Incidents Calendar

Notable recent developments in digital security


Digital Security

    • 4 Mar

      Trump wiretapping claims lead to flat denial from GCHQ

      A political firestorm which was sparked when US President Trump claimed that he had been the subject of a 'wiretap' by the preceding administration during the presidential election campaign aroused further trans-Atlantic consternation when the White House press secretary quoted a media report alleging that the UK's intelligence agency GCHQ had been used to perform the surveillance.

      The allegations led to an unprecedented public statement from GCHQ dismissing the claims as 'utterly ridiculous', breaking its longstanding practice of refusing to comment on media reports covering its activities. Statements from the UK government have also repudiated the claims.

    • 8 Mar

      WikiLeaks releases 'Vault 7' docs of CIA hacking tools

      WikiLeaks released a vast trove of documents (referred to as the Vault 7 cache) reportedly from the CIA covering their hacking techniques and tools. While there has been no confirmation from the agency that the documents are real, security researchers and analysts examining the contents have publicly affirmed that they believe them to be authentic.

      Of particular note in the released documents is the existence of previously undisclosed vulnerabilities in a variety of consumer devices and software from companies such as Google, Apple, Cisco, and various antivirus companies including F-Secure. The affected companies have in turn issued statements on the impact of the revealed materials and recommendations for affected users.

    • 21 Mar

      US, UK 'ban laptops' on direct flights from 10 airports

      The US has banned laptops, tablets and other devices larger than a smartphone in carry-on luggage on direct inbound flights from specific airports and airlines. The ban was reportedly prompted by security fears after the government received intelligence that terrorist groups were trying to install explosives on such devices.

      The US ban affects 8 countries - Jordan, Egypt, Turkey, Saudi Arabia, Morocco, Qatar, Kuwait and the United Arab Emirates - and 10 airports. The UK followed suit shortly after, imposing a similar ban that affects flights from 6 countries - Egypt, Jordan, Lebanon, Saudi Arabia, Tunisia and Turkey.

      The ban has raised concerns over the security of any devices that would now need to be stowed in checked-in luggage for the affected flights. The concern is particularly pressing for business travellers, who are faced with ensuring the integrity of any data stored on the devices while they are out of sight. Security observers have also questioned the effectiveness of the ban itself.

    • 10 Feb

      US: Microsoft allowed to sue gov't over secret gag orders

      A US federal judge has determined that Microsoft has sufficient standing to sue the US Department of Justice (DOJ) for the right to inform its users when their data has been subjected to a legal data demand from the government.

      Currently, legal demands for user data made under the Electronic Communications Privacy Act (ECPA) are also accompanied by gag orders which prevent the affected companies from alerting their users to the requests. These gag orders frequently have no end date, a situation which the companies say violates the Fourth Amendment rights of their users. The DOJ in turn has argued that the companies suffer no material harm from not providing such notice to their users, and that the companies themselves have no standing to pursue Fourth Amendment claims on behalf of others.

      The judge's decision to allow Microsoft to proceed with its lawsuit has been hailed as a promising development by privacy advocates, who remain concerned about secretive government overreach to data held in cloud storage.

    • 20 Feb

      Concerns raised over US border phone searches

      Following the controversy over the travel ban initiated by President Trump, concerns have been raised over the impact on privacy of the vetting procedures used by US border officials, especially after multiple reports surfaced of travelers (both US citizens and non-citizens) being pressured to give their phone or device passwords in order for immigration officers to view the contents.

      The concerns were also heightened by comments from Department of Homeland Security (DHS) Secretary John Kelly that foreign visa applicants may be required to provide the passwords to their social media accounts as part of vetting procedures. The news reports and controversy have led at least one US Senator to launch legislation that would require border agents to obtain a warrant before they can search devices.

