Support Metacurity!

We’ve launched a Patreon campaign to help you support the Metacurity community. Check it out and earn lots of goodwill from your infosec peers and even get a great Metacurity sticker, among other patron rewards!

Latest News

13 hours ago
Catalin Cimpanu / ZDNet

Flaw in Trend Micro OfficeScan Antivirus Led to Hack on Mitsubishi Electric, Source

Chinese hackers used a now-patched zero-day in the Trend Micro OfficeScan antivirus during their attacks on Mitsubishi Electric. Early last week, the Japanese electronics vendor and defense contractor said it was hacked in June 2019 and that hackers gained access to its internal network from where they stole roughly 200 MB of files. The stolen data primarily related to information on employees and not to its business dealings and partners. The hackers exploited CVE-2019-18187, a directory traversal and arbitrary file upload vulnerability in the Trend Micro OfficeScan antivirus, according to a source. Japanese media said the attack was the work of a Chinese state-sponsored cyber-espionage group known as Tick.

22 hours ago
Brian Barrett / Wired

Sneaky macOS Shlayer Trojan Affects One in Ten Devices, Uses Standard Techniques to Push Fake Adobe Flash Update

A relatively crude piece of macOS malware, the Shlayer Trojan,  affects one in ten Mac devices and accounts for nearly a third of macOS malware detections, according to a Kaspersky Lab report that details the top ten macOS malware infections. The relatively garden variety adware effectively uses well-trod techniques, including convincing people to click on a bad link and pushing a fake Adobe Flash update. The operators behind the trojan reportedly offer website owners, YouTubers, and Wikipedia editors a cut if they drive visitors toward a malicious download. Kaspersky counted more than 1,000 partners distributing the Shlayer software, with one of the partners owning 700 domains redirecting users to Shlayer download landing pages.

23 hours ago
Catalin Cimpanu / ZDNet

Mozilla’s Add-On Review Team Bans, Removes 197 Firefox Add-Ons for Malicious Code, Stealing User Data, or Hiding Source Code

Over the past two weeks, Mozilla’s add-on review team has banned and removed from the Mozilla Add-on (AMO) portal 197 Firefox add-ons that were executing malicious code, stealing user data, or using obfuscation to hide their source code. The add-ons have also been disabled in the browsers of the users who already installed them. Most of the banned add-ons were developed by 2Ring, a provider of B2B software because they were downloading and executing code from a remote server. Mozilla’s rules say add-ons must self-contain all their code, and not download code dynamically from remote locations. But 30 add-ons were banned for exhibiting malicious behavior, including the FromDocToPDF add-on, which Mozilla engineers said was loading remote content into Firefox’s new tab page. Another add-on,  Fake Youtube Downloader was banned for attempting to install other malware in users’ browsers. Other add-ons, such as EasySearch for Firefox, EasyZipTab, FlixTab, ConvertToPDF, and FlixTab Search, were banned for intercepting and collecting user search terms, a clearly bannable offense. A batch of still other add-ons was banned for using obfuscated code, a technique through which add-on developers make their code hard to read, to hide malicious behavior.

2 days ago
Dustin Volz, Robert McMillan / Wall Street Journal

As Questions Swirl Around Forensic Evidence Tying Hack of Bezos’ Phone to Saudi Crown Prince, Trump Administration Refuses to Say Whether It Will Investigate Further

Analysis by cyber forensics experts claims that a report tying the hacking of Jeff Bezos’ phone to the WhatsApp account of Saudi Crown Prince Mohammed bin Salman relied heavily on circumstantial evidence to make its case. They say the audit by business advisory firm FTI Consulting left several major technical questions about the incident unexplained and in need of more examination. Although representatives of the U.N. have called for the U.S. to investigate the hack of Bezos’ firm, the Trump Administration has refused to say whether it has any plans to investigate, calling Saudi Arabia an “important ally.”

