Search Results for “Dan Goodin”

August 3, 2019
Dan Goodin / Ars Technica

New, Advanced and Possibly Nation-State Malware ‘LookBack’ Targeted Three U.S. Utility Companies Last Month

A new piece of advanced, full-featured espionage malware dubbed LookBack, possibly developed by a nation-state-backed attacker, targeted three US companies in the utilities industry last month, researchers at Proofpoint report. Employees at the targeted utilities received emails purporting to come from the National Council of Examiners for Engineering and Surveying, with malicious document attachments that delivered the malware. Once installed, the malware was capable of a host of functions, including reading, writing and deleting files, executing commands, taking screenshots of the desktop and more. LookBack's command-and-control proxy impersonated WinGup, the open source updater used by Notepad++, in an attempt to camouflage its traffic. All three utilities were able to block the phishing attempts.

Related: Threatpost, Security Affairs, Techradar, Dark Reading: Attacks/Breaches, SecurityWeek, Help Net Security, Proofpoint

October 11, 2019
Dan Goodin / Ars Technica

Attackers Exploited Stealthy Zero-Day Flaw in iTunes and iCloud to Infect Windows Computers with BitPaymer Ransomware

Attackers exploited a zero-day vulnerability in Apple's iTunes and iCloud programs to infect Windows computers with ransomware without triggering antivirus protections, researchers from Morphisec reported. The bug, an unquoted service path, is in the Bonjour component on which both iTunes and iCloud for Windows rely. Windows resolves an unquoted service path that contains spaces by trying each space-delimited prefix in turn, so an attacker who can write a file to one of those locations can make the trusted, Apple-signed service launch it instead of the intended binary, and code started by a signed, well-known program is far less likely to be flagged by AV. Morphisec discovered in August that the attackers were exploiting the vulnerability to install ransomware called BitPaymer on the computers of an unidentified company in the automotive industry and reported it to Apple. Apple patched the vulnerability in iTunes 12.10.1 for Windows and iCloud for Windows 7.14. The iTunes uninstaller doesn't automatically remove Bonjour, so anyone who has ever installed and later uninstalled iTunes should inspect their PCs to ensure Bonjour is not present.
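The check a practitioner would run after reading the above is an audit of service ImagePath values for the unquoted-path condition. The script below is an added example for this digest, not Morphisec's or Apple's code: it reproduces the CreateProcess prefix-splitting rule to list the file names an attacker would have to plant, and reads real ImagePath values from the registry when run on Windows. The sample ImagePath values, including the Bonjour path, are constructed for illustration and are not quoted from the report.

```python
"""Audit Windows service ImagePath values for unquoted-service-path exposure.

Added example for this digest; it is not Morphisec's or Apple's code. The
ImagePath values below are constructed samples shaped like the values stored
under HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath.
"""
import re
from typing import Dict, List

# Constructed sample services (not read from any real host). The Bonjour path
# is an assumption used for illustration, not a value quoted from the report.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "Vendor Updater": r"C:\Program Files\Vendor App\updater.exe -run",
    "Vendor Quoted": r'"C:\Program Files\Vendor App\svc.exe" -run',
    "NetSvcs": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# Executable portion of an unquoted ImagePath: everything up to the first
# ".exe" that is followed by whitespace or the end of the string.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def hijack_candidates(image_path: str) -> List[str]:
    """Return the file names Windows would try before the intended binary.

    CreateProcess resolves an unquoted path containing spaces by trying each
    space-delimited prefix with ".exe" appended, so an ImagePath of
    C:\\Program Files\\Bonjour\\mDNSResponder.exe is exploitable if an attacker
    can plant C:\\Program.exe. Quoted paths and paths without spaces are safe
    and yield an empty list.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the service manager passes the exact string through
    match = EXE_RE.match(path)
    if not match:
        return []  # no recognisable .exe component; not handled here
    exe = match.group(1)
    candidates = []
    idx = exe.find(" ")
    while idx != -1:
        candidates.append(exe[:idx] + ".exe")
        idx = exe.find(" ", idx + 1)
    return candidates


def audit_services(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with an exploitable ImagePath to its hijack candidates."""
    findings = {}
    for name, image_path in image_paths.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


def read_service_image_paths() -> Dict[str, str]:
    """Collect ImagePath for every installed service from the registry (Windows only)."""
    import winreg  # standard library, present only on Windows

    paths: Dict[str, str] = {}
    root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services")
    index = 0
    while True:
        try:
            name = winreg.EnumKey(root, index)
        except OSError:
            break  # no more subkeys
        index += 1
        try:
            with winreg.OpenKey(root, name) as service:
                value, _ = winreg.QueryValueEx(service, "ImagePath")
                paths[name] = winreg.ExpandEnvironmentStrings(str(value))
        except OSError:
            continue  # drivers and some services carry no ImagePath value
    return paths


if __name__ == "__main__":
    try:
        services = read_service_image_paths()
    except ImportError:  # not on Windows: fall back to the constructed samples
        services = SAMPLE_IMAGE_PATHS
    for name, candidates in audit_services(services).items():
        print(f"{name}: unquoted path; attacker would need to plant one of {candidates}")
```

A finding is only exploitable if a low-privileged user can actually create the candidate file (for example write access to the drive root or to a "Program Files" subfolder), so follow each hit with an ACL check on the parent directory before treating it as a privilege escalation path.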

Related: ZDNet, SC Magazine, Ars Technica, Security Affairs, The Hacker News, Born's Tech and Windows World, Dark Reading: Threat Intelligence, Morphisec, Threatpost

October 4, 2019
Dan Goodin / Ars Technica

Zero-Day Local Privilege Escalation Vulnerability in Google's Android Mobile Operating System Exploited by NSO Group, Google Project Zero Says

Attackers are exploiting a zero-day vulnerability in Google's Android mobile operating system that can give them full control of at least 18 phone models, including four Pixel models, Project Zero member Maddie Stone said in a post. Project Zero says it has evidence the vulnerability is being exploited by the Israeli exploit developer NSO Group or one of its customers, although NSO Group denies any such involvement. The bug, a use-after-free in the kernel's Binder driver tracked as CVE-2019-2215, is a local privilege escalation vulnerability that can be exploited in two ways: (1) when a target installs an untrusted app, or (2) in remote attacks, by chaining it with a second exploit for a vulnerability in the rendering code used by the Chrome browser. The vulnerability is scheduled to be patched in the October Android security update.

Related: Bugs.chromium, Forbes, ZDNet, The Next Web, The Hacker News, Bleeping Computer, SecurityWeek, Security Affairs, Spyware news, HOTforSecurity, Computer Business Review, TechNadu, 9to5Google, The Verge, Help Net Security

Tweets: @dangoodin001 @campuscodi @iblametom @RonDeibert @lukOlejnik @dcuthbert @fs0c131y @0xAmit @argvee @maddiestone @josephfcox @iblametom

Bugs.chromium: Issue 1942: Android: Use-After-Free in Binder driver
Forbes: Millions Of Android Phones Are Vulnerable To Israeli Surveillance Dealer Attack, Google Warns
ZDNet: Google finds Android zero-day impacting Pixel, Samsung, Huawei, Xiaomi devices
The Next Web : Google, Xiaomi, and Huawei devices affected by zero-day flaw that unlocks root access
The Hacker News: New 0-Day Flaw Affecting Most Android Phones Being Exploited in the Wild
Bleeping Computer: Actively Exploited Android Zero-Day Impacts Google, Samsung Devices
SecurityWeek: Zero-Day Used in the Wild Impacts Pixel 2, Other Android Phones
Security Affairs: Project Zero researcher found unpatched Android zero-day likely exploited by NSO group
Spyware news: Several Android phone models impacted by a critical zero-day vulnerability
Google, Samsung & Other Smartphones Vulnerable To Scary Hack
HOTforSecurity: Android 0-Day exploit granting attackers root access found running in the wild
Computer Business Review: Samsung S8, S9, Pixel, Huawei Phones Vulnerable to Android Zero Day
TechNadu: Google Issues Urgent Alert About NSO Spying on Older Android Phones
9to5Google: Attackers get full control of Android phones, inc Pixel and Samsung models
The Verge: Google finds Android zero day that can take control of Pixel and Galaxy devices
Help Net Security: Unpatched Android flaw exploited by attackers, impacts Pixel, Samsung, Xiaomi devices

@dangoodin001: Google's Project Zero found this bug, which takes control of 18 phone models running fully up-to-date versions of Android. 4 models of Pixels are affected. P0 uncovered evidence the exploit is being used or sold by exploit developer NSO Group.
@campuscodi: Google finds Android zero-day used in the wild-impacts Pixel, Samsung, Huawei, Xiaomi devices -Google linked it to NSO Group -patched in early OS versions, but newer ones vulnerable again -tracked as CVE-2019-2215 -it's an LPE
@iblametom: Best quote I've had from NSO yet where they say they don't even sell exploits, so meh! Also... wut?
@RonDeibert: Google's Project Zero Burns an NSO Group 0-day. "Attackers exploit 0-day vulnerability that gives full control of Android phones"
@lukOlejnik: Androids exploited with a 0day stuff (apparently held by NSO/Pegasus). Fix to arrive soon.
@dcuthbert: I do personally love the fact that Project Zero is continually giving NSO a wedgie and making life hard for them to peddle misery to the highest bidder. Kudos to the team @laparisa @benhawkes
@fs0c131y: Excellent work by @maddiestone : a "Use-After-Free in Binder driver" on #Android used in the wild and attributed to the #NSO group
@0xAmit : Fuck off NSO.
@argvee: Maddie killing it (Android bugs exploited by NSO) in Project Zero!!! ! @maddiestone
@maddiestone: Kernel privilege escalation bug in Android affecting fully patched Pixel 2 & others. Reported under 7 day deadline due to evidence of in-the-wild exploit. @tehjh and I quickly wrote a POC to get arbitrary kernel r/w using this bug, released in tracker.
@josephfcox: This is NSO's statement on Project Zero saying an exploit came from NSO. When asked to explain whether instead of selling exploits, NSO sells a platform that uses exploits, NSO said it is not able to discuss specifics on how the technology works
@iblametom: Ok so I guess there is some truth to this in that NSO sells a phone surveillance platform which the exploits feed via infected phones... that must mean customers never control the exploits and NSO keeps them all in house right?

October 2, 2019
Dan Goodin / Ars Technica

Ten Hospitals in Alabama, Australia Cope With Paralyzing Ransomware Attacks That Limit Their Ability to Serve Patients

Ten hospitals, three in Alabama and seven in Australia, have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients. The three hospitals that make up the DCH Health System in Alabama, DCH Regional Medical Center in Tuscaloosa, Northport Medical Center and Fayette Medical Center, were closed to new patients on Tuesday and were turning away “all but the most critical new patients” as they coped with the attack. Seven hospitals in Gippsland and southwest Victoria, Australia, were rescheduling patients as they dealt with the aftermath of ransomware attacks on their systems.

October 1, 2019
Dan Goodin / Ars Technica

eGobbler Threat Group Exploited Zero-Day Bugs in Chrome and Safari to Bombard Internet With a Billion Malicious Ads in Two Months

The threat group called eGobbler has leveraged obscure zero-day bugs in the Chrome and Safari browsers to bypass built-in browser mitigations against pop-ups and forced redirections, bombarding the Internet with more than 1 billion malicious ads in less than two months, security firm Confiant says. eGobbler exploited what had been a zero-day vulnerability in WebKit (CVE-2019-8771), the browser engine used by Safari, which shares code with Blink, the WebKit fork used by Chrome. The group's onslaught also relied on a then-unpatched vulnerability in the iOS version of Chrome, tracked as CVE-2019-5840. Both Google and Apple patched the vulnerabilities in September.

September 28, 2019
Dan Goodin / Ars Technica

Researcher Releases ‘Permanent Unpatchable Bootrom’ iOS Exploit Checkm8 That Could Cause Serious Problems for iPhone, iPad Hardware

An iOS security researcher who goes by axi0mX on Twitter and GitHub posted a new software tool called checkm8 that he claims uses a “permanent unpatchable bootrom exploit” that can bypass boot security on millions of Apple devices, from the iPhone 4S to the iPhone X. The researcher did not release a full jailbreak but an exploit that can be used to dump SecureROM [the boot ROM code], decrypt keybags [the wrapped key sets that protect the device's encrypted data] with the AES engine, and demote the device to enable JTAG. Because the flaw sits in read-only boot code burned into the chip, it cannot be fixed by a software update on affected devices. It's possible other researchers had already found the exploit and are using it, especially in tools used by intelligence and law enforcement agencies, such as Grayshift's GrayKey.

Related: ZDNet Security, Cyberscoop, Security Affairs, iPhone Hacks, The Verge, The Hacker News, Redmond Pie, Malwarebytes Unpacked, The Mac Observer, Dark Reading: Vulnerabilities / Threats, Full Disclosure, US-CERT Current Activity, Reddit-hacking, Ars Technica, Threatpost, SecurityWeek

Tweets: @axi0mX @lilyhaynewman @andreabarisani @campuscodi @thomasreed @dangoodin001

ZDNet Security: New Checkm8 jailbreak released for all iOS devices running A5 to A11 chips
Cyberscoop: ‘Unpatchable’ iOS exploit sends jailbreak enthusiasts into a frenzy
Security Affairs: Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
iPhone Hacks: Breaking News: Unpatchable Bootrom Exploit Could Lead to Permanent iPhone Jailbreak
The Verge: New ‘unpatchable’ iPhone exploit could allow permanent jailbreaking on hundreds of millions of devices
The Hacker News: Hacker Releases ‘Unpatchable’ Jailbreak For All iOS Devices, iPhone 4s to iPhone X
Redmond Pie: Checkm8 Bootrom Jailbreak Exploit Makes iPhone X To iPhone 4S Pwned For Life For Jailbreaks, Downgrades, Custom Firmwares, More
Malwarebytes Unpacked: New iOS exploit checkm8 allows permanent compromise of iPhones
The Mac Observer: Hacker Claims New ‘checkm8’ Exploit Can Lead to Permanent Jailbreak
Dark Reading: Vulnerabilities / Threats: Apple Patches Multiple Vulnerabilities Across Platforms
Full Disclosure: APPLE-SA-2019-9-26-7 Xcode 11.0
US-CERT Current Activity: Apple Releases Security Updates

@axi0mX: EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
@lilyhaynewman: today a researcher dropped a really rare type of exploit that can be used to jailbreak EIGHT generations of iPhones *and* the vuln is unfixable. so that's a thing now.
@andreabarisani: What was I saying recently about unpatchable bootrom exploits? We find them constantly in automotive grade SoCs. Consumer products have even larger attack surface... Future hacks will more and more target the code embedded in the silicon.
@campuscodi: NEW: New Checkm8 jailbreak released for all iOS devices running A5 to A11 chips -works on iPhones 4S up to iPhone 8 and X -doesn't support A12 and A13 chipsets -code available on GitHub -uses "a permanent unpatchable Bootrom exploit"
@thomasreed: If you haven’t heard yet, an exploit was dropped on Twitter this morning capable of modifying the bootrom on nearly all iOS devices except the most recent. Learn about the possible implications here:
@dangoodin001: Good writeup for anyone trying to understand the security consequences of the Checkm8 exploit.

September 21, 2019
Dan Goodin / Ars Technica

Click2Gov Self-Service Payment Portal Hit With Second Wave of Attacks Affecting Eight Cities, Hackers Dumped More Than 20,000 Records Onto Dark Web Compromising Payment Cards for People in 50 States

The Click2Gov self-service bill-payment portal used by dozens of cities across the United States has been hit with a second wave of attacks that has dumped more than 20,000 records onto the Dark Web, researchers at security firm Gemini Advisory report. The new round of attacks began in August and has so far hit systems in eight cities, six of which were also compromised in the previous episode of attacks in 2017 and 2018. Despite hitting only eight cities, the attacks compromised payment cards belonging to people in all 50 states. CentralSquare Technologies, the company that markets Click2Gov, said it conducted an extensive forensic analysis and contacted each customer that uses this specific software, with only a small number reporting unauthorized access.

September 18, 2019
Dan Goodin / Ars Technica

Over 800,000 IoT Devices Can Be Abused for Crippling DDoS Attacks Through New Attack Vector That Leverages UDP Amplification Technique Known as WS-Discovery

Hackers have found a new way to amplify the crippling effects of denial-of-service attacks by abusing WS-Discovery (WSD), a UDP-based device-discovery protocol, as a reflection and amplification vector, researchers at Akamai report. The protocol lets devices send UDP packets describing their capabilities and requirements over port 3702. Because UDP is connectionless, an attacker can forge the victim's address as the source of a small probe and have each exposed device send its much larger response to the victim. A recent attack using this technique targeted the gaming industry and peaked at 35 Gbps. Although WSD specifies that probes and responses be restricted to the local network, many Internet-of-things (IoT) devices answer probes that arrive from the Internet at large. Akamai estimates that more than 802,000 such devices can be abused in this way. Blocking UDP port 3702 at the edge will stop the reflected traffic from entering the targeted network, but it does nothing for the flood saturating the upstream Internet provider's links; the only real solution there is a DDoS mitigation service.
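Two detections follow from the description above: a target sees many distinct external hosts all answering from UDP/3702 toward one of its addresses, and an IoT operator sees its own devices answering WS-Discovery probes to addresses outside the LAN. The script below is an added example for this digest, not Akamai's code; it runs both checks over a constructed NetFlow-style CSV. The sample flows are made up, and the "public" addresses in them use RFC 5737 documentation ranges in place of real Internet addresses.

```python
"""Triage WS-Discovery (UDP/3702) reflection in flow records.

Added example for this digest; it is not Akamai's code. SAMPLE_FLOWS is a
constructed NetFlow-style CSV, not a real capture. 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges standing in for public addresses.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

WSD_PORT = 3702

# Address space treated as "inside": RFC 1918 plus multicast, link-local and
# loopback, which is where WS-Discovery probes and responses are meant to stay.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return (addr.is_multicast or addr.is_link_local or addr.is_loopback
            or any(addr in net for net in LOCAL_NETS))


# Constructed sample: four reflectors hitting one victim, one ordinary TCP flow,
# one legitimate multicast WSD response, and one LAN device answering a probe
# that came from the Internet. Columns: ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
1568800000,203.0.113.10,3702,198.51.100.5,443,udp,2980
1568800000,203.0.113.11,3702,198.51.100.5,443,udp,3120
1568800000,203.0.113.12,3702,198.51.100.5,443,udp,2875
1568800001,203.0.113.13,3702,198.51.100.5,443,udp,3040
1568800001,203.0.113.50,52114,198.51.100.7,443,tcp,900
1568800001,192.168.1.20,3702,239.255.255.250,3702,udp,720
1568800002,192.168.1.21,3702,203.0.113.99,40001,udp,2950
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the CSV into dicts, converting numeric columns."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def inbound_reflection(flows: List[dict], victim_net: str, min_reflectors: int = 3) -> Dict[str, dict]:
    """Find hosts in victim_net receiving UDP traffic sourced from port 3702.

    Legitimate WS-Discovery never arrives from the Internet, so many distinct
    external sources answering from port 3702 toward one host is the signature
    of a spoofed-probe reflection attack against that host.
    """
    net = ipaddress.ip_network(victim_net)
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != WSD_PORT:
            continue
        if ipaddress.ip_address(f["dst_ip"]) not in net or is_local(f["src_ip"]):
            continue
        entry = per_victim[f["dst_ip"]]
        entry["reflectors"].add(f["src_ip"])
        entry["bytes"] += f["bytes"]
    return {v: e for v, e in per_victim.items() if len(e["reflectors"]) >= min_reflectors}


def exposed_responders(flows: List[dict]) -> List[str]:
    """Local devices answering WS-Discovery to addresses outside the LAN.

    Each one is a reflector an attacker can point at somebody else; fix it by
    filtering UDP/3702 at the edge or disabling WSD on the device.
    """
    return sorted({f["src_ip"] for f in flows
                   if f["proto"] == "udp" and f["src_port"] == WSD_PORT
                   and is_local(f["src_ip"]) and not is_local(f["dst_ip"])})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for victim, e in inbound_reflection(flows, "198.51.100.0/24").items():
        print(f"{victim}: {len(e['reflectors'])} reflectors, {e['bytes']} bytes from UDP/{WSD_PORT}")
    print("exposed WS-Discovery responders:", exposed_responders(flows))
```

Run against real flow exports, raise `min_reflectors` well above 3 and rate the finding by the number of distinct sources rather than by bytes alone; a single misconfigured device answering from 3702 is noise, while hundreds of unrelated sources converging on one host within a second is the attack the summary describes.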

September 11, 2019
Dan Goodin / Ars Technica

Likely Iranian Threat Group Cobalt Dickens Keeps on Ticking Despite Federal Indictments, Currently Targeting 380 Universities in Over 30 Countries

Likely Iranian threat group COBALT DICKENS (also known as Silent Librarian) shows no signs of slowing down despite a March 2018 indictment of the group by the U.S. Department of Justice for compromising hundreds of universities to steal intellectual property, according to researchers at SecureWorks. In July and August 2019, the researchers discovered a new, large global phishing operation launched by COBALT DICKENS that used compromised university resources to send library-themed phishing emails. Victims who clicked the links in the emails were directed to spoofed university library pages and asked to enter their credentials. At the time of publication, SecureWorks researchers had observed COBALT DICKENS targeting at least 380 universities in over 30 countries.

September 6, 2019
Dan Goodin / Ars Technica

Estimated 600,000 Cheap GPS Trackers Expose Kids, Seniors and Pets to Hackers

An estimated 600,000 inexpensive GPS trackers sold as the T8 Mini GPS Tracker Locator, along with some 30 similar models from the same manufacturer, Shenzhen i365 Tech, which are used to monitor the location of kids, seniors and pets, contain vulnerabilities that expose users to a host of attacks, researchers at security firm Avast have found. The manufacturer derives each device's ID number from its International Mobile Equipment Identity (IMEI), and every device ships with the same default password, 123456; because the IDs can be derived and the password is shared, the researchers were able to find more than 600,000 devices in the wild still using it. Moreover, the devices transmit all data in plaintext using commands that were easy to reverse engineer, so anyone on the same network as the smartphone or Web-based app can monitor or modify sensitive traffic. The researchers notified the vendor of the T8 Mini GPS tracker of the vulnerabilities on June 24 and never received a response.

Related: CNET, Infosecurity Magazine, The Daily Swig, Avast, Slashdot, Futurism, Security Affairs, The Hacker News, TechNadu