    • 6 Jan

      US: Election systems designated 'critical infrastructure'

      Following the contentious 2016 US presidential election, which was marred by claims of election rigging and cyber attacks, the nation's election infrastructure has been officially designated as 'critical', alongside other sectors such as finance, food and agriculture, and communications. The designation formally gives the Department of Homeland Security (DHS) responsibility to prioritize and protect the identified sectors.

    • 26 Jan

      US executive order prompts Privacy Shield concerns

      US President Trump's executive order, Enhancing Public Safety in the Interior of the United States, which expressly excludes non-US citizens from being granted privacy protections under the US Privacy Act, has raised concerns over the standing of the US-EU Privacy Shield legislation, especially among the tech companies who would be hardest hit if the legislation were dismantled.

      European legislators, who have to date been stringent in overseeing the privacy of European data being held on servers belonging to US tech companies, had already scuttled the preceding Safe Harbor act after the European Court of Justice ruled that the US had failed to properly heed European privacy requirements.

      While some legal commentators have noted that the executive order does not appear to affect Privacy Shield, the uncertainty has prompted calls from the tech industry for more overt assurance from the US government.

Privacy

    • 15 Mar

      33M records of US corporate contacts leaked

      A database containing over 33 million records of contact details for personnel in a wide swathe of corporations and government bodies has reportedly been leaked. According to news coverage, the database has been confirmed as belonging to Dun & Bradstreet, a business services organization that acquired the database in a 2015 deal with NetProspex.

      A statement from the company itself claims that no breach of its internal systems occurred, and that the database contains "generally publicly available business contact data, used for sales and marketing purposes."

    • 24 Mar

      Docs.com users accidentally exposing personal info

      A security researcher discovered that thousands of users had inadvertently left their passwords and other sensitive personal data publicly viewable for months on the popular Docs.com file-sharing service from Microsoft.

      The service, which uploads all documents as publicly-viewable by default, also offers options for more limited access which restrict viewing to a selected audience; the research however indicated that many users uploaded sensitive documents with default settings that left them viewable to any users browsing the site using a built-in search engine.

      Following the news reports, Microsoft briefly took down the site's search engine, though the feature has since returned.

    • 28 Mar

      US Senate, Congress allows ISPs to sell user browsing history

      Both the US Senate and Congress have voted to repeal regulations that required Internet Service Providers (ISPs) to obtain user consent before selling on the sensitive personal data they handle and collect, including user browsing histories, to advertisers and other third-party agencies.

      The repeal has led to concerns about how ISPs could use the data, with privacy advocates worried that the material could be sold on without the user's knowledge or consent. In response, some US states have begun introducing legislation that would require ISPs to obtain written permission from their users before the company could sell the collected data.

    • 16 Feb

      Yahoo!: Forged cookies used to hack some accounts

      Yahoo! has again returned to the headlines for a security incident, as it sent email notifications to some users informing them that their account had been accessed as recently as 2015 or 2016 using forged cookies. The company had last year quietly disclosed, in a filing with the Securities and Exchange Commission, that it had suffered a data breach exploiting the cookie-related vulnerability, but this is the first notification of that particular breach to be sent to the affected users themselves.

      Verizon, which is in acquisition negotiations with the embattled Yahoo!, has since announced that the agreed price for the deal has been reduced by $350 million.

    • 17 Feb

      Germany: connected doll 'illegal spy device'

      Germany's telecommunications regulator, the Federal Network Agency (Bundesnetzagentur), has urged parents to get rid of the Cayla Internet-connected dolls, after ruling that the toys were legally considered 'surveillance devices'. The toys themselves have been banned in the country.

      Germany is considered one of the most privacy-conscious countries in Europe, and considers any device that can record and transmit audio or video without detection to be unlawful. Security researchers have demonstrated that the Bluetooth connection used by the doll can be hacked to eavesdrop on persons within the toy's vicinity.

