Security News Ticker

OOOOOOOOOOOOooooooooooooooooo helloooooo there

Gonna write up a full topic tomorrow(unless someone else beats me to it), an interesting hiccup in the above and other info.

1 Like

:neutral_face:

1 Like

I definitely like the idea of a security ticker/news-wire; but since at the moment this thread is not seeing many updates, might I recommend using the ISC Podcast and site as a source:


Seems to be the closest equivalent of what this thread aims to be.

2 Likes

Feel free to add when you come across things. I intend to pop things in here as i come across interesting or emerging info.

1 Like

LineageOS infrastructure suffered an intrusion via Saltstack

Intrusion: 2020-05-03 (03:00 or 04:00 UTC, timezone given ambiguous)
Reported: 2020-05-03 05:40

Initial information links to a Saltstack patch note referencing CVE-2020-11651 & CVE-2020-11652, unknown which was exploited or if both.

Saltstack CVE-2020-11651 CVE-2020-11652

Detected: before 2020-03-16
Patched: 2020-04-29
Reported: 2020-04-30

https://labs.f-secure.com/advisories/saltstack-authorization-bypass

https://docs.saltstack.com/en/latest/topics/releases/3000.2.html

Mentioned in 2020-05-01 ISC StormCast

Others affected

Ghost, DigiCert CT - mentioned in 2020-05-04 and 2020-05-05 ISC StormCasts

3 Likes

So, they bought something to build something that’s supposed to do something they claimed they’d be doing already?

hmm


LOL

2 Likes

http://blog.paulch.ru/2020-07-26-hunting-for-bugs-in-virtualbox-first-take.html

1 Like

Number of high vulnerabilities discovered and fixed

1 Like

Daily Top 10 Countries – July 27, 2020
New unique DDoS malware hosts detected by country:
:cn: China: 363
:taiwan: Taiwan: 319
:vietnam: Vietnam: 279
:egypt: Egypt: 198
:greece: Greece: 84
:us: United States: 57
:kr: South Korea: 55
:hong_kong: Hong Kong: 53
:brazil: Brazil: 51
:malaysia: Malaysia: 48

Source: bad_packets

3 Likes

27th July
Alert: Potential legacy risk from malware targeting QNAP NAS devices

Campaigns
The NCSC and CISA have identified two campaigns of activity for QSnatch malware. The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. The two campaigns are distinguished by the initial payload used as well as some differences in capabilities. This alert focuses on the second campaign as it is the most recent threat.

It is important to note that infrastructure used by the malicious cyber actors in both campaigns is not currently active, but the threat remains to unpatched devices.

Although the identities and objectives of the malicious cyber actors using QSnatch are currently unknown, the malware is relatively sophisticated, and the cyber actors demonstrate an awareness of operational security.

Global distribution of infections
Analysis shows a significant number of infected devices. In mid-June 2020, there were approximately 62,000 infected devices worldwide; of these, approximately 3,900 were in the UK and 7,600 were in the US.

Original advisory

Community topic: UK/US Governments Warn of QNAP NAS Malware

1 Like

See also for community topic: GRUB2 Secure Boot Vulnerability: Boothole

1 Like

I just realised I posted the very same thing! :joy:

1 Like
1 Like

GNU-TLS CVE-2020-13777

old notice, but of severity that I felt it important to include; was previously mentioned in News thread

2020-06-11 - Anarcat
CVE-2020-13777 GnuTLS audit: be scared
… You are reading this correctly: supposedly encrypted TLS connections made with affected GnuTLS releases are vulnerable to passive cleartext recovery attack (and active for 1.3, but who uses that anyways).

Garmin ransomware likely paid, data potentially not stolen

2020-08-01 - Abrams, Lawrence - Bleeping Computer
Confirmed: Garmin received decryptor for WastedLocker ransomware
BleepingComputer can confirm that Garmin has received the decryption key to recover their files encrypted in the WastedLocker Ransomware attack.

Following article dated 2020-07-28, author Cimpanu, Catalin:

Context: Previously mentioned in News thread when only outage, and an attack was suspected.
Searchability: WastedLocker, EvilCorp

Real-world EMV-Bypass Cloning

following article dated 2020-07-31, author Cimpanu, Catalin

Miscellaneous

2 Likes

https://www.cisa.gov/news/2020/08/05/cisa-releases-new-cyber-career-pathways-tool

2 Likes

PRC (mainland china) blocking Encrypted-SNI in

mentioned in News thread, and in the ISC stormcast for 2020-08-10

Source collection

Date Author Article
2020-08-07 Kevin Bock;
iyouport;
Anonymous;
Merino, Louis-Henri;
Fifield, David;
Houmansadr, Amir;
Levin, Dave
Exposing and Circumventing China’s Censorship of ESNI Great Firewall Report
2020-08-08 Cimpanu, Catalin China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI ZDNet
2020-08-11 China now blocking ESNI-enabled TLS 1.3 connections, say Great-Firewall-watchers Register

PDF vulnerabilities tested across multiple programs

Portable Document Flaws 101 presentation by Jens Müller at Blackhat
There is now an associated GitHub repo; see the readme file for an overview comparison table:

Microsoft Download Center removed SHA-1 signed content

“Microsoft will retire content that is Windows-signed for Secure Hash Algorithm 1 (SHA-1) from the Microsoft Download Center on August 3, 2020.”

older news (2020-07-29), but potentially has large effects; are these downloads entirely impossible to find now?

Source collection

Date Author Article
2020-07-28 Namrata_Bachwani (Microsoft Tech Community) SHA-1 Windows content to be retired August 3, 2020 Microsoft
2020-07-29 Cimpanu, Catalin Microsoft to remove all SHA-1 Windows downloads next week ZDNet
2 Likes

One of these was particularly useful, thanks.

1 Like