Incidents Calendar

Notable recent developments in digital security


Digital Security

    • 17 May

      UK: Activist charged for not giving device passwords

      The United Kingdom has formally charged Muhammad Rabbani, a director of the Cage human rights campaign group, with wilfully obstructing a search under Schedule 7 of the Terrorism Act 2000 for refusing to divulge the passwords for his electronic devices when stopped at the UK border in 2016.

      The controversial Schedule 7 legislation gives police broad powers to search individuals and their devices without needing the approval of a judge, including requiring suspects to hand over the passwords for any devices present. According to news reports, Rabbani claimed his laptop had contained confidential information related to a human rights abuse case involving US intelligence services.

      This is reportedly the first time that a formal charge has been filed under Schedule 7 for failing to disclose passwords.

    • 28 May

      US: Laptop ban may apply to all flights to & from US

      United States Secretary of Homeland Security John Kelly reportedly said that the department was considering expanding the existing ban on laptops in the cabins of flights to the US from certain countries to cover all international flights both into and out of the country.

      If instituted, the ban would mean that any electronic device larger than a smartphone would have to travel in checked baggage on international flights. The ban in its current form has already raised concerns about the physical security of electronics transported in checked baggage, as well as about the security of any data stored on such devices.

    • 4 Apr

      US allows ISPs to sell user data

      The United States passed legislation repealing privacy regulations that prevented Internet Service Providers (ISPs) from selling the user browsing data they collect. The legislation essentially allows ISPs to sell the collected information to advertisers and other third-party agencies without requiring prior authorization or notification to the user.

      The legislation had prompted criticism from privacy and consumer rights advocates, who point out that many users are in no position to choose alternative ISPs if they disagree with the providers' policies. In response to these concerns, some ISPs have publicly announced that they would not collect personal information unless explicitly permitted by their users.

    • 5 Apr

      US considers extending 'extreme vetting' to more US visitors

      The Trump administration is reportedly considering expanding the practice known as 'extreme vetting' during the visa application process to include applicants from more countries, including the US's traditional allies such as Britain, France and Australia.

      'Extreme vetting', which means demanding mobile phone contacts, social media passwords and other personal information, supposedly to gauge a visa applicant's security risk, has already drawn major privacy and security concerns. Until now, however, such intensive scrutiny was not considered necessary for nationals of the 38 countries in the US visa waiver program, as those nations already have a cooperative data sharing arrangement with the US.

      News reports have been careful to note that the changes are only being 'considered', and the Department of Homeland Security has thus far not commented on the speculations.

    • 4 Mar

      Trump wiretapping claims lead to flat denial from GCHQ

      A political firestorm sparked by US President Trump's claim that the preceding administration had 'wiretapped' him during the presidential election campaign caused further trans-Atlantic consternation when the White House press secretary quoted a media report alleging that the UK's intelligence agency GCHQ had been used to carry out the surveillance.

      The allegations led to an unprecedented public statement from GCHQ dismissing the claims as 'utterly ridiculous', breaking its longstanding practice of not commenting on media reports about its activities. Statements from the UK government have also repudiated the claims.

    • 8 Mar

      WikiLeaks releases 'Vault 7' docs of CIA hacking tools

      WikiLeaks released a vast trove of documents (referred to as the Vault 7 cache), reportedly from the CIA, covering the agency's hacking techniques and tools. While the agency has not confirmed that the documents are real, security researchers and analysts who have examined the contents have publicly said that they believe them to be authentic.

      Of particular note in the released documents is the existence of previously undisclosed vulnerabilities in a variety of consumer devices and software from companies such as Google, Apple and Cisco, and in products from various antivirus companies including F-Secure. The affected companies have in turn issued statements on the impact of the revealed material and recommendations for affected users.

    • 21 Mar

      US, UK ban laptops on direct flights from 10 airports

      The US has banned laptops, tablets and other devices larger than a smartphone from carry-on luggage on direct inbound flights from specific airports and airlines. The ban was reportedly prompted by intelligence that terrorist groups were trying to conceal explosives inside such devices.

      The US ban affects 8 countries - Jordan, Egypt, Turkey, Saudi Arabia, Morocco, Qatar, Kuwait and the United Arab Emirates - and 10 airports. The UK followed suit shortly after, imposing a similar ban that affects flights from 6 countries - Egypt, Jordan, Lebanon, Saudi Arabia, Tunisia and Turkey.

      The ban has raised concerns over the security of devices that must now be stowed in checked luggage on the affected flights. The concern is particularly pressing for business travellers, who must somehow ensure the integrity of data stored on devices that are out of their sight. Security observers have also questioned the effectiveness of the ban itself.

    • 10 Feb

      US: Microsoft allowed to sue gov't over secret gag orders

      A US federal judge has determined that Microsoft has sufficient standing to sue the US Department of Justice (DOJ) for the right to inform its users when their data has been subjected to a legal data demand from the government.

      Currently, legal demands for user data made under the Electronic Communications Privacy Act (ECPA) are frequently accompanied by gag orders which prevent the affected companies from alerting their users to the requests. These gag orders often have no end date, a situation which the companies say violates the Fourth Amendment rights of their users. The DOJ in turn has argued that the companies suffer no material harm from not being able to notify their users, and that the companies themselves have no standing to pursue Fourth Amendment claims on behalf of others.

      The judge's decision to allow Microsoft to proceed with its lawsuit has been hailed as a promising development by privacy advocates, who remain concerned about secretive government overreach to data held in cloud storage.

    • 20 Feb

      Concerns raised over US border phone searches

      Following the controversy over the travel ban initiated by President Trump, concerns have been raised over the privacy impact of the vetting procedures used by US border officials, especially after multiple reports surfaced of travelers (both US citizens and non-citizens) being pressured to give up their phone or device passwords so that immigration officers could inspect the contents.

      The concerns were heightened by comments from Department of Homeland Security (DHS) Secretary John Kelly that foreign visa applicants may be required to provide the passwords to their social media accounts as part of vetting procedures. The reports and the ensuing controversy have led at least one US Senator to introduce legislation that would require border agents to obtain a warrant before they can search devices.

    • 6 Jan

      US: Election systems designated 'critical infrastructure'

      Following the contentious 2016 US presidential election, which was marred by claims of election rigging and cyber attacks, the nation's election infrastructure has been officially designated as 'critical', alongside other sectors such as finance, food and agriculture, and communications. The designation formally gives the Department of Homeland Security (DHS) responsibility for prioritizing and protecting the identified sectors.

    • 26 Jan

      US executive order prompts Privacy Shield concerns

      US President Trump's executive order, Enhancing Public Safety in the Interior of the United States, which expressly excludes non-US citizens from privacy protections under the US Privacy Act, has raised concerns over the standing of the EU-US Privacy Shield framework, especially among the tech companies who would be hardest hit if the framework were dismantled.

      The preceding Safe Harbor framework was already invalidated in 2015 when the European Court of Justice ruled that it failed to properly protect European privacy rights, and European authorities have since been stringent in overseeing European data held on servers belonging to US tech companies.

      While some legal commentators have noted that the executive order does not appear to affect Privacy Shield, the uncertainty has prompted calls from the tech industry for more explicit assurances from the US government.

Privacy

    • 12 May

      HP laptops with 'keylogger' installed reported

      Security researchers reported their discovery of an audio driver, found on some HP device models, with a debugging feature that effectively functioned like a keylogger. The driver was found to be quietly recording all keystrokes entered on the affected devices and storing the information in an unencrypted file on the laptop's hard drive; data that would have included such sensitive information as login credentials and banking information.

      The audio driver, which was developed by Conexant, was reportedly preinstalled on more than two dozen laptop and tablet models, including the HP Elitebook and ZBook. HP announced that it has since issued a patch to fix the issue.

    • 19 May

      Twitter kills 'Do Not Track' feature

      Twitter recently announced a number of changes to its privacy and data usage policies which have raised concerns among privacy-conscious users. The changes include discontinuing support for the Do Not Track (DNT) browser feature and extending the life of its tracking cookies. The revisions also include giving the user more transparency and control over the information it collects and shares with third parties.

    • 31 May

      Germany: Parents denied access to teen's Facebook account

      A German appeals court has ruled that the parents of a teen who was killed by a train in 2012 did not have any rights to access the child's Facebook account. The parents had sought access to the account to determine if their child had been bullied or suicidal; Facebook had however rejected their request due to concerns that granting it could set a precedent and compromise the privacy of other account holders.

      In the first case filed by the parents, a regional court had ruled in the family's favour and allowed them access to the account; on appeal, however, the court ruled that the teen had entered into a contract with Facebook when creating the account, and that this contract ended with the teen's death.

    • 3 Apr

      Fancy Bear hacking group steals more athlete medical data

      The International Association of Athletics Federations (IAAF) announced that it had been hit by a cyber-attack that may have compromised some of its stored medical information for international athletes.

      The organization attributed the attack to the hacking group known as Fancy Bear, which is believed to also be behind previous attacks on the World Anti-Doping Agency (WADA) and the US presidential elections. The group is also believed to have ties to Russia, though the nation has repeatedly denied the allegations.

    • 15 Apr

      Shadow Brokers' NSA leak: Windows exploits, SWIFT banking hacks

      The hacking group known as the Shadow Brokers released documents allegedly stolen from the NSA that contain exploits for vulnerabilities in various Windows operating systems, several of which Microsoft had patched a month earlier, along with a framework that could be used to load and run the exploits.

      Also included in the release was code that appears to show the NSA hacking deep into banks, particularly in the Middle East. According to reports, the agency focused on gaining access to at least one of the regional service bureaus tied to the SWIFT global banking network, though the named bureau has since denied the reports.

    • 19 Apr

      Intercontinental data breach expanded from 12 to 1,000 affected hotels

      Following an internal investigation, the Intercontinental hotel chain announced that over 1,000 of its hotel properties had shown signs of having data-harvesting malware installed on their point-of-sale (POS) systems. The number of affected properties is a dramatic increase over the 12 that the chain initially thought had been compromised.

      According to reports, the malware was active for three months at the end of 2016 and was designed to steal data from the magnetic stripe of payment cards. It was reported only in hotels in the US and Puerto Rico, though the chain has said it will investigate its other international properties.

    • 15 Mar

      33M records of US corporate contacts leaked

      A database containing over 33 million records of contact details for personnel in a wide swathe of corporations and government bodies has reportedly been leaked. According to news coverage, the database has been confirmed as belonging to Dun & Bradstreet, a business services organization that acquired the database in a 2015 deal with NetProspex.

      A statement from the company itself claims that no breach of its internal systems occurred, and that the database contains "generally publicly available business contact data, used for sales and marketing purposes."

    • 24 Mar

      Docs.com users accidentally exposing personal info

      A security researcher discovered that thousands of users had inadvertently left their passwords and other sensitive personal data publicly viewable for months on the popular Docs.com file-sharing service from Microsoft.

      The service, which uploads all documents as publicly-viewable by default, also offers options for more limited access which restrict viewing to a selected audience; the research however indicated that many users uploaded sensitive documents with default settings that left them viewable to any users browsing the site using a built-in search engine.

      Following the news reports, Microsoft briefly took down the site's search engine, though the feature has since returned.

    • 28 Mar

      US Senate, House vote to allow ISPs to sell user browsing history

      Both the US Senate and the House of Representatives have voted to repeal regulations that required Internet Service Providers (ISPs) to obtain user consent before selling the sensitive personal data they handle and collect, including user browsing histories, to advertisers and other third parties.

      The repeal has led to concerns about how ISPs could use the data, with privacy advocates worried that the material could be sold on without the user's knowledge or consent. In response, some US states have begun introducing legislation that would require ISPs to obtain written permission from their users before the company could sell the collected data.

    • 16 Feb

      Yahoo!: Forged cookies used to hack some accounts

      Yahoo! has again returned to the headlines for a security incident, as it sent email notifications to some users informing them that their accounts had been accessed, as recently as 2015 or 2016, using forged cookies. The company had last year quietly disclosed in a filing with the Securities and Exchange Commission that it had suffered a breach exploiting the cookie-forging technique, but this is the first notification of that particular breach sent to the affected users themselves.

      Verizon, which is in acquisition negotiations with the embattled Yahoo!, has since announced that the agreed price for the deal has been reduced by $350 million.

    • 17 Feb

      Germany: connected doll 'illegal spy device'

      Germany's telecommunications regulator, the Federal Network Agency (Bundesnetzagentur), has urged parents to get rid of the Internet-connected Cayla doll after ruling that the toy is legally a 'surveillance device'. Sale of the toy has been banned in the country.

      Germany is considered one of the most privacy-conscious countries in Europe, and considers any device that can record and transmit audio or video without detection to be unlawful. Security researchers have demonstrated that the Bluetooth connection used by the doll can be hacked to eavesdrop on persons within the toy's vicinity.

    • 24 Feb

      'Cloudbleed': Cloudflare bug leaks user data

      Google researchers announced the discovery of a bug, dubbed 'Cloudbleed', in Cloudflare's content delivery and security infrastructure that had been leaking private user data for months. The infrastructure, owned and managed by Cloudflare, is used quietly in the background by hundreds of thousands of websites to improve their traffic handling, including popular services such as OKCupid, Uber and Fitbit.

      The bug, in simple terms, caused the private data of other users to be emitted into a web page's source, where it is not visible to ordinary visitors but is readable by anyone who inspects the page, including search engine crawlers that cached it. No reports so far indicate that the leaked data has been exploited.

      In response, Cloudflare has been open, prompt and transparent in fixing and addressing the issue. It has also urged users to change all their passwords, strictly as a precaution.
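
      As an added illustration (not Cloudflare's code, which this page does not reproduce): the class of bug behind Cloudbleed is a parser whose end-of-buffer test is an equality check, so a malformed token can push the read pointer past the end of the buffer it should stay within, after which the loop happily copies whatever lies beyond, including another tenant's data, into the current page. The toy below builds a constructed arena holding one site's truncated page followed by another user's bytes, and runs the vulnerable check beside the bounded one.

```python
# Toy reproduction of the bug class behind 'Cloudbleed': an HTML-rewriting
# parser whose end-of-buffer test uses equality, so a malformed token can
# push the read pointer past 'end' and the loop keeps copying adjacent memory.
# Constructed example; not Cloudflare's parser.

TAG = 0x02  # marks a length-prefixed token: TAG, length byte, payload


def copy_tokens(arena: bytes, start: int, end: int, *, bounded: bool) -> bytes:
    """Copy arena[start:end] to the output, expanding TAG tokens.

    bounded=False reproduces the vulnerable shape: 'p != end' and an unclamped
    payload copy. bounded=True is the fix: 'p < end' and every read clamped
    to 'end', so the other tenant's bytes are never touched.
    """
    out = bytearray()
    p = start
    if bounded:
        while p < end:
            if arena[p] == TAG and p + 1 < end:
                n = arena[p + 1]
                limit = min(p + 2 + n, end)  # never read past this buffer
                out += arena[p + 2:limit]
                p = limit
            else:
                out.append(arena[p])
                p += 1
    else:
        # 'p < len(arena)' stands in for the process boundary where a real
        # over-read would finally fault; it is not part of the parser's logic.
        while p != end and p < len(arena):
            if arena[p] == TAG:
                n = arena[p + 1]
                out += arena[p + 2:p + 2 + n]  # may read beyond 'end'
                p += 2 + n                     # may jump past 'end'; 'p != end' stays true
            else:
                out.append(arena[p])
                p += 1
    return bytes(out)


# Constructed arena: one site's page, truncated mid-token, followed by memory
# belonging to a different tenant (here a session cookie for another user).
PAGE = b"<html>" + bytes([TAG, 40]) + b"abc"      # token claims 40 bytes, only 3 present
OTHER_TENANT = b"Set-Cookie: session=SECRET-TOKEN-OF-ANOTHER-USER; Secure"
ARENA = PAGE + OTHER_TENANT
PAGE_END = len(PAGE)


def leaked_bytes() -> bytes:
    """What the vulnerable parser would emit into the first site's page."""
    return copy_tokens(ARENA, 0, PAGE_END, bounded=False)


def safe_bytes() -> bytes:
    """What the bounded parser emits: the page, and nothing beyond it."""
    return copy_tokens(ARENA, 0, PAGE_END, bounded=True)


if __name__ == "__main__":
    print("vulnerable:", leaked_bytes())
    print("bounded:   ", safe_bytes())
```

      The point to take from the toy is that the fix is not a single extra check but a rule: every pointer advance and every read is clamped to the buffer the parser was handed, and the loop condition is a strict inequality, so no single malformed length can carry the parser out of bounds.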

    • 28 Feb

      Cloudpets connected toys data breach

      Security researcher Troy Hunt reported that the personal data of over half a million customers who had bought Internet-connected toys had been exposed by a poorly secured database.

      The CloudPets toys, which connect via Bluetooth to a phone app that lets parents leave audio messages for their children, reportedly stored user information and voice messages in a public-facing database with weak security. Though the database has since been taken off public access, the researcher noted that multiple ransom demands had already been left in it. Warnings sent to Spiral Toys, the company selling the toys, were reportedly ignored, and no notice about the breach has yet been provided to affected users. Spiral Toys has also denied the breach, saying that no recordings were stolen.

    • 13 Jan

      900GB Cellebrite data lost to hack, some tools published online

      900GB of data were reportedly leaked from Cellebrite, the data extraction company best known for . The stolen data was said to include customer information, technical product details and also some of the evidence the company was able to retrieve from devices.

      The company itself has confirmed that it detected "unauthorized access" on an external server, but said it was "not aware of any specific increased risk to customers as a result of this incident".

      A couple of weeks later, the hacker publicly released part of the stolen data on Pastebin. The released material mainly concerns tools for extracting data from iOS devices, but there are also references to Samsung and BlackBerry devices. Some of the iOS tools are nearly identical to software written by the jailbreaking scene.

Attacks

    • 3 May

      'Google Docs' phishing campaign reported

      A phishing email campaign has been reported that uses a legitimate-looking Google Docs link to lure users into granting permissions to a malicious OAuth app disguised as Google Docs. If the unsuspecting user does so, they effectively grant the attacker's app access to their Gmail account, without ever handing over a password.

      The phishing emails are styled to look very similar to the notification emails that legitimate Google Docs apps send out. Clicking on the included link however would lead to a dialog asking the user to allow an app named Google Docs (and using the actual Google Docs icon) to 'read, send, delete and manage your email'. This is however a malicious third-party app that simply appropriated the Google Docs name and branding. If the user grants access, the app then uses the account to send out further phishing emails.

      Google has since disabled the app, removed related phishing pages and is investigating the issue further.

    • 6 May

      French electoral campaign hacked

      The campaign team of French presidential candidate Emmanuel Macron announced that it had been the target of a hacking campaign, which it believes was an attempt to undermine the outcome of the French presidential election in early May. The announcement followed the release online of a cache of documents and emails allegedly stolen from the campaign team in the lead-up to the vote.

      Unlike the hacking incidents that affected the US presidential election, news of the hack in France was relatively muted, as the press respected a legal blackout on election reporting during the voting period. The impact of the hack on the election also appears to have been negligible.

    • 15 May

      WannaCry ransomware outbreak spreads globally

      The largest ransomware outbreak to date erupted on Friday 12 May and spread worldwide over the following weekend, with the most notable infections reportedly affecting hospitals, public transit services and telecommunications companies, as well as innumerable businesses and home users. The ransomware, variously known as Wanna, WCry, WannaCry, WannaCryptor and Wana DecryptOr, targeted Windows machines running versions prior to Windows 10, encrypted files stored on the device and demanded payment in Bitcoin for the decryption key.

      WannaCry was particularly notable for spreading using the EternalBlue exploit against Windows' Server Message Block (SMB) protocol, which was first revealed in a dump of alleged US National Security Agency (NSA) material by the hacking group The Shadow Brokers. Another notable aspect of the ransomware was a 'kill switch': before proceeding with infection, the malware attempted to contact a particular domain and stopped if the connection succeeded. A security researcher registered that domain, effectively slowing the initial spread and impact of the ransomware. Later WannaCry variants were discovered without the kill switch, but these never gained as much traction as the original.

      Microsoft had patched the SMB flaw in supported Windows versions in March; in response to the outbreak, it also issued emergency patches for unsupported versions such as Windows XP and Windows Server 2003. Since the outbreak, news reports have noted that almost all infected machines were running Windows 7.

    • 5 Apr

      'Cloud Hopper' attack reported

      Security researchers reported on a hacking campaign they named 'Operation Cloud Hopper', which targets managed IT service providers and other third-party services as a stepping stone towards compromising those providers' client companies, the attackers' real targets. This form of indirect, multi-stage compromise is also known as a 'supply-chain' or 'upstream' attack.

      According to the report, the eventual aim of the hacking is to steal trade secrets from the targeted companies.

    • 10 Apr

      Hackers set off Dallas' emergency sirens

      Residents of Dallas, Texas were forced to endure a night of blaring noise when hackers managed to repeatedly trigger the city's 156 emergency sirens, before emergency workers were finally able to deactivate the system.

      Subsequent news reports indicated that the hack was due to a 'radio issue', with speculation that the unknown intruders had found and replayed or imitated the radio signal used to centrally control the siren system, rather than breaking into a networked computer.

    • 12 Apr

      Callisto Group targeting East European orgs

      F-Secure Labs released a report detailing its investigations of the hacking group known as Callisto Group, an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists.

      The group's primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions. The group is currently still active.

    • 15 Mar

      Website attacks exploiting zero-day in Apache Struts 2

      Security researchers reported the discovery of a zero-day vulnerability in the Apache Struts 2 framework, which could allow an attacker to remotely execute code on an affected web server. Exploit code for the flaw was said to be publicly available on hacker forums for some time prior to the report.

      Shortly after an exploit for the flaw was added to the Metasploit framework, an increase in scans for and attacks against vulnerable servers was observed. A patch for the flaw, tracked as CVE-2017-5638, was quickly issued, and server administrators are urged to apply it as soon as possible.
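
      An added detection example, not from this page or from the Apache project: public exploit code for CVE-2017-5638 delivered an OGNL expression in the HTTP Content-Type header, which the vulnerable multipart handler evaluated while building an error message. A genuine media type never contains `%{` or `${`, so a request filter at the reverse proxy, or a scan over request logs that record that header, can flag probes cheaply while the patch is being rolled out. The sample requests below are constructed; the probe entry copies only the outer shape of a payload and its expression is inert.

```python
import re

# Markers of an OGNL expression in a header value. Genuine media types never
# contain '%{' or '${', so a match is a reliable signal of a CVE-2017-5638
# probe. The marker list is an assumption of this example, not a spec.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|@ognl\.", re.IGNORECASE)


def header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def looks_like_struts_ognl_probe(headers: dict) -> bool:
    """True when the request's Content-Type carries an OGNL expression."""
    return bool(OGNL_MARKERS.search(header(headers, "Content-Type")))


def flag_requests(requests: list) -> list:
    """Return indices of requests whose headers look like CVE-2017-5638 probes."""
    return [i for i, r in enumerate(requests) if looks_like_struts_ognl_probe(r["headers"])]


# Constructed sample traffic (not captured from any real server). The last
# entry mimics only the outer shape of a probe; the expression does nothing.
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "path": "/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----FormBoundary7MA4YWxkTrZu0gW"}},
    {"client": "198.51.100.9", "path": "/login.action",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"client": "203.0.113.45", "path": "/index.action",
     "headers": {"content-type": "%{(#_='multipart/form-data').(#probe='harmless')}"}},
]


if __name__ == "__main__":
    for i in flag_requests(SAMPLE_REQUESTS):
        r = SAMPLE_REQUESTS[i]
        print(f"probe from {r['client']} to {r['path']}: {header(r['headers'], 'Content-Type')!r}")
```

      Treat a filter like this as a stopgap and a source of indicators (which hosts were probed, from where), not as the fix: the remedy is upgrading Struts, and a hit on an unpatched server should trigger a compromise assessment rather than only a block.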

    • 16 Mar

      FBI briefing hints spearphishing led to Yahoo! breach

      A briefing by the Federal Bureau of Investigation (FBI) on the massive Yahoo! data breach revealed that the investigation indicated the intrusion most likely began with a spearphishing attack on a single 'semi-privileged' employee.

      According to news reports, the initial attack yielded the employee's credentials, which gave the attackers access to the company's internal network. They were then able to move laterally through the network until they reached targets of interest, including the tool that allowed them to forge cookies granting access to targeted accounts.

    • 26 Mar

      Hackers demand ransom from Apple, allege mass iCloud account hack

      A hacker group calling itself the Turkish Crime Family claims to have access to 250 million iCloud accounts and is demanding a ransom of $700,000 from Apple in return for not locking users out of their own accounts on 7 April. For its part, Apple has said that there have been no breaches of its systems, and that the account details the group used to demonstrate its access appeared to be culled from 'previously compromised third-party sources'.

      While there has been no solid evidence thus far that the group has the breadth of access that it claims, news reports have recommended that users change their passwords and enable two-factor authentication on their accounts, just in case.

    • 8 Feb

      In-memory malware targeting banks, other enterprises

      Fileless, in-memory malware has been reported in 140 enterprise networks in over 40 countries. Once considered the province of nation-state espionage, in-memory malware now appears to be within reach of ordinary cybercriminals. Of particular note is its use against banks, which have come under increasingly public cyber attack in the last few years.

    • 10 Feb

      Hackers turn university's IoT devices on its own network

      Following complaints of network inaccessibility, administrators at an American university discovered that their network contained over 5000 IoT devices - from smart lightbulbs to vending machines - which had been infected by a botnet.

      The devices had fallen victim due to using default or weak passwords, which allowed attackers to brute-force and infect them. Once roped into the botnet, the IoT devices made hundreds of DNS lookups every 15 minutes, causing the bandwidth issues.
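
      The behaviour described above, a bot making hundreds of lookups every quarter hour, is easy to pick out of resolver logs once per-client request rates are examined. The example below is added here (it is not from the university or any vendor) and runs over a constructed log: it keeps a sliding 15-minute window per client and flags any client whose peak lookup count in a window exceeds an assumed ceiling.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
THRESHOLD = 200  # assumed ceiling for one ordinary device in any 15-minute window


def build_sample_log() -> list:
    """Constructed resolver log, one 'timestamp client qname' record per line.

    Not taken from the incident: one workstation doing a lookup every five
    minutes and one compromised 'lightbulb' doing one every second for a
    quarter of an hour.
    """
    base = datetime(2017, 2, 10, 9, 0, 0)
    lines = []
    for i in range(12):
        ts = base + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} 10.1.0.42 mail.example.edu")
    for i in range(900):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.1.7.203 host{i % 50}.example.net")
    return lines


def parse_log(lines) -> dict:
    """Group lookup timestamps by client address."""
    by_client = defaultdict(list)
    for line in lines:
        ts, client, _qname = line.split()
        by_client[client].append(datetime.fromisoformat(ts))
    return by_client


def peak_rate(timestamps, window: timedelta = WINDOW) -> int:
    """Largest number of lookups one client made inside any sliding window."""
    times = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] >= window:  # drop lookups that fell out of the window
            left += 1
        best = max(best, right - left + 1)
    return best


def flag_bots(lines, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> dict:
    """Map each client whose peak rate exceeds the threshold to that peak."""
    flagged = {}
    for client, ts in parse_log(lines).items():
        peak = peak_rate(ts, window)
        if peak > threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in flag_bots(build_sample_log()).items():
        print(f"{client}: {peak} lookups in a {WINDOW.seconds // 60}-minute window")
```

      The threshold is the part to tune per network: set it from a baseline of normal clients before an incident, and pair the rate check with a look at query diversity, since a bot cycling through many never-before-seen names stands out even at lower rates.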

    • 17 Feb

      Android malware used to spy on Israeli soldiers

      Researchers reported the discovery of ViperRAT malware targeting the Android devices of Israeli military members. The malware is capable of monitoring activity and harvesting content from the device, most notably images and audio files, as well as text and contact data. According to reports, the malware is distributed using social engineering tactics.

      The group operating the RAT is not explicitly identified in the reports, though speculation based on analysis of the malware itself is that they operate out of the Middle East.

Malware

    • 9 May

      Mac DVD ripper tool site downloads Proton backdoor

      The website of an open source DVD ripping utility for Mac was reportedly hacked to serve a backdoor to users' computers that could steal passwords, keychains and password vaults.

      A mirror site for the popular Handbrake program was found downloading a backdoor known as Proton, disguised as a fake copy of the desired software. When launched, the downloaded file would ask the user to enter their Mac administrator password, which was then sent to a remote server controlled by the attackers.

      The malicious file has since been removed from the affected site; users who may have downloaded Handbrake software during this period are advised to verify their download and if necessary, remove the file and change their passwords.
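
      A practical way to do the 'verify their download' step above, added here as an example (not HandBrake's own tooling): hash the downloaded file and compare it against the checksum published by the project, taking that checksum from a source the attacker could not have altered together with the download, that is the project's own site over HTTPS rather than the mirror that served the file. The sample file, the 'published' checksum list and the filename are all constructed inside the code.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_checksum_list(text: str) -> dict:
    """Parse 'hexdigest  filename' lines as written by sha256sum / shasum -a 256."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.strip().lstrip("*")] = digest.lower()  # '*' marks binary mode in shasum output
    return expected


def verify_download(path: str, checksum_text: str) -> bool:
    """True only if the file's SHA-256 matches the published value for its filename."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False  # a file the project never published should not pass by default
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> tuple:
    """Constructed scenario: a genuine download and one swapped on a mirror."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "HandBrake-1.0.7.dmg")  # filename is illustrative
        with open(genuine, "wb") as f:
            f.write(b"genuine installer bytes " * 1000)
        # In practice the list would be fetched from the project's own HTTPS site.
        published = f"{sha256_of_file(genuine)}  HandBrake-1.0.7.dmg\n"

        tampered = os.path.join(tmp, "mirror", "HandBrake-1.0.7.dmg")
        os.makedirs(os.path.dirname(tampered))
        with open(tampered, "wb") as f:
            f.write(b"genuine installer bytes " * 1000 + b"backdoor")

        return verify_download(genuine, published), verify_download(tampered, published)


if __name__ == "__main__":
    ok, bad = demo()
    print("genuine download verifies:", ok)
    print("tampered download verifies:", bad)
```

      A checksum only proves the file is the one the project published; it says nothing about whether a copy already on the machine has been run. Anyone who installed from the affected mirror during the window should also follow the advice above and rotate the passwords the backdoor was built to collect.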

    • 16 May

      Adylkuzz crypto-currency botnet uses NSA-linked exploits

      Security researchers reported the discovery of a cryptocurrency-mining botnet that, like the WannaCry ransomware, uses NSA-linked exploits to infect computers. According to the reports, the botnet uses the same EternalBlue exploit as WannaCry, together with the DoublePulsar backdoor, to gain access to computers, but instead of dropping ransomware onto the affected machine it installs mining software known as Adylkuzz.

      The botnet appears to have started before the WannaCry epidemic, most likely at the beginning of May, and was successful at staying under the radar for some weeks, both because it spread using a vulnerability that many machines had not yet patched and because the signs of infection were far less visible.

    • 23 May

      EternalRocks worm spreading using NSA-linked exploit

      A security researcher reported the discovery of a new worm, dubbed EternalRocks, which uses the same vulnerability in the Windows Server Message Block (SMB) protocol as WannaCry to spread. Unlike the ransomware, the worm currently carries no damaging payload and simply uses each affected machine to continue spreading itself.

      In addition to EternalBlue, the worm uses six other tools from the dump of alleged NSA material, including the exploits codenamed EternalSynergy and ArchiTouch and the DoublePulsar backdoor.

    • 20 May

      Uiwix ransomware uses NSA-linked EternalBlue exploit to spread

      Following on from WannaCry, security researchers have reported the discovery of another ransomware, named Uiwix, that uses the same NSA-linked EternalBlue exploit of the Windows Server Message Block (SMB) protocol to spread. In addition to encrypting files on a machine, this new threat also includes code to steal browser login, file transfer protocol (FTP), email and instant messaging app login credentials.

      Unlike its predecessor, however, Uiwix does not write files to the system and instead runs in memory, making it harder to analyze. Another indication that the malware is designed to avoid detection and analysis is its apparent ability to recognize when it is running inside a virtual machine (VM) or sandbox, both commonly found on security researchers' machines.

    • 30 May

      Android Judy malware reported

      Security researchers reported finding almost 50 Android apps in Google's Play Store that include code to perform fraudulent ad-clicking. According to reports, most but not all of the affected apps were from a South Korean developer also noted for publishing games that include a character called Judy. The affected apps are reported to have been downloaded up to 36.5 million times.

      The apps were apparently passed by the Play Store's Bouncer code verification system because at that point they did not contain the malicious code. Once installed on a device, however, each app silently registers the device with a remote server, which then downloads the ad-clicking code onto it. When run, the apps would then direct the device to a webpage and generate fraudulent clicks on adverts placed on the page.

      The apps have since been removed from the Play Store.

    • 4 Apr

      Pegasus spy trojan now on Android

      Researchers reported the discovery of the sophisticated Pegasus spy trojan on devices running the Android mobile platform. The malware was previously only available for iOS, and was first discovered being used to monitor the devices of activists in the Middle East, possibly by a nation state.

      The Android version of the Pegasus malware reportedly has the same capabilities as its iOS counterpart, including capturing keystrokes and live audio, as well as capturing data sent in installed apps and email messages.

    • 7 Apr

      Brickerbot botnet makes IoT devices unusable

      Security researchers reported the discovery of a worm, dubbed Brickerbot, that seeks out and infects insecure IoT devices which are susceptible to the same default login credentials used by the Mirai botnet. Unlike other botnets, the Brickerbot malware deliberately targets the storage component of the infected devices, issuing commands that damage the storage sufficiently to make the device completely unusable - essentially 'bricking' it.

    • 14 Apr

      'Rensenware' demands victims play game instead of paying

      In a novel twist, a new ransomware identified as Rensenware encrypts files on the affected user's device, then demands that they "score 0.2 billion in LUNATIC level" on an old shoot-em-up PC game, TH12 ~ Undefined Fantastic Object. While no monetary payment is required, Rensenware is no less troublesome to deal with, as it requires that the user gain a high score in a notoriously difficult game.

      Even more unusually, Rensenware's author Tvple eraser has reportedly apologized for its release, claiming that the malware had been created as a 'joke'. The author also released a tool that can be used to trick the ransomware into believing that the high score has been achieved, and thus obtain the decryption key.

    • 19 Apr

      Hajime 'grayhat' botnet preemptively infects IoT devices

      A so-called 'grayhat' botnet has been reportedly targeting and infecting IoT devices that are susceptible to the Mirai botnet in order to prevent the rival botnet from taking control of the vulnerable devices. The Hajime botnet, as it is known, searches the Internet for accessible devices that use the same default login credentials that Mirai looks for, and if found, infects them and closes the ports used by Mirai to spread.

      Despite the arguably positive aim of the Hajime botnet, security experts have cautioned that, even after overlooking the legal violations involved, the botnet's actions are at best a temporary and inadequate fix to the underlying security issues posed by insecure IoT devices.

    • 6 Mar

      StoneDrill malware reported

      Researchers reported the discovery of a new malware family that wipes all accessible files on the system and is also capable of spreading itself to other accessible machines on the network. Named StoneDrill, the new malware bears similarities to the existing Shamoon malware, though reports indicate that the two are more likely to have been the products of two separate groups.

      The StoneDrill family mostly appears to focus on organizations in Saudi Arabia, though at least one instance of it appearing in Europe has been noted, indicating either an unintentional infection or an expansion of scope.

    • 14 Mar

      Supply chain attack 'pre-installs' malware on 36 Android phones

      Security researchers reported discovering malicious apps on 36 different models of 'factory-fresh' Android phones. The apps were not part of the official ROM provided by the vendors, indicating that the devices had been infected somewhere along the supply chain or manufacturing process.

      Affected models were mostly from the Samsung Galaxy range, as well as specific models from the Xiaomi, Lenovo, Oppo and Asus brands. The pre-installed apps were mainly designed to either silently collect information or display ads, though at least one was reportedly ransomware.

    • 15 Feb

      APT28 Xagent backdoor for Mac reported

      Security researchers reported discovering a new version of a malware linked to a known cyberespionage group which can target OS X systems in order to steal passwords and screenshots, execute files and so on.

      The emergence of a Mac version of the Xagent backdoor, which is already operable on Windows, Linux and Android, indicates the expanding scope of the APT28 hacker group, which has previously been linked to the 2016 hack of the US Democratic National Committee, among other alleged cyber attacks.

    • 16 Feb

      Flaws found in Android 'connected-car' apps

      Security researchers reported finding security flaws in the Android 'connected-car' apps on offer from seven car manufacturers that could allow hackers to locate or access a connected car through the app itself. The apps were not named in the report.

      According to the researchers, the apps' code lacks basic security protections, potentially allowing attackers to tamper with the programs in order to affect the connected car. The researchers have stressed that they have not found any real-world attacks targeting the flaws they note, and compare the nascent state of 'connected-car' apps to the more secure banking apps, which rapidly incorporated security layers into their design in response to repeated attacks.

    • 10 Jan

      Spora ransomware targets Russian users

      A new ransomware variant dubbed Spora targets Russian users. The malware arrives on the system via spam email pretending to be an invoice from accounting software, with an .hta downloader attached (filename: "Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta").

      This ransomware differs from other variants in that it asks for a relatively small ransom and provides several options for paying up. Affected users can choose between only restoring files, removing the malware, purchasing immunity, or all of the above for a cheaper package price. This kind of revenue model is the first of its kind for ransomware.

    • 18 Jan

      Fruitfly/Quimitchin backdoor targets Mac OS X and Linux

      Researchers from Malwarebytes discovered a new backdoor malware, dubbed Fruitfly/Quimitchin, targeting the Mac OS X and Linux platforms. Its comments and imported libraries suggest that the malware has been around for multiple years, and it has resided on the compromised systems for at least two years. The malware was discovered only recently because it was tightly targeted at systems all belonging to biomedical research institutions.

Vulnerabilities

    • 5 Apr

      Broadcom Wi-Fi mobile chip flaw reported; Apple, Google issue fixes

      Researchers with Google's Project Zero team reported the discovery of a vulnerability in the Wi-Fi chip produced by Broadcom and used in many mobile devices. Theoretically, the flaw could be exploited to allow an attacker to silently take control of a vulnerable device that is logged onto the same Wi-Fi network as the attacker.

      The news prompted Apple and Google to issue fixes for the flaw, which were published in their iOS 10.3.1 and April Android Security Bulletin updates, respectively. The latest update does not apply to older iOS devices, which are no longer supported. Meanwhile, users of Android models that are not directly updated by Google would need to wait until their device manufacturer issued a security patch addressing the flaw. In the meantime, users are advised to disable their device's Wi-Fi functionality when not on a known network.

    • 9 Apr

      Word zero-day exploited to spam millions with Dridex trojan

      A recently reported zero-day vulnerability in Microsoft Word is being leveraged to distribute the Dridex banking trojan. According to security researchers, millions of booby-trapped Word documents have been observed being sent out as attachments to spam email messages.

      Unlike most such document-based attacks, use of the zero-day flaw means that no further user action (such as enabling macros) is required once the attachment is opened. Instead, opening the document leads to the vulnerability being exploited, which then automatically executes the embedded Dridex malware. The trojan itself looks for and harvests details related to online banking accounts.

    • 15 Mar

      Flaw reported in WhatsApp, Telegram web apps

      Security researchers privately reported a flaw in the browser-based versions of popular mobile messaging apps WhatsApp and Telegram, which if exploited could allow attackers to send malicious code embedded in an image file. Following the disclosure, both companies quickly issued patches to close the loophole.

      Coverage of the incident has highlighted that in comparison to a smartphone, the web browser remains a more vulnerable channel for communication, even for encrypted messaging applications.

    • 20 Mar

      Cisco: 0-day revealed in 'Vault 7' CIA docs leak

      Cisco announced that its perusal of the documents dumped in the 'Vault 7' WikiLeaks release has turned up a zero-day vulnerability affecting its IOS and IOS XE software. The CVE-2017-3881 flaw could, if exploited, allow an attacker to remotely run code with elevated privileges on affected devices, which include hundreds of router and switch models sold by the company.

      According to Cisco's own security advisory, no workaround exists for the vulnerability, though 'disabling the Telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector.'

    • 22 Mar

      DoubleAgent exploits Application Verifier

      Security researchers publicized a method to create launch points in Windows by leveraging the built-in Application Verifier mechanism. An attacker with admin privileges could use this method to replace a legitimate DLL from Microsoft with a malicious one, and thus hijack any process running under Windows.

      While the original report focused on hijacking antivirus applications, the attack method is reportedly able to target any other application, including the operating system itself. While some companies have issued patches to address the attack method, others have highlighted that an attacker would require both physical access to the targeted machine and admin privileges on it, significantly reducing the severity of the attack method.

    • 29 Mar

      Flaws in LastPass reported

      Google security researchers privately reported three vulnerabilities in popular password manager LastPass in the span of a month, with the first two related to extensions used by the manager in different browsers and the third one being a 'unique and highly sophisticated' vulnerability that could allow malicious sites to steal passwords.

      LastPass quickly issued patches for the first two flaws and confirmed that it is working on a fix for the newest reported vulnerability. In the meantime, the company has also recommended that its users use the LastPass Vault to launch sites until the third flaw is fixed, and where possible, enable two-factor authentication.

    • 20 Feb

      Project Zero discloses Microsoft zero-day

      Google's Project Zero announced its discovery of a zero-day vulnerability (CVE-2017-0038) in the Windows Graphics Device Interface (GDI) after Microsoft failed to address the issue within the standard 90-day window Project Zero provides for disclosing and fixing vulnerabilities.

      According to reports, the announcement had been timed to coincide with Microsoft's February Patch Tuesday release, but the updates were unexpectedly postponed for a month due to a 'last-minute issue'.

    • 23 Feb

      Linux patches decade-old DCCP flaw

      A patch has been released for a recently discovered vulnerability (CVE-2017-6074) in the code for Linux's Datagram Congestion Control Protocol (DCCP), which is enabled on many Linux distributions. According to news reports, the vulnerability was introduced in 2005 when DCCP was first incorporated.

      Administrators are advised to check if their installations are vulnerable and apply the relevant patches as soon as possible. A workaround to manually disable the DCCP kernel module is also available.

    • 22 Feb

      Adobe, Microsoft release updates for Flash flaws

      Adobe and Microsoft both released security updates this week to address 13 vulnerabilities in Flash Player libraries used by Internet Explorer 10, Internet Explorer 11 and Edge. According to reports, the vulnerabilities were not under active exploitation at the time of patch release.

Enforcement

Product Security

    • 15 Apr

      Microsoft quietly fixed flaws revealed in Shadow Brokers NSA dump

      Shortly after the news broke that hacking group Shadow Brokers had released documents allegedly from the NSA containing exploits for Windows products, Microsoft announced that most of the flaws targeted by the exploits had already been addressed in prior security updates. Three flaws still unpatched reportedly do not affect the most recent supported Windows systems, though older, unsupported systems may still be exposed.

    • 19 Apr

      Oracle releases 299-flaw patch, fixes flaw revealed in Shadow Brokers leak

      Oracle has released a monster security patch that addresses almost 300 vulnerabilities across the company's product lines.

      Of particular note among the fixes are a flaw in the Apache Struts framework, which has been under active attack since its revelation in early March, and CVE-2017-3622, a vulnerability in Solaris 10 and 11.3 which was first publicly revealed in the dump of NSA-related content by hacking group Shadow Brokers.

      Users and administrators of affected products are urged to apply the patch as soon as possible.

    • 19 Apr

      Microsoft moving from passwords to Authenticator app

      Microsoft issued an update to its Authenticator mobile app intended to simplify how users access their Microsoft accounts. With the update, users can now simply tap a button displayed in the app when they are logging into their accounts, rather than remembering a password or having to use an app-generated one-time PIN.

      According to reports, Microsoft aims to move away from passwords and towards a more app-based authentication method it believes would be more user-friendly, as it removes the need to deal with passwords, as well as being more secure since attackers would require physical possession of the registered mobile device.

    • 7 Mar

      Apple: Many 'Vault 7' flaws already fixed

      Following WikiLeaks' 'Vault 7' release of documents allegedly describing CIA hacking tools, Apple released a statement saying that many of the exploits revealed in the material had already been addressed in the latest updates for its iOS system. The company also said that it is working to 'rapidly address' the rest.

      The leaked documents contained details of exploits that targeted mobile operating systems from both Apple and Google, though thus far only Apple has issued a statement addressing the revelations.

    • 14 Mar

      Patch Tuesday fixes 134 flaws

      Following an unexpected pause in its patch release cycle last month, Microsoft pushed out a monster update in this month's Patch Tuesday release, with 18 patches (9 of them marked Critical) to address 134 vulnerabilities. Users are, as usual, urged to apply the patches at their earliest convenience.

    • 23 Mar

      Instagram adds 2-factor authentication

      Popular image-sharing site Instagram has introduced 2-factor authentication in a move to improve security for its users. The measure is aimed at protecting users against having their accounts compromised if an attacker manages to steal their login credentials (most commonly through phishing attacks or password reuse), and requires a six-digit code sent to the user's device each time they want to log into the service.

    • 27 Mar

      Google acts against Symantec 'mis-issued' certs

      Google announced that its Chrome web browser will be reducing the level of trust it assigns to certificates issued by Symantec, which are used by hundreds of thousands of websites to authenticate their encrypted connections. The announcement follows reports that Symantec, which reportedly serves as a Certificate Authority (CA) for almost 30% of all sites on the Internet as of 2015, had issued the coveted certificates to some 30,000 sites without properly verifying the recipients, thereby undermining the value and usefulness of the issued certificates.

      The latest move would have Chrome reducing the amount of time that the affected certificates are considered 'trusted', as well as requiring that the sites using such certificates replace them with newer, trusted ones. For its part, Symantec has called Google's claims 'exaggerated and misleading'. Website owners who use Symantec-issued certificates would in the meantime have to take steps to ensure that Chrome-using visitors would still be able to access their site as normal.

    • 31 Mar

      Microsoft: No patch for flaw in EOL'ed Windows Server

      Microsoft has confirmed it will not issue a patch for a zero-day vulnerability in IIS 6 on Windows Server 2003 R2, which has not been supported since 2010. The CVE-2017-7269 flaw could allow an attacker to remotely run code on a vulnerable machine, and had reportedly already been actively exploited in-the-wild last year.

      The confirmation from Redmond follows the release of a proof-of-concept (POC) exploit by security researchers, which has led to concerns that malware authors would integrate the POC into their own attack code. According to reports, some 600,000 servers are still using IIS 6 today, with many of them based in China and the US.

    • 13 Jan

      WhatsApp vs The Guardian: It's not a 'backdoor', it's a 'feature'

      An article published in The Guardian caused concern among security researchers over claims that the popular mobile messaging app WhatsApp contained what it called a 'backdoor'. The article reported on the contentions of an independent security researcher that the way the app handles changes in a user's encryption key amounted to a 'retransmission vulnerability' that could allow an attacker to intercept and read encrypted messages.

      WhatsApp has refuted the claim, arguing that the issue was in fact a deliberate design choice that balanced performance and usability to provide security without disrupting the user experience, which suits the less tech-savvy profile of its user base. Security researchers also disagreed with the characterization of the issue as either a 'backdoor' or a 'vulnerability', and issued an open letter to The Guardian calling for the retraction of the article.

    • 19 Jan

      $40K payout for critical ImageMagick bug bounty report

      A security researcher discovered a way to circumvent the patch that the Facebook security team had used to fix the critical remote code execution vulnerability in the open-source ImageMagick image-editing tool that was reported last May. The researcher subsequently reported his discovery to Facebook, which quickly closed the hole and rewarded the researcher with a $40,000 payout under its bug bounty program, the biggest payment it has made to date.

Sources

Items listed in the Calendar were reported in various technology news portals, security research publications, law enforcement sites, major newspapers and our own F-Secure Weblog.

See our Threat Reports for previous editions of the Incidents Calendar.