STE WILLIAMS

Update iOS and Mojave now! Apple patches are out

Apple has released its May 2019 security updates, taking iOS to version 12.3 and macOS Mojave to version 10.14.5.

There are three elements to this month’s new software – new capabilities (which tend to get the most attention, and which we’ll ignore), a sizable pile of important security fixes, and a smattering of minor security tweaks.

One of the interesting things about Apple’s advisories is the large number of third-party researchers the company name checks.

That’s a positive – the more researchers combing for flaws, the fewer will be exploited and hurt people. What’s less clear without reading deeper into the CVEs (which aren’t always explanatory until user updating has occurred) is which ones are more serious.

iOS 12.3

This month iOS generated 42 CVEs, bulked by the number affecting WebKit, which amount to 20 in all.

The ones that jump out usually involve a vulnerability that might allow a remote attacker or local app to take control of the device at some level – like most of the WebKit flaws.

For example, CVE-2019-8585 in CoreAudio, which could give malware a route to compromise using a malicious movie file. That’s serious because it doesn’t appear it would necessarily require the victim to do anything.

A rung down from this are CVE-2019-8593 in AppleFileConduit, and CVE-2019-8605 in the kernel, either of which might allow an app to gain system privileges, or CVE-2019-8637 in AppleFileConduit, through which a “malicious application may be able to gain root privileges.” Those would require users to download malicious apps.

macOS Mojave 10.14.5

Excluding flaws common to both macOS (including macOS Sierra 10.12.6, macOS High Sierra 10.13.6) and iOS in things like WebKit, May’s update addresses around 20 CVEs.

This includes four in SQLite allowing privilege elevation or code execution and three kernel flaws. One that stands out is the flaw in EFI, CVE-2019-8634, through which “a user may be unexpectedly logged in to another user’s account.”

Beyond that, it’s mainly tweaks such as disabling accessories with insecure Bluetooth connections, and a fix for unlocking FileVault volumes that are having trouble resetting the user account password using a personal recovery key (PRK).

Safari

Safari, meanwhile, eases web login when using Password AutoFill, replaces the discredited Do Not Track cross-site tracking browser protection with Apple’s Intelligent Tracking Prevention, and disables web push notifications when the user has interacted with a website.

What to do?

To check you’re up to date:

  • On an iPhone, go to Settings > General > Software Update.
  • On a Mac, go to the Apple menu, choose About This Mac and click Software Update…

WhatsApp Messenger v2.19.134

Separately, readers should also update WhatsApp in the light of the news that it’s been compromised by spyware. It’s not an Apple flaw, but it is one that might require a manual update of the app to get the fix as soon as possible. That’s done by visiting the App Store, clicking on Updates and downloading the update for WhatsApp Messenger.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nJ39J3cq1QE/

Twitter bug leaks iOS users’ location data to partner

On Monday, Twitter said that it goofed: it mistakenly collected and shared some accounts’ location data with one of its partners, even if a user hadn’t opted in to sharing the data.

The bug, which only affected some Twitter users, has already been fixed.

It involved inadvertently collecting and sharing location data at the postal code or city level. The bug specifically affected some people who were using more than one Twitter account on iOS and who had opted into using the precise location feature in one of those Twitter accounts. On the affected devices, the location data sharing accidentally spilled from one opted-in account to other, non-opted-in accounts on the same device, Twitter said.

Twitter told Engadget that employees discovered the glitch.

Separately, Twitter says it intended to remove location data from fields sent to a trusted partner during an advertising process known as real-time bidding. That didn’t go as planned. The partner couldn’t see precise locations, as in, it didn’t get more precise than a postal code or city – an area equivalent to 5km squared, Twitter said.

The partner couldn’t get a precise address or map precise user movements. Nor did the partner get Twitter handles or other unique account IDs that could have revealed users’ identities.

While that location data was pretty fuzzy, it never should have been collected, or shared with the partner, in the first place. But it also means that for those people using Twitter for iOS whose location data was inadvertently collected, Twitter also may have shared that data with an advertising partner.

Twitter said the partner only had the data in its system for a short time: it’s already been deleted as part of the company’s normal data-handling procedures.

How many users, for how long, when?

Twitter’s announcement was short on specifics. It didn’t disclose how many users were affected when the location data sharing bug was in effect, nor for how long, and it didn’t name the partner with which it shared the data.

Twitter disclosed another privacy-jeopardizing glitch in January when it disclosed a bug that, under certain circumstances, switched private tweets to public view in Twitter for Android. That bug went unnoticed for four years, starting in November 2014.

The bug disabled the “Protect your Tweets” setting for Android users if certain account changes were made, Twitter said. Namely, Android users were told they’d be well-advised to check their settings if they changed the email address associated with their account during that time period.

At the time, the Irish Data Protection Commission (DPC) said it was mulling whether or not it would launch a formal investigation into the flaw.

Users have been notified

Twitter said that it’s already told the users whose accounts were affected that the location data-sharing bug has been fixed. It invited users to check their privacy settings to make sure you’re only sharing the data you actually want Twitter to see, and that it’s “very sorry” it happened.

Twitter says that if you have any questions, you can get in touch with its Office of Data Protection through this form.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oB6tRPE9-C0/

Microsoft fixes Intel ZombieLoad bug with Patch Tuesday updates

Microsoft’s May 2019 Patch Tuesday fixed 79 vulnerabilities, 19 of which are classed as Critical. Here’s a summary of the most notable ones.

ZombieLoad

The update fixed a processor logic flaw (CVE-2018-12130) that allows computer programs to steal each others’ data.

Discovered by researchers at the Graz University of Technology and KU Leuven, the attack is able to read data between different threads, which are separate programs running on the same physical computer core.

ZombieLoad is known as a Microarchitectural Data Sampling (MDS) vulnerability, and it shares some characteristics with Spectre and Meltdown, the two side channel attacks announced in January 2018. It is a flaw in Intel processor hardware, meaning that it affects any operating systems running on x86 chips, including Windows. It uses Intel’s speculative execution feature to pilfer other programs’ data. As Microsoft explained in the note associated with the patch:

In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.

The attack affects both desktop and server-based systems, although exploiting it isn’t trivial. Someone would need to run a malicious app on the target system.

Microsoft’s patch joins other fixes from companies including Apple and Google. It provides a software workaround until Intel fixes the bug in future processor releases. The patch probably won’t affect performance on consumer systems, said the advisory.

Just as with the software fixes for Spectre and Meltdown, then, the people feeling any performance hit from the software patch will be server customers. Microsoft says that to get full protection, server admins might have to disable the Hyperthreading functionality that the attack exploits.

Windows Server

Microsoft included several fixes for critical vulnerabilities that could enable an attacker to run code remotely on a target system. These include CVE-2019-0725, a vulnerability in Windows Server’s DHCP server.

CVE-2019-0708 allows someone sending specially crafted packets to Windows Server’s Remote Desktop Services system to run code on it, even if they are not authenticated on the system. CVE-2019-0708 is so serious that Microsoft has even released patches for its long-unsupported operating systems, Windows 2003 and XP.

For more on this, read our companion article dealing with the potential consequences, affected systems and mitigations for this remote, ‘wormable’ Windows vulnerability.

Another patch fixes CVE-2019-0903, which stems from a problem in Windows Server’s Windows Graphics Device Interface (GDI), and enables an attacker to run code via a malicious web site or file.

Edge and IE 11

The Patch Tuesday releases also fix several critical remote code execution vulnerabilities targeting the Edge and Internet Explorer 11 browsers. Some, including CVE-2019-0911, CVE-2019-0912, CVE-2019-0914, CVE-2019-0924, and CVE-2019-0925, use flaws in Edge’s scripting engine to gain the same privileges as the current user, while CVE-2019-0926 exploits the way that Edge accesses objects in memory.

Microsoft Office

Microsoft also patched CVE-2019-0953, a remote code vulnerability in Microsoft Office which lets an attacker run code as the targeted user by persuading them to open a malicious file. That vulnerability affects both Mac and Windows systems.

Adobe

Adobe’s ADV190012 fixes a critical remote code execution vulnerability in Adobe Flash, and APSB19-29 was released to fix an RCE vulnerability in Adobe Media Encoder.

Patches for a mammoth 84 flaws were released for Adobe Acrobat and Reader on Windows and MacOS, so head to APSB19-18 for details.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iHTU4AJ85-M/

UPDATE NOW! Critical, remote, ‘wormable’ Windows vulnerability

Microsoft has issued a patch for a vulnerability in its Remote Desktop Services that can be exploited remotely, via RDP, without authentication and used to run arbitrary code:

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

It doesn’t get much worse than that.

Fixes are included for versions of Windows 7 and Windows 2008 (see the advisory for the full list) as part of Microsoft’s most recent Patch Tuesday. Patches have also been made available for versions of Windows XP and Windows 2003 (see the customer guidance for the full list).

The flaw is considered ‘wormable’, meaning that it has the potential to be used in malware that spreads itself across and between networks. Millions of computer networks around the world are connected to the internet via RDP, often deliberately, sometimes not, and any of them running one of the affected operating systems is a potential gateway to a network of victims.

Given the number of targets, and the potential for an explosive, exponential spread, we suggest you treat it as a matter of when, not if, the patch is reverse engineered and an exploit created, so you should update immediately. For more guidance, check out this article’s What to do? section.

The fact that Microsoft has taken the exceptional step of issuing patches for Windows XP and Windows 2003, is instructive.

Given the potential impact to customers and their businesses, we made the decision to make security updates available for platforms that are no longer in mainstream support … We recommend that customers running one of these operating systems download and install the update as soon as possible.

In the five years since the end-of-life date for Windows XP and 2003, Microsoft has issued countless patches for critical issues in its family of operating systems that it didn’t back-port to its retired products. It’s only broken that support embargo on four occasions, including this one, most notably during the WannaCry outbreak of 2017.

WannaCry was a ransomware worm that spread around the world in a day by exploiting a flaw in version one of Microsoft’s SMB software. The worm had no trouble finding hundreds of thousands of Windows systems to infect despite the age of the software and a patch having been issued the previous month.

As if to demonstrate our continued, collective failure to learn the lesson about the importance of patching, WannaCry was followed a little over a month later by NotPetya, another global ransomware outbreak using the same exploit.

What to do

Whatever else you do, patch.

If, for some reason, you can’t patch immediately, Microsoft offers the following mitigations and workarounds:

  • Enable Network Level Authentication (NLA). This forces a user to authenticate before RDP is exposed to the attacker. Not all affected systems support NLA.
  • Turn off RDP. If RDP isn’t running, the vulnerability can’t be exploited. As obvious as this seems, some organisations are unable to work without RDP, and some are running it without realising it.
  • Block TCP port 3389. Blocking port 3389 (and any other ports you’ve assigned to RDP) at the perimeter will prevent an attack from entering your network but can’t stop an attack from originating inside your network.
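The three workarounds above are easy to state but easy to get wrong on a fleet, so here is an added audit script (not from the article or from Microsoft) that reports, for one Windows host, whether RDP is enabled, whether NLA is required, which port RDP is configured on and whether it is listening, and whether the OS build falls in the affected list. It assumes PowerShell 2.0 or later on Windows 7 / Server 2008 / 2008 R2 (XP and 2003 have no comparable PowerShell), uses the standard Terminal Server registry values, and takes the patch KB number as a placeholder you fill in from the advisory.

```powershell
# Added example: audit one host against the CVE-2019-0708 workarounds.
# Assumes PowerShell 2.0+ and the standard Terminal Server registry layout.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# Placeholder: the KB for this build from Microsoft's CVE-2019-0708 advisory.
$patchKb = 'KBNNNNNNN'

function Get-RegValue($path, $name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { return $item.$name } else { return $null }
}

# Workaround 2 ("Turn off RDP"): fDenyTSConnections = 1 means RDP refuses connections.
$deny       = Get-RegValue $tsKey 'fDenyTSConnections'
$rdpEnabled = ($deny -ne 1)

# Workaround 1 ("Enable NLA"): UserAuthentication = 1 means NLA is required.
$nla        = Get-RegValue $rdpTcp 'UserAuthentication'
$nlaEnabled = ($nla -eq 1)

# Workaround 3 ("Block TCP 3389"): RDP may have been moved off the default port,
# so report the configured PortNumber rather than assuming 3389.
$port = Get-RegValue $rdpTcp 'PortNumber'
if (-not $port) { $port = 3389 }

# Is that port actually listening? netstat works on every affected build.
$listening = [bool](netstat -ano | Select-String -Pattern ":$port\s+\S+\s+LISTENING")

# Affected builds per the article: XP (5.1), 2003 (5.2), 2008 (6.0), 7 / 2008 R2 (6.1).
# Assumption: this version-to-name mapping; Windows 8 (6.2) and later are unaffected.
$os       = Get-WmiObject Win32_OperatingSystem
$ver      = [version]$os.Version
$affected = ($ver.Major -eq 5) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

# Is the advisory's patch installed? (Get-HotFix reads the same data as WMI QFE.)
$patched = [bool](Get-HotFix -Id $patchKb -ErrorAction SilentlyContinue)

$report = New-Object PSObject -Property @{
    Host            = $env:COMPUTERNAME
    OSVersion       = $os.Version
    AffectedBuild   = $affected
    PatchInstalled  = $patched
    RDPEnabled      = $rdpEnabled
    NLARequired     = $nlaEnabled
    RDPPort         = $port
    PortListening   = $listening
}
$report | Format-List

# Exposure summary: an affected, unpatched host with RDP listening and no NLA
# has none of the three workarounds in place.
if ($affected -and -not $patched -and $rdpEnabled -and $listening -and -not $nlaEnabled) {
    Write-Warning "Exposed: unpatched affected build with RDP listening on $port and NLA off."
}
```

Run it elevated on each host (or via remoting) and collect the objects; a blocked port at the perimeter is not visible from the host itself, so pair this with a firewall rule review.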

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KKxkbc8wD4Y/

MI5 slapped on the wrist for ‘serious’ surveillance data breach

Home Secretary Sajid Javid has confessed to Parliament that MI5 bungled the security of “certain technology environments used to store and analyse data,” including that of ordinary Britons spied on by the agency.

In a lengthy Parliamentary statement made last week, Javid obliquely admitted that spies had allowed more people to help themselves to its treasure troves of data on British citizens than was legally allowed.

The Home Secretary’s statement referred to how “certain [data] processing” by MI5 and other spy agencies “is kept to the minimum necessary for the statutory purpose, including the number of people to whom material is made available, the number of copies made and the length of time it is retained.”

Given how notoriously lax UK law is when it comes to allowing state employees to trawl through whatever personal data they fancy with few meaningful prior permissions required (known in the jargon as “lawful interception”), Lord Justice Fulford, the Investigatory Powers Commissioner and head of audit agency IPCO, characterised the breach as “serious” and requiring “immediate mitigation”.

Javid, however, hid behind an ongoing legal case brought by the Liberty pressure group, aimed at getting the Investigatory Powers Act toughened up, as an excuse for not giving full details to Parliament. He only told MPs that “the compliance risks identified are limited to how material is treated after it has been obtained. They do not relate in any way to the manner in which MI5 acquires information in the first instance or the necessity and proportionality of doing so.”

MI5’s use of the data that Britain’s dragnet surveillance operations hoover up is audited after the event by the Investigatory Powers Commissioner’s Office (IPCO). In its annual report for 2017/18, the last public report issued by IPCO, IPCO criticised MI5 for using “boilerplate text” in internal applications to spy on particular people and groups, suggesting that the spies weren’t taking existing permissive laws seriously.

Lord Justice Fulford said in a statement: “I first became aware of the compliance risks identified by MI5 at an oral briefing meeting on 27 February 2019, and I immediately requested a comprehensive written description of all the matters that had then been outlined. This was provided on 11 March 2019.”

He continued: “I am reassured that MI5 has taken immediate steps to introduce a series of mitigating actions in the light of that thorough review, and these actions – along with a programme of further measures that will be progressively implemented – provide sufficient reassurance that MI5’s handling arrangements within the particular area of concern are now satisfactory as regards warranted material.”

A team of IPCO investigators was sent into MI5 for a week to investigate the breach. There was no information from IPCO or Javid’s statement suggesting that anyone was identified, caught, disciplined or charged with an offence as a result of the breach.

A lawyer for Liberty, Megan Goulding, said in a statement: “The breach in itself is deeply concerning but on top of that the way this has unfolded – with IPCO only finding out because MI5 reported it, and the wider public only knowing apparently because of our legal case – shows how fatally flawed the oversight system for security services is.” ®

Bootnote

In pop culture, the answer to threats from a police worker is to say “get a warrant!” Taking this at face value, the UK merely has the Home and Foreign Secretaries (as ministers for domestic spy agency MI5 GCHQ, and foreign spy agency MI6, respectively) sign so-called “thematic” warrants that authorise almost anything the spy agencies fancy doing, on a blanket, non-specific basis.

They’ve got a warrant. It’s just not the type you wanted it to be.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/15/mi5_data_breach_investigatory_powers/

Brush Up on the Latest Security Techniques at Black Hat USA

Learn to set malware lures, pinpoint unintentional but identifying human behaviors, and detect industrial control system attacks via sensor noise.

Boatloads of new Briefings have been confirmed for Black Hat USA this August, and among them are a number of practical, actionable deep dives into cutting edge cybersecurity issues.

Worm Charming: Harvesting Malware Lures for Fun and Profit promises to show you how to set up malware lures that can – by applying a series of YARA rules – charm interesting malware samples to the surface from the ~1M files uploaded to Virus Total daily.

You’ll learn how to harvest lures for the purposes of dissection and detection, and explore mechanisms for identifying interesting samples that can give you a heads-up about what attacks are coming. This is a useful skill to have along with multiple real-world examples showing how an astute researcher can harvest zero-day exploits from the public domain.

In I’m Unique, Just Like You: Human Side-Channels and Their Implications for Security and Privacy you’ll be given an expert’s perspective on which identifiers are unintentional, non-physical, and generated as a result of human behaviors and activities, yet can still be used to uniquely identify and/or track individual users in the digital realm.

These “human side-channels” (among them forensic linguistics, behavioral signatures, and cultural references) take training to spot. In this Briefing you’ll learn how to do just that, as well as how side-channels can be used by bad actors to erode privacy, and possible countermeasures to disguise your own human side-channels. Don’t miss it!

Sensor and Process Fingerprinting in Industrial Control Systems will revisit some common cyber and cyber-physical attack vectors to critical infrastructure (like electricity and power distribution), as well as current defense strategies against such attacks.

This is a great opportunity to get an expert demonstration of how noise in industrial sensors and their inherent processes can be used to detect both cyber and physical attacks. Plus, you’ll learn how building a model based on the noise profile of both sensors and process can effectively detect such attacks.

All three of these Briefings are part of the Black Hat USA Applied Security track, which aims to serve up topics and techniques that attendees will be able to put into practice as soon as they get home.

For more information about these Briefings and many more check out the Black Hat USA Briefings page, which is regularly updated with new content as we get closer to the event!

Black Hat USA will return to the Mandalay Bay in Las Vegas August 3-8, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/brush-up-on-the-latest-security-techniques-at-black-hat-usa/d/d-id/1334710?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft emits free remote-desktop security patches for WinXP to Server 2008 to avoid another WannaCry

Patch Tuesday It’s that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday, including one for out-of-support operating systems Windows XP and Server 2003.

Usually support for such aging operating systems costs an arm and a leg, though Redmond has released a freebie because of the serious nature of the critical flaw, assigned CVE-2019-0708, in Remote Desktop Services, or Terminal Services as it was. The vulnerability allows remote code execution with no user involvement or any authentication required, making it a gift to scum looking to spread malware.

Basically, find one of countless vulnerable Windows boxes facing the internet or on a network, and send carefully crafted packets to its remote desktop service, if running, to start executing malicious code on the machine. From there, other computers can be found by scanning IP ranges, and then you’ve got a proper old school worm on your hands.

“The vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” the advisory states, referring to the Windows nasty that used stolen NSA exploits to hijack boxes.

“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.”

For highly likely, read absolutely certain: a malware propagation method like this is going to be appearing very soon since it’s a low-cost, highly effective way of spamming out ransomware and trojans. Windows 8 and 10 are unaffected, but there’s still a vast pool of older systems out there that could be hit if left unpatched. The affected operating system builds include: Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows XP.

While you’re patching that, there’s a lot of other stuff to fix in the Patch Tuesday update. In particular there’s fixes out for the information-leaking family of Microarchitectural Data Sampling (MDS) security flaws in Intel processors revealed this week.

In all Redmond put out fixes for 79 holes, 22 of them critical. Of those, three can be exploited to achieve remote code execution, and they affect GDI+, Word and DHCP Server. The latter, CVE-2019-0725, is a particularly nasty memory corruption vulnerability, since all that is needed to exploit it is a well-crafted packet sent to a DHCP server and affects all currently supported versions of Windows, client and server.

The remaining 18 critical flaws are for scripting engines and browsers, and while all should be patched there’s no evidence as yet that any are being exploited in the wild. Not so for CVE-2019-0863, an elevation of privilege flaw in the way Windows Error Reporting (WER) deals with files, which Microsoft says is being used by crooks to fully compromise infected machines.

What with it being Patch Tuesday there are other vendors adding their patches in. As is traditional, Adobe dropped 86 flaw fixes, mainly in Reader and Acrobat, and Citrix, too, has one of its own.

That flaw, spotted by researchers at NCC Group, is a logic vulnerability that can be exploited to gain “remote access to a host’s storage via Edge, Internet Explorer, Firefox and Chrome on Microsoft Windows by a malicious Citrix server.” Concerned customers should update to the latest builds of Citrix Workspace app, and Citrix Receiver for Windows.

Please make sure you apply all the patches you can as soon as you are able before hackers start targeting them. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/15/may_patch_tuesday/

Microsoft Patches Wormable Vuln in Windows 7, 2003, XP, Server 2008

Microsoft releases security updates for some out-of-support systems to fix a bug that could be weaponized as a worm if exploited.

Microsoft today took the unusual step of issuing security fixes for out-of-support systems to patch a vulnerability it fears could be wormable if exploited. CVE-2019-0708 affects in-support systems Windows 7, Server 2008, and 2008 R2 and out-of-support Windows 2003 and XP.

This is a critical remote code execution flaw in Remote Desktop Services, formerly known as Terminal Services, which affects some older versions of Windows. Remote Desktop Protocol (RDP) is not vulnerable. CVE-2019-0708 is pre-authentication and requires no user interaction, meaning any future malware could propagate from vulnerable machine to vulnerable machine.

Unauthenticated attackers could exploit this vulnerability by connecting to a target system via RDP and sending specially crafted requests. If successful, they could execute code on the target system; install programs; view, edit, or delete data; or create new accounts with full user rights. Today’s security fix corrects the way Remote Desktop Services handles connection requests.

Simon Pope, director of incident response for the Microsoft Security Response Center, says it’s “highly likely” malicious actors will write an exploit for this vulnerability and build it into malware. Microsoft has not seen any evidence of CVE-2019-0708 being exploited in the wild, but it urges companies to update immediately, warning the bug could be weaponized as a worm.

The impact is limited to older versions of Windows that are either out of support or approaching the end-of-support life cycle. Vulnerable in-support systems with automatic updates enabled are protected. Vulnerable out-of-support versions can find guidance here.

There is a partial mitigation on affected systems with Network Level Authentication (NLA) enabled, Pope explains in a blog post. These systems are protected from wormable malware or advanced threats that could exploit this vulnerability; NLA requires authentication before the vuln can be triggered. These systems are exposed to RCE if an attacker has valid credentials.

It’s worth noting CVE-2019-0708 does not affect newer versions of Windows, including Windows 10, 8.1, and 8, as well as Windows Server 2019, Server 2016, Server 2012 R2, and Server 2012.

CVE-2019-0708 isn’t the only vulnerability Microsoft fixed for this month’s Patch Tuesday update. The company issued patches for 79 CVEs, 22 of which were deemed Critical in severity and 57 of which were ranked Important. Two were publicly known; one is under active attack.

The bug being abused in the wild is CVE-2019-0863, a Windows Error Reporting (WER) elevation of privilege vulnerability that exists in the way WER handles files. Attackers must first gain unprivileged execution on a victim system to execute an attack. “The exploitation of this vulnerability could lead to arbitrary code execution in kernel mode, which is typically reserved for trusted functions of the operating system,” says Satnam Narang, senior research engineer at Tenable. Exploitation of CVE-2019-0863 would also let an attacker view, change, or delete data, or create new accounts with admin privileges.

“While details about the use of the exploit are not available, it is likely being used in limited attacks against specific targets,” writes Dustin Childs of Trend Micro’s Zero-Day Initiative.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/endpoint/microsoft-patches-wormable-vuln-in-windows-7-2003-xp-server-2008/d/d-id/1334709?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Baltimore Ransomware Attack Takes Strange Twist

Tweet suggests possible screenshot of stolen city documents and credentials in the wake of attack that took down city servers last week.

A mysterious and newly created Twitter account on May 12 posted what purports to be a screenshot of sensitive documents and user credentials from the city of Baltimore, which was hit late last week by a major ransomware attack.

Researchers at Armor who have been investigating the so-called Robbinhood ransomware malware used in the attack on the city discovered the post. They say it could either be from the attacker, a city employee, someone with access to the documents — or even be just a hoax. The city is still recovering from the May 7 attack, which has disrupted everything from real estate transactions awaiting deeds, bill payments for residents, and services such as email and telecommunications.

Ransomware attacks typically are all about making money: Attackers demand a fee to decrypt victims’ files they have accessed and encrypted. Whether the tweet came from the attackers trying to put the squeeze on the city to pay up or threatening to abuse the kidnapped information is unclear.

City officials previously have said they have no plans to pay the ransom. “I think the mayor was very clear: We’re not paying a ransom,” said City Council president Brandon Scott in an interview yesterday on a local CBS affiliate.

Eric Sifford, security researcher with Armor’s Threat Resistance Unit (TRU), discovered the Twitter post appearing to taunt or threaten Baltimore officials. He says he’s not sure whether the tweet came from the actual attackers. “They are trying to make a statement … and to show that they not only were able to encrypt major portions of network of the city …. but they have a lot of internal access,” as well, if the documents in the screenshot are legitimate, Sifford says.

Armor today will post a blog with an obfuscated shot of the tweet and account to ensure the City of Baltimore gets the chance to change the posted usernames and passwords if, indeed, they are legit.

Dark Reading has viewed the full Twitter account and post but is only publishing the obfuscated information.

Source: Armor

Meanwhile, the Robbinhood attackers in their ransom note demanded $17,600 in bitcoin per system — a total of about $76,280, according to analysis by Armor. The bitcoin wallet for the ransom for the city had not been used at this time, the researchers say, indicating the city has kept its vow not to pay.

Most of Baltimore’s servers were shut down as officials investigated the attack last week, but its 911 and 311 systems were not hit, according to reporting by The Baltimore Sun. When the attack was spotted, employees at City Hall were told to unplug Ethernet cables and shut down their computers and other devices to stem the spread of the malware, Baltimore city councilman Ryan Dorsey told the Sun.

Efforts today to reach some Baltimore city officials, including the office of the city’s newly named mayor, Bernard C. “Jack” Young, were unsuccessful in several cases, in part because email is down for many employees, and several departments are instead using Google Voice voicemail to get messages.

A spokesperson for Baltimore City Council Member Zeke Cohen, whom Dark Reading was able to contact, said Cohen’s office did not have any information on the tweet, nor could they verify whether the information and documents in the screenshot come from the data encrypted by the ransomware attackers.

Security expert John Bambenek, director of cybersecurity research at ThreatStop, says the tweet looks relatively legitimate. “Either someone spent real effort trying to find documents from public sources or it’s our guy. Either way, he just put himself on the menu for the FBI if he’s not,” Bambenek says.

‘Hurry Up!’
Armor said the Robbinhood ransom note also warns the city not to call the FBI, or risk the attackers going away and leaving the files encrypted. “We’ve watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections,” the ransom note said, specifying payment within four days or the fee would increase. After 10 days, the data would no longer be recoverable, the note said, according to Armor.

“We won’t talk more. All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!” the note read, according to Armor.

The same ransomware recently hit the city of Greenville, N.C., as well as several power companies in India last month, according to the security firm.

Meanwhile, Baltimore’s ransomware attack is one of 22 against state and local government entities so far in 2019, Armor notes. Other victims include Washington, Pennsylvania; Amarillo, Texas; Cleveland Airport, Cleveland, Ohio; Augusta City Center, Augusta, Maine; Stuart, Florida; Imperial County, California; Garfield County, Utah; Greenville, North Carolina; Albany, New York; Jackson County, Georgia; Schools System of Taos, New Mexico; Del Rio, Texas; Atlanta, Georgia; and Leominster, Massachusetts.


Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/baltimore-ransomware-attack-takes-strange-twist/d/d-id/1334706?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Uniqlo Parent Company Says Hack Compromised 461,091

Fast Retailing Co. reports cyberattackers accessed accounts registered to its Japanese Uniqlo and GU brand websites.

Fast Retailing Co., parent company of Uniqlo and Asia’s largest retailer, confirms data belonging to 461,091 people was compromised in a cyberattack on its Uniqlo and GU shopping websites.

Officials say the breach took place between April 23 and May 10, 2019, when it was confirmed, according to a statement on Fast Retailing’s website. An investigation began when customers reported strange account activity — for example, notices that their registration information had been changed. So far, officials have learned this was a “list-type attack” on the firm’s Japanese websites: what is more commonly called credential stuffing, in which intruders log in with username and password pairs stolen from other sites and reused by the same customers on Uniqlo and GU.

Compromised data includes: full name, physical and email address, phone number, gender, birth date, purchase history, and partial credit card numbers. The company reports that stored credit card numbers are masked except for the first and last four digits, and that CVV numbers are not stored.

Fast Retailing has invalidated the account passwords of affected users and notified them to reset their passwords. Read more details here.
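The telltale pattern of a credential-stuffing (“list-type”) attack is the one described above: one client source trying many different accounts, most of which fail because the stolen password was never reused on this site, with the occasional success marking an account that must be locked and its password reset. The following is an added example, not code from Fast Retailing, Uniqlo, or Dark Reading; it runs detection logic over constructed login-log lines, and the log format, thresholds and source addresses are assumptions for illustration. It also separates this pattern from a single-account brute-force attempt, which the same counters would otherwise conflate.

```python
"""Credential-stuffing detection over web-login logs.

Added example, not Fast Retailing's own code. The log format
(timestamp, client IP, account, result) and the thresholds are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real Uniqlo/GU traffic).
# 198.51.100.7 walks a stolen credential list: many distinct accounts,
# mostly failures, two hits.  203.0.113.4 is a single user retrying their
# own password (a brute-force-like pattern, not stuffing).
SAMPLE_LOG = """\
2019-04-23T02:00:01Z 198.51.100.7 login user=alice result=FAIL
2019-04-23T02:00:02Z 198.51.100.7 login user=bob result=FAIL
2019-04-23T02:00:02Z 198.51.100.7 login user=carol result=OK
2019-04-23T02:00:03Z 198.51.100.7 login user=dave result=FAIL
2019-04-23T02:00:03Z 198.51.100.7 login user=erin result=FAIL
2019-04-23T02:00:04Z 198.51.100.7 login user=frank result=OK
2019-04-23T02:00:04Z 198.51.100.7 login user=grace result=FAIL
2019-04-23T02:00:05Z 198.51.100.7 login user=heidi result=FAIL
2019-04-23T02:00:05Z 198.51.100.7 login user=ivan result=FAIL
2019-04-23T02:00:06Z 198.51.100.7 login user=judy result=FAIL
2019-04-23T02:00:06Z 198.51.100.7 login user=mallory result=FAIL
2019-04-23T02:00:07Z 198.51.100.7 login user=oscar result=FAIL
2019-04-23T09:15:10Z 203.0.113.4 login user=peggy result=FAIL
2019-04-23T09:15:20Z 203.0.113.4 login user=peggy result=FAIL
2019-04-23T09:15:40Z 203.0.113.4 login user=peggy result=OK
2019-04-23T10:02:00Z 203.0.113.9 login user=trent result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP login counters."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # every account tried
    successes: set = field(default_factory=set)   # accounts that logged in


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def flag_credential_stuffing(log_text, min_attempts=10,
                             min_distinct_users=8, min_fail_ratio=0.7):
    """Flag source IPs whose traffic looks like a stolen-credential list.

    The distinct-account requirement is what separates stuffing from a
    brute-force attempt on one account: a brute forcer also has a high
    failure ratio but touches few users.  Thresholds are assumptions.
    Returns {ip: summary}, where 'compromised' lists the accounts that
    succeeded from the flagged source and therefore need a forced reset.
    """
    flagged = {}
    for ip, s in summarize(log_text).items():
        fail_ratio = s.failures / s.attempts
        if (s.attempts >= min_attempts
                and len(s.users) >= min_distinct_users
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(s.successes),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed log this flags only 198.51.100.7 (12 attempts across 12 accounts, 10 failures) and reports carol and frank as the accounts to invalidate, which is the same remediation Fast Retailing applied to affected users; 203.0.113.4 is left alone because its three attempts all target one account. In production the same counters would be kept per time window and per account as well as per source, since a distributed stuffing campaign spreads its attempts across many IPs.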


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/uniqlo-parent-company-says-hack-compromised-461091/d/d-id/1334715?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple