AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 12/05/2019

1 – Messaging / Smishing Attacks

One of the most common ways cyber attackers attempt to trick or fool people is by scamming you in email attacks (often called phishing) or try to trick you with phone calls. However, as technology continues to advance bad guys are always trying new methods, to include tricking you with messaging technologies such as text messaging, iMessage/Facetime, WhatsApp, Slack or Skype. Here are some simple steps to protect yourself and spot / stop these common attacks.

 

2 – HPE tells users to patch SSDs to prevent failure after 32,768 hours of operation

Hewlett Packard Enterprise (HPE) warned customers last week to install a critical firmware patch to prevent SAS SSDs (Serial-Attached SCSI solid-state drives) from permanently failing after 32,768 hours of operation — which is 3 years, 270 days, and 8 hours. “After the SSD failure occurs, neither the SSD nor the data can be recovered,” HPE said, clearly suggesting that device owners need to install the firmware patch if they want to keep using their devices past the 32,768-hour deadline. Users who keep data backups on different drives will be able to recover their data, but the HPE SSD will be unrecoverable, according to HPE.

 

3 – Two malicious Python libraries caught stealing SSH and GPG keys

The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers. The two libraries were created by the same developer and mimicked other more popular libraries — using a technique called typosquatting to register similarly-looking names. The first is “python3-dateutil,” which imitated the popular “dateutil” library. The second is “jeIlyfish” (the first L is an I), which mimicked the “jellyfish” library.

 

4 – HackerOne breach lets outside hacker read customers’ private bug reports

As a leading vulnerability reporting platform, HackerOne has paid hackers more than $23 million on behalf of more than 100 customers, including Twitter, Slack, and the US Pentagon. The company’s position also gives it access to unimaginable amounts of sensitive data. Now, the company has paid a $20,000 bounty out of its own pocket after accidentally giving an outside hacker the ability to read and modify some customer bug reports. The outsider—a HackerOne community member who had a proven track record of finding and privately reporting vulnerabilities through the platform—had been communicating late last month with one of the company’s security analysts. In one message, the HackerOne analyst sent the community member parts of a cURL command that mistakenly included a valid session cookie that gave anyone with possession of it the ability to read and partially modify data the analyst had access to.

 

5 – ABN Amro shuts down hundreds of ATMs due to explosive attacks

Dutch bank ABN Amro has temporarily shut down and emptied 479 ATMs — more than half of its ATM fleet in the Netherlands — due to a sharp rise in violent ATM explosive attacks. “The attacks are causing anxiety and unrest among inhabitants and businesses in the vicinity of the ATMs,” the bank said in an announcement yesterday.  Of the closed machines — which the bank identified as a “certain type” of cash dispenser — 380 of them are ABN Amro machines and 90 are former ABN Amro machines that had been remodeled into uniform yellow cash dispensers in recent months. At another 400 locations, ABN Amro has a different type of cash dispenser. These will remain open for use, the bank said. 

 

6 – Iran Has Launched ‘Malicious’ New Malware That Wipes Windows Computers, Warns IBM

Iran’s state-sponsored hackers have deployed a new strain of malicious malware, warns IBM, which has been aimed at the “industrial and energy sectors” in the Middle East. No specific companies have been identified, but there’s no surprise in the nature of the attack. For Iran, its ongoing hybrid conflict with the U.S. and its allies has made these sectors a target. IBM has attributed the latest “destructive attacks” to Iran’s hyperactive APT34 “and at least one other group, [also] likely based out of Iran.”

 

7 – Hackers Find Ways Around a Years-Old Microsoft Outlook Fix

First disclosed and fixed in October 2017, the bug is in a little-known Outlook feature called the Home Page, a tab that can function as a user’s home screen and load external content from, say, a company web server or even a public website. In practice, many Outlook users have no idea that the Home Page exists, because they open Outlook to their inboxes. But hackers realized that if they could get someone’s account credentials, they could exploit a flaw in Home Page and manipulate it to load malicious content. From there, they could remotely run exploit code to break out of Outlook’s defenses and control a device’s operating system. The whole attack is inconspicuous, because it looks like legitimate Outlook traffic. Once it’s set up, the back door persists even after the compromised device is rebooted.

 

8 – Ransomware attack hits major US data center provider

CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, ZDNet has learned. CyrusOne is currently working with law enforcement and forensics firms to investigate the attack and is also helping customers restore lost data from backups. The incident took place yesterday and was caused by a version of the REvil (Sodinokibi) ransomware. This is the same ransomware family that hit several managed service providers in June, over 20 Texas local governments in early August, and 400+ US dentist offices in late August. According to a copy of the ransom note obtained by ZDNet, this was a targeted attack against the company’s network. The point of entry is currently unknown.

 

9 – Sweaty Betty admits eCommerce data breach

Sweaty Betty has revealed that cyber-criminals managed to insert malicious code into its eCommerce website in an attempt to capture customer card details during the checkout process. In an email sent to customers, Sweaty Betty said it was recently made aware of “unusual activity” on its website. According to the retailer, a third party gained unauthorised access to part of its website and inserted malicious code “designed to capture information entered during the checkout process”. Stolen customer data could include name, password, billing address, delivery address, email address, telephone number, payment card number, CVV number and expiry date.

 

10 – 24 Chinese nationals arrested in Thailand over alleged Bitcoin call center scam

Authorities have busted a call center in Thailand and arrested 24 Chinese nationals for allegedly running a Bitcoin investment scam. Chiang Rai Times, an English language news portal, says the scam has been operating since March this year. Additionally, the portal notes that those arrested were tasked with luring citizens in mainland China to trade Bitcoin using cryptocurrency exchange Huobi Global. According to a statement issued by Thailand‘s Immigration Police, it appears the individuals had their passported confiscated when they arrived at a rented property in Bangkok, though this remains unclear.

Related Posts