AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 10/30/2019

1 – iPhone 5 users risk losing internet access

Apple iPhone 5 users have been warned to update their software before the weekend or face losing access to the internet. The technology giant said users who did not download iOS 10.3.4 by 3 November would be locked out of features that rely on the correct time and date. This includes the App Store, email, web browsing and storage service iCloud. While it is not the latest version of the operating system, it is the most up-to-date available for the model.


2 – Police were cracking cold cases with a DNA website. Then the fine print changed.

In April 2018, California authorities revealed that they’d used a novel investigative technique to arrest a man they called the Golden State Killer, a serial murderer who’d escaped capture for decades. For the first time, police had submitted DNA from a crime scene into a consumer DNA database, where information about distant relatives helped them identify a suspect. The announcement kindled a revolution in forensics that has since helped solve more than 50 rapes and homicides in 29 states. But earlier this year, that online database changed its privacy policy to restrict law enforcement searches, and since then, these cold cases have become much harder to crack.


3 – GitLab backs down on telemetry changes and forced tracking – for now

GitLab has put the brakes on plans to introduce forced tracking by third-party telemetry services by changing its Terms of Service. GitLab is a DevOps platform, delivered as a web application for purposes including management, code creation, security, and project planning. Used by over 100,000 organizations worldwide, GitLab has proven to be a popular resource for DevOps — but its latest decision to introduce telemetry changes has resulted in high levels of criticism and threats by some users to move elsewhere. 


4 – P&G Online Beauty Store Hacked to Steal Payment Info

Hackers in May planted an e-skimmer on Procter & Gamble’s site First Aid Beauty and it was still stealing payment card data today. This particular MageCart script selects its victims from the US. If a shopper is from a different country or uses the Linux operating system, the script remains inactive, most likely as a defense against security researchers. Although First Aid Beauty does not bear the Procter & Gamble marks, the company acquired the beauty brand this year for a reported $250 million.


5 – Hackers are using a bug in PHP7 to remotely hijack web servers

The PHP programming language underpins much of the Internet. It forms the basis of popular content management systems like WordPress and Drupal, as well as more sophisticated web applications, like Facebook (kinda). Therefore, it’s a huge deal whenever researchers identify a security vulnerability within it. A couple of days ago, Emil ‘Neex’ Lerner, a Russia-based security researcher, disclosed a remote-code execution vulnerability in PHP 7 – the latest iteration of the hugely popular web development language.


6 – Emotet is back in action after a short break

It’s common for cybercriminals to launch an attack, then shortly thereafter stop the campaign before they are detected. These breaks also give these bad actors a chance to change tactics to, once again, attempt to avoid detection. That’s what operators using the Emotet malware did, taking a short break before bringing Emotet back in a new, more dangerous form. Emotet operators took about a two-month break as command and control (C&C) servers went down in late May and came back online around the end of August. Then, we began observing a new version of this malware around mid-September.


7 – Who’s the leakiest of them all? It’s the UK’s public sector, breach fine analysis reveals

Despite the Information Commissioner’s Office (ICO) recently slapping record megafines on British Airways and Marriott for data leakage, it’s actually the UK’s public sector that racked up the biggest volume of breaches in the last eight years. Since 2010, the ICO has handed out 216 fines totalling £23.5m (excluding the BA and Marriott), according to data crunched by SMS API company The SMS Works. Of those, 110 penalties were for data breaches since 2010, 50.9 per cent of the total. Meanwhile, nuisance calls account for 27 per cent of all fines, with SMS and email spam making up the remaining 22 per cent.


8 – UniCredit reveals data breach exposing 3 million customer records

UniCredit has revealed a data breach resulting in the leak of information belonging to three million customers. On Monday, the Italian bank and financial services organization said that a compromised file, generated in 2015, is the source of the security incident. In total, roughly three million records were exposed, revealing the names, telephone numbers, email addresses, and cities where clients were registered. While UniCredit caters to an international client base, each record related to an Italian customer. 


