Table of Contents

  1. Vulnerabilities
    1. Ghostcat Bug Impacts All Apache Tomcat Versions Released in the Last 13 Years
    2. A mysterious bug in the firmware of Google's Titan M chip (CVE-2019-9465)
  2. Privacy
    1. Facebook's Download-Your-Data Tool Is Incomplete
    2. This Japanese Smartphone Uses AI to Keep Users from Taking Nude Photos
    3. Here’s the File Clearview AI Has Been Keeping on Me, and Probably on You Too
    4. Apple has blocked Clearview AI's iPhone app for violating its rules
  3. Exploit development
    1. Stealing advanced nations’ Mac malware isn’t hard. Here’s how one hacker did it
  4. Digital rights
    1. Venezuela suffers major power outage knocking out internet connectivity
  5. Leaks
    1. Walgreens mobile app exposed health-related messages
    2. Free Wifi user data exposed in multiple UK train stations
    3. Over 120 million Decathlon accounts hacked
  6. Malware
    1. Hackers Use Windows 10 RDP ActiveX Control to Run Griffon Backdoor
  7. Ransomware
    1. Sodinokibi Ransomware Posts Alleged Data of Kenneth Cole Fashion Giant
    2. City of Cartersville admits paying Ryuk ransomware operators $380,000

Vulnerabilities

Ghostcat Bug Impacts All Apache Tomcat Versions Released in the Last 13 Years

Apache Tomcat servers released in the last 13 years are vulnerable to a bug named Ghostcat that can allow hackers to take over unpatched systems. From a report: Discovered by Chinese cybersecurity firm Chaitin Tech, Ghostcat is a flaw in the Tomcat AJP protocol. AJP stands for Apache JServ Protocol and is a performance-optimized version of the HTTP protocol in binary format. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances. Tomcat's AJP connector is enabled by default on all Tomcat servers and listens on the server's port 8009. Chaitin researchers say they discovered a bug in AJP that can be exploited to either read or write files to a Tomcat server. The vulnerability is tracked with CVE-2020-1938 and there is already a lot of proof of concept exploits publicly available.

A mysterious bug in the firmware of Google's Titan M chip (CVE-2019-9465)

Starting with the release of the Pixel 3, all of Google's Pixel Android smartphones come with the Titan M security chip on board. Alexander Bakker wrote a blog post describing how he discovered and reported the bug to Google.

Privacy

Facebook's Download-Your-Data Tool Is Incomplete

Despite Facebook claim, "Download Your Information" doesn't provide users with a list of all advertisers who uploaded a list with their personal data. As a user this means you can't exercise your rights under GDPR because you don't know which companies have uploaded data to Facebook. Information provided about the advertisers is also very limited (just a name and no contact details), preventing users from effectively exercising their rights. Recently announced Off-Facebook feature comes with similar issues, giving little insight into how advertisers collect your personal data and how to prevent such data collection.

This Japanese Smartphone Uses AI to Keep Users from Taking Nude Photos

Japanese company Tone Mobile has released a very special new smartphone. Aimed at parents who want to keep their kids from making bad choices, the TONE e20 has an AI-powered "Smartphone Protection" feature that prevents users from shooting or saving "inappropriate" photos. The official Tone Mobile press release hails the TONE e20 as the world's first phone with an AI that "regulates inappropriate images" through an AI built into the so-called TONE Camera. If the AI recognizes that the subject of a photo is "inappropriate," the camera will lock up; and if you somehow manage to snap a photo before the AI kicks in, the phone won't let you save or share it.

Here’s the File Clearview AI Has Been Keeping on Me, and Probably on You Too

Anna Merlan from Motherboard has used California Consumer Privacy Act to see what information the controversial facial recognition company has about her. Gizmodo has also found the APK file for the Clearview AI behind an unprotected AWS S3 bucket, but it turns out that it's not possible to run searches without an existing user account, which Clearview claims to issue only to law enforcement.