    • 24 Feb

      'Cloudbleed': Cloudflare bug leaks user data

      Google researchers announced the discovery of a bug, dubbed 'Cloudbleed', in the Cloudflare web hosting and security infrastructure, which had been leaking private user data for months. The infrastructure, which is owned and managed by Cloudflare, is quietly used in the background by hundreds of thousands of websites to improve their traffic handling capabilities, in particular popular services such as OKCupid, Uber and Fitbit.

      The bug, in simple terms, unintentionally loaded the private data of other users into a webpage's source code, where it is not visible to normal users. All reports have indicated that the data is not currently being exploited.

      In response, Cloudflare has been open, prompt and transparent in fixing and addressing the issue. They have also urged users to change all passwords, strictly as a precaution.

    • 28 Feb

      Cloudpets connected toys data breach

      Security researcher Troy Hunt reported that the personal data of over half a million customers who had bought Internet-connected toys had been compromised due to a poorly secured database.

      The CloudPets toys, which could be connected via Bluetooth to a phone app that allowed parents to leave audio messages for their children, reportedly stored user info and voice messages in a public-facing database with weak security. Though the database has since been removed from public access, the researcher noted that multiple demands for ransom had been left by then. Warnings sent to the Spiral Toys company selling the toys were reportedly ignored, and no notice about the data breach has yet been provided to affected users. Spiral Toys has also denied the breach, saying that no recordings had been stolen.

    • 13 Jan

      900GB Cellebrite data lost to hack, some tools published online

      900GB of data were reportedly leaked from Cellebrite, the data extraction company best known for . The stolen data was said to include customer information, technical product details and also some of the evidence the company was able to retrieve from devices.

      The company itself has confirmed that it detected "unauthorized access" on an external server, but was "not aware of any specific increased risk to customers as a result of this incident".

      A couple of weeks later, the hacker publicly released (a part of) the stolen data to Pastebin. The released data mainly focused on tools to hack iOS, but there are also references to Samsung and Blackberry. Some of the iOS tools are nearly identical to software written by the jailbreaking scene.

Attacks

    • 15 Mar

      Website attacks exploiting zero-day in Apache Struts 2

      Security researchers reported the discovery of a zero-day vulnerability in the Apache Struts 2 framework, which could allow an attacker to remotely execute code on an affected web server. Exploit code for the flaw was said to be publicly available on hacker forums for some time prior to the report.

      Shortly after an exploit for the flaw was added to the Metasploit framework, an increase in scans for and attacks against servers affected by the vulnerability was observed. A patch for the CVE-2017-5638 flaw has been quickly issued and server administrators are urged to apply it as soon as possible.

    • 16 Mar

      FBI briefing hints spearphishing led to Yahoo! breach

      A briefing by the Federal Bureau of Investigation (FBI) on the massive Yahoo! data breach revealed that their investigations indicated that the intrusion likely began with a spearphishing attack on a single 'semi-privileged' employee.

      According to news reports, the initial targeting led to the attackers obtaining the employee's credentials, which gave them access to the company's internal network. The attackers were then able to move laterally through the network until they could reach targets of interest, as well as discover the tool which allowed them to forge cookies that granted access to the targeted accounts.

    • 26 Mar

      Hacker group demands ransom from Apple, alleges mass iCloud account hack

      A hacker group calling itself the Turkish Crime Family claims it has access to 250 million iCloud accounts, and is demanding a ransom of $700,000 from Apple in return for not locking the users out of their own accounts on 7 April. For its part, Apple has said that there have been no breaches of its systems, and that the email account details the group had used to demonstrate its access appeared to be culled from 'previously compromised third-party sources'.

      While there has been no solid evidence thus far that the group has the breadth of access that it claims, news reports have recommended that users change their passwords and enable two-factor authentication on their accounts, just in case.

    • 8 Feb

      In-memory malware targeting banks, other enterprises

      Fileless, in-memory malware has been reported in 140 enterprise networks in over 40 countries. Once considered the province of nation-state actors for espionage, in-memory malware now appears to be within the reach of cybercriminals. Of particular note is its use against banks, which have been under increasingly public cyber attack in the last few years.