3 days ago
Andy Greenberg / Wired

Researchers at First Pwn2Own Event Focusing on Industrial Control Security Take Home $280,000, Incite Team Top Winner

Researchers who took part this week in the Zero Day Initiative’s Pwn2Own Miami hacking competition, which for the first time focused on industrial control at the S4 industrial control system security conference, have earned a total of $280,000 for exploits targeting industrial control systems (ICS) and associated protocols. Participants were given three months to study the industrial control system software that would serve as the contest’s targets, developing their hacking techniques ahead of the competition. Over the three-day competition, contestants successfully hacked every one of the eight industrial control system applications put before them, with hackers offered as much as $25,000 if they could exploit the target software to achieve remote code execution on the victim machines. The winner of this event was the Incite Team, whose members were researchers Steven Seeley and Chris Anastasio. They earned a total of $80,000 for exploits targeting the Triangle Microworks SCADA Data Gateway, Inductive Automation Ignition, Rockwell Automation Studio 5000, the OPC Foundation’s OPC UA .NET standard, and Iconics Genesis64.

3 days ago
Vikram Dodd / The Guardian

UK’s Met Police Will Start Using Live Facial Recognition in Controversial Move Decried by Privacy, Civil Liberties Advocates

The UK’s largest police force, the Metropolitan police, announced that it would start using live facial recognition, a controversial decision that has sparked significant objections by privacy and civil liberties groups. After two years’ of trials, the Met will start using facial recognition cameras next month, which will be linked to a database of suspects. Johanna Morley, a senior technologist with the Met, said the system was 70% effective at spotting wanted suspects. It falsely identified someone as wanted one in a thousand times, she said.

3 days ago
Swati Khandelwal / The Hacker News

Russian Crook Who Ran Payment Card Fraud Sites Pleads Guilty in U.S. District Court, Faces Up to 15 Years in Prison

A 29-year-old Russian hacker Aleksei Burkov pleaded guilty before Senior U.S. District Judge T.S. Ellis III to charges related to his operation of two websites devoted to the facilitation of payment card fraud, computer hacking, and other crimes. Burkov operated an online marketplace for buying and selling stolen credit card and debit card numbers called Cardplanet, which roughly hosted 150,000 payment card details between the years 2009 and 2013. He also masterminded a separate invite-only forum website for elite cybercriminals where they advertised stolen personal identity information, malicious software, and other illegal services, like money laundering and hacking services. Burkov was arrested at Israel’s Ben-Gurion Airport in late 2015 and extradited to the United States in November 2019 after he lost his appeal against extradition in the Israeli Supreme Court and the Israeli High Court of Justice. He is facing a prison sentence of up to 15 years, which will be announced by the federal court in Alexandria on 8th May 2020.

3 days ago
Sergiu Gatlan / Bleeping Computer

LastPass Accidentally Removed Its Extension From Chrome Web Store, Caused Outage for Users, Is Now Available Again After Chrome Review Process

An accidental outage was caused by LastPass on Wednesday when the company mistakenly removed the LastPass extension from the Chrome Web Store, leading to users seeing 404 errors when trying to download and install it on their devices. As of yesterday, the LastPass extension’s Chrome Web Store entry was still inaccessible, although LastPass later issued a notice saying the extension is now available again after clearing Google’s Chrome Store review process. While the unexpected and accidental removal led to hundreds, if not thousands of reports from users, the ones who already had the extension installed were not affected by this incident.

3 days ago
Ryan Mac, Caroline Haskins, Logan McDonald / Buzzfeed News

Controversial Facial Recognition Company Clearview AI Lied About Cracking Terrorism Case, Has Ties to Far-Right Figures, Is Banned From Scraping Twitter Photos and Is Under Fire From Lawmakers

Peter Thiel-backed facial recognition company Clearview AI, which has amassed billions of photos and promotes its service to police departments nationwide, falsely claimed to crack a case of alleged terrorism in the New York City subway last year, according to the New York City Police Department. The NYPD said it identified the suspect “using the Department’s facial recognition practice where a still image from a surveillance video was compared to a pool of lawfully possessed arrest photos.” Moreover, Clearview founder Ton-That is linked to various Trump allied far-right figures, including Rudy Giuliani, Michael Cernovich, Chuck Johnson, Pax Dickinson, the details of which go back some years. Also, Twitter has ordered Clearview to stop scraping images from its site, while lawmakers, including Ed Markey (D-MA), have demanded answers from the company about its partnerships with local law enforcement.

