2 days ago

Chinese State-Sanctioned Hacking Group Turbine Panda Ran Multi-Year Campaign to Steal Intellectual Property for China’s C919 Airliner, Using Local Hackers and Security Researchers to Do the Work

One of China’s most ambitious hacking operations known to date aimed to help Comac, a Chinese state-owned aerospace manufacturer, build its own airliner, the C919, to compete with Airbus and Boeing, according to a new report from CrowdStrike. The effort involved a coordinated multi-year hacking campaign that systematically targeted the foreign companies supplying components for the C919, with the goal of stealing the intellectual property needed to manufacture all of the aircraft’s components inside China. CrowdStrike says the Ministry of State Security (MSS) tasked its Jiangsu Bureau (MSS JSSD) with carrying out the attacks, and that rather than turning to China’s military cyber-operatives, the MSS recruited local hackers, including some from China’s underground hacking scene, along with security researchers. The group, which CrowdStrike tracks as Turbine Panda, was hugely successful but ultimately made a series of mistakes and ran into problems, the biggest of which came in late 2018 when Western officials arrested Xu Yanjun, the MSS JSSD officer in charge of recruiting insiders at foreign companies. (ZDNet)
2 days ago

Sudo Security Policy Bypass Issue Could Allow a Malicious User to Execute Commands as Root Even If Configuration Specifically Disallows It

A new vulnerability in Sudo, a core command installed on almost every UNIX and Linux-based operating system, could allow a malicious user or program to execute arbitrary commands as root on a targeted Linux system even when the sudoers configuration explicitly disallows root access. The flaw, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is a security policy bypass: it lets a user who has been granted sudo rights to run a command as any user except root run that command as root anyway. It therefore only matters for sudoers rules written with an “everyone but root” Runas list; the far more common rule that grants root outright is unaffected, because there is nothing to bypass. The vulnerability affects all Sudo versions before the newly released 1.8.28, and Linux users are advised to update to that version as soon as possible. (The Hacker News)
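Two things a practitioner wants to know after reading the item above: is the installed sudo older than 1.8.28, and does the sudoers file contain any “any user except root” Runas specs, which are the only rules the bypass turns into root. The following is an added example written for this page, not code from the sudo project or the Hacker News article. The sample banner and sudoers text are constructed, and the `#0` form is included because sudo accepts numeric user IDs in Runas lists:

```python
import re

# Version in which CVE-2019-14287 was fixed, per the advisory summarised above.
FIXED_VERSION = (1, 8, 28)

# Runas specs that grant "any user except root", e.g. "(ALL, !root)" or
# "(ALL:ALL, !#0)".  These are the rules the bypass turns into full root.
RUNAS_EXCEPT_ROOT = re.compile(r"\(\s*ALL[^)]*!\s*(?:root|#0)\b[^)]*\)")


def parse_sudo_version(banner):
    """Return (major, minor, patch) from `sudo --version` output.

    'Sudo version 1.8.27' -> (1, 8, 27).  Patch-level suffixes such as 'p1'
    are dropped: 1.8.28p1 compares equal to 1.8.28, which is correct here
    because the fix shipped in 1.8.28 itself.
    """
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised sudo version banner: %r" % banner)
    return tuple(int(x) for x in m.groups())


def version_vulnerable(version):
    """True if this sudo release predates the CVE-2019-14287 fix."""
    return tuple(version) < FIXED_VERSION


def risky_runas_rules(sudoers_text):
    """Return (rules, includes): sudoers lines whose Runas spec is
    'ALL except root', plus any #include/#includedir/@include directives,
    because the files they pull in need the same check."""
    rules, includes = [], []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("#include", "@include")):
            includes.append(line)
            continue
        if line.startswith("#"):          # ordinary comment
            continue
        if RUNAS_EXCEPT_ROOT.search(line):
            rules.append(line)
    return rules, includes


def assess(banner, sudoers_text):
    """A host is exposed only if sudo is unpatched AND at least one
    except-root rule exists; unchecked includes are reported separately."""
    unpatched = version_vulnerable(parse_sudo_version(banner))
    rules, includes = risky_runas_rules(sudoers_text)
    return {
        "unpatched_sudo": unpatched,
        "except_root_rules": rules,
        "unchecked_includes": includes,
        "exposed": unpatched and bool(rules),
    }


if __name__ == "__main__":
    # Constructed sample input, not taken from a real host.
    SAMPLE_BANNER = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"
    SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vi
bob     ALL=(ALL:ALL, !#0) NOPASSWD: /usr/bin/less
#includedir /etc/sudoers.d
"""
    import json
    print(json.dumps(assess(SAMPLE_BANNER, SAMPLE_SUDOERS), indent=2))
```

On a real host, feed it the output of `sudo --version` and the contents of `/etc/sudoers` (and every file under `/etc/sudoers.d`, which the `unchecked_includes` field reminds you about). A host that only has `(ALL)` or `(ALL:ALL)` rules is not exposed to this bug even when unpatched, but it should still be updated.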
2 days ago

Yahoo Users Can Now File a Claim As Part of Settlement For Series of Breaches Affecting More Than Three Billion Accounts

At the end of September, Yahoo announced that anyone who held a Yahoo account at any time between Jan. 1, 2012, and Dec. 31, 2016, and who is a resident of the US or Israel, can file a claim against the $117,500,000 settlement fund for a series of breaches in 2012 and 2013 that affected more than three billion Yahoo accounts. In those breaches, hackers were able to steal names, email addresses, telephone numbers, birth dates, passwords, and answers to security questions. Claimants can receive at least two years of credit monitoring provided by AllClearID, or, if they already have credit monitoring, a cash payment starting at $100 and capped at $358.80 depending on the funds left after other benefits are paid out. They can also claim cash reimbursement of up to $25,000 for out-of-pocket costs incurred dealing with fraud or identity theft resulting from a breach, as well as compensation for up to 15 hours of time spent on recovery. On top of that, users who paid for a premium Yahoo account or the Yahoo Small Business email service can request up to 25 percent of what they paid, capped at $500 a year. (CNET)
2 days ago

Google Releases USB-C Titan Security Key Made by Yubico, Available for $40

Google announced that it is releasing a new USB-C Titan Security Key in partnership with the manufacturer Yubico. The key provides phishing-resistant two-factor authentication on any site that supports FIDO security keys, protecting users against the evolving hacking and phishing methods attackers use to gain access to accounts and data. The device is compatible with Android, Chrome OS, macOS, and Windows devices. The USB-C Titan Security Key uses a hardware secure element chip running firmware engineered by Google to verify the key’s integrity, the same chip and firmware the company uses in its existing USB-A/NFC and Bluetooth/NFC/USB Titan Security Key models manufactured in partnership with Feitian Technologies. The key is now available for $40 on the Google Store in the United States. (ZDNet)
2 days ago

Windows 10 Tamper Protection Security Feature Now Available for Enterprise and Home Customers, Will Be Enabled by Default

Microsoft announced that the Windows 10 Tamper Protection security feature is now generally available for both enterprise and consumer customers and said it will be enabling the feature on all Windows 10 devices by default. Tamper Protection prevents Windows Security and Windows Defender settings from being changed by programs, Windows command-line tools, Registry edits, or group policies. Settings must instead be modified directly through the Windows 10 user interface or via Microsoft enterprise management software such as Intune. (Bleeping Computer)
2 days ago

Shipping Giant Pitney Bowes Grapples With Disruption Following Ransomware Attack

Shipping giant Pitney Bowes confirmed in a statement that it was hit by a “malware attack that encrypted information” on its systems, more commonly known as ransomware. The company said it had seen no evidence that customer or employee data were improperly accessed, but that many of its internal systems were offline and some client services and other corporate processes were disrupted. (TechCrunch)
2 days ago

China’s Winnti Group Updates Arsenal With New Modular Windows Backdoor ‘PortReuse,’ Infects High-Profile Asian Manufacturer

The Chinese state-backed threat group known as the Winnti Group, also tracked as Blackfly, Suckfly, Wicked Panda, BARIUM, and APT41, has updated its arsenal with a new modular Windows backdoor called PortReuse, which it used to infect the servers of a high-profile Asian mobile hardware and software manufacturer, according to researchers at ESET. The group also updated its ShadowPad malware with randomized module IDs and some extra obfuscation. The group was also behind a supply chain attack against a video game developer in which the malware was distributed via a game’s official update server. (Bleeping Computer)
2 days ago

Apple Clarifies, Defends Against Reports That It Sends User Traffic to China’s Tencent, Says It Never Sends Browsing Traffic to Tencent’s System

Following a series of reports that Apple’s Safari web browser was secretly sending user traffic to the Chinese company Tencent, all stemming from the recent discovery that Apple had added a second “safe browsing” provider to Safari, Apple issued a statement clarifying the situation and defending its practices. Apple said it has used Google’s Safe Browsing API inside Safari to check for bad links and that this year it added Tencent’s safe browsing system to Safari as well. Although early safe browsing mechanisms sent each URL to the provider, most current mechanisms, including those run by Google and Tencent, instead push a copy of the blocklist database to the user’s browser and let the browser check URLs against that local copy. Apple said it implemented Safari’s safe browsing this way and never sends the user’s browsing traffic to safe browsing providers. Tencent is not the default provider and is used only on devices where the Chinese locale is enabled; Apple relies on Tencent there because the Chinese government blocks Google domains inside China. (ZDNet)
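The “check the URL against a local database” step deserves a closer look, because it is what separates the old send-every-URL design from the current one. The block below is an added example written for this page, modelled on the hash-prefix scheme of Google’s Safe Browsing Update API; it is not Apple’s, Google’s or Tencent’s code, the blocklist entry is constructed, and the URL canonicalisation is simplified (no percent-decoding or IP-literal handling). The provider ships only 4-byte SHA-256 prefixes, the browser hashes candidate host/path expressions for each URL locally, and only when a prefix matches does the client ask the provider for the full hashes behind that prefix. Even then it sends the prefix, not the URL, which is why the provider learns the client’s IP address and a 4-byte hash on a hit but never the page being visited:

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # Safe Browsing lists carry 4-byte SHA-256 prefixes


def url_expressions(url):
    """Return the host-suffix / path-prefix expressions a Safe Browsing
    client hashes for one URL (simplified canonicalisation)."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    host = parts.hostname.lower().rstrip(".")
    path = parts.path or "/"

    # Host: the exact host plus up to four parent domains, each formed by
    # dropping leading labels from the last five, never below two labels.
    labels = host.split(".")
    hosts = [host]
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        hosts.append(".".join(labels[i:]))

    # Path: full path with query, path without query, "/", and up to four
    # leading directory prefixes.
    paths = []
    if parts.query:
        paths.append(path + "?" + parts.query)
    paths.append(path)
    paths.append("/")
    segs = path.split("/")[1:]
    dirs = segs if path.endswith("/") else segs[:-1]
    prefix = "/"
    for seg in dirs[:4]:
        if seg:
            prefix += seg + "/"
            paths.append(prefix)

    seen, exprs = set(), []
    for h in hosts:
        for p in paths:
            e = h + p
            if e not in seen:
                seen.add(e)
                exprs.append(e)
    return exprs


def hash_prefix(expr):
    return hashlib.sha256(expr.encode("utf-8")).digest()[:PREFIX_LEN]


def build_local_list(expressions):
    """What the provider pushes to the browser: prefixes only, no URLs."""
    return {hash_prefix(e) for e in expressions}


def local_check(url, local_prefixes):
    """Offline step performed entirely in the browser.

    Returns the (expression, prefix_hex) pairs that hit the local list.
    An empty list means the page is treated as safe and nothing leaves the
    device.  A non-empty list means the client must ask the provider for the
    full hashes behind those prefixes; only the prefix travels in that
    request, not the URL the user typed.
    """
    hits = []
    for e in url_expressions(url):
        p = hash_prefix(e)
        if p in local_prefixes:
            hits.append((e, p.hex()))
    return hits


if __name__ == "__main__":
    # Constructed blocklist entry; "malware.example" is not a real site.
    local = build_local_list(["malware.example/bad/"])
    for u in ("https://www.malware.example/bad/page.html?x=1",
              "https://docs.example.org/safe/"):
        print(u, "->", local_check(u, local) or "no local hit, no network traffic")
```

Note that `local_check` matches the blocklist entry through the parent-domain and directory-prefix expressions, which is how one list entry covers `www.malware.example/bad/page.html` without the provider ever having seen that exact URL; the same mechanism is why a benign URL on an unrelated host produces no hit and therefore no request at all.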
3 days ago

Chinese Propaganda App Gives Communist Party Superuser Access to All Data on More Than 100 Million Android Phones

The Chinese Communist Party appears to have superuser access to all data on more than 100 million Android phones through a back door in a propaganda app called “Study the Great Nation,” according to a study conducted by Cure53, a German cybersecurity firm, on behalf of the Open Technology Fund. The Cure53 researchers investigated the Android version of the app, used on smartphones made by Chinese manufacturers such as Huawei, Oppo, and Vivo, but did not examine the version available on Apple’s iOS. They discovered code that amounts to a back door into the phone, capable of running arbitrary commands with superuser privileges. The terms and conditions of the app, developed by the Communist Party’s Propaganda Department in collaboration with Chinese tech giant Alibaba, show that users must agree to grant access to a vast trove of information and functions. The Cure53 researchers also found that the app sends detailed log reports daily, containing a wealth of user data and app activity. (Washington Post)
3 days ago

Thoma Bravo to Buy Sophos for $3.9 Billion Marking First Big Buy Outside U.S. for Increasingly Cybersecurity-Focused Private Equity Group

UK cybersecurity firm Sophos agreed to be bought by the US private equity group Thoma Bravo for $3.9bn (£3.1bn), marking the first acquisition outside the U.S. for the increasingly cybersecurity-focused buyout group. Thoma Bravo said it would carry out a six-month review of the business but indicated that a significant restructuring and material job losses were unlikely. (Guardian)
3 days ago

[Updated in Later Post]: Apple Is Sending Some Safari iOS Users’ IP Addresses to Chinese Government-Linked Giant Tencent

Update: After these reports were published, Apple issued a clarification stating that it does not send browsing traffic to Tencent’s safe browsing system; see the Apple item above. Apple is sending some IP addresses from users of its Safari browser on iOS to Tencent, a Chinese Internet, entertainment, and technology conglomerate with close ties to the Chinese Communist Party. Apple acknowledges that it may send some user IP addresses to Tencent in the “About Safari & Privacy” section of its Safari settings, reachable on an iOS device by opening the Settings app and selecting “Safari > About Privacy & Security.” The “Fraudulent Website Warning” switch is on by default, meaning that unless iPhone or iPad users turn it off, their IP addresses may be logged by Tencent or Google when they browse with Safari. One Twitter user reported seeing this change to Safari as early as the iOS 12.2 beta in February 2019. Even if users install a third-party browser on their iOS device, web pages opened inside other apps are still rendered by an integrated form of Safari called Safari View Controller rather than by the third-party browser. (Reclaim The Net)
3 days ago

Researcher Planted Tiny Spy Chip in Cisco Motherboard to Give Remote Attacker Deep Control Using Only $200 in Equipment

A tiny spy chip can be planted in a company’s hardware supply chain with as little as $200 in equipment, security researcher Monta Elkins will show at the CS3sthlm security conference later this month. Using a $150 hot-air soldering tool, a $40 microscope, and some $2 chips, Elkins altered a Cisco firewall in a way that he says most IT admins wouldn’t notice, yet would give a remote attacker deep control. Elkins used an ATtiny85 microcontroller, about 5 millimeters square, that he took from a $2 Digispark Arduino board and programmed to launch its attack as soon as the firewall boots up in the target’s data center; he then soldered it to the motherboard of a Cisco ASA 5505 firewall. Elkins said he could also have reprogrammed the firewall’s firmware to turn it into a more full-featured foothold for spying on the victim’s network. (Wired)
4 days ago

Twenty-Nine Countries Vulnerable to Simjacker SMS-Based Attacks, Attacks Detected in Three Countries

Adaptive Mobile published a list of 29 countries where local mobile operators ship SIM cards vulnerable to Simjacker, an SMS-based attack method being abused in the wild by a surveillance vendor to track and monitor individuals. Adaptive Mobile also named the countries where it has detected attacks: Mexico, Colombia, and Peru. Although the technique is capable of much more, Simjacker has to date been used only to track users’ locations. Adaptive Mobile believes Simjacker was developed by a company that sells surveillance software to governments around the world. (ZDNet)
5 days ago

New Hard-to-Detect Mac Malware ‘Tarmac’ Runs Rogue Code Inside Browser to Peddle Malicious Software Updates

A malvertising campaign that distributes a new and little-understood piece of Mac malware called Tarmac (OSX/Tarmac) runs rogue code inside the victim’s browser to redirect them to sites showing pop-ups peddling software updates, usually for Adobe’s Flash Player, according to Taha Karim, a security researcher at Confiant. Victims who install the fake update end up with a malware duo on their systems: first OSX/Shlayer, which then launches OSX/Tarmac. The campaign started in January and was geo-targeted at users in the US, Italy, and Japan. Tarmac payloads are signed with legitimate Apple developer certificates, so protections like Gatekeeper and XProtect neither block the installation nor show any errors. (ZDNet)
5 days ago

Critical Local Privilege Escalation Vulnerability Found and Fixed in HP Touchpoint Analytics, Could Impact Millions of Windows Systems

A critical security vulnerability in Open Hardware Monitor, a free open-source program that monitors a computer’s temperature sensors, fan speeds, voltages, load, and clock speeds and is bundled into monitoring products including HP Touchpoint Analytics, allowed attackers to escalate privileges and execute arbitrary code with SYSTEM privileges on Windows computers, researchers at SafeBreach Labs report. The local privilege escalation (LPE) vulnerability, tracked as CVE-2019-6333, was discovered by SafeBreach Labs security researcher Peleg Hadar and reported to HP on July 4. It impacts all versions of HP Touchpoint Analytics Client below 4.1.4.2827; HP patched it with the release of version 4.1.4.2827 on October 4 and published procedures to detect whether a device is vulnerable along with the appropriate remediation steps. (Bleeping Computer)