    • 10 Feb

      Hackers turn university's IoT devices on its own network

      Following complaints of network inaccessibility, administrators at an American university discovered that their network contained over 5000 IoT devices - from smart lightbulbs to vending machines - which had been infected by a botnet.

      The devices had fallen victim due to using default or weak passwords, which allowed attackers to brute-force and infect them. Once roped into the botnet, the IoT devices made hundreds of DNS lookups every 15 minutes, causing the bandwidth issues.

    • 17 Feb

      Android malware used to spy on Israeli soldiers

      Researchers reported the discovery of ViperRAT malware targeting the Android devices of Israeli military members. The malware is capable of monitoring activity and harvesting content from the device, most notably images and audio files, as well as text and contact data. According to reports, the malware is distributed using social engineering tactics.

      The group operating the RAT is not explicitly identified in the reports, though speculation based on analysis of the malware itself is that they operate out of the Middle East.

Malware

    • 6 Mar

      StoneDrill malware reported

      Researchers reported the discovery of a new malware family that wipes all accessible files on the system and is also capable of spreading itself to other accessible machines in the network. Named StoneDrill, the new malware bears similarities to the existing Shamoon malware, though reports indicate that the two families are more likely to have been the products of two separate groups.

      The StoneDrill family mostly appears to focus on organizations in Saudi Arabia, though at least one instance of it appearing in Europe has been noted, indicating either an unintentional infection or an expansion of scope.

    • 14 Mar

      Supply chain attack 'pre-installs' malware on 36 Android phones

      Security researchers reported discovering malicious apps on 36 different models of 'factory-fresh' Android phones. The apps were not part of the official ROM provided by the vendors, indicating that the devices had been infected somewhere along the supply chain or manufacturing process.

      Affected models were mostly from the Samsung Galaxy range, as well as specific models from the Xiaomi, Lenovo, Oppo and Asus brands. The pre-installed apps were mainly designed to either silently collect information or display ads, though at least one was reportedly ransomware.

    • 15 Feb

      APT28 Xagent backdoor for Mac reported

      Security researchers reported discovering a new version of a malware linked to a known cyberespionage group which can target OS X systems in order to steal passwords and screenshots, execute files and so on.

      The emergence of a Mac version of the Xagent backdoor, which is already operable on Windows, Linux and Android, indicates the expanding scope of the APT28 hacker group, which has been previously linked to the 2016 hack of the US Democratic National Committee, among other alleged cyber attacks.

    • 16 Feb

      Flaws found in Android 'connected-car' apps

      Security researchers reported finding security flaws in the Android 'connected-car' apps on offer from seven car manufacturers that could allow hackers to locate or access a connected car through the app itself. The apps were not named in the report.

      According to the researchers, the apps' code lacks basic security protections, potentially allowing attackers to tamper with the programs in order to affect the connected car. The researchers have stressed that they have not found any real-world attacks targeting the flaws they note, and compare the nascent state of 'connected-car' apps to the more secure banking apps, which rapidly incorporated security layers into their design in response to repeated attacks.

    • 10 Jan

      Spora ransomware targets Russian users

      A new ransomware variant dubbed Spora targets Russian customers. The malware arrives on the system via spam pretending to be an invoice from accounting software, with an .hta downloader attached (filename: "Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta").

      This ransomware differs from other variants in that it asks for a relatively small ransom, and provides options for paying up. The affected users can choose from only restoring files, removing the malware, purchasing immunity, or all of the previously mentioned options for a cheaper package price. This kind of revenue model is the first of its kind with ransomware.

    • 18 Jan

      Fruitfly/Quimitchin backdoor targets Mac OS X and Linux

      Researchers from Malwarebytes discovered a new backdoor malware dubbed Fruitfly/Quimitchin targeting Mac OS X and Linux platforms. The comments and imported libraries suggest that the malware has been around for multiple years, and it had resided on the compromised systems for at least two years. The malware was discovered only recently because it was tightly targeted at systems all belonging to biomedical research institutions.

