a mobile device to control the car's locks, track location and performance data, and start the engine. But who exactly owns that control is not always clear when these smart cars are sold or leased again. Here's the story of one former electric vehicle owner who discovered he could still gain remote, online access to his old automobile years after his lease ended. Mathew Marulla began leasing a Ford Focus electric vehicle in 2013, but turned the car back in to Ford at the end of his lease in 2016. So Marulla was surprised when he recently received an email from stating that the clock in his car was set incorrectly. "A master reset cleans phone data and removes previous Ford Pass and My Ford Mobile connections," the company said in a statement released to KrebsOnSecurity. And if you're thinking of selling your car, it's a good idea to clear your personal data from the vehicle first. "For example, your old car may still be connected to subscription services like satellite radio, mobile Wi-Fi hotspots, and data services."

Brave uncovers widespread surveillance of UK citizens on UK council websites

A new report from Brave reveals that people seeking help for addiction, disability, and poverty on council websites are profiled by private companies in the UK. Brave announces Surveillance on UK council websites, a study of private companies' data collection on council websites across the United Kingdom. Brave has uncovered widespread surveillance of UK citizens by private companies embedded on UK council websites. "Surveillance on UK council websites", a new report from Brave, reveals the extent of private companies' surveillance of UK citizens when they seek help for addiction, disability, and poverty from their local government authorities.

What to know before you buy or install an Amazon Ring camera

With a Ring camera, Amazon employees have access to the cloud where your footage is stored - and a few have already been fired for unauthorized access to people's personal videos. Knowing all this, would you be comfortable if other houses - perhaps across the street from your own - had a Ring camera pointing at you? The idea that Ring cameras prevent crime is based on the idea that a potential burglar will see the Ring doorbell, recognize it, and then decide to turn around. Amazon's Ring doorbell has rolled out a new update that lets users add and remove shared users on an account, restrict third-party access, view two-factor authentication settings, and (perhaps, most importantly) opt out of all video request notifications from law enforcement.


Vulnerabilities

Critical Android Bluetooth Flaw Exploitable without User Interaction

Android users are urged to apply the latest security patches released for the operating system on Monday that address a critical vulnerability in the Bluetooth subsystem. An attacker could leverage the security flaw, now identified as CVE-2020-0022, without user participation to run arbitrary code on the device with the elevated privileges of the Bluetooth daemon when the wireless module is active. According to Ruge, attackers could use this security fault to spread malware from one vulnerable device to another, like a worm. The Android security bulletin notes that CVE-2020-0022 "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process." The only prerequisite for taking advantage of the issue is knowing the Bluetooth MAC address. "For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address," says the researcher on the blog site of German IT security consultant ERNW. On Android 10, the severity rating drops to moderate since all it does is crash the Bluetooth daemon, the researcher says. Android versions earlier than 8.0 may also be affected but the impact on them has not been assessed. Despite a patch being available, OEM vendors and mobile carriers also have to push it to user terminals. If a patch does not become available, Ruge recommends enabling Bluetooth only "if strictly necessary."

SurfingAttack: Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Wave

SurfingAttack exploits ultrasonic guided wave propagating through solid-material tables to attack voice control systems. By leveraging the unique properties of acoustic transmission in solid materials, we design a new attack called SurfingAttack that would enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight. By completing the interaction loop of inaudible sound attack, SurfingAttack enables new attack scenarios, such as hijacking a mobile Short Message Service (SMS) passcode, making ghost fraud calls without owners' knowledge, etc.

Report: Iowa Caucus App Vulnerable to Hacking

A review by two computer security experts of the mobile app that malfunctioned during Iowa's critical tally of the Democratic Party's caucus has uncovered that it insecurely sends data, ProPublica reports. Veracode found that the app was vulnerable to hacking "because of a lack of safeguards, transmissions to and from the phone were left largely unprotected," it reported. But its founder, Gerard Niemira, told ProPublica that "our app underwent multiple, rigorous tests by a third party." Motherboard reports that Shadow Inc. has shut down the back-end servers and the app is no longer being used. Iowa's Democratic Party caucus was thrown into chaos after the mobile app deployed among precinct workers failed because of a variety of technical problems. The app was designed as a faster way to report results, rather than over the phone, as had been the tradition. Once the bug was fixed, it was then capable of sending data to the Democratic Party's data warehouse. Iowa's Democratic Party didn't entirely rely on the app to tally preferences. Insecure data transmission could mean that the app didn't use HTTPS encryption, which encrypts data traffic between a device and a server. Halderman tells ProPublica that "an adversary could exploit it to intercept and change caucus results as they were being submitted through the app."

Bug in Philips Smart Light Allows Hopping to Devices on the Network

Security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network. The security flaw is in the ZigBee wireless communication protocol that is used by a wide range of smart home devices. Tracked as CVE-2020-6007, the bug has a severity score of 7.9 out of 10. It is a heap buffer overflow that can be exploited remotely in Philips Hue Bridge model 2.x to execute arbitrary code. Security researchers at Check Point discovered the issue and developed an attack that allowed them to hack into other devices on the same network as the vulnerable Philips Hue bulb. They started by fitting the smart light with malicious firmware. Then they moved to take control of the bulb's control bridge by triggering a heap buffer overflow in it. According to the researchers, an attacker can jump to other systems on the network using known exploits, such as the infamous EternalBlue. Otherwise, they can check if a new firmware release is available from the Settings menu of the Hue app. Full technical details for this attack will emerge in the near future, to give enough time for a significant number of Philips Hue customers to install the latest firmware.

WhatsApp Bug Allowed Attackers to Access the Local File System

Facebook patched a critical WhatsApp vulnerability that would have allowed potential attackers to read files from a user's local file system, on both macOS and Windows platforms. "A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading," Facebook's security advisory explains. "Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message." All WhatsApp Desktop versions before v0.3.9309 are affected by this issue when paired with WhatsApp for iPhone versions prior to 2.20.10. The vulnerability tracked as CVE-2019-18426 received an 8.2 high severity CVSS 3.x base score, but, although it could be exploited remotely, it also required user interaction for exploit attempts to be successful. While investigating his discovery, Weizman was able to gain read permissions on the local file system on both Windows and macOS WhatsApp desktop apps. "I did however demonstrated how I use fetch() API, for example, to read files from the local OS like the content of C:\Windows\System32\drivers\etc\hosts file in this case," Weizman added. Such attacks would be possible by simply modifying the JavaScript code of a single message prior to delivery to its recipient. For reference, WhatsApp has over 1.5 billion monthly active users, so attacks could be executed on a large scale resulting in grave implications, Safruti added.

0day vulnerability in firmware for HiSilicon-based DVRs, NVRs and IP cameras

This is a full disclosure of a recent backdoor integrated into DVR/NVR devices built on top of HiSilicon SoCs. The described vulnerability allows an attacker to gain root shell access and full control of the device. The full disclosure format for this report has been chosen due to lack of trust in the vendor. Proof of concept code is already published. It's worth noting that the disclosure was ignored by the vendor. More recent firmware versions had telnet access and the debug port (9527/tcp) disabled by default. Possible effects of that (potential) failure weren't explored because the macGuarder/dvrHelper backdoor functionality appears to be a strictly superior and more straightforward approach. The report also outlines differences between the 3DES cipher variant used by HiSilicon for backdoor authentication and the original 3DES cipher.

Bicycle Attacks: Quantifying the Damage of Widespread Password Length Leakage

Researchers examine the issue of password length leakage via encrypted traffic, i.e., bicycle attacks. They aim to quantify both the prevalence of password length leakage bugs as well as the potential harm to users. In an observational study, most of the Alexa top 100 rated sites are vulnerable to bicycle attacks, meaning that an eavesdropping attacker can infer the exact length of a password based on the length of the encrypted packet containing the password. In this analysis, three different levels of password attackers are considered: hacker, criminal and nation-state. In all cases, an attacker who knows the length of each user password gains a significant advantage over one who does not know the password length.

Wacom drawing tablets track the name of every application that you open

The author of this blog post has analyzed the traffic generated by Wacom tablets and what kind of information is collected from the users of the tablet.


Ransomware

Ransomware Exploits GIGABYTE Driver to Kill AV Processes

The attackers behind the RobbinHood Ransomware are exploiting a vulnerable GIGABYTE driver to install a malicious and unsigned driver into Windows that is used to terminate antivirus and security software. Most Windows security software processes are protected from being terminated by regular processes and can only be terminated by Kernel drivers, which have the highest permission possible in Windows. In a new report, Sophos researchers have seen the RobbinHood attackers installing a known vulnerable GIGABYTE driver that has been cosigned by Microsoft and exploiting its vulnerability to disable Microsoft's driver signature enforcement feature. Once disabled, they can install a custom malicious kernel driver that is used to terminate antivirus and security software processes.

Mailto (NetWalker) Ransomware Targets Enterprise Networks

With the high ransom prices and big payouts of enterprise-targeting ransomware, we now have another ransomware known as Mailto or Netwalker that is compromising enterprise networks and encrypting all the Windows devices connected to it. In August 2019 a new ransomware was spotted in ID Ransomware that was named Mailto based on the extension that was appended to encrypted files. It was not until today, when the Australian Toll Group disclosed that their network was attacked by the Mailto ransomware, that we discovered that this ransomware is targeting the enterprise. In a recent sample of the Mailto ransomware shared with BleepingComputer by MalwareHunterTeam, the executable attempts to impersonate the 'Sticky Password' software. This ransomware is still being analyzed and it is not known if there are any weaknesses in the encryption algorithm that can be used to decrypt files for free.


Phishing

Charming Kitten Hackers Impersonate Journalist in Phishing Attacks

A hacker group linked with the Iranian government attempted to steal email login information from their targets through fake interview requests and impersonating a New York Times journalist. Aimed at journalists, activists, people in academia, and prominent Iranians living outside the country, the phishing attacks are the work of Charming Kitten, also known as Phosphorus, APT35, or Ajax Security Team. To gain the trust of their victims, the messages from Charming Kitten pretended to come from Farnaz Fassihi, a New York Times journalist with over 17 years of experience. Previously, she was a senior writer for the Wall Street Journal and covered conflicts in the Middle East. The ruse was an interview invitation that included an incorrect detail that stood out: posing as Fassihi, the threat actor mentioned that the Wall Street Journal (WSJ) was the journalist's current employer. However, the download button redirected to a phishing kit that collected email login info and the two-factor authentication code. Charming Kitten used this method in the past to steal verification codes from Google sent via SMS. Certfa researchers say that this campaign also revealed a new piece of malware from Charming Kitten, which changes the settings in Windows Firewall and the Registry. From their assessment, the malware is not sophisticated and functions as a backdoor the hackers can use to deploy other threats.

How Twitter's Default Settings Can Leak Your Phone Number

Twitter has publicly disclosed a security "incident" that points to long-standing problems with how the service handles phone numbers. Twitter announced it had discovered and shut down "a large network of fake accounts" that were uploading large numbers of phone numbers and using tools in Twitter's API to match them to individual usernames. This type of activity can be used to build a reverse-lookup tool, to find the phone number associated with a given username. It turns out at least one of those people uploading massive lists of phone numbers was a security researcher, whose findings TechCrunch reported on in December. Problems with tools that allow users to find accounts using the phone numbers associated with them are not new at Twitter (or at Facebook, for that matter). That's why Twitter needs to stop pressuring users to add their phone numbers to their profiles and stop making those phone numbers discoverable by default. The problem is that, if Twitter wants to connect you with your friends via their phone numbers, it needs to offer an API to support it.


Politics

UK to host spyware firm accused of aiding human rights abuses

The NSO Group is due to be an exhibitor at the three-day fair, where police and security officials from abroad can browse commercial stalls selling surveillance and crowd-control equipment. The identities of this year's delegations are not known as they are usually announced on the opening day of the fair. NSO has faced allegations that its technology is used to target human rights activists and reporters around the world. At least three UK residents are among those who are alleged to have been targeted using spyware sold by NSO. Last week Reuters reported that the FBI was examining whether NSO technology was used against Americans. The annual trade fair is organized by the Home Office and the Department for International Trade. The NSO Group has attended previously. In its promotional material for the fair, the NSO Group calls itself a "global leader in the world of cyber-intelligence, data acquisition and analysis". There are three cases of NSO technology allegedly being used to target British residents. NSO has said its technology is only intended to be used to fight crime and terrorism.

Twitter Will Ban Deepfakes and Other Manipulated Media That Could Cause 'Serious Harm'

On Tuesday, Twitter announced changes to its synthetic and manipulated media policy, which it defines as any photo, audio, or video that's been "significantly altered or fabricated" to mislead people or change the original meaning of the content. Under the new rules, Twitter will remove this kind of media if the company finds it likely to cause serious harm - such as content that threatens people's physical safety or could cause widespread civil unrest. If Twitter doesn't think manipulated media posts are likely to cause harm, it may still label the tweets as containing manipulated media, warn users who try to share them, and deprioritize the content in users' feeds. The changes will take place on March 5th. Recode reports:

Google Releases a Tool To Spot Faked and Doctored Images

Jigsaw, a technology incubator at Google, has released an experimental platform called Assembler to help journalists and front-line fact-checkers quickly verify images. MIT Technology Review reports: Assembler is a good step in fighting manipulated media - but it doesn't cover many other existing manipulation techniques, including those used for video, which the team will need to add and update as the ecosystem keeps evolving, the report notes. It also still exists as a separate platform from the channels where doctored images are usually distributed. Experts have recommended that tech giants like Facebook and Google incorporate these types of detection features directly into their platforms. That way such checks can be performed in close to real time as photos and videos are uploaded and shared.

FBI Warns of DDoS Attack on State Voter Registration Site

The US Federal Bureau of Investigation (FBI) warned of a potential Distributed Denial of Service (DDoS) attack that targeted a state-level voter registration and information site in a Private Industry Notification (PIN) released today. The FBI received reporting indicating a state-level voter registration and voter information website received anomalous Domain Name System (DNS) server requests consistent with a Pseudo Random Subdomain (PRSD) attack, according to the FBI PIN seen by BleepingComputer. PRSD attacks are a type of DDoS attack used by threat actors to disrupt DNS record lookups by flooding a DNS server with large amounts of DNS queries against non-existing subdomains. The FBI says that the state voter registration website was not affected by the DDoS siege due to properly set up rate-limiting on the target's DNS servers.
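The query pattern described above can be spotted in authoritative DNS logs before rate limits are tuned. The following is an added example, not taken from the FBI notification: the log format, the zone `example.org`, the documentation-range client addresses and all thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, namedtuple

WindowStats = namedtuple(
    "WindowStats", "start total nxdomain unique_nx_labels clients")


def build_sample_log():
    """Constructed log lines: '<epoch_seconds> <client_ip> <qname> <rcode>'."""
    lines = []
    # Window 0 (t=0..9): normal traffic for a handful of names that resolve.
    for t in range(10):
        for host in ("www", "register", "info"):
            lines.append(f"{t} 192.0.2.10 {host}.example.org NOERROR")
    # A legitimate typo yields one isolated NXDOMAIN.
    lines.append("5 192.0.2.11 wwww.example.org NXDOMAIN")
    # Window 1 (t=10..19): never-repeating labels, none of which exist.
    for i in range(200):
        label = format(i * 2654435761 % 2**32, "08x")  # pseudo-random label
        client = f"198.51.100.{i % 50 + 1}"
        lines.append(f"{10 + i % 10} {client} {label}.example.org NXDOMAIN")
    # Legitimate lookups continue during the flood.
    for t in range(10, 20):
        lines.append(f"{t} 192.0.2.10 www.example.org NOERROR")
    return lines


def window_stats(lines, zone, window_s=10):
    """Aggregate subdomain queries for `zone` into fixed time windows."""
    suffix = "." + zone.lower().rstrip(".")
    buckets = defaultdict(
        lambda: {"total": 0, "nx": 0, "labels": set(), "clients": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if not qname.endswith(suffix):
            continue  # other zones and the bare apex are out of scope
        try:
            start = int(ts) // window_s * window_s
        except ValueError:
            continue
        b = buckets[start]
        b["total"] += 1
        b["clients"].add(client)
        if rcode == "NXDOMAIN":
            b["nx"] += 1
            b["labels"].add(qname[:-len(suffix)])
    return [WindowStats(s, b["total"], b["nx"], len(b["labels"]),
                        len(b["clients"]))
            for s, b in sorted(buckets.items())]


def detect_prsd(lines, zone, window_s=10, min_queries=100,
                min_nx_ratio=0.8, min_unique_ratio=0.9):
    """Flag windows that are high-volume, mostly NXDOMAIN, and made up of
    labels that almost never repeat (the PRSD signature)."""
    flagged = []
    for w in window_stats(lines, zone, window_s):
        if w.total < min_queries or w.nxdomain == 0:
            continue
        nx_ratio = w.nxdomain / w.total
        unique_ratio = w.unique_nx_labels / w.nxdomain
        if nx_ratio >= min_nx_ratio and unique_ratio >= min_unique_ratio:
            flagged.append(w)
    return flagged


if __name__ == "__main__":
    for w in detect_prsd(build_sample_log(), "example.org"):
        print(f"window {w.start}s: {w.total} queries, {w.nxdomain} NXDOMAIN, "
              f"{w.unique_nx_labels} unique labels, {w.clients} clients")
```

The label-uniqueness test is what separates this pattern from a single broken client retrying one missing name, which also produces a high NXDOMAIN ratio.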


Leaks

Medicaid CCO Vendor Breach Exposes Health, Personal Info of 654K

Medicaid coordinated care organization (CCO) Health Share of Oregon disclosed a data breach exposing the health and personal info of 654,362 individuals following the theft of a laptop owned by its transportation vendor GridWorks IC. The non-profit organization is Oregon's largest Medicaid CCO and it serves the Oregon Health Plan (Medicaid) members in Clackamas, Multnomah, and Washington counties. On January 2, 2020, Health Share of Oregon learned that the personal information of its members was located on a laptop stolen from GridWorks IC, Health Share's contracted non-emergent medical transportation (Ride to Care) vendor, says the CCO. The stolen laptop includes several types of member information including members' names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers. According to Health Share's statement, the personal health histories of its members were not exposed as part of this incident.