AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 3/12/2020

1 – What to expect from the Cybersecurity Solarium Commission report

A bipartisan congressional committee is urging the federal government to enact a sweeping set of cybersecurity upgrades in order to modernize American defenses on issues ranging from 5G security to stopping intellectual property theft and mitigating ransomware attacks. The Cybersecurity Solarium Commission on Wednesday released 75 recommendations that call for changes in the way that Congress and the Trump administration oversee crucial security issues that, if unaddressed, may jeopardize U.S. national and economic security. It remains to be seen whether some of the proposals will become a reality. In an interview with CyberScoop, Sen. Angus King, I-Maine, a co-chair of the commission, would not preview which elements of the proposal would appear in forthcoming legislation, but said between 40 and 50 percent of them could be seen in the 2021 National Defense Authorization Act.


2 – Warning — Unpatched Critical ‘Wormable’ Windows SMBv3 Flaw Disclosed

Shortly after releasing its monthly batch of security updates, Microsoft late yesterday separately issued an advisory warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting the Server Message Block 3.0 (SMBv3) network communication protocol. It appears Microsoft originally planned to fix the flaw as part of its March 2020 Patch Tuesday update, but, for some reason, it pulled the plug at the last minute, which apparently did not stop a tech company from accidentally leaking the existence of the unpatched flaw. The yet-to-be-patched flaw (tracked as CVE-2020-0796), if exploited successfully, could allow an attacker to execute arbitrary code on the target SMB server or SMB client.


3 – Avast AntiTrack certificate bug allowed others to snoop on your online activities

A vulnerability impacting Avast and AVG AntiTrack privacy software opened up user PCs to Man-in-the-Middle (MiTM) attacks, browser session hijack, and data theft. Disclosed by security researcher David Eade on March 9, the flaw, tracked as CVE-2020-8987, is a certificate validation issue that affects Avast AntiTrack before 1.5.1.172 and AVG AntiTrack before 2.0.0.178. Attackers do not need local access to trigger the vulnerability, and no special software configuration needs to be in place. Avast’s AntiTrack software is designed to block advertising trackers and to prevent “invasive” monitoring of your online habits. However, a set of three security failures undermined these goals.


4 – It’s official: E3 2020 has been canceled

In a message sent Wednesday morning, the ESA cited “growing concerns over [the] COVID-19 virus” in officially canceling this year’s Electronic Entertainment Expo. The organization says it is “exploring options with our members to coordinate an online experience to showcase industry announcements and news in June 2020,” but nothing concrete has been announced on that score. “After careful consultation with our member companies regarding the health and safety of everyone in our industry—our fans, our employees, our exhibitors, and our longtime E3 partners—we have made the difficult decision to cancel E3 2020, scheduled for June 9-11 in Los Angeles,” the ESA statement reads. 


5 – IRS scams during tax season target unsuspecting consumers

During this time of the year, consumers need to be aware of the increase in potential threats as hackers pose as collectors from the IRS, tax preparers, or government bureaus. These tactics are particularly effective due to taxpayers’ concerns about misfiling their taxes or accidentally running into trouble with groups like the IRS. McAfee researchers recently uncovered an example of an illegitimate IRS site created to scam unsuspecting consumers. If you look closely, you will notice a non-IRS domain and an insecure connection; these are key things to look out for when seeking online resources. Fake sites such as this pose particular risk to consumers when combined with phishing email campaigns.


6 – 8 million UK shopping records exposed on the web, customers’ personal info leaked

A software vendor used by small retailers in the EU exposed a database of nearly 8 million sales records on the web without a password or any other authentication required to access it. The documents contained sales records including customer names, email addresses, shipping addresses, purchases, and the last four digits of credit card numbers, among other info. Anyone could find and access the data. The vendor’s app pulled sales records from marketplace and payment system APIs like those of Amazon UK, eBay, Shopify, PayPal, and Stripe to aggregate retailers’ sales data and calculate value-added taxes for different EU countries. At this time, we do not know the exact number of retailers or customers affected. Comparitech’s security research team, led by Bob Diachenko, uncovered the exposed Amazon Web Services server containing the MongoDB database on February 3, 2020.


7 – Bogus HIV test results are the latest lures used by cybercrooks

It’s open season for hackers who prey on public health fears to try to dupe people into installing malware. As phishing attempts related to the novel coronavirus surged in late January, another health-related scam was kicking off. Crooks were sending people fake HIV test results that were laced with malicious code. To make the ruse more believable, the emails purported to come from Vanderbilt University’s prestigious medical center. “The psychology behind that is: Whether or not you recently did an HIV test, it is very possible that you would still be interested to see HIV test results,” said Sherrod DeGrippo, who heads the threat research and detection team at Proofpoint, the cybersecurity company that discovered the phishing campaign.


8 – Microsoft takes down global zombie bot network

Microsoft has said it was part of a team that dismantled an international network of zombie bots. The network, called Necurs, infected over nine million computers and was one of the world’s largest botnets. Necurs was responsible for multiple criminal scams, including stealing personal information and sending fake pharmaceutical emails. Cyber-criminals use botnets to remotely take over internet-connected devices and install malicious software. The software can be used to send spam, collect information about what activity the computer is used for, or delete information without notifying the owner.


9 – Thousands of fingerprint files exposed in unsecured database, research finds

A web server containing records of about 76,000 unique fingerprints was left exposed on the internet, researchers said Wednesday. The unsecured fingerprint data, as well as employee email addresses and telephone numbers, had been collected by Brazilian company Antheus Tecnologia. The database, which contained nearly 2.3 million data points, most of which were server access logs, has now been secured, according to Anurag Sen, the researcher who published his findings with antivirus review site Safety Detectives. The fingerprint data was stored as a binary data stream, which is a string of ones and zeroes. Sen said bad actors may be able to turn that data back into a biometric image of a fingerprint. And even if they can’t find a way to use the data for bad purposes at the moment, that will change as technology advances, Sen said.


10 – Whisper, an anonymous secret-sharing app, failed to keep messages or profiles private

Whisper is a secret-sharing app where you can post anonymous messages, but security failures ensured user content and profiles were available for anyone online to view. The inadvertent data exposure was caused by an open database with no credentials or password protection in place, as reported by the Washington Post. Independent researchers Matthew Porter and Dan Ehrlich came across the data treasure trove, which contained approximately 900 million records spanning from the app’s launch in 2012 to the present day. While the records did not include user names, they included nicknames, stated ages, ethnicities, genders, hometowns, group memberships — some of which are sexual in nature — and location data tied to posts.