Vulnerabilities

    • 15 Mar

      Flaw reported in WhatsApp, Telegram web apps

      Security researchers privately reported a flaw in the browser-based versions of popular mobile messaging apps WhatsApp and Telegram, which if exploited could allow attackers to send malicious code embedded in an image file. Following the disclosure, both companies quickly issued patches to close the loophole.

      Coverage of the incident has highlighted that in comparison to a smartphone, the web browser remains a more vulnerable channel for communication, even for encrypted messaging applications.

    • 20 Mar

      Cisco: 0-day revealed in 'Vault 7' CIA docs leak

      Cisco announced that its perusal of the documents dumped in the 'Vault 7' WikiLeaks release has turned up a zero-day vulnerability affecting their IOS and IOS XE software. The CVE-2017-3881 flaw could, if exploited, allow an attacker to remotely run code with elevated privileges on affected devices, which include hundreds of router and switch models sold by the company.

      According to Cisco's own security advisory, no workaround exists for the vulnerability, though 'disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector.'

    • 22 Mar

      DoubleAgent exploits Application Verifier

      Security researchers publicized a method to create launch points in Windows by leveraging in-built Application Verifier mechanisms. An attacker with admin privileges could use such methodology to replace a legitimate DLL from Microsoft with a malicious one, and thus hijack any process running under Windows.

      While the original report focused on hijacking antivirus applications, the attack method is reportedly able to target any other application, including the operating system itself. While some companies have issued patches to address the attack method, others have highlighted that an attacker would require both physical access to the targeted machine and admin privileges on it, significantly reducing the severity of the attack method.

    • 29 Mar

      Flaws in LastPass reported

      Google security researchers privately reported three vulnerabilities in popular password manager LastPass in the span of a month, with the first two related to extensions used by the manager in different browsers and the third one being a 'unique and highly sophisticated' vulnerability that could allow malicious sites to steal passwords.

      LastPass quickly issued patches for the first two flaws and confirmed that it is working on a fix for the newest reported vulnerability. In the meantime, the company has also recommended that its users use the LastPass Vault to launch sites until the third flaw is fixed, and where possible, enable two-factor authentication.

    • 20 Feb

      Project Zero discloses Microsoft zero-day

      Google's Project Zero announced its discovery of a zero-day vulnerability (CVE-2017-0038) in the Windows Graphics Device Interface (GDI) after Microsoft failed to address the issue within the standard 90-day window Project Zero provides for disclosing and fixing vulnerabilities.

      According to reports, the announcement had been timed to coincide with Microsoft's February Patch Tuesday release, but the updates were unexpectedly postponed for a month due to a 'last-minute issue'.

    • 23 Feb

      Linux patches decade-old DCCP flaw

      A patch has been released for a recently discovered vulnerability (CVE-2017-6074) in the code for Linux's Datagram Congestion Control Protocol (DCCP), which is enabled on many Linux distributions. According to news reports, the vulnerability was introduced in 2005 when DCCP was first incorporated.

      Administrators are advised to check if their installations are vulnerable and apply the relevant patches as soon as possible. A workaround to manually disable the DCCP kernel module is also available.

    • 22 Feb

      Adobe, Microsoft release updates for Flash flaws

      Adobe and Microsoft both released security updates this week to address 13 vulnerabilities in Flash Player libraries used by Internet Explorer 10, Internet Explorer 11 and Edge. According to reports, the vulnerabilities were not under active exploitation at the time of patch release.

Enforcement

Product Security

    • 7 Mar

      Apple: Many 'Vault 7' flaws already fixed

      Following WikiLeaks' 'Vault 7' release of documents allegedly describing CIA hacking tools, Apple released a statement saying that many of the exploits revealed in the material had already been addressed in the latest updates for their iOS system. The company also said that they are working to 'rapidly address' the rest.

