  1. #801
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    FFS...


    Ukrainian authorities are investigating a potential security breach at a local nuclear power plant after employees connected parts of its internal network to the internet so they could mine cryptocurrency.
    The investigation is being led by the Ukrainian Secret Service (SBU), who is looking at the incident as a potential breach of state secrets due to the classification of nuclear power plants as critical infrastructure.
    Investigators are examining if attackers might have used the mining rigs as a pivot point to enter the nuclear power plant's network and retrieve information from its systems, such as data about the plant's physical defenses and protections.

    https://www.zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/

  2. #802
    I'm in Jail

    Join Date
    Mar 2010
    Last Online
    14-12-2023 @ 11:54 AM
    Location
    Australia
    Posts
    13,986
    I love these juxtapositions :

    Russian launches floating nuclear reactor across Arctic

    https://www.bangkokpost.com/world/17...62iCw#cxrecs_s

  3. #803
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Quote Originally Posted by Latindancer View Post
    I love these juxtapositions :

    Russian launches floating nuclear reactor across Arctic

    https://www.bangkokpost.com/world/17...62iCw#cxrecs_s
    Nothing to do with this thread and it's already been posted elsewhere.

    https://teakdoor.com/world-news/19303...or-across.html

  4. #804
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    If you use Bitdefender Antivirus Free 2020, make sure you update it ASAP (and apply all Windows updates).

    https://www.bitdefender.com/support/...rus-free-2020/

  5. #805
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Google Uncovers Massive iPhone Attack Campaign

    A group of hacked websites has been silently compromising fully patched iPhones for at least two years, Project Zero reports.

    For at least two years, a small collection of hacked websites has been attacking iPhones in a massive campaign affecting thousands of devices, researchers with Google Project Zero report.

    These sites quietly infiltrated iPhones through indiscriminate "watering hole" attacks using previously unknown vulnerabilities, Project Zero's Ian Beer reports in a disclosure published late Thursday. He estimates affected websites receive thousands of weekly visitors, underscoring the severity of a campaign that upsets long-held views on the security of Apple products.


    "There was no target discrimination; simply visiting the hacked website was enough for the exploit server to attack your device, and if it was successful, install a monitoring plant," Beer explains.


    Google's Threat Analysis Group (TAG) found five exploit chains covering nearly every operating system release from iOS 10 to the latest version of iOS 12. These chains connected security flaws so attackers could bypass several layers of protection. In total, they exploited 14 vulnerabilities: seven affecting the Safari browser, five for the kernel, and two sandbox escapes.


    When unsuspecting victims accessed these malicious websites, which had been live since 2017, the site would evaluate the device. If the iPhone was vulnerable, it would load monitoring malware. This was primarily used to steal files and upload users' live location data, Beer writes.


    The malware granted access to all of a victim's database files used by apps like WhatsApp, Telegram, and iMessage so attackers could view plaintext messages sent and received. Beer demonstrates how attackers could upload private files, copy a victim's contacts, steal photos, and track real-time location every minute. The implant also uploads the device keychain containing credentials and certificates, as well as tokens used by services like single sign-on, which people use to access several accounts.


    There is no visual indicator to tell victims the implant is running, Beer points out, and the malware requests commands from a command-and-control server every 60 seconds.


    "The implant has access to almost all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker's server," he says. It does not persist on the device; if the iPhone is rebooted the implant won't run unless the device is re-exploited. Still, given the amount of data they have, the attacker may remain persistent without the malware.


    Google initially discovered this campaign in February and reported it to Apple, giving the iPhone maker one week to fix the problem. Apple patched it in iOS 12.1.4, released on February 7, 2019.


    iPhones, MacBooks, and other Apple devices are widely considered safer than their competitors. Popular belief also holds that expensive zero-day attacks are reserved for specific, high-value victims. Google's discovery dispels both of these assumptions: This attack group demonstrated how zero-days can be used to wreak havoc by hacking a larger population.

    https://www.darkreading.com/endpoint...d/d-id/1335699
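
The article above says the implant polls its command-and-control server every 60 seconds and uploads data unencrypted, which is something a network defender can look for. The following is an added example, not part of the original post or of Project Zero's write-up: it flags client/host pairs with near-constant request intervals in proxy logs. The log format, host names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _make_lines(offsets, src, scheme, host, size):
    """Build constructed log lines at the given second offsets from a fixed start."""
    start = datetime(2019, 8, 30, 10, 0, 0)
    return [
        f"{(start + timedelta(seconds=o)).isoformat()} {src} {scheme} {host} {size}"
        for o in offsets
    ]


# Constructed sample data (not real traffic).
# Assumed line format: timestamp, client IP, scheme, destination host, bytes sent.
SAMPLE_LOG = (
    # Regular ~60 s polling over cleartext HTTP with a little jitter.
    _make_lines([0, 60, 121, 180, 239, 300, 360, 421],
                "10.0.0.23", "http", "c2.example.invalid", 2048)
    # Ordinary browsing from the same phone: irregular gaps.
    + _make_lines([5, 17, 140, 150, 410, 415, 900, 1300],
                  "10.0.0.23", "https", "news.example.invalid", 300)
    # Regular, but too few events to judge with the default threshold.
    + _make_lines([0, 60, 120],
                  "10.0.0.40", "https", "push.example.invalid", 120)
)


def find_beacons(lines, min_events=6, max_jitter_ratio=0.1):
    """Return (client, host) pairs whose gaps between requests are near-constant."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, scheme, host, size = line.split()
        flows[(src, host)].append((datetime.fromisoformat(ts), scheme, int(size)))

    findings = []
    for (src, host), events in flows.items():
        if len(events) < min_events:
            continue
        events.sort(key=lambda e: e[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        # Median absolute deviation tolerates an occasional delayed poll.
        jitter = median(abs(g - period) for g in gaps)
        if jitter / period <= max_jitter_ratio:
            findings.append({
                "client": src,
                "host": host,
                "events": len(events),
                "period_s": period,
                "jitter_s": jitter,
                # Cleartext uploads are also visible to content inspection.
                "cleartext": any(scheme == "http" for _, scheme, _ in events),
                "bytes_out": sum(size for _, _, size in events),
            })
    return sorted(findings, key=lambda f: (f["client"], f["host"]))


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Legitimate services such as push notifications and mail sync also poll on fixed timers, so hits need triage against known-good destinations before they mean anything.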

  6. #806
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Researchers say an attacker could send a rogue over-the-air provisioning message to susceptible phones and route all internet traffic through a hacker-controlled proxy.

    Over half of all Android handsets are susceptible to a clever over-the-air SMS phishing attack that could allow an adversary to route all internet traffic through a rogue proxy, as well as hijack features such as a handset’s homepage, mail server and directory servers for synchronizing contacts and calendars.
    Researchers at Check Point said Samsung, Huawei, LG and Sony handsets are “susceptible” to the phishing ploy.


    Researchers said, assuming that at least some of the recipients are gullible enough to accept a CP without challenging its authenticity, the OMA CP message allows the modification of the following settings over-the-air:

    • MMS message server
    • Proxy address
    • Browser homepage and bookmarks
    • Mail server
    • Directory servers for synchronizing contacts and calendar
    https://threatpost.com/half-of-andro...attack/147988/

  7. #807
    Thailand Expat
    Klondyke's Avatar
    Join Date
    Aug 2014
    Last Online
    26-09-2021 @ 10:28 PM
    Posts
    10,105
    Huawei accuses US of trying to hack its systems, recruit spies & intimidate employees

    The US has used “unscrupulous means” to attack Huawei’s business in recent months – trying to hack its servers and turn employees into spies using extortion, legal threats and coercion, the Chinese telecom giant has claimed.

    Washington “has been using every tool at its disposal – including both judicial and administrative powers, as well as a host of other unscrupulous means – to disrupt the normal business operations of Huawei and its partners,” the company said in a statement released on Tuesday, adding that the US had been “leveraging its political and diplomatic influence to lobby other governments to ban Huawei equipment” as well.

    Jealous of Huawei’s number-two position in the world smartphone market, the US government has used law enforcement to threaten, coerce, and entice current and former employees to become spies for Washington, impersonated Huawei employees for entrapment purposes, launched cyberattacks against company systems, and “obstruct[ed] normal business activities,” Huawei declared, accusing the US of interfering with shipments, denying visas, and otherwise waging lawfare against the company.

    Washington has even conspired with Huawei clients and competitors to try to get the company blackballed in the industry, the company added.

    The statement came in response to last week’s claim by the Wall Street Journal that the US Department of Justice was investigating Huawei for stealing a patented smartphone camera design.

    Patent-holder Rui Pedro Oliveira, Huawei claimed, had threatened the Chinese company with media exposure and pressure exerted through “political channels” if it did not pay “an extortionate amount of money” – even though his design bears little resemblance to Huawei’s own. Accusing Oliveira of “taking advantage of the current geopolitical situation,” Huawei also slammed the media for “encouraging” such mendacious behavior.

    The allegations may seem like a ‘man-bites-dog’ story to media that have uncritically parroted US allegations that China is the one using Huawei’s ubiquitous telecom infrastructure to spy on other countries and stealing their tech, but Huawei has always maintained it is innocent of the charges of spying leveled against it by the US, and no proof of any spying has emerged.

    “The fact remains that none of Huawei’s core technology has been the subject of any criminal case brought against the company, and none of the accusations levied by the US government have been supported with sufficient evidence,” the statement continued, concluding that “no company becomes a global leader in their field through theft.”

    https://www.rt.com/news/468058-huawe...g-intimidation

  8. #808
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    For those of you that do things like check facts, Wiki is under a significant DDOS attack.

    Wikipedia has stopped working for some users in the UK and Europe, and a number of places in the Middle East.
    The online encyclopaedia failed to load on desktops, tablets and mobile phones.
    Outages were reported shortly before 7pm, BST, according to the downdetector.com, which monitors websites.

    The UK was heavily affected, but there were reports of the site being down in a number of other European countries, including Poland, France, Germany and Italy.
    No one was immediately available for comment at the Wikimedia Foundation, which manages the site.

  9. #809
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Couple of things to try before you use the hotel safe....


  10. #810
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    ....And....



  11. #811
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    I would imagine the more responsible vendors will have updates soon, so check. Full list of devices at the bottom of this post.

    125 New Flaws Found in Routers and NAS Devices from Popular Brands


    The world of connected consumer electronics, IoT, and smart devices is growing faster than ever with tens of billions of connected devices streaming and sharing data wirelessly over the Internet, but how secure is it?

    As we connect everything from coffee maker to front-door locks and cars to the Internet, we're creating more potential—and possibly more dangerous—ways for hackers to wreak havoc.

    Believe me, there are over 100 ways a hacker can ruin your life just by compromising your wireless router—a device that controls the traffic between your local network and the Internet, threatening the security and privacy of a wide range of wireless devices, from computers and phones to IP Cameras, smart TVs and connected appliances.


    In its latest study titled "SOHOpelessly Broken 2.0," Independent Security Evaluators (ISE) discovered a total of 125 different security vulnerabilities across 13 small office/home office (SOHO) routers and Network Attached Storage (NAS) devices, likely affecting millions.

    List of Affected Router Vendors


    SOHO routers and NAS devices tested by the researchers are from the following manufacturers:


    • Buffalo
    • Synology
    • TerraMaster
    • Zyxel
    • Drobo
    • ASUS and its subsidiary Asustor
    • Seagate
    • QNAP
    • Lenovo
    • Netgear
    • Xiaomi
    • Zioncom (TOTOLINK)


    These vulnerabilities range from cross-site scripting (XSS), cross-site request forgery (CSRF), buffer overflow, operating system command injection (OS CMDi), authentication bypass, SQL injection (SQLi), and file upload path traversal vulnerabilities.

    Full Control Over Devices Without Authentication


    Researchers said they successfully obtained root shells on 12 of the devices, allowing them to have complete control over the affected devices, 6 of which contained flaws that would enable attackers to gain full control over a device remotely and without authentication.


    These affected business and home routers are Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.

    This new report, SOHOpelessly Broken 2.0, is a follow-up study, SOHOpelessly Broken 1.0, published by the ISE security firm in 2013, when they disclosed a total of 52 vulnerabilities in 13 SOHO routers and NAS devices from vendors including TP-Link, ASUS, and Linksys.

    Since SOHOpelessly Broken 1.0, researchers said they found a few newer IoT devices implementing some useful security mechanisms in place, like address-space layout randomization (ASLR), functionalities that hinder reverse engineering, and integrity verification mechanisms for HTTP requests.

    However, some things have not changed since SOHOpelessly Broken 1.0, like many IoT devices still lack basic web application protection features, like anti-CSRF tokens and browser security headers, which can greatly enhance the security posture of web applications and the underlying systems they interact with.

    ISE researchers responsibly reported all of the vulnerabilities they discovered to affected device manufacturers, most of which promptly responded and already took security measures to mitigate these vulnerabilities, which have already received CVE Ids.

    However, some device manufacturers, including Drobo, Buffalo Americas, and Zioncom Holdings, did not respond to the researchers' findings.

    https://thehackernews.com/2019/09/hacking-soho-routers.html?m=1


    Devices in SOHOpelessly Broken 2.0

    Device                              Firmware Version
    Buffalo TeraStation TS5600D1206*    3.61-0.08
    Synology DS218j                     6.1.5
    TerraMaster F2-420                  3.1.03
    Zyxel NSA325 v2*                    4.81
    Drobo 5N2                           4.0.5-13.28.96115
    Asustor AS-602T*                    3.1.1
    Seagate STCR3000101                 4.3.15.1
    QNAP TS-870*                        4.3.4.0486
    Lenovo ix4-300d*                    4.1.402.34662
    ASUS RT-AC3200                      3.0.0.4.382.50010
    Netgear Nighthawk R9000             1.0.3.10
    TOTOLINK A3002RU                    1.0.8
    Xiaomi Mi Router 3                  2.22.15

  12. #812
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    If you have any of these D-Link routers connected to the Internet, throw them in the bin and buy a new one.

    Fortinet's FortiGuard Labs discovered and reported an unauthenticated command injection vulnerability (FGVD-19-117 / CVE-2019-16920) in D-Link products that could lead to remote code execution without authentication. The cybersecurity specialists therefore consider this problem critical.

    "The main cause of the vulnerability is the lack of verification of the integrity of arbitrary commands executed by the execution of native system commands, which is a typical security pit for many firmware manufacturers," Fortinet explains on its blog.

    The vulnerability has been detected in the latest firmware of the following D-Link routers: DIR-655, DIR-866L, DIR-652, and DHP-1565. These products have reached the end of their life. D-Link, which was notified of the problem on September 22nd (and confirmed the vulnerability the next day), will not make any bug fixes. That's why Fortinet believes that it is essential for users of these devices to immediately turn to a new product.

    https://www.freetechways.xyz/2019/10/dlink-router-remote-execution.html

  13. #813
    Thailand Expat OhOh's Avatar
    Join Date
    Jul 2010
    Last Online
    Yesterday @ 11:21 PM
    Location
    Where troubles melt like lemon drops
    Posts
    25,243
    No mention of Chinese made ZTE Internet/WIFI boxes?

  14. #814
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Quote Originally Posted by OhOh View Post
    No mention of Chinese made ZTE Internet/WIFI boxes?
    Why would you be dumb enough to buy that shit?

  15. #815
    Thailand Expat OhOh's Avatar
    Join Date
    Jul 2010
    Last Online
    Yesterday @ 11:21 PM
    Location
    Where troubles melt like lemon drops
    Posts
    25,243
    It was part of the AIS package, very responsive to all my queries and faultless performance of the equipment's features/requirements.

    What's not to like, a sticker on the bottom with "Made in China" printed on it? Try determining a coffee machine's provenance in the largest ameristani supermarket.
    A tray full of GOLD is not worth a moment in time.

  16. #816
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Quote Originally Posted by OhOh View Post
    It was part of the AIS package, very responsive to all my queries and faultless performance of the equipment's features/requirements.

    What's not to like, a sticker on the bottom with "Made in China" printed on it? Try determining a coffee machine's provenance in the largest ameristani supermarket.
    Well I suppose in your case you are happy to send everything to Chinastan.

  17. #817
    Thailand Expat OhOh's Avatar
    Join Date
    Jul 2010
    Last Online
    Yesterday @ 11:21 PM
    Location
    Where troubles melt like lemon drops
    Posts
    25,243
    Quote Originally Posted by harrybarracuda View Post
    you are happy
    Like a pig in shit.

    However after spending a few weeks at an Issan farm where they were raising pigs, I would question its value as a sign of contentment.

    Quote Originally Posted by harrybarracuda View Post
    send everything to Chinastan
    If it doubles the grams/post rate, what's not to like.

  18. #818
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Quote Originally Posted by OhOh View Post
    Like a pig in shit.

    However after spending a few weeks at an Issan farm where they were raising pigs, I would question its value as a sign of contentment.



    If it doubles the grams/post rate, what's not to like.


  19. #819
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    "It’s to be noted that you need to be an administrator in order to make the changes."

    It's also to be noted that you should go back to a standard user profile when you are playing on the interwebsnet.


    Microsoft has officially announced the general availability of a new Tamper Protection feature for its Windows Defender Antivirus service.

    The security feature is essentially meant to thwart any attempts made by cybercriminals to break the real-time anti-malware defenses incorporated in Windows.

    In other words, tamper protection safeguards against “malicious and unauthorized changes to security features, ensuring that endpoint security doesn’t go down.”

    The setting, which will be on by default for home users, can be accessed as follows:




    • In the search box on Taskbar, type Windows Security and select the option
    • Select Virus & threat protection
    • Select Virus & threat protection settings
    • Select Manage settings
    • Turn on/off Tamper Protection


    It’s to be noted that you need to be an administrator in order to make the changes.


    Microsoft originally launched Tamper Protection last December for Windows Insiders, the community devoted to testing pre-release builds of the operating system.


    The Windows maker’s decision to roll out the feature comes as multiple Trojans, including Nodersok and banking malware TrickBot, have targeted PCs to disable Windows Defender and gain elevated system privileges.


    “With this protection in place, customers can mitigate malware and threats that attempt to disable security protection features,” Microsoft said.

    https://thenextweb.com/security/2019/10/15/microsoft-rolls-out-windows-tamper-protection-for-windows-antivirus-to-keep-hackers-at-bay/

  20. #820
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Oh Vlad.... your Iranian brothers will not be pleased.

    Russian hackers cloak attacks using Iranian group


    An Iranian hacking group was itself hacked by a Russian group to spy on multiple countries, UK and US intelligence agencies have revealed.

    The Iranian group - codenamed OilRig - had its operations compromised by a Russian-based group known as Turla.

    The Russians piggybacked on the Iranian group to target other victims.


    A National Cyber Security Centre (NCSC) investigation, begun in 2017 into an attack on a UK academic institution, uncovered the double-dealing.

    The NCSC discovered that the attack on the institution had been carried out by the Russian Turla group, which it realised was scanning for capabilities and tools used by Iran-based OilRig.

    In an investigation that lasted months, it became clear the Russian group had targeted the Iranian-based group and then used its tools and access to collect data and compromise further systems.


    Attacks were discovered against more than 35 countries with the majority of the victims being in the Middle East. At least 20 were successfully compromised. The ambition was to steal secrets, and documents were taken from a number of targets, including governments.


    Intelligence agencies said Turla was both getting hold of information the Iranians were stealing but also running their own operations using Iranian access and then hoping it would hide their tracks.

    Victims might have assumed they had been compromised by the Iranian-based group when in fact the real culprit was based in Russia.

    There is no evidence that Iran was complicit or aware of the Russians' use of their access or that the activity was done to foment trouble between countries but is a sign of the increasingly complex world of cyber-operations.


    "This is getting to be a very crowded space," explained Paul Chichester, director of operations for the NCSC, the protective arm of the intelligence agency GCHQ.


    He added he had not previously seen such a sophisticated attack carried out. Separately it has been reported in leaks that the US and UK also have similar capabilities.


    Mr Chichester said he would not describe the Russian hack attacks as a "false flag" since it was not an attempt to deliberately frame someone else.


    The NCSC would also not directly attribute the attacks to the Russian and Iranian states but Turla has previously been linked by others to Russia's Security Service, the FSB, and OilRig to the Iranian state.

    The investigation was primarily a UK one but the details are being revealed jointly by the NCSC and America's NSA. A report of Turla compromising another espionage group was made by the private security company Symantec in June.

    Mr Chichester said the purpose of revealing the details was to help others detect this activity and defend themselves.


    "We want to send a clear message that even when cyber-actors seek to mask their identity, our capabilities are a match for them and we can identify them," he said.


    How the two groups will react to the exposure is not something officials said they could predict.

    https://www.bbc.com/news/technology-50103378

  21. #821
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894

  22. #822
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Is anyone still using routers this old?

    The new Gafgyt variant, detected in September, is a competitor of the JenX botnet. JenX also leverages remote code execution exploits to access and recruit botnets to attack gaming servers, especially those running the Valve Source engine, and launch a denial-of-service (DoS) attack. This Gafgyt variant targets vulnerabilities in three wireless router models, two of which it has in common with JenX. The two share CVE-2017-17215 (in Huawei HG532) and CVE-2014-8361 (in Realtek's RTL81XX chipset). CVE-2017-18368 (in Zyxel P660HN-T1A) is a new addition to Gafgyt.

  23. #823
    . Neverna's Avatar
    Join Date
    Mar 2012
    Last Online
    @
    Posts
    21,272
    Quote Originally Posted by harrybarracuda View Post
    Is anyone still using routers this old?
    Butterfluff?

  24. #824
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    Quote Originally Posted by Neverna View Post
    Butterfluff?
    Yeah probably.


  25. #825
    Thailand Expat harrybarracuda's Avatar
    Join Date
    Sep 2009
    Last Online
    @
    Posts
    96,894
    If you're driving in the US, remember: CASH IS KING!

    Payments processor VISA says North American merchants who operate gas stations and gas pumps are facing a rash of attacks from cybercrime groups wanting to deploy point-of-sale (POS) malware on their networks.

    https://www.zdnet.com/article/visa-w...north-america/