3 days ago
Catalin Cimpanu / ZDNet

Mysterious Hijacker Uninstalls Phorpiex Spam-Bot Malware From Infected Hosts, Tells Users to Install Antivirus and Update Computers

A mysterious entity appears to have hijacked the backend infrastructure of the Phorpiex (Trik) botnet. It is uninstalling the spam-bot malware from infected hosts, while also showing a popup telling users to install an antivirus and update their computers, according to pop-ups that appeared on users’ screens as spotted by Check Point researchers. Yaniv Balmas, Head of Cyber Research at Check Point, has several theories of what could be happening. The malware operators might have decided to quit and shut down the botnet on their terms, or the popups could be a law enforcement action. Also, a vigilante security researcher might be taking matters into his own hands, or a rival malware gang might be sabotaging the Phorpiex crew by destroying their botnet. Another antivirus vendor speculates that a rival botnet operator has hijacked the Phorpiex botnet out of envy.

3 days ago
Lindsey O'Donnell / Threatpost

Cisco Issues Patches for High Severity Vulnerability in Its Firepower Management Center That Could Give Attacker Admin Privileges

Cisco reported a critical vulnerability in the web-based management interface of the Cisco Firepower Management Center (FMC), which is its platform for managing Cisco network security solutions, like firewalls or its advanced malware protection service. The flaw could allow an unauthenticated, remote attacker to gain administrative privileges on impacted devices.  Cisco has released patches for the vulnerability (CVE-2019-16028), which has a score of 9.8 out of 10 on the CVSS scale, making it critical in severity.

3 days ago
Catalin Cimpanu / ZDNet

DHS, GE Warn That Attackers Can Exploit ‘MDhex’ Flaws to Take Over Patient Monitors, Telemetry Aggregation Servers

Researchers from healthcare security company CyberMDX disclosed six vulnerabilities collectively referring to as MDhex that impact seven GE Healthcare devices meant for patient vital signs monitoring. The devices are intended to collect data from sick patients and send them back to a telemetry server, monitored by clinical staff.  The flaws allow an attacker with access to a hospital’s network to take over vulnerable patient monitors and telemetry aggregation servers, and then silence alerts, putting patient lives at risk. The FDA and DHS also published security advisories meant to warn healthcare providers about the MDhex vulnerabilities and offering mitigations that hospitals and clinics can deploy to prevent attackers from exploiting the devices. GE plans to issue updates during the second quarter of 2020 to fix the flaws.

4 days ago
Edward Ongweso Jr / Motherboard

Detailed Data on More Than 30,000 Cannabis Users Exposed via Unencrypted Amazon S3 Bucket Owned by Compliance Software Vendor

More than 30,000 cannabis users had sensitive personal information exposed online by a company that makes software used by weed dispensaries, researchers at vpnMentor report. The information, which included scans of driver’s licenses as well as the type and quantity of weed purchased, was discovered by the researchers on December 24 after they found an unencrypted Amazon S3 bucket owned by THSuite, the company that makes the software. Dispensaries use THSuite to help ensure compliance with state laws. Other data exposed for the 30,000 cannabis users include patient medical history, photographs of scanned government and employee IDs, full name, phone number, email address, date of birth, street address, medical ID number, signatures, cannabis strain and the quantity purchased, employee names and work schedule, and more. vpnMentor identified records belonging to at least three cannabis dispensaries: AmediCanna Dispensary, located in Maryland; Bloom Medicinals, located throughout Ohio; Colorado Grow Company, a recreational dispensary, although the entirety of THSuite’s client base might also be affected.

4 days ago
Shannon Vavra / Cyberscoop

Some Infosec Experts Express Skepticism Over Portions of the Forensic Report on Bezos’ Phone Hack

The report by cybersecurity firm FTI Consulting, which concluded that Jeff Bezos’ phone was hacked from the WhatsApp account of Saudi Crown Prince Mohammed bin Salman, has, in part, been met with skepticism by some cybersecurity experts. Former CISO of Facebook Alex Stamos says the report doesn’t go far enough and that FTI hasn’t figured out yet how to thoroughly test Bezos’ phone. Bill Marczak, a research fellow at Citizen Lab, a University of Toronto, and Matthew Green, an associate professor of computer science at Johns Hopkins, said that FTI should have been able to decrypt the encrypted video file downloader that contained the malicious file infecting Bezos’ phone. Cybersecurity expert Rob Graham and Cisco Talos’ Craig Williams question the report’s low level of traffic from the phone before the sudden burst of traffic that reflected the exfiltration from Bezos’ phone.

