AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 3/6/2020

1 – Backdoor malware is being spread through fake security certificate alerts

Backdoor and Trojan malware variants are being distributed through a new phishing technique that lures victims into accepting an “update” to a website’s security certificate. Certificate Authorities (CAs) issue the SSL/TLS certificates that let a browser encrypt its connection to a server (especially important for domains providing e-commerce services) and that validate the server’s identity, which is what gives visitors a reason to trust a domain. There are known cases of certificate misuse and fraud, including criminals posing as company executives to obtain certificates used to sign fraudulent domains or malware payloads; this campaign instead abuses users’ trust in the certificate mechanism itself. The lure is bogus by construction: a site’s certificate is presented by the server during the TLS handshake and renewed on the server side, so a browser never asks a visitor to download or install a certificate “update”, and any page or pop-up that does is a phishing prompt.


2 – Cathay Pacific slammed for security failures following hack which exposed 9.4 million people worldwide

The UK’s Information Commissioner’s Office (ICO) has fined Cathay Pacific for “a number of basic security inadequacies” that let hackers steal the data of 9.4 million people worldwide, including 111,578 in the UK. In October 2018, the Hong Kong-based airline admitted that attackers had broken into its internal systems and accessed passenger data, including names, nationalities, dates of birth, phone numbers, email addresses, postal addresses, passport details, frequent flier numbers and historical travel information. It is now known that the intrusion had been going on since at least 15 October 2014 and was only identified in May 2018, after Cathay Pacific noticed a brute-force attack against its Active Directory database.


3 – Microsoft, Google Offer Free Remote Work Tools Due to Coronavirus

With employees either being quarantined after international travel or encouraged to work remotely due to the Coronavirus (COVID–19), Microsoft, Google, LogMeIn, and Cisco are offering free licenses to their meeting, collaboration, and remote work tools. Using these products, remote workers will be able to perform virtual meetings and chat with other employees while working remotely from their homes. A tweet by JP Courtois, Microsoft EVP and President, Microsoft Global Sales, Marketing & Operations, stated that Microsoft Teams is now available for free for six months to “support public health and safety by making remote work even easier.”


4 – FBI working to ‘burn down’ cyber criminals’ infrastructure

To thwart increasingly dangerous cyber criminals, law enforcement agents are working to “burn down their infrastructure” and take out the tools that allow them to carry out their devastating attacks, FBI Director Christopher Wray said Wednesday. Unsophisticated cyber criminals now have the power to paralyze entire hospitals, businesses and police departments, Wray said during a conference on cybersecurity at Boston College. The ever-changing threat has forced law enforcement to get creative and target the dark web sites and other tools at hackers’ disposal, he said.


5 – Hacking airliner systems doesn’t make them magically fall out of the sky

Airline pilots faced with hacked or spoofed safety systems tend to ignore them, but doing so could cost their airlines large sums of money, an infosec study has found. An Oxford University research team put 30 Airbus A320-rated pilots in front of a desktop flight simulator before manipulating three safety systems: the Instrument Landing System (ILS), the Ground Proximity Warning System (GPWS) and the Traffic Collision Avoidance System (TCAS). The team, who presented their paper at the NDSS infosec symposium, found that while their attacks against these systems “created significant control impact and disruption through missed approaches”, all pilots in the study were able to cope and land their simulated aircraft safely.


6 – Zero-Day Bug Allowed Attackers to Register Malicious Domains

A zero-day vulnerability affecting Verisign and several SaaS services, including Google, Amazon and DigitalOcean, allowed attackers to register .com and .net homograph domain names (among others) that could be used in insider, phishing and social-engineering attacks against organizations. Until Soluble security researcher Matt Hamilton, working with security testing firm Bishop Fox, disclosed the issue to Verisign and the SaaS providers, anyone could register homograph domain names on gTLDs (.com, .net and more), and subdomains at some SaaS companies, using homoglyph characters: Unicode letters that render identically to ASCII ones. “Some of these vendors were responsive and engaged in productive dialog, though others have not responded or did not want to fix the issue,” Hamilton says.
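The registrations described above work because certain Cyrillic and Greek letters render identically to ASCII Latin letters. The following is an added example, not code from the article, from Soluble, Bishop Fox, Verisign or any of the SaaS vendors named, of the two checks a registrar or a SaaS subdomain service can run before accepting a name: a per-label mixed-script check, and an ASCII-lookalike check that maps each letter through a confusables table and flags the label if the result is pure ASCII. The table is a small hand-picked subset of Unicode’s confusables data, and the sample domains are constructed for the demonstration.

```python
import unicodedata

# Hand-picked subset of Unicode confusables: non-Latin letters that render like
# ASCII Latin letters. This is NOT the full confusables.txt; extend as needed.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
}


def label_scripts(label):
    """Return the set of scripts (first word of the Unicode name) used in a label.
    Digits, hyphens and combining marks are ignored so they never count as a
    second script on their own."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch in "0123456789" or unicodedata.combining(ch):
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNASSIGNED")
    return scripts


def skeleton(label):
    """Replace every known confusable with its ASCII lookalike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(domain):
    """Run the homograph checks on one domain name.

    Returns a dict with the normalized name, its IDNA (punycode) form, a list
    of findings and a boolean 'suspect'. A purely ASCII name is never flagged;
    a non-ASCII name in a single script whose skeleton stays non-ASCII (e.g. a
    genuine German or Russian IDN) is not flagged either.
    """
    domain = unicodedata.normalize("NFC", domain).lower()
    findings = []
    for label in domain.split("."):
        if not label or label.isascii():
            continue
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(("mixed-script", label, sorted(scripts)))
        sk = skeleton(label)
        if sk != label and sk.isascii():
            findings.append(("ascii-lookalike", label, sk))
    try:
        # Python's built-in codec implements IDNA 2003 (nameprep + punycode).
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError as exc:
        punycode = None
        findings.append(("idna-reject", domain, str(exc)))
    return {"domain": domain, "punycode": punycode,
            "findings": findings, "suspect": bool(findings)}


# Constructed sample names (not taken from the article).
SAMPLES = [
    "example.com",                       # plain ASCII
    "m\u00fcnchen.de",                   # legitimate Latin IDN
    "p\u0430yp\u0430l.com",              # Latin + Cyrillic 'a' mixed in one label
    "\u0430\u0440\u0440\u04cf\u0435.com",  # whole-script Cyrillic lookalike of "apple"
]

if __name__ == "__main__":
    for name in SAMPLES:
        r = analyze(name)
        print(f"{name!r:32} -> {r['punycode']!r:24} suspect={r['suspect']} {r['findings']}")
```

The mixed-script rule alone misses the last sample, where every letter is Cyrillic; the skeleton rule catches it because the whole label collapses to the ASCII string “apple”. Conversely a real IDN such as münchen.de passes both rules, which is the property a registrar or SaaS provider needs so that the fix does not break legitimate non-English names.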


7 – India’s supreme court lifts ban on banks facilitating cryptocurrency trade

India’s banks can now finally go back to dealing with cryptocurrency exchanges. In a landmark judgment, the country’s highest court today (March 4) quashed a 2018 central bank order barring lenders from dealing with these exchanges. The supreme court today said the Reserve Bank of India (RBI) order was “unconstitutional.” On April 6, 2018, the RBI asked banks not to transact with crypto exchanges, choking the virtual currency ecosystem in the country. Since then, the Internet and Mobile Association of India, representing various crypto exchanges, had challenged the RBI’s decision in court.


8 – Seven people wrongfully apprehended by Met Police during Oxford Circus facial recognition deployment

The Metropolitan Police’s facial recognition deployment in Oxford Circus on Thursday led to the wrongful apprehension of seven innocent members of the public who were incorrectly identified. Nevertheless, their facial images will be added to the police database that already has more than one million mugshots. On top of that, five further members of the public who were passing by were stopped, questioned and asked to produce ID, with 8,600 people in total scanned by the facial recognition technology without their consent.


9 – UK broadband ISP spills 900,000 punters’ records into wrong hands from insecure database

Virgin Media, one of the UK’s biggest ISPs, on Thursday admitted it accidentally spilled 900,000 of its subscribers’ personal information onto the internet via a poorly secured database. The cableco said it “incorrectly configured” a storage system so that at least one miscreant was able to access it and potentially siphon off customer records. The now-secured marketing database – containing names, home and email addresses, and phone numbers, and some dates of birth, plus other info – had been left open since mid-April 2019. Crucially, the information “was accessed on at least one occasion but we do not know the extent of the access,” Virgin Media’s CEO Lutz Schüler said in a statement this evening. 


10 – US Govt Adds Stricter Requirements for .gov Domain Registration

The U.S. government will start requiring notarized signatures as part of the registration process for .gov domains starting March 10, 2020, to prevent wire and mail fraud that might lead to such domains being registered by unauthorized organizations or individuals. The U.S. General Services Administration (GSA) oversees the DotGov Program that operates the .GOV top-level domain (TLD) and it makes such domains available to US-based government organizations, from local municipalities to federal agencies. “Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain,” the DotGov Registrar says.
