AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 1/28/2020

1 – Leaked Documents Expose the Secretive Market for Your Web Browsing Data

An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world’s biggest companies, a joint investigation by Motherboard and PCMag has found. Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in many cases supposed to remain confidential between the company selling the data and the clients purchasing it. The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples’ internet browsing histories.


2 – Microsoft’s IE Zero-day Fix is Breaking Windows Printing

Microsoft’s temporary fix for a recently disclosed Internet Explorer zero-day vulnerability is causing numerous problems in Windows, including breaking printing for some users. On January 17th, 2020, Microsoft disclosed a zero-day remote code execution vulnerability in Internet Explorer 11, 10, and 9 that was being used in “limited targeted attacks”. To exploit this vulnerability, attackers can create a specially crafted web site that when visited in Internet Explorer will remotely execute commands on the visitor’s computer without their knowledge or permission.


3 – Hackers hijack social media accounts for the NFL and 15 teams

A Saudi hacker group has mass-defaced the social media accounts of the NFL and 15 of its teams. The defacements were claimed by a group of hackers going by the name of OurMine. The hacks, which occurred on the media-busy Super Bowl week, have been confirmed from multiple sources. Exact details of how the defacements took place are currently unclear, however, a large portion of the tweets posted by the OurMine crew on the hijacked accounts are coming from Khoros. Khoros is a web service used by digital marketing and public relations departments to manage social media accounts and gauge social media engagements, and is usually connected to a social media account as a third-party app. A Khoros spokesperson told ZDNet today that “the Khoros platform was not compromised.”


4 – Hackers target unpatched Citrix servers to deploy ransomware

Companies still running unpatched Citrix servers are in danger of having their networks infected with ransomware. Multiple sources in the infosec community are reporting about hacker groups using the CVE-2019-19781 vulnerability in Citrix appliances to breach corporate networks and then install ransomware. Ransomware infections traced back to hacked Citrix servers have been confirmed by security researchers at FireEye and Under the Breach. The REvil (Sodinokibi) ransomware gang has been identified as one of the groups attacking Citrix servers to gain a foothold on corporate networks and later install their custom ransomware strain.


5 – City of Potsdam Servers Offline Following Cyberattack

The City of Potsdam severed the administration servers’ Internet connection following a cyberattack that took place earlier this week. Emergency services, including the city’s fire department, are fully operational and payments are not affected. Potsdam is the largest city and the capital of the German federal state of Brandenburg, bordering the German capital, Berlin. The systems of the Brandenburg capital are still offline after the unauthorized access to the Potsdam administration’s servers was noticed on Tuesday and their Internet connection was shut down on Wednesday evening to prevent data exfiltration.


6 – Magecart gang arrested in Indonesia

Interpol and Indonesian police have arrested three men on suspicion of being part of a cybercrime group engaged in Magecart attacks. The arrests, which took place on December 20 but were only made public last week in a press conference, mark the first arrests of a Magecart gang. Magecart, also known as web skimming or e-skimming, is a form of cybercrime where hacker groups plant malicious JavaScript code on online stores. The code is configured to steal payment card data while users enter the card info into checkout and payment forms. The suspects were only identified by their initials: ANF (27 years), K (35 years), and N (23 years), from the regions of Jakarta and Yogyakarta.


7 – Royal Yachting Association Resets Passwords After Breach

The Royal Yachting Association (RYA) is forcing a password reset for all online users after warning some that their data may have been compromised by a third party. The UK’s national body for all things nautical appears to have moved quickly in response to the discovery. “We have recently become aware that an unauthorized party accessed and may have acquired a database created in 2015 containing personal data associated with a number of RYA user accounts. The affected information included email addresses and RYA website passwords which were encrypted and therefore not visible,” it explained.


8 – After nearly 6 months, Kashmir’s internet opens up – but only to 300 sites

After enduring the longest internet shutdown in a democracy, people in Kashmir are being allowed back online, but with major restrictions. On January 15, the state authorities allowed limited 2G access and broadband access to select institutes in a few areas. Over the weekend, it issued orders to restore 2G internet access to 301 sites across the region of Jammu and Kashmir, including a handful of news outlets. Just 301. The full list includes banking sites, travel booking services, education-related websites, music and video streaming services, and select news sites. Popular social media sites such as Facebook and Twitter are still missing. As per the order, these restrictions will be effective until January 31.


9 – Hackers acting in Turkey’s interests believed to be behind recent cyberattacks

Sweeping cyberattacks targeting governments and other organizations in Europe and the Middle East are believed to be the work of hackers acting in the interests of the Turkish government, three senior Western security officials said. The hackers have attacked at least 30 organizations, including government ministries, embassies and security services as well as companies and other groups, according to a Reuters review of public internet records. Victims have included Cypriot and Greek government email services and the Iraqi government’s national security advisor, the records show. The attacks involve intercepting internet traffic to victim websites, potentially enabling hackers to obtain illicit access to the networks of government bodies and other organizations.


10 – NSA faces questions over security of Trump officials after alleged Bezos hack

The US National Security Agency is facing questions about the security of top Trump administration officials’ communications following last week’s allegations that the Saudi crown prince may have had a hand in the alleged hack of Jeff Bezos. Ron Wyden, a senior Democratic lawmaker, asked the director of the NSA whether he was confident that the Saudi government had not also sought to hack senior US government officials, including the White House adviser Jared Kushner, who has reportedly had a WhatsApp relationship with the Saudi heir.