4 days ago
Ed Targett / Computer Business Review

CISA Warns of Increased Emotet Activity as Threat Group Behind the Email Malware Ramps Ups Campaigns Against Government, Military Targets

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned security teams to be alert to the rising threat of the powerful email malware Emotet as the threat group believed to behind Emotet, known as TA542, is ramping up campaigns against government and military targets. CISA is pushing routine cybersecurity hygiene tasks as protection against Emotet, including blocking email attachments commonly associated with malware (e.g.,.dll and .exe), blocking email attachments that cannot be scanned by antivirus software (e.g., .zip files) and implementing Group Policy Object and firewall rules.

4 days ago
Shaun Nichols / The Register

New Citrix and FireEye Free Security Tool Will Scan Devices for Indicators of Compromise by the ‘Shitrix’ Vulnerability

Citrix and FireEye have released a free new security tool to help admins find out if their servers have been hacked via the high-profile CVE-2019-19781 flaw that was disclosed in December but only patched on Monday. The tool, shared under the Apache 2.0 open-source license, will scan devices for indications of compromise for the so-called “Shitrix” arbitrary code execution vulnerability in Citrix’s Application Delivery Controller and Gateway products. The tool is not intended as a vulnerability indicator and will only detect specific indicators of compromise to give admins a general indicator of their Citrix gear.

4 days ago
Danny Palmer / ZDNet

Hacking Campaign With Suspected Ties to Iran’s APT 33 Targeted a European Energy Firm With PupyRAT Software on Probable Reconnaissance Mission

A hacking campaign with suspected ties to Iran, particularly the hacking group known as APT 33, targeted the European energy sector from November 2019 to January 2020. in what’s thought to be a reconnaissance mission aimed at gathering sensitive information, according to researchers at Recorded Future. The PupyRAT software used by the attackers is open-source malware. It can infiltrate Windows, Linux, OSX, and Android to give hackers access to the victim’s system, including usernames, passwords, and sensitive information across the network. The PupyRAT software has previously been deployed by APT 33 in attacks against critical infrastructure. Recorded Future has informed the affected target about the attack, and the security company has worked with the energy company to root out the intruders before more damage could be done.

4 days ago
Madhumita Murgia / Financial Times

Google Researchers Found Multiple Flaws in Safari’s Intelligent Tracking Prevention Feature That Allowed Users’ Browsing Behavior to Be Tracked

Google researchers have exposed details of multiple security flaws in the Intelligent Tracking Prevention feature in Apple’s Safari web browser that allowed users’ browsing behavior to be tracked, even though the affected tool was specifically designed to protect their privacy. Google first disclosed the flaws to Apple in August last year. Since then, Google’s cloud team have identified five different types of a potential attack that could have resulted from the vulnerabilities, allowing third parties to obtain “sensitive private information about the user’s browsing habits. The flaws exposed user data because the Intelligent Tracking Prevention list implicitly stores information about the websites visited by the user. Google’s researchers also found a flaw that allows hackers to create a “persistent fingerprint that will follow the user around the web.” In contrast, others were able to reveal what individual users were searching for on search engine pages. Apple has confirmed that it has patched these flaws.

5 days ago
SUHAUNA HUSSAIN / Los Angeles Times

Tomorrow is the Deadline for Filing Claim Related to Equifax Data Breach

Wednesday, January 23, is the deadline for filing a claim for the more than 147 million people whose data were exposed in a 2017 Equifax data breach who are entitled to money or free credit monitoring. Under the $700-million settlement between the credit rating firm and the Federal Trade Commission, affected people can submit a claim for up to $125 or up to 10 years of credit monitoring. However, given the sheer numbers of people likely to file, the total compensation is expected to be far lower than $125. People who spent time or money to recover from the breach may be able to claim up to $20,000.

5 days ago
Kim Zetter, Joseph Cox / Motherboard

Forensic Report on How Saudi Crown Prince Allegedly Hacked Bezos’ Phone Found Suspicious File But No Malware, Data Exfiltrated from Phone Skyrocketed After File’s Receipt

A forensic report made by FTI Consulting into how Crown Prince Mohammad Bin Salman allegedly hacked Amazon CEO Jeff Bezos’ phone indicates that forensic investigators found a suspicious file but no evidence of any malware on the phone. The report also noted that investigators had to reset Bezos’s iTunes backup password because investigators didn’t have it to access the backup of his phone. The investigators set up a secure lab to examine the phone and its artifacts and spent two days poring over the device but were unable to find any malware on it. Instead, they only found a suspicious video file sent to Bezos on May 1, 2018, that “appears to be an Arabic language promotional film about telecommunications.” However, a suspicious encrypted downloader began transmitting large amounts of data. “[W]ithin hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos’ phone began, continuing and escalating for months after that,” the report states. The amount of data sent by Bezos’ phone “immediately jumped by approximately 29,000 percent,” the report notes, and stayed high for months thereafter, including many massive and highly atypical spikes of egress data.