9 – Indian nuke plant’s network reportedly hit by malware tied to N. Korea

A former analyst for India’s National Technical Research Organization (NTRO) has tied a malware report published by VirusTotal to a cyber attack on India’s Kudankulam Nuclear Power Plant. The malware, identified by researchers as North Korea’s Dtrack, was reported by Pukhraj Singh to have gained “domain controller-level access” at Kudankulam. The attack has been reported to the government. The attack likely did not affect reactor controls, but it may have targeted research and technical data. The attack apparently focused on collection of technical information, using a Windows SMB network drive share with credentials hard-coded into the malware to aggregate files to steal. Dtrack was tied to North Korea’s Lazarus threat group by researchers based on code shared with DarkSeoul, a malware attack that wiped hard drives at South Korean media companies and banks in 2013.


10 – City of Joburg says it knows who ransom hack attacker is, refuses to pay off criminals

Several hours past the payment deadline, Johannesburg has vowed not to give in to criminal hackers who demanded £29,000 (4 bitcoins) not to publish its data, four days after the South African city shut down its public sector networks in response to the breach. Several “customer facing systems – including the city’s website, e-services, and billing system[s]” – have remained offline since they were pulled down Thursday night “as a precaution” after a “network intrusion”, which the city first announced just after 11pm local time on 24 October.


11 – The U.S. Army Didn’t Even Use Tools it Bought from Hacking Team

Despite spending hundreds of thousands of dollars on equipment from controversial malware vendor Hacking Team, a section of the U.S. Army focused on counterintelligence never even used the tools. The U.S. Army paid Cicom USA, the U.S. subsidiary of Hacking Team, $350,000 for the company’s “Remote Control System” (RCS) in 2011, according to publicly available contract records. Motherboard filed a Freedom of Information Act (FOIA) request with the U.S. Army for documents related to this contract, and one showed the purchase was specifically for the 902nd Military Intelligence Group.


12 – Fancy Bear hackers targeted at least 16 athletic organizations ahead of Tokyo Olympics

State-sponsored Russian hackers are targeting anti-doping authorities and other sports-related organizations ahead of the Tokyo Olympics in 2020, Microsoft announced on Monday. The hacking group known as Fancy Bear — or Strontium, APT28 and other names — targeted at least 16 national and international organizations across three continents starting Sept. 16, Tom Burt, Microsoft’s vice president for customer security and trust, said in a blog post. That date roughly coincides with when World Anti-Doping Agency officials told international media outlets that Russia may be banned from all international sporting events over “inconsistencies” at its Moscow testing facility.


13 – Facebook sues hosts behind hacking sites that it says target the social network

Facebook wants to take down sites like “HackingFacebook.net” and “iiinstagram.com,” which allegedly offer hacking tools against the social networking giant. But it’s doing so by filing a copyright lawsuit and targeting the two domain hosts where the websites are registered. The company filed its lawsuit on Monday in the US District Court of the Northern District of California. It accuses web hosts OnlineNIC and ID Shield of trademark infringement and cybersquatting. 


14 – American Cancer Society’s online store infected with credit card stealing malware

The American Cancer Society’s online store has become the latest victim of credit card-stealing malware. Security researcher Willem de Groot found the malware on the organization’s store website, buried in obfuscated code designed to look like legitimate analytics code. The code was designed to scrape credit card payments from the page, like similar attacks targeting British Airways, Ticketmaster, AeroGarden and Newegg. The attackers, known as Magecart, sell the stolen credit card numbers on the dark web or use them to commit fraud.


15 – London police software quarantines thousands of cybercrime reports

Over 9,000 cybercrime reports filed by UK citizens have sat inside a police database without being investigated after security software mistakenly identified them as containing malicious code and placed them in quarantine. All the quarantined reports came from Action Fraud, an official UK police website where victims can report fraud and cybercrime. According to an audit published this week by the HMICFRS (Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services), thousands of these reports never reached police officers.


16 – Facebook drops U.K. appeal against Cambridge Analytica fine, but admits no liability

Facebook has reached a settlement with the U.K.’s Information Commissioner’s Office (ICO) over Facebook’s role in the misuse of users’ personal data in the lead-up to the 2016 European Union (EU) membership referendum. Following an investigation that started in 2017, the ICO hit Facebook with a £500,000 ($644,000) fine last October over its failure to prevent controversial data analytics firm Cambridge Analytica from improperly accessing user data. Facebook argued that, even by the ICO’s own admission, there was no evidence to suggest that any private Facebook users’ data was used by Cambridge Analytica, Cambridge University academic Dr. Aleksandr Kogan, or any affiliates to target voters in the build-up to the Brexit vote, and thus it planned to appeal the fine.