      The leaked documents contained details of exploits that targeted mobile operating systems from both Apple and Google, though thus far only Apple has issued a statement addressing the revelations.

    • 14 Mar

      Patch Tuesday fixes 134 flaws

      Following an unexpected pause in its patch release cycle last month, Microsoft pushed out a monster update in this month's Patch Tuesday release, with 18 patches (9 of them marked Critical) to address 134 vulnerabilities. Users are, as usual, urged to apply the patches at their earliest convenience.

    • 23 Mar

      Instagram adds 2-factor authentication

      Popular image-sharing site Instagram has introduced 2-factor authentication in a move to improve security for its users. The measure is aimed at protecting users against having their accounts compromised if an attacker manages to steal their login credentials (most commonly through phishing attacks or password reuse), and requires a six-digit code sent to the user's device each time they want to log into the service.

    • 27 Mar

      Google acts against Symantec 'mis-issued' certs

      Google announced that its Chrome web browser will be reducing the level of trust it assigns to certificates issued by Symantec, which are used by hundreds of thousands of websites to authenticate their encrypted connections. The announcement follows reports that Symantec, which reportedly serves as a Certificate Authority (CA) for almost 30% of all sites on the Internet as of 2015, had issued the coveted certificates to some 30,000 sites without properly verifying the recipients, thereby undermining the value and usefulness of the issued certificates.

      The latest move would have Chrome reducing the amount of time that the affected certificates are considered 'trusted', as well as requiring that the sites using such certificates replace them with newer, trusted ones. For its part, Symantec has called Google's claims 'exaggerated and misleading'. Website owners who use Symantec-issued certificates would in the meantime have to take steps to ensure that Chrome-using visitors would still be able to access their site as normal.

    • 31 Mar

      Microsoft: No patch for flaw in EOL'ed Windows Server

      Microsoft has confirmed it will not issue a patch for a zero-day vulnerability in IIS 6 on Windows Server 2003 R2, which has not been supported since 2010. The CVE-2017-7269 flaw could allow an attacker to remotely run code on a vulnerable machine, and had reportedly already been actively exploited in-the-wild last year.

      The confirmation from Redmond follows the release of proof-of-concept (POC) exploit code by security researchers, which has led to concerns that malware authors would integrate the POC into their own attack code. According to reports, some 600,000 servers are still using IIS 6 today, with many of them based in China and the US.

    • 13 Jan

      WhatsApp vs The Guardian: It's not a 'backdoor', it's a 'feature'

      An article published in The Guardian caused concern among security researchers over claims that the popular mobile messaging app WhatsApp contained what it called a 'backdoor'. The article reported on the contentions of an independent security researcher that the way the app handles changes in a user's encryption key amounted to a 'retransmission vulnerability' that could allow an attacker to intercept and read encrypted messages.

      WhatsApp has rejected the claim, arguing that the issue was in fact a deliberate design choice that balanced performance and usability, providing security without disrupting the user experience for the less tech-savvy profile of its user base. Security researchers also disagreed with the characterization of the issue as either a 'backdoor' or a 'vulnerability', and issued an open letter to The Guardian calling for the retraction of the article.

    • 19 Jan

      $40K payout for critical ImageMagick bug bounty report

      A security researcher discovered a way to circumvent the patch that the Facebook security team had used to fix the critical remote code execution vulnerability in the open-source ImageMagick image-processing tool that was reported last May. The researcher subsequently reported his discovery to Facebook, who quickly closed the hole and rewarded the researcher with a $40,000 payout under their bug bounty program, the biggest payment they've made to date.

Sources

Items listed in the Calendar were reported in various technology news portals, security research publications, law enforcement sites, major newspapers and our own F-Secure Weblog.

See our Threat Reports for previous editions of the Incidents Calendar.