10 mins ago
Cyber Work

The rise of insider cybersecurity threats

Irena Mroz, VP and Co-founder of Nucleus Cyber, and Cyber Work podcast host Chris Sienko discuss all things internal threats, from intentional and malicious attacks to poor employee practices and awareness

15 mins ago
Shared Security

Dark Web Fraud and Cybercrime with Emily Wilson

Emily Wilson, VP of Research at Terbium Labs talks about the new forms of fraud and cybercrime found on the Dark Web,

18 mins ago
ISC StormCast

Citrix ADC Updates; Windows Fix Breaks Printer; GE Medical Devices

Johannes Ullrich talks about Citrix Releases ADC Updates For All Versions, Temporary Windows 0-Day Fix Breaks Printers, Critical Vulnerabilities in GE Medical Devices.

22 mins ago
Open Source Security Podcast

Episode 180 – A Tale of Two Vulnerabilities

Josh Bressers and Kurt Seifried talk about two recent vulnerabilities that have had very different outcomes. One was the Citrix remote code execution flaw. While the flaw is bad, the handling of the flaw was possibly worse than the flaw itself. The other was the Microsoft ECC encryption flaw. It was well handled even though it was hard to understand and it is a pretty big deal. As all these things go, fixing and disclosing vulnerabilities is hard.

28 mins ago

Why Elections Officials Aren’t Taking A Simple Security Step

Elections officials could improve their cybersecurity in a simple way — by using dot gov website domains instead of the others they use. Why don’t they?

22 hours ago
Tom Temin / Federal Drive

DHS releases list of the most dangerous software flaws

Chris Levendis of the Homeland Security Systems Engineering and Development Institute and Scott Randels, director of the Federally Funded Research and Development Center program management office, both at the DHS Science and Technology Directorate, talk about the Common Weakness Enumeration list maintained by the Homeland Security Systems Engineering and Development Institute.


Cybersecurity Events

Jan. 20-23S4Miami, FLUSA
Jan. 22-23The Oil and Gas IoT Summit 2020LisbonPortugal
Jan. 24-25SH3LLCON 2020SantanderSpain
Jan. 27-31NextGen SCADA Global 2020BerlinGermany
Jan. 27-Feb. 1San Francisco East Bay 2020Emeryville, CAUSA
Jan. 30-Feb. 2ShmooconWashington, DCUSA
Feb. 5-6BlueHatILTel AvivIsrael
Feb. 6-7Suits and SpooksWashington, DCUSA
Feb. 18-19Rail Cybersecurity SummitLondonUK
Feb. 20-22The Human Hacking ConferenceLake Buena Vista, FLUSA
Feb. 24-28RSA ConferenceSan Francisco, CAUSA
Mar. 2-3SANS Cyber Threat Intelligence SummitOrlando, FLUSA
Mar. 5-7RootedConMadridSpain
Mar. 10-13WWHF SAN DIEGO 2020San Diego, CAUSA
Mar. 12-14WiCyS 2020 ConferenceAurora, COUSA

Listen to Metacurity on Alexa

Metacurity now has over 500 monthly listeners, and thousands of plays for our ongoing summaries on Amazon Alexa.

Sign up on Alexa today and just ask “Alexa, what’s the latest in cybersecurity news!”

Please Support Us!

We need the help and support of our individual readers as we develop new forms of corporate support, including sponsorships and an information security job hub. Please support Metacurity’s  by one of the two following methods. If you have any questions at all, please don’t hesitate to contact us at


We’ve launched a Patreon campaign to help you support the Metacurity community. Check it out and earn lots of goodwill from your infosec peers and even get a great Metacurity sticker, among other patron rewards!

One-Time or Recurring Payments

If you like to support our effort to truly become the end of cybersecurity information overload, chip in and for less than a proverbial cup of coffee you will be doing your part to help Metacurity survive. Please select one of the options below to ensure that Metacurity sticks around as an important information security resource.