Table of Contents

  1. Politics
    1. NSA Phone Surveillance Program Cost $100 Million, Yielded One Major Investigation
    2. Russia Is Trying to Tap Transatlantic Cables
    3. Internal Docs Show Why the US Military Publishes North Korean and Russian Malware
  2. Exploit development
    1. Exploit published OpenSMTPD 6.6.3 - remote arbitrary file read
    2. Bypass Windows 10 User Group Policy (and more) with this One Weird Trick
    3. Open Security Training
  3. Privacy
    1. Mozilla Enables DNS-over-HTTPS by Default for All USA Users
    2. Facebook would have to pay $3.50 per month to U.S. users for contact info: study
    3. Microsoft apparently removing ‘Offline Accounts’ for international Windows users
    4. A Group of Ex-NSA and Amazon Engineers Are Building a 'GitHub For Data'
  4. Vulnerabilities
    1. Hackers Could Shut Down Satellites or Turn Them into Weapons
    2. LTE security flaw can be abused to take out subscriptions at your expense
    3. FIDO2 security key company publishes results of internal security audit
  5. Breaches
    1. ISS World Hit with Malware Attack that Shuts Down Global Computer Network
    2. Lawsuit Claims HIV Data Exposed in Leak
    3. Data Breach Occurs at Agency in Charge of Secure White House Communications
    4. Hacking of Accounting Firm Affects Medical Group
    5. Mapping MITRE ATT&CK to the Equifax Indictment
  6. Ransomware
    1. DoppelPaymer Ransomware Launches Site to Post Victim's Data
  7. IoT
    1. Petnet's Smart Pet Feeder Goes Offline For a Week, Can't Answer Customers At All
  8. Phishing
    1. SMS Phishing Campaign Used to Spread Emotet: Report
  9. Digital rights
    1. EFF Calls For Disclosure of Secret Financing Details Behind $1.1 Billion .ORG Sale, Asks FTC To Scrutinize Deal
    2. Social media disrupted in Togo on election day
  10. Crime
    1. Paypal disaster worse than expected
    2. Drug Dealer Loses $58M in Bitcoin After Landlord Accidentally Throws Codes Out
  11. Malware
    1. ObliqueRAT, a new malware employed in attacks on government targets in Southeast Asia
    2. Google Cleans Play Store of Nearly 600 Apps for Ad Policy Violation

Politics

NSA Phone Surveillance Program Cost $100 Million, Yielded One Major Investigation

A National Security Agency (NSA) surveillance program that accessed American citizens' domestic phone calls and text messages resulted in only one investigation between 2015 and 2019 despite costing $100 million, a newly declassified study found. The report, which was produced by the Privacy and Civil Liberties Oversight Board and briefed to Congress on Tuesday, also found that the program only yielded information the FBI did not already have on two occasions during that four-year period. "Based on one report, F.B.I. vetted an individual, but, after vetting, determined that no further action was warranted," the report said, according to The New York Times. "The second report provided unique information about a telephone number, previously known to U.S. authorities, which led to the opening of a foreign intelligence investigation." The report contains no further details of the investigation in question or its outcome.

Russia Is Trying to Tap Transatlantic Cables

The Times of London is reporting that Russian agents are in Ireland probing transatlantic communications cables. Ireland is the landing point for undersea cables which carry internet traffic between America, Britain and Europe. The cables enable millions of people to communicate and allow financial transactions to take place seamlessly. Garda and military sources believe the agents were sent by the GRU, the military intelligence branch of the Russian armed forces which was blamed for the nerve agent attack in Britain on Sergei Skripal, a former Russian intelligence officer.

Internal Docs Show Why the US Military Publishes North Korean and Russian Malware

Newly released and previously secret documents explain in greater detail how, and why, a section of the U.S. military decides to publicly release a steady stream of adversary countries' malware, including hacking tools from North Korea and Russia. Cyber Command, or CYBERCOM, publishes the malware samples on VirusTotal, a semi-public repository that researchers and defenders can then pore over to make systems more secure. The documents give more insight into how the U.S. military is engaged in an unusually public-facing campaign, and in particular highlight one of the reasons CYBERCOM wants to release other nations' hacking tools: to make it harder for enemy hackers to remain undetected. A previously secret section of one of the CYBERCOM documents reads "Posting malware to VT [VirusTotal] and Tweeting to bring attention and awareness supports this strategy by putting pressure on malicious cyber actors, disrupting their efforts." Motherboard obtained the redacted documents through a Freedom of Information Act (FOIA) request to CYBERCOM.

Exploit development

Exploit published OpenSMTPD 6.6.3 - remote arbitrary file read

After patches were released, Qualys published the exploit source code, which you can check out here.

Bypass Windows 10 User Group Policy (and more) with this One Weird Trick

A Tenable researcher wrote a blog post about abusing a Windows feature to bypass User Group Policy (and to do a few other interesting things). Bypassing User Group Policy is not the end of the world, but it is also not something that should be allowed, and depending on how Group Policy is set up it could lead to unfortunate security scenarios. The technique was tested against Windows 7 and Windows 10 Enterprise x64 (build 18363, version 1909) and does not require admin access.

Open Security Training

I've just found out about this website, and it looks amazing, with high-quality materials. In the spirit of OpenCourseWare and the Khan Academy, OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long. All material is licensed under an open license such as Creative Commons, allowing anyone to use the material however they see fit, so long as they share modified works back to the community.

Privacy

Mozilla Enables DNS-over-HTTPS by Default for All USA Users

Starting now, Mozilla has begun to enable DNS-over-HTTPS (DoH) by default for users in the USA, to provide encrypted DNS resolution and increased privacy. "Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users." When enabled, Firefox uses the Cloudflare DNS provider by default, but users can switch to NextDNS or a custom provider in the Firefox network options. When Mozilla's plans were first announced, they were met with criticism because Cloudflare was the only DoH provider Firefox used, which left security researchers, privacy advocates and admins concerned that so much user data would now be in the hands of a single DNS provider. To address these concerns, users can choose a custom DoH provider or disable DoH entirely, and in Firefox 73 Mozilla added NextDNS as an additional DoH provider to give users more choice.
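To see what a DoH client such as Firefox actually sends to a resolver, and what the resolver learns, here is an added example of the RFC 8484 exchange. It is not Mozilla's or Cloudflare's code: it builds the DNS query message, wraps it in a DoH GET URL, and parses a reply. No network is used; the reply is a constructed message produced by build_response(), and the resolver URL is an assumed example endpoint.

```python
"""DNS-over-HTTPS (RFC 8484) on the wire, both directions, offline."""
import base64
import struct

RESOLVER = "https://mozilla.cloudflare-dns.com/dns-query"  # assumed example endpoint
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels: length-prefixed, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Plain DNS query. RFC 8484 sec. 4.1 asks DoH clients to use ID 0 so
    identical queries give identical, cacheable messages."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(name: str, resolver: str = RESOLVER) -> str:
    """GET form of RFC 8484: the whole query, base64url without padding, in
    the 'dns' parameter. Everything after '?' travels inside TLS, so an
    on-path observer sees only the resolver's host name."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={dns}"


def read_name(msg: bytes, offset: int):
    """Read a possibly compressed name (RFC 1035 sec. 4.1.4 pointers).
    Returns (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def query_name_from_url(url: str) -> str:
    """What the resolver learns: decode the 'dns' parameter back to the name."""
    param = url.split("?dns=", 1)[1]
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    name, _ = read_name(raw, 12)
    return name


def build_response(name: str, addresses, ttl: int) -> bytes:
    """Constructed resolver reply: QR=1, RD=1, RA=1, the question echoed,
    one A record per address, answer names compressed to a pointer (offset 12)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answers


def parse_response(msg: bytes):
    """Return (rcode, [(name, ttl, ipv4), ...]) for the A records in a reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == TYPE_A and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0x0F, records


if __name__ == "__main__":
    url = doh_get_url("example.com")
    print("GET", url)
    print("resolver sees:", query_name_from_url(url))
    reply = build_response("example.com", ["93.184.216.34"], 300)  # constructed reply
    print("answer:", parse_response(reply))
```

The point the exchange makes is the trade-off in the criticism above: the local network and ISP no longer see the query name, but the DoH provider sees every one of them. In Firefox the same choice is exposed in about:config as network.trr.mode (2 = DoH with fallback to the system resolver, 3 = DoH only, 5 = off) and network.trr.uri for a custom provider URL.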

Facebook would have to pay $3.50 per month to U.S. users for contact info: study

German Facebook users would want the social media platform to pay them about $8 per month for sharing their contact information, while U.S. users would seek only $3.50, according to a study of how people in various countries value their private information. The study by the U.S.-based think tank the Technology Policy Institute (TPI) is the first that attempts to quantify the value of online privacy and data. It addresses growing concern about how companies, from technology platforms to retailers, have been collecting and monetizing personal data; U.S. regulators have imposed hefty fines on Facebook Inc and Alphabet-owned Google's YouTube unit for privacy violations. "Quantifying the value of privacy is necessary for conducting any analysis of proposed privacy policies," said TPI president Scott Wallsten, the study's author. The study found that Germans want to be paid the most for letting technology platforms share their personal data with third parties, followed by U.S. consumers. By contrast, people wanted to be paid only $1.82 per month to share location data, and nothing to be sent advertisements via text messages. Latin American consumers were found to prefer seeing advertisements on their smartphones, in contrast to U.S. residents and Germans. U.S. lawmakers are working on federal privacy legislation, while states like California have put a new privacy law in place.

Microsoft apparently removing ‘Offline Accounts’ for international Windows users

Once again, Microsoft is fiddling with the local account settings in Windows 10, and this new iteration is the company's most flagrant attempt yet. Back in late 2019, Microsoft began testing a Windows 10 setup flow that drops the traditional alternative to creating a Microsoft Account (MSA) during setup, namely signing in with a local ("offline") account. Instead of being offered the option during initial setup, users are essentially forced to create an MSA and can only switch back to a local account retroactively, in Account Settings, once the OS is up and running. The other workaround to the MSA pandering is to run setup while offline, by unplugging the network cable or disabling Wi-Fi.

A Group of Ex-NSA and Amazon Engineers Are Building a 'GitHub For Data'

A group of engineers and developers with backgrounds at the National Security Agency, Google and Amazon Web Services are working on Gretel, an early-stage startup that aims to help developers safely share and collaborate on sensitive data in real time (WARNING: at the time of this writing, the TechCrunch website was using an expired certificate that had been issued for only 12 hours). TechCrunch reports: It's not as niche of a problem as you might think, said Alex Watson, one of the co-founders. Developers can face this problem at any company, he said. Often, developers don't need full access to a bank of user data; they just need a portion or a sample to work with. In many cases, developers could make do with data that merely looks like real user data. "It starts with making data safe to share," Watson said. "There's all these really cool use cases that people have been able to do with data." He said companies like GitHub, a widely used source code sharing platform, helped to make source code accessible and collaboration easy. "But there's no GitHub equivalent for data," he said.

Vulnerabilities

Hackers Could Shut Down Satellites or Turn Them into Weapons

If hackers were to take control of satellites, the consequences could be dire. On the mundane end of the scale, hackers could simply shut satellites down, denying access to their services. If hackers took control of steerable satellites, the consequences could be catastrophic: they could alter the satellites' orbits and crash them into other satellites or even the International Space Station. The article cites two precedents, a 1998 incident in which hackers reportedly took control of the U.S.-German ROSAT X-ray satellite, and a 1999 claim that hackers held the U.K.'s Skynet satellites for ransom; both stories are widely repeated but were never officially confirmed, so treat them as illustrations rather than established cases. Although the U.S. Department of Defense and National Security Agency have made some efforts to address space cybersecurity, the pace has been slow. There are currently no cybersecurity standards for satellites and no governing body to regulate and ensure their cybersecurity, which means responsibility for satellite cybersecurity falls to the individual companies that build and operate them. Given the traditionally slow pace of congressional action, a multi-stakeholder approach involving public-private cooperation may be warranted to establish cybersecurity standards.

LTE security flaw can be abused to take out subscriptions at your expense

A security vulnerability in LTE can be exploited to sign up for subscriptions or paid website services at someone else's expense, new research suggests. According to researchers from Ruhr-Universität Bochum, the flaw lies in the 4G mobile communication standard itself and permits smartphone user impersonation, which could allow attackers to "start a subscription at the expense of others or publish secret company documents under someone else's identity." The research is titled "IMP4GT: IMPersonation Attacks in 4G NeTworks", and the attack affects all devices that communicate over LTE, which includes virtually all smartphones and tablets and some Internet of Things (IoT) devices.
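The item above does not say what in the standard makes impersonation possible; the IMP4GT publication attributes it to the absence of integrity protection on LTE user-plane data, which lets an attacker relaying traffic between phone and base station rewrite encrypted packets without the key. The following added example (not the researchers' code) shows the underlying property. LTE's ciphering algorithms are stream ciphers, so this block uses a toy HMAC-based counter-mode keystream as a stand-in for them, a truncated HMAC as the integrity tag the user plane lacks, and constructed keys, counter and packet.

```python
"""Stream-cipher malleability without integrity protection, and the fix."""
import hashlib
import hmac

K_ENC = bytes(range(16))        # constructed ciphering key
K_INT = bytes(range(16, 32))    # constructed integrity key (separate from K_ENC, as in LTE)
TAG_LEN = 4                     # LTE's MAC-I is 32 bits

PACKET = b"DST=10.0.0.5 DATA=hello"   # constructed packet; DST mimics a predictable IP header field
DST_OFFSET = PACKET.index(b"10.0.0.5")


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Toy counter-mode keystream from (key, COUNT); stand-in for EEA1/2/3."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, count.to_bytes(4, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, count: int, data: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, count, len(data))))


decrypt = encrypt  # XOR is its own inverse


def flip(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Attacker step, no key needed: if the plaintext at `offset` is `known`,
    XORing known^desired into the same ciphertext bytes makes the receiver
    decrypt `desired` there instead."""
    if len(known) != len(desired):
        raise ValueError("replacement must keep the length")
    ct = bytearray(ciphertext)
    for i, (k, d) in enumerate(zip(known, desired)):
        ct[offset + i] ^= k ^ d
    return bytes(ct)


def mac(key: bytes, count: int, ciphertext: bytes) -> bytes:
    """Truncated HMAC over COUNT and ciphertext: the tag the user plane lacks."""
    return hmac.new(key, count.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()[:TAG_LEN]


def protect(k_enc: bytes, k_int: bytes, count: int, data: bytes) -> bytes:
    """Encrypt-then-MAC: what would be needed to stop the flip."""
    ct = encrypt(k_enc, count, data)
    return ct + mac(k_int, count, ct)


def unprotect(k_enc: bytes, k_int: bytes, count: int, msg: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    ct, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(k_int, count, ct)):
        raise ValueError("integrity check failed")
    return decrypt(k_enc, count, ct)


def demo():
    """Return (plaintext the network decrypts after the flip without integrity,
    whether the same flip is accepted once a tag is present)."""
    ct = encrypt(K_ENC, 7, PACKET)
    hijacked = decrypt(K_ENC, 7, flip(ct, DST_OFFSET, b"10.0.0.5", b"66.6.6.6"))
    try:
        unprotect(K_ENC, K_INT, 7,
                  flip(protect(K_ENC, K_INT, 7, PACKET), DST_OFFSET, b"10.0.0.5", b"66.6.6.6"))
        accepted = True
    except ValueError:
        accepted = False
    return hijacked, accepted


if __name__ == "__main__":
    print(demo())  # (b'DST=66.6.6.6 DATA=hello', False)
```

The attacker never learns the key or the rest of the payload; it only needs to know (or guess) what sits at a fixed offset, which IP headers make easy. Encryption alone gives confidentiality, not authenticity, and the second half of demo() is the check a protocol needs before acting on decrypted data.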

FIDO2 security key company publishes results of internal security audit

This blog post summarizes the results of a collaboration between SoloKeys and Doyensec, and publishes the full report of the security audit of SoloKeys' own FIDO2 security keys.

Breaches

ISS World Hit with Malware Attack that Shuts Down Global Computer Network

ISS, the multinational Denmark-based facility services company, was hit with malware that shut down its shared IT services worldwide. The incident cut off access to e-mail and shared IT services across customer sites of the facility-management firm. ISS was able to restore some systems early into the attack and said it initially saw no evidence that customer data had been compromised. Still, the attack left the company's 43,000 employees without access to email or other online services, according to reports. Its global workforce generally works not in offices but at client facilities, to ensure day-to-day operations run efficiently. While ISS World is not officially sharing details of the attack, some reports suggest the attackers used ransomware, noting that the immediate cut-off of online services is a typical indicator of a cyber extortion scheme.

Lawsuit Claims HIV Data Exposed in Leak

A lawsuit seeking class action status filed against UW Medicine in the wake of a data leak incident has been amended to reflect that at least one HIV patient allegedly had their data exposed. The lawsuit alleges UW Medicine, a Seattle-based academic medical system that includes several hospitals and a large physician practice, failed to properly protect PHI when it misconfigured a database, leaving nearly 974,000 patients' information exposed to the internet for several weeks. The plaintiffs are seeking "orders requiring UW Medicine to fully and accurately disclose the precise nature of data that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent similar incidents in the future."

Data Breach Occurs at Agency in Charge of Secure White House Communications

A leak at the Defense Information Systems Agency exposed personal information of government employees, including social security numbers. Hackers have compromised the Department of Defense (DoD) agency in charge of securing and managing communications for the White House, leaking personally identifiable information (PII) of employees and leading to concerns over the safety of the communications of top-level U.S. officials in the run-up to the 2020 presidential election. Reuters first reported the data breach at the Defense Information Systems Agency (DISA), part of the DoD, on Friday, citing letters seen by the news outlet that were sent to people allegedly affected by the breach.

Hacking of Accounting Firm Affects Medical Group

Accounting firm BST says some clients, including Community Care Physicians, were affected by a recent hacking incident. An apparent ransomware attack on the accounting firm in December exposed patient data of Community Care Physicians, a large upstate New York medical group, as well as data of other clients of the firm. The data dump also includes a complete list of BST's employees: names, addresses, Social Security numbers, dates of birth, phone numbers, pay rates and so on, everything someone would need to steal those employees' identities.

Mapping MITRE ATT&CK to the Equifax Indictment

On Monday, February 10th, the United States Department of Justice (DoJ) released a nine-count indictment alleging that four members of China's People's Liberation Army (PLA) were responsible for the 2017 intrusion into the credit reporting agency Equifax. Digital Shadows mapped the intrusion to the MITRE ATT&CK framework.

Ransomware

DoppelPaymer Ransomware Launches Site to Post Victim's Data

The operators of the DoppelPaymer Ransomware have followed in Maze's footsteps and launched a site called 'Dopple Leaks' that they will use to shame victims who do not pay a ransom and to publish files that were stolen before computers were encrypted. The ransomware operators state that they created the site as a threat to victims: if they do not pay, their data and names will be leaked. For years it has been an open secret that ransomware attackers look through and steal victims' files before encrypting computers, then threaten to release them; it is only recently, though, that ransomware operators have followed through on those threats. Now that they are doing so, and more ransomware operators are getting on board, companies need to be transparent about the data theft and treat these attacks as data breaches, because it is not only corporate data being stolen but also vendor and client data and the personal information of employees.

IoT

Petnet's Smart Pet Feeder Goes Offline For a Week, Can't Answer Customers At All

The app-driven, cloud-connected "smart" pet feeder from Petnet recently suffered an outage that knocked units offline for a week, leaving pets hungry and customers angry. An anonymous reader shares an excerpt from Ars Technica: Petnet began posting messages on Twitter on February 14 advising customers that some of its SmartFeeders "will appear offline," although they would still nominally work to dispense food. Of course, when something doesn't work, most people will try turning it off and on again, as that is the first-line repair for basically everything with a power switch. That, alas, was not the solution here, and Petnet explicitly advised against turning feeders off or on, adding, "We will continue to provide updates on this matter." The next update to the company's Twitter feed came four days later, on February 18, when it said it was working with a third-party service provider and would "release more information as we learn more." Finally, on February 21, a full week after users began to notice something was amiss, Petnet said it had resolved the problem and would be pushing a reset and an update to affected customers.

Phishing

SMS Phishing Campaign Used to Spread Emotet: Report

IBM researchers found an SMS phishing campaign spreading Emotet to mobile banking customers. This time, in addition to trying to steal usernames and passwords, the attackers are also attempting to install the Emotet malware. The phishing campaign apparently started earlier this year and has since slowed down, according to IBM. Earlier this month, cybersecurity firm Lookout found that nearly 4,000 mobile banking users had been targeted by an SMS phishing campaign that started in July 2019. In their report, IBM researchers attribute the increasing spread of Emotet to a group they refer to as the "Mealybug gang".

Digital rights

EFF Calls For Disclosure of Secret Financing Details Behind $1.1 Billion .ORG Sale, Asks FTC To Scrutinize Deal

The Electronic Frontier Foundation (EFF) and the Americans for Financial Reform (AFR) Education Fund called on ICANN and private equity firm Ethos Capital to make public secret details---hidden costs, loan servicing fees, and inducements to insiders---about financing the $1.1 billion sale of the .ORG domain registry. EFF and AFR today also urged the Federal Trade Commission (FTC) to review the leveraged buyout, which will have profound effects on millions of charities, public interest organizations, and nonprofits---and the consumers who rely on them---around the world. The deal would turn the .ORG registry---run for 17 years by the nonprofit Public Interest Registry (PIR) organization---into a for-profit enterprise controlled by a private equity firm that is partially funding the deal with a $360 million term loan.

Social media disrupted in Togo on election day

Network data from the NetBlocks internet observatory confirm the loss of access to social media platforms via Togo's leading operator, Togo Telecom (Togocom, AS24691), as polls closed on election day, Saturday 22 February 2020. Measurements from multiple locations show that the services were reachable during the day but became unavailable by 17:00 via the state operator. Corroboration that the internet disruption was targeted comes as AP News reports that the opposition candidate's home has been surrounded by security forces.

Crime

Paypal disaster worse than expected

The PayPal vulnerability is still not fixed, and Google Pay has deactivated PayPal as a payment method for some users. PayPal creates virtual credit cards by generating seven random digits: the new card number has the form 5356 8001 XXXX XXXY, where the Xs are those digits and Y is the Luhn check digit. The expiry date, CVC and cardholder name are not verified, and roughly 1 in 100 such numbers is assigned to a live PayPal account.
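The structure above is small enough to work through in full. The following added example (not PayPal's code) computes the Luhn digit, enumerates the whole number space the scheme can produce, and uses a constructed stand-in for the authorizing side to show the difference between verifying and not verifying expiry and CVC. The 5356 8001 prefix, the seven random digits and the 1-in-100 hit rate come from the item above; the Issuer class, its card on file and the guessing loop are assumptions made for the demonstration.

```python
"""Virtual card numbers of the form 5356 8001 XXXX XXXY, worked through."""

PREFIX = "53568001"          # fixed prefix reported on the page
RANDOM_DIGITS = 7            # digits reported to be chosen at random
CANDIDATES = 10 ** RANDOM_DIGITS


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for `payload` (every digit except the last)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):   # rightmost payload digit is doubled
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == int(number[-1])


def virtual_card(body: int) -> str:
    """Card number for a given seven-digit body."""
    payload = PREFIX + f"{body:0{RANDOM_DIGITS}d}"
    return payload + str(luhn_check_digit(payload))


def candidates(start: int = 0):
    """Every number the scheme can produce, in order: only 10**7 of them."""
    for body in range(start, CANDIDATES):
        yield virtual_card(body)


def expected_guesses(live_fraction: float) -> float:
    """Mean attempts until a guess hits a live card (geometric distribution)."""
    return 1.0 / live_fraction


class Issuer:
    """Constructed stand-in for whoever authorizes a charge."""

    def __init__(self, live: dict, verify_extra: bool):
        self.live = dict(live)          # number -> (expiry, cvc) on file
        self.verify_extra = verify_extra

    def authorize(self, number: str, expiry: str, cvc: str) -> bool:
        if not luhn_valid(number) or number not in self.live:
            return False
        if not self.verify_extra:       # the weakness reported above
            return True
        return self.live[number] == (expiry, cvc)


def guess_until_hit(issuer: Issuer, max_guesses: int):
    """Attacker knowing only the number format. Returns (number, attempts) or None."""
    for attempt, number in enumerate(candidates(), start=1):
        if attempt > max_guesses:
            return None
        if issuer.authorize(number, "01/30", "000"):   # arbitrary expiry and CVC
            return number, attempt
    return None


if __name__ == "__main__":
    live = {virtual_card(41): ("12/31", "123")}        # constructed live card
    print(guess_until_hit(Issuer(live, verify_extra=False), 1000))  # hit on attempt 42
    print(guess_until_hit(Issuer(live, verify_extra=True), 1000))   # None
    print(expected_guesses(1 / 100))                                 # 100.0
```

The Luhn digit is a checksum, not a secret: it rejects typos, but an attacker computes it for free, so the guess space is the 10**7 bodies, and at one live card per hundred numbers the expected cost of a hit is about a hundred authorization attempts. Checking expiry and CVC multiplies that cost by the size of those fields; rate-limiting failed authorizations per source is the other control that this loop shows the need for.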

Drug Dealer Loses $58M in Bitcoin After Landlord Accidentally Throws Codes Out

Between 2011 and 2012, 49-year-old Clifton Collins bought 6,000 Bitcoin using money he earned from growing and selling weed, reports The Irish Times. At the time, the cryptocurrency's price varied between $4 and $6; today it stands at over $9,700. But Collins isn't enjoying any euphoria over the windfall, because his landlord threw out his Bitcoin codes. The Irish Times reports that Collins was arrested in 2017 for growing and selling weed and was subsequently handed a five-year prison sentence. Following this, his landlord sent many of Collins' possessions to a local dump while clearing out his room. One such item was a fishing rod case, which housed a piece of A4 paper with the codes (the keys needed to spend the coins) for $58 million in Bitcoin printed on it.

Malware

ObliqueRAT, a new malware employed in attacks on government targets in Southeast Asia

Cisco Talos has recently discovered a new campaign distributing a malicious remote access trojan (RAT) family called ObliqueRAT. Cisco Talos also discovered a link between ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT sharing similar maldocs and macros. CrimsonRAT has been known to target diplomatic and government organizations in Southeast Asia. The most recent campaign started in January 2020 and is still ongoing. The threat actor uses phishing messages with weaponized Microsoft Office documents to deliver the RAT.

Google Cleans Play Store of Nearly 600 Apps for Ad Policy Violation

Google has removed nearly 600 Android apps from the Play Store for violating two ad-related policies. The penalty went further, banning the apps from the company's ad monetization platforms (Google AdMob and Google Ad Manager) and essentially cutting off any hope the authors had of earning revenue from their apps through Google. The company explains that the offending apps displayed advertisements in ways that breached its disruptive ads and disallowed interstitial policies. The two policies exist to ensure a smooth user experience and to help combat the many forms of mobile ad fraud, which includes otherwise harmless apps that break the rules. Google describes disruptive ads as ads displayed in a way that could cause the user to click them unintentionally. "Forcing a user to click an ad or submit personal information for advertising purposes before they can fully use an app is prohibited," reads the policy.