Apple has blocked Clearview AI's iPhone app for violating its rules

An iPhone app built by controversial facial recognition startup Clearview AI has been blocked by Apple, effectively banning the app from use. From a report: Apple confirmed to TechCrunch that the startup "violated" the terms of its enterprise program. The app allows its users -- which the company claims it serves only law enforcement officers -- to use their phone camera or upload a photo to search its database of three billion photos. But BuzzFeed News revealed that the company -- which claims to only cater to law enforcement users -- also includes many private sector users, including Macy's, Walmart, and Wells Fargo. Clearview AI has been at the middle of a media -- and legal -- storm since its public debut in The New York Times last month. The company scrapes public photos from social media sites, drawing ire from the big tech giants which claim Clearview AI misused their services. But it's also gained attention from hackers. On Wednesday, Clearview AI confirmed a data breach, in which its client list was stolen.

Exploit development

Stealing advanced nations’ Mac malware isn’t hard. Here’s how one hacker did it

Malware developers are always trying to outdo each other with creations that are stealthier and more advanced than their competitors'. At the RSA Security conference this week, a former hacker for the National Security Agency demonstrated an approach that's often more effective: stealing and then repurposing a rival's code. Patrick Wardle, who is now a security researcher at the macOS and iOS enterprise management firm Jamf, showed how reusing old Mac malware can be a smarter and less resource-intensive approach for deploying ransomware, remote access spy tools, and other types of malicious code. Where the approach really pays dividends, he said, is with the repurposing of advanced code written by government-sponsored hackers.

Digital rights

Venezuela suffers major power outage knocking out internet connectivity

The NetBlocks internet observatory has identified a nationwide power outage and fluctuations in supply across Venezuela as of 5:45 p.m. Sunday 1 March 2020, impacting multiple states and cities and also affecting parts of Caracas, sending approximately 35% of the country's telecommunications infrastructure offline. The incident comes almost one year after the collapse of Venezuela's national power grid.

Leaks

Walgreens mobile app exposed health-related messages

The mobile app of U.S. pharmaceutical retailer Walgreens inadvertently disclosed personal messages to other customers due to an internal application error, revealing some health-related information. Walgreens filed a copy of the data breach notification it has sent to affected customers with California's Office of the Attorney General, which makes those notifications public. The notification was published on Friday. "As part of our investigation, Walgreens determined that certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers," according to the notice.

Free WiFi user data exposed in multiple UK train stations

On February 14th Jeremiah Fowler discovered a non-password protected database that contained a massive amount of records totaling 146 million. Upon further review it appeared to be registrations for free WiFi details in major UK train stations. A large amount of records contained email addresses, age ranges, what was the reason for their travel, device data, and other internal logs. There were references to a company called C3UK inside the database and multiple domains that contained some form of the name C3.

Over 120 million Decathlon accounts hacked

Sporting company Decathlon has suffered a massive data breach exposing records of over 123 million users and employees. According to researchers at vpnMentor, more than 9GB of data was leaked from an unsecured ElasticSearch server. The leaked information, which primarily pertains to the Spanish arm of the company, was found on February 12th, the Decathlon was informed on 16th of February, with the company saying that the server was fixed the next day itself.

Malware

Hackers Use Windows 10 RDP ActiveX Control to Run Griffon Backdoor

A group of hackers is using the remote desktop ActiveX control in Word documents to automatically execute on Windows 10 a malware downloader called Ostap that was seen recently adopted by TrickBot for delivery. ActiveX controls can be added to text or drawing layers in Word documents to make them interactive.

Ransomware

Sodinokibi Ransomware Posts Alleged Data of Kenneth Cole Fashion Giant

The operators behind Sodinokibi Ransomware published download links to files containing what they claim is financial and work documents, as well as customers' personal data stolen from giant U.S. fashion house Kenneth Cole Productions. When victims pay, the ransomware payments are then shared between the affiliates and the Sodinokibi operators. Kenneth Cole is a privately held fashion firm headquartered in New York, founded 38 years ago, in 1982, and known as "one of the world's most recognized fashion companies. "Kenneth Cole Productions, you have to hurry," the ransomware operators said.

City of Cartersville admits paying Ryuk ransomware operators $380,000

Almost a year after getting infected with ransomware, the City of Cartersville in the U.S. State of Georgia this week admitted to paying ransomware operators $380,000 to unlock its systems. Cartersville reportedly got infected in early May last year when it saw "3 terabytes worth of data" vanish from city computers and servers. The city recovered within a week, but only after paying their cyber-aggressors to the tune of $380,000 in non-tradable Bitcoins, "with an additional $7,755.65 paid for transaction fees and negotiators," according to the documents obtained by The Daily Tribune News.